From 6beee732e49fb77e92afd613f8634f828b885560 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 Aug 2009 02:09:04 +0000 Subject: [PATCH 001/385] 2643. [bug] Stub zones interacted badly with NSEC3 support. [RT #19777] --- CHANGES | 3 +++ bin/named/query.c | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 04bb7d7718..ac571b29ac 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2643. [bug] Stub zones interacted badly with NSEC3 support. + [RT #19777] + --- 9.7.0a2 released --- 2642. [bug] nsupdate could dump core on solaris when reading diff --git a/bin/named/query.c b/bin/named/query.c index d598684a84..b31335258d 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.325 2009/06/26 08:02:57 jinmei Exp $ */ +/* $Id: query.c,v 1.326 2009/08/05 02:09:04 marka Exp $ */ /*! \file */ @@ -2731,7 +2731,7 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node, return; addnsec3: - if (dns_db_iscache(db)) + if (!dns_db_iszone(db)) goto cleanup; /* * Add the NSEC3 which proves the DS does not exist. From 3a875400473e5c06199272a1292ed84646990e2f Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 5 Aug 2009 17:35:33 +0000 Subject: [PATCH 002/385] 2644. [bug] Change #2628 caused a regression on some systems; named was unable to write the PID file and would fail on startup. [RT #20001] --- CHANGES | 8 +- bin/named/server.c | 8 +- bin/named/unix/include/named/os.h | 6 +- bin/named/unix/os.c | 182 +++++++++++++++++------------ bin/named/win32/include/named/os.h | 5 +- bin/named/win32/os.c | 61 +++++----- 6 files changed, 164 insertions(+), 106 deletions(-) diff --git a/CHANGES b/CHANGES index ac571b29ac..cb02c43fb3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,12 @@ + --- 9.7.0a2 released --- + +2644. [bug] Change #2628 caused a regression on some systems; + named was unable to write the PID file and would + fail on startup. [RT #20001] + 2643. [bug] Stub zones interacted badly with NSEC3 support. [RT #19777] - --- 9.7.0a2 released --- - 2642. [bug] nsupdate could dump core on solaris when reading improperly formatted key files. [RT #20015] diff --git a/bin/named/server.c b/bin/named/server.c index 357ee47e80..e2d682b583 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.539 2009/07/14 23:47:53 tbox Exp $ */ +/* $Id: server.c,v 1.540 2009/08/05 17:35:33 each Exp $ */ /*! \file */ @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -3395,11 +3396,12 @@ generate_session_key(const char *filename, const char *keynamestr, key = NULL; /* ownership of key has been transferred */ /* Dump the key to the key file. */ - result = isc_file_safecreate(filename, &fp); - if (result != ISC_R_SUCCESS) { + fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE); + if (fp == NULL) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "could not create %s", filename); + result = ISC_R_NOPERM; goto cleanup; } diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h index d03bf75c6f..f3c51f47b7 100644 --- a/bin/named/unix/include/named/os.h +++ b/bin/named/unix/include/named/os.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.29 2008/10/24 01:44:48 tbox Exp $ */ +/* $Id: os.h,v 1.30 2009/08/05 17:35:33 each Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 @@ -51,8 +51,12 @@ ns_os_adjustnofile(void); void ns_os_minprivs(void); +FILE * +ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user); + void ns_os_writepidfile(const char *filename, isc_boolean_t first_time); + void ns_os_shutdown(void); diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 6b02e2640e..0f1159d211 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.99 2009/07/15 00:36:37 marka Exp $ */ +/* $Id: os.c,v 1.100 2009/08/05 17:35:33 each Exp $ */ /*! \file */ @@ -637,7 +637,7 @@ ns_os_minprivs(void) { } static int -safe_open(const char *filename, isc_boolean_t append) { +safe_open(const char *filename, mode_t mode, isc_boolean_t append) { int fd; struct stat sb; @@ -650,13 +650,11 @@ safe_open(const char *filename, isc_boolean_t append) { } if (append) - fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode); else { if (unlink(filename) < 0 && errno != ENOENT) return (-1); - fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode); } return (fd); } @@ -728,38 +726,126 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) { } static void -setperms(uid_t uid, gid_t gid, void (*report)(const char *, ...)) { +setperms(uid_t uid, gid_t gid) { char strbuf[ISC_STRERRORSIZE]; +#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) + gid_t oldgid, tmpg; +#endif +#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) + uid_t olduid, tmpu; +#endif #if defined(HAVE_SETEGID) - if (setegid(gid) == -1) { + if (getegid() != gid && setegid(gid) == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("unable to set effective gid: %s", strbuf); + ns_main_earlywarning("unable to set effective gid to %d: %s", + gid, strbuf); } #elif defined(HAVE_SETRESGID) - if (setresgid(-1, gid, -1) == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("unable to set effective gid: %s", strbuf); + if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) { + if (setresgid(-1, gid, -1) == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("unable to set effective " + "gid to %d: %s", gid, strbuf); + } } #endif #if defined(HAVE_SETEUID) - if (seteuid(uid) == -1) { + if (geteuid() != uid && seteuid(uid) == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("unable to set effective uid: %s", strbuf); + ns_main_earlywarning("unable to set effective uid to %d: %s", + uid, strbuf); } #elif defined(HAVE_SETRESUID) - if (setresuid(-1, uid, -1) == -1) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("unable to set effective uid: %s", strbuf); + if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) { + if (setresuid(-1, uid, -1) == -1) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("unable to set effective " + "uid to %d: %s", uid, strbuf); + } } #endif } +FILE * +ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user) { + char strbuf[ISC_STRERRORSIZE], *f; + FILE *fp; + int fd; + + /* + * Make the containing directory if it doesn't exist. + */ + f = strdup(filename); + if (f == NULL) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("couldn't strdup() '%s': %s", + filename, strbuf); + return (NULL); + } + if (mkdirpath(f, ns_main_earlywarning) == -1) { + free(f); + return (NULL); + } + free(f); + + if (switch_user && runas_pw != NULL) { + /* Set UID/GID to the one we'll be running with eventually */ + setperms(runas_pw->pw_uid, runas_pw->pw_gid); + + fd = safe_open(filename, mode, ISC_FALSE); + +#ifndef HAVE_LINUXTHREADS + /* Restore UID/GID to root */ + setperms(0, 0); +#endif /* HAVE_LINUXTHREADS */ + + if (fd == -1) { +#ifndef HAVE_LINUXTHREADS + fd = safe_open(filename, mode, ISC_FALSE); + if (fd != -1) { + ns_main_earlywarning("Required root " + "permissions to open " + "'%s'.", filename); + } else { + ns_main_earlywarning("Could not open " + "'%s'.", filename); + } + ns_main_earlywarning("Please check file and " + "directory permissions " + "or reconfigure the filename."); +#else /* HAVE_LINUXTHREADS */ + ns_main_earlywarning("Could not open " + "'%s'.", filename); + ns_main_earlywarning("Please check file and " + "directory permissions " + "or reconfigure the filename."); +#endif /* HAVE_LINUXTHREADS */ + } + } else { + fd = safe_open(filename, mode, ISC_FALSE); + } + + if (fd < 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("could not open file '%s': %s", + filename, strbuf); + return (NULL); + } + + fp = fdopen(fd, "w"); + if (fp == NULL) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("could not fdopen() file '%s': %s", + filename, strbuf); + } + + return (fp); +} + void ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { - int fd; FILE *lockfile; - size_t len; pid_t pid; char strbuf[ISC_STRERRORSIZE]; void (*report)(const char *, ...); @@ -775,66 +861,16 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { if (filename == NULL) return; - len = strlen(filename); - pidfile = malloc(len + 1); + pidfile = strdup(filename); if (pidfile == NULL) { isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't malloc '%s': %s", filename, strbuf); + (*report)("couldn't strdup() '%s': %s", filename, strbuf); return; } - /* This is safe. */ - strcpy(pidfile, filename); - - /* - * Make the containing directory if it doesn't exist. - */ - if (mkdirpath(pidfile, report) == -1) { - free(pidfile); - pidfile = NULL; - return; - } - - if (first_time && runas_pw != NULL) { - /* - * Open the file using the uid/gid pair we will eventually - * be running as. - */ - setperms(runas_pw->pw_uid, runas_pw->pw_gid, report); - fd = safe_open(filename, ISC_FALSE); - setperms(0, 0, report); - - if (fd == -1) { - /* - * Backwards compatibility. - */ - fd = safe_open(filename, ISC_FALSE); - if (fd != -1) { - ns_main_earlywarning("Required root " - "permissions to open " - "'%s'.", filename); - ns_main_earlywarning("Please check file and " - "directory permissions " - "or adjust 'pid-file' " - "in named.conf."); - } - } - } else - fd = safe_open(filename, ISC_FALSE); - - if (fd < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't open pid file '%s': %s", filename, strbuf); - free(pidfile); - pidfile = NULL; - return; - } - lockfile = fdopen(fd, "w"); + lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, + first_time); if (lockfile == NULL) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("could not fdopen() pid file '%s': %s", - filename, strbuf); - (void)close(fd); cleanup_pidfile(); return; } diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h index c00e973721..cdfc90796e 100644 --- a/bin/named/win32/include/named/os.h +++ b/bin/named/win32/include/named/os.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.14 2008/10/24 01:44:48 tbox Exp $ */ +/* $Id: os.h,v 1.15 2009/08/05 17:35:33 each Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 @@ -49,6 +49,9 @@ ns_os_adjustnofile(void); void ns_os_minprivs(void); +FILE * +ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user); + void ns_os_writepidfile(const char *filename, isc_boolean_t first_time); diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c index 4ba467e109..6eed888ade 100644 --- a/bin/named/win32/os.c +++ b/bin/named/win32/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.35 2009/07/14 22:54:56 each Exp $ */ +/* $Id: os.c,v 1.36 2009/08/05 17:35:33 each Exp $ */ #include #include @@ -177,7 +177,7 @@ ns_os_minprivs(void) { } static int -safe_open(const char *filename, isc_boolean_t append) { +safe_open(const char *filename, mode_t mode, isc_boolean_t append) { int fd; struct stat sb; @@ -188,12 +188,10 @@ safe_open(const char *filename, isc_boolean_t append) { return (-1); if (append) - fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode); else { (void)unlink(filename); - fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, - S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode); } return (fd); } @@ -207,11 +205,34 @@ cleanup_pidfile(void) { pidfile = NULL; } +FILE * +ns_os_openfile(char *filename, mode_t mode, isc_boolean_t switch_user) { + char strbuf[ISC_STRERRORSIZE]; + FILE *fp; + int fd; + + UNUSED(switch_user); + fd = safe_open(filename, mode, ISC_FALSE); + if (fd < 0) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("could not open file '%s': %s", + filename, strbuf); + } + + fp = fdopen(fd, "w"); + if (lockfile == NULL) { + isc__strerror(errno, strbuf, sizeof(strbuf)); + ns_main_earlywarning("could not fdopen() file '%s': %s", + filename, strbuf); + close(fd); + } + + return (fp); +} + void ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { - int fd; FILE *lockfile; - size_t len; pid_t pid; char strbuf[ISC_STRERRORSIZE]; void (*report)(const char *, ...); @@ -226,33 +247,21 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { if (filename == NULL) return; - len = strlen(filename); - pidfile = malloc(len + 1); + + pidfile = strdup(filename): if (pidfile == NULL) { isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't malloc '%s': %s", filename, strbuf); + (*report)("couldn't strdup() '%s': %s", filename, strbuf); return; } - /* This is safe. */ - strcpy(pidfile, filename); - fd = safe_open(filename, ISC_FALSE); - if (fd < 0) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("couldn't open pid file '%s': %s", filename, strbuf); + lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, + ISC_FALSE); + if (lockfile == NULL) { free(pidfile); pidfile = NULL; return; } - lockfile = fdopen(fd, "w"); - if (lockfile == NULL) { - isc__strerror(errno, strbuf, sizeof(strbuf)); - (*report)("could not fdopen() pid file '%s': %s", - filename, strbuf); - (void)close(fd); - cleanup_pidfile(); - return; - } pid = getpid(); From 2ac8f5841292b75f8ec2880ffb1576b0910eecff Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 5 Aug 2009 18:43:37 +0000 Subject: [PATCH 003/385] needed fixes for windows build --- bin/named/win32/include/named/os.h | 4 ++-- bin/named/win32/os.c | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h index cdfc90796e..5724444deb 100644 --- a/bin/named/win32/include/named/os.h +++ b/bin/named/win32/include/named/os.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.15 2009/08/05 17:35:33 each Exp $ */ +/* $Id: os.h,v 1.16 2009/08/05 18:43:37 each Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 @@ -50,7 +50,7 @@ void ns_os_minprivs(void); FILE * -ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user); +ns_os_openfile(const char *filename, int mode, isc_boolean_t switch_user); void ns_os_writepidfile(const char *filename, isc_boolean_t first_time); diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c index 6eed888ade..39151ed147 100644 --- a/bin/named/win32/os.c +++ b/bin/named/win32/os.c @@ -15,11 +15,12 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.36 2009/08/05 17:35:33 each Exp $ */ +/* $Id: os.c,v 1.37 2009/08/05 18:43:37 each Exp $ */ #include #include +#include #include #include @@ -177,7 +178,7 @@ ns_os_minprivs(void) { } static int -safe_open(const char *filename, mode_t mode, isc_boolean_t append) { +safe_open(const char *filename, int mode, isc_boolean_t append) { int fd; struct stat sb; @@ -206,7 +207,7 @@ cleanup_pidfile(void) { } FILE * -ns_os_openfile(char *filename, mode_t mode, isc_boolean_t switch_user) { +ns_os_openfile(const char *filename, int mode, isc_boolean_t switch_user) { char strbuf[ISC_STRERRORSIZE]; FILE *fp; int fd; @@ -220,7 +221,7 @@ ns_os_openfile(char *filename, mode_t mode, isc_boolean_t switch_user) { } fp = fdopen(fd, "w"); - if (lockfile == NULL) { + if (fp == NULL) { isc__strerror(errno, strbuf, sizeof(strbuf)); ns_main_earlywarning("could not fdopen() file '%s': %s", filename, strbuf); @@ -248,7 +249,7 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) { if (filename == NULL) return; - pidfile = strdup(filename): + pidfile = strdup(filename); if (pidfile == NULL) { isc__strerror(errno, strbuf, sizeof(strbuf)); (*report)("couldn't strdup() '%s': %s", filename, strbuf); From b73fda80357fa0dccad6d80cf8bddf7c241cf050 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 5 Aug 2009 23:18:20 +0000 Subject: [PATCH 004/385] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 917f75cc45..9a81f471ea 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -226,8 +226,10 @@ rt19750 new marka // 2009-07-01 07:18 +0000 rt19773 new each // 2009-07-02 21:22 +0000 rt19780 new jinmei // 2009-06-08 03:12 +0000 rt19816 new each // 2009-06-12 22:33 +0000 +rt19874 new each // 2009-08-05 22:36 +0000 rt19875 new each // 2009-07-04 22:47 +0000 rt19910 new marka // 2009-07-09 02:38 +0000 +rt20001 new each // 2009-08-05 15:54 +0000 rt20023 new fdupont // 2009-07-31 15:08 +0000 shane_dbbackend open skan open explorer From cf7e98f59148b559946a7f1ca728471374f1eef3 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 5 Aug 2009 23:30:31 +0000 Subject: [PATCH 005/385] newcopyrights --- util/copyrights | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index 2ea1f4a029..6dae8431ca 100644 --- a/util/copyrights +++ b/util/copyrights @@ -207,11 +207,11 @@ ./bin/named/tsigconf.c C 1999,2000,2001,2004,2005,2006,2007,2009 ./bin/named/unix/.cvsignore X 1999,2000,2001 ./bin/named/unix/Makefile.in MAKE 1999,2000,2001,2004,2007 -./bin/named/unix/include/named/os.h C 1999,2000,2001,2002,2004,2005,2007,2008 +./bin/named/unix/include/named/os.h C 1999,2000,2001,2002,2004,2005,2007,2008,2009 ./bin/named/unix/os.c C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 ./bin/named/update.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/named/win32/include/named/ntservice.h C 1999,2000,2001,2002,2003,2004,2007 -./bin/named/win32/include/named/os.h C 1999,2000,2001,2002,2004,2007,2008 +./bin/named/win32/include/named/os.h C 1999,2000,2001,2002,2004,2007,2008,2009 ./bin/named/win32/named.dsp X 2001,2004,2005,2008,2009 ./bin/named/win32/named.dsw X 2001 ./bin/named/win32/named.mak X 2001,2002,2004,2005,2006,2008,2009 From 0a7e3c7d096a2f85d9cbc768858c5527937b46c1 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 5 Aug 2009 23:47:43 +0000 Subject: [PATCH 006/385] update copyright notice --- bin/named/unix/include/named/os.h | 4 ++-- bin/named/win32/include/named/os.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h index f3c51f47b7..c979e53871 100644 --- a/bin/named/unix/include/named/os.h +++ b/bin/named/unix/include/named/os.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.30 2009/08/05 17:35:33 each Exp $ */ +/* $Id: os.h,v 1.31 2009/08/05 23:47:43 tbox Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 diff --git a/bin/named/win32/include/named/os.h b/bin/named/win32/include/named/os.h index 5724444deb..e4eb9942c5 100644 --- a/bin/named/win32/include/named/os.h +++ b/bin/named/win32/include/named/os.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.h,v 1.16 2009/08/05 18:43:37 each Exp $ */ +/* $Id: os.h,v 1.17 2009/08/05 23:47:43 tbox Exp $ */ #ifndef NS_OS_H #define NS_OS_H 1 From 3f5510b6fd74d8458aa4c8ead297bbfdd70547f0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 6 Aug 2009 01:21:58 +0000 Subject: [PATCH 007/385] update "Update the copyrights" directions --- doc/dev/release | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/doc/dev/release b/doc/dev/release index f3192b203e..acb688d8e9 100644 --- a/doc/dev/release +++ b/doc/dev/release @@ -2,7 +2,7 @@ Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000-2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: release,v 1.71 2007/02/15 23:40:09 tbox Exp $ +$Id: release,v 1.72 2009/08/06 01:21:58 marka Exp $ Preparing a bind9 release @@ -62,7 +62,17 @@ release. - Verify that the documents in doc/misc are up-to-date. - - Update the copyrights. According to tale: + - Update the copyrights. + + ssh tbox@cvs.isc.org + run these two command from the crontab +# +# Merge and Update copyrights +# +30 23 * * * /usr/bin/lockf -s -t 3600 /udir/tbox/tarballs/build-tarballs.lock /bin/sh /udir/tbox/tarballs/mergecopyrights +45 23 * * * /usr/bin/lockf -s -t 3600 /udir/tbox/updatecopyrights/updatecopyrights.lock /bin/sh /udir/tbox/updatecopyrights/updatecopyrights + + When tbox@cvs.isc.org is not available: Go to the root of the source tree. The scripts need to be run from there; they reference the util From 9be408c36882c768c1a3554803d8b4dbf44557e4 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 6 Aug 2009 01:31:50 +0000 Subject: [PATCH 008/385] update how to regenerate the documentation --- doc/dev/release | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/doc/dev/release b/doc/dev/release index acb688d8e9..c6b808b5fe 100644 --- a/doc/dev/release +++ b/doc/dev/release @@ -2,7 +2,7 @@ Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000-2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: release,v 1.72 2009/08/06 01:21:58 marka Exp $ +$Id: release,v 1.73 2009/08/06 01:31:50 marka Exp $ Preparing a bind9 release @@ -60,6 +60,19 @@ release. and Scanner's machine do. Commit any files that were regenerated. + Most of this has now been automated, only doc/arm/ARM.pdf will + not be committed: + ssh tbox@docs.lab.isc.org + run this command from crontab. +1 1 * * * /usr/bin/lockf -s -t 0 /udir/tbox/bind9-documents/regenerate.lock /udir/tbox/bind9-documents/regenerate + + Check to see if the ARM has changed since the last release + and if it has commit doc/arm/ARM.pdf. + e.g. + cvs rdiff -r v9_6_1 -r v9_6 bind9/doc/arm + cd bind9-documents/bind9.v9_6 + cvs commit doc/arm/ARM.pdf + - Verify that the documents in doc/misc are up-to-date. - Update the copyrights. From 68e1b398b5b1b417723e90b5e52b9148f8f93294 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 6 Aug 2009 23:30:29 +0000 Subject: [PATCH 009/385] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 6dae8431ca..60febbd9ef 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1548,7 +1548,7 @@ ./doc/dev/cvs-usage TXT.BRIEF 2000,2001,2004 ./doc/dev/magic_numbers TXT.BRIEF 1999,2000,2001,2002,2004 ./doc/dev/rdata.html HTML 1999,2000,2001,2004,2007 -./doc/dev/release TXT.BRIEF 2000,2001,2002,2003,2004,2005,2006,2007 +./doc/dev/release TXT.BRIEF 2000,2001,2002,2003,2004,2005,2006,2007,2009 ./doc/dev/results TXT.BRIEF 1999,2000,2001,2004 ./doc/dev/tests TXT.BRIEF 2000,2001,2004 ./doc/dev/unexpected TXT.BRIEF 1999,2000,2001,2004 From 6bf23b0270d0f39afcc1d6c4da25c1473c5fd264 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 6 Aug 2009 23:47:44 +0000 Subject: [PATCH 010/385] update copyright notice --- doc/dev/release | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/dev/release b/doc/dev/release index c6b808b5fe..dcf11f937d 100644 --- a/doc/dev/release +++ b/doc/dev/release @@ -1,8 +1,8 @@ -Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 2000-2003 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: release,v 1.73 2009/08/06 01:31:50 marka Exp $ +$Id: release,v 1.74 2009/08/06 23:47:44 tbox Exp $ Preparing a bind9 release From 60f06c196033dd46312fcd9b9207f86fb63191f8 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 7 Aug 2009 23:18:01 +0000 Subject: [PATCH 011/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 9a81f471ea..89db237257 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -231,6 +231,7 @@ rt19875 new each // 2009-07-04 22:47 +0000 rt19910 new marka // 2009-07-09 02:38 +0000 rt20001 new each // 2009-08-05 15:54 +0000 rt20023 new fdupont // 2009-07-31 15:08 +0000 +rt20044 new fdupont // 2009-08-07 18:59 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 1762bd3d21463c1a359c22fb049ebd0fde85b429 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Mon, 10 Aug 2009 23:18:36 +0000 Subject: [PATCH 012/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 89db237257..08c6e095d3 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -232,6 +232,7 @@ rt19910 new marka // 2009-07-09 02:38 +0000 rt20001 new each // 2009-08-05 15:54 +0000 rt20023 new fdupont // 2009-07-31 15:08 +0000 rt20044 new fdupont // 2009-08-07 18:59 +0000 +rt20062 new marka // 2009-08-10 05:00 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 835ee9481b46974ed9a88091bb256e15a89473ba Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 11 Aug 2009 23:17:58 +0000 Subject: [PATCH 013/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 08c6e095d3..b11d124995 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -231,6 +231,7 @@ rt19875 new each // 2009-07-04 22:47 +0000 rt19910 new marka // 2009-07-09 02:38 +0000 rt20001 new each // 2009-08-05 15:54 +0000 rt20023 new fdupont // 2009-07-31 15:08 +0000 +rt20037 new marka // 2009-08-11 07:46 +0000 rt20044 new fdupont // 2009-08-07 18:59 +0000 rt20062 new marka // 2009-08-10 05:00 +0000 shane_dbbackend open From 90c1e763d577da656b5eeb02462b5236dca5f266 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 01:51:19 +0000 Subject: [PATCH 014/385] 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] --- CHANGES | 3 ++ configure | 104 +++++++++++++++++++++++++++++++++++++-------------- configure.in | 64 +++++++++++++++++-------------- 3 files changed, 115 insertions(+), 56 deletions(-) diff --git a/CHANGES b/CHANGES index cb02c43fb3..90a00ace7f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms + which default to 64 bits. [RT #19927] + --- 9.7.0a2 released --- 2644. [bug] Change #2628 caused a regression on some systems; diff --git a/configure b/configure index 7e0b0d5e57..7403dea387 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.458 2009/07/14 22:39:30 each Exp $ +# $Id: configure,v 1.459 2009/08/13 01:51:19 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.472 . +# From configure.in Revision: 1.473 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61. # @@ -1642,15 +1642,15 @@ Optional Features: --enable-openssl-hash use OpenSSL for hash functions [default=no] --enable-threads enable multithreading --enable-largefile 64-bit file support - --enable-ipv6 use IPv6 default=autodetect - --enable-getifaddrs Enable the use of getifaddrs() [yes|no]. - --disable-isc-spnego use SPNEGO from GSSAPI library - --disable-chroot disable chroot - --disable-linux-caps disable linux capabilities - --enable-atomic enable machine specific atomic operations - [default=autodetect] - --enable-fixed-rrset enable fixed rrset ordering - [default=no] + --enable-ipv6 use IPv6 default=autodetect + --enable-getifaddrs Enable the use of getifaddrs() [yes|no]. + --disable-isc-spnego use SPNEGO from GSSAPI library + --disable-chroot disable chroot + --disable-linux-caps disable linux capabilities + --enable-atomic enable machine specific atomic operations + [default=autodetect] + --enable-fixed-rrset enable fixed rrset ordering + [default=no] Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1659,21 +1659,21 @@ Optional Packages: --with-pic try to use only PIC/non-PIC objects [default=use both] --with-tags[=TAGS] include additional configurations [automatic] - --with-openssl=PATH Build with OpenSSL yes|no|path. + --with-openssl=PATH Build with OpenSSL yes|no|path. (Required for DNSSEC) - --with-pkcs11 Build with PKCS11 support - --with-gssapi=PATH Specify path for system-supplied GSSAPI - --with-randomdev=PATH Specify path for random device + --with-pkcs11 Build with PKCS11 support + --with-gssapi=PATH Specify path for system-supplied GSSAPI + --with-randomdev=PATH Specify path for random device --with-ptl2 on NetBSD, use the ptl2 thread library (experimental) - --with-libxml2=PATH Build with libxml2 library yes|no|path - --with-purify=PATH use Rational purify - --with-libtool use GNU libtool (following indented options supported) - --with-kame=PATH use Kame IPv6 default path /usr/local/v6 - --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets - --with-idn=MPREFIX enable IDN support using idnkit default PREFIX - --with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX - --with-iconv=LIBSPEC specify iconv library default -liconv - --with-idnlib=ARG specify libidnkit + --with-libxml2=PATH Build with libxml2 library yes|no|path + --with-purify=PATH use Rational purify + --with-libtool use GNU libtool + --with-kame=PATH use Kame IPv6 default path /usr/local/v6 + --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets + --with-idn=MPREFIX enable IDN support using idnkit default PREFIX + --with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX + --with-iconv=LIBSPEC specify iconv library default -liconv + --with-idnlib=ARG specify libidnkit --with-dlz-postgres=PATH Build with Postgres DLZ driver yes|no|path. (Required to use Postgres with DLZ) --with-dlz-mysql=PATH Build with MySQL DLZ driver yes|no|path. @@ -30630,8 +30630,56 @@ fi ;; x86_64-*|amd64-*) - have_xaddq=yes - arch=x86_64 +if test "$cross_compiling" = yes; then + arch=x86_64 + have_xaddq=yes +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +main() { + exit((sizeof(void *) == 8) ? 0 : 1); +} + +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + arch=x86_64 + have_xaddq=yes +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +arch=x86_32 +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + ;; alpha*-*) arch=alpha @@ -30861,9 +30909,9 @@ else fi if test "$have_xaddq" = "yes"; then - ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1" + ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1" else - ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ" + ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ" fi diff --git a/configure.in b/configure.in index 83939cdb11..94f1c6a93a 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.472 $) +AC_REVISION($Revision: 1.473 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -485,7 +485,7 @@ AC_C_BIGENDIAN OPENSSL_WARNING= AC_MSG_CHECKING(for OpenSSL library) AC_ARG_WITH(openssl, -[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path]. +[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path]. (Required for DNSSEC)], use_openssl="$withval", use_openssl="auto") @@ -695,7 +695,7 @@ AC_SUBST(ISC_OPENSSL_INC) AC_MSG_CHECKING(for PKCS11 support) AC_ARG_WITH(pkcs11, -[ --with-pkcs11 Build with PKCS11 support], +[ --with-pkcs11 Build with PKCS11 support], use_pkcs11="yes", use_pkcs11="no") case "$use_pkcs11" in @@ -713,7 +713,7 @@ AC_SUBST(USE_PKCS11) AC_MSG_CHECKING(for GSSAPI library) AC_ARG_WITH(gssapi, -[ --with-gssapi=PATH Specify path for system-supplied GSSAPI], +[ --with-gssapi=PATH Specify path for system-supplied GSSAPI], use_gssapi="$withval", use_gssapi="no") gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr" @@ -867,7 +867,7 @@ AC_SUBST(DNS_CRYPTO_LIBS) # AC_MSG_CHECKING(for random device) AC_ARG_WITH(randomdev, -[ --with-randomdev=PATH Specify path for random device], +[ --with-randomdev=PATH Specify path for random device], use_randomdev="$withval", use_randomdev="unspec") case "$use_randomdev" in @@ -1040,7 +1040,7 @@ AC_SUBST(ISC_THREAD_DIR) # AC_MSG_CHECKING(for libxml2 library) AC_ARG_WITH(libxml2, -[ --with-libxml2[=PATH] Build with libxml2 library [yes|no|path]], +[ --with-libxml2[=PATH] Build with libxml2 library [yes|no|path]], use_libxml2="$withval", use_libxml2="auto") case "$use_libxml2" in @@ -1234,7 +1234,7 @@ esac # AC_MSG_CHECKING(whether to use purify) AC_ARG_WITH(purify, - [ --with-purify[=PATH] use Rational purify], + [ --with-purify[=PATH] use Rational purify], use_purify="$withval", use_purify="no") case "$use_purify" in @@ -1273,7 +1273,7 @@ AC_SUBST(PURIFY) AC_ARG_WITH(libtool, - [ --with-libtool use GNU libtool (following indented options supported)], + [ --with-libtool use GNU libtool], use_libtool="$withval", use_libtool="no") case $use_libtool in @@ -1332,7 +1332,7 @@ AC_SUBST(LIBTOOL_IN_MAIN) # IPv6 # AC_ARG_ENABLE(ipv6, - [ --enable-ipv6 use IPv6 [default=autodetect]]) + [ --enable-ipv6 use IPv6 [default=autodetect]]) case "$enable_ipv6" in yes|''|autodetect) @@ -1363,7 +1363,7 @@ AC_TRY_COMPILE([ # AC_MSG_CHECKING(for Kame IPv6 support) AC_ARG_WITH(kame, - [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]], + [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]], use_kame="$withval", use_kame="no") case "$use_kame" in @@ -1813,7 +1813,7 @@ AC_SUBST(ISC_LWRES_GETADDRINFOPROTO) AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO) AC_ARG_ENABLE(getifaddrs, -[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no]].], +[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no]].], want_getifaddrs="$enableval", want_getifaddrs="yes") # @@ -1935,7 +1935,7 @@ AC_SUBST(ISC_EXTRA_SRCS) # Use our own SPNEGO implementation? # AC_ARG_ENABLE(isc-spnego, - [ --disable-isc-spnego use SPNEGO from GSSAPI library]) + [ --disable-isc-spnego use SPNEGO from GSSAPI library]) if test -n "$USE_GSSAPI" then @@ -2000,7 +2000,7 @@ AC_SUBST(LWRES_PLATFORM_QUADFORMAT) # Note it is very recommended to *not* disable chroot(), # this is only because chroot() was made obsolete by Posix. AC_ARG_ENABLE(chroot, - [ --disable-chroot disable chroot]) + [ --disable-chroot disable chroot]) case "$enable_chroot" in yes|'') AC_CHECK_FUNCS(chroot) @@ -2009,7 +2009,7 @@ case "$enable_chroot" in ;; esac AC_ARG_ENABLE(linux-caps, - [ --disable-linux-caps disable linux capabilities]) + [ --disable-linux-caps disable linux capabilities]) case "$enable_linux_caps" in yes|'') AC_CHECK_HEADERS(linux/capability.h sys/capability.h) @@ -2248,8 +2248,8 @@ AC_CHECK_FUNCS(nanosleep) # Machine architecture dependent features # AC_ARG_ENABLE(atomic, - [ --enable-atomic enable machine specific atomic operations - [[default=autodetect]]], + [ --enable-atomic enable machine specific atomic operations + [[default=autodetect]]], enable_atomic="$enableval", enable_atomic="autodetect") case "$enable_atomic" in @@ -2281,8 +2281,16 @@ main() { [arch=x86_32]) ;; x86_64-*|amd64-*) - have_xaddq=yes - arch=x86_64 +AC_TRY_RUN([ +main() { + exit((sizeof(void *) == 8) ? 0 : 1); +} +], + [arch=x86_64 + have_xaddq=yes], + [arch=x86_32], + [arch=x86_64 + have_xaddq=yes]) ;; alpha*-*) arch=alpha @@ -2387,9 +2395,9 @@ else fi if test "$have_xaddq" = "yes"; then - ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1" + ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1" else - ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ" + ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ" fi AC_SUBST(ISC_PLATFORM_HAVEXADD) @@ -2409,14 +2417,14 @@ AC_SUBST(ISC_ARCH_DIR) # Activate "rrset-order fixed" or not? # AC_ARG_ENABLE(fixed-rrset, - [ --enable-fixed-rrset enable fixed rrset ordering - [[default=no]]], + [ --enable-fixed-rrset enable fixed rrset ordering + [[default=no]]], enable_fixed="$enableval", enable_fixed="no") case "$enable_fixed" in yes) AC_DEFINE(DNS_RDATASET_FIXED, 1, - [Define to enable "rrset-order fixed" syntax.]) + [Define to enable "rrset-order fixed" syntax.]) ;; no) ;; @@ -2536,7 +2544,7 @@ AC_SUBST($1) # AC_MSG_CHECKING(for Docbook-XSL path) AC_ARG_WITH(docbook-xsl, -[ --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets], +[ --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets], docbook_path="$withval", docbook_path="auto") case "$docbook_path" in auto) @@ -2604,7 +2612,7 @@ AC_SUBST(XSLT_DB2LATEX_ADMONITIONS) # IDN support # AC_ARG_WITH(idn, - [ --with-idn[=MPREFIX] enable IDN support using idnkit [default PREFIX]], + [ --with-idn[=MPREFIX] enable IDN support using idnkit [default PREFIX]], use_idn="$withval", use_idn="no") case "$use_idn" in yes) @@ -2624,7 +2632,7 @@ esac iconvinc= iconvlib= AC_ARG_WITH(libiconv, - [ --with-libiconv[=IPREFIX] GNU libiconv are in IPREFIX [default PREFIX]], + [ --with-libiconv[=IPREFIX] GNU libiconv are in IPREFIX [default PREFIX]], use_libiconv="$withval", use_libiconv="no") case "$use_libiconv" in yes) @@ -2643,7 +2651,7 @@ no) esac AC_ARG_WITH(iconv, - [ --with-iconv[=LIBSPEC] specify iconv library [default -liconv]], + [ --with-iconv[=LIBSPEC] specify iconv library [default -liconv]], iconvlib="$withval") case "$iconvlib" in no) @@ -2655,7 +2663,7 @@ yes) esac AC_ARG_WITH(idnlib, - [ --with-idnlib=ARG specify libidnkit], + [ --with-idnlib=ARG specify libidnkit], idnlib="$withval", idnlib="no") if test "$idnlib" = yes; then AC_MSG_ERROR([You must specify ARG for --with-idnlib.]) From 048690a34d0fa89bd128ac21d1a4c84b4703a3de Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 02:11:20 +0000 Subject: [PATCH 015/385] 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] --- CHANGES | 2 ++ lib/isc/unix/socket.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 90a00ace7f..d1674f65c0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] + 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms which default to 64 bits. [RT #19927] diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index 4955b78656..df1002ab02 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.318 2009/04/18 01:28:17 jinmei Exp $ */ +/* $Id: socket.c,v 1.319 2009/08/13 02:11:20 marka Exp $ */ /*! \file */ @@ -3659,7 +3659,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) { manager->maxsocks); if (manager->fdpollinfo == NULL) { isc_mem_put(mctx, manager->events, - sizeof(pollinfo_t) * manager->maxsocks); + sizeof(struct pollfd) * manager->nevents); return (ISC_R_NOMEMORY); } memset(manager->fdpollinfo, 0, sizeof(pollinfo_t) * manager->maxsocks); From 8cff1a894f09360814f88437c0c6bce90db11944 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 02:53:01 +0000 Subject: [PATCH 016/385] 2647. [bug] Remove unnecessary SOA updates when a new KSK is added. [RT #19913] --- CHANGES | 3 +++ lib/dns/zone.c | 28 ++++++++++++++++++++++------ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index d1674f65c0..625184f133 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2647. [bug] Remove unnecessary SOA updates when a new KSK is + added. [RT #19913] + 2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987] 2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6ece61e8ca..b4221e40d0 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.501 2009/07/17 23:47:40 tbox Exp $ */ +/* $Id: zone.c,v 1.502 2009/08/13 02:53:01 marka Exp $ */ /*! \file */ @@ -6000,6 +6000,7 @@ zone_sign(dns_zone_t *zone) { dst_key_t *zone_keys[MAXZONEKEYS]; isc_int32_t signatures; isc_boolean_t check_ksk, is_ksk; + isc_boolean_t commit = ISC_FALSE; isc_boolean_t delegation; isc_boolean_t finishedakey = ISC_FALSE; isc_boolean_t secureupdated = ISC_FALSE; @@ -6288,6 +6289,7 @@ zone_sign(dns_zone_t *zone) { goto failure; } } + if (finishedakey) { /* * We have changed the RRset above so we need to update @@ -6313,6 +6315,15 @@ zone_sign(dns_zone_t *zone) { goto failure; } } + + /* + * Have we changed anything? + */ + if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) + goto pauseall; + + commit = ISC_TRUE; + result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, &sig_diff, zone_keys, nkeys, now); if (result != ISC_R_SUCCESS) { @@ -6344,9 +6355,12 @@ zone_sign(dns_zone_t *zone) { goto failure; } - /* Write changes to journal file. */ + /* + * Write changes to journal file. + */ zone_journal(zone, &sig_diff, "zone_sign"); + pauseall: /* * Pause all iterators so that dns_db_closeversion() can succeed. */ @@ -6363,7 +6377,7 @@ zone_sign(dns_zone_t *zone) { /* * Everything has succeeded. Commit the changes. */ - dns_db_closeversion(db, &version, ISC_TRUE); + dns_db_closeversion(db, &version, commit); /* * Everything succeeded so we can clean these up now. @@ -6379,9 +6393,11 @@ zone_sign(dns_zone_t *zone) { set_resigntime(zone); - LOCK_ZONE(zone); - zone_needdump(zone, DNS_DUMP_DELAY); - UNLOCK_ZONE(zone); + if (commit) { + LOCK_ZONE(zone); + zone_needdump(zone, DNS_DUMP_DELAY); + UNLOCK_ZONE(zone); + } failure: /* From 1d9958c6cc291916010779792f0fbdf6cd5ba368 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 03:34:10 +0000 Subject: [PATCH 017/385] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] --- CHANGES | 2 ++ lib/isc/win32/time.c | 34 ++++++++++++++++++---------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 625184f133..6d333dc3b4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2648. [port] win32: isc_time_seconds() was broken. [RT #19900] + 2647. [bug] Remove unnecessary SOA updates when a new KSK is added. [RT #19913] diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c index 0cf75cb07c..4c0211da33 100644 --- a/lib/isc/win32/time.c +++ b/lib/isc/win32/time.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.c,v 1.50 2009/07/17 23:47:41 tbox Exp $ */ +/* $Id: time.c,v 1.51 2009/08/13 03:34:10 marka Exp $ */ #include @@ -226,28 +226,30 @@ isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) { isc_uint32_t isc_time_seconds(const isc_time_t *t) { - SYSTEMTIME st; + SYSTEMTIME epoch = { 1970, 1, 4, 1, 0, 0, 0, 0 }; + FILETIME temp; + ULARGE_INTEGER i1, i2; + LONGLONG i3; - /* - * Convert the time to a SYSTEMTIME structure and the grab the - * milliseconds - */ - FileTimeToSystemTime(&t->absolute, &st); + SystemTimeToFileTime(&epoch, &temp); - return ((isc_uint32_t)(st.wMilliseconds / 1000)); + i1.LowPart = t->absolute.dwLowDateTime; + i1.HighPart = t->absolute.dwHighDateTime; + i2.LowPart = temp.dwLowDateTime; + i2.HighPart = temp.dwHighDateTime; + + i3 = (i1.QuadPart - i2.QuadPart) / 10000000; + + return ((isc_uint32_t)i3) } isc_uint32_t isc_time_nanoseconds(const isc_time_t *t) { - SYSTEMTIME st; + ULARGE_INTEGER i; - /* - * Convert the time to a SYSTEMTIME structure and the grab the - * milliseconds - */ - FileTimeToSystemTime(&t->absolute, &st); - - return ((isc_uint32_t)(st.wMilliseconds * 1000000)); + i.LowPart = t->absolute.dwLowDateTime; + i.HighPart = t->absolute.dwHighDateTime; + return ((isc_uint32_t)(i.QuadPart % 10000000) * 100); } void From 50eab6c2aa2433d3a84693b8bbea19789d6e4236 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 04:13:58 +0000 Subject: [PATCH 018/385] silence compiler warnings --- bin/dnssec/dnssec-dsfromkey.c | 6 +++--- bin/dnssec/dnssec-signzone.c | 4 ++-- bin/dnssec/dnssectool.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 18fb64e901..9e152439b3 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-dsfromkey.c,v 1.11 2009/07/19 23:47:55 tbox Exp $ */ +/* $Id: dnssec-dsfromkey.c,v 1.12 2009/08/13 04:13:58 marka Exp $ */ /*! \file */ @@ -367,7 +367,7 @@ main(int argc, char **argv) { /* fall through */ case 'K': dir = isc_commandline_argument; - if (strlen(dir) == 0) + if (strlen(dir) == 0U) fatal("directory must be non-empty string"); break; case 'f': @@ -375,7 +375,7 @@ main(int argc, char **argv) { break; case 'l': lookaside = isc_commandline_argument; - if (strlen(lookaside) == 0) + if (strlen(lookaside) == 0U) fatal("lookaside must be a non-empty string"); break; case 's': diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 87eb60b495..a4fd2c7b0c 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.225 2009/07/21 03:27:38 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.226 2009/08/13 04:13:58 marka Exp $ */ /*! \file */ @@ -3203,7 +3203,7 @@ main(int argc, char *argv[]) { case 'd': dsdir = isc_commandline_argument; - if (strlen(dsdir) == 0) + if (strlen(dsdir) == 0U) fatal("DS directory must be non-empty string"); break; diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index df58ad3d24..32a8537438 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.c,v 1.49 2009/07/19 23:47:55 tbox Exp $ */ +/* $Id: dnssectool.c,v 1.50 2009/08/13 04:13:58 marka Exp $ */ /*! \file */ @@ -293,7 +293,7 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) { const char *orig = str; char *endp; - if (strlen(str) == 1 && (str[0] == '0' || str[0] == '-')) + if ((str[0] == '0' || str[0] == '-') && str[1] == '\0') return ((isc_stdtime_t) 0); if (strncmp(str, "now", 3) == 0) { From bcd0cbfdae6729c48894501b6bcddc972feda67f Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 04:33:51 +0000 Subject: [PATCH 019/385] 2649. [bug] Set the domain for forward only zones. [RT #19944] --- CHANGES | 2 ++ lib/dns/resolver.c | 33 ++++++++++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 6d333dc3b4..b3ce6cbf1d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2649. [bug] Set the domain for forward only zones. [RT #19944] + 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] 2647. [bug] Remove unnecessary SOA updates when a new KSK is diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 888b15956e..3bec9adb05 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.403 2009/07/13 06:24:27 marka Exp $ */ +/* $Id: resolver.c,v 1.404 2009/08/13 04:33:51 marka Exp $ */ /*! \file */ @@ -2530,6 +2530,16 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, } } +static isc_boolean_t +isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) { + int order; + unsigned int nlabels; + dns_namereln_t namereln; + + namereln = dns_name_fullcompare(name1, name2, &order, &nlabels); + return (ISC_TF(namereln == dns_namereln_subdomain)); +} + static isc_result_t fctx_getaddresses(fetchctx_t *fctx) { dns_rdata_t rdata = DNS_RDATA_INIT; @@ -2575,6 +2585,8 @@ fctx_getaddresses(fetchctx_t *fctx) { dns_name_t *name = &fctx->name; dns_name_t suffix; unsigned int labels; + dns_fixedname_t fixed; + dns_name_t *domain; /* * DS records are found in the parent server. @@ -2587,11 +2599,26 @@ fctx_getaddresses(fetchctx_t *fctx) { dns_name_getlabelsequence(name, 1, labels - 1, &suffix); name = &suffix; } - result = dns_fwdtable_find(fctx->res->view->fwdtable, name, - &forwarders); + + dns_fixedname_init(&fixed); + domain = dns_fixedname_name(&fixed); + result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, + domain, &forwarders); if (result == ISC_R_SUCCESS) { sa = ISC_LIST_HEAD(forwarders->addrs); fctx->fwdpolicy = forwarders->fwdpolicy; + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) { + isc_mem_t *mctx; + + mctx = res->buckets[fctx->bucketnum].mctx; + dns_name_free(&fctx->domain, mctx); + dns_name_init(&fctx->domain, NULL); + result = dns_name_dup(domain, mctx, + &fctx->domain); + if (result != ISC_R_SUCCESS) + return (result); + } } } From de3200acf43b23858f19f9f45b71a745fb3728c0 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 13 Aug 2009 07:04:38 +0000 Subject: [PATCH 020/385] silence format warnings: treat uid/gid as longs when printing --- bin/named/unix/os.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c index 0f1159d211..a44d6c1cca 100644 --- a/bin/named/unix/os.c +++ b/bin/named/unix/os.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: os.c,v 1.100 2009/08/05 17:35:33 each Exp $ */ +/* $Id: os.c,v 1.101 2009/08/13 07:04:38 marka Exp $ */ /*! \file */ @@ -737,8 +737,8 @@ setperms(uid_t uid, gid_t gid) { #if defined(HAVE_SETEGID) if (getegid() != gid && setegid(gid) == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlywarning("unable to set effective gid to %d: %s", - gid, strbuf); + ns_main_earlywarning("unable to set effective gid to %ld: %s", + (long)gid, strbuf); } #elif defined(HAVE_SETRESGID) if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) { @@ -753,8 +753,8 @@ setperms(uid_t uid, gid_t gid) { #if defined(HAVE_SETEUID) if (geteuid() != uid && seteuid(uid) == -1) { isc__strerror(errno, strbuf, sizeof(strbuf)); - ns_main_earlywarning("unable to set effective uid to %d: %s", - uid, strbuf); + ns_main_earlywarning("unable to set effective uid to %ld: %s", + (long)uid, strbuf); } #elif defined(HAVE_SETRESUID) if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) { From 1f5dc0fc222a2b2525712a483f75f48d291f9aae Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 13 Aug 2009 07:14:05 +0000 Subject: [PATCH 021/385] update copyright notice --- lib/dns/zone.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index b4221e40d0..4469fdd683 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.502 2009/08/13 02:53:01 marka Exp $ */ +/* $Id: zone.c,v 1.503 2009/08/13 07:14:05 tbox Exp $ */ /*! \file */ @@ -6315,13 +6315,13 @@ zone_sign(dns_zone_t *zone) { goto failure; } } - + /* * Have we changed anything? */ - if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) + if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) goto pauseall; - + commit = ISC_TRUE; result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa, From 813b34ebecba1293ccfb91e52e3c69d5c819073d Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 14 Aug 2009 01:07:00 +0000 Subject: [PATCH 022/385] 2650. [bug] Assertion failure in dnssec-signzone when trying to read keyset-* files. [RT #20075] --- CHANGES | 3 +++ bin/dnssec/dnssec-signzone.c | 8 +++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index b3ce6cbf1d..896d0b9651 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2650. [bug] Assertion failure in dnssec-signzone when trying + to read keyset-* files. [RT #20075] + 2649. [bug] Set the domain for forward only zones. [RT #19944] 2648. [port] win32: isc_time_seconds() was broken. [RT #19900] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index a4fd2c7b0c..1a0c97cf20 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.226 2009/08/13 04:13:58 marka Exp $ */ +/* $Id: dnssec-signzone.c,v 1.227 2009/08/14 01:07:00 each Exp $ */ /*! \file */ @@ -826,6 +826,12 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) { return (ISC_R_NOTFOUND); } + result = dns_db_findnode(db, name, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) { + dns_db_detach(&db); + return (result); + } + dns_rdataset_init(&keyset); result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0, &keyset, NULL); From 3d2ce18535b3d2d828bd40aec7f4686519f305fe Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 Aug 2009 06:17:20 +0000 Subject: [PATCH 023/385] remove false positive for out of date documentation --- util/kit.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/util/kit.sh b/util/kit.sh index b25ba6fb21..e09c4c3fcd 100644 --- a/util/kit.sh +++ b/util/kit.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: kit.sh,v 1.35 2009/07/16 23:47:55 tbox Exp $ +# $Id: kit.sh,v 1.36 2009/08/14 06:17:20 marka Exp $ # Make a release kit # @@ -142,7 +142,16 @@ done # check that documentation has been updated properly; issue a warning # if it hasn't -if test doc/arm/Bv9ARM-book.xml -nt doc/arm/Bv9ARM.html +ok= +for f in doc/arm/*.html +do + if test "$f" -nt doc/arm/Bv9ARM-book.xml + then + ok=ok + fi +done + +if test "$ok" != ok then echo "WARNING: ARM source is newer than the html version." fi From ddc225b15d04e5b7d637d305f4ea3c04df1896bf Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Fri, 14 Aug 2009 06:28:40 +0000 Subject: [PATCH 024/385] 2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076] --- CHANGES | 3 +++ lib/dns/dst_api.c | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 896d0b9651..3c85a2cea9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2651. [bug] Dates could print incorrectly in K*.key files on + 64-bit systems. [RT #20076] + 2650. [bug] Assertion failure in dnssec-signzone when trying to read keyset-* files. [RT #20075] diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 00221e0552..232fba7c0f 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.25 2009/07/29 23:45:24 each Exp $ + * $Id: dst_api.c,v 1.26 2009/08/14 06:28:40 each Exp $ */ /*! \file */ @@ -1138,14 +1138,17 @@ issymmetric(const dst_key_t *key) { static void printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) { isc_result_t result; - isc_stdtime_t when; const char *output; + isc_stdtime_t when; + time_t t; result = dst_key_gettime(key, type, &when); if (result == ISC_R_NOTFOUND) return; - output = ctime((time_t *) &when); + /* time_t and isc_stdtime_t might be different sizes */ + t = when; + output = ctime(&t); fprintf(stream, "%s: %s", tag, output); } From ece6c39dd823d92cf89e7e37614bd458d5d42658 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 14 Aug 2009 07:51:08 +0000 Subject: [PATCH 025/385] missing semicolon --- lib/isc/win32/time.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c index 4c0211da33..aafd70b124 100644 --- a/lib/isc/win32/time.c +++ b/lib/isc/win32/time.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.c,v 1.51 2009/08/13 03:34:10 marka Exp $ */ +/* $Id: time.c,v 1.52 2009/08/14 07:51:08 marka Exp $ */ #include @@ -240,7 +240,7 @@ isc_time_seconds(const isc_time_t *t) { i3 = (i1.QuadPart - i2.QuadPart) / 10000000; - return ((isc_uint32_t)i3) + return ((isc_uint32_t)i3); } isc_uint32_t From 3fe0b63ff113179febc460f616591fecbf334ba1 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 14 Aug 2009 23:18:42 +0000 Subject: [PATCH 026/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index b11d124995..b5e4223ffd 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -48,6 +48,7 @@ marka-xlink new marka // 2009-02-10 02:17 +0000 marka_970 new marka // 2009-06-18 02:50 +0000 marka_libdnsng open marka_tools new marka // 2009-07-23 03:10 +0000 +marka_tools2 new marka // 2009-08-14 10:55 +0000 mlg-20000518 open explorer newresolver0 open openssl_stub open marka From 38cd84d1b37672990ef51b41f2c1dc5e3e7a9878 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 15 Aug 2009 03:11:57 +0000 Subject: [PATCH 027/385] 2652. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() returned a misleading error code when lwresd was down. [RT #20028] --- CHANGES | 4 ++++ lib/lwres/getipnode.c | 20 +++++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 3c85a2cea9..2eb93475bf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2652. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() + returned a misleading error code when lwresd was + down. [RT #20028] + 2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076] diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c index a6c50c28b8..29317c03eb 100644 --- a/lib/lwres/getipnode.c +++ b/lib/lwres/getipnode.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getipnode.c,v 1.42 2007/06/18 23:47:51 tbox Exp $ */ +/* $Id: getipnode.c,v 1.43 2009/08/15 03:11:57 each Exp $ */ /*! \file */ @@ -285,7 +285,10 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) { goto cleanup; } } else { - tmp_err = HOST_NOT_FOUND; + if (n == LWRES_R_NOTFOUND) + tmp_err = HOST_NOT_FOUND; + else + tmp_err = NO_RECOVERY; } } @@ -437,9 +440,15 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) { if (n != 0) { lwres_conf_clear(lwrctx); lwres_context_destroy(&lwrctx); - *error_num = HOST_NOT_FOUND; + + if (n == LWRES_R_NOTFOUND) + *error_num = HOST_NOT_FOUND; + else + *error_num = NO_RECOVERY; + return (NULL); } + he1 = hostfromaddr(by, AF_INET6, src); lwres_gnbaresponse_free(lwrctx, &by); if (he1 == NULL) @@ -836,6 +845,11 @@ copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num) int len = 0; char **cpp, **npp; + + /* If there is an unrecoverable error, the other steps are useless */ + if (*error_num == NO_RECOVERY) + goto no_recovery; + /* * Work out array sizes. */ From 181b990c21c368f1418b96e7f4559662fbfdbd30 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 15 Aug 2009 05:03:14 +0000 Subject: [PATCH 028/385] Back out change #2652 --- CHANGES | 4 ---- lib/lwres/getipnode.c | 20 +++----------------- 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index 2eb93475bf..3c85a2cea9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,3 @@ -2652. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() - returned a misleading error code when lwresd was - down. [RT #20028] - 2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076] diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c index 29317c03eb..4c26f98c59 100644 --- a/lib/lwres/getipnode.c +++ b/lib/lwres/getipnode.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getipnode.c,v 1.43 2009/08/15 03:11:57 each Exp $ */ +/* $Id: getipnode.c,v 1.44 2009/08/15 05:03:14 each Exp $ */ /*! \file */ @@ -285,10 +285,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) { goto cleanup; } } else { - if (n == LWRES_R_NOTFOUND) - tmp_err = HOST_NOT_FOUND; - else - tmp_err = NO_RECOVERY; + tmp_err = HOST_NOT_FOUND; } } @@ -440,15 +437,9 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) { if (n != 0) { lwres_conf_clear(lwrctx); lwres_context_destroy(&lwrctx); - - if (n == LWRES_R_NOTFOUND) - *error_num = HOST_NOT_FOUND; - else - *error_num = NO_RECOVERY; - + *error_num = HOST_NOT_FOUND; return (NULL); } - he1 = hostfromaddr(by, AF_INET6, src); lwres_gnbaresponse_free(lwrctx, &by); if (he1 == NULL) @@ -845,11 +836,6 @@ copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num) int len = 0; char **cpp, **npp; - - /* If there is an unrecoverable error, the other steps are useless */ - if (*error_num == NO_RECOVERY) - goto no_recovery; - /* * Work out array sizes. */ From bde521789ec55f11ac6966d16bcd187e8fa1d4bf Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 15 Aug 2009 23:30:34 +0000 Subject: [PATCH 029/385] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 60febbd9ef..62f8b76ab1 100644 --- a/util/copyrights +++ b/util/copyrights @@ -2322,7 +2322,7 @@ ./lib/lwres/gai_strerror.c C 2000,2001,2004,2005,2006,2007 ./lib/lwres/getaddrinfo.c C.BSDI 1999,2000,2001,2004,2005,2006,2007,2008 ./lib/lwres/gethost.c C 2000,2001,2004,2005,2007 -./lib/lwres/getipnode.c C 1999,2000,2001,2002,2003,2004,2005,2007 +./lib/lwres/getipnode.c C 1999,2000,2001,2002,2003,2004,2005,2007,2009 ./lib/lwres/getnameinfo.c C.PORTION 1999,2000,2001,2003,2004,2005,2007 ./lib/lwres/getrrset.c C 2000,2001,2002,2003,2004,2005,2007 ./lib/lwres/herror.c C.PORTION 2000,2001,2003,2004,2005,2007 From 800fb35bf0c1cfcd82b542944b0d29e1837d8a09 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 15 Aug 2009 23:48:06 +0000 Subject: [PATCH 030/385] update copyright notice --- lib/lwres/getipnode.c | 82 +++++++++++++++++++++---------------------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c index 4c26f98c59..8eb30301ea 100644 --- a/lib/lwres/getipnode.c +++ b/lib/lwres/getipnode.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: getipnode.c,v 1.44 2009/08/15 05:03:14 each Exp $ */ +/* $Id: getipnode.c,v 1.45 2009/08/15 23:48:06 tbox Exp $ */ /*! \file */ @@ -23,7 +23,7 @@ * These functions perform thread safe, protocol independent * nodename-to-address and address-to-nodename translation as defined in * RFC2553. This use a struct hostent which is defined in namedb.h: - * + * * \code * struct hostent { * char *h_name; // official name of host @@ -34,90 +34,90 @@ * }; * #define h_addr h_addr_list[0] // address, for backward compatibility * \endcode - * + * * The members of this structure are: - * + * * \li h_name: * The official (canonical) name of the host. - * + * * \li h_aliases: * A NULL-terminated array of alternate names (nicknames) for the * host. - * + * * \li h_addrtype: * The type of address being returned - usually PF_INET or * PF_INET6. - * + * * \li h_length: * The length of the address in bytes. - * + * * \li h_addr_list: * A NULL terminated array of network addresses for the host. Host * addresses are returned in network byte order. - * + * * lwres_getipnodebyname() looks up addresses of protocol family af for * the hostname name. The flags parameter contains ORed flag bits to * specify the types of addresses that are searched for, and the types of * addresses that are returned. The flag bits are: - * + * * \li #AI_V4MAPPED: * This is used with an af of #AF_INET6, and causes IPv4 addresses * to be returned as IPv4-mapped IPv6 addresses. - * + * * \li #AI_ALL: * This is used with an af of #AF_INET6, and causes all known * addresses (IPv6 and IPv4) to be returned. If #AI_V4MAPPED is * also set, the IPv4 addresses are return as mapped IPv6 * addresses. - * + * * \li #AI_ADDRCONFIG: * Only return an IPv6 or IPv4 address if here is an active * network interface of that type. This is not currently * implemented in the BIND 9 lightweight resolver, and the flag is * ignored. - * + * * \li #AI_DEFAULT: * This default sets the #AI_V4MAPPED and #AI_ADDRCONFIG flag bits. - * + * * lwres_getipnodebyaddr() performs a reverse lookup of address src which * is len bytes long. af denotes the protocol family, typically PF_INET * or PF_INET6. - * + * * lwres_freehostent() releases all the memory associated with the struct * hostent pointer. Any memory allocated for the h_name, h_addr_list * and h_aliases is freed, as is the memory for the hostent structure * itself. - * + * * \section getipnode_return Return Values - * + * * If an error occurs, lwres_getipnodebyname() and * lwres_getipnodebyaddr() set *error_num to an appropriate error code * and the function returns a NULL pointer. The error codes and their * meanings are defined in \link netdb.h \endlink: - * + * * \li #HOST_NOT_FOUND: * No such host is known. - * + * * \li #NO_ADDRESS: * The server recognised the request and the name but no address * is available. Another type of request to the name server for * the domain might return an answer. - * + * * \li #TRY_AGAIN: * A temporary and possibly transient error occurred, such as a * failure of a server to respond. The request may succeed if * retried. - * + * * \li #NO_RECOVERY: * An unexpected failure occurred, and retrying the request is * pointless. - * + * * lwres_hstrerror() translates these error codes to suitable error * messages. - * + * * \section getipnode_see See Also - * - * getaddrinfo.c, gethost.c, getnameinfo.c, herror.c, RFC2553 + * + * getaddrinfo.c, gethost.c, getnameinfo.c, herror.c, RFC2553 */ #include @@ -146,21 +146,21 @@ LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; #ifndef IN6_IS_ADDR_V4COMPAT static const unsigned char in6addr_compat[12] = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; #define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \ - ((x)->s6_addr[12] != 0 || \ - (x)->s6_addr[13] != 0 || \ - (x)->s6_addr[14] != 0 || \ - ((x)->s6_addr[15] != 0 && \ - (x)->s6_addr[15] != 1))) + ((x)->s6_addr[12] != 0 || \ + (x)->s6_addr[13] != 0 || \ + (x)->s6_addr[14] != 0 || \ + ((x)->s6_addr[15] != 0 && \ + (x)->s6_addr[15] != 1))) #endif #ifndef IN6_IS_ADDR_V4MAPPED #define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12)) #endif static const unsigned char in6addr_mapped[12] = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff }; /*** @@ -492,7 +492,7 @@ lwres_freehostent(struct hostent *he) { */ #if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \ - !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) + !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) #ifdef __hpux #define lifc_len iflc_len @@ -504,7 +504,7 @@ lwres_freehostent(struct hostent *he) { #define ISC_HAVE_LIFC_FLAGS 1 #define LIFCONF lifconf #endif - + #ifdef __hpux #define lifr_addr iflr_addr #define lifr_name iflr_name @@ -557,7 +557,7 @@ scan_interfaces6(int *have_v4, int *have_v6) { /* * Some OS's just return what will fit rather * than set EINVAL if the buffer is too small - * to fit all the interfaces in. If + * to fit all the interfaces in. If * lifc.lifc_len is too near to the end of the * buffer we will grow it just in case and * retry. @@ -619,13 +619,13 @@ scan_interfaces6(int *have_v4, int *have_v6) { if ((lifreq.lifr_flags & IFF_UP) == 0) break; *have_v4 = 1; - } + } break; case AF_INET6: if (*have_v6 == 0) { memcpy(&in6, &((struct sockaddr_in6 *) - &lifreq.lifr_addr)->sin6_addr, + &lifreq.lifr_addr)->sin6_addr, sizeof(in6)); if (memcmp(&in6, &in6addr_any, sizeof(in6)) == 0) @@ -675,7 +675,7 @@ scan_interfaces(int *have_v4, int *have_v6) { InitSockets(); #endif #if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \ - !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) + !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF) /* * Try to scan the interfaces using IPv6 ioctls(). */ @@ -721,7 +721,7 @@ scan_interfaces(int *have_v4, int *have_v6) { /* * Some OS's just return what will fit rather * than set EINVAL if the buffer is too small - * to fit all the interfaces in. If + * to fit all the interfaces in. If * ifc.ifc_len is too near to the end of the * buffer we will grow it just in case and * retry. @@ -786,7 +786,7 @@ scan_interfaces(int *have_v4, int *have_v6) { if ((u.ifreq.ifr_flags & IFF_UP) == 0) break; *have_v4 = 1; - } + } break; case AF_INET6: if (*have_v6 == 0) { From 88471538d69a7c21b8b9fd13b489399ad6c26597 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 17 Aug 2009 07:18:41 +0000 Subject: [PATCH 031/385] 2652. [func] Provide more detail about what record is being deleted. [RT #20061] --- CHANGES | 3 +++ bin/named/update.c | 17 +++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 3c85a2cea9..aec8919298 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2652. [func] Provide more detail about what record is being + deleted. [RT #20061] + 2651. [bug] Dates could print incorrectly in K*.key files on 64-bit systems. [RT #20076] diff --git a/bin/named/update.c b/bin/named/update.c index 2f580720ed..ea61500e5c 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.158 2009/07/28 15:45:43 marka Exp $ */ +/* $Id: update.c,v 1.159 2009/08/17 07:18:41 marka Exp $ */ #include @@ -3901,6 +3901,9 @@ update_action(isc_task_t *task, isc_event_t *event) { &diff)); } } else if (update_class == dns_rdataclass_none) { + char namestr[DNS_NAME_FORMATSIZE]; + char typestr[DNS_RDATATYPE_FORMATSIZE]; + /* * The (name == zonename) condition appears in * RFC2136 3.4.2.4 but is missing from the pseudocode. @@ -3928,11 +3931,13 @@ update_action(isc_task_t *task, isc_event_t *event) { } } } - update_log(client, zone, - LOGLEVEL_PROTOCOL, - "deleting an RR"); - CHECK(delete_if(rr_equal_p, db, ver, name, - rdata.type, covers, &rdata, &diff)); + dns_name_format(name, namestr, sizeof(namestr)); + dns_rdatatype_format(rdata.type, typestr, + sizeof(typestr)); + update_log(client, zone, LOGLEVEL_PROTOCOL, + "deleting an RR at %s %s", namestr, typestr); + CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type, + covers, &rdata, &diff)); } } if (result != ISC_R_NOMORE) From 97a2451eea9dfb4ccb8d5c5392142c80b34a7e48 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 Aug 2009 07:45:14 +0000 Subject: [PATCH 032/385] 2653. [bug] Treat ENGINE_load_private_key() failures as key not found rather than out of memory. [RT #18033] --- CHANGES | 3 +++ lib/dns/opensslrsa_link.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index aec8919298..d3c5a34907 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2653. [bug] Treat ENGINE_load_private_key() failures as key + not found rather than out of memory. [RT #18033] + 2652. [func] Provide more detail about what record is being deleted. [RT #20061] diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 131b4cb520..5f1f811795 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.24 2009/07/19 04:18:05 each Exp $ + * $Id: opensslrsa_link.c,v 1.25 2009/08/18 07:45:14 marka Exp $ */ #ifdef OPENSSL #ifndef USE_EVP @@ -806,8 +806,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) { DST_RET(DST_R_NOENGINE); pkey = ENGINE_load_private_key(e, label, NULL, NULL); if (pkey == NULL) { - ERR_print_errors_fp(stderr); - DST_RET(ISC_R_FAILURE); + /* ERR_print_errors_fp(stderr); */ + DST_RET(ISC_R_NOTFOUND); } key->engine = isc_mem_strdup(key->mctx, name); if (key->engine == NULL) @@ -925,7 +925,7 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(DST_R_NOENGINE); pkey = ENGINE_load_private_key(e, label, NULL, NULL); if (pkey == NULL) - DST_RET(ISC_R_NOMEMORY); + DST_RET(ISC_R_NOTFOUND); key->engine = isc_mem_strdup(key->mctx, label); if (key->engine == NULL) DST_RET(ISC_R_NOMEMORY); From 7f7412f12c99c722742d494429a3439d3e38fe66 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 18 Aug 2009 23:18:25 +0000 Subject: [PATCH 033/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index b5e4223ffd..654b7c2741 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -235,6 +235,7 @@ rt20023 new fdupont // 2009-07-31 15:08 +0000 rt20037 new marka // 2009-08-11 07:46 +0000 rt20044 new fdupont // 2009-08-07 18:59 +0000 rt20062 new marka // 2009-08-10 05:00 +0000 +rt20112 new marka // 2009-08-18 05:22 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 34ef21525efa08c217f37e60ed16118b928f494b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 19 Aug 2009 23:38:11 +0000 Subject: [PATCH 034/385] add comments to multi view tsig example --- FAQ.xml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/FAQ.xml b/FAQ.xml index 8c6711405f..7e7a4bab07 100644 --- a/FAQ.xml +++ b/FAQ.xml @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +
Frequently Asked Questions about BIND 9 @@ -323,12 +323,17 @@ Master 10.0.1.1: secret "xxxxxxxx"; }; view "internal" { - match-clients { !key external; 10.0.1/24; }; + match-clients { !key external; // reject message ment for the + // external view. + 10.0.1/24; }; // accept from these addresses. ... }; view "external" { match-clients { key external; any; }; - server 10.0.1.2 { keys external; }; + server 10.0.1.2 { keys external; }; // tag messages from the + // external view to the + // other servers for the + // view. recursion no; ... }; From 80c2098825d4fe5193e12caf895fdfdca83a124b Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 20 Aug 2009 01:13:34 +0000 Subject: [PATCH 035/385] regen --- FAQ | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/FAQ b/FAQ index 2846b31fe0..4df1d764ce 100644 --- a/FAQ +++ b/FAQ @@ -157,12 +157,17 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. secret "xxxxxxxx"; }; view "internal" { - match-clients { !key external; 10.0.1/24; }; + match-clients { !key external; // reject message ment for the + // external view. + 10.0.1/24; }; // accept from these addresses. ... }; view "external" { match-clients { key external; any; }; - server 10.0.1.2 { keys external; }; + server 10.0.1.2 { keys external; }; // tag messages from the + // external view to the + // other servers for the + // view. recursion no; ... }; From 7bae9e718e572e22dc42fe0409575c3a1533d159 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 20 Aug 2009 23:20:50 +0000 Subject: [PATCH 036/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 654b7c2741..6c90b53f71 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -250,6 +250,7 @@ sp1213 open sp1324 new marka // 2007-06-29 05:40 +0000 sp1705 new sp1705a new +sp2708 new marka // 2009-08-20 02:00 +0000 stats_lidl open v6source open v9_1 active // security fixes only From 995f3bc4c4d181b9edd7552ca7a9168c90d09f5d Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Sun, 23 Aug 2009 11:44:44 +0000 Subject: [PATCH 037/385] indent --- lib/bind9/check.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bind9/check.c b/lib/bind9/check.c index b901e3423b..a44831bc51 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.105 2009/07/14 23:47:54 tbox Exp $ */ +/* $Id: check.c,v 1.106 2009/08/23 11:44:44 fdupont Exp $ */ /*! \file */ @@ -709,7 +709,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) { result = ISC_R_FAILURE; } - if(!cfg_obj_isvoid(anchor)) { + if (!cfg_obj_isvoid(anchor)) { dlv = cfg_obj_asstring(anchor); isc_buffer_init(&b, dlv, strlen(dlv)); isc_buffer_add(&b, strlen(dlv)); From 18114698b4fad77aa0f32741cf815cff0def7696 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 Aug 2009 02:42:46 +0000 Subject: [PATCH 038/385] 2654. [bug] Improve error reporting on duplicated names for deny-answer-xxx. [RT #20164] --- CHANGES | 3 +++ bin/named/server.c | 11 +++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index d3c5a34907..ba462c9a4e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2654. [bug] Improve error reporting on duplicated names for + deny-answer-xxx. [RT #20164] + 2653. [bug] Treat ENGINE_load_private_key() failures as key not found rather than out of memory. [RT #18033] diff --git a/bin/named/server.c b/bin/named/server.c index e2d682b583..4246ed79ee 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.540 2009/08/05 17:35:33 each Exp $ */ +/* $Id: server.c,v 1.541 2009/08/25 02:42:46 marka Exp $ */ /*! \file */ @@ -431,7 +431,14 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, * for baz.example.com, which is not the expected result. * We simply use (void *)1 as the dummy data. */ - CHECK(dns_rbt_addname(*rbtp, name, (void *)1)); + result = dns_rbt_addname(*rbtp, name, (void *)1); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR, + "failed to add %s for %s: %s", + str, confname, isc_result_totext(result)); + goto cleanup; + } + } return (result); From a0ba5a502e0ca8049bff7ef4305948566703ea26 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 Aug 2009 02:56:03 +0000 Subject: [PATCH 039/385] 2655. [doc] Document that key-directory does not affect bind.keys, rndc.key or session.key. [RT #20155] --- CHANGES | 3 +++ doc/arm/Bv9ARM-book.xml | 15 +++++++++------ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index ba462c9a4e..1ffad6a3d4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2655. [doc] Document that key-directory does not affect + bind.keys, rndc.key or session.key. [RT #20155] + 2654. [bug] Improve error reporting on duplicated names for deny-answer-xxx. [RT #20164] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 13137cacf4..1c94c42435 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -5118,11 +5118,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. + directory where the public and private DNSSEC key files + should be found, if different than the current working + directory. The directory specified must be an absolute + path. (Note that this option has no effect on the paths + for files containing non-DNSSEC keys such as + bind.keys, + rndc.key or + session.key.) From 2bee3c2e705cdcc969cfcf5e9fda817563c19449 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 Aug 2009 06:47:06 +0000 Subject: [PATCH 040/385] CHANGES --- bin/win32/BINDInstall/BINDInstall.rc | 110 ++++++-------- bin/win32/BINDInstall/BINDInstallDlg.cpp | 182 ++++++++++++----------- bin/win32/BINDInstall/BINDInstallDlg.h | 3 +- bin/win32/BINDInstall/resource.h | 1 + 4 files changed, 149 insertions(+), 147 deletions(-) diff --git a/bin/win32/BINDInstall/BINDInstall.rc b/bin/win32/BINDInstall/BINDInstall.rc index 8bcb636b2e..8e94734689 100644 --- a/bin/win32/BINDInstall/BINDInstall.rc +++ b/bin/win32/BINDInstall/BINDInstall.rc @@ -1,4 +1,4 @@ -//Microsoft Developer Studio generated resource script. +// Microsoft Visual C++ generated resource script. // #include "resource.h" @@ -27,18 +27,18 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US // TEXTINCLUDE // -1 TEXTINCLUDE DISCARDABLE +1 TEXTINCLUDE BEGIN "resource.h\0" END -2 TEXTINCLUDE DISCARDABLE +2 TEXTINCLUDE BEGIN "#include ""afxres.h""\r\n" "\0" END -3 TEXTINCLUDE DISCARDABLE +3 TEXTINCLUDE BEGIN "#define _AFX_NO_SPLITTER_RESOURCES\r\n" "#define _AFX_NO_OLE_RESOURCES\r\n" @@ -66,73 +66,65 @@ END // Icon with lowest ID value placed first to ensure application icon // remains consistent on all systems. -IDR_MAINFRAME ICON DISCARDABLE "res\\BINDInstall.ico" +IDR_MAINFRAME ICON "res\\BINDInstall.ico" ///////////////////////////////////////////////////////////////////////////// // // Dialog // -IDD_BINDINSTALL_DIALOG DIALOGEX 0, 0, 210, 301 -STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | - WS_SYSMENU +IDD_BINDINSTALL_DIALOG DIALOGEX 0, 0, 210, 311 +STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU EXSTYLE WS_EX_APPWINDOW CAPTION "BIND 9 Installer" -FONT 8, "MS Sans Serif",0,0,0x1 +FONT 8, "MS Sans Serif", 0, 0, 0x1 BEGIN EDITTEXT IDC_TARGETDIR,7,62,196,14,ES_AUTOHSCROLL EDITTEXT IDC_ACCOUNT_NAME,7,94,196,14,ES_AUTOHSCROLL - EDITTEXT IDC_ACCOUNT_PASSWORD,7,122,196,14,ES_PASSWORD | - ES_AUTOHSCROLL - EDITTEXT IDC_ACCOUNT_PASSWORD_CONFIRM,7,151,196,14,ES_PASSWORD | - ES_AUTOHSCROLL + EDITTEXT IDC_ACCOUNT_PASSWORD,7,122,196,14,ES_PASSWORD | ES_AUTOHSCROLL + EDITTEXT IDC_ACCOUNT_PASSWORD_CONFIRM,7,151,196,14,ES_PASSWORD | ES_AUTOHSCROLL DEFPUSHBUTTON "&Install",IDC_INSTALL,153,7,50,14 PUSHBUTTON "E&xit",IDC_EXIT,153,39,50,14 - CONTROL "&Automatic Startup",IDC_AUTO_START,"Button", - BS_AUTOCHECKBOX | WS_TABSTOP,14,190,72,10 + CONTROL "&Tools Only",IDC_TOOLS_ONLY,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,185,72,10 + CONTROL "&Automatic Startup",IDC_AUTO_START,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,195,72,10 CONTROL "&Keep Config Files After Uninstall",IDC_KEEP_FILES, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,200,116,10 - CONTROL "&Start BIND Service After Install",IDC_START,"Button", - BS_AUTOCHECKBOX | WS_TABSTOP,14,210,113,10 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,205,116,10 + CONTROL "&Start BIND Service After Install",IDC_START,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,14,215,113,10 PUSHBUTTON "&Uninstall",IDC_UNINSTALL,153,23,50,14 PUSHBUTTON "Browse",IDC_BROWSE,7,22,50,14 LTEXT "Target Directory:",IDC_STATIC,7,53,54,8 - GROUPBOX "Progress",IDC_STATIC,7,224,196,70 - RTEXT "",IDC_COPY_TAG,14,261,78,8 - LTEXT "",IDC_COPY_FILE,105,261,90,8 - RTEXT "",IDC_SERVICE_TAG,15,271,77,8 - LTEXT "",IDC_REG_SERVICE,105,271,89,8 - RTEXT "",IDC_MESSAGE_TAG,15,281,77,8 - LTEXT "",IDC_REG_MESSAGE,105,281,88,8 - RTEXT "",IDC_DIR_TAG,15,251,77,8 - GROUPBOX "Options",IDC_STATIC,7,172,196,49 - CTEXT "Version Unknown",IDC_VERSION,7,7,61,10,SS_CENTERIMAGE | - SS_SUNKEN - RTEXT "Current Operation:",IDC_CURRENT_TAG,34,235,58,8 - LTEXT "",IDC_CURRENT,105,235,90,8 - LTEXT "",IDC_CREATE_DIR,105,251,88,8 + GROUPBOX "Progress",IDC_STATIC,7,234,196,70 + RTEXT "",IDC_COPY_TAG,14,271,78,8 + LTEXT "",IDC_COPY_FILE,105,271,90,8 + RTEXT "",IDC_SERVICE_TAG,15,281,77,8 + LTEXT "",IDC_REG_SERVICE,105,281,89,8 + RTEXT "",IDC_MESSAGE_TAG,15,291,77,8 + LTEXT "",IDC_REG_MESSAGE,105,291,88,8 + RTEXT "",IDC_DIR_TAG,15,261,77,8 + GROUPBOX "Options",IDC_STATIC,7,172,196,60 + CTEXT "Version Unknown",IDC_VERSION,7,7,61,10,SS_CENTERIMAGE | SS_SUNKEN + RTEXT "Current Operation:",IDC_CURRENT_TAG,34,245,58,8 + LTEXT "",IDC_CURRENT,105,245,90,8 + LTEXT "",IDC_CREATE_DIR,105,261,88,8 LTEXT "Service Account Name",IDC_STATIC,7,84,74,8 LTEXT "Service Account Password",IDC_STATIC,7,112,86,8 - LTEXT "Confirm Service Account Password",IDC_STATIC,7,140,112, - 8 + LTEXT "Confirm Service Account Password",IDC_STATIC,7,140,112,8 END -IDD_BROWSE DIALOG DISCARDABLE 0, 0, 227, 117 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU +IDD_BROWSE DIALOG 0, 0, 227, 117 +STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Select Directory" FONT 8, "MS Sans Serif" BEGIN DEFPUSHBUTTON "OK",IDOK,170,7,50,14 PUSHBUTTON "Cancel",IDCANCEL,170,24,50,14 - LISTBOX IDC_DIRLIST,7,28,155,82,LBS_SORT | LBS_NOINTEGRALHEIGHT | - WS_VSCROLL | WS_TABSTOP + LISTBOX IDC_DIRLIST,7,28,155,82,LBS_SORT | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_TABSTOP EDITTEXT IDC_CURDIR,7,7,155,14,ES_AUTOHSCROLL - COMBOBOX IDC_DRIVES,170,98,50,74,CBS_DROPDOWNLIST | CBS_SORT | - WS_VSCROLL | WS_TABSTOP + COMBOBOX IDC_DRIVES,170,98,50,74,CBS_DROPDOWNLIST | CBS_SORT | WS_VSCROLL | WS_TABSTOP END -IDD_DIALOG1 DIALOG DISCARDABLE 0, 0, 186, 95 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU +IDD_DIALOG1 DIALOG 0, 0, 186, 95 +STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Dialog" FONT 8, "MS Sans Serif" BEGIN @@ -141,7 +133,6 @@ BEGIN END -#ifndef _MAC ///////////////////////////////////////////////////////////////////////////// // // Version @@ -164,18 +155,14 @@ BEGIN BEGIN BLOCK "040904b0" BEGIN - VALUE "Comments", "\0" - VALUE "CompanyName", "Internet Software Consortium\0" - VALUE "FileDescription", "ISC BIND Install Utility\0" - VALUE "FileVersion", "2.0.0\0" - VALUE "InternalName", "BINDInstall\0" - VALUE "LegalCopyright", "Copyright © 2000\0" - VALUE "LegalTrademarks", "\0" - VALUE "OriginalFilename", "BINDInstall.EXE\0" - VALUE "PrivateBuild", "\0" - VALUE "ProductName", "ISC BIND\0" - VALUE "ProductVersion", "9.3.0\0" - VALUE "SpecialBuild", "\0" + VALUE "CompanyName", "Internet Software Consortium" + VALUE "FileDescription", "ISC BIND Install Utility" + VALUE "FileVersion", "2.0.0" + VALUE "InternalName", "BINDInstall" + VALUE "LegalCopyright", "Copyright © 2000" + VALUE "OriginalFilename", "BINDInstall.EXE" + VALUE "ProductName", "ISC BIND" + VALUE "ProductVersion", "9.7.0" END END BLOCK "VarFileInfo" @@ -184,8 +171,6 @@ BEGIN END END -#endif // !_MAC - ///////////////////////////////////////////////////////////////////////////// // @@ -193,7 +178,7 @@ END // #ifdef APSTUDIO_INVOKED -GUIDELINES DESIGNINFO DISCARDABLE +GUIDELINES DESIGNINFO BEGIN IDD_BINDINSTALL_DIALOG, DIALOG BEGIN @@ -212,6 +197,7 @@ BEGIN HORZGUIDE, 265 HORZGUIDE, 275 HORZGUIDE, 285 + HORZGUIDE, 295 END IDD_BROWSE, DIALOG @@ -238,7 +224,7 @@ END // String Table // -STRINGTABLE DISCARDABLE +STRINGTABLE BEGIN IDS_MAINFRAME "BIND 9 Installer" IDS_CREATEDIR "Directory %s does not exist.\nDo you wish to create it?" @@ -253,7 +239,7 @@ BEGIN IDS_UNINSTALL_DONE "BIND Uninstall Completed" END -STRINGTABLE DISCARDABLE +STRINGTABLE BEGIN IDS_CREATE_KEY "Creating BIND registry key" IDS_ADD_REMOVE "Setting up Add/Remove Programs entry" @@ -273,7 +259,7 @@ BEGIN IDS_START_SERVICE "Starting BIND service" END -STRINGTABLE DISCARDABLE +STRINGTABLE BEGIN IDS_UNINSTALL_DIR "Remove Directories..." IDS_UNINSTALL_FILES "Delete Files..." @@ -293,7 +279,7 @@ BEGIN IDS_ERR_CREATE_KEY "An error occured while creating registry keys\n(%s)" END -STRINGTABLE DISCARDABLE +STRINGTABLE BEGIN IDS_ERR_SET_VALUE "An error occured while setting registry key values\n(%s)" IDS_NO_VERSION "Version Unknown" diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 2a43a85f14..581f3be3fb 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.42 2009/07/17 06:25:42 each Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.43 2009/08/25 06:47:06 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -102,61 +102,60 @@ typedef struct _filedata { int destination; int importance; BOOL checkVer; - + BOOL withTools; } FileData; const FileData installFiles[] = { #ifdef BINARIES_INSTALL # ifdef DEBUG_BINARIES - {"msvcrtd.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"msvcrtd.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, # endif # ifdef RELEASE_BINARIES - {"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"msvcrt.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, # endif #endif #if _MSC_VER < 1400 #if _MSC_VER >= 1310 - {"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE}, - {"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"mfc71.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, + {"msvcr71.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, #elif _MSC_VER > 1200 && _MSC_VER < 1310 - {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE}, - {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE}, + {"mfc70.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, + {"msvcr70.dll", FileData::WinSystem, FileData::Critical, TRUE, TRUE}, #endif #endif - {"bindevt.dll", FileData::BinDir, FileData::Normal, FALSE}, - {"libbind9.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"libisc.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"libdns.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"liblwres.dll", FileData::BinDir, FileData::Critical, FALSE}, - {"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE}, + {"bindevt.dll", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"libbind9.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"libisc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"liblwres.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, + {"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, #ifdef HAVE_LIBXML2 - {"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE}, + {"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, #endif - {"named.exe", FileData::BinDir, FileData::Critical, FALSE}, - {"nsupdate.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"BINDInstall.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"rndc.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dig.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"host.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"nslookup.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"ddns-confgen.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-keygen.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-signzone.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-dsfromkey.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-keyfromlabel.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"dnssec-revoke.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"named-checkconf.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE}, - {"readme1st.txt", FileData::BinDir, FileData::Trivial, FALSE}, + {"named.exe", FileData::BinDir, FileData::Critical, FALSE, FALSE}, + {"nsupdate.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"BINDInstall.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"rndc.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dig.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"host.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"nslookup.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE}, + {"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"ddns-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dnssec-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dnssec-signzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dnssec-dsfromkey.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dnssec-keyfromlabel.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"dnssec-revoke.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"named-checkconf.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE}, + {"readme1st.txt", FileData::BinDir, FileData::Trivial, FALSE, TRUE}, {NULL, -1, -1} }; - ///////////////////////////////////////////////////////////////////////////// // CBINDInstallDlg dialog @@ -167,6 +166,7 @@ CBINDInstallDlg::CBINDInstallDlg(CWnd* pParent /*=NULL*/) //{{AFX_DATA_INIT(CBINDInstallDlg) m_targetDir = _T(""); m_version = _T(""); + m_toolsOnly = FALSE; m_autoStart = FALSE; m_keepFiles = FALSE; m_current = _T(""); @@ -201,6 +201,7 @@ void CBINDInstallDlg::DoDataExchange(CDataExchange* pDX) { DDX_Text(pDX, IDC_ACCOUNT_NAME, m_accountName); DDX_Text(pDX, IDC_ACCOUNT_PASSWORD, m_accountPassword); DDX_Text(pDX, IDC_ACCOUNT_PASSWORD_CONFIRM, m_accountPasswordConfirm); + DDX_Check(pDX, IDC_TOOLS_ONLY, m_toolsOnly); DDX_Check(pDX, IDC_AUTO_START, m_autoStart); DDX_Check(pDX, IDC_KEEP_FILES, m_keepFiles); DDX_Text(pDX, IDC_CURRENT, m_current); @@ -409,48 +410,50 @@ void CBINDInstallDlg::OnInstall() { UpdateData(); - /* - * Check that the Passwords entered match. - */ - if (m_accountPassword != m_accountPasswordConfirm) { - MsgBox(IDS_ERR_PASSWORD); - return; - } - - /* - * Check that there is not leading / trailing whitespace. - * This is for compatibility with the standard password dialog. - * Passwords really should be treated as opaque blobs. - */ - oldlen = m_accountPassword.GetLength(); - m_accountPassword.TrimLeft(); - m_accountPassword.TrimRight(); - if (m_accountPassword.GetLength() != oldlen) { - MsgBox(IDS_ERR_WHITESPACE); - return; - } - - /* - * Check the entered account name. - */ - if (ValidateServiceAccount() == FALSE) - return; - - /* - * For Registration we need to know if account was changed. - */ - if (m_accountName != m_currentAccount) - m_accountUsed = FALSE; - - if (m_accountUsed == FALSE && m_serviceExists == FALSE) - { - /* - * Check that the Password is not null. - */ - if (m_accountPassword.GetLength() == 0) { - MsgBox(IDS_ERR_NULLPASSWORD); + if (!m_toolsOnly) { + /* + * Check that the Passwords entered match. + */ + if (m_accountPassword != m_accountPasswordConfirm) { + MsgBox(IDS_ERR_PASSWORD); return; } + + /* + * Check that there is not leading / trailing whitespace. + * This is for compatibility with the standard password dialog. + * Passwords really should be treated as opaque blobs. + */ + oldlen = m_accountPassword.GetLength(); + m_accountPassword.TrimLeft(); + m_accountPassword.TrimRight(); + if (m_accountPassword.GetLength() != oldlen) { + MsgBox(IDS_ERR_WHITESPACE); + return; + } + + /* + * Check the entered account name. + */ + if (ValidateServiceAccount() == FALSE) + return; + + /* + * For Registration we need to know if account was changed. + */ + if (m_accountName != m_currentAccount) + m_accountUsed = FALSE; + + if (m_accountUsed == FALSE && m_serviceExists == FALSE) + { + /* + * Check that the Password is not null. + */ + if (m_accountPassword.GetLength() == 0) { + MsgBox(IDS_ERR_NULLPASSWORD); + return; + } + } } /* Directories */ @@ -473,14 +476,16 @@ void CBINDInstallDlg::OnInstall() { } } - if (m_accountExists == FALSE) { - success = CreateServiceAccount(m_accountName.GetBuffer(30), - m_accountPassword.GetBuffer(30)); - if (success == FALSE) { - MsgBox(IDS_CREATEACCOUNT_FAILED); - return; + if (!m_toolsOnly) { + if (m_accountExists == FALSE) { + success = CreateServiceAccount(m_accountName.GetBuffer(30), + m_accountPassword.GetBuffer(30)); + if (success == FALSE) { + MsgBox(IDS_CREATEACCOUNT_FAILED); + return; + } + m_accountExists = TRUE; } - m_accountExists = TRUE; } ProgramGroup(FALSE); @@ -505,7 +510,8 @@ void CBINDInstallDlg::OnInstall() { try { CreateDirs(); CopyFiles(); - RegisterService(); + if (!m_toolsOnly) + RegisterService(); RegisterMessages(); HKEY hKey; @@ -606,6 +612,8 @@ void CBINDInstallDlg::CopyFiles() { CString destFile; for (int i = 0; installFiles[i].filename; i++) { + if (m_toolsOnly && !installFiles[i].withTools) + continue; SetCurrent(IDS_COPY_FILE, installFiles[i].filename); destFile = DestDir(installFiles[i].destination) + "\\" + @@ -784,6 +792,9 @@ CBINDInstallDlg::RegisterService() { SC_HANDLE hService; CString StartName = ".\\" + m_accountName; + if(m_toolsOnly) + return; + /* * We need to change the service rather than create it * if the service already exists. Do nothing if we are already @@ -839,6 +850,9 @@ CBINDInstallDlg::UpdateService() { SC_HANDLE hService; CString StartName = ".\\" + m_accountName; + if(m_toolsOnly) + return; + SetCurrent(IDS_OPEN_SCM); hSCManager= OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (!hSCManager) { diff --git a/bin/win32/BINDInstall/BINDInstallDlg.h b/bin/win32/BINDInstall/BINDInstallDlg.h index 597f7a3636..927e6c1da6 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.h +++ b/bin/win32/BINDInstall/BINDInstallDlg.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.h,v 1.8 2007/06/19 23:47:07 tbox Exp $ */ +/* $Id: BINDInstallDlg.h,v 1.9 2009/08/25 06:47:06 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -48,6 +48,7 @@ public: CString m_version; BOOL m_autoStart; BOOL m_keepFiles; + BOOL m_toolsOnly; CString m_current; BOOL m_startOnInstall; //}}AFX_DATA diff --git a/bin/win32/BINDInstall/resource.h b/bin/win32/BINDInstall/resource.h index 14b50846aa..b176fe0930 100644 --- a/bin/win32/BINDInstall/resource.h +++ b/bin/win32/BINDInstall/resource.h @@ -90,6 +90,7 @@ #define IDC_ACCOUNT_NAME 1030 #define IDC_ACCOUNT_PASSWORD 1031 #define IDC_ACCOUNT_PASSWORD_CONFIRM 1032 +#define IDC_TOOLS_ONLY 1033 // Next default values for new objects // From 7179c3476f676bc8c520583b3ed7a738aa8eeee2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 Aug 2009 06:47:32 +0000 Subject: [PATCH 041/385] 2656. [func] win32: add a "tools only" check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevent dlls. [RT #19998] --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 1ffad6a3d4..380cfde775 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2656. [func] win32: add a "tools only" check box to the installer + which causes it to only install dig, host, nslookup, + nsupdate and relevent dlls. [RT #19998] + 2655. [doc] Document that key-directory does not affect bind.keys, rndc.key or session.key. [RT #20155] From 11b4f17027f4cf67d494eb89a8d2ea919dd16615 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 25 Aug 2009 07:41:28 +0000 Subject: [PATCH 042/385] 2657. [cleanup] Lower "journal file does not exist, creating it" log level to debug 1. [RT #20058] --- CHANGES | 3 +++ lib/dns/journal.c | 8 +++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 380cfde775..4872132018 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2657. [cleanup] Lower "journal file does not exist, creating it" + log level to debug 1. [RT #20058] + 2656. [func] win32: add a "tools only" check box to the installer which causes it to only install dig, host, nslookup, nsupdate and relevent dlls. [RT #19998] diff --git a/lib/dns/journal.c b/lib/dns/journal.c index b797021531..bc1ba0cdda 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: journal.c,v 1.105 2009/01/17 23:47:42 tbox Exp $ */ +/* $Id: journal.c,v 1.106 2009/08/25 07:41:28 marka Exp $ */ #include @@ -562,11 +562,9 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write, if (result == ISC_R_FILENOTFOUND) { if (create) { - isc_log_write(JOURNAL_COMMON_LOGARGS, - ISC_LOG_INFO, + isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(1), "journal file %s does not exist, " - "creating it", - j->filename); + "creating it", j->filename); CHECK(journal_file_create(mctx, filename)); /* * Retry. From 3a9593055ead76cbbb417aee2d2e656c2c92cf46 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 25 Aug 2009 23:30:31 +0000 Subject: [PATCH 043/385] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index 62f8b76ab1..dfb08a94f6 100644 --- a/util/copyrights +++ b/util/copyrights @@ -956,9 +956,9 @@ ./bin/win32/BINDInstall/BINDInstall.dsw X 2001 ./bin/win32/BINDInstall/BINDInstall.h C.PORTION 2001,2004,2007 ./bin/win32/BINDInstall/BINDInstall.mak X 2001,2006,2007,2009 -./bin/win32/BINDInstall/BINDInstall.rc X 2001,2005 +./bin/win32/BINDInstall/BINDInstall.rc X 2001,2005,2009 ./bin/win32/BINDInstall/BINDInstallDlg.cpp C.PORTION 2001,2003,2004,2005,2006,2007,2008,2009 -./bin/win32/BINDInstall/BINDInstallDlg.h C.PORTION 2001,2004,2007 +./bin/win32/BINDInstall/BINDInstallDlg.h C.PORTION 2001,2004,2007,2009 ./bin/win32/BINDInstall/DirBrowse.cpp C.PORTION 2001,2004,2007 ./bin/win32/BINDInstall/DirBrowse.h C.PORTION 2001,2004,2007 ./bin/win32/BINDInstall/StdAfx.cpp X 2001 @@ -967,7 +967,7 @@ ./bin/win32/BINDInstall/VersionInfo.h X 2001 ./bin/win32/BINDInstall/res/BINDInstall.ico X 2001 ./bin/win32/BINDInstall/res/BINDInstall.rc2 X 2001 -./bin/win32/BINDInstall/resource.h X 2001,2005 +./bin/win32/BINDInstall/resource.h X 2001,2005,2009 ./bind.keys X 2009 ./config.guess X 1998,1999,2000,2001,2004,2009 ./config.h.in X 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 From da035d9f4429b9679e537542b2ab9a7c279cf2df Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 25 Aug 2009 23:47:51 +0000 Subject: [PATCH 044/385] update copyright notice --- bin/named/server.c | 4 ++-- bin/win32/BINDInstall/BINDInstallDlg.h | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 4246ed79ee..7302cdf064 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.541 2009/08/25 02:42:46 marka Exp $ */ +/* $Id: server.c,v 1.542 2009/08/25 23:47:51 tbox Exp $ */ /*! \file */ @@ -438,7 +438,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config, str, confname, isc_result_totext(result)); goto cleanup; } - + } return (result); diff --git a/bin/win32/BINDInstall/BINDInstallDlg.h b/bin/win32/BINDInstall/BINDInstallDlg.h index 927e6c1da6..f8e02968c0 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.h +++ b/bin/win32/BINDInstall/BINDInstallDlg.h @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.h,v 1.9 2009/08/25 06:47:06 marka Exp $ */ +/* $Id: BINDInstallDlg.h,v 1.10 2009/08/25 23:47:51 tbox Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -78,7 +78,7 @@ protected: void RegisterMessages(); void UnregisterMessages(BOOL uninstall); - + void FailedInstall(); void SetItemStatus(UINT nID, BOOL bSuccess = TRUE); @@ -92,7 +92,7 @@ protected: BOOL CheckBINDService(); void SetCurrent(int id, ...); void ProgramGroup(BOOL create = TRUE); - + HICON m_hIcon; CString m_defaultDir; CString m_etcDir; @@ -107,7 +107,7 @@ protected: CString m_accountPasswordConfirm; CString m_accountPassword; BOOL m_serviceExists; - + // Generated message map functions //{{AFX_MSG(CBINDInstallDlg) virtual BOOL OnInitDialog(); From f8da2eefea1ea17bb233fa8c0c9b18404075dd9c Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 26 Aug 2009 01:14:39 +0000 Subject: [PATCH 045/385] regen --- doc/arm/Bv9ARM.ch06.html | 97 ++++++++------- doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 42 +++---- doc/arm/man.ddns-confgen.html | 10 +- doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 12 +- doc/arm/man.dnssec-keygen.html | 16 +-- doc/arm/man.dnssec-revoke.html | 10 +- doc/arm/man.dnssec-settime.html | 12 +- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- 21 files changed, 281 insertions(+), 278 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 6f0db4c09d..1f107e91f5 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -78,25 +78,25 @@
server Statement Definition and Usage
statistics-channels Statement Grammar
-
statistics-channels Statement Definition and +
statistics-channels Statement Definition and Usage
-
trusted-keys Statement Grammar
-
trusted-keys Statement Definition +
trusted-keys Statement Grammar
+
trusted-keys Statement Definition and Usage
view Statement Grammar
-
view Statement Definition and Usage
+
view Statement Definition and Usage
zone Statement Grammar
-
zone Statement Definition and Usage
+
zone Statement Definition and Usage
-
Zone File
+
Zone File
Types of Resource Records and When to Use Them
-
Discussion of MX Records
+
Discussion of MX Records
Setting TTLs
-
Inverse Mapping in IPv4
-
Other Zone File Directives
-
BIND Master File Extension: the $GENERATE Directive
+
Inverse Mapping in IPv4
+
Other Zone File Directives
+
BIND Master File Extension: the $GENERATE Directive
Additional File Formats
BIND9 Statistics
@@ -2345,11 +2345,14 @@ badresp:1,adberr:0,findfail:0,valfail:0]
key-directory

When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. + directory where the public and private DNSSEC key files + should be found, if different than the current working + directory. The directory specified must be an absolute + path. (Note that this option has no effect on the paths + for files containing non-DNSSEC keys such as + bind.keys, + rndc.key or + session.key.)

named-xfer

@@ -3344,7 +3347,7 @@ options {

-Forwarding

+Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3388,7 +3391,7 @@ options {

-Dual-stack Servers

+Dual-stack Servers

Dual-stack servers are used as servers of last resort to work around @@ -3585,7 +3588,7 @@ options {

-Interfaces

+Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4037,7 +4040,7 @@ avoid-v6-udp-ports {};

-UDP Port Lists

+UDP Port Lists

use-v4-udp-ports, avoid-v4-udp-ports, @@ -4079,7 +4082,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Operating System Resource Limits

+Operating System Resource Limits

The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4241,7 +4244,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Periodic Task Intervals

+Periodic Task Intervals
cleaning-interval

@@ -5037,7 +5040,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

-Content Filtering

+Content Filtering

BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5367,7 +5370,7 @@ deny-answer-aliases { "example.net"; };

-statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

The statistics-channels statement @@ -5418,7 +5421,7 @@ deny-answer-aliases { "example.net"; };

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5427,7 +5430,7 @@ deny-answer-aliases { "example.net"; };
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -5486,7 +5489,7 @@ deny-answer-aliases { "example.net"; };
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -5763,10 +5766,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 
@@ -5977,7 +5980,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -5999,7 +6002,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -6629,7 +6632,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -6642,7 +6645,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7379,7 +7382,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7582,7 +7585,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7838,7 +7841,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -7899,7 +7902,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -7914,7 +7917,7 @@ zone zone_name [
 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -7925,7 +7928,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -7954,7 +7957,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -7990,7 +7993,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -8009,7 +8012,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -8433,7 +8436,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -8990,7 +8993,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 
 

 
 
@@ -9144,7 +9147,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 
 

 
 
@@ -9527,7 +9530,7 @@ HOST-127.EXAMPLE. MX 0 .
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9682,7 +9685,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 5c4323bc0f..c6fc069927 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -122,7 +122,7 @@ zone "example.com" {
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 1139185e6c..f4e98172e6 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

-Common Problems

+Common Problems

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 3bb57609c8..808129c540 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@
           

 

 

-Bibliography

+Bibliography

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -268,42 +268,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -312,19 +312,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -332,146 +332,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -487,47 +487,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -541,39 +541,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -594,14 +594,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 7f3d40e96f..879373bf6f 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,25 +157,25 @@
 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 
-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -184,31 +184,31 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 2daff74c2d..a48315c160 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -142,7 +142,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index d4f981c8a9..8b549917ec 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -144,7 +144,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index c6621d4a5a..85948d9163 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -117,7 +117,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -132,7 +132,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -146,13 +146,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -161,7 +161,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index cf9ce003b8..2c371f25ac 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-K directory] [-n nametype] [-p protocol] [-t type] [-v level] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -135,7 +135,7 @@
 

 

 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -176,7 +176,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -186,7 +186,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 0f90985c17..21c470ab55 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -221,7 +221,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -266,7 +266,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -312,7 +312,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -333,7 +333,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -342,7 +342,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index d2f8c78062..3f779c449b 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -86,14 +86,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 7f91c32087..37e501ebf7 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -101,7 +101,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,7 +146,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -154,7 +154,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index ce90b1e3ab..9a15b846aa 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -344,7 +344,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -373,14 +373,14 @@ db.example.com.signed
 %
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index afbcc463e9..740854b70c 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 06f5cebcf7..fe87002bb7 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -96,21 +96,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 699121b03c..432829661f 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -257,14 +257,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 1ef55447cc..efd43f4dad 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -238,7 +238,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -289,7 +289,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 7016c2630a..415d741be1 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -546,7 +546,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 765c78dae7..208c227d41 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -173,7 +173,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 99959268e3..7d1fd29623 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 1fa2708abe..1b62c0c033 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -151,7 +151,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From de10c46b2a714b0fb74837da7867f55cccc6d261 Mon Sep 17 00:00:00 2001
From: Jeremy Reed 
Date: Wed, 26 Aug 2009 21:34:44 +0000
Subject: [PATCH 046/385] Add -l to synopsis. For RT BUG 20147. Not adding a
 CHANGES entry as is so minor and the -l addition is in 2630 which is not in
 any official release. Also update the date for the manual page.

---
 bin/nsupdate/nsupdate.docbook | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 242118b0a6..ab234b498b 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,10 +18,10 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
-    Jun 30, 2000
+    Aug 25, 2009
   
   
     nsupdate
@@ -60,6 +60,7 @@
       
 	
 	
+	
         
         
       

From 35490da6150316932957908f2f85109ecf9f7c59 Mon Sep 17 00:00:00 2001
From: Jeremy Reed 
Date: Wed, 26 Aug 2009 21:56:05 +0000
Subject: [PATCH 047/385] Update date for manpage. Add -l to synopsis sections.
 (It is already documented.) Mention the RFC number for DLV. Not adding a
 CHANGES entry. No official release since this was added. The previous CHANGES
 entries for this are 2611 and 2636.

---
 bin/dnssec/dnssec-dsfromkey.docbook | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index 7f777b7645..df24df14e8 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -17,10 +17,10 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
-    November 29, 2008
+    August 26, 2009
   
 
   
@@ -49,6 +49,7 @@
       
       
       
+      
       keyfile
     
     
@@ -58,6 +59,7 @@
       
       
       
+      
       
       
       
@@ -150,6 +152,8 @@
             Generate a DLV set instead of a DS set.  The specified
              is appended to the name for each
             record in the set.
+            The DNSSEC Lookaside Validation (DLV) RR is described
+            in RFC 4431.
           
         
       
@@ -233,6 +237,7 @@
       ,
       BIND 9 Administrator Reference Manual,
       RFC 3658,
+      RFC 4431.
       RFC 4509.
     
   

From 163af735c2082a024167be111d27bd5b5ff4f462 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 27 Aug 2009 01:14:39 +0000
Subject: [PATCH 048/385] regen

---
 bin/dnssec/dnssec-dsfromkey.8        | 13 +++++++------
 bin/dnssec/dnssec-dsfromkey.html     | 23 +++++++++++++----------
 bin/nsupdate/nsupdate.1              |  8 ++++----
 bin/nsupdate/nsupdate.html           | 16 ++++++++--------
 doc/arm/man.ddns-confgen.html        | 10 +++++-----
 doc/arm/man.dnssec-dsfromkey.html    | 23 +++++++++++++----------
 doc/arm/man.dnssec-keyfromlabel.html | 12 ++++++------
 doc/arm/man.dnssec-keygen.html       | 16 ++++++++--------
 doc/arm/man.dnssec-revoke.html       | 10 +++++-----
 doc/arm/man.dnssec-settime.html      | 12 ++++++------
 doc/arm/man.dnssec-signzone.html     | 12 ++++++------
 doc/arm/man.named-checkconf.html     | 12 ++++++------
 doc/arm/man.named-checkzone.html     | 12 ++++++------
 doc/arm/man.named.html               | 16 ++++++++--------
 doc/arm/man.nsupdate.html            | 16 ++++++++--------
 doc/arm/man.rndc-confgen.html        | 12 ++++++------
 doc/arm/man.rndc.conf.html           | 12 ++++++------
 doc/arm/man.rndc.html                | 12 ++++++------
 18 files changed, 127 insertions(+), 120 deletions(-)

diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 9fd4cec249..907c1083c7 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -12,18 +12,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-dsfromkey.8,v 1.10 2009/07/19 04:27:55 tbox Exp $
+.\" $Id: dnssec-dsfromkey.8,v 1.11 2009/08/27 01:14:39 tbox Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: dnssec\-dsfromkey
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 
-.\"      Date: November 29, 2008
+.\"      Date: August 26, 2009
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -32,9 +32,9 @@
 dnssec\-dsfromkey \- DNSSEC DS RR generation tool
 .SH "SYNOPSIS"
 .HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
 .HP 17
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-dsfromkey\fR
@@ -82,7 +82,7 @@ Include ZSK's when generating DS records. Without this option, only keys which h
 .RS 4
 Generate a DLV set instead of a DS set. The specified
 \fBdomain\fR
-is appended to the name for each record in the set.
+is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
 .RE
 .PP
 \-s
@@ -133,6 +133,7 @@ A keyfile error can give a "file not found" even if the file exists.
 \fBdnssec\-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
 RFC 3658,
+RFC 4431.
 RFC 4509.
 .SH "AUTHOR"
 .PP
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index e143f3106c..45f9a3ac20 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -29,18 +29,18 @@
 

 

 
Synopsis

-
dnssec-dsfromkey  [-v level] [-1] [-2] [-a alg] {keyfile}

-
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

+
dnssec-dsfromkey  [-v level] [-1] [-2] [-a alg] [-l domain] {keyfile}

+
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -81,6 +81,8 @@
             Generate a DLV set instead of a DS set.  The specified
             domain is appended to the name for each
             record in the set.
+            The DNSSEC Lookaside Validation (DLV) RR is described
+            in RFC 4431.
           

 
-s

 

@@ -99,7 +101,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -114,7 +116,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -128,22 +130,23 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 3658,
+      RFC 4431.
       RFC 4509.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index 06daaa215c..e8645dd324 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,18 +13,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.9 2009/07/15 01:13:10 tbox Exp $
+.\" $Id: nsupdate.1,v 1.10 2009/08/27 01:14:39 tbox Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: nsupdate
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 
-.\"      Date: Jun 30, 2000
+.\"      Date: Aug 25, 2009
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NSUPDATE" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.TH "NSUPDATE" "1" "Aug 25, 2009" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -33,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index b48fb4cb71..2c4203bf93 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 

 
Synopsis

-
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

+
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -187,7 +187,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -451,7 +451,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -505,7 +505,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -528,7 +528,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -542,7 +542,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index a48315c160..038bd9029a 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -142,7 +142,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 85948d9163..524129c8f2 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,18 +47,18 @@
 
 

 
Synopsis

-
dnssec-dsfromkey  [-v level] [-1] [-2] [-a alg] {keyfile}

-
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

+
dnssec-dsfromkey  [-v level] [-1] [-2] [-a alg] [-l domain] {keyfile}

+
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -99,6 +99,8 @@
             Generate a DLV set instead of a DS set.  The specified
             domain is appended to the name for each
             record in the set.
+            The DNSSEC Lookaside Validation (DLV) RR is described
+            in RFC 4431.
           

 
-s

 

@@ -117,7 +119,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -132,7 +134,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -146,22 +148,23 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 3658,
+      RFC 4431.
       RFC 4509.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 2c371f25ac..6a189afb7e 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-K directory] [-n nametype] [-p protocol] [-t type] [-v level] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -135,7 +135,7 @@
 

 

 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -176,7 +176,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -186,7 +186,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 21c470ab55..29830dfb44 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -59,7 +59,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -221,7 +221,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -266,7 +266,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -312,7 +312,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -333,7 +333,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -342,7 +342,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 3f779c449b..dbfdfc0d62 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -86,14 +86,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 37e501ebf7..04373568f0 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -101,7 +101,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,7 +146,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -154,7 +154,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 9a15b846aa..67f66aec8f 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -344,7 +344,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -373,14 +373,14 @@ db.example.com.signed
 %
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index fe87002bb7..0f7b4ef6d2 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -96,21 +96,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 432829661f..2a968a0d24 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -257,14 +257,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index efd43f4dad..31ca23dd3f 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -238,7 +238,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -289,7 +289,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 415d741be1..4c27c86393 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 

 
Synopsis

-
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

+
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -546,7 +546,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 208c227d41..fc97debf54 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -173,7 +173,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 7d1fd29623..aabde6b8b0 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 1b62c0c033..a2ccbfd1f6 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -151,7 +151,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From 85eb2c76354185f3ea41978fc27ec1151cf9b552 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 27 Aug 2009 23:18:22 +0000
Subject: [PATCH 049/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 6c90b53f71..5290c9d8d1 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -230,6 +230,7 @@ rt19816				new	each	// 2009-06-12 22:33 +0000
 rt19874				new	each	// 2009-08-05 22:36 +0000
 rt19875				new	each	// 2009-07-04 22:47 +0000
 rt19910				new	marka	// 2009-07-09 02:38 +0000
+rt19942				new	each	// 2009-08-27 23:01 +0000
 rt20001				new	each	// 2009-08-05 15:54 +0000
 rt20023				new	fdupont	// 2009-07-31 15:08 +0000
 rt20037				new	marka	// 2009-08-11 07:46 +0000

From 747abb4993e03b8812514e4476bff67f5248c717 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 28 Aug 2009 03:13:08 +0000
Subject: [PATCH 050/385] 2658.	[bug]		dnssec-settime and
 dnssec-revoke didn't process 			key file paths correctly. [RT
 #20078]

---
 CHANGES                     |  3 +++
 bin/dnssec/dnssec-revoke.c  | 35 ++++++++----------------------
 bin/dnssec/dnssec-settime.c | 40 ++++++----------------------------
 lib/isc/include/isc/file.h  | 17 ++++++++++++++-
 lib/isc/unix/file.c         | 37 ++++++++++++++++++++++++++++++-
 lib/isc/win32/file.c        | 43 ++++++++++++++++++++++++++++++++++++-
 6 files changed, 113 insertions(+), 62 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4872132018..4abdb5179e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
+			key file paths correctly. [RT #20078]
+
 2657.	[cleanup]	Lower "journal file  does not exist, creating it"
 			log level to debug 1. [RT #20058]
 
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 613ceec45d..eb00a3d22a 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.6 2009/07/19 05:26:05 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.7 2009/08/28 03:13:08 each Exp $ */
 
 /*! \file */
 
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -66,7 +67,7 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
-	char *filename = NULL, *dir= NULL;
+	char *filename = NULL, *dir = NULL;
 	char newname[1024], oldname[1024];
 	char keystr[KEY_FORMATSIZE];
 	char *endp;
@@ -126,30 +127,11 @@ main(int argc, char **argv) {
 	if (argc > isc_commandline_index + 1)
 		fatal("Extraneous arguments");
 
-	if (dir == NULL) {
-		char *slash;
-#ifdef _WIN32
-		char *backslash;
-#endif
-
-		dir = strdup(argv[isc_commandline_index]);
-		filename = dir;
-
-		/* Figure out the directory name from the key name */
-		slash = strrchr(dir, '/');
-#ifdef _WIN32
-		backslash = strrchr(dir, '\\');
-		if ((slash != NULL && backslash != NULL && backslash > slash) ||
-		    (slash == NULL && backslash != NULL))
-			slash = backslash;
-#endif
-		if (slash != NULL) {
-			*slash++ = '\0';
-			filename = slash;
-		} else {
-			free(dir);
-			dir = strdup(".");
-		}
+	if (dir != NULL) {
+		filename = argv[isc_commandline_index];
+	} else {
+                isc_file_splitpath(mctx, argv[isc_commandline_index],
+				   &dir, &filename);
 	}
 
 	if (ectx == NULL)
@@ -232,6 +214,7 @@ cleanup:
 	cleanup_entropy(&ectx);
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
+	isc_mem_free(mctx, dir);
 	isc_mem_destroy(&mctx);
 
 	return (0);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index cc696d4554..8c242cb79a 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.6 2009/07/21 02:57:39 jinmei Exp $ */
+/* $Id: dnssec-settime.c,v 1.7 2009/08/28 03:13:08 each Exp $ */
 
 /*! \file */
 
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -188,39 +189,12 @@ main(int argc, char **argv) {
 	if (argc > isc_commandline_index + 1)
 		fatal("Extraneous arguments");
 
-	if (directory == NULL) {
-		char *slash;
-#ifdef _WIN32
-		char *backslash;
-#endif
-
-		directory = isc_mem_strdup(mctx, argv[isc_commandline_index]);
-		if (directory == NULL)
-			fatal("Failed to memory allocation for directory");
-		filename = directory;
-
-		/* Figure out the directory name from the key name */
-		slash = strrchr(directory, '/');
-#ifdef _WIN32
-		backslash = strrchr(directory, '\\');
-		if ((slash != NULL && backslash != NULL && backslash > slash) ||
-		    (slash == NULL && backslash != NULL))
-			slash = backslash;
-#endif
-		if (slash != NULL) {
-			*slash++ = '\0';
-			filename = slash;
-		} else {
-			isc_mem_free(mctx, directory);
-			/* strdup could be skipped (see above) */
-			directory = isc_mem_strdup(mctx, ".");
-			if (directory == NULL) {
-				fatal("Failed to memory allocation "
-				      "for directory");
-			}
-		}
-	} else
+	if (directory != NULL) {
 		filename = argv[isc_commandline_index];
+	} else {
+                isc_file_splitpath(mctx, argv[isc_commandline_index],
+				   &directory, &filename);
+	}
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index e64c7fac3b..68ae8ca86d 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.36 2009/06/10 00:27:22 each Exp $ */
+/* $Id: file.h,v 1.37 2009/08/28 03:13:08 each Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
@@ -259,6 +259,21 @@ isc_file_safecreate(const char *filename, FILE **fp);
  * that only the owner can read/write it.
  */
 
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, char *path,
+		   char **dirname, char **basename);
+/*%<
+ * Split a path into dirname and basename.  If 'path' contains no slash
+ * (or, on windows, backslash), then '*dirname' is set to ".".
+ *
+ * Allocates memory for '*dirname', which can be freed with isc_mem_free().
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_INVALIDFILE if 'path' is empty or ends with '/'
+ * - ISC_R_NOMEMORY if unable to allocate memory
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_FILE_H */
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index b7156c3acd..4b1c58c7b9 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: file.c,v 1.54 2009/06/10 00:27:22 each Exp $ */
+/* $Id: file.c,v 1.55 2009/08/28 03:13:08 each Exp $ */
 
 /*! \file */
 
@@ -68,6 +68,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -478,3 +479,37 @@ isc_file_safecreate(const char *filename, FILE **fp) {
 	*fp = f;
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, char *path, char **dirname, char **basename)
+{
+	char *dir, *file, *slash;
+
+	slash = strrchr(path, '/');
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		if (dir != NULL)
+			strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*basename = file;
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
index 026182e4c3..494805c945 100644
--- a/lib/isc/win32/file.c
+++ b/lib/isc/win32/file.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.c,v 1.33 2009/06/11 23:47:55 tbox Exp $ */
+/* $Id: file.c,v 1.34 2009/08/28 03:13:08 each Exp $ */
 
 #include 
 
@@ -31,6 +31,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -541,3 +542,43 @@ isc_file_safecreate(const char *filename, FILE **fp) {
 	*fp = f;
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, char *path, char **dirname, char **basename)
+{
+	char *dir, *file, *slash;
+	char *backslash;
+
+	slash = strrchr(path, '/');
+
+	backslash = strrchr(path, '\\');
+	if ((slash != NULL && backslash != NULL && backslash > slash) ||
+	    (slash == NULL && backslash != NULL))
+		slash = backslash;
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		if (dir != NULL)
+			strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*basename = file;
+
+	return (ISC_R_SUCCESS);
+}

From 41eeb37b516d1bac073781b6ec50a39a669987df Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 28 Aug 2009 21:47:02 +0000
Subject: [PATCH 051/385] 2659.	[doc]		Clarify dnssec-keygen doc: key
 name must match zone 			name for DNSSEC keys. [RT #19938]

---
 CHANGES                          | 3 +++
 bin/dnssec/dnssec-keygen.docbook | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 4abdb5179e..2b432bcb3b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
+			name for DNSSEC keys. [RT #19938]
+
 2658.	[bug]		dnssec-settime and dnssec-revoke didn't process
 			key file paths correctly. [RT #20078]
 
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 5ba3862ea1..5d6d6e62f5 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -91,6 +91,11 @@
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     
+    
+      The  of the key is specified on the command
+      line.  For DNSSEC keys, this must match the name of the zone for
+      which the key is being generated.
+    
   
 
   

From 5ac9ef944830b43258a5055e03f78c2dfb57f14e Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 28 Aug 2009 23:48:02 +0000
Subject: [PATCH 052/385] update copyright notice

---
 bin/dnssec/dnssec-revoke.c  | 4 ++--
 bin/dnssec/dnssec-settime.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index eb00a3d22a..27d6835a0a 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.7 2009/08/28 03:13:08 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -130,7 +130,7 @@ main(int argc, char **argv) {
 	if (dir != NULL) {
 		filename = argv[isc_commandline_index];
 	} else {
-                isc_file_splitpath(mctx, argv[isc_commandline_index],
+		isc_file_splitpath(mctx, argv[isc_commandline_index],
 				   &dir, &filename);
 	}
 
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 8c242cb79a..d862bc61f8 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.7 2009/08/28 03:13:08 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -192,7 +192,7 @@ main(int argc, char **argv) {
 	if (directory != NULL) {
 		filename = argv[isc_commandline_index];
 	} else {
-                isc_file_splitpath(mctx, argv[isc_commandline_index],
+		isc_file_splitpath(mctx, argv[isc_commandline_index],
 				   &directory, &filename);
 	}
 

From ad671240d635376dd8681550eebee799d2e3d1fd Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 29 Aug 2009 01:14:37 +0000
Subject: [PATCH 053/385] regen

---
 bin/dnssec/dnssec-keygen.8       |  6 +++++-
 bin/dnssec/dnssec-keygen.html    | 19 ++++++++++++-------
 doc/arm/man.ddns-confgen.html    | 10 +++++-----
 doc/arm/man.dnssec-keygen.html   | 21 +++++++++++++--------
 doc/arm/man.dnssec-revoke.html   | 10 +++++-----
 doc/arm/man.dnssec-settime.html  | 12 ++++++------
 doc/arm/man.dnssec-signzone.html | 12 ++++++------
 doc/arm/man.named-checkconf.html | 12 ++++++------
 doc/arm/man.named-checkzone.html | 12 ++++++------
 doc/arm/man.named.html           | 16 ++++++++--------
 doc/arm/man.nsupdate.html        | 14 +++++++-------
 doc/arm/man.rndc-confgen.html    | 12 ++++++------
 doc/arm/man.rndc.conf.html       | 12 ++++++------
 doc/arm/man.rndc.html            | 12 ++++++------
 14 files changed, 97 insertions(+), 83 deletions(-)

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 4882e78ca8..6e45f30934 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.45 2009/07/19 04:27:55 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.46 2009/08/29 01:14:37 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -38,6 +38,10 @@ dnssec\-keygen \- DNSSEC key generation tool
 .PP
 \fBdnssec\-keygen\fR
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
 .SH "OPTIONS"
 .PP
 \-a \fIalgorithm\fR
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 8aa2981ffa..bb37e443b7 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -39,9 +39,14 @@
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     

+

+      The name of the key is specified on the command
+      line.  For DNSSEC keys, this must match the name of the zone for
+      which the key is being generated.
+    

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -203,7 +208,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -248,7 +253,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -294,7 +299,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -315,7 +320,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -324,7 +329,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 038bd9029a..1cd8ffaf4b 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -142,7 +142,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 29830dfb44..237be08bce 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,16 +50,21 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
       (Transaction Key) as defined in RFC 2930.
     

+

+      The name of the key is specified on the command
+      line.  For DNSSEC keys, this must match the name of the zone for
+      which the key is being generated.
+    

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -221,7 +226,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -266,7 +271,7 @@
 

 
 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -312,7 +317,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -333,7 +338,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -342,7 +347,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index dbfdfc0d62..7eb5a742d7 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -86,14 +86,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 04373568f0..a09b49062f 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -101,7 +101,7 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,7 +146,7 @@
 

 
 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -154,7 +154,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 67f66aec8f..924217af5e 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -344,7 +344,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -373,14 +373,14 @@ db.example.com.signed
 %
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 0f7b4ef6d2..2a0dd01bfc 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -96,21 +96,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 2a968a0d24..5723f84ca6 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -257,14 +257,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 31ca23dd3f..5bb9f74ae3 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -238,7 +238,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -289,7 +289,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 4c27c86393..513ab20e62 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -546,7 +546,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index fc97debf54..764ba4c6a8 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -173,7 +173,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index aabde6b8b0..07e8897878 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index a2ccbfd1f6..8ea6dc4dfb 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -151,7 +151,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 


From 307d2084502eddc7ce921e5ce439aec3531d90e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 00:22:28 +0000
Subject: [PATCH 054/385] 2660.	[func]		Add a new set of DNS libraries
 for non-BIND9 			applications.  See README.libdns. [RT #19369]

---
 CHANGES                                       |    3 +
 Makefile.in                                   |    8 +-
 README                                        |    2 +-
 README.libdns                                 |  275 ++
 bin/check/Makefile.in                         |    4 +-
 bin/check/check-tool.c                        |    5 +-
 bin/confgen/Makefile.in                       |    4 +-
 bin/dig/Makefile.in                           |    4 +-
 bin/dig/dighost.c                             |   18 +-
 bin/dnssec/Makefile.in                        |    4 +-
 bin/dnssec/dnssec-dsfromkey.c                 |    4 +-
 bin/dnssec/dnssec-keyfromlabel.c              |    4 +-
 bin/dnssec/dnssec-keygen.c                    |    4 +-
 bin/dnssec/dnssec-signzone.c                  |    8 +-
 bin/named/Makefile.in                         |    4 +-
 bin/named/config.c                            |    4 +-
 bin/named/lwdgabn.c                           |    4 +-
 bin/named/lwdgrbn.c                           |    4 +-
 bin/named/lwresd.c                            |    5 +-
 bin/named/server.c                            |   49 +-
 bin/named/tkeyconf.c                          |   14 +-
 bin/named/tsigconf.c                          |    4 +-
 bin/named/unix/Makefile.in                    |    4 +-
 bin/named/zoneconf.c                          |    7 +-
 bin/nsupdate/Makefile.in                      |    4 +-
 bin/nsupdate/nsupdate.c                       |   22 +-
 bin/rndc/Makefile.in                          |    4 +-
 bin/tests/Makefile.in                         |    4 +-
 bin/tests/adb_test.c                          |    5 +-
 bin/tests/byname_test.c                       |    4 +-
 bin/tests/db/Makefile.in                      |    4 +-
 bin/tests/db/t_db.c                           |   30 +-
 bin/tests/db_test.c                           |   14 +-
 bin/tests/dst/Makefile.in                     |    4 +-
 bin/tests/dst/dst_test.c                      |    6 +-
 bin/tests/dst/gsstest.c                       |    8 +-
 bin/tests/dst/t_dst.c                         |    8 +-
 bin/tests/master/Makefile.in                  |    4 +-
 bin/tests/master/t_master.c                   |    4 +-
 bin/tests/master_test.c                       |    4 +-
 bin/tests/mem/Makefile.in                     |    4 +-
 bin/tests/name_test.c                         |   11 +-
 bin/tests/names/Makefile.in                   |    4 +-
 bin/tests/names/t_names.c                     |   30 +-
 bin/tests/net/Makefile.in                     |    4 +-
 bin/tests/nsecify.c                           |    4 +-
 bin/tests/rbt/Makefile.in                     |    4 +-
 bin/tests/rbt/t_rbt.c                         |   10 +-
 bin/tests/rbt_test.c                          |    5 +-
 bin/tests/sig0_test.c                         |    7 +-
 bin/tests/sockaddr/Makefile.in                |    4 +-
 bin/tests/system/lwresd/Makefile.in           |    4 +-
 bin/tests/system/tkey/Makefile.in             |    4 +-
 bin/tests/system/tkey/keycreate.c             |    6 +-
 bin/tests/tasks/Makefile.in                   |    4 +-
 bin/tests/timers/Makefile.in                  |    4 +-
 bin/tests/zone_test.c                         |    6 +-
 bin/tools/Makefile.in                         |    4 +-
 config.h.in                                   |    8 +-
 configure.in                                  |  119 +-
 contrib/dbus/dbus_mgr.c                       |    6 +-
 contrib/dlz/bin/dlzbdb/Makefile.in            |    6 +-
 contrib/sdb/bdb/zone2bdb.c                    |    4 +-
 contrib/sdb/ldap/zone2ldap.c                  |    2 +-
 contrib/sdb/pgsql/zonetodb.c                  |    4 +-
 contrib/sdb/sqlite/zone2sqlite.c              |    4 +-
 lib/bind9/Makefile.in                         |    4 +-
 lib/bind9/check.c                             |   34 +-
 lib/dns/Makefile.in                           |    8 +-
 lib/dns/byaddr.c                              |   45 +-
 lib/dns/cache.c                               |    8 +-
 lib/dns/client.c                              | 2994 +++++++++++++++++
 lib/dns/db.c                                  |   12 +-
 lib/dns/dispatch.c                            |   85 +-
 lib/dns/dst_api.c                             |   34 +-
 lib/dns/ecdb.c                                |  797 +++++
 lib/dns/forward.c                             |   18 +-
 lib/dns/gssapictx.c                           |    4 +-
 lib/dns/include/dns/client.h                  |  621 ++++
 lib/dns/include/dns/ecdb.h                    |   52 +
 lib/dns/include/dns/events.h                  |    4 +-
 lib/dns/include/dns/forward.h                 |   17 +-
 lib/dns/include/dns/lib.h                     |   16 +-
 lib/dns/include/dns/message.h                 |    5 +-
 lib/dns/include/dns/name.h                    |   37 +-
 lib/dns/include/dns/rdata.h                   |   18 +-
 lib/dns/include/dns/resolver.h                |    3 +-
 lib/dns/include/dns/tsec.h                    |  135 +
 lib/dns/include/dns/types.h                   |    7 +-
 lib/dns/lib.c                                 |  107 +-
 lib/dns/master.c                              |    4 +-
 lib/dns/masterdump.c                          |    6 +-
 lib/dns/name.c                                |   29 +-
 lib/dns/peer.c                                |    4 +-
 lib/dns/rbtdb.c                               |   63 +-
 lib/dns/rdata.c                               |   93 +-
 lib/dns/request.c                             |    5 +-
 lib/dns/resolver.c                            |    6 +-
 lib/dns/sdb.c                                 |    4 +-
 lib/dns/sdlz.c                                |    4 +-
 lib/dns/tkey.c                                |    5 +-
 lib/dns/tsec.c                                |  159 +
 lib/dns/view.c                                |   56 +-
 lib/export/Makefile.in                        |   27 +
 lib/export/dns/Makefile.in                    |  172 +
 lib/export/dns/include/Makefile.in            |   23 +
 lib/export/dns/include/dns/Makefile.in        |   56 +
 lib/export/dns/include/dst/Makefile.in        |   36 +
 lib/export/irs/Makefile.in                    |   85 +
 lib/export/irs/include/Makefile.in            |   24 +
 lib/export/irs/include/irs/Makefile.in        |   46 +
 lib/export/isc/Makefile.in                    |  136 +
 lib/export/isc/include/Makefile.in            |   24 +
 lib/export/isc/include/isc/Makefile.in        |   63 +
 lib/export/isc/nls/Makefile.in                |   35 +
 lib/export/isc/nothreads/Makefile.in          |   38 +
 lib/export/isc/nothreads/include/Makefile.in  |   24 +
 .../isc/nothreads/include/isc/Makefile.in     |   36 +
 lib/export/isc/pthreads/Makefile.in           |   38 +
 lib/export/isc/pthreads/include/Makefile.in   |   24 +
 .../isc/pthreads/include/isc/Makefile.in      |   36 +
 lib/export/isc/unix/Makefile.in               |   57 +
 lib/export/isc/unix/include/Makefile.in       |   24 +
 lib/export/isc/unix/include/isc/Makefile.in   |   37 +
 lib/export/isccfg/Makefile.in                 |   82 +
 lib/export/isccfg/include/Makefile.in         |   24 +
 lib/export/isccfg/include/isccfg/Makefile.in  |   42 +
 lib/export/samples/Makefile-postinstall.in    |   78 +
 lib/export/samples/Makefile.in                |   96 +
 lib/export/samples/nsprobe.c                  | 1215 +++++++
 lib/export/samples/sample-async.c             |  397 +++
 lib/export/samples/sample-gai.c               |   75 +
 lib/export/samples/sample-request.c           |  258 ++
 lib/export/samples/sample-update.c            |  749 +++++
 lib/export/samples/sample.c                   |  373 ++
 lib/irs/Makefile.in                           |   80 +
 lib/irs/api                                   |    3 +
 lib/irs/context.c                             |  399 +++
 lib/irs/dnsconf.c                             |  272 ++
 lib/irs/gai_strerror.c                        |   92 +
 lib/irs/getaddrinfo.c                         | 1299 +++++++
 lib/irs/getnameinfo.c                         |  410 +++
 lib/irs/include/Makefile.in                   |   24 +
 lib/irs/include/irs/Makefile.in               |   44 +
 lib/irs/include/irs/context.h                 |  162 +
 lib/irs/include/irs/dnsconf.h                 |   97 +
 lib/irs/include/irs/netdb.h.in                |  168 +
 lib/irs/include/irs/platform.h.in             |   45 +
 lib/irs/include/irs/resconf.h                 |  116 +
 lib/irs/include/irs/types.h                   |   31 +
 lib/irs/include/irs/version.h                 |   27 +
 lib/irs/resconf.c                             |  639 ++++
 lib/irs/version.c                             |   27 +
 lib/isc/Makefile.in                           |    8 +-
 lib/isc/app_api.c                             |  134 +
 lib/isc/hash.c                                |   16 +-
 lib/isc/include/isc/app.h                     |  171 +-
 lib/isc/include/isc/lib.h                     |   11 +-
 lib/isc/include/isc/mem.h                     |   98 +-
 lib/isc/include/isc/namespace.h               |  160 +
 lib/isc/include/isc/result.h                  |    3 +-
 lib/isc/include/isc/resultclass.h             |    3 +-
 lib/isc/include/isc/socket.h                  |  102 +-
 lib/isc/include/isc/task.h                    |  100 +-
 lib/isc/include/isc/timer.h                   |   91 +-
 lib/isc/include/isc/types.h                   |    5 +-
 lib/isc/lib.c                                 |   32 +-
 lib/isc/mem.c                                 |  539 ++-
 lib/isc/mem_api.c                             |  287 ++
 lib/isc/nls/Makefile.in                       |    4 +-
 lib/isc/nothreads/Makefile.in                 |    8 +-
 lib/isc/pthreads/Makefile.in                  |    4 +-
 lib/isc/socket_api.c                          |  194 ++
 lib/isc/task.c                                |  490 ++-
 lib/isc/task_api.c                            |  199 ++
 lib/isc/task_p.h                              |    6 +-
 lib/isc/timer.c                               |  323 +-
 lib/isc/timer_api.c                           |  142 +
 lib/isc/timer_p.h                             |    6 +-
 lib/isc/unix/Makefile.in                      |    4 +-
 lib/isc/unix/app.c                            |  518 ++-
 lib/isc/unix/socket.c                         |  865 +++--
 lib/isc/unix/socket_p.h                       |    7 +-
 lib/isc/win32/Makefile.in                     |    4 +-
 lib/isc/win32/app.c                           |   18 +-
 lib/isc/win32/socket.c                        |  101 +-
 lib/isccc/Makefile.in                         |    4 +-
 lib/isccfg/Makefile.in                        |    4 +-
 lib/isccfg/aclconf.c                          |    4 +-
 lib/isccfg/dnsconf.c                          |   68 +
 lib/isccfg/include/isccfg/dnsconf.h           |   36 +
 lib/tests/Makefile.in                         |    4 +-
 make/rules.in                                 |    6 +-
 193 files changed, 18162 insertions(+), 1332 deletions(-)
 create mode 100644 README.libdns
 create mode 100644 lib/dns/client.c
 create mode 100644 lib/dns/ecdb.c
 create mode 100644 lib/dns/include/dns/client.h
 create mode 100644 lib/dns/include/dns/ecdb.h
 create mode 100644 lib/dns/include/dns/tsec.h
 create mode 100644 lib/dns/tsec.c
 create mode 100644 lib/export/Makefile.in
 create mode 100644 lib/export/dns/Makefile.in
 create mode 100644 lib/export/dns/include/Makefile.in
 create mode 100644 lib/export/dns/include/dns/Makefile.in
 create mode 100644 lib/export/dns/include/dst/Makefile.in
 create mode 100644 lib/export/irs/Makefile.in
 create mode 100644 lib/export/irs/include/Makefile.in
 create mode 100644 lib/export/irs/include/irs/Makefile.in
 create mode 100644 lib/export/isc/Makefile.in
 create mode 100644 lib/export/isc/include/Makefile.in
 create mode 100644 lib/export/isc/include/isc/Makefile.in
 create mode 100644 lib/export/isc/nls/Makefile.in
 create mode 100644 lib/export/isc/nothreads/Makefile.in
 create mode 100644 lib/export/isc/nothreads/include/Makefile.in
 create mode 100644 lib/export/isc/nothreads/include/isc/Makefile.in
 create mode 100644 lib/export/isc/pthreads/Makefile.in
 create mode 100644 lib/export/isc/pthreads/include/Makefile.in
 create mode 100644 lib/export/isc/pthreads/include/isc/Makefile.in
 create mode 100644 lib/export/isc/unix/Makefile.in
 create mode 100644 lib/export/isc/unix/include/Makefile.in
 create mode 100644 lib/export/isc/unix/include/isc/Makefile.in
 create mode 100644 lib/export/isccfg/Makefile.in
 create mode 100644 lib/export/isccfg/include/Makefile.in
 create mode 100644 lib/export/isccfg/include/isccfg/Makefile.in
 create mode 100644 lib/export/samples/Makefile-postinstall.in
 create mode 100644 lib/export/samples/Makefile.in
 create mode 100644 lib/export/samples/nsprobe.c
 create mode 100644 lib/export/samples/sample-async.c
 create mode 100644 lib/export/samples/sample-gai.c
 create mode 100644 lib/export/samples/sample-request.c
 create mode 100644 lib/export/samples/sample-update.c
 create mode 100644 lib/export/samples/sample.c
 create mode 100644 lib/irs/Makefile.in
 create mode 100644 lib/irs/api
 create mode 100644 lib/irs/context.c
 create mode 100644 lib/irs/dnsconf.c
 create mode 100644 lib/irs/gai_strerror.c
 create mode 100644 lib/irs/getaddrinfo.c
 create mode 100644 lib/irs/getnameinfo.c
 create mode 100644 lib/irs/include/Makefile.in
 create mode 100644 lib/irs/include/irs/Makefile.in
 create mode 100644 lib/irs/include/irs/context.h
 create mode 100644 lib/irs/include/irs/dnsconf.h
 create mode 100644 lib/irs/include/irs/netdb.h.in
 create mode 100644 lib/irs/include/irs/platform.h.in
 create mode 100644 lib/irs/include/irs/resconf.h
 create mode 100644 lib/irs/include/irs/types.h
 create mode 100644 lib/irs/include/irs/version.h
 create mode 100644 lib/irs/resconf.c
 create mode 100644 lib/irs/version.c
 create mode 100644 lib/isc/app_api.c
 create mode 100644 lib/isc/include/isc/namespace.h
 create mode 100644 lib/isc/mem_api.c
 create mode 100644 lib/isc/socket_api.c
 create mode 100644 lib/isc/task_api.c
 create mode 100644 lib/isc/timer_api.c
 create mode 100644 lib/isccfg/dnsconf.c
 create mode 100644 lib/isccfg/include/isccfg/dnsconf.h

diff --git a/CHANGES b/CHANGES
index 2b432bcb3b..b96114bbf7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2660.	[func]		Add a new set of DNS libraries for non-BIND9
+			applications.  See README.libdns. [RT #19369]
+
 2659.	[doc]		Clarify dnssec-keygen doc: key name must match zone
 			name for DNSSEC keys. [RT #19938]
 
diff --git a/Makefile.in b/Makefile.in
index 0021dadc2d..f2b730e30c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.56 2009/06/25 17:06:42 each Exp $
+# $Id: Makefile.in,v 1.57 2009/09/01 00:22:24 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,13 +21,13 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-SUBDIRS =	make lib bin doc
+SUBDIRS =	make lib bin doc @LIBEXPORT@
 TARGETS =
 
 MANPAGES =	isc-config.sh.1
- 
+
 HTMLPAGES =	isc-config.sh.html
- 
+
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
diff --git a/README b/README
index 51dd578120..f2962f2946 100644
--- a/README
+++ b/README
@@ -66,11 +66,11 @@ BIND 9.7.0
 	- Smart signing: simplified tools for zone signing and key
 	  maintenance
 	- The "statistics-channels" option is now available on Windows
+        - DNSSEC-aware libdns API
 
 	Planned but not complete in this alpha:
 
 	- Fully automatic signing of zones by "named"
-        - DNSSEC-aware libdns API
         - Improved PKCS#11 support, including Keyper support
 
 BIND 9.6.0
diff --git a/README.libdns b/README.libdns
new file mode 100644
index 0000000000..2a16b7b1ba
--- /dev/null
+++ b/README.libdns
@@ -0,0 +1,275 @@
+
+			BIND-9 DNS Library Support
+
+This version of BIND9 "exports" its internal libraries so that they
+can be used by third-party applications more easily (we call them
+"export" libraries in this document).  In addition to all major
+DNS-related APIs BIND9 is currently using, the export libraries
+provide the following features:
+
+- The newly created "DNS client" module.  This is a higher level API
+  that provides an interface to name resolution, single DNS
+  transaction with a particular server, and dynamic update.  Regarding
+  name resolution, it supports advanced features such as DNSSEC
+  validation and caching.  This module supports both synchronous and
+  asynchronous mode.
+- The new "IRS" (Information Retrieval System) library.  It provides
+  an interface to parse the traditional resolv.conf file and more
+  advanced, DNS-specific configuration file for the rest of this
+  package (see the description for the dns.conf file below).
+- As part of the IRS library, newly implemented standard address-name
+  mapping functions, getaddrinfo() and getnameinfo(), are provided.
+  They use the DNSSEC-aware validating resolver backend, and could use
+  other advanced features of the BIND9 libraries such as caching.  The
+  getaddrinfo() function resolves both A and AAAA RRs concurrently
+  (when the address family is unspecified).
+- An experimental framework to support other event libraries than
+  BIND9's internal event task system.
+
+* Prerequisite
+
+GNU make is required to build the export libraries (other part of
+BIND9 can still be built with other types of make).  In the reminder
+of this document, "make" means GNU make.  Note that in some platforms
+you may need to invoke a different command name than "make"
+(e.g. "gmake") to indicate it's GNU make.
+
+* Compilation
+
+1. ./configure --enable-exportlib [other flags]
+2. make
+
+This will create (in addition to usual BIND9 programs) and a separate
+set of libraries under the lib/export directory.  For example,
+lib/export/dns/libdns.a is the archive file of the export version of
+the BIND9 DNS library.
+
+Sample application programs using the libraries will also be built
+under the lib/export/samples directory (see below).
+
+* Installation
+
+1. cd lib/export
+2. make install (root privilege is normally required)
+   (make install at the top directory will do the same)
+
+This will install library object files under the directory specified
+by the --with-export-libdir configure option (default:
+EPREFIX/lib/bind9), and header files under the directory specified by
+the --with-export-installdir configure option (default:
+PREFIX/include/bind9).
+
+To see how to build your own application after the installation, see
+lib/export/samples/Makefile-postinstall.in
+
+* Known Defects/Restrictions
+
+- Currently, win32 is not supported for the export library.  (Normal
+  BIND9 application can be built as before).
+- The "fixed" RRset order is not (currently) supported in the export
+  library.  If you want to use "fixed" RRset order for, e.g. named
+  while still building the export library even without the fixed
+  order support, build them separately:
+  % ./configure --enable-fixed-rrset [other flags, but not --enable-exportlib]
+  % make (this doesn't have to be make)
+  % ./configure --enable-exportlib [other flags, but not --enable-fixed-rrset]
+  % cd lib/export
+  % make
+- The client module and the IRS library currently do not support
+  DNSSEC validation using DLV (the underlying modules can handle it,
+  but there is no tunable interface to enable the feature).
+- RFC5011 is not supported in the validating stub resolver of the
+  export library.  In fact, it is not clear whether it should: trust
+  anchors would be a system-wide configuration which would be managed
+  by an administrator, while the stub resolver will be used by
+  ordinary applications run by a normal user.
+- Not all common /etc/resolv.conf options are supported in the IRS library.
+  The only available options in this version are "debug" and "ndots".
+
+* The dns.conf File
+
+The IRS library supports an "advanced" configuration file related to
+the DNS library for configuration parameters that would be beyond the
+capability of the resolv.conf file.  Specifically, it is intended to
+provide DNSSEC related configuration parameters.
+
+By default the path to this configuration file is /etc/dns.conf.
+
+This module is very experimental and the configuration syntax or
+library interfaces may change in future versions.  Currently, only the
+'trusted-keys' statement is supported, whose syntax is the same as the
+same name of statement for named.conf.
+
+* Sample Applications
+
+Some sample application programs using this API are provided for
+reference.  The following is a brief description of these
+applications.
+
+- sample: a simple stub resolver utility.
+
+  It sends a query of a given name (of a given optional RR type)
+  to a specified recursive server, and prints the result as a list of
+  RRs.  It can also act as a validating stub resolver if a trust
+  anchor is given via a set of command line options.
+
+  Usage: sample [options] server_address hostname
+
+  Options and Arguments:
+  -t RRtype
+	specify the RR type of the query.  The default is the A RR.
+  [-a algorithm] [-e] -k keyname -K keystring
+	specify a command-line DNS key to validate the answer.  For
+	example, to specify the following DNSKEY of example.com:
+		example.com. 3600 IN DNSKEY 257 3 5 xxx
+        specify the options as follows:
+	  -e -k example.com -K "xxx"
+	-e means that this key is a zone's "key signing key" (as known
+        as "secure Entry point").
+ 	when -a is omitted rsasha1 will be used by default.
+  -s domain:alt_server_address
+	specify a separate recursive server address for the specific
+	"domain".  Example: -s example.com:2001:db8::1234
+  server_address
+	an IP(v4/v6) address of the recursive server to which queries
+	are sent.
+  hostname
+	the domain name for the query
+
+- sample-async: a simple stub resolver, working asynchronously.
+
+  Similar to "sample", but accepts a list of (query) domain names as a
+  separate file and resolves the names asynchronously.
+
+  Usage: sample-async [-s server_address] [-t RR_type] input_file
+  Options and Arguments:
+  -s server_address
+	an IPv4 address of the recursive server to which queries are
+	sent.  (IPv6 addresses are not supported in this implementation)
+  -t RR_type
+	specify the RR type of the queries.  The default is the A RR.
+  input_file
+	a list of domain names to be resolved.  each line consists of a
+	single domain name.  Example:
+  	www.example.com
+	mx.examle.net
+	ns.xxx.example
+
+- sample-request: a simple DNS transaction client.
+
+  It sends a query to a specified server, and prints the response with
+  minimal processing.  It doesn't act as a "stub resolver": it stops
+  the processing once it gets any response from the server, whether
+  it's a referral or an alias (CNAME or DNAME) that would require
+  further queries to get the ultimate answer.  In other words, this
+  utility acts as a very simplified dig.
+
+  Usage: sample-request [-t RRtype] server_address hostname
+  Options and Arguments:
+  -t RRtype
+	specify the RR type of the queries.  The default is the A RR.
+  server_address
+	an IP(v4/v6) address of the recursive server to which the query is
+	sent.
+  hostname
+	the domain name for the query
+
+- sample-gai: getaddrinfo() and getnameinfo() test code.
+
+  This is a test program to check getaddrinfo() and getnameinfo()
+  behavior.  It takes a host name as an argument, calls getaddrinfo()
+  with the given host name, and calls getnameinfo() with the resulting
+  IP addresses returned by getaddrinfo().  If the dns.conf file exists
+  and defines a trust anchor, the underlying resolver will act as a
+  validating resolver, and getaddrinfo()/getnameinfo() will fail with
+  an EAI_INSECUREDATA error when DNSSEC validation fails.
+
+  Usage: sample-gai hostname
+
+- sample-update: a simple dynamic update client program
+
+  It accepts a single update command as a command-line argument, sends
+  an update request message to the authoritative server, and shows the
+  response from the server.  In other words, this is a simplified
+  nsupdate.
+
+  Usage: sample-update [options] (add|delete) "update data"
+  Options and Arguments:
+  -a auth_server
+	An IP address of the authoritative server that has authority
+	for the zone containing the update name.  This should normally
+	be the primary authoritative server that accepts dynamic
+	updates.  It can also be a secondary server that is configured
+	to forward update requests to the primary server.
+  -k keyfile
+	A TSIG key file to secure the update transaction.  The keyfile
+	format is the same as that for the nsupdate utility.
+  -p prerequisite
+	A prerequisite for the update (only one prerequisite can be
+	specified).  The prerequisite format is the same as that is
+	accepted by the nsupdate utility.
+  -r recursive_server
+	An IP address of a recursive server that this utility will
+	use.  A recursive server may be necessary to identify the
+	authoritative server address to which the update request is
+	sent.
+  -z zonename
+	The domain name of the zone that contains
+  (add|delete)
+	Specify the type of update operation.  Either "add" or "delete"
+	must be specified.
+  "update data"
+	Specify the data to be updated.  A typical example of the data
+	would look like "name TTL RRtype RDATA".
+
+   Note: in practice, either -a or -r must be specified.  Others can
+   be optional; the underlying library routine tries to identify the
+   appropriate server and the zone name for the update.
+
+   Examples: assuming the primary authoritative server of the
+   dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"
+     adds an A RR for foo.dynamic.example.com using the given key.
+   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"
+     removes all A RRs for foo.dynamic.example.com using the given key.
+   + sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"
+     removes all RRs for foo.dynamic.example.com using the given key.
+
+- nsprobe: domain/name server checker in terms of RFC4074.
+
+  It checks a set of domains to see the name servers of the domains
+  behave correctly in terms of RFC4074.  This is included in the set
+  of sample programs to show how the export library can be used in a
+  DNS-related application.
+
+  Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+  Options
+  -d
+	run in the "debug" mode.  with this option nsprobe will dump
+	every RRs it receives.
+  -v
+	increase verbosity of other normal log messages.  This can be
+	specified multiple times
+  -c cache_address
+	specify an IP address of a recursive (caching) name server.
+	nsprobe uses this server to get the NS RRset of each domain and
+	the A and/or AAAA RRsets for the name servers.  The default
+	value is 127.0.0.1.
+  input_file
+	a file name containing a list of domain (zone) names to be
+	probed.  when omitted the standard input will be used.  Each
+	line of the input file specifies a single domain name such as
+	"example.com".  In general this domain name must be the apex
+	name of some DNS zone (unlike normal "host names" such as
+	"www.example.com").  nsprobe first identifies the NS RRsets for
+	the given domain name, and sends A and AAAA queries to these
+	servers for some "widely used" names under the zone;
+	specifically, adding "www" and "ftp" to the zone name.
+
+* Library References
+
+As of this writing, there is no formal "manual" of the libraries,
+except this document, header files (some of them provide pretty
+detailed explanations), and sample application programs.
+
+; $Id: README.libdns,v 1.2 2009/09/01 00:22:24 jinmei Exp $
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 06f55418b4..488a143d83 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.32 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.33 2009/09/01 00:22:24 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
 		${ISC_INCLUDES}
 
-CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES = 	-DBIND9 -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 0bad407aa7..09fd2c9900 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.38 2009/01/20 02:01:11 marka Exp $ */
+/* $Id: check-tool.c,v 1.39 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -597,8 +597,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	origin = dns_fixedname_name(&fixorigin);
-	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
-				ISC_FALSE, NULL));
+	CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
 	CHECK(dns_zone_setorigin(zone, origin));
 	CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
 	CHECK(dns_zone_setfile2(zone, filename, fileformat));
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index b67ccdd04e..be9fc385b8 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4 2009/07/14 22:54:56 each Exp $
+# $Id: Makefile.in,v 1.5 2009/09/01 00:22:24 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index bc9d34f044..ad8f2e8d98 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.42 2009/09/01 00:22:24 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISC_INCLUDES} ${LWRES_INCLUDES}
 
-CDEFINES =	-DVERSION=\"${VERSION}\"
+CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\"
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 271f806e49..f1fa25ef7b 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.323 2009/07/19 04:18:03 each Exp $ */
+/* $Id: dighost.c,v 1.324 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file
  *  \note
@@ -921,9 +921,7 @@ setup_text_key(void) {
 
 	secretsize = isc_buffer_usedlength(&secretbuf);
 
-	result = dns_name_fromtext(&keyname, namebuf,
-				   dns_rootname, ISC_FALSE,
-				   namebuf);
+	result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
@@ -1890,7 +1888,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		isc_buffer_init(&b, lookup->origin->origin, len);
 		isc_buffer_add(&b, len);
 		result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
-					   ISC_FALSE, &lookup->onamebuf);
+					   0, &lookup->onamebuf);
 		if (result != ISC_R_SUCCESS) {
 			dns_message_puttempname(lookup->sendmsg,
 						&lookup->name);
@@ -1907,7 +1905,7 @@ setup_lookup(dig_lookup_t *lookup) {
 			isc_buffer_init(&b, lookup->textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(lookup->name, &b,
-						   lookup->oname, ISC_FALSE,
+						   lookup->oname, 0,
 						   &lookup->namebuf);
 		}
 		if (result != ISC_R_SUCCESS) {
@@ -1931,16 +1929,14 @@ setup_lookup(dig_lookup_t *lookup) {
 			isc_buffer_init(&b, idn_textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(lookup->name, &b,
-						   dns_rootname,
-						   ISC_FALSE,
+						   dns_rootname, 0,
 						   &lookup->namebuf);
 #else
 			len = strlen(lookup->textname);
 			isc_buffer_init(&b, lookup->textname, len);
 			isc_buffer_add(&b, len);
 			result = dns_name_fromtext(lookup->name, &b,
-						   dns_rootname,
-						   ISC_FALSE,
+						   dns_rootname, 0,
 						   &lookup->namebuf);
 #endif
 		}
@@ -4085,7 +4081,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
 
 	dns_fixedname_init(&fixedname);
 	result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
-				   dns_rootname, ISC_TRUE, NULL);
+				   dns_rootname, DNS_NAME_DOWNCASE, NULL);
 	check_result(result, "nameFromString");
 
 	if (dns_name_dynamic(p_ret))
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index af6f3a556f..ef4bedbcf5 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.38 2009/07/19 04:18:04 each Exp $
+# $Id: Makefile.in,v 1.39 2009/09/01 00:22:24 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =	-DVERSION=\"${VERSION}\" 
+CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\" 
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 9e152439b3..9b1b55a8b7 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.12 2009/08/13 04:13:58 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.13 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -72,7 +72,7 @@ initname(char *setname) {
 
 	isc_buffer_init(&buf, setname, strlen(setname));
 	isc_buffer_add(&buf, strlen(setname));
-	result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
 	return (result);
 }
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 02bba62a11..f0df650ee3 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.9 2009/07/19 04:18:04 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.10 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -273,7 +273,7 @@ main(int argc, char **argv) {
 	isc_buffer_init(&buf, argv[isc_commandline_index],
 			strlen(argv[isc_commandline_index]));
 	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-	ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
 	if (ret != ISC_R_SUCCESS)
 		fatal("invalid key name %s: %s", argv[isc_commandline_index],
 		      isc_result_totext(ret));
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index d2188478f2..60451ec23e 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.89 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.90 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -567,7 +567,7 @@ main(int argc, char **argv) {
 	isc_buffer_init(&buf, argv[isc_commandline_index],
 			strlen(argv[isc_commandline_index]));
 	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
-	ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
 	if (ret != ISC_R_SUCCESS)
 		fatal("invalid key name %s: %s", argv[isc_commandline_index],
 		      isc_result_totext(ret));
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 1a0c97cf20..d369298227 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.227 2009/08/14 01:07:00 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.228 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -2486,7 +2486,7 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
-	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed converting name '%s' to dns format: %s",
 		      origin, isc_result_totext(result));
@@ -3274,8 +3274,8 @@ main(int argc, char *argv[]) {
 
 			dns_fixedname_init(&dlv_fixed);
 			dlv = dns_fixedname_name(&dlv_fixed);
-			result = dns_name_fromtext(dlv, &b, dns_rootname,
-						   ISC_FALSE, NULL);
+			result = dns_name_fromtext(dlv, &b, dns_rootname, 0,
+						   NULL);
 			check_result(result, "dns_name_fromtext(dlv)");
 			break;
 
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 69438e2f04..cd2a0247ae 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.104 2009/03/05 23:47:35 tbox Exp $
+# $Id: Makefile.in,v 1.105 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -45,7 +45,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
 
-CDEFINES =      @USE_DLZ@
+CDEFINES =      -DBIND9 @USE_DLZ@
 
 CWARNINGS =
 
diff --git a/bin/named/config.c b/bin/named/config.c
index 8d89c89cf4..ef64482670 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.99 2009/07/14 22:54:56 each Exp $ */
+/* $Id: config.c,v 1.100 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -651,7 +651,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
 		isc_buffer_add(&b, strlen(keystr));
 		dns_fixedname_init(&fname);
 		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
-					   dns_rootname, ISC_FALSE, NULL);
+					   dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		result = dns_name_dup(dns_fixedname_name(&fname), mctx,
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index dec1e1a571..761b741500 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.22 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: lwdgabn.c,v 1.23 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -619,7 +619,7 @@ ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) {
 	dns_fixedname_init(&client->target_name);
 	dns_fixedname_init(&client->query_name);
 	result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
-				   &namebuf, NULL, ISC_FALSE, NULL);
+				   &namebuf, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto out;
 	ns_lwsearchctx_init(&client->searchctx,
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index b54e83d0dd..c3bbe58b5d 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.20 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: lwdgrbn.c,v 1.21 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -472,7 +472,7 @@ ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) {
 
 	dns_fixedname_init(&client->query_name);
 	result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
-				   &namebuf, NULL, ISC_FALSE, NULL);
+				   &namebuf, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto out;
 	ns_lwsearchctx_init(&client->searchctx,
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 4e245fdb3d..f32c8cb37e 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.58 2008/07/23 23:27:54 marka Exp $ */
+/* $Id: lwresd.c,v 1.59 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file
  * \brief
@@ -372,8 +372,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
 					strlen(searchstr));
 			isc_buffer_add(&namebuf, strlen(searchstr));
 			result = dns_name_fromtext(name, &namebuf,
-						   dns_rootname, ISC_FALSE,
-						   NULL);
+						   dns_rootname, 0, NULL);
 			if (result != ISC_R_SUCCESS) {
 				isc_log_write(ns_g_lctx,
 					      NS_LOGCATEGORY_GENERAL,
diff --git a/bin/named/server.c b/bin/named/server.c
index 7302cdf064..b4a1a8cf06 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.542 2009/08/25 23:47:51 tbox Exp $ */
+/* $Id: server.c,v 1.543 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -422,8 +422,7 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		str = cfg_obj_asstring(nameobj);
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
-		CHECK(dns_name_fromtext(name, &b, dns_rootname,
-					ISC_FALSE, NULL));
+		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		/*
 		 * We don't need the node data, but need to set dummy data to
 		 * avoid a partial match with an empty node.  For example, if
@@ -526,9 +525,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	dns_fixedname_init(&fkeyname);
 	isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&namebuf, strlen(keynamestr));
-	CHECK(dns_name_fromtext(keyname, &namebuf,
-				dns_rootname, ISC_FALSE,
-				NULL));
+	CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
 	CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
 			      mctx, &dstkey));
 
@@ -712,8 +709,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
 		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
-		CHECK(dns_name_fromtext(name, &b, dns_rootname,
-					ISC_FALSE, NULL));
+		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
 		CHECK(dns_resolver_setmustbesecure(resolver, name, value));
 	}
@@ -873,7 +869,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
 	isc_buffer_add(&b, strlen(str));
 	dns_fixedname_init(&fixed);
 	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1057,7 +1053,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
 	isc_buffer_init(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
-	CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
+	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 
 	algorithms = cfg_tuple_get(disabled, "algorithms");
 	for (element = cfg_list_first(algorithms);
@@ -1110,7 +1106,7 @@ on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(name, &b, dns_rootname,
-					   ISC_TRUE, NULL);
+					   0, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (dns_name_equal(name, zonename))
 			return (ISC_TRUE);
@@ -2111,7 +2107,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			isc_buffer_init(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			CHECK(dns_name_fromtext(name, &b, dns_rootname,
-						ISC_TRUE, NULL));
+						0, NULL));
 #endif
 			str = cfg_obj_asstring(cfg_tuple_get(obj,
 							     "trust-anchor"));
@@ -2119,7 +2115,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			isc_buffer_add(&b, strlen(str));
 			dlv = dns_fixedname_name(&view->dlv_fixed);
 			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
-						ISC_TRUE, NULL));
+						DNS_NAME_DOWNCASE, NULL));
 			view->dlv = dns_fixedname_name(&view->dlv_fixed);
 		}
 	} else
@@ -2171,7 +2167,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 				isc_buffer_init(&b, str, strlen(str));
 				isc_buffer_add(&b, strlen(str));
 				CHECK(dns_name_fromtext(name, &b, dns_rootname,
-							ISC_FALSE, NULL));
+							0, NULL));
 				CHECK(dns_view_excludedelegationonly(view,
 								     name));
 			}
@@ -2224,8 +2220,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			str = cfg_obj_asstring(obj);
 			isc_buffer_init(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
-						ISC_FALSE, NULL));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+						NULL));
 			isc_buffer_init(&buffer, server, sizeof(server) - 1);
 			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
 			server[isc_buffer_usedlength(&buffer)] = 0;
@@ -2239,8 +2235,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			str = cfg_obj_asstring(obj);
 			isc_buffer_init(&buffer, str, strlen(str));
 			isc_buffer_add(&buffer, strlen(str));
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
-						ISC_FALSE, NULL));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+						NULL));
 			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
 			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
 			contact[isc_buffer_usedlength(&buffer)] = 0;
@@ -2266,8 +2262,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			/*
 			 * Look for zone on drop list.
 			 */
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
-						ISC_FALSE, NULL));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+						NULL));
 			if (disablelist != NULL &&
 			    on_disable_list(disablelist, name))
 				continue;
@@ -2457,8 +2453,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 			isc_buffer_add(&buffer, strlen(str));
 			dns_fixedname_init(&fixed);
 			name = dns_fixedname_name(&fixed);
-			CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
-						ISC_FALSE, NULL));
+			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+						NULL));
 
 			portobj = cfg_tuple_get(alternate, "port");
 			if (cfg_obj_isuint32(portobj)) {
@@ -2671,7 +2667,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	isc_buffer_add(&buffer, strlen(zname));
 	dns_fixedname_init(&fixorigin);
 	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
-				&buffer, dns_rootname, ISC_FALSE, NULL));
+				&buffer, dns_rootname, 0, NULL));
 	origin = dns_fixedname_name(&fixorigin);
 
 	CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
@@ -3471,8 +3467,7 @@ configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
 	isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
 	isc_buffer_add(&buffer, strlen(keynamestr));
 	keyname = dns_fixedname_name(&fname);
-	result = dns_name_fromtext(keyname, &buffer, dns_rootname, ISC_FALSE,
-				   NULL);
+	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -5053,7 +5048,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
 	isc_buffer_add(&buf, strlen(zonetxt));
 	dns_fixedname_init(&name);
 	result = dns_name_fromtext(dns_fixedname_name(&name),
-				   &buf, dns_rootname, ISC_FALSE, NULL);
+				   &buf, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto fail1;
 
@@ -5894,7 +5889,7 @@ ns_server_flushname(ns_server_t *server, char *args) {
 	isc_buffer_add(&b, strlen(target));
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
-	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 82cf573bf7..52f5f105c1 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.29 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: tkeyconf.c,v 1.30 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -77,8 +77,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname,
-					 ISC_FALSE, NULL));
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
 		RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
 					type, NULL, mctx, &tctx->dhkey));
@@ -92,8 +91,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
-					 NULL));
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
 		tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
 		if (tctx->domain == NULL) {
 			result = ISC_R_NOMEMORY;
@@ -112,10 +110,8 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
-		RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
-					 NULL));
-		RETERR(dst_gssapi_acquirecred(name, ISC_FALSE,
-					      &tctx->gsscred));
+		RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+		RETERR(dst_gssapi_acquirecred(name, ISC_FALSE, &tctx->gsscred));
 	}
 
 	*tctxp = tctx;
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index f44dcd7eb4..5e06b0f64a 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.32 2009/06/11 23:47:55 tbox Exp $ */
+/* $Id: tsigconf.c,v 1.33 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -82,7 +82,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
 		isc_buffer_add(&keynamesrc, strlen(keyid));
 		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
 		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
-					ISC_TRUE, &keynamebuf);
+					DNS_NAME_DOWNCASE, &keynamebuf);
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
 
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index 5092834001..00bf2e0696 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.10 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.11 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
 		${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 OBJS =		os.@O@
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 1ecc4b96b3..f56da44899 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.153 2009/07/14 23:47:53 tbox Exp $ */
+/* $Id: zoneconf.c,v 1.154 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*% */
 
@@ -260,7 +260,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
-					   dns_rootname, ISC_FALSE, NULL);
+					   dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS) {
 			cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
 				    "'%s' is not a valid name", str);
@@ -283,8 +283,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 			isc_buffer_init(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			result = dns_name_fromtext(dns_fixedname_name(&fname),
-						   &b, dns_rootname,
-						   ISC_FALSE, NULL);
+						   &b, dns_rootname, 0, NULL);
 			if (result != ISC_R_SUCCESS) {
 				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
 					    "'%s' is not a valid name", str);
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index b479eb7e93..00d0fbd23e 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.32 2009/07/14 22:54:56 each Exp $
+# $Id: Makefile.in,v 1.33 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
 
-CDEFINES =	@USE_GSSAPI@
+CDEFINES =	-DBIND9 @USE_GSSAPI@
 CWARNINGS =
 
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 27c61742e0..c62a8418bf 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.171 2009/07/19 04:18:04 each Exp $ */
+/* $Id: nsupdate.c,v 1.172 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -526,8 +526,7 @@ setup_keystr(void) {
 	isc_buffer_add(&keynamesrc, n - name);
 
 	debug("namefromtext");
-	result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname,
-				   ISC_FALSE, NULL);
+	result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, 0, NULL);
 	check_result(result, "dns_name_fromtext");
 
 	secretlen = strlen(secretstr) * 3 / 4;
@@ -1110,8 +1109,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
 	dns_message_takebuffer(msg, &namebuf);
 	isc_buffer_init(&source, word, strlen(word));
 	isc_buffer_add(&source, strlen(word));
-	result = dns_name_fromtext(*namep, &source, dns_rootname,
-				   ISC_FALSE, NULL);
+	result = dns_name_fromtext(*namep, &source, dns_rootname, 0, NULL);
 	check_result(result, "dns_name_fromtext");
 	isc_buffer_invalidate(&source);
 	return (STATUS_MORE);
@@ -1433,7 +1431,7 @@ evaluate_key(char *cmdline) {
 
 	isc_buffer_init(&b, namestr, strlen(namestr));
 	isc_buffer_add(&b, strlen(namestr));
-	result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not parse key name\n");
 		return (STATUS_SYNTAX);
@@ -1490,8 +1488,7 @@ evaluate_zone(char *cmdline) {
 	userzone = dns_fixedname_name(&fuserzone);
 	isc_buffer_init(&b, word, strlen(word));
 	isc_buffer_add(&b, strlen(word));
-	result = dns_name_fromtext(userzone, &b, dns_rootname, ISC_FALSE,
-				   NULL);
+	result = dns_name_fromtext(userzone, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		userzone = NULL; /* Lest it point to an invalid name */
 		fprintf(stderr, "could not parse zone name\n");
@@ -2426,8 +2423,7 @@ start_gssrequest(dns_name_t *master)
 		      isc_result_totext(result));
 	isc_buffer_init(&buf, servicename, strlen(servicename));
 	isc_buffer_add(&buf, strlen(servicename));
-	result = dns_name_fromtext(servname, &buf, dns_rootname,
-				   ISC_FALSE, NULL);
+	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_name_fromtext(servname) failed: %s",
 		      isc_result_totext(result));
@@ -2444,8 +2440,7 @@ start_gssrequest(dns_name_t *master)
 	isc_buffer_init(&buf, keystr, strlen(keystr));
 	isc_buffer_add(&buf, strlen(keystr));
 
-	result = dns_name_fromtext(keyname, &buf, dns_rootname,
-				   ISC_FALSE, NULL);
+	result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		fatal("dns_name_fromtext(keyname) failed: %s",
 		      isc_result_totext(result));
@@ -2596,8 +2591,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 	servname = dns_fixedname_name(&fname);
 	isc_buffer_init(&buf, servicename, strlen(servicename));
 	isc_buffer_add(&buf, strlen(servicename));
-	result = dns_name_fromtext(servname, &buf, dns_rootname,
-				   ISC_FALSE, NULL);
+	result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
 	check_result(result, "dns_name_fromtext");
 
 	tsigkey = NULL;
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index d6892d1270..6ec10ba7d3 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.46 2009/06/11 23:47:55 tbox Exp $
+# $Id: Makefile.in,v 1.47 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index ac3a51adbe..20f1206046 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.134 2009/03/02 03:53:29 each Exp $
+# $Id: Makefile.in,v 1.135 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 		${LWRES_INCLUDES} ${OMAPI_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index 2ef812d70d..a63a2537e2 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb_test.c,v 1.68 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: adb_test.c,v 1.69 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -249,8 +249,7 @@ lookup(const char *target) {
 	isc_buffer_add(&t, strlen(target));
 	isc_buffer_init(&namebuf, namedata, sizeof(namedata));
 	dns_name_init(&name, NULL);
-	result = dns_name_fromtext(&name, &t, dns_rootname, ISC_FALSE,
-				   &namebuf);
+	result = dns_name_fromtext(&name, &t, dns_rootname, 0, &namebuf);
 	check_result(result, "dns_name_fromtext %s", target);
 
 	result = dns_name_dup(&name, mctx, &client->name);
diff --git a/bin/tests/byname_test.c b/bin/tests/byname_test.c
index fdf45a9891..1c3ea711a3 100644
--- a/bin/tests/byname_test.c
+++ b/bin/tests/byname_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byname_test.c,v 1.31 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: byname_test.c,v 1.32 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file
  * \author
@@ -343,7 +343,7 @@ main(int argc, char *argv[]) {
 	dns_fixedname_init(&name);
 	dns_fixedname_init(&target);
 	RUNTIME_CHECK(dns_name_fromtext(dns_fixedname_name(&name), &b,
-					dns_rootname, ISC_FALSE, NULL) ==
+					dns_rootname, 0, NULL) ==
 		      ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_app_onrun(mctx, task, run, NULL) == ISC_R_SUCCESS);
diff --git a/bin/tests/db/Makefile.in b/bin/tests/db/Makefile.in
index 13ebad269e..fe9e28398e 100644
--- a/bin/tests/db/Makefile.in
+++ b/bin/tests/db/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.30 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/db/t_db.c b/bin/tests/db/t_db.c
index 6ec057a53a..3a7a2a725a 100644
--- a/bin/tests/db/t_db.c
+++ b/bin/tests/db/t_db.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_db.c,v 1.38 2009/01/22 23:47:53 tbox Exp $ */
+/* $Id: t_db.c,v 1.39 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -61,7 +61,7 @@ t_create(const char *db_type, const char *origin, const char *class,
 	isc_buffer_init(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
-				       &origin_buffer, NULL, ISC_FALSE, NULL);
+				       &origin_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       dns_result_totext(dns_result));
@@ -190,7 +190,7 @@ t_dns_db_load(char **av) {
 	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-				&findname_buffer, NULL, ISC_FALSE, NULL);
+				&findname_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -305,7 +305,7 @@ t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
 	isc_buffer_init(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
-				       &origin_buffer, NULL, ISC_FALSE, NULL);
+				       &origin_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       dns_result_totext(dns_result));
@@ -584,7 +584,7 @@ t_dns_db_origin(char **av) {
 	}
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
-				&origin_buffer, NULL, ISC_FALSE, NULL);
+				&origin_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
@@ -832,7 +832,7 @@ t_dns_db_currentversion(char **av) {
 	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-				&findname_buffer, NULL, ISC_FALSE, NULL);
+				&findname_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -1123,7 +1123,7 @@ t_dns_db_newversion(char **av) {
 	isc_buffer_init(&newname_buffer, newname, len);
 	isc_buffer_add(&newname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
-				&newname_buffer, NULL, ISC_FALSE, NULL);
+				&newname_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -1449,7 +1449,7 @@ t_dns_db_closeversion_1(char **av) {
 	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
-			&name_buffer, NULL, ISC_FALSE, NULL);
+			&name_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -1528,7 +1528,7 @@ t_dns_db_closeversion_1(char **av) {
 	isc_buffer_init(&name_buffer, new_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
-				&name_buffer, NULL, ISC_FALSE, NULL);
+				&name_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -1861,7 +1861,7 @@ t_dns_db_closeversion_2(char **av) {
 	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
-			&name_buffer, NULL, ISC_FALSE, NULL);
+			&name_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
@@ -1942,7 +1942,7 @@ t_dns_db_closeversion_2(char **av) {
 	isc_buffer_init(&name_buffer, new_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
-				       &name_buffer, NULL, ISC_FALSE, NULL);
+				       &name_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       dns_result_totext(dns_result));
@@ -2279,7 +2279,7 @@ t_dns_db_expirenode(char **av) {
 	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
-				       &name_buffer, NULL, ISC_FALSE, NULL);
+				       &name_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       dns_result_totext(dns_result));
@@ -2525,7 +2525,7 @@ t_dns_db_findnode_1(char **av) {
 	isc_buffer_init(&name_buffer, find_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_name),
-				&name_buffer, NULL, ISC_FALSE, NULL);
+				&name_buffer, NULL, 0, NULL);
 
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_name),
 				ISC_FALSE, &nodep);
@@ -2681,7 +2681,7 @@ t_dns_db_findnode_2(char **av) {
 	isc_buffer_init(&name_buffer, newname, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_name),
-				       &name_buffer, NULL, ISC_FALSE, NULL);
+				       &name_buffer, NULL, 0, NULL);
 
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_name),
 				     ISC_FALSE, &nodep);
@@ -2886,7 +2886,7 @@ t_dns_db_find_x(char **av) {
 	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-				&findname_buffer, NULL, ISC_FALSE, NULL);
+				&findname_buffer, NULL, 0, NULL);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index 9b0d90d2b2..1cd8f0dfc7 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db_test.c,v 1.66 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: db_test.c,v 1.67 2009/09/01 00:22:25 jinmei Exp $ */
 
 /*! \file
  * \author
@@ -134,8 +134,7 @@ select_db(char *origintext) {
 	isc_buffer_add(&source, len);
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
-	result = dns_name_fromtext(origin, &source, dns_rootname, ISC_FALSE,
-				   NULL);
+	result = dns_name_fromtext(origin, &source, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		print_result("bad name", result);
 		return (NULL);
@@ -188,8 +187,7 @@ list(dbinfo *dbi, char *seektext) {
 				result = dns_name_fromtext(seekname, &source,
 							   dns_db_origin(
 								 dbi->db),
-							   ISC_FALSE,
-							   NULL);
+							   0, NULL);
 				if (result == ISC_R_SUCCESS)
 					result = dns_dbiterator_seek(
 							     dbi->dbiterator,
@@ -271,8 +269,7 @@ load(const char *filename, const char *origintext, isc_boolean_t cache) {
 	isc_buffer_add(&source, len);
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
-	result = dns_name_fromtext(origin, &source, dns_rootname, ISC_FALSE,
-				   NULL);
+	result = dns_name_fromtext(origin, &source, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -736,8 +733,7 @@ main(int argc, char *argv[]) {
 		isc_buffer_init(&source, s, len);
 		isc_buffer_add(&source, len);
 		isc_buffer_init(&target, b, sizeof(b));
-		result = dns_name_fromtext(&name, &source, origin,
-					   ISC_FALSE, &target);
+		result = dns_name_fromtext(&name, &source, origin, 0, &target);
 		if (result != ISC_R_SUCCESS) {
 			print_result("bad name: ", result);
 			continue;
diff --git a/bin/tests/dst/Makefile.in b/bin/tests/dst/Makefile.in
index fad70d5aef..72e6e42373 100644
--- a/bin/tests/dst/Makefile.in
+++ b/bin/tests/dst/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.48 2009/03/02 23:47:43 tbox Exp $
+# $Id: Makefile.in,v 1.49 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} \
 		${ISC_INCLUDES} @DST_GSSAPI_INC@
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index 597e6356c6..ac1327c99f 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_test.c,v 1.45 2009/03/02 23:47:43 tbox Exp $ */
+/* $Id: dst_test.c,v 1.46 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -264,7 +264,7 @@ main(void) {
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
-	result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (1);
 	io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
@@ -276,7 +276,7 @@ main(void) {
 
 	isc_buffer_init(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
-	result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (1);
 	dh(name, 18602, name, 48957, mctx);
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c
index 98e16d265b..355fde3a9e 100755
--- a/bin/tests/dst/gsstest.c
+++ b/bin/tests/dst/gsstest.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gsstest.c,v 1.6 2007/06/19 23:47:00 tbox Exp $ */
+/* $Id: gsstest.c,v 1.7 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -212,7 +212,7 @@ sendquery(isc_task_t *task, isc_event_t *event)
 	isc_buffer_init(&buf, host, strlen(host));
 	isc_buffer_add(&buf, strlen(host));
 	result = dns_name_fromtext(dns_fixedname_name(&queryname), &buf,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &message);
@@ -369,7 +369,7 @@ initctx1(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_init(&buf, contextname, strlen(contextname));
 	isc_buffer_add(&buf, strlen(contextname));
 	result = dns_name_fromtext(dns_fixedname_name(&servername), &buf,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	/* Make name happen */	
@@ -377,7 +377,7 @@ initctx1(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_init(&buf, gssid, strlen(gssid));
 	isc_buffer_add(&buf, strlen(gssid));
 	result = dns_name_fromtext(dns_fixedname_name(&gssname), &buf,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	query = NULL;
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index c801022869..bc430ec64a 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_dst.c,v 1.57 2009/01/22 23:47:54 tbox Exp $ */
+/* $Id: t_dst.c,v 1.58 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -405,7 +405,7 @@ t1(void) {
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, "test.", 5);
 	isc_buffer_add(&b, 5);
-	isc_result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
+	isc_result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       isc_result_totext(isc_result));
@@ -427,7 +427,7 @@ t1(void) {
 
 	isc_buffer_init(&b, "dh.", 3);
 	isc_buffer_add(&b, 3);
-	isc_result = dns_name_fromtext(name, &b, NULL, ISC_FALSE, NULL);
+	isc_result = dns_name_fromtext(name, &b, NULL, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 		       isc_result_totext(isc_result));
@@ -686,7 +686,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, keyname, strlen(keyname));
 	isc_buffer_add(&b, strlen(keyname));
-	isc_result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	isc_result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			isc_result_totext(isc_result));
diff --git a/bin/tests/master/Makefile.in b/bin/tests/master/Makefile.in
index 03125da11c..61b6761db5 100644
--- a/bin/tests/master/Makefile.in
+++ b/bin/tests/master/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
diff --git a/bin/tests/master/t_master.c b/bin/tests/master/t_master.c
index 8df588b0c6..496b79aa37 100644
--- a/bin/tests/master/t_master.c
+++ b/bin/tests/master/t_master.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_master.c,v 1.38 2009/01/22 23:47:54 tbox Exp $ */
+/* $Id: t_master.c,v 1.39 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -94,7 +94,7 @@ test_master(char *testfile, char *origin, char *class, isc_result_t exp_result)
 	isc_buffer_init(&target, name_buf, BUFLEN);
 	dns_name_init(&dns_origin, NULL);
 	dns_result = dns_name_fromtext(&dns_origin, &source, dns_rootname,
-				   ISC_FALSE, &target);
+				       0, &target);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
diff --git a/bin/tests/master_test.c b/bin/tests/master_test.c
index f77c8f64fc..f0160f436c 100644
--- a/bin/tests/master_test.c
+++ b/bin/tests/master_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master_test.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: master_test.c,v 1.31 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -75,7 +75,7 @@ main(int argc, char *argv[]) {
 		isc_buffer_init(&target, name_buf, 255);
 		dns_name_init(&origin, NULL);
 		result = dns_name_fromtext(&origin, &source, dns_rootname,
-					   ISC_FALSE, &target);
+					   0, &target);
 		if (result != ISC_R_SUCCESS) {
 			fprintf(stdout, "dns_name_fromtext: %s\n",
 				dns_result_totext(result));
diff --git a/bin/tests/mem/Makefile.in b/bin/tests/mem/Makefile.in
index 135a8e3ec9..550ebe5611 100644
--- a/bin/tests/mem/Makefile.in
+++ b/bin/tests/mem/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.34 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.35 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../../lib/isc/libisc.@A@
diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c
index 799115fe06..c54260fa8f 100644
--- a/bin/tests/name_test.c
+++ b/bin/tests/name_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name_test.c,v 1.41 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: name_test.c,v 1.42 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -73,7 +73,7 @@ main(int argc, char *argv[]) {
 	isc_buffer_t source;
 	isc_region_t r;
 	dns_name_t *name, *origin, *comp, *down;
-	isc_boolean_t downcase = ISC_FALSE;
+	unsigned int downcase = 0;
 	size_t len;
 	isc_boolean_t quiet = ISC_FALSE;
 	isc_boolean_t concatenate = ISC_FALSE;
@@ -128,8 +128,7 @@ main(int argc, char *argv[]) {
 			dns_fixedname_init(&oname);
 			origin = &oname.name;
 			result = dns_name_fromtext(origin, &source,
-						   dns_rootname, ISC_FALSE,
-						   NULL);
+						   dns_rootname, 0, NULL);
 			if (result != 0) {
 				fprintf(stderr,
 					"dns_name_fromtext() failed: %d\n",
@@ -151,8 +150,8 @@ main(int argc, char *argv[]) {
 			isc_buffer_add(&source, len);
 			dns_fixedname_init(&compname);
 			comp = &compname.name;
-			result = dns_name_fromtext(comp, &source,
-						   origin, ISC_FALSE, NULL);
+			result = dns_name_fromtext(comp, &source, origin,
+						   0, NULL);
 			if (result != 0) {
 				fprintf(stderr,
 					"dns_name_fromtext() failed: %d\n",
diff --git a/bin/tests/names/Makefile.in b/bin/tests/names/Makefile.in
index 31b12feef9..17711f1ae0 100644
--- a/bin/tests/names/Makefile.in
+++ b/bin/tests/names/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index ce776dec29..ce859dea53 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_names.c,v 1.48 2009/01/22 23:47:54 tbox Exp $ */
+/* $Id: t_names.c,v 1.49 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -344,8 +344,7 @@ dname_from_tname(char *name, dns_name_t *dns_name) {
 		isc_buffer_init(binbuf, junk, BUFLEN);
 		dns_name_init(dns_name, NULL);
 		dns_name_setbuffer(dns_name, binbuf);
-		result = dns_name_fromtext(dns_name,  &txtbuf,
-						NULL, ISC_FALSE, NULL);
+		result = dns_name_fromtext(dns_name,  &txtbuf, NULL, 0, NULL);
 	} else {
 		result = ISC_R_NOSPACE;
 		if (junk != NULL)
@@ -535,7 +534,7 @@ test_dns_name_isabsolute(char *test_name, isc_boolean_t expected) {
 	isc_buffer_init(&binbuf, &junk[0], BUFLEN);
 	dns_name_init(&name, NULL);
 	dns_name_setbuffer(&name, &binbuf);
-	result = dns_name_fromtext(&name,  &buf, NULL, ISC_FALSE, NULL);
+	result = dns_name_fromtext(&name,  &buf, NULL, 0, NULL);
 	if (result == ISC_R_SUCCESS) {
 		isabs_p = dns_name_isabsolute(&name);
 		if (isabs_p == expected)
@@ -1659,7 +1658,7 @@ static const char *a40 =
 
 static int
 test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
-		       isc_boolean_t downcase)
+		       unsigned int downcase)
 {
 	int		result;
 	int		order;
@@ -1702,8 +1701,8 @@ test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
 	dns_name_setbuffer(&dns_name2, &binbuf2);
 	dns_name_setbuffer(&dns_name3, &binbuf3);
 
-	dns_result = dns_name_fromtext(&dns_name3,  &txtbuf3, NULL,
-						ISC_FALSE, &binbuf3);
+	dns_result = dns_name_fromtext(&dns_name3,  &txtbuf3, NULL, 0,
+				       &binbuf3);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext(dns_name3) failed, result == %s\n",
 			dns_result_totext(dns_result));
@@ -1718,8 +1717,8 @@ test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
 		return (T_FAIL);
 	}
 
-	dns_result = dns_name_fromtext(&dns_name2,  &txtbuf2, NULL,
-						ISC_FALSE, &binbuf2);
+	dns_result = dns_name_fromtext(&dns_name2,  &txtbuf2, NULL, 0,
+				       &binbuf2);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext(dns_name2) failed, result == %s\n",
 		       dns_result_totext(dns_result));
@@ -1777,8 +1776,8 @@ t_dns_name_fromtext(void) {
 								Tokens[2],
 							   atoi(Tokens[3])
 								== 0 ?
-								ISC_FALSE :
-								ISC_TRUE);
+								0 :
+						       	     DNS_NAME_DOWNCASE);
 			} else {
 				t_info("bad format at line %d\n", line);
 			}
@@ -1830,8 +1829,7 @@ test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
 	/*
 	 * Out of the data file to dns_name1.
 	 */
-	dns_result = dns_name_fromtext(&dns_name1, &buf1, NULL, ISC_FALSE,
-				       &buf2);
+	dns_result = dns_name_fromtext(&dns_name1, &buf1, NULL, 0, &buf2);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed, result == %s\n",
 		       dns_result_totext(dns_result));
@@ -1855,8 +1853,7 @@ test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
 	 */
 	dns_name_init(&dns_name2, NULL);
 	isc_buffer_init(&buf3, junk3, BUFLEN);
-	dns_result = dns_name_fromtext(&dns_name2, &buf1, NULL, ISC_FALSE,
-				       &buf3);
+	dns_result = dns_name_fromtext(&dns_name2, &buf1, NULL, 0, &buf3);
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed, result == %s\n",
 		       dns_result_totext(dns_result));
@@ -2195,8 +2192,7 @@ test_dns_name_towire(char *testname, unsigned int dc_method, char *exp_data,
 	isc_buffer_init(&iscbuf1, testname, len);
 	isc_buffer_add(&iscbuf1, len);
 	isc_buffer_init(&iscbuf2, buf2, BUFLEN);
-	dns_result = dns_name_fromtext(&dns_name, &iscbuf1, NULL, ISC_FALSE,
-				       &iscbuf2);
+	dns_result = dns_name_fromtext(&dns_name, &iscbuf1, NULL, 0, &iscbuf2);
 	if (dns_result == ISC_R_SUCCESS) {
 		isc_buffer_init(&iscbuf3, buf3, buflen);
 		dns_result = dns_name_towire(&dns_name, &cctx, &iscbuf3);
diff --git a/bin/tests/net/Makefile.in b/bin/tests/net/Makefile.in
index 0c75c28bfa..1c223bf03b 100644
--- a/bin/tests/net/Makefile.in
+++ b/bin/tests/net/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.16 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.17 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../../lib/isc/libisc.@A@
diff --git a/bin/tests/nsecify.c b/bin/tests/nsecify.c
index 2e055c66d5..d7f841c299 100644
--- a/bin/tests/nsecify.c
+++ b/bin/tests/nsecify.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsecify.c,v 1.8 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: nsecify.c,v 1.9 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -139,7 +139,7 @@ nsecify(char *filename) {
 	len = strlen(origintext);
 	isc_buffer_init(&b, origintext, len);
 	isc_buffer_add(&b, len);
-	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	check_result(result, "dns_name_fromtext()");
 
 	db = NULL;
diff --git a/bin/tests/rbt/Makefile.in b/bin/tests/rbt/Makefile.in
index d551297b57..be3cd5a50d 100644
--- a/bin/tests/rbt/Makefile.in
+++ b/bin/tests/rbt/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c
index 848e262452..55ebfd2b77 100644
--- a/bin/tests/rbt/t_rbt.c
+++ b/bin/tests/rbt/t_rbt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_rbt.c,v 1.32 2009/01/22 23:47:54 tbox Exp $ */
+/* $Id: t_rbt.c,v 1.33 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -152,7 +152,7 @@ create_name(char *s, isc_mem_t *mctx, dns_name_t **dns_name) {
 			isc_buffer_init(&target, name + 1, DNSNAMELEN);
 
 			result = dns_name_fromtext(name, &source, dns_rootname,
-						   ISC_FALSE, &target);
+						   0, &target);
 
 			if (result != ISC_R_SUCCESS) {
 				++nfails;
@@ -832,7 +832,7 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	dns_fixedname_init(&dns_nextname);
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-					&isc_buffer, NULL, ISC_FALSE, NULL);
+					&isc_buffer, NULL, 0, NULL);
 
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
@@ -1494,7 +1494,7 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	dns_fixedname_init(&dns_origin);
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-				       &isc_buffer, NULL, ISC_FALSE, NULL);
+				       &isc_buffer, NULL, 0, NULL);
 
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
@@ -1701,7 +1701,7 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
 	dns_fixedname_init(&dns_origin);
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-				       &isc_buffer, NULL, ISC_FALSE, NULL);
+				       &isc_buffer, NULL, 0, NULL);
 
 	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index ac8db14e45..93e4705447 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt_test.c,v 1.48 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: rbt_test.c,v 1.49 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -71,8 +71,7 @@ create_name(char *s) {
 	dns_name_init(name, NULL);
 	isc_buffer_init(&target, name + 1, DNSNAMELEN);
 
-	result = dns_name_fromtext(name, &source, dns_rootname,
-				   ISC_FALSE, &target);
+	result = dns_name_fromtext(name, &source, dns_rootname, 0, &target);
 
 	if (result != ISC_R_SUCCESS) {
 		printf("dns_name_fromtext(%s) failed: %s\n",
diff --git a/bin/tests/sig0_test.c b/bin/tests/sig0_test.c
index f36bbee02f..07654ed9cc 100644
--- a/bin/tests/sig0_test.c
+++ b/bin/tests/sig0_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig0_test.c,v 1.17 2008/07/22 23:47:04 tbox Exp $ */
+/* $Id: sig0_test.c,v 1.18 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -157,8 +157,7 @@ buildquery(void) {
 	isc_buffer_add(&namesrc, strlen(nametext));
 	isc_buffer_init(&namedst, namedata, sizeof(namedata));
 	dns_name_init(qname, NULL);
-	result = dns_name_fromtext(qname, &namesrc, dns_rootname, ISC_FALSE,
-				   &namedst);
+	result = dns_name_fromtext(qname, &namesrc, dns_rootname, 0, &namedst);
 	CHECK("dns_name_fromtext", result);
 	ISC_LIST_APPEND(qname->list, question, link);
 	dns_message_addname(query, qname, DNS_SECTION_QUESTION);
@@ -264,7 +263,7 @@ main(int argc, char *argv[]) {
 	name = dns_fixedname_name(&fname);
 	isc_buffer_init(&b, "child.example.", strlen("child.example."));
 	isc_buffer_add(&b, strlen("child.example."));
-	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	key = NULL;
diff --git a/bin/tests/sockaddr/Makefile.in b/bin/tests/sockaddr/Makefile.in
index cdb3626e09..83b76f1175 100644
--- a/bin/tests/sockaddr/Makefile.in
+++ b/bin/tests/sockaddr/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.23 2009/02/06 23:47:42 tbox Exp $
+# $Id: Makefile.in,v 1.24 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/system/lwresd/Makefile.in b/bin/tests/system/lwresd/Makefile.in
index 807349dd32..85ec286574 100644
--- a/bin/tests/system/lwresd/Makefile.in
+++ b/bin/tests/system/lwresd/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19 2007/06/19 23:47:03 tbox Exp $
+# $Id: Makefile.in,v 1.20 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${LWRES_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 LWRESLIBS =	../../../../lib/lwres/liblwres.@A@
diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in
index 684fb1a610..1157c8d464 100644
--- a/bin/tests/system/tkey/Makefile.in
+++ b/bin/tests/system/tkey/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11 2007/06/19 23:47:06 tbox Exp $
+# $Id: Makefile.in,v 1.12 2009/09/01 00:22:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 DNSLIBS =	../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index cbb27d3119..23e6d42476 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keycreate.c,v 1.17 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: keycreate.c,v 1.18 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -153,14 +153,14 @@ sendquery(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_init(&namestr, "tkeytest.", 9);
 	isc_buffer_add(&namestr, 9);
 	result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr,
-				   NULL, ISC_FALSE, NULL);
+				   NULL, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	dns_fixedname_init(&ownername);
 	isc_buffer_init(&namestr, ownername_str, strlen(ownername_str));
 	isc_buffer_add(&namestr, strlen(ownername_str));
 	result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
-				   NULL, ISC_FALSE, NULL);
+				   NULL, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
 	isc_buffer_init(&keybuf, keydata, 9);
diff --git a/bin/tests/tasks/Makefile.in b/bin/tests/tasks/Makefile.in
index 8f6e236d63..8806b6a808 100644
--- a/bin/tests/tasks/Makefile.in
+++ b/bin/tests/tasks/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.32 2009/02/06 23:47:42 tbox Exp $
+# $Id: Makefile.in,v 1.33 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/timers/Makefile.in b/bin/tests/timers/Makefile.in
index 19c083d65e..7924067796 100644
--- a/bin/tests/timers/Makefile.in
+++ b/bin/tests/timers/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.30 2009/02/06 23:47:42 tbox Exp $
+# $Id: Makefile.in,v 1.31 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/tests/zone_test.c b/bin/tests/zone_test.c
index 7983bbaa8a..9274e41dc2 100644
--- a/bin/tests/zone_test.c
+++ b/bin/tests/zone_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone_test.c,v 1.33 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: zone_test.c,v 1.34 2009/09/01 00:22:25 jinmei Exp $ */
 
 #include 
 
@@ -104,7 +104,7 @@ setup(const char *zonename, const char *filename, const char *classname) {
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
-			  	   &buffer, dns_rootname, ISC_FALSE, NULL);
+			  	   &buffer, dns_rootname, 0, NULL);
 	ERRRET(result, "dns_name_fromtext");
 	origin = dns_fixedname_name(&fixorigin);
 
@@ -206,7 +206,7 @@ query(void) {
 		isc_buffer_init(&buffer, buf, strlen(buf));
 		isc_buffer_add(&buffer, strlen(buf));
 		result = dns_name_fromtext(dns_fixedname_name(&name),
-				  &buffer, dns_rootname, ISC_FALSE, NULL);
+				  &buffer, dns_rootname, 0, NULL);
 		ERRCONT(result, "dns_name_fromtext");
 
 		result = dns_db_find(db, dns_fixedname_name(&name),
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index e244fde428..90a7b9eac9 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7 2009/07/21 02:41:01 marka Exp $
+# $Id: Makefile.in,v 1.8 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
 		${LWRES_INCLUDES} ${OMAPI_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/config.h.in b/config.h.in
index 99595db675..e4cdc9b9df 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.117 2009/08/13 01:51:19 marka Exp $ */
+/* $Id: config.h.in,v 1.118 2009/09/01 00:22:24 jinmei Exp $ */
 
 /*! \file */
 
@@ -292,6 +292,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Defined if extern char *optarg is not declared. */
 #undef NEED_OPTARG
 
+/* Define to the buffer length type used by getnameinfo(3). */
+#undef IRS_GETNAMEINFO_BUFLEN_T
+
+/* Define to the flags type used by getnameinfo(3). */
+#undef IRS_GETNAMEINFO_FLAGS_T
+
 /* Define if connect does not honour the permission on the UNIX domain socket.
    */
 #undef NEED_SECURE_DIRECTORY
diff --git a/configure.in b/configure.in
index 94f1c6a93a..7f5bd3c135 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.473 $)
+AC_REVISION($Revision: 1.474 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -62,7 +62,6 @@ It is available from http://www.isc.org as a separate download.])
 		;;
 esac
 
-
 #
 # Make very sure that these are the first files processed by
 # config.status, since we use the processed output as the input for
@@ -1323,6 +1322,54 @@ AC_SUBST(LIBTOOL_MODE_LINK)
 AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
 AC_SUBST(LIBTOOL_IN_MAIN)
 
+#
+# build exportable DNS library?
+#
+AC_ARG_ENABLE(exportlib,
+	[  --enable-exportlib	build exportable library (GNU make required)
+                        [[default=no]]])
+case "$enable_exportlib" in
+	yes)
+		gmake=
+		for x in gmake gnumake make; do
+			if $x --version 2>/dev/null | grep GNU > /dev/null; then
+				gmake=$x
+				break;
+			fi
+		done
+		if test -z "$gmake"; then
+			AC_MSG_ERROR([exportlib requires GNU make.  Install it or disable the feature.])
+		fi
+		LIBEXPORT=lib/export
+		AC_SUBST(LIBEXPORT)
+		BIND9_CO_RULE="%.$O:  \${srcdir}/%.c"
+		;;
+	no|*)
+		BIND9_CO_RULE=".c.$O:"
+		;;
+esac
+AC_SUBST(BIND9_CO_RULE)
+
+AC_ARG_WITH(export-libdir,
+	[  --with-export-libdir[=PATH]
+                        installation directory for the export library
+                        [[EPREFIX/lib/bind9]]],
+	export_libdir="$withval",)
+if test -z "$export_libdir"; then
+	export_libdir="\${exec_prefix}/lib/bind9/"
+fi
+AC_SUBST(export_libdir)
+
+AC_ARG_WITH(export-installdir,
+	[  --with-export-installdir[=PATH]
+                        installation directory for the header files of the
+                        export library [[PREFIX/include/bind9]]],
+	export_installdir="$withval",)
+if test -z "$export_includedir"; then
+	export_includedir="\${prefix}/include/bind9/"
+fi
+AC_SUBST(export_includedir)
+
 #
 # Here begins a very long section to determine the system's networking
 # capabilities.  The order of the tests is significant.
@@ -1707,10 +1754,13 @@ AC_TRY_COMPILE([
 [struct addrinfo a; return (0);],
 	[AC_MSG_RESULT(yes)
 	ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
+	ISC_IRS_NEEDADDRINFO="#undef ISC_IRS_NEEDADDRINFO"
 	AC_DEFINE(HAVE_ADDRINFO)],
 	[AC_MSG_RESULT(no)
-	ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"])
+	ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"
+	ISC_IRS_NEEDADDRINFO="#define ISC_IRS_NEEDADDRINFO 1"])
 AC_SUBST(ISC_LWRES_NEEDADDRINFO)
+AC_SUBST(ISC_IRS_NEEDADDRINFO)
 
 #
 # Check for rrsetinfo
@@ -1797,6 +1847,35 @@ AC_TRY_COMPILE([
 	ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
 AC_SUBST(ISC_LWRES_NEEDHERRNO)
 
+#
+# Sadly, the definitions of system-supplied getnameinfo(3) vary.  Try to catch
+# known variations here:
+#
+AC_MSG_CHECKING(for getnameinfo prototype definitions)
+AC_TRY_COMPILE([
+#include 
+#include 
+#include 
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+                socklen_t, char *, socklen_t, unsigned int);],
+[ return (0);],
+	[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
+	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)],
+[AC_TRY_COMPILE([
+#include 
+#include 
+#include 
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+                size_t, char *, size_t, int);],
+[ return (0);],
+	[AC_MSG_RESULT(size_t for buflen; int for flags)
+	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
+[AC_MSG_RESULT(not match any subspecies; assume standard definition)
+AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])
+
 AC_CHECK_FUNC(getipnodebyname,
 	[ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
 	[ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
@@ -1811,6 +1890,7 @@ AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
 AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
 AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
 AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
+AC_SUBST(ISC_IRS_GETNAMEINFOSOCKLEN)
 
 AC_ARG_ENABLE(getifaddrs,
 [  --enable-getifaddrs     Enable the use of getifaddrs() [[yes|no]].],
@@ -2144,6 +2224,8 @@ AC_SUBST(ISC_PLATFORM_USEDECLSPEC)
 ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
 AC_SUBST(LWRES_PLATFORM_USEDECLSPEC)
 LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
+AC_SUBST(IRS_PLATFORM_USEDECLSPEC)
+IRS_PLATFORM_USEDECLSPEC="#undef IRS_PLATFORM_USEDECLSPEC"
 
 #
 # Random remaining OS-specific issues involving compiler warnings.
@@ -2752,6 +2834,9 @@ LIBBIND9_API=$srcdir/lib/bind9/api
 AC_SUBST_FILE(LIBLWRES_API)
 LIBLWRES_API=$srcdir/lib/lwres/api
 
+AC_SUBST_FILE(LIBIRS_API)
+LIBIRS_API=$srcdir/lib/irs/api
+
 #
 # Configure any DLZ drivers.
 #
@@ -2941,10 +3026,38 @@ AC_CONFIG_FILES([
 	lib/isccfg/Makefile
 	lib/isccfg/include/Makefile
 	lib/isccfg/include/isccfg/Makefile
+	lib/irs/Makefile
+	lib/irs/include/Makefile
+	lib/irs/include/irs/Makefile
+	lib/irs/include/irs/netdb.h
+	lib/irs/include/irs/platform.h
 	lib/dns/Makefile
 	lib/dns/include/Makefile
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
+	lib/export/Makefile
+	lib/export/isc/Makefile
+	lib/export/isc/include/Makefile
+	lib/export/isc/include/isc/Makefile
+	lib/export/isc/unix/Makefile
+	lib/export/isc/unix/include/Makefile
+	lib/export/isc/unix/include/isc/Makefile
+	lib/export/isc/nls/Makefile
+	lib/export/isc/$thread_dir/Makefile
+	lib/export/isc/$thread_dir/include/Makefile
+	lib/export/isc/$thread_dir/include/isc/Makefile
+	lib/export/dns/Makefile
+	lib/export/dns/include/Makefile
+	lib/export/dns/include/dns/Makefile
+	lib/export/dns/include/dst/Makefile
+	lib/export/irs/Makefile
+	lib/export/irs/include/Makefile
+	lib/export/irs/include/irs/Makefile
+	lib/export/isccfg/Makefile
+	lib/export/isccfg/include/Makefile
+	lib/export/isccfg/include/isccfg/Makefile
+	lib/export/samples/Makefile
+	lib/export/samples/Makefile-postinstall
 	lib/bind9/Makefile
 	lib/bind9/include/Makefile
 	lib/bind9/include/bind9/Makefile
diff --git a/contrib/dbus/dbus_mgr.c b/contrib/dbus/dbus_mgr.c
index b744790cfa..427aff86b1 100644
--- a/contrib/dbus/dbus_mgr.c
+++ b/contrib/dbus/dbus_mgr.c
@@ -914,7 +914,7 @@ dbus_mgr_get_name_list
 	dnsName = dns_fixedname_name(fixedname);
 
 	result= dns_name_fromtext
-	        (  dnsName, &buffer, ( *(endp-1) != '.') ? dns_rootname : NULL, ISC_FALSE, NULL
+	        (  dnsName, &buffer, ( *(endp-1) != '.') ? dns_rootname : NULL, 0, NULL
 		); 
 
 	if( result != ISC_R_SUCCESS )
@@ -1566,7 +1566,7 @@ dbus_mgr_handle_get_forwarders
     dnsName = dns_fixedname_name(&fixedname);
 
     result = dns_name_fromtext
-	     (  dnsName, &buffer, dns_rootname, ISC_FALSE, NULL
+	     (  dnsName, &buffer, dns_rootname, 0, NULL
 	     ); 
 
     if( result != ISC_R_SUCCESS )
@@ -1740,7 +1740,7 @@ dns_name_t *dbus_mgr_if_reverse_ip_name
 	dns_name = dns_fixedname_name(fixedname);
 
 	result= dns_name_fromtext
-	        (  dns_name, &buffer, dns_rootname, ISC_FALSE, NULL
+	        (  dns_name, &buffer, dns_rootname, 0, NULL
 		); 
 
 	ISC_LINK_INIT(dns_name, link);
diff --git a/contrib/dlz/bin/dlzbdb/Makefile.in b/contrib/dlz/bin/dlzbdb/Makefile.in
index a31c503b42..f0e20c294c 100644
--- a/contrib/dlz/bin/dlzbdb/Makefile.in
+++ b/contrib/dlz/bin/dlzbdb/Makefile.in
@@ -13,7 +13,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2007/09/07 06:53:03 marka Exp $
+# $Id: Makefile.in,v 1.4 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,8 +27,8 @@ DLZINCLUDES =	@DLZ_DRIVER_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
                 ${ISC_INCLUDES} ${DLZINCLUDES}
-                
-CDEFINES =      @USE_DLZ@
+
+CDEFINES =      -DBIND9 @USE_DLZ@
 CWARNINGS =
 
 DLZLIBS = 	@DLZ_DRIVER_LIBS@
diff --git a/contrib/sdb/bdb/zone2bdb.c b/contrib/sdb/bdb/zone2bdb.c
index 36326afe53..e711853175 100644
--- a/contrib/sdb/bdb/zone2bdb.c
+++ b/contrib/sdb/bdb/zone2bdb.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone2bdb.c,v 1.2 2008/09/24 02:46:21 marka Exp $ */
+/* $Id: zone2bdb.c,v 1.3 2009/09/01 00:22:26 jinmei Exp $ */
 
 #include 
 
@@ -137,7 +137,7 @@ main(int argc, char *argv[])
 	dns_fixedname_init(&origin);
 
 	REQUIRE(dns_name_fromtext(dns_fixedname_name(&origin), &b, dns_rootname,
-				  ISC_FALSE, NULL) == ISC_R_SUCCESS);
+				  0, NULL) == ISC_R_SUCCESS);
 	REQUIRE(dns_db_create(mctx, "rbt", dns_fixedname_name(&origin),
 			      dns_dbtype_zone, dns_rdataclass_in, 0, NULL,
 			      &db) == ISC_R_SUCCESS);
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
index c2820fdc2b..e06f4f9578 100644
--- a/contrib/sdb/ldap/zone2ldap.c
+++ b/contrib/sdb/ldap/zone2ldap.c
@@ -201,7 +201,7 @@ main (int *argc, char **argv)
   isc_buffer_add (&buff, strlen (argzone));
   dns_fixedname_init (&fixedzone);
   zone = dns_fixedname_name (&fixedzone);
-  result = dns_name_fromtext (zone, &buff, dns_rootname, ISC_FALSE, NULL);
+  result = dns_name_fromtext (zone, &buff, dns_rootname, 0, NULL);
   isc_result_check (result, "dns_name_fromtext");
 
   result = dns_db_create (mctx, "rbt", zone, dns_dbtype_zone,
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index 61ec264433..f141aaee65 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonetodb.c,v 1.21 2008/11/27 06:14:22 marka Exp $ */
+/* $Id: zonetodb.c,v 1.22 2009/09/01 00:22:26 jinmei Exp $ */
 
 #include 
 #include 
@@ -174,7 +174,7 @@ main(int argc, char **argv) {
 	isc_buffer_add(&b, strlen(porigin));
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
-	result = dns_name_fromtext(origin, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(origin, &b, dns_rootname, 0, NULL);
 	check_result(result, "dns_name_fromtext");
 
 	db = NULL;
diff --git a/contrib/sdb/sqlite/zone2sqlite.c b/contrib/sdb/sqlite/zone2sqlite.c
index abaf52bf02..2ba63cc58a 100644
--- a/contrib/sdb/sqlite/zone2sqlite.c
+++ b/contrib/sdb/sqlite/zone2sqlite.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone2sqlite.c,v 1.2 2008/09/24 02:46:21 marka Exp $ */
+/* $Id: zone2sqlite.c,v 1.3 2009/09/01 00:22:26 jinmei Exp $ */
 
 #include 
 #include 
@@ -181,7 +181,7 @@ main(int argc, char *argv[])
     isc_buffer_add(&b, strlen(porigin));
     dns_fixedname_init(&forigin);
     origin = dns_fixedname_name(&forigin);
-    result = dns_name_fromtext(origin, &b, dns_rootname, ISC_FALSE, NULL);
+    result = dns_name_fromtext(origin, &b, dns_rootname, 0, NULL);
     check_result(result, "dns_name_fromtext");
     
     db = NULL;
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
index 7c1e5b0b9d..f03a8652e7 100644
--- a/lib/bind9/Makefile.in
+++ b/lib/bind9/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11 2007/06/19 23:47:16 tbox Exp $
+# $Id: Makefile.in,v 1.12 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -28,7 +28,7 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
 		${ISCCFG_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index a44831bc51..423e1f8db6 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.106 2009/08/23 11:44:44 fdupont Exp $ */
+/* $Id: check.c,v 1.107 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -100,7 +100,7 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
+					    dns_rootname, 0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "rrset-order: invalid name '%s'", str);
@@ -199,7 +199,7 @@ check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
 		tresult = dns_name_fromtext(name, &buffer, dns_rootname,
-					   ISC_FALSE, NULL);
+					    0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "bad name '%s'", str);
@@ -262,7 +262,7 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
 	str = cfg_obj_asstring(obj);
 	isc_buffer_init(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
-	tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (tresult != ISC_R_SUCCESS) {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 			    "bad domain name '%s'", str);
@@ -349,7 +349,7 @@ mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
 	str = cfg_obj_asstring(obj);
 	isc_buffer_init(&b, str, strlen(str));
 	isc_buffer_add(&b, strlen(str));
-	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 			    "bad domain name '%s'", str);
@@ -617,7 +617,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 				isc_buffer_add(&b, strlen(str));
 				tresult = dns_name_fromtext(name, &b,
 							   dns_rootname,
-							   ISC_FALSE, NULL);
+							   0, NULL);
 				if (tresult != ISC_R_SUCCESS) {
 					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 						    "bad domain name '%s'",
@@ -680,7 +680,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 			isc_buffer_init(&b, dlv, strlen(dlv));
 			isc_buffer_add(&b, strlen(dlv));
 			tresult = dns_name_fromtext(name, &b, dns_rootname,
-						    ISC_TRUE, NULL);
+						    0, NULL);
 			if (tresult != ISC_R_SUCCESS) {
 				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 					    "bad domain name '%s'", dlv);
@@ -715,7 +715,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 				isc_buffer_add(&b, strlen(dlv));
 				tresult = dns_name_fromtext(name, &b,
 							    dns_rootname,
-							    ISC_TRUE, NULL);
+							    DNS_NAME_DOWNCASE,
+							    NULL);
 				if (tresult != ISC_R_SUCCESS) {
 					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 						    "bad domain name '%s'",
@@ -771,7 +772,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
+					    dns_rootname, 0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "empty-server: invalid name '%s'", str);
@@ -786,7 +787,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
+					    dns_rootname, 0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "empty-contact: invalid name '%s'", str);
@@ -805,7 +806,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
+					    dns_rootname, 0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
 				    "disable-empty-zone: invalid name '%s'",
@@ -990,7 +991,7 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 		isc_buffer_init(&b, str, strlen(str));
 		isc_buffer_add(&b, strlen(str));
 		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
+					    dns_rootname, 0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
 				    "'%s' is not a valid name", str);
@@ -1004,8 +1005,7 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 			isc_buffer_init(&b, str, strlen(str));
 			isc_buffer_add(&b, strlen(str));
 			tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
-						    &b, dns_rootname,
-						    ISC_FALSE, NULL);
+						    &b, dns_rootname, 0, NULL);
 			if (tresult != ISC_R_SUCCESS) {
 				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
 					    "'%s' is not a valid name", str);
@@ -1198,7 +1198,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	isc_buffer_init(&b, zname, strlen(zname));
 	isc_buffer_add(&b, strlen(zname));
 	tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
-				    dns_rootname, ISC_TRUE, NULL);
+				    dns_rootname, DNS_NAME_DOWNCASE, NULL);
 	if (tresult != ISC_R_SUCCESS) {
 		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
 			    "zone '%s': is not a valid name", zname);
@@ -1511,7 +1511,7 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
 		isc_buffer_init(&b, keyid, strlen(keyid));
 		isc_buffer_add(&b, strlen(keyid));
 		tresult = dns_name_fromtext(name, &b, dns_rootname,
-					    ISC_FALSE, NULL);
+					    0, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 				    "key '%s': bad key name", keyid);
@@ -1681,7 +1681,7 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 			isc_buffer_add(&b, strlen(keyval));
 			keyname = dns_fixedname_name(&fname);
 			tresult = dns_name_fromtext(keyname, &b, dns_rootname,
-						    ISC_FALSE, NULL);
+						    0, NULL);
 			if (tresult != ISC_R_SUCCESS) {
 				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
 					    "bad key name '%s'", keyval);
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 170031fb1c..eef55f1e27 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.165 2009/07/01 23:47:36 tbox Exp $
+# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -34,7 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
 		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+CDEFINES =	-DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
 		${USE_ISC_SPNEGO}
 
 CWARNINGS =
@@ -68,7 +68,7 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 		resolver.@O@ result.@O@ rootns.@O@ rriterator.@O@ sdb.@O@ \
 		sdlz.@O@ soa.@O@ ssu.@O@ \
 		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
-		tsig.@O@ ttl.@O@ validator.@O@ \
+		tsec.@O@ tsig.@O@ ttl.@O@ validator.@O@ \
 		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
 
 OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
@@ -94,7 +94,7 @@ DNSSRCS =	acache.c acl.c adb.c byaddr.c \
 		resolver.c result.c rootns.c rriterator.c sdb.c sdlz.c \
 		soa.c ssu.c \
 		stats.c tcpmsg.c time.c timer.c tkey.c \
-		tsig.c ttl.c validator.c \
+		tsec.c tsig.c ttl.c validator.c \
 		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
 SRCS = ${DSTSRCS} ${DNSSRCS}
 
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 234d6b2cd0..068c9985ea 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.39 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: byaddr.c,v 1.40 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -43,25 +43,6 @@
  * XXXRTH  We could use a static event...
  */
 
-struct dns_byaddr {
-	/* Unlocked. */
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	isc_mutex_t		lock;
-	dns_fixedname_t		name;
-	/* Locked by lock. */
-	unsigned int		options;
-	dns_lookup_t *		lookup;
-	isc_task_t *		task;
-	dns_byaddrevent_t *	event;
-	isc_boolean_t		canceled;
-};
-
-#define BYADDR_MAGIC			ISC_MAGIC('B', 'y', 'A', 'd')
-#define VALID_BYADDR(b)			ISC_MAGIC_VALID(b, BYADDR_MAGIC)
-
-#define MAX_RESTARTS 16
-
 static char hex_digits[] = {
 	'0', '1', '2', '3', '4', '5', '6', '7',
 	'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
@@ -125,10 +106,29 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 	len = (unsigned int)strlen(textname);
 	isc_buffer_init(&buffer, textname, len);
 	isc_buffer_add(&buffer, len);
-	return (dns_name_fromtext(name, &buffer, dns_rootname,
-				  ISC_FALSE, NULL));
+	return (dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
 }
 
+#ifdef BIND9
+struct dns_byaddr {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	isc_mutex_t		lock;
+	dns_fixedname_t		name;
+	/* Locked by lock. */
+	unsigned int		options;
+	dns_lookup_t *		lookup;
+	isc_task_t *		task;
+	dns_byaddrevent_t *	event;
+	isc_boolean_t		canceled;
+};
+
+#define BYADDR_MAGIC			ISC_MAGIC('B', 'y', 'A', 'd')
+#define VALID_BYADDR(b)			ISC_MAGIC_VALID(b, BYADDR_MAGIC)
+
+#define MAX_RESTARTS 16
+
 static inline isc_result_t
 copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
 	isc_result_t result;
@@ -314,3 +314,4 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
 
 	*byaddrp = NULL;
 }
+#endif /* BIND9 */
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 5909879923..9752836f96 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.84 2009/05/06 22:53:54 jinmei Exp $ */
+/* $Id: cache.c,v 1.85 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -450,6 +450,7 @@ dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
 	return (ISC_R_SUCCESS);
 }
 
+#ifdef BIND9
 isc_result_t
 dns_cache_load(dns_cache_t *cache) {
 	isc_result_t result;
@@ -465,6 +466,7 @@ dns_cache_load(dns_cache_t *cache) {
 
 	return (result);
 }
+#endif /* BIND9 */
 
 isc_result_t
 dns_cache_dump(dns_cache_t *cache) {
@@ -475,10 +477,14 @@ dns_cache_dump(dns_cache_t *cache) {
 	if (cache->filename == NULL)
 		return (ISC_R_SUCCESS);
 
+#ifdef BIND9
 	LOCK(&cache->filelock);
 	result = dns_master_dump(cache->mctx, cache->db, NULL,
 				 &dns_master_style_cache, cache->filename);
 	UNLOCK(&cache->filelock);
+#else
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
 
 	return (result);
 }
diff --git a/lib/dns/client.c b/lib/dns/client.c
new file mode 100644
index 0000000000..dcb8817e2b
--- /dev/null
+++ b/lib/dns/client.c
@@ -0,0 +1,2994 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: client.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#define DNS_CLIENT_MAGIC		ISC_MAGIC('D', 'N', 'S', 'c')
+#define DNS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, DNS_CLIENT_MAGIC)
+
+#define RCTX_MAGIC			ISC_MAGIC('R', 'c', 't', 'x')
+#define RCTX_VALID(c)			ISC_MAGIC_VALID(c, RCTX_MAGIC)
+
+#define REQCTX_MAGIC			ISC_MAGIC('R', 'q', 'c', 'x')
+#define REQCTX_VALID(c)			ISC_MAGIC_VALID(c, REQCTX_MAGIC)
+
+#define UCTX_MAGIC			ISC_MAGIC('U', 'c', 't', 'x')
+#define UCTX_VALID(c)			ISC_MAGIC_VALID(c, UCTX_MAGIC)
+
+#define MAX_RESTARTS 16
+
+/*%
+ * DNS client object
+ */
+struct dns_client {
+	/* Unlocked */
+	unsigned int			magic;
+	unsigned int			attributes;
+	isc_mutex_t			lock;
+	isc_mem_t			*mctx;
+	isc_appctx_t			*actx;
+	isc_taskmgr_t			*taskmgr;
+	isc_task_t			*task;
+	isc_socketmgr_t			*socketmgr;
+	isc_timermgr_t			*timermgr;
+	dns_dispatchmgr_t		*dispatchmgr;
+	dns_dispatch_t			*dispatchv4;
+	dns_dispatch_t			*dispatchv6;
+
+	unsigned int			update_timeout;
+	unsigned int			update_udptimeout;
+	unsigned int			update_udpretries;
+	unsigned int			find_timeout;
+	unsigned int			find_udpretries;
+
+	/* Locked */
+	unsigned int			references;
+	dns_viewlist_t			viewlist;
+	ISC_LIST(struct resctx)		resctxs;
+	ISC_LIST(struct reqctx)		reqctxs;
+	ISC_LIST(struct updatectx)	updatectxs;
+};
+
+/*%
+ * Timeout/retry constants for dynamic update borrowed from nsupdate
+ */
+#define DEF_UPDATE_TIMEOUT	300
+#define MIN_UPDATE_TIMEOUT	30
+#define DEF_UPDATE_UDPTIMEOUT	3
+#define DEF_UPDATE_UDPRETRIES	3
+
+#define DEF_FIND_TIMEOUT	5
+#define DEF_FIND_UDPRETRIES	3
+
+#define DNS_CLIENTATTR_OWNCTX			0x01
+
+#define DNS_CLIENTVIEW_NAME			"dnsclient"
+
+/*%
+ * Internal state for a single name resolution procedure
+ */
+typedef struct resctx {
+	/* Unlocked */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	dns_client_t		*client;
+	isc_boolean_t		want_dnssec;
+
+	/* Locked */
+	ISC_LINK(struct resctx)	link;
+	isc_task_t		*task;
+	dns_view_t		*view;
+	unsigned int		restarts;
+	dns_fixedname_t		name;
+	dns_rdatatype_t		type;
+	dns_fetch_t		*fetch;
+	dns_namelist_t		namelist;
+	isc_result_t		result;
+	dns_clientresevent_t	*event;
+	isc_boolean_t		canceled;
+	dns_rdataset_t		*rdataset;
+	dns_rdataset_t		*sigrdataset;
+} resctx_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct resarg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	isc_result_t		vresult;
+	dns_namelist_t		*namelist;
+	dns_clientrestrans_t	*trans;
+	isc_boolean_t		canceled;
+} resarg_t;
+
+/*%
+ * Internal state for a single DNS request
+ */
+typedef struct reqctx {
+	/* Unlocked */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	dns_client_t		*client;
+	unsigned int		parseoptions;
+
+	/* Locked */
+	ISC_LINK(struct reqctx)	link;
+	isc_boolean_t		canceled;
+	dns_tsigkey_t		*tsigkey;
+	dns_request_t		*request;
+	dns_clientreqevent_t	*event;
+} reqctx_t;
+
+/*%
+ * Argument of an internal event for synchronous DNS request.
+ */
+typedef struct reqarg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	dns_clientreqtrans_t	*trans;
+	isc_boolean_t		canceled;
+} reqarg_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct updatearg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	dns_clientupdatetrans_t	*trans;
+	isc_boolean_t		canceled;
+} updatearg_t;
+
+/*%
+ * Internal state for a single dynamic update procedure
+ */
+typedef struct updatectx {
+	/* Unlocked */
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	dns_client_t			*client;
+
+	/* Locked */
+	dns_request_t			*updatereq;
+	dns_request_t			*soareq;
+	dns_clientrestrans_t		*restrans;
+	dns_clientrestrans_t		*restrans2;
+	isc_boolean_t			canceled;
+
+	/* Task Locked */
+	ISC_LINK(struct updatectx) 	link;
+	dns_clientupdatestate_t		state;
+	dns_rdataclass_t		rdclass;
+	dns_view_t			*view;
+	dns_message_t			*updatemsg;
+	dns_message_t			*soaquery;
+	dns_clientupdateevent_t		*event;
+	dns_tsigkey_t			*tsigkey;
+	dst_key_t			*sig0key;
+	dns_name_t			*firstname;
+	dns_name_t			soaqname;
+	dns_fixedname_t			zonefname;
+	dns_name_t			*zonename;
+	isc_sockaddrlist_t		servers;
+	unsigned int			nservers;
+	isc_sockaddr_t			*currentserver;
+	struct updatectx		*bp4;
+	struct updatectx		*bp6;
+} updatectx_t;
+
+static isc_result_t request_soa(updatectx_t *uctx);
+static void client_resfind(resctx_t *rctx, dns_fetchevent_t *event);
+static isc_result_t send_update(updatectx_t *uctx);
+
+static isc_result_t
+getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
+	       isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+	       isc_boolean_t is_shared, dns_dispatch_t **dispp)
+{
+	unsigned int attrs, attrmask;
+	isc_sockaddr_t sa;
+	dns_dispatch_t *disp;
+	unsigned buffersize, maxbuffers, maxrequests, buckets, increment;
+	isc_result_t result;
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (family) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	default:
+		INSIST(0);
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	isc_sockaddr_anyofpf(&sa, family);
+
+	buffersize = 4096;
+	maxbuffers = is_shared ? 1000 : 8;
+	maxrequests = 32768;
+	buckets = is_shared ? 16411 : 3;
+	increment = is_shared ? 16433 : 5;
+
+	disp = NULL;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr,
+				     taskmgr, &sa,
+				     buffersize, maxbuffers, maxrequests,
+				     buckets, increment,
+				     attrs, attrmask, &disp);
+	if (result == ISC_R_SUCCESS)
+		*dispp = disp;
+
+	return (result);
+}
+
+static isc_result_t
+dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		      unsigned int options, isc_taskmgr_t *taskmgr,
+		      unsigned int ntasks, isc_socketmgr_t *socketmgr,
+		      isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
+		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		      dns_view_t **viewp)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	const char *dbtype;
+
+	result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
+					 timermgr, 0, dispatchmgr,
+					 dispatchv4, dispatchv6);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	/*
+	 * Set cache DB.
+	 * XXX: it may be better if specific DB implementations can be
+	 * specified via some configuration knob.
+	 */
+	if ((options & DNS_CLIENTCREATEOPT_USECACHE) != 0)
+		dbtype = "rbt";
+	else
+		dbtype = "ecdb";
+	result = dns_db_create(mctx, dbtype, dns_rootname, dns_dbtype_cache,
+			       rdclass, 0, NULL, &view->cachedb);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	*viewp = view;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	isc_appctx_t *actx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_appctx_create(mctx, &actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_socketmgr_createinctx(mctx, actx, &socketmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_timermgr_createinctx(mctx, actx, &timermgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    options, clientp);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	(*clientp)->attributes |= DNS_CLIENTATTR_OWNCTX;
+
+	/* client has its own reference to mctx, so we can detach it here */
+	isc_mem_detach(&mctx);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (actx != NULL)
+		isc_appctx_destroy(&actx);
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		   unsigned int options, dns_client_t **clientp)
+{
+	dns_client_t *client;
+	isc_result_t result;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_dispatch_t *dispatchv6 = NULL;
+	dns_view_t *view = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(timermgr != NULL);
+	REQUIRE(socketmgr != NULL);
+	REQUIRE(clientp != NULL && *clientp == NULL);
+
+	client = isc_mem_get(mctx, sizeof(*client));
+	if (client == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&client->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, client, sizeof(*client));
+		return (result);
+	}
+
+	client->actx = actx;
+	client->taskmgr = taskmgr;
+	client->socketmgr = socketmgr;
+	client->timermgr = timermgr;
+
+	client->task = NULL;
+	result = isc_task_create(client->taskmgr, 0, &client->task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	client->dispatchmgr = dispatchmgr;
+
+	/* TODO: whether to use dispatch v4 or v6 should be configurable */
+	result = getudpdispatch(AF_INET, dispatchmgr, socketmgr,
+				taskmgr, ISC_TRUE, &dispatchv4);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	client->dispatchv4 = dispatchv4;
+	result = getudpdispatch(AF_INET6, dispatchmgr, socketmgr,
+				taskmgr, ISC_TRUE, &dispatchv6);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	client->dispatchv6 = dispatchv6;
+
+	/* Create the default view for class IN */
+	result = dns_client_createview(mctx, dns_rdataclass_in, options,
+				       taskmgr, 31, socketmgr, timermgr,
+				       dispatchmgr, dispatchv4, dispatchv6,
+				       &view);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	ISC_LIST_INIT(client->viewlist);
+	ISC_LIST_APPEND(client->viewlist, view, link);
+
+	dns_view_freeze(view); /* too early? */
+
+	ISC_LIST_INIT(client->resctxs);
+	ISC_LIST_INIT(client->reqctxs);
+	ISC_LIST_INIT(client->updatectxs);
+
+	client->mctx = NULL;
+	isc_mem_attach(mctx, &client->mctx);
+
+	client->update_timeout = DEF_UPDATE_TIMEOUT;
+	client->update_udptimeout = DEF_UPDATE_UDPTIMEOUT;
+	client->update_udpretries = DEF_UPDATE_UDPRETRIES;
+	client->find_timeout = DEF_FIND_TIMEOUT;
+	client->find_udpretries = DEF_FIND_UDPRETRIES;
+
+	client->references = 1;
+	client->magic = DNS_CLIENT_MAGIC;
+
+	*clientp = client;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (dispatchv4 != NULL)
+		dns_dispatch_detach(&dispatchv4);
+	if (dispatchv6 != NULL)
+		dns_dispatch_detach(&dispatchv6);
+	if (dispatchmgr != NULL)
+		dns_dispatchmgr_destroy(&dispatchmgr);
+	if (client->task != NULL)
+		isc_task_detach(&client->task);
+	isc_mem_put(mctx, client, sizeof(*client));
+
+	return (result);
+}
+
+static void
+destroyclient(dns_client_t **clientp) {
+	dns_client_t *client = *clientp;
+	dns_view_t *view;
+
+	while ((view = ISC_LIST_HEAD(client->viewlist)) != NULL) {
+		ISC_LIST_UNLINK(client->viewlist, view, link);
+		dns_view_detach(&view);
+	}
+
+	if (client->dispatchv4 != NULL)
+		dns_dispatch_detach(&client->dispatchv4);
+	if (client->dispatchv6 != NULL)
+		dns_dispatch_detach(&client->dispatchv6);
+
+	dns_dispatchmgr_destroy(&client->dispatchmgr);
+
+	isc_task_detach(&client->task);
+
+	/*
+	 * If the client has created its own running environments,
+	 * destroy them.
+	 */
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) != 0) {
+		isc_taskmgr_destroy(&client->taskmgr);
+		isc_timermgr_destroy(&client->timermgr);
+		isc_socketmgr_destroy(&client->socketmgr);
+
+		isc_app_ctxfinish(client->actx);
+		isc_appctx_destroy(&client->actx);
+	}
+
+	DESTROYLOCK(&client->lock);
+	client->magic = 0;
+	
+	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
+
+	*clientp = NULL;
+}
+
+void
+dns_client_destroy(dns_client_t **clientp) {
+	dns_client_t *client;
+	isc_boolean_t destroyok = ISC_FALSE;
+
+	REQUIRE(clientp != NULL);
+	client = *clientp;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	client->references--;
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs)) {
+		destroyok = ISC_TRUE;
+	}
+	UNLOCK(&client->lock);
+
+	if (destroyok)
+		destroyclient(&client);
+
+	*clientp = NULL;
+}
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      dns_name_t *namespace, isc_sockaddrlist_t *addrs) 
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(addrs != NULL);
+
+	if (namespace == NULL)
+		namespace = dns_rootname;
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_add(view->fwdtable, namespace, addrs,
+				  dns_fwdpolicy_only);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			dns_name_t *namespace)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	if (namespace == NULL)
+		namespace = dns_rootname;
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_delete(view->fwdtable, namespace);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+static isc_result_t
+getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_rdataset_init(rdataset);
+
+	*rdatasetp = rdataset;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+putrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(rdatasetp != NULL);
+	rdataset = *rdatasetp;
+	REQUIRE(rdataset != NULL);
+
+	if (dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+
+	isc_mem_put(mctx, rdataset, sizeof(*rdataset));
+
+	*rdatasetp = NULL;
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	resctx_t *rctx = event->ev_arg;
+	dns_fetchevent_t *fevent;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->task == task);
+	fevent = (dns_fetchevent_t *)event;
+
+	client_resfind(rctx, fevent);
+}
+
+static inline isc_result_t
+start_fetch(resctx_t *rctx) {
+	isc_result_t result;
+
+	/*
+	 * The caller must be holding the rctx's lock.
+	 */
+
+	REQUIRE(rctx->fetch == NULL);
+
+	result = dns_resolver_createfetch(rctx->view->resolver,
+					  dns_fixedname_name(&rctx->name),
+					  rctx->type,
+					  NULL, NULL, NULL, 0,
+					  rctx->task, fetch_done, rctx,
+					  rctx->rdataset,
+					  rctx->sigrdataset,
+					  &rctx->fetch);
+
+	return (result);
+}
+
+static isc_result_t
+view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep,
+	  dns_name_t *foundname)
+{
+	isc_result_t result;
+	dns_name_t *name = dns_fixedname_name(&rctx->name);
+	dns_rdatatype_t type;
+
+	if (rctx->type == dns_rdatatype_rrsig)
+		type = dns_rdatatype_any;
+	else
+		type = rctx->type;
+
+	result = dns_view_find(rctx->view, name, type, 0, 0, ISC_FALSE,
+			       dbp, nodep, foundname, rctx->rdataset,
+			       rctx->sigrdataset);
+
+	return (result);
+}
+
+static void
+client_resfind(resctx_t *rctx, dns_fetchevent_t *event) {
+	isc_mem_t *mctx;
+	isc_result_t result, tresult;
+	isc_result_t vresult = ISC_R_SUCCESS;
+	isc_boolean_t want_restart;
+	isc_boolean_t send_event = ISC_FALSE;
+	dns_name_t *name, *prefix;
+	dns_fixedname_t foundname, fixed;
+	dns_rdataset_t *trdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	mctx = rctx->view->mctx;
+
+	result = ISC_R_SUCCESS;
+	name = dns_fixedname_name(&rctx->name);
+
+	do {
+		dns_name_t *fname = NULL;
+		dns_name_t *ansname = NULL;
+		dns_db_t *db = NULL;
+		dns_dbnode_t *node = NULL;
+
+		rctx->restarts++;
+		want_restart = ISC_FALSE;
+
+		if (event == NULL && !rctx->canceled) {
+			dns_fixedname_init(&foundname);
+			fname = dns_fixedname_name(&foundname);
+			INSIST(!dns_rdataset_isassociated(rctx->rdataset));
+			INSIST(rctx->sigrdataset == NULL ||
+			       !dns_rdataset_isassociated(rctx->sigrdataset));
+			result = view_find(rctx, &db, &node, fname);
+			if (result == ISC_R_NOTFOUND) {
+				/*
+				 * We don't know anything about the name.
+				 * Launch a fetch.
+				 */
+				if (node != NULL) {
+					INSIST(db != NULL);
+					dns_db_detachnode(db, &node);
+				}
+				if (db != NULL)
+					dns_db_detach(&db);
+				result = start_fetch(rctx);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+					if (rctx->sigrdataset != NULL)
+						putrdataset(mctx,
+							    &rctx->sigrdataset);
+					send_event = ISC_TRUE;
+				}
+				goto done;
+			}
+		} else {
+			INSIST(event->fetch == rctx->fetch);
+			dns_resolver_destroyfetch(&rctx->fetch);
+			db = event->db;
+			node = event->node;
+			result = event->result;
+			vresult = event->vresult;
+			fname = dns_fixedname_name(&event->foundname);
+			INSIST(event->rdataset == rctx->rdataset);
+			INSIST(event->sigrdataset == rctx->sigrdataset);
+		}
+
+		/*
+		 * If we've been canceled, forget about the result.
+		 */
+		if (rctx->canceled)
+			result = ISC_R_CANCELED;
+		else {
+			/*
+			 * Otherwise, get some resource for copying the
+			 * result.
+			 */
+			ansname = isc_mem_get(mctx, sizeof(*ansname));
+			if (ansname == NULL)
+				tresult = ISC_R_NOMEMORY;
+			else {
+				dns_name_t *aname;
+
+				aname = dns_fixedname_name(&rctx->name);
+				dns_name_init(ansname, NULL);
+				tresult = dns_name_dup(aname, mctx, ansname);
+				if (tresult != ISC_R_SUCCESS)
+					isc_mem_put(mctx, ansname,
+						    sizeof(*ansname));
+			}
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			send_event = ISC_TRUE;
+			/*
+			 * This case is handled in the main line below.
+			 */
+			break;
+		case DNS_R_CNAME:
+			/*
+			 * Add the CNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			/*
+			 * Copy the CNAME's target into the lookup's
+			 * query name and start over.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS)
+				goto done;
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &cname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS)
+				goto done;
+			tresult = dns_name_copy(&cname.cname, name, NULL);
+			dns_rdata_freestruct(&cname);
+			if (tresult == ISC_R_SUCCESS)
+				want_restart = ISC_TRUE;
+			else
+				result = tresult;
+			goto done;
+		case DNS_R_DNAME:
+			/*
+			 * Add the DNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			namereln = dns_name_fullcompare(name, fname, &order,
+							&nlabels);
+			INSIST(namereln == dns_namereln_subdomain);
+			/*
+			 * Get the target name of the DNAME.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &dname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			/*
+			 * Construct the new query name and start over.
+			 */
+			dns_fixedname_init(&fixed);
+			prefix = dns_fixedname_name(&fixed);
+			dns_name_split(name, nlabels, prefix, NULL);
+			tresult = dns_name_concatenate(prefix, &dname.dname,
+						      name, NULL);
+			dns_rdata_freestruct(&dname);
+			if (tresult == ISC_R_SUCCESS)
+				want_restart = ISC_TRUE;
+			else
+				result = tresult;
+			goto done;
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+			rctx->rdataset = NULL;
+			/* What about sigrdataset? */
+			if (rctx->sigrdataset != NULL)
+				putrdataset(mctx, &rctx->sigrdataset);
+			send_event = ISC_TRUE;
+			goto done;
+		default:
+			if (rctx->rdataset != NULL)
+				putrdataset(mctx, &rctx->rdataset);
+			if (rctx->sigrdataset != NULL)
+				putrdataset(mctx, &rctx->sigrdataset);
+			send_event = ISC_TRUE;
+			goto done;
+		}
+
+		if (rctx->type == dns_rdatatype_any) {
+			int n = 0;
+			dns_rdatasetiter_t *rdsiter = NULL;
+
+			tresult = dns_db_allrdatasets(db, node, NULL, 0,
+						      &rdsiter);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+
+			tresult = dns_rdatasetiter_first(rdsiter);
+			while (tresult == ISC_R_SUCCESS) {
+				dns_rdatasetiter_current(rdsiter,
+							 rctx->rdataset);
+				if (rctx->rdataset->type != 0) {
+					ISC_LIST_APPEND(ansname->list,
+							rctx->rdataset,
+							link);
+					n++;
+					rctx->rdataset = NULL;
+				} else {
+					/*
+					 * We're not interested in this
+					 * rdataset.
+					 */
+					dns_rdataset_disassociate(
+						rctx->rdataset);
+				}
+				tresult = dns_rdatasetiter_next(rdsiter);
+
+				if (tresult == ISC_R_SUCCESS &&
+				    rctx->rdataset == NULL) {
+					tresult = getrdataset(mctx,
+							      &rctx->rdataset);
+					if (tresult != ISC_R_SUCCESS) {
+						result = tresult;
+						break;
+					}
+				}
+			}
+			if (n == 0) {
+				/*
+				 * We didn't match any rdatasets (which means
+				 * something went wrong in this
+				 * implementation).
+				 */
+				result = DNS_R_SERVFAIL; /* better code? */
+			} else {
+				ISC_LIST_APPEND(rctx->namelist, ansname, link);
+				ansname = NULL;
+			}
+			dns_rdatasetiter_destroy(&rdsiter);
+			if (tresult != ISC_R_NOMORE)
+				result = DNS_R_SERVFAIL; /* ditto */
+			else
+				result = ISC_R_SUCCESS;
+			goto done;
+		} else {
+			/*
+			 * This is the "normal" case -- an ordinary question
+			 * to which we've got the answer.
+			 */
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+		}
+
+	done:
+		/*
+		 * Free temporary resources
+		 */
+		if (ansname != NULL) {
+			dns_rdataset_t *rdataset;
+
+			while ((rdataset = ISC_LIST_HEAD(ansname->list))
+			       != NULL) {
+				ISC_LIST_UNLINK(ansname->list, rdataset, link);
+				putrdataset(mctx, &rdataset);
+			}
+			dns_name_free(ansname, mctx);
+			isc_mem_put(mctx, ansname, sizeof(*ansname));
+		}
+
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (db != NULL)
+			dns_db_detach(&db);
+		if (event != NULL)
+			isc_event_free(ISC_EVENT_PTR(&event));
+
+		/*
+		 * Limit the number of restarts.
+		 */
+		if (want_restart && rctx->restarts == MAX_RESTARTS) {
+			want_restart = ISC_FALSE;
+			result = ISC_R_QUOTA;
+			send_event = ISC_TRUE;
+		}
+
+		/*
+		 * Prepare further find with new resources
+		 */
+		if (want_restart) {
+			INSIST(rctx->rdataset == NULL &&
+			       rctx->sigrdataset == NULL);
+
+			result = getrdataset(mctx, &rctx->rdataset);
+			if (result == ISC_R_SUCCESS && rctx->want_dnssec) {
+				result = getrdataset(mctx, &rctx->sigrdataset);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+				}
+			}
+
+			if (result != ISC_R_SUCCESS) {
+				want_restart = ISC_FALSE;
+				send_event = ISC_TRUE;
+			}
+		}
+	} while (want_restart);
+
+	if (send_event) {
+		isc_task_t *task;
+
+		while ((name = ISC_LIST_HEAD(rctx->namelist)) != NULL) {
+			ISC_LIST_UNLINK(rctx->namelist, name, link);
+			ISC_LIST_APPEND(rctx->event->answerlist, name, link);
+		}
+
+		rctx->event->result = result;
+		rctx->event->vresult = vresult;
+		task = rctx->event->ev_sender;
+		rctx->event->ev_sender = rctx;
+		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&rctx->event));
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+static void
+resolve_done(isc_task_t *task, isc_event_t *event) {
+	resarg_t *resarg = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+
+	UNUSED(task);
+
+	LOCK(&resarg->lock);
+
+	resarg->result = rev->result;
+	resarg->vresult = rev->vresult;
+	while ((name = ISC_LIST_HEAD(rev->answerlist)) != NULL) {
+		ISC_LIST_UNLINK(rev->answerlist, name, link);
+		ISC_LIST_APPEND(*resarg->namelist, name, link);
+	}
+
+	dns_client_destroyrestrans(&resarg->trans);
+	isc_event_free(&event);
+
+	if (!resarg->canceled) {
+		UNLOCK(&resarg->lock);
+
+		/* Exit from the internal event loop */
+		isc_app_ctxsuspend(resarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&resarg->lock);
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(resarg->client->mctx, resarg, sizeof(*resarg));
+	}
+}
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist)
+{
+	isc_result_t result;
+	isc_appctx_t *actx;
+	resarg_t *resarg;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(namelist != NULL && ISC_LIST_EMPTY(*namelist));
+
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular resolution. 
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	resarg = isc_mem_get(client->mctx, sizeof(*resarg));
+	if (resarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&resarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+		return (result);
+	}
+
+	resarg->actx = actx;
+	resarg->client = client;
+	resarg->result = DNS_R_SERVFAIL;
+	resarg->namelist = namelist;
+	resarg->trans = NULL;
+	resarg->canceled = ISC_FALSE;
+	result = dns_client_startresolve(client, name, rdclass, type, options,
+					 client->task, resolve_done, resarg,
+					 &resarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&resarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = resarg->result;
+	if (result != ISC_R_SUCCESS && resarg->vresult != ISC_R_SUCCESS) {
+		/*
+		 * If this lookup failed due to some error in DNSSEC
+		 * validation, return the validation error code.
+		 * XXX: or should we pass the validation result separately? 
+		 */
+		result = resarg->vresult;
+	}
+	if (resarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		resarg->canceled = ISC_TRUE;
+		dns_client_cancelresolve(resarg->trans);
+
+		UNLOCK(&resarg->lock);
+
+		/* resarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&resarg->lock);
+
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp)
+{
+	dns_view_t *view = NULL;
+	dns_clientresevent_t *event = NULL;
+	resctx_t *rctx = NULL;
+	isc_task_t *clone = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_boolean_t want_dnssec;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(transp != NULL && *transp == NULL);
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	mctx = client->mctx;
+	rdataset = NULL;
+	sigrdataset = NULL;
+	want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0); 
+
+	/*
+	 * Prepare some intermediate resources
+	 */
+	clone = NULL;
+	isc_task_attach(task, &clone);
+	event = (dns_clientresevent_t *)
+		isc_event_allocate(mctx, clone, DNS_EVENT_CLIENTRESDONE,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	event->result = DNS_R_SERVFAIL;
+	ISC_LIST_INIT(event->answerlist);
+
+	rctx = isc_mem_get(mctx, sizeof(*rctx));
+	if (rctx == NULL)
+		result = ISC_R_NOMEMORY;
+	else {
+		result = isc_mutex_init(&rctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, rctx, sizeof(*rctx));
+			rctx = NULL;
+		}
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = getrdataset(mctx, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	rctx->rdataset = rdataset;
+
+	if (want_dnssec) {
+		result = getrdataset(mctx, &sigrdataset);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+	rctx->sigrdataset = sigrdataset;
+
+	dns_fixedname_init(&rctx->name);
+	result = dns_name_copy(name, dns_fixedname_name(&rctx->name), NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rctx->client = client;
+	ISC_LINK_INIT(rctx, link);
+	rctx->canceled = ISC_FALSE;
+	rctx->task = client->task;
+	rctx->type = type;
+	rctx->view = view;
+	rctx->restarts = 0;
+	rctx->fetch = NULL;
+	rctx->want_dnssec = want_dnssec;
+	ISC_LIST_INIT(rctx->namelist);
+	rctx->event = event;
+
+	rctx->magic = RCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->resctxs, rctx, link);
+	UNLOCK(&client->lock);
+
+	client_resfind(rctx, NULL);
+ 
+	*transp = (dns_clientrestrans_t *)rctx;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (rdataset != NULL)
+		putrdataset(client->mctx, &rdataset);
+	if (sigrdataset != NULL)
+		putrdataset(client->mctx, &sigrdataset);
+	if (rctx != NULL) {
+		DESTROYLOCK(&rctx->lock);
+		isc_mem_put(mctx, rctx, sizeof(*rctx));
+	}
+	if (event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&event));
+	isc_task_detach(&clone);
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans) {
+	resctx_t *rctx;
+
+	REQUIRE(trans != NULL);
+	rctx = (resctx_t *)trans;
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	if (!rctx->canceled) {
+		rctx->canceled = ISC_TRUE;
+		if (rctx->fetch != NULL)
+			dns_resolver_cancelfetch(rctx->fetch);
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) { 
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(namelist != NULL);
+
+	while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
+		ISC_LIST_UNLINK(*namelist, name, link);
+		while ((rdataset = ISC_LIST_HEAD(name->list)) != NULL) {
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			putrdataset(client->mctx, &rdataset);
+		}
+		dns_name_free(name, client->mctx);
+		isc_mem_put(client->mctx, name, sizeof(*name));
+	}
+}
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp) {
+	resctx_t *rctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	isc_boolean_t need_destroyclient = ISC_FALSE;
+
+	REQUIRE(transp != NULL);
+	rctx = (resctx_t *)*transp;
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->fetch == NULL);
+	REQUIRE(rctx->event == NULL);
+	client = rctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	mctx = client->mctx;
+	dns_view_detach(&rctx->view);
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(rctx, link));
+	ISC_LIST_UNLINK(client->resctxs, rctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs))
+		need_destroyclient = ISC_TRUE;
+
+	UNLOCK(&client->lock);
+
+	INSIST(ISC_LIST_EMPTY(rctx->namelist));
+
+	DESTROYLOCK(&rctx->lock);
+	rctx->magic = 0;
+
+	isc_mem_put(mctx, rctx, sizeof(*rctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_name_t *keyname, isc_buffer_t *keydatabuf)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	dst_key_t *dstkey = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
+				 &dstkey);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_keytable_add(view->secroots, ISC_FALSE, &dstkey);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+/*%
+ * Simple request routines
+ */
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request;
+	isc_result_t result, eresult;
+	reqctx_t *ctx;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	result = eresult = reqev->result;
+	ctx = reqev->ev_arg;
+	REQUIRE(REQCTX_VALID(ctx));
+
+	isc_event_free(&event);
+
+	LOCK(&ctx->lock);
+
+	if (eresult == ISC_R_SUCCESS) {
+		result = dns_request_getresponse(request, ctx->event->rmessage,
+						 ctx->parseoptions);
+	}
+
+	if (ctx->tsigkey != NULL)
+		dns_tsigkey_detach(&ctx->tsigkey);
+
+	if (ctx->canceled)
+		ctx->event->result = ISC_R_CANCELED;
+	else
+		ctx->event->result = result;
+	task = ctx->event->ev_sender;
+	ctx->event->ev_sender = ctx;
+	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&ctx->event));
+
+	UNLOCK(&ctx->lock);
+}
+
+static void
+localrequest_done(isc_task_t *task, isc_event_t *event) {
+	reqarg_t *reqarg = event->ev_arg;
+	dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event; 
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_CLIENTREQDONE);
+
+	LOCK(&reqarg->lock);
+
+	reqarg->result = rev->result;
+	dns_client_destroyreqtrans(&reqarg->trans);
+	isc_event_free(&event);
+
+	if (!reqarg->canceled) {
+		UNLOCK(&reqarg->lock);
+
+		/* Exit from the internal event loop */
+		isc_app_ctxsuspend(reqarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&reqarg->lock);
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(reqarg->client->mctx, reqarg, sizeof(*reqarg));
+	}
+}
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+		   dns_message_t *rmessage, isc_sockaddr_t *server,
+		   unsigned int options, unsigned int parseoptions,
+		   dns_tsec_t *tsec, unsigned int timeout,
+		   unsigned int udptimeout, unsigned int udpretries)
+{
+	isc_appctx_t *actx;
+	reqarg_t *reqarg;
+	isc_result_t result;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(qmessage != NULL);
+	REQUIRE(rmessage != NULL);
+
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTREQOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular resolution. 
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	reqarg = isc_mem_get(client->mctx, sizeof(*reqarg));
+	if (reqarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&reqarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+		return (result);
+	}
+
+	reqarg->actx = actx;
+	reqarg->client = client;
+	reqarg->trans = NULL;
+	reqarg->canceled = ISC_FALSE;
+
+	result = dns_client_startrequest(client, qmessage, rmessage, server,
+					 options, parseoptions, tsec, timeout,
+					 udptimeout, udpretries,
+					 client->task, localrequest_done,
+					 reqarg, &reqarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&reqarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = reqarg->result;
+	if (reqarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		reqarg->canceled = ISC_TRUE;
+		dns_client_cancelresolve(reqarg->trans);
+
+		UNLOCK(&reqarg->lock);
+
+		/* reqarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&reqarg->lock);
+
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+			dns_message_t *rmessage, isc_sockaddr_t *server,
+			unsigned int options, unsigned int parseoptions,
+			dns_tsec_t *tsec, unsigned int timeout,
+			unsigned int udptimeout, unsigned int udpretries,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_clientreqtrans_t **transp)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	isc_task_t *clone = NULL;
+	dns_clientreqevent_t *event = NULL;
+	reqctx_t *ctx = NULL;
+	dns_tsectype_t tsectype = dns_tsectype_none;
+
+	UNUSED(options);
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(qmessage != NULL);
+	REQUIRE(rmessage != NULL);
+	REQUIRE(transp != NULL && *transp == NULL);
+
+	if (tsec != NULL) {
+		tsectype = dns_tsec_gettype(tsec);
+		if (tsectype != dns_tsectype_tsig)
+			return (ISC_R_NOTIMPLEMENTED); /* XXX */
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   qmessage->rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	clone = NULL;
+	isc_task_attach(task, &clone);
+	event = (dns_clientreqevent_t *)
+		isc_event_allocate(client->mctx, clone,
+				   DNS_EVENT_CLIENTREQDONE,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	ctx = isc_mem_get(client->mctx, sizeof(*ctx));
+	if (ctx == NULL)
+		result = ISC_R_NOMEMORY;
+	else {
+		result = isc_mutex_init(&ctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+			ctx = NULL;
+		}
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	ctx->client = client;
+	ISC_LINK_INIT(ctx, link);
+	ctx->parseoptions = parseoptions;
+	ctx->canceled = ISC_FALSE;
+	ctx->event = event;
+	ctx->event->rmessage = rmessage;
+	ctx->tsigkey = NULL;
+	if (tsec != NULL)
+		dns_tsec_getkey(tsec, &ctx->tsigkey);
+
+	ctx->magic = REQCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->reqctxs, ctx, link);
+	UNLOCK(&client->lock);
+
+	ctx->request = NULL;
+	result = dns_request_createvia3(view->requestmgr, qmessage, NULL,
+					server, options, ctx->tsigkey,
+					timeout, udptimeout, udpretries,
+					client->task, request_done, ctx,
+					&ctx->request);
+	if (result == ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		*transp = (dns_clientreqtrans_t *)ctx;
+		return (ISC_R_SUCCESS);
+	}
+
+ cleanup:
+	if (ctx != NULL) {
+		LOCK(&client->lock);
+		ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+		UNLOCK(&client->lock);
+		DESTROYLOCK(&ctx->lock);
+		isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+	}
+	if (event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&event));
+	isc_task_detach(&clone);
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *trans) {
+	reqctx_t *ctx;
+
+	REQUIRE(trans != NULL);
+	ctx = (reqctx_t *)trans;
+	REQUIRE(REQCTX_VALID(ctx));
+
+	LOCK(&ctx->lock);
+
+	if (!ctx->canceled) {
+		ctx->canceled = ISC_TRUE;
+		if (ctx->request != NULL)
+			dns_request_cancel(ctx->request);
+	}
+
+	UNLOCK(&ctx->lock);
+}
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp) {
+	reqctx_t *ctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	isc_boolean_t need_destroyclient = ISC_FALSE;
+
+	REQUIRE(transp != NULL);
+	ctx = (reqctx_t *)*transp;
+	REQUIRE(REQCTX_VALID(ctx));
+	client = ctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(ctx->event == NULL);
+	REQUIRE(ctx->request != NULL);
+
+	dns_request_destroy(&ctx->request);
+	mctx = client->mctx;
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(ctx, link));
+	ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs)) {
+		need_destroyclient = ISC_TRUE;
+	}
+
+	UNLOCK(&client->lock);
+
+	DESTROYLOCK(&ctx->lock);
+	ctx->magic = 0;
+
+	isc_mem_put(mctx, ctx, sizeof(*ctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+/*%
+ * Dynamic update routines
+ */
+static isc_result_t
+rcode2result(dns_rcode_t rcode) {
+	/* XXX: isn't there a similar function? */
+	switch (rcode) {
+	case dns_rcode_formerr:
+		return (DNS_R_FORMERR);
+	case dns_rcode_servfail:
+		return (DNS_R_SERVFAIL);
+	case dns_rcode_nxdomain:
+		return (DNS_R_NXDOMAIN);
+	case dns_rcode_notimp:
+		return (DNS_R_NOTIMP);
+	case dns_rcode_refused:
+		return (DNS_R_REFUSED);
+	case dns_rcode_yxdomain:
+		return (DNS_R_YXDOMAIN);
+	case dns_rcode_yxrrset:
+		return (DNS_R_YXRRSET);
+	case dns_rcode_nxrrset:
+		return (DNS_R_NXRRSET);
+	case dns_rcode_notauth:
+		return (DNS_R_NOTAUTH);
+	case dns_rcode_notzone:
+		return (DNS_R_NOTZONE);
+	case dns_rcode_badvers:
+		return (DNS_R_BADVERS);
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+static void
+update_sendevent(updatectx_t *uctx, isc_result_t result) {
+	isc_task_t *task;
+
+	dns_message_destroy(&uctx->updatemsg);
+	if (uctx->tsigkey != NULL)
+		dns_tsigkey_detach(&uctx->tsigkey);
+	if (uctx->sig0key != NULL)
+		dst_key_free(&uctx->sig0key);
+
+	if (uctx->canceled)
+		uctx->event->result = ISC_R_CANCELED;
+	else
+		uctx->event->result = result;
+	uctx->event->state = uctx->state;
+	task = uctx->event->ev_sender;
+	uctx->event->ev_sender = uctx;
+	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&uctx->event));
+}
+
+static void
+update_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request;
+	dns_message_t *answer = NULL;
+	updatectx_t *uctx = event->ev_arg;
+	dns_client_t *client;
+	unsigned int timeout;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	REQUIRE(UCTX_VALID(uctx));
+	client = uctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	result = reqev->result;
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
+				    &answer);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+	uctx->state = dns_clientupdatestate_done;
+	result = dns_request_getresponse(request, answer,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	if (result == ISC_R_SUCCESS && answer->rcode != dns_rcode_noerror)
+		result = rcode2result(answer->rcode);
+
+ out:
+	if (answer != NULL)
+		dns_message_destroy(&answer);
+	isc_event_free(&event);
+
+	LOCK(&uctx->lock);
+	uctx->currentserver = ISC_LIST_NEXT(uctx->currentserver, link);
+	dns_request_destroy(&uctx->updatereq);
+	if (result != ISC_R_SUCCESS && !uctx->canceled &&
+	    uctx->currentserver != NULL) {
+		dns_message_renderreset(uctx->updatemsg);
+		dns_message_settsigkey(uctx->updatemsg, NULL);
+
+		timeout = client->update_timeout / uctx->nservers;
+		if (timeout < MIN_UPDATE_TIMEOUT)
+			timeout = MIN_UPDATE_TIMEOUT;
+		result = dns_request_createvia3(uctx->view->requestmgr,
+						uctx->updatemsg,
+						NULL,
+						uctx->currentserver, 0,
+						uctx->tsigkey,
+						timeout,
+						client->update_udptimeout,
+						client->update_udpretries,
+						client->task,
+						update_done, uctx,
+						&uctx->updatereq);
+		UNLOCK(&uctx->lock);
+
+		if (result == ISC_R_SUCCESS) {
+			/* XXX: should we keep the 'done' state here? */
+			uctx->state = dns_clientupdatestate_sent;
+			return;
+		}
+	} else
+		UNLOCK(&uctx->lock);
+
+	update_sendevent(uctx, result);
+}
+
+static isc_result_t
+send_update(updatectx_t *uctx) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_client_t *client = uctx->client;
+	unsigned int timeout;
+
+	REQUIRE(uctx->zonename != NULL && uctx->currentserver != NULL);
+
+	result = dns_message_gettempname(uctx->updatemsg, &name);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_name_init(name, NULL);
+	dns_name_clone(uctx->zonename, name);
+	result = dns_message_gettemprdataset(uctx->updatemsg, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(uctx->updatemsg, &name);
+		return (result);
+	}
+	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(uctx->updatemsg, name, DNS_SECTION_ZONE);
+	if (uctx->tsigkey == NULL && uctx->sig0key != NULL) {
+		result = dns_message_setsig0key(uctx->updatemsg,
+						uctx->sig0key);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	timeout = client->update_timeout / uctx->nservers;
+	if (timeout < MIN_UPDATE_TIMEOUT)
+		timeout = MIN_UPDATE_TIMEOUT;
+	result = dns_request_createvia3(uctx->view->requestmgr,
+					uctx->updatemsg,
+					NULL, uctx->currentserver, 0,
+					uctx->tsigkey, timeout,
+					client->update_udptimeout,
+					client->update_udpretries,
+					client->task, update_done, uctx,
+					&uctx->updatereq);
+	if (result == ISC_R_SUCCESS &&
+	    uctx->state == dns_clientupdatestate_prepare) {
+		uctx->state = dns_clientupdatestate_sent;
+	}
+
+	return (result);
+}
+
+static void
+resolveaddr_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	int family;
+	dns_rdatatype_t qtype;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	updatectx_t *uctx;
+	isc_boolean_t completed = ISC_FALSE;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_arg != NULL);
+	uctx = *(updatectx_t **)event->ev_arg;
+	REQUIRE(UCTX_VALID(uctx));
+
+	if (event->ev_arg == &uctx->bp4) {
+		family = AF_INET;
+		qtype = dns_rdatatype_a;
+		LOCK(&uctx->lock);
+		dns_client_destroyrestrans(&uctx->restrans);
+		UNLOCK(&uctx->lock);
+	} else {
+		INSIST(event->ev_arg == &uctx->bp6);
+		family = AF_INET6;
+		qtype = dns_rdatatype_aaaa;
+		LOCK(&uctx->lock);
+		dns_client_destroyrestrans(&uctx->restrans2);
+		UNLOCK(&uctx->lock);
+	}
+
+	result = rev->result;
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!dns_rdataset_isassociated(rdataset))
+				continue;
+			if (rdataset->type != qtype)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_t rdata;
+				dns_rdata_in_a_t rdata_a;
+				dns_rdata_in_aaaa_t rdata_aaaa;
+				isc_sockaddr_t *sa;
+
+				sa = isc_mem_get(uctx->client->mctx,
+						 sizeof(*sa));
+				if (sa == NULL) {
+					/*
+					 * If we fail to get a sockaddr,
+					 we simply move forward with the
+					 * addresses we've got so far.
+					 */
+					goto done;
+				}
+
+				dns_rdata_init(&rdata);
+				switch (family) {
+				case AF_INET:
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_a,
+							   NULL);
+					isc_sockaddr_fromin(sa,
+							    &rdata_a.in_addr,
+							    53);
+					dns_rdata_freestruct(&rdata_a);
+					break;
+				case AF_INET6:
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_aaaa,
+							   NULL);
+					isc_sockaddr_fromin6(sa,
+							     &rdata_aaaa.in6_addr,
+							     53);
+					dns_rdata_freestruct(&rdata_aaaa);
+					break;
+				}
+
+				ISC_LINK_INIT(sa, link);
+				ISC_LIST_APPEND(uctx->servers, sa, link);
+				uctx->nservers++;
+			}
+		}
+	}
+
+ done:
+	dns_client_freeresanswer(uctx->client, &rev->answerlist);
+	isc_event_free(&event);
+
+	LOCK(&uctx->lock);
+	if (uctx->restrans == NULL && uctx->restrans2 == NULL)
+		completed = ISC_TRUE;
+	UNLOCK(&uctx->lock);
+
+	if (completed) {
+		INSIST(uctx->currentserver == NULL);
+		uctx->currentserver = ISC_LIST_HEAD(uctx->servers);
+		if (uctx->currentserver != NULL && !uctx->canceled)
+			send_update(uctx);
+		else {
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_NOTFOUND;
+			update_sendevent(uctx, result);
+		}
+	}
+}
+
+static isc_result_t
+process_soa(updatectx_t *uctx, dns_rdataset_t *soaset, dns_name_t *soaname) {
+	isc_result_t result;
+	dns_rdata_t soarr = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_name_t primary;
+
+	result = dns_rdataset_first(soaset);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_rdata_init(&soarr);
+	dns_rdataset_current(soaset, &soarr);
+	result = dns_rdata_tostruct(&soarr, &soa, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_name_init(&primary, NULL);
+	dns_name_clone(&soa.origin, &primary);
+
+	if (uctx->zonename == NULL) {
+		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+		result = dns_name_copy(soaname, uctx->zonename, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto out;
+	}
+
+	if (uctx->currentserver != NULL)
+		result = send_update(uctx);
+	else {
+		/*
+		 * Get addresses of the primary server.  We don't use the ADB
+		 * feature so that we could avoid caching data.
+		 */
+		LOCK(&uctx->lock);
+		uctx->bp4 = uctx;
+		result = dns_client_startresolve(uctx->client, &primary,
+						 uctx->rdclass,
+						 dns_rdatatype_a,
+						 0, uctx->client->task,
+						 resolveaddr_done, &uctx->bp4,
+						 &uctx->restrans);
+		if (result == ISC_R_SUCCESS) {
+			uctx->bp6 = uctx;
+			result = dns_client_startresolve(uctx->client,
+							 &primary,
+							 uctx->rdclass,
+							 dns_rdatatype_aaaa,
+							 0, uctx->client->task,
+							 resolveaddr_done,
+							 &uctx->bp6,
+							 &uctx->restrans2);
+		}
+		UNLOCK(&uctx->lock);
+	}
+
+ out:
+	dns_rdata_freestruct(&soa);
+
+	return (result);
+}
+
+static void
+receive_soa(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	updatectx_t *uctx;
+	dns_client_t *client;
+	isc_result_t result, eresult;
+	dns_request_t *request;
+	dns_message_t *rcvmsg = NULL;
+	dns_section_t section;
+	dns_rdataset_t *soaset = NULL;
+	int pass = 0;
+	dns_name_t *name;
+	dns_message_t *soaquery = NULL;
+	isc_sockaddr_t *addr;
+	isc_boolean_t seencname = ISC_FALSE;
+	isc_boolean_t droplabel = ISC_FALSE;
+	dns_name_t tname;
+	unsigned int nlabels;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	result = eresult = reqev->result;
+	uctx = reqev->ev_arg;
+	client = uctx->client;
+	soaquery = uctx->soaquery;
+	addr = uctx->currentserver;
+	INSIST(addr != NULL);
+
+	isc_event_free(&event);
+
+	if (eresult != ISC_R_SUCCESS) {
+		result = eresult;
+		goto out;
+	}
+
+	result = dns_message_create(uctx->client->mctx,
+				    DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+	result = dns_request_getresponse(request, rcvmsg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+
+	if (result == DNS_R_TSIGERRORSET) {
+		dns_request_t *newrequest = NULL;
+
+		/* Retry SOA request without TSIG */
+		dns_message_destroy(&rcvmsg);
+		dns_message_renderreset(uctx->soaquery);
+		result = dns_request_createvia3(uctx->view->requestmgr,
+						uctx->soaquery, NULL, addr, 0,
+						NULL,
+						client->find_timeout * 20,
+						client->find_timeout, 3,
+						uctx->client->task,
+						receive_soa, uctx,
+						&newrequest);
+		if (result == ISC_R_SUCCESS) {
+			LOCK(&uctx->lock);
+			dns_request_destroy(&uctx->soareq);
+			uctx->soareq = newrequest;
+			UNLOCK(&uctx->lock);
+
+			return;
+		}
+		goto out;
+	}
+
+	section = DNS_SECTION_ANSWER;
+
+	if (rcvmsg->rcode != dns_rcode_noerror &&
+	    rcvmsg->rcode != dns_rcode_nxdomain) {
+		result = rcode2result(rcvmsg->rcode);
+		goto out;
+	}
+
+ lookforsoa:
+	if (pass == 0)
+		section = DNS_SECTION_ANSWER;
+	else if (pass == 1)
+		section = DNS_SECTION_AUTHORITY;
+	else {
+		droplabel = ISC_TRUE;
+		goto out;
+	}
+
+	result = dns_message_firstname(rcvmsg, section);
+	if (result != ISC_R_SUCCESS) {
+		pass++;
+		goto lookforsoa;
+	}
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(rcvmsg, section, &name);
+		soaset = NULL;
+		result = dns_message_findtype(name, dns_rdatatype_soa, 0,
+					      &soaset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		if (section == DNS_SECTION_ANSWER) {
+			dns_rdataset_t *tset = NULL;
+			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
+						 &tset) == ISC_R_SUCCESS
+			    ||
+			    dns_message_findtype(name, dns_rdatatype_dname, 0,
+						 &tset) == ISC_R_SUCCESS
+			    )
+			{
+				seencname = ISC_TRUE;
+				break;
+			}
+		}
+
+		result = dns_message_nextname(rcvmsg, section);
+	}
+
+	if (soaset == NULL && !seencname) {
+		pass++;
+		goto lookforsoa;
+	}
+
+	if (seencname) {
+		droplabel = ISC_TRUE;
+		goto out;
+	}
+
+	result = process_soa(uctx, soaset, name);
+
+ out:
+	if (droplabel) {
+		result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+		INSIST(result == ISC_R_SUCCESS);
+		name = NULL;
+		dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+		nlabels = dns_name_countlabels(name);
+		if (nlabels == 1)
+			result = DNS_R_SERVFAIL; /* is there a better error? */
+		else {
+			dns_name_init(&tname, NULL);
+			dns_name_getlabelsequence(name, 1, nlabels - 1,
+						  &tname);
+			dns_name_clone(&tname, name);
+			dns_request_destroy(&request);
+			LOCK(&uctx->lock);
+			uctx->soareq = NULL;
+			UNLOCK(&uctx->lock);
+			dns_message_renderreset(soaquery);
+			dns_message_settsigkey(soaquery, NULL);
+			result = dns_request_createvia3(uctx->view->requestmgr,
+							soaquery, NULL,
+							uctx->currentserver, 0,
+							uctx->tsigkey,
+							client->find_timeout *
+							20,
+							client->find_timeout,
+							3, client->task,
+							receive_soa, uctx,
+							&uctx->soareq);
+		}
+	}
+
+	if (!droplabel || result != ISC_R_SUCCESS) {
+		dns_message_destroy(&uctx->soaquery);
+		LOCK(&uctx->lock);
+		dns_request_destroy(&uctx->soareq);
+		UNLOCK(&uctx->lock);
+	}
+
+	if (rcvmsg != NULL)
+		dns_message_destroy(&rcvmsg);
+
+	if (result != ISC_R_SUCCESS)
+		update_sendevent(uctx, result);
+}
+
+static isc_result_t
+request_soa(updatectx_t *uctx) {
+	isc_result_t result;
+	dns_message_t *soaquery = uctx->soaquery;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+
+	if (soaquery == NULL) {
+		result = dns_message_create(uctx->client->mctx,
+					    DNS_MESSAGE_INTENTRENDER,
+					    &soaquery);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	soaquery->flags |= DNS_MESSAGEFLAG_RD;
+	result = dns_message_gettempname(soaquery, &name);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	result = dns_message_gettemprdataset(soaquery, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+	dns_name_clone(uctx->firstname, name);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
+	rdataset = NULL;
+	name = NULL;
+
+	result = dns_request_createvia3(uctx->view->requestmgr,
+					soaquery, NULL, uctx->currentserver, 0,
+					uctx->tsigkey,
+					uctx->client->find_timeout * 20,
+					uctx->client->find_timeout, 3,
+					uctx->client->task, receive_soa, uctx,
+					&uctx->soareq);
+	if (result == ISC_R_SUCCESS) {
+		uctx->soaquery = soaquery;
+		return (ISC_R_SUCCESS);
+	}
+
+ fail:
+	if (rdataset != NULL) {
+		ISC_LIST_UNLINK(name->list, rdataset, link); /* for safety */
+		dns_message_puttemprdataset(soaquery, &rdataset);
+	}
+	if (name != NULL)
+		dns_message_puttempname(soaquery, &name);
+	dns_message_destroy(&soaquery);
+
+	return (result);
+}
+
+static void
+resolvesoa_done(isc_task_t *task, isc_event_t *event) {
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	updatectx_t *uctx;
+	dns_name_t *name, tname;
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result = rev->result;
+	unsigned int nlabels;
+
+	UNUSED(task);
+
+	uctx = event->ev_arg;
+	REQUIRE(UCTX_VALID(uctx));
+
+	LOCK(&uctx->lock);
+	dns_client_destroyrestrans(&uctx->restrans);
+	UNLOCK(&uctx->lock);
+
+	uctx = event->ev_arg;
+	if (result != ISC_R_SUCCESS &&
+	    result != DNS_R_NCACHENXDOMAIN &&
+	    result != DNS_R_NCACHENXRRSET) {
+		/* XXX: what about DNSSEC failure? */
+		goto out;
+	}
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (dns_rdataset_isassociated(rdataset) &&
+			    rdataset->type == dns_rdatatype_soa)
+				break;
+		}
+	}
+
+	if (rdataset == NULL) {
+		/* Drop one label and retry resolution. */
+		nlabels = dns_name_countlabels(&uctx->soaqname);
+		if (nlabels == 1) {
+			result = DNS_R_SERVFAIL; /* is there a better error? */
+			goto out;
+		}
+		dns_name_init(&tname, NULL);
+		dns_name_getlabelsequence(&uctx->soaqname, 1, nlabels - 1,
+					  &tname);
+		dns_name_clone(&tname, &uctx->soaqname);
+
+		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+						 uctx->rdclass,
+						 dns_rdatatype_soa, 0,
+						 uctx->client->task,
+						 resolvesoa_done, uctx,
+						 &uctx->restrans);
+	} else
+		result = process_soa(uctx, rdataset, &uctx->soaqname);
+
+ out:
+	dns_client_freeresanswer(uctx->client, &rev->answerlist);
+	isc_event_free(&event);
+
+	if (result != ISC_R_SUCCESS)
+		update_sendevent(uctx, result);
+}
+
+static isc_result_t
+copy_name(isc_mem_t *mctx, dns_message_t *msg, dns_name_t *name,
+	  dns_name_t **newnamep)
+{
+	isc_result_t result;
+	dns_name_t *newname = NULL;
+	isc_region_t r;
+	isc_buffer_t *namebuf = NULL, *rdatabuf = NULL;
+	dns_rdatalist_t *rdatalist;
+	dns_rdataset_t *rdataset, *newrdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT, *newrdata;
+
+	result = dns_message_gettempname(msg, &newname);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_name_init(newname, NULL);
+	dns_name_setbuffer(newname, namebuf);
+	dns_message_takebuffer(msg, &namebuf);
+	result = dns_name_copy(name, newname, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		rdatalist = NULL;
+		result = dns_message_gettemprdatalist(msg, &rdatalist);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_rdatalist_init(rdatalist);
+		rdatalist->type = rdataset->type;
+		rdatalist->rdclass = rdataset->rdclass;
+		rdatalist->covers = rdataset->covers;
+		rdatalist->ttl = rdataset->ttl;
+
+		result = dns_rdataset_first(rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(rdataset, &rdata);
+
+			newrdata = NULL;
+			result = dns_message_gettemprdata(msg, &newrdata);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			dns_rdata_toregion(&rdata, &r);
+			rdatabuf = NULL;
+			result = isc_buffer_allocate(mctx, &rdatabuf,
+						     r.length);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			isc_buffer_putmem(rdatabuf, r.base, r.length);
+			isc_buffer_usedregion(rdatabuf, &r);
+			dns_rdata_init(newrdata);
+			dns_rdata_fromregion(newrdata, rdata.rdclass,
+					     rdata.type, &r);
+			newrdata->flags = rdata.flags;
+
+			ISC_LIST_APPEND(rdatalist->rdata, newrdata, link);
+			dns_message_takebuffer(msg, &rdatabuf);
+
+			result = dns_rdataset_next(rdataset);
+		}
+
+		newrdataset = NULL;
+		result = dns_message_gettemprdataset(msg, &newrdataset);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_rdataset_init(newrdataset);
+		dns_rdatalist_tordataset(rdatalist, newrdataset);
+
+		ISC_LIST_APPEND(newname->list, newrdataset, link);
+	}
+
+	*newnamep = newname;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	dns_message_puttempname(msg, &newname);
+
+	return (result);
+
+}
+
+static void
+internal_update_callback(isc_task_t *task, isc_event_t *event) {
+	updatearg_t *uarg = event->ev_arg;
+	dns_clientupdateevent_t *uev = (dns_clientupdateevent_t *)event;
+
+	UNUSED(task);
+
+	LOCK(&uarg->lock);
+
+	uarg->result = uev->result;
+
+	dns_client_destroyupdatetrans(&uarg->trans);
+	isc_event_free(&event);
+
+	if (!uarg->canceled) {
+		UNLOCK(&uarg->lock);
+
+		/* Exit from the internal event loop */
+		isc_app_ctxsuspend(uarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&uarg->lock);
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(uarg->client->mctx, uarg, sizeof(*uarg));
+	}
+}
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+		  dns_name_t *zonename, dns_namelist_t *prerequisites,
+		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		  dns_tsec_t *tsec, unsigned int options)
+{
+	isc_result_t result;
+	isc_appctx_t *actx;
+	updatearg_t *uarg;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular resolution. 
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	uarg = isc_mem_get(client->mctx, sizeof(*uarg));
+	if (uarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&uarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+		return (result);
+	}
+
+	uarg->actx = actx;
+	uarg->client = client;
+	uarg->result = ISC_R_FAILURE;
+	uarg->trans = NULL;
+	uarg->canceled = ISC_FALSE;
+
+	result = dns_client_startupdate(client, rdclass, zonename,
+					prerequisites, updates, servers,
+					tsec, options, client->task,
+					internal_update_callback, uarg,
+					&uarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&uarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = uarg->result;
+
+	if (uarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		uarg->canceled = ISC_TRUE;
+		dns_client_cancelupdate(uarg->trans);
+
+		UNLOCK(&uarg->lock);
+
+		/* uarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&uarg->lock);
+
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+		       dns_name_t *zonename, dns_namelist_t *prerequisites,
+		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		       dns_tsec_t *tsec, unsigned int options,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_clientupdatetrans_t **transp)
+{
+	dns_view_t *view = NULL;
+	isc_result_t result;
+	dns_name_t *name, *newname;
+	updatectx_t *uctx;
+	isc_task_t *clone = NULL;
+	dns_section_t section = DNS_SECTION_UPDATE;
+	isc_sockaddr_t *server, *sa = NULL;
+	dns_tsectype_t tsectype = dns_tsectype_none;
+
+	UNUSED(options);
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(transp != NULL && *transp == NULL);
+	REQUIRE(updates != NULL);
+	REQUIRE(task != NULL);
+
+	if (tsec != NULL) {
+		tsectype = dns_tsec_gettype(tsec);
+		if (tsectype != dns_tsectype_tsig)
+			return (ISC_R_NOTIMPLEMENTED); /* XXX */
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Create a context and prepare some resources */
+	uctx = isc_mem_get(client->mctx, sizeof(*uctx));
+	if (uctx == NULL) {
+		dns_view_detach(&view);
+		return (ISC_R_NOMEMORY);
+	}
+	result = isc_mutex_init(&uctx->lock);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+		return (ISC_R_NOMEMORY);
+	}
+	clone = NULL;
+	isc_task_attach(task, &clone);
+	uctx->client = client;
+	ISC_LINK_INIT(uctx, link);
+	uctx->state = dns_clientupdatestate_prepare;
+	uctx->view = view;
+	uctx->rdclass = rdclass;
+	uctx->canceled = ISC_FALSE;
+	uctx->updatemsg = NULL;
+	uctx->soaquery = NULL;
+	uctx->updatereq = NULL;
+	uctx->restrans = NULL;
+	uctx->restrans2 = NULL;
+	uctx->bp4 = NULL;
+	uctx->bp6 = NULL;
+	uctx->soareq = NULL;
+	uctx->event = NULL;
+	uctx->tsigkey = NULL;
+	uctx->sig0key = NULL;
+	uctx->zonename = NULL;
+	dns_name_init(&uctx->soaqname, NULL);
+	ISC_LIST_INIT(uctx->servers);
+	uctx->nservers = 0;
+	uctx->currentserver = NULL;
+	dns_fixedname_init(&uctx->zonefname);
+	if (tsec != NULL)
+		dns_tsec_getkey(tsec, &uctx->tsigkey);
+	uctx->event = (dns_clientupdateevent_t *)
+		isc_event_allocate(client->mctx, clone, DNS_EVENT_UPDATEDONE,
+				   action, arg, sizeof(*uctx->event));
+	if (uctx->event == NULL)
+		goto fail;
+	if (zonename != NULL) {
+		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+		result = dns_name_copy(zonename, uctx->zonename, NULL);
+	}
+	if (servers != NULL) {
+		for (server = ISC_LIST_HEAD(*servers);
+		     server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			sa = isc_mem_get(client->mctx, sizeof(*sa));
+			if (sa == NULL)
+				goto fail;
+			sa->type = server->type;
+			sa->length = server->length;
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(uctx->servers, sa, link);
+			if (uctx->currentserver == NULL)
+				uctx->currentserver = sa;
+			uctx->nservers++;
+		}
+	}
+
+	/* Make update message */
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &uctx->updatemsg);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	uctx->updatemsg->opcode = dns_opcode_update;
+
+	if (prerequisites != NULL) {
+		for (name = ISC_LIST_HEAD(*prerequisites); name != NULL;
+		     name = ISC_LIST_NEXT(name, link)) {
+			newname = NULL;
+			result = copy_name(client->mctx, uctx->updatemsg,
+					   name, &newname);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			dns_message_addname(uctx->updatemsg, newname,
+					    DNS_SECTION_PREREQUISITE);
+		}
+	}
+
+	for (name = ISC_LIST_HEAD(*updates); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		newname = NULL;
+		result = copy_name(client->mctx, uctx->updatemsg, name,
+				   &newname);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_message_addname(uctx->updatemsg, newname,
+				    DNS_SECTION_UPDATE);
+	}
+
+	uctx->firstname = NULL;
+	result = dns_message_firstname(uctx->updatemsg, section);
+	if (result == ISC_R_NOMORE) {
+		section = DNS_SECTION_PREREQUISITE;
+		result = dns_message_firstname(uctx->updatemsg, section);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_message_currentname(uctx->updatemsg, section, &uctx->firstname);
+
+	uctx->magic = UCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->updatectxs, uctx, link);
+	UNLOCK(&client->lock);
+
+	if (uctx->zonename != NULL && uctx->currentserver != NULL) {
+		result = send_update(uctx);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	} else if (uctx->currentserver != NULL) {
+		result = request_soa(uctx);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	} else {
+		dns_name_clone(uctx->firstname, &uctx->soaqname);
+		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+						 uctx->rdclass,
+						 dns_rdatatype_soa, 0,
+						 client->task, resolvesoa_done,
+						 uctx, &uctx->restrans);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	*transp = (dns_clientupdatetrans_t *)uctx;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	if (ISC_LINK_LINKED(uctx, link)) {
+		LOCK(&client->lock);
+		ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+		UNLOCK(&client->lock);
+	}
+	if (uctx->updatemsg != NULL)
+		dns_message_destroy(&uctx->updatemsg);
+	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+		ISC_LIST_UNLINK(uctx->servers, sa, link);
+		isc_mem_put(client->mctx, sa, sizeof(*sa));
+	}
+	if (uctx->event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&uctx->event));
+	if (uctx->tsigkey != NULL)
+		dns_tsigkey_detach(&uctx->tsigkey);
+	isc_task_detach(&clone);
+	DESTROYLOCK(&uctx->lock);
+	uctx->magic = 0;
+	isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans) {
+	updatectx_t *uctx;
+
+	REQUIRE(trans != NULL);
+	uctx = (updatectx_t *)trans;
+	REQUIRE(UCTX_VALID(uctx));
+
+	LOCK(&uctx->lock);
+
+	if (!uctx->canceled) {
+		uctx->canceled = ISC_TRUE;
+		if (uctx->updatereq != NULL)
+			dns_request_cancel(uctx->updatereq);
+		if (uctx->soareq != NULL)
+			dns_request_cancel(uctx->soareq);
+		if (uctx->restrans != NULL)
+			dns_client_cancelresolve(&uctx->restrans);
+		if (uctx->restrans2 != NULL)
+			dns_client_cancelresolve(&uctx->restrans2);
+	}
+
+	UNLOCK(&uctx->lock);
+}
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp) {
+	updatectx_t *uctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	isc_boolean_t need_destroyclient = ISC_FALSE;
+	isc_sockaddr_t *sa;
+
+	REQUIRE(transp != NULL);
+	uctx = (updatectx_t *)*transp;
+	REQUIRE(UCTX_VALID(uctx));
+	client = uctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(uctx->updatereq == NULL && uctx->updatemsg == NULL &&
+		uctx->soareq == NULL && uctx->soaquery == NULL &&
+		uctx->event == NULL && uctx->tsigkey == NULL &&
+		uctx->sig0key == NULL);
+
+	mctx = client->mctx;
+	dns_view_detach(&uctx->view);
+	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+		ISC_LIST_UNLINK(uctx->servers, sa, link);
+		isc_mem_put(mctx, sa, sizeof(*sa));
+	}
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(uctx, link));
+	ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs))
+		need_destroyclient = ISC_TRUE;
+
+	UNLOCK(&client->lock);
+
+	DESTROYLOCK(&uctx->lock);
+	uctx->magic = 0;
+
+	isc_mem_put(mctx, uctx, sizeof(*uctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client) {
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	return (client->mctx);
+}
+
+typedef struct {
+	isc_buffer_t 	buffer;
+	dns_rdataset_t	rdataset;
+	dns_rdatalist_t	rdatalist;
+	dns_rdata_t	rdata;
+	size_t		size;
+	isc_mem_t *	mctx;
+	unsigned char	data[0];
+} dns_client_updaterec_t;
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+		     dns_rdatatype_t type, dns_rdata_t *source,
+		     dns_ttl_t ttl, dns_name_t *target,
+		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+		     dns_rdata_t *rdata, isc_mem_t *mctx)
+{
+	dns_client_updaterec_t *updaterec;
+	size_t size = sizeof(dns_client_updaterec_t);
+	isc_buffer_t *b = NULL;
+
+	REQUIRE(op < updateop_max);
+	REQUIRE(owner != NULL);
+	REQUIRE((rdataset != NULL && rdatalist != NULL && rdata != NULL) ||
+		(rdataset == NULL && rdatalist == NULL && rdata == NULL &&
+		 mctx != NULL)); 
+	if (op == updateop_add)
+		REQUIRE(source != NULL);
+	if (source != NULL) {
+		REQUIRE(source->type == type);
+		REQUIRE(op == updateop_add || op == updateop_delete ||
+			op == updateop_exist);
+	}
+
+	size += owner->length;
+	if (source != NULL)
+		size += source->length;
+
+	if (rdataset == NULL) {
+		updaterec = isc_mem_get(mctx, size);
+		if (updaterec == NULL)
+			return (ISC_R_NOMEMORY);
+		rdataset = &updaterec->rdataset;
+		rdatalist = &updaterec->rdatalist;
+		rdata = &updaterec->rdata;
+		dns_rdataset_init(rdataset);
+		dns_rdatalist_init(&updaterec->rdatalist);
+		dns_rdata_init(&updaterec->rdata);
+		isc_buffer_init(b, b + 1,
+			        size - sizeof(dns_client_updaterec_t));
+		dns_name_copy(owner, target, b);
+		if (source != NULL) {
+			isc_region_t r;
+			dns_rdata_clone(source, rdata);
+			dns_rdata_toregion(rdata, &r);
+			rdata->data = isc_buffer_used(b);
+			isc_buffer_copyregion(b, &r);
+			
+		}
+		updaterec->mctx = NULL;
+		isc_mem_attach(mctx, &updaterec->mctx);
+	} else if (source != NULL)
+		dns_rdata_clone(source, rdata);
+
+	switch (op) {
+	case updateop_add:
+		break;
+	case updateop_delete:
+		if (source != NULL) {
+			ttl = 0;
+			dns_rdata_makedelete(rdata);
+		} else
+			dns_rdata_deleterrset(rdata, type);
+		break;
+	case updateop_notexist:
+		dns_rdata_notexist(rdata, type);
+		break;
+	case updateop_exist:
+		if (source == NULL) {
+			ttl = 0;
+			dns_rdata_exists(rdata, type);
+		}
+	case updateop_none:
+		break;
+	default:
+		INSIST(0);
+	}
+
+	rdatalist->type = rdata->type;
+	rdatalist->rdclass = rdata->rdclass;
+	if (source != NULL) {
+		rdatalist->covers = dns_rdata_covers(rdata);
+		rdatalist->ttl = ttl;
+	}
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_APPEND(target->list, rdataset, link);
+	if (b != NULL) {
+		target->attributes |= DNS_NAMEATTR_HASUPDATEREC;
+		dns_name_setbuffer(target, b);
+	}
+	if (op == updateop_add || op == updateop_delete)
+		target->attributes |= DNS_NAMEATTR_UPDATE;
+	else
+		target->attributes |= DNS_NAMEATTR_PREREQUISITE;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_client_freeupdate(dns_name_t **namep) {
+	dns_client_updaterec_t *updaterec;
+	dns_rdatalist_t *rdatalist;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t *rdata;
+	dns_name_t *name;
+
+	REQUIRE(namep != NULL && *namep != NULL);
+
+	name = *namep;
+	for (rdataset = ISC_LIST_HEAD(name->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_HEAD(name->list)) {
+		ISC_LIST_UNLINK(name->list, rdataset, link);
+		rdatalist = NULL;
+		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
+		if (rdatalist == NULL) {
+			dns_rdataset_disassociate(rdataset);
+			continue;
+		}
+		for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
+		     rdata != NULL;
+		     rdata = ISC_LIST_HEAD(rdatalist->rdata))
+			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+		dns_rdataset_disassociate(rdataset);
+	}
+
+	if ((name->attributes & DNS_NAMEATTR_HASUPDATEREC) != 0) {
+		updaterec = (dns_client_updaterec_t *)name->buffer;
+		INSIST(updaterec != NULL);
+		isc_mem_putanddetach(&updaterec->mctx, updaterec,
+				     updaterec->size);
+		*namep = NULL;
+	}
+}
diff --git a/lib/dns/db.c b/lib/dns/db.c
index f120fcbb19..bc64bd85c7 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.93 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: db.c,v 1.94 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -63,14 +63,18 @@ struct dns_dbimplementation {
  */
 
 #include "rbtdb.h"
+#ifdef BIND9
 #include "rbtdb64.h"
+#endif
 
 static ISC_LIST(dns_dbimplementation_t) implementations;
 static isc_rwlock_t implock;
 static isc_once_t once = ISC_ONCE_INIT;
 
 static dns_dbimplementation_t rbtimp;
+#ifdef BIND9
 static dns_dbimplementation_t rbt64imp;
+#endif
 
 static void
 initialize(void) {
@@ -82,15 +86,19 @@ initialize(void) {
 	rbtimp.driverarg = NULL;
 	ISC_LINK_INIT(&rbtimp, link);
 
+#ifdef BIND9
 	rbt64imp.name = "rbt64";
 	rbt64imp.create = dns_rbtdb64_create;
 	rbt64imp.mctx = NULL;
 	rbt64imp.driverarg = NULL;
 	ISC_LINK_INIT(&rbt64imp, link);
+#endif
 
 	ISC_LIST_INIT(implementations);
 	ISC_LIST_APPEND(implementations, &rbtimp, link);
+#ifdef BIND9
 	ISC_LIST_APPEND(implementations, &rbt64imp, link);
+#endif
 }
 
 static inline dns_dbimplementation_t *
@@ -292,6 +300,7 @@ dns_db_class(dns_db_t *db) {
 	return (db->rdclass);
 }
 
+#ifdef BIND9
 isc_result_t
 dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
 		 dns_dbload_t **dbloadp) {
@@ -383,6 +392,7 @@ dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
 
 	return ((db->methods->dump)(db, version, filename, masterformat));
 }
+#endif /* BIND9 */
 
 /***
  *** Version Methods
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 9103dd69d9..e13230557e 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.163 2009/04/28 21:39:00 jinmei Exp $ */
+/* $Id: dispatch.c,v 1.164 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -417,7 +417,7 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
 
 /*%
  * ARC4 random number generator derived from OpenBSD.
- * Only dispatch_arc4random() and dispatch_arc4uniformrandom() are expected
+ * Only dispatch_random() and dispatch_uniformrandom() are expected
  * to be called from general dispatch routines; the rest of them are subroutines
  * for these two.
  *
@@ -437,8 +437,11 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
+#ifdef BIND9
 static void
-dispatch_arc4init(arc4ctx_t *actx, isc_entropy_t *entropy, isc_mutex_t *lock) {
+dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
+		    isc_mutex_t *lock)
+{
 	int n;
 	for (n = 0; n < 256; n++)
 		actx->s[n] = n;
@@ -527,7 +530,7 @@ dispatch_arc4stir(arc4ctx_t *actx) {
 }
 
 static isc_uint16_t
-dispatch_arc4random(arc4ctx_t *actx) {
+dispatch_random(arc4ctx_t *actx) {
 	isc_uint16_t result;
 
 	if (actx->lock != NULL)
@@ -543,9 +546,38 @@ dispatch_arc4random(arc4ctx_t *actx) {
 
 	return (result);
 }
+#else
+/*
+ * For general purpose library, we don't have to be too strict about the
+ * quality of random values.  Performance doesn't matter much, either.
+ * So we simply use the isc_random module to keep the library as small as
+ * possible.
+ */
+
+static void
+dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
+		    isc_mutex_t *lock)
+{
+	UNUSED(actx);
+	UNUSED(entropy);
+	UNUSED(lock);
+
+	return;
+}
 
 static isc_uint16_t
-dispatch_arc4uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
+dispatch_random(arc4ctx_t *actx) {
+	isc_uint32_t r;
+
+	UNUSED(actx);
+
+	isc_random_get(&r);
+	return (r & 0xffff);
+}
+#endif	/* BIND9 */
+
+static isc_uint16_t
+dispatch_uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
 	isc_uint16_t min, r;
 
 	if (upper_bound < 2)
@@ -568,7 +600,7 @@ dispatch_arc4uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
 	 * to re-roll.
 	 */
 	for (;;) {
-		r = dispatch_arc4random(actx);
+		r = dispatch_random(actx);
 		if (r >= min)
 			break;
 	}
@@ -851,7 +883,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	 */
 	localaddr = disp->local;
 	for (i = 0; i < 64; i++) {
-		port = ports[dispatch_arc4uniformrandom(DISP_ARC4CTX(disp),
+		port = ports[dispatch_uniformrandom(DISP_ARC4CTX(disp),
 							nports)];
 		isc_sockaddr_setport(&localaddr, port);
 
@@ -956,6 +988,7 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
 	INSIST(dispsock->portentry != NULL);
 	deref_portentry(disp, &dispsock->portentry);
 
+#ifdef BIND9
 	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
 		destroy_dispsocket(disp, &dispsock);
 	else {
@@ -979,6 +1012,13 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
 			destroy_dispsocket(disp, &dispsock);
 		}
 	}
+#else
+	/* This kind of optimization isn't necessary for normal use */
+	UNUSED(qid);
+	UNUSED(result);
+
+	destroy_dispsocket(disp, &dispsock);
+#endif
 }
 
 /*
@@ -1704,8 +1744,10 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) {
 
 	DESTROYLOCK(&mgr->pool_lock);
 
+#ifdef BIND9
 	if (mgr->entropy != NULL)
 		isc_entropy_detach(&mgr->entropy);
+#endif /* BIND9 */
 	if (mgr->qid != NULL)
 		qid_destroy(mctx, &mgr->qid);
 
@@ -1744,9 +1786,13 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
 			return (result);
 		isc_socket_setname(sock, "dispatcher", NULL);
 	} else {
+#ifdef BIND9
 		result = isc_socket_open(sock);
 		if (result != ISC_R_SUCCESS)
 			return (result);
+#else
+		INSIST(0);
+#endif
 	}
 
 #ifndef ISC_ALLOW_MAPPED
@@ -1756,8 +1802,13 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
 	if (result != ISC_R_SUCCESS) {
 		if (*sockp == NULL)
 			isc_socket_detach(&sock);
-		else
+		else {
+#ifdef BIND9
 			isc_socket_close(sock);
+#else
+			INSIST(0);
+#endif
+		}
 		return (result);
 	}
 
@@ -1889,10 +1940,14 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
 	if (result != ISC_R_SUCCESS)
 		goto kill_dpool;
 
+#ifdef BIND9
 	if (entropy != NULL)
 		isc_entropy_attach(entropy, &mgr->entropy);
+#else
+	UNUSED(entropy);
+#endif
 
-	dispatch_arc4init(&mgr->arc4ctx, mgr->entropy, &mgr->arc4_lock);
+	dispatch_initrandom(&mgr->arc4ctx, mgr->entropy, &mgr->arc4_lock);
 
 	*mgrp = mgr;
 	return (ISC_R_SUCCESS);
@@ -2393,7 +2448,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 	ISC_LIST_INIT(disp->activesockets);
 	ISC_LIST_INIT(disp->inactivesockets);
 	disp->nsockets = 0;
-	dispatch_arc4init(&disp->arc4ctx, mgr->entropy, NULL);
+	dispatch_initrandom(&disp->arc4ctx, mgr->entropy, NULL);
 	disp->port_table = NULL;
 	disp->portpool = NULL;
 
@@ -2690,7 +2745,7 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
 		for (i = 0; i < 1024; i++) {
 			in_port_t prt;
 
-			prt = ports[dispatch_arc4uniformrandom(
+			prt = ports[dispatch_uniformrandom(
 					DISP_ARC4CTX(disp),
 					nports)];
 			isc_sockaddr_setport(&localaddr_bound, prt);
@@ -2826,8 +2881,10 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 		disp->task[i] = NULL;
 		result = isc_task_create(taskmgr, 0, &disp->task[i]);
 		if (result != ISC_R_SUCCESS) {
-			while (--i >= 0)
-				isc_task_destroy(&disp->task[i]);
+			while (--i >= 0) {
+				isc_task_shutdown(disp->task[i]);
+				isc_task_detach(&disp->task[i]);
+			}
 			goto kill_socket;
 		}
 		isc_task_setname(disp->task[i], "udpdispatch", disp);
@@ -3027,7 +3084,7 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	/*
 	 * Try somewhat hard to find an unique ID.
 	 */
-	id = (dns_messageid_t)dispatch_arc4random(DISP_ARC4CTX(disp));
+	id = (dns_messageid_t)dispatch_random(DISP_ARC4CTX(disp));
 	bucket = dns_hash(qid, dest, id, localport);
 	ok = ISC_FALSE;
 	for (i = 0; i < 64; i++) {
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 232fba7c0f..71fd242ca6 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.26 2009/08/14 06:28:40 each Exp $
+ * $Id: dst_api.c,v 1.27 2009/09/01 00:22:26 jinmei Exp $
  */
 
 /*! \file */
@@ -69,7 +69,9 @@
 #define DST_AS_STR(t) ((t).value.as_textregion.base)
 
 static dst_func_t *dst_t_func[DST_MAX_ALGS];
+#ifdef BIND9
 static isc_entropy_t *dst_entropy_pool = NULL;
+#endif
 static unsigned int dst_entropy_flags = 0;
 static isc_boolean_t dst_initialized = ISC_FALSE;
 
@@ -126,7 +128,7 @@ static isc_result_t	addsuffix(char *filename, unsigned int len,
 			return (_r);		\
 	} while (0);				\
 
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(BIND9)
 static void *
 default_memalloc(void *arg, size_t size) {
 	UNUSED(arg);
@@ -146,12 +148,17 @@ isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	isc_result_t result;
 
-	REQUIRE(mctx != NULL && ectx != NULL);
+	REQUIRE(mctx != NULL);
+#ifdef BIND9
+	REQUIRE(ectx != NULL);
+#else
+	UNUSED(ectx);
+#endif
 	REQUIRE(dst_initialized == ISC_FALSE);
 
 	dst__memory_pool = NULL;
 
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(BIND9)
 	UNUSED(mctx);
 	/*
 	 * When using --with-openssl, there seems to be no good way of not
@@ -170,7 +177,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 #else
 	isc_mem_attach(mctx, &dst__memory_pool);
 #endif
+#ifdef BIND9
 	isc_entropy_attach(ectx, &dst_entropy_pool);
+#endif
 	dst_entropy_flags = eflags;
 
 	dst_result_register();
@@ -218,9 +227,10 @@ dst_lib_destroy(void) {
 #endif
 	if (dst__memory_pool != NULL)
 		isc_mem_detach(&dst__memory_pool);
+#ifdef BIND9
 	if (dst_entropy_pool != NULL)
 		isc_entropy_detach(&dst_entropy_pool);
-
+#endif
 }
 
 isc_boolean_t
@@ -1045,7 +1055,7 @@ dst_key_read_public(const char *filename, int type,
 	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
 	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
 	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
-				ISC_FALSE, NULL);
+				0, NULL);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -1397,13 +1407,25 @@ addsuffix(char *filename, unsigned int len, const char *odirname,
 
 isc_result_t
 dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
+#ifdef BIND9
 	unsigned int flags = dst_entropy_flags;
 	if (pseudo)
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#else
+	UNUSED(buf);
+	UNUSED(len);
+	UNUSED(pseudo);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 unsigned int
 dst__entropy_status(void) {
+#ifdef BIND9
 	return (isc_entropy_status(dst_entropy_pool));
+#else
+	return (0);
+#endif
 }
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
new file mode 100644
index 0000000000..c8cee3af6d
--- /dev/null
+++ b/lib/dns/ecdb.c
@@ -0,0 +1,797 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ecdb.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+
+#include "config.h"
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define ECDB_MAGIC		ISC_MAGIC('E', 'C', 'D', 'B')
+#define VALID_ECDB(db)		((db) != NULL && \
+				 (db)->common.impmagic == ECDB_MAGIC)
+
+#define ECDBNODE_MAGIC		ISC_MAGIC('E', 'C', 'D', 'N')
+#define VALID_ECDBNODE(ecdbn)	ISC_MAGIC_VALID(ecdbn, ECDBNODE_MAGIC)
+
+#if DNS_RDATASET_FIXED
+#error "Fixed rdataset isn't supported in this implementation"
+#endif
+
+/*%
+ * The 'ephemeral' cache DB (ecdb) implementation.  An ecdb just provides
+ * temporary storage for ongoing name resolution with the common DB interfaces.
+ * It actually doesn't cache anything.  The implementation expects any stored
+ * data is released within a short period, and does not care about the
+ * scalability in terms of the number of nodes.
+ */
+
+typedef struct dns_ecdb {
+	/* Unlocked */
+	dns_db_t			common;
+	isc_mutex_t			lock;
+
+	/* Locked */
+	unsigned int			references;
+	ISC_LIST(struct dns_ecdbnode)	nodes;
+} dns_ecdb_t;
+
+typedef struct dns_ecdbnode {
+	/* Unlocked */
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	dns_ecdb_t			*ecdb;
+	dns_name_t			name;
+	ISC_LINK(struct dns_ecdbnode)	link;
+
+	/* Locked */
+	ISC_LIST(struct rdatasetheader)	rdatasets;
+	unsigned int			references;
+} dns_ecdbnode_t;
+
+typedef struct rdatasetheader {
+	dns_rdatatype_t			type;
+	dns_ttl_t			ttl;
+	dns_trust_t			trust;
+	dns_rdatatype_t			covers;
+	unsigned int			attributes;
+
+	ISC_LINK(struct rdatasetheader)	link;
+} rdatasetheader_t;
+
+/* Copied from rbtdb.c */
+#define RDATASET_ATTR_NXDOMAIN		0x0010
+#define NXDOMAIN(header) \
+	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+
+static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin,
+				    dns_dbtype_t type,
+				    dns_rdataclass_t rdclass,
+				    unsigned int argc, char *argv[],
+				    void *driverarg, dns_db_t **dbp);
+
+static void rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
+static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,			/* addnoqname */
+	NULL,			/* getnoqname */
+	NULL,			/* addclosest */
+	NULL,			/* getclosest */
+	NULL,			/* getadditional */
+	NULL,			/* setadditional */
+	NULL			/* putadditional */
+};
+
+typedef struct ecdb_rdatasetiter {
+	dns_rdatasetiter_t		common;
+	rdatasetheader_t	       *current;
+} ecdb_rdatasetiter_t;
+
+static void		rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t	rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t	rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void		rdatasetiter_current(dns_rdatasetiter_t *iterator,
+					     dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+	return (dns_db_register("ecdb", dns_ecdb_create, NULL, mctx, dbimp));
+}
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp) {
+	REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+	dns_db_unregister(dbimp);
+}
+
+/*%
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&ecdb->lock);
+	ecdb->references++;
+	UNLOCK(&ecdb->lock);
+
+	*targetp = source;
+}
+
+static void
+destroy_ecdb(dns_ecdb_t **ecdbp) {
+	dns_ecdb_t *ecdb = *ecdbp;
+	isc_mem_t *mctx = ecdb->common.mctx;
+
+	if (dns_name_dynamic(&ecdb->common.origin))
+		dns_name_free(&ecdb->common.origin, mctx);
+
+	DESTROYLOCK(&ecdb->lock);
+
+	ecdb->common.impmagic = 0;
+	ecdb->common.magic = 0;
+
+	isc_mem_putanddetach(&mctx, ecdb, sizeof(*ecdb));
+
+	*ecdbp = NULL;
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_ecdb_t *ecdb;
+	isc_boolean_t need_destroy = ISC_FALSE;
+
+	REQUIRE(dbp != NULL);
+	ecdb = (dns_ecdb_t *)*dbp;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	LOCK(&ecdb->lock);
+	ecdb->references--;
+	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+		need_destroy = ISC_TRUE;
+	UNLOCK(&ecdb->lock);
+
+	if (need_destroy)
+		destroy_ecdb(&ecdb);
+
+	*dbp = NULL;
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node = (dns_ecdbnode_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(node));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references++;
+	INSIST(node->references != 0);		/* Catch overflow. */
+	UNLOCK(&node->lock);
+
+	*targetp = node;
+}
+
+static void
+destroynode(dns_ecdbnode_t *node) {
+	isc_mem_t *mctx;
+	dns_ecdb_t *ecdb = node->ecdb;
+	isc_boolean_t need_destroydb = ISC_FALSE;
+	rdatasetheader_t *header;
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_UNLINK(ecdb->nodes, node, link);
+	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+		need_destroydb = ISC_TRUE;
+	UNLOCK(&ecdb->lock);
+
+	dns_name_free(&node->name, mctx);
+
+	while ((header = ISC_LIST_HEAD(node->rdatasets)) != NULL) {
+		unsigned int headersize;
+
+		ISC_LIST_UNLINK(node->rdatasets, header, link);
+		headersize =
+			dns_rdataslab_size((unsigned char *)header,
+					   sizeof(*header));
+		isc_mem_put(mctx, header, headersize);
+	}
+
+	DESTROYLOCK(&node->lock);
+
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(*node));
+
+	if (need_destroydb)
+		destroy_ecdb(&ecdb);
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node;
+	isc_boolean_t need_destroy = ISC_FALSE;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL);
+	node = (dns_ecdbnode_t *)*nodep;
+	REQUIRE(VALID_ECDBNODE(node));
+
+	UNUSED(ecdb);		/* in case REQUIRE() is empty */
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references--;
+	if (node->references == 0)
+		need_destroy = ISC_TRUE;
+	UNLOCK(&node->lock);
+
+	if (need_destroy)
+		destroynode(node);
+
+	*nodep = NULL;
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+    dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+    dns_rdataset_t *sigrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name,
+	    unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+	 dns_dbnode_t **nodep)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *node;
+	isc_result_t result;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+
+	if (create != ISC_TRUE)	{
+		/* an 'ephemeral' node is never reused. */
+		return (ISC_R_NOTFOUND);
+	}
+
+	mctx = ecdb->common.mctx;
+	node = isc_mem_get(mctx, sizeof(*node));
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&node->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		isc_mem_put(mctx, node, sizeof(*node));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	dns_name_init(&node->name, NULL);
+	result = dns_name_dup(name, mctx, &node->name);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&node->lock);
+		isc_mem_put(mctx, node, sizeof(*node));
+		return (result);
+	}
+	node->ecdb= ecdb;
+	node->references = 1;
+	ISC_LIST_INIT(node->rdatasets);
+
+	ISC_LINK_INIT(node, link);
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_APPEND(ecdb->nodes, node, link);
+	UNLOCK(&ecdb->lock);
+
+	node->magic = ECDBNODE_MAGIC;
+
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node,
+	      rdatasetheader_t *header, dns_rdataset_t *rdataset)
+{
+	unsigned char *raw;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ecdb->common.rdclass;
+	rdataset->type = header->type;
+	rdataset->covers = header->covers;
+	rdataset->ttl = header->ttl;
+	rdataset->trust = header->trust;
+	if (NXDOMAIN(header))
+		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+
+	rdataset->private1 = ecdb;
+	rdataset->private2 = node;
+	raw = (unsigned char *)header + sizeof(*header);
+	rdataset->private3 = raw;
+	rdataset->count = 0;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	INSIST(node->references > 0);
+	node->references++;
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(options);
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdbnode->lock);
+
+	/*
+	 * Sanity check: this implementation does not allow overriding an
+	 * existing rdataset of the same type.
+	 */
+	for (header = ISC_LIST_HEAD(ecdbnode->rdatasets); header != NULL;
+	     header = ISC_LIST_NEXT(header, link)) {
+		INSIST(header->type != rdataset->type ||
+		       header->covers != rdataset->covers);
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, mctx,
+					    &r, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	header = (rdatasetheader_t *)r.base;
+	header->type = rdataset->type;
+	header->ttl = rdataset->ttl;
+	header->trust = rdataset->trust;
+	header->covers = rdataset->covers;
+	header->attributes = 0;
+	if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+		header->attributes |= RDATASET_ATTR_NXDOMAIN;
+	ISC_LINK_INIT(header, link);
+	ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
+
+	if (addedrdataset == NULL)
+		goto unlock;
+
+	bind_rdataset(ecdb, ecdbnode, header, addedrdataset);
+
+ unlock:
+	UNLOCK(&ecdbnode->lock);
+
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, isc_boolean_t relative_names,
+	       dns_dbiterator_t **iteratorp)
+{
+	UNUSED(db);
+	UNUSED(relative_names);
+	UNUSED(iteratorp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	isc_mem_t *mctx;
+	ecdb_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	mctx = ecdb->common.mctx;
+
+	iterator = isc_mem_get(mctx, sizeof(ecdb_rdatasetiter_t));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static dns_dbmethods_t ecdb_methods = {
+	attach,
+	detach,
+	NULL,			/* beginload */
+	NULL,			/* endload */
+	NULL,			/* dump */
+	NULL,			/* currentversion */
+	NULL,			/* newversion */
+	NULL,			/* attachversion */
+	NULL,			/* closeversion */
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	NULL,			/* expirenode */
+	NULL,			/* printnode */
+	createiterator,		/* createiterator */
+	NULL,			/* findrdataset */
+	allrdatasets,
+	addrdataset,
+	NULL,			/* subtractrdataset */
+	deleterdataset,
+	NULL,			/* issecure */
+	NULL,			/* nodecount */
+	NULL,			/* ispersistent */
+	NULL,			/* overmem */
+	NULL,			/* settask */
+	NULL,			/* getoriginnode */
+	NULL,			/* transfernode */
+	NULL,			/* getnsec3parameters */
+	NULL,			/* findnsec3node */
+	NULL,			/* setsigningtime */
+	NULL,			/* getsigningtime */
+	NULL,			/* resigned */
+	NULL,			/* isdnssec */
+	NULL			/* getrrsetstats */
+};
+
+static isc_result_t
+dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+		dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		void *driverarg, dns_db_t **dbp)
+{
+	dns_ecdb_t *ecdb;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(origin == dns_rootname);
+	REQUIRE(type == dns_dbtype_cache);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	UNUSED(argc);
+	UNUSED(argv);
+	UNUSED(driverarg);
+
+	ecdb = isc_mem_get(mctx, sizeof(*ecdb));
+	if (ecdb == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ecdb->common.attributes = DNS_DBATTR_CACHE;
+	ecdb->common.rdclass = rdclass;
+	ecdb->common.methods = &ecdb_methods;
+	dns_name_init(&ecdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(origin, mctx, &ecdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+		return (result);
+	}
+
+	result = isc_mutex_init(&ecdb->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		if (dns_name_dynamic(&ecdb->common.origin))
+			dns_name_free(&ecdb->common.origin, mctx);
+		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	ecdb->references = 1;
+	ISC_LIST_INIT(ecdb->nodes);
+
+	ecdb->common.mctx = NULL;
+	isc_mem_attach(mctx, &ecdb->common.mctx);
+	ecdb->common.impmagic = ECDB_MAGIC;
+	ecdb->common.magic = DNS_DB_MAGIC;
+
+	*dbp = (dns_db_t *)ecdb;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+
+	dns_db_detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+	raw += 2;
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+	raw += length + 2;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+	unsigned int length;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	length = raw[0] * 256 + raw[1];
+	raw += 2;
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_db_t *db = source->private1;
+	dns_dbnode_t *node = source->private2;
+	dns_dbnode_t *cloned_node = NULL;
+
+	attachnode(db, node, &cloned_node);
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	ecdb_rdatasetiter_t *ecdbiterator;
+	isc_mem_t *mctx;
+
+	REQUIRE(iteratorp != NULL);
+	ecdbiterator = (ecdb_rdatasetiter_t *)*iteratorp;
+	REQUIRE(DNS_RDATASETITER_VALID(&ecdbiterator->common));
+
+	mctx = ecdbiterator->common.db->mctx;
+
+	ecdbiterator->common.magic = 0;
+
+	dns_db_detachnode(ecdbiterator->common.db, &ecdbiterator->common.node);
+	isc_mem_put(mctx, ecdbiterator, sizeof(ecdb_rdatasetiter_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)iterator->node;
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	if (ISC_LIST_EMPTY(ecdbnode->rdatasets))
+		return (ISC_R_NOMORE);
+	ecdbiterator->current = ISC_LIST_HEAD(ecdbnode->rdatasets);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	ecdbiterator->current = ISC_LIST_NEXT(ecdbiterator->current, link);
+	if (ecdbiterator->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdb_t *ecdb;
+
+	ecdb = (dns_ecdb_t *)iterator->db;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	bind_rdataset(ecdb, iterator->node, ecdbiterator->current, rdataset);
+}
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index 39e2ef5df0..bc1a94bd33 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.c,v 1.12 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: forward.c,v 1.13 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -132,6 +132,22 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
 	return (result);
 }
 
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name) {
+	isc_result_t result;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_deletename(fwdtable->table, name, ISC_FALSE);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
 isc_result_t
 dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp)
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 11eadb9675..6f2e3b0783 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.12 2008/04/03 06:09:04 tbox Exp $ */
+/* $Id: gssapictx.c,v 1.13 2009/09/01 00:22:26 jinmei Exp $ */
 
 #include 
 
@@ -630,7 +630,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 		isc_buffer_add(&namebuf, r.length);
 
 		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
-					 ISC_FALSE, NULL));
+					 0, NULL));
 
 		if (gnamebuf.length != 0) {
 			gret = gss_release_buffer(&minor, &gnamebuf);
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
new file mode 100644
index 0000000000..4017528dc1
--- /dev/null
+++ b/lib/dns/include/dns/client.h
@@ -0,0 +1,621 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: client.h,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+
+#ifndef DNS_CLIENT_H
+#define DNS_CLIENT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The DNS client module provides convenient programming interfaces to various
+ * DNS services, such as name resolution with or without DNSSEC validation or
+ * dynamic DNS update.  This module is primarily expected to be used by other
+ * applications than BIND9-related ones that need such advanced DNS features.
+ *
+ * MP:
+ *\li	In the typical usage of this module, application threads will not share
+ *	the same data structures created and manipulated in this module.
+ *	However, the module still ensures appropriate synchronization of such
+ *	data structures.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+#include 
+
+typedef enum {
+	updateop_none = 0,
+	updateop_add = 1,
+	updateop_delete = 2,
+	updateop_exist = 3,
+	updateop_notexist = 4,
+	updateop_max = 5
+} dns_client_updateop_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Optional flags for dns_client_create(x).
+ */
+/*%< Enable caching resolution results (experimental). */
+#define DNS_CLIENTCREATEOPT_USECACHE	0x8000
+
+/*%
+ * Optional flags for dns_client_(start)resolve.
+ */
+/*%< Disable DNSSEC validation. */
+#define DNS_CLIENTRESOPT_NODNSSEC	0x01
+/*%< Allow running external context. */
+#define DNS_CLIENTRESOPT_ALLOWRUN	0x02
+
+/*%
+ * Optional flags for dns_client_(start)request.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTREQOPT_ALLOWRUN	0x01
+
+/*%
+ * A dns_clientresevent_t is sent when name resolution performed by a client
+ * completes.  'result' stores the result code of the entire resolution
+ * procedure.  'vresult' specifically stores the result code of DNSSEC
+ * validation if it is performed.  When name resolution successfully completes,
+ * 'answerlist' is typically non empty, containing answer names along with
+ * RRsets.  It is the receiver's responsibility to free this list by calling
+ * dns_client_freeresanswer() before freeing the event structure.
+ */
+typedef struct dns_clientresevent {
+	ISC_EVENT_COMMON(struct dns_clientresevent);
+	isc_result_t	result;
+	isc_result_t	vresult;
+	dns_namelist_t	answerlist;
+} dns_clientresevent_t;		/* too long? */
+
+/*%
+ * Status of a dynamic update procedure.
+ */
+typedef enum {
+	dns_clientupdatestate_prepare,	/*%< no updates have been sent */
+	dns_clientupdatestate_sent,	/*%< updates were sent, no response */
+	dns_clientupdatestate_done	/*%< update was sent and succeeded */
+} dns_clientupdatestate_t;
+
+/*%
+ * A dns_clientreqevent_t is sent when a DNS request is completed by a client.
+ * 'result' stores the result code of the entire transaction.
+ * If the transaction is successfully completed but the response packet cannot
+ * be parsed, 'result' will store the result code of dns_message_parse().
+ * If the response packet is received, 'rmessage' will contain the response
+ * message, whether it is successfully parsed or not.
+ */
+typedef struct dns_clientreqevent {
+	ISC_EVENT_COMMON(struct dns_clientreqevent);
+	isc_result_t	result;
+	dns_message_t	*rmessage;
+} dns_clientreqevent_t;		/* too long? */
+
+/*%
+ * A dns_clientupdateevent_t is sent when dynamic update performed by a client
+ * completes.  'result' stores the result code of the entire update procedure.
+ * 'state' specifies the status of the update procedure when this event is
+ * sent.  This can be used as a hint by the receiver to determine whether
+ * the update attempt was ever made.  In particular, if the state is
+ * dns_clientupdatestate_prepare, the receiver can be sure that the requested
+ * update was not applied.
+ */
+typedef struct dns_clientupdateevent {
+	ISC_EVENT_COMMON(struct dns_clientupdateevent);
+	isc_result_t		result;
+	dns_clientupdatestate_t	state;
+} dns_clientupdateevent_t;	/* too long? */
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options);
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		   unsigned int options, dns_client_t **clientp);
+/*%<
+ * Create a DNS client.  These functions create a new client object with
+ * minimal internal resources such as the default 'view' for the IN class and
+ * IPv4/IPv6 dispatches for the view.
+ *
+ * dns_client_createx() takes 'manager' arguments so that the caller can
+ * control the behavior of the client through the underlying event framework.
+ * On the other hand, dns_client_create() simplifies the interface and creates
+ * the managers internally.  A DNS client object created via
+ * dns_client_create() is expected to be used by an application that only needs
+ * simple synchronous services or by a thread-based application.
+ *
+ * If the DNS_CLIENTCREATEOPT_USECACHE flag is set in 'options',
+ * dns_client_create(x) will create a cache database with the view.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'actx' is a valid application context.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	clientp != NULL && *clientp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_destroy(dns_client_t **clientp);
+/*%<
+ * Destroy 'client'.
+ *
+ * Requires:
+ *
+ *\li	'*clientp' is a valid client.
+ *
+ * Ensures:
+ *
+ *\li	*clientp == NULL.
+ */
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      dns_name_t *namespace, isc_sockaddrlist_t *addrs);
+/*%<
+ * Specify a list of addresses of recursive name servers that the client will
+ * use for name resolution.  A view for the 'rdclass' class must be created
+ * beforehand.  If 'namespace' is non NULL, the specified server will be used
+ * if and only if the query name is a subdomain of 'namespace'.  When servers
+ * for multiple 'namespace's are provided, and a query name is covered by
+ * more than one 'namespace', the servers for the best (longest) matching
+ * namespace will be used.  If 'namespace' is NULL, it works as if
+ * dns_rootname (.) were specified.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'namespace' is NULL or a valid name.
+ *
+ *\li	'addrs' != NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			dns_name_t *namespace);
+/*%<
+ * Remove configured recursive name servers for the 'rdclass' and 'namespace'
+ * from the client.  See the description of dns_client_setservers() for
+ * the requirements about 'rdclass' and 'namespace'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'namespace' is NULL or a valid name.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist);
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp);
+/*%<
+ * Perform name resolution for 'name', 'rdclass', and 'type'.
+ *
+ * If any trusted keys are configured and the query name is considered to
+ * belong to a secure zone, these functions also validate the responses
+ * using DNSSEC by default.  If the DNS_CLIENTRESOPT_NODNSSEC flag is set
+ * in 'options', DNSSEC validation is disabled regardless of the configured
+ * trusted keys or the query name.
+ *
+ * dns_client_resolve() provides a synchronous service.  This function starts
+ * name resolution internally and blocks until it completes.  On success,
+ * 'namelist' will contain a list of answer names, each of which has
+ * corresponding RRsets.  The caller must provide a valid empty list, and
+ * is responsible for freeing the list content via dns_client_freeresanswer().
+ * If the name resolution fails due to an error in DNSSEC validation,
+ * dns_client_resolve() returns the result code indicating the validation
+ * error. Otherwise, it returns the result code of the entire resolution
+ * process, either success or failure.
+ *
+ * It is typically expected that the client object passed to
+ * dns_client_resolve() was created via dns_client_create() and has its own
+ * managers and contexts.  However, if the DNS_CLIENTRESOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startresolve() is an asynchronous version of dns_client_resolve()
+ * and does not block.  When name resolution is completed, 'action' will be
+ * called with the argument of a 'dns_clientresevent_t' object, which contains
+ * the resulting list of answer names (on success).  On return, '*transp' is
+ * set to an opaque transaction ID so that the caller can cancel this
+ * resolution process.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'addrs' != NULL.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'namelist' != NULL and is not empty.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans);
+/*%<
+ * Cancel an ongoing resolution procedure started via
+ * dns_client_startresolve().
+ *
+ * Notes:
+ *
+ *\li	If the resolution procedure has not completed, post its CLIENTRESDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp);
+/*%<
+ * Destroy name resolution transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTRESDONE event (either because the
+ *	resolution completed or because dns_client_cancelresolve() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist); 
+/*%<
+ * Free resources allocated for the content of 'namelist'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'namelist' != NULL.
+ */
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_name_t *keyname, isc_buffer_t *keydatabuf);
+/*%<
+ * Add a DNSSEC trusted key for the 'rdclass' class.  A view for the 'rdclass'
+ * class must be created beforehand.  'keyname' is the DNS name of the key,
+ * and 'keydatabuf' stores the resource data of the key.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'keyname' is a valid name.
+ *
+ *\li	'keydatabuf' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+		   dns_message_t *rmessage, isc_sockaddr_t *server,
+		   unsigned int options, unsigned int parseoptions,
+		   dns_tsec_t *tsec, unsigned int timeout,
+		   unsigned int udptimeout, unsigned int udpretries);
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+			dns_message_t *rmessage, isc_sockaddr_t *server,
+			unsigned int options, unsigned int parseoptions,
+			dns_tsec_t *tsec, unsigned int timeout,
+			unsigned int udptimeout, unsigned int udpretries,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_clientreqtrans_t **transp);
+
+/*%<
+ * Send a DNS request containig a query message 'query' to 'server'.
+ *
+ * 'parseoptions' will be used when the response packet is parsed, and will be
+ * passed to dns_message_parse() via dns_request_getresponse().  See
+ * dns_message_parse() for more details.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the request/response transaction.  This is optional and can
+ * be NULL, in which case this library performs the transaction  without any
+ * transaction authentication.
+ *
+ * 'timeout', 'udptimeout', and 'udpretries' are passed to
+ * dns_request_createvia3().  See dns_request_createvia3() for more details.
+ *
+ * dns_client_request() provides a synchronous service.  This function sends
+ * the request and blocks until a response is received.  On success,
+ * 'rmessage' will contain the response message.  The caller must provide a
+ * valid initialized message.
+ *
+ * It is usually expected that the client object passed to
+ * dns_client_request() was created via dns_client_create() and has its own
+ * managers and contexts.  However, if the DNS_CLIENTREQOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startrequest() is an asynchronous version of dns_client_request()
+ * and does not block.  When the transaction is completed, 'action' will be
+ * called with the argument of a 'dns_clientreqevent_t' object, which contains
+ * the response message (on success).  On return, '*transp' is set to an opaque
+ * transaction ID so that the caller can cancel this request.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'qmessage' and 'rmessage' are valid initialized message.
+ *
+ *\li	'server' is a valid socket address structure.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ *
+ *\li	Any result that dns_message_parse() can return.
+ */
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *transp);
+/*%<
+ * Cancel an ongoing DNS request procedure started via
+ * dns_client_startrequest().
+ *
+ * Notes:
+ *
+ *\li	If the request procedure has not completed, post its CLIENTREQDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp);
+/*%
+ * Destroy DNS request transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTREQDONE event (either because the
+ *	request completed or because dns_client_cancelrequest() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+		  dns_name_t *zonename, dns_namelist_t *prerequisites,
+		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		  dns_tsec_t *tsec, unsigned int options);
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+		       dns_name_t *zonename, dns_namelist_t *prerequisites,
+		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		       dns_tsec_t *tsec, unsigned int options,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_clientupdatetrans_t **transp);
+/*%<
+ * Perform DNS dynamic update for 'updates' of the 'rdclass' class with
+ * optional 'prerequisites'.
+ *
+ * 'updates' are a list of names with associated RRsets to be updated.
+ *
+ * 'prerequisites' are a list of names with associated RRsets corresponding to
+ * the prerequisites of the updates.  This is optional and can be NULL, in
+ * which case the prerequisite section of the update message will be empty.
+ *
+ * Both 'updates' and 'prerequisites' must be constructed as specified in
+ * RFC2136.
+ *
+ * 'zonename' is the name of the zone in which the updated names exist.
+ * This is optional and can be NULL.  In this case, these functions internally
+ * identify the appropriate zone through some queries for the SOA RR starting
+ * with the first name in prerequisites or updates.
+ *
+ * 'servers' is a list of authoritative servers to which the update message
+ * should be sent.  This is optional and can be NULL.  In this case, these
+ * functions internally identify the appropriate primary server name and its
+ * addresses through some queries for the SOA RR (like the case of zonename)
+ * and supplemental A/AAAA queries for the server name.
+ * Note: The client module generally assumes the given addresses are of the
+ * primary server of the corresponding zone.  It will work even if a secondary
+ * server address is specified as long as the server allows update forwarding,
+ * it is generally discouraged to include secondary server addresses unless
+ * there's strong reason to do so.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the update transaction (and the supplemental query/response
+ * transactions if the server is specified).  This is optional and can be
+ * NULL, in which case the library tries the update without any transaction
+ * authentication.
+ *
+ * dns_client_update() provides a synchronous service.  This function blocks
+ * until the entire update procedure completes, including the additional
+ * queries when necessary.
+ *
+ * dns_client_startupdate() is an asynchronous version of dns_client_update().
+ * It immediately returns (typically with *transp being set to a non-NULL
+ * pointer), and performs the update procedure through a set of internal
+ * events.  All transactions including the additional query exchanges are
+ * performed as a separate event, so none of these events cause blocking
+ * operation.  When the update procedure completes, the specified function
+ * 'action' will be called with the argument of a 'dns_clientupdateevent_t'
+ * structure.  On return, '*transp' is set to an opaque transaction ID so that
+ * the caller can cancel this update process.
+ *
+ * Notes:
+ *\li	No options are currently defined.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'updates' != NULL.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans);
+/*%<
+ * Cancel an ongoing dynamic update procedure started via
+ * dns_client_startupdate().
+ *
+ * Notes:
+ *
+ *\li	If the update procedure has not completed, post its UPDATEDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp);
+/*%<
+ * Destroy dynamic update transaction identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the UPDATEDONE event (either because the
+ *	update completed or because dns_client_cancelupdate() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+		     dns_rdatatype_t type, dns_rdata_t *source,
+		     dns_ttl_t ttl, dns_name_t *target,
+		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+		     dns_rdata_t *rdata, isc_mem_t *mctx);
+/*%<
+ * TBD
+ */
+
+void
+dns_client_freeupdate(dns_name_t **namep);
+/*%<
+ * TBD
+ */
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENT_H */
diff --git a/lib/dns/include/dns/ecdb.h b/lib/dns/include/dns/ecdb.h
new file mode 100644
index 0000000000..8d638d6f63
--- /dev/null
+++ b/lib/dns/include/dns/ecdb.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ecdb.h,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+
+#ifndef DNS_ECDB_H
+#define DNS_ECDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/* TBD */
+
+/***
+ *** Imports
+ ***/
+
+#include 
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+/* TBD: describe those */
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ECDB_H */
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index ec4aee0185..c92f44be02 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.52 2009/06/30 02:52:32 each Exp $ */
+/* $Id: events.h,v 1.53 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
@@ -70,6 +70,8 @@
 #define DNS_EVENT_ACACHEOVERMEM			(ISC_EVENTCLASS_DNS + 40)
 #define DNS_EVENT_RBTPRUNE			(ISC_EVENTCLASS_DNS + 41)
 #define DNS_EVENT_MANAGEKEYS			(ISC_EVENTCLASS_DNS + 42)
+#define DNS_EVENT_CLIENTRESDONE			(ISC_EVENTCLASS_DNS + 43)
+#define DNS_EVENT_CLIENTREQDONE			(ISC_EVENTCLASS_DNS + 44)
 
 #define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index 512c5e3c6e..fa5a10c31d 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.h,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: forward.h,v 1.12 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_FORWARD_H
 #define DNS_FORWARD_H 1
@@ -66,6 +66,21 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
  * \li	#ISC_R_NOMEMORY
  */
 
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name);
+/*%<
+ * Removes an entry for 'name' from the forwarding table.  If an entry
+ * that exactly matches 'name' does not exist, ISC_R_NOTFOUND will be returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
 isc_result_t
 dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp);
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index fd3325b940..49c12c7c78 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: lib.h,v 1.17 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
@@ -40,6 +40,20 @@ dns_lib_initmsgcat(void);
  * has not already been initialized.
  */
 
+isc_result_t
+dns_lib_init(void);
+/*%<
+ * A set of initialization procedure used in the DNS library.  This function
+ * is provided for an application that is not aware of the underlying ISC or
+ * DNS libraries much.
+ */
+
+void
+dns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in dns_lib_init().
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_LIB_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index c499e5a239..044b0103dd 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.127 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: message.h,v 1.128 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -81,8 +81,7 @@
  *	name = NULL;
  *	name = dns_message_gettempname(message, &name);
  *	dns_name_init(name, NULL);
- *	result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
- *				   buffer);
+ *	result = dns_name_fromtext(name, &source, dns_rootname, 0, buffer);
  *	dns_message_takebuffer(message, &buffer);
  * \endcode
  *
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 4c6c523112..bd81d037ad 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.130 2009/06/30 02:52:32 each Exp $ */
+/* $Id: name.h,v 1.131 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -127,21 +127,27 @@ struct dns_name {
 
 #define DNS_NAME_MAGIC			ISC_MAGIC('D','N','S','n')
 
-#define DNS_NAMEATTR_ABSOLUTE		0x0001
-#define DNS_NAMEATTR_READONLY		0x0002
-#define DNS_NAMEATTR_DYNAMIC		0x0004
-#define DNS_NAMEATTR_DYNOFFSETS		0x0008
-#define DNS_NAMEATTR_NOCOMPRESS		0x0010
+#define DNS_NAMEATTR_ABSOLUTE		0x00000001
+#define DNS_NAMEATTR_READONLY		0x00000002
+#define DNS_NAMEATTR_DYNAMIC		0x00000004
+#define DNS_NAMEATTR_DYNOFFSETS		0x00000008
+#define DNS_NAMEATTR_NOCOMPRESS		0x00000010
 /*
  * Attributes below 0x0100 reserved for name.c usage.
  */
-#define DNS_NAMEATTR_CACHE		0x0100		/*%< Used by resolver. */
-#define DNS_NAMEATTR_ANSWER		0x0200		/*%< Used by resolver. */
-#define DNS_NAMEATTR_NCACHE		0x0400		/*%< Used by resolver. */
-#define DNS_NAMEATTR_CHAINING		0x0800		/*%< Used by resolver. */
-#define DNS_NAMEATTR_CHASE		0x1000		/*%< Used by resolver. */
-#define DNS_NAMEATTR_WILDCARD		0x2000		/*%< Used by server. */
+#define DNS_NAMEATTR_CACHE		0x00000100	/*%< Used by resolver. */
+#define DNS_NAMEATTR_ANSWER		0x00000200	/*%< Used by resolver. */
+#define DNS_NAMEATTR_NCACHE		0x00000400	/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHAINING		0x00000800	/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHASE		0x00001000	/*%< Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD		0x00002000	/*%< Used by server. */
+#define DNS_NAMEATTR_PREREQUISITE	0x00004000	/*%< Used by client. */
+#define DNS_NAMEATTR_UPDATE		0x00008000	/*%< Used by client. */
+#define DNS_NAMEATTR_HASUPDATEREC	0x00010000	/*%< Used by client. */
 
+/*
+ * Various flags.
+ */
 #define DNS_NAME_DOWNCASE		0x0001
 #define DNS_NAME_CHECKNAMES		0x0002		/*%< Used by rdata. */
 #define DNS_NAME_CHECKNAMESFAIL		0x0004		/*%< Used by rdata. */
@@ -1294,6 +1300,13 @@ dns_name_destroy(void);
  * non-NULL argument prior to calling dns_name_destroy();
  */
 
+isc_result_t
+dns_name_fromstr(dns_name_t *name, const char *source, const char *origin,
+		 unsigned int options, isc_buffer_t *target);
+/*%<
+ * TBD
+ */
+
 ISC_LANG_ENDDECLS
 
 /*
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index 7b1d7f2c5e..6051752cb0 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.73 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: rdata.h,v 1.74 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -95,6 +95,7 @@
 
 #include 
 #include 
+#include 
 
 ISC_LANG_BEGINDECLS
 
@@ -698,6 +699,21 @@ dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
  *	'bad'	to be NULL or valid.
  */
 
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata);
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATA_H */
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 04a7a1e0a5..bdf4c64333 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.63 2009/01/27 22:29:59 jinmei Exp $ */
+/* $Id: resolver.h,v 1.64 2009/09/01 00:22:26 jinmei Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -81,6 +81,7 @@ typedef struct dns_fetchevent {
 	dns_fixedname_t			foundname;
 	isc_sockaddr_t *		client;
 	dns_messageid_t			id;
+	isc_result_t			vresult;
 } dns_fetchevent_t;
 
 /*
diff --git a/lib/dns/include/dns/tsec.h b/lib/dns/include/dns/tsec.h
new file mode 100644
index 0000000000..2d85e4b0a0
--- /dev/null
+++ b/lib/dns/include/dns/tsec.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsec.h,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#ifndef DNS_TSEC_H
+#define DNS_TSEC_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The TSEC (Transaction Security) module is an abstraction layer for managing
+ * DNS transaction mechanisms such as TSIG or SIG(0).  A TSEC structure is a
+ * mechanism-independent object containing key information specific to the
+ * mechanism, and is expected to be used as an argument to other modules
+ * that use transaction security in a mechanism-independent manner.
+ *
+ * MP:
+ *\li	A TSEC structure is expected to be thread-specific.  No inter-thread
+ *	synchronization is ensured in multiple access to a single TSEC
+ *	structure.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include 
+
+#include 
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Transaction security types.
+ */
+typedef enum {
+	dns_tsectype_none,
+	dns_tsectype_tsig,
+	dns_tsectype_sig0
+} dns_tsectype_t;
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp);
+/*%<
+ * Create a TSEC structure and stores a type-dependent key structure in it.  
+ * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
+ * TSIG key structure from '*key' and keeps it in the structure.  For other
+ * types, this function simply retains '*key' in the structure.  In either
+ * case, the ownership of '*key' is transferred to the TSEC module; the caller
+ * must not modify or destroy it after the call to dns_tsec_create().
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'type' is a valid value of dns_tsectype_t (see above).
+ *
+ *\li	'key' is a valid key.
+ *
+ *\li	tsecp != NULL && *tsecp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp);
+/*%<
+ * Destroy the TSEC structure.  The stored key is also detached or destroyed.
+ *
+ * Requires
+ *
+ *\li	'*tsecp' is a valid TSEC structure.
+ *
+ * Ensures
+ *
+ *\li	*tsecp == NULL.
+ *
+ */
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec);
+/*%<
+ * Return the TSEC type of '*tsec'.
+ *
+ * Requires
+ *
+ *\li	'tsec' is a valid TSEC structure.
+ *
+ */
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp);
+/*%<
+ * Return the TSEC key of '*tsec' in '*keyp'.
+ *
+ * Requires
+ *
+ *\li	keyp != NULL
+ *
+ * Ensures
+ *
+ *\li	*tsecp points to a valid key structure depending on the TSEC type.
+ */
+
+#endif /* DNS_TSEC_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 2e100d317e..79be222e10 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.135 2009/07/19 04:18:05 each Exp $ */
+/* $Id: types.h,v 1.136 2009/09/01 00:22:27 jinmei Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -44,6 +44,10 @@ typedef struct dns_adbentry			dns_adbentry_t;
 typedef struct dns_adbfind			dns_adbfind_t;
 typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
 typedef struct dns_byaddr			dns_byaddr_t;
+typedef struct dns_client			dns_client_t;
+typedef void					dns_clientrestrans_t;
+typedef void					dns_clientreqtrans_t;
+typedef void					dns_clientupdatetrans_t;
 typedef struct dns_cache			dns_cache_t;
 typedef isc_uint16_t				dns_cert_t;
 typedef struct dns_compress			dns_compress_t;
@@ -114,6 +118,7 @@ typedef struct dns_stats			dns_stats_t;
 typedef isc_uint32_t				dns_rdatastatstype_t;
 typedef struct dns_tkeyctx			dns_tkeyctx_t;
 typedef isc_uint16_t				dns_trust_t;
+typedef struct dns_tsec				dns_tsec_t;
 typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
 typedef struct dns_tsigkey			dns_tsigkey_t;
 typedef isc_uint32_t				dns_ttl_t;
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index 6f98b5374e..becc19d1b5 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: lib.c,v 1.17 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -23,11 +23,20 @@
 
 #include 
 
-#include 
+#include 
+#include 
 #include 
+#include 
+#include 
 #include 
 
+#include 
+#include 
 #include 
+#include 
+
+#include 
+
 
 /***
  *** Globals
@@ -63,3 +72,97 @@ dns_lib_initmsgcat(void) {
 
 	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
 }
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_mem_t *dns_g_mctx = NULL;
+#ifndef BIND9
+static dns_dbimplementation_t *dbimp = NULL;
+#endif
+static isc_boolean_t initialize_done = ISC_FALSE;
+static isc_mutex_t reflock;
+static unsigned int references = 0;
+
+static void
+initialize() {
+	isc_result_t result;
+
+	REQUIRE(initialize_done == ISC_FALSE);
+
+	result = isc_mem_create(0, 0, &dns_g_mctx);
+	if (result != ISC_R_SUCCESS)
+		return;
+	dns_result_register();
+#ifndef BIND9
+	result = dns_ecdb_register(dns_g_mctx, &dbimp);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mctx;
+#endif
+	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_db;
+
+	result = dst_lib_init(dns_g_mctx, NULL, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_hash;
+
+	result = isc_mutex_init(&reflock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_dst;
+
+	initialize_done = ISC_TRUE;
+	return;
+
+  cleanup_dst:
+	dst_lib_destroy();
+  cleanup_hash:
+	isc_hash_destroy();
+  cleanup_db:
+#ifndef BIND9
+	dns_ecdb_unregister(&dbimp);
+  cleanup_mctx:
+#endif
+	isc_mem_detach(&dns_g_mctx);
+}
+
+isc_result_t
+dns_lib_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Since this routine is expected to be used by a normal application,
+	 * it should be better to return an error, instead of an emergency
+	 * abort, on any failure.
+	 */
+	result = isc_once_do(&init_once, initialize);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!initialize_done)
+		return (ISC_R_FAILURE);
+
+	LOCK(&reflock);
+	references++;
+	UNLOCK(&reflock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_lib_shutdown(void) {
+	isc_boolean_t cleanup_ok = ISC_FALSE;
+
+	LOCK(&reflock);
+	if (--references == 0)
+		cleanup_ok = ISC_TRUE;
+	UNLOCK(&reflock);
+
+	if (!cleanup_ok)
+		return;
+
+	dst_lib_destroy();
+	isc_hash_destroy();
+#ifndef BIND9
+	dns_ecdb_unregister(&dbimp);
+#endif
+	isc_mem_detach(&dns_g_mctx);
+}
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 35543520ba..49e2985c2c 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.177 2009/06/30 02:52:32 each Exp $ */
+/* $Id: master.c,v 1.178 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -1382,7 +1382,7 @@ load_text(dns_loadctx_t *lctx) {
 			isc_buffer_setactive(&buffer,
 					     token.value.as_region.length);
 			result = dns_name_fromtext(new_name, &buffer,
-					  ictx->origin, ISC_FALSE, NULL);
+					  ictx->origin, 0, NULL);
 			if (MANYERRS(lctx, result)) {
 				SETRESULT(lctx, result);
 				LOGIT(result);
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index ce9496279a..a451d98dfd 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.97 2009/01/17 23:47:42 tbox Exp $ */
+/* $Id: masterdump.c,v 1.98 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -162,6 +162,7 @@ static char spaces[N_SPACES+1] = "          ";
 #define N_TABS 10
 static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
 
+#ifdef BIND9
 struct dns_dumpctx {
 	unsigned int		magic;
 	isc_mem_t		*mctx;
@@ -189,6 +190,7 @@ struct dns_dumpctx {
 					    dns_totext_ctx_t *ctx,
 					    isc_buffer_t *buffer, FILE *f);
 };
+#endif /* BIND9 */
 
 #define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 
@@ -698,6 +700,7 @@ dns_master_questiontotext(dns_name_t *owner_name,
 				ISC_FALSE, target));
 }
 
+#ifdef BIND9
 /*
  * Print an rdataset.  'buffer' is a scratch buffer, which must have been
  * dynamically allocated by the caller.  It must be large enough to
@@ -1775,6 +1778,7 @@ dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 
 	return (result);
 }
+#endif /* BIND9 */
 
 isc_result_t
 dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
diff --git a/lib/dns/name.c b/lib/dns/name.c
index c5c374042d..1102ea166a 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.167 2009/03/11 23:47:35 tbox Exp $ */
+/* $Id: name.c,v 1.168 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -1019,6 +1019,31 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r) {
 	DNS_NAME_TOREGION(name, r);
 }
 
+isc_result_t
+dns_name_fromstr(dns_name_t *name, const char *source, const char *origin,
+		 unsigned int options, isc_buffer_t *target)
+{
+	dns_name_t *o;
+	dns_fixedname_t fixed;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	REQUIRE(source != NULL);
+	if (origin != NULL) {
+		isc_buffer_init(&b, origin, strlen(origin));
+		isc_buffer_add(&b, strlen(origin));
+		dns_fixedname_init(&fixed);
+		o = dns_fixedname_name(&fixed);
+		result = dns_name_fromtext(o, &b, dns_rootname, options, NULL);
+		if (result != ISC_R_SUCCESS)
+			return(result);
+	} else
+		o = dns_rootname;
+	
+	isc_buffer_init(&b, source, strlen(source));
+	isc_buffer_add(&b, strlen(source));
+	return (dns_name_fromtext(name, &b, o, options, target));
+}
 
 isc_result_t
 dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
@@ -2385,7 +2410,7 @@ dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx) {
 	dns_fixedname_init(&fn);
 	name = dns_fixedname_name(&fn);
 
-	result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 12474cb822..d83b253c6f 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.31 2008/04/03 06:09:04 tbox Exp $ */
+/* $Id: peer.c,v 1.32 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -536,7 +536,7 @@ dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
 	isc_buffer_init(&b, keyval, strlen(keyval));
 	isc_buffer_add(&b, strlen(keyval));
 	result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index bcd01a1e61..0bbf3d9c97 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.277 2009/07/13 07:02:46 marka Exp $ */
+/* $Id: rbtdb.c,v 1.278 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -625,8 +625,10 @@ typedef struct rbtdb_dbiterator {
 static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
 		       isc_event_t *event);
 static void overmem(dns_db_t *db, isc_boolean_t overmem);
+#ifdef BIND9
 static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 			       isc_boolean_t *nsec3createflag);
+#endif
 
 /*%
  * 'init_count' is used to initialize 'newheader->count' which inturn
@@ -1925,6 +1927,13 @@ cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
 
 static void
 iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
+#ifndef BIND9
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(origin);
+
+	return;
+#else
 	dns_rdataset_t keyset;
 	dns_rdataset_t nsecset, signsecset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -1988,12 +1997,14 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 		version->secure = dns_db_partial;
 	else
 		version->secure = dns_db_insecure;
+#endif
 }
 
 /*%<
  * Walk the origin node looking for NSEC3PARAM records.
  * Cache the nsec3 parameters.
  */
+#ifdef BIND9
 static void
 setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 		   isc_boolean_t *nsec3createflag)
@@ -2098,6 +2109,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 		    isc_rwlocktype_read);
 	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 }
+#endif
 
 static void
 closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
@@ -6505,9 +6517,17 @@ dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
+#ifdef BIND9
 	return (dns_master_dump2(rbtdb->common.mctx, db, version,
 				 &dns_master_style_default,
 				 filename, masterformat));
+#else
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif /* BIND9 */
 }
 
 static void
@@ -8089,6 +8109,21 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 		       dns_name_t *fname, dns_message_t *msg,
 		       isc_stdtime_t now)
 {
+#ifndef BIND9
+	UNUSED(rdataset);
+	UNUSED(type);
+	UNUSED(qtype);
+	UNUSED(acache);
+	UNUSED(zonep);
+	UNUSED(dbp);
+	UNUSED(versionp);
+	UNUSED(nodep);
+	UNUSED(fname);
+	UNUSED(msg);
+	UNUSED(now);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#else
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
 	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
@@ -8205,8 +8240,10 @@ acache_callback(dns_acacheentry_t *entry, void **arg) {
 	dns_db_detach((dns_db_t **)(void*)&rbtdb);
 
 	*arg = NULL;
+#endif /* BIND9 */
 }
 
+#ifdef BIND9
 static void
 acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
 		      acache_cbarg_t **cbargp)
@@ -8227,6 +8264,7 @@ acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
 
 	*cbargp = NULL;
 }
+#endif /* BIND9 */
 
 static isc_result_t
 rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
@@ -8235,6 +8273,19 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 		       dns_dbversion_t *version, dns_dbnode_t *node,
 		       dns_name_t *fname)
 {
+#ifndef BIND9
+	UNUSED(rdataset);
+	UNUSED(type);
+	UNUSED(qtype);
+	UNUSED(acache);
+	UNUSED(zone);
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(node);
+	UNUSED(fname);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#else
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
 	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
@@ -8358,12 +8409,21 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 	}
 
 	return (result);
+#endif
 }
 
 static isc_result_t
 rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 		       dns_rdatasetadditional_t type, dns_rdatatype_t qtype)
 {
+#ifndef BIND9
+	UNUSED(acache);
+	UNUSED(rdataset);
+	UNUSED(type);
+	UNUSED(qtype);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#else
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
 	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
@@ -8428,6 +8488,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 	}
 
 	return (ISC_R_SUCCESS);
+#endif
 }
 
 /*%
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 032c3d8ccd..5f8f0d6198 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.200 2008/12/12 04:37:23 marka Exp $ */
+/* $Id: rdata.c,v 1.201 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -1767,3 +1768,93 @@ dns_rdatatype_isknown(dns_rdatatype_t type) {
 		return (ISC_TRUE);
 	return (ISC_FALSE);
 }
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata) {
+	REQUIRE(rdata != NULL);
+
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	switch (section) {
+	case DNS_SECTION_PREREQUISITE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain doesn't exist");
+			default:
+				return ("rrset doesn't exist");
+			}
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain exists");
+			default:
+				return ("rrset exists (value independent)");
+			}
+		default:
+			return ("rrset exists (value dependent)");
+		}
+	case DNS_SECTION_UPDATE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			return ("delete");
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("delete all rrsets");
+			default:
+				return ("delete rrset");
+			}
+		default:
+			return ("add");
+		}
+	}
+	return ("invalid");
+}
diff --git a/lib/dns/request.c b/lib/dns/request.c
index d0637ad688..ba19154b15 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.84 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: request.c,v 1.85 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -449,7 +449,8 @@ req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
 }
 
 static isc_result_t
-new_request(isc_mem_t *mctx, dns_request_t **requestp) {
+new_request(isc_mem_t *mctx, dns_request_t **requestp)
+{
 	dns_request_t *request;
 
 	request = isc_mem_get(mctx, sizeof(*request));
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 3bec9adb05..4cfc737e00 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.404 2009/08/13 04:33:51 marka Exp $ */
+/* $Id: resolver.c,v 1.405 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -1013,6 +1013,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
 		ISC_LIST_UNLINK(fctx->events, event, ev_link);
 		task = event->ev_sender;
 		event->ev_sender = fctx;
+		event->vresult = fctx->vresult;
 		if (!HAVE_ANSWER(fctx))
 			event->result = result;
 
@@ -3889,6 +3890,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
 
 	vevent = (dns_validatorevent_t *)event;
+	fctx->vresult = vevent->result;
 
 	FCTXTRACE("received validation completion event");
 
@@ -7151,6 +7153,7 @@ dns_resolver_create(dns_view_t *view,
 	return (result);
 }
 
+#ifdef BIND9
 static void
 prime_done(isc_task_t *task, isc_event_t *event) {
 	dns_resolver_t *res;
@@ -7256,6 +7259,7 @@ dns_resolver_prime(dns_resolver_t *res) {
 		}
 	}
 }
+#endif /* BIND9 */
 
 void
 dns_resolver_freeze(dns_resolver_t *res) {
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 6dc02f351a..34c3455d06 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.69 2009/06/26 06:21:02 marka Exp $ */
+/* $Id: sdb.c,v 1.70 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -450,7 +450,7 @@ getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
 	isc_buffer_init(&b, name, strlen(name));
 	isc_buffer_add(&b, strlen(name));
 
-	result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index 176470d875..2138e38eb8 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.c,v 1.21 2009/06/26 06:21:03 marka Exp $ */
+/* $Id: sdlz.c,v 1.22 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -1620,7 +1620,7 @@ dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
 	isc_buffer_init(&b, name, strlen(name));
 	isc_buffer_add(&b, strlen(name));
 
-	result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 9e59dfaf8e..5d6d5484cf 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.90 2008/04/03 00:45:23 marka Exp $
+ * $Id: tkey.c,v 1.91 2009/09/01 00:22:26 jinmei Exp $
  */
 /*! \file */
 #include 
@@ -724,8 +724,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 			}
 			isc_buffer_init(&b, randomtext, sizeof(randomtext));
 			isc_buffer_add(&b, sizeof(randomtext));
-			result = dns_name_fromtext(keyname, &b, NULL,
-						   ISC_FALSE, NULL);
+			result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
 			if (result != ISC_R_SUCCESS)
 				goto failure;
 		}
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
new file mode 100644
index 0000000000..dbd0b85cb8
--- /dev/null
+++ b/lib/dns/tsec.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsec.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+
+#define DNS_TSEC_MAGIC			ISC_MAGIC('T', 's', 'e', 'c')
+#define DNS_TSEC_VALID(t)		ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
+
+/*%
+ * DNS Transaction Security object.  We assume this is not shared by
+ * multiple threads, and so the structure does not contain a lock.
+ */
+struct dns_tsec {
+	unsigned int		magic;
+	dns_tsectype_t		type;
+	isc_mem_t		*mctx;
+	union {
+		dns_tsigkey_t	*tsigkey;
+		dst_key_t	*key;
+	} ukey;
+};
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp)
+{
+	isc_result_t result;
+	dns_tsec_t *tsec;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_name_t *algname;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(tsecp != NULL && *tsecp == NULL);
+
+	tsec = isc_mem_get(mctx, sizeof(*tsec));
+	if (tsec == NULL)
+		return (ISC_R_NOMEMORY);
+
+	tsec->type = type;
+	tsec->mctx = mctx;
+
+	switch (type) {
+	case dns_tsectype_tsig:
+		switch (dst_key_alg(key)) {
+		case DST_ALG_HMACMD5:
+			algname = dns_tsig_hmacmd5_name;
+			break;
+		case DST_ALG_HMACSHA1:
+			algname = dns_tsig_hmacsha1_name;
+			break;
+		case DST_ALG_HMACSHA224:
+			algname = dns_tsig_hmacsha224_name;
+			break;
+		case DST_ALG_HMACSHA256:
+			algname = dns_tsig_hmacsha256_name;
+			break;
+		case DST_ALG_HMACSHA384:
+			algname = dns_tsig_hmacsha384_name;
+			break;
+		case DST_ALG_HMACSHA512:
+			algname = dns_tsig_hmacsha512_name;
+			break;			
+		default:
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (DNS_R_BADALG);
+		}
+		result = dns_tsigkey_createfromkey(dst_key_name(key),
+						   algname, key, ISC_FALSE,
+						   NULL, 0, 0, mctx, NULL,
+						   &tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (result);
+		}
+		tsec->ukey.tsigkey = tsigkey;
+		break;
+	case dns_tsectype_sig0:
+		tsec->ukey.key = key;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	tsec->magic = DNS_TSEC_MAGIC;
+
+	*tsecp = tsec;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp) {
+	dns_tsec_t *tsec;
+
+	REQUIRE(tsecp != NULL && *tsecp != NULL);
+	tsec = *tsecp;
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_detach(&tsec->ukey.tsigkey);
+		break;
+	case dns_tsectype_sig0:
+		dst_key_free(&tsec->ukey.key);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	tsec->magic = 0;
+	isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
+
+	*tsecp = NULL;
+}
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	return (tsec->type);
+}
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+	REQUIRE(keyp != NULL);
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
+		break;
+	case dns_tsectype_sig0:
+		*(dst_key_t **)keyp = tsec->ukey.key;
+		break;
+	default:
+		INSIST(0);
+	}
+}
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 57dc617472..0c477c3656 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.155 2009/06/30 02:52:32 each Exp $ */
+/* $Id: view.c,v 1.156 2009/09/01 00:22:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -86,6 +86,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_name;
 
+#ifdef BIND9
 	view->zonetable = NULL;
 	result = dns_zt_create(mctx, rdclass, &view->zonetable);
 	if (result != ISC_R_SUCCESS) {
@@ -95,6 +96,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		result = ISC_R_UNEXPECTED;
 		goto cleanup_mutex;
 	}
+#endif
 	view->secroots = NULL;
 	view->fwdtable = NULL;
 	result = dns_fwdtable_create(mctx, &view->fwdtable);
@@ -177,9 +179,11 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->maxudp = 0;
 	dns_fixedname_init(&view->dlv_fixed);
 
+#ifdef BIND9
 	result = dns_order_create(view->mctx, &view->order);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dynkeys;
+#endif
 
 	result = dns_peerlist_new(view->mctx, &view->peers);
 	if (result != ISC_R_SUCCESS)
@@ -209,9 +213,11 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	dns_peerlist_detach(&view->peers);
 
  cleanup_order:
+#ifdef BIND9
 	dns_order_detach(&view->order);
 
  cleanup_dynkeys:
+#endif
 	dns_tsigkeyring_destroy(&view->dynamickeys);
 
  cleanup_references:
@@ -221,9 +227,11 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	dns_fwdtable_destroy(&view->fwdtable);
 
  cleanup_zt:
+#ifdef BIND9
 	dns_zt_detach(&view->zonetable);
 
  cleanup_mutex:
+#endif
 	DESTROYLOCK(&view->lock);
 
  cleanup_name:
@@ -244,8 +252,10 @@ destroy(dns_view_t *view) {
 	REQUIRE(ADBSHUTDOWN(view));
 	REQUIRE(REQSHUTDOWN(view));
 
+#ifdef BIND9
 	if (view->order != NULL)
 		dns_order_detach(&view->order);
+#endif
 	if (view->peers != NULL)
 		dns_peerlist_detach(&view->peers);
 	if (view->dynamickeys != NULL)
@@ -256,11 +266,13 @@ destroy(dns_view_t *view) {
 		dns_adb_detach(&view->adb);
 	if (view->resolver != NULL)
 		dns_resolver_detach(&view->resolver);
+#ifdef BIND9
 	if (view->acache != NULL) {
 		if (view->cachedb != NULL)
 			dns_acache_putdb(view->acache, view->cachedb);
 		dns_acache_detach(&view->acache);
 	}
+#endif
 	if (view->requestmgr != NULL)
 		dns_requestmgr_detach(&view->requestmgr);
 	if (view->task != NULL)
@@ -399,12 +411,14 @@ view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
 			dns_adb_shutdown(view->adb);
 		if (!REQSHUTDOWN(view))
 			dns_requestmgr_shutdown(view->requestmgr);
+#ifdef BIND9
 		if (view->acache != NULL)
 			dns_acache_shutdown(view->acache);
 		if (view->flush)
 			dns_zt_flushanddetach(&view->zonetable);
 		else
 			dns_zt_detach(&view->zonetable);
+#endif
 		done = all_done(view);
 		UNLOCK(&view->lock);
 	}
@@ -425,6 +439,7 @@ dns_view_detach(dns_view_t **viewp) {
 	view_flushanddetach(viewp, ISC_FALSE);
 }
 
+#ifdef BIND9
 static isc_result_t
 dialup(dns_zone_t *zone, void *dummy) {
 	UNUSED(dummy);
@@ -437,6 +452,7 @@ dns_view_dialup(dns_view_t *view) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	(void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
 }
+#endif
 
 void
 dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
@@ -628,8 +644,10 @@ dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared) {
 
 	view->cacheshared = shared;
 	if (view->cache != NULL) {
+#ifdef BIND9
 		if (view->acache != NULL)
 			dns_acache_putdb(view->acache, view->cachedb);
+#endif
 		dns_db_detach(&view->cachedb);
 		dns_cache_detach(&view->cache);
 	}
@@ -637,8 +655,10 @@ dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared) {
 	dns_cache_attachdb(cache, &view->cachedb);
 	INSIST(DNS_DB_VALID(view->cachedb));
 
+#ifdef BIND9
 	if (view->acache != NULL)
 		dns_acache_setdb(view->acache, view->cachedb);
+#endif
 }
 
 isc_boolean_t
@@ -673,6 +693,7 @@ dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
 	view->dstport = dstport;
 }
 
+#ifdef BIND9
 isc_result_t
 dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
 	isc_result_t result;
@@ -684,6 +705,7 @@ dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
 
 	return (result);
 }
+#endif
 
 void
 dns_view_freeze(dns_view_t *view) {
@@ -697,6 +719,7 @@ dns_view_freeze(dns_view_t *view) {
 	view->frozen = ISC_TRUE;
 }
 
+#ifdef BIND9
 isc_result_t
 dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
 	isc_result_t result;
@@ -711,6 +734,7 @@ dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
 
 	return (result);
 }
+#endif
 
 isc_result_t
 dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
@@ -725,6 +749,10 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	dns_rdataset_t zrdataset, zsigrdataset;
 	dns_zone_t *zone;
 
+#ifndef BIND9
+	UNUSED(use_hints);
+#endif
+
 	/*
 	 * Find an rdataset whose owner name is 'name', and whose type is
 	 * 'type'.
@@ -750,6 +778,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	zone = NULL;
 	db = NULL;
 	node = NULL;
+#ifdef BIND9
 	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 		result = dns_zone_getdb(zone, &db);
@@ -759,6 +788,11 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			goto cleanup;
 	} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
 		dns_db_attach(view->cachedb, &db);
+#else
+	result = ISC_R_NOTFOUND;
+	if (view->cachedb != NULL)
+		dns_db_attach(view->cachedb, &db);
+#endif /* BIND9 */
 	else
 		goto cleanup;
 
@@ -841,6 +875,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		result = ISC_R_SUCCESS;
 	}
 
+#ifdef BIND9
 	if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
 		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
@@ -875,6 +910,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		if (db == NULL && node != NULL)
 			dns_db_detachnode(view->hints, &node);
 	}
+#endif /* BIND9 */
 
  cleanup:
 	if (dns_rdataset_isassociated(&zrdataset)) {
@@ -903,8 +939,10 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	} else
 		INSIST(node == NULL);
 
+#ifdef BIND9
 	if (zone != NULL)
 		dns_zone_detach(&zone);
+#endif
 
 	return (result);
 }
@@ -997,9 +1035,13 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 	/*
 	 * Find the right database.
 	 */
+#ifdef BIND9
 	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
+#else
+	result = ISC_R_NOTFOUND;
+#endif
 	if (result == ISC_R_NOTFOUND) {
 		/*
 		 * We're not directly authoritative for this query name, nor
@@ -1131,8 +1173,10 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 	}
 	if (db != NULL)
 		dns_db_detach(&db);
+#ifdef BIND9
 	if (zone != NULL)
 		dns_zone_detach(&zone);
+#endif
 
 	return (result);
 }
@@ -1159,6 +1203,7 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
 	return (ISC_R_SUCCESS);
 }
 
+#ifdef BIND9
 isc_result_t
 dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
 		      isc_boolean_t allclasses, dns_rdataclass_t rdclass,
@@ -1223,6 +1268,7 @@ dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) {
 
 	return (dns_zt_loadnew(view->zonetable, stop));
 }
+#endif /* BIND9 */
 
 isc_result_t
 dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
@@ -1266,6 +1312,7 @@ dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
 				view->dynamickeys));
 }
 
+#ifdef BIND9
 isc_result_t
 dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
 	isc_result_t result;
@@ -1280,6 +1327,7 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
 	dns_adb_dump(view->adb, fp);
 	return (ISC_R_SUCCESS);
 }
+#endif
 
 isc_result_t
 dns_view_flushcache(dns_view_t *view) {
@@ -1299,12 +1347,16 @@ dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly) {
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
+#ifdef BIND9
 	if (view->acache != NULL)
 		dns_acache_putdb(view->acache, view->cachedb);
+#endif
 	dns_db_detach(&view->cachedb);
 	dns_cache_attachdb(view->cache, &view->cachedb);
+#ifdef BIND9
 	if (view->acache != NULL)
 		dns_acache_setdb(view->acache, view->cachedb);
+#endif
 
 	dns_adb_flush(view->adb);
 	return (ISC_R_SUCCESS);
@@ -1436,11 +1488,13 @@ dns_view_getrootdelonly(dns_view_t *view) {
 	return (view->rootdelonly);
 }
 
+#ifdef BIND9
 isc_result_t
 dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	return (dns_zt_freezezones(view->zonetable, value));
 }
+#endif
 
 void
 dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
diff --git a/lib/export/Makefile.in b/lib/export/Makefile.in
new file mode 100644
index 0000000000..5bbc93f400
--- /dev/null
+++ b/lib/export/Makefile.in
@@ -0,0 +1,27 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS =	isc dns isccfg irs samples
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
new file mode 100644
index 0000000000..3942ef156d
--- /dev/null
+++ b/lib/export/dns/Makefile.in
@@ -0,0 +1,172 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/dns
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+@BIND9_VERSION@
+
+@LIBDNS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
+		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+
+CWARNINGS =
+
+ISCLIBS =	../isc/libisc.@A@
+
+ISCDEPLIBS =	../isc/libisc.@A@
+
+LIBS =		@LIBS@
+
+# Alphabetically
+DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
+		openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+		opensslrsa_link.@O@
+
+DNSOBJS =	acl.@O@ adb.@O@ byaddr.@O@ \
+		cache.@O@ callbacks.@O@ client.@O@ compress.@O@ \
+		db.@O@ dbiterator.@O@ diff.@O@ dispatch.@O@ dlz.@O@ dnssec.@O@ \
+		ds.@O@ \
+		forward.@O@ iptable.@O@ \
+		keytable.@O@ \
+		lib.@O@ log.@O@ \
+		master.@O@ masterdump.@O@ message.@O@ \
+		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ \
+		peer.@O@ portlist.@O@ \
+		rbt.@O@ rbtdb.@O@ rcode.@O@ rdata.@O@ \
+		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+		request.@O@ resolver.@O@ result.@O@ soa.@O@ stats.@O@ \
+		tcpmsg.@O@ time.@O@ tsec.@O@ tsig.@O@ ttl.@O@ \
+		validator.@O@ version.@O@ view.@O@
+PORTDNSOBJS =	ecdb.@O@
+
+OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS}
+
+# Alphabetically
+DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
+		dst_result.c gssapi_link.c gssapictx.c \
+		hmac_link.c key.c \
+		openssl_link.c openssldh_link.c \
+		openssldsa_link.c opensslrsa_link.c
+
+DNSSRCS =	acl.c adb.c byaddr.c \
+		cache.c callbacks.c client.c compress.c \
+		db.c dbiterator.c diff.c dispatch.c dlz.c dnssec.c ds.c \
+		forward.c iptable.c \
+		keytable.c \
+		lib.c log.c \
+		master.c masterdump.c message.c \
+		name.c ncache.c nsec.c nsec3.c \
+		peer.c portlist.c \
+		rbt.c rbtdb.c rcode.c rdata.c \
+		rdatalist.c rdataset.c rdatasetiter.c rdataslab.c \
+		request.c res.c resolver.c result.c soa.c stats.c \
+		tcpmsg.c time.c tsec.c tsig.c ttl.c \
+		validator.c version.c view.c
+PORTDNSSRCS =	ecdb.c
+
+SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS}
+
+SUBDIRS =	include
+TARGETS =	include/dns/enumtype.h include/dns/enumclass.h \
+		include/dns/rdatastruct.h timestamp
+
+DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
+		-s ${srcdir} -d >> Makefile ;
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libdns.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libdns.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
+		-rpath ${export_libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+timestamp: libdns.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
+	${DESTDIR}${export_libdir}
+
+clean distclean::
+	rm -f libdns.@A@ timestamp
+	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+
+newrr::
+	rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+
+include: include/dns/enumtype.h include/dns/enumclass.h \
+	include/dns/rdatastruct.h
+
+rdata.@O@: code.h
+
+include/dns/enumtype.h: gen
+	./gen -s ${srcdir} -t > $@
+
+include/dns/enumclass.h: gen
+	./gen -s ${srcdir} -c > $@
+
+include/dns/rdatastruct.h: gen \
+		${srcdir}/rdata/rdatastructpre.h \
+		${srcdir}/rdata/rdatastructsuf.h
+	./gen -s ${srcdir} -i \
+		-P ${srcdir}/rdata/rdatastructpre.h \
+		-S ${srcdir}/rdata/rdatastructsuf.h > $@
+
+code.h:	gen
+	./gen -s ${srcdir} > code.h
+
+gen: ${srcdir}/gen.c
+	${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
+
+#We don't need rbtdb64 for this library
+#rbtdb64.@O@: rbtdb.c
+
+depend: include/dns/enumtype.h include/dns/enumclass.h \
+	include/dns/rdatastruct.h code.h
+subdirs: include/dns/enumtype.h include/dns/enumclass.h \
+	include/dns/rdatastruct.h code.h
+${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
+	include/dns/rdatastruct.h
diff --git a/lib/export/dns/include/Makefile.in b/lib/export/dns/include/Makefile.in
new file mode 100644
index 0000000000..d28e14a1cc
--- /dev/null
+++ b/lib/export/dns/include/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	dns dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/dns/include/dns/Makefile.in b/lib/export/dns/include/dns/Makefile.in
new file mode 100644
index 0000000000..13486159a1
--- /dev/null
+++ b/lib/export/dns/include/dns/Makefile.in
@@ -0,0 +1,56 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	acl.h adb.h byaddr.h \
+		cache.h callbacks.h cert.h client.h compress.h \
+		db.h dbiterator.h diff.h dispatch.h dlz.h dnssec.h \
+		ds.h events.h fixedname.h ecdb.h \
+		forward.h iptable.h \
+		keytable.h keyvalues.h \
+		lib.h log.h \
+		master.h masterdump.h message.h \
+		name.h ncache.h nsec.h nsec3.h \
+		peer.h portlist.h \
+		rbt.h rbtdb.h rcode.h rdata.h rdataclass.h \
+		rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \
+		request.h resolver.h result.h \
+		secalg.h secproto.h soa.h stats.h \
+		tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \
+		validator.h version.h view.h
+
+GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dns
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dns/$$i \
+		${DESTDIR}${export_includedir}/dns ; \
+	done
+	for i in ${GENHEADERS}; do \
+		${INSTALL_DATA} $$i ${DESTDIR}${export_includedir}/dns ; \
+	done
diff --git a/lib/export/dns/include/dst/Makefile.in b/lib/export/dns/include/dst/Makefile.in
new file mode 100644
index 0000000000..c1d1340c6c
--- /dev/null
+++ b/lib/export/dns/include/dst/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	dst.h gssapi.h lib.h result.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dst
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dst/$$i \
+		${DESTDIR}${export_includedir}/dst ; \
+	done
diff --git a/lib/export/irs/Makefile.in b/lib/export/irs/Makefile.in
new file mode 100644
index 0000000000..91925c9ba3
--- /dev/null
+++ b/lib/export/irs/Makefile.in
@@ -0,0 +1,85 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/irs
+
+@BIND9_VERSION@
+
+@LIBIRS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I./include -I${srcdir}/include \
+		${ISCCFG_INCLUDES} -I../dns/include ${DNS_INCLUDES} \
+		${ISC_INCLUDES}
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		context.@O@ \
+		dnsconf.@O@ \
+		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+		resconf.@O@
+
+# Alphabetically
+SRCS =		context.c \
+		dnsconf.c \
+		gai_sterror.c getaddrinfo.c getnameinfo.c \
+		resconf.c
+
+ISCLIBS =	../isc/libisc.@A@
+DNSLIBS =	../dns/libdns.@A@
+ISCCFGLIBS =	../isccfg/libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+TARGETS =	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+	${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
+		-rpath ${export_libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
+
+timestamp: libirs.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
+	${DESTDIR}${export_libdir}
+
+clean distclean::
+	rm -f libirs.@A@ libirs.la timestamp
diff --git a/lib/export/irs/include/Makefile.in b/lib/export/irs/include/Makefile.in
new file mode 100644
index 0000000000..6fad286ea9
--- /dev/null
+++ b/lib/export/irs/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/irs/include/irs/Makefile.in b/lib/export/irs/include/irs/Makefile.in
new file mode 100644
index 0000000000..334b355de8
--- /dev/null
+++ b/lib/export/irs/include/irs/Makefile.in
@@ -0,0 +1,46 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	context.h dnsconf.h resconf.h types.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/$$i \
+		${DESTDIR}${export_includedir}/irs ; \
+	done
+	${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/netdb.h \
+	${DESTDIR}${export_includedir}/irs
+	${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/platform.h \
+	${DESTDIR}${export_includedir}/irs
+
+distclean::
+	rm -f netdb.h platform.h
diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in
new file mode 100644
index 0000000000..30531b4f9c
--- /dev/null
+++ b/lib/export/isc/Makefile.in
@@ -0,0 +1,136 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc
+
+@BIND9_VERSION@
+
+@LIBISC_API@
+
+CINCLUDES =	-I${srcdir}/unix/include \
+		-I${srcdir}/@ISC_THREAD_DIR@/include \
+		-I${srcdir}/@ISC_ARCH_DIR@/include \
+		-I${srcdir}/include @ISC_OPENSSL_INC@
+CDEFINES =	@USE_OPENSSL@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \
+		-DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \
+		-DUSE_TIMERIMPREGISTER
+CWARNINGS =
+
+# Alphabetically
+# {file,dir}.c is necessary for isclog
+# symtab.c is necessary for isccfg
+APIOBJS =	app_api.@O@ mem_api.@O@ socket_api.@O@ \
+		task_api.@O@ timer_api.@O@
+
+ISCDRIVEROBJS =	mem.@O@ unix/socket.@O@ task.@O@ timer.@O@ lib.@O@ \
+		heap.@O@	#timer module depends on this
+
+UNIXOBJS =	@ISC_ISCIPV6_O@ \
+		unix/app.@O@ \
+		unix/dir.@O@ \
+		unix/errno2result.@O@ \
+		unix/file.@O@ \
+		unix/fsaccess.@O@ \
+		unix/stdio.@O@ \
+		unix/stdtime.@O@ unix/strerror.@O@ unix/time.@O@
+
+NLSOBJS =	nls/msgcat.@O@
+
+THREADOBJS =	@ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
+		@ISC_THREAD_DIR@/thread.@O@
+
+WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
+		win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
+		win32/thread.@O@ win32/time.@O@
+
+# Alphabetically
+OBJS =		@ISC_EXTRA_OBJS@ \
+		assertions.@O@ base32.@O@ \
+		base64.@O@ buffer.@O@ bufferlist.@O@ \
+		error.@O@ event.@O@ \
+		hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+		inet_aton.@O@ iterated_hash.@O@ lex.@O@ lfsr.@O@ log.@O@ \
+		md5.@O@ mutexblock.@O@ \
+		netaddr.@O@ netscope.@O@ \
+		ondestroy.@O@ \
+		parseint.@O@ portset.@O@ radix.@O@ \
+		random.@O@ refcount.@O@ region.@O@ result.@O@ rwlock.@O@ \
+		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ string.@O@ \
+		symtab.@O@ \
+		version.@O@ \
+		${APIOBJS} ${ISCDRIVEROBJS} \
+		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+
+# Alphabetically
+APISRCS =	app_api.c mem_api.c socket_api.c \
+		task_api.c timer_api.c
+
+ISCDRIVERSRCS =	mem.c task.c lib.c timer.c heap.c
+
+SRCS =		@ISC_EXTRA_SRCS@ \
+		assertions.c base32.c \
+		base64.c buffer.c bufferlist.c \
+		error.c event.c \
+		hash.c hex.c hmacmd5.c hmacsha.c \
+		inet_aton.c iterated_hash.c lex.c log.c lfsr.c \
+		md5.c mutexblock.c \
+		netaddr.c netscope.c \
+		ondestroy.c \
+		parseint.c portset.c radix.c \
+		random.c refcount.c region.c result.c rwlock.c \
+		serial.c sha1.c sha2.c sockaddr.c stats.c string.c symtab.c \
+		version.c \
+		${APISRCS} ${ISCDRIVERSRCS}
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include unix nls @ISC_THREAD_DIR@
+TARGETS =	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libisc.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisc.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
+		-rpath ${export_libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${LIBS}
+
+timestamp: libisc.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
+	${DESTDIR}${export_libdir}
+
+clean distclean::
+	rm -f libisc.@A@ libisc.la timestamp
diff --git a/lib/export/isc/include/Makefile.in b/lib/export/isc/include/Makefile.in
new file mode 100644
index 0000000000..4a5e0c6be1
--- /dev/null
+++ b/lib/export/isc/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/include/isc/Makefile.in b/lib/export/isc/include/isc/Makefile.in
new file mode 100644
index 0000000000..1e0ff001ea
--- /dev/null
+++ b/lib/export/isc/include/isc/Makefile.in
@@ -0,0 +1,63 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
+		bufferlist.h commandline.h entropy.h error.h event.h \
+		eventclass.h file.h formatcheck.h fsaccess.h \
+		hash.h heap.h hex.h hmacmd5.h \
+		httpd.h \
+		interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
+		lfsr.h lib.h list.h log.h \
+		magic.h md5.h mem.h msgcat.h msgs.h \
+		mutexblock.h namespace.h netaddr.h ondestroy.h os.h parseint.h \
+		print.h quota.h radix.h random.h ratelimiter.h \
+		refcount.h region.h resource.h \
+		result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
+		sockaddr.h socket.h stdio.h stdlib.h string.h \
+		symtab.h \
+	        task.h taskpool.h timer.h types.h util.h version.h \
+		xml.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/$$i \
+		${DESTDIR}${export_includedir}/isc ; \
+	done
+	${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/platform.h \
+	${DESTDIR}${export_includedir}/isc
+	${INSTALL_DATA} ${top_srcdir}/lib/isc/@ISC_ARCH_DIR@/include/isc/atomic.h \
+	${DESTDIR}${export_includedir}/isc
+
+distclean::
+	rm -f platform.h
diff --git a/lib/export/isc/nls/Makefile.in b/lib/export/isc/nls/Makefile.in
new file mode 100644
index 0000000000..e272f369e7
--- /dev/null
+++ b/lib/export/isc/nls/Makefile.in
@@ -0,0 +1,35 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc/nls
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/unix/include \
+		${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		msgcat.@O@
+
+SRCS =		msgcat.c
+
+SUBDIRS =
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/nothreads/Makefile.in b/lib/export/isc/nothreads/Makefile.in
new file mode 100644
index 0000000000..571f429269
--- /dev/null
+++ b/lib/export/isc/nothreads/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc/nothreads
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		condition.@O@ mutex.@O@ thread.@O@
+
+SRCS =		condition.c mutex.c thread.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/nothreads/include/Makefile.in b/lib/export/isc/nothreads/include/Makefile.in
new file mode 100644
index 0000000000..4a5e0c6be1
--- /dev/null
+++ b/lib/export/isc/nothreads/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/nothreads/include/isc/Makefile.in b/lib/export/isc/nothreads/include/isc/Makefile.in
new file mode 100644
index 0000000000..eb25c885bc
--- /dev/null
+++ b/lib/export/isc/nothreads/include/isc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(top_srcdir)/lib/isc/nothreads/include/isc/$$i \
+		${DESTDIR}${export_includedir}/isc ; \
+	done
diff --git a/lib/export/isc/pthreads/Makefile.in b/lib/export/isc/pthreads/Makefile.in
new file mode 100644
index 0000000000..624d44f3ef
--- /dev/null
+++ b/lib/export/isc/pthreads/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc/pthreads
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		condition.@O@ mutex.@O@ thread.@O@
+
+SRCS =		condition.c mutex.c thread.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/pthreads/include/Makefile.in b/lib/export/isc/pthreads/include/Makefile.in
new file mode 100644
index 0000000000..4a5e0c6be1
--- /dev/null
+++ b/lib/export/isc/pthreads/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/pthreads/include/isc/Makefile.in b/lib/export/isc/pthreads/include/isc/Makefile.in
new file mode 100644
index 0000000000..77d5c0774b
--- /dev/null
+++ b/lib/export/isc/pthreads/include/isc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(top_srcdir)/lib/isc/pthreads/include/isc/$$i \
+		${DESTDIR}${export_includedir}/isc ; \
+	done
diff --git a/lib/export/isc/unix/Makefile.in b/lib/export/isc/unix/Makefile.in
new file mode 100644
index 0000000000..ccd60ce3b8
--- /dev/null
+++ b/lib/export/isc/unix/Makefile.in
@@ -0,0 +1,57 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc/unix
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../@ISC_THREAD_DIR@/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =	-DUSE_SOCKETIMPREGISTER -DUSE_APPIMPREGISTER
+
+CWARNINGS =
+
+# Alphabetically
+ISCDRIVEROBJS =	app.@O@ socket.@O@
+
+OBJS =		@ISC_IPV6_O@ \
+		dir.@O@ \
+		errno2result.@O@ \
+		file.@O@ fsaccess.@O@ \
+		stdio.@O@ stdtime.@O@ strerror.@O@ \
+		time.@O@ \
+		${ISCDRIVEROBJS}
+
+# Alphabetically
+ISCDRIVERSRCS =	app.c socket.c
+
+SRCS =		@ISC_IPV6_C@ \
+		dir.c \
+		errno2result.c \
+		file.c fsaccess.c \
+		stdio.c stdtime.c strerror.c \
+		time.c \
+		${ISCDRIVERSRCS}
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/unix/include/Makefile.in b/lib/export/isc/unix/include/Makefile.in
new file mode 100644
index 0000000000..4a5e0c6be1
--- /dev/null
+++ b/lib/export/isc/unix/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isc/unix/include/isc/Makefile.in b/lib/export/isc/unix/include/isc/Makefile.in
new file mode 100644
index 0000000000..f19b8c6576
--- /dev/null
+++ b/lib/export/isc/unix/include/isc/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	dir.h int.h net.h netdb.h offset.h stdtime.h \
+		syslog.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(top_srcdir)/lib/isc/unix/include/isc/$$i \
+		${DESTDIR}${export_includedir}/isc ; \
+	done
diff --git a/lib/export/isccfg/Makefile.in b/lib/export/isccfg/Makefile.in
new file mode 100644
index 0000000000..d4e255dab8
--- /dev/null
+++ b/lib/export/isccfg/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001-2003  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isccfg
+
+@BIND9_VERSION@
+
+@LIBISCCFG_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../isc/libisc.@A@
+DNSLIBS =	../dns/libdns.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		dnsconf.@O@ log.@O@ parser.@O@ version.@O@
+
+# Alphabetically
+SRCS =		dnsconf.c log.c parser.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libisccfg.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisccfg.la: ${OBJS}
+	 ${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
+		-rpath ${export_libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
+
+timestamp: libisccfg.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
+	${DESTDIR}${export_libdir}
+
+clean distclean::
+	rm -f libisccfg.@A@ timestamp
diff --git a/lib/export/isccfg/include/Makefile.in b/lib/export/isccfg/include/Makefile.in
new file mode 100644
index 0000000000..0c3d185381
--- /dev/null
+++ b/lib/export/isccfg/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srdir@
+top_srcdir =	@top_srcdir@
+
+
+SUBDIRS =	isccfg
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/export/isccfg/include/isccfg/Makefile.in b/lib/export/isccfg/include/isccfg/Makefile.in
new file mode 100644
index 0000000000..49a6530c1a
--- /dev/null
+++ b/lib/export/isccfg/include/isccfg/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) 20097  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	cfg.h grammar.h log.h dnsconf.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs \
+	${DESTDIR}${export_includedir}/isccfg
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${top_srcdir}/lib/isccfg/include/isccfg/$$i \
+		${DESTDIR}${export_includedir}/isccfg ; \
+	done
diff --git a/lib/export/samples/Makefile-postinstall.in b/lib/export/samples/Makefile-postinstall.in
new file mode 100644
index 0000000000..6908147641
--- /dev/null
+++ b/lib/export/samples/Makefile-postinstall.in
@@ -0,0 +1,78 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile-postinstall.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+#prefix =	@prefix@
+#exec_prefix =	@exec_prefix@
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	-ldns @DNS_CRYPTO_LIBS@
+ISCLIBS =	-lisc
+ISCCFGLIBS =	-lisccfg
+IRSLIBS =	-lirs
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
+		dlvchecks@EXEEXT@
+
+OBJS =		sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+		sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
+
+SRCS =		sample.c sample-async.c sample-gai.c sample-update.c \
+		sample-request.c nsprobe.c dlvchecks..c
+
+@BIND9_MAKE_RULES@
+
+# The following two may depend on BIND9_MAKE_RULES
+CINCLUDES =	-I@export_includedir@
+LDFLAGS =	-L@export_libdir@
+
+sample@EXEEXT@: sample.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample.@O@ ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	nsprobe.@O@ ${LIBS}
+
+dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dlvchecks.@O@ ${LIBS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/lib/export/samples/Makefile.in b/lib/export/samples/Makefile.in
new file mode 100644
index 0000000000..97e1a7c3a6
--- /dev/null
+++ b/lib/export/samples/Makefile.in
@@ -0,0 +1,96 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I../dns/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES} \
+		-I${top_srcdir}/lib/irs/include
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS =	../isc/libisc.@A@
+ISCCFGLIBS =	../isccfg/libisccfg.@A@
+IRSLIBS =	../irs/libirs.@A@
+
+DNSDEPLIBS =	../dns/libdns.@A@
+ISCDEPLIBS =	../isc/libisc.@A@
+ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
+IRSDEPLIBS =	../irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
+
+OBJS =		sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+		sample-request.@O@ nsprobe.@O@
+
+UOBJS =
+
+SRCS =		sample.c sample-async.c sample-gai.c sample-update.c \
+		sample-request.c nsprobe.c
+
+MANPAGES =
+
+HTMLPAGES =
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+sample@EXEEXT@: sample.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample.@O@ ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	nsprobe.@O@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/lib/export/samples/nsprobe.c b/lib/export/samples/nsprobe.c
new file mode 100644
index 0000000000..fa3dfd4720
--- /dev/null
+++ b/lib/export/samples/nsprobe.c
@@ -0,0 +1,1215 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsprobe.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define MAX_PROBES 1000
+
+static dns_client_t *client = NULL;
+static isc_task_t *probe_task = NULL;
+static isc_appctx_t *actx = NULL;
+static isc_mem_t *mctx = NULL;
+static unsigned int outstanding_probes = 0;
+const char *cacheserver = "127.0.0.1";
+static FILE *fp;
+
+typedef enum {
+	none,
+	exist,
+	nxdomain,
+	othererr,
+	multiplesoa,
+	multiplecname,
+	brokenanswer,
+	lame,
+	timedout,
+	notype,
+	unexpected
+} query_result_t;
+
+struct server {
+	ISC_LINK(struct server) link;
+
+	isc_sockaddr_t address;
+	query_result_t result_a;
+	query_result_t result_aaaa;
+};
+
+struct probe_ns {
+	ISC_LINK(struct probe_ns) link;
+
+	dns_fixedname_t fixedname;
+	dns_name_t *name;
+	struct server *current_server;
+	ISC_LIST(struct server) servers;
+};
+
+struct probe_trans {
+	isc_boolean_t inuse;
+	char *domain;
+	dns_fixedname_t fixedname;
+	dns_name_t *qname;
+	const char **qlabel;
+	isc_boolean_t qname_found;
+	dns_clientrestrans_t *resid;
+	dns_message_t *qmessage;
+	dns_message_t *rmessage;
+	dns_clientreqtrans_t *reqid;
+
+	/* NS list */
+	struct probe_ns *current_ns;
+	ISC_LIST(struct probe_ns) nslist;
+};
+
+struct stat {
+	unsigned long valid;
+	unsigned long ignore;
+	unsigned long nxdomain;
+	unsigned long othererr;
+	unsigned long multiplesoa;
+	unsigned long multiplecname;	
+	unsigned long brokenanswer;
+	unsigned long lame;
+	unsigned long unknown;
+} server_stat, domain_stat;
+
+static unsigned long number_of_domains = 0;
+static unsigned long number_of_servers = 0;
+static unsigned long multiple_error_domains = 0;
+static isc_boolean_t debug_mode = ISC_FALSE; 
+static int verbose_level = 0; 
+static const char *qlabels[] = {"www.", "ftp.", NULL};
+static struct probe_trans probes[MAX_PROBES];
+
+static isc_result_t probe_domain(struct probe_trans *trans);
+static void reset_probe(struct probe_trans *trans);
+static isc_result_t fetch_nsaddress(struct probe_trans *trans);
+static isc_result_t probe_name(struct probe_trans *trans,
+			       dns_rdatatype_t type);
+
+/* Dump an rdataset for debug */
+static isc_result_t
+print_rdataset(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	if (!debug_mode)
+		return (ISC_R_SUCCESS);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	if (!dns_rdataset_isassociated(rdataset))
+		return (ISC_R_SUCCESS);
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+print_name(dns_name_t *name) {
+	isc_result_t result;
+	isc_buffer_t target;
+	isc_region_t r;
+	char t[4096];
+
+	isc_buffer_init(&target, t, sizeof(t));
+	result = dns_name_totext(name, ISC_TRUE, &target);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&target, &r);
+		printf("%.*s", (int)r.length, (char *)r.base);
+	} else
+		printf("(invalid name)");
+
+	return (result);
+}
+
+static isc_result_t
+print_address(FILE *fp, isc_sockaddr_t *addr) {
+	char buf[NI_MAXHOST];
+
+	if (getnameinfo(&addr->type.sa, addr->length, buf, sizeof(buf),
+			NULL, 0, NI_NUMERICHOST) == 0) {
+		fprintf(fp, "%s", buf);
+	} else {
+		fprintf(fp, "(invalid address)");
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (*taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (*timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (*socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (*actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (*mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+/*
+ * Common routine to make query data
+ */
+static isc_result_t
+make_querymessage(dns_message_t *message, dns_name_t *qname0,
+		  dns_rdatatype_t rdtype)
+{
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = dns_rdataclass_in;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_name_init(qname, NULL);
+	dns_name_clone(qname0, qname);
+	dns_rdataset_init(qrdataset);
+	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	if (message != NULL)
+		dns_message_destroy(&message);
+	return (result);
+}
+
+/*
+ * Update statistics
+ */
+static inline void
+increment_entry(unsigned long *entryp) {
+	(*entryp)++;
+	INSIST(*entryp != 0);	/* check overflow */
+}
+
+static void
+update_stat(struct probe_trans *trans) {
+	struct probe_ns *pns;
+	struct server *server;
+	struct stat local_stat;
+	unsigned int err_count = 0;
+	const char *stattype;
+
+	increment_entry(&number_of_domains);
+	memset(&local_stat, 0, sizeof(local_stat));
+
+	/* Update per sever statistics */
+	for (pns = ISC_LIST_HEAD(trans->nslist); pns != NULL;
+	     pns = ISC_LIST_NEXT(pns, link)) {
+		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			increment_entry(&number_of_servers);
+
+			if (server->result_aaaa == exist ||
+			    server->result_aaaa == notype) {
+				/*
+				 * Don't care about the result of A query if
+				 * the answer to AAAA query was expected.
+				 */
+				stattype = "valid";
+				increment_entry(&server_stat.valid);
+				increment_entry(&local_stat.valid);
+			} else if (server->result_a == exist) {
+				switch (server->result_aaaa) {
+				case exist:
+				case notype:
+					stattype = "valid";
+					increment_entry(&server_stat.valid);
+					increment_entry(&local_stat.valid);
+					break;
+				case timedout:
+					stattype = "ignore";
+					increment_entry(&server_stat.ignore);
+					increment_entry(&local_stat.ignore);
+					break;
+				case nxdomain:
+					stattype = "nxdomain";
+					increment_entry(&server_stat.nxdomain);
+					increment_entry(&local_stat.nxdomain);
+					break;
+				case othererr:
+					stattype = "othererr";
+					increment_entry(&server_stat.othererr);
+					increment_entry(&local_stat.othererr);
+					break;
+				case multiplesoa:
+					stattype = "multiplesoa";
+					increment_entry(&server_stat.multiplesoa);
+					increment_entry(&local_stat.multiplesoa);
+					break;
+				case multiplecname:
+					stattype = "multiplecname";
+					increment_entry(&server_stat.multiplecname);
+					increment_entry(&local_stat.multiplecname);
+					break;
+				case brokenanswer:
+					stattype = "brokenanswer";
+					increment_entry(&server_stat.brokenanswer);
+					increment_entry(&local_stat.brokenanswer);
+					break;
+				case lame:
+					stattype = "lame";
+					increment_entry(&server_stat.lame);
+					increment_entry(&local_stat.lame);
+					break;
+				default:
+					stattype = "unknown";
+					increment_entry(&server_stat.unknown);
+					increment_entry(&local_stat.unknown);
+					break;
+				}
+			} else {
+				stattype = "unknown";
+				increment_entry(&server_stat.unknown);
+				increment_entry(&local_stat.unknown);
+			}
+
+			if (verbose_level > 1 ||
+			    (verbose_level == 1 &&
+			     strcmp(stattype, "valid") != 0 &&
+			     strcmp(stattype, "unknown") != 0)) {
+				print_name(pns->name);
+				putchar('(');
+				print_address(stdout, &server->address);
+				printf(") for %s:%s\n", trans->domain,
+				       stattype);
+			}
+		}
+	}
+
+	/* Update per domain statistics */
+	if (local_stat.ignore > 0) {
+		if (verbose_level > 0)
+			printf("%s:ignore\n", trans->domain);
+		increment_entry(&domain_stat.ignore);
+		err_count++;
+	}
+	if (local_stat.nxdomain > 0) {
+		if (verbose_level > 0)
+			printf("%s:nxdomain\n", trans->domain);
+		increment_entry(&domain_stat.nxdomain);
+		err_count++;
+	}
+	if (local_stat.othererr > 0) {
+		if (verbose_level > 0)
+			printf("%s:othererr\n", trans->domain);
+		increment_entry(&domain_stat.othererr);
+		err_count++;
+	}
+	if (local_stat.multiplesoa > 0) {
+		if (verbose_level > 0)
+			printf("%s:multiplesoa\n", trans->domain);
+		increment_entry(&domain_stat.multiplesoa);
+		err_count++;
+	}
+	if (local_stat.multiplecname > 0) {
+		if (verbose_level > 0)
+			printf("%s:multiplecname\n", trans->domain);
+		increment_entry(&domain_stat.multiplecname);
+		err_count++;
+	}
+	if (local_stat.brokenanswer > 0) {
+		if (verbose_level > 0)
+			printf("%s:brokenanswer\n", trans->domain);
+		increment_entry(&domain_stat.brokenanswer);
+		err_count++;
+	}
+	if (local_stat.lame > 0) {
+		if (verbose_level > 0)
+			printf("%s:lame\n", trans->domain);
+		increment_entry(&domain_stat.lame);
+		err_count++;
+	}
+
+	if (err_count > 1)
+		increment_entry(&multiple_error_domains);
+
+	/*
+	 * We regard the domain as valid if and only if no authoritative server
+	 * has a problem and at least one server is known to be valid.
+	 */
+	if (local_stat.valid > 0 && err_count == 0) {
+		if (verbose_level > 1)
+			printf("%s:valid\n", trans->domain);
+		increment_entry(&domain_stat.valid);
+	}
+
+	/*
+	 * If the domain has no available server or all servers have the
+	 * 'unknown' result, the domain's result is also regarded as unknown.
+	 */
+	if (local_stat.valid == 0 && err_count == 0) {
+		if (verbose_level > 1)
+			printf("%s:unknown\n", trans->domain);
+		increment_entry(&domain_stat.unknown);
+	}
+}
+
+/*
+ * Search for an existent name with an A RR
+ */
+
+static isc_result_t
+set_nextqname(struct probe_trans *trans) {
+	isc_result_t result;
+	size_t domainlen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad-hoc constant, but should be enough */
+
+	if (*trans->qlabel == NULL)
+		return (ISC_R_NOMORE);
+
+	result = isc_string_copy(buf, sizeof(buf), *trans->qlabel);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_string_append(buf, sizeof(buf), trans->domain);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	domainlen = strlen(buf);
+	isc_buffer_init(&b, buf, domainlen);
+	isc_buffer_add(&b, domainlen);
+	dns_fixedname_init(&trans->fixedname);
+	trans->qname = dns_fixedname_name(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname,
+				   0, NULL);
+
+	trans->qlabel++;
+
+	return (result);
+}
+
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientreqevent_t *rev = (dns_clientreqevent_t *)event;
+	dns_message_t *rmessage;
+	struct probe_ns *pns;
+	struct server *server;
+	isc_result_t result;
+	query_result_t *resultp;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans != NULL && trans->inuse == ISC_TRUE);
+	rmessage = rev->rmessage;
+	REQUIRE(rmessage == trans->rmessage);
+	INSIST(outstanding_probes > 0);
+
+	server = trans->current_ns->current_server;
+	INSIST(server != NULL);
+
+	if (server->result_a == none) {
+		type = dns_rdatatype_a;
+		resultp = &server->result_a;
+	} else {
+		resultp = &server->result_aaaa;
+		type = dns_rdatatype_aaaa;
+	}
+
+	if (rev->result == ISC_R_SUCCESS) {
+		if ((rmessage->flags & DNS_MESSAGEFLAG_AA) == 0)
+			*resultp = lame;
+		else if (rmessage->rcode == dns_rcode_nxdomain)
+			*resultp = nxdomain;
+		else if (rmessage->rcode != dns_rcode_noerror)
+			*resultp = othererr;
+		else if (rmessage->counts[DNS_SECTION_ANSWER] == 0) {
+			/* no error but empty answer */
+			*resultp = notype;
+		} else {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_ANSWER);
+			while (result == ISC_R_SUCCESS) {
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_ANSWER,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					(void)print_rdataset(rdataset, name);
+
+					if (rdataset->type ==
+					    dns_rdatatype_cname ||
+					    rdataset->type ==
+					    dns_rdatatype_dname) {
+						/* Should chase the chain? */
+						*resultp = exist;
+						goto found;
+					} else if (rdataset->type == type) {
+						*resultp = exist;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_ANSWER);
+			}
+
+			/*
+			 * Something unexpected happened: the response
+			 * contained a non-empty authoritative answer, but we
+			 * could not find an expected result.
+			 */
+			*resultp = unexpected;
+		}
+	} else if (rev->result == DNS_R_RECOVERABLE ||
+		   rev->result == DNS_R_BADLABELTYPE) {
+		/* Broken response.  Try identifying known cases. */
+		*resultp = brokenanswer;
+
+		if (rmessage->counts[DNS_SECTION_ANSWER] > 0) {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_ANSWER);
+			while (result == ISC_R_SUCCESS) {
+				/*
+				 * Check to see if the response has multiple
+				 * CNAME RRs.  Update the result code if so.
+				 */
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_ANSWER,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					if (rdataset->type ==
+					    dns_rdatatype_cname &&
+					    dns_rdataset_count(rdataset) > 1) {
+						*resultp = multiplecname;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_ANSWER);
+			}
+		}
+
+		if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0) {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_AUTHORITY);
+			while (result == ISC_R_SUCCESS) {
+				/*
+				 * Check to see if the response has multiple
+				 * SOA RRs.  Update the result code if so.
+				 */
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_AUTHORITY,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					if (rdataset->type ==
+					    dns_rdatatype_soa &&
+					    dns_rdataset_count(rdataset) > 1) {
+						*resultp = multiplesoa;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_AUTHORITY);
+			}
+		}
+	} else if (rev->result == ISC_R_TIMEDOUT)
+		*resultp = timedout;
+	else {
+		fprintf(stderr, "unexpected result: %d (domain=%s, server=",
+			rev->result, trans->domain);
+		print_address(stderr, &server->address);
+		fputc('\n', stderr);
+		*resultp = unexpected;
+	}
+
+ found:
+	INSIST(*resultp != none);
+	if (type == dns_rdatatype_a && *resultp == exist)
+		trans->qname_found = ISC_TRUE;
+
+	dns_client_destroyreqtrans(&trans->reqid);
+	isc_event_free(&event);
+	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+	result = probe_name(trans, type);
+	if (result == ISC_R_NOMORE) {
+		/* We've tried all addresses of all servers. */
+		if (type == dns_rdatatype_a && trans->qname_found) {
+			/*
+			 * If we've explored A RRs and found an existent
+			 * record, we can move to AAAA.
+			 */
+			trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+			probe_name(trans, dns_rdatatype_aaaa);
+			result = ISC_R_SUCCESS;
+		} else if (type == dns_rdatatype_a) {
+			/*
+			 * No server provided an existent A RR of this name.
+			 * Try next label.
+			 */
+			dns_fixedname_invalidate(&trans->fixedname);
+			trans->qname = NULL;
+			result = set_nextqname(trans);
+			if (result == ISC_R_SUCCESS) {
+				trans->current_ns =
+					ISC_LIST_HEAD(trans->nslist);
+				for (pns = trans->current_ns; pns != NULL;
+				     pns = ISC_LIST_NEXT(pns, link)) {
+					for (server = ISC_LIST_HEAD(pns->servers);
+					     server != NULL;
+					     server = ISC_LIST_NEXT(server,
+								    link)) {
+						INSIST(server->result_aaaa ==
+						       none);
+						server->result_a = none;
+					}
+				}
+				result = probe_name(trans, dns_rdatatype_a);
+			}
+		}
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We've explored AAAA RRs or failed to find a valid
+			 * query label.  Wrap up the result and move to the
+			 * next domain.
+			 */
+			reset_probe(trans);
+		}
+	} else if (result != ISC_R_SUCCESS)
+		reset_probe(trans); /* XXX */
+}
+
+static isc_result_t
+probe_name(struct probe_trans *trans, dns_rdatatype_t type) {
+	isc_result_t result;
+	struct probe_ns *pns;
+	struct server *server;
+
+	REQUIRE(trans->reqid == NULL);
+	REQUIRE(type == dns_rdatatype_a || type == dns_rdatatype_aaaa);
+
+	for (pns = trans->current_ns; pns != NULL;
+	     pns = ISC_LIST_NEXT(pns, link)) {
+		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			if ((type == dns_rdatatype_a &&
+			     server->result_a == none) ||
+			    (type == dns_rdatatype_aaaa &&
+			     server->result_aaaa == none)) {
+				pns->current_server = server;
+				goto found;
+			}
+		}
+	}
+
+ found:
+	trans->current_ns = pns;
+	if (pns == NULL)
+		return (ISC_R_NOMORE);
+
+	INSIST(pns->current_server != NULL);
+	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+	result = make_querymessage(trans->qmessage, trans->qname, type);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_client_startrequest(client, trans->qmessage,
+					 trans->rmessage,
+					 &pns->current_server->address,
+					 0, DNS_MESSAGEPARSE_BESTEFFORT,
+					 NULL, 120, 0, 4,
+					 probe_task, request_done, trans,
+					 &trans->reqid);
+
+	return (result);
+}
+
+/*
+ * Get IP addresses of NSes
+ */
+
+static void
+resolve_nsaddress(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct probe_ns *pns = trans->current_ns;
+	isc_result_t result;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans->inuse == ISC_TRUE);
+	REQUIRE(pns != NULL);
+	INSIST(outstanding_probes > 0);
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)print_rdataset(rdataset, name);
+
+			if (rdataset->type != dns_rdatatype_a)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_in_a_t rdata_a;
+				struct server *server;
+
+				dns_rdataset_current(rdataset, &rdata);
+				result = dns_rdata_tostruct(&rdata, &rdata_a,
+							    NULL);
+				if (result != ISC_R_SUCCESS)
+					continue;
+
+				server = isc_mem_get(mctx, sizeof(*server));
+				if (server == NULL) {
+					fprintf(stderr, "resolve_nsaddress: "
+						"mem_get failed");
+					result = ISC_R_NOMEMORY;
+					goto cleanup;
+				}
+				isc_sockaddr_fromin(&server->address,
+						    &rdata_a.in_addr, 53);
+				ISC_LINK_INIT(server, link);
+				server->result_a = none;
+				server->result_aaaa = none;
+				ISC_LIST_APPEND(pns->servers, server, link);
+			}
+		}
+	}
+
+ cleanup:
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->resid);
+	isc_event_free(&event);
+
+ next_ns:
+	trans->current_ns = ISC_LIST_NEXT(pns, link);
+	if (trans->current_ns == NULL) {
+		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+		dns_fixedname_invalidate(&trans->fixedname);
+		trans->qname = NULL;
+		result = set_nextqname(trans);
+		if (result == ISC_R_SUCCESS)
+			 result = probe_name(trans, dns_rdatatype_a);
+	} else {
+		result = fetch_nsaddress(trans);
+		if (result != ISC_R_SUCCESS)
+			goto next_ns; /* XXX: this is unlikely to succeed */
+	}
+
+	if (result != ISC_R_SUCCESS)
+		reset_probe(trans);
+}
+
+static isc_result_t
+fetch_nsaddress(struct probe_trans *trans) {
+	struct probe_ns *pns;
+
+	pns = trans->current_ns;
+	REQUIRE(pns != NULL);
+
+	return (dns_client_startresolve(client, pns->name, dns_rdataclass_in,
+					dns_rdatatype_a, 0, probe_task,
+					resolve_nsaddress, trans,
+					&trans->resid));
+}
+
+/*
+ * Get NS RRset for a given domain
+ */
+
+static void
+reset_probe(struct probe_trans *trans) {
+	struct probe_ns *pns;
+	struct server *server;
+	isc_result_t result;
+
+	REQUIRE(trans->resid == NULL);
+	REQUIRE(trans->reqid == NULL);
+
+	update_stat(trans);
+
+	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+	trans->inuse = ISC_FALSE;
+	if (trans->domain != NULL)
+		isc_mem_free(mctx, trans->domain);
+	trans->domain = NULL;
+	if (trans->qname != NULL)
+		dns_fixedname_invalidate(&trans->fixedname);
+	trans->qname = NULL;
+	trans->qlabel = qlabels;
+	trans->qname_found = ISC_FALSE;
+	trans->current_ns = NULL;
+
+	while ((pns = ISC_LIST_HEAD(trans->nslist)) != NULL) {
+		ISC_LIST_UNLINK(trans->nslist, pns, link);
+		while ((server = ISC_LIST_HEAD(pns->servers)) != NULL) {
+			ISC_LIST_UNLINK(pns->servers, server, link);
+			isc_mem_put(mctx, server, sizeof(*server));
+		}
+		isc_mem_put(mctx, pns, sizeof(*pns));
+	}
+
+	outstanding_probes--;
+
+	result = probe_domain(trans);
+	if (result == ISC_R_NOMORE && outstanding_probes == 0)
+		isc_app_ctxshutdown(actx);
+}
+
+static void
+resolve_ns(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct probe_ns *pns;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans->inuse == ISC_TRUE);
+	INSIST(outstanding_probes > 0);
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)print_rdataset(rdataset, name);
+
+			if (rdataset->type != dns_rdatatype_ns)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_ns_t ns;
+
+				dns_rdataset_current(rdataset, &rdata);
+				/*
+				 * Extract the name from the NS record.
+				 */
+				result = dns_rdata_tostruct(&rdata, &ns, NULL);
+				if (result != ISC_R_SUCCESS)
+					continue;
+
+				pns = isc_mem_get(mctx, sizeof(*pns));
+				if (pns == NULL) {
+					fprintf(stderr,
+						"resolve_ns: mem_get failed");
+					result = ISC_R_NOMEMORY;
+					/*
+					 * XXX: should we continue with the
+					 * available servers anyway?
+					 */
+					goto cleanup;
+				}
+
+				dns_fixedname_init(&pns->fixedname);
+				pns->name =
+					dns_fixedname_name(&pns->fixedname);
+				ISC_LINK_INIT(pns, link);
+				ISC_LIST_APPEND(trans->nslist, pns, link);
+				ISC_LIST_INIT(pns->servers);
+
+				dns_name_copy(&ns.name, pns->name, NULL);
+				dns_rdata_reset(&rdata);
+				dns_rdata_freestruct(&ns);
+			}
+		}
+	}
+
+ cleanup:
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->resid);
+	isc_event_free(&event);
+
+	if (!ISC_LIST_EMPTY(trans->nslist)) {
+		/* Go get addresses of NSes */
+		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+		result = fetch_nsaddress(trans);
+	} else
+		result = ISC_R_FAILURE;
+
+	if (result == ISC_R_SUCCESS)
+		return;
+
+	reset_probe(trans);
+}
+
+static isc_result_t
+probe_domain(struct probe_trans *trans) {
+	isc_result_t result;
+	size_t domainlen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad hoc constant, but should be enough */
+	char *cp;
+
+	REQUIRE(trans != NULL);
+	REQUIRE(trans->inuse == ISC_FALSE);
+	REQUIRE(outstanding_probes < MAX_PROBES);
+
+	/* Construct domain */
+	cp = fgets(buf, sizeof(buf), fp);
+	if (cp == NULL)
+		return (ISC_R_NOMORE);
+	if ((cp = strchr(buf, '\n')) != NULL) /* zap NL if any */
+		*cp = '\0';
+	trans->domain = isc_mem_strdup(mctx, buf);
+	if (trans->domain == NULL) {
+		fprintf(stderr,
+			"failed to allocate memory for domain: %s", cp);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Start getting NS for the domain */
+	domainlen = strlen(buf);
+	isc_buffer_init(&b, buf, domainlen);
+	isc_buffer_add(&b, domainlen);
+	dns_fixedname_init(&trans->fixedname);
+	trans->qname = dns_fixedname_name(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_client_startresolve(client, trans->qname,
+					 dns_rdataclass_in, dns_rdatatype_ns,
+					 0, probe_task, resolve_ns, trans,
+					 &trans->resid);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	trans->inuse = ISC_TRUE;
+	outstanding_probes++;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_free(mctx, trans->domain);
+	dns_fixedname_invalidate(&trans->fixedname);
+
+	return (result);
+}
+
+static void
+usage() {
+	fprintf(stderr, "usage: nsprobe [-d] [-v [-v...]] [-c cache_address] "
+		"[input_file]\n");
+
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch, error;
+	struct addrinfo hints, *res;
+	isc_result_t result;
+	isc_sockaddr_t sa;
+	isc_sockaddrlist_t servers;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+
+	while ((ch = getopt(argc, argv, "c:dhv")) != -1) {
+		switch (ch) {
+		case 'c':
+			cacheserver = optarg;
+			break;
+		case 'd':
+			debug_mode = ISC_TRUE;
+			break;
+		case 'h':
+			usage();
+			break;
+		case 'v':
+			verbose_level++;
+			break;
+		default:
+			usage();
+			break;
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	/* Common set up */
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		exit(1);
+	}
+
+	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr,
+			   &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "ctx create failed: %d\n", result);
+		exit(1);
+	}
+
+	isc_app_ctxstart(actx);
+
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr,
+				    timermgr, 0, &client);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_createx failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Set local cache server */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	error = getaddrinfo(cacheserver, "53", &hints, &res);
+	if (error != 0) {
+		fprintf(stderr, "failed to convert server name (%s): %s\n",
+			cacheserver, gai_strerror(error));
+		exit(1);
+	}
+
+	if (res->ai_addrlen > sizeof(sa.type)) {
+		fprintf(stderr,
+			"assumption failure: addrlen is too long: %d\n",
+			res->ai_addrlen);
+		exit(1);
+	}
+	memcpy(&sa.type.sa, res->ai_addr, res->ai_addrlen);
+	sa.length = res->ai_addrlen;
+	freeaddrinfo(res);
+	ISC_LINK_INIT(&sa, link);
+	ISC_LIST_INIT(servers);
+	ISC_LIST_APPEND(servers, &sa, link);
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to set server: %d\n", result);
+		exit(1);
+	}
+
+	/* Create the main task */
+	probe_task = NULL;
+	result = isc_task_create(taskmgr, 0, &probe_task);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create task: %d\n", result);
+		exit(1);
+	}
+
+	/* Open input file */
+	if (argc == 0)
+		fp = stdin;
+	else {
+		fp = fopen(argv[0], "r");
+		if (fp == NULL) {
+			fprintf(stderr, "failed to open input file: %s\n",
+				argv[0]);
+			exit(1);
+		}
+	}
+
+	/* Set up and start probe */
+	for (i = 0; i < MAX_PROBES; i++) {
+		probes[i].inuse = ISC_FALSE;
+		probes[i].domain = NULL;
+		dns_fixedname_init(&probes[i].fixedname);
+		probes[i].qname = NULL;
+		probes[i].qlabel = qlabels;
+		probes[i].qname_found = ISC_FALSE;
+		probes[i].resid = NULL;
+		ISC_LIST_INIT(probes[i].nslist);
+		probes[i].reqid = NULL;
+
+		probes[i].qmessage = NULL;
+		result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+					    &probes[i].qmessage);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_message_create(mctx,
+						    DNS_MESSAGE_INTENTPARSE,
+						    &probes[i].rmessage);
+		}
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "initialization failure\n");
+			exit(1);
+		}
+	}
+	for (i = 0; i < MAX_PROBES; i++) {
+		result = probe_domain(&probes[i]);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to issue an initial probe\n");
+			exit(1);
+		}
+	}
+
+	/* Start event loop */
+	isc_app_ctxrun(actx);
+
+	/* Dump results */
+	printf("Per domain results (out of %lu domains):\n",
+	       number_of_domains);
+	printf("  valid: %lu\n"
+	       "  ignore: %lu\n"
+	       "  nxdomain: %lu\n"
+	       "  othererr: %lu\n"
+	       "  multiplesoa: %lu\n"
+	       "  multiplecname: %lu\n"
+	       "  brokenanswer: %lu\n"
+	       "  lame: %lu\n"
+	       "  unknown: %lu\n"
+	       "  multiple errors: %lu\n",
+	       domain_stat.valid, domain_stat.ignore, domain_stat.nxdomain,
+	       domain_stat.othererr, domain_stat.multiplesoa,
+	       domain_stat.multiplecname, domain_stat.brokenanswer,
+	       domain_stat.lame, domain_stat.unknown, multiple_error_domains);
+	printf("Per server results (out of %lu servers):\n",
+	       number_of_servers);
+	printf("  valid: %lu\n"
+	       "  ignore: %lu\n"
+	       "  nxdomain: %lu\n"
+	       "  othererr: %lu\n"
+	       "  multiplesoa: %lu\n"
+	       "  multiplecname: %lu\n"
+	       "  brokenanswer: %lu\n"
+	       "  lame: %lu\n"
+	       "  unknown: %lu\n",
+	       server_stat.valid, server_stat.ignore, server_stat.nxdomain,
+	       server_stat.othererr, server_stat.multiplesoa,
+	       server_stat.multiplecname, server_stat.brokenanswer,
+	       server_stat.lame, server_stat.unknown);
+
+	/* Cleanup */
+	for (i = 0; i < MAX_PROBES; i++) {
+		dns_message_destroy(&probes[i].qmessage);
+		dns_message_destroy(&probes[i].rmessage);
+	}
+	isc_task_detach(&probe_task);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+	isc_app_ctxfinish(actx);
+	ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+
+	exit(0);
+}
diff --git a/lib/export/samples/sample-async.c b/lib/export/samples/sample-async.c
new file mode 100644
index 0000000000..d209f3a066
--- /dev/null
+++ b/lib/export/samples/sample-async.c
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-async.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define MAX_SERVERS 10
+#define MAX_QUERIES 100
+
+static dns_client_t *client = NULL;
+static isc_task_t *query_task = NULL;
+static isc_appctx_t *query_actx = NULL;
+static unsigned int outstanding_queries = 0;
+static const char *def_server = "127.0.0.1";
+static FILE *fp;
+
+struct query_trans {
+	int id;
+	isc_boolean_t inuse;
+	dns_rdatatype_t type;
+	dns_fixedname_t fixedname;
+	dns_name_t *qname;
+	dns_namelist_t answerlist;
+	dns_clientrestrans_t *xid;
+};
+
+static struct query_trans query_array[MAX_QUERIES];
+
+static isc_result_t dispatch_query(struct query_trans *trans);
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (*taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (*timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (*socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (*actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (*mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	if (!dns_rdataset_isassociated(rdataset))
+		return (ISC_R_SUCCESS);
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("  %.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+	struct query_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	REQUIRE(task == query_task);
+	REQUIRE(trans->inuse == ISC_TRUE);
+	REQUIRE(outstanding_queries > 0);
+
+	printf("answer[%2d]\n", trans->id);
+
+	if (rev->result != ISC_R_SUCCESS)
+		printf("  failed: %d(%s)\n", rev->result,
+		       dns_result_totext(rev->result));
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)printdata(rdataset, name);
+		}
+	}
+
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->xid);
+
+	isc_event_free(&event);
+
+	trans->inuse = ISC_FALSE;
+	dns_fixedname_invalidate(&trans->fixedname);
+	trans->qname = NULL;
+	outstanding_queries--;
+
+	result = dispatch_query(trans);
+#if 0				/* for cancel test */
+	if (result == ISC_R_SUCCESS) {
+		static int count = 0;
+
+		if ((++count) % 10 == 0)
+			dns_client_cancelresolve(trans->xid);
+	}
+#endif
+	if (result == ISC_R_NOMORE && outstanding_queries == 0)
+		isc_app_ctxshutdown(query_actx);
+}
+
+static isc_result_t
+dispatch_query(struct query_trans *trans) {
+	isc_result_t result;
+	size_t namelen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad hoc constant, but should be enough */
+	char *cp;
+
+	REQUIRE(trans != NULL);
+	REQUIRE(trans->inuse == ISC_FALSE);
+	REQUIRE(ISC_LIST_EMPTY(trans->answerlist));
+	REQUIRE(outstanding_queries < MAX_QUERIES);
+
+	/* Construct qname */
+	cp = fgets(buf, sizeof(buf), fp);
+	if (cp == NULL)
+		return (ISC_R_NOMORE);
+	/* zap NL if any */
+	if ((cp = strchr(buf, '\n')) != NULL)
+		*cp = '\0';
+	namelen = strlen(buf);
+	isc_buffer_init(&b, buf, namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&trans->fixedname);
+	trans->qname = dns_fixedname_name(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* Start resolution */
+	result = dns_client_startresolve(client, trans->qname,
+					 dns_rdataclass_in, trans->type, 0,
+					 query_task, process_answer, trans,
+					 &trans->xid);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	trans->inuse = ISC_TRUE;
+	outstanding_queries++;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_fixedname_invalidate(&trans->fixedname);
+
+	return (result);
+}
+
+static void
+usage() {
+	fprintf(stderr, "usage: sample-async [-s server_address] [-t RR type] "
+		"input_file\n");
+
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	isc_textregion_t tr;
+	isc_mem_t *mctx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	int nservers = 0;
+	const char *serveraddr[MAX_SERVERS];
+	isc_sockaddr_t sa[MAX_SERVERS];
+	isc_sockaddrlist_t servers;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	struct in_addr inaddr;
+	isc_result_t result;
+	int i;
+
+	while ((ch = getopt(argc, argv, "s:t:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = optarg;
+			tr.length = strlen(optarg);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n", optarg);
+				exit(1);
+			}
+			break;
+		case 's':
+			if (nservers == MAX_SERVERS) {
+				fprintf(stderr,
+					"too many servers (up to %d)\n",
+					MAX_SERVERS);
+				exit(1);
+			}
+			serveraddr[nservers++] = (const char *)optarg;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+	if (argc < 1)
+		usage();
+
+	if (nservers == 0) {
+		nservers = 1;
+		serveraddr[0] = def_server;
+	}
+
+	for (i = 0; i < MAX_QUERIES; i++) {
+		query_array[i].id = i;
+		query_array[i].inuse = ISC_FALSE;
+		query_array[i].type = type;
+		dns_fixedname_init(&query_array[i].fixedname);
+		query_array[i].qname = NULL;
+		ISC_LIST_INIT(query_array[i].answerlist);
+		query_array[i].xid = NULL;
+	}
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		exit(1);
+	}
+
+	result = ctxs_init(&mctx, &query_actx, &taskmgr, &socketmgr,
+			   &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "ctx create failed: %d\n", result);
+		exit(1);
+	}
+
+	isc_app_ctxstart(query_actx);
+
+	result = dns_client_createx(mctx, query_actx, taskmgr, socketmgr,
+				    timermgr, 0, &client);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_createx failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Set nameservers */
+	ISC_LIST_INIT(servers);
+	for (i = 0; i < nservers; i++) {
+		if (inet_pton(AF_INET, serveraddr[i], &inaddr) != 1) {
+			fprintf(stderr, "failed to parse IPv4 address %s\n",
+				serveraddr[i]);
+			exit(1);
+		}
+		isc_sockaddr_fromin(&sa[i], &inaddr, 53);
+		ISC_LIST_APPEND(servers, &sa[i], link);
+	}
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "set server failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Create the main task */
+	query_task = NULL;
+	result = isc_task_create(taskmgr, 0, &query_task);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create task: %d\n", result);
+		exit(1);
+	}
+
+	/* Open input file */
+	fp = fopen(argv[0], "r");
+	if (fp == NULL) {
+		fprintf(stderr, "failed to open input file: %s\n", argv[1]);
+		exit(1);
+	}
+
+	/* Dispatch initial queries */
+	for (i = 0; i < MAX_QUERIES; i++) {
+		result = dispatch_query(&query_array[i]);
+		if (result == ISC_R_NOMORE)
+			break;
+	}
+
+	/* Start event loop */
+	isc_app_ctxrun(query_actx);
+
+	/* Sanity check */
+	for (i = 0; i < MAX_QUERIES; i++)
+		INSIST(query_array[i].inuse == ISC_FALSE);
+
+	/* Cleanup */
+	isc_task_detach(&query_task);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+	isc_app_ctxfinish(query_actx);
+	ctxs_destroy(&mctx, &query_actx, &taskmgr, &socketmgr, &timermgr);
+
+	exit(0);
+}
diff --git a/lib/export/samples/sample-gai.c b/lib/export/samples/sample-gai.c
new file mode 100644
index 0000000000..321004ef04
--- /dev/null
+++ b/lib/export/samples/sample-gai.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-gai.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+
+static void
+do_gai(int family, char *hostname) {
+	struct addrinfo hints, *res, *res0;
+	int error;
+	char namebuf[1024], addrbuf[1024], servbuf[1024];
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_CANONNAME;
+	error = getaddrinfo(hostname, "http", &hints, &res0);
+	if (error) {
+		fprintf(stderr, "getaddrinfo failed for %s,family=%d: %s\n",
+			hostname, family, gai_strerror(error));
+		return;
+	}
+
+	for (res = res0; res; res = res->ai_next) {
+		error = getnameinfo(res->ai_addr, res->ai_addrlen,
+				    addrbuf, sizeof(addrbuf),
+				    NULL, 0, NI_NUMERICHOST);
+		if (error == 0)
+			error = getnameinfo(res->ai_addr, res->ai_addrlen,
+					    namebuf, sizeof(namebuf),
+					    servbuf, sizeof(servbuf), 0);
+		if (error != 0) {
+			fprintf(stderr, "getnameinfo failed: %s\n",
+				gai_strerror(error));
+		} else {
+			printf("%s(%s/%s)=%s:%s\n", hostname,
+			       res->ai_canonname, addrbuf, namebuf, servbuf);
+		}
+	}
+
+	freeaddrinfo(res);
+}
+
+int
+main(int argc, char *argv[]) {
+	if (argc < 2)
+		exit(1);
+
+	do_gai(AF_INET, argv[1]);
+	do_gai(AF_INET6, argv[1]);
+	do_gai(AF_UNSPEC, argv[1]);
+
+	exit(0);
+}
diff --git a/lib/export/samples/sample-request.c b/lib/export/samples/sample-request.c
new file mode 100644
index 0000000000..75242ee410
--- /dev/null
+++ b/lib/export/samples/sample-request.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-request.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+static isc_mem_t *mctx;
+static dns_fixedname_t fixedqname;
+
+static void
+usage() {
+	fprintf(stderr, "sample-request [-t RRtype] server_address hostname\n");
+
+	exit(1);
+}
+
+static isc_result_t
+make_querymessage(dns_message_t *message, const char *namestr,
+		  dns_rdatatype_t rdtype)
+{
+	dns_name_t *qname = NULL, *qname0;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	size_t namelen;
+
+	/* Construct qname */
+	namelen = strlen(namestr);
+	isc_buffer_init(&b, namestr, namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&fixedqname);
+	qname0 = dns_fixedname_name(&fixedqname);
+	result = dns_name_fromtext(qname0, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to convert qname: %d\n", result);
+		return (result);
+	}
+
+	/* Construct query message */
+	message->opcode = dns_opcode_query;
+	message->rdclass = dns_rdataclass_in;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_name_init(qname, NULL);
+	dns_name_clone(qname0, qname);
+	dns_rdataset_init(qrdataset);
+	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	if (message != NULL)
+		dns_message_destroy(&message);
+	return (result);
+}
+
+static void
+print_section(dns_message_t *message, int section, isc_buffer_t *buf) {
+	isc_result_t result;
+	isc_region_t r;
+
+	result = dns_message_sectiontotext(message, section,
+					   &dns_master_style_full, 0, buf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	isc_buffer_usedregion(buf, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return;
+
+ fail:
+	fprintf(stderr, "failed to convert a section\n");
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch, i, gai_error;
+	struct addrinfo hints, *res;
+	isc_textregion_t tr;
+	dns_client_t *client = NULL;
+	isc_result_t result;
+	isc_sockaddr_t sa;
+	dns_message_t *qmessage, *rmessage;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	isc_buffer_t *outputbuf;
+
+	while ((ch = getopt(argc, argv, "t:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = optarg;
+			tr.length = strlen(optarg);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n", optarg);
+				exit(1);
+			}
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+	if (argc < 2)
+		usage();
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		exit(1);
+	}
+
+	result = dns_client_create(&client, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Prepare message structures */
+	mctx = NULL;
+	qmessage = NULL;
+	rmessage = NULL;
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create a memory context\n");
+		exit(1);
+	}
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &qmessage);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+					    &rmessage);
+	}
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create messages\n");
+		exit(1);
+	}
+
+	/* Initialize the nameserver address */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	gai_error = getaddrinfo(argv[0], "53", &hints, &res);
+	if (gai_error != 0) {
+		fprintf(stderr, "getaddrinfo failed: %s\n",
+			gai_strerror(gai_error));
+		exit(1);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sa.type));
+	memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
+	freeaddrinfo(res);
+	sa.length = res->ai_addrlen;
+	ISC_LINK_INIT(&sa, link);
+
+	/* Construct qname */
+	result = make_querymessage(qmessage, argv[1], type);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create a query\n");
+		exit(1);
+	}
+
+	/* Send request and wait for a response */
+	result = dns_client_request(client, qmessage, rmessage, &sa, 0, 0,
+				    NULL, 60, 0, 3);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to get a response: %s\n",
+			dns_result_totext(result));
+	}
+
+	/* Dump the response */
+	outputbuf = NULL;
+	result = isc_buffer_allocate(mctx, &outputbuf, 65535);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to allocate a result buffer\n");
+		exit(1);
+	}
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		print_section(rmessage, i, outputbuf);
+		isc_buffer_clear(outputbuf);
+	}
+	isc_buffer_free(&outputbuf);
+
+	/* Cleanup */
+	dns_message_destroy(&qmessage);
+	dns_message_destroy(&rmessage);
+	isc_mem_destroy(&mctx);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+
+	exit(0);
+}
diff --git a/lib/export/samples/sample-update.c b/lib/export/samples/sample-update.c
new file mode 100644
index 0000000000..e186f536d6
--- /dev/null
+++ b/lib/export/samples/sample-update.c
@@ -0,0 +1,749 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-update.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+static dns_tsec_t *tsec = NULL;
+static const dns_rdataclass_t default_rdataclass = dns_rdataclass_in;
+static isc_bufferlist_t usedbuffers;
+static ISC_LIST(dns_rdatalist_t) usedrdatalists;
+
+static void setup_tsec(char *keyfile, isc_mem_t *mctx);
+static void update_addordelete(isc_mem_t *mctx, char *cmdline,
+			       isc_boolean_t isdelete, dns_name_t *name);
+static void evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name);
+
+static void
+usage() {
+	fprintf(stderr, "sample-update "
+		"[-a auth_server] "
+		"[-k keyfile] "
+		"[-p prerequisite] "
+		"[-r recursive_server] "
+		"[-z zonename] "
+		"(add|delete) \"name TTL RRtype RDATA\"\n");
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	struct addrinfo hints, *res;
+	int gai_error;
+	dns_client_t *client = NULL;
+	char *zonenamestr = NULL;
+	char *keyfilename = NULL;
+	char *prereqstr = NULL;
+	isc_sockaddrlist_t auth_servers;
+	char *auth_server = NULL;
+	char *recursive_server = NULL;
+	isc_sockaddr_t sa_auth, sa_recursive;
+	isc_sockaddrlist_t rec_servers;
+	isc_result_t result;
+	isc_boolean_t isdelete;
+	isc_buffer_t b, *buf;
+	dns_fixedname_t zname0, pname0, uname0;
+	size_t namelen;
+	dns_name_t *zname = NULL, *uname, *pname;
+	dns_rdataset_t *rdataset;
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	dns_namelist_t updatelist, prereqlist, *prereqlistp = NULL;
+	isc_mem_t *umctx = NULL;
+
+	while ((ch = getopt(argc, argv, "a:k:p:r:z:")) != -1) {
+		switch (ch) {
+		case 'k':
+			keyfilename = optarg;
+			break;
+		case 'a':
+			auth_server = optarg;
+			break;
+		case 'p':
+			prereqstr = optarg;
+			break;
+		case 'r':
+			recursive_server = optarg;
+			break;
+		case 'z':
+			zonenamestr = optarg;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+	if (argc < 2)
+		usage();
+
+	/* command line argument validation */
+	if (strcmp(argv[0], "delete") == 0)
+		isdelete = ISC_TRUE;
+	else if (strcmp(argv[0], "add") == 0)
+		isdelete = ISC_FALSE;
+	else {
+		fprintf(stderr, "invalid update command: %s\n", argv[0]);
+		exit(1);
+	}
+
+	if (auth_server == NULL && recursive_server == NULL) {
+		fprintf(stderr, "authoritative or recursive server "
+			"must be specified\n");
+		usage();
+	}
+
+	/* Initialization */
+	ISC_LIST_INIT(usedbuffers);
+	ISC_LIST_INIT(usedrdatalists);
+	ISC_LIST_INIT(prereqlist);
+	ISC_LIST_INIT(auth_servers);
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		exit(1);
+	}
+	result = isc_mem_create(0, 0, &umctx);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to crate mctx\n");
+		exit(1);
+	}
+
+	result = dns_client_create(&client, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Set the authoritative server */
+	if (auth_server != NULL) {
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = AF_UNSPEC;
+		hints.ai_socktype = SOCK_DGRAM;
+		hints.ai_protocol = IPPROTO_UDP;
+		hints.ai_flags = AI_NUMERICHOST;
+		gai_error = getaddrinfo(auth_server, "53", &hints, &res);
+		if (gai_error != 0) {
+			fprintf(stderr, "getaddrinfo failed: %s\n",
+				gai_strerror(gai_error));
+			exit(1);
+		}
+		INSIST(res->ai_addrlen <= sizeof(sa_auth.type));
+		memcpy(&sa_auth.type, res->ai_addr, res->ai_addrlen);
+		freeaddrinfo(res);
+		sa_auth.length = res->ai_addrlen;
+		ISC_LINK_INIT(&sa_auth, link);
+
+		ISC_LIST_APPEND(auth_servers, &sa_auth, link);
+	}
+
+	/* Set the recursive server */
+	if (recursive_server != NULL) {
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = AF_UNSPEC;
+		hints.ai_socktype = SOCK_DGRAM;
+		hints.ai_protocol = IPPROTO_UDP;
+		hints.ai_flags = AI_NUMERICHOST;
+		gai_error = getaddrinfo(recursive_server, "53", &hints, &res);
+		if (gai_error != 0) {
+			fprintf(stderr, "getaddrinfo failed: %s\n",
+				gai_strerror(gai_error));
+			exit(1);
+		}
+		INSIST(res->ai_addrlen <= sizeof(sa_recursive.type));
+		memcpy(&sa_recursive.type, res->ai_addr, res->ai_addrlen);
+		freeaddrinfo(res);
+		sa_recursive.length = res->ai_addrlen;
+		ISC_LINK_INIT(&sa_recursive, link);
+		ISC_LIST_INIT(rec_servers);
+		ISC_LIST_APPEND(rec_servers, &sa_recursive, link);
+		result = dns_client_setservers(client, dns_rdataclass_in,
+					       NULL, &rec_servers);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "set server failed: %d\n", result);
+			exit(1);
+		}
+	}
+
+	/* Construct zone name */
+	zname = NULL;
+	if (zonenamestr != NULL) {
+		namelen = strlen(zonenamestr);
+		isc_buffer_init(&b, zonenamestr, namelen);
+		isc_buffer_add(&b, namelen);
+		dns_fixedname_init(&zname0);
+		zname = dns_fixedname_name(&zname0);
+		result = dns_name_fromtext(zname, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS)
+			fprintf(stderr, "failed to convert zone name: %d\n",
+				result);
+	}
+
+	/* Construct prerequisite name (if given) */
+	if (prereqstr != NULL) {
+		dns_fixedname_init(&pname0);
+		pname = dns_fixedname_name(&pname0);
+		evaluate_prereq(umctx, prereqstr, pname);
+		ISC_LIST_APPEND(prereqlist, pname, link);
+		prereqlistp = &prereqlist;
+	}
+
+	/* Construct update name */
+	ISC_LIST_INIT(updatelist);
+	dns_fixedname_init(&uname0);
+	uname = dns_fixedname_name(&uname0);
+	update_addordelete(umctx, argv[1], isdelete, uname);
+	ISC_LIST_APPEND(updatelist, uname, link);
+
+	/* Set up TSIG/SIG(0) key (if given) */
+	if (keyfilename != NULL)
+		setup_tsec(keyfilename, umctx);
+
+	/* Perform update */
+	result = dns_client_update(client,
+				   default_rdataclass, /* XXX: fixed */
+				   zname, prereqlistp, &updatelist,
+				   (auth_server == NULL) ? NULL :
+				   &auth_servers, tsec, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"update failed: %s\n", dns_result_totext(result));
+	} else
+		fprintf(stderr, "update succeeded\n");
+
+	/* Cleanup */
+	while ((pname = ISC_LIST_HEAD(prereqlist)) != NULL) {
+		while ((rdataset = ISC_LIST_HEAD(pname->list)) != NULL) {
+			ISC_LIST_UNLINK(pname->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+		}
+		ISC_LIST_UNLINK(prereqlist, pname, link);
+	}
+	while ((uname = ISC_LIST_HEAD(updatelist)) != NULL) {
+		while ((rdataset = ISC_LIST_HEAD(uname->list)) != NULL) {
+			ISC_LIST_UNLINK(uname->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+		}
+		ISC_LIST_UNLINK(updatelist, uname, link);
+	}
+	while ((rdatalist = ISC_LIST_HEAD(usedrdatalists)) != NULL) {
+		while ((rdata = ISC_LIST_HEAD(rdatalist->rdata)) != NULL) {
+			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+			isc_mem_put(umctx, rdata, sizeof(*rdata));
+		}
+		ISC_LIST_UNLINK(usedrdatalists, rdatalist, link);
+		isc_mem_put(umctx, rdatalist, sizeof(*rdatalist));
+	}
+	while ((buf = ISC_LIST_HEAD(usedbuffers)) != NULL) {
+		ISC_LIST_UNLINK(usedbuffers, buf, link);
+		isc_buffer_free(&buf);
+	}
+	if (tsec != NULL)
+		dns_tsec_destroy(&tsec);
+	isc_mem_destroy(&umctx);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+
+	exit(0);
+}
+
+/*
+ *  Subroutines borrowed from nsupdate.c
+ */
+#define MAXWIRE (64 * 1024)
+#define TTL_MAX 2147483647U	/* Maximum signed 32 bit integer. */
+
+static char *
+nsu_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (; *string != '\0'; string++) {
+		sc = *string;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc)
+				break;
+		}
+		if (dc == 0)
+			break;
+	}
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+		}
+	}
+	*stringp = NULL;
+	return (string);
+}
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, const char *msg) {
+	if (result != ISC_R_SUCCESS)
+		fatal("%s: %s", msg, isc_result_totext(result));
+}
+
+static void
+parse_name(char **cmdlinep, dns_name_t *name) {
+	isc_result_t result;
+	char *word;
+	isc_buffer_t source;
+
+	word = nsu_strsep(cmdlinep, " \t\r\n");
+	if (*word == 0) {
+		fprintf(stderr, "could not read owner name\n");
+		exit(1);
+	}
+
+	isc_buffer_init(&source, word, strlen(word));
+	isc_buffer_add(&source, strlen(word));
+	result = dns_name_fromtext(name, &source, dns_rootname, 0, NULL);
+	check_result(result, "dns_name_fromtext");
+	isc_buffer_invalidate(&source);
+}
+
+static void
+parse_rdata(isc_mem_t *mctx, char **cmdlinep, dns_rdataclass_t rdataclass,
+	    dns_rdatatype_t rdatatype, dns_rdata_t *rdata)
+{
+	char *cmdline = *cmdlinep;
+	isc_buffer_t source, *buf = NULL, *newbuf = NULL;
+	isc_region_t r;
+	isc_lex_t *lex = NULL;
+	dns_rdatacallbacks_t callbacks;
+	isc_result_t result;
+
+	while (cmdline != NULL && *cmdline != 0 &&
+	       isspace((unsigned char)*cmdline))
+		cmdline++;
+
+	if (cmdline != NULL && *cmdline != 0) {
+		dns_rdatacallbacks_init(&callbacks);
+		result = isc_lex_create(mctx, strlen(cmdline), &lex);
+		check_result(result, "isc_lex_create");
+		isc_buffer_init(&source, cmdline, strlen(cmdline));
+		isc_buffer_add(&source, strlen(cmdline));
+		result = isc_lex_openbuffer(lex, &source);
+		check_result(result, "isc_lex_openbuffer");
+		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+		check_result(result, "isc_buffer_allocate");
+		result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+					    dns_rootname, 0, mctx, buf,
+					    &callbacks);
+		isc_lex_destroy(&lex);
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(buf, &r);
+			result = isc_buffer_allocate(mctx, &newbuf, r.length);
+			check_result(result, "isc_buffer_allocate");
+			isc_buffer_putmem(newbuf, r.base, r.length);
+			isc_buffer_usedregion(newbuf, &r);
+			dns_rdata_reset(rdata);
+			dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
+			isc_buffer_free(&buf);
+			ISC_LIST_APPEND(usedbuffers, newbuf, link);
+		} else {
+			fprintf(stderr, "invalid rdata format: %s\n",
+				isc_result_totext(result));
+			isc_buffer_free(&buf);
+			exit(1);
+		}
+	} else {
+		rdata->flags = DNS_RDATA_UPDATE;
+	}
+	*cmdlinep = cmdline;
+}
+
+static void
+update_addordelete(isc_mem_t *mctx, char *cmdline, isc_boolean_t isdelete,
+		   dns_name_t *name)
+{
+	isc_result_t result;
+	isc_uint32_t ttl;
+	char *word;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	isc_textregion_t region;
+
+	/*
+	 * Read the owner name.
+	 */
+	parse_name(&cmdline, name);
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fprintf(stderr, "memory allocation for rdata failed\n");
+		exit(1);
+	}
+	dns_rdata_init(rdata);
+
+	/*
+	 * If this is an add, read the TTL and verify that it's in range.
+	 * If it's a delete, ignore a TTL if present (for compatibility).
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		if (!isdelete) {
+			fprintf(stderr, "could not read owner ttl\n");
+			exit(1);
+		}
+		else {
+			ttl = 0;
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+			goto doneparsing;
+		}
+	}
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS) {
+		if (isdelete) {
+			ttl = 0;
+			goto parseclass;
+		} else {
+			fprintf(stderr, "ttl '%s': %s\n", word,
+				isc_result_totext(result));
+			exit(1);
+		}
+	}
+
+	if (isdelete)
+		ttl = 0;
+	else if (ttl > TTL_MAX) {
+		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+			word, TTL_MAX);
+		exit(1);
+	}
+
+	/*
+	 * Read the class or type.
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+ parseclass:
+	if (word == NULL || *word == 0) {
+		if (isdelete) {
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+		goto doneparsing;
+		} else {
+			fprintf(stderr, "could not read class or type\n");
+			exit(1);
+		}
+	}
+	region.base = word;
+	region.length = strlen(word);
+	result = dns_rdataclass_fromtext(&rdataclass, ®ion);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Now read the type.
+		 */
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			if (isdelete) {
+				rdataclass = dns_rdataclass_any;
+				rdatatype = dns_rdatatype_any;
+				rdata->flags = DNS_RDATA_UPDATE;
+				goto doneparsing;
+			} else {
+				fprintf(stderr, "could not read type\n");
+				exit(1);
+			}
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdatatype_fromtext(&rdatatype, ®ion);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "'%s' is not a valid type: %s\n",
+				word, isc_result_totext(result));
+			exit(1);
+		}
+	} else {
+		rdataclass = default_rdataclass;
+		result = dns_rdatatype_fromtext(&rdatatype, ®ion);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "'%s' is not a valid class or type: "
+				"%s\n", word, isc_result_totext(result));
+			exit(1);
+		}
+	}
+
+	parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+
+	if (isdelete) {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
+			rdataclass = dns_rdataclass_any;
+		else
+			rdataclass = dns_rdataclass_none;
+	} else {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+			fprintf(stderr, "could not read rdata\n");
+			exit(1);
+		}
+	}
+
+ doneparsing:
+
+	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+	if (rdatalist == NULL) {
+		fprintf(stderr, "memory allocation for rdatalist failed\n");
+		exit(1);
+	}
+	dns_rdatalist_init(rdatalist);
+	rdatalist->type = rdatatype;
+	rdatalist->rdclass = rdataclass;
+	rdatalist->covers = rdatatype;
+	rdatalist->ttl = (dns_ttl_t)ttl;
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL) {
+		fprintf(stderr, "memory allocation for rdataset failed\n");
+		exit(1);
+	}
+	dns_rdataset_init(rdataset);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+make_prereq(isc_mem_t *mctx, char *cmdline, isc_boolean_t ispositive,
+	    isc_boolean_t isrrset, dns_name_t *name)
+{
+	isc_result_t result;
+	char *word;
+	isc_textregion_t region;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+
+	/*
+	 * Read the owner name
+	 */
+	parse_name(&cmdline, name);
+
+	/*
+	 * If this is an rrset prereq, read the class or type.
+	 */
+	if (isrrset) {
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			fprintf(stderr, "could not read class or type\n");
+			exit(1);
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdataclass_fromtext(&rdataclass, ®ion);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Now read the type.
+			 */
+			word = nsu_strsep(&cmdline, " \t\r\n");
+			if (word == NULL || *word == 0) {
+				fprintf(stderr, "could not read type\n");
+				exit(1);
+			}
+			region.base = word;
+			region.length = strlen(word);
+			result = dns_rdatatype_fromtext(&rdatatype, ®ion);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				exit(1);
+			}
+		} else {
+			rdataclass = default_rdataclass;
+			result = dns_rdatatype_fromtext(&rdatatype, ®ion);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				exit(1);
+			}
+		}
+	} else
+		rdatatype = dns_rdatatype_any;
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fprintf(stderr, "memory allocation for rdata failed\n");
+		exit(1);
+	}
+	dns_rdata_init(rdata);
+
+	if (isrrset && ispositive)
+		parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+	else
+		rdata->flags = DNS_RDATA_UPDATE;
+
+	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+	if (rdatalist == NULL) {
+		fprintf(stderr, "memory allocation for rdatalist failed\n");
+		exit(1);
+	}
+	dns_rdatalist_init(rdatalist);
+	rdatalist->type = rdatatype;
+	if (ispositive) {
+		if (isrrset && rdata->data != NULL)
+			rdatalist->rdclass = rdataclass;
+		else
+			rdatalist->rdclass = dns_rdataclass_any;
+	} else
+		rdatalist->rdclass = dns_rdataclass_none;
+	rdatalist->covers = 0;
+	rdatalist->ttl = 0;
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatatype;
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL) {
+		fprintf(stderr, "memory allocation for rdataset failed\n");
+		exit(1);
+	}
+	dns_rdataset_init(rdataset);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name) {
+	char *word;
+	isc_boolean_t ispositive, isrrset;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read operation code\n");
+		exit(1);
+	}
+	if (strcasecmp(word, "nxdomain") == 0) {
+		ispositive = ISC_FALSE;
+		isrrset = ISC_FALSE;
+	} else if (strcasecmp(word, "yxdomain") == 0) {
+		ispositive = ISC_TRUE;
+		isrrset = ISC_FALSE;
+	} else if (strcasecmp(word, "nxrrset") == 0) {
+		ispositive = ISC_FALSE;
+		isrrset = ISC_TRUE;
+	} else if (strcasecmp(word, "yxrrset") == 0) {
+		ispositive = ISC_TRUE;
+		isrrset = ISC_TRUE;
+	} else {
+		fprintf(stderr, "incorrect operation code: %s\n", word);
+		exit(1);
+	}
+	
+	make_prereq(mctx, cmdline, ispositive, isrrset, name);
+}
+
+static void
+setup_tsec(char *keyfile, isc_mem_t *mctx) {
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	dns_tsectype_t tsectype;
+
+	result = dst_key_fromnamedfile(keyfile, NULL,
+				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+				       &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not read key from %s: %s\n",
+			keyfile, isc_result_totext(result));
+		exit(1);
+	}
+
+	if (dst_key_alg(dstkey) == DST_ALG_HMACMD5)
+		tsectype = dns_tsectype_tsig;
+	else
+		tsectype = dns_tsectype_sig0;
+
+	result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create tsec: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+}
diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c
new file mode 100644
index 0000000000..64797955c6
--- /dev/null
+++ b/lib/export/samples/sample.c
@@ -0,0 +1,373 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+static char *algname;
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		printf("[WARN: empty]\n");
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+usage() {
+	fprintf(stderr, "sample [-t RRtype] " 
+		"[[-a algorithm] [-e] -k keyname -K keystring] "
+		"[-s domain:serveraddr_for_domain ] "
+		"server_address hostname\n");
+
+	exit(1);
+}
+
+static void
+set_key(dns_client_t *client, char *keynamestr, char *keystr,
+	isc_boolean_t is_sep, isc_mem_t **mctxp)
+{
+	isc_result_t result;
+	dns_fixedname_t fkeyname;
+	size_t namelen;
+	dns_name_t *keyname;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_buffer_t b;
+	isc_textregion_t tr;
+	isc_region_t r;
+	dns_secalg_t alg;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to crate mctx\n");
+		exit(1);
+	}
+
+	if (algname != NULL) {
+		tr.base = algname;
+		tr.length = strlen(algname);
+		result = dns_secalg_fromtext(&alg, &tr);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to identify the algorithm\n");
+			exit(1);
+		}
+	} else
+		alg = DNS_KEYALG_RSASHA1;
+
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
+	if (is_sep)
+		keystruct.flags |= DNS_KEYFLAG_KSK;	
+	keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
+	keystruct.algorithm = alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+	result = isc_base64_decodestring(keystr, &keydatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "base64 decode failed\n");
+		exit(1);
+	}
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+
+	result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+				      keystruct.common.rdtype,
+				      &keystruct, &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key rdata\n");
+		exit(1);
+	}
+	namelen = strlen(keynamestr);
+	isc_buffer_init(&b, keynamestr, namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&fkeyname);
+	keyname = dns_fixedname_name(&fkeyname);
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key name\n");
+		exit(1);
+	}
+	result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+					  keyname, &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to add key for %s\n",
+			keynamestr);
+		exit(1);
+	}
+}
+
+static void
+addserver(dns_client_t *client, const char *addrstr, const char *namespace) {
+	struct addrinfo hints, *res;
+	int gai_error;
+	isc_sockaddr_t sa;
+	isc_sockaddrlist_t servers;
+	isc_result_t result;
+	size_t namelen;
+	isc_buffer_t b;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	gai_error = getaddrinfo(addrstr, "53", &hints, &res);
+	if (gai_error != 0) {
+		fprintf(stderr, "getaddrinfo failed: %s\n",
+			gai_strerror(gai_error));
+		exit(1);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sa.type));
+	memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
+	freeaddrinfo(res);
+	sa.length = res->ai_addrlen;
+	ISC_LINK_INIT(&sa, link);
+	ISC_LIST_INIT(servers);
+	ISC_LIST_APPEND(servers, &sa, link);
+
+	if (namespace != NULL) {
+		namelen = strlen(namespace);
+		isc_buffer_init(&b, namespace, namelen);
+		isc_buffer_add(&b, namelen);
+		dns_fixedname_init(&fname);
+		name = dns_fixedname_name(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to convert qname: %d\n",
+				result);
+			exit(1);
+		}
+	}
+
+	result = dns_client_setservers(client, dns_rdataclass_in, name,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "set server failed: %d\n", result);
+		exit(1);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	isc_textregion_t tr;
+	char *altserver = NULL;
+	char *altserveraddr = NULL;
+	char *altservername = NULL;
+	dns_client_t *client = NULL;
+	char *keynamestr = NULL;
+	char *keystr = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_fixedname_t qname0;
+	size_t namelen;
+	dns_name_t *qname, *name;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	dns_rdataset_t *rdataset;
+	dns_namelist_t namelist;
+	isc_mem_t *keymctx = NULL;
+	unsigned int clientopt, resopt;
+	isc_boolean_t is_sep = ISC_FALSE;
+
+	while ((ch = getopt(argc, argv, "a:es:t:k:K:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = optarg;
+			tr.length = strlen(optarg);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n", optarg);
+				exit(1);
+			}
+			break;
+		case 'a':
+			algname = optarg;
+			break;
+		case 'e':
+			is_sep = ISC_TRUE;
+			break;
+		case 's':
+			if (altserver != NULL) {
+				fprintf(stderr, "alternate server "
+					"already defined: %s\n",
+					altserver);
+				exit(1);
+			}
+			altserver = optarg;
+			break;
+		case 'k':
+			keynamestr = optarg;
+			break;
+		case 'K':
+			keystr = optarg;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+	if (argc < 2)
+		usage();
+
+	if (altserver != NULL) {
+		char *cp;
+
+		cp = strchr(altserver, ':');
+		if (cp == NULL) {
+			fprintf(stderr, "invalid alternate server: %s\n",
+				altserver);
+			exit(1);
+		}
+		*cp = '\0';
+		altservername = altserver;
+		altserveraddr = cp + 1;
+	}
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		exit(1);
+	}
+
+	clientopt = 0;
+	result = dns_client_create(&client, clientopt);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %d\n", result);
+		exit(1);
+	}
+
+	/* Set the nameserver */
+	addserver(client, argv[0], NULL);
+
+	/* Set the alternate nameserver (when specified) */
+	if (altserver != NULL)
+		addserver(client, altserveraddr, altservername);
+
+	/* Install DNSSEC key (if given) */
+	if (keynamestr != NULL) {
+		if (keystr == NULL) {
+			fprintf(stderr,
+				"key string is missing "
+				"while key name is provided\n");
+			exit(1);
+		}
+		set_key(client, keynamestr, keystr, is_sep, &keymctx);
+	}
+
+	/* Construct qname */
+	namelen = strlen(argv[1]);
+	isc_buffer_init(&b, argv[1], namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&qname0);
+	qname = dns_fixedname_name(&qname0);
+	result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		fprintf(stderr, "failed to convert qname: %d\n", result);
+
+	/* Perform resolution */
+	resopt = 0;
+	if (keynamestr == NULL)
+		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+	ISC_LIST_INIT(namelist);
+	result = dns_client_resolve(client, qname, dns_rdataclass_in, type,
+				    resopt, &namelist);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"resolution failed: %s\n", dns_result_totext(result));
+	}
+	for (name = ISC_LIST_HEAD(namelist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (printdata(rdataset, name) != ISC_R_SUCCESS)
+				fprintf(stderr, "print data failed\n");
+		}
+	}
+
+	dns_client_freeresanswer(client, &namelist);
+
+	/* Cleanup */
+	dns_client_destroy(&client);
+	if (keynamestr != NULL)
+		isc_mem_destroy(&keymctx);
+	dns_lib_shutdown();
+
+	exit(0);
+}
diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in
new file mode 100644
index 0000000000..9504794db1
--- /dev/null
+++ b/lib/irs/Makefile.in
@@ -0,0 +1,80 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBIRS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I./include -I${srcdir}/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		context.@O@ \
+		dnsconf.@O@ \
+		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+		resconf.@O@
+
+# Alphabetically
+SRCS =		context.c \
+		dnsconf.c \
+		gai_sterror.c getaddrinfo.c getnameinfo.c \
+		resconf.c
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+TARGETS =	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+	${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} version.@O@ ${LIBS}
+
+timestamp: libirs.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+	rm -f libirs.@A@ libirs.la timestamp
diff --git a/lib/irs/api b/lib/irs/api
new file mode 100644
index 0000000000..2240cdda3a
--- /dev/null
+++ b/lib/irs/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 50
+LIBREVISION = 1
+LIBAGE = 0
diff --git a/lib/irs/context.c b/lib/irs/context.c
new file mode 100644
index 0000000000..59ecd0e63b
--- /dev/null
+++ b/lib/irs/context.c
@@ -0,0 +1,399 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#define IRS_CONTEXT_MAGIC		ISC_MAGIC('I', 'R', 'S', 'c')
+#define IRS_CONTEXT_VALID(c)		ISC_MAGIC_VALID(c, IRS_CONTEXT_MAGIC)
+
+#ifndef RESOLV_CONF
+/*% location of resolve.conf */
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+
+#ifndef DNS_CONF
+/*% location of dns.conf */
+#define DNS_CONF "/etc/dns.conf"
+#endif
+
+#ifndef ISC_PLATFORM_USETHREADS
+irs_context_t *irs_g_context = NULL;
+#else
+static isc_boolean_t thread_key_initialized = ISC_FALSE;
+static isc_mutex_t thread_key_mutex;
+static isc_thread_key_t irs_context_key;
+static isc_once_t once = ISC_ONCE_INIT;
+#endif
+
+
+struct irs_context {
+	/*
+	 * An IRS context is a thread-specific object, and does not need to
+	 * be locked.
+	 */
+	unsigned int			magic;
+	isc_mem_t			*mctx;
+	isc_appctx_t			*actx;
+	isc_taskmgr_t			*taskmgr;
+	isc_task_t			*task;
+	isc_socketmgr_t			*socketmgr;
+	isc_timermgr_t			*timermgr;
+	dns_client_t			*dnsclient;
+	irs_resconf_t			*resconf;
+	irs_dnsconf_t			*dnsconf;
+};
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static void
+free_specific_context(void *arg) {
+	irs_context_t *context = arg;
+
+	irs_context_destroy(&context);
+
+	isc_thread_key_setspecific(irs_context_key, NULL);
+}
+
+static void
+thread_key_mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
+}
+
+static isc_result_t
+thread_key_init() {
+	isc_result_t result;
+
+	result = isc_once_do(&once, thread_key_mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!thread_key_initialized) {
+		LOCK(&thread_key_mutex);
+
+		if (!thread_key_initialized &&
+		    isc_thread_key_create(&irs_context_key,
+					  free_specific_context) != 0) {
+			result = ISC_R_FAILURE;
+		} else
+			thread_key_initialized = ISC_TRUE;
+
+		UNLOCK(&thread_key_mutex);
+	}
+
+	return (result);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp) {
+	irs_context_t *context;
+	isc_result_t result;
+
+	REQUIRE(contextp != NULL && *contextp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+	if (irs_g_context == NULL) {
+		result = irs_context_create(&irs_g_context);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	context = irs_g_context;
+#else
+	result = thread_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	context = isc_thread_key_getspecific(irs_context_key);
+	if (context == NULL) {
+		result = irs_context_create(&context);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = isc_thread_key_setspecific(irs_context_key, context);
+		if (result != ISC_R_SUCCESS) {
+			irs_context_destroy(&context);
+			return (result);
+		}
+	}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	*contextp = context;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+irs_context_create(irs_context_t **contextp) {
+	isc_result_t result;
+	irs_context_t *context;
+	isc_appctx_t *actx = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_client_t *client = NULL;
+	isc_sockaddrlist_t *nameservers;
+	irs_dnsconf_dnskeylist_t *trustedkeys;
+	irs_dnsconf_dnskey_t *trustedkey;
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS) {
+		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+		return (result);
+	}
+
+	context = isc_mem_get(mctx, sizeof(*context));
+	if (context == NULL) {
+		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+		return (ISC_R_NOMEMORY);
+	}
+
+	context->mctx = mctx;
+	context->actx = actx;
+	context->taskmgr = taskmgr;
+	context->socketmgr = socketmgr;
+	context->timermgr = timermgr;
+	context->resconf = NULL;
+	context->dnsconf = NULL;
+	context->task = NULL;
+	result = isc_task_create(taskmgr, 0, &context->task);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/* Create a DNS client object */
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    0, &client);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	context->dnsclient = client;
+
+	/* Read resolver configuration file */
+	result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	/* Set nameservers */
+	nameservers = irs_resconf_getnameservers(context->resconf);
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       nameservers);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/* Read advanced DNS configuration (if any) */
+	result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
+	for (trustedkey = ISC_LIST_HEAD(*trustedkeys);
+	     trustedkey != NULL;
+	     trustedkey = ISC_LIST_NEXT(trustedkey, link)) {
+		result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+						  trustedkey->keyname,
+						  trustedkey->keydatabuf);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	context->magic = IRS_CONTEXT_MAGIC;
+	*contextp = context;
+
+	return (ISC_R_SUCCESS);
+
+  fail:
+	if (context->task != NULL)
+		isc_task_detach(&context->task);
+	if (context->resconf != NULL)
+		irs_resconf_destroy(&context->resconf);
+	if (context->dnsconf != NULL)
+		irs_dnsconf_destroy(&context->dnsconf);
+	if (client != NULL)
+		dns_client_destroy(&client);
+	ctxs_destroy(NULL, &actx, &taskmgr, &socketmgr, &timermgr);
+	isc_mem_putanddetach(&mctx, context, sizeof(*context));
+
+	return (result);
+}
+
+void
+irs_context_destroy(irs_context_t **contextp) {
+	irs_context_t *context;
+
+	REQUIRE(contextp != NULL);
+	context = *contextp;
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	isc_task_detach(&context->task);
+	irs_dnsconf_destroy(&context->dnsconf);
+	irs_resconf_destroy(&context->resconf);
+	dns_client_destroy(&context->dnsclient);
+
+	ctxs_destroy(NULL, &context->actx, &context->taskmgr,
+		     &context->socketmgr, &context->timermgr);
+
+	context->magic = 0;
+
+	isc_mem_putanddetach(&context->mctx, context, sizeof(*context));
+
+	*contextp = NULL;
+
+#ifndef ISC_PLATFORM_USETHREADS
+	irs_g_context = NULL;
+#else
+	(void)isc_thread_key_setspecific(irs_context_key, NULL);
+#endif
+}
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->mctx);
+}
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->actx);
+}
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->taskmgr);
+}
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->timermgr);
+}
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->task);
+}
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsclient);
+}
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->resconf);
+}
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsconf);
+}
diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c
new file mode 100644
index 0000000000..1aa339e103
--- /dev/null
+++ b/lib/irs/dnsconf.c
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+/*! \file */
+
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#define IRS_DNSCONF_MAGIC		ISC_MAGIC('D', 'c', 'f', 'g')
+#define IRS_DNSCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_DNSCONF_MAGIC)
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_dnsconf {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	irs_dnsconf_dnskeylist_t trusted_keylist;
+};
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+		     dns_rdataclass_t rdclass)
+{
+	isc_mem_t *mctx = conf->mctx;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key, *keylist;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname_base, *keyname;
+	const cfg_listelt_t *element, *element2;
+	isc_result_t result;
+	isc_uint32_t flags, proto, alg;
+	const char *keystr, *keynamestr;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf_base, *keydatabuf;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	irs_dnsconf_dnskey_t *keyent;
+
+	cfg_map_get(cfgobj, "trusted-keys", &keys);
+	if (keys == NULL)
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			keydatabuf = NULL;
+			keyname = NULL;
+
+			key = cfg_listelt_value(element2);
+
+			flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+			proto = cfg_obj_asuint32(cfg_tuple_get(key,
+							       "protocol"));
+			alg = cfg_obj_asuint32(cfg_tuple_get(key,
+							     "algorithm"));
+			keynamestr = cfg_obj_asstring(cfg_tuple_get(key,
+								    "name"));
+
+			keystruct.common.rdclass = rdclass;
+			keystruct.common.rdtype = dns_rdatatype_dnskey;
+			keystruct.mctx = NULL;
+			ISC_LINK_INIT(&keystruct.common, link);
+
+			if (flags > 0xffff)
+				return (ISC_R_RANGE);
+			if (proto > 0xff)
+				return (ISC_R_RANGE);
+			if (alg > 0xff)
+				return (ISC_R_RANGE);
+			keystruct.flags = (isc_uint16_t)flags;
+			keystruct.protocol = (isc_uint8_t)proto;
+			keystruct.algorithm = (isc_uint8_t)alg;
+
+			isc_buffer_init(&keydatabuf_base, keydata,
+					sizeof(keydata));
+			isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+			/* Configure key value */
+			keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+			result = isc_base64_decodestring(keystr,
+							 &keydatabuf_base);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_usedregion(&keydatabuf_base, &r);
+			keystruct.datalen = r.length;
+			keystruct.data = r.base;
+
+			result = dns_rdata_fromstruct(NULL,
+						      keystruct.common.rdclass,
+						      keystruct.common.rdtype,
+						      &keystruct, &rrdatabuf);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_usedregion(&rrdatabuf, &r);
+			result = isc_buffer_allocate(mctx, &keydatabuf,
+						     r.length);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			result = isc_buffer_copyregion(keydatabuf, &r);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			/* Configure key name */
+			dns_fixedname_init(&fkeyname);
+			keyname_base = dns_fixedname_name(&fkeyname);
+			isc_buffer_init(&namebuf, keynamestr,
+					strlen(keynamestr));
+			isc_buffer_add(&namebuf, strlen(keynamestr));
+			result = dns_name_fromtext(keyname_base, &namebuf,
+						   dns_rootname, 0, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			keyname = isc_mem_get(mctx, sizeof(*keyname));
+			if (keyname == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			dns_name_init(keyname, NULL);
+			result = dns_name_dup(keyname_base, mctx, keyname);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			/* Add the key data to the list */
+			keyent = isc_mem_get(mctx, sizeof(*keyent));
+			if (keyent == NULL) {
+				dns_name_free(keyname, mctx);
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			keyent->keyname = keyname;
+			keyent->keydatabuf = keydatabuf;
+
+			ISC_LIST_APPEND(conf->trusted_keylist, keyent, link);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (keydatabuf != NULL)
+		isc_buffer_free(&keydatabuf);
+	if (keyname != NULL)
+		isc_mem_put(mctx, keyname, sizeof(*keyname));
+		
+	return (result);
+}
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp)
+{
+	irs_dnsconf_t *conf;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *cfgobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+	if (conf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->trusted_keylist);
+
+	/*
+	 * If the specified file does not exist, we'll simply with an empty
+	 * configuration.
+	 */
+	if (!isc_file_exists(filename))
+		goto cleanup;
+
+	result = cfg_parser_create(mctx, NULL, &parser);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_parse_file(parser, filename, &cfg_type_dnsconf,
+				&cfgobj);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = configure_dnsseckeys(conf, cfgobj, dns_rdataclass_in);
+
+ cleanup:
+	if (parser != NULL) {
+		if (cfgobj != NULL)
+			cfg_obj_destroy(parser, &cfgobj);
+		cfg_parser_destroy(&parser);
+	}
+
+	conf->magic = IRS_DNSCONF_MAGIC;
+
+	if (result == ISC_R_SUCCESS)
+		*confp = conf;
+	else
+		irs_dnsconf_destroy(&conf);
+
+	return (result);
+}
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp) {
+	irs_dnsconf_t *conf;
+	irs_dnsconf_dnskey_t *keyent;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
+		ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
+
+		isc_buffer_free(&keyent->keydatabuf);
+		dns_name_free(keyent->keyname, conf->mctx);
+		isc_mem_put(conf->mctx, keyent->keyname, sizeof(dns_name_t));
+		isc_mem_put(conf->mctx, keyent, sizeof(*keyent));
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+	*confp = NULL;
+}
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf) {
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	return (&conf->trusted_keylist);
+}
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
new file mode 100644
index 0000000000..ce31df95c6
--- /dev/null
+++ b/lib/irs/gai_strerror.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gai_strerror.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+/*! \file gai_strerror.c
+ * gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo() and getnameinfo(). The following error
+ * codes and their meaning are defined in
+ * \link netdb.h include/irs/netdb.h.\endlink
+ * This implementation is almost an exact copy of lwres/gai_sterror.c except
+ * that it catches up the latest API standard, RFC3493.
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname (obsoleted in RFC3493)
+ * \li #EAI_NONAME hostname nor servname provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ * \li #EAI_BADHINTS Invalid value for hints (non-standard)
+ * \li #EAI_PROTOCOL Resolved protocol is unknown (non-standard)
+ * \li #EAI_OVERFLOW Argument buffer overflow
+ * \li #EAI_INSECUREDATA Insecure Data (experimental)
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
+ */
+#include 
+
+/*% Text of error messages. */
+static const char *gai_messages[] = {
+	"no error",
+	"address family for hostname not supported",
+	"temporary failure in name resolution",
+	"invalid value for ai_flags",
+	"non-recoverable failure in name resolution",
+	"ai_family not supported",
+	"memory allocation failure",
+	"no address associated with hostname",
+	"hostname nor servname provided, or not known",
+	"servname not supported for ai_socktype",
+	"ai_socktype not supported",
+	"system error returned in errno",
+	"bad hints",
+	"bad protocol",
+	"argument buffer overflow",
+	"insecure data provided"
+};
+
+/*%
+ * Returns an error message corresponding to an error code returned by
+ * getaddrinfo() and getnameinfo()
+ */
+const char *
+gai_strerror(int ecode) {
+	union {
+		const char *const_ptr;
+		char *deconst_ptr;
+	} ptr;
+
+	if ((ecode < 0) ||
+	    (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
+		ptr.const_ptr = "invalid error code";
+	else
+		ptr.const_ptr = gai_messages[ecode];
+	return (ptr.deconst_ptr);
+}
diff --git a/lib/irs/getaddrinfo.c b/lib/irs/getaddrinfo.c
new file mode 100644
index 0000000000..a86b82905a
--- /dev/null
+++ b/lib/irs/getaddrinfo.c
@@ -0,0 +1,1299 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001  Internet Software Consortium.
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddrinfo.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+/*! \file */
+
+/**
+ *    getaddrinfo() is used to get a list of IP addresses and port
+ *    numbers for host hostname and service servname as defined in RFC3493.
+ *    hostname and servname are pointers to null-terminated strings
+ *    or NULL. hostname is either a host name or a numeric host address
+ *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ *    either a decimal port number or a service name as listed in
+ *    /etc/services.
+ * 
+ *    If the operating system does not provide a struct addrinfo, the
+ *    following structure is used:
+ * 
+ * \code
+ * struct  addrinfo {
+ *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
+ *         int             ai_family;      // PF_xxx
+ *         int             ai_socktype;    // SOCK_xxx
+ *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
+ *         size_t          ai_addrlen;     // length of ai_addr
+ *         char            *ai_canonname;  // canonical name for hostname
+ *         struct sockaddr *ai_addr;       // binary address
+ *         struct addrinfo *ai_next;       // next structure in linked list
+ * };
+ * \endcode
+ * 
+ * 
+ *    hints is an optional pointer to a struct addrinfo. This structure can
+ *    be used to provide hints concerning the type of socket that the caller
+ *    supports or wishes to use. The caller can supply the following
+ *    structure elements in *hints:
+ * 
+ * 
    
+ *    
  • ai_family:
+ *           The protocol family that should be used. When ai_family is set
+ *           to PF_UNSPEC, it means the caller will accept any protocol
+ *           family supported by the operating system.
    • 
+ * 
+ *    
  • ai_socktype:
+ *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ *           will accept any socket type.
    • 
+ * 
+ *    
  • ai_protocol:
+ *           indicates which transport protocol is wanted: IPPROTO_UDP or
+ *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ *           protocol.
    • 
+ * 
+ *    
  • ai_flags:
+ *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ *           getaddrinfo() will return a null-terminated string
+ *           containing the canonical name of the specified hostname in
+ *           ai_canonname of the first addrinfo structure returned. Setting
+ *           the AI_PASSIVE bit indicates that the returned socket address
+ *           structure is intended for used in a call to bind(2). In this
+ *           case, if the hostname argument is a NULL pointer, then the IP
+ *           address portion of the socket address structure will be set to
+ *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ *           address.

    
+ * 
+ *           When ai_flags does not set the AI_PASSIVE bit, the returned
+ *           socket address structure will be ready for use in a call to
+ *           connect(2) for a connection-oriented protocol or connect(2),
+ *           sendto(2), or sendmsg(2) if a connectionless protocol was
+ *           chosen. The IP address portion of the socket address structure
+ *           will be set to the loopback address if hostname is a NULL
+ *           pointer and AI_PASSIVE is not set in ai_flags.

    
+ * 
+ *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ *           should be treated as a numeric string defining an IPv4 or IPv6
+ *           address and no name resolution should be attempted.
+ * 

+ * 
+ *    All other elements of the struct addrinfo passed via hints must be
+ *    zero.
+ * 
+ *    A hints of NULL is treated as if the caller provided a struct addrinfo
+ *    initialized to zero with ai_familyset to PF_UNSPEC.
+ * 
+ *    After a successful call to getaddrinfo(), *res is a pointer to a
+ *    linked list of one or more addrinfo structures. Each struct addrinfo
+ *    in this list cn be processed by following the ai_next pointer, until a
+ *    NULL pointer is encountered. The three members ai_family, ai_socktype,
+ *    and ai_protocol in each returned addrinfo structure contain the
+ *    corresponding arguments for a call to socket(2). For each addrinfo
+ *    structure in the list, the ai_addr member points to a filled-in socket
+ *    address structure of length ai_addrlen.
+ * 
+ *    All of the information returned by getaddrinfo() is dynamically
+ *    allocated: the addrinfo structures, and the socket address structures
+ *    and canonical host name strings pointed to by the addrinfostructures.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to getaddrinfo() is released by freeaddrinfo().
+ *    ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
+ * 
+ * \section irsreturn RETURN VALUES
+ * 
+ *    getaddrinfo() returns zero on success or one of the error codes
+ *    listed in gai_strerror() if an error occurs. If both hostname and
+ *    servname are NULL getaddrinfo() returns #EAI_NONAME.
+ * 
+ * \section irssee SEE ALSO
+ * 
+ *    getaddrinfo(), freeaddrinfo(),
+ *    gai_strerror(), RFC3493, getservbyname(3), connect(2),
+ *    sendto(2), sendmsg(2), socket(2).
+ */
+
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#define SA(addr)	((struct sockaddr *)(addr))
+#define SIN(addr)	((struct sockaddr_in *)(addr))
+#define SIN6(addr)	((struct sockaddr_in6 *)(addr))
+#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
+
+/*! \struct addrinfo
+ */
+static struct addrinfo
+	*ai_concat(struct addrinfo *ai1, struct addrinfo *ai2),
+	*ai_reverse(struct addrinfo *oai),
+	*ai_clone(struct addrinfo *oai, int family),
+	*ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int get_local(const char *name, int socktype, struct addrinfo **res);
+#endif
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+	     struct addrinfo **aip, int socktype, int port);
+
+static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+		    int socktype, int port);
+static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+		    int socktype, int port);
+static void set_order(int, int (**)(const char *, int, struct addrinfo **,
+				    int, int));
+
+#define FOUND_IPV4	0x1
+#define FOUND_IPV6	0x2
+#define FOUND_MAX	2
+
+#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
+/*%
+ * Get a list of IP addresses and port numbers for host hostname and
+ * service servname.
+ */
+int
+getaddrinfo(const char *hostname, const char *servname,
+	    const struct addrinfo *hints, struct addrinfo **res)
+{
+	struct servent *sp;
+	const char *proto;
+	int family, socktype, flags, protocol;
+	struct addrinfo *ai, *ai_list;
+	int err = 0;
+	int port, i;
+	int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
+				      int, int);
+
+	if (hostname == NULL && servname == NULL)
+		return (EAI_NONAME);
+
+	proto = NULL;
+	if (hints != NULL) {
+		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
+			return (EAI_BADFLAGS);
+		if (hints->ai_addrlen || hints->ai_canonname ||
+		    hints->ai_addr || hints->ai_next) {
+			errno = EINVAL;
+			return (EAI_SYSTEM);
+		}
+		family = hints->ai_family;
+		socktype = hints->ai_socktype;
+		protocol = hints->ai_protocol;
+		flags = hints->ai_flags;
+		switch (family) {
+		case AF_UNSPEC:
+			switch (hints->ai_socktype) {
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			}
+			break;
+		case AF_INET:
+		case AF_INET6:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			case SOCK_RAW:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#ifdef	AF_LOCAL
+		case AF_LOCAL:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				break;
+			case SOCK_DGRAM:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#endif
+		default:
+			return (EAI_FAMILY);
+		}
+	} else {
+		protocol = 0;
+		family = 0;
+		socktype = 0;
+		flags = 0;
+	}
+
+#ifdef	AF_LOCAL
+	/*!
+	 * First, deal with AF_LOCAL.  If the family was not set,
+	 * then assume AF_LOCAL if the first character of the
+	 * hostname/servname is '/'.
+	 */
+
+	if (hostname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+		return (get_local(hostname, socktype, res));
+
+	if (servname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
+		return (get_local(servname, socktype, res));
+#endif
+
+	/*
+	 * Ok, only AF_INET and AF_INET6 left.
+	 */
+	ai_list = NULL;
+
+	/*
+	 * First, look up the service name (port) if it was
+	 * requested.  If the socket type wasn't specified, then
+	 * try and figure it out.
+	 */
+	if (servname != NULL) {
+		char *e;
+
+		port = strtol(servname, &e, 10);
+		if (*e == '\0') {
+			if (socktype == 0)
+				return (EAI_SOCKTYPE);
+			if (port < 0 || port > 65535)
+				return (EAI_SERVICE);
+			port = htons((unsigned short) port);
+		} else {
+			sp = getservbyname(servname, proto);
+			if (sp == NULL)
+				return (EAI_SERVICE);
+			port = sp->s_port;
+			if (socktype == 0) {
+				if (strcmp(sp->s_proto, "tcp") == 0)
+					socktype = SOCK_STREAM;
+				else if (strcmp(sp->s_proto, "udp") == 0)
+					socktype = SOCK_DGRAM;
+			}
+		}
+	} else
+		port = 0;
+
+	/*
+	 * Next, deal with just a service name, and no hostname.
+	 * (we verified that one of them was non-null up above).
+	 */
+	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+		if (family == AF_INET || family == 0) {
+			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN(ai->ai_addr)->sin_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		if (family == AF_INET6 || family == 0) {
+			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+			if (ai == NULL) {
+				freeaddrinfo(ai_list);
+				return (EAI_MEMORY);
+			}
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN6(ai->ai_addr)->sin6_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		*res = ai_list;
+		return (0);
+	}
+
+	/*
+	 * If the family isn't specified or AI_NUMERICHOST specified, check
+	 * first to see if it is a numeric address.
+	 * Though the gethostbyname2() routine will recognize numeric addresses,
+	 * it will only recognize the format that it is being called for.  Thus,
+	 * a numeric AF_INET address will be treated by the AF_INET6 call as
+	 * a domain name, and vice versa.  Checking for both numerics here
+	 * avoids that.
+	 */
+	if (hostname != NULL &&
+	    (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
+		char abuf[sizeof(struct in6_addr)];
+		char nbuf[NI_MAXHOST];
+		int addrsize, addroff;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		char *p, *ep;
+		char ntmp[NI_MAXHOST];
+		isc_uint32_t scopeid;
+#endif
+
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		/*
+		 * Scope identifier portion.
+		 */
+		ntmp[0] = '\0';
+		if (strchr(hostname, '%') != NULL) {
+			strncpy(ntmp, hostname, sizeof(ntmp) - 1);
+			ntmp[sizeof(ntmp) - 1] = '\0';
+			p = strchr(ntmp, '%');
+			ep = NULL;
+
+			/*
+			 * Vendors may want to support non-numeric
+			 * scopeid around here.
+			 */
+
+			if (p != NULL)
+				scopeid = (isc_uint32_t)strtoul(p + 1,
+								&ep, 10);
+			if (p != NULL && ep != NULL && ep[0] == '\0')
+				*p = '\0';
+			else {
+				ntmp[0] = '\0';
+				scopeid = 0;
+			}
+		} else
+			scopeid = 0;
+#endif
+
+		if (inet_pton(AF_INET, hostname, (struct in_addr *)abuf)
+		    == 1) {
+			if (family == AF_INET6) {
+				/*
+				 * Convert to a V4 mapped address.
+				 */
+				struct in6_addr *a6 = (struct in6_addr *)abuf;
+				memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+				memset(&a6->s6_addr[10], 0xff, 2);
+				memset(&a6->s6_addr[0], 0, 10);
+				goto inet6_addr;
+			}
+			addrsize = sizeof(struct in_addr);
+			addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
+			family = AF_INET;
+			goto common;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		} else if (ntmp[0] != '\0' &&
+			   inet_pton(AF_INET6, ntmp, abuf) == 1) {
+			if (family && family != AF_INET6)
+				return (EAI_NONAME);
+			addrsize = sizeof(struct in6_addr);
+			addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+			family = AF_INET6;
+			goto common;
+#endif
+		} else if (inet_pton(AF_INET6, hostname, abuf) == 1) {
+			if (family != 0 && family != AF_INET6)
+				return (EAI_NONAME);
+		inet6_addr:
+			addrsize = sizeof(struct in6_addr);
+			addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+			family = AF_INET6;
+
+		common:
+			ai = ai_alloc(family,
+				      ((family == AF_INET6) ?
+				       sizeof(struct sockaddr_in6) :
+				       sizeof(struct sockaddr_in)));
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai_list = ai;
+			ai->ai_socktype = socktype;
+			SIN(ai->ai_addr)->sin_port = port;
+			memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
+			if ((flags & AI_CANONNAME) != 0) {
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+				if (ai->ai_family == AF_INET6)
+					SIN6(ai->ai_addr)->sin6_scope_id =
+						scopeid;
+#endif
+				if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+						nbuf, sizeof(nbuf), NULL, 0,
+						NI_NUMERICHOST) == 0) {
+					ai->ai_canonname = strdup(nbuf);
+					if (ai->ai_canonname == NULL) {
+						freeaddrinfo(ai);
+						return (EAI_MEMORY);
+					}
+				} else {
+					/* XXX raise error? */
+					ai->ai_canonname = NULL;
+				}
+			}
+			goto done;
+		} else if ((flags & AI_NUMERICHOST) != 0) {
+			return (EAI_NONAME);
+		}
+	}
+
+	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+		set_order(family, net_order);
+		for (i = 0; i < FOUND_MAX; i++) {
+			if (net_order[i] == NULL)
+				break;
+			err = (net_order[i])(hostname, flags, &ai_list,
+					     socktype, port);
+			if (err != 0) {
+				if (ai_list != NULL)
+					freeaddrinfo(ai_list);
+				break;
+			}
+		}
+	} else
+		err = resolve_name(family, hostname, flags, &ai_list,
+				   socktype, port);
+
+	if (ai_list == NULL) {
+		if (err == 0)
+			err = EAI_NONAME;
+		return (err);
+	}
+
+done:
+	ai_list = ai_reverse(ai_list);
+
+	*res = ai_list;
+	return (0);
+}
+
+typedef struct gai_restrans {
+	dns_clientrestrans_t	*xid;
+	isc_boolean_t		is_inprogress;
+	int			error;
+	struct addrinfo		ai_sentinel;
+	struct gai_resstate	*resstate;
+} gai_restrans_t;
+
+typedef struct gai_resstate {
+	isc_mem_t			*mctx;
+	struct gai_statehead		*head;
+	dns_fixedname_t			fixedname;
+	dns_name_t			*qname;
+	gai_restrans_t			*trans4;
+	gai_restrans_t			*trans6;
+	ISC_LINK(struct gai_resstate)	link;
+} gai_resstate_t;
+
+typedef struct gai_statehead {
+	int				ai_family;
+	int				ai_flags;
+	int				ai_socktype;
+	int				ai_port;
+	isc_appctx_t			*actx;
+	dns_client_t			*dnsclient;
+	ISC_LIST(struct gai_resstate)	resstates;
+	unsigned int			activestates;
+} gai_statehead_t;
+
+static isc_result_t
+make_resstate(isc_mem_t *mctx, gai_statehead_t *head, const char *hostname,
+	      const char *domain, gai_resstate_t **statep)
+{
+	isc_result_t result;
+	gai_resstate_t *state;
+	dns_fixedname_t fixeddomain;
+	dns_name_t *qdomain;
+	size_t namelen;
+	isc_buffer_t b;
+	isc_boolean_t need_v4 = ISC_FALSE;
+	isc_boolean_t need_v6 = ISC_FALSE;
+
+	state = isc_mem_get(mctx, sizeof(*state));
+	if (state == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* Construct base domain name */
+	namelen = strlen(domain);
+	isc_buffer_init(&b, domain, namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&fixeddomain);
+	qdomain = dns_fixedname_name(&fixeddomain);
+	result = dns_name_fromtext(qdomain, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	/* Construct query name */
+	namelen = strlen(hostname);
+	isc_buffer_init(&b, hostname, namelen);
+	isc_buffer_add(&b, namelen);
+	dns_fixedname_init(&state->fixedname);
+	state->qname = dns_fixedname_name(&state->fixedname);
+	result = dns_name_fromtext(state->qname, &b, qdomain, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET)
+		need_v4 = ISC_TRUE;
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET6)
+		need_v6 = ISC_TRUE;
+
+	state->trans6 = NULL;
+	state->trans4 = NULL;
+	if (need_v4) {
+		state->trans4 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		if (state->trans4 == NULL) {
+			isc_mem_put(mctx, state, sizeof(*state));
+			return (ISC_R_NOMEMORY);
+		}
+		state->trans4->error = 0;
+		state->trans4->xid = NULL;
+		state->trans4->resstate = state;
+		state->trans4->is_inprogress = ISC_TRUE;
+		state->trans4->ai_sentinel.ai_next = NULL;
+	}
+	if (need_v6) {
+		state->trans6 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		if (state->trans6 == NULL) {
+			if (state->trans4 != NULL)
+				isc_mem_put(mctx, state->trans4,
+					    sizeof(*state->trans4));
+			isc_mem_put(mctx, state, sizeof(*state));
+			return (ISC_R_NOMEMORY);
+		}
+		state->trans6->error = 0;
+		state->trans6->xid = NULL;
+		state->trans6->resstate = state;
+		state->trans6->is_inprogress = ISC_TRUE;
+		state->trans6->ai_sentinel.ai_next = NULL;
+	}
+
+	state->mctx = mctx;
+	state->head = head;
+	ISC_LINK_INIT(state, link);
+
+	*statep = state;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+make_resstates(isc_mem_t *mctx, const char *hostname, gai_statehead_t *head,
+	       irs_resconf_t *resconf)
+{
+	isc_result_t result;
+	irs_resconf_searchlist_t *searchlist;
+	irs_resconf_search_t *searchent;
+	gai_resstate_t *resstate, *resstate0;
+
+	resstate0 = NULL;
+	result = make_resstate(mctx, head, hostname, ".", &resstate0);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	searchlist = irs_resconf_getsearchlist(resconf);
+	for (searchent = ISC_LIST_HEAD(*searchlist); searchent != NULL;
+	     searchent = ISC_LIST_NEXT(searchent, link)) {
+		resstate = NULL;
+		result = make_resstate(mctx, head, hostname,
+				       (const char *)searchent->domain,
+				       &resstate);
+		if (result != ISC_R_SUCCESS)
+			break;
+
+		ISC_LIST_APPEND(head->resstates, resstate, link);
+		head->activestates++;
+	}
+
+	/*
+	 * Insert the original hostname either at the head or the tail of the
+	 * state list, depending on the number of labels contained in the
+	 * original name and the 'ndots' configuration parameter.
+	 */
+	if (dns_name_countlabels(resstate0->qname) >
+	    irs_resconf_getndots(resconf) + 1) {
+		ISC_LIST_PREPEND(head->resstates, resstate0, link);
+	} else
+		ISC_LIST_APPEND(head->resstates, resstate0, link);
+	head->activestates++;
+
+	if (result != ISC_R_SUCCESS) {
+		while ((resstate = ISC_LIST_HEAD(head->resstates)) != NULL) {
+			ISC_LIST_UNLINK(head->resstates, resstate, link);
+			if (resstate->trans4 != NULL) {
+				isc_mem_put(mctx, resstate->trans4,
+					    sizeof(*resstate->trans4));
+			}
+			if (resstate->trans6 != NULL) {
+				isc_mem_put(mctx, resstate->trans6,
+					    sizeof(*resstate->trans6));
+			}
+
+			isc_mem_put(mctx, resstate, sizeof(*resstate));
+		}
+	}
+
+	return (result);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+	int error = 0, family;
+	gai_restrans_t *trans = event->ev_arg;
+	gai_resstate_t *resstate;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_rdatatype_t qtype;
+	dns_name_t *name;
+
+	REQUIRE(trans != NULL);
+	resstate = trans->resstate;
+	REQUIRE(resstate != NULL);
+	REQUIRE(task != NULL);
+
+	if (trans == resstate->trans4) {
+		family = AF_INET;
+		qtype = dns_rdatatype_a;
+	} else {
+		INSIST(trans == resstate->trans6);
+		family = AF_INET6;
+		qtype = dns_rdatatype_aaaa;
+	}
+
+	INSIST(trans->is_inprogress);
+	trans->is_inprogress = ISC_FALSE;
+
+	switch (rev->result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN: /* treat this as a fatal error? */
+	case DNS_R_NCACHENXRRSET:
+		break;
+	default:
+		switch (rev->vresult) {
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			error = EAI_INSECUREDATA;
+			break;
+		default:
+			error = EAI_FAIL;
+		}
+		goto done;
+	}
+
+	/* Parse the response and construct the addrinfo chain */
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		isc_result_t result;
+		dns_rdataset_t *rdataset;
+		isc_buffer_t b;
+		isc_region_t r;
+		char t[1024];
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!dns_rdataset_isassociated(rdataset))
+				continue;
+			if (rdataset->type != qtype)
+				continue;
+
+			if ((resstate->head->ai_flags & AI_CANONNAME) != 0) {
+				isc_buffer_init(&b, t, sizeof(t));
+				result = dns_name_totext(name, ISC_TRUE, &b);
+				if (result != ISC_R_SUCCESS) {
+					error = EAI_FAIL;
+					goto done;
+				}
+				isc_buffer_putuint8(&b, '\0');
+				isc_buffer_usedregion(&b, &r);
+			}
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				struct addrinfo *ai;
+				dns_rdata_t rdata;
+				dns_rdata_in_a_t rdata_a;
+				dns_rdata_in_aaaa_t rdata_aaaa;
+
+				ai = ai_alloc(family,
+					      ((family == AF_INET6) ?
+					       sizeof(struct sockaddr_in6) :
+					       sizeof(struct sockaddr_in)));
+				if (ai == NULL) {
+					error = EAI_MEMORY;
+					goto done;
+				}
+				ai->ai_socktype = resstate->head->ai_socktype;
+				ai->ai_next = trans->ai_sentinel.ai_next;
+				trans->ai_sentinel.ai_next = ai;
+
+				/*
+				 * Set AF-specific parameters
+				 * (IPv4/v6 address/port)
+				 */
+				dns_rdata_init(&rdata);
+				switch (family) {
+				case AF_INET:
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_a,
+							   NULL);
+
+					SIN(ai->ai_addr)->sin_port =
+						resstate->head->ai_port;
+					memcpy(&SIN(ai->ai_addr)->sin_addr,
+					       &rdata_a.in_addr, 4);
+					dns_rdata_freestruct(&rdata_a);
+					break;
+				case AF_INET6:
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_aaaa,
+							   NULL);
+					SIN6(ai->ai_addr)->sin6_port =
+						resstate->head->ai_port;
+					memcpy(&SIN6(ai->ai_addr)->sin6_addr,
+					       &rdata_aaaa.in6_addr, 16);
+					dns_rdata_freestruct(&rdata_aaaa);
+					break;
+				}
+
+				if ((resstate->head->ai_flags & AI_CANONNAME)
+				    != 0) {
+					ai->ai_canonname =
+						strdup((const char *)r.base);
+					if (ai->ai_canonname == NULL) {
+						error = EAI_MEMORY;
+						goto done;
+					}
+				}
+			}
+		}
+	}
+
+ done:
+	dns_client_freeresanswer(resstate->head->dnsclient, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->xid);
+
+	isc_event_free(&event);
+
+	/* Make sure that error == 0 iff we have a non-empty list */
+	if (error == 0) {
+		if (trans->ai_sentinel.ai_next == NULL)
+			error = EAI_NONAME;
+	} else {
+		if (trans->ai_sentinel.ai_next != NULL) {
+			freeaddrinfo(trans->ai_sentinel.ai_next);
+			trans->ai_sentinel.ai_next = NULL;
+		}
+	}
+	trans->error = error;
+
+	/* Check whether we are done */
+	if ((resstate->trans4 == NULL || !resstate->trans4->is_inprogress) &&
+	    (resstate->trans6 == NULL || !resstate->trans6->is_inprogress)) {
+		/*
+		 * We're done for this state.  If there is no other outstanding
+		 * state, we can exit.
+		 */
+		resstate->head->activestates--;
+		if (resstate->head->activestates == 0) {
+			isc_app_ctxsuspend(resstate->head->actx);
+			return;
+		}
+
+		/*
+		 * There are outstanding states, but if we are at the head
+		 * of the state list (i.e., at the highest search priority)
+		 * and have any answer, we can stop now by canceling the
+		 * others. 
+		 */
+		if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
+			if ((resstate->trans4 != NULL &&
+			     resstate->trans4->ai_sentinel.ai_next != NULL) ||
+			    (resstate->trans6 != NULL &&
+			     resstate->trans6->ai_sentinel.ai_next != NULL)) {
+				gai_resstate_t *rest;
+
+				for (rest = ISC_LIST_NEXT(resstate, link);
+				     rest != NULL;
+				     rest = ISC_LIST_NEXT(rest, link)) {
+					if (rest->trans4 != NULL &&
+					    rest->trans4->xid != NULL)
+						dns_client_cancelresolve(
+							rest->trans4->xid);
+					if (rest->trans6 != NULL &&
+					    rest->trans6->xid != NULL)
+						dns_client_cancelresolve(
+							rest->trans6->xid);
+				}
+			} else {
+				/*
+				 * This search fails, so we move to the tail
+				 * of the list so that the next entry will
+				 * have the highest priority.
+				 */
+				ISC_LIST_UNLINK(resstate->head->resstates,
+						resstate, link);
+				ISC_LIST_APPEND(resstate->head->resstates,
+						resstate, link);
+			}
+		}
+	}
+}
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+	     struct addrinfo **aip, int socktype, int port)
+{
+	isc_result_t result;
+	irs_context_t *irsctx;
+	irs_resconf_t *conf;
+	isc_mem_t *mctx;
+	isc_appctx_t *actx;
+	isc_task_t *task;
+	int terror = 0;
+	int error = 0;
+	dns_client_t *client;
+	gai_resstate_t *resstate;
+	gai_statehead_t head;
+	isc_boolean_t all_fail = ISC_TRUE;
+
+	/* get IRS context and the associated parameters */
+	irsctx = NULL;
+	result = irs_context_get(&irsctx);
+	if (result != ISC_R_SUCCESS)
+		return (EAI_FAIL);
+	actx = irs_context_getappctx(irsctx);
+
+	mctx = irs_context_getmctx(irsctx);
+	task = irs_context_gettask(irsctx);
+	conf = irs_context_getresconf(irsctx);
+	client = irs_context_getdnsclient(irsctx);
+
+	/* construct resolution states */
+	head.activestates = 0;
+	head.ai_family = family;
+	head.ai_socktype = socktype;
+	head.ai_flags = flags;
+	head.ai_port = port;
+	head.actx = actx;
+	head.dnsclient = client;
+	ISC_LIST_INIT(head.resstates);
+	result = make_resstates(mctx, hostname, &head, conf);
+	if (result != ISC_R_SUCCESS)
+		return (EAI_FAIL);
+
+	for (resstate = ISC_LIST_HEAD(head.resstates);
+	     resstate != NULL; resstate = ISC_LIST_NEXT(resstate, link)) {
+		if (resstate->trans4 != NULL) {
+			result = dns_client_startresolve(client,
+							 resstate->qname,
+							 dns_rdataclass_in,
+							 dns_rdatatype_a,
+							 0, task,
+							 process_answer,
+							 resstate->trans4,
+							 &resstate->trans4->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans4->is_inprogress = ISC_TRUE;
+				all_fail = ISC_FALSE;
+			} else
+				resstate->trans4->is_inprogress = ISC_FALSE;
+		}
+		if (resstate->trans6 != NULL) {
+			result = dns_client_startresolve(client,
+							 resstate->qname,
+							 dns_rdataclass_in,
+							 dns_rdatatype_aaaa,
+							 0, task,
+							 process_answer,
+							 resstate->trans6,
+							 &resstate->trans6->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans6->is_inprogress = ISC_TRUE;
+				all_fail = ISC_FALSE;
+			} else
+				resstate->trans6->is_inprogress= ISC_FALSE;
+		}
+	}
+	if (!all_fail) {
+		/* Start all the events */
+		isc_app_ctxrun(actx);
+	} else
+		error = EAI_FAIL;
+
+	/* Cleanup */
+	while ((resstate = ISC_LIST_HEAD(head.resstates)) != NULL) {
+		int terror4 = 0, terror6 = 0;
+
+		ISC_LIST_UNLINK(head.resstates, resstate, link);
+
+		if (*aip == NULL) {
+			struct addrinfo *sentinel4 = NULL;
+			struct addrinfo *sentinel6 = NULL;
+
+			if (resstate->trans4 != NULL) {
+				sentinel4 =
+					resstate->trans4->ai_sentinel.ai_next;
+				resstate->trans4->ai_sentinel.ai_next = NULL;
+			}
+			if (resstate->trans6 != NULL) {
+				sentinel6 =
+					resstate->trans6->ai_sentinel.ai_next;
+				resstate->trans6->ai_sentinel.ai_next = NULL;
+			}
+			*aip = ai_concat(sentinel4, sentinel6);
+		}
+
+		if (resstate->trans4 != NULL) {
+			INSIST(resstate->trans4->xid == NULL);
+			terror4 = resstate->trans4->error;
+			isc_mem_put(mctx, resstate->trans4,
+				    sizeof(*resstate->trans4));
+		}
+		if (resstate->trans6 != NULL) {
+			INSIST(resstate->trans6->xid == NULL);
+			terror6 = resstate->trans6->error;
+			isc_mem_put(mctx, resstate->trans6,
+				    sizeof(*resstate->trans6));
+		}
+
+		/*
+		 * If the entire lookup fails, we need to choose an appropriate
+		 * error code from individual codes.  We'll try to provide as
+		 * specific a code as possible.  In general, we are going to
+		 * find an error code other than EAI_NONAME (which is too
+		 * generic and may actually not be problematic in some cases).
+		 * EAI_NONAME will be set below if no better code is found.
+		 */
+		if (terror == 0 || terror == EAI_NONAME) {
+			if (terror4 != 0 && terror4 != EAI_NONAME)
+				terror = terror4;
+			else if (terror6 != 0 && terror6 != EAI_NONAME)
+				terror = terror6;
+		}
+
+		isc_mem_put(mctx, resstate, sizeof(*resstate));
+	}
+
+	if (*aip == NULL) {
+		error = terror;
+		if (error == 0)
+			error = EAI_NONAME;
+	}
+
+#if 1	/*  XXX: enabled for finding leaks.  should be cleaned up later. */
+	isc_app_ctxfinish(actx);
+	irs_context_destroy(&irsctx);
+#endif
+
+	return (error);
+}
+
+static char *
+irs_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++)
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+	}
+	*stringp = NULL;
+	return (string);
+}
+
+static void
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+					int, int))
+{
+	char *order, *tok;
+	int found;
+
+	if (family) {
+		switch (family) {
+		case AF_INET:
+			*net_order++ = add_ipv4;
+			break;
+		case AF_INET6:
+			*net_order++ = add_ipv6;
+			break;
+		}
+	} else {
+		order = getenv("NET_ORDER");
+		found = 0;
+		while (order != NULL) {
+			/*
+			 * We ignore any unknown names.
+			 */
+			tok = irs_strsep(&order, ":");
+			if (strcasecmp(tok, "inet6") == 0) {
+				if ((found & FOUND_IPV6) == 0)
+					*net_order++ = add_ipv6;
+				found |= FOUND_IPV6;
+			} else if (strcasecmp(tok, "inet") == 0 ||
+			    strcasecmp(tok, "inet4") == 0) {
+				if ((found & FOUND_IPV4) == 0)
+					*net_order++ = add_ipv4;
+				found |= FOUND_IPV4;
+			}
+		}
+
+		/*
+		 * Add in anything that we didn't find.
+		 */
+		if ((found & FOUND_IPV4) == 0)
+			*net_order++ = add_ipv4;
+		if ((found & FOUND_IPV6) == 0)
+			*net_order++ = add_ipv6;
+	}
+	*net_order = NULL;
+	return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+	 int socktype, int port)
+{
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET); /* don't use ai_clone() */
+	if (ai == NULL) {
+		freeaddrinfo(*aip);
+		return (EAI_MEMORY);
+	}
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN(ai->ai_addr)->sin_port = port;
+	memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+
+	return (0);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+	 int socktype, int port)
+{
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET6); /* don't use ai_clone() */
+	if (ai == NULL) {
+		freeaddrinfo(*aip);
+		return (EAI_MEMORY);
+	}
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN6(ai->ai_addr)->sin6_port = port;
+	memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+
+	return (0);
+}
+
+/*% Free address info. */
+void
+freeaddrinfo(struct addrinfo *ai) {
+	struct addrinfo *ai_next;
+
+	while (ai != NULL) {
+		ai_next = ai->ai_next;
+		if (ai->ai_addr != NULL)
+			free(ai->ai_addr);
+		if (ai->ai_canonname)
+			free(ai->ai_canonname);
+		free(ai);
+		ai = ai_next;
+	}
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+	struct addrinfo *ai;
+	struct sockaddr_un *slocal;
+
+	if (socktype == 0)
+		return (EAI_SOCKTYPE);
+
+	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
+	if (ai == NULL)
+		return (EAI_MEMORY);
+
+	slocal = SLOCAL(ai->ai_addr);
+	strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
+
+	ai->ai_socktype = socktype;
+	/*
+	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+	 * and ai->ai_next were initialized to zero.
+	 */
+
+	*res = ai;
+	return (0);
+}
+#endif
+
+/*!
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specificed length.  We initialize:
+ *	ai_addrlen
+ *	ai_family
+ *	ai_addr
+ *	ai_addr->sa_family
+ *	ai_addr->sa_len	(IRS_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+	struct addrinfo *ai;
+
+	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+	if (ai == NULL)
+		return (NULL);
+
+	ai->ai_addr = SA(calloc(1, addrlen));
+	if (ai->ai_addr == NULL) {
+		free(ai);
+		return (NULL);
+	}
+	ai->ai_addrlen = addrlen;
+	ai->ai_family = family;
+	ai->ai_addr->sa_family = family;
+#ifdef IRS_PLATFORM_HAVESALEN
+	ai->ai_addr->sa_len = addrlen;
+#endif
+	return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+	struct addrinfo *ai;
+
+	ai = ai_alloc(family, ((family == AF_INET6) ?
+	    sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
+
+	if (ai == NULL) {
+		if (oai != NULL)
+			freeaddrinfo(oai);
+		return (NULL);
+	}
+	if (oai == NULL)
+		return (ai);
+
+	ai->ai_flags = oai->ai_flags;
+	ai->ai_socktype = oai->ai_socktype;
+	ai->ai_protocol = oai->ai_protocol;
+	ai->ai_canonname = NULL;
+	ai->ai_next = oai;
+	return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+	struct addrinfo *nai, *tai;
+
+	nai = NULL;
+
+	while (oai != NULL) {
+		/*
+		 * Grab one off the old list.
+		 */
+		tai = oai;
+		oai = oai->ai_next;
+		/*
+		 * Put it on the front of the new list.
+		 */
+		tai->ai_next = nai;
+		nai = tai;
+	}
+	return (nai);
+}
+
+
+static struct addrinfo *
+ai_concat(struct addrinfo *ai1, struct addrinfo *ai2) {
+	struct addrinfo *ai_tmp;
+
+	if (ai1 == NULL)
+		return (ai2);
+	else if (ai2 == NULL)
+		return (ai1);
+
+	for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL;
+	     ai_tmp = ai_tmp->ai_next)
+		;
+
+	ai_tmp->ai_next = ai2;
+
+	return (ai1);
+}
diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
new file mode 100644
index 0000000000..b2f6ac3904
--- /dev/null
+++ b/lib/irs/getnameinfo.c
@@ -0,0 +1,410 @@
+/*
+ * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getnameinfo.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+
+/*! \file */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ *    getnameinfo() returns the hostname for the struct sockaddr sa which is
+ *    salen bytes long. The hostname is of length hostlen and is returned via
+ *    *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
+ * 
+ *    The name of the service associated with the port number in sa is
+ *    returned in *serv. It is servlen bytes long. The maximum length of the
+ *    service name is #NI_MAXSERV - 32 bytes.
+ * 
+ *    The flags argument sets the following bits:
+ * 
+ * \li   #NI_NOFQDN:
+ *           A fully qualified domain name is not required for local hosts.
+ *           The local part of the fully qualified domain name is returned
+ *           instead.
+ * 
+ * \li   #NI_NUMERICHOST
+ *           Return the address in numeric form, as if calling inet_ntop(),
+ *           instead of a host name.
+ * 
+ * \li   #NI_NAMEREQD
+ *           A name is required. If the hostname cannot be found in the DNS
+ *           and this flag is set, a non-zero error code is returned. If the
+ *           hostname is not found and the flag is not set, the address is
+ *           returned in numeric form.
+ * 
+ * \li   #NI_NUMERICSERV
+ *           The service name is returned as a digit string representing the
+ *           port number.
+ * 
+ * \li   #NI_DGRAM
+ *           Specifies that the service being looked up is a datagram
+ *           service, and causes getservbyport() to be called with a second
+ *           argument of "udp" instead of its default of "tcp". This is
+ *           required for the few ports (512-514) that have different
+ *           services for UDP and TCP.
+ * 
+ * \section getnameinfo_return Return Values
+ * 
+ *    getnameinfo() returns 0 on success or a non-zero error code if
+ *    an error occurs.
+ * 
+ * \section getname_see See Also
+ * 
+ *    RFC3493, getservbyport(), 
+ *    getnamebyaddr(). inet_ntop().
+ */
+
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+#define SUCCESS 0
+
+/*% afd structure definition */
+static struct afd {
+	int a_af;
+	size_t a_addrlen;
+	size_t a_socklen;
+} afdl [] = {
+	/*!
+	 * First entry is linked last...
+	 */
+	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+	{0, 0, 0},
+};
+
+/*!
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
+
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
+	    IRS_GETNAMEINFO_BUFLEN_T hostlen, char *serv,
+	    IRS_GETNAMEINFO_BUFLEN_T servlen, IRS_GETNAMEINFO_FLAGS_T flags)
+{
+	struct afd *afd;
+	struct servent *sp;
+	unsigned short port;
+#ifdef IRS_PLATFORM_HAVESALEN
+	size_t len;
+#endif
+	int family, i;
+	const void *addr;
+	char *p;
+#if 0
+	unsigned long v4a;
+	unsigned char pfx;
+#endif
+	char numserv[sizeof("65000")];
+	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
+		    + 1 + sizeof("4294967295")];
+	const char *proto;
+	int result = SUCCESS;
+
+	if (sa == NULL)
+		ERR(EAI_FAIL);
+
+#ifdef IRS_PLATFORM_HAVESALEN
+	len = sa->sa_len;
+	if (len != salen)
+		ERR(EAI_FAIL);
+#endif
+
+	family = sa->sa_family;
+	for (i = 0; afdl[i].a_af; i++)
+		if (afdl[i].a_af == family) {
+			afd = &afdl[i];
+			goto found;
+		}
+	ERR(EAI_FAMILY);
+
+ found:
+	if (salen != afd->a_socklen)
+		ERR(EAI_FAIL);
+
+	switch (family) {
+	case AF_INET:
+		port = ((const struct sockaddr_in *)sa)->sin_port;
+		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+		break;
+
+	case AF_INET6:
+		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+		break;
+
+	default:
+		port = 0;
+		addr = NULL;
+		INSIST(0);
+	}
+	proto = (flags & NI_DGRAM) ? "udp" : "tcp";
+
+	if (serv == NULL || servlen == 0U) {
+		/*
+		 * Caller does not want service.
+		 */
+	} else if ((flags & NI_NUMERICSERV) != 0 ||
+		   (sp = getservbyport(port, proto)) == NULL) {
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+		if ((strlen(numserv) + 1) > servlen)
+			ERR(EAI_OVERFLOW);
+		strcpy(serv, numserv);
+	} else {
+		if ((strlen(sp->s_name) + 1) > servlen)
+			ERR(EAI_OVERFLOW);
+		strcpy(serv, sp->s_name);
+	}
+
+#if 0
+	switch (sa->sa_family) {
+	case AF_INET:
+		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+			flags |= NI_NUMERICHOST;
+		v4a >>= IN_CLASSA_NSHIFT;
+		if (v4a == 0 || v4a == IN_LOOPBACKNET)
+			flags |= NI_NUMERICHOST;
+		break;
+
+	case AF_INET6:
+		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+		if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+			flags |= NI_NUMERICHOST;
+		break;
+	}
+#endif
+
+	if (host == NULL || hostlen == 0U) {
+		/*
+		 * do nothing in this case.
+		 * in case you are wondering if "&&" is more correct than
+		 * "||" here: RFC3493 says that host == NULL or hostlen == 0
+		 * means that the caller does not want the result.
+		 */
+	} else if ((flags & NI_NUMERICHOST) != 0) {
+		if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+		    == NULL)
+			ERR(EAI_SYSTEM);
+#if defined(IRS_HAVE_SIN6_SCOPE_ID)
+		if (afd->a_af == AF_INET6 &&
+		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+			char *p = numaddr + strlen(numaddr);
+			const char *stringscope = NULL;
+#ifdef VENDOR_SPECIFIC
+			/*
+			 * Vendors may want to add support for
+			 * non-numeric scope identifier.
+			 */
+			stringscope = foo;
+#endif
+			if (stringscope == NULL) {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%u",
+				    ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
+			} else {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%s", stringscope);
+			}
+		}
+#endif
+		if (strlen(numaddr) + 1 > hostlen)
+			ERR(EAI_OVERFLOW);
+		strcpy(host, numaddr);
+	} else {
+		isc_netaddr_t netaddr;
+		dns_fixedname_t ptrfname;
+		dns_name_t *ptrname;
+		irs_context_t *irsctx = NULL;
+		dns_client_t *client;
+		isc_boolean_t found = ISC_FALSE;
+		dns_namelist_t answerlist;
+		dns_rdataset_t *rdataset;
+		isc_region_t hostregion;
+		char hoststr[1024]; /* is this enough? */
+		isc_result_t iresult;
+
+		/* Get IRS context and the associated DNS client object */
+		iresult = irs_context_get(&irsctx);
+		if (iresult != ISC_R_SUCCESS)
+			ERR(EAI_FAIL);
+		client = irs_context_getdnsclient(irsctx);
+
+		/* Make query name */
+		isc_netaddr_fromsockaddr(&netaddr, (const isc_sockaddr_t *)sa);
+		dns_fixedname_init(&ptrfname);
+		ptrname = dns_fixedname_name(&ptrfname);
+		iresult = dns_byaddr_createptrname2(&netaddr, 0, ptrname);
+		if (iresult != ISC_R_SUCCESS)
+			ERR(EAI_FAIL);
+
+		/* Get the PTR RRset */
+		ISC_LIST_INIT(answerlist);
+		iresult = dns_client_resolve(client, ptrname,
+					     dns_rdataclass_in,
+					     dns_rdatatype_ptr,
+					     DNS_CLIENTRESOPT_ALLOWRUN,
+					     &answerlist);
+		switch (iresult) {
+		case ISC_R_SUCCESS:
+		/*
+		 * a 'non-existent' error is not necessarily fatal for
+		 * getnameinfo().
+		 */
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			break;
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			ERR(EAI_INSECUREDATA);
+		default:
+			ERR(EAI_FAIL);
+		}
+
+		/* Parse the answer for the hostname */
+		for (ptrname = ISC_LIST_HEAD(answerlist); ptrname != NULL;
+		     ptrname = ISC_LIST_NEXT(ptrname, link)) {
+			for (rdataset = ISC_LIST_HEAD(ptrname->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (!dns_rdataset_isassociated(rdataset))
+					continue;
+				if (rdataset->type != dns_rdatatype_ptr)
+					continue;
+
+				for (iresult = dns_rdataset_first(rdataset);
+				     iresult == ISC_R_SUCCESS;
+				     iresult = dns_rdataset_next(rdataset)) {
+					dns_rdata_t rdata;
+					dns_rdata_ptr_t rdata_ptr;
+					isc_buffer_t b;
+
+					dns_rdata_init(&rdata);
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_ptr,
+							   NULL);
+
+					isc_buffer_init(&b, hoststr,
+							sizeof(hoststr));
+					iresult =
+						dns_name_totext(&rdata_ptr.ptr,
+								ISC_TRUE, &b);
+					dns_rdata_freestruct(&rdata_ptr);
+					if (iresult == ISC_R_SUCCESS) {
+						/*
+						 * We ignore the rest of the
+						 * answer.  After all,
+						 * getnameinfo() can return
+						 * at most one hostname.
+						 */
+						found = ISC_TRUE;
+						isc_buffer_usedregion(
+							&b, &hostregion);
+						goto ptrfound;
+					}
+					
+				}
+			}
+		}
+	ptrfound:
+		dns_client_freeresanswer(client, &answerlist);
+		if (found) {
+			if ((flags & NI_NOFQDN) != 0) {
+				p = strchr(hoststr, '.');
+				if (p)
+					*p = '\0';
+			}
+			if (hostregion.length + 1 > hostlen)
+				ERR(EAI_OVERFLOW);
+			snprintf(host, hostlen, "%.*s",
+				 (int)hostregion.length,
+				 (char *)hostregion.base);
+		} else {
+			if ((flags & NI_NAMEREQD) != 0)
+				ERR(EAI_NONAME);
+			if (inet_ntop(afd->a_af, addr, numaddr,
+				      sizeof(numaddr)) == NULL)
+				ERR(EAI_SYSTEM);
+			if ((strlen(numaddr) + 1) > hostlen)
+				ERR(EAI_OVERFLOW);
+			strcpy(host, numaddr);
+		}
+	}
+	result = SUCCESS;
+
+ cleanup:
+	return (result);
+}
diff --git a/lib/irs/include/Makefile.in b/lib/irs/include/Makefile.in
new file mode 100644
index 0000000000..3fba6e9dde
--- /dev/null
+++ b/lib/irs/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/include/irs/Makefile.in b/lib/irs/include/irs/Makefile.in
new file mode 100644
index 0000000000..e85a90de0c
--- /dev/null
+++ b/lib/irs/include/irs/Makefile.in
@@ -0,0 +1,44 @@
+# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs ; \
+	done
+	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/irs
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/irs
+
+distclean::
+	rm -f netdb.h platform.h
diff --git a/lib/irs/include/irs/context.h b/lib/irs/include/irs/context.h
new file mode 100644
index 0000000000..a72d0e3b88
--- /dev/null
+++ b/lib/irs/include/irs/context.h
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef IRS_CONTEXT_H
+#define IRS_CONTEXT_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS context module provides an abstract interface to the DNS library
+ * with an application.  An IRS context object initializes and holds various
+ * resources used in the DNS library.
+ */
+
+#include 
+#include 
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_context_create(irs_context_t **contextp);
+/*%<
+ * Create an IRS context.  It internally initializes the ISC and DNS libraries
+ * (if not yet), creates a DNS client object and initializes the client using
+ * the configuration files parsed via the 'resconf' and 'dnsconf' IRS modules.
+ * Some of the internally initialized objects can be used by the application
+ * via irs_context_getxxx() functions (see below).
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp);
+/*%<
+ * Return an IRS context for the calling thread.  If no IRS context is
+ * associated to the thread, this function creates a new one by calling
+ * irs_context_create(), and associates it with the thread as a thread specific
+ * data value.  This function is provided for standard libraries that are
+ * expected to be thread-safe but do not accept an appropriate IRS context
+ * as a library parameter, e.g., getaddrinfo().
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+void
+irs_context_destroy(irs_context_t **contextp);
+/*%<
+ * Destroy an IRS context.
+ *
+ * Requires:
+ *
+ *\li	'*contextp' is a valid IRS context.
+ *
+ * Ensures:
+ *\li	'*contextp' == NULL.
+ */
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context);
+/*%<
+ * Return the memory context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context);
+/*%<
+ * Return the application context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context);
+/*%<
+ * Return the task manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context);
+/*%<
+ * Return the timer manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context);
+/*%<
+ * Return the task object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context);
+/*%<
+ * Return the DNS client object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context);
+/*%<
+ * Return the resolver configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context);
+/*%<
+ * Return the advanced DNS configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_CONTEXT_H */
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h
new file mode 100644
index 0000000000..7adb2cf723
--- /dev/null
+++ b/lib/irs/include/irs/dnsconf.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef IRS_DNSCONF_H
+#define IRS_DNSCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS dnsconf module parses an "advanced" configuration file related to
+ * the DNS library, such as trusted keys for DNSSEC validation, and creates
+ * the corresponding configuration objects for the DNS library modules.
+ *
+ * Notes:
+ * This module is very experimental and the configuration syntax or library
+ * interfaces may change in future versions.  Currently, only the
+ * 'trusted-keys' statement is supported, whose syntax is the same as the
+ * same name of statement for named.conf.
+ */
+
+#include 
+
+/*%
+ * A compound structure storing DNS key information mainly for DNSSEC
+ * validation.  A dns_key_t object will be created using the 'keyname' and
+ * 'keydatabuf' members with the dst_key_fromdns() function.
+ */
+typedef struct irs_dnsconf_dnskey {
+	dns_name_t				*keyname;
+	isc_buffer_t				*keydatabuf;
+	ISC_LINK(struct irs_dnsconf_dnskey)	link;
+} irs_dnsconf_dnskey_t;
+
+typedef ISC_LIST(irs_dnsconf_dnskey_t) irs_dnsconf_dnskeylist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp);
+/*%<
+ * Load the "advanced" DNS configuration file 'filename' in the "dns.conf"
+ * format, and create a new irs_dnsconf_t object from the configuration.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp);
+/*%<
+ * Destroy the dnsconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid dnsconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf);
+/*%<
+ * Return a list of key information stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid dnsconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_DNSCONF_H */
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
new file mode 100644
index 0000000000..4f834dbaa2
--- /dev/null
+++ b/lib/irs/include/irs/netdb.h.in
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netdb.h.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include 	/* Required on FreeBSD (and  others?) for size_t. */
+#include 	/* Contractual provision. */
+
+/*
+ * Define if  does not declare struct addrinfo.
+ */
+@ISC_IRS_NEEDADDRINFO@
+
+#ifdef ISC_IRS_NEEDADDRINFO
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as  may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_OVERFLOW
+#undef	EAI_INSECUREDATA
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_OVERFLOW	14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX		16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
diff --git a/lib/irs/include/irs/platform.h.in b/lib/irs/include/irs/platform.h.in
new file mode 100644
index 0000000000..c498613911
--- /dev/null
+++ b/lib/irs/include/irs/platform.h.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: platform.h.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#ifndef IRS_PLATFORM_USEDECLSPEC
+#define LIBIRS_EXTERNAL_DATA
+#else
+#ifdef LIBIRS_EXPORTS
+#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
new file mode 100644
index 0000000000..da31f0eab6
--- /dev/null
+++ b/lib/irs/include/irs/resconf.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef IRS_RESCONF_H
+#define IRS_RESCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS resconf module parses the legacy "/etc/resolv.conf" file and
+ * creates the corresponding configuration objects for the DNS library
+ * modules.
+ */
+
+#include 
+
+/*%
+ * A DNS search list specified in the 'domain' or 'search' statements
+ * in the "resolv.conf" file.
+ */
+typedef struct irs_resconf_search {
+	char					*domain;
+	ISC_LINK(struct irs_resconf_search)	link;
+} irs_resconf_search_t;
+
+typedef ISC_LIST(irs_resconf_search_t) irs_resconf_searchlist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp);
+/*%<
+ * Load the resolver configuration file 'filename' in the "resolv.conf" format,
+ * and create a new irs_resconf_t object from the configuration.
+ *
+ * Notes:
+ *
+ *\li	Currently, only the following options are supported:
+ *	nameserver, domain, search, sortlist, ndots, and options.
+ *	In addition, 'sortlist' is not actually effective; it's parsed, but
+ *	the application cannot use the configuration.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_resconf_destroy(irs_resconf_t **confp);
+/*%<
+ * Destroy the resconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid resconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf);
+/*%<
+ * Return a list of name server addresses stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf);
+/*%<
+ * Return the search list stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf);
+/*%<
+ * Return the 'ndots' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_RESCONF_H */
diff --git a/lib/irs/include/irs/types.h b/lib/irs/include/irs/types.h
new file mode 100644
index 0000000000..14b548d7b9
--- /dev/null
+++ b/lib/irs/include/irs/types.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef IRS_TYPES_H
+#define IRS_TYPES_H 1
+
+/* Core Types.  Alphabetized by defined type. */
+
+/*%< per-thread IRS context */
+typedef struct irs_context		irs_context_t;
+/*%< resolv.conf configuration information */
+typedef struct irs_resconf		irs_resconf_t;
+/*%< advanced DNS-related configuration information */
+typedef struct irs_dnsconf		irs_dnsconf_t;
+
+#endif /* IRS_TYPES_H */
diff --git a/lib/irs/include/irs/version.h b/lib/irs/include/irs/version.h
new file mode 100644
index 0000000000..d9020b8289
--- /dev/null
+++ b/lib/irs/include/irs/version.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file */
+
+#include 
+
+LIBIRS_EXTERNAL_DATA extern const char irs_version[];
+
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libinterface;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_librevision;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libage;
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
new file mode 100644
index 0000000000..e51108e92f
--- /dev/null
+++ b/lib/irs/resconf.c
@@ -0,0 +1,639 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resconf.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file resconf.c */
+
+/**
+ * Module for parsing resolv.conf files (largely derived from lwconfig.c).
+ *
+ *    irs_resconf_load() opens the file filename and parses it to initialize
+ *    the configuration structure.
+ * 
+ * \section lwconfig_return Return Values
+ * 
+ *    irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
+ *    parsed filename. It returns a non-0 error code if filename could not be
+ *    opened or contained incorrect resolver statements.
+ * 
+ * \section lwconfig_see See Also
+ * 
+ *    stdio(3), \link resolver resolver \endlink
+ * 
+ * \section files Files
+ * 
+ *    /etc/resolv.conf
+ */
+
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#define IRS_RESCONF_MAGIC		ISC_MAGIC('R', 'E', 'S', 'c')
+#define IRS_RESCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_RESCONF_MAGIC)
+
+/*!
+ * protocol constants
+ */
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ	 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ	16
+#endif
+
+/*!
+ * resolv.conf parameters
+ */
+
+#define RESCONFMAXNAMESERVERS 3		/*%< max 3 "nameserver" entries */
+#define RESCONFMAXSEARCH 8		/*%< max 8 domains in "search" entry */
+#define RESCONFMAXLINELEN 256		/*%< max size of a line */
+#define RESCONFMAXSORTLIST 10		/*%< max 10 */
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_resconf {
+	/*
+	 * The configuration data is a thread-specific object, and does not
+	 * need to be locked.
+	 */
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+
+	isc_sockaddrlist_t	nameservers;
+	unsigned int		numns; /*%< number of configured servers */
+
+	char	       		*domainname;
+	char 	       		*search[RESCONFMAXSEARCH];
+	isc_uint8_t		searchnxt; /*%< index for next free slot */
+
+	irs_resconf_searchlist_t searchlist;
+
+	struct {
+		isc_netaddr_t	addr;
+		/*% mask has a non-zero 'family' if set */
+		isc_netaddr_t	mask;
+	} sortlist[RESCONFMAXSORTLIST];
+	isc_uint8_t		sortlistnxt;
+
+	/*%< non-zero if 'options debug' set */
+	isc_uint8_t		resdebug;
+	/*%< set to n in 'options ndots:n' */
+	isc_uint8_t		ndots;
+};
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parseoption(irs_resconf_t *ctx,  FILE *fp);
+
+/*!
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF)
+		ch = fgetc(fp);
+
+	return (ch);
+}
+
+/*!
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
+		ch = fgetc(fp);
+
+	if (ch == ';' || ch == '#')
+		ch = eatline(fp);
+
+	return (ch);
+}
+
+/*!
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+	int ch;
+	char *p = buffer;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(size > 0U);
+
+	*p = '\0';
+
+	ch = eatwhite(fp);
+
+	if (ch == EOF)
+		return (EOF);
+
+	do {
+		*p = '\0';
+
+		if (ch == EOF || isspace((unsigned char)ch))
+			break;
+		else if ((size_t) (p - buffer) == size - 1)
+			return (EOF);	/* Not enough space. */
+
+		*p++ = (char)ch;
+		ch = fgetc(fp);
+	} while (1);
+
+	return (ch);
+}
+
+static isc_result_t
+add_server(isc_mem_t *mctx, const char *address_str,
+	   isc_sockaddrlist_t *nameservers)
+{
+	int error;
+	isc_sockaddr_t *address = NULL;
+	struct addrinfo hints, *res;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	res = NULL;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(address_str, "53", &hints, &res);
+	if (error != 0)
+		return (ISC_R_BADADDRESSFORM);
+
+	/* XXX: special case: treat all-0 IPv4 address as loopback */
+	if (res->ai_family == AF_INET) {
+		struct in_addr *v4;
+		unsigned char zeroaddress[] = {0, 0, 0, 0};
+		unsigned char loopaddress[] = {127, 0, 0, 1};
+
+		v4 = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
+		if (memcmp(v4, zeroaddress, 4) == 0)
+			memcpy(v4, loopaddress, 4);
+	}
+
+	address = isc_mem_get(mctx, sizeof(*address));
+	if (address == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	if (res->ai_addrlen > sizeof(address->type)) {
+		isc_mem_put(mctx, address, sizeof(*address));
+		result = ISC_R_RANGE;
+		goto cleanup;
+	}
+	address->length = res->ai_addrlen;
+	memcpy(&address->type.sa, res->ai_addr, res->ai_addrlen);
+	ISC_LINK_INIT(address, link);
+	ISC_LIST_APPEND(*nameservers, address, link);
+
+  cleanup:
+	freeaddrinfo(res);
+
+	return (result);
+}
+
+static isc_result_t
+create_addr(const char *buffer, isc_netaddr_t *addr, int convert_zero) {
+	struct in_addr v4;
+	struct in6_addr v6;
+
+	if (inet_aton(buffer, &v4) == 1) {
+		if (convert_zero) {
+			unsigned char zeroaddress[] = {0, 0, 0, 0};
+			unsigned char loopaddress[] = {127, 0, 0, 1};
+			if (memcmp(&v4, zeroaddress, 4) == 0)
+				memcpy(&v4, loopaddress, 4);
+		}
+		addr->family = AF_INET;
+		memcpy(&addr->type.in, &v4, NS_INADDRSZ);
+		addr->zone = 0;
+	} else if (inet_pton(AF_INET6, buffer, &v6) == 1) {
+		addr->family = AF_INET6;
+		memcpy(&addr->type.in6, &v6, NS_IN6ADDRSZ);
+		addr->zone = 0;
+	} else
+		return (ISC_R_BADADDRESSFORM); /* Unrecognised format. */
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int cp;
+	isc_result_t result;
+
+	if (conf->numns == RESCONFMAXNAMESERVERS)
+		return (ISC_R_SUCCESS);
+
+	cp = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
+	else if (cp == ' ' || cp == '\t')
+		cp = eatwhite(fp);
+
+	if (cp != EOF && cp != '\n')
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+	result = add_server(conf->mctx, word, &conf->nameservers);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	conf->numns++;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf,  FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int res, i;
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+	else if (res == ' ' || res == '\t')
+		res = eatwhite(fp);
+
+	if (res != EOF && res != '\n')
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+	if (conf->domainname != NULL)
+		isc_mem_free(conf->mctx, conf->domainname);
+
+	/*
+	 * Search and domain are mutually exclusive.
+	 */
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[i]); 
+			conf->search[i] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	conf->domainname = isc_mem_strdup(conf->mctx, word);
+	if (conf->domainname == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf,  FILE *fp) {
+	int idx, delim;
+	char word[RESCONFMAXLINELEN];
+
+	if (conf->domainname != NULL) {
+		/*
+		 * Search and domain are mutually exclusive.
+		 */
+		isc_mem_free(conf->mctx, conf->domainname);
+		conf->domainname = NULL;
+	}
+
+	/*
+	 * Remove any previous search definitions.
+	 */
+	for (idx = 0; idx < RESCONFMAXSEARCH; idx++) {
+		if (conf->search[idx] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[idx]);
+			conf->search[idx] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+
+	idx = 0;
+	while (strlen(word) > 0U) {
+		if (conf->searchnxt == RESCONFMAXSEARCH)
+			goto ignore; /* Too many domains. */
+
+		conf->search[idx] = isc_mem_strdup(conf->mctx, word);
+		if (conf->search[idx] == NULL)
+			return (ISC_R_NOMEMORY);
+		idx++;
+		conf->searchnxt++;
+
+	ignore:
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp) {
+	int delim, res, idx;
+	char word[RESCONFMAXLINELEN];
+	char *p;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (conf->sortlistnxt == RESCONFMAXSORTLIST)
+			return (ISC_R_QUOTA); /* Too many values. */
+
+		p = strchr(word, '/');
+		if (p != NULL)
+			*p++ = '\0';
+
+		idx = conf->sortlistnxt;
+		res = create_addr(word, &conf->sortlist[idx].addr, 1);
+		if (res != ISC_R_SUCCESS)
+			return (res);
+
+		if (p != NULL) {
+			res = create_addr(p, &conf->sortlist[idx].mask, 0);
+			if (res != ISC_R_SUCCESS)
+				return (res);
+		} else {
+			/*
+			 * Make up a mask. (XXX: is this correct?)
+			 */
+			conf->sortlist[idx].mask = conf->sortlist[idx].addr;
+			memset(&conf->sortlist[idx].mask.type, 0xff,
+			       sizeof(conf->sortlist[idx].mask.type));
+		}
+
+		conf->sortlistnxt++;
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parseoption(irs_resconf_t *conf,  FILE *fp) {
+	int delim;
+	long ndots;
+	char *p;
+	char word[RESCONFMAXLINELEN];
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (strcmp("debug", word) == 0) {
+			conf->resdebug = 1;
+		} else if (strncmp("ndots:", word, 6) == 0) {
+			ndots = strtol(word + 6, &p, 10);
+			if (*p != '\0') /* Bad string. */
+				return (ISC_R_UNEXPECTEDTOKEN);
+			if (ndots < 0 || ndots > 0xff) /* Out of range. */
+				return (ISC_R_RANGE);
+			conf->ndots = (isc_uint8_t)ndots;
+		}
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_search(irs_resconf_t *conf, char *domain) {
+	irs_resconf_search_t *entry;
+
+	entry = isc_mem_get(conf->mctx, sizeof(*entry));
+	if (entry == NULL)
+		return (ISC_R_NOMEMORY);
+
+	entry->domain = domain;
+	ISC_LINK_INIT(entry, link);
+	ISC_LIST_APPEND(conf->searchlist, entry, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*% parses a file and fills in the data structure. */
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
+{
+	FILE *fp = NULL;
+	char word[256];
+	isc_result_t rval, ret;
+	irs_resconf_t *conf;
+	int i, stopchar;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(filename != NULL);
+	REQUIRE(strlen(filename) > 0U);
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+	if (conf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->nameservers);
+	conf->numns = 0;
+	conf->domainname = NULL;
+	conf->searchnxt = 0;
+	conf->resdebug = 0;
+	conf->ndots = 1;
+	for (i = 0; i < RESCONFMAXSEARCH; i++)
+		conf->search[i] = NULL;
+
+	errno = 0;
+	if ((fp = fopen(filename, "r")) == NULL) {
+		isc_mem_put(mctx, conf, sizeof(*conf));
+		return (ISC_R_INVALIDFILE);
+	}
+
+	ret = ISC_R_SUCCESS;
+	do {
+		stopchar = getword(fp, word, sizeof(word));
+		if (stopchar == EOF) {
+			rval = ISC_R_SUCCESS;
+			break;
+		}
+
+		if (strlen(word) == 0U)
+			rval = ISC_R_SUCCESS;
+		else if (strcmp(word, "nameserver") == 0)
+			rval = resconf_parsenameserver(conf, fp);
+		else if (strcmp(word, "domain") == 0)
+			rval = resconf_parsedomain(conf, fp);
+		else if (strcmp(word, "search") == 0)
+			rval = resconf_parsesearch(conf, fp);
+		else if (strcmp(word, "sortlist") == 0)
+			rval = resconf_parsesortlist(conf, fp);
+		else if (strcmp(word, "options") == 0)
+			rval = resconf_parseoption(conf, fp);
+		else {
+			/* unrecognised word. Ignore entire line */
+			rval = ISC_R_SUCCESS;
+			stopchar = eatline(fp);
+			if (stopchar == EOF) {
+				break;
+			}
+		}
+		if (ret == ISC_R_SUCCESS && rval != ISC_R_SUCCESS)
+			ret = rval;
+	} while (1);
+
+	fclose(fp);
+
+	/* If we don't find a nameserver fall back to localhost */
+	if (conf->numns == 0) {
+		INSIST(ISC_LIST_EMPTY(conf->nameservers));
+
+		/* XXX: should we catch errors? */
+		(void)add_server(conf->mctx, "127.0.0.1", &conf->nameservers);
+		(void)add_server(conf->mctx, "::1", &conf->nameservers);
+	}
+
+	/*
+	 * Construct unified search list from domain or configured
+	 * search list
+	 */
+	ISC_LIST_INIT(conf->searchlist);
+	if (conf->domainname != NULL) {
+		ret = add_search(conf, conf->domainname);
+	} else if (conf->searchnxt > 0) {
+		for (i = 0; i < conf->searchnxt; i++) {
+			ret = add_search(conf, conf->search[i]);
+			if (ret != ISC_R_SUCCESS)
+				break;
+		}
+	}
+
+	conf->magic = IRS_RESCONF_MAGIC;
+
+	if (ret != ISC_R_SUCCESS)
+		irs_resconf_destroy(&conf);
+	else
+		*confp = conf;
+
+	return (ret);
+}
+
+void
+irs_resconf_destroy(irs_resconf_t **confp) {
+	irs_resconf_t *conf;
+	isc_sockaddr_t *address;
+	irs_resconf_search_t *searchentry;
+	int i;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
+		ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
+		isc_mem_put(conf->mctx, searchentry, sizeof(*searchentry));
+	}
+
+	while ((address = ISC_LIST_HEAD(conf->nameservers)) != NULL) {
+		ISC_LIST_UNLINK(conf->nameservers, address, link);
+		isc_mem_put(conf->mctx, address, sizeof(*address));
+	}
+
+	if (conf->domainname != NULL)
+		isc_mem_free(conf->mctx, conf->domainname);
+
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL)
+			isc_mem_free(conf->mctx, conf->search[i]);
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+	*confp = NULL;
+}
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->nameservers);
+}
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->searchlist);
+}
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return ((unsigned int)conf->ndots);
+}
diff --git a/lib/irs/version.c b/lib/irs/version.c
new file mode 100644
index 0000000000..1142a8496b
--- /dev/null
+++ b/lib/irs/version.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file */
+
+#include 
+
+const char irs_version[] = VERSION;
+
+const unsigned int irs_libinterface = LIBINTERFACE;
+const unsigned int irs_librevision = LIBREVISION;
+const unsigned int irs_libage = LIBAGE;
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 2eba940988..ced0e64729 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.100 2009/02/06 12:26:22 fdupont Exp $
+# $Id: Makefile.in,v 1.101 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -28,7 +28,7 @@ CINCLUDES =	-I${srcdir}/unix/include \
 		-I${srcdir}/@ISC_ARCH_DIR@/include \
 		-I./include \
 		-I${srcdir}/include @ISC_OPENSSL_INC@
-CDEFINES =	@USE_OPENSSL@
+CDEFINES =	-DBIND9 @USE_OPENSSL@
 CWARNINGS =
 
 # Alphabetically
@@ -39,7 +39,6 @@ UNIXOBJS =	@ISC_ISCIPV6_O@ \
 		unix/os.@O@ unix/resource.@O@ unix/socket.@O@ unix/stdio.@O@ \
 		unix/stdtime.@O@ unix/strerror.@O@ unix/syslog.@O@ unix/time.@O@
 
-
 NLSOBJS =	nls/msgcat.@O@
 
 THREADOBJS =	@ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
@@ -112,5 +111,8 @@ installdirs:
 install:: timestamp installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
 
+install:: @ISC_ARCH_DIR@/include/isc/atomic.h
+	${INSTALL_DATA} @ISC_ARCH_DIR@/include/isc/atomic.h ${DESTDIR}${includedir}/isc
+
 clean distclean::
 	rm -f libisc.@A@ libisc.la timestamp
diff --git a/lib/isc/app_api.c b/lib/isc/app_api.c
new file mode 100644
index 0000000000..8f44c5e84c
--- /dev/null
+++ b/lib/isc/app_api.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: app_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_appctxcreatefunc_t appctx_createfunc = NULL;
+
+#define ISCAPI_APPMETHODS_VALID(m) ISC_MAGIC_VALID(m, ISCAPI_APPMETHODS_MAGIC)
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (appctx_createfunc == NULL)
+		appctx_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(appctx_createfunc != NULL);
+	result = (*appctx_createfunc)(mctx, ctxp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp) {
+	REQUIRE(ctxp != NULL && ISCAPI_APPCTX_VALID(*ctxp));
+
+	(*ctxp)->methods->ctxdestroy(ctxp);
+
+	ENSURE(*ctxp == NULL);
+}
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	
+	return (ctx->methods->ctxstart(ctx));
+}
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	
+	return (ctx->methods->ctxrun(ctx));
+}
+
+isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	
+	return (ctx->methods->ctxsuspend(ctx));
+}
+
+isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	return (ctx->methods->ctxshutdown(ctx));
+}
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	return (ctx->methods->ctxfinish(ctx));
+}
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(taskmgr != NULL);
+
+	ctx->methods->settaskmgr(ctx, taskmgr);
+}
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(socketmgr != NULL);
+
+	ctx->methods->setsocketmgr(ctx, socketmgr);
+}
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(timermgr != NULL);
+
+	ctx->methods->settimermgr(ctx, timermgr);
+}
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 2a1c112bf7..f1d68c7700 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.15 2009/05/06 23:47:50 tbox Exp $ */
+/* $Id: hash.c,v 1.16 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file
  * Some portion of this code was derived from universal hash function
@@ -194,8 +194,12 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
 	hctx->vectorlen = vlen;
 	hctx->rndvector = rv;
 
+#ifdef BIND9
 	if (entropy != NULL)
 		isc_entropy_attach(entropy, &hctx->entropy);
+#else
+	UNUSED(entropy);
+#endif
 
 	*hctxp = hctx;
 	return (ISC_R_SUCCESS);
@@ -236,18 +240,22 @@ isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
 
 void
 isc_hash_ctxinit(isc_hash_t *hctx) {
-	isc_result_t result;
-
 	LOCK(&hctx->lock);
 
 	if (hctx->initialized == ISC_TRUE)
 		goto out;
 
 	if (hctx->entropy) {
+#ifdef BIND9
+		isc_result_t result;
+
 		result = isc_entropy_getdata(hctx->entropy,
 					     hctx->rndvector, hctx->vectorlen,
 					     NULL, 0);
 		INSIST(result == ISC_R_SUCCESS);
+#else
+		INSIST(0);
+#endif
 	} else {
 		isc_uint32_t pr;
 		unsigned int i, copylen;
@@ -304,8 +312,10 @@ destroy(isc_hash_t **hctxp) {
 	isc_refcount_destroy(&hctx->refcnt);
 
 	mctx = hctx->mctx;
+#ifdef BIND9
 	if (hctx->entropy != NULL)
 		isc_entropy_detach(&hctx->entropy);
+#endif
 	if (hctx->rndvector != NULL)
 		isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
 
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index c4d54cbe44..f20f604639 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.8 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: app.h,v 1.9 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
@@ -54,12 +54,23 @@
  * Use of this module is not required.  In particular, isc_app_start() is
  * NOT an ISC library initialization routine.
  *
+ * This module also supports per-thread 'application contexts'.  With this
+ * mode, a thread-based application will have a separate context, in which
+ * it uses other ISC library services such as tasks or timers.  Signals are
+ * not caught in this mode, so that the application can handle the signals
+ * in its preferred way.
+ *
  * \li MP:
  *	Clients must ensure that isc_app_start(), isc_app_run(), and
  *	isc_app_finish() are called at most once.  isc_app_shutdown()
  *	is safe to use by any thread (provided isc_app_start() has been
  *	called previously).
  *
+ *	The same note applies to isc_app_ctxXXX() functions, but in this case
+ *	it's a per-thread restriction.  For example, a thread with an
+ *	application context must ensure that isc_app_ctxstart() with the
+ *	context is called at most once.
+ *
  * \li Reliability:
  *	No anticipated impact.
  *
@@ -75,16 +86,63 @@
 
 #include 
 #include 
+#include 
 #include 
 
+/***
+ *** Types
+ ***/
+
 typedef isc_event_t isc_appevent_t;
 
 #define ISC_APPEVENT_FIRSTEVENT		(ISC_EVENTCLASS_APP + 0)
 #define ISC_APPEVENT_SHUTDOWN		(ISC_EVENTCLASS_APP + 1)
 #define ISC_APPEVENT_LASTEVENT		(ISC_EVENTCLASS_APP + 65535)
 
+/*%
+ * app module methods.  Only app driver implementations use this structure.
+ * Other clients should use the top-level interfaces (i.e., isc_app_xxx
+ * functions).  magic must be ISCAPI_APPMETHODS_MAGIC.
+ */
+typedef struct isc_appmethods {
+	void		(*ctxdestroy)(isc_appctx_t **ctxp);
+	isc_result_t	(*ctxstart)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxrun)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxsuspend)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxshutdown)(isc_appctx_t *ctx);
+	void		(*ctxfinish)(isc_appctx_t *ctx);
+	void		(*settaskmgr)(isc_appctx_t *ctx,
+				      isc_taskmgr_t *timermgr);
+	void		(*setsocketmgr)(isc_appctx_t *ctx,
+					isc_socketmgr_t *timermgr);
+	void		(*settimermgr)(isc_appctx_t *ctx,
+				       isc_timermgr_t *timermgr);
+} isc_appmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of an application context
+ * implementation's version of an isc_appctx_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_APPCTX_MAGIC for any
+ * of the isc_app_ routines to work.  app implementations must maintain
+ * all app socket invariants.
+ */
+struct isc_appctx {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_appmethods_t	*methods;
+};
+
+#define ISCAPI_APPCTX_MAGIC		ISC_MAGIC('A','a','p','c')
+#define ISCAPI_APPCTX_VALID(c)		((c) != NULL && \
+					 (c)->magic == ISCAPI_APPCTX_MAGIC)
+
 ISC_LANG_BEGINDECLS
 
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx);
+
 isc_result_t
 isc_app_start(void);
 /*!<
@@ -93,6 +151,9 @@ isc_app_start(void);
  * Notes:
  *	This call should be made before any other ISC library call, and as
  *	close to the beginning of the application as possible.
+ *
+ * Requires:
+ *	'ctx' is a valid application context (for app_ctxstart()).
  */
 
 isc_result_t
@@ -102,13 +163,16 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
  * \brief Request delivery of an event when the application is run.
  *
  * Requires:
- *	isc_app_start() has been called.
+ *\li	isc_app_start() has been called.
  *
  * Returns:
  *	ISC_R_SUCCESS
  *	ISC_R_NOMEMORY
  */
 
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx);
+
 isc_result_t
 isc_app_run(void);
 /*!<
@@ -120,17 +184,21 @@ isc_app_run(void);
  *	caller should start shutting down the application.
  *
  * Requires:
- *\li	isc_app_start() has been called.
+ *\li	isc_app_[ctx]start() has been called.
  *
  * Ensures:
  *\li	Any events requested via isc_app_onrun() will have been posted (in
  *	FIFO order) before isc_app_run() blocks.
+ *\li	'ctx' is a valid application context (for app_ctxrun()).
  *
  * Returns:
  *\li	ISC_R_SUCCESS			Shutdown has been requested.
  *\li	ISC_R_RELOAD			Reload has been requested.
  */
 
+isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx);
+
 isc_result_t
 isc_app_shutdown(void);
 /*!<
@@ -141,13 +209,20 @@ isc_app_shutdown(void);
  *	only be triggered once.
  *
  * Requires:
- *\li	isc_app_run() has been called.
+ *\li	isc_app_[ctx]run() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxshutdown()).
  *
  * Returns:
  *\li	ISC_R_SUCCESS
  *\li	ISC_R_UNEXPECTED
  */
 
+isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx);
+/*!<
+ * \brief This has the same behavior as isc_app_ctxsuspend().
+ */
+
 isc_result_t
 isc_app_reload(void);
 /*!<
@@ -161,6 +236,9 @@ isc_app_reload(void);
  *\li	ISC_R_UNEXPECTED
  */
 
+void
+isc_app_ctxfinish(isc_appctx_t *ctx);
+
 void
 isc_app_finish(void);
 /*!<
@@ -171,6 +249,7 @@ isc_app_finish(void);
  *
  * Requires:
  *\li	isc_app_start() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxfinish()).
  *
  * Ensures:
  *\li	Any resources allocated by isc_app_start() have been released.
@@ -206,6 +285,90 @@ isc_app_unblock(void);
  * \li	isc_app_block() has been called by the same thread.
  */
 
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+/*!<
+ * \brief Create an application context.
+ *
+ * Requires:
+ *\li	'mctx' is a valid memory context.
+ *\li	'ctxp' != NULL && *ctxp == NULL.
+ */
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp);
+/*!<
+ * \brief Destroy an application context.
+ *
+ * Requires:
+ *\li	'*ctxp' is a valid application context.
+ *
+ * Ensures:
+ *\li	*ctxp == NULL.
+ */
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
+/*!<
+ * \brief Associate a task manager with an application context.
+ *
+ * This must be done before running tasks within the application context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'taskmgr' is a valid task manager.
+ */
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
+/*!<
+ * \brief Associate a socket manager with an application context.
+ *
+ * This must be done before handling socket events within the application
+ * context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'socketmgr' is a valid socket manager.
+ */
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
+/*!<
+ * \brief Associate a socket timer with an application context.
+ *
+ * This must be done before handling timer events within the application
+ * context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'timermgr' is a valid timer manager.
+ */
+
+#ifdef USE_APPIMPREGISTER
+/*%<
+ * See isc_appctx_create() above.
+ */
+typedef isc_result_t
+(*isc_appctxcreatefunc_t)(isc_mem_t *mctx, isc_appctx_t **ctxp);
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc);
+/*%<
+ * Register a new application implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__app_register(void);
+/*%<
+ * A short cut function that specifies the application module in the ISC
+ * library for isc_app_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_APPIMPREGISTER */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
index 765cdfaa19..af8b07b009 100644
--- a/lib/isc/include/isc/lib.h
+++ b/lib/isc/include/isc/lib.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: lib.h,v 1.15 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
@@ -36,6 +36,15 @@ isc_lib_initmsgcat(void);
  * has not already been initialized.
  */
 
+void
+isc_lib_register(void);
+/*!<
+ * \brief Register the ISC library implementations for some base services
+ * such as memory or event management and handling socket or timer events.
+ * An external application that wants to use the ISC library must call this
+ * function very early in main().
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_LIB_H */
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index a114d3eb6a..04a604f73f 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.81 2009/02/11 03:04:18 jinmei Exp $ */
+/* $Id: mem.h,v 1.82 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -187,6 +187,72 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
  * \endcode
  */
 
+/*% memory and memory pool methods */
+typedef struct isc_memmethods {
+	void (*attach)(isc_mem_t *source, isc_mem_t **targetp);
+	void (*detach)(isc_mem_t **mctxp);
+	void (*destroy)(isc_mem_t **mctxp);
+	void *(*memget)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void (*memput)(isc_mem_t *mctx, void *ptr, size_t size _ISC_MEM_FLARG);
+	void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
+				size_t size _ISC_MEM_FLARG);
+	void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
+	void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
+	void (*setdestroycheck)(isc_mem_t *mctx, isc_boolean_t flag);
+	void (*setwater)(isc_mem_t *ctx, isc_mem_water_t water,
+			 void *water_arg, size_t hiwater, size_t lowater);
+	void (*waterack)(isc_mem_t *ctx, int flag);
+	size_t (*inuse)(isc_mem_t *mctx);
+	isc_result_t (*mpcreate)(isc_mem_t *mctx, size_t size,
+				 isc_mempool_t **mpctxp);
+} isc_memmethods_t;
+
+typedef struct isc_mempoolmethods {
+	void (*destroy)(isc_mempool_t **mpctxp);
+	void *(*get)(isc_mempool_t *mpctx _ISC_MEM_FLARG);
+	void (*put)(isc_mempool_t *mpctx, void *mem _ISC_MEM_FLARG);
+	unsigned int (*getallocated)(isc_mempool_t *mpctx);
+	void (*setmaxalloc)(isc_mempool_t *mpctx, unsigned int limit);
+	void (*setfreemax)(isc_mempool_t *mpctx, unsigned int limit);
+	void (*setname)(isc_mempool_t *mpctx, const char *name);
+	void (*associatelock)(isc_mempool_t *mpctx, isc_mutex_t *lock);
+	void (*setfillcount)(isc_mempool_t *mpctx, unsigned int limit);
+} isc_mempoolmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a memory context 
+ * implementation's version of an isc_mem_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_MCTX_MAGIC for any of the
+ * isc_mem_ routines to work.  mctx implementations must maintain all mctx
+ * invariants.
+ */
+struct isc_mem {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_memmethods_t	*methods;
+};
+
+#define ISCAPI_MCTX_MAGIC	ISC_MAGIC('A','m','c','x')
+#define ISCAPI_MCTX_VALID(m)	((m) != NULL && \
+				 (m)->magic == ISCAPI_MCTX_MAGIC)
+
+/*%
+ * This is the common prefix of a memory pool context.  The same note as
+ * that for the mem structure applies.
+ */
+struct isc_mempool {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_mempoolmethods_t	*methods;
+};
+
+#define ISCAPI_MPOOL_MAGIC	ISC_MAGIC('A','m','p','l')
+#define ISCAPI_MPOOL_VALID(mp)	((mp) != NULL && \
+				 (mp)->magic == ISCAPI_MPOOL_MAGIC)
+
 #if ISC_MEM_DEBUG
 #define isc_mem_put(c, p, s) \
 	do { \
@@ -607,8 +673,7 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
 void *
 isc__mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
 void
-isc__mem_putanddetach(isc_mem_t **, void *,
-				      size_t _ISC_MEM_FLARG);
+isc__mem_putanddetach(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
 void
 isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void *
@@ -624,6 +689,33 @@ isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
 void
 isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
 
+#ifdef USE_MEMIMPREGISTER
+
+/*%<
+ * See isc_mem_create2() above.
+ */
+typedef isc_result_t
+(*isc_memcreatefunc_t)(size_t init_max_size, size_t target_size,
+		       isc_mem_t **ctxp, unsigned int flags);
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc);
+/*%<
+ * Register a new memory management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * memory management library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__mem_register(void);
+/*%<
+ * A short cut function that specifies the memory management module in the ISC
+ * library for isc_mem_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_MEMIMPREGISTER */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_MEM_H */
diff --git a/lib/isc/include/isc/namespace.h b/lib/isc/include/isc/namespace.h
new file mode 100644
index 0000000000..9cc8d60a84
--- /dev/null
+++ b/lib/isc/include/isc/namespace.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: namespace.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef ISCAPI_NAMESPACE_H
+#define ISCAPI_NAMESPACE_H 1
+
+/*%
+ * name space conversions
+ */
+
+#ifdef BIND9
+
+#define isc_app_start isc__app_start
+#define isc_app_ctxstart isc__app_ctxstart
+#define isc_app_onrun isc__app_onrun
+#define isc_app_run isc__app_run
+#define isc_app_ctxrun isc__app_ctxrun
+#define isc_app_shutdown isc__app_shutdown
+#define isc_app_ctxshutdown isc__app_ctxshutdown
+#define isc_app_ctxsuspend isc__app_ctxsuspend
+#define isc_app_reload isc__app_reload
+#define isc_app_finish isc__app_finish
+#define isc_app_block isc__app_block
+#define isc_app_unblock isc__app_unblock
+#define isc_appctx_create isc__appctx_create
+#define isc_appctx_destroy isc__appctx_destroy
+#define isc_appctx_settaskmgr isc__appctx_settaskmgr
+#define isc_appctx_setsocketmgr isc__appctx_setsocketmgr
+#define isc_appctx_settimermgr isc__appctx_settimermgr
+
+#define isc_mem_checkdestroyed isc__mem_checkdestroyed
+#define isc_mem_createx isc__mem_createx
+#define isc_mem_createx2 isc__mem_createx2
+#define isc_mem_create isc__mem_create
+#define isc_mem_create2 isc__mem_create2
+#define isc_mem_attach isc__mem_attach
+#define isc_mem_detach isc__mem_detach
+#define isc__mem_putanddetach isc___mem_putanddetach
+#define isc_mem_destroy isc__mem_destroy
+#define isc_mem_ondestroy isc__mem_ondestroy
+#define isc__mem_get isc___mem_get
+#define isc__mem_put isc___mem_put
+#define isc_mem_stats isc__mem_stats
+#define isc__mem_allocate isc___mem_allocate
+#define isc__mem_free isc___mem_free
+#define isc__mem_strdup isc___mem_strdup
+#define isc_mem_references isc__mem_references
+#define isc_mem_setdestroycheck isc__mem_setdestroycheck
+#define isc_mem_setquota isc__mem_setquota
+#define isc_mem_getname isc__mem_getname
+#define isc_mem_getquota isc__mem_getquota
+#define isc_mem_gettag isc__mem_gettag
+#define isc_mem_inuse isc__mem_inuse
+#define isc_mem_setname isc__mem_setname
+#define isc_mem_setwater isc__mem_setwater
+#define isc_mem_printallactive isc__mem_printallactive
+#define isc_mem_waterack isc__mem_waterack
+#define isc_mempool_create isc__mempool_create
+#define isc_mempool_setname isc__mempool_setname
+#define isc_mempool_destroy isc__mempool_destroy
+#define isc_mempool_associatelock isc__mempool_associatelock
+#define isc__mempool_get isc___mempool_get
+#define isc__mempool_put isc___mempool_put
+#define isc_mempool_setfreemax isc__mempool_setfreemax
+#define isc_mempool_getfreemax isc__mempool_getfreemax
+#define isc_mempool_getfreecount isc__mempool_getfreecount
+#define isc_mempool_setmaxalloc isc__mempool_setmaxalloc
+#define isc_mempool_getmaxalloc isc__mempool_getmaxalloc
+#define isc_mempool_getallocated isc__mempool_getallocated
+#define isc_mempool_setfillcount isc__mempool_setfillcount
+#define isc_mempool_getfillcount isc__mempool_getfillcount
+
+#define isc_socket_create isc__socket_create
+#define isc_socket_attach isc__socket_attach
+#define isc_socket_detach isc__socket_detach
+#define isc_socketmgr_create isc__socketmgr_create
+#define isc_socketmgr_create2 isc__socketmgr_create2
+#define isc_socketmgr_destroy isc__socketmgr_destroy
+#define isc_socket_open isc__socket_open
+#define isc_socket_close isc__socket_close
+#define isc_socket_recvv isc__socket_recvv
+#define isc_socket_recv isc__socket_recv
+#define isc_socket_recv2 isc__socket_recv2
+#define isc_socket_send isc__socket_send
+#define isc_socket_sendto isc__socket_sendto
+#define isc_socket_sendv isc__socket_sendv
+#define isc_socket_sendtov isc__socket_sendtov
+#define isc_socket_sendto2 isc__socket_sendto2
+#define isc_socket_cleanunix isc__socket_cleanunix
+#define isc_socket_permunix isc__socket_permunix
+#define isc_socket_bind isc__socket_bind
+#define isc_socket_filter isc__socket_filter
+#define isc_socket_listen isc__socket_listen
+#define isc_socket_accept isc__socket_accept
+#define isc_socket_connect isc__socket_connect
+#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate
+#define isc_socket_getname isc__socket_getname
+#define isc_socket_gettag isc__socket_gettag
+#define isc_socket_getpeername isc__socket_getpeername
+#define isc_socket_getsockname isc__socket_getsockname
+#define isc_socket_cancel isc__socket_cancel
+#define isc_socket_gettype isc__socket_gettype
+#define isc_socket_isbound isc__socket_isbound
+#define isc_socket_ipv6only isc__socket_ipv6only
+#define isc_socket_setname isc__socket_setname
+#define isc_socketmgr_getmaxsockets isc__socketmgr_getmaxsockets
+#define isc_socketmgr_setstats isc__socketmgr_setstats
+#define isc_socketmgr_setreserved isc__socketmgr_setreserved
+#define isc__socketmgr_maxudp isc___socketmgr_maxudp
+
+#define isc_task_create isc__task_create
+#define isc_task_attach isc__task_attach
+#define isc_task_detach isc__task_detach
+#define isc_task_send isc__task_send
+#define isc_task_sendanddetach isc__task_sendanddetach
+#define isc_task_purgerange isc__task_purgerange
+#define isc_task_purge isc__task_purge
+#define isc_task_purgeevent isc__task_purgeevent
+#define isc_task_unsendrange isc__task_unsendrange
+#define isc_task_unsend isc__task_unsend
+#define isc_task_onshutdown isc__task_onshutdown
+#define isc_task_shutdown isc__task_shutdown
+#define isc_task_destroy isc__task_destroy
+#define isc_task_setname isc__task_setname
+#define isc_task_getname isc__task_getname
+#define isc_task_gettag isc__task_gettag
+#define isc_task_getcurrenttime isc__task_getcurrenttime
+#define isc_taskmgr_create isc__taskmgr_create
+#define isc_taskmgr_destroy isc__taskmgr_destroy
+#define isc_task_beginexclusive isc__task_beginexclusive
+#define isc_task_endexclusive isc__task_endexclusive
+
+#define isc_timer_create isc__timer_create
+#define isc_timer_reset isc__timer_reset
+#define isc_timer_gettype isc__timer_gettype
+#define isc_timer_touch isc__timer_touch
+#define isc_timer_attach isc__timer_attach
+#define isc_timer_detach isc__timer_detach
+#define isc_timermgr_create isc__timermgr_create
+#define isc_timermgr_poke isc__timermgr_poke
+#define isc_timermgr_destroy isc__timermgr_destroy
+
+#endif /* BIND9 */
+
+#endif /* ISCAPI_NAMESPACE_H */
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 56b4ca6d69..b01b181fcf 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.71 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: result.h,v 1.72 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
@@ -42,6 +42,7 @@
 #define ISC_R_EOF			14	/*%< end of file */
 #define ISC_R_BOUND			15	/*%< socket already bound */
 #define ISC_R_RELOAD			16	/*%< reload */
+#define ISC_R_SUSPEND	      ISC_R_RELOAD	/*%< alias of 'reload' */
 #define ISC_R_LOCKBUSY			17	/*%< lock busy */
 #define ISC_R_EXISTS			18	/*%< already exists */
 #define ISC_R_NOSPACE			19	/*%< ran out of space */
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index b32426fee2..e0f64393b1 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: resultclass.h,v 1.19 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
@@ -45,6 +45,7 @@
 #define	ISC_RESULTCLASS_DNSRCODE	ISC_RESULTCLASS_FROMNUM(3)
 #define	ISC_RESULTCLASS_OMAPI		ISC_RESULTCLASS_FROMNUM(4)
 #define	ISC_RESULTCLASS_ISCCC		ISC_RESULTCLASS_FROMNUM(5)
+#define	ISC_RESULTCLASS_DHCP		ISC_RESULTCLASS_FROMNUM(6)
 
 
 #endif /* ISC_RESULTCLASS_H */
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 4f654a2967..15ade4ea92 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.89 2009/03/05 03:13:55 marka Exp $ */
+/* $Id: socket.h,v 1.90 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -260,6 +260,71 @@ typedef enum {
 #define ISC_SOCKFDWATCH_WRITE	0x00000002	/*%< watch for writable */
 /*@}*/
 
+/*% Socket and socket manager methods */
+typedef struct isc_socketmgrmethods {
+	void		(*destroy)(isc_socketmgr_t **managerp);
+	isc_result_t	(*socketcreate)(isc_socketmgr_t *manager, int pf,
+					isc_sockettype_t type,
+					isc_socket_t **socketp);
+} isc_socketmgrmethods_t;
+
+typedef struct isc_socketmethods {
+	void		(*attach)(isc_socket_t *socket,
+				  isc_socket_t **socketp);
+	void		(*detach)(isc_socket_t **socketp);
+	isc_result_t	(*bind)(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+				unsigned int options);
+	isc_result_t	(*sendto)(isc_socket_t *sock, isc_region_t *region,
+				  isc_task_t *task, isc_taskaction_t action,
+				  const void *arg, isc_sockaddr_t *address,
+				  struct in6_pktinfo *pktinfo);
+	isc_result_t	(*connect)(isc_socket_t *sock, isc_sockaddr_t *addr,
+				   isc_task_t *task, isc_taskaction_t action,
+				   const void *arg);
+	isc_result_t	(*recv)(isc_socket_t *sock, isc_region_t *region,
+				unsigned int minimum, isc_task_t *task,
+				isc_taskaction_t action, const void *arg);
+	void		(*cancel)(isc_socket_t *sock, isc_task_t *task,
+				  unsigned int how);
+	isc_result_t	(*getsockname)(isc_socket_t *sock,
+				       isc_sockaddr_t *addressp);
+	isc_sockettype_t (*gettype)(isc_socket_t *sock);
+	void		(*ipv6only)(isc_socket_t *sock, isc_boolean_t yes);
+} isc_socketmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a socket manager
+ * object implementation's version of an isc_socketmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_SOCKETMGR_MAGIC for any
+ * of the isc_socket_ routines to work.  socket implementations must maintain
+ * all socket invariants.
+ */
+struct isc_socketmgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_socketmgrmethods_t	*methods;
+};
+
+#define ISCAPI_SOCKETMGR_MAGIC		ISC_MAGIC('A','s','m','g')
+#define ISCAPI_SOCKETMGR_VALID(m)	((m) != NULL && \
+					 (m)->magic == ISCAPI_SOCKETMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a socket object.  The same note as
+ * that for the socketmgr structure applies.
+ */
+struct isc_socket {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_socketmethods_t	*methods;
+};
+
+#define ISCAPI_SOCKET_MAGIC	ISC_MAGIC('A','s','c','t')
+#define ISCAPI_SOCKET_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_SOCKET_MAGIC)
+
 /***
  *** Socket and Socket Manager Functions
  ***
@@ -820,6 +885,10 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
  */
 /*@}*/
 
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ 			  isc_socketmgr_t **managerp);
+
 isc_result_t
 isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
 
@@ -831,6 +900,8 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
  * maximum number of sockets that the created manager should handle.
  * isc_socketmgr_create() is equivalent of isc_socketmgr_create2() with
  * "maxsocks" being zero.
+ * isc_socketmgr_createinctx() also associates the new manager with the
+ * specified application context.
  *
  * Notes:
  *
@@ -842,6 +913,8 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
  *
  *\li	'managerp' points to a NULL isc_socketmgr_t.
  *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
  * Ensures:
  *
  *\li	'*managerp' is a valid isc_socketmgr_t.
@@ -987,7 +1060,7 @@ void *isc_socket_gettag(isc_socket_t *socket);
  */
 
 void
-isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
+isc_socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
 /*%<
  * Temporary.  For use by named only.
  */
@@ -1008,6 +1081,31 @@ isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
 
 #endif /* HAVE_LIBXML2 */
 
+#ifdef USE_SOCKETIMPREGISTER
+/*%<
+ * See isc_socketmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp); 
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new socket I/O implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__socket_register(void);
+/*%<
+ * A short cut function that specifies the socket I/O module in the ISC
+ * library for isc_socket_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_SOCKETIMPREGISTER */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index bf90281e78..2fd838f45e 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.63 2009/01/18 23:48:14 tbox Exp $ */
+/* $Id: task.h,v 1.64 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -96,6 +96,70 @@
 
 ISC_LANG_BEGINDECLS
 
+/***
+ *** Types
+ ***/
+
+/*% Task and task manager methods */
+typedef struct isc_taskmgrmethods {
+	void		(*destroy)(isc_taskmgr_t **managerp);
+	isc_result_t	(*taskcreate)(isc_taskmgr_t *manager,
+				      unsigned int quantum,
+				      isc_task_t **taskp);
+} isc_taskmgrmethods_t;
+
+typedef struct isc_taskmethods {
+	void (*attach)(isc_task_t *source, isc_task_t **targetp);
+	void (*detach)(isc_task_t **taskp);
+	void (*destroy)(isc_task_t **taskp);
+	void (*send)(isc_task_t *task, isc_event_t **eventp);
+	void (*sendanddetach)(isc_task_t **taskp, isc_event_t **eventp);
+	unsigned int (*unsend)(isc_task_t *task, void *sender, isc_eventtype_t type,
+			       void *tag, isc_eventlist_t *events);
+	isc_result_t (*onshutdown)(isc_task_t *task, isc_taskaction_t action,
+				   const void *arg);
+	void (*shutdown)(isc_task_t *task);
+	void (*setname)(isc_task_t *task, const char *name, void *tag);
+	unsigned int (*purgeevents)(isc_task_t *task, void *sender,
+				    isc_eventtype_t type, void *tag);
+	unsigned int (*purgerange)(isc_task_t *task, void *sender,
+				   isc_eventtype_t first, isc_eventtype_t last,
+				   void *tag);
+} isc_taskmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a task manager
+ * object implementation's version of an isc_taskmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_TASKMGR_MAGIC for any
+ * of the isc_task_ routines to work.  task implementations must maintain
+ * all task invariants.
+ */
+struct isc_taskmgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_taskmgrmethods_t	*methods;
+};
+
+#define ISCAPI_TASKMGR_MAGIC	ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TASKMGR_VALID(m)	((m) != NULL && \
+				 (m)->magic == ISCAPI_TASKMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a task object.  The same note as
+ * that for the taskmgr structure applies.
+ */
+struct isc_task {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_taskmethods_t	*methods;
+};
+
+#define ISCAPI_TASK_MAGIC	ISC_MAGIC('A','t','s','t')
+#define ISCAPI_TASK_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_TASK_MAGIC)
+
 isc_result_t
 isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 		isc_task_t **taskp);
@@ -540,10 +604,15 @@ isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
  *****/
 
 isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			unsigned int workers, unsigned int default_quantum,
+			isc_taskmgr_t **managerp);
+isc_result_t
 isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		   unsigned int default_quantum, isc_taskmgr_t **managerp);
 /*%<
- * Create a new task manager.
+ * Create a new task manager.  isc_taskmgr_createinctx() also associates
+ * the new manager with the specified application context.
  *
  * Notes:
  *
@@ -565,6 +634,8 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
  *
  *\li	managerp != NULL && *managerp == NULL
  *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
  * Ensures:
  *
  *\li	On success, '*managerp' will be attached to the newly created task
@@ -619,6 +690,31 @@ isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
 
 #endif
 
+/*%<
+ * See isc_taskmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_taskmgrcreatefunc_t)(isc_mem_t *mctx, unsigned int workers,
+			   unsigned int default_quantum,
+			   isc_taskmgr_t **managerp);
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new task management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__task_register(void);
+/*%<
+ * A short cut function that specifies the task management module in the ISC
+ * library for isc_task_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_TASK_H */
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index a4b2df7a54..583dd9624e 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.40 2008/06/23 23:47:11 tbox Exp $ */
+/* $Id: timer.h,v 1.41 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
@@ -103,6 +103,61 @@ typedef struct isc_timerevent {
 #define ISC_TIMEREVENT_LIFE		(ISC_EVENTCLASS_TIMER + 3)
 #define ISC_TIMEREVENT_LASTEVENT	(ISC_EVENTCLASS_TIMER + 65535)
 
+/*% Timer and timer manager methods */
+typedef struct {
+	void		(*destroy)(isc_timermgr_t **managerp);
+	isc_result_t	(*timercreate)(isc_timermgr_t *manager,
+				       isc_timertype_t type,
+				       isc_time_t *expires,
+				       isc_interval_t *interval,
+				       isc_task_t *task,
+				       isc_taskaction_t action,
+				       const void *arg,
+				       isc_timer_t **timerp);
+} isc_timermgrmethods_t;
+
+typedef struct {
+	void		(*attach)(isc_timer_t *timer, isc_timer_t **timerp);
+	void		(*detach)(isc_timer_t **timerp);
+	isc_result_t	(*reset)(isc_timer_t *timer, isc_timertype_t type,
+				 isc_time_t *expires, isc_interval_t *interval,
+				 isc_boolean_t purge);
+	isc_result_t	(*touch)(isc_timer_t *timer);
+} isc_timermethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a timer manager
+ * object implementation's version of an isc_timermgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_TIMERMGR_MAGIC for any
+ * of the isc_timer_ routines to work.  timer implementations must maintain
+ * all timer invariants.
+ */
+struct isc_timermgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_timermgrmethods_t	*methods;
+};
+
+#define ISCAPI_TIMERMGR_MAGIC		ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TIMERMGR_VALID(m)	((m) != NULL && \
+					 (m)->magic == ISCAPI_TIMERMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a timer object.  The same note as
+ * that for the timermgr structure applies.
+ */
+struct isc_timer {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_timermethods_t	*methods;
+};
+
+#define ISCAPI_TIMER_MAGIC	ISC_MAGIC('A','t','m','r')
+#define ISCAPI_TIMER_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_TIMER_MAGIC)
+
 /***
  *** Timer and Timer Manager Functions
  ***
@@ -288,10 +343,15 @@ isc_timer_gettype(isc_timer_t *timer);
  *\li	'timer' to be a valid timer.
  */
 
+isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			 isc_timermgr_t **managerp);
+
 isc_result_t
 isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
 /*%<
- * Create a timer manager.
+ * Create a timer manager.  isc_timermgr_createinctx() also associates
+ * the new manager with the specified application context.
  *
  * Notes:
  *
@@ -303,6 +363,8 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
  *
  *\li	'managerp' points to a NULL isc_timermgr_t.
  *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
  * Ensures:
  *
  *\li	'*managerp' is a valid isc_timermgr_t.
@@ -339,6 +401,31 @@ isc_timermgr_destroy(isc_timermgr_t **managerp);
 
 void isc_timermgr_poke(isc_timermgr_t *m);
 
+#ifdef USE_TIMERIMPREGISTER
+/*%<
+ * See isc_timermgr_create() above.
+ */
+typedef isc_result_t
+(*isc_timermgrcreatefunc_t)(isc_mem_t *mctx, isc_timermgr_t **managerp);
+
+isc_result_t
+isc__timer_register(void);
+/*%<
+ * Register a new timer management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc);
+/*%<
+ * A short cut function that specifies the timer management module in the ISC
+ * library for isc_timer_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_TIMERIMPREGISTER */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 469e7d62f4..dd60d76a20 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.48 2009/01/27 23:47:54 tbox Exp $ */
+/* $Id: types.h,v 1.49 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
 
+#include 
+
 /*! \file isc/types.h
  * \brief
  * OS-specific types, from the OS-specific include directories.
@@ -40,6 +42,7 @@
 
 /* Core Types.  Alphabetized by defined type. */
 
+typedef struct isc_appctx		isc_appctx_t;	 	/*%< Application context */
 typedef struct isc_bitstring		isc_bitstring_t; 	/*%< Bitstring */
 typedef struct isc_buffer		isc_buffer_t;		/*%< Buffer */
 typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;	/*%< Buffer List */
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index f3a2c2dc79..8d431f13e0 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: lib.c,v 1.15 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file */
 
@@ -24,9 +24,15 @@
 #include 
 #include 
 
-#include 
-#include 
+#include 
 #include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
 
 /***
  *** Globals
@@ -41,7 +47,6 @@ LIBISC_EXTERNAL_DATA isc_msgcat_t *		isc_msgcat = NULL;
 
 static isc_once_t		msgcat_once = ISC_ONCE_INIT;
 
-
 /***
  *** Functions
  ***/
@@ -77,3 +82,22 @@ isc_lib_initmsgcat(void) {
 		abort();
 	}
 }
+
+#ifndef BIND9
+static isc_once_t		register_once = ISC_ONCE_INIT;
+
+static void
+do_register(void) {
+	RUNTIME_CHECK(isc__mem_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__app_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__task_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__socket_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__timer_register() == ISC_R_SUCCESS);
+}
+
+void
+isc_lib_register() {
+	RUNTIME_CHECK(isc_once_do(®ister_once, do_register)
+		      == ISC_R_SUCCESS);
+}
+#endif
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 2ee8c89ea8..6895a873e9 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.149 2009/02/16 03:16:10 marka Exp $ */
+/* $Id: mem.c,v 1.150 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file */
 
@@ -60,6 +60,9 @@ LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
 /*
  * Types.
  */
+typedef struct isc__mem isc__mem_t;
+typedef struct isc__mempool isc__mempool_t;
+
 #if ISC_MEM_TRACKLINES
 typedef struct debuglink debuglink_t;
 struct debuglink {
@@ -89,7 +92,7 @@ typedef struct {
 	 */
 	union {
 		size_t		size;
-		isc_mem_t	*ctx;
+		isc__mem_t	*ctx;
 		char		bytes[ALIGNMENT_SIZE];
 	} u;
 } size_info;
@@ -110,7 +113,7 @@ typedef ISC_LIST(debuglink_t)	debuglist_t;
 
 /* List of all active memory contexts. */
 
-static ISC_LIST(isc_mem_t)	contexts;
+static ISC_LIST(isc__mem_t)	contexts;
 static isc_once_t		once = ISC_ONCE_INIT;
 static isc_mutex_t		lock;
 
@@ -120,8 +123,8 @@ static isc_mutex_t		lock;
  */
 static isc_uint64_t		totallost;
 
-struct isc_mem {
-	unsigned int		magic;
+struct isc__mem {
+	isc_mem_t		common;
 	isc_ondestroy_t		ondestroy;
 	unsigned int		flags;
 	isc_mutex_t		lock;
@@ -143,7 +146,7 @@ struct isc_mem {
 	isc_boolean_t		hi_called;
 	isc_mem_water_t		water;
 	void *			water_arg;
-	ISC_LIST(isc_mempool_t)	pools;
+	ISC_LIST(isc__mempool_t) pools;
 	unsigned int		poolcnt;
 
 	/*  ISC_MEMFLAG_INTERNAL */
@@ -162,19 +165,19 @@ struct isc_mem {
 #endif
 
 	unsigned int		memalloc_failures;
-	ISC_LINK(isc_mem_t)	link;
+	ISC_LINK(isc__mem_t)	link;
 };
 
 #define MEMPOOL_MAGIC		ISC_MAGIC('M', 'E', 'M', 'p')
 #define VALID_MEMPOOL(c)	ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
 
-struct isc_mempool {
+struct isc__mempool {
 	/* always unlocked */
-	unsigned int	magic;		/*%< magic number */
+	isc_mempool_t	common;		/*%< common header of mempool's */
 	isc_mutex_t    *lock;		/*%< optional lock */
-	isc_mem_t      *mctx;		/*%< our memory context */
+	isc__mem_t      *mctx;		/*%< our memory context */
 	/*%< locked via the memory context's lock */
-	ISC_LINK(isc_mempool_t)	link;	/*%< next pool in this mem context */
+	ISC_LINK(isc__mempool_t)	link;	/*%< next pool in this mem context */
 	/*%< optionally locked from here down */
 	element	       *items;		/*%< low water item list */
 	size_t		size;		/*%< size of each item on this pool */
@@ -209,13 +212,170 @@ struct isc_mempool {
 #define DELETE_TRACE(a, b, c, d, e)	delete_trace_entry(a, b, c, d, e)
 
 static void
-print_active(isc_mem_t *ctx, FILE *out);
+print_active(isc__mem_t *ctx, FILE *out);
+
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_MEMFUNC_SCOPE
+#else
+#define ISC_MEMFUNC_SCOPE static
+#endif
+
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx(size_t init_max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		 isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx2(size_t init_max_size, size_t target_size,
+		  isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		  isc_mem_t **ctxp, unsigned int flags);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size,
+		 isc_mem_t **ctxp, unsigned int flags);
+ISC_MEMFUNC_SCOPE void
+isc__mem_attach(isc_mem_t *source, isc_mem_t **targetp);
+ISC_MEMFUNC_SCOPE void
+isc__mem_detach(isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_destroy(isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_get(isc_mem_t *ctx, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_stats(isc_mem_t *ctx, FILE *out);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
+ISC_MEMFUNC_SCOPE char *
+isc___mem_strdup(isc_mem_t *mctx, const char *s FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setquota(isc_mem_t *ctx, size_t quota);
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_getquota(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_inuse(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+		  size_t hiwater, size_t lowater);
+ISC_MEMFUNC_SCOPE void
+isc__mem_waterack(isc_mem_t *ctx0, int flag);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+ISC_MEMFUNC_SCOPE const char *
+isc__mem_getname(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE void *
+isc__mem_gettag(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setname(isc_mempool_t *mpctx, const char *name);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_destroy(isc_mempool_t **mpctxp);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
+ISC_MEMFUNC_SCOPE void *
+isc___mempool_get(isc_mempool_t *mpctx FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mempool_put(isc_mempool_t *mpctx, void *mem FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreemax(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreecount(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getmaxalloc(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfillcount(isc_mempool_t *mpctx);
+#ifdef BIND9
+ISC_MEMFUNC_SCOPE void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file);
+ISC_MEMFUNC_SCOPE void
+isc__mem_printallactive(FILE *file);
+ISC_MEMFUNC_SCOPE void
+isc__mem_checkdestroyed(FILE *file);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mem_references(isc_mem_t *ctx0);
+#endif
+
+static struct isc__memmethods {
+	isc_memmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *createx, *create, *create2, *ondestroy, *stats,
+		*setquota, *getquota, *setname, *getname, *gettag;
+} memmethods = {
+	{
+		isc__mem_attach,
+		isc__mem_detach,
+		isc__mem_destroy,
+		isc___mem_get,
+		isc___mem_put,
+		isc___mem_putanddetach,
+		isc___mem_allocate,
+		isc___mem_strdup,
+		isc___mem_free,
+		isc__mem_setdestroycheck,
+		isc__mem_setwater,
+		isc__mem_waterack,
+		isc__mem_inuse,
+		isc__mempool_create
+	},
+	isc__mem_createx, isc__mem_create, isc__mem_create2,
+	isc__mem_ondestroy, isc__mem_stats,
+	isc__mem_setquota, isc__mem_getquota, isc__mem_setname,
+	isc__mem_getname, isc__mem_gettag
+};
+
+static struct isc__mempoolmethods {
+	isc_mempoolmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *getfreemax, *getfreecount, *getmaxalloc, *getfillcount;
+} mempoolmethods = {
+	{
+		isc__mempool_destroy,
+		isc___mempool_get,
+		isc___mempool_put,
+		isc__mempool_getallocated,
+		isc__mempool_setmaxalloc,
+		isc__mempool_setfreemax,
+		isc__mempool_setname,
+		isc__mempool_associatelock,
+		isc__mempool_setfillcount
+	},
+	isc__mempool_getfreemax, isc__mempool_getfreecount,
+	isc__mempool_getmaxalloc, isc__mempool_getfillcount
+};
 
 /*!
  * mctx must be locked.
  */
 static inline void
-add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
+add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size
 		FLARG)
 {
 	debuglink_t *dl;
@@ -274,7 +434,7 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
 }
 
 static inline void
-delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
+delete_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size,
 		   const char *file, unsigned int line)
 {
 	debuglink_t *dl;
@@ -345,7 +505,7 @@ quantize(size_t size) {
 }
 
 static inline isc_boolean_t
-more_basic_blocks(isc_mem_t *ctx) {
+more_basic_blocks(isc__mem_t *ctx) {
 	void *new;
 	unsigned char *curr, *next;
 	unsigned char *first, *last;
@@ -415,7 +575,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 }
 
 static inline isc_boolean_t
-more_frags(isc_mem_t *ctx, size_t new_size) {
+more_frags(isc__mem_t *ctx, size_t new_size) {
 	int i, frags;
 	size_t total_size;
 	void *new;
@@ -477,7 +637,7 @@ more_frags(isc_mem_t *ctx, size_t new_size) {
 }
 
 static inline void *
-mem_getunlocked(isc_mem_t *ctx, size_t size) {
+mem_getunlocked(isc__mem_t *ctx, size_t size) {
 	size_t new_size = quantize(size);
 	void *ret;
 
@@ -558,7 +718,7 @@ check_overrun(void *mem, size_t size, size_t new_size) {
 #endif
 
 static inline void
-mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
+mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) {
 	size_t new_size = quantize(size);
 
 	if (size == ctx->max_size || new_size >= ctx->max_size) {
@@ -606,7 +766,7 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
  * Perform a malloc, doing memory filling and overrun detection as necessary.
  */
 static inline void *
-mem_get(isc_mem_t *ctx, size_t size) {
+mem_get(isc__mem_t *ctx, size_t size) {
 	char *ret;
 
 #if ISC_MEM_CHECKOVERRUN
@@ -634,7 +794,7 @@ mem_get(isc_mem_t *ctx, size_t size) {
  * Perform a free, doing memory filling and overrun detection as necessary.
  */
 static inline void
-mem_put(isc_mem_t *ctx, void *mem, size_t size) {
+mem_put(isc__mem_t *ctx, void *mem, size_t size) {
 #if ISC_MEM_CHECKOVERRUN
 	INSIST(((unsigned char *)mem)[size] == 0xbe);
 #endif
@@ -650,7 +810,7 @@ mem_put(isc_mem_t *ctx, void *mem, size_t size) {
  * Update internal counters after a memory get.
  */
 static inline void
-mem_getstats(isc_mem_t *ctx, size_t size) {
+mem_getstats(isc__mem_t *ctx, size_t size) {
 	ctx->total += size;
 	ctx->inuse += size;
 
@@ -667,7 +827,7 @@ mem_getstats(isc_mem_t *ctx, size_t size) {
  * Update internal counters after a memory put.
  */
 static inline void
-mem_putstats(isc_mem_t *ctx, void *ptr, size_t size) {
+mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) {
 	UNUSED(ptr);
 
 	INSIST(ctx->inuse >= size);
@@ -711,22 +871,22 @@ initialize_action(void) {
  * Public.
  */
 
-isc_result_t
-isc_mem_createx(size_t init_max_size, size_t target_size,
-		isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		isc_mem_t **ctxp)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx(size_t init_max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		 isc_mem_t **ctxp)
 {
-	return (isc_mem_createx2(init_max_size, target_size, memalloc, memfree,
-				 arg, ctxp, ISC_MEMFLAG_DEFAULT));
+	return (isc__mem_createx2(init_max_size, target_size, memalloc, memfree,
+				  arg, ctxp, ISC_MEMFLAG_DEFAULT));
 
 }
 
-isc_result_t
-isc_mem_createx2(size_t init_max_size, size_t target_size,
-		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
-		 isc_mem_t **ctxp, unsigned int flags)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx2(size_t init_max_size, size_t target_size,
+		  isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		  isc_mem_t **ctxp, unsigned int flags)
 {
-	isc_mem_t *ctx;
+	isc__mem_t *ctx;
 	isc_result_t result;
 
 	REQUIRE(ctxp != NULL && *ctxp == NULL);
@@ -766,7 +926,9 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
 	ctx->hi_called = ISC_FALSE;
 	ctx->water = NULL;
 	ctx->water_arg = NULL;
-	ctx->magic = MEM_MAGIC;
+	ctx->common.impmagic = MEM_MAGIC;
+	ctx->common.magic = ISCAPI_MCTX_MAGIC;
+	ctx->common.methods = (isc_memmethods_t *)&memmethods;
 	isc_ondestroy_init(&ctx->ondestroy);
 	ctx->memalloc = memalloc;
 	ctx->memfree = memfree;
@@ -831,7 +993,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
 	ISC_LIST_INITANDAPPEND(contexts, ctx, link);
 	UNLOCK(&lock);
 
-	*ctxp = ctx;
+	*ctxp = (isc_mem_t *)ctx;
 	return (ISC_R_SUCCESS);
 
   error:
@@ -852,30 +1014,29 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
 	return (result);
 }
 
-isc_result_t
-isc_mem_create(size_t init_max_size, size_t target_size,
-	       isc_mem_t **ctxp)
-{
-	return (isc_mem_createx2(init_max_size, target_size,
-				 default_memalloc, default_memfree, NULL,
-				 ctxp, ISC_MEMFLAG_DEFAULT));
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp) {
+	return (isc__mem_createx2(init_max_size, target_size,
+				  default_memalloc, default_memfree, NULL,
+				  ctxp, ISC_MEMFLAG_DEFAULT));
 }
 
-isc_result_t
-isc_mem_create2(size_t init_max_size, size_t target_size,
-		isc_mem_t **ctxp, unsigned int flags)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size,
+		 isc_mem_t **ctxp, unsigned int flags)
 {
-	return (isc_mem_createx2(init_max_size, target_size,
-				 default_memalloc, default_memfree, NULL,
-				 ctxp, flags));
+	return (isc__mem_createx2(init_max_size, target_size,
+				  default_memalloc, default_memfree, NULL,
+				  ctxp, flags));
 }
 
 static void
-destroy(isc_mem_t *ctx) {
+destroy(isc__mem_t *ctx) {
 	unsigned int i;
 	isc_ondestroy_t ondest;
 
-	ctx->magic = 0;
+	ctx->common.impmagic = 0;
+	ctx->common.magic = 0;
 
 	LOCK(&lock);
 	ISC_LIST_UNLINK(contexts, ctx, link);
@@ -938,8 +1099,10 @@ destroy(isc_mem_t *ctx) {
 	isc_ondestroy_notify(&ondest, ctx);
 }
 
-void
-isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_attach(isc_mem_t *source0, isc_mem_t **targetp) {
+	isc__mem_t *source = (isc__mem_t *)source0;
+
 	REQUIRE(VALID_CONTEXT(source));
 	REQUIRE(targetp != NULL && *targetp == NULL);
 
@@ -947,16 +1110,16 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
 	source->references++;
 	MCTXUNLOCK(source, &source->lock);
 
-	*targetp = source;
+	*targetp = (isc_mem_t *)source;
 }
 
-void
-isc_mem_detach(isc_mem_t **ctxp) {
-	isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc__mem_detach(isc_mem_t **ctxp) {
+	isc__mem_t *ctx;
 	isc_boolean_t want_destroy = ISC_FALSE;
 
 	REQUIRE(ctxp != NULL);
-	ctx = *ctxp;
+	ctx = (isc__mem_t *)*ctxp;
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	MCTXLOCK(ctx, &ctx->lock);
@@ -982,15 +1145,15 @@ isc_mem_detach(isc_mem_t **ctxp) {
  * isc_mem_detach(&mctx);
  */
 
-void
-isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
-	isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx;
 	isc_boolean_t want_destroy = ISC_FALSE;
 	size_info *si;
 	size_t oldsize;
 
 	REQUIRE(ctxp != NULL);
-	ctx = *ctxp;
+	ctx = (isc__mem_t *)*ctxp;
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(ptr != NULL);
 
@@ -1008,7 +1171,7 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 				oldsize -= ALIGNMENT_SIZE;
 			INSIST(oldsize == size);
 		}
-		isc__mem_free(ctx, ptr FLARG_PASS);
+		isc_mem_free((isc_mem_t *)ctx, ptr);
 
 		MCTXLOCK(ctx, &ctx->lock);
 		ctx->references--;
@@ -1042,9 +1205,9 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 		destroy(ctx);
 }
 
-void
-isc_mem_destroy(isc_mem_t **ctxp) {
-	isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc__mem_destroy(isc_mem_t **ctxp) {
+	isc__mem_t *ctx;
 
 	/*
 	 * This routine provides legacy support for callers who use mctxs
@@ -1052,7 +1215,7 @@ isc_mem_destroy(isc_mem_t **ctxp) {
 	 */
 
 	REQUIRE(ctxp != NULL);
-	ctx = *ctxp;
+	ctx = (isc__mem_t *)*ctxp;
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	MCTXLOCK(ctx, &ctx->lock);
@@ -1069,8 +1232,9 @@ isc_mem_destroy(isc_mem_t **ctxp) {
 	*ctxp = NULL;
 }
 
-isc_result_t
-isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_ondestroy(isc_mem_t *ctx0, isc_task_t *task, isc_event_t **event) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	isc_result_t res;
 
 	MCTXLOCK(ctx, &ctx->lock);
@@ -1080,16 +1244,16 @@ isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
 	return (res);
 }
 
-
-void *
-isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_get(isc_mem_t *ctx0, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	void *ptr;
 	isc_boolean_t call_water = ISC_FALSE;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0)
-		return (isc__mem_allocate(ctx, size FLARG_PASS));
+		return (isc_mem_allocate((isc_mem_t *)ctx, size));
 
 	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
 		MCTXLOCK(ctx, &ctx->lock);
@@ -1121,9 +1285,9 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
 	return (ptr);
 }
 
-void
-isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
-{
+ISC_MEMFUNC_SCOPE void
+isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	isc_boolean_t call_water = ISC_FALSE;
 	size_info *si;
 	size_t oldsize;
@@ -1139,7 +1303,7 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
 				oldsize -= ALIGNMENT_SIZE;
 			INSIST(oldsize == size);
 		}
-		isc__mem_free(ctx, ptr FLARG_PASS);
+		isc_mem_free((isc_mem_t *)ctx, ptr);
 		return;
 	}
 
@@ -1170,8 +1334,10 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
 		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
 }
 
-void
-isc_mem_waterack(isc_mem_t *ctx, int flag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_waterack(isc_mem_t *ctx0, int flag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	MCTXLOCK(ctx, &ctx->lock);
@@ -1184,7 +1350,7 @@ isc_mem_waterack(isc_mem_t *ctx, int flag) {
 
 #if ISC_MEM_TRACKLINES
 static void
-print_active(isc_mem_t *mctx, FILE *out) {
+print_active(isc__mem_t *mctx, FILE *out) {
 	if (mctx->debuglist != NULL) {
 		debuglink_t *dl;
 		unsigned int i, j;
@@ -1226,11 +1392,12 @@ print_active(isc_mem_t *mctx, FILE *out) {
 /*
  * Print the stats[] on the stream "out" with suitable formatting.
  */
-void
-isc_mem_stats(isc_mem_t *ctx, FILE *out) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_stats(isc_mem_t *ctx0, FILE *out) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_t i;
 	const struct stats *s;
-	const isc_mempool_t *pool;
+	const isc__mempool_t *pool;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 	MCTXLOCK(ctx, &ctx->lock);
@@ -1303,7 +1470,8 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
  */
 
 static void *
-isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
+isc__mem_allocateunlocked(isc_mem_t *ctx0, size_t size) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_info *si;
 
 	size += ALIGNMENT_SIZE;
@@ -1325,8 +1493,9 @@ isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
 	return (&si[1]);
 }
 
-void *
-isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_info *si;
 	isc_boolean_t call_water = ISC_FALSE;
 
@@ -1334,9 +1503,9 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
 
 	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
 		MCTXLOCK(ctx, &ctx->lock);
-		si = isc__mem_allocateunlocked(ctx, size);
+		si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
 	} else {
-		si = isc__mem_allocateunlocked(ctx, size);
+		si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
 		MCTXLOCK(ctx, &ctx->lock);
 		if (si != NULL)
 			mem_getstats(ctx, si[-1].u.size);
@@ -1399,8 +1568,9 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
 	return (new_ptr);
 }
 
-void
-isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
+ISC_MEMFUNC_SCOPE void
+isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_info *si;
 	size_t size;
 	isc_boolean_t call_water= ISC_FALSE;
@@ -1451,8 +1621,9 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
  * Other useful things.
  */
 
-char *
-isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+ISC_MEMFUNC_SCOPE char *
+isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
 	size_t len;
 	char *ns;
 
@@ -1461,7 +1632,7 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
 
 	len = strlen(s);
 
-	ns = isc__mem_allocate(mctx, len + 1 FLARG_PASS);
+	ns = isc___mem_allocate((isc_mem_t *)mctx, len + 1 FLARG_PASS);
 
 	if (ns != NULL)
 		strncpy(ns, s, len + 1);
@@ -1469,8 +1640,10 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
 	return (ns);
 }
 
-void
-isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setdestroycheck(isc_mem_t *ctx0, isc_boolean_t flag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 	MCTXLOCK(ctx, &ctx->lock);
 
@@ -1483,8 +1656,10 @@ isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
  * Quotas
  */
 
-void
-isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setquota(isc_mem_t *ctx0, size_t quota) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 	MCTXLOCK(ctx, &ctx->lock);
 
@@ -1493,8 +1668,9 @@ isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
 	MCTXUNLOCK(ctx, &ctx->lock);
 }
 
-size_t
-isc_mem_getquota(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_getquota(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_t quota;
 
 	REQUIRE(VALID_CONTEXT(ctx));
@@ -1507,8 +1683,9 @@ isc_mem_getquota(isc_mem_t *ctx) {
 	return (quota);
 }
 
-size_t
-isc_mem_inuse(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_inuse(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	size_t inuse;
 
 	REQUIRE(VALID_CONTEXT(ctx));
@@ -1521,10 +1698,11 @@ isc_mem_inuse(isc_mem_t *ctx) {
 	return (inuse);
 }
 
-void
-isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+ISC_MEMFUNC_SCOPE void
+isc__mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
 		 size_t hiwater, size_t lowater)
 {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	isc_boolean_t callwater = ISC_FALSE;
 	isc_mem_water_t oldwater;
 	void *oldwater_arg;
@@ -1559,8 +1737,10 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
 		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
 }
 
-void
-isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	LOCK(&ctx->lock);
@@ -1570,15 +1750,19 @@ isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
 	UNLOCK(&ctx->lock);
 }
 
-const char *
-isc_mem_getname(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE const char *
+isc__mem_getname(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	return (ctx->name);
 }
 
-void *
-isc_mem_gettag(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE void *
+isc__mem_gettag(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	return (ctx->tag);
@@ -1588,9 +1772,10 @@ isc_mem_gettag(isc_mem_t *ctx) {
  * Memory pool stuff
  */
 
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
-	isc_mempool_t *mpctx;
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	isc__mempool_t *mpctx;
 
 	REQUIRE(VALID_CONTEXT(mctx));
 	REQUIRE(size > 0U);
@@ -1600,11 +1785,13 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 	 * Allocate space for this pool, initialize values, and if all works
 	 * well, attach to the memory context.
 	 */
-	mpctx = isc_mem_get(mctx, sizeof(isc_mempool_t));
+	mpctx = isc_mem_get((isc_mem_t *)mctx, sizeof(isc__mempool_t));
 	if (mpctx == NULL)
 		return (ISC_R_NOMEMORY);
 
-	mpctx->magic = MEMPOOL_MAGIC;
+	mpctx->common.methods = (isc_mempoolmethods_t *)&mempoolmethods;
+	mpctx->common.impmagic = MEMPOOL_MAGIC;
+	mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
 	mpctx->lock = NULL;
 	mpctx->mctx = mctx;
 	mpctx->size = size;
@@ -1619,7 +1806,7 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 #endif
 	mpctx->items = NULL;
 
-	*mpctxp = mpctx;
+	*mpctxp = (isc_mempool_t *)mpctx;
 
 	MCTXLOCK(mctx, &mctx->lock);
 	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
@@ -1629,9 +1816,12 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	REQUIRE(name != NULL);
+	REQUIRE(VALID_MEMPOOL(mpctx));
 
 #if ISC_MEMPOOL_NAMES
 	if (mpctx->lock != NULL)
@@ -1648,20 +1838,20 @@ isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
 #endif
 }
 
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp) {
-	isc_mempool_t *mpctx;
-	isc_mem_t *mctx;
+ISC_MEMFUNC_SCOPE void
+isc__mempool_destroy(isc_mempool_t **mpctxp) {
+	isc__mempool_t *mpctx;
+	isc__mem_t *mctx;
 	isc_mutex_t *lock;
 	element *item;
 
 	REQUIRE(mpctxp != NULL);
-	mpctx = *mpctxp;
+	mpctx = (isc__mempool_t *)*mpctxp;
 	REQUIRE(VALID_MEMPOOL(mpctx));
 #if ISC_MEMPOOL_NAMES
 	if (mpctx->allocated > 0)
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "isc_mempool_destroy(): mempool %s "
+				 "isc__mempool_destroy(): mempool %s "
 				 "leaked memory",
 				 mpctx->name);
 #endif
@@ -1701,9 +1891,10 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	mctx->poolcnt--;
 	MCTXUNLOCK(mctx, &mctx->lock);
 
-	mpctx->magic = 0;
+	mpctx->common.impmagic = 0;
+	mpctx->common.magic = 0;
 
-	isc_mem_put(mpctx->mctx, mpctx, sizeof(isc_mempool_t));
+	isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
 
 	if (lock != NULL)
 		UNLOCK(lock);
@@ -1711,8 +1902,10 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	*mpctxp = NULL;
 }
 
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_associatelock(isc_mempool_t *mpctx0, isc_mutex_t *lock) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	REQUIRE(VALID_MEMPOOL(mpctx));
 	REQUIRE(mpctx->lock == NULL);
 	REQUIRE(lock != NULL);
@@ -1720,10 +1913,11 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
 	mpctx->lock = lock;
 }
 
-void *
-isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
 	element *item;
-	isc_mem_t *mctx;
+	isc__mem_t *mctx;
 	unsigned int i;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1802,9 +1996,10 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
 	return (item);
 }
 
-void
-isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
-	isc_mem_t *mctx;
+ISC_MEMFUNC_SCOPE void
+isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mem_t *mctx;
 	element *item;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1859,8 +2054,10 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
  * Quotas
  */
 
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	REQUIRE(VALID_MEMPOOL(mpctx));
 
 	if (mpctx->lock != NULL)
@@ -1872,8 +2069,9 @@ isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
 		UNLOCK(mpctx->lock);
 }
 
-unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreemax(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
 	unsigned int freemax;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1889,8 +2087,9 @@ isc_mempool_getfreemax(isc_mempool_t *mpctx) {
 	return (freemax);
 }
 
-unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreecount(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
 	unsigned int freecount;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1906,8 +2105,10 @@ isc_mempool_getfreecount(isc_mempool_t *mpctx) {
 	return (freecount);
 }
 
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	REQUIRE(limit > 0);
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1921,8 +2122,9 @@ isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
 		UNLOCK(mpctx->lock);
 }
 
-unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getmaxalloc(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
 	unsigned int maxalloc;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1938,8 +2140,9 @@ isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
 	return (maxalloc);
 }
 
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
 	unsigned int allocated;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1955,8 +2158,10 @@ isc_mempool_getallocated(isc_mempool_t *mpctx) {
 	return (allocated);
 }
 
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	REQUIRE(limit > 0);
 	REQUIRE(VALID_MEMPOOL(mpctx));
 
@@ -1969,8 +2174,10 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
 		UNLOCK(mpctx->lock);
 }
 
-unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfillcount(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
 	unsigned int fillcount;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1986,8 +2193,17 @@ isc_mempool_getfillcount(isc_mempool_t *mpctx) {
 	return (fillcount);
 }
 
-void
-isc_mem_printactive(isc_mem_t *ctx, FILE *file) {
+#ifdef USE_MEMIMPREGISTER 
+isc_result_t
+isc__mem_register() {
+	return (isc_mem_register(isc__mem_create2));
+}
+#endif
+
+#ifdef BIND9
+ISC_MEMFUNC_SCOPE void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(file != NULL);
@@ -2000,12 +2216,12 @@ isc_mem_printactive(isc_mem_t *ctx, FILE *file) {
 #endif
 }
 
-void
-isc_mem_printallactive(FILE *file) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_printallactive(FILE *file) {
 #if !ISC_MEM_TRACKLINES
 	UNUSED(file);
 #else
-	isc_mem_t *ctx;
+	isc__mem_t *ctx;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
 
@@ -2020,15 +2236,15 @@ isc_mem_printallactive(FILE *file) {
 #endif
 }
 
-void
-isc_mem_checkdestroyed(FILE *file) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_checkdestroyed(FILE *file) {
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
 
 	LOCK(&lock);
 	if (!ISC_LIST_EMPTY(contexts))  {
 #if ISC_MEM_TRACKLINES
-		isc_mem_t *ctx;
+		isc__mem_t *ctx;
 
 		for (ctx = ISC_LIST_HEAD(contexts);
 		     ctx != NULL;
@@ -2043,9 +2259,11 @@ isc_mem_checkdestroyed(FILE *file) {
 	UNLOCK(&lock);
 }
 
-unsigned int
-isc_mem_references(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc_mem_references(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	unsigned int references;
+
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	MCTXLOCK(ctx, &ctx->lock);
@@ -2065,7 +2283,7 @@ typedef struct summarystat {
 } summarystat_t;
 
 static void
-renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
+renderctx(isc__mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	xmlTextWriterStartElement(writer, ISC_XMLCHAR "context");
@@ -2151,7 +2369,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
 
 void
 isc_mem_renderxml(xmlTextWriterPtr writer) {
-	isc_mem_t *ctx;
+	isc__mem_t *ctx;
 	summarystat_t summary;
 	isc_uint64_t lost;
 
@@ -2203,3 +2421,4 @@ isc_mem_renderxml(xmlTextWriterPtr writer) {
 }
 
 #endif /* HAVE_LIBXML2 */
+#endif /* BIND9 */
diff --git a/lib/isc/mem_api.c b/lib/isc/mem_api.c
new file mode 100644
index 0000000000..432cd67b66
--- /dev/null
+++ b/lib/isc/mem_api.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mem_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#include 
+#include 
+#include 
+#include 
+
+#if ISC_MEM_TRACKLINES
+#define FLARG_PASS	, file, line
+#define FLARG		, const char *file, int line
+#else
+#define FLARG_PASS
+#define FLARG
+#endif
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_memcreatefunc_t mem_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (mem_createfunc == NULL)
+		mem_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_mem_create(size_t init_max_size, size_t target_size, isc_mem_t **mctxp) {
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(mem_createfunc != NULL);
+	result = (*mem_createfunc)(init_max_size, target_size, mctxp,
+				   ISC_MEMFLAG_DEFAULT);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_mem_create2(size_t init_max_size, size_t target_size, isc_mem_t **mctxp,
+		unsigned int flags)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(mem_createfunc != NULL);
+	result = (*mem_createfunc)(init_max_size, target_size, mctxp, flags);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+	REQUIRE(ISCAPI_MCTX_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	source->methods->attach(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+isc_mem_detach(isc_mem_t **mctxp) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp)); 
+
+	(*mctxp)->methods->detach(mctxp);
+
+	ENSURE(*mctxp == NULL);
+}
+
+void
+isc_mem_destroy(isc_mem_t **mctxp) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	(*mctxp)->methods->destroy(mctxp);
+
+	ENSURE(*mctxp == NULL);
+}
+
+void *
+isc__mem_get(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memget(mctx, size FLARG_PASS));
+}
+
+void
+isc__mem_put(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->memput(mctx, ptr, size FLARG_PASS);
+}
+
+void
+isc__mem_putanddetach(isc_mem_t **mctxp, void *ptr, size_t size FLARG) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	(*mctxp)->methods->memputanddetach(mctxp, ptr, size FLARG_PASS);
+
+	/*
+	 * XXX: We cannot always ensure *mctxp == NULL here
+	 * (see lib/isc/mem.c).
+	 */
+}
+
+void *
+isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memallocate(mctx, size FLARG_PASS));
+}
+
+char *
+isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memstrdup(mctx, s FLARG_PASS));
+}
+
+void
+isc__mem_free(isc_mem_t *mctx, void *ptr FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->memfree(mctx, ptr FLARG_PASS);
+}
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx, isc_boolean_t flag) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->setdestroycheck(mctx, flag);
+}
+
+void
+isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+		 size_t hiwater, size_t lowater)
+{
+	REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+	ctx->methods->setwater(ctx, water, water_arg, hiwater, lowater);
+}
+
+void
+isc_mem_waterack(isc_mem_t *ctx, int flag) {
+	REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+	ctx->methods->waterack(ctx, flag);
+}
+
+size_t 
+isc_mem_inuse(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->inuse(mctx));
+}
+
+void
+isc_mem_setname(isc_mem_t *mctx, const char *name, void *tag) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	UNUSED(name);
+	UNUSED(tag);
+
+	return;
+}
+
+const char *
+isc_mem_getname(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return ("");
+}
+
+void *
+isc_mem_gettag(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (NULL);
+}
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->mpcreate(mctx, size, mpctxp));
+}
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
+	REQUIRE(mpctxp != NULL && ISCAPI_MPOOL_VALID(*mpctxp));
+
+	(*mpctxp)->methods->destroy(mpctxp);
+
+	ENSURE(*mpctxp == NULL);
+}
+
+void *
+isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	return (mpctx->methods->get(mpctx FLARG_PASS));
+}
+
+void
+isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->put(mpctx, mem FLARG_PASS);
+}
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	return (mpctx->methods->getallocated(mpctx));
+}
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->setmaxalloc(mpctx, limit);
+}
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->setfreemax(mpctx, limit);
+}
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->setname(mpctx, name);
+}
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->associatelock(mpctx, lock);
+}
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	mpctx->methods->setfillcount(mpctx, limit);
+}
diff --git a/lib/isc/nls/Makefile.in b/lib/isc/nls/Makefile.in
index 695c31327a..29baa21fcc 100644
--- a/lib/isc/nls/Makefile.in
+++ b/lib/isc/nls/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
+# $Id: Makefile.in,v 1.15 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ CINCLUDES =	-I../unix/include \
 		-I../include \
 		-I${srcdir}/../include
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 OBJS =		msgcat.@O@
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
index 75a2cb5e3b..2e6a41bebd 100644
--- a/lib/isc/nothreads/Makefile.in
+++ b/lib/isc/nothreads/Makefile.in
@@ -13,11 +13,11 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7 2007/06/19 23:47:18 tbox Exp $
+# $Id: Makefile.in,v 1.8 2009/09/01 00:22:28 jinmei Exp $
 
-srcdir =	@srcdir@
-VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
+srcdir =	@top_srcdir@/lib/isc/nothreads
+VPATH =		@top_srcdir@/lib/isc/nothreads
 
 CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../unix/include \
@@ -25,7 +25,7 @@ CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../include \
 		-I${srcdir}/..
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 OBJS =		condition.@O@ mutex.@O@ thread.@O@
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
index a287457805..c83eaa610a 100644
--- a/lib/isc/pthreads/Makefile.in
+++ b/lib/isc/pthreads/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19 2007/06/19 23:47:18 tbox Exp $
+# $Id: Makefile.in,v 1.20 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../include \
 		-I${srcdir}/..
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 OBJS =		condition.@O@ mutex.@O@ thread.@O@
diff --git a/lib/isc/socket_api.c b/lib/isc/socket_api.c
new file mode 100644
index 0000000000..66541299bd
--- /dev/null
+++ b/lib/isc/socket_api.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: socket_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_socketmgrcreatefunc_t socketmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (socketmgr_createfunc == NULL)
+		socketmgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			  isc_socketmgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(socketmgr_createfunc != NULL);
+	result = (*socketmgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_setsocketmgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(socketmgr_createfunc != NULL);
+	result = (*socketmgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+	REQUIRE(managerp != NULL && ISCAPI_SOCKETMGR_VALID(*managerp));
+
+	(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		  isc_socket_t **socketp)
+{
+	REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
+
+	return (manager->methods->socketcreate(manager, pf, type, socketp));
+}
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	sock->methods->attach(sock, socketp);
+
+	ENSURE(*socketp == sock);
+}
+
+void
+isc_socket_detach(isc_socket_t **socketp) {
+	REQUIRE(socketp != NULL && ISCAPI_SOCKET_VALID(*socketp));
+
+	(*socketp)->methods->detach(socketp);
+
+	ENSURE(*socketp == NULL);
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		unsigned int options) 
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->bind(sock, sockaddr, options));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		  isc_taskaction_t action, const void *arg,
+		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->sendto(sock, region, task, action, arg, address,
+				      pktinfo));
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, isc_task_t *task,
+		   isc_taskaction_t action, const void *arg)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->connect(sock, addr, task, action, arg));
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->recv(sock, region, minimum, task, action, arg));
+}
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	sock->methods->cancel(sock, task, how);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->getsockname(sock, addressp));
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	sock->methods->ipv6only(sock, yes);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	return (sock->methods->gettype(sock));
+}
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+	REQUIRE(ISCAPI_SOCKET_VALID(socket));
+
+	UNUSED(socket);		/* in case REQUIRE() is empty */
+	UNUSED(name);
+	UNUSED(tag);
+}
diff --git a/lib/isc/task.c b/lib/isc/task.c
index a630173d94..27b1a508f9 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.107 2008/03/27 23:46:57 tbox Exp $ */
+/* $Id: task.c,v 1.108 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -40,9 +40,29 @@
 #include 
 #include 
 
-#ifndef ISC_PLATFORM_USETHREADS
+/*%
+ * For BIND9 internal applications:
+ * when built with threads we use multiple worker threads shared by the whole
+ * application.
+ * when built without threads we share a single global task manager and use
+ * an integrated event loop for socket, timer, and other generic task events.
+ * For generic library:
+ * we don't use either of them: an application can have multiple task managers
+ * whether or not it's threaded, and if the application is threaded each thread
+ * is expected to have a separate manager; no "worker threads" are shared by
+ * the application threads.
+ */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WORKER_THREADS
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* BIND9 */
+
+#ifndef USE_WORKER_THREADS
 #include "task_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 
 #ifdef ISC_TASK_TRACE
 #define XTRACE(m)		fprintf(stderr, "task %p thread %lu: %s\n", \
@@ -66,7 +86,7 @@ typedef enum {
 	task_state_done
 } task_state_t;
 
-#ifdef HAVE_LIBXML2
+#if defined(HAVE_LIBXML2) && defined(BIND9)
 static const char *statenames[] = {
 	"idle", "ready", "running", "done",
 };
@@ -75,10 +95,13 @@ static const char *statenames[] = {
 #define TASK_MAGIC			ISC_MAGIC('T', 'A', 'S', 'K')
 #define VALID_TASK(t)			ISC_MAGIC_VALID(t, TASK_MAGIC)
 
-struct isc_task {
+typedef struct isc__task isc__task_t;
+typedef struct isc__taskmgr isc__taskmgr_t;
+
+struct isc__task {
 	/* Not locked. */
-	unsigned int			magic;
-	isc_taskmgr_t *			manager;
+	isc_task_t			common;
+	isc__taskmgr_t *		manager;
 	isc_mutex_t			lock;
 	/* Locked by task lock. */
 	task_state_t			state;
@@ -91,8 +114,8 @@ struct isc_task {
 	char				name[16];
 	void *				tag;
 	/* Locked by task manager lock. */
-	LINK(isc_task_t)		link;
-	LINK(isc_task_t)		ready_link;
+	LINK(isc__task_t)		link;
+	LINK(isc__task_t)		ready_link;
 };
 
 #define TASK_F_SHUTTINGDOWN		0x01
@@ -103,9 +126,11 @@ struct isc_task {
 #define TASK_MANAGER_MAGIC		ISC_MAGIC('T', 'S', 'K', 'M')
 #define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
 
-struct isc_taskmgr {
+typedef ISC_LIST(isc__task_t)	isc__tasklist_t;
+
+struct isc__taskmgr {
 	/* Not locked. */
-	unsigned int			magic;
+	isc_taskmgr_t			common;
 	isc_mem_t *			mctx;
 	isc_mutex_t			lock;
 #ifdef ISC_PLATFORM_USETHREADS
@@ -114,8 +139,8 @@ struct isc_taskmgr {
 #endif /* ISC_PLATFORM_USETHREADS */
 	/* Locked by task manager lock. */
 	unsigned int			default_quantum;
-	LIST(isc_task_t)		tasks;
-	isc_tasklist_t			ready_tasks;
+	LIST(isc__task_t)		tasks;
+	isc__tasklist_t			ready_tasks;
 #ifdef ISC_PLATFORM_USETHREADS
 	isc_condition_t			work_available;
 	isc_condition_t			exclusive_granted;
@@ -123,7 +148,7 @@ struct isc_taskmgr {
 	unsigned int			tasks_running;
 	isc_boolean_t			exclusive_requested;
 	isc_boolean_t			exiting;
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	unsigned int			refs;
 #endif /* ISC_PLATFORM_USETHREADS */
 };
@@ -132,17 +157,112 @@ struct isc_taskmgr {
 #define DEFAULT_DEFAULT_QUANTUM		5
 #define FINISHED(m)			((m)->exiting && EMPTY((m)->tasks))
 
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_taskmgr_t *taskmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef USE_SHARED_MANAGER
+static isc__taskmgr_t *taskmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_TASKFUNC_SCOPE
+#else
+#define ISC_TASKFUNC_SCOPE static
+#endif
+
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+		 isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp);
+ISC_TASKFUNC_SCOPE void
+isc__task_detach(isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp);
+ISC_TASKFUNC_SCOPE void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag);
+ISC_TASKFUNC_SCOPE isc_boolean_t
+isc__task_purgeevent(isc_task_t *task0, isc_event_t *event);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		      isc_eventtype_t last, void *tag,
+		      isc_eventlist_t *events);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		 void *tag, isc_eventlist_t *events);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+		     const void *arg);
+ISC_TASKFUNC_SCOPE void
+isc__task_shutdown(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void
+isc__task_destroy(isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag);
+ISC_TASKFUNC_SCOPE const char *
+isc__task_getname(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void *
+isc__task_gettag(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		    unsigned int default_quantum, isc_taskmgr_t **managerp);
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_beginexclusive(isc_task_t *task);
+ISC_TASKFUNC_SCOPE void
+isc__task_endexclusive(isc_task_t *task0);
+
+static struct isc__taskmethods {
+	isc_taskmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *purgeevent, *unsendrange,
+		*getname, *gettag, *getcurrenttime, *beginexclusive,
+		*endexclusive;
+} taskmethods = {
+	{
+		isc__task_attach,
+		isc__task_detach,
+		isc__task_destroy,
+		isc__task_send,
+		isc__task_sendanddetach,
+		isc__task_unsend,
+		isc__task_onshutdown,
+		isc__task_shutdown,
+		isc__task_setname,
+		isc__task_purge,
+		isc__task_purgerange
+	},
+	isc__task_purgeevent, isc__task_unsendrange,
+	isc__task_getname, isc__task_gettag,
+	isc__task_getcurrenttime, isc__task_beginexclusive,
+	isc__task_endexclusive
+};
+
+static isc_taskmgrmethods_t taskmgrmethods = {
+	isc__taskmgr_destroy,
+	isc__task_create
+};
 
 /***
  *** Tasks.
  ***/
 
 static void
-task_finished(isc_task_t *task) {
-	isc_taskmgr_t *manager = task->manager;
+task_finished(isc__task_t *task) {
+	isc__taskmgr_t *manager = task->manager;
 
 	REQUIRE(EMPTY(task->events));
 	REQUIRE(EMPTY(task->on_shutdown));
@@ -153,7 +273,7 @@ task_finished(isc_task_t *task) {
 
 	LOCK(&manager->lock);
 	UNLINK(manager->tasks, task, link);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	if (FINISHED(manager)) {
 		/*
 		 * All tasks have completed and the
@@ -163,19 +283,21 @@ task_finished(isc_task_t *task) {
 		 */
 		BROADCAST(&manager->work_available);
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 	UNLOCK(&manager->lock);
 
 	DESTROYLOCK(&task->lock);
-	task->magic = 0;
+	task->common.impmagic = 0;
+	task->common.magic = 0;
 	isc_mem_put(manager->mctx, task, sizeof(*task));
 }
 
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
-		isc_task_t **taskp)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+		 isc_task_t **taskp)
 {
-	isc_task_t *task;
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0; 
+	isc__task_t *task;
 	isc_boolean_t exiting;
 	isc_result_t result;
 
@@ -220,14 +342,17 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 		return (ISC_R_SHUTTINGDOWN);
 	}
 
-	task->magic = TASK_MAGIC;
-	*taskp = task;
+	task->common.methods = (isc_taskmethods_t *)&taskmethods;
+	task->common.magic = ISCAPI_TASK_MAGIC;
+	task->common.impmagic = TASK_MAGIC;
+	*taskp = (isc_task_t *)task;
 
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp) {
+	isc__task_t *source = (isc__task_t *)source0;
 
 	/*
 	 * Attach *targetp to source.
@@ -242,11 +367,11 @@ isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
 	source->references++;
 	UNLOCK(&source->lock);
 
-	*targetp = source;
+	*targetp = (isc_task_t *)source;
 }
 
 static inline isc_boolean_t
-task_shutdown(isc_task_t *task) {
+task_shutdown(isc__task_t *task) {
 	isc_boolean_t was_idle = ISC_FALSE;
 	isc_event_t *event, *prev;
 
@@ -283,8 +408,8 @@ task_shutdown(isc_task_t *task) {
 }
 
 static inline void
-task_ready(isc_task_t *task) {
-	isc_taskmgr_t *manager = task->manager;
+task_ready(isc__task_t *task) {
+	isc__taskmgr_t *manager = task->manager;
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(task->state == task_state_ready);
@@ -294,15 +419,15 @@ task_ready(isc_task_t *task) {
 	LOCK(&manager->lock);
 
 	ENQUEUE(manager->ready_tasks, task, ready_link);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	SIGNAL(&manager->work_available);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 
 	UNLOCK(&manager->lock);
 }
 
 static inline isc_boolean_t
-task_detach(isc_task_t *task) {
+task_detach(isc__task_t *task) {
 
 	/*
 	 * Caller must be holding the task lock.
@@ -330,9 +455,9 @@ task_detach(isc_task_t *task) {
 	return (ISC_FALSE);
 }
 
-void
-isc_task_detach(isc_task_t **taskp) {
-	isc_task_t *task;
+ISC_TASKFUNC_SCOPE void
+isc__task_detach(isc_task_t **taskp) {
+	isc__task_t *task;
 	isc_boolean_t was_idle;
 
 	/*
@@ -340,7 +465,7 @@ isc_task_detach(isc_task_t **taskp) {
 	 */
 
 	REQUIRE(taskp != NULL);
-	task = *taskp;
+	task = (isc__task_t *)*taskp;
 	REQUIRE(VALID_TASK(task));
 
 	XTRACE("isc_task_detach");
@@ -356,7 +481,7 @@ isc_task_detach(isc_task_t **taskp) {
 }
 
 static inline isc_boolean_t
-task_send(isc_task_t *task, isc_event_t **eventp) {
+task_send(isc__task_t *task, isc_event_t **eventp) {
 	isc_boolean_t was_idle = ISC_FALSE;
 	isc_event_t *event;
 
@@ -385,8 +510,9 @@ task_send(isc_task_t *task, isc_event_t **eventp) {
 	return (was_idle);
 }
 
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp) {
+	isc__task_t *task = (isc__task_t *)task0;
 	isc_boolean_t was_idle;
 
 	/*
@@ -426,10 +552,10 @@ isc_task_send(isc_task_t *task, isc_event_t **eventp) {
 	}
 }
 
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
 	isc_boolean_t idle1, idle2;
-	isc_task_t *task;
+	isc__task_t *task;
 
 	/*
 	 * Send '*event' to '*taskp' and then detach '*taskp' from its
@@ -437,7 +563,7 @@ isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
 	 */
 
 	REQUIRE(taskp != NULL);
-	task = *taskp;
+	task = (isc__task_t *)*taskp;
 	REQUIRE(VALID_TASK(task));
 
 	XTRACE("isc_task_sendanddetach");
@@ -463,7 +589,7 @@ isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
 #define PURGE_OK(event)	(((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
 
 static unsigned int
-dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
+dequeue_events(isc__task_t *task, void *sender, isc_eventtype_t first,
 	       isc_eventtype_t last, void *tag,
 	       isc_eventlist_t *events, isc_boolean_t purging)
 {
@@ -502,10 +628,11 @@ dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
 	return (count);
 }
 
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		    isc_eventtype_t last, void *tag)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag)
 {
+	isc__task_t *task = (isc__task_t *)task0;
 	unsigned int count;
 	isc_eventlist_t events;
 	isc_event_t *event, *next_event;
@@ -533,9 +660,9 @@ isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
 	return (count);
 }
 
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
-	       void *tag)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag)
 {
 	/*
 	 * Purge events from a task's event queue.
@@ -543,11 +670,12 @@ isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
 
 	XTRACE("isc_task_purge");
 
-	return (isc_task_purgerange(task, sender, type, type, tag));
+	return (isc__task_purgerange(task, sender, type, type, tag));
 }
 
-isc_boolean_t
-isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
+ISC_TASKFUNC_SCOPE isc_boolean_t
+isc__task_purgeevent(isc_task_t *task0, isc_event_t *event) {
+	isc__task_t *task = (isc__task_t *)task0;
 	isc_event_t *curr_event, *next_event;
 
 	/*
@@ -588,10 +716,10 @@ isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
 	return (ISC_TRUE);
 }
 
-unsigned int
-isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
-		     isc_eventtype_t last, void *tag,
-		     isc_eventlist_t *events)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		      isc_eventtype_t last, void *tag,
+		      isc_eventlist_t *events)
 {
 	/*
 	 * Remove events from a task's event queue.
@@ -599,13 +727,13 @@ isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
 
 	XTRACE("isc_task_unsendrange");
 
-	return (dequeue_events(task, sender, first, last, tag, events,
-			       ISC_FALSE));
+	return (dequeue_events((isc__task_t *)task, sender, first,
+			       last, tag, events, ISC_FALSE));
 }
 
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
-		void *tag, isc_eventlist_t *events)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		 void *tag, isc_eventlist_t *events)
 {
 	/*
 	 * Remove events from a task's event queue.
@@ -613,13 +741,15 @@ isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
 
 	XTRACE("isc_task_unsend");
 
-	return (dequeue_events(task, sender, type, type, tag, events,
-			       ISC_FALSE));
+	return (dequeue_events((isc__task_t *)task, sender, type,
+			       type, tag, events, ISC_FALSE));
 }
 
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+		     const void *arg)
 {
+	isc__task_t *task = (isc__task_t *)task0;
 	isc_boolean_t disallowed = ISC_FALSE;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_event_t *event;
@@ -655,8 +785,9 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
 	return (result);
 }
 
-void
-isc_task_shutdown(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE void
+isc__task_shutdown(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
 	isc_boolean_t was_idle;
 
 	/*
@@ -673,8 +804,8 @@ isc_task_shutdown(isc_task_t *task) {
 		task_ready(task);
 }
 
-void
-isc_task_destroy(isc_task_t **taskp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_destroy(isc_task_t **taskp) {
 
 	/*
 	 * Destroy '*taskp'.
@@ -686,8 +817,9 @@ isc_task_destroy(isc_task_t **taskp) {
 	isc_task_detach(taskp);
 }
 
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+ISC_TASKFUNC_SCOPE void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
+	isc__task_t *task = (isc__task_t *)task0;
 
 	/*
 	 * Name 'task'.
@@ -702,18 +834,28 @@ isc_task_setname(isc_task_t *task, const char *name, void *tag) {
 	UNLOCK(&task->lock);
 }
 
-const char *
-isc_task_getname(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE const char *
+isc__task_getname(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+
 	return (task->name);
 }
 
-void *
-isc_task_gettag(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE void *
+isc__task_gettag(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+
 	return (task->tag);
 }
 
-void
-isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+ISC_TASKFUNC_SCOPE void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
+	isc__task_t *task = (isc__task_t *)task0;
+
 	REQUIRE(VALID_TASK(task));
 	REQUIRE(t != NULL);
 
@@ -728,12 +870,12 @@ isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
  *** Task Manager.
  ***/
 static void
-dispatch(isc_taskmgr_t *manager) {
-	isc_task_t *task;
-#ifndef ISC_PLATFORM_USETHREADS
+dispatch(isc__taskmgr_t *manager) {
+	isc__task_t *task;
+#ifndef USE_WORKER_THREADS
 	unsigned int total_dispatch_count = 0;
-	isc_tasklist_t ready_tasks;
-#endif /* ISC_PLATFORM_USETHREADS */
+	isc__tasklist_t ready_tasks;
+#endif /* USE_WORKER_THREADS */
 
 	REQUIRE(VALID_MANAGER(manager));
 
@@ -787,12 +929,12 @@ dispatch(isc_taskmgr_t *manager) {
 	 * unlocks.  The while expression is always protected by the lock.
 	 */
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 	ISC_LIST_INIT(ready_tasks);
 #endif
 	LOCK(&manager->lock);
 	while (!FINISHED(manager)) {
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 		/*
 		 * For reasons similar to those given in the comment in
 		 * isc_task_send() above, it is safe for us to dequeue
@@ -812,11 +954,11 @@ dispatch(isc_taskmgr_t *manager) {
 						    ISC_MSGSET_TASK,
 						    ISC_MSG_AWAKE, "awake"));
 		}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WORKER_THREADS */
 		if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
 		    EMPTY(manager->ready_tasks))
 			break;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 		XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
 					    ISC_MSG_WORKING, "working"));
 
@@ -859,13 +1001,15 @@ dispatch(isc_taskmgr_t *manager) {
 							    "execute action"));
 					if (event->ev_action != NULL) {
 						UNLOCK(&task->lock);
-						(event->ev_action)(task,event);
+						(event->ev_action)(
+							(isc_task_t *)task,
+							event);
 						LOCK(&task->lock);
 					}
 					dispatch_count++;
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 					total_dispatch_count++;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 				}
 
 				if (task->references == 0 &&
@@ -950,12 +1094,12 @@ dispatch(isc_taskmgr_t *manager) {
 
 			LOCK(&manager->lock);
 			manager->tasks_running--;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 			if (manager->exclusive_requested &&
 			    manager->tasks_running == 1) {
 				SIGNAL(&manager->exclusive_granted);
 			}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 			if (requeue) {
 				/*
 				 * We know we're awake, so we don't have
@@ -976,7 +1120,7 @@ dispatch(isc_taskmgr_t *manager) {
 				 * were usually nonempty, the 'optimization'
 				 * might even hurt rather than help.
 				 */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 				ENQUEUE(manager->ready_tasks, task,
 					ready_link);
 #else
@@ -985,19 +1129,19 @@ dispatch(isc_taskmgr_t *manager) {
 			}
 		}
 	}
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 	ISC_LIST_APPENDLIST(manager->ready_tasks, ready_tasks, ready_link);
 #endif
 	UNLOCK(&manager->lock);
 }
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 static isc_threadresult_t
 #ifdef _WIN32
 WINAPI
 #endif
 run(void *uap) {
-	isc_taskmgr_t *manager = uap;
+	isc__taskmgr_t *manager = uap;
 
 	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				    ISC_MSG_STARTING, "starting"));
@@ -1009,31 +1153,36 @@ run(void *uap) {
 
 	return ((isc_threadresult_t)0);
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 
 static void
-manager_free(isc_taskmgr_t *manager) {
+manager_free(isc__taskmgr_t *manager) {
 	isc_mem_t *mctx;
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	(void)isc_condition_destroy(&manager->exclusive_granted);
 	(void)isc_condition_destroy(&manager->work_available);
 	isc_mem_free(manager->mctx, manager->threads);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 	DESTROYLOCK(&manager->lock);
-	manager->magic = 0;
+	manager->common.impmagic = 0;
+	manager->common.magic = 0;
 	mctx = manager->mctx;
 	isc_mem_put(mctx, manager, sizeof(*manager));
 	isc_mem_detach(&mctx);
+
+#ifdef USE_SHARED_MANAGER
+	taskmgr = NULL;
+#endif	/* USE_SHARED_MANAGER */
 }
 
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
-		   unsigned int default_quantum, isc_taskmgr_t **managerp)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		    unsigned int default_quantum, isc_taskmgr_t **managerp)
 {
 	isc_result_t result;
 	unsigned int i, started = 0;
-	isc_taskmgr_t *manager;
+	isc__taskmgr_t *manager;
 
 	/*
 	 * Create a new task manager.
@@ -1042,28 +1191,31 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	REQUIRE(workers > 0);
 	REQUIRE(managerp != NULL && *managerp == NULL);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 	UNUSED(i);
 	UNUSED(started);
-	UNUSED(workers);
+#endif
 
+#ifdef USE_SHARED_MANAGER
 	if (taskmgr != NULL) {
 		taskmgr->refs++;
-		*managerp = taskmgr;
+		*managerp = (isc_taskmgr_t *)taskmgr;
 		return (ISC_R_SUCCESS);
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
 	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
-	manager->magic = TASK_MANAGER_MAGIC;
+	manager->common.methods = &taskmgrmethods;
+	manager->common.impmagic = TASK_MANAGER_MAGIC;
+	manager->common.magic = ISCAPI_TASKMGR_MAGIC;
 	manager->mctx = NULL;
 	result = isc_mutex_init(&manager->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mgr;
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	manager->workers = 0;
 	manager->threads = isc_mem_allocate(mctx,
 					    workers * sizeof(isc_thread_t));
@@ -1087,7 +1239,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		result = ISC_R_UNEXPECTED;
 		goto cleanup_workavailable;
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 	if (default_quantum == 0)
 		default_quantum = DEFAULT_DEFAULT_QUANTUM;
 	manager->default_quantum = default_quantum;
@@ -1099,7 +1251,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 
 	isc_mem_attach(mctx, &manager->mctx);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	LOCK(&manager->lock);
 	/*
 	 * Start workers.
@@ -1119,16 +1271,17 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		return (ISC_R_NOTHREADS);
 	}
 	isc_thread_setconcurrency(workers);
-#else /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
+#ifdef USE_SHARED_MANAGER
 	manager->refs = 1;
 	taskmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
-	*managerp = manager;
+	*managerp = (isc_taskmgr_t *)manager;
 
 	return (ISC_R_SUCCESS);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
  cleanup_workavailable:
 	(void)isc_condition_destroy(&manager->work_available);
  cleanup_threads:
@@ -1141,10 +1294,10 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	return (result);
 }
 
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
-	isc_taskmgr_t *manager;
-	isc_task_t *task;
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
+	isc__taskmgr_t *manager;
+	isc__task_t *task;
 	unsigned int i;
 
 	/*
@@ -1152,18 +1305,20 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
 	 */
 
 	REQUIRE(managerp != NULL);
-	manager = *managerp;
+	manager = (isc__taskmgr_t *)*managerp;
 	REQUIRE(VALID_MANAGER(manager));
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 	UNUSED(i);
+#endif /* USE_WORKER_THREADS */
 
+#ifdef USE_SHARED_MANAGER
 	if (manager->refs > 1) {
 		manager->refs--;
 		*managerp = NULL;
 		return;
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif
 
 	XTHREADTRACE("isc_taskmgr_destroy");
 	/*
@@ -1203,7 +1358,7 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
 			ENQUEUE(manager->ready_tasks, task, ready_link);
 		UNLOCK(&task->lock);
 	}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
 	/*
 	 * Wake up any sleeping workers.  This ensures we get work done if
 	 * there's work left to do, and if there are already no tasks left
@@ -1217,36 +1372,48 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
 	 */
 	for (i = 0; i < manager->workers; i++)
 		(void)isc_thread_join(manager->threads[i], NULL);
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WORKER_THREADS */
 	/*
 	 * Dispatch the shutdown events.
 	 */
 	UNLOCK(&manager->lock);
-	while (isc__taskmgr_ready())
-		(void)isc__taskmgr_dispatch();
+	while (isc__taskmgr_ready((isc_taskmgr_t *)manager))
+		(void)isc__taskmgr_dispatch((isc_taskmgr_t *)manager);
+#ifdef BIND9
 	if (!ISC_LIST_EMPTY(manager->tasks))
 		isc_mem_printallactive(stderr);
+#endif
 	INSIST(ISC_LIST_EMPTY(manager->tasks));
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 
 	manager_free(manager);
 
 	*managerp = NULL;
 }
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
 isc_boolean_t
-isc__taskmgr_ready(void) {
-	if (taskmgr == NULL)
+isc__taskmgr_ready(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = taskmgr;
+#endif
+	if (manager == NULL)
 		return (ISC_FALSE);
-	return (ISC_TF(!ISC_LIST_EMPTY(taskmgr->ready_tasks)));
+	return (ISC_TF(!ISC_LIST_EMPTY(manager->ready_tasks)));
 }
 
 isc_result_t
-isc__taskmgr_dispatch(void) {
-	isc_taskmgr_t *manager = taskmgr;
+isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
 
-	if (taskmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = taskmgr;
+#endif
+	if (manager == NULL)
 		return (ISC_R_NOTFOUND);
 
 	dispatch(manager);
@@ -1254,12 +1421,13 @@ isc__taskmgr_dispatch(void) {
 	return (ISC_R_SUCCESS);
 }
 
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
 
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
-	isc_taskmgr_t *manager = task->manager;
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_beginexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+	isc__task_t *task = (isc__task_t *)task0;
+	isc__taskmgr_t *manager = task->manager;
 	REQUIRE(task->state == task_state_running);
 	LOCK(&manager->lock);
 	if (manager->exclusive_requested) {
@@ -1272,15 +1440,17 @@ isc_task_beginexclusive(isc_task_t *task) {
 	}
 	UNLOCK(&manager->lock);
 #else
-	UNUSED(task);
+	UNUSED(task0);
 #endif
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_task_endexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
-	isc_taskmgr_t *manager = task->manager;
+ISC_TASKFUNC_SCOPE void
+isc__task_endexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+	isc__task_t *task = (isc__task_t *)task0;
+	isc__taskmgr_t *manager = task->manager;
+
 	REQUIRE(task->state == task_state_running);
 	LOCK(&manager->lock);
 	REQUIRE(manager->exclusive_requested);
@@ -1288,16 +1458,22 @@ isc_task_endexclusive(isc_task_t *task) {
 	BROADCAST(&manager->work_available);
 	UNLOCK(&manager->lock);
 #else
-	UNUSED(task);
+	UNUSED(task0);
 #endif
 }
 
-#ifdef HAVE_LIBXML2
+#ifdef USE_SOCKETIMPREGISTER 
+isc_result_t
+isc__task_register() {
+	return (isc_task_register(isc__taskmgr_create));
+}
+#endif
 
+#if defined(HAVE_LIBXML2) && defined(BIND9)
 void
-isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
-{
-	isc_task_t *task;
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr0, xmlTextWriterPtr writer) {
+	isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
+	isc__task_t *task;
 
 	LOCK(&mgr->lock);
 
@@ -1373,4 +1549,4 @@ isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
 
 	UNLOCK(&mgr->lock);
 }
-#endif /* HAVE_LIBXML2 */
+#endif /* HAVE_LIBXML2 && BIND9 */
diff --git a/lib/isc/task_api.c b/lib/isc/task_api.c
new file mode 100644
index 0000000000..ff5c5c5cd6
--- /dev/null
+++ b/lib/isc/task_api.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: task_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_taskmgrcreatefunc_t taskmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (taskmgr_createfunc == NULL)
+		taskmgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			unsigned int workers, unsigned int default_quantum,
+			isc_taskmgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(taskmgr_createfunc != NULL);
+	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+				       managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_settaskmgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		   unsigned int default_quantum, isc_taskmgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(taskmgr_createfunc != NULL);
+	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+				       managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
+	REQUIRE(managerp != NULL && ISCAPI_TASKMGR_VALID(*managerp));
+
+	(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+};
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp)
+{
+	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	return (manager->methods->taskcreate(manager, quantum, taskp));
+}
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+	REQUIRE(ISCAPI_TASK_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	source->methods->attach(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+isc_task_detach(isc_task_t **taskp) {
+	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+
+	(*taskp)->methods->detach(taskp);
+
+	ENSURE(*taskp == NULL);
+}
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+	REQUIRE(eventp != NULL && *eventp != NULL);
+
+	task->methods->send(task, eventp);
+
+	ENSURE(*eventp == NULL);
+}
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+	REQUIRE(eventp != NULL && *eventp != NULL);
+
+	(*taskp)->methods->sendanddetach(taskp, eventp);
+
+	ENSURE(*taskp == NULL && *eventp == NULL);
+}
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag, isc_eventlist_t *events)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	return (task->methods->unsend(task, sender, type, tag, events));
+}
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	return (task->methods->onshutdown(task, action, arg));
+}
+
+void
+isc_task_shutdown(isc_task_t *task) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	task->methods->shutdown(task);
+}
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	task->methods->setname(task, name, tag);
+}
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	return (task->methods->purgeevents(task, sender, type, tag));
+}
+
+/*%
+ * This is necessary for libisc's internal timer implementation.  Other
+ * implementation might skip implementing this.
+ */
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		    isc_eventtype_t last, void *tag)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	return (task->methods->purgerange(task, sender, first, last, tag));
+}
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
index c888103908..75cba60a0f 100644
--- a/lib/isc/task_p.h
+++ b/lib/isc/task_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.11 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: task_p.h,v 1.12 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
@@ -23,9 +23,9 @@
 /*! \file */
 
 isc_boolean_t
-isc__taskmgr_ready(void);
+isc__taskmgr_ready(isc_taskmgr_t *taskmgr);
 
 isc_result_t
-isc__taskmgr_dispatch(void);
+isc__taskmgr_dispatch(isc_taskmgr_t *taskmgr);
 
 #endif /* ISC_TASK_P_H */
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index b40f404c8b..4a715e1638 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.89 2009/01/23 23:47:54 tbox Exp $ */
+/* $Id: timer.c,v 1.90 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file */
 
@@ -34,9 +34,18 @@
 #include 
 #include 
 
-#ifndef ISC_PLATFORM_USETHREADS
+/* See task.c about the following definition: */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_TIMER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* BIND9 */
+
+#ifndef USE_TIMER_THREAD
 #include "timer_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 #ifdef ISC_TIMER_TRACE
 #define XTRACE(s)			fprintf(stderr, "%s\n", (s))
@@ -58,10 +67,13 @@
 #define TIMER_MAGIC			ISC_MAGIC('T', 'I', 'M', 'R')
 #define VALID_TIMER(t)			ISC_MAGIC_VALID(t, TIMER_MAGIC)
 
-struct isc_timer {
+typedef struct isc__timer isc__timer_t;
+typedef struct isc__timermgr isc__timermgr_t;
+
+struct isc__timer {
 	/*! Not locked. */
-	unsigned int			magic;
-	isc_timermgr_t *		manager;
+	isc_timer_t			common;
+	isc__timermgr_t *		manager;
 	isc_mutex_t			lock;
 	/*! Locked by timer lock. */
 	unsigned int			references;
@@ -75,45 +87,109 @@ struct isc_timer {
 	void *				arg;
 	unsigned int			index;
 	isc_time_t			due;
-	LINK(isc_timer_t)		link;
+	LINK(isc__timer_t)		link;
 };
 
 #define TIMER_MANAGER_MAGIC		ISC_MAGIC('T', 'I', 'M', 'M')
 #define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
 
-struct isc_timermgr {
+struct isc__timermgr {
 	/* Not locked. */
-	unsigned int			magic;
+	isc_timermgr_t			common;
 	isc_mem_t *			mctx;
 	isc_mutex_t			lock;
 	/* Locked by manager lock. */
 	isc_boolean_t			done;
-	LIST(isc_timer_t)		timers;
+	LIST(isc__timer_t)		timers;
 	unsigned int			nscheduled;
 	isc_time_t			due;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	isc_condition_t			wakeup;
 	isc_thread_t			thread;
-#else /* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_TIMER_THREAD */
+#ifdef USE_SHARED_MANAGER
 	unsigned int			refs;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 	isc_heap_t *			heap;
 };
 
-#ifndef ISC_PLATFORM_USETHREADS
-/*!
- * If threads are not in use, there can be only one.
+/*%
+ * The followings can be either static or public, depending on build
+ * environment.
  */
-static isc_timermgr_t *timermgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+
+#ifdef BIND9
+#define ISC_TIMERFUNC_SCOPE
+#else
+#define ISC_TIMERFUNC_SCOPE static
+#endif
+
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		  isc_time_t *expires, isc_interval_t *interval,
+		  isc_task_t *task, isc_taskaction_t action, const void *arg,
+		  isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		 isc_time_t *expires, isc_interval_t *interval,
+		 isc_boolean_t purge);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_gettype(isc_timer_t *timer);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_touch(isc_timer_t *timer);
+ISC_TIMERFUNC_SCOPE void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE void
+isc__timer_detach(isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_poke(isc_timermgr_t *manager0);
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_destroy(isc_timermgr_t **managerp);
+
+static struct isc__timermethods {
+	isc_timermethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *gettype;
+} timermethods = {
+	{
+		isc__timer_attach,
+		isc__timer_detach,
+		isc__timer_reset,
+		isc__timer_touch
+	},
+	isc__timer_gettype
+};
+
+static struct isc__timermgrmethods {
+	isc_timermgrmethods_t methods;
+	void *poke;		/* see above */
+} timermgrmethods = {
+	{
+		isc__timermgr_destroy,
+		isc__timer_create
+	},
+	isc__timermgr_poke
+};
+
+#ifdef USE_SHARED_MANAGER
+/*!
+ * If the manager is supposed to be shared, there can be only one.
+ */
+static isc__timermgr_t *timermgr = NULL;
+#endif /* USE_SHARED_MANAGER */
 
 static inline isc_result_t
-schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
+schedule(isc__timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	isc_result_t result;
-	isc_timermgr_t *manager;
+	isc__timermgr_t *manager;
 	isc_time_t due;
 	int cmp;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	isc_boolean_t timedwait;
 #endif
 
@@ -123,13 +199,13 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 
 	REQUIRE(timer->type != isc_timertype_inactive);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_TIMER_THREAD
 	UNUSED(signal_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 	manager = timer->manager;
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	/*!
 	 * If the manager was timed wait, we may need to signal the
 	 * manager to force a wakeup.
@@ -199,7 +275,7 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	 * the current "next" timer.  We do this either by waking up the
 	 * run thread, or explicitly setting the value in the manager.
 	 */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 
 	/*
 	 * This is a temporary (probably) hack to fix a bug on tru64 5.1
@@ -232,19 +308,19 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 				      "signal (schedule)"));
 		SIGNAL(&manager->wakeup);
 	}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_TIMER_THREAD */
 	if (timer->index == 1 &&
 	    isc_time_compare(&timer->due, &manager->due) < 0)
 		manager->due = timer->due;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 	return (ISC_R_SUCCESS);
 }
 
 static inline void
-deschedule(isc_timer_t *timer) {
+deschedule(isc__timer_t *timer) {
 	isc_boolean_t need_wakeup = ISC_FALSE;
-	isc_timermgr_t *manager;
+	isc__timermgr_t *manager;
 
 	/*
 	 * The caller must ensure locking.
@@ -258,20 +334,20 @@ deschedule(isc_timer_t *timer) {
 		timer->index = 0;
 		INSIST(manager->nscheduled > 0);
 		manager->nscheduled--;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 		if (need_wakeup) {
 			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
 					      ISC_MSG_SIGNALDESCHED,
 					      "signal (deschedule)"));
 			SIGNAL(&manager->wakeup);
 		}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 	}
 }
 
 static void
-destroy(isc_timer_t *timer) {
-	isc_timermgr_t *manager = timer->manager;
+destroy(isc__timer_t *timer) {
+	isc__timermgr_t *manager = timer->manager;
 
 	/*
 	 * The caller must ensure it is safe to destroy the timer.
@@ -291,17 +367,19 @@ destroy(isc_timer_t *timer) {
 
 	isc_task_detach(&timer->task);
 	DESTROYLOCK(&timer->lock);
-	timer->magic = 0;
+	timer->common.impmagic = 0;
+	timer->common.magic = 0;
 	isc_mem_put(manager->mctx, timer, sizeof(*timer));
 }
 
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
-		 isc_time_t *expires, isc_interval_t *interval,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg,
-		 isc_timer_t **timerp)
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
+		  isc_time_t *expires, isc_interval_t *interval,
+		  isc_task_t *task, isc_taskaction_t action, const void *arg,
+		  isc_timer_t **timerp)
 {
-	isc_timer_t *timer;
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+	isc__timer_t *timer;
 	isc_result_t result;
 	isc_time_t now;
 
@@ -382,7 +460,9 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 		return (result);
 	}
 	ISC_LINK_INIT(timer, link);
-	timer->magic = TIMER_MAGIC;
+	timer->common.impmagic = TIMER_MAGIC;
+	timer->common.magic = ISCAPI_TIMER_MAGIC;
+	timer->common.methods = (isc_timermethods_t *)&timermethods;
 
 	LOCK(&manager->lock);
 
@@ -401,25 +481,27 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	UNLOCK(&manager->lock);
 
 	if (result != ISC_R_SUCCESS) {
-		timer->magic = 0;
+		timer->common.impmagic = 0;
+		timer->common.magic = 0;
 		DESTROYLOCK(&timer->lock);
 		isc_task_detach(&timer->task);
 		isc_mem_put(manager->mctx, timer, sizeof(*timer));
 		return (result);
 	}
 
-	*timerp = timer;
+	*timerp = (isc_timer_t *)timer;
 
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
-		isc_time_t *expires, isc_interval_t *interval,
-		isc_boolean_t purge)
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
+		 isc_time_t *expires, isc_interval_t *interval,
+		 isc_boolean_t purge)
 {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
 	isc_time_t now;
-	isc_timermgr_t *manager;
+	isc__timermgr_t *manager;
 	isc_result_t result;
 
 	/*
@@ -489,8 +571,9 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
 	return (result);
 }
 
-isc_timertype_t
-isc_timer_gettype(isc_timer_t *timer) {
+ISC_TIMERFUNC_SCOPE isc_timertype_t
+isc__timer_gettype(isc_timer_t *timer0) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
 	isc_timertype_t t;
 
 	REQUIRE(VALID_TIMER(timer));
@@ -502,8 +585,9 @@ isc_timer_gettype(isc_timer_t *timer) {
 	return (t);
 }
 
-isc_result_t
-isc_timer_touch(isc_timer_t *timer) {
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_touch(isc_timer_t *timer0) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
 	isc_result_t result;
 	isc_time_t now;
 
@@ -532,8 +616,10 @@ isc_timer_touch(isc_timer_t *timer) {
 	return (result);
 }
 
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+ISC_TIMERFUNC_SCOPE void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
+
 	/*
 	 * Attach *timerp to timer.
 	 */
@@ -545,12 +631,12 @@ isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
 	timer->references++;
 	UNLOCK(&timer->lock);
 
-	*timerp = timer;
+	*timerp = (isc_timer_t *)timer;
 }
 
-void
-isc_timer_detach(isc_timer_t **timerp) {
-	isc_timer_t *timer;
+ISC_TIMERFUNC_SCOPE void
+isc__timer_detach(isc_timer_t **timerp) {
+	isc__timer_t *timer;
 	isc_boolean_t free_timer = ISC_FALSE;
 
 	/*
@@ -558,7 +644,7 @@ isc_timer_detach(isc_timer_t **timerp) {
 	 */
 
 	REQUIRE(timerp != NULL);
-	timer = *timerp;
+	timer = (isc__timer_t *)*timerp;
 	REQUIRE(VALID_TIMER(timer));
 
 	LOCK(&timer->lock);
@@ -575,11 +661,11 @@ isc_timer_detach(isc_timer_t **timerp) {
 }
 
 static void
-dispatch(isc_timermgr_t *manager, isc_time_t *now) {
+dispatch(isc__timermgr_t *manager, isc_time_t *now) {
 	isc_boolean_t done = ISC_FALSE, post_event, need_schedule;
 	isc_timerevent_t *event;
 	isc_eventtype_t type = 0;
-	isc_timer_t *timer;
+	isc__timer_t *timer;
 	isc_result_t result;
 	isc_boolean_t idle;
 
@@ -693,13 +779,13 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 	}
 }
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 static isc_threadresult_t
 #ifdef _WIN32			/* XXXDCL */
 WINAPI
 #endif
 run(void *uap) {
-	isc_timermgr_t *manager = uap;
+	isc__timermgr_t *manager = uap;
 	isc_time_t now;
 	isc_result_t result;
 
@@ -734,11 +820,11 @@ run(void *uap) {
 
 	return ((isc_threadresult_t)0);
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 static isc_boolean_t
 sooner(void *v1, void *v2) {
-	isc_timer_t *t1, *t2;
+	isc__timer_t *t1, *t2;
 
 	t1 = v1;
 	t2 = v2;
@@ -752,7 +838,7 @@ sooner(void *v1, void *v2) {
 
 static void
 set_index(void *what, unsigned int index) {
-	isc_timer_t *timer;
+	isc__timer_t *timer;
 
 	timer = what;
 	REQUIRE(VALID_TIMER(timer));
@@ -760,9 +846,9 @@ set_index(void *what, unsigned int index) {
 	timer->index = index;
 }
 
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
-	isc_timermgr_t *manager;
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+	isc__timermgr_t *manager;
 	isc_result_t result;
 
 	/*
@@ -771,19 +857,21 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 
 	REQUIRE(managerp != NULL && *managerp == NULL);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	if (timermgr != NULL) {
 		timermgr->refs++;
-		*managerp = timermgr;
+		*managerp = (isc_timermgr_t *)timermgr;
 		return (ISC_R_SUCCESS);
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
 	manager = isc_mem_get(mctx, sizeof(*manager));
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 
-	manager->magic = TIMER_MANAGER_MAGIC;
+	manager->common.impmagic = TIMER_MANAGER_MAGIC;
+	manager->common.magic = ISCAPI_TIMERMGR_MAGIC;
+	manager->common.methods = (isc_timermgrmethods_t *)&timermgrmethods;
 	manager->mctx = NULL;
 	manager->done = ISC_FALSE;
 	INIT_LIST(manager->timers);
@@ -803,7 +891,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 		return (result);
 	}
 	isc_mem_attach(mctx, &manager->mctx);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
 		isc_mem_detach(&manager->mctx);
 		DESTROYLOCK(&manager->lock);
@@ -828,30 +916,33 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 						ISC_MSG_FAILED, "failed"));
 		return (ISC_R_UNEXPECTED);
 	}
-#else /* ISC_PLATFORM_USETHREADS */
+#endif
+#ifdef USE_SHARED_MANAGER
 	manager->refs = 1;
 	timermgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
-	*managerp = manager;
+	*managerp = (isc_timermgr_t *)manager;
 
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_timermgr_poke(isc_timermgr_t *manager) {
-#ifdef ISC_PLATFORM_USETHREADS
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_poke(isc_timermgr_t *manager0) {
+#ifdef USE_TIMER_THREAD
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
 	REQUIRE(VALID_MANAGER(manager));
 
 	SIGNAL(&manager->wakeup);
 #else
-	UNUSED(manager);
+	UNUSED(manager0);
 #endif
 }
 
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp) {
-	isc_timermgr_t *manager;
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_destroy(isc_timermgr_t **managerp) {
+	isc__timermgr_t *manager;
 	isc_mem_t *mctx;
 
 	/*
@@ -859,34 +950,36 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
 	 */
 
 	REQUIRE(managerp != NULL);
-	manager = *managerp;
+	manager = (isc__timermgr_t *)*managerp;
 	REQUIRE(VALID_MANAGER(manager));
 
 	LOCK(&manager->lock);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	if (manager->refs > 1) {
 		manager->refs--;
 		UNLOCK(&manager->lock);
 		*managerp = NULL;
 		return;
 	}
+#endif /* USE_SHARED_MANAGER */
 
-	isc__timermgr_dispatch();
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifndef USE_TIMER_THREAD
+	isc__timermgr_dispatch((isc_timermgr_t *)manager);
+#endif
 
 	REQUIRE(EMPTY(manager->timers));
 	manager->done = ISC_TRUE;
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
 			      ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
 	SIGNAL(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 	UNLOCK(&manager->lock);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	/*
 	 * Wait for thread to exit.
 	 */
@@ -895,39 +988,63 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
 				 "isc_thread_join() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 
 	/*
 	 * Clean up.
 	 */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
 	(void)isc_condition_destroy(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
 	DESTROYLOCK(&manager->lock);
 	isc_heap_destroy(&manager->heap);
-	manager->magic = 0;
+	manager->common.impmagic = 0;
+	manager->common.magic = 0;
 	mctx = manager->mctx;
 	isc_mem_put(mctx, manager, sizeof(*manager));
 	isc_mem_detach(&mctx);
 
 	*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+	timermgr = NULL;
+#endif
 }
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_TIMER_THREAD
 isc_result_t
-isc__timermgr_nextevent(isc_time_t *when) {
-	if (timermgr == NULL || timermgr->nscheduled == 0)
+isc__timermgr_nextevent(isc_timermgr_t *manager0, isc_time_t *when) {
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = timermgr;
+#endif
+	if (manager == NULL || manager->nscheduled == 0)
 		return (ISC_R_NOTFOUND);
-	*when = timermgr->due;
+	*when = manager->due;
 	return (ISC_R_SUCCESS);
 }
 
 void
-isc__timermgr_dispatch(void) {
+isc__timermgr_dispatch(isc_timermgr_t *manager0) {
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
 	isc_time_t now;
-	if (timermgr == NULL)
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = timermgr;
+#endif
+	if (manager == NULL)
 		return;
 	TIME_NOW(&now);
-	dispatch(timermgr, &now);
+	dispatch(manager, &now);
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
+
+#ifdef USE_TIMERIMPREGISTER 
+isc_result_t
+isc__timer_register() {
+	return (isc_timer_register(isc__timermgr_create));
+}
+#endif
diff --git a/lib/isc/timer_api.c b/lib/isc/timer_api.c
new file mode 100644
index 0000000000..07c3448d8d
--- /dev/null
+++ b/lib/isc/timer_api.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_timermgrcreatefunc_t timermgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (timermgr_createfunc == NULL)
+		timermgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			 isc_timermgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(timermgr_createfunc != NULL);
+	result = (*timermgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_settimermgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(timermgr_createfunc != NULL);
+	result = (*timermgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp) {
+	REQUIRE(*managerp != NULL && ISCAPI_TIMERMGR_VALID(*managerp));
+
+	(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		 isc_time_t *expires, isc_interval_t *interval,
+		 isc_task_t *task, isc_taskaction_t action, const void *arg,
+		 isc_timer_t **timerp)
+{
+	REQUIRE(ISCAPI_TIMERMGR_VALID(manager));
+
+	return (manager->methods->timercreate(manager, type, expires,
+					      interval, task, action, arg,
+					      timerp));
+}
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+	REQUIRE(timerp != NULL && *timerp == NULL);
+
+	timer->methods->attach(timer, timerp);
+
+	ENSURE(*timerp == timer);
+}
+
+void
+isc_timer_detach(isc_timer_t **timerp) {
+	REQUIRE(timerp != NULL && ISCAPI_TIMER_VALID(*timerp));
+
+	(*timerp)->methods->detach(timerp);
+
+	ENSURE(*timerp == NULL);
+}
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		isc_time_t *expires, isc_interval_t *interval,
+		isc_boolean_t purge)
+{
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+	return (timer->methods->reset(timer, type, expires, interval, purge));
+}
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer) {
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+	return (timer->methods->touch(timer));
+}
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
index ec8e2e0b78..5e66bbe4bb 100644
--- a/lib/isc/timer_p.h
+++ b/lib/isc/timer_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: timer_p.h,v 1.11 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
@@ -23,9 +23,9 @@
 /*! \file */
 
 isc_result_t
-isc__timermgr_nextevent(isc_time_t *when);
+isc__timermgr_nextevent(isc_timermgr_t *timermgr, isc_time_t *when);
 
 void
-isc__timermgr_dispatch(void);
+isc__timermgr_dispatch(isc_timermgr_t *timermgr);
 
 #endif /* ISC_TIMER_P_H */
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index 7d19b5c042..861048dd93 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.41 2007/06/19 23:47:18 tbox Exp $
+# $Id: Makefile.in,v 1.42 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../include \
 		-I${srcdir}/..
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 # Alphabetically
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index 660b438678..10b99f05f9 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.60 2008/10/15 03:41:17 marka Exp $ */
+/* $Id: app.c,v 1.61 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file */
 
@@ -37,6 +37,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -47,18 +48,26 @@
 #include 
 #include 
 
+/*%
+ * For BIND9 internal applications built with threads, we use a single app
+ * context and let multiple worker, I/O, timer threads do actual jobs.
+ * For other cases (including BIND9 built without threads) an app context acts
+ * as an event loop dispatching various events.
+ */
+#if defined(ISC_PLATFORM_USETHREADS) && defined(BIND9)
+#define USE_THREADS_SINGLECTX
+#endif
+
 #ifdef ISC_PLATFORM_USETHREADS
 #include 
-#else /* ISC_PLATFORM_USETHREADS */
+#endif
+
+#ifndef USE_THREADS_SINGLECTX
 #include "../timer_p.h"
 #include "../task_p.h"
 #include "socket_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_THREADS_SINGLECTX */
 
-static isc_eventlist_t		on_run;
-static isc_mutex_t		lock;
-static isc_boolean_t		shutdown_requested = ISC_FALSE;
-static isc_boolean_t		running = ISC_FALSE;
 /*!
  * We assume that 'want_shutdown' can be read and written atomically.
  */
@@ -68,11 +77,104 @@ static volatile isc_boolean_t	want_shutdown = ISC_FALSE;
  */
 static volatile isc_boolean_t	want_reload = ISC_FALSE;
 
-static isc_boolean_t		blocked  = ISC_FALSE;
 #ifdef ISC_PLATFORM_USETHREADS
 static pthread_t		blockedthread;
 #endif /* ISC_PLATFORM_USETHREADS */
 
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_APPFUNC_SCOPE
+#else
+#define ISC_APPFUNC_SCOPE static
+#endif
+
+ISC_APPFUNC_SCOPE isc_result_t isc__app_start(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxstart(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_onrun(isc_mem_t *mctx,
+					      isc_task_t *task,
+					      isc_taskaction_t action,
+					      void *arg);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxrun(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_run(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxshutdown(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_shutdown(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_reload(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxsuspend(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE void isc__app_ctxfinish(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE void isc__app_finish(void);
+ISC_APPFUNC_SCOPE void isc__app_block(void);
+ISC_APPFUNC_SCOPE void isc__app_unblock(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__appctx_create(isc_mem_t *mctx,
+						  isc_appctx_t **ctxp);
+ISC_APPFUNC_SCOPE void isc__appctx_destroy(isc_appctx_t **ctxp);
+ISC_APPFUNC_SCOPE void isc__appctx_settaskmgr(isc_appctx_t *ctx,
+					      isc_taskmgr_t *taskmgr);
+ISC_APPFUNC_SCOPE void isc__appctx_setsocketmgr(isc_appctx_t *ctx,
+						isc_socketmgr_t *socketmgr);
+ISC_APPFUNC_SCOPE void isc__appctx_settimermgr(isc_appctx_t *ctx,
+					       isc_timermgr_t *timermgr);
+
+/*
+ * The application context of this module.  This implementation actually
+ * doesn't use it. (This may change in the future).
+ */
+#define APPCTX_MAGIC		ISC_MAGIC('A', 'p', 'c', 'x')
+#define VALID_APPCTX(c)		ISC_MAGIC_VALID(c, APPCTX_MAGIC)
+
+typedef struct isc__appctx {
+	isc_appctx_t		common;
+	isc_mem_t		*mctx;
+	isc_mutex_t		lock;
+	isc_eventlist_t		on_run;
+	isc_boolean_t		shutdown_requested;
+	isc_boolean_t		running;
+
+	/*!
+	 * We assume that 'want_shutdown' can be read and written atomically.
+	 */
+	isc_boolean_t		want_shutdown;
+	/*
+	 * We assume that 'want_reload' can be read and written atomically.
+	 */
+	isc_boolean_t		want_reload;
+	
+	isc_boolean_t		blocked;
+
+	isc_taskmgr_t		*taskmgr;
+	isc_socketmgr_t		*socketmgr;
+	isc_timermgr_t		*timermgr;
+} isc__appctx_t;
+
+static isc__appctx_t isc_g_appctx;
+
+static struct {
+	isc_appmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *run, *shutdown, *start, *onrun, *reload, *finish,
+		*block, *unblock;
+} appmethods = {
+	{
+		isc__appctx_destroy,
+		isc__app_ctxstart,
+		isc__app_ctxrun,
+		isc__app_ctxsuspend,
+		isc__app_ctxshutdown,
+		isc__app_ctxfinish,
+		isc__appctx_settaskmgr,
+		isc__appctx_setsocketmgr,
+		isc__appctx_settimermgr
+	},
+	isc__app_run, isc__app_shutdown,
+	isc__app_start, isc__app_onrun, isc__app_reload, isc__app_finish,
+	isc__app_block, isc__app_unblock
+};
+
 #ifdef HAVE_LINUXTHREADS
 /*!
  * Linux has sigwait(), but it appears to prevent signal handlers from
@@ -91,13 +193,13 @@ static pthread_t		main_thread;
 static void
 exit_action(int arg) {
 	UNUSED(arg);
-	want_shutdown = ISC_TRUE;
+	isc_g_appctx.want_shutdown = ISC_TRUE;
 }
 
 static void
 reload_action(int arg) {
 	UNUSED(arg);
-	want_reload = ISC_TRUE;
+	isc_g_appctx.want_reload = ISC_TRUE;
 }
 #endif
 
@@ -123,12 +225,12 @@ handle_signal(int sig, void (*handler)(int)) {
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_app_start(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxstart(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
 	isc_result_t result;
-	int presult;
-	sigset_t sset;
-	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_APPCTX(ctx));
 
 	/*
 	 * Start an ISC library application.
@@ -151,7 +253,35 @@ isc_app_start(void) {
 	main_thread = pthread_self();
 #endif
 
-	result = isc_mutex_init(&lock);
+	result = isc_mutex_init(&ctx->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	ISC_LIST_INIT(ctx->on_run);
+
+	ctx->shutdown_requested = ISC_FALSE;
+	ctx->running = ISC_FALSE;
+	ctx->want_shutdown = ISC_FALSE;
+	ctx->want_reload = ISC_FALSE;
+	ctx->blocked = ISC_FALSE;
+
+	return (ISC_R_SUCCESS);
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_start(void) {
+	isc_result_t result;
+	int presult;
+	sigset_t sset;
+	char strbuf[ISC_STRERRORSIZE];
+
+	isc_g_appctx.common.impmagic = APPCTX_MAGIC;
+	isc_g_appctx.common.magic = ISCAPI_APPCTX_MAGIC;
+	isc_g_appctx.common.methods = &appmethods.methods;
+	isc_g_appctx.mctx = NULL;
+	/* The remaining members will be initialized in ctxstart() */
+
+	result = isc__app_ctxstart((isc_appctx_t *)&isc_g_appctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -253,22 +383,20 @@ isc_app_start(void) {
 	}
 #endif /* ISC_PLATFORM_USETHREADS */
 
-	ISC_LIST_INIT(on_run);
-
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 	      void *arg)
 {
 	isc_event_t *event;
 	isc_task_t *cloned_task = NULL;
 	isc_result_t result;
 
-	LOCK(&lock);
+	LOCK(&isc_g_appctx.lock);
 
-	if (running) {
+	if (isc_g_appctx.running) {
 		result = ISC_R_ALREADYRUNNING;
 		goto unlock;
 	}
@@ -285,24 +413,25 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 		goto unlock;
 	}
 
-	ISC_LIST_APPEND(on_run, event, ev_link);
+	ISC_LIST_APPEND(isc_g_appctx.on_run, event, ev_link);
 
 	result = ISC_R_SUCCESS;
 
  unlock:
-	UNLOCK(&lock);
+	UNLOCK(&isc_g_appctx.lock);
 
 	return (result);
 }
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_THREADS_SINGLECTX
 /*!
  * Event loop for nonthreaded programs.
  */
 static isc_result_t
-evloop(void) {
+evloop(isc__appctx_t *ctx) {
 	isc_result_t result;
-	while (!want_shutdown) {
+
+	while (!ctx->want_shutdown) {
 		int n;
 		isc_time_t when, now;
 		struct timeval tv, *tvp;
@@ -310,14 +439,27 @@ evloop(void) {
 		isc_boolean_t readytasks;
 		isc_boolean_t call_timer_dispatch = ISC_FALSE;
 
-		readytasks = isc__taskmgr_ready();
+		/*
+		 * Check the reload (or suspend) case first for exiting the
+		 * loop as fast as possible in case:
+		 *   - the direct call to isc__taskmgr_dispatch() in
+		 *     isc__app_ctxrun() completes all the tasks so far,
+		 *   - there is thus currently no active task, and
+		 *   - there is a timer event
+		 */
+		if (ctx->want_reload) {
+			ctx->want_reload = ISC_FALSE;
+			return (ISC_R_RELOAD);
+		}
+
+		readytasks = isc__taskmgr_ready(ctx->taskmgr);
 		if (readytasks) {
 			tv.tv_sec = 0;
 			tv.tv_usec = 0;
 			tvp = &tv;
 			call_timer_dispatch = ISC_TRUE;
 		} else {
-			result = isc__timermgr_nextevent(&when);
+			result = isc__timermgr_nextevent(ctx->timermgr, &when);
 			if (result != ISC_R_SUCCESS)
 				tvp = NULL;
 			else {
@@ -334,7 +476,7 @@ evloop(void) {
 		}
 
 		swait = NULL;
-		n = isc__socketmgr_waitevents(tvp, &swait);
+		n = isc__socketmgr_waitevents(ctx->socketmgr, tvp, &swait);
 
 		if (n == 0 || call_timer_dispatch) {
 			/*
@@ -351,11 +493,11 @@ evloop(void) {
 			 * call, since this loop only runs in the non-thread
 			 * mode.
 			 */
-			isc__timermgr_dispatch();
+			isc__timermgr_dispatch(ctx->timermgr);
 		}
 		if (n > 0)
-			(void)isc__socketmgr_dispatch(swait);
-		(void)isc__taskmgr_dispatch();
+			(void)isc__socketmgr_dispatch(ctx->socketmgr, swait);
+		(void)isc__taskmgr_dispatch(ctx->taskmgr);
 
 		if (want_reload) {
 			want_reload = ISC_FALSE;
@@ -364,7 +506,9 @@ evloop(void) {
 	}
 	return (ISC_R_SUCCESS);
 }
+#endif	/* USE_THREADS_SINGLECTX */
 
+#ifndef ISC_PLATFORM_USETHREADS
 /*
  * This is a gross hack to support waiting for condition
  * variables in nonthreaded programs in a limited way;
@@ -400,11 +544,11 @@ isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
 	INSIST(*mp == 1); /* Mutex must be locked on entry. */
 	--*mp;
 
-	result = evloop();
+	result = evloop(&isc_g_appctx);
 	if (result == ISC_R_RELOAD)
-		want_reload = ISC_TRUE;
+		isc_g_appctx.want_reload = ISC_TRUE;
 	if (signalled) {
-		want_shutdown = ISC_FALSE;
+		isc_g_appctx.want_shutdown = ISC_FALSE;
 		signalled = ISC_FALSE;
 	}
 
@@ -420,43 +564,46 @@ isc__nothread_signal_hack(isc_condition_t *cp) {
 
 	INSIST(in_recursive_evloop);
 
-	want_shutdown = ISC_TRUE;
+	isc_g_appctx.want_shutdown = ISC_TRUE;
 	signalled = ISC_TRUE;
 	return (ISC_R_SUCCESS);
 }
 
 #endif /* ISC_PLATFORM_USETHREADS */
 
-isc_result_t
-isc_app_run(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxrun(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
 	int result;
 	isc_event_t *event, *next_event;
 	isc_task_t *task;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_THREADS_SINGLECTX
 	sigset_t sset;
 	char strbuf[ISC_STRERRORSIZE];
 #ifdef HAVE_SIGWAIT
 	int sig;
 #endif
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_THREADS_SINGLECTX */
+
+	REQUIRE(VALID_APPCTX(ctx));
 
 #ifdef HAVE_LINUXTHREADS
 	REQUIRE(main_thread == pthread_self());
 #endif
 
-	LOCK(&lock);
+	LOCK(&ctx->lock);
 
-	if (!running) {
-		running = ISC_TRUE;
+	if (!ctx->running) {
+		ctx->running = ISC_TRUE;
 
 		/*
 		 * Post any on-run events (in FIFO order).
 		 */
-		for (event = ISC_LIST_HEAD(on_run);
+		for (event = ISC_LIST_HEAD(ctx->on_run);
 		     event != NULL;
 		     event = next_event) {
 			next_event = ISC_LIST_NEXT(event, ev_link);
-			ISC_LIST_UNLINK(on_run, event, ev_link);
+			ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
 			task = event->ev_sender;
 			event->ev_sender = NULL;
 			isc_task_sendanddetach(&task, &event);
@@ -464,7 +611,7 @@ isc_app_run(void) {
 
 	}
 
-	UNLOCK(&lock);
+	UNLOCK(&ctx->lock);
 
 #ifndef HAVE_SIGWAIT
 	/*
@@ -473,19 +620,27 @@ isc_app_run(void) {
 	 * We do this here to ensure that the signal handler is installed
 	 * (i.e. that it wasn't a "one-shot" handler).
 	 */
-	result = handle_signal(SIGHUP, reload_action);
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
+	if (ctx == &isc_g_appctx) {
+		result = handle_signal(SIGHUP, reload_action);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+	}
 #endif
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_THREADS_SINGLECTX
+	/*
+	 * When we are using multiple contexts, we don't rely on signals.
+	 */
+	if (ctx != &isc_g_appctx)
+		return (ISC_R_SUCCESS);
+
 	/*
 	 * There is no danger if isc_app_shutdown() is called before we wait
 	 * for signals.  Signals are blocked, so any such signal will simply
 	 * be made pending and we will get it when we call sigwait().
 	 */
 
-	while (!want_shutdown) {
+	while (!ctx->want_shutdown) {
 #ifdef HAVE_SIGWAIT
 		/*
 		 * Wait for SIGHUP, SIGINT, or SIGTERM.
@@ -503,21 +658,19 @@ isc_app_run(void) {
 #ifndef HAVE_UNIXWARE_SIGWAIT
 		result = sigwait(&sset, &sig);
 		if (result == 0) {
-			if (sig == SIGINT ||
-			    sig == SIGTERM)
-				want_shutdown = ISC_TRUE;
+			if (sig == SIGINT || sig == SIGTERM)
+				ctx->want_shutdown = ISC_TRUE;
 			else if (sig == SIGHUP)
-				want_reload = ISC_TRUE;
+				ctx->want_reload = ISC_TRUE;
 		}
 
 #else /* Using UnixWare sigwait semantics. */
 		sig = sigwait(&sset);
 		if (sig >= 0) {
-			if (sig == SIGINT ||
-			    sig == SIGTERM)
-				want_shutdown = ISC_TRUE;
+			if (sig == SIGINT || sig == SIGTERM)
+				ctx->want_shutdown = ISC_TRUE;
 			else if (sig == SIGHUP)
-				want_reload = ISC_TRUE;
+				ctx->want_reload = ISC_TRUE;
 		}
 
 #endif /* HAVE_UNIXWARE_SIGWAIT */
@@ -528,131 +681,174 @@ isc_app_run(void) {
 		if (sigemptyset(&sset) != 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_run() sigsetops: %s", strbuf);
+					 "isc_app_run() sigsetops: %s",
+					 strbuf);
 			return (ISC_R_UNEXPECTED);
 		}
 		result = sigsuspend(&sset);
 #endif /* HAVE_SIGWAIT */
 
-		if (want_reload) {
-			want_reload = ISC_FALSE;
+		if (ctx->want_reload) {
+			ctx->want_reload = ISC_FALSE;
 			return (ISC_R_RELOAD);
 		}
 
-		if (want_shutdown && blocked)
+		if (ctx->want_shutdown && ctx->blocked)
 			exit(1);
 	}
 
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_THREADS_SINGLECTX */
 
-	(void)isc__taskmgr_dispatch();
+	(void)isc__taskmgr_dispatch(ctx->taskmgr);
 
-	result = evloop();
+	result = evloop(ctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_THREADS_SINGLECTX */
 
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_app_shutdown(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_run() {
+	return (isc__app_ctxrun((isc_appctx_t *)&isc_g_appctx));
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxshutdown(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
 	isc_boolean_t want_kill = ISC_TRUE;
 	char strbuf[ISC_STRERRORSIZE];
 
-	LOCK(&lock);
+	REQUIRE(VALID_APPCTX(ctx));
 
-	REQUIRE(running);
+	LOCK(&ctx->lock);
 
-	if (shutdown_requested)
+	REQUIRE(ctx->running);
+
+	if (ctx->shutdown_requested)
 		want_kill = ISC_FALSE;
 	else
-		shutdown_requested = ISC_TRUE;
+		ctx->shutdown_requested = ISC_TRUE;
 
-	UNLOCK(&lock);
+	UNLOCK(&ctx->lock);
 
 	if (want_kill) {
+		if (ctx != &isc_g_appctx)
+			ctx->want_shutdown = ISC_TRUE;
+		else {
 #ifdef HAVE_LINUXTHREADS
-		int result;
+			int result;
 
-		result = pthread_kill(main_thread, SIGTERM);
-		if (result != 0) {
-			isc__strerror(result, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_shutdown() pthread_kill: %s",
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
+			result = pthread_kill(main_thread, SIGTERM);
+			if (result != 0) {
+				isc__strerror(result, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_shutdown() "
+						 "pthread_kill: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
 #else
-		if (kill(getpid(), SIGTERM) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_shutdown() kill: %s", strbuf);
-			return (ISC_R_UNEXPECTED);
+			if (kill(getpid(), SIGTERM) < 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_shutdown() "
+						 "kill: %s", strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+#endif	/* HAVE_LINUXTHREADS */
 		}
-#endif
 	}
 
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_app_reload(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_shutdown() {
+	return (isc__app_ctxshutdown((isc_appctx_t *)&isc_g_appctx));
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxsuspend(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
 	isc_boolean_t want_kill = ISC_TRUE;
 	char strbuf[ISC_STRERRORSIZE];
 
-	LOCK(&lock);
+	REQUIRE(VALID_APPCTX(ctx));
 
-	REQUIRE(running);
+	LOCK(&ctx->lock);
+
+	REQUIRE(ctx->running);
 
 	/*
 	 * Don't send the reload signal if we're shutting down.
 	 */
-	if (shutdown_requested)
+	if (ctx->shutdown_requested)
 		want_kill = ISC_FALSE;
 
-	UNLOCK(&lock);
+	UNLOCK(&ctx->lock);
 
 	if (want_kill) {
+		if (ctx != &isc_g_appctx)
+			ctx->want_reload = ISC_TRUE;
+		else {
 #ifdef HAVE_LINUXTHREADS
-		int result;
+			int result;
 
-		result = pthread_kill(main_thread, SIGHUP);
-		if (result != 0) {
-			isc__strerror(result, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_reload() pthread_kill: %s",
-					 strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
+			result = pthread_kill(main_thread, SIGHUP);
+			if (result != 0) {
+				isc__strerror(result, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_reload() "
+						 "pthread_kill: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
 #else
-		if (kill(getpid(), SIGHUP) < 0) {
-			isc__strerror(errno, strbuf, sizeof(strbuf));
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "isc_app_reload() kill: %s", strbuf);
-			return (ISC_R_UNEXPECTED);
-		}
+			if (kill(getpid(), SIGHUP) < 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_reload() "
+						 "kill: %s", strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
 #endif
+		}
 	}
 
 	return (ISC_R_SUCCESS);
 }
 
-void
-isc_app_finish(void) {
-	DESTROYLOCK(&lock);
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_reload(void) {
+	return (isc__app_ctxsuspend((isc_appctx_t *)&isc_g_appctx));
 }
 
-void
-isc_app_block(void) {
+ISC_APPFUNC_SCOPE void
+isc__app_ctxfinish(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	DESTROYLOCK(&ctx->lock);
+}
+
+ISC_APPFUNC_SCOPE void
+isc__app_finish(void) {
+	isc__app_ctxfinish((isc_appctx_t *)&isc_g_appctx);
+}
+
+ISC_APPFUNC_SCOPE void
+isc__app_block(void) {
 #ifdef ISC_PLATFORM_USETHREADS
 	sigset_t sset;
 #endif /* ISC_PLATFORM_USETHREADS */
-	REQUIRE(running);
-	REQUIRE(!blocked);
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(!isc_g_appctx.blocked);
 
-	blocked = ISC_TRUE;
+	isc_g_appctx.blocked = ISC_TRUE;
 #ifdef ISC_PLATFORM_USETHREADS
 	blockedthread = pthread_self();
 	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
@@ -662,16 +858,16 @@ isc_app_block(void) {
 #endif /* ISC_PLATFORM_USETHREADS */
 }
 
-void
-isc_app_unblock(void) {
+ISC_APPFUNC_SCOPE void
+isc__app_unblock(void) {
 #ifdef ISC_PLATFORM_USETHREADS
 	sigset_t sset;
 #endif /* ISC_PLATFORM_USETHREADS */
 
-	REQUIRE(running);
-	REQUIRE(blocked);
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(isc_g_appctx.blocked);
 
-	blocked = ISC_FALSE;
+	isc_g_appctx.blocked = ISC_FALSE;
 
 #ifdef ISC_PLATFORM_USETHREADS
 	REQUIRE(blockedthread == pthread_self());
@@ -682,3 +878,77 @@ isc_app_unblock(void) {
 	RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
 #endif /* ISC_PLATFORM_USETHREADS */
 }
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+
+	ctx = isc_mem_get(mctx, sizeof(*ctx));
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ctx->common.impmagic = APPCTX_MAGIC;
+	ctx->common.magic = ISCAPI_APPCTX_MAGIC;
+	ctx->common.methods = &appmethods.methods;
+
+	ctx->mctx = NULL;
+	isc_mem_attach(mctx, &ctx->mctx);
+
+	ctx->taskmgr = NULL;
+	ctx->socketmgr = NULL;
+	ctx->timermgr = NULL;
+
+	*ctxp = (isc_appctx_t *)ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_destroy(isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__appctx_t *)*ctxp;
+	REQUIRE(VALID_APPCTX(ctx));
+
+	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
+
+	*ctxp = NULL;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->taskmgr = taskmgr;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->socketmgr = socketmgr;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->timermgr = timermgr;
+}
+
+#ifdef USE_APPIMPREGISTER 
+isc_result_t
+isc__app_register() {
+	return (isc_app_register(isc__appctx_create));
+}
+#endif
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index df1002ab02..0edac59716 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.319 2009/08/13 02:11:20 marka Exp $ */
+/* $Id: socket.c,v 1.320 2009/09/01 00:22:28 jinmei Exp $ */
 
 /*! \file */
 
@@ -72,9 +72,18 @@
 
 #include "errno2result.h"
 
-#ifndef ISC_PLATFORM_USETHREADS
+/* See task.c about the following definition: */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WATCHER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* BIND9 */
+
+#ifndef USE_WATCHER_THREAD
 #include "socket_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 #if defined(SO_BSDCOMPAT) && defined(__linux__)
 #include 
@@ -97,7 +106,7 @@ typedef struct {
 #define USE_SELECT
 #endif	/* ISC_PLATFORM_HAVEKQUEUE */
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WATCHER_THREAD
 #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
 struct isc_socketwait {
 	int nevents;
@@ -110,7 +119,7 @@ struct isc_socketwait {
 	int maxfd;
 };
 #endif	/* USE_KQUEUE */
-#endif /* !ISC_PLATFORM_USETHREADS */
+#endif /* !USE_WATCHER_THREAD */
 
 /*%
  * Maximum number of allowable open sockets.  This is also the maximum
@@ -244,7 +253,7 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
 typedef isc_event_t intev_t;
 
 #define SOCKET_MAGIC		ISC_MAGIC('I', 'O', 'i', 'o')
-#define VALID_SOCKET(t)		ISC_MAGIC_VALID(t, SOCKET_MAGIC)
+#define VALID_SOCKET(s)		ISC_MAGIC_VALID(s, SOCKET_MAGIC)
 
 /*!
  * IPv6 control information.  If the socket is an IPv6 socket we want
@@ -278,16 +287,21 @@ typedef isc_event_t intev_t;
  */
 #define NRETRIES 10
 
-struct isc_socket {
+typedef struct isc__socket isc__socket_t;
+typedef struct isc__socketmgr isc__socketmgr_t;
+
+#define NEWCONNSOCK(ev) ((isc__socket_t *)(ev)->newsocket)
+
+struct isc__socket {
 	/* Not locked. */
-	unsigned int		magic;
-	isc_socketmgr_t	       *manager;
+	isc_socket_t		common;
+	isc__socketmgr_t	*manager;
 	isc_mutex_t		lock;
 	isc_sockettype_t	type;
 	const isc_statscounter_t	*statsindex;
 
 	/* Locked by socket lock. */
-	ISC_LINK(isc_socket_t)	link;
+	ISC_LINK(isc__socket_t)	link;
 	unsigned int		references;
 	int			fd;
 	int			pf;
@@ -335,9 +349,9 @@ struct isc_socket {
 #define SOCKET_MANAGER_MAGIC	ISC_MAGIC('I', 'O', 'm', 'g')
 #define VALID_MANAGER(m)	ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
 
-struct isc_socketmgr {
+struct isc__socketmgr {
 	/* Not locked. */
-	unsigned int		magic;
+	isc_socketmgr_t		common;
 	isc_mem_t	       *mctx;
 	isc_mutex_t		lock;
 	isc_mutex_t		*fdlock;
@@ -366,14 +380,14 @@ struct isc_socketmgr {
 #endif
 
 	/* Locked by fdlock. */
-	isc_socket_t	       **fds;
+	isc__socket_t	       **fds;
 	int			*fdstate;
 #ifdef USE_DEVPOLL
 	pollinfo_t		*fdpollinfo;
 #endif
 
 	/* Locked by manager lock. */
-	ISC_LIST(isc_socket_t)	socklist;
+	ISC_LIST(isc__socket_t)	socklist;
 #ifdef USE_SELECT
 	fd_set			*read_fds;
 	fd_set			*read_fds_copy;
@@ -382,18 +396,18 @@ struct isc_socketmgr {
 	int			maxfd;
 #endif	/* USE_SELECT */
 	int			reserved;	/* unlocked */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	isc_thread_t		watcher;
 	isc_condition_t		shutdown_ok;
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
 	unsigned int		refs;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 	int			maxudp;
 };
 
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_socketmgr_t *socketmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef USE_SHARED_MANAGER
+static isc__socketmgr_t *socketmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
 
 #define CLOSED			0	/* this one must be zero */
 #define MANAGED			1
@@ -409,27 +423,150 @@ static isc_socketmgr_t *socketmgr = NULL;
 # define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER)
 #endif
 
-static void send_recvdone_event(isc_socket_t *, isc_socketevent_t **);
-static void send_senddone_event(isc_socket_t *, isc_socketevent_t **);
-static void free_socket(isc_socket_t **);
-static isc_result_t allocate_socket(isc_socketmgr_t *, isc_sockettype_t,
-				    isc_socket_t **);
-static void destroy(isc_socket_t **);
+static void send_recvdone_event(isc__socket_t *, isc_socketevent_t **);
+static void send_senddone_event(isc__socket_t *, isc_socketevent_t **);
+static void free_socket(isc__socket_t **);
+static isc_result_t allocate_socket(isc__socketmgr_t *, isc_sockettype_t,
+				    isc__socket_t **);
+static void destroy(isc__socket_t **);
 static void internal_accept(isc_task_t *, isc_event_t *);
 static void internal_connect(isc_task_t *, isc_event_t *);
 static void internal_recv(isc_task_t *, isc_event_t *);
 static void internal_send(isc_task_t *, isc_event_t *);
 static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
 static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
-static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
-static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
+static void process_cmsg(isc__socket_t *, struct msghdr *, isc_socketevent_t *);
+static void build_msghdr_send(isc__socket_t *, isc_socketevent_t *,
 			      struct msghdr *, struct iovec *, size_t *);
-static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
+static void build_msghdr_recv(isc__socket_t *, isc_socketevent_t *,
 			      struct msghdr *, struct iovec *, size_t *);
-#ifdef ISC_PLATFORM_USETHREADS
-static isc_boolean_t process_ctlfd(isc_socketmgr_t *manager);
+#ifdef USE_WATCHER_THREAD
+static isc_boolean_t process_ctlfd(isc__socketmgr_t *manager);
 #endif
 
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_SOCKETFUNC_SCOPE
+#else
+#define ISC_SOCKETFUNC_SCOPE static
+#endif
+
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		   isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_detach(isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks);
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 unsigned int minimum, isc_task_t *task,
+		  isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, const void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, const void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active);
+ISC_SOCKETFUNC_SCOPE isc_boolean_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+		     isc_uint32_t owner, isc_uint32_t group);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		 unsigned int options);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_filter(isc_socket_t *sock, const char *filter);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_listen(isc_socket_t *sock, unsigned int backlog);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_accept(isc_socket_t *sock,
+		   isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+		    isc_task_t *task, isc_taskaction_t action,
+		    const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how);
+ISC_SOCKETFUNC_SCOPE isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock);
+ISC_SOCKETFUNC_SCOPE isc_boolean_t
+isc__socket_isbound(isc_socket_t *sock);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
+#if defined(HAVE_LIBXML2) && defined(BIND9)
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer);
+#endif
+
+static struct {
+	isc_socketmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *recvv, *send, *sendv, *sendto2, *cleanunix, *permunix, *filter,
+		*listen, *accept, *getpeername, *isbound;
+} socketmethods = {
+	{
+		isc__socket_attach,
+		isc__socket_detach,
+		isc__socket_bind,
+		isc__socket_sendto,
+		isc__socket_connect,
+		isc__socket_recv,
+		isc__socket_cancel,
+		isc__socket_getsockname,
+		isc__socket_gettype,
+		isc__socket_ipv6only
+	},
+	isc__socket_recvv, isc__socket_send, isc__socket_sendv,
+	isc__socket_sendto2, isc__socket_cleanunix, isc__socket_permunix,
+	isc__socket_filter, isc__socket_listen, isc__socket_accept,
+	isc__socket_getpeername, isc__socket_isbound
+};
+
+static isc_socketmgrmethods_t socketmgrmethods = {
+	isc__socketmgr_destroy,
+	isc__socket_create
+};
+
 #define SELECT_POKE_SHUTDOWN		(-1)
 #define SELECT_POKE_NOTHING		(-2)
 #define SELECT_POKE_READ		(-3)
@@ -529,11 +666,11 @@ static const isc_statscounter_t fdwatchstatsindex[] = {
 };
 
 static void
-manager_log(isc_socketmgr_t *sockmgr,
+manager_log(isc__socketmgr_t *sockmgr,
 	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
 static void
-manager_log(isc_socketmgr_t *sockmgr,
+manager_log(isc__socketmgr_t *sockmgr,
 	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	    const char *fmt, ...)
 {
@@ -552,12 +689,12 @@ manager_log(isc_socketmgr_t *sockmgr,
 }
 
 static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
 	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	   isc_msgcat_t *msgcat, int msgset, int message,
 	   const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
 static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
 	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
 	   isc_msgcat_t *msgcat, int msgset, int message,
 	   const char *fmt, ...)
@@ -592,7 +729,7 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
  * setting IPV6_V6ONLY.
  */
 static void
-FIX_IPV6_RECVPKTINFO(isc_socket_t *sock)
+FIX_IPV6_RECVPKTINFO(isc__socket_t *sock)
 {
 	char strbuf[ISC_STRERRORSIZE];
 	int on = 1;
@@ -629,7 +766,7 @@ inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
 }
 
 static inline isc_result_t
-watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 #ifdef USE_KQUEUE
@@ -696,7 +833,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
 }
 
 static inline isc_result_t
-unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+unwatch_fd(isc__socketmgr_t *manager, int fd, int msg) {
 	isc_result_t result = ISC_R_SUCCESS;
 
 #ifdef USE_KQUEUE
@@ -782,7 +919,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
 }
 
 static void
-wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
+wakeup_socket(isc__socketmgr_t *manager, int fd, int msg) {
 	isc_result_t result;
 	int lockid = FDLOCK_ID(fd);
 
@@ -843,14 +980,14 @@ wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
 	}
 }
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 /*
  * Poke the select loop when there is something for us to do.
  * The write is required (by POSIX) to complete.  That is, we
  * will not get partial writes.
  */
 static void
-select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
+select_poke(isc__socketmgr_t *mgr, int fd, int msg) {
 	int cc;
 	int buf[2];
 	char strbuf[ISC_STRERRORSIZE];
@@ -889,7 +1026,7 @@ select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
  * Read a message on the internal fd.
  */
 static void
-select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
+select_readmsg(isc__socketmgr_t *mgr, int *fd, int *msg) {
 	int buf[2];
 	int cc;
 	char strbuf[ISC_STRERRORSIZE];
@@ -916,19 +1053,19 @@ select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
 	*fd = buf[0];
 	*msg = buf[1];
 }
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
 /*
  * Update the state of the socketmgr when something changes.
  */
 static void
-select_poke(isc_socketmgr_t *manager, int fd, int msg) {
+select_poke(isc__socketmgr_t *manager, int fd, int msg) {
 	if (msg == SELECT_POKE_SHUTDOWN)
 		return;
 	else if (fd >= 0)
 		wakeup_socket(manager, fd, msg);
 	return;
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 /*
  * Make a fd non-blocking.
@@ -1021,7 +1158,7 @@ cmsg_space(ISC_SOCKADDR_LEN_T len) {
  * Process control messages received on a socket.
  */
 static void
-process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 #ifdef USE_CMSG
 	struct cmsghdr *cmsgp;
 #ifdef ISC_PLATFORM_HAVEIN6PKTINFO
@@ -1124,7 +1261,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
  * this transaction can send.
  */
 static void
-build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 		  struct msghdr *msg, struct iovec *iov, size_t *write_countp)
 {
 	unsigned int iovcount;
@@ -1243,7 +1380,7 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
  * this transaction can receive.
  */
 static void
-build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
 		  struct msghdr *msg, struct iovec *iov, size_t *read_countp)
 {
 	unsigned int iovcount;
@@ -1364,7 +1501,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 }
 
 static void
-set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
+set_dev_address(isc_sockaddr_t *address, isc__socket_t *sock,
 		isc_socketevent_t *dev)
 {
 	if (sock->type == isc_sockettype_udp) {
@@ -1388,7 +1525,7 @@ destroy_socketevent(isc_event_t *event) {
 }
 
 static isc_socketevent_t *
-allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
+allocate_socketevent(isc__socket_t *sock, isc_eventtype_t eventtype,
 		     isc_taskaction_t action, const void *arg)
 {
 	isc_socketevent_t *ev;
@@ -1441,7 +1578,7 @@ dump_msg(struct msghdr *msg) {
 #define DOIO_EOF		3	/* EOF, no event sent */
 
 static int
-doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
 	int cc;
 	struct iovec iov[MAXSCATTERGATHER_RECV];
 	size_t read_count;
@@ -1621,7 +1758,7 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
  *	No other return values are possible.
  */
 static int
-doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
+doio_send(isc__socket_t *sock, isc_socketevent_t *dev) {
 	int cc;
 	struct iovec iov[MAXSCATTERGATHER_SEND];
 	size_t write_count;
@@ -1732,7 +1869,7 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
  * references exist.
  */
 static void
-closesocket(isc_socketmgr_t *manager, isc_socket_t *sock, int fd) {
+closesocket(isc__socketmgr_t *manager, isc__socket_t *sock, int fd) {
 	isc_sockettype_t type = sock->type;
 	int lockid = FDLOCK_ID(fd);
 
@@ -1795,10 +1932,10 @@ closesocket(isc_socketmgr_t *manager, isc_socket_t *sock, int fd) {
 }
 
 static void
-destroy(isc_socket_t **sockp) {
+destroy(isc__socket_t **sockp) {
 	int fd;
-	isc_socket_t *sock = *sockp;
-	isc_socketmgr_t *manager = sock->manager;
+	isc__socket_t *sock = *sockp;
+	isc__socketmgr_t *manager = sock->manager;
 
 	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
 		   ISC_MSG_DESTROYING, "destroying");
@@ -1819,10 +1956,10 @@ destroy(isc_socket_t **sockp) {
 
 	ISC_LIST_UNLINK(manager->socklist, sock, link);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	if (ISC_LIST_EMPTY(manager->socklist))
 		SIGNAL(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 	UNLOCK(&manager->lock);
 
@@ -1830,10 +1967,10 @@ destroy(isc_socket_t **sockp) {
 }
 
 static isc_result_t
-allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
-		isc_socket_t **socketp)
+allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
+		isc__socket_t **socketp)
 {
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 	isc_result_t result;
 	ISC_SOCKADDR_LEN_T cmsgbuflen;
 
@@ -1844,7 +1981,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 
 	result = ISC_R_UNEXPECTED;
 
-	sock->magic = 0;
+	sock->common.magic = 0;
+	sock->common.impmagic = 0;
 	sock->references = 0;
 
 	sock->manager = manager;
@@ -1908,7 +2046,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	 */
 	result = isc_mutex_init(&sock->lock);
 	if (result != ISC_R_SUCCESS) {
-		sock->magic = 0;
+		sock->common.magic = 0;
+		sock->common.impmagic = 0;
 		goto error;
 	}
 
@@ -1922,7 +2061,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 		       ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
 		       NULL, sock, sock, NULL, NULL);
 
-	sock->magic = SOCKET_MAGIC;
+	sock->common.magic = ISCAPI_SOCKET_MAGIC;
+	sock->common.impmagic = SOCKET_MAGIC;
 	*socketp = sock;
 
 	return (ISC_R_SUCCESS);
@@ -1947,8 +2087,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
  * also close the socket.
  */
 static void
-free_socket(isc_socket_t **socketp) {
-	isc_socket_t *sock = *socketp;
+free_socket(isc__socket_t **socketp) {
+	isc__socket_t *sock = *socketp;
 
 	INSIST(sock->references == 0);
 	INSIST(VALID_SOCKET(sock));
@@ -1968,7 +2108,8 @@ free_socket(isc_socket_t **socketp) {
 		isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
 			    sock->sendcmsgbuflen);
 
-	sock->magic = 0;
+	sock->common.magic = 0;
+	sock->common.impmagic = 0;
 
 	DESTROYLOCK(&sock->lock);
 
@@ -2016,7 +2157,7 @@ clear_bsdcompat(void) {
 #endif
 
 static isc_result_t
-opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
+opensocket(isc__socketmgr_t *manager, isc__socket_t *sock) {
 	char strbuf[ISC_STRERRORSIZE];
 	const char *err = "socket";
 	int tries = 0;
@@ -2287,11 +2428,12 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
  * called with 'arg' as the arg value.  The new socket is returned
  * in 'socketp'.
  */
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
-		  isc_socket_t **socketp)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+		   isc_socket_t **socketp)
 {
-	isc_socket_t *sock = NULL;
+	isc__socket_t *sock = NULL;
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
 	isc_result_t result;
 	int lockid;
 
@@ -2327,8 +2469,9 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		return (result);
 	}
 
+	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
 	sock->references = 1;
-	*socketp = sock;
+	*socketp = (isc_socket_t *)sock;
 
 	/*
 	 * Note we don't have to lock the socket like we normally would because
@@ -2359,9 +2502,11 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_socket_open(isc_socket_t *sock) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_open(isc_socket_t *sock0) {
 	isc_result_t result;
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 
 	REQUIRE(VALID_SOCKET(sock));
 
@@ -2408,12 +2553,13 @@ isc_socket_open(isc_socket_t *sock) {
  * called with 'arg' as the arg value.  The new socket is returned
  * in 'socketp'.
  */
-isc_result_t
-isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
-			 isc_sockfdwatch_t callback, void *cbarg,
-			 isc_task_t *task, isc_socket_t **socketp)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags,
+			  isc_sockfdwatch_t callback, void *cbarg,
+			  isc_task_t *task, isc_socket_t **socketp)
 {
-	isc_socket_t *sock = NULL;
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+	isc__socket_t *sock = NULL;
 	isc_result_t result;
 	int lockid;
 
@@ -2431,8 +2577,9 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
 	sock->fdwatchtask = task;
 	sock->statsindex = fdwatchstatsindex;
 
+	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
 	sock->references = 1;
-	*socketp = sock;
+	*socketp = (isc_socket_t *)sock;
 
 	/*
 	 * Note we don't have to lock the socket like we normally would because
@@ -2463,12 +2610,15 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
 
 	return (ISC_R_SUCCESS);
 }
+#endif	/* BIND9 */
 
 /*
  * Attach to a socket.  Caller must explicitly detach when it is done.
  */
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_attach(isc_socket_t *sock0, isc_socket_t **socketp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(socketp != NULL && *socketp == NULL);
 
@@ -2476,20 +2626,20 @@ isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
 	sock->references++;
 	UNLOCK(&sock->lock);
 
-	*socketp = sock;
+	*socketp = (isc_socket_t *)sock;
 }
 
 /*
  * Dereference a socket.  If this is the last reference to it, clean things
  * up by destroying the socket.
  */
-void
-isc_socket_detach(isc_socket_t **socketp) {
-	isc_socket_t *sock;
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_detach(isc_socket_t **socketp) {
+	isc__socket_t *sock;
 	isc_boolean_t kill_socket = ISC_FALSE;
 
 	REQUIRE(socketp != NULL);
-	sock = *socketp;
+	sock = (isc__socket_t *)*socketp;
 	REQUIRE(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
@@ -2505,10 +2655,12 @@ isc_socket_detach(isc_socket_t **socketp) {
 	*socketp = NULL;
 }
 
-isc_result_t
-isc_socket_close(isc_socket_t *sock) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_close(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	int fd;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 	isc_sockettype_t type;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -2546,6 +2698,7 @@ isc_socket_close(isc_socket_t *sock) {
 
 	return (ISC_R_SUCCESS);
 }
+#endif	/* BIND9 */
 
 /*
  * I/O is possible on a given socket.  Schedule an event to this task that
@@ -2556,7 +2709,7 @@ isc_socket_close(isc_socket_t *sock) {
  * The socket and manager must be locked before calling this function.
  */
 static void
-dispatch_recv(isc_socket_t *sock) {
+dispatch_recv(isc__socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
 	isc_task_t *sender;
@@ -2590,7 +2743,7 @@ dispatch_recv(isc_socket_t *sock) {
 }
 
 static void
-dispatch_send(isc_socket_t *sock) {
+dispatch_send(isc__socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
 	isc_task_t *sender;
@@ -2627,7 +2780,7 @@ dispatch_send(isc_socket_t *sock) {
  * Dispatch an internal accept event.
  */
 static void
-dispatch_accept(isc_socket_t *sock) {
+dispatch_accept(isc__socket_t *sock) {
 	intev_t *iev;
 	isc_socket_newconnev_t *ev;
 
@@ -2653,7 +2806,7 @@ dispatch_accept(isc_socket_t *sock) {
 }
 
 static void
-dispatch_connect(isc_socket_t *sock) {
+dispatch_connect(isc__socket_t *sock) {
 	intev_t *iev;
 	isc_socket_connev_t *ev;
 
@@ -2683,7 +2836,7 @@ dispatch_connect(isc_socket_t *sock) {
  * Caller must have the socket locked if the event is attached to the socket.
  */
 static void
-send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+send_recvdone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
 	isc_task_t *task;
 
 	task = (*dev)->ev_sender;
@@ -2706,7 +2859,7 @@ send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
  * Caller must have the socket locked if the event is attached to the socket.
  */
 static void
-send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+send_senddone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
 	isc_task_t *task;
 
 	INSIST(dev != NULL && *dev != NULL);
@@ -2737,8 +2890,8 @@ send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
  */
 static void
 internal_accept(isc_task_t *me, isc_event_t *ev) {
-	isc_socket_t *sock;
-	isc_socketmgr_t *manager;
+	isc__socket_t *sock;
+	isc__socketmgr_t *manager;
 	isc_socket_newconnev_t *dev;
 	isc_task_t *task;
 	ISC_SOCKADDR_LEN_T addrlen;
@@ -2793,9 +2946,9 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	 * daemons such as BIND 8 and Apache.
 	 */
 
-	addrlen = sizeof(dev->newsocket->peer_address.type);
-	memset(&dev->newsocket->peer_address.type, 0, addrlen);
-	fd = accept(sock->fd, &dev->newsocket->peer_address.type.sa,
+	addrlen = sizeof(NEWCONNSOCK(dev)->peer_address.type);
+	memset(&NEWCONNSOCK(dev)->peer_address.type, 0, addrlen);
+	fd = accept(sock->fd, &NEWCONNSOCK(dev)->peer_address.type.sa,
 		    (void *)&addrlen);
 
 #ifdef F_DUPFD
@@ -2865,14 +3018,14 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 
 			(void)close(fd);
 			goto soft_error;
-		} else if (dev->newsocket->peer_address.type.sa.sa_family !=
+		} else if (NEWCONNSOCK(dev)->peer_address.type.sa.sa_family !=
 			   sock->pf)
 		{
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "internal_accept(): "
 					 "accept() returned peer address "
 					 "family %u (expected %u)",
-					 dev->newsocket->peer_address.
+					 NEWCONNSOCK(dev)->peer_address.
 					 type.sa.sa_family,
 					 sock->pf);
 			(void)close(fd);
@@ -2891,8 +3044,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	}
 
 	if (fd != -1) {
-		dev->newsocket->peer_address.length = addrlen;
-		dev->newsocket->pf = sock->pf;
+		NEWCONNSOCK(dev)->peer_address.length = addrlen;
+		NEWCONNSOCK(dev)->pf = sock->pf;
 	}
 
 	/*
@@ -2921,28 +3074,28 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		int lockid = FDLOCK_ID(fd);
 
 		LOCK(&manager->fdlock[lockid]);
-		manager->fds[fd] = dev->newsocket;
+		manager->fds[fd] = NEWCONNSOCK(dev);
 		manager->fdstate[fd] = MANAGED;
 		UNLOCK(&manager->fdlock[lockid]);
 
 		LOCK(&manager->lock);
-		ISC_LIST_APPEND(manager->socklist, dev->newsocket, link);
+		ISC_LIST_APPEND(manager->socklist, NEWCONNSOCK(dev), link);
 
-		dev->newsocket->fd = fd;
-		dev->newsocket->bound = 1;
-		dev->newsocket->connected = 1;
+		NEWCONNSOCK(dev)->fd = fd;
+		NEWCONNSOCK(dev)->bound = 1;
+		NEWCONNSOCK(dev)->connected = 1;
 
 		/*
 		 * Save away the remote address
 		 */
-		dev->address = dev->newsocket->peer_address;
+		dev->address = NEWCONNSOCK(dev)->peer_address;
 
 #ifdef USE_SELECT
 		if (manager->maxfd < fd)
 			manager->maxfd = fd;
 #endif
 
-		socket_log(sock, &dev->newsocket->peer_address, CREATION,
+		socket_log(sock, &NEWCONNSOCK(dev)->peer_address, CREATION,
 			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
 			   "accepted connection, new socket %p",
 			   dev->newsocket);
@@ -2952,8 +3105,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
 	} else {
 		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
-		dev->newsocket->references--;
-		free_socket(&dev->newsocket);
+		NEWCONNSOCK(dev)->references--;
+		free_socket((isc__socket_t **)&dev->newsocket);
 	}
 
 	/*
@@ -2977,7 +3130,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 static void
 internal_recv(isc_task_t *me, isc_event_t *ev) {
 	isc_socketevent_t *dev;
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 
 	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
 
@@ -3042,14 +3195,14 @@ internal_recv(isc_task_t *me, isc_event_t *ev) {
 static void
 internal_send(isc_task_t *me, isc_event_t *ev) {
 	isc_socketevent_t *dev;
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 
 	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
 
 	/*
 	 * Find out what socket this is and lock it.
 	 */
-	sock = (isc_socket_t *)ev->ev_sender;
+	sock = (isc__socket_t *)ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
@@ -3096,7 +3249,7 @@ internal_send(isc_task_t *me, isc_event_t *ev) {
 
 static void
 internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 	int more_data;
 
 	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
@@ -3104,7 +3257,7 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
 	/*
 	 * Find out what socket this is and lock it.
 	 */
-	sock = (isc_socket_t *)ev->ev_sender;
+	sock = (isc__socket_t *)ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
@@ -3115,7 +3268,8 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
 	INSIST(sock->pending_send == 1);
 
 	UNLOCK(&sock->lock);
-	more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+				      sock->fdwatcharg);
 	LOCK(&sock->lock);
 
 	sock->pending_send = 0;
@@ -3136,7 +3290,7 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
 
 static void
 internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 	int more_data;
 
 	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
@@ -3144,7 +3298,7 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
 	/*
 	 * Find out what socket this is and lock it.
 	 */
-	sock = (isc_socket_t *)ev->ev_sender;
+	sock = (isc__socket_t *)ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
@@ -3155,7 +3309,8 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
 	INSIST(sock->pending_recv == 1);
 
 	UNLOCK(&sock->lock);
-	more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+				      sock->fdwatcharg);
 	LOCK(&sock->lock);
 
 	sock->pending_recv = 0;
@@ -3179,10 +3334,10 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
  * and unlocking twice if both reads and writes are possible.
  */
 static void
-process_fd(isc_socketmgr_t *manager, int fd, isc_boolean_t readable,
+process_fd(isc__socketmgr_t *manager, int fd, isc_boolean_t readable,
 	   isc_boolean_t writeable)
 {
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 	isc_boolean_t unlock_sock;
 	isc_boolean_t unwatch_read = ISC_FALSE, unwatch_write = ISC_FALSE;
 	int lockid = FDLOCK_ID(fd);
@@ -3248,11 +3403,11 @@ check_write:
 
 #ifdef USE_KQUEUE
 static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct kevent *events, int nevents) {
 	int i;
 	isc_boolean_t readable, writable;
 	isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	isc_boolean_t have_ctlevent = ISC_FALSE;
 #endif
 
@@ -3270,7 +3425,7 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
 
 	for (i = 0; i < nevents; i++) {
 		REQUIRE(events[i].ident < manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 		if (events[i].ident == (uintptr_t)manager->pipe_fds[0]) {
 			have_ctlevent = ISC_TRUE;
 			continue;
@@ -3281,7 +3436,7 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
 		process_fd(manager, events[i].ident, readable, writable);
 	}
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	if (have_ctlevent)
 		done = process_ctlfd(manager);
 #endif
@@ -3290,10 +3445,11 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
 }
 #elif defined(USE_EPOLL)
 static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
+{
 	int i;
 	isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	isc_boolean_t have_ctlevent = ISC_FALSE;
 #endif
 
@@ -3306,7 +3462,7 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
 
 	for (i = 0; i < nevents; i++) {
 		REQUIRE(events[i].data.fd < (int)manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 		if (events[i].data.fd == manager->pipe_fds[0]) {
 			have_ctlevent = ISC_TRUE;
 			continue;
@@ -3328,7 +3484,7 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
 			   (events[i].events & EPOLLOUT) != 0);
 	}
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	if (have_ctlevent)
 		done = process_ctlfd(manager);
 #endif
@@ -3337,10 +3493,10 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
 }
 #elif defined(USE_DEVPOLL)
 static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct pollfd *events, int nevents) {
 	int i;
 	isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	isc_boolean_t have_ctlevent = ISC_FALSE;
 #endif
 
@@ -3353,7 +3509,7 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
 
 	for (i = 0; i < nevents; i++) {
 		REQUIRE(events[i].fd < (int)manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 		if (events[i].fd == manager->pipe_fds[0]) {
 			have_ctlevent = ISC_TRUE;
 			continue;
@@ -3364,7 +3520,7 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
 			   (events[i].events & POLLOUT) != 0);
 	}
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	if (have_ctlevent)
 		done = process_ctlfd(manager);
 #endif
@@ -3373,27 +3529,27 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
 }
 #elif defined(USE_SELECT)
 static void
-process_fds(isc_socketmgr_t *manager, int maxfd,
-	    fd_set *readfds, fd_set *writefds)
+process_fds(isc__socketmgr_t *manager, int maxfd, fd_set *readfds,
+	    fd_set *writefds)
 {
 	int i;
 
 	REQUIRE(maxfd <= (int)manager->maxsocks);
 
 	for (i = 0; i < maxfd; i++) {
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 		if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
 			continue;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 		process_fd(manager, i, FD_ISSET(i, readfds),
 			   FD_ISSET(i, writefds));
 	}
 }
 #endif
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 static isc_boolean_t
-process_ctlfd(isc_socketmgr_t *manager) {
+process_ctlfd(isc__socketmgr_t *manager) {
 	int msg, fd;
 
 	for (;;) {
@@ -3441,7 +3597,7 @@ process_ctlfd(isc_socketmgr_t *manager) {
  */
 static isc_threadresult_t
 watcher(void *uap) {
-	isc_socketmgr_t *manager = uap;
+	isc__socketmgr_t *manager = uap;
 	isc_boolean_t done;
 	int ctlfd;
 	int cc;
@@ -3556,29 +3712,34 @@ watcher(void *uap) {
 
 	return ((isc_threadresult_t)0);
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
-void
-isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_setreserved(isc_socketmgr_t *manager0, isc_uint32_t reserved) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
 
 	REQUIRE(VALID_MANAGER(manager));
 
 	manager->reserved = reserved;
 }
 
-void
-isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
+ISC_SOCKETFUNC_SCOPE void
+isc___socketmgr_maxudp(isc_socketmgr_t *manager0, int maxudp) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
 	REQUIRE(VALID_MANAGER(manager));
 
 	manager->maxudp = maxudp;
 }
+#endif	/* BIND9 */
 
 /*
  * Create a new socket manager.
  */
 
 static isc_result_t
-setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
+setup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
 	isc_result_t result;
 #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
 	char strbuf[ISC_STRERRORSIZE];
@@ -3604,7 +3765,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 		return (result);
 	}
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
 	if (result != ISC_R_SUCCESS) {
 		close(manager->kqueue_fd);
@@ -3612,7 +3773,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 			    sizeof(struct kevent) * manager->nevents);
 		return (result);
 	}
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 #elif defined(USE_EPOLL)
 	manager->nevents = ISC_SOCKET_MAXEVENTS;
 	manager->events = isc_mem_get(mctx, sizeof(struct epoll_event) *
@@ -3632,7 +3793,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 			    sizeof(struct epoll_event) * manager->nevents);
 		return (result);
 	}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
 	if (result != ISC_R_SUCCESS) {
 		close(manager->epoll_fd);
@@ -3640,7 +3801,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 			    sizeof(struct epoll_event) * manager->nevents);
 		return (result);
 	}
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 #elif defined(USE_DEVPOLL)
 	/*
 	 * XXXJT: /dev/poll seems to reject large numbers of events,
@@ -3678,7 +3839,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 			    sizeof(pollinfo_t) * manager->maxsocks);
 		return (result);
 	}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
 	if (result != ISC_R_SUCCESS) {
 		close(manager->devpoll_fd);
@@ -3688,7 +3849,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 			    sizeof(pollinfo_t) * manager->maxsocks);
 		return (result);
 	}
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 #elif defined(USE_SELECT)
 	UNUSED(result);
 
@@ -3736,20 +3897,20 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 	memset(manager->read_fds, 0, manager->fd_bufsize);
 	memset(manager->write_fds, 0, manager->fd_bufsize);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	(void)watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
 	manager->maxfd = manager->pipe_fds[0];
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
 	manager->maxfd = 0;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 #endif	/* USE_KQUEUE */
 
 	return (ISC_R_SUCCESS);
 }
 
 static void
-cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
-#ifdef ISC_PLATFORM_USETHREADS
+cleanup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
+#ifdef USE_WATCHER_THREAD
 	isc_result_t result;
 
 	result = unwatch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
@@ -3759,7 +3920,7 @@ cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED, "failed"));
 	}
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 
 #ifdef USE_KQUEUE
 	close(manager->kqueue_fd);
@@ -3787,35 +3948,35 @@ cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 #endif	/* USE_KQUEUE */
 }
 
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
-	return (isc_socketmgr_create2(mctx, managerp, 0));
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	return (isc__socketmgr_create2(mctx, managerp, 0));
 }
 
-isc_result_t
-isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
-		      unsigned int maxsocks)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks)
 {
 	int i;
-	isc_socketmgr_t *manager;
-#ifdef ISC_PLATFORM_USETHREADS
+	isc__socketmgr_t *manager;
+#ifdef USE_WATCHER_THREAD
 	char strbuf[ISC_STRERRORSIZE];
 #endif
 	isc_result_t result;
 
 	REQUIRE(managerp != NULL && *managerp == NULL);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	if (socketmgr != NULL) {
 		/* Don't allow maxsocks to be updated */
 		if (maxsocks > 0 && socketmgr->maxsocks != maxsocks)
 			return (ISC_R_EXISTS);
 
 		socketmgr->refs++;
-		*managerp = socketmgr;
+		*managerp = (isc_socketmgr_t *)socketmgr;
 		return (ISC_R_SUCCESS);
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
 	if (maxsocks == 0)
 		maxsocks = ISC_SOCKET_MAXSOCKETS;
@@ -3830,7 +3991,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 	manager->reserved = 0;
 	manager->maxudp = 0;
 	manager->fds = isc_mem_get(mctx,
-				   manager->maxsocks * sizeof(isc_socket_t *));
+				   manager->maxsocks * sizeof(isc__socket_t *));
 	if (manager->fds == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto free_manager;
@@ -3842,7 +4003,9 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 	}
 	manager->stats = NULL;
 
-	manager->magic = SOCKET_MANAGER_MAGIC;
+	manager->common.methods = &socketmgrmethods;
+	manager->common.magic = ISCAPI_SOCKETMGR_MAGIC;
+	manager->common.impmagic = SOCKET_MANAGER_MAGIC;
 	manager->mctx = NULL;
 	memset(manager->fds, 0, manager->maxsocks * sizeof(isc_socket_t *));
 	ISC_LIST_INIT(manager->socklist);
@@ -3866,7 +4029,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 		}
 	}
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_condition_init() %s",
@@ -3895,9 +4058,11 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 #if 0
 	RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
 #endif
-#else /* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
+
+#ifdef USE_SHARED_MANAGER
 	manager->refs = 1;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
 	/*
 	 * Set up initial state for the select loop
@@ -3906,7 +4071,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	memset(manager->fdstate, 0, manager->maxsocks * sizeof(int));
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	/*
 	 * Start up the select/poll thread.
 	 */
@@ -3920,26 +4085,26 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 	isc_mem_attach(mctx, &manager->mctx);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	socketmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
-	*managerp = manager;
+#endif /* USE_SHARED_MANAGER */
+	*managerp = (isc_socketmgr_t *)manager;
 
 	return (ISC_R_SUCCESS);
 
 cleanup:
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	(void)close(manager->pipe_fds[0]);
 	(void)close(manager->pipe_fds[1]);
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 cleanup_condition:
 	(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif	/* ISC_PLATFORM_USETHREADS */
+#endif	/* USE_WATCHER_THREAD */
 
 
 cleanup_lock:
@@ -3967,8 +4132,10 @@ free_manager:
 	return (result);
 }
 
+#ifdef BIND9
 isc_result_t
-isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+isc__socketmgr_getmaxsockets(isc_socketmgr_t *manager0, unsigned int *nsockp) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(nsockp != NULL);
 
@@ -3978,7 +4145,9 @@ isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
 }
 
 void
-isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+isc__socketmgr_setstats(isc_socketmgr_t *manager0, isc_stats_t *stats) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
 	REQUIRE(manager->stats == NULL);
@@ -3986,10 +4155,11 @@ isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
 
 	isc_stats_attach(stats, &manager->stats);
 }
+#endif
 
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
-	isc_socketmgr_t *manager;
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
+	isc__socketmgr_t *manager;
 	int i;
 	isc_mem_t *mctx;
 
@@ -3998,20 +4168,20 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	 */
 
 	REQUIRE(managerp != NULL);
-	manager = *managerp;
+	manager = (isc__socketmgr_t *)*managerp;
 	REQUIRE(VALID_MANAGER(manager));
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	if (manager->refs > 1) {
 		manager->refs--;
 		*managerp = NULL;
 		return;
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
 
 	LOCK(&manager->lock);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	/*
 	 * Wait for all sockets to be destroyed.
 	 */
@@ -4022,7 +4192,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 					   "sockets exist"));
 		WAIT(&manager->shutdown_ok, &manager->lock);
 	}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
 	/*
 	 * Hope all sockets have been destroyed.
 	 */
@@ -4033,7 +4203,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 					   "sockets exist"));
 		INSIST(0);
 	}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 	UNLOCK(&manager->lock);
 
@@ -4044,7 +4214,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	 */
 	select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	/*
 	 * Wait for thread to exit.
 	 */
@@ -4053,25 +4223,25 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 				 "isc_thread_join() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 	/*
 	 * Clean up.
 	 */
 	cleanup_watcher(manager->mctx, manager);
 
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
 	(void)close(manager->pipe_fds[0]);
 	(void)close(manager->pipe_fds[1]);
 	(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
 	for (i = 0; i < (int)manager->maxsocks; i++)
 		if (manager->fdstate[i] == CLOSE_PENDING) /* no need to lock */
 			(void)close(i);
 
 	isc_mem_put(manager->mctx, manager->fds,
-		    manager->maxsocks * sizeof(isc_socket_t *));
+		    manager->maxsocks * sizeof(isc__socket_t *));
 	isc_mem_put(manager->mctx, manager->fdstate,
 		    manager->maxsocks * sizeof(int));
 
@@ -4085,17 +4255,22 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 			    FDLOCK_COUNT * sizeof(isc_mutex_t));
 	}
 	DESTROYLOCK(&manager->lock);
-	manager->magic = 0;
+	manager->common.magic = 0;
+	manager->common.impmagic = 0;
 	mctx= manager->mctx;
 	isc_mem_put(mctx, manager, sizeof(*manager));
 
 	isc_mem_detach(&mctx);
 
 	*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+	socketmgr = NULL;
+#endif
 }
 
 static isc_result_t
-socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+socket_recv(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	    unsigned int flags)
 {
 	int io_state;
@@ -4166,13 +4341,14 @@ socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	return (result);
 }
 
-isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recvv(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_taskaction_t action, const void *arg)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socketevent_t *dev;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 	unsigned int iocount;
 	isc_buffer_t *buffer;
 
@@ -4220,12 +4396,14 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 	return (socket_recv(sock, dev, task, 0));
 }
 
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
-		isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv(isc_socket_t *sock0, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, const void *arg)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socketevent_t *dev;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(action != NULL);
@@ -4239,14 +4417,16 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
 	if (dev == NULL)
 		return (ISC_R_NOMEMORY);
 
-	return (isc_socket_recv2(sock, region, minimum, task, dev, 0));
+	return (isc__socket_recv2(sock0, region, minimum, task, dev, 0));
 }
 
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_socketevent_t *event, unsigned int flags)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv2(isc_socket_t *sock0, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
 	event->ev_sender = sock;
 	event->result = ISC_R_UNEXPECTED;
 	ISC_LIST_INIT(event->bufferlist);
@@ -4271,7 +4451,7 @@ isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
 }
 
 static isc_result_t
-socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
 	    unsigned int flags)
 {
@@ -4362,24 +4542,25 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 	return (result);
 }
 
-isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
-		isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
 	/*
 	 * REQUIRE() checking is performed in isc_socket_sendto().
 	 */
-	return (isc_socket_sendto(sock, region, task, action, arg, NULL,
-				  NULL));
+	return (isc__socket_sendto(sock, region, task, action, arg, NULL,
+				   NULL));
 }
 
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg,
-		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto(isc_socket_t *sock0, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, const void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socketevent_t *dev;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(region != NULL);
@@ -4401,21 +4582,22 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
 	return (socket_send(sock, dev, task, address, pktinfo, 0));
 }
 
-isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
-	return (isc_socket_sendtov(sock, buflist, task, action, arg, NULL,
-				   NULL));
+	return (isc__socket_sendtov(sock, buflist, task, action, arg, NULL,
+				    NULL));
 }
 
-isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, const void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socketevent_t *dev;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 	unsigned int iocount;
 	isc_buffer_t *buffer;
 
@@ -4449,12 +4631,15 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
 	return (socket_send(sock, dev, task, address, pktinfo, 0));
 }
 
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
-		   isc_task_t *task,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-		   isc_socketevent_t *event, unsigned int flags)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto2(isc_socket_t *sock0, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
 	if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
 		REQUIRE(sock->type == isc_sockettype_udp);
@@ -4469,8 +4654,8 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 	return (socket_send(sock, event, task, address, pktinfo, flags));
 }
 
-void
-isc_socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
 #ifdef ISC_PLATFORM_HAVESYSUNH
 	int s;
 	struct stat sb;
@@ -4599,8 +4784,8 @@ isc_socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
 #endif
 }
 
-isc_result_t
-isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
 		    isc_uint32_t owner, isc_uint32_t group)
 {
 #ifdef ISC_PLATFORM_HAVESYSUNH
@@ -4653,12 +4838,15 @@ isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
 #endif
 }
 
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-		unsigned int options) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
+		 unsigned int options) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	char strbuf[ISC_STRERRORSIZE];
 	int on = 1;
 
+	REQUIRE(VALID_SOCKET(sock));
+
 	LOCK(&sock->lock);
 
 	INSIST(!sock->bound);
@@ -4717,8 +4905,9 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_filter(isc_socket_t *sock0, const char *filter) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 #ifdef SO_ACCEPTFILTER
 	char strbuf[ISC_STRERRORSIZE];
 	struct accept_filter_arg afa;
@@ -4756,8 +4945,9 @@ isc_socket_filter(isc_socket_t *sock, const char *filter) {
  * is a new connection we'll have to allocate a new one anyway, so we might
  * as well keep things simple rather than having to track them.
  */
-isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_listen(isc_socket_t *sock0, unsigned int backlog) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	char strbuf[ISC_STRERRORSIZE];
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -4790,14 +4980,15 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
 /*
  * This should try to do aggressive accept() XXXMLG
  */
-isc_result_t
-isc_socket_accept(isc_socket_t *sock,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_accept(isc_socket_t *sock0,
 		  isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socket_newconnev_t *dev;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 	isc_task_t *ntask = NULL;
-	isc_socket_t *nsock;
+	isc__socket_t *nsock;
 	isc_result_t result;
 	isc_boolean_t do_poke = ISC_FALSE;
 
@@ -4838,7 +5029,7 @@ isc_socket_accept(isc_socket_t *sock,
 	nsock->statsindex = sock->statsindex;
 
 	dev->ev_sender = ntask;
-	dev->newsocket = nsock;
+	dev->newsocket = (isc_socket_t *)nsock;
 
 	/*
 	 * Poke watcher here.  We still have the socket locked, so there
@@ -4857,13 +5048,14 @@ isc_socket_accept(isc_socket_t *sock,
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
 		   isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_socket_connev_t *dev;
 	isc_task_t *ntask = NULL;
-	isc_socketmgr_t *manager;
+	isc__socketmgr_t *manager;
 	int cc;
 	char strbuf[ISC_STRERRORSIZE];
 
@@ -5000,7 +5192,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
  */
 static void
 internal_connect(isc_task_t *me, isc_event_t *ev) {
-	isc_socket_t *sock;
+	isc__socket_t *sock;
 	isc_socket_connev_t *dev;
 	isc_task_t *task;
 	int cc;
@@ -5114,8 +5306,9 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
 }
 
-isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_result_t result;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -5129,14 +5322,15 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	} else {
 		result = ISC_R_NOTCONNECTED;
 	}
-
+	
 	UNLOCK(&sock->lock);
 
 	return (result);
 }
 
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getsockname(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	ISC_SOCKADDR_LEN_T len;
 	isc_result_t result;
 	char strbuf[ISC_STRERRORSIZE];
@@ -5173,8 +5367,9 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
  * Run through the list of events on this socket, and cancel the ones
  * queued for task "task" of type "how".  "how" is a bitmask.
  */
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cancel(isc_socket_t *sock0, isc_task_t *task, unsigned int how) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 
 	REQUIRE(VALID_SOCKET(sock));
 
@@ -5253,8 +5448,8 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 				ISC_LIST_UNLINK(sock->accept_list, dev,
 						ev_link);
 
-				dev->newsocket->references--;
-				free_socket(&dev->newsocket);
+				NEWCONNSOCK(dev)->references--;
+				free_socket((isc__socket_t **)&dev->newsocket);
 
 				dev->result = ISC_R_CANCELED;
 				dev->ev_sender = sock;
@@ -5293,17 +5488,22 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 	UNLOCK(&sock->lock);
 }
 
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock) {
+ISC_SOCKETFUNC_SCOPE isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
 	REQUIRE(VALID_SOCKET(sock));
 
 	return (sock->type);
 }
 
-isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock) {
+ISC_SOCKETFUNC_SCOPE isc_boolean_t
+isc__socket_isbound(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 	isc_boolean_t val;
 
+	REQUIRE(VALID_SOCKET(sock));
+
 	LOCK(&sock->lock);
 	val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
 	UNLOCK(&sock->lock);
@@ -5311,8 +5511,9 @@ isc_socket_isbound(isc_socket_t *sock) {
 	return (val);
 }
 
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_ipv6only(isc_socket_t *sock0, isc_boolean_t yes) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
 #if defined(IPV6_V6ONLY)
 	int onoff = yes ? 1 : 0;
 #else
@@ -5342,12 +5543,21 @@ isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
 #endif
 }
 
-#ifndef ISC_PLATFORM_USETHREADS
-/* In our assumed scenario, we can simply use a single static object. */
+#ifndef USE_WATCHER_THREAD
+/*
+ * In our assumed scenario, we can simply use a single static object.
+ * XXX: this is not true if the application uses multiple threads with
+ *      'multi-context' mode.  Fixing this is a future TODO item.
+ */
 static isc_socketwait_t swait_private;
 
 int
-isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
+isc__socketmgr_waitevents(isc_socketmgr_t *manager0, struct timeval *tvp,
+			  isc_socketwait_t **swaitp)
+{
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+
 	int n;
 #ifdef USE_KQUEUE
 	struct timespec ts, *tsp;
@@ -5361,7 +5571,11 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
 
 	REQUIRE(swaitp != NULL && *swaitp == NULL);
 
-	if (socketmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+  	if (manager == NULL)
+		manager = socketmgr;
+#endif
+	if (manager == NULL)
 		return (0);
 
 #ifdef USE_KQUEUE
@@ -5371,8 +5585,8 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
 		tsp = &ts;
 	} else
 		tsp = NULL;
-	swait_private.nevents = kevent(socketmgr->kqueue_fd, NULL, 0,
-				       socketmgr->events, socketmgr->nevents,
+	swait_private.nevents = kevent(manager->kqueue_fd, NULL, 0,
+				       manager->events, manager->nevents,
 				       tsp);
 	n = swait_private.nevents;
 #elif defined(USE_EPOLL)
@@ -5380,29 +5594,28 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
 		timeout = tvp->tv_sec * 1000 + (tvp->tv_usec + 999) / 1000;
 	else
 		timeout = -1;
-	swait_private.nevents = epoll_wait(socketmgr->epoll_fd,
-					   socketmgr->events,
-					   socketmgr->nevents, timeout);
+	swait_private.nevents = epoll_wait(manager->epoll_fd,
+					   manager->events,
+					   manager->nevents, timeout);
 	n = swait_private.nevents;
 #elif defined(USE_DEVPOLL)
-	dvp.dp_fds = socketmgr->events;
-	dvp.dp_nfds = socketmgr->nevents;
+	dvp.dp_fds = manager->events;
+	dvp.dp_nfds = manager->nevents;
 	if (tvp != NULL) {
 		dvp.dp_timeout = tvp->tv_sec * 1000 +
 			(tvp->tv_usec + 999) / 1000;
 	} else
 		dvp.dp_timeout = -1;
-	swait_private.nevents = ioctl(socketmgr->devpoll_fd, DP_POLL, &dvp);
+	swait_private.nevents = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
 	n = swait_private.nevents;
 #elif defined(USE_SELECT)
-	memcpy(socketmgr->read_fds_copy, socketmgr->read_fds,
-	       socketmgr->fd_bufsize);
-	memcpy(socketmgr->write_fds_copy, socketmgr->write_fds,
-	       socketmgr->fd_bufsize);
+	memcpy(manager->read_fds_copy, manager->read_fds,  manager->fd_bufsize);
+	memcpy(manager->write_fds_copy, manager->write_fds,
+	       manager->fd_bufsize);
 
-	swait_private.readset = socketmgr->read_fds_copy;
-	swait_private.writeset = socketmgr->write_fds_copy;
-	swait_private.maxfd = socketmgr->maxfd + 1;
+	swait_private.readset = manager->read_fds_copy;
+	swait_private.writeset = manager->write_fds_copy;
+	swait_private.maxfd = manager->maxfd + 1;
 
 	n = select(swait_private.maxfd, swait_private.readset,
 		   swait_private.writeset, NULL, tvp);
@@ -5413,24 +5626,32 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
 }
 
 isc_result_t
-isc__socketmgr_dispatch(isc_socketwait_t *swait) {
+isc__socketmgr_dispatch(isc_socketmgr_t *manager0, isc_socketwait_t *swait) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
 	REQUIRE(swait == &swait_private);
 
-	if (socketmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+  	if (manager == NULL)
+		manager = socketmgr;
+#endif
+	if (manager == NULL)
 		return (ISC_R_NOTFOUND);
 
 #if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
-	(void)process_fds(socketmgr, socketmgr->events, swait->nevents);
+	(void)process_fds(manager, manager->events, swait->nevents);
 	return (ISC_R_SUCCESS);
 #elif defined(USE_SELECT)
-	process_fds(socketmgr, swait->maxfd, swait->readset, swait->writeset);
+	process_fds(manager, swait->maxfd, swait->readset, swait->writeset);
 	return (ISC_R_SUCCESS);
 #endif
 }
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
 
+#ifdef BIND9
 void
-isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag) {
+	isc__socket_t *socket = (isc__socket_t *)socket0;
 
 	/*
 	 * Name 'socket'.
@@ -5445,17 +5666,29 @@ isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
 	UNLOCK(&socket->lock);
 }
 
-const char *
-isc_socket_getname(isc_socket_t *socket) {
+ISC_SOCKETFUNC_SCOPE const char *
+isc__socket_getname(isc_socket_t *socket0) {
+	isc__socket_t *socket = (isc__socket_t *)socket0;
+
 	return (socket->name);
 }
 
 void *
-isc_socket_gettag(isc_socket_t *socket) {
+isc__socket_gettag(isc_socket_t *socket0) {
+	isc__socket_t *socket = (isc__socket_t *)socket0;
+
 	return (socket->tag);
 }
+#endif	/* BIND9 */
 
-#ifdef HAVE_LIBXML2
+#ifdef USE_SOCKETIMPREGISTER 
+isc_result_t
+isc__socket_register() {
+	return (isc_socket_register(isc__socketmgr_create));
+}
+#endif
+
+#if defined(HAVE_LIBXML2) && defined(BIND9)
 
 static const char *
 _socktype(isc_sockettype_t type)
@@ -5472,21 +5705,21 @@ _socktype(isc_sockettype_t type)
 		return ("not-initialized");
 }
 
-void
-isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer)
-{
-	isc_socket_t *sock;
+ISC_SOCKETFUNC_SCOPE void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer) {
+	isc__socketmgr_t *mgr = (isc__socketmgr_t *)mgr0;
+	isc__socket_t *sock;
 	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_t addr;
 	ISC_SOCKADDR_LEN_T len;
 
 	LOCK(&mgr->lock);
 
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
 	xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
 	xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
 	xmlTextWriterEndElement(writer);
-#endif
+#endif	/* USE_SHARED_MANAGER */
 
 	xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets");
 	sock = ISC_LIST_HEAD(mgr->socklist);
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
index fc044e58b2..e4a19baaaf 100644
--- a/lib/isc/unix/socket_p.h
+++ b/lib/isc/unix/socket_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.13 2008/06/23 23:47:11 tbox Exp $ */
+/* $Id: socket_p.h,v 1.14 2009/09/01 00:22:28 jinmei Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
@@ -27,6 +27,7 @@
 #endif
 
 typedef struct isc_socketwait isc_socketwait_t;
-int isc__socketmgr_waitevents(struct timeval *, isc_socketwait_t **);
-isc_result_t isc__socketmgr_dispatch(isc_socketwait_t *);
+int isc__socketmgr_waitevents(isc_socketmgr_t *, struct timeval *,
+			      isc_socketwait_t **);
+isc_result_t isc__socketmgr_dispatch(isc_socketmgr_t *, isc_socketwait_t *);
 #endif /* ISC_SOCKET_P_H */
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
index 5c71dffb60..280b04e4f0 100644
--- a/lib/isc/win32/Makefile.in
+++ b/lib/isc/win32/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11 2007/06/19 23:47:19 tbox Exp $
+# $Id: Makefile.in,v 1.12 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +23,7 @@ CINCLUDES =	-I${srcdir}/.. \
 		-I./include \
 		-I${srcdir}/include \
 		-I${srcdir}/../include
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 # Alphabetically
diff --git a/lib/isc/win32/app.c b/lib/isc/win32/app.c
index b0db90d410..65eddb050a 100644
--- a/lib/isc/win32/app.c
+++ b/lib/isc/win32/app.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.7 2007/06/19 23:47:19 tbox Exp $ */
+/* $Id: app.c,v 1.8 2009/09/01 00:22:28 jinmei Exp $ */
 
 #include 
 
@@ -75,7 +75,7 @@ DWORD  dwWaitResult;
 static isc_thread_t	main_thread;
 
 isc_result_t
-isc_app_start(void) {
+isc__app_start(void) {
 	isc_result_t result;
 
 	/*
@@ -99,7 +99,7 @@ isc_app_start(void) {
 }
 
 isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 	      void *arg) {
 	isc_event_t *event;
 	isc_task_t *cloned_task = NULL;
@@ -133,7 +133,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 }
 
 isc_result_t
-isc_app_run(void) {
+isc__app_run(void) {
 	isc_event_t *event, *next_event;
 	isc_task_t *task;
 	HANDLE *pHandles = NULL;
@@ -199,7 +199,7 @@ isc_app_run(void) {
 }
 
 isc_result_t
-isc_app_shutdown(void) {
+isc__app_shutdown(void) {
 	isc_boolean_t want_kill = ISC_TRUE;
 
 	LOCK(&lock);
@@ -218,7 +218,7 @@ isc_app_shutdown(void) {
 }
 
 isc_result_t
-isc_app_reload(void) {
+isc__app_reload(void) {
 	isc_boolean_t want_reload = ISC_TRUE;
 
 	LOCK(&lock);
@@ -238,12 +238,12 @@ isc_app_reload(void) {
 }
 
 void
-isc_app_finish(void) {
+isc__app_finish(void) {
 	DESTROYLOCK(&lock);
 }
 
 void
-isc_app_block(void) {
+isc__app_block(void) {
 	REQUIRE(running);
 	REQUIRE(!blocked);
 
@@ -252,7 +252,7 @@ isc_app_block(void) {
 }
 
 void
-isc_app_unblock(void) {
+isc__app_unblock(void) {
 	REQUIRE(running);
 	REQUIRE(blocked);
 	blocked = ISC_FALSE;
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index e60618cdfb..b63eebe508 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.76 2009/07/17 06:25:44 each Exp $ */
+/* $Id: socket.c,v 1.77 2009/09/01 00:22:28 jinmei Exp $ */
 
 /* This code uses functions which are only available on Server 2003 and
  * higher, and Windows XP and higher.
@@ -1594,7 +1594,7 @@ free_socket(isc_socket_t **sockp, int lineno) {
  * in 'socketp'.
  */
 isc_result_t
-isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		  isc_socket_t **socketp) {
 	isc_socket_t *sock = NULL;
 	isc_result_t result;
@@ -1774,7 +1774,7 @@ isc_socket_open(isc_socket_t *sock) {
  * Attach to a socket.  Caller must explicitly detach when it is done.
  */
 void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(socketp != NULL && *socketp == NULL);
 
@@ -1791,7 +1791,7 @@ isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
  * up by destroying the socket.
  */
 void
-isc_socket_detach(isc_socket_t **socketp) {
+isc__socket_detach(isc_socket_t **socketp) {
 	isc_socket_t *sock;
 	isc_boolean_t kill_socket = ISC_FALSE;
 
@@ -2434,13 +2434,13 @@ SocketIoThread(LPVOID ThreadContext) {
  * Create a new socket manager.
  */
 isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 	return (isc_socketmgr_create2(mctx, managerp, 0));
 }
 
 isc_result_t
-isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
-		     unsigned int maxsocks)
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks)
 {
 	isc_socketmgr_t *manager;
 	isc_result_t result;
@@ -2489,7 +2489,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 }
 
 isc_result_t
-isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+isc__socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(nsockp != NULL);
 
@@ -2497,7 +2497,7 @@ isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
 }
 
 void
-isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+isc__socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
 	REQUIRE(manager->stats == NULL);
@@ -2507,7 +2507,7 @@ isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
 }
 
 void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
 	isc_socketmgr_t *manager;
 	int i;
 	isc_mem_t *mctx;
@@ -2635,7 +2635,7 @@ socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 }
 
 isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 		 unsigned int minimum, isc_task_t *task,
 		 isc_taskaction_t action, const void *arg)
 {
@@ -2705,8 +2705,9 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 }
 
 isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
-		isc_task_t *task, isc_taskaction_t action, const void *arg)
+isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, const void *arg)
 {
 	isc_socketevent_t *dev;
 	isc_socketmgr_t *manager;
@@ -2742,9 +2743,9 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
 }
 
 isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
-		 unsigned int minimum, isc_task_t *task,
-		 isc_socketevent_t *event, unsigned int flags)
+isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags)
 {
 	isc_result_t ret;
 
@@ -2852,8 +2853,8 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 }
 
 isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
-		isc_task_t *task, isc_taskaction_t action, const void *arg)
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
 	/*
 	 * REQUIRE() checking is performed in isc_socket_sendto().
@@ -2863,9 +2864,9 @@ isc_socket_send(isc_socket_t *sock, isc_region_t *region,
 }
 
 isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg,
-		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, const void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
 {
 	isc_socketevent_t *dev;
 	isc_socketmgr_t *manager;
@@ -2906,17 +2907,17 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
 }
 
 isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		 isc_task_t *task, isc_taskaction_t action, const void *arg)
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
 	return (isc_socket_sendtov(sock, buflist, task, action, arg, NULL,
 				   NULL));
 }
 
 isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, const void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
 {
 	isc_socketevent_t *dev;
 	isc_socketmgr_t *manager;
@@ -2969,10 +2970,10 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
 }
 
 isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
-		   isc_task_t *task,
-		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
-		   isc_socketevent_t *event, unsigned int flags)
+isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags)
 {
 	isc_result_t ret;
 
@@ -3004,8 +3005,8 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 }
 
 isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-		unsigned int options) {
+isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		 unsigned int options) {
 	int bind_errno;
 	char strbuf[ISC_STRERRORSIZE];
 	int on = 1;
@@ -3070,7 +3071,7 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
 }
 
 isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter) {
+isc__socket_filter(isc_socket_t *sock, const char *filter) {
 	UNUSED(sock);
 	UNUSED(filter);
 
@@ -3089,7 +3090,7 @@ isc_socket_filter(isc_socket_t *sock, const char *filter) {
  * as well keep things simple rather than having to track them.
  */
 isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+isc__socket_listen(isc_socket_t *sock, unsigned int backlog) {
 	char strbuf[ISC_STRERRORSIZE];
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3134,8 +3135,8 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
  * This should try to do aggressive accept() XXXMLG
  */
 isc_result_t
-isc_socket_accept(isc_socket_t *sock,
-		  isc_task_t *task, isc_taskaction_t action, const void *arg)
+isc__socket_accept(isc_socket_t *sock,
+		   isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
 	isc_socket_newconnev_t *adev;
 	isc_socketmgr_t *manager;
@@ -3245,8 +3246,8 @@ isc_socket_accept(isc_socket_t *sock,
 }
 
 isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
-		   isc_task_t *task, isc_taskaction_t action, const void *arg)
+isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+		    isc_task_t *task, isc_taskaction_t action, const void *arg)
 {
 	char strbuf[ISC_STRERRORSIZE];
 	isc_socket_connev_t *cdev;
@@ -3360,7 +3361,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 }
 
 isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	isc_result_t result;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3390,7 +3391,7 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 }
 
 isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	ISC_SOCKADDR_LEN_T len;
 	isc_result_t result;
 	char strbuf[ISC_STRERRORSIZE];
@@ -3437,7 +3438,7 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
  * queued for task "task" of type "how".  "how" is a bitmask.
  */
 void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 
 	REQUIRE(VALID_SOCKET(sock));
 
@@ -3563,7 +3564,7 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 }
 
 isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock) {
+isc__socket_gettype(isc_socket_t *sock) {
 	isc_sockettype_t type;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3584,7 +3585,7 @@ isc_socket_gettype(isc_socket_t *sock) {
 }
 
 isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock) {
+isc__socket_isbound(isc_socket_t *sock) {
 	isc_boolean_t val;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -3607,7 +3608,7 @@ isc_socket_isbound(isc_socket_t *sock) {
 }
 
 void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+isc__socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
 #if defined(IPV6_V6ONLY)
 	int onoff = yes ? 1 : 0;
 #else
@@ -3625,14 +3626,14 @@ isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
 }
 
 void
-isc_socket_cleanunix(isc_sockaddr_t *addr, isc_boolean_t active) {
+isc__socket_cleanunix(isc_sockaddr_t *addr, isc_boolean_t active) {
 	UNUSED(addr);
 	UNUSED(active);
 }
 
 isc_result_t
-isc_socket_permunix(isc_sockaddr_t *addr, isc_uint32_t perm,
-		    isc_uint32_t owner,	isc_uint32_t group)
+isc__socket_permunix(isc_sockaddr_t *addr, isc_uint32_t perm,
+		     isc_uint32_t owner,	isc_uint32_t group)
 {
 	UNUSED(addr);
 	UNUSED(perm);
@@ -3642,7 +3643,7 @@ isc_socket_permunix(isc_sockaddr_t *addr, isc_uint32_t perm,
 }
 
 void
-isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+isc__socket_setname(isc_socket_t *socket, const char *name, void *tag) {
 
 	/*
 	 * Name 'socket'.
@@ -3658,12 +3659,12 @@ isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
 }
 
 const char *
-isc_socket_getname(isc_socket_t *socket) {
+isc__socket_getname(isc_socket_t *socket) {
 	return (socket->name);
 }
 
 void *
-isc_socket_gettag(isc_socket_t *socket) {
+isc__socket_gettag(isc_socket_t *socket) {
 	return (socket->tag);
 }
 
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index 5dcc2251b0..1bae4b35cb 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.9 2007/06/19 23:47:21 tbox Exp $
+# $Id: Makefile.in,v 1.10 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,7 +27,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCC_INCLUDES}
 
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index 6dcacdd370..c3d2ee4aff 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.18 2007/06/19 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.19 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,7 +27,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
 
-CDEFINES =      @USE_DLZ@
+CDEFINES =	-DBIND9 @USE_DLZ@
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 3fc1070a37..2b7719444f 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.24 2009/01/18 23:48:14 tbox Exp $ */
+/* $Id: aclconf.c,v 1.25 2009/09/01 00:22:28 jinmei Exp $ */
 
 #include 
 
@@ -150,7 +150,7 @@ convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
 	isc_buffer_add(&buf, keylen);
 	dns_fixedname_init(&fixname);
 	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
-				   dns_rootname, ISC_FALSE, NULL);
+				   dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
 		cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
 			    "key name '%s' is not a valid domain name",
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
new file mode 100644
index 0000000000..e8907bdbb9
--- /dev/null
+++ b/lib/isccfg/dnsconf.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+/*! \file */
+
+#include 
+#include 
+
+/*%
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_trustedkey = {
+	"trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, trustedkey_fields
+};
+
+static cfg_type_t cfg_type_trustedkeys = {
+	"trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_trustedkey
+};
+
+/*%
+ * Clauses that can be found within the top level of the dns.conf
+ * file only.
+ */
+static cfg_clausedef_t
+dnsconf_clauses[] = {
+	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*% The top-level dns.conf syntax. */
+
+static cfg_clausedef_t *
+dnsconf_clausesets[] = {
+	dnsconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnsconf = {
+	"dnsconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, dnsconf_clausesets
+};
diff --git a/lib/isccfg/include/isccfg/dnsconf.h b/lib/isccfg/include/isccfg/dnsconf.h
new file mode 100644
index 0000000000..da34788704
--- /dev/null
+++ b/lib/isccfg/include/isccfg/dnsconf.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*! \file
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include 
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
+/*%< A complete dns.conf file. */
+
+#endif /* ISCCFG_CFG_H */
diff --git a/lib/tests/Makefile.in b/lib/tests/Makefile.in
index 81b0bfbdf3..b57a35cf95 100644
--- a/lib/tests/Makefile.in
+++ b/lib/tests/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25 2007/06/19 23:47:23 tbox Exp $
+# $Id: Makefile.in,v 1.26 2009/09/01 00:22:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -22,7 +22,7 @@ top_srcdir =	@top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${TEST_INCLUDES}
-CDEFINES =
+CDEFINES =	-DBIND9
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
diff --git a/make/rules.in b/make/rules.in
index 2effeef1d8..4191ef038f 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.66 2009/01/10 23:47:28 tbox Exp $
+# $Id: rules.in,v 1.67 2009/09/01 00:22:28 jinmei Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -35,6 +35,8 @@ sysconfdir =	@sysconfdir@
 localstatedir =	@localstatedir@
 mandir =	@mandir@
 datarootdir =   @datarootdir@
+export_libdir =	@export_libdir@
+export_includedir = @export_includedir@
 
 DESTDIR =
 
@@ -122,7 +124,7 @@ ALL_CPPFLAGS = \
 ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
 	${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
 
-.c.@O@:
+@BIND9_CO_RULE@
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
 
 SHELL = @SHELL@

From 713b816c6f7232949de789b843b0d70ed81cce32 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 1 Sep 2009 01:59:57 +0000
Subject: [PATCH 055/385] regen

---
 configure | 322 +++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 282 insertions(+), 40 deletions(-)

diff --git a/configure b/configure
index 7403dea387..82162081b4 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.459 2009/08/13 01:51:19 marka Exp $
+# $Id: configure,v 1.460 2009/09/01 01:59:57 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.473 .
+# From configure.in Revision: 1.474 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -918,6 +918,10 @@ LIBTOOL_MODE_INSTALL
 LIBTOOL_MODE_LINK
 LIBTOOL_ALLOW_UNDEFINED
 LIBTOOL_IN_MAIN
+LIBEXPORT
+BIND9_CO_RULE
+export_libdir
+export_includedir
 ISC_PLATFORM_HAVEIPV6
 LWRES_PLATFORM_HAVEIPV6
 ISC_PLATFORM_NEEDNETINETIN6H
@@ -947,6 +951,7 @@ LWRES_PLATFORM_HAVESALEN
 ISC_PLATFORM_MSGHDRFLAVOR
 ISC_PLATFORM_NEEDPORTT
 ISC_LWRES_NEEDADDRINFO
+ISC_IRS_NEEDADDRINFO
 ISC_LWRES_NEEDRRSETINFO
 ISC_LWRES_SETHOSTENTINT
 ISC_LWRES_ENDHOSTENTINT
@@ -958,6 +963,7 @@ ISC_LWRES_NEEDHERRNO
 ISC_LWRES_GETIPNODEPROTO
 ISC_LWRES_GETADDRINFOPROTO
 ISC_LWRES_GETNAMEINFOPROTO
+ISC_IRS_GETNAMEINFOSOCKLEN
 ISC_PLATFORM_NEEDSTRSEP
 ISC_PLATFORM_NEEDMEMMOVE
 ISC_PLATFORM_NEEDSTRTOUL
@@ -980,6 +986,7 @@ ISC_PLATFORM_HAVESYSUNH
 ISC_PLATFORM_RLIMITTYPE
 ISC_PLATFORM_USEDECLSPEC
 LWRES_PLATFORM_USEDECLSPEC
+IRS_PLATFORM_USEDECLSPEC
 ISC_PLATFORM_BRACEPTHREADONCEINIT
 ISC_PLATFORM_HAVESTRINGSH
 ISC_PLATFORM_HAVEIFNAMETOINDEX
@@ -1040,6 +1047,7 @@ LIBISCCFG_API
 LIBDNS_API
 LIBBIND9_API
 LIBLWRES_API
+LIBIRS_API
 DLZ_DRIVER_RULES'
       ac_precious_vars='build_alias
 host_alias
@@ -1642,6 +1650,8 @@ Optional Features:
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
   --enable-threads	enable multithreading
   --enable-largefile	  64-bit file support
+  --enable-exportlib	build exportable library (GNU make required)
+                        [default=no]
   --enable-ipv6           use IPv6 default=autodetect
   --enable-getifaddrs     Enable the use of getifaddrs() [yes|no].
   --disable-isc-spnego    use SPNEGO from GSSAPI library
@@ -1668,6 +1678,12 @@ Optional Packages:
   --with-libxml2=PATH     Build with libxml2 library yes|no|path
   --with-purify=PATH      use Rational purify
   --with-libtool          use GNU libtool
+  --with-export-libdir=PATH
+                        installation directory for the export library
+                        [EPREFIX/lib/bind9]
+  --with-export-installdir=PATH
+                        installation directory for the header files of the
+                        export library [PREFIX/include/bind9]
   --with-kame=PATH	  use Kame IPv6 default path /usr/local/v6
   --with-docbook-xsl=PATH Specify path for Docbook-XSL stylesheets
   --with-idn=MPREFIX      enable IDN support using idnkit default PREFIX
@@ -3933,7 +3949,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3936 "configure"' > conftest.$ac_ext
+  echo '#line 3952 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -6881,11 +6897,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6884: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6900: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6888: \$? = $ac_status" >&5
+   echo "$as_me:6904: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7171,11 +7187,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7174: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7190: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7178: \$? = $ac_status" >&5
+   echo "$as_me:7194: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7275,11 +7291,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7278: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7294: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7282: \$? = $ac_status" >&5
+   echo "$as_me:7298: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9639,7 +9655,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:12163: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12151: \$? = $ac_status" >&5
+   echo "$as_me:12167: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12248,11 +12264,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12251: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12267: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12255: \$? = $ac_status" >&5
+   echo "$as_me:12271: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13831,11 +13847,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13834: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13850: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13838: \$? = $ac_status" >&5
+   echo "$as_me:13854: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13935,11 +13951,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13938: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13954: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13942: \$? = $ac_status" >&5
+   echo "$as_me:13958: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16146,11 +16162,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16149: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16165: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16153: \$? = $ac_status" >&5
+   echo "$as_me:16169: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16436,11 +16452,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16439: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16455: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16443: \$? = $ac_status" >&5
+   echo "$as_me:16459: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16540,11 +16556,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16543: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16559: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16547: \$? = $ac_status" >&5
+   echo "$as_me:16563: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -19333,7 +19349,6 @@ It is available from http://www.isc.org as a separate download." >&2;}
 		;;
 esac
 
-
 #
 # Make very sure that these are the first files processed by
 # config.status, since we use the processed output as the input for
@@ -25915,6 +25930,60 @@ SA=a
 
 
 
+#
+# build exportable DNS library?
+#
+# Check whether --enable-exportlib was given.
+if test "${enable_exportlib+set}" = set; then
+  enableval=$enable_exportlib;
+fi
+
+case "$enable_exportlib" in
+	yes)
+		gmake=
+		for x in gmake gnumake make; do
+			if $x --version 2>/dev/null | grep GNU > /dev/null; then
+				gmake=$x
+				break;
+			fi
+		done
+		if test -z "$gmake"; then
+			{ { echo "$as_me:$LINENO: error: exportlib requires GNU make.  Install it or disable the feature." >&5
+echo "$as_me: error: exportlib requires GNU make.  Install it or disable the feature." >&2;}
+   { (exit 1); exit 1; }; }
+		fi
+		LIBEXPORT=lib/export
+
+		BIND9_CO_RULE="%.$O:  \${srcdir}/%.c"
+		;;
+	no|*)
+		BIND9_CO_RULE=".c.$O:"
+		;;
+esac
+
+
+
+# Check whether --with-export-libdir was given.
+if test "${with_export_libdir+set}" = set; then
+  withval=$with_export_libdir; export_libdir="$withval"
+fi
+
+if test -z "$export_libdir"; then
+	export_libdir="\${exec_prefix}/lib/bind9/"
+fi
+
+
+
+# Check whether --with-export-installdir was given.
+if test "${with_export_installdir+set}" = set; then
+  withval=$with_export_installdir; export_installdir="$withval"
+fi
+
+if test -z "$export_includedir"; then
+	export_includedir="\${prefix}/include/bind9/"
+fi
+
+
 #
 # Here begins a very long section to determine the system's networking
 # capabilities.  The order of the tests is significant.
@@ -26886,6 +26955,7 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   { echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
+	ISC_IRS_NEEDADDRINFO="#undef ISC_IRS_NEEDADDRINFO"
 	cat >>confdefs.h <<\_ACEOF
 #define HAVE_ADDRINFO 1
 _ACEOF
@@ -26897,11 +26967,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 	{ echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"
+	ISC_IRS_NEEDADDRINFO="#define ISC_IRS_NEEDADDRINFO 1"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
+
 #
 # Check for rrsetinfo
 #
@@ -27307,6 +27379,131 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
+#
+# Sadly, the definitions of system-supplied getnameinfo(3) vary.  Try to catch
+# known variations here:
+#
+{ echo "$as_me:$LINENO: checking for getnameinfo prototype definitions" >&5
+echo $ECHO_N "checking for getnameinfo prototype definitions... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include 
+#include 
+#include 
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+                socklen_t, char *, socklen_t, unsigned int);
+int
+main ()
+{
+ return (0);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: socklen_t for buflen; u_int for flags" >&5
+echo "${ECHO_T}socklen_t for buflen; u_int for flags" >&6; }
+	 cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_BUFLEN_T socklen_t
+_ACEOF
+
+	 cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_FLAGS_T unsigned int
+_ACEOF
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include 
+#include 
+#include 
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+                size_t, char *, size_t, int);
+int
+main ()
+{
+ return (0);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: size_t for buflen; int for flags" >&5
+echo "${ECHO_T}size_t for buflen; int for flags" >&6; }
+	 cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_BUFLEN_T size_t
+_ACEOF
+
+	 cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_FLAGS_T int
+_ACEOF
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ echo "$as_me:$LINENO: result: not match any subspecies; assume standard definition" >&5
+echo "${ECHO_T}not match any subspecies; assume standard definition" >&6; }
+cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_BUFLEN_T socklen_t
+_ACEOF
+
+cat >>confdefs.h <<\_ACEOF
+#define IRS_GETNAMEINFO_FLAGS_T int
+_ACEOF
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 { echo "$as_me:$LINENO: checking for getipnodebyname" >&5
 echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_getipnodebyname+set}" = set; then
@@ -27664,6 +27861,7 @@ fi
 
 
 
+
 # Check whether --enable-getifaddrs was given.
 if test "${enable_getifaddrs+set}" = set; then
   enableval=$enable_getifaddrs; want_getifaddrs="$enableval"
@@ -30022,6 +30220,8 @@ ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
 
 LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
 
+IRS_PLATFORM_USEDECLSPEC="#undef IRS_PLATFORM_USEDECLSPEC"
+
 #
 # Random remaining OS-specific issues involving compiler warnings.
 # XXXDCL print messages to indicate some compensation is being done?
@@ -32012,6 +32212,9 @@ LIBBIND9_API=$srcdir/lib/bind9/api
 
 LIBLWRES_API=$srcdir/lib/lwres/api
 
+
+LIBIRS_API=$srcdir/lib/irs/api
+
 #
 # Configure any DLZ drivers.
 #
@@ -32849,7 +33052,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
+ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/export/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
 
 
 #
@@ -33443,10 +33646,38 @@ do
     "lib/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/Makefile" ;;
     "lib/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/Makefile" ;;
     "lib/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/isccfg/Makefile" ;;
+    "lib/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/Makefile" ;;
+    "lib/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/include/Makefile" ;;
+    "lib/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/Makefile" ;;
+    "lib/irs/include/irs/netdb.h") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/netdb.h" ;;
+    "lib/irs/include/irs/platform.h") CONFIG_FILES="$CONFIG_FILES lib/irs/include/irs/platform.h" ;;
     "lib/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/Makefile" ;;
     "lib/dns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/Makefile" ;;
     "lib/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dns/Makefile" ;;
     "lib/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/dns/include/dst/Makefile" ;;
+    "lib/export/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/Makefile" ;;
+    "lib/export/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/Makefile" ;;
+    "lib/export/isc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/include/Makefile" ;;
+    "lib/export/isc/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/include/isc/Makefile" ;;
+    "lib/export/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/Makefile" ;;
+    "lib/export/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/Makefile" ;;
+    "lib/export/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/unix/include/isc/Makefile" ;;
+    "lib/export/isc/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/nls/Makefile" ;;
+    "lib/export/isc/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/$thread_dir/Makefile" ;;
+    "lib/export/isc/$thread_dir/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/$thread_dir/include/Makefile" ;;
+    "lib/export/isc/$thread_dir/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isc/$thread_dir/include/isc/Makefile" ;;
+    "lib/export/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/Makefile" ;;
+    "lib/export/dns/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/Makefile" ;;
+    "lib/export/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dns/Makefile" ;;
+    "lib/export/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/dns/include/dst/Makefile" ;;
+    "lib/export/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/Makefile" ;;
+    "lib/export/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/Makefile" ;;
+    "lib/export/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/irs/include/irs/Makefile" ;;
+    "lib/export/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/Makefile" ;;
+    "lib/export/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/include/Makefile" ;;
+    "lib/export/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/isccfg/include/isccfg/Makefile" ;;
+    "lib/export/samples/Makefile") CONFIG_FILES="$CONFIG_FILES lib/export/samples/Makefile" ;;
+    "lib/export/samples/Makefile-postinstall") CONFIG_FILES="$CONFIG_FILES lib/export/samples/Makefile-postinstall" ;;
     "lib/bind9/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/Makefile" ;;
     "lib/bind9/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/include/Makefile" ;;
     "lib/bind9/include/bind9/Makefile") CONFIG_FILES="$CONFIG_FILES lib/bind9/include/bind9/Makefile" ;;
@@ -33635,12 +33866,9 @@ CPP!$CPP$ac_delim
 CXX!$CXX$ac_delim
 CXXFLAGS!$CXXFLAGS$ac_delim
 ac_ct_CXX!$ac_ct_CXX$ac_delim
-CXXCPP!$CXXCPP$ac_delim
-F77!$F77$ac_delim
-FFLAGS!$FFLAGS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 70; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 67; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -33692,6 +33920,10 @@ d
 r $LIBLWRES_API
 d
 }
+/^[	 ]*@LIBIRS_API@[	 ]*$/{
+r $LIBIRS_API
+d
+}
 /^[	 ]*@DLZ_DRIVER_RULES@[	 ]*$/{
 r $DLZ_DRIVER_RULES
 d
@@ -33715,6 +33947,9 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+CXXCPP!$CXXCPP$ac_delim
+F77!$F77$ac_delim
+FFLAGS!$FFLAGS$ac_delim
 ac_ct_F77!$ac_ct_F77$ac_delim
 LIBTOOL!$LIBTOOL$ac_delim
 INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
@@ -33765,6 +34000,10 @@ LIBTOOL_MODE_INSTALL!$LIBTOOL_MODE_INSTALL$ac_delim
 LIBTOOL_MODE_LINK!$LIBTOOL_MODE_LINK$ac_delim
 LIBTOOL_ALLOW_UNDEFINED!$LIBTOOL_ALLOW_UNDEFINED$ac_delim
 LIBTOOL_IN_MAIN!$LIBTOOL_IN_MAIN$ac_delim
+LIBEXPORT!$LIBEXPORT$ac_delim
+BIND9_CO_RULE!$BIND9_CO_RULE$ac_delim
+export_libdir!$export_libdir$ac_delim
+export_includedir!$export_includedir$ac_delim
 ISC_PLATFORM_HAVEIPV6!$ISC_PLATFORM_HAVEIPV6$ac_delim
 LWRES_PLATFORM_HAVEIPV6!$LWRES_PLATFORM_HAVEIPV6$ac_delim
 ISC_PLATFORM_NEEDNETINETIN6H!$ISC_PLATFORM_NEEDNETINETIN6H$ac_delim
@@ -33794,6 +34033,7 @@ LWRES_PLATFORM_HAVESALEN!$LWRES_PLATFORM_HAVESALEN$ac_delim
 ISC_PLATFORM_MSGHDRFLAVOR!$ISC_PLATFORM_MSGHDRFLAVOR$ac_delim
 ISC_PLATFORM_NEEDPORTT!$ISC_PLATFORM_NEEDPORTT$ac_delim
 ISC_LWRES_NEEDADDRINFO!$ISC_LWRES_NEEDADDRINFO$ac_delim
+ISC_IRS_NEEDADDRINFO!$ISC_IRS_NEEDADDRINFO$ac_delim
 ISC_LWRES_NEEDRRSETINFO!$ISC_LWRES_NEEDRRSETINFO$ac_delim
 ISC_LWRES_SETHOSTENTINT!$ISC_LWRES_SETHOSTENTINT$ac_delim
 ISC_LWRES_ENDHOSTENTINT!$ISC_LWRES_ENDHOSTENTINT$ac_delim
@@ -33804,14 +34044,6 @@ ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim
 ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim
 ISC_LWRES_GETIPNODEPROTO!$ISC_LWRES_GETIPNODEPROTO$ac_delim
 ISC_LWRES_GETADDRINFOPROTO!$ISC_LWRES_GETADDRINFOPROTO$ac_delim
-ISC_LWRES_GETNAMEINFOPROTO!$ISC_LWRES_GETNAMEINFOPROTO$ac_delim
-ISC_PLATFORM_NEEDSTRSEP!$ISC_PLATFORM_NEEDSTRSEP$ac_delim
-ISC_PLATFORM_NEEDMEMMOVE!$ISC_PLATFORM_NEEDMEMMOVE$ac_delim
-ISC_PLATFORM_NEEDSTRTOUL!$ISC_PLATFORM_NEEDSTRTOUL$ac_delim
-LWRES_PLATFORM_NEEDSTRTOUL!$LWRES_PLATFORM_NEEDSTRTOUL$ac_delim
-GENRANDOMLIB!$GENRANDOMLIB$ac_delim
-ISC_PLATFORM_NEEDSTRLCPY!$ISC_PLATFORM_NEEDSTRLCPY$ac_delim
-ISC_PLATFORM_NEEDSTRLCAT!$ISC_PLATFORM_NEEDSTRLCAT$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -33853,6 +34085,15 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+ISC_LWRES_GETNAMEINFOPROTO!$ISC_LWRES_GETNAMEINFOPROTO$ac_delim
+ISC_IRS_GETNAMEINFOSOCKLEN!$ISC_IRS_GETNAMEINFOSOCKLEN$ac_delim
+ISC_PLATFORM_NEEDSTRSEP!$ISC_PLATFORM_NEEDSTRSEP$ac_delim
+ISC_PLATFORM_NEEDMEMMOVE!$ISC_PLATFORM_NEEDMEMMOVE$ac_delim
+ISC_PLATFORM_NEEDSTRTOUL!$ISC_PLATFORM_NEEDSTRTOUL$ac_delim
+LWRES_PLATFORM_NEEDSTRTOUL!$LWRES_PLATFORM_NEEDSTRTOUL$ac_delim
+GENRANDOMLIB!$GENRANDOMLIB$ac_delim
+ISC_PLATFORM_NEEDSTRLCPY!$ISC_PLATFORM_NEEDSTRLCPY$ac_delim
+ISC_PLATFORM_NEEDSTRLCAT!$ISC_PLATFORM_NEEDSTRLCAT$ac_delim
 ISC_PLATFORM_NEEDSPRINTF!$ISC_PLATFORM_NEEDSPRINTF$ac_delim
 LWRES_PLATFORM_NEEDSPRINTF!$LWRES_PLATFORM_NEEDSPRINTF$ac_delim
 ISC_PLATFORM_NEEDVSNPRINTF!$ISC_PLATFORM_NEEDVSNPRINTF$ac_delim
@@ -33868,6 +34109,7 @@ ISC_PLATFORM_HAVESYSUNH!$ISC_PLATFORM_HAVESYSUNH$ac_delim
 ISC_PLATFORM_RLIMITTYPE!$ISC_PLATFORM_RLIMITTYPE$ac_delim
 ISC_PLATFORM_USEDECLSPEC!$ISC_PLATFORM_USEDECLSPEC$ac_delim
 LWRES_PLATFORM_USEDECLSPEC!$LWRES_PLATFORM_USEDECLSPEC$ac_delim
+IRS_PLATFORM_USEDECLSPEC!$IRS_PLATFORM_USEDECLSPEC$ac_delim
 ISC_PLATFORM_BRACEPTHREADONCEINIT!$ISC_PLATFORM_BRACEPTHREADONCEINIT$ac_delim
 ISC_PLATFORM_HAVESTRINGSH!$ISC_PLATFORM_HAVESTRINGSH$ac_delim
 ISC_PLATFORM_HAVEIFNAMETOINDEX!$ISC_PLATFORM_HAVEIFNAMETOINDEX$ac_delim
@@ -33922,7 +34164,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 67; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 77; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

From e2a61b7bb2ae967530552a2f829e07494555e886 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 1 Sep 2009 02:54:26 +0000
Subject: [PATCH 056/385] add #include 

---
 lib/irs/getnameinfo.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
index b2f6ac3904..9c708f3ac5 100644
--- a/lib/irs/getnameinfo.c
+++ b/lib/irs/getnameinfo.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: getnameinfo.c,v 1.3 2009/09/01 02:54:26 marka Exp $ */
 
 /*! \file */
 
@@ -101,8 +101,9 @@
 #include 
 #include 
 
-#include 
 #include 
+#include 
+#include 
 #include 
 
 #include 

From 1eb6d0f372bb792043827df3b9a54e0ac0fb0591 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 03:31:33 +0000
Subject: [PATCH 057/385] make the _H definition consistent with the file name.

---
 .../idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h b/contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h
index 0006911d3e..29c13e2c01 100644
--- a/contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h
+++ b/contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h
@@ -1,4 +1,4 @@
-/* $Id: selectiveencode.h,v 1.1 2003/06/04 00:27:08 marka Exp $ */
+/* $Id: selectiveencode.h,v 1.2 2009/09/01 03:31:33 jinmei Exp $ */
 /*
  * Copyright (c) 2000,2002 Japan Network Information Center.
  * All rights reserved.
@@ -42,8 +42,8 @@
  *    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  */
 
-#ifndef IDN_SELECTIVENCODE_H
-#define IDN_SELECTIVENCODE_H 1
+#ifndef IDN_SELECTIVEENCODE_H
+#define IDN_SELECTIVEENCODE_H 1
 
 /*
  * Find where to convert.
@@ -67,4 +67,4 @@
 extern idn_result_t
 idn_selectiveencode_findregion(const char *s, char **startp, char **endp);
 
-#endif /* IDN_SELECTIVENCODE_H */
+#endif /* IDN_SELECTIVEENCODE_H */

From 9eae5f2a7a189353bd4fcbb939c2b61094b3bfe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 03:43:27 +0000
Subject: [PATCH 058/385] added include 

---
 lib/dns/client.c                    | 4 +++-
 lib/dns/tsec.c                      | 4 +++-
 lib/export/samples/nsprobe.c        | 4 +++-
 lib/export/samples/sample-async.c   | 4 +++-
 lib/export/samples/sample-gai.c     | 4 +++-
 lib/export/samples/sample-request.c | 4 +++-
 lib/export/samples/sample-update.c  | 4 +++-
 lib/export/samples/sample.c         | 4 +++-
 lib/irs/gai_strerror.c              | 4 +++-
 lib/isc/app_api.c                   | 4 +++-
 lib/isc/mem_api.c                   | 4 +++-
 lib/isc/socket_api.c                | 4 +++-
 lib/isc/task_api.c                  | 4 +++-
 lib/isc/timer_api.c                 | 4 +++-
 lib/isccfg/dnsconf.c                | 4 +++-
 15 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/lib/dns/client.c b/lib/dns/client.c
index dcb8817e2b..f094188c83 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: client.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
index dbd0b85cb8..44bde128db 100644
--- a/lib/dns/tsec.c
+++ b/lib/dns/tsec.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsec.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: tsec.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 
diff --git a/lib/export/samples/nsprobe.c b/lib/export/samples/nsprobe.c
index fa3dfd4720..b8fdcefb9e 100644
--- a/lib/export/samples/nsprobe.c
+++ b/lib/export/samples/nsprobe.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsprobe.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: nsprobe.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/samples/sample-async.c b/lib/export/samples/sample-async.c
index d209f3a066..49e1c7a187 100644
--- a/lib/export/samples/sample-async.c
+++ b/lib/export/samples/sample-async.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-async.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: sample-async.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/samples/sample-gai.c b/lib/export/samples/sample-gai.c
index 321004ef04..364b5ad152 100644
--- a/lib/export/samples/sample-gai.c
+++ b/lib/export/samples/sample-gai.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-gai.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: sample-gai.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/samples/sample-request.c b/lib/export/samples/sample-request.c
index 75242ee410..b45e952d43 100644
--- a/lib/export/samples/sample-request.c
+++ b/lib/export/samples/sample-request.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-request.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: sample-request.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/samples/sample-update.c b/lib/export/samples/sample-update.c
index e186f536d6..5ada36461d 100644
--- a/lib/export/samples/sample-update.c
+++ b/lib/export/samples/sample-update.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-update.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: sample-update.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c
index 64797955c6..765a759af9 100644
--- a/lib/export/samples/sample.c
+++ b/lib/export/samples/sample.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: sample.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
index ce31df95c6..edae6613a8 100644
--- a/lib/irs/gai_strerror.c
+++ b/lib/irs/gai_strerror.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: gai_strerror.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
 
 /*! \file gai_strerror.c
  * gai_strerror() returns an error message corresponding to an
@@ -50,6 +50,8 @@
  *
  * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
  */
+#include 
+
 #include 
 
 /*% Text of error messages. */
diff --git a/lib/isc/app_api.c b/lib/isc/app_api.c
index 8f44c5e84c..80ebd2ba88 100644
--- a/lib/isc/app_api.c
+++ b/lib/isc/app_api.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: app_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 
diff --git a/lib/isc/mem_api.c b/lib/isc/mem_api.c
index 432cd67b66..e50c56b843 100644
--- a/lib/isc/mem_api.c
+++ b/lib/isc/mem_api.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: mem_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/isc/socket_api.c b/lib/isc/socket_api.c
index 66541299bd..a10efef41f 100644
--- a/lib/isc/socket_api.c
+++ b/lib/isc/socket_api.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: socket_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/isc/task_api.c b/lib/isc/task_api.c
index ff5c5c5cd6..af7a93ca64 100644
--- a/lib/isc/task_api.c
+++ b/lib/isc/task_api.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: task_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 
diff --git a/lib/isc/timer_api.c b/lib/isc/timer_api.c
index 07c3448d8d..44a0b9f1ff 100644
--- a/lib/isc/timer_api.c
+++ b/lib/isc/timer_api.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_api.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: timer_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+
+#include 
 
 #include 
 
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
index e8907bdbb9..8429f34ccf 100644
--- a/lib/isccfg/dnsconf.c
+++ b/lib/isccfg/dnsconf.c
@@ -15,10 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: dnsconf.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
 
 /*! \file */
 
+#include 
+
 #include 
 #include 
 

From ef22fffeebffacbcbce1f8d68d0c3f29a7d4a59e Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 1 Sep 2009 05:50:18 +0000
Subject: [PATCH 059/385] 2662.	[bug]		lwres_getipnodebyname() and
 lwres_getipnodebyaddr() 			returned a misleading error
 code when lwresd was 			down. [RT #20028]

2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
			creating lwres context. [RT #20029]
---
 CHANGES               |  7 +++++++
 lib/lwres/context.c   | 13 ++++++++++++-
 lib/lwres/getipnode.c | 22 ++++++++++++++++------
 3 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index b96114bbf7..630164ab74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr() 
+			returned a misleading error code when lwresd was
+			down. [RT #20028]
+
+2661.	[bug]		Check whether socket fd exceeds FD_SETSIZE when
+			creating lwres context. [RT #20029]
+
 2660.	[func]		Add a new set of DNS libraries for non-BIND9
 			applications.  See README.libdns. [RT #19369]
 
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index 32233ff737..20b7341630 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.52 2008/12/17 23:47:58 tbox Exp $ */
+/* $Id: context.c,v 1.53 2009/09/01 05:50:17 each Exp $ */
 
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
@@ -471,6 +471,17 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	result = lwres_context_send(ctx, sendbase, sendlen);
 	if (result != LWRES_R_SUCCESS)
 		return (result);
+	
+	/*
+	 * If this is not checked, select() can overflow,
+	 * causing corruption elsewhere.
+	 */
+	if (ctx->sock >= FD_SETSIZE) {
+		close(ctx->sock);
+		ctx->sock = -1;
+		return (LWRES_R_IOERROR);
+	}
+
  again:
 	FD_ZERO(&readfds);
 	FD_SET(ctx->sock, &readfds);
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index 8eb30301ea..b872e3d5ad 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.45 2009/08/15 23:48:06 tbox Exp $ */
+/* $Id: getipnode.c,v 1.46 2009/09/01 05:50:18 each Exp $ */
 
 /*! \file */
 
@@ -202,7 +202,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 	struct in6_addr in6;
 	struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
 	int v4 = 0, v6 = 0;
-	int tmp_err;
+	int tmp_err = 0;
 	lwres_context_t *lwrctx = NULL;
 	lwres_gabnresponse_t *by = NULL;
 	int n;
@@ -275,7 +275,6 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
 	tmp_err = NO_RECOVERY;
 	if (have_v6 && af == AF_INET6) {
-
 		n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
 		if (n == 0) {
 			he1 = hostfromname(by, AF_INET6);
@@ -285,7 +284,12 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 				goto cleanup;
 			}
 		} else {
-			tmp_err = HOST_NOT_FOUND;
+			if (n == LWRES_R_NOTFOUND)
+				tmp_err = HOST_NOT_FOUND;
+			else {
+				*error_num = NO_RECOVERY;
+				goto cleanup;
+        		}
 		}
 	}
 
@@ -311,7 +315,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 	} else
 		*error_num = tmp_err;
 
-	he3 = copyandmerge(he1, he2, af, error_num);
+        he3 = copyandmerge(he1, he2, af, error_num);
 
  cleanup:
 	if (he1 != NULL)
@@ -437,9 +441,15 @@ lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
 	if (n != 0) {
 		lwres_conf_clear(lwrctx);
 		lwres_context_destroy(&lwrctx);
-		*error_num = HOST_NOT_FOUND;
+
+		if (n == LWRES_R_NOTFOUND)
+		       *error_num = HOST_NOT_FOUND;
+		else
+		       *error_num = NO_RECOVERY;
+
 		return (NULL);
 	}
+
 	he1 = hostfromaddr(by, AF_INET6, src);
 	lwres_gnbaresponse_free(lwrctx, &by);
 	if (he1 == NULL)

From 479b80d4d706be399fd8974e941d9a0edb4259ef Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 1 Sep 2009 06:51:47 +0000
Subject: [PATCH 060/385] 2663.   [func]          win32:  allow named to run as
 a service using                         "NT AUTHORITY\LocalService" as the
 account. [RT #19977]

---
 CHANGES                                  |  3 ++
 bin/win32/BINDInstall/BINDInstallDlg.cpp | 52 ++++++++++++++----------
 bin/win32/BINDInstall/BINDInstallDlg.h   |  4 +-
 win32utils/readme1st.txt                 |  9 +++-
 4 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/CHANGES b/CHANGES
index 630164ab74..29ba1e8292 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2663.	[func]		win32:  allow named to run as a service using
+			"NT AUTHORITY\LocalService" as the account. [RT #19977]
+
 2662.	[bug]		lwres_getipnodebyname() and lwres_getipnodebyaddr() 
 			returned a misleading error code when lwresd was
 			down. [RT #20028]
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 581f3be3fb..a09766418f 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.cpp,v 1.43 2009/08/25 06:47:06 marka Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.44 2009/09/01 06:51:47 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -69,6 +69,8 @@
 #define MAX_GROUPS	100
 #define MAX_PRIVS	 50
 
+#define LOCAL_SERVICE "NT AUTHORITY\\LocalService"
+
 #ifdef _DEBUG
 #define new DEBUG_NEW
 #undef THIS_FILE
@@ -410,7 +412,7 @@ void CBINDInstallDlg::OnInstall() {
 
 	UpdateData();
 
-	if (!m_toolsOnly) {
+	if (!m_toolsOnly && m_accountName != LOCAL_SERVICE) {
 		/*
 		 * Check that the Passwords entered match.
 		 */
@@ -454,6 +456,11 @@ void CBINDInstallDlg::OnInstall() {
 				return;
 			}
 		}
+	} else if (m_accountName == LOCAL_SERVICE) {
+		/* The LocalService always exists. */
+		m_accountExists = TRUE;
+		if (m_accountName != m_currentAccount)
+			m_accountUsed = FALSE;
 	}
 
 	/* Directories */
@@ -728,13 +735,16 @@ CBINDInstallDlg::GetCurrentServiceAccountName() {
 	}
 
 	RegCloseKey(hKey);
-	if(keyFound == FALSE)
+	if (keyFound == FALSE)
 		m_accountName = "";
-	else {
-	/*
-	 * LocalSystem is not a regular account and is equivalent
-	 * to no account but with lots of privileges
-	 */
+	else if (!strcmp(accountName, LOCAL_SERVICE)) {
+		m_accountName = LOCAL_SERVICE;
+		m_accountUsed = TRUE;
+	} else {
+		/*
+		 * LocalSystem is not a regular account and is equivalent
+		 * to no account but with lots of privileges
+		 */
 		Tmp = accountName;
 		if (Tmp == ".\\LocalSystem")
 			m_accountName = "";
@@ -790,23 +800,23 @@ void
 CBINDInstallDlg::RegisterService() {
 	SC_HANDLE hSCManager;
 	SC_HANDLE hService;
-	CString StartName = ".\\" + m_accountName;
-
-	if(m_toolsOnly)
-		return;
+	CString StartName;
 
+	if (m_accountName == LOCAL_SERVICE)
+		StartName = LOCAL_SERVICE;
+	else
+		StartName = ".\\" + m_accountName;
 	/*
 	 * We need to change the service rather than create it
 	 * if the service already exists. Do nothing if we are already
 	 * using that account
 	 */
-	if(m_serviceExists == TRUE) {
-		if(m_accountUsed == FALSE) {
-			UpdateService();
+	if (m_serviceExists == TRUE) {
+		if (m_accountUsed == FALSE) {
+			UpdateService(StartName);
 			SetItemStatus(IDC_REG_SERVICE);
 			return;
-		}
-		else {
+		} else {
 			SetItemStatus(IDC_REG_SERVICE);
 			return;
 		}
@@ -845,10 +855,9 @@ CBINDInstallDlg::RegisterService() {
 }
 
 void
-CBINDInstallDlg::UpdateService() {
+CBINDInstallDlg::UpdateService(CString StartName) {
 	SC_HANDLE hSCManager;
 	SC_HANDLE hService;
-	CString StartName = ".\\" + m_accountName;
 
 	if(m_toolsOnly)
 		return;
@@ -878,11 +887,10 @@ CBINDInstallDlg::UpdateService() {
 		if (hSCManager)
 			CloseServiceHandle(hSCManager);
 		return;
-	}
-	else {
+	} else {
 		if (ChangeServiceConfig(hService, dwServiceType, dwStart,
 			SERVICE_ERROR_NORMAL, namedLoc, NULL, NULL, NULL,
-			StartName, m_accountPassword,BIND_DISPLAY_NAME)
+			StartName, m_accountPassword, BIND_DISPLAY_NAME)
 			!= TRUE) {
 			DWORD err = GetLastError();
 			MsgBox(IDS_ERR_UPDATE_SERVICE, GetErrMessage());
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.h b/bin/win32/BINDInstall/BINDInstallDlg.h
index f8e02968c0..9cbc4c4c62 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.h
+++ b/bin/win32/BINDInstall/BINDInstallDlg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.h,v 1.10 2009/08/25 23:47:51 tbox Exp $ */
+/* $Id: BINDInstallDlg.h,v 1.11 2009/09/01 06:51:47 marka Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -73,7 +73,7 @@ protected:
 	void DeleteFiles(BOOL uninstall);
 
 	void RegisterService();
-	void UpdateService();
+	void UpdateService(CString StartName);
 	void UnregisterService(BOOL uninstall);
 
 	void RegisterMessages();
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index 5acc294f59..f93164dafb 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2003  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: readme1st.txt,v 1.23 2009/06/22 23:47:53 tbox Exp $
+$Id: readme1st.txt,v 1.24 2009/09/01 06:51:47 marka Exp $
 
 	   Release of BIND 9.7 for Windows and later.
 
@@ -11,7 +11,7 @@ This is a release of BIND 9.7 for Windows XP and later.
 	Important Kit Installation Information
 
 As of release 9.3.0, BINDInstall requires that you install it under
-an account with restricted privileges. The installer will prompt
+a account with restricted privileges. The installer will prompt
 you for an account name, the default is "named", and a password for
 that account. It will also check for the existence of that account.
 If it does not exist is will create it with only the privileges
@@ -28,6 +28,11 @@ or for master zones supporting dynamic updates. The account will
 also need read access to the named.conf and any other file that it
 needs to read.
 
+"NT AUTHORITY\LocalService" is also an acceptable account.  This
+account is built into Windows and no password is required.  Appropriate
+file permissions will also need to be set for "NT AUTHORITY\LocalService"
+similar to those that would have been required for the "named" account.
+
 It is important that on Windows the directory directive is used in
 the options section to tell BIND where to find the files used in
 named.conf (default %WINDOWS%\system32\dns\etc\named.conf).

From b1f3364f52261c3198b3717530aabc612c5a431a Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 1 Sep 2009 07:04:12 +0000
Subject: [PATCH 061/385] 2664.	[bug]		create_keydata() and
 minimal_update() in zone.c 			didn't properly check return
 values for some 			functions.  [RT #19956]

---
 CHANGES        |  4 ++++
 lib/dns/zone.c | 21 +++++++++++----------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index 29ba1e8292..b7a42ac474 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2664.	[bug]		create_keydata() and minimal_update() in zone.c 
+			didn't properly check return values for some
+			functions.  [RT #19956]
+
 2663.	[func]		win32:  allow named to run as a service using
 			"NT AUTHORITY\LocalService" as the account. [RT #19977]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4469fdd683..2a21bc3e10 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.503 2009/08/13 07:14:05 tbox Exp $ */
+/* $Id: zone.c,v 1.504 2009/09/01 07:04:12 each Exp $ */
 
 /*! \file */
 
@@ -2532,15 +2532,16 @@ create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 				     dns_rdatatype_dnskey, &r);
 
 		/* DSTKEY to KEYDATA. */
-		dns_rdata_tostruct(&rdata, &dnskey, NULL);
-		dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+		CHECK(dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0,
+					     NULL));
 
 		/* KEYDATA to rdata. */
 		dns_rdata_reset(&rdata);
 		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-		dns_rdata_fromstruct(&rdata,
-				     zone->rdclass, dns_rdatatype_keydata,
-				     &keydata, &keyb);
+		CHECK(dns_rdata_fromstruct(&rdata,
+					   zone->rdclass, dns_rdatatype_keydata,
+					   &keydata, &keyb));
 
 		/* Add rdata to zone. */
 		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD,
@@ -6580,15 +6581,15 @@ minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff) {
 				    name, 0, &rdata));
 
 		/* Update refresh timer */
-		dns_rdata_tostruct(&rdata, &keydata, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &keydata, NULL));
 		keydata.refresh = refresh_time(kfetch);
 		set_refreshkeytimer(zone, &keydata, now);
 
 		dns_rdata_reset(&rdata);
 		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
-		dns_rdata_fromstruct(&rdata,
-				     zone->rdclass, dns_rdatatype_keydata,
-				     &keydata, &keyb);
+		CHECK(dns_rdata_fromstruct(&rdata,
+					   zone->rdclass, dns_rdatatype_keydata,
+					   &keydata, &keyb));
 
 		/* Insert updated version */
 		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD,

From 85be60e3c8e47b9fdfeaa0770f445b206c39bca8 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 1 Sep 2009 07:14:26 +0000
Subject: [PATCH 062/385] 2665.	[func]		Clarify syntax for
 managed-keys {} statement, add 			ARM documentation
 about RFC 5011 support. [RT #19874]

---
 CHANGES                 |   3 +
 README.rfc5011          |  39 ++++---
 bin/named/bind.keys.h   |   8 ++
 bin/named/bindkeys.pl   |  16 ++-
 bin/named/config.c      |   8 +-
 bin/named/server.c      |  16 ++-
 bind.keys               |   4 +-
 doc/arm/Bv9ARM-book.xml | 222 +++++++++++++++++++++++++++++++---------
 lib/isccfg/namedconf.c  |  41 +++++++-
 9 files changed, 278 insertions(+), 79 deletions(-)

diff --git a/CHANGES b/CHANGES
index b7a42ac474..0bfb605f6f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2665.	[func]		Clarify syntax for managed-keys {} statement, add
+			ARM documentation about RFC 5011 support. [RT #19874]
+
 2664.	[bug]		create_keydata() and minimal_update() in zone.c 
 			didn't properly check return values for some
 			functions.  [RT #19956]
diff --git a/README.rfc5011 b/README.rfc5011
index e8f07d0fed..539d3ba84c 100644
--- a/README.rfc5011
+++ b/README.rfc5011
@@ -48,20 +48,35 @@ To configure a validating resolver to use RFC5011 to maintain a trust
 anchor, configure the trust anchor using a "managed-keys" statement
 instead of a "trusted-keys" statement.
 
-The syntax for "managed-keys" is identical to that for "trusted-keys".
-However, whereas a trusted key is trusted permanently until it is removed
-from named.conf, a managed key is only trusted for as long as it takes to
-initialize RFC5011 key maintenance.
+A "managed-keys" statement contains a list of keys to be maintained,
+with information on how they are to be initialized the first time.  The
+only initialization method supported in BIND 9.7.0 is "initial-key".
+This means the "managed-keys" statement itself will contain a copy of
+the initializing key.  In future releases, keys may be initialized by
+other methods, removing the need to incorporate a copy of an intializing
+key in named.conf.
 
-When named loads for the first time with a managed key configured, it
-will fetch the DNSKEY RRset directly from the zone apex and check its
-signature against the key specified in the "managed-keys" statement.
-If it is validly signed, then the DNSKEY RRset is used as the basis for a
-new managed keys database.
+Example:
 
-From that point on, when named loads, it will see the "managed-keys"
-statement, check to make sure RFC5011 key maintenance has already been
-initialized for the specified zone, and if so, it will simply move on.
+managed-keys {
+	sample.domain. initial-key 257 3 5 "BEAAAAPHMu ...";
+};
+
+At first glance this is very similar to a "trusted-keys" statement,
+differing only in the presence of the second field, "initial-key".
+However, whereas a trusted key is trusted permanently until it is
+removed from named.conf, this key would only be trusted once, for
+as long as it takes to initialize RFC5011 key maintenance.
+
+The first time named runs with a managed key configured in named.conf,
+it fetches the DNSKEY RRset directly from the zone apex, and validates
+it using the key specified in the "managed-keys" statement, as above.
+If the DNSKEY RRset is validly signed, then it is used as the basis for
+a new managed keys database.
+
+From that point on, whenever named loads, it sees the "managed-keys"
+statement, checks to make sure RFC5011 key maintenance has already been
+initialized for the specified zone, and if so, it simply moves on.
 No action will be taken unless a key is *removed* from the "managed-keys"
 statement--in which case that zone is removed from the managed keys
 database as well, and RFC5011 key maintenance will no longer be used.
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 1b287a5184..433173e782 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -5,3 +5,11 @@ trusted-keys {\n\
 	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
 };\n\
 "
+
+#define MANAGED_KEYS "\
+managed-keys {\n\
+        # NOTE: This key expires September 2009 \n\
+        # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+};\n\
+"
diff --git a/bin/named/bindkeys.pl b/bin/named/bindkeys.pl
index c68002b900..3ab3ec9818 100755
--- a/bin/named/bindkeys.pl
+++ b/bin/named/bindkeys.pl
@@ -14,13 +14,12 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: bindkeys.pl,v 1.2 2009/03/04 02:42:30 each Exp $
+# $Id: bindkeys.pl,v 1.3 2009/09/01 07:14:25 each Exp $
 
 use strict;
 use warnings;
 
-my $lines = '#define TRUSTED_KEYS "\\' . "\n";
-
+my $lines;
 while (<>) {
     chomp;
     s/\"/\\\"/g;
@@ -28,5 +27,12 @@ while (<>) {
     $lines .= $_ . "\n";
 }
 
-$lines .= '"' . "\n";
-print $lines;
+my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
+
+$lines =~ s/managed-keys/trusted-keys/;
+$lines =~ s/\s+initial-key//;
+my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
+
+print $tkey;
+print "\n";
+print $mkey;
diff --git a/bin/named/config.c b/bin/named/config.c
index ef64482670..3d72c5573d 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.100 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: config.c,v 1.101 2009/09/01 07:14:25 each Exp $ */
 
 /*! \file */
 
@@ -248,12 +248,12 @@ view \"_meta\" in {\n\
 #  (used if \"dnssec-lookaside auto;\" is set and\n\
 #  sysconfdir/bind.keys doesn't exist).\n\
 #\n\
-# BEGIN TRUSTED KEYS\n"
+# BEGIN MANAGED KEYS\n"
 
 /* Imported from bind.keys.h: */
-TRUSTED_KEYS
+MANAGED_KEYS
 
-"# END TRUSTED KEYS\n\
+"# END MANAGED KEYS\n\
 ";
 
 isc_result_t
diff --git a/bin/named/server.c b/bin/named/server.c
index b4a1a8cf06..dbde146eaa 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.543 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: server.c,v 1.544 2009/09/01 07:14:25 each Exp $ */
 
 /*! \file */
 
@@ -475,6 +475,20 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	keyname = dns_fixedname_name(&fkeyname);
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 
+        if (managed) {
+                const char *initmethod;
+                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+                if (strcmp(initmethod, "initial-key") != 0) {
+                        cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+                                    "managed key '%s': "
+                                    "invalid initialization method '%s'",
+                                    keynamestr, initmethod);
+                        result = ISC_R_FAILURE;
+                        goto cleanup;
+                }
+        }
+
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
diff --git a/bind.keys b/bind.keys
index 0f14287da8..a54ad97791 100644
--- a/bind.keys
+++ b/bind.keys
@@ -1,5 +1,5 @@
-trusted-keys {
+managed-keys {
         # NOTE: This key expires September 2009 
         # Go to https://www.isc.org/solutions/dlv to download a replacement
-	dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
+	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
 };
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 1c94c42435..f4f7785517 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -2486,7 +2486,8 @@ allow-update { key host1-host2. ;};
 	  dnssec-validation options must both be
           set to yes (the default setting in BIND 9.5
           and later), and at least one trust anchor must be configured
-          with a trusted-keys statement in
+          with a trusted-keys or
+          managed-keys statement in
           named.conf.
         
 	  
@@ -2500,7 +2501,14 @@ allow-update { key host1-host2. ;};
 	
 
 	
-	  trusted-keys are described in more detail
+	  managed-keys are trusted keys which are
+          automatically kept up to date via RFC 5011 trust anchor
+          maintenance.
+	
+
+	
+	  trusted-keys and
+          managed-keys are described in more detail
 	  later in this document.
 	
 
@@ -2517,54 +2525,55 @@ allow-update { key host1-host2. ;};
 	  more public keys for the root.  This allows answers from
 	  outside the organization to be validated.  It will also
 	  have several keys for parts of the namespace the organization
-	  controls.  These are here to ensure that named is immune
-	  to compromises in the DNSSEC components of the security
-	  of parent zones.
+          controls.  These are here to ensure that named
+          is immune to compromises in the DNSSEC components of the security
+          of parent zones.
 	
 
 
-trusted-keys {
-
+managed-keys {
 	/* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
-             JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
-             aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
-             4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
-             hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
-             5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
-             g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
-             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
-             97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
-             dgxbcDTClU0CRBdiieyLMNzXG3";
+        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+                                 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+                                 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+                                 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+                                 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+                                 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+                                 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+                                 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+                                 dgxbcDTClU0CRBdiieyLMNzXG3";
+};
 
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
-                      5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
-                      GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
-                      4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
-                      kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
-                      g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
-                      TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
-                      FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
-                      F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
-                      /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
-                      1OTQ09A0=";
+trusted-keys {
+        /* Key for our organization's forward zone */
+        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+                              5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+                              GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+                              4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+                              kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+                              g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+                              TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+                              FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+                              F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+                              /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+                              1OTQ09A0=";
 
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
-                               xOdNax071L18QqZnQQQAVVr+i
-                               LhGTnNGp3HoWQLUIzKrJVZ3zg
-                               gy3WwNT6kZo6c0tszYqbtvchm
-                               gQC8CzKojM/W16i6MG/eafGU3
-                               siaOdS0yOI6BgPsw+YZdzlYMa
-                               IJGf4M4dyoKIhzdZyQ2bYQrjy
-                               Q4LB0lC7aOnsMyYKHHYeRvPxj
-                               IQXmdqgOJGq+vsevG06zW+1xg
-                               YJh9rCIfnm1GX/KMgxLPG2vXT
-                               D/RnLX+D3T3UL7HJYHJhAZD5L
-                               59VvjSPsZJHeDCUyWYrvPZesZ
-                               DIRvhDD52SKvbheeTJUm6Ehkz
-                               ytNN2SN96QRk8j/iI8ib";
+        /* Key for our reverse zone. */
+        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+                                       xOdNax071L18QqZnQQQAVVr+i
+                                       LhGTnNGp3HoWQLUIzKrJVZ3zg
+                                       gy3WwNT6kZo6c0tszYqbtvchm
+                                       gQC8CzKojM/W16i6MG/eafGU3
+                                       siaOdS0yOI6BgPsw+YZdzlYMa
+                                       IJGf4M4dyoKIhzdZyQ2bYQrjy
+                                       Q4LB0lC7aOnsMyYKHHYeRvPxj
+                                       IQXmdqgOJGq+vsevG06zW+1xg
+                                       YJh9rCIfnm1GX/KMgxLPG2vXT
+                                       D/RnLX+D3T3UL7HJYHJhAZD5L
+                                       59VvjSPsZJHeDCUyWYrvPZesZ
+                                       DIRvhDD52SKvbheeTJUm6Ehkz
+                                       ytNN2SN96QRk8j/iI8ib";
 };
 
 options {
@@ -3494,6 +3503,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
                 
               
             
+            
+              
+                managed-keys
+              
+              
+                
+                  lists DNSSEC keys to be kept up to date
+                  using RFC 5011 trust anchor maintenance.
+                
+              
+            
             
               
                 view
@@ -5495,7 +5515,8 @@ options {
                 they are secure.  If no, then normal
                 DNSSEC validation applies allowing for insecure answers to
                 be accepted.  The specified domain must be under a
-                trusted-key or
+                trusted-keys or
+                managed-keys statement, or
                 dnssec-lookaside must be active.
               
             
@@ -9017,11 +9038,112 @@ deny-answer-aliases { "example.net"; };
 	    level are inherited by all views, but keys defined in a view
 	    are only used within that view.
 	  
+	
+
+        
+          <command>managed-keys</command> Statement Grammar
+
+managed-keys {
+    string initial-key number number number string ;
+     string initial-key number number number string ; ...
+};
+
+
+        
+	
+	  <command>managed-keys</command> Statement Definition
+	    and Usage
 	  
-	    In addition to keys specified in
-	    trusted-keys statements, if the
-	    dnssec-lookaside option is set to "auto",
-	    named will also load a built-in trusted key for dlv.isc.org.
+	    The managed-keys statement, like 
+            trusted-keys, defines DNSSEC
+            security roots.  The difference is that
+            managed-keys can be kept up to date
+            automatically, without intervention from the resolver
+            operator.
+	  
+	  
+            Suppose, for example, that a zone's key-signing
+            key was compromised, and the zone owner had to revoke and
+            replace the key.  A resolver which had the old key in a
+            trusted-keys statement would be
+            unable to validate this zone any longer; it would
+            reply with a SERVFAIL response code.  This would
+            continue until the resolver operator had updated the
+            trusted-keys statement with the new key.
+	  
+	  
+            If, however, the zone were listed in a
+            managed-keys statement instead, then the
+            zone owner could add a "stand-by" key to the zone in advance.
+            named would store the stand-by key, and
+            when the original key was revoked, named
+            would be able to transition smoothly to the new key.  It would
+            also recognize that the old key had been revoked, and cease
+            using that key to validate answers, minimizing the damage that
+            the compromised key could do.
+	  
+          
+            A managed-keys statement contains a list of
+            the keys to be managed, along with information about how the
+            keys are to be initialized for the first time.  The only
+            initialization method currently supported (as of
+            BIND 9.7.0) is initial-key.
+            This means the managed-keys statement must
+            contain a copy of the initializing key.  (Future releases may
+            allow keys to be initialized by other methods, eliminating this
+            requirement.)
+	  
+          
+            Consequently, a managed-keys statement
+            appears similar to a trusted-keys, differing
+            in the presence of the second field, containing the keyword
+            initial-key.  The difference is, whereas the
+            keys listed in a trusted-keys continue to be
+            trusted until they are removed from
+            named.conf, an initializing key listed 
+            in a managed-keys statement is only trusted
+            once: for as long as it takes to load the
+            managed key database and start the RFC 5011 key maintenance
+            process.
+	  
+          
+            The first time named runs with a managed key
+            configured in named.conf, it fetches the
+            DNSKEY RRset directly from the zone apex, and validates it
+            using the key specified in the managed-keys
+            statement.  If the DNSKEY RRset is validly signed, then it is
+            used as the basis for a new managed keys database.
+	  
+          
+            From that point on, whenever named runs, it
+            sees the managed-keys statement, checks to
+            make sure RFC 5011 key maintenance has already been initialized
+            for the specified domain, and if so, it simply moves on.  The
+            key specified in the managed-keys is not
+            used to validate answers; it has been superseded by the key or
+            keys stored in the managed keys database.
+          
+          
+            The first name named runs after a name
+            has been removed from the
+            managed-keys statement, the corresponding
+            zone will be removed from the managed keys database,
+            and RFC 5011 key maintenance will no longer be used for that
+            domain.
+	  
+	  
+	    named only maintains a single managed keys
+            database; consequently, unlike trusted-keys,
+            managed-keys may only be set at the top
+            level of named.conf, not within a view.
+	  
+	  
+	    If the dnssec-lookaside option is set to
+            "auto", named will automatically initialize
+            a managed key for the zone dlv.isc.org.  The
+            key that is used to initialize the key maintenance process is
+            built into named, and can be overridden
+            from bindkeys-file.
 	  
 	
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index c8b433099e..aef85edddd 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.103 2009/07/29 17:52:00 each Exp $ */
+/* $Id: namedconf.c,v 1.104 2009/09/01 07:14:26 each Exp $ */
 
 /*! \file */
 
@@ -428,7 +428,7 @@ static cfg_type_t cfg_type_category = {
 
 
 /*%
- * A dnssec key, as used in the "trusted-keys" or "managed-keys" statement.
+ * A dnssec key, as used in the "trusted-keys" statement.
  */
 static cfg_tuplefielddef_t dnsseckey_fields[] = {
 	{ "name", &cfg_type_astring, 0 },
@@ -443,6 +443,24 @@ static cfg_type_t cfg_type_dnsseckey = {
 	&cfg_rep_tuple, dnsseckey_fields
 };
 
+/*%
+ * A managed key initialization specifier, as used in the
+ * "managed-keys" statement.
+ */
+static cfg_tuplefielddef_t managedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "init", &cfg_type_ustring, 0 },   /* must be literal "initial-key" */
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_managedkey = {
+	"managedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, managedkey_fields
+};
+
 static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
 
 static cfg_type_t cfg_type_optional_wild_class = {
@@ -530,12 +548,25 @@ static cfg_type_t cfg_type_keylist = {
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
 };
 
-/*% A list of dnssec keys, as in "trusted-keys" and "managed-keys" stanzas */
+/*% A list of dnssec keys, as in "trusted-keys" */
 static cfg_type_t cfg_type_dnsseckeys = {
 	"dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
 };
 
+/*%
+ * A list of managed key entries, as in "trusted-keys".  Currently
+ * (9.7.0) this has a format similar to dnssec keys, except the keyname
+ * is followed by the keyword "initial-key".  In future releases, this
+ * keyword may take other values indicating different methods for the
+ * key to be initialized.
+ */
+
+static cfg_type_t cfg_type_managedkeys = {
+	"managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
+};
+
 static const char *forwardtype_enums[] = { "first", "only", NULL };
 static cfg_type_t cfg_type_forwardtype = {
 	"forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
@@ -762,7 +793,7 @@ namedconf_or_view_clauses[] = {
 	{ "dlz", &cfg_type_dynamically_loadable_zones, 0 },
 	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
 	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
 
@@ -772,7 +803,7 @@ namedconf_or_view_clauses[] = {
 static cfg_clausedef_t
 bindkeys_clauses[] = {
 	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
-	{ "managed-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
 

From 965b6e2a1baeb464db049134334321782052dde3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 08:12:33 +0000
Subject: [PATCH 063/385] fixed trivial errors about the type of function
 return values

---
 lib/isc/app_api.c     | 4 ++--
 lib/isc/timer.c       | 4 ++--
 lib/isc/unix/socket.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/isc/app_api.c b/lib/isc/app_api.c
index 80ebd2ba88..82940c3ef6 100644
--- a/lib/isc/app_api.c
+++ b/lib/isc/app_api.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: app_api.c,v 1.4 2009/09/01 08:12:33 jinmei Exp $ */
 
 #include 
 
@@ -108,7 +108,7 @@ void
 isc_app_ctxfinish(isc_appctx_t *ctx) {
 	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
 
-	return (ctx->methods->ctxfinish(ctx));
+	ctx->methods->ctxfinish(ctx);
 }
 
 void
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 4a715e1638..327620b2be 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.90 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: timer.c,v 1.91 2009/09/01 08:12:33 jinmei Exp $ */
 
 /*! \file */
 
@@ -133,7 +133,7 @@ ISC_TIMERFUNC_SCOPE isc_result_t
 isc__timer_reset(isc_timer_t *timer, isc_timertype_t type,
 		 isc_time_t *expires, isc_interval_t *interval,
 		 isc_boolean_t purge);
-ISC_TIMERFUNC_SCOPE isc_result_t
+ISC_TIMERFUNC_SCOPE isc_timertype_t
 isc__timer_gettype(isc_timer_t *timer);
 ISC_TIMERFUNC_SCOPE isc_result_t
 isc__timer_touch(isc_timer_t *timer);
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 0edac59716..66ad903901 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.320 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: socket.c,v 1.321 2009/09/01 08:12:33 jinmei Exp $ */
 
 /*! \file */
 
@@ -501,7 +501,7 @@ isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 		    isc_socketevent_t *event, unsigned int flags);
 ISC_SOCKETFUNC_SCOPE void
 isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active);
-ISC_SOCKETFUNC_SCOPE isc_boolean_t
+ISC_SOCKETFUNC_SCOPE isc_result_t
 isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
 		     isc_uint32_t owner, isc_uint32_t group);
 ISC_SOCKETFUNC_SCOPE isc_result_t

From 44de0b1f7d9997aaf6092589c4c7da4a1df908db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 17:36:51 +0000
Subject: [PATCH 064/385] 2666.	[func]		Added an 'options' argument to
 dns_name_fromstring() 			(API change from 9.7.0a2). [RT #20196]

---
 CHANGES                    |  3 +++
 bin/named/server.c         |  4 +--
 lib/dns/include/dns/name.h | 52 +++++---------------------------------
 lib/dns/name.c             | 36 +++++---------------------
 4 files changed, 18 insertions(+), 77 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0bfb605f6f..ba70d925d3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2666.	[func]		Added an 'options' argument to dns_name_fromstring()
+			(API change from 9.7.0a2). [RT #20196]
+
 2665.	[func]		Clarify syntax for managed-keys {} statement, add
 			ARM documentation about RFC 5011 support. [RT #19874]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index dbde146eaa..5e94ccd262 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.544 2009/09/01 07:14:25 each Exp $ */
+/* $Id: server.c,v 1.545 2009/09/01 17:36:51 jinmei Exp $ */
 
 /*! \file */
 
@@ -2901,7 +2901,7 @@ add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
 	CHECK(dns_zone_create(&zone, mctx));
 
 	dns_name_init(&zname, NULL);
-	CHECK(dns_name_fromstring(&zname, KEYZONE, mctx));
+	CHECK(dns_name_fromstring(&zname, KEYZONE, 0, mctx));
 	CHECK(dns_zone_setorigin(zone, &zname));
 	dns_name_free(&zname, mctx);
 
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index bd81d037ad..8608ef3869 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.131 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: name.h,v 1.132 2009/09/01 17:36:51 jinmei Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -1157,50 +1157,17 @@ dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
  */
 
 isc_result_t
-dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx);
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx);
 /*%<
  * Convert a string to a name and place it in target, allocating memory
- * as necessary.
- *
- * Returns:
- *
- *\li	#ISC_R_SUCCESS
- *
- *\li	Any error that dns_name_fromtext() can return.
- *
- *\li	Any error that dns_name_dup() can return.
- */
-
-isc_result_t
-dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
-/*%<
- * Convert 'name' to string format, allocating sufficient memory to
- * hold it (free with isc_mem_free()).
- *
- * Differs from dns_name_format in that it allocates its own memory.
- *
- * Requires:
- *
- *\li	'name' is a valid name.
- *\li	'target' is not NULL.
- *\li	'*target' is NULL.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any error that dns_name_totext() can return.
- */
-
-isc_result_t
-dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx);
-/*%<
- * Convert a string to a name and place it in target, allocating memory
- * as necessary.
+ * as necessary.  'options' has the same semantics as that of
+ * dns_name_fromtext().
  *
  * Requires:
  *
  * \li	'target' is a valid name that is not read-only.
+ * \li	'src' is not NULL.
  *
  * Returns:
  *
@@ -1300,13 +1267,6 @@ dns_name_destroy(void);
  * non-NULL argument prior to calling dns_name_destroy();
  */
 
-isc_result_t
-dns_name_fromstr(dns_name_t *name, const char *source, const char *origin,
-		 unsigned int options, isc_buffer_t *target);
-/*%<
- * TBD
- */
-
 ISC_LANG_ENDDECLS
 
 /*
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 1102ea166a..fc7d5be34a 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.168 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: name.c,v 1.169 2009/09/01 17:36:51 jinmei Exp $ */
 
 /*! \file */
 
@@ -1019,32 +1019,6 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r) {
 	DNS_NAME_TOREGION(name, r);
 }
 
-isc_result_t
-dns_name_fromstr(dns_name_t *name, const char *source, const char *origin,
-		 unsigned int options, isc_buffer_t *target)
-{
-	dns_name_t *o;
-	dns_fixedname_t fixed;
-	isc_buffer_t b;
-	isc_result_t result;
-
-	REQUIRE(source != NULL);
-	if (origin != NULL) {
-		isc_buffer_init(&b, origin, strlen(origin));
-		isc_buffer_add(&b, strlen(origin));
-		dns_fixedname_init(&fixed);
-		o = dns_fixedname_name(&fixed);
-		result = dns_name_fromtext(o, &b, dns_rootname, options, NULL);
-		if (result != ISC_R_SUCCESS)
-			return(result);
-	} else
-		o = dns_rootname;
-	
-	isc_buffer_init(&b, source, strlen(source));
-	isc_buffer_add(&b, strlen(source));
-	return (dns_name_fromtext(name, &b, o, options, target));
-}
-
 isc_result_t
 dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 		  dns_name_t *origin, unsigned int options,
@@ -2399,18 +2373,22 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
  * allocating memory as needed
  */
 isc_result_t
-dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx) {
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx)
+{
 	isc_result_t result;
 	isc_buffer_t buf;
 	dns_fixedname_t fn;
 	dns_name_t *name;
 
+	REQUIRE(src != NULL);
+
 	isc_buffer_init(&buf, src, strlen(src));
 	isc_buffer_add(&buf, strlen(src));
 	dns_fixedname_init(&fn);
 	name = dns_fixedname_name(&fn);
 
-	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+	result = dns_name_fromtext(name, &buf, dns_rootname, options, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 

From 588f79e557cd66ef77c90378a997b0d377af9db7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 17:54:16 +0000
Subject: [PATCH 065/385] fixed build error on hpux due to gai_strerror()
 prototype mismatch [RT #20194]

---
 config.h.in            |  5 ++++-
 configure.in           | 18 +++++++++++++++++-
 lib/irs/gai_strerror.c |  4 ++--
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/config.h.in b/config.h.in
index e4cdc9b9df..009515ef7f 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.118 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: config.h.in,v 1.119 2009/09/01 17:54:16 jinmei Exp $ */
 
 /*! \file */
 
@@ -298,6 +298,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to the flags type used by getnameinfo(3). */
 #undef IRS_GETNAMEINFO_FLAGS_T
 
+/* Define to the return type of gai_strerror(3). */
+#undef IRS_GAISTRERROR_RETURN_T
+
 /* Define if connect does not honour the permission on the UNIX domain socket.
    */
 #undef NEED_SECURE_DIRECTORY
diff --git a/configure.in b/configure.in
index 7f5bd3c135..11e79a334d 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.474 $)
+AC_REVISION($Revision: 1.475 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1876,6 +1876,22 @@ int getnameinfo(const struct sockaddr *, socklen_t, char *,
 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])
 
+#
+# ...and same for gai_strerror().
+#
+AC_MSG_CHECKING(for gai_strerror prototype definitions)
+AC_TRY_COMPILE([
+#include 
+#include 
+#include 
+char *gai_strerror(int ecode);],
+[ return (0); ],
+	[AC_MSG_RESULT(returning char *)
+	 AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [char *],
+	 [return type of gai_srerror])],
+[AC_MSG_RESULT(not match any subspecies; assume standard definition)])
+AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [const char *])
+
 AC_CHECK_FUNC(getipnodebyname,
 	[ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
 	[ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
index edae6613a8..df8bf024d4 100644
--- a/lib/irs/gai_strerror.c
+++ b/lib/irs/gai_strerror.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: gai_strerror.c,v 1.4 2009/09/01 17:54:16 jinmei Exp $ */
 
 /*! \file gai_strerror.c
  * gai_strerror() returns an error message corresponding to an
@@ -78,7 +78,7 @@ static const char *gai_messages[] = {
  * Returns an error message corresponding to an error code returned by
  * getaddrinfo() and getnameinfo()
  */
-const char *
+IRS_GAISTRERROR_RETURN_T
 gai_strerror(int ecode) {
 	union {
 		const char *const_ptr;

From 11254f9c5ac319062fe68c9f0ac7fb5efeef5b47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 17:55:07 +0000
Subject: [PATCH 066/385] regen

---
 configure | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 82162081b4..e2ed74b270 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.460 2009/09/01 01:59:57 marka Exp $
+# $Id: configure,v 1.461 2009/09/01 17:55:07 jinmei Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.474 .
+# From configure.in Revision: 1.475 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -27504,6 +27504,68 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
+#
+# ...and same for gai_strerror().
+#
+{ echo "$as_me:$LINENO: checking for gai_strerror prototype definitions" >&5
+echo $ECHO_N "checking for gai_strerror prototype definitions... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include 
+#include 
+#include 
+char *gai_strerror(int ecode);
+int
+main ()
+{
+ return (0);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: returning char *" >&5
+echo "${ECHO_T}returning char *" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define IRS_GAISTRERROR_RETURN_T char *
+_ACEOF
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	{ echo "$as_me:$LINENO: result: not match any subspecies; assume standard definition" >&5
+echo "${ECHO_T}not match any subspecies; assume standard definition" >&6; }
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+cat >>confdefs.h <<\_ACEOF
+#define IRS_GAISTRERROR_RETURN_T const char *
+_ACEOF
+
+
 { echo "$as_me:$LINENO: checking for getipnodebyname" >&5
 echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_getipnodebyname+set}" = set; then

From a27fe4c990f96bd792f2a07ca4d38c78d5b9df2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 18:40:25 +0000
Subject: [PATCH 067/385] 2667.	[func]		Add support for logging stack
 backtrace on assertion 			failure (not available for all
 platforms). [RT #19780] 9.7.0

---
 CHANGES                           |   3 +
 bin/check/Makefile.in             |  18 +-
 bin/confgen/Makefile.in           |  15 +-
 bin/dig/Makefile.in               |  18 +-
 bin/dnssec/Makefile.in            |  21 ++-
 bin/named/Makefile.in             |  16 +-
 bin/named/main.c                  |  83 ++++++++-
 bin/nsupdate/Makefile.in          |   8 +-
 bin/rndc/Makefile.in              |  13 +-
 bin/tests/Makefile.in             |  37 +++-
 bin/tests/backtrace_test.c        |  95 ++++++++++
 bin/tools/Makefile.in             |  17 +-
 config.h.in                       |   5 +-
 configure.in                      |  51 +++++-
 lib/isc/Makefile.in               |  29 ++-
 lib/isc/assertions.c              |  41 ++++-
 lib/isc/backtrace-emptytbl.c      |  32 ++++
 lib/isc/backtrace.c               | 285 ++++++++++++++++++++++++++++++
 lib/isc/include/isc/backtrace.h   | 131 ++++++++++++++
 lib/isc/include/isc/platform.h.in |   7 +-
 lib/isc/include/isc/types.h       |   3 +-
 make/rules.in                     |  87 ++++++++-
 22 files changed, 946 insertions(+), 69 deletions(-)
 create mode 100644 bin/tests/backtrace_test.c
 create mode 100644 lib/isc/backtrace-emptytbl.c
 create mode 100644 lib/isc/backtrace.c
 create mode 100644 lib/isc/include/isc/backtrace.h

diff --git a/CHANGES b/CHANGES
index ba70d925d3..c7bae302eb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2667.	[func]		Add support for logging stack backtrace on assertion
+			failure (not available for all platforms). [RT #19780]
+
 2666.	[func]		Added an 'options' argument to dns_name_fromstring()
 			(API change from 9.7.0a2). [RT #20196]
 
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 488a143d83..39af25cbe8 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.33 2009/09/01 00:22:24 jinmei Exp $
+# $Id: Makefile.in,v 1.34 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -32,6 +32,7 @@ CWARNINGS =
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
@@ -39,7 +40,8 @@ ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
 BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 
-LIBS =		@LIBS@
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
 
 SUBDIRS =
 
@@ -69,14 +71,14 @@ named-checkzone.@O@: named-checkzone.c
 
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
 		${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
-	${DNSLIBS} ${ISCLIBS} ${LIBS}
+	export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+	export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
 
 named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
-	${ISCLIBS} ${LIBS}
+	export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+	export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index be9fc385b8..5bfdc6adfe 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2009/09/01 00:22:24 jinmei Exp $
+# $Id: Makefile.in,v 1.6 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -43,7 +43,10 @@ BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
 RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
 
-CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
 CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
 SRCS=		rndc-confgen.c ddns-confgen.c
@@ -71,12 +74,12 @@ ddns-confgen.@O@: ddns-confgen.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
 
 rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ keygen.@O@ \
-		${UOBJS} ${CONFLIBS}
+	export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ddns-confgen.@O@ util.@O@ keygen.@O@ \
-		${UOBJS} ${CONFLIBS}
+	export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index ad8f2e8d98..ee57ce2dcb 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.42 2009/09/01 00:22:24 jinmei Exp $
+# $Id: Makefile.in,v 1.43 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -33,6 +33,7 @@ ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
@@ -47,6 +48,9 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
 		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
 
+NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCNOSYMLIBS} \
+		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
+
 SUBDIRS =
 
 TARGETS =	dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
@@ -66,16 +70,16 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 @BIND9_MAKE_RULES@
 
 dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+	export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+	export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+	export BASEOBJS="nslookup.@O@ dighost.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index ef4bedbcf5..2af3838fa8 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.39 2009/09/01 00:22:24 jinmei Exp $
+# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -30,6 +30,7 @@ CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
@@ -38,6 +39,8 @@ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
+NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
 # Alphabetically
 TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
 		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
@@ -60,24 +63,24 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 @BIND9_MAKE_RULES@
 
 dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
 
 dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
 
 dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-keygen.@O@ ${OBJS} ${LIBS}
+	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
 
 dnssec-signzone.@O@: dnssec-signzone.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/dnssec-signzone.c
 
 dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	dnssec-signzone.@O@ ${OBJS} ${LIBS}
+	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+	${FINALBUILDCMD}
 
 dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index cd2a0247ae..a5cbc1e4d6 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.105 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -53,6 +53,7 @@ DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
@@ -70,6 +71,10 @@ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
 		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
+NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+
 SUBDIRS =	unix
 
 TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
@@ -86,10 +91,12 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 
 UOBJS =		unix/os.@O@
 
+SYMOBJS =	symtbl.@O@
+
 SRCS =		builtin.c client.c config.c control.c \
 		controlconf.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
-		query.c server.c sortlist.c statschannel.c \
+		query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -122,8 +129,9 @@ config.@O@: config.c bind.keys.h
 		-c ${srcdir}/config.c
 
 named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-	${OBJS} ${UOBJS} ${LIBS}
+	export MAKE_SYMTABLE="yes"; \
+	export BASEOBJS="${OBJS} ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 lwresd@EXEEXT@: named@EXEEXT@
 	rm -f lwresd@EXEEXT@
diff --git a/bin/named/main.c b/bin/named/main.c
index a05daf15df..b0f0514133 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.172 2009/05/07 09:33:52 fdupont Exp $ */
+/* $Id: main.c,v 1.173 2009/09/01 18:40:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -26,6 +26,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -81,6 +82,13 @@
 #include 
 #endif
 
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif
+
 static isc_boolean_t	want_stats = ISC_FALSE;
 static char		program_name[ISC_DIR_NAMEMAX] = "named";
 static char		absolute_conffile[ISC_DIR_PATHMAX];
@@ -134,6 +142,12 @@ static void
 assertion_failed(const char *file, int line, isc_assertiontype_t type,
 		 const char *cond)
 {
+	void *tracebuf[BACKTRACE_MAXFRAME];
+	int i, nframes;
+	isc_result_t result;
+	const char *logsuffix = "";
+	const char *fname;
+
 	/*
 	 * Handle assertion failures.
 	 */
@@ -145,10 +159,40 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
 		 */
 		isc_assertion_setcallback(NULL);
 
+		result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME,
+						&nframes);
+		if (result == ISC_R_SUCCESS && nframes > 0)
+			logsuffix = ", back trace";
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
-			      "%s:%d: %s(%s) failed", file, line,
-			      isc_assertion_typetotext(type), cond);
+			      "%s:%d: %s(%s) failed%s", file, line,
+			      isc_assertion_typetotext(type), cond, logsuffix);
+		if (result == ISC_R_SUCCESS) {
+			for (i = 0; i < nframes; i++) {
+				unsigned long offset;
+
+				fname = NULL;
+				result = isc_backtrace_getsymbol(tracebuf[i],
+								 &fname,
+								 &offset);
+				if (result == ISC_R_SUCCESS) {
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_MAIN,
+						      ISC_LOG_CRITICAL,
+						      "#%d %p in %s()+0x%lx", i,
+						      tracebuf[i], fname,
+						      offset);
+				} else {
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_MAIN,
+						      ISC_LOG_CRITICAL,
+						      "#%d %p in ??", i,
+						      tracebuf[i]);
+				}
+			}
+		}
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
 			      "exiting (due to assertion failure)");
@@ -584,6 +628,34 @@ destroy_managers(void) {
 	isc_hash_destroy();
 }
 
+static void
+dump_symboltable() {
+	int i;
+	isc_result_t result;
+	const char *fname;
+	const void *addr;
+
+	if (isc__backtrace_nsymbols == 0)
+		return;
+
+	if (!isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(99)))
+		return;
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+		      ISC_LOG_DEBUG(99), "Symbol table:");
+
+	for (i = 0, result = ISC_R_SUCCESS; result == ISC_R_SUCCESS; i++) {
+		addr = NULL;
+		fname = NULL;
+		result = isc_backtrace_getsymbolfromindex(i, &addr, &fname);
+		if (result == ISC_R_SUCCESS) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_MAIN, ISC_LOG_DEBUG(99),
+				      "[%d] %p %s", i, addr, fname);
+		}
+	}
+}
+
 static void
 setup(void) {
 	isc_result_t result;
@@ -691,6 +763,8 @@ setup(void) {
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
 
+	dump_symboltable();
+
 	/*
 	 * Get the initial resource limits.
 	 */
@@ -902,6 +976,9 @@ main(int argc, char *argv[]) {
 	if (strcmp(program_name, "lwresd") == 0)
 		ns_g_lwresdonly = ISC_TRUE;
 
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("failed to build internal symbol table");
+
 	isc_assertion_setcallback(assertion_failed);
 	isc_error_setfatal(library_fatal_error);
 	isc_error_setunexpected(library_unexpected_error);
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index 00d0fbd23e..b2ce180684 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.33 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.34 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -33,6 +33,7 @@ LWRESLIBS =	../../lib/lwres/liblwres.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
@@ -45,6 +46,8 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 
+NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCNOSYMLIBS} ${ISCCFGLIBS} @LIBS@
+
 SUBDIRS =
 
 TARGETS =	nsupdate@EXEEXT@
@@ -69,7 +72,8 @@ nsupdate.@O@: nsupdate.c
 		-c ${srcdir}/nsupdate.c
 
 nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
+	export BASEOBJS="nsupdate.@O@ ${UOBJS}"; \
+	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index 6ec10ba7d3..3334e445b6 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.47 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.48 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -32,6 +32,7 @@ CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
@@ -41,10 +42,11 @@ ISCDEPLIBS =	../../lib/isc/libisc.@A@
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
 
-RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
+
 RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
 
-CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
 CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
 SRCS=		rndc.c
@@ -67,8 +69,9 @@ rndc.@O@: rndc.c
 		-c ${srcdir}/rndc.c
 
 rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
-		${RNDCLIBS}
+	export BASEOBJS="rndc.@O@ util.@O@"; \
+	export LIBS0="${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS}"; \
+	${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
 
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index 20f1206046..4dbdb78d6f 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.135 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.136 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -29,11 +29,13 @@ CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCDEPNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 
@@ -52,6 +54,8 @@ TARGETS =	cfg_test@EXEEXT@
 # Alphabetically
 XTARGETS =	adb_test@EXEEXT@ \
 		byaddr_test@EXEEXT@ \
+		backtrace_test@EXEEXT@ \
+		backtrace_test_nosymtbl@EXEEXT@ \
 		byname_test@EXEEXT@ \
 		compress_test@EXEEXT@ \
 		db_test@EXEEXT@ \
@@ -91,6 +95,7 @@ SRCS =		cfg_test.c ${XSRCS}
 
 XSRCS =		adb_test.c \
 		byaddr_test.c \
+		backtrace_test.c \
 		byname_test.c \
 		compress_test.c \
 		db_test.c \
@@ -128,12 +133,41 @@ XSRCS =		adb_test.c \
 
 @BIND9_MAKE_RULES@
 
+# disable optimization for backtrace test to get the expected result	
+BTTEST_CFLAGS =	${EXT_CFLAGS} ${ALL_CPPFLAGS} -g ${ALWAYS_WARNINGS} \
+	${STD_CWARNINGS} ${CWARNINGS}
+
 all_tests: ${XTARGETS}
 
 adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
+backtrace_test_nosymtbl@EXEEXT@: backtrace_test.c ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} -o $@ \
+	backtrace_test.c ${ISCLIBS} ${LIBS}
+
+backtrace_test@EXEEXT@: backtrace_test_nosymtbl@EXEEXT@
+	#first step: create a first symbol table
+	rm -f symtbl.c
+	if test X${MKSYMTBL_PROGRAM} != X; then \
+	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl $<; else \
+	cp ${top_srcdir}/lib/isc/backtrace-emptytbl.c symtbl.c; fi
+	#second step: build a binary with the first symbol table
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} \
+	-o $@0 backtrace_test.c symtbl.c \
+	${ISCNOSYMLIBS} ${LIBS}
+	rm -f symtbl.c
+	#third step: create a second symbol table
+	if test X${MKSYMTBL_PROGRAM} != X; then \
+	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl $@0; else \
+	cp ${top_srcdir}/lib/isc/backtrace-emptytbl.c symtbl.c; fi
+	#fourth step: build the final binary
+	rm -f $@0
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} \
+	-o $@ backtrace_test.c symtbl.c ${ISCNOSYMLIBS} ${LIBS}
+	rm -f symtbl.c
+
 nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsecify.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
@@ -280,6 +314,7 @@ distclean::
 clean distclean::
 	rm -f ${TARGETS} ${XTARGETS}
 	rm -f t_journal
+	rm -f backtrace_test_symtbl.c
 
 check: test
 
diff --git a/bin/tests/backtrace_test.c b/bin/tests/backtrace_test.c
new file mode 100644
index 0000000000..f2f27eaa58
--- /dev/null
+++ b/bin/tests/backtrace_test.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace_test.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+const char *expected_symbols[] = {
+	"func3",
+	"func2",
+	"func1",
+	"main"
+};
+
+static int
+func3() {
+	void *tracebuf[16];
+	int i, nframes;
+	int error = 0;
+	const char *fname;
+	isc_result_t result;
+	unsigned long offset;
+
+	result = isc_backtrace_gettrace(tracebuf, 16, &nframes);
+	if (result != ISC_R_SUCCESS) {
+		printf("isc_backtrace_gettrace failed: %s\n",
+		       isc_result_totext(result));
+		return (1);
+	}
+		
+	if (nframes < 4)
+		error++;
+	
+	for (i = 0; i < 4 && i < nframes; i++) {
+		fname = NULL;
+		result = isc_backtrace_getsymbol(tracebuf[i], &fname, &offset);
+		if (result != ISC_R_SUCCESS) {
+			error++;
+			continue;
+		}
+		if (strcmp(fname, expected_symbols[i]) != 0)
+			error++;
+	}
+
+	if (error) {
+		printf("Unexpected result:\n");
+		printf("  # of frames: %d (expected: at least 4)\n", nframes);
+		printf("  symbols:\n");
+		for (i = 0; i < nframes; i++) {
+			fname = NULL;
+			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+							 &offset);
+			if (result == ISC_R_SUCCESS)
+				printf("  [%d] %s\n", i, fname);
+			else {
+				printf("  [%d] getsymbol failed: %s\n", i,
+				       isc_result_totext(result));
+			}
+		}
+	}
+
+	return (error);
+}
+
+static int
+func2() {
+	return (func3());
+}
+
+static int
+func1() {
+	return (func2());
+}
+
+int
+main() {
+	return (func1());
+}
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 90a7b9eac9..0ed7b66e45 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8 2009/09/01 00:22:26 jinmei Exp $
+# $Id: Makefile.in,v 1.9 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -28,6 +28,7 @@ CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
@@ -36,7 +37,8 @@ ISCDEPLIBS =	../../lib/isc/libisc.@A@
 ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 
-LIBS =		@LIBS@
+LIBS =		${ISCLIBS} @LIBS@
+NOSYMLIBS =	${ISCNOSYMLIBS} @LIBS@
 
 SUBDIRS = 
 
@@ -53,13 +55,16 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
 journalprint@EXEEXT@: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ journalprint.@O@ \
-		${DNSLIBS} ${ISCLIBS} ${LIBS}
+	export BASEOBJS="journalprint.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
 
 nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsec3hash.@O@ \
-	${DNSLIBS} ${ISCLIBS} ${LIBS}
+	export BASEOBJS="nsec3hash.@O@"; \
+	export LIBS0="${DNSLIBS}"; \
+	${FINALBUILDCMD}
 
 genrandom@EXEEXT@: genrandom.@O@
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
diff --git a/config.h.in b/config.h.in
index 009515ef7f..cc78c6d318 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.119 2009/09/01 17:54:16 jinmei Exp $ */
+/* $Id: config.h.in,v 1.120 2009/09/01 18:40:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -334,6 +334,9 @@ int sigwait(const unsigned int *set, int *sig);
    non-blocking. */
 #undef USE_FIONBIO_IOCTL
 
+/** define if the system have backtrace function. */
+#undef HAVE_LIBCTRACE
+
 /* define if idnkit support is to be included. */
 #undef WITH_IDN
 
diff --git a/configure.in b/configure.in
index 11e79a334d..f224951cc1 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.475 $)
+AC_REVISION($Revision: 1.476 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -111,6 +111,8 @@ AC_SUBST(ETAGS)
 
 #
 # Perl is optional; it is used only by some of the system test scripts.
+# Note: the backtrace feature (see below) uses perl to build the symbol table,
+# but it still compiles without perl, in which case an empty table will be used.
 #
 AC_PATH_PROGS(PERL, perl5 perl)
 AC_SUBST(PERL)
@@ -1306,6 +1308,53 @@ case $use_libtool in
 		;;
 esac
 
+#
+# enable/disable dumping stack backtrace.  Also check if the system supports
+# glibc-compatible backtrace() function.
+#
+AC_ARG_ENABLE(backtrace,
+[  --enable-backtrace      log stack backtrace on abort [[default=yes]]],
+	      want_backtrace="$enableval",  want_backtrace="yes")
+case $want_backtrace in
+yes)
+	ISC_PLATFORM_USEBACKTRACE="#define ISC_PLATFORM_USEBACKTRACE 1"
+	AC_TRY_LINK([#include ],
+	[return (backtrace((void **)0, 0));],
+	[AC_DEFINE([HAVE_LIBCTRACE], [], [if system have backtrace function])],)
+	;;
+*)
+	ISC_PLATFORM_USEBACKTRACE="#undef ISC_PLATFORM_USEBACKTRACE"
+	;;
+esac
+AC_SUBST(ISC_PLATFORM_USEBACKTRACE)
+
+AC_ARG_ENABLE(symtable,
+[  --enable-symtable       use internal symbol table for backtrace
+                          [[all|minimal(default)|none]]],
+		want_symtable="$enableval",  want_symtable="minimal")
+case $want_symtable in
+yes|all|minimal)
+	
+	if test "$PERL" == ""
+	then
+		AC_MSG_ERROR([Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable.])
+	fi
+	if test "$use_libtool" = "yes"; then
+		AC_MSG_WARN([Internal symbol table does not work with libtool.  Disabling symtbol table.])
+	else
+		MKSYMTBL_PROGRAM="$PERL"
+		if test $want_symtable = all; then
+			ALWAYS_MAKE_SYMTABLE="yes"
+		fi
+	fi
+	;;
+*)
+	;;
+esac
+AC_SUBST(MKSYMTBL_PROGRAM)
+AC_SUBST(ALWAYS_MAKE_SYMTABLE)
+
 #
 # File name extension for static archive files, for those few places
 # where they are treated differently from dynamic ones.
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ced0e64729..bbe3cd01e8 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.101 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.102 2009/09/01 18:40:25 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -50,8 +50,9 @@ WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 
 # Alphabetically
 OBJS =		@ISC_EXTRA_OBJS@ \
-		assertions.@O@ base32.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
-		bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
+		assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
+		bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \
+		error.@O@ event.@O@ \
 		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
 		httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
 		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
@@ -62,6 +63,7 @@ OBJS =		@ISC_EXTRA_OBJS@ \
 		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
 		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
 		timer.@O@ version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+SYMTBLOBJS =	backtrace-emptytbl.@O@
 
 # Alphabetically
 SRCS =		@ISC_EXTRA_SRCS@ \
@@ -75,7 +77,7 @@ SRCS =		@ISC_EXTRA_SRCS@ \
 		parseint.c portset.c quota.c radix.c random.c \
 		ratelimiter.c refcount.c region.c result.c rwlock.c \
 		serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
-		symtab.c task.c taskpool.c timer.c version.c
+		symtab.c symtbl-empty.c task.c taskpool.c timer.c version.c
 
 LIBS =		@LIBS@
 
@@ -92,17 +94,27 @@ version.@O@: version.c
 		-DLIBAGE=${LIBAGE} \
 		-c ${srcdir}/version.c
 
-libisc.@SA@: ${OBJS}
+libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+	${RANLIB} $@
+
+libisc-nosymtbl.@SA@: ${OBJS}
 	${AR} ${ARFLAGS} $@ ${OBJS}
 	${RANLIB} $@
 
-libisc.la: ${OBJS}
+libisc.la: ${OBJS} ${SYMTBLOBJS}
 	${LIBTOOL_MODE_LINK} \
 		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${SYMTBLOBJS} ${LIBS}
+
+libisc-nosymtbl.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${LIBS}
 
-timestamp: libisc.@A@
+timestamp: libisc.@A@ libisc-nosymtbl.@A@
 	touch timestamp
 
 installdirs:
@@ -115,4 +127,5 @@ install:: @ISC_ARCH_DIR@/include/isc/atomic.h
 	${INSTALL_DATA} @ISC_ARCH_DIR@/include/isc/atomic.h ${DESTDIR}${includedir}/isc
 
 clean distclean::
-	rm -f libisc.@A@ libisc.la timestamp
+	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+	libisc-nosymtbl.la timestamp
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index 4c9251bdcf..0d5cc5c211 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.23 2008/10/15 23:47:31 tbox Exp $ */
+/* $Id: assertions.c,v 1.24 2009/09/01 18:40:25 jinmei Exp $ */
 
 /*! \file */
 
@@ -25,7 +25,16 @@
 #include 
 
 #include 
+#include 
 #include 
+#include 
+
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif
 
 /*%
  * Forward.
@@ -87,10 +96,36 @@ static void
 default_callback(const char *file, int line, isc_assertiontype_t type,
 		 const char *cond)
 {
-	fprintf(stderr, "%s:%d: %s(%s) %s.\n",
+	void *tracebuf[BACKTRACE_MAXFRAME];
+	int i, nframes;
+	const char *logsuffix = ".";
+	const char *fname;
+	isc_result_t result;
+
+	result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME, &nframes);
+		if (result == ISC_R_SUCCESS && nframes > 0)
+			logsuffix = ", back trace";
+
+	fprintf(stderr, "%s:%d: %s(%s) %s%s\n",
 		file, line, isc_assertion_typetotext(type), cond,
 		isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
-			       ISC_MSG_FAILED, "failed"));
+			       ISC_MSG_FAILED, "failed"), logsuffix);
+	if (result == ISC_R_SUCCESS) {
+		for (i = 0; i < nframes; i++) {
+			unsigned long offset;
+
+			fname = NULL;
+			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+							 &offset);
+			if (result == ISC_R_SUCCESS) {
+				fprintf(stderr, "#%d %p in %s()+0x%lx\n", i,
+					tracebuf[i], fname, offset);
+			} else {
+				fprintf(stderr, "#%d %p in ??\n", i,
+					tracebuf[i]);
+			}
+		}
+	}
 	fflush(stderr);
 	abort();
 	/* NOTREACHED */
diff --git a/lib/isc/backtrace-emptytbl.c b/lib/isc/backtrace-emptytbl.c
new file mode 100644
index 0000000000..a5e3187c36
--- /dev/null
+++ b/lib/isc/backtrace-emptytbl.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace-emptytbl.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+
+/*! \file */
+
+/*
+ * This file defines an empty (default) symbol table used in backtrace.c
+ * If the application wants to have a complete symbol table, it should redefine
+ * isc__backtrace_symtable with the complete table in some way, and link the
+ * version of the library not including this definition
+ * (e.g. libisc-nosymbol.a).
+ */
+
+#include 
+
+const int isc__backtrace_nsymbols = 0;
+const isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
diff --git a/lib/isc/backtrace.c b/lib/isc/backtrace.c
new file mode 100644
index 0000000000..26355ad55b
--- /dev/null
+++ b/lib/isc/backtrace.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+
+/*! \file */
+
+#include "config.h"
+
+#include 
+#include 
+#ifdef HAVE_LIBCTRACE
+#include 
+#endif
+
+#include 
+#include 
+#include 
+
+#ifdef ISC_PLATFORM_USEBACKTRACE
+/*
+ * Getting a back trace of a running process is tricky and highly platform
+ * dependent.  Our current approach is as follows:
+ * 1. If the system library supports the "backtrace()" function, use it.
+ * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
+ *    then use gcc's (hidden) Unwind_Backtrace() function.  Note that this
+ *    function doesn't work for C programs on many other architectures. 
+ * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
+ *    frame following frame pointers.  This assumes the executable binary
+ *    compiled with frame pointers; this is not always true for x86_64 (rather,
+ *    compiler optimizations often disable frame pointers).  The validation
+ *    checks in getnextframeptr() hopefully rejects bogus values stored in
+ *    the RBP register in such a case.  If the backtrace function itself crashes
+ *    due to this problem, the whole package should be rebuilt with
+ *    --disable-backtrace.
+ */
+#ifdef HAVE_LIBCTRACE
+#define BACKTRACE_LIBC
+#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__ia64__))
+#define BACKTRACE_GCC
+#elif defined(__x86_64__) || defined(__i386__)
+#define BACKTRACE_X86STACK
+#else
+#define BACKTRACE_DISABLED
+#endif  /* HAVE_LIBCTRACE */
+#else	/* !ISC_PLATFORM_USEBACKTRACE */
+#define BACKTRACE_DISABLED
+#endif	/* ISC_PLATFORM_USEBACKTRACE */
+
+#ifdef BACKTRACE_LIBC
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int n;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	/*
+	 * backtrace(3) includes this function itself in the address array,
+	 * which should be eliminated from the returned sequence.
+	 */
+	n = backtrace(addrs, maxaddrs);
+	if (n < 2)
+		return (ISC_R_NOTFOUND);
+	n--;
+	memmove(addrs, &addrs[1], sizeof(void *) * n);
+	*nframes = n;
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_GCC)
+extern int _Unwind_Backtrace(void* fn, void* a);
+extern void* _Unwind_GetIP(void* ctx);
+
+typedef struct {
+	void **result;
+	int max_depth;
+	int skip_count;
+	int count;
+} trace_arg_t;
+
+static int
+btcallback(void *uc, void *opq) {
+	trace_arg_t *arg = (trace_arg_t *)opq;
+
+	if (arg->skip_count > 0)
+		arg->skip_count--;
+	else
+		arg->result[arg->count++] = (void *)_Unwind_GetIP(uc);
+	if (arg->count == arg->max_depth)
+		return (5); /* _URC_END_OF_STACK */
+
+	return (0); /* _URC_NO_REASON */
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	trace_arg_t arg;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	arg.skip_count = 1;
+	arg.result = addrs;
+	arg.max_depth = maxaddrs;
+	arg.count = 0;
+	_Unwind_Backtrace(btcallback, &arg);
+
+	*nframes = arg.count;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_X86STACK)
+#ifdef __x86_64__
+static unsigned long
+getrbp() {
+	__asm("movq %rbp, %rax\n");
+}
+#endif
+
+static void **
+getnextframeptr(void **sp) {
+	void **newsp = (void **)*sp;
+
+	/*
+	 * Perform sanity check for the new frame pointer, derived from
+	 * google glog.  This can actually be bogus depending on compiler.
+	 */
+
+	/* prohibit the stack frames from growing downwards */
+	if (newsp <= sp)
+		return (NULL);
+
+	/* A heuristics to reject "too large" frame: this actually happened. */
+	if ((char *)newsp - (char *)sp > 100000)
+		return (NULL);
+
+	/*
+	 * Not sure if other checks used in glog are needed at this moment.
+	 * For our purposes we don't have to consider non-contiguous frames,
+	 * for example.
+	 */
+
+	return (newsp);
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int i = 0;
+	void **sp;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+#ifdef __x86_64__
+	sp = (void **)getrbp();
+	if (sp == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * sp is the frame ptr of this function itself due to the call to
+	 * getrbp(), so need to unwind one frame for consistency.
+	 */
+	sp = getnextframeptr(sp);
+#else
+	/*
+	 * i386: the frame pointer is stored 2 words below the address for the
+	 * first argument.  Note that the body of this function cannot be
+	 * inlined since it depends on the address of the function argument.
+	 */
+	sp = (void **)&addrs - 2;
+#endif
+
+	while (sp != NULL && i < maxaddrs) {
+		addrs[i++] = *(sp + 1);
+		sp = getnextframeptr(sp);
+	}
+
+	*nframes = i;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_DISABLED)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	UNUSED(maxaddrs);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+#endif
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+				 const char **symbolp)
+{
+	REQUIRE(addrp != NULL && *addrp == NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	if (index < 0 || index >= isc__backtrace_nsymbols)
+		return (ISC_R_RANGE);
+
+	*addrp = isc__backtrace_symtable[index].addr;
+	*symbolp = isc__backtrace_symtable[index].symbol;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+symtbl_compare(const void *addr, const void *entryarg) {
+	const isc_backtrace_symmap_t *entry = entryarg;
+	const isc_backtrace_symmap_t *end =
+		&isc__backtrace_symtable[isc__backtrace_nsymbols - 1];
+
+	if (isc__backtrace_nsymbols == 1 || entry == end) {
+		if (addr >= entry->addr) {
+			/*
+			 * If addr is equal to or larger than that of the last
+			 * entry of the table, we cannot be sure if this is
+			 * within a valid range so we consider it valid.
+			 */
+			return (0);
+		}
+		return (-1);
+	}
+
+	/* entry + 1 is a valid entry from now on. */
+	if (addr < entry->addr)
+		return (-1);
+	else if (addr >= (entry + 1)->addr)
+		return (1);
+	return (0);
+}
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_backtrace_symmap_t *found;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (symbolp == NULL || *symbolp != NULL || offsetp == NULL)
+		return (ISC_R_FAILURE);
+
+	if (isc__backtrace_nsymbols < 1)
+		return (ISC_R_NOTFOUND);
+
+	/*
+	 * Search the table for the entry that meets:
+	 * entry.addr <= addr < next_entry.addr.
+	 */
+	found = bsearch(addr, isc__backtrace_symtable, isc__backtrace_nsymbols,
+			sizeof(isc__backtrace_symtable[0]), symtbl_compare);
+	if (found == NULL)
+		result = ISC_R_NOTFOUND;
+	else {
+		*symbolp = found->symbol;
+		*offsetp = (const char *)addr - (char *)found->addr;
+	}
+
+	return (result);
+}
diff --git a/lib/isc/include/isc/backtrace.h b/lib/isc/include/isc/backtrace.h
new file mode 100644
index 0000000000..c0e98c0b75
--- /dev/null
+++ b/lib/isc/include/isc/backtrace.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace.h,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+
+/*! \file isc/backtrace.h
+ * \brief provide a back trace of the running process to help debug problems.
+ *
+ * This module tries to get a back trace of the process using some platform
+ * dependent way when available.  It also manages an internal symbol table
+ * that maps function addresses used in the process to their textual symbols.
+ * This module is expected to be used to help debug when some fatal error
+ * happens.
+ *
+ * IMPORTANT NOTE: since the (major) intended use case of this module is
+ * dumping a back trace on a fatal error, normally followed by self termination,
+ * functions defined in this module generally doesn't employ assertion checks
+ * (if it did, a program bug could cause infinite recursive calls to a
+ * backtrace function).  These functions still perform minimal checks and return
+ * ISC_R_FAILURE if they detect an error, but the caller should therefore be
+ * very careful about the use of these functions, and generally discouraged to
+ * use them except in an exit path.  The exception is
+ * isc_backtrace_getsymbolfromindex(), which is expected to be used in a
+ * non-error-handling context and validates arguments with assertion checks.
+ */
+
+#ifndef ISC_BACKTRACE_H
+#define ISC_BACKTRACE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include 
+
+/***
+ *** Types
+ ***/
+struct isc_backtrace_symmap {
+	void		*addr;
+	const char	*symbol;
+};
+
+extern const int isc__backtrace_nsymbols;
+extern const isc_backtrace_symmap_t isc__backtrace_symtable[];
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes);
+/*%<
+ * Get a back trace of the running process above this function itself.  On
+ * success, addrs[i] will store the address of the call point of the i-th
+ * stack frame (addrs[0] is the caller of this function).  *nframes will store
+ * the total number of frames.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'addrs' is a valid array containing at least 'maxaddrs' void * entries.
+ *
+ *\li	'nframes' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+				 const char **symbolp);
+/*%<
+ * Returns the content of the internal symbol table of the given index.
+ * On success, *addrsp and *symbolp point to the address and the symbol of
+ * the 'index'th entry of the table, respectively.  If 'index' is not in the
+ * range of the symbol table, ISC_R_RANGE will be returned.
+ *
+ * Requires
+ *
+ *\li	'addrp' must be non NULL && '*addrp' == NULL.
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ */
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp);
+/*%<
+ * Searches the internal symbol table for the symbol that most matches the
+ * given 'addr'.  On success, '*symbolp' will point to the name of function
+ * to which the address 'addr' belong, and '*offsetp' will store the offset
+ * from the function's entry address to 'addr'.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ *\li	'offsetp' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ */
+ISC_LANG_ENDDECLS
+
+#endif	/* ISC_BACKTRACE_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index fd5461e4b1..ef49d3298d 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.51 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: platform.h.in,v 1.52 2009/09/01 18:40:25 jinmei Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -146,6 +146,11 @@
  */
 @ISC_PLATFORM_HAVEDEVPOLL@
 
+/*! \brief
+ * Define if we want to log backtrace
+ */
+@ISC_PLATFORM_USEBACKTRACE@
+
 /*
  *** Printing.
  ***/
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index dd60d76a20..03ada89a1c 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.49 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: types.h,v 1.50 2009/09/01 18:40:25 jinmei Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
@@ -43,6 +43,7 @@
 /* Core Types.  Alphabetized by defined type. */
 
 typedef struct isc_appctx		isc_appctx_t;	 	/*%< Application context */
+typedef struct isc_backtrace_symmap	isc_backtrace_symmap_t; /*%< Symbol Table Entry */
 typedef struct isc_bitstring		isc_bitstring_t; 	/*%< Bitstring */
 typedef struct isc_buffer		isc_buffer_t;		/*%< Buffer */
 typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;	/*%< Buffer List */
diff --git a/make/rules.in b/make/rules.in
index 4191ef038f..2bd67556a7 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.67 2009/09/01 00:22:28 jinmei Exp $
+# $Id: rules.in,v 1.68 2009/09/01 18:40:25 jinmei Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -136,12 +136,83 @@ PURIFY = @PURIFY@
 
 MKDEP = ${SHELL} ${top_builddir}/make/mkdep
 
+###
+### This is a template compound command to build an executable binary with
+### an internal symbol table.
+### This process is tricky.  We first link all objects including a tentative
+### empty symbol table, then get a tentative list of symbols from the resulting
+### binary ($@tmp0).  Next, we re-link all objects, but this time with the
+### symbol table just created ($tmp@1).  The set of symbols should be the same,
+### but the corresponding addresses would be changed due to the difference on
+### the size of symbol tables.  So we create the symbol table and re-create the
+### objects once again.  Finally, we check the symbol table embedded in the
+### final binaryis consistent with the binary itself; otherwise the process is
+### terminated.
+###
+### To minimize the overhead of creating symbol tables, the autoconf switch
+### --enable-symtable takes an argument so that the symbol table can be created
+### on a per application basis: unless the argument is set to "all", the symbol
+### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is
+### set to a non-null value in the rule to build the executable binary.
+###
+### Each Makefile.in that uses this macro is expected to define "LIBS" and
+### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and
+### the latter includes libisc without the definition of a symbol table.
+### The rule to make the executable binary will look like this
+### binary@EXEEXT@: ${OBJS}
+###     #export MAKE_SYMTABLE="yes"; \  <- enable if symtable is always needed
+###	export BASEOBJS="${OBJS}"; \
+###	${FINALBUILDCMD}
+###
+### Normally, ${LIBS} includes all necessary libraries to build the binary;
+### there are some exceptions however, where the rule lists some of the
+### necessary libraries explicitly in addition to (or instead of) ${LIBS},
+### like this:
+### binary@EXEEXT@: ${OBJS}
+###     cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${lIBS}
+### in order to modify such a rule to use this compound command, a separate
+### variable "LIBS0" should be deinfed for the explicitly listed libraries,
+### while making sure ${LIBS} still includes libisc.  So the above rule would
+### be modified as follows:
+### binary@EXEEXT@: ${OBJS}
+###	export BASEOBJS="${OBJS}"; \
+###	export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \
+###     ${FINALBUILDCMD}
+### See bin/check/Makefile.in for a complete example of the use of LIBS0.
+###
+FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \
+	else \
+		rm -f $@tmp0; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \
+		rm -f $@-symtbl.c $@-symtbl.@O@; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl.c $@tmp0 || exit 1; \
+		$(MAKE) $@-symtbl.@O@ || exit 1; \
+		rm -f $@tmp1; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@tmp1 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS} || exit 1; \
+		rm -f $@-symtbl.c $@-symtbl.@O@; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl.c $@tmp1 || exit 1; \
+		$(MAKE) $@-symtbl.@O@ || exit 1; \
+		${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+		-o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS}; \
+		${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+		-o $@-symtbl2.c $@tmp2; \
+		diff $@-symtbl.c $@-symtbl2.c || exit 1;\
+		mv $@tmp2 $@; \
+		rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \
+	fi
+
 cleandir: distclean
 superclean: maintainer-clean
 
 clean distclean maintainer-clean::
-	rm -f *.@O@ *.o *.lo *.la core *.core .depend
-	rm -rf .libs
+	rm -f *.@O@ *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2
+	rm -rf .depend .libs
 
 distclean maintainer-clean::
 	rm -f Makefile
@@ -218,6 +289,16 @@ LATEX =			@LATEX@
 PDFLATEX =		@PDFLATEX@
 W3M =			@W3M@
 
+###
+### Script language program used to create internal symbol tables
+###
+MKSYMTBL_PROGRAM =	@MKSYMTBL_PROGRAM@
+
+###
+### Switch to create internal symbol table selectively
+###
+ALWAYS_MAKE_SYMTABLE =	@ALWAYS_MAKE_SYMTABLE@
+
 ###
 ### DocBook -> HTML
 ### DocBook -> man page

From 7daca48bf23a8ed2b2cefd0deb770d8410c9e359 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 18:41:05 +0000
Subject: [PATCH 068/385] regen

---
 configure | 171 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 142 insertions(+), 29 deletions(-)

diff --git a/configure b/configure
index e2ed74b270..7d0e639861 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.461 2009/09/01 17:55:07 jinmei Exp $
+# $Id: configure,v 1.462 2009/09/01 18:41:05 jinmei Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.475 .
+# From configure.in Revision: 1.476 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -909,6 +909,9 @@ MKDEPPROG
 IRIX_DNSSEC_WARNINGS_HACK
 purify_path
 PURIFY
+ISC_PLATFORM_USEBACKTRACE
+MKSYMTBL_PROGRAM
+ALWAYS_MAKE_SYMTABLE
 O
 A
 SA
@@ -1650,6 +1653,9 @@ Optional Features:
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
   --enable-threads	enable multithreading
   --enable-largefile	  64-bit file support
+  --enable-backtrace      log stack backtrace on abort [default=yes]
+  --enable-symtable       use internal symbol table for backtrace
+                          [all|minimal(default)|none]
   --enable-exportlib	build exportable library (GNU make required)
                         [default=no]
   --enable-ipv6           use IPv6 default=autodetect
@@ -3949,7 +3955,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3952 "configure"' > conftest.$ac_ext
+  echo '#line 3958 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -6897,11 +6903,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6900: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6906: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6904: \$? = $ac_status" >&5
+   echo "$as_me:6910: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7187,11 +7193,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7190: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7196: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7194: \$? = $ac_status" >&5
+   echo "$as_me:7200: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7291,11 +7297,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7294: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7300: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7298: \$? = $ac_status" >&5
+   echo "$as_me:7304: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9655,7 +9661,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:12169: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12167: \$? = $ac_status" >&5
+   echo "$as_me:12173: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12264,11 +12270,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12267: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12273: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12271: \$? = $ac_status" >&5
+   echo "$as_me:12277: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13847,11 +13853,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13850: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13856: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13854: \$? = $ac_status" >&5
+   echo "$as_me:13860: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13951,11 +13957,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13954: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13960: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13958: \$? = $ac_status" >&5
+   echo "$as_me:13964: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16162,11 +16168,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16165: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16171: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16169: \$? = $ac_status" >&5
+   echo "$as_me:16175: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16452,11 +16458,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16455: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16461: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16459: \$? = $ac_status" >&5
+   echo "$as_me:16465: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16556,11 +16562,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16559: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16565: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16563: \$? = $ac_status" >&5
+   echo "$as_me:16569: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -19490,6 +19496,8 @@ fi
 
 #
 # Perl is optional; it is used only by some of the system test scripts.
+# Note: the backtrace feature (see below) uses perl to build the symbol table,
+# but it still compiles without perl, in which case an empty table will be used.
 #
 for ac_prog in perl5 perl
 do
@@ -25914,6 +25922,108 @@ case $use_libtool in
 		;;
 esac
 
+#
+# enable/disable dumping stack backtrace.  Also check if the system supports
+# glibc-compatible backtrace() function.
+#
+# Check whether --enable-backtrace was given.
+if test "${enable_backtrace+set}" = set; then
+  enableval=$enable_backtrace; want_backtrace="$enableval"
+else
+  want_backtrace="yes"
+fi
+
+case $want_backtrace in
+yes)
+	ISC_PLATFORM_USEBACKTRACE="#define ISC_PLATFORM_USEBACKTRACE 1"
+	cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include 
+int
+main ()
+{
+return (backtrace((void **)0, 0));
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_LIBCTRACE
+_ACEOF
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+	;;
+*)
+	ISC_PLATFORM_USEBACKTRACE="#undef ISC_PLATFORM_USEBACKTRACE"
+	;;
+esac
+
+
+# Check whether --enable-symtable was given.
+if test "${enable_symtable+set}" = set; then
+  enableval=$enable_symtable; want_symtable="$enableval"
+else
+  want_symtable="minimal"
+fi
+
+case $want_symtable in
+yes|all|minimal)
+
+	if test "$PERL" == ""
+	then
+		{ { echo "$as_me:$LINENO: error: Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable." >&5
+echo "$as_me: error: Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable." >&2;}
+   { (exit 1); exit 1; }; }
+	fi
+	if test "$use_libtool" = "yes"; then
+		{ echo "$as_me:$LINENO: WARNING: Internal symbol table does not work with libtool.  Disabling symtbol table." >&5
+echo "$as_me: WARNING: Internal symbol table does not work with libtool.  Disabling symtbol table." >&2;}
+	else
+		MKSYMTBL_PROGRAM="$PERL"
+		if test $want_symtable = all; then
+			ALWAYS_MAKE_SYMTABLE="yes"
+		fi
+	fi
+	;;
+*)
+	;;
+esac
+
+
+
 #
 # File name extension for static archive files, for those few places
 # where they are treated differently from dynamic ones.
@@ -34053,6 +34163,9 @@ MKDEPPROG!$MKDEPPROG$ac_delim
 IRIX_DNSSEC_WARNINGS_HACK!$IRIX_DNSSEC_WARNINGS_HACK$ac_delim
 purify_path!$purify_path$ac_delim
 PURIFY!$PURIFY$ac_delim
+ISC_PLATFORM_USEBACKTRACE!$ISC_PLATFORM_USEBACKTRACE$ac_delim
+MKSYMTBL_PROGRAM!$MKSYMTBL_PROGRAM$ac_delim
+ALWAYS_MAKE_SYMTABLE!$ALWAYS_MAKE_SYMTABLE$ac_delim
 O!$O$ac_delim
 A!$A$ac_delim
 SA!$SA$ac_delim
@@ -34103,9 +34216,6 @@ ISC_LWRES_GETNETBYADDRINADDR!$ISC_LWRES_GETNETBYADDRINADDR$ac_delim
 ISC_LWRES_SETNETENTINT!$ISC_LWRES_SETNETENTINT$ac_delim
 ISC_LWRES_ENDNETENTINT!$ISC_LWRES_ENDNETENTINT$ac_delim
 ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim
-ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim
-ISC_LWRES_GETIPNODEPROTO!$ISC_LWRES_GETIPNODEPROTO$ac_delim
-ISC_LWRES_GETADDRINFOPROTO!$ISC_LWRES_GETADDRINFOPROTO$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -34147,6 +34257,9 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim
+ISC_LWRES_GETIPNODEPROTO!$ISC_LWRES_GETIPNODEPROTO$ac_delim
+ISC_LWRES_GETADDRINFOPROTO!$ISC_LWRES_GETADDRINFOPROTO$ac_delim
 ISC_LWRES_GETNAMEINFOPROTO!$ISC_LWRES_GETNAMEINFOPROTO$ac_delim
 ISC_IRS_GETNAMEINFOSOCKLEN!$ISC_IRS_GETNAMEINFOSOCKLEN$ac_delim
 ISC_PLATFORM_NEEDSTRSEP!$ISC_PLATFORM_NEEDSTRSEP$ac_delim
@@ -34226,7 +34339,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 77; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 80; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

From f909fbf73cec86a4166c82976a5e58ddb389bbe2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 18:50:52 +0000
Subject: [PATCH 069/385] missing new file

---
 util/mksymtbl.pl | 113 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100755 util/mksymtbl.pl

diff --git a/util/mksymtbl.pl b/util/mksymtbl.pl
new file mode 100755
index 0000000000..b0fef5f42f
--- /dev/null
+++ b/util/mksymtbl.pl
@@ -0,0 +1,113 @@
+#!/usr/bin/env perl
+
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: mksymtbl.pl,v 1.2 2009/09/01 18:50:52 jinmei Exp $
+
+use strict;
+use diagnostics;
+$^W = 1;
+
+my $rev = '$Id: mksymtbl.pl,v 1.2 2009/09/01 18:50:52 jinmei Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+use Getopt::Std;
+my %options;
+getopts('i:o:', \%options);
+
+my ($binname, $need_uscorefix, $outputfile, $nsyms, $ostype, $nm_prog);
+my %symmap;
+
+$binname = $ARGV[0];
+$need_uscorefix = 0;
+if ($options{'o'}) {
+	$outputfile = $options{'o'};
+} else {
+	$outputfile = "symtbl.c";
+}
+
+# OS-depending configuration
+$nm_prog = "nm";
+$ostype = `uname -s`;
+chop($ostype);
+if ($ostype eq "SunOS" || $ostype eq "HP-UX") {
+	$nm_prog = "/usr/ccs/bin/nm -x"
+}
+
+if ($options{'i'}) {
+	open(SYMBOLS, $options{'i'}) || die "failed to open $options{'i'}";
+} else {
+	open(SYMBOLS, "$nm_prog $binname |") ||
+	    die "failed to invoke utility to get symbols";
+}
+open(TBLFILE, ">$outputfile") || die "failed to open output file: $outputfile";
+
+$nsyms = 0;
+while () {
+	my ($addr, $symbol) = (0, "");
+	if ($ostype eq "SunOS") {
+		if (/\[\d*\]\s*\|\s*0x([0-9a-f]*)\|\s*0x[0-9a-f]*\|FUNC\s*(.*)\|([^|]+)$/) {
+			next if ($2 =~ /UNDEF/); # skip undefined symbols
+			$addr = $1;
+			$symbol = $3;
+			chop($symbol);
+		}
+	} elsif ($ostype eq "HP-UX") {
+		if (/(\S*)\s*\|0x([0-9a-f]*)\|([^|]*\|entry|extern\|code)/) {
+			$addr = $2;
+			$symbol = $1;
+			# this filter catches a massive number of awkward
+			# symbols such as "$START$".  we are not interested in
+			# those and ignore them.
+			next if ($symbol =~ /\$/);
+		}
+	} else {
+		# *BSDs, Linux, etc.
+		if (/([0-9a-f]*)\s[tT]\s(.*)/) {
+			($addr, $symbol) = ($1, $2);
+			# heuristics: some compilers add a "_" to all program
+			# defined symbols.  Detect and fix it for a well known
+			# symbol of "main".
+			$need_uscorefix = 1 if ($symbol eq "_main");
+		}
+	}
+	if ($symbol ne "") {
+		# XXX: HP-UX's nm can produce a duplicate entry for the same
+		# address.  Ignore duplicate entries except the first one.
+		next if ($symmap{$addr});
+
+		$symmap{$addr} = $symbol;
+		$nsyms++;
+	}
+}
+
+print TBLFILE "/*\n * Generated by $rev \n */\n";
+print TBLFILE "#include \n";
+print TBLFILE "const int isc__backtrace_nsymbols = $nsyms;\n";
+print TBLFILE "const isc_backtrace_symmap_t isc__backtrace_symtable[] = {\n";
+foreach (sort {hex($a) <=> hex($b)} keys(%symmap)) {
+	my ($addr, $symbol) = ($_, $symmap{$_});
+	if ($need_uscorefix && $symbol =~ /^_(.*)/) {
+		$symbol = $1;
+	}
+	print TBLFILE "\t{ (void *)0x$addr, \"$symbol\" },\n";
+}
+print TBLFILE "\t{ (void *)0x0, \"\" },\n";
+print TBLFILE "};\n";
+
+close(TBLFILE);
+close(SYMBOLS);

From 93ebf0fc08b2e2ab498b5bcb581c77815f73cf0e Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 1 Sep 2009 20:13:44 +0000
Subject: [PATCH 070/385] - add .cvsignore files - silence tinderbox warnings
 about missing config.h in a few files.

---
 bin/tests/backtrace_test.c                     | 4 +++-
 lib/export/.cvsignore                          | 1 +
 lib/export/dns/.cvsignore                      | 1 +
 lib/export/dns/include/.cvsignore              | 1 +
 lib/export/dns/include/dns/.cvsignore          | 1 +
 lib/export/dns/include/dst/.cvsignore          | 1 +
 lib/export/irs/.cvsignore                      | 1 +
 lib/export/irs/include/.cvsignore              | 1 +
 lib/export/irs/include/irs/.cvsignore          | 1 +
 lib/export/isc/.cvsignore                      | 1 +
 lib/export/isc/include/.cvsignore              | 1 +
 lib/export/isc/include/isc/.cvsignore          | 1 +
 lib/export/isc/nls/.cvsignore                  | 1 +
 lib/export/isc/pthreads/.cvsignore             | 1 +
 lib/export/isc/pthreads/include/.cvsignore     | 1 +
 lib/export/isc/pthreads/include/isc/.cvsignore | 1 +
 lib/export/isc/unix/.cvsignore                 | 1 +
 lib/export/isc/unix/include/.cvsignore         | 1 +
 lib/export/isc/unix/include/isc/.cvsignore     | 1 +
 lib/export/isccfg/.cvsignore                   | 1 +
 lib/export/isccfg/include/.cvsignore           | 1 +
 lib/export/isccfg/include/isccfg/.cvsignore    | 1 +
 lib/export/samples/.cvsignore                  | 2 ++
 lib/irs/.cvsignore                             | 1 +
 lib/irs/include/.cvsignore                     | 1 +
 lib/irs/include/irs/.cvsignore                 | 3 +++
 lib/isc/backtrace-emptytbl.c                   | 4 +++-
 27 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 lib/export/.cvsignore
 create mode 100644 lib/export/dns/.cvsignore
 create mode 100644 lib/export/dns/include/.cvsignore
 create mode 100644 lib/export/dns/include/dns/.cvsignore
 create mode 100644 lib/export/dns/include/dst/.cvsignore
 create mode 100644 lib/export/irs/.cvsignore
 create mode 100644 lib/export/irs/include/.cvsignore
 create mode 100644 lib/export/irs/include/irs/.cvsignore
 create mode 100644 lib/export/isc/.cvsignore
 create mode 100644 lib/export/isc/include/.cvsignore
 create mode 100644 lib/export/isc/include/isc/.cvsignore
 create mode 100644 lib/export/isc/nls/.cvsignore
 create mode 100644 lib/export/isc/pthreads/.cvsignore
 create mode 100644 lib/export/isc/pthreads/include/.cvsignore
 create mode 100644 lib/export/isc/pthreads/include/isc/.cvsignore
 create mode 100644 lib/export/isc/unix/.cvsignore
 create mode 100644 lib/export/isc/unix/include/.cvsignore
 create mode 100644 lib/export/isc/unix/include/isc/.cvsignore
 create mode 100644 lib/export/isccfg/.cvsignore
 create mode 100644 lib/export/isccfg/include/.cvsignore
 create mode 100644 lib/export/isccfg/include/isccfg/.cvsignore
 create mode 100644 lib/export/samples/.cvsignore
 create mode 100644 lib/irs/.cvsignore
 create mode 100644 lib/irs/include/.cvsignore
 create mode 100644 lib/irs/include/irs/.cvsignore

diff --git a/bin/tests/backtrace_test.c b/bin/tests/backtrace_test.c
index f2f27eaa58..3af46239e9 100644
--- a/bin/tests/backtrace_test.c
+++ b/bin/tests/backtrace_test.c
@@ -14,7 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace_test.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+/* $Id: backtrace_test.c,v 1.3 2009/09/01 20:13:43 each Exp $ */
+
+#include 
 
 #include 
 #include 
diff --git a/lib/export/.cvsignore b/lib/export/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/dns/.cvsignore b/lib/export/dns/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/dns/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/dns/include/.cvsignore b/lib/export/dns/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/dns/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/dns/include/dns/.cvsignore b/lib/export/dns/include/dns/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/dns/include/dns/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/dns/include/dst/.cvsignore b/lib/export/dns/include/dst/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/dns/include/dst/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/irs/.cvsignore b/lib/export/irs/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/irs/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/irs/include/.cvsignore b/lib/export/irs/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/irs/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/irs/include/irs/.cvsignore b/lib/export/irs/include/irs/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/irs/include/irs/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/.cvsignore b/lib/export/isc/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/include/.cvsignore b/lib/export/isc/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/include/isc/.cvsignore b/lib/export/isc/include/isc/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/include/isc/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/nls/.cvsignore b/lib/export/isc/nls/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/nls/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/pthreads/.cvsignore b/lib/export/isc/pthreads/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/pthreads/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/pthreads/include/.cvsignore b/lib/export/isc/pthreads/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/pthreads/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/pthreads/include/isc/.cvsignore b/lib/export/isc/pthreads/include/isc/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/pthreads/include/isc/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/unix/.cvsignore b/lib/export/isc/unix/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/unix/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/unix/include/.cvsignore b/lib/export/isc/unix/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/unix/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isc/unix/include/isc/.cvsignore b/lib/export/isc/unix/include/isc/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isc/unix/include/isc/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isccfg/.cvsignore b/lib/export/isccfg/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isccfg/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isccfg/include/.cvsignore b/lib/export/isccfg/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isccfg/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/isccfg/include/isccfg/.cvsignore b/lib/export/isccfg/include/isccfg/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/export/isccfg/include/isccfg/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/export/samples/.cvsignore b/lib/export/samples/.cvsignore
new file mode 100644
index 0000000000..28be5a30a5
--- /dev/null
+++ b/lib/export/samples/.cvsignore
@@ -0,0 +1,2 @@
+Makefile
+Makefile-postinstall
diff --git a/lib/irs/.cvsignore b/lib/irs/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/irs/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/irs/include/.cvsignore b/lib/irs/include/.cvsignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/lib/irs/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/irs/include/irs/.cvsignore b/lib/irs/include/irs/.cvsignore
new file mode 100644
index 0000000000..67360141e7
--- /dev/null
+++ b/lib/irs/include/irs/.cvsignore
@@ -0,0 +1,3 @@
+Makefile
+netdb.h
+platform.h
diff --git a/lib/isc/backtrace-emptytbl.c b/lib/isc/backtrace-emptytbl.c
index a5e3187c36..bd534d60c8 100644
--- a/lib/isc/backtrace-emptytbl.c
+++ b/lib/isc/backtrace-emptytbl.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace-emptytbl.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+/* $Id: backtrace-emptytbl.c,v 1.3 2009/09/01 20:13:44 each Exp $ */
 
 /*! \file */
 
@@ -26,6 +26,8 @@
  * (e.g. libisc-nosymbol.a).
  */
 
+#include 
+
 #include 
 
 const int isc__backtrace_nsymbols = 0;

From ee537376ad830bed312d801e16bd3b26387ff1aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 22:30:28 +0000
Subject: [PATCH 071/385] avoid using @< (which some make don't seem to
 understand) for portability

---
 bin/tests/Makefile.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index 4dbdb78d6f..f92b3d133e 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.136 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.137 2009/09/01 22:30:28 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -151,7 +151,8 @@ backtrace_test@EXEEXT@: backtrace_test_nosymtbl@EXEEXT@
 	#first step: create a first symbol table
 	rm -f symtbl.c
 	if test X${MKSYMTBL_PROGRAM} != X; then \
-	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl $<; else \
+	${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+	backtrace_test_nosymtbl@EXEEXT@; else \
 	cp ${top_srcdir}/lib/isc/backtrace-emptytbl.c symtbl.c; fi
 	#second step: build a binary with the first symbol table
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} \

From d364948549856a00bb6d4cd1a9475cb25544cc8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 22:52:27 +0000
Subject: [PATCH 072/385] treat FD_SIZE as int (which can be defined as
 unsigned on some platforms) to silence compiler

---
 lib/lwres/context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index 20b7341630..7e8188eaf6 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.53 2009/09/01 05:50:17 each Exp $ */
+/* $Id: context.c,v 1.54 2009/09/01 22:52:27 jinmei Exp $ */
 
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
@@ -476,7 +476,7 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	 * If this is not checked, select() can overflow,
 	 * causing corruption elsewhere.
 	 */
-	if (ctx->sock >= FD_SETSIZE) {
+	if (ctx->sock >= (int)FD_SETSIZE) {
 		close(ctx->sock);
 		ctx->sock = -1;
 		return (LWRES_R_IOERROR);

From ae16941d9f59040afc529f57e88a16c07782d20e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 1 Sep 2009 23:05:33 +0000
Subject: [PATCH 073/385] cleanup: removed a redundant semi-colon

---
 lib/isc/task_api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/task_api.c b/lib/isc/task_api.c
index af7a93ca64..2bb2061062 100644
--- a/lib/isc/task_api.c
+++ b/lib/isc/task_api.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: task_api.c,v 1.4 2009/09/01 23:05:33 jinmei Exp $ */
 
 #include 
 
@@ -97,7 +97,7 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
 	(*managerp)->methods->destroy(managerp);
 
 	ENSURE(*managerp == NULL);
-};
+}
 
 isc_result_t
 isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,

From 823ca3c14f1596341bdd50707c01f3b529b75b4a Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 1 Sep 2009 23:47:45 +0000
Subject: [PATCH 074/385] update copyright notice

---
 bin/named/server.c           | 26 +++++++++++++-------------
 bin/tests/names/t_names.c    |  4 ++--
 lib/isc/include/isc/mem.h    |  4 ++--
 lib/isc/include/isc/socket.h |  6 +++---
 lib/isc/mem.c                |  4 ++--
 lib/isc/timer.c              |  4 ++--
 lib/isc/unix/socket.c        | 10 +++++-----
 lib/lwres/getipnode.c        |  6 +++---
 8 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 5e94ccd262..3b67836cca 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.545 2009/09/01 17:36:51 jinmei Exp $ */
+/* $Id: server.c,v 1.546 2009/09/01 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -475,19 +475,19 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	keyname = dns_fixedname_name(&fkeyname);
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 
-        if (managed) {
-                const char *initmethod;
-                initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+	if (managed) {
+		const char *initmethod;
+		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
 
-                if (strcmp(initmethod, "initial-key") != 0) {
-                        cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
-                                    "managed key '%s': "
-                                    "invalid initialization method '%s'",
-                                    keynamestr, initmethod);
-                        result = ISC_R_FAILURE;
-                        goto cleanup;
-                }
-        }
+		if (strcmp(initmethod, "initial-key") != 0) {
+			cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+				    "managed key '%s': "
+				    "invalid initialization method '%s'",
+				    keynamestr, initmethod);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+	}
 
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index ce859dea53..d3a8b66c7d 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_names.c,v 1.49 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: t_names.c,v 1.50 2009/09/01 23:47:44 tbox Exp $ */
 
 #include 
 
@@ -1777,7 +1777,7 @@ t_dns_name_fromtext(void) {
 							   atoi(Tokens[3])
 								== 0 ?
 								0 :
-						       	     DNS_NAME_DOWNCASE);
+							     DNS_NAME_DOWNCASE);
 			} else {
 				t_info("bad format at line %d\n", line);
 			}
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 04a604f73f..28edcb67a3 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.82 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: mem.h,v 1.83 2009/09/01 23:47:44 tbox Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -221,7 +221,7 @@ typedef struct isc_mempoolmethods {
 } isc_mempoolmethods_t;
 
 /*%
- * This structure is actually just the common prefix of a memory context 
+ * This structure is actually just the common prefix of a memory context
  * implementation's version of an isc_mem_t.
  * \brief
  * Direct use of this structure by clients is forbidden.  mctx implementations
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 15ade4ea92..8f3f398168 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.90 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: socket.h,v 1.91 2009/09/01 23:47:44 tbox Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -887,7 +887,7 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
 
 isc_result_t
 isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
- 			  isc_socketmgr_t **managerp);
+			  isc_socketmgr_t **managerp);
 
 isc_result_t
 isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
@@ -1086,7 +1086,7 @@ isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
  * See isc_socketmgr_create() above.
  */
 typedef isc_result_t
-(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp); 
+(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp);
 
 isc_result_t
 isc_socket_register(isc_socketmgrcreatefunc_t createfunc);
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 6895a873e9..4e97857b3a 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.150 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: mem.c,v 1.151 2009/09/01 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -2193,7 +2193,7 @@ isc__mempool_getfillcount(isc_mempool_t *mpctx0) {
 	return (fillcount);
 }
 
-#ifdef USE_MEMIMPREGISTER 
+#ifdef USE_MEMIMPREGISTER
 isc_result_t
 isc__mem_register() {
 	return (isc_mem_register(isc__mem_create2));
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 327620b2be..d5352cddb8 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.91 2009/09/01 08:12:33 jinmei Exp $ */
+/* $Id: timer.c,v 1.92 2009/09/01 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -1042,7 +1042,7 @@ isc__timermgr_dispatch(isc_timermgr_t *manager0) {
 }
 #endif /* USE_TIMER_THREAD */
 
-#ifdef USE_TIMERIMPREGISTER 
+#ifdef USE_TIMERIMPREGISTER
 isc_result_t
 isc__timer_register() {
 	return (isc_timer_register(isc__timermgr_create));
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 66ad903901..db79d18eda 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.321 2009/09/01 08:12:33 jinmei Exp $ */
+/* $Id: socket.c,v 1.322 2009/09/01 23:47:45 tbox Exp $ */
 
 /*! \file */
 
@@ -5322,7 +5322,7 @@ isc__socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
 	} else {
 		result = ISC_R_NOTCONNECTED;
 	}
-	
+
 	UNLOCK(&sock->lock);
 
 	return (result);
@@ -5572,7 +5572,7 @@ isc__socketmgr_waitevents(isc_socketmgr_t *manager0, struct timeval *tvp,
 	REQUIRE(swaitp != NULL && *swaitp == NULL);
 
 #ifdef USE_SHARED_MANAGER
-  	if (manager == NULL)
+	if (manager == NULL)
 		manager = socketmgr;
 #endif
 	if (manager == NULL)
@@ -5632,7 +5632,7 @@ isc__socketmgr_dispatch(isc_socketmgr_t *manager0, isc_socketwait_t *swait) {
 	REQUIRE(swait == &swait_private);
 
 #ifdef USE_SHARED_MANAGER
-  	if (manager == NULL)
+	if (manager == NULL)
 		manager = socketmgr;
 #endif
 	if (manager == NULL)
@@ -5681,7 +5681,7 @@ isc__socket_gettag(isc_socket_t *socket0) {
 }
 #endif	/* BIND9 */
 
-#ifdef USE_SOCKETIMPREGISTER 
+#ifdef USE_SOCKETIMPREGISTER
 isc_result_t
 isc__socket_register() {
 	return (isc_socket_register(isc__socketmgr_create));
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index b872e3d5ad..3bd82177b1 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.46 2009/09/01 05:50:18 each Exp $ */
+/* $Id: getipnode.c,v 1.47 2009/09/01 23:47:45 tbox Exp $ */
 
 /*! \file */
 
@@ -289,7 +289,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 			else {
 				*error_num = NO_RECOVERY;
 				goto cleanup;
-        		}
+			}
 		}
 	}
 
@@ -315,7 +315,7 @@ lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
 	} else
 		*error_num = tmp_err;
 
-        he3 = copyandmerge(he1, he2, af, error_num);
+	he3 = copyandmerge(he1, he2, af, error_num);
 
  cleanup:
 	if (he1 != NULL)

From ea854b585041ad19f70f7af15e08144ef2c2bd1b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 2 Sep 2009 03:54:09 +0000
Subject: [PATCH 075/385] README.libdns

---
 util/copyrights | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/copyrights b/util/copyrights
index dfb08a94f6..16f110b609 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -7,6 +7,7 @@
 ./NSEC3-NOTES					X	2008,2009
 ./README					X	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./README.idnkit					X	2005,2009
+./README.libdns					X	2009
 ./README.pkcs11					X	2008
 ./README.rfc5011				X	2009
 ./acconfig.h					C	1999,2000,2001,2002,2003,2004,2005,2007,2008

From 7fc3b88c3a6e18f8a085406c36fddc2af63619ef Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 2 Sep 2009 03:56:54 +0000
Subject: [PATCH 076/385] update

---
 util/copyrights | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/copyrights b/util/copyrights
index 16f110b609..f8793427e7 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1932,6 +1932,8 @@
 ./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007
 ./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007
+./lib/export/samples/Makefile-postinstall.in	MAKE	2009
+./lib/irs/api					X	2009
 ./lib/isc/.cvsignore				X	1998,1999,2000,2001
 ./lib/isc/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isc/alpha/.cvsignore			X	2007

From 8fec8134ea13c2c082c3e63f1ce0afd851e45a91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Wed, 2 Sep 2009 04:25:19 +0000
Subject: [PATCH 077/385] suppress compiler warnings [RT #20203]

---
 lib/isc/mem.c         | 29 ++++++++++++++++++++---------
 lib/isc/task.c        | 17 +++++++++++------
 lib/isc/timer.c       | 18 +++++++++++++-----
 lib/isc/unix/app.c    | 16 +++++++++++-----
 lib/isc/unix/socket.c | 19 +++++++++++++------
 5 files changed, 68 insertions(+), 31 deletions(-)

diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 4e97857b3a..934694f618 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.151 2009/09/01 23:47:44 tbox Exp $ */
+/* $Id: mem.c,v 1.152 2009/09/02 04:25:19 jinmei Exp $ */
 
 /*! \file */
 
@@ -323,8 +323,10 @@ static struct isc__memmethods {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *createx, *create, *create2, *ondestroy, *stats,
 		*setquota, *getquota, *setname, *getname, *gettag;
+#endif
 } memmethods = {
 	{
 		isc__mem_attach,
@@ -341,11 +343,15 @@ static struct isc__memmethods {
 		isc__mem_waterack,
 		isc__mem_inuse,
 		isc__mempool_create
-	},
-	isc__mem_createx, isc__mem_create, isc__mem_create2,
-	isc__mem_ondestroy, isc__mem_stats,
-	isc__mem_setquota, isc__mem_getquota, isc__mem_setname,
-	isc__mem_getname, isc__mem_gettag
+	}
+#ifndef BIND9
+	,
+	(void *)isc__mem_createx, (void *)isc__mem_create,
+	(void *)isc__mem_create2, (void *)isc__mem_ondestroy,
+	(void *)isc__mem_stats, (void *)isc__mem_setquota,
+	(void *)isc__mem_getquota, (void *)isc__mem_setname,
+	(void *)isc__mem_getname, (void *)isc__mem_gettag
+#endif
 };
 
 static struct isc__mempoolmethods {
@@ -354,7 +360,9 @@ static struct isc__mempoolmethods {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *getfreemax, *getfreecount, *getmaxalloc, *getfillcount;
+#endif
 } mempoolmethods = {
 	{
 		isc__mempool_destroy,
@@ -366,9 +374,12 @@ static struct isc__mempoolmethods {
 		isc__mempool_setname,
 		isc__mempool_associatelock,
 		isc__mempool_setfillcount
-	},
-	isc__mempool_getfreemax, isc__mempool_getfreecount,
-	isc__mempool_getmaxalloc, isc__mempool_getfillcount
+	}
+#ifndef BIND9
+	,
+	(void *)isc__mempool_getfreemax, (void *)isc__mempool_getfreecount,
+	(void *)isc__mempool_getmaxalloc, (void *)isc__mempool_getfillcount
+#endif
 };
 
 /*!
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 27b1a508f9..839900771a 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.108 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: task.c,v 1.109 2009/09/02 04:25:19 jinmei Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -228,9 +228,11 @@ static struct isc__taskmethods {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *purgeevent, *unsendrange,
 		*getname, *gettag, *getcurrenttime, *beginexclusive,
 		*endexclusive;
+#endif
 } taskmethods = {
 	{
 		isc__task_attach,
@@ -244,11 +246,14 @@ static struct isc__taskmethods {
 		isc__task_setname,
 		isc__task_purge,
 		isc__task_purgerange
-	},
-	isc__task_purgeevent, isc__task_unsendrange,
-	isc__task_getname, isc__task_gettag,
-	isc__task_getcurrenttime, isc__task_beginexclusive,
-	isc__task_endexclusive
+	}
+#ifndef BIND9
+	,
+	(void *)isc__task_purgeevent, (void *)isc__task_unsendrange,
+	(void *)isc__task_getname, (void *)isc__task_gettag,
+	(void *)isc__task_getcurrenttime, (void *)isc__task_beginexclusive,
+	(void *)isc__task_endexclusive
+#endif
 };
 
 static isc_taskmgrmethods_t taskmgrmethods = {
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index d5352cddb8..ef6996d8a8 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.92 2009/09/01 23:47:44 tbox Exp $ */
+/* $Id: timer.c,v 1.93 2009/09/02 04:25:19 jinmei Exp $ */
 
 /*! \file */
 
@@ -154,15 +154,20 @@ static struct isc__timermethods {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *gettype;
+#endif
 } timermethods = {
 	{
 		isc__timer_attach,
 		isc__timer_detach,
 		isc__timer_reset,
 		isc__timer_touch
-	},
-	isc__timer_gettype
+	}
+#ifndef BIND9
+	,
+	(void *)isc__timer_gettype
+#endif
 };
 
 static struct isc__timermgrmethods {
@@ -172,8 +177,11 @@ static struct isc__timermgrmethods {
 	{
 		isc__timermgr_destroy,
 		isc__timer_create
-	},
-	isc__timermgr_poke
+	}
+#ifdef BIND9
+	,
+	(void *)isc__timermgr_poke
+#endif
 };
 
 #ifdef USE_SHARED_MANAGER
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index 10b99f05f9..ef4d48d0af 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.61 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: app.c,v 1.62 2009/09/02 04:25:19 jinmei Exp $ */
 
 /*! \file */
 
@@ -156,8 +156,10 @@ static struct {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *run, *shutdown, *start, *onrun, *reload, *finish,
 		*block, *unblock;
+#endif
 } appmethods = {
 	{
 		isc__appctx_destroy,
@@ -169,10 +171,14 @@ static struct {
 		isc__appctx_settaskmgr,
 		isc__appctx_setsocketmgr,
 		isc__appctx_settimermgr
-	},
-	isc__app_run, isc__app_shutdown,
-	isc__app_start, isc__app_onrun, isc__app_reload, isc__app_finish,
-	isc__app_block, isc__app_unblock
+	}
+#ifndef BIND9
+	,
+	(void *)isc__app_run, (void *)isc__app_shutdown,
+	(void *)isc__app_start, (void *)isc__app_onrun, (void *)isc__app_reload,
+	(void *)isc__app_finish, (void *)isc__app_block,
+	(void *)isc__app_unblock
+#endif
 };
 
 #ifdef HAVE_LINUXTHREADS
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index db79d18eda..ccd495a856 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.322 2009/09/01 23:47:45 tbox Exp $ */
+/* $Id: socket.c,v 1.323 2009/09/02 04:25:19 jinmei Exp $ */
 
 /*! \file */
 
@@ -541,8 +541,10 @@ static struct {
 	/*%
 	 * The following are defined just for avoiding unused static functions.
 	 */
+#ifndef BIND9
 	void *recvv, *send, *sendv, *sendto2, *cleanunix, *permunix, *filter,
 		*listen, *accept, *getpeername, *isbound;
+#endif
 } socketmethods = {
 	{
 		isc__socket_attach,
@@ -555,11 +557,16 @@ static struct {
 		isc__socket_getsockname,
 		isc__socket_gettype,
 		isc__socket_ipv6only
-	},
-	isc__socket_recvv, isc__socket_send, isc__socket_sendv,
-	isc__socket_sendto2, isc__socket_cleanunix, isc__socket_permunix,
-	isc__socket_filter, isc__socket_listen, isc__socket_accept,
-	isc__socket_getpeername, isc__socket_isbound
+	}
+#ifndef BIND9
+	,
+	(void *)isc__socket_recvv, (void *)isc__socket_send,
+	(void *)isc__socket_sendv, (void *)isc__socket_sendto2,
+	(void *)isc__socket_cleanunix, (void *)isc__socket_permunix,
+	(void *)isc__socket_filter, (void *)isc__socket_listen,
+	(void *)isc__socket_accept, (void *)isc__socket_getpeername,
+	(void *)isc__socket_isbound
+#endif
 };
 
 static isc_socketmgrmethods_t socketmgrmethods = {

From be3d498c6e79a14beb5a8a93ebc01787a1bab353 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 2 Sep 2009 04:45:41 +0000
Subject: [PATCH 078/385] close off command

---
 doc/arm/Bv9ARM-book.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f4f7785517..89300abe11 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -9126,7 +9126,7 @@ deny-answer-aliases { "example.net"; };
           
             The first name named runs after a name
             has been removed from the
-            managed-keys statement, the corresponding
+            managed-keys statement, the corresponding
             zone will be removed from the managed keys database,
             and RFC 5011 key maintenance will no longer be used for that
             domain.

From eab9975bcf5830a73f18ed8f320ae18ea32775ee Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 06:29:01 +0000
Subject: [PATCH 079/385] 2668.	[func]		Several improvements to
 dnssec-* tools, including: 			- dnssec-keygen and
 dnssec-settime can now set key 			  metadata fields 0
 (to unset a value, use "none") 			- dnssec-revoke sets
 the revocation date in 			  addition to the revoke bit 
 		- dnssec-settime can now print individual metadata 	
 	  fields instead of always printing all of them, 		
   and can print them in unix epoch time format for 			  use
 by scripts 			[RT #19942]

---
 CHANGES                            |  13 ++
 bin/dnssec/dnssec-keygen.c         | 106 ++++++++---
 bin/dnssec/dnssec-keygen.docbook   |  12 +-
 bin/dnssec/dnssec-revoke.c         |   7 +-
 bin/dnssec/dnssec-settime.c        | 274 ++++++++++++++++++++++-------
 bin/dnssec/dnssec-settime.docbook  |  50 +++++-
 bin/dnssec/dnssec-signzone.c       |  57 +++---
 bin/dnssec/dnssec-signzone.docbook |  29 ++-
 bin/dnssec/dnssectool.c            |  36 +++-
 bin/dnssec/dnssectool.h            |   4 +-
 lib/dns/dnssec.c                   |  24 ++-
 lib/dns/dst_api.c                  |  39 +++-
 lib/dns/dst_internal.h             |   7 +-
 lib/dns/dst_parse.c                |  50 ++++--
 lib/dns/dst_parse.h                |   6 +-
 lib/dns/include/dns/dnssec.h       |   3 +-
 lib/dns/include/dst/dst.h          |  37 +++-
 lib/dns/win32/libdns.def           |   3 +
 18 files changed, 597 insertions(+), 160 deletions(-)

diff --git a/CHANGES b/CHANGES
index c7bae302eb..6abf383fa3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,16 @@
+	--- 9.7.0a3 released ---
+
+2668.	[func]		Several improvements to dnssec-* tools, including:
+			- dnssec-keygen and dnssec-settime can now set key
+			  metadata fields 0 (to unset a value, use "none")
+			- dnssec-revoke sets the revocation date in
+			  addition to the revoke bit
+			- dnssec-settime can now print individual metadata
+			  fields instead of always printing all of them,
+			  and can print them in unix epoch time format for
+			  use by scripts
+			[RT #19942]
+
 2667.	[func]		Add support for logging stack backtrace on assertion
 			failure (not available for all platforms). [RT #19780]
 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 60451ec23e..cb1b5cd08c 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.90 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dnssec-keygen.c,v 1.91 2009/09/02 06:29:00 each Exp $ */
 
 /*! \file */
 
@@ -174,6 +174,12 @@ main(int argc, char **argv) {
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	unpublish = 0, delete = 0;
 	isc_stdtime_t	now;
+	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -305,24 +311,64 @@ main(int argc, char **argv) {
 			/* already the default */
 			break;
 		case 'P':
-			publish = strtotime(isc_commandline_argument,
-					    now, now);
+                        if (setpub || unsetpub)
+                                fatal("-P specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setpub = ISC_TRUE;
+				publish = strtotime(isc_commandline_argument,
+						    now, now);
+			} else {
+                                unsetpub = ISC_TRUE;
+                        }
 			break;
 		case 'A':
-			activate = strtotime(isc_commandline_argument,
-					     now, now);
+                        if (setact || unsetact)
+                                fatal("-A specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setact = ISC_TRUE;
+				activate = strtotime(isc_commandline_argument,
+						     now, now);
+			} else {
+                                unsetact = ISC_TRUE;
+			}
 			break;
 		case 'R':
-			revoke = strtotime(isc_commandline_argument,
-					   now, now);
+                        if (setrev || unsetrev)
+                                fatal("-R specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setrev = ISC_TRUE;
+				revoke = strtotime(isc_commandline_argument,
+						   now, now);
+			} else {
+                                unsetrev = ISC_TRUE;
+			}
 			break;
 		case 'U':
-			unpublish = strtotime(isc_commandline_argument,
-					      now, now);
+                        if (setunpub || unsetunpub)
+                                fatal("-U specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setunpub = ISC_TRUE;
+				unpublish = strtotime(isc_commandline_argument,
+						      now, now);
+			} else {
+                                unsetunpub = ISC_TRUE;
+			}
 			break;
 		case 'D':
-			delete = strtotime(isc_commandline_argument,
-					   now, now);
+                        if (setdel || unsetdel)
+                                fatal("-D specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setdel = ISC_TRUE;
+				delete = strtotime(isc_commandline_argument,
+						   now, now);
+			} else {
+                                unsetdel = ISC_TRUE;
+			}
 			break;
 		case 'F':
 			/* Reserved for FIPS mode */
@@ -618,19 +664,37 @@ main(int argc, char **argv) {
 		dst_key_setbits(key, dbits);
 
 		/*
-		 * Set key timing metadata
+		 * Set key timing metadata (unless using -C)
 		 */
 		if (!oldstyle) {
 			dst_key_settime(key, DST_TIME_CREATED, now);
-			dst_key_settime(key, DST_TIME_PUBLISH, publish);
-			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
-			dst_key_settime(key, DST_TIME_REVOKE, revoke);
-			dst_key_settime(key, DST_TIME_REMOVE, unpublish);
-			dst_key_settime(key, DST_TIME_DELETE, delete);
-		} else if (publish != 0 || activate != 0 || revoke != 0 ||
-			   unpublish != 0 || delete != 0) {
-			fatal("cannot use -C together with "
-			      "-P, -A, -R, -U, or -D options");
+
+			if (setpub)
+				dst_key_settime(key, DST_TIME_PUBLISH,
+						publish);
+			if (setact)
+				dst_key_settime(key, DST_TIME_ACTIVATE,
+						activate);
+			if (setrev)
+				dst_key_settime(key, DST_TIME_REVOKE,
+						revoke);
+			if (setunpub)
+				dst_key_settime(key, DST_TIME_UNPUBLISH,
+						unpublish);
+			if (setdel)
+				dst_key_settime(key, DST_TIME_DELETE,
+						delete);
+		} else {
+			if (setpub || setact || setrev || setunpub ||
+			    setdel || unsetpub || unsetact ||
+			    unsetrev || unsetunpub || unsetdel)
+				fatal("cannot use -C together with "
+				      "-P, -A, -R, -U, or -D options");
+			/*
+			 * Compatibility mode: Private-key-format 
+			 * should be set to 1.2.
+			 */
+			dst_key_setprivateformat(key, 1, 2);
 		}
 
 		/*
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 5d6d6e62f5..2ff764ac1d 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -350,10 +350,12 @@
     
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
     
 
     
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 27d6835a0a..d58db629ca 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
 
 /*! \file */
 
@@ -161,6 +161,11 @@ main(int argc, char **argv) {
 
 	flags = dst_key_flags(key);
 	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+                isc_stdtime_t now;
+
+                isc_stdtime_get(&now);
+		dst_key_settime(key, DST_TIME_REVOKE, now);
+
 		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
 
 		isc_buffer_init(&buf, newname, sizeof(newname));
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index d862bc61f8..77fa98242d 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.8 2009/08/28 23:48:02 tbox Exp $ */
+/* $Id: dnssec-settime.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
 
 /*! \file */
 
@@ -53,18 +53,29 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "General options:\n");
 	fprintf(stderr, "    -f:                 force update of old-style "
 						 "keys\n");
 	fprintf(stderr, "    -K directory:       set key file location\n");
-	fprintf(stderr, "    -h:	         help\n");
-	fprintf(stderr, "    -v level:	         set level of verbosity\n");
+	fprintf(stderr, "    -v level:           set level of verbosity\n");
+	fprintf(stderr, "    -h:                 help\n");
 	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
-	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
-	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
+						     "publication date\n");
+	fprintf(stderr, "    -A date/[+-]offset/none: set key "
+						     "activation date\n");
+	fprintf(stderr, "    -R date/[+-]offset/none: set key "
+						     "revocation date\n");
+	fprintf(stderr, "    -U date/[+-]offset/none: set key "
+						     "unpublication date\n");
+	fprintf(stderr, "    -D date/[+-]offset/none: set key "
+						     "deletion date\n");
+	fprintf(stderr, "Printing options:\n");
+	fprintf(stderr, "    -p C/P/A/R/U/D/all: print a particular time "
+	                                        "value or values "
+						"[default: all]\n");
+	fprintf(stderr, "    -u:                 print times in unix epoch "
+						"format\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K++.key, "
 			     "K++.private\n");
@@ -73,19 +84,26 @@ usage(void) {
 }
 
 static void
-printtime(dst_key_t *key, int type, const char *tag, FILE *stream) {
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
+	  FILE *stream)
+{
 	isc_result_t result;
-	time_t when;
-	const char *output;
+	const char *output = NULL;
+	isc_stdtime_t when;
 
-	result = dst_key_gettime(key, type, (isc_stdtime_t *) &when);
-	if (result == ISC_R_NOTFOUND || when == 0) {
-		fprintf(stream, "%s: NOT SET\n", tag);
-		return;
+	if (tag != NULL)
+		fprintf(stream, "%s: ", tag);
+
+	result = dst_key_gettime(key, type, &when);
+	if (result == ISC_R_NOTFOUND) {
+		fprintf(stream, "UNSET\n");
+	} else if (epoch) {
+		fprintf(stream, "%d\n", (int) when);
+	} else {
+		time_t time = when;
+		output = ctime(&time);
+		fprintf(stream, "%s", output);
 	}
-
-	output = ctime(&when);
-	fprintf(stream, "%s: %s", tag, output);
 }
 
 int
@@ -94,18 +112,26 @@ main(int argc, char **argv) {
 	char *filename = NULL, *directory = NULL;
 	char newname[1024];
 	char keystr[KEY_FORMATSIZE];
-	char *endp;
+	char *endp, *p;
 	int ch;
 	isc_entropy_t *ectx = NULL;
 	dst_key_t *key = NULL;
 	isc_buffer_t buf;
-	isc_stdtime_t	now, when;
+	int major, minor;
+	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
+	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
+	isc_boolean_t	printunpub = ISC_FALSE, printdel = ISC_FALSE;
 	isc_boolean_t	forceupdate = ISC_FALSE;
-	isc_boolean_t	print = ISC_TRUE;
+	isc_boolean_t   epoch = ISC_FALSE;
+	isc_boolean_t   changed = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -121,11 +147,54 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "fK:hv:P:A:R:U:D:")) != -1) {
+					   "fK:uhp:v:P:A:R:U:D:")) != -1) {
 		switch (ch) {
 		case 'f':
 			forceupdate = ISC_TRUE;
 			break;
+		case 'p':
+			p = isc_commandline_argument;
+			if (!strcasecmp(p, "all")) {
+				printcreate = ISC_TRUE;
+				printpub = ISC_TRUE;
+				printact = ISC_TRUE;
+				printrev = ISC_TRUE;
+				printunpub = ISC_TRUE;
+				printdel = ISC_TRUE;
+				break;
+			}
+
+			do {
+				switch (*p++) {
+				case 'C':
+					printcreate = ISC_TRUE;
+					break;
+				case 'P':
+					printpub = ISC_TRUE;
+					break;
+				case 'A':
+					printact = ISC_TRUE;
+					break;
+				case 'R':
+					printrev = ISC_TRUE;
+					break;
+				case 'U':
+					printunpub = ISC_TRUE;
+					break;
+				case 'D':
+					printdel = ISC_TRUE;
+					break;
+				case ' ':
+					break;
+				default:
+					usage();
+					break;
+				}
+			} while (*p != '\0');
+			break;
+		case 'u':
+			epoch = ISC_TRUE;
+			break;
 		case 'K':
 			/*
 			 * We don't have to copy it here, but do it to
@@ -144,29 +213,69 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			break;
 		case 'P':
-			print = ISC_FALSE;
-			setpub = ISC_TRUE;
-			pub = strtotime(isc_commandline_argument, now, now);
+                        if (setpub || unsetpub)
+                                fatal("-P specified more than once");
+
+			changed = ISC_TRUE;
+			if (!strcasecmp(isc_commandline_argument, "none")) {
+				unsetpub = ISC_TRUE;
+			} else {
+				setpub = ISC_TRUE;
+				pub = strtotime(isc_commandline_argument,
+						now, now);
+			}
 			break;
 		case 'A':
-			print = ISC_FALSE;
-			setact = ISC_TRUE;
-			act = strtotime(isc_commandline_argument, now, now);
+                        if (setact || unsetact)
+                                fatal("-A specified more than once");
+
+			changed = ISC_TRUE;
+			if (!strcasecmp(isc_commandline_argument, "none")) {
+				unsetact = ISC_TRUE;
+			} else {
+				setact = ISC_TRUE;
+				act = strtotime(isc_commandline_argument,
+						now, now);
+			}
 			break;
 		case 'R':
-			print = ISC_FALSE;
-			setrev = ISC_TRUE;
-			rev = strtotime(isc_commandline_argument, now, now);
+                        if (setrev || unsetrev)
+                                fatal("-R specified more than once");
+
+			changed = ISC_TRUE;
+			if (!strcasecmp(isc_commandline_argument, "none")) {
+				unsetrev = ISC_TRUE;
+			} else {
+				setrev = ISC_TRUE;
+				rev = strtotime(isc_commandline_argument,
+						now, now);
+			}
 			break;
 		case 'U':
-			print = ISC_FALSE;
-			setunpub = ISC_TRUE;
-			unpub = strtotime(isc_commandline_argument, now, now);
+                        if (setunpub || unsetunpub)
+                                fatal("-U specified more than once");
+
+			changed = ISC_TRUE;
+			if (!strcasecmp(isc_commandline_argument, "none")) {
+				unsetunpub = ISC_TRUE;
+			} else {
+				setunpub = ISC_TRUE;
+				unpub = strtotime(isc_commandline_argument,
+						now, now);
+			}
 			break;
 		case 'D':
-			print = ISC_FALSE;
-			setdel = ISC_TRUE;
-			del = strtotime(isc_commandline_argument, now, now);
+                        if (setdel || unsetdel)
+                                fatal("-D specified more than once");
+
+			changed = ISC_TRUE;
+			if (!strcasecmp(isc_commandline_argument, "none")) {
+				unsetdel = ISC_TRUE;
+			} else {
+				setdel = ISC_TRUE;
+				del = strtotime(isc_commandline_argument,
+						now, now);
+			}
 			break;
 		case '?':
 			if (isc_commandline_option != '?')
@@ -220,41 +329,84 @@ main(int argc, char **argv) {
 	key_format(key, keystr, sizeof(keystr));
 
 	/* Is this an old-style key? */
-	result = dst_key_gettime(key, DST_TIME_CREATED, &when);
-	if (result == ISC_R_NOTFOUND) {
-		if (forceupdate)
+	dst_key_getprivateformat(key, &major, &minor);
+	if (major <= 1 && minor <= 2) {
+		if (forceupdate) {
+			/*
+			 * Updating to new-style key: set
+			 * Private-key-format to 1.3
+			 */
+			dst_key_setprivateformat(key, 1, 3);
 			dst_key_settime(key, DST_TIME_CREATED, now);
-		else
+		} else
 			fatal("Incompatible key %s, "
-			      "use -f force update.", keystr);
+			      "use -f to force update.", keystr);
 	}
 
 	if (verbose > 2)
 		fprintf(stderr, "%s: %s\n", program, keystr);
 
-	if (print) {
-		printtime(key, DST_TIME_CREATED, "Created", stdout);
-		printtime(key, DST_TIME_PUBLISH, "Publish", stdout);
-		printtime(key, DST_TIME_ACTIVATE, "Activate", stdout);
-		printtime(key, DST_TIME_REVOKE, "Revoke", stdout);
-		printtime(key, DST_TIME_REMOVE, "Remove", stdout);
-		printtime(key, DST_TIME_DELETE, "Delete", stdout);
-	} else {
-		if (setpub)
-			dst_key_settime(key, DST_TIME_PUBLISH, pub);
+	/*
+	 * Set time values.
+	 */
+	if (setpub)
+		dst_key_settime(key, DST_TIME_PUBLISH, pub);
+	else if (unsetpub)
+		dst_key_unsettime(key, DST_TIME_PUBLISH);
 
-		if (setact)
-			dst_key_settime(key, DST_TIME_ACTIVATE, act);
+	if (setact)
+		dst_key_settime(key, DST_TIME_ACTIVATE, act);
+	else if (unsetact)
+		dst_key_unsettime(key, DST_TIME_ACTIVATE);
 
-		if (setrev)
-			dst_key_settime(key, DST_TIME_REVOKE, rev);
+	if (setrev) {
+                if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+                        fprintf(stderr, "%s: warning: Key %s is already "
+					"revoked; changing the revocation date "
+					"will not affect this.\n",
+					program, keystr);
+		dst_key_settime(key, DST_TIME_REVOKE, rev);
+	} else if (unsetrev) {
+                if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+                        fprintf(stderr, "%s: warning: Key %s is already "
+					"revoked; removing the revocation date "
+					"will not affect this.\n",
+					program, keystr);
+		dst_key_unsettime(key, DST_TIME_REVOKE);
+        }
 
-		if (setunpub)
-			dst_key_settime(key, DST_TIME_REMOVE, unpub);
+	if (setunpub)
+		dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
+	else if (unsetunpub)
+		dst_key_unsettime(key, DST_TIME_UNPUBLISH);
 
-		if (setdel)
-			dst_key_settime(key, DST_TIME_DELETE, del);
+	if (setdel)
+		dst_key_settime(key, DST_TIME_DELETE, del);
+	else if (unsetdel)
+		dst_key_unsettime(key, DST_TIME_DELETE);
 
+	/*
+	 * Print out time values, if -p was used.
+	 */
+	if (printcreate)
+		printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
+
+	if (printpub)
+		printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
+
+	if (printact)
+		printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
+
+	if (printrev)
+		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
+
+	if (printunpub)
+		printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
+
+	if (printdel)
+		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
+
+	if (changed) {
 		isc_buffer_init(&buf, newname, sizeof(newname));
 		result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
 					       &buf);
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 7e0142e87a..224df4d3dc 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     July 15, 2009
@@ -135,10 +135,12 @@
     
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To unset a date, use 'none'.
     
 
     
@@ -202,6 +204,44 @@
     
   
 
+  
+    PRINTING OPTIONS
+    
+      dnssec-settime can also be used to print the
+      timing metadata associated with a key.
+    
+
+    
+      
+	-u
+        
+	  
+	    Print times in UNIX epoch format.
+	  
+        
+      
+
+      
+        -p C/P/A/R/U/D/all
+        
+	  
+	    Print a specific metadata value or set of metadata values.
+            The  option may be followed by one or more
+            of the following letters to indicate which value or values to print:
+             for the creation date,
+             for the publication date,
+             for the activation date,
+             for the revokation date,
+             for the unpublication date, or
+             for the deletion date.
+            To print all of the metadata, use .
+	  
+        
+      
+
+    
+  
+
   
     SEE ALSO
     
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d369298227..a9e356423e 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.228 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dnssec-signzone.c,v 1.229 2009/09/02 06:29:00 each Exp $ */
 
 /*! \file */
 
@@ -130,6 +130,7 @@ static isc_boolean_t printstats = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
 static isc_entropy_t *ectx = NULL;
 static dns_ttl_t zone_soa_min_ttl;
+static dns_ttl_t soa_ttl;
 static FILE *fp;
 static char *tempfile = NULL;
 static const dns_master_style_t *masterstyle;
@@ -160,7 +161,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
 static unsigned int hash_length = 0;
 static isc_boolean_t unknownalg = ISC_FALSE;
 static isc_boolean_t disable_zone_check = ISC_FALSE;
-static int keyttl = 3600;
+static isc_boolean_t set_keyttl = ISC_FALSE;
+static dns_ttl_t keyttl;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -1128,17 +1130,15 @@ active_node(dns_dbnode_t *node) {
 }
 
 /*%
- * Extracts the minimum TTL from the SOA.
+ * Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
  */
-static dns_ttl_t
-soa_min_ttl(void) {
+static void
+get_soa_ttls(void) {
 	dns_rdataset_t soaset;
 	dns_fixedname_t fname;
 	dns_name_t *name;
 	isc_result_t result;
-	dns_ttl_t ttl;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_soa_t soa;
 
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
@@ -1152,11 +1152,9 @@ soa_min_ttl(void) {
 	result = dns_rdataset_first(&soaset);
 	check_result(result, "dns_rdataset_first");
 	dns_rdataset_current(&soaset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, NULL);
-	check_result(result, "dns_rdata_tostruct");
-	ttl = soa.minimum;
+	zone_soa_min_ttl = dns_soa_getminimum(&rdata);
+	soa_ttl = soaset.ttl;
 	dns_rdataset_disassociate(&soaset);
-	return (ttl);
 }
 
 /*%
@@ -2530,6 +2528,14 @@ loadzonekeys(dns_db_t *db) {
 				     &rdataset, NULL);
 
 	if (result == ISC_R_SUCCESS) {
+		if (set_keyttl && keyttl != rdataset.ttl) {
+			fprintf(stderr, "User-specified TTL (%d) conflicts "
+					"with existing DNSKEY RRset TTL.\n",
+					keyttl);
+			fprintf(stderr, "Imported keys will use the RRSet "
+					"TTL (%d) instead.\n",
+					rdataset.ttl);
+		}
 		keyttl = rdataset.ttl;
 		if (dns_rdataset_isassociated(&rdataset))
 			dns_rdataset_disassociate(&rdataset);
@@ -2744,7 +2750,7 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 			make_dnskey(key1->key, &dnskey);
 
 			alg_format(dst_key_alg(key1->key), alg, sizeof(alg));
-			fprintf(stderr, "Fetching %s %d/%s from key %s.\n",
+			fprintf(stderr, "Fetching %s %d/%s from key %s\n",
 					isksk(key1) ?
 					    (iszsk(key1) ?  "KSK/ZSK" : "KSK") :
 					    "ZSK",
@@ -2753,6 +2759,19 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 						"file" :
 						"repository");
 
+			if (key1->prepublish && keyttl > key1->prepublish) {
+				char keystr[KEY_FORMATSIZE];
+				key_format(key1->key, keystr, sizeof(keystr));
+				fatal("Key %s is scheduled to\n"
+				      "become active in %d seconds.  "
+				      "This is less than the DNSKEY TTL\n"
+				      "value of %d seconds.  Reduce "
+				      "the TTL, or change the activation\n"
+				      "date of the key using "
+				      "'dnssec-settime -A'.",
+				      keystr, key1->prepublish, keyttl);
+			}
+
 			/* add key to the zone */
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      gorigin, keyttl,
@@ -3324,9 +3343,8 @@ main(int argc, char *argv[]) {
 
 		case 'T':
 			endp = NULL;
-			keyttl = strtol(isc_commandline_argument, &endp, 0);
-			if (*endp != '\0')
-				fatal("key TTL must be numeric");
+			set_keyttl = ISC_TRUE;
+			keyttl = strtottl(isc_commandline_argument);
 			break;
 
 		case 't':
@@ -3382,15 +3400,11 @@ main(int argc, char *argv[]) {
 	isc_stdtime_get(&now);
 
 	if (startstr != NULL) {
-		if (startstr[0] == '-' || strncmp(startstr, "now-", 4) == 0)
-			fatal("time value %s is invalid", startstr);
 		starttime = strtotime(startstr, now, now);
 	} else
 		starttime = now - 3600;  /* Allow for some clock skew. */
 
 	if (endstr != NULL) {
-		if (endstr[0] == '-' || strncmp(endstr, "now-", 4) == 0)
-			fatal("time value %s is invalid", endstr);
 		endtime = strtotime(endstr, now, starttime);
 	} else
 		endtime = starttime + (30 * 24 * 60 * 60);
@@ -3471,7 +3485,10 @@ main(int argc, char *argv[]) {
 	loadzone(file, origin, rdclass, &gdb);
 	gorigin = dns_db_origin(gdb);
 	gclass = dns_db_class(gdb);
-	zone_soa_min_ttl = soa_min_ttl();
+	get_soa_ttls();
+
+	if (!set_keyttl)
+		keyttl = soa_ttl;
 
 	if (IS_NSEC3) {
 		isc_boolean_t answer;
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index d22fd6c0f9..d6e5bb79a9 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -124,6 +124,20 @@
         
       
 
+      
+        -C
+        
+          
+            Compatibility mode: Generate a
+            keyset-zonename
+            file in addition to
+            dsset-zonename
+            when signing a zone, for use by older versions of
+            dnssec-signzone.
+          
+        
+      
+
       
         -d directory
         
@@ -202,6 +216,8 @@
             the start time.  A time relative to the current time is
             indicated with now+N.  If no  is
             specified, 30 days from the start time is used as a default.
+             must be later than
+            .
           
         
       
@@ -477,8 +493,15 @@
         -T ttl
         
           
-            Specifies the TTL of new DNSKEY records imported to the zone
-            from the key repository.  Only useful with the -S option.
+            Specifies the TTL to be used for new DNSKEY records imported
+            into the zone from the key repository.  If not specified,
+            the default is the minimum TTL value from the zone's SOA
+            record.  This option is ignored when signing without
+            , since DNSKEY records are not imported
+            from the key repository in that case.  It is also ignored if
+            there are any pre-existing DNSKEY records at the zone apex,
+            in which case new records' TTL values will be set to match
+            them.
           
         
       
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 32a8537438..225e48ca90 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.50 2009/08/13 04:13:58 marka Exp $ */
+/* $Id: dnssectool.c,v 1.51 2009/09/02 06:29:01 each Exp $ */
 
 /*! \file */
 
@@ -266,12 +266,23 @@ cleanup_entropy(isc_entropy_t **ectx) {
 }
 
 static isc_stdtime_t
-time_units(isc_stdtime_t offset, char suffix, const char *str) {
-	switch(suffix) {
+time_units(isc_stdtime_t offset, char *suffix, const char *str) {
+	switch (suffix[0]) {
 	    case 'Y': case 'y':
 		return (offset * (365 * 24 * 3600));
 	    case 'M': case 'm':
-		return (offset * (30 * 24 * 3600));
+		switch (suffix[1]) {
+		    case 'O': case 'o':
+			return (offset * (30 * 24 * 3600));
+		    case 'I': case 'i':
+			return (offset * 60);
+		    case '\0':
+			fatal("'%s' ambiguous: use 'mi' for minutes "
+			      "or 'mo' for months", str);
+		    default:
+			fatal("time value %s is invalid", str);
+		}
+		break;
 	    case 'W': case 'w':
 		return (offset * (7 * 24 * 3600));
 	    case 'D': case 'd':
@@ -286,6 +297,19 @@ time_units(isc_stdtime_t offset, char suffix, const char *str) {
 	return(0); /* silence compiler warning */
 }
 
+dns_ttl_t
+strtottl(const char *str) {
+	const char *orig = str;
+	dns_ttl_t ttl;
+	char *endp;
+
+	ttl = strtol(str, &endp, 0);
+        if (ttl == 0 && endp == str)
+                fatal("TTL must be numeric");
+	ttl = time_units(ttl, endp, orig);
+	return (ttl);
+}
+
 isc_stdtime_t
 strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 	isc_int64_t val, offset;
@@ -305,11 +329,11 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 		return ((isc_stdtime_t) base);
 	else if (str[0] == '+') {
 		offset = strtol(str + 1, &endp, 0);
-		offset = time_units(offset, *endp, orig);
+		offset = time_units(offset, endp, orig);
 		val = base + offset;
 	} else if (str[0] == '-') {
 		offset = strtol(str + 1, &endp, 0);
-		offset = time_units(offset, *endp, orig);
+		offset = time_units(offset, endp, orig);
 		val = base - offset;
 	} else if (strlen(str) == 8U) {
 		char timestr[15];
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index ee476f4ea7..3506184d98 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.23 2009/09/02 06:29:01 each Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -67,6 +67,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
 void
 cleanup_entropy(isc_entropy_t **ectx);
 
+dns_ttl_t strtottl(const char *str);
+
 isc_stdtime_t
 strtotime(const char *str, isc_int64_t now, isc_int64_t base);
 
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index ba65203889..906af63866 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.98 2009/07/19 23:47:55 tbox Exp $
+ * $Id: dnssec.c,v 1.99 2009/09/02 06:29:01 each Exp $
  */
 
 /*! \file */
@@ -958,8 +958,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 		     dns_dnsseckey_t **dkp)
 {
 	isc_result_t result;
-	isc_stdtime_t when;
 	dns_dnsseckey_t *dk;
+	int major, minor;
 
 	REQUIRE(dkp != NULL && *dkp == NULL);
 	dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
@@ -973,6 +973,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 	dk->hint_publish = ISC_FALSE;
 	dk->hint_sign = ISC_FALSE;
 	dk->hint_remove = ISC_FALSE;
+        dk->prepublish = 0;
 	dk->source = dns_keysource_unknown;
 	dk->index = 0;
 
@@ -980,8 +981,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 	dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
 
 	/* Is this an old-style key? */
-	result = dst_key_gettime(dk->key, DST_TIME_CREATED, &when);
-	dk->legacy = ISC_TF(result != ISC_R_SUCCESS);
+	result = dst_key_getprivateformat(dk->key, &major, &minor);
+	dk->legacy = ISC_TF(major == 1 && minor <= 2);
 
 	ISC_LINK_INIT(dk, link);
 	*dkp = dk;
@@ -1003,7 +1004,7 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
 static void
 get_hints(dns_dnsseckey_t *key) {
 	isc_result_t result;
-	isc_stdtime_t now, publish, active, revoke, remove, delete;
+	isc_stdtime_t now, publish, active, revoke, unpublish, delete;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
 	isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
 	isc_boolean_t delset = ISC_FALSE;
@@ -1024,7 +1025,7 @@ get_hints(dns_dnsseckey_t *key) {
 	if (result == ISC_R_SUCCESS)
 		revset = ISC_TRUE;
 
-	result = dst_key_gettime(key->key, DST_TIME_REMOVE, &remove);
+	result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
 	if (result == ISC_R_SUCCESS)
 		remset = ISC_TRUE;
 
@@ -1056,6 +1057,13 @@ get_hints(dns_dnsseckey_t *key) {
 	if (actset && !pubset)
 		key->hint_publish = ISC_TRUE;
 
+        /*
+         * If activation date is in the future, make note of how far off
+         */
+        if (key->hint_publish && actset && active > now) {
+                key->prepublish = active - now;
+        }
+
 	/*
 	 * Metadata says revoke.  If the key is published,
 	 * we *have to* sign with it per RFC5011--even if it was
@@ -1074,10 +1082,10 @@ get_hints(dns_dnsseckey_t *key) {
 	}
 
 	/*
-	 * Metadata says remove or delete, so don't publish
+	 * Metadata says unpublish or delete, so don't publish
 	 * this key or sign with it.
 	 */
-	if ((remset && remove < now) ||
+	if ((remset && unpublish < now) ||
 	    (delset && delete < now)) {
 		key->hint_publish = ISC_FALSE;
 		key->hint_sign = ISC_FALSE;
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 71fd242ca6..ae08c00670 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.27 2009/09/01 00:22:26 jinmei Exp $
+ * $Id: dst_api.c,v 1.28 2009/09/02 06:29:01 each Exp $
  */
 
 /*! \file */
@@ -786,7 +786,7 @@ dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(timep != NULL);
 	REQUIRE(type <= DST_MAX_TIMES);
-	if (key->times[type] == 0)
+	if (!key->timeset[type])
 		return (ISC_R_NOTFOUND);
 	*timep = key->times[type];
 	return (ISC_R_SUCCESS);
@@ -797,6 +797,31 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(type <= DST_MAX_TIMES);
 	key->times[type] = when;
+	key->timeset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsettime(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_TIMES);
+	key->timeset[type] = ISC_FALSE;
+}
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(majorp != NULL);
+	REQUIRE(minorp != NULL);
+	*majorp = key->fmt_major;
+	*minorp = key->fmt_minor;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
+	REQUIRE(VALID_KEY(key));
+	key->fmt_major = major;
+	key->fmt_minor = minor;
 }
 
 isc_boolean_t
@@ -954,6 +979,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 {
 	dst_key_t *key;
 	isc_result_t result;
+	int i;
 
 	key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
 	if (key == NULL)
@@ -977,12 +1003,17 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 	key->key_alg = alg;
 	key->key_flags = flags;
 	key->key_proto = protocol;
-	memset(key->times, 0, sizeof(key->times));
 	key->mctx = mctx;
 	key->keydata.generic = NULL;
 	key->key_size = bits;
 	key->key_class = rdclass;
 	key->func = dst_t_func[alg];
+	key->fmt_major = 0;
+	key->fmt_minor = 0;
+	for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
+		key->times[i] = 0;
+		key->timeset[i] = ISC_FALSE;
+	}
 	return (key);
 }
 
@@ -1242,7 +1273,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
 		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
 		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
-		printtime(key, DST_TIME_REMOVE, "; Remove", fp);
+		printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
 		printtime(key, DST_TIME_DELETE, "; Delete", fp);
 	}
 
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 6bdd5ed2e6..7adc68d328 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.15 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dst_internal.h,v 1.16 2009/09/02 06:29:01 each Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -117,6 +117,11 @@ struct dst_key {
 	} keydata;			/*%< pointer to key in crypto pkg fmt */
 
 	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< key timing metadata */
+	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< metadata set? */
+
+	int		fmt_major;     /*%< private key format, major version */
+	int		fmt_minor;     /*%< private key format, minor version */
+
 	dst_func_t *    func;	       /*%< crypto package specific functions */
 };
 
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index af66e74670..807fc0562c 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.19 2009/07/19 23:47:55 tbox Exp $
+ * $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $
  */
 
 #include 
@@ -62,7 +62,7 @@ static const char *metatags[METADATA_NTAGS] = {
 	"Publish:",
 	"Activate:",
 	"Revoke:",
-	"Remove:",
+	"Unpublish:",
 	"Delete:"
 };
 
@@ -309,7 +309,7 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
 	priv->nelements = 0;
 }
 
-int
+isc_result_t
 dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		      isc_mem_t *mctx, dst_private_t *priv)
 {
@@ -373,6 +373,11 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		goto fail;
 	}
 
+	/*
+	 * Store the private key format version number
+	 */
+	dst_key_setprivateformat(key, major, minor);
+
 	READLINE(lex, opt, &token);
 
 	/*
@@ -474,7 +479,7 @@ fail:
 	return (ret);
 }
 
-int
+isc_result_t
 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 			  const char *directory)
 {
@@ -487,6 +492,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	isc_stdtime_t when;
 	isc_buffer_t b;
 	isc_region_t r;
+	int major, minor;
 
 	REQUIRE(priv != NULL);
 
@@ -507,11 +513,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 			 &access);
 	(void)isc_fsaccess_set(filename, access);
 
+	dst_key_getprivateformat(key, &major, &minor);
+	if (major == 0 && minor == 0) {
+		major = MAJOR_VERSION;
+		minor = MINOR_VERSION;
+	}
+
 	/* XXXDCL return value should be checked for full filesystem */
-	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
-		MINOR_VERSION);
+	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
 
 	fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (dst_key_alg(key)) {
 	case DST_ALG_RSAMD5:
@@ -576,21 +588,23 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	}
 
 	/* Add the timing metadata tags */
-	for (i = 0; i < METADATA_NTAGS; i++) {
-		result = dst_key_gettime(key, i, &when);
-		if (result != ISC_R_SUCCESS)
-			continue;
+	if (major > 1 || (major == 1 && minor >= 3)) {
+		for (i = 0; i < METADATA_NTAGS; i++) {
+			result = dst_key_gettime(key, i, &when);
+			if (result != ISC_R_SUCCESS)
+				continue;
 
-		isc_buffer_init(&b, buffer, sizeof(buffer));
-		result = dns_time32_totext(when, &b);
-		if (result != ISC_R_SUCCESS)
-			continue;
+			isc_buffer_init(&b, buffer, sizeof(buffer));
+			result = dns_time32_totext(when, &b);
+			if (result != ISC_R_SUCCESS)
+				continue;
 
-		isc_buffer_usedregion(&b, &r);
+			isc_buffer_usedregion(&b, &r);
 
-		fprintf(fp, "%s ", metatags[i]);
-		fwrite(r.base, 1, r.length, fp);
-		fprintf(fp, "\n");
+			fprintf(fp, "%s ", metatags[i]);
+			fwrite(r.base, 1, r.length, fp);
+			fprintf(fp, "\n");
+		}
 	}
 
 	fflush(fp);
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index 66c4399fa9..d893c2dc2a 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.13 2009/07/19 23:47:55 tbox Exp $ */
+/* $Id: dst_parse.h,v 1.14 2009/09/02 06:29:01 each Exp $ */
 
 /*! \file */
 #ifndef DST_DST_PARSE_H
@@ -126,11 +126,11 @@ ISC_LANG_BEGINDECLS
 void
 dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
 
-int
+isc_result_t
 dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		      isc_mem_t *mctx, dst_private_t *priv);
 
-int
+isc_result_t
 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 			  const char *directory);
 
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index ea1c916761..9064a73752 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.35 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dnssec.h,v 1.36 2009/09/02 06:29:01 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -52,6 +52,7 @@ struct dns_dnsseckey {
 	isc_boolean_t hint_sign;     /*% metadata says to sign with this key */
 	isc_boolean_t force_sign;    /*% sign with key regardless of metadata */
 	isc_boolean_t hint_remove;   /*% metadata says *don't* publish */
+	unsigned int prepublish;     /*% how long until active? */
 	dns_keysource_t source;      /*% how the key was found */
 	isc_boolean_t ksk;           /*% this is a key-signing key */
 	isc_boolean_t legacy;        /*% this is old-style key with no
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 0236248f60..258e6143c2 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.16 2009/07/19 04:18:05 each Exp $ */
+/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -84,7 +84,7 @@ typedef struct dst_context 	dst_context_t;
 #define DST_TIME_PUBLISH	1
 #define DST_TIME_ACTIVATE	2
 #define DST_TIME_REVOKE 	3
-#define DST_TIME_REMOVE 	4
+#define DST_TIME_UNPUBLISH	4
 #define DST_TIME_DELETE 	5
 #define DST_MAX_TIMES		5
 
@@ -683,6 +683,39 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
  *	"type" is no larger than DST_MAX_TIMES
  */
 
+void
+dst_key_unsettime(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the timing metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ */
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
+/*%<
+ * Get the private key format version number.  (If the key does not have
+ * a private key associated with it, the version will be 0.0.)  The major
+ * version number is placed in '*majorp', and the minor version number in
+ * '*minorp'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"majorp" is not NULL.
+ *	"minorp" is not NULL.
+ */
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor);
+/*%<
+ * Set the private key format version number.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_H */
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 4ed7c413b4..f934ad7dc4 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -866,6 +866,7 @@ dst_key_fromgssapi
 dst_key_fromlabel
 dst_key_fromnamedfile
 dst_key_generate
+dst_key_getprivateformat
 dst_key_gettime
 dst_key_id
 dst_key_isnullkey
@@ -877,12 +878,14 @@ dst_key_proto
 dst_key_secretsize
 dst_key_setbits
 dst_key_setflags
+dst_key_setprivateformat
 dst_key_settime
 dst_key_sigsize
 dst_key_size
 dst_key_tobuffer
 dst_key_todns
 dst_key_tofile
+dst_key_unsettime
 dst_lib_destroy
 dst_lib_init
 dst_lib_initmsgcat

From d699672160ba01589227ac046a28e20d55336fac Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 06:41:31 +0000
Subject: [PATCH 080/385] Initial prep for 9.7.0a3 release.

---
 CHANGES |  2 +-
 README  | 13 +++++++++----
 version |  4 ++--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6abf383fa3..18dc3e0985 100644
--- a/CHANGES
+++ b/CHANGES
@@ -48,7 +48,7 @@
 
 2656.	[func]		win32: add a "tools only" check box to the installer
 			which causes it to only install dig, host, nslookup,
-			nsupdate and relevent dlls.  [RT #19998]
+			nsupdate and relevant DLLs.  [RT #19998]
 
 2655.	[doc]		Document that key-directory does not affect
 			bind.keys, rndc.key or session.key.  [RT #20155]
diff --git a/README b/README
index f2962f2946..333a881a35 100644
--- a/README
+++ b/README
@@ -62,11 +62,16 @@ BIND 9.7.0
 	  share a single cache.
 	- DNS rebinding attack prevention.
 	- New default values for dnssec-keygen parameters.
-	- Support for RFC 5011 (automated trust anchor maintenance)
+	- Support for RFC 5011 (automated trust anchor maintenance).
 	- Smart signing: simplified tools for zone signing and key
-	  maintenance
-	- The "statistics-channels" option is now available on Windows
-        - DNSSEC-aware libdns API
+	  maintenance.
+	- The "statistics-channels" option is now available on Windows.
+        - A new DNSSEC-aware libdns API for use by non-BIND9 applications
+          (see README.libdns for details).
+        - On some platforms, named and other binaries can now print out
+          a stack backtrace an assertion failure, to aid in debugging.
+        - A "tools only" installation mode on Windows, which only installs
+          dig, host, nslookup and nsupdate.
 
 	Planned but not complete in this alpha:
 
diff --git a/version b/version
index 80321bfc0f..05fab79b9e 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.46 2009/07/19 04:18:03 each Exp $
+# $Id: version,v 1.47 2009/09/02 06:41:31 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=7
 PATCHVER=0
 RELEASETYPE=a
-RELEASEVER=2
+RELEASEVER=3

From ae6bd1ae93b076ce4b19efd8da075e669329d329 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 2 Sep 2009 08:41:06 +0000
Subject: [PATCH 081/385] trivial fix: second Step 2 -> 3

---
 win32utils/win32-build.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index fcf4e20db8..cf181c37a1 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: win32-build.txt,v 1.15 2009/07/17 23:47:41 tbox Exp $
+$Id: win32-build.txt,v 1.16 2009/09/02 08:41:06 fdupont Exp $
 
        BIND 9.7 for Win32 Source Build Instructions.  02-Jul-2009
 
@@ -80,7 +80,7 @@ directories:
  cscript configure.js compiler=msvc vcmanifest=yes static=yes debug=no iconv=no
  nmake /f Makefile.msvc libxml
 
-Step 2: Building BIND
+Step 3: Building BIND
 
 You must build openssl and libxml2 first. 
 

From 3a6b6f5b11a6db4677a5e244a852ec33defffce5 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 16:10:03 +0000
Subject: [PATCH 082/385] remove references to the "ddns-autoconf" option,
 which no longer exists

---
 lib/bind9/check.c      | 3 +--
 lib/isccfg/namedconf.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 423e1f8db6..cb28c9f850 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.107 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: check.c,v 1.108 2009/09/02 16:10:03 each Exp $ */
 
 /*! \file */
 
@@ -1083,7 +1083,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "notify", MASTERZONE | SLAVEZONE },
 	{ "also-notify", MASTERZONE | SLAVEZONE },
 	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "ddns-autoconf", MASTERZONE },
 	{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
 	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
 	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index aef85edddd..c2f899833b 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.104 2009/09/01 07:14:26 each Exp $ */
+/* $Id: namedconf.c,v 1.105 2009/09/02 16:10:03 each Exp $ */
 
 /*! \file */
 
@@ -1163,7 +1163,6 @@ zone_only_clauses[] = {
 	{ "masters", &cfg_type_namesockaddrkeylist, 0 },
 	{ "pubkey", &cfg_type_pubkey,
 	  CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
-	{ "ddns-autoconf", &cfg_type_boolean, 0 },
 	{ "update-policy", &cfg_type_updatepolicy, 0 },
 	{ "database", &cfg_type_astring, 0 },
 	{ "delegation-only", &cfg_type_boolean, 0 },

From 63b17e175fc75adebf16563b08c89d54e6dfa253 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 16:39:20 +0000
Subject: [PATCH 083/385] retroactively added a note to change 2630 that
 "ddns-autoconf" has been removed.

---
 CHANGES | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 18dc3e0985..dd97e65a20 100644
--- a/CHANGES
+++ b/CHANGES
@@ -137,7 +137,8 @@
 
 2630.	[func]		Improved syntax for DDNS autoconfiguration:  use
 			"update-policy local;" to switch on local DDNS in a
-			zone.  [RT #19875]
+			zone. (The "ddns-autoconf" option has been removed.)
+                        [RT #19875]
 
 2629.	[port]		Check for seteuid()/setegid(), use setresuid()/
 			setresgid() if not present. [RT #19932]

From a21cde02918c25b3a459c38129382ae3ca0d8914 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 17:23:45 +0000
Subject: [PATCH 084/385] update win32 libisc.def

---
 lib/isc/win32/libisc.def | 224 +++++++++++++++++++--------------------
 1 file changed, 112 insertions(+), 112 deletions(-)

diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 151a4e3d08..2c5a44801d 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -26,26 +26,26 @@ isc__buffer_remainingregion
 isc__buffer_setactive
 isc__buffer_subtract
 isc__buffer_usedregion
-isc__mem_allocate
-isc__mem_free
-isc__mem_get
-isc__mem_put
-isc__mem_putanddetach
+isc___mem_allocate
+isc___mem_free
+isc___mem_get
+isc___mem_put
+isc___mem_putanddetach
 isc__mem_reallocate
-isc__mem_strdup
-isc__mempool_get
-isc__mempool_put
-isc__socketmgr_maxudp
+isc___mem_strdup
+isc___mempool_get
+isc___mempool_put
+isc___socketmgr_maxudp
 isc__socketmgr_setreserved
 isc__strerror
-isc_app_block
-isc_app_finish
-isc_app_onrun
-isc_app_reload
-isc_app_run
-isc_app_shutdown
-isc_app_start
-isc_app_unblock
+isc__app_block
+isc__app_finish
+isc__app_onrun
+isc__app_reload
+isc__app_run
+isc__app_shutdown
+isc__app_start
+isc__app_unblock
 isc_assertion_setcallback
 isc_assertion_typetotext
 isc_base32_decoderegion
@@ -252,39 +252,39 @@ isc_md5_final
 isc_md5_init
 isc_md5_invalidate
 isc_md5_update
-isc_mem_attach
-isc_mem_checkdestroyed
-isc_mem_create
-isc_mem_create2
-isc_mem_createx
-isc_mem_createx2
-isc_mem_destroy
-isc_mem_detach
-isc_mem_getname
-isc_mem_getquota
-isc_mem_gettag
-isc_mem_inuse
-isc_mem_ondestroy
-isc_mem_references
+isc__mem_attach
+isc__mem_checkdestroyed
+isc__mem_create
+isc__mem_create2
+isc__mem_createx
+isc__mem_createx2
+isc__mem_destroy
+isc__mem_detach
+isc__mem_getname
+isc__mem_getquota
+isc__mem_gettag
+isc__mem_inuse
+isc__mem_ondestroy
+isc__mem_references
 isc_mem_renderxml
-isc_mem_setdestroycheck
-isc_mem_setname
-isc_mem_setquota
-isc_mem_setwater
-isc_mem_stats
-isc_mem_waterack
-isc_mempool_associatelock
-isc_mempool_create
-isc_mempool_destroy
-isc_mempool_getallocated
-isc_mempool_getfillcount
-isc_mempool_getfreecount
-isc_mempool_getfreemax
-isc_mempool_getmaxalloc
-isc_mempool_setfillcount
-isc_mempool_setfreemax
-isc_mempool_setmaxalloc
-isc_mempool_setname
+isc__mem_setdestroycheck
+isc__mem_setname
+isc__mem_setquota
+isc__mem_setwater
+isc__mem_stats
+isc__mem_waterack
+isc__mempool_associatelock
+isc__mempool_create
+isc__mempool_destroy
+isc__mempool_getallocated
+isc__mempool_getfillcount
+isc__mempool_getfreecount
+isc__mempool_getfreemax
+isc__mempool_getmaxalloc
+isc__mempool_setfillcount
+isc__mempool_setfreemax
+isc__mempool_setmaxalloc
+isc__mempool_setname
 isc_msgcat_close
 isc_msgcat_get
 isc_msgcat_open
@@ -415,41 +415,41 @@ isc_sockaddr_pf
 isc_sockaddr_setport
 isc_sockaddr_totext
 isc_sockaddr_v6fromin
-isc_socket_accept
-isc_socket_attach
-isc_socket_bind
-isc_socket_cancel
-isc_socket_cleanunix
-isc_socket_close
-isc_socket_connect
-isc_socket_create
-isc_socket_detach
-isc_socket_filter
-isc_socket_getname
-isc_socket_getpeername
-isc_socket_getsockname
-isc_socket_gettag
-isc_socket_gettype
-isc_socket_ipv6only
-isc_socket_isbound
-isc_socket_listen
-isc_socket_open
-isc_socket_permunix
-isc_socket_recv
-isc_socket_recv2
-isc_socket_recvv
-isc_socket_send
-isc_socket_sendto
-isc_socket_sendto2
-isc_socket_sendtov
-isc_socket_sendv
-isc_socket_setname
-isc_socketmgr_create
-isc_socketmgr_create2
-isc_socketmgr_destroy
-isc_socketmgr_getmaxsockets
+isc__socket_accept
+isc__socket_attach
+isc__socket_bind
+isc__socket_cancel
+isc__socket_cleanunix
+isc__socket_close
+isc__socket_connect
+isc__socket_create
+isc__socket_detach
+isc__socket_filter
+isc__socket_getname
+isc__socket_getpeername
+isc__socket_getsockname
+isc__socket_gettag
+isc__socket_gettype
+isc__socket_ipv6only
+isc__socket_isbound
+isc__socket_listen
+isc__socket_open
+isc__socket_permunix
+isc__socket_recv
+isc__socket_recv2
+isc__socket_recvv
+isc__socket_send
+isc__socket_sendto
+isc__socket_sendto2
+isc__socket_sendtov
+isc__socket_sendv
+isc__socket_setname
+isc__socketmgr_create
+isc__socketmgr_create2
+isc__socketmgr_destroy
+isc__socketmgr_getmaxsockets
 isc_socketmgr_renderxml
-isc_socketmgr_setstats
+isc__socketmgr_setstats
 isc_stats_create
 isc_stats_attach
 isc_stats_detach
@@ -482,27 +482,27 @@ isc_symtab_destroy
 isc_symtab_lookup
 isc_symtab_undefine
 isc_syslog_facilityfromstring
-isc_task_attach
-isc_task_beginexclusive
-isc_task_create
-isc_task_destroy
-isc_task_detach
-isc_task_endexclusive
-isc_task_getcurrenttime
-isc_task_getname
-isc_task_gettag
-isc_task_onshutdown
-isc_task_purge
-isc_task_purgeevent
-isc_task_purgerange
-isc_task_send
-isc_task_sendanddetach
-isc_task_setname
-isc_task_shutdown
-isc_task_unsend
-isc_task_unsendrange
-isc_taskmgr_create
-isc_taskmgr_destroy
+isc__task_attach
+isc__task_beginexclusive
+isc__task_create
+isc__task_destroy
+isc__task_detach
+isc__task_endexclusive
+isc__task_getcurrenttime
+isc__task_getname
+isc__task_gettag
+isc__task_onshutdown
+isc__task_purge
+isc__task_purgeevent
+isc__task_purgerange
+isc__task_send
+isc__task_sendanddetach
+isc__task_setname
+isc__task_shutdown
+isc__task_unsend
+isc__task_unsendrange
+isc__taskmgr_create
+isc__taskmgr_destroy
 isc_taskmgr_renderxml
 isc_taskpool_create
 isc_taskpool_destroy
@@ -526,14 +526,14 @@ isc_time_seconds
 isc_time_set
 isc_time_settoepoch
 isc_time_subtract
-isc_timer_attach
-isc_timer_create
-isc_timer_detach
-isc_timer_reset
-isc_timer_touch
-isc_timermgr_create
-isc_timermgr_destroy
-isc_timermgr_poke
+isc__timer_attach
+isc__timer_create
+isc__timer_detach
+isc__timer_reset
+isc__timer_touch
+isc__timermgr_create
+isc__timermgr_destroy
+isc__timermgr_poke
 isc_win32os_majorversion
 isc_win32os_minorversion
 isc_win32os_servicepackmajor

From e30d8c5a4728ca05720ec3fdefa99200e09dca39 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 17:58:06 +0000
Subject: [PATCH 085/385] missing include needed for win32 build

---
 lib/isc/win32/file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
index 494805c945..fabd5b6e10 100644
--- a/lib/isc/win32/file.c
+++ b/lib/isc/win32/file.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.c,v 1.34 2009/08/28 03:13:08 each Exp $ */
+/* $Id: file.c,v 1.35 2009/09/02 17:58:06 each Exp $ */
 
 #include 
 
@@ -36,6 +36,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "errno2result.h"
 

From 0c1326fa622333c81056167c237888a44282f853 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 18:00:51 +0000
Subject: [PATCH 086/385] add /D "BIND9" for win32 builds (we'll probably need
 a different project file for creating an exportable DLL)

---
 lib/isc/win32/libisc.dsp | 8 ++++----
 lib/isc/win32/libisc.mak | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/isc/win32/libisc.dsp b/lib/isc/win32/libisc.dsp
index 184cbff01d..3bbbed3f43 100644
--- a/lib/isc/win32/libisc.dsp
+++ b/lib/isc/win32/libisc.dsp
@@ -42,8 +42,8 @@ RSC=rc.exe
 # PROP Intermediate_Dir "Release"
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "include" /I "../include" /I "../noatomic/include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "include" /I "../include" /I "../noatomic/include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /c
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
@@ -70,8 +70,8 @@ LINK32=link.exe
 # PROP Intermediate_Dir "Debug"
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "include" /I "../include" /I "../noatomic/include" /I "win32" /I "../../isccfg/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR /YX /FD /GZ /c
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "include" /I "../include" /I "../noatomic/include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR /YX /FD /GZ /c
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak
index 9f9bc53620..4a23b26980 100644
--- a/lib/isc/win32/libisc.mak
+++ b/lib/isc/win32/libisc.mak
@@ -198,7 +198,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "win32" /I "../../isccfg/include" /I "../../../../libxml2-2.7.3/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "win32" /I "../../isccfg/include" /I "../../../../libxml2-2.7.3/include" /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 
@@ -467,7 +467,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "win32" /I "../../isccfg/include" /I "../../../../libxml2-2.7.3/include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/noatomic/include" /I "win32" /I "../../isccfg/include" /I "../../../../libxml2-2.7.3/include" /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 

From f0eecd4d62a8f51eca4cf6d20e8a78d3c2f61d81 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 18:32:25 +0000
Subject: [PATCH 087/385] changes needed for win32 build

---
 lib/isc/include/isc/socket.h | 12 ++++++++++--
 lib/isc/win32/socket.c       |  4 ++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 8f3f398168..11ee408935 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.91 2009/09/01 23:47:44 tbox Exp $ */
+/* $Id: socket.h,v 1.92 2009/09/02 18:32:25 each Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -296,16 +296,22 @@ typedef struct isc_socketmethods {
  * This structure is actually just the common prefix of a socket manager
  * object implementation's version of an isc_socketmgr_t.
  * \brief
- * Direct use of this structure by clients is forbidden.  mctx implementations
+ * Direct use of this structure by clients is forbidden.  socket implementations
  * may change the structure.  'magic' must be ISCAPI_SOCKETMGR_MAGIC for any
  * of the isc_socket_ routines to work.  socket implementations must maintain
  * all socket invariants.
+ * In effect, this definition is used only for non-BIND9 version ("export")
+ * of the library, and the export version does not work for win32.  So, to avoid
+ * the definition conflict with win32/socket.c, we enable this definition only
+ * for non-Win32 (i.e. Unix) platforms.
  */
+#ifndef WIN32
 struct isc_socketmgr {
 	unsigned int		impmagic;
 	unsigned int		magic;
 	isc_socketmgrmethods_t	*methods;
 };
+#endif
 
 #define ISCAPI_SOCKETMGR_MAGIC		ISC_MAGIC('A','s','m','g')
 #define ISCAPI_SOCKETMGR_VALID(m)	((m) != NULL && \
@@ -315,11 +321,13 @@ struct isc_socketmgr {
  * This is the common prefix of a socket object.  The same note as
  * that for the socketmgr structure applies.
  */
+#ifndef WIN32
 struct isc_socket {
 	unsigned int		impmagic;
 	unsigned int		magic;
 	isc_socketmethods_t	*methods;
 };
+#endif
 
 #define ISCAPI_SOCKET_MAGIC	ISC_MAGIC('A','s','c','t')
 #define ISCAPI_SOCKET_VALID(s)	((s) != NULL && \
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index b63eebe508..459e286f00 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.77 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: socket.c,v 1.78 2009/09/02 18:32:25 each Exp $ */
 
 /* This code uses functions which are only available on Server 2003 and
  * higher, and Windows XP and higher.
@@ -3675,7 +3675,7 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
 }
 
 void
-isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
+isc___socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
 
 	UNUSED(manager);
 	UNUSED(maxudp);

From 9dbca282e4df874472518934571fcdf6ba01147e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Wed, 2 Sep 2009 18:38:40 +0000
Subject: [PATCH 088/385] corrected trivial comment errors (reviewed by Evan in
 jabber)

---
 lib/isc/include/isc/app.h   | 6 +++---
 lib/isc/include/isc/task.h  | 4 ++--
 lib/isc/include/isc/timer.h | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index f20f604639..f93f9fcdb8 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.9 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: app.h,v 1.10 2009/09/02 18:38:40 jinmei Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
@@ -123,10 +123,10 @@ typedef struct isc_appmethods {
  * This structure is actually just the common prefix of an application context
  * implementation's version of an isc_appctx_t.
  * \brief
- * Direct use of this structure by clients is forbidden.  mctx implementations
+ * Direct use of this structure by clients is forbidden.  app implementations
  * may change the structure.  'magic' must be ISCAPI_APPCTX_MAGIC for any
  * of the isc_app_ routines to work.  app implementations must maintain
- * all app socket invariants.
+ * all app context invariants.
  */
 struct isc_appctx {
 	unsigned int		impmagic;
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index 2fd838f45e..2fe99c4752 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.64 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: task.h,v 1.65 2009/09/02 18:38:40 jinmei Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -131,7 +131,7 @@ typedef struct isc_taskmethods {
  * This structure is actually just the common prefix of a task manager
  * object implementation's version of an isc_taskmgr_t.
  * \brief
- * Direct use of this structure by clients is forbidden.  mctx implementations
+ * Direct use of this structure by clients is forbidden.  task implementations
  * may change the structure.  'magic' must be ISCAPI_TASKMGR_MAGIC for any
  * of the isc_task_ routines to work.  task implementations must maintain
  * all task invariants.
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index 583dd9624e..c50b82c78d 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.41 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: timer.h,v 1.42 2009/09/02 18:38:40 jinmei Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
@@ -129,7 +129,7 @@ typedef struct {
  * This structure is actually just the common prefix of a timer manager
  * object implementation's version of an isc_timermgr_t.
  * \brief
- * Direct use of this structure by clients is forbidden.  mctx implementations
+ * Direct use of this structure by clients is forbidden.  timer implementations
  * may change the structure.  'magic' must be ISCAPI_TIMERMGR_MAGIC for any
  * of the isc_timer_ routines to work.  timer implementations must maintain
  * all timer invariants.

From 41e251fad0181aa7391a88805c86fb4804af0493 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 19:01:49 +0000
Subject: [PATCH 089/385] add backtrace.c, backtrace.h, backtrace-emptytbl.c,
 backtrace-emptytbl.h to win32 build

---
 lib/isc/win32/libisc.def |  4 ++++
 lib/isc/win32/libisc.dsp | 16 ++++++++++++++
 lib/isc/win32/libisc.mak | 48 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)

diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 2c5a44801d..cffe791c84 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -5,6 +5,8 @@ EXPORTS
 
 NTReportError
 closelog
+isc__backtrace_nsymbols
+isc__backtrace_symtable
 isc__buffer_activeregion
 isc__buffer_add
 isc__buffer_availableregion
@@ -48,6 +50,8 @@ isc__app_start
 isc__app_unblock
 isc_assertion_setcallback
 isc_assertion_typetotext
+isc_backtrace_getsymbol
+isc_backtrace_gettrace
 isc_base32_decoderegion
 isc_base32_decodestring
 isc_base32_tobuffer
diff --git a/lib/isc/win32/libisc.dsp b/lib/isc/win32/libisc.dsp
index 3bbbed3f43..8e4441c39f 100644
--- a/lib/isc/win32/libisc.dsp
+++ b/lib/isc/win32/libisc.dsp
@@ -207,6 +207,14 @@ SOURCE=..\include\isc\assertions.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\backtrace.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\backtrace-emptytbl.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\base32.h
 # End Source File
 # Begin Source File
@@ -579,6 +587,14 @@ SOURCE=..\assertions.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\backtrace.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\backtrace-emptytbl.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\base32.c
 # End Source File
 # Begin Source File
diff --git a/lib/isc/win32/libisc.mak b/lib/isc/win32/libisc.mak
index 4a23b26980..e15b46b3f8 100644
--- a/lib/isc/win32/libisc.mak
+++ b/lib/isc/win32/libisc.mak
@@ -116,6 +116,8 @@ ALL : "..\..\..\Build\Release\libisc.dll"
 CLEAN :
 	-@erase "$(INTDIR)\app.obj"
 	-@erase "$(INTDIR)\assertions.obj"
+	-@erase "$(INTDIR)\backtrace.obj"
+	-@erase "$(INTDIR)\backtrace-emptytbl.obj"
 	-@erase "$(INTDIR)\base32.obj"
 	-@erase "$(INTDIR)\base64.obj"
 	-@erase "$(INTDIR)\bitstring.obj"
@@ -236,6 +238,8 @@ LINK32_OBJS= \
 	"$(INTDIR)\version.obj" \
 	"$(INTDIR)\win32os.obj" \
 	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\backtrace.obj" \
+	"$(INTDIR)\backtrace-emptytbl.obj" \
 	"$(INTDIR)\base32.obj" \
 	"$(INTDIR)\base64.obj" \
 	"$(INTDIR)\bitstring.obj" \
@@ -307,6 +311,10 @@ CLEAN :
 	-@erase "$(INTDIR)\app.sbr"
 	-@erase "$(INTDIR)\assertions.obj"
 	-@erase "$(INTDIR)\assertions.sbr"
+	-@erase "$(INTDIR)\backtrace.obj"
+	-@erase "$(INTDIR)\backtrace-emptytbl.obj"
+	-@erase "$(INTDIR)\backtrace.sbr"
+	-@erase "$(INTDIR)\backtrace-emptytbl.sbr"
 	-@erase "$(INTDIR)\base32.obj"
 	-@erase "$(INTDIR)\base32.sbr"
 	-@erase "$(INTDIR)\base64.obj"
@@ -499,6 +507,8 @@ BSC32_SBRS= \
 	"$(INTDIR)\version.sbr" \
 	"$(INTDIR)\win32os.sbr" \
 	"$(INTDIR)\assertions.sbr" \
+	"$(INTDIR)\backtrace.sbr" \
+	"$(INTDIR)\backtrace-emptytbl.sbr" \
 	"$(INTDIR)\base32.sbr" \
 	"$(INTDIR)\base64.sbr" \
 	"$(INTDIR)\bitstring.sbr" \
@@ -585,6 +595,8 @@ LINK32_OBJS= \
 	"$(INTDIR)\version.obj" \
 	"$(INTDIR)\win32os.obj" \
 	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\backtrace.obj" \
+	"$(INTDIR)\backtrace-emptytbl.obj" \
 	"$(INTDIR)\base32.obj" \
 	"$(INTDIR)\base64.obj" \
 	"$(INTDIR)\bitstring.obj" \
@@ -1100,6 +1112,42 @@ SOURCE=..\assertions.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)
 
 
+!ENDIF 
+
+SOURCE=..\backtrace.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\backtrace.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\backtrace.obj"	"$(INTDIR)\backtrace.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\backtrace-emptytbl.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\backtrace-emptytbl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\backtrace-emptytbl.obj"	"$(INTDIR)\backtrace-emptytbl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 
 
 SOURCE=..\base32.c

From fff4ec3629ceedcd590ab0352489f4a53a7f1b68 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 19:36:36 +0000
Subject: [PATCH 090/385] add /D BIND9 for win32 build

---
 lib/dns/win32/libdns.dsp | 8 ++++----
 lib/dns/win32/libdns.mak | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/dns/win32/libdns.dsp b/lib/dns/win32/libdns.dsp
index 29b3fcd4f0..c1912fcf9c 100644
--- a/lib/dns/win32/libdns.dsp
+++ b/lib/dns/win32/libdns.dsp
@@ -42,8 +42,8 @@ RSC=rc.exe
 # PROP Intermediate_Dir "Release"
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
-# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /YX /FD /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -69,8 +69,8 @@ LINK32=link.exe
 # PROP Intermediate_Dir "Debug"
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
-# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR /YX /FD /GZ /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
diff --git a/lib/dns/win32/libdns.mak b/lib/dns/win32/libdns.mak
index b256248b39..c18009b02e 100644
--- a/lib/dns/win32/libdns.mak
+++ b/lib/dns/win32/libdns.mak
@@ -207,7 +207,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -534,7 +534,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -964,7 +964,7 @@ SOURCE=..\dispatch.c
 
 !IF  "$(CFG)" == "libdns - Win32 Release"
 
-CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/openssl/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 "$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
 	$(CPP) @<<
@@ -974,7 +974,7 @@ CPP_SWITCHES=/nologo /MD /W3 /GX /O2 /I "../../../../../openssl-0.9.8k/inc32/ope
 
 !ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
 
-CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_SWITCHES=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../isc/noatomic/include" /I "../../../../openssl-0.9.8k/inc32" /I "../../../../libxml2-2.7.3/include" /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 "$(INTDIR)\dispatch.obj"	"$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
 	$(CPP) @<<

From a4666db97c93fc6ec70ee77956000c3d2d28da88 Mon Sep 17 00:00:00 2001
From: Jeremy Reed 
Date: Wed, 2 Sep 2009 21:24:24 +0000
Subject: [PATCH 091/385] Minor two word change about managed-keys (fixes typo
 too). As discussed in RT #19874.

---
 doc/arm/Bv9ARM-book.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 89300abe11..1e55d84b1f 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -9124,7 +9124,7 @@ deny-answer-aliases { "example.net"; };
             keys stored in the managed keys database.
           
           
-            The first name named runs after a name
+            The next time named runs after a name
             has been removed from the
             managed-keys statement, the corresponding
             zone will be removed from the managed keys database,

From 9cd5eb6fe0f26d65724b99216cb31dcdd12e4afd Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 2 Sep 2009 23:30:44 +0000
Subject: [PATCH 092/385] newcopyrights

---
 util/copyrights | 222 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 157 insertions(+), 65 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index f8793427e7..53e118524a 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -15,7 +15,7 @@
 ./bin/.cvsignore				X	1998,1999,2000,2001
 ./bin/Makefile.in				MAKE	1998,1999,2000,2001,2004,2007,2009
 ./bin/check/.cvsignore				X	2000,2001
-./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005,2006,2007
+./bin/check/Makefile.in				MAKE	2000,2001,2002,2003,2004,2005,2006,2007,2009
 ./bin/check/check-tool.c			C	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./bin/check/check-tool.h			C	2000,2001,2002,2004,2005,2007
 ./bin/check/named-checkconf.8			MAN	DOCBOOK
@@ -62,7 +62,7 @@
 ./bin/confgen/win32/rndcconfgen.dsw		X	2001,2004,2005,2006,2009
 ./bin/confgen/win32/rndcconfgen.mak		X	2001,2004,2005,2006,2009
 ./bin/dig/.cvsignore				X	2000,2001
-./bin/dig/Makefile.in				MAKE	2000,2001,2002,2004,2005,2007
+./bin/dig/Makefile.in				MAKE	2000,2001,2002,2004,2005,2007,2009
 ./bin/dig/dig.1					MAN	DOCBOOK
 ./bin/dig/dig.c					C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/dig/dig.docbook				SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -115,7 +115,7 @@
 ./bin/dnssec/dnssec-signzone.docbook		SGML	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/dnssec/dnssec-signzone.html		HTML	DOCBOOK
 ./bin/dnssec/dnssectool.c			C	2000,2001,2003,2004,2005,2007,2009
-./bin/dnssec/dnssectool.h			C	2000,2001,2003,2004,2007,2008
+./bin/dnssec/dnssectool.h			C	2000,2001,2003,2004,2007,2008,2009
 ./bin/dnssec/win32/dnssectool.dsp		X	2006,2009
 ./bin/dnssec/win32/dnssectool.dsw		X	2006,2009
 ./bin/dnssec/win32/dsfromkey.dsp		X	2008,2009
@@ -183,12 +183,12 @@
 ./bin/named/lwaddr.c				C	2000,2001,2004,2005,2007,2008
 ./bin/named/lwdclient.c				C	2000,2001,2004,2005,2007
 ./bin/named/lwderror.c				C	2000,2001,2004,2005,2007
-./bin/named/lwdgabn.c				C	2000,2001,2004,2005,2006,2007
+./bin/named/lwdgabn.c				C	2000,2001,2004,2005,2006,2007,2009
 ./bin/named/lwdgnba.c				C	2000,2001,2002,2004,2005,2007,2008
-./bin/named/lwdgrbn.c				C	2000,2001,2003,2004,2005,2006,2007
+./bin/named/lwdgrbn.c				C	2000,2001,2003,2004,2005,2006,2007,2009
 ./bin/named/lwdnoop.c				C	2000,2001,2004,2005,2007,2008
 ./bin/named/lwresd.8				MAN	DOCBOOK
-./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008
+./bin/named/lwresd.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/lwresd.docbook			SGML	2000,2001,2004,2005,2007,2008,2009
 ./bin/named/lwresd.html				HTML	DOCBOOK
 ./bin/named/lwsearch.c				C	2000,2001,2004,2005,2007
@@ -204,10 +204,10 @@
 ./bin/named/server.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/sortlist.c				C	2000,2001,2004,2005,2006,2007
 ./bin/named/statschannel.c			C	2008,2009
-./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005,2006,2007
+./bin/named/tkeyconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009
 ./bin/named/tsigconf.c				C	1999,2000,2001,2004,2005,2006,2007,2009
 ./bin/named/unix/.cvsignore			X	1999,2000,2001
-./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004,2007
+./bin/named/unix/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009
 ./bin/named/unix/include/named/os.h		C	1999,2000,2001,2002,2004,2005,2007,2008,2009
 ./bin/named/unix/os.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./bin/named/update.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -251,15 +251,16 @@
 ./bin/tests/Kchild.example.+003+04017.key	X	2000,2001
 ./bin/tests/Kchild.example.+003+04017.private	X	2000,2001
 ./bin/tests/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
-./bin/tests/adb_test.c				C	1999,2000,2001,2004,2005,2007
+./bin/tests/adb_test.c				C	1999,2000,2001,2004,2005,2007,2009
 ./bin/tests/b8t.mk				MAKE	1999,2000,2001,2004,2007
 ./bin/tests/b9t.mk				MAKE	1999,2000,2001,2004,2007
+./bin/tests/backtrace_test.c			C	2009
 ./bin/tests/byaddr_test.c			C	2000,2001,2002,2004,2005,2007
-./bin/tests/byname_test.c			C	2000,2001,2004,2005,2007
+./bin/tests/byname_test.c			C	2000,2001,2004,2005,2007,2009
 ./bin/tests/cfg_test.c				C	2001,2002,2004,2005,2007,2009
 ./bin/tests/compress_test.c			C	1999,2000,2001,2004,2005,2006,2007
 ./bin/tests/db/.cvsignore			X	1999,2000,2001
-./bin/tests/db/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007
+./bin/tests/db/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007,2009
 ./bin/tests/db/dns_db_class_1.data		X	1999,2000,2001
 ./bin/tests/db/dns_db_class_data		X	1999,2000,2001
 ./bin/tests/db/dns_db_closeversion_1.data	X	1999,2000,2001
@@ -311,7 +312,7 @@
 ./bin/tests/db/dns_db_origin_1.data		X	1999,2000,2001
 ./bin/tests/db/dns_db_origin_data		X	1999,2000,2001
 ./bin/tests/db/t_db.c				C	1999,2000,2001,2004,2005,2007,2009
-./bin/tests/db_test.c				C	1999,2000,2001,2004,2005,2007,2008
+./bin/tests/db_test.c				C	1999,2000,2001,2004,2005,2007,2008,2009
 ./bin/tests/dnssec-signzone/Kexample.com.+005+07065.key	X	2009
 ./bin/tests/dnssec-signzone/Kexample.com.+005+07065.private	X	2009
 ./bin/tests/dnssec-signzone/Kexample.com.+005+23362.key	X	2009
@@ -341,7 +342,7 @@
 ./bin/tests/dst/Makefile.in			MAKE	1999,2000,2001,2002,2004,2006,2007,2008,2009
 ./bin/tests/dst/dst_2_data			X	1999,2000,2001
 ./bin/tests/dst/dst_test.c			C	1999,2000,2001,2004,2005,2007,2009
-./bin/tests/dst/gsstest.c			C	2006,2007
+./bin/tests/dst/gsstest.c			C	2006,2007,2009
 ./bin/tests/dst/t2_data_1			X	1999,2000,2001
 ./bin/tests/dst/t2_data_2			X	1999,2000,2001
 ./bin/tests/dst/t2_dsasig			X	1999,2000,2001
@@ -362,7 +363,7 @@
 ./bin/tests/lwres_test.c			C	2000,2001,2004,2005,2007
 ./bin/tests/lwresconf_test.c			C	2000,2001,2004,2007
 ./bin/tests/master/.cvsignore			X	1999,2000,2001
-./bin/tests/master/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007
+./bin/tests/master/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007,2009
 ./bin/tests/master/dns_master_load_10_data	X	2000,2001
 ./bin/tests/master/dns_master_load_11_data	X	2000,2001
 ./bin/tests/master/dns_master_load_1_data	X	1999,2000,2001
@@ -386,15 +387,15 @@
 ./bin/tests/master/master8.data			X	2000,2001
 ./bin/tests/master/master9.data			X	2000,2001
 ./bin/tests/master/t_master.c			C	1998,1999,2000,2001,2003,2004,2005,2007,2009
-./bin/tests/master_test.c			C	1999,2000,2001,2004,2007
+./bin/tests/master_test.c			C	1999,2000,2001,2004,2007,2009
 ./bin/tests/mem/.cvsignore			X	1999,2000,2001
-./bin/tests/mem/Makefile.in			MAKE	1998,1999,2000,2001,2002,2004,2005,2007
+./bin/tests/mem/Makefile.in			MAKE	1998,1999,2000,2001,2002,2004,2005,2007,2009
 ./bin/tests/mem/t_mem.c				C	1999,2000,2001,2004,2007,2009
 ./bin/tests/mempool_test.c			C	1999,2000,2001,2004,2007
-./bin/tests/name_test.c				C	1998,1999,2000,2001,2003,2004,2005,2007
+./bin/tests/name_test.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009
 ./bin/tests/named.conf				CONF-C	1999,2000,2001,2004,2007
 ./bin/tests/names/.cvsignore			X	1999,2000,2001
-./bin/tests/names/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007
+./bin/tests/names/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007,2009
 ./bin/tests/names/dns_name_compare_data		X	1999,2000,2001
 ./bin/tests/names/dns_name_countlabels_data	X	1999,2000,2001,2003
 ./bin/tests/names/dns_name_fromregion_data	X	1999,2000,2001,2003
@@ -431,18 +432,18 @@
 ./bin/tests/ndc.conf				CONF-C	2000,2001,2004,2007
 ./bin/tests/ndc.conf-include			CONF-C	2001,2004,2007
 ./bin/tests/net/.cvsignore			X	2000,2001
-./bin/tests/net/Makefile.in			MAKE	2000,2001,2002,2004,2007
+./bin/tests/net/Makefile.in			MAKE	2000,2001,2002,2004,2007,2009
 ./bin/tests/net/driver.c			C	2000,2001,2004,2007
 ./bin/tests/net/driver.h			C	2000,2001,2004,2007
 ./bin/tests/net/netaddr_multicast.c		C	2000,2001,2004,2007
 ./bin/tests/net/sockaddr_multicast.c		C	2000,2001,2004,2007
 ./bin/tests/net/testsuite.h			C	2000,2001,2004,2007
-./bin/tests/nsecify.c				C	1999,2000,2001,2003,2004,2007,2008
+./bin/tests/nsecify.c				C	1999,2000,2001,2003,2004,2007,2008,2009
 ./bin/tests/printmsg.c				C	1998,1999,2000,2001,2004,2007
 ./bin/tests/printmsg.h				C	1998,1999,2000,2001,2004,2007
 ./bin/tests/ratelimiter_test.c			C	1999,2000,2001,2004,2007
 ./bin/tests/rbt/.cvsignore			X	1999,2000,2001
-./bin/tests/rbt/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007
+./bin/tests/rbt/Makefile.in			MAKE	1999,2000,2001,2002,2004,2007,2009
 ./bin/tests/rbt/dns_rbt.data			X	1999,2000,2001
 ./bin/tests/rbt/dns_rbt_addname_1_data		X	1999,2000,2001,2003
 ./bin/tests/rbt/dns_rbt_addname_2_data		X	1999,2000,2001
@@ -466,7 +467,7 @@
 ./bin/tests/rbt/dns_rbtnodechain_prev.data	X	1999,2000,2001
 ./bin/tests/rbt/dns_rbtnodechain_prev_data	X	1999,2000,2001
 ./bin/tests/rbt/t_rbt.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009
-./bin/tests/rbt_test.c				C	1999,2000,2001,2004,2005,2007
+./bin/tests/rbt_test.c				C	1999,2000,2001,2004,2005,2007,2009
 ./bin/tests/rbt_test.out			X	1999,2000,2001
 ./bin/tests/rbt_test.txt			SH	1999,2000,2001,2004,2007
 ./bin/tests/rdata_test.c			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
@@ -474,7 +475,7 @@
 ./bin/tests/rwlock_test.c			C	1998,1999,2000,2001,2004,2005,2007
 ./bin/tests/serial_test.c			C	1999,2000,2001,2003,2004,2007
 ./bin/tests/shutdown_test.c			C	1998,1999,2000,2001,2004,2007
-./bin/tests/sig0_test.c				C	2000,2001,2004,2005,2007,2008
+./bin/tests/sig0_test.c				C	2000,2001,2004,2005,2007,2008,2009
 ./bin/tests/sock_test.c				C	1998,1999,2000,2001,2004,2007,2008
 ./bin/tests/sockaddr/.cvsignore			X	1999,2000,2001
 ./bin/tests/sockaddr/Makefile.in		MAKE	1999,2000,2001,2002,2004,2007,2009
@@ -655,7 +656,7 @@
 ./bin/tests/system/limits/ns1/root.db		ZONE	2000,2001,2004,2007
 ./bin/tests/system/limits/tests.sh		SH	2000,2001,2004,2007
 ./bin/tests/system/lwresd/.cvsignore		X	2000,2001
-./bin/tests/system/lwresd/Makefile.in		MAKE	2000,2001,2002,2004,2007
+./bin/tests/system/lwresd/Makefile.in		MAKE	2000,2001,2002,2004,2007,2009
 ./bin/tests/system/lwresd/clean.sh		SH	2008
 ./bin/tests/system/lwresd/lwresd1/.cvsignore	X	2000,2001
 ./bin/tests/system/lwresd/lwresd1/lwresd.conf	CONF-C	2000,2001,2004,2007
@@ -816,7 +817,7 @@
 ./bin/tests/system/stub/tests.sh		SH	2000,2001,2004,2007
 ./bin/tests/system/testsock.pl			PERL	2000,2001,2004,2007
 ./bin/tests/system/tkey/.cvsignore		X	2001
-./bin/tests/system/tkey/Makefile.in		MAKE	2001,2002,2004,2007
+./bin/tests/system/tkey/Makefile.in		MAKE	2001,2002,2004,2007,2009
 ./bin/tests/system/tkey/clean.sh		SH	2001,2004,2007
 ./bin/tests/system/tkey/keycreate.c		C	2001,2004,2005,2007,2009
 ./bin/tests/system/tkey/keydelete.c		C	2001,2004,2005,2007,2009
@@ -931,7 +932,7 @@
 ./bin/tests/wire_test.data2			X	1999,2000,2001
 ./bin/tests/wire_test.data3			X	1999,2000,2001
 ./bin/tests/wire_test.data4			X	1999,2000,2001
-./bin/tests/zone_test.c				C	1999,2000,2001,2002,2004,2005,2007
+./bin/tests/zone_test.c				C	1999,2000,2001,2002,2004,2005,2007,2009
 ./bin/tools/.cvsignore				X	2009
 ./bin/tools/Makefile.in				MAKE	2009
 ./bin/tools/arpaname.1				MAN	2009
@@ -991,14 +992,14 @@
 ./contrib/dbus/SetForwarders			X	2006
 ./contrib/dbus/bind-9.3.2b1-dbus.patch		X	2006
 ./contrib/dbus/bind-9.3.3rc2-dbus.patch		X	2006
-./contrib/dbus/dbus_mgr.c			X	2006,2007
+./contrib/dbus/dbus_mgr.c			X	2006,2007,2009
 ./contrib/dbus/dbus_mgr.h			X	2006
 ./contrib/dbus/dbus_service.c			X	2006,2007
 ./contrib/dbus/dbus_service.h			X	2006,2007
 ./contrib/dbus/named-dbus-system.conf		X	2006
 ./contrib/dbus/named-dbus.service		X	2006
 ./contrib/dlz/bin/dlzbdb/.cvsignore		X	2005
-./contrib/dlz/bin/dlzbdb/Makefile.in		X	2005,2007
+./contrib/dlz/bin/dlzbdb/Makefile.in		X	2005,2007,2009
 ./contrib/dlz/bin/dlzbdb/dlzbdb.c		X	2005
 ./contrib/dlz/config.dlz.in			X	2005,2006,2008
 ./contrib/dlz/drivers/.cvsignore		X	2005
@@ -1168,7 +1169,7 @@
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/idnslookup.in	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/make.wnt	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.c	X	2003
-./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h	X	2003
+./contrib/idn/idnkit-1.0-src/tools/idnconv/selectiveencode.h	X	2003,2009
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/util.c	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/idnconv/util.h	X	2003
 ./contrib/idn/idnkit-1.0-src/tools/make.wnt	X	2003
@@ -1285,7 +1286,7 @@
 ./contrib/sdb/bdb/README			X	2002
 ./contrib/sdb/bdb/bdb.c				X	2002
 ./contrib/sdb/bdb/bdb.h				X	2002
-./contrib/sdb/bdb/zone2bdb.c			X	2002,2008
+./contrib/sdb/bdb/zone2bdb.c			X	2002,2008,2009
 ./contrib/sdb/dir/dirdb.c			C	2000,2001,2004,2007
 ./contrib/sdb/dir/dirdb.h			C	2000,2001,2004,2007
 ./contrib/sdb/ldap/INSTALL.ldap			X	2001,2002,2004
@@ -1294,14 +1295,14 @@
 ./contrib/sdb/ldap/ldapdb.c			X	2001,2002,2003,2004
 ./contrib/sdb/ldap/ldapdb.h			X	2001
 ./contrib/sdb/ldap/zone2ldap.1			X	2001
-./contrib/sdb/ldap/zone2ldap.c			X	2001,2005,2008
+./contrib/sdb/ldap/zone2ldap.c			X	2001,2005,2008,2009
 ./contrib/sdb/pgsql/pgsqldb.c			C	2000,2001,2004,2007
 ./contrib/sdb/pgsql/pgsqldb.h			C	2000,2001,2004,2007
-./contrib/sdb/pgsql/zonetodb.c			C	2000,2001,2002,2004,2005,2007,2008
+./contrib/sdb/pgsql/zonetodb.c			C	2000,2001,2002,2004,2005,2007,2008,2009
 ./contrib/sdb/sqlite/README.sdb_sqlite		X	2007
 ./contrib/sdb/sqlite/sqlitedb.c			X	2007
 ./contrib/sdb/sqlite/sqlitedb.h			X	2007
-./contrib/sdb/sqlite/zone2sqlite.c		X	2007,2008
+./contrib/sdb/sqlite/zone2sqlite.c		X	2007,2008,2009
 ./contrib/sdb/tcl/lookup.tcl			TCL	2000,2001,2004,2007
 ./contrib/sdb/tcl/tcldb.c			C	2000,2001,2004,2007
 ./contrib/sdb/tcl/tcldb.h			C	2000,2001,2004,2007
@@ -1610,7 +1611,7 @@
 ./lib/.cvsignore				X	1998,1999,2000,2001
 ./lib/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007
 ./lib/bind9/.cvsignore				X	2001
-./lib/bind9/Makefile.in				MAKE	2001,2004,2007
+./lib/bind9/Makefile.in				MAKE	2001,2004,2007,2009
 ./lib/bind9/api					X	2001,2006,2008
 ./lib/bind9/check.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/bind9/getaddresses.c			C	2001,2002,2004,2005,2007
@@ -1634,9 +1635,10 @@
 ./lib/dns/acl.c					C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/adb.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/api					X	1999,2000,2001,2006,2008,2009
-./lib/dns/byaddr.c				C	2000,2001,2002,2003,2004,2005,2007
+./lib/dns/byaddr.c				C	2000,2001,2002,2003,2004,2005,2007,2009
 ./lib/dns/cache.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/callbacks.c				C	1999,2000,2001,2004,2005,2007
+./lib/dns/client.c				C	2009
 ./lib/dns/compress.c				C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/db.c					C	1999,2000,2001,2003,2004,2005,2007,2008,2009
 ./lib/dns/dbiterator.c				C	1999,2000,2001,2004,2005,2007
@@ -1653,12 +1655,13 @@
 ./lib/dns/dst_parse.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_parse.h				C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_result.c				C	1999,2000,2001,2004,2005,2007,2008
-./lib/dns/forward.c				C	2000,2001,2004,2005,2007
+./lib/dns/ecdb.c				C	2009
+./lib/dns/forward.c				C	2000,2001,2004,2005,2007,2009
 ./lib/dns/gen-unix.h				C	1999,2000,2001,2004,2005,2007,2009
 ./lib/dns/gen-win32.h				C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/gen.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
 ./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008
-./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008
+./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008,2009
 ./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008
 ./lib/dns/include/.cvsignore			X	1998,1999,2000,2001
 ./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
@@ -1672,6 +1675,7 @@
 ./lib/dns/include/dns/cache.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/callbacks.h		C	1999,2000,2001,2002,2004,2005,2006,2007
 ./lib/dns/include/dns/cert.h			C	1999,2000,2001,2004,2005,2006,2007
+./lib/dns/include/dns/client.h			C	2009
 ./lib/dns/include/dns/compress.h		C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/db.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/dns/dbiterator.h		C	1999,2000,2001,2004,2005,2006,2007
@@ -1681,16 +1685,17 @@
 ./lib/dns/include/dns/dlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009
 ./lib/dns/include/dns/dnssec.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/ds.h			C	2002,2004,2005,2006,2007
+./lib/dns/include/dns/ecdb.h			C	2009
 ./lib/dns/include/dns/events.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/fixedname.h		C	1999,2000,2001,2004,2005,2006,2007
-./lib/dns/include/dns/forward.h			C	2000,2001,2004,2005,2006,2007
+./lib/dns/include/dns/forward.h			C	2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/iptable.h			C	2007
 ./lib/dns/include/dns/journal.h			C	1999,2000,2001,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/dns/keydata.h			C	2009
 ./lib/dns/include/dns/keyflags.h		C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/keytable.h		C	2000,2001,2004,2005,2007,2009
 ./lib/dns/include/dns/keyvalues.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009
-./lib/dns/include/dns/lib.h			C	1999,2000,2001,2004,2005,2006,2007
+./lib/dns/include/dns/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/log.h			C	1999,2000,2001,2003,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/lookup.h			C	2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/master.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
@@ -1729,6 +1734,7 @@
 ./lib/dns/include/dns/time.h			C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/timer.h			C	2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/tkey.h			C	1999,2000,2001,2004,2005,2006,2007,2009
+./lib/dns/include/dns/tsec.h			C	2009
 ./lib/dns/include/dns/tsig.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/ttl.h			C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/types.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -1750,7 +1756,7 @@
 ./lib/dns/key.c					C	2001,2004,2005,2006,2007
 ./lib/dns/keydata.c				C	2009
 ./lib/dns/keytable.c				C	2000,2001,2004,2005,2007,2009
-./lib/dns/lib.c					C	1999,2000,2001,2004,2005,2007
+./lib/dns/lib.c					C	1999,2000,2001,2004,2005,2007,2009
 ./lib/dns/log.c					C	1999,2000,2001,2003,2004,2005,2006,2007
 ./lib/dns/lookup.c				C	2000,2001,2003,2004,2005,2007
 ./lib/dns/master.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -1765,7 +1771,7 @@
 ./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/order.c				C	2002,2004,2005,2007
-./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008
+./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/portlist.c				C	2003,2004,2005,2006,2007
 ./lib/dns/rbt.c					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009
 ./lib/dns/rbtdb.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -1773,7 +1779,7 @@
 ./lib/dns/rbtdb64.c				C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rbtdb64.h				C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rcode.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
-./lib/dns/rdata.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
+./lib/dns/rdata.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/rdata/any_255/tsig_250.c		C	1999,2000,2001,2002,2003,2004,2005,2007
 ./lib/dns/rdata/any_255/tsig_250.h		C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rdata/ch_3/a_1.c			C	2005,2007
@@ -1913,7 +1919,8 @@
 ./lib/dns/tcpmsg.c				C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/time.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2007,2009
 ./lib/dns/timer.c				C	2000,2001,2004,2005,2007
-./lib/dns/tkey.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008
+./lib/dns/tkey.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009
+./lib/dns/tsec.c				C	2009
 ./lib/dns/tsig.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/ttl.c					C	1999,2000,2001,2004,2005,2007
 ./lib/dns/validator.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -1932,8 +1939,81 @@
 ./lib/dns/zone.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/zonekey.c				C	2001,2003,2004,2005,2007
 ./lib/dns/zt.c					C	1999,2000,2001,2002,2004,2005,2006,2007
+./lib/export/.cvsignore				X	2009
+./lib/export/Makefile.in			MAKE	2009
+./lib/export/dns/.cvsignore			X	2009
+./lib/export/dns/Makefile.in			MAKE	2009
+./lib/export/dns/include/.cvsignore		X	2009
+./lib/export/dns/include/Makefile.in		MAKE	2009
+./lib/export/dns/include/dns/.cvsignore		X	2009
+./lib/export/dns/include/dns/Makefile.in	MAKE	2009
+./lib/export/dns/include/dst/.cvsignore		X	2009
+./lib/export/dns/include/dst/Makefile.in	MAKE	2009
+./lib/export/irs/.cvsignore			X	2009
+./lib/export/irs/Makefile.in			MAKE	2009
+./lib/export/irs/include/.cvsignore		X	2009
+./lib/export/irs/include/Makefile.in		MAKE	2009
+./lib/export/irs/include/irs/.cvsignore		X	2009
+./lib/export/irs/include/irs/Makefile.in	MAKE	2009
+./lib/export/isc/.cvsignore			X	2009
+./lib/export/isc/Makefile.in			MAKE	2009
+./lib/export/isc/include/.cvsignore		X	2009
+./lib/export/isc/include/Makefile.in		MAKE	2009
+./lib/export/isc/include/isc/.cvsignore		X	2009
+./lib/export/isc/include/isc/Makefile.in	MAKE	2009
+./lib/export/isc/nls/.cvsignore			X	2009
+./lib/export/isc/nls/Makefile.in		MAKE	2009
+./lib/export/isc/nothreads/Makefile.in		MAKE	2009
+./lib/export/isc/nothreads/include/Makefile.in	MAKE	2009
+./lib/export/isc/nothreads/include/isc/Makefile.in	MAKE	2009
+./lib/export/isc/pthreads/.cvsignore		X	2009
+./lib/export/isc/pthreads/Makefile.in		MAKE	2009
+./lib/export/isc/pthreads/include/.cvsignore	X	2009
+./lib/export/isc/pthreads/include/Makefile.in	MAKE	2009
+./lib/export/isc/pthreads/include/isc/.cvsignore	X	2009
+./lib/export/isc/pthreads/include/isc/Makefile.in	MAKE	2009
+./lib/export/isc/unix/.cvsignore		X	2009
+./lib/export/isc/unix/Makefile.in		MAKE	2009
+./lib/export/isc/unix/include/.cvsignore	X	2009
+./lib/export/isc/unix/include/Makefile.in	MAKE	2009
+./lib/export/isc/unix/include/isc/.cvsignore	X	2009
+./lib/export/isc/unix/include/isc/Makefile.in	MAKE	2009
+./lib/export/isccfg/.cvsignore			X	2009
+./lib/export/isccfg/Makefile.in			MAKE	2009
+./lib/export/isccfg/include/.cvsignore		X	2009
+./lib/export/isccfg/include/Makefile.in		MAKE	2009
+./lib/export/isccfg/include/isccfg/.cvsignore	X	2009
+./lib/export/isccfg/include/isccfg/Makefile.in	MAKE	2009
+./lib/export/samples/.cvsignore			X	2009
 ./lib/export/samples/Makefile-postinstall.in	MAKE	2009
+./lib/export/samples/Makefile.in		MAKE	2009
+./lib/export/samples/nsprobe.c			C	2009
+./lib/export/samples/sample-async.c		C	2009
+./lib/export/samples/sample-gai.c		C	2009
+./lib/export/samples/sample-request.c		C	2009
+./lib/export/samples/sample-update.c		C	2009
+./lib/export/samples/sample.c			C	2009
+./lib/irs/.cvsignore				X	2009
+./lib/irs/Makefile.in				MAKE	2009
 ./lib/irs/api					X	2009
+./lib/irs/context.c				C	2009
+./lib/irs/dnsconf.c				C	2009
+./lib/irs/gai_strerror.c			C	2009
+./lib/irs/getaddrinfo.c				C	2009
+./lib/irs/getnameinfo.c				C	2009
+./lib/irs/include/.cvsignore			X	2009
+./lib/irs/include/Makefile.in			MAKE	2009
+./lib/irs/include/irs/.cvsignore		X	2009
+./lib/irs/include/irs/Makefile.in		MAKE	2009
+./lib/irs/include/irs/context.h			C	2009
+./lib/irs/include/irs/dnsconf.h			C	2009
+./lib/irs/include/irs/netdb.h.in		C	2009
+./lib/irs/include/irs/platform.h.in		C	2009
+./lib/irs/include/irs/resconf.h			C	2009
+./lib/irs/include/irs/types.h			C	2009
+./lib/irs/include/irs/version.h			C	2009
+./lib/irs/resconf.c				C	2009
+./lib/irs/version.c				C	2009
 ./lib/isc/.cvsignore				X	1998,1999,2000,2001
 ./lib/isc/Makefile.in				MAKE	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isc/alpha/.cvsignore			X	2007
@@ -1944,7 +2024,10 @@
 ./lib/isc/alpha/include/isc/Makefile.in		MAKE	2007
 ./lib/isc/alpha/include/isc/atomic.h		C	2005,2007,2009
 ./lib/isc/api					X	1999,2000,2001,2006,2008
-./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004,2005,2007,2008
+./lib/isc/app_api.c				C	2009
+./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004,2005,2007,2008,2009
+./lib/isc/backtrace-emptytbl.c			C	2009
+./lib/isc/backtrace.c				C	2009
 ./lib/isc/base32.c				C	2008,2009
 ./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004,2005,2007
 ./lib/isc/bitstring.c				C	1999,2000,2001,2004,2005,2007
@@ -1972,8 +2055,9 @@
 ./lib/isc/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
 ./lib/isc/include/isc/.cvsignore		X	1998,1999,2000,2001
 ./lib/isc/include/isc/Makefile.in		MAKE	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009
-./lib/isc/include/isc/app.h			C	1999,2000,2001,2004,2005,2006,2007
+./lib/isc/include/isc/app.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/assertions.h		C	1997,1998,1999,2000,2001,2004,2005,2006,2007,2008
+./lib/isc/include/isc/backtrace.h		C	2009
 ./lib/isc/include/isc/base32.h			C	2008
 ./lib/isc/include/isc/base64.h			C	1999,2000,2001,2004,2005,2006,2007
 ./lib/isc/include/isc/bitstring.h		C	1999,2000,2001,2004,2005,2006,2007
@@ -2000,7 +2084,7 @@
 ./lib/isc/include/isc/lang.h			C	1999,2000,2001,2004,2005,2006,2007
 ./lib/isc/include/isc/lex.h			C	1998,1999,2000,2001,2002,2004,2005,2007,2008
 ./lib/isc/include/isc/lfsr.h			C	1999,2000,2001,2004,2005,2006,2007
-./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004,2005,2006,2007
+./lib/isc/include/isc/lib.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/list.h			C	1997,1998,1999,2000,2001,2002,2004,2006,2007
 ./lib/isc/include/isc/log.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/magic.h			C	1999,2000,2001,2004,2005,2006,2007
@@ -2009,6 +2093,7 @@
 ./lib/isc/include/isc/msgcat.h			C	1999,2000,2001,2004,2005,2007
 ./lib/isc/include/isc/msgs.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008
 ./lib/isc/include/isc/mutexblock.h		C	1999,2000,2001,2004,2005,2006,2007
+./lib/isc/include/isc/namespace.h		C	2009
 ./lib/isc/include/isc/netaddr.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/netscope.h		C	2002,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/ondestroy.h		C	2000,2001,2004,2005,2006,2007
@@ -2024,8 +2109,8 @@
 ./lib/isc/include/isc/refcount.h		C	2001,2003,2004,2005,2006,2007
 ./lib/isc/include/isc/region.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007
 ./lib/isc/include/isc/resource.h		C	2000,2001,2004,2005,2006,2007,2008
-./lib/isc/include/isc/result.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008
-./lib/isc/include/isc/resultclass.h		C	1999,2000,2001,2004,2005,2006,2007
+./lib/isc/include/isc/result.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009
+./lib/isc/include/isc/resultclass.h		C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/rwlock.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007
 ./lib/isc/include/isc/serial.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/sha1.h			C	2000,2001,2004,2005,2006,2007,2009
@@ -2039,7 +2124,7 @@
 ./lib/isc/include/isc/symtab.h			C	1996,1997,1998,1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/task.h			C	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009
 ./lib/isc/include/isc/taskpool.h		C	1999,2000,2001,2004,2005,2006,2007
-./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008
+./lib/isc/include/isc/timer.h			C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/isc/include/isc/types.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isc/include/isc/util.h			C	1998,1999,2000,2001,2004,2005,2006,2007
 ./lib/isc/include/isc/version.h			C	2001,2004,2005,2006,2007
@@ -2050,10 +2135,11 @@
 ./lib/isc/iterated_hash.c			C	2006,2008,2009
 ./lib/isc/lex.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2007
 ./lib/isc/lfsr.c				C	1999,2000,2001,2002,2004,2005,2007
-./lib/isc/lib.c					C	1999,2000,2001,2004,2005,2007
+./lib/isc/lib.c					C	1999,2000,2001,2004,2005,2007,2009
 ./lib/isc/log.c					C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2009
 ./lib/isc/md5.c					C	2000,2001,2004,2005,2007,2009
 ./lib/isc/mem.c					C	1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
+./lib/isc/mem_api.c				C	2009
 ./lib/isc/mips/.cvsignore			X	2007
 ./lib/isc/mips/Makefile.in			MAKE	2007
 ./lib/isc/mips/include/.cvsignore		X	2007
@@ -2065,7 +2151,7 @@
 ./lib/isc/netaddr.c				C	1999,2000,2001,2002,2004,2005,2007
 ./lib/isc/netscope.c				C	2002,2004,2005,2006,2007
 ./lib/isc/nls/.cvsignore			X	1999,2000,2001
-./lib/isc/nls/Makefile.in			MAKE	1999,2000,2001,2004,2007
+./lib/isc/nls/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009
 ./lib/isc/nls/msgcat.c				C	1999,2000,2001,2004,2005,2007
 ./lib/isc/noatomic/.cvsignore			X	2007
 ./lib/isc/noatomic/Makefile.in			MAKE	2007
@@ -2075,7 +2161,7 @@
 ./lib/isc/noatomic/include/isc/Makefile.in	MAKE	2007
 ./lib/isc/noatomic/include/isc/atomic.h		C	2005,2007
 ./lib/isc/nothreads/.cvsignore			X	2000,2001
-./lib/isc/nothreads/Makefile.in			MAKE	2000,2001,2004,2007
+./lib/isc/nothreads/Makefile.in			MAKE	2000,2001,2004,2007,2009
 ./lib/isc/nothreads/condition.c			C	2000,2001,2004,2006,2007
 ./lib/isc/nothreads/include/.cvsignore		X	2000,2001
 ./lib/isc/nothreads/include/Makefile.in		MAKE	2000,2001,2004,2007
@@ -2099,7 +2185,7 @@
 ./lib/isc/powerpc/include/isc/atomic.h		C	2005,2007
 ./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008
 ./lib/isc/pthreads/.cvsignore			X	1998,1999,2000,2001
-./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
+./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009
 ./lib/isc/pthreads/condition.c			C	1998,1999,2000,2001,2004,2005,2007
 ./lib/isc/pthreads/include/.cvsignore		X	1998,1999,2000,2001
 ./lib/isc/pthreads/include/Makefile.in		MAKE	1998,1999,2000,2001,2004,2007
@@ -2123,6 +2209,7 @@
 ./lib/isc/sha1.c				C	2000,2001,2003,2004,2005,2007,2009
 ./lib/isc/sha2.c				C	2005,2006,2007,2009
 ./lib/isc/sockaddr.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007
+./lib/isc/socket_api.c				C	2009
 ./lib/isc/sparc64/.cvsignore			X	2007
 ./lib/isc/sparc64/Makefile.in			MAKE	2007
 ./lib/isc/sparc64/include/.cvsignore		X	2007
@@ -2134,14 +2221,16 @@
 ./lib/isc/string.c				C	1999,2000,2001,2003,2004,2005,2006,2007
 ./lib/isc/strtoul.c				C	2003,2004,2005,2007
 ./lib/isc/symtab.c				C	1996,1997,1998,1999,2000,2001,2004,2005,2007
-./lib/isc/task.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
-./lib/isc/task_p.h				C	2000,2001,2004,2005,2007
+./lib/isc/task.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
+./lib/isc/task_api.c				C	2009
+./lib/isc/task_p.h				C	2000,2001,2004,2005,2007,2009
 ./lib/isc/taskpool.c				C	1999,2000,2001,2004,2005,2007
 ./lib/isc/timer.c				C	1998,1999,2000,2001,2002,2004,2005,2007,2008,2009
-./lib/isc/timer_p.h				C	2000,2001,2004,2005,2007
+./lib/isc/timer_api.c				C	2009
+./lib/isc/timer_p.h				C	2000,2001,2004,2005,2007,2009
 ./lib/isc/unix/.cvsignore			X	1998,1999,2000,2001
-./lib/isc/unix/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
-./lib/isc/unix/app.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008
+./lib/isc/unix/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009
+./lib/isc/unix/app.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009
 ./lib/isc/unix/dir.c				C	1999,2000,2001,2004,2005,2007,2008,2009
 ./lib/isc/unix/entropy.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008
 ./lib/isc/unix/errno2result.c			C	2000,2001,2002,2004,2005,2007
@@ -2173,7 +2262,7 @@
 ./lib/isc/unix/os.c				C	2000,2001,2004,2005,2007
 ./lib/isc/unix/resource.c			C	2000,2001,2004,2007,2008,2009
 ./lib/isc/unix/socket.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
-./lib/isc/unix/socket_p.h			C	2000,2001,2004,2005,2007,2008
+./lib/isc/unix/socket_p.h			C	2000,2001,2004,2005,2007,2008,2009
 ./lib/isc/unix/stdio.c				C	2000,2001,2004,2007
 ./lib/isc/unix/stdtime.c			C	1999,2000,2001,2004,2005,2007
 ./lib/isc/unix/strerror.c			C	2001,2004,2005,2007,2009
@@ -2182,8 +2271,8 @@
 ./lib/isc/version.c				C	1998,1999,2000,2001,2004,2005,2007
 ./lib/isc/win32/.cvsignore			X	1999,2000,2001
 ./lib/isc/win32/DLLMain.c			C	2001,2004,2007
-./lib/isc/win32/Makefile.in			MAKE	1999,2000,2001,2004,2007
-./lib/isc/win32/app.c				C	1999,2000,2001,2004,2007
+./lib/isc/win32/Makefile.in			MAKE	1999,2000,2001,2004,2007,2009
+./lib/isc/win32/app.c				C	1999,2000,2001,2004,2007,2009
 ./lib/isc/win32/condition.c			C	1998,1999,2000,2001,2004,2006,2007
 ./lib/isc/win32/dir.c				C	1999,2000,2001,2004,2007,2008,2009
 ./lib/isc/win32/entropy.c			C	2000,2001,2002,2004,2007,2009
@@ -2258,7 +2347,7 @@
 ./lib/isc/x86_64/include/isc/Makefile.in	MAKE	2007
 ./lib/isc/x86_64/include/isc/atomic.h		C	2005,2007,2008
 ./lib/isccc/.cvsignore				X	2001
-./lib/isccc/Makefile.in				MAKE	2001,2003,2004,2007
+./lib/isccc/Makefile.in				MAKE	2001,2003,2004,2007,2009
 ./lib/isccc/alist.c				C.NOM	2001,2004,2005,2007
 ./lib/isccc/api					X	2001,2006,2008
 ./lib/isccc/base64.c				C.NOM	2001,2004,2005,2007
@@ -2293,15 +2382,17 @@
 ./lib/isccc/win32/libisccc.mak			X	2001,2002,2004,2005,2006,2009
 ./lib/isccc/win32/version.c			C	2001,2004,2007
 ./lib/isccfg/.cvsignore				X	2001
-./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005,2007
+./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005,2007,2009
 ./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/isccfg/api				X	2001,2006,2008
+./lib/isccfg/dnsconf.c				C	2009
 ./lib/isccfg/include/.cvsignore			X	2001
 ./lib/isccfg/include/Makefile.in		MAKE	2001,2004,2007
 ./lib/isccfg/include/isccfg/.cvsignore		X	2001
 ./lib/isccfg/include/isccfg/Makefile.in		MAKE	2001,2002,2004,2005,2007
 ./lib/isccfg/include/isccfg/aclconf.h		C	1999,2000,2001,2004,2005,2006,2007
 ./lib/isccfg/include/isccfg/cfg.h		C	2000,2001,2002,2004,2005,2006,2007
+./lib/isccfg/include/isccfg/dnsconf.h		C	2009
 ./lib/isccfg/include/isccfg/grammar.h		C	2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isccfg/include/isccfg/log.h		C	2001,2004,2005,2006,2007,2009
 ./lib/isccfg/include/isccfg/namedconf.h		C	2002,2004,2005,2006,2007,2009
@@ -2320,7 +2411,7 @@
 ./lib/lwres/Makefile.in				MAKE	2000,2001,2004,2005,2007
 ./lib/lwres/api					X	2000,2001,2006,2008
 ./lib/lwres/assert_p.h				C	2000,2001,2004,2005,2007
-./lib/lwres/context.c				C	2000,2001,2003,2004,2005,2007,2008
+./lib/lwres/context.c				C	2000,2001,2003,2004,2005,2007,2008,2009
 ./lib/lwres/context_p.h				C	2000,2001,2004,2005,2007,2008
 ./lib/lwres/gai_strerror.c			C	2000,2001,2004,2005,2006,2007
 ./lib/lwres/getaddrinfo.c			C.BSDI	1999,2000,2001,2004,2005,2006,2007,2008
@@ -2441,7 +2532,7 @@
 ./lib/lwres/win32/socket.c			C	2007
 ./lib/lwres/win32/version.c			C	1998,1999,2000,2001,2004,2007
 ./lib/tests/.cvsignore				X	1999,2000,2001
-./lib/tests/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007
+./lib/tests/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007,2009
 ./lib/tests/T_testlist.imp			X	2004
 ./lib/tests/include/.cvsignore			X	1999,2000,2001
 ./lib/tests/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
@@ -2482,6 +2573,7 @@
 ./util/memleak.pl				PERL	1999,2000,2001,2004,2007
 ./util/merge_copyrights				PERL	1998,1999,2000,2001,2003,2004,2005,2006,2007,2009
 ./util/mkreslib.pl				PERL	2000,2001,2004,2007
+./util/mksymtbl.pl				PERL	2009
 ./util/nanny.pl					PERL	2000,2001,2004,2007
 ./util/new-func					PERL	2005,2007
 ./util/nt-kit					SH	1999,2000,2001,2004,2007

From e7c38ca9635e73c9a928bbab9c73c2abbd499f8b Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 23:43:54 +0000
Subject: [PATCH 093/385] - define isc_mem_reallocate() in the abstract API for
 export lib [rt20208] - define BIND9 in config.h.win32 - fix problems in mem.h
 caused by the win32 preprocessor failing to   expand macros used within
 macros - silence a win32 compiler warning in hip_55.c

---
 config.h.win32                  | 11 +++++++-
 lib/dns/rdata/generic/hip_55.c  |  4 +--
 lib/isc/include/isc/mem.h       | 46 +++++++++++++++++----------------
 lib/isc/include/isc/namespace.h |  3 ++-
 lib/isc/include/isc/socket.h    |  4 +--
 lib/isc/mem.c                   | 16 +++++++-----
 lib/isc/mem_api.c               |  9 ++++++-
 lib/isc/win32/libisc.def        |  2 ++
 lib/isccfg/parser.c             |  6 ++---
 9 files changed, 63 insertions(+), 38 deletions(-)

diff --git a/config.h.win32 b/config.h.win32
index 962ffe2be8..301d2871f4 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.21 2009/07/17 23:47:40 tbox Exp $ */
+/* $Id: config.h.win32,v 1.22 2009/09/02 23:43:54 each Exp $ */
 
 /*
  * win32 configuration file
@@ -51,7 +51,10 @@
 /*
  * Windows NT and 2K only
  */
+#ifndef _WIN32_WINNT
 #define _WIN32_WINNT 0x0400
+#endif
+
 /* Define if you have the ANSI C header files.  */
 #define STDC_HEADERS 1
 
@@ -239,3 +242,9 @@ typedef long off_t;
  * Define if libxml2 is present
  */
 #define HAVE_LIBXML2 1
+
+/*
+ * Define when building BIND9.  When building exportable versions
+ * of libisc, libdns, etc, this must be removed.
+ */
+#define BIND9 1
diff --git a/lib/dns/rdata/generic/hip_55.c b/lib/dns/rdata/generic/hip_55.c
index c5e0687ee2..101066209f 100644
--- a/lib/dns/rdata/generic/hip_55.c
+++ b/lib/dns/rdata/generic/hip_55.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hip_55.c,v 1.3 2009/02/26 11:18:56 tbox Exp $ */
+/* $Id: hip_55.c,v 1.4 2009/09/02 23:43:54 each Exp $ */
 
 /* reviewed: TBC */
 
@@ -215,7 +215,7 @@ fromwire_hip(ARGS_FROMWIRE) {
 	if (key_len == 0)
 		RETERR(DNS_R_FORMERR);
 	isc_region_consume(®ion, 2);
-	if (region.length < hit_len + key_len)
+	if (region.length < (unsigned) (hit_len + key_len))
 		RETERR(DNS_R_FORMERR);
 
 	RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 28edcb67a3..ef6e3c89c9 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.83 2009/09/01 23:47:44 tbox Exp $ */
+/* $Id: mem.h,v 1.84 2009/09/02 23:43:54 each Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -152,11 +152,11 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #endif
 
 
-#define isc_mem_get(c, s)	isc__mem_get((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_allocate(c, s)	isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_strdup(c, p)	isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_get(c)	isc__mempool_get((c) _ISC_MEM_FILELINE)
+#define isc_mem_get(c, s)	isc___mem_get((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s)	isc___mem_allocate((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) isc___mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p)	isc___mem_strdup((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_get(c)	isc___mempool_get((c) _ISC_MEM_FILELINE)
 
 /*%
  * isc_mem_putanddetach() is a convenience function for use where you
@@ -197,6 +197,8 @@ typedef struct isc_memmethods {
 	void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
 				size_t size _ISC_MEM_FLARG);
 	void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void *(*memreallocate)(isc_mem_t *mctx, void *ptr,
+			       size_t size _ISC_MEM_FLARG);
 	char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
 	void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
 	void (*setdestroycheck)(isc_mem_t *mctx, isc_boolean_t flag);
@@ -256,29 +258,29 @@ struct isc_mempool {
 #if ISC_MEM_DEBUG
 #define isc_mem_put(c, p, s) \
 	do { \
-		isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
+		isc___mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
 		(p) = NULL; \
 	} while (0)
 #define isc_mem_putanddetach(c, p, s) \
 	do { \
-		isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
+		isc___mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
 		(p) = NULL; \
 	} while (0)
 #define isc_mem_free(c, p) \
 	do { \
-		isc__mem_free((c), (p) _ISC_MEM_FILELINE); \
+		isc___mem_free((c), (p) _ISC_MEM_FILELINE); \
 		(p) = NULL; \
 	} while (0)
 #define isc_mempool_put(c, p) \
 	do { \
-		isc__mempool_put((c), (p) _ISC_MEM_FILELINE); \
+		isc___mempool_put((c), (p) _ISC_MEM_FILELINE); \
 		(p) = NULL; \
 	} while (0)
 #else
-#define isc_mem_put(c, p, s)	isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_put(c, p, s)	isc___mem_put((c), (p), (s) _ISC_MEM_FILELINE)
 #define isc_mem_putanddetach(c, p, s) \
-	isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_free(c, p)	isc__mem_free((c), (p) _ISC_MEM_FILELINE)
+	isc___mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_free(c, p)	isc___mem_free((c), (p) _ISC_MEM_FILELINE)
 #define isc_mempool_put(c, p)	isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
 #endif
 
@@ -671,23 +673,23 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
  * Pseudo-private functions for use via macros.  Do not call directly.
  */
 void *
-isc__mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
+isc___mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
 void
-isc__mem_putanddetach(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
+isc___mem_putanddetach(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
 void
-isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+isc___mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void *
-isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+isc___mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
 void *
-isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+isc___mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void
-isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
+isc___mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
 char *
-isc__mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
+isc___mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
 void *
-isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
+isc___mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
 void
-isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
+isc___mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
 
 #ifdef USE_MEMIMPREGISTER
 
diff --git a/lib/isc/include/isc/namespace.h b/lib/isc/include/isc/namespace.h
index 9cc8d60a84..24fdcecc89 100644
--- a/lib/isc/include/isc/namespace.h
+++ b/lib/isc/include/isc/namespace.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namespace.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: namespace.h,v 1.3 2009/09/02 23:43:54 each Exp $ */
 
 #ifndef ISCAPI_NAMESPACE_H
 #define ISCAPI_NAMESPACE_H 1
@@ -59,6 +59,7 @@
 #define isc__mem_allocate isc___mem_allocate
 #define isc__mem_free isc___mem_free
 #define isc__mem_strdup isc___mem_strdup
+#define isc__mem_reallocate isc___mem_reallocate
 #define isc_mem_references isc__mem_references
 #define isc_mem_setdestroycheck isc__mem_setdestroycheck
 #define isc_mem_setquota isc__mem_setquota
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 11ee408935..376dcc09ad 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.92 2009/09/02 18:32:25 each Exp $ */
+/* $Id: socket.h,v 1.93 2009/09/02 23:43:54 each Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -1068,7 +1068,7 @@ void *isc_socket_gettag(isc_socket_t *socket);
  */
 
 void
-isc_socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
+isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
 /*%<
  * Temporary.  For use by named only.
  */
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 934694f618..ef6ece0c29 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.152 2009/09/02 04:25:19 jinmei Exp $ */
+/* $Id: mem.c,v 1.153 2009/09/02 23:43:54 each Exp $ */
 
 /*! \file */
 
@@ -255,6 +255,8 @@ ISC_MEMFUNC_SCOPE void
 isc__mem_stats(isc_mem_t *ctx, FILE *out);
 ISC_MEMFUNC_SCOPE void *
 isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG);
 ISC_MEMFUNC_SCOPE void
 isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
 ISC_MEMFUNC_SCOPE char *
@@ -336,6 +338,7 @@ static struct isc__memmethods {
 		isc___mem_put,
 		isc___mem_putanddetach,
 		isc___mem_allocate,
+		isc___mem_reallocate,
 		isc___mem_strdup,
 		isc___mem_free,
 		isc__mem_setdestroycheck,
@@ -1545,8 +1548,9 @@ isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
 	return (si);
 }
 
-void *
-isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 	void *new_ptr = NULL;
 	size_t oldsize, copysize;
 
@@ -1564,17 +1568,17 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
 	 *     NULL if allocation fails or doesn't happen.
 	 */
 	if (size > 0U) {
-		new_ptr = isc__mem_allocate(ctx, size FLARG_PASS);
+		new_ptr = isc__mem_allocate(ctx0, size FLARG_PASS);
 		if (new_ptr != NULL && ptr != NULL) {
 			oldsize = (((size_info *)ptr)[-1]).u.size;
 			INSIST(oldsize >= ALIGNMENT_SIZE);
 			oldsize -= ALIGNMENT_SIZE;
 			copysize = oldsize > size ? size : oldsize;
 			memcpy(new_ptr, ptr, copysize);
-			isc__mem_free(ctx, ptr FLARG_PASS);
+			isc__mem_free(ctx0, ptr FLARG_PASS);
 		}
 	} else if (ptr != NULL)
-		isc__mem_free(ctx, ptr FLARG_PASS);
+		isc__mem_free(ctx0, ptr FLARG_PASS);
 
 	return (new_ptr);
 }
diff --git a/lib/isc/mem_api.c b/lib/isc/mem_api.c
index e50c56b843..a6f2c3aa35 100644
--- a/lib/isc/mem_api.c
+++ b/lib/isc/mem_api.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: mem_api.c,v 1.4 2009/09/02 23:43:54 each Exp $ */
 
 #include 
 
@@ -148,6 +148,13 @@ isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
 	return (mctx->methods->memallocate(mctx, size FLARG_PASS));
 }
 
+void *
+isc__mem_reallocate(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->memreallocate(mctx, ptr, size FLARG_PASS));
+}
+
 char *
 isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
 	REQUIRE(ISCAPI_MCTX_VALID(mctx));
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index cffe791c84..1773472802 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -51,6 +51,7 @@ isc__app_unblock
 isc_assertion_setcallback
 isc_assertion_typetotext
 isc_backtrace_getsymbol
+isc_backtrace_getsymbolfromindex
 isc_backtrace_gettrace
 isc_base32_decoderegion
 isc_base32_decodestring
@@ -128,6 +129,7 @@ isc_file_renameunique
 isc_file_safecreate
 isc_file_safemovefile
 isc_file_settime
+isc_file_splitpath
 isc_file_template
 isc_file_truncate
 isc_fsaccess_add
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 1314e7a5de..e76a53df8a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.131 2009/06/11 23:47:55 tbox Exp $ */
+/* $Id: parser.c,v 1.132 2009/09/02 23:43:54 each Exp $ */
 
 /*! \file */
 
@@ -29,12 +29,12 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
-#include 
-#include 
 #include 
+#include 
 
 #include 
 #include 

From d7201de09b85929a86b157f4b2d91667c68c6b52 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 2 Sep 2009 23:48:03 +0000
Subject: [PATCH 094/385] update copyright notice

---
 bin/check/Makefile.in                        |  4 +-
 bin/dig/Makefile.in                          |  4 +-
 bin/dnssec/dnssec-keygen.c                   | 36 ++++++------
 bin/dnssec/dnssec-revoke.c                   |  6 +-
 bin/dnssec/dnssec-settime.c                  | 34 +++++------
 bin/dnssec/dnssectool.c                      |  6 +-
 bin/dnssec/dnssectool.h                      |  4 +-
 bin/named/lwdgabn.c                          |  4 +-
 bin/named/lwdgrbn.c                          |  4 +-
 bin/named/lwresd.c                           |  4 +-
 bin/named/tkeyconf.c                         |  4 +-
 bin/named/unix/Makefile.in                   |  4 +-
 bin/tests/adb_test.c                         |  4 +-
 bin/tests/backtrace_test.c                   |  6 +-
 bin/tests/byname_test.c                      |  4 +-
 bin/tests/db/Makefile.in                     |  4 +-
 bin/tests/db_test.c                          |  4 +-
 bin/tests/dst/gsstest.c                      | 28 ++++-----
 bin/tests/master/Makefile.in                 |  4 +-
 bin/tests/master_test.c                      |  6 +-
 bin/tests/mem/Makefile.in                    |  4 +-
 bin/tests/name_test.c                        |  4 +-
 bin/tests/names/Makefile.in                  |  4 +-
 bin/tests/net/Makefile.in                    |  4 +-
 bin/tests/nsecify.c                          |  4 +-
 bin/tests/rbt/Makefile.in                    |  4 +-
 bin/tests/rbt_test.c                         |  4 +-
 bin/tests/sig0_test.c                        |  4 +-
 bin/tests/system/lwresd/Makefile.in          |  4 +-
 bin/tests/system/tkey/Makefile.in            |  4 +-
 bin/tests/zone_test.c                        | 28 ++++-----
 contrib/sdb/pgsql/zonetodb.c                 |  4 +-
 lib/bind9/Makefile.in                        |  4 +-
 lib/dns/byaddr.c                             |  4 +-
 lib/dns/client.c                             | 34 +++++------
 lib/dns/dnssec.c                             | 16 ++---
 lib/dns/ecdb.c                               |  6 +-
 lib/dns/forward.c                            |  6 +-
 lib/dns/gssapictx.c                          |  4 +-
 lib/dns/include/dns/client.h                 |  8 +--
 lib/dns/include/dns/ecdb.h                   |  6 +-
 lib/dns/include/dns/forward.h                |  4 +-
 lib/dns/include/dns/lib.h                    |  4 +-
 lib/dns/include/dns/tsec.h                   |  8 +--
 lib/dns/lib.c                                |  4 +-
 lib/dns/peer.c                               |  4 +-
 lib/dns/rdata.c                              |  4 +-
 lib/dns/tkey.c                               |  4 +-
 lib/dns/tsec.c                               |  8 +--
 lib/export/Makefile.in                       |  6 +-
 lib/export/dns/Makefile.in                   |  6 +-
 lib/export/dns/include/Makefile.in           |  6 +-
 lib/export/dns/include/dns/Makefile.in       |  6 +-
 lib/export/dns/include/dst/Makefile.in       |  4 +-
 lib/export/irs/Makefile.in                   |  6 +-
 lib/export/irs/include/irs/Makefile.in       |  4 +-
 lib/export/isc/Makefile.in                   |  6 +-
 lib/export/isc/nls/Makefile.in               |  6 +-
 lib/export/isc/nothreads/Makefile.in         |  6 +-
 lib/export/isc/pthreads/Makefile.in          |  6 +-
 lib/export/isc/unix/Makefile.in              |  6 +-
 lib/export/isccfg/Makefile.in                |  7 +--
 lib/export/isccfg/include/isccfg/Makefile.in |  4 +-
 lib/export/samples/Makefile-postinstall.in   |  6 +-
 lib/export/samples/Makefile.in               |  6 +-
 lib/export/samples/nsprobe.c                 | 12 ++--
 lib/export/samples/sample-async.c            |  6 +-
 lib/export/samples/sample-gai.c              |  6 +-
 lib/export/samples/sample-request.c          |  6 +-
 lib/export/samples/sample-update.c           |  8 +--
 lib/export/samples/sample.c                  | 10 ++--
 lib/irs/Makefile.in                          |  6 +-
 lib/irs/context.c                            | 23 ++++----
 lib/irs/dnsconf.c                            | 25 ++++----
 lib/irs/gai_strerror.c                       |  7 +--
 lib/irs/getaddrinfo.c                        | 62 +++++++++-----------
 lib/irs/getnameinfo.c                        | 33 +++++------
 lib/irs/include/Makefile.in                  |  6 +-
 lib/irs/include/irs/Makefile.in              |  6 +-
 lib/irs/include/irs/context.h                | 23 ++++----
 lib/irs/include/irs/dnsconf.h                | 23 ++++----
 lib/irs/include/irs/netdb.h.in               |  7 +--
 lib/irs/include/irs/platform.h.in            |  6 +-
 lib/irs/include/irs/resconf.h                | 23 ++++----
 lib/irs/include/irs/types.h                  |  6 +-
 lib/irs/include/irs/version.h                |  6 +-
 lib/irs/resconf.c                            | 37 ++++++------
 lib/irs/version.c                            |  6 +-
 lib/isc/app_api.c                            | 12 ++--
 lib/isc/assertions.c                         |  4 +-
 lib/isc/backtrace.c                          |  4 +-
 lib/isc/include/isc/app.h                    |  4 +-
 lib/isc/include/isc/lib.h                    |  4 +-
 lib/isc/include/isc/namespace.h              |  6 +-
 lib/isc/include/isc/result.h                 |  4 +-
 lib/isc/include/isc/resultclass.h            |  4 +-
 lib/isc/include/isc/timer.h                  |  4 +-
 lib/isc/lib.c                                |  4 +-
 lib/isc/mem_api.c                            | 10 ++--
 lib/isc/nls/Makefile.in                      |  4 +-
 lib/isc/nothreads/Makefile.in                |  4 +-
 lib/isc/pthreads/Makefile.in                 |  4 +-
 lib/isc/socket_api.c                         |  8 +--
 lib/isc/task.c                               |  8 +--
 lib/isc/task_api.c                           |  6 +-
 lib/isc/task_p.h                             |  4 +-
 lib/isc/timer_api.c                          |  6 +-
 lib/isc/timer_p.h                            |  4 +-
 lib/isc/unix/Makefile.in                     |  4 +-
 lib/isc/unix/app.c                           |  8 +--
 lib/isc/unix/socket_p.h                      |  4 +-
 lib/isc/win32/Makefile.in                    |  4 +-
 lib/isc/win32/app.c                          |  6 +-
 lib/isccc/Makefile.in                        |  4 +-
 lib/isccfg/Makefile.in                       |  4 +-
 lib/isccfg/dnsconf.c                         |  7 +--
 lib/isccfg/include/isccfg/dnsconf.h          |  7 +--
 lib/lwres/context.c                          |  6 +-
 lib/tests/Makefile.in                        |  4 +-
 util/mksymtbl.pl                             | 18 +++++-
 120 files changed, 494 insertions(+), 508 deletions(-)

diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 39af25cbe8..b586b5badc 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.34 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.35 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index ee57ce2dcb..3cb1bd1fb4 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.43 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.44 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index cb1b5cd08c..d71226720e 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.91 2009/09/02 06:29:00 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.92 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -311,63 +311,63 @@ main(int argc, char **argv) {
 			/* already the default */
 			break;
 		case 'P':
-                        if (setpub || unsetpub)
-                                fatal("-P specified more than once");
+			if (setpub || unsetpub)
+				fatal("-P specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setpub = ISC_TRUE;
 				publish = strtotime(isc_commandline_argument,
 						    now, now);
 			} else {
-                                unsetpub = ISC_TRUE;
-                        }
+				unsetpub = ISC_TRUE;
+			}
 			break;
 		case 'A':
-                        if (setact || unsetact)
-                                fatal("-A specified more than once");
+			if (setact || unsetact)
+				fatal("-A specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setact = ISC_TRUE;
 				activate = strtotime(isc_commandline_argument,
 						     now, now);
 			} else {
-                                unsetact = ISC_TRUE;
+				unsetact = ISC_TRUE;
 			}
 			break;
 		case 'R':
-                        if (setrev || unsetrev)
-                                fatal("-R specified more than once");
+			if (setrev || unsetrev)
+				fatal("-R specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setrev = ISC_TRUE;
 				revoke = strtotime(isc_commandline_argument,
 						   now, now);
 			} else {
-                                unsetrev = ISC_TRUE;
+				unsetrev = ISC_TRUE;
 			}
 			break;
 		case 'U':
-                        if (setunpub || unsetunpub)
-                                fatal("-U specified more than once");
+			if (setunpub || unsetunpub)
+				fatal("-U specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setunpub = ISC_TRUE;
 				unpublish = strtotime(isc_commandline_argument,
 						      now, now);
 			} else {
-                                unsetunpub = ISC_TRUE;
+				unsetunpub = ISC_TRUE;
 			}
 			break;
 		case 'D':
-                        if (setdel || unsetdel)
-                                fatal("-D specified more than once");
+			if (setdel || unsetdel)
+				fatal("-D specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setdel = ISC_TRUE;
 				delete = strtotime(isc_commandline_argument,
 						   now, now);
 			} else {
-                                unsetdel = ISC_TRUE;
+				unsetdel = ISC_TRUE;
 			}
 			break;
 		case 'F':
@@ -691,7 +691,7 @@ main(int argc, char **argv) {
 				fatal("cannot use -C together with "
 				      "-P, -A, -R, -U, or -D options");
 			/*
-			 * Compatibility mode: Private-key-format 
+			 * Compatibility mode: Private-key-format
 			 * should be set to 1.2.
 			 */
 			dst_key_setprivateformat(key, 1, 2);
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index d58db629ca..634fc71128 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.10 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -161,9 +161,9 @@ main(int argc, char **argv) {
 
 	flags = dst_key_flags(key);
 	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
-                isc_stdtime_t now;
+		isc_stdtime_t now;
 
-                isc_stdtime_get(&now);
+		isc_stdtime_get(&now);
 		dst_key_settime(key, DST_TIME_REVOKE, now);
 
 		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 77fa98242d..90e374769a 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.9 2009/09/02 06:29:00 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.10 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -72,7 +72,7 @@ usage(void) {
 						     "deletion date\n");
 	fprintf(stderr, "Printing options:\n");
 	fprintf(stderr, "    -p C/P/A/R/U/D/all: print a particular time "
-	                                        "value or values "
+						"value or values "
 						"[default: all]\n");
 	fprintf(stderr, "    -u:                 print times in unix epoch "
 						"format\n");
@@ -213,8 +213,8 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			break;
 		case 'P':
-                        if (setpub || unsetpub)
-                                fatal("-P specified more than once");
+			if (setpub || unsetpub)
+				fatal("-P specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
@@ -226,8 +226,8 @@ main(int argc, char **argv) {
 			}
 			break;
 		case 'A':
-                        if (setact || unsetact)
-                                fatal("-A specified more than once");
+			if (setact || unsetact)
+				fatal("-A specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
@@ -239,8 +239,8 @@ main(int argc, char **argv) {
 			}
 			break;
 		case 'R':
-                        if (setrev || unsetrev)
-                                fatal("-R specified more than once");
+			if (setrev || unsetrev)
+				fatal("-R specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
@@ -252,8 +252,8 @@ main(int argc, char **argv) {
 			}
 			break;
 		case 'U':
-                        if (setunpub || unsetunpub)
-                                fatal("-U specified more than once");
+			if (setunpub || unsetunpub)
+				fatal("-U specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
@@ -265,8 +265,8 @@ main(int argc, char **argv) {
 			}
 			break;
 		case 'D':
-                        if (setdel || unsetdel)
-                                fatal("-D specified more than once");
+			if (setdel || unsetdel)
+				fatal("-D specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
@@ -360,20 +360,20 @@ main(int argc, char **argv) {
 		dst_key_unsettime(key, DST_TIME_ACTIVATE);
 
 	if (setrev) {
-                if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
-                        fprintf(stderr, "%s: warning: Key %s is already "
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+			fprintf(stderr, "%s: warning: Key %s is already "
 					"revoked; changing the revocation date "
 					"will not affect this.\n",
 					program, keystr);
 		dst_key_settime(key, DST_TIME_REVOKE, rev);
 	} else if (unsetrev) {
-                if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
-                        fprintf(stderr, "%s: warning: Key %s is already "
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+			fprintf(stderr, "%s: warning: Key %s is already "
 					"revoked; removing the revocation date "
 					"will not affect this.\n",
 					program, keystr);
 		dst_key_unsettime(key, DST_TIME_REVOKE);
-        }
+	}
 
 	if (setunpub)
 		dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 225e48ca90..5e62640090 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.51 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dnssectool.c,v 1.52 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -304,8 +304,8 @@ strtottl(const char *str) {
 	char *endp;
 
 	ttl = strtol(str, &endp, 0);
-        if (ttl == 0 && endp == str)
-                fatal("TTL must be numeric");
+	if (ttl == 0 && endp == str)
+		fatal("TTL must be numeric");
 	ttl = time_units(ttl, endp, orig);
 	return (ttl);
 }
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 3506184d98..a77a5b4bd1 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.23 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dnssectool.h,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 761b741500..c4b598beb1 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.23 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: lwdgabn.c,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index c3bbe58b5d..5c858cbeda 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.21 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: lwdgrbn.c,v 1.22 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index f32c8cb37e..11198a4324 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.59 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: lwresd.c,v 1.60 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 52f5f105c1..e11aaa22d3 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.30 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: tkeyconf.c,v 1.31 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index 00bf2e0696..dc1bf2b9c1 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.12 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index a63a2537e2..bf44b45d3f 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb_test.c,v 1.69 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: adb_test.c,v 1.70 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/tests/backtrace_test.c b/bin/tests/backtrace_test.c
index 3af46239e9..9253ca7714 100644
--- a/bin/tests/backtrace_test.c
+++ b/bin/tests/backtrace_test.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace_test.c,v 1.3 2009/09/01 20:13:43 each Exp $ */
+/* $Id: backtrace_test.c,v 1.4 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
@@ -46,10 +46,10 @@ func3() {
 		       isc_result_totext(result));
 		return (1);
 	}
-		
+
 	if (nframes < 4)
 		error++;
-	
+
 	for (i = 0; i < 4 && i < nframes; i++) {
 		fname = NULL;
 		result = isc_backtrace_getsymbol(tracebuf[i], &fname, &offset);
diff --git a/bin/tests/byname_test.c b/bin/tests/byname_test.c
index 1c3ea711a3..ae372e8571 100644
--- a/bin/tests/byname_test.c
+++ b/bin/tests/byname_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byname_test.c,v 1.32 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: byname_test.c,v 1.33 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file
  * \author
diff --git a/bin/tests/db/Makefile.in b/bin/tests/db/Makefile.in
index fe9e28398e..9120510edd 100644
--- a/bin/tests/db/Makefile.in
+++ b/bin/tests/db/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.30 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.31 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index 1cd8f0dfc7..e800531f22 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db_test.c,v 1.67 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: db_test.c,v 1.68 2009/09/02 23:48:01 tbox Exp $ */
 
 /*! \file
  * \author
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c
index 355fde3a9e..6c314d227c 100755
--- a/bin/tests/dst/gsstest.c
+++ b/bin/tests/dst/gsstest.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gsstest.c,v 1.7 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: gsstest.c,v 1.8 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
@@ -175,7 +175,7 @@ recvresponse(isc_task_t *task, isc_event_t *event) {
 end:
 	if (query)
 		dns_message_destroy(&query);
-	
+
 	if (reqev->request)
 		dns_request_destroy(&reqev->request);
 
@@ -184,7 +184,7 @@ end:
 	event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
 				   sizeof(*event));
 	isc_task_send(task, &event);
-	return;		
+	return;
 }
 
 
@@ -202,7 +202,7 @@ sendquery(isc_task_t *task, isc_event_t *event)
 	char output[10 * 1024];
 
 	static char host[256];
-	
+
 	isc_event_free(&event);
 
 	printf("Query => ");
@@ -335,7 +335,7 @@ end:
 		dns_request_destroy(&reqev->request);
 
 	isc_event_free(&event);
-	
+
 	event = isc_event_allocate(mctx, (void *)1, 1, console, NULL,
 				   sizeof(*event));
 	isc_task_send(task, &event);
@@ -357,14 +357,14 @@ initctx1(isc_task_t *task, isc_event_t *event) {
 	sprintf(contextname, "gsstest.context.%d.", (int)time(NULL));
 
 	printf("Initctx - context name we're using: %s\n", contextname);
-	
+
 	printf("Negotiating GSSAPI context: ");
 	printf(gssid);
 	printf("\n");
 
 	/*
 	 * Setup a GSSAPI context with the server
-	 */ 
+	 */
 	dns_fixedname_init(&servername);
 	isc_buffer_init(&buf, contextname, strlen(contextname));
 	isc_buffer_add(&buf, strlen(contextname));
@@ -372,7 +372,7 @@ initctx1(isc_task_t *task, isc_event_t *event) {
 				   dns_rootname, 0, NULL);
 	CHECK("dns_name_fromtext", result);
 
-	/* Make name happen */	
+	/* Make name happen */
 	dns_fixedname_init(&gssname);
 	isc_buffer_init(&buf, gssid, strlen(gssid));
 	isc_buffer_add(&buf, strlen(gssid));
@@ -423,7 +423,7 @@ setup(void)
 			isc_sockaddr_fromin(&address, &inaddr, PORT);
 			return;
 		}
-	
+
 	};
 }
 
@@ -446,7 +446,7 @@ main(int argc, char *argv[]) {
 
 	UNUSED(argv);
 	UNUSED(argc);
-	
+
 	RUNCHECK(isc_app_start());
 
 	dns_result_register();
@@ -519,7 +519,7 @@ main(int argc, char *argv[]) {
 				   &sock));
 
 	setup();
-	
+
 	RUNCHECK(isc_app_onrun(mctx, task, console, NULL));
 
 	(void)isc_app_run();
@@ -529,10 +529,10 @@ main(int argc, char *argv[]) {
 
 	dns_requestmgr_shutdown(requestmgr);
 	dns_requestmgr_detach(&requestmgr);
-	
+
 	dns_dispatch_detach(&dispatchv4);
 	dns_dispatchmgr_destroy(&dispatchmgr);
-	
+
 	isc_timermgr_destroy(&timermgr);
 
 	isc_task_detach(&task);
diff --git a/bin/tests/master/Makefile.in b/bin/tests/master/Makefile.in
index 61b6761db5..8fbe3aa0b2 100644
--- a/bin/tests/master/Makefile.in
+++ b/bin/tests/master/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.30 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/master_test.c b/bin/tests/master_test.c
index f0160f436c..afc6c8c10d 100644
--- a/bin/tests/master_test.c
+++ b/bin/tests/master_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master_test.c,v 1.31 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: master_test.c,v 1.32 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
@@ -85,7 +85,7 @@ main(int argc, char *argv[]) {
 		dns_rdatacallbacks_init_stdio(&callbacks);
 		callbacks.add = print_dataset;
 
-		result = dns_master_loadfile(argv[1], &origin, &origin, 
+		result = dns_master_loadfile(argv[1], &origin, &origin,
 					     dns_rdataclass_in, 0,
 					     &callbacks, mctx);
 		fprintf(stdout, "dns_master_loadfile: %s\n",
diff --git a/bin/tests/mem/Makefile.in b/bin/tests/mem/Makefile.in
index 550ebe5611..71b9f9b0ec 100644
--- a/bin/tests/mem/Makefile.in
+++ b/bin/tests/mem/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.35 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.36 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c
index c54260fa8f..9c98685a5d 100644
--- a/bin/tests/name_test.c
+++ b/bin/tests/name_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name_test.c,v 1.42 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: name_test.c,v 1.43 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
diff --git a/bin/tests/names/Makefile.in b/bin/tests/names/Makefile.in
index 17711f1ae0..c901d8d93b 100644
--- a/bin/tests/names/Makefile.in
+++ b/bin/tests/names/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.30 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/net/Makefile.in b/bin/tests/net/Makefile.in
index 1c223bf03b..59660f05a7 100644
--- a/bin/tests/net/Makefile.in
+++ b/bin/tests/net/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.17 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.18 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/nsecify.c b/bin/tests/nsecify.c
index d7f841c299..d21b9fdd98 100644
--- a/bin/tests/nsecify.c
+++ b/bin/tests/nsecify.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsecify.c,v 1.9 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: nsecify.c,v 1.10 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
diff --git a/bin/tests/rbt/Makefile.in b/bin/tests/rbt/Makefile.in
index be3cd5a50d..fbf3c1d6a5 100644
--- a/bin/tests/rbt/Makefile.in
+++ b/bin/tests/rbt/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.30 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index 93e4705447..39039b3b73 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt_test.c,v 1.49 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: rbt_test.c,v 1.50 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
diff --git a/bin/tests/sig0_test.c b/bin/tests/sig0_test.c
index 07654ed9cc..296356af76 100644
--- a/bin/tests/sig0_test.c
+++ b/bin/tests/sig0_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig0_test.c,v 1.18 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: sig0_test.c,v 1.19 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
diff --git a/bin/tests/system/lwresd/Makefile.in b/bin/tests/system/lwresd/Makefile.in
index 85ec286574..d81598c8e5 100644
--- a/bin/tests/system/lwresd/Makefile.in
+++ b/bin/tests/system/lwresd/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.21 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in
index 1157c8d464..84996c0a28 100644
--- a/bin/tests/system/tkey/Makefile.in
+++ b/bin/tests/system/tkey/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2009/09/01 00:22:25 jinmei Exp $
+# $Id: Makefile.in,v 1.13 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/tests/zone_test.c b/bin/tests/zone_test.c
index 9274e41dc2..8ce005d042 100644
--- a/bin/tests/zone_test.c
+++ b/bin/tests/zone_test.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone_test.c,v 1.34 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: zone_test.c,v 1.35 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 
@@ -104,7 +104,7 @@ setup(const char *zonename, const char *filename, const char *classname) {
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
-			  	   &buffer, dns_rootname, 0, NULL);
+				   &buffer, dns_rootname, 0, NULL);
 	ERRRET(result, "dns_name_fromtext");
 	origin = dns_fixedname_name(&fixorigin);
 
@@ -137,19 +137,19 @@ setup(const char *zonename, const char *filename, const char *classname) {
 
 static void
 print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
-        isc_buffer_t text;
-        char t[1000];
-        isc_result_t result;
-        isc_region_t r;
+	isc_buffer_t text;
+	char t[1000];
+	isc_result_t result;
+	isc_region_t r;
 
-        isc_buffer_init(&text, t, sizeof(t));
-        result = dns_rdataset_totext(rdataset, name, ISC_FALSE, ISC_FALSE,
+	isc_buffer_init(&text, t, sizeof(t));
+	result = dns_rdataset_totext(rdataset, name, ISC_FALSE, ISC_FALSE,
 				     &text);
-        isc_buffer_usedregion(&text, &r);
-        if (result == ISC_R_SUCCESS)
-                printf("%.*s", (int)r.length, (char *)r.base);
-        else
-                printf("%s\n", dns_result_totext(result));
+	isc_buffer_usedregion(&text, &r);
+	if (result == ISC_R_SUCCESS)
+		printf("%.*s", (int)r.length, (char *)r.base);
+	else
+		printf("%s\n", dns_result_totext(result));
 }
 
 static void
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index f141aaee65..a26d72d4b3 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonetodb.c,v 1.22 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: zonetodb.c,v 1.23 2009/09/02 23:48:01 tbox Exp $ */
 
 #include 
 #include 
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
index f03a8652e7..91e2083632 100644
--- a/lib/bind9/Makefile.in
+++ b/lib/bind9/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2009/09/01 00:22:26 jinmei Exp $
+# $Id: Makefile.in,v 1.13 2009/09/02 23:48:01 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 068c9985ea..6a3a603618 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.40 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: byaddr.c,v 1.41 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/client.c b/lib/dns/client.c
index f094188c83..0990e219ba 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: client.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -526,7 +526,7 @@ destroyclient(dns_client_t **clientp) {
 
 	DESTROYLOCK(&client->lock);
 	client->magic = 0;
-	
+
 	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 	*clientp = NULL;
@@ -558,7 +558,7 @@ dns_client_destroy(dns_client_t **clientp) {
 
 isc_result_t
 dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
-		      dns_name_t *namespace, isc_sockaddrlist_t *addrs) 
+		      dns_name_t *namespace, isc_sockaddrlist_t *addrs)
 {
 	isc_result_t result;
 	dns_view_t *view = NULL;
@@ -1112,7 +1112,7 @@ dns_client_resolve(dns_client_t *client, dns_name_t *name,
 		/*
 		 * If the client is run under application's control, we need
 		 * to create a new running (sub)environment for this
-		 * particular resolution. 
+		 * particular resolution.
 		 */
 		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
 	} else
@@ -1156,7 +1156,7 @@ dns_client_resolve(dns_client_t *client, dns_name_t *name,
 		/*
 		 * If this lookup failed due to some error in DNSSEC
 		 * validation, return the validation error code.
-		 * XXX: or should we pass the validation result separately? 
+		 * XXX: or should we pass the validation result separately?
 		 */
 		result = resarg->vresult;
 	}
@@ -1210,7 +1210,7 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	mctx = client->mctx;
 	rdataset = NULL;
 	sigrdataset = NULL;
-	want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0); 
+	want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
 
 	/*
 	 * Prepare some intermediate resources
@@ -1276,7 +1276,7 @@ dns_client_startresolve(dns_client_t *client, dns_name_t *name,
 	UNLOCK(&client->lock);
 
 	client_resfind(rctx, NULL);
- 
+
 	*transp = (dns_clientrestrans_t *)rctx;
 
 	return (ISC_R_SUCCESS);
@@ -1318,7 +1318,7 @@ dns_client_cancelresolve(dns_clientrestrans_t *trans) {
 }
 
 void
-dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) { 
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) {
 	dns_name_t *name;
 	dns_rdataset_t *rdataset;
 
@@ -1453,7 +1453,7 @@ request_done(isc_task_t *task, isc_event_t *event) {
 static void
 localrequest_done(isc_task_t *task, isc_event_t *event) {
 	reqarg_t *reqarg = event->ev_arg;
-	dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event; 
+	dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event;
 
 	UNUSED(task);
 
@@ -1501,7 +1501,7 @@ dns_client_request(dns_client_t *client, dns_message_t *qmessage,
 		/*
 		 * If the client is run under application's control, we need
 		 * to create a new running (sub)environment for this
-		 * particular resolution. 
+		 * particular resolution.
 		 */
 		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
 	} else
@@ -2503,13 +2503,13 @@ dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
 	updatearg_t *uarg;
 
 	REQUIRE(DNS_CLIENT_VALID(client));
-	
+
 	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
 	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
 		/*
 		 * If the client is run under application's control, we need
 		 * to create a new running (sub)environment for this
-		 * particular resolution. 
+		 * particular resolution.
 		 */
 		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
 	} else
@@ -2875,7 +2875,7 @@ dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
 	REQUIRE(owner != NULL);
 	REQUIRE((rdataset != NULL && rdatalist != NULL && rdata != NULL) ||
 		(rdataset == NULL && rdatalist == NULL && rdata == NULL &&
-		 mctx != NULL)); 
+		 mctx != NULL));
 	if (op == updateop_add)
 		REQUIRE(source != NULL);
 	if (source != NULL) {
@@ -2899,7 +2899,7 @@ dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
 		dns_rdatalist_init(&updaterec->rdatalist);
 		dns_rdata_init(&updaterec->rdata);
 		isc_buffer_init(b, b + 1,
-			        size - sizeof(dns_client_updaterec_t));
+				size - sizeof(dns_client_updaterec_t));
 		dns_name_copy(owner, target, b);
 		if (source != NULL) {
 			isc_region_t r;
@@ -2907,7 +2907,7 @@ dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
 			dns_rdata_toregion(rdata, &r);
 			rdata->data = isc_buffer_used(b);
 			isc_buffer_copyregion(b, &r);
-			
+
 		}
 		updaterec->mctx = NULL;
 		isc_mem_attach(mctx, &updaterec->mctx);
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 906af63866..664e4989ee 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.99 2009/09/02 06:29:01 each Exp $
+ * $Id: dnssec.c,v 1.100 2009/09/02 23:48:02 tbox Exp $
  */
 
 /*! \file */
@@ -973,7 +973,7 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 	dk->hint_publish = ISC_FALSE;
 	dk->hint_sign = ISC_FALSE;
 	dk->hint_remove = ISC_FALSE;
-        dk->prepublish = 0;
+	dk->prepublish = 0;
 	dk->source = dns_keysource_unknown;
 	dk->index = 0;
 
@@ -1057,12 +1057,12 @@ get_hints(dns_dnsseckey_t *key) {
 	if (actset && !pubset)
 		key->hint_publish = ISC_TRUE;
 
-        /*
-         * If activation date is in the future, make note of how far off
-         */
-        if (key->hint_publish && actset && active > now) {
-                key->prepublish = active - now;
-        }
+	/*
+	 * If activation date is in the future, make note of how far off
+	 */
+	if (key->hint_publish && actset && active > now) {
+		key->prepublish = active - now;
+	}
 
 	/*
 	 * Metadata says revoke.  If the key is published,
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
index c8cee3af6d..cb36edb7c3 100644
--- a/lib/dns/ecdb.c
+++ b/lib/dns/ecdb.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ecdb.c,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: ecdb.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #include "config.h"
 
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index bc1a94bd33..7ec4e5c9de 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.c,v 1.13 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: forward.c,v 1.14 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -153,7 +153,7 @@ dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
 		  dns_forwarders_t **forwardersp)
 {
 	return (dns_fwdtable_find2(fwdtable, name, NULL, forwardersp));
-} 
+}
 
 isc_result_t
 dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 6f2e3b0783..6724590b4f 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.13 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: gssapictx.c,v 1.14 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
index 4017528dc1..d21dff788d 100644
--- a/lib/dns/include/dns/client.h
+++ b/lib/dns/include/dns/client.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: client.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef DNS_CLIENT_H
 #define DNS_CLIENT_H 1
@@ -346,7 +346,7 @@ dns_client_destroyrestrans(dns_clientrestrans_t **transp);
  */
 
 void
-dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist); 
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist);
 /*%<
  * Free resources allocated for the content of 'namelist'.
  *
diff --git a/lib/dns/include/dns/ecdb.h b/lib/dns/include/dns/ecdb.h
index 8d638d6f63..5c735b53cc 100644
--- a/lib/dns/include/dns/ecdb.h
+++ b/lib/dns/include/dns/ecdb.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ecdb.h,v 1.2 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: ecdb.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef DNS_ECDB_H
 #define DNS_ECDB_H 1
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index fa5a10c31d..23e94be789 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.h,v 1.12 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: forward.h,v 1.13 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef DNS_FORWARD_H
 #define DNS_FORWARD_H 1
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index 49c12c7c78..a78562f910 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.17 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: lib.h,v 1.18 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
diff --git a/lib/dns/include/dns/tsec.h b/lib/dns/include/dns/tsec.h
index 2d85e4b0a0..c6b376a19d 100644
--- a/lib/dns/include/dns/tsec.h
+++ b/lib/dns/include/dns/tsec.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsec.h,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: tsec.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef DNS_TSEC_H
 #define DNS_TSEC_H 1
@@ -68,7 +68,7 @@ isc_result_t
 dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 		dns_tsec_t **tsecp);
 /*%<
- * Create a TSEC structure and stores a type-dependent key structure in it.  
+ * Create a TSEC structure and stores a type-dependent key structure in it.
  * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
  * TSIG key structure from '*key' and keeps it in the structure.  For other
  * types, this function simply retains '*key' in the structure.  In either
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index becc19d1b5..eb69e992d2 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.17 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: lib.c,v 1.18 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index d83b253c6f..c55d73dddf 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.32 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: peer.c,v 1.33 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 5f8f0d6198..5e4e471a39 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.201 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: rdata.c,v 1.202 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 5d6d5484cf..02f93debd6 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.91 2009/09/01 00:22:26 jinmei Exp $
+ * $Id: tkey.c,v 1.92 2009/09/02 23:48:02 tbox Exp $
  */
 /*! \file */
 #include 
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
index 44bde128db..c90d4ee256 100644
--- a/lib/dns/tsec.c
+++ b/lib/dns/tsec.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsec.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: tsec.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -82,7 +82,7 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
 			break;
 		case DST_ALG_HMACSHA512:
 			algname = dns_tsig_hmacsha512_name;
-			break;			
+			break;
 		default:
 			isc_mem_put(mctx, tsec, sizeof(*tsec));
 			return (DNS_R_BADALG);
diff --git a/lib/export/Makefile.in b/lib/export/Makefile.in
index 5bbc93f400..fc9d4ad4c6 100644
--- a/lib/export/Makefile.in
+++ b/lib/export/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
index 3942ef156d..9d0cce2ec4 100644
--- a/lib/export/dns/Makefile.in
+++ b/lib/export/dns/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/dns
diff --git a/lib/export/dns/include/Makefile.in b/lib/export/dns/include/Makefile.in
index d28e14a1cc..9fc0b66b8f 100644
--- a/lib/export/dns/include/Makefile.in
+++ b/lib/export/dns/include/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/dns/include/dns/Makefile.in b/lib/export/dns/include/dns/Makefile.in
index 13486159a1..5e04d88538 100644
--- a/lib/export/dns/include/dns/Makefile.in
+++ b/lib/export/dns/include/dns/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/dns/include/dst/Makefile.in b/lib/export/dns/include/dst/Makefile.in
index c1d1340c6c..259e62eda2 100644
--- a/lib/export/dns/include/dst/Makefile.in
+++ b/lib/export/dns/include/dst/Makefile.in
@@ -1,6 +1,6 @@
 # Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/irs/Makefile.in b/lib/export/irs/Makefile.in
index 91925c9ba3..2cdc5818b0 100644
--- a/lib/export/irs/Makefile.in
+++ b/lib/export/irs/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/irs
diff --git a/lib/export/irs/include/irs/Makefile.in b/lib/export/irs/include/irs/Makefile.in
index 334b355de8..c8507571c5 100644
--- a/lib/export/irs/include/irs/Makefile.in
+++ b/lib/export/irs/include/irs/Makefile.in
@@ -1,6 +1,6 @@
 # Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in
index 30531b4f9c..9939515c33 100644
--- a/lib/export/isc/Makefile.in
+++ b/lib/export/isc/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc
diff --git a/lib/export/isc/nls/Makefile.in b/lib/export/isc/nls/Makefile.in
index e272f369e7..a9e779f928 100644
--- a/lib/export/isc/nls/Makefile.in
+++ b/lib/export/isc/nls/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/nls
diff --git a/lib/export/isc/nothreads/Makefile.in b/lib/export/isc/nothreads/Makefile.in
index 571f429269..e1bd566346 100644
--- a/lib/export/isc/nothreads/Makefile.in
+++ b/lib/export/isc/nothreads/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/nothreads
diff --git a/lib/export/isc/pthreads/Makefile.in b/lib/export/isc/pthreads/Makefile.in
index 624d44f3ef..92788ec104 100644
--- a/lib/export/isc/pthreads/Makefile.in
+++ b/lib/export/isc/pthreads/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/pthreads
diff --git a/lib/export/isc/unix/Makefile.in b/lib/export/isc/unix/Makefile.in
index ccd60ce3b8..5a8eed8824 100644
--- a/lib/export/isc/unix/Makefile.in
+++ b/lib/export/isc/unix/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/unix
diff --git a/lib/export/isccfg/Makefile.in b/lib/export/isccfg/Makefile.in
index d4e255dab8..d15b6433b0 100644
--- a/lib/export/isccfg/Makefile.in
+++ b/lib/export/isccfg/Makefile.in
@@ -1,7 +1,6 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003  Internet Software Consortium.
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isccfg
diff --git a/lib/export/isccfg/include/isccfg/Makefile.in b/lib/export/isccfg/include/isccfg/Makefile.in
index 49a6530c1a..5e9ea78d80 100644
--- a/lib/export/isccfg/include/isccfg/Makefile.in
+++ b/lib/export/isccfg/include/isccfg/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 20097  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/samples/Makefile-postinstall.in b/lib/export/samples/Makefile-postinstall.in
index 6908147641..174aed60ad 100644
--- a/lib/export/samples/Makefile-postinstall.in
+++ b/lib/export/samples/Makefile-postinstall.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile-postinstall.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile-postinstall.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 #prefix =	@prefix@
diff --git a/lib/export/samples/Makefile.in b/lib/export/samples/Makefile.in
index 97e1a7c3a6..4ab0286cd5 100644
--- a/lib/export/samples/Makefile.in
+++ b/lib/export/samples/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
diff --git a/lib/export/samples/nsprobe.c b/lib/export/samples/nsprobe.c
index b8fdcefb9e..e706e29023 100644
--- a/lib/export/samples/nsprobe.c
+++ b/lib/export/samples/nsprobe.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsprobe.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: nsprobe.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -113,7 +113,7 @@ struct stat {
 	unsigned long nxdomain;
 	unsigned long othererr;
 	unsigned long multiplesoa;
-	unsigned long multiplecname;	
+	unsigned long multiplecname;
 	unsigned long brokenanswer;
 	unsigned long lame;
 	unsigned long unknown;
@@ -122,8 +122,8 @@ struct stat {
 static unsigned long number_of_domains = 0;
 static unsigned long number_of_servers = 0;
 static unsigned long multiple_error_domains = 0;
-static isc_boolean_t debug_mode = ISC_FALSE; 
-static int verbose_level = 0; 
+static isc_boolean_t debug_mode = ISC_FALSE;
+static int verbose_level = 0;
 static const char *qlabels[] = {"www.", "ftp.", NULL};
 static struct probe_trans probes[MAX_PROBES];
 
diff --git a/lib/export/samples/sample-async.c b/lib/export/samples/sample-async.c
index 49e1c7a187..014b6a65d0 100644
--- a/lib/export/samples/sample-async.c
+++ b/lib/export/samples/sample-async.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-async.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: sample-async.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/export/samples/sample-gai.c b/lib/export/samples/sample-gai.c
index 364b5ad152..6dc4014ed5 100644
--- a/lib/export/samples/sample-gai.c
+++ b/lib/export/samples/sample-gai.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-gai.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: sample-gai.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/export/samples/sample-request.c b/lib/export/samples/sample-request.c
index b45e952d43..4d7d2fc9ef 100644
--- a/lib/export/samples/sample-request.c
+++ b/lib/export/samples/sample-request.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-request.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: sample-request.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/export/samples/sample-update.c b/lib/export/samples/sample-update.c
index 5ada36461d..c614e77c6e 100644
--- a/lib/export/samples/sample-update.c
+++ b/lib/export/samples/sample-update.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-update.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: sample-update.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -718,7 +718,7 @@ evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name) {
 		fprintf(stderr, "incorrect operation code: %s\n", word);
 		exit(1);
 	}
-	
+
 	make_prereq(mctx, cmdline, ispositive, isrrset, name);
 }
 
diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c
index 765a759af9..f547e893e9 100644
--- a/lib/export/samples/sample.c
+++ b/lib/export/samples/sample.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: sample.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -80,7 +80,7 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
 
 static void
 usage() {
-	fprintf(stderr, "sample [-t RRtype] " 
+	fprintf(stderr, "sample [-t RRtype] "
 		"[[-a algorithm] [-e] -k keyname -K keystring] "
 		"[-s domain:serveraddr_for_domain ] "
 		"server_address hostname\n");
@@ -127,7 +127,7 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr,
 	keystruct.common.rdtype = dns_rdatatype_dnskey;
 	keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
 	if (is_sep)
-		keystruct.flags |= DNS_KEYFLAG_KSK;	
+		keystruct.flags |= DNS_KEYFLAG_KSK;
 	keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
 	keystruct.algorithm = alg;
 
diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in
index 9504794db1..ed869679cf 100644
--- a/lib/irs/Makefile.in
+++ b/lib/irs/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/irs/context.c b/lib/irs/context.c
index 59ecd0e63b..be69622b5b 100644
--- a/lib/irs/context.c
+++ b/lib/irs/context.c
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: context.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c
index 1aa339e103..4a7d58bfbc 100644
--- a/lib/irs/dnsconf.c
+++ b/lib/irs/dnsconf.c
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: dnsconf.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -185,7 +182,7 @@ configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
 		isc_buffer_free(&keydatabuf);
 	if (keyname != NULL)
 		isc_mem_put(mctx, keyname, sizeof(*keyname));
-		
+
 	return (result);
 }
 
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
index df8bf024d4..2fe3941619 100644
--- a/lib/irs/gai_strerror.c
+++ b/lib/irs/gai_strerror.c
@@ -1,8 +1,7 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.4 2009/09/01 17:54:16 jinmei Exp $ */
+/* $Id: gai_strerror.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file gai_strerror.c
  * gai_strerror() returns an error message corresponding to an
diff --git a/lib/irs/getaddrinfo.c b/lib/irs/getaddrinfo.c
index a86b82905a..4b1f4a9221 100644
--- a/lib/irs/getaddrinfo.c
+++ b/lib/irs/getaddrinfo.c
@@ -1,24 +1,20 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.2 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: getaddrinfo.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -30,10 +26,10 @@
  *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
  *    either a decimal port number or a service name as listed in
  *    /etc/services.
- * 
+ *
  *    If the operating system does not provide a struct addrinfo, the
  *    following structure is used:
- * 
+ *
  * \code
  * struct  addrinfo {
  *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
@@ -46,29 +42,29 @@
  *         struct addrinfo *ai_next;       // next structure in linked list
  * };
  * \endcode
- * 
- * 
+ *
+ *
  *    hints is an optional pointer to a struct addrinfo. This structure can
  *    be used to provide hints concerning the type of socket that the caller
  *    supports or wishes to use. The caller can supply the following
  *    structure elements in *hints:
- * 
+ *
  * 
    
  *    
  • ai_family:
  *           The protocol family that should be used. When ai_family is set
  *           to PF_UNSPEC, it means the caller will accept any protocol
  *           family supported by the operating system.
    • 
- * 
+ *
  *    
  • ai_socktype:
  *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
  *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
  *           will accept any socket type.
    • 
- * 
+ *
  *    
  • ai_protocol:
  *           indicates which transport protocol is wanted: IPPROTO_UDP or
  *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
  *           protocol.
    • 
- * 
+ *
  *    
  • ai_flags:
  *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
  *           getaddrinfo() will return a null-terminated string
@@ -80,7 +76,7 @@
  *           address portion of the socket address structure will be set to
  *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
  *           address.

    
- * 
+ *
  *           When ai_flags does not set the AI_PASSIVE bit, the returned
  *           socket address structure will be ready for use in a call to
  *           connect(2) for a connection-oriented protocol or connect(2),
@@ -88,18 +84,18 @@
  *           chosen. The IP address portion of the socket address structure
  *           will be set to the loopback address if hostname is a NULL
  *           pointer and AI_PASSIVE is not set in ai_flags.

    
- * 
+ *
  *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
  *           should be treated as a numeric string defining an IPv4 or IPv6
  *           address and no name resolution should be attempted.
  * 

- * 
+ *
  *    All other elements of the struct addrinfo passed via hints must be
  *    zero.
- * 
+ *
  *    A hints of NULL is treated as if the caller provided a struct addrinfo
  *    initialized to zero with ai_familyset to PF_UNSPEC.
- * 
+ *
  *    After a successful call to getaddrinfo(), *res is a pointer to a
  *    linked list of one or more addrinfo structures. Each struct addrinfo
  *    in this list cn be processed by following the ai_next pointer, until a
@@ -108,22 +104,22 @@
  *    corresponding arguments for a call to socket(2). For each addrinfo
  *    structure in the list, the ai_addr member points to a filled-in socket
  *    address structure of length ai_addrlen.
- * 
+ *
  *    All of the information returned by getaddrinfo() is dynamically
  *    allocated: the addrinfo structures, and the socket address structures
  *    and canonical host name strings pointed to by the addrinfostructures.
  *    Memory allocated for the dynamically allocated structures created by a
  *    successful call to getaddrinfo() is released by freeaddrinfo().
  *    ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
- * 
+ *
  * \section irsreturn RETURN VALUES
- * 
+ *
  *    getaddrinfo() returns zero on success or one of the error codes
  *    listed in gai_strerror() if an error occurs. If both hostname and
  *    servname are NULL getaddrinfo() returns #EAI_NONAME.
- * 
+ *
  * \section irssee SEE ALSO
- * 
+ *
  *    getaddrinfo(), freeaddrinfo(),
  *    gai_strerror(), RFC3493, getservbyname(3), connect(2),
  *    sendto(2), sendmsg(2), socket(2).
@@ -854,7 +850,7 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 		 * There are outstanding states, but if we are at the head
 		 * of the state list (i.e., at the highest search priority)
 		 * and have any answer, we can stop now by canceling the
-		 * others. 
+		 * others.
 		 */
 		if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
 			if ((resstate->trans4 != NULL &&
diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
index 9c708f3ac5..0b674dbd81 100644
--- a/lib/irs/getnameinfo.c
+++ b/lib/irs/getnameinfo.c
@@ -1,8 +1,7 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.3 2009/09/01 02:54:26 marka Exp $ */
+/* $Id: getnameinfo.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -52,47 +51,47 @@
  *    getnameinfo() returns the hostname for the struct sockaddr sa which is
  *    salen bytes long. The hostname is of length hostlen and is returned via
  *    *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
- * 
+ *
  *    The name of the service associated with the port number in sa is
  *    returned in *serv. It is servlen bytes long. The maximum length of the
  *    service name is #NI_MAXSERV - 32 bytes.
- * 
+ *
  *    The flags argument sets the following bits:
- * 
+ *
  * \li   #NI_NOFQDN:
  *           A fully qualified domain name is not required for local hosts.
  *           The local part of the fully qualified domain name is returned
  *           instead.
- * 
+ *
  * \li   #NI_NUMERICHOST
  *           Return the address in numeric form, as if calling inet_ntop(),
  *           instead of a host name.
- * 
+ *
  * \li   #NI_NAMEREQD
  *           A name is required. If the hostname cannot be found in the DNS
  *           and this flag is set, a non-zero error code is returned. If the
  *           hostname is not found and the flag is not set, the address is
  *           returned in numeric form.
- * 
+ *
  * \li   #NI_NUMERICSERV
  *           The service name is returned as a digit string representing the
  *           port number.
- * 
+ *
  * \li   #NI_DGRAM
  *           Specifies that the service being looked up is a datagram
  *           service, and causes getservbyport() to be called with a second
  *           argument of "udp" instead of its default of "tcp". This is
  *           required for the few ports (512-514) that have different
  *           services for UDP and TCP.
- * 
+ *
  * \section getnameinfo_return Return Values
- * 
+ *
  *    getnameinfo() returns 0 on success or a non-zero error code if
  *    an error occurs.
- * 
+ *
  * \section getname_see See Also
- * 
- *    RFC3493, getservbyport(), 
+ *
+ *    RFC3493, getservbyport(),
  *    getnamebyaddr(). inet_ntop().
  */
 
@@ -376,7 +375,7 @@ getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
 							&b, &hostregion);
 						goto ptrfound;
 					}
-					
+
 				}
 			}
 		}
diff --git a/lib/irs/include/Makefile.in b/lib/irs/include/Makefile.in
index 3fba6e9dde..eca1945292 100644
--- a/lib/irs/include/Makefile.in
+++ b/lib/irs/include/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/irs/include/irs/Makefile.in b/lib/irs/include/irs/Makefile.in
index e85a90de0c..3c3b612757 100644
--- a/lib/irs/include/irs/Makefile.in
+++ b/lib/irs/include/irs/Makefile.in
@@ -1,6 +1,6 @@
-# Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/irs/include/irs/context.h b/lib/irs/include/irs/context.h
index a72d0e3b88..f2ef3f4790 100644
--- a/lib/irs/include/irs/context.h
+++ b/lib/irs/include/irs/context.h
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: context.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef IRS_CONTEXT_H
 #define IRS_CONTEXT_H 1
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h
index 7adb2cf723..4f673ff2df 100644
--- a/lib/irs/include/irs/dnsconf.h
+++ b/lib/irs/include/irs/dnsconf.h
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef IRS_DNSCONF_H
 #define IRS_DNSCONF_H 1
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
index 4f834dbaa2..299928b972 100644
--- a/lib/irs/include/irs/netdb.h.in
+++ b/lib/irs/include/irs/netdb.h.in
@@ -1,8 +1,7 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: netdb.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/irs/include/irs/platform.h.in b/lib/irs/include/irs/platform.h.in
index c498613911..0e9be3ce23 100644
--- a/lib/irs/include/irs/platform.h.in
+++ b/lib/irs/include/irs/platform.h.in
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: platform.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
index da31f0eab6..78c87d5166 100644
--- a/lib/irs/include/irs/resconf.h
+++ b/lib/irs/include/irs/resconf.h
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: resconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef IRS_RESCONF_H
 #define IRS_RESCONF_H 1
diff --git a/lib/irs/include/irs/types.h b/lib/irs/include/irs/types.h
index 14b548d7b9..0a539decd8 100644
--- a/lib/irs/include/irs/types.h
+++ b/lib/irs/include/irs/types.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: types.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef IRS_TYPES_H
 #define IRS_TYPES_H 1
diff --git a/lib/irs/include/irs/version.h b/lib/irs/include/irs/version.h
index d9020b8289..bd7e5cf8e0 100644
--- a/lib/irs/include/irs/version.h
+++ b/lib/irs/include/irs/version.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: version.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
index e51108e92f..f3181a30d2 100644
--- a/lib/irs/resconf.c
+++ b/lib/irs/resconf.c
@@ -1,23 +1,20 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resconf.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: resconf.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file resconf.c */
 
@@ -26,19 +23,19 @@
  *
  *    irs_resconf_load() opens the file filename and parses it to initialize
  *    the configuration structure.
- * 
+ *
  * \section lwconfig_return Return Values
- * 
+ *
  *    irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
  *    parsed filename. It returns a non-0 error code if filename could not be
  *    opened or contained incorrect resolver statements.
- * 
+ *
  * \section lwconfig_see See Also
- * 
+ *
  *    stdio(3), \link resolver resolver \endlink
- * 
+ *
  * \section files Files
- * 
+ *
  *    /etc/resolv.conf
  */
 
@@ -324,7 +321,7 @@ resconf_parsedomain(irs_resconf_t *conf,  FILE *fp) {
 	 */
 	for (i = 0; i < RESCONFMAXSEARCH; i++) {
 		if (conf->search[i] != NULL) {
-			isc_mem_free(conf->mctx, conf->search[i]); 
+			isc_mem_free(conf->mctx, conf->search[i]);
 			conf->search[i] = NULL;
 		}
 	}
diff --git a/lib/irs/version.c b/lib/irs/version.c
index 1142a8496b..f50a385556 100644
--- a/lib/irs/version.c
+++ b/lib/irs/version.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: version.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/app_api.c b/lib/isc/app_api.c
index 82940c3ef6..ce767d1750 100644
--- a/lib/isc/app_api.c
+++ b/lib/isc/app_api.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app_api.c,v 1.4 2009/09/01 08:12:33 jinmei Exp $ */
+/* $Id: app_api.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -79,21 +79,21 @@ isc_appctx_destroy(isc_appctx_t **ctxp) {
 isc_result_t
 isc_app_ctxstart(isc_appctx_t *ctx) {
 	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	
+
 	return (ctx->methods->ctxstart(ctx));
 }
 
 isc_result_t
 isc_app_ctxrun(isc_appctx_t *ctx) {
 	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	
+
 	return (ctx->methods->ctxrun(ctx));
 }
 
 isc_result_t
 isc_app_ctxsuspend(isc_appctx_t *ctx) {
 	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
-	
+
 	return (ctx->methods->ctxsuspend(ctx));
 }
 
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index 0d5cc5c211..368e90052c 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.24 2009/09/01 18:40:25 jinmei Exp $ */
+/* $Id: assertions.c,v 1.25 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/backtrace.c b/lib/isc/backtrace.c
index 26355ad55b..d2f044cb8c 100644
--- a/lib/isc/backtrace.c
+++ b/lib/isc/backtrace.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace.c,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+/* $Id: backtrace.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -37,7 +37,7 @@
  * 1. If the system library supports the "backtrace()" function, use it.
  * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
  *    then use gcc's (hidden) Unwind_Backtrace() function.  Note that this
- *    function doesn't work for C programs on many other architectures. 
+ *    function doesn't work for C programs on many other architectures.
  * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
  *    frame following frame pointers.  This assumes the executable binary
  *    compiled with frame pointers; this is not always true for x86_64 (rather,
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index f93f9fcdb8..e0be790637 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.10 2009/09/02 18:38:40 jinmei Exp $ */
+/* $Id: app.h,v 1.11 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
index af8b07b009..f24fef8501 100644
--- a/lib/isc/include/isc/lib.h
+++ b/lib/isc/include/isc/lib.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.15 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: lib.h,v 1.16 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
diff --git a/lib/isc/include/isc/namespace.h b/lib/isc/include/isc/namespace.h
index 24fdcecc89..33ec63a38f 100644
--- a/lib/isc/include/isc/namespace.h
+++ b/lib/isc/include/isc/namespace.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namespace.h,v 1.3 2009/09/02 23:43:54 each Exp $ */
+/* $Id: namespace.h,v 1.4 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISCAPI_NAMESPACE_H
 #define ISCAPI_NAMESPACE_H 1
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index b01b181fcf..2347d5f80c 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.72 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: result.h,v 1.73 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index e0f64393b1..d91e800e06 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.19 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: resultclass.h,v 1.20 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index c50b82c78d..fa9abb16aa 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.42 2009/09/02 18:38:40 jinmei Exp $ */
+/* $Id: timer.h,v 1.43 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index 8d431f13e0..a50542551d 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.15 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: lib.c,v 1.16 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/mem_api.c b/lib/isc/mem_api.c
index a6f2c3aa35..470c820124 100644
--- a/lib/isc/mem_api.c
+++ b/lib/isc/mem_api.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem_api.c,v 1.4 2009/09/02 23:43:54 each Exp $ */
+/* $Id: mem_api.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -99,7 +99,7 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
 
 void
 isc_mem_detach(isc_mem_t **mctxp) {
-	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp)); 
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
 
 	(*mctxp)->methods->detach(mctxp);
 
@@ -192,7 +192,7 @@ isc_mem_waterack(isc_mem_t *ctx, int flag) {
 	ctx->methods->waterack(ctx, flag);
 }
 
-size_t 
+size_t
 isc_mem_inuse(isc_mem_t *mctx) {
 	REQUIRE(ISCAPI_MCTX_VALID(mctx));
 
diff --git a/lib/isc/nls/Makefile.in b/lib/isc/nls/Makefile.in
index 29baa21fcc..8302a927bb 100644
--- a/lib/isc/nls/Makefile.in
+++ b/lib/isc/nls/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.15 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.16 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
index 2e6a41bebd..eef176522e 100644
--- a/lib/isc/nothreads/Makefile.in
+++ b/lib/isc/nothreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.9 2009/09/02 23:48:03 tbox Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc/nothreads
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
index c83eaa610a..2cbda99fc4 100644
--- a/lib/isc/pthreads/Makefile.in
+++ b/lib/isc/pthreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.21 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/socket_api.c b/lib/isc/socket_api.c
index a10efef41f..8ba206070c 100644
--- a/lib/isc/socket_api.c
+++ b/lib/isc/socket_api.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: socket_api.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
@@ -122,7 +122,7 @@ isc_socket_detach(isc_socket_t **socketp) {
 
 isc_result_t
 isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
-		unsigned int options) 
+		unsigned int options)
 {
 	REQUIRE(ISCAPI_SOCKET_VALID(sock));
 
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 839900771a..ddd4a53478 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.109 2009/09/02 04:25:19 jinmei Exp $ */
+/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -301,7 +301,7 @@ ISC_TASKFUNC_SCOPE isc_result_t
 isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
 		 isc_task_t **taskp)
 {
-	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0; 
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
 	isc__task_t *task;
 	isc_boolean_t exiting;
 	isc_result_t result;
@@ -1467,7 +1467,7 @@ isc__task_endexclusive(isc_task_t *task0) {
 #endif
 }
 
-#ifdef USE_SOCKETIMPREGISTER 
+#ifdef USE_SOCKETIMPREGISTER
 isc_result_t
 isc__task_register() {
 	return (isc_task_register(isc__taskmgr_create));
diff --git a/lib/isc/task_api.c b/lib/isc/task_api.c
index 2bb2061062..89065355fa 100644
--- a/lib/isc/task_api.c
+++ b/lib/isc/task_api.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_api.c,v 1.4 2009/09/01 23:05:33 jinmei Exp $ */
+/* $Id: task_api.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
index 75cba60a0f..cab2a83978 100644
--- a/lib/isc/task_p.h
+++ b/lib/isc/task_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.12 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: task_p.h,v 1.13 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
diff --git a/lib/isc/timer_api.c b/lib/isc/timer_api.c
index 44a0b9f1ff..97e62b3f0e 100644
--- a/lib/isc/timer_api.c
+++ b/lib/isc/timer_api.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_api.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: timer_api.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
 
 #include 
 
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
index 5e66bbe4bb..d6f7c996c7 100644
--- a/lib/isc/timer_p.h
+++ b/lib/isc/timer_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.11 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: timer_p.h,v 1.12 2009/09/02 23:48:02 tbox Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index 861048dd93..d47e5726a7 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.42 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.43 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index ef4d48d0af..04dfa7e5f8 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.62 2009/09/02 04:25:19 jinmei Exp $ */
+/* $Id: app.c,v 1.63 2009/09/02 23:48:03 tbox Exp $ */
 
 /*! \file */
 
@@ -140,7 +140,7 @@ typedef struct isc__appctx {
 	 * We assume that 'want_reload' can be read and written atomically.
 	 */
 	isc_boolean_t		want_reload;
-	
+
 	isc_boolean_t		blocked;
 
 	isc_taskmgr_t		*taskmgr;
@@ -952,7 +952,7 @@ isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
 	ctx->timermgr = timermgr;
 }
 
-#ifdef USE_APPIMPREGISTER 
+#ifdef USE_APPIMPREGISTER
 isc_result_t
 isc__app_register() {
 	return (isc_app_register(isc__appctx_create));
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
index e4a19baaaf..1316011739 100644
--- a/lib/isc/unix/socket_p.h
+++ b/lib/isc/unix/socket_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.14 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: socket_p.h,v 1.15 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
index 280b04e4f0..acfbf32bc9 100644
--- a/lib/isc/win32/Makefile.in
+++ b/lib/isc/win32/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.13 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/win32/app.c b/lib/isc/win32/app.c
index 65eddb050a..04b1638783 100644
--- a/lib/isc/win32/app.c
+++ b/lib/isc/win32/app.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.8 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: app.c,v 1.9 2009/09/02 23:48:03 tbox Exp $ */
 
 #include 
 
@@ -170,7 +170,7 @@ isc__app_run(void) {
 						      FALSE, INFINITE);
 
 		/* See why we returned */
-		
+
 		if (WaitSucceeded(dwWaitResult, NUM_EVENTS)) {
 			/*
 			 * The return was due to one of the events
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index 1bae4b35cb..31713e1abc 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.10 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.11 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index c3d2ee4aff..d7dbb65a3e 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.20 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
index 8429f34ccf..704d383a77 100644
--- a/lib/isccfg/dnsconf.c
+++ b/lib/isccfg/dnsconf.c
@@ -1,8 +1,7 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.c,v 1.3 2009/09/01 03:43:27 jinmei Exp $ */
+/* $Id: dnsconf.c,v 1.4 2009/09/02 23:48:03 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccfg/include/isccfg/dnsconf.h b/lib/isccfg/include/isccfg/dnsconf.h
index da34788704..edc5e5037b 100644
--- a/lib/isccfg/include/isccfg/dnsconf.h
+++ b/lib/isccfg/include/isccfg/dnsconf.h
@@ -1,8 +1,7 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.h,v 1.2 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:03 tbox Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index 7e8188eaf6..64bdaa107d 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.54 2009/09/01 22:52:27 jinmei Exp $ */
+/* $Id: context.c,v 1.55 2009/09/02 23:48:03 tbox Exp $ */
 
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
@@ -471,7 +471,7 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	result = lwres_context_send(ctx, sendbase, sendlen);
 	if (result != LWRES_R_SUCCESS)
 		return (result);
-	
+
 	/*
 	 * If this is not checked, select() can overflow,
 	 * causing corruption elsewhere.
diff --git a/lib/tests/Makefile.in b/lib/tests/Makefile.in
index b57a35cf95..b336c9f3e8 100644
--- a/lib/tests/Makefile.in
+++ b/lib/tests/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.26 2009/09/01 00:22:28 jinmei Exp $
+# $Id: Makefile.in,v 1.27 2009/09/02 23:48:03 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/util/mksymtbl.pl b/util/mksymtbl.pl
index b0fef5f42f..8ebc795c04 100755
--- a/util/mksymtbl.pl
+++ b/util/mksymtbl.pl
@@ -1,4 +1,18 @@
 #!/usr/bin/env perl
+#
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
 
 # Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
@@ -14,13 +28,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: mksymtbl.pl,v 1.2 2009/09/01 18:50:52 jinmei Exp $
+# $Id: mksymtbl.pl,v 1.3 2009/09/02 23:48:03 tbox Exp $
 
 use strict;
 use diagnostics;
 $^W = 1;
 
-my $rev = '$Id: mksymtbl.pl,v 1.2 2009/09/01 18:50:52 jinmei Exp $';
+my $rev = '$Id: mksymtbl.pl,v 1.3 2009/09/02 23:48:03 tbox Exp $';
 $rev =~ s/\$//g;
 $rev =~ s/,v//g;
 $rev =~ s/Id: //;

From c164f233b4ab79f7ba6b97d651da5674f65cb333 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 2 Sep 2009 23:51:55 +0000
Subject: [PATCH 095/385] s/isc__mem_reallocate/isc___mem_reallocate/

---
 lib/isc/win32/libisc.def | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 1773472802..4133c419c6 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -33,7 +33,7 @@ isc___mem_free
 isc___mem_get
 isc___mem_put
 isc___mem_putanddetach
-isc__mem_reallocate
+isc___mem_reallocate
 isc___mem_strdup
 isc___mempool_get
 isc___mempool_put

From 9f8d002a665cb12a5236883c697ea1f1c96409b8 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 3 Sep 2009 00:12:23 +0000
Subject: [PATCH 096/385] silence win32 compiler warnings

---
 bin/dnssec/dnssectool.c | 6 +++---
 lib/dns/lib.c           | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 5e62640090..62f3da33ba 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.52 2009/09/02 23:48:01 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.53 2009/09/03 00:12:23 each Exp $ */
 
 /*! \file */
 
@@ -329,11 +329,11 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
 		return ((isc_stdtime_t) base);
 	else if (str[0] == '+') {
 		offset = strtol(str + 1, &endp, 0);
-		offset = time_units(offset, endp, orig);
+		offset = time_units((isc_stdtime_t) offset, endp, orig);
 		val = base + offset;
 	} else if (str[0] == '-') {
 		offset = strtol(str + 1, &endp, 0);
-		offset = time_units(offset, endp, orig);
+		offset = time_units((isc_stdtime_t) offset, endp, orig);
 		val = base - offset;
 	} else if (strlen(str) == 8U) {
 		char timestr[15];
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index eb69e992d2..df16fa22d0 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.18 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
 
 /*! \file */
 
@@ -83,7 +83,7 @@ static isc_mutex_t reflock;
 static unsigned int references = 0;
 
 static void
-initialize() {
+initialize(void) {
 	isc_result_t result;
 
 	REQUIRE(initialize_done == ISC_FALSE);

From 2895f101b5585a19015ac2c2c1e1812ac467fa12 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 3 Sep 2009 01:14:42 +0000
Subject: [PATCH 097/385] regen

---
 bin/dnssec/dnssec-keygen.8           |   4 +-
 bin/dnssec/dnssec-keygen.html        |  18 +-
 bin/dnssec/dnssec-settime.8          |  33 +++-
 bin/dnssec/dnssec-settime.html       |  42 +++-
 bin/dnssec/dnssec-signzone.8         |  18 +-
 bin/dnssec/dnssec-signzone.html      |  30 ++-
 doc/arm/Bv9ARM.ch04.html             | 108 ++++++-----
 doc/arm/Bv9ARM.ch05.html             |   6 +-
 doc/arm/Bv9ARM.ch06.html             | 277 +++++++++++++++++++--------
 doc/arm/Bv9ARM.ch07.html             |  14 +-
 doc/arm/Bv9ARM.ch08.html             |  18 +-
 doc/arm/Bv9ARM.ch09.html             | 180 ++++++++---------
 doc/arm/Bv9ARM.html                  |  81 ++++----
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +-
 doc/arm/man.dnssec-dsfromkey.html    |  16 +-
 doc/arm/man.dnssec-keyfromlabel.html |  12 +-
 doc/arm/man.dnssec-keygen.html       |  26 +--
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  48 ++++-
 doc/arm/man.dnssec-signzone.html     |  34 +++-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  16 +-
 doc/arm/man.nsupdate.html            |  14 +-
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 doc/misc/options                     |   7 +-
 30 files changed, 688 insertions(+), 424 deletions(-)

diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 6e45f30934..f171a1b824 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.46 2009/08/29 01:14:37 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.47 2009/09/03 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -169,7 +169,7 @@ Sets the debugging level.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. If such an offset is followed by one of the characters 'y', 'm', 'w', 'd', or 'h', then the offset is computed in years, months, weeks, days, or hours, respectively; otherwise it is computed in seconds.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index bb37e443b7..518f71bc9e 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -212,10 +212,12 @@
 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
     

 

 
-P date/offset

@@ -299,7 +301,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -320,7 +322,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -329,7 +331,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index c3f6e982b7..42a21d1166 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-settime.8,v 1.4 2009/07/19 23:47:55 tbox Exp $
+.\" $Id: dnssec-settime.8,v 1.5 2009/09/03 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -78,7 +78,7 @@ Sets the debugging level.
 .RE
 .SH "TIMING OPTIONS"
 .PP
-Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. If such an offset is followed by one of the characters 'y', 'm', 'w', 'd', or 'h', then the offset is computed in years, months, weeks, days, or hours, respectively; otherwise it is computed in seconds.
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
 .PP
 \-P \fIdate/offset\fR
 .RS 4
@@ -104,6 +104,35 @@ Sets the date on which the key is to be unpublished. After that date, the key wi
 .RS 4
 Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
 .RE
+.SH "PRINTING OPTIONS"
+.PP
+\fBdnssec\-settime\fR
+can also be used to print the timing metadata associated with a key.
+.PP
+\-u
+.RS 4
+Print times in UNIX epoch format.
+.RE
+.PP
+\-p \fIC/P/A/R/U/D/all\fR
+.RS 4
+Print a specific metadata value or set of metadata values. The
+\fB\-p\fR
+option may be followed by one or more of the following letters to indicate which value or values to print:
+\fBC\fR
+for the creation date,
+\fBP\fR
+for the publication date,
+\fBA\fR
+for the activation date,
+\fBR\fR
+for the revokation date,
+\fBU\fR
+for the unpublication date, or
+\fBD\fR
+for the deletion date. To print all of the metadata, use
+\fB\-p all\fR.
+.RE
 .SH "SEE ALSO"
 .PP
 \fBdnssec\-keygen\fR(8),
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index 06dda04c43..aa711d3d64 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -87,10 +87,12 @@
 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To unset a date, use 'none'.
     

 

 
-P date/offset

@@ -128,7 +130,33 @@
 

 

 

-
SEE ALSO

+
PRINTING OPTIONS

+

+      dnssec-settime can also be used to print the
+      timing metadata associated with a key.
+    

+

+
-u

+

+	    Print times in UNIX epoch format.
+	  

+
-p C/P/A/R/U/D/all

+

+	    Print a specific metadata value or set of metadata values.
+            The -p option may be followed by one or more
+            of the following letters to indicate which value or values to print:
+            C for the creation date,
+            P for the publication date,
+            A for the activation date,
+            R for the revokation date,
+            U for the unpublication date, or
+            D for the deletion date.
+            To print all of the metadata, use -p all.
+	  

+

+

+

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -136,7 +164,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 6dbfaa4ad6..f14bd18b68 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.51 2009/07/19 04:27:55 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.52 2009/09/03 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -52,6 +52,16 @@ Verify all generated signatures.
 Specifies the DNS class of the zone.
 .RE
 .PP
+\-C
+.RS 4
+Compatibility mode: Generate a
+\fIkeyset\-\fR\fI\fIzonename\fR\fR
+file in addition to
+\fIdsset\-\fR\fI\fIzonename\fR\fR
+when signing a zone, for use by older versions of
+\fBdnssec\-signzone\fR.
+.RE
+.PP
 \-d \fIdirectory\fR
 .RS 4
 Look for
@@ -99,6 +109,9 @@ Specify the date and time when the generated RRSIG records expire. As with
 \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
 \fBend\-time\fR
 is specified, 30 days from the start time is used as a default.
+\fBend\-time\fR
+must be later than
+\fBstart\-time\fR.
 .RE
 .PP
 \-f \fIoutput\-file\fR
@@ -247,7 +260,8 @@ If either of the key's unpublication or deletion dates are set and in the past,
 .PP
 \-T \fIttl\fR
 .RS 4
-Specifies the TTL of new DNSKEY records imported to the zone from the key repository. Only useful with the \-S option.
+Specifies the TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the minimum TTL value from the zone's SOA record. This option is ignored when signing without
+\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them.
 .RE
 .PP
 \-t
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 35e934d6b7..c72b702650 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -53,6 +53,15 @@
 

             Specifies the DNS class of the zone.
           

+
-C

+

+            Compatibility mode: Generate a
+            keyset-zonename
+            file in addition to
+            dsset-zonename
+            when signing a zone, for use by older versions of
+            dnssec-signzone.
+          

 
-d directory

 

             Look for dsset- or
@@ -99,6 +108,8 @@
             the start time.  A time relative to the current time is
             indicated with now+N.  If no end-time is
             specified, 30 days from the start time is used as a default.
+            end-time must be later than
+            start-time.
           

 
-f output-file

 

@@ -279,8 +290,15 @@
 

 
-T ttl

 

-            Specifies the TTL of new DNSKEY records imported to the zone
-            from the key repository.  Only useful with the -S option.
+            Specifies the TTL to be used for new DNSKEY records imported
+            into the zone from the key repository.  If not specified,
+            the default is the minimum TTL value from the zone's SOA
+            record.  This option is ignored when signing without
+            -S, since DNSKEY records are not imported
+            from the key repository in that case.  It is also ignored if
+            there are any pre-existing DNSKEY records at the zone apex,
+            in which case new records' TTL values will be set to match
+            them.
           

 
-t

 

@@ -326,7 +344,7 @@
 
 
 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -355,14 +373,14 @@ db.example.com.signed
 %
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 2e264d02d3..c58535f3c2 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -68,10 +68,10 @@
 
Signing the Zone

 
Configuring Servers

 
-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
@@ -884,7 +884,8 @@ allow-update { key host1-host2. ;};
           dnssec-validation options must both be
           set to yes (the default setting in BIND 9.5
           and later), and at least one trust anchor must be configured
-          with a trusted-keys statement in
+          with a trusted-keys or
+          managed-keys statement in
           named.conf.
         

 

@@ -896,7 +897,13 @@ allow-update { key host1-host2. ;};
           to validated the DNSKEY RRset that they are from.
         

 

-          trusted-keys are described in more detail
+          managed-keys are trusted keys which are
+          automatically kept up to date via RFC 5011 trust anchor
+          maintenance.
+        

+

+          trusted-keys and
+          managed-keys are described in more detail
           later in this document.
         

 

@@ -911,53 +918,54 @@ allow-update { key host1-host2. ;};
           more public keys for the root.  This allows answers from
           outside the organization to be validated.  It will also
           have several keys for parts of the namespace the organization
-          controls.  These are here to ensure that named is immune
-          to compromises in the DNSSEC components of the security
+          controls.  These are here to ensure that named
+          is immune to compromises in the DNSSEC components of the security
           of parent zones.
         

 
-trusted-keys {
-
+managed-keys {
         /* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
-             JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
-             aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
-             4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
-             hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
-             5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
-             g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
-             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
-             97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
-             dgxbcDTClU0CRBdiieyLMNzXG3";
+        "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+                                 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+                                 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+                                 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+                                 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+                                 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+                                 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+                                 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+                                 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+                                 dgxbcDTClU0CRBdiieyLMNzXG3";
+};
 
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
-                      5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
-                      GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
-                      4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
-                      kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
-                      g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
-                      TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
-                      FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
-                      F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
-                      /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
-                      1OTQ09A0=";
+trusted-keys {
+        /* Key for our organization's forward zone */
+        example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+                              5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+                              GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+                              4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+                              kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+                              g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+                              TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+                              FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+                              F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+                              /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+                              1OTQ09A0=";
 
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
-                               xOdNax071L18QqZnQQQAVVr+i
-                               LhGTnNGp3HoWQLUIzKrJVZ3zg
-                               gy3WwNT6kZo6c0tszYqbtvchm
-                               gQC8CzKojM/W16i6MG/eafGU3
-                               siaOdS0yOI6BgPsw+YZdzlYMa
-                               IJGf4M4dyoKIhzdZyQ2bYQrjy
-                               Q4LB0lC7aOnsMyYKHHYeRvPxj
-                               IQXmdqgOJGq+vsevG06zW+1xg
-                               YJh9rCIfnm1GX/KMgxLPG2vXT
-                               D/RnLX+D3T3UL7HJYHJhAZD5L
-                               59VvjSPsZJHeDCUyWYrvPZesZ
-                               DIRvhDD52SKvbheeTJUm6Ehkz
-                               ytNN2SN96QRk8j/iI8ib";
+        /* Key for our reverse zone. */
+        2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+                                       xOdNax071L18QqZnQQQAVVr+i
+                                       LhGTnNGp3HoWQLUIzKrJVZ3zg
+                                       gy3WwNT6kZo6c0tszYqbtvchm
+                                       gQC8CzKojM/W16i6MG/eafGU3
+                                       siaOdS0yOI6BgPsw+YZdzlYMa
+                                       IJGf4M4dyoKIhzdZyQ2bYQrjy
+                                       Q4LB0lC7aOnsMyYKHHYeRvPxj
+                                       IQXmdqgOJGq+vsevG06zW+1xg
+                                       YJh9rCIfnm1GX/KMgxLPG2vXT
+                                       D/RnLX+D3T3UL7HJYHJhAZD5L
+                                       59VvjSPsZJHeDCUyWYrvPZesZ
+                                       DIRvhDD52SKvbheeTJUm6Ehkz
+                                       ytNN2SN96QRk8j/iI8ib";
 };
 
 options {
@@ -1009,7 +1017,7 @@ options {
 
 

 

-IPv6 Support in BIND 9

+IPv6 Support in BIND 9

 

         BIND 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -1047,7 +1055,7 @@ options {
       

 

 

-Address Lookups Using AAAA Records

+Address Lookups Using AAAA Records

 

           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -1066,7 +1074,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 

 

-Address to Name Lookups Using Nibble Format

+Address to Name Lookups Using Nibble Format

 

           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 56bc69d63e..c5ceb50dbf 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 

 
Table of Contents

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 

 

 

-The Lightweight Resolver Library

+The Lightweight Resolver Library

 

         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 1f107e91f5..68543607dd 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,55 +48,58 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
+            and Usage

+
managed-keys Statement Grammar

+
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -474,7 +477,7 @@
 Address Match Lists
 

 

-Syntax

+Syntax

 
address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -483,7 +486,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -567,7 +570,7 @@
 
 

 

-Comment Syntax

+Comment Syntax

 

           The BIND 9 comment syntax allows for
           comments to appear
@@ -577,7 +580,7 @@
         

 

 

-Syntax

+Syntax

 

             

 
/* This is a BIND comment as in C */

@@ -593,7 +596,7 @@
 
 

 

-Definition and Usage

+Definition and Usage

 

             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -805,6 +808,17 @@
               
 
 

+
+
+
+
@@ -834,7 +848,7 @@
       

 

 

-acl Statement Grammar

+acl Statement Grammar

 
acl acl-name {
     address_match_list
 };
@@ -916,7 +930,7 @@
 
 

 

-controls Statement Grammar

+controls Statement Grammar

 
controls {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow {  address_match_list  }
@@ -1040,12 +1054,12 @@
 
 

 

-include Statement Grammar

+include Statement Grammar

 
include filename;

 
 

 

-include Statement Definition and
+include Statement Definition and
           Usage

 

           The include statement inserts the
@@ -1060,7 +1074,7 @@
 

 

 

-key Statement Grammar

+key Statement Grammar

 
key key_id {
     algorithm string;
     secret string;
@@ -1069,7 +1083,7 @@
 
 

 

-key Statement Definition and Usage

+key Statement Definition and Usage

 

           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1116,7 +1130,7 @@
 
 

 

-logging Statement Grammar

+logging Statement Grammar

 
logging {
    [ channel channel_name {
      ( file path_name
@@ -1140,7 +1154,7 @@
 
 

 

-logging Statement Definition and
+logging Statement Definition and
           Usage

 

           The logging statement configures a
@@ -1174,7 +1188,7 @@
         

 

 

-The channel Phrase

+The channel Phrase

 

             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1738,7 +1752,7 @@ category notify { null; };
 
 

 

-The query-errors Category

+The query-errors Category

 

             The query-errors category is
             specifically intended for debugging purposes: To identify
@@ -1966,7 +1980,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-lwres Statement Grammar

+lwres Statement Grammar

 

            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1982,7 +1996,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-lwres Statement Definition and Usage

+lwres Statement Definition and Usage

 

           The lwres statement configures the
           name
@@ -2033,7 +2047,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-masters Statement Grammar

+masters Statement Grammar

 
 masters name [port ip_port] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2041,7 +2055,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 

 

-masters Statement Definition and
+masters Statement Definition and
           Usage

 
masters
           lists allow for a common set of masters to be easily used by
@@ -2050,7 +2064,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 

 

 

-options Statement Grammar

+options Statement Grammar

 

           This is the grammar of the options
           statement in the named.conf file:
@@ -2616,7 +2630,8 @@ options {
                 they are secure.  If no, then normal
                 DNSSEC validation applies allowing for insecure answers to
                 be accepted.  The specified domain must be under a
-                trusted-key or
+                trusted-keys or
+                managed-keys statement, or
                 dnssec-lookaside must be active.
               

 
@@ -3347,7 +3362,7 @@ options {
 
 

 

-Forwarding

+Forwarding

 

             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3391,7 +3406,7 @@ options {
 
 

 

-Dual-stack Servers

+Dual-stack Servers

 

             Dual-stack servers are used as servers of last resort to work
             around
@@ -3588,7 +3603,7 @@ options {
 
 

 

-Interfaces

+Interfaces

 

             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4040,7 +4055,7 @@ avoid-v6-udp-ports {};
 
 

 

-UDP Port Lists

+UDP Port Lists

 

             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4082,7 +4097,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Operating System Resource Limits

+Operating System Resource Limits

 

             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4244,7 +4259,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 

 

-Periodic Task Intervals

+Periodic Task Intervals

 

 
cleaning-interval

 

@@ -5040,7 +5055,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 

 

 

-Content Filtering

+Content Filtering

 

             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5370,7 +5385,7 @@ deny-answer-aliases { "example.net"; };
 
 

 

-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage

 

           The statistics-channels statement
@@ -5421,7 +5436,7 @@ deny-answer-aliases { "example.net"; };
 

 

 

-trusted-keys Statement Grammar

+trusted-keys Statement Grammar

 
trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5430,7 +5445,7 @@ deny-answer-aliases { "example.net"; };
 
 

 

-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage

 

             The trusted-keys statement defines
@@ -5467,11 +5482,111 @@ deny-answer-aliases { "example.net"; };
             level are inherited by all views, but keys defined in a view
             are only used within that view.
           

+

+

+

+managed-keys Statement Grammar

+
managed-keys {
+    string initial-key number number number string ;
+    [ string initial-key number number number string ; [...]]
+};
+

+

+

+

+managed-keys Statement Definition
+            and Usage

 

-            In addition to keys specified in
-            trusted-keys statements, if the
-            dnssec-lookaside option is set to "auto",
-            named will also load a built-in trusted key for dlv.isc.org.
+            The managed-keys statement, like 
+            trusted-keys, defines DNSSEC
+            security roots.  The difference is that
+            managed-keys can be kept up to date
+            automatically, without intervention from the resolver
+            operator.
+          

+

+            Suppose, for example, that a zone's key-signing
+            key was compromised, and the zone owner had to revoke and
+            replace the key.  A resolver which had the old key in a
+            trusted-keys statement would be
+            unable to validate this zone any longer; it would
+            reply with a SERVFAIL response code.  This would
+            continue until the resolver operator had updated the
+            trusted-keys statement with the new key.
+          

+

+            If, however, the zone were listed in a
+            managed-keys statement instead, then the
+            zone owner could add a "stand-by" key to the zone in advance.
+            named would store the stand-by key, and
+            when the original key was revoked, named
+            would be able to transition smoothly to the new key.  It would
+            also recognize that the old key had been revoked, and cease
+            using that key to validate answers, minimizing the damage that
+            the compromised key could do.
+          

+

+            A managed-keys statement contains a list of
+            the keys to be managed, along with information about how the
+            keys are to be initialized for the first time.  The only
+            initialization method currently supported (as of
+            BIND 9.7.0) is initial-key.
+            This means the managed-keys statement must
+            contain a copy of the initializing key.  (Future releases may
+            allow keys to be initialized by other methods, eliminating this
+            requirement.)
+          

+

+            Consequently, a managed-keys statement
+            appears similar to a trusted-keys, differing
+            in the presence of the second field, containing the keyword
+            initial-key.  The difference is, whereas the
+            keys listed in a trusted-keys continue to be
+            trusted until they are removed from
+            named.conf, an initializing key listed 
+            in a managed-keys statement is only trusted
+            once: for as long as it takes to load the
+            managed key database and start the RFC 5011 key maintenance
+            process.
+          

+

+            The first time named runs with a managed key
+            configured in named.conf, it fetches the
+            DNSKEY RRset directly from the zone apex, and validates it
+            using the key specified in the managed-keys
+            statement.  If the DNSKEY RRset is validly signed, then it is
+            used as the basis for a new managed keys database.
+          

+

+            From that point on, whenever named runs, it
+            sees the managed-keys statement, checks to
+            make sure RFC 5011 key maintenance has already been initialized
+            for the specified domain, and if so, it simply moves on.  The
+            key specified in the managed-keys is not
+            used to validate answers; it has been superseded by the key or
+            keys stored in the managed keys database.
+          

+

+            The next time named runs after a name
+            has been removed from the
+            managed-keys statement, the corresponding
+            zone will be removed from the managed keys database,
+            and RFC 5011 key maintenance will no longer be used for that
+            domain.
+          

+

+            named only maintains a single managed keys
+            database; consequently, unlike trusted-keys,
+            managed-keys may only be set at the top
+            level of named.conf, not within a view.
+          

+

+            If the dnssec-lookaside option is set to
+            "auto", named will automatically initialize
+            a managed key for the zone dlv.isc.org.  The
+            key that is used to initialize the key maintenance process is
+            built into named, and can be overridden
+            from bindkeys-file.
           

 

 

@@ -5489,7 +5604,7 @@ deny-answer-aliases { "example.net"; };
 

 

 

-view Statement Definition and Usage

+view Statement Definition and Usage

 

             The view statement is a powerful
             feature
@@ -5766,10 +5881,10 @@ zone zone_name [
 

 

-zone Statement Definition and Usage

+zone Statement Definition and Usage

 

 

-Zone Types

+Zone Types

 

 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

+                
managed-keys

+              		
+                

+                  lists DNSSEC keys to be kept up to date
+                  using RFC 5011 trust anchor maintenance.
+                

+              

 
                 
view

               
@@ -5980,7 +6095,7 @@ zone zone_name [
 

 

-Class

+Class

 

               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6002,7 +6117,7 @@ zone zone_name [
 

 

-Zone Options

+Zone Options

 

 
allow-notify

 

@@ -6632,7 +6747,7 @@ zone zone_name [
 

 

-Zone File

+Zone File

 

 

 Types of Resource Records and When to Use Them

@@ -6645,7 +6760,7 @@ zone zone_name [
 

 

-Resource Records

+Resource Records

 

               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7382,7 +7497,7 @@ zone zone_name [
 

 

-Textual expression of RRs

+Textual expression of RRs

 

               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7585,7 +7700,7 @@ zone zone_name [
 

 

-Discussion of MX Records

+Discussion of MX Records

 

             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7841,7 +7956,7 @@ zone zone_name [
 

 

-Inverse Mapping in IPv4

+Inverse Mapping in IPv4

 

             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -7902,7 +8017,7 @@ zone zone_name [
 

 

-Other Zone File Directives

+Other Zone File Directives

 

             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -7917,7 +8032,7 @@ zone zone_name [
 

 

-The @ (at-sign)

+The @ (at-sign)

 

               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -7928,7 +8043,7 @@ zone zone_name [
 

 

-The $ORIGIN Directive

+The $ORIGIN Directive

 

               Syntax: $ORIGIN
               domain-name
@@ -7957,7 +8072,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $INCLUDE Directive

+The $INCLUDE Directive

 

               Syntax: $INCLUDE
               filename
@@ -7993,7 +8108,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-The $TTL Directive

+The $TTL Directive

 

               Syntax: $TTL
               default-ttl
@@ -8012,7 +8127,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 

 

-BIND Master File Extension: the  $GENERATE Directive

+BIND Master File Extension: the  $GENERATE Directive

 

             Syntax: $GENERATE
             range
@@ -8436,7 +8551,7 @@ HOST-127.EXAMPLE. MX 0 .
           

 

 

-Name Server Statistics Counters

+Name Server Statistics Counters

 

 
 

@@ -8993,7 +9108,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Zone Maintenance Statistics Counters

+Zone Maintenance Statistics Counters

 

 
 

@@ -9147,7 +9262,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Resolver Statistics Counters

+Resolver Statistics Counters

 

 
 

@@ -9530,7 +9645,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Socket I/O Statistics Counters

+Socket I/O Statistics Counters

 

               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9685,7 +9800,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 

 

-Compatibility with BIND 8 Counters

+Compatibility with BIND 8 Counters

 

               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index c6fc069927..531c63c15e 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
Table of Contents

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

@@ -122,7 +122,7 @@ zone "example.com" {
 
 

 

-Chroot and Setuid
+Chroot and Setuid
 

 

           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         

 

 

-The chroot Environment

+The chroot Environment

 

             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 

 

-Using the setuid Function

+Using the setuid Function

 

             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index f4e98172e6..d15cd3dbdf 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 

 
Table of Contents

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 

 

 

-Common Problems

+Common Problems

 

 

-It's not working; how can I figure out what's wrong?

+It's not working; how can I figure out what's wrong?

 

             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 

 

-Incrementing and Changing the Serial Number

+Incrementing and Changing the Serial Number

 

           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 

 

-Where Can I Get Help?

+Where Can I Get Help?

 

           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 808129c540..81d1791e0e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 

 
Table of Contents

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 

 

 

-Acknowledgments

+Acknowledgments

 

 

 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 

 

 

-General DNS Reference Information

+General DNS Reference Information

 

 

 IPv6 addresses (AAAA)

@@ -250,17 +250,17 @@
           

 

 

-Bibliography

+Bibliography

 

 
Standards

 

-
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

+
[RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 

 

 

-
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

+
[RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 

 

 

-
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
[RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 

 

 

@@ -268,42 +268,42 @@
 

 Proposed Standards

 

-
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
[RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 

 

 

-
[RFC2308] M. Andrews. Negative Caching of DNS
+
[RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 

 

 

-
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

+
[RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 

 

 

-
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

+
[RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 

 

 

-
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

+
[RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 

 

 

-
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

+
[RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 

 

 

-
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

+
[RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 

 

 

-
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

+
[RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 

 

 

-
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

+
[RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 

 

 

-
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

+
[RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 

 

 

-
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

+
[RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 

 

 

-
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
[RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 

 

@@ -312,19 +312,19 @@
 

 DNS Security Proposed Standards

 

-
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

+
[RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 

 

 

-
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

+
[RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 

 

 

-
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

+
[RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 

 

 

-
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

+
[RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 

 

 

-
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
[RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 

 

 
@@ -332,146 +332,146 @@
 
Other Important RFCs About DNS
                 Implementation

 

-
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
[RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 

 

 

-
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
[RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 

 

 

-
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

+
[RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 

 

 

-
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
[RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 

 

 
 

 
Resource Record Types

 

-
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

+
[RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 

 

 

-
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

+
[RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 

 

 

-
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
[RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 

 

 

-
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
[RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 

 

 

-
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
[RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 

 

 

-
[RFC2163] A. Allocchio. Using the Internet DNS to
+
[RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 

 

 

-
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

+
[RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 

 

 

-
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

+
[RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

+
[RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

+
[RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 

 

 

-
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

+
[RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 

 

 

-
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

+
[RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 

 

 

-
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

+
[RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 

 

 

-
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

+
[RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 

 

 

-
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

+
[RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 

 

 

-
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
[RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 

 

 

-
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

+
[RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 

 

 

 

 

 DNS and the Internet

 

-
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
[RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 

 

 

-
[RFC1123] Braden. Requirements for Internet Hosts - Application and
+
[RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 

 

 

-
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

+
[RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 

 

 

-
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

+
[RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 

 

 

-
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

+
[RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 

 

 

-
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

+
[RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 

 

 

 

 

 DNS Operations

 

-
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

+
[RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 

 

 

-
[RFC1537] P. Beertema. Common DNS Data File
+
[RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 

 

 

-
[RFC1912] D. Barr. Common DNS Operational and
+
[RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 

 

 

-
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

+
[RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 

 

 

-
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
[RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 

 

 

 

 
Internationalized Domain Names

 

-
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
[RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 

 

 

-
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

+
[RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 

 

 

-
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

+
[RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 

 

 

-
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
[RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 

 

@@ -487,47 +487,47 @@
                 

 

 

-
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
[RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 

 

 

-
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

+
[RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 

 

 

-
[RFC1794] T. Brisco. DNS Support for Load
+
[RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 

 

 

-
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

+
[RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 

 

 

-
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

+
[RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 

 

 

-
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

+
[RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 

 

 

-
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

+
[RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 

 

 

-
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
[RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 

 

 

-
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

+
[RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 

 

 
 

 
Obsolete and Unimplemented Experimental RFC

 

-
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
[RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 

 

 

-
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

+
[RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 

 

 

-
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
[RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 

 

 

@@ -541,39 +541,39 @@
                 

 
 

-
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

+
[RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 

 

 

-
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

+
[RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 

 

 

-
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

+
[RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 

 

 

-
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
[RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 

 

 

-
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

+
[RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 

 

 

-
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

+
[RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 

 

 

-
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

+
[RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 

 

 

-
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

+
[RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 

 

 

-
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

+
[RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 

 

 

-
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
[RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 

 

 

-
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

+
[RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 

 

 
 
@@ -594,14 +594,14 @@
 
 

 

-Other Documents About BIND
+Other Documents About BIND
 

 

 

 

-Bibliography

+Bibliography

 

-
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

+
Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 

 

 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 879373bf6f..65c51472dc 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -111,15 +111,15 @@
 
Signing the Zone

 
Configuring Servers

 
-
IPv6 Support in BIND 9

+
IPv6 Support in BIND 9

 

-
Address Lookups Using AAAA Records

-
Address to Name Lookups Using Nibble Format

+
Address Lookups Using AAAA Records

+
Address to Name Lookups Using Nibble Format

 

 
 
5. The BIND 9 Lightweight Resolver

 

-
The Lightweight Resolver Library

+
The Lightweight Resolver Library

 
Running a Resolver Daemon

 

 
6. BIND 9 Configuration Reference

@@ -127,55 +127,58 @@
 
Configuration File Elements

 

 
Address Match Lists

-
Comment Syntax

+
Comment Syntax

 

 
Configuration File Grammar

 

-
acl Statement Grammar

+
acl Statement Grammar

 
acl Statement Definition and
           Usage

-
controls Statement Grammar

+
controls Statement Grammar

 
controls Statement Definition and
           Usage

-
include Statement Grammar

-
include Statement Definition and
+
include Statement Grammar

+
include Statement Definition and
           Usage

-
key Statement Grammar

-
key Statement Definition and Usage

-
logging Statement Grammar

-
logging Statement Definition and
+
key Statement Grammar

+
key Statement Definition and Usage

+
logging Statement Grammar

+
logging Statement Definition and
           Usage

-
lwres Statement Grammar

-
lwres Statement Definition and Usage

-
masters Statement Grammar

-
masters Statement Definition and
+
lwres Statement Grammar

+
lwres Statement Definition and Usage

+
masters Statement Grammar

+
masters Statement Definition and
           Usage

-
options Statement Grammar

+
options Statement Grammar

 
options Statement Definition and
           Usage

 
server Statement Grammar

 
server Statement Definition and
             Usage

 
statistics-channels Statement Grammar

-
statistics-channels Statement Definition and
+
statistics-channels Statement Definition and
             Usage

-
trusted-keys Statement Grammar

-
trusted-keys Statement Definition
+
trusted-keys Statement Grammar

+
trusted-keys Statement Definition
+            and Usage

+
managed-keys Statement Grammar

+
managed-keys Statement Definition
             and Usage

 
view Statement Grammar

-
view Statement Definition and Usage

+
view Statement Definition and Usage

 
zone
             Statement Grammar

-
zone Statement Definition and Usage

+
zone Statement Definition and Usage

 

-
Zone File

+
Zone File

 

 
Types of Resource Records and When to Use Them

-
Discussion of MX Records

+
Discussion of MX Records

 
Setting TTLs

-
Inverse Mapping in IPv4

-
Other Zone File Directives

-
BIND Master File Extension: the  $GENERATE Directive

+
Inverse Mapping in IPv4

+
Other Zone File Directives

+
BIND Master File Extension: the  $GENERATE Directive

 
Additional File Formats

 

 
BIND9 Statistics

@@ -184,31 +187,31 @@
 
7. BIND 9 Security Considerations

 

 
Access Control Lists

-
Chroot and Setuid

+
Chroot and Setuid

 

-
The chroot Environment

-
Using the setuid Function

+
The chroot Environment

+
Using the setuid Function

 

 
Dynamic Update Security

 

 
8. Troubleshooting

 

-
Common Problems

-
It's not working; how can I figure out what's wrong?

-
Incrementing and Changing the Serial Number

-
Where Can I Get Help?

+
Common Problems

+
It's not working; how can I figure out what's wrong?

+
Incrementing and Changing the Serial Number

+
Where Can I Get Help?

 

 
A. Appendices

 

-
Acknowledgments

+
Acknowledgments

 
A Brief History of the DNS and BIND

-
General DNS Reference Information

+
General DNS Reference Information

 
IPv6 addresses (AAAA)

 
Bibliography (and Suggested Reading)

 

 
Request for Comments (RFCs)

 
Internet Drafts

-
Other Documents About BIND

+
Other Documents About BIND

 

 

 
I. Manual pages

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 1cd8ffaf4b..c333ded46f 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -142,7 +142,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 8b549917ec..807c025f70 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
dig  [global-queryopt...] [query...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     

 

 

-
SIMPLE USAGE

+
SIMPLE USAGE

 

       A typical invocation of dig looks like:
       

@@ -144,7 +144,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     

 

 

-
QUERY OPTIONS

+
QUERY OPTIONS

 
dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     

 

 

-
MULTIPLE QUERIES

+
MULTIPLE QUERIES

 

       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 
${HOME}/.digrc
     

 

 

-
SEE ALSO

+
SEE ALSO

 
host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     

 

 

-
BUGS

+
BUGS

 

       There are probably too many query options.
     

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 524129c8f2..b56ca82516 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-1

 

@@ -119,7 +119,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     

 

 

-
FILES

+
FILES

 

       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     

 

 

-
CAVEAT

+
CAVEAT

 

       A keyfile error can give a "file not found" even if the file exists.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 6a189afb7e..0fe11c6e9f 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keyfromlabel  {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-K directory] [-n nametype] [-p protocol] [-t type] [-v level] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -135,7 +135,7 @@
 

 

 

-
GENERATED KEY FILES

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -176,7 +176,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -186,7 +186,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 237be08bce..76c1fb62e0 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

@@ -226,14 +226,16 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
     

 

 
-P date/offset

@@ -271,7 +273,7 @@
 

 

 

-
GENERATED KEYS

+
GENERATED KEYS

 

       When dnssec-keygen completes
       successfully,
@@ -317,7 +319,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 

       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -338,7 +340,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -347,7 +349,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 7eb5a742d7..9396e59333 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -86,14 +86,14 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index a09b49062f..6146b93b37 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-f

 

@@ -101,14 +101,16 @@
 

 

 

-
TIMING OPTIONS

+
TIMING OPTIONS

 

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
-      an offset from the present time.  If such an offset is followed
-      by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
-      offset is computed in years, months, weeks, days, or hours,
-      respectively; otherwise it is computed in seconds.
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.  To unset a date, use 'none'.
     

 

 
-P date/offset

@@ -146,7 +148,33 @@
 

 

 

-
SEE ALSO

+
PRINTING OPTIONS

+

+      dnssec-settime can also be used to print the
+      timing metadata associated with a key.
+    

+

+
-u

+

+	    Print times in UNIX epoch format.
+	  

+
-p C/P/A/R/U/D/all

+

+	    Print a specific metadata value or set of metadata values.
+            The -p option may be followed by one or more
+            of the following letters to indicate which value or values to print:
+            C for the creation date,
+            P for the publication date,
+            A for the activation date,
+            R for the revokation date,
+            U for the unpublication date, or
+            D for the deletion date.
+            To print all of the metadata, use -p all.
+	  

+

+

+

+
SEE ALSO

 
dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -154,7 +182,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 924217af5e..b4706285a6 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -71,6 +71,15 @@
 

             Specifies the DNS class of the zone.
           

+
-C

+

+            Compatibility mode: Generate a
+            keyset-zonename
+            file in addition to
+            dsset-zonename
+            when signing a zone, for use by older versions of
+            dnssec-signzone.
+          

 
-d directory

 

             Look for dsset- or
@@ -117,6 +126,8 @@
             the start time.  A time relative to the current time is
             indicated with now+N.  If no end-time is
             specified, 30 days from the start time is used as a default.
+            end-time must be later than
+            start-time.
           

 
-f output-file

 

@@ -297,8 +308,15 @@
 

 
-T ttl

 

-            Specifies the TTL of new DNSKEY records imported to the zone
-            from the key repository.  Only useful with the -S option.
+            Specifies the TTL to be used for new DNSKEY records imported
+            into the zone from the key repository.  If not specified,
+            the default is the minimum TTL value from the zone's SOA
+            record.  This option is ignored when signing without
+            -S, since DNSKEY records are not imported
+            from the key repository in that case.  It is also ignored if
+            there are any pre-existing DNSKEY records at the zone apex,
+            in which case new records' TTL values will be set to match
+            them.
           

 
-t

 

@@ -344,7 +362,7 @@
 

 

 

-
EXAMPLE

+
EXAMPLE

 

       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -373,14 +391,14 @@ db.example.com.signed
 %
 

 

-
SEE ALSO

+
SEE ALSO

 
dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 740854b70c..f8343f2cc4 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     

 

 

-
IDN SUPPORT

+
IDN SUPPORT

 

       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     

 

 

-
FILES

+
FILES

 
/etc/resolv.conf
     

 

 

-
SEE ALSO

+
SEE ALSO

 
dig(1),
       named(8).
     

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 2a0dd01bfc..a0de1afb8c 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-h

 

@@ -96,21 +96,21 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 5723f84ca6..38346d3b68 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      

 

 

-
OPTIONS

+
OPTIONS

 

 
-d

 

@@ -257,14 +257,14 @@
 

 

 

-
RETURN VALUES

+
RETURN VALUES

 
named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     

 

 

-
SEE ALSO

+
SEE ALSO

 
named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 5bb9f74ae3..829da5d0bc 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-4

 

@@ -238,7 +238,7 @@
 

 

 

-
SIGNALS

+
SIGNALS

 

       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     

 

 

-
CONFIGURATION

+
CONFIGURATION

 

       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/named.conf

 

@@ -289,7 +289,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 513ab20e62..1a901314b4 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

 
 

-
DESCRIPTION

+
DESCRIPTION

 
nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     

 

 

-
INPUT FORMAT

+
INPUT FORMAT

 
nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     

 

 

-
EXAMPLES

+
EXAMPLES

 

       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     

 

 

-
FILES

+
FILES

 

 
/etc/resolv.conf

 

@@ -546,7 +546,7 @@
 

 

 

-
SEE ALSO

+
SEE ALSO

 
RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     

 

 

-
BUGS

+
BUGS

 

       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 764ba4c6a8..c5fa62420a 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

 

 

-
DESCRIPTION

+
DESCRIPTION

 
rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-a

 

@@ -173,7 +173,7 @@
 

 

 

-
EXAMPLES

+
EXAMPLES

 

       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 07e8897878..4958631a85 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc.conf 

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     

 

 

-
EXAMPLE

+
EXAMPLE

 
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     

 

 

-
NAME SERVER CONFIGURATION

+
NAME SERVER CONFIGURATION

 

       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 8ea6dc4dfb..db62de4fef 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

 
 

-
DESCRIPTION

+
DESCRIPTION

 
rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     

 

 

-
OPTIONS

+
OPTIONS

 

 
-b source-address

 

@@ -151,7 +151,7 @@
     

 

 

-
LIMITATIONS

+
LIMITATIONS

 
rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     

 

 

-
SEE ALSO

+
SEE ALSO

 
rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     

 

 

-
AUTHOR

+
AUTHOR

 
Internet Systems Consortium
     

 

diff --git a/doc/misc/options b/doc/misc/options
index f092ff4940..999b41af54 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -44,7 +44,8 @@ lwres {
         view  ;
 };
 
-managed-keys {     ; ... };
+managed-keys {     
+    ; ... };
 
 masters  [ port  ] { (  |  [ port
      ] |  [ port  ] ) [ key  ]; ... };
@@ -316,7 +317,7 @@ view   {
         key-directory ;
         lame-ttl ;
         maintain-ixfr-base ; // obsolete
-        managed-keys {    
+        managed-keys {     
             ; ... };
         masterfile-format ( text | raw );
         match-clients { ; ... };
@@ -421,7 +422,6 @@ view   {
                 check-srv-cname ( fail | warn | ignore );
                 check-wildcard ;
                 database ;
-                ddns-autoconf ;
                 delegation-only ;
                 dialup ;
                 file ;
@@ -503,7 +503,6 @@ zone   {
         check-srv-cname ( fail | warn | ignore );
         check-wildcard ;
         database ;
-        ddns-autoconf ;
         delegation-only ;
         dialup ;
         file ;

From 3e1938b728e3138454e47632930105f24cede4ee Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 3 Sep 2009 01:25:54 +0000
Subject: [PATCH 098/385] commit pdf for 9.7.0a3

---
 doc/arm/Bv9ARM.pdf | 14692 ++++++++++++++++++++++---------------------
 1 file changed, 7406 insertions(+), 7286 deletions(-)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 1c19044a76..45eda4cbe1 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -675,443 +675,455 @@ endobj
 << /S /GoTo /D (subsection.6.2.23) >>
 endobj
 456 0 obj
-(6.2.23 view Statement Grammar)
+(6.2.23 managed-keys Statement Grammar)
 endobj
 457 0 obj
 << /S /GoTo /D (subsection.6.2.24) >>
 endobj
 460 0 obj
-(6.2.24 view Statement Definition and Usage)
+(6.2.24 managed-keys Statement Definition and Usage)
 endobj
 461 0 obj
 << /S /GoTo /D (subsection.6.2.25) >>
 endobj
 464 0 obj
-(6.2.25 zone Statement Grammar)
+(6.2.25 view Statement Grammar)
 endobj
 465 0 obj
 << /S /GoTo /D (subsection.6.2.26) >>
 endobj
 468 0 obj
-(6.2.26 zone Statement Definition and Usage)
+(6.2.26 view Statement Definition and Usage)
 endobj
 469 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.1) >>
+<< /S /GoTo /D (subsection.6.2.27) >>
 endobj
 472 0 obj
-(6.2.26.1 Zone Types)
+(6.2.27 zone Statement Grammar)
 endobj
 473 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.2) >>
+<< /S /GoTo /D (subsection.6.2.28) >>
 endobj
 476 0 obj
-(6.2.26.2 Class)
+(6.2.28 zone Statement Definition and Usage)
 endobj
 477 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.3) >>
+<< /S /GoTo /D (subsubsection.6.2.28.1) >>
 endobj
 480 0 obj
-(6.2.26.3 Zone Options)
+(6.2.28.1 Zone Types)
 endobj
 481 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.4) >>
+<< /S /GoTo /D (subsubsection.6.2.28.2) >>
 endobj
 484 0 obj
-(6.2.26.4 Dynamic Update Policies)
+(6.2.28.2 Class)
 endobj
 485 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.28.3) >>
 endobj
 488 0 obj
-(6.3 Zone File)
+(6.2.28.3 Zone Options)
 endobj
 489 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (subsubsection.6.2.28.4) >>
 endobj
 492 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.2.28.4 Dynamic Update Policies)
 endobj
 493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (section.6.3) >>
 endobj
 496 0 obj
-(6.3.1.1 Resource Records)
+(6.3 Zone File)
 endobj
 497 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
 endobj
 500 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.3.1 Types of Resource Records and When to Use Them)
 endobj
 501 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
 endobj
 504 0 obj
-(6.3.2 Discussion of MX Records)
+(6.3.1.1 Resource Records)
 endobj
 505 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
 endobj
 508 0 obj
-(6.3.3 Setting TTLs)
+(6.3.1.2 Textual expression of RRs)
 endobj
 509 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
 endobj
 512 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.3.2 Discussion of MX Records)
 endobj
 513 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
 endobj
 516 0 obj
-(6.3.5 Other Zone File Directives)
+(6.3.3 Setting TTLs)
 endobj
 517 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
 endobj
 520 0 obj
-(6.3.5.1 The @ \(at-sign\))
+(6.3.4 Inverse Mapping in IPv4)
 endobj
 521 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
 endobj
 524 0 obj
-(6.3.5.2 The \044ORIGIN Directive)
+(6.3.5 Other Zone File Directives)
 endobj
 525 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
 endobj
 528 0 obj
-(6.3.5.3 The \044INCLUDE Directive)
+(6.3.5.1 The @ \(at-sign\))
 endobj
 529 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.4) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
 endobj
 532 0 obj
-(6.3.5.4 The \044TTL Directive)
+(6.3.5.2 The \044ORIGIN Directive)
 endobj
 533 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
 endobj
 536 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.3.5.3 The \044INCLUDE Directive)
 endobj
 537 0 obj
-<< /S /GoTo /D (subsection.6.3.7) >>
+<< /S /GoTo /D (subsubsection.6.3.5.4) >>
 endobj
 540 0 obj
-(6.3.7 Additional File Formats)
+(6.3.5.4 The \044TTL Directive)
 endobj
 541 0 obj
-<< /S /GoTo /D (section.6.4) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
 endobj
 544 0 obj
-(6.4 BIND9 Statistics)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
 endobj
 545 0 obj
-<< /S /GoTo /D (subsubsection.6.4.0.1) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
 endobj
 548 0 obj
-(6.4.0.1 The Statistics File)
+(6.3.7 Additional File Formats)
 endobj
 549 0 obj
-<< /S /GoTo /D (subsection.6.4.1) >>
+<< /S /GoTo /D (section.6.4) >>
 endobj
 552 0 obj
-(6.4.1 Statistics Counters)
+(6.4 BIND9 Statistics)
 endobj
 553 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.1) >>
+<< /S /GoTo /D (subsubsection.6.4.0.1) >>
 endobj
 556 0 obj
-(6.4.1.1 Name Server Statistics Counters)
+(6.4.0.1 The Statistics File)
 endobj
 557 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.2) >>
+<< /S /GoTo /D (subsection.6.4.1) >>
 endobj
 560 0 obj
-(6.4.1.2 Zone Maintenance Statistics Counters)
+(6.4.1 Statistics Counters)
 endobj
 561 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.3) >>
+<< /S /GoTo /D (subsubsection.6.4.1.1) >>
 endobj
 564 0 obj
-(6.4.1.3 Resolver Statistics Counters)
+(6.4.1.1 Name Server Statistics Counters)
 endobj
 565 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.4) >>
+<< /S /GoTo /D (subsubsection.6.4.1.2) >>
 endobj
 568 0 obj
-(6.4.1.4 Socket I/O Statistics Counters)
+(6.4.1.2 Zone Maintenance Statistics Counters)
 endobj
 569 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.5) >>
+<< /S /GoTo /D (subsubsection.6.4.1.3) >>
 endobj
 572 0 obj
-(6.4.1.5 Compatibility with BIND 8 Counters)
+(6.4.1.3 Resolver Statistics Counters)
 endobj
 573 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsubsection.6.4.1.4) >>
 endobj
 576 0 obj
-(7 BIND 9 Security Considerations)
+(6.4.1.4 Socket I/O Statistics Counters)
 endobj
 577 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (subsubsection.6.4.1.5) >>
 endobj
 580 0 obj
-(7.1 Access Control Lists)
+(6.4.1.5 Compatibility with BIND 8 Counters)
 endobj
 581 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (chapter.7) >>
 endobj
 584 0 obj
-(7.2 Chroot and Setuid)
+(7 BIND 9 Security Considerations)
 endobj
 585 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (section.7.1) >>
 endobj
 588 0 obj
-(7.2.1 The chroot Environment)
+(7.1 Access Control Lists)
 endobj
 589 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (section.7.2) >>
 endobj
 592 0 obj
-(7.2.2 Using the setuid Function)
+(7.2 Chroot and Setuid)
 endobj
 593 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (subsection.7.2.1) >>
 endobj
 596 0 obj
-(7.3 Dynamic Update Security)
+(7.2.1 The chroot Environment)
 endobj
 597 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsection.7.2.2) >>
 endobj
 600 0 obj
-(8 Troubleshooting)
+(7.2.2 Using the setuid Function)
 endobj
 601 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (section.7.3) >>
 endobj
 604 0 obj
-(8.1 Common Problems)
+(7.3 Dynamic Update Security)
 endobj
 605 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (chapter.8) >>
 endobj
 608 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(8 Troubleshooting)
 endobj
 609 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (section.8.1) >>
 endobj
 612 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(8.1 Common Problems)
 endobj
 613 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (subsection.8.1.1) >>
 endobj
 616 0 obj
-(8.3 Where Can I Get Help?)
+(8.1.1 It's not working; how can I figure out what's wrong?)
 endobj
 617 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (section.8.2) >>
 endobj
 620 0 obj
-(A Appendices)
+(8.2 Incrementing and Changing the Serial Number)
 endobj
 621 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (section.8.3) >>
 endobj
 624 0 obj
-(A.1 Acknowledgments)
+(8.3 Where Can I Get Help?)
 endobj
 625 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (appendix.A) >>
 endobj
 628 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(A Appendices)
 endobj
 629 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (section.A.1) >>
 endobj
 632 0 obj
-(A.2 General DNS Reference Information)
+(A.1 Acknowledgments)
 endobj
 633 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (subsection.A.1.1) >>
 endobj
 636 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(A.1.1 A Brief History of the DNS and BIND)
 endobj
 637 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (section.A.2) >>
 endobj
 640 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(A.2 General DNS Reference Information)
 endobj
 641 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (subsection.A.2.1) >>
 endobj
 644 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(A.2.1 IPv6 addresses \(AAAA\))
 endobj
 645 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (section.A.3) >>
 endobj
 648 0 obj
-(A.3.2 Internet Drafts)
+(A.3 Bibliography \(and Suggested Reading\))
 endobj
 649 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (subsection.A.3.1) >>
 endobj
 652 0 obj
-(A.3.3 Other Documents About BIND)
+(A.3.1 Request for Comments \(RFCs\))
 endobj
 653 0 obj
-<< /S /GoTo /D (appendix.B) >>
+<< /S /GoTo /D (subsection.A.3.2) >>
 endobj
 656 0 obj
-(B Manual pages)
+(A.3.2 Internet Drafts)
 endobj
 657 0 obj
-<< /S /GoTo /D (section.B.1) >>
+<< /S /GoTo /D (subsection.A.3.3) >>
 endobj
 660 0 obj
-(B.1 dig)
+(A.3.3 Other Documents About BIND)
 endobj
 661 0 obj
-<< /S /GoTo /D (section.B.2) >>
+<< /S /GoTo /D (appendix.B) >>
 endobj
 664 0 obj
-(B.2 host)
+(B Manual pages)
 endobj
 665 0 obj
-<< /S /GoTo /D (section.B.3) >>
+<< /S /GoTo /D (section.B.1) >>
 endobj
 668 0 obj
-(B.3 dnssec-dsfromkey)
+(B.1 dig)
 endobj
 669 0 obj
-<< /S /GoTo /D (section.B.4) >>
+<< /S /GoTo /D (section.B.2) >>
 endobj
 672 0 obj
-(B.4 dnssec-keyfromlabel)
+(B.2 host)
 endobj
 673 0 obj
-<< /S /GoTo /D (section.B.5) >>
+<< /S /GoTo /D (section.B.3) >>
 endobj
 676 0 obj
-(B.5 dnssec-keygen)
+(B.3 dnssec-dsfromkey)
 endobj
 677 0 obj
-<< /S /GoTo /D (section.B.6) >>
+<< /S /GoTo /D (section.B.4) >>
 endobj
 680 0 obj
-(B.6 dnssec-revoke)
+(B.4 dnssec-keyfromlabel)
 endobj
 681 0 obj
-<< /S /GoTo /D (section.B.7) >>
+<< /S /GoTo /D (section.B.5) >>
 endobj
 684 0 obj
-(B.7 dnssec-settime)
+(B.5 dnssec-keygen)
 endobj
 685 0 obj
-<< /S /GoTo /D (section.B.8) >>
+<< /S /GoTo /D (section.B.6) >>
 endobj
 688 0 obj
-(B.8 dnssec-signzone)
+(B.6 dnssec-revoke)
 endobj
 689 0 obj
-<< /S /GoTo /D (section.B.9) >>
+<< /S /GoTo /D (section.B.7) >>
 endobj
 692 0 obj
-(B.9 named-checkconf)
+(B.7 dnssec-settime)
 endobj
 693 0 obj
-<< /S /GoTo /D (section.B.10) >>
+<< /S /GoTo /D (section.B.8) >>
 endobj
 696 0 obj
-(B.10 named-checkzone)
+(B.8 dnssec-signzone)
 endobj
 697 0 obj
-<< /S /GoTo /D (section.B.11) >>
+<< /S /GoTo /D (section.B.9) >>
 endobj
 700 0 obj
-(B.11 named)
+(B.9 named-checkconf)
 endobj
 701 0 obj
-<< /S /GoTo /D (section.B.12) >>
+<< /S /GoTo /D (section.B.10) >>
 endobj
 704 0 obj
-(B.12 nsupdate)
+(B.10 named-checkzone)
 endobj
 705 0 obj
-<< /S /GoTo /D (section.B.13) >>
+<< /S /GoTo /D (section.B.11) >>
 endobj
 708 0 obj
-(B.13 rndc)
+(B.11 named)
 endobj
 709 0 obj
-<< /S /GoTo /D (section.B.14) >>
+<< /S /GoTo /D (section.B.12) >>
 endobj
 712 0 obj
-(B.14 rndc.conf)
+(B.12 nsupdate)
 endobj
 713 0 obj
-<< /S /GoTo /D (section.B.15) >>
+<< /S /GoTo /D (section.B.13) >>
 endobj
 716 0 obj
-(B.15 rndc-confgen)
+(B.13 rndc)
 endobj
 717 0 obj
-<< /S /GoTo /D (section.B.16) >>
+<< /S /GoTo /D (section.B.14) >>
 endobj
 720 0 obj
-(B.16 ddns-confgen)
+(B.14 rndc.conf)
 endobj
 721 0 obj
-<< /S /GoTo /D [722 0 R  /FitH ] >>
+<< /S /GoTo /D (section.B.15) >>
 endobj
-725 0 obj <<
+724 0 obj
+(B.15 rndc-confgen)
+endobj
+725 0 obj
+<< /S /GoTo /D (section.B.16) >>
+endobj
+728 0 obj
+(B.16 ddns-confgen)
+endobj
+729 0 obj
+<< /S /GoTo /D [730 0 R  /FitH ] >>
+endobj
+733 0 obj <<
 /Length 236       
 /Filter /FlateDecode
 >>
 stream
 xÚÁJA†ïó9¶‡M'™d2s´T¥‚Beoâai·Rp·t­ïïÔÕ*êArÉÿ‘ü	/A}È–ՓºsžŠvíèƒ
¨B)þP+!ÃlQ¡bJÕÂwìNì1úÈP©)&>áóÚÍ®˜€-A½bEM¦pæêÍÃd¾¼[L+V?ÉcºØt»~÷ršã~[÷í¶Ú~ÝNë a¤(±ø˘’å÷9·MÿÚ<ŸwYŸÝQDËr;yƒ|ê~üÁÁýhÌ–ÁbïVV_§æŒlåP}&ûÿsßC+WDendstream
 endobj
-722 0 obj <<
+730 0 obj <<
 /Type /Page
-/Contents 725 0 R
-/Resources 724 0 R
+/Contents 733 0 R
+/Resources 732 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 731 0 R
+/Parent 739 0 R
 >> endobj
-723 0 obj <<
+731 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (./isc-logo.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 732 0 R 
+/PTEX.InfoDict 740 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 255.00000000 149.00000000]
 /Resources <<
 /ProcSet [ /PDF /Text ]
 /ColorSpace <<
-/R15 733 0 R
-/R9 734 0 R
-/R11 735 0 R
-/R13 736 0 R
+/R15 741 0 R
+/R9 742 0 R
+/R11 743 0 R
+/R13 744 0 R
 >>/ExtGState <<
-/R17 737 0 R
-/R8 738 0 R
->>/Font << /R19 739 0 R >>
+/R17 745 0 R
+/R8 746 0 R
+>>/Font << /R19 747 0 R >>
 >>
-/Length 740 0 R
+/Length 748 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -1127,7 +1139,7 @@ x
 FÑÞIca­Ç0Ú)	¹A¿+ÇÀº
¸|-Tuùa>‚s:½¯•~K“ÒÞV׋„OÒAŠI…
ɪÁr2Q“°Ø¨Á>.zÎCN’¦{Õ«'^5Mã»Åûæ¡æÔÊý¹U1z6õßvãpF)ÂÏåìÊ›C£i#]bÝLkS#ˆQÁŽv–¨Ô­«•ÇcHŸ$¬Áê³DI­ÌÑptÅ73*_åª'ŽÚ¿¢ÚòQŒ×èŒ‚,É*Ñ+ôÚ™%vŽ&u߉ xœÉ-¾kz˜ χÚ	Q´Pë3ÈZ§q¢Æ0¯ˆwMÍ?©=õ*_Ç£RïѪëƬ¡”’¢g!SeRâÅéz·ÝŠFLÚŸv
 ÏÆ狼eÇNdæÌdï"gK2cëÉ—GoOá8GëÏϦ:B
Àht[~Ðåõ—×SÒÜ£uˆQk·%È´ÔÛ†ëiATÆÌp[OU‡Ç(zßQã³* *Ñûø®á¾FÅÍ„Ï'µV‡¾;1aŠÑüËŒÜr$¿Íâ9Ë8ˆüý‚TóþÏÍ÷_oôô¢ññCÙõ"ú*~uÊqæþéïÛ{Ç"ß~±Úú"ú…bùz+·£]OZ,SÏ¥._^·§_\^þ†56g‡3^®Ç5Z©®©¹Uý¶õòÇí÷O¿½<Ó#rYëé»Ë^~¹ÁÇ<ц®5%¥Ü~ÿñsõ\êídŽ3¼4ü~èé[iþÂÈg
óžµ|¥Ïà5³m“XSô7…ÿúáò¬ä>!»Î“O÷hKYð¿þîÇÓ3/¡úôÃgë¾4EO=öï¦üì“­‡v5”ùÜþû‚ék”ùôñR”Ì¡ÌlöÅ·ß_DÍη„Rf.{úÏåYӎͧÿ^ž©í5¬?ývýüeûMüó?Òƒendstream
 endobj
-732 0 obj
+740 0 obj
 <<
 /Producer (AFPL Ghostscript 8.51)
 /CreationDate (D:20050606145621)
@@ -1137,46 +1149,46 @@ endobj
 /Author (Douglas E. Appelt)
 >>
 endobj
-733 0 obj
-[/Separation/PANTONE#201805#20C/DeviceCMYK 741 0 R]
+741 0 obj
+[/Separation/PANTONE#201805#20C/DeviceCMYK 749 0 R]
 endobj
-734 0 obj
-[/Separation/PANTONE#207506#20C/DeviceCMYK 742 0 R]
+742 0 obj
+[/Separation/PANTONE#207506#20C/DeviceCMYK 750 0 R]
 endobj
-735 0 obj
-[/Separation/PANTONE#20301#20C/DeviceCMYK 743 0 R]
+743 0 obj
+[/Separation/PANTONE#20301#20C/DeviceCMYK 751 0 R]
 endobj
-736 0 obj
-[/Separation/PANTONE#20871#20C/DeviceCMYK 744 0 R]
+744 0 obj
+[/Separation/PANTONE#20871#20C/DeviceCMYK 752 0 R]
 endobj
-737 0 obj
+745 0 obj
 <<
 /Type /ExtGState
 /SA true
 >>
 endobj
-738 0 obj
+746 0 obj
 <<
 /Type /ExtGState
 /OPM 1
 >>
 endobj
-739 0 obj
+747 0 obj
 <<
 /BaseFont /NVXWCK#2BTrajanPro-Bold
-/FontDescriptor 745 0 R
+/FontDescriptor 753 0 R
 /Type /Font
 /FirstChar 67
 /LastChar 136
 /Widths [ 800 0 0 0 0 0 452 0 0 0 0 0 0 0 0 0 582 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 841 633 576 686 590 540 923 827 407 760]
-/Encoding 746 0 R
+/Encoding 754 0 R
 /Subtype /Type1
 >>
 endobj
-740 0 obj
+748 0 obj
 2362
 endobj
-741 0 obj
+749 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1187,7 +1199,7 @@ endobj
 stream
 xœ«N)-P0PÈ-ÍQH­HÎPsõ,
QE¸zFÆ`^-=1°endstream
 endobj
-742 0 obj
+750 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1198,7 +1210,7 @@ endobj
 stream
 xœ«N)-P0PÈ-ÍQH­HÎPsõLÑE‘D Êk8/«endstream
 endobj
-743 0 obj
+751 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1209,7 +1221,7 @@ endobj
 stream
 xœ«N)-P0TÈ-ÍQH­HÎPq
ôLLÑD\=C0¯=D³endstream
 endobj
-744 0 obj
+752 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1220,7 +1232,7 @@ endobj
 stream
 xœ«N)-P0Ð365³TÈ-ÍQH­HÎP€Š™X ‹™›#Äô-,ŒÀüZ&‹ˆendstream
 endobj
-745 0 obj
+753 0 obj
 <<
 /Type /FontDescriptor
 /FontName /NVXWCK#2BTrajanPro-Bold
@@ -1233,17 +1245,17 @@ endobj
 /StemV 138
 /MissingWidth 500
 /CharSet (/Msmall/C/Ysmall/Nsmall/Osmall/Esmall/Rsmall/S/Ssmall/I/Tsmall/Ismall/Usmall)
-/FontFile3 747 0 R
+/FontFile3 755 0 R
 >>
 endobj
-746 0 obj
+754 0 obj
 <<
 /Type /Encoding
 /BaseEncoding /WinAnsiEncoding
 /Differences [ 127/Nsmall/Tsmall/Esmall/Rsmall/Ysmall/Ssmall/Msmall/Osmall/Ismall/Usmall]
 >>
 endobj
-747 0 obj
+755 0 obj
 <<
 /Filter /FlateDecode
 /Subtype /Type1C
@@ -1266,18 +1278,18 @@ x
 ȼLçÇ<;—*X³«¥×ÛGâ_Y1ETïƒ4ˆÒ-U…_>´üØ¢æ}õï÷v¼
§ádù#¹rÛŸå¥@ÔÁ\5l…hð<8Ús·’?h¹†!-¶‚*JŠ»,\G/Wé9OW—×µ.Ÿ—­€&¨[”ÄIÁÚ´Ó½7ýáÐäKý¡«¨ðúš.cxQn<¼À°üÖëgöõÁúhíY8³¶+oî^÷ë°‹>9p¯“°¥!ÑÚÙ®ŠðK´¢†#©óRÄlxŽJ”ب¬Ò–àá•{ϳwÿaû’ožÇ£ëHõÅâH9”ç/.~å÷Ë
 »O·Øèv61Bá5*È<6ÞÍ,‡bh‘˜¶ž\Î]Çé#¹#ØÔÍ1Oúñ°Ï¤5oÂ]цÆß4}h˜î0$å,6ü¼”A,¯?/å;Rôcy6Ò½UJ¿§Y½X^é¶ÙÉŸ‡‹º–2¸K|o½Ø”/Ȩ/ƒ(Â2Ð#žNMKðrˆ
rœÛf9ËyZ¸Ú}$«Ö	õ–©) h`iÎGàAç÷´€H+Šˆ…Õ&*áX$žèìVŽhª”—›¾÷‡A1Ý£¤œÏ0‰÷—Hi éƒw~I(Áö2;à]¸L ™x4[¡OÜ,¾®ÆûÂQQ°”FdQ“ƒ¢¬„%\î¢Åâ:Ó;ÈÑ”ÌEb1ž’¡ˆÿ§=$¸¥?Iš¿CÐõ3¾C=VÐ'>·¯ôÌÒ+Ü~8	ç#;úÁ_£×á*qň+ô	8®‚ãÆpêŒ_YR”¾d%a	ç¡H\eÄõãDf£Ñ¨­ŽR[kφG¸ù/WT®ò•A5”H¥ÛVoo8hnû)¼ÞÃDn…ñëqÌzfåhý&þcQbµXÇß‚çLŽúõ;{²Ðñðué¿ÊÛÙ†-©[SÄ-Û¼ÔyubÜñhüm´œ4^Ë™ ääšLÿQ‹¡endstream
 endobj
-726 0 obj <<
-/D [722 0 R /XYZ 85.0394 794.5015 null]
+734 0 obj <<
+/D [730 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-727 0 obj <<
-/D [722 0 R /XYZ 85.0394 769.5949 null]
+735 0 obj <<
+/D [730 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-724 0 obj <<
-/Font << /F21 730 0 R >>
-/XObject << /Im1 723 0 R >>
+732 0 obj <<
+/Font << /F21 738 0 R >>
+/XObject << /Im1 731 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-750 0 obj <<
+758 0 obj <<
 /Length 999       
 /Filter /FlateDecode
 >>
@@ -1289,21 +1301,21 @@ xÚµVM
 "Ê€îܶZ\'ïyŸgn%Kc(,QÝK—asÚJ?Iâ¹,,N;‘kJÁƒñªÁËÔWµ‰ðMú|`"AéôAñðaŠ“¾æ®Z½,ˆ£~k¡ì,q{Eþ4¦~äùýLq¹æ
 _Ô!ýv‹aLF̆zãez™Rv“ m¥ˆ—YŸI|ŘEþãîZ´÷ôéµµ¾øœ‘¾ˆ?É™»]=“¯®Ìí«D~1ÕŸIw¿ÆT¾ÿü5¦«lºa#æ8ôþ«ˆ:q›µ¤šë
qrÊ,z‡ù?<h÷endstream
 endobj
-749 0 obj <<
+757 0 obj <<
 /Type /Page
-/Contents 750 0 R
-/Resources 748 0 R
+/Contents 758 0 R
+/Resources 756 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 731 0 R
+/Parent 739 0 R
 >> endobj
-751 0 obj <<
-/D [749 0 R /XYZ 56.6929 794.5015 null]
+759 0 obj <<
+/D [757 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-748 0 obj <<
-/Font << /F23 754 0 R /F14 757 0 R >>
+756 0 obj <<
+/Font << /F23 762 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-760 0 obj <<
+768 0 obj <<
 /Length 2890      
 /Filter /FlateDecode
 >>
@@ -1330,375 +1342,375 @@ l
 ~TçåúSh?mÏ?ÿëëýóù6Kž38£¨@6'£‚)T°Zr¼	5…
 é= âÆ“¥PA—ÊÅÝí²Á¥bjµÐo9“C†cXfŠ±Hc¤÷a.œ¹ôeY˜ËÎ~A‡÷ëÇ̵W4›»¶DRû¤o2È‚ËCÁ‰ƒ‚ƒôÈR¦¹€:š£./ÎßÏ݇+±¯¶)¤˜Ê6$8Û’ZŽúÆâ 8£½‡AH¤–)®€¡7EÙžÊÁáÉ°Àï”üX<<>‰9Ëþðå}¾¬·¿!í‡jÝt‚Úï«3dg²öÈÒg_ŽŸÑÆâ ´'½‡Íu‘¸7rÐ>·œlšj•‡ÓCÿÍwv_n|HÏdñ‘!%>N?%~$J|Òû ¾u‹gž íá`åm^n`„…OR³_¿ÏÐdù;J}”JüÝ (í)×Øo8ãÐuØjg*§ÕÝChµGèÇþ‹Â/˜}YÚT¾?¨‚Ó÷·]ã`Û•o•úÎF|ÈÍdÕ‘!%;Î=¥{$JxÒû ¼JXæ*É <|uÔyéæñUD{üØ-Ìæá]WüÁ¿wöËrÝeû`f"Ìw¦9de²æÈÒgÒ<¥9é}Ð\–BSa«¹š¯›ú8=j¿$zDøí<ôÚ`Úåˆ}>ÛZ![“Y@†X
Š…H¤÷¡X"t@¾¦£_WEûnÏðŵ'‹E±^‡g	šþ¬®B°ûÑty›Å`G1T‘ã
‘ ("(×\0Ý~-ðÍgu¯r?ö¾PðWæ	Ò>(dH…e¥ŠÄA1Ez‡½«4cF$PcXغúñìom³Ž:l]}µ-RPb*eÈŽ€ëL0	‚@Œt
„%	ÓÐ’è–³p:sþ¦=™ãý±œæÙ±¯6 "SICviXoiGI‹Aý?,”ëá[þ™’ƒ–B¿Ê»‹‹³S·ÐÙ§`¾T>ùS™Ì¤°Q»ìþߟ¹ÌXûòv@õ=ˆså–_j¤ÉEñÌyãzæ?Ô?ð<þü\	¼ý-°®Gendstream
 endobj
-759 0 obj <<
+767 0 obj <<
 /Type /Page
-/Contents 760 0 R
-/Resources 758 0 R
+/Contents 768 0 R
+/Resources 766 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 731 0 R
-/Annots [ 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R ]
+/Parent 739 0 R
+/Annots [ 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R ]
 >> endobj
-763 0 obj <<
+771 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 688.709 539.579 697.2967]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.1) >>
 >> endobj
-764 0 obj <<
+772 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 676.5858 539.579 685.4425]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.1) >>
 >> endobj
-765 0 obj <<
+773 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 664.4876 539.579 673.3442]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.2) >>
 >> endobj
-766 0 obj <<
+774 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 652.3894 539.579 661.246]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.3) >>
 >> endobj
-767 0 obj <<
+775 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 640.1914 539.579 649.1477]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.4) >>
 >> endobj
-768 0 obj <<
+776 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 628.0932 539.579 637.0495]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.1) >>
 >> endobj
-769 0 obj <<
+777 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 615.995 539.579 624.9512]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.2) >>
 >> endobj
-770 0 obj <<
+778 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 603.8967 539.579 612.853]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.3) >>
 >> endobj
-771 0 obj <<
+779 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 591.7985 539.579 600.7547]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.4) >>
 >> endobj
-772 0 obj <<
+780 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 579.7002 539.579 588.6565]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.1) >>
 >> endobj
-773 0 obj <<
+781 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 567.6019 539.579 576.5582]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.2) >>
 >> endobj
-774 0 obj <<
+782 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 555.5037 539.579 564.46]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.3) >>
 >> endobj
-775 0 obj <<
+783 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 543.4055 539.579 552.5112]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.5) >>
 >> endobj
-776 0 obj <<
+784 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 531.3072 539.579 540.413]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.5.1) >>
 >> endobj
-777 0 obj <<
+785 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 519.209 539.579 528.3147]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.6) >>
 >> endobj
-778 0 obj <<
+786 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 496.7003 539.579 505.4125]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.2) >>
 >> endobj
-779 0 obj <<
+787 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 484.5772 539.579 493.5832]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.1) >>
 >> endobj
-780 0 obj <<
+788 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 472.4789 539.579 481.485]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.2) >>
 >> endobj
-781 0 obj <<
+789 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 460.3806 539.579 469.3867]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.3) >>
 >> endobj
-782 0 obj <<
+790 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 448.2824 539.579 457.2885]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.4) >>
 >> endobj
-783 0 obj <<
+791 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 436.1841 539.579 445.1902]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.5) >>
 >> endobj
-784 0 obj <<
+792 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 413.4314 539.579 422.288]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.3) >>
 >> endobj
-785 0 obj <<
+793 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 401.353 539.579 410.4588]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.1) >>
 >> endobj
-786 0 obj <<
+794 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 389.2548 539.579 398.3605]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.1.1) >>
 >> endobj
-787 0 obj <<
+795 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 377.1565 539.579 386.2623]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.1.2) >>
 >> endobj
-788 0 obj <<
+796 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 365.1579 539.579 374.164]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.2) >>
 >> endobj
-789 0 obj <<
+797 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 352.96 539.579 362.0658]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.3) >>
 >> endobj
-790 0 obj <<
+798 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 340.8618 539.579 349.9675]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.3.1) >>
 >> endobj
-791 0 obj <<
+799 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 328.7635 539.579 337.8693]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.3.3.1.1) >>
 >> endobj
-792 0 obj <<
+800 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 316.6653 539.579 325.771]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.3.3.1.2) >>
 >> endobj
-793 0 obj <<
+801 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 304.567 539.579 313.6728]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.3.2) >>
 >> endobj
-794 0 obj <<
+802 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 281.9139 539.579 290.7706]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.4) >>
 >> endobj
-795 0 obj <<
+803 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 269.8356 539.579 278.9413]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.1) >>
 >> endobj
-796 0 obj <<
+804 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 257.7373 539.579 266.8431]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.2) >>
 >> endobj
-797 0 obj <<
+805 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 245.6391 539.579 254.7448]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.2.1) >>
 >> endobj
-798 0 obj <<
+806 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 233.5408 539.579 242.4971]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.3) >>
 >> endobj
-799 0 obj <<
+807 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 221.4426 539.579 230.3988]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.4) >>
 >> endobj
-800 0 obj <<
+808 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 209.3443 539.579 218.3006]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.4.1) >>
 >> endobj
-801 0 obj <<
+809 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 197.2461 539.579 206.2023]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.5) >>
 >> endobj
-802 0 obj <<
+810 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 185.2475 539.579 194.2536]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.1) >>
 >> endobj
-803 0 obj <<
+811 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 173.1492 539.579 182.1553]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.4.5.1.1) >>
 >> endobj
-804 0 obj <<
+812 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 161.051 539.579 170.0571]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.4.5.1.2) >>
 >> endobj
-805 0 obj <<
+813 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 148.9527 539.579 157.9588]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.2) >>
 >> endobj
-806 0 obj <<
+814 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 136.8545 539.579 145.8606]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.3) >>
 >> endobj
-807 0 obj <<
+815 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 124.7562 539.579 133.7623]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.4) >>
 >> endobj
-808 0 obj <<
+816 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 112.5583 539.579 121.5146]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.5) >>
 >> endobj
-809 0 obj <<
+817 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 100.4601 539.579 109.4163]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.6) >>
 >> endobj
-810 0 obj <<
+818 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 88.3618 539.579 97.3181]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.6) >>
 >> endobj
-811 0 obj <<
+819 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 76.2636 539.579 85.2199]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.7) >>
 >> endobj
-812 0 obj <<
+820 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 64.1653 539.579 73.1216]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.8) >>
 >> endobj
-761 0 obj <<
-/D [759 0 R /XYZ 85.0394 794.5015 null]
+769 0 obj <<
+/D [767 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-762 0 obj <<
-/D [759 0 R /XYZ 85.0394 711.9273 null]
+770 0 obj <<
+/D [767 0 R /XYZ 85.0394 711.9273 null]
 >> endobj
-758 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R >>
+766 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-815 0 obj <<
+823 0 obj <<
 /Length 3172      
 /Filter /FlateDecode
 >>
@@ -1717,986 +1729,1000 @@ bx
 ƒa‘ˆÃõÞa!1N3ˆ…j°x»ô
ìç³q6Ö”osMã˜0Äð€©áyf*Ô{‡‡Äè^GBtƒÇ¯õÎMûà?øà
aÌ‘Š˜·l*€!FÔ£"Fê½£‚3bD¿û0
ÍÓŠk(.Î=]Ëõçí¤BvÄ"&.`ˆaÑføW©80,PïÔCY¯–Ø‹ß^~h¨øŸ@Û>‘GÉãpÑe.›`ˆqÑSføqM©80.Pï‘æÑÚIÈ…k¸xÝ{:þùízS.ºÇçÝlËÊ$>wq1«‘±R=®5˘€\y¡!"o?ÁÃò¦â@äŽwòZE´¯ú½µ(ê'±§Ü'¨aú‰71GÙCŒ€žÃ×v¤âÀ@½wA4í7Œ5|(W³êr6‰“~Z¬Û‡m‡ñµ˜×ŸéŸa}òaIÊFbôDÞ`OÅ!€zïÐŒ(#{c<ã
[Ñ«ëj^M}Ã`„9>'MHÈa6!À#¤§BH"ŒÔ{GˆtDIÞ/¢%äW
 ®ýÌqî猩.I(gnw§KXu·“Çäf£1tzâ
âÀÐA½wèCT¿¯`²!çãÇuÙ6ï›}Ž2¼åx7^L\6”exá2†æº#‚+"M¿¥`*–zzÓ>Ž[쳓ò@	ùÌ&b¨ôô¾W<ê½£…	"åE7´<¿™Í7ãð:œ5èWfËÏÛ×WÄ+$þ]-ëµpcÜ£¼r&f![c`ˆiÜËòðšd*LcÔ{§1eD2ݓؤ$~µ¸ÞÜv¯V«77~¢%¨‡mAÚeÐÙaúÌð=L‰ 0õ1×Q|눰RôÄ·øÏ./·9ó°Ë=é>Ñ/ŠÉÕ¶N8­ŸŽÌ!¹2;Df˜k3¼Äœ‘ue6†ÅûŸq×È\ï[Ç‹Û^ûÏ{;
Bðü/$,ûÕUöæ* ‡¾è)öÞ*Ìux€"‚ƒv`ÿs=Úºžh©§Hゥž›§> endobj
-820 0 obj <<
+828 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 758.4766 511.2325 767.4329]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.1) >>
 >> endobj
-821 0 obj <<
+829 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 746.5446 511.2325 755.4012]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.2) >>
 >> endobj
-822 0 obj <<
+830 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 734.5129 511.2325 743.3696]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.3) >>
 >> endobj
-823 0 obj <<
+831 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 722.3816 511.2325 731.3379]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.9) >>
 >> endobj
-824 0 obj <<
+832 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 710.3499 511.2325 719.3062]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.9.1) >>
 >> endobj
-825 0 obj <<
+833 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 698.3182 511.2325 707.2745]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.9.2) >>
 >> endobj
-826 0 obj <<
+834 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 675.998 511.2325 684.8547]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.5) >>
 >> endobj
-827 0 obj <<
+835 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 663.9862 511.2325 673.0919]
 /Subtype /Link
 /A << /S /GoTo /D (section.5.1) >>
 >> endobj
-828 0 obj <<
+836 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 651.9545 511.2325 661.0603]
 /Subtype /Link
 /A << /S /GoTo /D (section.5.2) >>
 >> endobj
-829 0 obj <<
+837 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 629.6343 511.2325 638.3664]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.6) >>
 >> endobj
-830 0 obj <<
+838 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 617.6225 511.2325 626.5788]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.1) >>
 >> endobj
-831 0 obj <<
+839 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 605.5908 511.2325 614.6966]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.1.1) >>
 >> endobj
-832 0 obj <<
+840 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 593.5591 511.2325 602.6649]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.1.1) >>
 >> endobj
-833 0 obj <<
+841 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 581.5275 511.2325 590.4837]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.1.2) >>
 >> endobj
-834 0 obj <<
+842 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 569.4958 511.2325 578.4521]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.1.2) >>
 >> endobj
-835 0 obj <<
+843 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 557.4641 511.2325 566.4204]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.2.1) >>
 >> endobj
-836 0 obj <<
+844 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 545.4324 511.2325 554.3887]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.2.2) >>
 >> endobj
-837 0 obj <<
+845 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 533.4007 511.2325 542.357]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.2) >>
 >> endobj
-838 0 obj <<
+846 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 521.3691 511.2325 530.3254]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.1) >>
 >> endobj
-839 0 obj <<
+847 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 509.3374 511.2325 518.2937]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.2) >>
 >> endobj
-840 0 obj <<
+848 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 497.3057 511.2325 506.262]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.3) >>
 >> endobj
-841 0 obj <<
+849 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 485.274 511.2325 494.2303]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.4) >>
 >> endobj
-842 0 obj <<
+850 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 473.2424 511.2325 482.1986]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.5) >>
 >> endobj
-843 0 obj <<
+851 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 461.2107 511.2325 470.167]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.6) >>
 >> endobj
-844 0 obj <<
+852 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 449.179 511.2325 458.1353]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.7) >>
 >> endobj
-845 0 obj <<
+853 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 437.1473 511.2325 446.1036]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.8) >>
 >> endobj
-846 0 obj <<
+854 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 425.1157 511.2325 434.0719]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.9) >>
 >> endobj
-847 0 obj <<
+855 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 413.084 511.2325 422.1897]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.10) >>
 >> endobj
-848 0 obj <<
+856 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 401.0523 511.2325 410.158]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.10.1) >>
 >> endobj
-849 0 obj <<
+857 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 389.1203 511.2325 398.1264]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.10.2) >>
 >> endobj
-850 0 obj <<
+858 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 377.0886 511.2325 386.0947]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.10.3) >>
 >> endobj
-851 0 obj <<
+859 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 364.9573 511.2325 374.063]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.11) >>
 >> endobj
-852 0 obj <<
+860 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 352.9256 511.2325 362.0313]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.12) >>
 >> endobj
-853 0 obj <<
+861 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 340.8939 511.2325 349.9997]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.13) >>
 >> endobj
-854 0 obj <<
+862 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 328.8622 511.2325 337.968]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.14) >>
 >> endobj
-855 0 obj <<
+863 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 316.8305 511.2325 325.9363]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.15) >>
 >> endobj
-856 0 obj <<
+864 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 304.7989 511.2325 313.9046]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.16) >>
 >> endobj
-857 0 obj <<
+865 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 292.7672 511.2325 301.7235]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.1) >>
 >> endobj
-858 0 obj <<
+866 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 280.7355 511.2325 289.6918]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.2) >>
 >> endobj
-859 0 obj <<
+867 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 268.7038 511.2325 277.6601]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.3) >>
 >> endobj
-860 0 obj <<
+868 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 256.6722 511.2325 265.6285]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.4) >>
 >> endobj
-861 0 obj <<
+869 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 244.6405 511.2325 253.5968]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.5) >>
 >> endobj
-862 0 obj <<
+870 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 232.6088 511.2325 241.5651]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.6) >>
 >> endobj
-863 0 obj <<
+871 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 220.5771 511.2325 229.6829]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.7) >>
 >> endobj
-864 0 obj <<
+872 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 208.5455 511.2325 217.5017]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.8) >>
 >> endobj
-865 0 obj <<
+873 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 196.5138 511.2325 205.4701]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.9) >>
 >> endobj
-866 0 obj <<
+874 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 184.4821 511.2325 193.5878]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.10) >>
 >> endobj
-867 0 obj <<
+875 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 172.4504 511.2325 181.4067]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.11) >>
 >> endobj
-868 0 obj <<
+876 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 160.4187 511.2325 169.375]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.12) >>
 >> endobj
-869 0 obj <<
+877 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 148.3871 511.2325 157.3433]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.13) >>
 >> endobj
-870 0 obj <<
+878 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 136.3554 511.2325 145.3117]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.14) >>
 >> endobj
-871 0 obj <<
+879 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 124.3237 511.2325 133.28]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.15) >>
 >> endobj
-872 0 obj <<
+880 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 112.292 511.2325 121.2483]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.16) >>
 >> endobj
-873 0 obj <<
+881 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 100.2604 511.2325 109.2166]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.17) >>
 >> endobj
-874 0 obj <<
+882 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 88.3283 511.2325 97.3344]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.18) >>
 >> endobj
-875 0 obj <<
+883 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 76.2967 511.2325 85.1533]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.19) >>
 >> endobj
-876 0 obj <<
+884 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 64.1653 511.2325 73.1216]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.17) >>
 >> endobj
-816 0 obj <<
-/D [814 0 R /XYZ 56.6929 794.5015 null]
+824 0 obj <<
+/D [822 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-813 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R >>
+821 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-879 0 obj <<
-/Length 3482      
+887 0 obj <<
+/Length 3480      
 /Filter /FlateDecode
 >>
 stream
-xÚí[SGÇßùzHÕ¾_vv1`‡T‚½@*[›äA–Æ 2’ˆ$ ΧßÍt÷ê9¢7qÀ@\Ë0gÎáüsú>°õXÏ*B…“=ã$Q”©Þ`¼E{çþ{o¶X{Ín¸h^õêlëë×ÂôqšëÞÙp/K¨µ¬w6üi{ÿíñÙáñÙéÎ/gßnžÅ›BÇŒŠúŽ¿nýôí
½ÿo·(Ϊޭÿ%Ì9ÞoI%ˆ’B„¯\nný;Þ|wišûA”°DYn2?	à'aœëŒN9¢…ÿ^ý£hÂ	³õâ/gàrÁˆµTzõeójvSÍÚËà]…[kÝ^vºè/ªq5YììrE·ªŸ)å“Ñb44_éO†Í‡æýójg×:ºMvv}¿¤sEwäVÜÍ)K]ÓgvÞk>œ@Å‚Ý.4\WlýþuŽX‹#‹ãõžx‘ÆÓÇtâÅmæŃ0š/Fƒùîà¢?™T—ó<þy‘ʺ<Tyh¨qfS²ö)—žM0…tÃ1˜ œÆtÔ‰ƒ	õž`ÒŒªAs¦?L›+Qì	5[!­ÅÐC(›¥ÝÐdâÀ A½3%‰1Æõ´tDúk4„ùAó¿5KYÏvüx÷ÓU5÷¹’¼óU%¤°`ˆ%ÂÉÄ‚zO€ãNJB@xÈþeî‘”IH|vN6áZŒ0Äp‚YÖK&Ô{ÂÅ7ÎJqwëÉÛ«ºí¨Ñá/e$ê2WÌ0ĸ€Ê`\dâÀ¸@½'.'F®TÙ`qðiÒmâjèûÍçwÓËÑ`T7:R©'«z›—bÑ“¦9ȺힽÏ)Ž¹vþ£¢§)%ŠŠ°èK£+5àõ貞HWî‹o;uç5ÈPÌ0ă2[døœ‰CõG<~4ë	¨{®ŒÓ•kÍÚôCó÷I5Ÿ^Ïv˜ÝTá+ƒéòÃù¡ÌU;ºYLÃà&t‡/ª±äñø&lcFJõ††ˆÞ+GôÎÅè{ˆ2šPΓÜKÁÅfe­`ϱKòUC²ÃXj`(¬‘€¹N hAŒeÀ[ü£Ï·«ß×ýË„ê·«%Õ|',bA8YŽ_ôS-ÿ1OÅC¨ƒµÝdâÀ @½§ò¯Q’êHoËÿÁh>¸ÎÈýý2µA>¨ü=¿sXL0ÄY×MH&ŒÔ{"D8Âs‘ÑrZ-£ÉyÛžŸ}·ä@¾ô,Ëù	.æbü@1~2q`ü Þ?ܪ\êqÈ–Ÿ£ÉM5ýÁïûWW¦Q[sŽÞÝø‹¹/ƒ˜ÅbF€!ÆTÉuOæâÀA½'F˜$–YQ-#oÕ¬áî°w¹Œ2jº%ƒÅ覨ɞs;²XÌ0Ä*aŒdâÀA½§þ*åDc#qäâ“™U:M	e2,Àý+³Dç?	.ø™*Ú_ìÎGçÿ‘Õó*ì¥mŠY/f
-bLAU1¦2q`L¡Þ#SÒQ"„á€)^ÀÔWoOŽÞgȪ÷æúêÖ^·R¦vvÝ#ëOÞ
ZŠ4DpYÁ%‚î=áb,¡NƒfjÙ¾7.GÇûßýpp˜Û©Õ¢‹.ž\[SY
-0Ä@R¹î•š\(¨÷ŠVÄ*Û*YŠMåv”hb¥ë€Ä<Ìú΃uˆcŠ‹†@PB L@¨÷Ø!®—i¦XH·âWGÇaÄ4_„¾qêþ¶¨&õ¬Íß}o˜ÑíE7f´U…í‘_½9<><Ù«gýÎrÕIB©yðô_4÷Ó	BHU1ÀJ‰õž@Œˆ´è+ˆiAØ—»ÇÂmBàõt6î/ühHý2pŽ	,Æbx@\÷	À\¨÷°B,¹#Ìw\Z:d»B\	×ÀprùDñ—Åà?ŒSÈx1NÀÃ	*Šá”‰Ã	õžú-Ìw1\X’„®±×€JuÇYþGÇ!_Å0$;Œ †ëÞy’	#sš*‰V\F®€»òïO¯'¾R¯S÷ÌKG'%!™Å˜CŒ(J&ŒÔ{¬Âq"3	•X4ŽûãP5š·d+HBHrû%ë3Qª34Dt^É4¢s.DgÜ{ÒÙúÖÀ0 s˜*K3óß÷G^ÊI2¨6ií«ÌcŸÌ
-?q±œÉSäÓuÛÌi‰¹NRjCœ h)À& Ë{<ªVó§S c>Š•†˜Ô0ß®{›O.LlÔ{R[)¢­Ó@í0u:|¬Ú#IG_¿Ý$ºþ‹—÷?“Ú!ÅjCLm˜o×}‚-¦6ê=©-‘Ò: ¶jÕÞŸŽ¯¼´ïG—£Å§FÛÛÑ⢙ðn¥hˆt4Ò_N:eæ#ë„9K»‹xlýÁN BÊŠ†PˆLkÞYæõX‚ÓúWíyÊz‚`e1LTƒëY¤b:™†Õ¬ß1éÌ[¸µà~ùë¯ßw™¯îý*ðvXžÖ¼æ¦R5Ä7jíÉ÷e¶žJÙªy,„“ÅrêsÚι}çËäò{òe^¥ü©	/~ê€!öÔAA1Š2q`4¡ÞMÜùbÍy{$žä^š²|‹dmùÜ¿˜M§‹ÜkÜ$¡’‡Ëê­õ™é|G„2"5®×£aîV–xTm{Ù3?2RB¬ ZX“D½/±­Ý.4Ì{÷þµ<¾Nw"›Awç|¸DX&³é$Hv
I1¦
Ð
:ùõãDÃÃÚÑáä¦Y=šNšÃðB‹çS;Á
-™/b`AeQ°2``¡îX†&©‰`…=æ?Ìã–Ïü:¥©ç*‹¯ºì*l”WÏ__OÍ{¤yÍm'U!íÅTCŒ*(+JU&Œ*Ô}laë÷ˆQZØp8²ó$lêá¥_&ªóÄ„œ1b f(1™@0bÖÜçFB\(¢”Ôa¸º	í0ƶgÓë÷—ÕüÂ7auEêÌO¸Ã¦OÌ0È
xîÞ·ÉK÷ª¼–5·Ù'È»L´Çâˆg:‡C?Úçf\è¥|à”?T!ÍÅ0Ä*(#
-O&"Ô}jÜ™ïšpz¹]üYïXü­7O¦íãítöÑ?_ÿhþu1½m>úá¼GóWýj¤óæ$j[¼§×áýxÛÛ¶#yþO_Ó™}L-oÈI±äÀ“æ•<&9ê>Ô
æ,±‚·utÙ™«ëÆÑdÐHVwìc¿.žß¿èOÎWº{aap¶0_ß×+B»'Щi*…"¬È€Aw!°š(ÇBãº_?ÖÇuÒs»çÉ~¾©.¯üc+åKr/–B¶‹Y†KPM”¥L Kkîs3¦á²Ý«½·S¿›x{ïꪚGƒjÞ”`vßÞ4@zc+áxª»“î‡%aÍmöªçSh»ßx¯nEñi|œLo/«áy]UëuWî^ú`åÏOHnñó±çŠ‡"“	Cuû`ÌÝnQÞkú`®~ˆšbûj6ªÚÓûߌæ‹éìÓê‘þØŸÞiµ›…"MÙb!$«˜`ˆ±Å@YÈ‚±€ºe„ûŠËÛíÈ{uç¬.#oªI5ݬ¨òIõ¡m­ã~£É‡åîñåô™vÏdE*(rWL0ÄÈ€Ú0Ú½$Fê>U	&	·íÖâ½f~¿®Gïntû؇á5/áµOõ©Ø=ÿ_s$V󌷀C‹1†&P'“L &¨ûX@('TŠÑÔW£÷—£éù¬uñ)q[‰Óëóóªþ¡®ô‡~¤× #8&Õ£M\1ɃȂ2±†æ;눥<"êÆIõëµW½ÑÜ7a“ĸíªLN^ïÏü°òyô7CÆJYvPŒ…L¨ïôaQš™ÈoÛzÓ×$Œîfý5Îñ—qÉ=p	I-ÅØ!¸@Éë^tÉDý~ÌwzŸ¾"‚³H‹hhou9˜®A½Ø{§z›¡‡bϤd´™*E ™!0ÖCXÓ?þÚË]îËEî÷ÐÔÿgŒ8¥øÿ-›éwÖ/Ô°¶ã
‚:9•=¡ˆl§Å‘õÍE òÿ&:q%endstream
+xÚíßSGÇßù+ôªƒ&óûÇÝÃ
Ø!•`àÊÕ%y¥5l­ˆ$ÀÎ_³ÚÙšm1—8` )ÔÛ­þ~¶§gfwaêÿg«NŒ“DQ¦£Éœùß½Þbí{vÛvá»^žn}ûJ˜#Ns=8ýŽe	µ–
NÇ?oï½9:=8:=Ùùõôû­ƒÓxPè˜QQñ·­Ÿ¥ƒ±÷ÿý%ÂY5¸ñßPÂœãƒÉ–T‚()DøÉÅÖÉÖ¿ãÁo—¦©¢„%Êr“ø$\€OÂ8'ÖrDÿ»ú£hÂ	³õñogàí‚k©ô>ê·Í‹Ùu1kß*|ÜZëöm'‹á¢˜Õbg—+º½_üB)¯ÊE9­šŸ«qóâÝ|xVììZG·Éή¢÷òE:—epKnÅ-Ñœ².£kúÌÎÍ‹c¨X°Û…†ëŠ­¿Î±kqRq`¼ Þ;^¤!ÊHÀ‹ÛÌ‹¡œ/ÊÑ|wt>¬ªâbž€ÇŸ/RY—†çõl8™g^%nî‘‘\Tz	YÌfbŒ@•Œìg$Æê½cD(¢˜îáô¯`dsQî‘èe!d+›`ˆ±Õ0ªŸ…D¨÷Ž.jÉl#‹ÙÕ|QŒw?ŸS(K·zC¡°’Þ¡ø?‡–MÄ„œf1b f1‰80bPï1ŒI) †Qb6—
®ÄWÖ‚„f1@ D ‰80@Pïí´¬\ld2¬¼”½€hK„ª;k´¤h)]-‰ÉÌE"¨¬ˆet/*©8Tpï*ÖnA·ÊåEåsjzõˆIËFbH@Q0$q`H Þ;$Œò#
+lNÕF$®Ëâ&—þµ¡jxXL#ògV”;ÂÒ
0Ä`‚rb0%âÀ`B½w0iA˜†Ý­þ"0m®+Úé¯^hBZ³¡†4P6cú¡IÄAƒzï QŒ0æyˆÐ˜Ðü>­Š44Ô8³©Yû˜KÏ&˜Bº³a†LPNcûaJÄÁ„zï`ŽPÅLö‹À´¹ÅÑ°Òš

0Ä ²YÚM"Ô;S’cÜÀOœ“Â|oêÅüoÍÆRÖÓG·?_sŸ+ùÀ[˜{¨*!…Ù€C(H"Ô{“Ä	½oÙ»Î=‚ò¯	‰/ÎÉ&\BB³q†.P0ËûqIÄá‚zïp¡~42vq»ž¼¹¬ÇŽþ\F¢n!sÙ\CŒ¨ÆE"ŒÔ{äB9J,§+\Ȇ‹ýÏÕpRŽÚârì›æõÛéE9*ëQG*õXe‰É•"²¯$Þö/Цâ@dǽ;ÿÒ
+1PÆ£cKê£+•àUyQoÆ)÷Õ ¹…2d31Ơ̶Šcõç=JkbhlaEÝ¿2NWÚÖšµé‡æëq1Ÿ^Ív˜Ýá'£éòãù­	ÍOçE;ÇYLÃ'4ÅçÅÄOuŒxx˶1#ÙzCLo˜qLïD˜Þ¨÷n(ñ/´Ô@ï¥âb³´V°§ØYÄ„eã1  ‰80Pï’{qà-¾ðíâÓâjxÑÐP|º\ÂPÌçqñ"–…ãå\F?ÚA ä)›`ˆQu°®Ÿ‚D¨÷n”ø*RÀÛA`¿œ®rÿøŸD÷*ÿ}¯µÇf1B F®!#Fê½#„ù‡á!¢%ä¤X,Êê¬ÕOXr ŸûË|~B†³ù†?PAŒŸD?¨÷Žª‰d²ãG¶üV×Å,t…?//#Le[sß^û7s+ž§"1‹ÙŒCŒ¨’cýŒ$âÀA½GF¤“D(Ý1¢ZFÞ,΋YÃíÉïrK¥lÚ’Ñ¢¼®§+B²'<Å,æ2
FVTBIÅ0‚{ýª´œðú¦ÈHœ¾ø)ebÇNSB™›qÿJl×ùW‚‡7üB.vçåYå_²zu…=M1ëÙLCŒ)¨*ÆT"Œ)Ô{Ç”¡„K
+™âL}óæøðõáQ‚,iˆðÕ­}ßJ™ÚÙu¬?ùZȘÐl\€!†Ã%†ê½ÃEYÂ,‡¸ˆ\ö~x·º¼ZªE/\<¾±*¤2`ˆ¥rý»6©80PPï(RÆ%Eæ€âgS©«K4±Òõ@bîg«çÞâ˜âl€€!”(ê½kˆ…ô4ĺmˆ_í‡Ó|zã®#>ø´(ªzÕæï¾ft{‘ÄíAUáRÉo^¿¨WýNSÕIB©iðô_´öÓBHU6ÀJˆõÞà_P
+º^Ó‚ðb<^^I–h;^Mg“áÂφ´ÑÏç˜Àl<€!†Èõß'šŠÃõö‰%õ/Tì_e»O\	×Àpo
+õ‰âÏ[§ñlœ€!†TÃ)†ê=ö-Â_vbƒë+ÔÊ{¨®ð8ËŸâô8&,hˆà°"ˆë¿
+%‚î=>Â*b…Ô‡p…Àmö¦W•oFê­bêžxéE%$3`ˆ¡ÅÂPIÄ¡‚zï*‡ñ­‰Ñ•X9Ž†“P:š§ž$ËH‡äö«Ö9d"[g`ˆé3霈ÓõÞé¬1ÌBÊY·@ÿã°ôZVÃjTlÛ—™‡¾¦?r¶ À¦Ôõß—ŠõÞ	*Ñ~ઠ‹;œ°VóGT¦C>²Õ†˜Ú0ß®ÿ¢ŸT˜Ú¨÷Nmaˆ¦ª¦N¦£E{«Òá·o6‰®ÿâ­þ/¤vÈG¶ÚÀSæÛõßÙ–ŠSõÞ©ÍQöoËU±rré¥}_^”‹Ï¶7åâ¼Yün¥4D:ý±\€J¬M"âov
ñкÂ^ Bʲ†PˆDkÞYâ¡{‚
+¼žÍ}–õbÁÊŠbX2(FW³HÅÞ´š—ãb6ln=éÍ[8´ànùë¯w™¯þ«ãàá°<­yM-«pÇU²ÍÓ²‘­—U^ŒFÅ<Âj±\¶ëo?ø2¹ü|^cÉ>ëbÂsÏ:hˆœu+‚"¥â@h½GšŒ%Îé@SêQL~Âí˜dmùÜ;ŸM§‹ÔÃ!%¡’‡·ÕÛ'–öÊć«‹«rœ:”%UÛ¾í‰ßD’C¬ ZXÓ‰zWb[»]h˜"ööñky|îG6†,ê>®üp­‰«ãh™íî
Iî')H õòë'‹†‡}¤ƒêºÙIšVÍMòB‹§S{Á
+™Ïb`AeQ°``¡î;°|oj-íÀ
+×›¿›ÇË?Ó{–Fû#0 ÛWØh}/LèD_]U£æyÒ<…ᶗªölª€!F”¥*Fê>Ž°ÒÓÅC_o—ì½A¶ëpÒÏËÕibBN³‰†1P3”˜D 1kîS3!Îë'€S¦«Ë™Ðécl{6½zQÌÏýVW¤Þü„#lšðļƒÔ„çöq›¼ô?œËÇšÛäD-‚·ùˆ3ž½édnzÛŒÕ>7“ùyã×wR…4gŸTÀ;© Œ(<‰@0ˆP÷qpgNûOFŠb×x¸ø[;o®¦íãÍtöÑŸ_ÿh¾;ŸÞ4/FÃpïGó¥~dÒYskj[¼§WáçÃxØ›¶‘<û§¯éÌ> ‘7æ$WrhˆH¾’sLòT ˆä¸ûP7˜•„3çmÝ8¬FducûºxwøÞù°:[i÷Âö`.g:ºš¼¯w„v ©iʆb@P` î#ÆÏ•
„öë§úÖî¼Ý»uf¿›
ß—þ´•òy¹K!ÛÙ,CŒ%¨&ÊR"Œ¥5÷©ÆŒIG×néý…/æœo¿¸¼,ªq9*æýI	fwíÆ Ò­„ã©îO8–„5·ÉªÞÞѶMB=ŠãÓ0úXMo.ŠñY]Uë}Wîž{°üó'$7ûü†ØùÅC‘I‚¡ƒºïz0®ˆf4²SÓãꓨ)¶/geÑÞÉÿ]9_LgŸWoïƒñþÑÉ­Q»Ù(Ò”="B²²Y†P”…D ¨ûXF˜ Jñ€oÊÈë¢*f¡ÍŠ*ÚÑ:^´sX}X^I¾\>Óî‰ìHåBî²É†PFû¯úI‚‘ºïªeD:ÑUâðíµnOûñ8<ò%<ª¾Cö…ÿ¯¹=Vó„/2†r*B‘úXõE®‰oÞ"ÿ4ð¶endstream
 endobj
-878 0 obj <<
+886 0 obj <<
 /Type /Page
-/Contents 879 0 R
-/Resources 877 0 R
+/Contents 887 0 R
+/Resources 885 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 731 0 R
-/Annots [ 881 0 R 882 0 R 883 0 R 884 0 R 885 0 R 886 0 R 887 0 R 888 0 R 889 0 R 890 0 R 891 0 R 892 0 R 893 0 R 894 0 R 895 0 R 896 0 R 897 0 R 898 0 R 899 0 R 900 0 R 901 0 R 902 0 R 903 0 R 904 0 R 905 0 R 906 0 R 907 0 R 908 0 R 909 0 R 910 0 R 911 0 R 912 0 R 913 0 R 914 0 R 918 0 R 919 0 R 920 0 R 921 0 R 922 0 R 923 0 R 924 0 R 925 0 R 926 0 R 927 0 R 928 0 R 929 0 R 930 0 R 931 0 R 932 0 R 933 0 R 934 0 R 935 0 R 936 0 R 937 0 R 938 0 R ]
+/Parent 739 0 R
+/Annots [ 889 0 R 890 0 R 891 0 R 892 0 R 893 0 R 894 0 R 895 0 R 896 0 R 897 0 R 898 0 R 899 0 R 900 0 R 901 0 R 902 0 R 903 0 R 904 0 R 905 0 R 906 0 R 907 0 R 908 0 R 909 0 R 910 0 R 911 0 R 912 0 R 913 0 R 914 0 R 915 0 R 916 0 R 917 0 R 918 0 R 919 0 R 920 0 R 921 0 R 922 0 R 923 0 R 924 0 R 928 0 R 929 0 R 930 0 R 931 0 R 932 0 R 933 0 R 934 0 R 935 0 R 936 0 R 937 0 R 938 0 R 939 0 R 940 0 R 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R 947 0 R ]
 >> endobj
-881 0 obj <<
+889 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 758.4766 539.579 767.4329]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.18) >>
 >> endobj
-882 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.3356 539.579 755.3417]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.19) >>
->> endobj
-883 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 733.9953 539.579 742.9515]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.20) >>
->> endobj
-884 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 721.7546 539.579 730.7109]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.21) >>
->> endobj
-885 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 709.5139 539.579 718.4702]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.22) >>
->> endobj
-886 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 697.2732 539.579 706.2295]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.23) >>
->> endobj
-887 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 685.0325 539.579 693.9888]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.24) >>
->> endobj
-888 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 672.8915 539.579 681.7481]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.25) >>
->> endobj
-889 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 660.5511 539.579 669.5074]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.26) >>
->> endobj
 890 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 648.3105 539.579 657.2667]
+/Rect [527.6238 746.5183 539.579 755.5244]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.1) >>
+/A << /S /GoTo /D (subsection.6.2.19) >>
 >> endobj
 891 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 636.0698 539.579 645.1755]
+/Rect [527.6238 734.3606 539.579 743.3169]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.2) >>
+/A << /S /GoTo /D (subsection.6.2.20) >>
 >> endobj
 892 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 623.8291 539.579 632.9348]
+/Rect [527.6238 722.3027 539.579 731.2589]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.3) >>
+/A << /S /GoTo /D (subsection.6.2.21) >>
 >> endobj
 893 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 611.5884 539.579 620.6941]
+/Rect [527.6238 710.2447 539.579 719.201]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.4) >>
+/A << /S /GoTo /D (subsection.6.2.22) >>
 >> endobj
 894 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 599.3477 539.579 608.304]
+/Rect [527.6238 698.1867 539.579 707.143]
 /Subtype /Link
-/A << /S /GoTo /D (section.6.3) >>
+/A << /S /GoTo /D (subsection.6.2.23) >>
 >> endobj
 895 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 587.107 539.579 596.0633]
+/Rect [527.6238 686.1287 539.579 695.085]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.1) >>
+/A << /S /GoTo /D (subsection.6.2.24) >>
 >> endobj
 896 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 574.8663 539.579 583.8226]
+/Rect [527.6238 674.0707 539.579 683.027]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
+/A << /S /GoTo /D (subsection.6.2.25) >>
 >> endobj
 897 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 562.6256 539.579 571.5819]
+/Rect [527.6238 662.1124 539.579 670.969]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
+/A << /S /GoTo /D (subsection.6.2.26) >>
 >> endobj
 898 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 550.385 539.579 559.3412]
+/Rect [527.6238 649.9547 539.579 658.911]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.2) >>
+/A << /S /GoTo /D (subsection.6.2.27) >>
 >> endobj
 899 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 538.1443 539.579 547.1005]
+/Rect [527.6238 637.8967 539.579 646.853]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.3) >>
+/A << /S /GoTo /D (subsection.6.2.28) >>
 >> endobj
 900 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 525.9036 539.579 534.8599]
+/Rect [527.6238 625.8387 539.579 634.795]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.4) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.1) >>
 >> endobj
 901 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 513.6629 539.579 522.6192]
+/Rect [527.6238 613.7808 539.579 622.737]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.5) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.2) >>
 >> endobj
 902 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 501.4222 539.579 510.3785]
+/Rect [527.6238 601.7228 539.579 610.679]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.3) >>
 >> endobj
 903 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 489.1815 539.579 498.1378]
+/Rect [527.6238 589.6648 539.579 598.621]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.4) >>
 >> endobj
 904 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 476.9408 539.579 486.0466]
+/Rect [527.6238 577.6068 539.579 586.5631]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
+/A << /S /GoTo /D (section.6.3) >>
 >> endobj
 905 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 464.7002 539.579 473.8059]
+/Rect [527.6238 565.5488 539.579 574.5051]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.3.5.4) >>
+/A << /S /GoTo /D (subsection.6.3.1) >>
 >> endobj
 906 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 452.4595 539.579 461.5652]
+/Rect [527.6238 553.4908 539.579 562.4471]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.6) >>
+/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
 >> endobj
 907 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 440.2188 539.579 449.1751]
+/Rect [527.6238 541.4328 539.579 550.3891]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.3.7) >>
+/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
 >> endobj
 908 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 427.9781 539.579 436.9344]
+/Rect [527.6238 529.3748 539.579 538.3311]
 /Subtype /Link
-/A << /S /GoTo /D (section.6.4) >>
+/A << /S /GoTo /D (subsection.6.3.2) >>
 >> endobj
 909 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 415.7374 539.579 424.8431]
+/Rect [527.6238 517.3168 539.579 526.2731]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
+/A << /S /GoTo /D (subsection.6.3.3) >>
 >> endobj
 910 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 403.4967 539.579 412.6025]
+/Rect [527.6238 505.2588 539.579 514.3646]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.4.1) >>
+/A << /S /GoTo /D (subsection.6.3.4) >>
 >> endobj
 911 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 391.256 539.579 400.3618]
+/Rect [527.6238 493.2008 539.579 502.3066]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
+/A << /S /GoTo /D (subsection.6.3.5) >>
 >> endobj
 912 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 379.0153 539.579 387.9716]
+/Rect [527.6238 481.1428 539.579 490.2486]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
+/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
 >> endobj
 913 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 366.7746 539.579 375.7309]
+/Rect [527.6238 469.0848 539.579 478.1906]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
+/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
 >> endobj
 914 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 354.534 539.579 363.4902]
+/Rect [527.6238 457.0269 539.579 465.9832]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
+/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
+>> endobj
+915 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 444.9689 539.579 453.9252]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.3.5.4) >>
+>> endobj
+916 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 432.9109 539.579 441.8672]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.6) >>
+>> endobj
+917 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 420.8529 539.579 429.9586]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.3.7) >>
 >> endobj
 918 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 342.2933 539.579 351.2496]
+/Rect [527.6238 408.7949 539.579 417.9006]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.4.1.5) >>
+/A << /S /GoTo /D (section.6.4) >>
 >> endobj
 919 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 318.928 539.579 327.6601]
+/Rect [527.6238 396.7369 539.579 405.6932]
 /Subtype /Link
-/A << /S /GoTo /D (chapter.7) >>
+/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
 >> endobj
 920 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 306.7072 539.579 315.6634]
+/Rect [527.6238 384.6789 539.579 393.6352]
 /Subtype /Link
-/A << /S /GoTo /D (section.7.1) >>
+/A << /S /GoTo /D (subsection.6.4.1) >>
 >> endobj
 921 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 294.4665 539.579 303.5722]
+/Rect [527.6238 372.6209 539.579 381.5772]
 /Subtype /Link
-/A << /S /GoTo /D (section.7.2) >>
+/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
 >> endobj
 922 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 282.2258 539.579 291.3315]
+/Rect [527.6238 360.5629 539.579 369.5192]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.7.2.1) >>
+/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
 >> endobj
 923 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 269.9851 539.579 279.0908]
+/Rect [527.6238 348.505 539.579 357.4612]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.7.2.2) >>
+/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
 >> endobj
 924 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 257.7444 539.579 266.8502]
+/Rect [527.6238 336.447 539.579 345.4032]
 /Subtype /Link
-/A << /S /GoTo /D (section.7.3) >>
->> endobj
-925 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 234.3791 539.579 243.2358]
-/Subtype /Link
-/A << /S /GoTo /D (chapter.8) >>
->> endobj
-926 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 222.1583 539.579 231.264]
-/Subtype /Link
-/A << /S /GoTo /D (section.8.1) >>
->> endobj
-927 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 209.9176 539.579 219.0234]
-/Subtype /Link
-/A << /S /GoTo /D (subsection.8.1.1) >>
+/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
 >> endobj
 928 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 197.6769 539.579 206.7827]
+/Rect [527.6238 324.389 539.579 333.3452]
 /Subtype /Link
-/A << /S /GoTo /D (section.8.2) >>
+/A << /S /GoTo /D (subsubsection.6.4.1.5) >>
 >> endobj
 929 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 185.4363 539.579 194.542]
+/Rect [527.6238 301.9372 539.579 310.6693]
 /Subtype /Link
-/A << /S /GoTo /D (section.8.3) >>
+/A << /S /GoTo /D (chapter.7) >>
 >> endobj
 930 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 162.0709 539.579 170.9276]
+/Rect [527.6238 289.899 539.579 298.8553]
 /Subtype /Link
-/A << /S /GoTo /D (appendix.A) >>
+/A << /S /GoTo /D (section.7.1) >>
 >> endobj
 931 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 149.8501 539.579 158.9559]
+/Rect [522.6425 277.8411 539.579 286.9468]
 /Subtype /Link
-/A << /S /GoTo /D (section.A.1) >>
+/A << /S /GoTo /D (section.7.2) >>
 >> endobj
 932 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 137.6095 539.579 146.7152]
+/Rect [522.6425 265.7831 539.579 274.8888]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.A.1.1) >>
+/A << /S /GoTo /D (subsection.7.2.1) >>
 >> endobj
 933 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 125.3688 539.579 134.4745]
+/Rect [522.6425 253.7251 539.579 262.8308]
 /Subtype /Link
-/A << /S /GoTo /D (section.A.2) >>
+/A << /S /GoTo /D (subsection.7.2.2) >>
 >> endobj
 934 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 113.1281 539.579 122.2338]
+/Rect [522.6425 241.6671 539.579 250.7728]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.A.2.1) >>
+/A << /S /GoTo /D (section.7.3) >>
 >> endobj
 935 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 100.8874 539.579 109.9931]
+/Rect [522.6425 219.2153 539.579 228.0719]
 /Subtype /Link
-/A << /S /GoTo /D (section.A.3) >>
+/A << /S /GoTo /D (chapter.8) >>
 >> endobj
 936 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 88.6467 539.579 97.7524]
+/Rect [522.6425 207.1772 539.579 216.2829]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.1) >>
+/A << /S /GoTo /D (section.8.1) >>
 >> endobj
 937 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 76.406 539.579 85.5118]
+/Rect [522.6425 195.1192 539.579 204.2249]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.2) >>
+/A << /S /GoTo /D (subsection.8.1.1) >>
 >> endobj
 938 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 64.1653 539.579 73.2711]
+/Rect [522.6425 183.0612 539.579 192.1669]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.A.3.3) >>
+/A << /S /GoTo /D (section.8.2) >>
 >> endobj
-880 0 obj <<
-/D [878 0 R /XYZ 85.0394 794.5015 null]
+939 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 171.0032 539.579 180.1089]
+/Subtype /Link
+/A << /S /GoTo /D (section.8.3) >>
 >> endobj
-877 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+940 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 148.5514 539.579 157.408]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.A) >>
 >> endobj
 941 0 obj <<
-/Length 1078      
-/Filter /FlateDecode
->>
-stream
-xÚíÚOÓ:ð{>EŽí!Æãÿ¾.$$xzÞ‡ÒdËj·)l—‡xŸþ9iìRgP–Â)Z¡-ÛŒgâù)±ÓBÉÔÚ0ã…/­WLsÐåfWðrÞ{UÀpLªðQW«âÙKiKϼ¦\]—Jk&t?˜cÜ9(WõûÅó¿Þ®^¼]½[~X½.^¬Ò¨83pÙ
ù¥xÿ—u(àuÁ™ôN—ßÂ8ïE¹+”–L+)ã_îŠwÅßi@ônš=àLH#2§"J*N{f¤ý™\-+'åâͺýº¾[VBóÅçõ¶9üxfʇyð!(E‡Ç7ï·åñÅ?¨¨t|…΋:·«
-Φ6ž%š‹³´¥µÞ4a.”eÆÚcW¯,+/ý¢¾Ù†^,زҜϿú_Êû‹
6ª+ö㬹?S†ÏÛ}>þO•e
-¡´‘é“6©™àmâ¨íÓþðæÅÎÜþ<·ØÉÜP Å
7ÀŒsËBq#Ó'nB2kŒ¸ÉáâÖͦª×÷Kp‹ýî¶ù¾¬¤s³¦'3Š=™
-¤áF¸qF™B(FdúÄ€¹€w`¤N<ÑÑÝúc–ŽûÙÎ;qv'ÛA”Ü=|ÜN¦Ê™>Ú1Þ3§ìèíl›6̯Òó}í2šÒ|OÕ„	M'ý1¾~ÊBh¢Ó'MÎ2Ïaع0s¢©¿
-5ÿîo›ee4Ì¢.$*ÎùdQ(…{
-B‹ÊB‰"Ó'QV3¯LÜÿÙQ‡æááf×̨KrŠ>™
-¤8ᆂÐãœ2…PœÈô‰“‘Ì{7xî”ÓͶýoßöžäéW!Å©ž	Rp+AØqH™B(HdúIÆ¥Ž[7„Ô®wM]m>5›Û;½îîsbôdAqŽ'B” ÜCã+ï\!” 2}¤8ãŽÇ]ð0›§„†k‘ž/BO''y2!HÂMI,·3…P„Èô‰p,ÜBãæ

-û|¯çG”¿ÿejÂdb("†›’Xg
-¡ˆ‘é10,;:±Ã×Ïõú¡é‹«™×ïä0™
-¤xáƒ$–Q™B(^dúÄ‹+&@§÷ä‘×}[oÂ+póG-Ü[ìÈdo(ò†;ŠXte
-¡¼‘é£7íÚÇýôWÓg/þÄ[æAu)ºƒ:Š¬_Ì÷GžŒj {:o‡#g£—t˜:5Õ!$žH%Fæ
-!Òé“CÇ™ä*nA?^÷ª[ÿØ]‚œ¯q—E§}2*H¡Âm5¾VËB¡"Ó'TÆ1©|ÚQš#ªºn¨œ±³¦iŠó=Y
-¤4á~‚Tš+äLSú¦Z¥ew‡3Ù/«…À¼>ÞGí«qßàS–IçDþtE°í­ô¥Ô,Œu\Œ#…jÿPÇÑ¢endstream
-endobj
-940 0 obj <<
-/Type /Page
-/Contents 941 0 R
-/Resources 939 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 731 0 R
-/Annots [ 943 0 R 944 0 R 945 0 R 946 0 R 947 0 R 948 0 R 949 0 R 950 0 R 951 0 R 952 0 R 953 0 R 954 0 R 955 0 R 956 0 R 960 0 R 961 0 R 962 0 R ]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 136.5133 539.579 145.619]
+/Subtype /Link
+/A << /S /GoTo /D (section.A.1) >>
+>> endobj
+942 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 124.4553 539.579 133.561]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.1.1) >>
 >> endobj
 943 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 758.6012 511.2325 767.3134]
+/Rect [522.6425 112.3973 539.579 121.503]
 /Subtype /Link
-/A << /S /GoTo /D (appendix.B) >>
+/A << /S /GoTo /D (section.A.2) >>
 >> endobj
 944 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 746.6211 511.2325 755.6272]
+/Rect [522.6425 100.3393 539.579 109.445]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.1) >>
+/A << /S /GoTo /D (subsection.A.2.1) >>
 >> endobj
 945 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 734.5663 511.2325 743.672]
+/Rect [522.6425 88.2813 539.579 97.3871]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.2) >>
+/A << /S /GoTo /D (section.A.3) >>
 >> endobj
 946 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 722.6111 511.2325 731.7169]
+/Rect [522.6425 76.2233 539.579 85.3291]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.3) >>
+/A << /S /GoTo /D (subsection.A.3.1) >>
 >> endobj
 947 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 710.656 511.2325 719.7617]
+/Rect [522.6425 64.1653 539.579 73.2711]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.4) >>
+/A << /S /GoTo /D (subsection.A.3.2) >>
 >> endobj
-948 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 698.8005 511.2325 707.8065]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.5) >>
+888 0 obj <<
+/D [886 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-949 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 686.8453 511.2325 695.8514]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.6) >>
+885 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 950 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 674.7905 511.2325 683.8962]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.7) >>
->> endobj
-951 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 662.935 511.2325 671.941]
-/Subtype /Link
-/A << /S /GoTo /D (section.B.8) >>
+/Length 1163      
+/Filter /FlateDecode
+>>
+stream
+xÚíÚKoÛFà»~Ò›}ï1n’¢ê nAŠDˆ-*µäí¯ïò±ëQHNC[I‹‚0ˇ3œùD/%BÆÃdÚ0ã…ϬWLsÐÙz7ãÙ6<÷ãÚmò¸QŽ·ºXÎ^¼‘6óÌa²åU¦´fB×;sŒ;ÙróaþûËåëËåûÅÇåÛÙëeÚ+Î\V»ümöá#Ï6¡€·3Τw:û#üÂx/²ÝLiÉ´’2þånö~öKÚ!z¶í=àLH#zEHt(Õ“2«=32qãÀœò­6ÙžÛÊáXç›ÃÕýÜ|¿»-þ\äÒ¹	Ó“µ}è1Ž2„¦à†	u« Q¹# ãâ†	nãe"®ð½žÞ–üöoK¦!Œ&†)bxÈ ‰•wO!12}$¦½ª>[U‘˜h‰>oVÇ¢z+\M¼¾!¯4€±¼p ÁëdÀ ‡P}…¼èô‰—¡›>Ò“
¯ûr³ÀM¯|woq"£½¡@Êž8¨á%W_!”72}òf9“JÄ+?¨Ï¦/Þ(ü)·̇ÂB‚j£Š"«×ñõ–'{5À¬1¶Ýr2zV‡qR£¢@Ê!–jxåÖWåLŸjǤ3ñã>Ðç½¼ÂV¿á.ANç¸ó¢Šm
+R¨ðXA
¯Õú
+¡P‘é*e˜’éí0
ªÍ¦<<¢rÆNšÎ¤)ö{´&HiÂó5|CB_!Mé6ÅÚ•÷ÎöÝ”¾ùêÄgßùxû¦²A¯ý‡+\¨ÆJŸIͪ}U;|¨íF¨ò¿Ñ6šendstream
+endobj
+949 0 obj <<
+/Type /Page
+/Contents 950 0 R
+/Resources 948 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 739 0 R
+/Annots [ 952 0 R 953 0 R 954 0 R 955 0 R 956 0 R 957 0 R 958 0 R 959 0 R 960 0 R 961 0 R 962 0 R 963 0 R 964 0 R 965 0 R 966 0 R 970 0 R 971 0 R 972 0 R ]
 >> endobj
 952 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 650.8801 511.2325 659.9859]
+/Rect [494.296 758.4766 511.2325 767.5824]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.9) >>
+/A << /S /GoTo /D (subsection.A.3.3) >>
 >> endobj
 953 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 638.925 511.2325 648.0307]
+/Rect [494.296 736.6834 511.2325 745.3956]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.10) >>
+/A << /S /GoTo /D (appendix.B) >>
 >> endobj
 954 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 626.9698 511.2325 636.0755]
+/Rect [494.296 724.7033 511.2325 733.7094]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.11) >>
+/A << /S /GoTo /D (section.B.1) >>
 >> endobj
 955 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 615.0146 511.2325 624.1204]
+/Rect [494.296 712.6485 511.2325 721.7542]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.12) >>
+/A << /S /GoTo /D (section.B.2) >>
 >> endobj
 956 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 603.0594 511.2325 612.1652]
+/Rect [494.296 700.6933 511.2325 709.7991]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.13) >>
+/A << /S /GoTo /D (section.B.3) >>
+>> endobj
+957 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 688.7382 511.2325 697.8439]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.4) >>
+>> endobj
+958 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 676.8826 511.2325 685.8887]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.5) >>
+>> endobj
+959 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 664.9275 511.2325 673.9336]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.6) >>
 >> endobj
 960 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 591.2039 511.2325 600.21]
+/Rect [494.296 652.8727 511.2325 661.9784]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.14) >>
+/A << /S /GoTo /D (section.B.7) >>
 >> endobj
 961 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 579.2488 511.2325 588.2549]
+/Rect [494.296 641.0171 511.2325 650.0232]
 /Subtype /Link
-/A << /S /GoTo /D (section.B.15) >>
+/A << /S /GoTo /D (section.B.8) >>
 >> endobj
 962 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 567.1939 511.2325 576.2997]
+/Rect [494.296 628.9623 511.2325 638.0681]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.9) >>
+>> endobj
+963 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 617.0071 511.2325 626.1129]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.10) >>
+>> endobj
+964 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 605.052 511.2325 614.1577]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.11) >>
+>> endobj
+965 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 593.0968 511.2325 602.2026]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.12) >>
+>> endobj
+966 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 581.2413 511.2325 590.2474]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.13) >>
+>> endobj
+970 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 569.2861 511.2325 578.2922]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.14) >>
+>> endobj
+971 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 557.331 511.2325 566.3371]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.15) >>
+>> endobj
+972 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 545.2761 511.2325 554.3819]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.16) >>
 >> endobj
-942 0 obj <<
-/D [940 0 R /XYZ 56.6929 794.5015 null]
+951 0 obj <<
+/D [949 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-939 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+948 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-965 0 obj <<
+975 0 obj <<
 /Length 2175      
 /Filter /FlateDecode
 >>
@@ -2712,51 +2738,51 @@ F
 –Q£­¢+O(Ÿèº³ß…Ù¤ÆáÜ,Ç[|Ö§%_P[B騠ò™ªýó`ÉU¸týqwyˆLä©Ê³ì¡”YÌ'}šûÿƒ“©ÿ‰3ÅWá$ h·Vž?pÊY8I
”‚lSø´£à2Þoýçˆk¥$\î™Ø¹Ó€H~ú÷oPrÛtýHx-Tà3Ÿv@¤è]’·`ºç×î‰ àÚýô•¯×=:å×n„èç–óÌ!zd¹ïªß=Çæ@¿OUÙo¯ƒ÷Õôý7:ú¹AA¨²ü%ðr™2)"ÄúsZVicÎ;ŸÁÏh£WcÄçÊ+3‹Ÿ±ò#ýšo›]yJ¯¦úßJV§Ìrû’\Ó4lqþ²áË’ÈFCÿ9¶x-=×ú
 µ¾€Ð5༚ºÜ¸c3Í¡vÃH-Ôø·¿‹ßE `{õ1³?ÆßÿඖúŸgÑ#!¥`jIBÞúÂìñ'ÇóJq·ÿ¢uendstream
 endobj
-964 0 obj <<
+974 0 obj <<
 /Type /Page
-/Contents 965 0 R
-/Resources 963 0 R
+/Contents 975 0 R
+/Resources 973 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 976 0 R
+/Parent 986 0 R
 >> endobj
-966 0 obj <<
-/D [964 0 R /XYZ 85.0394 794.5015 null]
+976 0 obj <<
+/D [974 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 6 0 obj <<
-/D [964 0 R /XYZ 85.0394 769.5949 null]
+/D [974 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-967 0 obj <<
-/D [964 0 R /XYZ 85.0394 582.8476 null]
+977 0 obj <<
+/D [974 0 R /XYZ 85.0394 582.8476 null]
 >> endobj
 10 0 obj <<
-/D [964 0 R /XYZ 85.0394 512.9824 null]
+/D [974 0 R /XYZ 85.0394 512.9824 null]
 >> endobj
-968 0 obj <<
-/D [964 0 R /XYZ 85.0394 474.7837 null]
+978 0 obj <<
+/D [974 0 R /XYZ 85.0394 474.7837 null]
 >> endobj
 14 0 obj <<
-/D [964 0 R /XYZ 85.0394 399.5462 null]
->> endobj
-969 0 obj <<
-/D [964 0 R /XYZ 85.0394 363.8828 null]
->> endobj
-18 0 obj <<
-/D [964 0 R /XYZ 85.0394 223.0066 null]
->> endobj
-970 0 obj <<
-/D [964 0 R /XYZ 85.0394 190.9009 null]
->> endobj
-971 0 obj <<
-/D [964 0 R /XYZ 85.0394 170.4169 null]
->> endobj
-972 0 obj <<
-/D [964 0 R /XYZ 85.0394 158.4617 null]
->> endobj
-963 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [974 0 R /XYZ 85.0394 399.5462 null]
 >> endobj
 979 0 obj <<
+/D [974 0 R /XYZ 85.0394 363.8828 null]
+>> endobj
+18 0 obj <<
+/D [974 0 R /XYZ 85.0394 223.0066 null]
+>> endobj
+980 0 obj <<
+/D [974 0 R /XYZ 85.0394 190.9009 null]
+>> endobj
+981 0 obj <<
+/D [974 0 R /XYZ 85.0394 170.4169 null]
+>> endobj
+982 0 obj <<
+/D [974 0 R /XYZ 85.0394 158.4617 null]
+>> endobj
+973 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+989 0 obj <<
 /Length 3187      
 /Filter /FlateDecode
 >>
@@ -2783,66 +2809,66 @@ W
 ½þ`J9ÿdÑÆÇVþ¢Ì!ûȨÀÌBÖ?e‘úñcΗ`ùX¹žŸš¦-zXæç-@fØ:\a½ã¶Gî7žÛù¨ß•=Éȧv)½»@2wl(kz+0h´zx6éqŸSS>u»žQ¶àðI¼þ˜CÍ-í‚f¡œoMoqÓâ›äÚµ|Éï…2VDÓWÜãÒ|ññþkÿ=êø_bP*˜4Õ/øÃ[Df@
 ž!þêóy©òendstream
 endobj
-978 0 obj <<
+988 0 obj <<
 /Type /Page
-/Contents 979 0 R
-/Resources 977 0 R
+/Contents 989 0 R
+/Resources 987 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 976 0 R
-/Annots [ 986 0 R 987 0 R ]
+/Parent 986 0 R
+/Annots [ 996 0 R 997 0 R ]
 >> endobj
-986 0 obj <<
+996 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [272.8897 207.1951 329.1084 219.2548]
 /Subtype /Link
 /A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
 >> endobj
-987 0 obj <<
+997 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [190.6691 179.6723 249.6573 189.0819]
 /Subtype /Link
 /A << /S /GoTo /D (rfcs) >>
 >> endobj
-980 0 obj <<
-/D [978 0 R /XYZ 56.6929 794.5015 null]
+990 0 obj <<
+/D [988 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-981 0 obj <<
-/D [978 0 R /XYZ 56.6929 756.8229 null]
+991 0 obj <<
+/D [988 0 R /XYZ 56.6929 756.8229 null]
 >> endobj
-982 0 obj <<
-/D [978 0 R /XYZ 56.6929 744.8677 null]
+992 0 obj <<
+/D [988 0 R /XYZ 56.6929 744.8677 null]
 >> endobj
 22 0 obj <<
-/D [978 0 R /XYZ 56.6929 651.295 null]
->> endobj
-983 0 obj <<
-/D [978 0 R /XYZ 56.6929 612.4036 null]
->> endobj
-26 0 obj <<
-/D [978 0 R /XYZ 56.6929 555.4285 null]
->> endobj
-984 0 obj <<
-/D [978 0 R /XYZ 56.6929 530.6703 null]
->> endobj
-30 0 obj <<
-/D [978 0 R /XYZ 56.6929 416.0112 null]
->> endobj
-985 0 obj <<
-/D [978 0 R /XYZ 56.6929 391.253 null]
->> endobj
-34 0 obj <<
-/D [978 0 R /XYZ 56.6929 164.815 null]
->> endobj
-988 0 obj <<
-/D [978 0 R /XYZ 56.6929 137.4068 null]
->> endobj
-977 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R /F21 730 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [988 0 R /XYZ 56.6929 651.295 null]
 >> endobj
 993 0 obj <<
+/D [988 0 R /XYZ 56.6929 612.4036 null]
+>> endobj
+26 0 obj <<
+/D [988 0 R /XYZ 56.6929 555.4285 null]
+>> endobj
+994 0 obj <<
+/D [988 0 R /XYZ 56.6929 530.6703 null]
+>> endobj
+30 0 obj <<
+/D [988 0 R /XYZ 56.6929 416.0112 null]
+>> endobj
+995 0 obj <<
+/D [988 0 R /XYZ 56.6929 391.253 null]
+>> endobj
+34 0 obj <<
+/D [988 0 R /XYZ 56.6929 164.815 null]
+>> endobj
+998 0 obj <<
+/D [988 0 R /XYZ 56.6929 137.4068 null]
+>> endobj
+987 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1003 0 obj <<
 /Length 3415      
 /Filter /FlateDecode
 >>
@@ -2861,60 +2887,60 @@ J$
 ?6`³> endobj
-996 0 obj <<
+1006 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 463.1122 539.579 475.1718]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-997 0 obj <<
+1007 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 451.8246 133.308 463.2167]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-994 0 obj <<
-/D [992 0 R /XYZ 85.0394 794.5015 null]
+1004 0 obj <<
+/D [1002 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 38 0 obj <<
-/D [992 0 R /XYZ 85.0394 570.5252 null]
+/D [1002 0 R /XYZ 85.0394 570.5252 null]
 >> endobj
-995 0 obj <<
-/D [992 0 R /XYZ 85.0394 541.3751 null]
+1005 0 obj <<
+/D [1002 0 R /XYZ 85.0394 541.3751 null]
 >> endobj
 42 0 obj <<
-/D [992 0 R /XYZ 85.0394 434.1868 null]
+/D [1002 0 R /XYZ 85.0394 434.1868 null]
 >> endobj
-998 0 obj <<
-/D [992 0 R /XYZ 85.0394 406.5769 null]
+1008 0 obj <<
+/D [1002 0 R /XYZ 85.0394 406.5769 null]
 >> endobj
 46 0 obj <<
-/D [992 0 R /XYZ 85.0394 301.1559 null]
+/D [1002 0 R /XYZ 85.0394 301.1559 null]
 >> endobj
-999 0 obj <<
-/D [992 0 R /XYZ 85.0394 276.6843 null]
+1009 0 obj <<
+/D [1002 0 R /XYZ 85.0394 276.6843 null]
 >> endobj
 50 0 obj <<
-/D [992 0 R /XYZ 85.0394 200.1512 null]
+/D [1002 0 R /XYZ 85.0394 200.1512 null]
 >> endobj
-1000 0 obj <<
-/D [992 0 R /XYZ 85.0394 175.6796 null]
+1010 0 obj <<
+/D [1002 0 R /XYZ 85.0394 175.6796 null]
 >> endobj
-991 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R /F21 730 0 R >>
+1001 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1004 0 obj <<
+1014 0 obj <<
 /Length 2458      
 /Filter /FlateDecode
 >>
@@ -2927,39 +2953,39 @@ Y
 K³ËZ!U¢|õ },ä-T\Èiù)¶†—™M¬)¢Ût‡KBaŒÂ´˜ŸS7`\&Ö^±¡‰&&Ú¡Ù’å^_ˆ¼=¢µŽ¸Š©/@ð$.˜Á²n	0ãf—«{/Qc‡çöùŽ±Éñ¡ÚÖ=¯tñÍX>Ëî)z/{0„öG1YC*5÷Hò|ÅjAÀùеa0ÂXë–KƯ,†•p=†”Fä9‰ñléÜî|uÚ$1Sû52Ñ”*?õVù8ijÞC@üû3ß‚ü¹=á¬zÛ”SsÀÖ'¨‹«ƒNøÒÕæOwíi¸þáñé=|ë5ë~ÒÅÀªƒtk¨€ƒ6¼Ý]´Né!)½=Á˜*5$ÐyúÿPŠrla±Ö¯æj§›íb5%îÖfÏX.]äü©pšwzc4vÖ׳Ü]Õ°»“™2_$¡OæÖ#ç’_åpÚÐØ°ö4uîëÜzû.—H38Bn«‚'äô°…ïúýuoõÖV1J¹–cݽŒñ=Ãm}„R/"$•§Ž4÷•>‚tùª[«_Ð@âIŠý[†a{ÓШk/O \¯\iܽŒ‹µyîbm^`8O_Š­j˜=:9M®<uH&)!Íf¹²E ¤òïFÜÙÍv¤Yžú*Ï]‚ÍŽb7KFY!ëö4¹é>a±¬zÙ\˜"T‘2»Œ·SCNE˜"¿ÄTz[Õ•=L	
A05h1„u”»œdkM9C€/¥x$ue¿r~EÇðyΟ¯Ž&áèBgÚ½.ßóh¦·\Q&ɧw%±»Üéu©®Œ¡™ÐÙ^ôÃo)Ó$TK
 …3¸U£©UPk\‘;cpËÜÓ…à8~*”©DGÊR³)=„ò6MÄU$ä¨U“—¿pf¥ÉÖ\:âç¥Z¾þ®Úé=YO½å¼zxã¿H_ø‡ÈÂ?!á˜èþïÿ]¦¿Ÿ¢4PY&—ÿRÁá("Ì”K©á
çþš[ÖÿxK:óendstream
 endobj
-1003 0 obj <<
+1013 0 obj <<
 /Type /Page
-/Contents 1004 0 R
-/Resources 1002 0 R
+/Contents 1014 0 R
+/Resources 1012 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 976 0 R
+/Parent 986 0 R
 >> endobj
-1005 0 obj <<
-/D [1003 0 R /XYZ 56.6929 794.5015 null]
+1015 0 obj <<
+/D [1013 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 54 0 obj <<
-/D [1003 0 R /XYZ 56.6929 717.7272 null]
+/D [1013 0 R /XYZ 56.6929 717.7272 null]
 >> endobj
-1006 0 obj <<
-/D [1003 0 R /XYZ 56.6929 690.4227 null]
+1016 0 obj <<
+/D [1013 0 R /XYZ 56.6929 690.4227 null]
 >> endobj
 58 0 obj <<
-/D [1003 0 R /XYZ 56.6929 550.0786 null]
+/D [1013 0 R /XYZ 56.6929 550.0786 null]
 >> endobj
-1007 0 obj <<
-/D [1003 0 R /XYZ 56.6929 525.2967 null]
+1017 0 obj <<
+/D [1013 0 R /XYZ 56.6929 525.2967 null]
 >> endobj
 62 0 obj <<
-/D [1003 0 R /XYZ 56.6929 393.0502 null]
+/D [1013 0 R /XYZ 56.6929 393.0502 null]
 >> endobj
-1008 0 obj <<
-/D [1003 0 R /XYZ 56.6929 363.1913 null]
+1018 0 obj <<
+/D [1013 0 R /XYZ 56.6929 363.1913 null]
 >> endobj
-1002 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R >>
+1012 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1011 0 obj <<
+1021 0 obj <<
 /Length 2095      
 /Filter /FlateDecode
 >>
@@ -2977,66 +3003,66 @@ D
 Õmíš™Q‘‚z
 â~ó
¯	fÙ"‡èâ9Lt¨ž¹£j¡	mK(ÈÏbµÌ¥X2¼É6õpT!h_¥^ÁO8,uU•a¸‡àk"¿°•6ªÇsÓ÷Oã_IZ:ä[²ÑiÉ*Np’êZÀu
‰¡‰ñìK—!Gµ&¯!cÖ`þû$8‘ôbGÊ=6ü¡ºJ¬« z¸Äã5Âr‘> endobj
-1017 0 obj <<
+1027 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 268.1131 539.579 280.1727]
 /Subtype /Link
 /A << /S /GoTo /D (acache) >>
 >> endobj
-1018 0 obj <<
+1028 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 256.1579 143.5361 268.2175]
 /Subtype /Link
 /A << /S /GoTo /D (acache) >>
 >> endobj
-1012 0 obj <<
-/D [1010 0 R /XYZ 85.0394 794.5015 null]
+1022 0 obj <<
+/D [1020 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 66 0 obj <<
-/D [1010 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1013 0 obj <<
-/D [1010 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-70 0 obj <<
-/D [1010 0 R /XYZ 85.0394 574.3444 null]
->> endobj
-1014 0 obj <<
-/D [1010 0 R /XYZ 85.0394 540.5052 null]
->> endobj
-74 0 obj <<
-/D [1010 0 R /XYZ 85.0394 447.7637 null]
->> endobj
-1015 0 obj <<
-/D [1010 0 R /XYZ 85.0394 410.3389 null]
->> endobj
-78 0 obj <<
-/D [1010 0 R /XYZ 85.0394 348.7624 null]
->> endobj
-1016 0 obj <<
-/D [1010 0 R /XYZ 85.0394 311.223 null]
->> endobj
-82 0 obj <<
-/D [1010 0 R /XYZ 85.0394 189.9853 null]
->> endobj
-1019 0 obj <<
-/D [1010 0 R /XYZ 85.0394 156.0037 null]
->> endobj
-1009 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1020 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1023 0 obj <<
+/D [1020 0 R /XYZ 85.0394 574.3444 null]
+>> endobj
+70 0 obj <<
+/D [1020 0 R /XYZ 85.0394 574.3444 null]
+>> endobj
+1024 0 obj <<
+/D [1020 0 R /XYZ 85.0394 540.5052 null]
+>> endobj
+74 0 obj <<
+/D [1020 0 R /XYZ 85.0394 447.7637 null]
+>> endobj
+1025 0 obj <<
+/D [1020 0 R /XYZ 85.0394 410.3389 null]
+>> endobj
+78 0 obj <<
+/D [1020 0 R /XYZ 85.0394 348.7624 null]
+>> endobj
+1026 0 obj <<
+/D [1020 0 R /XYZ 85.0394 311.223 null]
+>> endobj
+82 0 obj <<
+/D [1020 0 R /XYZ 85.0394 189.9853 null]
+>> endobj
+1029 0 obj <<
+/D [1020 0 R /XYZ 85.0394 156.0037 null]
+>> endobj
+1019 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1033 0 obj <<
 /Length 592       
 /Filter /FlateDecode
 >>
@@ -3045,27 +3071,27 @@ xÚ¥TKs
 ¶AÌâ1cƒ¥
 ²àúpäíS?ä`DÙ„~@%€ÄˆÅÆ9fŽKDEBæˆ`l8ÙïvºéTáYÛ©fÝ•õƒgì¹íÔ¶µ\6º"*Ð$‘¬œe'†V1h5i½Ý••jq]NiB÷uëbtí½NTë&$>(ç­÷Û;Õ8—¾wrU—¢ªü¥¼ùP¶Íh}Ù¯?é¾Bà¼ÜôøºÕ÷mÍ6C’œ;v¾†œÃ².ô“ 8†™jmV§3§õÀÞ$ŽŒJØÁöãÛâMÖ—>¢íÖfô¨Œá™n†'÷»¨ÓQ±î”;W&Øi–+ÛÑåÙ£kûèuOnWZ¥Ü•v?Õ0ÒÓÓ¹ïÓÊÛËúM`§wN©Ô£ªœZ”=…jÓéæÙ™ú¢Æy‡]’N´zßgmÔÒvMy·ïJ]£mãÈ®Â;`^iÿ½q‡ßPœ &=,Óxèi"P,ˆ/ÊKè»Ê‡Õ|_ú_ˆˆ6Hendstream
 endobj
-1022 0 obj <<
+1032 0 obj <<
 /Type /Page
-/Contents 1023 0 R
-/Resources 1021 0 R
+/Contents 1033 0 R
+/Resources 1031 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 976 0 R
+/Parent 986 0 R
 >> endobj
-1024 0 obj <<
-/D [1022 0 R /XYZ 56.6929 794.5015 null]
+1034 0 obj <<
+/D [1032 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 86 0 obj <<
-/D [1022 0 R /XYZ 56.6929 769.5949 null]
+/D [1032 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1025 0 obj <<
-/D [1022 0 R /XYZ 56.6929 744.7247 null]
+1035 0 obj <<
+/D [1032 0 R /XYZ 56.6929 744.7247 null]
 >> endobj
-1021 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R >>
+1031 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1028 0 obj <<
+1038 0 obj <<
 /Length 1160      
 /Filter /FlateDecode
 >>
@@ -3078,45 +3104,45 @@ JxI1|
 Ó–ÿ¼\g¥»ÜEÕýx€
 ¾qÂôrœº=ȘZ\
ö\FØÿxd²ó‘ód¦·$4%9‡‹{¦úÃ9šfؼ!¼‚¦ÿH	ËI)xáõ8kØ;ߥo…­<©»çÃ¥ÛŽ›­>L/‰ÁÌ ²”Š,`îö$àžÇV”ðl×ØæÚ,˜Lá5]Ö·[öhLs&¾Ñ¡0ÌC/—U5U}hõö5¡æ^uº…®û]}á¦×=}»ž^êáý-Rb_ósoù _dð!A3Rð2Š,,&î­MÍýÍ­D³endstream
 endobj
-1027 0 obj <<
+1037 0 obj <<
 /Type /Page
-/Contents 1028 0 R
-/Resources 1026 0 R
+/Contents 1038 0 R
+/Resources 1036 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1034 0 R
+/Parent 1044 0 R
 >> endobj
-1029 0 obj <<
-/D [1027 0 R /XYZ 85.0394 794.5015 null]
+1039 0 obj <<
+/D [1037 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 90 0 obj <<
-/D [1027 0 R /XYZ 85.0394 769.5949 null]
+/D [1037 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1030 0 obj <<
-/D [1027 0 R /XYZ 85.0394 575.896 null]
+1040 0 obj <<
+/D [1037 0 R /XYZ 85.0394 575.896 null]
 >> endobj
 94 0 obj <<
-/D [1027 0 R /XYZ 85.0394 529.2011 null]
+/D [1037 0 R /XYZ 85.0394 529.2011 null]
 >> endobj
-1031 0 obj <<
-/D [1027 0 R /XYZ 85.0394 492.9468 null]
+1041 0 obj <<
+/D [1037 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
 98 0 obj <<
-/D [1027 0 R /XYZ 85.0394 492.9468 null]
+/D [1037 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
-1032 0 obj <<
-/D [1027 0 R /XYZ 85.0394 466.0581 null]
+1042 0 obj <<
+/D [1037 0 R /XYZ 85.0394 466.0581 null]
 >> endobj
 102 0 obj <<
-/D [1027 0 R /XYZ 85.0394 201.2466 null]
+/D [1037 0 R /XYZ 85.0394 201.2466 null]
 >> endobj
-1033 0 obj <<
-/D [1027 0 R /XYZ 85.0394 170.5419 null]
+1043 0 obj <<
+/D [1037 0 R /XYZ 85.0394 170.5419 null]
 >> endobj
-1026 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+1036 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1037 0 obj <<
+1047 0 obj <<
 /Length 1766      
 /Filter /FlateDecode
 >>
@@ -3126,41 +3152,41 @@ x
 ´71¬q'Ô)W£®ìÙÐã€?³ÿŸ^`ÛmËì<MýÛê]‚Qÿ<Ûqfo¬MÐÛ56#¢‚&R^»]‡6õçÚ]]ªìH,o–iŸ¶ãj£íŠT0e¯H_Ø  …£Lµi^`_ÿÇá’ïá3µ?p;(8µù*üµ>üåg¤°f%ûKÅYAˆ… Œñ·ŠÊIUgø6:¾”a,,m³»nôUØ ËsÌ'EÅðz¡PÜàîjÛæ ì€’HP§Q'Â¥‹^uêçbu¦\©?yØ™ý:ÝSŸ5–Fë1Ÿ›r[Ÿâû>úGº@ADDÁ|Ïþ^ÀëhÔᘓV‚œ2]D
 1(Žz&ȧþt݃'#"âøD îºÓÊü‘÷tw¿g”ÿk6	endstream
 endobj
-1036 0 obj <<
+1046 0 obj <<
 /Type /Page
-/Contents 1037 0 R
-/Resources 1035 0 R
+/Contents 1047 0 R
+/Resources 1045 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1034 0 R
-/Annots [ 1042 0 R ]
+/Parent 1044 0 R
+/Annots [ 1052 0 R ]
 >> endobj
-1042 0 obj <<
+1052 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 61.5153 126.3509 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1038 0 obj <<
-/D [1036 0 R /XYZ 56.6929 794.5015 null]
+1048 0 obj <<
+/D [1046 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 106 0 obj <<
-/D [1036 0 R /XYZ 56.6929 372.6686 null]
+/D [1046 0 R /XYZ 56.6929 372.6686 null]
 >> endobj
-1039 0 obj <<
-/D [1036 0 R /XYZ 56.6929 334.1957 null]
+1049 0 obj <<
+/D [1046 0 R /XYZ 56.6929 334.1957 null]
 >> endobj
-1040 0 obj <<
-/D [1036 0 R /XYZ 56.6929 266.1213 null]
+1050 0 obj <<
+/D [1046 0 R /XYZ 56.6929 266.1213 null]
 >> endobj
-1041 0 obj <<
-/D [1036 0 R /XYZ 56.6929 254.1661 null]
+1051 0 obj <<
+/D [1046 0 R /XYZ 56.6929 254.1661 null]
 >> endobj
-1035 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R >>
+1045 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1046 0 obj <<
+1056 0 obj <<
 /Length 2695      
 /Filter /FlateDecode
 >>
@@ -3178,45 +3204,45 @@ x
 =Þ=ç„&.Ñÿ‹rb+Sçs¸=@•i1îãÔΕ02Q	¿J“˜°ªpâak°q‘@¹À<¿Úœô¦¹NYV`ßàP…bç…ãø`£9/ÎZncadPpa@neŽA‘‹ñêUL=6Ö‚vĸ+Œt˜ƒ…I_xÜ>…D•ÿÿѽJ{Õ3bÞ)ØAT×x#¹æÞ:E\
 ¨z:Ø<–7ØJLZóÌN&"â
Ü~Q8“îFæÒ~± éTÌ"8K­0=eŽná÷¼ïÑO#e
ÙzÄÁm­ÌT‹¿wöÎ!'Zç’–WOÊ.æ›-;üE3Ãàìrývà‚÷~KGˆIjŽeàÉ;sò•}{P«ZsVSqÖ«0²~h&Ò‰ç„Ý¡j!?µ_ž´Á(6ýkö“z€ŠÃÒØžŒ$ÚKëre¿Ä³t¬}ïhz}³„´`Šš Y¾ž¹SÛò¾nJæ64,§Êêд–âaZ…jX8]ðÓ§_€™2áAâS @Sš¹­–=}×7ÌÁ»¼h¿áX`C¯ÊŠÏÍxA’P|àŽ”Ù;Òç“Kão¼'
}ÞŸ/Ô»òÑ!q‡ð{µñW‡òد4ü©jè£6Â/‹Ê$C`;•„3ú4Ô>ÓÌmKãR ŠW[µú
Bp}¶àXñ”hOs!{ìä„@ýeCá³GY1>/œpÎÉXÁ.oíþIÚ]Üù7}ùeê‡K`Nøkk£™Ñ#e„¥©ô7ˆ	ÛöMn¯ÇyÈž‰?yÿîd9ÿÈÏó™sFž¤$gPê¬RZ}*§šûÿx¹TýܵŸendstream
 endobj
-1045 0 obj <<
+1055 0 obj <<
 /Type /Page
-/Contents 1046 0 R
-/Resources 1044 0 R
+/Contents 1056 0 R
+/Resources 1054 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1034 0 R
+/Parent 1044 0 R
 >> endobj
-1047 0 obj <<
-/D [1045 0 R /XYZ 85.0394 794.5015 null]
+1057 0 obj <<
+/D [1055 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 110 0 obj <<
-/D [1045 0 R /XYZ 85.0394 769.5949 null]
+/D [1055 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1048 0 obj <<
-/D [1045 0 R /XYZ 85.0394 744.949 null]
+1058 0 obj <<
+/D [1055 0 R /XYZ 85.0394 744.949 null]
 >> endobj
 114 0 obj <<
-/D [1045 0 R /XYZ 85.0394 744.949 null]
+/D [1055 0 R /XYZ 85.0394 744.949 null]
 >> endobj
-1049 0 obj <<
-/D [1045 0 R /XYZ 85.0394 721.0357 null]
+1059 0 obj <<
+/D [1055 0 R /XYZ 85.0394 721.0357 null]
 >> endobj
 118 0 obj <<
-/D [1045 0 R /XYZ 85.0394 672.3079 null]
+/D [1055 0 R /XYZ 85.0394 672.3079 null]
 >> endobj
-1001 0 obj <<
-/D [1045 0 R /XYZ 85.0394 647.0603 null]
+1011 0 obj <<
+/D [1055 0 R /XYZ 85.0394 647.0603 null]
 >> endobj
 122 0 obj <<
-/D [1045 0 R /XYZ 85.0394 136.5325 null]
+/D [1055 0 R /XYZ 85.0394 136.5325 null]
 >> endobj
-1053 0 obj <<
-/D [1045 0 R /XYZ 85.0394 113.5963 null]
+1063 0 obj <<
+/D [1055 0 R /XYZ 85.0394 113.5963 null]
 >> endobj
-1044 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
+1054 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1056 0 obj <<
+1066 0 obj <<
 /Length 3185      
 /Filter /FlateDecode
 >>
@@ -3238,21 +3264,21 @@ _
 ™>°ùÒp°vì0N0e¢;“1üÃØe
 08>\ƒ3ØE7†,g§r^6žªñ¨‚ký¹j»ª¾;òè¯ÚúsnÎépÓkWÌäù¼2Xž+ó7s_Og VÅÈ	.?¶[é Û¿¤Þ"ñ|;|Y3ª9žËøe¥?>Nó„4æLs*“šœò¯ÑœÈMU”ŒÆ>·¤Î|QŸØ 8>ùÃýãÿ3˜“8¥F¾Õ¡™©Ÿ€‰ÊNäù'IÜGÒ„èÿt3Ùºendstream
 endobj
-1055 0 obj <<
+1065 0 obj <<
 /Type /Page
-/Contents 1056 0 R
-/Resources 1054 0 R
+/Contents 1066 0 R
+/Resources 1064 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1034 0 R
+/Parent 1044 0 R
 >> endobj
-1057 0 obj <<
-/D [1055 0 R /XYZ 56.6929 794.5015 null]
+1067 0 obj <<
+/D [1065 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1054 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F53 1052 0 R /F23 754 0 R /F14 757 0 R /F48 975 0 R /F55 1060 0 R >>
+1064 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F14 765 0 R /F48 985 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1063 0 obj <<
+1073 0 obj <<
 /Length 3817      
 /Filter /FlateDecode
 >>
@@ -3272,29 +3298,29 @@ w
 5Ñ’é´V‘^@v§¤xÉ·âöLÓð—â+¿ßê¸aàAC*+!'·@gÄQùÑœrTOÊ©ë®JÓõØ2UØ’eh¸/Z2ŽUè¹%ç¢jiä\„[ÅÚÇy½i÷`iv¤:ŒÏ«ÓÉ,KE>-Äd¦ùRƒiò¨™Èo+W³%ôG
 ²|üþ[ûÃPpü;> endobj
-1065 0 obj <<
+1075 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [120.1376 238.8931 176.3563 248.1085]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1064 0 obj <<
-/D [1062 0 R /XYZ 85.0394 794.5015 null]
+1074 0 obj <<
+/D [1072 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1061 0 obj <<
-/Font << /F37 819 0 R /F48 975 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R >>
+1071 0 obj <<
+/Font << /F37 827 0 R /F48 985 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1069 0 obj <<
+1079 0 obj <<
 /Length 2236      
 /Filter /FlateDecode
 >>
@@ -3313,34 +3339,34 @@ b*
 )ûDêXü£ìNcìÅ$ýÿÆl`Š|b$¶´ƒØõÍü4Âö_`‡<†ñ5dò?€¯—’ó^¬Iô‡HŒÿ¸;úºT$”iÔ¡tˆ%	ý͇'ßìsÿTÜÿ×
 53“’†Ñ­0ÃèêPMKcÈ£¿<ý¿n×€õG]>Cendstream
 endobj
-1068 0 obj <<
+1078 0 obj <<
 /Type /Page
-/Contents 1069 0 R
-/Resources 1067 0 R
+/Contents 1079 0 R
+/Resources 1077 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1034 0 R
+/Parent 1044 0 R
 >> endobj
-1070 0 obj <<
-/D [1068 0 R /XYZ 56.6929 794.5015 null]
+1080 0 obj <<
+/D [1078 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 126 0 obj <<
-/D [1068 0 R /XYZ 56.6929 317.229 null]
+/D [1078 0 R /XYZ 56.6929 317.229 null]
 >> endobj
-1071 0 obj <<
-/D [1068 0 R /XYZ 56.6929 289.9246 null]
+1081 0 obj <<
+/D [1078 0 R /XYZ 56.6929 289.9246 null]
 >> endobj
-1072 0 obj <<
-/D [1068 0 R /XYZ 56.6929 260.4072 null]
+1082 0 obj <<
+/D [1078 0 R /XYZ 56.6929 260.4072 null]
 >> endobj
-1073 0 obj <<
-/D [1068 0 R /XYZ 56.6929 248.452 null]
->> endobj
-1067 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F48 975 0 R /F21 730 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
+1083 0 obj <<
+/D [1078 0 R /XYZ 56.6929 248.452 null]
 >> endobj
 1077 0 obj <<
-/Length 2478      
+/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F21 738 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1087 0 obj <<
+/Length 2477      
 /Filter /FlateDecode
 >>
 stream
@@ -3349,35 +3375,33 @@ $
 cᤴs­M%X¦¤	ËöþîéúOÔ¶IÄ­QÉ+°¨‰0CzÀæ׺i¨U‘ÒÚ&úÐÉÛòUظ§/X8Ž´õPçC “_ž4œò¶ß“ØhJ˸ä•ï:ôn’CGP¯n÷ÝéžÈï»ó@Mtä3j9Uæ%3JÇ$OÓ°ì‘ôªÆ†×6ʪ/NõqbÀ{iX±æDœ!âéísWRÂ29:Q7£_·¸üæíÝ„XF0¸
 а–)É%"Mž6Ôø4ƒ°qýn¾ láÈWt‘—Ûª˜˜ÉXÊDsÁÒˆ’󾃥ßg$B©2S&Ümp6p¥ƒsBM±Éh
Ck,—S**uÅF™cV)”Ÿ7}·{ÖPàM™“ÑM®ˆGMDæ¿oœqýn¾áZ'×tÆAQƒqÌKƒÅ‚¡+Ó„5/1qA	Yðk“»U÷‡@—£~BâYXv$º¢kH2K`ÂþXõ =²ÉLƒVl¶uÀ§Oï^SC8—±KµŒ^&%h€ÈÞüöß” Ÿ_o8“ÎêÍWèpÒÍáF‰”9§Uinnoþ5R³’e\|‡íã@+4i‡¾ µ‹Üí¤rLk37ȈâûCx±peh3µ„ìf*Ö™òy†àLË4Zâãv—‰äþ§ÉÛKÅM —n¤å:•âÑ›?7‚q圤E³¶uRøéý!ݼé@ ÍL¦Hx7§ì…‚LfŽ™†q³ ?3”¡XëC	| XnSˆGÛTclH­I¾m€¿î° ÈÛ°î3µî«	3EeÂ’€ã´rB´_‘^³¹ëB‡PÉðù|óB&	W“;9E—Ôñäé?ÑieµßJ”çf³}Õ–ýʉ»Ô€ÑÌ–áüÃÇ­âÉtÁ–Ç;¦´áøCÕ÷yȨTâÏõÑ:vHdŸ®É™nqU=зéòÒk@@‘ÜâýÜ?ÕíÚ¦8X“§¡ÐÓ	–m캶A‚OÿX‘ÂI¦¬Ô€Ï‘¤nåŠüÜWk|@ Wμd0Ŭ±1ùóîaÀ=Úæ‰ZhâÑ9Þ÷lb™ã2ž0Z‰ž	í¨ùžº!çƒV¾3#\&
 ô"¿†ü5TBüÓ.s›]Øû—1s	t€Ã‹újVæÄuÄv¡ØIC±óæ	,Y„÷ÿ>–˜z>_ù(Ú>mÊ\ÜäÛ>àÀ7§Ï¡;L?OöÞH8W–àèxY!‡¥õØä:¿Ÿëʪ©†q””Ô–á°fÇEóC;”¾}ÿD,€[‹¤-‰&ôÁÅBȹ}ÌÌê`òL­nQbFPÀx.¸çã–|þ¸ªAüŒ@g_-‰-ËŠyøEÂE N…ÌVË™yErñ£± Kä)ù=Ì4D]ºp¾-S’sPŒä«i D›ŽÒW¶»ósž”¥Ìrã©·õs„SÍ„ŠÉ
Ü»¦.ÖòKHh4z7­.b3e‰g
-
m X
»|Î{M’1nU”¯P˜htê–z€ªoÕïÁàÂ…2¡î^áJÁ•ÎÔÊ®˜3:ÊŽf>Ḏö€3•X8EÉ›®È›5Ñ!÷ÆÍÂ/O;ýHüZ&jQ1Ž­û0r¬N‡zÐÑ°ë!a±ùsäSGšey̙ݕeÛ¯Õ`£íÈ1ÙI[Ч±Ë‹þõ±.ÉG»&VñûPµÕ)â»Z-R±DéuH\fÿ~ÇL'bøÑi8lÜVÕUùÁAj|J9D!àú¥Š(®ßÍ7¬#Wt—ð†Q
-ùŠ%“ÂmqŽ®K¢°è%6ŒB$0K6(J ŽÏØ+«!¯›žn„"42TÁáv)¿u½’Áy4Ѷ{Œ=Ö»âT•pSëUÇ\žŒè“Ǥ咶AEÎh—Ý!¯Ûµ;Ê™³ãk
-áSÈÌ=@Y÷@`f™V‹Ž5LJ\NX5©½>Y뾩¦S(OrLã]ÒFd“ †)ÉâÆhG
 ½–† `¨ÛpFxŠ‚Qê%M¥f™§gd·–Ì—êoùm1§ºÏûè–qÊ¿­æ3ìë‡? çï‹T.zzõ¿#¸dQ=Šíà«ÄðøÄôÁÑ¡˜‰9ùøĘEþ·;ŸÚ˜…b
-Ø<—žƒgjC†ü™‚Ùì€TãczYÑ°¿íðÍé_—õh,§Ä1ö›&\Ö€3¦Kš¤\+‹áÙôË,žÉ’Y0ú¥Ä%³Äá@,Œ¡íÖvîxB&±œîÃqÑ:ÐþúXµÓxøÉãtHÿÔu€;òÏ^«ÐÄÒÅH
VƒĄåá`~Ƥ„p`&êþ¹‡6püm-ÖNEà¸f-àg C¤
‹PuÂ=û}}ÜÿJCô³endstream
+
m X
»|Î{M’1nU”¯P˜htê–z€ªoÕïÁàÂ…2¡î^áJÁ•ÎÔÊ®˜3:ÊŽf>Ḏö€3•X8EÉ›®È›5Ñ!÷ÆÍÂ/O;ýHüZ&jQ1Ž­û0r¬N‡zÐÑ°ë!a±ùsäSGšey̙ݕeÛ¯Õ`£íÈ1ÙI[Ч±Ë‹þõ±.ÉG»&VñûPµÕ)â»Z-R±DéuH\fÿ~ÇL'bøÑi8lÜVÕUùÁAj|J9D!àú¥Š(®ßÍ7¬#Wt—ð†ེbɤp[Ü‚£ë’(,z‰
£	Ì’
Šˆ„ãóöÊjÈ릧[¡Up¸]Êo]¯¤FpM4€ƒícõ®8U%ÜÔzÕñ—€'#úä1i¹¤mP‘3ÚewÈëvíŽræìøšBø2sPÖ=P˜Y¦Õâ…cÍñ!—VÍAê@¯OÖz„oªéÊÓc„Óx—´Ù$ÈŸaJ²¸1Ýìm
+ÄŸ½¢SSñ0»F‹Çx‰òÐM?ÄMÝ¡WÐ
+w9U^?„ÿÓCÐiÍ\‚ÙI“/Å)HÉĘ3Ç“’)¯”ªûü'ä–‚ºÁ°â+"ûæizŽŸ3Jä}.›¼ÚQH¯¥!(ê6œž¢`Àz	@S©YæéÙ­%sàe§ú[>A[Ì©îó>ºeœòo«ùûú¡Åßèùû"•‹ž^ýï.YGTbA;ø*1<þ1½Apt(&BbN>þ1f‘ÿíΧ6f¡˜6Ï¥çà™Ú!¦`6û Õø˜^V4ìo;|súÄ×e=Ë)qÌ‚ýæ	—5àL€é’&)×ÊâCx6ý²‹g²dAŒ~©qÉ,q8cèc»5‡;žIA¬§ƒû0AÜ@c´´¿>VíÅ4~òøRä¿õGàŽü³×*4±tA1RgƒÕ`3jy8˜Ÿ1)!Ø„‰ºî¡
œg[‹µS8®Yø$èiÃ"TpÏ>E_÷ZWôµendstream
 endobj
-1076 0 obj <<
+1086 0 obj <<
 /Type /Page
-/Contents 1077 0 R
-/Resources 1075 0 R
+/Contents 1087 0 R
+/Resources 1085 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
-/Annots [ 1081 0 R 1082 0 R 1090 0 R ]
+/Parent 1102 0 R
+/Annots [ 1091 0 R 1092 0 R 1100 0 R ]
 >> endobj
-1074 0 obj <<
+1084 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 1093 0 R 
+/PTEX.InfoDict 1103 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 27.00000000 27.00000000]
 /Resources <<
 /ProcSet [ /PDF ]
 /ExtGState <<
-/R4 1094 0 R
+/R4 1104 0 R
 >>>>
-/Length 1095 0 R
+/Length 1105 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -3390,12 +3414,12 @@ q
 n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãêʱ„£~Ï“a³tŒºìZDß!#Z¶ÚÂk! e'jÝ=§ _tsÙ¬ûÍ&­Nå@‚i¬ˆ3t%kÐE„\H–YZxÿ/U¥Ç™åë—Φ@±¯iWH
 þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr±ñœÓ4N.4Žæ&F°ÑTÆG%V½ Î'ÌØR5¬BÔ‹`qUžv-UÍ=ëÆåQv2ë_ ”¿­qq‚~èr¯Ú5ÌJ¼ð˜°h»P¡õ‹kÜàéÚýªå>Ò¸D°o»Îi¸CrT]¿MJ¥ ÆÖ¹’°;¿ö‹ûóZ¼¬å[Ç-œÁ¤ŸBx¿ýpü|üÈÂendstream
 endobj
-1093 0 obj
+1103 0 obj
 <<
 /Producer (AFPL Ghostscript 6.50)
 >>
 endobj
-1094 0 obj
+1104 0 obj
 <<
 /Type /ExtGState
 /Name /R4
@@ -3405,63 +3429,63 @@ endobj
 /SA true
 >>
 endobj
-1095 0 obj
+1105 0 obj
 1049
 endobj
-1081 0 obj <<
+1091 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [470.3398 484.6246 539.579 496.6843]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1082 0 obj <<
+1092 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [316.7164 472.6695 385.3363 484.7291]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1090 0 obj <<
+1100 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [304.6433 205.7899 373.3153 217.8495]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1078 0 obj <<
-/D [1076 0 R /XYZ 85.0394 794.5015 null]
+1088 0 obj <<
+/D [1086 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 130 0 obj <<
-/D [1076 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1079 0 obj <<
-/D [1076 0 R /XYZ 85.0394 582.6901 null]
->> endobj
-134 0 obj <<
-/D [1076 0 R /XYZ 85.0394 582.6901 null]
->> endobj
-1080 0 obj <<
-/D [1076 0 R /XYZ 85.0394 544.5476 null]
->> endobj
-138 0 obj <<
-/D [1076 0 R /XYZ 85.0394 327.6392 null]
+/D [1086 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1089 0 obj <<
-/D [1076 0 R /XYZ 85.0394 295.6795 null]
+/D [1086 0 R /XYZ 85.0394 582.6901 null]
+>> endobj
+134 0 obj <<
+/D [1086 0 R /XYZ 85.0394 582.6901 null]
+>> endobj
+1090 0 obj <<
+/D [1086 0 R /XYZ 85.0394 544.5476 null]
+>> endobj
+138 0 obj <<
+/D [1086 0 R /XYZ 85.0394 327.6392 null]
+>> endobj
+1099 0 obj <<
+/D [1086 0 R /XYZ 85.0394 295.6795 null]
 >> endobj
 142 0 obj <<
-/D [1076 0 R /XYZ 85.0394 119.5277 null]
->> endobj
-1091 0 obj <<
-/D [1076 0 R /XYZ 85.0394 92.1076 null]
->> endobj
-1075 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F62 1085 0 R /F63 1088 0 R /F48 975 0 R /F41 959 0 R >>
-/XObject << /Im2 1074 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1086 0 R /XYZ 85.0394 119.5277 null]
 >> endobj
 1101 0 obj <<
+/D [1086 0 R /XYZ 85.0394 92.1076 null]
+>> endobj
+1085 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F48 985 0 R /F41 969 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1111 0 obj <<
 /Length 3448      
 /Filter /FlateDecode
 >>
@@ -3483,54 +3507,54 @@ JNvE@
 fGK»dªNÒ)h*ói ¦ÅbZDß-’bË0¬?׆:d$|Â^ઈ	¹KqÅgƒ¿Sð|0@.ÄmA
[ƒy~~ýš~ v™âPf©k†¸‘*U–œr5hßf^i}k+8F5ÛìXþ0¿« A­
 üн ·ºü8Ól)øŒòU"»LY2Z
ËÉ ™ð°{Þ£Oº‚;{¤Þd‹¶ãj¥°^(€Åô&ÎíÏ*´Ðçºr&éñ…º²qvèÛ(øJa1	fÁ´WƒùFhr¹. —Æ,õ•Ŷ£¬Xó+¾7`èãšìÓóÚ=_‡*¯nO‚·@!ºêHC½˜§
}«fsLð+?€„7Œ]ß”‹¨xÕ²é`ž:!£H‘æEê!£P„Œ.¡N§‹vV»@Ã⎺.i¶ìCßþ6DCžiA°	ë‡-cÛ£¦`ÃÕ¶n˯þÚ7RÜõP©f´/wD§83Æ:ô:±øàô^2d~ôbÂ%–]qÀÈ­]<Çý—ÀŒœ^†@„qÈ°Ø×óàkŠ'9ýÂmÚÓ_LÜÏÁ‡ÁýfâjÙN
ö÷áºYúçȢώu™~«sÅxOø“4©ÓKÝml‚'TKHf85cN¯	zÝïîç·´iËW’Fæ\hø©¿³o°Gc“MÏú
ì“¢ôñÊ…ä*À°Î]A“C3Ë{á©•”S©VEU_ŠX»´ž#MXP¬?%§B­„šéÅÄòÖ¸»¹Ü;ÞÏŠ¸h¨©®ž;g¢ÖðrT…CT.ÓÓGϤK=¹&u^êqK­cÁg¥„°lšâð‡\Ôʹ 6	Ámƒ¾^LÑøzÚaoúú‹;Œßð:µdßÿü+=Ú¿ò5`pøo05­h2Íÿû¿mæÿI’:Y–,Ç…2"ÌJ<‰Î8wÿ–sÎú¹<ÒÐendstream
 endobj
-1100 0 obj <<
+1110 0 obj <<
 /Type /Page
-/Contents 1101 0 R
-/Resources 1099 0 R
+/Contents 1111 0 R
+/Resources 1109 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
-/Annots [ 1104 0 R 1105 0 R ]
+/Parent 1102 0 R
+/Annots [ 1114 0 R 1115 0 R ]
 >> endobj
-1104 0 obj <<
+1114 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [464.1993 465.6151 511.2325 477.6747]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1105 0 obj <<
+1115 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 454.6761 105.4 465.7196]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1102 0 obj <<
-/D [1100 0 R /XYZ 56.6929 794.5015 null]
+1112 0 obj <<
+/D [1110 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 146 0 obj <<
-/D [1100 0 R /XYZ 56.6929 531.1808 null]
+/D [1110 0 R /XYZ 56.6929 531.1808 null]
 >> endobj
-1103 0 obj <<
-/D [1100 0 R /XYZ 56.6929 497.8268 null]
+1113 0 obj <<
+/D [1110 0 R /XYZ 56.6929 497.8268 null]
 >> endobj
 150 0 obj <<
-/D [1100 0 R /XYZ 56.6929 342.6181 null]
+/D [1110 0 R /XYZ 56.6929 342.6181 null]
 >> endobj
-1106 0 obj <<
-/D [1100 0 R /XYZ 56.6929 307.0547 null]
+1116 0 obj <<
+/D [1110 0 R /XYZ 56.6929 307.0547 null]
 >> endobj
 154 0 obj <<
-/D [1100 0 R /XYZ 56.6929 119.358 null]
+/D [1110 0 R /XYZ 56.6929 119.358 null]
 >> endobj
-1107 0 obj <<
-/D [1100 0 R /XYZ 56.6929 92.1345 null]
+1117 0 obj <<
+/D [1110 0 R /XYZ 56.6929 92.1345 null]
 >> endobj
-1099 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F55 1060 0 R /F48 975 0 R /F39 917 0 R >>
+1109 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F55 1070 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1111 0 obj <<
+1121 0 obj <<
 /Length 3046      
 /Filter /FlateDecode
 >>
@@ -3550,29 +3574,29 @@ H8
 ~'sd_èc\Ñgbe8ÓÚ¤ã*;O£
 ~Èø­ÁD0cJ‹Õ–Z~>¶ôú/×ÌÀ8SÿóÏeò¥›ÌqÒ0OþûK¯S¾%8@ïƒê½k,,ª]»xß,6å¾<Ž2¡f‡àÇ©RL3ü!å„TàÏ)üïþ½fﶨN9‘¤(É	ºMGÞBiTøaç1éÿÆv–endstream
 endobj
-1110 0 obj <<
+1120 0 obj <<
 /Type /Page
-/Contents 1111 0 R
-/Resources 1109 0 R
+/Contents 1121 0 R
+/Resources 1119 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
-/Annots [ 1113 0 R ]
+/Parent 1102 0 R
+/Annots [ 1123 0 R ]
 >> endobj
-1113 0 obj <<
+1123 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [417.8476 169.1947 466.5943 181.2543]
 /Subtype /Link
 /A << /S /GoTo /D (sample_configuration) >>
 >> endobj
-1112 0 obj <<
-/D [1110 0 R /XYZ 85.0394 794.5015 null]
+1122 0 obj <<
+/D [1120 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1109 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R /F14 757 0 R >>
+1119 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1116 0 obj <<
+1126 0 obj <<
 /Length 776       
 /Filter /FlateDecode
 >>
@@ -3581,21 +3605,21 @@ xÚ½WMs
 f[¦¿#ž¯³ÔZ_së2³®(£˜õÂ\â{žêâ)Ô<Ú\'T®£$Éî­œE)_Q&ÏΡÓLQ@ÅéÜé®>ÉŸT\›Êåó Œòœ­ã\înn){¬pÅ1å¼?lôŠ¹N%í|Ú.ï‚€0ß2.×a—¶&C ôAÿ!ɪ¦N_MÕ㾚n„XTAþˆJè’(ÏK‹=¾Î)ô¡ôâl³×”£ØBš?^·bi³\­ ½Ý
2¨‹e¦„Ä6ª“„åë;ZW,Knóº…j·×òVƒöI¸ÛUû_ÂCÿêžYÚR¼”é•O"Å]WX§
 üVU”¡´i7DÁín-ñRcí¡	Èâ›¶Ú++ŒÞáÕò¾î4°ò¹s÷¢¾î­#L?¬—vï]‰Åo"V׸¯úxE¥þWÖäÃJbŠÙm;Ö‰PDL‡Ž…›y=_ÃjñÚ¯¦#yp•ñ¼|ß·‡Z9‡Éuœ¥çâËO2Xk†|,Š-B@;U‚((}€š‡23Ý(M\PÌ¿šÁÖ2ÛyÌÞþÃp&€ø>®'èÕxâÇN*Pw«y¼ý/ÙTbendstream
 endobj
-1115 0 obj <<
+1125 0 obj <<
 /Type /Page
-/Contents 1116 0 R
-/Resources 1114 0 R
+/Contents 1126 0 R
+/Resources 1124 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
+/Parent 1102 0 R
 >> endobj
-1117 0 obj <<
-/D [1115 0 R /XYZ 56.6929 794.5015 null]
+1127 0 obj <<
+/D [1125 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1114 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
+1124 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1120 0 obj <<
+1130 0 obj <<
 /Length 1487      
 /Filter /FlateDecode
 >>
@@ -3609,27 +3633,27 @@ Yj
 Ö,ûdÒ$œfÅ¡.JHÙìƒé¦çëÕ±òSÛÍ`¬ÅƒñH-‡oS#PâhÃTŠÃŠv+¹†KÇ(dMˆŒ9È0×Qtø¡ÃìÊ’
¿ŸÂÃMCó3¸cTƒ¬;c¯DÙW¸ŠYf1@“¹•Ø¼:4˜] Ó>àd›Ó}ü‘¦lÌ–Þ²júª°àšºÃ‚·0N¿-͹OR{î“l§^s(.hL2P	!ƒ$õ²¯ß{6azƒ5dVPèE©ìX«ÞoÝNr	§BgPÝh‡M×,[¾Y!·ØÖŽìdãa¿‡] çnÀó§)ƒª£ä­u¯ßˆV6¦Ú
œÄÀ¯—½»›$Hõ·ÞMÊéñ½F$õ³Ä
 ZTàÔzkÑžìCh÷’#á~;0P›e©oÕz_–™¾½ýѲ>•Ž7%qnÕ5¼;à›>¼jF·“m+¬dm{ìö£ÑLìEÖ;ìžâ°	wÎ@Ã;„øŒF!´a—§1‰i[rêKž3úóÛñÝM·/Û_þÊßý¬&P"©¿ý€?€Ðë‚ÒÀýàùöç€ÇÐÿ¾Jendstream
 endobj
-1119 0 obj <<
+1129 0 obj <<
 /Type /Page
-/Contents 1120 0 R
-/Resources 1118 0 R
+/Contents 1130 0 R
+/Resources 1128 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
+/Parent 1102 0 R
 >> endobj
-1121 0 obj <<
-/D [1119 0 R /XYZ 85.0394 794.5015 null]
+1131 0 obj <<
+/D [1129 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 158 0 obj <<
-/D [1119 0 R /XYZ 85.0394 263.5848 null]
+/D [1129 0 R /XYZ 85.0394 263.5848 null]
 >> endobj
-1122 0 obj <<
-/D [1119 0 R /XYZ 85.0394 220.0831 null]
+1132 0 obj <<
+/D [1129 0 R /XYZ 85.0394 220.0831 null]
 >> endobj
-1118 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R >>
+1128 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1125 0 obj <<
+1135 0 obj <<
 /Length 2338      
 /Filter /FlateDecode
 >>
@@ -3642,57 +3666,57 @@ xÚ¥Y[w
 Ÿ¬»ìÆcYwE4n5Að½‰ÂQÂY&^¶v[³US_ðžBÄNS/LQFŒ*S™C& ôeÊH6ëzþí`è4£*7Ͳöj˜:¿|È[³¶¿{(£ø—ÎFOûÏËqHõïAéµ<°ö|D©dYw ðÿýÝãŒÉ(ÌhâsÔ9f¿™OÔ¥iŽÒ8fö×Ö98ÝCÿ’Æ_¿ÍpFÇé Bårl{"z!v $0Àn–E~Y¸TC¤1åì–ò_e?Iït{;¨îl5u˜—P]i«m];,ãvŠ¦i1V¾Çà€A&û$ðBÒ
 ÿX²$žë¦žÝ6»’Îô®ZbÉ‘óZbaLO%PzDÑ‚UMq£‡iÀˆ¡RßcÃ6ûlܯÕ®÷ ƒrßí½¼•-èDöI%9˲Î#òTA!T¨GÉŠc$õåZi@SÔ­>}‚az¢(™dÂ7uñ/±„ŠX‰tøp¦¿,¬½ò=´«wm–¦
5Èœ*¿•1jãW›¥”¡¹X÷µýó±˜è ƘuYŽ.®îFlaP-…Vˆ!‹;¿úÖ$ìr†`‡ö«0|µwÉ¢?Æ*_¯gÈÛàzÈjs¼]ÓÒË{,Ú‡·ßyô²ñh@»€IéÐþ@Hâý£ï‡öÇ_t½—	ýs•¥ÔA‚ùð•6”Ý+­k´·
îeIçPQÝ€>á$;XY0íþKm›’N¸Ýúí`©m<+øõɤd‹í¨žàéýãø©‚GÓ¤âŸóÃSüHºÄ™ÈxþXº4x’¦4±8NçÎ?t#¿û'KðG"zô1|¨yÑñÐVèL¼xè'ˆ öw‘@ÂÎþïŸ[¿/A°RF‡_RWÈ$‹í“1e/‚O'Îýï2÷Yÿ/`záendstream
 endobj
-1124 0 obj <<
+1134 0 obj <<
 /Type /Page
-/Contents 1125 0 R
-/Resources 1123 0 R
+/Contents 1135 0 R
+/Resources 1133 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1092 0 R
+/Parent 1102 0 R
 >> endobj
-1126 0 obj <<
-/D [1124 0 R /XYZ 56.6929 794.5015 null]
+1136 0 obj <<
+/D [1134 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 162 0 obj <<
-/D [1124 0 R /XYZ 56.6929 769.5949 null]
+/D [1134 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1127 0 obj <<
-/D [1124 0 R /XYZ 56.6929 749.2418 null]
+1137 0 obj <<
+/D [1134 0 R /XYZ 56.6929 749.2418 null]
 >> endobj
 166 0 obj <<
-/D [1124 0 R /XYZ 56.6929 703.0989 null]
+/D [1134 0 R /XYZ 56.6929 703.0989 null]
 >> endobj
-1128 0 obj <<
-/D [1124 0 R /XYZ 56.6929 680.1552 null]
+1138 0 obj <<
+/D [1134 0 R /XYZ 56.6929 680.1552 null]
 >> endobj
 170 0 obj <<
-/D [1124 0 R /XYZ 56.6929 533.6481 null]
+/D [1134 0 R /XYZ 56.6929 533.6481 null]
 >> endobj
-1129 0 obj <<
-/D [1124 0 R /XYZ 56.6929 510.7044 null]
+1139 0 obj <<
+/D [1134 0 R /XYZ 56.6929 510.7044 null]
 >> endobj
 174 0 obj <<
-/D [1124 0 R /XYZ 56.6929 421.9372 null]
+/D [1134 0 R /XYZ 56.6929 421.9372 null]
 >> endobj
-1130 0 obj <<
-/D [1124 0 R /XYZ 56.6929 391.3503 null]
+1140 0 obj <<
+/D [1134 0 R /XYZ 56.6929 391.3503 null]
 >> endobj
 178 0 obj <<
-/D [1124 0 R /XYZ 56.6929 345.2074 null]
+/D [1134 0 R /XYZ 56.6929 345.2074 null]
 >> endobj
-1131 0 obj <<
-/D [1124 0 R /XYZ 56.6929 317.2705 null]
+1141 0 obj <<
+/D [1134 0 R /XYZ 56.6929 317.2705 null]
 >> endobj
 182 0 obj <<
-/D [1124 0 R /XYZ 56.6929 120.3964 null]
+/D [1134 0 R /XYZ 56.6929 120.3964 null]
 >> endobj
-1132 0 obj <<
-/D [1124 0 R /XYZ 56.6929 92.4595 null]
+1142 0 obj <<
+/D [1134 0 R /XYZ 56.6929 92.4595 null]
 >> endobj
-1123 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R /F48 975 0 R /F41 959 0 R >>
+1133 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1135 0 obj <<
+1145 0 obj <<
 /Length 3003      
 /Filter /FlateDecode
 >>
@@ -3700,56 +3724,56 @@ stream
 xÚ¥Z[sܶ~ׯط®f¼®¼4O²-ÇNb'•7é$y –”–1—T–\Ëj§ÿ½ç.¹¢¬v:š€ƒààÃÁ¹€«
 þô"õ‘²™[$™‹¼Ò~±Ù©Å-ô}w¦…g˜Vc®—ë³oÞØd‘EYlâÅúf4W©4Õ‹uñëòÕÛ‹Ÿ×—Wç+ãÕÒEç+«åÅë¿Ÿk­—^]¾æ®×>råÍåÅyâ–ë_®.‘¢2àsQ,#×?\þãü÷õ÷g—ëA¾ñ´²(ÜŸg¿þ®låû3Ù,õ‹{h¨Hg™YìÎœ·‘wÖJ}öñìoÄ£^:‡‰·iäS“Ì€âô(.‰â$aPºrÿ¹ÜŸ¯b¥–DˆLd¹õ/ÜÜBë(óÞ,V¡‚ƒ>•]`¢bÛv½^á1åÛKãW'ðªÜùÍcGò©Åʪ(I^äý¡î«»ºä“L–4IºÜåLº–®»ý¹N—eW6ý ¤~y}蹫mjaî·%ÿM)³ï¤¿ê¸ËRE[ʈ¦í™kÓ6}^5LÍY®+7<¸ïH¦xÙµ„‡š"Yõ¬j¼)¨Ð¦ ¤¡Ì¹¸o÷u±â)ó"¿®…
wS—Ñ0u¥–g~wÃÛlq9›‚2ÚÌ9YgŒp¬í9!YðÊ®ËoK¦õÛ¼çZ€-ç&Ëúç¡ì¨¾=‘…ƒäŽ§4Y㾪k®]KwWÝ6ezû­¬°•Ý]¹©à!%´ôJù©‚JÑÕf€2pߌŸGJÅ™.N¥üÈɲJ@E¶z×6)(‡í &ðÎO8‚ZŒ9eãȵ
ÝùNj“Í-VÎ4³z¢!|YºjWÕù^}Þ—;¸IÜÜ:©‘PŽ.@QçéØ¥#üÌ~:òIš	×_:žnžÝíaŸ÷UÛ0‘=Ô½¢ÍÏ,¬aaŸ=wn³ëŽÔVÐL¼i÷3ËÄ>ŠQžÙž‹œ–¡£$¼o9ÆÝûxj¦gN#f@bû?m[ÔÞèÁÆH¢£Ø*°×àU´—ƒ¼àV"¾Ò
 ,ûúã»ïX”JQí—y”òb³q¹þ
-Lã¾­çM½‰#GÓ¿|÷}oª—y]·÷tfùîg¡Ï…@@RSpeŸ7Œð3ÀZTUO¬1M…Ž‹W?r¥(±»©PÍdœ9àr”×:
'AŸIÊói7F8À±„offJÀ9é‡3Þ?ÌÍ’E61a±?ffÓH‚ZÝM¹Ÿ™NÐèÌ}ež•óàq¸0<Ü`æf„°&	Vñvæ`!²ÐƒhÚ¡õ6ø×Ø/·9UXÙp­üÒƒ»¡ó:P ÜLå¢Ôݵ49„jd‘vݒφ!ŸHKvßê"¬È}E	~¼,f‘ÑQ’éä±Ë Õž<³ú=6´Mpùî.xîö&ø‡™ÕS÷’d¢nãC™,›(UNÏ‚Þ8ù‘¿ò“Èp¥ŒÒé4›¬;÷†¯Æ}O…v£èî>Üw¨M¾«6ÜàUOýä¬K°4Ûa¬tsâ™Ðû¼{ì?¯&!Öp¶ E`ùÍ7g24ÃÍzF<å>ÄS8åà”áÇ.ž(ËDz<Í*´‚ \9¿ptѨã{îÜß.¸r5JþÕx%ÁÏËlÄí`¤ÁLGî‘Hqe)ø ñ
+Lã¾­çM½‰#GÓ¿|÷}oª—y]·÷tfùîg¡Ï…@@RSpeŸ7Œð3ÀZTUO¬1M…Ž‹W?r¥(±»©PÍdœ9àr”×:
'AŸIÊói7F8À±„offJÀ9é‡3Þ?ÌÍ’E61a±?ffÓH‚ZÝM¹Ÿ™NÐèÌ}ež•óàq¸0<Ü`æf„°&	Vñvæ`!²ÐƒhÚ¡õ6ø×Ø/·9UXÙp­üÒƒ»¡ó:P ÜLå¢Ôݵ49„jd‘vݒφ!ŸHKvßê"¬È}E	~¼,f‘ÑQ’éä±Ë Õž<³ú=6´Mpùî.xîö&ø‡™ÕS÷’d¢nãC™,›(UNÏ‚Þ8ù‘¿ò“Èp¥ŒÒé4›¬;÷†¯Æ}O…v£èî>Üw¨M¾«6ÜàUOýä¬K°4Ûa¬tsâ™Ðû¼{ì?¯&!Öp¶ E`ùÍ7g24ÃÍzF<å>ÄS8åà”áÇ.ž(ËDz<Í*´‚ \9¿ptѨã{îÜß.¸r5JþÕx%ÁÏËlÄí`¤#0jî‘Hqe)ø ñ
 2“ë9A¹€˜‚®w|@EÕm]7ÈÖžû®åƒBc[~©0T~|‚Úƒ¥6&XjÖ¶Õ][W›‡¹+†׆û8Ió.ÔB•XºLäBãÁ…ÆâB/÷ûvß=ïÙœéD¢®]kÕÜ2¶¯ã`2(7ÔGA´6yÃÌâH!µâr‰8´„,0¯¹Qîy¹=Úl“¥˜KPGþä:2[Ç«Htº¹Ç‘MÛ¬¦iÞƒÃ}Ÿ‡MIO!ÇÁd4Ðßütõþòꊂ²ì(¯€ö ¿„q@’Ø܈é‡Rҳö"s¶ée:
 p2	gP9€·‚l’ã7“æ‰Ifý¤LS™`_†2‹&‡d:i(wp¦±1
 nÕQp÷#Á‡0ÞH%d( êUO&ÔŒcnZ»ÉÚ0WSŒ$7<³Ï™DfjÁå*¡™Xûã1?‘Ê®¬¡ÌVk’±²`GØ2Öñ#Ñè‘ÂÒ‘ë舯áòÐ|jÚû†G…t
 ·N2M¤“:ÆJB–a"YfFñ9‡³VË”P‘íY5Š†>h577mQ2[Wö2EËåË‹×ø6ÅéQA(s–С9 õ­âÑz„ 4ŽÈŸRˆ¼?k¨Xò«yMAÝ'$}Îë
 M1âlÄ´#ýg"8+~@Ê€3QE0ZP&‘mi„¬J&ÈB§ «BvfS„³óˆ3Ìqƒ v1äB Šµ1Äîx/±~ñqôbhÈNœç^ØPµ“®öÐwU7\ò~‘ƒ+Ú$¢L	a³ÇVJ¬Ô²VdÍXëð5^Rš¥²1Ä@CMXåÕl!°P×ïÞ_¾àÖÉ
 ²y¨®· èÌQq ¸€
äÄ‚Þâ8Á২Xt+S¾*a.ŠB»îæP“õ„yà@%Ѥ<¦áǨ	§Ëã¼Î¢OÔqy9xz’ÒX3{C·w"®ghÅïahâÞ²Ÿâ?­ÑÜ^ü²~Â%¯Ø­¡™>€DM_mà*8Û(ÒÁ×ÁØH´‚yCYG8!¾	Oã'AgÀ`Ùé¹ìIöë]ˆÌØ5:v<ðÙló¦êvLåè pþæC¾Û²)ÑKR¼„,âзùÈÇÙÑKmˆú{ÎG¡³¿o™ŠÁ=e°JcT6QFñŠâ(ŠïÃN¦§cvpFåÀ“¡r̤øÒ!Åx+€S«á=AÔf$ÿzóÀ-&ÏV-Ë2Iu2yÿ†R°"LP =È;ºîçšbŠ-/5À“É˜Ñb,ÜñÉÊp’¦oo±Jñ›H–NmN¸ÀG¨Ð½7Áf«åkHî4¿Ú—«·e]ïè:†M Kùuâ¶"¶ô,Jï‚XÇCzH«AVFåŸeíœ	ó" ƒÊ×£=ÑRº^yÝoÛÃ-JgÑWlǹ!t8Pò­´src7Ém9ÜÀrúBÃ(Æ·ü0Å?á`øJ“·[oçò#«“ÈeCÆóôUõøjÀL£$…W’°ÓÒ÷&"!ôJQ MÁ‰…¶öQB|^‚¿á6ãä}‘ÒJl5ìÑJe²“Èú‰›g -O”ÑÏîÝ©ÄOÌ”¤'Ù‰‘IOŒLn*ÔØ»ùšeøS”0µ2xx06ø¬®²xz…¦ïÃǯk
-Nï/Ëâb÷ìöb†óg)齦;ù"qž~ƒk)ʺìÉ1䇆ïb!yÏÅç„OaÛ\xE‘?Wí¡O=ƒ¡’'mlÇ~úac^¥Š>¶?gPåÝœF[Ïö’J|3f{‰MJb¡¹©+º|X'Sê³cØ؉ÖäžFcäTün‹Rÿ•üvòÀLóâ•€,±>ÈŠž?VòEôiäãøÄQåw²ý»}E€`ÐâÉÇ+Ù½åì’)3ËÕ8ä¥Ç…cv·òZó}õP}eÀ*B4ƒŽÀ:zÛÃÞª— ÛðË MÀ±˜0‡p59~•eñfc‘ÉÄ“·@C]à|d¤U*_" WàP)§¸a/¾VÓcJ¼¼¸éɈ)L#Én@-ø°ü€rÍ>Þå{ˆjª»œ<,²²¾²oÔªá|{âG	ÖGøK‚™‡:5¼_ýß?X8þBÃ%‘MS3ÿâž'JM–¡^ãO%~ÙðXôÿ=É{endstream
+Nï/Ëâb÷ìöb†óg)齦;ù"qž~ƒk)ʺìÉ1䇆ïb!yÏÅç„OaÛ\xE‘?Wí¡O=ƒ¡’'mlÇ~úac^¥Š>¶?gPåÝœF[Ïö’J|3f{‰MJb¡¹©+º|X'Sê³cØ؉ÖäžFcäTün‹Rÿ•üvòÀLóâ•€,±>ÈŠž?VòEôiäãøÄQåw²ý»}E€`ÐâÉÇ+Ù½åì’)3ËÕ8ä¥Ç…cv·òZó}õP}eÀ*B4ƒŽÀ:zÛÃÞª— ÛðË MÀ±˜0‡p59~•eñfc‘ÉÄ“·@C]à|d¤U*_" WàP)§¸a/¾VÓcJ¼¼¸éɈ)L#Én@-ø°ü€rÍ>Þå{ˆjª»œ<,²²¾²oÔªá|{âG	ÖGøK‚™‡:5¼_ýß?X8þBÃ%‘MS3ÿâž'JM–¡^ãO%~ÙðXôÿ5eÉ}endstream
 endobj
-1134 0 obj <<
+1144 0 obj <<
 /Type /Page
-/Contents 1135 0 R
-/Resources 1133 0 R
+/Contents 1145 0 R
+/Resources 1143 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1141 0 R
-/Annots [ 1138 0 R ]
+/Parent 1151 0 R
+/Annots [ 1148 0 R ]
 >> endobj
-1138 0 obj <<
+1148 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [101.3082 428.2743 169.9802 440.1745]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1136 0 obj <<
-/D [1134 0 R /XYZ 85.0394 794.5015 null]
+1146 0 obj <<
+/D [1144 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 186 0 obj <<
-/D [1134 0 R /XYZ 85.0394 599.3467 null]
+/D [1144 0 R /XYZ 85.0394 599.3467 null]
 >> endobj
-1137 0 obj <<
-/D [1134 0 R /XYZ 85.0394 570.7212 null]
+1147 0 obj <<
+/D [1144 0 R /XYZ 85.0394 570.7212 null]
 >> endobj
 190 0 obj <<
-/D [1134 0 R /XYZ 85.0394 411.9765 null]
+/D [1144 0 R /XYZ 85.0394 411.9765 null]
 >> endobj
-1139 0 obj <<
-/D [1134 0 R /XYZ 85.0394 386.1565 null]
+1149 0 obj <<
+/D [1144 0 R /XYZ 85.0394 386.1565 null]
 >> endobj
 194 0 obj <<
-/D [1134 0 R /XYZ 85.0394 219.8396 null]
+/D [1144 0 R /XYZ 85.0394 219.8396 null]
 >> endobj
-1140 0 obj <<
-/D [1134 0 R /XYZ 85.0394 186.413 null]
+1150 0 obj <<
+/D [1144 0 R /XYZ 85.0394 186.413 null]
 >> endobj
-1133 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F39 917 0 R /F21 730 0 R /F14 757 0 R >>
+1143 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F39 927 0 R /F21 738 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1144 0 obj <<
+1154 0 obj <<
 /Length 3066      
 /Filter /FlateDecode
 >>
@@ -3774,166 +3798,170 @@ O
 H³*è7Èîˆkúí˜ÀÜÎçÝh"g4ó“"ô2cb’V9+CwpyV„¦ÃMµqä:¾”‡-˜1ŸLE”CCÆù8•ë{!ô÷2V‰Žðç?FE©IãÑ¥kÙ‹°ÃÝmL•VeêõQ$h “ÿí­æuôÙOÚa÷tMb’±5€­—¡uÙ,P™$S Bñøé×—…HÁ>žQæ—ËðÑÙ	L€ŠËÑò<‘&‹²D$þ>ôeÏÓ‚¾dy£ð}-JÚÓÖ\5á~-ýŽ€ž¦ŸŒ0ßÅÜT“ž^÷)‡K|"¦:=ëí'ƒŽ/bfà>j¾ÙPd&BÎ)7[”žè×üüíÂgcú¨#­Ó3ƒŒ/efl¥,ÕèûR¹·ÎøÊI\щ‘¯³ûÁ]óá,šf}€|9œ.P¡¤ï¦÷vÔ½Žwd,pe‰¿êlÁ˱&ô@ƒl¸š+ž0EF/}ÖW:Âoñ3áEè&þïOþÇ¿uH²HÏÍ}¢ÄÀ",”ûþ˜žIîÿ6à\ôÿRw²Hendstream
 endobj
-1143 0 obj <<
-/Type /Page
-/Contents 1144 0 R
-/Resources 1142 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1141 0 R
->> endobj
-1145 0 obj <<
-/D [1143 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-198 0 obj <<
-/D [1143 0 R /XYZ 56.6929 714.3337 null]
->> endobj
-1146 0 obj <<
-/D [1143 0 R /XYZ 56.6929 679.6003 null]
->> endobj
-202 0 obj <<
-/D [1143 0 R /XYZ 56.6929 548.3115 null]
->> endobj
-1147 0 obj <<
-/D [1143 0 R /XYZ 56.6929 514.8119 null]
->> endobj
-206 0 obj <<
-/D [1143 0 R /XYZ 56.6929 311.7264 null]
->> endobj
-1148 0 obj <<
-/D [1143 0 R /XYZ 56.6929 283.0279 null]
->> endobj
-1142 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R /F41 959 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1151 0 obj <<
-/Length 3156      
-/Filter /FlateDecode
->>
-stream
-xÚ¥kWÛ:ò;¿‚sÏžsö1–å—ö[x´ZZ’@¡wïÇvƒÁv€°~g4’±ƒi»g$F£Ñ¼GíšðÇv}Ç0¹°w=aŽÉœÝ0Û1w°öq‡)œ¡F¶±¦;û¸·+áZîîtÞ¢å¦ï³Ýiô×àðÓèÛôx¼7´s`{CÇ5££«=ÆØ`t~x|DKGçš|8íyö`z9>ŽÃaŸ¯vÚäøpïïééÎñ´á°}frdï~篿ÍÝ.sºc\øÎî#|˜ÂÚÍvl‡ŽÍ¹†¤;“‹†`kUní“ŠÃ}Ãñ-¯G,ï‹#—ÊeºŒñ€ÊZ¨L6w} 8Q^Uq8¼‹7ó²ÈÒ`§jO›¼ða3½gUî1P,Ê qzÞ ©h\WqD³º q×4	h€sh²
-’’fs¢–uðÂr³Ò4–ĈiŒb®Žš­“TŸºŒ_Ž[ìóîù.ÎP³%/ðoÓ´Ò¸usfNꊬb]‹˜¦‰UI–¤AIÀP8™ox·^Ésç=’t]`”M؆âÔç«0CAƒµú†Ü7«õ,MBšá
-glP-‹5^¡3…™äU\Öq¤¿P„ˆ[kRÏE®f$µ}£7„é:JòÅË.y»}a°.ƒ›×WP²Þº§å®¹›mÓ)ë
-Ox-I§®P[þqr~øùò踇öÐ6MCx¦¯µJQ ªƒ:Îâ¼®Œ†z£õ9rÇ`®K6€în9˜$‹\ÞZjy©làÊêõé@DzáËñîdÌõD×(*8湟¨çA„èu¯–1*÷"KTæ¹ÈiЀä•Q	×à°Ð±©Q¾éQ©eA,µ´Q¢‰Û¾fb‘ïñJ§&„EIÎY­Š&šÖT-oP¬ê¤ÈeTj‹Ò‡­±-™Ø+}nã;pô©}ƒŽSËÚ‚9šù‡$ÂpÃl»pE‘ËkZP…¬²¤ªÁ‹²¢ÕǤ^ÒjékqÓ°m_	ô‰gÇ7U¼m(=¯)”¬è&%¶U2é’¸k•&¤<Ûùiv°vúë8šéƒƒš$	‘
-C_t͹²ÞLS ÇRŸU‘äu7®½a½?¯Á¹ªÁ‹Mb±.›J|—qYýF
¾'¬2aq`QFçžö‚žhJ0éà}å7,Ötºµ"ÚR ®”ÍA€H.íðßR
ÍÆûu\ÉZ ­v—±ì”+A«Á…Ï0M°—yßsÎ,P¡mwÛ‹ÎÍ;ý÷…Á]›w½'[Wu·ª çlitÓ4ÉhÄzÛI£q•^25(ÑÖ‡6·•Àu¹îOÔe®c[¿V—ËEG]@ô!H“ˆ¬žžWhFr©%~X*à%-TdlX ¸âÅÿ·º:fXÂb¿)wèõ¡«zUôo7Š³¶EÅ?„Ъ¾e¬­ƒK±ê²ÇGûö»n40¸=‘º9ݬa`²ÕˆT7ÿWËwt·-›ÒS–ÉL3¨f.+ºH5ôvJ>«ºÈu“ý¢"\gòUJ› <·Ó@]æir'_£¹
-Š–g|L/žh &i!*d

zdd£d¾!`·G$X‘^Z‘"+‹yXR]-,*ÝŒz˜ëbhÑ*yPXúÉV£‚@ÈF'Ì’g½ý"ÑzÙ–Û«€L©­Õ}eÂhN:°ÜV™äâO
-Í ¨‚Ì›TKz†áLöŒ=6ج’0H黽ý5T†³´(îhVY:—NK=Œ Ùæ!ÅèËH'˜³¸;XbˆÊi8)i|1?ΗW~XQ¯üÜ%µá„’0LÈ_ŠZþXå«~	ÈÚÖÔ<’FSóÈÓ×uER›*±²òäYÉE.4Îâ>chBÖˆ\ÈF\S÷—ŽÐ/).V‡`ÙBPöé6=°À–­V0¼ÝÆ„„̘Õ*ã6_qPPuMWO+Å¢n4Ý—(Ôs±eü¢AB°±ù©Ö¸j©¶‚–&Ì~]¸â³WSÅ‘
-Šɲµ´ÛT²ø>§z,©b˜+¤¥bF›¸ÞÆ–£	ÅH+dÙÖ%õ¦Y¦_¡,Ë€¦{+e´;èæyÒè©m°'ƒ/Óv_kùõyŒíAQlB#¯Öy_.9Ø4c5<›;ráŸrAóÓZ'‘ì™ú­Ï‘ýïÙ®è¶àûúÆŽá@ÕÕþÆDÙr<šðÎðÇÁùýX~ÿÂòÃùé»ÃëÈ,¯®77Y1«½êøx~ÆÃt<ûLeÃŽ¯/žùò$Éõô©üx÷tú½ø±vO¼oϧëýc±x²/ÙóÇѧôú,:¶ŸoNVãeŸ‰gùCxh]ŠìÇò.º\Eìª*ö?¢ÛóØÿœ}Ióçþ¼±®7}Ûí»ôû×ÑÑôÛóäAÄAvë_1ÿÛ§·Ÿƒ«úæán?Í£ÕíÍ¢/¶-çïÜùqZfŸï¢à™ÄòåÂúz˜Ç>óŽ>Øw9ÞŸÅGŸ6«>œäûôúû$q¯³âôó죘„÷¡—zæÙÑ}úp=æ_öÓËË«ñì®×GìäÛé$‰²3þcs˜¦Kûzr6»÷mgr¶?-òÇKç6ž©ïûn຋³"º¸}÷%Yl4¿¼Š½µߟ§ŸAn÷éÓÑòéæâÂ2?\ô.¼É»Ïg—ÓÕExoyco4åûWÎr|ñ4	OÎïÃgûöæþÇ‘5¿xëÿ¸càÿ=¿ú›Í“Éÿý?/ÿV~Ç}ßêÿ÷ŽïL–ð4SxEËÛæ¼ùg„׬ÿ„Öyendstream
-endobj
-1150 0 obj <<
-/Type /Page
-/Contents 1151 0 R
-/Resources 1149 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1141 0 R
->> endobj
-1152 0 obj <<
-/D [1150 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-210 0 obj <<
-/D [1150 0 R /XYZ 85.0394 702.3889 null]
->> endobj
 1153 0 obj <<
-/D [1150 0 R /XYZ 85.0394 672.41 null]
->> endobj
-214 0 obj <<
-/D [1150 0 R /XYZ 85.0394 478.1291 null]
->> endobj
-1154 0 obj <<
-/D [1150 0 R /XYZ 85.0394 450.8002 null]
->> endobj
-1149 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1157 0 obj <<
-/Length 1905      
-/Filter /FlateDecode
->>
-stream
-xÚ¥WY“«º~Ÿ_AÝ—Ø™XÖ‚XêT¼÷Ǿ¹Ø`ÀƒÁ¼¦òß#Ì0s9¹©:å*«Q·º¿nuK-$@öC•€¤bUUPˆ¨°=æ½@ÄðNO¿ÿƒ9Ó{‚€¨
-®ì¤ªX8<‰”*’͸Oó§é‡Â7YZ&.‹ˆraADbÌ•©
-$‚Iúm¶M­á.`cV7Ǽ†£Ç[›üö#vi•I¨`TÅdY5áQ Ê2ã  ‹„3þž0,ºXÈ1úæ½\‘ ,íü€þ9#K÷œ‡9¾÷·ðCêªÿxøž™èÅDK
-L¦XrócK@Ä2¤ÂQñ|0oúáèš`ë7‚©Ì	Âʇßj×V­¦ß&Ãíß`g3}—æº.ù­æÛs§C‰»L¾¤dfpb†ö7¶¶–h­×f‡‰ÝZ¯M²RÕ:Ÿä˺úHï«Úë…Ñj–÷çÞúq¡»8FWkß¾Ú‹9¢Tél¾®JS¼×_l6cm;TŽ×7w[Îñ›/¯‡}g,Š¢5(²õ^/ú‹]õÐ;—ÝuÕ©ÖMŒÛ^Ã
¯ß;¢qÑ*K¼_cui¹Ãwy¿Ù-	±ý‹hÓö@ž!Ô¦‹G}Cá-R\Ë»k‹Nˆ"Ò»6VÔƩÈÖËíP{]O0t,͹9^
¶õVí[m£ºqΗÂUâ©×¸gÇìœßÏ+Ò߆µíìùæèØë.&—Cª_Δú²j/ÇøâÍšívväæ¬\³¹‰ª~‘-4Ö¦P­Áf5ó™¼hÈÏŠ†þ¬hè_M`^Ì 4?p%”ɨ@¾Bh¾B¬‚eúÕ)â#	ƒî¨Rk6g“µ´¿ª•éØ›‹7¯ÚµÆ‹c}Ò#ßz\·šB}5s#ýe4@Êô´ö¦Óiíõ5xvŠ¶g`·5oÔ>’Ž¿œÝG?è½®ÉÃ*ÌÑ;Y^Gšô¾ö¥-ŒÂÇê´‰.[ûP(6æð>îJuk^ŸWkãᮆz‘æn¯½‡¢q÷û]ûa¬ïS¼YMƒý½Hx*êÐmÈú؇÷U¿ÓY™³Ëä¶/‚ѾŒ“5îµOϗм´¡ôX>£[a4V=[
Ýw@í¸v¬Û`ÒÆ—7­H¸Yyƒ·ç&ÑÈb wz«NÏ®­›tPƒª¯—ý|®{³ÙXÜ—«à2Y›áºPswv±›MŠçýËÆ6M­·8H-û½ð¼G£žTi:{WöU§«8›û–MË~dzò·•Œ¯–ôfùw"!Ê@ÁðÛ¥(‚axahn+¦§oÜ´àîføãˆ^t×1’ûì›x¥Ð.G]ÔI°ªŒåÕÿ«•@¨*‹[	TfJEˆ®‹¯ƒLWJf+¾ªúlĘ@
-s'ë8XWñŽ a@d$	˜T…Râì(ö5‘T•X‹÷&P‚òDbÌ‚†JûÇ¥Ö÷È0UPƲ€‘D*I±iáÄN5(ª*áB9:ñõ3ÉDµ{ÀBÓg	9§2Å•¼æÄ)Ö[}¶Q¬©dRÌ>LJT¸OqƒRÁ²Zòwñ¨”";x/cX2ã¿{ÈY®F¦Á¹Ž—‰;!Ÿ1Ë–xsÂYzjº”1-ʼnÅa"ÒR×ãóG]	",EÎöì2š5©ÿø"ðýˆOåà¤RT“(HèœÑo!J*ÀŠªi(¿žWqSUb‰õÙïþZÖçS•mœ‚I>Uÿüf@Ì)¢p×—¶G+O†˜Î—vüÄüt0ø‡î%Û› Œvþ˜[FIÈÙäÖ÷þ!¶Î	Ó4âÝ"8Ý-¶šO‡¾Ënx>su\7ÏÛ›Û(³tψðÊnaÇÍÞt¡cyÜ&KvX¥(øwÜH„œ¼ÚÎÖæäNw\NE>Ó(˜©îo¼ˆe×ÏÙ#‹ÒÒëKüzªu_õqß±uÓ‹>Ža¬„!?%gfxd§x‚OKýΉB¹66“¡KùqïuعD…)ÉP%}·ò'ìÙ¿ü^ÑV°endstream
-endobj
-1156 0 obj <<
 /Type /Page
-/Contents 1157 0 R
-/Resources 1155 0 R
+/Contents 1154 0 R
+/Resources 1152 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1141 0 R
->> endobj
-1158 0 obj <<
-/D [1156 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1151 0 R
 >> endobj
 1155 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F62 1085 0 R >>
-/XObject << /Im2 1074 0 R >>
+/D [1153 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+198 0 obj <<
+/D [1153 0 R /XYZ 56.6929 714.3337 null]
+>> endobj
+1156 0 obj <<
+/D [1153 0 R /XYZ 56.6929 679.6003 null]
+>> endobj
+202 0 obj <<
+/D [1153 0 R /XYZ 56.6929 548.3115 null]
+>> endobj
+1157 0 obj <<
+/D [1153 0 R /XYZ 56.6929 514.8119 null]
+>> endobj
+206 0 obj <<
+/D [1153 0 R /XYZ 56.6929 311.7264 null]
+>> endobj
+1158 0 obj <<
+/D [1153 0 R /XYZ 56.6929 283.0279 null]
+>> endobj
+1152 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1161 0 obj <<
-/Length 2842      
+/Length 3191      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ6òÝ¿B÷@ÍX>LŸÜÄiÝé9>Ûé=4} EÊfC‘
-IYçþúÛÅ$ÑigÏ`±Øï]PbÆáOÌR͸ÊâY’ÅLs¡gËõŸ=ÂÞOgÂá,<Ò"ÄúñþìÍ•Ì2–if÷«€VÊxšŠÙ}ñ{ôîç‹›ûËÛùBjÅl¾Ð†Gï›!¢‹ëw—ïiëýõ./æIݺ½„!Wp.s'¯n~3„w÷éææãí\%Ñ=-\]ÓøãÕµ£™Íÿ¸ÿåìò~”$”Vp…b|=ûý>+@è_Î8SYªg;˜p&²LÎÖg±VLÇJù•úìîì?#Á`×ÒÞˆ<1ŵøG×
-ɲLÇÓ×òÙB$	ãI¿NŒr æÀñÈ!±½yu&™Ùh]©fB°Lk‰æÍ8KX5ÑLnȼרb‹™1mbˆ‚3­$°n1>ÎF ŒŒ.
4c¬c˜ˆ3«ÀÙ×™`<Î2EHleÝ+Á.¼¹ZËÙûš2y‹²ÊÈÀe…D•Är–(Ð7¦‘åÿ>•
xÒÑðT"GÏs©£¼®Š|h;ÚëÊeYÙõ²§•Üoô›¶éÝÉU׮ݶ#ºmúê±)Úÿk.tÔ6¥¿0zÊCªqä΀­ù½]€ÝMÞ•Íp>_ÄÀKÇU¦£õ\ðhÛÛ™‰–mó™s‰œã–ÅØUÃíZ)q‰(ùÅÜ‘·÷¬"ÂgÈ$nUÍ'«¶Éëú…öërål›Å!ßä;$¶R&ºB±µŽŠÖjS#UOksÉ£‚Iá \^­^ªæ—ž«œ0FåjTy#ûù½ë»Ëwoð?Es°gÛ=Ju>¥fgš$u^€×Âa
-òªéiÖ´4¾¿£Ñ_e'«¹â‘uªôò©ªA7ž„eJ¦–«`ï›Bù¦G£'7ŠIa¤‹Ç%¸!áBÊ$WeÓµsO·ô—YáÃk…‰ª¹ˆz‚ï/·]Iš\H™à¡æà¸	£MÙÓ˜/—åf(ä‹T¸0ýægËݼDÝy—€Œ×%8†Aæ¦ܦã%ØÞÇ
-Îò¾ß®K{L/’¬#½–ƆgÖGôU€^~˜ò©jðñg¹ú#ïI/P·½_¢±ìºÖÊä0‰½äÞÓƒƒeqâäÞ?K;Y)†çé]ۮͫº,û€·ÌxlT¡ÖöÒü0ÆÎbJ%”€x§‹j	ኆ§”Ø`¹j·uA0ª÷è¼²I¬dô™k~ƒ"ÄQÕv„„vÂCÔ ”±|By¯Ä%¯"<àT„Ëû\¼ÜiÒžÍ+*†F†Ò˜U€UõFÚ#‹1åBÇæŽá5·$’Šãªg	3ʨYPп³GÀ~Dg&›-öÎ÷õ0aÛ!X"ù¾DK11S±‘a[©5gÆ$Æ*:B°.çØ>ûŽp»Ù´Ý@“ª™ì]«âÓ˜Of,5.R2º
«­-g’›¨'ê=m@™#¬ÝÍEŠnK˜IT”Xk©!¶[÷DÆ,9žjr›j²¾€”‹‚öîÅÖéÎþÈžHݶ_¶›žMùæ•ÓÌ®²¼”×}KÐÖ&j3¸*2§û`\ç_ú×mÙU~{G‰ nžBÑo 8Ó¼uëys|Ë2ßäµ£Ö¿ôC¹Þ3Ÿ²D¥Ô’}°ÉJ*Ôæ.·Œ´àD¶…&õ„õŒg6W`¡m¬º€‘ P“-Ý#—‹èöÃ;Ú†þDT” äÐ]+Ëšñ–•»ÃLÞ0Ù`¡
”«ºwZôUQÒB?z6LVVXÚ0ѦÅ]nÌaE¬ÛçÒ]¹²+¶SMÆ u|w)“@ÍÝ•ÏPÊàefóRåÛá©íª!ªçrª½ó¦HÉ©wS‰ùºb½›äT^ô5a,Õ¥Ãum9ÌI½©WØ&ЂÅwѹÄèÄ''r¯èºß•!í&¤ÝSÒÿÀrèà¶}!؉€qÓÁu+{ÌèD>Æ;æƇӑ{¾ ðÒr±eü1TtI[A¨5™[ûÀvá`‘|–û¢¢Öžvlý« l]H˜äl‡hl2)hÕ&a$ñTRòUY|twZ¦þ¡XmË»M>‘¦•DßÀí”Dv€ºõJóøȶâÊhWZÏJԸ⊨ŒÚºÜ9ÅÈÃú”[h£upž	f%¾„¥:à£(I¢öR{?štÚ{Ô[Io€2Úp6¡†!`5ÿP5y÷BxuþPÖÖV-"Çz’5Îعœotô¥iw
”+Œ£:ôC>ˆÛ]X2ð9e…‡í@«AbÒ$Œ#_@±†DÖÜô¨Eœ²tw/Ûõ¦.‡’R“>NMð(µ*ƒÃ˜'‚³³íµLôï¼±Td”o65vNÅ°B¾8ªØHïöEKSj´Ø6`¥~péØ+€½`’NàÞ÷á^?ÖnsähMá[ž;•{ê¶OˆEØökP6zŠàXRF³iLO!£›l/*´ØCµÜÖ¹wt…‘àéäo»ä:c€2(c#D›`j ì>ªJÜ–,
”Ô¢ü=U ŽÓݨ^€­z¿•é‚n\¥{®Ê›­\Ò}*Ç|Kæ±G\¢Çe	úµz><ûJtîΖåqÇ­’”¥à©ô¼Jb/K›Ý£ûVu|ñáÿÑ-H|'tQwPÎ*ßS]0èñO^1Súüé—Iõ7\œRC.˜Ë}"üH” ódêͺußJ¦›wÄŒ³à™+µ·@}\“§ª(­Ù§™¤ol0`s—w»6´aÁv¼Òµ ÚXñdMRµÝ…u3m›ºúR‰k
±j¾A¯ß”Ë
-©ì§¿L9ÿÅOp¡?OúñáûÈ5!¨y߆²€©Uð}Ô•ÿË1aŸ“Abqho´LiËÖ¿>Þ^ý„_å
1H÷“¯“§¿¿À3G
-ðᮘÓ7}œzÀ5@o‹‡ôí[1í!Ÿ°÷Q*¶¡­pQ5R
VØ'?ÀG\ªz:H¹¼zÖë
-Ea˜Pö«œ¥@‰£üw\»ÓÐH.„[Ám˜œµ¦÷Ã=øÕÒúØ…Ê×Þ¢¨±sÿâž&Ì%„WûØ©¼}»‚o~30)‹]Z9Ò/â&NÝ¡¼?ʶLÓ	B*ÉbˆÓ!§„s^Óãá)ãÚ¶¤îG$Êù›3èK?¤6Û8ÙnhÌÝæAôàBå6w'Âc‡¤Dâ?(MÅ~Šc3¸yî'}AòBpо–ª‰þ¤úæ€ïþÍuÿá0N˜JÓ×Z'nX*³Ä3e-tò‹°V)Ó©L&Xÿ?¹˜ÔÄendstream
+xÚ¥ÛVã8ò¯àÌÙs&ìtŒeù¦}ãÖ4ÐÍô$Ð
=;Nì$n|IÛtØŸß*•ä؉8»‡•KR©T÷R`û6ü±ýгl.Üý@¸–g3ošïÙûs˜;ßcjÍP/vWßì¾çÁ¾°„ïøû7³­Ð²ÃíßÄN>}¾9ϸÖÁÐóíÁÑé—ÆØàèúä씦N¯Ç¼?;:ÜÁÍíè0Lx‡}¡Ú	ËÆg'Ý\îÝ´voÁlŽìýØûó/{?†Ë\îÙ¡·ÿ¶Å„pöó=×ã–çr®1ÙÞxï–`gVn5IÅã¡å…N`‹ÃMbñ„ås˜B±Ü,¼,e¥LX.÷C k⢮“éð!YϪ2Ï¢I’©=]ò"°„ËôžeuÀÂA9¯¢Äƒ´¦qU'1AMIã¥YFø^RE
°a²à¡æã:nß|®UÌß6dn	÷téwr`!×±©p“ì+™Z„±k—Ø„oMh4_œ¿DÈÖŽE"éˉv"ìÁ¬Ä€%”Û#åõŽD©EO	
+!À˜qmËŽk§c+|È
4ÃêTí@pütA‘Y1P6ŽÃäÆ\-å_‡ó_Mªð­Ðæ®Z”ª‹ÔËdš¢1&1š	w¦†\ØV@ VZg¯åÚ¬{8WQ6Êí6G¾kƒ†rÄSUbŒFàDj#‰¦[ºÞ€ßZTÞFTx`²íðµ>Šc=•GÅ*ʲµ,v”ï+ö
éDøÀM–•OåásZæ¹L¦øîTH9CÚxP²Q]¯òvgÚ¨±¦…iAß
m†ÁC€Ã$6f4×ö,ã—†•üŒòef
+–Ì,Oø›$:Üpp¬R¾Ë&Ö÷î8™E«¬Qꊤí{:"D‰¡§E:]¸ˆµÀuœ}Œ  ˜d
+½¬ÒGÈ:-	µ¨«Úݨ­¢S²‰áQ£¬A§.7ìgœ®"·³	„3{0,iìËN¢Þ$Ó­3~Gº¼«\5ËUC°V(¨sU²ŠWÓ$þ—)Ž€~½€ñõkÉÃVªÂߨÝýf¡î²£óÂ…#‰Î‹i¢ç×ÆxXnàéàRD9†2(‡Ynèó~à˜–ÅìµÀÕ[nŸR˜jîÍñ¡Íã[u…ѳßT^xž[”'Šè¬.	êèQMÑ ŠBÉ’;ÄDÓâÚ* ³ ”Ë&-•ºÄâìqk#FlG&öZŸÛú$}G*Aß çÔ²¶`žfþ11Ü0WÅ.œQ䊆&Tá3Q,­pIJªiö)m4k.}n[®j#>ñêì¾6ÈÛu!m¡äÙ¨`E7­è°­’I—Ä}«´!å¹Þß&aû`Ï\ÀÑL5$IˆÔP†¢oνõbš9V*Æ-Ë´húqíë5Õàn[ƒsUƒŸ”šÄ|Uµ•ø8©“ª~C
~ œ2áp`QFgC{Á­@´%˜tpSyÅÁ¯ÚN·QD;ŠB$Â¥²9HÉ¥Ã:Z輻†vãURËZ0v—bÙ)g¢NƒŸÓ,Å^æá*œ9py×í·½›÷ú%
+‹ûîVËWuÓ¯*È9;]·M21…ÞnGÒj\¥×–LJ´¤õ¡Ím%—V]¾ÿ7êr-ßs×ÕåsÑS}Œ²4¦냧õš‘œêˆ¦J¸@E5¾ØøÿVWÇ,G8ìr‡^ºª¢»Qô˜³Õ(*þ!„¨†”±®.år¨Ëží{«'FÜÀžHÝŒnRÊ08ÙjF*ž+FÄ:Q»PïMá£Õ²ÚÓP)3²ôäñÅõ)aà^„¢Ú0h¤B›ÀNÄezV¨Ã³$Ò,R˜F†ªLjETLÛ´Mu.ºkÌÓ6 H§R5…xê˜Í9¶ð´:š
+¨&ñPÖ†»šðBK8mè%¾vZ¡ßVPgGó—éù
=®K¥ö9C—¦ÖÓ·ßç½¢å…Âăî2hof¬- ‡ÞÒã}o}]®Ý2ÝF0ýÀ´\¦‰,ÖÀãf„£œI0´HÈúW©Þq2aI¨G“ªi\‹¦ª6çz‹Z„z¯ê†Öeiñ@h4ÒÞ:zeœWÑJ~r#}~­·ˆp/v¯xÙZ+»”-'Q3ÍtP–Öò%Nö¼…É6 #…aøF[ƒÎ}Ñ))¨ØÌPHH´”%ø¹É-ð'I®y“AÆäg*]H(Ï”·-2ÕU96$FÇ[áEÇÿö²ýN*Õ}ÖäÅfHÇêx+£hCi{i=µ±ÝÒÞdá[yè5wDÙ¶k©Kë^¾³Â·z“\·ŽˆìíˆVM™C@ŸRIL›–
A«¥"[Ê\ˆyL#FïOðlÆúL¨6qH|÷S=Øoy
+š 7ÈåMaÏ-­q/àÿKÜëi3Nêi•N´u¤ªÏËþ¢šreˆ˜dú‹›¶l‰Ëé*—ωôìîúX=8ýÛßYú Gà*9;±0D‹Gq)»@Ðó  ŽHgkBö»{•­ËÊ(VdeSê=&•ŽºCÀŠ@É)ä…ôQ­ÒE0—„B6	òå·¤ÎkÖ¶àvR)%Ö2xG3R‚ãw
+\ª	‚rj¦´^Ðg²Ct 4°Áz‰~BßÝí»\R…€²²| ¨.ó”.!N:õ¤…dÛ'0«/*ò–t*îØ¿#@ÕûãÜÛü>3*pŸÔ†•OPd*ù3c¨^2@„ܨmmµ*i´Õª<}ÕÔÔâv©+ó¨HŸ•\ätIã$1Ct±ºçBÞØñÛ€íÛúeÀú
ÌǺ,;R”}úíë…Àf»Q8™&ýÖ„„¬Mêe4Mºx\¸Ã=bAÕ
]=«‹ú‰ÀßÄ{ÃÅÉF1‚„àbÛZ¯zxÕo­0°{½åÀ˶þ&ŠAšç+i%®­d/ðeUu‰yZ'za¡-3ÚÄõ0¶ň‹PŒÄ°Z,ò´Y·ÓÈÇrÂí–¾ûöÑ>,[†*»rÛb¾!+ÊÄÿÈSܺ{ëæPNyøÚ¿±ZË©µÿ§œÐìt&F%†I${¥~¤õdcÎ
ÛÝþ°}
+ìͯºtß_¬_ˆpZ¤MeCù‹Çà½á—ãë{÷©úú‰'³ËßNîb»úr·¾ÏËIÔgg³+>ÍF“óèæiL×Ñ/’=\þ¬Î~^~-¿­ü‹àóóåêðL̺·'ìùüèCvwŸ¹Ï÷ËÑÂd²ÑñUñ8=qnEþmñß.cö¥.?Å߯“ðcþ)+žïùóÚ¹[›‚•û}ýýèôæóóøQ$Qþ=üÂÂÏοŒ¾4÷‡Yá};Z~¿Ÿfö›?;˪üãC=“\>ýáü~RŒBœ¾w£àvt8IN?¬—&^úõæîë8õïòòòãä\Œ§?¦AØW§?²Ç»ÿt˜ÝÞ~MÓ
æìâóå8ó+þm}’e÷n|5ùžºÞøj5ý0/žn½ïÉìSóã¥ÿÉàž…ÿHaø
+»}~ú¿ÿ_có/*à
+<ó¿bp|³sD ™Â+:Á6çí?vì²þ_§*¸endstream
 endobj
 1160 0 obj <<
 /Type /Page
 /Contents 1161 0 R
 /Resources 1159 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1141 0 R
-/Annots [ 1167 0 R ]
->> endobj
-1167 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [377.8384 354.4628 436.8266 365.2472]
-/Subtype /Link
-/A << /S /GoTo /D (ipv6addresses) >>
+/Parent 1151 0 R
 >> endobj
 1162 0 obj <<
 /D [1160 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-218 0 obj <<
-/D [1160 0 R /XYZ 85.0394 568.4965 null]
+210 0 obj <<
+/D [1160 0 R /XYZ 85.0394 701.5077 null]
 >> endobj
-1166 0 obj <<
-/D [1160 0 R /XYZ 85.0394 535.842 null]
+1163 0 obj <<
+/D [1160 0 R /XYZ 85.0394 671.1418 null]
 >> endobj
-222 0 obj <<
-/D [1160 0 R /XYZ 85.0394 338.3845 null]
+214 0 obj <<
+/D [1160 0 R /XYZ 85.0394 474.6626 null]
 >> endobj
-1168 0 obj <<
-/D [1160 0 R /XYZ 85.0394 308.6213 null]
->> endobj
-226 0 obj <<
-/D [1160 0 R /XYZ 85.0394 177.2016 null]
->> endobj
-1169 0 obj <<
-/D [1160 0 R /XYZ 85.0394 147.4384 null]
+1164 0 obj <<
+/D [1160 0 R /XYZ 85.0394 446.9467 null]
 >> endobj
 1159 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F62 1085 0 R /F65 1165 0 R /F21 730 0 R /F39 917 0 R /F41 959 0 R >>
-/XObject << /Im2 1074 0 R >>
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1173 0 obj <<
+1167 0 obj <<
+/Length 1997      
+/Filter /FlateDecode
+>>
+stream
+xÚ­XÙ“²Hï¿Â˜—ÕuÄ:(Žøbl±½´uv°ðÜØÿ}
+m»?f˜Žh’¬<~™•••K€þÁ8AFrI”yŽHJæÖ~¹Lí.T{–zÕ^êoX,Éœ, ¡¤mžlI$XÒ¬ßÊ<'qj”•ÑlÖjVjP&—›ÆDkM+5Db"
e^–£fKaKT‹o­FEäËš>mÍ*¿k½—–ö@ø8…wxùíwP²h0½ÀaY"¥3}”eTÚ½ðs„ÇøÎñ_f/êÃàÓj¦Z˜8„T>¥Q[2Á¨$™0ÂY^Á釖º­½‚>·Å£,/nÚà¶Äÿ¢¸—¥ª"ð¦¦ÑR—5©‚2uYœU}]Û«æ‰S±¡áúœ¸Sõ23»£ÃÙ¼ñÛåa¥ M¡ºå\Ö¦¢5}4§¯–çÙ×Ápt{oã_~dòt—D	4—¹ÛÍþ¸[C4(øŒ›DÇ8±­Ú‡}+5€ò?21^ä$į&êÙádQè
+'ò˜dÍî(Ÿúö•YÝ„#Âãˆ#ðnFâ…Á_â‡ÔÙˆ,ör;³‹°œ–.p™cyâ3Œ5$`@,~Í}1v{ßæÌpÇ1'ˆˆŒÀìAØã—ƹÕh—ÉÐœ¢è¬Õ9¿°W¯BØRÞ«P‡CZ>‚ôÕ
é¯]m-àÊhLw·µZÙx){§u<ˆ§UýöucYvÛ+ÝjµG‹kµ·ºcàëûäìlÛgWŸAB¤Îº¨ø^__¯Çš9”öçwZÞ;•·ùnÛó<ïŠ´>^Çz_ßÔwM±sÚœ—ú«P;hú‘ô{{8.Bèð×óm,/ø!nכƎÞ?y‘Ö‰iÄY‘/MÕo¯k¢Ç—Dòàªé&¸wn.‰Û_	ÍC‘ÖÛeט¯&xŽæ]¼ fä¼×ûÃVÛª¯½ã©áè5¯Öѳ;Çãwø÷aÃœV/ž‚®>9íŠ|ÕÃëb*½.êîºOÁ¬©¹~gƒ/ÞÒ·•uR‹´àXSÜ{œ»G1°†ÿÿ‡&²OvÛŸ„cFáx(Âÿå„@Qæ0É× —6UÄuGµ†¢L'
nÔÒþÓYQÇÁŒ¿õ®3Ö÷¯“^‡Îíl2há0 ðë>]ÆÖȸ ¤Vªªù<ªzE‰¸m-µ÷¸.ÔÞ½õ£Þ|…oN‘°sÅ‹óH>V¡`‚$¾-ëädº»Â‚V›RóÖ·Ãú
+ž0l×mcÓÖq‘åØ3ÆÖ\Ç]áÕ™ÄçêreÝüåÐ(îöÚ~È[×°ßuoÖꪢõR¶×"*?x~S4ÆA<¼.ûÎÒžž&—m¡eõ}gœq¯}¨žbûÔÂmQ…—Âl,{®5»›`ÛéÙq.ƒIÞµ"J}Þ«
+Ö°>;½e§ç6V
+)ì DžŸ¶³I¼êul¥©_Ëè4YÙñªHXéNO®¢4ëŸÖ®mk=}'´ÜÂ>xMF#4É‚:ý¶u¯+yëûCs‘oýöûÕÆ^¸O¯–w«1mŽã
+ïÙ Žm³fÆÚÏÜÕŽ!ÎEO†ïYÙ}öM¼Vè—¡.š…èhBGAø¯†!ˆ8Y&|ñ0DŠÔ(ÐÛbz€ÚÊÉ»ÆWSŸ£$¨2øÇÌDç¢G`›’€8,B¡„èfˆX`›1JcÍ$eŽtÈ¢‚t£³EžIŒiÒ`Y£ÿQ¹õ=3Ô&‘XJ›–P6&–´«^–1z¢³X?s1êÝ*)!¨ôÔÝpíÙr?A:S)ê_†T
+°F:J”år¸IŸR9qsÆG²þKǪtÉ÷Ò9‹­zÁ]Ü‹Ç®`PfÃ	[2¢ÜÒ©‚H9-,Ú„1OÊÝ€ñ÷½xPN<óèSšŽÙ¿~…aÂXOpr9ª€JÔþ“ÓoÁ2‡$Y*åE@þ|]¥LdÖçÄþçªþ©TéÜ.#é¹Rþèt¾äežå…k§FÒã£'¥Ÿvúžå>Yw°Ø‹dÝ›¨%ÚìȯÀ,å”i†Áß@Î1[´­t·0Êw‹j3vúô†gœ³çûÏk[ÛLîž®w">Ó€yØ0·»âËË	˜OZ(´Yå(Ø{:HÄŒ<»žé2rcx>£’=ó,عoªÄ€RŠYMŽQÀÞgô3‘òü-ýþkt_í±Ø)aúž$Ÿm˜ÎûKð©ïiÏðI|yg\‘£“³F9wtùz:;¥Ë%²CJåãt†2|Æd€˜ºH£’1=œ¦´¼ÀÉzqL_²ED? öÞÓþQñ»/Èüç.h¶ZÑ>$yâ3o¼P6Ò)¤#_JÜóOI+Ì‚æùì”f¬‘ÜWYî(¡ÌØs:í\,ë/Ï2i³H½	3˜nx ÃOEŒà®û¥:('œíã<
+i²ÇãsíÛå˜Et¯Ó3Ý<¿Oµà%y~b½W«ý¼Ò\ã”—ÌÚ¶ƒïÕÌýÑ…ŠéxŒqÑOàqsýé>»½î±$¡â®CÛ.ÇKÔH*›º¥Ÿß¡øú¿rŒYendstream
+endobj
+1166 0 obj <<
+/Type /Page
+/Contents 1167 0 R
+/Resources 1165 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1151 0 R
+>> endobj
+1168 0 obj <<
+/D [1166 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1165 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F62 1095 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1171 0 obj <<
+/Length 2836      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿B÷@ÍX>~¸Onâ´îÜ9®í´Mh²ÙP¤BRÖ¹¿þv±É´{3‰g‚°Xì÷.(1ãð'f™f\åñ,Íc¦¹Ð³åú„Ï`ï§ápibýxwòî£Jg9Ë™ÌîV­Œñ,³»òèýÏç×w7ó…Ô<ŠÙ|¡øm.„ˆÎ¯Þ_| ­W·|¼8Ÿ§qt÷ùæV„H¸‚s¹;yyý[Bx·Ÿ¯¯?ÝÌUÝÑÂå?^^9šùüÏ»_N.îFIBiW(Æ·“?þ䳄þå„3•gz¶ƒ	g"Ïål}kÅt¬”_©OnO~	»öè”öFœ…J˜LâÿëV!YžëxúV>[ˆ4eà-·Z'U¨µ½4?Œ±³˜
+3J@<…Óeµ„pÅÃ3Jl°Ü?¶Ûº$UŽ{t
Þ
Ù$V2úÂ5¿Fâ¨j;BB;á!êÊY
+>¡¼Wâ’Wp*Âå}®ƒ	Þî4iÏæ€C#CiÌ*ÀªÈz#í‘Åǘr¡csÇðš[IÅqUó”%*Q³°¢g—€‰Î“|¶Ø·:ß×Å„´‰Ø×h)f"f*NdØWêX@÷IŠ†Ž¬Ë9v„O¾#Ün6m7Фj&»Aתø´æ“9È«•¥êÑ5hXmm9“<‰z¢ÞÓ”9ÀÚÝ\d趄™F¥ÁZK5i´Ýº'6„`ÉñPSØTõ¤\–D°w‡(¶^îìì‰Ômûu»éÙ”o^:Íì*Ë;@EÝ·mm’Ñ¡6ƒÛ¨"sºÆuñÕ¡Ûš®òÛ;J¬uóŠ~Å™æ­[/šã[–Ŧ¸¯µþ¹ÌzÏ<Ö$IÌ´ÉJ*Ôæ®°Œ•´àD¶…&ó„õœg6W`¡m¬:‡‘ P“-Ý#—‹èæã{Ú†þDTš
Pr讕€e
+MHxËÊÝ‘LÞp:e 2t媮À}UZèGφÉʪKÆ#Ú´¸+Õí€9¬èã‘uûdÜ•+»b;ÕtXÇw—JR¨¹;ó¥^f6/ÅQ±Û®Š¡z2SâxSddŠÌ»©Ä|ݱÞMrH‰ª(	ú›€0–jãp][EŽsRoæU¶	´`ñ]t.1:ñɉÜ+ºîw¦#¤½Ä´û’ô+–åÐÁmûB°㦃ëVö:˜Ñ
ˆ|Œw ÌÏNGîy *xi¹ØJü1T´¡­ T5™[ûÀvá`‘|–û²¢Öžvlý«î!l]H˜äl‡˜ØdRÒªMÂHâÑPòUy|T'-3ÿP¬6	+ºM1‘¦•DßÀ–í”Dv€²åJóø(’lÅ•ÑÎXÏJո⊨ŒÚºÜ9ÃÈÃú%·ªt¨yÀ-ÙKíýhÐiOìQo%½MÊiÃÙ„†€}Ôü}ÕÝ3áÕŽ©­9¬ZD
+5ÍŽgìŠ\ÎOtôµiw
”+Guè‡|'¶»°(dàSÊ
+÷ÛVƒÄ¤IG¾€b
!‰¬¹èQ‹8Ƹ»—ízS›ÁPjÒÇ©	¥VepóñDžÁìl{­$úOÑX*2*6›»G§bX!_UœHïöeKSj´Ø6`¥~péØ+€½`’NàÞ÷á^?ÖnsähMákNÊ=u[Ž'Ä"ìaÛ5(=Ep4”ÑlgÓSÇÈÂèf	¶Zì¡ZnëÂ;ºÂHðôò·]r1@9
”±¢ŒM05vU†%nK–JjQþžÊšÇénT/ÀV½oeº ›Wéž*³s³•KºfÌ·d{Ä%jpqìQ– _«çó¯tA§î¬1Ç·J3–B¦âê½ý.G›ÝƒûVu|ñáÿÑ-H|/è¢n¡œU¾§:g’½|@ÆÌ<èCò/¿Lz¬àâ%5䂹Ü'„–RšóÜ~íäBŽí:0I
û9¨”ZXàþßT’hò¹ß—>êͺqßJ¦›wÍ8uðÌ•Ú[ sÈ>®ÉÓGU”ÖìÓLÒ76°¹+:ˆ]Ú°`;^é¿Zm¬x2Ž&©Úƒ¶M]}5DâãZC¬&oÐë7fYa ™~*UŒ®ŽŸàBžôãÃ÷‘kBPó¾
?dS«àû¨3ÿ-0aŸ’AbqhO=’ƒüëÓÍåOøU>áã1é~òuòØâ÷—Tª|¸+æôM§Þp
PÄYyŸ‰i§yøŒ½R±
m¥È€‹ªYjpg
µÂ>ù>zôàRÕÓAÊu°àÕ³^(¥ýaBÙ¯r–
$ŽòßqíNC#¹n·arÖšÞ{dôàWKCè#`*_{‹¢ÆNý‹oxœ0—	<ÚÇNåìlÿÎDù$ÉXìÒÊ‘~ñOâÌ*ú£lÈ4 ¤’,Ö©x™ äT‚ðoÎ+z<¼‘2®lKê~D¢œÿ9ƒ¾ôCj³½±%…“í†ÆÂmD.Tn£qw"`qÒW$Ïí{i©&Ñ_ôAŸÇî[”edê©.æÁŠ÷Òô14Ô"WG7›P˜OÈ„Gôæ€ïþÍuÿÝ0N™Ê2ùJëÄ–É<õLY½øEX«ŒéL¦¬ÿ«ÂÓÎendstream
+endobj
+1170 0 obj <<
+/Type /Page
+/Contents 1171 0 R
+/Resources 1169 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1151 0 R
+/Annots [ 1177 0 R ]
+>> endobj
+1177 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [377.8384 347.6929 436.8266 358.4773]
+/Subtype /Link
+/A << /S /GoTo /D (ipv6addresses) >>
+>> endobj
+1172 0 obj <<
+/D [1170 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+218 0 obj <<
+/D [1170 0 R /XYZ 85.0394 558.7948 null]
+>> endobj
+1176 0 obj <<
+/D [1170 0 R /XYZ 85.0394 526.9277 null]
+>> endobj
+222 0 obj <<
+/D [1170 0 R /XYZ 85.0394 332.8718 null]
+>> endobj
+1178 0 obj <<
+/D [1170 0 R /XYZ 85.0394 303.8962 null]
+>> endobj
+226 0 obj <<
+/D [1170 0 R /XYZ 85.0394 175.3419 null]
+>> endobj
+1179 0 obj <<
+/D [1170 0 R /XYZ 85.0394 146.3662 null]
+>> endobj
+1169 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F65 1175 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1183 0 obj <<
 /Length 317       
 /Filter /FlateDecode
 >>
@@ -3943,21 +3971,21 @@ xÚ¥
 Ŭ­êN*-"y9,º£²n7ã"O2-Â|VÔÉ*LYÎ$}ZBuÀxgËòM„ž2åá_ñ€@ÞKÞ0m­Ô©²c5{8önO¯¦GRYy%>M½ødFàœ‰îŒ«¤:æ÷ºÿø„í÷Só¶ÛÂzßÄ,¢xDCÑ)KW¼ÄIà‘ÿ'ÿý:åœ> endobj
-1174 0 obj <<
-/D [1172 0 R /XYZ 56.6929 794.5015 null]
+1184 0 obj <<
+/D [1182 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1171 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
+1181 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1177 0 obj <<
+1187 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -3971,59 +3999,59 @@ M&P
 ïp,'èñ+)jä‘jåQúk ©ï¯‘ÙYºÝÕ¡Eâ¦Á§âÛð´â·I-§Ñ;ÀÍÍ$b®»Ö¬Ý‰ÜQµ㩺›{JýÐà4;,ÿ‰f`¨º
‡W$‚7€Úù«1[Ë/¥nÆÏX	 «EšQS£»»·ž;šWïP{“øÄDN)ój=u”ö¬ÊùßC;»òÕ]Û Ñ_;Œ`ÝÄF
 q…7ÉGb†N0bèKNôJ…$ȳÈBÏ"g¥OØêåýµ	G’^—=Ys{}ñJE½Ó6l`‘“TÈ‹«Ã}%­JüŠÆ‹ŸêIÙmS:_Óß	Р*çóýÃì(š´ªŠúºWy÷ËÓü-1~!EŠß×¾6F‘íE†>5.NF¸áb‚Ý®6¸|»ÜÿÏ“vendstream
 endobj
-1176 0 obj <<
+1186 0 obj <<
 /Type /Page
-/Contents 1177 0 R
-/Resources 1175 0 R
+/Contents 1187 0 R
+/Resources 1185 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1192 0 R
 >> endobj
-1178 0 obj <<
-/D [1176 0 R /XYZ 85.0394 794.5015 null]
+1188 0 obj <<
+/D [1186 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 230 0 obj <<
-/D [1176 0 R /XYZ 85.0394 769.5949 null]
+/D [1186 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1179 0 obj <<
-/D [1176 0 R /XYZ 85.0394 576.7004 null]
+1189 0 obj <<
+/D [1186 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 234 0 obj <<
-/D [1176 0 R /XYZ 85.0394 576.7004 null]
+/D [1186 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1180 0 obj <<
-/D [1176 0 R /XYZ 85.0394 544.8207 null]
+1190 0 obj <<
+/D [1186 0 R /XYZ 85.0394 544.8207 null]
 >> endobj
 238 0 obj <<
-/D [1176 0 R /XYZ 85.0394 403.9445 null]
+/D [1186 0 R /XYZ 85.0394 403.9445 null]
 >> endobj
-1181 0 obj <<
-/D [1176 0 R /XYZ 85.0394 368.2811 null]
->> endobj
-1175 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
+1191 0 obj <<
+/D [1186 0 R /XYZ 85.0394 368.2811 null]
 >> endobj
 1185 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1195 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1184 0 obj <<
+1194 0 obj <<
 /Type /Page
-/Contents 1185 0 R
-/Resources 1183 0 R
+/Contents 1195 0 R
+/Resources 1193 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1192 0 R
 >> endobj
-1186 0 obj <<
-/D [1184 0 R /XYZ 56.6929 794.5015 null]
+1196 0 obj <<
+/D [1194 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1183 0 obj <<
+1193 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1189 0 obj <<
+1199 0 obj <<
 /Length 3198      
 /Filter /FlateDecode
 >>
@@ -4044,47 +4072,47 @@ C
 Ceß—óeÈà=ܯPÆ[ËŒQi«¯©x.x:‰W×ÊHÉCÄßm þ‡õ‹d}>9d0‰Ã•røS~fƒ›Îì¿÷CÛ§r&8o¼¬Ûp0ÕI°ÓŽÆK…Ï£¥ª¨X™¥©··WÏåK¼FñáàîÙ>P +V5eºÎØTö–Ú‡tmÎgC£,㕉˹=SAèk»3N@±$Ä™Ó!
ÓØ«¡„p6˜!O@‹ç“còΦAÐ/†SŸw¹ô]X¼^§ú4uWx.bnÆè€ð2£˜˜Æ+‡_ÀèÁPöpç°Îd¶J+&¹–7cs@x™M¥-|þe\ƺáZ‰>RïWîoiÁ¤´­‘i•ÿ‹Â,ý·Ï¯ñ¯
 ùS~Y»=‹@ÈR',¤ÿ3ìQ¥éþÈ|OÂendstream
 endobj
-1188 0 obj <<
+1198 0 obj <<
 /Type /Page
-/Contents 1189 0 R
-/Resources 1187 0 R
+/Contents 1199 0 R
+/Resources 1197 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
-/Annots [ 1195 0 R ]
+/Parent 1192 0 R
+/Annots [ 1205 0 R ]
 >> endobj
-1195 0 obj <<
+1205 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [356.2946 363.7923 412.5133 376.6291]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1190 0 obj <<
-/D [1188 0 R /XYZ 85.0394 794.5015 null]
+1200 0 obj <<
+/D [1198 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 242 0 obj <<
-/D [1188 0 R /XYZ 85.0394 769.5949 null]
+/D [1198 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1191 0 obj <<
-/D [1188 0 R /XYZ 85.0394 576.7004 null]
+1201 0 obj <<
+/D [1198 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 246 0 obj <<
-/D [1188 0 R /XYZ 85.0394 479.565 null]
+/D [1198 0 R /XYZ 85.0394 479.565 null]
 >> endobj
-1192 0 obj <<
-/D [1188 0 R /XYZ 85.0394 441.8891 null]
+1202 0 obj <<
+/D [1198 0 R /XYZ 85.0394 441.8891 null]
 >> endobj
-1193 0 obj <<
-/D [1188 0 R /XYZ 85.0394 424.9629 null]
+1203 0 obj <<
+/D [1198 0 R /XYZ 85.0394 424.9629 null]
 >> endobj
-1194 0 obj <<
-/D [1188 0 R /XYZ 85.0394 413.0077 null]
+1204 0 obj <<
+/D [1198 0 R /XYZ 85.0394 413.0077 null]
 >> endobj
-1187 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+1197 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1199 0 obj <<
+1209 0 obj <<
 /Length 4061      
 /Filter /FlateDecode
 >>
@@ -4109,33 +4137,33 @@ S
 žèͶKê-‰?˜^À¡E×°NžÄô;,)ÒJ”¯0¬•;ªåëÉ3½&„–˺/ÐñÐè›»ç“_A½Îì±ê%”ÔTÚêÏk]ß­ëËAt•Û…e›(Cµ|LÌœÜnè?cX/J•–±È[Mì©ÂëJka5ó\Sî€[²Ä%ØùØê ŸÆkú2|¼uÀ(ƒovY	m‰S»f?PÛûŠŒºüQ[·¨>Õ¡Ëãiß×onBË—Z1ycr®ÒíÇ™'¿ö„g5;_{þgOå,- 
k€±3Á1kΆ_‰î}-ÊÅüuò<ÎÛ.β¶>¸eR°øý$~pË@œ)¥Ó···ëXîN§ßÆbsh~Ó`.g¿¸ŸâˉTmIeb?U…—þì‹Û•˜™ùC¸ìßþ¹^ÔKˆvÂýß{ŸV9’üOQø}@	Ÿb
 jLŒ˜æxqºñ¿IýÅã=þ\%öúoõ꾈CþuèÃcUJ‡w7žæU¿ú£äí'ÛÒagÐ;ð-JZœòEȽ™3[BóÂÔÿ
ƃh> endobj
-1200 0 obj <<
-/D [1198 0 R /XYZ 56.6929 794.5015 null]
+1210 0 obj <<
+/D [1208 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 250 0 obj <<
-/D [1198 0 R /XYZ 56.6929 165.9801 null]
+/D [1208 0 R /XYZ 56.6929 165.9801 null]
 >> endobj
-1196 0 obj <<
-/D [1198 0 R /XYZ 56.6929 136.242 null]
+1206 0 obj <<
+/D [1208 0 R /XYZ 56.6929 136.242 null]
 >> endobj
 254 0 obj <<
-/D [1198 0 R /XYZ 56.6929 136.242 null]
+/D [1208 0 R /XYZ 56.6929 136.242 null]
 >> endobj
-1201 0 obj <<
-/D [1198 0 R /XYZ 56.6929 106.2766 null]
+1211 0 obj <<
+/D [1208 0 R /XYZ 56.6929 106.2766 null]
 >> endobj
-1197 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R /F48 975 0 R >>
+1207 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1204 0 obj <<
+1214 0 obj <<
 /Length 3065      
 /Filter /FlateDecode
 >>
@@ -4151,39 +4179,39 @@ xÚ¥Z
 ¬_²Õº°n–Ô§X;‘LjÉRÓaXΓçB}ƒY™š~E•qùÍX|ë$Œ¤Ï\tc©ÕƒZN‰11+,¥wØÿñ6à˜%„ Èy/5+îª±¢¦ \tÁ	y\üƒQEUÝoÖD¤€{z¹ÀÊÅ¡ `dêBÃD7þÒŒg!=¾¨Ë=ÔC‰§Ç¥—P.ÕÀUZÍï°{Ãjò$8Îgá³bÆètÇÏÓE^6ª>¡Ù¾¦¾Ì„œ¶c<~°Îp¹]þ†_ÎU*ºÐáôEµê“¢øÂõåØWçxðêÄÿLê_©:qÐhH=,…œèÝ7cÏÝß ¾QØÌs€Ë=òâÖàJmm³¦÷éûiW€:ô‰êCmŽ_«"q·©ÃÓobœ‹ø">½>Mñúqn‚‚F:­¡ôŽsWg°¦º!¢‹78 ðÜ÷9d÷gôÕ·]ºW
 覷=èv/P>ÂQl­'æ^r) \œùòåË3ŠKU=ú”¸´Eq¾¶u÷”ú„ËÍïe‚€=éýƒqï!C§Pü°Sœ;bH›4†.¦•¤ÿ(|í:‚bƒŽkw_á(B™QAû‚µÎŸ\oà.©¼ ÁÒ¡ÈÁÁÝ9½2ú¹ÿˆ¥L†ÜSçç$÷ëõòå¡=2fø—‘.Qg¡üWšþ‹ yiÌO¾â©©J¡	d¼«y÷Ÿ›}Õÿ~ý\Iendstream
 endobj
-1203 0 obj <<
+1213 0 obj <<
 /Type /Page
-/Contents 1204 0 R
-/Resources 1202 0 R
+/Contents 1214 0 R
+/Resources 1212 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1192 0 R
 >> endobj
-1205 0 obj <<
-/D [1203 0 R /XYZ 85.0394 794.5015 null]
+1215 0 obj <<
+/D [1213 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 258 0 obj <<
-/D [1203 0 R /XYZ 85.0394 730.0812 null]
+/D [1213 0 R /XYZ 85.0394 730.0812 null]
 >> endobj
-1206 0 obj <<
-/D [1203 0 R /XYZ 85.0394 700.9798 null]
+1216 0 obj <<
+/D [1213 0 R /XYZ 85.0394 700.9798 null]
 >> endobj
 262 0 obj <<
-/D [1203 0 R /XYZ 85.0394 216.5924 null]
+/D [1213 0 R /XYZ 85.0394 216.5924 null]
 >> endobj
-1207 0 obj <<
-/D [1203 0 R /XYZ 85.0394 187.7778 null]
+1217 0 obj <<
+/D [1213 0 R /XYZ 85.0394 187.7778 null]
 >> endobj
 266 0 obj <<
-/D [1203 0 R /XYZ 85.0394 127.6814 null]
+/D [1213 0 R /XYZ 85.0394 127.6814 null]
 >> endobj
-1208 0 obj <<
-/D [1203 0 R /XYZ 85.0394 101.3894 null]
->> endobj
-1202 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R /F14 757 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+1218 0 obj <<
+/D [1213 0 R /XYZ 85.0394 101.3894 null]
 >> endobj
 1212 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F14 765 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1222 0 obj <<
 /Length 2311      
 /Filter /FlateDecode
 >>
@@ -4196,14 +4224,14 @@ pR
 ÜͺË8yÜ¡~KdëNøf;Ðp(yó.›qí.»Y†ÿmñ»—þìš.D->\]>.+¯cl¶•(ž€¬"–D‰ûýOžUý—þÚ×gAÒJ¤_ˆy',H‰
 âBV©è ät?Z(ôÿÑQNendstream
 endobj
-1211 0 obj <<
+1221 0 obj <<
 /Type /Page
-/Contents 1212 0 R
-/Resources 1210 0 R
+/Contents 1222 0 R
+/Resources 1220 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1192 0 R
 >> endobj
-1209 0 obj <<
+1219 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
@@ -4223,154 +4251,159 @@ x
 6\>RgÈbÏWÖ¹j[†›
 WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
 endobj
-1213 0 obj <<
-/D [1211 0 R /XYZ 56.6929 794.5015 null]
+1223 0 obj <<
+/D [1221 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 270 0 obj <<
-/D [1211 0 R /XYZ 56.6929 730.9277 null]
->> endobj
-1214 0 obj <<
-/D [1211 0 R /XYZ 56.6929 704.9004 null]
->> endobj
-274 0 obj <<
-/D [1211 0 R /XYZ 56.6929 236.9993 null]
->> endobj
-1215 0 obj <<
-/D [1211 0 R /XYZ 56.6929 205.1553 null]
->> endobj
-1216 0 obj <<
-/D [1211 0 R /XYZ 56.6929 146.386 null]
->> endobj
-1217 0 obj <<
-/D [1211 0 R /XYZ 56.6929 134.4308 null]
->> endobj
-1210 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R /F62 1085 0 R >>
-/XObject << /Im3 1209 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1220 0 obj <<
-/Length 2333      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ6÷_¡·“;Ší“›89w·ç¸Oi&CK´ÄEúD*ª{×ÿýv±E%”e'êLÇÀbñÛÅ~@#bdSÆ•KFÆ%,å"M—'|4‡±—'"Ì™ÄI“þ¬¯O¾{¡ÌÈ1§¥]ßöxYÆ­£ëÙÛñ³žýr}~u:‘)kv:I5ÿxqùœ(Ž>Ï~¾|qñò׫³S“Œ¯/~¾$òÕù‹ó«óËgç§aSëeà°gÁ‹‹WçÔzyuöúõÙÕé»ëŸNί»³ôÏ+¸Âƒüçäí;>šÁ±:áL9›Ž6ÐáL8'GË“$U,M”Š”òäÍÉ¿:†½Q¿t¿D*&¥S£IÊY"Äþ]i»†&¬t(çî¦!R¦R…*IÆߪDŠžJ„ÌH—ŽLê˜VRy”õ|^TsÄæ«þ|n™H»|ZüƹÌ@U™ñf‘µÔj96ì¸ÉWóqó-4>ΪY\£ÂŽóu~.1Xæ§bÜ4Ùœ6±ã,Ìñ@8+si*I ¼jÙ§:M¹aÖp1êcñuø*'Y*´Mâ„cªLÂLËå!•©‘Ê6+€ç Â¦u…ꚯ	¸¢Ï?CÐ:	ªl™Ïøª„i£Â¤¶>(íÆYÙ`Ë€v§m 5áKô²˜/ÚÉ&Ç
AêÒ	RfY>ñºØ„)ïWHÅä0–uE7ø7žòùeÊl"]Íã2xÎœUi˜¼ÄvÓSÈqí&9¦ÝhþO;{ÈnM+„&4³¦ÍW°œYŽ†SáT&%}&Á<<%rò²hZšq[¯ˆTTÓrݨ=êÒxÓ®oË*pjÊìãàíþ£®rÒ}·v¦e¶nòf¿þúÀüï½6Zî«ÖÖ0ǹêú®Hwó[×êasv`	`4ò|ÕfEp}Ÿ«ÑíT„@ÌèsG1vÒéh7YS<„~ïX_Õ_{i”f‰KŸJÈëRK ‚í*¦ÍdºÈª*/åÿÀÍĨ	)¦%,—몘xRdç{ñ;Ï[jdÓiÞøAƒƒ±+ŒK©ßI7o7ùéÎõ€V·pý¯”„:BÙC‘LKP‘LJBVkˆ	³É‡üþiáï¸F;öë©ÿüòÍ›ógÔF†ÚõX×$¦;ÇDTsåØD…fÂpŠ-‹|ód$ƒÃñk?\O¢ãw\SäœÊ™L×êφ2$`9:w<¢”íÃPÚ+±:•VõeÝãPNÇÄèKÛ»
_wö—ö)uîñ>7•)¨Ž–ØG–¹À	
-~¹ó¾Ù+~âÏÕBKftø-K J ÿìOOþO-ìRf¸sÛ<—m=ÓÀ£{K3à†µÔò?Òíî½·.ßù±Š¥&A?ÈL¢(††ˆio“~Zv¹«WmÇ{ÛyG)p´‡Ýz³ÔxŠ‰œ• 4ðç“ð¯‹q=~€aJÔ¾ƆVÀˆ1¶³ŒÎ_WÅïáÜTÔoF­j½¼É¸õ¦ŠÍ>y¾ª×w;ä>Ð_|Ê¡ÿžP)Ãyø_>:˜*>ö?+¶ÿvªVÖÊ᧠î.¡ð|Ê|æy”e©•f@ôÿË;2ôendstream
-endobj
-1219 0 obj <<
-/Type /Page
-/Contents 1220 0 R
-/Resources 1218 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
->> endobj
-1221 0 obj <<
-/D [1219 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-278 0 obj <<
-/D [1219 0 R /XYZ 85.0394 537.224 null]
->> endobj
-1222 0 obj <<
-/D [1219 0 R /XYZ 85.0394 512.8844 null]
->> endobj
-282 0 obj <<
-/D [1219 0 R /XYZ 85.0394 444.1158 null]
->> endobj
-1223 0 obj <<
-/D [1219 0 R /XYZ 85.0394 414.002 null]
+/D [1221 0 R /XYZ 56.6929 730.9277 null]
 >> endobj
 1224 0 obj <<
-/D [1219 0 R /XYZ 85.0394 336.6639 null]
+/D [1221 0 R /XYZ 56.6929 704.9004 null]
+>> endobj
+274 0 obj <<
+/D [1221 0 R /XYZ 56.6929 236.9993 null]
 >> endobj
 1225 0 obj <<
-/D [1219 0 R /XYZ 85.0394 324.7088 null]
->> endobj
-286 0 obj <<
-/D [1219 0 R /XYZ 85.0394 183.2103 null]
+/D [1221 0 R /XYZ 56.6929 205.1553 null]
 >> endobj
 1226 0 obj <<
-/D [1219 0 R /XYZ 85.0394 155.2928 null]
+/D [1221 0 R /XYZ 56.6929 146.386 null]
 >> endobj
-1218 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+1227 0 obj <<
+/D [1221 0 R /XYZ 56.6929 134.4308 null]
+>> endobj
+1220 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F62 1095 0 R >>
+/XObject << /Im3 1219 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1230 0 obj <<
-/Length 4279      
+/Length 2383      
 /Filter /FlateDecode
 >>
 stream
-xÚ­;]sÛ8’ïþz;ùÊâßDò”Í$sÞÚÍÌ%žª»š™Z¢-V$R'RãñUÝ¿n4’dy+)=ÀF£Ñß
±Y?6S:Ó–Û™±2S9S³åö*Ÿ=ÂØOWÌÏY„I‹ñ¬¿Ý]ýðQ˜™Í¬æzv÷0‚UdyQ°ÙÝê·¹Îxv
òùûŸ?}¼ýé×ÏﮜßÝþüézÁU>ÿxûÔúéó»þóÝçë+›¿ÿw¿Ü}øLCÚÃøÛí§©ÇÒãÐÏ>~øüáÓû×ÜýýêÃ]ÜËx¿,¸‘ÿ¹úí|¶‚mÿý*Ï„-Ôì	^òŒYËgÛ+©D¦¤¡gsõåê?#ÀѨû4I?–g\hž  d#™i®ÌÌ(›iÁ…#ào×çóCSÿE­,ËÞRëÜÝlÁLf/ Á2«wŸýß[üá#g³Øýèàa*+ãÙH w°–mÓïÛMGôûÒ—}µ­šž^¬~ÏsÞÔ}Ý6ÔS6+jüÚ••_JŒö+q›1®
-·ÔݺŠø“8M“qNDášÂiѼn@Nh;_UËM¹¿fżì…ñ{ÁŽvCS–ë²iªî[꽯èyèªÜ?SO÷ÜÁ
-ÔW®¶uSwý¾ìÛ}GãÂt!MÛœÁñdÀ¯&œ	ÉB»«
-ÑP›yû€ÏÂ}ä:šr[QWWíÿ¬öÈӮđ~›,ŠŸ
»ÃaO
-¢­a·;=‘/äÒx߬–‰Cà"cÂ~Ò¡¯7uÿLБ „wã×[¶Û-0‰G
-ÆYð„ìˆW#3êý¾®þ¬¨§i›ÅŸ¾Œ‡»Ã¦÷lú@tØzžôŸ¡5¦".<™g¦`´ì»&A	¦²0ö›¬›ªOP‚A¡Œø6ì†/ż¤×»÷¿Ð{×.¿V=µ7À_US74§ôÝÄÐÑíªe"§™"	"«€òîXç	i³šõ{®òx_w_¡ÍˆÂNîöu#;¯Ùœ6Fòwô$ö†YᬊùS½Y-I‰¯üygõ–/©\è#FhAë,Ѿ8C§”³K’Lô”ËeµëÉÜ)'d8Z6Ͼãž-l!ü·Žæ’΀R…¤ð¾®-Ÿ·4N
-¾¢UF@‰=‚Ã^½†ÌÑ2 
‚q4hÐÈÑI«Y(s–[™(2Ž©*`bþ:÷ïEf
cˆ§¼Ê$%`‹aá—xUf9Óê¯Y?åÍ›”‰òŒASPÆpÙï¹=kY8ºÚfóL-$ñ)i­É„0ü¢‡ U¡F:“Ãj›vYúåÖm×Ç#u†ïhf»»/—_ýYlàù_á©è#Eˆr˜ –í`N Ì²~,=xÆ €6`¿O¾ÐJF§Àw<H1òFênìÅ ÎRå=Ÿ§¢¡±-ÿª·‡mp`–‡=:YŒ1ïÃ,
-$õÔ•Áƒ%w‰žÎÄNVÙÏ›ã9V‰édtÑñd¹sÜÉ»òŽÞ~ç\&è+˵µ¨Ê¬1z¢E¢ƒ
­i=j÷Õ€Ñ@©{‚€†÷¬Î,Ä”,2­…ýv(@\ŒA&| mÆù°ò>ëÂì µä4kn ç\ĈŠtñ½wÄQÙö^×]wðãƒ'îTÅbB~ÁLònÆ®ì×4Àù¹šä8|ç"$Ô 9Ÿ¿ƒð*ø¨v#3€Î¸:Ä}z@±P>bÔG¨@‡ËÝù¯R:‚e\‹pfhƒÒ®y‘Ç$ÑMŽÊ$é—§¦JÅ&‚dn_´Ó >aÎã¾=ìÒßšžDC
FÚÌ?µ½§Ž³šŽJ[ß³Û”=håmG$C—ÿË¡ùùzŒ0@•ƒ7±õ_ÚM	.¬wÉY8Qh8ÃÝuÞ€Ž!–8âcØÊ‹…ÖÃrƒ8áËn·©Ý	3Ÿ?*€ûh®ËÀÃÀªöaCßîŸ=€îÒ&ùÆ3"·A»î»jóà+ ÈÀ¢G®ÑËÒ”L¥8AÛùn_oK‡#¼”‡~ÝîëÿYo;ßV(Èu·¥Ì0%ÁC¢ÏåÔ»ê_¢ÌË“?5áj"ê6ú~	[	.4Ø!P˜’ëL¡KñÍ*8@\ŒA&Tp~}ª-N{µo‚Á8딌ùPqž%=,×
-	ƒ	9b-2F	"±(l!fÐPHзÒ(\Œ!ž’È€áÁ.Î:ëM¸ø7(*§3d1ÿP’É=I@ƒRËíyžÀŽÅÎwÛo„xaè¶m®í+vÌÀËPRÇšæHÎY^d’½ €2²¢ýŽ/l˜ƒƒ^°ˆ“
ŸŽŸŠe˜Ž¶Ô‰S›H‚–žÕ_ÕòàŒ¼Œ*OðFñn 4Ì‘g_–ñ¬ô¥ªÎU1ÆЂ"}Û?Ψñ9U/Ï'‚ˆD½<ÎråÞÏÕ–ìŸáóOTÊ2bþc	Ý
õ¾ŸàƒÎ”,Žýã$@P*5%&¸ŸT¨ã¬(Ñd£ð	Îus²*8îŠqöZŠÅù—Ö?ëì:ðD‘‰¢Ó eRÈtˆ³.àq
-mdéMáh꽕r@¯¼o=¢—÷xð!Œ†´Æ•>øLNv,Ҹܗ½šÍ3iÄQb‰a¤g©D¦0•˜Ð.T@LÔ¼P°˜ëRì´b 8ÃÓWE:¸IçôŒÒg,릔£Àªt‘)¡À»Ê¯þ§{–ôXUåaãǦª€R_ø2Ž˜òî”
-ÔäD3`”::±I>@r”†WAµoì¯{?Á—G
-dƒ+•˜¨Å¡7o()ÃØü¶¡)½ËYàزìªr #ÌrÓµ4ïiíÊ1…<ç=)›1­ŠW]Å2£ñ]ÜD~,Êi.§ÑÏè¼1x’óûƒo¬ÚÊtÈv¾k]º;Ð*S<Ï1§ ì…t €È(ú
-e¤8
b5¬f_d4øĔѽ(°óX;‹Ä‘5Ê•ïYûmŽ-¾Á¬tfÚ}5ºÏÀåp™„Cø,1‹zTîpQh¢H¡A—l¤2ï I
~E²à!Š@Àª>©Zô83‹‘i¿¸¸ãÏ*UIQÈ ‘ß Š–{À(ç¾æ°{8îÉÅ=&?
-“ñ¦NV­jùëbØïõ¦GEÑPµÄ±%ñgIæ7Œ7Á›êÓÚ…–/SbɃ§vJAÅüÈ^Œy
ÖÑCà¤Ï#no~-ÊTewÂLuø.‡v9ì°A*ÏMOÖRL¦¥¼\Éí ÇÊCÇlÀmOÀ·åWB÷áõµ[J{JŽ]Ûuõ½Ët	ïlC%xìp÷Lzß`'ÉJ°?è/è1¸9Á
fH¡Á„ÚÃ	_w¹:
Rô‘*–Âú{b0Ë9íSÉžTÝ@q]¾Ñ	÷ŸÚýW¿Õ y1Ta²8Êñwä–Kà·2•µw±6g^d-7z¼´“i‰ðôäž»±†‹Uˆgês9A˜E¡Q_†4ŠÒ(§º…ƒg`Âÿ5åbÁ󓱪]>ô.¬¡iáÔ¼í7+sä¹ú|݀˰ٜÉ"}©›eE¹Ô>©¢$„¢JòW©¨b¸¸4QQÝyM9ט»§Cõx·zKOªXF„ÜLtùžü­ Üv|í¤gÜ}X‚ý@O¢~YPP{A´²÷®O
ûXZ¬—¼‡ç}>ìŸj^èð~”*OØàG	JÁȺ~\ûÙÕ#}\шS¹ÂŽ%Ö×–éþ ¯çÿíæÁÏ¥zj¾«w
-ÊÛ=úeƒ0姹'Œ;ã}ME×ÔTp°¡ÑA¨ï‡&C¯Fø;UN80·I3ènÎX·‡ÍŠ:QåQ+eÓyAûEŸÖqJDúŽˆÑ·zª]€VõÈ·O
5âë‡	fxí©[Žñ^l®Að£jA¤¢ÛxÛÅ&ˆ;&¾¸Œg,9óÅÐ×È	DOlâxJmI×ΞãNzߘ¦šUˆ¶°qpÖW¡-}	Ùäd©À:Z5rlàüi«øéMŸXŸ{´÷ÔÄEÄ<³<ÚÍÜ{Å¢«*Áä¡ù–(Cõï8ˆTö¡Òqï†ù+9"œºiëê!£.çÑ9òEfØ·[®sàœÚ_pjÈ#!æ-ìÝo7ïc.+3)ÿ@²" ˜°U˜°Åå{]2zø!ÁvC7„zr·a­ÌÌ›Š2tE\âZ#>ɸüO3Áå14Ã=¬Èµ¸ñ+{‘·Xé "xëòðê1Z•÷á[gSrøÿ–I”ʼnPŽ¡¸ºué¯*òò*\e£›K{ß÷´ö׳Õ”ýŒWÜÙEÙ'D)0mUwåñ2Ct‰/äˆÞDÂzb¸šò[8f’”~Evœ&øqàMŠ¿0¤m&“gaú[ÉÐNE„³›b×LÚ\ã ãÿÁ,„â™±}2Ó.Ç?Ä(ÿ‡ðD6‡U•ü?ÌOû¨
-kþö _õPo*Ô>oÏ¥—±Z!D*1™Gä¿ùK£ì´Á<?“i5EAƒHánDq‚yøgÓ)êÿâ¾cžendstream
+xÚÍZ_sÛ6÷§ÐÛÉ7	 }r'çNâö÷)Ídh‰–x¡HŸHÅõÝõ»ß.¤(‡’ìF7“ñ°Xì.vYŒ8ü‰‘3Œ+¯GÖkf¸0£éò„æ0öúDÄ9“vÒ¤?ëÇë“¿½Rvä™Od2º¾íñrŒ;'F׳÷ã?ûåúüêt"
'ìtb>þñâò%Q<}^ü|ùêâõ¯Wg§V¯/~¾$òÕù«ó«óËç§ጀõ2rرàÕÅ›sj½¾:{ûöìêôÃõO'ç×ÝYúç\áAþuòþÍàØ?p¦¼3£{èp&¼—£å‰6Š­TK)NÞü£cØ
K‡ô§¥bRz5šδ»w¥8ì›°Ò£œÛ›N„0L…&ÑšqÏ7&‘¢g!³Ò›‘5ž%Jª`“¢šÏórŽºùª?Ÿ;&´Å}pb}—Móß8—Y
ZUv|¿Hj5‹n\g«ÏÙŠˆÀ¸þššÓrÖ.QáÆÙÖº0—,³S1®ëtN›¸qçƒx œ•yc$	”•
{lSÃ-s–‹Q__§_å%3"±£I;á˜&“0ÓqyÈdÊ@Cx2Ùý
+ÔsÐ`ÓªDsÍפÂvEŸ¿GH”é2›
ðUš%VÅIMu:Q‰§E-Ö6‘TÇ/Ñ‹|¾h&÷~h 
+RÁI2K³I°íÄi¦B\!SÀXV%Ýà߸áòKÃœ–>Šô2xμS&N^bßôr\¿ÑÇô›ÄCüK¼;ä7 M'DBÚLë&[=Ásf:N‰wPYCöÔÑ=¥å:E^74ã¶Z)/§ÅºÎÑzÔ¥ñºYßD–eäTéçÁÛýïªÌÈöÝfØ™éºÎêÝöë+æ¾÷‰•Ðò‡Buâ,ó\P¨®îPéÓn~îZU Ú¼Ï‹ê&-°í7A蛑6Á\8¡Ý'Ì Øí1¶75ϲÛt]4õÙ‚ ¡ªf‘ÅfݤM¶„h½Ïl=}Ël­\OgÙ®Øm¶’6×êÙÍsóTÐ÷áK
+F'ÏVMšÇÐ÷¥‰P»‰°‰)}î(ÇN:;í&­ó}ÚïëëTõÿ½4*aÚëCÊ7pq¤Tð=ˆOù´žLiYfÅ“â„™6kÄLÀËåºÌ§ÑÔ²=L‹øg
5Òé4«Ã ÅÁÜ¥ãRªÉwÒÍÛ?ݹöXu£®oùJI¨#”;”É	&’FY­!'Ì&Ÿ²‡ç¥3¼Ý8¬§þËËwïÎ_PîQhOÔoùšpÎ@]s‹H˜°\ElPè~ªF1å£6mO{Ví¯Rn2êÊîj­ïh„fp@€MF圈W¯^P
+LçG«
%´œ.Ú¼³„ÀÙd%²=†ìiè¾Æ9DÞ‡²¤ñ”m>çÙý³¯DÌa­—ãÝŠëKt¬Ðþc*Î&Ì
+w¨ª26áÚmçŸT®Ý£´ž4ÇRÚæ…áГ®ñxm=Yü¹U­ ¦m9IZÆíöSÇOŠ'ÌIR(8!Ÿõ좾x3R#£˜ÅQ¨¿^dÉSxjè
+¿oÊ2(3Ûʱì /eºúv7Ȇl기-Zë@mwZ4V´­étÝ¢aGt6„ëX'YÙnÑ¥%ƒŠ\Z&§BŸ¾ ,
+αú.ˆß»V øæµJ—Ë4ÂNÝ?/GLÁ¼¤àÀ !ND!ÔûO´mÔÛ·³ÚõÇeÚLCùJøG“©„ÿ㇡ƒ<'‰(
$è%ݼ|‚©4Ưø`4`±G'ÝíJµ®„»P~¢ücÓãëÔ²uÏסVÆOý°¼©Š|J=Ò*¶BÖÃieü‚*	g†õÉ8è”ÆP±ªdîÆq«9•ÐÊÛƆ÷-•|Ë-AîV9xÁu r&K)ͤ“nÛ¬ÕmTë–LÁµI&Ã)ñB	>>‹7¼Ùn*N"¼‰!¾Ýœ½xSwï.!}C]«¤
_V”õ„'E¥’  ¤l	ƒQCaþɤ¤.×uäq)mÌžù>oCxÜ:(µ»@¿ÃpZÝÆ€›Ë]zÏÄò¸ñ´•ž$HPñ3¢@Áu¯ ?àˆ—U¼?œÅõ=#ÑÛiímä¥ÍEÝÓ*vŠ¢ºÏfƒú¾^ÄI·Î"Ô]4Ò«›u^4“¼üþq‚B3k­)Ž)È“Ò‘ZûÜt4´ª„DÄCM$`­õžÂD@BÒc¹ŸhÒòaÀk¼bJ˜6½EîŒVij¨êÁ÷”â_˜¯ÅŠ%	Œ±v:¨£Oé€·	9x9¼ö(­¬ž¦³ž0ÇÒÙ˵Ng@õêÎ,€E<Ó´ÀÓ?CoVÅß[¬_üòY‰r(‘’HÚ„ÜvaH
0‰¼eÖÜW«OÔÁ‚ku›NÃo7qA9T§5mà© ü^î±\O%_[Ÿµ–¼á$·Ï`Ù®Øm9-ãz»†t+¸Ý˜®Ìšúé¦^‡À
|žHƒhˆFȨadE_²)ŽuöBòm;~¿È1—â„`¤‘i†¬·Àßw¤P^„ÜØÑñ»*@˜ALjš6«ˆXV
5î)|wÉgqEJŸû€¢¡ÑÀ`\7Ë`›e^>ú™@ô\JêÈ4dú߉Rd%0™7‹šúÁ‰‘Ž ftzhm9}@]b|QÒX½ðG’”@˜¦uöÝà“že	€É®,ÙmêI7wƒuÅòðº‹ÓÊÍ(û6`ËÂO®@ûg@AÙ>
Á^‰Õ©tª/뎈¢9`è¤F{nmï:|ÝÛÜÚçÔ¹Çs»‘ÁK(û>¡ÌÖ@Á/E?.ôŠŸöÿ„rÌaºHÅ(ü~C¿Ý<·°ƒy|	ÚpÙÔs-Ürº÷4nXC­ðk+Ñî>ï
+ÿ¡ 6k„ÌjE¥Õ_ã1í
 è§Õq—»jÕt¼7[غã˶§˜ÉùP	JE.z—Œëñ„¸{P¢öe°t^¼_GŒ±þ²¡ÿ+’]ÓSÙc_ᣃØë©ÿs²ù‡ÐrnÇÛJçœQ(<“²_\eðHã¤ýfÐmŒendstream
 endobj
 1229 0 obj <<
 /Type /Page
 /Contents 1230 0 R
 /Resources 1228 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
-/Annots [ 1232 0 R 1233 0 R ]
+/Parent 1237 0 R
+>> endobj
+1231 0 obj <<
+/D [1229 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+278 0 obj <<
+/D [1229 0 R /XYZ 85.0394 513.3136 null]
 >> endobj
 1232 0 obj <<
+/D [1229 0 R /XYZ 85.0394 488.974 null]
+>> endobj
+282 0 obj <<
+/D [1229 0 R /XYZ 85.0394 420.2055 null]
+>> endobj
+1233 0 obj <<
+/D [1229 0 R /XYZ 85.0394 390.0916 null]
+>> endobj
+1234 0 obj <<
+/D [1229 0 R /XYZ 85.0394 312.7536 null]
+>> endobj
+1235 0 obj <<
+/D [1229 0 R /XYZ 85.0394 300.7984 null]
+>> endobj
+286 0 obj <<
+/D [1229 0 R /XYZ 85.0394 159.3 null]
+>> endobj
+1236 0 obj <<
+/D [1229 0 R /XYZ 85.0394 131.3824 null]
+>> endobj
+1228 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1240 0 obj <<
+/Length 4330      
+/Filter /FlateDecode
+>>
+stream
+xÚ­[_sÛ¸÷§Ð[åŽÅÃ_‚HžÒ\rõM›»&¾™vîn:´D[œH¤+Rçs;ýîÝÅ )A–;ÉøA$.‹Åîowa>cðÇg:Ïr+ìÌX•iÆõl¹½`³{èûî‚û1‹0h1õ§›‹oÞK3³™ÍE>»¹Ñ*2V|v³úyžg"»
+lþö‡ﯿûéã›K£æ7×?|¸\Íæï¯ÿòŽž¾ûøæ¯}óñrÁÍçoÿüæÇ›w©+÷4þtýá[j±ôs‚èÇwïß}|÷áí»Ë_o¾¿xw×2^/gò¯‹Ÿe³,ûû–I[èÙ#¼°Œ[+fÛ¥e¦•”¡esñéâo‘à¨×}š”g™¹HPñ‘Êr¡ÍÌh›åRH'ÀŸ/9có}SÿNOe¿öOÕnKOÍ~{[íè¹}lÂã¸ù~×î&Í šç™Õ88åçê©£‘ÿ¡høç¦îzzûïkúýÕQX$IqeÙÁg&³Rá3Ò 
ß¼!	 b.ÆŠwDD}×b^wÔXÒëÍÛé½k—Ÿ«žžÑ&TMÝÜÓ˜Ò7“f@C÷P-k<ƒ°‰c¤r0†:°üph«¥²c…œÕÈ
+åÖZÀ
+‹"m«‘âbLÒâ©^iØekø03røÐîRBÌì,ï*E
+ð1~ÕÆeo¼xZï¹Ò#‡½–Ÿ9F!tÿj2ˆÏÈ@*Ð9~(ƒôÁ0,ÓÀ‚¯Çd xŽI#3m wÂ䩃ÁWÁçȸ8¸oZz_ÇÍ(-§ŽéMJaf÷Ñe3Æ[dFòlèÛÝ“'Ð[„ßxDÔ6x®û®ÚÜùd­hÄ_pú’©'ävþ°«·¥ã^Ê}¿nwõ¿cÚÛηäºÛRf˜²à!Ñç’ê®ú—xæáÅ?45‘u±_ÂW„?„&˜ëLHö°I ¸“L˜`LQ`Úâ°cÖ¬S0ÀÄya”ôCU%|
+	ƒ	‰9â\åGªC!³(lx‚É`é—»©@p1¦x,"Ž¸8ê$špño0TÎf¨bþ®$—{”€£ÆìiÀŽÅÎW[o¤xfÁh¶-˜z~ÅP†Vy¬I`Žä”7EJöÌ‚Nƒ*Ú¯¸à@ñÌ‚àò€Gœ,øÔ!0üt,Ãt´ä`NœÙD´ô[ý^-÷ÎiÀ˨òoïyÁƒ9@øY¯JŸªêTµ[Zl1Wv¦¾ÝýŒ>¦êüãñ$™¨óÇQ®àû±Ú’ÿ3bþJYFο-¡¹¡Ö·þ¡Ó¹’¥³±¿Zg`¦ä„÷£Êzu†eØ’Œc>á¹nŽfஹà/•Xnþ#ºÎ¯SOÒ‘™Ì	9U4d¯	+Ì¢”;\š(Rä`Ë‹ñeŽÌCÄp“ô€+’Y~SõIÓ’3³9‘õc u ¿U©JŠF‰úQ4¨ÜF9Çôs«×Aã]ÜcØA˜ŒWuº0kÕГ¿æ†m¡óv_oz4Ô]Ù	UKì[’~–ä~YP¼	ßTŸÎÍAhù¼”!6‘Q<¸kW¡TÌ÷AìÅX×`a_ |îqax÷kQ¦*Ó˜¸“fjã9k–'Š‰Í†=ÁÚöK'òÕw ±}Œ±„]úÚ÷ P_÷¦ü‡…¦®šTÀáaW6]¸bVX
+¡,žàè€@—ß^x*®|=så
+)ÁèUí§%£-Ψ8¹–	¥ŽÔª¾¯{*QÂÄòÆ…¡‘eÆ—4o¬™5¶uxÙ‚Å/ïÇqL¿Þû&Ç69îðLžž¬¥˜,Wê|„ÙÁŽ;“‡À|ÀuOÄ·ågb×áíµ_F{*Ž‡¶ëê[—é’lKC%xlp÷L$¢oð“ä%¡Ûo
+´ô3Àœƒ¤Rh0 öt—Æ]J…†}ƒ½§Š¥´þžtÀtÎúÂа£GU7‡ËÔP‰ˆ7ÚÛÝg¿Ô`y€e\|êÇ:‚å
+ô­Leí]¬Í䧆³ÆL>žÚeIðëÅ¡¼vc
«OÔær‚0ŠB’¾
+i5¤QŽm‹ÎÁ…ÿÆÅòS±ª]Þõ.¬±ia×¼ï7ëƒÌg(-×
@†ÍæDéSÝ,+Ê¥öI¥ ÕJ¼ÈDÃÅ¥‰‰Bê51¯=pwO‡êñnö–~©br#ò=ú[+ ¹íèµ;%8jï.Äí;ú%	á—5€´$++3ƒy¡#Ç>>-ÖŸ¼›ç1¶O-/4x%ƒÉ“6à(I©"èY×÷k?ºº§+êq&WÚñ‰õµeºÌçó8‡¹÷#C©^¢™ïj§’òv÷~Úp˜ØôèÑ:Þ×ÔtMM€
„ú¾ënÒ¥ðj„¿Såæ6iÝmÁëv¿YQ#šþh祉3&Šˆ,³"úÍgà½æê†J0!4Âe¨à=籑Ê>T:îÝÆp%G†]—pÚºzȨ«ù}G¾Èë–àKÃuSûkÎy&ä¼…µû%ãâ}ÌeU¦Ôá?P†¬,&|ælqþ^—Š?$Ø®è†POp&ñ×Ê̼©(CWÄù'ÐùIÆ-€?Í„—gŽ¡îaE­EŸÙy‹•j!»ÿÞÀWÏѪ¼
ß:Ÿ˜¤B¡ 'º7¦âêÖ¥¿ª4ÊËëp•n.í|ÛãÚ_ÏLö¯¸=JWWB”ÃVuçYO3D—øB@ô*rîÐ/†«)Ü"0“¤ódw¼p)s¯Rú…‰ Ü&iru’¦¿pŸýaWdØû×)uÁ±|þ'ÌBj‘+]Y"“Êï-þGŒöÿHd³_UɈùnW‚´SaíÁÿ½D"ˆ«îêM…ÖçõÉô²Îð? ‰I™ÿâ´²ÓOÈ¢'2­¦È h)\,Ž8ÿ‘uÌúÿ=<”¼endstream
+endobj
+1239 0 obj <<
+/Type /Page
+/Contents 1240 0 R
+/Resources 1238 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1237 0 R
+/Annots [ 1242 0 R 1243 0 R ]
+>> endobj
+1242 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 398.8282 256.3816 410.8879]
+/Rect [55.6967 387.5149 256.3816 399.5745]
 /Subtype /Link
 /A << /S /GoTo /D (rndc) >>
 >> endobj
-1233 0 obj <<
+1243 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 398.8282 332.4306 410.8879]
+/Rect [268.5158 387.5149 332.4306 399.5745]
 /Subtype /Link
 /A << /S /GoTo /D (admin_tools) >>
 >> endobj
-1231 0 obj <<
-/D [1229 0 R /XYZ 56.6929 794.5015 null]
+1241 0 obj <<
+/D [1239 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 290 0 obj <<
-/D [1229 0 R /XYZ 56.6929 713.8569 null]
+/D [1239 0 R /XYZ 56.6929 692.9565 null]
 >> endobj
-1066 0 obj <<
-/D [1229 0 R /XYZ 56.6929 679.5586 null]
+1076 0 obj <<
+/D [1239 0 R /XYZ 56.6929 660.5438 null]
 >> endobj
 294 0 obj <<
-/D [1229 0 R /XYZ 56.6929 115.507 null]
+/D [1239 0 R /XYZ 56.6929 112.3379 null]
 >> endobj
-1234 0 obj <<
-/D [1229 0 R /XYZ 56.6929 86.983 null]
->> endobj
-1228 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R /F48 975 0 R /F14 757 0 R >>
-/ProcSet [ /PDF /Text ]
+1244 0 obj <<
+/D [1239 0 R /XYZ 56.6929 85.6994 null]
 >> endobj
 1238 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F14 765 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1248 0 obj <<
 /Length 2372      
 /Filter /FlateDecode
 >>
@@ -4391,67 +4424,67 @@ U
 û1ú†Á`ð¶¿ïài')"=æ…G_'í
 wíÃùs¡¶h $48ÚÓê<ÖÂàg[y™»;ð¸¡/s©ßÓoò›	9n¸3˜•ËŸÚìPåþê{Ó»¹ÈÐíj3³ÙÌñõG'_Qìå¸òÁæ1¶kw{E¥¶÷œ&ÅHIpj=VÛK²©zCèN¯a§é¦ìÙ>ÐŒdÉ«Çz´-3[OÈså;¨Ëê®?O‡"5>>n$è<¦
lF_õâîŒ7N¶ª¾8}÷Hi¬¸7SbSJmÞ¹Ã)*óõçxËÝNy"6ýÈ£Ë:ºNy'÷–nÇ6èÏý?)à™*fÛ§´—ñÝÿ]îÿØ…òQhÍç‚FP\ƪcÊr.âCÎû?9§¬ÿl!‰ãendstream
 endobj
-1237 0 obj <<
+1247 0 obj <<
 /Type /Page
-/Contents 1238 0 R
-/Resources 1236 0 R
+/Contents 1248 0 R
+/Resources 1246 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
-/Annots [ 1243 0 R 1244 0 R 1245 0 R ]
+/Parent 1237 0 R
+/Annots [ 1253 0 R 1254 0 R 1255 0 R ]
 >> endobj
-1243 0 obj <<
+1253 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [406.6264 524.1437 456.8481 536.2033]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1244 0 obj <<
+1254 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [140.5805 512.856 196.7992 524.2481]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1245 0 obj <<
+1255 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [103.6195 470.0794 159.8382 482.1391]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1239 0 obj <<
-/D [1237 0 R /XYZ 85.0394 794.5015 null]
+1249 0 obj <<
+/D [1247 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 298 0 obj <<
-/D [1237 0 R /XYZ 85.0394 769.5949 null]
+/D [1247 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1240 0 obj <<
-/D [1237 0 R /XYZ 85.0394 749.3189 null]
+1250 0 obj <<
+/D [1247 0 R /XYZ 85.0394 749.3189 null]
 >> endobj
 302 0 obj <<
-/D [1237 0 R /XYZ 85.0394 679.8163 null]
+/D [1247 0 R /XYZ 85.0394 679.8163 null]
 >> endobj
-1241 0 obj <<
-/D [1237 0 R /XYZ 85.0394 652.1211 null]
+1251 0 obj <<
+/D [1247 0 R /XYZ 85.0394 652.1211 null]
 >> endobj
 306 0 obj <<
-/D [1237 0 R /XYZ 85.0394 573.4726 null]
+/D [1247 0 R /XYZ 85.0394 573.4726 null]
 >> endobj
-1242 0 obj <<
-/D [1237 0 R /XYZ 85.0394 542.9681 null]
+1252 0 obj <<
+/D [1247 0 R /XYZ 85.0394 542.9681 null]
 >> endobj
 310 0 obj <<
-/D [1237 0 R /XYZ 85.0394 335.1831 null]
+/D [1247 0 R /XYZ 85.0394 335.1831 null]
+>> endobj
+1256 0 obj <<
+/D [1247 0 R /XYZ 85.0394 307.4879 null]
 >> endobj
 1246 0 obj <<
-/D [1237 0 R /XYZ 85.0394 307.4879 null]
->> endobj
-1236 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1249 0 obj <<
+1259 0 obj <<
 /Length 3489      
 /Filter /FlateDecode
 >>
@@ -4476,33 +4509,33 @@ vk^)
 ü“Ål7·5Ú'}Á¯"´ú‚HcÀÀž¢í¶dÚ¼Œ~?Ú×í°¤jç=U}ô#Í›ªs—QqÏùw2Eš<\{ðõl$a@Z)ĉ+&9¹b’ók$0L’Óë#Ép2
 kî²Úc¯0¹¿C8_Pø;v! ¹(Éï3S|µŒ@x"BÉ_–
IJ,Ç÷xc$†âÖ•Æ'Ëýн.ô'
&O¾ÐjJæù‹ÛÔ.þÔvLå›p÷ûåôÈ|»4N* wվߦÇÕ×üÎ"‘"ü™vn»é‚£j3y.—¦¬wñ  ƒ¸'™xÿÛ”¨c9\"ós…)ùO	s¶J'7Wæ	8Qv.ŸÝCÔ¾*ù¨BK%@¤3‹bñÂBV¤É$Bhï·‡Ãú!ÆE&6×ù§¸xаÞG7<§æ\Qp¯ ä½ízÈCŸËi;<œ²s*Îe²ëÖå.VBKpA›ÊÿŠøßù˜)ù™äQŸ‰þLz™Ï$ñÁo²á¾ê$Ñ6ÜÝ:VÙ"-¥Ux·]ñ¿$bÿÝT&Á?\Fþi™†¯úÿ÷ÿ:Ç?½ê,Qy.Ç¿lÎäÏòDçÀ„…B-túLrÿÐç¢ÿy@Òendstream
 endobj
-1248 0 obj <<
+1258 0 obj <<
 /Type /Page
-/Contents 1249 0 R
-/Resources 1247 0 R
+/Contents 1259 0 R
+/Resources 1257 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
+/Parent 1237 0 R
 >> endobj
-1250 0 obj <<
-/D [1248 0 R /XYZ 56.6929 794.5015 null]
+1260 0 obj <<
+/D [1258 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 314 0 obj <<
-/D [1248 0 R /XYZ 56.6929 769.5949 null]
+/D [1258 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1251 0 obj <<
-/D [1248 0 R /XYZ 56.6929 749.2381 null]
+1261 0 obj <<
+/D [1258 0 R /XYZ 56.6929 749.2381 null]
 >> endobj
 318 0 obj <<
-/D [1248 0 R /XYZ 56.6929 540.3599 null]
+/D [1258 0 R /XYZ 56.6929 540.3599 null]
 >> endobj
-1252 0 obj <<
-/D [1248 0 R /XYZ 56.6929 517.4049 null]
+1262 0 obj <<
+/D [1258 0 R /XYZ 56.6929 517.4049 null]
 >> endobj
-1247 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F39 917 0 R >>
+1257 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1255 0 obj <<
+1265 0 obj <<
 /Length 3318      
 /Filter /FlateDecode
 >>
@@ -4524,29 +4557,29 @@ FB
 C)²¬/é>3‚u~ÜuD:ÙÒÐúCÑñƒ4”\æïWðV>ÎÁaJh{yÓî¿c
Ÿ'ˆÝ]ÂÅïTŠÅšŽfÚ5R÷…ž&›ÍŒw£OúýúÅø…§ŸôŸî‹þT,ýÕ—t?jPRèK’ .#•ôä·ýªWyºU^W1”èè…‚õøÇÛ×J…¯¿æ:£@”ÂæonÄm€æᶥ®Ýá•£cé÷!¬ðÇÒ—†)üñ‡ÇÝE»kå~W†Á»•qQƒ¯^3¾ñ¬ÜF•Ðˆ
¯´‹©ÜœÛ	@
OOoy~}v¾åN-08NE.eéù\wˆFNJt‰K;³jȧè,ÈDrî`€u%`OÐW¼jý’Fz:}1>Ê]OùÓèiòΛÅú
Ÿ~˜ÞP†«Ó´÷/	 ·(„Å‘ÞH—Ǧq¿[¹(i)íxÕ^¸ôz½þuïk†4VÕ—ZR{á‚ý•}è‡R&øë¦ôÀ?Ÿðÿˆjø…Y”
 c­c$Âê,õD!g‘º¤¼ÿµÕSÒÿ|Æ)¯endstream
 endobj
-1254 0 obj <<
+1264 0 obj <<
 /Type /Page
-/Contents 1255 0 R
-/Resources 1253 0 R
+/Contents 1265 0 R
+/Resources 1263 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
-/Annots [ 1257 0 R ]
+/Parent 1237 0 R
+/Annots [ 1267 0 R ]
 >> endobj
-1257 0 obj <<
+1267 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [173.6261 273.4719 242.2981 282.8815]
 /Subtype /Link
 /A << /S /GoTo /D (the_category_phrase) >>
 >> endobj
-1256 0 obj <<
-/D [1254 0 R /XYZ 85.0394 794.5015 null]
+1266 0 obj <<
+/D [1264 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1253 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R >>
+1263 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1261 0 obj <<
+1271 0 obj <<
 /Length 2400      
 /Filter /FlateDecode
 >>
@@ -4560,33 +4593,33 @@ E*<
 B6	moê:Ýæ9+¦äã¶LÅ“û*•`âE8FB¨ÉFˆÕ2@šÉÞW:í?ì~O넉ËYÃËc`µnLŠ®!ÀQ›%ËÁ½¬M„uÚDxJ°.Ðö@UAìøEÄê1°:
 ìM™çå}‡˜NG±Ë}šuý$6%ÿ˜ÈàÞ81ö²â|Ò‘¦hûTk0æÛ1ÐÖp†½dB9ÇpQ…1¦T87¦ûCn¬. Í2Í«š6êôH˜¬èЀÈäš|Ë"w#‚!¼Š†É8Ô”>©Pðm6gŽ®HóšñÝeáüwc|­z
¼èԃǩÔ@„éG~îéÿ½HTïW\Öúø&çÎæOÚ/z8¿îŸœ*>6hœ=‹‰ã
¶Wé›áqóökNÝCc¯ëÍ÷¯ò½ª†§.;ÁÁ‰O	ðôÜ=4­µª›zºfKeÎ“Þ bœ£æ45LzÇD/µˆü~šÃŒ‡ìB×æçæ)Ïù#á!±'2ÄŸS-±<
S½]’À©AÆ4 ²b=Eáé4r9ÈŠ^Ð×vü 0Bèç4ËÓ».†ŒºÄ°m(,åÚÔ«*³½*c•›aèÃs²Ge0®s«K§Ž|{Y4iVˆ)w¼.;&º­}zt…f½6ë±mÚÁ° ‡/Ía†6µxððã%ЀyÉL†¡ð5´ö/xúº%"/:yiüÿN9F°„Zjý8tÎZ¼t'N_ŸœPKé{"H‚à±÷'œ!#˜ÏÁßé?Ó#$ˆtàbͶ§õE3ðÝoQ÷[ÓgCG¾L ´tΆØ]MvFegC9rü¾ïûÜ Äà"°MxûŠ•~mÛŠ8ÎOMÆSíûÐqÐY aþªøË̆ÝcÜgâ—“¤þžà…BÇÏ9‚‚	DiJ|ô‘¿ÌdbÓËj·„|/°É•ók;eHûPÖ®iÍϸä¼eHK OëÚ
£!0ƒ•ñå”gôÓËh°æ´3¬?ÆíµžÒØqž°m¯´/³Ã©iý¯iÚX‰0ò£§M›ÄŠ¥¦O›ônzˆ›öº+Ù¾Ö.‘Bü@IÁèE í0µëuÐçC؇ÓØÒT½äâÎÝq:Ò9ã‹Öø¡uøòQ7£ŠñWY˜X¥«nÚ–7ò@}_ËÈN —“t'5rä‰HÆúi#G0ÀI¬ë*Ÿ3òùŸü?§ù‰צÈЖú®œþÑšº©Wê€Ý/Ó@à%ƶ<ªXOþçΛ=«ñ—þŸ°ÿ'j	?ŽU¯ñQKÅ q \!-Td üÓýC‘±¬ÿ
”|‹Hendstream
 endobj
-1260 0 obj <<
+1270 0 obj <<
 /Type /Page
-/Contents 1261 0 R
-/Resources 1259 0 R
+/Contents 1271 0 R
+/Resources 1269 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1227 0 R
+/Parent 1237 0 R
 >> endobj
-1262 0 obj <<
-/D [1260 0 R /XYZ 56.6929 794.5015 null]
+1272 0 obj <<
+/D [1270 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 322 0 obj <<
-/D [1260 0 R /XYZ 56.6929 520.4669 null]
+/D [1270 0 R /XYZ 56.6929 520.4669 null]
 >> endobj
-1258 0 obj <<
-/D [1260 0 R /XYZ 56.6929 495.6849 null]
+1268 0 obj <<
+/D [1270 0 R /XYZ 56.6929 495.6849 null]
 >> endobj
-1263 0 obj <<
-/D [1260 0 R /XYZ 56.6929 178.7136 null]
+1273 0 obj <<
+/D [1270 0 R /XYZ 56.6929 178.7136 null]
 >> endobj
-1264 0 obj <<
-/D [1260 0 R /XYZ 56.6929 166.7584 null]
+1274 0 obj <<
+/D [1270 0 R /XYZ 56.6929 166.7584 null]
 >> endobj
-1259 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R >>
+1269 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1267 0 obj <<
+1277 0 obj <<
 /Length 3171      
 /Filter /FlateDecode
 >>
@@ -4599,21 +4632,21 @@ x
 ”LK
 {÷	Óh&„°$ÌŽ>ÿ+DÞSõâ…›ëó÷¯s®Ÿ÷úÖÝó[Ý¥YlôçíˆÝ¬•šŒÙ*¥Úhϳ@׌ÔwÜVýìß®”N‚Âט	SgÒm".™.òzÞEÈ`8è@ÅÒ/}[XãiðFÏ«G·Eh‰ð)$,é™k	pÓJªÜõ—Ø×+*Éᇪî=vžAØÚ¦Ÿû¯{”¦#/“ðWU	VÓ&Ñè}à$Á¶ºÂÝ{qΪ²æO6ý1nPS?ˆÒ`Û“éÏÕ}M-[‡gUëð ö>:ªùØÈ×0‚˜SÊT¡lzñï“ËGçþGvJÐÍ´¸Îv<)}SBÁÒíyuPßögx'³ˆo´6Ù¶
Jǹg#E¼
vó²÷˜Ž*ÀÎ*<ÅÕÍú–jnžð2!]¹ÝÚý[i¨`·“ÏrBaÄî‡Ïˆ.ÆTÆ‚ER“Usà1fY#ÆÍšŽ¹é¨7­úqݪЂúA­§~Ø»¢¾>´B²HóÐ×ÿp+ÙzÐΑÃO Y8À~hUáDm¨OANI$œÊÓ6ƒI§{6Õwè²Ä‡ž×äÖ…‡ž^S€A„53´,òÔë¥0BXøH‹§ô¹¦:­Ü¬We˜ÍLÏ.¯¯§WøK'©H‹eí"•%¢?O‰u²k€LÎST4÷	xS{³ƒÅÊŠûCÅO¬,o=µ=SmëÄàÃ{®ËøØTUâNfç<¦a>R”Ý=éxi;mˆ–»wçâÓ²‰[}2bû0´¢2رeåcâÖ¸ù2»&îÒ¬*¿Äplà9âì(Ú;Ì쳪TÈ6aeAoô1OKªÐ›ÖnC“×f¥@‹•T%ÄÝNX׃¹®]¸ˆ¨ì‰ê„Þ¤‚IÔabB^ÃSK0¿¤ê@
ªäVÕçnxþØNFÔ$„Ómf«I6@yË»¯Ÿ8"$ÚðÇ@Íz³}Úvóªõ’׸éíÑL€mÍŒ‚•L½œ-á\÷èú®£$³õÎã†ß,Q¯—s¿)ºÙ²ªóÆÿªªŸø–VЕ8²´™uZCé^|¦·2}ÚÚ^®WÃÈ\k‘„Çg0Mµ¤ZC[L›ð<ÁTÓŠ›ÐÓÿš“j­Q¦¯6
Gæ×»%éT‚.A­ôxǘ®RÑ$ÃySŸ&G€ÊûÛô5‡‹ÑPÕçÝ Sð0¾ÚÞh¦»2³ŠOÏPFEÀÈ>§šß=Úã{ÛÞ:¬ãLTKCIÇŽˆ³XÒ±¡ŽÊ‚W8`–ÞÉ¡W¾˜
é5,êK‹m,´Ç´È³?ÂwxùÇníkOH܆I‚Û€Ú]µÚ«ÙÝ1ü\¬µ×ÃÁøÖÇí‹Å;åËPÐXm5;ö3\c¹}ñ3ÜÿoÔf#Z²HÄþw¹ÖPPóò×»|2š.ø«¿Þþ:²LÅq燅=À
‹eb–â\(ÚH½”Š†=ëXnzu¶þ?<”{endstream
 endobj
-1266 0 obj <<
+1276 0 obj <<
 /Type /Page
-/Contents 1267 0 R
-/Resources 1265 0 R
+/Contents 1277 0 R
+/Resources 1275 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1269 0 R
+/Parent 1279 0 R
 >> endobj
-1268 0 obj <<
-/D [1266 0 R /XYZ 85.0394 794.5015 null]
+1278 0 obj <<
+/D [1276 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1265 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+1275 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1272 0 obj <<
+1282 0 obj <<
 /Length 2934      
 /Filter /FlateDecode
 >>
@@ -4629,33 +4662,33 @@ xÚµZKs
 š¶G(î •ãÏ5	5A4Žhxåw)V6Ö‡c۔馲é.ë±ÁúVâ%½Ó&±¥séB凉HÆNžJÁ¸·x¤§ùªÀ°>4õ-Ç_tRÙaæÛ°§#FsCbØVôÄ›ÙÝÖIž:@ü¼œüÓÜA€ÔåÒJ²¨³ÓEj&ÜÄÜ‹·¯1ž¥/»àU¸íÞéxêSÌ0ÙÌL÷ƒê‘ú³â1$?Óž"ü0­ž	cŒÇøý¾0ÓåïË,JHÞY¶ráéªØü_C¤–@I%µŒ¨Ã0g•óé»Õ]ÙZý7©l©ª@½§àm¢ï}@
ÅÊP=e› Z%_`œ1 @§à‘÷±tE~‚E¾JŽn„7ævNJ@—.´È|¥;9ÌžÍ{oëŽùè‚‹:±þ™È·I°8¼Ðè)&Ú³¢¯àØsýæïÔ:ž
 ˆÃ/ŒðºÑͤžð“ÌÓ4ÀæÁ]q$™¹›úáü³+û៙ô¿Á‘‘/â¸W#œØ¬Qžˆ”G?‚aÏ…âŽk°ô¿É#%endstream
 endobj
-1271 0 obj <<
+1281 0 obj <<
 /Type /Page
-/Contents 1272 0 R
-/Resources 1270 0 R
+/Contents 1282 0 R
+/Resources 1280 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1269 0 R
+/Parent 1279 0 R
 >> endobj
-1273 0 obj <<
-/D [1271 0 R /XYZ 56.6929 794.5015 null]
+1283 0 obj <<
+/D [1281 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 326 0 obj <<
-/D [1271 0 R /XYZ 56.6929 744.4469 null]
+/D [1281 0 R /XYZ 56.6929 744.4469 null]
 >> endobj
-1274 0 obj <<
-/D [1271 0 R /XYZ 56.6929 716.8556 null]
+1284 0 obj <<
+/D [1281 0 R /XYZ 56.6929 716.8556 null]
 >> endobj
-1275 0 obj <<
-/D [1271 0 R /XYZ 56.6929 352.0635 null]
+1285 0 obj <<
+/D [1281 0 R /XYZ 56.6929 352.0635 null]
 >> endobj
-1276 0 obj <<
-/D [1271 0 R /XYZ 56.6929 340.1083 null]
+1286 0 obj <<
+/D [1281 0 R /XYZ 56.6929 340.1083 null]
 >> endobj
-1270 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R >>
+1280 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1279 0 obj <<
+1289 0 obj <<
 /Length 2722      
 /Filter /FlateDecode
 >>
@@ -4671,48 +4704,48 @@ lVUm
 (©gZ`$áWë¼iÌRlrš#å!/Š!&£:çò³än„•DJ›Ÿy¤ø_ƒ­c÷àn®Î‘Ó¨0‚r"åÝåeZS—Ž{Cà=µ(tlÀ!¦Âë|iÃDŠ3¼\
Ð
O븕íRgW7ÔÁ‹¡vR”ÁЛdžáÙ©ÈÃKB‡6…‰r…É^=GL` о ;ËI¦n¶ÓÈÛY´­èm¤Z&[ Ao”¥Ù§²åE‹4àvXé´ âï-nj3_Ñc¦Á/3'Kscqa}U·¾ª‡¾ª«Í½Ë†t·—Ø}žfv—	5t‘`¯ZØUÊxì5Ïe·UŽ Û¤µ¶ªÇ|&L]Žs'q¶6FŠ‰êaue‹ü6“KáŽ÷haG±«ì´-,ý¡ÁNŠûO<Û_7_¶ò{G~+÷EXk,nÞiÓ|‹ÖvOT> endobj
-1283 0 obj <<
+1293 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 255.0679 539.579 267.1276]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1284 0 obj <<
+1294 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 243.1128 117.8035 255.1724]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1280 0 obj <<
-/D [1278 0 R /XYZ 85.0394 794.5015 null]
+1290 0 obj <<
+/D [1288 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 330 0 obj <<
-/D [1278 0 R /XYZ 85.0394 467.3023 null]
+/D [1288 0 R /XYZ 85.0394 467.3023 null]
 >> endobj
-1281 0 obj <<
-/D [1278 0 R /XYZ 85.0394 442.1291 null]
+1291 0 obj <<
+/D [1288 0 R /XYZ 85.0394 442.1291 null]
 >> endobj
 334 0 obj <<
-/D [1278 0 R /XYZ 85.0394 305.1414 null]
+/D [1288 0 R /XYZ 85.0394 305.1414 null]
 >> endobj
-1282 0 obj <<
-/D [1278 0 R /XYZ 85.0394 274.1939 null]
->> endobj
-1277 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R >>
-/ProcSet [ /PDF /Text ]
+1292 0 obj <<
+/D [1288 0 R /XYZ 85.0394 274.1939 null]
 >> endobj
 1287 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1297 0 obj <<
 /Length 1218      
 /Filter /FlateDecode
 >>
@@ -4724,39 +4757,39 @@ xÚ¥XKs
 dsæÎ+tPÙš'6Ú^X3õ¼§ŠŸiAÅÓ3Á«SÛªX-—gÊ¿º¾;À[ø£­\rÝ=¼§ˆ§L_®‰Êà@”€­¹¤÷sÍÛªÛŸ›ä;`ÿŒ>2À´l›:NŸ1©Rö2oÙé ³¼mV`sukË›U+Sñ|ƒ+ªä)Hr®ÒÏÔéþÔ#€¢tmSk[,X=$yÉšƒš5•º3Ù9qlL Ñ'ÿ+J!yvx¶OçMÃÖUÎ.{“æ§\˜¿wq†Ÿë,q=ùR1|ºyꉩîgP	‘ŸA®Šm©~_g5XІ®c#šÕ¢P—u¦n[V&[7é²å8å†ÝÞÔæá«ëŽ!™¡l–VÒE~d+þDsžRy–׬Š\ˆGõÞOÙa¦Ò§èÖgÇPöÍéfWY·*Üh™¬DÝ},ì²,p¨ñ¼B«\¨‹@OöZëQ‹íª¸Ó•ö‘íê’7ôûÿvøª¼‰"w_«wßïn¨Ê‰H)± ´Ù~ð
 ù¶ò
ý_ÿP¤Áendstream
 endobj
-1286 0 obj <<
+1296 0 obj <<
 /Type /Page
-/Contents 1287 0 R
-/Resources 1285 0 R
+/Contents 1297 0 R
+/Resources 1295 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1269 0 R
+/Parent 1279 0 R
 >> endobj
-1288 0 obj <<
-/D [1286 0 R /XYZ 56.6929 794.5015 null]
+1298 0 obj <<
+/D [1296 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 338 0 obj <<
-/D [1286 0 R /XYZ 56.6929 769.5949 null]
+/D [1296 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1289 0 obj <<
-/D [1286 0 R /XYZ 56.6929 752.2028 null]
+1299 0 obj <<
+/D [1296 0 R /XYZ 56.6929 752.2028 null]
 >> endobj
 342 0 obj <<
-/D [1286 0 R /XYZ 56.6929 681.9672 null]
+/D [1296 0 R /XYZ 56.6929 681.9672 null]
 >> endobj
-1290 0 obj <<
-/D [1286 0 R /XYZ 56.6929 651.209 null]
+1300 0 obj <<
+/D [1296 0 R /XYZ 56.6929 651.209 null]
 >> endobj
 346 0 obj <<
-/D [1286 0 R /XYZ 56.6929 616.9944 null]
+/D [1296 0 R /XYZ 56.6929 616.9944 null]
 >> endobj
-1291 0 obj <<
-/D [1286 0 R /XYZ 56.6929 589.1412 null]
+1301 0 obj <<
+/D [1296 0 R /XYZ 56.6929 589.1412 null]
 >> endobj
-1285 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F23 754 0 R >>
+1295 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1294 0 obj <<
+1304 0 obj <<
 /Length 1125      
 /Filter /FlateDecode
 >>
@@ -4767,21 +4800,21 @@ xÚ½X[s
 &ˆÂs`Ñ1XבbþÂ)ò™´Àcî„b^ìD½©Á©»â‚õN·Äí_‰ÕÒsbÚ³(Èèryõ@:GÎÖî‹xé¾=Æ2ªbw)5K‹.üµÄ6ŒT0Ñ›wO¾Ì'‘ßßZZ	
 Ö:XyKœýuªIM×ù]GÌ;ñ¡Ñ^ÎÐèÏç¤7Ý-½‡P-¯ª¥=L]iV:sYËÙÖ+¢wŽâÝ[ê•<3ÏGMbÍ$š:ÖSÔ_j©j¥¡Lí2LˆMMoÔçbÕxÅó"–W#SÞp2Ûä˜m²³]Õí-g¢H4»9³ÍEm¥6¡nézw6
݆:¶F¤ÍdT©^Þ£†Ž…N·ÍÑcjf›P3T­ƒf#yÍƲԣXãTôt˜ºÓStAÚFÏÁYFPBFnÞ‘ßý|¯¯žá*x¢¼Å†¿‘\¥øÚñO£ÔˆÎk™g‚˜T
­âŽÎÔ0˜çŸK#…hE£žvÉ”Ëõ
;φ\3É‹'w÷…¶®Õ‡§¹óš¶7_/3Çϯ#¼Ì•[Ó¯ŒgT|@µ<+Úux1i2—‰Àá+²ÃfïE&pÂm^/NݨQ“9‘†Ò>BU¼[MO«˜Àä=´á!T-7ª³Ÿ]woÒºLT,K+_T5\yQŪ-Í6R‰º¹Ï¼|Ÿ=¤þ?¾ Aendstream
 endobj
-1293 0 obj <<
+1303 0 obj <<
 /Type /Page
-/Contents 1294 0 R
-/Resources 1292 0 R
+/Contents 1304 0 R
+/Resources 1302 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1269 0 R
+/Parent 1279 0 R
 >> endobj
-1295 0 obj <<
-/D [1293 0 R /XYZ 85.0394 794.5015 null]
+1305 0 obj <<
+/D [1303 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1292 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
+1302 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1298 0 obj <<
+1308 0 obj <<
 /Length 1171      
 /Filter /FlateDecode
 >>
@@ -4790,21 +4823,21 @@ xÚµX[s
 PäYвƒæ­±üz&Óò[$}€ ö±wÉœ2U\ɉ?[û„Ä"R1ñ÷ÕQÕl5²oA××uºÁšmqò„°dœ_þ­[ãä=5=6ä
°·%qº‚ýE;Vz-ÿ‡ryB⊸¾[ˆŒ†Í5MÔÓÉÖžˆˆ$×È/YLEáy!Iøç5ocJ–¬K$å¯$îhÿ5%\¾P";ÔM‹-‰JÙž”	$’…¢/‚L³T…_=‘tôS!"Ãõ"VoØÇöüæ’?Tn×v…ª±â\P	RQ^CËgÎü|ñéi†õ}1ÙP eW‡êŒLB®[
 Ÿ¥s_YÁV@9ŸELîCao¨b0oŸcLW¦Už%IQqŽÙ’]‰¢¯Dnùÿ%wmRwKOSÙµµÖ}‰.Ø}7®Œ§¯,jÄhÁšÓÏ[*d{é“v[ª"€ÈÈY7ÕZ‰Üxt©¸’mzz@Åz&’ﮀÈyt…¨©rÖ´é`"•¨,Õ÷’§@¶rÝ»:ÁÊKH°zŒ‘$R}ee„dD®	)­Ó©]³;ç;Ø,£Øo#eÑè’6™Š3ʹYÅÛJ_ÜÝ–q1Rµ‰ÉÓd|A-XÓ(`e}û¹ö¢u¿©j¦?sèŠèXiïj{#}ãmDk»©vjeG®íŽ-èªjÄwªwè¸ä%Ö_z«”3¹Þì«°¤ÞE”KnN¿´š>Ök/ôå§õ”*¢—&š_ï¼,@z4™g•’\ŸMaÌh"‹#¥Üq—k]ÓAšå@}úÕpì¥þ÷o¼úíxi+ù>>œŸa«r~†=Ú¾Ù“ÒšÚþóò4îœú}ƒ|Äendstream
 endobj
-1297 0 obj <<
+1307 0 obj <<
 /Type /Page
-/Contents 1298 0 R
-/Resources 1296 0 R
+/Contents 1308 0 R
+/Resources 1306 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1269 0 R
+/Parent 1279 0 R
 >> endobj
-1299 0 obj <<
-/D [1297 0 R /XYZ 56.6929 794.5015 null]
+1309 0 obj <<
+/D [1307 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1296 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
+1306 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1302 0 obj <<
+1312 0 obj <<
 /Length 2511      
 /Filter /FlateDecode
 >>
@@ -4818,58 +4851,59 @@ xÚ½YQ
 œ0¸4ß“'$Bm%R‡ñîp„;\ á"/clp¸8Ú×8ö‰:9]{‡úÀâˇ,æZÜ¢Ë=·ó÷TßÛ{m§±<÷ô+–Á—ñìÿéxñ ãùø¾i˜Ñdüüë\Êy8Ø)°OwD
^5=z cp8´^4œU8
ªþ4¨‡?hÑk¯åPw	¹QN·0¦#œYB'˜Q»SÓÚ,»)—ø³!âc’QS’Èb¾Ü·´¼0J¤ÂãZåN¡N€I|Ø—}ˆ’]бn°n¸ÜFþ‰ùÀC<€šM÷2ÒŸ‘HÖ–¶ÃÙ§bZT*¸ï»€ôÍ稧D'º€c°Ë?"D;y^õ“ìÚd\d}¥_VFװ¨¬a>öG£¡Ê<Ó¬P©7ƒ«ÚZ³ŒôÒÝ£šO»²ìÍ•Še!¿V-˜X®t8`©,à¬(ü€Ê(ˆÇÙ8qÜ âîRýToç,–¤èM¡,õçTW?¨/ƒs˾F©³åç©B—1œâöõ·Ãç\hô’"L}ü„jØ)‚êП)°‰q«ýªé\k‘†>îGRŸÒÀ_xFhè€5‚‘?
 [â½õ!¿Ö{K‰"Ôÿà swÒúÀ1«ä£ûŒç£‰Ä\•kؽxßÃ÷fa¿>ìâSêâåá–ïÐÂGi.|ãÌCã–À`g¸SK00žlEWþþÃ=ÆÑÕ;R®‘e´8ˆîû“2‘1þ³8qKÊúnã/ÿyøwz¶¤(Äôuk‚wÐpâFá.¤êØòþŸÎSÓÿ*Ûendstream
 endobj
-1301 0 obj <<
+1311 0 obj <<
 /Type /Page
-/Contents 1302 0 R
-/Resources 1300 0 R
+/Contents 1312 0 R
+/Resources 1310 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1305 0 R
+/Parent 1315 0 R
 >> endobj
-1303 0 obj <<
-/D [1301 0 R /XYZ 85.0394 794.5015 null]
+1313 0 obj <<
+/D [1311 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 350 0 obj <<
-/D [1301 0 R /XYZ 85.0394 612.8238 null]
+/D [1311 0 R /XYZ 85.0394 612.8238 null]
 >> endobj
-1304 0 obj <<
-/D [1301 0 R /XYZ 85.0394 582.6371 null]
+1314 0 obj <<
+/D [1311 0 R /XYZ 85.0394 582.6371 null]
 >> endobj
-1300 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R /F53 1052 0 R >>
+1310 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1308 0 obj <<
-/Length 3703      
+1318 0 obj <<
+/Length 3862      
 /Filter /FlateDecode
 >>
 stream
-xÚ½]sÛ¸ñÝ¿ÂoGO#	LŸr‰“s¯—»&êt:w7SJ¢lN$Ò);î¯ï. @‰”ÓÞL'ãØÅb¿qÉ៸Ôˬ´—¹M™æB_.·üòÆÞ_3@³êûùÅõ;•_Zf3™]Î×ÑZ†qcÄå|õk’1É®`ž¼ùùûÛ÷ÿøú*O“ùíÏ®fRóäÝí_o¨õþãëŸ~zýñj&ŒÉ›^ÿ2¿ùHC™_ãûÛo©ÇÒgbÑ7ïn>Þ|xssõûü/7ó~/ñ~W¸‘/¿þÎ/W°í¿\p¦¬Ñ—Oðƒ3a­¼Ü^¤Z1*z6Ÿ.þÖ/º©£üœI•ÉJ1Ц­Õ—¹¶,S0„|*vWÂ$«r×^Í”åIw_tØɲ¨©ËA”Ý~篪5ö¬K¨;ê.êöÉ/#’u³ë•Ôh‹­o}Ù—mW5õ««Y*³¤½/vU}wN«y„Mé—­›yŸ	Á¬ÖÒíb[|†iÒ–²n})Àï²ÙoVÔ,ËšZ¸·ëý å<¹í°W$Õ•HZj«mUWm·+:\äà»Ã 1 }hê¶ZTœÖ=ÓP×x”u»'°@MýçònÆvsÌß%î宪é;rØýX•OrÕÐùåËbïøâf·»+“ì~×õTu÷Ô*èƒgâÖ^…éËû’ˆ»`¹ÙeÎAÜ%·âI@³Š¤SŒ©w€"NìÊ%ðýù³ÍY–ssÁë…àôË!ê¹D©“§f÷™Ä~AŽ-ËŽér½Íš¾]˜Ó–»G8´,*M^×´nêY±h›Í¾ó°Ew_ƒn „ËÔñ`­cqس)ð̤`\ñl(COÕf iê$]¥*é@Gjê*ZúÒ^6°îcjh¤»¯<ÌaǸ]!„Û¨"1!Êu±ßt´À¦Y2aˆ¬4¶MÛQ˱æ
-UÇýlöÝÃÞѦÚðCó’Ý9™»~—Æ¢Ò«ùdÞŠíö5ÎÌ'ø	SÖ Ïp,¸;üÒ>±5ºOedr»&€bn°)4Ú‡rYánÊÕ+Òzwš8ÔKÓèZ `ÈÇÏ–:œØ0BeŠeœç~{lŒÌæyæ¾{E“JÅTžé¡ÈÄ¥â˜,•Êdízš-<ÝWË{júI2ˆ<“€™ìŠ]‡ct˜"f™_ïžÌ6.ü<ç`¬W ã‰ê4i¨2™‚•/{ÖPÅPÓ†ª‡B¬ŸËçÙ¤±"g:OÏc@#ØÆJJ¦µVCôÿ¸wª-xòPî@é¶d°¸MVÏ Õ’÷«Â™h;›m¹ìýöÿ»©ËöÙ":\ÁOºžîË~,Óƒ>움¯¨W^à89:©]õHäH‹¤ÆÁHsXxÈu³¯Q­Tj“jMpc‰D¢œÄÈ@4`³C˜È¼›	c—æÁØ#ˆü‘52ºÎí¾õ>xápá½îÁ௳‚«3Ë„ÉÍyÁ¡¦·‡êçì+rîXj¹eA"Ïâî¡N‘+Ë­SeÁ°ÏÉÍ(0->Q*Oú>äOÙ•cvÍZ&!Üõ†
ã6œA†–€`gE]Ο—b{3Ôá\|Ý­Ÿ}§;g
-^y‹ÃDKÌX™jÀ•öÄYzD÷ì.Ë„ǺàìëݮآۈáÖ	‰és“Xô%ÆÀô»-Š]ÑQ$ÒœAâ[(Ò3Xm=hDaqÎ
¾uY®ÊÕŸ‘™Tï]ïë%\±©\àÛO}ÝW›ÎwÕ§Ù3‚»WâÔ“ûø3
- ¦T%*ÏÒT"‚:£ÊùA4æwm[OG5BÈÀ¬g<2XÈ%ÎêÌÐH;㯥Í=a®"x×"ç,B2EóÉ9»¶·©Ø.ö«,ÆØ{K-BârµÒ›qÃjxh’v*ðŒßÒ€óŽØIÞñUHîvÛb³y>"Óæ®Ënyýy·ÐVêŠÅ˜AÕ,‰´%!É“ÃLé,$Њx?C·‹) ÚM­1þßR×oR¦žN˽1,ÍSåÑ®êözd7®ZÁmÄe¶j¶E5óç9˹	ֻݘd~eeÒe˜
;™VF³\¥ÙP¨ƒ¿1®©a™ÎƒmuÖb’–ŒC€.Ãö¡@±i›aPЖݤ©KUÊ$„!çM]5mêz¨â‡AkÊO_@ÞC`Ø7aYnôzŠªÀ-x\»xx€¨¬W΃kï|uðÍèŠ|¶M’¸ø¹¡Ž¸p¿Éža뮬Kt—+šáæéá*ˆ¯•å!cšÿxóÏ‘c•9Òt×÷18î H
-âQ’µÜT.ô6‹-¬³¹šfQ”–jn_ È2žg!,¿.!ò½sv‚ƒzz|Ûâ™ÍŽÐõ.sÅFá°wØ¥¶ê¹êà£F˜5­•€ÑVùÈYZáÒgì~ðµ2ؽÏBçLCŠ;Ô<_Ì=l¹C†o?48dk|ò`óPõ€Ö¢±#"ÓL¤6¨n8H¡ýÆ+\BdÕ°YŸS£Ÿÿ4‚ZVåßfÀòh™Ü\‹ägØåî©jKÏ%•s¦Œ°c¹º
-'«ã’ÊC.q	<— 5Á%ÀÈePxSLü‘-÷åWj¬ª;ŒG8ÄSh[}–C öãd.2Fâ}M	v¶,ZÊYu>¢C¶ÈY*`©a¥Õ!v<A.Á΋°“6Ic}ñØ[$쎫Ã-u“†pˆàÅ>T”6”XŽ›~by°üZçwE]l÷‹ÃR6ÙTŸ½ã
-ä
´'¸ÙØ’ƒ¹É.Už‚¯5ö[n%$ƒ\ÍŒßIÌ‚³xÅS›oav™aÎÛ›‡?gdd³‡£ÁŸ`¼ö‚û–ŠoxÔ»x„…ð±ØU>–MßW%Fa5–µ&üµJ%3ùKÙz5í¯{¨ƒ¶Ü#dzõp÷P#ÈÕi¶~„ݹk	Æõ-•[\•cöC¹Ùl8KŒ ”€c×Â÷tav%[òíØœ3õnly¸¨2ÞmÀFÇj£SIÆÁõc‚r#Àš¬œJ4¤#5pNg©ùïâ\˜¸fR‡¤
-zÉ–ˆÄK\s$“MS¬|OX"×Ü—ä`g¨£a¯g´ú’-9[¥QžŽJp}±-¾]"lx+Ôת5Ÿ¨£ÂùidŽ)õ!sL°NpÁ´H_@ÞC`2/c)V²èç!Š+zÙi´ä)tñ^î…B`¯0¸•öhÞª€|ºhý/*fX÷QJU·»n]Rê­"LOIfàی͎B—]½ZzͪV‹ñFêLFiJä{¡8º¬Š5qP¨Ú±XÍŠ°y\h<>eÅ^ˆK™*f¾ñYÄÙ¤_q/é$bx?&`™ÔÚæ l”a©`&U"¾NUXVò—n‘b¨3ª \} Ü¶]ÑAøW-Û)QSŸ¥¢‡!c 3°e¥ Ðá]tÆ=¨XÇ—™†÷:uŠÈÍÙUs/ІÍÑ-§ACTÜ…ý†ý:þÝDãj@4ܹ×”JbWx2à P>ãÉ3A±6gæOe,Û1&™HÃ&FdX2Rçå%š—äJõÕjBFŒe <ê,ÞsŠwÃéÉl6À;¿#!‹š®P5ºW9˜Ó¼—wMÓù›_/^–­ï¸}.r0ÿËéBœskN\eü€îð6î•NO<å˜ö5ëpCŽÙ•=º¥Ìàz·¯¯\ÐÿNa,
V9¤2i\N…Ì•8_ܦòƒa§«¢æ<Ü]ACg‰.e<Œ¥cO…»ÉÌIs°§-k?¿­îêbÓöÃ>ô¤–]¤Ñ‰óUuMA…IÃŒ9zÔ’Š4ùDÅ"	˜³rwt#V·$º£97¸úL„zUµ·4Å“˜&ô’Ého´«ÙC¿ã*þ> J15ÌÊÓQ*…`ï"\LI°œ"?:yÕν³ÒGÞ®ñLE.—²ûˆº¤†_Ýú(¾Co›G÷("U:ùÐt~ÌéÈí¢ÆôYFN0Nê¸ÐìâD$>{C,ïÞù¡‚pé½ÿ‚xâëÐ_݃Áeò¤þD[Y7qzâÓ>¸(ëå¦iÃUxÿ~­Ù÷ùõ—=0 4`¦¤/˜ÎhÚt <á}æŒSNVäŒs0ìçÐ÷@§ø‡5Cà›Éõ€ò°ZÇV{Ö(êX§v/®:¨€ÖÑM“Qé`üËÞ½±ªÊ~ è¨•CtüÂÝ¿ií%Ô³‡º\0Þq¸ÚÝðælá:ÛŸ!†ËŽ‰WpÈ›Ó,¸ÝChÛŸÓxmPçqmðÿݲs4Ág™2“ñ@¨éh†ozG„
-þ|zóÃo>]Í„Ñ"yûÝ›Ÿîo?QWæçøöîã;‚Xú™˜ôÓíûÛO·ßÞ^ýzÿ—‹Ûû¸—þ~W¸‘¯?ÿÊ/—°í¿\p¦¬Ñ—ÏðÁ™°V^n.R­˜N•
+õÅç‹¿Å	{½nè(ÿgRer„RõhÓÖêË\[–)èB>»+a’e¹k¯fÊò¤{,:l‰dQÔre·ßùïeµBȪ¤Žº#pQ·Ï~‘¬š]˜¯¤F[l|ëë¾l»ª©¯¯f©Ì’ö±ØUõÃ:Íæ	6¥Ÿ¶n:ä9l|&³ZK·‹Mñ†ITʺõM\þ.šýzIÍò©¬©5÷H@{³Ú¯ARΓ»¡"©®DÒR³Xnªºj»]Ñá„ ß:‰í¶©Ûj^­qX÷B]]ãIÖížÐÂjê_8—{˜x0¶›cþ.p÷(wUM¿#€à§ª|ö˜Ë†~‘_®±(öŽ/nt»»2É~ëè;ÐsÕ=R« <7÷2_<–ìDÜË…È.s®™äy>!ž„4ëc‘tŠ1õXĉ]¹¾¿S¶9ËRcÎSH#”ûz!¸}àrHúÞ	¢ÔÉs³ûBâ	° Ç–EGërÐfE¿]Ó–»'8´,*MÞÔµnêY1o›õ¾ó¸Û¢{¬A7PÂeêÎx0×±À8 BÖ¥ž™Œ+ž
eè¹Z¯5M¤«T%èHM ¢¥_ÚËæ}
+H
õt•Ç9ì·+„p[U$!F¹*öëŽ&X7‹°Lè"+MÓvÔr¬¹BÕqŸÍ¾Ûî}mª
š—ìÁÉÜÍû´/*Q]È ó–l·¯	up¶`>Á_H‚˜0§y†cÁÝá/í[£ûTF&w+B(Æð“‘²A£Ý–‹
+wS.¯IëÝibW”¦Ñ¹@À7ŽŸ-œÜ0BeŠeœç~{lŒÌæyæ¾¹&‰I¥b*ÏôPdHâRq¼,•Êdå ͆ž«Å#5ý DžúIÀÀLvÅ®ƒÃ‰1:HÌÑg™Ÿï‘Ì6vÎý8ç /*ЈñDuš4TÀfriΪ>Ö´¡ŠXHõKù2›4VBäLçéyêi„úÀXIÉ´ÖjHþNµO¶å”nC‹ÛdùêQ-¨s¿]Îì@ÛÙ,@hËEôOÿwS—í5Ù":\ÁO@ÏeÓDÔí~¾ôŠzéŽã™¡ÞnwÕ-GÉäÝÇÏŸoßR˜IƒAPâ Ð1÷£V;FSZ%ÕŠ`Ñ9^ÿìèЦ-?ì}ˆs°önª1Û§3'É£ŽûHŸÕP®e.“;í¨Ë… ÁEá÷Á- ”äx¦rãLádž:”Ð%/•4Á—ô±ðÀº!@éù±ðt¢·IÊ‘òcÐ`l,„‹šº+ &rVÌÅõ,~ÃñyÌv¿aE;b¾„±`†ŒðÖi^ÕKæ¿fǯG&K™5By„]½\àTc3A$-Dêi»ÇëÌd: ´eÛs'¦Ë4ËÁÁì<Ì„ñƒ¥V‰óƧ5m|"Vt€³ß0<¶<ÜÀ´`UÎÒŽX§Ä•ðÜ…€j@ýžBe¢*•'†B]vå˜o²–IHY<ïî:AΦ€€uI Á/ågØgàÂøuZ¶zñ@RîØT×,Ì”¥µÉÛƒã\ûÁMM-“|_îæ4-õiúé­•ü•ð²†}OEµ.æk¿Œúk²Ç,¸)’½ª=$±©=^t@ÈQ/ª-2<›±‡¨¤6²™²^Ÿ‹¯û*fñ).ŠæÝ?ÙS`ü†:\Tƒ@r¦×Áyî6Åzýr.Í¡3º)»ÅÍ—Ý\£'êŠù˜AÕðFß'•É<ù(@””…ÄZ=^àg»¸Ð!¢ÝÔC‚
~‘2õë47nXš§Á÷.ëöfd7rXÁN¹Ì–Í"‰‘ä9˹	Ö	»Ý˜äþÊʤ¡•aEÃÉ´2à…Uz”¾1®©a™ÎƒmuÖbr-àì2.Ãö|ü†B±n}•e-^7iêR	[¯tÞÔõ±¦M]ÄYü0ñH™áé+Ä#Öõ}–åF‘§¤Ü‚_‚kÛ-Dße½t\{竃oFWä+Ð$‰ËŸkô‹OøMö[e]¢»\Òg0OWAŽ¤,Yïý÷·ÿ9VØ„€ô)ê
+Îïó(ÜA,Ä£Dy±®\¾ lÖ·°Îæjy´¢\°TsûÊ‚,ãy’ùò·¤+ÎNpPOOoS¼P£Ù¹pÕlÄ`»½ûÈÀ.µUäªÃwŽqV4Wv@F[åÓi…+ xëë°{_Iœ3-s=´Ã¾ˆ›{Ør‡¿±kpÈÖø¤Ïæ¡r­y9œCÄ-RT7œEƹßx…3â'DVÝ›ð95:ðùO#4 eUþûŒÃ0þ¿šåZ$?Â.wÏU[z.©’#ìX½E…“ÀˆÕqIe‡®—Á§ÆYà´&¸¹*°oŠÅdËcù5–ÕÆ€#âLeVŸåh†ýß8¤3ë"c\¼¯ÂÎEKuO„è3•BÚ!`ªaÒí;Ž—`çEØI›¤±þÀ[$Çþ–@Á¤!¸¦Ø‡.%î€Ö„ã¦ȮËß*ðü®0ˆí~~˜Ê&ëê‹w\ayí	n¶oÉÁ‰"J•å€œÿ7K2bHÖFï•faÂYÆS›oat™aÄ
+çíÍÈŸ‡322ˆÆÙÃÑàO0^8y¬¹’+øÓ—fï]mŒ½àcßÆÒÃÁÅû ,D€OÅ®ò±$||vðÔË£°K“þd’¥ékþº5í¯#ÖA[}9a$[…vÄ!®N³õ#êÎ]K0®ï¨LæJS³ïÊõzãÄ9XbD¡AséÂè%[òíΙ ƒ$›‡ªÍÃeàñn5:VÛË0•dLñPá'VnX“¥ÓA‰†t$£Îé,5ÿ]\€×Ì¡Êí¨‘Tém‰H¼ÄÅÛ?™¬›bé!aŠP u\’ƒÀPE¨g´bÙœ­Ò(OæLm.Ü5¼Ù‹÷
šOÜq ÂùadŽ)õ!s<˜ÖKïƒ1í©UÄ<6¦zŒsã“z'b\ØWªd}¬i½‹X.RÀ+ÌÙáâlph™½NôH#Ľ§Äth@ý>š¦ðë¢.Ç4¼
Gä’èÞɼ;¾È¥œæ–LóԾ»ÖÞ,gÆ÷›íëL‹ôâk„úyK±’5 ¡~E/;–ü
+]<´¡ï¦·Ò[O­ÿ¢Ba†7>J©ê¶sWæJ=zHËÆ“ƒÆS’ø6c³tèé±Lí5Vµœ0Rg²—¦ôücŠ£Ǿ&êÕhÍŠ°y¿Ðx|ÊŠ#¾—b0Zó‡8ã¬?¥“ˆá§€iRk”ƒ@²Q†¥‚™T‰þ•è¨ªθÒúUéaQ•€åêå¦íŠ¿jÑNéŒÊ˜Â˜øì*"ÖÈ2:[V*͇ëð.‹÷tÆ=ŠYõ/¤
:ÓŠž›²«:ç^ 
›£›-ƒ†¨xnâ†ý<þíKãÛ@4ܹ6”J"(<ä™a¨À•
ãÉ3W k¶/ÎÌŸÊX¶V:3=
›ƒ!x¼³ÓÇš˜ˆåªõÕrBLŒe ?ê<é€4BzȃýÉl6$}?~SBv5?\¤ìjïvå`Tó(#ó÷7¾j¼([¸{®s0Ìéiv8;æ朻ÊøÜá•	Ý.ÜrÌJceà&¼uÀËÝÕ@~p³Û×7N:è?ƒƒK†1z6i¿¨
+ù+q?¹Må=B «¥æ<Ü`Ahìé]ÍxÿÞúžw	“þ ¤-k?¾­êbÝÆnú¥–¤Ñ‰óXµ¿§5i¸™1GÏ“R‘&Ÿ©d„¨#as–B¯ƒ†ôäÕMéîhæ
?!Ž^V-Ç-
ñKLz“f´7KÚUîßB)&ˆy yÚK„ÎÃõ”û)ò£û)Õν´ÒÇß®ñB¥.—¸ûDÒˆº¤†ŸÝúX~)’Þ4OîyKªtâ¯è­¤3¹cÔ)Ks9Á8©ûåf-âé"pˆèÝ‹MT.}pÀ žøj"ÄG`v‡ƒ<Úʪé'Ù!J!FY/ÖMÞÆ—ˆÍ>fÙ_÷À€vÒ€‚¡’J¨óö³‡4m>’¡ðV
3Ç)W+rÆ9Ø»sä#Ò)ýaåøfr=XùY­û~V{Ö(êX§vWT@ëÞ}“±é ÿëÞ=d©ÊØáž@«WÑý‡,îNk/¡ž=r!mx‘ã*xY8Šsßm†JÕÇDœ+8dÏif{ï0?žÓx…Pçý
+áÿ'ÆeçÖGœeÊLF¡²£¾Î*~8û‡^Èã“c&\¼Ì
¸˜Ä/
+®ù©:ú×â§Kÿ~óä›endstream
 endobj
-1307 0 obj <<
+1317 0 obj <<
 /Type /Page
-/Contents 1308 0 R
-/Resources 1306 0 R
+/Contents 1318 0 R
+/Resources 1316 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1305 0 R
+/Parent 1315 0 R
 >> endobj
-1309 0 obj <<
-/D [1307 0 R /XYZ 56.6929 794.5015 null]
+1319 0 obj <<
+/D [1317 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1306 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F39 917 0 R /F48 975 0 R >>
+1316 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F39 927 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1312 0 obj <<
-/Length 3701      
+1322 0 obj <<
+/Length 3700      
 /Filter /FlateDecode
 >>
 stream
@@ -4882,86 +4916,92 @@ c0
 `ÀÆ8tÆ8`OKx;#ìÍ3¬ÀcëWú’¢¡ºú ƒõDp
 ¥Â±
 e—ï»ÎIlh$6#É*ZÔ]§óUÕ4_³q¬ÓpµÒOìP3«>}VVRøÆæ ÔØlŒmÎHÍamœ±9	´kF®tŸ_¡x†o3‚«8tVð„Çqà©(–çxˆuZ€–ñ}Ú0}äa‚‹–ê<	k††±'àÌ“`Lù¾ ú>èßX‹
çû ]ÖÆMAëeSæÆ´ ¶ì/£ÏÃý§ÔâSŽM']ë6#]äcñ ¾»+#ä37
-RŸxq$Žm<,-CÐ%MÙ=¢Ôc•Ø=ºý®Èzž°ªf¶Æ©Œn4ˆÉJÁn¦NܨUw:¸Q˜P^ËyOŠÂf–Åú9k¯Ú}}e˜pÅ,EŸ¡0Ò‹‚$“ø»/}´
Sqóa"{1Ä©ˆƒ7ü–E_
ñgÄnºêÈk‰‚ã\×=I67Q#‚ŽÅßb½EÇÑjHÞˆH—Y†{M»¬…Èm_e-ÁéÊ``h,qÀ(
+RŸxq$Žm<,-CÐ%MÙ=¢Ôc•Ø=ºý®Èzž°ªf¶Æ©Œn4ˆÉJÁn¦NܨUw:¸Q˜P^ËyOŠÂf–Åú9k¯Ú}}e˜pÅ,EŸ¡0Ò‹‚$“ø»/}´
Sqóa"{1Ä©ˆƒ7ü–E_
ñgÄnºêÈk‰‚ãPyÑ=I67Q#‚ŽÅßb½EÇÑjHÞˆH—Y†{M»¬…Èm_e-ÁéÊ``h,qÀ(
 ÀÙÄND
 -R’„–ÿ$Q«]S•ùÜuÅÀ
 eÃ2–ôœï¬T¨¡ì	@¬ìUMžÍI¨žŸúVtšaºñ"M=Ja5%›émCá”
r(Lr."[7ûÞÚg=ê¬ßÓ4D,8ePe
 úoDC¬ÓÕaMª±dSyŠ1‘³8¬
-FòC²%ñ˜ŠRAÖ
¤Û#ÄX!l·¡A>PÈT"È™J»‡´QÄ^3ecÇ&Ʀ'8tðš© ¶ù=##2+Hó V'a8yD<é%Ú?_¾á‡XgîÑbMî1«žŽ½"™‚"ŸÝßaÍ0¶&i0¦À\cˆ%ì߀CÛl±KWˆ`s…0WˆÞΠ+Ä1w…\¡òýå¿.!ʪ² Ôç¬Ú뎷´š‡Í6ËWÝ&à^#)©Ï±d~bêê®ÌX5å&‡26ÄA„šâÈ DCæ[SÐȶX¸IèpœüŒ„WÁ˱DkˆJÑ\ÌÈØÈ;)c8ôP¼!b¤Óf‘þ·ÈëÜþ‡À눀ٸkH…]¡†]Ð#obS_¸°+”6ì‚–
» I È…]Êès¶ Ã1 RØ ŠŠBÉQ4æ#/‘z¾/ä4,"/¢bOªhb9fƒ¥Ø‹…ˆÉŒ(¨ÈºXhŒ\l"ˆ)Œ0ãbCåE÷\l’:‡ü¦MR_¾ícešŒ]¬¡—88Ss<Ê€¨cq¥2…J=áËdâ˜ÿ¢o¢Ð˜§W˜Ö±XHÀ®iûã€QxJBÀrvW‡5³í8PTž‚°d¼/×æÔò—÷?_=¼û™:†hA¾»ß®©üf459ÌŸuG¨tâJ‘.Ÿ±¨f@dõÌÔºpÐ÷·÷4•óí¾É›Š÷j³G„¡‚æè—UäJM8’8_à {M¸–¤– `h6!Eâ *q„öÍʺzeXÝ…T}Jl¼–¸#J¯»Žð7èÅ)BL¨˜hÀmQõ·MfJ•hÑ:b“iHŽ*{‰´«Ûx&¦æl‘OD¨/Êzå+¸Ÿ+ÒÛ9o±Adj¾=’Ø@ziMÞMu°?ðŒî5ŒRË
h‘Ðà!úï	bd5ˆµŒý|);|ðSë&Ö'Ñ×…–²#»39Fâ{ÒÕ™œ‡€Ýúì+
-,6µqG:ï©_ìIš{¬b¶I¼VÖe_ZÛ75ÞÒÓ¾äûU“ñ{‡}+9ø£¨¶ßïØš—[ëêbützÊ‘Øå»ýºÞ›ÇìnÚta
-‘6Î:!Öi'à°L¤ÓêGݶºX=¡$y_aÔùýÖÓúœR"S`tGM+‡ajR‰eUò³ õ¯;M-”ðkB0€®á3@Yݾæ…ô¶ìÝJkýx¨ûà"ÀÐi%Íë„
-´dEQÚœ´
-´,^(FVººás•}oËèо ÛeÓüTðpê`Øxƒ•õÑÊhVóÒÌ-óº'ýÛ/·7ÈžÓbþ\EáŪ!Ö1³XF盦¯ô“ѳUƒ!ÞQTy2IÔy*Ö#aS©È4Óñp‰QC‹yˆ"
-Ì9Øöš…!7ÁÏUx	cÂ
°äE~zß:²¸ov®ô³®xzƒ1mÇÞSÙªÌ gÕô$O‰ðâ`Zã0>~DfV¦vCqÓßòj_ð}£ÎxÎ	bVK)Æû{ª™¡ü•š_ë];úhâÑýšG·Y¡Ç#»P ¸yÑÎô™‘W~èwŒä7¡åBÈ ï9t:9¾½MÒ‘ötrÇÁNÏ¡?,¦ËÌbg®mÚzÄoè{téäÔ(Çjƒñ7Iz d´-‡)ºðnwX~&2¹ý÷û/Ÿ¯?Ý„n¨áî
ô`GÞÝ^¾9a°¶€o¯C/”õ“™‰>)!é–otþµsàѳ#ƒ»ÞUšØÄ“¡++|3ï_ÇÑä#Ü:'cµ±KÏ.ZÀTnN¯,%¬5Öj=ÈZ³Ê±É.Æ^!â_c•Û²ÊZcü£È’‚M Lx°$j’£µÅFÖ–kpiÐÓÛïŸú
-;cªº¡ö‘›õzú’EôÉ¡€Ëz4<
-Af˜Ã&sÄΉOøÌC„}ä~¯oåjljŸ·
-éáoRgÂ\øÏTýß?}=ü.8Jè÷Pó?tócO…ib‰BnWÞ¥€è[…Ééÿ-6endstream
+FòC²%ñ˜ŠRAÖ
¤Û#ÄX!l·¡A>PÈT"È™J»‡´QÄ^3ecÇ&Ʀ'8tðš© ¶ù=##2+Hó V'a8yD<é%Ú?_¾á‡XgîÑbMî1«žŽ½"™‚"ŸÝßaÍ0¶&i0¦À\cˆ%ì߀CÛl±KWˆ`s…0WˆÞΠ+Ä1w…\¡òýå¿.!ʪ² Ôç¬Ú뎷´š‡Í6ËWÝ&à^#)©Ï±d~bêê®ÌX5å&‡26ÄA„šâÈ DCæ[SÐȶX¸IèpœüŒ„WÁ˱DkˆJÑ\ÌÈØÈ;)c8ôP¼!b¤Óf‘þ·ÈëÜþ‡À눀ٸkH…]¡†]Ð#obS_¸°+”6ì‚–
» I È…]Êès¶ Ã1 RØ ŠŠBÉQ4æ#/‘z¾/ä4,"/¢bOªhb9fƒ¥Ø‹…ˆÉŒ(¨ÈºXhŒ\l"ˆ)Œ0ãb1t8ø¸¿àb“Ô9ä7}l’úòm+Ódìb
½Ä`8ÀÁ™šãQD‹k¼(•)Tê	_&Çü}k…žÀ<í¼Â°ÎhŒÅBvMÛŒÂS–³»:¬™mÇ¢ò„%ã}¹6§–¿¼ÿùêáÝÏÔ1Ô@òÝývMå7k| q¨Éaþ¬;B¥ûWŠtùŒE5"«g¦Ö…ƒ¾¿½§©œo÷MÞT¼W›="4G¿¬"Wj
+À‘ÄÁøÙkµ$µC³	)Q‰ ¶°mVÖÕ+Ãê(¤êSbãµÄQzÝõp„¿A/Lb‚@ÅDæQâ'Ž5ÀD^³ßdµ¥sl¿IÍ_ʪš¤ïkmãC[63A|óf»Ý×en2*¼€WdøOU³ÎxI`ýI§ T*ç…|ˆuZÈ–©›‚4ÛU¡ŸË|Æ'/D|~{‡5³ÿØ+@ø˜Fé˜#íAê/»†´=ç>Ú@ü‚©"Qܽù‹ß5#‚¸±nM$Bóàfº
+~wm¹ÍÚ²bp­uaW5‡
¸ û›wŠ@ü©t,ͳzæî{Îþ÷ÆiAô“uô}øÇͯÔuª»Ì$…&Fµ)Ì—9u\Nîû\Ÿ‡s•Oµfäÿ4µÆâR$SV*ƒ¹ã…
:Æ-«96ÁbÖXê6€åQ㯌	ìc€±Å¦ÿH¬ÜRÏFF"¶:YA½áEr\(}.›íK&Ä~3Knk¢-ÀâáîË–LØdŸ™Œu8‹§D-z €ˆÅÖ%…pho²ŽF×÷i‹ª¿m2SªD‹–ÐA›LCrTÙK¤]=ØFÀ3¡05g‹|"B}QÖ+_Áý\‘ÞÎy{ˆ
"›Póí‘ÄÒK£hòn‚¬ƒýgt¯a”Zn@‹œ€ÑO#£Ø¨Aì¨eìçKÙi䃟ZŸ0±>aˆ¾.´”ÙÉ1ß“®Îä<ìÖg_Q`±©;zÔyOýbOB`ÐÜdý³Mâµ².ûÒÞ¼©ñ–žöí ߯šŒß;ì[ÉÁŸøEµý~ÇÖ¼ÜZ'Pã§ÐSŽ„xÀ.ßí×ðÞ<æ`ŸpÓî¤Sˆä°qÖ	±N;‡e"V?ê¶ÕÅê	%ñÈøø
+£Îïï°f˜Öç”Á˜£;jZ9S«J,«’Ÿ­Ýij¡„_‚	t
ÿX˜Êêð5/¤·eïVZëÇCÝá`†žH+h^'Tx %+ŠÒ椠U ýcñB1²ÒÕ
Ÿ«ì{[F€öu(Ý,›æ§‚‡SïãÄƬ¬VF³š—fn™×=éß~¹½Aöœ3ðç*
+ß(V
±Îˆ™Å2:ß4=h|¥ŸŒž­ñŽ* Ê“I¢ÎSá°fÈ	›‚LE¦Á˜Ž‡KŒZÌCi¤P`ÎÁ¶×,¹Én|®ÂKn€%/òðÓûŽÐ‘Å}³#p¥ŸuÅÓŒi;öžÊV`9«¦'yJ„Ó‡ññÓ 2³2µŠ›þ–Wû‚ïuÆsN³ZJ1ÞßSÍå¯ÔüZïª0ØÑß@Þè×<ºÍ
+=áØå€ÁÍ‹v¦ÏŒ¼òC¿c$ÿ耸	-Ê@yÏ¡ÓÈ™ð…ìm’Ž´§#;vzEøa1]fË8s…lÓÖË ~CߣKG §F9VŒ¿IÒ%£m9HÑÅ€ïp»Ãò3‘Éí¿ßù|ýéöØ tC
wo ;òîöúóÍ	ó€µ|{z¡¬Ÿä!C„¥™9™¡K˜-EŒo1öí-ÆRË%¥˜”Uæ‡Ú
¼)«‚ð³Ëž¿ð¯4`Rõ’½ò».Á¤^Ø3Òhˆëu»-k=›Äm4y!éþÍ׈«iCâf8ÍCˆ‹=b4†‡Ç>Ë´ˆ|k'“øË£Ÿ¹Ü¹&&Þ¡ˆY’é&3‚ÂÙ<Ùª¢ãyNð$¹;ýÀ–´äÄ,ÚÒbèo³è4R
½¡dÈ=H÷hÑ,\J<¿q#1–û¥7PÌ9çz\‰KàwrHç-s¡i™+Âåݽ.ȹÓãäÓOŠ-ý-CááõúÆÖ±|´Õóâ1]Ç&gØ^¿¨TLåÌ9Yê!z¦dË诩±(û^
r¿ï7Xš%LX`‡r&ߪ@‡@xßØI¼XùH£
+ÖîÖÑhdê\[$¼u³Î†AVaÌZ³ÅîAz¦¶¾«œ®ŒoJFrym–ë,®Ù>)LZÍÓ©¬Èå@¸¡¢špzØNY&‡éxY.ï«¡‘æågnꌑæüç=ôK[óÉLôI	IÇ°|£ó¯žÜõ®ÒÄ&ž]Yá›yÿ:Ž&áÖ9«]zvѦrsze)a­±V{èAÖšUŽMv1ö
+ÿ«Ü–UÖãE–lÅ`ƒ%Qƒ­-6²¶´XƒKƒžÞîŒxGøÔWØySÕ
µôج×Ó—„,¢'Hµ\Ö£áQ2Ã6™#¦pN|Âg"ì#÷{}û+W;Nü¼UH“:æ¦êÿþéëáwÁQB¿‡šÿ¡›{*LKrã¸ò.Dß*LfHÿ/RÕ6
+endstream
 endobj
-1311 0 obj <<
+1321 0 obj <<
 /Type /Page
-/Contents 1312 0 R
-/Resources 1310 0 R
+/Contents 1322 0 R
+/Resources 1320 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1305 0 R
-/Annots [ 1314 0 R 1315 0 R ]
+/Parent 1315 0 R
+/Annots [ 1324 0 R 1325 0 R ]
 >> endobj
-1314 0 obj <<
+1324 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [250.9056 734.5663 314.5963 743.9759]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-1315 0 obj <<
+1325 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [108.9497 634.1305 178.334 646.1901]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1313 0 obj <<
-/D [1311 0 R /XYZ 85.0394 794.5015 null]
+1323 0 obj <<
+/D [1321 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1310 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F48 975 0 R >>
+1320 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1319 0 obj <<
-/Length 3376      
+1329 0 obj <<
+/Length 3401      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZÝsÛ6÷_áéK陈H¯OnìôÜkì;Û¹^§í-Á'©Š”ßÍýï·‹]ðC¢”dn2Àr±XìÇo—–§þÉÓD‡:‹²Ó4Sa"dr:_ˆÓ'XûñD2ÍÌ͆T?ÜŸ|÷.NO³0Ó‘>½ð2¡0FžÞ/~t…gÀAoo®ß]ýøáöü,UÁýÕÍõÙ,JDðîêçKýx{þþýùíÙLšDoÿzþ÷ûË[ZÒÌ㇫ëšÉèçÓÛËw—·—×o/Ïþ¸ÿéäò¾;Ëð¼RÄx?O~ûCœ.àØ?ˆ0ÎLrú"”Y®NT‡‰Šc?SžÜü£c8Xu¯NêOŠ0Šu4¡À((ÐÈ0ɲä4M²PÇ°„
-¼®[‡RiÐÔ+Ýÿ|ÑàHùæLš€§«º¥Á–ö)o‹º¢çº*_iô»H„
Ÿ@±È‚ߣH]\âÿox†?ŸeQðÏnÒ¸Éwø?ïY-zê÷î.?¼Ç°–Ì÷~Y4DR
ËägPH¸ÐÌLÊ0K’ÈÓ~ZæÛ¦-žmˆËß½Sr  Že(½QÕk<0ÔBÿqìTšH¤c¦›ºng½2f¤|É~š—Û…õÜÏ7ûÍ÷<,Ÿ»á¶é†«mc·+ÿøßïÝγ­IDZ™žS)õ©VY¨âD0"š
©ÈRä„«uT¸å¢hò‡ÒÎòò©ÞírÕìŠ U*-’ã2tTBÍUÂÁ•’f,ÅI—­UÐ.Ý šµ¿Ù­\\ßÝ]¾¥ÅÀn-où×<ز~ùÇ*_Y´?ˆï·e[Ìèvtrng
:+iUêP*ðpqD».kÂ(1þ•¦Í[»²UÛPê½J8„] ˆR7ä’0O'‚Áªv¾£îlsz~)Ê’FžÙz]Èì‘	¼Y}ÆÈTGŒÌS9­TMcç³²®?æM±°{&«0™9.AG5!ÂÈÄbˆ„™”c~YZlÚmßL\¤Ò!Äåî"'DÞ½Fjc˜~ín­~Ò†¶a£3Ás^‹¼­7ôøfA£œÊ!{å™Z»©r¹u¬l»¬Ì«îX±…Bºƒô™qìÂ},†Ó}åo—¿âXdQóÚý."@‡Á_'§Ôk"¯™‚~þ]Wè#ÊVâ`m¸K±ÃŒó숃·õ*/˜ÑÐ%G!žœîÁå ïÂ*†4e׶i'.PëP …~ñ¦9¤Îø—¸Ÿ¨;Võf•—4I\iÌ÷Ê	3–yC¥}liŠy¨à£åsl«vsfÈZvÁ;"Ý©R¡ˆŒîÔÓÏòj¾$¦ìܤ]VízmQtºÉÑÕjÚg0Þ1½'Ήä‚R8Í
æЖ¨[Ë«Ûõpk
NÆDSÁV1«ŸHå¬L;!¸”2pö'ƒ«Gšîlö3RëŽosÀl	Ý4Ū(óMùÊìë×xÉyÅ¿wXO‹Ú6k¦¬¹Û^‡;o!"Ñ°àF¾r)
-C}=Žâ½ý„ÝÆ‚Ìm*Úw,Lt$¿*´eB1½*I™±D†`¾mk†}±py©"¢‡mQ¶³‚Ÿö1‡üJïÁl-3}ta1ó
I98 %9cÖšžØœÓdp‡–ckÚÏ}Âœ¿¹œZWO>GºXŒ“LÞK
O䵉—½ÏO*ÿúæþò/ ‰TwE5GëI6#˜ë¹ã9%¬¯œuÁŒý´.Ȥ@TåÐiésªŸífS,–yáAêmKDÞ*Wë¢,ð¨Hž¿`1^§é¨±Â(û`g0ÞnöA
-X	°9.FG5!Ǥh(êÒ4r‡ÉðU¥Á²°ƒs64ù²,æK®È`äŒ<¢ŒëVrfAÅÝ€ÂÍãËÈ¿§Ê›ˆ³|Ü\P…æ\Í€¤éâðáF™Q¸Q:òÿj§®\¦aGé ÷š”¢Ç~ôŠÒ0M´È÷9Æ`DFú Ç0×±0Êçs»F…¤Yš»ihsþÂþž´SÐöJÃ4QnòБˆÃHyüXÕS‡fÅíÚmÚ
#úRǸ àÐ×&±P¡X;Î,=ÑŒóÆ3XA_Ã2ÕÈðñQ”ñ×Ù
²tª£BD¨Õy~\P—.zÃ"è€Í¶ZØÍTðÉ'®
-ÅÔëªÝ¸Œ7Ã84?°AÒé•2Ãn™&C£õU)0àŸôeXLÍ}‡ÑV3™BJH4÷1œA§}S‹Eûl臺.mÎÑô†{_¬Dhd|<î
ˆ‡=Oät¾m—³êßØn´‹ ŠÀŽíÝío>.Èd¨„áîG«ì‡é}(Ž$ûZ&ƒéÝÚŠ%•úØp~>Å×FêÂǃ‡«]QSä±B¸YÍ5Ìõ¿.nÞŸ_]Aa³†µ
hŸ}áäñ0cK,G7̻ݸa”šöEs„Eóv~ýÊOpØl€‘“MÎDpòQX`/Ã;ì¨]BdOM¢¿¿Ö[æÑ…%xØ6¼€¨é•õ“©0Ub'Õå¢C×Ü©Û—¼ƒT8E»`ç$õ gj÷x¼í&´†}YÓÁ–/1׃Ъ>(}ÜŇT‡}¼£r‘Îb˜C&ŸÕÕÌ~*ÚýæÚL—¡£šbÜßs}@3–‚{» IêÂ2úvs"8Ã˾goˆ­»¦¡­¸W«ó¥ìPkÓWvUo^‰¢ìG¿9sG5¸–š¤¨ç±IËhlRüÅRÍn½‡ç!ðä*
-8^Û
ˆµÚ}Ï	Þ¶PcêûŒ=¨ŽØƒ§r‰Ì®°áX4m1ßoõBÔ*ËŽoßQMì?2…(u	ð~th媽åÁ›u—Ùܳ¿ö,ñbâ+«ü‹¯SR˜Ðd])2ÒÁlXÀŒH)ﺮ¿8¢†„Rdaº² ÕdÅ€P“h·e7lU¨T‡x·Ui6 og+Œ[ߎûcµ,¿·¿zµêìªD;ö?_f eÞØq4œ<¤ƒò{ô¨ÿ õË*ˆÈ|¦ÐR¶þŽŠÚóy¹]ïnk4˜§Hoë‰&¶ž0“a‚ÕÜhÛI¬N„£¯+’¤o±¾L!:á&É0r÷9A¸/´€m\?×Д«{„¯{p¦O½;1.²ú—™v…£+ÜsÊîgMÓ¨hL8묌
-Ð ¤±ùóÌâ$A3üˆxÉDÞþp–z	÷>(&hÇíÓ²¥ÿ>öŠñD|Dþ‚ï>z**ðyך”¸7\~«bx8\§.\rý]d¶({P‚SVÕNµú,ÓÌñ"b©°„bg%!`Êõá—´ëf^×<¢þ¬„ó×ÕöØpSrgzüBø#õœ`¢©=­kÇèà_g8Xº–1ótM)Ø-ŸªÎÀ—Î÷£·Ù@Aú†k·!Ž¬Gg{…IJ¨3â¥Í7í˜çÌsšŠ¼qhå}ƒÃT,ëµ}Üî…ÇÅvÙ?òq
âÁÎér<L–=/†Ív½æ|ÞX¹3˜;wŽNßÏ1„>î„Ю\‡1û‡ƒ•ƒ› ~íÀùCÞ½çѧCq5Òq˜¦æË¡97k¢ðWGãåýdyZ™¬û†éƒän‡%
-Ê|IÜ!ŸÌ0–Æp@*†)W'ÃïN†6”b8zMˆ’À±ßä¹°/’DI(…I2y(wèÜ]Ð#€ðZ¤{ŸbßÐ=yY}:ñ9âAZúÅ^,^0÷g"ƒiDÊÃp°áƒCz*ë‡ÎþGàªôî#Öf||ûRà]íÞ¾û|b|C@`ä‚œI܃-é¦uE)a?Zf¾Î²èÊWó'"7ëÂŒ¨+Ýs¾¾¹¿z÷+ÉÿÜâ÷<âZ3­çÓoSæÏì©;Á	[˜ìFü×$Z‰.lg¼¶XÆ}±xzrÒj¾°´K¤º4Ž«íêÁ“:´Nì\ ¾í$£!ŠÒ¦0¯	79Jˆ:H'OAjqßúÿ]aÓ™o6,VAûÔ2VYO×Ç#0]_,
À_UAbê
-}Ok£ºjØG@ºòfXïf¿~ô>§˜4]Vã¾ÈF¦.K^'A½¨§¢o¸¶¨†	/¡Ôú³±"NR_`›䧰¹§cXßiKBü¯	()º€ýÿ!YÿWv*
ccüED”BP5À„…BÁ“h}ó_œí‹þ?¸þ¾endstream
+xÚ¥ZÝsܶ×_¡ÉK¨C 6OŠ%§Jc©•ä¦™$Ԥ㘗#O²ÚéÿÞ]ì‚_Ç;ÛÓñŒ–‹Åb?~»”8
àŸ8•¯Ò0=MRéLjO—åIpúk?ž¦Y8¢Åê‡û“ïÞEÉiê§*T§÷^Ú´§÷«ß<å‡þp¼·7×ï®~üp{~–HïþêæúlÆ÷îêçKýx{þþýùíÙBèXxoÿzþ÷ûË[ZRÌ㇫ëšIéçÓÛËw—·—×o/Ïþ¸ÿéäò¾;Ëð¼"ˆð žüöGpº‚cÿtøQªãÓx|‘¦áiy"ãÈe¹™âäîäÃÁª}uV"ðÃH…3
+£µðã4O“8õUK¨Àëº5p(™xM]òèþç‹GÊ˶gB{<]Õ-
V¦0OY›×=×UñJ£ßƒ80þ¨3
+Rï÷0”—øÿ^†áÏgièý³›ÔvòÃþÏ{V«žúý‡»Ëïq¬ó½_ç
‘yÃ2¹.4³ÂOã8´Ç4ŸÖÙ®iógããòwï¤hˆ#ágTõÏUxÿ±ìdâë0HÆL·uÝ.ze,Hø’ù´,v+ã8ØŸoVæ›ïyXaÖßlN­«'—#m,ÆI&牢'òÚØI	ƒÞçg•}sùÐD¢¼»¼Z¢õ$1›ÌõÜñ‰œÖKk]0c>mr2)U:§tKúÀœêg³Ýæ«•a^xzב³Êr“9)ÐóW,ÆëœnŠl™;Å°:*ó2Ñ„SMgɺ0ÁoˆÒÊYÑC^­|`3ˆ ‚ú/bʃøDÆ!ˆv|Ÿ©ã“Žjà%FÙ³€ñn»R ÀŠÍq1:ª9F EAQ—$ñX;L†¨ê0ñÖ¹Ù\°¡É—u¾\Ó°$€‘5ò2®]ɘw
+{4‡/Cüž*lBÎ
+8pqsEšu5
’&ÄáÂÔ£p#Uè.þÕÌ]¹Hü4
+“AîÕ	Eýè&~Çi‘!ïsŒÀˆ´pAŽ#`®ca”-—fƒ
+I0²4/fÛÐæ(ü…ýi§$ í•†i¢Üì¡Ã òCéðcUÏš·h»i4tЗ:Ú‡®6‰é€µãÌÒÅ8¿a<ƒù5,Q ƒA^LÁ§I­Ý K«:*D
µ:Ï*àÒEoXd°ÙU+³>Ù̵C¡˜8]µ[›ñ‡ˆöÓP;èG©aZ§	_«ØŘ2«²§Ãü”ö£8Š¦'Yþà÷i$ã¯Ê±q8™YWÃjm9hlŒ¶‚ZT§’F $•ô]3¬F¡šÀH¨ëÂd®o¸ùq ²F2𵈎ÖÑá¸êˆì¥îÚõ¢úÄ&1
§!Ô[!øë±½;¢ýÍÇŸðeg¸ûÈ”D2ý‚Ȥ{'BÁNŠ¦Ïh}Z±›khÊV+¬p¦O½¶zldu/3í*‘G[‰Ø–”ÝÇš¦QјpVÆZUF A‰¨xhþ|#‹(ŽÑ?"^Ò¡³?œ¥æJÌÍ•ªÚq÷´niÁ½Íhü‘„¿¶à;€žò
+|Þö[€¦%ö
›ŸpĪ„×À©—l™­rË”`•Uµs½DÃ4K¼ˆHH¬ÑØYI˜²Lø%íÚ™×
¨,àüuµ„=¶Ü%Üú¿‡¾…ÄHM-˜hjGkûý0Êù×Ö¶'ͧC> endobj
-1320 0 obj <<
-/D [1318 0 R /XYZ 56.6929 794.5015 null]
+1330 0 obj <<
+/D [1328 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 354 0 obj <<
-/D [1318 0 R /XYZ 56.6929 396.2024 null]
+/D [1328 0 R /XYZ 56.6929 396.2024 null]
 >> endobj
-1096 0 obj <<
-/D [1318 0 R /XYZ 56.6929 369.4308 null]
+1106 0 obj <<
+/D [1328 0 R /XYZ 56.6929 369.4308 null]
 >> endobj
-1317 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F48 975 0 R >>
+1327 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1323 0 obj <<
+1333 0 obj <<
 /Length 3397      
 /Filter /FlateDecode
 >>
@@ -4976,35 +5016,35 @@ L
 øGNåxVê£/l¢`’ñA™ßýk£CQ†U:Ï4-À`.½eª)\ ÁQÅApÄ.wT1nìn×]žKCHßl‘8J·µŽõ7»5•Xî)äÌ)Ž®4Š?-,Bú¢ìüéCQbõ¶jK¼¬H‚R‰ÞÐ^ñÞ^>–´6Ko؈K*7Þn~mõð°\CÝæVBã£*u¾iêèä÷€"2Ù…h
 @ìÔÌB1üêxÄTâÙÙ×ÌŸûqóáËo™1¡õ‰X*b°‰É¼P(¾ƒWÄþ+è¡èÿå17:endstream
 endobj
-1322 0 obj <<
+1332 0 obj <<
 /Type /Page
-/Contents 1323 0 R
-/Resources 1321 0 R
+/Contents 1333 0 R
+/Resources 1331 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1305 0 R
-/Annots [ 1327 0 R ]
+/Parent 1315 0 R
+/Annots [ 1337 0 R ]
 >> endobj
-1327 0 obj <<
+1337 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [182.6146 85.4256 231.8861 97.4853]
 /Subtype /Link
 /A << /S /GoTo /D (notify) >>
 >> endobj
-1324 0 obj <<
-/D [1322 0 R /XYZ 85.0394 794.5015 null]
+1334 0 obj <<
+/D [1332 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1325 0 obj <<
-/D [1322 0 R /XYZ 85.0394 679.1143 null]
+1335 0 obj <<
+/D [1332 0 R /XYZ 85.0394 679.1143 null]
 >> endobj
-1326 0 obj <<
-/D [1322 0 R /XYZ 85.0394 667.1591 null]
+1336 0 obj <<
+/D [1332 0 R /XYZ 85.0394 667.1591 null]
 >> endobj
-1321 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F48 975 0 R /F39 917 0 R >>
+1331 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1330 0 obj <<
+1340 0 obj <<
 /Length 3687      
 /Filter /FlateDecode
 >>
@@ -5028,58 +5068,58 @@ A
 &¦¯V…ãÞÅΓE¹\–ûû[zöDëÎÇλø0
 ¶Ì`±®Ø©GÝÊ0|‰=²=¼­Èýé߇×ðÚ1åý™0F{@‰BNŒ*~|>$ýÿ7fy/endstream
 endobj
-1329 0 obj <<
+1339 0 obj <<
 /Type /Page
-/Contents 1330 0 R
-/Resources 1328 0 R
+/Contents 1340 0 R
+/Resources 1338 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1305 0 R
-/Annots [ 1332 0 R 1333 0 R 1334 0 R 1335 0 R 1336 0 R ]
+/Parent 1315 0 R
+/Annots [ 1342 0 R 1343 0 R 1344 0 R 1345 0 R 1346 0 R ]
 >> endobj
-1332 0 obj <<
+1342 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [180.4479 292.4725 244.1386 301.902]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-1333 0 obj <<
+1343 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [265.4578 246.568 326.6578 258.6276]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1334 0 obj <<
+1344 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [367.5441 246.568 416.2908 258.6276]
 /Subtype /Link
 /A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-1335 0 obj <<
+1345 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [280.9692 215.2488 342.1692 227.3084]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1336 0 obj <<
+1346 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [277.6219 183.9296 338.8219 195.9892]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1331 0 obj <<
-/D [1329 0 R /XYZ 56.6929 794.5015 null]
+1341 0 obj <<
+/D [1339 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1328 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F48 975 0 R /F21 730 0 R /F62 1085 0 R /F39 917 0 R /F14 757 0 R >>
-/XObject << /Im2 1074 0 R >>
+1338 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F21 738 0 R /F62 1095 0 R /F39 927 0 R /F14 765 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1340 0 obj <<
+1350 0 obj <<
 /Length 3869      
 /Filter /FlateDecode
 >>
@@ -5104,21 +5144,21 @@ v
 ,f§'¡ôéÆùùt&Ñ¿¾½qÀ(‹ÜWýÁ]‡sDÛ¢ͼw5=Ñ>¯§3U,°´!$Ho>0ÊåUU£¥úJV> endobj
-1341 0 obj <<
-/D [1339 0 R /XYZ 85.0394 794.5015 null]
+1351 0 obj <<
+/D [1349 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1338 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F48 975 0 R /F41 959 0 R /F21 730 0 R >>
+1348 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1345 0 obj <<
+1355 0 obj <<
 /Length 3498      
 /Filter /FlateDecode
 >>
@@ -5138,21 +5178,21 @@ E] }
 È¿ÉÑ¢à¼)ðOÚõØNž(!¤Â#NFY_ÌIAóŽúøžZ>U»øD¿GæCÈ.¢ÌÐ@íw˜ƒ‡å­é·ÔwOÍĘ7vrÈux';.—¯›zZÕӦΧm»ÞOè•0±ÑÇ踌÷2ãÄ&cx/¥OAÛ-7Pú¹j¾mï±–Ìñ«$ᆻîIî¾çB’óQüáóŒþ¨£Rð@¶{žðöö'¢¸tJú—@À(«7"S‰<–Õ¿0ÀUøõr÷å±_gM
~q³û}ÄtÃZ{¶£ÀºÊ¤	î´Äï â7p7à:‚;ÏÀÝt‘/î÷Ï'L O9ªFÇÐcüæΈ$†df¤¡OB‚*8÷—™»AZ4|Øp³°‡ÙÜÎ_ Í
n÷±ÓÍQxô`«!#£­Fºßj‡?üŒ#–r\«÷?Vv™ì¡ow ¥ßÚý4JK}|óL‡÷Þ3¹úêi	Õ#åüÓ‡æa?+LÂfÇÅwLûòÇ0‡äÅDc8à(ÿ‚ÿ®À/…ø»%íݺçó›Ë
WõŠ/¾ßÊÜEP¾æ÷)Ã	a÷ÝÅ„foîùÁÓ÷l™«ÚÞ
oé½S„/Õvî•I«ÌL~¼ù‘çߢHçwDtÑ#3=×û«›/þEŒó9wÖôÛ}›BÝåÊu™	´ŠWêê>ÿâž™/IqDiž’mXìhá,(BU¶¿ˆ5ý2´xZŸ®-¹cEíàÅ<öµ.~³@_÷ÖÄùœ§üR·÷Ôz)©e¹¤eÄL%ØYP‹¯rŸ?8C¾*¦5&øú›7#ðƒßü£îë»?ý]qÿÑuŒo3Rv$•¤PBÃ$¬*nì~àˆÀͬ
 ¨þ“(Mèendstream
 endobj
-1344 0 obj <<
+1354 0 obj <<
 /Type /Page
-/Contents 1345 0 R
-/Resources 1343 0 R
+/Contents 1355 0 R
+/Resources 1353 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1342 0 R
+/Parent 1352 0 R
 >> endobj
-1346 0 obj <<
-/D [1344 0 R /XYZ 56.6929 794.5015 null]
+1356 0 obj <<
+/D [1354 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1343 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F48 975 0 R >>
+1353 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1349 0 obj <<
+1359 0 obj <<
 /Length 3135      
 /Filter /FlateDecode
 >>
@@ -5162,67 +5202,64 @@ xÚ¥ZKs
 Ž©oñ	ïk‘ ’}€XÔùXRã?mSß±«š"Þ}øBjG}¿~dŸÇòP•½ìŠªKH„>µ¢‘Qᘌ›vÿTôÕ}UWýi-„ÞAGšX@Ex0‘Jrغˆrc¤ÝɶÜǺ'+ª:dœV‘IZCþSéxFJÒQ®UÆ<ÑÂ,a¦"™€¶•Œ¤Öä-hàþ½ÇqŒ{{)[ÔÎ|‰xJ\Eh:«×8	vvê|Kj
èkCZ°›¢!ò=9vå–(ö腭虣 îš&~`jWõeøRmKêÝ'DË+,SùÂ#ÊÃsyèð Dβ=nXP8šC±Câïq,7öâññ´0XuÔU󭣦•ZåAùW_š¢&jSìKjñª;Ò<¸é‰Jj€FQw-µîy(d-‚í`vËV·/Ô<#:Ñê¼
 z,x™-oZ&<ÏåxktøÛŠô±A>™ÅfSvµ­2cïÂMƒ[-{Ô¤N‚ûcO/•u4?$
ê¶ýF­ãñX5UÖo€ŠjâUŠæôR« ®´dpµ›ÍñÀ#Ú¦>ѤpâÇÕ?¶ JëK^gø²ÃÕ±ñòXm©i÷†
R¤÷@û´ÚÃFq„9UžýÌüE³¥Æ¶-§ìVÙã鋦{ñÓ7üìy µáh–688'qÜè×#øër÷\¨'rÚí,rK™Tä¯/ì¹V%™DÆ@®-}÷ˆ:V¹Ú§¾²Ž›‹ÀÓ耲/‹l`w¬©ÇFèÜt ¹ÐêªëÇ’¡Ü?õÞÖRe‚÷D.ê#ÏØî(îé¡þT‚»Í9´îª¬0Ž2²Ìs—ht	øc€(©–‹¡˜e¢Á 
  U$¼GlxÓL(Íá
û4á›êiÓPXz‘2¥YoB)&)˜	í¹ù®w|l¶Ãu`ííÝR@!®Ìœ¥Î4ˆº&*t7Ô¢½ä—ÔI
¿,ô‚—”õŽ’Np³t8R˜(•^ïÖz'‰Rhf².ŽR>•›
-•TnñrõÖÈ6±j€x}8e·Ç,µŒtªÕø˜ÇgsÑ×
à›Ø¼ÖL—=Ý1
bêëJGp½¶®ã™¯;òsÆPn´ðW¯]T·ó[	^vó…ÅvËP­ó<-±Ü—ôN@[d(¹˜À
´
¥	ŒàÀ3šâ0Z™B€¥Q ÀÖﱉ^W™C>NëÓ“Ó,#EäN>ÊcÀh¡H£•e&3)
lÀ–Ý,vµ
êëáÈ0…¨­ã§ÇSInÛ}Qq×}ÑUq¤bÐàW#­Iç^Ðx¨Û{,Ü;“brÇ£Ú¥kåM”…F‡j»µ^
ÌŠô‚Ϥ_«nèkwD„t°Qó¿×qD'µcWöDy*}µ9"´ï´áŽ¸(*‹›¨·²0nGÚ)›žøÆ®g-`ÅuÎqí¯àä>›rš§QjbX\RµÃ1X|ïBð<$e2J4Tw1«„A„Õå;˜ ‹Á^W8„R×ï)§^®’ëE¹ÒYIå¸0uVÔ¸x¼ç‡æ>?Ÿ×:=€I›Ò©ú†JÃL‚¼ˆ:KGÍKXÇõ†óÙ.Ö?
-‚s*„Z¬€W@Ev}±ùF{øÊûÍrh8P).<0GtôN'WÒ×?€AŠnÀN¼Æ:ë‚ pœl=õPb‚—öðm8{l¶ôþ„k[Ò}]îyôP|r±µy,î]™“m,žËg¿¨½V¬7£½Ÿž¬L#ˆ]V0·o¾<ë±=%q2Ê€Ýy®=ÈV5—q±Ê²”x=Y¹.gKÏe!™?Æ°;ý(m&)äøܼ.ƒçZb”:S@Iœ¥åN¥
k/W=ÑTðœäQä²]¬GðCý¾ÔÓ\‚cI×R¯áC³S[s‚N{j6Ó%22Bg“²ë°
Mƒ{’'ÖB•f¶‡åçòˆšÝ‘²p úòÂþýÑNJÆL+uš{ϨŸ]Ç#óºõr{ßîð@o\a@kfçb¼DwPwðó±ÀÍé8µ›C
-ÃEéÔÌü=Ñ”°¥kO2cƒ¥[b—`ÿ!2—–-ršM?m4„kÐ‹z–œÊ6¼—cSãùÛD†¦:J‚l!ÖA[N4ü:Эx™í¾,—:;<©í?ß´û½¯¡kR´ˆ•ÑÃRð–Y%)„yÚ -õ‚:†¦™ÌíaÚ,#ü	¤oÎr˜4g„÷E|h›þÐÖ¯eeçðƒ´$íi‡Bà‹hîÞ{îd{îÕ¦·{à;j
-Ò¥–çÉ,˜Ö#0M6FŸ99”TÀY´‡¢œº¾Ü# ³þ:G:Ó‘V¹‚òÖD"Õâ
ôàùÃစ´=›wŒ@40ÊHLå1
-PGðz8ý,øz®7¤p@âÕ(¸€qlÄe_Tu7¶áG¼‘ú„-"w'—ÛØQF‡a¼ë/W~€["¥ÞHf¦Ë¹Ì1YÆJ øˆâM“x ¦×—öLóµÇWÏà,I6^|\ýIáïݤ´É€©!Ý
-LeW‚ðdù-CooŽÊ.Äho‰£«!ô1É:€t÷þØx§ypQñ$ñ¬*ku“ÈH©'Ù
sMæR4øS´öÑ\Q?9“<‹r11=Œ‰“8RBfÞ'š/Š3N€ðÜYÁB:–m.ƒ€Àkí¾X¹®GL¤g‚\1ê{‰%ý
-|‚ØÜ@@b}A¤Ls‘ŽVÙ´-]…hñ¼ö„Å”&¹Û¾/AqÌŠ%‹$I§¢#
-I
ݼ§’‡¿\„Öèr1åë»=¬!Q•ææÛ	k2»}‘b®Nä@L.–†©oúµgKž°Ÿó7~„Ä@-Êî\]2ì¦AûQŠF™¿ë–FE_¹€O&MÍëhÈu9y®³ÙÓ…å,ÍgB¿¾¸çZX}„ðÓ„üÑòã(t¶a€>
-¡›ù(ôsÊeZb÷­».)èò/>~þJ]îjt1`"’‰u½L6c ‰Fé¢yy,ÄØì,„€cÅ$ØPÏå‘I˜Kço„
ÊG³aˆYìpêM5…Z½§gÞŽ—å`p) ±i4À¯ë
“½óXÀ:ShÇ“+ø›Ýä–åÿõ]þX7ÿð4vO{•Ì¥îˆ6öʴù_~.€¶gY¶üsÀ¥©ˆ¼ü¾8‹a.nºã©B']Ù*§z¢×)œŸ0Q"5¸¢È#aUœ—Iðg%ÝAÿ‚ß׃;ø/ƒë™f`R%M¶J!ÌHúIÃêÏ•€ì–犘m»×³,áû›½\}laG«á¦ÜÄá`f»«dü#Ø`u:xKŒ?­p^¼PW[‹Äz!8…›b³††3mpã«åtg6økC“Ðßxs…‹Ï3ÂÄzÚ2Ð4ãïá0×Ì°tžF‰JðKœ?º¿g
-âl’Ç€ôÏ?Dù{¦z¾Cw…„{KûÛ¿¤9ÿÌH§àmÙ…
-¿]Ê<])@IŠÊ;“^,L˜k ú\-;endstream
+•TnñrõÖÈ6±j€x}8e·Ç,µŒtªÕø˜ÇgsÑ×
à›Ø¼ÖL—=Ý1
bêëJGp½¶®ã™¯;òsÆPn´ðW¯]T·ó[	^vó…ÅvËP­ó<-±Ü—ôN@[d(¹˜À
´
¥	ŒàÀ3šâ0Z™B€¥Q ÀÖﱉ^W™C>NëÓ“Ó,#EäN>ÊcÀh¡H£•e&3)
lÀ–Ý,vµ
êëáÈ0…¨­ã§ÇSInÛ}Qq×}ÑUq¤bÐàW#­Iç^Ðx¨Û{,Ü;“brÇ£Ú¥kåM”…F‡j»µ^
ÌŠô‚Ϥ_«nèkwD„t°Qó¿×qD'µcWöDy*}µ9"´ï´áŽ¸(*‹›¨·²0nGÚ)›žøÆ®g-`ÅuÎqí¯àä>›rš§QjbX\RµÃ1X|ïBð<$e2J4Tw1«„A„Õå;˜ ‹Á^W8„R×ï)§^®’ëE¹ÒYIå¸0uVÔ¸x¼ç‡æ>?Ÿ×:=€I›Ò©ú†J#
+yu–Žš—°Žë
1æ³]¬çTµX)®€>‹:ìúbóöð•1ö›åÐp R\x`ŽèèN®¤®ƒÝ€xu$Ö…3@á8Ùzê¡Ä/íáÛpþöØléý	׶¤ûºÜó*è¡øäbkóXÜ»2
&ÛY<—Ï&~Q{­XoF{;>=Y™F»¬`nß|yÖc{JâúQÚLRÈñ¹y]ϵ Ä(u¦€’8K1ÊJÖ^®z¢-¨à9É£Èe-ºX<à†ú}©§¹Ç’®¥^Çf§¶æöÔl¦Kdd„Î&e×`š÷$O¬…*Íl=%0ÊÏå1-4*º"eá@=ô9ä…ýû£Ý5Pm”Œ™(Vê4÷žQ?»ŽGæuëåö¾Üá޸€ÖÌÎÅx3ˆî îàçc›Óqj7‡†‹Ò©™ù;z¢)aKÖždÆK·þÄ.ÁþBd.5,[ä4›~Úh× ?ô,9•mx/ǦÆó·
+‰Mu”ÙB¬ƒ¶œhøu [ñ2Û}Y6.uvxRÛ~¾i÷{_Cפ8h!+£‡¥à-³sr6(©€³hE9u}¹G@fýuŽt¦#­rå­‰DªÅèÁó‡Ãi{6ï=€h`”‘˜Êc ŽàõpúYðõ\oHá2€Ä«Qpâ؈˾¨ênlÃx#7ô	[DîN.·±£ŒÃy×_®ü·DJ½‘ÌL—s™c²Œ•@ðÅ›&1ð@L¯/í™æk¯žÁY’l¼ø¸ú“Âß»Ii“S=*Bº˜Ê®áÉò[†ÞÞ!•]ˆÑ2Þ$GWCèc’uéîý±ðNóà¢âIâYUÖê(&‘‘RO²æšÌ¥hð§hí¢¹¢~r&yåþbbz&q¤„2̼/N4;_gœá9¸³ ‚…t,Û\-ÖÚ};°r/\˜HϹbÔ;öKúø±¹€Äú‚H™æ"+¬²i[º
+Ñâxí!	/Š	 (Mr·}_‚â˜7JI’NEG’ºyO%¹­ÑåbÊ×v=zXC¢&*ÍÍ·#Ödvû"Å\È1€˜\,
SßôkÏ(–<`?çoü‰Z<”ݹºdØMƒö£2×9,&Š¾r1	(žLšš×#Ðërò\g³§ËY›Ï„~}qϵ°ú8á§5ù£åÇQèlÃ'|B7óQèç(”Ê´ÄîZw]RÐå_|üü•ºÜÕèb0ÀD$ê&z™lÆ@) 9ŒÒEò:(òXˆ±ÙYÇ<ŠH°¡žË1"“0—Îß”fÃ!³Ø/àÔ›j
+´zOϼÿ.Ë#ÀàR@cÓh€#^×&{!æ±€u¦ÐŽ'Wð7»É-Ëÿë»ü±nþáiìžö*™KÝ9 1l1†m•ió¿ü\m!βlùç€KS%xù}q.Ã\Üt#ÆS…Nº²U
+N9ôD¯S8?a¢DjpE‘GÂ0ªþ<8/“ àÎ82Jºƒþ¿¯wð_×3ÍÀ¤Jšl•B˜‘ô“†ÕŸ+Ù-Ï1
Úv¯gXÂ÷7{¹úØÂŽVÃM¹‰ÃÁÌvWÉøG°Áêtð–Zá¼x- ®¶‰õBp
+7Åf

gÚàÆWËéÎlð*Ö†&¡¾ñæ
+Ÿg„‰õ´+,d iÆßÃa®™aé<•à—8tÏÄÙ$韈ò÷Lõ|‡î	!ö–ö·Isþ™‘NÁÛ²7~»”yºR€’•w&½X˜0×@ôÿ†”-=endstream
 endobj
-1348 0 obj <<
+1358 0 obj <<
 /Type /Page
-/Contents 1349 0 R
-/Resources 1347 0 R
+/Contents 1359 0 R
+/Resources 1357 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1342 0 R
-/Annots [ 1352 0 R 1355 0 R ]
+/Parent 1352 0 R
+/Annots [ 1362 0 R 1365 0 R ]
 >> endobj
-1352 0 obj <<
+1362 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [367.5469 483.6075 428.747 495.5077]
 /Subtype /Link
 /A << /S /GoTo /D (zone_statement_grammar) >>
 >> endobj
-1355 0 obj <<
+1365 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [483.4431 291.3684 539.579 303.428]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1350 0 obj <<
-/D [1348 0 R /XYZ 85.0394 794.5015 null]
+1360 0 obj <<
+/D [1358 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 358 0 obj <<
-/D [1348 0 R /XYZ 85.0394 712.783 null]
+/D [1358 0 R /XYZ 85.0394 712.783 null]
 >> endobj
-1351 0 obj <<
-/D [1348 0 R /XYZ 85.0394 687.8416 null]
+1361 0 obj <<
+/D [1358 0 R /XYZ 85.0394 687.8416 null]
 >> endobj
 362 0 obj <<
-/D [1348 0 R /XYZ 85.0394 470.2923 null]
+/D [1358 0 R /XYZ 85.0394 470.2923 null]
 >> endobj
-1353 0 obj <<
-/D [1348 0 R /XYZ 85.0394 447.8217 null]
+1363 0 obj <<
+/D [1358 0 R /XYZ 85.0394 447.8217 null]
 >> endobj
 366 0 obj <<
-/D [1348 0 R /XYZ 85.0394 335.2388 null]
+/D [1358 0 R /XYZ 85.0394 335.2388 null]
 >> endobj
-1354 0 obj <<
-/D [1348 0 R /XYZ 85.0394 312.9276 null]
+1364 0 obj <<
+/D [1358 0 R /XYZ 85.0394 312.9276 null]
 >> endobj
-1347 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F63 1088 0 R /F62 1085 0 R >>
-/XObject << /Im2 1074 0 R >>
+1357 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F63 1098 0 R /F62 1095 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1359 0 obj <<
+1369 0 obj <<
 /Length 3203      
 /Filter /FlateDecode
 >>
@@ -5247,37 +5284,37 @@ c
 grƒÈ¾èò#ÑhÔ/Éd«¹Ö}YÆ7
"×+"(Á2–k×—!eÛ¦«ï×ò<®³ê•4¡Ãt:KˆLG?úY/Ú—€ÛRŒê×{€&ÌYÓX‚~µ§3EaW‚p±Àäáû-µŸOÔø٠ٖq–]|ѯQ<ž)s9ƒðeuþŠ
t¸ÎAä:ZÎC¹R‚'±> endobj
-1361 0 obj <<
+1371 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [184.7318 305.3272 233.4785 316.1115]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-1362 0 obj <<
+1372 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [369.8158 182.7836 418.5625 194.8432]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-1360 0 obj <<
-/D [1358 0 R /XYZ 56.6929 794.5015 null]
+1370 0 obj <<
+/D [1368 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1357 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F63 1088 0 R /F62 1085 0 R /F48 975 0 R >>
-/XObject << /Im2 1074 0 R >>
+1367 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F63 1098 0 R /F62 1095 0 R /F48 985 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1366 0 obj <<
+1376 0 obj <<
 /Length 2656      
 /Filter /FlateDecode
 >>
@@ -5291,33 +5328,33 @@ oT6I
 Vñ7x¹üz¹Ý’—&qád?—@´ÐêL‡mIà.cîO¦ørs~qòþýÞ£µ“¹p™òØwÑ>UßÝ¥h	&ŠûOÍNiá ܵû†’çâ?c-
 
–oýN¤Šc“Bk7èŒ=Óø{¬7NàûÈÓµœDüî‡üÝ9XH¿³L?‚¸°Lç>2…ÇqùÞa(Ó~„õÿ{f™endstream
 endobj
-1365 0 obj <<
+1375 0 obj <<
 /Type /Page
-/Contents 1366 0 R
-/Resources 1364 0 R
+/Contents 1376 0 R
+/Resources 1374 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1342 0 R
+/Parent 1352 0 R
 >> endobj
-1367 0 obj <<
-/D [1365 0 R /XYZ 85.0394 794.5015 null]
+1377 0 obj <<
+/D [1375 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 370 0 obj <<
-/D [1365 0 R /XYZ 85.0394 725.2846 null]
+/D [1375 0 R /XYZ 85.0394 725.2846 null]
 >> endobj
-1368 0 obj <<
-/D [1365 0 R /XYZ 85.0394 700.2184 null]
+1378 0 obj <<
+/D [1375 0 R /XYZ 85.0394 700.2184 null]
 >> endobj
 374 0 obj <<
-/D [1365 0 R /XYZ 85.0394 148.5316 null]
+/D [1375 0 R /XYZ 85.0394 148.5316 null]
 >> endobj
-1369 0 obj <<
-/D [1365 0 R /XYZ 85.0394 118.3446 null]
+1379 0 obj <<
+/D [1375 0 R /XYZ 85.0394 118.3446 null]
 >> endobj
-1364 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F48 975 0 R /F41 959 0 R >>
+1374 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1372 0 obj <<
+1382 0 obj <<
 /Length 2996      
 /Filter /FlateDecode
 >>
@@ -5343,22 +5380,22 @@ h
 #ç8-¬ÎœôNš0cä—	:¶ãGý#c‘e©yÄ?©ü¤&ü³oVyWø7„·ùý(Êàrà  =hN/5aÏè[¨„òf¥ô½ŽâÍ©Ä
 ›ÙäI‘Üb2g§?"$CÑ­ÉNë¢ytq3Ì«:|¬‡:š:™Òã>À¡&ƒD¯Aþ¶¹h	}#vÀ•ÜÞPÑü¯£{×A'Ä`Ë$Búº>û\X¬& êõÓ»¦–ÆêÊת”>3`·;Ž×À;blNØ@š7w(˜ã&¿òX릨+¾O÷—(ÿRÄ·/¾
ë¤튺ûÜKS‹%#ÍÒ%Bòã©…Iìðï%æ‡?öøáÄw@«U6YdŸ°?üg*XÀ¯Æiz¢ €G…MA‰quù¿à‘÷+ÿ=K
LÿÐo@Xendstream
 endobj
-1371 0 obj <<
+1381 0 obj <<
 /Type /Page
-/Contents 1372 0 R
-/Resources 1370 0 R
+/Contents 1382 0 R
+/Resources 1380 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1342 0 R
+/Parent 1352 0 R
 >> endobj
-1373 0 obj <<
-/D [1371 0 R /XYZ 56.6929 794.5015 null]
+1383 0 obj <<
+/D [1381 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1370 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R >>
+1380 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1376 0 obj <<
+1386 0 obj <<
 /Length 2840      
 /Filter /FlateDecode
 >>
@@ -5379,28 +5416,28 @@ x
 G¬ä¤"î>—‹_„ºxˆ”ØÜ„r†¾¬èõÐtß•ÎÝ8ZfÀ$_؃œù™Œ2·2âмûðýÍ?¡9~ׄ¡¬=óAIñ˜Y	çm¯”ûª)N57
 ,be2¢úÿ§‡Õendstream
 endobj
-1375 0 obj <<
+1385 0 obj <<
 /Type /Page
-/Contents 1376 0 R
-/Resources 1374 0 R
+/Contents 1386 0 R
+/Resources 1384 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1378 0 R
+/Parent 1388 0 R
 >> endobj
-1377 0 obj <<
-/D [1375 0 R /XYZ 85.0394 794.5015 null]
+1387 0 obj <<
+/D [1385 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 378 0 obj <<
-/D [1375 0 R /XYZ 85.0394 568.882 null]
+/D [1385 0 R /XYZ 85.0394 568.882 null]
 >> endobj
-1097 0 obj <<
-/D [1375 0 R /XYZ 85.0394 545.0538 null]
+1107 0 obj <<
+/D [1385 0 R /XYZ 85.0394 545.0538 null]
 >> endobj
-1374 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F62 1085 0 R /F63 1088 0 R /F21 730 0 R >>
-/XObject << /Im2 1074 0 R >>
+1384 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F21 738 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1381 0 obj <<
+1391 0 obj <<
 /Length 3373      
 /Filter /FlateDecode
 >>
@@ -5417,22 +5454,22 @@ D
 ­3Õ#ƒì\^TpCFºôNK·u_‰FîÈ–4ÿ"7Úû.‹ûêšÚ¤$ÒŸ'‰­”³*º'5zfÀŒrqòœ(Õž½(gÎúg®D}ªG—©˜ìf/¹)ðDøæ{‘‘Žj„“áÙi¦ƒôCV^c8vY*·u–³½4!Þ¡8K²y §
=«ªOf‘ª»(°4ëü—Fc«ò'Ë¢Zµ‰éÑß!h@˜ÖíÞ¾g(ïüf¦™J§žEIÊÕ¼E¥/wg£¤ß­xª¿"Jz̨ðÎ.q.J
 €ŠN™ðL”N1¡ÿÚ(‰wt.þQ²?ó…()4>Å;z
{ŸWøô	ÃN³§Æ³a\¤Èñ^WI¬¥ÇNVƒz0M¦ƒƒ FøôÝÆxMfé¢"R4TÞ¥6^e1+Çíƒö¾Ù¯©^¦×W«Î§Ì²®“>#°> endobj
-1382 0 obj <<
-/D [1380 0 R /XYZ 56.6929 794.5015 null]
+1392 0 obj <<
+/D [1390 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1379 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R >>
+1389 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1385 0 obj <<
+1395 0 obj <<
 /Length 3308      
 /Filter /FlateDecode
 >>
@@ -5449,49 +5486,49 @@ JQ!
 zhÇ@c“ýUlöºéó}¼ÝTû²™2Y<m?C…[ÓÌÒY«;\¬ÆN£¾,´Y+â·R‰6òˆr ¢DÆåÅlâVó³xbÑd»¦­U°¾)i¹+¶ÝÉìdÁƒDËö¸·.þU”RK †Pôóéžü¢OËø5øäùV«qÑW9>¾’ÚÀú¤ÝÀ±ÊŸ:¶‰Â1šy|0üÜ°t0‹gêâV~ÂÆAhŒôëbÿÛ>ªÒñdŸ+7°füu=J½`ÃXÚ„ ƒ­ÏS(UÁ¸”ƒÒnÛ<+èëPìí²ܶPí1tâ›q„5š8&q1!D6ô†\Ù€Ž7ÔüSå:&¨™ƒÜÀ«Êï¾,§Î
õ×^¶<ÃÕg&”ó0g#›³=àO™ž(ƒ‚½ÿ†Š-°H̨¨@I…#ÞPíi©ž¢®÷Ù±Ýo"íË`x¤\ðLØü˜&N~HM€	Ûç?ƒ÷¥NŸ·R>[U»|
 !¸à€kâ…‘[©‰¡RüÝÉÑØ7×:¨÷êï¼E7b\‘‹
Žvö›mÊ›	í£_LJ4fÖšÓƒ‚4¢Ú“è“ëdY¤†¿ð™Nè™_È!oVÖdÓ‹‚vŽŸ¶;\’4aŽëÁÀäIÇ{+7”m©í×Ä1obÍ7ÖTØnâû-x]á)}¼VRtãt+7“+†_S—~ýŠÁ@ñ'rL"I­G'Ä(¤¡`lÉ¿ë4=îõ›—êM\MÆ1Uøõ‹Lbð0—pf{®ªƒT¬ñwMx¥¯»cç-ýÇ3oO;ÍkêWcR''²k?€~ó/ʺŸÛó“Öž8á•Ò>žÌ£|Y#Ož*Mÿ?ÞáìŒendstream
 endobj
-1384 0 obj <<
+1394 0 obj <<
 /Type /Page
-/Contents 1385 0 R
-/Resources 1383 0 R
+/Contents 1395 0 R
+/Resources 1393 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1378 0 R
-/Annots [ 1388 0 R 1390 0 R ]
+/Parent 1388 0 R
+/Annots [ 1398 0 R 1400 0 R ]
 >> endobj
-1388 0 obj <<
+1398 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [471.1233 444.3406 539.579 456.4002]
 /Subtype /Link
 /A << /S /GoTo /D (query_address) >>
 >> endobj
-1390 0 obj <<
+1400 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [389.4645 175.6376 438.2112 187.6973]
 /Subtype /Link
 /A << /S /GoTo /D (configuration_file_elements) >>
 >> endobj
-1386 0 obj <<
-/D [1384 0 R /XYZ 85.0394 794.5015 null]
+1396 0 obj <<
+/D [1394 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 382 0 obj <<
-/D [1384 0 R /XYZ 85.0394 500.6173 null]
+/D [1394 0 R /XYZ 85.0394 500.6173 null]
 >> endobj
-1387 0 obj <<
-/D [1384 0 R /XYZ 85.0394 478.0377 null]
+1397 0 obj <<
+/D [1394 0 R /XYZ 85.0394 478.0377 null]
 >> endobj
 386 0 obj <<
-/D [1384 0 R /XYZ 85.0394 255.8247 null]
+/D [1394 0 R /XYZ 85.0394 255.8247 null]
 >> endobj
-1389 0 obj <<
-/D [1384 0 R /XYZ 85.0394 230.7743 null]
->> endobj
-1383 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F62 1085 0 R /F41 959 0 R >>
-/XObject << /Im2 1074 0 R >>
-/ProcSet [ /PDF /Text ]
+1399 0 obj <<
+/D [1394 0 R /XYZ 85.0394 230.7743 null]
 >> endobj
 1393 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F62 1095 0 R /F41 969 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1403 0 obj <<
 /Length 3440      
 /Filter /FlateDecode
 >>
@@ -5511,35 +5548,35 @@ G=
 ÞÀ-¸Ò?ŽòhÒg{zf:ÙÊšécÉø„W+B)èæ-^SKål:I&G½>Ê(%Ã.-W¾Œ~¬Ûò©¦"¹tQÆ“=ð‚h£ÅW2w×ÿC;ŽS”úŸd'Z¨öµOûDL9c2¾ž@›ï[[l»ßDÀWÐÇ¥_sýb[§kÛú¥ržÑ÷ûæÀ]Ó‡ño3©ˆ¾+zu2T$p3¼µÂ¥ö9þøc™
 œž­ìJJ]>.(5{E„x[~xK]`€úŠ”0ê³7©ú¶ãuš~•zîyÝœšÞê`eØ‹ÉP¹¯<‰¥}¦Z\úH¯ì+·X®Â¸ÏÑdTþ¥³9{èòsTsá@¸ñ-ÇkåS÷]*¤äQš¼R!]v¨ÉǺ /!¦<μgˆÐ@ØruûéåþÓD'¦×Ü1ìN3Ó	&R–ÊÝÒ¾Û:wgÜþêœëuOaô¦âÅNÅsï7w›:Ô¶"˜U§¥©½/u‰á9Œkú.F=áß7tNò°E½*ûÌõ	;hˆÕ¯‚4¼#]ñضy&`—×'‚\ÄÏØCÒNKæLùY„œBC÷·¦¾²¾ôÃ9`þÚm†£ðÇjñÿ¨nøÅ¡N!v6’`ˆcñ—&ÊåÞæõK]à_ß½$ý¿é©IVendstream
 endobj
-1392 0 obj <<
+1402 0 obj <<
 /Type /Page
-/Contents 1393 0 R
-/Resources 1391 0 R
+/Contents 1403 0 R
+/Resources 1401 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1378 0 R
-/Annots [ 1396 0 R ]
+/Parent 1388 0 R
+/Annots [ 1406 0 R ]
 >> endobj
-1396 0 obj <<
+1406 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [347.1258 495.0249 404.2417 507.0845]
 /Subtype /Link
 /A << /S /GoTo /D (journal) >>
 >> endobj
-1394 0 obj <<
-/D [1392 0 R /XYZ 56.6929 794.5015 null]
+1404 0 obj <<
+/D [1402 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 390 0 obj <<
-/D [1392 0 R /XYZ 56.6929 628.3918 null]
+/D [1402 0 R /XYZ 56.6929 628.3918 null]
 >> endobj
-1395 0 obj <<
-/D [1392 0 R /XYZ 56.6929 604.1707 null]
+1405 0 obj <<
+/D [1402 0 R /XYZ 56.6929 604.1707 null]
 >> endobj
-1391 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F48 975 0 R >>
+1401 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1399 0 obj <<
+1409 0 obj <<
 /Length 2836      
 /Filter /FlateDecode
 >>
@@ -5562,34 +5599,34 @@ jj:Õ›
 Þ/%oغâÁ™(ˆnµâ—,ææmÀ‰…õHøúTâ9óÐõóŽ‚×1u¬ŠÞbN9€q,‰ø–}XGEl8Æ"8Áý_‘ü‡	Ì;òFŽC²%F:Ž
‹âùïaÓJ'þ„7ºW)Þç¦Îä/#&ú½2“£¿“`ày/ÓÔÑ()´þûßî§V¤ÁãŒb¨~¬ßå æRŸ#3½Ç…ºˆûÇ èHA_~PóM,_ÖM,®‘‹kü>ÃY‰pPlRËÝÐg0EY›à_àÀ¢dê´ÆÄ=ר”±°ÙIehø/ø›"½‘':$GE
=IàÐ@¢	ŠjjŽÕƨfP5Öù¸:cæ”,{æáBå]|Ãd8û_9·ÙýCUi¢lwÇ Þã'H³“Пªü
 çàûoGˆœúa[Ûž(îE_<ýé½÷ÿ#Àd	$ò'~žÔ"MrUdQ©›ÛCÍû_ÇUÿÅ\/~endstream
 endobj
-1398 0 obj <<
+1408 0 obj <<
 /Type /Page
-/Contents 1399 0 R
-/Resources 1397 0 R
+/Contents 1409 0 R
+/Resources 1407 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1378 0 R
+/Parent 1388 0 R
 >> endobj
-1400 0 obj <<
-/D [1398 0 R /XYZ 85.0394 794.5015 null]
+1410 0 obj <<
+/D [1408 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 394 0 obj <<
-/D [1398 0 R /XYZ 85.0394 732.1335 null]
+/D [1408 0 R /XYZ 85.0394 732.1335 null]
 >> endobj
-1401 0 obj <<
-/D [1398 0 R /XYZ 85.0394 707.0477 null]
+1411 0 obj <<
+/D [1408 0 R /XYZ 85.0394 707.0477 null]
 >> endobj
 398 0 obj <<
-/D [1398 0 R /XYZ 85.0394 332.0911 null]
+/D [1408 0 R /XYZ 85.0394 332.0911 null]
 >> endobj
-1402 0 obj <<
-/D [1398 0 R /XYZ 85.0394 308.176 null]
+1412 0 obj <<
+/D [1408 0 R /XYZ 85.0394 308.176 null]
 >> endobj
-1397 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F62 1085 0 R /F41 959 0 R >>
-/XObject << /Im2 1074 0 R >>
+1407 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F62 1095 0 R /F41 969 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1405 0 obj <<
+1415 0 obj <<
 /Length 2942      
 /Filter /FlateDecode
 >>
@@ -5607,43 +5644,43 @@ P
 .­ço†-ïÜcóÙ6… Øº,¾u„·±÷@”€êš¾׆Ëù”â‡Ì2ù¦®k~šˆgXeš˜Ÿ	EKŽ#tÒ–ï®u2Œù+G¤qbô-§46ºÜ^#±òç`ËGiÿ_'ŽNŒÇÜ#Vñ”=ÖÏPÊw
 Žÿ‚“Ç'Ÿœx†ÅÉ$8yLpü™‚/dq±ÝUå´m(§Ë»Þ·û™–Ô1þnj¢¡Îú_&}÷O¸ö?WÁ~¸1âHg>…Ðh€ˆcÊþX%9àœ³XÈDL°þ_):˜æendstream
 endobj
-1404 0 obj <<
+1414 0 obj <<
 /Type /Page
-/Contents 1405 0 R
-/Resources 1403 0 R
+/Contents 1415 0 R
+/Resources 1413 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1378 0 R
-/Annots [ 1408 0 R 1409 0 R ]
+/Parent 1388 0 R
+/Annots [ 1418 0 R 1419 0 R ]
 >> endobj
-1408 0 obj <<
+1418 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [213.6732 587.5427 286.8984 599.6023]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1409 0 obj <<
+1419 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [209.702 509.8341 283.4678 521.8937]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-1406 0 obj <<
-/D [1404 0 R /XYZ 56.6929 794.5015 null]
+1416 0 obj <<
+/D [1414 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 402 0 obj <<
-/D [1404 0 R /XYZ 56.6929 654.332 null]
+/D [1414 0 R /XYZ 56.6929 654.332 null]
 >> endobj
-1407 0 obj <<
-/D [1404 0 R /XYZ 56.6929 633.0122 null]
+1417 0 obj <<
+/D [1414 0 R /XYZ 56.6929 633.0122 null]
 >> endobj
-1403 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F62 1085 0 R /F63 1088 0 R /F21 730 0 R /F41 959 0 R >>
-/XObject << /Im2 1074 0 R >>
+1413 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F21 738 0 R /F41 969 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1412 0 obj <<
+1422 0 obj <<
 /Length 2657      
 /Filter /FlateDecode
 >>
@@ -5659,42 +5696,42 @@ rо
 `=܆«¨–&Æå}gµ/úù’ù›Õ<•Ü«¾D½„VÞ§Hu~áž6˱­÷pq¶^aÍxIxð+×ÍåÀq²þQ¹íì#ÁØ£·‚Åibiú‹ƒevßä¡è¶‹Ë_}e5I£;«#¶N–ù’®Žç„M4ròE]¼WÈÂEWV‡ÎÂBì66á„šFAb×
𠂪y!2÷hîoPZ‹@ˆ)¥c8?5¡Œå¬|ÈvÍ°F|y9æl‘ë$Ô£Êô¾Ÿô1Ä@òÈÉ-’Çõ¹ý˜Yâ)%Ÿ]“LpïêkAƒÍ&Ϭ,}‚±›P®«Àú©4„LGè	ÕŽ &)‹¼!‡n ™”ü€†Ï¹‚d"0Õ¡¨[W;x>$‡#Hî®zJR/†¶Î÷À¥á+ÓÌŠ™b.ºˆBÇ»,%âÀ›_Á_>?xJ†’¥àë©
„f¿Í¡Òáh¢¶Õ´·€íx}¾æ³jÐg©ø."ÆV%8Ëâ*]Š5'ÔÞ)3N¥spfÈ+`¡1°ÀÖ6/óÁ	_ðœÆ§‹?°eÀ£¤4}}8¶(¤(‰é|ø†8?>æ´/`$SlÝ%×Q}ç[Õ¹Ì:+6šûÍó×cc„•cˆòU6ØxÅ$°3¼ù°¼f~âí\’p䃉8B¤3g…çì&Æ/Ý݉ñ×#fŽáò,à ‡¿&Š£à¥-Öù¾6˜¹Ùù„y/eŠ:7Ã"Ò}Ø¥ÚÝêÁÓídhà§>xÌ{JlínŸá¥4ÀµÛ’L
 È‹îö{ùŽÄ½¯øÌ7IOâ^•Ñ$™*ÞÓÙ“	àsÿ7¢G‰…}è:"TB.Ó±e»¢ðT‘èÿõÄ^‡endstream
 endobj
-1411 0 obj <<
+1421 0 obj <<
 /Type /Page
-/Contents 1412 0 R
-/Resources 1410 0 R
+/Contents 1422 0 R
+/Resources 1420 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
-/Annots [ 1414 0 R ]
+/Parent 1427 0 R
+/Annots [ 1424 0 R ]
 >> endobj
-1414 0 obj <<
+1424 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.6787 518.4396 427.332 530.4992]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1413 0 obj <<
-/D [1411 0 R /XYZ 85.0394 794.5015 null]
+1423 0 obj <<
+/D [1421 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 406 0 obj <<
-/D [1411 0 R /XYZ 85.0394 589.0297 null]
+/D [1421 0 R /XYZ 85.0394 589.0297 null]
 >> endobj
-1043 0 obj <<
-/D [1411 0 R /XYZ 85.0394 561.4384 null]
+1053 0 obj <<
+/D [1421 0 R /XYZ 85.0394 561.4384 null]
 >> endobj
-1415 0 obj <<
-/D [1411 0 R /XYZ 85.0394 435.7497 null]
+1425 0 obj <<
+/D [1421 0 R /XYZ 85.0394 435.7497 null]
 >> endobj
-1416 0 obj <<
-/D [1411 0 R /XYZ 85.0394 423.7945 null]
->> endobj
-1410 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R /F53 1052 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R >>
-/ProcSet [ /PDF /Text ]
+1426 0 obj <<
+/D [1421 0 R /XYZ 85.0394 423.7945 null]
 >> endobj
 1420 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1430 0 obj <<
 /Length 3273      
 /Filter /FlateDecode
 >>
@@ -5718,36 +5755,36 @@ v
 O+<ã1Ïý†Â°Î(|ÀêZÅv
nt¹Äá»îùä°Çnë×cÜ0xTƒj',QçÐaMœaT’'	
 ¤P£C,ðc(7ŒJë_ ƒnÑmnqÀG|„/8`A£l_dîw‡Ý޻ɟŸ¢I9÷·,Ã7Úuð÷h2¿çƒ\©Ä/1º/&¯„¥(ã<Ì&XB¹÷ØýhÁª‡„Ún1äåy±õŠ	p[çe³¦¯GLÏiö>õå‚ô*8•Ã#YcÅ!¦Lh”àA¡d¼Cq…;Ä€‡}‹cákôÁž£k}xí!°ƒd.î‚öíKB3o¶ù3áuŸÝÜÖ«hªTußK[ÕM¨TÚ6dÓ#}ðÕÊsÈ”™¢î± FšH‘É€Àk»ßPMè1ëØ7ÿT«ÿÔÖ2ËN|çi«6!¦¼SÍŽÝý¦ë˜õ?ŸH´Âendstream
 endobj
-1419 0 obj <<
+1429 0 obj <<
 /Type /Page
-/Contents 1420 0 R
-/Resources 1418 0 R
+/Contents 1430 0 R
+/Resources 1428 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
-/Annots [ 1423 0 R ]
+/Parent 1427 0 R
+/Annots [ 1433 0 R ]
 >> endobj
-1423 0 obj <<
+1433 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [286.8324 392.4739 335.1613 404.5335]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update) >>
 >> endobj
-1421 0 obj <<
-/D [1419 0 R /XYZ 56.6929 794.5015 null]
+1431 0 obj <<
+/D [1429 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 410 0 obj <<
-/D [1419 0 R /XYZ 56.6929 769.5949 null]
+/D [1429 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1422 0 obj <<
-/D [1419 0 R /XYZ 56.6929 749.8269 null]
+1432 0 obj <<
+/D [1429 0 R /XYZ 56.6929 749.8269 null]
 >> endobj
-1418 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F48 975 0 R /F62 1085 0 R >>
-/XObject << /Im2 1074 0 R >>
+1428 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F62 1095 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1426 0 obj <<
+1436 0 obj <<
 /Length 3991      
 /Filter /FlateDecode
 >>
@@ -5764,44 +5801,44 @@ XÛ­
 q.¯^Ø©É$Ð
`÷Ô.V˜VC¤! ®'W¤¨*NrBq¥Â¾4`ʼ³rðK¢.é~¼ Øsd ª0Ä;÷ÅWËäºËôumýl—߇)²n#ÇLµú¸£.6¾Ò«ù¨¼$GG2ÒÕÕ)Α£âcÙR@Šº™eÁîߊ@òYQwÝÖïVðeW|Ši*mQ³JÈ|	r¸ e`/5º°‰µÂÚ%sìØ6ÞT%«³¯'‰Ñὺ¼RÿDùt¸z$%ÄZÍ7s÷iºzîw÷;îèygªƒ¼ú›¥»Å= VfJc! ¦­Ü79›!ì³ÈXO7)Ò¸¼OlcÃcuûr~—îÀÔg2¸‡!ìÄ'0‡ÄÔ=aëˆsKŠªáØvvœ¡!3Q.**0v!ñ‰”PÞ¶]uÊ—ÔÈÆ“4Åì>f+Y7-Ó:·o˜-8àjÞÔè°@ÃóêŠòTjÏ3'èYÌz¦G>ÑÐg(ðþÏøoDh'ÚYÆ:›=ûŽÔU,Ó Yÿ	{%„œÀªÑ›Á¿Ëc)âzÄãXeÄãXÑ÷Ø1âqœ*/z*ó›~¦¥ùÃÑ1
 »6í€üA«O4¿hµ:[WwȯK‘±”’š9¤“fü¡—‚o³ÜÇñWãTXóGÅ1Öõ85`ñ{nµ{]—¶.^/ñör}{÷€µ°ýäBcåN÷'¯œâH~…ê’q*žbT
 }éµ/ý‹µa¨á4	à *é$|6êã‡H~8'o
-Ýý ñvõ´|L ªp†t^õ2¸=A.å"Iè9äÄÍÀ¯ÿdk+ÄêÇ¡ªûµÏhBØç²JçBBã²ÖAm„LU	™ý²óbø*JeØö¹*-¿åR¡'[wCMˆeUì›Ìû–'TÐðøƒú6û½yÂ.WéÏðíÈ[D¿Cµ›¿p>IÃçþcg‡²]÷íqíjë²Eë¿TšÑ*JLê-ù¦jÊåB°J¥×6G’N¯•@À5èÔ‡ïþðö—/+¢ðg!šwI·Áù¯uÎŒÉ|(?ãñŠSOã°9b´¨X€ÃW^GÂ7ox¼D~çqäü
ìýR]çkNžF”Ì+}i3t”ÇBiY0Œt›„‹µF	“ÌIÍáw”‰M#ñi K¾s€•ÉPwô_X–¢zLÂàš\”iÇŠ¾Šl4Æv>2ÐàâŽ'f]#Q‰,ŠAly÷Ÿ–!˜Š4ö2û?acþJ“=4*áDèsSo´²(Õ2²ÁÊäÙèëShtƒcAžbqqÉ¥Ë(S!)vï^õâ°³×Õ‡óŒëÃøúpž2+sç¸;Þàwxø°ú^Û€u5Ð<óSÓUCvñNeÕ›z²òÝËŽß>/ˆ«¸÷¶é¿þÄú¬{qé,SWÞ%E,ÎSO”sùœòð-ö%éÿaŸ»endstream
+Ýý ñvõ´|L ªp†t^õ2¸=A.å"Iè9äÄÍÀ¯ÿdk+ÄêÇ¡ªûµÏhBØç²JçBBã²ÖAm„LU	™ý²óbø*JeØö¹*-¿åR¡'[wCMˆeUì›Ìû–'TÐðøƒú6û½yÂ.WéÏðíÈ[D¿Cµ›¿p>IÃçþcg‡²]÷íqíjë²Eë¿TšÑ*JLê-ù¦jÊåB°J¥×6G’N¯•@À5èÔ‡ïþðö—/+¢ðg!šwI·Áù¯uÎŒÉ|(?ãñŠSOã°9b´¨X€ÃW^GÂ7ox¼D~çqäü
ìýR]çkNžF”Ì+si3t”ÇBiY0Œt›„‹µF	“ÌIÍáw”‰M#ñi K¾s€•ÉPwô_X–¢zLÂàš\”iÇŠ¾Šl4Æv>2ÐàâŽ'f]#Q‰,ŠAly÷Ÿ–!˜Š4ö2û?acþJ“=4*áDèsSo´²(Õ2²ÁÊäÙèëShtƒcAžbqqÉ¥Ë(S!)vï^õâ°³×Õ‡óŒëÃøúpž2+sç¸;Þàwxø°ú^Û€u5Ð<óSÓUCvñNeÕ›z²òÝËŽß>/ˆ«¸÷¶é¿þÄú¬{qé,SWÞ%E,ÎSO”sùœòð-ö%éÿhͽendstream
 endobj
-1425 0 obj <<
+1435 0 obj <<
 /Type /Page
-/Contents 1426 0 R
-/Resources 1424 0 R
+/Contents 1436 0 R
+/Resources 1434 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
-/Annots [ 1428 0 R 1433 0 R ]
+/Parent 1427 0 R
+/Annots [ 1438 0 R 1443 0 R ]
 >> endobj
-1428 0 obj <<
+1438 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.2799 485.9484 410.176 498.008]
 /Subtype /Link
 /A << /S /GoTo /D (zonefile_format) >>
 >> endobj
-1433 0 obj <<
+1443 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 73.4705 144.9365 85.5301]
 /Subtype /Link
 /A << /S /GoTo /D (view_statement_grammar) >>
 >> endobj
-1427 0 obj <<
-/D [1425 0 R /XYZ 85.0394 794.5015 null]
+1437 0 obj <<
+/D [1435 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 414 0 obj <<
-/D [1425 0 R /XYZ 85.0394 144.3392 null]
+/D [1435 0 R /XYZ 85.0394 144.3392 null]
 >> endobj
-1432 0 obj <<
-/D [1425 0 R /XYZ 85.0394 119.1174 null]
+1442 0 obj <<
+/D [1435 0 R /XYZ 85.0394 119.1174 null]
 >> endobj
-1424 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F11 1431 0 R >>
+1434 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F11 1441 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1438 0 obj <<
+1448 0 obj <<
 /Length 2834      
 /Filter /FlateDecode
 >>
@@ -5813,27 +5850,27 @@ xÚ½]sÛ¸
 \í®ÚÚ}à¾Q:´D
p cUŒËÄQ>Ø+Á™æ§õö™ê\H*n£rˆnÀšŸE¡h_l°YŒ.±¼
æoÝS¹¸nžvÍ‘†ÿÆ—‰¾àÝ6Q[™\H-çÆþZÍëÊœ€Úg3ˈ6¢˜W‚â1Ü}¼"xZZb«;úÚ[ 2ß­eP•ÅOÎ*æ¬jË0%|š<˜’>7z)0RÒ-Ô+m¬WVû'[š@ÍqŸÑ—ƒ!¿%HQmš&Éê*§$ôê­Ä«ða\VMŸx
9ŽF¦Kl}‰€eÙdû2kþdéPplFì¥zí@­YöàոɱÏRzE™T­ÌßTt£Jf¦–„!ÆK½K7™Ý@vhû’ÖW¿\üpµ\ÑŒVë]UÖ´A’ZRù4»T%jÂ.Ý7ùf1t.‡"5Ý.ÞݱhIEº:rvƒ	:Z@«NCò„§Û­˜¤Ðù‰f·ïßѸËb»Çœv·¦çRB»B}œÂÑ¢uE[órS¶ÙZ$±'KÞ“ÖIb€/?}	d\€ž´†Õ¹(bÀÅñ¥Ì¶:hC¶”ø¼È˯c4Í#%ni.ùÜIìRíC¾wŸn¾Ú׸ž€0FôËfKF‡òkY=—/v²–GPÀý$$„´WŽÒ¦Á„Cã~ðÝfLO¦£ÃiŽu»P¦°~ºÂf
Kª°o4Û#²ïy-%ŽÍ¡ -;‡r"ÿf7âoº´!èNò˜Â©>SÚÚ.0±
ÑÃi{ŽmEÝ>Å;˸¾I­`D¹A­Mæpé›u)ߪ#wt/«PEeƒÖ_»ÓÛöÄ¢´[Š¼nú
Ò	/ëyý—sùßß"(¥G¸ð±L«wžWTqÊУ…RàÊ´ÕüÓAÍ{L…†²/L^¯}¨Y̧~¨ó±F´wX“Ú1í´?e:¬½ÏT0üQM¼^{…i2©½‡5¢½ÃšÔ~Œi§ý)Óaí}¦š{ÿÿ«­ B¦£I+xX#VpX“VcÚYá”é°|¦ûcÿ–ŸÂi‹!\–“ó°F,æ°&-6Æ´³Ø)Óa‹ùLùÿÁb<Ž˜”\[ÌÇ:o±kÊb£L[‹½`:h±Óköµ}æa„Ï«Sš{X#š;¬IÍǘvšŸ2ÖÜg³›Ñ]Å,H&u÷°FtwX“º1ít?e:¬»Ï4ù1ÝEÌT4©»‡5¢»ÃšÔ}Œi§û)ÓaÝ}¦W?¦{³Xs9¡»‡5¢»ÃšÔ}Œi§û)ÓaÝ}¦oÏêŽ×4KüÁÖt(Ý=iqÝö\u/E¯³¦Á—Vš™Ž‡ÛGCÐ_±à¨€ö¼°L«0Ó´ÑÆÝŽ†ŠN»µ¶x´Doñ´\1\ÓKï–0²‰u+ñÀ‚AjèÛ³}ÞJЬ{°Øþ5.™ÞWš“ÖîìkeEÀm'@x°àÄhoÍæçËÛ˜Qº:3JkFóð£çk<=Ë[å}¾|Äj	:-[LOV×e¾¡ñ±:¸V¶ìáž¼Bx/l½žØuÂ-¢UÅ@…,z¦Áf÷{ú´+²ó½-ö	ƒáÿíéþá?`ëÂ[Á…Çb8ÐD„?T+Z<
 ^þ|iÿÒí¥èÿM» endstream
 endobj
-1437 0 obj <<
+1447 0 obj <<
 /Type /Page
-/Contents 1438 0 R
-/Resources 1436 0 R
+/Contents 1448 0 R
+/Resources 1446 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
+/Parent 1427 0 R
 >> endobj
-1439 0 obj <<
-/D [1437 0 R /XYZ 56.6929 794.5015 null]
+1449 0 obj <<
+/D [1447 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 418 0 obj <<
-/D [1437 0 R /XYZ 56.6929 502.1235 null]
+/D [1447 0 R /XYZ 56.6929 502.1235 null]
 >> endobj
-1440 0 obj <<
-/D [1437 0 R /XYZ 56.6929 472.2328 null]
+1450 0 obj <<
+/D [1447 0 R /XYZ 56.6929 472.2328 null]
 >> endobj
-1436 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F14 757 0 R >>
+1446 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1443 0 obj <<
+1453 0 obj <<
 /Length 3264      
 /Filter /FlateDecode
 >>
@@ -5850,28 +5887,28 @@ M;T6
 4¡1Køb
 {qWz*÷û9…æãC;×!nÐ…(l0Ê:kr‡7VÚ‹°ƒ¸	U«à§æ	?óâw{W$¹mjHfjH0‚Hó³‹þÆ°\Xƒ€£»ãqæ©íÆ5K®
#Gàñfü«ßtrÑZÉ퇣‘Q©ãQGlUÐÒc¥}fÁVû"ÔÒWfüý¯«°å¬×ï‹¢,]
ì§MÓNËí^\6{þ~¯)ÎŒòè!ûÑ/¢¼Ó	¦„ÍiCŸ	.lVgPS ßÍÁ4èáC&3W2¥G&þã;Pü‡6¤Þó,Šd,J©`73¤xx'©|ÅI|“ØtZ¦ÞœçÖ†ýÑë|d;ög™Ç—˜3ýCSû–{®ê–z9ý´‡œ<*
êþpOćXÐ3;ˆìU)	¿ü'¸vNÍ€ƒÝ×mº/ý.\ýMÚU€,™þ˜a†/]Ëc˜Yáî1½¼»E8yç—Ü6{¨J‡õü3@θ¶?rŸ}^lŽ¾ðzá™`!ñÁÞBªôÏ…ëÿ@™ÿÆgá¥UßÛÿòŸŸõ¡ÄPY/?Ù*‘DY…‚§òRòáoŽž‹þ?­¿šendstream
 endobj
-1442 0 obj <<
+1452 0 obj <<
 /Type /Page
-/Contents 1443 0 R
-/Resources 1441 0 R
+/Contents 1453 0 R
+/Resources 1451 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
+/Parent 1427 0 R
 >> endobj
-1444 0 obj <<
-/D [1442 0 R /XYZ 85.0394 794.5015 null]
+1454 0 obj <<
+/D [1452 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 422 0 obj <<
-/D [1442 0 R /XYZ 85.0394 398.7344 null]
+/D [1452 0 R /XYZ 85.0394 398.7344 null]
 >> endobj
-1020 0 obj <<
-/D [1442 0 R /XYZ 85.0394 373.8645 null]
+1030 0 obj <<
+/D [1452 0 R /XYZ 85.0394 373.8645 null]
 >> endobj
-1441 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F62 1085 0 R /F21 730 0 R >>
-/XObject << /Im2 1074 0 R >>
+1451 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F62 1095 0 R /F21 738 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1447 0 obj <<
+1457 0 obj <<
 /Length 3454      
 /Filter /FlateDecode
 >>
@@ -5889,34 +5926,34 @@ A
 SÛgoø5ˆLsÔ3º<ÊüùHŸ™ªÎ5꺮\6@gÈê '0ÅFµÌL()a†À¤ãùàI)e=R¼.95ƒßó®ËçÚg á5•Û»³08/¯ÃÁ…Ëò?£Ì”½'=I0yŒåòäüvæ$Ú}”]#Ÿ÷ÃQ]wŠYÓOÃt]F…YY­tÀü–fç¼ÞÅÜ“bø…6M§ÍfMµfëé(ºm³þÀ½žÞÑ”Ÿʱþ˜÷Ëc/-½ny—twGF$®@ÆüäòÞÏ.®©ïšÎ¹m}*½á•Úùº\qN|ÞlªEŸ~¯ƒü;uzêzÅÓMÝ‹ÒçìÃ.éz™WU³åìž ˆâx¸–“w(oÝ›SdXs±IðÑ'Í”wÅÞºYð’”^ê™=U3ï‡ù[q+Ò£@Ä¨¿î¨ÿšWr™] Æn­vyÕ™Ì"&[
œn‘{IsPôÁ+«|…GvSïó²rïãÔ쨼ëºÕ7ÏŸ¯šu—W"Ÿ/YÜÛçó²Ë]Bk~³ük¹ø³Ô`çM,\™¥dÜ¥ÜCÖÝÚ÷P?¸	eÁ¯þ±}ü0ñµ¿¾~ùy³`¢óBƒÝ÷WGþ2ŠÃ dÎ<¨ºñf2|äÁW‹ØÅÏëùµ³Óɶɻ¥ý¨ÊWni…‘¦7ÔbCR5CVÚ}œªÉÈ,¨†! ]†ïhEÞ1YX½¡T¶æ·eù8|cvýaL%eÀ==W†]ùWÞÞ1“\yó¸Ç±›f§™Î	¥ÓMU´ßŒ`= ìa»xï?T„„½ ®ÿR¦OÂ_¬üÊOy1vèÁîÑ~ÚJ‡§ŽD¦bÛƒ§‰5•»çÒOo¯°U]ËýT8³‹•ÙÅŽ’—#ap“É*aµ—êo¸¶Y
I!‰p=¡3r6‡©v	çÀ劽ùÙè“ÓP{‚wbìtPà ®ö#„-4ôîØS•
 /|姘'g$·p60ù±„-æ\µŠ:Óƒ§3›¦Ó÷e=/öFHtqšŸæè»Wý#šÏîQføûèöÜÎpWSƒ€LÚ–2ð:I‚|_¸û0G	À$øçö±«9£?¸_ÀøW¨8¯‡U;½Óç~;ÃV56Ä#0Ž¥o(ïXæTTÅmÙ•ÀžXO˜GG%Á}'þÛ-=xe\Úe•{F9°†ûœòð£`ýàgLé“r¦Ó€úq‘WÇ~D¨!~Ö£¿W‰&þ¨ŸýÃݯ/M"4úØѾ¨‚ôa¢ðtÉ!åÎ÷[5Búÿ‡˜Çendstream
 endobj
-1446 0 obj <<
+1456 0 obj <<
 /Type /Page
-/Contents 1447 0 R
-/Resources 1445 0 R
+/Contents 1457 0 R
+/Resources 1455 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1417 0 R
-/Annots [ 1450 0 R ]
+/Parent 1427 0 R
+/Annots [ 1460 0 R ]
 >> endobj
-1450 0 obj <<
+1460 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 268.4593 65.4379 278.099]
 /Subtype/Link/A<>
 >> endobj
-1448 0 obj <<
-/D [1446 0 R /XYZ 56.6929 794.5015 null]
+1458 0 obj <<
+/D [1456 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 426 0 obj <<
-/D [1446 0 R /XYZ 56.6929 601.2567 null]
+/D [1456 0 R /XYZ 56.6929 601.2567 null]
 >> endobj
-1449 0 obj <<
-/D [1446 0 R /XYZ 56.6929 572.3004 null]
+1459 0 obj <<
+/D [1456 0 R /XYZ 56.6929 572.3004 null]
 >> endobj
-1445 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F11 1431 0 R >>
+1455 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F11 1441 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1453 0 obj <<
+1463 0 obj <<
 /Length 2628      
 /Filter /FlateDecode
 >>
@@ -5936,33 +5973,33 @@ x
 péqu	ƒMM“£“3"3x’*SªÔ$÷D4ŸAôWTAå\&Ãæ¿è™®+á[gƒ2îé;Ü4‰Â„mŽúÏË©Æ3Ô¬‘²¨‚“$ŒHŸ•´Ï¸a‚Mýà[n(±÷ynI®l°#—e¦Â†aÊkCׯ«·)õN—Œ¿%äÝÏПË8±\=ÏŸ¹yª=Ù’ÒTØÞѦú?7å}Âv+âH½Äx~à=9¾ýK_Š
…­ÈºåãÑ×-´&ûpLR¥Bì[=2R½“…ù-£Dì¼k“±¤+ýŒÑbUÕ‡¨
"×XÀ ®€l‚Gãä 6Ä€rlB?QÉ3V/ÐO˜Äþ”~¤‘lxÈ‘l§gy<Úÿÿ=kBwr·üßdH '5A®—i_vÓ,£Â@Q'
 ¦hÒΨ«+ƒÐèãìs›qlÚÛð];jyÃØôMpÿ"Íù€´KQsa%`óuÀ,:ú¦L…û8¤?þpÄWÈÎD’]öiNäT|,P:Ʀ_Í	µã¿¬nmÆeõнÍÄËÉÂÿ1݈íCüü”õÿIH8endstream
 endobj
-1452 0 obj <<
+1462 0 obj <<
 /Type /Page
-/Contents 1453 0 R
-/Resources 1451 0 R
+/Contents 1463 0 R
+/Resources 1461 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
+/Parent 1466 0 R
 >> endobj
-1454 0 obj <<
-/D [1452 0 R /XYZ 85.0394 794.5015 null]
+1464 0 obj <<
+/D [1462 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 430 0 obj <<
-/D [1452 0 R /XYZ 85.0394 554.5721 null]
+/D [1462 0 R /XYZ 85.0394 554.5721 null]
 >> endobj
-1455 0 obj <<
-/D [1452 0 R /XYZ 85.0394 527.6165 null]
+1465 0 obj <<
+/D [1462 0 R /XYZ 85.0394 527.6165 null]
 >> endobj
 434 0 obj <<
-/D [1452 0 R /XYZ 85.0394 225.7428 null]
+/D [1462 0 R /XYZ 85.0394 225.7428 null]
 >> endobj
-1337 0 obj <<
-/D [1452 0 R /XYZ 85.0394 193.0129 null]
+1347 0 obj <<
+/D [1462 0 R /XYZ 85.0394 193.0129 null]
 >> endobj
-1451 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R >>
+1461 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1459 0 obj <<
+1469 0 obj <<
 /Length 4034      
 /Filter /FlateDecode
 >>
@@ -5981,1435 +6018,1452 @@ T$l
 n`hJZ
 úÓ¯H~¢Wƒ¾ãߌöWôsÿg'ƒÿ1Ÿ¤‘ÿù0úPÉl¢œ“ó‘Ž´_&«@²n³#ÊÃ?k“þ±H)endstream
 endobj
-1458 0 obj <<
+1468 0 obj <<
 /Type /Page
-/Contents 1459 0 R
-/Resources 1457 0 R
+/Contents 1469 0 R
+/Resources 1467 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
-/Annots [ 1461 0 R 1462 0 R ]
+/Parent 1466 0 R
+/Annots [ 1471 0 R 1472 0 R ]
 >> endobj
-1461 0 obj <<
+1471 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [87.6538 337.0934 137.7628 349.153]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1462 0 obj <<
+1472 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [370.941 229.4213 439.613 241.481]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1460 0 obj <<
-/D [1458 0 R /XYZ 56.6929 794.5015 null]
+1470 0 obj <<
+/D [1468 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 438 0 obj <<
-/D [1458 0 R /XYZ 56.6929 131.3818 null]
+/D [1468 0 R /XYZ 56.6929 131.3818 null]
 >> endobj
-1463 0 obj <<
-/D [1458 0 R /XYZ 56.6929 106.9867 null]
+1473 0 obj <<
+/D [1468 0 R /XYZ 56.6929 106.9867 null]
 >> endobj
-1457 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R >>
+1467 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1466 0 obj <<
-/Length 3340      
+1476 0 obj <<
+/Length 3193      
 /Filter /FlateDecode
 >>
 stream
-xÚµZKsã6¾ûWèyk„`æäL<g7“YÛ9lMæ@‘´ÄŠTHÊŽwkÿû6Ð
>$zìÔdK6@ Ñh4¾~P|À/LÈ«…Ž.ÒÝY°ØÀ»wgœÆ¬ü ÕxÔ÷·gß¾•z³8ÑâönÄË°À¾¸Í>.ßüxñáöòú|%Â`±óUËï¯Þÿ€=1>ÞüòþíÕ»_¯/εZÞ^ýò»¯/ß^^_¾sy¾â&ä0_‡'&¼½úÇ%Rï®/~þùâúüÓíOg—·ý^Æûå´ùýìã§`‘Á¶:˜ŒM¸x€FÀx‹ÅîL…’…JJßSžÝœý³g8zë¦Îé/”†…Fè*>R ‹µàÆ,’B:
~<_EA°,ª¼CŠ1ö©Ov{‹×,––=ç,Cá¦ý÷µ}ùí[`×wß<«3©„rƒ¬BEÚ
€[Û%]ÑvEÚ®ÒmRUyÙ¢.oàE¾Ë«›?俨Š®¨+ìIª‰_Ûd“Óºr´3XVDÌð8tËÞnó^¸Ñöc¦Œ`°3'Í)c±@«ñTr±Ìò´Lšsn–y‹=i½Ûª"MPvÉùrتÐÕø\çø<´y†ãÖØÓ>¶°ÒI¶+*²IVtAÈõô(ºº!MZöö¹ÉI—IšæíÑËaçØ.ª»ºÙ%ƒºë;šjtD•ìˆjóæ>oì¥`N"P<¨Up.Iñ…eÊ£±ªl³¨º¼Êè„ëåúœ/s$áÄeþG±.óñ`sØï놘ìeWìý#]Û®½;Œº«ÓºlýÂÄpK+ݺžÙ+èp‡ߤؿê7æTŒ0ƒ3ª®„S:\Ö•§~¼½ý€T¯k z’üy¸"M¸¼²kéˆøý~(zó±£»mÒ!ETŒk0ö	»Þ¥5Ûz(º-Re±þcW
-¸¸Â·ÛÓ x´OoZWÿ~b]_¸J2¡Äéå&B

ÝEYb—Uоs²Ã‹ü>¯hèö`‘-¾ZŠ’ºì^ëqÇã„^Øw“4ç®=Ð8¤…wIõˆ£éŒH„¶õ½`wIQ’
-pG’á3oÐО¾ÕÁå‘!}9À=Õ)p‰
÷JMëªÃµ¬¨"ö§aµ	6oß|Àv[§Ÿ]ÂçUQmpLBݨ@èh÷yZXÀ…s9Y¨Š·˜bìï¤ÖL†Ê,BšÓ<~‰Ç/dŒ™÷w«žãjÌÒ9³‰dÒkpÞ³:°8Uªà,ˆ£˜¶áàâå:Ð0Ùpõ¤”,Jþu:è9>£áFÈ%Ÿê ɲæ	HN»°WEÊåöH·dùð>Ô‘—OÉ¢8ü1ñÒ·¯>Ü+ì[à{"¤œÖZ€=%Â'®C»Z>©X†ŒG1lŽ@r¸9_«ØžãjÌòT±"4Œ‡:Vþ’b%‹ƒÁyº!ÓÈ‹C¼X\aZIRþ6n€wôb4ê· ¸ÁMÑ~š£†cçVôz9+¨¿œ€åÏÊXÈËRY2:Ïá¬^£!€+C€‹55„`'µ®ÖF2ÎõXô”€.–!ÿ‡ð.‡Ä·„]Ç>X–ÀHç›Ç¡ŽÏ Rn
(2‚ŸÇbYã{D4œ…«Œ˜¢’€Ã^'.]§‰Ë¼BX‡`¬ÇùSsbf´~
-y¤XÌc€¥™
-"õÕÖÚs\YžZ+ @ˆVþ²µ†pÄÏX«PÚùî»9/EŠÄ!Œ¢S³0†\…\!êùŠ¢ÉŠÂOŠçlàIè~_1Át,Ì–ºsÀyw |¨bƒ-¸4Ï“.¶~BÍìZrÉTÄÏ^Ò’(M.©åˆ€5‰¾ÎçD>5¬˜3n4Ò°Àÿ²(Òj
-@¥´þµ†Õs\YžV…‘Vþ‚åÆ&`G&¡”`ÊaÉ$KÈÑý$À¾Ã†Ë:$Üò½Wì|LRhQL(¨“ns×)b!ôÙ¬Ê>w‹aI9s`2ÌÄÒÇgIYÖsH3­û 2@8_kpZ¾ƒ¤[¶–wúªƒæåŠ&Û‹
m¢áÛ”dbcŸ7»¢ÃÆD%h^ðÆÅ5Ð5ý‹ `Z(ogl(|ÐA ¸*k@˜üõ縳œ	è„b"ßܳbB^ŠÊDȬJó
-é9>'$*øœi=ÒÜPQÜ߈•
-%Â!ÀáŒ	‚*!ž³@Ã7fbhî*s
-	ZÈÆ^ÍE´À î£z›Ýg3Ë@äa(ltš
-£›wñQX€mºÑôöS—½sé˜%Æ1=Š*Íñ%ÞT ¦—‚ƒ%<ökvIAÂÛ¢+îÝ$‘½ÞlÌäô›ÈM§8òIÛb³u)>Ð(¬­7äUæ±ÜWSƨsT6ik¬(¤ù´®2QZÏâ÷p¡Õ“=•2öMYu‰ùíl¦9r¯3w^¢©?Wñ{ãj§¥9¯gì+L÷©ÆSæ%ÁÝå£JÆÝFh1ë|<öè57­ùL|þL9ÀW±02ö†ÇL-†²$§²d× <ÈVŸóÇùzä»&Ùí’f&d8*;N9Ùê܉ÙÁƒ0¿q^Ϋ»uÞ|™=gÎOÇýy¾îñ‘1ö‰j¿G²ó—Ô~ÃAÉâ¥Jþ?}U¤½9Oʉìà^	δ‚e†ºZ4xssùé6OMÑ=bonݹä7à“‘E뙵iS¬1e³%Ø“¢B$ÀQ)á†d‘®€/›Í‰ëÑ7€~üj<ؤdwÂ×nõ¦‡#F1s‚‚fT<æô3
zF‚^Þ9‚™\x}úŠ$Æǹ¨W¶ä½²±…¡ ïÏÊEÁòaëDzïÄþ°.‹i°$0¥"ÁGUW«äÐmkX/!'Ýÿ®«ûõ>Wõƒó$Ò—¡³Ï€^ÓTg);ÓgêÌõÚº6ü&`«œ¸½Ãf‹`J¯ÊØJƒô:O1°Â}œÀ
-´ô…oš‹Ä 2ÛÂÍXªžgG|ö‰¯Ïó+Ào*[êžA§_œƒ—ö^Û)ݶ·¶^a{Ö¹ËêÑAÚóÛª2šHãlv͹YºëŒm˪ÀR“ÈeÙYXFÍ“nÊ.pÕg;ÀOØ&™—Ç~Ÿ¨°qŸ”E6š\Ñ òÓ¶–=³ëá¸SRr ui?§ Þ
¡S8‚ iíáûŒGHï2ÝÑZF%þ£Å ‡uVïÀ¦Úi’øï9ýe
-ä:
-4p/n5©—„áRcqÊÁ44Òº¡Míë*£N;;i©r%5ohF1[ŒC¦c½±
Ž}©bÈ“€{–ç;¿æaz™ÿa#uGâÐ
ˆJü*ý˜†jÀŒ„FŽ,]b1E|œÃ¹}Â-ÛÄÇkÆË›bW”Iã¢Ix‹ ¤P zí¨è	í@èiÇ‹•ÏPõö ¹„a²ô ;hPÉBч8xzû÷ˆËûûå¿|¨A¬ÅS½\_·ywlýƒJ¿ñöNì†#9ŽK*³Fúd„}"ö­ñh擯1ÕÃ¥%!Ð;ú0	-r'±Ý^S䮺¨I’tÛÏmm ŽW$&“óß#ƒÓŒÅË‹Ý6’~…ºÖšA0{ô¥Î~DM6v=©ÂÉÇPêJÊueÛk+B1áß'à{#…
<£Q¬ï?kÃ;WÍÏD<¡Ã û/
-þfŸ¤¹—§KÖž¬ò‡²p×ÅδRÌ`gš4ül&xÙdƒ½Z´ÛTuï+Æð×çbx(‘¯|~v4hð;#´Å¼sd|í¾ôÙâaï—óéàÈ åvÉf,ò(‰{Þ$!÷eHÑ7xâQôqOyC‚Ž®Þ#Qæ÷®\ä|ÉW®è çlÔq7#
DÀǧwˆfÆ}%uZ·ràã¾ÈlÝžn¿ËT¡» i]ð4§ÇËuí>¸BϾ$r›Ùæ„4ÊêñQab@0û׉̕¾³<àœ˜„†J’Ê„W™ð*ƒÊÄ”sQAàUL¬0ZF%
¶»F‘%Å‚@<±¾ =TN>YS"vÏÜ‘¡´Ü«ßÙsBö9œÀ\åÀŸ–S•3wE®z½ÄzòuÔŸÓÆJ° Hè_²CªÇXÒÅ]âsÕ+m¿Ñ{4Ϫ‚˜UYן“¶ÈæE0edï÷~³Þõ`‚¸{í*úù×öI+ÁíG&S£ÃêÆ‘¿JJ-ed“€Ëý¡aÕŸÔ(† Tÿq#+ï1–(Ú”!ÆmØSÿ:“!³›I΂>Qÿê¤
×SšIcÄ|š·Ž¡	e•¥Ã“ÄÒÿuíTôÿ¡=endstream
+xÚµËrÛ8òî¯Ðmä-CÓ!¤Q³Ø(<œ¥Û³`¶†±×gœpi1Äz~{öë+Ï3‘ˆf·wZšZóÙíêýüÅoÏÞÝ^^Ÿ/DÌ#v¾£`þüêÍKì1øyñöÍ««×^?;Õüöêíì¾¾|uy}ùæÅåù‚ëÃ|ANLxuõK„^_?ûãg×ço?»¼íö2Ü/¤ÝÈç³÷ƒÙ
+¶ýûYÀ¤ÑáìãƈÙöL…’…JJßSœÝœý³#8uS§äJÍB-â	*> 3±à³84,’B:	¾?_DA0ÏˬEˆ1ö¡v{³™‘–<çÌ„¡pÓþûÔþú
+ÈuÝwÀÏ"™Ñ±vHV "é@­i“6oÚçzž5Ø“VÛí¾ÌÓy—œÏû­Z„¶Âï2Ãï¾ÉVˆ·|Äžæ±5NVÛ¼&ëdA'„°K-ÆGÑV5IÒ’·ßuF²LÒ4kûc;/ïªz›ôâ®îhˆÑe²%¨Éêû¬¶—‚9Ž¬à楞[Š<ÊÉ6ó²ÍÊ9.x<_žóy† ·Ì¾äË"¢™ýnWÕDd»/Ú|çQm»vî$ª¶J«¢ñÁ
­t·o÷x`Ð!àö-Ž¤Ø¿ð»Êg”mG$âp^•úíööB ÎéKüg+0*R‡ó+»V½Ïû¼Ó‹Ýn’!2_üXm±_Øõ./¬ÆØÖCÞn*òå—m!àÖ
+­Ýnµ_ñ`«?ªV7N[Góú•«¡$Jß¡#”€Ž¡;/
+ì²ÚµŽwÈî³’Pï°'}h	lph¹Ïê²{­öDzaßuR?žs¸?ö@MH
+cIùˆØtFÄBÓx‚ž±»$/H¸£ÑÙ“ÂoV£¢¸ÏÊ)Ó×VDš„åLí±@Á>ͽDÓªlq!˧0þ(lC£ˆ 3Áæí‹wØnªô“»ûp¾Y™—kÄI¨¥Í.KskjáPŽY*WâÕ%ßz:ÇL†JÏÂX2˜ïquà~´ÖÓŽnÑ\(:'6âKj ¬ÀŒ{,Ëž3Çœ&2´g(¾_1LÖ\€Ò‚…BÉ¿LÁ¯@AŒrÉGHV«ú„$§-Ø"åüa“§RxuàÙS§é`HœÙÑfîÛWïîö€òûž!Ç€³f
X;%Â!‚½‹Xž”ª€ðGvqpuRÿ´X;Š‹!Éc¹ŠP3Ʀ_ùk‚•Ìõ‡éPÆч+°æ„Å
+ìªEüÛTˆ‹ñl€õ!ƒîn7Ÿæ(a´ŠÆyÓ]FöÄßô¶ßaù³ÒÖÒ­RSVtžýY=EEŠ—j¬œÔzX½8c¦»çâr{hÕ¥sŒ8êl¯ë¸Ã¯cËÝüÒ 2éèô,eV"
a÷¹ó
+ÇÑ–á,\e@µì÷:òä¼?M\æ­9`y?V×È0ǧ 3Ü€
#ÛóûYmí(.†$µ•G0
+ö©_ùëÚÂC[…Š=Ê“'Sþ‰TQE¤Â°Ð@~â<` œ¯(‚,)ä¤0ΛtlïÅ!ŽƸ$[èÎÈ©ä#cñÀ…þxžt°õA5±kÉ%SØP¼¤êä%…œ&Ž£ÙËQD€ŠX_fS,+–áŒë˜ŸT,ð¼,Šb5áfJ»æÏ*VGq1$y¬Xa YF¢_ù+–ƒñâæ@%”Ì:èaf¡ïIZ¸ý».ÍpÅw>J±øå(ÐS']å¶ÎS4„ÐgÓ(ûECè¨[–‡ú´‘>,KŠ¢z˜º=1‹ã.p†”×j[ æ/†Ò-[õË;aHÈÍAìrlYGÛ3š¶pmÊ*±±ËêmÞâ
$N	ꌸˆº¦#~,Ê+™µ
6ü=Œã ü”Ò
+òcÈ-:óC’‘œPL†÷+[6!ÅðdÄd*ý2é)~‹IˆT¶sĤuGS×A1ðB¦»J´…pH`'T4P	ñ-
ÔLq­Gˆà®§x ìb*–¦æm:¿šXÂ6ˆ@•9ˆÑÇ»…ø &À6Ýh½ÃŒeKc.³À0àÀ*G^¦âM`|)8hÂc·f›ä´ l±ÉÛüÞM
Ùëí])c"ç^µ€or7ùCÚäëKëFfm!+WÞûòÉÐêÔIš
+«i6.¤Œ„Ö‘ø¼*´z²£òÅ®Î!“.0§=Î.ŽuâÂ0gêÇê[ Ýa§Y͸çEó
å2‚Å]’qJ·$8Z­|ÜOÙ·Û-f½€Ä½ØÆEž‘·Ÿ(>‚åU,Œ´Í¥$>"î‹œŠm½‡À`µø”=NW_×Év›ÔÁÂA‘qLÉ–KÿãŽË¦¶ô;R=«.ÖÅY´r¿]fõ×á!þÓ©šÔûc¼§ë>ïc©Ò{ÀûVzÅ÷
+ùÿXâUQìÕyÄÆDLg€cNU°‚ù
+9tÅ9h¾|sssùá&K÷uÞ>b¯mÕº´7à#̼ñÄš´Î—˜¬Ù‚ëQ-!॔vU—Ⱥ%pF8X¯g\*þþb8½×¨FwD×nõ¦³EÀŒbú8øÉ(3bæøѾÁÁ-ïAMžyyú$‡Y¨¶ä°±…q ïÎÊ…€Áüaã,‰ô®€Ý~Yä) 
`2@‚Ÿ²*ɾÝT°^Bºÿ]•öë}*«çF¤¯7Bg—¼¤©NSœíƒ>q‰«¥õkø`Ëš¸½ýzƒ Je9l¥Fx™¥èÿm#wOXr–¾ÒMsèEf[¸UÓäˆÎ.ñEïÃy~¥=¸áuikÛžö­óîÒÞkû!¡ÛöÆV*lÏ2sù×sw±m	RÙWÆ$rYv–N³¤“\¹Ù"ø	›dåù±%6î“"_
&—„DNÚ¯'Ž³?îÃd”hUØÇ´w}ÜÌÀ´vÿã-¤w™îh-X‰¡d¿\U[Щf€$þõ¦»Lao¹&jØn)ÏÉ€ËkRÎFC#­jÚÑ®*W”»ÅNI*XÉk64#Ÿ,šÅ&Ž¾Ó\k@6¾BÑgH@}•e[¿f`ñ<ûbct"êšêB¾@?& 1Œ„0jþ0„€ÂfonŸçÖðÍ›ÄGjšùM¾Í‹¤vq$Œ¢…Ï(@tTtB:´B·p ×é+Ýž°f.U-ÝËT©Pôì_¯üž v¿ü—""3–Ëõu“µ‡ªß‹ô¯ì¤¾Á‰xpXI™zk<áþƒ°Ë¿¾Cd<šxÚÒP
\êA7Hh‘#1vouž¹Š¢’¤›nncCp¼†ôÍ?@ 'ÀÅk‹Ý6†¾@AÇ1Ó±Çr¶ï¥ÉÚ®'U8z÷¤®¤X['¶Ùº¶"û%¼{ày^7RØÀDùþùÆ\w8-¹õ±ÿ–æovIšy~ÚdéÁ2{(rwWìLËÅ„¯H“ržõÈR¶ûÚ›°^Y­[—Uç%††¯KÁðPÈ8^ø´ì©÷8;‹éæ@óš]á“ÄýÎ/ç³À*@Ëí’Mhd0®‹~[%!üöÕdHÑ;|ñº(zÊS^‘ £­vÙ½«’8]æ…:ˆƒh˜­1ÇÝ7;ŸØ¡)ÓîAÔIÝòŸû<{°µzºú.G…uaÓ}œnæËʽ­BÏ® r›Ùddf”ÑÌÌÀ|Ù¿H¬\5à‰5À½‘£ PI™ð"^d¢™SÎK¹r²Ñ‹–PAÈv×Ȳ¤(€ëÚ³@‘áä£5%î‰;Ò—“;ñ;}NH?û8ñ$	y¾”S|Ð%u?ý_¥þ\*frTR•‚ˆižœ˜²ŒÃ£$Äÿ©é˜õÿ3N½$endstream
 endobj
-1465 0 obj <<
+1475 0 obj <<
 /Type /Page
-/Contents 1466 0 R
-/Resources 1464 0 R
+/Contents 1476 0 R
+/Resources 1474 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
-/Annots [ 1471 0 R ]
+/Parent 1466 0 R
+/Annots [ 1481 0 R ]
 >> endobj
-1471 0 obj <<
+1481 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 269.8672 510.2452 281.9269]
+/Rect [461.1985 242.8671 510.2452 254.9267]
 /Subtype /Link
 /A << /S /GoTo /D (DNSSEC) >>
 >> endobj
-1467 0 obj <<
-/D [1465 0 R /XYZ 85.0394 794.5015 null]
+1477 0 obj <<
+/D [1475 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 442 0 obj <<
-/D [1465 0 R /XYZ 85.0394 717.5385 null]
+/D [1475 0 R /XYZ 85.0394 714.2819 null]
 >> endobj
-1468 0 obj <<
-/D [1465 0 R /XYZ 85.0394 685.5465 null]
+1478 0 obj <<
+/D [1475 0 R /XYZ 85.0394 680.2498 null]
 >> endobj
 446 0 obj <<
-/D [1465 0 R /XYZ 85.0394 432.9142 null]
->> endobj
-1469 0 obj <<
-/D [1465 0 R /XYZ 85.0394 403.7317 null]
->> endobj
-450 0 obj <<
-/D [1465 0 R /XYZ 85.0394 321.6962 null]
->> endobj
-1470 0 obj <<
-/D [1465 0 R /XYZ 85.0394 289.7042 null]
->> endobj
-1464 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1474 0 obj <<
-/Length 2918      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsÛF~ׯ`ùe¡*ž׬Ÿ”DN”Š•¬£ìV­ãrAäÐB™”¢ÝÚÿ¾ÝÓ=8¨¡©Í¦ø€ž===__Ê™€Ÿœ¥Yœef¹IâTÈt¶Øœ‰Ù'ûöLòœ¹Ÿ4ÏúêæìÕÏLl2•ÍnV#^E,ŠBÎn–ï£,Vñ9pÑ×?^¿¹úö—wçyÝ\ýx}>W©ˆÞ\ýpIÔ·ï.Þ¾½xw>—E*£¯¿»øéæò
eÌã««ëo¨ÇÐãÓw—o.ß]^}yþáæû³Ë›~/ãýJ¡q#¿½ÿ fKØö÷g"Ö¦Hgб4FÍ6gIªã4ÑÚ÷¬Ï~>û[Ïp4ê^
êOŠXéL¨äLÊؤ©šh05q¦•î5¨4hEÝWö¶øsWvvc뎕·+7›r‡û}õ&‘£c3˜§i‘;vÄ!c^ërcñ¥™Nã"KÓÙ¼—&¿_¬Ë¶ý@óÿíæ‰éŒMÙ-îæ‹u’´~ž{”ËåζíG7ããºj;êÿÏë)9â³´mWÕeW5õc6jgû][ÝÛyS¯iþ£m?6»uCÍàÛïGêi¶(Ëkê‰ãøCHv~á_Mm?¶þXß™Lòâø'Eœä”É)|cBÕ
-L=e½$â—¶üdy!}7w¶—f˜$M¬”A0÷ðyÊI%qVOjÇ’eQÕÒ³¤Ç¶y°»Õ~­féÂÝD>
QN%Ù°pﺟÈX˜8×2ûeôOÉhTœ+‘L…tñ'€é,ÎÑg“¾›Õp8Ž@üþ¥
Øè!Ï„wž¼a°jšš"±6 ֱЙ—‚78pA±	5$F±–:knêkØÑc
G°‚i¿òQ¬¥±PY>ÃŒH:û°Æçc–!¬AN*ÓlXù`+0GS¢žã)!Œ3ñÔòXä}P&/UxX‡Z& NëçBm’=+M‘Lð†©zj¢+”Ië¨n:"Ú­]Tè×íò%ô¤ItÛt¡ð!µÄdBN„<Žù2ùÌäy€ó@DB¦SŽ'¶fð•>@-íª„¨H;Á˜‰OÇ#)åwY'J«©˵ËsÌت,Æ­³èªîÇú´ÍpH6ØÜâ3jC‘àOh«}óJ›gjOljê‹Úƒ0IÒôÑ^¯¨Þ•~£ë–7וŸCÉ&äH€l4¯IÖõÙ>¶G²Î4ñð{¸«Àšá’hëTÔÜWK4ˆLG(lì⮬«vCM—_á8Yôøð´;glíÚ.|ŸŸè²£"8ÊÊÕšÊ9
-2òKÒž‘ºeaF–ÀSB9÷»;]ÚÐ!¸OÇ_bF˜yý¨\‚ʺ%’Sê\DT%aŒ—wAÊÜvüâŠt¼aŽÞ«¾Ä!J½úI£eÝ°¨“]Ž”«Eê
-“¹ÒiÔ¸5—.£Ç択]°p1E\ÀèÉÂ%ÉóÃ4´%¾?ÛêSíµ£®_•Ê‘J\^}ÞôHYÔÁ*êÖŽ§´ÍúAેÍ8Æ‹¦îìï]¿U§-Hèb-Ä}Ð;¬£»>bL‚¨Y÷žÿeœÊ½Ê|µ%¢ŠŸœ	P-õ-T´RNJ‚6.m‡”©ÏâqB»‚ÄíQ Î^F(8
-}ºÐ”Y–
-M`Ëj†ÅË‚ŒÎ-¹X€Ë¬n]Y#ȉcÿU‘øÝCU$GÐ¥ Bϳ$?!.f™"gåÃW´+hˆ àûÒÄ)tAÐGHw»€” hŸùêˆÖ•¾8T3%š°g¨å°¥l1úB1­yÙé
ëÈhYv%1a_Ƶt|¿À]ä$e˜]ï	ÜšÆùÛÀŠý½Äúö%cBXÐßÕåéƒËì³8Žáê/@¸‚åR/I¨øT*‡jÚ·eí.4ßBho\бå‹)l°
-¬êab×IË4ñ–ç™’÷,.´R¡;íC¨îC¨&dÃr®%Q½‰á¼(çE®N;´O¿z9Üé$þÜnkŸùdD¨CÜn·ÎñÖÔÃSPƒ¤¨]x!S9ï3a/HÞ(¡o’4þÑ3Ãû®oÎyò·ýøîÑ‹yà¢ö8’
-A†ƒ,jf`‡œiQuÁºT@qoL(ÙžØÎG–Ù»õÖçÂy¨€Þ âBÙ¡O0Á²ìÈÂìÛÐ3- Îõáñ¼‘q’>çXh«>N@¸I\á†K7ë;;Ö@åÕÂ^óbt5Ij»Ç-Zû‰—ùú¯G–sè}ËEÇaQ53dVlŸ
Üîu,Š$øéáôŸè¿c~*}õŠ¦Ü8ÛCª½köë%Ñ\¯!‰ŸPáyS«¶ÝC³û<
-ÏúŒ-Eì~¯Š×‡Ÿœ~ z"ÝO;¾uÂÆn¸CqòÚÝ}µàF×Ê3È…¡4UQ¼úAþÔ} ir\Ò’j)¾€óš+úŽ‡™1¼ůAé)ms±ÞÓÇÒÑ÷|ÛNùOO¹.|\ß#INcŒÆz¼´°Tð¯«j}À|î劗·/^ŸüœúÃ	Lljþ"ú/ÿÿ÷ŸQ†ê$y5¾þg2ýxV^
-%ϳ'’û­<ý¿½Ý`´endstream
-endobj
-1473 0 obj <<
-/Type /Page
-/Contents 1474 0 R
-/Resources 1472 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
->> endobj
-1475 0 obj <<
-/D [1473 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-454 0 obj <<
-/D [1473 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1435 0 obj <<
-/D [1473 0 R /XYZ 56.6929 752.2115 null]
->> endobj
-458 0 obj <<
-/D [1473 0 R /XYZ 56.6929 622.2614 null]
->> endobj
-1476 0 obj <<
-/D [1473 0 R /XYZ 56.6929 591.5303 null]
->> endobj
-1472 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F23 754 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1475 0 R /XYZ 85.0394 416.0284 null]
 >> endobj
 1479 0 obj <<
-/Length 1241      
-/Filter /FlateDecode
->>
-stream
-xÚµX[SÛ8}ϯðð;#áK|ž(X:í¦Ù'–É8¶ÚÚ–+)	iÓÿ¾’e%vbÀ¡ìd2–déè|wÉ–aŠŸe.4phøẦåq>0ñîj`Õs€žš³>L§—Žo„0ôlϘ¤
¬šA`“äîøâóÏ“ÑøØ®yìÁàzæñ‡ëÛßÕH¨Ÿn/¯¯þŸŸøÃãÉõ§[5<]ŽÆ£Û‹Ñ	°×ëíᙗ׎Tëj|~ss>>¹Ÿ|Œ&YšòZ¦#ù6¸»7Dˆýq`B'\c):&´ÂÐ6òÁÐu ;t=’
¾þÚ6ÞVK»ôç:tÛïPàÐêR BϱJ?ϤØ-sX.0ZžÏ4ÐG´ˆ²#ÕÿQMw\x®kË‚¡ë*[œžª)7U3Ê2Õˆ3Œ
-ÎT§ \5r9%ª3[©'Dš’B·[è%ELæ5”$
-»¦WРµíšS±:S­]ÙÖFc”ÎRmŠâ9exQw¢×NÔS+ª%p'·Z/òøLÉ'õf‘æÃ8Å1׺ÛÚ‹¤[-Ö´¢¼ÌŒIþ’Z¿“¢^“‚G¸ÀÅCXdµeÊù,ñîEqŒó¬^÷HØž¼Ê1¶ØG
6-‡²C~ØæÆW%Ҏ„rϺHq¶´%`2;RkÀ¾Õô}°ãÍvãåé¥m›áTn>ôEŒùÊF2cØ®HæF…2;|áG¹°,h”çUx­”&w¡å¸ÎŽ¢dkZDyݽ‹³ˆ±û–ÆjWiIÔKcw›Ø$KðmŽèªI"Ü‹M«šf˜ñM´TÏû~˜@»÷Û`­}XN£‚¥ˆ¾3Ûy™k½¨‚%¡R+6#±NëÖ>jîTÍÒ¹öä;áý!êaˆ¤ŠÓ¶%q9•’Ô˜%¡|3.;õÊGzgwŠÔ§zêšq‡à¥}D-ˆ¿éõuÆþÇtÍeD‹uál
-B‘³Z¾¤…˜?½®ƒàgIÑ:õ®›:•I¼çz\pô@1_íô–*ÁQ6/›í))ù¦žô ²Mš²ŽèLßc¡J+r9H	ñ±Õ,iwM£åAú—Ì·5ó`.O ^þ®­)+QÜG
„.7†”2ÈZ·N1eü )jDÛ'÷Ÿn1ðSJÁ,bo3iµ:¥$	NEzEE¬ãï߶ö`x^‚_ð-\<ÀŽ<½dÏ3*Œ<4\£˜ç3]>zH$QtÍ8.Oæ¼/’ý,ÇùÛ‘šY~G/k}Þ+E5Á¼5¨Âlr=ÄW[eÑJ{ÅÙ0a’œF¢Ã³¥8n~E«}5=×~Ýݺäc"ƒè£¼L¸6Âu]XžßWTúCÇ­`~«^¹0ô}ÏhŒo3Çk±^—DËw ã¾¤AÅ,¼&MoŸ¦¸á9b÷ÿ‰fhA»ºfv•çUÀıWœ•pÌÞZÙ~‹(ɨŽU¤]š–¾SûÞž(qÅ_^jÄA)ÑùíÀàk¢ÈgÄçô5¨®¯â¾!¯ôwyss×øå/ÛÏ*âÂâ½ù( nþÛˆcz0°C_“’âúþ.óÍ'†}êÿ&F­Gendstream
-endobj
-1478 0 obj <<
-/Type /Page
-/Contents 1479 0 R
-/Resources 1477 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
+/D [1475 0 R /XYZ 85.0394 384.8057 null]
+>> endobj
+450 0 obj <<
+/D [1475 0 R /XYZ 85.0394 298.1249 null]
 >> endobj
 1480 0 obj <<
-/D [1478 0 R /XYZ 85.0394 794.5015 null]
+/D [1475 0 R /XYZ 85.0394 264.0928 null]
 >> endobj
-462 0 obj <<
-/D [1478 0 R /XYZ 85.0394 540.8995 null]
->> endobj
-1356 0 obj <<
-/D [1478 0 R /XYZ 85.0394 513.5566 null]
->> endobj
-1477 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F21 730 0 R /F23 754 0 R >>
+1474 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1483 0 obj <<
-/Length 1158      
-/Filter /FlateDecode
->>
-stream
-xÚÅX]s£6}÷¯àÑîŒT$B“§lêl³ÓͶ®û”z<‹„+É›8ëýï_6¶qŽ3;ÆB £s®î½º¦þ!Ãv Ã03(³ m"Ûðç=Ó¸ÓÏ>öPù¨^õ·>Œ{¿^j0Èìã †åBÓu‘1žÝôˆá@#˜ý‹/×—Wÿ¨Õ_}¹l›ýË«?†EëãèüóçóÑ ×Fý‹ßÏÿGÅ#§Äøpuý[ÑÊ¿ £áåp4¼¾&ãO½áx­¥®™$òµw31™–ý©gBÂ\ÛxÔ7&DŒacÞ³lm‹ª'êýÝûk
X{šm´2!&n0 …jtM蘊Ú:“Ü€7à˜f_†w@_qßµLyÑ/æ·\í³âo’IÖó„ ³m\™yÊ»õd9X*¡ÑZž‡1<\ÞÎ[3@[ ÞÓQ 
L”X¾"çÑbKÊ_‚Y(¸¯±,ºROÝOcoÎ[0xæ"qd⥢¢sÉå4Ó8i`0™Ö6Ú³jŽâqá4ÏI\ŠÊZ9¥âöÆ<)'ÅÍ÷|h#ìÆÅdä}ãg/ØÁ‹¢äQ+Qa°¬p‹³™^g9{Ê¿ŸF¡TEÿÖ)@¿.¸xLÄomЯ„Ë rŸ“±]¤:f9ñè‰Ù:\O€_"û÷ÜòaÇ[Ï£ÇO«xn°#Q&MŽ¦ÓLYé±i"Ôº?»™TÁ‘!»:®ƒñÛâäŠqƒ
ÁÎ<[†(l˜™,:þ5mS¯W¼
-¼0Z鬮ûPûDzÑ"­·§IªÂÊk[ aÔ:Íïdh©¸È†g^§=k#Iñ'µÞc')ÿ%{Ñq[ŽÎÒåx½ù=W‚tk*Sî·PSÎFCGËU
-©:©(q¸[žzzGkž>|
-è²s£½ÑHæz¿
-tŽâ±_yj—pÍaÔ<]|kg=ÃXéìèyiÛ{ÉKå+ÿ¾Y÷­aµT¹Ú^ÁlFdÛÐBïHh˜¤I©.ÖõÁd=ÿ¶§ÝhhN3»sïO¹å¢ä®G”>Õn™Žó0>P²PGW…k¤¬ ;	¥¨¥-¤ú¶´ãž¥Ëð§4
-ýpÛ
-Y–i­¾˜
-Ìx䕃$÷“x&;’*¯&»vº¸]{mÝL‡ÚÓÏzA¤Nå>ßÄd˜Zµ¼¹*‚2H0µ5¤±s _òG6d”:F­X¯%Ý*¼\=¨Ñ;<Á7§NÕÙ§Ê(Äúƒí}¨b“èFÊTN
-t2k
-ãdàjË•A¬S×úx뫦ÅADM§½is”BjºÎ뉻É5,-ÂœæbYrpÐæ]jæ2R[E‚C!¡Ø:dûm‘@	$c/哶q°	ª÷Y† v1mþˆÖ_·@*Oéý<ôå±ÕÄO9Á§8A?ñ\¤é\èò…¦S0}•Ó½ùÌms iéq]¼>Nävœ†©-Wƒ”¤2™ÔÝc^ÎíSÿQ†~öendstream
-endobj
-1482 0 obj <<
-/Type /Page
-/Contents 1483 0 R
-/Resources 1481 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1456 0 R
->> endobj
 1484 0 obj <<
-/D [1482 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1481 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1487 0 obj <<
-/Length 971       
+/Length 3341      
 /Filter /FlateDecode
 >>
 stream
-xÚÅX[sÚ8~çWøvFŠ.–e
Oi–délé.¥O,Ã8X$žúB-±iZòßWÆ6ØÄ”Ûv2™Œ¥#ë;ßùt,-dþ°å2ˆ¨°-.lÈfÖ,j!ëÁŒÝµpñ(_Õ·ÞZW·”[
-‡8Öh^Ár!r]lüqûæë¿F½a†Úìæ ö»þà÷Ü"òÇÍÇÁmÿîóðºÃíö¨ÿq›‡½ÛÞ°7¸éuv6óI°gÂmÿÏ^Þº^øp=ìLFï[½Ñ&–j¼Ñ,¯­ñY¾	û}A*\f=™‚XbE-›QÈlJKKØúÔú{X]OmÒQ2—ðm\#
-[p‹3JèZÁq8µ£e¨yJË4·—¨¹Ý÷S©Ô4òôìqªˆëå%+˜fE.ÅÿÇý$s/\.ªíi²Èéx„³s¯Ú¾¤?è?ß,²é`ž¤FÕ­2Z~Ó«Ô{:Ibõ·(YT«y*}7àÈTÕ–¿
Ó,
-Û"IõÆžu&57ÂÚ§ör´,ꀃÛ0kÓ*y¹ªÎ\\~óãÕÙi.o.øpºR‘X^\~wN­o®Î¾ÿþìêt%“H.ßýíì7çW4d˜Æ×—ÞS¥Ç+D¯Î/ίÎ?¼;?ýtóíÉùMw–áy¥Ðx_N>~‹Žý퉴M¢Å3ü´V-6'a¤ƒ(ÔÚ÷”'×'ÿìFÝÒYùI(mÔŒ•\HØ(R#	F60ZéN‚JƒT„ËMZ¥÷y¶zÌ_:êu›¶ù&¯Zâ.ÝlÒžû«‹P®G,`B ÉŽ) ý\´P:°R„‹UÇLnÚ]QÝÓ´¢*Ú"-q!uTûÍm¾û|{Hà­ÛGŒwøx8ïÿ°‘{|‚àÓ'·éjr:ÒÑÿ¾%q/ãÀ†‰í¯!<öÞç?	¡ðuE=i•QãÇ–ò†úõû¹yÈ;®úIÒaÁ܃+<$h’À„pVÁWÈ¾6³,‹Ç¹
LhI^ÔîöMûú ¯¡Ž-OfÂ=GÁÄvùþÃõõù;j7ùz¿+Úü—,w§2YÖuÛ€qk»»iYq‡Cw¹›‘WëœL²}HÛÖW
+n/	“‰îþ¾”t„öë&¯S¾®Ûœžù–¯t¿¥g[Ó3yòÕîÛz“¶Å:-Ë—S)¥<íC½çõEÕæ»'¸€N%îH¦ûÀäèÔM]>¡RcO½Íwi[ïÐɤȞmp–à–L츿Þo·u“Ã–w°`¥aIþkºÙ–¾ÛIÏõ§ôø­®òS¹üKCAN«¦¸¯œq5žSž²®7[æ½hòŒ	;
Çaw’Ž²kÕÏUÎÜ<¤~Z=çèôOõ#®5S…
lËtÍ#´
4A”:‰Ä.Ï°WMĈóžŠõ5‰‰!‘ºÌzj®QTÌÁŒ®iqFGÚ‰
’(4SKd®ê½ßú6§ËÕ„µr,™}•Þ–È­–N	ñù”–)¢ë}@ÁKZiõB²®îóÝ[”½Z-uúÍ¡éåËÓQw™=®!GÑò_¨…g—ß
W5ÛºjxÃuåxäŽÚgtÝä{×5DµgÕßßòxspÿÜU’¢$²~ùáµ)
þßZ}äµ%vxmÞ¶'œVù³w^!)èX„ÀO²±&ŽÞåz	¥–õsŽg±rQ”_#¶žÙÒ¿²hè¤ÐF5Å眚J#kstÀ¢ÓéáyÝ6°ešõò¶3¼²±csMúåø˲£ e·d¢ä?)ÂÎU¶º}Á6,Ñ–lÎùê„w…ÞZNðL³§BF0'ŽXƒüã˜OX¥›<›‘(	؈—›’nPéøb"Yz†{f}%~è&™
ֻ⾨Ҳ_H¢&ˆb¡Æ¦âܯ2áÀEÂuÌ„p(Û©ígiTd&‡ê.òÁ“œ
¶œÐ
\õ.­i ¿Ù@ô~@‡ÑÏbï
2ý3ĬåeK݃=Ó²©‡g[×~Ëy[÷‹ g«B5ÖòàÊ°W1{pè!/=·9Š»F²§k8ÀÀÐ:O&µo(úÁR—ÐÉdcr¾Ð1p¾
+é4`¤
SÝzÝ¿1㹌6lÿM#í4ò(“@Û{%"©ƒŽäœÍ´Žì‘.ð&"àÃÈe„óÝ)øú—Ò]µê;zÒÑcœç:	BYød.PvIÚP;±ïe±UT€ge¡ö¹ýnZ9½HDð‹Ü*ÂE¯±æý±+í̺âƬøðä¼ô/£	H(!ÂÝá9]o±Á€§é!, ‰Ê™Å³Ž£›paF〈æ¶~Iƒ0n×æÙœ–ü$"áp˜HHÂÂrZŒ=6ˆS$
ÍL"Ñ‹Ã,kæþ£ Ž´Ï!à”aù°ô7yZ1/ó7†Ê„áÑñÇê(žQ6 ¿Ù;½‚MYí¨;õ}Û—N&„¡D›$cÊ–5¸g¡Ø3ôRáPÎûvßiJäS‰~¢¡žMúB
€þN߈RªÀšM5Üjˆ˜À׎):ÝhÞÐ@^‚©@u<—â½
+›ÙÔ@¹Nf¼Â;k¿ìIã8Ré0žEq(­ŽvR%s÷§à¢¶Û<Ý5ô§S•énèN“y£@ÂB}a>Š§ê³IvÆ	!{•x§œ,·2]®Iêë$™ø28¿PĘÑÖ.~@':…¼tNô‡µ”öì—$¨Ï#²ãx(ôe_hš|n4—FcÑ0‹Ï<”6“c±§†.FšKŒ„N&ñ×á.«æ¯‡Õúè,I÷~iqgIðt–d!ÓÙ&Ë=ƒ`è÷‰ƒuÐô…9êl×útpS?ÑÙg߇—€ÐqÆAÀÏÝ<Óq%•°1‹dâd §ƒxÚÄšI%ªÃõãYxÎÉ5ŒȯŽw«aÚ¹4ÆRMž°06;ўʥ¿ø¯.´á˜(öȱf“™l*áxVùI%3£@Š±›w¥@ïNÉ=óÕ¦9w°dQ§,öâÖŸœþôð9Äš¬Æz
+H-½uoTŽy즰ëêâ5"!åtmR,äT)U¥ ƒÚ:oš	KºBÞJZÕƒüƒ aæbA"côïawÈ'…ñÂu÷…aé`’ÎÝ£‘dõs
ÐfdçžÃƒÊÍx¤X‰‰¾Ì”Ý•"õ»¼]?äÌgë¥òþÃõßÏÿMí««&gH§UH©íØ>2okÂJ&ÖÐŒO¡Ái¡Á¸“ÿú†`Ý9ôyàÞÐ_§s&ñ¨DˆîÍ6_ÎÅ3gŸæ5à£Ã89ÚD#­JµE 'ºôbƒ1r.ÿq5g–¤Ó`'Iª;r…Úºd-ÆŸÃÛ¬÷\‘,&kö]Ò‘6Sò³î|)&ÔAæ)–}­Ü[⬹\tª•è²/0³º¨¸YWèg!}ƌڕNæ€8 Ù3^µ$в¤Ã7lIL½àíšÖ~³šž›Ô•B‘FIdˆ¥z3¶纰–H®¡]As亨
+ÚД´d ½øJ¤K˜C5Ƭ8Deå¾tªÆ¦#Y[ᙌϯ‘Ò65\4ˆeÇT‹áY”˜Q!¾±–ñô…ZhŒ÷—\¹•ú•û’F‘Ð )I„÷µsSÕ-5ÈBÜf5=U©}UË®!¹Bì%ÁËNÎxˆý–Ðت/¼Ë€Í¼9ݾL²‹PÞ{ƒëêV™1YûÇ5îãÖgªü×–+5óAÍ $úˆ‚”VA
é¦w­K°É{j=øª˜å\Q2=\ÂÀL TÇÃ0¶D¯(S(‚Pmü	¾ý5soäŒígëšK+5x©]ØBæA+î´ž‹²¤Öm>xÑÖAßØûX^â¤+–$¸÷{üšû	%AƒQRì£elÙÕˆô@	úc3F^ñ5zA1~ýÖ .Èôe2r3s…Þ‰ª~Æû÷wG³Ç<¶|‰R=uÉ)T'©q²ä%…Ö®
‚¬Ã<[a²òÊËW-U×_–íΠÉÀØxš¼“N…"	b)ãñU¼²“<­d¯äÞÑTNøëê@ÇA%³­ùõi	›_ñÔwsp3x‡_†6|Ôƒ4ÞÑ10y*™ÎôïeÐå$2š¾—ÁË|õ
½÷eYÕ4ùzUÖõ#À¡l.J$¾Té”lËLA ŸNhnÇšžøÞ#Ý·`=56çnV
+TÝä÷]ªM¤g–n0~aMÌtaž§`¾j‡ŠÎh‹œiA"*•ž)²i¯8T­×ˬ|
+ŠfÔ»ûcJÆD¿Ò„;œhè#âÀŒc5èý­öc€S¹Ý˜ú-&ÈEÙÒ?XUÏ} E‰š2÷Úm‰ÀÚî]Ý›Ižzðe¸óݮȲ|ú5Á†(Z¯„·E•¡¥¯3•sJ	0IÔI}æó(®Œf¥#d<î?“‰ø3goê+%¢`˜ÖÏ.ì£æÁ–“N2üë2mšOx2…tµ.à¤ûêÉ=Ò,ÛÁ-ÿìfüL/1°Ÿ¾
šû„XÀï¾f>øœþôçeý·waŒõHÕ96rÐq`ˆ0SxÖØpî¿C;dý–‘~„endstream
 endobj
-1486 0 obj <<
+1483 0 obj <<
 /Type /Page
-/Contents 1487 0 R
-/Resources 1485 0 R
+/Contents 1484 0 R
+/Resources 1482 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
->> endobj
-1488 0 obj <<
-/D [1486 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1466 0 R
 >> endobj
 1485 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R >>
+/D [1483 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+454 0 obj <<
+/D [1483 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1486 0 obj <<
+/D [1483 0 R /XYZ 56.6929 749.3199 null]
+>> endobj
+458 0 obj <<
+/D [1483 0 R /XYZ 56.6929 670.678 null]
+>> endobj
+1487 0 obj <<
+/D [1483 0 R /XYZ 56.6929 640.1762 null]
+>> endobj
+462 0 obj <<
+/D [1483 0 R /XYZ 56.6929 132.0998 null]
+>> endobj
+1445 0 obj <<
+/D [1483 0 R /XYZ 56.6929 107.213 null]
+>> endobj
+1482 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1492 0 obj <<
-/Length 3535      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿BòŒà‹ 9}JÓ$çÎ5í%î˵} %ÊâU"u"Gýõ·_€(™î´—ñx°\,Àb?™™†?3Ë‚
-¥-gyéU¦M6[l¯ôìúÞ_¡¹D·cªoï¯^½sù¬Te°av¿ñ*”.
-3»_þ2ʪkà ço~üðîîýÏ__ç~~÷ã‡ë[›éù»»¾eèýÇ×?üðúãõ­)23ó×?Ý¿ýÈ]Ax|{÷á;ƔܼÀôãÛwo?¾ýðæíõo÷ß_½½O{ï×h‡ùïÕ/¿éÙ¶ýý•V®,²Ù|heÊÒζW>s*óÎEÌæêÓÕ¿ÃQ/
”ŸÑʺ`'hÍÌUf™=“`Vªà¬K´¤¢µžÿѵ5oñÓP
õ¶nþü®þUkÛ6CÓµŒ©Ú%?÷Õc‚ éNç¥g·Ö«Ò?šG™éßi¦ûëRÏ»º¿faT¹™åƪá/ISƒ¼Êì\˜ÿ× ¸
-܆S埞&ÓÀJÀ8âœÕmÜÑm(
-•‡Â¥ƒòcɃrƒóɵWŽ}[õC½1»qîUnÊ&@²û5JÚ×ûÏ@Oðºê(ÊyÅß‹àE·;2Ô­˜hˆ,–Õ VP§>QäIz¨§f³aèÔ%ÇÊÇ;¨6râCÇínmŠy÷¹YJGuÖݾÕk>GTÛ?Õûž?x4ƒºÔ_xUfcÙ~Ýq¡^˜2d &èo±”/i€ÏAçòìE
ÈUéŒÍàeNì7ÕçzJŒÊ
xÇ’-ñ¬ŠyÓ3¦â†Ä_ï6Í¢â~VÔŸôD˜€—ôÖ’Ž=7w«K•ûÜË2xl?±Z—«ÜÆÕnš~ïêEsKŠ~#W>>*%Zô@5iB>ïKÞ3bÛñnøëî'î­–KF÷}¹’qs@ÆÆ"ú"$“Danѵ·SÚ=T‹!2 õóÃ,H†5Ü¢½¥…„8K±szþƒHDF@QoÈ%GVUËèjÓwçkbÞ:m[mq÷â¤Ô¬{‹tR„ǹzXœÐüÛ#ã–õª:l†>ýa&¹Jª(vG
-³¬§²bCßÂrs3ßu{ÜOnç™cÅhYÈ|ƒªS®IqÏ[†‘B¸XWíc½ävT䉀ìt°€}8NéÝêØ´°ïQ÷Ïd‘ˆhÛ’`êUÒ3ì£cŸ¢H€A$~cºÀJK´-ÓVSBÛÕ4î6yòÌϪžD`µ"V4ȋڟ͉
-gù<+hXzŒà^ôt4üc.×Brw&°ªDÊe@;ÈóÔk†.—Ž¸ûOwïú½>â²2]ÎïV–y¡…o„î[:2ýåͤáÁ¾€2î3¿æ2'¡	»„ä	¢Ìv‘M
-PZ†	jÞÆxöª5ý¤ÈX3ñÄMÆQÒi+kÛt`)‚9~ÉJk˜ÚŠ›$×Ä°ªý€þ9HÈâ¨U5±¾ÈÞjÃq!ñZt[ð2KZ»5`ŒM»ˆ„·ÝŠ„‡cà|êeÏ褪ãŠ;&â$°õ¦Ù6“´_)aÃ/ç-0Þ€
-3ò	•“Aòœ@ðlŸšå°F%7zþ¡‹чǔˆ7ì©…‚­ºŸ–L¦xôH.ŽuÛ3ŠŒ0ëC+V¶Œ=+¡]w‡ÖÖ'3î2¤5=Sí蓳Ã
-]¬Ö$eì˜V¬‡šÃ¶óC_3¢âï᩻݀Ênvõ‹5„ÆK6eSÖïD)(^(6ÉwLäæõ—Éc«¶»M}sJ/Á]§Ôc¤€æéŠèå™—„óä'3ª€ºAR„úÍ¡@-'²‰P¨,+lÌ:šÇõÀ³ì6Õ¢Žñ£–¼Âjå3&P±dðËÜŽ¯øմ䪸I‰¤cÀ‚'Vï­Ò¹ÍÒê_ýùŠ\—	Bþ´®%¾<çì0öþÄx‚›…üV)4¢@((Gu~¾ïÿH‘À;ñ‰€;Ü'ìSÇÀæw„¾ÉþÆÃDBÕQXdF?t‘Y걇ô>û#Xó¶ŸÒ¨‡z]Åì”çÈP¿éž67+nÝA
-‰ƒX;––Z3̧%ÞƒÏ2:äK‰õȲÇ7t0—§Èr_ª0ƹûו£
-#8¥ËÿÏ8ä¥Ã­²`Â5C	Œf>dÊê 5Æpx˜6³²¿Qár¦(D…ì?.—ºIöŽë
-wªMd zW‚B/êÝÀâ¿‘ßÀ„£˜ÎqÂa°9NyHvÚ¶œø„m‘âµä­¡“\²eã†ÏX J<`›°Õò|DâUJef6>Ì?‰/µ[Æ”:[ðùm'¡µâoŸí’)$tî*J›µÄ?) ¾ûð雄:2nÄ=1]ÕÕpãSrµ˜”c£©Êé~¬A†µå“jj4IÄâSг™$’V1@@ìZ2†œ-`(Eh©r"ôZL˜‚"	¢7aÃ'í/Nzê(²›œS΀R¥!xÑ…è?R:[	†@ýeWƒ'l{ù&u0Xõ€w.!NÙ,›""ÓçÙOê¬\§ìŸ`p=H»â=kìŠÁD‹ak**… 
-(³Å€‘ÙR»š°õ
-ù<+…”*RE#ütßÇUmŒ/6@Øñá|K¤ÒÎå—i%#ùhë'`9¨Š‡=)K™\0a?kB%7ýa‡eÚd¡ªì#¢ƒ/øt
-¬Ø¶Í@‹ÜS%~*_XëÊŒùW&g¦Œg	¸³J8Hi-ü“bÝN6_«†èhl@G³ØH8ˆg‹õ»Ÿy0ì•Õ@"Þs“u³µhCJÊèWCtUkãƒÆu[Wd9çÓ”œ# ún+©ñ¢âÊSW0ç½_t‡Í’ÁÇZ2Ú
-M()‰núFEtS†<ð®Ìh«=cù|jZî”K„pºáÁÑf/×ñæzÇN;^+Mz @·Í•!b¶Í4A‡v¼æJ(Þ•"^nTѧ£#-{e²Û7Ÿ%µ€!5”8ûßùãÐOºjæÂüã»7¦4ŒÂ®`päN:²žécÅñ…”„T °sz¾/Žòú¦½ÅE¨j¿«&bxéDíXBÇ:–Ì…2´t@N⃔¼õ¾­6L%"
£rª†{îNeuœì<¡yþ–3ºf½åœîjXÇ^~Ù×3_Y#
-/eu¦Cù7˜ÊâÅÂ+/•Î|þÒÛJÉe3«-Õ„tCÞퟪýrêq'W¹.©òò¾œÿj­ç!R  µ;ø£8¶h›^Ü~“ñB{¡Œñ$½FZPbT¦»Ý)c‰N+|ºª¦«€Výü½jhçã¶N7Aç·Nå'¢~ô$n! ŠwSïQ 7HxŒ}Y¾®ÀÇåXÙòƒ¡À4È^¼šàY²=‹8Ýø~•[•—Y~nµ/,s碈¸í¾Š.àl>—©Üúâ|?Ó/l™S¨?Ûd^ëfȇx/PµÛQžŒîµcÔõ¾©%Ã7&1Y{‘u€/#éøX%)NÁ‡#w]z–ÔùéÒ(Ѓ¡º©'FãT†sÿUäéøIñpB¦¼sÙùV¶R:yxpò:]÷Òaùâ““–Ûz»ŽÊó±'ÿmÏË/p
Eö—nUi‹òtƒG oÒõƒ¬€¥„=^ãÊs}»4fçóщS”òéýÆK^Œ(yÕ’ %ï
§ï`(Ï#3¡ƒø,é+=bÏeVkÜ£.§•q< èTú<`Y([„x÷Ùí¨@œ²æ Ê$ç¤ù˜‡²âCœlÅ“ñ
b@÷È%ûG+±’U,ÏæÆ_Þ15ÈÈÿÐC·:å‚çù$?3J|¾À‹Î&†Á88%œxíÚ=@0ž°X“Ï.jJ‰¬.“Ü’ƒòÊ祿xJã§AoéîVâ²ÇwL˽v°WîŒ9òàà¡#r'ŠJü¦bé†ÂœjÌüsC÷ö0
-“…êfò
ä0È›#—¨†ï±åÇ„xo$s'(¥1èÔãc-7(mX¿Ú†Ô¹{MÃÎa2
-Ê‹ò³ã¤³Œ¹ÏHÿ_NxFyÄW¦&ÞÊäøà
-ÖäS¿$ÓéÇb_ý»µÓú|®\QØÓOÒÎb_^(_G>™ÄWèg¿ª‹?pªÑÒÿÑþVÎendstream
-endobj
-1491 0 obj <<
-/Type /Page
-/Contents 1492 0 R
-/Resources 1490 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
->> endobj
-1493 0 obj <<
-/D [1491 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-466 0 obj <<
-/D [1491 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1494 0 obj <<
-/D [1491 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-470 0 obj <<
-/D [1491 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1495 0 obj <<
-/D [1491 0 R /XYZ 56.6929 725.0323 null]
->> endobj
-1496 0 obj <<
-/D [1491 0 R /XYZ 56.6929 725.0323 null]
->> endobj
-1497 0 obj <<
-/D [1491 0 R /XYZ 56.6929 713.0771 null]
->> endobj
 1490 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F23 754 0 R >>
+/Length 2947      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZYsÛF~ׯ`ùe¡*s<®õ“œÈ‰R±’µ•ÝªMR.ˆš(SC€R´[ûß·{ºšÊnŠè9ÐÓÓóõ5 šIø©Yir;Ks+b©âÙâîLÎ>ÁØ7gŠçÌäùpÖ››³WoM:ËEžèdv³ðÊ„Ì25»Yþ}õíÅ7—ïÏç:–Q"Îçq"£7W×_SON¯~¸~{õÍOï/ÎSÝ\ýpMÝï/ß^¾¿¼þêò|®²XÁûš9yáíÕ÷—D}óþâÝ»‹÷ç¿Þ|wvyÓíe¸_%
nä·³Ÿ•³%lû»3)LžÅ³hH¡ò\ÏîÎllDl	=›³gëFý«Sú‹M&âL§
+´j @¥¥È¥Ígiœ‹Ähã5xW´‹õ|隶¬Š¶¬«æ|žHý›År¹sMóÑOû¸)›–úÿó÷Ì•yë³[ìwMyïæuµy¤ù®ùXï>V55'ßþ™ÆîK÷ð±Þ¢,¯©Gñëø5|á_uå>6mѺ;Wµ‡ïÌM,²$ŽÇk‘ü¯Þj5ëºWÈßf"7MB@èÐ!Y,:üa)j~í~‘RW%
+L=Eµ$⧦øäx!38
+XGÇ"Mà¸ÎÍÚuÒÎ+ZçxÌ8Ç/ÿ”“¶"ɲŒ'5CÉ’¨lèYÐc[?¸Ýj¿ÁV­\Ñž«h¿;WY䨯^ÑÌ`A	YPµë‚yn\;æZwüvãv÷nǃUóÐÑôøúú¿íÝî‘Èe¹ÂåWÎK1§³Fä*ÍÇg
›B,é4‹–nëªeY}¢¦×:<Ö5~Ûð,šÏ0	LÚä&ºjǃÛb×–‹ý¦Ø¶ûÆ‘r€^Õ;ž~·ÝxvË5ÛMɼhGØçÚý–?”íºÞ·S_÷Ä ÑÖôÜÃÊŒ›»ý¦-a=j‘:ÑqÊ„Íuì9]‹õd
&O &Úª	Ä¥AµË®Á¦Â“Ã^‚>Rh±¾Ã«{ͶXp?©‡r³¡)·<Ö8Wuû8Z§Ùß‚&Ç+-6%HZ˜Û<Ž.!èÀ’|¬]š	ºËRrD¸l þ²vp÷6rEceË“šš,7€í«ùep€ÞBš†Þ±nƒåŽ<-ƒPÚXÖ1ûÐÃ`a2°]i’8o‘Æ*}N¸Ð"÷æ>,æÇùåÓH`²TŶýÊó>"d
+ÑöO²ãxBH«•	òHH&@ˆ4Uùõª?O €ÿÒLDÂ4‘Á(|1Ä´qœgSk&$0B$Xl
+p'ˆàŒ¢kH¢-u ØüÔ!Ø°£6Ž€
Íânå£`3¤FÏâTŠ4O’?lÌq>d9¶D˜d°ð°–ˆÌ¦éŸ'cÇñ„Œbm†§7òÖRÀo—ÉOeÁ#fDZ–HÕ`œÏÅÚ('{*@Wå™Ó×8®P&c¢ªn‰h¶nQ¢gwË—ÐÛè¶n§ˆ2
+ó	5ò8èHs“<
РOÄ$8È®GOl-ÇWTί,ݪ€ÀH;Á°‰Oσ)¥xI,¬F,Xl|ª“ÍÊa$1&‰®ªn¬ËÜrŽÊyF·ø̱:§XpÈgj«ÓòþgjÏk¤þ¢ö˜ÖÆñÑ^†¯èÎa£›†7ן§òMH“Ùh`£Äë³{lŽ$ž±
ð{X—`Ïp6ÚzÕ÷å
"1
+€wn±.ª²¹£¦O±pœ,zBGÚŸ36nã¡/LôùH®#8Ê궚ÊY
+2
+KÒž‘ºea–ÀS¦rvwºº™@/”
]Fþ“Â$èG§
+ÔPT
‘œU§2¢B	û`¼Ä°²æ¦åW¤ã;ælÁ³
+xóC”|u“Ëz»aQG»(×ÈØ×&smâ¨ök.}RÍ=ÛÉÚjôFOÖ.è›цø–ülÊO•?08Ô–º~Ñ:EÊúÌ:ºÌ貨ƒUÔ­NiêÍ=‚À/Võ›ñŒuÕºßÛn«^[Ò	#å}Ð;¯£».bŒB ¨Ùtžÿ•œNƒÊBÁ%£’Ÿœ
+P9%.µJ«‚Ö>s×Òv‰	¤Z½R±Ýz#Ìó`Ž@=¬½Ò€ê] Å
èÂ[™Ò»œ	{A*V	}ƒÀ`ã4úGÇ/õ„y`ÜYlöŽÈ’™ûÃ{9¸H8œWMáôÈùBág;ÿÂñ¦BO9®Ü²X6œdîszÒƒPÜ·ÕÑ@à%ÅF2WœÒƒ3çô‰uqïF,¨á·ÊsGùˆ—†ßÞî<6PïÞ|<+¢/HýŽ\O:Yd¶jŸ3zjËŠ[ºjÁ}5ßû!×:p
Ž`z'Fc5gõ³Sª'iÇA“)Ì4ìØüý<† î}}ݧÄd¡h¸¿ß2,œpÀ#z<·äg¯Vv8|u=žû;·d¾×uË«‡ —puâ«æáõû^軽Ï`P
+HFŠC£P!>¡ŠÁï°EH²+oÊþ|Èðaxâê:ønÚr)˜XÔwÛrã–óp„=|y±é[I¯¾/ÿ\«¬ê‡1PíDilàŒå3<£µùT¾|IÔàP ´†Gû‰ZHrÓ¤5=Ü•î®÷»¬úú«>|‰"“ê³M\5îÛf—8ÕGBf–aåvO,H :˜»ÊIl•«pØuu-ˆ¸¨'S5+ ey4¡,¨-ó§ßx‰‘×Áå늼ö"9N£÷
ׇu
ÔÍ[ýoûüëÄå0ìÚ™Ùƒm“³ÃϤ/B²ÿ"|öEeM~2}õŠ¦ÜxãCªY×ûÍ’h®ÙÄ/)ž¼©U¹ö¡Þ}„Ž'w+]!1ø­¤ð¿WÙëÃOÏ?J3’îÇ_=ac×_¤xyÝî¾\p£­„œ*0É…ÁTLc^
!ò>Ô—´à…j„Jëú/á¼æŠ…^óCSÀS¢„5(C¥m.6{úh:ø®ïš1ÿñ‰A.×NWÏ÷Å@’Ó«q/
,õzJøU¹9`>r‰åí‹×'?ëyð8[•íómá]zŸÏ=‹¿‚ïìñ±Ü>öÇù…ÓÛîÜ}Yï›
âØ?N@Jü›ÈÄÿCd÷‡ÿûß(ý_ul*L–éîkÊ8^JHÙ5(
+·”¦‡’w[y*úd]Œendstream
+endobj
+1489 0 obj <<
+/Type /Page
+/Contents 1490 0 R
+/Resources 1488 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1466 0 R
+>> endobj
+1491 0 obj <<
+/D [1489 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+466 0 obj <<
+/D [1489 0 R /XYZ 85.0394 683.3585 null]
+>> endobj
+1492 0 obj <<
+/D [1489 0 R /XYZ 85.0394 652.4223 null]
+>> endobj
+1488 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+1495 0 obj <<
+/Length 1237      
+/Filter /FlateDecode
+>>
+stream
+xÚ­X[oÛ6~÷¯ò” £ûyJ3'K±¦ë=y†ÁHTÂUU’¶ãÖûï£DÊ–c%‘ÝÀ0DR<ß¹Ñ2Lù³χ~dGF¹Ð3-ψói<Èw7KïÍ&ÐÞõa<8¿v#‚‘oûÆ8ma…ÐCË'“SÚðL"˜§WŸï®ooþ]žîéøöóÝ°=óôúöÏ¡ÝŒ.?}º+ô¬Ó«?.¿Œ‡#õÊ×nï~W+‘z¼:^Gû«áÙtüq0otiëk™N¥È÷Ádj‰TûãÀ„NzÆRNLhE‘mä×s ç:N³’
¾þÚ¶ÞÖ¤ö³Lh;¾Ýa@×j0²¡ç…®xôÛ©
˜#?‚8#¸üø¦yúS=P±ºP£ÿ.*=%3`;0²L·¦ÖÚ‡<Å쥗‰ôÖ»*8PR™*Ú°›²°Þá£öÎÔÞ›7‘<N1§  ‚¤»ž$å¬ÒDc–”‰Íz5ÑTŒ„ôêÖv¨Ô§~Hщ;¯ñ‰qü
TQ¯+ö?¦g.+Ö)"Ùš<”a¹fí0|Í2
+1:®CÀ%É’1]zW˜Ï(›UE¼'=)~`D¬žôÖ*!(›—íñŒ–bsžôd[4«s¤©ô=UY©ÈAJ™Ì­e…,»k†–9è_:ßž™Ëò4=àäG£Íx‰ã>f l¹qd¥CuÖ­S¸8HƒÙn§ñþéÓ­yJ¸Gü8—ÖÔ)£9HH*Ë+.â&ÿÞˆmkFä%ø…Ø"uçžéÓ+Aö"£ÉèC+4Šy~ß=4ªPš3D†<‹¾Hö‹H‚äÇ#µ«ü3»¬›~¯”§	;‹*mÁ¶•ë¡¾bœ¡UÓöÊÞ0á
+œ¢Ã«¥l7¿áÕ¾™^¿n]úqYAšV¾*¤t[麮,?€N`»®ãÕ0¿Õ¯<o´Ö·•ã­\×G¢8Ðñ^³ ’,ü¶˜þ¾˜¡É]‹é¾ ¦{¤˜‘íÐ:­úUÀeÛ+{%ócO6NÀe$‘§c}N²Es8´==Q“iïH¬på¿ú¨‘RÒÔ·“¯R=‘˜³þPÖKPÛ¦ý@ydóˆŽ.û¹,´§RǺ$]"éDÈO†·!º.%äç[u“Ðq…`n>Ý~ùÂb{›#¿ÿœ0´7w¶Óú ³ƒº¡ÑBUjážäÍÍƾèÿrcÎ9endstream
+endobj
+1494 0 obj <<
+/Type /Page
+/Contents 1495 0 R
+/Resources 1493 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1466 0 R
+>> endobj
+1496 0 obj <<
+/D [1494 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+470 0 obj <<
+/D [1494 0 R /XYZ 56.6929 600.6754 null]
+>> endobj
+1366 0 obj <<
+/D [1494 0 R /XYZ 56.6929 573.3325 null]
+>> endobj
+1493 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1499 0 obj <<
+/Length 1169      
+/Filter /FlateDecode
+>>
+stream
+xÚµXßs£6~÷_ÁcÜ©H„&O¹Ô¹æ¦—k]÷)õxˆD
É—8çûß+~ÙØÁ1عñx‚ýôíjwµ,2LýC†kC“0Ë Ì‚¶‰lßLã^?û8@Õ; ~	4ßú0üzE¨Á s°cL–M×EÆ$¸=»üýâÏÉh<Ø6Ï8¶cž}¸¾ù­œaååòËÍÕõÇÆCjM®¿Ü”ÓãÑÕh<º¹
rm¤åq…°GàêúQ9ú8¾øüùb<œN>
F“µ.M}‘IrE¾n§¦hµ?
LH˜kOúÆ„ˆ1lÌ–M mRÏDƒ¿­OÑ6ûÙÄ…¶‹i‹-Ô0 2]È,F
j3èL
+Þcšgsïd\eK Äœ—sñb~dzr|^^¦¹ÆzY€d¶›|	‘q_%Ù²œJ=õ0‹½9ï þ³Ä	‰”ŠÊÉ%—³$›ÅI€	d¹•+´Ò#~œ×k”­bö%‰+¥òQA©¼½õ#OÊiyó½m…UË´’‘÷Ÿ¿¡ˆEÉ“ÖD‰pYã–‚ ãRÎæžòf‘ªœÿÑÁ:%è×ÏNÂD{0A¿3U•y±k÷y7ØExŠƒ0Éž¼,ñý»Y£Bö¸ÿåãŽv`XDŸê8
+5‹‡þ^$“6Çé,׬òØ4ÉÔz>¿™ÖÁ‘#»:®ƒ[UìŠS\ „5ã‚u¶ô(m˜™,'þ5mSïW¼
+=­Ä}œd\ϡι%^´H›ãY’*Q{m‡í
ET°ÊÖ~Óaé¹'ÏrñÜë´gmTRüY­2ï©—*ÿ%‹,ö¢®\Ðn–®ä/µBz4“)÷;¬^ÎF‡$Ž–«PdRõÒ¢Âá™ÜòÔ÷w´vCˆç0wžاE%XŒfy86Aõâ1qñ¹ß²/ù×-ÊSú<¾<¶šÐ_BÞÑÕÕ\×3Õ'P¯fzÝèÒÂ䤦Æq}‘mU‘ <Ý“›#¸µ9Bú6GÚš]DWh„´µ¦ô¿ZüäFئKhé,àºxÝã¤Ñã"¦]ÌhM*W²]æëŽÙkêÿbïendstream
+endobj
+1498 0 obj <<
+/Type /Page
+/Contents 1499 0 R
+/Resources 1497 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
 1500 0 obj <<
-/Length 3216      
-/Filter /FlateDecode
->>
-stream
-xÚµZ[sÛ¶~÷¯Ð[噈ŕ$ÝÔIÝiìÔqç\Ú>Ðe±•H•¤ìúüú³‹(ÞD¥'=“qìíÃbqá3ÿø,Ö“FÍ"£͸ž-wlömï/¸£Yx¢E›ê›‡‹¯ßÉhfŠpö°n,ŽùìaõóüíwW®ï/B³y\.tÈæßÜÜ~K5†>oïnßݼÿéþê2R󇛻[ª¾¿~w}}ûöúrÁcÍ¡¿p#œèðîæ‡k*½¿¿úðáêþòׇï/®]Úúr&Q‘?.~þ•ÍV ö÷,&Ö³øÁnŒ˜í.”–VRúšíŧ‹›[­¶ë˜ý”ˆ(e„äÑi¶Ä‚[WŒxIÞcºàœŒËp¶
%4qãÅ[.áÊ@kúj„RHë“M–×h˜¯ßAÅ‘8ŒƒH	äŽD›,Éù<˳:K¶ô£Jk*küŠyyÉãyQ¸Ú<Ù¥ž°|NËÊ
á¾Õ>]f¿0&ÒUª,¢ªùEe峿þSä)Ö(.ŠFka%üÇ&Í‘ÌÌk’Õ8®®\'e]Qù°¡çYí*ª´êõmkb¬b¬O©3Ì[â#E³v”1‡(ÅâYÈ`tˆÔX>ͨpßJ^úE»ƒ
¢m×á¸(U	!{1bã¶D2Rx@Ðj3$Q
Õˆmw
GC9NëVü²ÐzŒÖÇLðlj	}´ÑÝÌòêäÅ	‚˜‡è7
úE¢mË¡MPÍ:‚Ę‹xÜ·>kÖJ2Ф˜Œø¦3ƒØgWÞ‘é0…üÍ(®Ži%74A¿ª¨Lù–vÉ+Š=â%ÙnÝïGG°.¶Ûâ…ÂÔºÖ„>67±A…ÙܧßDÅÌs¥€ÅÚÉŽúÂQƒ‡„•Úº`¹ÄÈ(ƒXEÚ‘àBƒ³{8Ç•UD~¨¼NË<ËËUNbÑq@þ†â„‚u	®»"sS48ìÒ¦‚œ5k1kÚ—EéÂ’‹¬”âa4ݸPòœT®m—üæÖüU¬}¨©ÒV4…$@È»yDe(2íM³I«¬X(,MÀŒôY„óœÊŠŽ_ÄËŠŠVh,Ø5i0¡Øù*0WÌ0»°äÇ°¿>Ü<|å†üH
¿Q‡Š+°BžàvSŠùMÝ€ò,áÊ#acQm’Vâ±Ðq`n™;ži‹†M1!°kàsRf…Íl¯Uî*jY%uòˆ†lJÈ#ªÃrãº;
-¦¤V6"={O¾/3„–™¶Ч*è[ä ¢’Üí÷ æ÷ôõ…–£Õùåó»Oc3@JéØù¯Á#}ª×¼È_w=ÈJß¿ƒ¨«Ü¥ó­ÑqXP°>§Ûb¿£­´Xnð}»IŠ
-æNhH@ªýáê–úíÉLu±,¶Ô´l§>v¤œHi6@Å.[A¸ˆFgóÓ®	ZÐEDL
-Ån£‰Ã&ùX¢å³˜î>*0K<Ρý!7ÐÌ›öíwWwc¦£8lO —
-uÂú‚Ã"Ç!l G¨”lvé»S$º³1¹œ©Àž¼%CXoA“ñ#$¢Y´‰N¯3
•MŽ1à/ÀûÙz:p0Žø4ó†j„}·a Â¸Ç¿I¬š°¸J«e™íÝ<¦x8´®‰&”b}-z¬1^Hàì¦Ì k“°ªÀÆ*ì(:‘µ5ôgTŽK*/Ê!`;¨"O…1glßPd0ÚhÚF8*©ÉÅØe‹jmžêè§?i96HÇb®¦™7T#Ü»`ÓKÁúßaÿw‚­Q¢5È'd“xŒa
¦ëykŽþŒÆÃq?k)Gá´éªs‚F›Æl$”PòÖZTXóT=7ÁÆh7
°ÎNòo¨FèÀ-X2õ	¾nñnNóHQêÓˆƒ-®!-¦çéÏ(=÷³§ä‘–ÓÖo¨Î2mqö°á4âÚT§×P=U—I^­ÓràL  Ýšdï‰FØwð¦1ŒÙåÿwâ­­Eÿ&#ÂxŸÄ›0ÇSͶSxóôg”ŽûùÎè ŠÙã7TçŒ67¥ ý;q{uÄ[‹jožêè©Ãätˆ6ˆ\Z˜iî
Õû.Þ ¾I%ºüÿN¼µè£M1SbmTà]3O¢ÍÑŸQy8î_ÈÝ`„å`Úö
Õ9A£M£
öwQäÓhkQM ÍS!GòÐb_l³åHö°Ô«iö
Õÿ.Ü$ÞG]>5»¹îž¯0?á1¾!øÈ_SØß?YÁ‘Š~;
8çsw|ƒ@îûVt.!çkK:+OFµá¸£°c‹¦ÀÓGXÝ&mÜPd8Ú$¬x¬‚8g`Õ¦:
«†ª?ý°ÁIÊ^[÷ÖØ
¶Ó‚4T#’´•LÛjýâYO¡>Ìyhó“±MI†WÓQz„
ýõ‡ã~~æʆÐmÚ
Õ9A£MƒÒ«è[T ôT䳪8u»aÔæ
Õ÷îñ5äw‘£Xaæ»4É,ëÖ~gcxÀ{>á?yêé’Ñ‘iˆ	8ù9¥²{v€Ï4|3^`TdÒY
-㞥@ÁžL£”Ér“Ñm¯íœ¸vºÅRëJα9m¡TûµýÛÛOîä³ bª{z{÷póî_cÇq1Þøã¸]ZUÉžG3§H?ÉbwEŠuTƒÊ¬\ÍaO_û*h{ËÜ+,àS{6ÍÜ{[:¾—€Nx%áŸFØ®öè¼=ȾÌv	`@ÒwÎ/w	°)ñ.¯“Ýó,¸khéÕ€ªýϵ±”ä¯T¸ùè*V+òƒ{´¡z/OÆžˆ!& í:<Æ´ÎüÌb UþÈõãh~åÄ+ÊšJöò	iOºÆ's€ éÒ]ßÓ±-Z7䈫Â@FB–´ZÀ–>ôÒ¶lD앃uj¾r5ä¸ØÏ4B
á¬Ó)ÆŒÄz˜”fqóHÆÓCBÜ<Ñ!Ò5µBî3všlâ ÄÉîÓ†iMy)­z7Í]'Ö´¯ªúðعçww\Í¢è¤nßw5KfºÛû‹,œ-'cyA ùt(oŽäžÈžÆoÒåÕ0E•A›iÎ
Ñu÷x¼!ªÍ›.!·s׫ôÁ×¹K-÷œkîê2£×
ÌOoj$%jt>¦©ýˇÑT¯yüI•;Ø/-ë$sœWÅŽÊŠ‚•{-áž`aä‰`K1y€P†öEÞÖö’öeÝ×…kÀ@mNƒ}‘Wž®÷jZ—‚ð‹T„BžÖ/Eù»}q¸°ú8%à^Û5,—îÞÌ>j´c§ JXXäè¡ü¹ùóÅS/wUÀ.íÔy¨à„B3Ç|ðbÜ¡cˆþ_¢$ŠÝendstream
-endobj
-1499 0 obj <<
-/Type /Page
-/Contents 1500 0 R
-/Resources 1498 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
-/Annots [ 1502 0 R 1505 0 R 1506 0 R 1507 0 R 1508 0 R 1509 0 R 1510 0 R 1511 0 R ]
+/D [1498 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1502 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.2146 599.6322 375.7455 612.3694]
-/Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
->> endobj
-1505 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.6233 360.3945 381.2953 372.4541]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1506 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.4119 330.5066 379.0839 342.5662]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1507 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [340.2996 300.6187 408.9716 312.6783]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1508 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.1051 270.7307 396.7771 282.7904]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1509 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.3548 240.8428 389.0268 252.9024]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1510 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1386 210.9549 427.8106 223.0145]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1511 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [429.9426 181.067 498.6146 193.1266]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1501 0 obj <<
-/D [1499 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1499 0 R /XYZ 85.0394 560.3013 null]
->> endobj
-1503 0 obj <<
-/D [1499 0 R /XYZ 85.0394 535.1807 null]
->> endobj
-478 0 obj <<
-/D [1499 0 R /XYZ 85.0394 416.2201 null]
->> endobj
-1504 0 obj <<
-/D [1499 0 R /XYZ 85.0394 391.5178 null]
->> endobj
-1498 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R >>
+1497 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1515 0 obj <<
-/Length 3163      
+1504 0 obj <<
+/Length 1062      
 /Filter /FlateDecode
 >>
 stream
-xÚ­[[oã6~ϯ0úR¨¸â|œv3ÝÛ™n&Å.ÐöA±åD,¹–Ü4ýõ{x“u35Eƒb™üt.äÇÃÃ#¯Rø¯¸@B½’š!žb¾Úì¯ÒÕ#ô}{…=&	 ¤úúþêï©\i¤«û]O–B©Rxu¿ýi-A× !]óñÃûÛo¼{w-Ùúþöã‡ë„ðtýþöß7îéÛ»wßÿîî:ÁŠãõ7ÿz÷ÃýÍë^Æ×·þéZ´ûsAèÝÍû›»›ßÜ\ÿrÿÝÕÍ}çKß_œRãÈoW?ý’®¶àöwW)¢ZñÕüHÖš¬öWŒSÄ¥¡¥¼útõŸN`¯×¾:;~8E„
-23€„öPaĵæ+É5ºÌþYWùuBeºn_9Œƒzý¾>Ïà}Ü{_b¤%a Ô¼¸Ïš6°¾
-®cE=ÌÈo¼‚'£	Äoó]v*[×Z43ª41ƒ!½Œ]V”3Š0GL㊚N$’œ`mÊì÷|F HÎßÀráe¼dÇjNE„‘‘å·g±VWU·æÕUBE:Å°@0ÌçľUìe¾Ï«6ß:Rîæ'M#:ÏŸŠª³£Á|¡	¯1’ €DŒq‡”ôQŽ†xn”Q»yÊ7ÏÉþ±b­‘â©Š+ Å¾¤)
-¶4Ês7~v’ÍÃ6o6ÇâÐuåêÝÜDK”¦ü°õí©e	¦#Šjì"á
-„²®óø¸rw=o;ü‚»S¹ÎÝÍÙ1=±@xl%QI†½C-2•æXcBI„¥ÀqŽõQ—9Ö¡ÎsôR”ÛMvÜŽÕcXý,Åqõ4£~À4
-JAÓ@ÿßcš0­ïÅH¹4HÉ‹|£E¤¦jài„o~Áé©ÜÏç›TˆIJãƒß¡–™H‹óÛ°¿Óú¨ßêújɉ´8ã ŠÉ—"\a\@§ª)Ê¢zœð
+3M$®¾CÍè0r˜TQ>4à-7Óž#Ý‚"¥µ¾¼£j!Ö}ß…ØŽð>Oå~>ßFJò…¹ïP†L¥EùÆ5ìZ„-D¸>ê2ß:”MócTuÒÔYÒ¶å4Â8¼p7 CÍX0dœDœ94ám7ãȘs
-QFq$Æ1X„|Æ8_ðz*÷/ĸÁî§ãÃß¡–™H‹sN€E’-ĸ>*¹€2O‡mÖ手ÏÍó„t’L¡,èP3&HÇb<Ùð6ëœ'ã#;…¤—YGáhHñÀ×é<|Áé‰ÔϦKS$0ä+ÑÁïPvL¥Å)G9l¾t)ÌõPÊ”ÑØ_“vsHŽùî˜7OÓ0Çr%IÜ€5cÁ0ÌA
-!”šð6anÆ‘q˜“H*‰r gö}ˆF9_pz*÷/ì¬2®â£ß¡–™H‹S.…ý¤Œ;ƒ"„ó £ÂBö5ù¤"§p i
˜©Öa)#Ž™¨ýtÈ7Åîõ:¡,”¼¨¶eA׳;ó\íZ<êÔ˜‚”y2)iÚúh2¹ž`xð•Gè7MV¥ëû ¶iϯì견_¦LO0DÀÃy¢l3LäW×æpµÎª­k˪W÷Ðœšü·¨q¿;+=Îùï~²ÆαíO¦ ̨ãæøî;70ÃêæxÔM(|(ÈÜŸ—ìÕ=4†¸f6>FÖãXyÖÌC¡;(UÒz·ìT†Ïe^ó#”y!Šöâ$A§áÈûÅñ¡ýb®®ª‘R2ì÷_y4|dÉúËk¼nÜs•µÅï^}Q%û|__ÝO7
-Ûä¡Ì QhÝÏ`©÷™‰•àAaå
\6°:zBUÙªa›{›=ûALèìh}„ᵜ­ÏÊ“­•Sz¦Šé8Ô9Æ宫عÖl»-L`ÏJ×Þ(l½=Â@½´'S©·Íy^¹68>ÛÕ­À“Úµú€ÅÖM~„÷ÍûU¯?ÕûYŽ5™)¡{†¥gßó@ºMyÚ
-¾íÓ˜\…‰U§óVÏ!n"28ÐçôÃkØÖ-õ.î8Tj”.«z Ë;NÙ0YÀÆ:ì%HÓ0Sý… a»1ß_ú:ß&¥9[>©:#*"©âô½‹Õ<îèDêgç1D+¤0QÑÑî@VŒeE“Êr¾À©*Bª€²s“—ùcf\Oꪜ)€*ȵȂjÆ‚a	”"AèÈÒµ0$ÍÍ3_[clkv8”…Û7…ß‘„ûHf~ŸœÜ“ÿ>–0&×·;ß›{îMþfšÂpXßj×B‘¥J°á±¦|{™ýæ
-	£rý=T„ýÕc¿ßqäIÍ=	³bº;ÔŒòA4_™2k ¯ýGwjÂþì3]CÎy„Ão}òî8ižÌqÒËúÁŽ6´
‰‚Lä×n+‚οhC8@Lºoº3R°Á&ž€ÈÜO¿±t:Ýyq†L”k$‰ ánÎ9 LJ)ˆS"º-Í^	¤>ltê¨êîKðÌ‘½·m»TÚ–yãŸç4»ÚŽúº‘3é¤M-ç’|7LÜU/.òÃÂ6¸£´ì.³2€ljúÇΚ’\(ùPNuTuÀLUK>¯È@÷¯5±i†ŒÂUn°f–¦ÅUÍ“r†¸ægJEæ‡kÓ[eûÜ5õºàáÑ*ói°Á–õ£ëù9åé¯õé§AxÄ¡1%¥—jçÛ4n_AA±ñÆÚâ¹#FR.GñÖRŽ·ÿ{‡Ü£?zw¿ŠÇÊ:l(B8+®±µö@¥Ö§M;~Á9ošì:wáµwÏá‚k¦ÃúŒ‚Ã!¯<çáçÏ„0ŸHöÉÃA‚kÒ]ó+Ê·ì¯U¹˜eZ5óïŒ;‚]ZlΓ˫…J$¥\øÔGEÖK@
L»?$~8'ߺ1RŒ/Ñ¡f¬†s#3ºµãÕ¶Þœú×òêÞy6öÏ÷L•)Üàt}Ûq{	ª/tj¿Œ.ú¨ÈH”e‘'î¸. ‘2iBToÍèd‹›K͆zßùtC…E¤H¯&§ºõeã~:xÒÖòYÙ$Äþõûì6¯ÌÉ-åþX¨ðPªÝkÌë¡×pý’[	ráòb©õp^ZÃÆ$\¡Eó«rQm.W©‹f²”ñµ¾þyÍœf7ÙC(j…ãèè4$‘lù/Aú¼Í›8#KÃÎÓ}ž¼x­–Cx¦ì³.˜
-ŽÌ
Í…«X»ˆe1ÎÃ?Ï—¤)þœÆ
-Jm$¢:@&ª‡…R*i_÷ÛÔ¸æ<_ÁRHq¹‚“œ’=/cŸí:êðXæÅRW:±R)y‡‰Û0’4ªÅ)ŽÌUúmðϧûÆþùg€…F•"êæ’¢2…Bg”1\‘é²ðWû§¦ÿ‡¥Ž°endstream
+xÚÍXÛrÛ6}×WðQêa\€?9Žì:Ó8­¢¼ÄÑhh	’9¡H…€â¸‘ÿ½ Añ"SÑ%í¤ã¸œ={°äî9Ðü!‡2À Qg²è@gnÖ®;¨Øãn6¹õ]¯†³+ÂÃÌÎjX>€¾œáô®Ë=ƒ»—ïn¯n®?.zÜëoÞÝö\La÷êæ¾].Þ¾½ô\äSÔ½üýâÏa`—Xñêæöµögè Õôo/û½ÑðM§?,}©û‹ ÉùÒ¹AgjÜ~Ó€Ÿ:æ$v@=B63Qç}篰¶šmÕA€	Ã-z¨& ƒŠSÁ$P?-eÏevÂXŸgT! (Åù–Y[”NÃxnÇ­[ïìÚTFrè0‰Ý$Žžìä“Tã$ÇÉæ|þ3j :ÌäAN>»q°ÊN|‚>i¼ža´çq’J3‡¶óŸ³3û{›h;¸Y,#¹±–Su1A¯éÂsé˜]¶2ýÄ…Ùhœq²w“(Pª°ù=?Ú
+[é¬ôêþGâQ”<º_V2}Ú Úùé4•Jž<Œ£P~= d
ÓÜÈÏÀâã‚~9a­–õñ8YftpÐœ{
"»‚~ïÁE ´L³ãî,Iª•2Z~Óë4xܧHÃbV(™WëY˜*}”²ŽLUãú‹Õp9Ρ˜[&©.糇QÃ ñª=,‹Úcà{åfãX-.×M™ED)ðÇ[úµiã÷YAb£Ò~SØ;ãr«³î¶í-§¿¹:
b5“©NMH„E ǫŽL‚Ç5-W÷¥¿õ£»ÆGÉQ%«t"«Û—^-ÀÖöÚ¸sj÷ˆ—ý–/Q 8gNm¾º’}ѹ¹Ÿbµê¹ÅÓýÊêTÙKª‚l’gA•î J+ª9·>Û’ê@þ˜ŠÙ‘#´{”ÖS#pñßh¡Ø¼	;rÏ®{õÆÄ!;RoŸæ3|šÞkWJº;%/sËïqV<¸J›ô¤t8Q§&§i ƒû@˜ ÂØMåÌ$ý‡üSròé&ÚÔ$§Cä<Ž…hº²ŠtèÚD³ÿB~QÑXdïóý	þ”Bý
+…£ë·_t#[<Ï[¹ —³+Œœk–Q3ÄU#‹}Ӝ‚œí4ß›oEÞ´ØÇצš†8mEœÍñÔ>¨`.K;U×—)àá!¯f ÂÒÇÒÒ°'ŒÎKSÉoõ´>ŒqdzZàCÁêiM¶¡‚¶·´9î™/­çÂkkja©ÔO·ÐÕÿ<ˆïã²;6-p¥æ>ð|‚b
+:bÃŇ/üM¯]ìªQÿHèOZendstream
 endobj
-1514 0 obj <<
+1503 0 obj <<
 /Type /Page
-/Contents 1515 0 R
-/Resources 1513 0 R
+/Contents 1504 0 R
+/Resources 1502 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
-/Annots [ 1517 0 R 1518 0 R 1519 0 R 1520 0 R 1521 0 R 1522 0 R 1523 0 R 1524 0 R 1525 0 R 1526 0 R ]
+/Parent 1501 0 R
 >> endobj
-1517 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [257.6971 713.6209 326.3691 725.6806]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+1505 0 obj <<
+/D [1503 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+474 0 obj <<
+/D [1503 0 R /XYZ 56.6929 146.6885 null]
+>> endobj
+1506 0 obj <<
+/D [1503 0 R /XYZ 56.6929 116.5746 null]
+>> endobj
+478 0 obj <<
+/D [1503 0 R /XYZ 56.6929 116.5746 null]
+>> endobj
+1507 0 obj <<
+/D [1503 0 R /XYZ 56.6929 92.1632 null]
+>> endobj
+1508 0 obj <<
+/D [1503 0 R /XYZ 56.6929 92.1632 null]
+>> endobj
+1509 0 obj <<
+/D [1503 0 R /XYZ 56.6929 80.2081 null]
+>> endobj
+1502 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1512 0 obj <<
+/Length 3461      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿BôŒÅ ’Ó§4s¾¹¸=Ç}jû@K”Å+Eª"eEýõ·_€(™î´“d<\.€%°ß»ž)ø¯gy«¤°³¬°qªt:[l®ÔìÆ>]i™3÷“æãYß?^½»M²YθÙãjD+UžëÙãò—èÿÞÿôøñáznR¹øzž:}wÿc
+~|øñþöîÓÏï¯3=ÞýxÏ臷>Þøx=×yªa½
+o,¸½ûÏG†>=¼ÿüùýÃõoÿ¾úøÎ2>¯V	ä«_~S³%ûßW*NŠ<àEź(ÌlseÓ$Nm’xLsõåê¿àh”–NñÏš5ëÌÐñs»»ÖyÔ½ÔK(÷úÛÕC9Ô/Õö‡j×óï€zˆ/5.ÕÀ6=óöÛä…Š¡æht
+PòOHÊŠ7U 5*N}o©X`–¹Yf²8IKì›ò¥šÒg‰xRÉd.^TyT÷Œ)ùAܯ¶M½(yœ5 Œ5"à¬1¤b¼‰ñ–*âÌfV¶Ákû‰Ý&ÊG¦5u?Ȇ·Õ¢ž“ÞÌÍbër{®?¿*e*R„,â#¥°å#6Ÿ†ßî~âÑr¹dt߇•+YàÓØVd°.ÉG<3·èÚù”råbðH»]´ß‚ɲš7·°ç¿Xœ$*ú,Ü£	Â#˜Q5Õ¦j©²etÙôÝùž8$€Î`m[nðôâGé	_Ý!˜I¿ÕÃ&@BÑ÷GÆ-«U¹o†–þ°‹\…¥g{B
+³œ´üÛù¶›éhÛíð<™‰Ò„1]ËOf"ïP5à“kR\Àó‘aå“L\¬Ëö¹Zò{JrD0í$XÀ>§öFz·:Öí3œÁZÔýĦ²ID´ûÍñ
+°OÕ*èŽÑ†q€e„(â0`P‰ÞX‡‰c¥¥¹-Ï-§¤·­hÝ<8òÔFOeO¬°\
+dEíϾ‰
+²|Ž4,}¨‰Û¸¬»X~
+1—L"¾'Ú±ªDÊ¥A;Ès¨‡5C—[GÜã—»Oý^q[©*¢»•eZháPÃsâ“äC¦¿¼™4<8Ìôç@à̯÷”È„CO2åAf;O€>
+PØ.†T|ŒñGØ«"T÷SâÍD‰ë”ƒd¢Œì­éÀRs2|“=ö0)
+먟×eÛ”‹ÊÇJò
+Hºl
+ëÏä-–~‚ûÀñßê–@%?‚EâTˆ1`Á»·&V™IÃîßýõrJðœL?¬+‰/¯)'[{"§ÁåÅd¹ÓÆ8sÿ¶j`T`¸ë‚ìŸÐôKÞ,1 5ŒSš·JŒŠKøxªA9”?”

û§i+Ë ù•IÆsr^þ€£H‚càæÑãÒ0±>á²"9•&²GR€>/ªíÀ3Ä}#½'ŽB:‡‰k€æ8å¿Ùg›"ºÿ‚Ï<„5z’³†AòȆm^}9€(q€­[À–Ëó>&T!”u˜ØX}>^*·ø…!s6àòÛN"kÉï=Û%Ïȹ-)kVþ”÷£€øáþËwud܈z ºªÊa?ƇÜj1™Yu>˜ŠœºI5:4,E(Œ§¤@¶ØóL*y¤‘<º–Œ!_ÊZ*œ½³žAQÏÍ^È°¤í…¤§E]gœq:ä*-iFÿ²ÙR0¼ª¯Û
+aÛË;©ƒÆ¢œüqqJfÙ<á‰føÝdÂ	Rš³{‚ÅÕ õ튟èXý¯&ê[ŒZSAɹ8‡*[‰-!µ«	[O¡ŽÏÒB¦RAš@Í_}Èlž}QëËqu¬;WRé$É.³JF²h«°TÅçýŽ”Šj¥TÚK8ÎÚ‡PÁ~¿Å*m2ˆP
+•;ö‘às–NŽÛ¦h3€;”âö¡ð…½ÞÉTù"@ö]Ž¹™.¼,wV;©¬…~P¬Éœ‰´Í8ïhŒCG³höÄijÅ€zï<Žªj˜"ÞS“u݈Z´Œ!%r…÷«Î»ª	³eAc~º©J²ŠŒÓiÊM5³P}·‘ÌxQra‹™+˜óN–/º}³dð¹’„¶DFJjEš7ÝP]àŒ!s|*S:jÏX–/Bu˃ÒCp§®ð6xéøÆŒŽL0‡÷Ä
+á—Úé趹0D̦þŠ&ˆàÐÁ‰×\ùN)⥟Šž8ˆŽðÐÀëª:mÑ!V(:Q^O›#NZ«òÝ
+Š±†'ŽyøPÁÀ2Ãn†™Zpƨ(â³å›ì³°~*{:W:²y.¤¨âL¤£¼0aÏT:êéž…9žy¶GrSyÝ&“Ê“"˸/}J@CìëÅÿª ˆˆä3¥*œ)U¯ÎôWÑQå!:ª\¢#Òeˆâ¤Ê}œÄ1™\òƒ-JåRì瑈|ÁáHùtEù4¨ïš=÷€dÕT4B_—EÏõzK]sçÄ%ÄQÙi9–â3”z±§´ß)†áÜÍ;ïîó椵Ýrœw¾¼áf™d0Jæp|D(è¾Ð9
{eX²ÝÕ/’ZÀ’
+*œÝïü²ïçSrbúÎE·t¡s~…]™€iÀ‘IdνÒÆŠãs!?p.¨€cçô:|_02üºã&âr·-'bx‘ĵ}íËXXâ
+_Ï’€‰RñV»¶lx–°ÔúãT÷<ªjÿ±sz}“3ê²nrN­Ö±·îuÆÕÌ7–H§ºKCM*—ÿ¢aÉ›u—†tH©Ü¾Uwñ™êK[ç¸=Þíån9u³“Å™Êݩˆ~5Æò)‰:„ü†1Ÿh™Vœ¾“éÂóB79¢IZ8´Ÿ@¨Ý)Sñ.Ë{êSS €]¿¾,Ê@e¬?Ö©
tÞÊHâì4	
+¢*Žqbøq;u|ƒt7‘µoó7Éc—…îß.h
+KƒœÅEå}È‘ÍI.ârýåUfâ¬H/š-ol3g¼êU¾
+xçÀÙ÷èNÓæç百^KÁZÒüÛn$ïZ×ô?Öù¦8@åvKY2:׎Qì«]]I~¯u
+l‚òÿüDàɈGÊß”A<	J Bø@ðéÈÃ2/ÜIªìÔ1rt@¨nê~Ü@Šßþ;<Ðqžñ¼p\Û$IÏUw#õ_"·‰ÜLW½îúbjÒò³Úl‡#ƒr÷£ÍÉ{›óâKƒÓ¿µqØZ
+í;ú1ò&4dÌ%¼œ¶±ÓIqqåvảÍF§eÃ啬Qr¥%!ÞNÞÁ:Pœ{b2¢³$¯tÿ‰#oäíQÊ–ÓÎ8Pùs*|^3°Èc“;ßøì¶TNY³‹‹Àç ù˜»râ½ÿØŠ?ÆíC‡î‘2öF"%«>XžÉ´½ì0ÕÆÈÿÐýB·:e‚çÙ$ßóI¼»À.g탠_ÒÍgì¹vOŠ',ödÓK…šâG+£ŠÀ·à ll³ââv]î­¡Æ­De‹—˜”[û:ìà¨4Œ9òàâ¡£é‰(*Ñ›Zˆ…q¾¥ÑÑKMM{X…©B9yã÷´ä‘TÍF|r†£ïÚ8ÉÛ	
+I:u»X	…ç¹
{â+Àz  §ÑgØ9LFA¹N~%N’¥Ï|FúÿVº3N"¾13Á_EéLAfR¨8ÍR;õÛ)øó/µN?c³Yœäù©}®
+{RE†Á
i!÷ò×MwÑin¬ÑÖÿ¶Æendstream
+endobj
+1511 0 obj <<
+/Type /Page
+/Contents 1512 0 R
+/Resources 1510 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1501 0 R
+>> endobj
+1513 0 obj <<
+/D [1511 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1510 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1516 0 obj <<
+/Length 3204      
+/Filter /FlateDecode
+>>
+stream
+xÚµZYsã6~÷¯Ð[誂“Ç£3ñLœÊØS{$y %Êb"‘
+IÙñþúíF)RÔd'[.[@èãC£qˆ‡?13!™Ì¢D3Ã…™-¶|öuï/„ã™{¦y—뛇‹¯ß©h–°$”áìaÕé+f<ŽÅìaùs2É.¡¼½»}wóþ§û«ËH7w·—sixðîæ‡k¢Þß_}øpu9±ÁÛï®>>\ßSUèúøææö[*Iès¢Óûëw×÷×·o¯/}øþâú¡Õ¥«¯à
+ùãâç_ùl	jÁ™Jb3{œ‰$‘³í…6Š­”/Ù\|ºø±í°Sk›ŽÙO˘™0
+,#•ˆNKCpÖ‘‘`‘GƒÎcÁÂ0"LÀÀa·Ñ¢ã!9K ›Yd*©¬KÖyÑ ]¾~æ0f‘–882=¬30¥A^äMžnèG5D”+üÊ ºqP–®´H·™g¬ž³ªv]¸o½Ëù/œËlIû:/ž¨£”J~‘R[ùì¯ÿ”E†%ÅÁæB°Äi%üÇ:+-	’5q£:ºI«¦&z¿{„4AÞ¸‚:«Úv5I¬¼¡ªÛë\Lì/ÜÝ¿^Á¨îªx¥â´¨_,Ò¹WC¥¹ëÝOàü†°CáKÞ¬Ëý(Ü-8udî6ùƒ”Ò÷ŠJóm·ô`Wë¾ÖnÈîaœ*o^©¼Îž96*~ÌÆ"AC’§
+-˜»5~UpûÏoï>\ÝÜ2*&Ï"µ,3ÇRàì´mv;t’èe¬³Âa…âÊþ´¶ÔÛX{m–4çlïHæ&fI’è#ÏtECŒ¦˜Ø…ð9­òÒ¦7È׺ɶ5Õ,Ó&}DC6$õ~±vÍHSQ-žHýγ瑱åz¦M´©Kú–¨¨•p»>(ù={}¡iy~
ýîÓØÐLkãý×â‘>õkQ¯Û#ÈJsß¾‡¨«Â%õ­ÑqHhXŸ³M¹ÛÒ†	jìhð}»NËæNhÈBR*ýáê–ÚíÈLM¹(7Tµèæ?¶§‚Xi6@Á6_B¸ˆ8FgÁ¿iï5è"b&…b·ÝÄnÓb,Ûò©L·˜*fáÐþîMûö»«»1(ÓQv'ˇza}.`‘ˆã0„õU¢¦U7°+Øš ÑÉõà`v0b¢
+aÉUÆ’Ó¼Ëuz¥i¹lŽŒ!þÏWƒôA@¸¢ãäè-×Èð=䊘	)û÷¹U—Y½¨ò›È‡æM"Æ¥ö¾:Vâhd*Ö~Î·ÖsÜ(v˜JÜ<ÿ‡ý’Ê‹ƒrˆiÕ s3hyÆñ-×A†½fn-Ø”f
+]5
¶×Ø<×ÁOì³jk’q¥“éÁ[®‘ÑûX|ˆPõ‡ÿ;ÁÖ*qŒ5H(T›yŒaM1Š¨§ç$Öÿ‡ý~>ÖtÂ"-ä´é[®3‚{›Æì%´ÔêÖ:\Xó\Gn‚½Ñn2dIÇÓã·\#ôÓR˜_!}	þv¸9=Ž$‹¢0<‰8ðl _êê0¸–ÿŒÒÃ~?qQ‚;Ã3Öo¹Î	2èmq2ÒÌ@ œF\—ë4âZ®ƒ§š*-êUV
Ç!fzü–kD€â0»%ø;×ÕãøJ´uq°ñŒNzªN!ÎóŸQzØïç#.Œ˜VIë·\çô68­!> endobj
 1518 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.7975 683.3704 379.4695 695.4301]
+/Rect [251.8681 599.6322 347.399 612.3694]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1519 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [308.6055 653.1199 377.2775 665.1795]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1520 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [294.1999 622.8694 362.8719 634.929]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
 1521 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [303.0862 592.6189 371.7582 604.6785]
+/Rect [284.2769 360.3945 352.9489 372.4541]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1522 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [332.9347 562.3684 401.6067 574.428]
+/Rect [282.0654 330.5066 350.7374 342.5662]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1523 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [301.97 532.1179 370.642 544.1775]
+/Rect [311.9531 300.6187 380.6251 312.6783]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1524 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [231.137 375.2504 299.809 387.31]
+/Rect [299.7586 270.7307 368.4306 282.7904]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1525 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [143.8055 314.9088 239.3365 326.7094]
+/Rect [292.0084 240.8428 360.6804 252.9024]
 /Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1526 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [324.1075 61.5153 397.7608 73.5749]
+/Rect [330.7921 210.9549 399.4641 223.0145]
 /Subtype /Link
-/A << /S /GoTo /D (server_resource_limits) >>
+/A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1516 0 obj <<
-/D [1514 0 R /XYZ 56.6929 794.5015 null]
+1527 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [401.5962 181.067 470.2682 193.1266]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
 >> endobj
-1513 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F48 975 0 R /F41 959 0 R >>
+1517 0 obj <<
+/D [1515 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+482 0 obj <<
+/D [1515 0 R /XYZ 56.6929 560.3013 null]
+>> endobj
+1519 0 obj <<
+/D [1515 0 R /XYZ 56.6929 535.1807 null]
+>> endobj
+486 0 obj <<
+/D [1515 0 R /XYZ 56.6929 416.2201 null]
+>> endobj
+1520 0 obj <<
+/D [1515 0 R /XYZ 56.6929 391.5178 null]
+>> endobj
+1514 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1529 0 obj <<
-/Length 2710      
+1531 0 obj <<
+/Length 3163      
 /Filter /FlateDecode
 >>
 stream
-xÚµ[[sÛ¶~÷¯Ð£=¢¸_ÓÔÉqçÔ=u|žÚ>(p"K>’ìÔýõg!’A€yêL&c^>.¾]|\,@ˆÍ(üc3«NÎŒ“DQ¦f‹û3:û÷>œ±Sõ jˆúñöì‡÷ÂÌqšëÙíÝÀ–%ÔZ6»]þ~þî_oÿs{ysQqEÏ5¹¨”¦ç?^]ÿÔ^qíŸw¿^¿¿úðß›·Fžß^ýzÝ^¾¹|ysyýîò¢bV1xžw&xõïËöèÃÍÛ_~y{sñçíÏg—·Á—¡¿Œ
-ïÈÿÎ~ÿ“ΖàöÏg”gÕìœPÂœã³û3©QRˆþÊêìãÙoÁààîáÑ\ü¤²Dq©g•âÄJ!óQ¦„*ˆZe$#ÚõQæ,åå£|?ÿ«ÚoçëÝ]½½`ö¼Ú7÷uÕ¬Çî3c‰ãzðtŽI@e¨ˆfqÔؘËǺn»`ÿ¥;XֻŶyØ7›u{asç‰s†P.-P(y4¢á4ƘîÁÔia-‘ÎòÈéöæöó¬=¸¸ð÷S»­û‹££^°L3¦$•"ÌsFû! 
-DRkžI´ß	Ì0F·¦ Â
-QaÊöY³\åU¨	SÚáL*C%V!#Lønrùg*tS*x4V¡ š‹irâ”ã‘Ó¨
-;|ÁýÔîé*”Žha5ÞU ’ZCU¨¡ÛŒs…\8DM«0 ¦3ÇæqŸÈÐJ"µÒ8•€Êp‰e舔 ׈Ìw’áÐ¥1ʈcÚMÑ9¢ŒV‘Û˜{|!©ÝÓ…¨áN©#zPFbW¡b¤”	D-f:gdõÙÚi”DÀ$,bíi¢‰h|§axèÌ8:Â$˜ž„`5ð•]‡F=Û|ä(1Ì`±ï!(‘\l^MIKr Áõ(ßâz³oîž}1Ô”ÀÛ
¨LÑƘñJÔq˯£²#ÿq÷BÍ­¡Í)IÁ‹N¨Q6rUÀœMíN	‹%*çOUŠz@ˆ¤ÖP…A@(cWØ5­°€:öPµ¬WóTg’'œÀ[¨Ló‘Τ‚ÉÕqû¯©³££¦aš&UÓ	^Å…ÅRX/¸œÚT›JËJ˜ÈZ©ñàT‰Ib
—›Ô¼¸ÚŽ DlhÐKûMµÛÌS±	ˆµhÛ”6KÍÂ̳¨õשØFMè¡)gˆÔ4¼îPÅ
@•ÖÁq‡«§g5˜êk¿$€…=€
-,ƶp	`¤àI\d¢²å[|xüôµÎšðµ
-o7 2
G
-ã’XëlÜò•¶‘ý2Ù7ð×2Ð\³k¯lz½Áñ·yw±Yïëõ²^ú3u~·Ù¶—wõÔÖ¬?·çóö8¸jíñß›uÝ>å}>\
-?ÕÛæJùb~l$~@ïšÏëyåƒäß*Ïf0¿sJµý¶<Ô…µgÈ=ÃöïO×?^¾k½gÞòè ß¾ÔÞ´çöhÞkOV›ù²îîpcsßž-›ÝWrQ	ÊúÂE×ÝÛô
À;ØxïždæGÒÞ1Ú{Ô®›ô¯‚o¾=š¯»xvstw˜#Úîš±40´0îpQÓ"(OÖdzÚí¡çvûf±K³¥#Ü¿b(€Ê0ˆÔ¬üèàTLáªË†0ʲ!¼á¢vŸÛ@­¨xyã»Ótuú|Wo¡ÛÚãoÍjÕ}­ë‡î~ïó¼»Õ¬AÐ÷½„áB«o8è^*8òÑ:4dA}ÍâK{u1ïžøÔµ½|¼áDo ¬§”D¿9v:pC¤Õ}qìœÊ¿d«:Wx8"UxbY{`ûÊxÑ­GZ¡	ºÛMOh"¹-¬²QˆðzÔÁ­æsõ4_5Ëfÿ\ù¼´…³t¡Oc½ü0•áÏraª¥½ü†D^§2œt']åãÂ)t•s˜])¬òðßS»§—ˆþ„Wá½P&©5tø–P®”øŽ D~¨ï.ŸÉaÈ«Ö›e&>­	Ôm?€Rq¢bDh(í†^§LÌú1jª%+$²ž§‘ŒG®bŠëá¸Ó‰ÕèM@!ÑØN#±…ŠMM”v…–!jZn5‚ȈÎBLœ58€Ê‰dçá1âñzÉ.ïM²–,ˆ™NvnsÉcé|ÁóÔîÄg J¥Bá}P%&‰5\R-iaùeˆBô×£Æ=¶~¨åAÁÕ8ƒ€ÊPˆº]CgxLáõ¥×;2jÝøF’ï Z¥\Ǿb	¯Ç¼Ní¾@uæóÖH<þU`’ZÃUç×·+ˆîB4×5îpÕ·yÜ.2ªãÄq‰3 ”B<·€éU1‡×ÑÜ„'cÙQ"ŒB¾^ørÇùTptS]ÇÝN¬žþ’$3}Á9Œ-¡bã0zË
-Ë1CÔ´Üj¢—ª'«ëŒæ•!2®ìŒß1ùnªëü×w’p&áùlì§=C_ЯÜOíž®=A‰…’í„T ‘ØÂå§4±ŠFØ!
-‘_ò-ÎWûê””§
 2íÇ3˜øï[WÝx0)8
•ßK2É3˜ÀDpè–üz|ÁçÔîÉz󻟩t~@•ˆ$Öp½	C f¶½
PˆÞzTÒQ¹¡WùOeTá*C!Yh±ÌƾƒäòC®_iQÌâ+-R‹ÈÙÒJ‹ÇÜNížžå˜"†+‹Ç? 
-DRk¸ê¨nUª º
-Q]:ì²lÖÕ¶¾ÛÖ»/‡­½oÚ øÍ—¹Ëô~ûœbû‹éË
-·¸•ña\29ïhäÄA¶Ìu²õ‘lý…Ì@
-M*ÿéyØ"6öøÅÔn$1Ofr1OA!¦ÌLÐ`TIj
ÿq€Œ.,æ
@ÈO3:ÐáÝþ«Ý@QÝm7÷Õ²¹ó'PÕëEî3%’Äã@)™xz¡ˆ¤<"sŠÐªŠÐ2Š¿“Ío~g;”$aÓTɧt‚A™Ä&ÆHÚ‡ÐùEÇXtè}Úrå7²3
Æ°n œEb«Õ`¥•<ÿƒ*z½Ù‡>™ïÛNÉon¨Ì’9;$ùÁ¦™:#Þbˆ5o»ÂÃúb(˜Ž%u0=~ëÊÒÏícÒb7OÅæ9Ùÿ1Œ‰„ù$.9 fDC)ÂBò¡ìOEagÐ,³~ØíæXº²©mC³›[jR¤›¸¾#±,CœIÏ«²I¤ÐS"FÚÎããÊ>ÜõÌ
øs§ãZs7gôËÃá±JüŽÀŠÆç= ™ŽfyeôÆ‚ã8Ëú¨Ë,¨ó½”Õv“·®e	&²¸ü€šQ`èDÊ¡oɵ¾#áB{!)/2Ž28mXJ¦FðFOÇýlƱ”#	›8>ûµ Èt´8ã2ãúüZaœGW
+¼nñx,»×)å(âØQjFƒ!å¤>ØåP…·¤ÜÀ1ç0„<$Â9* ü€À oDŒs¿`õtÜ¿À9†8">ýµ Èt´8ç Üà"[òr=T„su^ª¶|¨ÊúqÂ8ÆcpFÅÔŒü!ã0øs¥†
+ü=Æ©ãzfŒdsŠ¤Rê2߈ÉÐÒß<~Áæ鸟ªªBâsïAKjŒÇŠ’-S° „-8¸>ê2ÙÊċűIê&i›<éºjêàRX%,ã
+ÔŒCºeH
+Š‡*¼
ÝfN"ÊhÄ¿ÐIª©QÿæðFOÇý|Sà“%‹Ï~@-)2-N9	¶àßú¨åÍ9:
+¡H\€šÑ`ìè(|
ÞÆÏÍØ1ös‰H¶J)Ý Ðë›õs¿`ótÜ¿àç TpF'? –™Œg\
+é½ „;ƒ"|s -Cþ·Å´ Âà„œ>&6€¦r,#
+IŽÉ@ð§C±)w¯×:çs…/ªLqÐ6ÅÌß  íolëƒCZ]–ÒOº,e m×u$×\ýúõ€ºü*Óõ½ÛvçWvMU5/ƒ¦\O0<ãŒøZžLæؽP8ÓR×Ð˵֞[ŒÓ!ñ9LOa*nf­s×™Û?UÙvöÉÌ^žÊ®hù¦H¶EUîK÷ªX{)­¶˜g1tüœ¦äèÇé²-ê®LlQÐë=¨	ê—uÍ’(áœ<œÊ4ÃB~ã¥j×[ۖׯö¡==´Åo'c-ÎÚoòÖ¬±éOº,éÕhâê¸î³6°
+ÃçxÖµ(3ÈퟗüÕ>´š¸z6ÎK6coy–œùr·*Q™Ýf)Ãçb¯þዽpv÷<%•ú:îLJê*ì2Øõ•úo0²úò¯[û\ç]ù»_ÖɾØ7ÇWûÓÎÂ6y¨r:ûÓkê,CzaXPšñ&kXSx9¾¶lÊÕ:ÏëO{—?»I,èìl}„é5œ­Ï«“©˜Sz¦Šî84­Nã
+ÛUîlk¾Ý–Úµç•mï;¶Þa"Žn´']¯7ÍEQÛ6È
+ŸÍn‚VàIc[Ãbë¶8Âûúóù¤ƒ×Ÿšý,ÇÚ\ÒC¼Ð³í…'ݦ:m=_ÊîiL®Rûª‡Óù°‚gûP7ÒÐçôë?Ø
õ.ž9T(xXrz ËgŽ7YÂ
+&'fàR‰
+
 ©ÔÁ‰îYêïX}±oל•ŸäëˆòXõ§ˆA„ß·/V|÷𸥓Q??˜!áLÅç;€âZLÆŠF2”I$Ó,[ Uá•G™µ)ªâ1צ'M]ÍTA9RàFå{ÐŒüøþJ™Ž°>]q}BÒüQ?gk£Ši͇ª´'wG·ßÊД‘Ӄ}rŸÉÆÄúvçz‡‡¦g¡=3ì¿¾íÜ'Mˆs	’o‘r®ù¥ž~›—Xøæ&¦±279$5NVP±jšg8u¬Þíô×`~F˜b<Ü€ùN_œHˆ¾Xp|5	
Ømn‘NŒÓÖAçcÑuᕺ±yݾØ`GG—‚ëÄ£šŸô—3|²13澉Ÿ…—æT9ù¹NÂœN¶¥nŽ{Ãé&?ƶƶyoDA©äl˜šAÐTl/o}™„Q±°z¨Èð¨ÞÐó;Þ“°RQÑ4#zxߪw@_ö6oÂ.ûun êœÜ@ú¯1¡†¨Â–o°b†ºÅæ«úIÚÍ]ý³õõ"ýÃ̶î­ó}a›4z]ðpw•»@Xc«æÑöüœfé¯Íé)!Ö¶àaBAî]2÷„±a´
P‚)¹>mºñÖ~Ýd¶Ñ¹¯…ç­Ó&ùÓ‡¢vćŸ?Â\<‰uq‚x¦p¸Dæö•k8Ù_ëj1Ø4bæ'Λ‡]ÚqÖ’Ë[†
+$„XøÔGE6G
vM·?$n:'ß¼õÝJ² D@Íh1˜6–!ˆ%Gj„íc½s"õ¶Ùœú—ôš^Rë“þóuU©88]ß"n/AÕå™NÊïèõQ‘™ö(Ã"GÜI}B|Æx\p@ÍHú&ŠÉÔPô;uH¿$é•çdØT_¶ö§åã-`
¥¥‰EÌ_wàn‹ZçpiæD‰‡£š3G¿î{5Ý/É0E!ë„À¡Ôp^ÚÆÔb¡ù
+S¢pÊ&Õ:
+}NÖ¸²_?sÓyí&ðõ-Ÿ˜ó"&çlù^/Aê|Þk/83–Bà}éÒ=Ûœ4ý¼§£R’3§/,]/´JiÅ%k®úOUÿ?q‘Žendstream
 endobj
-1528 0 obj <<
+1530 0 obj <<
 /Type /Page
-/Contents 1529 0 R
-/Resources 1527 0 R
+/Contents 1531 0 R
+/Resources 1529 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
-/Annots [ 1531 0 R 1532 0 R 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R 1543 0 R 1544 0 R 1545 0 R 1546 0 R 1547 0 R 1548 0 R 1549 0 R 1550 0 R ]
->> endobj
-1531 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 737.8524 456.1739 749.912]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1532 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 707.9231 450.6349 719.9827]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Parent 1501 0 R
+/Annots [ 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R ]
 >> endobj
 1533 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 677.9937 467.2523 690.0533]
+/Rect [286.0435 713.6209 354.7155 725.6806]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1534 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 648.0643 461.7132 660.124]
+/Rect [339.144 683.3704 407.816 695.4301]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1535 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 618.135 323.7516 630.1946]
+/Rect [336.952 653.1199 405.624 665.1795]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1536 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [311.5276 588.2056 385.1809 600.2653]
+/Rect [322.5463 622.8694 391.2183 634.929]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1537 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [315.9507 558.2763 384.6227 570.3359]
+/Rect [331.4327 592.6189 400.1047 604.6785]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1538 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.2254 432.6227 454.8788 444.6824]
+/Rect [361.2812 562.3684 429.9532 574.428]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1539 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.4163 402.6934 436.0696 414.753]
+/Rect [330.3165 532.1179 398.9885 544.1775]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1540 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [402.2465 372.764 475.8998 384.8236]
+/Rect [259.4835 375.2504 328.1555 387.31]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1541 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [348.0303 342.8347 421.6837 354.8943]
+/Rect [172.152 314.9088 267.6829 326.7094]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
 1542 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [335.4973 312.9053 404.1693 324.9649]
+/Rect [352.4539 61.5153 426.1073 73.5749]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (server_resource_limits) >>
 >> endobj
-1543 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [363.1733 282.9759 431.8453 295.0356]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1532 0 obj <<
+/D [1530 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1544 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [365.365 253.0466 434.037 265.1062]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1529 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1545 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.041 223.1172 461.713 235.1769]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1546 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [402.9837 193.1879 471.6557 205.2475]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Length 2705      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[Msã6½ûWèhW
|'ϬSgãñž’8ía,y%Ùç×oC$!‚ rE®ÔÄùØx~l4 ˆÍ(üÇfJí¸›'‰¢LÍægtv÷>±St ¢úñöì‡ÂÌqšëÙí]Ï–%ÔZ6»]ü~®	'`žøõúãÕ§ÿÞ¼¿0òüöê×ë‹‚+zþñêß—MëÓÍû_~ysQ0«Øù‡½ÿÏíåMsK·6~¼ºþ©¹âš?Fo.?^Þ\^¸¼øóöç³ËÛàKß_F…wäg¿ÿIgpûç3J„³jö>Pœ㳇3©QRˆîÊòìóÙoÁ`ïîþѱñ“ÊÅ¥†‘äÄJ!ÇG™Ã€ŒdD+¿n”9ååGù¡ü«ØmÊÕö®Ú\0{^ìꇪ¨WC÷™¢DÙY¿‡„G‹¡!z4˜RDi&bŸ«ª	ÀîkÛXTÛù¦~ÜÕëUsa}çI
œr†P.-Èy3 á4ƘöÁÔa¡!jŠÅ.777÷³¦qÓs>à3î§v÷çG½ò™&fHIrM¬`B@eˆ¤Ö<’è¾ünMF=¢À5³z±U 4Ä2ªp&5B%V!'Æù0ô¹¼‘
+{
U(ˆ¦–O«PI¢7‘Ó˜
+;|ÆýÔî+TÈwœãq¨‘ÔªBm¡á\&öQÓ*¨é̱~Ú¥‰PÆéÔ—H†šÁlrȼe2l]ò Œ8¦Ý´
ÄIÐØmLˆ>3©Ýã…(qÔeDP"©5\ˆÐÈ%Ãaƒ™N£DH‡’˜„Eœ-‚F4þ™øšÇÅç´-©XÁ`±ž»è<Ü€Q¿_!9Uƒ]§G>`PCK¸Ø I:Isrë¡Áu(ßãj½«ï^†ÝZI„¶ï¶tÛ÷Ó:"”½ûÝžFbòÃèB…¥µšÔç¦xÃûÔI|Æ×Ôî”°XB	V’Z‡y@åˆ$ÖPy)Ç	eLàò꣦åP‡‹jY&"cŒ[¼÷€é>JdÌ…lÜÿiæÑ¡ƒ®}
+uTO«
ÞfŒŒÅÔÖá3.§v'Õ¦Ò²RAíu':ø•a’ZÃå¦h\m"¶Ô‹Òn]l×e*6I,•í;€ÒÎc©9b¬2Qï'UÚÁ‡A×°tÔ”3Dj0©ô@•ÖÂq‡«Gg5/ÿ†#ƒÞBp;¸º`b…ÅÎÈ«‡BôÕ¡|O_¾UIsŒ-¼×3Òé`CBùž¨Ó+?ÂFvÛWвïà¯e ´zÛ\Yw"ƒö÷²½X¯vÕjQ-ü'u~·Þ4—·Õ$V¯î›Ïeó|[Öó¦ý÷zU5Oyw÷—ÂãÏÕ¦þƒR>/]‚®÷èm}¿*?>~ÓŽ°þ"N©&d»§}%Xy†Ü3lþþtýùó処ímì9ó†GýþµjÁðz½4­²1Ö|X®ËE÷ÜÝþÆú¡ù´¨·ßÈE+Œná¢kï­»àÅkÞÁ»—™ò@Ú;F;šÍ’Nÿ¾û¦U®Ú<»>¸ÛOM¸&õ+
Ì'ć귚Öo@y²~<‹í"·ÝÕóm’"9%V3ƒ¨Q’äÊïWÆ®Úù®'{¢¹èàK3ÎCc°2¼Ã¼óÑ4íx:}¾­6µ¦ý½^.›Ö·ªzlïw.—í­zz~èyC£}§ åkß‘ñÕó¯ÍÕyÙ>ñ¥í{ñôðºÛk²–R6Ðüúý4ûC½(m(T±)ü;¶¬ÆŠ
G¤
+O,*lÞ¯¹Õ@jah‚ì¶ÓºšH¨)2ºë¡Ýu¨½[õ}ñ\.ëE½{)|ZÚÀ§±Í=)½ú05Âc¸¹'áJÄã4‹ŽIoÒ=.`)0½±'`Ù*é{‚nìµøŒë©Ýã«B	/­)t Ä:iK
+(—Ëy"½ÔÅÊ'q˜íŠÕzQ¥9OXB…áhÿ”ˆ4'Ô¾VENSŽú1\gCØ…Döï„"TkÖw“[ÇN¬¾Blð„áÚ¡c@8Ä*6a ÒÒ.³›ÒGMË- †qꊇÑ)˜Îç8€!o s˜…Ž™œ^w±?Éî± F!{Ç°°rZD£{Ç->ã{j÷ò“ðˆ2B@e˜¤Öp\KšÙpé£v¨aÄv/Ušð |“’ãj„Bvxû-W*æpzíužº7¾S†¤<¨Uµ…Š¬ï&»Ÿq;µûŠljÔᨓÄ.;¿¥ÍXFu"º´/qû»üÛõÓfžÊŽK¢ŒÁPJ!^Y8xÕb
+§‘Ü„#CÕQ"ŒB
+;jý·¬ï+&ºŽ{X=ú+‹}’ä°dÀÆ>€2,†¶P¹q Ë2;1}Ô´àj"Pų+î$S5BdXÞ	Èë‘7Ó]ëΰƓ„3!ÑÏrÁ"3EÞŸñ=µ{üf”E¹ÂƒP"©5\€ «xfší£v(ßc¹ÜǤ=©Š1…	¨&±%Ô¶ÜÆTN³ªEjPAr`ů–˜´‘Ϩ[|ÆûÔî+4(!†Ràa¨‘Ô®A®‰ã¹í¼>
+Ñ`‡BB6–›£
+çP#dFŽؘ͛Êp<6§xæÔ@Ÿè1¨Í
@j÷µÇ‰€ÊI­¡JdPNd¦ã>jZ‰å{|ÚVűÑ‹‡ÃØ¡dj„M¼öÉRX#GtN3)gœJÀ’0f5²ÑÀ<9Ž.[|fR»Ç‹Q‚|˜ÀCÑ24[¸5µ–™o€û(D‰ª÷ýé„ö s½w ‘ÞãE?ˆ»?å±–i­iN,Ó—¹`NØÈQì[àŸñ9µ{üD9‰JàcP"©5\m¨šmFm=¢¶•jtB¡@84B ÙjJÄÞ@pãs­ßjQÌà[-ÎÙÈ×ÜV‹ÇgÜNí¯9k`vtþ€ÊI¬áš£†pªTFs=¢¹µ?VY¯ŠMu·©¶_÷Çyß5ƒàO[Ž]Þ£w›—Û]L«&F4¼T¸5âC\+i¢¬1±{Ù2×ÊÖ7"Ùú©Ä¤?)­™ˆ!øÅÔn$1Ofr7ÏÕà¾fÀãÝ¡2LRkø2dtf7¯B~ŽÑ‚öïö_Íù‰ân³~(õÿõOµš}•Á	5°¸PJ&^W@RRJGlöJ‚»QŠÐ2VŠ¿3šàüqvuøö5çSº²€¥&v°N²¾Û袅ãXtè]:få®[æ…„!€p‰­Fƒ…VòüªèõzBRŒn€ù3ÿ5NÿÌÌÁˆÏ‡Ÿ°Ê{(·;¨ÅGŽüŠÁŸ±jב«Åˆ%æ"‡cæÛeù> endobj
 1547 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.374 163.2585 389.046 175.3182]
+/Rect [359.1555 737.8524 427.8275 749.912]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1548 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [348.05 133.3292 416.722 145.3888]
+/Rect [353.6164 707.9231 422.2884 719.9827]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1549 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [488.512 103.3998 561.5676 115.4595]
+/Rect [370.2338 677.9937 438.9058 690.0533]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1550 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [397.3443 73.4705 467.1586 85.5301]
+/Rect [364.6948 648.0643 433.3668 660.124]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1551 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [226.7331 618.135 295.4051 630.1946]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1530 0 obj <<
-/D [1528 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1527 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
+1552 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [283.1811 588.2056 356.8344 600.2653]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1553 0 obj <<
-/Length 3374      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñÝ¿B“—Ê3 	ì½Ô¹ø.N_j;ÓéÜå&i‰=ŠÔ‰”¥íï.v~ˆ’ÝiæÆGp±Xì7vA‰™ÿÄL†N{ñ,ŠGºBÎÒõ™;[Â܇3Á8ƒ´èc}{öæ½Íb'½pvÿØ£¥W)1»Ï>ÍCÇs΂;÷ñæýõ‡_n/Ï£`~ýñæ|áIwþþú¯W4úp{ùÓO—·ç¡¤˜¿ûþòçû«[š
-™Æ·×7ß$¦Ç¢·Wï¯n¯nÞ]ÿzÿÃÙÕ½•¥/¯p}äëÙ§_ÝYbÿpæ:~¬äì^\Gı7[ŸÒwdàûRžÝýÍìÍê¥Sú¤r¤„ IßQ~MkY8‘€®†BY-{bJ˵ü%ß/²b›§m½Ýe"rdÌútv7H»û½Ý…ç9RJ¸ý]ž“ÞÛ²¼I·Å¦-êŠõ#²5’%Ž×p0)ÄhïÐwüHì¢Ëé¡MÁAir»œÑà¶'²ÅAæCº$sÚI‡^.Â1C>˜Û"ÿ´æ-ÖlRC6œg7ŠÜ؉üÐ{Á×zX'|Í`áŽë]Ù‹uÒ´ùöÐÕ$ðè§w·XÛ
‚ʃ3Øÿq¶±c_Ž\qÜ×Tì„Q(‚žò5ƒÿ‚ȇtøš#½-tàï´ê
ÒlÐ:éja¤%Üð´«õ±Ž»šÅÒFÒæùìº^™/ëí:i<ΗŽAâ:É„ÅšàbàqZžTÑ?È㦅q „ãFò¸ãù^ç
8H_Žgñ_üîQÇ“cž PÏ…ÌtÒëN©YçéwáPˆÌꇎTqWrx¡@!áºîü»}•¬‹”døe“%-ñçº,Ò"o&¬àBÄ…PR’å²#uÙf·ÙÔÛ¶Á79oŸk'%X¸JÚâ)'À:oWuÖÐøˆ~.·IÕçb^-	–E^µŒE>ƒm±\µ«i£M¾EÇ!`få‚—–«é£;(Ê"„KIÚù½®òR@ZWèŽËÝö\¨yžôaß9û¡ÎÁà®qê¤,ëçí>•F=G¹ñæ¤Ê¦(Æj 4	‡H-6h›É"@B™Ga×:Y’¢Ù Ï>ååþ\A~ÖÄÊ+†,$”G®Ô«ï§%Ä”'_)Ÿ.I|FNËd×€õ|7š?×Û/

µEqÐ$k3›ìi0:<Ãù†„x*êÏ<åÛdä7ô!|¢G:4¼né©ÝŠÑ– €Š†Æ¹´”Uoè ¼n³¸×ºhðÚà¹ëMRíûÚNkýÌl"UZbÕ(…¢:ÖAµU‚SVQPóxòõ^â†jl(ßÉ 'ÖÄ<Ï`(TùÔXTƒi5N] sÐâçäo
³±§é÷IêÍòåÅþü’69¯Cmás{®æ»2ïLù_Èq,çÍÒFžÈkž]Ï<¯r³)âäIºÂQ`3¸hWšw˜0®‚ðšaY^9Ã:Ghhò‘°»Ê	bŠöfÚyôÀû“–²©”¤3N1q ñHõ‰´Û¢.Ñóco~ýHäS0èR"¼X¯BDæë.oZš6›di7ôlŠ¥¶<®øìJ·Õ&&Ì1*˜P¥å.Ëy¡Õ-,%]²ßýÝõ‘-=€[¸ðŸ˜
-(„_ŒB†°›Öì3ù4áx{°K‹F­Ð'‚îV; zQçÁø‚Ù”½
!Åq;„D¯Ó(æxøìÄ»´	}jŒƒÃ´*÷^çIUTËÇ]Iïä«8AŽFGÚÚmB1ÿû*¯(ÖV®T‡ùpB4(PQ[¯–,Æš°›×`@”É"Š³<›ç¢MW:À[ͳä¤8\Y¯×Óåžçô¾:Æ(øSìBéíúC–uš”o'Dzn›Ê@ŸµñüN3Zè
-ƒ91ð§5+TOdxÑIM(­nxp"B»cáÐLeƒÊ 0žˆç^6Á›¯ãȤC8@u™ƒÒÙÔmÊGŒ`G®Á€ã/ùžÑt„Á¦LRÃw;É?õ˜\ùúž(!†áIÔ¤àOPB`{0¢Í¥g±ºJP˜sGp%·ð…¯OÍo÷ÎòÇdWêÌ&½›˜£qÁª
AC <ã ož’í›í®z£uü†•ã k‡úR:ˆ<^{Ñqªuøà{£êWËèS«úB³¥!ŸÁWµÛ-²¬jðàZy8 Ê^ˆŽHR.ë-„Ú^
¥ïº|·¸ûþÒ“!m^8ص–†î`ø””»œWØÃÉ÷òÿC™O•P‚GÛ6?v\i²,ëp\³5&DäH8É­"IN¬ÄI­Ç‰‹
ZõHþ­`&¨uŠÇØéBj†æH/ˆå”i£^‹óHr·Dc"ªŠ’H$)‰À“OI)‰†Íjµ.MÅP¶
-Œ’
åðz³-¸*”Ùz%CÉÞìü'™Ù1ažlô M³nngÕ'…q í=„4²äqb®ëd]-¹±>¶5*†ùŸšñ2‚R·?eI£&ª»þÞ&ÑV,p˜®’jÉP7i´-ç‘08Òi꨺lšÝšÚÇà<7èWzæ[•«€Þ2è5
-gò%ÝJÿy"ÕŠðáY¸¡Yü=tÃFÃŽzוíî^@UoiôŸ·Ó×Z¾ëÄ…l§ÍAÇNk¬c•I§UÓ¿	X”;HÚt%mWYsx‡ÐëÆšáMƒnU7í…¹HȺަ±V[3ÍæДÝáÉví]	È/¡„€DþGîÝ4c¦(Г.¶Š–Û`Í^ý…GÅ—¼óƒ#¶íëOÆ[þ›ÐÖ±¹©ÄQ×ëáúe»ßäôö©Òè×3ñ¢\ÑuAö¤ÃîŠ{-n¨ìAˆUÅSQæKꪤš¬R^šÐ£k±aé*áuÍ.Maº5êß/1%e·–YÑ 1.2²ÉmF\>Œ³]±†:“¬Þ@Å$
-Õ¬¦]ŠI–ŒÆäe0¨jz>î¶ìJu×3„Û•é±é3ð‚'€3ý’ ½j:æJ^õ¤à3v zÄslz“‰œF+uâ5WêßXwè%^áœEâtD}"v>²óÊ °Î LR“k2.Ìñ‘6¦BÎ٣ĬpVÛȆ+¯ƒQÇa?œÙ—ud®"¦®;bÌÄäUÇM+l7èCuªë4€™ÌTØqœÅÖZÇ‘Ôšz({Qܦ›E“—S9Q8¾'ì•õ$-Ú1iP¶Ž‹ÛKÂ\ÕÏù	Á9ò}q•%æb¶“¯’e
‰Nž8û†Üe¢î~3½Cäø>~¼ëªQ¾”fË횶gÓ—V§s?åÛqß5UÏ	Ø—Bê°bT~hR;À‚µ)	Þ_¥5:‘~µG…¬xSŠ'}¨w›zÐ{ó*_Öma2ŒFý™ÆÄŽ¸ùþpw·@ÿâNÚÜÏÀ<¢á¼éÍ&Ø:ŸôF=½äÐÔ¼‰XÎÌ·tU7“¾J‹MRÒ+}µÝ
-j™9Wï+'¦·Wƒ¯8‘Æöëá7 ìö/Xï9Y½NŠê›©žÞ…V4<»¼aä0£Ðú¦;µê8¤xQD›k„þØÒ徘
-œ@Ñè*…nEG‰Fѹ8y¯‹jzø'´¦|a[ð»›»iR!xÙ&©¾a=/áò¡_»©Èta†,OUPhwÑ?|ÙÔþ7•	゚Ô-”Ñ"´·°'”+]Çâ@¹ÃC¿±%æ,Oè¡ËÃÅ×]RN|r’®UsŽý¼Ï—Úú?C€?¶ÝÿýÓ¿îw‘“JûIO¤Àk€3…ªPÁáoi\ÇÃ_Ú²þ_%бtendstream
-endobj
-1552 0 obj <<
-/Type /Page
-/Contents 1553 0 R
-/Resources 1551 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1489 0 R
-/Annots [ 1555 0 R 1556 0 R 1557 0 R ]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [287.6042 558.2763 356.2762 570.3359]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1554 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [352.879 432.6227 426.5323 444.6824]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1555 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.1435 736.8562 354.3435 748.9158]
+/Rect [334.0699 402.6934 407.7232 414.753]
 /Subtype /Link
-/A << /S /GoTo /D (options) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1556 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [288.6803 705.9305 357.3523 717.9902]
+/Rect [373.9 372.764 447.5533 384.8236]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1557 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.5503 675.005 402.2036 687.0646]
+/Rect [319.6839 342.8347 393.3372 354.8943]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1554 0 obj <<
-/D [1552 0 R /XYZ 56.6929 794.5015 null]
+1558 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [307.1508 312.9053 375.8228 324.9649]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-482 0 obj <<
-/D [1552 0 R /XYZ 56.6929 658.3825 null]
->> endobj
-1098 0 obj <<
-/D [1552 0 R /XYZ 56.6929 632.0762 null]
->> endobj
-1551 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
+1559 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [334.8268 282.9759 403.4988 295.0356]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1560 0 obj <<
-/Length 2955      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÛrÛ8}÷WèQÞŠÜ	ì›'v²žÚ8YÇ[[[3ó@ItÌ$jLÊŽçë·
R¤D]2¶«¦\eB
—Æéƒîŀß8øòzxÍf0™ŸðÁW¨ûp"b›QÝhÔnõÓÍÉÛ÷*xæ­´ƒ›ÛV_ŽqçÄàfúËðÝ?Î>ß\\ŸŽ¤áCËNGÆòáO—Wç$ñôx÷éêýå‡_Ÿ&zxsùéŠÄ×ï/®/®Þ]œŽ„3Þ—±‡/¼¿üç•>\Ÿ}üxv}úÛÍÏ'7ÍZÚë\áB~?ùå7>˜Â²>áLygðƒ3á½ÌO´QÌh¥jÉìäËÉ¿š[µáÕ>ýå˜q2éQ T}
-4žYU¨À›»ñö½i7ÐcÂql³HçYõ´Œ
;}jÏ¡llø+ç2›MAžïÒ’
-BÑó!­²òïÔ‹í™i&¥Ò­áz†’ŠyÁëFozºÁÅ«zÒåj<-æi¾èé
-”
-(RÇvõ˜Ï¦“ô~Ú·þ„9É“£'•Ín_`iÐ,¯o:‚9Ý´;ª#\Üóöí~lF;VwXÛ#H¦eb#!˜7F†¦órW—ǬÓ;¡:³Û§˜uVÛNlOo‰`Éñ“«&ËËÉ–ÕUwiE­ó(©±ØƒHVFF²‚!S…È<¤~¥_
8±Q Ax¦ôX›Kø‰8ÂWš>QÝáIGᇜ™Êur=ÙV±L ›M*£©Œ–Å,Ÿ<õ(ØZæ¼­ZVÐx(§±Òå2Kï‘ÑîjFy1~ÈɾFBÒ/ºº‚^°©ŒV¬$è*
-‘´3ቾz·QX|EÕbåc>É`ó”òÁÂl‘Žg4F£‡Í
[•h¹Ú­Â3¥,r1˜7œöè€iá<.„=ˆk&¾},‡B{©»áØÚççAçUVí$Äी£JNïåûÎU ¢õ~
-o×û‰5´ŸX
-ºÅzÚ-ÅýDa³Ÿ(ïô°ƒ¦×~•’šÎC©wð“õœóÚ:Èe«úhÙð¿¼Úô­FFɆ@×'4<¡ü–áÁ|ó8ÿüë¢hC¦%Ž÷Øzî@x¼
-Æ	§P=Y¯5Ⳏ†°’ìJiIϼ­9ƒm7G)F£æ7c^+¦»{&à„ߟ‚ƒ
Ü)6R#MJCkÒ˜eE8nW³.a€?›‘ °MÃä€ì[öD’ev߇©È#N÷¹Ú%vrÅ¡hb›»X n¡uH
-vªâN8Õê»Ý¨‡¥bÜ¢ì°ß° â8ŠVKKå+nwe8…dÜqwÄÆ‹ØÚ2	Sa@'ŽY.³Ið%Bܤ¨¶÷ÛƒGÈ-n$K4Ð	ö÷·Þ-7žq£Ñyád–)ÃÓÈÆiYe÷yù
d":[ŽÊ$-³ÝÄܦ¼—ò^!nÖ@¹‰ç‡‚`ÎJÊéÑÞ¨Ùv|:?¬…MЃB@{φ†¸QÈí‚OçmM u$› 	{oB—8tqÛ3šõÿ£|A&3i3+cgœu²>{ ÒÚƒ¿pŠE+<¸<°g-…?”ïÊâmÇŒGg
-ž
VðG?VÀu0FÄŠ‡Ån`%ô°‚¥b1{Šƒ¶PjúPq¤f>1ªËã{ÀÚ 
fŽGJk^
-)à0Éý>ã+{Â	¦kmaôaØÒ<}+gxÊ¢gæ£Æ‚›æâ¢ø.}Ȩ4ÎÈùƒÀ"·({ÈS*ܼûL…c£[Lª¡$&+°¸Ãûëã`oE,—”惷¡¦˜Ó/òêÁ…Ëy•C@\7»üLÏt:¥ƒ½,I/B&xý.´½êM
žŸ_³³ëϧ^ÏÖ÷¡pùÙ¶«´g{¹L'Y<Åb"¼zÔyKMmÓ?8„W)4K 2¨$aÒ[qÌÍ„;?Vì¼cH,³h<Çã”ÞØ:P›éUsfm_ç6šc…ü5Ï–qkè’᪅Oca¾hpbU“4ýN©ÞÀ9¼ØÒ
t*À(øV"8ƒßÁí~?ï”Ãj×Z‚·—s98/`Mƒö²êžGí®Ãº€:Zd,7B”‚µÒ-õe…÷ò*ð­!?¾¸ÏBVÙ«–EYæãSɇHÎ(A€â³\D›È„^B&+qdjX(áô–§Âl_iiå˜Óàf´6æ™{
¨âz­/øŸ‡D™Àöp=jü*À¿on‘±yQ2°áÚzq€Œ¥K`öàMg/«úÞCáw"ð6‰–Djèº
-j"Ææ:„Êã'ªKO$¨Á„Ú‹l‚yÄ>>Zs-h²ÎÚøz ZdÕcqÿÄHñ(ÜñÖ¤¸L¼,ÓÁ9`ÒM
Òi/
7üÍâÜ£÷«£Ã(=[LCc)¾ÃgJ
-ĘåBQ¸ÙçùÕÙǪº¾.³ªì¾9î=—à$©¯·îiŠÙ}Yó;I²Ý.Á$¹çö)\¾$…‹y®q8ÎÍY®^”Ã…ã,íyow½‡Ã…‡0Sjý*,.žÉâí½ù‹Ó¸{Q?~’¯ñ=†°ž©À
n88ÿʵ¿jÛúº
(ŸÁ1†‰rðÆá¬pû¿nú}•ÎÖé"×÷–µsK—Q#R$&5ÀØà€”äß]b"ž‹á¢ 'f‘x!LëÜʳïËY>É+´,üÝÊQáú…¨SE¼ýÕo5ÀET\w˜&‡âëë/—ÞPùêK,|ùtÖˆ.ÞÅŽ‚Ëo£Hõ޶ݜz>ŒÃ8óÀ™û~‚ ›eÊ'ª@•áõ
-Ç4Ød¶¢Sk~#;»ú/>¢€z½R¨¡•‚´ZO¡Y)ˆãR\ŒÆj‘zÓÇI1<ƒÃ)FÑ
-f‰É(WY‡‡SÌâÅdåUQź˜‚ÖñËpKK’´ª²y˜˜Šù*ÎÓiýjA’i6Ëêîhy $ŒL(—>-cmY“<~÷CæÕ]¬Ùõ‰«2pp)Ñ÷E*Ôºxö÷¯ëƒ5xÎÉ~ãoH¢žn‚3›so¾”í™üÿ|£¢nendstream
-endobj
-1559 0 obj <<
-/Type /Page
-/Contents 1560 0 R
-/Resources 1558 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [337.0185 253.0466 405.6905 265.1062]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1561 0 obj <<
-/D [1559 0 R /XYZ 85.0394 794.5015 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [364.6945 223.1172 433.3665 235.1769]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1562 0 obj <<
-/D [1559 0 R /XYZ 85.0394 746.113 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [374.6372 193.1879 443.3092 205.2475]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1563 0 obj <<
-/D [1559 0 R /XYZ 85.0394 734.1579 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [292.0276 163.2585 360.6996 175.3182]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1558 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F53 1052 0 R /F41 959 0 R /F21 730 0 R /F62 1085 0 R >>
-/XObject << /Im2 1074 0 R >>
+1564 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [319.7036 133.3292 388.3756 145.3888]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1565 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [460.1655 103.3998 533.2211 115.4595]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
+>> endobj
+1566 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [368.9978 73.4705 438.8121 85.5301]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1546 0 obj <<
+/D [1544 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1543 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1567 0 obj <<
-/Length 2931      
+1569 0 obj <<
+/Length 3375      
 /Filter /FlateDecode
 >>
 stream
-xÚÍÙrã6òÝ_¡GºjÄÅEØ7ÇGÆÙÄ™••ÚÚMò@Q°Í
-EjEÊçë·nP”¬#Ù™©ÌL•	4@£/t7ÄGþóQ’Æ©f”'Œ'£bqÆF0öí'œq@±¾™žýíFf#›T¤£éÃ`-3­ùh:ÿ9JcŸÃ
-,úÏw×çc‘°èæö{hq©]¾¿ø0½žà@J¨ßÜÞ]!ÄàçòÇ»›Ûoš\œg*šÞþx‡àÉõÍõäúîòúü×éwg×Óžäá±8“ŽÞÿžýü+Íátß±XŒ^ ÃbnŒ-ÎT"ãDI ÕÙýÙ?û£~ê^6q™Š=|rŸ§†Ÿê|aß᩺'‹Õ¹ŽÖ•m±—¯Î¹Žh¨x²ÅovŽ‡f…
›OÔúX¶]Y?†…ÜÌ¢ñ_šÔ½.mìøÔñW±T@:ÇFcI¥Y1ljÚý¦¬ìf*M’„©’ÅiÆM/{N“§ç†E°%¦y 	Ú¶Y¯
-z@ã<œ·&Jÿõdk¢¹ÁïO-M˜>Ù2ä0Ð!TlWžŽéS	kÊÄD0GEW65ðZê4ª«¶zEŒY³òæÅqW&:zÀþÇ'7—µR´ÈܶŪœÙG¼ünÑÔ…]vu'vÀ»xp·rAØ“€Æ/,a“	üå4øGu‡C–£ÙË*/k·7Ñ‹ç•ä’tÁÁJ[·v¦LÝ—µß H-LX®gUYäŽ98â)†/áÈB#Ÿí*¯^Û\b2¡­žògZ~fAåÜÖ]ùcÂîDøƒôò.ËÊ.9èwYïÆÕÝ}Ü+@Ð…-ûÈ«¶	“‹j=w'
-»¥'T”|ï5v¿jžT¶8-!6‹ÜÑíÚζ]+ò Å±œPš¹u²Ñ2ºFÁ[Où6zk;\ÐËxö-•hYƒkXäAß…Ó2¬¾È_±1#l»Xv¯çœó(Þ'Ÿ©WÅishøÍá»gsņ›#ZÞ¶MQæ^¬®ÿRvO4‚Ÿe¾êÊbílÒ÷‰oÐò*kÍbÙ´a°ka&¬‹=PBw'Å{,†¬Ìº]˜!R^h ØÐR9¼6H|ë†mùX{ayM ¯ÄÉÚù:òÙDKâ—]={ØcöJ¸¤)ÎSÁèªõbS=‡«¬	ôƒY¬ö	̱ÓùR†ÎG.ZÈ‚ô<¬ê.Vwÿð,j›]ƒ™‹uÕ•`—õ¼ÄXÚÕ¢ìÐb¡‹7’#nÙ•‹òwÒ¹^9¶´Yi?æÎîßí;IðûíÒåÃkðyGÆŽŸ¡ú¸~móÕŒ‘Øž‘Iw«2x'ÄUÛÅ({kw
-p`±æ@Nä*sW;®Gؘb<œð6x»®;ï½-ˆa>(1Oc.ßФ“XeéIo‚’€tŠA;M·é +g¸©bYÚ÷GùÐOlÿfÕƒ\PoÊtl´ÒÇÙÐc"äÍjŽô‡c%D,7cÜ’"ÛøE“9çTƒƒß‰qòa¨Ê6„ÓëÃ…-=K²Xq„Èý48fÃÅJ)@ÙŽæ)o–3s5Mb`—:ÁUÍ ¯	nâóóq
-3£Ç=“F¶. qúi’ˆ§ãYÙáÀs^­-6É‚÷Ï!ºÁ¡€ã—v8Þ*†C(“±71-‘Q[Þ×l¶³™#‚pàÓ¸º”Êb-ØŸ‘}˜qXPàL¸§Ôße@ºœé÷ §Ä0RùØY.ìîI«ò™€ž×Yàu–€ªÇÁ”ȼ¸ª9‚0Ç®$p•?z£sxõaq­ëÒ{@‰Ñ©û¶ ­zî¯|;—„¶\•‹|UºÌu×>Às­A¶ÂùDgOpGu“RHó Ž¶ØÄP*Aüg¡k’7×}j^\ƒEUãC ÔG§¸HX·ÆÆÌî‹Uü¶ói<4C—SRÀÒ>5ëj¾Ì˶È)2=¦Ômù4
ü¢ÞG‹Lœò>LCô£PrE	¨µTŠÜº=p?fã~tï~ÌNvåÆrÀˆ»éš¢©ò/œ¾íQâ>G ì±íò:xž}¸ìa‰
Yñ¹ÜЗXjb™Bz|TbRCªË¨44¹Âzœûsá
-©¢,Q‹}I!@çy—ƒ)f,Ù`bšˆmŸŒiNU	š€-Ÿ~Á¯×r’P9ps,¬sŒt±{
ÂJŸMøôíˆð\ù\ÂÛ”ÿŠŽ»e \pä1˶k™oâfñ°ÒR8úy¬uÂ×4¥;}B5Í>{hªªyéË‘¡Rãk)Ò–ÑŽd
”÷ñȾŠì‘žV0Jp	å­Ó#ìÐõ¹—N“äO,ffŸ?–hq‚}©Š“ VÀ±T€êf!²»7òz«ñ­‚“+‚ï,€Hþv¢›fýà†Ü]óqsÿPÁ–«÷Y^ae=/)á¡Jj"|=Ìñ¥A„ºa"†I®Løƒhë°‡ƒ¶¨wG}·¿~JõËái€•È$hx&Á—Òh_£¼þ¸´äCx–Wê¦JQ7ዺ	
¡‡us ôOS¤/T	.c®²^Y§ÚW¾¹¿úl[h}ß„÷‘Hºè”Ã@€‹f9¾¨P1vìü
Ç´áømÛõ«ÃRïkv°Œæ©[0g™!ûÒÃ$‘<ºØ¶k¶¥þ©Ê¾t¼Ëö†Ìü –\ãò€üÏ凿—¹61˜erœËpÈF)廼žœC.?õ¹‹Þ7Uÿø’âDz¶°«Žž[:{â†næ‚¥èÃÌRýWóxšÄ.äÌÕ®>Œï—w?\“RáÛvbéZ_·ÝÔeáypª–fT§ˆwë®$T•¹w.ZmqPJBqú|еÕ†çûŠ“dI‚ê„ 2‰F~õþòö
-œÝ÷a#ªpA¦ƒÏ_¼¯]<¼ú$Éè¥Ö5a‰Ø*ªÒº§F?ƒ>«ú‰îYõ º>ªq¢þƒq¢ÊÀ–Ý€)_qÕ@Ö’:!:)c	/ŠŽL(•ŸØe•XWÊ¢üÖ¯³Íc´É| µ)…Ï€¯Ý®çŸlwf@PwPjþé؈¨jÿ«id´^¾óaBd}pùàÄgü`zsõÊä{5Îq:Ö‡‡o׳û|`h00ÜSÜìÏÊd œAä±Ì}…€«œŽÆœÉ	5'< §
-ˆ»?I‚ñ¼Å1Ü!8).ÈÙ÷’ÿ°ó”CNkô‘SÊ-RÈs*÷@k¾ârkj €LN¸%IJHRíû\ÿd-
‹î;ªR;þ+ÿÃ÷Áaû7KéCoãH­7³Ü"¯aþÞÔ_3>¬ç'Ü“GR‚>­Š±8©ËVU,¡÷½(³QPÄOþmáæ÷• :RÊd©']"k¡èôÍOïÚ€øÿÓË«endstream
+xÚ­]sã¶ñݿ“—Ê3 	ì½Ô¹ø.—»Ôv¦ÓIò@‹´ÄE*"eÇiûß»‹]€¤DÉ—I's!°X,ö»Õ¹„ÿÔ¹ÑB†itž¤‘ÐRéóÅúLž/aíÝ™bœ¹Cš±¾¼;{õ6LÎS‘ÆA|~÷0 e„4Fßå?ÍÞ|}õÃÝõÍÅ<Ðr‹‹¹ŽåìË÷¾"HJŸ7?¼}ÿîÇ›«‹$šÝ½ÿøÀ7×o¯o®?¼¹¾˜+£ì˜Â‘
oßwM£w7WßusñËÝ7g×w^–¡¼J†(ȯg?ý"Ïsû›3)ÂÔèó'˜H¡Ò48_ŸE::
+C©ÎnÏþî	VíÖ)ýEÚDñùM˜&ÓZ–BjÐÚ<‰¤ˆce¼–5¥e‡…ZþT<Ïór[,ºfû¼/³Š´H9Ø2u¼Çš8?œ¯´©„Õ·EAzïV<È‹v±-7]ÙÔh±=iÒDÈ 2À¤{gÇ¡•0vYïKˆLŒ$¥Åíòœ7™=þ2Ò%™½tèš*>`È(§%'Uï±^b〲!|œ)‘©HBàú´·
°Nx›ÃÂ×»ª+çë¬íŠí¡³…"6Æœ>ÝcM?r¶Èˆ8‘j|þŸs¶”Ýg_Š}_SBER÷5Yv8åjŒþ‚ÀT8šP‡®‰Dú´â=ÖK|P;éjqb„Q2>íjC¬ã®æ±¬‘¬y~–2¨ŠùC³]gÝÇAVˆƒÐœfÂcMp1ò¸ zÔñô>CQ
+­_2€Çz‘CjÞóö”;#(GTWVmRª8ÏÀˆj)åì«ç:[—’áÇMžulÁšª\”E;ay>bÅš2,—+QlËø´»Í¦Ùv-Îô¬{jœU`Þ:ëÊÇ‚ë¢[5yKpû]n³º+/Ô¬^`Q•EÝ19¶årÕ1¬¡ƒ6Ž†€¹—&;+W;DvP2”E)‘jMÚù½©‹KRÀ¢©Ñ—»í…2³"'èýsïé‡:{€HçÑYU5Os:}*‡ÂÈȹrVçSS¾1‘šoÐ6“€Òc76þX’¢Ý Ï>Õó…RŠü¬‰…WªSÐ…i"µÝ~7-"&<ý™Ú‚$däE•íZ0_(“ÙS³ýÔÒКm¶v«Ù3
2Æ0‡o<Ûe³ã•ÇbÛ‚§­Ë¶õo	¾»AÔdõóPÝ‹Æ~sŸÇHµ•Ge½—@Ñ…÷Pk•è”U -Çþ|7‘±Ù·”ïdPH
kbžW0êbj,k„Aˆt§©Ѐ9hóÓ
+²·…ùà³ô‡$íaE†
+ÒpvEÛ‚÷¡¶ð»½0³]Uô&JB°‘‰Jä8Õ³vy£X”Èk‘_’Ï<­
+w(âÙb…£ÈfpÙ­,ï°à\á
Ãò¢.†õŽÐÒâav]Äz"íÍ4¬óèžÏ'-åS9ɦœ$aâ8@â‰h	,ve\¢ç§Áìý-OÁ Ï‰0ñ^„ˆÌ¯»¢íhØl³¥#ÜÒ·-—Öò¸ãg©egML˜dL4+ ^T»¼à^·°q/ë’ýînß¿ãÙÒx„„ÿ©©€Bøå^È°žÇÁæ—-ûL~‘q¼Ýûz¥C£ÖèAwcn½¤÷`œ`:eoC@Lq'Ç®BàEÉç‡i)w?üNöâ}^O”½6öƒÛ´®ž	¼.²º¬—»Šæ䫸@¥½EGÚÖmb5ûǪ¨)Ö–P›æÃ	ÑbìDþÀ=•†ÚÝSmÈk0:QLþf—ì[X¸¤ )÷02šö7uÆõ‹-e¦-MIlsÌ2´ŒR¦égßk
+ÌiömdÃA÷i1„Ê=1ÁX‰ÙPí$Óy]Hƒ~ŽÃ¤I:ÁW8—HÂYñ[†®ÞœÓCØ"?,£)çƒ×åýŽ†Š£EAhYž³\-!”|FÝtìRA(R|&e8ÚTªc¾ñÞm$Û_’ý¥Sæ ñŶa£aÏÍme»»§	¨ê5þûzú]+”"…,ä;m~	:v[ck\:­ÛáKÀ¼š8A‡Ð¦í#¸ÎÛÃ7„A7ÖŽ_¬p«¦í.ÝCBÞ÷6­·Úši¶‡¦ì/O¶ëàHA~‰5ü(ò?rïfsEí˜l±UvÜ[öšO<*?½±íP×x3Øò?ô¶ŽÍMÝ Žú^gè—Ýó¦ ÙO=F¿ŒàˆØº…àšžâx }÷OØkqCåŸb|¨*˪XRW¥Íìc½à­}ú¶®2Þ×îX€nú7ÀË\IÙïeVl茋Œl
+ßÅ	—ûÙ®\C€IÖ`R…jV×.¥$KNcò2Ô
}v[v
+cúçÂíËôÔõøÀÁ~EÐA5r%oRð	;P;â‚9u½ÉDN£6ñº§ŽÈßl;ô
+„pÍ#q:‹’!¿žøuãØfPf—k32.¬ñ•¶O…œs@‰Yᬲo#®¼F=‡Ãpf_¶‘=zŠ˜zRì‰1“OtXå»ÁªS[§Ìe¦Ò?‰ã*¶Ö6Žô¨ÖTÐCù‡ân±™·Eõ0••ÿ«õ4­Ú1íP⮉ŽKD€í%a®š§â‘„à‚ù…¾¸Î3÷0ÛË…OÉŒ²†‚Ä&O\}Eî2Qw¿¹Þ!a¨â±ñ åGi¶Ü®í6<ùhuÊ0wS¾]Óœ€}9#¤Þ“m€$£)T$ùÂë—ð7¸Š*¸¤}|¯#ãpò°·ÄÝÛàüÑß±¢,¨Þrá-ˆlQyf!ôÓAê¯O®OL<\ì‹–]˸hûöúŸ4*~s¥ÎlÆ#î±Î³›”Üç¾®?Ý‘L¶]e}` £#v—G£<Œ†>€3ûF$ûåÙhH–··¼xö{¨[ƒQÖî‘{á4R|äÅŽ¨ü°¤v€{$øp—ÕèDvvúµ³âN)¡Þm›QÌêbÙt¥»È0íï„4&®ptÏÍ÷»ÛÛ9úwÒî}†àЖ-çÍ`–1ÁaÐ…¤7êéÃ#—¦åM¥zöm±½§§¨¦%Üôõ¢ÜdMéWÝï –	™“öz_8s½½ýŠ“ˆ8õ?~Ânÿ†õžÈ›uVÖ_LõôZÑ4=ðìòŽ‘ÃŒAoºîÔ«ã:à%qä}®QöÇ–>×ðÃT$"%{O)ô*º—hÝ‹“ﺨ¦ûAkʶ
¿úp;M*/ÛduËoâ)ìç-\>k7“¸.Àå©
+Šý)öÏ^6uø›Ê„wßMêÊhûWØÊÕR„J(w|iàol™»Ë3úØòpþë.«F7>9Iߪ‰cÞjký‰¿C€l»?ý§ýßEFpMsìOid,L&Ž)T…9ø#
+¡ML°þ?w±nendstream
 endobj
-1566 0 obj <<
+1568 0 obj <<
 /Type /Page
-/Contents 1567 0 R
-/Resources 1565 0 R
+/Contents 1569 0 R
+/Resources 1567 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
-/Annots [ 1571 0 R 1572 0 R ]
+/Parent 1574 0 R
+/Annots [ 1571 0 R 1572 0 R 1573 0 R ]
 >> endobj
 1571 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.8189 530.1591 386.4723 542.2187]
+/Rect [321.49 736.8562 382.69 748.9158]
 /Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
+/A << /S /GoTo /D (options) >>
 >> endobj
 1572 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.3277 530.1591 479.981 542.2187]
+/Rect [317.0267 705.9305 385.6987 717.9902]
 /Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1568 0 obj <<
-/D [1566 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-486 0 obj <<
-/D [1566 0 R /XYZ 56.6929 740.4694 null]
->> endobj
-1569 0 obj <<
-/D [1566 0 R /XYZ 56.6929 708.3638 null]
->> endobj
-490 0 obj <<
-/D [1566 0 R /XYZ 56.6929 708.3638 null]
->> endobj
-989 0 obj <<
-/D [1566 0 R /XYZ 56.6929 678.508 null]
->> endobj
-494 0 obj <<
-/D [1566 0 R /XYZ 56.6929 621.8501 null]
->> endobj
-1570 0 obj <<
-/D [1566 0 R /XYZ 56.6929 599.5389 null]
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1573 0 obj <<
-/D [1566 0 R /XYZ 56.6929 513.2226 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [356.8967 675.005 430.5501 687.0646]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
 >> endobj
-1574 0 obj <<
-/D [1566 0 R /XYZ 56.6929 501.2674 null]
+1570 0 obj <<
+/D [1568 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1575 0 obj <<
-/D [1566 0 R /XYZ 56.6929 321.1429 null]
+490 0 obj <<
+/D [1568 0 R /XYZ 85.0394 658.3825 null]
 >> endobj
-1576 0 obj <<
-/D [1566 0 R /XYZ 56.6929 309.1877 null]
+1108 0 obj <<
+/D [1568 0 R /XYZ 85.0394 632.0762 null]
 >> endobj
-1565 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R >>
+1567 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1579 0 obj <<
-/Length 2792      
+1577 0 obj <<
+/Length 2950      
 /Filter /FlateDecode
 >>
 stream
-xÚíZ[Së8~çWäÑT
Z]-©ö‰áÀæÙ„S5»3ó`C\âllà°¿~»Õ²ãdIÌ)`‹ªÝ¢
-·Ú²bõåëO’ŀß8øòz`½f†3˜ÜðÁ-Üû| bŸ£¦ÓQ·×÷W9Svà™Oe:¸ºéŒåwN®¦¿%'?¯NG‡GÒð$e‡G&åÉ÷çŸHãérryqvþùËèøÐêäêüò‚Ô£Ó³ÓÑéÅÉéá‘PÚH@Å!þqyqJÎÎ>=üãêǃӫö•»Ó\áûþóà·?ø`
-³ûñ€3åmŒ{ýDן/Oö˜´ó®¯›ÿÚ¤Íß2!¸cÛ}…q`V.Xô‡ó‹³K0©p29Ÿæ‹zmSa£MA8~!![ Ý oШ¸¯‚%A
-–„;5geUƒÙ¥÷ñwBŽOO~:ý;˜È*H•Å”€ªE£»¼ž•WnÊlÔŠÅ-5·U¾†«V}`µ*0A°…¾ˆÐÄžs¬~@’{œÕ5ÃÛzK¿©·R¨P\÷Rj
ó:%Ãœ?AY6ÜØd”/cA,Êtà†”¡Š©š® É¦ÓسÊ+H!¤KN¿.Á-wøì¼Ñ}Êv'È~áÔt¦úVtu©ù–”lžØí	ÔJÁà=1˜±Á,!uÀF|£ÂC7L¼4eåPÆýNÇ6•ñÎSXºƒ°Èîò@·Lò¥jºƒùwædäm±‰Æüþ+5èõ–ólüš€¡Ô0€ï‚E­K“c2Å"¯ËÕŸÔ¨òÕC1i=™+íXy˾`ÏŒÓòt};/þWІÚ8+ûì+9ƒùh_d©K®(Û†+¬¢*¢HhïN H*A4’¡ü˜¨V»¨€Ü¤=ÈÑ™ß[Qm™“ü[VwÍ;Ýÿ™HÓ¾0×>e©pitÃéIØr
1×ÁdáÚrgjÖ%]a|O•dþÔ<0-&°ˆýfYMÒh+²=î(èc-›ú¡¡âË &£Ë$_ÕédÛK$Úp½ CÑŒ£”5	ù×¢ª·Ç{¦,áv"¼§I‰³£Ð™´in Ft­Ÿ–a­„T–¬Búκ–!lihº†—:Ú|
bbˆ9‘á¾z{³¯‹·uÃZ9ué·dEóÄÎVVó>6«á¬·¾
a>Uÿó1,>FËukÙÆ0ÄRë*§Å
Ž}“¯*RÜОݵ. f4I§Ë£S‚&^ã>ÀV{ò(O¾¸¿ËWð<Ø7™P‡{AÑa–—íìA;)ï–÷´)•ÍC˜XäëË|Qa…zÆôa`ðËuBEÆýuT5eò‹Í]žLæÙ8(³8š‹Q‡Nö«*ÏͶÅ#ÌžrÖM²×%
-¥=3}»À*5La×H0<ô29ÿü"MDH#"¤›ˆFDÀkŽ@A
-^a‹‘ ªu#ȳb2Û1ØÑ°°)‘ ¶	°üɮ籉ï· ^ˆú=žnMøV´Åxf­ñß0$=ávû!€¹}žÖ‚I.h¿ÿâ׫°ƒ¡¢µ£-	íÿ’
Š×M¸§Þ
$†~„, ¸Gà¥ÿÃýKá^zÝÀ½Ö2ú•!n½ênë‚v½­­m]Єí¸GÃ<óÓmB¿0gpcvwÎtÃñu!þ®è(øœS}ûRÒ	¦¥!²6	Lª<.i•Öí–@h5Òàk¨^r™­j’ðD&tèB³3…2E5JÕˆ[ý^½ê$f;ù|’)²¼U}2	ÜpœÌ2ÄrˆÐ­3Lélr—-—f±u×y¾ Ù
'%	tæ¯Lsu›Gh;]Ó›@"ÝsLÖõ>¸”Â1žª¾²#P®i©1çÈä|ÐxÏ+¥•Is]Ÿ-C©‡F4öÕxPÒî…m¶x­ìì^XK›çøÜžÔYx¾îöjvÍðSIàçWFöÂ÷,õÚ·FãóÏP‰ñ’“rQÓNt) v2|m”Õ÷M)DÕ4«3ðI²0Žnô­ÆNËé¸9T6¹Â4qƒå}Õ3‚²ûÛY<¯E‚ø‚J›Ý¼4T$C	i^-
-½2ÚÄNy¶;[¦9v‚lJ!±›æ$Eòƒ4Mwöwí­¯
\“šëÜsvý­Á'{MBvþVÇïR±}	)`â…£õYHGã¼ï¤£ÅÅmdì(oå"ªš\D™(¥›HqK)w—³†f*±ýõ€D3ñN„TZ#6?PJÄ
è?À>ásgb \ÿ—¾èºã;à0ÑGˆ„ÐŒEÞ_ãR`cë4ÕŠu	­êÀSC%¾¡kF]hy´q£=B„£0»yh`	ãñúŠí:SýÀ,&–rÑG‚<§%q ñð“Xu“Xs—àκåq¾˜†e1ÈÃr^LžH>[Á:!‚,§ÏZ…Š3(d»­~[<ä1_òõáñšC½d«~bß—À­I^geàÝÌÊñ×3‘ºç>õæƒÞóΗ~X¾þ¸^[¦œÛq§xÊœôóÇB›:»m
£ |l{u^ýß·n¯endstream
+xÚÍZmsÛ6þî_¡òM„âÀ}s'çÎÕÉ9¾¹¹iû–è˜ITM*ŽûëoP¤E½¤vf:ž1Á¸ì.$FþÄÈXf½ô£Ìkf¸0£éâ„>AÝ»ÛLR£I·Õ×'?¼UÙÈ3o¥]ßvt9Æ£ëÙ/cË$;
|üúýåÛ‹wÿ¾:;ÍôøúâýåéD>~{ñÏs*½»:ûù糫ӉpFŒ_ÿãìÃõùUÙ¨ãÇ‹Ë7$ñôØ¡ôêüíùÕùåëóÓß®:9¿nçÒ¯à
+'òûÉ/¿ñÑ¦ýÓ	gÊ;3z€΄÷r´8ÑF1£•J’ùÉÇ“µ
+;µáÓAû	Τ²rÀ€R
ÐxfT¡¯ï
+œÄoM·©pÌd{À6Ë|Q4«Ø°§S{–	ecÃ_9—Å|&ö||—×TŠž_òùº¨ÿNZ´èhqšI©L§»®¤bmJ^
¨ÁÉ«4èz}3«y¹PF­ê¡œÏ¦ùýlhþs’gGª˜ßþ-0½¡áætÛî(E8¹çOìóý™ì˜ÝakOt&™–™M„`Þš.ê]*™§wBõF·N1ë`©¶G[&Xvüàšéjç4X„Ž&ÛTúØE<–/g:¥fJ¹´§ÿ¨–Å1`cO¹PpÏüe
+ú6þ(6TÚ±ŒgOØðÏ}•ÂG“Ä;G@ßqЋ鋾ªI;©I%§}Kµ=
+a˜vÙ(“ºàn¯eœy©öοæÓf²È›éÝéDe
+öè"_6å´†3Ê:„]ÖTsêÆëyA/á‹"Ö<ÜK,éqsëSçhî»)Êå'BÃz5Ë›bF/ØIxÎ
+ì=ŸÓkSÅ'êÅ´Z6Ð"¶®n7ÕÛ§Š„Ž¥ÕîÏ[¦Û£'ž([àÒ&cZx°ðfž·²ˆ!~Åw‹u†y€Ø.à	çÀ¡ó«B„§¦E¾´ˆÀB–âÊ	2(µ]ˆqR›Ó#Œh2¢0Ì€H-Õýü¼z€„×OKó’ê.ÍK!('Ç«L_ìF—Liö#Èf9nû™{?üß?ø’„u¹(çù=¾ˆ°ÿƒ0¡–Ó9.¾N‹UCuÍ]ÞPë2J ©ÊÈHUP `*£˜§ÔOôÖb„gNÍn	¯#ü¤Õ‰¶èwO6
+8dÌ2®“èÉ®…­`ÂÉD]4”ɪš—ÓÇ[Ëœ·é´­h¼S_ùjUä÷Èçw‰ÏA^Ý|)i{M„ g^ômZ°©Œ›XI°U"ieÂõ~£0ù Š¦ÅʇrZÀâ)僄Å2¿™S­ž.غƫ
mUxæô€I.gáƳû0mÖî܃ö3ÌH`õ-ûaOkà¹XÏ›r5Ã	hÖÓ
+vU¦ûKýP6wÕº!~YT³©aš7eµdCýO¤Lt:
;»9"Á"³W{iKxð•ùŸ ­~GÕ¢l`ìá²Iú~8`dáô¾0~èX;l–Sx»YN¬¡åÄR0-ÖÓb¡(.'
+ÛåDyOÖÞxUJj:¥ÞAOÖ3ðÌS”I[3ÄÊF€÷åÕSÏjb”ܱñçbăO¨í}ã-ãøËOË*€
‰–(Þk`ÐÜCðÍ:ìM8Œ€éió0#>S(„•´ ”×ôÜAÛš3Xvs”a4Zþ©a¬ÑÃôãv@ðûÓBp®×!Å“´H›Žƒ}!Ɖ3UÝΣÛõ¼ÏàÄÏçÕCälÓR9 û\<’dUÜa*ÒˆÓD}.yd@nZ,ÓÅ6w±@j¡uHöªâJ8ÕÑÝm4@R1jQvÜ€kXQñ&ŠÖ+…ÆWÜîÊn
+ɸã±ig<¦B‡ÐOì³^ÓàJ„¨IPm¯·‡[\H–ie‚¾¿
.¹ñŒ¾§mI2,øh..!Šïò/•n
+òü ¨-ʾ”9®_ BˆÌ±Ñ-æÓPXÜáúõqØmA¬V”თÛPS-觪««ºhêþ—7ƒ!éVqëú†ø¥¸¯±“¤ØÍÝRCå¹}Aî–/ÉÝÂb6€ëCäcs–«$oá8Ë`q^œ¼»Šw“7N-“ZúϤïî²üÅùÛ½(?Èïñãa=SàM .‘˜Æ€½G£$Ÿîï\Œ—=1퇜1_ž’m(/¾®æå´lpgá{')…ó"å†x÷G¼û#.¢áúÝ´Y_]}¼x÷ŠÊ—cáãû³Vtþ:*
+n>|"5x»v}êù8vã<ŒGîcÄ	‚~Z
+©M†×)ó^ÓùšD¬ù6ÙÙåñÜpÐ÷›™B
ͤÍfíLA§âb–DêÕ'ÅÎ¥8+%ži$£äd
+	g˜¶‹ÙÉ˪‰u1­ã5­,Iò¦)a`*f¨@¸ÈgéÓŠ$³b^$u4=F¦”<ŸÕ±¶®«iæ]–Í]¬Ùõ{V¸æC??å£d‹gÿØuóK`
ŽŸsrxó·$‘F…‹àìÖØég±jhðÿ©ž–endstream
 endobj
-1578 0 obj <<
+1576 0 obj <<
 /Type /Page
-/Contents 1579 0 R
-/Resources 1577 0 R
+/Contents 1577 0 R
+/Resources 1575 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
+/Parent 1574 0 R
+>> endobj
+1578 0 obj <<
+/D [1576 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1579 0 obj <<
+/D [1576 0 R /XYZ 56.6929 746.113 null]
 >> endobj
 1580 0 obj <<
-/D [1578 0 R /XYZ 85.0394 794.5015 null]
+/D [1576 0 R /XYZ 56.6929 734.1579 null]
 >> endobj
-1577 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R >>
+1575 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R /F21 738 0 R /F62 1095 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1583 0 obj <<
-/Length 3301      
+/Length 2937      
 /Filter /FlateDecode
 >>
 stream
-xÚÕZësÛ6ÿî¿BßJÏÄ<àóîSêØûHsŽîÚ¹¶ Š–XS¤JVÜ¿þv±Š’©8wuçæ&3!°x-öù[ÈbÀ?1‹b?Îd6K²ÐÍòÍY0[ÁØWg‚ç\¸IãY_ÎÏþr­’Yæg±Œgó»Ñ^©¤©˜Í—?y±¯üsØ!ðþõý»«óÞõÍ·Ð*Œ¤wùöõûùÕ-
Ä<õË›woˆ’Ñçòûw×7_ýãöõyzó›ïßùöêúêöêÝåÕù/ó¯Ï®æËãk‰@!¿¿ýôK0[Âí¾>|•¥ÑlÀY&g›³0R~*å(ÕÙ‡³¿ŽFíÒ)1…ð…Œ,ðC!NŸJ'p*7¥ò3äóðÐd¾€ÿ@òaèY°—¼T#ÉùašÌ’(ócC(ù·çQäý%‡ÞM}×´Ý•M}~¡âÄÓ‹¦ï°™z»¢ª¨u_7»ššuÑíšöž:¦hʼ0Ôû9ˆ‚ö\¤^±­4RAú³$ô³(’À´ òðÃ7`²ðI]o
-“·å¢XR·¬Y‹×—ÔI*ýcU†QÂÌàr#ü1±ª0õXèìÂMxIMI˜™òM©ÈO¤ÈHSÞ^¿?¿ÃTzï­`›‡r‰Ò–iäiüÄÞN?R¿kˆ`Š¼'-T<²íUiÖ4¬‰¶ŸÅ«ÖVÙ8t_<~aˆúsÈúbJäÅ«¢Ý¶eÝ"•x^‘¡Œ¢O(r$¡—R¤3ºÏßÒ­8­È õ¥|Îã`›TˆØJiþã½M	o~žI¯øØ‘8Hþyc¿Kó™B„û~Jˆ{îþØ…ÿTgˆÓÐW"L>-Ä8Ëü4ŠC2@ˆ2Q‡!+’‘YØÜ­Ë|͘£9zasˆ^8ÃE¯W§
Üô¸Š]ú~ønþþ\ÈÌ{Eýn­Yš>Ëf£ÒL¿Ý6mçTû¶4]Ó–¹®N+p,š—
gá‹j0†\„ê
&‘Ÿ…1ÉòGÜÓ(ñn‹-Ù¾)êÎåžTyÍ}ôq*¶öÙ:z¹äe¦@‘&Aæ]}Üm¹Á}H¨Ó	çY§©ú„NF—})ìÃs×$Ar„@þ»UŽg¾J@g2ñƒä¹š†2Z^L†WvÒ!éAR uëÎæJ =èª<2’Î]àÍ»=¶‘Á#"VJüÏ4ü)É.J?MâgÜ<Ê„Æ’PË
€ðXEñ^ñ7uW´àɧl|ÌK¥-È’iý'™Ð­8-HúÒg¤‘dP
%‰•Æå[ˆy¯ËµnÓF"m²´ýík,Y;S@lº&o*¢ädšº³A‘yGßÝ̉`
d ÐØ”Ëg`üÓíVÀ¡P^oìþB‚¶D*;Cõ¯¨¿íÛmc
-¼‚¼&]$Ó†a½ö•Áa<^ôeÕ]iqÑ:¯ew$üÞÔ˜¢m»ðWþ+
-¡‹>µB@¡°{Xî/Êz9Cá'JðÜOØäHÙÌ€þ\›±/ }Æ&CåÇ¡$á¿$0 ·Èi‰²MCO£¼“ôHÉPäQgY<U³µª†î⑾`“¶f€&W*¿ywÚ
-_ƒÍÖËz™z7XoJé•XGJg’HÁš)f=Äm;ñ h…qW´Â؃n˦çÌ£¹˜2¿®Øp>XêN/´,ì)ànZ7º¢»õ[G°ÕŒó’šS‡ièFxÚ¾FŠ{)ûúÿašúqœ>*Bðq(G BAd‘›µÞ0‘	ﺢfÒf[•y‰áW©Ôk5 ¯ϓЪŸØŽ#¢‚W-†@ìmuÛ¹ÍÝr>õöÖ§ÆuÃ;5[ð™]?N#ñ.Hqë{kXµ®¨Š-sÔêÈ
-šgƒ-PךJ|¨íaBêõyǾ6àõk^::y«s×3ÅVÄ|M…̼½åMàÖ°åuêfix(B«‘‰ËXYÁÊPÀ^ø•V”†H{Tb&àëùð>Ú`ýu¡—6MÀ$|kê·–çPbäö|þ->.Ñ<.qyɇåMm ±è£>É&hûb9t{‘,Cš‚ÑE/ª£«RL#Ó@·GænßУ$þ÷šù9(ñv9‚˜uQ8¤êÀí06r	c™+rü½ÄÏ”LG.Ül
-MÊPIDVœ°M ¤G䯨–Ô±•ØG';»ÜðôªÜ”m0†ïºÙñXC§PnA
-ªû¹æ¹Þæ¾Øò.e}pR®óu&ánàØ S'ÌmÙØÇÈD€mÚ
Á·[t!¤Ùt‚¤¾[®ÁÒó¡ !ÌÔ"wü
Œ[­ã1Þ\W†·BI,‰)¬&!#]¸ƒIºN‡w¬Ê5«AxÛ£“ã-rÂÀh—,´¬aýv9w4Ò[ƪB76¦\Õ–9 ZN²p¿‡^B¨7€HhÃUÆ—D­†KÎÀûm”“@ «²¸jKsð•Öe5 ȵ¡–5	l,
-ú2žL¿l
-Þ”¿nAŽò³è%sA‹>¿»Íp5f¯ËÜ'ûpl¬)¨»²à™Ö#áëꙩ»m‹Öb“:g¬búÕª0NÈû©Už&dxòºé+Æ>&Œ#]ž‘´”¾$ç!	šxä]Hã%)	ÅcgݘΧ°^«é¿^MÆ6rX™1W(ïv‹Õ	¦·0u‡el‰Ðx²ˆdºìsÂwÂ'â5c¨7Ú†™
f#À^Y¡<$Ò²o9“*'4Dû¾:BlˆG]â*/ãž‹:¿çiìJ¹QÙ®tyÐUÿä­ã0†ÓáGñ9½“Ä»¶¨ÀsI…Hp6Aõ˜sγé:¦€…„\·mI…$#Û˜,q¬Ù,Ðqy1ì‚Ôö‘éP°naÍ;
o°
-Á„ñ§$><ŒŸFíô‰7Ž¿õ£G™~Єå?KnÂÞØ>ÔNCàÎáûÓÏ9>—‡ãZ˜W
-Š«Ñ•Â—çPrH^/ø½­‰±$ý¸mc†rÕ¥mTÁÓÚ6—P`¢bÜê)“#@‡CÛ?‘ÚÛg”šp ˜L:X˜IuÖ’!ÀÊï‹ŽO°|er?
-קùã§ôåÀÁžLòÕ›žáèi&-6°.Wk»4Îx~MMë‚t‡#Eª‚HUYÓ[ ‘
-Y¿ZÓòZÖ½I°§jŽµ5àz‹Ší
E\Ðîe­9ˆe¬@sÝcűO93QödlIo`Ñrù9¹ÒփظáMû¸äE@L¼å®ìÖ£i0XéúÅÊáìtâä’·Ä×#‚Ž«Ž‚ !_…Ö}…ò¤ao Šrüþ—È-5®Ž#;Wãœc«~é‚:`C…£—zQîz´±vRs×ûôŠ¾MF

-8=Ʊ$zUZ6ž
-(哨ŒÄù6î!ÍÖ“¼çÝÑJªó¡q¹Ÿ4,Äͨ՛âhá¦.6M]æfJCËÂþØ>äèEó`#vÑ8v06†´®9÷Ú7
-2Ôñ]3È}Œˆ7lqm‡÷…FÌûû`b§7DÖM鸤°êQ5øœÍ0„FÅc&"]C…N¸ØÜ‹Äv÷öei~ÅÛªÔ•
-dzøê¶`WÉþº56è֣ð‘q·jg‘3¶1û·AÈÁæáï{®OÞÌ—Ôã€à3.Ð@Û
@Ùgã Å™¦p‹E=”亣·à±=á8 3œzLªƒž!gÓð)âLj3ä¨çÄn黿7t0tò£¡‰¿ËWÅrUœØj¨Zö?ùÝx:SI¯5)Žk7uÿR‡½¯ÛháXHõ`WJ}Ñ\ÔŨ@®Ñ«!ÄNü~ðR)…Ïä	˜Ùg½ÝÆÇ2š~……lî‡aŒÍ|™ÑÏþǯ¯ÁìÙ?÷Oàö&¾JÓáÄϽ
-±q/š>ù=øRÅÒͱþoC¯úendstream
+xÚÍ]sÛ6òÝ¿BôLÄÃIðÞ[nÜKœ¬ÎÍ]ÛŠ‚lN)R'RvÜ_»X€¢d}¤çxšdÆ`±_Ø]ˆüç…L¦j¤*ŒùâŒ
îaì‡3îp†iØÇz?9ûÛµLi˜Æ"Læ½µtÈ´æƒÉì—àòÃÅçÉh|>âð|Å,xs{E”>—Ÿn¯o~øy|qž¨`róé–ÀãÑõh<º½¹T‘€¤[â?ŸnG„t}óqtþÛädzѤ#¹,Î$Òûß³_~cƒœîÇ3ÊTGƒ'è°§©,ÎT$ÃHIé!åÙÝÙ?»{£vê>6ER‡‘É>	¹OQƆOU¶0ïè@탡Æê\ëÒ4ÔËVç\n(0ùïfFy½¢†Éò×úR4mQÝû…pf^Û¯›Ô>/Mˆ|êø€«PªX yl0T,±Ô–0`9pŸ1`y]¹Ý¯‹Òl¦ò0"?U²0Nx꧆ÜMžœ§,€-Ýa깓°iêõ*7¾4Îüy+Gé¿Låh®éûsã&LÌÂÒç0Ð!T˜*®,“‡Ö”‘“·E]£¥Žƒ’XzoÊgNƒi½²ú	Y‹æÔ_Ðøøú’À SÊ-23M¾*¦Æí`…‡¸y]åfÙ‹ÀŒºtj\9wØãžtãW±ñþr7˜çÄ“¿ÉºÌ—e™îÍEðd%¹tŠ€°Â­3ÓQiÜ•Ý D-LX®§e‘gȱ׎
d\|4«¬$xežh‰ñØmõ=ºå§ÆTÌLÕ¿2&ÌÎA„=H'ìb±,ͽrÕŽU\ÝÞ…ô½"lGV6µŸœ—ëžÜkë–’HÐOî•UÖN]÷ëåIM»€Ó2b½Ènl£ac+é󠡱̡Ô3ƒ²Ñ2‘àZÙ6zcZZÐÊtö-•hQ_Xd^ßêGáW_dÏÔ˜:l³X¶Ïçœó Ü'Ÿ‰UÅÝæа›ÃwÏæŠõ7'´¬iê¼È¬X±ÿT´n„>ËlÕùmÒöß eUÖÌëŲnü~ÿÆÀLX—z „xA'‘â=ã¬Ìà.,u,LòBƒÄF–Ê™çuJDÀ·ª )î++Ì<«È*±E2f¶ƒN|Nƒ¥ã—Y=ZØcúìp¦ÀÚ8ºj¬ØTÇᲫ=ý`«}Cv¢#eä|à’ÀY€>€§ƒUñÖÅˇ'AS¯Ü½Ñ›¹X—mvIPË+áx‚€¥Y-Š–,ºt!q˶X8-°˜ëŠ°q›u˜æK†vÿnßI¼Óo–&/æÏÞd­3vúôÕû•ÉVS‡Lì¤öÔ™t»*¼‡A!®š6$iܳMH%BódÃHc•à½Nƒ«û5ƽ@ Ãö'¼^®‹ç½£;ÊGLˆr¹K“â2ÔB¨-š^„$Ö	JìnšoSâ.­me÷;‹¾–þ)^¬{j—¦ˆ%¡„ëæ8+:¬”¼\
)!§8TB„"å44	S)’s´Qz¨
+¼üN”“õƒï&»‹¥”¹kìï»Gä2	U”€´u¬Ó¯‰h¥ÒaÂ’ˆöÿ›å	éÙæA
+hƒµ\ÓÏØ^jØ
+n>¦ÐÝ/®@‰¥Œ*V3
+˜ë§ÊÛ49N¡!¶éDá¯àÞ8´žÐ[n….¦»¥h|D½®(hØR~ˆÜ“¢ä>½¯ãr®_P(Úv4Uy±¤Ÿq˜­1d¶b«fÛxo1úù0†©Á²/Så‹ †¦QÀãá´hià1+׆šÎ‚uÓ>È¡!c—Fký!ÊЙ–t[o]»†³Ñ‘T¯cëFR*ŸÊþŒðýŒÃ’wÂ1u/¾•#z‘Åi(cÈ“‹LjHz™«¯¨l‡.°Ä+—/j±/=è,k30Fø6˜”0RÛ¦eš»ú„›@-›ˆÁ—nla­Ä×G\ƒ®Ñ]îVŨ´Òå6‘;"½[¾•ô6•Ä¿"ãx¢¤®NÆ«#«úߪ>aE|gB²”»lÖsÂëæËæ
+rÕoX®Úgt‹Õ¬pi+«FÂÇì—ž„/"F¢Ÿëʈo0m-õèe¢·Àõ@êÛýÅTWÌìŸXIL‚†e|]6m–£/K‘>„hYé@}åT1)'|I9¡!4ðã°rö¤þ:MzÓÀJpr•œrÌBè0Ö©sÌ×wWïÁº…fÁÇڿΈHºËN!0>šfô¢|ýù+ø–hÃò#ê¶ë#8W‡ÅÐ;ß÷ìcÌ“‰¶`*L’ÔùØÏ%F‘äÁŶe³- HYt•ä]¾oü0$è]±äâ›{ô+Wülæ:
Á0£l†“@Xé2¿ËÑørú‰Í Xð¡.»—`Ÿß­w²¹Yµîù¥5'n9`·ç®ÀGúƒÜí“ý×õx….åSÜÕX+¦§øËÛ‹ŸFÀ¥XA· CÖÖ•†Àu×U‘[&ÜNW±ˆuíX*‹Ìú­¶Ø(…CA>è]Žlý~ÇÉ2‡\HA"uJQ×äÓ¯>\Þ\Š³T7À~ØÉÕº ã¡1Þ1æÏ6YB€{»Å&,ñ™ZyY||´3Übý‡V;ZÊ¡íB”õWF‹*/tXx=®|Ç%ײGÕ)ÙI2¥é"¸rFÒͲÌrª0%A.†jÙÉæåÚ΀ µ)‹Ï@àØ›³¯¸;3 ´;(6ûšœŠ ¬kû+ ™Ê`½|gc…ÀØsŽaâ#ý´0­ÁZm²½Šæ ’uA"À›õ´¥¾!¦î©svgeÒSÎ üXf¶VÀUæŽÆÐËd5sx@Oéw¢ãYCc´ƒwSÈ1ÒÙ÷¸?ßy×qnŠîW#§´[ÄîÔîžÚ|Ç•×8…(2:å˜àL²I§Ûwÿý„-Sܵ®bPöÇø¡	Qûwã×ûþœ^ofá%<³aþQWo3<¬è'“G2ƒ^ÇWÅX˜ˆ³VŠHè}Ìlà5ñÕ?6ÜüàtGêCmW”ƒ«Ö"ÐÉ‹çqÿ³DÖ#þ(QÏ7endstream
 endobj
 1582 0 obj <<
 /Type /Page
 /Contents 1583 0 R
 /Resources 1581 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
->> endobj
-1584 0 obj <<
-/D [1582 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1585 0 obj <<
-/D [1582 0 R /XYZ 56.6929 612.1852 null]
->> endobj
-1586 0 obj <<
-/D [1582 0 R /XYZ 56.6929 600.23 null]
->> endobj
-498 0 obj <<
-/D [1582 0 R /XYZ 56.6929 297.3236 null]
+/Parent 1574 0 R
+/Annots [ 1587 0 R 1588 0 R ]
 >> endobj
 1587 0 obj <<
-/D [1582 0 R /XYZ 56.6929 272.6213 null]
->> endobj
-1588 0 obj <<
-/D [1582 0 R /XYZ 56.6929 87.0771 null]
->> endobj
-1589 0 obj <<
-/D [1582 0 R /XYZ 56.6929 75.1219 null]
->> endobj
-1581 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R /F21 730 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1592 0 obj <<
-/Length 2868      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ6÷_¡Gy&ÆáĽ¹‰Ós§q{Š{“¹¶´D[œJ¢N¤âú¿ï.vIQ2e»{“x&Å.ðÛÅ~€R#	j”9!M´£­pR¹Ñty"Gw0öí‰bš³–è¬OõÍõÉ?Þ›0Š"zíG×·=^™Y¦F׳ŸÇoÿuþãõÅäôL;9öâôÌy9þæòêõDz¼ýáêýå·?MÎOƒ__þpEÝ“‹÷“‹«·§gÊX§aÿýáꂈÞ_~qúëõw'×Ý’ûÛRÒàzÿwòó¯r4ƒÝ}w"…‰™ÝË*F=ZžXg„³Æ´=‹“'ÿîöFÓÔ!˜¬ LÇÑ™±"óÀãb—Â{í†ÅÊÑ™R":÷/š'7Ûû¬A%,èÔhƒð!¨NVõÔ¨L™sqœÚƒŠQ—/ÅÅ»Ÿ}o29þðéô,˜ ÇJB”ãÿ\\]LÎEGv •Öd£¾ì/Û"§½ý{2N­â0BÚF¡­†Í˜(Œ!ˆÐcHÎ?u€Ç£'éUñP¯Š‡6"xŸ=g1:ãŒMxì[œÕvsEÄHg"
-X’>ŽLOæWl)@‘)埳åPˆNÈt €ÀÀ=Aû׋ôÌŸ±i„µ†Œ£6Î@´ì£¢Ž¢Ò—÷õžŸ¥2ÏX†‡]Ù,Ä}Ëh‡9Bý+°‹m-j}Y¬SŽˆ>Á‹È°d[#½Èt€3pµÚîpÖf )ñVÀŽ\õõ¼£Ó&ùl£íx2©©cžæ¡|ÅCï()ÁÿÎi¨.¦MY­èå~^NçD:­VuY7̪ºeF4¨üÙMÙP×j»¼)6Ô¾­‹ê¾˜ÕÍCo’Ϫe^òBVù²HqµŸt»ÁL(ŸÍ6§*uÍùÓ„Ûº%¡GÝä«YžˆgÔsùã·Õf™7Ôn*zÂF›´®K£iØ.WM±YÍ#–»õƒñÖS}æfñ{¾\/ø¥žW÷¼šºü½ÛÚjÝ—Íœ—w_ì»]x‘O™µ’hç´&Ñmúp¥YZéÇrY.òÍâ%óäey7gAuQüóðÈ*íED—àB„ô9d/;añ/°øÿÊ&ÛMA6øcÞß@JÞß%”‰d²Ÿ>‰ïß~.¯9©„“ìÆ—W”8Á1óN¥H€Ö>v‚œ'8Á¾ì/u‚ñµãã!ç„‹áH|ÔN£Î!…Ê,—M}(Ôx‡öBàÇ1éI{%LþL`x}³Upl²¿Q¥¥}:08Ì²к¢²~Úu>¦çÕŠ«D­ž€ ÁðA¿rÀô‰~aFøÌ+&s̱ە·¸ŠÛ‚³b?4]äìm»êìaØAN‰UªJIÚ8Öªl	Öõ®¬§ÛºN®/ƒeò®Å´ÚÌꥃƒÑVD«ÈˆÏ1z=žõtSÞ¤ç
¹ù7˜õíü.ö×Åæs±á9uSÑŽh¬\Q¢°ã9ÓåÝܲà®x¡ÕSmScZÐ(õN‰û¬NëPŒo6Åõ½pK7üPçF%5Àcošrº…àÀïe±™àƒçÞÒÔ›j‹ê2²årW~.x°HÐÆ€D­_¤“œp$–¼ˆm½Í•x
-4ãÆ7Ä&WÜÈ÷ùìw ƒ@$?UÝ€^ÆÆÀYô×%…“ðÊÀ…º1ÀŽf^®~£®žÒ-ÃÉ„^qøž·Ožø°N6=ë¼ÜP'±€Ô'orTŽÎZòÎV`” Á 
-p€™¥$e`«¤þEñ9OGÅZ´]"jÖAÒ7£ÎÎüø“©’2  Dmæ|7i;4²¯jèH‰<çÅbÍlê¦XÖ¼„ò¥e¹âé÷ó¢*0Á	ߧµÎª¿©ÁÄ%å¹`ÆOywÐ’)% ¡•Ôk(ÙKÕ‚fÅìtó@oI_ð,@9¼œs†-IA‰Ôª×¨£iù‹”º•”‰’Zòýå1Q»Jz¬7eµ)žôE£ºîÆΞSô¤ÕA_—õý}Ö4Þ´„¼ ”²Ã+ñô]ê]i÷ÔìÁƒ´5Ñæ
¨{Ý3´é Z3íKÁ2Ù€¾ÛzA›lŒnjP3Fºñer.‘Ãóž’3Ä÷N¹ø’D!yLJ|…e–±ÿ%‚’§OÁ'KÊÆ@»Z²›Ù“Ÿ—aÆ­O²~Ò£ónq‡ü3êVœu>|]­fåê×5o#³céXPmzÍï(fxrLs›Sª¬|úÏ«øÙ²\¿3-ä.9>êÍû·JŽìL§žj"ŸUC»#wN*M­#ñuå7uµØ6½-‹|{&š_´Ô
+mÉ; €àÀ¯ÁpµZ0a"–­­Ð´q¤~j¦øÞ±ê9	Ä܆å'µ¯!{åæ56gw‡ÑÙÖ{C‹m›é¤8ËçÁ¡v§óäSoEÏöÌí¦³çZecë¦K§‘|9¯é²¡ÜÅÄ^î¹ 6´y×r[7¤7RFÏD|[brÂl"ª’“®ëjZæM1;Rd:>ìÃXÎ؆žçð4Màç“«óû!ìs×mJÑmLËâQ| ôï}’àé¨úÝQ…&é
O^€@~KÉhØøà5	…çM•¢¤-Ÿva>{¼E”¶êôL&øˆ˜…Ó=JÕ_
-ùh|/6äÓ7x“™$vàh²§€¬ŸåݪڙŽ›¿\AØΓ—²õ±uDQ0Ù³@ê"¯y~”;׋íu/L¦U¬xVJs¨ ˆ†}ë
-ï_v¢¶zóÐÞ‚=üA­57®]hD(àja%áí‹êBÀN¸ ÂŸ«‡gý×í–0‘ƒò+ûÒWØxéªm:xªs'1­–éû$nx•a´[…¢jü‰_ðËPì±ÄÞ´ˆö°ÞÌŽúëù²-"˜*ýŠ—Ý;ÔŒr˜#7&¤Eh8a´¢OQäKXh0<&Á£_ˆOOòëâóªV¥¢!ºçðÑFïÕ|tIÌv-ªÍÝèôä~ÅèÈ ²þ
þ‘3| ç¢/%OÔýƒ‡wõY2ªt‰¨ŽcDÒíבŠ®ûMÁ/aË:ŒŽÄ¿'@ÒGAê‹-^~«øwD8P"“½ðVц,{á­¢ò7ÅÞOo•…>í(»ú@ÙÖ½ÚPkÕæ
-ПrxvU"½Rð>ÔµSBI=rð $­?ÀÊ6iåìçk2¸ØcªŸáŠ6—éLóLWS¦‚ÛXñ»Â³Ö7\¶pö…e0Ø”Rû©IÉ·«¢äÒdï«MÕ~ɪ·Ói‘Êét
ºÖÉ#¸y0ô²=Üv>t6-”³-ά,lj]ú¸ÄÊ:rÏê^äštÑêÜîžÕð=ëÇ¢i¨Àf××ß»QuB™`ûŸÊü¸)—ÅYS-¨ ƒ‚(´)çK"Ÿ2ÿb1£*(?‡×ÝG;Ÿ>ÚÝàžóÊ5W)瓉ŠlWeS÷%{ü,
-e:}–ksûN¤Çòy™oJúxè¢i vL©iïövÁ÷	éJ–ŠÓÁКB‘XPs2©1
-ØŒa‚.@•í4sšW÷ÔXTIÞPÅBW–Ä—EÝ=A³¶ï¶ÚÕ?fœ Ä[èyµ]t4Ç~”怿$ø	™=8^úƒµÝö S5Y¦‡ýUç×xQ¨,>
- ¸L‡¥ÿ"³q?endstream
-endobj
-1591 0 obj <<
-/Type /Page
-/Contents 1592 0 R
-/Resources 1590 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
->> endobj
-1593 0 obj <<
-/D [1591 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1594 0 obj <<
-/D [1591 0 R /XYZ 85.0394 591.8614 null]
->> endobj
-1595 0 obj <<
-/D [1591 0 R /XYZ 85.0394 579.9063 null]
->> endobj
-502 0 obj <<
-/D [1591 0 R /XYZ 85.0394 492.1929 null]
->> endobj
-1596 0 obj <<
-/D [1591 0 R /XYZ 85.0394 467.8533 null]
->> endobj
-1597 0 obj <<
-/D [1591 0 R /XYZ 85.0394 267.9987 null]
->> endobj
-1598 0 obj <<
-/D [1591 0 R /XYZ 85.0394 256.0435 null]
->> endobj
-506 0 obj <<
-/D [1591 0 R /XYZ 85.0394 119.6628 null]
->> endobj
-1599 0 obj <<
-/D [1591 0 R /XYZ 85.0394 92.1624 null]
->> endobj
-1590 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1602 0 obj <<
-/Length 2775      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝoÜ8Ï_1û൪È‹Ãa³MÒ›E7饳ØÃöúàŒŒ={šæþú#EÉ_ñ¤Ýk=¨5EQÔ)E,8ü‹0bQ"“Eœ,ä"\¬·'|q}¯O„åñ“?äúyuòòRÅ‹„%‘Œ«»,͸Öb±ÊÞ{Sì$pïë«‹S_†Ü»\¾–PA(½Wÿ8{»º¸¡ŽÈ²þ¼¼:'JBŸW×W—Ë׿ݜƷZ^_ùæâòâæâêÕÅé‡Õ/'«Nåá²W¨ïÇ“÷ø"ƒÕýr™Jt¸x€œ‰$‘‹íI*J9JyòîäŸÀA¯:k&Á™T‘œ±“Tsv
-)èB;eE³N÷§B{Yž”àÞj“Ó:ï견Šêž~¶ØÛÞöq—7Ô¬ïè»Z½¡‰´ŒëÞ~VmùH¤C“gÔ**;‚>ÿ©+;êßœË2gSkX…à°Š `¬çkl¬ÅbOlü¿rzð…ÄLK×€Æqe›nÄX”ïÖäG	´}dÉ/b¸xdöïÝõÙ©(nׯL›[ʘ0/3úA†`s"˜¡H)"´NB•ß§mñÉò­ÓõÆb@á3bZmܸu]µfƒë²¡¾Mý€û¶ˆB–„! Sj ÊeMÂB¯†÷Ôlòý§|o†GÞCQ–DƹsjVµßÖ?«·)­%„†üê_ç׿ž-¯ -ˆJ`kvuÕ@Qî4 àpGÚn	hõ¹HÏÎ
¶éçb{°Üm±í¼cO¡¹øÐ\Üš–{Š>›ú°o¼C®6¨ôˆ1ì¹Hôb‡oCbYq
“
-d?šžˆt#Ž‚6–,VZ>ÚHk&ã$1–ýÁĉ@jEFVR[š’1„$ÚÀ5Ù;Ó–¾-qÇ^[‘Çœ
- Ø¢BÝhíÛwŒÂÒH8©÷0icg=Žá,¿Ke;‰z"rÀ²t7öŒy(ZØývìš]¾.PÍõDP“·Ï b`ïoÛÂ)*‚@cý<*¢€)@¹±©³X}$Ž•w¾MR§Ä€PQc“‡ƒVJ2þnèKáLbl•Q»‰ð£¨&œ77/°hS¸™m0¹û8wúÌ2\˜ã}˜ãÃ0ÇíZlÈp‡ªkÏ!€l›|Oô	Æ_qšŠD0Ë33'ÀŠ²"?’‚©'Ïg<W,63<ÃíT‰ Ð‘H4y“‰ ‡DpðSᑦš8UÑZ/,¼šÑ0Õ‡ûÍ„YÐ^ã¨[;UþyWëÂdDHïbAžIEìÊ?§Û]™¿@<¼¼Ä`…“#KlßÛÈ2aZ^¸áb–ÌîÆÞQ-¯B&„M/0 gæœ{Ë
-¡káùkºÛõ§œÅñòí§`fvPR,	D@~ž[9*³3ÅãTéÄÚuyh‹º¢^ÛíÆDà(ÈÆà¯û´jÊÔòAO ã¨å[¢¦Yf…6Ôa6:pRñ:£
;œÛ ZFÔÛG¢ns˜‹H´áä£f•*9¾Eå›ù¡p`é~—ÎØr{‘„ÒîŠËk”Ž½Õґ÷vuC
{$Ò–5ƒÅ’{
-s\Á ÙsÍ&*˜îÑ<ÝyÛ4ËÇ’ÊRI¿­ým
)%†<ßé<ʧšâ¾¢s,­ð„Óඦ0³cPÈÓdiFe~gx•Ù¤ì‹û
D=?à±Ë.J_—¢èÝ®nŠ6'r?‘ét²,·òÒG¢ *ð;@EnE÷Õ
-ôšCZš:Gï‹ÖŸKÛ¼b&…MˆKÅéXGȘÅ%tîÙD{O9…§´ø¨ç“LYõÁœWÐaϼ¤›	ðÐ'»ù#"úÉÆK‹ún¢™%)˜S@eÁ¦Ã±,T²Køµ“Æ^³±ÚÕjÔ”¼øÛ¹öÁ4Ö9u!Mœ›º±ÝYÚ¦D”1ÚfÔ±;(‡ÊPªN³þÁ¶|0GDa(1».„ ªò¶ü‹]iÐb 1ñD"wô%­ a&ƒÄÍ·I-ç¶ËA‰ŸP:8N\BKEÞ¥É'‡'€QÜs‘.sxo¹ÙºÞ~ ùüÇjéjéPDú/¬¥ÝJ¾>£q#Ž% ’,ŒDÔ¥£ƒÓ& ÖÒ&þp}³|½¼:õC¡¸7v†.†Ï$d(¦ŸëÛÔ·	™î¡û-"9‹x>o8ªE¢Èe élF‰ À'ÀÆ]]³ÌØqËæü^–ù¿IUA!}!U…5N ²òÄtHÚ¿êNPÀ^$apÔ[´b:ÒnÄĨÝ«Ô §½Ìr‰ô ;Œà8Šß*„Fs :®9M˜€<&T`Êi®-UÃÿÒ{rY
-2yMeRÆŽ‹Áx$Š˜m³ÖÞ†ðr¹•‹óV´,Ê	ö‡’Í¢"9¼†Ç0?–ÜÞ‡®\nògP$nU.NßP$ÄQBêL|%œ66u,ª>u4üÜŠȲ¤{Ûu‡]”ûso·¯OEè}*ètG–¡4¼¤µG…›´
KU>©TëÊÔÒl)cj¡È+-=«é[Õ­mäkÈV ]òA§Â
‡R Gš‚³Ó,T8]°sÝB>EíC“Þç¸<ߺhîg#@£WÌ\ÏœuPOãakÊ÷à[@ú³N[G55µ,i`;¢¡ï>ÇJâÓ)Ô™ÝزhZs_
íÚ.þ¾¨žF½(‡}èMßæ 
-Â$úSúóácìóJÊÁÅݨ"t|2ˆð¦=ì
-ÂЄ×ý½ÆݵýeQÚÖy±§;¼æË5!ݵj
u%˜zOm+
-RWH„¶fGú`2)[^´…KÕ±À<±2ûdzièÍå+"®Bj™ê
-””Ss¸mò÷@]·y^Q+ÿ¹>=Ž`íùûµz.ÿê–0²F·s·ÓäåÝø†x]¦MãÊé,ß᜕».¤ëp>“{>}A™Ÿ~{h¬°Û|üfÓéݤîfÛèÒ߉Ç,i9/ü|xcÛiµ.YÞ]5ô[/@=ŽÄ\4a£©¡å{1#
-¤…r‚–W¯Þüv~1WiƒŲ—Döª²‘€J5°“iÞ;L•m	ÇLD2	5jïLXèž~ê/ùÓÖÇúØÜ7|Ñ~ßØ)é^È”}¸Q®¶€F™Þæ%õá¦HPrp«A=¦hµ*wÃ	ä´Ùå{reª ¢¶Pª5{±?9YÒk··µ‘vzgK:€h3ÑnðÚG#ê},§%ÙY;Å`›îÛ#øœ>
¾pÎ4v¤îvFŒ@ÑLré@÷·™»´˜ÅA·ñf²Ix‡L‚‰Pè…€§¯{ÞŤrÖùHÜ	ôŸfæ2ÐP¤@Zá¸PASö>]§»È§Uü}qæµ8q¸ÓôÌëdoíÃE»O‹²»âËê¶{«šxÞƒgÄ¡óŒhàrê]‘5:"¾ìï«6ýüãÌü*Äâ5œ'á(œÄLG×m~oÆÑä$ŽAàÐò~Fäþ"v“B	´E¼ÏÄ0(å}8ö°|åŸyÞç‹/–Æ_ûÇýɦÐÇ^ìºÛu«*žð'š»¿:xªú?‘0endstream
-endobj
-1601 0 obj <<
-/Type /Page
-/Contents 1602 0 R
-/Resources 1600 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1564 0 R
->> endobj
-1603 0 obj <<
-/D [1601 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1604 0 obj <<
-/D [1601 0 R /XYZ 56.6929 756.8229 null]
->> endobj
-1605 0 obj <<
-/D [1601 0 R /XYZ 56.6929 744.8677 null]
->> endobj
-510 0 obj <<
-/D [1601 0 R /XYZ 56.6929 576.1531 null]
->> endobj
-1606 0 obj <<
-/D [1601 0 R /XYZ 56.6929 546.1637 null]
->> endobj
-1607 0 obj <<
-/D [1601 0 R /XYZ 56.6929 456.8705 null]
->> endobj
-1608 0 obj <<
-/D [1601 0 R /XYZ 56.6929 444.9153 null]
->> endobj
-514 0 obj <<
-/D [1601 0 R /XYZ 56.6929 262.033 null]
->> endobj
-1609 0 obj <<
-/D [1601 0 R /XYZ 56.6929 239.2457 null]
->> endobj
-518 0 obj <<
-/D [1601 0 R /XYZ 56.6929 175.7981 null]
->> endobj
-1610 0 obj <<
-/D [1601 0 R /XYZ 56.6929 149.7409 null]
->> endobj
-522 0 obj <<
-/D [1601 0 R /XYZ 56.6929 105.3857 null]
->> endobj
-1611 0 obj <<
-/D [1601 0 R /XYZ 56.6929 82.1181 null]
->> endobj
-1600 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F39 917 0 R /F62 1085 0 R /F63 1088 0 R /F11 1431 0 R /F53 1052 0 R >>
-/XObject << /Im2 1074 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1614 0 obj <<
-/Length 2338      
-/Filter /FlateDecode
->>
-stream
-xÚµYÝoÛ8Ï_á‡<ÈÀŠå—¾‹Ãe·—Eêt]ïöpÝ>(6­Ä’›æþú›á²d«m‚Þ¢@5&‡Ã™áÌ3Œqø'FiĸÊô(É4‹¸ˆF‹õ	ÝÂÜ›áxBÏv¹~Ÿ¼z­’QƲXÆ£ùª#+eœ|üÄGK°î·ÎT–F£GøÁ™È29ZŸèH±H+åGÊ“÷'¿·;³vé›"•²(•É€Ÿ¤òS”±XIeýtz=»|s9EC€]uØu”Ô	ì|µij´[Í!bY­óbƒ´6ùÚøé¼!ê±(K¢nqå÷÷f³4KÇYÑ7ß<±Û<ìò²ø‹sI<2ØŽE˜Ee¿ËA	|¸3nßœVþ·Ú¸í§%
-ÙÖ
Ú5
-½)¡,‹"i-"ѹÝ(
-È­£	7\Ó7·ÓqP¬ïËbQ4Î_]÷
-‘°TkåÖs¬Žÿ;¾_ˆCw9–è4uÖ¶ƒ8“©„ƒ†,H@Xœ$â9‘&Y–¢Ô¡8[‰aW¤
¢žj¢Hg2ÚïŒ:Úã?¶T*–	®!ÿpšµÔLjˆ%ªÄðøª*ËêѸc»yrǶ͋²ØÜÒ¯eÕ«Àh‘q0¿s‡¹Ømél7ƒç—p–&‰:¿žJ¡æ)K¤8ˆ'
-Þrî‚œû¬á¬áA}opçŸ@î
Ó¼_CŒ0!=_n¾Ý­ÑnÚfå¾þ·S}S¹ü¦®Ê]cØ@p†R%ŒëpYqÆ%{Ú„1çù’C¢¶¨ÖVhÒóÕ‡àl8pžOÏÞ"̦@¿=»œ†ï'³?·âýý¼ÎæaW|ÎËÖ6pø±Îka{6ù÷ÙÛwWv~ý–‘ÒN•¸¯IŸñøP@´ŽX$²oŠˆ)°­›ûS?½œž_ýqᮎ‹bkMñÙ›)#&!¬¼÷O›&ÿòóÀÆ
-w}rµXƨ—B€û{¼Yà«6]û¹¨!„O¶¢0$‘c¨¶Å-ì±Ð,#Ïö‰l—1!#Ÿý+ë}föÂY°*Ñʳ˜.•€(Ä[OÀµGÚNÎÐU
-ˆm‰$¸·á_-L]Ó¥"˜y¥±i>Ëe"m,w;Øü‚­m~ÁïÇý‚³›E¹#€@ž…ˆ½ìtÞøÉÂ	¿¯`	BƒËÕ@`H¡ jAóëÇ¡Uæؼø.&ÑåÉ5K£ìíZréÈz¤sQ…ÁÉYµ¬sî5\W"˜Ãÿ28jF@¦ ™†5ª(Üzô0BØÌ2ELÚšºwxu¹–£‹
-ulò‚îdkÔ&<’P'`i…"ɨÙëó1äYýQTÚ-ƒjš¢l&ÊfƒÍÅ€PœÛìÁú®Ú•KâÄfǶ¦nª­q£ùª¶¹ø†J2HP¹ïÐå°Ÿèk'ö{6ƒ¥p…ú«
-`Hk(RÇ`u×±½pá¿uAµÒÕ†xïŒíCì ¹@Gè¨d'0°Â¼€Î˺rû»¼óÊõÛ ç&,‚TäZd•DØ"+èŠÝ|Mƒ7©DU+ú‚zk·vnï(\v…ñC›º¡sÛ™%ÉÎ{NŸ¥+ð"û5#õMî‘I¬¶Õš(LH`0ýDdî˜P–É›ÝÖŒaO7i¡¾hÇ’èZ,¼:¹úcÙ8e0îû÷æ. $vÙwš}¥Q³¤S›ê£Út>¿úûêR~\ùI¸tæ³miVù®l¦)vŽS&µÏ-K_XGÂB¸Ö¸òw4¡Ô{[`d¾fÂéH?æc|Xÿ+“AEôzÏRج‚ñ؈ÒÀÊõ¶….öŒ>rР-˜,µƒnÑqck)Üo~…/!üOÜ:/‹ÎRÂ5}NÌUoÌ@fmóÍ­‹J¡¡%‡;(q=*(¶Á——ÁÖ§ë³ýQËã£URפNãK	
–Mû=;7eèå…h‘»*1´cØûW¾·ymQß>×¾¸˜|i̦4ù_“:eáé›Ét2;C—ÎÿÿZ[9õv9æªw®|þtΦ¼«‡ª-ÉR.Ÿ›Ã&I”L_Ú°•y=¤‘Ì´DY7Í;RP9õ:7O÷ÎÀí ÎòÿoIÿƒƒ‚ž*c*ÉúõúÀõñI²$ŠU7ÀedÛ¢lY-ã`áJØÆÐxNŸÚlãÙD…/qÖÕζ€Ç8Ò©óÁÅ›ò‰¨%4 À²²±¿WÔ­IŒÉwnUHÞ¸¥ö¡¾$N?>Œå~è­îßu•f"nË£n¦â˜j„8q>Ãô~MõÑÑ·fƒ:9^›µ8L/ÓHÙ’¦Žü„“4ø°+ˆèí“$ßßWØBY‰»"^IÝ]MVíJ)oHÏú¥)ÍmŽuJrõb[Ü|äDâ@è“©¤7
-˜òóìâbÆÎfïЙg^žß€
?rõ¶û ­>T’uäž
¾Ì¹œ»‡0J"þIŸé{úÒÛØiû8ö,QÐyzôàvÊø0Âv-zé“_w-:`ÈV‰oZõAò›‚Ä·u\C|_9¾¡F®­”ú[ù{ÿ‡ÿ2µ/Dñ$Me·³í>2!|gI«šž‰CÝÛ¿a
(ÿ?¥Þˇendstream
-endobj
-1613 0 obj <<
-/Type /Page
-/Contents 1614 0 R
-/Resources 1612 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
->> endobj
-1615 0 obj <<
-/D [1613 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-526 0 obj <<
-/D [1613 0 R /XYZ 85.0394 606.2532 null]
->> endobj
-1616 0 obj <<
-/D [1613 0 R /XYZ 85.0394 579.9813 null]
->> endobj
-530 0 obj <<
-/D [1613 0 R /XYZ 85.0394 357.4916 null]
->> endobj
-1617 0 obj <<
-/D [1613 0 R /XYZ 85.0394 335.0205 null]
->> endobj
-534 0 obj <<
-/D [1613 0 R /XYZ 85.0394 253.3724 null]
->> endobj
-1618 0 obj <<
-/D [1613 0 R /XYZ 85.0394 226.0165 null]
->> endobj
-1612 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F11 1431 0 R /F41 959 0 R /F53 1052 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1622 0 obj <<
-/Length 2826      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝoÛ8Ï_a,œÄ*¿$Š÷æíºÝ,Út/õ‹ëöA¶h[8YòZrÓô¯¿!‡”d‡qÓk~Åáp>~œ™Žüè(N¢D15’JD1¡ñh¹½ £5Œ½¾ nÎÄOšgý<¿xñŠË‘ŠTÂ’Ñ|5 •F$Méhž'®€ÿëÝíìjÂb2~uóZ”‹˜_þ:ý}>»ÃÄMýùæöìQøxùîöÕÍëÞM¯¤ÏoÞÝb÷ÝìÕìnvûrvõqþÛÅlÞ±<<%Üðû×Ňd”Ãé~» Wi<º‡Q¥Øh{!bÅ‚sßS^¼¿øGGp0j—ÅDIÄxÂr4$§XE	gÜʉE$2;³èæv2ýå—»hz÷ûä‘8þíôí›8/4D|L(T3K4Š‚Ý”Égîæg>±ß‹WÀ}0؆©(M¥²Û¼Ö•Þg­]Éxœá£Ñ­i$ãz…S7\åØxû>÷W4ëemŸy¼ñ4ßÖž^»Ñ~Áß$	SÇÅzã6Øt$›"ws‹æˆ™¿@.ÇéM»/ªµÝ&Ï=q;Ñ¿/Ê2$Î…Fk4v;KÞî7ºÂr
-½cšŽ9³
-™ƒ–ež;{äz©›FçNÎGt"çËww7¯onQc³?¦o3êýòõìvv7{åN@½ØüõÝûùäÛS71pÝËc:ôèEšçOŸÑOa“¡2Rœ¥–²þëP|ÊJ]9qµuX¸VÚµvou˜ÐOCYwKx¡gßsÿäJv~K’`xá³·äç·äÏ_x~KzEPl=Éä±ÀÁ2ž¿6ÄÍÖS@NJÔH¤"b‰PÏÁu®x$‰<Áõÿn•çNÃã(MâøipZ®éW“šø3M„Ha±Ý¥Á†Æð«R9¨¨ïŒ}V­uÀ©¤@I;k¾±^•¤ãeVaÃ"<ëÊ6$‚1t´÷56Võ~ÛüÀPdÌöí¤ië[µÇgßÿ¢iõÎ@gÂÇ7žÔÆmò'!lß´!30»À$¥ÐñáyÈ»B”†]e6Ò»ãix‹@£­ñIaw'ã)@´í°'23
“Ž¢;PDôµÃžôöÐ8šò‚]ÝmñI?2J!AòTn
-ü>›0ÖÇ!„œ'€ \ªo Ù-yÊИˆ#š¢“ ¡	¸õ{örÓ<ÓÌ8%ã\7Ë}±ÐM§Gì¯ï!À¾*ÛúÎÕÉ,¼÷›ú`KÃ'ÑN5Ê7Ï…›´ÄYräAÄšVf¢€;·Z—ÞsŽB3	)w¤ËÀ¡Sˆ'A18áO“¼.Ëlïé®+è£îía»¨Ë_î‹vSTØ6g}¼7+ËNža™ÓÄ'vs0fA¢_°½+³%„#FÆ@¯îÏ#£^<˜ÐÆ;«”ã¢5!›õpè†+ø _+>ž_)6®±A\Šq”AÙ7s¾#jõ¡ÝŒ÷1ˆ©êWc.‰Þ+º—ÙN÷‹ç4’	j†%ê£d
-†)ãy,²å¿›2k6¸”ŠáR
-n˜xÉWâ`ê)õÄ
œ5ÖÑ:
-cI$)KOˆÑSb⌑ífr"!mHú˜\¡ŠqÖ`A,~Â6{@iÔ»¶¨«¬,Ý»u!x®Àšë{£Ûû€ÆCØFôƃJØÖyaÀ]ïÈý¦XnLüvcï&Û®-,&ƒY®,x›÷º[\ÒMëlr=#jÉí¢ËÜmSäí›ÇX½Èc¶"Ç·À$¤=ŸJ\E%`´-²‘–öÜ0Á¸…Ëꥀ1¡ÞXVA‘+N“F”zÕ"ÅÅ\ÒAlTl·:/°J·#Èâd.Œ;:’9(Ç6ì	O*Ši|Î"dÄMvŽ²&E®
-ÆiIáÈBWOÙ¸ŸÐ+þõÕÞ‡k£¢”ìÄÒ­\?Ã;8‘ãW²@(ús¶Ý•ú:ÀR×ï°óÉS‰çž
-.çk~‡ @EœŸ9Á‘šÃ©œÁ­•Ç*oÁdZc¹i:fŸÏI½ç@cyØ£i›¼ÉtXŒAZ	¦Þœ¬p·í¡t27!ÃG®—Å6+ñÅ^_v,àr_4²4Ùeynñ=!½Û²„º“x÷5MSâ‚BÎw˧¬(³E©Ýl{uà4Œb³s]3§ã÷ŠI m¨»Òó€6’ˆ¤’õîJ¯Qœ˜ˆŠžx`½l­@¸|rK	¬¼Õã(æêxGH(ÔxÖÛ‹œ§Oí &ÞÂ>!ˆ‹ÎÁ7>Î"É;?û#kÐoÞŒ‡™Sv;Ôõ\ØAw!µ¯Š…Õâ	Qí7]¸*‚pš>ÿ·¡k=‚X_=÷V_á.¦¶b¢oy↎m‘G¹R¤I¹^eÖÌK7šwi—À	L%0åê»qÖÛ¹&a<¢ËSúM˜ª0“ƒ³„ïN ©ø×¢U–2¯"›¼½ªnQ(Ù¢©ËC«¿1n©“µ+ž
±-¸0†N® 8& /elÈÎ@µUîw6(–íL²‚ùÄÄT¶c¸û,ã¦:5üÔèß¹B-wXŒ}¶’h[7Øö©X †b…ïE‹ï÷8 -BÃ×}‚ØW¦D&¡ìg€,6ö©±¹	öêÌpÐwE0”kËŒe.³Ë)½Ë°ÎkÃui²q€t³žÞþˆ‡7„)€VËòëæDþ–¢+–âVs<p—õv—µÅ¢(‹Ö¹ÂŸu¶/›ŒB·ÃM(f RF©êÀü2OQ™ô¿·)³CÓ¢Ž™èr×uU|ÁÈ:F³¨òÂ|ù•ˆãó,á6à3vêäad'‘K/º¡áýùt±bXøÎÂB_­øñE1F€xr¶TÁ8d\惊ŋ¶üj©âýÛZžE$W|°b«'m=)‹O®ÇF-‚ôSÖî«FŽ¯ÏŽ"tRuà#Ý–¹ß¯„ǾQ:ÍúÏ
-EµÑû¢õðä2Ûc„‚ÉÄ|þæh]V-ý燫t|(u}=¿^B¢t&ÿ”¡]öuê2üÆÒ{LXpwÁ½>°.982`<Þµ:?6o
l¯Tcá(rÝcAØÐ{úQE¹oæTòHpr¾$Ç U${NCç,=fÞd¸[oû¬‰dž&ý§Ò—•aº«œÂÌmÖ.7ØÙBÒíé}1uæVw<{ÍÙg{ü-là7gÍ–þ¿™íÐ"~”ÝzÙ?Ÿ¤_ñ¤Ý&¦`ó³vK!ñ&	uøü°ûú'[¨5‚˜©ða,<#®#ßw¶SqÑ).Sœa„WñI°ò¾‡¸z’”ØV Ï«´¯KZëk{Â3×Û}ëv_ª«õiøüQÒìÿ8ñ¿øbg‚+Hò!¸)˜ÜyðŽGÿä`2DÊ9hŒ@‹Äƒr<ðOPpšp澃è0ºÐDv	
-~@7Uù,T‘àysEyá¸Å¨d."ìÿ/£?·º2Ѭ÷ÿ2À@Äü¹ Û»V½:‰"ˆr,°¸U_ð¡‹ÓK×6嘬uQÊ"*!sœ@Ž†2èùIñ‘×>ªïi ¡®=/}Øêl÷$–éÎñòÍôýû£Ô¡‰žúóà¡ùÇNà¯:dôU(|îƒú?G	[ÕcaKé,Ê1e¤¤Ø#Îý?ˆ³þïVÉendstream
-endobj
-1621 0 obj <<
-/Type /Page
-/Contents 1622 0 R
-/Resources 1620 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
->> endobj
-1623 0 obj <<
-/D [1621 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1624 0 obj <<
-/D [1621 0 R /XYZ 56.6929 496.6186 null]
->> endobj
-1625 0 obj <<
-/D [1621 0 R /XYZ 56.6929 484.6634 null]
->> endobj
-1620 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R /F14 757 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1628 0 obj <<
-/Length 3177      
-/Filter /FlateDecode
->>
-stream
-xÚÝZKsã6¾ûWhO+WE^Éã<Ýh"%ZžÉè05¥R±Ñx5_7>bðã£4Ž˜ÌÔ(ÉT3f«6z„¼Ÿ.¸+3ñ…&ÝRo.~ü “QeZèÑâÓV±4壇ùoãwÿzóËÃÕÝåDÄl¬£ËI¬ÙøíõÍ{âdôyw{óáú§ÿܽ¹LÔøáúö†ØwW®î®nÞ]]N²,P_uZpuï°’«yÿpýîþò÷‡Ÿ/®ºƒäL¢ô\üö;Ía¬?_°Hfiµ[ìÛ݈ý";s•·ëu½iúmæÓ¢,Ú]¿GÛ…É]'õ†¾óíjÝ/÷g]¹fþϘ(*.èWàpD<®¡Ï
‘$iƒ`‘ñød±*R¼£"ÐmĔж²ÉŸô(xÄîŠP«ÔCÑÐw¶ÝÐ`ª¶Ü+Ê‹2Ÿâ$Ù¤+™;1óÎtîeu¢^4ŸÓgZTùf×-o1á Ÿà‰ð
-!›#Öôi@²¢z$ÀtïŸ
EÕšMÀÖS	–ú:õ½É©Ã祩zÒ0ÒXéî´
4-aªx’ºRèXݸÈ/áçx4‘),c)XX<0}-¸ç%òEk§/ö>Ùšé&¯š…ç×îkå¦Jëu¹F
¶ê‹l×àgLs`â	-U0C‚(˜ò½1µ7^ ­ñîy÷ˆt0C +cæ
‘U²!¤ë¹ÚYŽG”qI(sÝl—Xm=e
–Ũ–'ÀŽÙÍ¡TéÄÙ¬“Ç5±Z½^À‰þBãÌÐ'XЛҺ÷23MCº‚d_Äk–õ¶œýˆãŠ5y-H;oØE³bW¦¾˜-{ÍuÂxeœ¤Gw8™:<¡n½bcæzí¬ašcæÕŠÜݾØaJƒ˜øBMr÷5éý˜Áv"Ò4Jcˆ€{ð}S¶0òÇ%*ž¿°¸h¥™ä¯àûäaämnÓì[·DeÚçzó‘Ó]ëØ5Er6(‚¤…%žêbîÚ ho¶,Z–úÉܬM5ë§2ØÒeñXMhü)ÓBªþ¤®l%¡Ä¸©éÛ.sÇ)üMRIazµµ 
-ãG
-œ0åó×uÓS™RÍø °A†¢%×­·Ê­·Ê­·ð幜¢jŠ¹ñ2©x8ñÁo¹ÕõÀ`›øöX–ÖšköT­3Š_
ÂÀˆ—Ë…´Àð
¹6†ÅŠƒ€ßÅ`E¯!F3u„hÔÆ×ÐÉ*ÿhz²ìõÌi>û¸]»ñ,öòXF°sØðØ)ÀÜ¢q¦ ’ˆóX
…¡h?¦£v¶~`áÁÇ™wb³‚£
g'êµN-
->+ˆw´p»#Å"¡eê6[ÊmµºÛJ¬ß@”ñÒö*t’ÑnÍ…ÕšÛý¬Hƒ›háß·¬í:
-¨Wä4ûÖ-¿¨hÂÈ
kg¬˜Bæ¹q­54gGm+¼Èg>“‚*m‘¾q<«IÁfëŸá2@LÈ|aU‚à+ëj=m7S“v·9ý‚”.ªY¹û²v(5«·¬Ÿ-É*3ï.€z6aãqÜ›
àë4RbÞpµ·2yæ½Ø–~t´;rÛšàøÝÞ’Jw§Ê4w8.šnt.$kæ:y:ßkg¨«Ð„Oõ¦øÓ·084—E]–õs¿  Çv(è:8Éât¤dÉŒëÏ;áQÂtÿpäoUòB AÁB}òt†ê1hÊ‘¾F¿©‰ÐDÁœ+‰Â¹Ko•‘”àeø.&$wç$ஂÊîÌ[ÓÐùJWcT•qžº=|Ì¡ÉW¤–
-öiÚ—šð“dãj»šZ˜&äÁ‘W쇩÷7÷”MØtã³Yè9ŒÅäÒ±ñí/ïnß_áB p¥±>£6*’%z4Ù°}˜”)¬”‰ˆ_Á$Q•Àä¯[³)ÌËìvp.Hž:@²+´…¤Ld€$Ò6¨€ï’˜úÃÈ&ìò…„…]Ž„õ;w”ÜîÖæe(žOßa6RɈ|— ³(cé+P”I)Ó1òí¶}¬?Š¾NäO
-í¡ØÚBQ1 ˆ4BÑ~Ⱦ{(b–…"ÇPŠ±ÐŠD5v÷‹¤sgK,
±÷‡­Èv¡j]ºcËhðÿv¡¤_é×>y*Ìóe&Æ'¬àlð;d¡£8Ë’W¬€ÅýeÊ
mqàO5öÃÑéël¾ù¤üÁ ºòw$…†´Á)ÇT>› ²ã§¥îFCÖàö)¸±€*'@y6%|c Tg%,¥,÷PÂ"•Èõÿ/œÊZ‡aª¼š™ÏGf§Ã³!óä 2»ƒè!S÷©=Ý	áR'á@EÓ®ÛL†ÐÙQG½ÆKÜ
-¹ÑÖ¸yóÒ	wsÏgSÝ÷j­a·¢_Á³ÈdI{â;¿.~.„»}œ+Ú8-·‡pOî.„•V+{犕]E€­ÝèÄ€X<°WQ	§ÃÂÄ[ǘ:+&>èmãoFçSø7üTF:ÕâFäk¼|ž‚ž•à¯?•ÆèD›Îû¼ëÎ!îsâ¢ÛÉ׉½GþiÁò»‚SœÅû8;ÓgÏ
ÁòÖ”Û¿@cž·
yopÈŸÀªlx0fZÓž(Öáœ
³Ð8o3«Ð«ÂkiÞÀ6æ‹Ù‹Gå_® a>ÍÊÜŸ¾!_3…WÉÿ «Ú”Žå#"´K4¬ÔŸË¦t©»…/ŽS:UGO6.—ŽZçp*ƒö»-s»iNœ"¥;ýAŽÕ;‘öf²>VõsåÊ×ÄšJ[=O†tå•/
¾¥ËsÁÆþ›—xã#æÞ¾@!ÔÍïîî¯DÍECCùŠÍÎù¬àûÝìp°W-å+'¢øö…'1-gõì£q§Û×?Þ~öjÜíé\åié½OrÒóãÕ8ë”*KÂjáùäOJûrdèDô	ßEœ@âÙÆþm Qà;§„'ÒGOø:ïÞ=J¦£Tdx-Ž·‚‚éáùòÏ9Kq¾2º=Ç—Bò©u[HÛslÆý®8a×t÷Æ„¹KaøÎê²ô×ÀÌߦaËKë›\û6üáœ4þ!s—ì¶j§Ûeîú	¹ù¶]Ö|è8à=_xʃúI”h€bLšS·Žpií_þÐU޶ᾔnŽÓ®UÄÑþ±ÐÎµêß×Q¼åãóƸ.¥ö6„¹ùþu ÚÅW@E»$&¨¨8x:ä'ëØm¦]ÓÝÛ
-®’Hòìà=Ûµk»©ýÌ,·!z÷^-º­]÷c½*ÚðÊdá%…æf‘oËv`á±óšÂ2£´y|»Rwt‰Ã‡¡zx®)ïf‰ê^ßJwU‹EíU­ì\Õî3ý»Þ-2ÆøJŒo+—S4¾}×µ¯².sâq÷ˆGÒ¥±{¡6ôl0¤È›;úIõþ‘9N}šŠ¼¼÷.N(œ…L»b÷öúXô¿ïƒneendstream
-endobj
-1627 0 obj <<
-/Type /Page
-/Contents 1628 0 R
-/Resources 1626 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
->> endobj
-1629 0 obj <<
-/D [1627 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-538 0 obj <<
-/D [1627 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1434 0 obj <<
-/D [1627 0 R /XYZ 85.0394 752.4085 null]
->> endobj
-542 0 obj <<
-/D [1627 0 R /XYZ 85.0394 542.1781 null]
->> endobj
-1630 0 obj <<
-/D [1627 0 R /XYZ 85.0394 510.0725 null]
->> endobj
-1631 0 obj <<
-/D [1627 0 R /XYZ 85.0394 447.7453 null]
->> endobj
-1632 0 obj <<
-/D [1627 0 R /XYZ 85.0394 435.7902 null]
->> endobj
-1626 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1635 0 obj <<
-/Length 2603      
-/Filter /FlateDecode
->>
-stream
-xÚÍZMsÛ8½ûWèHU",>H€˜=%ŽqžDVv§v2J¢mÎJ¤F¤äx~ýv£AŠ²eQ±=[ªT…`£Ñh¼n<4h‰‡¢i¦­´=cCqõ&óÞ»¾'Âëj¥A[ëýèäçÊô,³ZêÞèºe+f<ŽEo4ý-Ð,d}°Àƒ÷—l #\ú&Þᣋ«ÑÅéU`m,ƒÓŸß}
IK·’Ä?ýåòüâãס7ðË%‰‡gçgóËÓ³þï£O'g£fíE
-®Ðû?O~û÷¦°ÖO'œ)G½;xáLX+{ó“0R,
-•ª%³“«“/ÁV¯º4Á™TZî@Mª]¨E–i]ˆÚt5_¤SX–ŽƒªÀ§
ªÛ”ß8—3ß.é$CiÛ`|ïG6À“‰Ödf3BGà"NSVI••U6)Þ(
Ùòݲژ9jÞ¬–0²Èi®bmˆ–ÒQ0"7mP€KRÈJz.û"ÒyQ¥³{RJ&“´,³1MÝH¡™Š4à'³Q$ݬë,õXî![~“xr›äy:£Î»Û4'ñ„³œÛÇx3åâˆ#MkL:OóŠæqËC·¶‚9uPèÐÑGðAoOPøÆ#^¦é“¬À),¦õ-ozÔîÜ°-ý=©WkáÚ®Ò‰wÍmA	ùÿÐ!‚á–;6@£ÕáÅckè$ÄŽè
 %7Qo ¢Å2°SûÁ9÷)ˆ<ÓÎx?Ïv¦8‡¼™
EèŒ5ëô{E­ëb9O|»|`÷*µÆéM–{é]VÝR+¡Ç,ËÓ·uó¿éO;Ö~ì‚%½)úšgßeu?ó–«lž‚Ö|WRó4)WdØH¼É2…­1­_²|â-|JòU²¼'eñÖ‘ß&a
Gîá:8/f³â.Ëo”âwëb¦¬ŸZn¯Â3!•2õÅ5=·¢
-Y±ïƒënÃbC¤˜lr»moŒpS,³¿ÜÞ‡‰ï˜¦åd™çë”Ñâΰ²µ"Êæ²½_-©bŸT¤~™ÌëM’.׎¨wdhïÉ#JS·
- nÓò[h¤ºL•Ôåà…':\¢ÇRi3t«$Ë)pðN|)Ìv4œÑU^9g¡sÌV^ïÚÞaZîiVÏŽy•Ìè…²ìÊ¥æCXÜ9ÖR0MœfI²dd³d<ó*Þ­Ò=¯ÕÆ”ë묺ï!\¸:õY
-ê·É:%YB‚z…Ú"îÈ2Éò¢"iy[Üå$sG6õøp¡IŒÎ Ö¨¶âK3\- ^+\¯Ï?2š:ìWd˜áM´Î¦yÉ»c4l¢²}¿>ûpy…µw{Ò:dOBÚröµëo€4”Lh!; 
#f€Ók¤Þ'SÄå_î.ä³Ñ]ååj±(–¶7µàà-›oBÞZÌC®8“¼‹s <1V6GÄèêâãóav£È‹¯‹£xMEÌ`Ig­”‚ÅÊD5>€ÄØF?Z¾qfrͤL¢Ü²8–ªE/JÎ,_'³lºùH²ÉÖú“Lö
ôev“'•ÿŒ¼ûÖªŽ{aC¦BíÇ^XÃ,ÜXZ8ýŒ5q0ìGQ€¯qpc–?’ÌmW—D,™Š£ŽbAij†ª¦w«êöËò~˜þ÷’8Œ‚á׊;U,3¼®ÓM玮œfët“¼X¢eéj/î­q"ÎBÅ;*
-aBÆ…®+ŠI{		¸RUkPŸhËÕ#4Šá>ÝEZ‚‚ê…_¯—LAy6üúëù°ÍÿyýÇÎe’—×õg§H¢Û×GÌ¡fhv`9®©„øº˜&UJ¹ª¥xAÒ
ï‡û<™g_õ:/Ä·åúç®
-Y¤ÃŽŠB(hD¢®(ðC!~p*PÁÕ»¼<„h‡°Lójt-§Ž:)™æ¶kßK
æ´hP¹;Ùr•ãß¡HÌQßbÊÅA=¢•ƒ?‚iËÛ#Þï‚3…]5™7â”ÿpîý„ÐfËÍãMP3zû±ä’É8Š7ùyà]á	,7wƒý¶œ;^cÍLW2Z°¯¸nP9ôþú~/°ûqܸøRq=¡ÄŸC2%Ä®Šñ^'ćþ.só÷Ð@ÍËÝ¿8“Š”XÉžŠXè?ðÚðõ8½VËõÿº(Oæendstream
-endobj
-1634 0 obj <<
-/Type /Page
-/Contents 1635 0 R
-/Resources 1633 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
-/Annots [ 1637 0 R ]
->> endobj
-1637 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 732.5838 116.8967 743.9759]
+/Rect [341.1654 530.1591 414.8187 542.2187]
 /Subtype /Link
-/A << /S /GoTo /D (statschannels) >>
+/A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1636 0 obj <<
-/D [1634 0 R /XYZ 56.6929 794.5015 null]
+1588 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [434.6742 530.1591 508.3275 542.2187]
+/Subtype /Link
+/A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-546 0 obj <<
-/D [1634 0 R /XYZ 56.6929 718.3947 null]
+1584 0 obj <<
+/D [1582 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1316 0 obj <<
-/D [1634 0 R /XYZ 56.6929 695.4159 null]
+494 0 obj <<
+/D [1582 0 R /XYZ 85.0394 740.4694 null]
 >> endobj
-550 0 obj <<
-/D [1634 0 R /XYZ 56.6929 492.5344 null]
+1585 0 obj <<
+/D [1582 0 R /XYZ 85.0394 708.3638 null]
 >> endobj
-1638 0 obj <<
-/D [1634 0 R /XYZ 56.6929 467.9557 null]
+498 0 obj <<
+/D [1582 0 R /XYZ 85.0394 708.3638 null]
 >> endobj
-554 0 obj <<
-/D [1634 0 R /XYZ 56.6929 360.5123 null]
+999 0 obj <<
+/D [1582 0 R /XYZ 85.0394 678.508 null]
 >> endobj
-1639 0 obj <<
-/D [1634 0 R /XYZ 56.6929 338.2011 null]
+502 0 obj <<
+/D [1582 0 R /XYZ 85.0394 621.8501 null]
 >> endobj
-1640 0 obj <<
-/D [1634 0 R /XYZ 56.6929 338.2011 null]
+1586 0 obj <<
+/D [1582 0 R /XYZ 85.0394 599.5389 null]
 >> endobj
-1641 0 obj <<
-/D [1634 0 R /XYZ 56.6929 326.2459 null]
+1589 0 obj <<
+/D [1582 0 R /XYZ 85.0394 513.2226 null]
+>> endobj
+1590 0 obj <<
+/D [1582 0 R /XYZ 85.0394 501.2674 null]
+>> endobj
+1591 0 obj <<
+/D [1582 0 R /XYZ 85.0394 321.1429 null]
+>> endobj
+1592 0 obj <<
+/D [1582 0 R /XYZ 85.0394 309.1877 null]
+>> endobj
+1581 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1595 0 obj <<
+/Length 2791      
+/Filter /FlateDecode
+>>
+stream
+xÚíZ[OëH~çWäÑHƒ·ïíÃåsl‘ÎîÌ<˜ÄkBœÅóë·ª«í8s¬v…„Ëåv§»._}Ým>`ðÇÚ¤Æ?°^¥šq=˜Üî±Á
<û´Çc›ƒ¦ÑA·Õ÷—{;•vàSo„\^wúr)sŽ.§¿&&•é>ôÀ’]œŸìÍ’Ó³ŸAâRi‘ýp8¼<Ñ›~v~LO—£‹óÓ³OŸG‡ûV%—g礜žŒNÎNö¿üqïä²rwZœIï¿÷~ý
¦0»÷X*½ÓƒG¸a)÷^n÷”–©VR6šùÞxïm‡§áÕç̤O¹ÐÆRÅùö_¥_`ð«Q2õ8Îõ=à̧þå•J™g+ËÙ±<ç:Uάö©‘ð-<Þ?0Bèd\—wûÜ%yF÷*©g9
+:™eÕŒ¤òš®µXÞ_Í‹	©þȟ⳪*'EVçSjôXÔ³Î[:©Š›=ÔÉñù}2°*õZ˜
+'Gög¹ÈÁÓ’³ä8¯&wž†-ѱ§G$(&Uºé]¥-Ø×Ã|;Vy¥¥r©„ ]
ôå]6olwž)—Zö8OêÔ
+>
/À}Ê)“Œ—ù¤ø1þC›ÿ¡p3/¯²9É˲*ê¢\D»Žï—ù>Oîª|ÚØöꉮ?_í°hg¨¯›þÊ¢Éß2˜K!´{
+ÝXc\0ègç§`QîDr6ÍõʤÜF“‚p4üLB¶@³AÖ Pq_C‚	O2º•U
VÞ¯E3<	Ñ
1š·&ÌSïðÇj¢oàïàãT*¹²»ýa¼O6*Lûl8>9úéäŸ`!+U2U>SB©ŠnózVFP¹#¤D+7ts6¬òVµê[@ª»ÓïЗÒç|AŪÄ_u­ð¶ÎRoê,Õ‰©42V§^²ËÙø*®fÚ&£|‹	äP†ˆ„DÙ4M6Æ–U^A‚p.\ròu	^¹Åwçî8?Øž»¹“;Ò™é[9’Õý-	Ù¼±Ý!X•„Îw;D‹ Â«„ıµâ.eH¼4åPÁóNÇ{ªà·°ja‘Ýæ‹éäsÕ4ëoÍÈÇ›bŠõÙýwº¡á-çÙ$¸4@©!uÞyõª¨¾Ã{—\Ý×áWÙFXÔż€XÞÊž…˜€Yˆ“U†¸?ñ¹ql)œMn³å’,Þ]åõcž/è†Ì‚‚:háKª‹ºõc³­žéMnvu'ýÏ*w)3²§æ	¬‡)ZbŒ†Á7"9[.ÞF)¬HšëxlÊ<ÜD[/AQP}%íYØfg׊Ξ…µ´eŽïíHœÕçK°n÷9f×
+8‘8~l¥EÖA{ã•&gÆgŸ 
+Ü%Gå¢&ú¥ï²?åDø¶(«ï›2ˆªiVgx„ÌÖw‘ðq±íêȻ×àÝÉ|à³c®]
+¨Ñ³çN§Ö©¸øØ—6¹Ä$qå}Ô3±û›Y<¡En¨‚4Íž	'‰ÄÄPBF„×ÀˆB«Œ6±Q^ÄW€mÏ•iA~ ‘’Èé¦9I‘÷ CS-Ýðhãó×$æ*óœ]}\°AÇ^“Ž]›¿ÕÙÄ{„†@*xO:rXzxîha’Q;ï;ÉhqQ¹:Ê™ˆª&Q&2iãf€:Ü’Éí¥¬!˜’o~. 9L|ÁUÑðõ¯¤äq£Äï°Mø>à™ˆGÕÿ¥ºÞøÀx,‡÷p!ÎUÊ´$ç/q ±q€jùª|Vu`¨¡
+_Ó5£&´.Z{Ð…qÎÃñ—]?&°ðx}Å—u™~`3Œ÷ð½)Aôg<<Å–ÝVÌ%õ>OÐ(óÅ4,‡A–óbòDòé,"Â2úž %P¨ƒB¶Ýè7ÅC³%_¯èÓK6Çá'v}óÛZäuFÆZa|ÁÚÆ=÷M7ôo¾ôòÕWôʦҹ-ÇoÂ:ð)t±‹}¡MûË÷휥PVEÓª3ôÿùnendstream
+endobj
+1594 0 obj <<
+/Type /Page
+/Contents 1595 0 R
+/Resources 1593 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1574 0 R
+>> endobj
+1596 0 obj <<
+/D [1594 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1593 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1599 0 obj <<
+/Length 3301      
+/Filter /FlateDecode
+>>
+stream
+xÚÕZÝ“Û6ß¿ÂoÕÎÄ:ñC¼{J“Ýfû‘æ6¾kçÚ>ȶÖV#K®)­³ýë @YöÊÙÜu;77™‰HA~ WL"ø'&YFÊèIjtG"ž,6Ñdc_]ž3õ“¦ÃY_Î.þr­Ò‰	M"“ÉìnÀ+£,“Ùò§àÕ›—ïfW·—SGA^Nã$
+¾¼yûš(†>¯¾{}óÕ?n_^¦:˜Ý|ÿ–È·W×W·Wo_]]N…Ò±ŠYüëû·W4éúæÛ«Ë_f__\Íz‘‡Ç‘By»øé—h²„Ó}}…Êdñd(ÆÈÉæBÇ*ŒµRžR]¼¿ø{Ïp0ê–Ž©IG"2V“i…Zˆó»ÒìÊM©Bƒro
+‡NC§¨y­ÃÈDÍK5мÐ*Ì”Š'ilÂDÁªþýíeÿD}%:¸©ïšÝ&o˦¾œª$
òyÓµØÌ‚}QUÔúP7ûššuÑî›ÝêØbw_.
+K½Ÿ£8Ú]Š,(¶UŽTPÿ$Õ¡‰c”Z`C:~øæ=L!™êua»r^,©[ÖlæëWÔi&ÃS[j0fš$r2ÔÁÓ«ÒY¨ÀE'S?á9M%afɧL¥àXR2Õû7×ï.§Zg2xç4ÛÜ—KT·Ìâ ÇOìóê·
l±èÈl»yUÚ5
çD;ÌâUkgmúP<|a‰úsÉz:fHºÇ«b·Ý•u–TâiKjÇŸ°ä@EÏeIïuŸÏÒ¯8oÉ(¥|òΟLˆÄ©iöãï›ÁìÒÈ øØ’>È‹Æ}—ö3µþ”âý±ÿ©×!Ét¨„NŸÐbbL˜Å‰öQ´(Suµbû¨…Íýº\¬±™pC"0lögøö⼋ÛÙ¡ÞsKß÷ßÍÞ]
+i‚Ôo×9Û3§Ï²ÙäÞj¶Ûn›]ëmû¦´m³+yuÞ‚CÝn‹]¹A>¤Õñ¤óäµ™ú„Q§}.£PÃS0פQzCþ»U^‘˜P¥`´©LÃ(=†/`ŒŠ’0“&»+¸…ãv÷+`°;Å¿uA:¾kªªÙ—õ
+õ@ÑV&ÊL¦a;\²¨r41Í;ÚAšP*„æ¡¿B©m(©-ŠÑË·´Ï{Ð,HݺuéH÷yUž8Iëðúíû¿žúH%bŒVJüÏ,ý)ù.ÎÒ0K“§îylD¨IÈå z¢âä`ù›º-vp•Ïß°á>Ï•¹ QfIüŸ$C¿â¼:bF"ÊžRGj (JS.w ê_¯ÖycA˜9Réò`îo_bešBbÓ6‹¦"Ê‚œ3o]ØB|ÞÒÀw73"8¹(46år*LÙð|R»ÍQ¨ ³Ž¿pCwD*[KuŸ²¨¿ívÛÆxsÌ»H&†#Œ°¬û‚Šè8"Ï»²j§}¦„\\ìü½$x$üÞÔ˜¥]»Wá
+ZuŸ‚]!¤P`^–‡ó²^ŽD‘T„©<÷N9°öó ?×)E
+¨FŸrJh$Z’ößšJxЛµDåf:ÈQáivb´¯õ¨³,Ù:[Cwþ@_pJW9@“ë•_‹E{Þ
_‚ÓÖ9Öî2n°ì”2(±œ”Þ'‘‚•
RìºÝnâQí
+ã¾v…±û|W6s²v:æm±á”°ÌÛ|žÛÞŃ>fçGWt¶në	®‚q^Rsö°
}ÁÏ;ØÀrÏå`ÿŸ¸BgY˜$Ù¸BÃ%‡"y€+D!@÷:°Yç&’#Áà][ÔLÚl«rQbüU*v98 ¯ϓЫ¢¸Ž'¢W;ŒØÛæ»Ö3÷Ëy×ÛÛ×
s.>æ°mÁ{nòúaÌIn¼‚¹ÊwŽUçÕòÚ	G­–îBAó\´ê:§B*|˜Ý¢å:ßöxýš—vÞæØb/âbMÅ̼½e&pj`yGºY:,®…v9I€U‘S¬ÔxáW:UZ"€tH)&äîĉçy‘"P<š‚¡%ŸW'礀F~w…»}M/—øßK–ç¨^Ä£µöbÖEᑪ·ýØ8ʤUd¾È	{ñÒÐ(™
îH³)r²„Jcrá”	 =¢ |Eµ¤Ž»N©{wr³Ë
O¯ÊMÙÑEbø®›=5´%¤ Ý±¿ÈyîœÙ|(¶Ì¥¬vZä‹uþ±NàÅ ]G|mÙ¸ÉT€c:†p‰·[¼?Hs¹I]»Tƒ¥ç}AC˜¨E0êøx¶ZËcÌ<¯,³BM,‰ù¼FG‚pŽÎýƤ]oÃ;6åšÍ ‚mƒ¡ÉËŽ9â`ÄÅh'Ö¿à—3O#»6ÞakËU턪“Äè|	q®„A«G\z´µö+9ýØ(¯7 BWe
`Õ•æpW~X—Õh@° |¼™@©-µœK`c^ЗÑd&øqS(ð¦ü½ð¨?]ŒXtQáó;‰ÛôÛPƒAöºœÄ}ć£`KA5Ø–Ït7¾¾œ;Û¶Ø9`R/¨Ønµ*,#ºýÔ*,Ï@²ÉÈ€ZÊ]’“K<0²ãp	DJÂðØY7¶
é	ì†×æôh_¯Fc]XiX*Ôw»ÅÚs›Îüf†=‘N—Ý‚ÀAìD²Æy6,Ì`Ð<{e݇òÅ‘–ÝŽ³7™rÄBÄ÷Å	\C0êË_wYÿ\4Ïx£ºÒGn4¶/\îóª{ôÖqÃió“øœÞI’ˆ¯¶¨¼óéGI…H@6áô„sÎs¹:¡€…„E¾Û•TF2¬MèÅÇšÍ/.s=¤îx›ëÖÌ©ì„Uˆ$l8¦ñþ`ø6ꦼÉplü­<Êt½%<"ÿYJ½mxcûØ:
!;îÏ?ç„\+I^©Pþµ_¡¼œŠ(Š@óB|Ãï\EŒéÇí®°¶/V}ÚF<®<¹„bЕâÎNFTþíðDêNo(5á„Þ0FzLh$zo1ˆ®Š–wpry…ãÓüáÃÞåÈÃ#ŽåêlÇXô¼NŒX—«µ[š˜®+ Æ%uX~È{º‚@Ã7
+Ô/™žÓ‡1k:x6jÃ_“*{Òo›75-á»d<2·ÔÛ~b;Ù”ÞˆS÷Ó‹~11zF¼Û‡ªà&D©*ßQǯ¨þ‘OmHs`¾›¢ÏGàåäÂÎ>çFÂ6§ë†¹ ßJ`ÙûMY$•y™›KðDðž$N?´ }¯¡rÛ=üÄÁ¦±îå'cfà)ðÁýkjº{!Èv8Q¤*ˆT•5½$©‘u«5
 ¬eÝùËpª¥æ`#0[Wo^ñ¶¥ˆ‹¹ÙÅDkÏ#b™(°A÷DqìSÞM”Û[2XX´'£\{Ž®tÅ 6nx$'>ž£‚¼ˆ‰YîËv=˜ƒU^@õ€q8;Ù¹d€ø:D£cбñÕÂI´t—¡õP¡<ª@ø¶ßÓë
+E9þÿK”–šÞV§‘KqαU·ôA
+°¾ÂÉ—ù¼Üõàbí¨å®éï6994H)pé1ŽüèUéØp* ”L¢2绸‡4WO2Ï»“•TäCãÕaR¿™Q«³ÅÉÂM]lšº\Ø1-÷{{Ÿ£çͽ»‰Æ‰‡±IÔ§õœs¯{  w@ß5½Þ‡èdÃ×vx-(4bÞ?7½!r~ß”^*@
+«Ms„Oà²Y†Ð袸ÍH¡c(핋̓J\÷à/ÐY–öWLñÈVe¾T8ÅGw»J›Ð©±A§l†½˜tˆÜª½CÎØÁÜŸ3DšƒÌß3RŸ=¸/™ÇÁ'®@lÛßÊ>)úÌ4†[ê¡$מ¼€Œ»3çdê±Ç zè©9›êLjS§æ¨çÕné{87t0tò£¡‰?ÌWÅrUœaÕW-ýn<ž©N4†ÇUǵŸzx¦ÃÞž×m´p,¤ŒzÄ•R_<×s1êkóUbG~?¡NM†oä)¸Ùg=Ü&Q˜$2‚…lji€±&”†~÷?}z&OþXø¹wø[@†*ËÎü•SÿÖ«ây¡ú3sªŽXeaœÉ~Ö@ôBxLendstream
+endobj
+1598 0 obj <<
+/Type /Page
+/Contents 1599 0 R
+/Resources 1597 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1574 0 R
+>> endobj
+1600 0 obj <<
+/D [1598 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1601 0 obj <<
+/D [1598 0 R /XYZ 85.0394 612.1852 null]
+>> endobj
+1602 0 obj <<
+/D [1598 0 R /XYZ 85.0394 600.23 null]
+>> endobj
+506 0 obj <<
+/D [1598 0 R /XYZ 85.0394 297.3236 null]
+>> endobj
+1603 0 obj <<
+/D [1598 0 R /XYZ 85.0394 272.6213 null]
+>> endobj
+1604 0 obj <<
+/D [1598 0 R /XYZ 85.0394 87.0771 null]
+>> endobj
+1605 0 obj <<
+/D [1598 0 R /XYZ 85.0394 75.1219 null]
+>> endobj
+1597 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1608 0 obj <<
+/Length 2864      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZ_sÛ8ϧð£3ÓðøŸâ½eÛt7;Û´—fo:·ÝÅVbÍÚ–Ï’›æÛ@@²ìÈM¶MoÚÌT	à RV#	jä¼ðQÇQˆV8©Üh²8’£[ûùH1ÍIKtÒ§úéêè¯ME½ö£«›¯LÈ,S£«éc/Œ8rüŸ·gÇ'ÚÉñëóß ¥Œuzüò—ÓwWg—4à™ô§ó‹WÔéñòíÅëóŸ¿<=v|uþö‚º/Ï^Ÿ]ž]¼<;þóê×£³«Nåþ²”4¨ïþøSŽ¦°º_¤01s£;x‘BŨG‹#ëŒpÖ˜¶g~ôþè_ÃÞhš:“•„!NÆŠä?E¬ñRx¯Ý°X9:QJDç¾À‹æIàÅÍvÆ.«ÀA(K8	6‚êÌhUÏŒJF0r´£à”ÐLŒv<.Î^ýò&“ã7ŽO‚	z¬$ôH9þ÷ÙÅÙå©èÈöb½…ƒõeÛz9íí÷AÈ8´ŠÃi-E=,ÆDa$A„Brú¡ä0=IÏŠ‡zV<´Áûì1ÑAglÂc×#`Ãð›SÀ("F:Q€Jú02=™?°§E¦”ÌS”C!:!ÓB÷zÜ\|Œ"sÀüï€	ÖrŽþÞ8ѲŠTt8ˆJ_Þ»g|D”Ê<â>*a³w=£Ýæ0=öÏÂ6·}]Öú¶\§l!}B‘a7É>H¶M¶„3pµÚnqÖf (ñV…ê«YN§MŠÙFÛñåeM³üåKzEEþwJCu1iÊjI/w³r2#ÒIµ¬ËºaVÕ
3¢AåO®Ë†º–›Åu±¦öM5ŸWwÅ”¨®ï{“ÌxZ-ò’Yæ‹"åÕ~UЭË¡|:]«l\Ô5×G—ÜØÔ-	=ê&_NóD<¥žówxÜTëEÞP»©è	m’^=–FÓú°].›b½,š,·úƒóöô¿®>q³øœ/Vs~©gÕkS—Ÿ»¥½ Ö]ÙÌX½»joÝ­âE>a´J¢‘N,¢Ûô¾¦YÒô}¹(çùz~Ï’yò¢¼± º(þ¹¿e¡ö’¢Cö´
¿jƒÅÿS1Ù®	Êõ `ÜŠýNH¬]AXŒä°>ˆß^¾oί¸¤Ô1¸ñù•M°É¼S)àŸµC`€ÐОìo
ñ™³ã ç„Cm¤+ŒÉÎE¡2ªœ^þÒGB·@a¯¶Z†¤'í™ ù;YáùVÁ¦É¾"+8È JKûå¬à°ËB‡ÊúËѧ0½Vlã$Ze
~’ä€çýŽb™>óšÉ_Š^s§å
jqS2KB“yΡ¸«ÎÀÀ†”íë„R2t‡t
'r	îõª¬'›ºNù­/SeŠ­Å¤ZOëÝ!¾€7G«È‹O1z=žõd]^§ç
ùXóm£.ö×ÅúS±æ9uSÑ’h¬\R¢¤ã9ÓåÝܲஔv¡íSmRcRÐ(õNˆû´Nz(¸?›²úN²¥ûN}ht£’à±Ê×M9Ù@jà÷²@ØLðÁsg	iêuµA{Ùr¹-?<Ø¥#hc:¢ÖGé$—‰%+±©7ùr’‚PcÜøšXÃäŠùü.¿‡õÔ¢‚Ò§ª  ÌظF‚þºÄ½PcéQ¸P7ÖØÑÌÊå_Ô•ÀSºexyI¯¨'¾çí“'Þ¯’O@Ï*/×ÔI, ðÉ›£³–¼ó%H°ˆN@Q5fNT”¥’ùçŧ<íkQÐf¨Y%ß”:;÷ãw.1p¤JÆ€„€­™ÏñݤåÐÈ®©¡#•Mðœó³¹¯›bQ³
+TK‹rÉÓïfE;V6à‚—|[ÖF«þ¢Ë–Tå‚ì9?uæÝFK®”L­d^C¥^¢¨æ40-æà§ë{zKö‚gÆ™ãí3ì9H
+F¤V½“ò£”º•Œ‰’Zò]õ˜¨Õ’«uY­Ë†…'{Ñ耭;‡±kç”>I;èëñ²¾¿ÎšÆ›–J;¼OßþЕVOÍê”æõ[%Çï:Â)d§šÈ§ÕÐê(CP£s¦Öœøžºò뺚oš‚ÞE¾„5ÍG­uƒ¦-yìÅ5®–s&lAÄCk+4-©€ßšš)¿w¬zA±¸aùɬ@ÇÛkÈ_y³iÍ›ÍÙíft¶ÞÐbŸÀfÚ)Îò~phÝÉ,ÅÄÔ[ѳÝs»„iï¹ÖØغnÅÒn¤XÎ:7T»˜Ø«]L´BÚÐ^‹MÝT8PÞÀiÆ3߀˜œpŸÈ„t>Ûs麮&eÞÓGìýÀ‡}˜ëO¹[Óóþa‚fò	ü8rqúæl7%ŸañºI"†IY<ÈTþ½Nú9ñQQ„Ýcøh#Œ÷ê>ºÀÚe³ÕúöèôäþÀèHP·m?¼Û€
TZôuäáþê»å²t?Ÿ%ŸJW‡ê0D$ÜþØ©èºß†X	ë\ÖA´·‰ é}#}£¾ôçÂèéw‰ß#kà–Ë$d-¼K´óŸp—ˆ–õP,Åޯ>í¨¤zC%Ö½¡Öª- ?ð쎆ôJI{ÿÑ)¡$ä9¸*ÕdDÙVª\òìsBßã©aŠß63µE2–¨©:ÁU,yÝa+Õ|TኾàRJïV$%ß0.‹’#;ßiªöÛU½™LŠt„NwŸ[\<›o0*öaÛÐ!Ô´PüCö+BÇÅ\úœÄ¶:p¹êÞÞÚt¹êÜönÕðÝêû¢ièPÌ®®~;t‹ê„2Áö?ŽùqS.Š“¦:™Ó!z¢ÐVrž/†|ªö‹ù”^èH@59¼n?Óùô™î–÷\N®ødRp™¨ˆÁfY6u_²Ç¡p4§qm=߉ôxd^äë’>—º\8/¦Š´wc;ç;„t
KÓ|¡5É'tÀÆs€Í&èT©Ñ^;3§YuGy•à
Rèš’ø²¨ë¢'hÚöÝTÛ3'ñæyVmæÍ¡Ÿ¡;àoÇ~4&G¦§þDmû3=¨PM–éápÕ…5V
+-|PÂ#Úx= úÿæoendstream
+endobj
+1607 0 obj <<
+/Type /Page
+/Contents 1608 0 R
+/Resources 1606 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1574 0 R
+>> endobj
+1609 0 obj <<
+/D [1607 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1610 0 obj <<
+/D [1607 0 R /XYZ 56.6929 591.8614 null]
+>> endobj
+1611 0 obj <<
+/D [1607 0 R /XYZ 56.6929 579.9063 null]
+>> endobj
+510 0 obj <<
+/D [1607 0 R /XYZ 56.6929 492.1929 null]
+>> endobj
+1612 0 obj <<
+/D [1607 0 R /XYZ 56.6929 467.8533 null]
+>> endobj
+1613 0 obj <<
+/D [1607 0 R /XYZ 56.6929 267.9987 null]
+>> endobj
+1614 0 obj <<
+/D [1607 0 R /XYZ 56.6929 256.0435 null]
+>> endobj
+514 0 obj <<
+/D [1607 0 R /XYZ 56.6929 119.6628 null]
+>> endobj
+1615 0 obj <<
+/D [1607 0 R /XYZ 56.6929 92.1624 null]
+>> endobj
+1606 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1618 0 obj <<
+/Length 2779      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝoÛ8Ï_á‡}P€Šå‡¨Åá°Ù6éyÑMz©{Ø^‹‰È’kÉMsýÍpHYrä¤{-°‡=‡Ã烌˜qø'f©f\eÑ,É"¦¹Ð³åú„Ïî ï͉p<¡g
+‡\?/N^^¨d–±,–ñlq;•2ž¦b¶(>¯þqönq~}J̓˜†:æÁÏóË×DÉèóêêòbþæ·ë³Ó$
+ó«K"_Ÿ_œ_Ÿ_¾:?
…Š´ʉøãêòœ˜.æoÏO?.~99_ô*—%¸B}?|øÈg¬î—ÎT–êÙ=üàLd™œ­O"­˜Ž”ò”êäýÉ?{ƒ^;tÊLZ¥L§2™°“TSvÒ‹t¡Š²]æÛS‘…)`Jð`±2´ÄÛ¦ªšû²¾£ŸÝÊ2×Û=lLKÍæ–¾‹Å[jHǸÜmégÝUDÚµ¦ VY»ôùOS»Qÿæ\V†šXˆˆe:eD‹b°ØWYeŠ%<90òÿ6Ê+Âga”°Tòä¸4Žƒ,×ô#Æ¢Â~QaœÅ,ŽÒ#[(¤`J)=KTã±ÝÃ÷Wg§! Eø‹‚*o;l)kFSôƒŒÁN"Ø¡H)["t^Bmîò®üìø–ùråp p—1-V~ܲ©;»ÉMÕRߪ¹Ç½›Å–¦í"±!­ÊUCÂtÐÀŒ[j¶fûÙlíð8¸/«ŠÈ8·¡fÝ„ín¹
+‹fÓZ4,Pó˽¾úõl~	mAT\»iê@Šzp¯9ˆ[ÒvM`{hvlÌEzöGa)×;ÇÝ•ëþ„l©14š‹;Óò@ÑgÕ춭‡¸æj…J?‚¹æ)“q,gC@|ÈÎ
+ä,”ŠeOº§G"ýˆã¸M$KT*ŸÁmœÂ²’,³ÆýÁº‹H¦Šì¬dêhJ&à™h—dVìÌ;úvÄ]³!
+: KðrÈ`‹üu£Áony§‘08„¤ÞÁ¤­›õ8Œs›ïªîÀùõ 0gçð®](º/;@7òyíÆ,KTsy ¨5ÝÀXüÛvñÑwF”“ô9`ÄS€ukVo,0ž”$QÁ9œ(hJMÝBMUn´rúýðwK_rj=ø©‚Ú{Ç?Êú€óúú6À­J?³sI8÷ÞÛ:@»ïìøÞÙñ¡³ãn-ÎqøðêåS  ëfßûT㯫",M$°ïŒ'ãœçQî£xëÏ ÷‰IšgOç>1W,.G<ÃíT™ ï‘I4ykˆDÐCbaNEàŽ¹ejˆcW—c¡ñÂÁ«}N
}Q³»[0Úkuã¦2_6U¹,mn„ôÞ˜ÂJŠÉ¡`—ù’¯7•yxxy‰Á
+—X)¾&¶‘!dÆÒðÂ-s˜V¹±·`xÇ*Í„pI¦ÀäÃœó`^#t<Í7›}¬s8ž¿ûMÌJJp‘ˆèœ'GeAsª*Í|ìnª]W65õ¢çîV6GI6†óºÍë¶ÊôìÃ:Žš¿#j^NhKv¡'uN?£HmÙ!zƒjQoˆº60‘hÃéŒÚUªìøV”uh燃åÛM>aÈòE¦¥ÛŸÝ¨4	rtW*ƒw‹kj¸¨H1¬h!K$ÎÁ!•6bÁ »Ðf	*ØîÑ<}H„Žu^˜±¤Ê@BvM¸n ±D—zGYU[ÞÕÊòƒ\
+‡ÃUvvtªyš,/ˆ£2·–WÙmAʶ¼[×#žø¨ôõ9*ŠÞlš¶ì‘÷ÙN/Ëq«à> 
+¢¿T'z_·@ÿ®Ýå•­Xpô¶ì©±35³YhºC\*N‘!có@—Qè'²õöžòžÒá;¸H&™ršWÐáb^ÖÏxا¼GDô£—õýDKR0§€ú‚ÇQÉ>íO½$íÊiT§Ps"Xðâo´w¶±4Ô=†4qÞ¯šÖuy—qP̤.¯N| *CõhêÏçaî?Ø‹O¦âˆ(t%v×…DUÁœ¹©ÜZ4N"Ë[ú’Vа“Añó­rǹîÓPâ'T€ž׃ÐRqpaSÊa°ŠÁñœB¤Ï>8n¶lÖ‰DgþÇ£UuUµqúVÕ~)_ŸÒøG“ÐHI¦c÷ÉÁ(töIh„Uu”’¸ºž¿™_ž†Z(ŒDïÇ'“²ál߶‚}Ræáû="9‹y¬Ÿ3
+Dl‘):9à‰ÒÌv‰ÁÏÙ³€Û¦a´ÏX‡³~/ãüßd¬ ŠŸÎX%Ø5É ÿ¸v¼¶ûšKB!Y–éèè™IKãôÏÀÃ80jç*SÐÓ]nù|z$fœ%˜G+
áIÈŽËAj£c€âˆ3­däR›+@$×ð¿Ýž‚ÌH€j
+±"#kÇÙ§™`<Ê2ELƒ¶]ëÞ–ðr¾–³×
¬h6X”%ÛE ‡ÇŠ#°ÁÝ
éÂçxñ(M´ðËò¾‚ø†2Á¦Rh⫠긲¬÷)¤m˜S8Wt‚K¾u]·ØE56ÛæTèàsIQIXŽÒðnÞnÓ7,Y¹Ž¦¶5ˆ€t[Ê„Z(òKG/úÖMçf	Y¤M!èTúáP¤)ˆ¡v¡Âë‚Ëò*jïÚüÎàr0ÎEtõ¼Ÿ½böâx"æA]A/I)ïƒo	iÐ2ï<ÕÖÔr¤M܈–¾[ƒÅçS¨/döc«²íì
6´·ø»²~äö¢,a±äÓ·Pô:‹³?ãöžöãC¯¤Üâ*CÏ'£¯Þu_jW^íï7þè/ò/Êʵ^—[ºÎkŸ¯
éæ5M¡¾So©íDA
+	ÑÚî(PïmF•â–—]éSv,0_¬í>Ù^z}ñŠ‚+M-[eaƒ’3`jw7­ù´óOÐucLM-ór~z.Áô÷jõTÖ/ad~	öŽ§5Õíø¾xYåmëËêÂlpÎÚßÒå8ŸÈA¿©LO¿ÞµNØ¿âôz·¹¿ç¶ºìoÈ–´‹œþzxyÛkµ¬v…鯎WÔ“XLyÓFЛJ¡ß‹	Q€ T(/h~ùêío¯Ï§*n8D‰ÜK"{ÕÅ„H@¥‚ZØË´¯Ö…Êb[Æ1‘LB­º?L¸Ñ? ü´¿òÏ»ëd{ïðì9ø}ea§¤3SîGùU~c*êÃ	l± äàvƒzlñ„kUþ¦Èy»1[:ÊVCDí d±jîÅþäeÉ }Xß4nFÚé+í¢ívƒ÷?Ñl{gyXšu‡ìòmwŸ‡…/üa¤þ–FŒ@§c&¹ô ûÛÄZÂ’¨ßx;Ù{—‰bQ–Bf$O_÷àž8…¤uÚ÷ÃÄÇɹLÀ§‰èçEmùûxþ¾—Vñ÷	ÄAŠ&Ñ­î4=üú'Ú÷†Ñmó²ê¯úŠ¦ë_®NÞ‘ÃÉÀ"ƒNF<8òðdô…Ö(D<2Þ?Ô]þåljù•Æv29Ó#w’0]»…{3Ž&!sŒ"–Ò ù‰÷(P­ï>ª…HyAý	¬ßý'üùìÙ
+ùkÿ¼`ùÑé±ç»þ–Ý)…ŠgâQ‰çÿá±êÿØÒµendstream
+endobj
+1617 0 obj <<
+/Type /Page
+/Contents 1618 0 R
+/Resources 1616 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1628 0 R
+>> endobj
+1619 0 obj <<
+/D [1617 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1620 0 obj <<
+/D [1617 0 R /XYZ 85.0394 756.8229 null]
+>> endobj
+1621 0 obj <<
+/D [1617 0 R /XYZ 85.0394 744.8677 null]
+>> endobj
+518 0 obj <<
+/D [1617 0 R /XYZ 85.0394 576.1531 null]
+>> endobj
+1622 0 obj <<
+/D [1617 0 R /XYZ 85.0394 546.1637 null]
+>> endobj
+1623 0 obj <<
+/D [1617 0 R /XYZ 85.0394 456.8705 null]
+>> endobj
+1624 0 obj <<
+/D [1617 0 R /XYZ 85.0394 444.9153 null]
+>> endobj
+522 0 obj <<
+/D [1617 0 R /XYZ 85.0394 262.033 null]
+>> endobj
+1625 0 obj <<
+/D [1617 0 R /XYZ 85.0394 239.2457 null]
+>> endobj
+526 0 obj <<
+/D [1617 0 R /XYZ 85.0394 175.7981 null]
+>> endobj
+1626 0 obj <<
+/D [1617 0 R /XYZ 85.0394 149.7409 null]
+>> endobj
+530 0 obj <<
+/D [1617 0 R /XYZ 85.0394 105.3857 null]
+>> endobj
+1627 0 obj <<
+/D [1617 0 R /XYZ 85.0394 82.1181 null]
+>> endobj
+1616 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F62 1095 0 R /F63 1098 0 R /F11 1441 0 R /F53 1062 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1631 0 obj <<
+/Length 2336      
+/Filter /FlateDecode
+>>
+stream
+xÚµYÝoÛ8Ï_¡‡<(ÀŠå—¾‡Ãe§—Eêô\ïöpÝ>(6­Ä’›fÿú›á¶d«i‚¢(PÉápf83ü
#ÿD',Ée¤¹f1q0[ñàæÞ	Çy¦¨ËõÛôèÍ…Jƒœå‰L‚é¢#+c<ËD0
+¦Ø	Hàáÿ®Ç£“HÆ<¼¸¼J(Ëðìߧ泥	M$Žõ·Ëñ9äô9»_\¾ýcrz’êpzy=¦áÉèb4ÏF'Ÿ§¿¦[•»f	®P߇£OŸy0ë~?âLåY<ÂÎDžË`y¤cÅb­”©Ž>ýg+°3k—ºIp&U"ü$ÅŸâœ%J*ë§ãëÉåÛË1ìªÃ®S¦¤NaäkLÛ ñ"lïózY”+¤e¸*–ÆO-QeUucˆ«¸¿7«¹™;Κ¾ÅꉈÍêaSTå_œKâ‘áúDd¡™Õö;oàœ”PáÇ;ãö-håßõÊm_:-QȺiÑ® ò¦DB°<Ž¥µˆDv£8$Cb´Ž&ÜpCßÂN'a¹¼¯ÊYÙ:uÝ+DÊ2­•sXϱBì9üïøþAºË‘²Tg™c°¶íÅ™Œ!¾âT)KÒT¼$Ò$Ë3”:gÑVbÔiƒ¨§šŒS&t"v;£Žöø-•Šå˜dÈ?œÖ³”
DaÌRUbø‹Ç|QWUýhܱÝ<¹c[eU®né×¼nU`´È$œÞ¹ÃœmÖt¶«ÁóK9ËÒT_O¥HóŒ¥Rdýx¢Pá½ ç.ȹÏÞÉ6÷fÖ	wú	äÐ0ËÁ‰ú®†aBzK
+kôíf‰vÓ6÷õ¿ê«Ú
7M]mZÂ3’*e\CtEŠ3.yÒÓ&J8Í×Å°Y½´"@“ž¯>~ügÃól|ú‹rô»ÓËqôa4ùêò¡Q¼¿Ÿ×ÙÑè]áö»_—€®–Ô›D°4®7r¿Þhíãª^ÍLO,D”HX ¤QÝ@º+œ3oŒqW¢‡kì[˜[ã±å´/ÝÀPç1† çŠI™<#‹ÖqåHZ‘ïãªm£Ò`_¶ƒæ*ØZ¿ÉT*ÀûÈ¥cë‘nÌÅ	T(NÎbÀ²Î¹×p]‰p
+ÿËð ™<…©a…[–Íd¤£-Ñ=2ÍÂź^eƒ		¦_ˆ,Ê2E»Y›ØÓMÚJ_´ã è$g2˳ “ª?–üXfâÆ£]ûþc¥©[OR»ü;½¾Ò¨YÚ¦úšN§W?–¢ðCà'áйGts³(6Uµm5°s’1©µx)*}%Œ„…p«Aê®hªR,¾È=dÂéH?¦'ø4°4þW.Úè+ôž¥°Wã±¥…
> šÍM]Ýë9ßã A‹—,µf«ãÊB)Üoz…!üOܺ¨ÊÎRÂõ|NÌUoÌ@f­‹Õ­‹I¡¡#‡+(u-*(¶Â‡—ÁΧë³ÝQËoµI]“:}/%4ˆšv{v.ÊÈË‹0ÐbwSbh'.°wxïŠÆV}ûöWzl1úÚšUÕäW|Lê Âã·£ñhrŠ.þÄF­·Ëa0'Þ¹ò|çlª»flI–qùÒäÎ0•DÉìµýZU4CÉœAG”wÓl¿!•3¯sûtï\¨á¼!ÿJúï´T9À°¼×¬_Ÿ$Kãí£Œ
pÛ.€(‹ªe΂m
ôi̺4n‘MTøgSo,añ38¬(\¼ªžˆšCÿ	,ûð{AíؒĘbvçVÊ@òÆ-µïœð-!q
+¸øñÝ{(÷#ouL|×Uš‰Dø#˜áf*I#$©óŽ Ïðk
+ÀGODßšêäxmÖâ0=L#e!	Lø	'iðaSÑÛ'…’|_ce%nnˆx#uw1ôXƒRÞžõsS™ÛqʶÈ5³uyóL‘©+Bg˜L=QÀÀÏÓóó	;¼Ggžzy~6üÆÕÛî{tú€&$ëÈ=|˜s'8uï`"’Dü‹>ãô¥§±ãíÛØ‹D	™y|ðÞvÌøp…íZôÚ¿îZtÀ¬ÏZõ
+AòYAâ9A×ß7Žo¨†ëF+%†þTÄïÿð¦v@_A²LvÛÎePà„Új…¦çò@wÿ'¬åÿ8Ëendstream
+endobj
+1630 0 obj <<
+/Type /Page
+/Contents 1631 0 R
+/Resources 1629 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1628 0 R
+>> endobj
+1632 0 obj <<
+/D [1630 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+534 0 obj <<
+/D [1630 0 R /XYZ 56.6929 606.2532 null]
 >> endobj
 1633 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R >>
+/D [1630 0 R /XYZ 56.6929 579.9813 null]
+>> endobj
+538 0 obj <<
+/D [1630 0 R /XYZ 56.6929 357.4916 null]
+>> endobj
+1634 0 obj <<
+/D [1630 0 R /XYZ 56.6929 335.0205 null]
+>> endobj
+542 0 obj <<
+/D [1630 0 R /XYZ 56.6929 253.3724 null]
+>> endobj
+1635 0 obj <<
+/D [1630 0 R /XYZ 56.6929 226.0165 null]
+>> endobj
+1629 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F41 969 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1638 0 obj <<
+/Length 2828      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝoÛ8Ï_a,œÄ*¿$Š÷æmnmÚK}@qÝ>È–l'K^Knšþõ7ä²äÐŽ{í Dñc83œùqfd: ð£ƒ8Wb •BBÃÁ|}AK{}A휑›4êÎúuzñâ†Ë
+TÄ¢ÁtÑ¡$Žé`š~¾ümü~:¹¿±£àjFdøëíÝ+ìQøxùîîæöõ?ïÇWR§·ïî°û~r3¹ŸÜ½œ\(!Ü’ø×»»	Nº¹}3¹ú<ýýb2mYîŠE	×üþyñé3¤ Ýï$à*ðBª¬/DȃPpîzŠ‹ÿh	vFÍRŸšBa̤GO‚úôª âŒ=±€zgÜÞƯ^Ýãû÷c6" ž»ñÛ	6qžo&¨øQ¨0d†hx»)“gîæfÙïÅ
p¿¶a*ˆc©Ì6¯³2Û&MÇ$Ãa‚:kt#VìÛá2ÅÆÛøÜ^Ñx˜Í+óLkàÇÑð®rôšUæü­¶KòåÊR_µôê<µóºÇÉŸ; •âôºÙæåÒ짎²™Q㌇¼(|ºœeh…šÂfcèÁÛÃ*+±…lBÃ1MËœ^…ÌAË0Ï‘·šgu¥VÉ=ë9Pòå»ûÛ×·wx\“ã·ïßL¼‡~ùzr7¹OÝÉŽàl±ùÛ»ÓÑ%¶Çv4`ài—}:ô;èèSÔÏ_>ƒ_üöBe 8‹
e§‚ìÏ]þ%)²Òª«©üjÀµÒ¬5{Ó UÀˆÆ(
e­8Ô§ÿBǾãþèJvzKæÓ áÙ[òÓ[òóžÞ’ž‚T ÃždôTá`ç¯õqÓÅtJÐb b°H¨sP+H"Pý¿[åqxÄQç× e›nEŸÔ¨j$D«áZpwëš;e4àœ‡!ŠðÒØ&å2ó8–x€ÄÌš®ŒgEñpž”Ø0¨Ϫ4
‰hÍC…Eµ]×@“m3ª›jcWmñ¹ïQ7ÙFÃgć·ŽÔÊnò!l[7>SлÀ$¥Ðùá¹Ø»B”jš]¥7Ê6ýix@£©ðIawFÃ1À´é0陚IKÑŠÍ°#½ÞÕ–æ,óy¦ªó&ÿ’=1ÌÄ`tðÇÌB ‡
+°žŠp©¾ƒf»ä¨­14êÄ'GlMÀÍlñ‹U}¦¥qJ†iVÏ·ù,«Û£Äþêbì+“µë\Ì»¿®v¦1Ïpø "À©úüõsf'Íq„©¸Æ壞(àê-—…sž®ø!
„ÒŠté:†˜Î'üAB’VE‘lÝe	}Ô¾=®gUQãËCÞ¬òÛZÖ§{S®™¥í×9´8¡ƒ¡MPx|Áö¦Hæ•hMŒc¢‚õízö¨#ç¯RóF‡mÆÉ¡nâ]¦][ñáôJ±a…ýKäb§$(ʼiùzÔª]³ÙidZ=V;.3½$:°ÔÇ=O6Ù~ñSå4Þ“aV3»ÔæQ?fÉüßu‘Ô+\JEw)OŒœæKq0õ˜r;A#ŠPÃ,Xb,
+$eñ1zHLœ0²Þn:éÒD¦OIÁMª'
¶£–uòˆÚ¨6M^•IQØwãBð\€5Wú|Lï#`!hÿÖUšk|϶5*äa•ÏWº	~»2דéF×–Á,¿õûãÝ5.i§µ6ù VµäæÉŠÔn“§Í
+›Ê=p=Kjm¶È·ÀäîùT²ã**£mt77rÃíz,ñ/•ŒuƲðª\qu0¢È
RœmÁ%-DÀFùz¥9Vawý¬Î%Q`G=ÃáÃf‚ñ¡‚†§,B\gè8!©}PD÷iô´Ð³ÐÅ1wöÿéڜާk}DŸ?{(+Ø;
+/ÏðNäðÆ@(%ûš¬7Evía)‚‹·ØyT*q®Tp?_óëÔ*àü„½¨w3{ä,tTö¼“i´åÆñ|v<'vžùn‹¦­Ó'Ýa|H0Ù%˜z}°ÂÞ¶»Â.Hì„i6Ï×I/æú2c—û–!K£M’¦ß#²w[Qf羺©:\PHànù’äE2+2;Û\8ÍÄ£Øl]WÏi¹Ã½BâHSÎSÏiD‰%Û»+½ÆãàDUôÀ«ycÂåÑ-%X°rfTyvƒ«þŽV¨á
+¬w¯rÛAjÿŒœ…}õB­ƒox|œ’·~öÑkБ6¾[hÓRï6<ë9¸°…2n£j=^æ3sŠ'4¤£LµßÜwáª"jz¾w¾k=€p_{«/p]bѸuÁÄ0/ð=oðý¤Ahxàº/ÛàÊXƒÈÈ—ýtŤÃ.u &7ÁÞ,1ôõ¡†Ò|ix€±Äfv‰%•m¬õêAÀð¬Ð	9@ºYï
+w„ÝB×AËy±K³ú@ÿ†¢­™âVzs<pçÕz“4ù,/òƹÂÉ	ƒY²-r“ŒB·Võ/f R±jÁüÒOQ×D×ÈõuƒgÌD›».ËüFÖ!ªžy™æ.àƒÈ‡¨Hô噃&àÓvjõad«‘K§º¥áýy¼^Ñ-ü`ma_°øJcŒ(@ñè™jãt)†eñ¦)ž­V|Ø€mã3 d릑¯³QSŠü‹í1‹<ÂÍZÚï)¾z>X@PzkZÀOiwMÝ®x1<õž¯ûÆ—«l›7¤l~ÛÇ)“œYL§ozë’rî¾E\ÅÃ]‘ÕÁóYöÒe¬3(¨\Hes°Ã£8”îzð	ÜàBp‡ÆX ìˆH7n–ö<?6«¶sTy¶G¿¹ïÍègUçþc§’‚“çjsSÅ`Á©C:eï!sVÃízÓg½;Öµrè÷X9•®ÄÓmf®“f¾ÂNKŒ
¿é‚³±[ˆ¹ì̳éëøÍI³¥ÿofÛ5ˆŸe·N÷ç“t+ŽÛm¤ë¦!Æn)dà$¢¥7Ͼ0[­/žrŸÁÂë°òcâjŒþTé2
#ì9…[«ð[ˆ±G‰‰iyr>°]A÷5Jcgû:…PÍö¶Ÿ¿íÇëryB¡N–B÷¤ø_|ÃÓ$ü|05è<ºóŽ'ÿìà$
+b¦t6*$ì|¥ãžvÄ0=âÌ~ÉüC#Ù&+øM]W@¦_u‚CÎ]šæ„O: i£Ãýÿk²¯MVêÈÖŽ»?`8¢ÿolm«ZÄ5D)[ìªoø½ÐÆì…mëÒLÒØì(f•EŽÀ|CÁP{~b|¤•‹ð[FjH®+ÇË>„µ¶{Ñ´r¼|3þð¡—FÔÁ±?*êðxþºCÏâ¹ÚÿYJ˜
+ó[JkQ–)­%ÅŸ8 ûGÑSÖÿ›®õendstream
+endobj
+1637 0 obj <<
+/Type /Page
+/Contents 1638 0 R
+/Resources 1636 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1628 0 R
+>> endobj
+1639 0 obj <<
+/D [1637 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1640 0 obj <<
+/D [1637 0 R /XYZ 85.0394 496.6186 null]
+>> endobj
+1641 0 obj <<
+/D [1637 0 R /XYZ 85.0394 484.6634 null]
+>> endobj
+1636 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1644 0 obj <<
-/Length 2927      
+/Length 3175      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ[[SãF~çWøQTŽ}¿ìÛd€,©&†l¥6Ƀ°ÅŒ²¶å‘dö×ïé›Ü¶eOŠâ¡[­¾œþÎýȆ?2Ðafø@Ž&b0žàÁGx÷Ã		s†qÒ0õýíÉ?.˜d$•ƒÛûd/°Ödp;ù={ÿ¯wnÏG§C*p&ÑéPHœ}yuæGŒoÞ__]\þðëèÝ©âÙíåõ•_œÎ¯ÞŸŸÑÖód‡°öæÖ.
-+on/ßßœþyûãÉùmwô’3Kýç“ßÿă	ÜõÇŒ˜Ñbðcè`vÂC‚3G¦'7'¿t&oÝÒ>Ð8×€U€GŒ’=Çú#0º\!M±Ú8uh0à
-ûQ˜¦1í¸@I 	IJ$eŽ¿ÔO7Ëñ¸h‹
¬`É
-¢
P
-ø`?wYÔeÑœ™1Y}JtV4Ëi[LN‡㬜û7¹o¿íýr†çÍcQ[f§”ÐÙí§²ñ+g¼´çÃACB‚ºÛO…e%Ë>ÃÑO¾ûø©²]hh—5¬vïrß\]ŸF×#ÿ]Tó&löX¶ŸÂü¶ïÔi‘7--TVÍß	ÔC_f£òƒþ¶7®êÕ9“0ØV¡…[xpSvPÊ@
à6;¹0ìf*½þŒ«å¼µ$YQ¯î}»ðT<”Õ²ñ#EݔռYŸ—èÚT
-Á"œ‰A*N¯“Oζìp~þ–qÅ‘l($öЄÈ(ñï–í§wó—H¼Ej]â툕xÛæ°_U—mÞ–EJ¤}'¾+Ú_‡Å·ƒW„T½_iÒBòˆïU•„‡&d7Wù1ážW¯Ã=½Ô±€§™½dk˸bðŠ"&ÌÁ–Z!ƒIgÊGÅ}Q×ùô%¶œó
¨íˆ³åÝ›°©Y3ã°háÕ¦ì3è•gÓ“¨×RëÝ—aÀ@Ád˜øí-aÊ×±w%1L ¸ëK¶Œ+vH€Â¿ûFY›NS¿ÔuS´/QMª6UFœjB»ò¼«iÎó†•ÁõBo^ùv’·9ê/WÄlË•´’äÚ^Iäasï¼&p˜+A6%Éîl%Ķë’dG@’ìÐБ=$¼fÀê5÷üÕ¢¶bãëÄâ:
-Á>Ó‡œÕˆPÑ9…ˆõÁjüûâTˆìÝåO€„Æà.òrz4×`íáù_þ´çäÇõ¾äx@Š„†Tj?ÐD"¢pç.®G?ƒZ@¤|ÏA{Ž…oØ{¬	ÉÇõ­üh¾Uh¤b쬘#J‚6[SùÛÙõÏï.!%Wx~‰›%lÓÍ’àfáMÜùÇàR¡·WgúväJ=†P"†µììचåpê6á”rªÉßæRS&¼U—
-Ð"ÕC'4€¹^a㥃År‹²ltñ8ùå…¢’\'ù²ñòÂ|>l;MQ?¸tÔV¾]õ}UÏRY‹„ôˆ‹=f²ÊÍœ¸Í8ö›ÁðÓù$Œ¹Sã ñF ¨b>oçmK­ßù+¥¶Nï±)¶Œùß'¶‰HË?ƒ”/Ù2®è[n`gv 
-$8Gœ¥öl¹˜–ã¼µ¬¦Ld#x‰ÔBBÕ•f ë+7Љ’jûyÛ³…w*vNåÛ•¬†5wËÖw&e3\—šXû!˜¯=IFß_ʦ-çý“­’ìÉ?ùØÓöq¶Óä³Ð»ü6šL‚è6ßõÉ뢪Ûï€8Æ»š5Ù噃Ô6¯Û§EáßæV‘ìÛñ4oš06õÇä“'ÿî®pdÛ®ØjØw¾­Ð8iºú“êÓ8åñum¿ŽÅ—RªÀÈIÇÿ%uTÝÌNÉìÞ <>6aÎø:ŸŽªz‰X¿NMVšDKþ¢l\ѯyÌ(XŠl\s@žu‘ñY]- É•-x[ë`
-;ôÀôÛé\‡Š†:»€>èÔšúØ5y¯‹(¾XióÇ1šÍ—³;·	#Žqvl¥oö)q:~Ih„÷žFè‰ÜTk¯Ž‚ʨGr=²ƒNl'èÑÚØc¸‘j–wMgÏÛéSßÕ¼’;ØA—¼2	@(¶>Û‰7·}{sÛ&;ØÕMûN[†Ê³/ÐU];ÆW´,ž‹)Äg>ì^UªéN?	i®¤&jæ´„7ÃEÈO½…ê©(wëÖà·XöeÒ”D_<Ë¿Ÿ{ÄìÈP“ðjÑzÍç`ºþÀ7…5¾F{£“¢×å"&ÖT"%¬^­E.²¢°,¿«–í¦¹`üš:8d"†Q—6ø—õÇ¯1Ýüaº`[y·÷Ý‹xJ’]Á°Ñk$mŠ³zY3Æ[»YBJDÁƒ [€¶¼‚t2@ß涅ÜÔ—]&ŠáÂß—7+_o³¿¡À)pWûÝãŽ)íL[YÖÅa7p
¬³†TŠƒ0)³{·Ü³ÛÆBÆøæmÇ°ÂÅðrG1–`¤$¶å~'uÃnæz¤E3æXÌÁ𯋂}³ûÞÏcAìˆÂP]UmñO¸–²ô–½f6	LHæ#£xbõPN¢³³	ðôÉ¿í¼æ]>þïcîs!ÿj\Íy[Þ•ÓÞ´lŸ|6îm´ËË}v¶Y1´éX¼¥M•0…ËÔ³|:
;ä¾™UуÙ'—k½1àÇ:º¥â¥ÿÔ,]½¼éó¶:#I$ûÌ%¬õ°‚'Šuúú}1HR%VáÉÎÝ @$ NJn¦¹
õ…È«åÔy=ÀcÚT~ð@òcå¼
c­7oB¤ÆEðì›”éß¹BX¼ÀVÈauÇ]mo%E¸£ÊvçUë;w…o]íÌaÎ y(!Ùpk¦µapî§-ê|ÜËζ{ì]bKŽeïŽ]¦`Ÿ”ád¿½£¿3ÈÝ¥»¯GÅç3û}ýa/˜¹¦«EþÏ}”w_‘ê|ÞÜ{á‡G«±Ó¢µ!Ý.4SJßjÕ´if€©	â × _Hܦ‹Çgd~vZéuðÁ"F;¸È‘oõÛ5•iÍTï¨4×a¾d³øJ$W»^eBç›ÅR0åµ<€¥PH`Ö<8€ãó>ðœ=AÎWŽ=rËØÅ0ûíÅ3¡õÍâ	a³QìÀ×ZÊZSñçÙË(_`!=eoúW)”AKôøšÂ•$æ&•Æ¯Å晢—öfÁ#Úî|ÈYCÚ!½JÀû>Ÿ|¨‹ºøü½™ü«wî<Gp÷Û=G×T6eg
-V)Î$÷;V¿æ<øóPXÃ%]ÿuèW-ŠdP"m¨€s»Øˆ<©lU âDšÚÙÄþ6HˆqDüå+ü¸ò¯ì¯h!?ŒqöŸ.Îúò¶˜çóq¸±?¹j p
\}“
¦¦@œÃ¢F>붌k¸§b/ðU$QºK
	…ˆ–“•*A@”Ø@âcK*&‡ñÍÓ쮂¤”‹fg¾ÞÕ†o[kE#à’ é!¯#ÜBÄ°ÖߘÁô.q[aA8¸*Ó—÷O×Ëö÷ØÑ<& —`Røù_[Úì8š”¦˜·h7|Ž.ùÆÑ3„Âæ‡ÀÃ`ˆâàÉç€'¿¼„¬7:®„<ž!`Ì)M°»œ¿JîÂ׎¢|è		:âÞ0„
-MŠù•A$ä¾ç!˜Ðv\É1”BuÁ ("‚˜ÂþrÙ‚sÜýçá(új7Š	}¯ŒŠ0FŠJWöAÄþIÏ×<8(¤Ïý—šÕ?q–\ÓþÏ"]à‘†ÝËâfÄv”¨‘д›•þhk&endstream
+xÚÝZKsã6¾ûWhO+WE^Éã<Ýh$%ZžÉè05å’	4^ݯŸ0øã“P:É$JT2N›6y„²Ÿ.¸­3s•fýZo.~ü £I$ZèÉê×W°8擇åoS¨àz`Ó·×7ï“Ë™Ùôþá2RÓ7øïáúþáúÝýå,Ib1}÷¯7¿<\ÝQ-ÝkHÛüÝí͇ëŸþsg;¸½!òÝÕ‡«»«›wW—¿?ü|qõàèÉ™Dîÿ¸øíw6Y‚¬?_°@&q8y†x’ˆÉæB…2•”ŽR\Ü_üê;ì•š¦£Jã,R‹­	>á­³ÝpN1Ê|%B¦E”FØà·GG$¥x|,ˆe¢Ða:¯é›}Ú^rÔV¶´£Uô[.³2Û¥¾xEúÙ@–o„£ÂÀLj¬}`f.1^DÑQ$T¡ã¾L7Ùr¶¨6[p/fcya­…²- îüE@º¦™Ê0
cÖÙ¢Bg²wY37&]Ùïê ÉrLäÊ ˆ-°ý¼!’Q*Vo›
+4/Òeí@ŒÅC3èéVjú
+Y¾¢t³²66oÖv´z›-rÔ°kº”Z¾ KX$ÐÇGV5›´£¢	šuöz ÎX‚Å®MµE§Lrðy•##i4TƒYéZÂLñÈ¡«•‹ü2$ÜOf2†e,ñ;0{
xë$ÒUcf/t>ÙXé.-ë•£Wökø¦FÛm±÷6
¦êª´[p3Y}`á-U0C‚&˜r£1ÕÙ.¤ív•œwÄ´·BH—Y¶¬)	H%Âtµ4S»HQã2.	dv˜]m3›Ö¥Œ½²Õò„½#“
+B©¢¤e§³WËíb?¶z½€'"~™m&1—Ƕ	ô¦0Þ=…,²º&]Av¨¢Õëª-–”~D¹BMNòÖYGFBJѬ˜E †©ÏëA7dœ ¯£øHp‹“¹ÅêÖ)6dvÔÞá§9dN­HÝwÕÆSBÄÄj’Ëp¨I‹èÇ4/	¶3ÇAB<€ï›¢ÉרxþÂÚ¢E'’¿x€ë“‡ôÙÖYÝõneÖ/E»tuÍ4RkQµ%¬Ÿ
ñ*ç. õœù}Çñh&€¯Õè³éî;8„Ö°mѯ Z$2…¤ýñ[?Äý1ÎsœæÛƒxÀxÄJ«ˆ•ƒÅ‚Ò,%HôÁ@kvý#‘`O̽TÄéä0²g˜DpÁ掃‹™†º†Qëø›1Æù4þÍ@?–Žµø‰\‹— ÏcP´üèC}&„ wtZôþ­=“¸«³'ýA¾Žïû§ï°ßçœâí$ìâíDS¼
4+ƒ¡m©044ðBÍÄÒ˜Á¸1'~ù˜–‰´#ÆŒA‡:Á3ÆÊŸ¼aZÒ… aa”:bZxÑ1OkØSÎbÐ4^E*÷–Ù§E‘ºó8$àóJáåò?èò6¦ƒºÑЭ+v'µ1ÝòÃÇljá‹û<~ŒéœIx`YÛR:l„Ô6Ýg5â¶HÍ:²›iƒbTOIs×
EËê¹´õ+"Í3Ê=ÏÆtå”/	ßÐuº`S÷M¼’‚û³a ‰êæ¿ww÷W˜DÍc¢|žç|–ðï{8¦¤|åˆ_Ãpß,jÕâcf¼¯¼ýìE¹?Ò¹"ËÓÜ{ÇdÙçÇ‹rÒ,UùE
+ü­*ÒÉ£æ5ÉØ龕8ų	ÿm`QàÓ§ˆG8Ç¿ÞÈ£·bb‰¯Ôð¦P0=>aî)$µÁ|%t£Ž¯'Äæsã¸0m¶w;p ø8¦û·(Ì^ÃwQ…»fî†
{^ï„É­ëÃ=;ÖMCÂ=n`öâÝ4í
»Ní8¾4m›uµÃÇ#þó…ç=¨ŸH¹ÇÈƬ>u	q—Öî5]á
aãïPé69î›EtˆöÙX¯îÉÕÁ›?.pE¯3;ÀÁEUgCXšv¹×.¾Ê›5AEùÁs"7!0®ÝšUݾ·à*
+$OäÐð®mßuåc©y 1¸;èÑîñúï«MÞø—'+÷PÉw°ÌVi[4#K™W°r¥´‹{\¿R÷t™Ã·¢Fx®¨ïk)Õ¿Ò•öú«šë[Ù»¾í
+Ý[ÁÍ2†úJLoK[’×®;´k²-R¢qû°GÒE²}µ6ö”0¤È›;óo›¿ú™u÷ð§>ŽÅ¸×ðÞÅ2…³¨#ÎÝ{ìcÖÿ†§r?endstream
 endobj
 1643 0 obj <<
 /Type /Page
 /Contents 1644 0 R
 /Resources 1642 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
-/Annots [ 1646 0 R ]
->> endobj
-1646 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [333.4761 409.1267 413.3061 421.1864]
-/Subtype /Link
-/A << /S /GoTo /D (clients-per-query) >>
+/Parent 1628 0 R
 >> endobj
 1645 0 obj <<
-/D [1643 0 R /XYZ 85.0394 794.5015 null]
+/D [1643 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-558 0 obj <<
-/D [1643 0 R /XYZ 85.0394 172.7706 null]
+546 0 obj <<
+/D [1643 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1444 0 obj <<
+/D [1643 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+550 0 obj <<
+/D [1643 0 R /XYZ 56.6929 542.1781 null]
+>> endobj
+1646 0 obj <<
+/D [1643 0 R /XYZ 56.6929 510.0725 null]
 >> endobj
 1647 0 obj <<
-/D [1643 0 R /XYZ 85.0394 147.65 null]
+/D [1643 0 R /XYZ 56.6929 447.7453 null]
 >> endobj
 1648 0 obj <<
-/D [1643 0 R /XYZ 85.0394 147.65 null]
->> endobj
-1649 0 obj <<
-/D [1643 0 R /XYZ 85.0394 135.6948 null]
+/D [1643 0 R /XYZ 56.6929 435.7902 null]
 >> endobj
 1642 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1653 0 obj <<
-/Length 3078      
+1651 0 obj <<
+/Length 2603      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ[[sâÆ~÷¯àíÈuÂdî—Ggmç8•µ³ÀI¥N’äµjArØÙº5@ ˆÙ*ÊUFŒzzº¿ééËÌÀzþXOi¢w=ã$Q”©ÞxvA{Ÿáݬ¢é×Dýê‡ÑÅ÷·ÂôqšëÞè)àe	µ–õF“ß#M$¹4úáîþÚ]ö¹¢Ñptidt…ÿFwÃÑ݇áeß9Ë£ÿ¹úet3ðT:èè[ªîîoï~üï bðpï›7·7ƒ›û7—Ž~º¸­•dT ô]üþ'íM@ן.(ΪÞ|¡„9Ç{³©QRˆºez1¼ø´b¼-»¶&)#Œ+ÑëK¤Rv÷°~
-ÃVŒ§Ôæ¨}Fað&T¢R™ÕDpLcŠHkzF9¢åD®–‹W‰à½è£¤Aðî òÓôpåþZ&ó4)ü—"Édb…HæpÌF²÷i+¤%ìô®N	 ”„:ª:”†hcX >@ýÉÎ@Á	Jt(1œ¹—«ßnƒä¯£Lûø§ù%³Q@‹d²>/—+‰`²#öjkˆ£ÌÇÞßžæÃåxœE'~ÿ˳ģ¶˜ÇYñ”Ì·0¬ÃrL&{
D=gƒ4œå:–³6Š8©YèmœNOç°Û‹e ä©°lÒÇ®|ûj6òÑÖ«„iG„˜^Ÿ; ³&Ìc·òYn µ‚ÃtIN¸â;Blkœ^!ùª
-`D\¤SHÔ“"Ÿ¾ÖS1\Ä‹´X¤ãj">äËl‘͙̋Ќ!tOYG”ãæ 4^
-"5?µÖNµô„+ Ö¨¯ä™Âu•Õª°@eDYe£_gùô&Ãñ²B²šU»à’G×I1ž§/‹4϶j"
-ëÄAjŽý>u7ª…ú&iE´Ýes+„À¢¹¶>Ýü9÷WåJi
oß&ŸZÜCk¢Nnÿ0î´²SBE«á†w@þN0aõÑêã!„;c+”ðÔ‰ T(¬O;ÁÕ½äY‘ UIªM4c„>LyEØ4NÒ×–hÕàÙHzÆpBܱLÛ<¸c*ä:žú8<õ{ñD=ã%Î±š™@9#By‰Íýoׯîî!b©¢|ï´ét‚lgl’’LªU‚ÛH'ªH|3À}È_o/•Š®î~ÃTVFƒùé”ØúAoÜÅÞG@{¾P@À:B·t†(a|è¾}|¼•Ý—¥MÞÞÌçÝH®:`(Úù®j	yŸ¥;´Š(Ë}à~X<'s@-Ÿ£52
‚°ìæLæ%„ùü(7ŠzÆi(¡’uàiÑÜø0~s}?¤‡-h$ýƒ*Jákò ¯M•¹¬¢ÐO…¢‚ÏuQ÷؉"£l«.³z(}ôþ˜³x1~£t
-b÷õòå€ðÝôâ†m…p³i›}¨i£ÑsâßÁlø~w×ßm3øWYe†EXä~ŠÆÈC°(žLªNò*Š³É÷—,Âå…‹çŠrƒwÙ¶Éí%Ÿ/üÓ$O6Æ÷%Ë‘2îZmx|{Ž«Æ·¸ðÉß/ÉxáUV6B£ójûjä±,ª§Çò‰”ðßóy›ò%wG£Iò¥žøù	+ßžVH;ƒO”—e)ñ«D£ç´ðcÍâj°RbøŒ3ÿ"Í&é8î—bãVD?*×Å/kÝr©åOþ3öãxü\m½äi‘giö¹"X,’ÙËžâ$´ô÷-žoéÕ #Tn«‘2böNmtÉ 2Ì—Ù8+ê^‡£K‡kÍFu÷¥Ô¼ç)„ÕPËÉŽ
-ENN2ïã~Žg`f†bÐ-Ÿ;qõ=¸I2M>ÇhÂÇ!HyÆX	îÀÒâ¬æUµ·ÀÀY‚9„`qÀîç&ÖzðÍÄK2Êç³½Pz!ϼJšC';ª¡5¡‚±—«ÇvÏÜ‚á
-´ûÔ‹}²¬wÓó:µÉµƒÍ³…ϧ{ð
$?¾BAa©ŽaY÷؉/×DA-²^%	5*Ølæã/‡%‰·AèQmþ3IªÈD›Ä‘b1þ’, g„@(£‡òTšÇùl–W]=¿¸ð›½›qý	“æž=ã_KFý»´ðobÿ5 ðíSñÅJÊ€8KÞüw/ªoDƒiÉpjó©LgšÎÒE„îê3éÊ7ú½l¨Hö˜W3qï3…oºz™„ÊBtf	gT6æ5‚t–äËÅQ~páûìƒ-茽åDkÛ@¨&¼6ú§Ëä6$7T…2¿G”õšjST¥ò­½dš½æ_ö–@øóÝj€drtÑXÀA)Û€X
±>)Ä¡ðçkÅxŽ
-•AÇv·œ)ݦ^µÞ½'ß
®ÄgŒ+d;–v@ÜÀ6L÷`\õ	q
$>c—iŽíª€¸²D
-éëÊ_˺2ž^ùººÖëûáðæƒí5ž¦“ ¨Šó½86ž±yJ•7ïÂQj"“k8>|y„»/
-5Ò
-C.ˆÛ{Ûz‹eÝc'†9Ë»¢“DñêâIá}òùtk0š*)Åö¬,Ñ_ßšfXRd€v¿-ÿ@¹÷áõM͘B¹éŠ^ŒÍ„[›‚Ã\ì>Cît¨p'óÀS¹ãÎØê.»@tœ%ípÌY¢•õ‘êÓükyL8eÙÕåêv[6.wRE´ˆËB
-k·Ì×¾V_f“ŠŠ«ê	ê…Â?âžòàR7ÿŠêL¹p»B
-²­+’â%§X¢XPùývÁ”¿ófÿqRV¤øþi
4?ü)	SÑ]æûU»Ø¸i
-!غýßÇ5ÝÖåÀ˜ZÓ!´I,D%ZfÀ8¥•‡ÜVãà¬m¿wÖ_qì‡,·íGp¬™lFF	YȆcõ4|×¢¤&ÌJ¹[G%ŒÆO¨cͱKG€æy]EÞ­"Ô'`
-„´)ËÀ$,ÊÚâY1ƒ.§Ó¶æØ¥­ÓxÐáÖÕµ¨kñƶYWׯ©Ñ›.÷™´Æk6†ï <ÛÚ€Çàq\™uÒ41†Ön#õ‡k}L(^†Z?(ò>„GÙröˆ§ÞÜz5l[Ý\Ã/oÏy‘ø÷¡/ô/ãz{¿<&‹·$ÉÚ|^u‰y7¸ŠXca-iÁLð€[qì‡,ÛÀ«£YQ¡€è÷Ó~
#’ÒuøX
-Z<7Å˹õ”|²ñtY@ÂTçy“64DKÊv¯@iý.S”Ø}»U‡.Àša?àØæmd3èË+ª]Ö§€Œñ@õäï-ÕgétšÉÂnæ
-*£[ŒL›¨	‚¦Ò¬GÓ"þ‚f¦ýÉ&~“×$K«P
oÕg}vÛææ$̦6z·%˜wÊÃr÷~K¬9öC–-–ˆ»D[‘¡„´ÕÏ©FÜKF¥+å)Á[ÑÔ_À†i\,ª#c­03c릜då)“°"*žóåt‚ÏÒóƒ6¿À_ª<ˆ“Š .Zñ•„71§
_‰"T,
-¼š1'À·âØY¶áÒòfä2Žü»mCE½J'!@Wpƒ)îl $³$Î*çŠ.|x›såÊ®œ+xïê@ކׂMí\±}ݹâË•sÅ×”ÅSßŸøc‚í¹Ø¼V±5åncÓ)äû Ê»çbű²Üž¨Rz²šhWDù!`×ִ3¨•m­÷£“ŸÎUÔ³Ìiz£ë–­˜ñ8½Ñôàô—wŸGgÃþ@jÖhÃ÷—HbéqúëåùÅǯÃwý(F¿^’xxv~6<»<=ë¬%Œ[üØ«ò#¯F§Wý?GŸNÎFÍÚ‹\¡÷Ÿüñ'ïMa­ŸN8S6Ö½;xáLX+{ó“P+¦C¥jÉìäêäKc°Õë†îM«˜éXF;P“jjÚ2£ Q›®æ‹t
+ë3qPø´Au›’àçræÛå"d( mŒïý(Ð`2ÑšLhÃ"a4¸ˆÓ”URee•MÊ7JCÚþ9·l=bRä¨y³ZÂÈ"§¹Š¶!2Êè`DnÚ –¤•ô\öE¤ó¢Jg÷¤”L&iYfcšº7Â0¥Mo ³ZK7é:K@;{È–Û$žÜ&yžÎ¨óî6ÍIü¡f–sûo¦Ü)Š ¹“ÎÓ¼¢yÜêЭ­X`GN9tôzÐÛ„¾qÍË4}2ø!…ÅL¢¾åMÃûµ¥¿'ój-\ÛU:ñ®¹ý*!ýz#ÂÉÐØ-wå£ÕáÅckè$ÄŽè
 %to “òlÔþ@pÎ}"3´óÞϳÎ!íBfC:cÍð*ý^QëºXÎß.Å­J­qz“å^z—U·ÔJè1ËòômÝüwúóŽµ"bVg oÞ¼Ù½ŒÍŒ
+æ0¯
m:µË|¼Y¦âQ¯æcܨØÆŒU<	mÕR·LKßéŸ	=ˆ|JzSõ5ϾÊê~æ-WÙ<­ù®¤æiR®È°‘x“e
+[cZ¿dùÄ[ø”ä«dyOÊâ­ã¾MÂF©‡›à¼˜ÍŠ»,¿PBˆß­‹™²|j¹½
+Ï„TÊÔk×ôÜŠ.(d9ľ®»
‹‘b²Éí¶½	0ÂM±Ìþãö>L|Ç4-'ËlìÄ8ï¸X§Œw–€•­Q6—í-øjIû¤"õËd^o’t¹v<½#Ó@{OQšºUoG-¿…Aª+ÁTI]^x¢Ã%z,U6A·J²œïÄ—"ÚŽ†3ºÊ+ç,t®“ÙÊë]»À;ŒAË ÍêÙq#¯’½P@ƒ]¹Ôc‹;ÆÀZ
+¦±‰Ó,I–¬“l–Œg^Å»Uú¡çµÚ˜r}U÷}!D€D£NF}–‚úm²NI– ^¡ñ‚ˆ{²L²¼¨HZÞw9ÉÜÑc¢ú|¸Ð‡$FgkT[ñ%žñÖèôć=)m]Q†¢¬¢a‘ß{(ºÃz€ÜÞÒhHR¥€²l
+Ü“M0hN· qU;³5ög¾e3¦mã2jÇêÑ¥4ÌNô;ðÔì^þ&eÔȨ˜ŽÑÚ#7~Bð¨9ÎêÃìá§uòvŽ)%qwB53¢¤ÂÜE¤•ÊÕ|ž qQ×V”U;YÝ@—¬(§e–Ûb
‘൦€*´ÕQ‹”îHŒIªö”üz»‹IGÑ¥×Õ¼(Ñ
îÍVóœz\î^«B¹8nv Ð3`0%yy?3RÎbËy#D½FÔt7XQhbZzu2Rú™šÄÆچΥ¼¶yÀ6´tỨʚûòØtSÄwÿ2}&É–%èñµ,2’Šë’ÆËìæÖ£ç´\f8ñõ&[§ÞÙàtI”æè)ª+Ý
Ç!tŽõ¢æÐŒ|ÁÚɬ,HR3Wä‹æ¶©­¥EbS/GÒí®ñªrS˜ÖÐÌëN‹É
+uïâpw{êôÇ)(gˆË®´›SWÒO|P”VÄا•;°M	L“q6¾ÇàaƒwÓi†ƒ—&еÛ{Ðœ'÷Ô $È&=[ÛiJ’ÌOO«Ã%?N#yðOwïqÆvÅjžM§55›ÛéwJCÖs—ºÛ“4AE©Žòê®ht8ìÖ¬"i64¨Ö\"å
+;:Ù¸>À‘÷©‘þt«éŽ]v¬"~Xƒûê'»öuÑb1ƒScìϲÇDþðÖ ¢=¬"jÓoûNd9ãqOIÍâ0
+úÂ*¹ýáYƒjZX=9?ã`Ê7ëÛ¦´à.Åb+åæƒmáiAmDOÁñF1U˜Wž\Mh¥‹£Y-WXA Vq{ê’C*ÓkÏý²Å jÜ€IH[f÷~zd²±qûj+váÃ5ÓæG|†éß+¸­C8Q"Ã/;Žrv¡ný‡‹Ï¤zšqJgÀK&)lÂ)Px\ÃüÜD:ödzD1hÃmÂ’Ú9à!íÁx븵gdO«
ÄËýËÆ#aöKÆ‚¡ÔV°ÌËüŸ‚%Ÿ¬¯¬×f©œ…	;‚¥#ñ&VgÓ¼äÝ61Ù¾UŸ}¸¼ÂŠ‚»:½h°'m9ûZTõꀆ’	#d ¡fpyÓûdŠ¨üæî¯p(>ÛU^®‹bYQ1K`SÛ²ùÞq à­Å-àŠ3É»ØVYÙ
£«‹ÏÙþ7.¾.ŠâõP1ƒuœ°R
+«H×è/àý<hùz´YÉ
“VGxrËâXª
¼(1³|̲éæ“È&Së0mÐ7À—ÙMžTþ£ñä[«:Vä…
™
+¹Þ¼°³p;máô3þÇ3Šƒa_ë_;£àÆ<,~$‘Û®+1ˆX2ëŽAÄšÙˆê¤w«êöËò~˜þ·8ÔÁðëåŽ*–Þ×é&óÖ
+ΰuºI\,ʲtõ¿ÒIµõÖŠŽ6‰#ÎBÅ;ª…ŒSW“õP	¨REkHŸgËÕ£…SÇpsî¢#azA5Âï×K¥ÑP
¿þ~>ìÆò_E^ÿKs™äåuýqã)zèDvãõѲCh˜½d5ã†Ê†¯‹iR¥”§F*$Ýà~¸Ï“y6ñU®³ñBt[®mÞªivTBÅLhQWø)?)	¨àê]^Â4ÈX¦yµ¸–SGœ”ÌpÛµã¥cF4ŒÜýk¹ÊñÿÌ$å¨o1Ýâ ÑÊ¿A´åíÑîtÁ™ÑaW ðW&@ñöÉ8ÿö~*耲åæ±&§™A­ýHrÉd¬ãMnx3xÉÍM`?€-玿ذ¨+AU)nL½©>Þã«ê~7.¾D vÊ°9SBìú	ïu|è.7?i#¨‘c¹û·d,‹¥zJ³Ðµú1þ—™^«åúBiGgendstream
 endobj
-1652 0 obj <<
+1650 0 obj <<
 /Type /Page
-/Contents 1653 0 R
-/Resources 1651 0 R
+/Contents 1651 0 R
+/Resources 1649 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1619 0 R
+/Parent 1628 0 R
+/Annots [ 1653 0 R ]
+>> endobj
+1653 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [84.0431 732.5838 145.2431 743.9759]
+/Subtype /Link
+/A << /S /GoTo /D (statschannels) >>
+>> endobj
+1652 0 obj <<
+/D [1650 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+554 0 obj <<
+/D [1650 0 R /XYZ 85.0394 718.3947 null]
+>> endobj
+1326 0 obj <<
+/D [1650 0 R /XYZ 85.0394 695.4159 null]
+>> endobj
+558 0 obj <<
+/D [1650 0 R /XYZ 85.0394 492.5344 null]
 >> endobj
 1654 0 obj <<
-/D [1652 0 R /XYZ 56.6929 794.5015 null]
+/D [1650 0 R /XYZ 85.0394 467.9557 null]
 >> endobj
 562 0 obj <<
-/D [1652 0 R /XYZ 56.6929 627.067 null]
+/D [1650 0 R /XYZ 85.0394 360.5123 null]
 >> endobj
 1655 0 obj <<
-/D [1652 0 R /XYZ 56.6929 601.9463 null]
+/D [1650 0 R /XYZ 85.0394 338.2011 null]
 >> endobj
 1656 0 obj <<
-/D [1652 0 R /XYZ 56.6929 601.9463 null]
+/D [1650 0 R /XYZ 85.0394 338.2011 null]
 >> endobj
 1657 0 obj <<
-/D [1652 0 R /XYZ 56.6929 589.9912 null]
+/D [1650 0 R /XYZ 85.0394 326.2459 null]
 >> endobj
-1651 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R >>
+1649 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1660 0 obj <<
-/Length 2375      
+/Length 2927      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZmoÛ8þž_áP³|ÁhÝd×l’&.p‡Ýý ÈJ#œcy-;Ùþû¾É”-ÛIëäb‘Î3Ï‡‘†?ÒÓafxOŽ&¢—?œàÞWx÷Ó		4ƒH4H©>ŽOÞŸ3Õ3ÈH*{㻄—FXkÒO~ëþp5>»>Pû„Äý£‹O¾ÇøŸáåÅùè§/×NïG—¾ûúìüìúìbxv:0FSÏaìÍØ
-#oÆ£áÍéã_NÎÆÍÒEÌììÿ<ùíÜ›ÀZ9Áˆ-zOÐÀˆC{'\0$8c±gzrsò¹a˜¼uC»”&˜FBSÕ¡5Jº´&’Œ2§5»P‚øé€`+¬òÿK¿ÚÑûË°ìe¶,ëe™×A…Õj¶,µ]<ˆ`‰ÜPŽ'Ü1ìˆ	ììC°³í<²s­lqJt¿ðIñ;ÆtVL|s^,‹„ïòÛ¼¨ßÁÌ0í?Ý—ù}›Ÿcª
- ‘JZõÙ9~ùtÅ;VB
„D¢ß±À@ø~tõÈᙼëà+€-3bÍV¾„­ÜÅvÀ‰@Œ)Ý‚ŒÔ
»§­bJ%üpÿ´¢ÀG®ò%\峸~™•uq¤HªÂÒ
¨æýOÕCVÎ<ó5¬ŸÍ&RAJËÀáüÓS¶óoâ)¥x"ɨöªyá æžW˺œ¾±¼wøé
ÃHܘÀœºqѨ&«ia'aƒQÙÍìéx8Š»j:­žÊÙ×ПÝN:Iº$¢ÀÓÁ‡ÃdÿÙ±j0×Qoãÿ\u°¡qÉY úW‡RF Ø(Ç{ËÜÿÔÅÌéfùÙ¦KµyQ-ýûl:õ/×ÎìFGgv4Y9«†8AÒB²6¬ïª…2#ND_ÿ‡.þÊ‹ù²¬f!*%²pV-Eᱜ…±÷áݤ¨óEé†úcŠémsÂâp#5CRÒg…sÆ5RXm„óï'‚×:Ú9?¯ðG´Y
šE
¤"V&Yo±&…8fLô¤(Êôo·FrCûŸEn¨ŽÃ^£@e½TÈMܪˆÁfÈaÈìÝ\·XÆ»uÁÁ©l0Šºhûd£É CÄÙëšê{\s§ƒ_Btêp_È”¡&ݬãIâxÏ*Ï‹º¾[M§ßNaãéƒçrÌúãû²öÁcýÐ2°˜9dž‡l>Ÿ–ç±¸í©¹seïZÕÚÅ:¶Š„¤ä9Qš3Wä£ÌNX%öú1¼.¬€Bk)ÁŠÄ©¦o
«sÈ¡e‰Va_€¨M¿ºƒ_‚ÎÜ~f;ÃŽjá¥u€—%jàe‰ÊÀÁÁ˾ý»Â+±Û±àõÜR0ÂÁHA”yKx
§U]¼ lys;d²Ç(Éjµ•¼‚Q„ÕÚãÅ£`fq«ÞÒ(ËÙä;|ÞÇú¼ý½!‡ÅkŸße²TÇ59ªÉ´F˜²˜€Ó†ÄêM7ÿa5›ý År`QäËm­¿³›)‰°‡26¡’‚ò·6ÚAƒ
ƒYšóKQÛ#aYßǃKGê¶Ód‰2Že3&ì€/ÙãˆÝ6ãpæÄøÐ~%¤BÒ¨7M‡>äö4ù®&w®&ëgŽ‰ó4Û]Îòê¡iåÁ}Ûsøsv÷θ™…p—C’¾ÏÒ¡û}–N˜O£bÆ/\ÆýÝ#ùú¦ªûr†JÕÓ}ýB4ðá‡S¯QÁYûþÄæ÷€:AË!ðuA9œ	ùÁ@Ä<õö >èQƒSÉT‚ÓÚvè&](rê6]®¨kWÓ®|úoníCŠ[Û¶¸u¿;pkï´Ù[À6–r/n)lä¬ÑÒÑq›âX¸}…³)×üÐÙ”òMƒñM1›œ-ki ˆVöº‘)æ®ú˜âÍ•¡í«—‚ãê"s¸ÐJã!^­©ÊF[϶è<—Öój6©›ƒéöJ8¬•šxõ}Ó½J'"jm}ãó¶¦
-1Iš<Þµ:k7¦Ð»ššþXÇÛWˆ¬œs$„9PE¶doÐë"|)@)öµuªæNú<Öò¢|,üËN©á1pãóéjR„V±æÞTŸÿ«àö~ÍØ¿ñ÷ßÊßñ7¿Ô6¼zͼ²‘»t×哶Ho¿…«øp±>þz’Û8Uß|€ý$ûºç&1ý±B躀úÿ¸Â'Ò ¦*ªVíJîVE—a‰45Êÿ€\Óý]¦Á;%3IAW„‚î°z˜ƒÍoËi¹Öy*—a³“iMÀĬ!·BLËO4„ÆÝU¬l®‰%“íºð¯UmÃ3¥­b0£$©Ù·Ëû,Ð=±¼c©Ö¥$÷²œuMÛ˜)Åþ˜ÉÀ””®×cÙe-QÓº
-S]ÍçÕÂùÇN¡Ç9£/j‚Р€ú¾zš5‚bRql£œÝVñ¦ÔêĆ
{·ús‘VĶÊc±lv[­Bu­A‹xi°.ãá`W;«aø|^d‹­J[½1¡ÍÏ$0„lMz#¢Áß‚¢AJµÇ	"•ÐçO“ëw7öÿVUOÀ¸Ø+¼¡êÞª¢J˜%Uº-~ì5À¸L
­5´¸·àЛ"š·Ež­êÎظËny^@”ÀxNª"L!HýlRÍÃ\m4¼tTû‘² ½ðèUwÕÂgI¨àÀ(°icó)[¸ëÂŽIJ gq[Îê®ÕBšn$yQÒ`ZNvbŽ*û9…dû1—RíÆ\Cå0÷áßçÛh#÷%æûÅ6Tr[hƒ Ê`KhùÀíD2vfîøV6å”­‚øúüg[ŸWÅ¢ŒÑ¡ö'ÁÝÊ´Ù.×8¥Ú£ÌHå”9ú¼¥J8Wq{´Û+´¡êÚþüT®•i‹=®*¯ÃõÎ3uiË4‹ºL¨öè2R9]^Ηõ60JÂföûÄ6Tr[Ú´µ·Ðf³‰$ñÏÕvÇ?È¢@ê%!ÁÄ«Ø›·öÄd#…¬µJ¿/Ù²µÍƒu2Ÿfùv>ÛìM1ÆH—Šqïàåøs¿\=i‹Zï"Mrgå´¤6çÞ|UØ1ùÿ¥ôÆ[endstream
+xÚÍ[[sÚH~÷¯àQ®
+½}¿ì›Û³žš±ìÙšÚ™yAN4ˆHÂŽ÷×ïé‹DŒ!)Wª¢V_Oç~„IÃ?ÒICMOŽ&¢7œœàÞgûé„„9ýfR?žõþîä—Lõ2’ÊÞÝC´—FXkÒ»ý‘HÄÑ)쀓÷W×çæ´ONnïNOÎìwW·wWnOûÆhš|ø×ÙÇ»‹Ÿ%£…¾',ÿps}yõÓoƒ°Á͵ï\\^.®?\œþu÷óÉÅ]{ø’3Kýד?þ½Üõ猘Ѣ÷/chorÂC‚3ÖôŒOnO>µF£nihœkÀ
+é+Ž%[ŽõG`864¹Bšbµrj_¤³;R˜¨1mù@IÄ©á–Fõ”0H2Ê>•Ï·óá0«*‹¬`Ñ
+¢
Ðj8ãæγ2ϪÓ>3&)O‰N²j>®³ÑiŸcœäS?’úGå·}˜C÷´zÊJËàŸ:¹û’W~å$ƒA{>Ô'!¨;±þ’Y²ä+ýì›O_òáÛ¤†z^Âj7–úÇõÍÅ`p3ð/ÐY1­ÂfOyý%̯»NgiUÑB%Å4ó@=´e2 ßéo`[â\œ3
+užpnÌŠAˆ Üj#úíÌ@¥× a1ŸÖ–$+ãŃÎ<y1¯|ÏcVVy1­–çEºƒÖÔs¤Œ"½Xœ“PÎÂ’‰Î/ß²Y±QèJÅ™‡]4!²‘ù³yýålºÌ[¬–eÞöX™·Ïö+ʼNëü1]‘¼oDxAûah|O€¥‘ˆJ£·#,AZHÞ |]¤ã>å 4·×é1Ÿ‡!_êXÐS†ÌV?²¶e³b#ôŠ"&Ìá–Z!ƒIkÐÙCV–éx‹Îù
+ضÇYôv$lêz–Œ¹0¬1…0´j
+»ÌzáµÁ0*ĵÄróe°PLøÙ؇1x!3L ¸ë>[6+6ÊÀÂÃÛEFa›V[¿•e•Õû¨'U«ê	=N=á¹ðÀ‹i·•ÁCkZøç(­SÔ%,^²ˆY—,×ieÉ=;e	°–µNvºñšŒ!®Y•%»³•û\–%Û²d»úŽì>à5f/¹éWÛ‚‡	Æwu
¦w¹
+
*Z×p‘å$–¶†qÂÇLR¸™#·Ç~3èþc:…>wjÓéCB¼ª&¿·óÖåÖïüJ¹-ã{¬
+®&`þã7‰cùiaRbŸ-››—Ø›í¨	Îg†6r{>ŸóaZ[fS&’tì#·^µÅhúZ4Yµí´®³ÉÌ»;§ðÏ…´†5÷óÚ7FyÕ_–›¦‚1_’ Žþ™}Ë«:Ÿ~öo¶ŽtJ’gÿæ£PÛrÄÙF•NBëêcØh4
+Â[½ë’ØYQÖï€8ÆÛ*5ÉÕ¹ëƒD6Ãõó,ó£©U%;:§UúÆþ˜tôìÇî3G¶mz‘-ú]çÛªQ6“¦­H©.S_÷ìÖ2°úRJ9jùß¡f J®¥^voP°-†.ñé¨Ê‰õaŠ²Ð= Zò½Š²ÍŠMºÇŒ‚ÅxGàÆ5ìY#Ÿ—Ål²¼SÝ‚w±µ¦°Aï5àÌ¿mÖ}¨ÆxC£uЭZR »&ítÙ7+oþ8F“é|rï6aıÎö-4ξEŽÇ/"0îi„FÉUÅö
+)¨l4	ð I¶Ói’mMZê{
+7òoÕü¾Êàìi=~Ws;h¡€W'5OŸm47·m{sûŒv°‹›v6Õh_¡‹Zw0•¯pYãõ'¸Ê¬ù5:XdèeÕ°ÌgM’M%R땨ÁEW–¥÷ż^5K›€š‡ŒÄ0êÒ?X~îùÆ úFÓÎïÇÖ•w}ß­ˆ/‘¤!|µúŸ°ö±¨ÕAÈRõbm7K@	€(xdК_°NèëÜv 3°‘«ú²ÉDq‚ `øqÙC0±òp«ý]†¸¬íŽ€yÇ”¶‰¦-ŠÌËl·#¸æYS*E‡0)“·Ü3ÜÆB61Ì[`…‹`pCq–`¤$o¬ËÃFêúíÌåh¥ˆ“9˜þea°#a°ã~Â`{@úZè亨³µ”¥7ï4´QpB5'ù¨qw6?ûÑÖoÞ§Ãÿ>¥>#òCÃb2Këü>w†¡yýì³ro¥]~îs´Õú¡MÊš[Ú„	S¸L9IÇã°Cê“¢ñaöÍe\Ygø¹lœ„RÍ¥+ÿVÍ]­´êò¶N#I#HöÛ˜K[ÿî`+Pë&DìöÄ I•X(wƒ ‘€B)¹š¦6Ü"y*æcç÷qUøÎÉ÷åÓ:ôÕÞÀ	›XÔ€gGb¦¿s%±ækA‡ÕÜìj[)Â-U¶9-j߸ÏüÓEAðœ8ÌÁC$9$n­Ó´:tNý´Y™;ÙYçÃl‹Å‹lɱ,ÞñËÃ,”2œl·x¢x9´»öïå ûzn¿»¿ ôCWµuÉÿ¹õî»R™N«/þðjuvœÕ6¬Û„gLéÛ­ƒ#ÍÌ85AdÛAôÛl	uùô‚\ÂÏŽë¾à#XÅÆn…rAäÛý¦M¥@Z³•<*
â
+ó%(«Ù+±\|Û̈Î7Œ¦€ð“j¹M¡ Á¼yxÉ—}ô9†ì/zìæ´Ž¡öÛŠhDëFBh£ØŽ¯¸”´¤è/³›`îa)=eoü7+”a„‰ÞkSÆÄÜÄùZq¬^(~ao>¢íÞ»7%RÁ÷>},³2ûz†Þ\þ
[׊%¸ýåHˆ¥'•Wyk	Ï.D÷;¿ùÜù#RXÃ%]þ
é«5dP"m8¨€sÇØø<ª&¬U¨ÒˆkW™µ¿bCDÑü>–]éö‡»ÞŸö	Æ8ùOsý
+ÙGMÓé0tÜÚŸdUÆ®~hR’¦€(!ÿõˆù¢ßá2®ážŠí‡a÷ª†|DMj/Õ'¢[Nª¡Qœz	`…êÙ
+‹ÈÉA|û<¹/ Ãݢɹ/ÕásWŒ‡Ê‰±«gF·Eˆa­¿0ƒéMÒÖBA88*ßçÏ7óú‘wXê,x“Œ^}„IáÇun3åÆ TÙ´F›ÑsdÉ7žP6ßkD_ÁN¾;ùì"ªÞ0v`å¸r;v†€!§4‚îjzÔ…/YþØ´F´½ašóí*˜ÒøÀCDïeF¤@rL%ƒH]°íJ…ˆ &B°»l¶àÂvÿ©x#ˆ>˜ÚbDÞñÆHQ©mñûW&ß5po§ˆ¾ôOn„ÄXqM»?´!Äv/‹›‘kñ!Áˆ2I›Yéÿîr`endstream
 endobj
 1659 0 obj <<
 /Type /Page
 /Contents 1660 0 R
 /Resources 1658 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1669 0 R
->> endobj
-1661 0 obj <<
-/D [1659 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-566 0 obj <<
-/D [1659 0 R /XYZ 85.0394 769.5949 null]
+/Parent 1628 0 R
+/Annots [ 1662 0 R ]
 >> endobj
 1662 0 obj <<
-/D [1659 0 R /XYZ 85.0394 752.4444 null]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [305.1296 409.1267 384.9596 421.1864]
+/Subtype /Link
+/A << /S /GoTo /D (clients-per-query) >>
+>> endobj
+1661 0 obj <<
+/D [1659 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+566 0 obj <<
+/D [1659 0 R /XYZ 56.6929 172.7706 null]
 >> endobj
 1663 0 obj <<
-/D [1659 0 R /XYZ 85.0394 696.016 null]
+/D [1659 0 R /XYZ 56.6929 147.65 null]
 >> endobj
 1664 0 obj <<
-/D [1659 0 R /XYZ 85.0394 684.0608 null]
+/D [1659 0 R /XYZ 56.6929 147.65 null]
 >> endobj
-570 0 obj <<
-/D [1659 0 R /XYZ 85.0394 401.8966 null]
->> endobj
-1668 0 obj <<
-/D [1659 0 R /XYZ 85.0394 374.3052 null]
+1665 0 obj <<
+/D [1659 0 R /XYZ 56.6929 135.6948 null]
 >> endobj
 1658 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F11 1431 0 R /F39 917 0 R /F67 1667 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1672 0 obj <<
-/Length 69        
+1669 0 obj <<
+/Length 3081      
 /Filter /FlateDecode
 >>
 stream
-xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
+xÚÍ[Ksã6¾ûWè¶tm„àý8:3vÖ©ÄÎHÚTj“h‰³F"‘²3ÿ~»	R„dJ”b¥Jå*F÷‡F?
(ü±U„
+'ÆI¢(Sƒéâ‚>ûï/XÝfØ4†­¾›\|{#ÌÀ§¹LZ–PkÙ`2û-ú🫟'×£Ë!W4Òär¨4¾»½ûèkœ|¸¿»¹ýþ¿£«K#£Éíý¯]ß\®ï>\_³úË€BÝw<ÁNuÏñäöÃøòÉדµ¡Œ
+äþÏ‹ßþ ƒÈúÃ%ÂY5x…”0çø`q!• J
+ÑÔÌ/ÆŸÖƒ·U×.Ð$e„q%Ca‰TÊîÖAaغÈqJm:dÂ%ƒ¡4¡P\OgÁD0)ˆB
ŒrD.ª™ß_ݯʉè@t\Œ’FÁ†·?C#íý•/ü¹J–iRøE’•dc	 ­ù dí}â
+i‰EÁë§DPJBU}JC´1,DP‚ ~‚k猠à„	%ú g®æê×›Ñ(ùó(%Ä>¾´¼d6JÉ¢Lf{ðóŒÉsÇCKKy~\ Xv¿cTðxüÆÎ?j	ç½èXÆ´åo¨ßíÑðµ|1zÚiµ³=ðiçˆUZnÀwŒö
_ÈØiñc'ÅÏJ"˜ìóÀÚâ(óø×Çåx5&EÑàÿò,ñ°•Ë8+“å_‚“Ù^H^ÏY%
'B¹¾­"NjÖ@z§óâùäö‚py*0Û0²/.Å>†š­¸ôïõjaÚnf0äšYƳoâZA5±Ü˜/É	W|GÐÝš:ðÆ’WÓ€<#ârÈ(…ð>)òùK3ã2.Ó¢L§õD|ÈWY™,‹í™p²‹²Ž(ÇÍAÁ<¨Ž„©;
+³ÎN
ô„ÀË3T"Ma‚ÜÊ…ÚÈ)Ðye8YÇ£_ùü&Âñ*#²5’u½à’G“bºLŸË4϶‘TBXVzŽý>a5ªäéñÑŠh»KÛÖø€.sm}´ù	bî¯èÇ•Ò:ß¼Î>u
+†šDAS·=ÈÞ0wZÙ鄤ÕpÃ{T|…°€úhõñÌ­JFL/~R{°>Þ÷œgE‚%©6ÑhtŒzçäIaÕ4I_:|T‹fËéÙ‚	¾Æ2m{Љ$rM}šú½h¬žíâf†XÍLœœ)­Fï~ýxÿÓÕíø	!U4‚ßýp¶ŽÀ/àílÕ‘BPIµêÁbéDí}¯G¸çøËÍ¥RÑÕí ”ÊÊh´#Ý{C?è›—Øû@fÏP€	^³w-!Jï®oîG?]ÚÊJo®—Ë~ׇ/dí\׳„8ÏÈ=ðA­,÷Îú¾|J–€Y¾DMd,`ÕÍ×,+óåQæ1dõlµÑÀS²4 šﺯ?ÞéaK›þN¥ðµ‘Ï×6Ÿ\Õ¾gˆ-ƒ§ÂPA2gŽ:vhzìÀQ­UŸJjF Eöû§´XÄåô	Ò)ð×Wϸì¶7ìÛ6Ûz9„Ü5š<%þÌ…ïwûñ›·þUe“aú†¹Ÿ )Ò,Šg³ºS4„Šâlöm~‰´ªåSÝr‹vU·Mí9_–¾4Ë“­ñ½'Érlv#6_Ÿâºò5.|!ùë9™–^de#T9/6¼«A«¢.=TïL¤„ÿ/»„¯¨;Í’ß)åY2ß,zøê«QT?cálÈé­åõ„Uƒ¿V6ƒß(¯RPâ׈4&OiáÇZÄõ`ÇðŒ3ÿ"Ífé4Vlã–x=ª6Ù¯òÚj¡åþûÇ4ž>Õ[>ÏyZäYš}®”e²xÞ“Œ„šþ¾¥óÏY4èyZÏZ¤ŒX§½A›\2ð	ËU6A‡úWáäÒáJ³QÓã}AtËï¹úa5dn²'#€’“Ì۷㨘¡èl«r/ª¾Â6KæÉçÕ÷8.ÏI#¡«Ó=HCœÕ¼ÎíJt˜”cpì3|j}¬‡®l7ž“åc¾\ìÒ3yÖY‰Ðò5Ù“•­	Œµ¨\=t[ä×ÅاYæ³U³[ž7M^6†5ÏJ'Î÷ p~*t…‚4RC²é±]®‰‚Üc?¸JjT°¡8Χ_o‚а£èÐü3NjDÛ`‘bì0ý’”'‚û“Ñ}ufÕÓ|±È뮞^\øíÜmoþˆÑ?s…ž°Ä7Pÿ.-ü›Øÿøzô¤øbÍeÐ8K^ýoϪ¯Duéˆkå©gž.Ò2výĸc¾¶Š~·r=ÊÕNÜûá\¹LB.!úœ	³„3*[åšà¦@ºHòUy”,}Ÿ} ­½£œhmûÕ„7
+ÿý|•Ü$6㦩0BFãñ×â¨}þ*c@5mÃþ:uCº}L³—üË^‡0®Û
+\CL.z
+Ø"(e[ë£Ö'8dþ\5˜K èÙöâ–!¥ÛÖàÃÜÊ¡š»÷<»E5àølQ…ÇÒ¾tÒá¹ÙVÛƒQÕ'D5àøl„6¶/ßáÊ)¤Ï!©rÈx~å3è~P?ÞÇ×IH¢x}¤Að.ù|ˆFº
M„b}V%ã/‰¯M3Lƒf€õ°+Þî€@¸÷¡õª05„rÓç³%š	·1‡™Ö}JÜkHæNf€¦rÇŸ5]º!tŒ$í1ÌY¢•õþéÓòku8™dÙ™äúžZ6­öJETÆUÒ„yZæóEŸ•¯²YÝ©ºÙAዸk<ºÆ
¾¢>³@*žJ}kƒtet×18À·ÛÁ\âU©f§·[ Öu“â9™¦˜÷![ùuÁ¤ºËvqVeŸøþqT>ü„©è6óýê}jÜÇkÝÖ¿ï‰cHƒ’¾•?[`LmÈj$n€¡€i4X°ò›g¿µÝwȆkŠÃä[ýʃ‡¤ëfÈ!ëYÂp¬™†o:„Ô„Y)wËhñðFéÊØPì“ÑBvª¥Ú”‘÷Ë)	è!]Ò2P	«r—¸’ãF{Bq×{Ä•\.ÜwÑ!®Åë×fS\¿X¤FcºÚ§ÓoϾ…VÈÓ°¦Ø€b‚pÃù&išC»‘úó³!Fo8mžy#£lµxÀCmvÍÖ­/£áק¼HüûÐú—q³†?’ò5I².£&MZ³\‰W5A»4'Æ	~pkŠÃd¸†p†ÓÚ4CÑò§Ã?†ú·e%Yå:l7Å«¶ÍTt²é|U@¸T»gv³.
4DKÊv[£‰3ô@Qb÷íNjp‚Àb‡½1PVhÍëV»ÔOAÐÃx zò×Ñé|žÉnÝ
+*£›|éß­ý„šJ³éO‹øê™ö§—ø"/I–ÖÎ
+*^ëgs>Ûeç$̦6z·¡“¦P˜e&ÀžXîÞoèŠÃd‡¡ƒÄ9ÉÚ‘‘CÚièT+î£Ðµð”à-gêù±be},¬FflS•“¬:OVDÅS¾šÏ°,==¨ó+ü¹Ž4 qR7ˆ‹N|aݵN§_-!d0ÚÇ9¾5ÅaH²_[À¶#WŽäß]«réu@	žD2v0Å
„d‘ÄYm]Ñ&;¡»¬+8·µuåÊÔ‡î6¼êkëŠõ›Ö_®­+¾†°,žûzX€·ê'~ðv.¶¯N¼™Q6DK`v)BhÞïÓÖ‡!É›B1\Ëvä]N$èýý\lš]‰Pb¼3gi¡Ã¿;9ý'œiŒ~Á ‚„†ùëx;¿:áx™ÄQÿŠµþðg»ôn‘ú…wûÍ»4DàU—õ”‹)¯?†ˆúb¨3o'Ñâ=½¶YÀüÿëöendstream
 endobj
-1671 0 obj <<
+1668 0 obj <<
 /Type /Page
-/Contents 1672 0 R
-/Resources 1670 0 R
+/Contents 1669 0 R
+/Resources 1667 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1669 0 R
->> endobj
-1673 0 obj <<
-/D [1671 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1674 0 R
 >> endobj
 1670 0 obj <<
-/ProcSet [ /PDF ]
+/D [1668 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
+570 0 obj <<
+/D [1668 0 R /XYZ 85.0394 627.067 null]
+>> endobj
+1671 0 obj <<
+/D [1668 0 R /XYZ 85.0394 601.9463 null]
+>> endobj
+1672 0 obj <<
+/D [1668 0 R /XYZ 85.0394 601.9463 null]
+>> endobj
+1673 0 obj <<
+/D [1668 0 R /XYZ 85.0394 589.9912 null]
+>> endobj
+1667 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1677 0 obj <<
+/Length 2372      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZëoÛHÿž¿Â žÎû;кɮØ$M\à»ûA‘•F8ÇòZv²ýïó’G¶l'­“[ˆõà3ä)ÒÃðGzB"i¨é)ÑÀDôò‡Üû
+ï~:!f‰)ÕÇñÉûs¦zIeo|—ðÒkMzãÉo}‰8:¸ÿqtñÉœ¨Àý›ñ©âýößxt3
oNÆhÚþüáj|ví©d2Ð?	Ç—磟¾\—þñõÙùÙõÙÅðìôñ/'gãfé"	fvöžüöîM`­¿œ`ÄŒ½'¸ÁˆC{'\0$8cñÉôäæäsÃ0yë†v*`D™¤Z£¤Kk É(k´F?ŒA]Uþßbé9zt¸Ì–e½,ó:(¥ZÍ–Å¢¶‹,{Ê‘á„;æ‘1½¨vö>ìÜ]¶8%º_ø›Iñ;ÆtVLüí¼X	ßå·yQ¿ƒ™aÚº/óû6?ÇT
@#•´ê³süòéŠw¬„„	‰D¿cðýèê‘Ã5y×ÁW[fÄš­|	[¹‹í€Sº7 !¨:vO[!Å”Jøáþi+D'Ž\åK¸Êgqý2+ÿêâ
+H‘:U…¥PÍûŸª‡¬œyæjX?›M:¤‚”–Ãù§§l	æßÄRJñD’Pí…UóÂAÌ]¯–u9)üÍòÞá§7`#ð²Æ>àÔ³ˆþC5YM;a%ŒÊþhf_HÇÃQÜUÓiõTξ†çÙí4 “¤K"
+<|8LöŸ«cpõ6þÏÕY*—œ¢u(Å
âï-sÿS3§˜uæg›.Õ:\XäEµôï³éÔ¿\;³ÙÑÈŽ8|ýþºø+/æ˲š…¨”ÈÂýYµt…ËrÆÞ‡w“¢Î¥êØSL'h3˜l=©’’>+œ3®‘Âj#œߨ8¼ÖÑÎøqx…Ë8¢ÍjÐ,j ±2Éz‹5)< êp­zR	‹åãù·‡Û
+ì"¹¡ýO‰74ÇÁý91vôZÆÍÛjˆÁ^ÀaÈìÝ[·XÆ»UÁÁ§l,Šªh»dT…dˆ!ÞìuLõÇ䎹“Ë%Ħç…¬@Ù­'Û¬‹f$‰fà;«6ýê~	v0s›™}¶S‹.­º,Qƒ.KT]öíß]‰ÙŽ…®×ß–‚v]ð+ˆ2o‰®á´ª‹-°nn‡LöØ$Yì±ö‘W°‰0°Z{´ØoÌ,jÕ[Úäc9›|‡Ç[ÛX·¿·À"¤¯xíñ»,–ªâ¸#Gµ˜ÖÓpÎX½éÆ?¬f³4X,Š|ù›­•ñwv2%–â@²&”ARPþÖ6;h¯a°Jsp)j{,ëûxbéÈÚvZ,ÑűLÆ‚Ýï%Û_±Ûd›Ø«„THõ¦™Ð‡Üž"¿ÃÑãÎÑcýÌ1q~f—³¼zhîòÆÞþÞsøsf÷®¸™ü„äœp—>’¾ÏÏá>>÷ù9a>ƒŠÉ¼pÉ<ïN–ˆÈÉתî¢•,VºË.D~8ë€Íœµë&î¿Ó	X~€¯‹iÌá4È…!FfD½=¦âyÔÀT2•À´¶t…€.¹‡é6S®¨ÇjW®|âolíE
+[{oaë~wÀÖÖ´Ù[€6–r/l)ìâ¬)œ¶	ŽÛW8”rá¸ÉJ¹ðL¾i(¾)f“³Åâ n-
„ÐÊ™b®ÀÇo
+…öY
¼üœS™ƒ5`VjO§ðj}:U6Öz¶Eç´žW³IÝœH·WÂa­ÔÄ‚÷M÷:(¨ˆ¸ÞuéÅçlLb’DÀºæTgGAâF‰z7@SËë\û
+q•sŽ„0ð©(–ê
ñy]ä/Å'ÅŸ¶9ղᙇZ^”…Ù‚)5]MŠpW¬¹wàÔ§þ*àßVÝ׌ý_ôV¾°ß„ý"PÛàê4Uweãvéj䓶Ho¿…ú{¨¦†¿^…Ä6NÕß>Àn’}ÝSxI,¬ºîšþ?êöDÄ@e@ªݾÝjãR¥یڎkº¿‹Ë48§d&éâŠÐÅVs°ùm9-—Á:Oå2lu2m¤˜˜5äV„iù‰Fc„9ØØDCRÑnÿZÕ6:SÚê3J’¦‘}»¼ÏÝS{:–jÝ?r/ËY×T±
™M°#d20%¥ëõXvYKÔ´®ÂTWóyµpþ±S(Á ~Îè„š 4( ¾¯žf„ …Ø{TqÁ6Ú¿Ùmõ+¤V'6lØšêÏEÚÛê‰Å^Ùmµ
+-µ
+-b½`Ý»ÃÁ®aV5Âðù¼È[íµzcB›ßF@GˆìA6Œˆ2|Ç·žhRíq‚HåôùÓäúÝý¿ÕʃüPí—ìI:䶚¦ÎK
€n	ûµ3.S(ÃÝT\„º7{÷yU,ÊjüÛ­I›ãr}ÀoSª=šŒTN“£Ï›2]Y“ý2#Q‡ÌTÚB\¶%ó¸z¼õœg*Òöd$™PíQd¤rŠ¼œ/ëM©´D¨Þ/5uHmAûÂOKêU6»Fö\;aw؃´Ih¢^	LܪŠM±ykLv¾QHS«ô+’-CÛÄwQ‡!ói–o'°ÍføbŒt)÷ŸûEàúI{<ÔzGôÙ$kfå´¤·1¾ì˜üÿJ”Áendstream
+endobj
 1676 0 obj <<
+/Type /Page
+/Contents 1677 0 R
+/Resources 1675 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1674 0 R
+>> endobj
+1678 0 obj <<
+/D [1676 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+574 0 obj <<
+/D [1676 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1679 0 obj <<
+/D [1676 0 R /XYZ 56.6929 752.4444 null]
+>> endobj
+1680 0 obj <<
+/D [1676 0 R /XYZ 56.6929 696.016 null]
+>> endobj
+1681 0 obj <<
+/D [1676 0 R /XYZ 56.6929 684.0608 null]
+>> endobj
+578 0 obj <<
+/D [1676 0 R /XYZ 56.6929 401.8966 null]
+>> endobj
+1685 0 obj <<
+/D [1676 0 R /XYZ 56.6929 374.3052 null]
+>> endobj
+1675 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F39 927 0 R /F67 1684 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1688 0 obj <<
 /Length 1238      
 /Filter /FlateDecode
 >>
@@ -7419,33 +7473,33 @@ xÚ•WK
 ôU³5œ‰éJÓ)HY+mk­p-ʼnÔgJyc'J–…‰#[ZÎÔ|J—¯¥“¶cuø€:vP½ì@:¬#I¸|­t©í`êA›a¶Oºc;;\CëÀÚ-¥@€‹T9l%R®ûT\ÃõhhÈžŒÚBú#!—U«ÀT…ùQª¸á3µUjíDÖRÌÕ#Yž2ljf–€Ä™ …iîÆOLÅd<‚5~v™"'89DÜ	ËÍ4ÝUÚ–0ž‡ç–~ÞcÑ™ÞdIĦù1i„«ÚŠNW>XY»$¶î/²ÑxзJÙÒsÙ´>±–M%êiÚÀ¦ª>ï1}¯>áu`Eµ6ët‹­¨š^Ÿ–ÎqHf²ý³ôã˜+åÜ_Å®­åÔ¦R½"a[jtQµ²«Ýå*ÚÖ“Ý°("vr'šàæ©5cµ2ù¢pGk$ `K`50H@‹­‘¼}VÛ¡o¤îoñ¯: ^«ºFê¹VÅË\—y•¿x`9ËpÓ·¢šš^íÜQ'm4×G¼oœ¾²‚«ȪŸ»½¶BívªàX/{V5T©-Xk&˜ÌÙ/
 ï¡nÿ±ÌQjæ6M§"”Øß*»GVv²ç§Ïs81ÿîç¼âfÆ£HèEÎt¤Ü´=bü~ÎÐÂ’Y’{w{ÌÙÿ}”ç!É
¯¬ÂÜ>à¦AqU ÛzL½.«Þב.ý™¼TE.0im¡»gÙæŽMsç­ð©³ËWb6èÓæ¾ÏRµø.{Tþñ„Y£ÎŽùÙ»Õ±•Þô‹&¾ý\pѨÃ+Ë1âØ	mòÁIpØlá+û7Õ8U·n&ÓÉ·Bhzß:¹èÍ?kЦò~ÜîVÇð÷×äC4û©Û—ü»ùñiü0óŸ[ð‚e>Þæ>Ý> endobj
-1677 0 obj <<
-/D [1675 0 R /XYZ 85.0394 794.5015 null]
+1689 0 obj <<
+/D [1687 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-574 0 obj <<
-/D [1675 0 R /XYZ 85.0394 769.5949 null]
+582 0 obj <<
+/D [1687 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1678 0 obj <<
-/D [1675 0 R /XYZ 85.0394 574.0823 null]
+1690 0 obj <<
+/D [1687 0 R /XYZ 85.0394 574.0823 null]
 >> endobj
-578 0 obj <<
-/D [1675 0 R /XYZ 85.0394 574.0823 null]
+586 0 obj <<
+/D [1687 0 R /XYZ 85.0394 574.0823 null]
 >> endobj
-1679 0 obj <<
-/D [1675 0 R /XYZ 85.0394 543.8373 null]
+1691 0 obj <<
+/D [1687 0 R /XYZ 85.0394 543.8373 null]
 >> endobj
-1674 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F39 917 0 R /F41 959 0 R >>
+1686 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1682 0 obj <<
+1694 0 obj <<
 /Length 3285      
 /Filter /FlateDecode
 >>
@@ -7464,53 +7518,53 @@ C=
 ç
G]r[ˆÄ³Z£Ú|¥YÆŽdùxk§YžÞÎUåaŽƒ=[²–(Îi´—Õü¼¥L
 ¬ÝÆ@tŸ¶”)ÂöD»4Jy7?“ Í2â§-D	—r=µ·­)erƒ_ [bJ9îF;wÉÞÅ“,‹¡«¦:ÝCϬ”"úXGUBVºpí/)~%¹­´†æÅû€Xè8q\ËÞ¬®ø¨góScûƒËdžÓ?$ã*äb9Šwy·­3žË 1@ã®3ÁÍ!Ïs´½Ûšº¸Ó³ÀŽ5rAÖ2ÉÖYŒÛwoqwC,Ÿl>70ôò´-lÒõŒõh
л*Ûšw¼î†©¦NÅÃdò1âtÒ9c÷—j°†LáÅ“Q‰R´ð•“Y
ÝgòrÆ‘lµ„h²Ð˜î,¬•ãúiËô‰»·X­bÒƒÕ(°·¼Á+é–Ð|¦ÔŽ°‘ÖRðVcïÙTpœÒ.…\¬™3ü
´	fdN‹emN?AœvžmF/ïYÚ™`èÜígòœã GÞ™îG÷T–ávîÂÜ´çÂ0tæ*pü+™«_à‚ùIŽRcvgäü߉Ø	Èܤp!2žMÝýÙÉùÜÿN:'©endstream
 endobj
-1681 0 obj <<
+1693 0 obj <<
 /Type /Page
-/Contents 1682 0 R
-/Resources 1680 0 R
+/Contents 1694 0 R
+/Resources 1692 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1669 0 R
-/Annots [ 1687 0 R ]
+/Parent 1674 0 R
+/Annots [ 1699 0 R ]
 >> endobj
-1687 0 obj <<
+1699 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 707.8911 452.088 718.0529]
 /Subtype/Link/A<>
 >> endobj
-1683 0 obj <<
-/D [1681 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-582 0 obj <<
-/D [1681 0 R /XYZ 56.6929 690.9391 null]
->> endobj
-1688 0 obj <<
-/D [1681 0 R /XYZ 56.6929 656.5891 null]
->> endobj
-586 0 obj <<
-/D [1681 0 R /XYZ 56.6929 517.028 null]
->> endobj
-1689 0 obj <<
-/D [1681 0 R /XYZ 56.6929 489.6469 null]
+1695 0 obj <<
+/D [1693 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 590 0 obj <<
-/D [1681 0 R /XYZ 56.6929 373.2709 null]
+/D [1693 0 R /XYZ 56.6929 690.9391 null]
 >> endobj
-1690 0 obj <<
-/D [1681 0 R /XYZ 56.6929 344.9674 null]
+1700 0 obj <<
+/D [1693 0 R /XYZ 56.6929 656.5891 null]
 >> endobj
 594 0 obj <<
-/D [1681 0 R /XYZ 56.6929 184.6919 null]
+/D [1693 0 R /XYZ 56.6929 517.028 null]
 >> endobj
-1363 0 obj <<
-/D [1681 0 R /XYZ 56.6929 151.8489 null]
+1701 0 obj <<
+/D [1693 0 R /XYZ 56.6929 489.6469 null]
 >> endobj
-1680 0 obj <<
-/Font << /F37 819 0 R /F71 1686 0 R /F23 754 0 R /F39 917 0 R /F11 1431 0 R /F41 959 0 R /F21 730 0 R /F53 1052 0 R /F48 975 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R >>
+598 0 obj <<
+/D [1693 0 R /XYZ 56.6929 373.2709 null]
+>> endobj
+1702 0 obj <<
+/D [1693 0 R /XYZ 56.6929 344.9674 null]
+>> endobj
+602 0 obj <<
+/D [1693 0 R /XYZ 56.6929 184.6919 null]
+>> endobj
+1373 0 obj <<
+/D [1693 0 R /XYZ 56.6929 151.8489 null]
+>> endobj
+1692 0 obj <<
+/Font << /F37 827 0 R /F71 1698 0 R /F23 762 0 R /F39 927 0 R /F11 1441 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F48 985 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1693 0 obj <<
+1705 0 obj <<
 /Length 846       
 /Filter /FlateDecode
 >>
@@ -7519,41 +7573,41 @@ xÚ¥UM
 ?—‚P.óx)s"(qÝG4ÞÃÞûˆLz¥×¨·UôË;¾Œ%‘EVÄÕ·+_%¡eÉâªùœÜÿz÷X­Ÿi&h²$‹T4y»yX¡Eâ²]ß|ÚTŸP»ÿýa»Y­ŸîË<©6 -Ò¼¤%œçÁÃêÓÃÝo›{Ä|\!týÊÛ×êC´®ž¹.–Qî«ø3úü•Æ
Ôü!¢„ËRÄ'P(aRfqå‚‘s~±tÑ6úãÙáÕî|ôy‚—D”Ùò{¿Åž¤à°åÙ{g¦EÊi‘¸ƒ¶Ú‹ËdZ°2ÑÊšÁ¾KF““FuóžöÝù[›¾×Csñ¤JDZQN[TvÁ{=Ggö“m­:tT$êLNG»£×j°žj¨7eŒH!²9yó
ÚQd‰› jךÁXbÛý Ü“³úB­¶›÷°2‚°jÎÔo¶¾Ò¬È=
>PÇ®¨c² y2ãBÖæ”bu}Mt‘ÉdÀf¼ä•%ö`Ž]ƒÁ»Ö†àfð$Ì	A~hû®Ï(–¨EÊ’iŠd0n&¦Q^dù?‰Ù<✪¦	Ø™0ù~ûuÐîd¦ï¨ŒˆúBiöS[`‡3šÜuNO@cûCC~Œ±ä
¢=GÁÇéYY.	-8õ#Méhº¶>ßbK±äÅk¶À}­‚°ñŽV7ëæ,‡!.`èÙ’HÓïOoM?CaR[‡I}0Ƴ3~@¯Ñ½D¡9ªÇ‰­mpcå_‡¡œB©ÐMPíqט^¡\ád£;½÷3‚±qÚ.øôÖD'¼ÄL¹œC€jõ¨&tÚ_fÐ/Iuh-"Oê¥Kù¥K`wfL;
M|9‹RmñÚaô©õ÷¯Ãc¡ZûXPR!Tð]â ùWƒ¸œ7
 ;˜lçIï˜"aÔ—ß¡dõôCOö2g:üÜãQ#‚—1/Xò_/5Ä?¯7ÞUø‡¼ÿ÷+þò}ËáS–ÙíšÓœp.Ù%)Ï£ìuêÏïý¿sÿœ°à^endstream
 endobj
-1692 0 obj <<
+1704 0 obj <<
 /Type /Page
-/Contents 1693 0 R
-/Resources 1691 0 R
+/Contents 1705 0 R
+/Resources 1703 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1669 0 R
+/Parent 1674 0 R
 >> endobj
-1694 0 obj <<
-/D [1692 0 R /XYZ 85.0394 794.5015 null]
+1706 0 obj <<
+/D [1704 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1691 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R >>
+1703 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1697 0 obj <<
+1709 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1696 0 obj <<
+1708 0 obj <<
 /Type /Page
-/Contents 1697 0 R
-/Resources 1695 0 R
+/Contents 1709 0 R
+/Resources 1707 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1669 0 R
+/Parent 1674 0 R
 >> endobj
-1698 0 obj <<
-/D [1696 0 R /XYZ 56.6929 794.5015 null]
+1710 0 obj <<
+/D [1708 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1695 0 obj <<
+1707 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1701 0 obj <<
+1713 0 obj <<
 /Length 1965      
 /Filter /FlateDecode
 >>
@@ -7568,84 +7622,84 @@ i	
 “¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoãã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy7G)JΑOü©5­¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+¾,}w¸ÉÀUßÄx³Q³Ô}\Wù¸·ö߶
 ߣ«ª]qöü´Þíâ³äZÄ^d{‘¡ÉeIGid!:Æ[wó罿ÿ*endstream
 endobj
-1700 0 obj <<
+1712 0 obj <<
 /Type /Page
-/Contents 1701 0 R
-/Resources 1699 0 R
+/Contents 1713 0 R
+/Resources 1711 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1710 0 R
-/Annots [ 1708 0 R 1709 0 R ]
+/Parent 1722 0 R
+/Annots [ 1720 0 R 1721 0 R ]
 >> endobj
-1708 0 obj <<
+1720 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<>
 >> endobj
-1709 0 obj <<
+1721 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<>
 >> endobj
-1702 0 obj <<
-/D [1700 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-598 0 obj <<
-/D [1700 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1703 0 obj <<
-/D [1700 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-602 0 obj <<
-/D [1700 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-1704 0 obj <<
-/D [1700 0 R /XYZ 85.0394 548.3785 null]
+1714 0 obj <<
+/D [1712 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 606 0 obj <<
-/D [1700 0 R /XYZ 85.0394 548.3785 null]
+/D [1712 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1705 0 obj <<
-/D [1700 0 R /XYZ 85.0394 518.5228 null]
+1715 0 obj <<
+/D [1712 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 610 0 obj <<
-/D [1700 0 R /XYZ 85.0394 460.6968 null]
+/D [1712 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1706 0 obj <<
-/D [1700 0 R /XYZ 85.0394 425.0333 null]
+1716 0 obj <<
+/D [1712 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
 614 0 obj <<
-/D [1700 0 R /XYZ 85.0394 260.2468 null]
+/D [1712 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-1707 0 obj <<
-/D [1700 0 R /XYZ 85.0394 224.698 null]
+1717 0 obj <<
+/D [1712 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
-1699 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F11 1431 0 R /F41 959 0 R >>
+618 0 obj <<
+/D [1712 0 R /XYZ 85.0394 460.6968 null]
+>> endobj
+1718 0 obj <<
+/D [1712 0 R /XYZ 85.0394 425.0333 null]
+>> endobj
+622 0 obj <<
+/D [1712 0 R /XYZ 85.0394 260.2468 null]
+>> endobj
+1719 0 obj <<
+/D [1712 0 R /XYZ 85.0394 224.698 null]
+>> endobj
+1711 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1713 0 obj <<
+1725 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1712 0 obj <<
+1724 0 obj <<
 /Type /Page
-/Contents 1713 0 R
-/Resources 1711 0 R
+/Contents 1725 0 R
+/Resources 1723 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1710 0 R
+/Parent 1722 0 R
 >> endobj
-1714 0 obj <<
-/D [1712 0 R /XYZ 56.6929 794.5015 null]
+1726 0 obj <<
+/D [1724 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1711 0 obj <<
+1723 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1717 0 obj <<
+1729 0 obj <<
 /Length 2544      
 /Filter /FlateDecode
 >>
@@ -7659,39 +7713,39 @@ FXЭ
 D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4áRÊ}^º¦ÖÒRº#›Úv°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)ŽL½"Ÿûæ¢@ù<ñpJµÙ>~æÜpËLtGY­Fgá±[A
—(-̃ÅÙ¶Ä ˜Þ°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(dvP&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{
†rh®ÔÐq½ ‘®³«zß&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤ægH@Ä9³ZI(	Ž:ž()6Sq
 UŸiQc¢õFêƆEiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×y­P°M”`à· FAˆ½Ž¼m¥uGKÑ–‹;ÕAŸ^–,y§ž%­Þõ½1,ôUUD¼.µæ!u[È8ˆló#_÷'k®ÿ1,°Èq‘<Äa	U®ßù³{”ül>Â1¥ƒÏéD}ãX/Í›·ô(òÄ-O¿õÄ7‹›.f2ïeO˜ÅËŒ¶±|ïÛþjÄJ˜±Ò¶ë–BºfÓ„È^'Dö6!2‹Šµ>¹Õª?DZ…Ú™ðìÂ
DðFÍ\¥Pà1ª~)‰ÅïšVýØ^
.-㤎Í°·ÁqÏGß5p’³:ñLðÊçaAêð0xšnþ5cµN¼‡£*itUV`+c!ž¡z'[´Úzå},ÿdêUi‘دšèœ7³v«êœÈu{d¤ÌcIÀýj~ÅžXfQ‹gR`sdß׳=¥±iˆ%†zߊêÁïªÂ÷UY*»bI뎺,hùAØ7{pä‘Å?õ°–ˆV¸M¯jjK€ü­?%
ÊGË_¾(XàëÿšV@%Ÿ£J4ËÝh^ý]žÔ‹f6×níƒ+LÍìS2vDN?š`®…8ä9H3ð`3zø…$ÛVÂïå4ýˆÕÕHƒ®\Büu|-Fc˜¤ë\5¢œs²knTuü×tè«ÊeÁ?Mä' ÁÙX€p†h¨k.æÍâõñkMb q‘ÌB°ƒiû†sk(ß½üdÚÿÃlhßp²ÑoC;àÐn;Õ£ž»¿¨Î…?^Uè&ŠÌ(\¹'HðêÑáC5mWp}cŒ‡XÉ„?)â’éÀ9–ÜI[(‘î¾›¨Â^5ðù©‡m7ïÍlŠR͇蕽M|1x:
t´yãizaÁSBïHæ>Ëíé±³Oâ"HÓȃ…×UØNÉø©|hÑçòÅ™X]ÖÌ=Î÷¯»"L1œ¬ù‹Oï×WHÎÔšæÝǧá#¾û4á·óhö3¿cYŒ<ôú9¢wEYà6B=?y{Üð'ƒ¿Ÿ÷Á¢rendstream
 endobj
-1716 0 obj <<
+1728 0 obj <<
 /Type /Page
-/Contents 1717 0 R
-/Resources 1715 0 R
+/Contents 1729 0 R
+/Resources 1727 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1710 0 R
+/Parent 1722 0 R
 >> endobj
-1718 0 obj <<
-/D [1716 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-618 0 obj <<
-/D [1716 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1719 0 obj <<
-/D [1716 0 R /XYZ 85.0394 573.5449 null]
->> endobj
-622 0 obj <<
-/D [1716 0 R /XYZ 85.0394 573.5449 null]
->> endobj
-1720 0 obj <<
-/D [1716 0 R /XYZ 85.0394 539.0037 null]
+1730 0 obj <<
+/D [1728 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 626 0 obj <<
-/D [1716 0 R /XYZ 85.0394 539.0037 null]
+/D [1728 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1721 0 obj <<
-/D [1716 0 R /XYZ 85.0394 510.2426 null]
+1731 0 obj <<
+/D [1728 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-1715 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R >>
+630 0 obj <<
+/D [1728 0 R /XYZ 85.0394 573.5449 null]
+>> endobj
+1732 0 obj <<
+/D [1728 0 R /XYZ 85.0394 539.0037 null]
+>> endobj
+634 0 obj <<
+/D [1728 0 R /XYZ 85.0394 539.0037 null]
+>> endobj
+1733 0 obj <<
+/D [1728 0 R /XYZ 85.0394 510.2426 null]
+>> endobj
+1727 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1724 0 obj <<
+1736 0 obj <<
 /Length 2810      
 /Filter /FlateDecode
 >>
@@ -7705,64 +7759,64 @@ k
 ½5ºÂ5æaŸ6|šq˜ÐëA¤S‘ônhaЫg#ˆV˜ilÚqø…Ë·­(„á´ª[Óà2àdƒûÚ“9òŸóv¼LZ•Ï–\'NrÓQT&1À;Þ3Y¶÷j†+~Sm vRM“—ç	V¸_hvK%OÆ1e¼»YÞrîMlk‘ă,ómúOm?‹çŸ¸ÙÓ"Ñú„ôÂ@•ÒâwÖÞÊz…±rp3ûöû\p©z»|à;Ù^Mdûu»¿º¼|yyA8….•.‹ja¬t‰­¾qý`èúÂOàZ…¶þ
 Ä“N"\‹ä´_ùaEŒóŠÈ¶Å>þtâ¾%AlZv&>}ë å/3;ú±ÿîÑíX·˜ïþðàSÊ#uUßwÈk/ùó‘ÿ8ŽŽø;úÓaò4RÆ)5äé/SyW01bŒ‰®ôÒ=<žÚ
¢¡'ñfßµ8…¶ˆê½W¶-±O,Ý"x‹õbšé‰oi©í'ç´°OªC—íèýR­Fþ{¤²~¶¡éáÄBßñ}zÒqEðÇ^d7,†;Nè„®©ÚÞ‰T»vêfsÙ¬³ßñÜÈI\yÌÕ‘ïtX§¬ŒqJí-߉œÈ£áÏqz7!Ø$MÓ’3Ðo}ᔃŸ%'äp»Äü?ýì?s2Ž½é›^À
13…7> endobj
-1728 0 obj <<
+1740 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [253.7995 149.3637 417.685 161.4234]
 /Subtype/Link/A<>
 >> endobj
-1729 0 obj <<
+1741 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 110.455 208.8999 120.6168]
 /Subtype/Link/A<>
 >> endobj
-1725 0 obj <<
-/D [1723 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-630 0 obj <<
-/D [1723 0 R /XYZ 56.6929 662.0717 null]
->> endobj
-1726 0 obj <<
-/D [1723 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-634 0 obj <<
-/D [1723 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-1170 0 obj <<
-/D [1723 0 R /XYZ 56.6929 593.0972 null]
+1737 0 obj <<
+/D [1735 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 638 0 obj <<
-/D [1723 0 R /XYZ 56.6929 294.2701 null]
+/D [1735 0 R /XYZ 56.6929 662.0717 null]
 >> endobj
-1727 0 obj <<
-/D [1723 0 R /XYZ 56.6929 255.4568 null]
+1738 0 obj <<
+/D [1735 0 R /XYZ 56.6929 624.1661 null]
 >> endobj
 642 0 obj <<
-/D [1723 0 R /XYZ 56.6929 255.4568 null]
+/D [1735 0 R /XYZ 56.6929 624.1661 null]
 >> endobj
-990 0 obj <<
-/D [1723 0 R /XYZ 56.6929 226.1045 null]
+1180 0 obj <<
+/D [1735 0 R /XYZ 56.6929 593.0972 null]
 >> endobj
-1730 0 obj <<
-/D [1723 0 R /XYZ 56.6929 53.5688 null]
+646 0 obj <<
+/D [1735 0 R /XYZ 56.6929 294.2701 null]
 >> endobj
-1731 0 obj <<
-/D [1723 0 R /XYZ 56.6929 53.5688 null]
+1739 0 obj <<
+/D [1735 0 R /XYZ 56.6929 255.4568 null]
 >> endobj
-1722 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F21 730 0 R /F39 917 0 R /F53 1052 0 R /F11 1431 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
+650 0 obj <<
+/D [1735 0 R /XYZ 56.6929 255.4568 null]
+>> endobj
+1000 0 obj <<
+/D [1735 0 R /XYZ 56.6929 226.1045 null]
+>> endobj
+1742 0 obj <<
+/D [1735 0 R /XYZ 56.6929 53.5688 null]
+>> endobj
+1743 0 obj <<
+/D [1735 0 R /XYZ 56.6929 53.5688 null]
 >> endobj
 1734 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F11 1441 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1746 0 obj <<
 /Length 2825      
 /Filter /FlateDecode
 >>
@@ -7779,189 +7833,189 @@ xÚµZ]{
 µ9Te>#ôá¶6Ø6Ay2¾b$´ÌHÜ)³|Þ‰zA4lY3ª#Óò`ï§6c¿ŒI0‚¶Æ¾[g;µú,{Ù•oúùFÿÍ+”Ÿë¯’ù
Ø.…‚1¦‘•ß‹WñÈÌvìï&}•/\u˜sê8˜$Ðk“3©-å¡ZKY\{h½ÐÙ}lÛ6ø´Üïå®+Ö›­ßÁä\²Z*)#ý&ÇÍ:±¦‚ñwù·á£s£˜cû‰†Íçƒb‘÷Ç}ªO]žkÓçÁj%¬¼SƒS5ø´‰3zÝÏÞs–äWœ¹Ïw;sâû}&ÁDÂ(ò[„%ä6-Ô~P‘xN|¸­9ô‡­ÁF^d‡\•<ÛkÒlIdu¾ª2!³ðôtÖÅ:Úsq\û½I$Ø‚?Sÿ[Bn…k¡6ãû>ûòá¶
 ï+ÜF6Þuþ}^=gÛô5Õ Œ@õµ®­ÑLKç„}RÛˆÈBFo_#y5Y«YÈ°ƒŽAóañEXûDó*å!¯¶yJIŒ/…—(™»¼Øg¹vB½fgÉ>ÜprªÅ'¸ª
LnÿË_úZ;‡1¢Iâ8L£Ð|Rʱ~)ñ+p÷_Ý||úîÿ‰bÅendstream
 endobj
-1733 0 obj <<
-/Type /Page
-/Contents 1734 0 R
-/Resources 1732 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1710 0 R
->> endobj
-1735 0 obj <<
-/D [1733 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1736 0 obj <<
-/D [1733 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1737 0 obj <<
-/D [1733 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1738 0 obj <<
-/D [1733 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1739 0 obj <<
-/D [1733 0 R /XYZ 85.0394 746.3107 null]
->> endobj
-1740 0 obj <<
-/D [1733 0 R /XYZ 85.0394 731.5461 null]
->> endobj
-1741 0 obj <<
-/D [1733 0 R /XYZ 85.0394 728.1497 null]
->> endobj
-1742 0 obj <<
-/D [1733 0 R /XYZ 85.0394 713.3851 null]
->> endobj
-1743 0 obj <<
-/D [1733 0 R /XYZ 85.0394 709.9887 null]
->> endobj
-1744 0 obj <<
-/D [1733 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1108 0 obj <<
-/D [1733 0 R /XYZ 85.0394 651.9592 null]
->> endobj
 1745 0 obj <<
-/D [1733 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1746 0 obj <<
-/D [1733 0 R /XYZ 85.0394 648.8377 null]
+/Type /Page
+/Contents 1746 0 R
+/Resources 1744 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1722 0 R
 >> endobj
 1747 0 obj <<
-/D [1733 0 R /XYZ 85.0394 634.0731 null]
+/D [1745 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1748 0 obj <<
-/D [1733 0 R /XYZ 85.0394 630.6767 null]
+/D [1745 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1749 0 obj <<
-/D [1733 0 R /XYZ 85.0394 615.9121 null]
+/D [1745 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1750 0 obj <<
-/D [1733 0 R /XYZ 85.0394 612.5156 null]
+/D [1745 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1751 0 obj <<
-/D [1733 0 R /XYZ 85.0394 585.7959 null]
+/D [1745 0 R /XYZ 85.0394 746.3107 null]
 >> endobj
 1752 0 obj <<
-/D [1733 0 R /XYZ 85.0394 582.3994 null]
+/D [1745 0 R /XYZ 85.0394 731.5461 null]
 >> endobj
 1753 0 obj <<
-/D [1733 0 R /XYZ 85.0394 567.6349 null]
+/D [1745 0 R /XYZ 85.0394 728.1497 null]
 >> endobj
 1754 0 obj <<
-/D [1733 0 R /XYZ 85.0394 564.2384 null]
+/D [1745 0 R /XYZ 85.0394 713.3851 null]
 >> endobj
 1755 0 obj <<
-/D [1733 0 R /XYZ 85.0394 549.5337 null]
+/D [1745 0 R /XYZ 85.0394 709.9887 null]
 >> endobj
 1756 0 obj <<
-/D [1733 0 R /XYZ 85.0394 546.0774 null]
+/D [1745 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+1118 0 obj <<
+/D [1745 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1757 0 obj <<
-/D [1733 0 R /XYZ 85.0394 531.3128 null]
+/D [1745 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1758 0 obj <<
-/D [1733 0 R /XYZ 85.0394 527.9163 null]
+/D [1745 0 R /XYZ 85.0394 648.8377 null]
 >> endobj
 1759 0 obj <<
-/D [1733 0 R /XYZ 85.0394 513.1518 null]
+/D [1745 0 R /XYZ 85.0394 634.0731 null]
 >> endobj
 1760 0 obj <<
-/D [1733 0 R /XYZ 85.0394 509.7553 null]
+/D [1745 0 R /XYZ 85.0394 630.6767 null]
 >> endobj
 1761 0 obj <<
-/D [1733 0 R /XYZ 85.0394 483.0356 null]
+/D [1745 0 R /XYZ 85.0394 615.9121 null]
 >> endobj
 1762 0 obj <<
-/D [1733 0 R /XYZ 85.0394 479.6391 null]
+/D [1745 0 R /XYZ 85.0394 612.5156 null]
 >> endobj
 1763 0 obj <<
-/D [1733 0 R /XYZ 85.0394 464.8745 null]
+/D [1745 0 R /XYZ 85.0394 585.7959 null]
 >> endobj
 1764 0 obj <<
-/D [1733 0 R /XYZ 85.0394 461.4781 null]
+/D [1745 0 R /XYZ 85.0394 582.3994 null]
 >> endobj
 1765 0 obj <<
-/D [1733 0 R /XYZ 85.0394 446.7135 null]
+/D [1745 0 R /XYZ 85.0394 567.6349 null]
 >> endobj
 1766 0 obj <<
-/D [1733 0 R /XYZ 85.0394 443.3171 null]
+/D [1745 0 R /XYZ 85.0394 564.2384 null]
 >> endobj
 1767 0 obj <<
-/D [1733 0 R /XYZ 85.0394 428.5525 null]
+/D [1745 0 R /XYZ 85.0394 549.5337 null]
 >> endobj
 1768 0 obj <<
-/D [1733 0 R /XYZ 85.0394 425.156 null]
+/D [1745 0 R /XYZ 85.0394 546.0774 null]
 >> endobj
 1769 0 obj <<
-/D [1733 0 R /XYZ 85.0394 355.0758 null]
+/D [1745 0 R /XYZ 85.0394 531.3128 null]
 >> endobj
 1770 0 obj <<
-/D [1733 0 R /XYZ 85.0394 355.0758 null]
+/D [1745 0 R /XYZ 85.0394 527.9163 null]
 >> endobj
 1771 0 obj <<
-/D [1733 0 R /XYZ 85.0394 355.0758 null]
+/D [1745 0 R /XYZ 85.0394 513.1518 null]
 >> endobj
 1772 0 obj <<
-/D [1733 0 R /XYZ 85.0394 352.0499 null]
+/D [1745 0 R /XYZ 85.0394 509.7553 null]
 >> endobj
 1773 0 obj <<
-/D [1733 0 R /XYZ 85.0394 337.3452 null]
+/D [1745 0 R /XYZ 85.0394 483.0356 null]
 >> endobj
 1774 0 obj <<
-/D [1733 0 R /XYZ 85.0394 333.8889 null]
+/D [1745 0 R /XYZ 85.0394 479.6391 null]
 >> endobj
 1775 0 obj <<
-/D [1733 0 R /XYZ 85.0394 309.8192 null]
+/D [1745 0 R /XYZ 85.0394 464.8745 null]
 >> endobj
 1776 0 obj <<
-/D [1733 0 R /XYZ 85.0394 303.7727 null]
+/D [1745 0 R /XYZ 85.0394 461.4781 null]
 >> endobj
 1777 0 obj <<
-/D [1733 0 R /XYZ 85.0394 278.3282 null]
+/D [1745 0 R /XYZ 85.0394 446.7135 null]
 >> endobj
 1778 0 obj <<
-/D [1733 0 R /XYZ 85.0394 273.6565 null]
+/D [1745 0 R /XYZ 85.0394 443.3171 null]
 >> endobj
 1779 0 obj <<
-/D [1733 0 R /XYZ 85.0394 246.9367 null]
+/D [1745 0 R /XYZ 85.0394 428.5525 null]
 >> endobj
 1780 0 obj <<
-/D [1733 0 R /XYZ 85.0394 243.5403 null]
+/D [1745 0 R /XYZ 85.0394 425.156 null]
 >> endobj
 1781 0 obj <<
-/D [1733 0 R /XYZ 85.0394 173.5556 null]
+/D [1745 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1782 0 obj <<
-/D [1733 0 R /XYZ 85.0394 173.5556 null]
+/D [1745 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1783 0 obj <<
-/D [1733 0 R /XYZ 85.0394 173.5556 null]
+/D [1745 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1784 0 obj <<
-/D [1733 0 R /XYZ 85.0394 170.4341 null]
+/D [1745 0 R /XYZ 85.0394 352.0499 null]
 >> endobj
 1785 0 obj <<
-/D [1733 0 R /XYZ 85.0394 144.9896 null]
+/D [1745 0 R /XYZ 85.0394 337.3452 null]
 >> endobj
 1786 0 obj <<
-/D [1733 0 R /XYZ 85.0394 140.3179 null]
+/D [1745 0 R /XYZ 85.0394 333.8889 null]
 >> endobj
 1787 0 obj <<
-/D [1733 0 R /XYZ 85.0394 113.5982 null]
+/D [1745 0 R /XYZ 85.0394 309.8192 null]
 >> endobj
 1788 0 obj <<
-/D [1733 0 R /XYZ 85.0394 110.2017 null]
+/D [1745 0 R /XYZ 85.0394 303.7727 null]
 >> endobj
 1789 0 obj <<
-/D [1733 0 R /XYZ 85.0394 95.4372 null]
+/D [1745 0 R /XYZ 85.0394 278.3282 null]
 >> endobj
 1790 0 obj <<
-/D [1733 0 R /XYZ 85.0394 92.0407 null]
+/D [1745 0 R /XYZ 85.0394 273.6565 null]
 >> endobj
-1732 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+1791 0 obj <<
+/D [1745 0 R /XYZ 85.0394 246.9367 null]
+>> endobj
+1792 0 obj <<
+/D [1745 0 R /XYZ 85.0394 243.5403 null]
 >> endobj
 1793 0 obj <<
+/D [1745 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1794 0 obj <<
+/D [1745 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1795 0 obj <<
+/D [1745 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1796 0 obj <<
+/D [1745 0 R /XYZ 85.0394 170.4341 null]
+>> endobj
+1797 0 obj <<
+/D [1745 0 R /XYZ 85.0394 144.9896 null]
+>> endobj
+1798 0 obj <<
+/D [1745 0 R /XYZ 85.0394 140.3179 null]
+>> endobj
+1799 0 obj <<
+/D [1745 0 R /XYZ 85.0394 113.5982 null]
+>> endobj
+1800 0 obj <<
+/D [1745 0 R /XYZ 85.0394 110.2017 null]
+>> endobj
+1801 0 obj <<
+/D [1745 0 R /XYZ 85.0394 95.4372 null]
+>> endobj
+1802 0 obj <<
+/D [1745 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1744 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1805 0 obj <<
 /Length 2889      
 /Filter /FlateDecode
 >>
@@ -7981,177 +8035,177 @@ id
 …º#õ:ÓÊEYi(^ds›´¥«ÝÅÔOï7ÕḭD˜d™7žmôl‘‡ü€ºíÉÿ ãóa ±~ãcðÆÓÊ‚AYé´ŽbË®e•60tµû1˜Ú—YR–™>
 .Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ#‰å4i•6uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±DÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû¼¤é“ÖÓ?±N©áv3¥†f#¥æÒè¢.lå¹x	òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñÑ08¼2ڮ嗪+ñNxòÕÕ¾§ßý?˜Oaendstream
 endobj
-1792 0 obj <<
-/Type /Page
-/Contents 1793 0 R
-/Resources 1791 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1710 0 R
->> endobj
-1794 0 obj <<
-/D [1792 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1795 0 obj <<
-/D [1792 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1796 0 obj <<
-/D [1792 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1797 0 obj <<
-/D [1792 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1798 0 obj <<
-/D [1792 0 R /XYZ 56.6929 743.7078 null]
->> endobj
-1799 0 obj <<
-/D [1792 0 R /XYZ 56.6929 719.6381 null]
->> endobj
-1800 0 obj <<
-/D [1792 0 R /XYZ 56.6929 711.8197 null]
->> endobj
-1801 0 obj <<
-/D [1792 0 R /XYZ 56.6929 697.0552 null]
->> endobj
-1802 0 obj <<
-/D [1792 0 R /XYZ 56.6929 691.8868 null]
->> endobj
-1803 0 obj <<
-/D [1792 0 R /XYZ 56.6929 665.1671 null]
->> endobj
 1804 0 obj <<
-/D [1792 0 R /XYZ 56.6929 659.9987 null]
->> endobj
-1805 0 obj <<
-/D [1792 0 R /XYZ 56.6929 635.929 null]
+/Type /Page
+/Contents 1805 0 R
+/Resources 1803 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1722 0 R
 >> endobj
 1806 0 obj <<
-/D [1792 0 R /XYZ 56.6929 628.1106 null]
+/D [1804 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1807 0 obj <<
-/D [1792 0 R /XYZ 56.6929 601.3909 null]
+/D [1804 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1808 0 obj <<
-/D [1792 0 R /XYZ 56.6929 596.2225 null]
+/D [1804 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1809 0 obj <<
-/D [1792 0 R /XYZ 56.6929 569.5028 null]
+/D [1804 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1810 0 obj <<
-/D [1792 0 R /XYZ 56.6929 564.3344 null]
+/D [1804 0 R /XYZ 56.6929 743.7078 null]
 >> endobj
 1811 0 obj <<
-/D [1792 0 R /XYZ 56.6929 549.6297 null]
+/D [1804 0 R /XYZ 56.6929 719.6381 null]
 >> endobj
 1812 0 obj <<
-/D [1792 0 R /XYZ 56.6929 544.4015 null]
+/D [1804 0 R /XYZ 56.6929 711.8197 null]
 >> endobj
 1813 0 obj <<
-/D [1792 0 R /XYZ 56.6929 529.6968 null]
+/D [1804 0 R /XYZ 56.6929 697.0552 null]
 >> endobj
 1814 0 obj <<
-/D [1792 0 R /XYZ 56.6929 524.4686 null]
+/D [1804 0 R /XYZ 56.6929 691.8868 null]
 >> endobj
 1815 0 obj <<
-/D [1792 0 R /XYZ 56.6929 500.3989 null]
+/D [1804 0 R /XYZ 56.6929 665.1671 null]
 >> endobj
 1816 0 obj <<
-/D [1792 0 R /XYZ 56.6929 492.5805 null]
+/D [1804 0 R /XYZ 56.6929 659.9987 null]
 >> endobj
 1817 0 obj <<
-/D [1792 0 R /XYZ 56.6929 467.136 null]
+/D [1804 0 R /XYZ 56.6929 635.929 null]
 >> endobj
 1818 0 obj <<
-/D [1792 0 R /XYZ 56.6929 460.6924 null]
+/D [1804 0 R /XYZ 56.6929 628.1106 null]
 >> endobj
 1819 0 obj <<
-/D [1792 0 R /XYZ 56.6929 436.6227 null]
+/D [1804 0 R /XYZ 56.6929 601.3909 null]
 >> endobj
 1820 0 obj <<
-/D [1792 0 R /XYZ 56.6929 428.8043 null]
+/D [1804 0 R /XYZ 56.6929 596.2225 null]
 >> endobj
 1821 0 obj <<
-/D [1792 0 R /XYZ 56.6929 414.0996 null]
+/D [1804 0 R /XYZ 56.6929 569.5028 null]
 >> endobj
 1822 0 obj <<
-/D [1792 0 R /XYZ 56.6929 408.8714 null]
+/D [1804 0 R /XYZ 56.6929 564.3344 null]
 >> endobj
 1823 0 obj <<
-/D [1792 0 R /XYZ 56.6929 382.1516 null]
+/D [1804 0 R /XYZ 56.6929 549.6297 null]
 >> endobj
 1824 0 obj <<
-/D [1792 0 R /XYZ 56.6929 376.9833 null]
+/D [1804 0 R /XYZ 56.6929 544.4015 null]
 >> endobj
 1825 0 obj <<
-/D [1792 0 R /XYZ 56.6929 350.2636 null]
+/D [1804 0 R /XYZ 56.6929 529.6968 null]
 >> endobj
 1826 0 obj <<
-/D [1792 0 R /XYZ 56.6929 345.0952 null]
+/D [1804 0 R /XYZ 56.6929 524.4686 null]
 >> endobj
 1827 0 obj <<
-/D [1792 0 R /XYZ 56.6929 321.0255 null]
+/D [1804 0 R /XYZ 56.6929 500.3989 null]
 >> endobj
 1828 0 obj <<
-/D [1792 0 R /XYZ 56.6929 313.2071 null]
+/D [1804 0 R /XYZ 56.6929 492.5805 null]
 >> endobj
 1829 0 obj <<
-/D [1792 0 R /XYZ 56.6929 298.5024 null]
+/D [1804 0 R /XYZ 56.6929 467.136 null]
 >> endobj
 1830 0 obj <<
-/D [1792 0 R /XYZ 56.6929 293.2742 null]
+/D [1804 0 R /XYZ 56.6929 460.6924 null]
 >> endobj
 1831 0 obj <<
-/D [1792 0 R /XYZ 56.6929 267.8297 null]
+/D [1804 0 R /XYZ 56.6929 436.6227 null]
 >> endobj
 1832 0 obj <<
-/D [1792 0 R /XYZ 56.6929 261.3861 null]
+/D [1804 0 R /XYZ 56.6929 428.8043 null]
 >> endobj
 1833 0 obj <<
-/D [1792 0 R /XYZ 56.6929 199.468 null]
+/D [1804 0 R /XYZ 56.6929 414.0996 null]
 >> endobj
 1834 0 obj <<
-/D [1792 0 R /XYZ 56.6929 199.468 null]
+/D [1804 0 R /XYZ 56.6929 408.8714 null]
 >> endobj
 1835 0 obj <<
-/D [1792 0 R /XYZ 56.6929 199.468 null]
+/D [1804 0 R /XYZ 56.6929 382.1516 null]
 >> endobj
 1836 0 obj <<
-/D [1792 0 R /XYZ 56.6929 191.7053 null]
+/D [1804 0 R /XYZ 56.6929 376.9833 null]
 >> endobj
 1837 0 obj <<
-/D [1792 0 R /XYZ 56.6929 176.9408 null]
+/D [1804 0 R /XYZ 56.6929 350.2636 null]
 >> endobj
 1838 0 obj <<
-/D [1792 0 R /XYZ 56.6929 171.7724 null]
+/D [1804 0 R /XYZ 56.6929 345.0952 null]
 >> endobj
 1839 0 obj <<
-/D [1792 0 R /XYZ 56.6929 157.0677 null]
+/D [1804 0 R /XYZ 56.6929 321.0255 null]
 >> endobj
 1840 0 obj <<
-/D [1792 0 R /XYZ 56.6929 151.8395 null]
+/D [1804 0 R /XYZ 56.6929 313.2071 null]
 >> endobj
 1841 0 obj <<
-/D [1792 0 R /XYZ 56.6929 137.1348 null]
+/D [1804 0 R /XYZ 56.6929 298.5024 null]
 >> endobj
 1842 0 obj <<
-/D [1792 0 R /XYZ 56.6929 131.9066 null]
+/D [1804 0 R /XYZ 56.6929 293.2742 null]
 >> endobj
 1843 0 obj <<
-/D [1792 0 R /XYZ 56.6929 117.2018 null]
+/D [1804 0 R /XYZ 56.6929 267.8297 null]
 >> endobj
 1844 0 obj <<
-/D [1792 0 R /XYZ 56.6929 111.9736 null]
+/D [1804 0 R /XYZ 56.6929 261.3861 null]
 >> endobj
 1845 0 obj <<
-/D [1792 0 R /XYZ 56.6929 97.2091 null]
+/D [1804 0 R /XYZ 56.6929 199.468 null]
 >> endobj
 1846 0 obj <<
-/D [1792 0 R /XYZ 56.6929 92.0407 null]
+/D [1804 0 R /XYZ 56.6929 199.468 null]
 >> endobj
-1791 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+1847 0 obj <<
+/D [1804 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+1848 0 obj <<
+/D [1804 0 R /XYZ 56.6929 191.7053 null]
 >> endobj
 1849 0 obj <<
+/D [1804 0 R /XYZ 56.6929 176.9408 null]
+>> endobj
+1850 0 obj <<
+/D [1804 0 R /XYZ 56.6929 171.7724 null]
+>> endobj
+1851 0 obj <<
+/D [1804 0 R /XYZ 56.6929 157.0677 null]
+>> endobj
+1852 0 obj <<
+/D [1804 0 R /XYZ 56.6929 151.8395 null]
+>> endobj
+1853 0 obj <<
+/D [1804 0 R /XYZ 56.6929 137.1348 null]
+>> endobj
+1854 0 obj <<
+/D [1804 0 R /XYZ 56.6929 131.9066 null]
+>> endobj
+1855 0 obj <<
+/D [1804 0 R /XYZ 56.6929 117.2018 null]
+>> endobj
+1856 0 obj <<
+/D [1804 0 R /XYZ 56.6929 111.9736 null]
+>> endobj
+1857 0 obj <<
+/D [1804 0 R /XYZ 56.6929 97.2091 null]
+>> endobj
+1858 0 obj <<
+/D [1804 0 R /XYZ 56.6929 92.0407 null]
+>> endobj
+1803 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1861 0 obj <<
 /Length 2542      
 /Filter /FlateDecode
 >>
@@ -8163,171 +8217,171 @@ xÚ¥Z[w
 ”vйQ`Å­cCÊ¡d%Õi9q¸ŠÚPóÛ¢g\ëss:˪¨ûs™îÔˆ€'+‹¾Ià…1Ì{žy'¤UVo•ÒÇ*˵Ʃ]ã~ì¡(¾0ê1¥WR]Ï8êX'´¡ñ!¶Eã&øBj–íÕdá:­³3;txª±ÍKQÎŽŽÓ>	zløÓô´Eé˜éÛ EðÂñ…v”r¡¤4$pt‘Nhƒˆ!¶…\g„P×üPÔnppSŽiñ£Gkñž½y#$¾Äæt‡$dúÉWþ-gd¦vÕ×îÁw~áì”ù«¼@?½Ü„þ¯~ùÑEy¹Ns˜-b+Ÿ~D½(¼”.L);ŸZªã“:ŠG'tÇçö8Ÿ=ð…ž¾³¢‹Þ)—’UÁÀùTõÇg9µcºrÖ(£úÿ¬·é¶ÝM¼ƒ¼tBZ¤.éQäèá\¸)`'òšA7FØÖ¨™-b¸"2ú]¨JÑŽ¼¡ Ý—àyõ`è×’5J%^ƒúû“¤¨sÆщ7àØN¡^€‚¥€)å JIi¦ 7;˜rAT
±-\™àKþåW²­›$œ.Nͨ¼ŒóÎÄ’ˆƒüH¹ùI4}çsñvõM42¼ùàç¼+KëFÞo·›u=êTt„)ºC(ù>Š»ïÚñ7ßµ„ž©«{ˆôíDB—-Ô…/{¦”ƒH%¥‰LËå\БCl‘&¸®éVOÅxê¨Ò¢îŠ¼³/÷üÓjžlü›òž:Gkêå©Òžª”«­ÞëÊÙ6ìØ¥0Xfâ{1Oý™øãK]æ¬a4°´Ã1gˆýªó½ý^1ã+êyˆ±Ø&GÁXܶ`JÙmAK]”#):¡;[8÷…¸°?œÞvC8k£'ü¿gå¾JoहXùì(0Cß‹)MÌá(žÞxâ»T|dy.wÚ/&>tËÛ·Sþ“«)ÿ”³¬)˜þîH°äö–RšŽ]Ydd¥£ð{ó˜ÿ¡…×ÐînJ9(VRºî	#G£ì„6(b[(6Á¯³B§­ÏéS=sv–iG{
 9±ôIŒ»©Òï¯bF²SÁà´?Õæ!±ò¡‘n!;J¨û$9úhnÇÁxœY8YŒ!à4¼ªÅœ7%ÿo6×°(£2ùP.ì÷ba¯¾ëÇÊ+à.kVœ¸¥7álE‘9ôˆAWܧ«»­Ì›òž[ݨϧÌøƧSþ3ŸŸxYAFméÿÿ ˘OF‰m3Ù…«‡j»#”]ÿtëüÙÿ“ƒ÷øendstream
 endobj
-1848 0 obj <<
-/Type /Page
-/Contents 1849 0 R
-/Resources 1847 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1901 0 R
->> endobj
-1850 0 obj <<
-/D [1848 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1851 0 obj <<
-/D [1848 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1852 0 obj <<
-/D [1848 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1853 0 obj <<
-/D [1848 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1854 0 obj <<
-/D [1848 0 R /XYZ 85.0394 743.3452 null]
->> endobj
-1855 0 obj <<
-/D [1848 0 R /XYZ 85.0394 728.6405 null]
->> endobj
-1856 0 obj <<
-/D [1848 0 R /XYZ 85.0394 723.1655 null]
->> endobj
-1857 0 obj <<
-/D [1848 0 R /XYZ 85.0394 708.4607 null]
->> endobj
-1858 0 obj <<
-/D [1848 0 R /XYZ 85.0394 702.9857 null]
->> endobj
-1859 0 obj <<
-/D [1848 0 R /XYZ 85.0394 688.2211 null]
->> endobj
 1860 0 obj <<
-/D [1848 0 R /XYZ 85.0394 682.8059 null]
->> endobj
-1861 0 obj <<
-/D [1848 0 R /XYZ 85.0394 668.0414 null]
+/Type /Page
+/Contents 1861 0 R
+/Resources 1859 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1913 0 R
 >> endobj
 1862 0 obj <<
-/D [1848 0 R /XYZ 85.0394 662.6262 null]
+/D [1860 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1863 0 obj <<
-/D [1848 0 R /XYZ 85.0394 599.7666 null]
+/D [1860 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1864 0 obj <<
-/D [1848 0 R /XYZ 85.0394 599.7666 null]
+/D [1860 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1865 0 obj <<
-/D [1848 0 R /XYZ 85.0394 599.7666 null]
+/D [1860 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1866 0 obj <<
-/D [1848 0 R /XYZ 85.0394 591.7571 null]
+/D [1860 0 R /XYZ 85.0394 743.3452 null]
 >> endobj
 1867 0 obj <<
-/D [1848 0 R /XYZ 85.0394 565.0374 null]
+/D [1860 0 R /XYZ 85.0394 728.6405 null]
 >> endobj
 1868 0 obj <<
-/D [1848 0 R /XYZ 85.0394 559.6222 null]
+/D [1860 0 R /XYZ 85.0394 723.1655 null]
 >> endobj
 1869 0 obj <<
-/D [1848 0 R /XYZ 85.0394 534.1777 null]
+/D [1860 0 R /XYZ 85.0394 708.4607 null]
 >> endobj
 1870 0 obj <<
-/D [1848 0 R /XYZ 85.0394 527.4872 null]
+/D [1860 0 R /XYZ 85.0394 702.9857 null]
 >> endobj
 1871 0 obj <<
-/D [1848 0 R /XYZ 85.0394 502.0427 null]
+/D [1860 0 R /XYZ 85.0394 688.2211 null]
 >> endobj
 1872 0 obj <<
-/D [1848 0 R /XYZ 85.0394 495.3523 null]
+/D [1860 0 R /XYZ 85.0394 682.8059 null]
 >> endobj
 1873 0 obj <<
-/D [1848 0 R /XYZ 85.0394 420.5376 null]
+/D [1860 0 R /XYZ 85.0394 668.0414 null]
 >> endobj
 1874 0 obj <<
-/D [1848 0 R /XYZ 85.0394 420.5376 null]
+/D [1860 0 R /XYZ 85.0394 662.6262 null]
 >> endobj
 1875 0 obj <<
-/D [1848 0 R /XYZ 85.0394 420.5376 null]
+/D [1860 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1876 0 obj <<
-/D [1848 0 R /XYZ 85.0394 412.5281 null]
+/D [1860 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1877 0 obj <<
-/D [1848 0 R /XYZ 85.0394 388.4584 null]
+/D [1860 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1878 0 obj <<
-/D [1848 0 R /XYZ 85.0394 380.3932 null]
+/D [1860 0 R /XYZ 85.0394 591.7571 null]
 >> endobj
 1879 0 obj <<
-/D [1848 0 R /XYZ 85.0394 365.6884 null]
+/D [1860 0 R /XYZ 85.0394 565.0374 null]
 >> endobj
 1880 0 obj <<
-/D [1848 0 R /XYZ 85.0394 360.2134 null]
+/D [1860 0 R /XYZ 85.0394 559.6222 null]
 >> endobj
 1881 0 obj <<
-/D [1848 0 R /XYZ 85.0394 345.4488 null]
+/D [1860 0 R /XYZ 85.0394 534.1777 null]
 >> endobj
 1882 0 obj <<
-/D [1848 0 R /XYZ 85.0394 340.0336 null]
+/D [1860 0 R /XYZ 85.0394 527.4872 null]
 >> endobj
 1883 0 obj <<
-/D [1848 0 R /XYZ 85.0394 325.269 null]
+/D [1860 0 R /XYZ 85.0394 502.0427 null]
 >> endobj
 1884 0 obj <<
-/D [1848 0 R /XYZ 85.0394 319.8539 null]
+/D [1860 0 R /XYZ 85.0394 495.3523 null]
 >> endobj
 1885 0 obj <<
-/D [1848 0 R /XYZ 85.0394 295.7842 null]
+/D [1860 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1886 0 obj <<
-/D [1848 0 R /XYZ 85.0394 287.7189 null]
+/D [1860 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1887 0 obj <<
-/D [1848 0 R /XYZ 85.0394 272.9543 null]
+/D [1860 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1888 0 obj <<
-/D [1848 0 R /XYZ 85.0394 267.5392 null]
+/D [1860 0 R /XYZ 85.0394 412.5281 null]
 >> endobj
 1889 0 obj <<
-/D [1848 0 R /XYZ 85.0394 252.7746 null]
+/D [1860 0 R /XYZ 85.0394 388.4584 null]
 >> endobj
 1890 0 obj <<
-/D [1848 0 R /XYZ 85.0394 247.3594 null]
+/D [1860 0 R /XYZ 85.0394 380.3932 null]
 >> endobj
 1891 0 obj <<
-/D [1848 0 R /XYZ 85.0394 223.2897 null]
+/D [1860 0 R /XYZ 85.0394 365.6884 null]
 >> endobj
 1892 0 obj <<
-/D [1848 0 R /XYZ 85.0394 215.2245 null]
+/D [1860 0 R /XYZ 85.0394 360.2134 null]
 >> endobj
 1893 0 obj <<
-/D [1848 0 R /XYZ 85.0394 149.4956 null]
+/D [1860 0 R /XYZ 85.0394 345.4488 null]
 >> endobj
 1894 0 obj <<
-/D [1848 0 R /XYZ 85.0394 149.4956 null]
+/D [1860 0 R /XYZ 85.0394 340.0336 null]
 >> endobj
 1895 0 obj <<
-/D [1848 0 R /XYZ 85.0394 149.4956 null]
+/D [1860 0 R /XYZ 85.0394 325.269 null]
 >> endobj
 1896 0 obj <<
-/D [1848 0 R /XYZ 85.0394 144.3554 null]
+/D [1860 0 R /XYZ 85.0394 319.8539 null]
 >> endobj
 1897 0 obj <<
-/D [1848 0 R /XYZ 85.0394 120.2857 null]
+/D [1860 0 R /XYZ 85.0394 295.7842 null]
 >> endobj
 1898 0 obj <<
-/D [1848 0 R /XYZ 85.0394 112.2205 null]
+/D [1860 0 R /XYZ 85.0394 287.7189 null]
 >> endobj
 1899 0 obj <<
-/D [1848 0 R /XYZ 85.0394 97.4559 null]
+/D [1860 0 R /XYZ 85.0394 272.9543 null]
 >> endobj
 1900 0 obj <<
-/D [1848 0 R /XYZ 85.0394 92.0407 null]
+/D [1860 0 R /XYZ 85.0394 267.5392 null]
 >> endobj
-1847 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+1901 0 obj <<
+/D [1860 0 R /XYZ 85.0394 252.7746 null]
+>> endobj
+1902 0 obj <<
+/D [1860 0 R /XYZ 85.0394 247.3594 null]
+>> endobj
+1903 0 obj <<
+/D [1860 0 R /XYZ 85.0394 223.2897 null]
 >> endobj
 1904 0 obj <<
+/D [1860 0 R /XYZ 85.0394 215.2245 null]
+>> endobj
+1905 0 obj <<
+/D [1860 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1906 0 obj <<
+/D [1860 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1907 0 obj <<
+/D [1860 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1908 0 obj <<
+/D [1860 0 R /XYZ 85.0394 144.3554 null]
+>> endobj
+1909 0 obj <<
+/D [1860 0 R /XYZ 85.0394 120.2857 null]
+>> endobj
+1910 0 obj <<
+/D [1860 0 R /XYZ 85.0394 112.2205 null]
+>> endobj
+1911 0 obj <<
+/D [1860 0 R /XYZ 85.0394 97.4559 null]
+>> endobj
+1912 0 obj <<
+/D [1860 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1859 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1916 0 obj <<
 /Length 2121      
 /Filter /FlateDecode
 >>
@@ -8342,117 +8396,117 @@ a
 BRSOÄú1£ìô<(AD]­Xx©°óZìM¬¸¾{˜åºP¬ú\J"VßCÞäN¹Qï3;¡Ô»pý²©Î“	ì‚™8
 ÓÙ„õç‘A­Ç> endobj
-1905 0 obj <<
-/D [1903 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1906 0 obj <<
-/D [1903 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1907 0 obj <<
-/D [1903 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1908 0 obj <<
-/D [1903 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1909 0 obj <<
-/D [1903 0 R /XYZ 56.6929 746.6461 null]
->> endobj
-1910 0 obj <<
-/D [1903 0 R /XYZ 56.6929 722.5763 null]
->> endobj
-1911 0 obj <<
-/D [1903 0 R /XYZ 56.6929 716.7581 null]
->> endobj
-1912 0 obj <<
-/D [1903 0 R /XYZ 56.6929 701.9936 null]
->> endobj
-1913 0 obj <<
-/D [1903 0 R /XYZ 56.6929 698.8254 null]
->> endobj
-1914 0 obj <<
-/D [1903 0 R /XYZ 56.6929 684.1207 null]
->> endobj
 1915 0 obj <<
-/D [1903 0 R /XYZ 56.6929 680.8926 null]
->> endobj
-1916 0 obj <<
-/D [1903 0 R /XYZ 56.6929 656.8229 null]
+/Type /Page
+/Contents 1916 0 R
+/Resources 1914 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1913 0 R
 >> endobj
 1917 0 obj <<
-/D [1903 0 R /XYZ 56.6929 651.0047 null]
+/D [1915 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1918 0 obj <<
-/D [1903 0 R /XYZ 56.6929 636.3 null]
+/D [1915 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1919 0 obj <<
-/D [1903 0 R /XYZ 56.6929 633.072 null]
+/D [1915 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1920 0 obj <<
-/D [1903 0 R /XYZ 56.6929 609.0023 null]
+/D [1915 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1921 0 obj <<
-/D [1903 0 R /XYZ 56.6929 603.184 null]
+/D [1915 0 R /XYZ 56.6929 746.6461 null]
 >> endobj
 1922 0 obj <<
-/D [1903 0 R /XYZ 56.6929 579.1143 null]
+/D [1915 0 R /XYZ 56.6929 722.5763 null]
 >> endobj
 1923 0 obj <<
-/D [1903 0 R /XYZ 56.6929 573.2961 null]
+/D [1915 0 R /XYZ 56.6929 716.7581 null]
 >> endobj
 1924 0 obj <<
-/D [1903 0 R /XYZ 56.6929 558.5914 null]
+/D [1915 0 R /XYZ 56.6929 701.9936 null]
 >> endobj
 1925 0 obj <<
-/D [1903 0 R /XYZ 56.6929 555.3634 null]
+/D [1915 0 R /XYZ 56.6929 698.8254 null]
 >> endobj
 1926 0 obj <<
-/D [1903 0 R /XYZ 56.6929 540.5988 null]
+/D [1915 0 R /XYZ 56.6929 684.1207 null]
 >> endobj
 1927 0 obj <<
-/D [1903 0 R /XYZ 56.6929 537.4306 null]
+/D [1915 0 R /XYZ 56.6929 680.8926 null]
 >> endobj
 1928 0 obj <<
-/D [1903 0 R /XYZ 56.6929 510.7109 null]
+/D [1915 0 R /XYZ 56.6929 656.8229 null]
 >> endobj
 1929 0 obj <<
-/D [1903 0 R /XYZ 56.6929 507.5427 null]
->> endobj
-646 0 obj <<
-/D [1903 0 R /XYZ 56.6929 477.5928 null]
+/D [1915 0 R /XYZ 56.6929 651.0047 null]
 >> endobj
 1930 0 obj <<
-/D [1903 0 R /XYZ 56.6929 453.2532 null]
->> endobj
-650 0 obj <<
-/D [1903 0 R /XYZ 56.6929 369.7201 null]
+/D [1915 0 R /XYZ 56.6929 636.3 null]
 >> endobj
 1931 0 obj <<
-/D [1903 0 R /XYZ 56.6929 345.3805 null]
+/D [1915 0 R /XYZ 56.6929 633.072 null]
 >> endobj
 1932 0 obj <<
-/D [1903 0 R /XYZ 56.6929 310.6805 null]
+/D [1915 0 R /XYZ 56.6929 609.0023 null]
 >> endobj
 1933 0 obj <<
-/D [1903 0 R /XYZ 56.6929 310.6805 null]
+/D [1915 0 R /XYZ 56.6929 603.184 null]
 >> endobj
 1934 0 obj <<
-/D [1903 0 R /XYZ 56.6929 310.6805 null]
+/D [1915 0 R /XYZ 56.6929 579.1143 null]
 >> endobj
 1935 0 obj <<
-/D [1903 0 R /XYZ 56.6929 310.6805 null]
+/D [1915 0 R /XYZ 56.6929 573.2961 null]
 >> endobj
-1902 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R /F14 757 0 R >>
-/ProcSet [ /PDF /Text ]
+1936 0 obj <<
+/D [1915 0 R /XYZ 56.6929 558.5914 null]
+>> endobj
+1937 0 obj <<
+/D [1915 0 R /XYZ 56.6929 555.3634 null]
 >> endobj
 1938 0 obj <<
+/D [1915 0 R /XYZ 56.6929 540.5988 null]
+>> endobj
+1939 0 obj <<
+/D [1915 0 R /XYZ 56.6929 537.4306 null]
+>> endobj
+1940 0 obj <<
+/D [1915 0 R /XYZ 56.6929 510.7109 null]
+>> endobj
+1941 0 obj <<
+/D [1915 0 R /XYZ 56.6929 507.5427 null]
+>> endobj
+654 0 obj <<
+/D [1915 0 R /XYZ 56.6929 477.5928 null]
+>> endobj
+1942 0 obj <<
+/D [1915 0 R /XYZ 56.6929 453.2532 null]
+>> endobj
+658 0 obj <<
+/D [1915 0 R /XYZ 56.6929 369.7201 null]
+>> endobj
+1943 0 obj <<
+/D [1915 0 R /XYZ 56.6929 345.3805 null]
+>> endobj
+1944 0 obj <<
+/D [1915 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1945 0 obj <<
+/D [1915 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1946 0 obj <<
+/D [1915 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1947 0 obj <<
+/D [1915 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1914 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F14 765 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1950 0 obj <<
 /Length 1945      
 /Filter /FlateDecode
 >>
@@ -8465,42 +8519,42 @@ O3i_
 ³‰1éï\³\«XûXÌΚeyn@Çœ¥iJÿ¦ê7Í~½™8Jè8•ºvµ2eàÁÀUJÎkŒñª:àÌ›{Iôç²ßmÑl·`ý¤*kGkëýÖÕ}‡Wg$\.qU×צè‰æE¿Ûf ü=ãšR7€ÕB¹»ýB(bŠ%%}r¡h©ëCŽ8†(ÎŽ™JVÎç;C´Gˆ½
»=(½;Ф	DïÀxÆØ$õÔ$ä½	··¨X7$̉ˆnw˜‘ßêùóÆÕ4Âtò²È§9Âêp‘ÉfÚ«Lfc@¤OØð]—O®Fõšÿ³®ÊïŽè®ØU¥˜`úEÑÁiJÙMZ3{{÷ž8ò€ºm!øA÷âxR³šŒ	x‰¡¾X—Lj¢7ƒw6ÏdµDãÓ*züÛ}Õ—måN£»GòcX,»nïB”Ÿø…âÀ.7€Á
³áÆN‚lF)A‘ïK¥B1”phµ$Š?(¾°© J׺E‰N¸ y,{*Œ›TCV|i@ÉsïyÍ€^5繬ª XŠ2 —Ô«‚QÕ%jUvä–¨e=á‹Â&¤ˆêk×/^ê©žb*Ëàá$@º‘¿/šz5!÷¸Ñ‘82ÿ¿(Fd	¿éɵ1&ŒÎH>ÀŽc\|a“ŽIëë³É®Z_Èll}@
^ñ}Ûßè!0\E᥮þ#:ötM0!ßmzì)¢¡,<ƒyfÇ–ò}“ÍBà§ðëºÐ Õ;(P;ØZêG¨;ZZºUÖÑ:
 7Ñ[¤ʘÐ×ìbyíòTSþ*¤Ñ›þüïŸ?}øÏkx»Åb¦˜Í¬ü:5¿ßDU)ÇŸªŸ
µƒ8Èa€\Ô¢7…r$sÍ´gõȇ½á'®ƒ“¶…ü¹ŒYÍu\¼œcN‘‚³N¦{ß`Bɺ½£/uµ0x÷‘¾ô{ƒo™1§tDm ¦«¢¥I¨í0ê¯ÂõMK`•{rÑè•ý!`zfó%5YH§Î-œ1ñ³¼eL–ÅBç£ëMÓÙ+5´‚çžy1W±»M—ª¢T£ªÊ!Å¢´¼:Ë/
ðw¿F“™C]ôª^®×"‡¤aÉ~\”,†Ïpî‰4êHi0Fë)šP´ƒ4ʧۻ˜@`eè¡¡„*œžõÐÈøîcäwH¨©Ômá/„íàÍ]tì¦}²÷/açïðãó˜áϲ“íÀ’yèÙÑo#\Ó/U€·Äùqü/Ïû/Ð6ž‚endstream
 endobj
-1937 0 obj <<
+1949 0 obj <<
 /Type /Page
-/Contents 1938 0 R
-/Resources 1936 0 R
+/Contents 1950 0 R
+/Resources 1948 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1901 0 R
+/Parent 1913 0 R
 >> endobj
-1939 0 obj <<
-/D [1937 0 R /XYZ 85.0394 794.5015 null]
+1951 0 obj <<
+/D [1949 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-654 0 obj <<
-/D [1937 0 R /XYZ 85.0394 769.5949 null]
+662 0 obj <<
+/D [1949 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1940 0 obj <<
-/D [1937 0 R /XYZ 85.0394 573.0107 null]
+1952 0 obj <<
+/D [1949 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-658 0 obj <<
-/D [1937 0 R /XYZ 85.0394 573.0107 null]
+666 0 obj <<
+/D [1949 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-1941 0 obj <<
-/D [1937 0 R /XYZ 85.0394 538.4209 null]
+1953 0 obj <<
+/D [1949 0 R /XYZ 85.0394 538.4209 null]
 >> endobj
-1942 0 obj <<
-/D [1937 0 R /XYZ 85.0394 504.6118 null]
+1954 0 obj <<
+/D [1949 0 R /XYZ 85.0394 504.6118 null]
 >> endobj
-1943 0 obj <<
-/D [1937 0 R /XYZ 85.0394 432.7569 null]
+1955 0 obj <<
+/D [1949 0 R /XYZ 85.0394 432.7569 null]
 >> endobj
-1944 0 obj <<
-/D [1937 0 R /XYZ 85.0394 303.3232 null]
+1956 0 obj <<
+/D [1949 0 R /XYZ 85.0394 303.3232 null]
 >> endobj
-1936 0 obj <<
-/Font << /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
+1948 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1947 0 obj <<
+1959 0 obj <<
 /Length 3824      
 /Filter /FlateDecode
 >>
@@ -8522,27 +8576,27 @@ h
 Giß\_¾AQ?çM@#`£JU¤7ÏøJg]­T;Tˆ8I§r3À-KBnöq\‘¬ºIËlö‹;—­@‰-Úñ¦©‰ÔÙ†¿(êÓeÛ›["’¨Ò£±r™—¨\ë
›ã+‚òŸ^ŒÕPð«ÔP%z˜¸vé^àŽÿ6u±•øȱÞæËqè"™’ð)ˆYaÆw&®úâ›!=Çoß]¼œ¿{•ŒãX€Yf¡ˆ=Ô‘¥pè'> endobj
-1948 0 obj <<
-/D [1946 0 R /XYZ 56.6929 794.5015 null]
+1960 0 obj <<
+/D [1958 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1949 0 obj <<
-/D [1946 0 R /XYZ 56.6929 752.1413 null]
+1961 0 obj <<
+/D [1958 0 R /XYZ 56.6929 752.1413 null]
 >> endobj
-1950 0 obj <<
-/D [1946 0 R /XYZ 56.6929 501.191 null]
+1962 0 obj <<
+/D [1958 0 R /XYZ 56.6929 501.191 null]
 >> endobj
-1945 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F48 975 0 R /F53 1052 0 R /F11 1431 0 R >>
+1957 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R /F11 1441 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1953 0 obj <<
+1965 0 obj <<
 /Length 3111      
 /Filter /FlateDecode
 >>
@@ -8561,24 +8615,24 @@ D
 q09ÿÂêŽFÅà‹à¬j't¢»ïÚHzq(ãžòëÜ^K¤íI¥¡*¬a—Ö}×˪±™Êª+Þöå™Ïë:çËJ?†S=i}¾”÷ùÔ´ØkxSÎH
 gˆ¯nGªïÜëÃ]51ŸVÍ›%”^ÒM‘1aúô,‹’0ÂÁ%ŠX¿ZñÝ)…"´¨"Ñ“çÉï_0[”ÌwÕæ’ñÕ±;«¤{-ÌM€P°~?Jj*ÊOóÚv1·½]q è\Ž÷f=1Ù¤;Y0®3ߤõì[!ZR¿Ö¡ÐypÖ{ òËí_×_¾.©bŸ–Oø†(3[Áƒñlé‹'«ÝsÔíÒ=ë1^Ô’½…®U¯imGì,æÈTìmŠËJœ—&)ïM%û<Åt¥¦)ÆI9ŠY§˜³Ê[Š9Ñ>N1=õ†b`crª–Ø5M$S–ÈÛPøxM¿H1«u¾z¦­5YQã‰0ã?2€Ã2X0a²;Je@>±6õYÆOü¶—{ÈÇ¡ª3¬2Ì5éãúóÝݧ½åv'Äê±—XÒÅÐ$àdìo¥–¡i X¡›É{ÛsZÛkÛ¡Úñ[Û®ÞkzÄÊ×ù÷~é|üõêîÎÞ‘çeçeÔåíN¶ÏU“n…X¯ü7žUZ™i§²L{ÓÛÀbŸ¸r—D`Îhu2Cµƒ?NÑ°ý¢°«÷¿óérùëÿÉ£öäzø—X#sî#þç?øjÿœ-À¿¾I&^ð £”–Ö(t“”jhºûÓ°SÛÿ
Q¨¯[endstream
 endobj
-1952 0 obj <<
+1964 0 obj <<
 /Type /Page
-/Contents 1953 0 R
-/Resources 1951 0 R
+/Contents 1965 0 R
+/Resources 1963 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1901 0 R
+/Parent 1913 0 R
 >> endobj
-1954 0 obj <<
-/D [1952 0 R /XYZ 85.0394 794.5015 null]
+1966 0 obj <<
+/D [1964 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1955 0 obj <<
-/D [1952 0 R /XYZ 85.0394 679.319 null]
+1967 0 obj <<
+/D [1964 0 R /XYZ 85.0394 679.319 null]
 >> endobj
-1951 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F48 975 0 R /F53 1052 0 R >>
+1963 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1958 0 obj <<
+1970 0 obj <<
 /Length 2837      
 /Filter /FlateDecode
 >>
@@ -8595,21 +8649,21 @@ lh
 ®’ñÌÜß.äPŸøÛPðƒ®­ú8‘äF&+¶ˆ'	7øû·­Ö\ëy9-é° 0(Žd0‰ÝdYpØK¹SQ—°2»{›±=C¯Êì˜õâ3´ \פUìSnçö-Áu ?C]C-.Ô?7.¤ÊjµŽÊ^xײŸÃvôì-ÎkOY¯øvÈÛB×Ýt©†?†±×mzÔéè:ûÔª†Æç÷7¦áî‡"2ncúæÀ!œ¦Æ|éá¹%¨Û~e5‘Ï	üEpLÕ#X®ÎË\6ë9¿È×Ý‹Õöâ¶f^ßÁ¥ß|]¼”ßÏe—g?¥9¸šn¸À¬RÃ\Ý@µí6áfªsëÏÀôevÀ
¯b:ËR’‰Ûå€hã/H–Hú$€Þb;âyÊwÎ!c‹fê8ð¨Qh›3ìѬšyÚÍ”93ÁÓÐ1{L›¾%LCš±b[$+f…t+öæ”'$5Ç>ŸÕ¡OS[:uO@iÎ
 Óš8³tüÌÕÿoœ'xL:´Uœnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ³¹ã ”PH»sÙÿnuþ¤endstream
 endobj
-1957 0 obj <<
+1969 0 obj <<
 /Type /Page
-/Contents 1958 0 R
-/Resources 1956 0 R
+/Contents 1970 0 R
+/Resources 1968 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1901 0 R
+/Parent 1913 0 R
 >> endobj
-1959 0 obj <<
-/D [1957 0 R /XYZ 56.6929 794.5015 null]
+1971 0 obj <<
+/D [1969 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1956 0 obj <<
-/Font << /F37 819 0 R /F48 975 0 R /F23 754 0 R /F21 730 0 R /F53 1052 0 R >>
+1968 0 obj <<
+/Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1962 0 obj <<
+1974 0 obj <<
 /Length 3265      
 /Filter /FlateDecode
 >>
@@ -8634,24 +8688,24 @@ O
 >œ¹_¨ØE›­;¬`ÁÕ’Ôß·
íðh¼1Û¢Û6Ãl­ŽëÓ· °?Ûí¶¦Q¶¿ïz¸«‚^‘RÀôK;ƒÕý¶rëä…¤UT¡é:ÝoÛMOJø¢§{0#•äò$‹pÜù©_Š)¨ÒÕä‡Bä?þÙá7r2üò>™'€÷d
 ?æ˜B±aŽY7S™Lðþ?ËÊÀuendstream
 endobj
-1961 0 obj <<
+1973 0 obj <<
 /Type /Page
-/Contents 1962 0 R
-/Resources 1960 0 R
+/Contents 1974 0 R
+/Resources 1972 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1965 0 R
+/Parent 1977 0 R
 >> endobj
-1963 0 obj <<
-/D [1961 0 R /XYZ 85.0394 794.5015 null]
+1975 0 obj <<
+/D [1973 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1964 0 obj <<
-/D [1961 0 R /XYZ 85.0394 179.5067 null]
+1976 0 obj <<
+/D [1973 0 R /XYZ 85.0394 179.5067 null]
 >> endobj
-1960 0 obj <<
-/Font << /F37 819 0 R /F48 975 0 R /F23 754 0 R /F53 1052 0 R /F41 959 0 R /F21 730 0 R >>
+1972 0 obj <<
+/Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1968 0 obj <<
+1980 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -8665,45 +8719,45 @@ xڥX[sۺ~ׯ
 ÙF¬šDÞ¶¬ÏP- HeˆTËã8¶¹½û„ï»Óº½G¯WªI¯*Uëâ•À	_¶iÇ0ˆìŠ¿üû·ÏÜü犀U:d=Üx~sƒÞÏ>Í?_ä÷•®ôÌpè;ü£áŠÌ£ž0+ëZ¥Óïjÿ¢ÊÞ¤Ý@Ä}è¨Ád‡Ý—Ûð”õ‡J‚ˆ„~·n\*Á³·kìý×ó‹nAεgßeý£×gH÷új´ÆÎÚ¾‘νÍ:ûÀtØÇ^ÙÝ	ä¼›®m0ÁOx8ûvŽáásϩɸ‹
 nþó{×mEÑÖý¦¿mò"oöçÓ1›ïK½©á|ÑŽ`$Œà1FPQ@å1ðy€‘Ü7—Óð·0šÁ©ìi8å˜îË[ôæ¢yb>N“YQVõb÷úÔŠÒ¡BS˜'l/Ó´HêzðUB,-ÚEÂû…Â'Qà·	Xfº9«/Œ~¹¬p»~VƒÏÅ€p.Ù±Ææ¢Æf¿üú!H̨<Ö÷÷‹úvIÞœÕ':}ø ‹‡à­ Â0>N×»´,’—¡]$‘at‚‚ìzëaíbeX<ûnÞ™]™J»£ñS{ûd(M‘ñáÏe<ô	ü9h2NÂQ91½ýúvjûoò"4endstream
 endobj
-1967 0 obj <<
+1979 0 obj <<
 /Type /Page
-/Contents 1968 0 R
-/Resources 1966 0 R
+/Contents 1980 0 R
+/Resources 1978 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1965 0 R
+/Parent 1977 0 R
 >> endobj
-1969 0 obj <<
-/D [1967 0 R /XYZ 56.6929 794.5015 null]
+1981 0 obj <<
+/D [1979 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1970 0 obj <<
-/D [1967 0 R /XYZ 56.6929 581.7741 null]
+1982 0 obj <<
+/D [1979 0 R /XYZ 56.6929 581.7741 null]
 >> endobj
-1971 0 obj <<
-/D [1967 0 R /XYZ 56.6929 460.6765 null]
+1983 0 obj <<
+/D [1979 0 R /XYZ 56.6929 460.6765 null]
 >> endobj
-1972 0 obj <<
-/D [1967 0 R /XYZ 56.6929 366.7195 null]
+1984 0 obj <<
+/D [1979 0 R /XYZ 56.6929 366.7195 null]
 >> endobj
-1973 0 obj <<
-/D [1967 0 R /XYZ 56.6929 293.4426 null]
+1985 0 obj <<
+/D [1979 0 R /XYZ 56.6929 293.4426 null]
 >> endobj
-662 0 obj <<
-/D [1967 0 R /XYZ 56.6929 247.3727 null]
+670 0 obj <<
+/D [1979 0 R /XYZ 56.6929 247.3727 null]
 >> endobj
-1974 0 obj <<
-/D [1967 0 R /XYZ 56.6929 211.2315 null]
+1986 0 obj <<
+/D [1979 0 R /XYZ 56.6929 211.2315 null]
 >> endobj
-1975 0 obj <<
-/D [1967 0 R /XYZ 56.6929 172.539 null]
+1987 0 obj <<
+/D [1979 0 R /XYZ 56.6929 172.539 null]
 >> endobj
-1976 0 obj <<
-/D [1967 0 R /XYZ 56.6929 96.3402 null]
+1988 0 obj <<
+/D [1979 0 R /XYZ 56.6929 96.3402 null]
 >> endobj
-1966 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F53 1052 0 R /F39 917 0 R >>
+1978 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1979 0 obj <<
+1991 0 obj <<
 /Length 4192      
 /Filter /FlateDecode
 >>
@@ -8725,121 +8779,120 @@ O
 ÓqŒ'\ò̵î9'Ýȇÿ’J§YnìÙãdªTèÔ—Xj¨}-½%Ð|¡’®œxãÄM5ghêŽ,Ó†Nì4&Ä„9<¯yšéü)S‰ÉÓxÀö÷3ç,¶?g™<^Ä[T…‰Ã¼žft†ìÏîA¦0D¬Y^|m'NX§gOür	N2ÿÆ[q#Q¤-›“«p’ž
 ?B£ ‚Ø{Úè€äN-(_í/ËŠéêS¦!$ë¯U~˨dÊôlÃæÉ×Öj‚ fö&4(' úuùRõ™;‡i¿¦k~ŒðÉgêù.—Ögë¡Y¢Sm¿&%˜E%™µ£"}x•s(`Îß겉Ìss9ÛSâø®*îV¨6+*gS8`‚jÚ> endobj
-1980 0 obj <<
-/D [1978 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1981 0 obj <<
-/D [1978 0 R /XYZ 85.0394 751.6872 null]
->> endobj
-1977 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F53 1052 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1984 0 obj <<
-/Length 2010      
-/Filter /FlateDecode
->>
-stream
-xÚ¥XKsÛ8¾ëWè¶RÕÁƒ £˳šÉØ^KÙÚ­L´I¬¡H
I9ãýõÛ Š¤`'©)6šF?¾î&™bø‘)P$©œÆ2D>Ý'xº‡½Ÿ'ÄòŽ)ès½ßLÞݲx*‘Œh4Ýìz²ÂBé&ý<{šƒ<»¹[¯—‚›õíãýo¿.ÿ;H,°œ-–w7«ÿÌÊ1ð7ƳßwŸ
ía.élñór=ÿ²ùe²Ütšõµ'˜iµþœ|þ‚§)\â—	FL
->ý
-)éô8	9CÎ9Ÿýûv‡³ÅÊFÒE\­~2¤¯‡l{0ˬ6ÿ­ÒvP¦¶„rgþ‹²:&¹Y×Íùi ½Ì[õ5åI’第´¨Uƒšeéñ@$"QÜÅÃÑç”…!wŽÛ&…;ÐüŸk•ÚË”VMÕŒnwTÇRûËð'{KNÕÓy¿ÏŠ½yüc–ìm€ñ¾
-”Å“‘ŒJmË*õ¨Ê8ç–í'¤"•0Ë`Tñˆ¡ˆÅ]<'Eê†cŸNeÕèä á,³ÒM|s²Ýª“%jiY}Ê“+®,“˜@4´äåbýaµΘ\”€u
-Èc'‚1’!û–¥(ÂQQÉéÔ¦byª²àñÅœ±-H̦¶O‡£i3U±-SôðÔæ¹GE³zR»ÒäºyÖP¨_µpÄ&PìµM$ÀI‹€“ucmvFBGCpà§×¥ý·öEÈloHy§ö†ð¸3×>ZÙm¢G ¶°(ÖÙn¼”礆9ÏþP}•àÿ\†
¬bw©ÒÆ™VÙ„Lo=ok;Œ‚‰JmdµÙ…8Ñ/¥–º3TkPpŒäЈDÃÀt'
+`W,¾k<è-
¡ß†/Á»*VÍÅì\Ô~¸¤EaŒã!ÜÞ®>šžodð¾¾SÍö]ÕÖ]9¾ó€‡’×Ë¥¹ßâãúþÛžf{
¦Däm4¤š(4±w«±0rg†qÁ¸ë„¡åÅÐÛ¦E]«mÖ»ª<þ¡^\æ@¡ŒbµÜwmüŠí¥0z]™Ä×ÂLÕ¦46+ÓvÛõÚü?>šÿ½*T•˜VÒô
-eþ=Ö{)ÊSÕãdAfðy@üÃlIÊu…ö÷ÖúEѾˆëŒs­uÇ52†5D¶þ<ûúªÛié…z¼Ü×—ëF¡‹à/N"éV´[%žSt¾…]_“ä{°	!p4<´ße¹zÕ¾˜À€®ùöí‰xþŽëuû°òƒV¡˜ÁüÔYõÌò9øÕ#oØ^¦ô¡îk¯…òoNÆBënµõˆ8Š9]£'uýý‘²ó˜€²Áè<bçð±`˜âôh;¼øòVxuþ¡è/è¡tCàÙ
n–뫇ÍêþÎS)ÆHê¾Ä	ŽL·ƒî¹9Û–rÛzÐhv£rµw¸ël_´M¬5&߬mC¼n(;·‹­2\†º5m\zyóñÑa<¼šØs]‡bùÚ†¶o?‹¸0+;•L{‰A3døfCŽ¥-#mƒ4˜ÊöÙ³²pöÑ:Õ£
-ó*.ß·N¸þJb“ž0¼B¾}.óQÇW; ’ñ‘Lt’ˆ·tLž#Á˦ Á‘ŸÜD¾þç" f™ŒÇw(Û¦ÑÖ›ù¾¬`F:º©–ãŸÚ%ç¼}(»IÚŽÖes¸>³H/4Ê£ÎU^@£ÿ†z\o8Àqµ ¯:à­#/¸:Òë€þ‘ÀÅį(†F:ŽÈÛöé1½nÇÔZÇU!>˜+¡–J~)B6:Fšhb©€Æô-Õ:¦k݆MG„ôwŸ¾nk@²­¶gÆh1¿
ˆ=£Aá`fÐÏI~¶Ërç­ Ð~Kúnxý¥’wŸŽgwô“U§,.ç´ÿ.þa©ó‰Å[Í]¤‚éÞA«Ü ZìË]Ú@ׇõ]hµW´•t7> endobj
-1985 0 obj <<
-/D [1983 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1986 0 obj <<
-/D [1983 0 R /XYZ 56.6929 684.0716 null]
->> endobj
-1987 0 obj <<
-/D [1983 0 R /XYZ 56.6929 572.8605 null]
->> endobj
-1988 0 obj <<
-/D [1983 0 R /XYZ 56.6929 509.4701 null]
->> endobj
-666 0 obj <<
-/D [1983 0 R /XYZ 56.6929 470.2699 null]
->> endobj
-1989 0 obj <<
-/D [1983 0 R /XYZ 56.6929 433.5878 null]
->> endobj
 1990 0 obj <<
-/D [1983 0 R /XYZ 56.6929 401.47 null]
->> endobj
-1991 0 obj <<
-/D [1983 0 R /XYZ 56.6929 335.1577 null]
+/Type /Page
+/Contents 1991 0 R
+/Resources 1989 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1977 0 R
 >> endobj
 1992 0 obj <<
-/D [1983 0 R /XYZ 56.6929 244.1508 null]
+/D [1990 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1993 0 obj <<
-/D [1983 0 R /XYZ 56.6929 168.8052 null]
+/D [1990 0 R /XYZ 85.0394 751.6872 null]
 >> endobj
-1982 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F39 917 0 R /F53 1052 0 R /F55 1060 0 R >>
+1989 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1996 0 obj <<
-/Length 2087      
+/Length 2016      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YËvÛ8Ýû+´ê$B@ÙQ¶œvÛq2–ÒÓÓ#B6Oøp‹”Ýž¯Ÿ@P$EÉî™dA*¢.ªn=@“	†ÿd"8ÂT²I(â˜ðÉ:?Ó{øíãidfNhÖ•š¯Î~¸¤áD"øÁdµéì%‚LVÉo^ôåËâöâê—éÌçØ›£éŒcì}Šn¿F7víËTú^ôq±œÎH(°!ªÅì]Ü.—‹óÙÅòòîó§ëÅ¿§¬~:[¬Zd]ôS
ëϳßþÀ“ñÓFT
->y†	FDJ’Ÿ1Ng”º•ìlyöÏvÃίæÕ1k0.÷Y0™°$·F˜ƒ
f!È)Z›ùdÌfNJÛlv­úÃ%çIȸ„͵D’nÕº.·/C‹îò ˜tÕ€k¥FÐÑ®N"Š>º›²ün=·)·vð]½ØÁïû™ªÜ„c™÷Þ.¤E+^©ÚŽó2QïíqY×0$QHÀAöÀö•™ìadQJE#×Õ¤Õy¸9eHpïˆ1»ƒ‹Î´‘Dl¼b‰Ïž¦BG꜔¡Âf„
-‚:ô›4S, `•Ó¸Z©`=øßCökY(0qÀ›Û±vç‡éŒ2b½
KY¼n~-7öY?˜…@»µûvçJs%N„{ñvJ„w¿ËUQÛ•´ìi®$e;µz¯¾ÖØJÿGƒà\´%äÜ7çÊãªVÀkŠIs2@D	÷žÒõƒ]_Ç…øÞ7eF'vuc¦e>Jk¬©'ÎX.u>s¬›1€µ±ºÌ±õÀÄ(´gÕkÚ6z¥ªšŸ|/®Æð0cÈa±Ó*+¤µÕ•Ç/­YŒ)¤Ê€ßYØ2§ÌÓºVÉÑ`
-8C,d¯SWêx0µR&˜¢¡J@ÝÃÓ*ЈÊ^˜`eOöU^ël—h"Réýº¼þGe‡ÏÆxzt¯
-µë´¸·ó‹¥}ZJ­KóL*¤-zÿšr€ú¡ÜÕV¬~H›-ËÇ:->|e‘½Øe9NC`=|ˆŸ”{_ö®—×vHOã{ã@ûáÑ&îç4ËìH~®ËâImÁ³vZ—öiÏÁìb\4ÒÛ´0¤naïk¥6»fûæ(úa‰¿¯7ûJrœSpƉ§9Õ‘:Á)'e8•&hâsSMR¦h
-J)N#k¥F õ¸G!²í£¥–¶&ýÁãâF÷[?ëIØxVÓ²žÎ_zb¦{#´„)ëTäSoõÐìY=ªuªN?L.À&Dr`‡x*PHahÅµòÇGU$ªdÈXj§¹Iï0Ò]ˆÍ6˜"Â%ïgÒ°O)»/Ì!ˆ1_°Ó$êJ'Q+eHT$&A/ìŸVé„FTví+¡“
-HÐWy=èÁ>ØÀsöpE[Çßf`¢nц©+Ú]‘AÑÖ†®"¶hà-ÚÍ^}­ñaËh•÷…¦5À¯´å]©^rRÆK뱶#ºƒ†¼ë,®|	¹x)Äid­Ô´~¨ÃÍ…aÒǶlñ¨-¶¶3OÔ&Þeï\ÝêÎÙÉé$Üõˆ»ü‰™ãù’¾Rì»R'¼å¤Œ·žÆ¼Ee¡kd2õ¤²CoÁ&!t»'‘µR#ÐúÞ"ÈçAÚRÕC/%êÛîþÞ605ÈP“+u?ßà
\?a#¢¯n\1¤ÙqñKôéËÍb$¹â	4½(™
û•Nþ¦0ïÛ.ÍLôâ-ŒàØU[¹‰wwgçm_kVõ;6ç‹^ƒMf.›_«¿âü¢u]æètï|HEx(óH!åþ·çÙ'™+À)³¬|nlMy™Ï\!€Š"6ö®×x.wYÒï]ÒªÚ©äÃÈÀ€ê9„§­bEU©õ,©6Û27÷ÞcoæÛçÛ;ØvõÐ6Qù(PÓ5%ªÌ´}-WÒïê
À»È¦À_¬£Ý¢Ö~ÖO‹Õy³b4"‹è"
-£ÍÅžG"ý`ŽÏ}?Œ"Á£¹˜Ï/ü9lÊ €ŸEÄÙ¥9·ÁÑqÃ9_Dx.Ù¹qŸÕ—W7‹å8mlGI3´¹¥ùÔÞÒôB¢ªô¾0-̾½ØgÝyÝÒʖɦëX÷Ô£­
Þ˜¹¼]À?ô.Žãw©þ7ª°dm\˜ŒÙU™6³hͦÄSvjJâ!"Š°§ß²Ÿ‘lŠ¾Ù÷Ø>ç!>·œ0pßQâ&A5·×ÓkŠ@°èj"lÝ0ÜNã?¬äÃÒÎO`7óàNæé_­9âû®ûÍu†½KUoul*€«2óÙ?H9m,ƒ†¾=)Àª{o÷÷¶±ÞW¨ƒº@%Fï÷#è<š_z?/"÷W¯ÇR4Úâ©­µSæm`iv¤Oª×¦ýîû¬çÔÒ9°Ü‰þµÙðI5[¤Ã÷¯´ª+ô†T±\,ì+ÑÍòóëÇçïû¹u®Ð
Mçg³/•]Ò…ÐÿIéÂf~u{a7‘
œ$O8ijÞÚ({)\‹ý).vq6V¡šú{‚Œ!`ú´£ÆÝå¹Ý‘\ŒóȇëáßÞŽq,_ÝîH¿™ë¹=E_W?~¾{ÝQWE­¶…Ë˸¥æMz8/‹ªÜÖé.?ög.ý-¤Ã-ÄÿûOû¿Ž0èÇ…8rC§X§I(}8¸°¡s¸sá‡#Øÿ‚“nendstream
+xÚµ]“â6ò_ÁÛAU¬Õ‡eKì“#ÙÌL6uW›}ð€WŒMl3›¹_-K2¶Ñ0»—ºâ©Õînõw‹Œ1üȘG(’TŽc"Ž	¯#<ÞÁÙ#bq‡t±Þ¯FïnY<–HF4¯¶Za!Èxµù«ÒìÓ­ùOòGù|XN‰˜¨êXä›Ê@¾¦õÞ~ e„JÄ™°"HrN1—óÇ)ç“ßn§q8™-¬'ÉUêúºO×{³L+óß}Fa*(¶æ?/ÊC’™uUŸžzÔ‹¬_CžÔ>yN‹Rq1ˆ)h–^ñ"‰âÖ>£„(¹3Ü:ÉCóªÔÆ^¦°bªzp»ƒ:Ú^?ÙYðF=v»4ß™íï³dgŒwE ,ŸŒœc”j]”¨Œ#qnÑ~ðP
+ÁS	³FŠXÜús’o<„@qŒÇŽR]&k%p!œêP:­ûlÇ“E„@¸Ã%C†Mô.nîŒR–Ÿî[yèƒ)‡6)p±õD§€˜Ââ"8ûrplFR¢Ý“Ä`c¥­
¾ötJ³ÚMXh @¿cŽÓ¼Vežèl‘d駀£MqHRKDÇ# sRŽÇ¢¬upÐp’ZêÆ¿9Y¯Õѵ	µ´:fÉ‹%Wä	LI4†lÓ‹ËÙòÃb˜19ë&) žÆH†ì-MQ„£6E%ÇcŠÅ±LH/†ÇºÈ!0ëÊîö	¸GÝD*lU¾.6Æéa×ĹGD³zRÛÂĺÙëT¨?µéˆ!L (ØkH3’6C@ž¬jh¢3º8€K~z]Ø«_„LvÔ£wlnÛ­¹öÁÒn=jj“ƒÅÚ#›ƒ—âôAÎÒ?TW$ø?•¹AmÙmª´~¦E6.Ó¦·ŽµµžFAE…V£ÔŠœTE>ÆܼÓ\U³ögDˆYS—D4ïA/@qˆ¨är*Tfù-ÝÕ%Rø{ ¥tI6…~P½cD¡Bž9koËÙûs³†á0¤ö**NÙòƒÊk£„ç<÷)Sº‚0\í­ò7ú´:o6ieNÁOôGݨU(FrhD¢¾c:Ný
+Ø‹¯{È5žì-
¡o§/ÁÛ*VNÅä”Wþt™…1ŽûéövñÑô|…òë;U¯ß•MÝEã[ܧ¼œÏÍýf—÷ogðMºÓÉ”è4iÛ
6(4°s«±0r1@ka†}˜íŠ渃›¼9>ã©mrÊêÁCEÑNûvü/êý%Ï|s†Qµ¦òšYèÚøè`]1€Ãj@_5À5–g\°ô Ë²g¸ø÷˜àUÅÐìǹ®ŸÒëêqHv\]ã½Ùª³äç²f½c F›
+hž¯‰Ö"]ÊÖoŒ"¤ß¦º²-!“­µ~`€4J‹ùYiì(-`‚™qE<'ÙÉ.‹­·&È iè»áåk*oŸB'ÇúÉŠSäg>Í¿óXê8‚-±ùVc—&RÁt7"ûe³ç-öã6l 3Åú‚εš+ZJÚGج‡’æ•Ê«´†¤‰^{Á†:«Ÿ=–Ãm2ýÛ¯Ûç‡ü0FLê÷ÐĬ­PZ'„ˆË€°ïà—²ÿ„ìß­endstream
 endobj
 1995 0 obj <<
 /Type /Page
 /Contents 1996 0 R
 /Resources 1994 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1965 0 R
+/Parent 1977 0 R
 >> endobj
 1997 0 obj <<
-/D [1995 0 R /XYZ 85.0394 794.5015 null]
+/D [1995 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1998 0 obj <<
-/D [1995 0 R /XYZ 85.0394 459.5487 null]
+/D [1995 0 R /XYZ 56.6929 684.0716 null]
 >> endobj
 1999 0 obj <<
-/D [1995 0 R /XYZ 85.0394 312.48 null]
+/D [1995 0 R /XYZ 56.6929 572.8605 null]
 >> endobj
 2000 0 obj <<
-/D [1995 0 R /XYZ 85.0394 215.681 null]
+/D [1995 0 R /XYZ 56.6929 509.4701 null]
+>> endobj
+674 0 obj <<
+/D [1995 0 R /XYZ 56.6929 470.2699 null]
 >> endobj
 2001 0 obj <<
-/D [1995 0 R /XYZ 85.0394 149.9497 null]
+/D [1995 0 R /XYZ 56.6929 433.5878 null]
 >> endobj
 2002 0 obj <<
-/D [1995 0 R /XYZ 85.0394 84.2184 null]
+/D [1995 0 R /XYZ 56.6929 401.47 null]
 >> endobj
-1994 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F48 975 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+2003 0 obj <<
+/D [1995 0 R /XYZ 56.6929 335.1577 null]
+>> endobj
+2004 0 obj <<
+/D [1995 0 R /XYZ 56.6929 244.1508 null]
 >> endobj
 2005 0 obj <<
+/D [1995 0 R /XYZ 56.6929 168.8052 null]
+>> endobj
+1994 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2008 0 obj <<
+/Length 2161      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Y]{›8¾Ï¯ðÝâ§c„$$z‡§“Išvã´;;ÄÈ	O1dN&ûë÷è&Nf·½@Wç¼çC™`øO&’#Lc61C>YmNðäÞ}-BxÈ£hÒU{®•AG»:¹@TÈ>ºËªún=·®¶vð]=ÛÁªý„c,øÁ.äe+^«ÆŽ7U¦~°Çe]ÃH AÀAöÀö“™ìadQJ¥“s@5iunNŠ	¸wĘƒÝÁÅ@gê$Ñ—:Qú:RG¨à¥Ö#TˆQ$©G¿ÎuÀ"QV9Ž«•ÖcA<'@ø²_«R‰#îlnÇÚï§3ʈõ6,=éʽ­ÖöÙÜ›…H»µûu™n”æJ{¤Û)‘ÁÝn£ÊÆ®äõ`Hv%«6©W«÷êkM­ô4p0ÎÉH[Åœ‡æ\›´nðšbâNˆ(áÁÓ}¾º·ë«´Ôƒ0¸UvÁ`TifW×fZmFi5õâóƒÇ:ŸyÖÍÀ?_[]æØz`bÚ³ê5m½Ò
+ÕîU¤õcLÄßÁcìÁ´
+g…¼±º6éskc`
+©2b$ô¶%¡ÚäM£²ƒ)â±8’ǃ©+õr0µR&˜’¡Ê8‚º!Äq•^hDe/L0²÷Už—«b—i"Ò8øuyñÚŸŒñôèN•j›6yygç§Kû´”ZUæ™ÕH[Vÿšr€æ¾Ú5V¬¹ÏÝ–ÕC“W¥¾ª,ží²Îœ^§!°Þ§Ê¯Ë»¤§éq D’‹~x´‰û)/
+;ÒA Ÿ«ª|T[ð¬6•}šÁsp »˜–Núa›—†À-|­Õzç¶wGéÔKü}½ÙW’—9EB$	{S©#œòR†SÅh‚&!÷1å’Ò0ESPJ¡¤EÖJ@ëq6Bâ>¶–ZÚ>RšôÓKÝo}Óá¼	«y	YOç/=1	Ó!¬a
+Â:…4¸¹w{Öj•k'€Ó“°	шØažJ$(­˜¡³Vþð ÊL9H†L€¥ñš]z‡‘îBl¶Áó>aUjH@À>¥ì¾0°‡Ô¼ñK¶µcÝü¤už¹Wß´-Ó"ÏR{û¶Çy߆\_;}Ž÷™ªWÛüV
`\Ÿ9=ŒQò"™¹Ðu8|¥ÛèJ½LæVʹ>H!‚ž<<®Ò¨ìú9†Ž."Q_åÅ |oï
â›ÖWu›˜úæ¡+2h:h:Þu.ñ̓۫¯5=l]­ò—½ìgèÜK©#^òRÆK«±ëF!t).ˆVEZørć”Ç‘µR#Ðú)¼È0éc[¶	áE;[lm¨djîŠwίtè ;9^ºñ÷‘ÿ¡@p­Šˆé+ÞêHñ–—2ÞzóA”	ßPêQ‡ÞŠP( ë>Š¬•Ö÷A!úЖªz)S·»»;ÛŒÀÔ C.gë{…Ë«k¸ƒb¢¯T@sÙ»áâ—äÓ—ËÅH’Çh¾Ô
+ÞèühÜîòÂäÁÐã Áò§ž‘]µqI´Ó_›Uý­=²×hC󂙯*ê¯tóѺª6èt8ïBHEx(:Ç2Ž÷Ï=‡È>É´XNUÕ“³\ªÍÌ$¨l1ãÆïyžª]‘õ{¨¼®w*{?r 0 Üׄ Ö€YY×j5Ëêõ¶Ú˜ûw„q0íóíÇlÛ=øp¨éÓ\©¬6
+ÚÏ–+ùwõà]dSà/ÖÑnQk?ë§Åj†Ü­ØMÈ"9MD"Ø\žây"#Fsü!E’HžÌå|~ÎaS­¼–	ggæÜGÇ
ø"Áó˜‘÷Y}v~¹Xã´èØŽ’g¨»-†ÔÞõÿü®4µf·ÏöÙt>·h3ÊÆdÓ•í/ÆZ,=:óyÿ¢„è]š¦ïrýo4Tᘵqa2fW9dÚ¢5G˜’@Ù©)‰‡¤@RHÑÓoÙψ€T#dÿò·Ç†ô9ñImÑÈÿž“ºånI¾_ºuEÀE캚H[7¿Ó8Á+ù°ôûb¤ó“ìfÜÉ<ý+>G|ßý¿ùÇ¥aïR7[[‡
+àÊÎBöÆÆ<Ž6–ÇAÃý!Š<)Àª{o÷÷¶±Þ¯auÆEaØ É”„qðm‘è¼óz,%£-žÚZû»2oK³#T½6í÷0d=§VÞÕ®Ìô[·á£r[äÃ÷¯¼njô†T±\,ì'Éåòóëepœ¿š	”ù—:W膦óÚìKãétÕ¢Þƒóó«S½	bûH²M^Â! †lÈÃ]C­•½•+üŸÒrŸcu1ˆ‰(lÙz‚!	™Â	Ø«è¡—ãTÂL°¿½¾½ºÙ¢’ô¶³YŠ2$ûÅqÙ†!?Î/Ó£Eòõæ§ÏׯÓþ¼lÔ¶ôiiù—òËBª²®¶M¾Û¼ôWˆaý§‹‘6·ÿï¿ìÿÄ¢R†ãý&Å:ûÄă҇#$Bçp÷ç2#ØÿLSX3endstream
+endobj
+2007 0 obj <<
+/Type /Page
+/Contents 2008 0 R
+/Resources 2006 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1977 0 R
+>> endobj
+2009 0 obj <<
+/D [2007 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2010 0 obj <<
+/D [2007 0 R /XYZ 85.0394 463.2352 null]
+>> endobj
+2011 0 obj <<
+/D [2007 0 R /XYZ 85.0394 318.8302 null]
+>> endobj
+2012 0 obj <<
+/D [2007 0 R /XYZ 85.0394 224.0131 null]
+>> endobj
+2013 0 obj <<
+/D [2007 0 R /XYZ 85.0394 159.9229 null]
+>> endobj
+2014 0 obj <<
+/D [2007 0 R /XYZ 85.0394 83.8775 null]
+>> endobj
+2006 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2017 0 obj <<
 /Length 2308      
 /Filter /FlateDecode
 >>
@@ -8860,39 +8913,39 @@ S
 jSgÐ7.ó}Ùâ‹)Fà)ôƒºÊúWùÂÚƒu#në¦)žJË©«ƒôd»v<ûÜŸ±_ëû®¢ÁŠ]kRá¯$a`¯+9ë¶8h
 ‡5Í~>WÐììºW©ï¡CnB»ÛÎÿûŸ¼Ãÿ–QBDšò°ÃñDø8vJé½0NߟýÏï½îynøendstream
 endobj
-2004 0 obj <<
+2016 0 obj <<
 /Type /Page
-/Contents 2005 0 R
-/Resources 2003 0 R
+/Contents 2017 0 R
+/Resources 2015 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1965 0 R
+/Parent 1977 0 R
 >> endobj
-2006 0 obj <<
-/D [2004 0 R /XYZ 56.6929 794.5015 null]
+2018 0 obj <<
+/D [2016 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-670 0 obj <<
-/D [2004 0 R /XYZ 56.6929 769.5949 null]
+678 0 obj <<
+/D [2016 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-2007 0 obj <<
-/D [2004 0 R /XYZ 56.6929 744.3807 null]
+2019 0 obj <<
+/D [2016 0 R /XYZ 56.6929 744.3807 null]
 >> endobj
-2008 0 obj <<
-/D [2004 0 R /XYZ 56.6929 712.2038 null]
+2020 0 obj <<
+/D [2016 0 R /XYZ 56.6929 712.2038 null]
 >> endobj
-2009 0 obj <<
-/D [2004 0 R /XYZ 56.6929 645.6981 null]
+2021 0 obj <<
+/D [2016 0 R /XYZ 56.6929 645.6981 null]
 >> endobj
-2010 0 obj <<
-/D [2004 0 R /XYZ 56.6929 573.1238 null]
+2022 0 obj <<
+/D [2016 0 R /XYZ 56.6929 573.1238 null]
 >> endobj
-2011 0 obj <<
-/D [2004 0 R /XYZ 56.6929 497.5848 null]
+2023 0 obj <<
+/D [2016 0 R /XYZ 56.6929 497.5848 null]
 >> endobj
-2003 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R /F55 1060 0 R >>
+2015 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2014 0 obj <<
+2026 0 obj <<
 /Length 2064      
 /Filter /FlateDecode
 >>
@@ -8908,157 +8961,162 @@ xÚ­YKs
 `„˜öÊjÊ›b¹¬t°$84˜öxÝê¿jGó€%ûRK†ÖiU…ö¶)%“¡êë³À|Çl¨V·£åQ½å:]…fˆ™¦0м
 aM!“bÆicsõg¿Ö
S()p<·£÷g‘ê´¥(_ÃêEÌœÿ³}<ËßÂ}{6œÛ²¨‹¹oDß“ç÷AÄ•¡¡Šÿxvø\žõ¹¾^lúåÒ˜ÇC¥ÕY¥@t¾ŽùÝ@Ôgui 1ô9óƒÃ@ߧ¤ööÝÂî涠GýÀ|n¿™Ò¿Øð›é÷uŽon”»Ý3ôUVc~	ìE¸Ýÿï_aöŸ nT©#ßk)®@á|çœ2‹!1ºÎ©B\Á6{èû_Ð4ƒúendstream
 endobj
-2013 0 obj <<
-/Type /Page
-/Contents 2014 0 R
-/Resources 2012 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
->> endobj
-2015 0 obj <<
-/D [2013 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2016 0 obj <<
-/D [2013 0 R /XYZ 85.0394 634.7354 null]
->> endobj
-2017 0 obj <<
-/D [2013 0 R /XYZ 85.0394 399.1196 null]
->> endobj
-2018 0 obj <<
-/D [2013 0 R /XYZ 85.0394 318.1439 null]
->> endobj
-674 0 obj <<
-/D [2013 0 R /XYZ 85.0394 275.0317 null]
->> endobj
-2019 0 obj <<
-/D [2013 0 R /XYZ 85.0394 236.6315 null]
->> endobj
-2020 0 obj <<
-/D [2013 0 R /XYZ 85.0394 202.7957 null]
->> endobj
-2021 0 obj <<
-/D [2013 0 R /XYZ 85.0394 130.8533 null]
->> endobj
-2012 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F14 757 0 R /F39 917 0 R /F53 1052 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
 2025 0 obj <<
-/Length 2933      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙrÛ8òÝ_¡·¡«"ÏÙ''VbO6v6R¶6s<Ðl³–"5&óõÛnP D)[»å4€ú`ŸåDÀŸœÄI˜ä*Ÿ¤yÆBÆ“åúLL`ïý™dœ©CšúXog¯ßét’‡y¢’ÉâÞ»+E–ÉÉbõ[ð&ŒÃs¸A—7óùìíôÃìëûÙÍùTæYœŸ>Ín.¯ÿu>U±d@"øxqóåâï´öéi¡¼§qÛ–õßKɑ׼:PíÚÃ:à.£X«ø;ŒèÔ¹'
ÆöÝ–n¸ÔB‡bÙÂ	÷=ÖcñëüÃO®a‘üI +F¬ƒ›sçÙ©‹?àÅ6Ä'}ãÅwÛîê°*ˆ$ÄÆLºº~zÏå©[ø\?V4¤a®•«+P,¬2Áÿ®šgó
Ât{˜ÊtDLK²]í;µú†Ñüµ©ÊeÙaFÁùðÃÃyjqk¼ÖV6Ô"ÏœTÅÛü!	…äzŒ.îËA èX³EžžéhœˆÕbÙ÷ÝPŠ­D(ó4Mï9GÊ´8L’Ø5.KíWiQg~OqP3ͦ:Raõétêcϧ=–eµþaB­‹µé^6#5	#‘姙ë±F¸62Ô¹PCöIU%w94Ï5æT…U#2G‹÷,p4ø²»\ª¡ä^¸-×.Ò±k‘ioj¾ö»E(r­‡_®5¥5Gß1Õ_oof´‚žOUn‚r±HÃ(†<°½¾ñ…n—"•Ê%›/,Ù2ûúÐ`@OæŽ
±®nçB³¤`œÝ,®_iwÇl{÷mÛ,KŠE8g÷”‚Ê÷=;Ú#iùË|ö™ºOr¢
-QMö¨&=ÕD:Lð“§=z´án¼]\ù”vj	iÑõ‘ö}$îL¸ÝÁ
-ûÈÑÀ5—T8Pdálls Œüµºw-±C0ûSe´Jãšãä´ãûXÇ¿ÇÚu’>I¨1ò\f§I:¤’¾K$¦PTH~¡RQ"ƶ’Óe±)î*tTZõÓ “.•÷$i¯ ÜÞ5båÍZ¦ÔàãùGj¾Ô®3†ƒnÍuªÊEx~ð¾<ȶ÷òãÚºAꃹm¦l“Tï²õÑÍzÝç’ª¬Í«ÿ¥«¾{qo–ÖêŽ[†H®ãÏé„í0’5·¦“†Jèè$=‡sHoð¦®B™EÙ€ÞÛf½/¹+«²{¡·¾u³2?ŸªùiÑÚŒMµš¶ÝKeúÃþ±,§R¤ÙvUASßО؉ˆ$sÎÉðàc=–e|9þS8µkY–$ú}Æò$̤ŠN3æFèI€¹N‡œ]×+´+«žH;ÈÜ/‘Í(¨þýÏŽ+Ú\6uW”ÔÇ
NQù@a¥bìÇâ›੽žoD=XƒÍ(cÁ5Õx™÷l«ðÓHžxµ%•Zðúføìx²·pu¦âôfàa0‡eÍÀ+1N’ìKŒC’c%Æ€äõý°²²Ê>|ð¯yö1ëõ Ñú©tÅg8ISaø`úT%x}<çf9Ú¹>­Mé¸2Ò®Åßs©º}°GÝWÅÃCÏeIv’'‡sÈ“¯í<¡O‘žæöÉXDœ?˜·¶?,	]<ЦMO>önÓ"*,+>h_7}ä]‡Có¡{bÆNùw›Ú¾k{xuù}È%®©ÔкgÉ^»ïÿ¨„(°m‡áÚkîtQvõÝçÙ?o?ÌÂcÿ7¡ãÿÙa䣈þãÿþŸŠÝÿŽD)”âÙ‘p‰…:NS¨©Ô¡‘ó_òþ	î„—endstream
-endobj
-2024 0 obj <<
 /Type /Page
-/Contents 2025 0 R
-/Resources 2023 0 R
+/Contents 2026 0 R
+/Resources 2024 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
->> endobj
-2026 0 obj <<
-/D [2024 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2034 0 R
 >> endobj
 2027 0 obj <<
-/D [2024 0 R /XYZ 56.6929 751.6082 null]
+/D [2025 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2028 0 obj <<
-/D [2024 0 R /XYZ 56.6929 659.4312 null]
->> endobj
-2023 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2031 0 obj <<
-/Length 3010      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZKsã6¾ûWø6ò®ÅÁƒ ÁÊÉÏÃÉÚ3{ª6•ä@I”ĉtHÊ^å×oÝ€@‰’6Ù9Fãëd~Éà?¿Ô*b2‹/Ó,Žãêrº¾`—˜ûxÁ‰fìˆÆ!Õ÷Oo?Èô2‹²D$—Oó€—Ž˜ÖüòiöËèæË—÷·wÿºÅFßGWcÅØèþæáëÍ?pìËU&F7ß?^y¦UDÊ%ltûðøøþÝøÇ÷?|ÿpõÛÓX¡èœI#Óï¿üÆ.gp‚.X$Ûå+|°ˆg™¸\_ÄJF*–Ò¬./þé³vé*b¥#%âär,ãH'ÀcPa,b
-0NU%RH¯0Á‡樌ÂÆsз”
-(9dœ‚d–dQTE“wu³¯®à` y¸ípŽh@8n©TÄ“Dö¥»›_¥ˆeµÀï›Ûr~ÅõèWÆD#ŸŠÕjWøñ­Ø^qÎG×ð‹Ñ¦%¢nY¶=¾p´4HÀÆjU¿3$xÉW›‚ˆóÆlF<UD¨h5HZ27	0ƒ.3¥„=NU±dÁ¶ö¥ÉFís1-íafFdkŽߪúµÂîsS®ìέ<õÿôá%3ì½–«ö&´T0CòrNüê¶-'«â;øLÙ¨î–EóZ¶D_ö8¬ŽY1Ï7«
ÊHoZ˜á2e*Òp¬3à
¨N€×QYð.÷·ãŒãøÌ–Žh`Ë’YÅBímù¥)«ŽNœcÓ.ë†tÑnÖë¼ÙâG=ÇÖ(ž»²®Übƒ۱׸جϸ«Ñ({q)Yå¬jÛb:Œšˆ<”>Ià¾ÀîúèÝ$).ÕÉé»	©Žß§²wóãc—§2w‚²)¦`ÛC¿"À%&Éiá<Õ€t}Ï’F2Õ}é¯kw; Žµo	¡]aûº,§Ë=rã\lÇìªhÃË,ü5ÚvB߯MÙuEuü.Àid*ÉÎÜE@uâ.•½‹oÇìää–ÞN·²“Þ–·Å3©3ïŠY_óüŸ¾ÐFÆOØBìµ.û¸ŽxTg|IHuBGŽÊêèy8êL¹@øÜÔ]=­Wxã(U*>-œ§®‡W°óT&i_<¬ä"P
-
-¬ÿG‘ì”V89·Á%$§ cŒ»àhâ°y:ÎÃ#ø¬6ëIÑàФè^‹¢Â	FdàØl”pŽŒ¥ýÐ!”‰”’2»£<ˆ&ða£	´Ò4Ƹôz<¹Ï&Ha×…/ürÑZ8˜AŒö¦zÚp¤À«²E¨1*lmT5ˆªŠÖÐùöbbéJ»™N‹¶­›ö(ˆU""Høi‡TÇAì©,ˆ›C>¥¥
ˆ_¯gÅË!ˆMªÉÅiá<Õ€t}§žž	ÕïÑ'8RŒ8™µõÆ^Å´À	ãL‹âV O¸û8Q˜îVåó.34Œ¶p‰kœšÕnŸªîpšÐýRÎhyŽ
-‹CÕJ“‹f™ý[ÐÖ[i¥±Öîêy ÓÀdê"6Z$Àí÷M	Hµ 4vìËia2>©è\v”¬Â,é©Ç`ŽD;õàxÙzãžÔîÍTÏ›.:¬´ÙÂÇÞq C„*Dšd>D~Û¿ÕØÝU¹ÍUaïwh¦Ë¼É§u#@‡ Ê[«D^W]^VtÉÒ)ÜÎÍòŽ˜špkÚ	íNÉ.Œ”€"ŸõE9Û'Å“2Vm™¯ðýì¡.9W‘‚¼„tI·0P%E’s‡°²š•&Nú”$ï|’Ü#ÆP¸GŸwnV³~ŠaÎ|ÔíÄYÅüLªw:ŽÈúœv(p²HHîœNÛ5Eµè–‡>GF,>§$óD‡¢õæŽX*²žl{‡9h2#’uýV,;â‚'c‘€:–qB¨æRÒF96>X²0XÂ#2[?B‡+ã¸§Ž¸€lª‡Î馡»åŸËœ`SQº9+̉+—u=oˆ’E?Øz)*Ž Œ< BªXqT,OC`Qµ³ó@M·}. "e$ÏŠæ©dë”+„ë£EøÜ	ü¬ÕyÏûÑiíý¬Ð#+;.®±¥g‡ŒR²íV‡¾D@ðé’­Æ;Ý­7m‡¬'´EQb²dúpé&¿¶râk ŒA¸²]>™$˜É Qƒ›TA똊,†:ÉÀÛŒnZë¬M7÷t€8Z-j¨…–ëkòØÇ”ÚiN|&´uýR4M9›9þ¶´‚ÍÖ='Ž79wõÅÆÿµì¨‚{¼ûh²J†	¥[œ‚Be%Ùm‘NFö«hÈÉîª?Å>Ýß¼ÿ
-Úøö“áOõNM°ñþݽ™à‹@¿Z<[I- 	aê´q†TÇÓSYãì³G.”Ka-“Ç«âÓryªÁz–)ÀÛ+¨~z’ÝR¸"rq¼^Auän†4-.D$u¬÷µ'‰H"ÎTÏ°„ H[×ÕÞÖ7_Ÿ>½ûüðÁ¼/_ãÐÃçƒANƒDáÌ'íù–^rz‚1»é@.åKv¼ Õ´Ù>S2cØG¼ÐQÆô9ÄT'ï¨,â_ξ~¯Š—â°âpˆœóIÉ<Õ€hýhÄ#¡’¾hC/TÅd³Xxçd%‹üK¡W<$ê1lÌÍÓ˜4ÏГ¡§»û»òbŸ¿<Ý}~x€=\¡ˆ!$ oÉèRE>9ÅüÚÿ¦'žÖ&Úfʦ)U1¦®om“Y˜üþÝßßÞâŒu”Áè§O÷÷Nš*ÏLz>{¥;ŒL
-ÐD;„:rõ:±¡š7ƒ»§V£7ã7™€£É„L[AQBÇÂÇÆ&­û«Ã¼-:d·{ˆ7³(3tœvPd3S®“A¨= ,m7Óå)æ;Éæµû]Â|M¶D]CñØÔ%°zWpµ8ñfk4 …½YûÞ«ïÍ\«1 _º‘n‰)¬vÌÓžÈf¢¤M¦õŠ,´ņÝyÓ³5vK÷Éñ7ןåÛv'ÂÀ%Cíc¹0“ž!{ëJ0‰íw\w¿eØÔwï÷ŠtabÜB>WÍŽ?Ý&ÀF!>tE!ÕqW䩬+úröý|dñ¶ž[Eï;¤DD‰>'Ÿ§°ç’4J’Lõ%$”9¤3+Ù,&Û=•ÃdŽ#øP®3ÊÉÿgIaüy3Y•íÒÞD0í7ù@nÌ2Ø›¹}3ÀiëWHˆë `s›ÚÀªÒ(Rí{ˆÕª_7—Õtµ™íƒÁ{Þ?0Ú›®úÞñ°KûEx?Ôµå¢r(<
--“0‘yþ©ŽCËSYhÝœý)æ²b(©¸>-ž§¯¬
-/ÉûÒã¶rÏ_ÐAd™žA–T±CVÊbËtJ·¾ÆvB¹q	æÑ”ˆØ™¹½€4àL?¢"O„A§|ïù· ÿãÞ‚üÜ_…	‡”\É3(Ù	YŒü4ŒƸøo@"£4à8¤9”­¥)̆Â>´{‘ÑÌáC£ç1­ÃGH…·¨éYF£¦Í=O®¸ý%º=^êo$)xí¼ŒÛðÚoqÀž;h¶‰Ž4ª}üʘÌ’6Œ_Nóìxwàdþ´£ò0;äñ—¦Í&gÞ„¢?â‘Þ×ÿ‡s:%ÛÎ77èšBé(æ%”í˜Å<èÙ˜­‹y;ª”¢^‚É©±ÐâMåãž¹ôÄû&dcƒífÒœTì$ð¼éj¡WÕƒ¾	±ª«EÑüi]ïE<—@­ómˆÛuîVpñ¿‘#åsÝ–öÇõáç
W ©ÈüUÔÀM2_ãüÏ|µû#³8é#¿ÅJ›wBî„2ÚäBî‹®¤Ž”é€ìÿ*Sf–endstream
-endobj
-2030 0 obj <<
-/Type /Page
-/Contents 2031 0 R
-/Resources 2029 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
->> endobj
-2032 0 obj <<
-/D [2030 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2033 0 obj <<
-/D [2030 0 R /XYZ 85.0394 286.4453 null]
+/D [2025 0 R /XYZ 85.0394 634.7354 null]
 >> endobj
 2029 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R >>
+/D [2025 0 R /XYZ 85.0394 399.1196 null]
+>> endobj
+2030 0 obj <<
+/D [2025 0 R /XYZ 85.0394 318.1439 null]
+>> endobj
+682 0 obj <<
+/D [2025 0 R /XYZ 85.0394 275.0317 null]
+>> endobj
+2031 0 obj <<
+/D [2025 0 R /XYZ 85.0394 236.6315 null]
+>> endobj
+2032 0 obj <<
+/D [2025 0 R /XYZ 85.0394 202.7957 null]
+>> endobj
+2033 0 obj <<
+/D [2025 0 R /XYZ 85.0394 130.8533 null]
+>> endobj
+2024 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2036 0 obj <<
-/Length 2104      
+2037 0 obj <<
+/Length 3049      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XM{â8¾çWp؃yºQëÃ’åÙIèžL:Io wgvzˆàgÀÎ`;ö×o•%æ#9`—Ë¥Ò[¥·ªÌzþYO*¢b÷¢8$’2Ù›®.hïž}º`Ngà•m­ËÉŇ"êÅ$V\õ&ó–-M¨Ö¬7™ý\Eú`×÷ãñèjð8ú÷Ãí¨?`q†ÁðË—ÑýõÍý—”A•ÒànxÿuøÙʾôc?Æý_&?\Œ&[m×èÓo?ÿB{3ØÁ”ˆXËÞÜP‹ñÞê"”‚ÈP/Y^Œ/þÕl=­_í‚"”šH*E-uÔ
#c …”¨ë0κóZØà7úᣔ-M†[ŒÀ8jÌ’Ò|Èçó”û˜0¡ˆ”"ìµ>p¯ÑêðOì¬Ê¨E»ŽMYô‚‹ \¼àµGV”gö÷m‘Nö¡ÓÁ¯fc/ÒÂ=Éíý“S˜™¥)Í“€ë`8/ÍÚ›HJ§+½‡ËØåÁ4Év
®ûLf€(AP`cBâö‰¥äõfVù«™A¢iÌkí|…wÎk×ÖQb½äEZæëMŸ1€§!ÕÁýÃdôÕ¾5›Âª'Vߊ³¼´Òiµ¶ò¬\nì3·k{“Te¾JÊtš,—›‚,ÖàJZاß(åféTAˆû¢~Cö¼¥ÙtYÍjspxæùÚ^¤\¢áŒí7“ås¾NËÅê(¼Rs¢T|&ÛZÇám´ÎÁ{rÑÞƒE;áÝYô—ND¤ÕÙLܲ€q‡ý•´)y^ÖtBF:Xy #Â5PÑ€ië8üCìQx)öÎMmd“š …ƒò
û!ë²·4Ö})ƒ7«UÀãSX•§¤Àš‡ÒºQÙgAÝ"Àuí¼W°ÜFº¸Z	QÎŽp5A¸·F‰cí2ò4‡M³}È_ª§¥Oi´ç+«Á‡N1¬«G]‚½b÷uè%8ã¦úu»ãÞßñ‡ØJÃ!@ZñÈGÕVôÉÂty	•–G~±#H-ÆŠÆNɆbBUË;¼Kð'‰ÁÞCÇ`/lŠLs_çPæšC4R÷pQ÷`šµ;H!ò–}ü/ÏÜòmW0ñg©[©îÒÐ|ê²okä7÷®Ááüj½W—¯>½ùš
-@cûÔœ¢ºy;-$˜ïbND¬rê}x¡WnÁ¶ÈqP¼˜©­ýVÏ5˜¶àЭ~¬w
òüé5Í+÷:œé
-^ßØGîÔyVP%\¿êÍyf¹qïc3\ôɵÚëÈÉ«i÷Ë6û'®·y1ëUZÀÿ{8Zâ¹Ì!H@†D@óx&G#¨îM»Ö}$± Mz:"R6çxPˆäv>‘Ú¶MöYÝqáE±Y­LY—@¼5Ùt½y±e_kélBK»pÖäû»á•KOäÆe¼÷ݵtìí}æÉ!¯ž'x«ØÃ>n
æ·
-t–ǦêǹÑû/ŸGçǃ	ŽØfѶ‡ÉjÚ7VžØŸHéÁSÝ©
-\‡Vj½¾½n DÉF°Ô,8Ní¸3<Š¡‹§ù=Á‰‚À`Ñ5{Hámud¬içÛ<_.ó7ÛcÃ’`beQ…goyUy rêì•™}×á ¢ˆæ Û¡’ÝÚ
‰ý­!¨Oör§ù߇û‘½:½Åúªc¾Ý
ÜøÝH7R¹9œ3š8œ¨º¶¼·ìmËIòŽRñŽ+¦èyoêr!=aÑÐo÷}G‹…ÐÒöÇÏ8ÞÖÞÖ¦^ÑØ=%r#e±'«#{<ÂaL³ÐZ$1¨Ø1mŠq³€%ãä¼ÿµdoñ½‡â£Ê—¢îïÒŒG®\?Îó€D‘>gXαxk¬¯.„"nwΚ@è½S—7÷îƒD윭Ò,…ŒLJßø>š¹qßk¦.)ï’¬‚¢Ô:ÌåJ©æÀ:œn
-ùãÇ+k†ù¸Ã^Õ#ð§ÍéPþusá¾9HzqÖ\w€E,‰Y´àá×É÷ç#{û:3Ž/Æ›š'×½^A³‘¯Ë´Zm×…Ú*_RBèãc7¢_u™¹\Y›×üWãû¡§nH½‡¢Û1£Š`;)gó¢6e&Î#ç«wºa2ûÑÛ¥Û“ÿjâ§WÇ…öù¶–\…$ø‘ºc‚¤
úû[øv#"´æÝ_ˆy$‘ç”w
-á>ãÀu†ðAt}ÿ?{†&endstream
+xÚ¥ËrÛ8òî¯Ðmè*‹ÁƒÏÙ“+±'')[›yh	¶YK‘“ŠÇùúíF7(P¢”­ÝÒ
°n4ú	HNüä$NÂ$Wù$Í£02ž,×gbòßÞIÆ™:¤©õzqöê­N'y˜'*™,î½µ²Pd™œ,V¿¯Ã8<‡Dpu;ŸÏÞLßϾ¾›ÝžOežÅypùéÓìöêæ_çS@T!‚—·_.ÿNcŸÎs\¾›ÍÏÿXür6[ôlù¬K¡‘§?Ï~ûCLV°ƒ_ÎD¨Âä:"”y®&ë³(ÖaiíFª³ùÙ?ú½¯vê¨(¤•NÔˆ,”œHæq¬ˆó0ÑJ[a\Íæo>ß|ZÜ|¼ÅÝØ9;ù‰	l8ÌR¡,òªn[³œþÛ¼<˜šÑµ‡žŠ0Nc˜…È€bžŠÎ´çSè&1tß<@â'øw‹¹YnŸÎe˜þ;Ëê<}e~BÕfEݲ¦öó[^IÅ:æõjï[$tšDypÓá@hÄó´°¾,pÑ4Šªmr»¡o&x30´mùÛsÙ=´˜ß¼#w·8ÏEðTÔm±ìʆ	Ìˇºè¶ç2 ·¸a¦ÝRëïº%Ϥ= ²(E"	/Ðh»;áöEš?Êjô{óB„±ƒ„±õc·d\K•köd²0NbKeñhH7"_•dª4ËY9êbmFH%a,•d¤æ%2è`A€Ø	(‘ÅDíÆ,KäÒ€W4f÷äÏZ6ëµUìTem@t¤ƒ·(.œáôI´F°‘‘ÁzÛvÝòqo}»ÃV§¢8Ls9Ô)B±}oj†¬î ðüXÚUìÑh¯(w>Ž;SÖ:e\…½Ízv§¡ÓP©˜Žã£5îC_%ÃTÊd’ˆ(T™HøBšúXεºÙéNbØð´@„ ÎEÕCóæ²Þgt€:É]5ž¯UÔ
+ÎyÈÞÜTfÙ¡l3ÍRÏ¢`ùô²éš‡§bGBßz&Am")Xm·W›L÷j×ÒÁ·¢Úò²¤{¡EŠøÆÞPÀJ:ã±êHŠ&’P'"šùRq@Š†’ˆ‚ÏóËWè,”´ùõ¥äÞÕüò‚oaSzøÑîæÛO€&IB£{eŽ”2àuHîHíö{ˆ-ÇØ^]S‹Žêª¼G—HÖmG¯MU%sLˆ¢(¸þpùfJ[ê»Ì·ßW*Ú‰“‹1–Üwá´5g£îø'ô àçZ6V»E¶ÓÂ…0ì,‡RÖ­©Û²+¿™1§ysO¾¨n¨%m8G7³¦‘CŸ·²ŽÊJš}!>—UEUh!F±¼{¡‘•¹/¶UÇmëÊ´L¦õâ:Ï’ç)kâT(«„,$ѽßp˜é· iSRaÈ0KT¶©Üþ¼Èã¹É\}ue4Ú·u™Ôò¾é:S¬ÆNà¶Áè®Òð	:̤–C—€FŒÄµà8†áV¯¨ÙÙb.8=Gˆ3·œ}m»gcý%t¬"@†„¹ŒALoŠð#‡¢Qr#zj‰Cѱ#©R”1q‰Dž0"GÙ+€1&xWvÁ‘…iWðÂY …Šv>"@­ùJ×JðTc{±É˜\1ƒCßÂ\ƽì=?¼ã:®Ú¨Ù5×±üx]1U*ãÔR/¥Ò`ÕØðcuÓ1`¬ÓÈ:_@ºãù^¥òžÚmK)6€¯Kñ‘ǼLPíÚÃ:à.#«øÆÔƒ-]£*‡Z(-[ØáÂÓ*c,~¿ÿÉUŒ’ORbÄ:X9wÆ™Zø=.lý|²+6Ñ–·‡‰A$Á=fÒeöSW	¹á)ÃòcyCæZ¹Ô·…y&˜ßuól¾·‚rÙŽèÀ´$ÕÕ¾ÿ°]+ohÍ_›ª\–†ìæS­ŽŸÆÓëP‹ûL…‰·s¢
+
_6íQMzª‰t˜`'O{ôø*ŠWü¸¸ö)íÄÒ «$ì+I$Ü;èpŃUV’£e€+/)o ÏÂÁØÆ@hù´ýÛ'bgp³t*—VqJôÓ'
ßÇ:nø=Ö®˜ôIBŠ‘ç2;MÒ!ôM"0…œr@òU‘Š	T1¶šœ.‹MqW¡¡Ò¨^™d©¼;a»áö¦+?gÖ2¥çÓÅ"@}qݘ+V•óð|)0àNö¶wuíJ»A胾­¨l¥Tï]4î®G¡ƒ×£ÿKa}÷â.­Ö×LâôaÃÇ:¡=ËjÏ›íIC%ttš¤C!9xÙP¡Ì¢lHòM³Þ€­Ü•UÙ½ÐߺY™Ÿ‡/|Åh5Ú¦ZMÛî¥2ýÅai–SBÒl;7Å®ª ¼ï
+(Ô,GD¼fbýåÍáÃNe(PFâ¿z¸±·0Iší¹y:p-ñÕaYmW†:\¶%ÈüO--ÉWü´#+z-‘üdáÏsû¡á¶khòŠúü€²››§ò/—ø"Ó6äy
Å6DYY¹]”6Ãâè-Ù…N‡yZF Ð>«óš¢ãf{VÅ›ÄA$„GAºìɱO¦[²·×"ÁÇ^œ/˜€z/_.Û~‚ Ÿñ‘}Á|VÆÊ8cíø®4ે,ºÙG¸JîõÍíÕßNå’JĘ~E.™|óÃdrçØÀõl7~ÝjÝ%)ÐYõÒ•ÊDë¸è±,ãËñ'	H¹]Წ Üï3–'a&Utš1‡4ÂØ@N6ëtÈÙM½B½²â‰´SŒÈ½LD6®  ú›@Û®è㲩»¢¤jn0‹’Zp+c?ßÌOíUF¸"ÊÁ*lFqƨ´Æżû[…×ÑÞc×àú–DjÁ›ÛáäÉ
+CBê™æÉB…uB
–Us,Ñ8I²O4IŽ%’7÷ÃüʽäîQÕÞh½„[?4¬x‡jJLð!¯GÞ"]šÈÓÒôŽÓ!í
+ý=“Ê¡æ×	[Ô}U<¨~–d'yr8‡<ùÒÎãª9àinoEÄñ€zkûÀ$tñ@mxò±w-¢ÂD°â‰öŠÓGÞÕ9Ôš'Fì”oŠðkSÛ+nï¡.¿¹¢À5•
+ø,FäÁã^£XÀî½xî®uö]–÷yöÏïg᱿¯è8ÄÿœŒŠèo;þ￶ìþÂ¥¡Î25~¾*Áêf¦PR©C%ç?Áòþá~éÞendstream
 endobj
-2035 0 obj <<
+2036 0 obj <<
 /Type /Page
-/Contents 2036 0 R
-/Resources 2034 0 R
+/Contents 2037 0 R
+/Resources 2035 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
->> endobj
-2037 0 obj <<
-/D [2035 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2034 0 R
 >> endobj
 2038 0 obj <<
-/D [2035 0 R /XYZ 56.6929 670.3677 null]
+/D [2036 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2039 0 obj <<
-/D [2035 0 R /XYZ 56.6929 412.6159 null]
+/D [2036 0 R /XYZ 56.6929 752.112 null]
 >> endobj
 2040 0 obj <<
-/D [2035 0 R /XYZ 56.6929 259.474 null]
+/D [2036 0 R /XYZ 56.6929 634.5858 null]
 >> endobj
-2041 0 obj <<
-/D [2035 0 R /XYZ 56.6929 194.3348 null]
->> endobj
-678 0 obj <<
-/D [2035 0 R /XYZ 56.6929 153.9195 null]
->> endobj
-2042 0 obj <<
-/D [2035 0 R /XYZ 56.6929 120.2616 null]
->> endobj
-2043 0 obj <<
-/D [2035 0 R /XYZ 56.6929 84.0523 null]
->> endobj
-2034 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F14 757 0 R /F48 975 0 R /F39 917 0 R >>
+2035 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+2043 0 obj <<
+/Length 2972      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wã¶~÷¯ð›åvÅÅ… ÁÓ'gíÝuR_;§ÍIó@Ių©”ç×w€P DIM»ûƒonù9ƒÿü\«ˆÉ,>O³8RŒ«óéꌿÀÜ—3N4cO4©¾{>ûøY¦çY”%"9ž¼tÄ´æçϳ_FW7÷×·ÿºÅFßE—cÅØèîêþ§«¿ãØãe&FW_nž.Ç<Ó*"eÉ6º¾zºù4þáæç/7÷—¿>vó܉ŠÎ™´2ývö˯ì|'øþŒE¸¿Á‹x–‰óÕY¬d¤b)ýÈòìéìÃ`Ö-RE¬t¤Dœœ8N¹V‹˜ŒÓ˜ƒ(œS˜àC
+óTVaã{П•
+(9dœ‚dŽäÅ”¦ÎÛªÞU	Wp0<ÜvO8O4 œ·T*âI"ûÒÝÎ/ÇRÄ^„¢|Áï›ëb~Éõèߌ	ƒ#_Ír¹ÊKüøfÞ/9ç£ð‹Ñ¦!¢vQ4=¾p´4YHÀÆrY½™¼æË!⼶›Ac%*Z
ƒ–ìÍEBÀ)Æ ËL)áŽSV@,Y°­ûDi²Q³6ÓÂffE°æHð­¬ÞJì®ëbe°;wòT+\üãçO8,”Ì°÷V,—Ø›ÐPÁÉ‹9ñ«š¦˜,Íßà3e£ª]˜ú­hˆ¾Üq˜?ZÙÌÌóͲEƒ²ÒÛVD{&C¸Lt©Dèãà
©ƒ·£rà]ìn	ÆÇñ‰-=ÑÀ–!$³,Š…ÚÙò±.Ê–NœcÓ,ªštÑlV«¼~ÇjŽ­U"¬Û¢*ýb‹×q×ø²Y™Žq[¡Qö4 â %R²ÊYÙ4f:Œšˆ<”>Ià¾Àîúðݨ$bL¥'î& :r7žÊÝÍCŽ\žÊü	ŠÚLÁÞ÷ýŠ—˜$Dž먤ë{–4’©îK÷d:]ûÛqœ}£HíÛ·E1]ì[çâ:Ö`—¦	/Ót×èÚ	}¿ÕEÛšòð]ÀÔɉ»¨ŽÜ…§rwñí Ûrk'{[ÚI¸åµY“:óÖÌúêœç¯Öõ…62~Æb¯sÙu¤@(ñø¸ŽBªÃ:ꨜŽÖÃPgÊÂu]µÕ´Zîá5Ž£T©ø¸pÕ€t=¼‚§2Iûâ!`%ÏRØPàü?Šä¦\´Âɹ.!9`ÜG·€Íóa®ž0Ág¹YMLCÓ¾Sâ#2pl.J8GÆÒ~èÊFJ	I™ÛQDøpÑZik\ŠaZ=á܃
RØõá¿|´^v£½í…ž61¸bY4U+F‰­‹ª¶QUÑ:ëÇöÂ;”f3š¦©êæ0ˆc&s
+Ã[¢#&"‡àzÁY”hé£@
²W«™yÝG°Í3!½<&YG´/Zßß‚“gBõd{êR&Æ	–LŒšjã.ajpÂzÛ¢¬%hn=Næ‚Û•@¹Þæ„–Ñ;\ß
+§f•ß§¬Zœ&\¿3Zž£¶âP­Òf¡™ðÿTõуYGi¬uÿÒQÈèØg2õ±m€öÛ¦Œ:øY‹öÅÔØ\O*:—%{°Kz걘#ÑV=8^4YO*„õŒfÊõ¦†+U¤ÓCàØ9ä†à‹¤MãÃã7ý[ýÝÈQ™»,†ð>1e‡fºÈë|Ú:t¨¢¬±Å€JäUÙæEI—,½ÂÝÜ,o‰©
´¶Ðî”æÂHQ(òY_”ãY­uOÜ»'kÏöù?ÐÃîë’s)ÈHH—t³UB9$9÷+ÊYa#d—Œäm—^÷ˆÑî±Ë87ËY?¹°g>èpb¸>Ƹ<îqBªÃ.§£r>§Šš,’{§Ó´µ)_ÚžϑËxr\¸Žj@º~ÔÔKEÖoÇí0Pf¥r®ßIæF|ðdŒ€PÁ2NÃ\
+Ú(Ǧ–,–ðÁˆÌÕÐáʺ.ƒð©#.’¬Ñ馦Û%埋œÀSRº93öĥϺ֛¢¤é§`SãEò(ÖÙ	¸l‰Ž …ˆXž‡À"¢
+gï„êö}mö "e$OÉÕíÖ
+èUîJÖljè²&ð³NÛ=/ÜN«ÎÏ
+=r‚ãâ
+[zpÈ(ÙnµïKXÅÉžJöc½âV›¦EÖÚ˜&Ù>\·Í¬œøŽøbP!îÀk›~E&Éf2HÑàÃ¥SÐz¦"‹¡B²À¶£›Æ9kÛÍ;:À
-_*¨‚«ä±7ž)µÓœøLhëêÕÔu1›yþ®¨‚íÖiØÜWù·¢¥Úíéö‹Í'¦’~±Ž†k"Ñ]uNÖõ‹hÈ‹îË>žÞ]}ÿ…*Ú÷ú«eO…NE¨éÜ»,Á§€~™x²ötG1ÏNÔ‡!Õa»ì¨œa¶ƒ™#Êg0ƒVÉ­ËUñq¹:ªÁzv)ÀÑ+({z’ÝñQøê’p¼]Aäv†µ,.D$u¬wµ#‰H"ÎTÏ®„ @[WåÎÖW?=ýôpÿÙ>,À¡û‡½ANƒDá­'ðÇv«û¿Ö•<‰/–’°XJ¨XJzDÛ!ÛSä«æ¦&b7Ûz–ù¤Xí{6ßÀ|Ù:åÓÎnYá%§·+s›¤RÝ+É–wtSNë÷5å2–íaÄ3	LÀÇPA¼§rˆ=ùì½4¯f¿Ôpˆ|óQÉ:ªÑú±ˆGB%}цž¦ÌdóòÒ9''YÔ=vÀ<=†¹}“)œ%CŽÏ·w·÷äÅŸoîŸ`W(T”‰XáY]ªÈ'§˜_Ûó;=î4.ѶS.±H©Š±ð}+—ÌÂäÏðïîîúgœ§F¿~½»{zŠpÒVyv²ã³S´ÃÈÄ€*š!Ø‘«·«°¹øë…í$´'Œ/,†5Ç€“’
ÁLQBQBÇÂgˆ&s:]å~o˜7†oŸà{g÷ÚéDn‹•±u…NFŸ½(PÚ¼š²c0N$áÞäíL³™.Žï[4ñÏÿtM¬Õñ”ü8(&4›îç“ßÝ]ÃäxÏ‘Ó‘ˆG«
+»rtñÖõf]oá{îLvõªðC-fÜ;+Ix
+Nª‡vZ­ ´A¹SDŒ¾›¼&¡l¬Ýfµ'Ç{Ò#™(ìˆx¼°9›û˜åïS1ÜòK	AÜL,M¾ÆžÛÌn¢[Aݹ ¦ýÝÝP·;°]À
+rþo~û@Kïûvм*JЊ£Ã%HA¢Ú`þ]=bkÕ^*8Z,Ûþ/ÁØý1"¼Œàgœà2‚z¡d·œ~Ñâ	DVÆNüŒRvÔ•sÔ'Ÿe!‚˜ÕÜe×]«DŸ’¯£°ç®“4J’Lõ%$yÝêÌI„C.Ç˶¿ ÀdŽ#øûÎ(¦è˜QžãëÍdY4wÁt·É`ض…ôþjîTpÚ9]âCPÇúM]Ú¡Ò(RíºÏå²ÿ¨P”Óåf¶†C o±<ò¶<ÜËÛîE?hÀ‰u{Z<‹R­O¼–†TG å©´®NþBuY1T›\¯£¯¬ŠRÉûÒ›¿òoƒJ²lÏ"KªØ#«Gå°e;…__a;!‚Ü:û[(GOB&@~/ Í8ÓoËÈ!GÐ)ïCª î7Ïusÿ#LÒR®äD¦ùû"rùq#Œqñ߀DFiÀq"H³/[ :JSpy¡p„íª4óøÐèylëñRá-jz­Ò¨i{Ïþ»o^«o$)xí½Œß@s±Çž{h¶‰Ž4Tñ}@|’ùËK‡’&Œx^çn÷œÌŸvTÌöyüYàu•tdÿŠgànY—šÿß,´ý£¨{­Å0L$‹íã÷BYíBa½+º’:RZ¤²ÿ\®žendstream
+endobj
+2042 0 obj <<
+/Type /Page
+/Contents 2043 0 R
+/Resources 2041 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2034 0 R
+>> endobj
+2044 0 obj <<
+/D [2042 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2045 0 obj <<
+/D [2042 0 R /XYZ 85.0394 259.0654 null]
+>> endobj
+2041 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2048 0 obj <<
+/Length 2246      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YM{Û¸¾ûWèЃüd…àƒÁíɱ•¬×±ÚJ»íf´Y|V"½"i¯úë;À)QRÚÚ’ÃÁÌ`æÅ|Pl@áŸ
¤"*áÉ N"")“ƒéꌞáݧ3æyFiÔæú09{ÿQă„$Š«ÁdÞ’¥	Õš
&³_‡ˆ"ç ¯îÇ—£‡ñßïoÆç#–$Q4¼øòe|wuýËùˆK
+ÌÀJéðöâîëÅg¤}9OøðâÓøñü·ÉÏgãIcVÛtF…µé³_£ƒìàç3JD¢åà
(e|°:‹¤ 2"P–ggk¶Þº¥}®ˆ¤&’G
+œÂ‰¦¼ß_ŒÄŒO1°1Ùú‹³>.ë¯ÑW»Ï÷¥lq20L& ÜrÌÒʼ/æóÒT».aBJ¥´ï™×põØ'ÚZ#J­â®¦*!2J«…ÁkÞ9^ßÙtÑኇ¿›
R²°¾Àë“_\ç/õÓ2+f8
+Ð1¯Ì:ˆI«­¶à6æ[ÙoÙr‰wya½ÁHˆÐ±Ý6#‰”ÜmbYäÏN2Ì©‡k–O—õÌÌÂ^QÜü»ÈZ»¢®<“¿®Ò
ެϙšUVïIACΗ¢Ìªb½9gŒ
ÉÂ=ŽÀ÷DK[›ë0Ø.¶«>°ÙãؤÑqó®ûº`cØâ®6ÁzPpîÁfIlöêÁf_z.~¶7Yéßøüäffi*4ÉuŠ°@s,4±=¹|8Mó®@è¨]"äèVÅ«C—ùã.Vö)ÀX{é–Ò‹ŽQDõðî~2þ¹o̦Döù‘œR§õéyµÜà;¿k|HëªX¥U6M—ËÍ_–ØcæN'¼ýF)7KÏ
+D»/6„¹½{bæÅ:€n­à"O—Hz©×°SâSšï.™×UÝìžgæÕ,‹—˜N¢æÆ—óÁˆG$¡š :DÅR;{>ïƶ^LÆW(èfüÏG/ 6Š"†0ûÇÂäš-OcR…£—¥™Ž FÏ
w[¦JH	Ï<-V/ÖÕvÇq2,ëéÔ”å¼O»hÚL¢cL ü³ÎòÊó¦H*+ =#©˜#
ë`4!ê, cÃ1÷FÜäðGÞ¥iú.³=FC©Ž8¸¸Œâ­‡ãˆkÂ¥P] —D1çYÔÕK]Ù¬Íèp‚²HhîŸgÐÌ"kêàÔf§mDìgÌl©—
+a0ëÔâ­ÔŠDà¡£MM‹É¥%ÀÄÖ?1T>¡¶’ìö¿QïjŒAÓü¨ÆÀ³§±C
yÐÖÚ¶FÇžàqà ÌÇ.øzßqyº2‡]¤ ¡¡ZœðQ‹ëˆ“×I/SºuÓ®Ò~?µ•ÔûüDäBrT^¯Ì:›vê2^J€k¨î¶W¦ËçbU‹Õa÷JJd,OôÕm®#î
\'Ý{LéÖ½»JûÝÛVz(‹ND¬ÕI$nÏh¾¾QI›"P•K„@d¤'dL¸†$4b1ÔW®¿+/Ç%Á¸)F6u©YˆhX½ÙÎ@HWð–¦´_Jh$«2ØãS"ËSZÚjg©®ùRuΆ®9€{g|`À¬Fú²´$¦œÈÒĺk T$aq·O€h–ïºÜuÒÓ­ûCÍñÕwß(fëáA“`g¯¶ïÚ7‹EŒáqS÷úÍñë;ö¬1¤»Q,LŸ•Pcy”ð¤ÅDÑ0.aX!&Tµ¬³O©½Äv.Ågèð!2-B…³4ßZ!®óƒ×ùhÖw Š–|å¼k›b?˼&ןYQö(Ø·}[!¹¾ó­eçWkÕEÁåç¯WãPMÁѶqjN‘kÛNº’$Yè_ŽD¤ré]÷B—ÜroÔJŽ£òÅL±ê#Ÿo-KÛ|CŸúÑíèÅÓkVÔ~9œé–oð•?µe‘»ª„ïTƒ¸`¬0~½mƒÃ }r­vzñEújÚ]IJýSßÕ¼˜õ*+KÈÿ;~ŒñÓFAêqdD´'05Zÿ‘„ˆ(Ú´ŸÇ#"e“á|/Är;ˆXm&|çz-{SnV+S¹hM>]o^°ìÙeM ½Lhf^º§üt{qéáióã2éºûöJúì}3õóâHÞjÆ„½ì¯Ûƒù£žå¡yv…ñ/·_>O;LئX0ôd{8‘Ì¥}ƒô/±Ò£'×£
+:¼z¼@*Z+Bc+ü(i)³Â}'À¸ëNÜ™=Š‘§ù3µ³‘¢oê$¶ã5òZ'Ûš¶ð¶Í‹å²xÃîT‚ˆzÞ½µï„ÿ${mf?öØ4âJÍÖ9ÝÚ;R”G)^á	¯à Oðœÿº¿ãÝñ-ö¤/óínà!ìFúaÊcdÂØkâì,Õ·åÓ~Ó2’¼£T¼ãŠ)zÚÞkW.dHX4
+Ûý¡§Å‰#héûþ‘3I¶µ·ÓÚ8†”°Ÿc 9R–„du`rS`,´VG“Tì„6ŸQ€ÉB$vfÞ~'	-MGù‘ÞC@â£*”¢þ/
S'<Ž}¹¼øüx:ø@”Ùsn˹-ÞÚÖWB‘´;gMtҌԮïü§ˆÄ+œ­²<D¦Uh|ÌÜø/5SÊÛ4¯¡(õ9&r¥Tsà÷
»uSÈ>^¢Dã“yTGÿZœŽäÿ..Ú 'ÅõX$’èˆí|ºø:ùéþátd¯¡c_çÆç‹ÇM	Í“ï^/¡Ù(ÖUV¯¶z¡¶Gª))	¤DÀ¿ÿê…dæ±²6¯Åï&ô
Ö4©õŠ†iØ@"ÚC\8Q80q{[ƒÑM&ßV<ÜžÂ÷’0½ú\ˆ?ÃlkéÁUHb
+é™ iãýÿû—íÅDhÍû¿
óXÚ<§‚QÖ=Ðgì.‡IO@tömÿ,¦}endstream
+endobj
+2047 0 obj <<
+/Type /Page
+/Contents 2048 0 R
+/Resources 2046 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2034 0 R
+>> endobj
+2049 0 obj <<
+/D [2047 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2050 0 obj <<
+/D [2047 0 R /XYZ 56.6929 634.0466 null]
+>> endobj
+2051 0 obj <<
+/D [2047 0 R /XYZ 56.6929 389.2139 null]
+>> endobj
+2052 0 obj <<
+/D [2047 0 R /XYZ 56.6929 245.821 null]
+>> endobj
+2053 0 obj <<
+/D [2047 0 R /XYZ 56.6929 186.2038 null]
+>> endobj
+686 0 obj <<
+/D [2047 0 R /XYZ 56.6929 149.7581 null]
+>> endobj
+2054 0 obj <<
+/D [2047 0 R /XYZ 56.6929 117.6525 null]
+>> endobj
+2055 0 obj <<
+/D [2047 0 R /XYZ 56.6929 82.9956 null]
+>> endobj
 2046 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F48 985 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2058 0 obj <<
 /Length 1422      
 /Filter /FlateDecode
 >>
@@ -9071,1016 +9129,1023 @@ xÚµX[s
 ÑØÑÙÆ4m¶óá2ÝTé`°0IÙ»M6Ú/£0©ÎðQÓ±ÒÈIZ‹|xù¼©e]&ó¤t
é¢ö©Û7í¶;~¾<;§ÅfŒ ?3¦í(œ˜ÒÈg'7ôlOU|Ç¥xªº??ªÁ@ð&_,Ìu|HV
 (ŠŒï“þ²²“¦W„ƳSˆþÇ_#öÕÿBVì“]œà»²|×ß±}d@tóÅÿ¸É¹ŸþX³û*Å¡Çã#m*ÃÜŒ²¤ÊhA¨Ø½ù¬s(û,Uöendstream
 endobj
-2045 0 obj <<
-/Type /Page
-/Contents 2046 0 R
-/Resources 2044 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
->> endobj
-2047 0 obj <<
-/D [2045 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2048 0 obj <<
-/D [2045 0 R /XYZ 85.0394 748.1793 null]
->> endobj
-2049 0 obj <<
-/D [2045 0 R /XYZ 85.0394 678.114 null]
->> endobj
-2050 0 obj <<
-/D [2045 0 R /XYZ 85.0394 593.1286 null]
->> endobj
-2051 0 obj <<
-/D [2045 0 R /XYZ 85.0394 365.8527 null]
->> endobj
-2052 0 obj <<
-/D [2045 0 R /XYZ 85.0394 292.8225 null]
->> endobj
-682 0 obj <<
-/D [2045 0 R /XYZ 85.0394 246.9241 null]
->> endobj
-2053 0 obj <<
-/D [2045 0 R /XYZ 85.0394 210.8582 null]
->> endobj
-2054 0 obj <<
-/D [2045 0 R /XYZ 85.0394 172.241 null]
->> endobj
-2055 0 obj <<
-/D [2045 0 R /XYZ 85.0394 96.2889 null]
->> endobj
-2044 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F53 1052 0 R /F23 754 0 R /F55 1060 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2058 0 obj <<
-/Length 2784      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZOwÛ6¿ûSèfùÅD	€ ÀÝ“;©›ÚÉÆîëîëö@I”ÄŠTEʪöÓï DÉéû@p003?Ì€¢£þéHÄ$NX2’IDDHÅhººGèûpA-Oà˜ŸëíóÅwï¹%$‰Yÿpq÷ÜêåëNC®•úíâ—_ÃÑ–ðÃEHx¢Äh/!¡IÂF«‹Hp""Î¥¸xºøW+Ðë5C÷‚†„ñ˜
l£#JI"ëí†HHÌ7»q{÷ôîËýççûOz5fL·á(`I"æYY×Ù4¨³¦ÉW™åç¿„U„‘„qš}sEÕ8KgõUÀ¡•âw]·åx½É_Ò&ÃŽ¯Ùÿ
CVXbZΰ“^ѱÕ,Ç€By¹Àö*kÒYÚ¤8GjÇÔëlškÑ™•8ÙwÂÌR"é[KÐn!,)ø<°jÇ€«¾&`ç©Û–àæoñåoñÓ7È8£Æǘ àJÂI»’&±Të&¯ÊZG‹ÆÏƆ Ý3¼MÓR7˜6K‰¤‰eÜÖÆtЦ;vV_Bãv6ç¬ù¢ü_Uz«$I¶Úmp–
-&Þà4z¬ö*:
-¸¢DÉ8qhRWóf—¢§#:4>gY“mÀ)-yg–£[)>ŒëêF^÷NìˆõvRäõ2›]·P53¨Ág½¬¶Å¬?÷I·æ•ew+ñлbEgÍ”˜UBÀSØΔYÝý6ЯÔ-ØKMjGB³"=·O®Ø[¶0­V+Œj ¹ÑSŽö>¶*Øâ‚ÇV=	A149uF­óÕºØã\6eS£VkCAAS³˜0îÅ~ç§foÖŒuS!Åî}nÍm¦r§”ŽvZá?£{°ÄúóaL“
rKõ[çqð2]¦åÝ„óñ ŽÚÚpfäÁ,ë4߸D8æ2&2¤ÎKø#oÒ4}“ë?¢%
D>ƒhá¡5Œ 4!4}Éhö&–Rõ-àÍêNŽ™CID;€UQ°pâí™~Áö"+³
ˆ™&I!Ç%þ–ÃáÛî[¿kcë'ú4º“Í
-*2;Ç
Ò–[ˆ‚W۪܃ç_é¤È¤ÔÓMnÂ
	ƨ¾õ}Ô!KZÔ[ÖE:=tP™‰Œ“nkn.F½Ôœ™GòtæO&Ÿ8N(‘IÄBZE'Òd
-|.—ͧv-—9ƒæ‡SÆœ(%Ôù)ÓÀ”=dQDÅ’ö§|~0Õ›¥Dï^"ÇÛõÌX_ÓŒ‘€†}ð^ÌæUÚà;n00ìr¹@*+¤xæLTëàHŽ¾Î8¬ fiã’¯à”ˈD<”ß
-§)ì´âýHÜåE~Ì£ñ<ÍMKØNÓÒ¦ÉV ‚IÈ GŸlšîvEÓR$Ù"î‘Ô$X¬/çW¬­³>=Ê­/à"¶1gÇ›n§ÀÔ(KSR	[èÎË‹½Å¡ëËx\f;Ýc4—XɇÙoè¶ö’¢QmòE^¦’Ѳ@¶6jФpîiÐáJb"¤¹€ý²F¶VSu‘a®NÓ&–b[M0)„Œ]JÛ-eRkˆvä`tr2LC°|%¯„©Çu&L—	Óèhªy°
•ŽHœ[æ›l
-»?ÔB9Ç;¯\Ë5 ]ÿJH¨“…žzO™ÃÂAt £S'wË|º<™…‡²Dk‘|vÚ‘Ô
yÞÓi+8&c„åVÆ$LäùùÏñ|½Äš’Pªþ|w+—²nëtÑWu÷b’B“þž7§w#‚Ä‚%ô•íð¸Îì‡ã2ò2ä•”ðHFÖ-‹ì%+K ‹X8¯˜cP¬Ÿ»0(I ¦êi6äÙd»X´½Qlðd"Hei»:6Ÿïî?àXï°>Ðæ ú¿rðdÎ2µ”ýî°kè2Òa£Qìüü=<ÜÞb©R<ê÷ß?<<=ìÔ5ˆîlå`-¶+„1©Q¶¢‚rÑ*6y/<.ß\bÃÌ©Äø2¸Ô¸ž,© Ç¢úYBg—eN#Ævš
Ðb溎â憿Za/ê>òꃼç*\ ­·Óå9áfóª(ªSIßcîrô±b“®äQº\ؤSX[—ûËk¬w/Wmk׶f®e
-dÍ¿t[¢‡îB:}•uGn'$s½ÅsWSK¤î³tS[a«ªl–îe—e_]{–îëN…#Cd¤xxº¨Î!&öÿ´‰²®œwyõ«g— wÚùЙQUêtëq
-¥)O^AfŸë4µ\þ-Ó!©DpwBB0~WÍÍFž‘é
-¨óúµ\
-ö ‰'D_ö´ˆ”8DR‰ËO€d2–¤;‰;á=w£+|N¬öÊ£ßÝN¢¯,tÔ@µz3oÌ]ˆé6°b•¸öîܤ¦Ê’HÆ£¡DÖ¿=ÉËi±¬âÍ]ØZ/êd”Usê*Æøú&Æ9áIÏb:KOµÏz–ÏuÚ³Z.ÿîñLêuαàôÁϪ×r
è×s¬($	T}ѳ¸°ç†nØšZæ.	ŠëY=.LþuEäÆWøœX†T#‚­õc9B!ÚÜ\ÚlË
-”‰.±¡äÁ=QßÚ¬fÀƒÚ¾?ë&œ‘XpñŠ›x\gÜÄqùסn†”}‹ŸERœ×¯åPðÐO"¦T_Cë'Ê],BÃú‰BÒOç'>ZSÙ›J…;®í=±x‚¼T_ñV ÄyŠrPãf»Ö8;’M§¨°ó¥ó¹ƒ*Êž.­«Ôþæ4à4ß!ÍF«Ö׎eüIï£IH
_¹Æñ¹N{_Ëå˜øk uV½¤Žõ©ž‚öø‹mÞ£öøƒ–9þà鎿ŽKÚ0Æ´ÈôTøœØÁÛ²=µéã¦PŒ9çìl:ᑬӠ•m
›k¤Ó0UTåÂ}MøÞt}pø¹Tj•î}ï]¥nôéEä\WunÊêön|ÐÙ"F‘ügó¸Î8›ãò¿[õM¿•ßælB@NqV½–k@¿¾³Ql²¯ E:Æ-ΘŒØ ÒÁÓ!sh4D#h¤Ó=¾O,Ã,+2<S-Êå4‹=#z$—¹Ou@4hÐ:]¾¡T/X¶ð^¥äÜXq—#²aï"¨?=ßý¹?fûÙ»Û cÔévƒô²)öØgW/鶩 (ͧiµBw
-½öÂ_òz¨ºêGLû½-/±ÚÍ+¼4Ÿó6°˜ö2¨<2ß6[ÿ†h¦kúj­«ÜáÊ^×æa,ûWïOww8üæǧO¯×ôöþ6}‘•úÒßKlŒ|Aõº\žø¾+CÂ’DÙ˜y{ÿx‹B«Îl•—yÝlÒÆ-øK6Ϭq¦vÍi¹M‹¡:±",Žãþ·íž°*E]yôåý;”(BJäA¤±HPËMNýC§(|0¨ÃÖùGݯY"	8­Ø0:0)ŽRZqÊâcÀ´?9Öýÿ_Á²ãendstream
-endobj
 2057 0 obj <<
 /Type /Page
 /Contents 2058 0 R
 /Resources 2056 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2022 0 R
+/Parent 2034 0 R
 >> endobj
 2059 0 obj <<
-/D [2057 0 R /XYZ 56.6929 794.5015 null]
+/D [2057 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2060 0 obj <<
-/D [2057 0 R /XYZ 56.6929 752.4085 null]
+/D [2057 0 R /XYZ 85.0394 748.1793 null]
 >> endobj
 2061 0 obj <<
-/D [2057 0 R /XYZ 56.6929 597.0312 null]
+/D [2057 0 R /XYZ 85.0394 678.114 null]
 >> endobj
 2062 0 obj <<
-/D [2057 0 R /XYZ 56.6929 399.8107 null]
+/D [2057 0 R /XYZ 85.0394 593.1286 null]
 >> endobj
 2063 0 obj <<
-/D [2057 0 R /XYZ 56.6929 83.0386 null]
+/D [2057 0 R /XYZ 85.0394 365.8527 null]
 >> endobj
-2056 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F55 1060 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
+2064 0 obj <<
+/D [2057 0 R /XYZ 85.0394 292.8225 null]
+>> endobj
+690 0 obj <<
+/D [2057 0 R /XYZ 85.0394 246.9241 null]
+>> endobj
+2065 0 obj <<
+/D [2057 0 R /XYZ 85.0394 210.8582 null]
 >> endobj
 2066 0 obj <<
-/Length 2296      
+/D [2057 0 R /XYZ 85.0394 172.241 null]
+>> endobj
+2067 0 obj <<
+/D [2057 0 R /XYZ 85.0394 96.2889 null]
+>> endobj
+2056 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2070 0 obj <<
+/Length 2782      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Y[wÛ6~÷¯Ð#uN…Å•³Onì&nâK#¥gÛ$´Ùl(RigÝ_ßÁ…!ATºk?†ƒ3ƒ™o 2ÁðO&R ÌR>IRŽ&b²\Ÿáɬ½9#NfÖ	͆R?.ÎþõK&)JcO«.‰°”d²È?Eçww—7Wÿ™Î¨ÀÑh:G×ç7ÏßÛ¹»iJ£ó7—óéŒÈ„$ $µXŒ£‹›ùüòõl~õææ÷Û›Ëé—ÅÏg—‹Ø<ÁL£úóìÓ<Éá~>È¥RL¾ÁŒHšÒÉúŒ†g¬›)Ïæg¿ô
-«æÑ1“HHš¬AÉ„”
-A=sˆÅŒ2kŽ‹··ô‹€8OÀ°«ˆÜUÕªm¥Zk¢ùKÓªuc¿¼®«¦Þ¶ÅÓÚ©]9b<¦N'ˆ¦Ò¨S‚U1X<¯šF-gMñPýUWJ?ªe™@þŒðM¶VG¥ˆ0&ŒÔ¾"ƒé3¥‰Y—Ùñn]KÕƒýÒÖu¹ƒ¾3˜†#¹Å>©êMS4û^Áuì/âðFÈKàSÁaŒgŒ°Ú—ƃœâ¹—
-¾~Æý4˾t£¥}514!á)â,a{­cYfMcż
ÁÌR&©“ê5æà7áDób«–m½}	(ÅT}¥ê¤RU島èBÂÓÉ$)Nöu®:gŒÂyI8/½«á™ú©Ý<µ³UQ†ôÇ%‚ñ}ýýè±½ì™
-sÂÿwã|=iœ¯*¤ŽHÀÝ»¹WWžv`½ÎŠ* Ñë5AKsŠXû†.t"yÎÊï÷âÕI´Ee|Wo×YЛ”°›þqRíEXCFˆ¥ü@ãÍIM͵-²ò8Z‚	ŠÉÁ¡«ƒŽ9JSÂ:Û¼Yo‹‡â¼Û“¸»ÓqÔÂ	J°<ˆ³M?ºëGۣ烹ǷYá—«ç#çC$ím4ïGMÈL4…Š'câGbÓfÛöXF™$Bîo´8iª¶
…6IP
-‰g_]ÛžŠý¬SªgU~’þ«±“ª›¬y•2”|õÞž>pl²¶^ð–Õ…Æ4u¡Xøú4;w»êÒfr³ÅÙ!ô%T´gŽŽ¿v_\Î_¸º[\ÝÞôå:j²GA Þå]¦Ò‚šÅ<Êô3p22A¢«ÖN=¨JE9ÁKJ`¢ÝN}ø¼ÒÎm§DFjY›Ï¼ÓmY´1Óuþ´Tþ¶ˆrڞն؅zeÍÜáöÒEû¨IQšê)‰p.âhÑMƒ-ž¶Ek/n¢ÍÚ'½s*µf3—«R=8Ÿ›…•¹¶Ën¹ƒhö«Üìg,pû˜µv¾h~Û}{TðàÖÊô0—E™Û9­¡±³™µYÇ#½ƒ®_À®¾WoígU·°1±_
-ÇfsÁ».,Hø~ÿâHâ£{ÚZ_5ªZîéË+7:X¶)æ]ínT3`öLÄ]¶ûŒ1-öU·§Ê–vÔ™Åñ\<SÍý‰:nÍÁ˜´3Ž–2.-’xœ»¥ºîã»öRzßY¶¿eÊc’ŽoÙ	¶ôª
-X¤Âßò×)t”à•ókV–vÐÐ|×!@˜;g££¶ŠE¡×9a›Ôˆm:)c›Ž·€û´}Œ@&#BÊqd½Tš×(0hn8&>¶ùF-ŽªÙ;Ðm¹h4ؼ“Ðõá2(•Ð¬³DŒt(uÜ ½”1h2(A2,ÄÌ=£
-’ƒë„à<“
-¨½„3Ýûºþº;Ún~è‹|õ©M1
*Òo*-<œ2/÷8‡†¹%°VLÂ-Ž§X0”¤²3ùñ8Ð
p`ãq0‰ƒNÊÄÁC éÈ4>±e'Ør/éÈ$ÙÛòK-PÕ¤Œ.æöó È3™ØÄ®W]:×CWåô°¯ªÇÂXÐødŒÿ‚‚9#ÎzJNÇD2N¸#ÀÊ£ËÿMknXô[¼²Œ¾:ëѽ-ßp€¢1Ï+ãöáuý¬òãQC •ÐW}ãQ3‰šNÊDÍ»Pö`HôU|$y@œÆñ8¸^*€ÎOÀáé£{§t5é³Ñ¦n
-äLÊԦ땓Èì µ¾0ˆÍT[ëO hÊr)C,`Þr
ôWi0ÖA4󊣫•:eM_r r”$@ªVÙSÙ6Ö½ÐçsF}çšÍ‡E(›EX¹;G±®âG£€$à&äx¥ŽGA/e¢àëÉâ.b¼ r.$úQ\½T˜>¥ÛC¶˜¦Øy_Óh xC7Ø	
Í²Æ}zótw+êIÃd½í§³êeo¶`ÙƒŽA´
…Ó^oZÓ€èñ:s[Ü«Cp&(à14È^P¬!fŠMÇyu§~œˆ(@L²Dl(5âóNÊø¼øwÚÓç2×.š³†Y7MÌe›ªòÎÕÀ=qys<Túö?L ÷ÊÈј©¦Ël<$BÇ#¢2ÑœdæþÕ’_@#“Ql½Ð!8/&bx:xÏž›Ûdß¹¹
Ü]7èµbí¡Í®¶×¦Œ2k‹gegôûèXÄ$:¯¬ððQn²“µ#ƒêã‘S0í;ÃŒiü©=UðQ=­ï;h…Óÿü]__ÌüK[’/Þ¾½¾žkÞõJ£¹ù·½¢þ å\`¬EÀ”
-„ÍyÂ_qñª[úÀ¯íØ$T¸6	&nõu	ãF­Î„FçVÊ·’·F8ò»%äýcc $q‹ðÿ¦¹ûõx°>n†u$ÔÒ6%4Ù‡Þÿúyˆýo===½endstream
+xÚ­ZOwã6¿çSøçMÄŠ¤(QÝSÚ¤Ót6™´q_w_·Ù–m½‘%×’“q?ý‚IQ¶ìLÿ$Q ‚øH™ŽBø§#“8eé(I#"B*F³õE8ZBßûjxËø\ßL.¾úŽ'£”¤1‹G“…'K’PJ:šÌCrÂñíãóóÝ·ÁóÝdrÿpwÐTR6¾yzº{¼½ÿÏUÀDÜÀ†ã‡›ÇŸoþ´§«ØÞß=_ý6ùáânâôòu§!WJý~ñëoáhKøá"$<•bô
+/!¡iÊFë‹Hp""Î-¥¼x¾øÑ	ôzõÐA[Ð0³c0:¢”¤B°ž5DJbθ¶ÆíÝó·?Ý?Mî?>ªÕè1ÃQÀÀtLJÍ<¯š&ŸMÞ¶Å:7üÜãO`a”À8ž½¢rœgóæ*àÐÊðVWíd¼Ù/Y›cǧ|ÿ…!+
1«æØ€I¯è؈jW‡c@¡¢Zb{·Ù+”èÜHœî;az)‘¿ôÀ®%p&„%O«¶¸êëa,O­Y‚›@ÆOÿ€ŒŸ¿@FÀÕN8ÆPVÚí4A¨–¥Þ´E]5jG±h<Ñ>éž»àm–UªÁ”[*$M
ã®Ñ®ƒ>pÝq°Âö%4v³Ù`-–Õu5­	IÃÐi·ÅYj˜x‹Ó¨±*ª`è(à’™Ä©
D“¦^´¯F:¢C[ãsž·ù‚Ò_õrT+Ç]Õ(šþÀ©±ÙMË¢Yåók'UÓƒZ|6«zWÎûÑNªµ¨
»]‰¯€²Š·3¢W©6|HB	½ºûЯR„XÇP@“ƒЭH/ÌSmWì­Ü$Ìêõw5PËBëÀ)G{•lqÁ㯞„ šœZ§6ÅzSîq.›ªmP	£ñ‚¦ € «YL˜÷ö~§Úˆ¥…7ãƦ­‘bl_w멬Ã)¥ãKGZø/,5qÁ|Sd\¥ÂRõÖE¼ÌVYµÄ0á|<…Fˆ£f„rœy0Ë&+¶vmó$&IH­>TðGÞeYö®PDIØùví¨a¡)¡‘èKFD4!q’Ⱦ¼Ymæ˜9LˆHc°*
+N=›©l/ó*ß‚˜9`R"’ñCE©orH¾ýá¾³Õ»r¶zb\A£ËlFP™›9n¶ÚÁ.pµNå´Øøʦen!¥™m½Ý êÇX?F-²dec°eSf³ÃU2×;ãdØê†]…Ý£^iÁ1ðeˆuÂG]O—G”$IDªH.g)ð¹l5s\Ú9.ƒ‡SÆœH)äù)-ÓÀ”=d‘DÆ	íOùÆÁLK‰²^šŒw›¹ö¾¢i'
ûཛྷÌë¬Åw400¼z穪‘â¹3•.! 0ÿr%äHFP»Ò‡qÉ×pÊ“ˆDª	„f§Å*ðú¬}
—ûKÈÄJ!8º_®km.ÆÇ—¯®5w­•mé5©ÑëÂ’ðX¯¦1ó%ýUPczxBaºÙ¡Í«0Ãöy¶5J©˵•¼vtÏ©â.•úÝnu)¤Î,ß,Z}Û¤»5d%®½;©>Ç
+HWŒGCGÿ~ª¨fån~òžäÚÞ™MmÜv2ªº=uÙeK*u×e/ÉNGƒC_"Þ8ƒú\g"Ërù·»gŠÛsµU!xV=Ç5 _/°¢¤pdí+ˆ‘Å…ÉKªaNeÐÒ·upì2‘ÕãÂã•B;¾ÆçÔ0d
+‚ÌmJiÂ
+QdçR$é€dspC™R°7drp× W1Dëû‹aBu¾Q{û\§ÃÄqùø‡a†”}IœE‰8¯ŸãPð0N"Ußõ44q"íÕ­mœHD õ´qâs¡7¥¹–hqåï©aÀ”õRÂ{7€)ÒB
"%¢ìH6µ‘"Ã.R$‘,=¸§€dzåÒ…Jã'M«J]÷GHó§ÑÊÅÚ±Œ¿}àÀT
+ñFôy\g¢ÏrùŸ~þHU¯©cýAª§ I±ùÔ§&ýAK§?xÚô×q%&¥°ãk|NÍà]åR r}ì`
+Åè[ÊH…oœ¨=¦Ó¡f™üÏ‚ýHSŸÇ“/‹4!  8§›c:V®g”WÒÓÎ`Kð›ŸÁ8ux©ði1ŽYâ44Æ©žߧ†až—9fBÁ¤Ã7-Bã›b1™0¢Gr™ýÚ	DW.ÜR~ô}ª~Ñq%¹þ”6€%·Õ!Ž‹ 
+åøñãäîkäþïdïn®€ŒPg»-Ò«¶ÜcŸY5¾d»¶†£~1ËÊrÿ¯Þ5ôšËl|)íý½â¾eÞ!5^´êO¥[XŒ»h«‡,víο}›«›’z£îÈ©q¨äÉkè®Vþö<º_²D	 ˆdÃÁg}ƒc«”²eññV6?9ÖýÿÞµendstream
 endobj
-2065 0 obj <<
-/Type /Page
-/Contents 2066 0 R
-/Resources 2064 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
->> endobj
-2067 0 obj <<
-/D [2065 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2068 0 obj <<
-/D [2065 0 R /XYZ 85.0394 752.2635 null]
->> endobj
-686 0 obj <<
-/D [2065 0 R /XYZ 85.0394 714.3488 null]
->> endobj
 2069 0 obj <<
-/D [2065 0 R /XYZ 85.0394 678.2312 null]
->> endobj
-2070 0 obj <<
-/D [2065 0 R /XYZ 85.0394 646.678 null]
+/Type /Page
+/Contents 2070 0 R
+/Resources 2068 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2034 0 R
 >> endobj
 2071 0 obj <<
-/D [2065 0 R /XYZ 85.0394 582.2157 null]
+/D [2069 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2072 0 obj <<
-/D [2065 0 R /XYZ 85.0394 463.8644 null]
+/D [2069 0 R /XYZ 56.6929 751.4229 null]
 >> endobj
 2073 0 obj <<
-/D [2065 0 R /XYZ 85.0394 378.4136 null]
+/D [2069 0 R /XYZ 56.6929 581.4086 null]
 >> endobj
-2064 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R /F55 1060 0 R >>
+2074 0 obj <<
+/D [2069 0 R /XYZ 56.6929 367.4495 null]
+>> endobj
+2068 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 2077 0 obj <<
-/Length 3323      
+/Length 2232      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[wÛ6~÷¯ÐÛʧK\HN“¶éÙ¸iíž½4} EÚb#‘ªHEqýÎ`¼‰”Ó³öƒÀÁæò
H±á_,¢8ˆ­´‹Äê 
-E´Xï®ÂÅô}%˜gå™V}®W÷Wß|§’…
l,ãÅýco.„ƈÅ}öÛòU`‚k˜!\¾¾½»{óíêîí÷·ÿýéöÍõJ˜D$Ë›÷ïßܾ~ûïë•ŒB`æ0\¾»¹ýõæŸD{måòæû7w׿ßÿxõ澬/¼JõçÕo¿‡‹öðãU(k¢Å	Â@X+»+© ÒJyÊöêîêçvÂ^¯:©RÅrBRõ´aDY-’ȱ‚.ÔFSìrØ”4Ë¢æß2+Öi“gôøðL¿_Ý~
»©¬P¯ß|§EOz%"Ø›…-£Øu“š•Þ±6Ë Ô&fV/d½Ï×Ň0”yö5Z¬T’Q”Ä‹•"Iq¢Â)Eë
-Z»¢<ÖÔô³©Žj}£°©¨n·Õ‰š÷¯·Õú#5ëù	ØyŠ‚g<ÖyœY–!âE"âÀ$¡˜±bZõ¹ÈÄ”[x.ÜöŠ5E=N°¬Ä€É&ó2kUÞ—MÀÑÀù‰Ëµ\ÒõOOH0g£õP¼;<½G°EaC:"ld`§ÔJËŒûÜ!aë´ÉËÿS^æ²m|üåð}jÒI¯+÷‹6ŒÄüó¾ °P	„î8ÍfÊF•
-âXÇ_b¤à„	x"³²Ej%!#5´È´DÃËô¡®¶ÇÆÙ l­Q°áˆçCÁÃþïÞ½~ýÃïÞÝÝ­¬š´)ª=ODË¢vSÒ®·ÀóÉ/W1φYÜîz¢àB/¸è\Ïê`V‘ö\$qPAæšH·ôØ õ‚
-t‘(@ö¢ ‰֡ÛS¨Å›ºMÂ1.hÐö«Í9ô~?Ï`“²Ý¤Ò²¿I¥o;ÊêôÕm@mqØ;â„VŒC3áncã”:êE8œ|áV*ÖKRO–>3O§AÃíÖ
%
:šÓ—ÛÁ€D})SR2WùF›H’åéqÛ̆°X™@j]a}®ùÖr¹ö8 ×å=²:6ûc³z,¶çA̹žµ—Åk¹&ä1•B9ðÞ©[ÄË2u:Ï«‰B''"ñ,·L/hÒ¢,Ê'znü\uñTºóö_Øt™;È’tËñ‰Ð@wª¸bEÏé~–6Íb؃N¼•¢¤âȊᙳç–
-ÛWQ,xŸÛ[”n³”7q³¨™YˉlöF¸jÞrú\ó–Ór9ËÙŒ—Œã ´ÉKz¦‰%û:HDB.ùþP”
gü”áÀ¦:°2êãn—žémd µj±Û.3n8×~:îòvâ†ÃÌ@R[ˆ2á3ÉÊbì
-O𯪜Š6‰•YÝ·ƒÉÓ‰/Qú…Óéq]8ÏåN§˜ôkH”~ Êüð)Ýž#HÈʪ˲µ\Â
œZ˜ –a<”î_-ÌHégOyãSQëíóÊû'v9»VÁHbŸÖµïM™æœc(§qÉ.e ô÷Ñ­ÄP§áì­ÔzBo£Í®”‰«AçG'Ó#êzŒòŸ×[_Vø%ÜSÊœ)O¦
’?Öys^5X˜ÂYNíÉÂZˆ¸‹rPƒ ªvU…l«Š”æȧ”¡n§r{Qn	ðvCMÚ,4üfh7‹‡g`ï
“y4M…aÜ“†šç'˜æp*ê|fì¦.²œFf¼rE¿¼ª“Ò%|ª«ªt“Y¦`™S±ÝRë-³ß¦k.AÜP˜H˜.ƒ	€GmJP
-³Þ·{ª‰Í^-ÿ<Î@
âÆ5ìmÚI2Þn¹fúCÞœrò²7š{Ú‰—H9UÒ—-4Ä&LLó*4qÑT6•yÇ2á?QX#ô ´0ÐZ{(WMÍ…Xó¥­_3õûEÇ5í(šÆ D¢Å—ú$PRù„ï‹¥š×ê«»&E5›´áZÚÅF9ª¥;aU²«(ЂUÌÅ0Р"*­}uÄ”x¼¥L ÃåE BOœÅy}Œ†Êk·6y‚‡¥å3
Ë?uCþd  ã,ø"Ñïi±²cÞæ]÷ÛÅwèw›×>CoR¦Ñ.¢°Õe|Ƨê¸Í^pÖ©¤¬±¦@|1)÷¹æ“rËå’òÛ—À¶Kc+PþŽŒdˆ¶M BÀ–åk¹&T£Â)4Æ%¼÷šE€¶f¼ux›(öQvF"aQ£õò}U×ÅápÍ“ÕŒ;[8YqÄ¡d]|€r­É?7ø;áx×^³`:ãðJ—Cn%чÈÒ(Ý[äžæÖÀŠÄÈ1šã¼ö~C5xÔe{-=m(šÛg&ƒK–•ö—Ñ1Ù(å‡n½Éºæn4—¶­ӓןÔhV.?µáߺò|Z¨B…öÈGáncàÙà´©5Ïãnnp8€ÚüÀ\î…Gj’34l¬ÓõfÒuœ‚ÝÖZ•÷G˜ÈÁ^ lùžˆïõËãîÖŽß4IŠUL˪ò|Ï?<>Ea
-~ùbJ’݉_%ôoœÝ*9%m¡nÇ÷§u–8á=øvèröS^w'Ý¡éâ±}Gò1Gæy6ë$ºO­)×É»ªn¶Ï£;8¿ÕžQMåV	£”â…+Ë>×|nm¹\n-§Þ×	t:Åq¡\ïÁ§F‚Y5a,/æ™&fVèðù@²»AÒkkͶFDÄ]§7óš˜\¬Ñ:"·zùê™z»w–îÜ€vX𲮢¦7š°Rót½¡V–7ÙèÖv
-ª‹’Q>ýöý¯ó'+ (¬|ád{\NÖs¹“½:Yü À£¦ºJW3Št;W^%0Ÿ0ö²-ׄ”ƒcN’@ÃyÅtèV‡Éòî§lÄK‰ˆþ¨±íêï¥Úøˆ'¿ŸÀcœ1{ð «»xª»ða¾îZYÈ;a8ªh°$ú˜çû™ÒHé ²]­6¬¿¦.V´„4m¢^Ý…Êe§™%"(Óàt5'l ¢Dõf=–Åg/s“†…ºwîbÞÁ]¨øDŒåe2¢=ÓªÏun©þã‘–kJ­gWïÖŠË«·\ËŸ]½›p´þëÊ×;m¤ÎÜGƒHíì“J%²O7„ì°â¼Úe¾¤¶×µy®Y{ÞŽ€Ã_¡åšax;^›„v(ÄÛ>¤úãOTZhöËwßò‡0ÖHÿ"
-j¦€§u=¯Ü?ÉR/)·ÇuA¹žkÎmÆïy£ÐèË´\"ŒßóÂ$Cîò¿­Ñ³7£ýNÿ°ûÂÁ_w?î®÷Õz3ÿÉPÈ$~é‹¡ŽéÂCÌä²T5?”NÚºäP<åyq¯ jEæ¢\-Ó¹`Cm ô%»÷*ä"è$q@8¤b·5†ßMO¡Eyg/a»ÙÛë¦ÞG\Pºwc„él÷"—åšùŒPE~û7¡ páÓÛÿý‰a÷1¥N G™ “(€Á±
-5-¤97:þñ\öÿx‡dŽendstream
+xÚ¥Y]sÛ¶}÷¯Ð£<ÂñA oŽíºêmd×’;wn’Z¤l6©+Rθ¿¾ H
+’œv2ÁÀjwq°Xœ]‘†d$9ÂT±Q¤â˜ðÑbu†GÏ°v{F¬Là„‚®ÔÇùÙÅÏ4)¤D(FóeG—DXJ2š'ŸÇ—÷÷7ÓëÉσãñGtpŒÇŸ.§—¿™¹ûsŽ/oof瑉@Hj1Ç×ÓÙìæ*˜Mn§ÿ»›Þœÿzv3oë:O0Õ^ýÿìóWˆŽˆ@}DéqtºR‡Ñi¥tÖ&l8ïHB¸JÅ©
›«‹û‹Ë‹‡‹Ç‹ë‹8χ.)××⨭”ÇÉ.žDÄ!Uô½t€†QO¡Wët‘}Á8\˜éN8ÂêkœoS³PnÌ'\³V.~£‚Cq8ž¿ØËĺø…p›$Ñ…Å!×wŸ¡0ÄÒŠ”ë:+k.~3–žÝ£€
+Ž„F9h³|eYæyù½¹FŠŒŸÞÌgYèÝ(lv+9NíòÒ|š‹ª°Õbî*Ìç ÒMe…Jó™I¶€k¾ñý%kBxZñ¦3Õû¾M?ypˆŽpèÂÇ“D2bNBß ÂG
+.CÄ<fS/Ì–c‹)ÌÀñ¥<D ŸwP÷^„²ã@£¯5µÞ>圓––HÁ^¬¦Ë7/êìõ]–BHH¡íáÇ-ø^Ëoï²&à­k÷õè±€3HpE†¼¼Û¢'wf›¡9ü¡y
+ˆPeÍ_{7Ë„{›íMRúž=}·	Ï5¯Øãtb3þ,š\žøо”¾Ü@œf»Ül´î»N9’®‘Eí;ßa	£bŠ	ÈQø«‘ÝÜ/.›Ýy4ûù¼½Ïiñs,á?b7âÈCö\üù¥³Üèð;ça*ånÔÇÉôÚ(QÖˆAVÕ›¸v'ñ.SqÅÂ"ù).¶±"$
+!v­zŸ®q/ÒÃÏWF#ð,âÑÇ
+'G¦’¡H…²ðåãü—»‡cȹI	µHmðÌÞª:]Ùgþª,ªrSgÛÕÎ."´z†“†)©~‹ñÞq4„)xÉ•y§±—äi×$Š$‰z¤Ð)jœúOòlÆ»u-ÝR»º,sfxŒoE¹®²jHh
+L˜m8>>@À}M›ðqBÓUÑpæ#4­”wûú~â¯n´°„§ÿl£Êà">ë»å@dä²R«1ñhìßñ$Û¤¸o¥xNØk«4=©4-’`ÇûûOp„dØ2•VçÒ£3 <\EQ?—Ûz½­ƒe–ûôu‰8eCýÏíè¥ýÇcSóa„ýsp¾GמwEêÛ$†êòÓX®bàïûûb­ÆÌ‹4…0íÑ›Lg’W—ßsŠ““ÞfEsvMIá£GEtÓ?Oªý3Ó4Ò‚ÖËö4NOj¬Êª×M燽%˜ Aö.]éEXÀ;¡È€S—›ìùGïî¤ßîvD8B–{q¶nG÷íhsð~¸×n~Iúzà~`
ÍÚQåƒ	žr$¤0·ªŽ7õ¡ŒÂŠ".‡†æ'¡ªk_h“)HµiØoõdMq¨›H!æý\ñ9¸´VõÓÖäfãd;„ÐW/Ñ	áJ`õßîë›ÙÕäé3½¿ÍÔ¡&
+ñNCæ2•ÔdH°¦Z´qWóoNÆ“ÚL#Õ ¤VpjH	,@´›©‡‡ÙäÖÌ"¹0EoâtA
+4^O—Év‘öÍjGR«í
+`SÀB¹40;¿{÷ÀVÑ
+¼>'ãÆqÆEÓh¦‹í&«aíÍNÔq½mªcÛ]€9]<Û3o–ÆÉ•Y¶6äÎÅÆ^ag5¯_âÚÌgÕ]»(ÒSøâÆÈ´n.^²<1sZCefcÛ °<²FÍ\û€Û¦|e­Û­ª\!ÁìÞuöš–D·>2è§ÕŽç;}ñSwréú¾Î
+C!<Ì»·[wk<…“D”—ít÷'OÛö™m©Å®£æ`±<÷@Uµ !éߎNÖ׌#P›ýÊå®]©Ã͸Vª)ã½V%E”B™{Ô¤ò˜ì½*€Q¼oò¦+OðòmP»šì*s{Ø•G(¤€ãql:RG°qR
6_£ÊRJø¶÷Ú“É—ò¸g­”ǵ^¡@¡¸a˜ô}›¹f¤kõ¶—ª-oþCžÞ¾8؉à©>Þß	éŠ[¡Í«½Hãˆ3¥ŽÚs2ûözaŒ8%aÏàU¹ZC:|Êò¬†H£B÷0“ô§óDÇ·6ÖÌ‚/Eè
+MÁå賂ÀóòBí/YËn5´…¿læ1Ò–.™hûºQßø‘$™é!QÑü0²ï–‘TÊ=ÞIuÀ©>8é”ËpïÛÅÀ=¸ð^Õï‚éà )êžU/y—y’Ú5û.îbsŸèž<÷Çíò4Vªëö_|?Ð*Ìÿsn“ô¿þñn÷3%”STÊд3H¢Š8§´ã$Œ†®·?óíûþ7ø’5endstream
 endobj
 2076 0 obj <<
 /Type /Page
 /Contents 2077 0 R
 /Resources 2075 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
+/Parent 2087 0 R
 >> endobj
 2078 0 obj <<
-/D [2076 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2075 0 obj <<
-/Font << /F37 819 0 R /F23 754 0 R /F41 959 0 R /F21 730 0 R /F55 1060 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2081 0 obj <<
-/Length 2845      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZK“Û6¾Ï¯Ðm©*ƃà#7'žxgÇÞÒ¤²»I‘’X¦HE¤f<þõÛ R"5©õÖH5F÷‡~€#fþÄ,ÑŒ«4œÅiÈ4z¶ÚÝðÙÆÞÝ˳pL‹>×÷÷7¯Tñ,ei$£Ùýº'+aÿ-xóéÓíÝÛ÷ÿš/¤æÁ÷l¾Ðœÿxs÷Ë›Ÿ‰öižÊàÍ»Ûå|!’XÄÀ” [ă·wËåí‹åûwwÿùxw;ÿãþ§›Û{¯X_yÁjõçÍoðY{øé†3•&zö?8i*g»›P+¦C¥¥ºYÞüÓìš©cÆu´£ÙB…,‰@ƨÉ8ãL°ˆuÊ"%•7™c&s\h²ÅGÜèëµîq
-Üb‘£9vûc·X7‡]Ö[EÄK`nåýÓˆ~ª¿j"X¢"5Tð~[Ì*æUÞEЬ‰Ö¹AR’Þç\V1®šºËÊz.‚²ÞÉÏiËM]äôþµ©ÀA㟚¶-ªÁª-MÍs‘Yl`ÛEº§‹…,ÕZÝ—2ìŠ/>í¤þ†e
-~ÖÌ¿sÍób«^Á5«ó‘ÅÀ i¸ŠO:¢îÏcù˜UÇñw€ør…ÙJ)m÷e¨¦(¡)óàÖÄt2ÑM,:³‡†0žÛ‘
-56¶Y¥YÂy2Ž³í@„rXAÑ<Ø~;ôªKæ\u¶+ˆDþƒŒ«mvÈV˜Ë
YÀrèéËId§rÒ:YùÜŒc¶´Àez>ØÕ!`æD)kE–U™ˆÖîþ´»›Ì*›>²êXŒØRʹЮì³^ÈGL©¡ûÂ!¬¬ó2Gá#Hf3ÖÐH1~´*m›cå–U÷<p$ÂΉéJÀ±L&à,§òûµõ|z¿Xo,»÷×[î²Z ‰]1õø*Ð^>Ì!Q®ºv¤|}½:µ.¢ÆfUóÂç¦#Ÿå¹Sn,×VÔÞFËý¡p2ZLQDmâ¯TŸJs²¥TÖ
-ðÛdIx®›cm”“PÊt-quPŒõaWtbqÓŠ/°˜¬,éhãh^@Ì@:‘·Í“]¬£q$$…|â‘°ëg+W/,ÆŽ¾·¨³7ꩪæÉ”AËaƒÄ­)ÝŒ+Ž«ãò±0ZiÙgwÂÁ¢XTØZ£yÄ@8XÐ0ØQïß]¤jâˆga3."1vÈ€%11f4ÃqHñŠ£/a$]Åi!´fac^¥§÷'¼÷ü	¿¶YK/u2Xì¡·¨É·Ó©·1塯.ãhH7/¥•¶?>Te»5øˆmÝ×dÑŒ—µå¡t`¸¬Ö¦|7õ~ÄR¥µÁÉ`Ó€…úГpÍŽÍ; °Ð߸Ð6ýμᎶe!ôÃ…¹ˆ{è&^].6œÕwÇTp™6¡Šì,ù÷%\1¡gó&tW2UÞ„@ƒÚJ4kÁ4tLm|2×e5LCÚtêu¼!Ë)®kXn+§o9Çë(Ê›öéfY›uoŠõï$zQãá…–¯†1îÔÿUo)΄ˆ¾ð}	×¼åØœ·„éœQIî4×ÆzÌs‡y5–æˆyhI;z7ö¶¹F‚‹wÑcê¯y’i¸÷ì”ΤÃé9Hè5ݯ¦ýwÊã[ŸKúÍúØ)ü?8J&¢0ýßÛ—pŹžÍ9W¥2(JTº>úÙX²½ÎçH;ÖþàMCmgØ™yQƒœªk|ÍN—'6*Ú)e}¶¨ED(cG“dzÃm…Þ}¼ŸöåYtt‰ý/»ëUgqå¹z­võ„¹!2¯.Oö2™ê…¦ Ï5Ýx.ÓÜ}á,ÔÊõG]W]:(¨øÕu½<׈b´AÛò(j6¸…±Ë±îï&Š1)êâ‰^ÞÞ-?Üþ›/ož€¡ÜíDnGE†¶E†ý0Í•$:XSY½;[Ý9áyVšI|¬«gÛÀ΢ó;ksël{Ô'8KgX‚N­wq5
	.˜Œ Qº‰×H8.‰‹ïX©`Q†×—tL#KzňEZÇÃ%?ÊÚµËÄŠ¶+Wöظ{Õìö-®XDÄDêIŸkÚ"žËXäqì¦ÂØÝ
TÅcqyLdÄ)ÑuÍ<׈jƒc¢Àb:ª¶,ºö?yñpÜl|d4›¶™JAØŸzLW,f™ŒÁ¾^@H1¥yu=Çs¹Þ@	S"ÕƒõÞoê¦ULÙÚ|íTÙÆuhg	Ù~µ1&£†ÕíÉßíôƒþ´y.”ú3ö¸®ØÑqCª1äq'©»'n³êòÃ34ÿ1$¼ëŠy®͆ñ9d±äz¨Ú»¢Æ+]Si¼WiÜ-oPDYmñÓ²¡RC¢-à¢`ÍwM´mñ…^ŠzÕäEN¸-†•´ÞÐpžµV
-–ßÖ.ƒ¯¹IÄ´L’3ÃœóU,…BêôaYX}3«íƒÝ%~¤ â.í-³Ô˜­âáíÄéV°vÈA= ÃTÿ:ð’2ïé²ÃokbÑÄÓŸ
-5^¤½ð¡Ðó\ùLH<Žéÿ!ÊÎhÝÔí&u5¥”×ôò<Š
ð¹Šúšý:i¸lÜlÞòμÎ9;_ ANr›9¿gö×þ}·
-ÎÙÔ?Æ((…Ôè?€ð™«
¾ùŸfNÿÆL%‰·Ÿ‚6BAYì”Bû	™ž«®UÂt"ãÝÿ#ì@endstream
-endobj
-2080 0 obj <<
-/Type /Page
-/Contents 2081 0 R
-/Resources 2079 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
->> endobj
-2082 0 obj <<
-/D [2080 0 R /XYZ 85.0394 794.5015 null]
+/D [2076 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2079 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [2076 0 R /XYZ 85.0394 752.3759 null]
 >> endobj
-2085 0 obj <<
-/Length 1817      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]wÚ6ô_ÁËÎà4Öômë‘&´M۬гî´ypÀ¯`3lÒÒ_¿+K26V’n;<øJººß_‚ô1üH_H$UýPq$0ýù¦‡û÷pöºG,Nà‚&ÖËYï·W,ì+¤$•ýÙ²A+B8ŠH¶øgœ¯âÔ"Ii€r•àúf6$Ñàúã̬¿`ÌbK*··âõºCt§o%ó¼ú.
-‹˜-°ÈÍ7ËË–”‰6T?B‘û!H	aô±”uôt(ëÍ%,+ ÍŠd¾78fg‘¬“{0@ž¨pÖ«R…<|ÚõM¬Ç]_ci¹äY&£ë䔵¢HÊP=ÍÚ!yX7C%‡ào±ž­¬,ÿ
-žçY	Þ®¢A¯K‡¤µ[¹ùÞÙu‘ÞgÉâqÓA˜b,Å3¦k`=a:‡¥åÿšNy†18š§Còðl¥M„hDNxN·É<]@q)ßVé|e@¥0P±Ê÷ë…+Áw_$v§²Æ›Ù•EÒ†ZÈD4¸\š­,?¥׫‰ha´ó’Åì„•·*²a›¬7ÕihåÒiv áI%ßãMšUâ2—5~“é»ñŸf³›_:sKshø²:^ôÑ6ù®ÃÜ(fªGañŽÁþ2ßg–uìÀm¢ñál—ó•‰UXmwéƒ+¸­–¶à™+'‘
ÕÀÐÌJ[R«b™ïCBÈାr¼\ØëÖ¬„°înVío³J’*¶ká–ý€r¤°G°qÍHK<þ4ººy?¶š	ªQ	íŠD4–˜­×ù7c
) “7cD8Óüj½+¢þtÅ~ãíÓ÷¿
¾*€½é?ßúÚ/×½ÙøD)ùÉâ)ÿº´fÜj¦ã±±ÖèýôúùѦÕ÷u}ŽtuµÕ‚©f	&ˆcW,^^N.e¹-`¦M‹zƒÈ>4³Ël]ÅÙ>^ûræHiÉûøëq…¸"ðáÕ¹¡È1czœ Ê©K†w&TEêd&}œ½¹þð¼Ý.3H‰,±‘9=Àl²±õè^¹ù®L÷›#[Ž y:wq†„”Üý•3†8©ªD0_%ó¯®TT¾•0.„F¸	 øEcª¢c¹i2E’ÒÐ@ÕqýÕç~¿³L§œà©úÝ"k‚ÇGkž¯&Y¾-ÌÕ|E2x”F’ÁËËÞ7$ý¨Ðþ~æQëTÏKîÒV8^Ûèý¬nôPCÕÏDÓæ+D¡Î»^–îlYê$Á‘¤u,ZªËthamÍíÇícÉ1ôÿh{àÚÿûïºã“ºO=ò
‚ËÒ	¥U#wÿ¡Àˆ2ˆü®ìÿŒúBYendstream
-endobj
-2084 0 obj <<
-/Type /Page
-/Contents 2085 0 R
-/Resources 2083 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
+2080 0 obj <<
+/D [2076 0 R /XYZ 85.0394 596.2077 null]
 >> endobj
-2086 0 obj <<
-/D [2084 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2087 0 obj <<
-/D [2084 0 R /XYZ 56.6929 597.0856 null]
->> endobj
-2088 0 obj <<
-/D [2084 0 R /XYZ 56.6929 325.0037 null]
->> endobj
-2089 0 obj <<
-/D [2084 0 R /XYZ 56.6929 260.1986 null]
->> endobj
-690 0 obj <<
-/D [2084 0 R /XYZ 56.6929 220.0154 null]
->> endobj
-2090 0 obj <<
-/D [2084 0 R /XYZ 56.6929 186.4594 null]
->> endobj
-2091 0 obj <<
-/D [2084 0 R /XYZ 56.6929 150.3521 null]
->> endobj
-2092 0 obj <<
-/D [2084 0 R /XYZ 56.6929 82.6252 null]
->> endobj
-2083 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F48 975 0 R /F41 959 0 R /F39 917 0 R /F53 1052 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2095 0 obj <<
-/Length 1717      
-/Filter /FlateDecode
->>
-stream
-xÚµXÛr›H}×WèQª
-“¹ryTl%q6–½–¼ÙZ'!›D€çë·‡™AÜ„rñVªœº{NwŸi cÿÈØ3#‰ñoá·7#¢1–YuÔ«ÕèåkæŒ=äÙÔ¯65[.®KÆ«õÍdvy9_œžý=µ¨À“Whj	Œ'ç³Åõ콺w9õèdöf¾œZÄ!”ˆ`‰³ñd1;ŸŸZ'oç'üs±˜O?­Þæ«*²zô3Ö¿£›Ox¼†M¼aÄ„\§ÚVžj£w¾6%Áv·Õ’¾ÁXôæ0%“Ä<¥qÆ7Uc¨µ¯ì¨‹{µ¡ Ìsè,QÝoK¦L÷@p¾îèH7d6u';ÝuŸŸMšGq´õ³­¾Tœ™Ö-»ø`U	×A.d¸¬ê¨ÃuU¡ÊÂzèôC®gqi@=.=çB.–˾ž{³¼,£oò×®ÃqýŽm] ?«Ä:··™ÿL[áÀùãò#	¨¡`Peî‰Þ ËJôº.ûD¯á²–€tW´¸nt-<庴Î4:@²Mµm¡¡§ºY×õ“È4Îvà'iþV]nÒ,nvU’êüd*u™6ðšž•Wë°j!ê ê’#Ê\G
dРÊ~ïi!Æ€·A—Ôã²ÕBŒx¢éò2Ìöc=u@Aõ°°ÙTÌTVz00J¡ƒc­ÉF
t8TæâK'Ùçƒþ¦ë¯‘	ÙÐG
îÂdOz”Ü6R"6‡Œ:d½šäTâ÷%Ýe‰©SõQQ©R^ä‡i´mäp—᱆ Ò äÎTÜ2Ó‚r¨\â
û®P=Î#õ Àmz_•Ü0§,5¹rU-ÃEÜè»ðkE7ŠTÝûl‡„T8äÅäl£îªy`ù}Dòùp-m®su¸ñwÛ"×ôÍ7ŒÃû	±‰.û—a¼Üér¾¦ ¥rÀªZˆ2äÌë-Ô™Ü9­ Áýj¾º¾Z¨ºùk
-ÌNfï¯çË¡×÷—QUÈ”mnÑýªžÂ/vyS†H³ÄLÐ[§4Ö&¡²Ç(ÿ™÷šå|®ž½_^ôì±”X`þµ1M1¥º»ú¹´Ç¼zis)ñÄäñÕÙâTñtë8J »¡~S­ÉWáF“š‡s?Ù8tÃ%¶+Ï\{°L\Ïm1»^½½¸b@½åž%pX$¡Îèò	ÎŽXçê$Mò4+¢]¼w
ÏmªípðË°bR~7˜Zãesš	D	SãÉBkNOl¢L8í’•†šéIãûh–ÔàA©³—äú0¢ÇO­£¢ÎÁh¥å&5Ð0¥Õý"M·}”cõÚûò)Iïó(o«(¼…‚ê90ÎÐ?ìõ‰(ÝËé
«{ÝD)°¼OÝ+T{SˆÜÜXëOfuW­¾T««ÕCµ
-ô{iC¾ 0=˜i!ØúyÞ7Tx ˆŽ*‹›‹P.œ½*G¿èᬲøúù,–ZΉƒ8”ºÑrõZscE}\”Rn¨ˆÓuߘÝÔû*î¯Gã´ÇÚöâ߳׉ïü™ãKžÙ^z<ïÑ~Äi°€WŠ¶Í¼Ç¦ÅŒl‚iópÏ‹§møãu¿|æìGíµ¾Â4ßü8²© m£ÿ‡ÑÓjõ¡Ç¼-#ÿ¤²™ìJQ–ßý\·™¤zô}À†ÍɯÎ=ú‹+ÑÿíÛûïøPuL¾q÷ŽÊË‘Ú#&(?a¤zõ¼ûM®Å¬endstream
-endobj
-2094 0 obj <<
-/Type /Page
-/Contents 2095 0 R
-/Resources 2093 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
->> endobj
-2096 0 obj <<
-/D [2094 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2097 0 obj <<
-/D [2094 0 R /XYZ 85.0394 752.2309 null]
->> endobj
-2098 0 obj <<
-/D [2094 0 R /XYZ 85.0394 690.3554 null]
->> endobj
-2099 0 obj <<
-/D [2094 0 R /XYZ 85.0394 411.014 null]
->> endobj
-2100 0 obj <<
-/D [2094 0 R /XYZ 85.0394 349.1385 null]
->> endobj
-2101 0 obj <<
-/D [2094 0 R /XYZ 85.0394 287.2629 null]
+2081 0 obj <<
+/D [2076 0 R /XYZ 85.0394 535.8202 null]
 >> endobj
 694 0 obj <<
-/D [2094 0 R /XYZ 85.0394 249.1153 null]
+/D [2076 0 R /XYZ 85.0394 498.7066 null]
 >> endobj
-2102 0 obj <<
-/D [2094 0 R /XYZ 85.0394 216.4533 null]
+2082 0 obj <<
+/D [2076 0 R /XYZ 85.0394 462.9408 null]
+>> endobj
+2083 0 obj <<
+/D [2076 0 R /XYZ 85.0394 431.7394 null]
+>> endobj
+2084 0 obj <<
+/D [2076 0 R /XYZ 85.0394 368.4301 null]
+>> endobj
+2085 0 obj <<
+/D [2076 0 R /XYZ 85.0394 251.2316 null]
+>> endobj
+2086 0 obj <<
+/D [2076 0 R /XYZ 85.0394 166.9338 null]
+>> endobj
+2075 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2090 0 obj <<
+/Length 3421      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wÛ6~÷¯Ð£|Z±Ä²Oiã¦i7[»»Ûmú@‰´ÍF"]‘ŠãþúÁ(’¢¤œ³öƒÀÁ3ß\@1‹á_ÌL%NºYêtdbaf«ÍE<»‡¾×‚yiÑçúööâ›ïU:s‘Kd2»½ëe£ØZ1»ÍŸÙèFˆç¯®on®¾[ܼy}ýߟ¯¯.¦"¿|ÿþêúÕ›ÿ\.¤‰˜ãxþîåõ¯/"ÚûK'ç/__Ý\þqûãÅÕm'X_x+”ꯋßÿˆg9¬áÇ‹8RΚÙ<Ä‘pNÎ6Ú¨Èh¥e}qsñÏnÀ^¯uj3´±‘‘:mÑ‘4"™Þ2¥ú©Ž#©ë¶LŠ©-\¸e‹úÍ÷Æô8…ˆ¬3 ™gÉËm±jëíóxK„”‘²‰™õç=®ãšOõ'•i¤’Ôåû©®?ÒÉÜÕ[U÷¼"uAÒ¦)Úq
ÆV6R&‘Ì69®91šY>ÏG†Ò:R
+T‘ø>ı\
IXVã*%±S{9ô´9( ŸrÛÈ	iΨBë„*.¯
+÷ã)êÎL˜&¦ì¯.#£âÑ”¯‹ªØfmq¹PÖÎ_ÝÐïöRØy±ªýoÞ 1õÇï{Wå:§æßuU4Ô¼óÌõfêdŠ#Ó³Jâ¢T:{RIT$•ç•ÄDiœš’ؤRϯ>—M[V÷´ªK¶ó§r½¦Ö²ÀIfiE$“l	ÔÕ#ýøôò¦þTäGµ&cJ¬î¤Öô¹ŽkMÇåµæ퀴w?t›Xž®ãšnˆ.Šø‹xo‹g0ÎØñ&=ÖM‰¢¼¢uó›ÇbUÞ1GF? .†Ù“Úí¼)2ß·z º×Il»¡6jœµtÉüÍ‘ªº¥Fƒó¡:ù×@”wÙnÝ6t¾:´./y5?;ÀKûPPcµÛ’ˆUK„¡ÈBˆãè‘ ËTžÑƒ×	=\^>žu$°3c±lþMœ–Šy&„ê¿-e Ôí¥‹ùä3Ø+%Eÿˆ€RùFÖðï€.çMy_‘Áö¹Xo;rV=úa
+•Ý£&©æ·%^?¶e]Q{“ñËâP8¯°¾XÚ¡¹o@_ÊÇ5+C[nŠæèq›BŸq}®ãÇÝqùã^O·‹Ø;œ­7yÄÍÇà-€êIÉ:®	Ñ6ƒlèµ²í½ŠL´7ëÄÌ_ý„‘Ý¿ˆ°MT˜ò¼¤sAª·8 ’ÅAß*ö|$c{õ´¿[å<ÅM7:ž»2xîõñnø~T¤eE•‡£–&Šã†g}`ûU¶áV}7êùã:¡À;iáÎèDë„N.¯Í@0‡¨LJÑ´Ù¶] Î:ƒ|&Ö'Åë¸&ä(†]¶¿Xœ½÷áp¡‘“ªÄŠOûÊ
w>=Õ€_ÍïY½˜÷—_ Ë æGâ~õS¶.sïCr¬²*°’*˜r„¼¾*%H€þF¢Êñﲩ×;/¾4óš{IŒuÖ–Ÿ
+¢àzP#c1YsÿUMç²ç¥–—O¢‘äå¥1iÍ@Y>óüôSí6Ë ZÉãÿïÞ½òÑœÝ`)¯~øáÝ»}À‚sÌÐôþ#æ2†?ˆ…Ö›!leL>Ò~¡_hó"týz’}Gm«ÀñÎÃ*TÜ>€ŸUJûa‹dwÄ5Ü%d§MÈ˘·Äò–X¿%Ý~XÞ;ÿêݺt 6¥z¯\ÓOêPåLë¢VÿD¡ƒÇžp~Šb
+ Uõd²Áxì&md!‰Œbmf
B¯‹*M!–K“.Ex¯ µ)«gF‚~êÝ–Zˆ£Û²õº~Úçx4ìº^qÞ×|,žl1Çâw͉`W<IÚI„ësG¸ŽË#\1p)D9¼“€èÓøGç'N×qMH7vV­ÖCñ:|Žý6ß°åñÍ÷ùCÂáÛ€¿‡oøÈø&\|ˆoH,>?røé-ž¿äŽ'¬)UŽ%:ù%5’¥]"Á©•Ä8C
5ÒC"àG׌ì´Q°âˆåCɯ1\uÈ„´€Lhy n u?ägqºšy˜%àje\¼`NsŠvÏw¨ ‰AÅ14éš÷ ´¨¸à¶€Dq;Ð:ö‹rè»Îy\ú8V
ZrÕ£1‡ÖÆ™@|ýjÙ_¤Ò‚‰UýôÕuDm„8ì„8¡¦ÀvÂÜÆʹ²Ô¦‡p8ø0SŽ©˜zòì™yö;ˆbøÕúWi=Íï—_¿ƒ€D}S2RWát¤-Ĩƒ
á¼/š2’&!¿`q¤„ÙÕf×0/€A3‹m³©â”K²Ý^~)ÚsÕ)tZš3…Ê>×qèí¸<ôÞM&‰UIê]û¸kwåú|=d8wZ¼ŽkB¾ap™FdË¡€>ÔW"áCt¤!Á‹HDª
+¬·…ô€ÒIxnÃX˜{z½‚öß5ØbUø¢uºŸŽ5‰^ôÚˆ3ÖôL)Ƥ’ÁtW¢ŠZ!y†dy²Çʪ¡v«”•_,ù{\,îÌqÍQ:‚8“–ô¹NhNàòšópP×L¢Ø¥g¦LSêš"ŠÁý§|¿-«–#•ŒÃ˜‡zË›Ñì6›Ì×–¦Ò8*„—}F‚
I÷»MÑ
Ü2<v@j¨·/vV
ø†ž K'Î0Õ°eNŸµëXF©;}:=®§¸üé”ç
+	°•Å2§Ãˆ
+	åÔiÙ:®	áF-l”È8J÷ï.<Êèç‘üݧ²Þ5ëçE°Oìòì[%G@YÓ„ÞŒiÞ(СÇr:žòE!l,‹~ÔE3qˆ…Æ?aÓpöNj=±o£Å.”M"§Í¨jSÃL g'Ï«uH‡Âþ)cÎŒ‡ÕÉï¨Ø2ÊvŒpVP{2á¡f
+e5È0ðÙ첡ŒÆ	¹¸WÔ§¯}àŠr[pÜwä/mà kE·X<<ko™ÌoÓPãþ˜4äj?cÆþT6Å‘W`5M™ôfÎ3×ô»äY½”Þ1àSS×Õ×T»Îª|2Òb¡Ëƒ~8Àðu¶âÔÉ¿ê"eA7:& ¬ë\Šp2ìÒ÷ÇíŸb`µWó¿v?àââö¶Ý %©/·Z1}Y´OYYÕ=kwÄK¤‚²Ò˜.¤Åæ¾:Þ_Ìqï¨úVq!åÐ~Œ‰œú‹/­µ=sèœýÒL<Ì™…õ¢Àã\|„¦	‘jñå@ŸFJªàðC’×ð\ýínBõ3k¹à±Q&CûÙ«Rªla3á$hX#kTZ‡¬ˆñûJL ÃûE ¦‘!Žâ­>AEå¹…Ÿ
›·ø;ax6Îíï‚MÌðJE-?Sч‘¥Uº7É6{:6f$Ão0šO ÆUî¸ììÌÞÛ;3´Çm	¡i¹~f2˜¤¿¡ðO”þ'¤£ðL)/¶Èä¡‘?CŒ_®è!GØæ«zO®y8ÄnñˆùnóHo$ócc·ò&©S29M`¢±”\-ð è)h¶û	¾°{Ìü°Ó[)4–×	Œ\#þ<¸ÿY¶-9ÚÉÀ“’íoE›¼ÈFa»L’ýå­LRº
+dÍòvG	iP¹>û£çw{1ö¯Ë»Ý8BxêK×D~Þ:ô+Ð_6Í.ëuh|»˜„`7ñ*4u(º4œ–’ºqð
+ªRâ½pV>1é4ÕYŠ‘mÈ0á]^¿åj:PÊjÅ‘@‹zc‚ƒESð!'¬"ò·Ž¾•€÷ŽdCøî¡ùö*rŸíoÞ»‚6}C†â›ŒÉ&·—©žûK{=û­àáÆÁ2=dŸŠáÈK~&¶^ÑÛKÄbd˺“è!\ÒgÓ5ÎPUõw{Sùx
'•=°ŽÃªŠK»0´û^@ÈaN¦}ªtÊ·ŸÊ*ÇëlÂ"#J$øSÑÕ+…äZ$0à†êMùw^æÆÐ¼~ZƒßuÈcùÔþ&¨uÂMPÃ*“å¤Ê>n(ólÏŒŠpË%Ÿºg9U]
+5á·–PÏÂ!þߟtî?^Õl[{äS™B¢á ÍBáæ	i¯Î9!ûÿû•´#endstream
+endobj
+2089 0 obj <<
+/Type /Page
+/Contents 2090 0 R
+/Resources 2088 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2087 0 R
+>> endobj
+2091 0 obj <<
+/D [2089 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2088 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2094 0 obj <<
+/Length 2932      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[wÛ8~ϯðÛ8çÔ*/¢.óÖëœÎì¤Ý&=»g§ó Xr¢­-yL9mæ×/@€´dKÎìôäÁ4	‚ àÈ™€?9ËL$tÏÒ<ŽŒf¶Ü\ˆÙ¬ýt!™fá‰}ª—7Ïßêt–Gy¢’ÙͪÇ+‹D–ÉÙMùÛüŇo®^¿û÷åB1].Œó__\}zñšûp™«ù‹ŸÞ\_.d–ʈ2$KÄüõÕõõ›W‹ëw?]ýçýÕ›Ëßo~¾xsë/…F©þ¸øíw1+á?_ˆHç™™}…/"’y®f›‹ØèÈÄZû™õÅõÅ?ÃÞªÛ:¦£³Èd*цÒ=mHã8™¥&
K¨ëú®)ºýîRfó
+®çóu½ªºzÃßþ[w]µÃq6/Ö¶¥ÙŽ?mëéªo]Õt4¾­šê³ª³ôý¡X×eѵ;Ë|š’·W»‡jÇT·<¹%iŠ²nîhªÝ3çe±¼¯Pëpõ…”QnŒr÷¨¾më]ÑÕmó¨çuTÍ40ªW4³.ß;بy³ßÜÒÙ°Ö®hòãG0-Ï•móCGÓŽ»W,}v÷ÌÌ^bÍÁÜÊíh7¼e½¦iwö÷Ù~­här·9溲–F˶¹«,^—¾w÷è¶ÂŸ'†Ê‡ïMU•¼©¥OŒ¾¼ç½}nZÛ­ý	,„¿ªpWNž€ˆ„§–
+Å*ËÆß/-úTä±rìýz*TÆ¢Á#Ÿ¿5¦ïÛ2ÊrÏÄ‘4ËíÞ&Ue
+ÈÏJ¨FD<&
'Š#Ñ®·Õ²FÇGûêØÒt³³Ñ$ú-z?·D„öÀ…½E×5y<ùH+eµ*öë\['ðæzà@k>ÖvÅ®«J"Zµ|nU }qTV]µDôµ…‚›˜lèq¯>|š´l’èHâÝÏZ¶O5mÙ@å,{5fYŒ¤)Ö¶ÅbF]¬p­
øé‘ŒJˆ(MÀÎ
+¨F¤ìYqÓ8I†bÞ Qc‘ί߿ÀA2'‘hÒ[Ç,££A«ã\çw[ˆ¼h#\üL
+&O3H>­µõíºês°ô¥àXá”4Pç"7à"ñF¤L÷Y©øKUmñ“7õo§!Yä¿™ÏÂv3Êg#§Ä*ÊUû
Àµn–»jqâ“E:ÖðÊUæ‘6©îqÝ7õ7Œ-SLE”‹,ç
'n*E¤q:Kj8kô{ªEŸìÔQ}ÒTcŠZ±Iž8ÞS?3q	•äÃó_sànÚ¨Ëzu¨{ºˆÍîé¶{¦ñÅW@
ŸW\ŸlZqjÒg2$àÈ:yB&‘` »TD™Lã¡ïàx÷Œ6WþªÆÜxo	’ÀðãÛW4y¦8mîêî~ØiiÏ(7(›ì)åöÈÎ(×SM=¡nA&ΞÁSˆ0Ð.A
e¸®þozvôÛ•ßˆ§dFX2mµm—÷“™Êh€¼g3UŸj:S*—©Úq¢ãÈÚ]}W7'6Ð*¨Î‹¨Fd‚4RZ›¡p7^‘: àÔè„qxXÌß­Ž¢‡
°¥|vl‹ö¼%ºSî¸uÍãšmTX»ßMc/ׄýâ< Zyiô©¦í¨œýÞ?…4 âØî»	”!S‰°÷¬|žhD¾
3‰ïHt6Ô©B§’€cÊêÃ	Ico$„·Òà|rîÂN…=và˜aGëØq8ÕÒÖ3°#EØ
âvtPN¤o•ƒÝä8ê`ßÅ	Pµ¦ùa#0ß_§ÎH#)35‚™42RÊ'ü«GuÆ¿<•ó¯íñ‘P™ÇqüÄ‘žhäÈþíÀQbeŽŽüdÑvP3lmµ/ÛÅ´ˆµ§Îï]A‹_陼æÐÈ;ò˜½f=5¸ +'r.+€jUØŽ°„‰XËù­s>  Âi Ps3i¨2Å%NžHÏe»RDF°+ ^|•*'>Æ®4e¡T
+û–«_ Ø4p¡‚ZíÁý×ô•náÖø¥ß*¼»¥,™ðÓoô•>Lj º~ËgÚ–.¼d6µ–ðdžu½©¡âšvE¡#-Ò'RUŸêŒ+z*çŠ&]ñÜ‘W<9rÔûG¾®mq붵>Í€î¹%PãÕ²èu0*Ûlê9”:ëÄöõS i¾—›uÈ„¶ÔƒXÑA=Ün¶4í¶%O/y¥´]V»öM6æG×,^ÌÌðmÙ¡U}Fš´£«q‡ºH÷í~]«¼ódØQI%"5çÃNŸj:ì*v®§òüÙ#Cž?=r,ÏŽ¼Þ;ÔC–z\õ#X,ƒ¶Þ]BÒ\vv¬ã'òH+éݽl, Æ²p)âÔR)àÜDúŽŸ«&ñÌŠ¬â~µÈ2N°£¥@u×î‰Ê¥|¦²4b[Êžn^&ªè R“Ç?΄žÐ!}r3¨~ëf¹Þ—‡xã§'ëð[ΖcævWƒ‹FáÍðÑ¿©*÷¼•Ò¬øî¦Âßö“Mªq¿Ì)÷kI›ª+è%ãŠßV}+€Ä%hEïWñ„ÎÓô}û•ëh=¼E±?ñ]ðùÅÒC‡ÅØû
+=é
­ÚõºýÖ“AñÁ‘âMáÁ²ûå"rýP
™[ñÅ?sP(â†íChJù¯BŒÿq²¯É*É(˜ŠÌÅ™ñ–µò=#¹\¨.Â1®•‰î‘bf¥Ï`L÷Œ	ßîKƒÛŠ
+}h*ªõy;•8&”™&Ãy7¨™Ûv»®í½sŽ”ñ_Ÿ{2ö¦¡„à¨XjãìO¢\'fè
+ƒW1ÝU•qŽ½ÞïQÃ9ý{²`€¾·€†~ðž…ºé8`£™õÍÒ*üÊILØBUñìô°á®¾9¦ËÊ`el¾C…=çTèÉ‚
+}Bå:¨æHc
æ±×`ÎÁÉu:&uÌcºtîëul‡æ´0ƒ3˜šùô5ëØ•¢ÜqljŸyÏ	º„-lßIïE‰‡}­€†îPÿEkAJ„·)ÿ¾±zÎØÊSySIW>£„"x;ÎùZ68¼ð«NÍêÒŽÆN’+lœplqÂûºìõÏ<ðtÔÞt¼¥s‰pzNô*ïgcÆ“áçÊ¡I†ûØüû–
µ¤‰ðÿ}Fl'fÞµ¾ûߊÿ@§‘Î25îÑ`äÒ…Z‘*?=üÒ©ìÿj™E2endstream
+endobj
+2093 0 obj <<
+/Type /Page
+/Contents 2094 0 R
+/Resources 2092 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2087 0 R
+>> endobj
+2095 0 obj <<
+/D [2093 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2092 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2098 0 obj <<
+/Length 2582      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sâFòÝ¿‚—T ²LæCó¡GçÖÙsvãõ¤.wÙ<È Œ* q–°×ùõ×==#$8uW<¨ÕÓšîéïĈÃOŒ´a&•éȦ	Ó\èÑb{ÅG°öáJši$šv©~˜_}ÿ£²£”¥FšÑ|ÕÙË1îœÍ—¿`ŽM`>~7›Ýüm:»ýp÷ïÏw7“©pVØñõýýÍÝûÛ_'S©91ç㟯ï~¹þD¸ûI*Ç×nf“ßç?]ÝÌ[ÁºÂ®Pªÿ\ýö;-á?]q¦R§G/ð™HS9Ú^%Z1(1›«ÙÕ?Ú
;«þÓ!eÀ23ÂVf•$JXêì2¸L§©mª”YcZeJÕQ¦3L;gD¨ËÛÕdª@yѬ'bœ?ÑkÐÍ:G@ŒÿÈ_¿­	·/wû‡M±Èø ¨ÊðEør™oò¦€•¸°Ìš<|™=M„‡ë¼	ØrI˜¢QŽ— ²{/é…œ¶Ë¿†ôW„Ôø².kñŒù€<$É–Ý·„õN‹€wÚ7_ŠÍ† ‡°‹¯Ý„¼ÍšÈ„۞Ϣ`:•Øä,Ú¡ºE#•÷Í春QLI›^f‰XvÜ8¦xªú,ïŸ K}4Yƒv]e¿¨¶;,°UyV#ÚAG%Íe…tˆÎë#yu<AÂS¨nòçü¤¬¤–¥ÒÉ‹REšS©zyK–r(&]±fySÕíeþ°|¤ˆ€W/ÕyeiÉ,OÞÒV‡ê‚º"•×ן'î-\
+]ÞE–‘h€eÏ}´JôYÞ¶ù„Nþqö‘¨<*ê¨B,SNóA—QqMþ„'ªîe5§mÒy]JÎœƒã².;Tt©¼.Õïqf±µ ß«³ÍI¼¦ààW—åŠDrõ:S¥¬'ׇ¼ÌŸ ½…¹#Õãf|‰"ÌbaêD,–DBz?EÔcñœ—„[ç_	ÈËEµÄr€x&¨#GZ^fuØå×<(¥+¦Ä_BƒÖ×ÊÑa¤b)7D[‰ o¤}G¢þ1èˆ)Ê%vþ9ÕM%5“B™ãbݦŒnƒrP)©ûóÿ¡#?øã#©·uÇ6ƒŠ}>DŸõÈÄZ˜âÌÑÝ¥:ï‘-•÷È¿y$ŽŒ6hµh¼ìUY'gÚjwYº–j@¼^VTšimE_¾žUb6¬ÂÖ
+QÕÑPÛv¶Ú^©ÔöCÊ
Ml×Ä‚óó†IÀqœ~#Ut©.&RyÃ\Ÿ¤]'LÎYF¢–]e[ȶ‰4}–¤k%Óž®ñ=£GÐ5‚A×Òü5í|¾ŸcöþüËœÞcÚF¸
+_eØ8mzÚ#¡ŸªXVô¤Fø %…°cNÛ~øv\ã´ƒä*NÑEYç‹}·âàðÿ]äœé¹`š;û†é;TL©Pnl]qÆÚä'…@2clz™u$`Ý+–™˜ë6ÿЪ•MÖ©¦=öqÄòš/ϪNAÙ7Ϊ˪ëRW]K…ò‡A·ËÓBËù<#ÑÏ^Ø8ˆqÄÓ_¬0·ÓN‚,5A5‘›%Á^CðuÂPEòTtsƒ˜u BcŠÒÎâˆ*«ãÝSnÒÐ¥õÖòÛÚþ¶A\š_H.#Ѓ°Gq”Í ™òâª5~턦†â#·¡Eâ«ZÁ%˜Éð`<¡ƒQö¨ÝáD€_Uû2°Î"Ð+q·öE…y‹|ÞvOÅsLG£"jðh.l=²íǘeŽØ^‘¼k?9|«ÎéXxhÚ¬nXèkD{_Ž6•Ð>s†H :­óßüzýóý§›>N&!ñ;ÑbÙ´ÙT/¤£qæÚ’a
Ù×â±éŠÃu²VLrSô˜ØØ‚îÆ@g"mt°$´‹2^F!êýìšê܈‰|I”¯­J:Òà@áÒ4pX–5äì)lÈ3Uþ’8Iû7!Øm~위}¥é;aeb±{—´"%ýÁ‡Û'gAÚ‰¿†—í¾nˆä!újèâý. ¶YÝø[h€c6E‚CÃÛ»PRÊB‹ýîò]Ö·S€Œìt¾­ìEM=m"Áu’Dô½¾(Ÿ«E®Ä=ÞTÕ5虧‚¥
+º1õŽA“µâ*…šØV <0†¤JÒMï#è…—JÌpxá§xÅDŸf
Aïgô[¦ŒR}{ǃ·¦ÅÎ3Uý€ÂuðsQíëÍ+-]{8žPÆÚ¢Ewlƒ
²'8ä^šî’ØÔŠ¶ðd¡BƇÎ_Ž³ºÞo‡û¸Éý_º†¡<ÀÀb7ÒÑ톢}0/$“¿˜D¶ýù@òÁÐßÒ0ìãɽ8oû ÿû/ëßó	x¦sg†ai5ƒM
+ŠŸ/œIF:•ý¿ïŸá”endstream
+endobj
+2097 0 obj <<
+/Type /Page
+/Contents 2098 0 R
+/Resources 2096 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2087 0 R
+>> endobj
+2099 0 obj <<
+/D [2097 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2100 0 obj <<
+/D [2097 0 R /XYZ 56.6929 296.1579 null]
+>> endobj
+2096 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 2103 0 obj <<
-/D [2094 0 R /XYZ 85.0394 181.2399 null]
+/Length 1561      
+/Filter /FlateDecode
+>>
+stream
+xÚ­XßsÚ8~ç¯ð#ÌU¿m?RBÛôZ’rw3m\#‚[°s¶IKÿú[[’±A@;w“™Œ-Ò®¾ÝoW‚xþˆ„YÈ=?äH`"¼xÓÃÞ#|{Ó#3´ aõjÞ{ùšù^ˆBI¥7_¶Ö
+âÍŸú£ÛÛÉôêúïÁ
+Ü…CqÿÃhz?z¯Çn!íÞLfƒ!ñ%ã
++˜ÄýéèÃäj8~;ÿ1¾™¾<Ìßõ&óƱ¶ó³Ê«zŸ°·€=¼ëaÄÂ@xßá#†ÔÛô¸`HpÆìȺ7ë}ll}­§ºÈ,@" ¾ƒ
J A_¥±ÒC¢t­n *¥4Ë»à(3€»×c½"øÄëq‚(Ä ‘AtèÒP2ô†,D
š‘ÑýüíÍÝeæ®ÓRå©*µ³]QªM¡_ÆYZdy™l7{»1.©Y‡säh&0H0älmÔb¯Tü-ÎÒe5·3‰$!´OâvaÈ&kÔáBµSŸ)õõSýY?ÂçÏÓÇ-„-ÉRƒ„‘µ	X±KËè‡W&é£~+³lí¢wéœíÒì©HŠCiIЃ$ç	SR °C*8<;‹FX@¶—¨e‰£h4('Cøÿ4\=اçæékóTêíŠ6󇈒ÚÇZNI®bÀNC;ŽŽ$mRÒ¬ºLÖªrÆÚxj¬ý|p'­d(àXX–uį&³ñÝõíüúfÚÌ:™¹Ž<;ȧ€"ŸBñÒ®ÖH“Ú媓/ôË—­‘Aš•‡8µ‰Ò2‰ÍL:F¿“‹nýZ/;ùvS“0;ªä&Y§(}~>£Ú([x3ªAUv‡«C“P¼9çLZÃd; aˆx¥„ŽÉÛççMZÃd'pŸÐ:&ÿZ©tO}sÈö<·o:kmˆšø5Ûæ©UÍý¤ljSQ§ÉäùŒŠd¶PgÈ´¨jgÚïÔ\œ:'
+—2ÈÌó¶”ÃxçdACHsF»Öç57ÌïëC>eÎhÑ´ÁÀñÁ¾6t ÌôØ;¡jU€V/ú×K=ªÏÞ+žTœTóÕ¢:ts€,Ô2Ú®ËÂ8à:å0ð^i¯)/U¿Ü7öê6J¡ V­ö1â„(C!Áüì-œCƒ%~÷:s7™ßßMuÞü9fû£÷÷“ÙÿµÑ‰\BÚ¶•î;©9ö”Q¹-ºÅˆtSü×ÊúA¯ÆfIHƒü{R(têÇ'Ç6æl¡¸!ò?ÿ0µÿ	ŽWm6 î$g¸”pãTÅ!aäÐõæ'¬cßÿ]í¼endstream
+endobj
+2102 0 obj <<
+/Type /Page
+/Contents 2103 0 R
+/Resources 2101 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2087 0 R
 >> endobj
 2104 0 obj <<
-/D [2094 0 R /XYZ 85.0394 116.4425 null]
->> endobj
-2093 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R /F41 959 0 R /F39 917 0 R /F53 1052 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2107 0 obj <<
-/Length 2716      
-/Filter /FlateDecode
->>
-stream
-xÚÍZ[wÛ6~÷¯Ð#}NˆâJnâtÝÝ8nãm{šæ)›	E:"Çýõ;¸Q¤JÎe÷lsNÃÁà›ƒÐdáYˆ%ŠªEª8˜ˆÅr}‚·0öÓ	q2±Š‡R?^Ÿüð’¥…TB“Åõj K",%Y\ço£ÁèTàèòìÕù‹øù?ΟÿóÏ×—ç§1I	%ÑÙÕÕùå‹‹?Nc*0ȃ0ÆÑ«³ËŸýËö]*ýtþæôÝõÏ'ç×½eCë	fÚ¬'oßáE‹øù#¦¤X<ÀFD)ºXŸpÁàŒùžêäÍÉ/½ÂÁ¨y5„O%â\Œ#	ó‡¤ÀBè	JPJH€
-…FY('!@½”´ÎÖE/›õ}Y7uq'€×Û8ç[ïûÖǾõ©o-5Š?¼ãv3Q°X06s,«¬m­ØÈ ª”Ò	õ
-Ÿ2ЯoÝäEHCJ»mOß꨾U³Yg]@ãX¬×ø2 1f2_'é"&)!èW©.¿mñ|_߇ïæú;ÛWgûšãΞkÒtòIŠÓ}mÐÝB"­täí¶{¬Š9¢§j_qwÔؼÜË®Ù<”
-ŽØhûJþJ_ô­ßêRÁøW@ãó4v
…°ç±Õ€S8Så8F”Ieô¼8óü׋«ë‹×—ý[»9ñ"¦)f&†±î®X~0‘ξ0\‰äˆÓÔ³ÊH¶úÐ`QwWèÚǺË>ÛάÎmgYwÅí¦ìm³rãvÔ†UÝñÆ´*àLbpR]t¶ó¾Øè01™Èࢻvvð(këdL"B©׬3°º˜S
-1JíŨ¼)´rÉ£‡»¢¶­ªÉò²¾ÕvÒ.Lç„F×wekÇÖÙ‡"dI…>”äФcЧTù=²m‹Õ¶²ó8¶a^ï­r¨B¿EÕ­á¦ÐòDFnpÙÔzü6ÖsÇ-Ùƒ`»±j!;ü׶Nml+³?µóŽÚbó©Øœ¦ÇÍAä<çÉ
¶];ª€3XtÔÔP½”Õ_Õˆq f‘ÉMÍÐ0¥w/
óBÃØh:X€béز7úì^=îh™¿÷†.£Ž.ÜXÝt“Là™óÔF—úÿέO# ù¼+(AŠ«#®Hp…—2®(®PPÉt¯Šš%”HR6ËÌPnéû“‘YW¶\9”¥MÛÅz/ØG—òQ±«luªH©¢«¦mKsäkI½ˆÖJe®&dbi™¨òÅ«ö”~•ñÖ4nQh¦Êóõ/,°KÒ¡IžÔsŽ°TlO{¬­„M>3K9\’’¾Lšª…Z:A„'ã´_««še6g=TA‚q@/GJ’¡µFÝ1s•¾ñæêØ8!b"j®Á£svR”ˆ”÷ÅIí‰Hû$W·¯úëºwåòôéNí	ào;×u–.4•^ýa{,–¶ÄÏÛaçÊTu «ËPÝ}f›{„ÿBJ¬”¦Ò
”5V¢¬cOxaC£iÛÅÍ*öG*ĽJBÇ$€š¤Óp«)é‚ÔJæ¦rßÝs^*3ê15™‘
”ýý68í¦Nºóá®\Þ
Ç
d&°6¾hŠw]¿O"§Âû_ô¿Ôå%y²ÿåþ¥£Ò»Zo~="úÍ>L9@ÕˆúÕÆþžÙŸÆu;L”X€ÄŽð`9 5M8 ‘„#ôÿˆ=Xÿ#"È#D I"ŸL8”ÒÉý«T$PGVÅm_‹*ióX¨¯.q«3‘Aÿ4®Û²bªÄöíX¡ŸÀ$>M†Ž)b)Þ»èò„	7¸bæ.XeUÛØV¿ íö´n«­Ó’å¹5¶uBÓ]æ"Íh0¯ÑhgÆ:ë4쨹F±j¡êèÊÖÞ†ì_kÝLr´»²Êð[ ”§ä‹øMòÛzü;SÛ%š^öÎßHµÍºð¬‡Ô*Ut|µe'ù¸-mÃUÖO»lÿÙ¾Ú²7·¨÷05æØ摨¿ÐÊгaï¯'gÌû]O͉8¢’ócI‘œ|yúB“>óÍËÖ]1¹õõ ²Áèµ·×l—bšÞþ‚ÒŽYpµB{‡Á/)1‘œuÉ$¯;¶ FÈ'ä_ü«Â¼ÛèP×tå§bx!ù>Õ…?ªß)áOL¤·’ŒÒN¶¿Íýgê'‚%?)=\?
¥æë§^ÊÔO«`ý”ÈþB{÷á}hÁQNæ…†KÙQ Ôزp)묙¯eÇWÉ&œîJ©_·ÎSPîpÜßißvÅçîoI¸–Úݾ:A Tb¸Í7ÙÃÜ)‚tK‰UR3MŽ\ý„æ‰â…O^†®<b¼ß‰sDaHaÈlÙÕM
EêÏÿddYÏ&¹;%ëy¢;5OtŸä»oJ’í¾ÉÑÇ  5¬Â{¥­ž§dˆ1"ŸF†“DÍqÇLäNÙÂjÜÑ1úe$2ä%Ö@¡‚fÉ7|5{Óºîãøð~i™mýG§¬v;½XiXW ô¶®
-{å/þü§Ôðæ÷ŸRÑÜŸ¥1ý,ÄDÜtúæ?YÛýu‡DVÊ™àGSõM¼Q;ÂètwëëÅ„lÿò-Зendstream
-endobj
-2106 0 obj <<
-/Type /Page
-/Contents 2107 0 R
-/Resources 2105 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2074 0 R
->> endobj
-2108 0 obj <<
-/D [2106 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2109 0 obj <<
-/D [2106 0 R /XYZ 56.6929 687.5403 null]
->> endobj
-2110 0 obj <<
-/D [2106 0 R /XYZ 56.6929 540.8661 null]
+/D [2102 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2105 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F53 1052 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [2102 0 R /XYZ 85.0394 751.7846 null]
 >> endobj
-2113 0 obj <<
-/Length 2698      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÍwÛ6¿û¯ÐaÔ{ŠO’8:¶ÓM7q²±ÓömÛ#Q_$ÒKRëzÿú@ˆ”@Êi²‡]û@`8ƒß|b3
-ÿl–*B…–³DK¢(S³åî‚Î>Á».˜ãYtL‹>׋û‹ï_Šd¦‰Žy<»_÷æJ	MS6»_ý]¾{ws{ýê—ù‚+½ ó…¢4zsyûáòµ¥½›k]þps7_°„qLŒ"_L£ÛË77׋«¿Þ\ýíoooæ¿ßÿxqsï%ëKϨ@±þyñëït¶‚MüxA‰Ð©š=B‡¦5Ÿí.¤DI!:Êöâîâï~ÂÞ[34¤
©R¢¸Œg«Š4	댪@‹DÂ\1O½Î8é¬ãB->ãF¿©T“1’j’–]µÊµÁ8%©T³þŠ'ruL¹D5®HÊã#ÁÞåõºªwVºÁ>€‹2.t¿q.—›|ùyQf»¼Á®Ó_#áD2æ†öf¾)‹‹vƒ-µ›Ü’š‡|YüF)ÏW–°ÎŠí¾ž³4r¨@MBeô®jšâã¶÷¢±ÓenÀ©ü<‘$MàÄÀF$_H*K¶€cÑJq;Š*ºÊ×Ù~ÛZhƒ²k)NÜ-…Z-–Õî¡Øæÿ®Ê<°žMq8Ú-þÌ›®Ó´·ƒÇ¬.Gv ‰u|˜ðOËÇ6"u
-ª¡\õ¤¶³gå*tŠ°Xõ øTVu>¶
ÂðÎȉgpæëJL›hiÜB;&c »JÇ24PAbžcJ*Ït*ÖÐ@Ái¥rÝ¡•¬Ÿì¬h“ƒùÔØáÑ›_,ÑÀ²2ÏUc‰Í¦ÚoW¶ý1·ÌÁæŽØVŽ1wo‹µ{±ÉÝj™·Eì¬V¶Û4yF)ãQÂÖ(A?°á”ÄRë¡)[*SDÃßó@%•ìÜRÈh$Ñ)_g4ç ­4I´b_myÚ~(Úã4¶{\àî¸ºß„ЭH’ÐitK’pª¦ó\Ɇø¥Q¦‡¢]!*ARXÂ3Ç8t‡ïÓÖyÝؾs7TDW˜e;M¥ð¦È;:RðÎ"¿‘b‘1$‰z&"cs6†H#w‘‘P"irÀ¾•×…¢£<Í×4;.Íò«2£I¹|ft*W03æ=/ÂxÞ9‹ŒóÅþí}ž8_.¸w¾È€ÎiÞù"ÑjóÜùH°Î)Þù"ùØù
-ªz°FëþÈDÀâÓ”ÊS„L¡;!ZªoV|«tHgWúÿ?RqÑVÄÓ–Ùç·LÏe,³
-[¦I'ÔNµtbRN9-œç
-H7°O©!‚ªl ÞÏóDFuÑ¢c,2'-UûöaßZjëö û»Õ1œöp´°LÀÐÄŸÀl&zµLÉÀJ”–ç§TŒ0懢	Í~œùp±Yá	ë 
>£´›}ì´Am<RÓ39Úq¹ßå.\ÞÆ¡~‹µVC±Ã)Úª~š²œ8&2¥ì‹M^Ÿ…7d2éx÷¸&àÝqÅ6!xSÂëtß´OÛ@ä3VP•MJæ¹¢
°-(a’²¡l‡Ø“j[1sM8†V­Þ­ö»^€hM[X^o±†–\ÛˆAÌn¾ÆrNÕÑŒ€×JúÉÐ~;.4‘>:M¨q¥ oŒ)Q‰îg\u¾ÍÚâ_cÞ}G"â>| ˆçja¡ÕÇï½¹qi„b»VUï²Ö¶­¤BGiöE›ÙŒÑòÚƃQQµ„(\”Ÿ,-Û·ÌT,³íöÉ’>ºgæ&˲:kÝdͲ.Œ&*z[ZbÛ	X™êwB»-Ø+·
(í;àQ¬c¦.õ°:²”îXÔ™ö®òUP7{0æ…¥d«n6^
†µ›}ã<È sÐëôA£|U´NÌíšIyttx8ψ±P„§”{o‡"òDG«*w­²Â ž¤Ñ2Û7¹¥eå“mäkÜí:_¶Ž{_è]»pÑzÉZTâ­Z˪ló²5™—Ž£W­[bÛT=Q;a‡{¬\Ò±Éð¨l‚à¼é.ÏJ£Dì˜4PQ'ƒ:„2çwÍéÆÆ>ýÌmþG;êB¥„
-…Ü}zÚçw¡žË¸Ð»¯ÊÝ'åò¹û©\ÁÜ} XWT*w¯ÏÌ>îÞÏ•Š~²“ÊRU–Àc"éa¼¯,Õ ²T>7¼•eŒ·ªß°²äJ<¿²L --QðñÒR0©þ;¥¥¤‚î¹K÷>×<;.Ï6OH%¹f«¢Ç€©ÍI	],Ä´pž+ ݤPWh	qi ÞÕÆ´aAu8WT«4Ê{œYbVëwÖTnÒMæ¦/Êåv¿Êm&²ØÇèÑ8pôe7ÊñëÃâÓBXQ¹·6«°íÞ%¡îGÈ|å®Ñ,cvtØý]=OÁ-ÛöGç3ûhŠ]±Íê­£.½ÎL²ƒ.È(¶„ÒØÐÓØêscËsl=†ï‹=­
“Ây®€tCly<”n¹Á†tHŽ 
-ÒÜ”?T)¡\ò¨ÌœTØ&!H±à0‰ wöÅ.kÚ¼î3Ùö_^Ý^½þp}c{GÀt7—ÆGQõ±ª?£#fÔU2ýÀè`ã‚cuV‹øªf¹u¹NRTÆ).÷U—…˜Ç:¤5M’D-mÞÇ$šgkœ—çõñ’Pòš~rÉŽ)°äq
-‘—¼†ÊjÏåMÐêNÙéÔê9+«Óå~R3zŒÙö1{rmÀÄÚÕT
-©Bˆ?}ñ4zT;üì0yT}®ñ£ò\æ¨~þº›ùIÁ7ó§’oæ¢>=AÒ{øô“ÁséÒ,¸ªhp¼°ó]Q⛡Åvµtw˜C'2n§¹,é[`lk
-4ë@\¥Ž¿/uX‘î#36ܵ©½öƒ¾©›¥Éæð1øälVö¹/W¶¦.LØÓR¿ËMáqâí§ª.ÚÍÎv1ËzÿòÊvs-sƒ›ÒÇ@Á×Ýç¢
Œ&“x=Ũü_üÒÅqŠésöÔãš°§ŽWD3ÞH
-F”éôÊž+°ôðÖ&†·1®}ïãKµË:‡g„±ÅÜquwð”s_º£šcoÁå™û°>׸æ<—ÅD¸CÎj|=½¶ç
-,~ìl|¸º×ݳôÕÝkupõ~Èa.†àŠ ›½¿¹ÿðþÖþi"D—¯?ÜÜ…ï'xL4UÏ¿žZtöamµÝ×eg½ù…+ÕÁ«´ûf¸E6̇óÚf¹µc{̽Btå-d.]$´.
-ÔM‰nú±hF´Ó‰;ÐÎÝÍ|ùúîm` IíwšCn…IQïµ™NèAšÌþCŽõ¨*Tè¦.½
-M8øâÿâÕíµO»M­ ÌM[ã%¶%½Çߨ´\:­¾ÉÊ=Ä¢ÓåY0ãxÔ¥ùò€àÏ̦Aý	|õ¯Ù?Üç/ÒtäS» h‹šuB¡àLˆcÑ•H<	Èþ¾­Wendstream
-endobj
-2112 0 obj <<
-/Type /Page
-/Contents 2113 0 R
-/Resources 2111 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2117 0 R
->> endobj
-2114 0 obj <<
-/D [2112 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2115 0 obj <<
-/D [2112 0 R /XYZ 85.0394 150.8622 null]
->> endobj
-2116 0 obj <<
-/D [2112 0 R /XYZ 85.0394 84.3753 null]
->> endobj
-2111 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F41 959 0 R /F39 917 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2120 0 obj <<
-/Length 2454      
-/Filter /FlateDecode
->>
-stream
-xÚÝZ[oÛÊ~÷¯p*ÖfïäEÇvRœ8nä´Hò@K”DD"uDÒIúë;{£xYJzúÒø£åìÌììì73Ë	†?2IEÕ$R	LÄd±»À“5¼{{AÏÌ3ÍÚ\¯Ÿ.^½aÑD!%©œ<­Z²b„ã˜Lž–Ÿ¦¯!èDàéÃõ»»ÛËeŠÉéõããÝÃíýïð[`àŒ§ï®>^ÿfÇ/^¿½›_~yúõâ§m3ÁLóÇŧ/x²Ó½Àˆ©XL¾ÁŒˆRt²»à‚!Áó#Û‹ùÅ?­·fjÐ#Ê$
8’	¬Q	A;^
-IF™ñÂõǧ¿¿ÿ ì¬å3<µ"nøîó*=äie=0ÿQVé®´?nŠ¼,UVïœÐÊã’:9l B5^¿œ.Í“]ºÔS4ˆÅÒò<À‹‹âXYËítcÁgJ#KuÍ\»$Ë-­Ù-U¦‡—ôp´õè!m‡DQDc£aþ#/öeVö·™Å’C9ŸG¡m!J¯6ndÏPDˆÔ|a¶Œ“@Ü6\­uKðà§ÿâ)ÙP»4Ñö{„ ¨×2E¾ÊÖ³U¶uŽî¨•E‚qÇÛÈ]ä¶ÅRǺLŸëõl›¾¤ÛŸ»j¨uCíªD#'~új›¬:(G<ŠI_G7c1E„AÌÍš€9¿,öu’¬PGª/yÖ){8!y)‚Þ(jÜuá/»äû¬,_CöÂ!"÷åWç71;¤‹ª8ü	åHR1po}Vh]ú×ß.*>}ùbPÎ"È °›nƒ,nšý³áüP	8O}¤'‹M:èÖGGýH˜#ã¨
·wó›÷O÷ïšY£ØÙ]Ð+ÇþLÎÌ4§‰}Ü:ìÒ´DCYàµôg,ðíÃÄ8`‹øô
-"<Ý'zæU±²Ïjã½¾¸µ”²eVV‡ì¹®²Âi].I<-œ¶ûù
²Ô›â`‰]a8R·[n5ÍÊòUqØ%V¨_ÿ4†hVpåqÙ
}xsãR$QvÕÜ‘I¾lÆò„À>Qe1ò_›ÔèQ`ÀKñÕæ‰xú-«6E]Ù7‰1~]ïÒ¼*¯»HD9)’nFwRt„}}˶[+ßú&qªÝz`ä*©·ÎÀáÏÓu}h\OõH0\I„g
f¼J«Å+cÒx0-†D/™Ç€+»O’4êÂ^ÛZíá–Èò¬Ê’­K§I•ô·`a“º=]éÀÐÄuzÈÒýDŽ}oÎа’r	’I 0x÷dmsùÂg˜E.­wÆû*!Ç*EâÓ*=S@e§ŒéªüXºø¾|áþ4l£!g:/f«Þ	Ù¥«gvfYî†3wFÉ>yÞºÁbÕ¨(¸B GÁ­zÆ}›Ì¡w:Š
-11/FŽŠñç"qPa×QWu²m–þ}±­Ëì%E£Q#’œ‰‚׉(ð\GÃQpJå1
-*ƒQÐVÙŽù¿þ#Å;-®Q์á¾bmÃuWED¸`n›G…T©Óö5\;þb’ÁŽ…:h†•Å 2ŽÇjú~,ÊXøª(ѵ†®P|˜ˆô[—ˆå€ó:=hnSM´§»¤vŠ5"€&-_äQ(¬í¦£‘„f‹fpPÄ’OŸt;^\Î8Ó4/kcúwµI*Mq—à¶E²Ìòµé¸«×ƒ~õz20TY^§¥›è´}+_-C²‚¾³'Õ•c†Þ$¥]®_A§JZl’|­‹Æ b©JKhéÆVýªr³[™Û¡:µ„6§ýLìc_”eö¬$(ƒàÂX†KþŽË¡"QSÇ{ÚP÷´QÀÕŒ´n¼
-5`4ŽŽ$ný‰8ŽåÜ#W	åÜÖU"Ï©/MÜó¹,¶uåF÷IµÑa7Š.êWŸI1-¦qlñLZ–!h!(V‚…›æ.´è{èÚO×0
­ë€5Œ´­››‹å¶PË$Ýù_J÷K›fIkŸ/f.Sdì"€Žw±pŠ¹ˆ¦·zÊÚÄ»±è,ôqÓ
-›F$P£èá•dçktÈÄ)ŸÓ™+…‰@†{ñç/ŠšþÆü‚³ü\ø䔽ôì]¥Kbë*[>/\a]ºr8zDQ½ƒ§C¯Å4zžÉ„ÞjPÛ0@ZHé§ôyž¡¾Þ)Œ¡½íèûP÷[;€Ö½—+çܵÝÜÚ7º«ÍPª{M¢oðÜí]á¯ôL€fÿNuÛ;îQ©7ô\ÁØæ:áSÏeœº8U ÁÕ•ž) ²íVèïÃ=•’_›ŽÍ1,|$o]¬nüÄñŒ÷ÊFèw:eµL‡Ðië\ýŒo”Å":Wϵ¹Nl’ç2›´.Àžäªw}ضK	D52ž´Ë3ìêÀ!To”+Þ5*<­æ~…Mí=Ÿî ¢MN‡±ºLÖ©%—G@Ô\GY².õçòès»auïìäx)Ó¯¡„ÉæNNë
-Y›ÎPæ–ˆðFŒAê11ñÏJ¤8,ÏÓY9%@ÃháÈ{7!TO•]øo:nzët:»EõýgªS`O›Ô'
X¡Ý›r_øÓX½ó{?¿é&Õ×®J™K|éºÍsß•(4xÚû¡¯J3/pÖ–8b
-µŸŒ£ø¨X¯ëÝÝ»1C”’?ÓB/ñœ‰±D”à¨kâíÝëo‡>¥¸ãau¹8dÏþÓQ–‡úZδq>¦þš•‹WpJÑæo£ÕÌY´‹•î'Ï€]‹ië<“ºül}Ù|Ðè`]Œx$éI«<ÏЪ.Ò1èï"Ñ1ëÆU=U†ôç3£¾yÃ’
ìVÝé”
-à¨øËJx„Û¾G¿H¾¦v$Y¾$ye¡^˜~ž;èQ³ýÖ1Ý<~,Ý×Ý{Ç`Êý®Ü§‹L·.é2t5̈΄uce'ôÆp‚8ëu8ºÒ¸o
\7ÒÐGîìíŽÞ8"¯wÏ&ås»Í«í·#{+i^Ù›ìX7ÂÌ)Ž’[7¾Z„—R‘å½_Ù‘Ì	Íœ¶:w7Mœ»:Á\¿·úÙö*ÚØÖ¬¢uG¥Wá/•]y9Ïßdù}·bº—ÔþªýØúW»Dcßæ!Ÿèê€ÇÍ5õýÝþø¸þ†ÓôŠ‚ÉÒ¥}íÜBÜþ¡íÿ’
ç0endstream
-endobj
-2119 0 obj <<
-/Type /Page
-/Contents 2120 0 R
-/Resources 2118 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2117 0 R
->> endobj
-2121 0 obj <<
-/D [2119 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2122 0 obj <<
-/D [2119 0 R /XYZ 56.6929 752.1755 null]
+2106 0 obj <<
+/D [2102 0 R /XYZ 85.0394 685.3283 null]
 >> endobj
 698 0 obj <<
-/D [2119 0 R /XYZ 56.6929 713.6328 null]
+/D [2102 0 R /XYZ 85.0394 643.9977 null]
 >> endobj
-2123 0 obj <<
-/D [2119 0 R /XYZ 56.6929 680.7972 null]
+2107 0 obj <<
+/D [2102 0 R /XYZ 85.0394 609.9378 null]
 >> endobj
-2124 0 obj <<
-/D [2119 0 R /XYZ 56.6929 645.4104 null]
+2108 0 obj <<
+/D [2102 0 R /XYZ 85.0394 573.3266 null]
 >> endobj
-2125 0 obj <<
-/D [2119 0 R /XYZ 56.6929 580.0444 null]
+2109 0 obj <<
+/D [2102 0 R /XYZ 85.0394 503.9484 null]
 >> endobj
-2126 0 obj <<
-/D [2119 0 R /XYZ 56.6929 496.6548 null]
+2110 0 obj <<
+/D [2102 0 R /XYZ 85.0394 440.4569 null]
 >> endobj
-2127 0 obj <<
-/D [2119 0 R /XYZ 56.6929 391.8707 null]
+2111 0 obj <<
+/D [2102 0 R /XYZ 85.0394 374.0006 null]
+>> endobj
+2112 0 obj <<
+/D [2102 0 R /XYZ 85.0394 84.369 null]
+>> endobj
+2101 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2115 0 obj <<
+/Length 1960      
+/Filter /FlateDecode
+>>
+stream
+xÚíYKsã6¾ëWè(U…X¼I[IœÍØÎØ©líd´HÙœáÃ#Rv´¿~/Š)iœñníaËU4ûñu£Ñ
’)†?2IEÕ4T	LÄtYLðôÖ~œGx¢ KõýÝäo?°pª’TNïV^ÂQD¦wɇÙ÷ˆ`4xvuönqœÿ´8ÿû?¯¯󀄄’ÙÙÍÍâêâòó€
+ô@ŒñìÝÙÕog¿Ø¹›¹¢³³·ów?Ow­f]í	fZ­/“ñ4#~ž`ÄT$¦/ð€QŠN‹		ΘŸÉ'·“_[†Uóê(`e’ŽÀAÉ”¤„ =<„B’Qfð¸],¬Qg¿Ü^k{à-ÖOa1¢¸!/ã"MþÀGð|g_5“Áò1]~þWU¦eé?ÂbŒp`lÜqyua™(§FRdeV7븩Övê}ºJ×sÍÒr™Ú©wq¹‰óu‰Œ•R:öÈ‘ôp<Á@ >7¤g¿Ýýtýþ4—e“®Ë´±ŠÜnë&-jûp^•uµn²M±Ëã’:>œ B9oBã~úeM
ÚaÆ•¡¾’º)„EHwÞÙ1껧*ž²<5Ìô”†vԙØænüçY’5[ûd˜fåƒ}ò®YVås
+ûù¦ªò1ȱÇÚݶ¬žê¬Þß?Œ 0’l*°D‚2ﬧvÄÍ€BB$:,Ì^àd$5´T#èÍ	¾ù$ýè±}jG_ÚÑs;ZZD×SS)Â\`.ó¸®-YO1ðf…ÊQµW#ÐH
+áHWÕºˆ›Ž}²–ãoÇQ‡+„vˆ8„ú4°n·~²1,RûPTI:†„!bûz>©÷ëøßÆïó{÷Æú•o¬_uÚï%Ê6ÝôxòEË}žõÏ€…I‚©›¡êf›§_÷·ol}s’_’­Ó%=Û¦‚#IÙgúòŸ`zÑŽ~a/
+ãÙ¼wÁI
+¨úNêFÀXzæ‚".”ü†ôÜeq8=·TôÜ=Æöô_HË ‘øš´íûèü÷ú'Ë,
+¡¨”ážÓ_É:{ã­ù¿žØË7Öï
qøu‰XDH3í̯ÌÃÿÏ›mÞ4O}×ì·Ð.pY«Wó^,nÏß_ÞÜ]^_µo4l´VþGœ†m9©)MÂfÍ£)àù¬Þ–Mü§ŒËÄNfо<¬]YÏfÕÊ­ÛUß	0×	@óË %¾lìäSºÖib ÈࢧvzðY\ØÉX-õà;G¬8¥£Ô^ŽJªT3øìå1-í(¯âÄö‘5#²f€êœÐÙÝcVÛµ"þœŽ©DB¡¥¨«Ò)èCªüÙÔéj“[¹+ÓÁ Ó-d‡*Ì[T
÷©¦×}­{©*õúC`Ïf
+g3‡²ºÁf½k¶ÓÂŽÀ©•Å»–ÏŽêt
Ú<ä^¸v¢°CÛ•@”H¿ë,´ $+²<6¶èGÁn(W_1˜Œ©Ïº‘¢Ùý¦±ò²ÆŠŠó—xëtH6Å“ÚÀ„u¼iT›´l§ym§ï·ö7IWñ&o4?ª½aîIô‚AB¿¥Ññ÷
+Ýs Ú4OUF`OeynG÷©ý…ØNì(®Ýoé~—¾€1c‹²µÐ»/ýÛ÷Û‘ !Oˆ©€aè›ÙîB:{:ûÝlͺ07AùÖ>õ °~Éj}˜

·»$¢<"}G;œõÆñ8ëq±©Ý}OÜøÕØOÝ»;bë¹þ\óXÕ~CvU´›·ÝÎc(I…0	å)”âo—I6ëX\÷nçÀ¦úæPõ¬ksZ
o9]‰a/ô;DþJrXç{"-4Hö姰
+Ëó4Cy]”B(öè/oQÆ÷þÊ+Iï7`Ñ!›Iø`8,ŽÝ¥:luKeÌ~> endobj
+2116 0 obj <<
+/D [2114 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2117 0 obj <<
+/D [2114 0 R /XYZ 56.6929 752.2879 null]
 >> endobj
 2118 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R /F55 1060 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2130 0 obj <<
-/Length 2663      
-/Filter /FlateDecode
->>
-stream
-xÚÅZÝoÛHÏ_aàVÖê|Kƒ{J¯Ý"‹n®wÍâØÝÅž$jõáZÒ¦ýïŽdÉ–+šbQ ž‡Ã!$Gåÿø"Õ1“V-«b͸^¬Ë¶¸‡¹7<Ьz¢Õ˜êåÍÅ‹Ÿd²°±5Â,nîF¼Ò˜¥)_Ül~‹.ß½{}ýêê¿Ë•Ð,z/Wš±è—Ëë_/ßÒØ»¥Ñå›×ï¡+­4@Ä9Ò]_þòúÕò›Ÿ/^ßòŒeæL¢0Ÿ.~ûƒ-6 úÏ,–6Õ‹Gè°˜[+å…Ò2ÖJÊ~¤¸xñ¯áhÖ/ÓÒi¬…2‹3yBQ,f¾J•1{E	>§¨ž
-µÚâ9_ü¤õˆ‘Z
‚y’m½k•Á‹S¥ãäê‰fä’ãÝ„ŽSa{›7­«è®îê5>un—»†:u˜íåƒCLØrÎÄÁ)62¶x›D÷/9‹®îˆsU·Ôh¶nÿΘp›i¤}pÔظ»¬+]ÞŒDò-¸¶#C
-ו€š¥Òæ‰;Q¹ÓžÊßis¸¥q’‚*ÎnÙÍl9Ö˜MâÄp3Ýò?ËDE»¼
J)]Yï¾P»k²û0Ü´Yך¯ƒšÚšnDÄ•Žê¯­i7u7wq2¥6<õ¶à>çí‘Â9ƒeàC&±`hÖþ?®+S&é¼ë2PRF{’­cÀ+4i…<`µê¥[&bnäÄK@ÇVkAöz*Y“X[Knr=R6 H¤d±–BÕüs¹2<º¿"z}¤`*…NFð=í7_|Zð˜)k%QÚþ´{-øW¥X¼ªáL‹ñ±zΫ1k.#Æ×­áˆ)	¤ŽU
-·ƒBß<+%Q½msºÝ$¸—‰Ê,¯Š/aþ.ÌU­Û¹¦¥X–ÿ}yuýŠÖXظ¥dÑŸK¡#WÔ[·ÛdÕ†e†_hÑ­£ÁØó’ë°nƒZDn-!*I£õCVÝ»
uòŠ~3ú¹ëÚn稽s…ˇ\V	¦26‰o³2™Â¸ [í£Í·ùÀJ€7ÁäJ@<Ä0vÆ z¡X‚'çQl ò(öþÉÈô·2û¼jêõÇ#ÀãÚÄ	gf1Þø8@õT3òMB‰á   VÞúe‘iƒhêñ.J8n˜˜ELX'¥„Pl)Å 6Ž®IjlŽ »"B<Î1ŒÊ»® ‘[·Î¼!™?ŽŽò7 C]˜@Wùí>¯æD^;d x`­¸ŒŠ¼Ì1­A¹qO…ã@€®7Ž4V|É«{šm¾@v[Á廫˜F¯– žÀW‚ÐØÊTq`]W¨ûn·„„·—'P}
µI0²Ÿ÷çc:ÂÕÅÀ½Y£Ø¶õ.¬Æ:£Cºð1Œ¾ÃæÞ8H.à²ó]]•®j‰ÒÛL~¬|~¬hA‡›n»E£T,
-†=¦´îØ•·x%^ˆ»9'QŒøð25¤½ÑuÝúk€Œ¡hjl¡«d-…K‡ÉuÛá‘°
𜗴-
ŒeÀ>Ý5Œ×Áš³³χ~Š¼m7w×þZÊùˆ\‘¥ð
-Ȫ¾å¨1Q…Uô>Fçh¤w—fs™$ÇAm‚KRA<ísrÈÆáùnä¨Ë QoBØ›¹ÞJ°ÊÇ490o_>›à
-3­¶éS®Ö‘½MáP÷Tš5+ߪþâtÕº_–Dyû@-´§ã7X"ì ÂU7ƒå\xÿŠ@BýˆpÎ!$æë‡øå`Ñ0Qt†OjüËûuè!	õ®†#Y?ãý\Br³©]SýÐÒ°« ž­u·îF)(ù¤~˺	+(ÁjþŽ)ëµp”(aX©ßŒ’SYÒ?DÑYgš	øÃgØ¢룟¿ÍDC`C§­èEãmA9ŒŸ6ô2 ÷êÁN¸=h‘:ˆ€Nüg^¸{ûª1ÁкζtBHR@ŠD]½MôÓèC–§#âÈU¿Íùÿâx(àµUâ|<T|âgÞ°Ò9õ">ð:û">¦:ó">ì½k»Ü{¾8¡è…<òðÁÛÄ)·‡XBÛ®¥èýí.[ØÓuŠ˜v¯hŠðj¶ð8–2º;éŸ0Ól-%͸ºè_úq“Š¬nF)k§V<‘(¼²Ÿ~ËàÂ\Hù<ÜÄ2Õük2Ä~Éé÷Þ8Tç©pÈÛöYŸ{9S±‚æ;<÷ŽYŸ	~\ÁñR$4â·2ÑÛœj£Ï?ÎÔ 
-,Wšô©DÇZ'#'hˆ5•„Р¢.”®øa‰&h
-P4»Í
-+Ð/¾ææM‰]zTÆáÍ®ÞRÐœWÉr˜ºøÔrÐΪëµÛ¶ÔE«ö2àèì7		†>’ÜæÕæ\d0×ûPNe³”ÆŸ©laRO§ô:Ž
ÿö@«êP¦ñaG›ih¥h¦¤Á2°îv¼•L蹤/¨ˆ¢_«¡ŽÃýº*kT¿œ±pFAt£÷!\\º¬
-\CÍ-Í©¼K³ô|†ÊŸd8ÄsxYÁ0xÉŠP_k‡w°xÂҫ˱ÕBV ¸UO[-@A:ÊeŸ'a/¥$F˜&!“ŒyJ(Ž‚»öŠcÆgX`5”]mwNÒÉ-„<&ÄñWÌ'¬YAÑäÓ3†qƒÞëòºkˆø`¿0ºÁX†üWVŸVö¹u†…7^¡¿sm–ûìÊsðáìØò¾ÆGÒ³¹œŒ›î?Ÿþ@ƒþaá{$JÁ3cö™”„
1ç›ÿ?Ãþ?l@Á¢‰ùäF2üza9Ú<òBs©U¬¡–Õ©Hz²‘ìÿÒ	
-&endstream
-endobj
-2129 0 obj <<
-/Type /Page
-/Contents 2130 0 R
-/Resources 2128 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2117 0 R
->> endobj
-2131 0 obj <<
-/D [2129 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2128 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F55 1060 0 R /F23 754 0 R /F53 1052 0 R /F41 959 0 R /F62 1085 0 R /F63 1088 0 R >>
-/XObject << /Im2 1074 0 R /Im3 1209 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2134 0 obj <<
-/Length 1958      
-/Filter /FlateDecode
->>
-stream
-xÚ½XßsÛ6~×_ÁGj¦‚ñäÜ“’Ø®:Ž’³•öfÚ>Ð"dñ*‘ªH:ñýõ· @")¹w¹¹ñŒ	ËÝÅ·‹ý"†?‰dLã@Å	LD°ÞOpðk·âdf­ÐÌ—z·š\Ý0Ä(–T«§+B8ŠH°J
ß!BÐTàp9ÿxýa:£,f2œþ|½ü°ø¼R ‚qøq¾ü2¿³sŸ§1
ç·×ÓßW?M®W?¾Ï3ãÌŸ“_ÇA
-®ÿ4ÁˆÅ‘¾ÂF$Ži°ŸpÁàŒµ3»ÉÃäïBoµùt."$(—€Cœc>ŽAŠRœ ,	é¢d©VÊ 5{îoT
-p+–¯l`²1É<“
-#ÁpÏä½>ÇÊÂ]mµ<ëc™¹}Éëý£>Úq’§v ¿eDÅm]c‰«7ðñ¤.àÓJ5øü<ÀG!%	»l²1y‚EŠSyjò¿Äç±ÎvnX*-øO”FGod˜/uÁNªAð›1yu#„'	ûUQ,@»Y'ë­žm²î{G¨BTDì²{Ôˆ>Ü„Q…@ž:xW$ 4©;Ú§$
-‹½s½—ÓRÁ‘s½gO‚9)Û]fyUô¢Ú|íb¶é­¥z“Ô;—Ï™þj*Ó |A" %7åOý¥ºÄ¢¦TFãu	CÒ*±ø¼*ûUnè>8U4k}›	ÀŒòˆùQA
LDOE4Œ#1Ù õ‹‡§œ4ñ…Š*‡ç|:“4¼oþ/á?	ݘ†·¤$Š¡x"†³&lþbÂ9k„üq³ùWLš‰«Åž
-ØcàoÓ)žùš›mJê'ev©Œ¡ð+wØWÛ¬œÎ˜PîÐÚñ~JpX—•}Ë7xÔöY—:5ÜÁ–ÝR§%ß½¸ÑÆ­ä•>j«K†&Íì»ÅòƒÅö‘ê)ƒ<›Rê]q€rc4ÙÐE
-ܵµDEá>1â/öÅøežG½/¦D8-N²8Úçz›äOíd–Ûgb›ºª’NJmô²ËÑ(Ž?£¾+G$ŸŒ!f³Wþ¾óã¥=xqðÖ+–^Ú·ÕR@Ujô€·ËùÝÃH1HP"³Fpa¤2´…ª®²\Û	»Ä¤’)ÿŒ„eö”'»Ò.–Û¢nX‚º´2“îK“VvÔ*x®‹¼²vö[`%OöºÔG ¥¿9_}"`P…újOê1O×#;¢À~PЫkCL—•NÒ³ôÅ•@¼L_¾Ôyúê¤\@~üò¹o6VÇÐÏ\4Û
-˜=a%LV”ŸÚ½)à׎
/5sp>[Æ°†ÉTñðe[Âi<õe[;êL‹¯ùe RHÀ]ƒ@¿­u¥Yû —· —:O³ü©í²^Ü*˜q½ÙëÑ3Ö‹q/šqæ„ê<Õ¿aLsmS½_3 0`K.­‹ï?-o·_îçôÕâÓòRÝxÝÕðÀ’â	•ÊEs¸ÓUÀϘHÚ¶>En\}ªm¹Á,43;CS˜[N‚¹ª(ì`]ì;ýÍ®Vn2Õåú˜=¶ßäíl•d;;6xšåq…
ïI«¬Ò¾–ë#Ö8¶~Íl á¥Lvûœöœ¥Ú§ÌË”fû@^ÒÄMSo·oÔHÇö1O÷Yž•ÀQ¸°Þëó=oòÇ$¯“ݸDF¦[lË!‰TBðŸª^¢ž
ôX°®ý³ªI4úºC~r¬)â¤ëmë}Rþ1¦—)vÍûoXà6êFóÚnØå„™Ù©[3
-AžØ·®Éî<‚‰ƒ¬².‚k]–ŒÈp±±+ÖlÙ³kƒIÃÇ—1fÂPàÌàL‡š³¶ÓüÁ&‡âˆôŸ.}ìu¶¬×[0ñ01žD"ügQáÜÛI磩ˆ1sÝxÙô7ÂÛäYÛ™54|
0ßgeÙÞâàËñ€Q¸bÄXÆoGLQ¬úL†¦7J]Ù	ýí°ËÖYeÚHóÞ	°á	{Î,"4HRÕ;PŽµ½šWV‰£†E1h¸x+*ñˆ·	}’#µrF0°”f8©™7‹»‘_wíQSâc—¹Ñ—j‰G#ÜØI«WºZ_5ûBP77CJ”ÚsuÙNjèA	b,:õ`5z±q3isölA͆¾ñ[‹'t"'Ô ôœ¯ŽunQrX²´ïÅÐv_t£øqÚb“ìÄ‘q ¼l›eé§aòÁ…î’ü4ù®¯YÜ=|¡˜Yßß¼ŸÎHŒC‚9#Éeä—©žBóÓ)#NÀWÇÿ·êÄ_P± ölÏÖ[½þÃÑ¡„áò¿Š\÷—ÍM¢?·ûê´tTjÍ»2ÜÔŒ˜rÏe¯Œýßþ$mZ¡“´™Yýøéþíænaîú¹v)ûðw¦½ë,ß•Ç*«÷ç~ÙfÐÞŒܹøÝ¿z¿þ¬Ï‚‹ô™¦ºq `;§Ìæà +F”HCßÿ
­mºLendstream
-endobj
-2133 0 obj <<
-/Type /Page
-/Contents 2134 0 R
-/Resources 2132 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2117 0 R
->> endobj
-2135 0 obj <<
-/D [2133 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2136 0 obj <<
-/D [2133 0 R /XYZ 56.6929 524.676 null]
->> endobj
-2137 0 obj <<
-/D [2133 0 R /XYZ 56.6929 381.9267 null]
->> endobj
-2138 0 obj <<
-/D [2133 0 R /XYZ 56.6929 264.3646 null]
->> endobj
-2139 0 obj <<
-/D [2133 0 R /XYZ 56.6929 158.7576 null]
->> endobj
-2140 0 obj <<
-/D [2133 0 R /XYZ 56.6929 83.677 null]
->> endobj
-2132 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R /F53 1052 0 R /F62 1085 0 R /F39 917 0 R /F41 959 0 R /F48 975 0 R >>
-/XObject << /Im3 1209 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2143 0 obj <<
-/Length 3433      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙrÛFò]_¡·PÁ¸ò¦XŽã8V¼–\Ù]Ç ‰(“C€R¸Ùüûö58¨‘¬ª-U	söôôÝ=T§!ü©Ó4
-B“ÙÓ$³Aªèt¹9	Ooaîõ‰’5s·h>^õÃõÉw?šä4²Xǧ×7#Xi¦©:½.>ÍÎß¿uyñæŸgs…³‚³y†³wç—Ïá±÷g™ž¿~u]mM‹”Æuq8»¼úøþâü,±³ëWgŸ¯>yuÝ£5F]…qúãäÓçð´€ü|&K£Ó{è„Ê2}º9±‘	"kŒYŸ\ü£8š¥­>RD&
¢T'Zhuªl`l¬'Ĉ²@§‰&bàÍÎæ*
-Ôí~[ä]‰·Ðs±‰SZv™oh`š}a•Î‚8Ê­ê!×:áÖÅ¡Î7ÕR:—WܯÝwÕºêr ­‚,Š´œa¸„fî]êfÛVí1íc  *Ä&$>Z)À\GÚ^™
-ƒ0™A­òÈT¿jzó(ùi^|v­‹¾uËÿògÞL»r÷hL^•%ŽAB:äÓj“/¿ÿü¥Dr–ß·årWv¼m‚¡2
-ä8ÇÛÜ	_<'÷Ò4Éd%@¾©Ö¥¤UAj’uý•:HàVDˆá¼ç"ìéªMÙì»çÃÞ{`ƒH¦qÉÒ}±}*y’Dé1ÔÝs YwUÙ>
-5;†úá«Pwy]4›¢¼óµA™Ž€Þ¹ò9þÙ§scAÿC Ÿ¨	¹xuõòÛ÷×o~½ì7MÕ6UPv*¼Ü‚!³Ö
-j us­@[Û²àV×ð·Ý/6UÇíAÛ•Óvh|tÚíÝ™Jgåû²íb.ߢü=uíÀW5?üøR+OÏÌùƒ”$ÊÝ]¹CÓ¶ZgÉìzÅvâtîî!"ɦ$_¯›{<86‚RÛ쩱,ǣˆ¾-µ|>L.dQ^„/4a!-á}›æÎMÜÐH³‘üùOS—¼þ¾êV(Æ4¼Éë= và^YT]Ußr§[É·ÕÌ^ë.lÀŒž;Û=Ö¼¶¯Ë‡6wÄXæµ4šºË«úÁ²–Gˆð…‹sƒ®Ý/ÅksÄ“^·rðù~Äêý¨£zÐß	ä<ËØý@6FØŽ[¹;
;ûºY fá;x7fÆšîªÜ£"*¿¦âX$ÿ)‰mC§½œ™óç⧗ï¹%ÂÉm`öºàvÝöA^ÊäâÀ_ œÐa®
ÒŒû„ÇïHf˜| uŒ¤s„§ *¦Z
-³Qä¸UŒ½3_S¶Ã©N2@åeuÞåS1XÈ̺i»#fe„Ü5J­‰2»‡Ñ‘’á pZW¡#¸²z˜8tʇsDúž(ÐU²Ø„.¥±}‹c9«¿Êï¤~ÒG•aäe •°	ƒ©0Ð*6S„jŒª&³ƒŠY=\Z[¢Sw6Û¼(Ô›ùØÙ®+g„keÅžFFžl¼S¼p4õÂ/“UÜÇ¡ó“m`mÐ9&óa²†,ìYú
†ÀjZˆÐìºÞÍUx˜³¯Äï[öÉÑÿÄ.ú.h Ê
Ÿca-/{Ù¦%É3UÅ„™Öù/~*0{LE‰A¸En:Žàf]y[JHÃ2t»ß°1‚²‹”,2ºãÍ«êvåö¶eçb'À¬GBèˆá¶uyW®)šÑ³7G¼ÀnÚoeòY³8›êE%Ò[Tm¾X—X›³,Ä°¼Í—¢{˜Úê¶Î»½8*£°dæáËá/¶ÈÀ7ßÃÅÀš.Ù8dbC±ÑGÃÔÁh˜@°›…‹&Æ 7Ûö€ë«7¯}–ÕãL{dfy¬;le,ÐrW-J™ –
-¯Sñ ¹ÑDX…
8ÿ÷0
-Cø§?ÄÚ"hMGFuf”ïZt<ĵ¯¯®ætuêa~`b=9†é”˜.`b0Õ0¡é•mZes†ëYŸó§]‰ep˜QS¿ãí„ÐJ‰Øœà÷KÝÜd§üÇùÖØë?m‰l&¢žl ­‹û¡!fö¡‡Og/÷;F¾î?¥ÔõÅÚa3#N›÷[´o¥€/ëåîàLôóõm³s°áîM#Q‡8ˆ0³ŸÞ¿œ÷)¡>K/"Â"ݯª%ÚàoN'Ét)á€/0“ÓYº\6ûµ¦ä›ŽÍ
-4{4Þ(hz\îÒ^0ù<ÝòÔ¯Þòà}µ^óʺ,Ÿ„R–f@µvߟ˜¦Hçϴ庤8;•XùN’X`»«ØqãøˆØØmù{_×ô¾ð9HÓ²–]ƒb«ŠøåDðÔÑŒEÅêdöc³›^Œå²ªÛ.By`Ùî«Í'rÀò¡Ø`%£!£AØØ•èZîß‹ºÀ²…p‘zhýR§qÛ>&û®ì–ß¡¸¤.7]É4Äp}¥m6ë,Ì†ê!
-OÀCb=uš ËETfÙØc#oÛfÉ\Â.'ŽB3å!ÎŽ
ö‰X‰EËØeg;ü潬,
-1í- Ÿ­Á ÕrË0G>Yej¨Xä[Äøî[ŽA¡)ZcAjjª§Ç€ö’I…Öv¿X“{ƒ6Ë4Èœ4·»|»bS$€®±°Þô äHþ<<Á‰3ÆôÁð‘Ô:бf@c³o%eZˆñk»¦·õdÁœ­ãÏÛWÿâõǾͳVŠ/ÎË¢Åá[mŽCâã<Ôf˜^FÏŠSm¢\¥´hJ±ÂTCÀ#Ÿõ‚X% È×Õ!±Iû¨XŽ¼3
Z—/¼-w‰Ö\	B¨ŽB•¯[æîˆI|öµ’‹u±´È¢îÓ¥£››,°`\T|ð'Ê&ñPÃñÄÖ:ˆâÄÑÞÓŸ‚âÒPÍ¥£Õ80¦™I(Bå¢Q(óèŒÜCg·eíÒQX!'Qex¥ÁìXþ¹ÒIAì7•†n$ËFå\ìP9}ê™e“Ô“|‡ï{“ï×Ïsü‰-
- &@?¥.îŦVËÁ‘Cg³ï¸ê1oåŸË5˜±»ÒáÿÆîQ
-ž‡ÍL=)60qŸ’õéR_FÑ”¼™=Í!¦‹Ǥà2Ê¥¡÷É÷>†AܧkôþãÁ’^q†§Ï[D`T
¯<£÷#©É &²$¼$…¸ÏàÓ¥ÖSΈñƒä‚ÒÄÄ‹ 12ë:ÉÈE>ÄŒU9U¿tMp£§Ïp‚œØA µ’Óy[Æ–†0·áR}2ýqrP8¤H’Î>¶‚/_À<"D:â'ÉW„(NBu,D‰î1†Du	‰\~+'¤¿I¤&šººEé
-±©«Ò¥zz“TMLÎÓ!8¾ÇXWi‰*ÉlàgÙl6œnÀܺªå£¬¡Õ²a]æ;êÊ?‘hB-)3Âü&?ðìB@ÝUmEѤ@ñF+RCjöÝvßù
-NÛƒÅAÂøíÁ=WHqð‡—hz#qÅ¢Š7\=kq8ªd$øêoăµ+Žµ¬ß΢hÆem÷>±Žžtà—“tZØzá‹L%™~V˜ ‡§O´–Ô˜ˆžÆ°8?¢ûx›ÐÒóXÅAj­ö½%OÑ›¼÷’ýQ8² Éâ£å•MsA¹o?vlsW
-ñ‡jª0›¼k¿ÇèQó››à݋E¬Ü“—”¤P-|ïê¡Äq¨=5MŸŸç\"ô1•~d¡¢ù$tØGûTë…Ôí$±ŽÎÅJž&ÕÄßÄT¦j°R)4Ó‘
- ë:Š–îí1EÝð`œÊ8dŠ¢nçH8ɃyA“qôz!þ`ÇÀ‰!Ùl›W2ÀõÄl6ÈAŒ)nCÆ‘Þ2:£}R[¤\¿'öÔV«80©uÈ¿ýAþ|«ÀÚ~û?Ñÿíꮊê®G•E?ƒtþ7Wm¼µÙT÷õßGŽ†œòίÓ
-3WŒh‰5Çû,‘ÇÛŒÓ;ó‡}¼Ä(0Ëz‚3Á
-Ìá’°"¨A“O^·ªò”у­
-|wª–2H¬ŠPB¯äq
¾RuUòìßv[.«›Ãðà
-cÇYdæ’R€£²­»Ô¡j­‚]lƒ]Ìj¡÷¦°îçá±FµXS™xÎTÑ»à%úW8tdâv8©£gþºàyÀ™õ#?BË‚•Ï/Âþ¥áÿþÚðC<›€j¥zøí™9zj5BmA
-©¢LrŒzÿS¶‡¸ÿß7W´endstream
-endobj
-2142 0 obj <<
-/Type /Page
-/Contents 2143 0 R
-/Resources 2141 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2117 0 R
->> endobj
-2144 0 obj <<
-/D [2142 0 R /XYZ 85.0394 794.5015 null]
+/D [2114 0 R /XYZ 56.6929 690.9973 null]
 >> endobj
 702 0 obj <<
-/D [2142 0 R /XYZ 85.0394 769.5949 null]
+/D [2114 0 R /XYZ 56.6929 653.2561 null]
 >> endobj
-2145 0 obj <<
-/D [2142 0 R /XYZ 85.0394 744.5266 null]
+2119 0 obj <<
+/D [2114 0 R /XYZ 56.6929 620.7725 null]
 >> endobj
-2146 0 obj <<
-/D [2142 0 R /XYZ 85.0394 712.3328 null]
+2120 0 obj <<
+/D [2114 0 R /XYZ 56.6929 585.7377 null]
 >> endobj
-2147 0 obj <<
-/D [2142 0 R /XYZ 85.0394 646.1476 null]
+2121 0 obj <<
+/D [2114 0 R /XYZ 56.6929 521.5252 null]
 >> endobj
-2148 0 obj <<
-/D [2142 0 R /XYZ 85.0394 573.8939 null]
+2122 0 obj <<
+/D [2114 0 R /XYZ 56.6929 385.2336 null]
 >> endobj
-2141 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
+2123 0 obj <<
+/D [2114 0 R /XYZ 56.6929 245.9771 null]
+>> endobj
+2113 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2151 0 obj <<
-/Length 3623      
+2126 0 obj <<
+/Length 3124      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZK“Û6¾Ï¯˜Ûjª<4 ±·I줜ZO¼žqek³9P$eq-‘ŠHÙÿúíF7À‡8rR[:š@£Ñýõ×1üĵ6‘±Ò^§6‰t,ôu±¿Š¯?ÂØW‚in=Ñí˜ê»Ç«—?¨ôÚFÖHsý¸Í•Eq–‰ëÇò×Õw‘Ñ
L¯î>¼{uw“&«Ç×7·R&ʬîÞ½{}ÿêÍ¿à]Ç@”q¼z{wÿáîÔ÷îÆÊÕݯn~{üéêõc`k̺ˆòôûÕ¯¿Å×%ì৫8R6Ó×_à%Ž„µòz•héD)ß³»z¸úg˜p4ê>]…ˆ#©Œ\…K²Ð62J*'‹¦;ʼ¯p'@¯FôIYà2HXä
lފպ§\o²Õ‰ûj~æôصE¾»Ý¶]O¤m³{¢‘}[VÔ:uuó‘šý–—OÆìÊØFÚؔ׿Ý-°(’(Ó©gñ?q¬òp^‰‚óÜÖMßU}7,äêªãçêÈ<—åñFd«ªóTíx¸êõ­46RYú&HEK· íP%	,­ã²îòõÎí
-»Â®&‡øe˜M$E¤ÓÌ2êlàq[
›B£·–÷Ü;;Åk„E;–;þÈÁ6Ö•?
-`EÆM´oÐjBè/u¿¥Ö2¸Ø8Êlê9½ý´Œ-I¢=I{@Ö#¶€XG`´²ÈdÂ[AŒ‹Íª¬6ùi׿Xc‚È{I_Æ^[/o°¢Žæþðê6R)èè*4ìá¹\/ÁÀ離sÐ7¢'„ÔL?ƒ!NÒì‰ô‰zsš»Û–zwÔý1ôÓO¯'9Y¥Ê&S«q¾BZç+TÌ;‚÷ÏÔá	Ùb‘¸ÈO°óñ{þŒ°[Î1)‡9%螊•Ó½Ï¢L”
-ëåöóòéK€NŸ–ÙçŸà4ÎÏÖp¯ÁD.Ÿ­Rft¶y„“Yë8p›Íq—ýhú>¢†<$Ò
 ÙzÇ}_¶ÞDr&Îû‚MMŸA“ =Ó$M¨IË•qOí`YèÂFÂwxÖâ²àýŠ¤³Ð`ËâݵGn5§ýÚ)0Ò¶¼‡Ž¿Ù´ÿ£ÞŸöÜ[ï¹;ç/‰*3³3è([™añ(3O 5+ÇA<
-Ps6À¹”úß•[•†)4Zöôì(æªfz‚hOý_ÑÎ,J!ú÷çqZ>8Ž“ùyÄÚŸÇ€®Úã´fi÷Ç'z­pæŸó]„!¦fÉÅcÉ!QGOå§÷"’Ö¬Þl¨÷+‹
-Â)’ae¿ÍËèýk/Úýá%qßÙ¡74ó~Yª¬üÃ2hBMynŠNHKúc]u
8d*},s{\>­c3?û£1>ö7#¡Ó±h<‹Ð1a_ÁGCö}èTLåNÞǧb”O|p¥†—¦Vó¦h|àŒC>ܣɤ’S£Y€Þo€QÙí{¢Ð¦‘UÒ‡£G8Îv_VK~Q§‘ÆÎE­!§:TEÎßÅ*Бs{rû,*z'µ¼Já†3þ”d¬p@yÀœÒDœè	"á=µËÖ¯âl·k?×%‹Î¢ÏÌTtù‚|ÒH&^y^¶_kK‘2d>"˜ŒZ$S<ÁL¡j\à’¦|®‹
-U@y½s½^à“‰PàÝ	ˆ¡PÍOˆ×-Å[%QBt$V¹Ù†”Oؼtœ·
-2›4ߢòä,UêMUF,CONb›óÂ¥*8J2 !''xú¸Þ‘·MŸ×
®ò§10žÔÁ<<×¼&;è©P†œ_<+Ìeõ`##tcÌMh“9Ã#œßiÉvRP#}°ÆÇ°”ÑAhŸ
‰}Ý”Nö¶ûÄ×™$ŒÕÍáăݶ=í¸{Í\r4KÞÂ{†Áû$ö„OF‡Ç /$­Ž{P}ØÀ½‹BX7(>H¤Ð‰ûìÍý»ôÍ?¿{‡¥°Ç…p8Æ¢I'"ùñ°”:€ÃļĊ,HšÁ-ãWª#ØM
¦ˆjºxHÖ&jl¿0e׃ò
gâWuÑM¼z»øµÝïÉÓ!	3û:ìêŠ{Ý¡àþ[pØù,a?ôîꆱ	 ³ØYëRbV×R¯Ú}E½¼zGo!%SRPŒëzË=ØT×#l~æï§ã¡íœ?Ã	9tk9v4Áh6¹ªj¡¶÷VÄLŒE?¢lËñ!„Ï<¼«»ºç:P±­ŠOQ¹R€`ˆtƒ
-€¢~x3ÆòV÷Pã¶U–ÄdF¬†ø™ÊÚ׳Ü®r†$$Pá~·Òqø|²«á\ЛsqmÝ&áÞ‚âe§¶@ŠõÀ÷ïa>,²Q—«kÿQS>ß·ÜWó§ùº#Oc£HF8„Q^JÇ^Ø;Þ3¾ïOO³fŠ}ÕóZàâÈ|ð~«†˜ÅªYÌb™oxRÙTAEå0+QvõÁ}Ê$Þ@k=™í¿—9²Ìšõ›Å§žÐ¤\n<¸¬h82’Æ‚¢nòz·ƒ¾†ÌËPé4©4îaúŽÎ‡ªÂókuÃQ]ËGzîC:…/qÍ39|Aš¯Õù=^‡ŠFÃy[ÎEòIÐxõ8Xürÿp±4M¾Cf¸\:y&ÃãbŒw¥T¢Ùç¾Øzaöš3É}•s¤ˆ™FÛÙ´Nåÿ~v!'¢ò•k;È£Òô™4"ºS=¨Æ×ÃæaüŠ%ªßæ,	“F–¤—y
-TLM37P<“M™z¨(N€ 0w71Ð(ý9ãK0ïP¡ð>óåŒã…{JW‹.¬ôTµ!Ç`o|±õL¦!åHCM1Õ«_°0I)¯ÕQ±ôT¥d
-òžpÏ$]à!A‚¤Ÿ£L°|±x;’E	^“~»T«#%cÏ)_k9&LCëäý¾ôÌ#	ÃåÍ”qŠôì@ÐÇÈ¥sµs)gÕ2]‰/ºY³z{÷ö5%h]ý.j±ÚçЃ_ÿ­£Þ‡Ÿï¨s
-½4èý´YÁ1lžüT¼¦ßvw©Æ;èù¢Ñ‚ÂÌ€ÛUsÓ bú¤Ê»g¾œŒêNÃÊóål©Ñ…ê%õ4`Q"Üà}ÙVàŒÖ.ÜLFp©Ï*æzõÑ…]Z;ƸM&\ìÐN­ÃVèä³4ŠM’ÍÔTXó…ç‘s}q©RP}¹dîëtZM§§Ìó@™‰TJqxPÇTÏj î	ÜËòH•çÁ4Q‘6&¹ÌO Z`HÍ€A'¢ŽMešÊTŒN?9ËTÌOG9 I}-(ǨS•Èh¸ðX&e‰„*˜þºÛ–Óª°ŽërXyë‹Š âz¸˜ã‚©Høb\}H3%Âþ)i:EQX†QT¨ŠŠÄ›îòƧÿlp%5H¥‘¦ØB–ÛPïú‰ú8uL¸v¸„C®:¢í¬Lø<
á›c.v̹Dƒÿ=SvƒO*Wa‹\ªr—‡Ô:w»EÍ06®n~zk/èYD_`¬ìjÚaˆ{Øα]ûÑmb‚¾d¨º†ò´‹»ºúcBÉçaBØ(ƒðä2JD@‚‰¼¤µ±åa|‚ëvÙÅõ=ÍùúÓ‘ÈHbÐ>fàaR5ÁßAJMaô Óø2­HÜŽÓríÊùãïe€Äít'”€À$\ŠŒ¥07½ÂÂ8…fçcœóY˜ÛFðM½l:	7µ!#tÉ4ÎRçU Ký¦Ày©oü=M…€“UÈ{`æÐÓKYAœ²çDÎú¬ÊNâ-×Á*…4-=ªC{Sá9³TáOÅÀÄó8gÊÃü_ÿ–šÿÂWî—ŒÆ`Ô).ÛÌ@ó¼É0«]î©k>k32µ—Ö4gœÙLlå˜g2›§KqŠãŒo‚ßpP²¨¢B©ÈÚðßÚÜŸ¬ÀË¥™™D>j‰¬î™€Ì[k¯€oî—.&Ù¼õ=ówQ¥#üç‚Àã0ÅÿýWÒá/³	¦–™\>;™j-´™)d\¨ì\WùO§ç¼ÿøðJ=endstream
+xÚÝ[K“Û6¾Ï¯Ðaš*Á“Ž{œu6v¼ëÉnj“85bY'"å‰÷×oãɇ@JSöV¥Ös6›Æ×îLfþÈL	„™æ3©9˜ˆÙrw…gðì»+âihÑ¥úöîê›×LÎ4ÒÍfwë/…°Rdv·úe~óþýí»Wo~¾^Pçߢë…ÀxþöæÝO7?¸±÷ךÎo¾»ýp½ ’PDºÏßݼ½}µxù×Û—û÷ïn¯»ûþêö.JÖ•ž`fÄúýê—ßðl“øþ
+#¦•˜=A#¢5í®¸`HpÆÂÈöêÃÕß#ÃÎSûjJ\($(Ïf Öè#,@É1šD•Q’R™'2[”fšß¼¢C¨¡BkC±«VÅP„€Ò¥hY¥„ŠD§R±ÎÇe |&{b½/ëê°»^0ÎæUÝ,¶U¾rÝÿTû´ø¼Ü7Åál>»ËM±üX›ÅTzþ¾ªëò~ë)Í$jG•®‰šnÚ=ýP™!­µðÿ•R¾>n·æ×Swå¦Ð”-1xU¬óã¶&y‘`Ï9U³÷…‘²Ü?Œ|%#ДĿ”b»à4C„gVãHA#ÿmµÌÇÄg°GÄcŽ´"¼#®ewN^8Óþ¥|¿Jð%1!»Œ÷°¢cbR”µÄÈPÀ<…ÝdÀsâfüÖu¸ª€f!é勪yP·”˜7›¼qXzû³q8ZVöwUw×ÅÁÑ6•¾qÝêà»ð/ÅÄQ,ÝWÍÆQ”ûE@¼°uœŽÍ¢Z»'V'ÂL“°>6`9û|WÔ“`Œà15)Nˆªár-`™Ñ Ôj¿ýìÜkИi¿õnøDOfðiS.7ÝçVe¦kTf~ã¼M'N$ |§â2(XSF.€bÃå§*,?´>üãZˆù?]çT÷0`^­Üïû©ü°ÇÀ	Ç£ƒ h1‡Ãé
+)ÊÈŸQY Ð,S6y9€ÁP‘ÍWŶxÈ›²Ú»'ï>¸ßÄDEv™Ÿõæ§òçLÜX‹
+Óë(&s¨°œ1‰E0€r‚
®ÙüMãžåÛºr­hÐöv­‡íÑsÉW+'lí‰N­Ë}à`_£óVŒ]Þ¸§UÙ~*MYv…ðóp½G›eç`WnWgð-ä’<ßdßnÅ¿2´]·
+´nx^W»" ^#)! ì-­ûÈïÇÒ5Vî-·N¦UüQÖMýbȶŒâûN­8ÅáS;–ž0ï¨Þ5ÍtP\/k“ìŒMbŽå3ƒ"Ž¨âü\”A'Ï_hCßUYç6„¤ŒÍý‹¦CƒRkÑ£÷ÇÆ
†ÓŽ‚½‡§²ö/8冠\G‘ש¸Ž@T/%×}ÜŸw[à#Ô3°Ëݼ7ôÇbÙ”Ÿ
+0	–ê}±¢ˆsÌ/]wJ.Ä·Šô¥>1ü“6Ÿ	ÊÄ0Éô©K5ž?E*›@­“	T¦Xˆ­M"¶6L¡€‰PŠOK©¢õ’(БȴìËö–©\¥—Ç9™õàaëŽ~ŘnïPÛlªåàW`"Ÿ‚Œ‡ãžq7ÅÍ$ru:ŸòŸJÂ"_Èúþ!ûˆD1n:‘B×ÀZÓhéR£%RY´¼N Ì›qÉÎÀ…"*`]'E‹T	Ùúp‘\èáÂ÷Û´b.fÐÀÅŒù‡6
y<6nÐÆQšÂlÉ|D'LkG<Ž cD_† €>SdAöSI- LB³§K D#”¬¼†];aRi–yR³©®Ö_…Ð}ÀZ˜ò˜›{
»ïª
+Þo_y;^æǺFâ
¾Xµ®ÁS{êã~kC4»ƒûWÇÝc=ê–Õ¾)ö͸[å"CRð3nµK5a(ÊÊÇ´¡(-ØTaŠb¤¸˜–+%äꦤSÙ@°P™JÔK`º„v÷4»Æ`§A$aË$'åEæO¥Íý
¶Fº6åÖy¹=†HÃsügn$–¿€ÝTù‹#%U¯ü_‘|Á1ƒ‹²AxÒZ]Ü+R>좊¾ET»Çr[ŒØ„MÑ67©±AT¡U7Ã{Êûñ°"ÓÙ©·x¶Üg-¹S$œÜÉp$Ý(öÕa4.‚8Svv3#)LåíPMØh ²6ºKÙ(GYÆÕ¤2”žM©’õ­T!¡…î‹Öne˜˜ÄÆ„à¦C]õ§rT¬7ÕÑd2¦}_¸ìò~ÐÖra៖kÿ`Sø¯ÅØßvÚÔØ”,<ë™&0p¦é²:…2Øû›Ð¸½aªÕú2shqÁù¹r/û2Ó¹,T#Ï8?p³{+AÈ4À»TãTàoS•ái€s$)Ó‚Eª„d}€›
šžh/
*݆… 9Ø0?àÐ=­,³¶áÏB\yÚ¿Êæ/Í	rlºç'ìÂó“2•=‘l‘‚8U\ˆÈe±Vsú¹ÇC?Že"ôû¾—A”¨Ì‘Ò44;TÐTšû/Š&åŠñÑ©\Éø¨'X›s2f=ï5™[çkú¶\ÆX¢\Æht¾†àÞWF¢óµ•“ʾ‚boœó=)¼/â›È²à|{o¦
+10Oeë„L¡["ÍÅW.¾VP¤ŸáÙ…þÿŠ¨‚
K=m™]ªqËŒTÖ2«ó)>¬¨ÑÒ‰urŽ(–|Z¸H•®gŸÜ”@•ì‹÷¯kÉ燲1Ž‘P„g¸Må™
sìxw¶:ƒô »s|˜ƒ; ±ìcÎã¿Y'X°¡ùy–‚@²‡²Nñ?Nâv±HY¢2–[í6“}
+Úpuy3T7Å<îœ0Úñ¹³y¸¡.}ÜF!‹ËŒÿëeB;â©Ÿ§,'ËW˜<ÛäõYxsEƒsž†w‡jÞÊ*¶NÁ#Êâe‚ºù¼Mì<`Ær³IÉ"UB´~#Â1éËÖî=Jûr†Æ^;fËÝg¦üa·ôe¥ÛÒ'§þ"	lbnÓüjG9•M^K^|ÚÈc,tP›/%}c†‘ºqŠmnJó#2¾CÆR”/Üû$ý
îÎÖ˜š±}+”¡íŒ@ÁZû‘úX6î¸ÄӺƣUQµ„]ØŸ˜±üØTÀ©\æ[sªf†îýoî™ù!o<³zy(­J1ÿqï›  =`éŸú£oPÚ áÔ‘…“8§#7ÒΊ̃i滛ÅÁèæƼp#ù*Ìû“øÎkÍæX{rÈ´ú Ax^¬ÊÆ+‚øYc+©÷/éâàôó‚=òpH‡£·³ÅC©CñZ®x(U,J틇Ðèa ¡]úCñP‹’ÑŠ ÕLgö\Ù~ž+GQÜÉ‘¶·z±¸¹É?
k›»"ß»Ã8SËb„­lxÚQ˦¦˜<êBIÆ‘šM»Ð.Õ¸TÖ…~ø¢Ø}R®»ŸÊ•ŒÝ{‚…¤Røºüæô“ÌR2K ±;iû~Ì,E/³1·´™efj«_1³¤‚]žYJ/‚œ¦–FðñÔ’.þ7©¥YiJ噲^—jžÊ³9w%tUÀ1˜Ðæ$€…€.clZ¸H•®RÈ+4‡}©'ÞËÛPŒ
3¬Ó±*H¨,)ï0²4Qmœ™½òb˜ºk.Ð*÷ËíqU¸ÎÊ_­°‡ßµ'G¿oy:p}&†x8üí 3ÏÇ°î	uw‡ôw]@E€áá•Î¼îû»Ãµ·ìÚá:Œ¿‘Q—»r›Ú++AgáVˆÝ@F±%%D	Ù™‚Z‡hâ®±'²ÀzJ׋	>¬…)É"Ñ©h}XühÖm¹1KÁ0žõMÂI!L9íÀÉò´p2­~øaF,üÅN…½\cìòº)]"×þË›w/øéÕ­ë
 éÑNe´3> endobj
-2152 0 obj <<
-/D [2150 0 R /XYZ 56.6929 794.5015 null]
+2127 0 obj <<
+/D [2125 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2153 0 obj <<
-/D [2150 0 R /XYZ 56.6929 446.9354 null]
->> endobj
-2149 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F53 1052 0 R >>
+2124 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2156 0 obj <<
-/Length 2747      
+2131 0 obj <<
+/Length 1745      
 /Filter /FlateDecode
 >>
 stream
-xÚ½Z[oã¶~ϯ0Їã5Ë«D¾ Ŧ‹-¶AÎÆ
-ló ØJ"¬,y-9ÙôןáÕ’LÉI·(D5"‡sùøh2ÃðGfR ÌŸ¥Š#‰˜­6gxöÏÞŸ'³ðB‹®ÔÏ˳Ÿ~aéL!•Ðd¶¼ïŒ%–’Ì–ëÏó‹ëëË«wþ8_Pç?£ó…ÀxþÛÅÕïmßõ¹¢ó‹÷—7pK9K@ˆP-—àùÕÍï×ï.ÎS>_^žß.=»\µºªÌ´N_Ï>ßâÙVðëFLI1{†ŒˆRt¶9ã‚!Áó=åÙÍÙÿ€§æÕ˜)¸HPžÌ L˜HãÃ0À"å±DÈ`0JbóRÚ`m[Z»4ùª®ÖÍpÙ„1ÄyÚy+¦AŠ¨À:*&§Röu¸Ùæ«âþôÀbÞ>涱Îï³}ÙºÞbãºÛÚ^ËâÉôðù}½³]»s"ç°s…¥ôäïÜûÙz¯ÁßT‰ùÒÏõ”•û\/ý§_DW_*9RT)X¥V´ª+'Õ[H	JœÐsQ–vÔU™g»‘UÁ(³c
-¬À%À‚z— £ès.N”BDJ5]©ñ8RzÒ/ù‹ƒ*3–¶±ËÛ£€)ˆ“šx¡ˆ&½pH(DT1áð'Æ4×.”Œ—µ¶•ÓBc¿]g­žYÇ;áÚ^ïÜýòæÃûESå_÷…Mð:Q>it«ªíÕ=®÷¦±Ê»½4m_}o¯&rÌ`/['ž+šÖMñ\´n
-·ìa&%)"Dç¯KJ'}K”*ÌOø¶#5á[/5ôíË[|Ë–Ój©ˆ^Cß²”Ò¾bCß2ëÛcs…R)_ií%âNeó?±À™»	WJ|ZÓÚ.½šF,¬Ø ¬~´ÆDRÑ´:Úz8¥£
Ô £1 `[NK¦c +5Aê8¿w»&oCÀt|^•YÓÜ>ŠmaÁè´²A*¢m/2RŠÆE_Ý~dPFüV	-õúzìžCï!ëuŸÝ6>1㹺[F$ÑÈžz`öö8
-o¤4u¶B?FÆYp|¢ùn7@Œ©#ã1
-Ù"7žÞ®ŽG„mh3{ñ€@FðüÃ}lTŽRà»~óÔÏçcá¶ãzS´m)aî>\Ù«N»¢jó]•·:öm¯Æßo4mKNÔ2'ʃ®ÔDBx©cPüî„ \:©lŠh;Lt¡¯îòQ[Œc¿­uÓƒcŸúyÖëfÇ¡÷úUú™ÉÝ8‘¬®Ä«2‚¿"#ˆO	ò濾D”sOi7ûƹß`ÅT†è½H‰W%Hòo$ƈ
-u¢nêJM$ˆ—úÞ±rY›!t¤8U	„µ8¡yŠ¨Þ34”&œ$Ý—ñògSÛ´z±ÀM!†¨º7‰Ro x2ϳգn‰¹1†îÒÉ£;¶6³Br6…)âº"­IaÝuýÆñܘÓAܧQ’ŠiÔïJ£~ÒÓÛÏOÀó2í#ÐoÛò6‚ÿŸÀg·ÜÞ—Á¨.Ÿñ‰u©ÈBz»-Vd°’wFûfPï¿æSAs(ý£,Cu ásÎÛ"Ü~1ƒ&”Ó>EÙl¡˜KõÍØ)fD’“[ŸˆwIÔG6òë§bm™­4ê‡-¼½²"3£Rÿ-ßõÄ6õ“ùˆÍ0w±™ÎWËŽì]À*éÊ•~
˜“£S#TNa.ÿV±SÕŽ5ûí¶,¬ÒÀã襀œ`6鶌™#Nûæ׊?TÖr7†¯—VZwó¹~öK¶§ö“ç@ë®(‹ö圂â
-Kô‘“8+]©q\	RC\ÉÖëP	g6o§”‰âbZý ÑH)“TÈþ.Ö:tYj)\ªüY7D$êõãa¥¥ûìgEÝ2†nœ¨µÐ2ɦㆤH±ÀX_óñ᯴Fð¤G:ÇcNoíXž(ñ»R1ç¥,®Ÿy°æšÀh&g
R‘iû_í9b‰¢ýyßͶÌ^tv¦‰ãÐXíw6(ªÖvlò¦ÉrÖ’A–µ(*¦ðÔž¥¶~è
4Rk˜—6@ãpŒ7ýSÝQT«ü0ªÝ”4úÐ>”–™/‹øŒ×  >J9Qƒv¥Æ=¤,9·Ñ×÷ ¤±>Z›œ5HE¦í{†±7ïM^­›áÁQÏ}ÐáÜp? ¶»j×|t».×uÓ¢ž»õƒ‹˜#ƒ^m”ÈŸã#É„cì5’R¨AdìgaLg(‹IÿÝ?;ü4Ž§À¼$£æÀ·˜"^)mÂÔPuÁ$ðçX÷ÿp(¢öendstream
+xÚ¥XKoÛ8¾ûWèÅb–o‘Ç´I»)Z7»»´=¨m•¥T¦Ù_¿C‘’%›I
+,|ÐHÍ¿~3™bø‘©Hjª§‘æH`"¦ëýO·ðßÛ	ñ:óNi>Ôzµš¼|â©FZR9]m¶ÂJ‘é*ù<{…Ag`Ï®.Ïæ”i&g77W‹Ëëà^`ÐŒg.Ÿ.Þ»g7gšÎ.Þ^-Ͼ®ÞM®V}<Ø	f6˜“Ï_ñ4ÐßM0bZ‰é=Ü`D´¦Óý„†g¬{’M–“?{ƒƒÛWCp¡ \q¦Â@:ÓKvŠ’P–j~y¼N©ÚM‡ÆN\vJ—là2bˆj,Ç./›ýÃúß"7Nú‚1ͼœæó"O×qæn7E¹kÈ#x¶Ú¥•×ö×8»¼lòø[f’þ=»Ä#0h+`ü6¦<Þ›d¾.öwifÚ°Ü+ÃÅhŠ8¥Ê¿NêÃg!Â	¦Å3©h=‘ªN«MÕß.(!šD (Â]Pû"1Çqi‰XÄÉÓquJ¸†L‚[Þ™uºy€Ìh9»ß™zgJwSîºÞ™õw+Fm:ÚgÜymÊ}šÛ·¯¦Y²ŽË3¢fI‰Ž¸š-žÖrÜqâl_TµEa:'EB(ÒB8nè+…Ó„êg¡j²ÚÝwÝe§YÓyi_,ܵÉSVuœ'G‡aº'P½ë]šo½ál[”i½Û»Û/XàÛ7¯Ý
Ї–ÁV³›¢ªR(èvM¸[í3Þíßi±ó)‚¹/’/”òû¸Ìí5PæL@íÉNÂJÌ&\l@Þ,öÔ‰¬µ 'é6/Jó˜
BÙs»I
+àN,ØÓ»i¨õøn구G»Éí®?vØ#¢Ús¯p=Þ0
+©£±ïÕÎS]RìãŽîÚ`Z©­=¸ÖÚ'¿W@–íž2ÉãÈ‘	EžCn õr–«	ËÕ!ì´@ÐÈøÓ®;¥€ë1rd}÷ÈýZ.RÔk¿q6ÐY9¢4Ô9gHS?6Ü^­>Ý.Ü˪gï?¹Qà؆TÁ®‚QdÐ?lJéŠC—gÝöp[µnʼۼ¾
+̯´vJÝTã5ú
˜ú[S¶vŠÒ«Ý›ž¢lq™Ú¬ë®
:†{“–¥ïÓêxºpGð,¯®ÜËï—kbDYî8?$Î#µ.òÍàïÖÓÃàÐnˆÒ4ÇÌDÀ=hSÞ3PÈ ‡Ò#缺^\:{Ú¯*6“Vu׶IÙG·fã1Í×ÖqÞ@/:uO`(¢RÊ!¥à
+Ý"zìŧÕoŸGô:‡^˜_!ˇª6{Ÿû×E^e6ûƒ_È!—ÔÛá0‚)BûñøHû|t…ÙiS;…ßà§1Š —ÊCŽýn£4rÒ8Ì0ÉU¦üiÊFø¨èò⮂1ïˆlP˜’lJaá‚ÒÙ@ÿ×TØ„?I‚C-ñ	öZƒuK@ðóœí$ÙKk?¬*âä"_!¶þÓí|“fè‘[	“`]Óîí&»Ð²•„±Ð©&æ[³gæ§É~ß즗¶½´¸ö–œt¯o²xðA9â‘"Ç>ò€=(9Š“z<Ö¼Xß5UȲFJEúØòݳ ÜÁÞÙƒB;LF½½ª—–Ëc_ìã_óªXÅk‡¢H¨cûõóILK ï¢|åHRqoó¬Ñ¦êvÜqº¨<ÁôçW7C3iK‘q‚>Ïÿê5ÃÙä´«ôÿ±Bwü‡h“3q…£ŽÜAòjùúöúfuýqñ›:4‡B­rÜmI{šδc¿½\zê²rˇ­äx×ɶ].–n8¶<¯EÐœExvCåµÙ.n¯í¤b׬¤Ý%±Ý'ýÖÔiá½n\‡÷Þ®—¯‘“Þ´Ç(öÅaì‡dùÕŒr•æîìÜm{~42Á
+Î;Zö ÙV}·eç½ÈÏæ	ÛŒQ×@(FB*—ž¿w¦õ£!€ŸÅw×&Œê]ÑÔîwfÙ6{“×Õy ‹DDˆ©HÏé¡,2$"ÜÕœ½2gßa{×~½zæ4îhØŠÛ¦ì!R݉Ój%Fœõ”ñÒÔë—mTÈÒyhðÓHJ¦†S‰ý®C4ŸL‡ÑZ„º"ivŸA’¸ŽSAÙ˜üð¹£~4¦LM…ûŽÅì¥àˆŽû­÷¿¿q>âq›GEÃÃ>àP AöAY0ã§GŒ(ƒ‰æ4öÿjßlendstream
 endobj
-2155 0 obj <<
+2130 0 obj <<
 /Type /Page
-/Contents 2156 0 R
-/Resources 2154 0 R
+/Contents 2131 0 R
+/Resources 2129 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2159 0 R
+/Parent 2128 0 R
 >> endobj
-2157 0 obj <<
-/D [2155 0 R /XYZ 85.0394 794.5015 null]
+2132 0 obj <<
+/D [2130 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2158 0 obj <<
-/D [2155 0 R /XYZ 85.0394 161.4147 null]
+2133 0 obj <<
+/D [2130 0 R /XYZ 56.6929 565.1932 null]
 >> endobj
-2154 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F53 1052 0 R /F41 959 0 R >>
-/ProcSet [ /PDF /Text ]
+2134 0 obj <<
+/D [2130 0 R /XYZ 56.6929 492.4514 null]
 >> endobj
-2162 0 obj <<
-/Length 1934      
-/Filter /FlateDecode
->>
-stream
-xÚí]oÛ6ðÝ¿ÂÀ^l¬bHQ”¨—n’vÙÚ¬«½aC×E¢m¡²äJrRÿûy”,ÉŠS`¯ƒ‹<÷}G²)…›
-Ÿø¡NƒÐ#‚21w:ÝÀÚÛ	³8Nƒät±^¯&Wox0
Iè»þtµîÐ’„Jɦ«äÓì5aœÌ}¼¿¹ž;®'Co¶øðáöþæî/˜
-H€AéìýâþÅ;„}˜‡îlñöv9ÿ¼úer»jÙé²Ì(×¼||úL§	pþË„J1}‚	%,Ýénâ	N„ÇyÉ&ËÉï-ÁΪÙ:ªF‰Ë}wDÓ‰Ï]ntðÓÜñAºJå‰æê
ÀO[èÔá”,@…-òã|¶ÀO9gr¦âÂ|“JÝÙ¦fµÈ’mQÕD}‹vûL‘¸ØáB„ûp’¨LÕ*-{¾„‹“wNr'áR{P®žÆzJë­–JËÁ	…pwÐŽQ’ áªB\Â|ÂÃyZµˆ†EÎèlµU„c³£c–0dRöQCž€Ÿ$:â`µ²>õTú¥8­€NžTe
Ó³ek#Ïhļ:쓨Vc"[;ïKUª¯ý[Rì¢4·³4þ’G;ÕÓbë²'™1¨à
³b%ÓÃëûÅû[ëuÅNYîyæ¿ÏIÑ>²{àÿ×CZ¥µY3­Ú´N‹7ª®pT7{µˆ[©òhàrßx«â/ÍŽ¨FDØÛøµ^ˆº“Ün´ÞVÌ ¶Gœ…‘F-Ö–ŽŽ9sÒq¯ÆbÂÀrTûÚg¹7»ÓÄDØãvX_Ár 
-àƶzÜhOU5ÖQšU†¬°d%ìÄ@‘Þ`”ªv«ú–Vµ=,B†ÐFLŽRIÁÚ~+ü6¡èQ¦n 
-|ß*Ö.0zÚ*mgɬ€²uÁ3²š7)Û#ã(GÞõ¸Èÿ¡”§qCU§{’BòY‘oœªŽÀ·ò͘Låt›6á\ƒÙÇ7×P)<"×!õ©»CU[XaqŒ>¦³ŒÙ¦½E
-cj¦%sv&³š®-?]¢Õ€*NÚŽuº2‘†'tÓoÄM”1gÖ½t~äÔÚ 7÷Ëåí5ŽÓA7®à&øeYñ„ ÃPÕ_ÞF
-!?.ïÞ¾j©ÿzû·%'¼oD Ñi×f6mMˆ©& Rz(Ó›»w#=ƒ\Äü©
-ˆî35‘œ.–l9R²[,}ꕪ㫲Hö!ž¯‡0áz~™ƒ뜅^ve" œ	¿ÏájŠžÑ».•‰ÊëtmËZ¢ÖÑ!«m¡´I6Éô9ù‚0×{Ic¬k°ŒÆ£òª<äWš“ä*IòŠ|QÇ3Åé®-¼ËŒ´Xçœô†„	ôY©°Öˆ6ÝtµŸÅ‘fÐl‚§ZéV×9~³"Ž2§È3‹¹+õ¬r¹G<¼¤ÜÖå6XZ¢_1P˜×E$aø@Û¤rÛ¿t)y$”Œ[ãçD\NBF=‹´y‰
-ùQ»ê#„<ŽËÙ÷²SB‚À>d@‡CøB¼ÄPÃñ˜‹¹T‚/@J¼hŽëÜ=sáþ¨ïõ
òUÊñ=t	•Ç…©Gffš
-øþü~qí¼¿O‹1Úì€‡&œó
-R7*7jÛ˜Žúåà(”½àk¬¾Ö`ýïk—|m_¦¶õïùw	å»l’ëÜ&}ƒâG™/ûFiý…]Ó³bß“¿é™ñ7=èù›<Ø…þ6,É“p7vyØ”fÃÓòö=wñnùÛøÁ…{ž]7ŒûºY€Ë&Ì8¥Áiæ‚ktfÒ§™nÞ:kЮtf!gvf*O+‰êBäèÞ•²YCŒõ‘ߣÚSÇë?Þ./iwnN¡Û¡ÙÔÓ'‡ÍE<9äI”×™]¬êÂÂÉÔ'øÖs6{*p\©}TâµfÐK»Ð0ÂVÝÊÃU¶òzs…D#œ‚z*}ÿÈÍm	à&‡ÁB{Û5ÐC…INŸº½ß,W¶j¦eT‹kÚÔå¸<îëbSFûmÛ´¹WÀ:Ü«Wö2ŸÛ¹kîññ6Ê7ƒò¼>Ô‡Óu«yÈÄKÕ1šG¸ç7Fó8D¢Mäú}
-âÂÕ·Ì“¸J§†À
Ê}›ÎÎhX³_\7x¦)C1Š¼6l™í9ê4KëãË.¶<æžJ«aâî¥Ï§„ÄHGëÆ!p`|±^t(\xܲH'±õËÁ'ç%]-	N‚P6©XßÊc¥ßsJýtþæ"!çI0¢n(Ç#”ûÙ[GxºqÖi¦FÈBwî
É~y‘,Äæs4=°‹Kƒ!ÍêEš§}@‘ûÄu=6¤¸¡èp&+úñ·/Êz„0V^>$üg;:ŽÑ×ÙX+/C°-—SßßóëB=•rüÖié9'‚Æ	E¿åwÁÙal‘4si2"4ƒ»—à~_è¸Øí"|á{SCé‡à‘¡mTþç÷æÓ{:¸—ò¹Æ3€®+„±eJKÁ> endobj
-2163 0 obj <<
-/D [2161 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2164 0 obj <<
-/D [2161 0 R /XYZ 56.6929 526.3432 null]
->> endobj
-2165 0 obj <<
-/D [2161 0 R /XYZ 56.6929 358.1935 null]
->> endobj
-2166 0 obj <<
-/D [2161 0 R /XYZ 56.6929 282.1949 null]
+2135 0 obj <<
+/D [2130 0 R /XYZ 56.6929 419.7097 null]
 >> endobj
 706 0 obj <<
-/D [2161 0 R /XYZ 56.6929 230.5858 null]
+/D [2130 0 R /XYZ 56.6929 374.0117 null]
 >> endobj
-2167 0 obj <<
-/D [2161 0 R /XYZ 56.6929 197.2622 null]
+2136 0 obj <<
+/D [2130 0 R /XYZ 56.6929 338.0338 null]
 >> endobj
-2168 0 obj <<
-/D [2161 0 R /XYZ 56.6929 161.3874 null]
+2137 0 obj <<
+/D [2130 0 R /XYZ 56.6929 299.5046 null]
 >> endobj
-2169 0 obj <<
-/D [2161 0 R /XYZ 56.6929 94.4221 null]
+2138 0 obj <<
+/D [2130 0 R /XYZ 56.6929 223.841 null]
 >> endobj
-2160 0 obj <<
-/Font << /F37 819 0 R /F41 959 0 R /F23 754 0 R /F21 730 0 R /F48 975 0 R /F14 757 0 R /F53 1052 0 R >>
+2139 0 obj <<
+/D [2130 0 R /XYZ 56.6929 130.1538 null]
+>> endobj
+2129 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2172 0 obj <<
-/Length 3151      
+2142 0 obj <<
+/Length 3025      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6òÝ¿Bo•g"ßÓ$í¹Ó¤¹Ú½¹™^h‰²8¡HW¤ìó¿¿]| EÉéµã\,Åb¿WlAá-Œ"TX¹È¬$Š2µXï¯èâæ~¸bg‘V)ÖwwWß~/²…%Vs½¸Û&kBa‹»ÍoË·Ÿ?øôþæß×+®èò;r½R”.?¾ýôëÛŸ<ìóµåË·?|¸…Wi¬$&OÓå/ŸÞ¿»þýîÇ«w=9)ÉŒ
-¤å«ß~§‹
Pþã%µx†J˜µ|±¿’J%…ˆêêöêŸý‚ɬûtŽJ¢ÏfxÀÙ‚1b•â#&(K´àÂ1áý‡Ûw¿Ü|¾»ùùžÆ}3ð.VÜ™	îõf°D‚Å9QLÀF¤uSw‡kf–MÕߨZv»ÂšÇâweS‡×­æþQçû€×‡§âp©%0›[µ¼éÂÄVh‹M‘¬|J5—Ø¥=ó43<fxœcWVe÷ÍÃvÏyØçÑè©Ü)ãªøîæÓ{Ü8f)QŠòŪg>òW(ª"o‹N%…YÞlgˆW”É#ñç8.ˆ0‘á%iôÔ|qôÔ>—Ý΃ëÆCÖÍ~Ÿ×¬Êºðàæ/$,Ñü3wÔ>÷Eݵo®W‚ÂòÿàñP0àùG»ka¶=Â.‡—°ÜÖs$“„ª#C¼úy©-ƒK}„ïåðèlý›§=zþ”—U~_…×þ	vy°ô,䌃~Á¸Äq8c¢—ñýþX—ë¼CI ¨žß8r„ŠLyFPg7núQîwï>{|PœºXwå5[650]Ò¾¬7eýà1θϰSÝ9"6Aò‘#Á‹’ —›ò¡ìòÊ«T[>Ôywôbé$RŠåMí1=³k}V/~”
-™1ÍQÐ[M¤ÑöåÕCsîai-œ²áóß¾[}|¯pGË–Ï»r½ó3Ƕ8¹´;/‚¸·{/Öþ½óïhñYäq‰¢v¨ÒYHx™‚A”‘¦†ÓÒ.ïv‘¢ÄFµî@t¬ow·7?¬Úî¥rK™)l‹@è,nh«/žì?ŽEÛ…5âL„^g½ÐgrùM›~ß>‚üH?œðmU6šîï õâ‡Úî–Ùƒõ.žTþelæ}´. çÑ´Ü¿“à_Š—©ç&#–i¶ç@¨eìk|8'Ö 5žóà«~ÅUº¤wÏ#}¯a©´ÃÎζÊ¿ÔÍsÞL½¥\ÎY7tNÄh¥¾ÊÊáQ,‹šë®+÷¦Ø{…~¤þ¥üáØ»r˜Cˆ·È<(–›¢+{ïh¼kž=ÜÏ»…º|Ýà. …(@‰^€;.º÷ãgï¨qºWR¯ÉácEŽ¾¯Ý
Ê *ྎU˜<¢dF.&ÁH¤„)nÜb?»ˆéö$¤„*/X7Î23³¤UŠãµÓ˜µÇÂ}W÷ž8¸ÎÄL2b¬Š¦´mŽ‡u±Ê7›CѶS
-ì®9µ—Iì±fhGQŠhÊù˜È_Û•©‘lQ"¥Vg©œ,
j#ŒÊ¢pNEçÊÝ÷(žëÂOàBÞºLoÊ3|ÂÛÖj&EB6€“2FŽéã±êÊÇ”uÛåõºhÓh#Ì=¢üw}d57¯*¯¨»]çü»3nÛ`¦ç±S¿ùü$'!€tX$á…CxQøˆgNFefˆÍ¨¼,£)Öyí±œŒ®çd”BÈÔ#lˇն¬ŠÕŒP.Åeúz¬Gª5¡ÄhDá¼€bJ AægIœ¬«3ÀÍd"ÌIbvÆF"0ÚH£Ô€eõ/xïÌŠáóM±ÍAÈÞøå(¸¢p3‹T~[tëoј¤wNÑFó€~^¤&:3âaH°.CÄrÂðåUƒöx^¤$™Rò2q=Öu£Û…¤0ƒ¸dLÞYI°™ä3ôM…dÊÌ&bÀyŒž¹ž ½{äb¸zœp*Ï£ûÀ…«gÊí9¹úÇLhË2’Q£û›‡È˜A¸ö	¤!93[)È/m¦Ó¼E„à‡d`'¹íy*€ëÖ°Hós‰á8
-žÁüíÆœu„gš× D§!Ëb0˜|á™Ç†Çåv˜œqF™ *c_«ë–Éhº6M©›.2…©³IâPü·l»³
-' Ü“™z%BH±Î+\å®}Õú6MÕM0 é¸LZuJÛX…„&ŒeÙ˜¸açi¢-{ó
ó8ƒBù
-…û{7±|ÓŒCz†Ã}Þ­wEø(?EoÞûïZ_çI—YYùk×À~¦ìøÖÇf_˜ÁìヒÓÝ00H¯dËÈD1èrF–Ü¢XàÁú*À\Rˆ0H{«ÒežðæIŠQ”IjBÅš–X¬al׸TÏð€; ¦Q
-ª œ09‘ÿ`ÉVC¹Z•ƒÂÇÀiãŒ*9é5$¡Ñ™‚Ÿ€ÌFŠWXIÙ òÓ,†&Y¦*É$ÑT×g!	•WhŠuAŸ#–ÓçÇW(6N´™cQ]¦+"ÍÐ5Òe$×Ân‹z¶b£\W×rQp oj!¸%"ëK7ÖøÖ4‘4ÚéÁu&"á
-¯nd¿	$Ñ‹Ôõõ虂nû&|^ïìõR†~Œ½r½	Ö…ëXîzÿ5ÝÒ‚á¤h8/m‘f¶ñf©±ã-?ÔCõ4ó¾‰Y5ŒœeׂIXî"R¬óLè±^æe\6o¦VØÇœñ]©VÓ¯xzˆ	iP=>D¹9ÕAKŒfü2ãz¬Î=ªÄ΀ïú«»<›,0èã°‘¶)	ܤê<79…x‘	õ÷q³_q†›#‡è$£pÖvžñDYãí­Wëý„§¦€Þ´“Y;ĉ`6;ÏI$¤òïcM¿â+¬0Ë„ùó¬	uP8ø}‹PAD†þZG—Ž Ð$Ðjpê"gÆòq¹
å9•ÆÝ«÷jTÞvïÝ!T8B×LIŒâcãÃåk58˜ØjµÜC|—?„ŸòªÜôîZOƒ]Áõº@ß¼܇E…°èô²…U„iÎÏ_6V²´0Ù‚+_!Ì_¾ì~ÅUºäée+ðušgjØùìeC¸"úQÈå¢>
-ÁÓc±.Qâ‹Í›¹#Z¹¯h1Ê!\òÑ®Ë\PHÑc4_|béËmÔÕÖñáòKÄÇxýøôá%eCÈJG¾ºÖÇ€KG¸÷…oŠÁ•½	mFÅ´ãéóA«B;T&1¿Çü2¤±ë[´ý„—SÛ·ˆ„òÐu·Ïúl~å³mì§Å؆Üߪ¤[5´bM«¹Fêúâzù©q92µ}ÓÚÄn»±ƒ0Û‡¸¡ËK·!̤m*œô8 Ä$
-æ†*'ÀC
-D4a)"âI“rÒÚ9ÎfƒÉ؈b€
KÁ¨ÿaÀ¤„;zò¶MZŒÅtÝ
vùS=uqÈÃƱۢ˱<ƒ‰‹eU°2mKúV+DzÔTùÞ}$cABºÊÅcU¸$–':v7€ä¬M[”0yÿ2—é0…õÌ?‘,¾‰{ÚBÜ ëo7û².Á\ç]<È/Å6ð²^‡Ï>æõXæ™ ìdfÎñD£ž9$k”õµ—¯ÊÖÐ=5Çn¦¡?J×Ú	3»¢z­AïJf»;`£Á‚S›<þ>ºùxsç~„ÿú†Ïÿû™ä<¡ˆ”JåKÑ~Ñ·
-¦íΑ~¤yñ$2³‰²&–÷
¾3?±ø)1ùic,¶E8ÖÒ1›H…ÿ.j–­·¡ðL~@àZñržÏytt°MÌŒl·ãÞ½aæXЙ)™+ñ¥Ò—<y-„øØÎRæoïÂz«aAçïGtaYµˆ»^
-íxŸ'ªÇ=¶>´âvàÕ©Ù`þâ@m±Ó‘Þßmñ4ØÂÂ_ZTå :m”ÀÞÔÆÒȺ*Â
í³¹Æ¡½˜¯EÐ^ÿòæ†Jì!>ŸO	
-)‘]D!˜d'ñ`üyÝ)íÿÖ
Œendstream
+xÚÝZÝoÛF÷_!àŽ¢Í~/	p7pÑ8¾ÆÁhû@K”ÅEª"'ýëof?(’¢¤š¾\DËåpvv>~3³k6£ð?›ÅŠP‘È™I$Q”©Ùr{EgOðîÍó4‹@´èS½z¸zù½0³„$šëÙúÇ+&4ŽÙìaõKt}s÷úöçù‚+½"ó…¢4z{}÷áúG7w?Oxtýææ=<ŠDh bé4î®ßÞ¼žÿöðÃÕÍC'O_fF
+óûÕ/¿ÑÙ
+DÿኑÄjö”°$á³í•T‚()D˜)®Þ_ý«cØ{k?Ò1Q17Jàl'JñTB´àÂjáÝýÃí»»÷G;¡„*P”áœ0¥“ií{¢EŸ*,<¡ý@…ë.äxÉD!b~~É@4±¤è-	v,QÃ%?Ô™³ëíý'éFUY|q£ìSVºQ¾v¿ÍÆ“oªºq£mºÜ䥟Îk÷»Lwécá'«u·„&¸Ã—ß˾.¸R$‰
îç …‘ðL)UìIÒr5Á‡%D(#}™Í~ÎâÈK¹m›6-º­^mÊÈ)/Ð	#±Qç GtÚÑAê)8·^çGëM9@½¾ýõ_oùd͈JÄûˆÎØßY©—Nj¥úRSÂ@˜“zY•ëüi±ÎA¿#Ùp¢\Š³ÂuDÇÒ
T¥5¡T™xè.N¾>)§D›ØLË7b«gcÀ^oð‘(çW üøWJùS»O›¼*Ý[œ)27Î˺ÉÒ•£FÏ|¾ÊÖi[4/¦¼Œi"U¤|™5Ë—eºÍVÖ³…ÐœÄ1¤•E—üf&vÁI0™9^þb-£LÕ|!…Š²²nƒwás³IÉÈÍUºÊ˧ðÒSí'Ãîñc hò²Íjÿ¡_í¹ÚtéºÉö#®u¶ÿ&7 q»Ý°¿[—þ—›´|ÊP¹"‰ò¦väneŇUî6°lªý?Õfn€âôS÷³«ê:Þ04Š $¡T{EsÏøXåÊfT‚jçÝõ¿Î`pìD0éÔøbÂ}<†Èhvlú3~.eÀ¬zSµÅÊAÇ£”ÔcgúXWEÛøÙ]ÚlÐíNâŠJb”>,}ªÓÈÒQYhYMA¤‚DG^eíÓ¢Ü/Ž¡…Cà^’¯£šp.†h
¹h áûsJâ-‰ƒUšm«òïµBñÜÐɸP‚·Û”IÕ!›Þ×Ø”Š%ä!˜¥2Ñküäɺ½•hŸ.1êpÁµ€jëY
RƒÚ
+#BzÌ.&%C»™dì‡Û¢ª~‚˜~¬BúNëQ‚º‚¡×•ÍÏåÒ±Hë¬>í‚PasË.Ø£:ã‚ʺàú¨ºáÚ@7g—DKêC8z¸äOm9ÒL€C§Ñ˵Wñ“³q[ú þ•*šˆÚ…` ÜÊÍ–•/‚œŸæd@ÇNë*ï„ë5cŸêŒ^•ÕëÓDÕ'úÂ’hbÉQÝ3Zòé5
O°þ\x-ª…êê£òêÝe†ºYeûýTÐ)ÈNI‚·i€¤óFêS6RGe´Â_	8(¬‹ôÈ’2µfRŸ¬£šl€‹ãD%CÑ r¡Q»ÇL)Ed3¦”Ñ|Úæx˜këô)sÃÕ‘
+òªHŸj<&÷!×[RÿÎ=„j{¢~„¢Paä:-¸µ&Š®
+4@GG5•É5a²cc!û›øk¹@ARíWÝé"ŸÀád!)û\À„?=Ô#lØôÝ éÙ.›Ï_S®"ˆ=l²=`‹Î8õ®
+ÙT£¾}ÿÝØ7y,•
+CljüšÓ«ÿ©³EÇqÑgyìÇ<†îDH~XwööæíXD*T:þ†"v/ˆ( ¶•2#_ß¼úðægø/ä!.g×Ë}þ˜­:hr¥@á‚[ý#¯—/!PÉæŸ_QÙœ‚ϹͿ€Ú
f;@<ØbC‡¹u'>8½ñƒ²Ý>Úô/Ýnåw3;/YÙ¸	—øa°<Â~S8%z;p%ŽövífrÏ4÷«µ¥?}’Ò× †˜öwѹn½s+ÜÅ_–øR²_8Ý
+vwlz"ã»<”1¡)<ìvu2E¢¡AφcŸêt8vT6wÃqWí›ãh¤$†Já¬\hB®aýi“ë‘`?æuŽ±´ƒßÛlŸgu8”ôí³—oœkù!T—ÓàízTËkÜTÙã¥áY§]ÌŽ ï8iS€âD~Á¦=ª36
TÖ¦õDKebPÅÙ%ÑÄ’£–Êh¦‡Kþ{nd´ÏÉF(qìËD«Æ&mÀ¬ù²>S»c›®%?”îU;e8C‘£C7|!ûœ7G
+g>ƒ:XðåZšKé^Äö
+ìDÂä0xZ¡ÏÜ]¹ï(ðòÃðŨvÒüêp:P{ïZŠ1Ї$8Öj&w=Õ(
ŠtgÃJðâßÍšA9¿Ð<º9R
0\Å3n q&܆èì÷¬ “D8ªÞØîö ;ñòvËg¯+ØÓ¬¿­ÀyÑgm÷¥yßÜЪ%1	b˜d¾•|ظP2Ý©ŽÝœŽ¶iî/$ŒGdxWzgîÂøJÕD¯nï^»o7±Êæ‚FŸæ\á+ä¿Œo:
ðF‚/î#Ñ*þm5gÊ·f¢L|8/ÅÛóÂoê~ÖmÓî37Þgž¸ ×#‡•˜€¸Šw	öç½LÄ0ŸàáîáŠôÏÅÀÂ7MQ‰ òÜ­-3lÔ.ÜztTÅÞ_.·éçE]-?W‹ 8èžõ>NPjB¾áÑ$å±d(àuQTÏeèÅzÒ3ç}2–a'¡³jCûÕî†9Hm
+4.º>s¨…q¹Ï	׺;ª¬©O"$§s¦þ&ÉDB¤áòpÞî“S©)1x«y"´‚1Õ±ÏM	ýšá¡cº¶àø“ý÷ÎÂåm7æÑ›“ ‰°´ò I¿¤t@ÙŸMq4û¬Ï€&Ó‚é“°Í$>€&Œ»{[<ƒß¶,³eV×)6'í`vÈgqüy{ì0/µÀ
+OÛô?H¨•7ö3ÀÈ´F4µx¶TâaB÷b1±}XÔçöV‰÷np pRã°Ù¥#|ÌÜ›MjÃh»n7ó˜-SDHæoD¿~snSEëßw _Ùå>/¦D^fÈ@2ÏZBóUäÛ¼	Wsðw%™t½ÊœÆŠ/îzÞÖ_ ºÝ:‚ëû[âfoç,jÜUâ×ÙgÞ0~Å:küR˜'™ç
êIRí…€ÁÊñp•*NîÃæPðùñª¯vc§‰
ÌÞÛýÑÞ¤å^/½Sìšjï¿ö‡Sc:£@ŒaöíOÑ~l 9cçûªÜÚÆ)­ÀË¥ÍÂÏ¥›¶4L×ín‡N)iä?èÖhK\Ñ7tVˆõ”Œ€“(ÆGüðÒ;5”½Ñ]ÕX3@ÅPÔxÕÊâp‘sÞèðr‰9àÆÏùÖ-ë&ú2à³³5ÌWÞ›ÝßX>î§È›¦È¦lmÍš¡œÏÈÕvVöª1¨‚UÁA!Àé27‚Çâ¥d@#Æ'µ.AmëŽIëÌá‹‹ÝÚËáî®`\Ç}òW_œhc3rë_¶šêà
++­¦%WãZïÈúNµ—Ê,—UØ7HTE™%IBµ>&*ÚeÁ?ý§t‡¿”†€h'º@¨ø Ižy#/4
j¬âîî> endobj
-2173 0 obj <<
-/D [2171 0 R /XYZ 85.0394 794.5015 null]
+2143 0 obj <<
+/D [2141 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2174 0 obj <<
-/D [2171 0 R /XYZ 85.0394 751.281 null]
+2144 0 obj <<
+/D [2141 0 R /XYZ 85.0394 752.2237 null]
 >> endobj
-2175 0 obj <<
-/D [2171 0 R /XYZ 85.0394 555.2948 null]
->> endobj
-2176 0 obj <<
-/D [2171 0 R /XYZ 85.0394 126.1169 null]
->> endobj
-2170 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R /F53 1052 0 R /F41 959 0 R >>
+2140 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
+/XObject << /Im2 1084 0 R /Im3 1219 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2179 0 obj <<
-/Length 2725      
+2147 0 obj <<
+/Length 2389      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Y_oÜF÷§Xà*·Yeþk”{r§uÑ8¹xÐôAÞ•m¡ZÉ]IvýíÎh%­6Nq0àq(‡ääŒø‚Á_h›T¤‹$U±f\/ÖÛ¶¸ƒ¹ŸO¸çY¦åëíêäõ{™,Ò85Â,V·Y6fÖòÅjó{ô6æ*>ýcõëë÷Z˜0s&`äú|õî<>ÿxõž8GbE’Ä	—©g=ûôéâêÝåO—B3ºÔŒEή¾œýF´O§©ˆÎ~¾¸Fa'«~#ÃÍr&qüþ[l`Ï¿ž°X¦V/žàÅÇÁŒ¹qÖ›Û1ÜT‚º,ÉÌ ”fÖ,VI€#€X&f¿2Á—K‰€À'B“ï–AÁÖ!´.i²k‹²hŸO!(ƒKÃE´º§}±æ<ºÏ<1CÕÀbÒCªôbÙ›ÔjŠmQf¸˜Ðä†Su붣¤@Ô¬ÚøéçªÍþ¦q[Ïø…+¨1ÊoyŸÊæ“ÆI¢mŸM–ZêèºÍòyÕ6~顣ʺÉ2***¢Þì²uÞL4…4¹dù秢½V`±B+²3ÀYŠ†ß¬Ëº}”TÑy™u
JPÙpEär.DB3Ð'zmÝCÙÔž­—êßï•ó«¬‚À®ÁÔë˜Öõ%{½Úç2hÁÝ°‰/»‡È‘ùæM?)[qJ
-ç”Kœ¬7`΢×?íÇ׳/üôÓÌ+¯‰ÖÖô›£ÉqPßÒoYTùHéö¥*þ>”ö¯ïvˆÿ¡¢/e܃¡l´íÖ÷8J1üJÄ’Ûû¬šY-…Tc{ÿ,¨%K½{a±€N\ˇPÛ{ò¨ŸØÕz=«ˆ¯~ÀÕL¸^ÑdÀ8„ƒ’†OâÂç²¾‘³`ñŒ~þÌŸ'|ñ\hà–fà»—&*è{h%¥â”	îùI–¸„—¸O|B“=æ~†Àˆ ±ü˜
-FÅLíeoòÛ¬+Û¥·À¡*Öĉҡ¦hµÂkp[—eýä	<Ý<Ó/¥qT¾'€òÅu¬›Ø¾v©ÒÁfCnn"`ˆ»	úñÙ_`:å‘S7Q./
-2<ÌÞ×MK£§¢,itãßì|r„¹û¼òrküe#ù¾ºÀ8H½+Ù'eáÙ©}×y%¤~1…ä ¡~OEĽ)}Ä‘"‰m"ìÄž‡RM3¡ÍÔ‰Âúý¥C'Õ9Q¤Þ‰@ÆI½W,yÅþt_`ÊÊ,6`‘t*7›ÛOÊcžôÝóüFô°L¥C`,)¸t˜‰Æ£à0¸ŸKhÊ£KTÜXô÷áâá%÷k›™Õ%œ©tª‡­’I£ê>ˆÊÛ)]§d‚aYj`‘„…‹ê01cã“Z_›aVCÁá¬Étò’ySrêgIÊZðs–qý!OÂã6k×÷Þ˜à£ØnÇÆ,ª»¹„GjÑ{äX‘prÔö £ÁÖ—`%§Ÿå!Žé‚˲€dë‘l{$[*HÉ:°5ÄÛD…l,Ð.~ðëx'ø'2=pRòV€ÎØØ„qÛ<@ʦ›$G i8“ÕšØyÌX&QX°ÉŒO°z”`O°:$X9¹nÔBÖ4„"Qåë@¯é”,´Ø@ ínëÖ‹ò0‡‘7™K°ÎŠM"ÂaŠÁœ C‚:²{ÀKt:ªˆ$3”—^„-˜	}‰ñØÒ[l-!¢žvDS	Zôi÷»TÝ;Ê*aÖ)¼ŽÍ8pÍã+žf®o!Ik6‹$Æ’6@æ(Š‘¤‡Œ”à×C)ñPJ˜&—;p¤Aœ§pš¶u·[çK¬çXËgîIðÆ å蛳@—¬#øÍ/²|4sëhs£ÇéÛCˆj_® óÖ®	d¤¸¶(»qA‚ëTapùéQÑ5ˆD2ž½¦ãáÚ3Z›¼ñp
-ºœî¹¹Ðo”á;Ó_žÝ¶û¦|Î9
-o2þb^¶pL·j_Užj§ÄæUè½C×ZäaoM;»MîïÌŸÚÆ»#c+Û0z¹Ø®QÚq-¼_aÔ"Áß2,––Å\èÉ=#”‡.EŽÒô‡†ŽnfÐLÃ+tƒÁ!ê¦)nJÿ’7s À*‘ö-É|]†ÚʾW{5×€ÄÖrýBJ`ë\|6Ð?2('‡à‘Ï¡PË8I­´š"	f¡¯ÃöÝŠX³éÑiÛa»-Œ¤GCò®QÞ#HrVøÍ臎Qfä|Á]!ì%H$Œé¢f¨”ÏpTuÛ—(€Cýf3‘ø=¤ÒHÇWû.oÇ×þòcîÐËeÌLoöMKðI:­ðBPW†¿x/Q.ëP×ƙÑ(ãèÆ3ù|…òª¦Í3ÿà,šx·J€0ŒÑ1îô-£‹Ì¹m¼¹Î
\±	Ø(_
-0eögN#¢h¬ßP5 „»K  ÝÝ2Üõ
-žwΘšºÛKˆÕqÊ{“†ȱHì…ûøþ®zÁdlu
-¨½ÂCç¸
-Põ#r“&ŸHdåYLú¤ÿéÀ{jp¡ãBöÖ_)§0©º¯|uÁW†ÕY&1¢Ù?¨#G*;ƒ³”ß>kà·”ÔÞQ(†¡yçn(p쮡Íg.LBÃÛgW @Å[˜PrJÉGè
-ÐO¡Jþ~7±–ò	©á²;Ú§:ãĨI@‡k“CC`³eeˬ¼«w°›íü5:粿GÛ}±¾HŸŠ¤xI»{}.Lì…ºÇ#×é	´L¶??»<€”¾grÝœtíÌ¿±¯SѺÛùoYmùL“uE#ýòáì|ùáö÷d©†îKNn©z›ý=jG3Iϱ?³ Ï,HÍè±ÉפGKä>%¸ï†]8á;–5ùÒ(¢‚5ëo4‚ì·7îÍÜ}ðÐárχ^¾®÷Kº‹?ßÙÀ¸h½l¸ywT/nSw®…Àñ_œ²(Ææ>üBKŒ_kg¾(±þ#ÐÿýQxÿ¹\%±´Vì¿÷Žû·!&(…–âJ¨>êþ?ør-×endstream
+xÚÅYÝsÛ6÷_Á·R3‚/âcúä\œœ;‰›Kœ»›iû@KÅF"]‘´ãÿ¾,H“¥´çtnܦÎÒ¥ó.[†+ƒn¾ÙT~ׇ0­¼züp¯߉·-Tà‰ï‹»uq1„Â0éêE~‡'œk/xØþ%€cÅ3`û·¼Ø„©à5ÉÐQŸçûœZY@ËùÈ=/2éc4À	‡`Çá.O"b—Ó§±§úÃAŸÆf"^/8án_{–iJ†;ÈÕMÈ5„)«‰ÔvO®®i‹àûür¢ûžŒ{¬¹"†Y½‡€À@înãD?èßí¢¹Å-«;‡PT‡8ÀÓº]¬q
+#‚HäšK#ðÅjñÙÁ@‰šuÞà²M^ZFî%°K•pò‘D¼«vM}3Áˆ€Ûÿ&(FD„ÉØ_p…~É1”>¸‚œ†ÁŒÂ$Å4èj
+)ÉïBôOú®è]=ŸN*É+€²nØ>züè
9Ÿ=	
+e¯õ'·¥Jß’1š¶_¾qudÔ`¯BuF]æ[0‚Ãè+2’eZ?™~¬C:åŸgœ¦ÁÔ³´t›ïf`F‘¢g~SlN ¿uÀ›¢Þú®aÖ/wÕ¶ Šc#ÄS4[öX>˜ƒ¨
ç€tçËÂÝ5ØG	•MŸdð£Õ$1¦!d‡I7E¹<…HtòááÀ9ÇÏX¶%Š~5›KÌHZ.±Q»¦[UÍcöj|°ÉÔØQÅ$<´v®®Úm)4xú¶ÿ‡
áÅá'ýT®¼ºýÚ2oÜ欀¦]$ Z2"¿xëò2rÅØ­ÉÌFOPs:³卵2äY•›Ç˜Ëh%©ŸîÁ[i…Šû쯓ÛôaíÊ	«`‘Ìʯ[­0ÜrϲË|Ï`r£{Œ“œpx*!ÌmrÒ³ H0–~|‚ðt²ó»xr8GÁ?G†X@æ7bMu
+O¥–QÁ°ï‹ª­‘xo¿8ºôæ”!Õóéd—a÷Ði`0/,ºqØß¹&/BV8;´:¾¾:àçÉNmMòÇó£A&&üßó#aà­¯ENæG=Uðªû}Å(ˆ4ÒªdÈì`ËŽhbË¡çhjtoËÎC>‚ÿB¾w»º—íöbÜò
÷¥hn±;ºÈ4Ñ™ýJEeHuB?UÐÏ¿ô³Š‰Ó[vD[Žôãã.Wã-ÿGýÜ´Å&61†*ÆŸ× ä’ Æ×,l@uBƒUÐà—©œ
)x÷ Ëk7_A8¨Jq@É¼ø¤x=Õ„|£ª”€+¬ø¶Ê£‚–y“ck…¤íDb6­´T“¢ïí§`;¥ºSexä
o5¬Žw¶Ú›[ºUÞn¢ÜîÁ×2æÉŒCÒdÕ7É“µ†4Íü•jQXq¼XÄYF4§ú+Y27ÀNñ÷‹¸PPQûbÑ󉼙K_,ÒƒZØbŸ¼øö6¤Ð¡=D×ËFþëËF¾ÚmàÄqªçâÓl­âL	€êÖüèËË«WزøY"äÏàÝÆ?ë©2ÆmÒm¬µ„N(gÁwç¶ý‘K¤ôùV,òò¶å.mºjƪmÚ]ÏdãòÚa~y´‡õ,ý0{dõ‚c·–«ï¢%ÓPDuË7Wço?Nê3Y@Q…EÆËrPŠ®Ú&²ÕÓÓ>±ëâ¶Ì}Ææ'û"$f…ÕmüÆj$Õ¨P+/Ü`ƒkú*ºÏ‚k·Xú!Ê:’jnº”yW.SÕ@?ˆ‘èI´C‰¼×Ë—GáËçd,Ö	ŽÃ×ê8|õTñBþùéýA}Hj;½mG4±í•('TCr4Ú÷5þà°ˆhq	k2›±Pïd¦ezTUÌMù‰ª×Ԁ踢:¢¨§Ë«kQ1í€ë‹ï^²ÖhyRŒžèPŽ‘æ2Ø
+q$Ⱥ ¹¬ÊÓê;’=™/QY"ᩃ²ª»îa¸SwíÊ%ÖÄB~õga›˜•=9ß½š–"´‹HÔ–}y™ûµRø_„Ä”ÆhXžýKæÓOµRÃ3Çði݃Öà±r× ”×êÐè(¤\€ƒ‡²ÿ¬þ:endstream
 endobj
-2178 0 obj <<
+2146 0 obj <<
 /Type /Page
-/Contents 2179 0 R
-/Resources 2177 0 R
+/Contents 2147 0 R
+/Resources 2145 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2159 0 R
+/Parent 2128 0 R
 >> endobj
-2180 0 obj <<
-/D [2178 0 R /XYZ 56.6929 794.5015 null]
+2148 0 obj <<
+/D [2146 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2181 0 obj <<
-/D [2178 0 R /XYZ 56.6929 752.2635 null]
+2149 0 obj <<
+/D [2146 0 R /XYZ 56.6929 166.8062 null]
 >> endobj
-2182 0 obj <<
-/D [2178 0 R /XYZ 56.6929 690.7232 null]
+2145 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F53 1062 0 R /F62 1095 0 R /F41 969 0 R /F63 1098 0 R >>
+/XObject << /Im3 1219 0 R /Im2 1084 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2152 0 obj <<
+/Length 2164      
+/Filter /FlateDecode
+>>
+stream
+xÚ½YKoã8¾çWø¶
+0bó¥×ÜÜIº'ƒî$“8À`39(kÛ’<–”žöÇo‘EÊ’¬tìbáƒø(‹õøªH³…[Ä¡"‘‹(‘$ ,Xdå]<ÁÜç#fi|Gä©>®Ž>|Ñ"!IÈÃÅêqÀ+&4ŽÙb•ßyË««³‹Óóß}Pï#9öJ½¯Ë‹Ûå»:N¸·ü|v].EDŒkºz7·W§ËãHz«³ãûÕ¯Gg«^¬¡èŒ
+-ÓŸGw÷t‘Ã	~=¢D$q°øJX’ðEy$A)„ÙÝýÖ3Ìš¥sªDL‚˜G3ºàlÁI‚€”$$\eœ\^|:ÿ|{½ÔG^_^è3ÁJ1Ð"]€V’À,Y­•%b"L“$bMS¥¥ÊgX	I(¹¥ÊêêJùS·KÛ¢®Ž}A…§G6J·¥W48ÖÖ56²ºÜnÔ_8ÛÚÁ\5Ù®xpk*7Ú¦ÅÛkµ;f±§À†2¢Þ)‘Y«†\¶{ApsémÍÚÚ×ÇÑê&>*=ê¹Èá´ÆuôîúÛ:%‰dpü  2dÂÿãùÅ)R'øYæeQMê¨w8t­­ìU¦pèkZuéfF¹,Œ	Ãв'3VùÁ”p€˜€%’›ÜNÞ¢=m£ÅàûÊá'’I'BW¦Í·9¾üÜ	©þ uVל3<°õ	=RÖ¹ÓžaïMSî%‚†ð¶©UY‹Ö‚™jðÁBïügpÛf²/“{/3*”‘H$á[žNI’!ÕOè<2`„:Vû¸„ɦËÖ°a,½TKÞ¿ênWÍ •ñ'è%«”‘.F÷×ÄëôYáHÖ5­Q´·jWM*t+ç
ÆCN&o[,âÔ§Y×ÝÆŠñ PŒFµ8 þÚnŠ¬h7/Ø7!hÀ8Cð$ !&Õ5.žÌ!á۴鮄ÖÈ,‘•Á[VDÆÒ9ôÈ/ËbúŒ†$Œâxá‹€Ä1•fÙ§ó/¦ØOÁ²aBNfgÓ–%ò‡Tªe<“¶z*½ëÕf̹àæãtIQñ†=Õ¡c(‰ÎcPçH„ÕÚBP®Óncíq€âz–¼¦¥ ŠMØZR½®¥žÊhé9Ý}ØujÊêk[äSA8u®”?–¤§:e¤.nü
+âz$˼ºNçù¶}PÆDê`äƒ7gg6g|¹¹œÉ4“œ}ýéäØg	õ ,3q!)	eÑjÂP—‚Y‚!;ù¿e¼ƒÏ)Ç÷³µÊ¾éxÐI$Ö™ápúïºRÓé]•gÓ±ÍwLM>ËŒ¸mœ9<”Ï4êËp‚fÿ·A)˜ØÝ.@½¯È”@½¡ì=Î#l¾€yŠÌv.n°1¤íÚbS´/sz¢“°z©êm•ß.B(ÏÄ7d*2Ï¡TÀ	$´jCjlÔzªñÉCPäŸß»ÖißzÂÆ¿ñã×ãîfܵªFÆ#Xãjó»u™f?ßSZ»êçFe;ÕÎÔL0å>8ÝßævH@ÑŽ?›¹ŠügŸ¢ïmáD¡rŽô…oX8ÝùíÜ6‚$úö…Ú¢Tu×¾ºë7²ŠìfXj	W\tùöu®p¹Šà†5åº{WÐð®PÍ«\ã)×ë7¹îÒ*¯Ë\=Ï1•$„jtÊôÙê\È-;³;m5í÷³°Ã¥®&'¨szvsr}~5¸^²×¡gˆÓ<×j)¥»Žh@bÔ‹Ì‹ðmº‡²h±½Gæз °ûg§šÖrLí7W:1WŽ½)dáéŠ3Ž÷Lñ£5c…P»g€ôH@ŽEP ®€7ÛsŒœ9ÝlêïzãPX‘¸è†IýhV›onHí-&,Qšã]š&·	®+ëg71¸6éøÑYé¿íZ;·.M2µ<ôT^´Eõ„,èa[*úB̯¯Ùê‡þÓÀò:ÄèlY™V}}	7ùꀬßààØp)ulì—¨8ånŽ?
+ß/i½uZ'ý™×çýXÀ
Û[©ÛMwº*_0ÍÜ9¤î賡168ð\¤s+1”ã¬Ïø?
+ˆ$I¨ÕvÏ?§¿œ\aË:'¶íeN·«ÚJÿ`×Wv®Ãæš³zð9dñ8'Z[¹õi3$^û;ƒ(2klír¶Vfs<¦]»:Ï€·Ôi›ŽÝàÁÎlê¦+ÞWå"Hf̽™´V…Öުб²bxˆºàÓsFõ=?|zÀuîYJâ8”ï218žË0xû7BÖø}°}óf„·-³48SÂY(ÆfÓa¬C—FPŽö!&ùþÐ\2pó¬ÃFåÒ½»À”fð»¦L¡fÜa{…š½B3…_æ9°-4|’æñÅÌXîÜûz±üz†MCg|	êÇ‘܉1<áÍåòAŸ9åä™3	…Dîéd.×îEQ¥ß\vÙ>$L¢ø]¦"Þ³V;ƒŸšwa÷ÈÕC÷d·«smÏ@&VázÐ^?õ“¥kHf0Ù<Ö»Ò=Çrpø“
+áÚº$/}ÄI{Í›om¬§C.Ó\M»]˜l7…Ck5U<»ç¡áà`¥ÍÂÁ8¿òZ•Š¾^Ïí´/mþë—üý?PU‰8æó	„H˜J땉h*zÿæ(ûh¦HØendstream
+endobj
+2151 0 obj <<
+/Type /Page
+/Contents 2152 0 R
+/Resources 2150 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2128 0 R
+>> endobj
+2153 0 obj <<
+/D [2151 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2154 0 obj <<
+/D [2151 0 R /XYZ 85.0394 752.3006 null]
+>> endobj
+2155 0 obj <<
+/D [2151 0 R /XYZ 85.0394 637.1124 null]
+>> endobj
+2156 0 obj <<
+/D [2151 0 R /XYZ 85.0394 533.8793 null]
+>> endobj
+2157 0 obj <<
+/D [2151 0 R /XYZ 85.0394 460.7643 null]
 >> endobj
 710 0 obj <<
-/D [2178 0 R /XYZ 56.6929 652.8084 null]
+/D [2151 0 R /XYZ 85.0394 423.114 null]
 >> endobj
-2183 0 obj <<
-/D [2178 0 R /XYZ 56.6929 620.2916 null]
+2158 0 obj <<
+/D [2151 0 R /XYZ 85.0394 387.2272 null]
 >> endobj
-2184 0 obj <<
-/D [2178 0 R /XYZ 56.6929 585.1376 null]
+2159 0 obj <<
+/D [2151 0 R /XYZ 85.0394 355.6754 null]
 >> endobj
-2185 0 obj <<
-/D [2178 0 R /XYZ 56.6929 520.6753 null]
+2160 0 obj <<
+/D [2151 0 R /XYZ 85.0394 291.5937 null]
 >> endobj
-2186 0 obj <<
-/D [2178 0 R /XYZ 56.6929 462.0998 null]
+2161 0 obj <<
+/D [2151 0 R /XYZ 85.0394 209.4884 null]
+>> endobj
+2150 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2164 0 obj <<
+/Length 4125      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿Âo§L#šì[š¯ËµMs3½»¶IÛœH¤*RNÝNÿûíbà‡ '77™À\,û
ˆËþÄ¥6‘Ée~™æI¤c¡/ËÝE|yï^_³vƒÖÓQß\_\½RéeåFšËë›	®,Š³L\^W?¯¾‰„ŒžŠxõöý‡w/ž=I“ÕõË'k)eVÏÞ½{ùöÅ›A_Ç0FÆñêûgo?<ûŽ`ïžärõìõË÷O~½þÇÅËkOÖ”t+¤é·‹Ÿ/+XÁ?.âH噾ü8y./w‰V‘N”ríÅû‹z„“·öÓ +DIed€R…x¡óÈ(x…¼¸¾«qW¯1*òH˜4ü8fý‚†Ì°‰$Jñn?4]KÜÙëž¿˜"5xbþ¢íûªêêV‘H‡úðDd«zßB_TUƒ“[êWõæx{Û´·ÔmÚ›î°+Fr†.¸@eIlÜ
+«Ð
+E”k-yH„#.×*1Q¬³ôr-Ò(Oã\Tq®Ýß…¹È’%M²úÔwÔ*,DÃʆú¶>0вåö¸«Û Ý
=ÿ¨í«Ž¡úø®¹½sßöõÐSkºmcÛ9BÇr”>ÛÖ÷õ4@i¹z³˜à)v3ÿ)±ØšPKÇ<\VÓóN5}±ÙÖ±2v,ÔÄÂ'y¼:m_”Ä•‹UßܶÅp$è	VürSÓóØ×µ`«í³8ÂÂÚ¡)Q¾èÍ7^<´Å®)¹óö=£°¢ØÃBS¥p7û÷Áõû7¯=ý“E2[âh°*-;û¬6<ìùmU÷å¡ÙÔü¢Á…¥jõã«ç2K4qíWwüÌÿK	þ‰ó“Q'ˆZiŨ‹¶òP™+1_ÙJ;½Q«×ï߯íÒm¯À½0r6€í,Æ.@™D;M’¯Üg’	Ý6v+a\Çãzôw$Õ]_—Ôèóá®ÜÈ’íµ¬@ÀócÛ}bÌNùg†h±s[¢$SVOË/p¬6ÐY²-	´îA/€™¨-q¶z~<ñíô	!V¨/I2~L„Û{´o5£¯ÛòðàLô‹ímws°£îÕiøŒ‹ «aðüû÷Ïž¯Ié³¥~ÿB[*²Õ§»¦DûûCƒäԿıl‰ŠÌn&>a3©!EœØÅå«Ú²&`7Y¦'“ññf‘ó2»†§DG±ßoA3A}qé=?5Û-lëº
+I(*½ÌràZô3fòùÞôõ¶.j÷3œ
fÚ“%Ûk),|ÂlìöôüT[:¯ƒxLiäiÝòW£"«Šô–á™ã‰J"ÓÕ+`FÀ¢4m?Àh`*ûc3 ùÄHhRlÇÚI ‡C®¡§þ'V¶aàF­žA3è!eáB’:/|UåŠ{•]{Е\Bx¡·ë;ÆM:“Uò)xHŒnfëvyBÆEßw%ív-2pâ(4ó=Ä·SÃ}Ë,‹™eã.c—œíñ›w<²ªØ´÷@?;	4‚Aky&’aŠ>B²J܆å[vCàyì­¨`“-&´¦‚Ôµ6Í–À~kM*´öÇÍÖº7h“Œ@Ú“îöPìïÈ1¢kŒc;‚§¤Çé$ˆŽí˜RdRë@sDšݱÈfmØøõCçm½µ`ÎÖÑãÛ—ÿ¦ñKßûG×N0Ú<œ±Õjf«O½ƒJ <–>lûœw‚V]ÍV¸íjñEP/ˆ%0E€øqƽϫYÔ•ù¨¶&žxgŒ³H°õm}Øp´ÆVŒ
+…ªØö!¬Ý³øì1>蛋¥Yeì$d±r•G	˜?„¢b‰$uÉ:.cki“:Þ¯?~;TKʼôæÿ¾©ê‘bûfŠÀ‹Y(ïѹw„-^ÝÖm} ˆFdUÀI”ooØò¯…L#
±ß\NÜHž¬í`‹
ÞÛ¦‰~;ÖýÐ[ß!ÀûÞÇí@ï)þÄ–
 &@?¤3÷ââVOÑ‘CgwŽÅvû2oõïåÌØ}½ˆð)Iú‰Üc"Ϩ¤âQÁH"e|JæÓ%@IAŒ´ÉÀÓ‰yób>ØíXE݇õ~¦ùõt~Ç‘ñéÚÝ®(¿P)ó(Ëœ†þ@£"%Rg`ÀH¢Â"V6ÀJ0Äe€¥™£Á-ÅYã5èV$r)1.?H.lš˜J¶‹Ð˜˜u™æÖEžRÆÊh§JDi€6•A6ÏHƒ´îxöMÑ×&¡‰!Ìí¬á‹©ÂáËQá#i¶úÐ3½´uFˆdÌOÓÏ‘Ic±¢TzŠ!Q-!‘+n9â„ô7ÒL鹸oê²°nSfÂ…ƒr¾x15øÞN‚ð#Æ
+4JrTiÍ>Ên·£tÞm›–'Ydýˆ­å¶uq ÐPÿŽLK Ôº¾s³íŠz»aT÷MßØh’±\9-	œFwöG.¿L”zûƒAA‚zpe®ÖÐè‡ÿ@̶µ+5í?ËèoxŒŸ(ÁWÿ=X¡x°„ðÓ­WT6‘ê¼÷1R?ê6À/§Ù¼°õ4'¨H§¹ü¢0A¦z^Î*ª~¤Ò6fb#ç1,¾Ÿð}úóòTc…6Q–$r´27Í6Hž€qJLŠX@àð@˜™LI96’g÷	ùÔ1}äØÖ®CdoÄ\ vÅÐÑ£´ra°ÀÓÞZQ€¶ƒòo¥‚KR¨,¡1ÆjEM:ÒqÖT"mªŽŒ2bdZH@òHƾ8êS­§\·ãÄÚ83T©ÂçÔß[¦ê°RÉ<“ZDu-b€Ò:[[iÛ<„(N#¡1UÕökdÌ Ü@Ф¿ž²?8r»!ùj_4 zb¾åÀ`ŠÛYƒpä7CÇaò×m®ï™=·ÕÂD*Kñßþ‰(ÿŠ¾`m¿úóö¯Ûýåê®ÂÖ]ó¹oŒÁÿšiÕ&X›Í¤¯ÿž™rÊû°NÌ\e:á%Ö|ÜÞç)%®2§ôÓ½Gph/1
+ÌsÏØL°kXä™í„H@gzÔÜ«ma·ªò˜ÑƒOøîL.ÖfX±	=´(]Í]ÕZ¿é÷uÙÜhg:Á«€|\¨iý*ñõ+W·UcùÀg+A왕l[UgÃM97ªJ),õy׶uÉY–Åß-æ±ÌàôPdîÔibýW÷ÉÁ+çã™òdzgÊù,ôfÿ/b¥âEQê´q±qõP˜ŽÕ<å³½Çm¯ˆs5«b!î/Þa#%#€¾¶‰@|Õ SG4O&œ„[lI»%;HC:†Tî:‚n9ôpzâî
ħ\E©Ê“åIÆè¹õ*æÉ™ó$€è[oIÀëçüŸÉH
+púr›9¨sñÄê©È}~Þ}©üø¼\æçoˆÈä^Eß[¥Ìdogüð+½MvQ'$Qy¶´»ìçlöÊaÆãª(Ö7`É6.Ååc¡1ÞCɪbƒeÌr$A{!I“dWTáÒÚÝâØö»íi`4VquþF{Ümꃿ`á2u.¸"@9õqÓ¡ÌV»fǧ赂8FhùûœÎâ*Á9nÄ2sùðz8S^ŒÍIeHÇå´»â÷fwÜ1´Ù1¸à/üŽ*³Ð3”nÔ’M­MÍ4÷j—¬ôªØØb«e†Ù£Ì„=~¬Y©8öìQ`5—çk°/UÏŒþÏx]D³íŸ
+4EéÓ½ã[9AtÇ!|µ#¼Y”JéÏŽáýˆãøävŒ=ìú™uÕÎNkæö`«M1]›9Üx‹Eæš9O9‡ƒzz*‡Þ±s5{ñ Ó‹/"gv3^¶Ž|ԊϲÛí>°Q×Í÷d^U[rÕ•Ôü46
©NUљⅷ%á©ûÿekòH¦Ò'Œ‡3—tlN..Åþv‘‹ýÍ„DRyÀ‘hÄœD|o‘™[Ö}*EבÄü:’¿U3µ<½WE?›SEãg®Òø;LRdÂ'¦÷3>*[ÿªÏ%]8J‡ªùEFB˜ü䦜$«=
+†On!aŸÄBò,-„VùSâ¡v‡8r18_¦D	ï¨Íç›ÐâTXÎÎÏ(ú@ž-Î4Cµ»4’þÀð
+–}E¤…"eÈ|D&Ƴ@ðÔ)î`ª@ep‰×Kî{SB*'wêä>™1ú–)0hd
+Á~Bl¼é
+î,í±Ú³‘[Ö•%xROæcÛ¹VÙ¤‰‹dn¶—*uŽÆ‡ŠKk)èQÞ‡¢´©
+¾%Ð+Ë'xúš*ŸÖT•[8½a¤ÖÌÃsÃs²ÞGÁÃlšàfF¥çuª¸°ÍMh‘›GØ¿cHwR#ÕXƒÅmetÚgcbß´•­õ4%î8Ïb#c,^ÓqZz¾I†à
SÉÑ,yçFï“pØç-|2«ùó\!òÅõ«0¨Ùo'Æ}rïÚ‚‘Ò I©ýêÍÛw®é“W?üøý3¼´q.3æxýòN$¤N'"ó̦÷J§æ+Õ‘öù+ž,œ9®„=ÊóDMÕï2
 {ã–¸Ymp¯^ÒM)ÔU†C˜ÀÉÁR×Ò³þTÁš~HgÉôÔÑŽ˜“ØEk3bég×R¯Þw»š <{O=Ÿ‘áa¾
q-´ÚJõZÍ{þn<ì»Þº3DÈÙ¸¤{_=_±ÉUÝÐ-:lûâ¦%cÍcè3·ÍAVðUànxì¥êÿ¾‰>Þ¸OÒHa¥8xÉ\‚`ÀÇÆ…\*;!ÝÝY?¥ý¿Å{ïendstream
+endobj
+2163 0 obj <<
+/Type /Page
+/Contents 2164 0 R
+/Resources 2162 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2128 0 R
+>> endobj
+2165 0 obj <<
+/D [2163 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2166 0 obj <<
+/D [2163 0 R /XYZ 56.6929 95.0316 null]
+>> endobj
+2162 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2169 0 obj <<
+/Length 3384      
+/Filter /FlateDecode
+>>
+stream
+xÚ½Z[oÛ8~ϯÈÛ8@ÍåU"÷-ƒvìt»M»@§Š­4Úú’±ä¶™_¿çð%Ëv:"š<¢Ïå;I\rø—Ö0®œ¾,f†s¹X_ðË°öÓ…4óH4Ï©~¼½øÛ?Tyé˜+dqy{Ÿíe·V\Þ.ßϮ߾}õæåëÿ^Í¥á³ÙÕÜp>ûåúͯ×ÿ¤¹·WNήzu?¥V	‰tŸ½¹ùõíËë«RÏn_]}¸ýùâÕmb+g]p…<ý~ñþ¿\Â	~¾àL9k.¿À΄sòr}¡bF+gV7ÿNf«þÖ)Qe™±²œ…TS²0Ž
+–PÛÝÕ\	1{Ü]	;«éÿïû¦mºWølñP/>µDµÝе{ˆ‹ÛMWoº¸|?Zþc»©Al¤yûP·5-ç;¶u—vZ6]³Ý´qª$ÛuØnS­Ã‘m¼t‚˜Áœ1’NŒÈBÍè8ívï‹gu˜]lýuÙéoÜðwï`?šª8È.Œ¿6m×ÒýÛ0ׄ[«»d@k÷~ÓíšV¼ p¡À¶‚ p6?3þ^ïÛ°Í] X×]xÖ=-àŽ†ç7t, sj¶\V]GÖ~sø†k·¥k»_,êz‰ŠRnö«¿5|iV+Ý
vû_½èêeØî>l÷Hàî.Üïe•/N®dÒœœö¾jV,-”̹Òù…WŸë݈¶,Ò©UYO‹°}K:Äeoªpý£¾D»
;º®·Qžxó×a§j³$š?êÃ}ŠÁ>eà°QÖ)4q“Õjû¥Òl…tÔtÕÝÊ,nò•/*¯$èÏ.Çg'Mãc‹Ú¦‰æž‚áƒëEóç2’úÞpàCHZõGϪÉ5ð ÐëºiÛfóLÀÚÜ{àÙ"ŒH3»¦™»UµùDÃfó¸ïh¸j6áôfozax0 ¡ÈÐPJÉ”.
+àÙ6—*ÇL©™ÖN¢Åv½u„€­Õ¾õ®’s[-ûõ~EªñTt©w.uÁJgÜPÍÞ¼›Á5 
+Œª–®ÛMXzù8Ø,Â774Hã¡ÇÃDÜx4IéA;p g“ÞuàÖ몌¥YؽÙÑp]WÒ*$dÊŽs¿õ&ÿ÷ƒÊ7¨‰Ò‘G¢ šçTñÄDÄKT¤iàìð½0Þ?nw݇1KÂV*%Oó”¨&˜˜ç¬Ú¹º©7Þ‹¸A, Á2*$ÿ†q¦_&‡Š¼0¡Fá¼Þ¶Íж![ÐB'H²8ôHÊÒØ@Š¾XšÙƒÈ¦œ[SmzƒLI›$îÇœbM˜?=þÁ5ÓçfY/_Lx«Ð–iÌlˆMÄqÈ©6LI9¥øELxœ†Ñ>8üÑIp0XWm—˜Í÷Cºž°/€ ¥ `Š•˜à[Ä.]_rÅì—7׿¼Â¡™y¤]-iÞ§-΄ÜgðîZš½ù×5M±—c .f Bˆ÷Oq«ðÌx.œL.ó!BÊ&f™ÐW¦ ³@Èò÷©†‰lÀÀß#=Ûì×wä‡óÊÃÇAÊ®¸PÏ1Ï°]*(ý¡î'{ö²NáåØŸpæ£Ï»Œñ8Œ‰›Ô³×÷4µÙfG!ÍÛ’ñBÛ‘ù§ò žG×#H^Ö÷Õ~Õ`=Ê‹¶ó†W£†ÛC4Z²cˆjÀßEiíiDÍ©Ž#j¢Âƒ®¶‹jÐ}¹ÜÕm{MK‘ö4?‰j‚¡\ó¢,˜uZ9
+h*KNh*K‘i¿Ì¢e)ÆÚÇÕ‘”¡”Á9:äŠJ¨Ð
++ƒíEL“`V+ÑC¨‚í=„úy«JÏñS+ça˜¸Á‚77±¤B
+uH­dZ¸gÁ¨(Ë!ŠÂcŠ
+•¡(Lá°ÚÐ:
+‚À6.,i@&4‹‡m[ohöî‰æBízÀZOáÐ\È’Wö8õù›gŽ{æ|¥ÆñD3w5]уhD!J°êSX;»J›a­Ï\ýþtIÞ¾ ßÈ"Æ‚Ây0Á©Í¶_
+3ÁÏqÜÄœÑb úHB’£qˆ>ñj››”K…	]îÔ¼89Õq˜HT1Òãq‘|
Æ°Bh}š‡D5ÁÄ
+VIË€‹›$7_t§¸µ5AEazÛÆ}öŠÄÛ¼>7`ËÁJŒ6@â;J@‚"cÝ‘‹bì‚%³’—`˜„
+„&övnpÙÖÓat"êó1‚ÐœÑvTœøðõê9p1²(Ÿ.ì9ežÁFáUÌ>ª†eŠë\sHÎãîƒ%£+Ü÷ɨN¸O¤ò൪b`õÃcdJ­Ns‘¨&Ø8p cŠ!Þ|zy4{ñü1êÙ½©Ê¤Á
+¥ ÔŒ¾@'<´}¥5ƒ”òù©T&·¦äêq8fØþõ›	¢ú£+ѽÂþ«VgtŸS×}¢òÝnVì’µz9j]êÓ$ª	†bKB*5à¡×{¬3qЋg›u˜öŽ×UóÙÏèPg¤â5ï¾fôwá~о!‰…Ém|ÖçjµŸ„Tp"]ÊjŽàžÁj[1v]¬êjwäT!õr>ÆÙ=¨ä¸É
+åði;ȨNØA¤Â‡~ªŸû7‹5Á‡@’*Os‰&8€dFØ+Ã8jyŒ£6¦Ü–gqÔæ] R6´»àz{óú§9æ'Õ}
+nyß¿*@LÚ2ú ™ ¸~ôbŸ0]Jíà±j²æ×\sǸå£\ëv²ƒ(E
+¤¨š‰§ÁvÎŽú‡!ƒrv‘4uÑ‚j“ŽXÊÚF87Ø/4?aô¹©ˆ=hxZížÈË|’]lw¦6Ïv7±
ÈÅ&†îù§ï@KÁY)Ë3¾œê„—D*¯Ó]½«Žòu¹]WMçS¡SJ9	‚Þ)¶Õ_Ã,›ärÈØ;|urŽ«¹pÑip„…^ÛíýlßòÁ9LWðê-ÇoöôÈãÛ*iº‡ðˆ”g=©(™)Žd4î´–ÊœÓ-x!+KÈÑOê6§:®ÛD5ÖíÓ·èV9nO³•¨&øëV•RëV‘nÅ­TkŸ)í’	âz¥ÒÛʇ*üHWoJz­íhÊgÆ©I³¿ÅyŠMÙu²–×±å”p
+­
ß„·H#lQÈ36Q°Huèß»][w‡&@(Ÿü}è>°”°Qò4³‰j‚Ûe” µ²;´¨ÿb¨T¡ë£ÄÔ‹ê4›5za.½ˆVô¾ö7ä!cªôtXúE`Žò80oæðÛ"z1ÕÑPC
+]ƒäéì=æøÕfŠ3“W¨o@ •ÅTeLìªxgù§ª‹íºZ4VPø+º]³²t“¾Ⱥ¯°ÿ~}¢+\Á°qÒ2¢ãî‰ñ»½ApÐç)NÑ!«c_à)x¥Þš÷¯({ÇÐ<:®W9Yîýlïx+ú®y_ÀÁ_Ð pgžåú¾ †hù—9ƒeRë˜Ì†ïGLHNùF!gžåÅ_áÍsíÎùFFuÂ9"Õ÷zÑU]ÅØã¬Z+s†óD5Áú@ÐP”hQŒx¿.|8dk.¢²7e¸%ØŒDYsZ³ºZ<àÈ„¯4½xĉcŸ¹d$}³¢ý›ÃuÈ Ü9-íÐÚ‡jG¯°‹Šß0_O¾ì³%`uBá?íŽ nnÏõ“¤cÖ¦Â
ìXaò4é‹Øxçé=È_¿µ&nÛ§‡cß5¾¶E!ø70ëèg*š }ÀÀæß½óŸ
+MȾÑàó£-™µ=L¸Â4˜£úkµèè}Ÿ­«­çÃ+bwb'TÃ/Ÿqç7†¬s>U…qâcó¹žÒ·Â¯`ð‹ïÌE3.½T{¾Â…8¢p…ó5ï7f$š«cÎk˜+8ã¼ ~`GP¿Ï¾ìz7ô£	×ÐÍöï7Ë*%‹¸T
=Ú%û&«Â÷_DE}ïl£‰lÔŽ³Ñ‚9
+aD 3ôýwáYüw}õË’ÉBçIÐψŽc~$Âgç_B-ëUƈßu«àÿ¾Gÿ÷þ?¼ÆV«f~ú‰èðg€@Ëã¥g½ÕøÏi´}¹?™_Hdjá|›mS—Lã‹-‡:ŸÌ3 0¤ö˜“L
+¥ÎåD¢8ôüF:OW”½´‚)üÜa=°=³
+ó»ÊØ?†å»ÙzûÙ7®ñíðm,Ëb^D¿JM}9®ÃϽ'Œ‰§¾ÚwUÞ=¯!O°VËJ4SʉÈJU(7f=}~Èûÿ÷âÓendstream
+endobj
+2168 0 obj <<
+/Type /Page
+/Contents 2169 0 R
+/Resources 2167 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2171 0 R
+>> endobj
+2170 0 obj <<
+/D [2168 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2167 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2174 0 obj <<
+/Length 2303      
+/Filter /FlateDecode
+>>
+stream
+xÚíYQoÛ8~ϯ0p/6¶fH‘’¨—¼MÚËnd/°‹n‰v„Ê’kÉIs¿þ†’‘dÙ	Ð×C€ˆŽf†3ß‡4›Pøc“0"Q$“8$¤,œd›3:YÃÜÇ3fyæŽiÞåúuyvþÇ“„$QM–«Ž,I¨”l²Ì¿L%, 3A§7wÞ^,f±˜./gó <š.no/o.®þ‚÷3pR:½^Üü¹ø„´ÛYL/ïf_—¿].½Y]ÓåÚ¦ïg_¾ÒI+ø팞Èpò/”°$	&›3r
+Î¥<»;ûÃìÌšOG]Á(	xŒø"à_HFÂ$	'q˜ˆÃ”öEÑà’Ò¦ÙoTŽ/ÅJ/ìüCØý¾J¨ S—•ðrõ”ð€ðXF–ËI¯êÍ~»-•ƒS9£ÓåƒÑ”Àz(
­Œ¶-Gô”ˆ€‹žb]Õ»“S•¿³ëªÜš,K]•Ïvª,ë'·ä|gY½Ù¦mq_”Eû—z*Ÿçfª‹Í#5íÁAÛ–fæ7ö·\ÚCù?4¤6xˆWH×¼*ûYhöдݩúnÙà¡Ì¾Ù7/=7¾
ã/°“1Äåû›Åõ¥…]½Q¡ûY”.OµÏ¾æE[˜
R2Õ{x[9tùs•CO׶ÃPÙ7÷E§$ûê¦;ôîKe?Ù@ü©²»tN©N:£IG"kË™õ¾-Ó+S“žð…µQL"_Be§àÊaÁ•ÓlZ±¾ÄL‘¾âÂ:jåhµýTý(šÖ*KÑ ÃHÈqUr°µÏŸ.e®—ºÝnöÖ¹H°qÑÓƒÒq–Ì.Pzˆ5'4éUfi…¶ëq]ÁÁŠ™“ŠM—tnñÐp­çM»ÞPGÖ´›oõvÌivk–ÄÓÏÞÃÁY ­Öä	èOMØì›ÖÒjËcü‰4]fÌg-šP›PÚ°.EæžEÏ+kOWh3Š¯ÆmǺ^™LC
…é’7Ó{eÂÀ™…—.ÜmÆ@½¸¹»»|cÓÉÀ$øŽm!Mòq{ñ…$cPÓŸ~HR>¾»úøÎKÿýòo+À´v@¼ñ
+HtÝ}CçûáêÓÈ-ª=•°Φ“§.].sˆräèâ¹´ÖsÕfç;¨"å#¤xµÀ€@ÒóÓx®CúWNaL8£¾
¶yî4`Eí\±zvGšUº/Û#mØ1 áU‡½0ð—e2îzLwç»}u®ÍÈÏó¼jÈ7õ|à5}éÇ⤞éÀŒ¾Ï’„€»âžj‡àž—–€Viëú*¸ÛzÙžéÊ:KËùËmð¦ÎÕ1·&lÁi·v˜Ž»Õ1éåüŽùÁD—$qìnÏí-|O ‰dî–ÐÀâP^%ºûÆõkRÈ/¡¿ŒŒHÁÙ[ÍÙA]Àöc 2^FaøšAÎâ1p<@%<ÏtŒþU+ã„ÑHô¢qŸ6j	w÷”Õ¹¿p'±ÿ\/Þϯ/ÂÆ2¬}¶"ëÛ—ÂU]èת2í©ïFǯv	ã¶Wnv=Óq”9¦ÿ£ìʶ»âÑöú=¤ñ€PŠ“ñðL\êÇ„²Hö"â‘Æ’.Òô[½ÂçÒô›Ašô¦	÷vâ­H³øOéßGFý^ýÓ?]¾üD+`ÿ“òX2Æ€ÆÆÖ(í!&èa’Ø9mÿN‘_hendstream
+endobj
+2173 0 obj <<
+/Type /Page
+/Contents 2174 0 R
+/Resources 2172 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2171 0 R
+>> endobj
+2175 0 obj <<
+/D [2173 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2176 0 obj <<
+/D [2173 0 R /XYZ 56.6929 524.4854 null]
 >> endobj
 2177 0 obj <<
-/Font << /F37 819 0 R /F53 1052 0 R /F21 730 0 R /F23 754 0 R /F39 917 0 R /F48 975 0 R /F41 959 0 R >>
+/D [2173 0 R /XYZ 56.6929 188.0905 null]
+>> endobj
+2172 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F53 1062 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2189 0 obj <<
-/Length 1782      
+2180 0 obj <<
+/Length 2516      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XKsÔ8¾Ï¯˜ÊeZ,ô´¥¥8’@€„Ù-ŠÇÁ{2^ücCØå¿oK-{<ÁÙ„¢æ`©Õê—Ô­¯‡M)üØT+B…‘ÓØH¢(SÓY9¡ÓX{2až'ì˜Â!×£³ÉýCO
1¦gó,M¨Ölz–¾öNONöÞî†\ÑàÙ
¥ÁñÞÉŸ{/vºkx°÷äà
L¹Œ#`b’ì~<{vÿP‰|a‰¥²fYɯOö“Ç/O-ëäଷwè£Âûyòþ#¦àÚ³	%Âh5]ÄfŸ–©QRˆŽRLÞL^õ«nëXŒ”ÐDi‰‹± )C"KÖ•³E¶Üe:ÈvCAul&qЮk¤Î견+$®“«©m”‹¬Ê–Ië%´¿ûpév$»-6³ 8ÐÎ_˜#8ªé{/L*ÈOíôFCµ·ZíTÇúvÕ쎪۬i‡óÛtsé7õšé6W’¦Ë¬i²þÆ<¼¬—~¤„pøýç=q&EÃhÜêER\ÔKH&Ègi|Q&³°LÕ¨3ö¡ÈÐRìD‡Çó¿¥xÙ|“ÅÕ9—/2ž?9øfŠ9+Šg//¾íü‚>ª?ãAtWܱí¼OôiôèùÚ¼[¿]Ÿˆ¿Þ=_½zøðV_«\aŸzB!(²¹rß•a‚ä¼þ’!-ûêŽèÞH½„·'fLÑœ­ŒòLë¼(PîùªòɉD¨ùHEK$íï¼³Ês
.¥% €exL(üLra
ÊÂD
-l/ð]v7Ð?ýŒ3¢bj¶OÂ_Oû"W=‚ÇX mYä'ûuZ8۲轰ä½*::Ü6ÈK¢hj‘ϸR®P4ëžl {!iöÀHå|r^m”ŒÔÅδX¿YoâØ+ábï,>±,ŽÀà߳أ2»–ûŪaðãkMÙ,ºjYZxÓá±m‘žWi>JÓ©qÇŽz|„Ffå*—ZxÜ:xz¼÷8<ÞW¾ÙeAŸ€ŽRyh–·~ëÆXœÏŠÊŽëªMòªÙ 1z=ü€‰@,r›ßdÐ
	ß«¶l5+jD@0ËýƒÖ«|^Õ$Ò	ƒË+b©1Ÿç#Ùª‰Ü?LVÈ„Ö#Á‡ÊIk¢e20 	w¿ªJB3$n¯q_« â]Vñ
-j$nªC $¶ó
Xñ‰²ö‰ê,ÅC]¾ÍÖ—oÌp¬…í¦|T
¶@¶¬1ø(ªŠÂ§Gñˆ³¶ÎÓåÍ––Ù¨ï\#rs³AwNxæ?<²ÒÃúΩ!LCзL¿E.ÝæÞƒL‚om6à”"‘ܪüÄJƒÊ1ÔÔ¾!ÆJ5MB°s¸â+L«»<íÃÉZWHè‚"ã 4Z1xeì‚­‚ö»†$o³Ê‹­‡âcÛ#€|ì_Óîù„Ùogd½j]ŸàPµ­ùP¡²4¬µ_c”ĦË_£®ßtJ$ïÓÁVŸ9†w<¶æ,뢋+\°Û3ö%t€ÕIb´êRÍëô¦c‹ [Œ¢ŽµïöÝeÇWF—ÐlAH|Ò®¡Ù‹Ùv)º5i6ôg²&"JëøöNM¢Yßçf3‘öÏ­Èf‹qÚŽoþ-ëòW‚]Kd‰G³µíàä_üû™­4#ØÐFþòßC›ÿÇdL„Ö|üŸhÕÖeÁ¤¸nzÿGÒ¶ÿ3Ç
;endstream
+xÚ¥YÝoÛ8Ï_á·s€5ËO‰zL›l/‹mškÜÃmTI¶…Ê’×’›ÍC)S²Xˆø1‡3¿™¡ÙŒÂ›iE¨Hä,N$Q”©Y¶½¢³5̽¿bŽfá‰!ÕÛåÕ›ßEšóÀ*hŽÎ`–‰ÔŸ~Ç™ˆ~ƒ%”›ž 4>ö8£2èi©Ž=ÐG8§D0ÇÁ\¯N·Eþ•*ªáŸÌóº]dM½ZõÉ\ݶE¶0¢aûó‚´?Š—pqÇ(–ˆˆP®ìŠ·Ÿß?]TÂrSÀÖ`Ëk6ºØÌ4ؼlq`Íô¼ÈužÖ]å&Û®qãHTÖøí€Õsƒí¶Ø¥û´s›|¥”WL·`xR(ØÞï€_6O±
+j‹¿E8Þ¬p¢n»Ü1dóC[Ök·+œd 7tŒÛ§%ÚDU~ߧûì¬@rÛ(»Ùþe×5ë}ºÛ”5»D/A’ßp ­sllSÇ'Û¤õºp¬jÇûÐP/ØÇvU¤mÑ×&á"m’k¼iã—×FÁ÷užùC	°x¥ñjÀ°Î\m˜@KeW[¾rc˘$¶Úbÿ³pZmwV̦ÂCWVe÷rÙÈž^êf×ÂåÐ#àÇRs"¸’SÞÎ@r3E§ÑšóB#da‘@²	4ì©Ž'@ƒ_ßñ*T  '‡uÛöY±Hó|_´-’÷$Ò‘'ÿæ9gœá–t¤”#5n^®«²*&ØFŠÄJÈ1ÛÙ‚{žã)c¢9Ç<Û‹<9œr„Ëæ\²1ÇÝG0èÄ`èÚ5ûn‚1$1eÄø¿}ëeb‹¡ÎN3M˜¶2†8Sþ+‹“Dk=¶=ÇEÈÒZâ@4ÎÁ‰”Ž;Ë|âèlU‰hxô¬Ùn
ÂLøÜ‚IM¤‰¡ïÝÞ=½ûtÿ¸¼ÿøÐ/:‡óIFˆÁ9QÀûh®*ReAÕ6z,tÝ~Sü8T–3£XΉe9¿ïÜÄ8´E^œO…æ2ëñŠ™–®#24©ÓÔm÷œº}vx ŸenÃŒ”þ•x{ÿpkQ¦D)¸¹A8Ä-=¿_M¯(Ñ’{áÏi\¡½Â1è	égóÇÑç²ÛàpÝø`ˆ–a«²vÑ´ÙÙà„Ã6 Á7µÒ®Û¢îLÜØw¸`·/ëÎѧøi7Æ91T` 
»j$–„
­ÂÄÃÎ8w‘û0bålGѲ'O¦e•~¯
+_½ü#êÒ…¥ÁYÈ´ƒ5p±WUg`LôF¾Ýê2ƒ¶±r
+7-+©ˆ#gÐfȇIÓnúVŠŸå»G¤Ï©‹¬+!µijк¤1¬¬s›Ê£jìòìTwVˆÜ™žr ho
+rž—ë²KMtN@¦r]§>É°&)Åü¾FJÔ6Pe‡=RÔ΀ô­7ånxì\Gò¢
Ky…†˜xiB¼•Û4x‚ $Iz´¶yñ%èóL9°²d <ƒGÎq#"u4R_Z­›=¨p¬#a½Í|ÿýáæÝâíÉÙäÏðmpæÐŽ&ÅO»Iû×ö‹ûö
šo‘zEmI¥…H3€6
o#M
7ÉÄ%¿f*©v*‰]Bf¾h»—ʲÒcØ1›ÒŠ(öê#l˜Š
uÛ9~¦§wFŽÑŒÿ«
×·;“—ùá„7U5بª[Z4?ãî}ºÙ‚IŸëÂåœÛCë(¿{x;÷ØòÝeÜ)~¦"¿Ž!¡(`{4ÕýãÈï9.B–XüÂFBerÜÙE~µnž]iÐ5#„áòÔ‡LtÂí—`Îœ%ñ‰ÞWŠ`Œp¯lYej°õ¡æ0çª2K€Šy^tÅ~‹¡†7Í3Žã¼eÔ¥Yç7ŽÌW"¨.¸‡vÃ4Çö3†j3Ý{)º²;ÆГ}tÀÊÔnNƒ›æP¹Éƒ1Í‹%ËG›1=¼w¸zƒ3E”†úÕ¢$¤òϧEIOeöí+Â$#:Qâl%JÈ`÷ˆCq÷ªˆ=Õ„ŒÃ4J‘ˆr>òs[LdÝœBö©Wê¥kp¡•/BRô˜®Ü®7Ö™8a!º8J„²˜û%,ÀNÇ«Œɨ‚”ÖrhGUWbo»´ÎŠ6L7ÜÜΘק6ÞsÓªBW0¾Ûuøú`Àmå`ª±;ôñûÇŸr”ãÀP䘺°$G]¸×‚)e1.’üu
©ÎÛhOem4›²Q
+9 ;SÓ4bàePq¼*_O5!àÀ@#ðY
+f4pÚ@MMÍŸ)»|£hcX'sÏG¶q‘ìøpeÛÆjX±cî%â¸úÁÀ+WÏ”&š'úäê]3’-ŽILuÔßN4#ÎÄV
+T”ÄQ¸""$?$H·ç¥­'šy™ŸK“îqcz_·9¶,:Â7¬kÌH–„,öÉ`°•ÇŽ)§i—«ãäD08P1ûU_O˜ôЕ7…¤n:¯Ø
+‡âï²íÎ:œNŠ×ý- :ïnžÈz[{zot_Œ0¨8^•«':lè='1ÇɧÁaF-{_ÃÇŒÄWp‰Ï¡…É0ÒÛ‰ÕhMoÐv…™inÓ.ÛnQzJ
+q¼+¶®ÒMÜ/[°üUeê™J†÷=|¡€/4¦#§É¹f$Š/ÔÉ6ÅâèÅ1UæåÈ25o;f£þ}Aã¯-v
+Þª´5'ôP$Ÿ?éà9ÈŒšç óàÀüëŒm[äi÷šÊùßIŒr¤ÂðÅà×*WþÈÑg7ƒGœð‚¤èÌ[Ôÿæy’^*j"}\¾Ð |¡¤‚Ò€9÷Û¦PÄ<ªN8íë‡ü»çñw]iòb}&ÝTpä…2çe’Eï!=•ýÿeŸ‹}endstream
 endobj
-2188 0 obj <<
+2179 0 obj <<
 /Type /Page
-/Contents 2189 0 R
-/Resources 2187 0 R
+/Contents 2180 0 R
+/Resources 2178 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2159 0 R
+/Parent 2171 0 R
 >> endobj
-2190 0 obj <<
-/D [2188 0 R /XYZ 85.0394 794.5015 null]
+2181 0 obj <<
+/D [2179 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2191 0 obj <<
-/D [2188 0 R /XYZ 85.0394 668.3939 null]
+2182 0 obj <<
+/D [2179 0 R /XYZ 85.0394 752.2803 null]
 >> endobj
-2187 0 obj <<
-/Font << /F37 819 0 R /F53 1052 0 R /F23 754 0 R /F21 730 0 R /F41 959 0 R /F48 975 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2194 0 obj <<
-/Length 2487      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[oÛÆ~÷¯Ð£DÛ½_pžÜØÍqÑØ9¶sp€$2E[D%R)»î¯?³W‘ÒÊrQ×ËÑììÌì7ß,ÉÃ?2ICÍHŽ&bT¬Îðè	Þ}:#Af…¦}©ŸïÏ~ú…©‘AFR9ºìéÒkMF÷óoãŸh*ðøöúâãôãÍõ/Ÿ.¯'Sb¸âãó/_.¯/®þ7™RA$1>¿þzþ›Ÿû21t|þéònòãþ׳ËûdVßt‚™µé³o?ðh;øõ#f´½ÀcèhuÆC‚3g–gwgÿI
-{oÝO³® Q&iÆ”ŒAF:p†0H2Êœ3®Ï?_ú]Ý]ÞN`ûÿ…‡ûÛºåêÓ×Ûs»Ûû«›k»[ÐÉzþÅ#E˜3í”Ý/ÊÉ”9®g+7ã¶Ü<—?»Ú¶=„·ESǘ>m7¢ÇåÜ¿íÿœE¹î¼ä¦ž~~S—EW5uÄê¹—‰¿óÊŠæ©®þ
-u‹°âïå«Ÿi×eQÙÅãªUm7h·ä}æ“ÅþÐ훓޾‰D†IÂVÆÚ†À¬ÇŒ‡Àé†($ízËò,HÍxÛVõ“]›Eó˜Ý\çÌo–­Ÿi»YW®Êºóz+Ìü:,b??jAJ%QHnnÌø®,÷ìh{fã¦Þ½Î¬þRŒGnÖüÃŧ¤(UÑÇÔý¢·E›x°E÷tƸ3xu}áGÆ?Î竪®Ún3뚟º-K÷º?û<«·³¥?F¹yÙͪe‹‚uƒ¡g1bͺ»'ãü·»›ÓÉo³à;XÃäƒÿ¥›ÚH<•õþ»ì¸hæ¥'~Þ­ÁLß·J!¡`ì}ûÏß”mû~t'U‹MÓtój“³èHé’”nO*Ý]ȹ•JíÔeAŠP`Jzxø..ï>Þ^}é‘’ª¢‡dˆbS* Ai‘L›‰“¾Ø	[€M œ!…
í‰ÌÒ`P±^ɦj|Õ…•ga5K©ì\8÷£YXz–l|.ëÊ—Y;½´Àö>‡_ZúdŸ/›ª›:\ "¦¹樣-ÔÈ#|€Á!pœõ=äHqªäÈkvœŽH€±´oã«Z»nê¹5!ãNðÆœf"Ì .UL{»ZF›Ašº‘\5¼õ$"Óz›³dM‰3š¾‡¬I
-l)ÁÉë׺s‘·õÒp3ŒÏù.²Ë×	г±¥챡ç<$
>i`b3Ñãm˜{©º…ŸMáºEhD4WÁªé,çŒPDÛu8Üst«»uŒ&¶k?1˸Jid0!ýLʇAظï±l¯Þ'’ÕÿÜTó`Ã"l».Ë0åùá3À„Pj`Gð?> öG¢I%â˜ìÛTÂÛhwB`p÷»RF÷S1h^vÍS	ßØ/ÏóÖˆ3P0Ô³…Ÿ‡­n à3`)àú79J_*v¦‡$%Iíòª¿¤„·†è·—ŒB™%'†
-ÊÞ`É€>Û®YÁñ)2á€#©—'›!Fi¯!êà€c÷‹ªõË×b5‘°eL‘L>rKæ${×¹
-ÇêšïÚ¥ÃüSÙùÌUÀ/0û9[´¬h&"·¯­=‰/ûB}ˆ–XqìÅV0E`Ыۉøâea)¬ùÎÈÍÅ—ÛjÙÙÆÊÿÙ©îŽg\à÷ Ó«{6€‡§8¥¤äDä)â$ß‘º{ÅÚô@î8SdvîkÂ6áXoºíÙJ@Ý}K¦À€~*å!Z1í×zˆVGt^f­0ÛŽÓÚ%+.YÝìãl»ìüE³ZyPêU].ý›4glBÆ>8f‘3áp=ã—Ëæ%_åÎÈ8	M—+;Á²mm—,ƒO š1ªÄ^æUù€zÌ9?9†8pê^ä·˦ˆ·‹¦
øŠ.Œê&ÜXl7®ÝâlÜ”±—)aËMíz·ÛºÎû
¨>´iÕoU¾’+ ¨LÅdrQi½x¼‹þ.BÉv
FîþqÀÄë~°@¡c' ?PZ»DX{îïÈÖÓ*Øîòz9+ÿ‚†[Ÿ­j¬#±åk¹8Gy ‰ç7@$FEýp,¨ö,<•m¼AØËŒòϪí<¹Üzél+°J%¿ž¢‘€bp–C
-Q{¿döRèêÑ®ë‰Ç«Æ{×O–ËÙCc[ÿça瓵»QçµÄŽiî_<¼æ·×Z‡~Ššã)ªULWUAÔÛüǶ
-WË6&’Æ”€}ü9[­— ý½>çÑ^Ôêx÷#«Ü>ÝM3<Ý=6Ò…ÆÆÁ(k8áü0WÃÇÞCÛÿÛª·/endstream
-endobj
-2193 0 obj <<
-/Type /Page
-/Contents 2194 0 R
-/Resources 2192 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2159 0 R
->> endobj
-2195 0 obj <<
-/D [2193 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2196 0 obj <<
-/D [2193 0 R /XYZ 56.6929 752.3759 null]
->> endobj
-2197 0 obj <<
-/D [2193 0 R /XYZ 56.6929 668.0781 null]
->> endobj
-2198 0 obj <<
-/D [2193 0 R /XYZ 56.6929 607.6906 null]
+2183 0 obj <<
+/D [2179 0 R /XYZ 85.0394 678.9572 null]
 >> endobj
 714 0 obj <<
-/D [2193 0 R /XYZ 56.6929 570.577 null]
+/D [2179 0 R /XYZ 85.0394 629.2071 null]
 >> endobj
-2199 0 obj <<
-/D [2193 0 R /XYZ 56.6929 534.8112 null]
+2184 0 obj <<
+/D [2179 0 R /XYZ 85.0394 596.6999 null]
 >> endobj
-2200 0 obj <<
-/D [2193 0 R /XYZ 56.6929 503.6098 null]
+2185 0 obj <<
+/D [2179 0 R /XYZ 85.0394 561.6414 null]
 >> endobj
-2201 0 obj <<
-/D [2193 0 R /XYZ 56.6929 440.3004 null]
+2186 0 obj <<
+/D [2179 0 R /XYZ 85.0394 497.3516 null]
 >> endobj
-2202 0 obj <<
-/D [2193 0 R /XYZ 56.6929 370.9227 null]
+2187 0 obj <<
+/D [2179 0 R /XYZ 85.0394 426.9933 null]
 >> endobj
-2203 0 obj <<
-/D [2193 0 R /XYZ 56.6929 274.6697 null]
+2188 0 obj <<
+/D [2179 0 R /XYZ 85.0394 245.5268 null]
+>> endobj
+2178 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2191 0 obj <<
+/Length 2201      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6ò]¿BoGµ€IôÍuœž;‰ãFJçfš>Ð%qJ‘>’²OÿþvñA‘dO§™ÌDàb±Øï˜M)ücS‘Hq5• ’29]í'tº…½_&ÌâÌÒ¼õórrõ!Œ§Š¨ˆGÓå¦G+!4IØt¹þ#ø™0Af.½ú Ã2dF9\€X_îßß›Ï÷æ€,c³PYÔ뇇Ûû÷wÿ™Í¹¤@~6—”Ÿ®ï¿^4°‡™âÁõ/·$6¹]v‚ô…e4D)þ;ùãO:]ƒÌ¿N(	U"§/ðA	SŠO÷!C"E:H1YL~ëövõQŸò„Lˆä"5†„SûUÌ@FH±`„+™t*æ̧b‡…™?YýÊ&c$Q q£´§ªnÇÚPœ•DÓþg|9$_}kª˜ˆXøZdåÚXdUí÷i¹nÌW[™ßå̓Y8îF.¸"aF#FWƒ#	Ê,N^6m–Ú[«õ‘»û÷f¥þeYXg›ôP´Ž»²­g,	ªÂviYfʼn¹wö8Xð̧¬áà?B©àoX·‡õŠu–¶îïã+#ˆ‡ˆ…¯_éeŽ5ÅIE®NlLHïGâC°£”ouÚæUi€)2âÍAp=SñeÅ„aL(&ßM1ŽàŠs‘X±äo+fhZ#ö£s‰²z±šx<âo”é>[ÐKÞîNJêÓ9C'
+­Èˆ’Ò¤Î`žAZl«Žíí§©2h²•¶JÖÚﶆtbÖ9r EPiŒuV𦲋Q––Á>kštko|N‹|í,
+ߦÆÀ
‡Õ*ËÖÐ%„\w-+©C%	‹8¿lj\j£(!±„ÔóOmÝQœ÷Ižj0á	c§›/{.dК4kÓ‡åPùBh”š§l•£¿gëwö4æ…¾dtP—땯ä†DD¡‹‰—¼(m$[£sáGQUáŠ	g,¨Í:5›¨\½XéS®ÑðWÇ*"7YýœÕ–ï6m³}VZêXÛ{¸t€û˜i¯B@ÜÈ	…0n"
+‡>«½K‰ GÏPÚ3ô·#‡°ÞÕµ1à'ãÊM·a\Uaœ¤´«lB!§¥š\ۅ̵6ð ÓnVG̞н›Os-J„ŒDŠ‚ûªÅ³T9ŽhbÉè<®I„B›æúBØiv©‘wmvO¡l^vùjgö,¦£,•%eúBD< VÚ|¬‡Â¯=oͼdi3sƒãÑàÎvxÍ®:¶+„
{›ªcITw—>[Ð6+³:µÜ®µ¬Íïd9‹B¢ib$„ÅâÆÀéÂHja>èS"¶6JóTdš€¬M€ž°mOØ‹jmÂæãѾœIhã${#~)tën4xç.ÏFÌÙ¶@Ê®×û¼Ì!g§­“äK¶±Ú,Wöا´<€ÒŒB	7%lhT§¼zÞQz¤)¡,æo‰5ê†,RÕÁšÐøßö€¡0ò#&,r·³ËŠ'³²…tuaYUb§	”gh³"#ÈÇ»OwK=lâË»Ï÷4àÒ\
+ñ¶8.§®«¬ùå1sÎlüÀŠZ[û"ÄÍ@ÝöiJ|þÒAóíüÇÏ*S8Þ;ÿ9´y‘·Çc,pÞ©Vaµ²îo_ºÀƒë¹2i~W‡ÚzP[
H'aø}I- µ“r«ç|­‰¸l;ƒôÄÕ°Ó€o“›a‘Ä@j©HLeôZ“'P/0è@‰g¡øMž!8ïSÔuÀö‚ŠÅÉéâך<î	ùИ&éôužýØkƒ§XeÀÑ©q‘=Ÿrbf,çâÙÆOãü°K¹Î5‹ÌZ©žÅ"ðDØâöÖ½þ¸øìÚ[DÛ|£’JøÙÉ7æ¸9÷’Þžnu½@/) ÔC6ÏUªïL0°PJ]xô¬$£,
+ qÐ)‹ŽÍ
 4èÎÐþd%$E$eu	FÔ/g_—ÿþüåm-Þ•mV—.Ý,Ž
t?Ö¨7Ѐ@îÉûÓ½89FÎv‚‘ˆ‰ÓÓŸ¶¤8‰ˆã^z׊öQœ;Ü9T.”äËýy£Šðdó‡XŠï=–ÕS‰nœMLOЉBb ‰ÞAH²Šë÷»WßRú$ÎÓ‡{Ké°.(üRø½¿]Ü|¹{ÀÊvAß¾àóé;†1‡:}ëYD2Û¼û”»®ELßçÕŠA›Boý÷ºN7›ðÄ딘VÝD1~"ÄÍaÕ›GêÿÎÈE{œ3h'-0µi•BzPb45ù>/ÒÚL©°3ZµW/ª‡h½}„¾üfÝV»0A!h"÷0vJe>Ã@å‹eÒe“¹e°pOc¯îó9ª¨tOraf6€>Öé*kFœB\§{{ý­_¬(Q›G—ÇTü>‡d]T%ð#BÜè±HO>ܼ(ææ"~ϳqš>ð£h*‹ÖQµç;æì-KGðÐt…$l¦ì||µÇÂqá.ñ`]ŸþS·Û+ 7¶‰CZ?™)åêûáÊ{àÇ=G®†mm÷Òîú½"/³KþÀ¦<}y…v©àÿiäôG#“0I.¼?óX89¦Pb&øù3Åî†{xÿ?{T†	endstream
+endobj
+2190 0 obj <<
+/Type /Page
+/Contents 2191 0 R
+/Resources 2189 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2171 0 R
 >> endobj
 2192 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F41 959 0 R /F39 917 0 R /F53 1052 0 R /F55 1060 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [2190 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2206 0 obj <<
-/Length 2259      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y[oã¶~ϯð£Ô\ÞE>f»éž»ÙœM(ÐöA±äXXYr%yƒô×wx“%™¶{p ¢©19œù曚,0ü‘…3Í©æH`"«í^¼À»WÄË,ƒÐr,õþéêÝ/,]h¤%•‹§õh-…°Rdñ”ÿžÜ<<ÜÞ¸ûízINÞ£ë¥À8ù|sÿíæ“›{¸Ö4¹ùxûx½$Z
-BD9‰“î—?¹ÿåãíýõŸO¿^Ý>
jU'˜þºúýO¼Èá¿^aÄ´‹Wø€Ñš.¶W\0$8ca¦ºz¼úï°àè­ýjÌ\($(—‹%§„Åí…pþeÊ1J•:Ø‹’˜½‚”±×r3?'sNãÅŽ¶B‘-ÙhK­§b¶åC[Ö}眑¹G·iÚÞ÷ÛmÖ¾¹ÍÚ=ûMá'v}ÙÔáËuîí5QÉË~[÷9×Ì”kD)MáF‘¶ÎWËUS¯_ŠÚK•—àʨFGxðVO1|EiyÁ5#©3®	RÖ5ßRBŒ$	AJæ•ú^¼ÕÙ¶˜«F˜Bišªóº
RåÆv  '4™j÷¸+VåÓÂZ\I£”XÕìÈùq$cLïFÙ&ë¾\eƳ‡!`ó%£*yÚ”~í¾ëÝèÙ/”¹Ç¬*s7Ì›mVÖ
¬ãKÆ"Ì› ööOWy±Îö•‡ ìf
ÏÇ.’	ÅÅ:FÍcØð)Šå%ØH™"ÊÄØŒ¥NÃf²°Ù]„ÍÎDÛ3#s¾³z¡ˆ^ÄP63Å&ˆaÚ£ÁV
ļ	f¦E²Údu]TîÕÔŽ^7…ò"×#†ã¯çÏ0Ž4KƒTUv}Q{UÖMTÍWždŒ:k»k³lKð:æ|„‰È®`2>l
-ˆN¹²¸³¨ä˜"L	ŸÂrŽFû÷>V§Ò馑Ô0)¦6&¤bC$€ãšíº¬ŽYHÀBZ©óÚ
Rõ&˜K&Sý¦˜Üð"éš½õÛªpÓ†€ÌÓiëdò¬Ïܬó> -QýâDBͲÀRM[þmI
-œ()Kîüš^H@r
-_v¾ÕH0>cœî
P
-PI©,wJ’ÔMï¦vm?ʼpY„ŠQP1hï€wyñã?W$‰¨ÄÁYæœfÕâ¯}	”	¼ëö‡%ÊUñ“ùàmõ`"c‹š—–Òáév®‹®s§&Jšl!¦Ç”ùܸtí麬wûEN©LuDÉf gäŒB"ÆÓ`îdb:ÎG>{å´Ùª/Œu0¬5¼dëžfÁÊÏGôb,Jl2Œo’ª¦
‡w5©š1"T%ðÄ.{Áç}Wän¦¬Yî¦mCÙcýc=aò!§>kÁ{{Ô¬r2àÏ}±#å
-Á{q(Œbü(€©ˆT^°¬s“”DûMÖ»]g>„wÖ‡îüŠq™*6Cý¦ÙW¾X{ö)לý$¡	D}žÐÆR§	m²„ÖŲ#†,5X(ËóÖÃyZT¥ˆ~^µ QmZRí›|<ÑmZRÑàJ’»7aT³I°óç²"|‡9I/eE†ˆRržÍê–ÍþC‚6³C‚¶ÆùÒ~çt¾„ªQÍþ·|騔JDLô¯Š·iËP5Íî9[}÷­ÂÄ‚0AhŠOˆœÆ"a¨“Ïcq$u‹AÊb±&W¨ž‚ÏV›¶iú¼lÀU¦–Ð;žUnŠh7Í­iö¨÷Í‘“ÖÉkÙoܨßÄ&ÄL…øYf¯‚ãh*ƒë]ç—lÜÓ’ÙúÍ}0|©_Jç¬Uß´þÍYÄC€	'—¯S»×²ªÜÒíµJö^+°¼ÅqÓ–‚>\&7þU–/}KAD±)]&l_š³9Vf»·qÂdN³ЦJé(4P¼½0$͆põÊò.¥°äµ-ûk ë¢vŸ±*¨K~x	—„Œ"6VL¢Ÿ™^vƒ£}–”þ	[Âú³]×ÍÞÒƒ™z;dB€²ší–cG\)R”Jz‘»0Òš]ìµ87“ºÐk¥NGð e¡¾¿ØkAškOõZgõz­c½¢½ÖD1»Ö]6v%?»¥© gc¬L‰žÇî%žtE·4¯µ-§Ìp=ÛZÌ2
-õ"Öÿù}/8d°ƒ/Ûm¤2ÀTæÇMxèË÷N¯«à5Ä –dUN9äçÜ€0%>ÖSˆ7uõ6ËA‡êÑTz³—‡Hßfþjl“ùDU†«­`ZáRñ‹/£ìq=ÖPŠA»‹%$M¦žÔo»ùüðéö1rz_úž'sOÚx•ªªyØ”CÞdš\HèÔ$¡Ê}s\º‘G*Œj/5ÇÞ©°…†±â˾µ=ØOnÖS¶ƒ•mº”&“QÃ>
-¶?ºñ[JŒã€Çá[jb	†%4h¥išÌ0s.Ûîª(¥ÄØ×fçxÿ¢ø×v{'‚MÇÑúªe×@Yî:ÌyòÃö†+ðŽiRÚ¦êb¬	¨MiÈÅf“Èj0$rÔ4ÄxA#)Ò°N×CúX£sï-öìãœiBÃ|*ëD)1¥Ý¬¶Òì.ÀàMļÐ^sÌÇ	â¤}µ¡¸à‰‹È!WªõèDÂ
‡8óµüí­ÛçæÓã—ËÁfVÿ¬à	ȘbôÂv$mW¤Mû¢DÀÔû»ûþÉ+•o¡ízˆ¥ÆSÉ×bí«zåC󳿈ã¥i)å$ïу´ÁÀlb—›oOÿùòõ²AîjhÇëÂS⣽5ñü÷3ôMÛ—ûCA8b\?p†qŘùmç<
-‘žçu7v õ˜€úÁ×m÷þ"ýX/¨20IÝ…ÓdÇ픦¾ÉÃ/þ
-JM ý¦©Ný°ʘ_ƒ"µûÿètøq
z¦WsC^$(eŽN¸˜«.Àµ1ÓˆîÿV—Íéendstream
-endobj
-2205 0 obj <<
-/Type /Page
-/Contents 2206 0 R
-/Resources 2204 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2213 0 R
+2193 0 obj <<
+/D [2190 0 R /XYZ 56.6929 546.7712 null]
 >> endobj
-2207 0 obj <<
-/D [2205 0 R /XYZ 85.0394 794.5015 null]
+2194 0 obj <<
+/D [2190 0 R /XYZ 56.6929 448.103 null]
 >> endobj
-2208 0 obj <<
-/D [2205 0 R /XYZ 85.0394 390.6346 null]
->> endobj
-2209 0 obj <<
-/D [2205 0 R /XYZ 85.0394 257.7108 null]
->> endobj
-2210 0 obj <<
-/D [2205 0 R /XYZ 85.0394 193.2733 null]
+2195 0 obj <<
+/D [2190 0 R /XYZ 56.6929 386.1077 null]
 >> endobj
 718 0 obj <<
-/D [2205 0 R /XYZ 85.0394 153.3455 null]
+/D [2190 0 R /XYZ 56.6929 347.8768 null]
 >> endobj
-2211 0 obj <<
-/D [2205 0 R /XYZ 85.0394 116.3439 null]
+2196 0 obj <<
+/D [2190 0 R /XYZ 56.6929 315.2212 null]
 >> endobj
-2212 0 obj <<
-/D [2205 0 R /XYZ 85.0394 83.9066 null]
+2197 0 obj <<
+/D [2190 0 R /XYZ 56.6929 279.9283 null]
 >> endobj
-2204 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R /F55 1060 0 R /F41 959 0 R /F48 975 0 R /F39 917 0 R >>
+2198 0 obj <<
+/D [2190 0 R /XYZ 56.6929 215.0111 null]
+>> endobj
+2199 0 obj <<
+/D [2190 0 R /XYZ 56.6929 155.9807 null]
+>> endobj
+2189 0 obj <<
+/Font << /F37 827 0 R /F53 1062 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2216 0 obj <<
-/Length 3132      
+2202 0 obj <<
+/Length 2681      
 /Filter /FlateDecode
 >>
 stream
-xÚ½ZÝoÛF÷_¡G¨6ûMòî)mœÀE뤵8 É-Ò¯©ˆT\÷¯ïÌÎ.ER+Ù‡Ìår¸;;¿ù ÄŒÃŸ˜Ël&³Y’if¸0³åæ‚ÏáÙ‡áih1¤úñîâÍ{•Ì2–YigwƒµRÆÓTÌîŠÏó™°ì–àówïnn?}¼yÿáêær!2cäüí§OW7ï®ÿ}¹†1Pr>ÿõíÍ¿ÞþBsŸ.3 ûpu{ùõîç‹«»ž­!ë‚+äéÛÅç¯|VÀ	~¾àLe©™=Á
g"Ëäls¡bF+fÖ·¿õžºW£¢œIeeDRÌ„`xª‘0LƬ’Ê	ãö¹n¶mÕN¢KR«f‰ÒŒmc[´4ÀÜ	¾X"„¶K8¶´ˆ©(P!WEQ·‹eS?<–õå‚ü?/rdñÍ{Øïð²à‚Y‘f°#¾–¯›]Õ­6D:ÞG±L'ÖS~
«®úÑ‘õ­a‰QÚ¿ôGù\ç›2²¸,ÕJLßE–T†¥ÖOºËë¢Ùb9¬ÿŸÈ²)Ktx¾ø	fÍS°04"2ò”¿šºì·ýF¸ñWZwl`©YÆ-¨\R
7n‘wW·?ý~ýéîúãMÿÒoÐaQÄÿ†ì,»}n!2°X.ÆC¦Ý›]þu\°ø]ƒ¾x©æÙD~Hê‹ãD¾§rùeÈÚÍ1¡¶è!o”´™(ò”'ç¹ë©"ì©IŽÙ»í!ªI¼Á+šoèJn§‚#߸»½þ€£ä€¶`gÜÎßb¹ø=¯Àbמv¹jªeØ3'µ¢Ur=_mòåbS4F-èÖûŒ`‘“hW¹ðY‰#…{ëÃc'3*Õ!w)ÆOŒÈ·àó»•7³¢|È÷ëÎç>íÑÚì¤YIÉ’X>oVª3f¨œY­¦[‚¿ð,yaË@Ùrh*‰lJ'[~ÚUuçÏž{÷[5;/•van÷L7.3‡kØl”Ú‰ÄIï{Líü3JD§P®3HPdòJä•Ê¿ŽÇT£ ‰Ô곪RVMOåTóGÌã¡>ÎŒ:®£Gþ¸E´:Ï[OanäïÂ0-@j#îF¯„ö™$\ˆU„lUP…5¢¡€ŒDù&ë®ZúpVðno¸"÷ÁùÞ}ð†:-“Š\Aµ#2=Š­>žFi(è³Å™Öï
-dfOÁÊKùÖ*ÚfØë;m,K…Â>ésܺÙE–TJdɨ¯pvr
-â­ÞZj“ÂŒïÁ3tØWÚ¹.ÛÖ7ÏRË’£@II­EǸo š©êí¾c±.:~™‘bdfÀç‰þ¤îKñvTr¼2´ÉpDÀg	9-T~–]é<ÏxixÊ]qÁµŸí^=ŒÚùAøph•A&6i8CC!º*Çrß}?†»¹Ìš&ÙÕ¡¤Cß<ÊRf±‡?)¢¨í†`v_|+‹Ó€&¨—m@uÐÕ0ûšÖËRõŠ¥Î¤/
-Ò—³|¢_C1#~	+Æ|Ý‚5¡})m櫦íhä~¥<æÎ4ÁµÅF©~e1Õ!o£àƒ‹ƒ¢žÚÀÅ
ÐhݳÒa—
¯¡å…cßjwc‚SmÂwxÊÄ/†]òãïxZ2yðÿÃǸÑ1 xd!í[ÂmÚß0À^$¾ŠWšÁ»îy[â7!Hþîå ×µ>Wã}gûÖ>Ò…—*‘c¾%vƹ1/0å„àzð*I}ƒ”‡Ì0ɘéØŸzˆÆsaÿ“Î'­êÏGÏ—yíc‹ò #ã9¨·sá¹:,éQ§š¹÷÷¤ï‚&7ù3ÍÕBÁCécË Ý6\ÖwX‰Aûq·
-­P¹¸œ5œ`Ó̪‹–^¦q«_¨š´î¿ÓÞ'IÀ@gÙ—!Õi`ꩆ¬iä…ý˜¤2=ÏW Šð5&‹Ÿ>Ę/·)HX²_:Wâ	þk^…E|ÁŠá†ŒpF8çl&ÚÒÑ·AÙƒ>`„óþ+…i€|v ×T&9þÂÇ!“dŒ@R»—ä¡îóðþÞ;©<8)º¡Ä^(Ô³þÕp’Ö¯ÓÐdî>¯Â¬ÓWw’¼Õ“¢/„éÖño#ìz§{zšü÷xS[ñÿwÙö¿qÙ£_Lˆ,ƒt4MÇÝúÛ«+báí/·#ëO~4>F|á†ø«Æ'fú'Sšt[¨lx„üC…¤õÇë›wôfæ+6a¶ÝkDšú½DŒÅN66Lýš×û<ö±	Ò8Hú¬=Ù¥ŵaøë§hð^Œÿó¬?&Ó	SP»ÅáG&€Œ=SÈ8˜Ü1ûŸcóþ7è=°:endstream
+xÚ­YÝsÛ¸÷_¡¹>=pø&˜<9‰suæòÑÆ7s3×{ %ÊbC‘:‘²ëtîï. (šŠsÓŽ.ÀÅb?‰‡Ÿ˜9øÊô,Í43\˜ÙbsÆg·0÷ã™kæqÑ|¸êåõÙoT:ËXf¥]¯¼ãΉÙõò×äâãÇË÷¯¯~9ŸKÓ—ì|n8OÞ]¼ÿùâ'¢}<Ïdrñãå'x•:µ°HhvþÛõÛÞ5௲Œ¥Ú XÈùï_¿b¯>¼ƒKÏ.¯{y‡g\¡°¿ŸýúŸ-áhoÏ8S™3³{xáLd™œmδQÌh¥"¥:ûtö÷žá`Ö:¥#£3N¦J’jJI&cVÁåçºü7)£íªâùù\	žü…H]CÏ¢^Ò Yѳ*ë‚Ô¤Å`>›Ç2aˆ÷®^.Ø¢©W´ôHc™LUÐgÙ[í’Í~±ÆQ–´åf[;"w뼞Ø-3L¹žGoŠåÉÝÀ|©qa)x‚âYr½.h³r.«‚öÚ·EKÔn½;.)ÂDÛå]±)ê®}NŸƒL~]³íʦnG«žÑdŽÂÌæR¦•cÁ 3Fz9ÚbwçÏèµ>¤×Hñ4Ívy‰çÄ7TÙ]fªµZÕNœÁjÆ5÷²Xåûª›
<ÅYŒ7–Ó´[$X5UÕÜKz»y g·ËÐH÷J¦5é¾½+)’|¹$3·-ÐÅý=<?DâÅM5º‘
+[†ÏÖMÛÑ辬*Ý„/Aöe˜[uàÛà“ñ'oÀqäz[ÞÅò@Êã»ûv,ˆVRä8$ÇÆœP·äL÷‘„gÓæ„!eÊ\*ÝÈŽèž¹ÚŒqiì؈҅óeC#ÕQfÁˆ@ˆÊÉ‚UYÅQ8 ý~]bÊò,— ‘tÌ7Ÿ:O&˜Hmrú R0Éu6Œ99—–[FfQËTy(>çÖÚä
+·íýxsH‚òÕaïr9±»‚`23È•ÊfÉÖÛ¿¹+Á+—þ¤@ljz’a[ooOZ4›Ï*HÆü

+JJhÙ´„R¤,å&}J=–k5¶3ð$aØy·)k"åôºÉ»Å:(lÄœîØeËúv*¡@¡—½EN¥•Î¸G
Ž®…-yùœˆ~L/ä\ŽÇHv!’]ÉŽJ#Rò=èüm¬‰Bº‡%1 !]|ö	Fo¤zXI(hÁ¤Ìºt\*¶²)Ǧé‰Ð´˺…æ¶ÙušI5VÄG±ÉmH°æ(ÁÚ`ML°6ñ|ý¨lhE¢.‘ÞÐ'Þ)ñ>5ḛ¦¬B˜Ã(¨Ì'X¯¡,Ó܇—)~"¦$­b‚:qz	0è¨"ÏX^úð¢Ø‚™¸¢/1!¶€tˆ-~ˆ-)“žvBRRôi÷›D=Ê
*á>îSsšñÁ5?X1€ñ!sÉ'#É´œŠ$Õ!’R>ˆ$ÌQä#iJ0ò¡ÏJi%x’ó€3ùÜ	„üYš“Ã&_·MÛ–7Uø(¸Îó© À*‘õdº.CíÎTÕžMͲy"¥pt!¿6€9”“¸†Â£˜ŠBèg¡I—¨)Ó¨&qÂw'¡§·N›=Âmiå8’u­A’oXá™ÓƒÚ({düó怃
+-!6Š†‡F¨”ÏpTï77Þ/‘áÍvÄ%®!
”¾@úuMØàjÕÛ ,'›^¡·<ûM[°I6®ðR*Ãg»ßn«ÒgBÝqÁqæð$Jà8º	‹B¾B~uÛyxñ ÞïCÆhß}«ä2÷f;ÞL}ƒÐ|l”/%¨2ÿ\Ј(ë7T
(áyEÔ»ßFx¬ÖN)Óø—Ý>YBœTØ«´ÙM±D,Üû÷7Õ®˜3}ЇÆñ îGd&C6¡ Q)”g9BÎÞR&–Úá…ŽwÙU¸R K¡Ru^?„ê‚Ÿ«.ùˆá¢Žœ¨ìz)-¿ÞkHÆyæßQhŽ®yëo(p|_vk„ùÜ»	R¨1\=ø*abÉA*%¡)A?…"Ñ™æ©s”ˆÑ‘>»ã »ob›ÈR«G¯M+Á–SÑ-óê¶ÙÁi6SAÉY¨þíÐúb}Q!)%“¢^ì"Î…‰SÿºŠÎ|ty R€L®ïŸN]@J?,òhNy8óqNûyFÝU4ÙÔ4’ÉßÞ]¼š¿{mÂ=Yf})yœ©z[ÙŲ¿À£™´_qèYŠ=Rszm‹ÉѹO‰0î±Âð¢'bfy[Ì­&*h³Y ‘RÈ×öÊý¾=Nìdù¡-âå^p+¼|½ŽñxØÒ_üdã²÷²‹ªéƒ»ì–ÍÞCÿ¾‡.«=ƒ¤ŽÐ2^Rï¸}gCOšÜçmh¢Üu±£ÆwØõr#5Êã•¿u;\Ó¹Müõ¡Pf^^½M‹3"„Žìv—o&\5\ĸ«_ÑŒr#^ƒøÓ‡Šu“®y%S°mH¦š´€Ïƒ¼í‰¸ƒÚlhíûŒ^	m¦}s™c’÷]áfã}­˜Š}ɤãDÔöÉ«6Hø¹nîë ^;µ'wL+Ymʯlª˜Pý¦Ï‚Š`Üà?ð%ÕÙ€ú–)‡²¡êRºëÆå½ÛÛ ‡ùqC3ñPþNi»ïØÄÁ¤5ÌôûëºÔ0Ž=eCP/Å:Ú»]—["QaÁ¹(ÎfAò}ïœã™”£›¬¶ù]^Vy£1
lò:^ò? Ú´!|*ŠQ¡¾üåâÝÇŸ.Ãb,·‘‡0OÍñ÷×ñ¯›v´¸,vP_/²¿=ÆV-K)eÄ}'*tû#ßÙeÙÑ?
sËyò¯™È{º»HQHX_5‹¼Â6íÅ6^> endobj
-2217 0 obj <<
-/D [2215 0 R /XYZ 56.6929 794.5015 null]
+2203 0 obj <<
+/D [2201 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2218 0 obj <<
-/D [2215 0 R /XYZ 56.6929 749.2278 null]
+2204 0 obj <<
+/D [2201 0 R /XYZ 85.0394 368.0049 null]
 >> endobj
-2219 0 obj <<
-/D [2215 0 R /XYZ 56.6929 677.9694 null]
+2200 0 obj <<
+/Font << /F37 827 0 R /F53 1062 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-2220 0 obj <<
-/D [2215 0 R /XYZ 56.6929 495.229 null]
+2207 0 obj <<
+/Length 1896      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKsÛ6¾ëWh|)5"Ä‹ ÛéA±Äm¬$¶Òé4É&a‹ŠTEªŠûøï]`AŠ’èÚ™Ž‹Åbß.HÇüèX†$ŒYzþ’«qLâ…ãùmOVD‚(¢ãyöÑ{A¨$xW³³Sÿôíìå«óÙħ±P›¾{w>;»øuâ33pw9}˜¾AÚ»I̼é«óëÉçùO£óy§V_up£Óƒq7øiGr¼…I@h³ñr$$'RpÞRŠÑõè}'°·j·š‚„ñ
ØBО-bF¤ŒÄX	EB¥Ð_ôýÄá~®›nò—¹Ø˜RK	rÛÙwÕ:oKä\,“Ô_fò»#hyQx­ÓµnÀf8O®øë‹è]øâçmüÛö×íŒÿòÛÏ›÷?þx‚{ýÁãþ±‹Ï_2Þ»‰Ï%‰B)a¬1-ëEiOòš…†½ä¦úC#MM–«B?sÂöÌE©Ýu™¥'2F"KÇ´Í‹åÞÜãQ™¾M6^ÕÛÔNÔ(µ^ÿ¡×N+ÇUTiR,ªºAò§<Ç	àGaB‘+)³YÖI†Û¹’¥ï¬È(‘*ˆ÷Íw7û(¥Ä3wœVË%¯a?c^S¹{
+£{Ú½»,¹Û/ÚßV[3£Š@oÏ|f¦ÊÛ.òt+Ë
Š¦Pµ;üÆ	Éô§ `¥½órwÈ`¡j¹ß™Û(å¥Ui$ÜmÖI“Wf»Š€t°w©ÓÆP!q‡Ô³ÑÉ÷ó
XWÕºÁÉ%o5E§ð6߀æÀ€vðŽHJÂMíسêÜÔ®
+§K
)â\‘àß"ªZâøП6oŽMDX6XÏF>Üüö®3hßV!Ô2¸„cþ9DÔÇwÄ„F`t§zô¹á3…LU€’•É·F»cö<+I(öŸé¢¥L•Ôq"’¦	0v!¾Át1ÇYÏðÈ™’uYÜ#¡5v†Œ=h4b0dÌ‚AAó¿…$oà¢(¶ê‹‡ÀM™%Ö9Y[>9aàóýŒ¬6ÍjcQ‹"æBéÌò€A(t*n3ÄaÔa¤D°.úȉ	—ªå1˜³®ŠzÈ®
+ ·cì ´Æh»­ÖÂCA jSÍ€uöÛBFX¶¬h­6رêÀhµÎI\ÒpÊ¡9ú¶¤Ùè·dMHd)§žq
¯¸‡ˆIDYô_CãÓúíé­ÓE…}ÚÉ—²Ú–8^‰¹òקÆÌvàvm'8ùÿ”£]oˆy'öÌÙôòï}}~5ªüüÙ¹é³/^}¸škÎ/ÞÎHbhÕ9Ãânë,§¡+ÊœÊ=
»3ºq«»Òo=áªMøOÒT¯äÄâa¨¤¡S¨[™!O»…¥Õ]™ÿéÂLÁ†R¯tš›ÃÛSór¨Fº6æ0eBó0~
+'UGXÄYÜVNy«Çì3ê›´”^§b¦y9¨d¦Œž’d2†Ò'[ÍiD{×ZèQ÷,ÌmÙk—‡pˆÅ…z@|H¢Löû^3Ök<°lšGÝÅìG1þM³e^æu‰m²Á®ô­F¿—©Ûv™”›¤Øv3:ª[˜Sƒ[µ®Ï]fLß\¿}<øM˜gAdžÏ\uîÕÀõ6IíSéö÷m«L-c-(þ?K_†‘ÁÜ°‡«ø\Àû
Úè}à˜~˜¿~{õ¸Y.»Öe®×÷5¸ÚUŒS0èœòÍrw®€&(켡hØ}€7G…aå
+ú>…¬3ƒ>ƒŠÁT©ãîÄjó	Þ<;¯á¶]Á牉ͪ*ž€®×÷eµªóúð˃Ñ#
+¹éq¹bCß	 (ÇLšZ;üÁ¼‚!vŽ¿ tŸ7çøÖ¦T|ô“Ïíèo$÷"T•Au`Ú€ê1
+jÚõè:™é€Ìö{@'ò6/¾Aä¢}m´’]ÇÂË.ž"|õ¨¾¶Ù?–Ç8}Àå­äÁ›”ÉÄÁÇlå°âvt(¾~TÝ$ËÖº®ŸnæQ‘éb]UM–õ{ðþ¢²—NèæQ¡ð²’ÇÔNÜ_ð@”y:
¤JÐeçÿþº·ûŠip)Švi·ßr+I`sØ*e§B©Þ~<Öý_ŠRdlendstream
+endobj
+2206 0 obj <<
+/Type /Page
+/Contents 2207 0 R
+/Resources 2205 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2171 0 R
 >> endobj
-2221 0 obj <<
-/D [2215 0 R /XYZ 56.6929 83.499 null]
+2208 0 obj <<
+/D [2206 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2209 0 obj <<
+/D [2206 0 R /XYZ 56.6929 449.4646 null]
+>> endobj
+2210 0 obj <<
+/D [2206 0 R /XYZ 56.6929 355.3738 null]
+>> endobj
+2211 0 obj <<
+/D [2206 0 R /XYZ 56.6929 285.1933 null]
+>> endobj
+722 0 obj <<
+/D [2206 0 R /XYZ 56.6929 241.275 null]
+>> endobj
+2212 0 obj <<
+/D [2206 0 R /XYZ 56.6929 202.5209 null]
+>> endobj
+2213 0 obj <<
+/D [2206 0 R /XYZ 56.6929 168.3311 null]
 >> endobj
 2214 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F41 959 0 R /F53 1052 0 R /F14 757 0 R /F23 754 0 R /F55 1060 0 R /F39 917 0 R >>
+/D [2206 0 R /XYZ 56.6929 95.2288 null]
+>> endobj
+2205 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2217 0 obj <<
+/Length 3179      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKã6¾÷¯ðÑ
Ä>%{šd&A›™ÙLX ›ƒÚ’»…Ø’cÉÝéüúTñeI¦ì>ˆ¦Jd©ê«'Å~l¡¡ÂÈEn$Q”©ÅzwCpï‡æiVh5¤úöþæÝ÷"_b2ž-î7ƒµ4¡Z³Å}ùëòý—/?}¸ûïíŠ+ºü–Ü®¥ËŸÞúåý¿ÝÜ—[×ïøøõvÅŒÌ%1…t]þüéÃw«ï>úþ‡Ÿn»ÿñæã}dkÈ:£yúãæ×ß袄7øñ†a´Z¼ÀJ˜1|±»‘J%…3Û›¯7ÿ‰îÚGS¢PB¥yžgƈQŠ„¡ÉV>~ýîç»/÷wŸíÛØgNò£‹7„K–YâCS®Wë¶Ùc‘ê„«á–F!4¿¼e Jl9DLÁŒoùÁú?ð=ǾÝù¬ê“Ô9øÃËþ˜à|à…†±ý7¸±û§ºsÛ­[Á$sþ:IàQ*ˆ“]d9Už0éŽJFl¿«úuºy6À®¢Ö^€É—'àû¹:$V†@¬…
+Rè^;´‹²>$Ö_‰L
Ê;²Œ` ¦e·¯Ö5Êí'—'ˆÕvôíݧ~.Ü|8ÖÛ˜eîo¬Ú”gY{/x¿&úW{mÁžkž+BàìŠê9‘,z¾™ÀïJµF€”=sbNâkýk‚]úãž`(à¢>P–<ËÎÝdYoµ»«ÙÈf²ÈdtWT.Ë
+ÿ5­TY´ÚÙMqÜöîϺÝíœW‚5¬¦Úº;qŒì–-A}`g!g‚idÆn·íK:ÊHWµ4êª&5A]6îxÎŽ
nYy™@8ø"o'|Î\Ò¸ù`Ìe½Ž2_"ÁÀ²fGN—±àhê–Ã
+˜—¶}+n쎮Ébê]¸Ës±µÝ3–í®¨›$é‚]”¿¸šúâDÑ
+åš–Ã2auÉ¢³«°¡1úJ_j@t4žÈbf3{4µ)`0»†—»ÄT 9gJLz‘PܹÇkß—·ƒXˆ3(ÄñŽeÓŽ^°Ê´ù}¢)$o<×*^IŒˆÒª˜ªñ¬Ø|Û±›¯½{Av6®†Û¥*.A	£±Ð~ã±H.uèˆ@,¤í8“c@&sÐÝ,Œ8f,W—q4¤šR¤²H:$dH¦E´P\»Kf
+Â*ÿ"w‘*ÁÞR
+¢ˆ¦lÌßS
+;ãpQË®=Z½­+7mó@¸:nMYô…›uÚ‡¯þlq‹$¡¸,ø§öPÿz£¶þÄ{žHAX
+;Ý¢„œøšîP·sE^ÙZ¯™1(¼{7µwh{®ËÊM$;ýLÞ•Õó;ÿ^‰ð¤Yì­ÚªVÅ‚œ¥k¼Ãþ°D½®lí¿C JoZgW·sSu{k¦3ŒjR£vѧ?´.P{G]7ûcOo©ñØõÔÈ´ÛŸéJLÈ<¶pgCÒy$òq\Ρ€ËÖÜÊKÃSÜõtb}DÁÅ·@²åIøN
¸Ù‰9[ ¡m~™Q·à¿oÁLÝ.ŠÒM;Ù†„ÇêÇj‚¸"Ãū̧©¶K4 ÏcªÏÊ¥†Êr˜Â£Êt^²,v(šÒ6 =DO-’‰ážÕ¡ïÔ
u´ÔûVú±lñÝgÓ;W2Ý!Õ¼C‹TÖ¡uW‹œ¢,Ω"ç"k±È9g-YäŒx'S<蟳åÝ7¬¹ÓeOq)*2ˆwª¨ë}`¦u6Š¸ºëBÁþ§N9§ƒN9§ãxiŸ™—nÄ?‹—þ3#lz¾?›¶MÙíþ¡Xÿî‹„‘m©ÀaóX±³+XP]Àb ²Xì“Á’§ ³õÓ¡m{5#ä—&ƒÒò"s‘*ÁÝ8¶rb$ÈwÄž¯¹	5·1s57d{B«+:žgrZsÿ=\O5·q=]£í¯öàï\D¼ÂÓeÉ®#Þäñ“‰—z»uKÇï`’·8nmãm%ÁÍ¿÷·ŠÒv"˜+žT•5¾›óÊìcÿ:˜bæk
nSço;,•"š«g–u!EØÏbnÁ]Û^4üwÂÚ†h60bmýDÌp³‹DÎí÷YnPoaýÉ®›öhÝN½ž"!ÃCë‘ÑF³
+8ÕøÍñóªï¢ÄqµÊ«VW²ãѼý"‹óãÕ*bÜa®ÊºÄT¬²Î˜JVYC®¼ÕZEY«Íä|§,Ï»Ò)3œ™©ÕF…/d<¬í }il"…ÃÍdÿq+8dŠÔ¼
óúé)/ìk05TÝm/š+¢h¬Åƒ×·¨ •Ïf`ñbÛ…·œìûóXLî©›~Ûl_'ÑgøM==c=ÙÀ°ƒUùvØS8¨C;+ˆ6Ñ%¨ØC"øq[\4~NóyúTÚ^-OãTPI„°­#ËŠŠI5e=~DyÎûßÕ—lendstream
+endobj
+2216 0 obj <<
+/Type /Page
+/Contents 2217 0 R
+/Resources 2215 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2221 0 R
+>> endobj
+2218 0 obj <<
+/D [2216 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2219 0 obj <<
+/D [2216 0 R /XYZ 85.0394 751.0357 null]
+>> endobj
+2220 0 obj <<
+/D [2216 0 R /XYZ 85.0394 641.026 null]
+>> endobj
+2215 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 2224 0 obj <<
-/Length 315       
+/Length 2062      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥’AOÂ0Çïý=n‡=ßëk·ö8` D¸‘˜N‚ÆÄA„ã·wc2¦âÉôÔ¾›ßÿ—’Äj‘´–‘Ó`Œ|(ʧj6ô•	N¡ ›êåâjÈ‘tàBÊü±ó–´–d¾^zñl–¤ƒñ½(ƒ^üÀ z·qºˆoš³™ï”’ÌÈ£ª…u.Do0H³ ?M‡£$õWùD$y‹ÕE'äšéU,W(×Uƒ‰@`g|¯6䜒…ІÁhæÓÉ‹Èļ}°3=^½¤Â°cUtÁ…"Iuƒo2Œƒ72ùõô®.RŹ£e 48Mú˜oËÍ~»)AÙǡ܇fÓßm»}ùüVüåƒ
Ô%.ÐcøoWç?¡#`kÕYC·£fG'¨ºéè'zkõ7û'²Ulendstream
+xÚ¥X[oÛ¸~ϯð£Ô<¼‰¢Î[Ú¤Ý,Ú$§ñ´}P,9Ö®,¥–¼Ùì¯ß©HsÄ$5œÎå›!Ōߘ%†™Lf³4Ó,á"™­¶G|vß>	O³D‹1ÕûåÑ>ªt–±ÌH3[®G¼,ãÖŠÙ²ø6Ï„aÇÀ‚ÏOO/®./>~:»8^ˆ,Iäüäêêìâôü÷ã…L8%çó/'¿|¦µ«ãÈ>]ÿXþzt¶Ô«.¸B~}ûÁgœà×#ÎTf“Ù=L8Y&gÛ#(–h¥ÂJ}t}ô¿áè«Û5…àL*##¶b&ÃSMŒ‘dÌ(©œ1Î~?ùrõ™ŽÔÈx|§†2u”K «ßµu‘§2–¤°B„($Â
†Â$žæÏò!ÂhL’]Ÿ÷å¶lúŽtî½ÅnüaÈ™õͪfg%Ú0y]dVîú`ð6b^1̓ð&ߖųöÍX
+IàI_Á3&Ò,{!t‚½FÙ1£SÖRö\Ÿ‘œ“Ï×—¯'rÿÎnំÁÉèƒ;ìˆÚq‡HyFK&lbêýùÅ)mͼRŶjª®‡\jw´ôµ\—cÍʧæJ¿ˆãeҀψ=‹Ùc¡§t"õÔ.'¿-¹üúºAΛ¾Ü5eOš\?t[M>´M×îúj¿}”«™Ò&øAQað¤çêEÑtc:—%L
+K1wf}F±ŒIÍ£špqú|—2¥~£&ŒUIˆEó¾më·„ÏCÓÞuUwXq”`©5j¦R°U’ˆX…ÀÔ•	¦w¼|°TH·1W=&ÙŠÇ@õôìŸß~&“øà‚aCÆåõm»pßF²
+^¦ÓI?×Í0ú3Âß$,M¤[7ƒë¦!X•8d¾‹°„@°&	x·Pl·ë*Šë'ökGƒGU„~¢ràÿG¬\°T‡ï‹5Ê°ÖÁñŸ¶)±?Ãÿˆf¢Ô,㈰ã;=»þðõüjy~yÿƒlÛaÿ³æ”"e:n`¯%$Oåp=ð„ì}B‚r+8'èåUuIiBá_œ£q1,`Ü]¡µ˜b\Qb<7Õc´'ôàÜlˆ²Ñõë¢íË ôŒÜBÁöÉë஘1¸W}WÖkè¼	§€îaZÌé§nWî*
+C|E ‘w°õ‡‚¡Üm6â0© P²C4v[±^ú5f}Òj`‰A?gcq…0Éu¸ƒ‚Û¦~ð
ø€§ZM8€²…[úÆõ½VPa‡Kz;Xfeß´”8”HAb-^ÁpßÏ}Eƒâ¿Ri¤kcá6‚Ù`í¼ZG×Gi¤}[› ‡~"èàž#@ÖW؇:ŒÖTa·4ynÀÚÜü(ÏIÿ-Å)Dvç®+ì
}þ¥kÀž>,ù&DÁUƈ—;ù1UxzÚÉT®Ám{2AL¸\7éÚÇÊ	4¹åéËÚ
TõÔA
NÕ»
+!ºI¼Á£V´ÞÒ/¥
+‰8Þ±¼>ÿ„£ômé	âŸuþÊ+ˆØÚÓ®6mµ
+2sr+F%×óÍ6_-¶E‚Á¨M}Îh©§)Ómòp]w¤0÷¸>^IÌÁŠ²:4/ÅôK"$ê-ø|¹ñaV”ë|_û+rÕ=áÍž+ì×å+AõHó|HyP›Ca)Âùóæ>å6íÎ[¢ÛCiÛùû·kÇñÞŒÖÞ!uV&_ßîýûÝÔcð­3hJdúF´•î|ìŽ=ÃÝß|#âtüßOËOè:Eü‘qkK¸ïÃf”BÅ…6O#É?B?Õý_ìòendstream
 endobj
 2223 0 obj <<
 /Type /Page
 /Contents 2224 0 R
 /Resources 2222 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2213 0 R
+/Parent 2221 0 R
 >> endobj
 2225 0 obj <<
-/D [2223 0 R /XYZ 85.0394 794.5015 null]
+/D [2223 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2226 0 obj <<
-/D [2223 0 R /XYZ 85.0394 752.4085 null]
+/D [2223 0 R /XYZ 56.6929 752.2293 null]
+>> endobj
+2227 0 obj <<
+/D [2223 0 R /XYZ 56.6929 623.4383 null]
+>> endobj
+2228 0 obj <<
+/D [2223 0 R /XYZ 56.6929 561.5469 null]
+>> endobj
+726 0 obj <<
+/D [2223 0 R /XYZ 56.6929 523.3883 null]
+>> endobj
+2229 0 obj <<
+/D [2223 0 R /XYZ 56.6929 487.1636 null]
+>> endobj
+2230 0 obj <<
+/D [2223 0 R /XYZ 56.6929 455.5032 null]
+>> endobj
+2231 0 obj <<
+/D [2223 0 R /XYZ 56.6929 390.69 null]
+>> endobj
+2232 0 obj <<
+/D [2223 0 R /XYZ 56.6929 319.8083 null]
+>> endobj
+2233 0 obj <<
+/D [2223 0 R /XYZ 56.6929 137.601 null]
 >> endobj
 2222 0 obj <<
-/Font << /F37 819 0 R /F21 730 0 R /F23 754 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R /F14 765 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1650 0 obj
-[722 0 R /Fit]
+2236 0 obj <<
+/Length 1987      
+/Filter /FlateDecode
+>>
+stream
+xÚ½X[oÛÆ~÷¯Ð#
D›½“ìyr''E뤵
+ í-®,¢©ˆTç×wfgW"iZnQàÀ€¹šîÎõ›Š‡?1Ëã*׳4×ÌpafËíŸÝÃÞûxæ‘iÞçz³¸xýN¥³œåVÚÙbÕ;+c<ËÄlQþ–\}út}óöÃÿ.çÒðä
»œΓŸ®n~½ú‘hŸ.s™\½¿¾½œ‹Ü	LÂ"ŸåÉÛ·7·óï?Þ¼{}sùÇ⇋ëÅQ¬¾è‚+”éóÅoðY	üpÁ™Ê33{€œ‰<—³í…6Š­T¤l.n/~>ØÛõ¯N™B›Œ©íln$˸œ¶gÜ€þóTfóüd/)¦ì¹Ð^ó?QÏ×ïŒéq
+Á²Ü€`žåO÷X[7¶‡PKÓ4›õo}"Û‘kB8Õ¿R+–š\¥»Ý¹eõ;çÒµ—s%tÒ­-@(\˜Ä‹æIÍjăÞ$¦âĺ«–EW5õé!DâCD%‹øVéVÅaÓѪ%óè¾!•ÈÁŸ:ö)˺ãižs •á,7ÂÆ™À­\Á(9ScúýÚU ænæ Å¥HÖnâv#0ÚM8sÞN\+4ËÓ<ú¯nöLjtHã)ß^<¥ÙÓlÈÖÒ²=z¨üPOÔá¡jÝ+4aÜÁû†sObJ¦Ë®™>: ²ttëvžè­›âÎmÈêJ§L“G«b¬šÍ¦yp%°•Ü=Ò“¤†E±¿YrØBüÅÇYŸ…Lƒê¦yâØ={5¡›ä)“Êæ#å˜ûZlwÇ–Í–M9Aa:ØB‹x'Å?,BüÃj{h» ($]®Ô(¼ÖÅGè%ÇŪÙo‹ŽÖ¨>z|)6UI˲ÙUMk¼î-—MÝVmWÕ÷Ã6®ëܾ
\eu_uñÇúq9І‹êpþÎí«¦lÙÄ
¸fSÃrmÅyðës=~G.öŸÇW¶k­_¸22M\Ùw]ž3-ÍèÊŸ•ß6¥ûsjÒ¾ª£êÍãÈK©‚%‚3zº¯»MQ]³¯º¯ñ¸==mqï"·¸3öÖ/›>×{G.oïýD±É™ÍT„³=E³]U›§åÆ€Õó,;/Ý‘kB¼AZpNÆÅP¾a¹1„(Æ$msð(°tD&ÐAZâ)‹® ê
+mŽ‹{W;"Ÿ ÈCûrÔì«o¾Aý±R%™ɪė©däÌ(º~J·mç@i%d)J-­€°èˆ´óR7_ªÒ¡˜]¨*¸ôºt_^½ž¢‘VË£³|lÁ©îó¡¸ð‰÷ÃÕÒ£„
J{ù"ü#Kߢ¸é±žtsíÚ–´™Å¶`„d•G‹‰q×@—D©êÝ¡cZfØkI13sª¶X…"Ú£í‡Þ²ÒàÅŸ%ä´Ér
ågÙ9Ÿy&X#pîé‰n
`´x
0j““ñ±{Ê¡Ö+
+44b‡é]ë£ß‡«Rªâ¢(‰L¶xâýã=§´¤’‚û^ÕbC<àÏÃT÷!uÆ`ßœzCô@9]£µ°±FWu‰ÝWÑníËŽåcž÷!é/¡µ·i¦FQ¿n›P;î\Ä7W>hãVçö< õ¹ž´#W¿ûvÏ
+ýÑB“­36™ç;rMH6À2		®¢ÝB@aˆ)m’uÓv´
+5g"j%€êApáE®tO••z56™Ž­Õ<|õÐF)hqë÷\`*jzv%õm°Þ5›jùHkBTM`B! ›2é(.N½hpK_@-™õ<ØÛ,Fˆ®NGœDRC”»ð›Ü]q[<µ¬V+ªËŠŠØvt¬7iÐÛ
t„Ãb]…N3Î.¾kŒÀcÜ[u“×°€jÜêæ&
sû`nzš¸dÞ|šz\g )rõECS
+“}í[SOBSªry^°#ׄdchJ!x‡¢ù{ÁÈòÔ‡ù[qŽ„‚6âoÁôÜŠáð"GHóq	„Ö¦¢¦gÄ#ÜŒx„ôÕq›ùô@é©Æxíÿƒ„LÓ!
+Ic_R–âËíá.$ª<%*¦¢Ì’§ÚðjÔ¤
ç4D"À9ÇORÆV̇HŽ2RN¥ /ÏF1õ> endobj
+2237 0 obj <<
+/D [2235 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2238 0 obj <<
+/D [2235 0 R /XYZ 85.0394 436.3514 null]
+>> endobj
+2239 0 obj <<
+/D [2235 0 R /XYZ 85.0394 376.2994 null]
+>> endobj
+2234 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1666 0 obj
+[730 0 R /Fit]
 endobj
-1235 0 obj
-[722 0 R /Fit]
+1528 0 obj
+[730 0 R /Fit]
 endobj
-2227 0 obj <<
+1245 0 obj
+[730 0 R /Fit]
+endobj
+2240 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1685 0 obj <<
+1697 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -10090,7 +10155,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
 ¬‡¹rðpr‹t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññÃ…;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y{‚ÀN¿!v€ØÙââòø
€¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ	êõ'þÇëŸ ®.`¨
'&ïcNëcn[“ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ
-Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.9mYe¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
+Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.Ym
e5¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -10113,35 +10178,35 @@ $O
 t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç	Žð=Ï	añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGxd½DŽ…*~ÂJSÛ/
*ûÎÔF‹µëújQ‹jw	Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô.óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘	p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß	ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ
ñâSPÓKD³—dOjnÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“
_7T,Q1çTiHøBÕWL8­¡¾	 ,œ²£.±ßu2†)¶=–Oš ¹ÿêÚ´­Ùê²,
Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê	{>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM©	Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³	”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã
©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc	-@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜	…@ƒi/_	A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿ¼éõendstream
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿZfõ‹endstream
 endobj
-1686 0 obj <<
+1698 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 2228 0 R
-/BaseFont /ICPABH+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1684 0 R
+/Widths 2241 0 R
+/BaseFont /BPMHKA+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1696 0 R
 >> endobj
-1684 0 obj <<
+1696 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /ICPABH+URWPalladioL-Bold-Slant_167
+/FontName /BPMHKA+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1685 0 R
+/FontFile 1697 0 R
 >> endobj
-2228 0 obj
+2241 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1666 0 obj <<
+1683 0 obj <<
 /Length1 1630
 /Length2 6133
 /Length3 532
@@ -10153,7 +10218,7 @@ x
 Òy¦§aáèha
…«pJí•Ž HÀÈ(ã
 ±@Bá0Y$D¤±ÉB¬@¼¼ #Hîìå
 µµC‚XnxXÙÙ9þ²ürYzý‰ÜD" ¶0Ó̓;Äîì!o(þ×ZiÙ@! u
%5‹‚šHƒ¸Þ¡áf鵩@­ 0„dw9þqYÁaÖÐ_¥!¸n¸¤ Âb½	ƒxZAœA gˆ«¸yA [Wò¦H8
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`5yyö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
+³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`Ue-Eyö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
 ÿóü{é!Oˆ`zn%lŸš‘†¬"Ïéé—5úÐÁƒÑâ\\£ý:ß¿Þî—¾(Rf~QÂU;(zÕä5¾í|¹ªÌ¶ÖÛAæÈÜžÙË£ò¡g}ŸO4ÏôNˆ}-lZŒŸöU/Ê{LeÓP[wm©_ó™iÑÅ=àà;>WìýSVz÷|R†g_«”·¯´ÖÞ"®*ØþÊ”°yzÂÜÕ÷±§»ýðîûUJöìW8Œbî˜øL‘þ.Ù”OuJåÊߪݎË;BbubÁï<_^Ë¿Å`i¢KÙÅy¨yc@–‰Ÿ'\;ø$·®Q;S-”âs/,
9D¦Ô#,9ƦïKv²±SÐúê¿»èçö‰%…÷²õ-âÁ]3ëãÝ“±Ñ][™CæºÊlëŠÑLü‹¦ëÀ¢€5‘ؽrô›ìç3üÜ°˜üDÑSjÛðôä)Wï8Ž*öÜŸèž“3@'}~+ÏÝ6‘žˆ•Ø\Žpµ<züuÚ>AbåPóبLbZ÷a3ÒYÍEœVÁ= ¾‹­{·^®2<¿}5aq€©ÿ_5¹Ûðòµ÷>›À¥´ê$C}ÀXŠ¹­œÕ÷ji—û­€G‡/§Œdû-!j¹;Ë6#ÔÜŠ.Oé­×ôÎc´¼$z¾I(ñØÇ/Wj®½"¹ßKÒÿ¾ð{Lš¿ÞH¥hԻí:iÓFRF<g]Û39}—ÞÞF™8|à0­‰å‚Ô"¦¯£G$¼	ºêÆIª˜Ê΃.–Šô‹µŸE·ÛCqüQmæoi\7yªàmûŠJ…0:næÅÊØê®óÆ	XeŒ`Ãé’_ÿî½jâì…”Êr‰ÇO„DŸÓÕ6xÍ·o¯lŠýP¦ÿÎ*5„$8d”#ÙiWtu¿÷¾žG=kŸoHÉ]˜Ÿ:ã3ùN»­g}„™?&ì
 b݇a›yKÜ£%t×TcaÖËF˨?B:äÐ	3ÚZP‚ÌÆŠ}
fñφôˆƒTU‡J鉽žj:»«Ï‹ºôN)/ÂÕ	äE½¬^gº‹ ^/«k¯&6Ö7%³"”-ήQËòÍ“ñÆ‘r¾“'#LwDEëЙ}`?—$-`¤¦ÍC5Õ‡9æ3ÖXïžÊºUFC:ׇ¸T<íàìe¸z&îÄŠù @Õ!˜-“Ú½¡…´cEҼŸýÍó2¦±h’—Y#ªªÇSÀìjzaT
€Õx…^ÉÊ9%î5Fõ¡ƒ…™y	×±ªälš2$g$?˜ß{v€¢è§à,¯ŽÀnD£ÍfGªªSH4‡S"€ÚóôöóãNƒ^œ¤ä½t!¢+ÏøÝ÷n©X#õg«uW
³}ceS÷ö¸ïcZ¦BF%×#
èS=ªbÁõËFñÁp%ˆ&ˆ÷Ñÿø‡@§{›Â§F$
 ñÀèHvo»Vüy½¼Òç³³”ÎjÁÕŸ,_Âh^§–p³/â#Ó„HÊÀç„»ûÄŒ[‡¤Ê»B8Ò¬’%PË ™#¹&}Ô7uo(à–îu•úµÒ95ÀŒ¾?ËêcÕ8—ÄñâθÑ,™ê:f”†.‡Ðà¡ÝõÁ41hÀ›3):«;Ícƒ·ú‘¶Þ,èðY½:Nç5u…QEð‰rŸ–²ÌûŠ!&.ÜYâü×Éú;á$¤`×yme~b©@{•3*¹‡ô÷¤”
¥Åêg`iDÕ˜|)1IŸ\°êjñ˜Î™+ Ä&j‰wé„™–£Á{÷…á«-G3µ«®ô*UÅmÖ­ïè, ï!¦ öOµìl•yóâúŽàäç?MµŽÇ¾Ä팼®sÞÀ±x»åÅ!¼´œ®“X>ÒIÙ»—X,×EAœ;¯è%Š]"N?v6ÁnÁ$W¥0O«W4¸»Æ—NQI…>Äóq†z#ÚQû3]º¹Ñ
@@ -10171,128 +10236,126 @@ d 
 ÕB¾ª\h~8©$‰¼¼·ý˜7!g;É¥ƒ\®cf>}7›ùâžÐÙZسãÁÖ–Ü^-Už&(
 ÖËÓ»ÜIFÙØS­˜õOV_ºhýÐn-®
 X{$¢½‰¼û£@–rlZ™âɞˊ1o(­¶¨mèö¡Ðé»÷ÝõäIŒ]Œ_-ô‹¸Þûò'zŸT¶n76Gت–·&úìIĆ‹7ÎÔ‰‰f¾uä3¾õˆ;)EO4,Źk&l‰#õŽ¾„˜¬Ù¶³	½höâiF]	‹œx'´ÅfÊb\ñê{Ý?¬¹¶=ê3¤XTÕW©*®§‰\Ee¶©x‘@†Dz:ƒ!¡X¾ÂK”G½èß>c{BŒÍCŒ±¹0šUÕ¼ƒ¿ªÝ•5xfœéÉU“Nhèòã»Z–$8û훎·òБÞåú¸;ß¾2~%~QÍ÷*|6οÀ.©ó¶H&l]ážçµÐ[èù%¥κƬ!ÙrOxÆ!.B˜“zuW,Ôêr‹9å™ÊT°CHÖ‘_e‘‰ÿð:û5r€û3.ñ4v—W”ò]ª[)ïó–äÙÀ—݈H¾ÌûùSŽ¸+¹ºfS4çHõ¿ÞzyàÂ*/ç%Šâ׻͠Ï8ôæãmº'7…\ì°Å÷K)8ÐÁ@£bÅî\ç±ÄÝÊ‚×[g“©»5é«ÅÖ¡’'¯ÔíÌ¥ºégˆ<‚â¢Ï8TŠqùœ_Uå=¢¦#fœÞ*ª6í¶²*æ›\oi›–•`ûlj[ÛW*ˆ»ºœ2Ž(ËtŒp{ˆ¥6Í]š†}„¯>{?'CÆà§5zíEëÝÚÓÞ&vø¾öŠ
÷dYcØL‰8àÇÉu°à•GËÝšÎñtûëV²­ˆ’eÓëû­&KÅàჃ‘oS*.m•»8ÕîŒWQì3ÊDÌûj	OpHY²ï®f>×¼ù‰_ôŸö‘Ƥ‰´»ø|EÀ’=PzêîXDƒ%½+C£ˆ1_ù¶‡=AýYœ:&Aaú;æ¬U¾öÝ*“ÍXJ·=à²ùˆ1¦¬ý<ð»©,|#
O'Cƒµë“M]í¼æf°ºÜS4‡AÇ÷Mj€“Ò·ÐökxõÊáž™ËG‡ÞÕéú,óÔ92‚¬
߸gp0o9)ÁM£«&ChVF=Vv¯ñõ­Åž¡üÜÈT·Žïvä(Ê´ãé¿7jzä­ ¾¹Â6]E³ÚŸÉÞeIGOIùç…&˜+ÊZ Sl©
-Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀwDyŽendstream
+Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀ…Oy˜endstream
 endobj
-1667 0 obj <<
+1684 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 66
 /LastChar 78
-/Widths 2229 0 R
-/BaseFont /CNCFFU+URWPalladioL-BoldItal
-/FontDescriptor 1665 0 R
+/Widths 2242 0 R
+/BaseFont /MJSGHF+URWPalladioL-BoldItal
+/FontDescriptor 1682 0 R
 >> endobj
-1665 0 obj <<
+1682 0 obj <<
 /Ascent 728
 /CapHeight 669
 /Descent -256
-/FontName /CNCFFU+URWPalladioL-BoldItal
+/FontName /MJSGHF+URWPalladioL-BoldItal
 /ItalicAngle -9.9
 /StemV 114
 /XHeight 469
 /FontBBox [-170 -300 1073 935]
 /Flags 4
 /CharSet (/B/D/I/N)
-/FontFile 1666 0 R
+/FontFile 1683 0 R
 >> endobj
-2229 0 obj
+2242 0 obj
 [667 0 778 0 0 0 0 389 0 0 0 0 778 ]
 endobj
-1430 0 obj <<
+1440 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1711      
+/Length 1712      
 /Filter /FlateDecode
 >>
 stream
-xÚíRiTSבª¡¬2©¤j=,Œ‚¼ŒBBC1M˜d˜{CnIH@Ä
-UY±Ñ%£¨(V: Ô«ð
-8‘Vaù,Rµ*N½`]]¥?Û_o½sþœýíïìýïlšG¤Œ.„°
p(†t6ƒ-"©TÂfòÌbQh4+CC,l>߬Ôig`ñÜe.B",Í€#)jx‰¼'H< ÔÂ8¢T @ª Ô°–¬¡Th€S"0a`¡FÖNÜHkátÏ€!…Í¢$À8A)Ì	MT…ÞÒ¥½MeÀx:)
-xMÊô¤HC5Á*
-s5FvƒI-ÿ„¬©ÅCuÍj…v¢ü¤SÉ+´ˆÆð;Ó¦éR‚qt*5~#N
-CˆN;5+!D)DS40 ³—3XËßàHz(¢‡¡H„PªJ¡I‡'q…¦*!ý›ÔÁIÄr±Èç÷¯LF*”Ò`Àúƒ=³ÿˆI“pDâY‹MÉýö”8¥™Ub‚¦×(p\a CDF\`d…`=€õ¤b&Åò
- É*§Lü«/05pzúúàfÊÄì‘îM`}Zp0¦7Ò—qÃ%[±–û—•ý'¢R‡ã0JLŽiÐÛX…žÂ°VR,70¥ÿ–÷žÚV“#®êßtxKû¹­'MþŒ¡^—kxãrøƒ_·:Œs*ŽøŠ	©¸}ÔSÂ,³QÆÜÚãlvtó®Ø'›ñ@9”4íRY[ë{ÚÛïZZÓ}üèùôNÆ9ûºU÷ؼJêpÁôš›7^>ÎIÝØÑgqøò,¡$–^µŽþï¢+ã÷ð*ÌR}in¾§®¯,ÔÖÛÝ©·MüÂ2©ÝuSÀ‹Y,o½ª¿ƒÂÞŸºÐ[Ê_)Ìœï{-ºÜlÞð0Å67EH™9ÐåÍð0½Û-ÉË.	‘DÌ;Z᢬™§	«¦ÚÂõ­ëZ´è…|kýš<—ÔúNN@1;­qmmòØKÚ¯‹vL’øüyï³×…Ô–J£‡ûñi1>~ûƒ2¼|†¼ÛYTû«Ÿ™=âê/î ð^‡…mÚõg5JA,ÿz®Û#ŸyZ8”{‚1íÞòI×ù|ÝdÞ ÖÛðã.¢öW>üùbKá~NR¨(¾7ùŒü¦Ï¥Ú†óU!®µùÓÍM¡¡U‹šfb=Ás=]çûÏv&Xå@½Ór¡[_t_}6Ë…;>¶à˜À÷@÷ÿÁJ¢ÌÇ}äØnž—º“q_¾Ôè÷‹Ý¹ˆÚdC§_í	ó÷s–ì…äYô5{SÕDÔlÓñgí9ʯȶ+Ï:ûDØôª/u^Ÿ.õn£­¿\ûˆp*Š|^™ÌÀã‚δ´¢8j=>fÌàœùh=×?!åUwàᵫ»6>xtsù‚íë)‡þž>5MüiIÎë-#=a:gqS{¼½{Ôtûû>„?°ùìAgg@ìW‹[¨uçÿ3ºb
㬒Yš8ŸÛþqÔ\©­u£AnÖKÁŠ/‹»Yêú­ä‰;jnN+ÜJнY³ƒ÷Â’ÈôN,¢+ˆÝÜ9–
O2#åUQkûYsQþ_ࢀR+pÓ*ðTÊoÖŒ}endstream
+xÚíRiTSבª¡¬2©¤j=,Œy5„„1M ƒÄÜrKr/½Ü@R*©Ê²ˆ.EE©°ªÔ¥–X…WÀ‰´Šð€å³HÕª8õ‚uu•þl½õÎùsö·¿³÷w¾³i‘2†Â6À¡J08LŽK¥g6›B£ã°’@04DIÀBÀ|ÀJ½p—6_È[&äñ)4Œ¥q$YC¯`ú‰D:GTJH•„Ö‘5TJ-a*&ŒL ÒjÁÚ‰i`-œãé0Ĥp8BTØ'#(…5¡I‚ª1ÀCúÔ·©tO#E¯I™t@Š„0Tk¬¦°Vcd7˜ÔòOÈšZ-(3d2–qƒË#[±—û>ý'¢Jã0JLŽiÐÛXžÂ°VQ¬70•ß–÷žÚV#®ì8jOO›o>¼¥íÜÖ“f?æPŸË5¼á9üÁ¯Î[?FŽ9G|Å‚Ô¼^ê)Q–%SÆÚÚílqt£—ï“Íx ŠOœv©´µå=Ýíw­R¼üèùôNú9ûÚU÷8ü
+êpÁôê›7^>ÎIÙØÞkuøò,¦$”ž^µVü÷Ná•ñûaX%f­º47~ßS×WVjËí®”[Žf©TjwÝìÿb›nP÷µS8ûSZcJ+e™ó}®)ÊÌÀæ}sL@Sc„ô—™ýtA¿‡ùÝ.I^vqx´$jdÞÑrUõ<­XÕ®kY׬@/äÔ­ÉsI©ëàúqRöÐÖ&½¤ýºhÇô'	ÏŸ÷<{m¢6?PezظŸíí»?0ÝË{ˆÞƦÚ_ýÌâ«Ô|q—†÷8¬0µêþØ—Õ4*1‚ë¹n7Ž|æiåRî	Çt{Ëþ%]çýu£ew¼Ø`#ˆ½ˆ~ØWñðç‹Í¦ýÜÄÐพ¤3ò›Þ—jêÏW†¸ÖäOO°4††V.jœ‰u÷Íõpï7ÛI? šÖ]†Âûš³Y.¼ñ±Ç„>º^ø
þPei>ì³ Ç~pó¼”Ìûò¥™¾¿Ø‹¨I2vøÖœ°|?gÉ^HžÅX³7åXuDõ6ñ‘`Öž£‚º‡»²¬³ODß©KñBPë±ñéRz+mýåšG„SaäóŠ$&x¦¹ÅÑãc™éÜ3­çùÅ'¿ê
+8¼ö`Uæ®Ý\¾`ûzŠÐ¡¯»_@MZœózËHw˜ÞÁYÜØgEï5ßþ¾ôo>{ÐYïéóÕâ€fjíùÿŒ®XÃà:«å™lm¬wmß8
jªÐÕ¸Ñ ·KAÊd/«»Eêú­ä‰;jiJ5m%h‡^ž¨,V°rºWœôñ VVQÙbÉ)íR›i·§>.vxŠo:p5œ__¶
+¼U¹n¤|ÜÿNç¸>×õòpAûO§—IÕÒ×q²=IsÕFCÇœŒÆÎ’yNe†`†×–Óe~Îý┩a“Í|µ$úÆVÓ¶íšë•p…£Ž³9Z`à>;Óžg÷nvÁJ*õÔ´¸vÔ°¯6¼d ÷ÈŽ‹Qïç[îx)ÜKÄůlcµƒm¶¥ñ‡¸B—UCi÷…Š"ÇÚ`¼Dž§j½•¸yå´¶þø.‡íœƒš¬¢ÎÙùM3æïØô£Û£%é²ò/לãç¥+Άòzg}ë¹°PC@‰Ù'ÅU’óž~÷ôŽ}ÈÈ¢ÇÑgÌùÏ4=§}ËŠ$C—;D7[vÓj:µU%ù»¥³«]Ö¿æt¨í²ðª“ÿ®¶¢6Þ'­cÔ%Ä‹Wq'—º}mL*ä„t™†5¯Ê€ÐÃÍXˆãêž—Ö@fn®¨$¨óúÎaMb}ûµÒÜŸÐ(Y=u¼µrß,NT.+ u¾P`7ãÞWb?ý&©Šß?z^Üœpµûó‘5;ø/¬	,zB!CI¬èâͱnx’y(¯’ZÓÇþ›‹òÿÿTZX‰˜N‰§P~FûŒ­endstream
 endobj
-1431 0 obj <<
+1441 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2230 0 R
+/Encoding 2243 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 2231 0 R
-/BaseFont /CIETEC+CMMI10
-/FontDescriptor 1429 0 R
+/Widths 2244 0 R
+/BaseFont /UMVMTD+CMMI10
+/FontDescriptor 1439 0 R
 >> endobj
-1429 0 obj <<
+1439 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /CIETEC+CMMI10
+/FontName /UMVMTD+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1430 0 R
+/FontFile 1440 0 R
 >> endobj
-2231 0 obj
+2244 0 obj
 [778 0 778 ]
 endobj
-2230 0 obj <<
+2243 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
-1164 0 obj <<
+1174 0 obj <<
 /Length1 1199
 /Length2 2269
 /Length3 544
-/Length 3058      
+/Length 3057      
 /Filter /FlateDecode
 >>
 stream
-xÚíWiu#É…øwŽÛè1NxD¯Ñ
-ë¿?WhûµÚûÕ¶{
-Õ¾™¯lóéí»a!¬Û“d‹äTOøÊzœ1À7¶_Ó^ð+«£.œãém×Ù4¤ÙqÁ
•ú>¾ÑBãè†sÜ—o¤Ü÷–+5G—¿k*}TÐ^£®‚{¡*ÿ`±i“°Ø@C“€| †_>ª¬p—¶kIš·ˆ¶ÒÛj¾`‘‹Ö&æž=í}Zú¸ü‡Ü|D°¼™¿b^›Mkz«2û²kŒí%"eñÌÓš'ºžŽ»o´_«2#x̓¸aL	À]ÍALƘØáz‘·*4ÈÁ²ëKîŽ~Ps&ÙÚÓô³/ìG$S”îV_<ÚÔz,bJºaßg!ñ¾äql¥p¹·Ël‚ksâÛ^[‘Ÿe3øÜ6¿Y«(;=ÖDrh­Âöêõâ1tÕzŒŸNežG¦ÜØBJ*¸Ñ¬@2°~5^èj80±s]ØqŒÑ]Z_«)¤>DÐËçíîøi““]VèÛ¨–»¤äö;7i·ë Á¡´öYæ˽3‚Ò_×œhö	ÏИÛç}ë
=Øq`À5$ïj}›B”Õ…ó르·~öq×umz)§Øì9VúFÇ+›ÉÛ'½hSѾQ ¸$þPgÑðó‚v‘ïã¨cûĤ¨Mé󵩌¥=È—¾·²QßzγN¨°ïÎ~›SAéW`%±ÝÑ"ÝGñÄ+ÀT­¥DóÞNêç!ûá¾
árÚÓ2ÙõZ&’¡šë:;ýW(ÉŒ-䉪_÷8¯8Ê+ûëéþ£æz]Ù‡³­Ð4Tƒáoö7gæSñYÏÝÕ«\`2,ì^#hˆÊ	’‡y*k}tl›VÔÍÎbgªŠÄ»×ù06÷•¾Q}A¦·×,Ì6¥[Úñz«¦±	ã×ò6œ5Õ¼§ÌÍ5õâ3N~p!ãφ
-ä&¹—rÛ&jŒ$ž]E71M…8èN‹‰3ó¢ùÒ(!Ÿÿ=àðêSÍ!¾9|6óNn„ÛálãlìA刣׭=ºc¤*‘ %×à·‡ü[Žºß6ÆôŸA¦ç:µ~jm»º¾ûý€†kK™ã=¬šøT§	û“Ò|ÚY³„¶“”H‚È*Oµö…÷%hâáæÁ‚¬£A›·Ÿ?Z?K;‘x=ÿ×·Ý¿1CõmÌ©²kÏ°O§‘T6v¤æï›1霬6'ÛD•¬sëœä¥ ?H‰w¿%âÇF [”/›©¨¶y>8ݨ,D¶Ýº{ó3eùÔ3ÖG …P«Õ;U+¶—à‰jBrÃoÃêV¡råx{Óy¶r‰|£OO©’NÊ×÷I:MÊ:z¦Sªu2ãh¦4zx‹•ÌcS팶â“u#ŠoÓTŸœ'žú‚qô˜óvÑ+"s9ŽpÛy}@è€Y÷žÇü÷ù uòüžk­YºF~séyûœ>Äì«G‰:ÜAíò)̺·àÔÏõ—ÏìwÑ}ÂïtóÔýzÞêù’ÔdÅÄ=ʦzÏý;öŒ¨_Ž«@=ÞLÉë@8è’ËçŸLÕýþŒ)üä²åM<é­',ŽzУ8kt:ã­s<•¢«³R݇5{¦”x‘œÂ ‡«gæ‰úçSö”«4ÞöbØ”\,›¬Ouò°
Ôq{Žl‘y.ç»WuÇFóË×Òk½³®—øsóÍ@	ó+¼c9ÕÓØ)¦Ä^©^Œ«½*ÉÚõÑY±ûSIØiÚK—…ÄC¥É.£ü7ÕqzuŠOJGÔ£º,Q1ÁõE¥Ñ]{]|?:‹ÄÏcÏp«?>¾ŸÛÍÊHÛpP“f›¢BÓ	«(züúC©+‹8í7>U¹dĪH&=»üèdü†Þâš_rµß_bÈu0ÏH„.ßÑÊŠ~}<­[Ø«‹”KzZvGWLÄH.v,EÌÔ1Ž"Ê¿9Ý*¸)Ú\(‹§Œ'9ɤü>ñ6ß’_¤Iª#¡Û¶þÊ+â¶uók:{®m
-8Õ;e#H'ŒÆNeÌ<3†1Ã,ö-¢8ÙÊÒ&YrìE¨l‰E„P*J¢
Y¢Sï£Nõž^ßÞoïï}žÏ}_ÿëú_×õ¿¯ûã$Åi˜é> 5ÆÒ@#QF€=%À‡ÍÄái{4ö‚d¶-O @WRr¢°¨àš.hÉñ,
+†Á³ '_6`‡gZ(2Bé  5Jû»#a`”z8€Y ƒJ¡A†N`€4ŽH¥€Ä½ “Îf@¦@‚*\;3`IcPȾ,á¼×UUMMý§mhhø„}GȤi€2´©ôÀÕl…
HPáÄU_,	oE¤°VÛ¾,V ‘¦f 	B6$“„¤,MU¨X+Ñ’°JÀ„¯ê‡¡0@ÔX˜æZúÓè!´ˆ5!…FüÚ‘¨éL£±A[Ìß	þÓFY€.Jeˆ2À %øj®¦v
+¿‚èU3žFŒŠ¤$<•	FQH ôG0ñÁ Àb°Á¨ˆþ¹ƒ£Ñ‘B`> :’Ÿì$}ÛÛáYJ(à‰B¢PhµúþX탗H§QÃ~ºÛã@@ÓÆÊÕíwkµµúÿáiaA‡h5Ðú€†–€FC}êjÿÊúCïZ|µbñ”¿kEý¤´¥‘è€á·– -¿·2˜Ð¬ˆ¯£­
+ü“ߞ΢@ñsŒ¼Pº(h‚ zÍñú¾æýšÃšM¥~UñMÒ„	ìVU¡BgU
+á?¢ðjØq¿:º‚ß.Äßt¿ÂßØÍid*h µ¾)LkJ(HÄRXßo³ó]nâ×
+béLÊê‡BtÑ¿`N¾‚?
d2¡Cù
+4â/I­h:‘B#84¢xñ‡a&°H§¯'Å~ß“(P‰ 
+àCtÂŽC~5‡š–.šK‡h¼¸§Ý®ç¼ð…-§O¡r#¹Ûì%ýK¥uòç
²r1ØN_“*Ïõvë¹Ó¥­RôCü
-š‘…E„¹w%I½F^Úio´ùý&DÏª]*ã¨dNÞ+Ë°[»ÞÉ—/¸+™XÞÆ%ÒÅb¶.y¼œr€IË–Vò:L¨Š/ǽuØEv4‚=à´`P~q‡søv_«¿ÿQe·_ýëE‘Êfaïþüº1mଚ÷>Òî¥úF-w¯i-û–5’–/ruwkïQï¾äŠHy×b¡vRô"ûåkÉx·ƒå
+mEQeEo[Kçß­SUB¿P–}¸Òz¸•_x¨¹•G:Pƒ/•Ö¹IÚ¶'.YDatwš/[ä µp9Î{—<-û!'$kæ'ŸÛeݑ֡ȼâmsG\y+uÄô†ú™ÞgÓn[í6+Íó^sljN)è†lØL´‰-º~«B$-PÜ9ñeHÅ	ocGÖ˾t–ÄOT謩=ÙÚq*|V²ùÐg>‘¤iwT%¹ŸóB¼K[›‡ž;៥ӹ\·¿Þ¬w,+-ÆD|d³̦ázѲj‹¦/Ÿve®{¶f3¡¥?Ÿ˜£M˧o!ù"rºÀÅ`èý^ÐÓš†<äfFkpS0¯§÷›ýqs&g{1èY+—;'ç÷½8c»ï(Ö¾¤~,ãåÁùÇi¯ê†Î´y‡¥«ÍLòºõšÃî>2äœÛÐÔ%‰¹T½EBkçgo7·W¦—³‹Ìž£$otOZÏÜ>sgƒøD­uÅÝ­3ÔŒv\~a>W¸’ÊGœ_ßï%T`aÔÓ—!_•GÑÞÕöJÀxoÅ>ºá»#ãi"Õç·O8ìYåÕÂ/\e²çd[wý¸LÌ­acÉ“;9r¯lÚ„ëÏÄÁ(&]—ÄGyá1áãN¦&7Ûm{ù÷\móÕè±KG)曌ò»ÕñêB2¼„QŽÒfoC›Ö¡ušÃó5@EB'Ë%x)T»Ëm½OdÀ@K éíMËmSi–¶œÃUs¨¡ŠZìôµ\ѦzOŽƒ9ÙB¦ž\ÆIü/¥ÿÙ\ß&óRf×û:C±±d+Ý”…ì±x_ºô8²¥…+UŽ‡ü‰÷‰óþö“ŸêŽÙs-eÑïä„»Ï2Q2ÎBU?yÝʽ/fH¢®Z²õ{Äm±ã¤Ûmc”ÿ`)<-DZãSGWÖ¾wCj.íe÷P*"³=&ÌO
+K©LÌâ»Î?À±‚ဢ©¿îs¿îãªWb+¦†O¶s»aöz„òEÞ§³¿ÑùŸ^±¼i„ã‹"_ÔHÖ&íž8«l…¨šÌ·Qõ³
+œVAà£nwýóK°½êäåJ-·=iÖŵe‹ã¼M	!|î6zÁ®Ïáí‚RÏe|*ïÙj~åZZ½Wæuþb?vž(f~µ‡s*»f5/A;(ѯéb§Œ·ry|Aøþl"jŽüÒy9áXI’ó·ûMU´n£|ÏÓ’qÕÈ^KDtPSaITïAgŸN‚qK¨RvÍÇ'÷súé©¢Gå4Sm²’å‚ÉÚ¡%À_¸ÞHÊúBVúÝŸªœÓc”ÄÇ®<>'Ú_T÷AìKŽÖ»Ë4™nz©Oèùò=Œ¨W§Sûø={ñ9ø—Ñ!ewtô¦
eb¦’…Mb‰BÜÛs™¼;àBmÒFÄéDG©äß߿ɳäl•èŽï³iº:‰Û%°´©çÁµmþçbf­ù§Êóðァ»™óÉyâ\q˜UFdUvf¤Ý)‡ê„þ*uŽ%~–ãÛç
+b4rÍLiÒ™ïu
+IâB#ùz'FÏ`ÉNÕŠþù¢U[¢ŒTî…n"oɘJ3£d™&Ì :q{&Í> endobj
-1163 0 obj <<
+1173 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /YOVYVC+NimbusSanL-ReguItal
+/FontName /GEWXKF+NimbusSanL-ReguItal
 /ItalicAngle -12
 /StemV 88
 /XHeight 523
 /FontBBox [-178 -284 1108 953]
 /Flags 4
 /CharSet (/a/c/n)
-/FontFile 1164 0 R
+/FontFile 1174 0 R
 >> endobj
-2232 0 obj
+2245 0 obj
 [556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
 endobj
-1087 0 obj <<
+1097 0 obj <<
 /Length1 1608
 /Length2 7939
 /Length3 532
@@ -10303,7 +10366,7 @@ stream
 xÚívgPTݶ-HPPÉIhrM‘œirNlèZº›,Q@¢ 9G%#A2HÎ9ƒäŒd âC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZµY´tyd K¨"ÂÍäåЀÙ[:£tÁj<²8pk&`a‘CBÁhÂAŒ†>B!y¨@@%`È!Ý‘0[4€]_ǃ‹‹û_–ß!K÷xnw¢`6ÖÛ(áhu@ßBü7êB¡´-`
ƒCršZÆ 
%»’†>@	êE‚á-gK8Ì
  ³‚:  kÿk°B8@`¿KCñÞbÉ `Êj»Ýu³‚:þvq¡H{
 uû
€¡6H°ú¶hæ`w†ü&pk·Fü!äˆDÜFØßúnÁ´(4Ê
-	sDn³jÉ+þÅmFÿ΂ݺëÛHÂÊùwI|·0·^4怠¡nèß¹,¡å»ßæ¾sDÂþÐpFÁlþÅ€€„Ú€‘8…º…¹ÅþÝÕ	øoÕƒáîv#þDý“‚­y	€·9­Ð·¹m`|¿ä`ùÿ²Cœÿás"ÿ4ˆý÷ÌpÜ’CpwjMÀ§@ߦ°ÿÏTæýωüø?"ðDÞÿ¸×è¿âÿíyþ;´¢3®¶¿€¿.Àí
ƒ¨~ß1ÿW,Øwÿ7Ñ4„þÅð߀ÐàÛ6È8ØÜJÁÏËÿ—†R„¹A!Z0´•-À¿íÑ»¾Š„à·Zþi#€(,ü7Ÿž-ÌÊÎáwÓŸˆþqA g~+ÏÞ|z²Jº*š\¿MÿDiݪŽÖsw¼%ö_u¨# ÿ\üÆ•E¸jDâ~çðerÉö%e>w$ò¶J¨ˆ$k|X‰A\–³³Ëóõû9[GowWgó1Në:
Wz$>‹˜6!k˜¯S:”‰~‘g„e.0¦ãclKP«>»àÂÌ1yÕ’ ÀdÿS¡Õ¬çn9´éçï©|e>·'ëC‹›f§—ЛÙq€úYšµ«„8ë$fÚõSëÁ·RÞoÛ@*¾«ʹAÔguG…*|«eB‰;}ƒv©¢]ùßÖÒï6”‡yÛ}sx/Gj¢T«$Jñ£•H
âQ–®‹B~RlEÛ1w.ì*Çbr|¬½}$nÖ‡·Gs]> Ã?V1òx£+w¿³\õ9’e‡Ð†ŠØ¥ÍäÊv””7œœ¸äN­Ñ÷«/ùŠö.‹ú…&Ð)âá0äPùÝÚ…k¥èé¹éÛR§ö
 ^8³÷&sݱ­|&éŸî#6cÕ¯‡‹úœ‚œEë=öÚÊÔïƒ.Œ}(pÚéc8hXÔêëeM±¸ÄÈpefI­|š
 8xÏŽo‚¹
Lœ¸Uˆ–¤¹ŸjñÝq*½ºÏáÃ'äy•JâêA@"]1\j-L¢3wØ°¥`”µÇ,–>aZ¦¶où¿-Ž~æÚn‹åãQQNq—5%
zh±)è#*õò¸”l\ÌÕ/(YfÿY½wç½Jt½o­QêÅTHú{ò=Ó™5Ú
@@ -10339,35 +10402,35 @@ K
 8>ÔfN-öÓ¥]¥rÆp4’	w0N¼‚+à.ƒÅf4¢ÎfŒý˜¬ê/7r¦ÀCêOÝpñ%\ï‚©.úÌ•â{šÞ‚§mÝ’ó³éÁm÷µp7ßßçŽÆQ}⥜ñMÃècFn°ãH¶ÈH¿­D^{D
^HÒœð.xØ´Yæ^¥$ÃNèR¾äK'^é’²td?õ’¸I}²ß©fxaúÁ(‹Œ™K‹ŠÖâ€MÓÞ*ôSæ›iô‘ h	šŒ%–ýb¢¨¦—úˆ*äÝ*Wæò(#]V’Ü<ši#ÒY²•Š‚DÁ°¡ÃÕFFV鹕6ÁóÑÕ+3ÙøÛM~o£¼Wö¥Ø…Ú©5QÐ8ÿµ;¼³Óæ?¾z¤á½³0MñÇ€nZ_:¾ª"‰4Oñ÷
™Ë±NGÕÛØW,vÕxF™GM2Îzä}ézÚZç=¯‘ZO+Itš_¿Êk÷ïMjëgàÒk/^R\LsG‰
 ²©
 3ã½+ôÞÊ•÷aˆlª Ïn×–OBw:ëÌDöƒ^ቃ€¸Rn¹šd¢¯ÅÓò;SÓtd®ÌA~zM“èRVt}õÚ+'˜	†4~}µ÷°}³íÚš[T:áµ%|Å’Q"èXê³ÚÎÝ9"áòç0Tw³È‹d·¿Pô@åÉ@ÅìÓEâòxOæî¹Ã	åÏIXUb_4²üQ
¨:ù©^\õ47ãÇU¸µ&²ðc
óŒA«`á0Ôýµ˜—™žÌ‘¥ˆß·%¢y†.Sz¾M²hàž·ãý°óg
#$SÿçÅOÁëÏàBø[yã¦5åž Šq(OÜâƒL#‘'Þ/ãØ«*ûü©¯ð5X1œæ)ol×Ós[2L&³d´/øÿ—ÁÿøÀ
-#Ñ{0ÒŽàÿÎ)åendstream
+#Ñ{0ÒŽàÿö)çendstream
 endobj
-1088 0 obj <<
+1098 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 2233 0 R
-/BaseFont /TBGSJO+NimbusSanL-Bold
-/FontDescriptor 1086 0 R
+/Widths 2246 0 R
+/BaseFont /FJGWJS+NimbusSanL-Bold
+/FontDescriptor 1096 0 R
 >> endobj
-1086 0 obj <<
+1096 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /TBGSJO+NimbusSanL-Bold
+/FontName /FJGWJS+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
 /FontBBox [-173 -307 1003 949]
 /Flags 4
 /CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
-/FontFile 1087 0 R
+/FontFile 1097 0 R
 >> endobj
-2233 0 obj
+2246 0 obj
 [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
 endobj
-1084 0 obj <<
+1094 0 obj <<
 /Length1 1166
 /Length2 8686
 /Length3 544
@@ -10378,136 +10441,144 @@ stream
 xÚízUX\[ÖmàÜ¡pww—à.…+ pªp‚— Á58„àN°àîî—‚ËåœþO÷íÓ}ŸîÛýîÞ{­1æsαæþê¥h)ÕµX%-ÌArNŽ®¬œlBU°ƒ¹TËÌQ™UdíxyÍPhiµÁ®ö ÿ _iÈÌìä(cæúÂkÛ¸TÌ .'‡‡€/çËšƒû¯@'ˆ@vpò¨ƒ\A{°ã%ãdáærtÕrsv¶ƒ,5AP'7ˆ*°z©ì?³¤œ½ `kWƒŽ¦#33Ë¿NAAA€¹×_@[;è^î {'ç?2½HȃA—¢-ÿˆU·2“µ»þÑ.€ÁÆÕÕYˆÝÙÊô‚±A­ØA®ìŒ/…Ê:ZJ;9ü!EùÃ30dñÒ”ûß}³stòpôùØ
 ìhùgK–nÎì:Ž`7Ð[™ÿ	~Pþ…Yƒ\¼\‚\äiaÃþGJm/gП$ç°™£¥¯³“3ÀÊÌ
 ò[^(>P3wÀâòõù߉ß¡pr,Á®sõË1üKýYýc¯bæ
-{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@v%Imu >óß{ÿg”””Ó‹$+'?€•K€÷eR^y¹ÿ®øO/þòáOTÝü?urüKò­£•@ðí¼øøWKî ôe6Ž1#àßõU\Á ÿFLjƒ—ãej^œÿu¤þÿ¯ƒõ÷rnööºÂð;/~@Ê€?±7ƒüG¸™ØÞ뿼ð÷@=Ð?¦ÿÿ óÖÕÌl!éhmÿO›ÀP9°'ÈRìjaóqùËeË?¿CºüÇ—`åäåü§m¶°sA¡/gñ'r´ü[JYG'K°£5@Ëõe*Í –ÿþ -Ü {þ< —wÿÚ[_
-‰#‡·–b6ulªƒr¨í}™7*	Ð1íŠî
-Åü~~f†K	{5òòµn<Ÿ‘Ð"+µÍ…¬Ìø6_‹æµ*߸R"mærÞ)™Yù§¼f©Ò;$¢)4ƒm‰Òæ숰óÇlÿðߪ†ßõˆßµ:ƒS½$}ôón†DF¨å´E‡…E®û•vX­}Yãïš²¢6~ì<ùцߊ닩²;ÎÊúÅ5ÃV±kÌ*å JÅï†]ç!
½CËN’’çd[Ñb}Ö}Þæ[öÕÎ’‚ëó-ñ`b‡2á­YsawE÷ëlMàÙzøüÆÅbú¶ÍÏ4œ2¤€³‚7¶#]×™±yÀ/u˜Ú44‚üÐ3e`r<#7(uR‹uçÛŠ5š¥Óæ×÷ÅÕ¯¦‚¥v„µ}oPíÇF`<—0ß•værÊ·Û³%©ÌÒ‹FI¤mô¢žô/ËÝqƒŸ†µ}FõD-V;üÏ'«‘ÊŽ™*¶Ð	™Újß ôÑïí_²ÆÍ¥
ÀFKR˳S’Æ~sUñí£û	· áÞü:e·}#^Á‰M•øÁš/Ð'FM¹ÿµ=¾ö6ç¡?R9ôÛf;Qq¹C‘ÐFÿï|ÓBáZM›‘8l#7ÙÅÙ
ú³òdÅ"‡3À•`{e&ËP`' ÅœŒÆ‹.tjåø]Rƒš·i‘É°Q|Õa;¿îÕ_¿zøz {îÁ™À—8»´üµÚq=oûõ·k€»fwþȶʣÀ÷çJ¼ùÀß=p½¥n”~Â{ÉPÓ›$
ñŽŒ Ùè`œ“êè_‰:ˆtHlÊÜ·2Ùs79ç ­oÛ§è‚Ô¨ŸOÝz¥ïŠa¯B5Z®á}ëËn¸àXrouáÖ3>ÄÝ>ßENÎ…¼öùÝhÀ‡•â$â ž`€â¸c)“½â@Íþädz®ÈˆèM6H6Â’é¿9 {5ÑRJ_ö=¨P€–üǸÜS¿‡ ´·¦ºIƒ¬:sš¶_|—qèYoÜü}¶ÆFfHoëǤÑâçîw=õË	5Ämï	¨íZ-~‘½“‚$y†E³dö¬Ó8<|›Û–=:ùeNžÍåbŽÈ;Øÿ”Òj$³ï§0æíÏb‘¾
-ÅWy\:T*‚}ò
-…ÉGÿÐJãöÄ{  ¨ÃÈÝÅÔiÜVnnFʹÁtj̧é-ÖÌ÷”–7!ÀýÙ¾¿C¹x—wï\áìŒz ]Ç}Ä?âU GEu=…Ó‹	jaF«AÓNQ(E®¥~°0FHÜdùósD7jé6Ã/Ç“½ÊAdl—ú;WyOAûÓ"Ôž½Òrã*ÙŒAÖŠ®ðïì”UIhYT¬Ž}¹¬:(k¥ì™š©˜¡%¬½}Ý"ÃòLÕ»÷a”°àmt>u‰fP:&&Õ2€ØŒsRÔ®
ZŽ!6{½‡doàgƒÛŸTÕ¯ØFø™G¿ÀÃÙWHn»–ÄÍ8ªÛÈÈ"¼8µM™XÇ„eÇ™¶HŠ`²LؤŠæ]§ÈþKÇÍÓ攟ä²#¥FÔÑ»ßþð³ÓI
-³çWD`û9ÒäÝ$ËýšžÅ7—©‘+1ì‘n
-eñß3:Æ=ûGÕU¿.Íúø¦	Li¿žÔubb¾¯j&ä©¢ëÝH[.=XÁŽôæU¸²Ã‘e\óJ”EuÒ$,ŸÜ5Ë:»‹¿çzFD@µÁ:^*ÃO1N]þö«
3!Óeg§N,!u*Õ™ÞŽ‘IiÙvÞ’é¬.\¹6áùütc/¹nA¦dCÜkÂüú`zJ$ÕT;ãŠÉÝæ»bðÍ&£·³ô€MÙqP-ž—:ÿ/ù¯y4tbòë¹PAàŒ¯Ú•r	÷χ§5‡»%~ßàkÈcÉÙ~|FÐPç›N\¡3$´ßÉ}W©fžoœx3Rlµà½ÏåmïfäÓå샭G0^CP±¬z¯.ÙÖìS@ÆøÎ-ýýUį…eZ77!›s°ØJ&P­ ˜üspä'ËK¹Ù¶v<ÇÕÀ™ñ§°š¼¥°µÅ·ö/Û0ï´V
5”U¢ƒ‹F¿‚Ù¶Ô•™â‰ýkMšÐ‘û¤?§ïj¢3J¢€ðçºùœŽâÈÄ·•ÙVºš³¾u+0î¯nÒŒm‡Õfe“rà¦&öuó
2̵èä±j =ç
E¤ØWÕ·Šü5p ŒÁüuΰ€?—âÃÛºvt}Í“‡Öh&:6UŸVûŸiäˆ28OwÜ;ÖÀáõb¹÷.Œ)ây"¬
üߟŸô©¢íÌÓ”]Î/¶ë‹¿;3Äð¦Úó¤­Óß‘ð¦n_4ŽÄ
-W€ì­‰6ÅBÛæ¯"Åç|üž[Ü‚'0{’ˆ”£aL©“¶m\Ãa5ãBÓ€™JJñ,"Œ†K”¡¾»G4ü½59‹Ã§zŒ™g± ¶ÁþU©QPJy½Âú)ÜwUþ€ŒúçiO	Æ}7œÌá8šÐp
-˜†OÔ¨‰PØøàVß]ñs<å#ýûµf²ÊÌWÄX,K½ˆ‘Р†Gáî[QØ°•€…,a¡ú÷²TG‹•áE¿ÄHo®ºBtÁ¦K×*5ôsŸܬ°ƒ÷:
-TêCBz…Ejä'Ô	
cäMí&B¬är¿ùÊÔé¤K0
!Ët_‹û"jÖDEËCžøÅد˜x)ø™©á½òYöý	ì])£ý¸¡ÍþŒ\{.£‡
-s¿6ùýáÜûßa¸lÊqö¦«ÉlÇ„zªu؉¶jòr4irªè/Šð–›ši}¬=Ú±¢ž£±¾†Ž¬VR4ØËã|hwFT+þòijÐú°ých;ôˆ4È*¬B¢ÿ¦€Ð6°$O¶^ÊÇÍ·0~ºSy æÍÿÍÂ'
ÓµâÙŒLšM½¤gà[A¿ŠÞc‹ÍÌ“[›i±“¿„M¼~®³yE'ÛçI9Ä\ûŠø>ûKÈͧÁæXå°·wžØ#ÝGT¢$5î\u¢;º§”-®18û¤X»†KkÏÅßòû»H(sª“¼xó¼è¼-ÀTÅèÛ‹ªv"1™=¼Ù2'1ýá,BK‚ǘOý=ÄžBÑùë[ÏÓ⟎c@«ne[Ø'Ýà†(ªÕÊuyo߯æá£-º±Ëm=ý„‚W8î»;<Ú±‹ƒÙzs,l¯ˆ·9Ëu?§\(^Ò‰“ȉ|-
-ôsˆÓ	Pî—¯böAGЕ=tÂb??y°÷(QZR›Ðs ­dóé¤Í\=*$3ËSfYå±s;9¿â6Œ¾;²e›\«kæã(u}5‰M§!Ðöe˜äÝQ'-ç{÷óF{…ýPë&=¼|ˆÙìÌ&Î’ÆåÁVí*]÷!ž£uàµFØwhIÏ)ò¹îÜäHYù
-ža“î‘fh³+œ‚Ö*CÜñ¡«i«Yezœ^²¶Æg‡ä‰ÖáȽ±b×.˜V+É>´@h¬ëÍ3Œ+	èyÑÅë]ûÊÖHgU€fþ¸Rf»‡‚w`¶:Cd÷Ýaè$ñz¹'¼ÿ9™?!!MÌVT¡æ?—Î7Ñ[Þõððëàoõ»ó]é¡Æ4Í­rƒQtb,Aï‹ïÎjJ6à}dÝŸâ?ÉpG¤Ø½Ø~wß²æ:™®¥¥[éä˜jR¹Nù•Õê~V¶=0L®DÚ!$¹*µÐÙµ+.¦O¡©”i¡R}Rn<Ä)תNUŒw‚„~W²K‰9-Ê“)øY%ÿÁôCöéQYÞ·AȦùAðÚ—w•Ðlu +FºgF„L|º÷Ì®,2Éî95 mL††ÿLçÈW­ªJú93a6ùí7êÙ·IÖÞb;}õ'vT5»‰É{£s†gÊ)»Vì–ë‹bY\Ÿ5è(&·ƒÌI§
-ã1~*]èÛ—ŽÙ‡Ðƃ”ûGàf{·ûÔ9½“V0˜š¤×`¢«%n'ô'ñ¿~Ã{º,ƒð`æl&‚S†Äó¾¥·-o„"ÄuòŽ§3YG\6¶_=2[žªœ6ÏŸ*<†Nc§FÊ”çm诟pƱ¢T *¸ŸÀLõ¾VÕm&ËP
-ÑœmhÎ6||ëÔ¸\Ùöz®N!qQê»ìÛo]*â>
-ќȖçiH	ÒÎÐx_~ƒ™Å>ç3nöe\\H¢fµî9(Zhs:Ò1?ÿ¢}5³ñÃù§üŠ)vÈyæã$këì¾dñlZw”°¯è´“(é)Þ;ØÝ
ʈƒ/ÊCZ²&h­â‚QDj¾•QocÚâ*eH™ÔbN€lWü[Ò±vq»lCc«ú—ŒÈÁ¤Ïð¸fŸÎ{µÒým%Þ
T¸TÃqQßt§‘Ï0‹ÍeƒÅÍ^oê!¾SÁR,Ú‘0Y¾Q/­uÐâÊMš"û¢…ú–þSsb•=0@ƒz'kJ<Î΄O…ÍnP©Ç/4¥%0º;‰ô^aøBBîC÷-EKší7´uørG£”.#žŽãÔKŽ£Ô/bu?Ñ”±#¡Å—*
Ü9(×6ìc}iQ[0[*|°¦]Ù@Nª}´UÒktn§ÉOc…ô‰Úö=œ.’+ý„Ø
G©s QÔ
-<àDKrøˆ– vWXØL[+(¨¼ôui
ùXN¸?<íW%fÁ;j`QsŽüÉZ’áÏQæ¥ÚbG3¨4ÆÎÌògUã#•šF0ÃÔV`w]§öGŒhýÈ6B¿‚Úš$˜ÿ€Þ°ÁNXîIcFN+ùÙ´:¼¨HàõthEAС¬Ñ,ñ¡½^ɨ¤kd¡½?sÖBF—#Iâ*ÙµÎP› w—žÍñ›ƒÅ5›}}†ÁW¤¬Có$øÞK¤b2Î`ÂöŒüqø¨~k	Áä6ÚB³=à*ÐؼBg%Ÿô	õßy”:í[Ú9Ú¿Z‡±“NÃ{N½¡ëÛ¼pœúµ6…y›–*§<ÆEØL¦|šØ¤€%8«ÁÆNN`oR]ª„Xlñ´3ã¯3ï÷ÞCÑÜa¬#æ¹S;…òù~ù²„­Î_‚Þª²¼­Eî€AAÑ^Í~?gãÜÔ‰æõ»Û÷……C9ü[¶7¬õ-Ë?ÄžUÎDÓ:C\–Å‘	Ä×…Xe
-šcK&Ž5Ï¢=trPォ¦â·ñ7?U%q^ÿväŸìöí„8&]2ì¶&ÑûŸ5ó¨ð·J²Ä²…|±i…¶ª¶ÃÛáËùÝ? ¾­øÞyÿ;œ:·Ä6Ú~ÝïVŸ¿Ó¿Át®«6p½!#ð©TH¾öÌ}S€‚„2#ŠÚäQ×|`IûXÉÔ}’2pVÿæˆ>ivÁ“T¼,Ôü¢ß3qZ\eºà<×fgö“(ûÅmdgZ1Ón&uX#7›N+Sql΂œu8Ê›Î|Ÿu;ñwí×ÈmÝ°‰”dh!\
-Fí¢–	¢ÇWB'u6ŠÑ—NÚƒtä£ÌÛ‡²ÞƒÃ­%=hð#,‡“úbç,ðÁ¶jî÷ÁˆØ¸ûn°å¢·ƒªÔc¢všŠåǯ†L¨ñ.ÁC;"&V‚”›W¤ÑÛj­Š]c%æ£ò'­Ê_+zOïIÏ©Þ[:£ÏÜü2}rÝåœ9ŸŸ=*n¬Ž³iÚ†{;Sîyw$zÈxkàª[шcFÅ1¡ŒR½Ô0Z;'iì+ÆG<¯B¤ñ´Yöª¨‡#†Ù”^°È;}xõJ)ÓêsÕÂB½ž||^$»(sþ‹"—ôÝCâ1ôYçö¯=:žÜ³°Íƒî%]ÈVùñ;2Peê"å(ªDxš µ	_ÆPAíËp”¼²`s|¢½`Èw‚ÓZE+t
ÚSÈáçåù(ÝL„¶±+ÌÙ¾ØüΗFEÁ*™Ö0{cÓ@©!¹l¬"URû{‰óõ’²õA“P‰íðçê#SqVá7ÕlÇ1՜Ԧòê°¥?6dØ>ÄD»~´ì!5âsCX6
k^o_¡Òö+Ù•_0—>ÁÓxÚ¼ÅÃHVƒMJ‹eGž 
?XeáuãÊÒú†ÓΤé“e¸¡¦^2ySn»½YùÅ'ÞæÀ\é!V*¸¼^É5z#2Á¼mÛXošŒìç´Szq/Šh8²èZDaýÖpóeÊ!±õàá’˜É>°¯®­;V5ÈD»~‹_céÍí“®õ؇$'”í"®qLì0—§—óû³ÌR,ubõn
-ÅPÍ+‹§+d«òtŽ]Ò½þ³ÍoÑÈj)ƒû;[Sz’ÆO™æ³<˜´Á¡43H˜µ³é6˜8ç)—#¸[áÅôÓ}FJ7j–ŒŒžFA1ÎÊåªÁÖ~|t¸o­WTd`^Wѧp|Ågºyß$ŠÍßbÌh²#Æ«„+o0Í&ÃhM|y:bIëDðâÜ>fÉ}çuÏÎZ_$Ø3Ä£"FٶɜË;¯2ÐÌ ®>¦j¬ûª”Ö:ª‘ôÙ—ÅøUÔŒA®æø'Þd>Wç4ó•_U«¿ÊXo—³”yüpÖ.íˆÖbÂÅT~Å~=ˆeHïY2J)>ªB$¨Q¶¯Í*êˆF±¼;Ì=Ù&{%¼¢ºêšÞZ¶O‹9¶HbÖw¢•Už®p[-ÃÕÇëãò6ª†µÞÈ?µc¼nÜó“íZé¢ÂDÍS—ÿ{>e:Z¥u•ŽEb›Û+–	…¶¡!’Ù’dÝ__9ÍY{;Ï®l­L9Lò5hBrÕ*]'†’ªÿ{ÅÛ­{ÿrØ£³æþäspÜó°‰Ö¨Wt!@TQq“;í©y€¥H®%ŽLP8.7Û„û‘±æÍMÔКûš6‘šÁ­¿›ƒí\óÔ|M$FÉ~p4×–šH*Y«Ù2\qŒ¹YæZ:¿£"öú0¢„Hâõ…„YŽ"öæ—–EcÈSFÁ&Ä=¡0E7`wòHÿÄþ9ߢ®ö;ŸYL#·¯Ì³Ö„…gŠc¬
-Ô…Ö¹™ºãº?Éê‚ú„‰×®áþ¹,L'åò#j2ï4ê•ï7cAIúy´ocpàß¹*y¹¢T„†è==lï5¸§D1Âs¹Ÿ¯2Ê´8çh†Œ4¸²¶u‹BSê71ó°ãÜ
„X—êyÉyJtèb‡ñ˜`1<]Î=ûÒ.ó`ô7HuŠeòW²OH:(kÑ….oa…^âÝܦ6ç£ÉWòƒøIˆF-Í–«ˆkÁsìü=ë2KÊ›`)Í.`î(/µ
)y©Ôt¦,èœLà‡*·7õA[hDp·/ß.‚EÔ“V!P<é‰ÁÀ¿b»Š=£+m™Pµ?vÔ17’I Þ<®"! 7MV
-úcd¸´fôwwX£l¾‡»C"žžá°Ó;Õ€Þ#§9ðñ’_7©Ÿ›K^¥ß÷[ŸŸ'}l«i3…ƒ–Œ—¨™ÎÏÑ¥û‡*eáÁÌ—F/S·ML¼Ó®)2_&àâ\Nujs4_}РEÜ‘*áq Å‰ÚiP¯|-²š§SÊG‹“¸`îK/¡K¶yÓ¡Ú~x°¦î¦Gp;·ï¤>«kñ#t-Š™;Ù¾÷wæ¹SxE”Ùc\‚ßh}U;Q
)5›wðhى嬭¦“qƒÑÔõηé™õ¥g2qÄ¢G¿žÄihq­˜?Ŭةæó;‰À_ð_Ïáìà,ŸŽG(ÝFµ7Vç«w°»ã‡6"­’—‘¥c,MD%Ñ\Kˆ©Åq:?ÍuKÞ·$I{½ŽˆÊ¬¿=P±T&U‰0îvi|åJ#¸ŽEÂûCìKwã¾Jo¤›ur¤'SÇÓN~8nØcqWòñjºøiY›¯#WÓ“!×Óß믬‡f•å}‡†XnÂcÀw²ñö|Öq\ƒnZ“E‘x!?ž‡¤‘PÂEl$Õ­.LÉ[—ά&ødcËL‰ÉÁ.-îÀÊ-§3§ÝáET‰kõ*ºk·Èh¡¿=¯ìRñП`É‘.~Ë¥î1úA;ë7í©”q¨ï›ˆ±÷[G…¯L»f4‚Ö0›ŒaÆ6ò9®6ÈÚ˜ëmRsA8«ÁŸ¨x›4Ax–¼¥êDÁ
Yï@šð“Bi8«R}WJå,|kò»]—ý%¸0riZü¶»Þn	G„­‘¾tAý
’§,Xéa¯+ЊÅAHú…™¦T+ï&°À·Y=LˆL-0ÓÍ¢Ÿäû1ÒÕ®25c{wc|XîÛ¦J!{Ý$ ¼
6Ô©q˜Ô†ýO#ª«¤Aö³‘,§ïlx¿•G.†
 'ÔÖÓøò´ *´PÃ(þb	ûÕ°_œ~ÐRlÔùYœ?ÆX‰³Xá¡Bö—߀z'öÇøøðo’?²kCÊéÈÚP¢b’F
Ì’2î“[Q…Î÷å]òÞqÖ‘(™gТFt
-䦶°¬"oucZ^£¯»¥ï}¦ñ¸¸Ãÿ²§ñü³µÿ$4W—ötëœ}¹Åêèb„”ÖÇZË0%/î	É`ó#“)±{¿ñÃ3Çî·}Žô„Ûá  +‰(&c¾!
Sb4ôékå͵þ˜aåØò;ú€£€ÿuÁÐh^314ÎjT+Ò2é·O­7<¦iz’2ðÎ"ÃÌ™. ¤@q'¤esú–¼ÔÅxzäY~&¯÷óG5Á]5Et„Ç2·¬Ý€UŽÿËåÿü?!`a2ƒ¸:9˜AìP|  ¨«äÿ§¡ü/róΉendstream
+{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@vYu5]æ¿÷þÏ())§IVN~+—ïˤ¼(
+òrÿ]ñŸ^üåߨºøêäø—ä[G+'€à?Úyññ¯–ÜAèËlþcFÀ¿ë«:¹‚-@†Ž/ÇËÔ¼<8ÿëHýÿ_ëï9äÜìíÿt…áv^ü€”8boùp3°½×yáïz LÿÿAç­«™=ØBÒÑÚþŸ6¡r`O¥:ØÕÂæãò—Ë–~‡ u'(ø/ÀÊÉËù7NÛlaç‚B_ÎâO
+ähù·”²ŽN–`Gk€–ëËTšA,ÿ	üA[¸A /öüy@/ïþµ·¿y‚,Pçœ,„ƒmk‚[oª$I(™eÔ]Gþm!2¢ë!D
+[D«	“-Á'u™¯nòŽ<'Xð"Yeð&­øc‘#Ñô,åKXÈm®_l™Y¢o׃GÐoR:©‡;Ѧ¯êJ³Š÷ѧ‰mŠoâºë•Bå‚n‚‘7Cj¹sD¼˜<îcØGÌàwÛlÞ—q+Z/½²Í"^Ø|$Go-ÅlêØTåPÛû2oT cÚÝŠùýüÌ
yÚô~8!4}"–öj6ääkÝ8x>9"¡EVj›Y
+˜ñ)l¾ÍkU¾q¥DÚÌå¼S2³òOyÍR¥vHDShÛ!¤ÍÙaæÙþá¿U
¿ë-¿ku§zIúèçÝ‰ŒPËi‹.7
+‹\÷+í°Zû²Æß5eEmüØyò£
¿×Sewœ•õ‹k†­bטUÊA-”Šß
»,ÎCz7†–#œ$%Ïɶ$¢Å*:ú8¬û¼!Ì·ì«%×ç[âÁÄeÂ[³6æÂîŠî×ÙšÀ³õðù‹Åôm›Ÿi8e>Hg33nlGº®3có€_ê0µihù¡gÊÀäxFnPê¤ëηk,4K§ͯ_MKíkû ß 6ÚÀx.a¾+íÌå”o·gKR™¥
Œ’H!ÚèE=é_–9ºã4?
kûŒê‰Z*¬ wøŸOV#•3Ul# 2µÕ¾Aé£ßÚ¿d›K€–¤–g§$ýæªâ'ÚG÷nAüùuÊnûF¼‚›*ñƒ5_ /NŒšrþj{|í
lÎC¤rè·Ív¢âr‡"¡þßù¦…µš6#qØFn²‹³9ôgåÉŠEg€+Á öÊL–¡ÀN,@‹%8]è:ÔÊñ»¤>$5o5Ò"“a£ø0ªÃ4v~Ý«¿~õðõ@÷܃3/qviùk'´-âzÞ<öë#n×wÍîü‘m•Gï%Εxó¿{àzKÜ(ý„÷’¡¦7IâA³ÑÁ8&ÕÑ¿u<é‘Ø”¹oe²ænrÎA4ZÞ¶OÑ©Q?Ÿ&ºõJ=ÞÃ^…j´\!ÃûÖ—ÝpÁ±äÞ:ê íg|ˆ»}¾‹œœ
+yíó»Ñ€:+ÅIÄA=ÁÅqÇR&…{ÅšýÈÉô\‘Ñ›ll„%Ós@÷j¢¥”¾ì{P¡-ùq¹§~AioMu“Yuæ4m¿ø.ãг޸ùûlÌÞÖ5ŽI£ÅÏ+Üïzê#–jˆÛÞ)2PÛµZü"{7&Iò‹fÉìY§qxø6·-!{.t>ò1Êœ<›ËÅ‘w°ÿ;)¥ÕHfßO-`ÌÛžÅ"}Š¯ò¸t¨T1úä8
+“þ¡•Æí‰÷@@P‡‘»‹©ÝeÓ¸­
+ÜÜŒ”9rƒéÔ˜OÓ[¬™ï!)-oB€û³}‡rñ.ïÞ%¸ÂÙõ@
+º" "†9ûˆÄ«@ŽŠê&z
+§/ÔÂŒV‚¦¢PŠ\Ký`a0Œ¸É0òç?æˆn8Ô&Òm†_Ž'{•ƒ
+ÈxìúYxU‚Äb/Ö[áNŒe­pŠÞŽéPS{Dí÷æØ*÷¤ë½þ[@ìŠô`ŒJ´ÝŒ	I¢ömu:¶>ÿC˹@â!±S „Á‚Å5ä!4ˆ	•ï¯ÞÄü65ûö£¢M#·Dž^ëgœÒ–óÖp|Ø.õw®òž‚ö§E¨=z¥åÆU²ƒ¬]!áß9Ø)'ª’,4в¨XûrYuPÖJÙ35S1CKX{ûºE†å™ªwïÃ(aÁÛè|êÍ tþ MLªe±礨]´ClözÉÞÀÏ·?©ª_±ð3~‡³?®Üv-‰›qT·‘?Exqj›2± Ž	%ÊŽ3m‘Ád™°IÍ»O‘ý—Ž›§Í)?ÉeGJ¨£w¿ýág§“fϯˆÀös¤È»I–û5-<‹o.S#Wb$Ø#ÝÊâ¿gt{öª«$~]šõñM˜Ò~=©ëÄÄ|_ÕLÈSE×»=¶\z°‚éÍÿªpe‡#˸æ•(‹êþ¤I>X,>¹k–!tvÏõŒˆ0€jƒu¼T†ŸbœºüíWfB¦ËÎNXB0êTª3½#“Ò²í¼%ÿÒY]¸r;%lÂóùéÆ^rÝ‚:LɆ¸×„ùõÁô”H4ª©vÆ“»ÍwÅà›MFog雲ã ZÏ„	1˜ù (“­¶2}!¹ëïòúq56sžd
+ÕS”Åzo¢É-Ê–¯‘®xg`ùÕ56b]¿¶Ù0-÷9§ä:Э4•/ú*å^X2Ô`”.ªHa|œ¸BgH,h/¾“û®RÍ<ß81ðf¤ØþkÁ{ŸËÛÞÍȧËÙ/[`¼† bYõ^]²­Ù§,€ŒÝ?]ñ[úûªˆ_Ë2´nnB6+æ`±•L ZA1ùçàÈO–-–r³m)ìxŽ#ª3ã1Na5yK`k1Šoí_¶aÞi­$j(#ªD	Œ~%²m©+3!Äû×:š4¡#÷+.Ň·uíèúš'7þ­ÑL2tlª>­ö?ÓÈepžî¸w¬)ÂëÅrï])RÄ9òDXø¿3)>?éSEÛ™§)»œ_l×wfˆá!MµçIZ§¿#áMݾh‰¯Ù[m2Š…¶Í_EŠÏùøy:ÃÐî+“E±MªhF‘¨Pж\6([‹™Ò«úÓHJº#}M”•è˜ôNÄjø‰®Hæ…	ˆîÄ­™%°`WjÏsäìË…ýÜܱb-Ö9¨\t¨$ر&<Ç‘‡†gXp>Ûe5È7îç€WPèn÷ÑTÞ<Õt,Å.ã@©£ :ýDªÓŒ²™[9%þÁJî}<	:¶¸O`ö$)ÿF9ØR'm=4Ú¸†ÃkÆ…¦3•”âYD
—(C}whø{kx„¤G‹Ú<Ì|r‡Oõ3ÏbAl‚ý«R1¢ ”òz…õS¸ïªüõÏÓžŒûn8™Ãq4 á0
Ÿ¨Q¡°ñÁ­¾»âçxÊGú÷kÍd”™¯ˆ±0X–z#) A
ÂÝ·¢°a+Y::8ÂBõïe©Ž+Ë~‰‘ß\u„è‚M—®Ujèç>'¸…Yaïu:©Ô‡„ô
+‹ÔÈN¨ÆÈ›ÚM„XÉåxÔʈ•xšê®c€‘˜ç$KÁT@üäÛk?ÎT˜þ‹[ìöÀØ”†©´ý²Û7Ç´c¿ÆäâÛê̈GŒŠÈ9ob»ÊŒ¡˜‚üDò÷à-:=N&”b¬Ö,áämŠJ-)¸‡0&Ù{Þ‹zîoHª¿^ûûqN:zá¹HÏâxFbq‡Ô›–wˆ­)ÔµîNØUOíãõ¿ÊwáõAKŒðÉõñL
+ˆ°S‘bð(b¬Ùj›_äá~5BWg<÷7©TÑ_á-75ÓúX{´cE=Gc)|
Y­¤h°—ÇùÐVüå‰g¡õaûÇÐvèiUX…DÿM¡m`Ižl½”›oaü %t§ò@Ìšÿ›3„O¦kų™4-šzIÏÀ·‚~½Ç›™'·&>86Ób)&	›xý\góŠN¶Ï“rˆ¸öñ}ö—›OƒÍ±Êaoï<±Gº¨6DIjܹêDwtO)[\cpöI±v
—Öž‹¿å÷w‘PæT'yñæyÑy[€©ŠÑ·UíDb2{x³eNb$ú'Â+X"„–1Ÿú{ˆ=…¢ó×·ž¦Å?Ç€VÝʶ°OºÁ
QT«•ëòÞ¾_ÍÃG[tc—Ûzú	¯pÜw+vx´c-²
&ôæXØ^os>–%ê~þ:O¹<0P¼¤'‘ù&Zèç–
§/ Ü/_;Ä샎 +{è„Å~~ò`1ïQ¢´¤6¡ç@$&ZÉçÓI›¹*zTHf–§Ì²Êcçvr~Åm}wdË77¸V×ÌÇQêúj›NB íË0É»£NZÎ÷îç+Œö
+ú¡ÖMz*xù³Ù™Mœ%˃­ÚUºîCkÐQLn™“:OÆcüTº8з/²)¡>(÷ÀÍön÷©sz'­`04I¯ÁDWKÜNèOâý†÷tY$áÀÌ)Ø*L§‰ç};Jo[ÞEˆëä
Ng²Ž8¸ll¿zd¶Üì˹¸DÍjÝsP´Ðæt¤c~þEûj$fã‡óOùS&ìóÌÇIÖÖÙ}ÉâÙ´î(a_Ñi'QÒS¼w°º”=_”‡´dMÐZÅ£ˆÔ|+£ÞÆ´ÅTÊ29¨ÅœÙ®"ø·¤#.bíâvÙ†ÆVõ/‘ƒIŸáqÍ>#œ÷j¥ûÛJ¼¨p©†ã¢*¾éN#ža"›ËŠ›½Þ ÕC|§‚¥X´#`²|£^Zë Å•›4E2öE‡u-ý§æÄ*{`€õNÖ”xœ	Ÿ
+!›Ý RŽ_hJK`*twé½Âð!……܇î[ ‹–4
 ÚohëðåŽF(]F<
Æ©—G©_
+Äê~¢)cGB‹/U¸sP8®mØÇúÒ¢¶`¶Tø`M»"²€œéê¿ó(uÚ·´s´1~µc9&$†÷œzC×·yá8õkm
+ó6-UNy"Œ‹4°™L;ù4±IKpVƒœÀÞ¤ºT	±ØâigÆ%^gÞg¢¹ÃXGÌs§v
+å-òý0òe	[¿½UeyZ
ŠÜƒ‚¢½šý~Îƹ©Íëw·ï‡rø;)¶loXë[–ˆ;<ªœ‰¦u†¸,‹#ˆ¯±Ê4#Æ–LkžE{èä" Þ{WMÅoão~ªJ(â¼þíÈ?ÙíÛqLºdØmM¢1ö?kæQáo•d‰eùbÓ
+mUm‡·Ã—ó»@}[ñ½óþw8u"n‰m´ýºß­>?¦ƒé\Wm ázCFàS©þ|í™1ú¦	eFµÉ£®ùÀ’ö±’©û$-dà¬þÍ}Óì‚'©xY¨ùE¿gâ´¸ÊtÁy®y^8'À³ë²O¡¥=ÁŒlèAJ1ês|ügäÊi”KÀƒÇ§%RzP_BÏ„%Švà}ÌÎì'Qö!‹ÛÈδb¦/"ÜLê°Fn6V¦âØœ9ëp”7ù>ëvâïÚ¯‘Ûºa)ÉÐB¸"ŒÚE-D¯„Nêl£/0´é6ÈG™)¶e½'‡[KzÐ0àGX'õÅ0ÎYàƒmÕÜïƒ1±q÷#Ü`ËEoT©Ç"Dí,4Ë_
™Pã]‚‡vDL¬)7¯H£·>ÔZ»ÆJÌGåO&Z•¿VôžÞ“,žS½·tFŸ¹ùeúäºÊ9s>?{TÜXgÓ´
öv¦ÜóîHôñÖÀU·¢ÇŒŠcB¥z©a´vNÒØW:Žx^…Hãh³ìUQG³)½`‘wúðê•R¦Õ窅!…z=ùø¼HvQæüE.é	º‡Äcè³Îí_{t<¹ga›ÜKº­òãwe ÊÔEÊQU‰ð4Aj¾Œ¡‚Ú—á(yeÁæøD{Á*淋ŠVè>´§=ÂÏËòQº™mcW™³}±ù/Š‚U2­8`öÆ ¦RCrÙ:-XEª¤ö÷.çë%eë1‚&5 ÛáÏÕG¦â¬ÂoªÙŽbª9©MåÕaKl2È°}þˆ‰výhÙCjÄ熰lÖ¼Þ¾B¥)ìW²+¿`,.}‚;§7ð&´y‹‡‘¬›”ËŽÆ•¥õ
§IÓ'ËpCy¦¸ûÉúœzä_i½¯—V
àøPŒR”ünòöµIâ
+(ÿC–MsÕXAr^Ó17êLÙÌžlõ­$/xš®X;õi¢¥=bøŸ1_mb|L½dò¦Üw'>z²ò‹O¼#Ìÿ(€5¸ÒC¬Tpy½’kô:Fd‚yÛ¶±Þ4ÙÏi#¦ôâ^ÑpdѵˆÂú#¬áæË”CbëÁÃ%1“}`5^'\[v¬j ‰vý¿ÆÒ›Û'5\ë±IN"(Û
D\ã4˜Øa.O/;ç÷g™¥XêÄêÜŠ¡šWOWÈVå黤{ýg›ß¢‘ÕR÷w¶¦ô$Ÿ2Így0iƒCif0kgÓm0qÎS.Gp·Â‹'è§ûŒ”nÔ,=&‚,bœ”ËUƒ­üøèpß.Z®¨ÈÀ¼®¢O6àøŠÏtó¾I›¿Å˜ÑdGŒW	;VÞ`š#L†ÑšøòtÄ’Ö‰àŹ|Ì’ûÎëžµ¾H°gˆGEŒ²/l“9—w^e ™A]9|LÕX/öU)­;tT#é³/‹ñ«¨ƒ0\Í!ñO¼É|®Îiæ*¿ªV#”±Þ.g)óøá¬]Ú­Å„‹©(üŠý8zËÞ³e”R|6T…HP£l_›UÔbyv˜{²M6öJxEuÕ5½µlŸ!rl‘ĬïD+«<]á¶Z†«×ÇåmT
'j½‘3~jÇxݸç'3Úµ&ÒE…ˆ.š§.ÿ÷| Êu´Jë*‹Ä6·W,
+mCC$³%ɺ¿¾rš³övž]%ØZ™r˜äkЄäªUºN%U+þ÷Š¶[÷þå°GgÍýÉçà¸çaÿ¬Q9®èB€¨¢â&vÚSóK‘\K™ p\n¶	;÷#cÌ›š¨¡5÷5m"5ƒ[7Û¹æ©ùšHŒ’ýàh®-5‘T²V³d¸8âs³Ìµt~GEìõaD-‘Äë	³:EìÍ/-‹Æ§Œ‚Mˆ{ CaŠnÀîä‘þ‰ýs¾E]íw>³˜&Fn_™g­	ÎÇX¨
+­s3uÇ…u’Õõ	®]Ãý=rY˜NÊåGÔdÞi<Ô+ßoÆ‚’ôó"hßÇàÀ¿sUòrE©
Ñ{zØÞkpO‰(b„ær>_e”iqÎÑipemë…¦Ôobæa-Ƹ±.Õ=ò’ó”èÐÅã?0Ábxºœ{ö¥]æÁèo‘êËä¯dŸtPÖ¢]ÞÂ
+½Ä»¹MmÎG“¯ä7ñ“Z4š-W!ׂçØù{Öe–”7ÁRš5\ÀÜQ^jRòR©éLYÐ9)˜ÀUnoꃶ:6Јàn!_¾]‹¨'­B xÒƒÅv{FWÚ„3¡jì¨cn$“@¼y\D,B@nš¬ôÇÈpiÍèïï°FÙ|w‡4D<=Ãa§w&ª½GNsàã%¿nR>7=–¼J¿ï·>?OúØVÓf
+,;.Q39œŸ£K÷Uʃ™/!Œ^¦n›˜x§]Sd¾2LÀŹœêxÊVLÒ
•žÅöÍL² M‚ÌÇõ}õY‡Á¨ù
¦{×Ôÿ„mÆâ	Ul!Q‡"ߺÖÉê‡2ß\™ör­h”ôúÚ>™¯­ZŸÁ†åfÊ}Ôæh¾ú A‹¸"UÂã@‹µÒ ^øZe5O§”=Ž+&qÁÜ—^B—ló¦Cµ%üð`M=0ÜMàvnßI}V×âGèZ2w²}ïïÌs§ð2Š(³Ƹ¿Ñúªv¢R
+j6ïàѲËY[M'㣩ëÓ3ëK)ÎdâˆE~=‰ÓÐâZ1ŠY±SÍçw¿
+à¿(žÃÙÁY>Pºjo¬ÎWï`wÇmDZ%/#KÇXš$8ˆJ¢¹–'R‹5ât~šë–¼oI’öz•Yz b©MªaÜíÒøÊ•Fp‹„÷‡.Ø—îÆ/,|•ÞH7ëäH;O¦Ž9¦üpÜ°Çâ®0äã-ÔtñÓ²6_G®¦'B®§¿×_YÍ*Ëû
±Ü„?Æ€îdãí;ù¬ã¸Ý´&‹"ñB~<I#¡„‹6ØHxÂv›Üd-3&ƒÑÕx0rpëÓ»—Corý~éYš–Å]bæ¬Ù«Þîs‘Ú‘ŠfÈ)1‘j¾Ú‹8Í4ˆgùÙúµÇw9”BžëÕ%+š'4TU“¦ËÎøDµ°G¤çˆR°ßqsD±
uµîçpék3(F•i%	¶lOà¨Ù˜zp~Öu­3|#OO˜gàIÙ:t™V&Ñ‚Õ6àﲺKk΂Âø’P’’¤¡ˆèYƒ¾Výì{-s4]¤5Wghú
c!
+Ã{Q”(õ¦ú`í|ª[]˜’·.YMðÉÆ–™“ƒ]ZÜ•[NgN»Ã‹¨×ê-Tt×n9ÑB{^Ù¤â¡?Á’#]ü–KÝcôƒvÖoÚS)ãPß7cï·Ž
+_™v5Ìh­a6ÃŒmäs\mµ1;×Û,¤æ‚pVƒ?Qñ:7i‚ð,yK%Ô‰‚/²Þ4?à'…ÒpV¥ú®”ÊYøÖåw»:/û0JpaäÒ´øm'v¼ÝŽ[#}é<‚ú$OY°ÒÃ^;W ‹ƒô	<
+3M©VÞM`	€o³z˜™Z`¦›E?É÷c¤«?\ejÆö>îÆø°Ü·M• BöºI@;xl¨Sã0¨
ûŸFTWIƒìg#YNßÙð~+\@O,¨­¦ñåiA7Th¡†QüÅö«a¿8ý ¥Ù¨ó³8Œ±g±ÂC…ì/¿õNìññáß$d×.†”Ó‘µ¡DÅ$!Œ˜%eÜ''¶¢
+ïË»6ä½ã¬#Q2Ï EèÈMmaYEÞêÆ´¼F_wKßûLãqq‡ÿeO-âùgk=þIh®.íéÖ9ûr‹ÕÑÅ)­µ–aJ_Ü’ÁæG&Sb÷~ã‡gŽÝoûé	·ÃAAWQLÆ|C¦Ä,hèÓ×Ê›'jý1ÃʱåwôF5ÿ낡ѼfbhœÕ¨V¤eÒoŸZoxLÓô$eàÿD ‡™3]@IâNHËæô-y©‹ñôÈ="²üL^ïçj‚»j:&ŠèenY?º9«ÿ—ÊÿøBÀÂdqur0ƒØ¡ø@@PW'ÈÿOCù_œÎvendstream
 endobj
-1085 0 obj <<
+1095 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2234 0 R
-/BaseFont /KATPZX+NimbusSanL-Regu
-/FontDescriptor 1083 0 R
+/Widths 2247 0 R
+/BaseFont /EPMOHV+NimbusSanL-Regu
+/FontDescriptor 1093 0 R
 >> endobj
-1083 0 obj <<
+1093 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /KATPZX+NimbusSanL-Regu
+/FontName /EPMOHV+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
 /FontBBox [-174 -285 1001 953]
 /Flags 4
 /CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/H/I/L/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
-/FontFile 1084 0 R
+/FontFile 1094 0 R
 >> endobj
-2234 0 obj
+2247 0 obj
 [500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 0 722 278 0 0 556 0 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
 endobj
-1059 0 obj <<
+1069 0 obj <<
 /Length1 1624
-/Length2 8653
+/Length2 9819
 /Length3 532
-/Length 9516      
+/Length 10682     
 /Filter /FlateDecode
 >>
 stream
-xÚíweP\í–npw÷Á‚;$¸»»4Ð@c
MCpwÁÝIp·wÜ5xp
‚
ù¾{æL;¿fί[wWõ®ý®g­g黪šV]뵄Ä$q‚½æb稂-Ü\U Nʯ%!Vj`À3À‡ÎÀ a`ˆ“4è¬Ò K77€KHH qö„‚mla&M=fVV¶Jþ¨,<ÿ<[º‚mœŒÏî ˆ³#È	öLñ?6Ô0[ÀìH©©(¨Ê˜äTur 'èPw{NÅ ¶9¹‚˜Ö(ÀáïÀâdþ“š+û3—„+puY‚ŸÍ@– ç?Àu»º>À®(Ð	ö\v²tp³úÀ³ÜòW@ÎPȳ†ã3öL¦q…¹ZBÁÎ0À³WuiÙ¿ã„Ùa|»‚ŸaÄúYÓ
-béö'¥¿°gšg;¹` Ø_ €ØÕÙèùìû™Ì
-þ+7W°“Í?#`@A6@¨•ÈÕõ™æ™ûOuþ™'à¿dtvvðüËò—ÖƆ¹‚¬Ùѹ¸Ÿ}Zž}Û€Ð9þ‹‚“5ÀÅù·ÜÊÍù˜;úW˜þÌós@+ˆ“ƒ'À
-dΡ
-=»0ýϺÌþïkò¿¡Åÿ–ÿ[Úû¿kî¿öè¿\âÿí}þWjY7U ãóü½dÏ[PüÙ3€?‹ÆÅ
ôÙÁžÿÕ¿*êþŽôÙ¿b
-0às9$œlž[òš‹›óo1ØUì²RÃ,mÖ@‡çjý%×q²AÀN ç®þUÐg#NÎÁ´mÁ–öNÊÏ÷7r²ú×ØŸõWäZÚš’2Ú¬ÿÝnýKSýy`ڞΠÀÿq£§±úÏÃIIˆÀû5?à5·€ @— (Àåûßxü‹†ëŸg 
-öq²srržßÿøýódò/42N–«?3£:Y=Ù
-þÀ–nPèswÿºùÏIÿãü×Àƒ@ KôÅ9ˆ¥Hˆ]Zf:¬†$w`DÚ¨§‹a Ô¹¸^ûcA@¤Ó?-b]¨Üü¾:”½aLø±ÙsöÀùaK‘eû[±Ã«ÎÐI>¥/=swÞ
-c«ëv‡i1Vú¡Þ{ïÓå5DC~NÝí
MÓ¢{dª±V(êé
s½{AáËkgl?ËÔºDm¸
/ðk
-÷n®_õ
~èïnmýg¼•—!‰^©/=ÍaöO›¢b1cñ¶ùÍt”­Ëù*9}"¸¿m ²úÛÛMÃ×õ¾íM’""çïµÅ™/¼ÇƼÆ
±øQ@M#?oÚÆÃô_ªOçSsñ:vš¢_>ûL>[÷ÌA’çADµ¤(åa<Èÿ)I¿€»¦SÍï÷4k·UMB.íºéB±ÿõ;£¡¥:ÿ-0,ÏãZW3	Å=+	UÍK£+àAiqÄtzëdé’€~@	¿êœLÝ"…øXM]k'Vô®žE¡;·‡n9á—ï»D’ÖaƱҪ3Ò¡ek㔥Ñ
-=禊6Ù'

-ËÁZÚå¨ma츔»Mõø7Ô”óúºÁÐ.ôkët„‡Þ²¤ø˜Ò¹RY]Õ	ÊItª{äéo]
ͤàÕa‡ãéó½{“zêaõôê/ߧͽ&ß¾ð343Ãœkim¯R1Œ€Ø­g'ßßž-sÑIdªxYdÈa‡]…K¹rîI¤á;3d0Z'â½oÝ}×j…ï%Õö5´Šœ¶°\HaL×Þ@øMóÛp_t͇²þà8²Nõ²R•÷ù-GhßyÈ\¶q[†ð-ö8€ùA.ß~az
-ùßÄÄY§g•¿Jj®z³œ¿¨¾þS•p2>Ÿÿ÷D	MB°7õR·£“0¼Ã€‚B
-ÛMÂk'ôï4žap­šæZý]OÈuÉ¢‰êÛîzõ®¥nOlªkµð\|„Å=1wÄÖSË“FÊ¢ä<ßÖ÷ƒ"ÝœëvHeì÷E‚øz~2Ì‹ò4Éýfá½KoŒ¿<¶Ð8˜5+ía—aþ-öNÄÚpí'!¨¢‘‹”Nùh`î]ÐŽ„µw
ЙegçW¶µ’öŸ/¿ÏÙdhªÚק2
†ùó=Õo;Ë-÷çج¥Ãã.ç5†$‰›(b¾Rd>áè¢dˆéS×WslŽ6/ÕÝoÕЬJäÛ²bª5xSéZ	×´FJF—ãZkaäKío‡”“
I Ä˜j¢¢è|/Ý÷Ú¼üÎ’g–û5˨ëÍÏ׳ö:ê]€k×®~Cf)åŠwí²©ûdñ±8fYJ_{V=ÖájòF—Ã3þæ±q¾Íe¼™Zm9ÏÙŒ³3ÞÐü¦ëU·ÖìTS7‚	"{Ɉš'}#]Šé“ƒÞ½ÖävJPJ›id¿¶íJ?éÕê`Ê›ÐÃz”³ý“¡KQ:bH©i1J¯€¸m…¹_^›©ôî鵌ób¾W%G)‘óê\IݤMú·|W-D”[_$ò²Œ¨n¾´»LO„cá@óÚª®s‹=¹‰~ê³<-mñ…=¯TV.-yäzâOjKHú?®-Sêå
#Ê]a[¡ûÒãꄬ˜!ŸY™²HwÙù¶¡Ô#v™:RdIê3Ë¿tF}¨cR%JB}̹%…	ì?Á„ˆ¼Û9«Ú¶…YMN]R“Ub-¯<¾Òö(ü^»Ÿ3;æB¥¾«êDÐ`RgÎ^Ù·oJ ÕÕòWÂ'Ôô‰°8Z¼<תr?¶½~ è9:4v0çɺ{õé½ß¨íÅ?3ÞÇ	CÑ3yºz}£{m•Ã¯,]Ž­/g™!´ñU
3ÇÎBÀ8\UÞ”ÜwCªd!äÞTËŒÌÕ{-·R¦-»œc­¿§f
-ŒVëä—U‘PZ×ôxâ†b ÍCÉ–üi‘K¿
-–˺fÛšU6ÕÛUåïæˆ|±ï¿JÜi}/Iº~­–êûDµ´—ïb?‚œ>«©ˆö‘‰?;¯oBÄC¥ù¸îh>™Nª²þÐ+d¿8wã›b.®êsÚ—ÕÊ,>òñR³Ð'8âDN'’µ×)ag?ñY"…çÄnV_ðtÚ‰íe(|ȪdõÞ ­W{°hînÜ“+È©˜Ð1P3 âÏÔk>Îä(Î#¶’ëªù)'“½âM*Q'-`{´äj¸×Î-ë¯ôÿbëYa“°‡/IÈÙ¤6ÖÞ!š`M´Pe©°GÿG²³ëM¨ˆ]³òbÀÙ‘yí&=Y1>»aϾž¦æ<©HO0ÉãËYNä/ÚG‡v¹´hý²Žž~þ““Ñ_;hÆ”vg¨„•wêÿÞ¯ØÊv˜¢vfßv(ÑKvßà¨Àw½¯Ô$À(UØ”‚ë/È™Cb©~ÔˆÝ0Ö¼cÜLc‰hN{°ñ:Ùê+Ëí¾B±qóï$AA¨ü]¹çîD®u<¼lO/®zÖ9Kàx÷ÁS’XóÀsz ­ÈAUÓ]D/[†oøôÓ`z&£6ÍÎŒõÇj‘•O6`Â\Š÷yß
-6gª
;¾±ÀÅê9ó=ñ¦þì4ï›p–o»÷l
-®1'còìø²´pŽéüf(õ”l	²Oº‹éjU‡®¹Ôrƒ`šæ¸1
×,\jŸ¦»¼ºóSvALDú­™Eu\kÊ])7¹~£[;šzäÓj¥ëêÔ•.kŠ¼·øÆ³]œ)šƒ\Då*U=sÿg‰§vVQöå	R‹Š‰ÞÂorJ4ËÕALs^!¹®Å­××K“¾(gNñ:Ç"$oìN`%žYµËìÎ8yÅ´°X9«µõWe{oÖ÷ø*/ªƒ0çww2™ñkõCË3òIjÕ"Ÿž’`‡^åË
ÓKɼõ|£Á÷¶–àö·me¬Ã¸)¾ó]‰¹žóB¤aOn	2ŽÅîò«Q­ˆ¼€×AÆÙ]‹nã‰6Ã	§xå‘73l>ñ«†ùÐܯ=êq´ÔÀô#ò×ó†éLÝÕ¼Ìs8å¾V+V
Ükâ’£>m~–“¶Ôå4:áx¼43“C7“ÌH‡ñXOÃP§ŒÐñ9šoAf“IBJÔô¡ïòébÑÀgÚ7q+YßG!yîß1›y'º|oTÔX%¥÷6WSXõï6XeŽ|,2yB”ÓÌßöчo¼ÇwâFÔlót%mj‰nÑ÷Ã+;ùf	lYêNwò]“Ö~LÕø5Y2¥#!¬mb=;kÕ=À yuMP®2¢ßÿö¡¡ Û<¸ô-_ŒDhäÎæ‰ÆrpzüZ}Ú0ÝÈ­ÅÐIÑW*–yqŒûr?úPT~­„¾5b#D_šiQÿšóËÖvíWؤªÜãYúÇ„þl¢¬ïæê2Ü‹åÕ-¦y•Tô3Å-ʤ$[å®ïÃïv¯™‰±l9ƒÞŒâ&46$st¶ gS¢̓꺉›:É·’Ð-H$­(ÖmÇ®PUGÕúNb—Åæ$^ÏÖÙ
-ò`+áßÎÙ@Þç`@¿DjžøyÌ$9ꙧŸÙÊ«Ê_H!së´o¦D‹Ój ÂÅ*±Í	6ô“ož*RÅÙ™@<©E_—Yô|À‰–9C¶*áó–¶â†Ã†–¾4)ÿ~Ãøk‰ÙVÿä;h­éScLeqïÄZ&¹ºÜ½Cö×LGß©Tª5.6ãQ3Æ~
-þ±ºweK&¦pÈ)šüÕvÑÌ2ô+ “
-9z=Ì~”mÇópAÇZj_&´qåV¶u$¦±
C³_.Î
-–W䊧1º‡u8—•æóóœBüÉxeÓYPd:^lÎ!@X`ÏŠj.Õ‰–¯$3e˜$L©÷óq'†–}Ñ”6k€3’¸9Rï;‹yûϵåÌ3å`=>_jŠÌ÷ªôk‰ƒÚÕÆhˆ*­ö.¥›CÞ‡ð(=+©3nÝv"C|y‰¹V@{G§Pi~j–bjºÖ©ØB«~1¯Ä+ 'C”;øà¿,(M¢% ¯õ×zÕÌíšUÓ`¿d•¦ËýHÌ„‚ïkXÇ;—®zpÀGà'Ì:ÁjÊX¯Ó¶Ù¾f¢#­8†³Gï»+ªf¯êä׉i5¿Ê#gV2ÍO ïGûD«|®CþiU‚“ÄaÆÓ1ªëî7‡HÉ8ºþpÄ8÷Bº
T[‘ò­ª˜æ†x™E_ÒäsíÉ6=Ìkbç%AÙ“‡º¨m™þÈæFXn':o˜Õ°Ì8J©#f²;Ÿ€å±ë¡…<ºøÞ3ÛÂ},ecåñדÃ+n;â›q”Öv»*ûYïìÂ䯼$·iÕð)±…4»¦H*äÚºº—9¤lj%=‡~ñušú…Ê
Å;^{c¤O׬¸lN2y»Û˺ßL³Þýbü¿›.Ä䘕•SÄG)S;Ǥ+[]3iùùgtáâ ´¦½Ô—	³R…tË÷ KÖ =a O×°Ñ%ôÞóB€vIÁòÃPÆEiÝÓ8XÎSW²ÑAÓ­B£èÛ׶ã”®þ‹ô°µN?áo„ïóÚ‰8ytóÜ0üîdÒTt”Íà)©4îÒïì/Ë?a5 óßÀxdùþpæî5fÍ×µr.ÎxL…œÛAÚù9ÙbÉòºŽU‰¥C†¼Yñ‡§Ÿßú‡KñU,ùR"%ˆ¹3óî;Ït [œÓUè®dQaÜ•owÓ\Y­Þy÷ëØ)…ݨ;ŒîûPp|fWâ¸×Áß&ÞÏ%J‡ñ0_ˆ•ý…GÌ„¯æÀ§÷¦8Ã’KVIèñ¨<”’ö ÜÇ ²‹[Áî0XȘ¿?#ÉËb«Þ	5w]¤'*oFsGDõ>)9µO—Ä•üra6ÓÆ0åÛbT¼ñ•ÊpoÍoßP­ë§kžÿ™í,LtÖ05i{=à|sGÙ¥ùvEäBœ|Ž½÷¨ë¬
-=ËûEÉÜÈ-Æš“".µ^=”“·Þ„cWmyלtH.,)Y‚U›½86eœ|¥šdåÜ3RmjÑØÂßy½ãUñÀÿÒùdËùás¿,>žÃ9!ɪ _–åw†D™…JŒêq
|Ëúâ´—…®qî¹ì+:³sŒ#8[³REQ"ÒþAnÀ˜s±,µ\ò0ÙÕyi6m²œ”ÅS䣶i3\^takΓñzÕ3ölb¢/ùäÏ"kd#-Ãtä}5Ñó.µ“Å!©Ò?9éˆhaFh[t/ÖÐ"$K›ØÐz~!Žðzå:2Âð;“²sTc#ƒxÔD*‘¤›é®ñnçØEö7Ⱥ˜Î¡\9:B’7(H«Ê¸òB©á´Þ#cjq#²ð[ÚR/íð¤qwJ÷Ö€äp-ʪ\0÷×s=ª;L7Cç` ;ÞÌ‹&Ǭô;Ì‚d€d4bC§GYëEj¢B[u“÷%S|é”T5sÍ×ñêíÞ8¥»KÃÅ£*‰_{~*õÉé4¾–×5e§pWH3Yv(E·Žã2,ñDgÖ6Ò?ªe#Q6μü’q¼ù6rÏí»8Ç'M®è.³óf!*ü4žôãåìMù†{rxörwø]HqÓA¿ä¤:.UšBL	›m's?{)ÁÄ;\Wé1¦% }·ýh"Ëø$Pâq•|o*Ë‚}º‚§Ü7oŒ>Ng†ÁåÌŘMW¯r¬±«û„µ˜Žçjóø¾8.~*©
-rö4St\ÜŸV7#=rÇÏmÍRTx§kvò”·Ê³÷ö³Ö‘3S)d	Bºh›‰€ˆÃ
-ÊF|gå®Âa­´ˆ[ŠÓ$³HÂÁÌåå=P‘Ͷ‰${冷߰!4O°3>æÀ;†ó3ãŽ7^ɉû+ªx—}À[—®ËÆNÌ”_ÊdÙŸ*ˆ÷§Eou¶‡%rµÅqÊn†Ec6éæê\¾ Yow£ƒw7,¥f«$	•®ü¨”.fìEâäxÕéóY¦ü¼OQ:àDA§„H4hayOj‹O%‘Ñh/³srÑXŠºÌrCìZ:»+n»&M»¢Tí«H	Åès/}x„€7ï”M©à–ÙÅË«µ?L1ÓáD+ŒÄàÀôðæõ¬D¸^jã'BÒOUü@•ßƈ•"E¦6±#p/EÒ¬Ó}•¾«Šñ$–zF÷‰E^bOÇ\LÑ´–M|D/7¨®$ŠHeÓŒb ½(À³?Â.A
¥}ËïZº¢Óë:vð1l$€BÙÎqzD¹ËœØ¡·–_KÎËÓ7ìâ:¬}§I‡~o_.ÆSZ\Õ¨¯Ü£•¤Ò3K7fôpg^œ²¸¯¶;LÓ®ZG¦4…Ö|ÏÇši%#Ê­¯Á`?žBkúçA™¬fµu-ÜÅM
-çÅèìS`ýË<½‡t˜v³Ý+åm3r®Ýc*1?Lq!y6dHÃŽÑ0ž¬tV4è8~Ì0=DçÃ;o…£N¼¿÷ÕñûMh§·#…Š¼PäÛŠ0~Ĩ:Ž!t?w&ãÜ?NÅQ¶/¡_TM*¸ð@‰êfU&&—€`Bx¤ìâPg oßø5.FÇâSx”fALiÅðšà|ʼnÂ'þþ|WÝ<ƒÁÅG^}ÎYå×ÄèúÔ-LŒ„åòêþÕž›é«GðµØù­Â$ß8¢;®«jý	Á—0¤}ÿz`¡vƒ³PŨeÜ/x9‘áµý¼JçVâÍÜÊ·>˜.)Ÿ°4œÂΔ­¥zäáŒ<>0¶gs“|“$‚˜-›M0ÕÝÿhDeñÒß~õsoI¹azfãWEã´{Ðß)Zárˆzꢠ}ðE©·ÜåvT‹Ç"/wq Á¤;®ïnË#|0TÝ}­† w‡-x›®…²×šå	áé¬Ûé3¹k+l®c³ŽjÈyC"¿{8­¬ŽëÖÌ›¨OÉÅM\$YY¨{èS|–pgSœ œäân77¦ãýXÉxêNù©ë«Œ·Ø˜Ä€QRgÖû<ÓÑf
Å)>ÃcßcÿV8½O7´¾áyìݘ¢Ð´üØœŽßÈw³
i™Ex%§½åñ’¸t‰ ày­öÙx²•“‰Ê܇„íIàDîC°HóG‡Ëh¿’¯ÝØ(¡z¿ìLî<	ó*¢¨$ÎβÁN³íÔNG´ÖÆ*2y÷ƒ—¸ˆŒpD‰VdfÙV)¼€÷ÀU€¯¡é‘
«"P®8hÉ©墖¬?&—ÁÔEóðq*]aoB¸yÌ7*'mÎ6~cÉ¿ÜÚýu}*ÊÍ€Óñ«hg5ìMÿ™Îà¢âoDnþJ¬¶C"BùpxgŠ‹Xáè£6_†Û²8Ö­}Õ­’ÑõcX׊ŒØ*P?£ÅË¡LÕt8pRo3‡Ã6ÀÙ‹l|k¬úÉÏÏì¶á?!æÓäNªT×Hyµ\á6åIÝ!¶—å~ <µ2¤ÁÔ4@„öÊ2øaLEr!»í¬Ú³Lè
-ó%%a1o…HX%1Rg5|¾/°¨õVçŒrëxËý!Rës®¤'0!¾äŒ¿¦ÍÞN>)l5²·WŸk¢zå
-u•ç´{Fî}ŠMõIÙŽi›RᶗEžÍ…wÎDiÁ
YGŸ€Êù<‡C30aÅvœ¹ ¾ìKß2¡©¬'vÞšÉ@™†ÒE¹»!”ƒ‚Äh‰äŠ1°[e'ÒÙ×?/îs„aömÇjm2Þ±|¡´up!Žº­XºNûC–W!ñN5„¡7¦ÈDÿ·ëŽhÙúéÎç2[q‹¸åÛ	VNšªÙ¼¹ä˜.â0œ·x].ú‹ö˜ëOzƒ
7<’¬2°j:‹iÈÓy¦6eØ19Ã$ÐÑ·!ŸL‰=Í„æ¶úN`um£2¦>\Ö“*ϘqŽìK»ÀâÞŒ“‰u$ÏÝ
-»¦€Pj"I^1h_»Qâñ‡Þßh*б]Ç$2½[ïÑ.¯€ÍÖaFëGÕ˜5ñéÔ<å
-©"Q”[Ór£“È&TÛ;Sâá‚|Ò7‚Dˆh#^b=,‘߯èßcü„KÊm9ßWËa®£­hhñŒ.‹þ¶îNìùzI³8Èñ¤:`è÷[HRztŽ[È·Åâ÷Ý’ªÖL³ÿûá<&•ЭÛYf%¶D°ô–’¥›Z䊋ö—ë:Eu{þTâïn+‰OGŸò~U(ÈÉɤÎq=È[#é( xé¨êþn6€Š˜\­î83$zµ1úߎ0«¸ÄÕÃR#E©*ÌñU•‰6ÛtÖõH‘+	Û
-„ЭÜ]’)MÖŠi£ó—~Ãy¯ƒo¯¶ìO(†puà«g6§–……ûä*Ød,’“¨ÔÌd÷’ÇÝDVß›øhÍD®ÈÜÊaˆùù	ÞgN,Ìd ¹Vàã×m#¯EÍ¥9œ)úk÷è±DÂ?TøˆkT~¾±0
-{y/ïÂÒzá²¥ðªjÍmåô7|B‚¨Ž_ºv uW70L¶0è°|/E¡Ô°!5JÿY´•gý(Ž0%n}YY¹Ð9Ÿ…>ªX¤	Õ MŽü\š ™MBxù·(ZœþáUÝ¢¾Æ1Ž¸S|P´T1Óx¬p“¤‚‘ËNõÆßWHý´‘,¸r`Uô"(@Þ:5sò3ÌÒÇÜñAŒ^Ä‘ÓJpþ„Ýúæk¡åÉö¾Ü~¢Æ"Ò¶¯·Îi`Õ
-*EzäëêÇÑX¤È«Â]HÖ•ügNsööÖ@“fÏÜŸü¤iÚé©™9¨M{}uʲ¨¹':Ú‹¾œrÇsrÏf%‘‰R;ÑÑ`Þ¿²ÈMÚý qEãª?®ö{wQ?O{¾ÀŠ!¥s©ÞŒ÷CA0f!jºÔmY]ka¿Z»ø^C7µ™›C·ÞI&[ÞïÖ{…M«¥.)›^äFŽ”šÂÀ¤BšîÑì¡ŽãÈØ /\Lþ5gIòL†âˆ7!šù® ÏûL¾·:¢ýE^\¥nŒÌýÝ*ß¾&O
?pF_dÐS—i¬Þ`Ò­Ò7¯s¡V;ñ¦·n“^±ürØ¿CXÄnz¶‘X1¿yHÀ£:‰ƒu2sʱȡ²ý[þb0–Ú.¯VœáûVûu (?vù»CJƒõW«oD’€û¤{㵧A^'v›•\"íÏ\•®ã„ŒÎ;õð=Ÿ¼,5™ÏF‘}#Ïl\ÕºÖþðøF†,}‚d·ØXôÜâ>µ,âbë>½w,ˆ¿ÒÝΓ¹©µ3Ìýj‘Å­CGð.ñ0*…Vº÷QÊæ·ë2#9
M[ê†ýû’ø0¤ÞInŠ{lïeêÛT¬:Ø
-R|~hFœTõ'm4™ ÒWÃF»pyú~§ÔJíí8æ†<`rl¯4ÑqZtm§Îñ^ÕrÒA^'/4YñO[Ð=úrË~jjÚ»749ºX™šÁ6f^œÙé³Åâ\ÙŒz{K’¬!ÖìËû{„o:ëx$­Ôªáþò/ÃWÕbÜc;*Kθ;ø—á+¾Ý}iÀÆa°ç•>o+»X½ùiè(––Â.Gl€M)y'Žz§%êÅÕ5A®ƒŠä;–’¯ŒËI]¤’G›_¯[X	2ön(uÞ®E“‡“&ÓÛ¡@ÃP^yT”1½iÿ0V‡¨ãQÏ~ÓÔ.[ƒ;«‡ùxïtEÅZ$ƒ¨€  
-Mùà3Ë>¼œ¾%Ö
Ê;­sCÆõ†,…U„^‡ì}réè9«•‘ÉF!Ÿdbî™lD­7ùRéçg‡ø‡­èG€)AШøÌÃþ/¦ÝÔ]WBÌÖ˜Ú
oÊp{ÄS›ðW¸‹&Ç<‰ôFTûdq?îJ^+!ý$e_H¾78|ÉߘZ«ƒ"ÑÀù¿|Ðÿ?Áÿ–  qBíÑÿ¸3`$endstream
+xÚíweP\í–.Ü-84îîîÜ]h ±ÆÝ]ƒ‡	îîîÁ\ƒKà>äûî™3uîüš9¿nÝ®Ú]û]ÏZÏÒwUm
+5M	Kˆ9HâèÆÂÁÊ.P;˜»»*C•X$!ö–ªæö`À+ÀƒLC#åº!ŽÒ@7 @d	Y89È4)ˆ“·ØÚÆ
@¯­¡ËÀÄÄüOÉ€¹÷?WKW°µ#€öõÅdqr9º½Rü
5A €›
`¶¤TÕôåUäôr*Ú9#ÈhPsMÅ ¶9º‚V€ý߀ÄÑü'5WÖW.	Wà겿š¼,@N f€ÈÅìêúú»¬]€Žn¯5pƒÀŽöî–x•[Aþ
+ÈÉòªáðŠ½’©A\Ý\-\ÀNn€W¯jÒ²ÇéftûãÛü
+ V¯š–÷?)ý…½Ò¼¢n@°£+À
äåöÇ—9`	vu²z¿ú~%srÿ†»+ØÑúŸ0\@Ö@K{«ë+Í+÷Ÿêü3OÀÉèädïý—5ä/­ÿŒìæ
+²·bEæà|õiáöêÛìˆÌögXä­ ö¿å–îNÿÀ<@.ˆþÏÌ0¼´„8Ú{,AVÈl*·W—úÿY—Yÿ}Mþ7´øßÒàK{ÿwÍý×ý—Kü¿½ÏÿJ-ëno¯tx€¿—àuË@J€?{ðgÑ8»ƒþ/ ØÞû¿±úWE]Ðß‘þ!ûWLÞ
øZ	Gë×–°pp²²ÿ-»Ê‚½@–j`7€ÐþµZɵ-A.ö`GÐkWÿ*è«;û¿`Z6`;Ç?åçù9Zþkì¯ú+r6i	
	m9¦ÿn·þ¥©ö:nZÞN Àÿq£«±üÏÃIIˆÀ—…—ÀÂÉÇàçfðóqøÿ7ÿ¢áøçYèæö²³²³s^ÿÿñüódü/42ŽË?3£ét´|³ÿü-Ü]\^»û×ÍMúç¿òY //@,„Âl3²3Ýjñ?OHö÷rÀ‡;•4h}.ª†ôfDm
+T˜=Ö„³6N	>·yÏ9=í*0îö¾µ§ëIøS1ôb­Óvð1í…°™” eëÆùžÎ)m¼1àe×ÙÛšP×0)~„'êàrA<½a¢ò(Â¥¾vB°H¯OÀëÄl„®ýttL›rpsM7862<Ôs×·KÌ”—€D#äñ66È9XÌ@»Â7šZTflÅ(EbŠrÕ- ÚCš|•[=ÿ
+ë[™}uZRÌ&‚(¦ÑUúîÑwÄ—PÔ›˜@ƒ y?©È¨Y÷càóîî™8íÝ;|ñøØõ†²Ó<†À4°	"wgÀ\Ÿ~ù¦lˆ¿¢CHÎã]#)ÐÎv¦~@t U
+ˆwÀcñÓ#:êe(f˜ùN!ù»E“N.ú—¤ºp=J/ŒÚ–÷³ÄCïrÏßåêœÀJr=	©”§=M‡¾¤êr–»i×ð¼ÌÛîÖàI»n;>ÅÜgÕÁ¶×ˆ#òPzsð‰™ðIk©
¯€Ge%ý³™ßÊVøô‚JyÅ(¿BËTsÙ.‹OE×wô¢ÅîëšÇãzpzéc†˜á¶®îãIZ©G½—V™“/ߘ&)‹•ïÿm¢`{ÒÈÇ×Ø^¹Z©©UØ‘ÅŠI²ßÜ€}CCF²¨§êÒ‹|m•	û4ÐH˜š_¶P&«²½×ñS×H
ý>nÿ+Lú÷A©qÙ¸µZfMë꬙Ï7Q¨SSÔþ©öŽ®jeƒ(ˆíùfw§xk”Ò|ÙÊ>–AY²ÅèáxW‘R®ì‡!ØN4Y´V)Xqûž–Ø>R#áe.ðKkŸH¢Œ(»qG5FÇckʇB·	{ŒÕÊË”ã
+Ú"­r:ï5a¶Á6?`.„8Þ¢{ÞÄ'ZeŽçTÐ¥´U‹¬,«mž©à~K*à½ÿÚψOžêK¶Òçà(’áè9ÏËÝÇW}d˜Ë¤ð¾½jþæâ^'b3½Û¨*õ]Àë3…¸€uIE_ž\0GR‰wÙPáÙäAµ]pt°Êy¾ø¯OþØ6ÿɨI©·H3Rߡ߀ÃÑ`¶ÆkÎz:º0¸žÓ/¥ªÍkSv™ãËZåÌ:;╾C]üŸ+a|ã„·+j*b¿7Xâ{LR FÑÙψžN&€ÙëxYS”üªNZ]—ën—hѦn¦ÝÖ‚¥¬¤ŸÐ¼ö¥¾5é â'©ÒÜ>¥”Δš8Q£TZrɻߥL:ô0Rª‹pf÷æJ5…£Ó]Ä”	ßÝ ØÃ4¿|p¬˜Šþ5Èa¯&I¤<­%MÊÊR*—zíó†0ùî–Ç$In-e/€qÀ(L壛:éPa9¾:Õ€Uj·†îòÒh?Js'ÁêVÙ“wË`½©eï'Œz¿G– àf§ÂØ$©Õ\úîïÜy“ º1ê¢ó_Ú‡æ$óIчÞSÿ…<üËO¨­˜ähNÔ"º–@XéÁ2Tó2ì	[@OlüEhØbzÊÑ—ãæbf\·zÅ«9à\>#¯ó“`ZG
+Þ¡HtX«ØÂùî´1ø/M€™•“÷iöå¹?{1L a=Ïè‹-&Á4bÌUêðÚïj£OVXòdƒ'ã}”=Â+uìO°ZVÛæŸYû1ÎyAÿ.Á,ó/ÚfƒÂPÐñâÍèÇþɬDsšY¹²Dðxã1=‹ähCchK)‚>»â$q´cr?ÿÖ‰¯-«Ð¶Ÿe‰r[}]-»®î+c|ÏQ‹¯Åpµ(‰ß"7Ï°r½/õœ!‘ah˜Ä¦¬ûz‡¯ç=6š®«dRÊ~E¾ìs(¯&?ªi«À©Ò3;ÇxPMx¼MÈ廇=8lÓ@‘+¿ï2ýIð°æ
,ùE*ªç+ÊÐíBñyù¿¬7èò"fPþÍðóYÊÀý!„>VòŽeÑ y-ƒCwÁPµˆ–õbòž5®­}	Š}½s=ˆƒÁ‚Z+*ߘ3jàáóÕ\	(¥êùÕüºüÐ&8ŒG&#ЊºiàgÁHÿ‹:lqmùíÕøFŒáÛ@⶛/Ú"²¤¿íŒ}¬ÂÛ­@Ž'RX§xBž#VpßOÇNËø‚íAX9g]q¼¹Äín"{#,ªq
+wóÛeÏl„ÚR¾oñâI9#ªÌxŽÇø;en ëõïFÒµSÂ>ïɧߌ·¼Œ²Åãsá}–€íº’A÷x/âéR³c¢4ã*L?ŽË‰`±Õí4Iy[nK‘û•øŒ]ˆ&³òíUªŠ=ï®”Ró^äÒ°ÝE…øDÐMècF&ŒÝ1“܃EÕÝ%+5¾é'ËG39éÅ»ßÓiÕàý¸vЋ.çÇô 8™±ÄH|XA€¤6íþ: r!(`1É=i;¦úåÓú‘Äsóü[·,žiá >»g¶¿âî°·ö¯=vé`²£x÷å2A>#¸ÕÕ¼…2oÌöÏmR¦N$Ò89-YÕ_â	o—iUf·®éCýKcÜ6$^4Ó£Uèö~=LõÑ*7ì±ÉÅžÓ!óyæwè‰Z‘ÕD¸ м3
Ö <Ö/6­~’L±µÆëðÌwkyš.¾•]©¦[¸fØÇOùøûÊè#V<®%–MŠoíÞý‚9öÛ9°
~ñ”0·ýê^Ëoñå^5ütýéˆu¨š¥ð—ImS†2nJòˆÖ?ZüCâÇ[~÷ŽÖÅNæë_w6“ãD1l‡T4 ¹mn¤Á>§)ߥfYZÀˆ¦˜«:B¿=2=Mx›E¡ö0Þä´Ž–(Ì:¢Š˜:qR<	4Û)¯í|ÕG¤ÒG]1ìŽÕ;˜çãÑ1‡%Ì×Cw¾@nßµ üb´qH$+—È|šâAÊöÑÆ¥MVÔ¼l×»‰QÜåFéš`f
Ú¯§±ü–Æê—GŠY­ô{ßЪ‹!Ðœ$¹|³7¥ük$®]Ö¸Hô×
E ŸCIOk›“iÐ맛e¤	ú¦¤^'¹|+Þ5F>3´¦éÏ.¥JW?xѹ’.×~`Éë.ñVai²¾t/h½8÷.˜kÃÂNÌñiˆ“‡®cUºyŽNÉO¯»
+Î$S*ýèëe¬PìL”è‡ý(²¶´ÊCÆfd<ÍJTÝ—Må\ðÅÙ\»…7‡4z{þÇœÍ][…°q¸äè°7+Õgƒ/±Ó¤l½Ðæ—KË°ÊCsûjÂêBu)ÜeÐÔïðD'\4#vŠ‰?
+ÉŠœH—¢R); Ù:­|Øë‹œÎÉCp¿1<ÁN‰òb¤!ˆåð_»øQ™-­„kžE"\_~›,,b+!‹deøl =Gõ3®~öÑftWºÊ*0{QwÂß)<ùWiзÉ>JhLr(å–"ƒfodS•¸YŸ*ú>
ì	OÀžCvïú´±"bNÐ	¿C7*ü~õ÷ͦÀozEw½Ä©¹ãÌbáÔs_4)‘Õªâ+ìð—<»ó AÝüÑ7}¥ÏX)ÖrëÉ¿Cy_ø±SñTC¢NGÞiøa¬•UUªk°41¸ùú[INOö€š0?žóÅïÃ#1Iv*$å/Þ˜•ž²n5|½ÑÆZ Œ£2=s†ŽòYX¢ÌaM#Ø^GÍ=(œ o†+Plmrzè–²sOcõ`à|ŸpÐÿa5µP˽˜ø>]LÀº]¦üûÑÀ*ƒÒ&|­í—ÎÄBì¯	®µtx(uœ40ó^·xœ¾Ê)\´Ë“×”…5Ûè1ù‚ôa>Ï1™™õO[R;YïõËäÑ>Ñà:p6zÇ*Š*±7¬ß
+îRécLOšF’Ãö³|~ÀŸRèé)Я
˜I·ÿ2ŸTë²àØÒ„–YB)	†Ý…[§8OÆëL€8U¢ÔÔ—5êŽc$Bemøÿfu!ŽgWaRSö±;9®í橵»mÀ¸3DYþq•h{'Õ`eöÀ±ÌÕ.ë™›‹þÉXqÛbCm(Žµ’ûw9ió\äÀ‘=='T«`X^£ø„“Ä°¸lº‘c2Z¬C,Í9åô5S–K$œf/—Ýᛟ³¸™/FX	nT™ðq.+Ð6üñ/pã’Ñå
Z⺂Z¸QAÎÚçÊc—YÜŠ3Èuåòü=Aâ³Æe¡~’™ƒËÑ!=!·l«
+e¾ŽíûÉWAM+„Ö_­ƒÿÕñ‹\-Z¦ ’•Ãò»Ô;˜g½‘¶Ù)¨½šIˆò§ûR“é|RÅûIÜ·Ü÷^'ã4ë]¿:
7úϺßÛ9HˆÔ¿yî¯TÏÞõà ±„Ëîq²ýœ9	Ÿ–à Àc½)­ÒG£Öüå®~–þ#~ŸÑÑHSŠ’Nsë¹7•ž-x²÷ôCÎ9D´.̽oóÁ7ï€|¤»ñ­Ø·Ư_•0{=ùóž4m38Zæ¼a˱²@Þ6ISìQ«ù‰&ª+Hy}k#ëBÊú&¦úâÆa*«Ë•³£KÿE<öþCuó	¨x†$¯ß03÷ááÑ!–ø©±lŠA¡ÍÛìÃ*ÁÖàrOò›%†š17ß+U|¢1pb
`ˆëªÕ
ÚNÐúKß¡æØ´«ˆ(S—Ôx0lt^©ºOk_$ßO¶ò.¬¯Ý©½œùH‹Cx8@Œf§BÀw÷ïrî@xŒgŠ¹¥¬Òööðßê¦Få>õ»?[ÆèePž¨âfËó€7‘9
+õÚüâŽÖü£cçòN∉ވ^	#"cbÌXìW¼Y™ìq[âÄ˶KÄò““62Öz@ƒßØ[­wâ¶tÆ8DðF+•¸?êì°”|‘Ò®Œ‹gM[úÏž³Ûr¡©Ì°0”Ò0KÐuRÁ¬¹8tûb†Ñ<›’Ée¨ÖŠ[þ²	o+iÎ^<ÏS#K™Y5ðEÕ…–?‡vI³t.M_7ßÁãÃ…ßóNM¢ mçÞwâù±IVjx8/¶:Ù´¨×Ö$*ñ “2ÒžøÕ¯|*§´é¯R&óLÚt
+;e÷Íïi&‘nƒ}ÄåÆ >¶}Eñ
+Ú_©³È),tИBPg—^ÄLþ4=2FVüDq^¾ñ4ôՅ퉓 ÊŸsJÿƒwwæñ1ÔÑCíj¦¤qÄG÷RV íþ^úºØ@õY2ÚS½œ”–õ3rc¥~Ž)íê³€TLO)Û_²Vƒ'Ÿùð4ò¾W*2Š~(ùÇQCâ©ÙŠÈaqVR„»jõ®¹êü’àó÷ýèíáù
+â*Àl?¶²Œ«î—ø#ï/ë8ÌÚDëÇ
+ðÕL)©zË˵Êôšbt?´6y¸‹[‘ª¼y'ê3 ¾µ;ø½ ]æ›ý¼p  X/.ý3%Õ Kp»Ÿ;Õ¦G0iäÖ©s5çíGÒ‹wÉ»üœåêU¨úðÊ™ov,ÆYãV¢hµ1™0‰3(ÛSBmõ(¼ªv’÷h¸Š‡ü€€–øGðÁ~=Ã:KñQ×Üô§YÝmPéö®.Ýû¨fþ6üš-Z„spÌ´\¡üa\ÅFW””‹e³Ó3Ǧ’ÌÖSüÁýÆøàûóÊl¥²ÖϤ§%o+2ßñ/¹és"­ßôq¥öÔÓKë±ñyn<íæ£
k@2y™=Rj#2û²›mÃ(¶úð&1ÉéÌ·YÍóÕru¶Ö=QWá¬bex„~34#ðl7®±;'Ò…
+V¹Œ™o£ýL¥—Á¾ÆwvûdÇêÇÞ\B…éõ€cì̳AØŽD¾/”j¥ž©òΞx>|×£«Qó­kJ#¡‡»n—UΊ¡èjê~“d<Ù\}ÛIÛi‰2ГÙ)4igÝZo
±aJüŠä87=ؼî«*Ešiå aTŸWEG¿HÚ»Ã"¼Áú"{ì¿o·9!,<·MÍ…‘•Ih‰s·4+¼d
=>ÏÒ9.b˜1$wg{â„Ž¾£‰Í¬¬8¥W"¼žh-h%‰Ú¦«Là†gߧ ÊhæSoÚ±¼¿œ’1¹]cÉS› ¡„Ýñíœ8»SÀ÷Ä첞ÛV¹&éé¼*)L<ç²p¡#í[è}Çjaší°3÷Ð"v?!¬F¾jØr­"Û¬èà9£ë	ëä3Í³à„–Ç~½–Ðc§I_Í°^’¸êfô”-Y:/4ŽTÙ£Ü"0ÀÇ™)Q/wqžVWºÑ{ÿ.£›ýÒÌþÖyKdG†çÓO½3*‰XRƒö³2UåG4(ÔGN<`âëÚÎM¨èTFoXžÚ¨®´‘L®m 8oÌ:LS]1‚4ÕýRyú>×͉±Ò/Öµ/ù”¿9E¡ñ¨ÎlM‘Ú&fïgE±ãÏÝ«dX¸j~¡âŸCò	3¨ÓE•~6Ȉ‘¬áÞNô-¨Å¹óU<lòvò”6f(ßKNñêkQn±/i,†­àóûÐØrsâ"¾ýÄ=ÇÀÿÉîrœ¡;vÜ)ÌHÖFˆ1Õý2Š^ô8Ñc{=CÂp¤’ÄÔV̇ºÃÛ!9­¿Vá¿åËÎÊŒClEˆ×ÃœØþËQõ®q¤1Dq{æTmQ¨c™wX¢åc‹@CiEy¬L¤.¾‰ Œ)娻ž)Wú©PáHŒ_,èÂ<#?ÜÉÒ6â2ËWË»èXfRa&2!c%éòŒ2,Á›^¨»/Ìs¿³¿DQx™”ҷƨEÀºhèzß’Ò´å|x²Š£O(îéŠÆõƒ¿ŸP74c]ø‹m«ÎÀoƒªiþO4…~4Ç“CCŠ6Æ5¿Ø3R²–¿àm	´ZÕ¨l]¥{$—«®\7ØÈ’QÔÕps¹l¿¥Ú|!8K„kÔn|¹þ˜ª½NŽ°XÒŠFïÈ×àÅvçVócT6mŒ¿í@DÎ/ÈÊËáKÈÂs(ð8éqxê¾d+-Þ¡/®„_‡ŸÓÖÖÜöž½¿LtUîuGéÎlžRf·xïÉò¼
ŸåíÍ¢ÜÁX¯4‹×ÉC—=-‡:õ«{¤÷š§TÚ_!e$Á¨N§o3œ¢é8¹¿ä/§¹²öÔf–zV²'ÞˆÍäF/e ¥KÝ°‰5¤‹Ûy bO'MŸ‹[tQ_KûLˆ3ÜýšöÈ2ºØ/«•à«Ìð|B ž•L¯òÉ9z”yùmH÷ñÒ?!bløçfžÒoy3y­•ŒœtñX3U|`DŽÝÜ­ù	T^›G,Þ“©‰ìæÚ¦	GÍüïm.åJ>³#b½lmó‹¹µÅZ“D˜Æe3ãb|ƒÛO~Œ
+J+öïóËë§Pþ¤Ä"¡æûH‰Œä-BÿY+­…Ó*þQLÉ*â‹ãÃøBÅ“:#gw§Q4#”òóÛõœ²ª6‹y¬pÆK§Q¡“«¡õ<Þ@½³Ö‡¨QnÓ+ÚlÖü€yNþ¨½)0œWuΛ+í4üš—Ì&Tãé#90âþëòuYíÚtK뗫‚½#k´qêžiw!™ŒûQê–’± ‘Å|î9>g²E«€SFãί\tE%ðÃ;ç›»V¶=¾ßF„Ü·G·-2’Šëp„¿!ǹ‰MíbAHVoÚצhU9¼YÖ¥Ø>=%ÔMcPSõ'*s$²BQ™WñÞ§«ŽÔi]G+ö°yŽšŸÈ8–ssfÃ܉èu‚Ÿ&¡OnLPQ„Ä
ëøGÇ‘*늯úê‹hi?j´ì„ZKd’I3fR}åË}â´ûò]Tï·LE¼JXVx [Õɾ&ëÕµTY¡o6rÛW½±ŸÕg9dS“Ÿ³X×KšÇ'Öƃ„Ž/­É÷C8Ç°ñ÷¿>Tû²6/}3éyÔqÕpñN.–(S¶Ëœï®„÷ó$tÀª0Åk‡_cEhE5¯Úæg_uκ{•Ò
¸ÑŸŠ_dÈ=˜\«DüÄŸ§Çú/xl;h<ÄÊq±m'N1®ÉkrnžˆÑGîrzJ÷ø»j«2Å-ø¥é9 ¹û¸Êæ#jÐMžç¼çÄw·(Hz`û墱ÛZ—KÙ-ÌÌäS0;Öõ\3_â‰þ•„kC°5o9q†âsð»7ŠUhù‡œåyTÑ|ÛÀÜJà‰Z)lÝh¶¾B©Ì(Åö½mØGÔA›Êú<øRß°¾_Áçøs)^[k¬çˆZ"(ĉNb¦{Ôæ}´½ÆÒï'òê"[X„Ýâ-SHœd¨ÀaOÒÀÉâÉ lϘ‰*±Ä—¼t»ûÚ5”5*Ó«„òû'ô—Û²oô©áï]Ǥïß,){Óœï>æ†å_-Î5DßÉïdLEÅÞNP —²#SíAW›çu¬ïΰ!Hk„~—…fsÁ	{Ënx:G»¡oëÌ›I#ÄÅg/0¨~¢$9îÁ«Ö¡âü™e]´é¦m4 žÛXá,ÿ	
+è4C•#͈_ÂvÇzBÕÌ^‹ÿ€ïܦ¯Û^;ÁÔº¡IÁ3@æ´'ÁÕò5øˆãJ¹¾%X¡øÁ»¿1ÿ¸§üf›8Ï3Õ&÷@UX̪/È=mlð¡Xðôû}ªÊã`ÍÖKŽhñwáýµEùëÔk’MõÇjÅð49äXH>ÛÆ°—“ÌËY{ÈP"ãÝøøQÅÚð!E»nQ‹‚ÚDôÚW~XÓð¥+†‰ïÄç×IφÒKj¬ìF”_Ð'Ü ð×=o:
ág`®m•žÔ@sék~â2xηøZÉwþõÐÓû
+þ÷÷o!QL“°ßMÀÏ°gø±•ô˜bÂb¾iE]¶[”2¸‰'cø/W×ØhÿôqÖ7
+-$JåW¤¤íOVðªÜbë;,ÙA	Þ¸ÛuÿjB.€æžiK—O¨û‰I/èÖØOY/¾çñidàa˜ðæˆJ‘[›§™»òû©O?Oµ	N'‡Ä'=…|a†iÙEª³¤f5`ÉEï¬ÛÞ¤½{ê|·åE®§3m¸¡Ÿ¼!1-᛺I
+vbvÝ6HÇ™3`Ð6•SÛóxˆ4ÀÏ vÙs¢Ö“yx¹ŸÀ£5RhìŶ=3”\nc™¼.5~«šÑé¤ZåÄ…fµÞÝ=©ùÊ;8‹+ä?~u'FƒÆÒu	*¹¦Q¼QAñlÎÒ­-xò®vx¸TŠß’/
+šêìïû”÷—Š~ÞÄ`:5pFrnéš±Xe¤•ƒÚöz6Ç‚¹¼º@ƒ\Ÿ/HCc/5ÒÆÄÚ®ç!÷„ht1”^ÁËõêäÑ(p	Ëåó–ê­\	.ìùpl)Bo oÖ>`‚r¹C{—JÆÖûߣ„pߦ¡
+?¢YÈ)n˜<ÏÐÕñ Ÿxõ+î…µé@·“PJ³Ä6üE>ʲÂ_çËQÏGq½T¶0Ÿ61mp^
ºeÒ*дÒôDB—öÖ˜¯pƒÿT\…Ñ«N)4AY3Óû3¤ý#Ö\ŸXÛ(ad†³GÌJjonªðÔ‰¥'Ô³j[6m&qŒä$ÇN®¤@£û0^…-³˜þÃëøaÄ>‹YS¼9äÇŒ¿Ø Ò4£—röePÔQ´·ª²,Š˜¡æÏ»òJÌa¬l@†Ó
+T»>U8¬Oú²’\Ik/¬òËÅÃd_P$Õ„Ý*Ù»…ô¶’(ØÒjLþ±•%m¹NV%â°Î
“wÉ“(y*"é´èh&«Ž2&ÂÇñK’¶ ¶\ž©%=Rxž§××Jñ?|)¯PBé4_÷‚¨°üâ8Œ¶èAüiY³zÃ\KsÚ¨-"ÊÚ&^–Ë‹PâÎÔµê£Ý²e3;–È‘“©úCÕ¤šo¦FHß×1·íéùó‹ha¨Së0´•q.bð|ã#œƒ¾Iùþ4 oÄ1¾XŸ&¤˜ÜË!ŒiÉxËÓ‚Šj½|eQ
p‹“_ºŽùn•™åóôÝã†$2äÎÝJ \M%‡1¦Â'þÖ—õ¬$WÀ/‡–-*¤Ö:jî$`E´‡è‘€³’Á°nî'!nç$1Ï#h~™xU†|o’«Ø+k"÷›¢ÉB†%6ü¬-ê5 ½èÇÓRê–r€î|ÌÁ»!J.³ž>¼p‚®„*Üž0ªz©6£ãŠ,^±î†&ÒøB›cz­'5²“5(;¥÷Ê{kƵ)¼½z¤§S_
+šeã#z­h®×Ù㛌hŠïùÔÚ}Ñy©d"L펤wŽ×¥í+ÞVº§8½
ón±U9Ñiöõ¼å Ë`(mÚblwAÉxÑ<ª½'1ðØ2_ËÁ’âQ‰7áâ)ú|$÷’ôÈüc&K¶Y¥3d9¤ÓÄcâÀ®/p`¡ÚĶ›"ó^ÑÖ‰„A"¯’“;ÐTŽKàÈGÍÁ¨¨xð7Cc~EIUûû›sº÷ŠæKëb€YÁT¡Ûà—®€6%ô-‚Y¼Ù›~å…!#µcBŽÁSÿu#y¹6ÛðÎÙDDé©l)ÕЧ™µJŒˆsÁðò!7]ÇÑ>‡ß^în?GJmR¡ògÇOºíâòbñO<Ø¥Ÿ~Ú«:éªêÍ2ÈÎMy?øV𬅃¥…¿Á«¶±mbõG7ÌTR÷òX/3#`å
KîÖùö„„=«ë½7tÛÍÚz/Þ<ø>´à»[¯?o¸Õ
\ s6% >„®–{Ë"Lñ„k1ê{-^©c·òãÃÛA‰SÜÔ^S+ÿ›ôœs»Í¾ÅPË“£¬¦·ñKÁÊõ/´)ª¹N,nÊ~ÑÛÓN¥Bž›·«×2w!7èR !4'8®MHîJŒPèG"(îë×´ýgjÌgÙËgt¢HFÙ«XÌp\Eîa´îâs“ž.8rjÐeKTyAîÒ+vØ5ÓŸh0‘AMx”W{Õù…W4‡–ᄃt_ôcŠ:–ÌØð×ߟ¥¾wžî¦M̵ KòÑu³F‹H[èú›ö9¶³&£q	«Ñ†ª=1ŽÄã­–è×+5ó(ß˹o–Õ§WU»î`4­ÇO‚'¶b¡"@«þ/Óè†ÓÞ:s–þ,æÊÊBí¼Ü$\3ä±Û¶Z­æžM»bA
+¦FDÃöÖbŠX¨Þ‹­wýx‡áiUT_§ÞÙ÷dãÝ~JFŠjÔ–‚­ö‰Î8Üä_/Õ|m£…‘@ÔC̪aöçïUæEiݨnÅa'	Ð_oŠï¾ü²¹iÀ’¤VVÐYý3å‚\œš
+îöí˜:{Ñ„YÂdm…®ß¾«:Ùqèý¡“畧ÍÁÛöý×”×{ƒ§+*[÷^#å^®å5’Nxv‚dûJC"éIJÓ/
ßø÷9p²À–@‰ù¬ a½0á¯ú9•y+ˆ#Cé0i‘
ž6á˜}mu8£™xÁ¥<2¢Œ¶’';rÃd‚\-€m^8Ozåo­øûc[ck_\OÝE¥Bšƒ¼ÊÐ\ÑØAÊ
ùÖúÈõ·AòÀÛn¬»ÖÙT;¤õ
uóh«ÖVäÁ=î³
+B6~©t¦­Z¬‘†5Q
+qÔV9¨=Ò¬\ê(,7nB`.þ¸ªÑ‹
Bºô›äGNrLöéQú[¾‹îîê^M°7íÓÜB±”X¾èW´	ØIà›-ö7ãåsnñ
+cÖSñáq½ßo>Ê¿“•ùNhñNýاBAÖçƒÔU·° Ð^¸|P€£ì¶[S‡ïTq;¡¯tJZˆf[Bôf&‹ék#"¤|O6fhˆ‡ \ÉC¶®ñ‘×Ä/ïê>ï[80×ãFÞ…È}ž˾¼©_HVQkʈÆNcûP("¼²Z÷t›eÿ_þÿ?Áÿö  ‹Äèb‡ü„¶endstream
 endobj
-1060 0 obj <<
+1070 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 35
 /LastChar 122
-/Widths 2235 0 R
-/BaseFont /STRBET+NimbusMonL-BoldObli
-/FontDescriptor 1058 0 R
+/Widths 2248 0 R
+/BaseFont /DARAUG+NimbusMonL-BoldObli
+/FontDescriptor 1068 0 R
 >> endobj
-1058 0 obj <<
+1068 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /STRBET+NimbusMonL-BoldObli
+/FontName /DARAUG+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
 /FontBBox [-61 -278 840 871]
 /Flags 4
-/CharSet (/numbersign/hyphen/period/slash/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
-/FontFile 1059 0 R
+/CharSet (/numbersign/hyphen/period/slash/A/C/D/P/R/U/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
+/FontFile 1069 0 R
 >> endobj
-2235 0 obj
-[600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
+2248 0 obj
+[600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 0 600 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
 endobj
-1051 0 obj <<
+1061 0 obj <<
 /Length1 1630
 /Length2 10888
 /Length3 532
@@ -10520,68 +10591,84 @@ x
 www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^±kìo͵撹öGC©¦É"nî`
 ’q°‡°°³²	TÀv¦®.ÊöJ, KWUS[0à
àF¦¡‘t!`{) $Й¤@f;???2
@ÒÁÑÓliÐkkè2011ÿÓò—ÀÔóß‘·H°¥=€öíÅ
dëàh²‡¼Qü·5A Ä
 °Û‚’ªjåUdô²*ÚY=ÈhPs}kÅ 6Ù»€ÎÛföæà¿Zsa}ãw.Ž 3ð[ÈÃäøÄp9Û]\ÞÞ`€¥3Ðò6ˆlofëjþWov‡¿rtvxó°{ÃÞÈÔ\ .fÎ`Gà-«š”Ì?ê„X!åv¿Á‹7Os3׿Zú{£yC!@°½ò€ü•Ë0»8Ú=ßr¿‘9:ƒÿ.ÃÕloùÏ
-˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒ¤´¸Ž¤&ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
-Œ»C]ø¶ti ÓRß÷Ý…X«´m¼L»AŒJÑ2uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ
6:À)—DT_»Â;’iºv—"®;)ˆmq*ó‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79Ð7/Ù/–_!ýmÛÑŸ	·¥Ê“žHÕ]Çy÷A8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿	!æ¢DÚ–¶bO„t8&óïû·ù#¿-L.Ii§¼µ\’îžhRºª®
xïNŒ¼LÒV°Î¼0È'È:”n]ó’¢k+ÏQbÙP2ÿ,ˆè鼕8S“š·³ìâ>mLÃÂÇp]_1Œƒ,Žbš¨ðM›zÁí\#¨m-˜$²¶Ó“S”4cW"Ó?£^—ò–aÇ¢;áû±ÝP<Ö‹„¬²Ý2²&‡øÕÒ<³A–dâôÝÞ¡Ÿ¶*Ô1ó—)‘º°ÄÚnÏýå>ð,üöUaƒîùÂ4ÜU/ÎÏ	ÅíºÏCÔ½!¼L0ûBkÎÝØŸfRkSGD:,þaX§}îK+žÉ¥÷ÆíÊa5òb=L§A!ô.
;õ“¹žEFìÎ`­;[aß9\²@§å~Ê3ùű
óRIáPE‚»PÊ•!¼ö.líblÃ!3¢µÚøœÔªÊì=ý°:5¢Ä§"/pïgúîéãÄÃ7<Ú_Ĥ(LF•žR.Ø31s[’\(œ‚®¤'¾t;ßw&YÒM’Žª?ºcmbU‹Š¶*´XÞ/‹ÿ2ä±I
€¡y—Öë^‚TûþÒAªHAmfŠÉ9ï§Û‘a_Ë®ÀÔa÷r;ôzp=§æ¬@[>`S÷µWøªNt°óäËa7&%êìXÕåÒÎ’Ñ{î›òwß1	$t®L+í÷âQzŸº4ðm_ÈaêBkzK‡H‚Ï©-M_„÷œp:º¤õ4 1°îNŒYIzÍWƒ‰Ûyì	©÷ù3TÃÛu&ÌÀ„†6Ó¦0¥ÇmŒBw‰éÛQ¯èIR´Së‚òj>ËŧÒ—‚øˆQ—Šæ†ßF™bp5S±7ìuŽ½§±ÔlI*ÖÃ(>Úñ¨$®ßi w­i!œQ4±±¨äÀÌÂ…vU|Ð÷üÇ’Y›¾wûuNWdtä[KÙm8~=¶iš5¾Íû]SMÖÑj.¾ ˆÁ±üqÉÒõƒÙøyÑ¿Z6k’ÅŸZåzÊIæ ù»:N=•´qo¯õ¹+¥„B™¡dì¡AÙÝÕÏYgOþ†¥tãµN•¶‚.“Ÿ„ŒE¤¥ïmvž÷ç]4Ú}Ò°'~ªRÉfv5cêÙ‰¯Ó‡)ë8jÒès°;C­L‡’~œ‹Ãò%¸ëP"¸ÞUÉì^ª¤6PçÚ'% ðãÔ'Nurp~Q
Ø÷}ñƒ:|Š©½lLÇŽH|·—ÜÝþ¶w›æAµù½	ân¹‡T¦:¿ËzÊ(ï!ɯÄú_͆vEÂëÁ|Ž¹Eʯ#«îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT	¢Âª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
-ª¦S0†¶5§(ƒç•ÒÃòÙ#ÀÀîœj›Ó=âéÈmoßÐ
-¸wÛõeä7ÊüÈ‚Wª¤I„ÜGñaquÂŒ†!q”ŠÂÓúF›ºNÑvw=É€ˆ
ø?©þ¤ÝÊCÌõýß{?~µCâ¤ÝXœì†q&ç1j;¯ãI¢™Ô§U$´ö2s«Q6·oÛ†±Œ•°ëãä'n¢ªÌ(" iÅÚPV Ý£BªÎµqt¸Ö•Ým™Y•d>Ã[¶‰’¿¦ÛV­¸‰õ»ë+WÓP¬Å`,kE}±_Ys™°‘/Îþ’Jre»\áÓZ¸^˜ÐèCcê?SBk@z©É{%7y44V‚ꪄ֯næíæ¹ßTd&…Ö9ª¥opøZ^G	ƒ¡ëƒDºqÏ’:]¢¾lÅþñKêà†îëÒ
7pR!42eƒI=%yøp¬?ó “yŸåðu]ËÛªˆ¢W¦@)Ñ>4F¢«À‘ºÎôÁö0òzú¬áN RJ‘½ÎwJúì‹
V9ûdõ®DlG"~›§’ö¯·AšnÃŽÍT
-ä’Þ›«+;Wœ‹ò,ïV‘äîIº9^Ü¡U½0~˜ðâÝ^^ñܤOgn}Â]^¿¡%K(îù˜§½ÉõUÙó˜×òÁîôò#!\ßÄY¾-¯GÑÁ¬]@öõuÉsXú‡°
_®l§Oìã¯U40&¢†b¾Ÿ»—è/IRÖ¯}à–ô
+Â|úÜ‚îûÓÎPTæŒæÒïy#Eâ݇¡·läl.ö§¥V²!*\æê~ÓP„«D‚Ò”ü×ûS»/æ8?Éôi|nerøóRÜ~PÁEˆYG=	Ò¿Ü@ìjpâ¹Á[8ü¿Ú.îþ?øšõ/“š Çͧա æÛ¥ØSXtÇ”ù"QkËy„_ž™rx
-îÑâ§Ó/ÆÔ€P	+°-¼ÝyתžVý(/}_#™mѱ¦€*¥f~[ópÏ8V†ÉÑ8ï„$gÿ" N:<3Uwñò›ðžÂp6­Ö‚ËI&Rü¬ÜŠÊ“‹pžÓo/8)Ô+~ÛJs§\¢­öÊlöí»i{UŸÈ»Ã»4´½ÌM_˜š?Å]FÌ©•A·Ö_\"Óƒ‚’Þ}#FGïK}g|ÿñÌàë":ŠEù×%ñ’õ.C!+6‹¼R±ˆà!Qê˜_};¼È#Ëö]¿?Ü~d'My*½{·8¿á+ínßû·/ŸuG«ø0¢ß§ÒÍéÌ–àb“'¥ÿî¤ûm>‚ÿ«?‚´Q	õÞ([ºÁfMÛÿŠƒ´–?Â…?¬Žžš.Tùô+ª©ãJ¦eUq8jrÜ…Yp?Á½Y~H…#úò=*Ïqí·Ï™‚T蓦ò¡E‡üA‚⫘Lm=ÏÊ72Ø÷]‹Õ™+eÉ¥½õ¦½=¾¼Eó@•3.¹w¹Gãd“•.Å/‹f\OFJ$Qó:ÑâTá…ݨ7BЖ_[E!üóèóªÝŸ$æžË	3D¦¹ã]DØùø#°¢R}’o²ä£K‘„Gâ%þJqI.Ö7Ï_5EÃ%óÅgAÓ^Ö³Þï2üúIk1Ý>Ĥ\V™$ÇÐÓÉL}mþ«Ôì~¹H£ŠêOð0Š1„M6kîwQ}¨ë;™[ŠmsÑ‚Èl…„
-ýò­Ã)8ȉÅ)7è_£Œ·ÆT÷ô壌mMÌœ+¤
-G¦©J¨ç­$î}0ÿx¯R7ë&K.iËP6RÔ.<,ë㺥1~4XÛ¸¥>÷Æ	ètž•>¢Â:Ñ#)á>æk[¾»ïÛ'Îåõž¬Ž"¥à P¼Ê!B5ÿi‹ÒÌÒ÷ÀI¯´æ6‰ïíÚK²j?uFéi‰W!Ü’½NÒ.TEtmúÖF°tŽ¹.†}-¾ü%`úµÙVîC¢p?VúŽÎëÏ-jû-fÃrÅó$î‹Ï„¬\AËÇlä¡NÉWô˜,ñ¡ït5맼À÷3Þµåb쑳¥+•æQ¹¦iÂSýÝ(Ý›Çi'o„ßFýØÕLã—$Ušfƒ)ß–J³6öoú«H ©ÝíISO×ûÏM§«ËS¥LLñ~ŸÅZcDòóJTIEsZÏYKÔT&6·)/ÇÃ,±L—,†»‡[Ò»sž£Ž‚gç¹9m˜½FVË",˜Ûx™£Ÿ¢Îúäç/û£ÜîdL3¨JÔ­Tú\±ÿHÉLÈïa…ºfNuöѯ&],rÁEÂÚ1DÚÇŠ
-Ÿ`bêTèÖ6çCÅx+Äèô@›þ`ÙvªlÐTw»J·ô+²ùøp4Tâî]” ðâú>êóXÿfßdO¤Ï£\Ï”H:[PC‹Ä²¡-‰­Çó|—ÕÏñÊŸ0ï³iov%§Ž=Æ‘»ñfLu³$ŒX«Dm|BØxz’‘:ÍDï¾T–[&n'îóšZ)	¶L`z˜÷Î(1ܦ—Éc¥œ˜*`ï3Ÿ+F(ò¿gVà/_JcÄh‡ÛÑ|¢Üm:rGæ-Ãì]07‰±?×›­‡¶­0RK4åÀí+—‚`îŽDÕÐLºÎ’ùˆ9>ñ¯ëwe£¯ÓÑ©<Ôº:n;=]7¶cm$Ïjô¨âÉåx¸Õ8>Ãp:'`=2’¬~'¡·:é'î•üc|±#úvN<z꧄ÇHxw+Ì­it2e³¼SjþdÊ]Ràwó£ºöÔBBBi‡žuexyUw5{GÿÏ«fçH¡ä‘Ë[‹ß›¹ö#±gàe©9H|CaÈ=¨«Ì¨D¥×òjî†æXJ(VrÙúg4€O8%¬i^ÙQ,*æî£%ÅgM¢b%D1dù×M¼	¾“ëÎWðY)•=¼´`¯¬¿l,TùáèõÅuqC'ïþDï7¼¤O¯·Äštéþ"Ìs¾Á%ÞÌø-".#S„ÚOXõNèWÇl„Ò]8T‹0üPÔ}zZÝ^„ð!¦Jr½fî:5…€c6Z¸ãGvÝ~Õ¦ÉþÍOqøÛÃÂÈ5Bl’÷eÆT5ª–ü€ÜØ­Özä€üÛW–ÎòÏÎBÝî”}]Äè»vµ}V­&–h	Ô0;5#ÙB탟{ˆ>â‚éñ¯/bú3 13„;6é:®ƒ"|sjü”;“ã´iK—‰Öcˆ­^#kJÚ•üMCG&³
Ú#©Áœ¶}äe-Yò
-iÓpn¥ISÖÎ.DŠkÞë‹eªñÔY’ªUÍwUûŠÔÅ+f*Fèuž“}¦ÛŠ„¢d„ë$;Ö	‚öaþr>wr9ÊDÛNý .Þt9J±”¨Ñ¸¯¦,'%PK·¸_OÑB¾h°^ï.ÖdYè1¦S+ïy‹Ô8=Ô®o	Yzàƒ+GQKè
AÈ>Ó$$½ôÏOòÇW[OV"õ>gç4BÚghFšdzج™}?щZ‹Å?fvÉè¶&Àߣ®Žp÷ào‹›ºÜH¿B*LÕ5ƒ$O1BœÞ«Y,Þ.8KÖåê
·XèHs÷'(ýB¾}±¡
-{&p–è°ÌO@¤)ˆ
-á(ÉÐ'k‚ï¾}ZuqåÙaÕa	àuß+•?®Ò,ç<Ü¢p)Lå¶c§z7ƒÜÇc®{Öß°Uþ­ÝûÁÞ_)Pùîã0Nh_4SÌbÉ-Œ”²:ã%¹îL¯EÑ)ƒªÇ7D.÷{¸>ÈL¾¯“G‰óEZ:|ÇL÷çÓmó’‹XÆ–U®“Ž€ã®$15ó³ºúP€àYqL4·ÉÎö‘Û¬¶o¾ûùp¹ü²D摧Íþl;Ux­!«l‹ùE‰og‚‹qAµ't­×µÃ u+¿@Ç9ÐìOH’÷ÏU„®‰­¶EÜO3—h¶ö‘LÓ†>ÛÎÁ~!ôñ.N}¾BrÕÇæ’ƒ»ÖcÕ2WTcs¹¤;¬êK´d✺Ïþ6õ¥o=¡H©[ôËÂð­›Aö&—ààÓ!ÿ@ôN¤ðàíÜÁ£E>&ð»&¡8Ö’QrÊÊQ\¹ìhV7᫦³ûOG)u¶¾oŸ 3pý¿@¼SÙGî;Uc›µaôLëí\
ô¨èPÖJ‚G!òÝÔ5£Î(Jµe¢–±Í´w}Ÿ^Êç
-ƒÉ/¡¤èïiÔò;ÌóêôÿLšUïÑ[læQÎaœ¦Ñ>ñ³G÷™=}!C‡áóoΤ…ÃTD^ê~÷Yñ5l{ž³×(᳓* ŠŸÏgé­?»ñ\²Àå'Ç…îñµþ@vǸŒ‡¨óÀ9šæ‚Ã?ŸŸ¾èxŠBœZ÷ö´köö†dqÏ‘"$!ˆ
íxðÿ"`£þmÍÓK›ë.¿ôe|ê:Ÿ†›%u@éœo('_
-¸=Äõ¹Â¨ìW|ÝóúõyÆ壹Œ	O<ã–H¦¾kû»TCT•3SQú˜8EŠ9·[Éi{ªðãá²Çäve=§ûïŸ$)e	Ù(ïöyï6bU_>`R¨ÿ™2Qt˜çR?=ÝIêbĉ&	¦yÍèZ÷;Ø%U¼å͇⌌àÊ·«6ŠnËLJ˜S2tqŠç+ÚóKÄ0H ûÓ'­½ª~Ï”aLø˜±ºÙ‰l½,£	;ˆ$ùubq¹ñÝ8cC¨.b/άKÌJáÖR7£¸§ôŵRì`çzËb“³Z'º½$ éëý€Õ÷ÒÞù¡À.(?ü<Óo' ÂX£¹
-½‚ü\Oãl}çÏ rÉ^ÜëcërhÁÄ{£x.;9¹ž³¸#ÛO}+öH‡Gzøå%
Æ®¼ð§AjS2kí;<)Ÿ@ZÍÆ»È`n#çPglvçxž–HhÑo°þ¦¯£mÉ،Ģo­»L£ÇQ“0íñÅùuâ#ø2†Nü®{Q[V¯Àj¿¢»þ?ƒNWô¨?ƒt›á%¦qGGö:¼®*x¼ÃÀÌžÙÍÙ^?£õgf‰•çûúpïîLÂTÅ7^\ý?0[ÅÃèQÄè$†À×}ÝŠIÃP±ªÇdYvgä‰e¦w©Þ$àŒ¢_™×¹Žéß™†Ø'DÂ9ËŒ?h2ó¸%¹ß̆Ó6UÖ¾—õ„¯m“±(ò¨øÈþ­ÉæD¥«‘÷§½ºwõ¦$MMó:2ž“ú©‘ƒ=‡3Ït]ÆF±°i\Çã“%N¥ŠaÿÝ£ÛEK¼ôÑ×îŒ6y.G­†(®AM†<ï¹Ö~Êyõ.‹ï—²À.õ8'_e#åBâ[7Q:¿žßämø"mƒbìSƒŽÆZáÂ
4¨YŒ•{t¿Op¡Æ¨à‹!|	‘õj—/™§ÐLve§eŸ(ú]<Žqž(Á¨ð칄…ÏÀßù¨;ïAJGZ0ý7ùˈ¾†[(-®P+Uìp¤ëñ|\—;ïùÝ27r¤v¨x©t¯½ <¢íæVþ–(ù’]”Û­®ÂãBB²ßâ	ïE›Üä ?•ïd
-ž¥̺”k®ÖPú-F3{^.|àƒM],¿Òck&Ïý"§^{9D_o·äË•ÄgDwŸÇ>B_6õ¦F§zJ­ïf¬E§9åGÆŠ(IK6na mü¹¢äßúta\‘±+O|oÛn™ÔĺàÙ_
$üÔ>­Šäkës±7¡{^´2ÐX
úñ©ã³¼€¥=Š&I×}µîäØsU5u¨ÿ’àï"VB”—~²rön‰Ã/A“¯>k]苬’)ŽÄìÂèÌ?vYèäF8ìúš®GFܧŠX$ã‡ÔbÐ¥åž_¤M2`c5ã&ÊÌ%RJÇϘáVqóÒä8Q8¬ÉÓ3·Õ"×ya䱈òòÚ9¹2äÈ6†KuÙÔtiA\d±þáf’wÃAé@To^¼¢*¤Ë€™Rö%̃°£üú‰Gë÷'xGJIÀ´‡P9	uÍ„ÒQÆ"òg…L*+cl4—æ…¬9rv*š0–4Û±Œt¦¾‘ÑÝIÕ:š»”IšWYøûèèNg+Qü¼v-Vê~Ã4"å4}/üÇ—’W'ŽÉŸŒrOá¿<·3Ül6¦//¦«Žwú–ƒNb©«þÄ2Y4·aG^¢11ýÎgœÅÖ¿£’,„0ˆÜËûîÛ·j˜pÔwS±¨W¨¯¹j¼~OÖÒÜÒh¨Ð÷pI•æ‘¹È{z^½3q½
ä9ƯLh>íïYæÇ(ì$%É†m]"’)_]VfíÁ[á›Æäæ1‰¿òŒ\³.ô1T•]âGö{ˆ¤V.¸/Sïd`´.òUuÚ‹î©>ŒÇ¥÷S?iI®9Ãq-Ý%áÌKõÞÉê(?:LÛ-·R†ÐAáç6=¥šp•3È)®²º/–}Ì?A\ÓžÎxŠ;­ŽZ›hðJ•ò¡žŠÔœjó\áÊ8ORø±ØÞþÚ‰«£%e
-M,b?Sœ†è‚-\	ì‰ûdVwÑIôœúá~Ö7ŽÄkeAø€›ÂG9”¬™C:¶œ<_}9TïrTÒ^%M…íŒC,[E
-tÓÎ@½*¯g :_‹»o]Ÿ°’cü‰·ÑcM
-}­+^ÂÂí¯e‚³é)À+-[‚fß7j5$‡=á›®bÖ;tZsa¹rz—xž,ÿ
°Â,ZAË°z˜wÃV‰”]AVrÉ|RMc:ù~pŽêˆ°Æ¸œÎõb².<„âÓ?øÕMÌlH~6ŽäÓl:Íx²_$j)ÊWA¼ëhEBuµ²¹ù%Gx	—iSÅÊ—Ž²ÅÄ© 2'BæȰ箦Q0h<´ó’ ÿž·§£Q-önµ‚q¡òS‡!»l˜ìÙŽSö£'ºN–³º,ÇTéW¦“ð¸Ç­gÈ‘²Ëê³ä‰#¡,Gd›äô‰ðýl$HÀûa—>7f»‚Z%ýÙS•²Ú@G÷Ø/RÝŠŠ¤`· ê²8f½ó¨ª»üqÄÎdX
Gû¤g¹Ë˜
»„_qvw3ƒ9T ÛáÏúmœ”@n¹aOJ‰
…yu†çêfÙ=Õú{ÝÓFÎLfN‹GäÔi"?þÖ}醊ÛUœ—_š›iN„z²ròÃõ3
-uÎÂüÕÏÍ{1T¨—t+jªNìpC4ç@ÖîÅfÙä:)0ýôðtòuwô›§`âèÃJ_Âåfò²¤p¡Éý@ ë¤åcùC¡î—rj¿ÁRµP“ÜüQ[öºC›¨˜2Jí¹~?„.ìpÞ»ÂVXz%˜©­^ŒºÎµ†×þ'R¹ÊxE˜•ú½Æ#´ÂETíö`…TÆ*‘Æ4d¹ÆÔÊô;é¯QÍ·ìe¿Éŵ§Ú-Œ™–¾~jͶœÅ`k(vï¯ûa¤æ ‰öឆ…ö*„þlØNÙçfr²ÇŠ1³|/0î4ÑÉÇýžjÈ¿>VùEƒ" OáZ¨zßû,q!¿å]3„*Øœì>ÀŽÅ­ˆ‘{+$v¤fx[VÿÁ§ðaXïòÞòÃݸ´îÖæ#¬OÆfe­Ž¨€Ägs·BÌgtíD·°¦1?éBmbvø¶—9¢¯'2S☟—øø/Ð]Å`œÎækâ$:DKØ$žr°[[/o•‡á‡¦„ô¨ÜëÏ~fwHý¥ÈC¸¯É½ßn	
-ê÷E6K¿­í‹zv
$àg¨¡Ñ8qx!]ü`b6#2•›PÖŠ>)ЦšôʈQІ)C(Õƒ}R~­­‡_¯˜>{š·u9;ƃn¡“íó'\	=…i{,Áe“b««=µÅ¹ÛˆÎÝ6ß®ãÑÜ€AŃšlôϺΛv6Úì	5ÕÍRjå8äò¬Úèpõh.	ÒÛþ1«,Sd¢Ïì^5
ö¢ ÚO舄iᔚ8Ž¨á§ˆCî¤M¾»ÙIrúdöÿÃß#58ƒ8øìꯦ‘c‡9<œÔ?Xé(õ£ƒÙFkcˆÊU#´gƒ–ŸA>fâÃ穬-mDñ{nÊ¢,B‘dKÝ*ÞFΑt0¸ß28°ê!Û™h—Ÿ"à}8Bò˜á"¥f]™M<"$‡[ÕënwYÅ—ÛuÌ6ÎG¹óê=¦™¨ˆG(fjwfÐÜÄÃú£Ù_Y×Òm¨õPø²—'MWußÛKjÓ\·EE}‚Sy识cÔPÞc
U»¿WÎ…{gÎV©)ûðqBÐPègõ‚ »€‘j´µJ¡!ýÌÇO^â®=ÓôÑF~÷H×¥[ñ²ÕÉ»yè¦<€]¯©RE›x†{r.¸õSz÷N®rÍcOdùñ6“ôíFƒZÅ»µp±êLÛll™ÞÔòÓž¾h¾s,ü×Ã"TqÂÝ^–Oãrç,ÙÅŸ¨ÅEò/*f’”Ž€˜›…#ê–úJ8Š\ÐTH6ÄÄëêVäùã§q_(7QÐNàQK¸7VÓ¯¾«v…!YԫΓ²QŠÚ—>÷m‚«“мNØY©ŽJÉèÀê5—I«^ê‘ËT3Ey+fèÏÛ¥ý¯Ô°€H7Û³k
‡9ùÔá?b&=eÖ–›ÆÓG"ÎkM•å­•ø‚ÚXaI\ßmhû]½“T†·8ŸNÀÝKmpæéðí”?Qã·°U[˜Éä”y­¤®|ïöZíµ§&”A¶ùLðÕ(ãðÎ^X&¿*HðÌ·lØgÔõ"‘‡³oÆÿ×aáTž'zûû¹®^u?%Àtc	¶èÁÁVuA†|£¸ÅÍ×”6>1Å'¨¥Ô2¼oòg ’o›Ê
KâúÂTðÝö3r
bBWnêPÑÕƒÕZì)dž¡ÌBT«Í´Añ5¾S5£æ̦¥ÐTU¢¯:Üê‹°¡À†zBnüm`Lô“š!±ÂH¾¤å–+Ž«I¾†ïSªùqS”Ñ&bFœ °–gVÁYòÌÒb‰‰(ôŽÜÄø¦XãÂ]¿ã>€)­—¨°ÇFÓ<äGFÝ«bºD•Š£nw…|œpg¾0ª“•MPü,‚›E˜ž±Y™ü§Û¢bÎl·×Ø‚³èÏl¨¡~æ!È¥ÔS.šÈåwò©‚h€9ƒÔU¨7w¾¤9“Ü‹”‰ór‘¤òá[ÊKâìÜX¯÷ÓÝn\t“Ó~¿ÔlOöü8Å’ëÝBj”Nf{橆uö{!^æ’™Y«‡w댰1Ù$M­,ÑgZÒƒŒÈ&“É‚FS´Ã§·…¥wlü4w ƒ#F.°Ëc’¼uÔi´íòE¿·Y±uÌÑrÂåäÎ3J2ý9}°ÃÒX¬søwéª0ÜwP1®¤Tv=gvM¢Ç6igU›÷* ¸WŽˆ%Ñú¦ó¡VÆÊ`Â/½Ù#»ÏÃâÒß¾!õÈŽb>"Ä*200œ7¬ÏT}èó fT÷¡·MEfº>³¼5qÖ€m®)½—ú~ètL‘×(æ{ŒùCõá¢^m„çÇ'y؈~
-EªÊqÓëTéCòâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<üÈ -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆüªCÞÛjHk_×iêPtkºé7ïze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±²àN|×P’.n¹||£ÜU+¶3F”MhÆœ¡¦9Ÿ?hHû›ç—nrÞ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹ÏîÀ1­ÇN4.ì—{œH¶/ªB¥0¿N­æ%@»&ZëÑ»BhÙœæ¹áí„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
-Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ
-Ð:endstream
+˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒÒG}}M¦ÿê†ýÛSím ZžŽ À¿¥ÑUv0ÿÃ_<ov'/€——ÀÇÎîû_dü›†ýŸge Äì0`cecc¼ýÿûóÏÓ§¡‘¶7s0ÿks4!@{ó·eûÃ_°™«³ó›ÆÿoMÿûùïµ<@fÈ¿æÌC¬3²3!ßòF¥zºØaBK뵊
+ª:ý3"6ø+LžkBYÆ^[=çŽ_vw‡ºðmé:Ó@§¤¾ïº±ViÛx™vƒ>•¢eëÆxŸÍ*­Ãêó°éìnŽªk•<Ó·q:#žÝ1¼w+À¥¾uD÷3K¯‹ÇkÇlx‡ýíËÑ1mòÁÝ-]ßðà@ç\÷	Sn< ,mt€S.‰¨¾v…w$Ó6tí.E\wRÛâTæ!5,0cök¾º¶Ö%_{®ÏgE^˜’Ôûˆ%F79ÖxmÙ„âWQ5^}[4ùÞ¤Ö¸çM¶¼Lb»ãåÊÒå/ˆ¢Ü0¾éT·–nr¡o^²_,¿BúÛ¶£?%nK•'<(ª»ŽóîƒqZ¹x³?]lÑXÍÑõ#è'Z
„ÔF[­Ñ]÷õ‘GïA;ì­éz~BÌE‰´-mÅžépLæß÷oóG~ÿZ ™þ\’ÒNyk¹$Ý=ѤtU]ðÞ'x™¤¬`ya*Ou(ݺæ%E-ÖVž£Ä²¡dþYÑÓy+q¦&5ogÙÅ}Ú˜†/„Ếb3XÅ,4Qá›6õ‚Û¹FPÛZ0Idm§'§(iÆ®D¦F½.å-ÃŽEwÂ÷c»¡x¬	#Xe»edMñ«%¤yf1‚,É8Ä黽C?mU¨cæ/S"5ta‰µÝžûË}(àYøí«ÂÝó…i$¸«^$œ	ž4:ŠÛuŸ‡¨{Cx™`ö„Öœ»±?ͤÖ"¦ŽˆtXüðN5úÜ—V<“KïÛ•ÃjäÄz˜NƒBè]8vê#&s<;‹ŒØÁZw¶Â¾s¸>dNË3ü”gò‹c楒¡Š-v¡”+Cx+ì]ØÚÅ؆%BfDkµñ9©U•;Ù{úau kD‰OE^àÞ5ÎôÝÓlj‡ox´¿ˆ!„IQ˜0Œ:+=¥\°gcæ¶$¹P8]IO|év¾ïL²¤›$'U	~t?ÆÚĪmUh1°¼_ÿeÈc“'Bó.%¬×½©öý¥ƒT‘‚ÚÌ’sÞO·#þ–]©Ãî#ävèõ0à2z
+N#ÌY¶|À¦ ïk¯ðUè`çÉ—ÃnþLJÔÙ°ªË¥%£÷Ü;6åï¾$bHè\™VÚïÅ£ô,>uiàÛ¾ÃÔ…Öô.–‘ŸÿR[š¾:	!ï9áttIëi@b`ݳ’ôš¯·;1òØRïóg¨†·ë6L˜	
m¦MaJÛ…>îÓ·£^Ñ“¤h§Öå1Ô|–‹O'¤/ñ£.Í
¿2Åàj¦boØë4{Oc©Ù’T¬‡Q|´	âQy®Î:3Ôœ2¡L°
Ù§Ž#÷n¥¤Ý9Moƒ`q°²~ò¯Gµ@¾êú®ŒÉÇe ¶¯D&»æ%ĶvùT
+‡Î°çJå~ÙÑϽʵ‚ƒyQ^…ꢧø¼Ñ‘Ì’¬Û‚„ÛQ±´Ebʫ_¢”ªk”ÏϤáÞÔ¸´¦ÈŽÑh¿?ÏÊÁöóî›RõÍðð4$H1~Õ=@†ÁßjÓîÊ2½,Ë
ISd²2aI:<;‡…]?…Š1N]ˆ)[dÙ™L—DXÿ4ˆ—mA3¦™›Ì|}Ië
+Ž®õiŠ{ÉÈÏeÿeâ’‹ñNe ä±)ÃÆÎú%˜MÕºt¾Ó=ÒXóª Úø]UK/H\¿Ó82@6&îZÓB8£hbcQÉ™…íªø ?îùŽ'$³6-|îö뜮ÈèÈ· —²Ûp8üzlÓ4k|›÷»¦š¬¢Õ\|A,ƒcùã’¥ë5²	ðó¢µlÖ$‹?1´Êõ”“ÌAòwuœz*iãÞþ"^ês3VJ	…2CÉØCƒ²»«Ÿ³Îžü7K-èÆk*m\&?	‹HKßÛì<ïÏ»h´û¤aOüT¥’ÍìjÆÔ³^§/SÖq0Ô¤Ñç`w†Z
˜%ý8‡å:JpסDp½«’Ù½TIm ÎµOJ@àÇ©Oœêäàü¢°ïûâuøS{Ù˜Ž‘øn/¹»ý#lï;6̓jó{ÄÝr©Lu~—õ”QÞC’_ˆ;ô¿š7yÆÐöHîtÃï;µNö˜d|
¸ƒÎRëPaD3¡‚iÓ.k{Ï$ÀÈ)¤¯ˆ®œ {"JLÔÆl,—
+ƒ=®›Ê16#ÕÍ}ìŠ …׃?øs‹”#_GVÝë«*ûs4Ê3ñx]ZÉÂíCúu:pä}³wàâ•F®¨D…U½¶9ÀO‘àÛ‚Œäh(YzΖfšP™Q¤T!L§`m3jNQÏ…+¥‡å³G€Ý9Õ6§{ÄÓ)‘+ÚÞ¾¡pï"¶ëËÈo”ù‘¯TI“¹âÃâê„
Câ(…1>¦õ66$Œ6u¢íîz’ðR7üI»•‡˜ëú¿÷~ük‡ÄI»±8Ù
7â M"ÎcÔv^Ç“D3©O«HhíeæV£ln߶
c+a×ÇÉOÜDU™Q8D@ÒŠ´¡¬@»G…Tk7:âèp­+»!Û2³*É|†·l%M·­Zqëw×W®¦¡XŠÁXÖŠúb¾²æ2a"ÿ^œý%$•ä
+Êv¹Â§µp½þ0¡Ñ‡ÆÔ?~¦:„Ö€ôR“÷Jn<òhh¬ÕU	­_)ÜÌÛÍs¿©ÈL
+­sTJßà:ÿ𵼎6C׉tãž%uº"D}ÙŠýã—ÔÁ
Ý×¥nà¤BhdÊ“zJòðáþXæA'ó>Ëá뺖·UE¯L
+R¢}hŒDW#uéƒí;aäôôY	Â@¥”"=zï”ôÙ¬röÉê…]‰ØŽ6Dü6O%í_o	‚4݆›©È%½7WWv¯8åYÞ­"ÉÝ“$ts¼¸C«zaü0áÅ»½¼â¹IŸ.0ÎÜú„»¼~CK–PÜó1O{“뫲ç1¯åƒÜ!éåGB¸¾‰³:}[
+^¢ƒY»€ìëë’ç°ôa¾\ÙNŸØÇ_«h`LD
Å|?w/36Ð'^’¤¬_ûÀ-éV„ùô¹Ý÷§¡¨Ì=Ì¥ßó:6FŠÄ	ºCoÙÈÙ\ìO3J­dCT¸ÌÕý¦¡W‰6¥)ù¯÷§v3^Ìq~’éÓøÜÊäðç	¤¸ý :‚‹³Žz¤¹ØÕ àÄsƒ?¶pøµ] Ýý
~ðÿ4=ê_$&5AŽ›O«C1@Í·K±§°èŽ;(óE¢Ö–ó¿<3åðÜ£Å9N§_Œ©/¡
+V`[x!ºó®U=­úQ6_ú<¾F2Û¢cMUJÍü¶ æážp¬?’£3pÞ	IÎþD@?œtxfªî
+âå76á='„álZ­—“L¤øY1¸•'á<§ß^pR¨Wü¶”æN/¸D[í•ÙìÛwÓöþª>‘w‡whh{™›¾05	~Š»Œ˜S+ƒn­¿¸D¦%½ûÜMS)FŒŽÞ—úÎøþã™Á9ÖEt‹ò¯Kâ%ë]†BVly¥bÁC¢Ô1¿úv"x‘F–í»~¸ý4ÈNšòTz÷nq~ÃW:=:Úݾ÷o_>/ê0ŽVña2D¿O¥›Ó™-ÁÅ&OJÿÝI/öÛ|ÿW1h£ê½Q ¶tƒÍš¶ÿ'i-„X=5]¨òé-VTSÇ•LʪâpÔä¸9
+=²à~‚z³
+ü
+Gôå{Tž
âÚoŸ3©Ð'7LåC‹ùƒÅW1™Úzž•od°ï)
+2º«2WÊ’K{ëMz{|y‹æ'$€*g\rïr2ÆÉ&+]Š_͸>žŒ”H¢æu¢Å©Â»Qo„ ,¿¶ŠþBø1æÑæU»?I.Ì=—:fˆ$LsÇ»ˆ°5òñG`E¥ú$	ÞdÉG—"	ÄKü•â’\¬ož¿j<Š†3J;æ‹Ï‚¦½¬?8$f½ß)døô“Öbº}ˆI¹¬2IŽ¡§“™úÚüW©Ùýr‘FÕŸàac›l,ÖÝï¢ûP×w2·Û梑Ù
+		úå[‡Sp‹S(n
+пFo©îéËGÛš˜9WH :L9R•P/Î[IÜû`þñ^¥nÖM–\2Ò–= l¤¨#\xXÖÇuKcüh°¶qK'|î-ŒÐé=+}D…u¢GRÂ}<Ì׶ }w	Þ·OœË!ê=YEJÁA x•C„jþÓ¥™¥ï“^iÍmßÛµ—d3,Ô ~êŒÒÓ¯B¸%{œ."¤)\¨ŠèÚô­`és]ûZ|ùKÀôk³­Ü‡Dá~&¬ôן[Ôö[̆äŠçIÜŸ	Y
8¸‚–ÙÈC’¯è1Y&âCß=èjÖ=Ny90€ïg¼kËÅØ#fK1V*Í£2rMÓ„§úºQº7ÓNÞ¿ú±8ª™Æ/Iª4ÍS¾-•fl2ìßôW‘@R»Û“¦ž®÷Ÿ›NW—§J™˜"âý>‹µÆˆ†e7敨’Šæ´ž³–¨©LlnS^Ž‡%Xb™.Yw·¤wçÁÄԩЭm·Šð*$VˆÑé6ýÁ²íTÙ ©î>v•n'0èWdóñáhþ¨ÄÝ»(AàÅõ}Ôç±þ;ɞHŸG¹ž)‘t¶ †‰eC[[çù.«žã•?a6ÞgÓ*ÞìJN{Œ?"wã͘êfI±V
ˆÚø„°ñô$#uš‰Þ}©,·LÜNÜç5µRl™Àô0ïQb¸ÿL/“ÇJ91UÀÞg>WŒPäϬÀ^¾”ƈÑ·£ùD¹ÚtäŽÌ[†Ù»`nc®7Z=l[a$¤–hÊÛW.Á܉ª¡™t#œ%ós|â_×ïÊF?^§£Ry¨tuÜvzºnlÇÚHžÕèQÅ“Ëñp«q|†átNÀzd$Yý;OB/nuÒ?NÜ+ùÇøb-Fô'ìœxô>ÔO	‘ðîV:™ZÿÒèdÊfy§ÔüÉ”»¤ÀïæGuí¨…„„Ò=ë8ÊðòªîjöŽþŸWÍΑB#È#=–·¿7síGbÏÀÊ Rsø†Â:{PW™Q‰J®åÕÜÍ5°”P¬<ä²õÏh7 ž
+pJXÓ¼²£0XTþÌÝGKŠΚDÅJˆb
+Èò¯3šx9|'ׯà³R*{xiÁ^5X~ØX¨òÃÑÿê‹ëâ†$NÞüy‚æk|ëæ-=ÛÑö¶WbÆæ_‚ÆÙWSf/B(“Š•Ù;¾`“öúšï†wªÖ5Z©Ãˈp)íâÜÏ><[
+ÔO’ùr~QQoı±õûKiÌŠŒ)ÑÖm½Hƒ5Ñ‚EY±ÛN/DÑ¥ñ$ßÜ5dTókñXXd™ÅU+yëß·“&×¹’¯`ÿ.Èj>ä—D1—J–©)TH‚Ïl#´„“#G„C9”\Œ#×Æå
+·Œ“1ŽD-Zü†'˜ñÿ ²oË“X2—õ¡.j.ÇiET²<…¤¤C:£S¢‹Þ‹‹ª‚žvWA£A|AaŠS¶ws¢éJÃËËÑ`sÛË0úÐeÅžÈß~U¼Ëuûœj2$À	›.$zTXD\út]°¥|ˆ*ÞoxHŸ^o‰5éÒýE˜)æ|ƒK¼™ñ[D\F¦3´Ÿ°êЯŽÙ¥»p¨`ø¡ ©ûô´:º/¼áCL•äz3ÌÜuj
+Çl´pÇìºýªM“ý›Ÿâð!¶‡…‘k„Ø$ïËŒ©:jT-ù¹±[­õÈù&¶®,埅ºÝ)ûºˆÑ?víjÿ,ú¬ZM,Ñ4¨avjF²…Ú?÷;|Ä;Òã__Äôg@cfwlÒu\EøæÔø%(w&ÇiÓ–.­Ç[½FÖ”´+ù›†ŽLf5´9Fþ
+Rƒ9mûÉ	0ÊZ²ä'Ò¦áÜJ’¦¬œ]ˆ×¼×ËT㩳$U«šïªö
¨‹WÌTŒÐë<';ûL·'	EÉ×Iv¬-2&íÃüå|îär”‰¶úA]¼èr”*b?(Q£q_5LYNJ 4–nq¿ž¢…&|Ñ`½Þ]¬É²ÐcL§VÞó©qz¨)\ß²ôÀWŽ¢–Ђ|¦IHz韟䯶ž¬Dê}ÎÎi„´ÏÐŒ4É ô°Y…3!û~¢µ,‹Ìì’ÐmM%¾G]áîÁß7u¹‘~…T˜ªkIžb:…8½W³X¼]p–¬ËÕn±Ð‘æî'NP6ú…|ûbCöLà,5!Ña™Ÿ€HS%<ÂQ’ OÖß}û´êâʳêÃÀë¾Wþ*\¥XÎy¸EáR˜ÊmÇNõn¹Ç\÷¬¿a=ªü[»÷ƒ½¿R òÝÇaœÐ¾h¦˜Å’[)
duÆKrÝ™^‹¢SToˆ\î÷p}™|_'ç‹´tøŽ™îÎ5§Ûæ%#±Œ-«\'Ç]Ibjæguõ¡Á³â˜hn“í"·Ymß|÷óárùd‰Ì#O›ýÙv$ªðZCVÙó‹ÞÎ9â‚jOèZ¯k‡AêW~Žs ÙŸ<$ ][mŠ¸Ÿf&.Ñlí#™¦
}¶ƒýBèã]<"œú|…äªÌ%w­Çªe®¨:ÆærIwXÕ;—hÉÄ9uŸýmêK/:ß*zB‘R·è–…á[7ƒì!M .ÁÁ§CþèHáÁÛ9¸ƒG
+Š|LàwMBq¬%£ä”•£¸rÙѬn?,ÂWMg÷ŸŽRê:l}ß>Afàúx§²ÜwªÆ6kÃè™<ÖÛ¹èQÑ¡¬•,Bä»ÿ¨jF;œQ”kÊD-c›iïú>½”Ï“_B?HÑßÓ¨åw˜çÕéÿ™4«Þ£·ØÌ£œÃ8M£}âg.î3{úB†ÃçßœI‡©ˆ¼Ôýî²âkØö5>}Ññ…8)´îíi×ìí
Éâž#E$HB5Úñà!þEÀFýÛš§—6×]~éËøÔu>
7Kê€Ò#8ßPN¾p{ˆës…QÙ®øºçõëóŒË#:GsžxÆ-‘L}×öv©†¨*-f ¦ £
+ô1qŠs*n·’ÓöTáÇÃeÉ#ìÊz"N÷ß?IRʲQÞíóÞmĪ¾|À¤Pÿ3e¢è0Ï¥~z*º“ÔňMLóšÑµîw°KªxË›ÅÁ•oWmÝ–™”0¦dèâÏW´ç—ˆa‘@ö§OZ{Uý8ž)Øð1cu³ÙzYFvHòëÄâr/â»qƇP]Ä^œY—˜•Â­¥nF#.pOé‹k¥ØÁÎõ–Å&gµ>N8t{I@Ò×û«ï¥½óC]P~øy¦ßN@„±0Fszù¹žÆÙúΟAå’½¸Ö9ÆÖåЂ‰÷Fð\"vrr=gqG·ŸúV<ì ô>ðËKŒ\yá…OƒÔ¦dÖÚwxS>´šw‘ÁÜFΡÎØ
+ìx†¶€…Pøiõî>»"8–µý$<;"ä
+SÃ	à.C¨êÌæ~-÷fjóL£Ê°°’ÐL ,Š…&F€p(€~E]zsCW _Ùhv{.W~®Ï²éѬL´AÆæ}ÎñPô»xã1Ž}„¾lêMNõ”ZßÿÌX‹NsÊŒQ*’–lÜÂ@ÚøsEÉ¿õé &¸"cWžøÞ¶Ý2¨‰uÁ³¿Hø©}ZÉ×ÖçboB÷¼h1d ±ôãSÇgyK{M’®ûjÝɱçªjêPÿ%ÁßE¬„(/ýdåì݇_‚&
^|ÖºÐY!%/R‰Ù…ј/~ì²ÐÉpØõ5\Œ4¸N±:IÆ©Å¡KË=¿H7šdÀÆj2 Ç%L”™K¤”ŽŸ1íâæ¥Éq¢ pX“§gn«E®óÂÈcååµsr3dÈ‘m—격éÒ‚¸ÈbýÃÍ$Ҩ޼xETH—3¥ìK˜aGù5ôÖïOðŽ”’€i¡rêš	¥£ŒEäÏ
+™TVÆØi.ÌYs2þäìT4a,/h¶5béL}#£»“ªu4w)“4¯²ð÷ÐÐÎV¢øyí8Z¬Ôý†iDÊiú^ø%Ž/%¯N“?åžÂyn5f¸ÙlM_^LWïô-ÄRW-ü‰e²hnÃŽ¼DcbúÏ8‹­G%Ya¹—9öÝ·!nÕ0á¨%î¦bQ¯P_sÕxýž¬¥¹¥ÑP¡ïá’*Í#s‘÷ô¼zgâzÈsŒ9^™Ð|Úß³ÌQØIJ’$ÛºD$S¾º¬ÌÚƒ·Â7ÉÍ%bå1¸f]èc¨*ºÄÿŽì÷I­\p_¦ÞÉÀh]*ä«ê0´!ÜS}-$Jï§~Ò’\s†ãZ$ºK™—ê#¼“ÕQ~t˜¶Zn¥¡ƒÂÏmzJ5á*gS\eu_:,û˜‚¸¦=ñvZµ7Ñà•*åC=©ÿ8Õæ¹Â•qž¤ðc±½ýµWGKÊšXÄ.~¦8
Ð:[¸Ø÷ɬî&¢“è9õÃý¬o‰×Ê>‚ð7…r(Y#:2‡tl9y¾úr¨Þ婤½Jš
+Û‡
+X¶Šè¦zU^Ï„Au¾wߺ>a%Çøo£ÇšúZW0¼„…Û_Ë'fÓS€WZ¶;oÔ:kH{Â7ÿ\Ŭ%vè´æxêJ^Ò!Tl‘ñe‹˜Ñ'‚ý¥ÊhmTŒêaœÎu	µˆiîiäà¿¦×è¬öôÈPKœÁÜvµgœä‚!O’‘4C£b„¹\SsÀHd”§>Pr"VÈ/•Š4%þŽ/ÓÕº—‹âZK{ß .µö€˜4-ê‘3¾˜g/„)KHlHÜ(K@A“b²Çægu‚5Ø_î‘ŠXõ˜ëáD-vÏrÐÅ#Îoõ~i^Ϧˆì)Ý(w§¶¯W¸Á‡Œ–}ÿ]!AP±ÜŒ¸cÅÿÒæÃŽ¢~¾C¹ÕQ«ÁeìyènÉ‘>õ„2m‘~ sù6¯°mË„¡Ã_°L3ivœüj¼ãSB}Ârå.ô.ñLzÊ ¬,7§Dœ×š*Ë[+ñµ±Â’¸¾ÛÐþö»z'©!(n7p>,œ€»—ÚàÌÓáÛ)¢Æoa«¶0“É)óZI]ùÞíµÚkOM(ƒló™à«'PÆá;½°L~Uà™oٰϨ#:êE"gߌÿ®Â©øÛÀ˜è'5Cb…‘|IË-WW)’|
ߧTóã9¦(£MÄŒ8A`-Ϭ‚³ 噥ÅQ蹉ñM±0Æ…»~Ç}SZ/Q`Ž¦yÈŒºWÅt‰„+FÝî
+ù8áÎ|aU'+› øY7‹0=c;³2ùO!·EÅœÙn¯±gÑŸ3ØP#BýÌCK©=¦\4‘ËïäSÑs©«Poî|Hs&¹(çå"IåÃ9¶”#–ÄÙ=¸±^炙Ý,¸è&%¦ý~3¨ÙžìùqŠ%3$Ö»…Ô(ÌöÌS
êì÷B¼Ì%3³VïÖac²IšZY¢Ï´¤+‘M&“¦h‡O9nKïØøiî@GŒ\$`—Ç$yë¨ÓhÛå‹~o³
+b똣å„ËÉg”dúsú`‡ÿ¤±XçðïÒTa¸ï b\I©ìzÎìšDmÒΪ6%&îU@p¯K¢õMyž0Ƨf^`77+ì»vŸË×Ýr鄧śiyjÆä±­[@äÂHÙÓWö0øJ¦„¾hŸÆµ‰Ó-Õ}æC­4Œ•Á…_z/õýÐ!è˜"¯QÌ÷ó‡êÃE½ÚÏOò°ýŠ$T•ã&¦Ö©Ò‡:åÄ_óŽë+WV÷íR´àŽµä«bØiÝʼnPiò§	F…TÏrIƒŒ÷|¡ôÓ31¦6í¢I}¹âñØØ–kΛÓÒëIÒ©ØŒ´/ûŽ±!ÌxøA[(ø/JÖe"ÄÐöÂÎåÏè‡þG¹ß¯öÊ&b^Ó|OŽSŒÃ\Pg…ŽzP(ùU‡¼·ÕÖ¾®ÓÔ¡èÖtÓoÞõÊ6mû'éÊsXSªbš^=3l|YA.hTÖ~L"yÔ]Ec!eÁø®¡$]Ürù"øF¹«VlgŒ(›ÐŒ9BM
r>Ðö7Ï/Ýä¼[Èab‹-º­Á%«nE) 2‚nˆ¹îÌaOƒÙ§­="3,uΡôS6„dÁàÒ9{ÎQ\ÓÁ'œ…™<n›[ü‰³°¥9\rŸÝ!c$Zh\Ø/÷8‘l'^T…Ja&~ZÌK€vM´Ö£w…Ð8²9ÍsÃÛ	¯Ðu£I–Ú5¶”Óè*r8¿×w,TðEÿŒ¸Û+¡Ö.¯ñ6ðŸòùñy…·)^^Ÿî²ç,àv…DlÀÙt7«<«"Ë Ž½vÂjg
1q©«ã±à½?wÅ$Q]×UŽ^nŸfP:ø6ú?Ð’7¡‹±KN³Ìm—›"ýžãÿùzûv/K–ßMùts®x!ñW¶°ØÑI¡–q/	ôåÅÐÔý¡!+¨"J't”Ù·©šX©5ÍhÒÝаý>÷ÅÑcÎÉÛ7û&ß½]Ù)·^`ö—Yr±cHó#
+AhŠºš’îb>ñúþ±]aúÁ(Éè\PW»ÚwYÏ!>ï½d±Q‘xÅ
PÖÌŸú’_£DΟ?êôo[-‚âÑöÌt÷Òì\³M{äs¶S ©+GòÝ¥Ó,—©4ÊWNEvÉʱ<Þ×ð$§\à	/66ï»Øþ‡?äÿOðÿ™-èq°:Û ÿ½
+Їendstream
 endobj
-1052 0 obj <<
+1062 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 34
 /LastChar 122
-/Widths 2236 0 R
-/BaseFont /CEAVCS+NimbusMonL-ReguObli
-/FontDescriptor 1050 0 R
+/Widths 2249 0 R
+/BaseFont /LYZVZS+NimbusMonL-ReguObli
+/FontDescriptor 1060 0 R
 >> endobj
-1050 0 obj <<
+1060 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /CEAVCS+NimbusMonL-ReguObli
+/FontName /LYZVZS+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
 /FontBBox [-61 -237 774 811]
 /Flags 4
 /CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 1051 0 R
+/FontFile 1061 0 R
 >> endobj
-2236 0 obj
+2249 0 obj
 [600 600 0 0 0 0 600 600 0 600 0 600 600 600 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-974 0 obj <<
+984 0 obj <<
 /Length1 1606
 /Length2 17112
 /Length3 532
@@ -10593,104 +10680,107 @@ xÚ¬
 .†ÖF#['*€©#ÀúßÀÈÎÖØâŸÒœèÿb	9Nö&F™¸™Øÿc¢Ø›8ÚX89ýýX8Ì
lÿöÀÙ`akdíbüOõ¦vÿJÈÞÑÍ_Û_0;'g'#G{gÀߨ
 ¢bÿÎÓÙÜÀùŸØNÍ;Ó¿žÆvF.ÿ”ô/Û_˜¿Vg['€³‰»ó?±MÆNöÖcÿ³w´øW.N¶fÿ•-ÀÑÄÌÀÑØÚÄÉé/Ì_ìºó_uþ·ê
ìí­=þuÚî_^ÿ+g'kSz&æ¿1œÿÆ6³°…aøgP$mMíLŒÿÖ»ØÿO›«‰ã¿DùÏÌPýMÂÀØÎÖÚ`lb
 à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;ÿ^0€¿Æ øgÇüÿ|
l,¬=þÞÿé¨fòïÿO ’ÎÛ dkö—
-FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ƒ¼Šš²´$ÍnÓy)üeÝYÙÃþobÿ£Y;ãÿ%üƒ!,lçð¢ceÐ1spØ9™œL>ÿ‡hÿ‚aú/YÖÀÙÑ õ·dF¦þ?¾ÿ’tþ懭‘ñ?S¢äl`küw°þ—ⳑ‹£ã_>ÿu×ÿü?帉‰»‰ÌÚ²O°eú¯ç:ÌÜ‘IQ­>&БûÒFå¢ÿ»^¿ôð]®JýÏÚú¦iîïv¥sû¯C)꣱>kŠÞT“ë|<ªþä-òNš£@ÝRøŒµh¯›E™0MvFÕ£½IÅŸº%ŸøÓ,ŽP7/Tþ$®þh¤Ïö¾Fi
qè]HM@(u…çäI§/ÏC¿GG†{ïÀûqirâ Éx\ÁàÉ£ürp4U*½"¨—Ž3Ç'­1/ÍzG$91Ø7™Ây¶*GÜ|®1ïOåñ•`GíGˆ\.­=û“æúüq†;÷šLÉ»‰î«;¿ÐÄ“n\¤ÎõðÖYNùÜóÒ1àL—ëFb$]#b²ûób€aOžcxwK÷ ‘„%&B™‚ºo"ä¾²’UÏìU(­Ñdù?ç
‘îj\I‘näQÒ÷í9~5\ýYsÈ4Õ;¯>ꪅª®c`r
*§Ž¾í1I>T
-Ð÷ª-KCºæì¢]•ß@e›‡á±Í	R©e7ãÝ8æ¥X¼Ýú^¯bª¿fiWã¦Ç6hé("ôæ?ü…$ØVS̓÷â¹-Àõæ}DJš2½œœ$~T’D™ˆ‡…:Nq®ó#5ßì"	󧈼ˆÎQჶL–­Èµðc“Êç؉/WöýîŸX2ŸÈÈðxª©-“[¿F7žsWÆ{4B
-pÇ€úâLV›‰¨ÛE°¼õ`K«Vá½Öž\ºÍªk:K?>1ÁÆy9ãd™5@P2ƒ÷Í°]öþ6Í(9Ð`®¦ ~Ì¢ß
+¹9y´Æ¢]’ˆåþJ¿*ú¨	gÒöK“]?e’CÌ(m
-D\ïN¤Ô´|˜Ǧ¡‹Uf¥—øŒÉïÀúÒáè
-ûÙ
£)¨Ž&‹"º–Qª86Æ…‡â9xV6jƒxlˆÊù†º’2–^ù
-|Ò Ä;c
g¯lt_´û•jP°–
¼ãT³mê=-ŽÙ
-	ËÖ	/¨é?&§ Ã­¤oø
-%Ñ]µÃ³V‹Éµ‡†#hižrX£2¾K±²Å?²©Ç‹t3V<«×üHl'}µ“œ7ÂnhJ권buKÉ)O^Œ Z5‰OßöÚÖ?ý<ÿs88z™l­; %ÔVæËŒõ”ððßEôÌH«íjÚ~öÖ´Öb}ë­MùñÍê+GÝq’Yµ£[N¢+C1¸Ë¯öýµgî;ƒBµÖcæ4vP“"d×sžåxñ^ÚÁ9O^jŒŸ»e: £$‰µåf~)Z–Tz=a“2¨ÕæSÐÞ»V›áçp"êcýK¹Wåã»/Íx=‹
-RÚ8Ýw>SÓ¯S®A˜Ç©ó-×;%¾À˜úeiH—faP$÷Då€ãCã&¢A†C ѾB&eQ/MN¯µÊQg¿NÊèÑ8o©­?²ËˆR(iæŽO¿Œz‹~€èßöØ°ŸŸÊ€ù#!Î4uðÏU¤KqŸV!rÉœt„Èä´n"/«åâPH<8±Ìà%!*áÂÇbhO‰†o‹›Cd¨· †Q>ÎN{©’ÑòíÀkÕÍ=ý.8}"Æî™Ux§ñ~Ê©jG¤SY¹Ÿc[kÑ‘pœr)h‹xŽ7ó—Š›Æ]BöTx¿0¬ÝcàÏ}0p²¢A17y,óUø‚‚¢·…ø¿K,ZS¥VÇìóK—Àd=ˆúÓ‡j €Ÿ;¢’Ÿ×¡ôã+J‘RPl3ï˜ùÆïy4¬Ôx_½´oõƒŠHÅÔ·vS_ü
AåÒg˜Î_Ý„õ’~w?@’4ýQîï(á"[Eq¬ã si5׳¬ÄÈ—D|ÌŸ|çå¸K¬m@e½)ÿø’–
-ß$TAÂrü—ÇDUËx,¬mCFË„vh”V¬èæÝod%·Ýͼc‹ò¡R´©kð97Aa¸ö<ër Ñ¿5{ßîRÖÀª—Öì6 °¿ÒÅŽð.Îe“ž¿|€³ÉŒÎ¤Àa;ó›c	ø1憀^Ñå݈2ð#"ÎúÎøYkK?¤ãž4rIt\IIÛaë°†;ÒD™øÃW=ü÷œ÷YÅ+˜©rM‘!ˆÑ'ëâ§λ‡Þl
è‡ÕŽ¿MZaÆ©wO/ˆ¤ÿä‘¿<y±Ç-û"å{a«Øçé¹WÑs<¨ðÀ%ìÝH(*ævØÃíý¢_õ¦fŽÏZ5X¥¥6­›Þj<ßó±/¹ç*£ÅJÏ“o“¾™ˆÒ¼¬¡µ6"£Í·@¼çÂKtÛF3c‰¬#«;¾HõOR¹éGA½qW/}gTHLŠ‡Ö-'¾ŸÔkí2„}ÆÅ6ðû{î56Ë!l<À-€èÇUq;=t}ÃY)¬8Ýø3yìáœ9oÙìF€s#MSþ‘»Ží®@§$Ùýû(§îºÑ¶±ý¯ëÈ>loD‚K{à[ì1_s©–¤ÑLâ”Z|µÙÿ‡L§/:OMz}ÈÔïKHï~-ð_Åt¦¶Ÿ ë­‹­åÁüW“Ý$ýAƘ¹ß3¯œl×âr,ëâ€y¥&0•²jmÚqý[„ìÑL6Qb~´+¹PÄ-sÙø¿µ$ÈÑ*ªï
¥ðÈOÓ…¦JûèY[éýSækŒ¹©[üm}ÿ˜Ð6L÷èO³[²ò½¼ƒëÆÐNOp:„ùHïä7CĬ“ü]½yî´¶ïïÃ>Õ“·aý'×M½®qêäîbà_w–
ž]4ðÚÀˆ²öÒøÞó¬n+: §	Ìô 8û›cÑJR[2£mXÅw‹}y7ˆ×ÅLeD$ç,?Yh{³ÛÆBÅΙki¿ŽøК¿ Ø1ò°ºŸ;eó‚T›n|˜)94µ9uæÐ¥x´	ƒã½R
->ç³]æoM%„£¬ÎG)³‘4°ký‡ïbZ~ø ¼`_[hã»8ë<¾4²}$.îÁ³ÖÄ‚(¥ªæu†&ÿaÜÀ™y£Û2¤³‹Ô»¹T+ªJÀҙçÍÁØØJJ,šëò¾v\TP‚Êü´iÚõpÃsùâäFáã!ÌnT)^”"²À±R'ºƒÀ	q)J‡4`¿s]¼ÉZGâÒÒœƒ(BÖqˆú(““v&ø­3UÏ‚Bþñè›	™Œb‹Zˆüù Ir2Ÿվ¾îÄ›7ïX)c¼5&•‚OϺ÷•—2nµÏÄGýÓ¯?74¥Ü׳
Ž²Å­Tj(–Eãs‹ &‰Rð³ÐѵL‘ˆÁ3²pæuy6©Ì7k‰¨‘}¤TêÄoÊ"´wÂñls ò­Eâë2¦'jQ®,ßéàHˆ]í„äÛct?	ÁÕÑÊ,Ga³ýý¥­Ý2^¤d0•NUx¤$"e`à%~7*ýþ¬Ø挭©Ÿˆ{cÃl³?hZFCH7U£*´Ü‹Ç‚Ìy|±°8ô.šÎXAÐufóË ".Ä-_Z“MÄâë뙤—¡¹Â‡Ý÷í[áÉ\DZQR÷¡ x“à¼K)Ý)‚pÊåDÃ’«¼m“­HÁ•<¨üˆ´Ÿ_Ä1ÉðkH/·)(_|ýû2ª,B³i‡Ðñ4V®ÌCøY¹5õB2Ey»…yö47£h¬Bù\=m‡r94ÚOäjùãwiºð_w	ÎvMíð¬òüò[°4ê©—Tÿ³š™\Ó¯r»N1†c-8!âΤұtzžK,בZÅ5…ÍCÅg€„
»öˆÍÐJÎÑ=–|üËÊ,u‘,Yƒغù‹ÑîÇôBÞ¬ƒé\¦SM„L¿ÐÛºp`i5U])ÖìUæt™PÚŸhlA¨6`¦ãqµ"~g2è2êþ6d`{#Cn³W!Ïw¦I¼Lwdk J)ýK‡"™¬ô&¶ºV0ÀfÓ¡?þr83)J‚$È4?$ àE•´Åì²›¯:Ÿ
-Œ(iýŽà-º 7~õSLcüýkÅ!.0Yü:7—
`hPêoˆÜä¦ójÂlƒG¥v‚j»8Ç«Á¨›ÕäÅÆ6nÂN'éú3ÑX®ÐH¨Ïü%›zl½ýƒ©´T~Ú}ÂwlzŒ(D:ooV¯Ãúe@Xrݪ#ç‡d4C:«G‚nxŠôÒ¤Xç©þƒê¢dÑ^øÎg’´k½›Ú}Áîí{åÅÄõW·F°;ª¬ë§Â×òh`7d	H—”µNº’7G«5–-™¥ÏÃ1‹†d
®\É(¸¬®&Á€%þg›	R¤q[â’ÖÀ.Ê¡\ÔýÔG&ùƒÔä1Gô!ríØŽHÀÊÏôØD¾!eeÈ2¯ª
­òûôÅ![é@8Í1J©áRJËÁE·¤]wú³{D1Â_¤ Ó¿’²\ýz¯ö §D‚ßìñ¯Ìd$!ÉÝ–#/û$ÅVrþlAŒÕ„ž­·:@¬RÏhV‡ƒTW÷ði¼&ßVQžb‘¦°$Í?^ªøŠJj ¹vQÕ±:³´FRƒK«}ÏGL©ôÐ÷±ûûAÜ8€)dä±”Z®N¨æîuQÕw_ºLã®páý±•¯ŽÄ—¢9Qök¼`EËih[úª•³Á5?M”õÝãõû
ØÃ)’'¸Q·*ó4yΊìðüC[I&«Ýrx”/Ø`x0…oÝûsËÙsïsìêƒø—弫Œ诗´% \˜Ò„-qBÏÐá¹	†^nu^CE’¡ù‰ÝĶAµXþ¤@á¼ömÿÒ’JÀf)Ë‹MÞÈRÁëVSi•#w6VBÐù£®QŒßk¨£1#ð9‚ïq?ô¥VAØAÿו°¶ì.Ü5.óQøw¿­'zÁ7°…#|ÝX#c½r"ëòUt™îÖÔRìáϳ—åd—ã0Â{)ÒuŒÉô˜t’’•û6°Aêõvƒz»§ö»`~LÑ%óÌ·«š™,"QW½^CDDûa.˜ª¨ƒµ
ÜöBŒvUÛaÀvæƒ~ç÷%ƒ#™D@¬Êž±H•e—„7tà›¹¬6–O_pãÊÑŸÀ)ÏÐ÷#lžtñôË.jLt•¤ÍÊv)nè>¡á˜T‚nü%´öª•K]^sõ'lÙ²k2]¿÷þ5#Ä®j@o^'Å|³ÂÎp?èÅyIß»7ç ¶ÞJ\pA·F¾#Û÷jYó\a@D‚Y>›‘Sa?
-)‡¿ÕÖÏéÛNÄD]*¾ÔŸæ›õ·
­‡.kÙõ£a ü:ræ\e·ûá&ÈÉDŽ¿Œ™%_$$3}9šü• Š8$½¬€È¢þàÎg×™„¿ZuÎÚ8רË=~³a#›L]gŽyiðÎ+.ÐÇå‹6{™jšSksÀ›ø¥qéD¾~Èͯõ{Ó·Æm'¤v;?«A%qÐ7ú"úpM°!(ïx[„Ô]Ä,…u‹0~‘—Ý›°ùot…ÿ‘vm¸oŸÓÔ/˜àyÝSÝñ}Ó"‡ÍÿImñ@üñ¥Çýawú™¿9Zôèý	öI„÷,`¯ImJ/¿!UÕ†[ƒÒni$%µÖwjÂíÏ÷•y†’Úª? ü¸Ôî¿¥8«?—ÇÍá4êµq5‡g7¶}E¹l“lRŒg{©Ò2±°Ÿ.nÇL^ªJéˆYç¹¾‡(Š©?fÔ2ciÛŒ<¦É¥¼""—@ƒ Èí•Ú!kŽ	5+V=ÑÅQA+žß͸ÒË;vƒô%
ÎFº+s*)¼Xs9NÛß™üÑ¥˜L¦ºÿ[YÛyt¼ÿ²ô„
xÚ:tés®`	[Öx³(³û¥šrvrÓ vÝW+—ºù.myÙï=Ÿ†Ì†Q54ÕxÑîÊa•Ÿ‚T`ò—`È	„^3¥>5¥UºaÝH‚c™'x‚.löÓ°g™~»uFˆÄÈ8ˆò€bÿ.¸%Û »ðPâ*¡L;.w_÷<Ê/¸‚óŸ‡o£ov£~8ù8‘ïV¶qãf
-åÚ`qÈoa’:Üà}ÒË’àóI¡	Å¡H±`í ¾‹¢R¯u²Í3}›’«˜Œ(-ž ŒßDÇîwëôêé‚t­»Ìt«Ã¯W¹4#UâRwXPƯY“4ìg·FRß vßû<ÔxP>†uÂËe&+W-\O+NcÓÈ«¦ˆdÉÊç°Ÿuµ‚^¸Îö%oH¦£¾]ü¨G,ïjçís”'Ù#~3’âø‘JÝ’J¯E«N²A»‘_lØÙ1U¶c3 ˆ¾G»m+–¦VÙû©|¬-íÛ`»õ¿lf³$Ú«ôŒóÌžÕÅ›±Ëšûvy7ÅtU¯Z¥lÂÙñÏ,¿ Nªä@Ëäþ‡¼%NRs¦P†[¼‰P?ß”ÛI¤eo	Õ
wö¹¥@´!è&/Ä8Ù×öÐŒëÝñ‡þî…l<œ%š.Ò™{A•£@lŸA µÆ? wR,»SQ,H›ÀuQÚå¯>¡UAﻵÔ/£²­™Ï&/Ö…JVíù9@(üˆõ›œÏt\ F;éœt­Ha|þ­ZÇ)Ýb®4¶H„¸îbtÜ©.
-Dì2Çüߢ¿¢‚IÔnèEYÒÒÇe)ü²:V ùUš>иɚúq:…mɲ¶þUñNžY±B§Ýêƒ&³Ã¼]Rý*ÃŽûý=*n…ѽKv„hf0ó;!ØÅ.&f«RÚ„ Ï‹ë&e¤ãe}|“x$Ó½ââ;£kgž=çyÅg©Þ+a…¶’û.Î)†Ú`NËiߜʼnW«Uäç*i¼/W6æø>±§“ t6ó –p2/ÉõÚzî„øÑ=h>±`
-n5TÁšëÑ”’ÐX"GEÉ.4–ú&µ¼ ØØ…'Àú|€PÜLêar	¾0N1fo÷í¼Á¶Uå"‹*0âù$]s¨>ÓΆ”'â¾ÞÑØèÝf6qì©)¡}mZ€šÍûIÄN§
-Îþ@PD #V{¿Ö%þVõ|3ùÈ”JE3)&Níð{_’ Êm3™Î1 oåñ S“•/bì~O«¸8/*™Œ²éëíZφä(.Pÿ§žÏdÔö¤¾X<é§îrî9YJÛ)E抰z6Ø/v0
¡ªD°¾T㹋˜€7ýP“Ú¡ûµ¿^¶û°iDØF…ṳ̈9Ô\ðØDˆ“Ï%Ë;¥Ø—qëŒà2ß œNý.¶8bWÉI0Uy®ƒÎÈfPw³‘ Õ8ŒÌ"
Çsäs
-ZmØFÐÃʶÞïPhzI÷™ð€*qaBrÒ·Ø^ðƒMâÝàí-Õ¨ô¡À˜å®™ÂÞžÑÉö>u¼‰ŠÏãonŒ{óæâ<ŠéU¿˜f);›Íp±OË,¾†ª™ŸÔL~‡(ÂJšWQû¨
-`þ*
ÎŒÔÀh0±ì$(]J+?!uR[LGÓOÁ
->DGÓyØ}—(l
ø &‰åSß}fÄ	†ù©»7«ôÖÞ•ŸÑ;!)îüP_©cEìì_Ï“Á’TYj¥àê§ïS({	çÑd
-±
éÇ¥µ¨ÿ‹0Ò±«ö¡`¢/³I	Ph¦€ZhtDįcÅxBkô¹õ¾z힢Uˆ1áû-C^­î@\’ž¶Ê#f„†µ]òOÍÕ5Ñôh‚˜CGÚc(hƼ<@žðŒe/ºˆ¾]úyèŸãgT—–B„W‹:ƒÅ‹"p+EŒŒûE|ë7p<*6~¾R—”{N f.]Æ&‡•è…MÀNsr'=d/UMzW¿¨8ûÎ=ªŽ´n¸ÚvDôÓM=×ArY8sœ‹ªf(ú²"’å®êvj×;¥ôŠË7/“æÖö¹]Ë\Ù”7Ùë•azgòá¶gÌ)RàÞ%H}!³¡i°Re<Ñ 7¡%ý¿¹a¢d:£gteµIˆ­¨*’
-‡–oü‘éO' °xd"뙂T¯·3z^‡ø~LËÿ¡IÖBcP/giй.^ÿâ×úÔ¡/jƒX©ÛQÕ­€ÒÆ-Ô¦4Ê{Ù·hïgZ¼'ªF§ó.²$2ÈÙBÆúž07êÅÌJFØ“|Àmv®å·Ìù´"Ëæn0jª8xB¯QÎïïˆþ”âÞþÐßÙ«À|˜­jiu›¡lQæ5ý%ßzÅŒãÎv¥ú…>GïÀ•Nv.óY‹=Šð ðô"¦k
¿E)û›™,$i{;vÓSëœ†œSW¿BPPúËj…+ýá{ÛÏáûg¬ššLœ/
-¹,6:üâƒ^ÔX'€å9U¿œ‹fkM6¼¿tî˜è^‚(Ò2g¡I›yÕ²˜RôÓ(.ãcÃÿBM¶SaÓv¨‚/uø¹!&jìdR¥*ÿ!´BSJ‡ã !DË¢FT=B–žýÏm+›ä’…0Ñ¢­½ãmëIÆ}ÈATZS¾Ø ûú=óÀrèƒ!÷v§} ‚ü
|8âìñ,¼
-
’¦ž~o8LÃć4»DÜ϶ÒlÊô‰'´:Y'ϵ:X–¹ȃKKÖr97…üdé2
-{¡„Fuœ·3žÍÇoÕ‹Ü2C7§jy¸-Í@Šæ,dL//¢„KàôÌ°FYîÊ„³Ýþ9Å™êVþ©\ªGôZמL6ú3‹:—g›:‹¡RB£–†‘ž/Îç»v­KH©—Ôï[¾­mÁò¥®S%{ D4ÌuBÞ…ø,&ñ~‰‚F?Âì–\WöÉ¡r€ägµUê—ÚqqÜ6Mgy0#Ï•`¯Ô&Â~Œ[¢é°ŒnÒ#u"%`£–ŠžÏr­çgäeùÝy£ç#HZ@#‰F•Xý”ÚèíTÃl’Ä’2”XÇQ[ľN1’ÔD͸©ØÎbÜÙ{òdEÿÍžó¦˜ßTŸß¯£Y4v̪ߔcƒ>´ã¦´ŸÆ½;åø³U>.Y'²–¹.NŸöLM-©Í•åÂ߈¾x6·w\uÂTõ *ÁtÛ©X„ø6‡{AFi
íDñËèŒ}âýì¬pK?N2%-MK2{%¾,æ)ÝPÍh5WtK¼˜/ä%‹(ü¦„¶âVÝ?Èþ¾uôÎEšwž]“¨Jb	$Ùd+¦_wZ+MVÇ3”Fíh¹ÝG{>ôº0¬{ðÀ“[^ŽO0~öãÊô`1õYû
-*–÷oz ×PýÚúŽÇä–G”30¢ò
¡€?Žê)^¿)’£Êw8:B-sìFDò±û¹Õ.¯ýaËmwñ¶ÀBUôz8sš3&¥JÎ|ñ$¡9ê
-¿’ƒ½[žBš´¾™Kåd H*ž±yÈ"ýƒßýzêXê>ªµÌWÕŽ“Ѥi$&N“yu°BIsŒŒÓoLª¸IòD·»ñŸ’ÆãÇ•ÑlèE)÷—¡OŠÌ:˜¶O-h/_cÂ:u*	ý ‚(ÖÛõî9ç}y}F)ß×]>9]¾¬šæù%†­Ž8[pµŠ Úˆììˆ4eAäÙoÀÄÜ#	Ò¹äY¼I©[ˆˆu÷Ìp•)ÁæDÚøõl¡ù})¼ºjoÌa %h1•l­õíP”Eöd¡‹#ò!Œí±Y‡q4NaB¢#@÷3ÁÜ´*ìåFÖ‡ù–[>¼üózëþ2‰ØMÌDn…ÞÜwKØ¢Y(i£X‹ßüƒd¤ú9ò ¯L,ÿì“^^ñëàö­ÂóY%)µ4ÙZ\ÔötôÕW¯ù­i
¢7,qK“ñâ”-Ç?ÑúE@•àë#¼‰&+ƒÄ0¸Ø¡¸04ºœ5Ö–›ÿë“WåÔ/¶fLƉèß‹›¥0³Å¡u±yØ°Ðu:¯Û{®[’ĸ2Ï}’ cu¶Þ÷²' )¦Z`‡`\… c¬—ÖÙ±{OÑØD°Çré ám;€¸LÐl}
JÜ„Ž6‘nþ‹‚>°§nºxŽPc=‰6pÊè)L[‡+»†%ª}'¿P°aŽ‘45¨lG½>(ÅûE&-#Èkií·jEüÅ×Ö	"ŸûmUó˜SvL„„§=ªA2Ÿ¶_5J¶Ôø¿ÒU‹‡_O·V°mîl=
-æ7ÒÁÒq3‚`¦	t.Ó„c‰Nä•×wíÝZKGº¦Ô›.(ðÔà^æÕ—w[.,ÕZåŒ
-cGM}!;4šÍCnœ®2'ÖÊïìù®? Œå¯@9ÖË'Ñ®æp]CÖ-C¼Dû]QPÓ-}yhÎëzqã©Ýcô‚®ËÚ+›ß™A;tocšn’Éæ¤-O‹ÛÃWÓ•ºžÛóÛž:]‚é#Â_fbÈ°g‘øÌÇ
õPŠ€Ú†ÑPÅŽO£ªõdU “ï6dÍpŒ‹bçÆ©\¦©Þ÷Œ­;£&{"ÿÚé,–ŒO_»ÔÇÐ9V¼47M=ÍaÍ]:mÎïGAã›P.4”ªþ3€ãd—&•É–è*HfÅ„÷‚¼M:ÞÌk(g
-4–·öÈZýjHsóG··»èV
üY).üjcPÌ¥’»nÞÝtïw¼RÓTÔBÇA4MÚgw†çsI2½¾C®æÀɳ/™CŸÈ<€µƒòðð½·J'“8.}äjðg$Y[ì3úØ“ü=¸	ŒdÇäRŸ\4˜Y^ ßZóÖãD`LŒ³8äûX‡¸xã-·òú:Õ]PUˆo3‚¡©q¢ÎÈí¯¸âçü%­F~Ÿd¡Ü17br'ÓP¯Ú.~ÈFôêg´ªš’í2\x%ÃE…§é[#ùÍ[8‘çðÞÞª'Õª{±ôV2ZâvWùS×ve?sL¾d5׬¨sôßaJý.–óÌê0Í›øñ(#­FÎv}MD"]˜2?µfÕ_kÜ͇±MÞí'–‘nÇ[ gÞi×ê¨SÖ—¬€ðp:ªÌð/šEù3/ùkÑÍ Û1Æ•U
-ŠéÑ:kÅÖ ›r}’õéŽVbbérªïHÎ7Õã³ßêí¥‹_©¼“×2[ëAõ°çô­JCRz!»‘<ùq3mÔ¢W[M0hÒ VÊíaL¦3zb¥ÿÐCNãú?O“lVŠšßÍÒ4Øë>Rj•·•ÛéD[÷87ž9(ÎÔ ëR„Ç?Jáf±;V¬32Ýy‚¢ÈÚ«òßü2ž°é:;QU–8Ííx„µt¾n
-vÚÑKâåÅíÍÓ¿½Í~¬?קS§ÎªôÉžµè6.¤K±“H?R‡yþnv8Âax9™:¯¼&ýµêo<çßb%ðórÿDí;Ú%§1M–UΗUÈÁXÒ6G«NJ"€Ùíì£â%Àì”w¶ðtý—_7×¾`!—ø§‰×o>v²|îÁÈç™±ÈBu:ºXXv9’nn*Ç÷ÝŽ#*%)½—-“u¸3ôž¶ú¯?N	`
-;ÜÆŠF¸*Cb&Znf]C¡ÈN‹×6Á.þÂÑ,	èW91£ðà«iK;m+úbTèSpïGsÊuÊkÏ&ALH^Ö™FV{ð$	ÝkúÝMbxáñå6ÿa˜ƒØÅYå›a¹5°þ¦J0Ëšëö“©¾é™ý¡
-Ó†©"S—Ïz_¥¬Sþ@ÎlÀ£ì†D/®¨÷þ¹B­c0ˆb(	º
-ƒËsˆŸ.ÍÏxP£þþ\næèJµõN*·ƒ7A—^…¯f£èïnò˜Øc#ï|<ÐŒ¹a=íÂèœL¹Çt}N9@œí2ò“º¬ð;ŒÔ’`Ÿš瘓gÛ–»“(kw“Hˆ«fz#
ü«TU5aQW.;ì§øtÁTK!bñ6Û¨Ú±A2®Èü„è-£þ|âáŒMÍU5j2~áúˆ^]i‘åe-·¨^žÿWeoÙ~äèžÞÊ„×Cô®ïw=	ý²{ì}Åï÷šNå)àÒ„½\Š*‹Jò|±WŽMí¡±Òøòo-	kÈ“èZ±Õ6"Ù™þ\W7ϧGÂ}VÁc§Úª4ØXoM7ùwÂá›P«cþÕ’Ûl{lY
B‰©Ù/šÌÝÖíü¾ì–­˜T¡ÁÜ?ï°êšš+‰¾Å’Ñs­êŠGô†äv5¶ÈÍÌ?ÈÖ§éBÄ<wsÕÆصŸ×ŒD¦¤9	ߥKòã_Ý»›’«á`Ž]}‰µñnÃáhDÜÀÂ\É&*NNk…¤û0œ†»™¥
›ýÔº˜Å9}­Q}lêœDª0ŸœÛj2wü“¯µJ÷‹¡œéÃvµvz¬,Æ}úè"öìijƒŠyñý›·î ’±¼cæOˆq¸Ìpãd:3ö¬Õ¹$c¿_W#ò4ºÑ1¬ç¥†Á	z,8ÚÈÕD-æ h•’ö5Cºͧáƒ_%wÒªu¿ â#¤Ç”g!]7¾ô/BŒ]eh©IKôŠ2¦WTŸuÊÊŒk84æÍ¥0Ç‚AÞÈ;b•1b°mÍH;í>nôÏ¢ÖRÂ	/#NìqHºà0gÚ…>tí°§Vûa¶ ˜/æöŸñü|¥sçYà¨q³Ý,ÙŽÆ™(®”	¿œ^õÏ‚~¢­Ö>ʧÐÃwHv«;ø´þâÎMÌÿ$ìe™´´_ÚژтX–KµÆZåÀËÎ)\uñ–Ã2îvKËý XåEÛÒ7ÉG’”¡":1£ëVG½°â”ÀÑ&–Ê(è1ó›Û9‡?³3˜FÛRâåGcM-,‘kÖ!í¯±òÎuÈþ7æ;r…½VÌ+r“l«á¢ü”
³˜¿4{k{#í"øKMaëb³y÷ý©ÐØl/W^ïo<9[<˜W(§H‚I§,âkíŒ{·)G<«ªfÉÝqIbÙÈKá«J-p_¶×&,xÖú~Ã!C‘FŠ‘Aã”Vh0–à¼ùMeœ·È¾„B‰?MÓQNqXA÷žŒ#´wøÏ4æm¼ðS"u^5^á1vÛv"®3P£ÂîƒÃÂù^Ú&5ÄùïzFƒ@PD‹oŽ+'.ë²Üãa9…@4uÝlXÃÇ1ߟ¡X3Žª‡µ?c(µNn¢--0žà1ò†´Ñžácó—W¬¼ˆÉâL¦â™w ·9
-Ú…W¨•fI•M@ï±–KÉ­7‹û)Cc¢ïS`…,8'Îl[stÂ<¡\nc«¡T&8Ñew‹¹ƒã'}'ÅrW÷ ŸMì7#X1nfœ÷
~¸ŒÓ2Û*¡U§%›ˆÁÇ:èDMÂ|Ò.Ž«ªˆàc:š®)IËü*ŠÎ¿žê³Â:rê2:Ò©iWLÁÎ=¢wßÎÙàì­J5 d'XZ;UïÑ[ˆÉô+j£"dgO5!nYÙÚõmÒ/‡`ÈÛZ¦ 
Ã9LcZp)©Ê›ÓQ$7ÐâänX튌X,ðO“˜£Òâ'ؾe6\0˜`À2ÊâL—
ÁøÁbÂrQu
-ºâreA5n!Ñ…êì]Œ¨ÁºØ»‚õOWìõHƒ:Ô…—‡uÀÏk2Q:ú†Édf¬š¢µ‡$EÏÐï8f±æ™€âNØÔ@Gœ¹}\=ñõ°¨öˆ¨‹¼_W/nÀÄbÛíÿ¸¯ß0^8U¤>¾û=O?°g›¾U̧[aý;óþÓSX¦ä”gÚLÁ´·¹‹.võ@/Ò&ÿ”i:dÏk0G£u¨ð“rÏBž7gO‚w üúàü•–”À‰KY&jøœ7¼r2–á°WNÎxëh“õÒ¿Í7§LŽ„×VC@]ÒÖóºÁ*óë-Å ÃA;}üvñïiCU…—.úZl¬ õå?²ŠcHÕ¸´Ôu½ö!» »†ó±œW‚Ñ/ðó\Hvq•bf€úOÕy3¹;¾Ð¤ ² ÜŒ°š'ÿˆêIܯE|Ÿ¹
š­p:ÔC9èc!¦²VûCÕ7òÿ2]„2ø²âª³ç½ã,}Êø%(ê’r‡ɆfQþÏÈéª{ÃÅ3’u7õ(;†>Dî`…°éö'xN°?1jaóXDOÄOTÕYe¸S;&bïæ„Ÿ"=_ƒÕL+Æe)ëõP
-gŽ}“ú£qÍòÛ¨ù›ÂN•¥•îÉ/­„¼Ÿ¿¨ÎwýéN­ъ”⃞êöÉ(ú˜i.ŽJÓY{Ê…ë߃ˆêo&ãX
-Ë|åT¬N!{¶ L•„«a` K=ETBÔSEÐATMb§œ
-Q‡Æ~ËJlQ‹Rü¶×ZB§©{g¯^x™‡¾m€ï¨LŽ1p%õïø×ké\¤~}ôO½Ü8Ûu·×çqÏÜV»ì*æGj¸ÙÛ9ýèOâ÷Žû’VuûtñCv.¯ÉÞ¯²”ì U=Ú·rèöI3	Í¢¹ØO7(S~ãÈ”‡	«ÒÛšt”š®`½öÈl/ÅY¦37›„Û¦š ;ŠôÑ
à<‹ÆN–T‘Z.!`ßêã…”´I¼M%0,(`Y³¡mm¡ §&ymr¦-åɽ.§æo·œ¢ŒEŸ¼B91Œâƒ!ÈD4B\\ò.½Ÿ†‡b.ô¾=ƒq™“s,|Ö?¼´~8£»»³­
-Ñÿž¶l ÷ö"•äjÓ`Zo…hbµÌ}åÏ0—ŸùoÎ*˯µŸÞµöñæ/~úÕ'Kü@Tƒ¯k5{<‹i»ö—ROBz@-+µyÚª«1èûŒÂ·–µZë¿ÊnòEp7âPi«ú€pV¢;g.Oã­pÈTA3V.ÀÙòV…I’]UAÍÊ&¯æwú{¥,¿f
-ý’OP\h{†!Ë/:9*ÁþNª‘À„y†Ý¢›¼~¸®<rÍ¥Ø.k¹áR\ÄKÀõ=™Ê³ô¤µéšàš)É 
-Ìó¬¤^©êzX-Ta’•éÔUÚjLØ–‡ÁPϲ‘ Ú€,j%‚‹Bè_|³yŒß]¶to7ɹ¿"Á¡ÒW¾7ÉÔ9NÙbdÌ÷Î2s—O‹D"—MêÓ†l›Ñc,Å=Æ/¿ÎWDk¿þ-ţø¬‰tF%ÿÐjwÕïS;ù^É£ñšo?ñ
-ÆQ'?ßœ†*×3;ùQhþà“R¿«A±FÌb<\gÜÝ@ƒ×oìfg,ÙS¿´íw*0=a{ æŽ!Ù5"OBŃð4ûbü[ïR«r‰2Ó'VìÖĵv\PjÐÝh«»Œd
­ªÌ'3çÜŸ¬ô£uªü”.ø¡×cšÎO
-DSmÝ÷dU«TòȨr7)z¡mYÅÀX˜Ä5ê¦[Ø÷ËÅŸ"f ‰@êéqD„ç™Õ'~ñHA[€‹Vû¤“õ^C
-ݓ׀-xú€°šNceŸ[å˥ߺŽ1½é˜Ê®aYÝ«ÀF5PYåaÉ|3ãä¡ïbøM@©Nyav.åh­nî×ņ®ô²¡RŠÅ—ȬŒWyŸ¦Þtƒ7×ÔÀOkB¬œC@ƒž©êo´dÏ “I¿ü“Z©þä}\žÅ’gÎBT…bM+5êõHzJžìfy®âq
-C¸ÎÞ•¡‡›û/ìë aLãdU±Å,[g¯úWСÖX·V7~æQÈ¢%+ð?éצµ!ùUè³Êk5ãø&Z£Q‚É
[äxŽ-b÷uP…#Ïñ¾†E@qIÀ$ä;®ŽVçæ$#ÜíkôëtJ€\¶p5žr„º‘¢€$|H{U¡øæòƒK]N}¬ò†Ÿ€E×D°
-FÏ-¶6© †Â	߸ŒçânVä^… ]šMg\ÔKÇ·ä 9·/£‡õü7o¼¾¾Ð¼­ÎÉSö'ž”Q®¬þ´òB†‡Òe|°ià”¸[‹_Ý‘†6ùŒë.'¸cä½M½åÕr\S>‚K䃔t§C稶h5uREæ‹LU§­Òƒ˜Oôz VÇ‹;¬¤'áS™ÇOXñË€¿®›¦™;µWEƒeÔ #:0츜BøUª,ØÞèb
-Òó…2pÈ^Ù†:0|&e¦Õ,?‚HFkJæU'ý!qÆYµwß³HžÿÔ«œ;…ª»ž–3ª[œé@—hžÏuãrnL‘;®ˆ=bªy7¥E>°áíîä=HøŠõzŒ³šâs|Ó߶ª`KA
-Œõ_P-ç'„HS
-Л¨'ÁÚæãy¿ˆ
Re†êi[‘¯²2Ê2ýQ%™ÒZâû®žm-c¢‰LPe³o“=ÒÜi:èÑ'Ðr^ùÑ­ßÔ{?z$É&aM%*Æð®iÞ	ïÚ‹š%4Üôí#6¼±
-´!;h¾þGáÁj2Á|O¸D‡?ûµ“îw¹´`ªÓ¢¿¸‚’cçÅò¢†‰‡Î·¤ÌaŸŒÄÆ툗62A»wÆÕ(†“Øs/A'viÙ.Ü]Á‰µ‚7*‹4¥'O¢°vŒ÷øF34§¡Æág¢O¿u¬.t¼“®rõ–s}/¸šä”ôÛºö˜#=ÕdrõÔVL­WVŒªÙÄKã‰éS.“ (Õ;ãh"’€}R>•lÏs¯ì³²Ô!¶‹lAËE:ßy&ôœh»Æ2©×Äë2+Ù®HѳÁŸ¨0An´ë‡Lš@°ƒy‡ß[q8^:ZËÄc hjð-¦B_¦–¨ñº€ÛJT§ûš5j9È«>Ú)¢Û»nSÑj=³ÕXër÷Hl_—rß:¯0)]F:
”Ùtë,,pQ£î÷s²•õÒœúåx.Þ!ª±…» šMdÙŽ%󌥢À>­×בtÍýh;ÑN}ÅO™~ìx[ôÒ[ ô)Ò`Ç™[z€Ð¥Ç;ÿµbä¸
ý·ZÛ±ýW=mVùD×®9,«Ÿ³e,ëKj}Ü üïJ¼,®bðýÂò3Þ2¼ ­h=Á‰U,jï%
-ìé×¾
Ä92¯kƒG`µÕÂKþ{|*Œ”)ÎêÒˆÁÄRéAîCêD´Ó®ïÒ‰svѬµ>cj
-6müÍpHr£\Ik[xi×$¼šÉH$S<ÂÐ]­H;"þÏ]…h!ÎKÙçwœÙƒaƒ!Wo§têQ‘21¸¦e}œDó—ýªM¢Ê&ëÅ"þçÍÜ1IpÅQè—{ØAÛ»kJ‡³÷4°6ŒíîO«Ö*“YŒÝ*³A"Õ±«Ì
Õ	r¤eKãùŒ©$a^Hœ›Œ×ý‰ÞFïNûé)•7µ»‹i?¦:
¤®ý§"×ñ—á
-¦y¼5âéx
Î?8€†,ÄÙ%š¼ø*%q$GÐ]È%\íðÀ¸¯±ÆLÆø¤z*­Ë"7›U0ž$¥¨×”€ïøq*櫸×\~ghL[ü	¢rñY{âkây9‘ä¹_­-¡„­“ߣ|ÒœZ¿€ë˜û.†zžÜbé>1aNÓßø–à—ÒK!5hI¾?K3²<áŸ,ÞÅÁ¸²Ü$j:=úzåmÈ_N4ƒ˜Fäûq
-°’胱«T«þÃ5jíaƒ"¯‹¬Î×Эô'7kˆ]ú†A§òuSà‰epÀƒZ˜%ÆÅ…¹­Â¬¾=úð¤´~¸Pù*€üÕÝ+àŒVd˜¥ódqɈÎEX—dÓJHÁ+°:ƒÊ}Ð)#ôø@ײ!R»ÿ©€£ì–ù
-;\ùˆ¹¥e7ÍHÖx³¡l½ [sÉHù[êƒáëXôËUNÑõ¢iX–Ø«c4ë7û\Aº0«<{ Evg]8xp[lZщ5õè¹r÷ûGâÈm*Nêê:Q+|‡gµ}ÁÞ\d„äO¾>hžDä¡GXnöº
+b¸¬óÇ;½tÛÓÆŒ£6lÄ”Å>4ÌÑÑ0a=‡ˆ …˜Øà zb¸»6û€x{³IÝ)KÞí­[×î÷7ÑÙ€ï²jP8b*æñÛGŒŠw4£V³ü2ÎŒfu3^üL9OOW3èPq½*z5la:ÏÆ>?Òæ3zîÔL¢Ãùïú÷~¾­ÔŠŸ+qqj²„îÌoƒ¤2^›6Mäck~·H‡Ogi$q5|©/̾®¿îÁÛë3úï.7ÿ”,—síÃ[|EØ9 ®+Á
-ÐQk|/Û9¾ÑxÜÜúÙP7˜ªl©¼å©	敱<ý6œÍ¶Â=Ÿù	…3ñTI‡@TƒÌ07ƒI`5¼áô‡lcoƒ|áþü]¤ãÏ(^¡¥µºÈÕ6ÿCÞŒ
Ú롾—lšÒÚ´ë÷aµ1Óþÿ×Îœÿ3¡¹—çÈÊ–#Ɔå‘yLî£æhm+÷U¹bó±'ñ˜#GÒ,Ga<ç,÷s¤„9a§¥|I@µ>¬Ó‘ŸÂînÞñ	±mŒ¼?Áá¼ÃñqJ˜.áC{¸ÚsoÐþƒ–B•(­dfá¹È|ÄÕñÂï„Ó84šÁç2ˆ¥(phëž7ÓŽd5ÈìDÀµ€ÛæIl]Bå'IÑ¥ôFÛ܊ꨤ!šFó…L`0\ÁàÛ˜‰¾Q¹u3!skA$TˆBØó“É°`¬âŒéúŠƒŠ–%¹Î×
Aä÷öoŽûŸ»­w‡¾ÙºïÁ°bCL?í<:Ú
_Þi8eT)ŠD¨á~ÑH½ØÏ7ceÐès6µ™Â$ï|ûŘ‘ùËâæIPÈkfåöVÔBÓ(ü
-šþˆ/KnèEKØ(xÆÈìƒww¦\3¥kÔ!›ùÑÆlð›Qe8‚nÛh’8¯tãær|BUw•Q“)€gÏ£ŽWºè¥@Pñ„¥¾‡LZð7×(fÐlç9¬Œ bfr·Ñá·šPæ}p
-øš*›íßyýá“ãûB/1;Aì2ÕÙ3ÕSs±‘woÃñÕ“VÝÝíßv¼¯å¹ÜÆ{¯’XcÇú9'*:ÞÒˆVÂ)BSzŠ)Xý_ƒÓŠÖpm{§z¼¸—±u±)ôc¹ÿÕ)€+H2Qi·'Âڱ׉×b@akÊE¿¢vÉÃBakR‡å:›ñ†‡Fˆ~¨êÈ’Ìm®g4šv~\œI©¸
-^ýì¶<[7Û-ú%çq´Å5mââËÊž¶t“Bdc;|WÝÚú7–xSyåÈ4ØÇÖv´¦×ÅõQ«´˜„2ã¹Rwr\Œ¨ÇÂCÀVD
-­`Ú5øy÷»é@k"¢™5)Ï1·ØRù-DÒHÖ»¼ÍDdM†o3w»5Gv`LÐ2îä¯uÈoêb—r›[ˆv^Ð^P€ó]üQ¨‹ÔS^?¨Ïóè_û³£ 'C2T5ÍyÅ
[<;ËÛÜ}‹hLé4mMmÖéҎ/À}"ÑçB0%’éVE~µb(e’ ”峕UòïiN“ýië€ëÜ„{X#Œ=dÓ[娽	ÿÆOƒHð”£Vê
ªëvGJMGÚêåÄLX^9ymiZPpù˜B5«¬Âø#…sW+* ¨)¨OñD¾Ë_*Ïøy81¢ÎsY×/NI„8wÖ¦.¶v.rþ÷¥äïûˆÍžá¹ˆ“¤;éë7¤{®ÈEÕîÄìø‘VYƒÉïÌ|ÝWN`ÄþÅW‡Ù¾—›º‚ÔÂâsh™ËúÊIÆ(ˆxó^m¸ƒž²Ê+»O':QGrçÉ×æ[XFRž;j¸±·ùI•šà5A0	{Ab8A²T†’QmO@	i©Vél³¤Ó¸£CX;䆔¢$ŸaP÷ga†kq*Õ{²…nøglƒ’¼2GÞ Y•.ß“­õSlôŽß-%-½¯·e—ppÔW³8©×‘fÅ¡Ú=ΆþKbÿÿ‰À/$À'ê,öÍ–÷»endstream
+FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ÃÏŸ*òòJ4ÿ¹Mÿå¥ð—ugeû¿‰ý:díŒÿ—ð†°°;À‹Ž•@ÇÌÁ	`çdpr0ùü¢ý†é¿dYgGw€Öß’™þUøÿøþKÒù˜¶FvÆÿL‰’³­ñßÁú_ŠÌF.ŽŽùü×]ÿ[ðÿ”ÿ5â&&î&F0kËvF<Á–é¿2œë0sG&Eµú˜@GBìK•‹
+ükìzýÒÃw¹*õ?kC蛦¹¿Û=–Îí¿¥¨Æú0¬)zSM®óñ|H¨ú·È;9hŽtKá3.Ô¢½nevÀ4ÙUö&ê–|BàOw²8BݼPù“¸ø£‘>Û#ø¥5Ä¡w!5¡Ôž_'¾}ÛkZÿôóüwÎá\àèe"°µî€”PX™/,3"@<ÔSÂ{4ÂÑ3#­¶«i7.øÙ[ÓZ‹
ô­·6åÇ7«¯uÇeHfÕŽvl9‰®Åà.¿ÚCpôמ¹ï
+ÕZŒ™ÓØANvŠ]Ïy–ãÅ{iGçý2ê-úA¢ÿ}ÛcÃ~~*æcd@Œ„8ÓÔÁ?W‘2,Åi|Z…È%sÒJ CÓº‰¼¬–‹C!ýñàÄ~0w‚—„L¨„‹¡=%¾,jl‘¡Þ‚Fø8;í¤JNDË·¯U7÷ôw¸àô‰¸gVáÆû)§ª!‘Neå~Žm­EGÂýqÊ¥ -â9þÝÌ_*nÿAv	ÙSáýÀ°v€<÷ÁÀÉŠÅÜä±ÌWáŠÞâÿ.±hMe”:X³Ï/=\“õ 8èOª~îTˆJ~^‡Ò¯(E>JA±Y|̼cæ¿çÑ°>Pã}õÒ¾Õ*"SßRØM}ñ7•KŸa:uÖKúÝý
HÒôD¹¿£„‹lű"ŒƒÎ¥Õ\ÏR°#_ñ1ò—ã.±¶•õ¦üã7JZ*|“P9	{Èñ\U-ã±°¶
-Ú¡QZ±¢›w¿‘•Üv7óŽ-ʇJѦ®!ÀçÜ…áÚó¬Ë9€FÿýÖì=|»KYg¨^BX³Ø€ÀþJk8»8—MzþòÎ&38S‡uìTÌoŽ	$àǘ^zE—w#ÊÀˆd8ë;ãg]¬M,ýt’Ž{ÒÈ%Ñq%%mw„­Ãî@Jeâ_õðßsÞg¯`¦RÈ5EB† nDŸ¬‹Ÿ"8ïnx³E4 V;þ6Qh\„§Þ=½X ’þ“Gþòüåŷ싔셭bŸ§ç\EÏñ Â—°w#¡<ª˜Ûa·÷‹~uÔ›š9>kÕ`•–ÚX´nz«að|ÏǾävœ«Œ+=L6¾Møf"Hó²†ÖÚü‰Œ6ßñž?
+,ÐmÍŒ%²Ž¬î|ø"Õ?YHå¦õÆ]½ô!P!1):X·œø~R¯µËöÛÀï/ìº×Ø,‡°ñ·¢WÅýí`ôÐõ
g¥°âtãÏ䱇sæ¼e³Î4MùGî>8¶»’d÷ºëFÛÆö¿®3 û°½i.ío±Ç|Í¥Z’2D3yˆPPjñÕfGüf0¾è<5éõ!S¾/!u¾ûµÀÓš
+Ø:|‚¬·.¶–ó_Mv“ôacæ~ϼr²]‹Ë±¬ˆóÄa©Öbß:g×¯ïëb¥-±÷#ƒP!»‚ŒCîîœbL	ÓÞ˘]÷]¯* dÏÕ	§„n˜"}x3<	`C X‰ì4áJrÛBHõ“ÁÊ„edÔI¿Ì|`Zþ©Å	9;LgÇp™or¬øæ•šÀTʪµiÇõo²G3iØD‰ùÑ®äB·ÌeãÿBÖ’ G«¨¾7”2À#?Mš*í£gm¥côG=èÞ[|T^Êh¸Õ>w~õO¿þÜДr_Ï68È·R©¡XVÏ-‚˜$JÁÏBG×2E"ÏÈš×å=Ú¤2߬	'¢Fö‘bP©¿)‹ÐÞ	dzÍ~Èo´‰¯Ëd˜ž¨D¹²|§ƒ#!vµ’oÑý$WG+³…Íö÷—¶vËx‘’ÁT:UYà‘’ˆ”y€—øÞ¨ôû³b›3¶¦~"î
³Íþ i
!ÝT=ŒªÐr/2çñÅÂâлHh:cA×ušÍ/[L€ˆ¸?´4~i-pL6‹¯¯g’^†æ
+v߶o…'siEI݇‚>TàM‚ó.¥t§>À)—
7J®ò¶M¶"Wv,ð ò{ Ò~|oÄ$ï!½Ü¦ |ñõï˨²ͦBÇÓX¹2á{dåÖÔÈåuîæÙÓÜŒ¢±
+åsõ´ÊåÐh?‘«åŒß¥éÂExÜ%8Û5µÃ³ÊóËoÁÒ¨§^RýÏjfrM¿Êí8ÅŽµxà„ˆ;“JÇÒéy.±\Gj×tP6;L`Ÿ6ìRØ#6C+9G÷`Xòñ/+?þ±ÔE²d
n`ëæ/F»Óy³¦s™N520üBoëÂ¥ÕTu¥X³W™ÓeBi¢±¡Ú€™nŒÆÕŠøÉ t¢Ë¨ûCØí¹Í^„<ß™&ñ2Ý5’­*}¤ô/Šd²FЛØêZÁ?˜M‡þøËá̤(	’ Óü€þUÒ³Ën¾ê|*0¢¤ô;‚·èb€ÜøÕO1ñ÷¯‡¸ÀdñëxÜ\6€¡A©¼!r“›ÎWL¨	³
•Ú	ªí⯣nT“Û¸	;¤ëÏDc¹B#e >ó—lê±õ2ô¦ÒPùi÷	ß±é1¢é¼½Y½ë—aÉu«Žœ.@’Ñé¬	ºá)ÒK“b§úb¨‹’E{xaüá;ŸýIÒ®õnjgôO¸·ï•×_ÝÁ¬Ÿ
+_Ë£Ý% }\RÖ:èJÞd­ÖX¶d–>/Ä,n’5¸r%£à²ºš–øŸmV$H‘Æql=ˆKZ»(‡ruP÷S™äR“Çчȵc;"+?Ócù†”•!kȼª6´ÊïÓ‡l¥ýá4Ç(A¦†K)-Ý’vÝéÏîÅ‘‚LÿJÊr
÷è½Úƒž	~g°Ç¿2c‘„$St[Ž¼ì“[É]ø³1Vz¶ÞZè±J=£YR]5Þç9ðš|[EyŠEšÂ:4ÿx©â+*©æ>ØyDUÇêhÌÒ>I
.­ö=ý1ý¥Òc@ßÇîìq㦒ÇRj¹z8¡v˜»7ÖEUß}-Hè2¸Â…÷ÇvV:¼:_ŠæDÙ¯ñ‚-§¡mé«VÎ#PÔü4QÖw×ï7`§¸o¢JžàFݪ<^ÌÓä9+²Ãóm%™¬vËYàQ¾`ƒáÁ¾uïÏi,gϽϱ«â_–ó®2 ¿^Ò–L€pi`J¶Ä	=C‡ç&zM,¸M,<Ôy
1H†æ'vÛÕbù“nx…óÚ·ýKK*›¥,/6y#?H¯[M¥UŽÜÙX	AçºF1~¯¡ŽÆŒÀç¾ÇýЗZ]aý\WÂ2ز»p׸ÌGáÜý¶žèuvßÀŽðucŒõʉ¬ËWÑeºwXSH±‡?Ï^–“\ŽÃï¥H×y0&ÓcÒIJVîÛÀ©×Ûê	ïžÚï‚ù1E—Ì3ß®jf²ˆD]õz
I퇹`ª¢Ö6pÛ1ÚaTm‡Û™úß—Žd±*{Æ",T–]BÞÐoæ²V4ÚX>}Á+GC¦2ží-L¤JËÄÂ~º0¸3y©*¥#fç^ø¢(¦þ˜QËŒ¥m0ò˜&C–òŠˆ\
‚ ·sTj‡¬A:&Ô¬XõDGi¬x~7ãJ/oìØ
Ò—48é®Ì¨¤ðbÍå8m{|gòG—b2m˜êVüoidmçÑñþËÒ6ài;è<ҤϹ‚%lYãÍ¢xÌî—jzÈÙÉuLƒÚu_­\êæ»´åe¿÷|2Du\Ô`ÐTãE»+‡U>|
+RÉ_‚!'zÍ”FøÔ”Vé†u#	Žežà	º°ÙOLSÀžeúíÖEx!#ãp Ê^0ˆ1üS¸à–lƒîÂC‰«„2í¸Ü}Ýóx(¿à
+ξ.¼ÙúáäãD¾[ÙvÄ›)LH”k€Å!C¼…eHêtrƒ÷I/K‚Ì'…&‡"Å‚u´ƒø.BˆJ½ÖÉ6Ï<ômJ®b2¢´Û}ArL®'îz“$ær,ýíæ%¾Ù£ÔYª„	G…&ûÖÙ9s_CÆKàöÐÊÝQ"K+‚M=2èy_*ê‘®VrÇbæ“–©|.()$Yám¥¥ÎWîw‚45…[
+Ý÷B#?ƒôúT×ϧxß:ÉÜápø»ß­Ó«§Òµî2Ó­óƒ׌Èð“-„Z°è–¿
+	cHì›R¤»°C\qbl
+pïswóH
+kç„¡ºØ-y*ÄmkYÙ>â2š¸’Ë»§
+À§i°~†Ò°ŸÝI}ƒÚi|ïóPãAùÖ	/—™¬\µpe<­8M#¯š"’%+ŸÃ~ÖÕ
+zAâ:Û—p¼!™^ŒúvAò£b<±¼«·ÏQždWŒøÍHŠãD*uK*½­:ÉíF~±1`gÇTÙŽÍ€2 úí¶­XšZeï§òA°´´oƒíÖü²™Í’h¯Ò3Î3{VslÆ.kîÛåÝÓU½jh•²	gÇ?³ü‚:©’-“ûò–8HMÌ™Bnñ&Bý@|Sn'‘–½%T7ÜÙç–ÑN„ ›¼ãd_ÛC3®wÇú»²ñp–tjºHgîUŽUP°}Ö7þ€ÜI±ìrLEm° m×Ei—¿ú„V½ïÖR¿ŒÊ¶fn<›¼X*Yµçç¡4ò; Öor>Óqí¤sÒµ"…ñù·j§t‹¹ÒØ"⺋Ñq§º(±ËóˆþŠ
+&
SºY e	H;Hÿ—q¤ðËêXæWiú@ã&kêoÄé"´%ËÚúWÅ;yfÅ
+v«šÌóvI]ô«;î÷÷¨¸F÷.Ù¢™ÁTÌï„`/¸˜˜­Ji‚>S,®#˜”‘Ž—õñMâ‘lL÷Š‹ïŒ®zöœçŸ¥z¯„Ú^Hì»8§jƒ9Ux,§}s'^­V‘Ÿ«¤ñ¾`<@\-ؘãûÄvžN‚ðüìAåqy|ª“™Ç>$’ïÒÍÇH¬ðù·ÆHÄUÇMXá–&£‰.BÍÓTøÐÙ̃DXÂ5ʼ$×Chë¹âG÷ MøÄ‚)¸ÕPk®GSJBc‰%»ÐXê›XÔò‚bcžëóBq3©‡É%øÂ8Ř½Ý·óÛV•‹,,n¨Àˆç“tQÌ¡úL;Ržˆ?úzGc£Wt›qØı7¦¦„öµij6Cì';*8ûAŒ,XíüZ—ø[]ÔóÍä#S*Mͤ˜8µÃï}I‚(/´Íd:Ç€¾•[ăLMbT¾ˆý±û9<­þá⼨d2ʦ¯·Cj=’£¸@ýŸzv<“QÛ;úbñ¤ŸºË¹çd)m§™_h(ÂêÙ`¿ØÁ4t„0¨
,ÀúR
æ.bÞXôCMj‡î×ZüzÙîæaò3“æPgpÁc!Nn<—,ï”b^ÆM¬3‚Ëpü}ƒp:}|ô»DØâˆ]%'ÁTå¹:#›AÝÍF‚Vã0b0‹4pÏ‘Ï)hµaA+Ûz¿C¡è%mÜgªą	ÉIßb{Á6‰wƒ´·T£Ò‡c–wºf
+{{~D'ÛûÔ	ð.$*>>¿¹1îmÌ›ÿ‰ó(¦Wýbš¥ìl6ÃÅ>-³øªd~R3ù
+|hD +i^Dí£.(€ù«483R£ÁIJ“@¢t)­ü„ÔIm1iM?!+øM{äa÷]¢°A4àƒš$–O}÷™'ä§îÞ¬Ò[{/T|F¸óC}¥Œ±°sH|=OKRe©y”‚«Ÿ>¼O¡ì%œG“)Ä6<¦—rÔ¢þS,ÂHǮڇ‚‰¾Ì&%@¡™~j5¢ÐW¼Žã	­ÑçÖû:èµ{"ˆvfT!Æ„ï·yµºqIzÚ*˜mÖvÉ?5{T×0DÓ£	b9h¡ óòyÂ3–½è"
+øvéç¡ŽŸQ-\~X^Y<.ê/ŠÀ­1F0îñ­ßÀñ¨<ØøùJ]Rî9˜¹t›V¢6[8ýÍÉô½T5é]ý¢âì;÷¨:ÒB¸ájÛÑO7õ\CÉeáÌq.ªš¡èËŠH–»ªÛ©]ïd”Ò+>,ܼ`LšoXGØçv-seSÞd¯W†éɇ۞	0§H[x— ô…Ì>„^¤ÁvJ•
ð@FƒÞ„–ôÿ憉’étŒBžÑ	”ýÕ&!¶¢ªH*Z"¼ñG¦?€Ââ‘Š¬g
+R}¼nÜÎè-xâû1-ÿ;„&YA½œ¥AçºxýˆK\ëS‡¾¨
b¥nGU/0´J·P›Ò(ïeߢ½œiñž¨Î»È’È g1ë{"ÀÜ|¨G3+a/Lò·Ù¹–ß2çÓŠ,›»Á¨©âà	½F9¿¿#úSŠoxûCw|g¯óu`¶ªu¤MÔm†²	D™×ô—|ë3Ž;Û•êú½W:Ùe¸Ìg-ö(ƒÀkЋ˜®5ü¥ìTlf²¤íiìØMO­3prN]ý
+AAé/«®|ô‡ïm?‡ïŸý±jj2q¾4(æ²Øèð‹zQcaœ–çTýr.š­5Ùðþ~йc¢{	¢HËœ…"$mæUËbJÑO£¸Œ
ÿ5ÙN…MÛ¡
+¾Ôáç†8˜¨±“EH•.¨ü‡ÐFM)ŽC‚†-‹QõYzö?·­l’KÂDŠ¶öŽ·­'÷!QiMùbƒìè÷ÌË¡k†ÜÛö
+ò7ðሳÇW°tò>*4HN˜zú½á0
Ð\ìiüp?ØJ³)Ó'žÐêd<×ê`YæV .-Y#ÈåÜò/¥Ë(ì…ÕqÞÎx6¿ATK,rOÈÝœn¨åá¶4)š³m0½¼ˆ.Ó3Ãe¹+Îvûçg¨[ù§r©Ñk]x2ÙèÏ,Rè\žmê,†J	ZFFx¾8ŸïÚu¶.!¥^R¿o}ø¶¶Ê—ºNy”ì1€XÑ0×	yⳘÄû%
+ý³[r]Ù'‡Ê’œÕV©_jÇÅqÛ4åÁŒ¢ð›ÚŠC.Xuÿ ûûÖÑ;exhhÞyvM¢*Š%`d#­˜~Ýi­4Y}ÏtRµ£åvíùÐèÂ0°îÁO.,ly9.<ÁøÙ+ÓƒÅÔgí+¨XÞ¿é^Côkë;“[QÎÀˆ2È7ü=„þ8ª§xuü¦HŽ(ßáèµÌ±mÈÇîçV»¼ös„-·ÝÅØUÑ7êIàÌiΘ”*9óÅ“ „Rä¨+üJ^ôny
+QhNÐúf.•“"©xÆbä!‹4ö|/8ôë©c©û¨Ö2_Uÿ9NF“¦‘˜8MæÕÁ
+E$Í] 02vL¿1ý©â&ÉwxÝîÆ;|JWF³¡¥Ü_†>)27ê`Ú>µ ½|	ëÔ©$@ôƒ
+¢Xo׸çœ÷åõ¥|_wùät
ø²jšç—¶:âlÁÕ*‚h#²°#Ò”‘g¿s$Hç’gñ&¥n!"ÖÝ3Ã
T¦x›iã×/°…æ÷¥hüiXðꪽ1[„n” ÅT²µÖ·@Q
Û’….nŒÈ‡0¶ÇfÆÑ8…	‰ŽÝÏsÓª°—yXæ[vlùðNðÏë­ûË$b71¹þy/pß-aÿEˆf¡¤b-~Kð’‘êçȃ¾>0°hü³OzyůƒÛ{´
+Ïg•¤ÔÒdkqQÛÓÑW_½æ·¦5ˆÞ°Ä-IL>Ä‹S¶?üD#èU‚¯ð&š¬\Ãàb‡âÂÐèrÖX[nþ¯L^•S¿Øš1'¢/n–ÂÌò$µën/&glÑiø‡ÖÅæaCÀ^@×é4¾nï¹nIãÊ<÷I‚ŒÕÙzßËž€¤˜Zh‚q‚rŒ±^ZgÇî=D`ÁË¥ƒ†·ílâ2A³õ5(q:Ú0D~¸ø/
+úÀžºéâ9Bõ$ÚÀ
+¢§0mA®ìR–¨öüBQÀ†9FJÐÔ ²õú ï™´Œ ¯¥µßªñ_['ˆ|zì·UÍcNiØ11žö¨É|Ú~iÔ(ÙRãÿJ T-~=ÝZÁBd´¹³õ(˜ßHK?ÄÍ‚™&Ð=¸LszŒ%:‘W^ßµwk-iéšRoº ÀSKd€{™W_Þm¹°Tk•3*TŒ5õ…ìÐh6¹qºÊœX+¿C²ç¸:ü€2–¿ýåX/ŸD»šÃu
Y·ñíwEAM·ôå¡9ÿ®ëŧv[ŒÑº.h¯l~gfíмiŒiºI&›“~l<´<},n_MWêznÏo{êt	¦™‰!ÞEâ37ÔC)jFC
;>	ªÖ“UL¾Û5Ã1.Š§r™v¦zß3¶îŒš8 î‰ük§{°pX2>}íRCçXñÒ@Þ4õT4_d„5wé´9¿
5ŽoB¹ÐPªúÏŽ“=^šT&[¢« ™
+Üò6éx3¯¡œ)ÐlXÞ:Ø#kõ«!1ÌÍÝÞîv¢[m4ðg¥¸ð«AA07–JîºywÓ½ßñzHM_PQ=#Ñ4hŸÝžÏ%Éôúz¹F˜'Ͼd|"óÖÊÃÃ?öÞ*Là¸4vô‘«ÁŸ‘dm±Ï@êcOò÷à&Tp0’“K}rÑ`fUx~kÍ[q€11Îâïc
+àà·ÜÊèëTwAU!¾Í†¦vÆIˆ:#·¿âŠŸ?ò—´ù}’A„rÇ܈ÉL{@½j»<ø!Ñ«ŸÑªjH¶Ëpá•ž¦oHä7oáDžGÀ{{«žT«îÅÒ[Éh‰{Ø]åO]Ø•ýÌ1ù"Õ\³¢Î}Ї)õ»XÎ3«Â4oâ#Ä£Œ´9Ûõ4‰taÊüÔšU­q7Æ6y·ŸXDºoœy§]C¨£zLyX_°ÂÃé¨2ÿhfåϼäo¬E7ƒnÇWvV)(¦Gè¬[ƒHlÊõIÖ§;Z‰‰¥Ë©¾7"M8ßTÏ~«·—.~¥òN^Ël­ÕÞӷ*
Iée„ìFòäoÄÍ´]P‹^m5YÀ IƒZ)·O„1™Î艕þC9ëü(+3®áИ7—Âgry#ïˆUƈYÀ¶5DP í´û¸Ñ?‹ZK	'¼Œ8±Ç!é‚ÃœiúдÞZí‡Ù€b¾4šÛÆó3ð•Îg£ÆÍNt³d#8g¢¸R&ürzmÔ?ú‰¶ZûX(ŸBßv"Ù­~ìDãÒú‹;71ÿw°—1dÒÒ~ikcFbY.Õh•/;§pÔÅ[˸ÛAp,-÷ƒ@b!4–mKß$iHR
+„ŠèÄŒ®[1õŠSG›X*£ Ç|ÌonçþÌÎ`mKý‰—5µ°D®Y‡`´W¼ÆÊ;×!søߘïÈöZ1¯È
O²­†‹òS6ÌbþÒìu¬í´‹à[,5a„y¬‹ÍæÝ÷§Bc/°½\ix½¿ñälñ`^¡œ"	Z$6²ˆ¯µ3îMܦLñ¬ªš%KtÇ$]ˆe#/…¯*µÀ}ÙB\g˜°àYëû
‡E)F^SZ¡ÁXRP€óæ7•q>Þ"û
+%þ4MG9uÄbÝ{2ŽÐÞá?Ó˜·ñÂO‰t8ÔyÕx…ÇØmÛ‰¸Î@
+»3ç{i›TÔç¿ë
bA!-¾9®œ¸¬Ër‡åÐÔu³a
Ç|†bÍ8R¨ÖþŒ¡Ô:¹‰¶´Àx‚kÄÈÒF{†Í_^±ò"&‹3y˜fˆgÞÜæ(h^¡V˜%U
+4½ÇZj,%·Þ,î§	ˆ¾O²àœ8[°mÍÑ	ó„r¹yðUýF]O“/ñúó°6;^dï¾ê'7zSí2¯N,Ó$œ’*ÆÐru>‹ÔJ#*»"¦;ˆwá1Ô2nœ@f'=/M`AÕ÷	9£fqLwËÛ”Û.„­¶gReЛJZ^§í'~êúºÃÓ(ømawÇÃ2•ƒà.„¦n‡@¢.÷DVäý»±–dgÑõþ.ëßH±²9•P´G‘è&D1ÊnÕb"£B³¦˜ë*c°#•l'xýù¬†R™àD—Ý-掟TôË]]܃|6±ÿÝHŒ`Ÿ™qÞ7ø5â2NËl«„V.”l"Së [5	óI»8®ª"‚éhþ¹v¦$-?ò«<*:ÿzªÏ
+ëÈ©ËèH§¦]1;ÿõˆVÜ}8gƒ³·*Õ€’`iíT¾Go!&Ó¯¨Š=Õ„¸eeWh×·I?¼‚!okuš‚6@ç0IhÁ¥¤*oNG‘Ü@‹“»aµ+2bü±À?MbŽJ‹Ÿ`û8”ÙpÁ`‚Ë(‹3]6ã‹]ËEÕ)pèŠ_È•Õ¸…DGª³w1¢ëbï:ÖS<]±×#
êP^Ö}?¯ÉDéè&wv™±jŠ2Ô’=C¿ã˜Åš{dŠ;aWPqæöqQôÄ×âÚ#¢.ò~]½¸]‹m·ÿãnP¼~gÀxáT‘úøî÷<ýÀžmúV1Ÿn…õïÌûOOa™’Sži3ÓÞæ.ºØÕ½\H›üS¦é=¯ÁFÔ ÂOÊu<yÞœ=	ÞðëƒóWZRw&.e™¨1àsÜðÊ1ÈX†Ã^99kà­£MÖKÿND4ßœ29V^[
uI[ÏèN«Ì¯·ƒíôñÛÅ¿§
U^~¸Lèk±±‚Ô—ÿÈ*Ž!UãÒR×õÚ‡ì‚îÎÇr^	D¿ÀÏs!ÙÅUŠ™ê€jlp0Âjžü#ª7&q¿ñ}æ6h´Â9èPå „˜ÊZíUßËþËtÊàÈvŠ«Îž÷Ž³ô)ã” ¨HÊPJ$šEù?#§«î
;ÌXHÖÝÔ£ìú¹ƒ¦Ûœà9QÀþĨ…Íc=?QUg•áN혈½›~Šô|
V3­—E¤¬×C)œ9öMêÆ5Ëo£æ;l
+;U–Vº'¿P@´ò~þ¢:Üi<8ô_¤;µ^D+
+SŠzªÛ'_P èc¦¹8*Mgí)ÿ®O"z¨¿™Œc),ó•S±:…ìÙ‚0U®f„,õMP	QOAQ5‰r*Dû-+±E-JñÛ^k	z¤î¼.xáeú¶¾£29ÆÀ•hÔ¿ãC\¯¥s‘úõÑ?õrãl×Ý^ŸÇ=s[í²«˜©áfoçô£?=Šß;ò4]·ÓóUµkÁ”^ÚÖfÊÜúìKZ=lÔíÓÅÙ¹¼f${¿ÊvR²ƒVõPhÜÊ¡Û'Í$4‹æb?Ý 0dLù#S&¬JokÒQjº‚õÚ#³½g™ÎÜlZtn›j‚zì(nÐG7€#ð,;YREj¹†D€}«ÿ9RÒ&ñJ4•À° €e͆¶µ…‚œò„ K
+\=c¹²E®¾98wyÖP—Vg••ÄÌÀ÷	æy©é“ÜŠÎf´ÜÄ0pѼ!€Ÿ„üú†z·®Jn%ËAÈÐ=Ð
+âÚ?ÆCÏz|þ±rèou¤¥J¡ð9`º ·	5àñ 
û˜ä9X´É™¶”'÷ºœš¿=ÞrŠ2}òzåÄ0Š„ Ñq9pÉ»ô2|Š¹ÐûöÆeNαðYÿð6ÒúátŒîîF̶*Dÿ{ÚF°€ÜÛ‹,T’«Mƒi½¢‰UÔ2÷•?Ã\~æ¿9«,¿>Ö~z×ÚÇ›?¼ø1èW?œ,ñQ
¾®Õìñ,¦íÚ_J=	鵬Ôvæi«®Æ ï3
+ßZbÔj­ÿ*»5ÊÁÝtŠc@u¤A®èÂY‰îLœ@º<·Â!SÍX¹gË[&IvU5+{˜¼šßéüš)ôK>Aq¡í†,¿èä¨û;©Fæjt‹nòúá¸ZðpÈ5—b»¬=æ„7Jq/kÔ÷d*ÏÒ“Ö¦k‚k¦$ƒ*@2ϳ’z¥ªëaµP…IV¦SWi«1a[C=Ë.D‚j/²¨•.
+¡ñÍæ1V|wØÒ½Ý$çþŠ‡J_ùÞ$Sç8e‹‘1wÜ;ËÌ]>-‰D\6©O²mF±÷[¼ü:_­ýúc´ã²&Ò•üC«Ý
W
+¼Oíäwx%2Äk¾ýÄS(GQœü|sª\ÏìTäG¡ùƒOJý®Å1‹ñpqw
^¿±›±DdOuüÒ¶?Ü©Àô„í˜;†d×xˆ<	ÂÓì‹ño½K­Ê%ÊLœX±[×ÚqA©Aw£-¬î2’5´ª2ŸÌœs°ÒvÔ©BòSºã†^i:?)Mµuß“U@t®~PÉ#£ÊݤHè…¶eCcacÔ¨›l=bßS,Š˜&©§ÇžgVŸøÅ#m.fXí“NÖ{
)tO^¶|àéÂj8”ñ@‘eX€IÑa.²~SfÈá ay_èŸNWú-¬Þ7ºÒu<õÃà”µ}™î¸IÁTðg	Ãg´œä¥~%>Ðoë÷°"«q96.9ÓNüÿcSd÷¾d&"µ7‰GâxœÝ´EþïñDµÔÝÒ–Ó~í4íLÅ…oÅßìx2bÊS:_…´Ý·¿‚] £Âih£uÄب‘³XKbâf¨üÚ½¼‚•X®O”­…ÿ5ÿ0¡Y8÷PÚ-ö¥¶÷ãtR×
+DãäÈ¥1™ÈO¬=1ô'¦9ö‚ã²½m.6Ëš	'{`ê¡8à^†ÎD(|s÷éz¡¹¯Gœ1nßNqø‰f*O‘[Ö\Lbî,‡–Íáó±up¹÷ž!º«hÆ8j"cÔóΨڢë¸Sô²—59Ø™
+*Ÿgj.[‹šœ²¶'iº`Ǿ‚+¤ª$›ì¨éƒ?Îy¤*ÓÌmx¾'˜|g'%ï\Äu,áºn–¿öÓfñQ‚[P0¶ãW~Ø0N(GC¦û|n•/—~ë:Æô¦c*»†eu¬:Õ@md•‡%óÍŒ“‡¾‹á7¥:å…Ù¹”£µº¹_ºÒˆJ)_"³
+3b\å}šzÓ
JÜ\P?­	±r
jx¦ª¿Ñ’=‚N&ýòOj¥ú“÷qxKž9iPŠ5­Ô¨×#é)y²k˜åñÀ…Ôi¾ëk'ƒØ™{Ξ`Î숉{é5züñ-à@¶–bo˜zP«uxÿâ/ëSôê„¢ k¸ÎCSx¤`ŠÇ]ÒdÛÎ’E[”kÏîéÉç[DÁ†8ºÒ’èû¸ŠÇ)á:{W†nî¿°¯ƒ†1eŒ“UÅw°l½ê{\A‡ZcÝZÝø™G!‹–¬Àü¤_›Ö†äW¡Ï*¯ÕŒã›hF	&6l‘Gà}8¶ˆÝ×}@Ž<Ç_øÅ%“ï¸:Z›“Œp·¬Ñ¯Ó)rÙÂÕxÊ=BF@èFŠ’|ð!íQT…â›Ë.u9õ±Ê~r]Á*=o´Ø.ؤ‚jP
+'|ã2žˆ»Y‘{‚vi6	pQó9$¦û,ß’ƒäܾpŒnÔóß¼ñúføBó¶:'OÙŸxRF¹²úSÐÊfH—ñÁjx¤Sân-~uGÚä3®»œàŽ‘?ö6õ–WËqMù.‘RÒ£Ú¢ÔÔI™/2U¶JC~b>ÑëZ/î°’ž„OAf?aÅH,Oþj¸nšfîÔ^
–QƒŽL èÀ°ãFp6
+áW©²`{£‹)HÌÊÀ!{eêHÀð™”™V³ü"­)A˜Wô‡ÄgÕÞ}Ï"yþS¯rîªîzZΨnq¦]¢5z>×˹1Eî¸"öˆ=ªæÝ”>ùÀ†·»“÷ á+Öë1ÎjŠÏñLC~Û>ª‚-)0Ö?~AµœŸ"M)@o¢NœCh›çý>^ 6H•ªW¤mE¾ÊÊ(ËôG•LdbHk‰ï»z¶µŒ‰&2Ay”;!LöHs§é GŸ@ËyåG·~Sïýè‘$›„5•¨ÃG¸¦y'¼k/j–Ð@pÓ·ØðÆ*Іì ùú…«Éó=à1þì×nLº?ÜåÒ‚©N‹:üâ
+JŽË‹&:ß’nd0‡}2·#^ÚÈíÞAW£Nb_̽Ø¥e»pw'Ö
+Þ¨H,Ò”ž<1ˆ2,ÀÚ1BÞãÍÐœ†‡S\œ‰>ý~Ô±BºÐñNºÊÕ[Îõ½àBh’SÒoëÚcŽôT“ÉÕS?^X1µ^Y1ªfg/'¦gL¹L‚¢TïhŒ£‰HöIùT²=Ï
¼²ÏÊR‡Ø.²-é|ç™LÐs¢íˤ^¯Ë¬d»"EÏ¢Â4¹Ñ®2iÁæþ}oMÄáxéh-¢©Á·˜
+-|™Z¢Æënw(QîkÔ¨å ¯øh§HˆnïBºM}D«õÌVK`­ËÝ ±}]Ê}ë¼Â¤té\40PfÓ­³8<²ÀE	ŒºßÏÉV>ÔKsê—ã¹x‡¨Æ^ì‚j6‘e;–Ì3–Šû´^_GÒ5÷£íD;õ?eú5²ãmÑKklÒ§Hƒgn]èB—ïü׊‘ã6ôß.hun?Æö_õ´Yå]»æ°0¬|Îr”±X¬g,©õq€ð¿/(ñ²¸ŠÁ÷ËÏ~TxËò‚¶¢õ'V±¨½—(°§_û6çȼ®
ÕV/ùïñ©0R¦8«K#K¥¹©ÑN»b¼ H'ÎÙE³ÖúŽ=¨)Ø´=ð7Ã!eÈr%­mái¤]“ðj&#‘LñCwµ"íˆø?w-¢…8/
,d?œ3Ü9TpfR„
†\½Ò©GEÊÄàšz”õqMÌ_ö«6‰*›¬‹øŸ7sÇ$ÁG¡_îamï~¬)ÎÞÓÀÚ0¶»?­Z«Lf1v«|̉TÇ®27T0$È‘–-ç3¦’„y!=lpn2^÷'z½;í§§LTÞÔî,¦ý˜ê4ºöŸŠ\Ç_†+˜æñÖDˆ§ã58ÿàZT²<g—hòâ«”ÄMHAw!—pµÃã¾Æ3ã“ê©´.‹|ÜllRTÁx’”¢,\S:¼ãÇe¨˜¯â^sù¡1mñ'ˆÊIÄg퉯‰çåD’ç~µ¶„R¶N~òIsjýB®cî[¸êyr‹¥g@øðhÝéGÔz.Ó]8ß½¨DN¨÷9ÔPÙ;ÐLtl=«ä‡Ûä…^íH”K)cÞ˜ôª)骙Sg qWY¹›òÁ—n«ëlte¯Ë•K~Ǿֶ«uVÔél“µûÄ„:MW`à[‚_J/9„Ô Q$ùþ,ÍÈò0„²xã^È6>r“¨Eèôèë•·!9Ñb=’ïÇ)À^H¢Æ®R­úרµ‡Š¼.²:_C·ÒŸÜ¬!véÊ×M'–Ája–k>ä¶
+³úöèÓÒúáBå«òWw¯€3Z‘a–ΓÅ%#8ae\’M+!¯<Àê*÷A§ŒÐã]ËF„Híþ§Ž²[æ+ìpå#æ"”–Ý4#Yã͆²5~ô‚lÍ%K åo©†¯c=Ð/W9E׋f¤1`Yb¯ŽÑ¬ßìwré¬òîÙqxœuáHàÁm!°q8hE'ÖÔ£çÊÝï‰#·5z¨8©«ëD­ðžÕô{s’?ùú y‘s„aq¸Ùë6¬ˆá²Îïôò¸Õ3ëÛÊ¥=áØÕOx#U®Ù÷…ÅÉÊP|×ð1;Ò…\j1+‰zùkakÛŒ“|£ÃöËa?ªåå]íÉ
?çúåûÐlO3Ž6bØ°SøÐ0GGÄõB €bbƒèMˆáîÚì_âíÍ&u§,y´·n!\»ßßDg2¼ËªAሩ˜Ço1v(ÞÑŒZÍòË83šÕÍxAð3å<=]Í C}ÄõªPèÕ°…é<û,üH›Ïè¹S3‰ç¿ëßûù¶ZP+~®ÄQĩɺ3¿
’2ÈxmÚ4‘­ùÝ">¥‘xÄÕð¥b¼0ûºþºo¯Ïè¿»ÜüS²\εoñ
a瀸®+@G­ñ½8lçøFãqsëgCÝ`ª²	§ò–§&˜WÆòôÛp6Û
+cô|æ'`ÎÄS%Q
2ÃÜ&aÔð†Ó²YŒ½
ò…ûów‘Ž?£x…–Öê"WÛüy36h?¬‡jø^²iJkӮ߇ÕÆLgøÿ_;sþÏ„\ä^ž#g([Ž–Gæ1¹š£µ­ÜWåŠÍÇžÄcŽI³…ñœ³ÜÏ‘æX„ñœ†ž³
/rMåýï·÷yß?à»sÿâY#é»
NØ3íY¶À:U
®[‰‚‘¶BàkÝz™=iïÒA•áÓ>8â„ÒXò¨Dƒv–ŸxÃSê^c6GÑÃeï©z¬.£Yÿ¸O£Ø0^¬7“Seã¬ô ˆˆMî«>Ý…¸4g䯓Z}:ͬÈòjùÚqynýKs*)oŠ .¬Èøœ–ò%Õú°:L/D~
+»»yÇ&Ķ1òþ‡ókÄCÆ)aº„íájÏ1¼AøZ
+U¢´’™…ç"óWÇ¿NãÐhŸgÈ –6¢À¡yX¬{fÜL:’Õ ³kÔ6n›'±u	•Ÿ$E—Ò9ls+ª; ’†hNÍ2Ápƒoc&úFåÖÍ„Ì­‘P!
+aÏOB&Ã~€Y°R0ˆ3¦ë+*Z–ä:_7‘ßÛ¿	8ò~Bî¶Þúfë¾Ã2ˆ
1ý´óèhc4|yC¤1à”eP¥(¡†ûuF#õ`?wÜ<Œ•Ag ÏÙÔf
+“ü½óMìcFæ/.ˆ›'A!¯™•Û[QM£ð+hú#¾,¹¡.a£à#_°FÜÝ™rÍ”®Q‡lætD³ÁoF•}àº}l£Iâ¼Ò›Ëñ	UÝU>DM¦ž=:^颗fTAÅ–ú2iÁWÜ\£˜!@³ç°2‚ˆ™1ÈÝF‡ßjB™÷Ám(Dàkªl¶çõ‡OŽï½Æì±ËTgÏTOmÌÆ~DÞ½
ÇWÿM>Xuw·Ûuò¾–çrï½JbYëçœd¨è8lxK#Z	§Mé)>¦`eô_|
N+Zõíêñâ^ÆÖŦÐåþW§® ÉD¥ÝžkÇ^'Z\‹…­)ýþ‰Ú%…­I–ëlÆ!ú¡ª#K27¶¹žÑphÚùqq&¥â*xõ³ÛòÏ£|yìÏŽ‚œxÉPÔ4ç7lUðì,W`üm_p÷-¢1u¦Ó´5µY§J;¾÷QˆDŸÁ”H¦[uúÕŠ¡”I‚R–ÏVVÉ?¾§9Mö§­®sîa@0ö]Lo•£ör$ü?
"ÁPŽZ©7t>ªn¬Ú½CPŠM(
4
Xi«—3ayýåäµ¥iu@Áåc
+Õ¬²ãÎ]­¨€¢¦ b<Åwù.©D<ãçáĈ:Ïe]¿8%âÜY›>¸ØÚ¹8Èùß—’¿ï#6{†ç"L’îX¤¯ßî¹"V»³ãGZe
&¿3óu_9û_fû^nlê
+R‹Ï¡ev,;è+c$?  âÍ{µázÊ*¯ì>èD5É'_›oa9Iyî¨áÆFÜæk$Uj‚×À$ì‰áÉRJDµ=%¤¥Z¥³Í’fLãŽaíORŠ>’|„AÝŸ…®Å©Tï
Ⱥ៱
JòÊx€dUº|O¶ÖO±Ñ;~·”´ô¾Þ–]ÂÁQs\Íâ¤^Gš‡Rh÷8ú/‰ýü'¿ŸH|x¨Od°Ø?¶i÷Âendstream
 endobj
-975 0 obj <<
+985 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 2237 0 R
-/BaseFont /OUWTKI+NimbusMonL-Bold
-/FontDescriptor 973 0 R
+/Widths 2250 0 R
+/BaseFont /RRUOOS+NimbusMonL-Bold
+/FontDescriptor 983 0 R
 >> endobj
-973 0 obj <<
+983 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /OUWTKI+NimbusMonL-Bold
+/FontName /RRUOOS+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
 /FontBBox [-43 -278 681 871]
 /Flags 4
 /CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 974 0 R
+/FontFile 984 0 R
 >> endobj
-2237 0 obj
+2250 0 obj
 [600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-958 0 obj <<
+968 0 obj <<
 /Length1 1612
 /Length2 18760
 /Length3 532
@@ -10699,116 +10789,121 @@ endobj
 >>
 stream
 xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h˜™L\\\pd[;wsS3'¥š²

íYþ	ütÿŸž¿™Žæ¦6ò¿.@+[;k Ó_ˆÿëD àd˜˜["
-ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î #¤¦.%KóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶Fö¥©F{1­(zR€—ùøÞ$T}¨›ä4z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
-üÐIí|ŒRëc1:QA¾Õžž‘'?=RŽõÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà	h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦·ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
-쿵$
œÉ„®'~»¦ìw󬵮¦~íCÊ]™Qê,©wmÚ'c¤	w®Diµs$óÐY–1¾—f‡ÙÄ&>.jüäë賬9“5ÎÕu¨ÍÄV¤?m=Á8ib/4l¼˜’lºÖ’Ÿ$):Srïð¹ŒtéÇ#/sƒydŠü¡
_•vÏÐX¢ÖÙ"» ú”4Ú]Ô†Üf†·”-FêÕˆFG‚„ùs!kt>
-j8+¼="HOló‰à|V”LôIŽÅ_y·1A‘T5dSoEy%|Dm3N†Á‡P¥{ú¼ÞÆÙˆ
-šÔ0ã#¢DËFwˆ(¤ ÙÓ§~¾f%ž©Y·˜"<Ø™Él¶‹Ç¹ÿúä2Ý©²HˆîKöÿ¢Õê’2|Cu˜Äï4‡ÙbIYY`AýÝ«!ðc*	w¡)óÊ~#†!åÌDŠ¹p¼šÖ™(bðÆ%łߪÇ4òsœ.劎^Ëú0ª†'>
-dÇ$[ß4˜h3iï*#§†]Y·6_¡$l¥—\5Š´
-ÖƒGÒgÏt7êz \ÄØSÂèÑÝá	Kz¬Å~»šF£¦s>y{­)ÕCóaÑýû²Ú7×	Ý#ÓF¾o¯Q2v3äòÔן¼xÒ¾#x9s¬(ÃÇÊÒ÷öUX7Žqb‘ŠŒHö;QºÙö³ˆÊëí:²5p,sÍŠ˜VÚÜýXQý3j.jWô…¼¬[Ç2#oîä2’«²6¢£yé0O ÙÓËø8³)Kz¡l„ïzä^骟|‚gOH)àY	îó¸¢e¾,Ùê›Ì,ðŒ‚þ²Êsźy&Ê⥄ñϤì*“@bKiyäúk@WÁ»¾/ÿë÷îÆ5
Ï##êáù@¹‡ŽRƒ;ÇË6ÈV|¶å9{<)¼ç	QU+ó؉¬@"9ãå·¾9Ì-–†Æ¬»î³ØŽÈ³¼…„e†tY.ž±áWËÔÀ;žš¹„PfÙWÐBNûŠX÷a|nÓd5ÕR©¡Ûo÷¿]fǧ_$¿å0[^ž‚IpƒVzrEÄsÜó^Á¤ÑÏJó„½Ë®Ïô—qŠž€3«Çþt¿ipôøɼïÆ/ÑøµÑ7d™§©M’°{<1†/ß{€"Ãg'”Dnnë«J0VkÜ„},j6ä²6”ª’nå'Ž`gâ[ö
-õ	Ò””d³3þˆA*ú<ì;»ãçëȈÏÞr‘U¦Ξƒ	¸R64yEIÝ#ب[@“4ÂS»Ð¯«±÷è(pÖg/ä/ÄX»ÐÖ@­Å»b¾äcŠÅIî n¿¿„îçç3Ã"çU=^ó»\XºwV¯”¡ûB:Ï‘
-[—ÒØ$ ´zEø}:µ`s(éHô‚Å+X—³÷¶*5Â^ÁmøÆÊ$¶ïÉéGH
->êò:Û†ç-àñwN‰
-3“7º]Ç }"}xt¿-i7Ÿè¹½‚•
-üƉ¾ÏÑüІž@S&_#‰= ]Œ% ešPŠ†¼RŽ”oQÈJt{¸œñàº0ê8&ò½A"zXXª‰„^i$º@õÁh0škm}…“u­@îK/²OÊ\®zOóu#«"ùÈR.¯AÇ„ŠòÙôÐJ©4I°muþ`*?섨0­V2×~„/ŽZ.&òÂ×Ñ_ݼÇa)¼<¯l ‹¤ab˜wK¿ð[p…*¿–ªì˜F°_z¡>ôÿ-p¾þmQÌHtðFЇt½®
·Ð[Cr:Îæ'w|…ôSoñ;ÕdȇkM*a1eˆƒS¢ß%!¹J-¢¤tXäÖ’´–šBÎuÞ/
-p‡÷/ó¢nD(0ÂDã ,q®R5Î@¨)µŠ
ö|÷ò¤ºÛ\{=÷5¯ãƒ8zBuyÚ£e4O랊u¼z.©2Êqi¼ûTœ°,³Õ¸¼[¡~o$n{Ìq³¦×·1åŠ|…²Ï!§-4`f‘ך¹ïPÛ¹Ui«í!3ÏpN"LnR‰ôAQ“!ÄùðíSÆŽËî1ÕÔ9PƒoHT7-÷dâz7/ÉÐ÷3¯vU~2‰áW3Ýk"XŸ&¾L;Ï´Ö¾s°˜9¿O'`u?‹¶Ôi„ØCBs®Q‘ô±…ñ"¯Ïæ˜L#ÈÝœÿìUüÒ¹ùeŸáS©Ù_§Ó¢ªîÑ
_e(ò~
¾áÚÈÙ¼ßÕt2ƒÄI]Õ×Éuûͺ›WV>{€º^7¬K·ƒ9@3¤uÜq¿¯ØŒM(ÕAfW$ùÑ>Ž¢róÕõ'Üt*®IkÒæ·&„óÎãÔ£yù„2¦§äº VБÇ/êÀp4¹‡èT›ïwnÚuŠêæÔgW«È$&¥é®&tÏ„ZgqÙÇCȇŒ† ßðéårüc­ŽMÔEÇ×çÔkâÓåLÁG1‹^­?z&É ¢2™"«….^R,• ÀÜ ndAU]l$þôº<¤qJá9	[Rèç+œ„$E˜b…†F΂dù#ÕÒéËYûV·"r†Š}cà’³$#QZ0	ãû‡H„f¡ª÷›v«±*øöç9ꞧÇ)$¥!€4%J)Æ«B¡(kèè^«£ Œ¢K"ôŒÖIQ§.¾É°UDBó€â¼HÛHzõV¢’éç5柑&xã>fé.j/O§Î5$8žÔÎÅòíÊ°¿_ëqv–'´#zÑÚfs
-[Õ%:P+t¦*5Gil@ÐvmY‘ ‚œÁ‰~¦S JÖjn5£ë—ðys¬Ø0ÒÉð¹¼tOC»¯‰æ÷­™ÄiÐDX¯ÐåpÖïÆÎl¶TS†ffe2·©iB>²ˆÜKmV3	·ï¬I‰Àq>ü€~y
±z‘ô&VQ|!æ쨯tàZ…)"¡	?ëzÁ4%vïù2<€ºµ—ÊŠ¶ÍìA6hä挑ÿ>„ŒÔxZÜ5&R'!Ö§•gÜ…«¢ú½s’+ÔCÐ[ØÄx›)½ºo
-Ù¿®;ªôŠD™r]9@èšÌˆ“ÖS|æ[Û,
('|f¤~}Ã!Ónëw¦©®n”Š\8ÖgK½Uz:'=*"Ô›%FWHO´­Ú³ÒèÒõÖDÐ_|ÌÎ\ê\Û
-qá‚ú a¾ýGŸºî“•e
-™âîÑ~)Ü“U‚™$¹ß“ñA=‡C“ü‘:³œW•Pv Æû§hbÖ¼ð»AàlmoÎUÁùË7…¹í\~3È
-ÂÏå±äÑs‰TNŸ	+Ã<ˆ•9O¶¥fÈËDˆF§‹ÑÉöY廙l›¸·°6¿33ïáð\1ôb°	a÷	Á{ó|³m«é*Ê›}½"é?Yš,µÔ¹‹e§úPh‹ŽŸXEô¸º\©çÜ[ëgøV3C^à ±çSø¥$š ƒÛáÃ:“É»®’´ð¾ˆïÅ^ƒÑÁ´‹¶ù´ë¬†)à!jáìKøGR~ŽCkCœùŒBΔí!$ÐdÕˆV`¨­\ ©n¿»Gó§æHðnêÚïvœ&ëÌŠ":—íÞÕ^"Æ;bÊz³N¾0UÅÕ–ûÖ1ÃÁ,Ծ㢫|7ßoV};º:Mý³éØc£ôÂà¤=™MhüCÔgaì‘7¨²Âˆ±b®5_¡·¸/ÂH:L«
>r>Õ²"™y£6o„Aù±RQ ¼“_;N\¾L©µá%7¸àÀ‘¾g$µc [ž Ü80›=~Øü.¥T¿†ñ¥™^šW`/ž$8¢%S>ô”æý XÞ$'ñ.ά¡¥„2Éÿoƒã;At«!Äò‚´žÖ&\Åžã™dn£˜kjÓ¥³< -YRç˜oiæUìÚÆ‘ÌY	Kî%?ê5TXrz¶ë[È/¨£=gU0‰Ü„€UShW´1ûºzcw™>ÔXê1§†S\»²3Š‘ÎBaʉ@,ŒëÂ?/ßu3u¤ð;…®MXÛ;Í0¾z“ƒE9–T¨ÕÖ[x,ÐÏsô1Æ÷Ìó–Q£×©VNcÌ…ËrÖs,¨ ³“eeµ‚l€N0j—;î~÷–ê2›ZoºäÆ
JR¸¬Ý.nìÿ¦ÏR(šF½qqIéì{7¸–lƒ%Jåíi6.’±ñNJ„µ­~d¢Jă÷^Oß«ÑÉs!¨kgw%¼¤ó_†©ëÂ
-??zÜ…¤Ÿ'PìE¶e6¹-Vƒú£ò>áÂPe†–½Í•Gèf5©{AuÔ¦JÑø^V¡ÌP
-:Ù‰4GÌCe*Z­:?ß"íÖŠS$`ë¾*~=QîFf†£¾d5 ?Užaú9v¢÷"“T!KÈ
õð;[ùÛCµÛ²Ñä$|É•ÿ#]±·,ÄgåÂc>t-ƒôÏ/c!Ö’&,î—AØ$l‹ˆ4`¿Ì™é„G‘9h{±IK­àôáî·3ÂF£Ýйô±Peûw
-
8ø=ÇC¦ñÙ"ê®ÒL¨ì:0%»¸vÕ´HƒŒ?˜ø¾âù¢õ3™VF_?Òí)Û÷³qoTŒ²>ô£‚ùvî[±~á+Ó
ñ¢øøhÂ…ª>çV©Ã{‰iÜÁɾ,ÓPhF°1J4‘÷Ò.’×l"üˆæ
¿D9TäÝ!°hjky~ÒHTòövd@X|A¼—Õò/²áxxûfÙ	z¸|ÁV§Om×¾SD*gi[‹4i	p¯—ðƒ½ÐØv	)ilPcΙŒ€~9¤Í^-P>½•Sø¢ªÖ_Ñ:v}¼ú‰ø9#}hçp‘à;‡¾¢~¶&í@»Âªž$ûòYéØsE6ýPÈ¿Dpñˆò϶J
úy·#“Ø'PG‡ãŒY9ÇçzÖïIE ç©_¿+Pììk.Âî+çpnT+±µÇ1*#Xd4-.¹.f(܌̠n{Sš©|ãPtw90¿Ì§­ã=tÜr•xÿ’Yñ©Õa…@.i¾™?#E¬4*872lºGÝ›ü”òóÕƒ¹óšAúa§¢+lµh›¹cÿ[ÅU‚·_Q'ï–íMÇ7&U6æØ‹{tÍ3_ŸÔ_óerˆ$q¿E½â>$zr,¾.ÄBËëDÒ‰ú@û‡ÍDü”Ä­wPL+w1xàKDTjã_žKU÷‡Š¿÷ðN€úè±=©C;]‹‰ØÑ\z©r¸úÕ~ÈK*¼Æf:²}䥳ý]°¤Bu›B<+2¦ø¥Ø×Iÿ§½²¿S©ôûü¨·zM­<ƒïˆn1•ùu›Ó÷^Vú#:.æ?¿yÙž®ïµá§ðƒ£|`q^Iš©åâ:kÓãZFMd§Í‡ˆ¨><…÷Å4I)'16TØ͆Nß°`‹ð`	[€r	óz‡ÅÜl8±§’¹Ll[@Æh_ëí; Hk¢ÉjLÁf'‘Ö%З&så@µTýb[Ojöß	0®šm-Z‡µ<"ÂVç­wSp#H¸Í°ÿ,3L\g*±Ý¾–Ýçpg¡’^uІªH%a€ÃuQlàÎZK‡B£vHÕqe·lAW`¬úÑ–îxüFÁŽ¸“Õ7º¼ÎIhB($y{³ÓËòMSô~¥ã# Z|Ѻ6Æ×c>ÁB’Y”ï‚*¤ÓµEkèið„ûܲ²ê6ë#¥ÊxNÛµqqŠ®k%:ЂÃÏý0{Â4Û¤8¿ŸJØTá‡ð~UâjçµDg,Vå|ÌÙ)îmÛÁÎn$;ùâßÎWûË)6{ô2÷Å1§ßÿ2_Q.4ÓZxWG)ûqŠ·óGŠõ{RÜh¯ºÎW¦ãrzÞõÈÐKËDä]Üw¹Qöº¯G…\å#n—ë{aæÆŸð»Â¯U"¨k;`aEw}øŽ¦¢´Äætf	µŒu	&ßéæsÜk¶Qk¥pxNšnL’v’Ô(|)²FðcˆÇY£0c…‚Ø0cX{Ò}hƒ¸eÐúƒKŸ:†ohÁhdYÔ}îw¼Vj¾]½¹cû¦wní†PžQY@V)[7ôU5:Ò³ûÑ
7k"%W¥v3<ú[j¬ån–E¿kƒœm»ŠìŸ×—´[™Ý%I¤@DZrbÑll¯azQ?ÍüŽÂævFúµg. P³e†¼x€ÉôHý‚€#j(hôÄEÕÑ7z,œB-»§óÎ…5E«›}~i›“;e€b9i«À9úHðêùÚ§7~ Êã>OöᙯµÒ+7¿Ë„8Xu@HáÐG§6¤'Q{—ªß/R2§o´D^ÒEœ (¸ü,¯TcÏ©ÆìȽã‚Z]iÚXçKâ Ó«¦ŒÜ„Y¼ý}ÉkwïPï	<{.ÏÓ™O .õÔ‚Äñ|Ÿoh£‹êÙÕ†4ü&Æ
ÊÌŸ¢RÚ±¡™Hõš‰wó½é2)B­…‹·†ª"Ú7cHЭŽ8º̧\tøºlg%Ijð«]R˼a\nÝ8†÷¿ú³à!V#RÎ96áw¥1K©DŠŒ?VäÃÍBD\w.UȇH·:Êæ·7Ä­‰ö‘gBrny)A½Á4k1H´?ëÉà$œNŲ!ÉZS†^0yVÖldlƒËä~~;Þ¿g;¡Ð\ÚaæôK¾L‚ùõÛÛ“½O’l»,©	¿™[§
-¢ðBîBZYø ¡QÚ÷¥Ä:_}ÒbeÚ*r³9ò”¯Ô¿åÏ{ݘéËáªÝ]1÷WšeÂ…5âo#”‰Nb… ¨ô>¶ïÓAÎì·¼žíÉzàá]M¸Q»„)ˆ'°&má"²‡8øg+Gž‹-¯ðJÁÙ¶(!‚d%šò÷F¨é’‹Íü0ÓK^žŒð§.Úf9Õºi"‚Bœ‘תÂh‚0æ£Þ·/Dž¿V™¹6j©Û̇‡o—
-_0ß9ø™Ü®Á³@3&i¯)BBD‚Òr8ª¯sÿ’¶þø¶6ù5EåÇÁ‡›3§ŸÒûišI©R«‹ª]S¯Ðeÿzý!KþãÑÑÛ7çÙ96@:áO´ˆE(Q`¡W¡ÐêgÉCIචœ7·@ªÁ×N~ðOÎÏL ÔšîÑ„6t>æ€ñtFt&QòŒõk©ú¡Ì:	ZBw˜0.•Ö 
-X˜DöBà矉uƒRá±êëŒãù³"‹‡»½øS,VëUgÈÓÑ×Hë‡
Ö•Ø®ôh3ßõ½@gYa°«¯ÃK}\)ÚÖ„èoô}7dÔ{Â+ä’רþ‘ǟúiæpC8[bk%u‘I0: ]¯úíŽI*]¬NꌕԲî<'âÌ€Dq¥1öYßþù4ˆù;4Ù´Ô˜¥^ðžöE›:ãZ”¢‡ÖãßhSÁÒ"”‘æeGq	¿¸ú‚Ò®ˆ÷ñ"‰v=}ç¾ÌÅ%ű;>RÕw´ºÊuú)DãPèñåVÂ-{
i¢87£rC~zIu(a=/åÓ`éÇ
-`JVæ€ÝM?Ë-*\šFì\q¬w÷4³Ç"Ây'LÜi
æI²úвTxÝCxEåÇ7#Í=䬯šÐ]ÏÂ)9™šj^wpŸiuØ•°I/9c½šÙ;ˆ†YÂV%íÇ’:ðgEFÙÒ·O(–qS”•=ŽM.A¥ó¾5Æ·ôŸ·¸PF×/ *ÝXåï·Dê,oö°`ÐO„&ÄÓú1¢ç)ã”au§4‚x­¦"ô£šVKnþ?af¿½ðÒâº-©Þ(äM×4jý€‘âª[ Âx06Ä–3±ÊbV®gG¬$¨ˆX”£þÙ]0ML]B@! !k“ö'9iH„%7ØdÇýý³ê«VÂiH€ð‹Lêõº«§ÜTÉMÓ´1=1TäöÅ¢ÕæûH&LÏ5« "ŒúÞ¶jªÏa1¾5e‘ׯŠ9³dfƒC|—fS}½Á¢^3²Ry€!©ìcÊ^Ù±•CyÞ>æäŸGY›µöLˆ²Í+ðüw…¯‰‡›]E™†ÏIœº#½Á”“W¿ig/€¶0@hçnlÊäª5Áç®ýF6PI¥pKˆÈKUëqßoÁÎJôƒED=§É*óS½PlBø±a`
-^ñ2Ý9á4GÌMdHä:a,h&y	að;!Ù$õÖaÖ8|Z2ÃdÞ‹J‰Óc—…6‘Ñ}Äu"åÈÄ7)õ)ÚÞ”L#mõ0n—Ü^žÇl¡~c[øïz¡AèÖЕ–êÍ™qùÐEm)PF½÷¢xŠÔ–ŒisØ€ç³D6
&œ<ÝÍYï’Úl¥ç¬œs·ÚCò£ypKWFsš£jƒ“ÃÉs ÈÚË~
-¸š4?æ·q|CÇÂ[9ËÞnÑŽ¯U…”kCWvܾOøHBÔfGpÊñ¦Ú™uw"£Û¬‘M+<ÂREÍœËâ`Ôщ) SßêÓk3—ÌŒÊy‰m:ãs‚êf“BܲþàĨÙþ†¨4ÃJ´§¹=µ¬l%Ž»Wa*ÂÎK6#º=\{œ˜{áÒBz[òaey}1i%œ1ˆpÊeDNi±`à6^¥
-“V-Á …ê©>Zw>î^’:ðëÖ£,AÎó=a¼PP?N}“­8s3zxC4-áÙ'Ð@¢¯Äa0½ÌåŠ&vù& Ê«¹jÐ-OB;ó¹bîAl/­äÝÈ»÷
#o«²#yÁ?.¶Üè©®Ï²
-sf"7íȘ'z½½Aܬù;˜-Ø„º5½ŸPoö’RnÃã—§cÄ­d>­Õ‚ëmOévXš}Ý…["äC»Îµš Ú·ñfº ?jÊ…Šs$!ϧmAb÷yg‘Õ3–ã¾ú©Ÿ™ì‰YÊIÚÓjû[«Òaîë—e·Ù{/ûÀjÂé‰õÙÊZXÀüì˜à äa.ð–Ïæ\àß›¶üؼ¾~
ê¶Éþ¶ü5öZ	š‘X’oJQ˜iOÎãÅ[=Z)é!³»&ç–ÃîIëBå\Ý;»"B7›§ c)Œ—†Þa%ó‡ŸTÚÅLn_´´i·‘c•udg/U†Å=7
-BÎA>ȨÅt»î„ÞñMt7¡Š:»ùœ=2>ï((Ÿ!{GÅo’8DiåGÍlœ
ÊãVÍÒUŒÖº‘jÜ”Õíë
-ÞÐõ)δ¨ŠP=¥ŠúçÇ ºÚiÓNRŠÓ€„™m:ô¹¾@1??¡–­”x!MÕT•ÛŸAsË•-&I˜·ö@ãݪƒêE!F_Õç5²î´ÛT²«ô±.è-ó°{m”´YÐßžëÈC&ÐöºoÕ¬ìêW5iø·Š ¹Ž–ðûï~dÏFœöN{uÍUg¿a`BFtCÙ¾VØ-¯Vâe*ï@ì	@uòQµ
ä8L°4§2Ir©¶Ð“†¤o§¿Ù	§¥ëÁIÆtPÕ'ÆiÎâsëŽÉÇTЃF`Þ™0Úu­5hJ»½
Ù‡,KíÜкÔP¡f|éO7§Hf|dÑr^kç
Žß¼¥'@>¢íð@‘…„—Ä”ÄÄJÄÞ¿Ý>3„Œµ¬èZˆ›Ù¡R^XÚ9ÈÍjÕy0”Nš¯s„gA‚îWˆ™[Uú	£™2õÞzבl‡KØ6`ñ
-î†Å×°æËùß'™+¹O?àªH‡q@…ÑQœÙ–l.vk	-3Ô+¸GçQ@CX<¢â*î>Ö‰?7ëÝSY±ƒ°±÷a~ü¨=j ºíd„¾‚þÔ‘"Ød±ÊUU;•ÞÆrÝJéŒ$AøZ©uëÎñ³‰W´Bšgûû±wæp'Øbû5莵Ë#—½ë
¿É¥M!¹q¼V@«ßÂ=¼8жœÃñ!r1†À`^6]ÈÊü«o†c\'7 V;:šb˜€™Sì
-…eȤ½øÛ ]Ûq};—¼¿ý%W[J¨÷¡¼–Þè	aÁþ[Ò-@^ŸFðGH¿	ìÏÈÜ°<·eÕ@wô¨‰Îy«(‘«xd;{”«‰U¸otÁªDÕL
-˜ªˆÍ|Îóp—aÜ^§9Lî÷‹¥¨`=1OþLˆq‡p–*ÃsqÇwŸÚOuØÝã-ôõ•)D©Û¹(ÕDIÅ,$¬ßÌ÷!›xŠt¾+’V‚Zä\õ‰ØÑk‡¥	vÜå#
âiÑò2œK³ÈÖ–ª·K ?žfÁ_ž`á—À§,‡h@cÄÏÙ›‰„œ#¦å[àŒ‘æÈÝŒ‘IágWà^2/Œýäoö9œóê¹ÜüŒða yƒ?wR"”S;¦ÇG^ˆø3ðÙ»¥%3œj˺Ø&B–#vàXÂÃÇpçŽ7†.arï«ö •íWÓ~
j¤gb‹]ª6ɵvô±A`	Û·ŽîB	s8<«ò齓O`«ç( &»Rð¼ÕSÐó–=Ãê‘1ßì¼Û#ûžB6&L`¦­k7èT™7„,uxæ}ëåÊ{!,¯&šª‚i»FB6˜3=…ÎÀùÞþì…æe£Qµ5'ØŒ™Þ+ò@3îàœ•öÝÔÙÏ£’â»Ûö_:`n?ãô`}ò4	T躉l¶}™=aC,I‚#«&‘Ü÷Ó_rlïyÅ–$S—‡—8•í–æ
æý©ŠV7Wo¿ßγœ'“éžÁ©Z [ÆN«éaîÓó'¨5ˆé´ìiU÷ç+3=;–ov
–ç8\	õäñ›V†Ã4¼@jãÖ)ãì±Ü>ÒíªO+^xN¼s—]Ž»(¿ïi¥™¡ì
§±,¡ÝèAÒãÍúŸŽVjóºb,ÇnåCæWä¾E	±k‘
-^ú”ãh@RÄfíÁ•6—U
-×qóp&+yPå°1¦àÙÂ¥å Xˆ|¿ð$6Uç»’ÄŽ¸%¼ûm'v»!†æ^™íç Åä.°¥6q2Œ\õº«CÛ7E.ÄÔ—¨lwBÂæ8=÷_so09Fµtéf²ÅoÊRaáÜJýèb;†xŸ)ォGœþW¤ÈùQw¤ØØV„K˜7µºy$•o5MåÐà,=²æ_³4¥ñ3ž•÷°Ÿ
-áB«¦¨Û$EZk°`ë¥Y
5qÁ[œù¥ëÂF…:ÁƒN„´®jîܨ€›JV[‘
-ü™±8Ébº¢¾9àѲœ&Â&9h°¼§!`Z„ù“½M$¨'Ìé·Ç	ˆ‰b|ö]·[EÍ\çtHL”.=MSeî{F"ä(ËfIÜ
-ˆ4ƬÆx»ák&ªˆü•“KѡڪƎ5soõUKæU6Û‹m™³Ó<{WûFgsü2‘“+tëÑɇ¡ˆ§Ç—–Fë¹mù¨ö9¥ûŒí¬ (	Q«¿˜?©Fߧ$‹OÌr?ãZJŠM¿{m9ùœÄ1+É°‡!¨Ú‚§¨næòY:ŸAÈ‹Wv¿˜iq“~ˆRŠ:²«ªj½¤©Gc„ËZÐètúœùyF6¾K*Û[HzÒ§ib·I	þhŠÕ‘¿tîÈøhbþàáDëÊ0Žñ/—Í• W L|õ)ä™Ê~¸Ã$|hæ¼)½ü'CZHsöfW^È¡µ
„u™§™êÄð‰¼—9*ÙËŒÝÏO´OýbDòÎ7Ž¶³B	­DÖD3]‰xécFb\“4“ï› O`É@®0{”X«V%Üq7j·6Ç„ŒìÏõ¼Âør¶µ¦§@Üt,«"2ðÏǹ.Š­Ý§ã7‹ø£¯šr°>C;–wD72ÐAvIlU&m¡•˜E4Ù(`ý[wZQ3‡Ùµoœ'é†zDŒdØ'ü#mø
Ͻç[Ü#ñ™‰.i¡®îñϲzåª}:K-òÐm(¤²“™º>ÍÝ0«l7á¯r†Ûì%óÙSï)?ú±ãR™Â—wv“iQ— øð`gcÜabO©_7d@Óq¿"	™%qtÍGJ߃Ù56榑û¶5ù|[!Ä”L{ü÷ß_é$£½—zø[HŠëNκü-ÅÉEn4«Ržú˜‹¨ç£”v”bRŒiº&åõ8æzÜ®ºˆA¨.Ó}:pc“%„9¶³C@Ã×vt|jâ0òFóðÛqò¨|jùŠƒÊá~·l–‡kàVÞ5-¯$Ý3ð`z—º¨Ùû…>F½IÜÝJ² ? =q/ ØîAÏb“~Xc„\9+&•óEµ‡w)³SOS>}Sl´;#5(î=:·qøO\ᦦDø3ÖF@rTôÙoÈ'É@'áÛ¨9o;=Ò«M!±ë{2‡JÕöhU5ŒGÊÇÅúÔr–Ùèjšíê–uÀ@Ætáóå•­qW3gPÚž‘õ§/-‰Óî¨~%ŒŽòû‘„¿Fãk	Óü§:(™aÿýœßL
-íqÃoØ8\"ÉÄø‰m~'8
£Éùª¤\"~Ķº…puX‚8R±·ù;¤‡,qÞ\;1´L	AÈ›œ>lϴʘƒš¶ü¸\UÆækèK¬ôó(29÷ðJ3ôûõrï˜O²âåMçÑñBu”蓼!þ*²‰ñØx“–ãfðÔƒªáFb6ä([N£+þe÷#Ìó,+CðÇUÓ3Mcf‘ÐAñn0Ja¸Þ.H”#ÓJ>U³ÂåbFµîV?4™;>
-Û Ì_÷cvDMÄȺ„‘)˜3,fÅ·„@sž?X³¡˜ò\ªå$@Š$ÈW;ö=W!za(NGv È(èᇓÃY†CõdQ1”On?S9Ç>Oµ
-dõ›#.
-óÕu«ðaxÍ'¢T´Æ49¿}
-„¹ƒ°yeàêÙÔSYãæœjî×]…)Å’ÀY¡vSWòÀ­¢ÒGÕîUê£	ãþh4×
¯DTÚè¢Ë ¾ŠŒ}dœœ'.ßñ»c)sùÂ4E©”€cr'L’q!2XdêFÒ±!NMi€âñ¢ÂdÖ |H—^ÉuÞõ“ù¦?aÈísNfBèÈ(û;Ÿ>§[Q-„- ï$àKor§ËûI’;G¸],˜úJâAžXÚ€àvÞ9g•0žh}[ü £Å‹—T€%/WHþî×Dªÿ~Å!¬„ŒµWJQ;dZUüÁˆo	7êU
‰iT†dGà!y×"?αLÛuº·Ô~¡šŒ{U#[Ö÷g_SÚ®s·ßñs=„Ñý}Ž´þ^W@ƒ¨IÙ9¼£ýè@‡}Ó$0_>)’¤Èz®Ep,—ðóõ覲üˆì£å"è`06déðµÃ•GѶ`DÅÄÑrß‹èGÃõ¶F´(øLIÓÓ2¨ÄhŒÑ¢syçw-[ý $SŠQévÂÙG0p•|õL	ŸûŒM:2ßx¶åÊ®I÷ëžvH…¶ß]„,U5‰eÅæ°LX*º{Œ+—LÊjŸO}«nU²9¸ç\wýÓ/~cÝS4ƒRꩱT.&êò³Í66USQ–‘*·R°l"È÷è;/Z÷«ÁB5OmùǤA–
-ÈïQš4Zl’€AÍMNÒ1B.NèL·YÏ¥£ÌÊ©“0d›±)š„¢«ëOØF'Í<I('Ó.DÁ=Œ”³‡pEd­ùØøõmQÜÛÓJ:ëÔs††¥[H3h™7Â6uaÂÈ4UgÊh
{V†k|–¶ žd£å4A:kY’(‰®rŒ“JY55b¢Lï¾íV·œ2kÙzÙÛÌ9éúŒðlâÞõa÷xSkðJ–†µä{Út´çŽ[9¦3ñÇk4OÂK8­Ÿçå Û°¨oS3æÈàQÌà~i–¯³•úc"uË-ëe0¶Áÿ6µ¡ÉÞ†ÚÄÜøÊUƒÆï¼à쌪2ئ„T(™˜ž‚è ¡)ÙqìÔn»Fñ±Aò¼Œ
-~z#ë6 å˜Mmné©^«ŠÒŽ†y§×ù{?¤¾ó
ÃN[„!H-Èâ–‘Ôyúê³Ból«nsªYòU4Mö¤
©0lÕÜ´~µÇê½æ`¾ü™ñd™ÿÍ%ºŒ(„ïñÃpY0çh^zÑl™dɄ˱½ú¸çðG0Q'[9R3…m4cA¸Ôá÷¹öîY+x‡}Ê)¹ÕV¹„çþìm‚›sÞi
-chô„,	3 ‹
ï‘“#•ÃùG	ÖÑŠ9$5à »l|ëQλM}ž¥’>‚ÈÔ!¦}™n¿°B=…_½' qŠ=ò¼²D½JQ:|4ù	"V&71¢‡»Ê´XGŽÌ˜Û6¸XÉLjðD^«Pìˆ,0ª°>«ÇŒzK„Uê• Á;ð#
zJí™ÛGÃLtåk
­' , 2ýòô™ÏªÍÑk|Õ[~>'}A–ž­h¦M$™O¤{É™™aý|Fo¾á¦›\basmç­‚‹ÝjM߃½€—RÚ·Ž¤`W 5YC¶]Þœ}ËA…	IñFÝi„—¤>4Å1 <ÏÜïQ»ÔäJ!¼@ïµ/g”ÆL…˦Xx2¹Z‰—L¤xó¨jZ‹¿•…<	ËÍ(癵uèKvÝ%'
¹ä†¡&$XôÕÝevþŒÂ…--kZ"»À¤Kõ.C!5—ÔÖ²
NɆ	ÅŸ;DrR,çÖ‚ŒQŸ¥Hâ-A(wYœÐ%
- ±(ø'E5 Í0Á{'­WÈÐÐlûù
4·Oÿæþk¨ÕÏÙ€œ“æ¬)Tlý¼SM¢ÌºtÙö:ʇOI[|¹,™á
-¸}³i¼<nU·ƒÊ'D†7Òz;%s}S°l<•’y°46Ê–TZ¹eÛ]DÕ\Y¹ñ}˜en|(xèn)<¸ËŒ¢G/Çê‚«þf$'„ƒ":èuë	ìðx/’<€Â?‰CòSÁ064qcZŒz¸ÙÝü\! ;‰^¼·'PZÖ‰EvdŒ¢bòjGYþ=Ñh/«¹È´®ŸË	$8éÈ'kê¼²à
-%gsðùB§*÷Ä•TÝþô¶VÔ½~Þgÿ°s-Ãê¾ù¤‡I3ôÀâʨbŠÅ4ZŨǾdzçÏ—à	Áç‰÷ø׳ŠX]"ïe‰¥?ÂÛjš…<®ÛsÒfÔAgV+¢ÔŸ8ýdÚ¥_ÜÌl:ɶ™q
-L!
…a¥,C-CŒ}M¾~šÞƒÔCzâë—ò'|;¦DÜ‹	Ž‹¼”ýû·NsŠŠô
c‹Ð9T#qY%%ËGð	0Ù¥*÷f’®
-.³ã׋ÏLH]DÒ.½Å¦œÈçûNcxï*ÿÍRŒõjHGmwr$Æ›~üzXÉõ½c7G9±fRpÂÔ›õñ`ç¾/ŽFöøÍ¡Sësöe‘Ä¡ûůjrv±K±‚º‹—li¬@bÁ̧òÓµ¬FÁ§”L¡s¾´_úm\9G›8+¥£XmK‰^γ³æ&„m©œtðÞì]ª_l„Š@O3º] q—ÃX;Ü3œåá›
-kƒãåxÄüÁ‡¹C ¥"QPf¦CY_vŠÓÑô|‚ŸŽîdœîÃ:
eФÛw‘éûe« VÑê–†P-o‰ã¶*‚½—€:GçMøŸ¥ÀOr¿/CîlMk[6qÉŠP·eÙ0ÿ¸•Ëzý?TRÈõó·—Ï(ªå8“j$27BjߺÌèÖ–õ¦òãȹÿäâÌ-:N
^TüÚO`bŒvï	×o(<>yýeþðHó‚Tƒƒ2¸¹ÁíåÞ(å2Çæ¬9½³g¦F³Ùå’Ë?q…ÃNßJšPZØcš¹ÔiΑ88›ï…wäD&oô\<朕çÞ‡.'cve‰kÎþšØuôI¡]Èš‡þý+‡¨§Ä ~¸db D:{‹ÛÖq	•¢j+˜ZÖ+·?ÜT±æ­ºŸÀÜÀ!
-û:%é5¾¯åV¾çu™J°5Jòb´â"2jþä³àí=j¹òüÅÍ·½OÖ±¼×Ñi¥Réqødoeל}½j(áIaRFT¼‡{°˜Të‰n°‹W÷'½y@,}H5»A¬8ÑLØÑ]ƒ5ævYÛÐD"ßïŽÊDʺ°z¡Ž »z}ð…ˆÇÄ_@ïO>s0<#gr¹ñ´»f!bºÛèÊ5ƒ¢Ã–x¦ÐJÚ./°A>x»! jm–²sÞ7vÁßC}AœíÁ÷}Žn4XìÅVÄés¡%›†¹¢{Pû< ´éÔ Ì7¹d±·ÝÖ.´?²s1‹t¯}¼;¯±Ý½’×Gû»{UÔ.!ó!T-ºž¸9Çݯ~_’*gûkèŽvª»¦$û¦ÝU‰ô¥5Sü¼‘i÷I´Ï(Ô_:$³^‹â»Ù…eÑ\¯eÈk#Ü¡ðï…Šíw¿ÆÚæ'È­ÏòãJk-Yc¿ö3A2ûW´ìßßUøäë/5^]ïèø×¢ òÁoÀ&ÇÀÍ/úŸNÜ&ÞÞè\:?Fîö…)«pÈ:RªB¹TŠP¶×ÒªA
-¨ïÃÌ'l¿:¦ðè;{3¦Íäeµ—Ä;»¯McÕÒÚ-ÿXON´Â½²ùr0‘õC€ƒºÆ…L9ꉱSWËñÛÖþN2¼‹ÆvÃñ’ýÐ È*ö{ä•k^‡jogÊ"oØÊglÂóIüPÚ}tq(½Ÿ
-QCm6õv;1w²ª‡Hk_Êx½xµ™\Q\5“`b?ÛÓE„ÝH¦æX­Ž…äš»^ÁqL]ÙPºÀ³A‚ä£h]hò(0ã»d68ýÀëÓQ/eÃ`Ü›i0ÐñXV£ξ0žzGïZUOdCZ4[J)é?°µDäé*}ïuÒÌ{QýÜÕ‚äÕ_x®
-Ê’¸È˜”m€¿™»_–pÛD‹KÅ|iVWeeÀÀ«‰
„lÐÁôÿê4èT0Éëë]Ïd‹;PL¹£¥e!D*%)f­­Ð¾ì {ÄùíÐîòsÃÕ|0ŠLï-ûÈØÀªY‚èZ`ä<Üu´N!ìÆÂçaæ¨ÞôIJE OÕFÚØÙ‚™O¥ì鲟‹„œ*+aB5*êëˆYš0MŽŒ£>ÂãðSΚb¤³(=nìj‘·æÑ4W­ÁÂ-ÕÏ·­_ѱîíô‡Çº™·`î%âg›«ïW‘iІJmøª º¢Ô††ß‘$1½ÑØ“](snr…„L¹Rœ±¹UbµVfn3]ú‘ÛÀáˆÿ3È9ÆTÄk›“¯Bšž«µW¯ôoäˆ9u“lܲ‡vxvèô3Õ ÖÞlQ;,
ÿ®w½ß,Öf9z	ïï‹?ŽJ¬äl*+pË(ÑMÁ™ž eF×gº‡@‰<·5ð˜MêÍ	jmòÏ °ñksŒ]VY:zÅPÆ]•a£¿u_d„‰ê`”]&6ú‚–2#³ëb…S–ä|_'UBÉ9ÇØÔ*+‹©´ËY[–µ²zŽ’w
-Áë±(`°1BøÍéÑ÷kL»;B„/ˆ,à G70“›(Y:¥ö
-ùµi¸ŸÔ§îwX\Ÿy=rû„7"¬ˆiÝe6ÕÈý`Cõì¥oØ?g`ÍF朌‹ÀH‹†ò×ÓÕÏ‘`ñ»
‚ƒT~65Î.96,`³xõµôlë	Ä\θ;&¦!kÇ×å ÆæÁJôV>ÓÛnQ3­‹c…8¤„½aGãÐ$îÉ(»çf†A*"CÛï}„:¾¹Ìl{‹7nN^ÐÊ`„påƒå˘ÌV—Ûyþ2>÷{Ή	=½"ž;ôl`¦GS=)ÅhhR:êbÞ°ã}µ;íYÏHey~aN'¡¦o¦NQ»ð%`\ô?G°2™9×Á>ìSŠ¬7…¾»Ù6ò_qÛ§ÍȒΊŽ¤¦vغä.Ù#*Íõ¹²G-–à°Ã~3º½øÕNôdàÐH¬|ò€Ò>I6]ñs˜öüåÛ{ñ7cÌ	a8d?‡ÉNV¦æWíûê^ÙŸ\W’é†;ˆwÒ`–v0zA…füA©‰õ§$=›Ò¥˜ÖÒGVöašMŒs*(±Ó8üì¹äô¶^d•àŒ1÷·»s®ÛCºDdq
-I¢BŸîÙ¿¿²ÊXãÞLbÁcÔÅã‡Î0¸±hÿŸvæû
-‡ðgl2²¹¯u¶¯}gï™™³;dsvÉÙãlBvg”y8;âì…²et)Þ?âýíý¼Ïð„Û!O:hÛDr@Q9Ul:Ø«Táa¯a	..4EÿBÜÖÑôŽŒn†éü
-ïÔ2AÆìöâ©eîÛ›Ó¦;»ŠÞ¹‘°!¸„è`Ò]åU-YñÌëŸò¬ùM5ÁF³·&RGßw´+ùûè8šŒÁÈfïyFW
OU£wÀº$¾¿@i¼ù9ºùr¹>ÒHÝÂö§õÆe¢Íw{˜¡Ù
-,ùÌçÖ6ºþ‘ß‘—§ìä*ƒšA>SxÏå’ò§Oœ•Ãøjäwcâ]o¸‡´×ç?e•é%IômßÞl)·œ?Þ4‹™æI¿´—.¦Äì Ê×AÖŒqh}Ä_J¬Qêõu‘¦ZX´y7³xÄ,i’¸«^飯\µ1)Ík„ÝÅ	TÅ>¹Þðô3¥Ÿ¦õ1!}KGf³[ZdɦÚ^Ýs>¶ì¨¹…ç›ý˜“]û·çÁ ~V\Yƒ°ÕæÆÐ¥–tQrÿ=!ën¡¾5ó-b Ýmº¡ýŽþÒéÚŽëÁMyùAãýX	W	ÜKî(-ëß)¯Tà‰aß½ŸSñÖ*æHGÚàœ°\>|¢<ý(­³Ä¢­pš6>AÈ?!K•úÜû5wv")]mBßþsËäÖ»y¿ˆ~li¨c~Ÿ…Ýu¿û0Î_·÷§n¸>õã³@IIS¡å
0B}?)4ð“ìóßùöìä]ϧmÍ|—Ýý2žÌÉuf‹cHéwia3êêùçIRyïX”v*&äaëR¹r}"f>Kèbœ#òF¾¾R>ô•g*("¸AÄv%§U–ݹ°¾tðî—´"wXÈD	Kaë:¦Rô6½fFä’pìï8%/ÁB×lC«ÓùꉛAØ„‹ƒ™ÐȆpñ½ªWfÂDùtËÏÛƒ'qØV>“žÇëîä"9š#÷cõeŠÞ«øüt7–À“rELåÊ1<¯Z 
¡“gÌ^™7…fÖ¶†Î;xzÍ.—½°õ<µ@|˜¾÷º`ÜG¶ÁàÇ¡ÝQ‘ôÁö¥¿XmQ žh?ÝŠd„Zêà¸
w–_ã÷ëÛ“ÌWsƒÚHãØ´ðÕHPÎ#razoºÚ·¼§,ýÎ{=M¤LÅ;uD«&RVdz»Qò¿£Ài:ü:a‘Ѽr.<Ó!OÍÁãÏcL­ó*ó@ dbzâ2YÌóŒûäð<îº|¯t$âckÖvzÎÌfPW´ DSÄwÞqŸm¦DC\s+v¨Ò~b¥æg¢=R8+’(%ÖTúL茜m8ÀjñÕ|"Òr˜ü¯C1Ÿt)u+	ºakPâ&2?Ân6ˆ=Aù¹ä?úZ¨içiõêØÛfÄ·âw|šûÚѲiC©ÔŒ€}
-ogÓƒ1GC6E®Í]cdv®l}©µžÆÍE*û‚Xí
øVr,À8è–>7%×5/ÔQz 6@^î$Æ
-Ìkª¸â§hDlU¼v7X}ñÂúZ%fòb+†Î5ƒ;TÅHÿ$IÀÒR.X/+ùeÌö2¸Õ4•õ…6È(z¡ØîõÉìg,Í¢ÛäZ}~û JmÕg(±èe{u›"&Œ›Å?ci¸èàòÝþªxš»P1¡,›%7Ñ9¶£ÍCN„zD²O•EwŒöÐwAöº”\¼¥¶¥&†m—}É·åæ5FèHîñÁmÉæåwæµÃØ_ÁÆuIð*Š_7S§êö®B›¹æÑÜíä4žœ¹?B¸ivèÍÊ¢ûÙ‰Ð=ŠTgÜÍÎh QvUKœRŠ¡ÔÛ³=³·*ŸèÌ
»üÔÚÕ$dno(Î*ˆÍ¥e[­¨þ¶5ÐÛóÁ2¿±¹™eTFXôÑïŽj_â|§Ç9Ú ÆxŽüP$ßB^àâG:ƒÊÊòÎJ£Iÿ—¢baDѦËvwi¬†¹Ã¥Ë•4{ÓÖÓ/mJûW2S‡êrÚS–V¸&•ˆàúZ(^S'2×ä‹’L3:5¨V}JC9ÜÖË”2Jî(>9c·aïj<Ü(ÎQC…6Ç­ X)sSl„öϲژÑ߬n
-i¿5xÑ@>,Ïu> w?tiÓ¶0ûôIÏä#%(ù‰ö
-©«ˆ|LO†D¨Å÷¦gîÑå¼Þ8vÉC÷I~®O–ÙÍ>mŒáõÞ¢‰‘}‚
-^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô
~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
-Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
-‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
-oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿgÊßendstream
+ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î "/%úCˆæ?ßÔE)þÕÞIÕÝî/±ÿÑŠœ­ñÿ:üƒ!,lëð¤û{é˜Y8ìr21yÿªý†é¿Îr†Næní¿-32ý«ñÿñû¯“îÀˆÙÙÿ³+*N†6Æ×ëþq9;8üUõ_7þoÃÿóü¯EÝ€Fp«¿mx‚,Ò2Ój±r‡'Eµû{™À‡ƒíJTøUÛöø¦…ípU¼×Ó7Ns¶¹/Ú}ìKSŒöbZQô¤/óñ½I¨ú
+P7É;8hôJÓÏ4¢<¯e·!´ØÕv'•”õŠß¡¾Ow°8À\=Qù‘¸ø¡“>Ú!ù¥ÖÇbt¢4‚|«-<=#O<~z¤ê¹ìÛǣɉ…%ãq@$ô³ÏÁÐR«ð§‚JoBÀ»i¿ú$ÔèöÔË##Å%°–}U4Í_³i—}O‚LoàM”slݯüy=?É+”8Í5—ûµîL&æˆÅÛ„?Ø;kI8“	]O0üvMÙïæYk]MýÚ‡”»02£ÔYRïÚµOÆH7î\‰$ÒjçH桳,,c|/ͳ‰M|\ÔøÉ×Ñ;gYs&kœ«ëP›‰­HÚz‚qÒÄ^hØx#:0%;Øt­%?!IRt¦äÞáséÒG_æóÈùC¾*íž¡±D­³EvAõ)i´»¨
¹Ío)([ŒÔ‡+!Œ4Ž	óçBÖx¨ö×éÀQ†Û–Í·´Š“çALb¸Ù…B ß%5Vy>©•õ_CäåwÍO?Xjb¸ËRˆ¢kŠìßFÆW‘¦³Âxýùb1£ôB:^‘átlØèöÇóžˆ}† -ß´Ç-_†‘À=DMá¢y;3pîÜÇ£àí	•"¢œÍ‰pGÄ/çk~ú’DÎv}û
Î|è8|ÔpVx{DžØæÁù¬(™è“‹¿ònc‚"©jȦފòJøˆÚfœƒ¡J÷ôy¼5Œ³4©aÆGD‰–îQHA²;§Oý|ÍJÑs{+ø}Ÿ£ù-0 
<¦L¾F{@ºK4@Ê84;/ 
y¥)ߢ•èöp9ãÁuaÔqLä
z?‚Dô°°Tÿ	½ÒHt<êƒÑ`4×Úú
+'ëZ;/€Ü
–^dŸ”¹\
ô0:ŸæëFVEò‘¥0\^ƒŽ	å³Ý1wé¡•>Rh’`ÛêüÁT~Ø	QaZ­d®ý:<_µ\Lä…5®£¿ºyÃRxy^Ù@I?ÂÄ0ï–~ÿà·à
+U~-UÙ1`¿ôB}èÿ[à|ýÛ¢˜‘èþà éz]n¡·†ätœÍOîø
+é+¦ÞâwªÉ"=ÖšTÂb.Ê;9§D¿KBr•ZDIé°É¬/$h-5…œë¼_àï_æE݈P`„‰ÆA/Xâ\¥$jœPSj9ìùîåIt·¹özîk^Çqô„êò´GËhžÖ=ëxõ\Se”ãÒx!÷©8aYf«qy·BýÞHÜö˜ãfM¯ocþÊù
+eŸCN[hÀÌ"¯5sß¡¶s«ÒVÛBfžáœD(˜Ü¤胢&BˆóáÛ§Œ—=Ü9bª©s ß¨nZîÉÄõn^’¡ïg^í*ªüdïfº×D°>M*|™vži­}ç`1;s~ŸNÀê~m©Ó±‡„æ\£"écã9D^ŸÍ1ÿ˜,F»9ÿÙªø¥só=Ê>çR³¿N§EUÝ£¾ÊPäý60|õ‘³9&x¿«é:d=ˆ“ºª¯’!êö9šu96¯¬|öu½nX—n/:s€fHë¸ã~_±›PªƒÍ®Hò£}&Eåæ«ëO¸éT\“Ö¤ÍoMç9œÇ!©Góò	eLOÉuA¬¡#_Ôáhr/Щ6ßïÜ:´ëÕÍ©Ï®$V‘ILJÓ]Mèž	µÎⲇ 
@¾áÓË9äøÇZ›¨6ŠŽ¯7Ï©"Öħ1Ê™‚b½ZôL’ADe2EV]¼¤X*Aþ8€?¸AÝÈ‚ªºØHüéuyHã”Âs*þ¶¤ÐÏW8=IŠ0Å
+
œÉò;Fª¥)Ò—³ö­nEäûÆÀ%g5HF¢´`Æ÷‘1ÌBTï7íVcUðíÏsÔ5#LðÆ}Ì Ó]Ô^žNkHp<¨‹7äÛ!”a¿Ö9âì-OhGô¢µÍæ<¶ªKt VèLUjŽÒ:Ø€ íÚ²"A9ƒýL§@•­ÕÜjF×/áóæX±a¤“á…sy鞆v_Íï[3‰Ó ‰°^¡Ê-à¬ßŒ!œÙl7¨¦ÍÌÊdnS;Ó>„|d¹—.Ú¬fnßY“ã|ø5ýòbõ"éM¬¢øBÍØ-P_éÀ'´
+S4DB~Öõ‚iJìÞóex1tk/•m›ÙƒlÐÈÍ#ÿ}7©ñ´¸jL¤NB¬O+ϸWEõ{ç$3W¨† ·°‰ñ6Szuß²]wTé‰2åº
+r€Ð5™'­§øÌ·¶YPNøÌHý ú†C¦ÝÖïLS]Ý(…3¹p¬Ï–z«ôtNzTD¨7KŒ:®žh[µg¥Ñ¤ë­‰ ¿ø˜¹Ô¹¶âÂõA?Â}ûŽ>uÝ'9*Ë25ÄÜ£ýR¹'«3Ir¿'ãƒz‡&ù#uf9¯*¡ì@Œ÷OÑĬyáw‚ÀÙÚÞœ«‚ó—o
+s%Ú¸üf„ŸËcɣ穜>V†	x*sžlKÍ?–‰N£“í³Þ;TÙ6qoam~gfÞÃá¹b:èÅ `Âî ƒ3öæùfÛVÓT”75"úzEÒ²4Yj©sÊNõ Ñ?±Šèqu""¸RϹ·ÖÏð­f†¼ÀA'bϧð!KI4@·Ã‡u&“w]!&$ià}ߊ½£ƒimói×Y
+RÀCÔÂÙ—ð¤ü‡Ö†8ó1…œ)ÛC0H Éª­ÀP[¹@SÝ~w0æOÍ‘àÝÔ´#Þ%ì8MÖ™E
+t.Û½«½DŒ/vÄ”õf&|aªŠ«-÷­c†ƒY¨}ÇEWùn¾ß¬úvtÿtšúgÓ±ÇFé…ÁI{>2›Ðø‡¨ÏÂØ#7nPe…cÄ\k¾Boq_„t˜V/|å|ªeE2óFm<Þƒòc):¥¢@y'¿v4œ¸}!™RkÃKnpÁÿ"}ÏHj/Æ*.@¶B™¡áì8³h¨ûÂò0:z$X(q»®%ù9ÞÃX*´ŒEŸ|ÆB¬-$MXÜ/ƒ°I,Ø iÀ~™3Ó	&"sÐöb“–ZÁéÃÝog„F#º¡séc¡Êöïpð{Ž‡Lã³EÔ]¥™PÙu`Jvqíªi‘0ñ}ÅóEëg2!­Œ:¾~¤ÛS¶ïgãÞ¨e}èGóíÜ+¶býÂW¦âEñ%,ðÑ„U|έR†÷Ó¸	‚“7|Y0¦¡ÐŒ`c”h"ï¥]$¯ÙDøy–¢U”÷³*Ëö;•»°žˆž½X€Vºi<„#ÑÅÒ8ù³‰·5òNéK#Û”îËÏNï‘r®[nXôf$AO"Ý–¸SVµ¼7ê^Y´]VsBe÷´g¬KI^¹A5Çr &&# zK½q*Ø"¥¸ÅSäVOlMš­åV:ìH™/*go¾|¿Û^B´÷£sä™Í/‚¬¨+“`‡™Dì	žº,Âe…9:Cf!3M¯ˆNïxnÀ>9ë·ÞxCaSB$È7{Od¤Ôt †ðˆÍŠcÅø»,Y™B‹áºoÛâUûà¸Í—¢§²Â‡W½`¢ñ"•oû›‹¶»í‹èoœSªÛ>¢UÍAÃo+«îÅ
—6/¿es^“Y?±Py2C™‹-ÆŒEöÏ´óŸ{.Ô&fÓAÄVUþDØ×™
+´ÂØ÷þÞŒ4à…÷r
Å› ‚$Œ¾£Q`ƒ-`¬×ðÇŽMéˆüyÀœJØ
ò`’…hQý)*¡ $ˆY
+5Ëñò­Àóv3.]”T'‘™×_ìÎ"ÀT'8±ìƒJÕ2,ί„q;§oék9ãñÙ^¼è½þ#±ª‘l VgÈDÝ/tHõÿ¨ÀQ—Œï±<=fYM[=€7
µ¡éPÅ°¯qdt³a³´Ÿ¸®‰ViÉ}Í~‰r¨È
ºC`%ÐÔÖòü¤‘ ¨ä=ìíÈ€°ø‚x.«å_dÃñð,öͲôpù‚­NŸÛ®}§ˆTÎÒ¶iÒà_/á	z¡±íRÒ*Ø Æ 3ýrI›½Z }z+§ðEU-8¬¿¢u6ìú xõ+ðsFúÐÎ3à"Áw}EýlMÚv…U=Iö1ä³Ò±çŠ:lú¡‰àâåŸm•ôònG&±O4 ŽÇ³rŽÏõ¬ß’Š@Î%R¿~W Ø)Ø×\„Ý=VÎáܨVbkcà6æŒ#°ÅóŽùI4MœÑb¸ï=pû{níÒË%ˆfcY¨¬×¿þécaöyqÌÝ1¯Æ ì—n7
+4?äÀYÜéV“yö2RS¨àÆ`{š,#JiHÂâ-ý»€ëbú@ùðsºÄÙÙÇ5NJ;Îið’s7?†™YJÂ’F4TïËý´äb„RêK,k"z’t&¼pwÛkßò1^šDFO²ÌÂ>1Ñk3V¾îÈNŽD{¶æDJ™¼oæà”1•±ææ¯\ÒeÖ/žôG};;’%Ú¨A{½Eì–6¿nn†  ê¢Î,%*îp5¤=¾š£Íi
+Yت^éιAÈ•Ë5í
+Ñaµ+Ë“º±\‹0ïdÅ C´Ð²(Ó©Öצpy§’éÛ …oû x#z–ÓŽú­iÅ6„_´'Æõœ¦?óØ&¢6ºT&V@t½E­B:3ç|¡7›Ãù)èq‘ y#釪sfWZâH«abzTÆcóY!ë>=ä€Ë„—ö†ÅŒÎF1-Ùòò}\Ò|3GŠXi
+TpndØtº7ù)åç«sç/4ƒ8ôÃNE#.VØjÑ6sÇþ·Šª,o¿¢N(Þ-Ú›:ŽoLªḻ9ö8èš?&f¾>©¾*æËäIâ~‹zÅ}HôäX|]ˆ…–5Ö‰¤õö3›‰ø/(‰[ï ˜Vîb6ðÀ—ˆ¨ÔÆ¿<—ªîïáõÑc{R‡vº±£¹ôRåpõ«ý—T6xÍtd=úÈKgû% º`I)„ê6…xVdLñK±¯“þO{e§Ré÷ù+Poõ šZyßÝb*óë6§ï½$¬ôG u\>Ì~ó²=]ÞkÃOáGùÀâ¼’þ4SËÅuÖ¦Ç5´ŒšÈN›Q;|8x
+ï‹i’6RNbl¨°›
(¾/`Á%àÁ¶åæõ‹¹ÙpbO$s™Ø¶€ŒÑ¾ÖÛw@‘ÖD“Õ˜‚ÍN"­K &.MæÊj©úŶžÔì¿(`\5ÛZ µ2kyD„¬Î[ï*¦à"þFp›aÿ
Xf˜¸ÎTb»}-»
ÎáÎB%½8ê 
U‘6J‡(ê¢ØÀµ–…Fíªãʜ؂¯ÀX-ô£-Ýñø>‚q'«o"ty’ЄP.Hòöf;¦—囦
+èýJÇF@´ø¢umŒ¯Æ8|‚…$³(ßUH§k‹ÖÐÓà	÷¹eeÕmÖGJ•#ðœ¶k%ââ];$ÖJt ‡Ÿû?`ö„i¶Iq~?•°©Âá/üªÄÕÎk‰ÎX¬Êù˜³SÜÛ¶‚ÜHvòÅ¿¯ö—Slöèeî‹*bN¿ÿe¾¢\h¦µð®ŽRöã
+oçë÷¤¸Ñ^u¯LÇåô¼ë‘¡—–‰È/º¸ïr£ìu_
+¹ÊGÜ.×÷ÂÌ?áw…_«DP×vÀÊîúðMEi‰Í;èÌjêL¾ÓÍç¸×l£ÖJáðœ4ݘ$í$©QøRdàdzFaÆ
+±aÆ°ö¤ûÐq#Ê õ;–>ußЂÑȲ¨ûÜ
î(x­Ô>|»zsÇöMïÜÚ
¡<£²€*¬R¶nè«jt¤g6ö!;¢nÖDJ®Jí¯/i·2»K’HŽc1äÄ¢):ÙØ^Ãô¢šù…Íí>ŒôkÏ\@¡fËyñ6“é‘úGÔPÐ艋ª£5nôXþ8…ZvOçkŠV7ûüÒ6'wÊÅrÒVrô‘àÔóµOoü@	”Ç}žìÃ3_k¥Wn~—	q°ê€Â¡NmHN¢ö.U¿_¤dNß9h‰¼¤‹8
@Qpù7Y^©Æž7RØ‘{ǵºÒ´±Î—ÄA¦WM¹	³xûû’×*îÞ¡Þxö\(ž§/2Ÿ@\ꩉãù>#ÞÐFÕ³«
iøMŒ”™?E¥´bC3%ê5îæ{ÓeR„Z)o
UE4´oÆ :[qt˜O¹èðuÙÎJ’ÔàW-º¤–yÃ*¸Ü,ºqï7ô/fÁC¬F¤œslÂïJc–R‰¬È3†›…ˆ¸î*\ª‘nu”Íooˆ[í)0"Ï„äÜòR‚zƒi"ÖbhÖ“
ÀI8ŠeC’µ¦½`ò6¬¬ÙÈØ—Éýüv¼ÏvB¡¹†5ÃÌé—|5˜,óë··'{Ÿ$ÿ0ØvYR~=2·NDá…Ü…´²ðAC£´ïK‰	t¾ú¤ÅÊ´Uäfsä)_©ËŸ÷º1Ó—ÃU»»bî¯41Ê„kÄßF(Ä
+AQé}lߧ‚>œ'Øoy=Û“õÀ!»šp£vSO`MÚ
+ÂEdqðÏVŽ<[^/à•‚³mQB(ÉJ4åïPÓ%›ù5`¦—¼<áN]´ÍrªuÓD…8#¯U…ÑxšŒŸžþØë$@Ñrˆ ¥åpT_ç6þ3$$mýñmmòkŠÊƒ!7gN?¥÷Ó
+4“R¥VU»4¦^¡ËþõúB–üLJ#£·nγsl€tŸh‹P¢ÀB¯B¡1ÔÏ’‡’ÀmA8onTƒ¯üàŸœŸ™@©5Ý£	m>è|Ìãé$Œè8L¢äë×RõC™u´„î0a\*;­A°0‰ì…ÀÏ?'ê=¤†CcÕ×ÇógEw{ñ§X<¬Ö«Î§¢¯‘Ö/¬+±]éÐf¾ë{Î"²Â.`W_‡—ú¸R2´
¬	ÑßèûnȨ÷„W:È%¯Qý#?‡uÓÌá†8p¶ÄÖKê"“`t@º^õÛ“TºXÔ+©eÝy,NÄ™‰âJcì³¾ýóiówh²i©1K½à#<í‹6uƵ(E
+¬Ç¿Ñ¦‚¤E(#ÍËŽâ~qõ¥]ïãDí
+zúÎ}™‹KŠcw|¤ªïhu•ëôSˆÆ¡ÐãË­„[ö:Ò-DqnFå†üô’êP>Âz^ʧÁÒÀ”¬Ì»›~–[T¸4عâXïîif%ŽE„óN˜¸þÒ:Í“dõ¡#d©ðº+†ðŠÊoFš{ÈY_5¡»$ž…Sr25Õ¼îà>Ó ë°+a“^r8Æz5³w
³„­JÚ%uàÏŠŒ²¥oŸP,ã¦8(+{(š\‚J)æ}kŒné?op¡Œ®_@U<º°4Êßo‰ÔYÞ<ìaÁ ŸMˆ§õcDÏSÆ)ÃêNiñZMEèG5­:—ÜüÂ.Ì{á¥Åu[R½Q0È›®iÔú#ÅU·@„ñ`lˆ-gb”Ŭ\ÏŽXIP'°(Gý³»`š˜º„€B@BÖ&íOrÒKn°ÉŽ‡{ûgÕ.V­„Óá™ÔëuVO¹©’›¦ic{b¨þÈí‹5D«Í÷‘(L˜žkVADõ½mÕTŸÃb|kÊ"¯=^sfÉ̇ ø.Íþ¦úzƒD?¼fd¥òCRØÇ”½²c+‡ò¼}ÌÉ?	Ž²69>jí™e›W"àùï
+.^7=º6Š2#0Ÿ“8uGzƒ)?&¯~Ó&Î^ma€ÐÎÝØ”ÉUk‚Ï]ûl ’4Já–‘—ªÖã¾ß‚•è‹ˆzN“Uæ§z¡Ø„ðcÃÀ4¼âeºsÂiŽ˜›ÈÈu"ÂXÐ MòÂàwB²Iê­Ã>¬qø´d†É¼•§Ç.m"£ûˆëDÊ!‘‰oRêS´½)™FÚêaÜ.¹½<ÙBý2ƶðÞ+ôBƒÐ­¡+-Õ›3ãò¡5ŠÚR" :zïEñ>©-Óæ°Îg‰lL8y$º›³Þ%µÙJÏX9?ænµ‡äFóà–®Œæ4GÕ'‡“ç@µ-–ýp5i~Ìoãø†Ž…·r–½Ý¢_«
+)׆þ®ì¸}Ÿð‘„¨ÍŽà”ÿâMµ3ëîDþþF·X#›Vx„¥Šš9—ÅÁ¨¢S@§¾Õ§+Öf.;™•óÛtÆçÕÍ&…¸eýÁˆQ³ý
Qi†•hOr{jY%ÙJw¯ÂT„—lFt{¸ö81÷(Â¥…ô¶äÃÊòûb2ÒJ8cá”ˈÒbÁÀm¼J&­Z‚A
+Õ!R3|´î|ܽ$uà×­GY‚œ	æ{Âx¡  ~.œú&[qæfôð†hZ³O D_‰Ã`z™7ÊMìòMA•WsÕ [ž„væsÅÜ!ƒØ^ZÉ»‘wïFÞVeGò‚\l¹ÑS\Ÿeæ"þÌDnÚ‘15Nôz{ƒ¸Yów0[°	ukz?¡Þì%¥
+Ü0†Ç/OLj[É|Z«×Ûž<Òí°4ûº·Dɇvk5A´oã	ÌtAÔ”	
+çHBžO+Ú‚ÄîóÎ"«g,Ç}õS?3Ù³”“´§+Ôö·V¥+ÂÜÖ/'Ên³÷^ö/€Õ…Óÿ곕µ°€ùÙ?"0ÁAÉÃ\(à-ŸÍ¹À/¾7mù±y}ýÔm“ýmùkìµ4#±$ß”
+¢0ÓžœÇ‹·z´RÒCfwMÎ-‡Ý
’օʹºwvE:…n6OAÆR	.
½Ã Kæÿ>©´‹™Ü¾hiÓn#Ç*ëÈÎ^ª‹{n„œƒ|Q‹évÝ	5¼ã›ènB	uv%ò9{d|ÞQP>CöŽŠß$qˆÒÊšÙ8”Ç­š¥«­u#Õ¸)«Û×¼¡ëSœiQ¡zJõÏA*tµÓ¦¤§	3;Ûtès-|b~0~B-Z)ñBšª©*·?ƒæ–+[L’0o!ìÆ»UÕ‹B"Œ¾ªÏ5jdÝi·©dVéc]Ð[æa÷Ú(i³ ¿=ב;†L íu߆+YÙÔ¯jÒðoAs-á÷!Þ;ýÈž8íöêš«Î~Ã0À„
+Œè†²}­°[^­ÄÊ"+4´Ÿê°»Ç[èë+SˆR·sQª‰’ŠYHX¿™ïC6ñé|W$­µÈ¹ê1±£×Kì¸ËG4ÄÓ:£å9d8—f‘%¬-Uo—@~<Í‚¿<ÀÂ/OY„рƈŸ²7	9ÿFL!Ë·$À#Í‘»%#“ÂÏ®À!¼d^ûÉßì#r8ç7Ôs¹ùáÃ@óî¤D((§vL¼ñgà³wKKf8Õ–u±M„ ,GìÀ±„#†áÎ7n$\*Âä2Þ
Ví/@3*Û¯¦"üÔHÏÄ»Tm’k7ìècƒÀ¶oÝ…æpxVåÓ{'ŸÀVÏQ@Lv¥ày«§ ç-{†Õ#c¾Ùy·Gö=…lL˜ÀL[×nЩ2oY4êðÌûÖË•÷>BX^M4UÓvŒ„l0gz
+ó½ýÙÍËF£jkN°3½WäfÜÁ)8+í':º/¨%²+žG%$Åw·í=¾tÀÜ~ÆéÁúäi*¨ÐuÙ>lû2{†X’GVM"¹ï§¿äØÞóŠ-I¦./q*#Ú-ÍÌûS­n®Þ~¿5f58O&Ó=ƒSµ@·ŒVÓÃܧçOPkÓÿhÙ)&ÒªîÏWfzv,Þ6ì,Ïp¸êÉã7­‡ixÔÆ­SÆ;Øc¹}¤ÛUŸV¼ðœxç.»wQ~ßÓJ3CÙNcYB»Ñƒ¤3Æ›õ?­ÔæuÅXŽÝʇÌ®þÈ}‹b×"¼ô)ÿÆ;Ñ€¤ˆÍ
+Ú‚+m.'ª®ãæáLVò ÊacL-À³…KË+@±ù~àI mªÎw3$‰/pKx÷ÛNìvþBͽ2ÛÏA‹É]`Kmâd¹êuW‡¶oŠ\ˆ©/QÙî„„!'Ìqzî¿æÞ`rŒjéÒÍd‹ß”¥
+¹•úÑÅ0vñ>R0Þ{W8ý34®H‘ó£îH±±­
+—0oj+tóH*ßj<šÊ¡ÁYzdÍ¿f1hJãg<+ïa??Â…VMQ·IŠ´Ö`ÁÖK)²jâ‚·8óK×…
+t‚i]ÕܹQ7•¬¶">ø'2cq’ÅuE}sÀ£e9L&„MrÐ`yOCÀ´ó'{›HPO˜ÒoÅø8ì»n·Šš¹Î1è˜(]zš¦ÊÜ÷ŒDÈQ–Í’>¸iŒYñvÃ×LT%ù+0&—¢1BµUkæÞê«–Ì«l
+¶Û2g§yö$®ö*Îæøe"'WèÖ£“C
N1.-ÖsÛòQí5rJ÷ÛYAQ&¢V1R7Œ¾'NI,Ÿ*˜å~Ƶ”›~÷Úrò9!ˆcV†aCPµO;;PÝÌå³(t>ƒ¯ì~0Óâ&ý¥tdW)T?&ÔzISÆ—µ Ñéô9óóŒl|—T¶·ô¤+NÓÄn“4üÑ«#éÜ‘ñÑÄüÁÉ֕aã_.›+A¯@™øêSÈ3•'üp‡IøÐÌySzùO‡´æìÍ®¼Ck;ë2O3Ô‰áy/sT²—»ŸŸhŸúĈäomg…Zˆ­‰fº9ðþÒnjĹ.&i&ß7AŸÀ’\aö(±V­J¸ãnÔœm>	ØŸ) þêy…ñålkMO¸éX8VEdàŸs][»NÆoñ3F_4å`}†v,ïˆnd ‚ì’تLÚB+;1‹h²QÀú·î´¢f)²kß8OÒ#õ:‰É°*NøG0Úðž{Ï·¸Gâ3]ÒB]ÝãŸeõÊUút–Zä¡ÛQ*He'3u}š&ºaVÙ0nÂ_å·	Ø5J泧Þ;R~&ôc5Æ¥:3…/ïì&Ó¢.AðáÁÎƸÃÄžR¿nÈ€¦ã~E2Kâèš”¾³klÌM"÷mkòù¶Bˆ)™öøï¿¿ÓIF{/õð·לuù[Š“‹ÜhV¥<õ!1QÏG)9ì(Å¥
ÒtM ËëqÌõþ¸]%tƒP]¦ûtàÆ&Ks:!lg‡€†)®7ì,èøÔ:Åaäæá·ãäQùÔò=•ÃýnÙ,×À­¼kZ^IºgàÁô.uQ³÷},Œz“¸»•dA@{â^@±ÝƒžÅ&ýþ°Æ¹rVL*ç‹jïRf§ž¦|ú¦ØhwFjPÜ{tnãðž¸Â1LM‰ðg6þ>¬€ä¨è!³ßO’N·3PsÞvz¤' W›Bb×÷d•ª;ì;Ъ"j7Ž”‹98ô©å,³ÑÕ4ÛÕ-뀌éÂçË+[ã®fΠ´=5"ëO_Z§ÝQýJå÷#	;~Æ×:¦ùOuP2Ãþû9¿™Úã†ß°q¸D’!ˆñÛü"Np G“óTI¹Düˆmuáê°q¤boówH/Xâ¼¹vbh™‚79}Øži•0!5mù'p¸ªŒÍ-ÖЗXéçQdrîá•fè÷ëåÞ1ŸdÅ˛Σã…ê(?ÞOCüUd;â±ñ.&-	ÆÍ á©UÃ&ÄlÈQ¶œFWüÊîG˜ç;!:XV†à
Ž«¦g.šÆÌ" ƒâÝ`”Âp¼](G¦•|ªf?„ËÄŒjݬ~h2w|¶A™¿îÇ숚ˆ‘u	#S0g0XÌŠo	æ<
~°fC1å¹TËI€I¯v8ì{0®BôÂPœŽì>@;QÐÃ'‡³
†êÉ2$¢b(ŸÜ~¦rŽ}žjÈê	6G\æ«ëVáÃðšOD©h#Œir~7úsaóÊÀ?Ô³©§²ÆÍ9Õܯ»
+%*RŠ
8$	²Bí¦®ä[D¥ªÝ«ÔGÆ;üÑh<®^‰¨´ÑE—@$|ûÈ89O\2¾ãw3ÆRæò…iŠR)ÇäN(˜$	âBd ±ÈÔ: ¤cCœšÒÅãE…É<¬)2@5ø.½’ë"¼ë'óMÂÛçœÌ„8
+БQöw>}N·>¢Z[@ßHÀ—ÞäN—÷“$wŽp»X0õ•Äƒ<±´Áí¼sÎ*`<Ñú¶øAF‹/©=J^®üݯ‰TÿýŠCX	k¯”¢vÈ´ªøƒßnÔ«Ó¨ÉŽ:ÁCò®E~$œ-b™¶ëþto©ýB5÷ªF¶¬ïϾ¦´]çnÿ¾ãçz£û-&úiý½®€Q“²sxGûÑû¦I`¾|R$I‘õ\‹àX.áçëÑMdù	ØGË7DÐÁ`lÈÒák‡)*¢mÁˆŠ‰£ä¾цëmhQ8ð™’¦;¦eP‰Ñ£EçòÎïZ¶úAI
+¦£Ò턳`à*ùê™>÷)›td¾ñlË•]“î×=í
+9l¿»YªjËŠÍa™°Tt÷W.™”Õ>/žú„	VݪdspÏ#¸îú§+^üƺ§h¥ÔS-b©\LÔåg›llª¦¢,#Un¥`ÙD2ïÑw^´îWƒ…jžÚòHƒ,ߣ4i´Ø$ƒšš4œ¤c„\œÐ9˜n³žK=F™•S'a&È6cS4	EV×#ž°Nšy’ QN¦]ˆ‚{4)gáŠÈZó±ñëÛ¢¸$¶§”tÖ©ç<
K·fÐ2o„mê„‘iª:Ï”)Ðö¬×ø,m/@=ÉFËi‚tÖ²$Q."]å+&•²jjÄD™Þ}Û­n38e(Ö²õ²·™s,ÒõáÙĽëÃîñ¦Öà#”
+,
kÉ÷´éhÏ·.rLgâ×hž„—pZ??ÎË;@·aQÞ¦fÍ‘Á£˜ÁüÒ,_g+õÇDê–[ÖË`lƒÿmjC“½
µ‰¹ñ•«ßyÁÙUe°M	©P21=ÑAC6R²ãxÖ¢Ó»ÌiI˜µnþ¡twÙW|$Ø©Ýv;Œ4âcƒäy.,üôFÖm@Ë1›ÚÜÒS½V%¥
òN)®#ò÷~H}ç†/œ¶CDÞË>K†·Õ04y\·ç¤Í¨ƒÎ¬VD©?qúÉ´K¿¸!˜Ù6t’m3ã˜B.
+ÂJY†Z†ûš|ý4-¼©‡ôÄÖ/äNø&vL‰¸y)û÷oæéÆ¡s¨Fâ²JJ–à!`²K-TîÍ$\\8fÇ®Ÿ™ºˆ¤]z‹9L9‘Ïÿö4ÆðÞ/Tþ&š¥ëÕŽÛîäHŒ7ýø1ô°’ë{ÇnŽrbÍ¤à„©7ëã!ÀÎ|#^ìñ›C§.Öçì1Ê"‰	>B÷‹=^Õäìb—bu/ÙÒXÄ‚™Oå§kY‚O)™:&Bç|i¿ôÚ¸rŽ:7q.8VJG±Ú–=
+¼œggÍMÛR9éà½Ù»T¿Ø6žft»@ã.‡±v¸g8ËÃ7ÖÇËñˆùƒs‡@JE¢ ÌL‡²¾ì§£é-ø?ÝÉ8݇uÊ I·ï*"3 Ò÷ËVA¬¢Õ-
¡Z"ÞÆmU{/)tŽÎ›ð?KŸä~_†ÜÙšÖ¶lâ’¡n˲aþq+—ôú¨¤ë1æo/+žQTËq&ÕHdn„Ô¾u
˜Ñ­-ëMåÇ‘sÿÉÅ™[tœ¼¨øµŸÀÄíÞ®ßPx|òúËüá‘æ/¨-epsƒÛ;ʽQÊeŽÍYszgÏLf²Ê%—â
+‡3¾•þ4¡´°Ç4s©Ó(œ#qp6ßïȈLÞè¹xÌ9ÿ*Ͻ-+\NÆ"ìÊלý4±ëè“B»5ýû/VQO‰Aüp
ÈÄ@ˆtö·­ã*EÕV0µ¬7Vn¸¨bÍ[u?¹CöuJ4,Òk|_Ë­|Ïë2•`k”äÅhÅEdÔ<üÉgÁÛ{Ôrä5ø‹›o{Ÿ¬cy¯£ÓJ¥Ò/âðÉÞ28Ê8®9!úzÕP“¤¨x÷6`1©ÖÝ`¯îOzó€Xú8jvƒXq¢™°£»kÌí²¶¡‰2D¾ß•‰”uaôBAwõúà‰¿
+€ÞŸ|æ`xFÎärãiwÍBÄt·Ñ9”kE‡-ñL¡•´]^`ƒ|ðv?B@ÕÚ,eç¼oì.9‚¿‡ú‚8ÛƒïûÝ
+2h°Ø‹­ˆÓçBJ6
	rD÷ öy@hÓ©A˜orÉbo»­]hdçb;é^ûxw^c»{$¯öw÷ª(:©]Bæ?0B¨Zt=qsŽ»_ý¾$UÎö×ÐíT!
vMIöM»ªéKk¦øy"Óî“hŸQ¨¿tHg½Å#v³Ë¢¹(^Ë×"F¸CáßÚï~µÍO[ŸåÇ•ÖZ²Æ~!íg‚dö¯hÙ¿¿«ðÉ×_j¼ºÞÑñ¯EAåƒß€MŽ›_ô?¸M¼½Ñ¹t~ŒÜ+ìSVáu¤T…r©¡l®¥Uƒ0P;Þ‡™OØ~uLáÑwöÞ5gL›É+Êj/1ˆwv_›Æª¥µ[þ±žœh…{eóåa"ë‡u™rÔc§®–㶭=üdxí†ã%û¡AUì÷È+×¼Ô4ÞΔEÞ°•ÏØ„ç“ø¡´ûèâPz?¢†Ú mê"ìvbîdU‘Ö¾”ñzñj3¹¢¸j&ÁÄ~¶§‹»‘LͱZ
+É5w½‚'☺²¡tg‚ÉGѺÐäQ`Æ9vÉlpúÿÖ§ÿ¢^ʆÁ.¸7%Ò` ã±¬Fœ}a<õŽÞµªž2Ȇ´h¶”RÒ`k‰ÉÓUúÞê¤/˜÷¢ú¹«É«¿ð\”)$q‘1)Ûÿ~3w¿,ᶉ:—ŠùÒ¬®ÊÊ€W6	Ù ƒé‡~ÕiЩ`’××»žÉv ˜rGK/ÊBˆTJRÌZ[¡}ÙAöˆóÛ¡Ýå熫"ø`™Þ[þö‘±U1²ѵÀÈyþ¸ëhBØ…ÏÃÌQ)¼é‰e‹@Ÿª"´±³ÿ2ŸJÙÒe5>	9UV„jTÔ׳4ašG}„Ç᧜5ÅHgQz>ÜØÕ"oÍ£i:,®Zƒ…[ªŸo[¿¢!cÝÛ)èu3oÁÜKÄÏ6W
Þ¯"Ó 
”ÚðUAtE©

¿#Ibz£±'»PæÜä
+	!˜s¥8cs;ªÄj­ÌÜfºô#·Ãÿg:‘s2$Œ©ˆ×6'?^1„4=Wk¯^éßÈsê&Ù¸e;ìðìÐégªA¬½Ù¢vXþ]ïz¿Y¬ÍrôÞ=
+Þ?”XÉÙTVà†Q¢›‚3=A(ÊŒ®?Ît??xnkà1›Ô›ÔÚäŸA`ã×0滬²tôŠ¡Œ»*!ÂFë¾ÈÕÁ(»L lô-eFf×Å
+§,Éù¾Nª„8’sŽ±©U WSi—³¶,keõ%ï"‚×cQ:Á`c„†3p›	Ò£ïטvv„_Y†)„A(@n`'7)$P²tJíòkÓp?
¨OÝï°¸>ózäö	o"DXÓº3Êlª‘ûÁ†êÙKß±6ÎÀš9ŒÌ9‘寧«Ÿ#Áâw©üljœ]rlXÀfñêjéÙÖ	ˆ¹œqwLLCÖŽ¯ËAŒÍƒ•è­0|¦·Ý¢fZ/Ç
+qH	{ÃŽÆ¡I<Ü“QvÏÍ‚TD†¶ßûu|s˜ÙöoÜœ¼ •ÁáÊË—1™­.·óüe|î÷œzzEݳÝ
U1d•1°Æ½™Ä<‚Ǩ‹Ç/œapbÑþ?íÌ÷?à3ÎÙdds_ël_ûÎÞ;33gwÈæì’³ÇÙ„ì2Î(ópvÄÙ+
+eËè2R¼ÄûÛûyŸ?à	·Cžtж‰ä€¢rªØt°W¨ÂÃ^Ã>\\hŠþ…¸­£éÝÓùÞ©e‚&
+ŒÙí?ÄSËÜ·7¦Mwv½	r#aCp	ÑÁ¤»Ê«Z²â™×?åYó›j‚foM¤Ž¾ïhWò÷%Ñq.4ƒ5ÍÞóŒ®:žªFï€uI|Òxóstóår}¤‘(º…íOëËD›ïö0C³Xò™Ï­mtý#¿#/OÙÉU5ƒ|¦ðžË%åOŸ8+‡!ðÕÈïÆÄ»Þpi¯ÏÊ*ÓK(’èÛ¾½ÙR„n9 ½i3Í“~i/]L‰ÙA•+®ƒ¬-ãÐúˆ¿”X£Ôëë"M3µ°hónf;ñˆYþÒ$qW½ÒG_¹jcR2š×»‹7¨Š}r¼áègJ?%Lë9bBú<–ŽÌ&f·´È’Mµ½>ºç|lÙQs-
+Ï7û1'»öoσAü¬¸²a«Í¡K-é¢äþ{." xÊDïùÐæI~˹G=Ö±?‚§>Èyüñ°“NÐ%îIß×µ¿è4É^)Oïä¥ç¾®ÁÉ’F°³¥1ŽžzÓ€SÚóJîi¸g_
~`ñ›1E!ûŽ±Ö]Óhcotí¿AàçUpö„ß*&"-š{~gò&ú{
…rO]ÉOœ…È”[‰„î£-•;J×VAЊü$JJX&Ê×"é 5
+¼ØñÆV¼_±  ’™c€AÆ
+€~g´¦™L#ZeöܬðrFVU
+¨ì¿öžÓpÇ£†äH¶Õ2Señϵt(å¶õOÖt†Ò[	\„¢73}ñƒça-ø{û9…Ô8‚Ãõa8K<ªä-™£UÍZˆjzìɲ¦Omuã–‹
+|BÖÝB|kæZÄ@ºÛt7B5úÿü¥/Òµ׃1šòò‚Æû±®¸—ÜQZÖ¿S^©Àþz?§â7*¬UÌ‘Ž´Á9a¸|ø2DyúQZg‰?D[á4m|‚B–*õ¹÷kîìDRºÚ0„¾ýç–É­wó~ýØÒPÇü>?
+»ë~÷aœ¿nïOÝp}ê#Æ)f’’¦„?BË`„ú~R(hà'Ùç¾óì
ØÉ»žOÛšù.»ûe<™“1êÌÇÒïÒÂfÔÕóÏ“¤òÞ!°(íTLÈÃÖ¥råúDÌ|–ÐÅ8Gä|}¥|è+ÏTPDpƒˆíJN5ª,»sa}èàÝ!/ÿhEî:±‰–ÂÖuL¥èmzÍŒÈ%áØß+pJ^‚…®Ù†V§óÕ7ƒ°	3¡‘
áâ9zU¯Ì…‰ò;é–Ÿ·(Nâ°­|&=×ÝÉEr4GîÇ4ê˽/Vñùén:,'劘ʕc(x^µ@$ÛL‰†¸æVìP¤ýÄJÍÏD{¤>pV$QJ¬©ô=˜Ð9Úp€Õâ«ùD¤å0ù_‡b>éRêVtÃÖ ÄMd~„Ýl{‚òsÉÞ!5õµPÓÎ!ÓêÕ±·ÍˆoÅï$ø4÷µ£e!Ó†R©û,ÞΦbŽ†lŠ\›»ÆÈì\Ùú$Rk=›‹Tö°
+Úð­,6äX€qÐ-}nJ®k^¨£ô@l€¼ÜI>Œ˜×TqÅOшتxín°úâ…õµ4JÌäÅVkw¨Š‘þI’€¥¤\°^0Vò˘íep«%"h*
êmQôB±Ýë“ÙÏXšEÿ¶Éµú0üöA•ÚªÏPbÑËöê6EL7‹:Æ6ÒpÑÁå»ý%Tñ4w bBY6Kn8¢slG›‡œ	.ôˆdŸ*‹îí¡ï8‚ìu)+¸"xJmKMÛ /û’oË3ÌkŒÐ‘ÜãƒÛ’ÍËïÌk‡;/°¿‚ë’àU¿n¦NÔí]…6sÍ£¹ÛÉi<9s„pÓ4ìЛ•E÷³¡{¨Î¸›Ñ(@£ìª–8¥C©·g{foU>Ñ™vù¨µ«IÈÜÞPœU›K)ʶZQýmk ·çƒe~cs3˨Œ°2è£ßÕ ¾ÄùNs´Añ,ù¡H¾…¼ÀÅt••å;:
+œ•F“þ/Eň¢M—íîÒX
=r‡K—+hö¦­y¢–éx>39+¥¸®¯k"½…Çl÷ÀJí„MÚÜ8ÁYËÜ&F¶”´Ñnýó'¶±_t¯…´²ÅÕÛ¥ ¼”žŸö8Gojü=ã6ÀçÞ}IP†C?äy¹l÷×MÜ8ºSJ§Y´%$<-ãw¼S9ðJU&tŽÞ[™#ÅÀ½5‘µc§O&QNðoMÂM/	…Ìþæ2¼`ÕE”n¼]QàѨPØÅA9TM;x¸á•3O‰­X»ãÞä»ÎúF_s„"oêoì9‘ö-Z%×/ÌÓÀ¨LÒ¬ŽÇçDrU‡¿¶Ï­š6ÞxÓÂï¯Å÷†½®w~¿Î~ÁX0nïýe´Ý&¤„’Wm»Š)Ôšë2ÒÄ`ÇŸ­B¢ž}dMÞ xì)㟂ñU‘dIÂçÍÊ>`O‹5ö7ÕKõ 5ñŽ£ÓÔ‹Á}äIZ-™óDZ´[ŠkA,è3úI—ãq­«E2·:±AÚJÇ‚p9lrEèp¢V —2JÙçï£)m×·ÇѾ&\!H !Wuy§|õ
¸ýkI±3ÓËôìünŠÐŠµ¼J§UÇ‘º;Ë÷Û\»#QÆ>‰E¼ßå
îÜôÕ7;w“«)½VM.òHfÜ7$fÒzVÒþ
®:ëÍ©Û"Ä%yF#u»¶b1:î£Î¦Ð¦ºwI§âtß±.bïö:Áô|š·!/ä‘×…lEŒ];\PâéƒÀJ-†ùfï\gX?ÚÝbÊâ¼q#°È™JZcvr›”)\MUŠÿ½žØ«R#óÞ*{OÙ¥òó£SØÊ3«uS¥Ò+¦Ë?:ô$±ó4£º‹Õ±™o	°Î³d
q‰ÿ|¡âWV¬I¾ßxo¦Ì=ˆ4Šž%,²——Tí–]x-«GU}¡:¼@šëäãÕô´:+VfÀiIÆx†‡Ë2Ë–„\ü_¢øð?¸ùº»Áý\}(þê…Þÿendstream
 endobj
-959 0 obj <<
+969 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 2238 0 R
-/BaseFont /KAUVIL+NimbusMonL-Regu
-/FontDescriptor 957 0 R
+/Widths 2251 0 R
+/BaseFont /SNIDXA+NimbusMonL-Regu
+/FontDescriptor 967 0 R
 >> endobj
-957 0 obj <<
+967 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /KAUVIL+NimbusMonL-Regu
+/FontName /SNIDXA+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
 /FontBBox [-12 -237 650 811]
 /Flags 4
 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 958 0 R
+/FontFile 968 0 R
 >> endobj
-2238 0 obj
+2251 0 obj
 [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-916 0 obj <<
+926 0 obj <<
 /Length1 1620
 /Length2 20127
 /Length3 532
@@ -10816,7 +10911,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&5yu9ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&IUEeU9ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
 šþô­¯œtGLz¥ÈéQž7K²;P?8˜Õö¦””õJ>`ˆg:Yánžiü(\
 ü°¾<Ù£ø§6Äbw¡5aÔž_|M<}~¢î½…î?$¤Ë‰…§äuBþéçC(øC­B¼ªùÕi{Ju¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶VBjä+s^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©š}¾ŽÈïqM gÀÁõ@‰Î
@@ -10890,35 +10985,35 @@ K
 p÷†ÓºùáXk)iÇÝKqkùÈüÙ²ú´{Ô°!¢1µçsßÚ3‘à
æý“B òÐ2t¦£ƒ% ]–Aþu²"ÉÜß2åº.Ó
“ñx•s,õ)®k¾óÒ>hœýbyZÃ÷-ý$ËbÇ;¨´²*	#Œ6^ÿ´Œ‹Ä*jj¾}5™üÊ­tÿg ›­ûá=)ìGõ™;RVÛÚ½wV*îM\ˆšhßn`ÇPÙºzÇ'I~©VŽ;&븙i—wâc3:™S‹åa¥40ÏZ:	Moè¥Ø~ƒÐ#YcÑV„³IF^¸Övú¾&ÕÍBoªzôåÒ½¢šºˆ<è@ÕŽ!ÄVo£Cé·³s~íAãŸ)4°jsY™ÖÑÁ¤¤Òøɉ
cxg4Hc=‰‚­|(—æ3§‘»Ñô¯ðÑqr1¥~tÓ™²süçŸVý;Ë}I†õ„=*š½Â!³ ®8¸²ù	¢Ÿ{J½ÅhJ$‘¹Í2ÕtKcÇZ=P¶)»ûøÔÂwË,û«øƒˆcÌm#ãdxÐu!^	Ú9ûi7ŸÙJcÔŒ]+µ
jÆ»Ò_€[hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž×?3Ì›QOl
 s¹xŽ5WË–§zGϺß?ÁyËÇDóÛ8Þ6<,óyÊœ³%ɾŠaîjôër¤ôç ³L.¸!åeÖ&A—¯y!qíµ¸`Û®8&ƒûCá°ˆ×P·KÄMZQƒñˆR“!»V¸x3ËßÀÃ'£l{…x|#”ÄÒ,ò9r&tã|¼a¥ïéæ3sawÄø²Ã××ÿuåÝ™×Ãùv¦&R®É;Ƴo©5$rÇâ¯%ì»iÕav·4ËEìØÔ;E6'µ…¹ïh;ž7\oqkÙñ*¯u¾+ÍNcýàÿOÃõÿû‚ÿ
-¹ƒ%ÔÕÝÙêjýnÂâendstream
+¹ƒ%ÔÕÝÙêjýª	âendstream
 endobj
-917 0 obj <<
+927 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2239 0 R
-/BaseFont /UONVBM+URWPalladioL-Ital
-/FontDescriptor 915 0 R
+/Widths 2252 0 R
+/BaseFont /GTPRTM+URWPalladioL-Ital
+/FontDescriptor 925 0 R
 >> endobj
-915 0 obj <<
+925 0 obj <<
 /Ascent 722
 /CapHeight 693
 /Descent -261
-/FontName /UONVBM+URWPalladioL-Ital
+/FontName /GTPRTM+URWPalladioL-Ital
 /ItalicAngle -9.5
 /StemV 78
 /XHeight 482
 /FontBBox [-170 -305 1010 941]
 /Flags 4
 /CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 916 0 R
+/FontFile 926 0 R
 >> endobj
-2239 0 obj
+2252 0 obj
 [528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
 endobj
-818 0 obj <<
+826 0 obj <<
 /Length1 1630
 /Length2 15892
 /Length3 532
@@ -10929,7 +11024,7 @@ stream
 xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸yZ@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
  ùËAKOÏð_–\¦^ÿütYÚ¨þ>¸mí€ö®)þŸÕ€@€«`²Ä””ud¥4RŠ) =ÐÙÄ ìfj2ȃ̀ö.@Z€…ƒ3Àö߀™ƒ½9蟭¹0ýåq˜\f ¿a@O3 ã?Àèlrqùû¹,Mì]ÿöÀÕ²7³u3ÿ§€¿v‡äèìð×Ãî/ö—LÙÁÅÕÅÌäè
 ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.W §ë?¹Ls‹£­‰×ßÜÉAÿ*ÃÍdoù_0œ–&Îæ¶@—¿4¹ÿéÎíð¿íÞÄÑÑÖë_ÑÿòúÏ@®.@[&V¶¿9Í\ÿæ¶Ù#0ÿ3*2öV–ÛÍÝÿs:ÿ«A4ÿÌíß"LÌìm½æ@fE׿)4ÿo*3ýωü? ñÿˆÀÿ#òþÿ÷¿kô¿âÿ¿çù¿SKºÙÚ*šØÿø; øç’±ÿ?¼Mì@¶^ÿ7ÿÿî©üw‘ÿWW“¿­±·ü+ãW&–¯ÿ@.’ O ¹2ÈÕÌ
-`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYJFMKJ‡þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
+`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYB\EW^™þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
 ™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖµ?ªª…¹{G.ž'Þ½µ$5õü^oDÌÒ’j8Á¬R/ë‰yÝ࣑<Ì`½^
 úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
 ¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
@@ -10991,35 +11086,35 @@ MI
 ¿n$rÝ	XðD˜t
ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
 c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
 cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë …x;³°çlqf—š
“d79˜R€2õ¨)iµ†–Gö»€ê&‚—ÜÞ¨CšùŸeVò]ÏÓ~„ð¡T}îY¸dë`XÕìéÎ<òeJË»1ÒXê¤QáÀ#÷gX¹;«ÜÉà{}¤*½lÈ»€~.ž©kÜõVÅÇ®þÒ€§ú‘7ã$o—#€àkص<Éâ{
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,ÊæL5fªendstream
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,ÊæÀ×f endstream
 endobj
-819 0 obj <<
+827 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 40
 /LastChar 90
-/Widths 2240 0 R
-/BaseFont /GISWGY+URWPalladioL-Roma-Slant_167
-/FontDescriptor 817 0 R
+/Widths 2253 0 R
+/BaseFont /EDQZLP+URWPalladioL-Roma-Slant_167
+/FontDescriptor 825 0 R
 >> endobj
-817 0 obj <<
+825 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /GISWGY+URWPalladioL-Roma-Slant_167
+/FontName /EDQZLP+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
 /FontBBox [-166 -283 1021 943]
 /Flags 4
 /CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 818 0 R
+/FontFile 826 0 R
 >> endobj
-2240 0 obj
+2253 0 obj
 [333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
-756 0 obj <<
+764 0 obj <<
 /Length1 862
 /Length2 1251
 /Length3 532
@@ -11028,50 +11123,47 @@ endobj
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2@	Š,’–;"R’		$˜$ \(PÁ Bå"Pi¥´^€ÊÅ`EÁS#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3Ïûó™yxXH0ì„DÒGWïC ‰dœ‰‰#
-C"."؉`ÚÚ‚€ƒ8©Ù†F!Ó¨68À	B¹!`æøÉ’ÈpàÃ(—		WHÄùX&ļ&EðZZ!¼`!ŒFÂ,"—)‚á®GZrÄ°Àff‰ÃßR‘0*ÄLf˜ÉOÌ"ð¢ÌÆ‘Ül/sòß0µº¹“˜ÇsƒøKí—Súñ¹¼¨7
-„.Á(àŠ°`T°Zꯘs…Y\15ËA<.ÓAƒhE$[RW®Ð‰+Y\“°!ž^Æakµ,¾e#$Ogo'‹7s]&= ®@t *ÈïÔË5ø®ÆRB¹ €L$“ALˆ½o¿Wmö™€‰°¸‚€Bµ …¢pØ	Â**\–°sL"
-¶À¢‰ØŠ[+h	˜\”Ƀ™KS-±+ c™Ã‚ÈC!&̃Ù†-ßÀ+C‡[c8„¾°0€&äABÎ2ü×àètDC Ø[kìG@а±¡Æþ›)FQX Z>›Xüok6K`&®¯aÚ%‡æפTÆ}vîö÷4^´W©úÔ[üêâ
-¸¬XoêYO£QÙX‰âÊq>L®û9Óî¤6zY/Ó-ãË™RíWÒ‹+ü²¨ÍÄ^o|TRºtÝ+Ó1†,âà©Â¯ú´fôá™ovìì›Ùß®u–¥¤ûŸkšêÑÜlîuÂÜx«MßyõÁ÷·à£wmŸª‹Ï¿¾›9yëžÃ/tJ7•³í5ƒg ¹G¸@v¤\ná9êÐzW©8ªËZØèžÑ yb˜fœjò¬Í»B2›§óûÍpuü´ñÌ’Ù¯Ü5p͆ôkƒ·eÉפ¬„ýM†.í-9/·¶[¸I?
-!Y®¹8Z§×úÈççj0õµR}kyÜó
-(¬°6Ïpß“èˆïvÏûà3c‰_Ôœ:ô´¬A¦ÙÓ jï¹Ûç˜õ¢HíS-â*¾2'­ã'áG&¬:{nï/{˜ÀOKïÛ¯<kq™îÓ+µÌÖ‘¡c×Â)ÆÒnÓ/¾d¬­X/,5Û",½˜0žD8
-Vßèêï+'2çÆ1¦é:y!Wa9Á¶Ú¼e³´^§·öŒTÖ¯e¨> ÈŽÖ‘I«DA\öi͹¬ŒL@7O¿/Ôâ·ä'º>S©úŸW>-GÎìß–8î«Jao{14i1-œðÖ¤]ì.óKÕ7‚/6Ú[ͪ;TœÙ¨dÈ‘ÜŽt¿º9E)9œèé´³¿¿ˆúcê»ÍÅ¡„ċ'Õ›Î9³ñ£®z'Ê9Ïîõv5å†FÄ>Û	›äÞÐHœ=*MîP¬{‚¿aÔåï|ŸbŸ}$bÜÈCMÛ½BzÙN31‘¯â¸l£,fõ„M†åþ³J>#h3 ~ì‘	®ëÛ¾kßÔ‡š—
-½FOîúQE1·}[{€t¦ÆgË묃Ï:éºy…ýC{ÎOõ2"áȈê˜Ò]Ú/»„{¿ Iò=ÿ¿
—MEl,¸zSvUFt"´M¶
Ü,¶¦Ê>˜R\«º>.n¼ag*%)nQ|Og³Êò}/ü rb^Vš=ªnnê­_H
.†CwåÕÓPöS§‰J»©ª²Ú§ÞοÆSEìÏ9IzÔó\­¾MbPîK¯Nž)Õh{½Ý#»cØ}HG:oaN§Ô¬;·€tÛ½ú»ö±çÏÿ.±mÝ0á+OŠ±Õò
-irÄ™¨õä§;-{_q
-žS‹I•ÓñIî)×(U§Âi÷d•ãÄú¢ôó¿ºí)R¤¦,Dn+¾ÖT¹ç`>£Å»õͱMsÍ/“Ì”ßdU{¯5,é_,­è;FJT…ƒD;Ë]#t	c4æä§Å‰ƒóÝâÜƼÄ\7ÙåhrÖã2¤Ä¯ÍJ«_ÒsIس	Ž6h¯m¼ý÷4û£ÝfïÜ…ÓŠ¤ã.Ê51êýzÚwºœÊÇ´ÛëX{[oÙ‡;\ÕóÚÕZ”ú7‚ßüõY«MIˆQnFàDOáN]ý
9ûIl^>¼yÿ˜ú`n»çõÄtÍ¡ ù0ƒ/sÎ臯£(GÖGŒýÜߪ«¬¯?rª«;Å7ÎÅx¾C’zZ1½ywGáøž÷GŒýŸÓ]N«
ÌË4Ö&Wı:C¬ÐøCâÞØ/µ>)§p}P_^%û=-òøàþßà¢vuC¨áChî_
-¡þvendstream
+æ2@	Š&X4-wDP¤2$H20I0@¹,P ‚A…ÊE ÒJi½”‹ÁŠ‚§F„‚Ü4
+& X¹ê
+ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñð&ÐÙHìŒÅÒ'Wïƒ ‰dœ™™
+Cb"܉aÚÛƒ]€T€lG£iT;œà„„E¢¼`®°púdQdÐ0ÊcABÀsaÖƒño„ŃőD€Îç^‹+D€,‚јMÄ Àæ±Ä@ÌâH‹Ž˜BØ-ÃlIØ[*FE˜)À3ù	€Yd#B~$À†98’‚ícNþ¦V6w–ðùn`±ýRJá!ùFÂ$b\6Œ
+WJ}áes®0›'¬d™bˆÏcÑ…Á| €6D²5u™à‰œyR˜íÁ³¸â‹à%²WZÁâ[2BrÝïãCwµz3×%Òâ	Åû#Ã`€üN½Tƒïj,%”'üÉD2Ä„Øûö+`ÅfŸ	Y›'(T[BQ(‡ ¬¢Ñ À²a)K1Ç$¢cK,š€ƒ ¸Å±‚Ö‰ÅCY|˜µ85ñ"»LPR–9ü'ˆLÁ0bÁ|˜ógØú
¼<ôw¸-†Cè;ËX¡">$â.Á
ŽÁ@¤ÑŠ=@°·Å~m;;jÌ¿	Y……⥳‰Åÿ¶æð°‘Á°fáz»–CRH^urEìgçnÿIëE[¥ºW³Ù¯66ŸÇŽñ¦žõ4	—Ž+¯—ãCúŸ³Nꢗ
2ÜÒ¿œ.ѽp%­¨Ü/+žÚDìñÆG&¦ÉÖ¼²2eÊÃœ*øZiHkBžùfÛöÞémqm:gÙ*Æ¡ssƒÝÚ-½NXšn¶ë=¯9ðþ&|äÀãέ“µqy×w²&nÝsazàEÎiæ
+Ž£vÐ44ûÀ‰P(¬/‡Bjr÷<‰
+ÿ®~çœ>#†øEõ©ƒOKëåÚÝõz î®»½N™/
+µÜ:4Ò(®’+³²Zîñ1~xܦ£ûöÞÒ‡ñ‚÷t¾ýÊ3 —á9¿ÒÈh¦r—õÉ/áÞÏo”~/øãoC¥“áëó¯Þ”_•	­­ý7‹l©Š£&•×*¯In8˜ËHÊ[Ÿ„ÓYlÿÒ<ß?¨Ý#Y—Uªš{êæSEaÐ]EÕÇ´y”óÔy¼Âa²²ÔŸö©÷¾_ã¨bÎ	úó_N’^'v?רk••ù2ªR¦¦K´Z_oõÈjrÔ“ÍYY2(Õk$ûš	@šýî~Ã{8sç—Ú·¬÷U$FÛëx7:á,?ÔyòÓæݯ¸ùOiD§È‡‹øÄuþ÷T«TêSFa´{ò€Š1b]aÚù_Ýv*S’ç#¶ä]k¬Øu ÙìÝòÀî؆٦—‰ªo2«Ý;Îe£º­µìÝ-·FC†èWµ$Aü6ÍŸd‡š@Â!ß¼tÍ›
‰ˆINzÀxwÁv}ÃuÙF{I¾?>¬iÿ˜ú`v«ç íøT6žßt˜)P<Ž>gòÃ×QGT#þkÃGîkÑWÕÕ9ÕÙ•ìëb:×.M9­œÚ¸³½›p|W¶û#找Ï.§5úçäZ«“ÊcÙ!õ6hÜAIOL¶—F¯Œ[°6°7·‚óžù?|pÿoð?Ñ»º!TŒ 4÷/Çfþnendstream
 endobj
-757 0 obj <<
+765 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2241 0 R
+/Encoding 2254 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 2242 0 R
-/BaseFont /QHSFUZ+CMSY10
-/FontDescriptor 755 0 R
+/Widths 2255 0 R
+/BaseFont /MTUUAM+CMSY10
+/FontDescriptor 763 0 R
 >> endobj
-755 0 obj <<
+763 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /QHSFUZ+CMSY10
+/FontName /MTUUAM+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
 /FontBBox [-29 -960 1116 775]
 /Flags 4
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 756 0 R
+/FontFile 764 0 R
 >> endobj
-2242 0 obj
+2255 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-2241 0 obj <<
+2254 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
-753 0 obj <<
+761 0 obj <<
 /Length1 1616
 /Length2 25334
 /Length3 532
@@ -11079,7 +11171,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNTLYTQ†êŸ©ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
+xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNSDEL@”꟩ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
 üPˆŸìá|ŒRbQ»š€ê
 ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
 Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ™C	½‰h1R^iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†ÅÄ ö¶‘ÛMüc,‚¨×]EI[™Y…	¸îˆ0^ÆMÏm}™×Ë 3ž@óɪ0öGƺ°>KÛyE‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c
³öB8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å+åýdä„P9Œ,U•äD¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W	WâãÆ[.¸N5ÈõëZS†
@@ -11173,35 +11265,35 @@ A
 ­u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn
ÐÅ—6¹s²R¯aÆ‹úr×€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ
(N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_¢£J¾:¤ íéJ$<ÂBÿˆSUÅöìMø›Yr¤˜¾ÃÈ×`Qíå?›Ù±VƒÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F¸¯xÀÁ¦ÿàB*·ÛvªR&¤N<•ê`¢µ+çN¼é¬
 g¤£Ê¾2f~mû„m}…i¶xÄãæužÙÆœ»‚ÙüÂx\Ôt{™CÀåò	›ËøýÈ·'5'	ªzqvipd×kµ»¶j©@ƒæ…:Íw¾?bøàôVs,%ãIP¡ÍSÃ…„A³ô‰ìDª`Ïûñ,{r˜¦fY—AÀ˜EÏ¡+LNä^õ,¸¬Y¼B™¡9ÛœÐç†dbTC4è¿JLWl©0Âkž ^¸ùT›Úò«¾¦ét«§^Þí§/‡3SÄ蚇dQœv(CÜ쇵È%#¾j0Æ7›5pEZ‡ì—,í¼éÀOÇéÃõ¤¯(CæýéZb4üÁP”™Γ{5Þ…k`åùÃJÙãpÔféAvs,µp̈Õ.¨±g¸Ño¡µ°±P9:Ý,'c|Ì1eÁh†M~‘fQÞúûdú9’LÈúôÖN0–"/Ó|8׃ҿ]‰/óûÚûس˜z$©Ôü³[<~q÷é#ƒä2
 'óP4I×¥ŸÐ?`b¬FH.÷R}ÿÀ#]«iÀAñ7FÌÐ5øùq6O‰Ç/êúWbõÑFåq-¢´ð
§]xžök%˜Ã–td˜¯‘ŒÎ¼r¿?qEµÀ¡Glq_åOÎ1ŠL$HülÓ‚|²ëÅ›:vÐ
Ø›¨†À<¬è2ëg8„7ë%j ÅL/ARWˆŠmõƒÑ±)Cðî&œ£Ò(q14ŒED;ÌjdWåqêÒÚ8ß'‡õt˜{r›`üz$¸~ЗV-ðr#QcªžÉ¹=H­EÍëCóIîÁÕŒ–aYÅuz8UG²þºÝ¡HJP+dGR]¤IؘNd'×DóN'é[ºqÆIÒĵF,·;Å—d•”©7•‘W­_ˆF®kô­é¢á£tΘ~­
yTjænUÀNöÂߥ6”éŸì¶\e>:3‚t{ù^÷p*kõ!1ñÖ3«/¥tŒëÖÈ|æeWç¯ÛQ#`IbýÍÃ$ŒPÍXÉSKUŽž¡’`ËAÅžþ›m­%N©ò’÷Y¥Ê¡K_º`ÕsYGõ¾ìŸö¨,4ƒ“³›¯HC'Ÿû89cá[ãÛ2?ÆN¼	ü±ù#°¥ª0ägã¶,Š¢œ¡. éj”¿ê?ÉxG# Ò+“Å.ă-†cå-Yo¢UÄVõñÈö15Ò»æ¾Ýc@@íéíAŸLüUÜêÏÉ…ÜÔ¿©ÿÌZÏ‚ñåÎSUn9“mbµf[‘€Š±ÑT8D1¿4г#hqÙך½E9É{Ь¶uîœb…M'­?/ÖGÐÿéε%¨˜Gš±Ñ3?hßó¤¸þa¶„çŽØyžÓ€’^`´ý×Þz\‹÷¶v«áP{ÑÑ•Ih~×`5»æ0ïfM…ÂÛ
-ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶ûf¹9endstream
+ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶û{ȹ5endstream
 endobj
-754 0 obj <<
+762 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2227 0 R
+/Encoding 2240 0 R
 /FirstChar 2
 /LastChar 216
-/Widths 2243 0 R
-/BaseFont /FGTFRM+URWPalladioL-Roma
-/FontDescriptor 752 0 R
+/Widths 2256 0 R
+/BaseFont /ZEUGAF+URWPalladioL-Roma
+/FontDescriptor 760 0 R
 >> endobj
-752 0 obj <<
+760 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /FGTFRM+URWPalladioL-Roma
+/FontName /ZEUGAF+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
 /FontBBox [-166 -283 1021 943]
 /Flags 4
 /CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/endash/emdash/Oslash)
-/FontFile 753 0 R
+/FontFile 761 0 R
 >> endobj
-2243 0 obj
+2256 0 obj
 [605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
 endobj
-729 0 obj <<
+737 0 obj <<
 /Length1 1614
 /Length2 24766
 /Length3 532
@@ -11209,7 +11301,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:
Q)ªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:%I	eªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
 Šº%`¸3LŽ7)ü‰]üQHžíá|ÒâP»šê
 ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
 KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó#\2®˜Æíß»OÍß
6.â'¢ÿp$iÊíù2ŸÒ;LÛ–Oòá ±Fóyº)‘ùµ©ãà~¥ŸC¡ë­„aø
ÅÑ«¨ÙûGæhg[&óâ<1—Xû²Âø{iª_“¸bf)¦Œ²§T˜
ÜÓ»GAe!ógF玦àUa!*ÚZ0Ÿðç/èa0¼€ž~£œ†äwÝo	âïfŸJ³xÛw®ÞaÇL¿õ0è^š`8¿Ú	Ù4Ùç÷Ï©4†V×"”]BÝ3pþà·½_) èIÞ\H$séåXŒ{Òb^Z,ÃÛ6ö©ÉÁ¬–R2µCÇŠ‰t(£ˆOܲÓ7‚9òó`e€²ä@y%0júAÈëRÿ˜à˜~xƒ4wÖ5çíÂàÖ±åmÝÓ×â}=Ð’tRX[>͔ҞÐRÔ "çH³l/é•_r> endobj
-728 0 obj <<
+736 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /EQYMFK+URWPalladioL-Bold
+/FontName /SQJIAT+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 729 0 R
+/FontFile 737 0 R
 >> endobj
-2244 0 obj
+2257 0 obj
 [611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
-731 0 obj <<
+739 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [722 0 R 749 0 R 759 0 R 814 0 R 878 0 R 940 0 R]
+/Parent 2258 0 R
+/Kids [730 0 R 757 0 R 767 0 R 822 0 R 886 0 R 949 0 R]
 >> endobj
-976 0 obj <<
+986 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [964 0 R 978 0 R 992 0 R 1003 0 R 1010 0 R 1022 0 R]
+/Parent 2258 0 R
+/Kids [974 0 R 988 0 R 1002 0 R 1013 0 R 1020 0 R 1032 0 R]
 >> endobj
-1034 0 obj <<
+1044 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [1027 0 R 1036 0 R 1045 0 R 1055 0 R 1062 0 R 1068 0 R]
+/Parent 2258 0 R
+/Kids [1037 0 R 1046 0 R 1055 0 R 1065 0 R 1072 0 R 1078 0 R]
 >> endobj
-1092 0 obj <<
+1102 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [1076 0 R 1100 0 R 1110 0 R 1115 0 R 1119 0 R 1124 0 R]
+/Parent 2258 0 R
+/Kids [1086 0 R 1110 0 R 1120 0 R 1125 0 R 1129 0 R 1134 0 R]
 >> endobj
-1141 0 obj <<
+1151 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [1134 0 R 1143 0 R 1150 0 R 1156 0 R 1160 0 R 1172 0 R]
+/Parent 2258 0 R
+/Kids [1144 0 R 1153 0 R 1160 0 R 1166 0 R 1170 0 R 1182 0 R]
 >> endobj
-1182 0 obj <<
+1192 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2245 0 R
-/Kids [1176 0 R 1184 0 R 1188 0 R 1198 0 R 1203 0 R 1211 0 R]
+/Parent 2258 0 R
+/Kids [1186 0 R 1194 0 R 1198 0 R 1208 0 R 1213 0 R 1221 0 R]
 >> endobj
-1227 0 obj <<
+1237 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1219 0 R 1229 0 R 1237 0 R 1248 0 R 1254 0 R 1260 0 R]
+/Parent 2259 0 R
+/Kids [1229 0 R 1239 0 R 1247 0 R 1258 0 R 1264 0 R 1270 0 R]
 >> endobj
-1269 0 obj <<
+1279 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1266 0 R 1271 0 R 1278 0 R 1286 0 R 1293 0 R 1297 0 R]
+/Parent 2259 0 R
+/Kids [1276 0 R 1281 0 R 1288 0 R 1296 0 R 1303 0 R 1307 0 R]
 >> endobj
-1305 0 obj <<
+1315 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1301 0 R 1307 0 R 1311 0 R 1318 0 R 1322 0 R 1329 0 R]
+/Parent 2259 0 R
+/Kids [1311 0 R 1317 0 R 1321 0 R 1328 0 R 1332 0 R 1339 0 R]
 >> endobj
-1342 0 obj <<
+1352 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1339 0 R 1344 0 R 1348 0 R 1358 0 R 1365 0 R 1371 0 R]
+/Parent 2259 0 R
+/Kids [1349 0 R 1354 0 R 1358 0 R 1368 0 R 1375 0 R 1381 0 R]
 >> endobj
-1378 0 obj <<
+1388 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1375 0 R 1380 0 R 1384 0 R 1392 0 R 1398 0 R 1404 0 R]
+/Parent 2259 0 R
+/Kids [1385 0 R 1390 0 R 1394 0 R 1402 0 R 1408 0 R 1414 0 R]
 >> endobj
-1417 0 obj <<
+1427 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2246 0 R
-/Kids [1411 0 R 1419 0 R 1425 0 R 1437 0 R 1442 0 R 1446 0 R]
+/Parent 2259 0 R
+/Kids [1421 0 R 1429 0 R 1435 0 R 1447 0 R 1452 0 R 1456 0 R]
 >> endobj
-1456 0 obj <<
+1466 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1452 0 R 1458 0 R 1465 0 R 1473 0 R 1478 0 R 1482 0 R]
+/Parent 2260 0 R
+/Kids [1462 0 R 1468 0 R 1475 0 R 1483 0 R 1489 0 R 1494 0 R]
 >> endobj
-1489 0 obj <<
+1501 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1486 0 R 1491 0 R 1499 0 R 1514 0 R 1528 0 R 1552 0 R]
+/Parent 2260 0 R
+/Kids [1498 0 R 1503 0 R 1511 0 R 1515 0 R 1530 0 R 1544 0 R]
 >> endobj
-1564 0 obj <<
+1574 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1559 0 R 1566 0 R 1578 0 R 1582 0 R 1591 0 R 1601 0 R]
+/Parent 2260 0 R
+/Kids [1568 0 R 1576 0 R 1582 0 R 1594 0 R 1598 0 R 1607 0 R]
 >> endobj
-1619 0 obj <<
+1628 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1613 0 R 1621 0 R 1627 0 R 1634 0 R 1643 0 R 1652 0 R]
+/Parent 2260 0 R
+/Kids [1617 0 R 1630 0 R 1637 0 R 1643 0 R 1650 0 R 1659 0 R]
 >> endobj
-1669 0 obj <<
+1674 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1659 0 R 1671 0 R 1675 0 R 1681 0 R 1692 0 R 1696 0 R]
+/Parent 2260 0 R
+/Kids [1668 0 R 1676 0 R 1687 0 R 1693 0 R 1704 0 R 1708 0 R]
 >> endobj
-1710 0 obj <<
+1722 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2247 0 R
-/Kids [1700 0 R 1712 0 R 1716 0 R 1723 0 R 1733 0 R 1792 0 R]
+/Parent 2260 0 R
+/Kids [1712 0 R 1724 0 R 1728 0 R 1735 0 R 1745 0 R 1804 0 R]
 >> endobj
-1901 0 obj <<
+1913 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [1848 0 R 1903 0 R 1937 0 R 1946 0 R 1952 0 R 1957 0 R]
+/Parent 2261 0 R
+/Kids [1860 0 R 1915 0 R 1949 0 R 1958 0 R 1964 0 R 1969 0 R]
 >> endobj
-1965 0 obj <<
+1977 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [1961 0 R 1967 0 R 1978 0 R 1983 0 R 1995 0 R 2004 0 R]
+/Parent 2261 0 R
+/Kids [1973 0 R 1979 0 R 1990 0 R 1995 0 R 2007 0 R 2016 0 R]
 >> endobj
-2022 0 obj <<
+2034 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [2013 0 R 2024 0 R 2030 0 R 2035 0 R 2045 0 R 2057 0 R]
+/Parent 2261 0 R
+/Kids [2025 0 R 2036 0 R 2042 0 R 2047 0 R 2057 0 R 2069 0 R]
 >> endobj
-2074 0 obj <<
+2087 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [2065 0 R 2076 0 R 2080 0 R 2084 0 R 2094 0 R 2106 0 R]
+/Parent 2261 0 R
+/Kids [2076 0 R 2089 0 R 2093 0 R 2097 0 R 2102 0 R 2114 0 R]
 >> endobj
-2117 0 obj <<
+2128 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [2112 0 R 2119 0 R 2129 0 R 2133 0 R 2142 0 R 2150 0 R]
+/Parent 2261 0 R
+/Kids [2125 0 R 2130 0 R 2141 0 R 2146 0 R 2151 0 R 2163 0 R]
 >> endobj
-2159 0 obj <<
+2171 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2248 0 R
-/Kids [2155 0 R 2161 0 R 2171 0 R 2178 0 R 2188 0 R 2193 0 R]
+/Parent 2261 0 R
+/Kids [2168 0 R 2173 0 R 2179 0 R 2190 0 R 2201 0 R 2206 0 R]
 >> endobj
-2213 0 obj <<
+2221 0 obj <<
 /Type /Pages
 /Count 3
-/Parent 2249 0 R
-/Kids [2205 0 R 2215 0 R 2223 0 R]
+/Parent 2262 0 R
+/Kids [2216 0 R 2223 0 R 2235 0 R]
 >> endobj
-2245 0 obj <<
+2258 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2250 0 R
-/Kids [731 0 R 976 0 R 1034 0 R 1092 0 R 1141 0 R 1182 0 R]
+/Parent 2263 0 R
+/Kids [739 0 R 986 0 R 1044 0 R 1102 0 R 1151 0 R 1192 0 R]
 >> endobj
-2246 0 obj <<
+2259 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2250 0 R
-/Kids [1227 0 R 1269 0 R 1305 0 R 1342 0 R 1378 0 R 1417 0 R]
+/Parent 2263 0 R
+/Kids [1237 0 R 1279 0 R 1315 0 R 1352 0 R 1388 0 R 1427 0 R]
 >> endobj
-2247 0 obj <<
+2260 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2250 0 R
-/Kids [1456 0 R 1489 0 R 1564 0 R 1619 0 R 1669 0 R 1710 0 R]
+/Parent 2263 0 R
+/Kids [1466 0 R 1501 0 R 1574 0 R 1628 0 R 1674 0 R 1722 0 R]
 >> endobj
-2248 0 obj <<
+2261 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2250 0 R
-/Kids [1901 0 R 1965 0 R 2022 0 R 2074 0 R 2117 0 R 2159 0 R]
+/Parent 2263 0 R
+/Kids [1913 0 R 1977 0 R 2034 0 R 2087 0 R 2128 0 R 2171 0 R]
 >> endobj
-2249 0 obj <<
+2262 0 obj <<
 /Type /Pages
 /Count 3
-/Parent 2250 0 R
-/Kids [2213 0 R]
+/Parent 2263 0 R
+/Kids [2221 0 R]
 >> endobj
-2250 0 obj <<
+2263 0 obj <<
 /Type /Pages
 /Count 147
-/Kids [2245 0 R 2246 0 R 2247 0 R 2248 0 R 2249 0 R]
+/Kids [2258 0 R 2259 0 R 2260 0 R 2261 0 R 2262 0 R]
 >> endobj
-2251 0 obj <<
+2264 0 obj <<
 /Type /Outlines
 /First 7 0 R
-/Last 655 0 R
+/Last 663 0 R
 /Count 10
 >> endobj
+727 0 obj <<
+/Title 728 0 R
+/A 725 0 R
+/Parent 663 0 R
+/Prev 723 0 R
+>> endobj
+723 0 obj <<
+/Title 724 0 R
+/A 721 0 R
+/Parent 663 0 R
+/Prev 719 0 R
+/Next 727 0 R
+>> endobj
 719 0 obj <<
 /Title 720 0 R
 /A 717 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 715 0 R
+/Next 723 0 R
 >> endobj
 715 0 obj <<
 /Title 716 0 R
 /A 713 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 711 0 R
 /Next 719 0 R
 >> endobj
 711 0 obj <<
 /Title 712 0 R
 /A 709 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 707 0 R
 /Next 715 0 R
 >> endobj
 707 0 obj <<
 /Title 708 0 R
 /A 705 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 703 0 R
 /Next 711 0 R
 >> endobj
 703 0 obj <<
 /Title 704 0 R
 /A 701 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 699 0 R
 /Next 707 0 R
 >> endobj
 699 0 obj <<
 /Title 700 0 R
 /A 697 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 695 0 R
 /Next 703 0 R
 >> endobj
 695 0 obj <<
 /Title 696 0 R
 /A 693 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 691 0 R
 /Next 699 0 R
 >> endobj
 691 0 obj <<
 /Title 692 0 R
 /A 689 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 687 0 R
 /Next 695 0 R
 >> endobj
 687 0 obj <<
 /Title 688 0 R
 /A 685 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 683 0 R
 /Next 691 0 R
 >> endobj
 683 0 obj <<
 /Title 684 0 R
 /A 681 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 679 0 R
 /Next 687 0 R
 >> endobj
 679 0 obj <<
 /Title 680 0 R
 /A 677 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 675 0 R
 /Next 683 0 R
 >> endobj
 675 0 obj <<
 /Title 676 0 R
 /A 673 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 671 0 R
 /Next 679 0 R
 >> endobj
 671 0 obj <<
 /Title 672 0 R
 /A 669 0 R
-/Parent 655 0 R
+/Parent 663 0 R
 /Prev 667 0 R
 /Next 675 0 R
 >> endobj
 667 0 obj <<
 /Title 668 0 R
 /A 665 0 R
-/Parent 655 0 R
-/Prev 663 0 R
+/Parent 663 0 R
 /Next 671 0 R
 >> endobj
 663 0 obj <<
 /Title 664 0 R
 /A 661 0 R
-/Parent 655 0 R
-/Prev 659 0 R
-/Next 667 0 R
+/Parent 2264 0 R
+/Prev 627 0 R
+/First 667 0 R
+/Last 727 0 R
+/Count -16
 >> endobj
 659 0 obj <<
 /Title 660 0 R
 /A 657 0 R
-/Parent 655 0 R
-/Next 663 0 R
+/Parent 647 0 R
+/Prev 655 0 R
 >> endobj
 655 0 obj <<
 /Title 656 0 R
 /A 653 0 R
-/Parent 2251 0 R
-/Prev 619 0 R
-/First 659 0 R
-/Last 719 0 R
-/Count -16
+/Parent 647 0 R
+/Prev 651 0 R
+/Next 659 0 R
 >> endobj
 651 0 obj <<
 /Title 652 0 R
 /A 649 0 R
-/Parent 639 0 R
-/Prev 647 0 R
+/Parent 647 0 R
+/Next 655 0 R
 >> endobj
 647 0 obj <<
 /Title 648 0 R
 /A 645 0 R
-/Parent 639 0 R
-/Prev 643 0 R
-/Next 651 0 R
+/Parent 627 0 R
+/Prev 639 0 R
+/First 651 0 R
+/Last 659 0 R
+/Count -3
 >> endobj
 643 0 obj <<
 /Title 644 0 R
 /A 641 0 R
 /Parent 639 0 R
-/Next 647 0 R
 >> endobj
 639 0 obj <<
 /Title 640 0 R
 /A 637 0 R
-/Parent 619 0 R
+/Parent 627 0 R
 /Prev 631 0 R
+/Next 647 0 R
 /First 643 0 R
-/Last 651 0 R
-/Count -3
+/Last 643 0 R
+/Count -1
 >> endobj
 635 0 obj <<
 /Title 636 0 R
@@ -11682,8 +11790,7 @@ endobj
 631 0 obj <<
 /Title 632 0 R
 /A 629 0 R
-/Parent 619 0 R
-/Prev 623 0 R
+/Parent 627 0 R
 /Next 639 0 R
 /First 635 0 R
 /Last 635 0 R
@@ -11692,75 +11799,77 @@ endobj
 627 0 obj <<
 /Title 628 0 R
 /A 625 0 R
-/Parent 623 0 R
+/Parent 2264 0 R
+/Prev 607 0 R
+/Next 663 0 R
+/First 631 0 R
+/Last 647 0 R
+/Count -3
 >> endobj
 623 0 obj <<
 /Title 624 0 R
 /A 621 0 R
-/Parent 619 0 R
-/Next 631 0 R
-/First 627 0 R
-/Last 627 0 R
-/Count -1
+/Parent 607 0 R
+/Prev 619 0 R
 >> endobj
 619 0 obj <<
 /Title 620 0 R
 /A 617 0 R
-/Parent 2251 0 R
-/Prev 599 0 R
-/Next 655 0 R
-/First 623 0 R
-/Last 639 0 R
-/Count -3
+/Parent 607 0 R
+/Prev 611 0 R
+/Next 623 0 R
 >> endobj
 615 0 obj <<
 /Title 616 0 R
 /A 613 0 R
-/Parent 599 0 R
-/Prev 611 0 R
+/Parent 611 0 R
 >> endobj
 611 0 obj <<
 /Title 612 0 R
 /A 609 0 R
-/Parent 599 0 R
-/Prev 603 0 R
-/Next 615 0 R
+/Parent 607 0 R
+/Next 619 0 R
+/First 615 0 R
+/Last 615 0 R
+/Count -1
 >> endobj
 607 0 obj <<
 /Title 608 0 R
 /A 605 0 R
-/Parent 603 0 R
+/Parent 2264 0 R
+/Prev 583 0 R
+/Next 627 0 R
+/First 611 0 R
+/Last 623 0 R
+/Count -3
 >> endobj
 603 0 obj <<
 /Title 604 0 R
 /A 601 0 R
-/Parent 599 0 R
-/Next 611 0 R
-/First 607 0 R
-/Last 607 0 R
-/Count -1
+/Parent 583 0 R
+/Prev 591 0 R
 >> endobj
 599 0 obj <<
 /Title 600 0 R
 /A 597 0 R
-/Parent 2251 0 R
-/Prev 575 0 R
-/Next 619 0 R
-/First 603 0 R
-/Last 615 0 R
-/Count -3
+/Parent 591 0 R
+/Prev 595 0 R
 >> endobj
 595 0 obj <<
 /Title 596 0 R
 /A 593 0 R
-/Parent 575 0 R
-/Prev 583 0 R
+/Parent 591 0 R
+/Next 599 0 R
 >> endobj
 591 0 obj <<
 /Title 592 0 R
 /A 589 0 R
 /Parent 583 0 R
 /Prev 587 0 R
+/Next 603 0 R
+/First 595 0 R
+/Last 599 0 R
+/Count -2
 >> endobj
 587 0 obj <<
 /Title 588 0 R
@@ -11771,47 +11880,44 @@ endobj
 583 0 obj <<
 /Title 584 0 R
 /A 581 0 R
-/Parent 575 0 R
-/Prev 579 0 R
-/Next 595 0 R
+/Parent 2264 0 R
+/Prev 243 0 R
+/Next 607 0 R
 /First 587 0 R
-/Last 591 0 R
-/Count -2
+/Last 603 0 R
+/Count -3
 >> endobj
 579 0 obj <<
 /Title 580 0 R
 /A 577 0 R
-/Parent 575 0 R
-/Next 583 0 R
+/Parent 559 0 R
+/Prev 575 0 R
 >> endobj
 575 0 obj <<
 /Title 576 0 R
 /A 573 0 R
-/Parent 2251 0 R
-/Prev 243 0 R
-/Next 599 0 R
-/First 579 0 R
-/Last 595 0 R
-/Count -3
+/Parent 559 0 R
+/Prev 571 0 R
+/Next 579 0 R
 >> endobj
 571 0 obj <<
 /Title 572 0 R
 /A 569 0 R
-/Parent 551 0 R
+/Parent 559 0 R
 /Prev 567 0 R
+/Next 575 0 R
 >> endobj
 567 0 obj <<
 /Title 568 0 R
 /A 565 0 R
-/Parent 551 0 R
+/Parent 559 0 R
 /Prev 563 0 R
 /Next 571 0 R
 >> endobj
 563 0 obj <<
 /Title 564 0 R
 /A 561 0 R
-/Parent 551 0 R
-/Prev 559 0 R
+/Parent 559 0 R
 /Next 567 0 R
 >> endobj
 559 0 obj <<
@@ -11819,7 +11925,9 @@ endobj
 /A 557 0 R
 /Parent 551 0 R
 /Prev 555 0 R
-/Next 563 0 R
+/First 563 0 R
+/Last 579 0 R
+/Count -5
 >> endobj
 555 0 obj <<
 /Title 556 0 R
@@ -11830,152 +11938,153 @@ endobj
 551 0 obj <<
 /Title 552 0 R
 /A 549 0 R
-/Parent 543 0 R
-/Prev 547 0 R
+/Parent 243 0 R
+/Prev 495 0 R
 /First 555 0 R
-/Last 571 0 R
-/Count -5
+/Last 559 0 R
+/Count -2
 >> endobj
 547 0 obj <<
 /Title 548 0 R
 /A 545 0 R
-/Parent 543 0 R
-/Next 551 0 R
+/Parent 495 0 R
+/Prev 543 0 R
 >> endobj
 543 0 obj <<
 /Title 544 0 R
 /A 541 0 R
-/Parent 243 0 R
-/Prev 487 0 R
-/First 547 0 R
-/Last 551 0 R
-/Count -2
+/Parent 495 0 R
+/Prev 523 0 R
+/Next 547 0 R
 >> endobj
 539 0 obj <<
 /Title 540 0 R
 /A 537 0 R
-/Parent 487 0 R
+/Parent 523 0 R
 /Prev 535 0 R
 >> endobj
 535 0 obj <<
 /Title 536 0 R
 /A 533 0 R
-/Parent 487 0 R
-/Prev 515 0 R
+/Parent 523 0 R
+/Prev 531 0 R
 /Next 539 0 R
 >> endobj
 531 0 obj <<
 /Title 532 0 R
 /A 529 0 R
-/Parent 515 0 R
+/Parent 523 0 R
 /Prev 527 0 R
+/Next 535 0 R
 >> endobj
 527 0 obj <<
 /Title 528 0 R
 /A 525 0 R
-/Parent 515 0 R
-/Prev 523 0 R
+/Parent 523 0 R
 /Next 531 0 R
 >> endobj
 523 0 obj <<
 /Title 524 0 R
 /A 521 0 R
-/Parent 515 0 R
+/Parent 495 0 R
 /Prev 519 0 R
-/Next 527 0 R
+/Next 543 0 R
+/First 527 0 R
+/Last 539 0 R
+/Count -4
 >> endobj
 519 0 obj <<
 /Title 520 0 R
 /A 517 0 R
-/Parent 515 0 R
+/Parent 495 0 R
+/Prev 515 0 R
 /Next 523 0 R
 >> endobj
 515 0 obj <<
 /Title 516 0 R
 /A 513 0 R
-/Parent 487 0 R
+/Parent 495 0 R
 /Prev 511 0 R
-/Next 535 0 R
-/First 519 0 R
-/Last 531 0 R
-/Count -4
+/Next 519 0 R
 >> endobj
 511 0 obj <<
 /Title 512 0 R
 /A 509 0 R
-/Parent 487 0 R
-/Prev 507 0 R
+/Parent 495 0 R
+/Prev 499 0 R
 /Next 515 0 R
 >> endobj
 507 0 obj <<
 /Title 508 0 R
 /A 505 0 R
-/Parent 487 0 R
+/Parent 499 0 R
 /Prev 503 0 R
-/Next 511 0 R
 >> endobj
 503 0 obj <<
 /Title 504 0 R
 /A 501 0 R
-/Parent 487 0 R
-/Prev 491 0 R
+/Parent 499 0 R
 /Next 507 0 R
 >> endobj
 499 0 obj <<
 /Title 500 0 R
 /A 497 0 R
-/Parent 491 0 R
-/Prev 495 0 R
+/Parent 495 0 R
+/Next 511 0 R
+/First 503 0 R
+/Last 507 0 R
+/Count -2
 >> endobj
 495 0 obj <<
 /Title 496 0 R
 /A 493 0 R
-/Parent 491 0 R
-/Next 499 0 R
+/Parent 243 0 R
+/Prev 275 0 R
+/Next 551 0 R
+/First 499 0 R
+/Last 547 0 R
+/Count -7
 >> endobj
 491 0 obj <<
 /Title 492 0 R
 /A 489 0 R
-/Parent 487 0 R
-/Next 503 0 R
-/First 495 0 R
-/Last 499 0 R
-/Count -2
+/Parent 475 0 R
+/Prev 487 0 R
 >> endobj
 487 0 obj <<
 /Title 488 0 R
 /A 485 0 R
-/Parent 243 0 R
-/Prev 275 0 R
-/Next 543 0 R
-/First 491 0 R
-/Last 539 0 R
-/Count -7
+/Parent 475 0 R
+/Prev 483 0 R
+/Next 491 0 R
 >> endobj
 483 0 obj <<
 /Title 484 0 R
 /A 481 0 R
-/Parent 467 0 R
+/Parent 475 0 R
 /Prev 479 0 R
+/Next 487 0 R
 >> endobj
 479 0 obj <<
 /Title 480 0 R
 /A 477 0 R
-/Parent 467 0 R
-/Prev 475 0 R
+/Parent 475 0 R
 /Next 483 0 R
 >> endobj
 475 0 obj <<
 /Title 476 0 R
 /A 473 0 R
-/Parent 467 0 R
+/Parent 275 0 R
 /Prev 471 0 R
-/Next 479 0 R
+/First 479 0 R
+/Last 491 0 R
+/Count -4
 >> endobj
 471 0 obj <<
 /Title 472 0 R
 /A 469 0 R
-/Parent 467 0 R
+/Parent 275 0 R
+/Prev 467 0 R
 /Next 475 0 R
 >> endobj
 467 0 obj <<
@@ -11983,9 +12092,7 @@ endobj
 /A 465 0 R
 /Parent 275 0 R
 /Prev 463 0 R
-/First 471 0 R
-/Last 483 0 R
-/Count -4
+/Next 471 0 R
 >> endobj
 463 0 obj <<
 /Title 464 0 R
@@ -12322,10 +12429,10 @@ endobj
 /A 273 0 R
 /Parent 243 0 R
 /Prev 247 0 R
-/Next 487 0 R
+/Next 495 0 R
 /First 279 0 R
-/Last 467 0 R
-/Count -26
+/Last 475 0 R
+/Count -28
 >> endobj
 271 0 obj <<
 /Title 272 0 R
@@ -12381,11 +12488,11 @@ endobj
 243 0 obj <<
 /Title 244 0 R
 /A 241 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Prev 231 0 R
-/Next 575 0 R
+/Next 583 0 R
 /First 247 0 R
-/Last 543 0 R
+/Last 551 0 R
 /Count -4
 >> endobj
 239 0 obj <<
@@ -12403,7 +12510,7 @@ endobj
 231 0 obj <<
 /Title 232 0 R
 /A 229 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Prev 131 0 R
 /Next 243 0 R
 /First 235 0 R
@@ -12585,7 +12692,7 @@ endobj
 131 0 obj <<
 /Title 132 0 R
 /A 129 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Prev 91 0 R
 /Next 231 0 R
 /First 135 0 R
@@ -12659,7 +12766,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Prev 67 0 R
 /Next 131 0 R
 /First 95 0 R
@@ -12702,7 +12809,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -12811,2301 +12918,2314 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 2251 0 R
+/Parent 2264 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-2252 0 obj <<
-/Names [(Access_Control_Lists) 1679 0 R (Bv9ARM.ch01) 967 0 R (Bv9ARM.ch02) 1013 0 R (Bv9ARM.ch03) 1030 0 R (Bv9ARM.ch04) 1079 0 R (Bv9ARM.ch05) 1179 0 R (Bv9ARM.ch06) 1191 0 R (Bv9ARM.ch07) 1678 0 R (Bv9ARM.ch08) 1703 0 R (Bv9ARM.ch09) 1719 0 R (Bv9ARM.ch10) 1940 0 R (Configuration_File_Grammar) 1215 0 R (DNSSEC) 1147 0 R (Doc-Start) 727 0 R (Setting_TTLs) 1599 0 R (acache) 1020 0 R (access_control) 1354 0 R (acl) 1223 0 R (address_match_lists) 1196 0 R (admin_tools) 1053 0 R (appendix.A) 618 0 R (appendix.B) 654 0 R (bibliography) 1727 0 R (boolean_options) 1096 0 R (builtin) 1432 0 R (chapter*.1) 762 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 574 0 R (chapter.8) 598 0 R (cite.RFC1033) 1854 0 R (cite.RFC1034) 1739 0 R (cite.RFC1035) 1741 0 R (cite.RFC1101) 1836 0 R (cite.RFC1123) 1838 0 R (cite.RFC1183) 1798 0 R (cite.RFC1464) 1876 0 R (cite.RFC1535) 1784 0 R (cite.RFC1536) 1786 0 R (cite.RFC1537) 1856 0 R (cite.RFC1591) 1840 0 R (cite.RFC1706) 1800 0 R (cite.RFC1712) 1896 0 R (cite.RFC1713) 1878 0 R (cite.RFC1794) 1880 0 R (cite.RFC1876) 1802 0 R (cite.RFC1912) 1858 0 R (cite.RFC1982) 1788 0 R (cite.RFC1995) 1746 0 R (cite.RFC1996) 1748 0 R (cite.RFC2010) 1860 0 R (cite.RFC2052) 1804 0 R (cite.RFC2065) 1909 0 R (cite.RFC2136) 1750 0 R (cite.RFC2137) 1911 0 R (cite.RFC2163) 1806 0 R (cite.RFC2168) 1808 0 R (cite.RFC2181) 1752 0 R (cite.RFC2219) 1862 0 R (cite.RFC2230) 1810 0 R (cite.RFC2240) 1882 0 R (cite.RFC2308) 1754 0 R (cite.RFC2317) 1842 0 R (cite.RFC2345) 1884 0 R (cite.RFC2352) 1886 0 R (cite.RFC2535) 1913 0 R (cite.RFC2536) 1812 0 R (cite.RFC2537) 1814 0 R (cite.RFC2538) 1816 0 R (cite.RFC2539) 1818 0 R (cite.RFC2540) 1820 0 R (cite.RFC2671) 1756 0 R (cite.RFC2672) 1758 0 R (cite.RFC2673) 1898 0 R (cite.RFC2782) 1822 0 R (cite.RFC2825) 1866 0 R (cite.RFC2826) 1844 0 R (cite.RFC2845) 1760 0 R (cite.RFC2874) 1900 0 R (cite.RFC2915) 1824 0 R (cite.RFC2929) 1846 0 R (cite.RFC2930) 1762 0 R (cite.RFC2931) 1764 0 R (cite.RFC3007) 1766 0 R (cite.RFC3008) 1915 0 R (cite.RFC3071) 1888 0 R (cite.RFC3090) 1917 0 R (cite.RFC3110) 1826 0 R (cite.RFC3123) 1828 0 R (cite.RFC3225) 1772 0 R (cite.RFC3258) 1890 0 R (cite.RFC3445) 1919 0 R (cite.RFC3490) 1868 0 R (cite.RFC3491) 1870 0 R (cite.RFC3492) 1872 0 R (cite.RFC3596) 1830 0 R (cite.RFC3597) 1832 0 R (cite.RFC3645) 1768 0 R (cite.RFC3655) 1921 0 R (cite.RFC3658) 1923 0 R (cite.RFC3755) 1925 0 R (cite.RFC3757) 1927 0 R (cite.RFC3833) 1774 0 R (cite.RFC3845) 1929 0 R (cite.RFC3901) 1892 0 R (cite.RFC4033) 1776 0 R (cite.RFC4034) 1778 0 R (cite.RFC4035) 1780 0 R (cite.RFC4074) 1790 0 R (cite.RFC974) 1743 0 R (cite.id2507025) 1934 0 R (clients-per-query) 1650 0 R (configuration_file_elements) 1192 0 R (controls_statement_definition_and_usage) 1066 0 R (diagnostic_tools) 1001 0 R (dynamic_update) 1089 0 R (dynamic_update_policies) 1098 0 R (dynamic_update_security) 1363 0 R (empty) 1440 0 R (historical_dns_information) 1721 0 R (id2466552) 968 0 R (id2466576) 969 0 R (id2467534) 970 0 R (id2467544) 971 0 R (id2467716) 983 0 R (id2467737) 984 0 R (id2467771) 985 0 R (id2467856) 988 0 R (id2467948) 981 0 R (id2470253) 995 0 R (id2470277) 998 0 R (id2470375) 999 0 R (id2470396) 1000 0 R (id2470426) 1006 0 R (id2470530) 1007 0 R (id2470556) 1008 0 R (id2470590) 1014 0 R (id2470617) 1015 0 R (id2470630) 1016 0 R (id2470724) 1019 0 R (id2470734) 1025 0 R (id2470766) 1032 0 R (id2470782) 1033 0 R (id2470805) 1039 0 R (id2470822) 1040 0 R (id2471227) 1048 0 R (id2471233) 1049 0 R (id2473145) 1071 0 R (id2473157) 1072 0 R (id2473582) 1106 0 R (id2473601) 1107 0 R (id2474102) 1127 0 R (id2474119) 1128 0 R (id2474157) 1129 0 R (id2474176) 1130 0 R (id2474186) 1131 0 R (id2474229) 1132 0 R (id2474355) 1137 0 R (id2474404) 1139 0 R (id2474418) 1140 0 R (id2474603) 1146 0 R (id2474672) 1148 0 R (id2474819) 1153 0 R (id2474968) 1154 0 R (id2475138) 1166 0 R (id2475404) 1168 0 R (id2475426) 1169 0 R (id2475459) 1180 0 R (id2475606) 1193 0 R (id2476567) 1201 0 R (id2476595) 1206 0 R (id2476732) 1207 0 R (id2476747) 1208 0 R (id2476777) 1214 0 R (id2477057) 1216 0 R (id2477499) 1222 0 R (id2477542) 1224 0 R (id2477689) 1226 0 R (id2478117) 1234 0 R (id2478134) 1240 0 R (id2478157) 1241 0 R (id2478181) 1242 0 R (id2478340) 1246 0 R (id2478466) 1251 0 R (id2478518) 1252 0 R (id2479211) 1263 0 R (id2479877) 1274 0 R (id2480007) 1275 0 R (id2480396) 1281 0 R (id2480470) 1282 0 R (id2480534) 1289 0 R (id2480578) 1290 0 R (id2480593) 1291 0 R (id2483323) 1325 0 R (id2485161) 1351 0 R (id2485288) 1353 0 R (id2485725) 1368 0 R (id2486997) 1387 0 R (id2487057) 1389 0 R (id2487547) 1401 0 R (id2488118) 1415 0 R (id2489491) 1449 0 R (id2490584) 1468 0 R (id2490670) 1469 0 R (id2490722) 1470 0 R (id2490894) 1476 0 R (id2492302) 1494 0 R (id2492310) 1495 0 R (id2492315) 1496 0 R (id2492874) 1503 0 R (id2492907) 1504 0 R (id2494583) 1562 0 R (id2494937) 1569 0 R (id2494955) 1570 0 R (id2494976) 1573 0 R (id2495212) 1575 0 R (id2496451) 1585 0 R (id2496579) 1587 0 R (id2496737) 1588 0 R (id2497168) 1594 0 R (id2497304) 1596 0 R (id2497322) 1597 0 R (id2497795) 1604 0 R (id2497920) 1606 0 R (id2497934) 1607 0 R (id2498046) 1609 0 R (id2498069) 1610 0 R (id2498085) 1611 0 R (id2498146) 1616 0 R (id2498215) 1617 0 R (id2498251) 1618 0 R (id2498395) 1624 0 R (id2498974) 1631 0 R (id2499273) 1639 0 R (id2499278) 1640 0 R (id2500814) 1647 0 R (id2500821) 1648 0 R (id2501266) 1655 0 R (id2501271) 1656 0 R (id2502424) 1662 0 R (id2502456) 1663 0 R (id2502797) 1668 0 R (id2503040) 1688 0 R (id2503121) 1689 0 R (id2503180) 1690 0 R (id2503260) 1704 0 R (id2503266) 1705 0 R (id2503346) 1706 0 R (id2503363) 1707 0 R (id2503493) 1720 0 R (id2503596) 1726 0 R (id2503852) 1731 0 R (id2503854) 1737 0 R (id2503863) 1742 0 R (id2503886) 1738 0 R (id2503910) 1740 0 R (id2503946) 1751 0 R (id2503973) 1753 0 R (id2503998) 1745 0 R (id2504023) 1747 0 R (id2504046) 1749 0 R (id2504102) 1755 0 R (id2504129) 1757 0 R (id2504155) 1759 0 R (id2504217) 1761 0 R (id2504247) 1763 0 R (id2504277) 1765 0 R (id2504304) 1767 0 R (id2504378) 1770 0 R (id2504386) 1771 0 R (id2504412) 1773 0 R (id2504449) 1775 0 R (id2504514) 1777 0 R (id2504579) 1779 0 R (id2504644) 1782 0 R (id2504652) 1783 0 R (id2504678) 1785 0 R (id2504746) 1787 0 R (id2504850) 1789 0 R (id2504890) 1796 0 R (id2504896) 1797 0 R (id2504953) 1799 0 R (id2504990) 1807 0 R (id2505026) 1801 0 R (id2505217) 1803 0 R (id2505255) 1805 0 R (id2505281) 1809 0 R (id2505306) 1811 0 R (id2505333) 1813 0 R (id2505360) 1815 0 R (id2505399) 1817 0 R (id2505429) 1819 0 R (id2505459) 1821 0 R (id2505501) 1823 0 R (id2505534) 1825 0 R (id2505561) 1827 0 R (id2505585) 1829 0 R (id2505642) 1831 0 R (id2505667) 1834 0 R (id2505674) 1835 0 R (id2505700) 1837 0 R (id2505722) 1839 0 R (id2505746) 1841 0 R (id2505792) 1843 0 R (id2505815) 1845 0 R (id2505865) 1852 0 R (id2505873) 1853 0 R (id2505896) 1855 0 R (id2505923) 1857 0 R (id2505949) 1859 0 R (id2505986) 1861 0 R (id2506026) 1864 0 R (id2506032) 1865 0 R (id2506064) 1867 0 R (id2506109) 1869 0 R (id2506145) 1871 0 R (id2506171) 1874 0 R (id2506189) 1875 0 R (id2506212) 1877 0 R (id2506237) 1879 0 R (id2506263) 1881 0 R (id2506286) 1883 0 R (id2506332) 1885 0 R (id2506356) 1887 0 R (id2506382) 1889 0 R (id2506408) 1891 0 R (id2506445) 1894 0 R (id2506452) 1895 0 R (id2506509) 1897 0 R (id2506536) 1899 0 R (id2506572) 1907 0 R (id2506584) 1908 0 R (id2506624) 1910 0 R (id2506650) 1912 0 R (id2506680) 1914 0 R (id2506706) 1916 0 R (id2506732) 1918 0 R (id2506769) 1920 0 R (id2506805) 1922 0 R (id2506832) 1924 0 R (id2506858) 1926 0 R (id2506903) 1928 0 R (id2506945) 1931 0 R (id2506954) 1933 0 R (id2507025) 1935 0 R (incremental_zone_transfers) 1103 0 R (internet_drafts) 1930 0 R (ipv6addresses) 1170 0 R (journal) 1091 0 R (lwresd) 1181 0 R (man.ddns-confgen) 2211 0 R (man.dig) 1941 0 R (man.dnssec-dsfromkey) 1989 0 R (man.dnssec-keyfromlabel) 2007 0 R (man.dnssec-keygen) 2019 0 R (man.dnssec-revoke) 2042 0 R (man.dnssec-settime) 2053 0 R (man.dnssec-signzone) 2069 0 R (man.host) 1974 0 R (man.named) 2123 0 R (man.named-checkconf) 2090 0 R (man.named-checkzone) 2102 0 R (man.nsupdate) 2145 0 R (man.rndc) 2167 0 R (man.rndc-confgen) 2199 0 R (man.rndc.conf) 2183 0 R (notify) 1080 0 R (options) 1304 0 R (page.1) 726 0 R (page.10) 1005 0 R (page.100) 1683 0 R (page.101) 1694 0 R (page.102) 1698 0 R (page.103) 1702 0 R (page.104) 1714 0 R (page.105) 1718 0 R (page.106) 1725 0 R (page.107) 1735 0 R (page.108) 1794 0 R (page.109) 1850 0 R (page.11) 1012 0 R (page.110) 1905 0 R (page.111) 1939 0 R (page.112) 1948 0 R (page.113) 1954 0 R (page.114) 1959 0 R (page.115) 1963 0 R (page.116) 1969 0 R (page.117) 1980 0 R (page.118) 1985 0 R (page.119) 1997 0 R (page.12) 1024 0 R (page.120) 2006 0 R (page.121) 2015 0 R (page.122) 2026 0 R (page.123) 2032 0 R (page.124) 2037 0 R (page.125) 2047 0 R (page.126) 2059 0 R (page.127) 2067 0 R (page.128) 2078 0 R (page.129) 2082 0 R (page.13) 1029 0 R (page.130) 2086 0 R (page.131) 2096 0 R (page.132) 2108 0 R (page.133) 2114 0 R (page.134) 2121 0 R (page.135) 2131 0 R (page.136) 2135 0 R (page.137) 2144 0 R (page.138) 2152 0 R (page.139) 2157 0 R (page.14) 1038 0 R (page.140) 2163 0 R (page.141) 2173 0 R (page.142) 2180 0 R (page.143) 2190 0 R (page.144) 2195 0 R (page.145) 2207 0 R (page.146) 2217 0 R (page.147) 2225 0 R (page.15) 1047 0 R (page.16) 1057 0 R (page.17) 1064 0 R (page.18) 1070 0 R (page.19) 1078 0 R (page.2) 751 0 R (page.20) 1102 0 R (page.21) 1112 0 R (page.22) 1117 0 R (page.23) 1121 0 R (page.24) 1126 0 R (page.25) 1136 0 R (page.26) 1145 0 R (page.27) 1152 0 R (page.28) 1158 0 R (page.29) 1162 0 R (page.3) 761 0 R (page.30) 1174 0 R (page.31) 1178 0 R (page.32) 1186 0 R (page.33) 1190 0 R (page.34) 1200 0 R (page.35) 1205 0 R (page.36) 1213 0 R (page.37) 1221 0 R (page.38) 1231 0 R (page.39) 1239 0 R (page.4) 816 0 R (page.40) 1250 0 R (page.41) 1256 0 R (page.42) 1262 0 R (page.43) 1268 0 R (page.44) 1273 0 R (page.45) 1280 0 R (page.46) 1288 0 R (page.47) 1295 0 R (page.48) 1299 0 R (page.49) 1303 0 R (page.5) 880 0 R (page.50) 1309 0 R (page.51) 1313 0 R (page.52) 1320 0 R (page.53) 1324 0 R (page.54) 1331 0 R (page.55) 1341 0 R (page.56) 1346 0 R (page.57) 1350 0 R (page.58) 1360 0 R (page.59) 1367 0 R (page.6) 942 0 R (page.60) 1373 0 R (page.61) 1377 0 R (page.62) 1382 0 R (page.63) 1386 0 R (page.64) 1394 0 R (page.65) 1400 0 R (page.66) 1406 0 R (page.67) 1413 0 R (page.68) 1421 0 R (page.69) 1427 0 R (page.7) 966 0 R (page.70) 1439 0 R (page.71) 1444 0 R (page.72) 1448 0 R (page.73) 1454 0 R (page.74) 1460 0 R (page.75) 1467 0 R (page.76) 1475 0 R (page.77) 1480 0 R (page.78) 1484 0 R (page.79) 1488 0 R (page.8) 980 0 R (page.80) 1493 0 R (page.81) 1501 0 R (page.82) 1516 0 R (page.83) 1530 0 R (page.84) 1554 0 R (page.85) 1561 0 R (page.86) 1568 0 R (page.87) 1580 0 R (page.88) 1584 0 R (page.89) 1593 0 R (page.9) 994 0 R (page.90) 1603 0 R (page.91) 1615 0 R (page.92) 1623 0 R (page.93) 1629 0 R (page.94) 1636 0 R (page.95) 1645 0 R (page.96) 1654 0 R (page.97) 1661 0 R (page.98) 1673 0 R (page.99) 1677 0 R (proposed_standards) 1108 0 R (query_address) 1369 0 R (rfcs) 990 0 R (rndc) 1235 0 R (root_delegation_only) 1512 0 R (rrset_ordering) 1043 0 R (sample_configuration) 1031 0 R (section*.10) 1863 0 R (section*.100) 2146 0 R (section*.101) 2147 0 R (section*.102) 2148 0 R (section*.103) 2153 0 R (section*.104) 2158 0 R (section*.105) 2164 0 R (section*.106) 2165 0 R (section*.107) 2166 0 R (section*.108) 2168 0 R (section*.109) 2169 0 R (section*.11) 1873 0 R (section*.110) 2174 0 R (section*.111) 2175 0 R (section*.112) 2176 0 R (section*.113) 2181 0 R (section*.114) 2182 0 R (section*.115) 2184 0 R (section*.116) 2185 0 R (section*.117) 2186 0 R (section*.118) 2191 0 R (section*.119) 2196 0 R (section*.12) 1893 0 R (section*.120) 2197 0 R (section*.121) 2198 0 R (section*.122) 2200 0 R (section*.123) 2201 0 R (section*.124) 2202 0 R (section*.125) 2203 0 R (section*.126) 2208 0 R (section*.127) 2209 0 R (section*.128) 2210 0 R (section*.129) 2212 0 R (section*.13) 1906 0 R (section*.130) 2218 0 R (section*.131) 2219 0 R (section*.132) 2220 0 R (section*.133) 2221 0 R (section*.134) 2226 0 R (section*.14) 1932 0 R (section*.15) 1942 0 R (section*.16) 1943 0 R (section*.17) 1944 0 R (section*.18) 1949 0 R (section*.19) 1950 0 R (section*.2) 1730 0 R (section*.20) 1955 0 R (section*.21) 1964 0 R (section*.22) 1970 0 R (section*.23) 1971 0 R (section*.24) 1972 0 R (section*.25) 1973 0 R (section*.26) 1975 0 R (section*.27) 1976 0 R (section*.28) 1981 0 R (section*.29) 1986 0 R (section*.3) 1736 0 R (section*.30) 1987 0 R (section*.31) 1988 0 R (section*.32) 1990 0 R (section*.33) 1991 0 R (section*.34) 1992 0 R (section*.35) 1993 0 R (section*.36) 1998 0 R (section*.37) 1999 0 R (section*.38) 2000 0 R (section*.39) 2001 0 R (section*.4) 1744 0 R (section*.40) 2002 0 R (section*.41) 2008 0 R (section*.42) 2009 0 R (section*.43) 2010 0 R (section*.44) 2011 0 R (section*.45) 2016 0 R (section*.46) 2017 0 R (section*.47) 2018 0 R (section*.48) 2020 0 R (section*.49) 2021 0 R (section*.5) 1769 0 R (section*.50) 2027 0 R (section*.51) 2028 0 R (section*.52) 2033 0 R (section*.53) 2038 0 R (section*.54) 2039 0 R (section*.55) 2040 0 R (section*.56) 2041 0 R (section*.57) 2043 0 R (section*.58) 2048 0 R (section*.59) 2049 0 R (section*.6) 1781 0 R (section*.60) 2050 0 R (section*.61) 2051 0 R (section*.62) 2052 0 R (section*.63) 2054 0 R (section*.64) 2055 0 R (section*.65) 2060 0 R (section*.66) 2061 0 R (section*.67) 2062 0 R (section*.68) 2063 0 R (section*.69) 2068 0 R (section*.7) 1795 0 R (section*.70) 2070 0 R (section*.71) 2071 0 R (section*.72) 2072 0 R (section*.73) 2073 0 R (section*.74) 2087 0 R (section*.75) 2088 0 R (section*.76) 2089 0 R (section*.77) 2091 0 R (section*.78) 2092 0 R (section*.79) 2097 0 R (section*.8) 1833 0 R (section*.80) 2098 0 R (section*.81) 2099 0 R (section*.82) 2100 0 R (section*.83) 2101 0 R (section*.84) 2103 0 R (section*.85) 2104 0 R (section*.86) 2109 0 R (section*.87) 2110 0 R (section*.88) 2115 0 R (section*.89) 2116 0 R (section*.9) 1851 0 R (section*.90) 2122 0 R (section*.91) 2124 0 R (section*.92) 2125 0 R (section*.93) 2126 0 R (section*.94) 2127 0 R (section*.95) 2136 0 R (section*.96) 2137 0 R (section*.97) 2138 0 R (section*.98) 2139 0 R (section*.99) 2140 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 486 0 R (section.6.4) 542 0 R (section.7.1) 578 0 R (section.7.2) 582 0 R (section.7.3) 594 0 R (section.8.1) 602 0 R (section.8.2) 610 0 R (section.8.3) 614 0 R (section.A.1) 622 0 R (section.A.2) 630 0 R (section.A.3) 638 0 R (section.B.1) 658 0 R (section.B.10) 694 0 R (section.B.11) 698 0 R (section.B.12) 702 0 R (section.B.13) 706 0 R (section.B.14) 710 0 R (section.B.15) 714 0 R (section.B.16) 718 0 R (section.B.2) 662 0 R (section.B.3) 666 0 R (section.B.4) 670 0 R (section.B.5) 674 0 R (section.B.6) 678 0 R (section.B.7) 682 0 R (section.B.8) 686 0 R (section.B.9) 690 0 R (server_resource_limits) 1395 0 R (server_statement_definition_and_usage) 1337 0 R (server_statement_grammar) 1455 0 R (statistics) 1630 0 R (statistics_counters) 1638 0 R (statschannels) 1463 0 R (statsfile) 1316 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 490 0 R (subsection.6.3.2) 502 0 R (subsection.6.3.3) 506 0 R (subsection.6.3.4) 510 0 R (subsection.6.3.5) 514 0 R (subsection.6.3.6) 534 0 R (subsection.6.3.7) 538 0 R (subsection.6.4.1) 550 0 R (subsection.7.2.1) 586 0 R (subsection.7.2.2) 590 0 R (subsection.8.1.1) 606 0 R (subsection.A.1.1) 626 0 R (subsection.A.2.1) 634 0 R (subsection.A.3.1) 642 0 R (subsection.A.3.2) 646 0 R (subsection.A.3.3) 650 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.26.1) 470 0 R (subsubsection.6.2.26.2) 474 0 R (subsubsection.6.2.26.3) 478 0 R (subsubsection.6.2.26.4) 482 0 R (subsubsection.6.3.1.1) 494 0 R (subsubsection.6.3.1.2) 498 0 R (subsubsection.6.3.5.1) 518 0 R (subsubsection.6.3.5.2) 522 0 R (subsubsection.6.3.5.3) 526 0 R (subsubsection.6.3.5.4) 530 0 R (subsubsection.6.4.0.1) 546 0 R (subsubsection.6.4.1.1) 554 0 R (subsubsection.6.4.1.2) 558 0 R (subsubsection.6.4.1.3) 562 0 R (subsubsection.6.4.1.4) 566 0 R (subsubsection.6.4.1.5) 570 0 R (table.1.1) 972 0 R (table.1.2) 982 0 R (table.3.1) 1041 0 R (table.3.2) 1073 0 R (table.6.1) 1194 0 R (table.6.10) 1574 0 R (table.6.11) 1576 0 R (table.6.12) 1586 0 R (table.6.13) 1589 0 R (table.6.14) 1595 0 R (table.6.15) 1598 0 R (table.6.16) 1605 0 R (table.6.17) 1608 0 R (table.6.18) 1625 0 R (table.6.19) 1632 0 R (table.6.2) 1217 0 R (table.6.20) 1641 0 R (table.6.21) 1649 0 R (table.6.22) 1657 0 R (table.6.23) 1664 0 R (table.6.3) 1225 0 R (table.6.4) 1264 0 R (table.6.5) 1276 0 R (table.6.6) 1326 0 R (table.6.7) 1416 0 R (table.6.8) 1497 0 R (table.6.9) 1563 0 R (the_category_phrase) 1258 0 R (the_sortlist_statement) 1407 0 R (topology) 1402 0 R (tsig) 1122 0 R (tuning) 1422 0 R (types_of_resource_records_and_when_to_use_them) 989 0 R (view_statement_grammar) 1435 0 R (zone_statement_grammar) 1356 0 R (zone_transfers) 1097 0 R (zonefile_format) 1434 0 R]
+2265 0 obj <<
+/Names [(Access_Control_Lists) 1691 0 R (Bv9ARM.ch01) 977 0 R (Bv9ARM.ch02) 1023 0 R (Bv9ARM.ch03) 1040 0 R (Bv9ARM.ch04) 1089 0 R (Bv9ARM.ch05) 1189 0 R (Bv9ARM.ch06) 1201 0 R (Bv9ARM.ch07) 1690 0 R (Bv9ARM.ch08) 1715 0 R (Bv9ARM.ch09) 1731 0 R (Bv9ARM.ch10) 1952 0 R (Configuration_File_Grammar) 1225 0 R (DNSSEC) 1157 0 R (Doc-Start) 735 0 R (Setting_TTLs) 1615 0 R (acache) 1030 0 R (access_control) 1364 0 R (acl) 1233 0 R (address_match_lists) 1206 0 R (admin_tools) 1063 0 R (appendix.A) 626 0 R (appendix.B) 662 0 R (bibliography) 1739 0 R (boolean_options) 1106 0 R (builtin) 1442 0 R (chapter*.1) 770 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 582 0 R (chapter.8) 606 0 R (cite.RFC1033) 1866 0 R (cite.RFC1034) 1751 0 R (cite.RFC1035) 1753 0 R (cite.RFC1101) 1848 0 R (cite.RFC1123) 1850 0 R (cite.RFC1183) 1810 0 R (cite.RFC1464) 1888 0 R (cite.RFC1535) 1796 0 R (cite.RFC1536) 1798 0 R (cite.RFC1537) 1868 0 R (cite.RFC1591) 1852 0 R (cite.RFC1706) 1812 0 R (cite.RFC1712) 1908 0 R (cite.RFC1713) 1890 0 R (cite.RFC1794) 1892 0 R (cite.RFC1876) 1814 0 R (cite.RFC1912) 1870 0 R (cite.RFC1982) 1800 0 R (cite.RFC1995) 1758 0 R (cite.RFC1996) 1760 0 R (cite.RFC2010) 1872 0 R (cite.RFC2052) 1816 0 R (cite.RFC2065) 1921 0 R (cite.RFC2136) 1762 0 R (cite.RFC2137) 1923 0 R (cite.RFC2163) 1818 0 R (cite.RFC2168) 1820 0 R (cite.RFC2181) 1764 0 R (cite.RFC2219) 1874 0 R (cite.RFC2230) 1822 0 R (cite.RFC2240) 1894 0 R (cite.RFC2308) 1766 0 R (cite.RFC2317) 1854 0 R (cite.RFC2345) 1896 0 R (cite.RFC2352) 1898 0 R (cite.RFC2535) 1925 0 R (cite.RFC2536) 1824 0 R (cite.RFC2537) 1826 0 R (cite.RFC2538) 1828 0 R (cite.RFC2539) 1830 0 R (cite.RFC2540) 1832 0 R (cite.RFC2671) 1768 0 R (cite.RFC2672) 1770 0 R (cite.RFC2673) 1910 0 R (cite.RFC2782) 1834 0 R (cite.RFC2825) 1878 0 R (cite.RFC2826) 1856 0 R (cite.RFC2845) 1772 0 R (cite.RFC2874) 1912 0 R (cite.RFC2915) 1836 0 R (cite.RFC2929) 1858 0 R (cite.RFC2930) 1774 0 R (cite.RFC2931) 1776 0 R (cite.RFC3007) 1778 0 R (cite.RFC3008) 1927 0 R (cite.RFC3071) 1900 0 R (cite.RFC3090) 1929 0 R (cite.RFC3110) 1838 0 R (cite.RFC3123) 1840 0 R (cite.RFC3225) 1784 0 R (cite.RFC3258) 1902 0 R (cite.RFC3445) 1931 0 R (cite.RFC3490) 1880 0 R (cite.RFC3491) 1882 0 R (cite.RFC3492) 1884 0 R (cite.RFC3596) 1842 0 R (cite.RFC3597) 1844 0 R (cite.RFC3645) 1780 0 R (cite.RFC3655) 1933 0 R (cite.RFC3658) 1935 0 R (cite.RFC3755) 1937 0 R (cite.RFC3757) 1939 0 R (cite.RFC3833) 1786 0 R (cite.RFC3845) 1941 0 R (cite.RFC3901) 1904 0 R (cite.RFC4033) 1788 0 R (cite.RFC4034) 1790 0 R (cite.RFC4035) 1792 0 R (cite.RFC4074) 1802 0 R (cite.RFC974) 1755 0 R (cite.id2507217) 1946 0 R (clients-per-query) 1666 0 R (configuration_file_elements) 1202 0 R (controls_statement_definition_and_usage) 1076 0 R (diagnostic_tools) 1011 0 R (dynamic_update) 1099 0 R (dynamic_update_policies) 1108 0 R (dynamic_update_security) 1373 0 R (empty) 1450 0 R (historical_dns_information) 1733 0 R (id2466552) 978 0 R (id2466576) 979 0 R (id2467534) 980 0 R (id2467544) 981 0 R (id2467716) 993 0 R (id2467737) 994 0 R (id2467771) 995 0 R (id2467856) 998 0 R (id2467948) 991 0 R (id2470253) 1005 0 R (id2470277) 1008 0 R (id2470375) 1009 0 R (id2470396) 1010 0 R (id2470426) 1016 0 R (id2470530) 1017 0 R (id2470556) 1018 0 R (id2470590) 1024 0 R (id2470617) 1025 0 R (id2470630) 1026 0 R (id2470724) 1029 0 R (id2470734) 1035 0 R (id2470766) 1042 0 R (id2470782) 1043 0 R (id2470805) 1049 0 R (id2470822) 1050 0 R (id2471227) 1058 0 R (id2471233) 1059 0 R (id2473145) 1081 0 R (id2473157) 1082 0 R (id2473582) 1116 0 R (id2473601) 1117 0 R (id2474102) 1137 0 R (id2474119) 1138 0 R (id2474157) 1139 0 R (id2474176) 1140 0 R (id2474186) 1141 0 R (id2474229) 1142 0 R (id2474355) 1147 0 R (id2474404) 1149 0 R (id2474418) 1150 0 R (id2474603) 1156 0 R (id2474672) 1158 0 R (id2474819) 1163 0 R (id2474968) 1164 0 R (id2475287) 1176 0 R (id2475349) 1178 0 R (id2475370) 1179 0 R (id2475403) 1190 0 R (id2475550) 1203 0 R (id2476512) 1211 0 R (id2476539) 1216 0 R (id2476677) 1217 0 R (id2476692) 1218 0 R (id2476926) 1224 0 R (id2477001) 1226 0 R (id2477467) 1232 0 R (id2477510) 1234 0 R (id2477657) 1236 0 R (id2478085) 1244 0 R (id2478102) 1250 0 R (id2478125) 1251 0 R (id2478217) 1252 0 R (id2478308) 1256 0 R (id2478434) 1261 0 R (id2478486) 1262 0 R (id2479179) 1273 0 R (id2479777) 1284 0 R (id2479975) 1285 0 R (id2480364) 1291 0 R (id2480438) 1292 0 R (id2480502) 1299 0 R (id2480546) 1300 0 R (id2480561) 1301 0 R (id2483372) 1335 0 R (id2485278) 1361 0 R (id2485337) 1363 0 R (id2485774) 1378 0 R (id2486978) 1397 0 R (id2487037) 1399 0 R (id2487528) 1411 0 R (id2488167) 1425 0 R (id2489540) 1459 0 R (id2490497) 1478 0 R (id2490583) 1479 0 R (id2490634) 1480 0 R (id2490681) 1486 0 R (id2490801) 1487 0 R (id2491018) 1492 0 R (id2492631) 1506 0 R (id2492638) 1507 0 R (id2492644) 1508 0 R (id2493134) 1519 0 R (id2493168) 1520 0 R (id2494843) 1579 0 R (id2495334) 1585 0 R (id2495352) 1586 0 R (id2495372) 1589 0 R (id2495609) 1591 0 R (id2496848) 1601 0 R (id2496976) 1603 0 R (id2497133) 1604 0 R (id2497428) 1610 0 R (id2497564) 1612 0 R (id2497582) 1613 0 R (id2497987) 1620 0 R (id2498112) 1622 0 R (id2498126) 1623 0 R (id2498238) 1625 0 R (id2498261) 1626 0 R (id2498277) 1627 0 R (id2498338) 1633 0 R (id2498407) 1634 0 R (id2498512) 1635 0 R (id2498587) 1640 0 R (id2499098) 1647 0 R (id2499465) 1655 0 R (id2499470) 1656 0 R (id2501143) 1663 0 R (id2501149) 1664 0 R (id2501594) 1671 0 R (id2501600) 1672 0 R (id2502548) 1679 0 R (id2502580) 1680 0 R (id2503058) 1685 0 R (id2503232) 1700 0 R (id2503313) 1701 0 R (id2503372) 1702 0 R (id2503452) 1716 0 R (id2503458) 1717 0 R (id2503469) 1718 0 R (id2503555) 1719 0 R (id2503685) 1732 0 R (id2503925) 1738 0 R (id2504113) 1743 0 R (id2504115) 1749 0 R (id2504123) 1754 0 R (id2504147) 1750 0 R (id2504170) 1752 0 R (id2504206) 1763 0 R (id2504233) 1765 0 R (id2504259) 1757 0 R (id2504283) 1759 0 R (id2504375) 1761 0 R (id2504430) 1767 0 R (id2504457) 1769 0 R (id2504484) 1771 0 R (id2504614) 1773 0 R (id2504644) 1775 0 R (id2504674) 1777 0 R (id2504700) 1779 0 R (id2504775) 1782 0 R (id2504782) 1783 0 R (id2504809) 1785 0 R (id2504845) 1787 0 R (id2504910) 1789 0 R (id2504976) 1791 0 R (id2505041) 1794 0 R (id2505049) 1795 0 R (id2505075) 1797 0 R (id2505143) 1799 0 R (id2505178) 1801 0 R (id2505219) 1808 0 R (id2505224) 1809 0 R (id2505282) 1811 0 R (id2505319) 1819 0 R (id2505354) 1813 0 R (id2505409) 1815 0 R (id2505447) 1817 0 R (id2505473) 1821 0 R (id2505498) 1823 0 R (id2505525) 1825 0 R (id2505552) 1827 0 R (id2505591) 1829 0 R (id2505621) 1831 0 R (id2505651) 1833 0 R (id2505693) 1835 0 R (id2505726) 1837 0 R (id2505753) 1839 0 R (id2505777) 1841 0 R (id2505834) 1843 0 R (id2505859) 1846 0 R (id2505866) 1847 0 R (id2505892) 1849 0 R (id2505914) 1851 0 R (id2505938) 1853 0 R (id2505984) 1855 0 R (id2506007) 1857 0 R (id2506057) 1864 0 R (id2506065) 1865 0 R (id2506088) 1867 0 R (id2506115) 1869 0 R (id2506141) 1871 0 R (id2506178) 1873 0 R (id2506218) 1876 0 R (id2506224) 1877 0 R (id2506256) 1879 0 R (id2506301) 1881 0 R (id2506337) 1883 0 R (id2506363) 1886 0 R (id2506381) 1887 0 R (id2506404) 1889 0 R (id2506429) 1891 0 R (id2506455) 1893 0 R (id2506478) 1895 0 R (id2506524) 1897 0 R (id2506548) 1899 0 R (id2506574) 1901 0 R (id2506600) 1903 0 R (id2506637) 1906 0 R (id2506644) 1907 0 R (id2506701) 1909 0 R (id2506728) 1911 0 R (id2506833) 1919 0 R (id2506844) 1920 0 R (id2506884) 1922 0 R (id2506910) 1924 0 R (id2506940) 1926 0 R (id2506966) 1928 0 R (id2506993) 1930 0 R (id2507029) 1932 0 R (id2507065) 1934 0 R (id2507092) 1936 0 R (id2507118) 1938 0 R (id2507163) 1940 0 R (id2507205) 1943 0 R (id2507214) 1945 0 R (id2507217) 1947 0 R (incremental_zone_transfers) 1113 0 R (internet_drafts) 1942 0 R (ipv6addresses) 1180 0 R (journal) 1101 0 R (lwresd) 1191 0 R (man.ddns-confgen) 2229 0 R (man.dig) 1953 0 R (man.dnssec-dsfromkey) 2001 0 R (man.dnssec-keyfromlabel) 2019 0 R (man.dnssec-keygen) 2031 0 R (man.dnssec-revoke) 2054 0 R (man.dnssec-settime) 2065 0 R (man.dnssec-signzone) 2082 0 R (man.host) 1986 0 R (man.named) 2136 0 R (man.named-checkconf) 2107 0 R (man.named-checkzone) 2119 0 R (man.nsupdate) 2158 0 R (man.rndc) 2184 0 R (man.rndc-confgen) 2212 0 R (man.rndc.conf) 2196 0 R (notify) 1090 0 R (options) 1314 0 R (page.1) 734 0 R (page.10) 1015 0 R (page.100) 1695 0 R (page.101) 1706 0 R (page.102) 1710 0 R (page.103) 1714 0 R (page.104) 1726 0 R (page.105) 1730 0 R (page.106) 1737 0 R (page.107) 1747 0 R (page.108) 1806 0 R (page.109) 1862 0 R (page.11) 1022 0 R (page.110) 1917 0 R (page.111) 1951 0 R (page.112) 1960 0 R (page.113) 1966 0 R (page.114) 1971 0 R (page.115) 1975 0 R (page.116) 1981 0 R (page.117) 1992 0 R (page.118) 1997 0 R (page.119) 2009 0 R (page.12) 1034 0 R (page.120) 2018 0 R (page.121) 2027 0 R (page.122) 2038 0 R (page.123) 2044 0 R (page.124) 2049 0 R (page.125) 2059 0 R (page.126) 2071 0 R (page.127) 2078 0 R (page.128) 2091 0 R (page.129) 2095 0 R (page.13) 1039 0 R (page.130) 2099 0 R (page.131) 2104 0 R (page.132) 2116 0 R (page.133) 2127 0 R (page.134) 2132 0 R (page.135) 2143 0 R (page.136) 2148 0 R (page.137) 2153 0 R (page.138) 2165 0 R (page.139) 2170 0 R (page.14) 1048 0 R (page.140) 2175 0 R (page.141) 2181 0 R (page.142) 2192 0 R (page.143) 2203 0 R (page.144) 2208 0 R (page.145) 2218 0 R (page.146) 2225 0 R (page.147) 2237 0 R (page.15) 1057 0 R (page.16) 1067 0 R (page.17) 1074 0 R (page.18) 1080 0 R (page.19) 1088 0 R (page.2) 759 0 R (page.20) 1112 0 R (page.21) 1122 0 R (page.22) 1127 0 R (page.23) 1131 0 R (page.24) 1136 0 R (page.25) 1146 0 R (page.26) 1155 0 R (page.27) 1162 0 R (page.28) 1168 0 R (page.29) 1172 0 R (page.3) 769 0 R (page.30) 1184 0 R (page.31) 1188 0 R (page.32) 1196 0 R (page.33) 1200 0 R (page.34) 1210 0 R (page.35) 1215 0 R (page.36) 1223 0 R (page.37) 1231 0 R (page.38) 1241 0 R (page.39) 1249 0 R (page.4) 824 0 R (page.40) 1260 0 R (page.41) 1266 0 R (page.42) 1272 0 R (page.43) 1278 0 R (page.44) 1283 0 R (page.45) 1290 0 R (page.46) 1298 0 R (page.47) 1305 0 R (page.48) 1309 0 R (page.49) 1313 0 R (page.5) 888 0 R (page.50) 1319 0 R (page.51) 1323 0 R (page.52) 1330 0 R (page.53) 1334 0 R (page.54) 1341 0 R (page.55) 1351 0 R (page.56) 1356 0 R (page.57) 1360 0 R (page.58) 1370 0 R (page.59) 1377 0 R (page.6) 951 0 R (page.60) 1383 0 R (page.61) 1387 0 R (page.62) 1392 0 R (page.63) 1396 0 R (page.64) 1404 0 R (page.65) 1410 0 R (page.66) 1416 0 R (page.67) 1423 0 R (page.68) 1431 0 R (page.69) 1437 0 R (page.7) 976 0 R (page.70) 1449 0 R (page.71) 1454 0 R (page.72) 1458 0 R (page.73) 1464 0 R (page.74) 1470 0 R (page.75) 1477 0 R (page.76) 1485 0 R (page.77) 1491 0 R (page.78) 1496 0 R (page.79) 1500 0 R (page.8) 990 0 R (page.80) 1505 0 R (page.81) 1513 0 R (page.82) 1517 0 R (page.83) 1532 0 R (page.84) 1546 0 R (page.85) 1570 0 R (page.86) 1578 0 R (page.87) 1584 0 R (page.88) 1596 0 R (page.89) 1600 0 R (page.9) 1004 0 R (page.90) 1609 0 R (page.91) 1619 0 R (page.92) 1632 0 R (page.93) 1639 0 R (page.94) 1645 0 R (page.95) 1652 0 R (page.96) 1661 0 R (page.97) 1670 0 R (page.98) 1678 0 R (page.99) 1689 0 R (proposed_standards) 1118 0 R (query_address) 1379 0 R (rfcs) 1000 0 R (rndc) 1245 0 R (root_delegation_only) 1528 0 R (rrset_ordering) 1053 0 R (sample_configuration) 1041 0 R (section*.10) 1875 0 R (section*.100) 2157 0 R (section*.101) 2159 0 R (section*.102) 2160 0 R (section*.103) 2161 0 R (section*.104) 2166 0 R (section*.105) 2176 0 R (section*.106) 2177 0 R (section*.107) 2182 0 R (section*.108) 2183 0 R (section*.109) 2185 0 R (section*.11) 1885 0 R (section*.110) 2186 0 R (section*.111) 2187 0 R (section*.112) 2188 0 R (section*.113) 2193 0 R (section*.114) 2194 0 R (section*.115) 2195 0 R (section*.116) 2197 0 R (section*.117) 2198 0 R (section*.118) 2199 0 R (section*.119) 2204 0 R (section*.12) 1905 0 R (section*.120) 2209 0 R (section*.121) 2210 0 R (section*.122) 2211 0 R (section*.123) 2213 0 R (section*.124) 2214 0 R (section*.125) 2219 0 R (section*.126) 2220 0 R (section*.127) 2226 0 R (section*.128) 2227 0 R (section*.129) 2228 0 R (section*.13) 1918 0 R (section*.130) 2230 0 R (section*.131) 2231 0 R (section*.132) 2232 0 R (section*.133) 2233 0 R (section*.134) 2238 0 R (section*.135) 2239 0 R (section*.14) 1944 0 R (section*.15) 1954 0 R (section*.16) 1955 0 R (section*.17) 1956 0 R (section*.18) 1961 0 R (section*.19) 1962 0 R (section*.2) 1742 0 R (section*.20) 1967 0 R (section*.21) 1976 0 R (section*.22) 1982 0 R (section*.23) 1983 0 R (section*.24) 1984 0 R (section*.25) 1985 0 R (section*.26) 1987 0 R (section*.27) 1988 0 R (section*.28) 1993 0 R (section*.29) 1998 0 R (section*.3) 1748 0 R (section*.30) 1999 0 R (section*.31) 2000 0 R (section*.32) 2002 0 R (section*.33) 2003 0 R (section*.34) 2004 0 R (section*.35) 2005 0 R (section*.36) 2010 0 R (section*.37) 2011 0 R (section*.38) 2012 0 R (section*.39) 2013 0 R (section*.4) 1756 0 R (section*.40) 2014 0 R (section*.41) 2020 0 R (section*.42) 2021 0 R (section*.43) 2022 0 R (section*.44) 2023 0 R (section*.45) 2028 0 R (section*.46) 2029 0 R (section*.47) 2030 0 R (section*.48) 2032 0 R (section*.49) 2033 0 R (section*.5) 1781 0 R (section*.50) 2039 0 R (section*.51) 2040 0 R (section*.52) 2045 0 R (section*.53) 2050 0 R (section*.54) 2051 0 R (section*.55) 2052 0 R (section*.56) 2053 0 R (section*.57) 2055 0 R (section*.58) 2060 0 R (section*.59) 2061 0 R (section*.6) 1793 0 R (section*.60) 2062 0 R (section*.61) 2063 0 R (section*.62) 2064 0 R (section*.63) 2066 0 R (section*.64) 2067 0 R (section*.65) 2072 0 R (section*.66) 2073 0 R (section*.67) 2074 0 R (section*.68) 2079 0 R (section*.69) 2080 0 R (section*.7) 1807 0 R (section*.70) 2081 0 R (section*.71) 2083 0 R (section*.72) 2084 0 R (section*.73) 2085 0 R (section*.74) 2086 0 R (section*.75) 2100 0 R (section*.76) 2105 0 R (section*.77) 2106 0 R (section*.78) 2108 0 R (section*.79) 2109 0 R (section*.8) 1845 0 R (section*.80) 2110 0 R (section*.81) 2111 0 R (section*.82) 2112 0 R (section*.83) 2117 0 R (section*.84) 2118 0 R (section*.85) 2120 0 R (section*.86) 2121 0 R (section*.87) 2122 0 R (section*.88) 2123 0 R (section*.89) 2133 0 R (section*.9) 1863 0 R (section*.90) 2134 0 R (section*.91) 2135 0 R (section*.92) 2137 0 R (section*.93) 2138 0 R (section*.94) 2139 0 R (section*.95) 2144 0 R (section*.96) 2149 0 R (section*.97) 2154 0 R (section*.98) 2155 0 R (section*.99) 2156 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 494 0 R (section.6.4) 550 0 R (section.7.1) 586 0 R (section.7.2) 590 0 R (section.7.3) 602 0 R (section.8.1) 610 0 R (section.8.2) 618 0 R (section.8.3) 622 0 R (section.A.1) 630 0 R (section.A.2) 638 0 R (section.A.3) 646 0 R (section.B.1) 666 0 R (section.B.10) 702 0 R (section.B.11) 706 0 R (section.B.12) 710 0 R (section.B.13) 714 0 R (section.B.14) 718 0 R (section.B.15) 722 0 R (section.B.16) 726 0 R (section.B.2) 670 0 R (section.B.3) 674 0 R (section.B.4) 678 0 R (section.B.5) 682 0 R (section.B.6) 686 0 R (section.B.7) 690 0 R (section.B.8) 694 0 R (section.B.9) 698 0 R (server_resource_limits) 1405 0 R (server_statement_definition_and_usage) 1347 0 R (server_statement_grammar) 1465 0 R (statistics) 1646 0 R (statistics_counters) 1654 0 R (statschannels) 1473 0 R (statsfile) 1326 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.27) 470 0 R (subsection.6.2.28) 474 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 498 0 R (subsection.6.3.2) 510 0 R (subsection.6.3.3) 514 0 R (subsection.6.3.4) 518 0 R (subsection.6.3.5) 522 0 R (subsection.6.3.6) 542 0 R (subsection.6.3.7) 546 0 R (subsection.6.4.1) 558 0 R (subsection.7.2.1) 594 0 R (subsection.7.2.2) 598 0 R (subsection.8.1.1) 614 0 R (subsection.A.1.1) 634 0 R (subsection.A.2.1) 642 0 R (subsection.A.3.1) 650 0 R (subsection.A.3.2) 654 0 R (subsection.A.3.3) 658 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.28.1) 478 0 R (subsubsection.6.2.28.2) 482 0 R (subsubsection.6.2.28.3) 486 0 R (subsubsection.6.2.28.4) 490 0 R (subsubsection.6.3.1.1) 502 0 R (subsubsection.6.3.1.2) 506 0 R (subsubsection.6.3.5.1) 526 0 R (subsubsection.6.3.5.2) 530 0 R (subsubsection.6.3.5.3) 534 0 R (subsubsection.6.3.5.4) 538 0 R (subsubsection.6.4.0.1) 554 0 R (subsubsection.6.4.1.1) 562 0 R (subsubsection.6.4.1.2) 566 0 R (subsubsection.6.4.1.3) 570 0 R (subsubsection.6.4.1.4) 574 0 R (subsubsection.6.4.1.5) 578 0 R (table.1.1) 982 0 R (table.1.2) 992 0 R (table.3.1) 1051 0 R (table.3.2) 1083 0 R (table.6.1) 1204 0 R (table.6.10) 1590 0 R (table.6.11) 1592 0 R (table.6.12) 1602 0 R (table.6.13) 1605 0 R (table.6.14) 1611 0 R (table.6.15) 1614 0 R (table.6.16) 1621 0 R (table.6.17) 1624 0 R (table.6.18) 1641 0 R (table.6.19) 1648 0 R (table.6.2) 1227 0 R (table.6.20) 1657 0 R (table.6.21) 1665 0 R (table.6.22) 1673 0 R (table.6.23) 1681 0 R (table.6.3) 1235 0 R (table.6.4) 1274 0 R (table.6.5) 1286 0 R (table.6.6) 1336 0 R (table.6.7) 1426 0 R (table.6.8) 1509 0 R (table.6.9) 1580 0 R (the_category_phrase) 1268 0 R (the_sortlist_statement) 1417 0 R (topology) 1412 0 R (tsig) 1132 0 R (tuning) 1432 0 R (types_of_resource_records_and_when_to_use_them) 999 0 R (view_statement_grammar) 1445 0 R (zone_statement_grammar) 1366 0 R (zone_transfers) 1107 0 R (zonefile_format) 1444 0 R]
 /Limits [(Access_Control_Lists) (zonefile_format)]
 >> endobj
-2253 0 obj <<
-/Kids [2252 0 R]
+2266 0 obj <<
+/Kids [2265 0 R]
 >> endobj
-2254 0 obj <<
-/Dests 2253 0 R
+2267 0 obj <<
+/Dests 2266 0 R
 >> endobj
-2255 0 obj <<
+2268 0 obj <<
 /Type /Catalog
-/Pages 2250 0 R
-/Outlines 2251 0 R
-/Names 2254 0 R
+/Pages 2263 0 R
+/Outlines 2264 0 R
+/Names 2267 0 R
 /PageMode /UseOutlines 
-/OpenAction 721 0 R
+/OpenAction 729 0 R
 >> endobj
-2256 0 obj <<
+2269 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20090728202350Z)
+/CreationDate (D:20090903011315Z)
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 2257
+0 2270
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
 0000000004 00000 f 
 0000000000 00000 f 
 0000000009 00000 n 
-0000073067 00000 n 
-0000786905 00000 n 
+0000073723 00000 n 
+0000794710 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
-0000073191 00000 n 
-0000786833 00000 n 
+0000073847 00000 n 
+0000794638 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
-0000073316 00000 n 
-0000786747 00000 n 
+0000073972 00000 n 
+0000794552 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
-0000073441 00000 n 
-0000786661 00000 n 
+0000074097 00000 n 
+0000794466 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
-0000077766 00000 n 
-0000786551 00000 n 
+0000078422 00000 n 
+0000794356 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
-0000077890 00000 n 
-0000786477 00000 n 
+0000078546 00000 n 
+0000794282 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
-0000078015 00000 n 
-0000786390 00000 n 
+0000078671 00000 n 
+0000794195 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
-0000078139 00000 n 
-0000786303 00000 n 
+0000078795 00000 n 
+0000794108 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
-0000082418 00000 n 
-0000786179 00000 n 
+0000083084 00000 n 
+0000793984 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
-0000082543 00000 n 
-0000786105 00000 n 
+0000083212 00000 n 
+0000793910 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
-0000082668 00000 n 
-0000786018 00000 n 
+0000083340 00000 n 
+0000793823 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
-0000082793 00000 n 
-0000785944 00000 n 
+0000083468 00000 n 
+0000793749 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
-0000085772 00000 n 
-0000785820 00000 n 
+0000086450 00000 n 
+0000793625 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
-0000085900 00000 n 
-0000785759 00000 n 
+0000086578 00000 n 
+0000793564 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
-0000086028 00000 n 
-0000785685 00000 n 
+0000086706 00000 n 
+0000793490 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
-0000088970 00000 n 
-0000785560 00000 n 
+0000089648 00000 n 
+0000793365 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
-0000089098 00000 n 
-0000785486 00000 n 
+0000089776 00000 n 
+0000793291 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
-0000089226 00000 n 
-0000785399 00000 n 
+0000089904 00000 n 
+0000793204 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
-0000089354 00000 n 
-0000785312 00000 n 
+0000090032 00000 n 
+0000793117 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
-0000089481 00000 n 
-0000785225 00000 n 
+0000090159 00000 n 
+0000793030 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
-0000090558 00000 n 
-0000785151 00000 n 
+0000091236 00000 n 
+0000792956 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
-0000092217 00000 n 
-0000785023 00000 n 
+0000092895 00000 n 
+0000792828 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
-0000092344 00000 n 
-0000784910 00000 n 
+0000093022 00000 n 
+0000792715 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
-0000092472 00000 n 
-0000784834 00000 n 
+0000093150 00000 n 
+0000792639 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
-0000092600 00000 n 
-0000784757 00000 n 
+0000093278 00000 n 
+0000792562 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
-0000095046 00000 n 
-0000784666 00000 n 
+0000095724 00000 n 
+0000792471 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
-0000098384 00000 n 
-0000784549 00000 n 
+0000099062 00000 n 
+0000792354 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
-0000098512 00000 n 
-0000784431 00000 n 
+0000099190 00000 n 
+0000792236 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
-0000098640 00000 n 
-0000784352 00000 n 
+0000099318 00000 n 
+0000792157 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
-0000098769 00000 n 
-0000784273 00000 n 
+0000099447 00000 n 
+0000792078 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
-0000109591 00000 n 
-0000784194 00000 n 
+0000110269 00000 n 
+0000791999 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
-0000114900 00000 n 
-0000784062 00000 n 
+0000115577 00000 n 
+0000791867 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
-0000115029 00000 n 
-0000783983 00000 n 
+0000115706 00000 n 
+0000791788 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
-0000115158 00000 n 
-0000783851 00000 n 
+0000115835 00000 n 
+0000791656 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
-0000115287 00000 n 
-0000783786 00000 n 
+0000115964 00000 n 
+0000791591 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
-0000119662 00000 n 
-0000783693 00000 n 
+0000120339 00000 n 
+0000791498 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
-0000119791 00000 n 
-0000783561 00000 n 
+0000120468 00000 n 
+0000791366 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
-0000119920 00000 n 
-0000783496 00000 n 
+0000120597 00000 n 
+0000791301 00000 n 
 0000003632 00000 n 
 0000003681 00000 n 
-0000126737 00000 n 
-0000783364 00000 n 
+0000127414 00000 n 
+0000791169 00000 n 
 0000003730 00000 n 
 0000003758 00000 n 
-0000129588 00000 n 
-0000783246 00000 n 
+0000130265 00000 n 
+0000791051 00000 n 
 0000003812 00000 n 
 0000003881 00000 n 
-0000129717 00000 n 
-0000783167 00000 n 
+0000130394 00000 n 
+0000790972 00000 n 
 0000003940 00000 n 
 0000003988 00000 n 
-0000129846 00000 n 
-0000783088 00000 n 
+0000130523 00000 n 
+0000790893 00000 n 
 0000004047 00000 n 
 0000004092 00000 n 
-0000129975 00000 n 
-0000782995 00000 n 
+0000130652 00000 n 
+0000790800 00000 n 
 0000004146 00000 n 
 0000004214 00000 n 
-0000130104 00000 n 
-0000782902 00000 n 
+0000130781 00000 n 
+0000790707 00000 n 
 0000004268 00000 n 
 0000004338 00000 n 
-0000130233 00000 n 
-0000782809 00000 n 
+0000130910 00000 n 
+0000790614 00000 n 
 0000004392 00000 n 
 0000004455 00000 n 
-0000133966 00000 n 
-0000782716 00000 n 
+0000134643 00000 n 
+0000790521 00000 n 
 0000004509 00000 n 
 0000004564 00000 n 
-0000134095 00000 n 
-0000782637 00000 n 
+0000134772 00000 n 
+0000790442 00000 n 
 0000004618 00000 n 
 0000004650 00000 n 
-0000134224 00000 n 
-0000782544 00000 n 
+0000134901 00000 n 
+0000790349 00000 n 
 0000004699 00000 n 
 0000004727 00000 n 
-0000137828 00000 n 
-0000782451 00000 n 
+0000138505 00000 n 
+0000790256 00000 n 
 0000004776 00000 n 
 0000004808 00000 n 
-0000137957 00000 n 
-0000782319 00000 n 
+0000138634 00000 n 
+0000790124 00000 n 
 0000004857 00000 n 
 0000004887 00000 n 
-0000138086 00000 n 
-0000782240 00000 n 
+0000138763 00000 n 
+0000790045 00000 n 
 0000004941 00000 n 
 0000004982 00000 n 
-0000141781 00000 n 
-0000782147 00000 n 
+0000142493 00000 n 
+0000789952 00000 n 
 0000005036 00000 n 
 0000005078 00000 n 
-0000141908 00000 n 
-0000782068 00000 n 
+0000142622 00000 n 
+0000789873 00000 n 
 0000005132 00000 n 
 0000005177 00000 n 
-0000147777 00000 n 
-0000781950 00000 n 
+0000148577 00000 n 
+0000789755 00000 n 
 0000005226 00000 n 
 0000005272 00000 n 
-0000147905 00000 n 
-0000781871 00000 n 
+0000148706 00000 n 
+0000789676 00000 n 
 0000005326 00000 n 
 0000005386 00000 n 
-0000148034 00000 n 
-0000781792 00000 n 
+0000148835 00000 n 
+0000789597 00000 n 
 0000005440 00000 n 
 0000005509 00000 n 
-0000151218 00000 n 
-0000781659 00000 n 
+0000152019 00000 n 
+0000789464 00000 n 
 0000005556 00000 n 
 0000005609 00000 n 
-0000151347 00000 n 
-0000781580 00000 n 
+0000152148 00000 n 
+0000789385 00000 n 
 0000005658 00000 n 
 0000005714 00000 n 
-0000151476 00000 n 
-0000781501 00000 n 
+0000152277 00000 n 
+0000789306 00000 n 
 0000005763 00000 n 
 0000005812 00000 n 
-0000155745 00000 n 
-0000781368 00000 n 
+0000156546 00000 n 
+0000789173 00000 n 
 0000005859 00000 n 
 0000005911 00000 n 
-0000155874 00000 n 
-0000781250 00000 n 
+0000156675 00000 n 
+0000789055 00000 n 
 0000005960 00000 n 
 0000006011 00000 n 
-0000160564 00000 n 
-0000781132 00000 n 
+0000161365 00000 n 
+0000788937 00000 n 
 0000006065 00000 n 
 0000006110 00000 n 
-0000160692 00000 n 
-0000781053 00000 n 
+0000161493 00000 n 
+0000788858 00000 n 
 0000006169 00000 n 
 0000006203 00000 n 
-0000164282 00000 n 
-0000780974 00000 n 
+0000165083 00000 n 
+0000788779 00000 n 
 0000006262 00000 n 
 0000006310 00000 n 
-0000164411 00000 n 
-0000780856 00000 n 
+0000165212 00000 n 
+0000788661 00000 n 
 0000006364 00000 n 
 0000006404 00000 n 
-0000164540 00000 n 
-0000780777 00000 n 
+0000165341 00000 n 
+0000788582 00000 n 
 0000006463 00000 n 
 0000006497 00000 n 
-0000168316 00000 n 
-0000780698 00000 n 
+0000169117 00000 n 
+0000788503 00000 n 
 0000006556 00000 n 
 0000006604 00000 n 
-0000168445 00000 n 
-0000780565 00000 n 
+0000169246 00000 n 
+0000788370 00000 n 
 0000006653 00000 n 
 0000006703 00000 n 
-0000171463 00000 n 
-0000780486 00000 n 
+0000172314 00000 n 
+0000788291 00000 n 
 0000006757 00000 n 
 0000006804 00000 n 
-0000171591 00000 n 
-0000780393 00000 n 
+0000172442 00000 n 
+0000788198 00000 n 
 0000006858 00000 n 
 0000006918 00000 n 
-0000171849 00000 n 
-0000780300 00000 n 
+0000172701 00000 n 
+0000788105 00000 n 
 0000006972 00000 n 
 0000007024 00000 n 
-0000176981 00000 n 
-0000780207 00000 n 
+0000177881 00000 n 
+0000788012 00000 n 
 0000007078 00000 n 
 0000007143 00000 n 
-0000177110 00000 n 
-0000780114 00000 n 
+0000178010 00000 n 
+0000787919 00000 n 
 0000007197 00000 n 
 0000007248 00000 n 
-0000180582 00000 n 
-0000780021 00000 n 
+0000181484 00000 n 
+0000787826 00000 n 
 0000007302 00000 n 
 0000007366 00000 n 
-0000180711 00000 n 
-0000779928 00000 n 
+0000181613 00000 n 
+0000787733 00000 n 
 0000007420 00000 n 
 0000007467 00000 n 
-0000180840 00000 n 
-0000779835 00000 n 
+0000181742 00000 n 
+0000787640 00000 n 
 0000007521 00000 n 
 0000007581 00000 n 
-0000180969 00000 n 
-0000779742 00000 n 
+0000181871 00000 n 
+0000787547 00000 n 
 0000007635 00000 n 
 0000007686 00000 n 
-0000184985 00000 n 
-0000779610 00000 n 
+0000185887 00000 n 
+0000787415 00000 n 
 0000007741 00000 n 
 0000007806 00000 n 
-0000185114 00000 n 
-0000779531 00000 n 
+0000186016 00000 n 
+0000787336 00000 n 
 0000007866 00000 n 
 0000007913 00000 n 
-0000191930 00000 n 
-0000779438 00000 n 
+0000192832 00000 n 
+0000787243 00000 n 
 0000007973 00000 n 
 0000008021 00000 n 
-0000199062 00000 n 
-0000779359 00000 n 
+0000199964 00000 n 
+0000787164 00000 n 
 0000008081 00000 n 
 0000008135 00000 n 
-0000202763 00000 n 
-0000779266 00000 n 
+0000203665 00000 n 
+0000787071 00000 n 
 0000008190 00000 n 
 0000008240 00000 n 
-0000202892 00000 n 
-0000779173 00000 n 
+0000203794 00000 n 
+0000786978 00000 n 
 0000008295 00000 n 
 0000008358 00000 n 
-0000204623 00000 n 
-0000779080 00000 n 
+0000205525 00000 n 
+0000786885 00000 n 
 0000008413 00000 n 
 0000008465 00000 n 
-0000204752 00000 n 
-0000778987 00000 n 
+0000205654 00000 n 
+0000786792 00000 n 
 0000008520 00000 n 
 0000008585 00000 n 
-0000204880 00000 n 
-0000778894 00000 n 
+0000205782 00000 n 
+0000786699 00000 n 
 0000008640 00000 n 
 0000008692 00000 n 
-0000210942 00000 n 
-0000778761 00000 n 
+0000211844 00000 n 
+0000786566 00000 n 
 0000008747 00000 n 
 0000008812 00000 n 
-0000223413 00000 n 
-0000778682 00000 n 
+0000224498 00000 n 
+0000786487 00000 n 
 0000008872 00000 n 
 0000008916 00000 n 
-0000244763 00000 n 
-0000778589 00000 n 
+0000245848 00000 n 
+0000786394 00000 n 
 0000008976 00000 n 
 0000009015 00000 n 
-0000244891 00000 n 
-0000778496 00000 n 
+0000245976 00000 n 
+0000786301 00000 n 
 0000009075 00000 n 
 0000009122 00000 n 
-0000245020 00000 n 
-0000778403 00000 n 
+0000246105 00000 n 
+0000786208 00000 n 
 0000009182 00000 n 
 0000009225 00000 n 
-0000252262 00000 n 
-0000778310 00000 n 
+0000253347 00000 n 
+0000786115 00000 n 
 0000009285 00000 n 
 0000009324 00000 n 
-0000252391 00000 n 
-0000778217 00000 n 
+0000253476 00000 n 
+0000786022 00000 n 
 0000009384 00000 n 
 0000009426 00000 n 
-0000259194 00000 n 
-0000778124 00000 n 
+0000260279 00000 n 
+0000785929 00000 n 
 0000009486 00000 n 
 0000009529 00000 n 
-0000267237 00000 n 
-0000778031 00000 n 
+0000268322 00000 n 
+0000785836 00000 n 
 0000009589 00000 n 
 0000009632 00000 n 
-0000267366 00000 n 
-0000777938 00000 n 
+0000268451 00000 n 
+0000785743 00000 n 
 0000009692 00000 n 
 0000009753 00000 n 
-0000271538 00000 n 
-0000777845 00000 n 
+0000272623 00000 n 
+0000785650 00000 n 
 0000009814 00000 n 
 0000009866 00000 n 
-0000274900 00000 n 
-0000777752 00000 n 
+0000275985 00000 n 
+0000785557 00000 n 
 0000009927 00000 n 
 0000009980 00000 n 
-0000275029 00000 n 
-0000777659 00000 n 
+0000276114 00000 n 
+0000785464 00000 n 
 0000010041 00000 n 
 0000010079 00000 n 
-0000278873 00000 n 
-0000777566 00000 n 
+0000279958 00000 n 
+0000785371 00000 n 
 0000010140 00000 n 
 0000010192 00000 n 
-0000282289 00000 n 
-0000777473 00000 n 
+0000283374 00000 n 
+0000785278 00000 n 
 0000010253 00000 n 
 0000010297 00000 n 
-0000286459 00000 n 
-0000777380 00000 n 
+0000287544 00000 n 
+0000785185 00000 n 
 0000010358 00000 n 
 0000010394 00000 n 
-0000291377 00000 n 
-0000777287 00000 n 
+0000292462 00000 n 
+0000785092 00000 n 
 0000010455 00000 n 
 0000010518 00000 n 
-0000294738 00000 n 
-0000777194 00000 n 
+0000295823 00000 n 
+0000784999 00000 n 
 0000010579 00000 n 
 0000010629 00000 n 
-0000298528 00000 n 
-0000777101 00000 n 
+0000299613 00000 n 
+0000784906 00000 n 
 0000010690 00000 n 
 0000010746 00000 n 
-0000302709 00000 n 
-0000777022 00000 n 
+0000303794 00000 n 
+0000784827 00000 n 
 0000010807 00000 n 
 0000010854 00000 n 
-0000305864 00000 n 
-0000776929 00000 n 
+0000306949 00000 n 
+0000784734 00000 n 
 0000010909 00000 n 
 0000010960 00000 n 
-0000305993 00000 n 
-0000776836 00000 n 
+0000307078 00000 n 
+0000784641 00000 n 
 0000011015 00000 n 
 0000011079 00000 n 
-0000310879 00000 n 
-0000776743 00000 n 
+0000311964 00000 n 
+0000784548 00000 n 
 0000011134 00000 n 
 0000011198 00000 n 
-0000314907 00000 n 
-0000776650 00000 n 
+0000315845 00000 n 
+0000784455 00000 n 
 0000011253 00000 n 
 0000011330 00000 n 
-0000315036 00000 n 
-0000776557 00000 n 
+0000315974 00000 n 
+0000784362 00000 n 
 0000011385 00000 n 
 0000011442 00000 n 
-0000315165 00000 n 
-0000776464 00000 n 
+0000316103 00000 n 
+0000784269 00000 n 
 0000011497 00000 n 
 0000011567 00000 n 
-0000318596 00000 n 
-0000776371 00000 n 
+0000319957 00000 n 
+0000784176 00000 n 
 0000011622 00000 n 
-0000011671 00000 n 
-0000318725 00000 n 
-0000776278 00000 n 
-0000011726 00000 n 
-0000011788 00000 n 
-0000320479 00000 n 
-0000776185 00000 n 
-0000011843 00000 n 
-0000011892 00000 n 
-0000327398 00000 n 
-0000776067 00000 n 
-0000011947 00000 n 
-0000012009 00000 n 
-0000327527 00000 n 
-0000775988 00000 n 
-0000012069 00000 n 
-0000012108 00000 n 
-0000332780 00000 n 
-0000775895 00000 n 
-0000012168 00000 n 
-0000012202 00000 n 
-0000332909 00000 n 
-0000775802 00000 n 
-0000012262 00000 n 
-0000012303 00000 n 
-0000349063 00000 n 
-0000775723 00000 n 
-0000012363 00000 n 
-0000012415 00000 n 
-0000356420 00000 n 
-0000775591 00000 n 
-0000012464 00000 n 
-0000012497 00000 n 
-0000356549 00000 n 
-0000775473 00000 n 
-0000012551 00000 n 
-0000012623 00000 n 
-0000356676 00000 n 
-0000775394 00000 n 
-0000012682 00000 n 
-0000012726 00000 n 
-0000364028 00000 n 
-0000775315 00000 n 
-0000012785 00000 n 
-0000012838 00000 n 
-0000367680 00000 n 
-0000775222 00000 n 
-0000012892 00000 n 
-0000012942 00000 n 
-0000367939 00000 n 
-0000775129 00000 n 
-0000012996 00000 n 
-0000013034 00000 n 
-0000371369 00000 n 
-0000775036 00000 n 
-0000013088 00000 n 
-0000013137 00000 n 
-0000371628 00000 n 
-0000774904 00000 n 
-0000013191 00000 n 
-0000013243 00000 n 
-0000371756 00000 n 
-0000774825 00000 n 
-0000013302 00000 n 
-0000013347 00000 n 
-0000371885 00000 n 
-0000774732 00000 n 
-0000013406 00000 n 
-0000013458 00000 n 
-0000374833 00000 n 
-0000774639 00000 n 
-0000013517 00000 n 
-0000013570 00000 n 
-0000374962 00000 n 
-0000774560 00000 n 
-0000013629 00000 n 
-0000013678 00000 n 
-0000375091 00000 n 
-0000774467 00000 n 
-0000013732 00000 n 
-0000013812 00000 n 
-0000382219 00000 n 
-0000774388 00000 n 
+0000011679 00000 n 
+0000320086 00000 n 
+0000784083 00000 n 
+0000011734 00000 n 
+0000011804 00000 n 
+0000320214 00000 n 
+0000783990 00000 n 
+0000011859 00000 n 
+0000011908 00000 n 
+0000323686 00000 n 
+0000783897 00000 n 
+0000011963 00000 n 
+0000012025 00000 n 
+0000325436 00000 n 
+0000783804 00000 n 
+0000012080 00000 n 
+0000012129 00000 n 
+0000328551 00000 n 
+0000783686 00000 n 
+0000012184 00000 n 
+0000012246 00000 n 
+0000328680 00000 n 
+0000783607 00000 n 
+0000012306 00000 n 
+0000012345 00000 n 
+0000337762 00000 n 
+0000783514 00000 n 
+0000012405 00000 n 
+0000012439 00000 n 
+0000337891 00000 n 
+0000783421 00000 n 
+0000012499 00000 n 
+0000012540 00000 n 
+0000354043 00000 n 
+0000783342 00000 n 
+0000012600 00000 n 
+0000012652 00000 n 
+0000361402 00000 n 
+0000783210 00000 n 
+0000012701 00000 n 
+0000012734 00000 n 
+0000361531 00000 n 
+0000783092 00000 n 
+0000012788 00000 n 
+0000012860 00000 n 
+0000361658 00000 n 
+0000783013 00000 n 
+0000012919 00000 n 
+0000012963 00000 n 
+0000369009 00000 n 
+0000782934 00000 n 
+0000013022 00000 n 
+0000013075 00000 n 
+0000372657 00000 n 
+0000782841 00000 n 
+0000013129 00000 n 
+0000013179 00000 n 
+0000372916 00000 n 
+0000782748 00000 n 
+0000013233 00000 n 
+0000013271 00000 n 
+0000376350 00000 n 
+0000782655 00000 n 
+0000013325 00000 n 
+0000013374 00000 n 
+0000376609 00000 n 
+0000782523 00000 n 
+0000013428 00000 n 
+0000013480 00000 n 
+0000376737 00000 n 
+0000782444 00000 n 
+0000013539 00000 n 
+0000013584 00000 n 
+0000376866 00000 n 
+0000782351 00000 n 
+0000013643 00000 n 
+0000013695 00000 n 
+0000379812 00000 n 
+0000782258 00000 n 
+0000013754 00000 n 
+0000013807 00000 n 
+0000379941 00000 n 
+0000782179 00000 n 
 0000013866 00000 n 
 0000013915 00000 n 
-0000382348 00000 n 
-0000774270 00000 n 
-0000013964 00000 n 
-0000014004 00000 n 
-0000385788 00000 n 
-0000774191 00000 n 
-0000014063 00000 n 
-0000014110 00000 n 
-0000385917 00000 n 
-0000774073 00000 n 
-0000014164 00000 n 
-0000014209 00000 n 
-0000386046 00000 n 
-0000773994 00000 n 
-0000014268 00000 n 
-0000014327 00000 n 
-0000389802 00000 n 
-0000773901 00000 n 
-0000014386 00000 n 
-0000014450 00000 n 
-0000393519 00000 n 
-0000773808 00000 n 
-0000014509 00000 n 
-0000014565 00000 n 
-0000396536 00000 n 
-0000773715 00000 n 
-0000014624 00000 n 
-0000014682 00000 n 
-0000396794 00000 n 
-0000773636 00000 n 
-0000014741 00000 n 
-0000014803 00000 n 
-0000398956 00000 n 
-0000773503 00000 n 
-0000014850 00000 n 
-0000014902 00000 n 
-0000399085 00000 n 
-0000773424 00000 n 
-0000014951 00000 n 
-0000014995 00000 n 
-0000403120 00000 n 
-0000773292 00000 n 
-0000015044 00000 n 
-0000015085 00000 n 
-0000403249 00000 n 
-0000773213 00000 n 
+0000380070 00000 n 
+0000782086 00000 n 
+0000013969 00000 n 
+0000014049 00000 n 
+0000387198 00000 n 
+0000782007 00000 n 
+0000014103 00000 n 
+0000014152 00000 n 
+0000387327 00000 n 
+0000781889 00000 n 
+0000014201 00000 n 
+0000014241 00000 n 
+0000390767 00000 n 
+0000781810 00000 n 
+0000014300 00000 n 
+0000014347 00000 n 
+0000390896 00000 n 
+0000781692 00000 n 
+0000014401 00000 n 
+0000014446 00000 n 
+0000391025 00000 n 
+0000781613 00000 n 
+0000014505 00000 n 
+0000014564 00000 n 
+0000394781 00000 n 
+0000781520 00000 n 
+0000014623 00000 n 
+0000014687 00000 n 
+0000398501 00000 n 
+0000781427 00000 n 
+0000014746 00000 n 
+0000014802 00000 n 
+0000401515 00000 n 
+0000781334 00000 n 
+0000014861 00000 n 
+0000014919 00000 n 
+0000401773 00000 n 
+0000781255 00000 n 
+0000014978 00000 n 
+0000015040 00000 n 
+0000403552 00000 n 
+0000781122 00000 n 
+0000015087 00000 n 
 0000015139 00000 n 
-0000015187 00000 n 
-0000403377 00000 n 
-0000773134 00000 n 
-0000015241 00000 n 
-0000015292 00000 n 
-0000403506 00000 n 
-0000773055 00000 n 
-0000015341 00000 n 
-0000015388 00000 n 
-0000408100 00000 n 
-0000772922 00000 n 
-0000015435 00000 n 
-0000015472 00000 n 
-0000408229 00000 n 
-0000772804 00000 n 
-0000015521 00000 n 
-0000015560 00000 n 
-0000408358 00000 n 
-0000772739 00000 n 
-0000015614 00000 n 
-0000015692 00000 n 
-0000408487 00000 n 
-0000772646 00000 n 
-0000015741 00000 n 
-0000015808 00000 n 
-0000408616 00000 n 
-0000772567 00000 n 
-0000015857 00000 n 
-0000015902 00000 n 
-0000412056 00000 n 
-0000772434 00000 n 
-0000015950 00000 n 
-0000015982 00000 n 
-0000412185 00000 n 
-0000772316 00000 n 
-0000016031 00000 n 
-0000016070 00000 n 
-0000412314 00000 n 
-0000772251 00000 n 
-0000016124 00000 n 
-0000016185 00000 n 
-0000415995 00000 n 
-0000772119 00000 n 
-0000016234 00000 n 
-0000016291 00000 n 
-0000416124 00000 n 
-0000772054 00000 n 
-0000016345 00000 n 
-0000016394 00000 n 
-0000416253 00000 n 
-0000771936 00000 n 
-0000016443 00000 n 
-0000016505 00000 n 
-0000416382 00000 n 
-0000771857 00000 n 
-0000016559 00000 n 
-0000016614 00000 n 
-0000440404 00000 n 
-0000771764 00000 n 
-0000016668 00000 n 
-0000016709 00000 n 
-0000440533 00000 n 
-0000771685 00000 n 
-0000016763 00000 n 
-0000016815 00000 n 
-0000443264 00000 n 
-0000771565 00000 n 
-0000016863 00000 n 
-0000016897 00000 n 
-0000443393 00000 n 
-0000771486 00000 n 
+0000403681 00000 n 
+0000781043 00000 n 
+0000015188 00000 n 
+0000015232 00000 n 
+0000407716 00000 n 
+0000780911 00000 n 
+0000015281 00000 n 
+0000015322 00000 n 
+0000407845 00000 n 
+0000780832 00000 n 
+0000015376 00000 n 
+0000015424 00000 n 
+0000407973 00000 n 
+0000780753 00000 n 
+0000015478 00000 n 
+0000015529 00000 n 
+0000408102 00000 n 
+0000780674 00000 n 
+0000015578 00000 n 
+0000015625 00000 n 
+0000412696 00000 n 
+0000780541 00000 n 
+0000015672 00000 n 
+0000015709 00000 n 
+0000412825 00000 n 
+0000780423 00000 n 
+0000015758 00000 n 
+0000015797 00000 n 
+0000412954 00000 n 
+0000780358 00000 n 
+0000015851 00000 n 
+0000015929 00000 n 
+0000413083 00000 n 
+0000780265 00000 n 
+0000015978 00000 n 
+0000016045 00000 n 
+0000413212 00000 n 
+0000780186 00000 n 
+0000016094 00000 n 
+0000016139 00000 n 
+0000416652 00000 n 
+0000780053 00000 n 
+0000016187 00000 n 
+0000016219 00000 n 
+0000416781 00000 n 
+0000779935 00000 n 
+0000016268 00000 n 
+0000016307 00000 n 
+0000416910 00000 n 
+0000779870 00000 n 
+0000016361 00000 n 
+0000016422 00000 n 
+0000420591 00000 n 
+0000779738 00000 n 
+0000016471 00000 n 
+0000016528 00000 n 
+0000420720 00000 n 
+0000779673 00000 n 
+0000016582 00000 n 
+0000016631 00000 n 
+0000420849 00000 n 
+0000779555 00000 n 
+0000016680 00000 n 
+0000016742 00000 n 
+0000420978 00000 n 
+0000779476 00000 n 
+0000016796 00000 n 
+0000016851 00000 n 
+0000445001 00000 n 
+0000779383 00000 n 
+0000016905 00000 n 
 0000016946 00000 n 
-0000016973 00000 n 
-0000461215 00000 n 
-0000771393 00000 n 
-0000017022 00000 n 
-0000017050 00000 n 
-0000468743 00000 n 
-0000771300 00000 n 
-0000017099 00000 n 
-0000017139 00000 n 
-0000474695 00000 n 
-0000771207 00000 n 
-0000017188 00000 n 
-0000017231 00000 n 
-0000477755 00000 n 
-0000771114 00000 n 
-0000017280 00000 n 
-0000017317 00000 n 
-0000487749 00000 n 
-0000771021 00000 n 
-0000017366 00000 n 
-0000017403 00000 n 
-0000490125 00000 n 
-0000770928 00000 n 
-0000017452 00000 n 
-0000017490 00000 n 
-0000496622 00000 n 
-0000770835 00000 n 
-0000017539 00000 n 
-0000017578 00000 n 
-0000506412 00000 n 
-0000770742 00000 n 
-0000017627 00000 n 
-0000017666 00000 n 
-0000509135 00000 n 
-0000770649 00000 n 
-0000017716 00000 n 
-0000017756 00000 n 
-0000518834 00000 n 
-0000770556 00000 n 
-0000017806 00000 n 
-0000017836 00000 n 
-0000528975 00000 n 
-0000770463 00000 n 
-0000017886 00000 n 
-0000017919 00000 n 
-0000539122 00000 n 
-0000770370 00000 n 
-0000017969 00000 n 
-0000017998 00000 n 
-0000546416 00000 n 
-0000770277 00000 n 
-0000018048 00000 n 
-0000018082 00000 n 
-0000552104 00000 n 
-0000770184 00000 n 
-0000018132 00000 n 
-0000018169 00000 n 
-0000555371 00000 n 
-0000770105 00000 n 
-0000018219 00000 n 
-0000018256 00000 n 
-0000018625 00000 n 
-0000018747 00000 n 
-0000026576 00000 n 
-0000018309 00000 n 
-0000026450 00000 n 
-0000026513 00000 n 
-0000765233 00000 n 
-0000739290 00000 n 
-0000765059 00000 n 
-0000766258 00000 n 
-0000021610 00000 n 
-0000021827 00000 n 
-0000021896 00000 n 
-0000021965 00000 n 
-0000022033 00000 n 
-0000022101 00000 n 
-0000022150 00000 n 
-0000022197 00000 n 
-0000022530 00000 n 
-0000022552 00000 n 
-0000022720 00000 n 
-0000022885 00000 n 
-0000023054 00000 n 
-0000023233 00000 n 
-0000023542 00000 n 
-0000023702 00000 n 
-0000027940 00000 n 
-0000027755 00000 n 
-0000026676 00000 n 
-0000027877 00000 n 
-0000738069 00000 n 
-0000711548 00000 n 
-0000737895 00000 n 
-0000710863 00000 n 
-0000708719 00000 n 
-0000710699 00000 n 
-0000039644 00000 n 
-0000030995 00000 n 
-0000028025 00000 n 
-0000039518 00000 n 
-0000039581 00000 n 
-0000031529 00000 n 
-0000031683 00000 n 
-0000031840 00000 n 
-0000031997 00000 n 
-0000032153 00000 n 
-0000032310 00000 n 
-0000032472 00000 n 
-0000032633 00000 n 
-0000032794 00000 n 
-0000032956 00000 n 
-0000033123 00000 n 
-0000033290 00000 n 
-0000033455 00000 n 
-0000033617 00000 n 
-0000033783 00000 n 
-0000033944 00000 n 
-0000034099 00000 n 
-0000034256 00000 n 
-0000034412 00000 n 
-0000034569 00000 n 
-0000034726 00000 n 
-0000034883 00000 n 
-0000035037 00000 n 
-0000035193 00000 n 
-0000035355 00000 n 
-0000035517 00000 n 
-0000035673 00000 n 
-0000035828 00000 n 
-0000035990 00000 n 
-0000036157 00000 n 
-0000036323 00000 n 
-0000036484 00000 n 
-0000036639 00000 n 
-0000036796 00000 n 
-0000036953 00000 n 
-0000037115 00000 n 
-0000037272 00000 n 
-0000037429 00000 n 
-0000037591 00000 n 
-0000037748 00000 n 
-0000037910 00000 n 
-0000038077 00000 n 
-0000038243 00000 n 
-0000038405 00000 n 
-0000038567 00000 n 
-0000038729 00000 n 
-0000038891 00000 n 
-0000039053 00000 n 
-0000039208 00000 n 
-0000039363 00000 n 
-0000053036 00000 n 
-0000042981 00000 n 
-0000039729 00000 n 
-0000052973 00000 n 
-0000708168 00000 n 
-0000691087 00000 n 
-0000707984 00000 n 
-0000043571 00000 n 
-0000043734 00000 n 
-0000043897 00000 n 
-0000044060 00000 n 
-0000044218 00000 n 
-0000044381 00000 n 
-0000044544 00000 n 
-0000044699 00000 n 
-0000044857 00000 n 
-0000045015 00000 n 
-0000045171 00000 n 
-0000045329 00000 n 
-0000045492 00000 n 
-0000045660 00000 n 
-0000045828 00000 n 
-0000045991 00000 n 
-0000046159 00000 n 
-0000046327 00000 n 
-0000046484 00000 n 
-0000046647 00000 n 
-0000046810 00000 n 
-0000046972 00000 n 
-0000047134 00000 n 
-0000047297 00000 n 
-0000047459 00000 n 
-0000047621 00000 n 
-0000047784 00000 n 
-0000047947 00000 n 
-0000048110 00000 n 
-0000048278 00000 n 
-0000048447 00000 n 
-0000048616 00000 n 
-0000048779 00000 n 
-0000048943 00000 n 
-0000049107 00000 n 
-0000049270 00000 n 
-0000049434 00000 n 
-0000049598 00000 n 
-0000049767 00000 n 
-0000049936 00000 n 
-0000050105 00000 n 
-0000050274 00000 n 
-0000050443 00000 n 
-0000050612 00000 n 
-0000050781 00000 n 
-0000050950 00000 n 
-0000051119 00000 n 
-0000051289 00000 n 
-0000051459 00000 n 
-0000051628 00000 n 
-0000051798 00000 n 
-0000051968 00000 n 
-0000052136 00000 n 
-0000052305 00000 n 
-0000052475 00000 n 
-0000052643 00000 n 
-0000052811 00000 n 
-0000066246 00000 n 
-0000056696 00000 n 
-0000053134 00000 n 
-0000066183 00000 n 
-0000057270 00000 n 
-0000057433 00000 n 
-0000057596 00000 n 
-0000057759 00000 n 
-0000057922 00000 n 
-0000058085 00000 n 
-0000058248 00000 n 
-0000058411 00000 n 
-0000058574 00000 n 
-0000058737 00000 n 
-0000058905 00000 n 
-0000059073 00000 n 
-0000059241 00000 n 
-0000059409 00000 n 
-0000059565 00000 n 
-0000059726 00000 n 
-0000059893 00000 n 
-0000060060 00000 n 
-0000060221 00000 n 
-0000060383 00000 n 
-0000060545 00000 n 
-0000060707 00000 n 
-0000060874 00000 n 
-0000061041 00000 n 
-0000061208 00000 n 
-0000061375 00000 n 
-0000061537 00000 n 
-0000061699 00000 n 
-0000061856 00000 n 
-0000062023 00000 n 
-0000062185 00000 n 
-0000062351 00000 n 
-0000062518 00000 n 
-0000062685 00000 n 
-0000690198 00000 n 
-0000668867 00000 n 
-0000690024 00000 n 
-0000062851 00000 n 
-0000063018 00000 n 
-0000063172 00000 n 
-0000063329 00000 n 
-0000063486 00000 n 
-0000063648 00000 n 
-0000063810 00000 n 
-0000063967 00000 n 
-0000064122 00000 n 
-0000064278 00000 n 
-0000064440 00000 n 
-0000064597 00000 n 
-0000064753 00000 n 
-0000064909 00000 n 
-0000065066 00000 n 
-0000065228 00000 n 
-0000065385 00000 n 
-0000065547 00000 n 
-0000065704 00000 n 
-0000065864 00000 n 
-0000066023 00000 n 
-0000070516 00000 n 
-0000067515 00000 n 
-0000066357 00000 n 
-0000070453 00000 n 
-0000067785 00000 n 
-0000067941 00000 n 
-0000068098 00000 n 
-0000068254 00000 n 
-0000068411 00000 n 
-0000068567 00000 n 
-0000068724 00000 n 
-0000068881 00000 n 
-0000069038 00000 n 
-0000069193 00000 n 
-0000069350 00000 n 
-0000069507 00000 n 
-0000069665 00000 n 
-0000069823 00000 n 
-0000667901 00000 n 
-0000647934 00000 n 
-0000667728 00000 n 
-0000069981 00000 n 
-0000070137 00000 n 
-0000070295 00000 n 
-0000073692 00000 n 
-0000072882 00000 n 
-0000070627 00000 n 
-0000073004 00000 n 
-0000073128 00000 n 
-0000073253 00000 n 
-0000073378 00000 n 
-0000073503 00000 n 
-0000073566 00000 n 
-0000073629 00000 n 
-0000647140 00000 n 
-0000628823 00000 n 
-0000646967 00000 n 
-0000766376 00000 n 
-0000078263 00000 n 
-0000077083 00000 n 
-0000073816 00000 n 
-0000077577 00000 n 
-0000077640 00000 n 
-0000077703 00000 n 
-0000077827 00000 n 
-0000077952 00000 n 
-0000078077 00000 n 
-0000077233 00000 n 
-0000077426 00000 n 
-0000078200 00000 n 
-0000356613 00000 n 
-0000416446 00000 n 
-0000082919 00000 n 
-0000081882 00000 n 
-0000078387 00000 n 
-0000082355 00000 n 
-0000082480 00000 n 
-0000082032 00000 n 
-0000082194 00000 n 
-0000082605 00000 n 
-0000082730 00000 n 
-0000082855 00000 n 
-0000098704 00000 n 
-0000086156 00000 n 
-0000085582 00000 n 
-0000083043 00000 n 
-0000085707 00000 n 
-0000085835 00000 n 
-0000085963 00000 n 
-0000086091 00000 n 
-0000089609 00000 n 
-0000088444 00000 n 
-0000086268 00000 n 
-0000088905 00000 n 
-0000089033 00000 n 
-0000089161 00000 n 
-0000089289 00000 n 
-0000089417 00000 n 
-0000088599 00000 n 
-0000088752 00000 n 
-0000089544 00000 n 
-0000298592 00000 n 
-0000090686 00000 n 
-0000090368 00000 n 
-0000089695 00000 n 
-0000090493 00000 n 
-0000090621 00000 n 
-0000092729 00000 n 
-0000092026 00000 n 
-0000090785 00000 n 
-0000092152 00000 n 
-0000092280 00000 n 
-0000092407 00000 n 
-0000092535 00000 n 
-0000092664 00000 n 
-0000766497 00000 n 
-0000095305 00000 n 
-0000094675 00000 n 
-0000092828 00000 n 
-0000094981 00000 n 
-0000095110 00000 n 
-0000095175 00000 n 
-0000095240 00000 n 
-0000094822 00000 n 
-0000282353 00000 n 
-0000098898 00000 n 
-0000098193 00000 n 
-0000095417 00000 n 
-0000098319 00000 n 
-0000098448 00000 n 
-0000098575 00000 n 
-0000628140 00000 n 
-0000616078 00000 n 
-0000627961 00000 n 
-0000098833 00000 n 
-0000102481 00000 n 
-0000102290 00000 n 
-0000099024 00000 n 
-0000102416 00000 n 
-0000615529 00000 n 
-0000605712 00000 n 
-0000615350 00000 n 
-0000106944 00000 n 
-0000106545 00000 n 
-0000102647 00000 n 
-0000106879 00000 n 
-0000106692 00000 n 
-0000177045 00000 n 
-0000109848 00000 n 
-0000109400 00000 n 
-0000107083 00000 n 
-0000109526 00000 n 
-0000109654 00000 n 
-0000109719 00000 n 
-0000109784 00000 n 
-0000112697 00000 n 
-0000115415 00000 n 
-0000112532 00000 n 
-0000109973 00000 n 
-0000114835 00000 n 
-0000114964 00000 n 
-0000115093 00000 n 
-0000114340 00000 n 
-0000114502 00000 n 
-0000604814 00000 n 
-0000595018 00000 n 
-0000604640 00000 n 
-0000594454 00000 n 
-0000585367 00000 n 
-0000594279 00000 n 
-0000115222 00000 n 
-0000114664 00000 n 
-0000115351 00000 n 
-0000766622 00000 n 
-0000114169 00000 n 
-0000114227 00000 n 
-0000114317 00000 n 
-0000223477 00000 n 
-0000259257 00000 n 
-0000349127 00000 n 
-0000120047 00000 n 
-0000119113 00000 n 
-0000115584 00000 n 
-0000119597 00000 n 
-0000119726 00000 n 
-0000119269 00000 n 
-0000119435 00000 n 
-0000119855 00000 n 
-0000119983 00000 n 
-0000420473 00000 n 
-0000123706 00000 n 
-0000123326 00000 n 
-0000120199 00000 n 
-0000123641 00000 n 
-0000123473 00000 n 
-0000124879 00000 n 
-0000124688 00000 n 
-0000123831 00000 n 
-0000124814 00000 n 
-0000126866 00000 n 
-0000126546 00000 n 
-0000124978 00000 n 
-0000126672 00000 n 
-0000126801 00000 n 
-0000130361 00000 n 
-0000129397 00000 n 
-0000126978 00000 n 
-0000129523 00000 n 
-0000129652 00000 n 
-0000129781 00000 n 
-0000129910 00000 n 
-0000130039 00000 n 
-0000130168 00000 n 
-0000130297 00000 n 
-0000134352 00000 n 
-0000133583 00000 n 
-0000130499 00000 n 
-0000133901 00000 n 
-0000134030 00000 n 
-0000133730 00000 n 
-0000134159 00000 n 
-0000134288 00000 n 
-0000766747 00000 n 
-0000138215 00000 n 
-0000137637 00000 n 
-0000134490 00000 n 
-0000137763 00000 n 
-0000137892 00000 n 
-0000138021 00000 n 
-0000138150 00000 n 
-0000142037 00000 n 
-0000141590 00000 n 
-0000138353 00000 n 
-0000141716 00000 n 
-0000141845 00000 n 
-0000141972 00000 n 
-0000144339 00000 n 
-0000144148 00000 n 
-0000142162 00000 n 
-0000144274 00000 n 
-0000148163 00000 n 
-0000147404 00000 n 
-0000144481 00000 n 
-0000147712 00000 n 
-0000585092 00000 n 
-0000581733 00000 n 
-0000584913 00000 n 
-0000147841 00000 n 
-0000147551 00000 n 
-0000147969 00000 n 
-0000148098 00000 n 
-0000416188 00000 n 
-0000148934 00000 n 
-0000148743 00000 n 
-0000148345 00000 n 
-0000148869 00000 n 
-0000151605 00000 n 
-0000151027 00000 n 
-0000149033 00000 n 
-0000151153 00000 n 
-0000151282 00000 n 
-0000151411 00000 n 
-0000151540 00000 n 
-0000766872 00000 n 
-0000152045 00000 n 
-0000151854 00000 n 
-0000151704 00000 n 
-0000151980 00000 n 
-0000156132 00000 n 
-0000155366 00000 n 
-0000152087 00000 n 
-0000155680 00000 n 
-0000155809 00000 n 
-0000155937 00000 n 
-0000156002 00000 n 
-0000156067 00000 n 
-0000155513 00000 n 
-0000160628 00000 n 
-0000160820 00000 n 
-0000160373 00000 n 
-0000156231 00000 n 
-0000160499 00000 n 
-0000160755 00000 n 
-0000164669 00000 n 
-0000164091 00000 n 
-0000160945 00000 n 
-0000164217 00000 n 
-0000164346 00000 n 
-0000164475 00000 n 
-0000164604 00000 n 
-0000167325 00000 n 
-0000168703 00000 n 
-0000167199 00000 n 
-0000164807 00000 n 
-0000168251 00000 n 
-0000168380 00000 n 
-0000168509 00000 n 
-0000168574 00000 n 
-0000168638 00000 n 
-0000171978 00000 n 
-0000171272 00000 n 
-0000168858 00000 n 
-0000171398 00000 n 
-0000171526 00000 n 
-0000171655 00000 n 
-0000171719 00000 n 
-0000171784 00000 n 
-0000171913 00000 n 
-0000766997 00000 n 
-0000177236 00000 n 
-0000176450 00000 n 
-0000172090 00000 n 
-0000176916 00000 n 
-0000176606 00000 n 
-0000176757 00000 n 
-0000177173 00000 n 
-0000560360 00000 n 
-0000181098 00000 n 
-0000179827 00000 n 
-0000177374 00000 n 
-0000180517 00000 n 
-0000180646 00000 n 
-0000180775 00000 n 
-0000180904 00000 n 
-0000179992 00000 n 
-0000180144 00000 n 
-0000180330 00000 n 
-0000181033 00000 n 
-0000185243 00000 n 
-0000184794 00000 n 
-0000181224 00000 n 
-0000184920 00000 n 
-0000185049 00000 n 
-0000185178 00000 n 
-0000189146 00000 n 
-0000188767 00000 n 
-0000185368 00000 n 
-0000189081 00000 n 
-0000188914 00000 n 
-0000191994 00000 n 
-0000192189 00000 n 
-0000191739 00000 n 
-0000189258 00000 n 
-0000191865 00000 n 
-0000192059 00000 n 
-0000192124 00000 n 
-0000195744 00000 n 
-0000195553 00000 n 
-0000192301 00000 n 
-0000195679 00000 n 
-0000767122 00000 n 
-0000199321 00000 n 
-0000198871 00000 n 
-0000195856 00000 n 
-0000198997 00000 n 
-0000199126 00000 n 
-0000199191 00000 n 
-0000199256 00000 n 
-0000203021 00000 n 
-0000202236 00000 n 
-0000199433 00000 n 
-0000202698 00000 n 
-0000202827 00000 n 
-0000202956 00000 n 
-0000202392 00000 n 
-0000202545 00000 n 
-0000205009 00000 n 
-0000204432 00000 n 
-0000203133 00000 n 
-0000204558 00000 n 
-0000204687 00000 n 
-0000204816 00000 n 
-0000204944 00000 n 
-0000206518 00000 n 
-0000206327 00000 n 
-0000205121 00000 n 
-0000206453 00000 n 
-0000208060 00000 n 
-0000207869 00000 n 
-0000206617 00000 n 
-0000207995 00000 n 
-0000211071 00000 n 
-0000210751 00000 n 
-0000208159 00000 n 
-0000210877 00000 n 
-0000211006 00000 n 
-0000767247 00000 n 
-0000215172 00000 n 
-0000214981 00000 n 
-0000211197 00000 n 
-0000215107 00000 n 
-0000219640 00000 n 
-0000219092 00000 n 
-0000215310 00000 n 
-0000219575 00000 n 
-0000219248 00000 n 
-0000219405 00000 n 
-0000385852 00000 n 
-0000223542 00000 n 
-0000223222 00000 n 
-0000219765 00000 n 
-0000223348 00000 n 
-0000227639 00000 n 
-0000227145 00000 n 
-0000223667 00000 n 
-0000227444 00000 n 
-0000227509 00000 n 
-0000227574 00000 n 
-0000227292 00000 n 
-0000232663 00000 n 
-0000231532 00000 n 
-0000227764 00000 n 
-0000232598 00000 n 
-0000231715 00000 n 
-0000231871 00000 n 
-0000232055 00000 n 
-0000232228 00000 n 
-0000232413 00000 n 
-0000306057 00000 n 
-0000236985 00000 n 
-0000236794 00000 n 
-0000232844 00000 n 
-0000236920 00000 n 
-0000767372 00000 n 
-0000240880 00000 n 
-0000240689 00000 n 
-0000237110 00000 n 
-0000240815 00000 n 
-0000245149 00000 n 
-0000244208 00000 n 
-0000240992 00000 n 
-0000244698 00000 n 
-0000244826 00000 n 
-0000244364 00000 n 
-0000244955 00000 n 
-0000245084 00000 n 
-0000244533 00000 n 
-0000320543 00000 n 
-0000249165 00000 n 
-0000248602 00000 n 
-0000245318 00000 n 
-0000249100 00000 n 
-0000248758 00000 n 
-0000248929 00000 n 
-0000403570 00000 n 
-0000252520 00000 n 
-0000252071 00000 n 
-0000249334 00000 n 
-0000252197 00000 n 
-0000252326 00000 n 
-0000252455 00000 n 
-0000255913 00000 n 
-0000255722 00000 n 
-0000252645 00000 n 
-0000255848 00000 n 
-0000259322 00000 n 
-0000259003 00000 n 
-0000256082 00000 n 
-0000259129 00000 n 
-0000767497 00000 n 
-0000263123 00000 n 
-0000262932 00000 n 
-0000259478 00000 n 
-0000263058 00000 n 
-0000267495 00000 n 
-0000266681 00000 n 
-0000263292 00000 n 
-0000267172 00000 n 
-0000267301 00000 n 
-0000266837 00000 n 
-0000267430 00000 n 
-0000266997 00000 n 
-0000271667 00000 n 
-0000271171 00000 n 
-0000267650 00000 n 
-0000271473 00000 n 
-0000271602 00000 n 
-0000271318 00000 n 
-0000275157 00000 n 
-0000274709 00000 n 
-0000271792 00000 n 
-0000274835 00000 n 
-0000274964 00000 n 
-0000275093 00000 n 
-0000279001 00000 n 
-0000278335 00000 n 
-0000275312 00000 n 
-0000278808 00000 n 
-0000278936 00000 n 
-0000278491 00000 n 
-0000278653 00000 n 
-0000282548 00000 n 
-0000281908 00000 n 
-0000279170 00000 n 
-0000282224 00000 n 
-0000282055 00000 n 
-0000282418 00000 n 
-0000282483 00000 n 
-0000767622 00000 n 
-0000286588 00000 n 
-0000286085 00000 n 
-0000282731 00000 n 
-0000286394 00000 n 
-0000286523 00000 n 
-0000286232 00000 n 
-0000291506 00000 n 
-0000290828 00000 n 
-0000286756 00000 n 
-0000291312 00000 n 
-0000290984 00000 n 
-0000581378 00000 n 
-0000579381 00000 n 
-0000581213 00000 n 
-0000291441 00000 n 
-0000291145 00000 n 
-0000382283 00000 n 
-0000318660 00000 n 
-0000294867 00000 n 
-0000294547 00000 n 
-0000291632 00000 n 
-0000294673 00000 n 
-0000294802 00000 n 
-0000298657 00000 n 
-0000298337 00000 n 
-0000294992 00000 n 
-0000298463 00000 n 
-0000302838 00000 n 
-0000302347 00000 n 
-0000298812 00000 n 
-0000302644 00000 n 
-0000302773 00000 n 
-0000302494 00000 n 
-0000306122 00000 n 
-0000305673 00000 n 
-0000302964 00000 n 
-0000305799 00000 n 
-0000305928 00000 n 
-0000767747 00000 n 
-0000311008 00000 n 
-0000310349 00000 n 
-0000306234 00000 n 
-0000310814 00000 n 
-0000310505 00000 n 
-0000310655 00000 n 
-0000310943 00000 n 
-0000315294 00000 n 
-0000314541 00000 n 
-0000311120 00000 n 
-0000314842 00000 n 
-0000314971 00000 n 
-0000315100 00000 n 
-0000315229 00000 n 
-0000314688 00000 n 
-0000318854 00000 n 
-0000318405 00000 n 
-0000315406 00000 n 
-0000318531 00000 n 
-0000318789 00000 n 
-0000320608 00000 n 
-0000320288 00000 n 
-0000318966 00000 n 
-0000320414 00000 n 
-0000322150 00000 n 
-0000321959 00000 n 
-0000320720 00000 n 
-0000322085 00000 n 
-0000323492 00000 n 
-0000323301 00000 n 
-0000322249 00000 n 
-0000323427 00000 n 
-0000767872 00000 n 
-0000327786 00000 n 
-0000327207 00000 n 
-0000323591 00000 n 
-0000327333 00000 n 
-0000327462 00000 n 
-0000327591 00000 n 
-0000327656 00000 n 
-0000327721 00000 n 
-0000333038 00000 n 
-0000331195 00000 n 
-0000327898 00000 n 
-0000332715 00000 n 
-0000331405 00000 n 
-0000332844 00000 n 
-0000332973 00000 n 
-0000331573 00000 n 
-0000331735 00000 n 
-0000331897 00000 n 
-0000332059 00000 n 
-0000332221 00000 n 
-0000332383 00000 n 
-0000332554 00000 n 
-0000560327 00000 n 
-0000338318 00000 n 
-0000336394 00000 n 
-0000333150 00000 n 
-0000338253 00000 n 
-0000336622 00000 n 
-0000336785 00000 n 
-0000336948 00000 n 
-0000337111 00000 n 
-0000337273 00000 n 
-0000337436 00000 n 
-0000337598 00000 n 
-0000337758 00000 n 
-0000337917 00000 n 
-0000338085 00000 n 
-0000344795 00000 n 
-0000341234 00000 n 
-0000338443 00000 n 
-0000344730 00000 n 
-0000341552 00000 n 
-0000341713 00000 n 
-0000341875 00000 n 
-0000342037 00000 n 
-0000342198 00000 n 
-0000342360 00000 n 
-0000342514 00000 n 
-0000342677 00000 n 
-0000342831 00000 n 
-0000342984 00000 n 
-0000343137 00000 n 
-0000343291 00000 n 
-0000343453 00000 n 
-0000343615 00000 n 
-0000343775 00000 n 
-0000343935 00000 n 
-0000344097 00000 n 
-0000344257 00000 n 
-0000344416 00000 n 
-0000344569 00000 n 
-0000349192 00000 n 
-0000348362 00000 n 
-0000344907 00000 n 
-0000348998 00000 n 
-0000348527 00000 n 
-0000348682 00000 n 
-0000348845 00000 n 
-0000352687 00000 n 
-0000352367 00000 n 
-0000349331 00000 n 
-0000352493 00000 n 
-0000352558 00000 n 
-0000352622 00000 n 
-0000767997 00000 n 
-0000357065 00000 n 
-0000355868 00000 n 
-0000352856 00000 n 
-0000356355 00000 n 
-0000356484 00000 n 
-0000356740 00000 n 
-0000356024 00000 n 
-0000356194 00000 n 
-0000356805 00000 n 
-0000356870 00000 n 
-0000356935 00000 n 
-0000357000 00000 n 
-0000360241 00000 n 
-0000360050 00000 n 
-0000357177 00000 n 
-0000360176 00000 n 
-0000364285 00000 n 
-0000363709 00000 n 
-0000360327 00000 n 
-0000363835 00000 n 
-0000363900 00000 n 
-0000363965 00000 n 
-0000364092 00000 n 
-0000364157 00000 n 
-0000364221 00000 n 
-0000368067 00000 n 
-0000367359 00000 n 
-0000364410 00000 n 
-0000367485 00000 n 
-0000367550 00000 n 
-0000367615 00000 n 
-0000367744 00000 n 
-0000367809 00000 n 
-0000367874 00000 n 
-0000368003 00000 n 
-0000372013 00000 n 
-0000371048 00000 n 
-0000368192 00000 n 
-0000371174 00000 n 
-0000371239 00000 n 
-0000371304 00000 n 
-0000371433 00000 n 
-0000371498 00000 n 
-0000371563 00000 n 
-0000371691 00000 n 
-0000371820 00000 n 
-0000371949 00000 n 
-0000375220 00000 n 
-0000374642 00000 n 
-0000372223 00000 n 
-0000374768 00000 n 
-0000374897 00000 n 
-0000375026 00000 n 
-0000375155 00000 n 
-0000768122 00000 n 
-0000378645 00000 n 
-0000378324 00000 n 
-0000375417 00000 n 
-0000378450 00000 n 
-0000378515 00000 n 
-0000378580 00000 n 
-0000382607 00000 n 
-0000382028 00000 n 
-0000378770 00000 n 
-0000382154 00000 n 
-0000382412 00000 n 
-0000382477 00000 n 
-0000382542 00000 n 
-0000386305 00000 n 
-0000385416 00000 n 
-0000382732 00000 n 
-0000385723 00000 n 
-0000385563 00000 n 
-0000385981 00000 n 
-0000386110 00000 n 
-0000386175 00000 n 
-0000386240 00000 n 
-0000390057 00000 n 
-0000389425 00000 n 
-0000386417 00000 n 
-0000389737 00000 n 
-0000389572 00000 n 
-0000389866 00000 n 
-0000389929 00000 n 
-0000389992 00000 n 
-0000560294 00000 n 
-0000393777 00000 n 
-0000393328 00000 n 
-0000390169 00000 n 
-0000393454 00000 n 
-0000393582 00000 n 
-0000393647 00000 n 
-0000393712 00000 n 
-0000396923 00000 n 
-0000396345 00000 n 
-0000393889 00000 n 
-0000396471 00000 n 
-0000396600 00000 n 
-0000396665 00000 n 
-0000396729 00000 n 
-0000579100 00000 n 
-0000571816 00000 n 
-0000578920 00000 n 
-0000396858 00000 n 
-0000768247 00000 n 
-0000397404 00000 n 
-0000397213 00000 n 
-0000397063 00000 n 
-0000397339 00000 n 
-0000399214 00000 n 
-0000398765 00000 n 
-0000397446 00000 n 
-0000398891 00000 n 
-0000399020 00000 n 
-0000399149 00000 n 
-0000403635 00000 n 
-0000402692 00000 n 
-0000399326 00000 n 
-0000403055 00000 n 
-0000571495 00000 n 
-0000562282 00000 n 
-0000571309 00000 n 
-0000402839 00000 n 
-0000403184 00000 n 
-0000403312 00000 n 
-0000403441 00000 n 
-0000404990 00000 n 
-0000404799 00000 n 
-0000403872 00000 n 
-0000404925 00000 n 
-0000405430 00000 n 
-0000405239 00000 n 
-0000405089 00000 n 
-0000405365 00000 n 
-0000408744 00000 n 
-0000407518 00000 n 
-0000405472 00000 n 
-0000408035 00000 n 
-0000408164 00000 n 
-0000408293 00000 n 
-0000408422 00000 n 
-0000408551 00000 n 
-0000408680 00000 n 
-0000407674 00000 n 
-0000407846 00000 n 
-0000768372 00000 n 
-0000409198 00000 n 
-0000409007 00000 n 
-0000408857 00000 n 
-0000409133 00000 n 
-0000412443 00000 n 
-0000411865 00000 n 
-0000409240 00000 n 
-0000411991 00000 n 
-0000412120 00000 n 
-0000412249 00000 n 
-0000412378 00000 n 
-0000416638 00000 n 
-0000415420 00000 n 
-0000412529 00000 n 
-0000415930 00000 n 
-0000416059 00000 n 
-0000416317 00000 n 
-0000415576 00000 n 
-0000415755 00000 n 
-0000416510 00000 n 
-0000416574 00000 n 
-0000423525 00000 n 
-0000419697 00000 n 
-0000416791 00000 n 
-0000419823 00000 n 
-0000419888 00000 n 
-0000419953 00000 n 
-0000420018 00000 n 
-0000420083 00000 n 
-0000420148 00000 n 
-0000420213 00000 n 
-0000420278 00000 n 
-0000420343 00000 n 
-0000420408 00000 n 
-0000420538 00000 n 
-0000420603 00000 n 
-0000420668 00000 n 
-0000420733 00000 n 
-0000420798 00000 n 
-0000420863 00000 n 
-0000420928 00000 n 
-0000420993 00000 n 
-0000421058 00000 n 
-0000421123 00000 n 
-0000421188 00000 n 
-0000421253 00000 n 
-0000421318 00000 n 
-0000421383 00000 n 
-0000421448 00000 n 
-0000421513 00000 n 
-0000421578 00000 n 
-0000421643 00000 n 
-0000421708 00000 n 
-0000421773 00000 n 
-0000421838 00000 n 
-0000421903 00000 n 
-0000421968 00000 n 
-0000422033 00000 n 
-0000422097 00000 n 
-0000422162 00000 n 
-0000422227 00000 n 
-0000422292 00000 n 
-0000422357 00000 n 
-0000422422 00000 n 
-0000422487 00000 n 
-0000422552 00000 n 
-0000422617 00000 n 
-0000422682 00000 n 
-0000422747 00000 n 
-0000422812 00000 n 
-0000422877 00000 n 
-0000422942 00000 n 
-0000423007 00000 n 
-0000423072 00000 n 
-0000423137 00000 n 
-0000423202 00000 n 
-0000423267 00000 n 
-0000423332 00000 n 
-0000423397 00000 n 
-0000423461 00000 n 
-0000430171 00000 n 
-0000426607 00000 n 
-0000423637 00000 n 
-0000426733 00000 n 
-0000426798 00000 n 
-0000426863 00000 n 
-0000426928 00000 n 
-0000426993 00000 n 
-0000427058 00000 n 
-0000427123 00000 n 
-0000427188 00000 n 
-0000427253 00000 n 
-0000427318 00000 n 
-0000427383 00000 n 
-0000427448 00000 n 
-0000427512 00000 n 
-0000427577 00000 n 
-0000427642 00000 n 
-0000427707 00000 n 
-0000427772 00000 n 
-0000427837 00000 n 
-0000427902 00000 n 
-0000427967 00000 n 
-0000428032 00000 n 
-0000428097 00000 n 
-0000428162 00000 n 
-0000428227 00000 n 
-0000428291 00000 n 
-0000428356 00000 n 
-0000428421 00000 n 
-0000428486 00000 n 
-0000428551 00000 n 
-0000428616 00000 n 
-0000428681 00000 n 
-0000428746 00000 n 
-0000428811 00000 n 
-0000428876 00000 n 
-0000428941 00000 n 
-0000429006 00000 n 
-0000429071 00000 n 
-0000429136 00000 n 
-0000429201 00000 n 
-0000429266 00000 n 
-0000429330 00000 n 
-0000429394 00000 n 
-0000429458 00000 n 
-0000429523 00000 n 
-0000429588 00000 n 
-0000429653 00000 n 
-0000429718 00000 n 
-0000429783 00000 n 
-0000429848 00000 n 
-0000429913 00000 n 
-0000429978 00000 n 
-0000430043 00000 n 
-0000430107 00000 n 
-0000436344 00000 n 
-0000432906 00000 n 
-0000430283 00000 n 
-0000433032 00000 n 
-0000433097 00000 n 
-0000433162 00000 n 
-0000433227 00000 n 
-0000433292 00000 n 
-0000433357 00000 n 
-0000433422 00000 n 
-0000433487 00000 n 
-0000433552 00000 n 
-0000433617 00000 n 
-0000433682 00000 n 
-0000433747 00000 n 
-0000433812 00000 n 
-0000433877 00000 n 
-0000433942 00000 n 
-0000434007 00000 n 
-0000434072 00000 n 
-0000434137 00000 n 
-0000434202 00000 n 
-0000434267 00000 n 
-0000434332 00000 n 
-0000434397 00000 n 
-0000434462 00000 n 
-0000434527 00000 n 
-0000434592 00000 n 
-0000434657 00000 n 
-0000434722 00000 n 
-0000434787 00000 n 
-0000434852 00000 n 
-0000434917 00000 n 
-0000434982 00000 n 
-0000435047 00000 n 
-0000435112 00000 n 
-0000435177 00000 n 
-0000435241 00000 n 
-0000435306 00000 n 
-0000435371 00000 n 
-0000435436 00000 n 
-0000435501 00000 n 
-0000435566 00000 n 
-0000435631 00000 n 
-0000435696 00000 n 
-0000435761 00000 n 
-0000435826 00000 n 
-0000435891 00000 n 
-0000435956 00000 n 
-0000436021 00000 n 
-0000436086 00000 n 
-0000436151 00000 n 
-0000436216 00000 n 
-0000436280 00000 n 
-0000768497 00000 n 
-0000440922 00000 n 
-0000438658 00000 n 
-0000436456 00000 n 
-0000438784 00000 n 
-0000438849 00000 n 
-0000438914 00000 n 
-0000438979 00000 n 
-0000439044 00000 n 
-0000439109 00000 n 
-0000439174 00000 n 
-0000439239 00000 n 
-0000439304 00000 n 
-0000439369 00000 n 
-0000439434 00000 n 
-0000439499 00000 n 
-0000439564 00000 n 
-0000439629 00000 n 
-0000439691 00000 n 
-0000439755 00000 n 
-0000439820 00000 n 
-0000439884 00000 n 
-0000439949 00000 n 
-0000440014 00000 n 
-0000440079 00000 n 
-0000440144 00000 n 
-0000440209 00000 n 
-0000440274 00000 n 
-0000440339 00000 n 
-0000440468 00000 n 
-0000440597 00000 n 
-0000440662 00000 n 
-0000440727 00000 n 
-0000440792 00000 n 
-0000440857 00000 n 
-0000443717 00000 n 
-0000443073 00000 n 
-0000441047 00000 n 
-0000443199 00000 n 
-0000443328 00000 n 
-0000443457 00000 n 
-0000443522 00000 n 
-0000443587 00000 n 
-0000443652 00000 n 
-0000448055 00000 n 
-0000447735 00000 n 
-0000443830 00000 n 
+0000445130 00000 n 
+0000779304 00000 n 
+0000017000 00000 n 
+0000017052 00000 n 
 0000447861 00000 n 
-0000447926 00000 n 
-0000447991 00000 n 
-0000451655 00000 n 
-0000451400 00000 n 
-0000448208 00000 n 
-0000451526 00000 n 
-0000451591 00000 n 
-0000454903 00000 n 
-0000454712 00000 n 
-0000451794 00000 n 
-0000454838 00000 n 
-0000458631 00000 n 
-0000458375 00000 n 
-0000455029 00000 n 
-0000458501 00000 n 
-0000458566 00000 n 
-0000768622 00000 n 
-0000461472 00000 n 
-0000460764 00000 n 
-0000458770 00000 n 
-0000460890 00000 n 
-0000460955 00000 n 
-0000461020 00000 n 
-0000461085 00000 n 
-0000461150 00000 n 
-0000461279 00000 n 
-0000461344 00000 n 
-0000461408 00000 n 
-0000466140 00000 n 
-0000465884 00000 n 
-0000461611 00000 n 
-0000466010 00000 n 
-0000466075 00000 n 
-0000469130 00000 n 
-0000468357 00000 n 
-0000466266 00000 n 
-0000468483 00000 n 
-0000468548 00000 n 
-0000468613 00000 n 
-0000468678 00000 n 
-0000468807 00000 n 
-0000468872 00000 n 
-0000468935 00000 n 
-0000469000 00000 n 
-0000469065 00000 n 
-0000471963 00000 n 
-0000471451 00000 n 
-0000469283 00000 n 
-0000471577 00000 n 
-0000471642 00000 n 
-0000471707 00000 n 
-0000471770 00000 n 
-0000471834 00000 n 
-0000471899 00000 n 
-0000475084 00000 n 
-0000474504 00000 n 
-0000472115 00000 n 
-0000474630 00000 n 
-0000474759 00000 n 
-0000474824 00000 n 
-0000474889 00000 n 
-0000474954 00000 n 
-0000475019 00000 n 
-0000478014 00000 n 
-0000477369 00000 n 
-0000475224 00000 n 
-0000477495 00000 n 
-0000477560 00000 n 
-0000477625 00000 n 
-0000477690 00000 n 
-0000477819 00000 n 
-0000477884 00000 n 
-0000477949 00000 n 
-0000768747 00000 n 
-0000481515 00000 n 
-0000481194 00000 n 
-0000478180 00000 n 
-0000481320 00000 n 
-0000481385 00000 n 
-0000481450 00000 n 
-0000484988 00000 n 
-0000484732 00000 n 
-0000481641 00000 n 
-0000484858 00000 n 
-0000484923 00000 n 
-0000487942 00000 n 
-0000487299 00000 n 
-0000485114 00000 n 
-0000487425 00000 n 
-0000487490 00000 n 
-0000487555 00000 n 
-0000487620 00000 n 
-0000487684 00000 n 
-0000487813 00000 n 
-0000487878 00000 n 
-0000490382 00000 n 
-0000489610 00000 n 
-0000488107 00000 n 
-0000489736 00000 n 
-0000489801 00000 n 
-0000489866 00000 n 
-0000489930 00000 n 
-0000489995 00000 n 
-0000490060 00000 n 
-0000490189 00000 n 
-0000490254 00000 n 
-0000490318 00000 n 
-0000493850 00000 n 
-0000493400 00000 n 
-0000490535 00000 n 
-0000493526 00000 n 
-0000493591 00000 n 
-0000493656 00000 n 
-0000493721 00000 n 
-0000493786 00000 n 
-0000497010 00000 n 
-0000496366 00000 n 
-0000493989 00000 n 
-0000496492 00000 n 
-0000496557 00000 n 
-0000496686 00000 n 
-0000496751 00000 n 
-0000496815 00000 n 
-0000496880 00000 n 
-0000496945 00000 n 
-0000768872 00000 n 
-0000500745 00000 n 
-0000500554 00000 n 
-0000497150 00000 n 
-0000500680 00000 n 
-0000503988 00000 n 
-0000503797 00000 n 
-0000500871 00000 n 
-0000503923 00000 n 
-0000506670 00000 n 
-0000506026 00000 n 
-0000504128 00000 n 
-0000506152 00000 n 
-0000506217 00000 n 
-0000506282 00000 n 
-0000506347 00000 n 
-0000506476 00000 n 
-0000506541 00000 n 
-0000506606 00000 n 
-0000509394 00000 n 
-0000508620 00000 n 
-0000506822 00000 n 
-0000508746 00000 n 
-0000508811 00000 n 
-0000508876 00000 n 
-0000508941 00000 n 
-0000509005 00000 n 
-0000509070 00000 n 
+0000779184 00000 n 
+0000017100 00000 n 
+0000017134 00000 n 
+0000447990 00000 n 
+0000779105 00000 n 
+0000017183 00000 n 
+0000017210 00000 n 
+0000465812 00000 n 
+0000779012 00000 n 
+0000017259 00000 n 
+0000017287 00000 n 
+0000473346 00000 n 
+0000778919 00000 n 
+0000017336 00000 n 
+0000017376 00000 n 
+0000479375 00000 n 
+0000778826 00000 n 
+0000017425 00000 n 
+0000017468 00000 n 
+0000482435 00000 n 
+0000778733 00000 n 
+0000017517 00000 n 
+0000017554 00000 n 
+0000492648 00000 n 
+0000778640 00000 n 
+0000017603 00000 n 
+0000017640 00000 n 
+0000495024 00000 n 
+0000778547 00000 n 
+0000017689 00000 n 
+0000017727 00000 n 
+0000501508 00000 n 
+0000778454 00000 n 
+0000017776 00000 n 
+0000017815 00000 n 
+0000514234 00000 n 
+0000778361 00000 n 
+0000017864 00000 n 
+0000017903 00000 n 
+0000517201 00000 n 
+0000778268 00000 n 
+0000017953 00000 n 
+0000017993 00000 n 
+0000523477 00000 n 
+0000778175 00000 n 
+0000018043 00000 n 
+0000018073 00000 n 
+0000533159 00000 n 
+0000778082 00000 n 
+0000018123 00000 n 
+0000018156 00000 n 
+0000547778 00000 n 
+0000777989 00000 n 
+0000018206 00000 n 
+0000018235 00000 n 
+0000550974 00000 n 
+0000777896 00000 n 
+0000018285 00000 n 
+0000018319 00000 n 
+0000556971 00000 n 
+0000777803 00000 n 
+0000018369 00000 n 
+0000018406 00000 n 
+0000563615 00000 n 
+0000777724 00000 n 
+0000018456 00000 n 
+0000018493 00000 n 
+0000018862 00000 n 
+0000018984 00000 n 
+0000026813 00000 n 
+0000018546 00000 n 
+0000026687 00000 n 
+0000026750 00000 n 
+0000772851 00000 n 
+0000746908 00000 n 
+0000772677 00000 n 
+0000773876 00000 n 
+0000021847 00000 n 
+0000022064 00000 n 
+0000022133 00000 n 
+0000022202 00000 n 
+0000022270 00000 n 
+0000022338 00000 n 
+0000022387 00000 n 
+0000022434 00000 n 
+0000022767 00000 n 
+0000022789 00000 n 
+0000022957 00000 n 
+0000023122 00000 n 
+0000023291 00000 n 
+0000023470 00000 n 
+0000023779 00000 n 
+0000023939 00000 n 
+0000028177 00000 n 
+0000027992 00000 n 
+0000026913 00000 n 
+0000028114 00000 n 
+0000745687 00000 n 
+0000719166 00000 n 
+0000745513 00000 n 
+0000718481 00000 n 
+0000716337 00000 n 
+0000718317 00000 n 
+0000039881 00000 n 
+0000031232 00000 n 
+0000028262 00000 n 
+0000039755 00000 n 
+0000039818 00000 n 
+0000031766 00000 n 
+0000031920 00000 n 
+0000032077 00000 n 
+0000032234 00000 n 
+0000032390 00000 n 
+0000032547 00000 n 
+0000032709 00000 n 
+0000032870 00000 n 
+0000033031 00000 n 
+0000033193 00000 n 
+0000033360 00000 n 
+0000033527 00000 n 
+0000033692 00000 n 
+0000033854 00000 n 
+0000034020 00000 n 
+0000034181 00000 n 
+0000034336 00000 n 
+0000034493 00000 n 
+0000034649 00000 n 
+0000034806 00000 n 
+0000034963 00000 n 
+0000035120 00000 n 
+0000035274 00000 n 
+0000035430 00000 n 
+0000035592 00000 n 
+0000035754 00000 n 
+0000035910 00000 n 
+0000036065 00000 n 
+0000036227 00000 n 
+0000036394 00000 n 
+0000036560 00000 n 
+0000036721 00000 n 
+0000036876 00000 n 
+0000037033 00000 n 
+0000037190 00000 n 
+0000037352 00000 n 
+0000037509 00000 n 
+0000037666 00000 n 
+0000037828 00000 n 
+0000037985 00000 n 
+0000038147 00000 n 
+0000038314 00000 n 
+0000038480 00000 n 
+0000038642 00000 n 
+0000038804 00000 n 
+0000038966 00000 n 
+0000039128 00000 n 
+0000039290 00000 n 
+0000039445 00000 n 
+0000039600 00000 n 
+0000053273 00000 n 
+0000043218 00000 n 
+0000039966 00000 n 
+0000053210 00000 n 
+0000715786 00000 n 
+0000698705 00000 n 
+0000715602 00000 n 
+0000043808 00000 n 
+0000043971 00000 n 
+0000044134 00000 n 
+0000044297 00000 n 
+0000044455 00000 n 
+0000044618 00000 n 
+0000044781 00000 n 
+0000044936 00000 n 
+0000045094 00000 n 
+0000045252 00000 n 
+0000045408 00000 n 
+0000045566 00000 n 
+0000045729 00000 n 
+0000045897 00000 n 
+0000046065 00000 n 
+0000046228 00000 n 
+0000046396 00000 n 
+0000046564 00000 n 
+0000046721 00000 n 
+0000046884 00000 n 
+0000047047 00000 n 
+0000047209 00000 n 
+0000047371 00000 n 
+0000047534 00000 n 
+0000047696 00000 n 
+0000047858 00000 n 
+0000048021 00000 n 
+0000048184 00000 n 
+0000048347 00000 n 
+0000048515 00000 n 
+0000048684 00000 n 
+0000048853 00000 n 
+0000049016 00000 n 
+0000049180 00000 n 
+0000049344 00000 n 
+0000049507 00000 n 
+0000049671 00000 n 
+0000049835 00000 n 
+0000050004 00000 n 
+0000050173 00000 n 
+0000050342 00000 n 
+0000050511 00000 n 
+0000050680 00000 n 
+0000050849 00000 n 
+0000051018 00000 n 
+0000051187 00000 n 
+0000051356 00000 n 
+0000051526 00000 n 
+0000051696 00000 n 
+0000051865 00000 n 
+0000052035 00000 n 
+0000052205 00000 n 
+0000052373 00000 n 
+0000052542 00000 n 
+0000052712 00000 n 
+0000052880 00000 n 
+0000053048 00000 n 
+0000066642 00000 n 
+0000056931 00000 n 
+0000053371 00000 n 
+0000066579 00000 n 
+0000057513 00000 n 
+0000057676 00000 n 
+0000057839 00000 n 
+0000058002 00000 n 
+0000058165 00000 n 
+0000058327 00000 n 
+0000058489 00000 n 
+0000058651 00000 n 
+0000058813 00000 n 
+0000058975 00000 n 
+0000059137 00000 n 
+0000059299 00000 n 
+0000059466 00000 n 
+0000059633 00000 n 
+0000059800 00000 n 
+0000059967 00000 n 
+0000060124 00000 n 
+0000060286 00000 n 
+0000060453 00000 n 
+0000060620 00000 n 
+0000060782 00000 n 
+0000060944 00000 n 
+0000061106 00000 n 
+0000061268 00000 n 
+0000061435 00000 n 
+0000061602 00000 n 
+0000061769 00000 n 
+0000061936 00000 n 
+0000062098 00000 n 
+0000062260 00000 n 
+0000062417 00000 n 
+0000062584 00000 n 
+0000062746 00000 n 
+0000062913 00000 n 
+0000063080 00000 n 
+0000063246 00000 n 
+0000697816 00000 n 
+0000676485 00000 n 
+0000697642 00000 n 
+0000063412 00000 n 
+0000063578 00000 n 
+0000063733 00000 n 
+0000063889 00000 n 
+0000064046 00000 n 
+0000064208 00000 n 
+0000064370 00000 n 
+0000064527 00000 n 
+0000064682 00000 n 
+0000064839 00000 n 
+0000065001 00000 n 
+0000065158 00000 n 
+0000065315 00000 n 
+0000065470 00000 n 
+0000065626 00000 n 
+0000065787 00000 n 
+0000065943 00000 n 
+0000066104 00000 n 
+0000066259 00000 n 
+0000066419 00000 n 
+0000071172 00000 n 
+0000067996 00000 n 
+0000066753 00000 n 
+0000071109 00000 n 
+0000068274 00000 n 
+0000068436 00000 n 
+0000068592 00000 n 
+0000068749 00000 n 
+0000068906 00000 n 
+0000069063 00000 n 
+0000069220 00000 n 
+0000069377 00000 n 
+0000069534 00000 n 
+0000069691 00000 n 
+0000069848 00000 n 
+0000070005 00000 n 
+0000070163 00000 n 
+0000070320 00000 n 
+0000070478 00000 n 
+0000675519 00000 n 
+0000655552 00000 n 
+0000675346 00000 n 
+0000070636 00000 n 
+0000070794 00000 n 
+0000070951 00000 n 
+0000074348 00000 n 
+0000073538 00000 n 
+0000071283 00000 n 
+0000073660 00000 n 
+0000073784 00000 n 
+0000073909 00000 n 
+0000074034 00000 n 
+0000074159 00000 n 
+0000074222 00000 n 
+0000074285 00000 n 
+0000654758 00000 n 
+0000636441 00000 n 
+0000654585 00000 n 
+0000773994 00000 n 
+0000078919 00000 n 
+0000077739 00000 n 
+0000074472 00000 n 
+0000078233 00000 n 
+0000078296 00000 n 
+0000078359 00000 n 
+0000078483 00000 n 
+0000078608 00000 n 
+0000078733 00000 n 
+0000077889 00000 n 
+0000078082 00000 n 
+0000078856 00000 n 
+0000361595 00000 n 
+0000421042 00000 n 
+0000083596 00000 n 
+0000082539 00000 n 
+0000079043 00000 n 
+0000083019 00000 n 
+0000083147 00000 n 
+0000082694 00000 n 
+0000082857 00000 n 
+0000083275 00000 n 
+0000083403 00000 n 
+0000083531 00000 n 
+0000099382 00000 n 
+0000086834 00000 n 
+0000086260 00000 n 
+0000083721 00000 n 
+0000086385 00000 n 
+0000086513 00000 n 
+0000086641 00000 n 
+0000086769 00000 n 
+0000090287 00000 n 
+0000089122 00000 n 
+0000086946 00000 n 
+0000089583 00000 n 
+0000089711 00000 n 
+0000089839 00000 n 
+0000089967 00000 n 
+0000090095 00000 n 
+0000089277 00000 n 
+0000089430 00000 n 
+0000090222 00000 n 
+0000299677 00000 n 
+0000091364 00000 n 
+0000091046 00000 n 
+0000090373 00000 n 
+0000091171 00000 n 
+0000091299 00000 n 
+0000093407 00000 n 
+0000092704 00000 n 
+0000091463 00000 n 
+0000092830 00000 n 
+0000092958 00000 n 
+0000093085 00000 n 
+0000093213 00000 n 
+0000093342 00000 n 
+0000774116 00000 n 
+0000095983 00000 n 
+0000095353 00000 n 
+0000093506 00000 n 
+0000095659 00000 n 
+0000095788 00000 n 
+0000095853 00000 n 
+0000095918 00000 n 
+0000095500 00000 n 
+0000283438 00000 n 
+0000099576 00000 n 
+0000098871 00000 n 
+0000096095 00000 n 
+0000098997 00000 n 
+0000099126 00000 n 
+0000099253 00000 n 
+0000635758 00000 n 
+0000623696 00000 n 
+0000635579 00000 n 
+0000099511 00000 n 
+0000103159 00000 n 
+0000102968 00000 n 
+0000099702 00000 n 
+0000103094 00000 n 
+0000623123 00000 n 
+0000612140 00000 n 
+0000622944 00000 n 
+0000107622 00000 n 
+0000107223 00000 n 
+0000103325 00000 n 
+0000107557 00000 n 
+0000107370 00000 n 
+0000177945 00000 n 
+0000110526 00000 n 
+0000110078 00000 n 
+0000107761 00000 n 
+0000110204 00000 n 
+0000110332 00000 n 
+0000110397 00000 n 
+0000110462 00000 n 
+0000113374 00000 n 
+0000116092 00000 n 
+0000113209 00000 n 
+0000110651 00000 n 
+0000115512 00000 n 
+0000115641 00000 n 
+0000115770 00000 n 
+0000115017 00000 n 
+0000115179 00000 n 
+0000611242 00000 n 
+0000601446 00000 n 
+0000611068 00000 n 
+0000600882 00000 n 
+0000591795 00000 n 
+0000600707 00000 n 
+0000115899 00000 n 
+0000115341 00000 n 
+0000116028 00000 n 
+0000774241 00000 n 
+0000114846 00000 n 
+0000114904 00000 n 
+0000114994 00000 n 
+0000224562 00000 n 
+0000260342 00000 n 
+0000354107 00000 n 
+0000120724 00000 n 
+0000119790 00000 n 
+0000116261 00000 n 
+0000120274 00000 n 
+0000120403 00000 n 
+0000119946 00000 n 
+0000120112 00000 n 
+0000120532 00000 n 
+0000120660 00000 n 
+0000425070 00000 n 
+0000124383 00000 n 
+0000124003 00000 n 
+0000120876 00000 n 
+0000124318 00000 n 
+0000124150 00000 n 
+0000125556 00000 n 
+0000125365 00000 n 
+0000124508 00000 n 
+0000125491 00000 n 
+0000127543 00000 n 
+0000127223 00000 n 
+0000125655 00000 n 
+0000127349 00000 n 
+0000127478 00000 n 
+0000131038 00000 n 
+0000130074 00000 n 
+0000127655 00000 n 
+0000130200 00000 n 
+0000130329 00000 n 
+0000130458 00000 n 
+0000130587 00000 n 
+0000130716 00000 n 
+0000130845 00000 n 
+0000130974 00000 n 
+0000135029 00000 n 
+0000134260 00000 n 
+0000131176 00000 n 
+0000134578 00000 n 
+0000134707 00000 n 
+0000134407 00000 n 
+0000134836 00000 n 
+0000134965 00000 n 
+0000774366 00000 n 
+0000138892 00000 n 
+0000138314 00000 n 
+0000135167 00000 n 
+0000138440 00000 n 
+0000138569 00000 n 
+0000138698 00000 n 
+0000138827 00000 n 
+0000142751 00000 n 
+0000142302 00000 n 
+0000139030 00000 n 
+0000142428 00000 n 
+0000142557 00000 n 
+0000142686 00000 n 
+0000145145 00000 n 
+0000144954 00000 n 
+0000142876 00000 n 
+0000145080 00000 n 
+0000148964 00000 n 
+0000148204 00000 n 
+0000145287 00000 n 
+0000148512 00000 n 
+0000591520 00000 n 
+0000588162 00000 n 
+0000591341 00000 n 
+0000148641 00000 n 
+0000148351 00000 n 
+0000148770 00000 n 
+0000148899 00000 n 
+0000420784 00000 n 
+0000149735 00000 n 
+0000149544 00000 n 
+0000149146 00000 n 
+0000149670 00000 n 
+0000152406 00000 n 
+0000151828 00000 n 
+0000149834 00000 n 
+0000151954 00000 n 
+0000152083 00000 n 
+0000152212 00000 n 
+0000152341 00000 n 
+0000774491 00000 n 
+0000152846 00000 n 
+0000152655 00000 n 
+0000152505 00000 n 
+0000152781 00000 n 
+0000156933 00000 n 
+0000156167 00000 n 
+0000152888 00000 n 
+0000156481 00000 n 
+0000156610 00000 n 
+0000156738 00000 n 
+0000156803 00000 n 
+0000156868 00000 n 
+0000156314 00000 n 
+0000161429 00000 n 
+0000161621 00000 n 
+0000161174 00000 n 
+0000157032 00000 n 
+0000161300 00000 n 
+0000161556 00000 n 
+0000165470 00000 n 
+0000164892 00000 n 
+0000161746 00000 n 
+0000165018 00000 n 
+0000165147 00000 n 
+0000165276 00000 n 
+0000165405 00000 n 
+0000168126 00000 n 
+0000169504 00000 n 
+0000168000 00000 n 
+0000165608 00000 n 
+0000169052 00000 n 
+0000169181 00000 n 
+0000169310 00000 n 
+0000169375 00000 n 
+0000169439 00000 n 
+0000172827 00000 n 
+0000172123 00000 n 
+0000169659 00000 n 
+0000172249 00000 n 
+0000172378 00000 n 
+0000172506 00000 n 
+0000172571 00000 n 
+0000172636 00000 n 
+0000172762 00000 n 
+0000774616 00000 n 
+0000178138 00000 n 
+0000177350 00000 n 
+0000172939 00000 n 
+0000177816 00000 n 
+0000177506 00000 n 
+0000177657 00000 n 
+0000178074 00000 n 
+0000566788 00000 n 
+0000182000 00000 n 
+0000180729 00000 n 
+0000178276 00000 n 
+0000181419 00000 n 
+0000181548 00000 n 
+0000181677 00000 n 
+0000181806 00000 n 
+0000180894 00000 n 
+0000181046 00000 n 
+0000181232 00000 n 
+0000181935 00000 n 
+0000186145 00000 n 
+0000185696 00000 n 
+0000182126 00000 n 
+0000185822 00000 n 
+0000185951 00000 n 
+0000186080 00000 n 
+0000190048 00000 n 
+0000189669 00000 n 
+0000186270 00000 n 
+0000189983 00000 n 
+0000189816 00000 n 
+0000192896 00000 n 
+0000193091 00000 n 
+0000192641 00000 n 
+0000190160 00000 n 
+0000192767 00000 n 
+0000192961 00000 n 
+0000193026 00000 n 
+0000196646 00000 n 
+0000196455 00000 n 
+0000193203 00000 n 
+0000196581 00000 n 
+0000774741 00000 n 
+0000200223 00000 n 
+0000199773 00000 n 
+0000196758 00000 n 
+0000199899 00000 n 
+0000200028 00000 n 
+0000200093 00000 n 
+0000200158 00000 n 
+0000203923 00000 n 
+0000203138 00000 n 
+0000200335 00000 n 
+0000203600 00000 n 
+0000203729 00000 n 
+0000203858 00000 n 
+0000203294 00000 n 
+0000203447 00000 n 
+0000205911 00000 n 
+0000205334 00000 n 
+0000204035 00000 n 
+0000205460 00000 n 
+0000205589 00000 n 
+0000205718 00000 n 
+0000205846 00000 n 
+0000207420 00000 n 
+0000207229 00000 n 
+0000206023 00000 n 
+0000207355 00000 n 
+0000208962 00000 n 
+0000208771 00000 n 
+0000207519 00000 n 
+0000208897 00000 n 
+0000211973 00000 n 
+0000211653 00000 n 
+0000209061 00000 n 
+0000211779 00000 n 
+0000211908 00000 n 
+0000774866 00000 n 
+0000216233 00000 n 
+0000216042 00000 n 
+0000212099 00000 n 
+0000216168 00000 n 
+0000220700 00000 n 
+0000220152 00000 n 
+0000216371 00000 n 
+0000220635 00000 n 
+0000220308 00000 n 
+0000220465 00000 n 
+0000390831 00000 n 
+0000224627 00000 n 
+0000224307 00000 n 
+0000220825 00000 n 
+0000224433 00000 n 
+0000228724 00000 n 
+0000228230 00000 n 
+0000224752 00000 n 
+0000228529 00000 n 
+0000228594 00000 n 
+0000228659 00000 n 
+0000228377 00000 n 
+0000233748 00000 n 
+0000232617 00000 n 
+0000228849 00000 n 
+0000233683 00000 n 
+0000232800 00000 n 
+0000232956 00000 n 
+0000233140 00000 n 
+0000233313 00000 n 
+0000233498 00000 n 
+0000307142 00000 n 
+0000238070 00000 n 
+0000237879 00000 n 
+0000233929 00000 n 
+0000238005 00000 n 
+0000774991 00000 n 
+0000241965 00000 n 
+0000241774 00000 n 
+0000238195 00000 n 
+0000241900 00000 n 
+0000246234 00000 n 
+0000245293 00000 n 
+0000242077 00000 n 
+0000245783 00000 n 
+0000245911 00000 n 
+0000245449 00000 n 
+0000246040 00000 n 
+0000246169 00000 n 
+0000245618 00000 n 
+0000325500 00000 n 
+0000250250 00000 n 
+0000249687 00000 n 
+0000246403 00000 n 
+0000250185 00000 n 
+0000249843 00000 n 
+0000250014 00000 n 
+0000408166 00000 n 
+0000253605 00000 n 
+0000253156 00000 n 
+0000250419 00000 n 
+0000253282 00000 n 
+0000253411 00000 n 
+0000253540 00000 n 
+0000256998 00000 n 
+0000256807 00000 n 
+0000253730 00000 n 
+0000256933 00000 n 
+0000260407 00000 n 
+0000260088 00000 n 
+0000257167 00000 n 
+0000260214 00000 n 
+0000775116 00000 n 
+0000264208 00000 n 
+0000264017 00000 n 
+0000260563 00000 n 
+0000264143 00000 n 
+0000268580 00000 n 
+0000267766 00000 n 
+0000264377 00000 n 
+0000268257 00000 n 
+0000268386 00000 n 
+0000267922 00000 n 
+0000268515 00000 n 
+0000268082 00000 n 
+0000272752 00000 n 
+0000272256 00000 n 
+0000268735 00000 n 
+0000272558 00000 n 
+0000272687 00000 n 
+0000272403 00000 n 
+0000276242 00000 n 
+0000275794 00000 n 
+0000272877 00000 n 
+0000275920 00000 n 
+0000276049 00000 n 
+0000276178 00000 n 
+0000280086 00000 n 
+0000279420 00000 n 
+0000276397 00000 n 
+0000279893 00000 n 
+0000280021 00000 n 
+0000279576 00000 n 
+0000279738 00000 n 
+0000283633 00000 n 
+0000282993 00000 n 
+0000280255 00000 n 
+0000283309 00000 n 
+0000283140 00000 n 
+0000283503 00000 n 
+0000283568 00000 n 
+0000775241 00000 n 
+0000287673 00000 n 
+0000287170 00000 n 
+0000283816 00000 n 
+0000287479 00000 n 
+0000287608 00000 n 
+0000287317 00000 n 
+0000292591 00000 n 
+0000291913 00000 n 
+0000287841 00000 n 
+0000292397 00000 n 
+0000292069 00000 n 
+0000587807 00000 n 
+0000585809 00000 n 
+0000587642 00000 n 
+0000292526 00000 n 
+0000292230 00000 n 
+0000387262 00000 n 
+0000320278 00000 n 
+0000295952 00000 n 
+0000295632 00000 n 
+0000292717 00000 n 
+0000295758 00000 n 
+0000295887 00000 n 
+0000299742 00000 n 
+0000299422 00000 n 
+0000296077 00000 n 
+0000299548 00000 n 
+0000303923 00000 n 
+0000303432 00000 n 
+0000299897 00000 n 
+0000303729 00000 n 
+0000303858 00000 n 
+0000303579 00000 n 
+0000307207 00000 n 
+0000306758 00000 n 
+0000304049 00000 n 
+0000306884 00000 n 
+0000307013 00000 n 
+0000775366 00000 n 
+0000312093 00000 n 
+0000311434 00000 n 
+0000307319 00000 n 
+0000311899 00000 n 
+0000311590 00000 n 
+0000311740 00000 n 
+0000312028 00000 n 
+0000316232 00000 n 
+0000315479 00000 n 
+0000312205 00000 n 
+0000315780 00000 n 
+0000315909 00000 n 
+0000316038 00000 n 
+0000316167 00000 n 
+0000315626 00000 n 
+0000320342 00000 n 
+0000319766 00000 n 
+0000316344 00000 n 
+0000319892 00000 n 
+0000320021 00000 n 
+0000320149 00000 n 
+0000323815 00000 n 
+0000323495 00000 n 
+0000320467 00000 n 
+0000323621 00000 n 
+0000323750 00000 n 
+0000325565 00000 n 
+0000325245 00000 n 
+0000323927 00000 n 
+0000325371 00000 n 
+0000327118 00000 n 
+0000326927 00000 n 
+0000325677 00000 n 
+0000327053 00000 n 
+0000775491 00000 n 
+0000328936 00000 n 
+0000328360 00000 n 
+0000327217 00000 n 
+0000328486 00000 n 
+0000328615 00000 n 
+0000328744 00000 n 
+0000328808 00000 n 
+0000328872 00000 n 
+0000332781 00000 n 
+0000332590 00000 n 
+0000329048 00000 n 
+0000332716 00000 n 
+0000338020 00000 n 
+0000336178 00000 n 
+0000332893 00000 n 
+0000337697 00000 n 
+0000336388 00000 n 
+0000337826 00000 n 
+0000337955 00000 n 
+0000336555 00000 n 
+0000336717 00000 n 
+0000336879 00000 n 
+0000337041 00000 n 
+0000337203 00000 n 
+0000337365 00000 n 
+0000337536 00000 n 
+0000566755 00000 n 
+0000343300 00000 n 
+0000341376 00000 n 
+0000338132 00000 n 
+0000343235 00000 n 
+0000341604 00000 n 
+0000341767 00000 n 
+0000341928 00000 n 
+0000342089 00000 n 
+0000342251 00000 n 
+0000342414 00000 n 
+0000342576 00000 n 
+0000342739 00000 n 
+0000342900 00000 n 
+0000343067 00000 n 
+0000349778 00000 n 
+0000346211 00000 n 
+0000343425 00000 n 
+0000349713 00000 n 
+0000346529 00000 n 
+0000346690 00000 n 
+0000346852 00000 n 
+0000347014 00000 n 
+0000347175 00000 n 
+0000347337 00000 n 
+0000347491 00000 n 
+0000347654 00000 n 
+0000347807 00000 n 
+0000347960 00000 n 
+0000348110 00000 n 
+0000348264 00000 n 
+0000348426 00000 n 
+0000348588 00000 n 
+0000348750 00000 n 
+0000348912 00000 n 
+0000349074 00000 n 
+0000349236 00000 n 
+0000349398 00000 n 
+0000349552 00000 n 
+0000354172 00000 n 
+0000353346 00000 n 
+0000349890 00000 n 
+0000353978 00000 n 
+0000353511 00000 n 
+0000353662 00000 n 
+0000353825 00000 n 
+0000775616 00000 n 
+0000357662 00000 n 
+0000357342 00000 n 
+0000354311 00000 n 
+0000357468 00000 n 
+0000357533 00000 n 
+0000357597 00000 n 
+0000362047 00000 n 
+0000360849 00000 n 
+0000357831 00000 n 
+0000361337 00000 n 
+0000361466 00000 n 
+0000361722 00000 n 
+0000361005 00000 n 
+0000361175 00000 n 
+0000361787 00000 n 
+0000361852 00000 n 
+0000361917 00000 n 
+0000361982 00000 n 
+0000365222 00000 n 
+0000365031 00000 n 
+0000362159 00000 n 
+0000365157 00000 n 
+0000369266 00000 n 
+0000368690 00000 n 
+0000365308 00000 n 
+0000368816 00000 n 
+0000368881 00000 n 
+0000368946 00000 n 
+0000369073 00000 n 
+0000369138 00000 n 
+0000369202 00000 n 
+0000373044 00000 n 
+0000372336 00000 n 
+0000369391 00000 n 
+0000372462 00000 n 
+0000372527 00000 n 
+0000372592 00000 n 
+0000372721 00000 n 
+0000372786 00000 n 
+0000372851 00000 n 
+0000372980 00000 n 
+0000376994 00000 n 
+0000376029 00000 n 
+0000373169 00000 n 
+0000376155 00000 n 
+0000376220 00000 n 
+0000376285 00000 n 
+0000376414 00000 n 
+0000376479 00000 n 
+0000376544 00000 n 
+0000376672 00000 n 
+0000376801 00000 n 
+0000376930 00000 n 
+0000775741 00000 n 
+0000380199 00000 n 
+0000379621 00000 n 
+0000377204 00000 n 
+0000379747 00000 n 
+0000379876 00000 n 
+0000380005 00000 n 
+0000380134 00000 n 
+0000383626 00000 n 
+0000383305 00000 n 
+0000380396 00000 n 
+0000383431 00000 n 
+0000383496 00000 n 
+0000383561 00000 n 
+0000387586 00000 n 
+0000387007 00000 n 
+0000383751 00000 n 
+0000387133 00000 n 
+0000387391 00000 n 
+0000387456 00000 n 
+0000387521 00000 n 
+0000391284 00000 n 
+0000390395 00000 n 
+0000387711 00000 n 
+0000390702 00000 n 
+0000390542 00000 n 
+0000390960 00000 n 
+0000391089 00000 n 
+0000391154 00000 n 
+0000391219 00000 n 
+0000395036 00000 n 
+0000394404 00000 n 
+0000391396 00000 n 
+0000394716 00000 n 
+0000394551 00000 n 
+0000394845 00000 n 
+0000394908 00000 n 
+0000394971 00000 n 
+0000566722 00000 n 
+0000398759 00000 n 
+0000398310 00000 n 
+0000395148 00000 n 
+0000398436 00000 n 
+0000398564 00000 n 
+0000398629 00000 n 
+0000398694 00000 n 
+0000775866 00000 n 
+0000401902 00000 n 
+0000401324 00000 n 
+0000398871 00000 n 
+0000401450 00000 n 
+0000401579 00000 n 
+0000401644 00000 n 
+0000401708 00000 n 
+0000585528 00000 n 
+0000578244 00000 n 
+0000585348 00000 n 
+0000401837 00000 n 
+0000403810 00000 n 
+0000403361 00000 n 
+0000402042 00000 n 
+0000403487 00000 n 
+0000403616 00000 n 
+0000403745 00000 n 
+0000408231 00000 n 
+0000407288 00000 n 
+0000403922 00000 n 
+0000407651 00000 n 
+0000577923 00000 n 
+0000568710 00000 n 
+0000577737 00000 n 
+0000407435 00000 n 
+0000407780 00000 n 
+0000407908 00000 n 
+0000408037 00000 n 
+0000409586 00000 n 
+0000409395 00000 n 
+0000408468 00000 n 
+0000409521 00000 n 
+0000410026 00000 n 
+0000409835 00000 n 
+0000409685 00000 n 
+0000409961 00000 n 
+0000413340 00000 n 
+0000412114 00000 n 
+0000410068 00000 n 
+0000412631 00000 n 
+0000412760 00000 n 
+0000412889 00000 n 
+0000413018 00000 n 
+0000413147 00000 n 
+0000413276 00000 n 
+0000412270 00000 n 
+0000412442 00000 n 
+0000775991 00000 n 
+0000413794 00000 n 
+0000413603 00000 n 
+0000413453 00000 n 
+0000413729 00000 n 
+0000417039 00000 n 
+0000416461 00000 n 
+0000413836 00000 n 
+0000416587 00000 n 
+0000416716 00000 n 
+0000416845 00000 n 
+0000416974 00000 n 
+0000421235 00000 n 
+0000420016 00000 n 
+0000417125 00000 n 
+0000420526 00000 n 
+0000420655 00000 n 
+0000420913 00000 n 
+0000420172 00000 n 
+0000420351 00000 n 
+0000421107 00000 n 
+0000421171 00000 n 
+0000428122 00000 n 
+0000424294 00000 n 
+0000421388 00000 n 
+0000424420 00000 n 
+0000424485 00000 n 
+0000424550 00000 n 
+0000424615 00000 n 
+0000424680 00000 n 
+0000424745 00000 n 
+0000424810 00000 n 
+0000424875 00000 n 
+0000424940 00000 n 
+0000425005 00000 n 
+0000425135 00000 n 
+0000425200 00000 n 
+0000425265 00000 n 
+0000425330 00000 n 
+0000425395 00000 n 
+0000425460 00000 n 
+0000425525 00000 n 
+0000425590 00000 n 
+0000425655 00000 n 
+0000425720 00000 n 
+0000425785 00000 n 
+0000425850 00000 n 
+0000425915 00000 n 
+0000425980 00000 n 
+0000426045 00000 n 
+0000426110 00000 n 
+0000426175 00000 n 
+0000426240 00000 n 
+0000426305 00000 n 
+0000426370 00000 n 
+0000426435 00000 n 
+0000426500 00000 n 
+0000426565 00000 n 
+0000426630 00000 n 
+0000426694 00000 n 
+0000426759 00000 n 
+0000426824 00000 n 
+0000426889 00000 n 
+0000426954 00000 n 
+0000427019 00000 n 
+0000427084 00000 n 
+0000427149 00000 n 
+0000427214 00000 n 
+0000427279 00000 n 
+0000427344 00000 n 
+0000427409 00000 n 
+0000427474 00000 n 
+0000427539 00000 n 
+0000427604 00000 n 
+0000427669 00000 n 
+0000427734 00000 n 
+0000427799 00000 n 
+0000427864 00000 n 
+0000427929 00000 n 
+0000427994 00000 n 
+0000428058 00000 n 
+0000434768 00000 n 
+0000431204 00000 n 
+0000428234 00000 n 
+0000431330 00000 n 
+0000431395 00000 n 
+0000431460 00000 n 
+0000431525 00000 n 
+0000431590 00000 n 
+0000431655 00000 n 
+0000431720 00000 n 
+0000431785 00000 n 
+0000431850 00000 n 
+0000431915 00000 n 
+0000431980 00000 n 
+0000432045 00000 n 
+0000432109 00000 n 
+0000432174 00000 n 
+0000432239 00000 n 
+0000432304 00000 n 
+0000432369 00000 n 
+0000432434 00000 n 
+0000432499 00000 n 
+0000432564 00000 n 
+0000432629 00000 n 
+0000432694 00000 n 
+0000432759 00000 n 
+0000432824 00000 n 
+0000432888 00000 n 
+0000432953 00000 n 
+0000433018 00000 n 
+0000433083 00000 n 
+0000433148 00000 n 
+0000433213 00000 n 
+0000433278 00000 n 
+0000433343 00000 n 
+0000433408 00000 n 
+0000433473 00000 n 
+0000433538 00000 n 
+0000433603 00000 n 
+0000433668 00000 n 
+0000433733 00000 n 
+0000433798 00000 n 
+0000433863 00000 n 
+0000433927 00000 n 
+0000433991 00000 n 
+0000434055 00000 n 
+0000434120 00000 n 
+0000434185 00000 n 
+0000434250 00000 n 
+0000434315 00000 n 
+0000434380 00000 n 
+0000434445 00000 n 
+0000434510 00000 n 
+0000434575 00000 n 
+0000434640 00000 n 
+0000434704 00000 n 
+0000440941 00000 n 
+0000437503 00000 n 
+0000434880 00000 n 
+0000437629 00000 n 
+0000437694 00000 n 
+0000437759 00000 n 
+0000437824 00000 n 
+0000437889 00000 n 
+0000437954 00000 n 
+0000438019 00000 n 
+0000438084 00000 n 
+0000438149 00000 n 
+0000438214 00000 n 
+0000438279 00000 n 
+0000438344 00000 n 
+0000438409 00000 n 
+0000438474 00000 n 
+0000438539 00000 n 
+0000438604 00000 n 
+0000438669 00000 n 
+0000438734 00000 n 
+0000438799 00000 n 
+0000438864 00000 n 
+0000438929 00000 n 
+0000438994 00000 n 
+0000439059 00000 n 
+0000439124 00000 n 
+0000439189 00000 n 
+0000439254 00000 n 
+0000439319 00000 n 
+0000439384 00000 n 
+0000439449 00000 n 
+0000439514 00000 n 
+0000439579 00000 n 
+0000439644 00000 n 
+0000439709 00000 n 
+0000439774 00000 n 
+0000439838 00000 n 
+0000439903 00000 n 
+0000439968 00000 n 
+0000440033 00000 n 
+0000440098 00000 n 
+0000440163 00000 n 
+0000440228 00000 n 
+0000440293 00000 n 
+0000440358 00000 n 
+0000440423 00000 n 
+0000440488 00000 n 
+0000440553 00000 n 
+0000440618 00000 n 
+0000440683 00000 n 
+0000440748 00000 n 
+0000440813 00000 n 
+0000440877 00000 n 
+0000776116 00000 n 
+0000445519 00000 n 
+0000443255 00000 n 
+0000441053 00000 n 
+0000443381 00000 n 
+0000443446 00000 n 
+0000443511 00000 n 
+0000443576 00000 n 
+0000443641 00000 n 
+0000443706 00000 n 
+0000443771 00000 n 
+0000443836 00000 n 
+0000443901 00000 n 
+0000443966 00000 n 
+0000444031 00000 n 
+0000444096 00000 n 
+0000444161 00000 n 
+0000444226 00000 n 
+0000444288 00000 n 
+0000444352 00000 n 
+0000444417 00000 n 
+0000444481 00000 n 
+0000444546 00000 n 
+0000444611 00000 n 
+0000444676 00000 n 
+0000444741 00000 n 
+0000444806 00000 n 
+0000444871 00000 n 
+0000444936 00000 n 
+0000445065 00000 n 
+0000445194 00000 n 
+0000445259 00000 n 
+0000445324 00000 n 
+0000445389 00000 n 
+0000445454 00000 n 
+0000448314 00000 n 
+0000447670 00000 n 
+0000445644 00000 n 
+0000447796 00000 n 
+0000447925 00000 n 
+0000448054 00000 n 
+0000448119 00000 n 
+0000448184 00000 n 
+0000448249 00000 n 
+0000452652 00000 n 
+0000452332 00000 n 
+0000448427 00000 n 
+0000452458 00000 n 
+0000452523 00000 n 
+0000452588 00000 n 
+0000456252 00000 n 
+0000455997 00000 n 
+0000452805 00000 n 
+0000456123 00000 n 
+0000456188 00000 n 
+0000459500 00000 n 
+0000459309 00000 n 
+0000456391 00000 n 
+0000459435 00000 n 
+0000463228 00000 n 
+0000462972 00000 n 
+0000459626 00000 n 
+0000463098 00000 n 
+0000463163 00000 n 
+0000776241 00000 n 
+0000466069 00000 n 
+0000465361 00000 n 
+0000463367 00000 n 
+0000465487 00000 n 
+0000465552 00000 n 
+0000465617 00000 n 
+0000465682 00000 n 
+0000465747 00000 n 
+0000465876 00000 n 
+0000465941 00000 n 
+0000466005 00000 n 
+0000470737 00000 n 
+0000470481 00000 n 
+0000466208 00000 n 
+0000470607 00000 n 
+0000470672 00000 n 
+0000473733 00000 n 
+0000472960 00000 n 
+0000470863 00000 n 
+0000473086 00000 n 
+0000473151 00000 n 
+0000473216 00000 n 
+0000473281 00000 n 
+0000473410 00000 n 
+0000473475 00000 n 
+0000473538 00000 n 
+0000473603 00000 n 
+0000473668 00000 n 
+0000476643 00000 n 
+0000476128 00000 n 
+0000473886 00000 n 
+0000476254 00000 n 
+0000476319 00000 n 
+0000476384 00000 n 
+0000476449 00000 n 
+0000476514 00000 n 
+0000476579 00000 n 
+0000479764 00000 n 
+0000479184 00000 n 
+0000476795 00000 n 
+0000479310 00000 n 
+0000479439 00000 n 
+0000479504 00000 n 
+0000479569 00000 n 
+0000479634 00000 n 
+0000479699 00000 n 
+0000482694 00000 n 
+0000482049 00000 n 
+0000479904 00000 n 
+0000482175 00000 n 
+0000482240 00000 n 
+0000482305 00000 n 
+0000482370 00000 n 
+0000482499 00000 n 
+0000482564 00000 n 
+0000482629 00000 n 
+0000776366 00000 n 
+0000486310 00000 n 
+0000485990 00000 n 
+0000482860 00000 n 
+0000486116 00000 n 
+0000486181 00000 n 
+0000486245 00000 n 
+0000489745 00000 n 
+0000489489 00000 n 
+0000486436 00000 n 
+0000489615 00000 n 
+0000489680 00000 n 
+0000492841 00000 n 
+0000492198 00000 n 
+0000489871 00000 n 
+0000492324 00000 n 
+0000492389 00000 n 
+0000492454 00000 n 
+0000492519 00000 n 
+0000492583 00000 n 
+0000492712 00000 n 
+0000492777 00000 n 
+0000495281 00000 n 
+0000494509 00000 n 
+0000493006 00000 n 
+0000494635 00000 n 
+0000494700 00000 n 
+0000494765 00000 n 
+0000494829 00000 n 
+0000494894 00000 n 
+0000494959 00000 n 
+0000495088 00000 n 
+0000495153 00000 n 
+0000495217 00000 n 
+0000498683 00000 n 
+0000498297 00000 n 
+0000495434 00000 n 
+0000498423 00000 n 
+0000498488 00000 n 
+0000498553 00000 n 
+0000498618 00000 n 
+0000501897 00000 n 
+0000501122 00000 n 
+0000498809 00000 n 
+0000501248 00000 n 
+0000501313 00000 n 
+0000501378 00000 n 
+0000501443 00000 n 
+0000501572 00000 n 
+0000501637 00000 n 
+0000501702 00000 n 
+0000501767 00000 n 
+0000501832 00000 n 
+0000776491 00000 n 
+0000505743 00000 n 
+0000505552 00000 n 
+0000502050 00000 n 
+0000505678 00000 n 
+0000509073 00000 n 
+0000508882 00000 n 
+0000505869 00000 n 
+0000509008 00000 n 
+0000512118 00000 n 
+0000511862 00000 n 
 0000509199 00000 n 
-0000509264 00000 n 
-0000509329 00000 n 
-0000512665 00000 n 
-0000512344 00000 n 
-0000509547 00000 n 
-0000512470 00000 n 
-0000512535 00000 n 
-0000512600 00000 n 
-0000515904 00000 n 
-0000515584 00000 n 
-0000512805 00000 n 
-0000515710 00000 n 
-0000515775 00000 n 
-0000515840 00000 n 
-0000768997 00000 n 
-0000519223 00000 n 
-0000518578 00000 n 
-0000516043 00000 n 
-0000518704 00000 n 
-0000518769 00000 n 
-0000518898 00000 n 
-0000518963 00000 n 
-0000519028 00000 n 
-0000519093 00000 n 
-0000519158 00000 n 
-0000522298 00000 n 
-0000522107 00000 n 
-0000519363 00000 n 
-0000522233 00000 n 
-0000525061 00000 n 
-0000524548 00000 n 
-0000522509 00000 n 
-0000524674 00000 n 
-0000524739 00000 n 
-0000524803 00000 n 
-0000524868 00000 n 
-0000524933 00000 n 
-0000524998 00000 n 
-0000529299 00000 n 
-0000528784 00000 n 
-0000525270 00000 n 
-0000528910 00000 n 
-0000529039 00000 n 
-0000529104 00000 n 
-0000529169 00000 n 
-0000529234 00000 n 
-0000533385 00000 n 
-0000533129 00000 n 
-0000529425 00000 n 
-0000533255 00000 n 
-0000533320 00000 n 
-0000536595 00000 n 
-0000536339 00000 n 
-0000533511 00000 n 
-0000536465 00000 n 
-0000536530 00000 n 
-0000769122 00000 n 
-0000539380 00000 n 
-0000538736 00000 n 
-0000536721 00000 n 
-0000538862 00000 n 
-0000538927 00000 n 
-0000538992 00000 n 
-0000539057 00000 n 
-0000539186 00000 n 
-0000539251 00000 n 
-0000539316 00000 n 
-0000543149 00000 n 
-0000542764 00000 n 
-0000539532 00000 n 
-0000542890 00000 n 
-0000542955 00000 n 
-0000543019 00000 n 
-0000543084 00000 n 
-0000546740 00000 n 
-0000546095 00000 n 
-0000543289 00000 n 
-0000546221 00000 n 
-0000546286 00000 n 
-0000546351 00000 n 
-0000546480 00000 n 
-0000546545 00000 n 
-0000546610 00000 n 
-0000546675 00000 n 
-0000549011 00000 n 
-0000548755 00000 n 
-0000546892 00000 n 
-0000548881 00000 n 
-0000548946 00000 n 
-0000552492 00000 n 
-0000551718 00000 n 
-0000549150 00000 n 
-0000551844 00000 n 
-0000551909 00000 n 
-0000551974 00000 n 
-0000552039 00000 n 
-0000552167 00000 n 
-0000552232 00000 n 
-0000552297 00000 n 
-0000552362 00000 n 
-0000552427 00000 n 
-0000555564 00000 n 
-0000554985 00000 n 
-0000552645 00000 n 
-0000555111 00000 n 
-0000555176 00000 n 
-0000555241 00000 n 
-0000555306 00000 n 
-0000555435 00000 n 
-0000555500 00000 n 
-0000769247 00000 n 
-0000559377 00000 n 
-0000558929 00000 n 
-0000555716 00000 n 
-0000559055 00000 n 
-0000559120 00000 n 
-0000559185 00000 n 
-0000559250 00000 n 
-0000559314 00000 n 
-0000560195 00000 n 
-0000559939 00000 n 
-0000559543 00000 n 
-0000560065 00000 n 
-0000560130 00000 n 
-0000560393 00000 n 
-0000571737 00000 n 
-0000579326 00000 n 
-0000581625 00000 n 
-0000581594 00000 n 
-0000585312 00000 n 
-0000594753 00000 n 
-0000605260 00000 n 
-0000615823 00000 n 
-0000628528 00000 n 
-0000647595 00000 n 
-0000668482 00000 n 
-0000690625 00000 n 
-0000708520 00000 n 
-0000711350 00000 n 
-0000711120 00000 n 
-0000738657 00000 n 
-0000765768 00000 n 
-0000769345 00000 n 
-0000769469 00000 n 
-0000769595 00000 n 
-0000769721 00000 n 
-0000769847 00000 n 
-0000769927 00000 n 
-0000770028 00000 n 
-0000787015 00000 n 
-0000807186 00000 n 
-0000807227 00000 n 
-0000807267 00000 n 
-0000807401 00000 n 
+0000511988 00000 n 
+0000512053 00000 n 
+0000514686 00000 n 
+0000513913 00000 n 
+0000512271 00000 n 
+0000514039 00000 n 
+0000514104 00000 n 
+0000514169 00000 n 
+0000514298 00000 n 
+0000514363 00000 n 
+0000514428 00000 n 
+0000514493 00000 n 
+0000514558 00000 n 
+0000514623 00000 n 
+0000517590 00000 n 
+0000516880 00000 n 
+0000514839 00000 n 
+0000517006 00000 n 
+0000517071 00000 n 
+0000517136 00000 n 
+0000517265 00000 n 
+0000517330 00000 n 
+0000517395 00000 n 
+0000517460 00000 n 
+0000517525 00000 n 
+0000521139 00000 n 
+0000520948 00000 n 
+0000517743 00000 n 
+0000521074 00000 n 
+0000776616 00000 n 
+0000523800 00000 n 
+0000523091 00000 n 
+0000521265 00000 n 
+0000523217 00000 n 
+0000523282 00000 n 
+0000523347 00000 n 
+0000523412 00000 n 
+0000523541 00000 n 
+0000523606 00000 n 
+0000523671 00000 n 
+0000523735 00000 n 
+0000527315 00000 n 
+0000527059 00000 n 
+0000523953 00000 n 
+0000527185 00000 n 
+0000527250 00000 n 
+0000530252 00000 n 
+0000529996 00000 n 
+0000527526 00000 n 
+0000530122 00000 n 
+0000530187 00000 n 
+0000533482 00000 n 
+0000532708 00000 n 
+0000530463 00000 n 
+0000532834 00000 n 
+0000532899 00000 n 
+0000532964 00000 n 
+0000533029 00000 n 
+0000533094 00000 n 
+0000533222 00000 n 
+0000533287 00000 n 
+0000533352 00000 n 
+0000533417 00000 n 
+0000538095 00000 n 
+0000537840 00000 n 
+0000533634 00000 n 
+0000537966 00000 n 
+0000538031 00000 n 
+0000541877 00000 n 
+0000541686 00000 n 
+0000538221 00000 n 
+0000541812 00000 n 
+0000776741 00000 n 
+0000544708 00000 n 
+0000544387 00000 n 
+0000542003 00000 n 
+0000544513 00000 n 
+0000544578 00000 n 
+0000544643 00000 n 
+0000548167 00000 n 
+0000547457 00000 n 
+0000544860 00000 n 
+0000547583 00000 n 
+0000547648 00000 n 
+0000547713 00000 n 
+0000547842 00000 n 
+0000547907 00000 n 
+0000547972 00000 n 
+0000548037 00000 n 
+0000548102 00000 n 
+0000551298 00000 n 
+0000550589 00000 n 
+0000548307 00000 n 
+0000550715 00000 n 
+0000550780 00000 n 
+0000550845 00000 n 
+0000550909 00000 n 
+0000551038 00000 n 
+0000551103 00000 n 
+0000551168 00000 n 
+0000551233 00000 n 
+0000554482 00000 n 
+0000554226 00000 n 
+0000551464 00000 n 
+0000554352 00000 n 
+0000554417 00000 n 
+0000557228 00000 n 
+0000556585 00000 n 
+0000554608 00000 n 
+0000556711 00000 n 
+0000556776 00000 n 
+0000556841 00000 n 
+0000556906 00000 n 
+0000557034 00000 n 
+0000557099 00000 n 
+0000557164 00000 n 
+0000560960 00000 n 
+0000560640 00000 n 
+0000557380 00000 n 
+0000560766 00000 n 
+0000560831 00000 n 
+0000560896 00000 n 
+0000776866 00000 n 
+0000564001 00000 n 
+0000563229 00000 n 
+0000561086 00000 n 
+0000563355 00000 n 
+0000563420 00000 n 
+0000563485 00000 n 
+0000563550 00000 n 
+0000563679 00000 n 
+0000563744 00000 n 
+0000563809 00000 n 
+0000563872 00000 n 
+0000563937 00000 n 
+0000566569 00000 n 
+0000566248 00000 n 
+0000564180 00000 n 
+0000566374 00000 n 
+0000566439 00000 n 
+0000566504 00000 n 
+0000566821 00000 n 
+0000578165 00000 n 
+0000585754 00000 n 
+0000588054 00000 n 
+0000588023 00000 n 
+0000591740 00000 n 
+0000601181 00000 n 
+0000611688 00000 n 
+0000623429 00000 n 
+0000636146 00000 n 
+0000655213 00000 n 
+0000676100 00000 n 
+0000698243 00000 n 
+0000716138 00000 n 
+0000718968 00000 n 
+0000718738 00000 n 
+0000746275 00000 n 
+0000773386 00000 n 
+0000776964 00000 n 
+0000777088 00000 n 
+0000777214 00000 n 
+0000777340 00000 n 
+0000777466 00000 n 
+0000777546 00000 n 
+0000777647 00000 n 
+0000794820 00000 n 
+0000815118 00000 n 
+0000815159 00000 n 
+0000815199 00000 n 
+0000815333 00000 n 
 trailer
 <<
-/Size 2257
-/Root 2255 0 R
-/Info 2256 0 R
-/ID [ ]
+/Size 2270
+/Root 2268 0 R
+/Info 2269 0 R
+/ID [<9624E1A96827473083CB913E1B65D3B4> <9624E1A96827473083CB913E1B65D3B4>]
 >>
 startxref
-807659
+815591
 %%EOF

From bbc204a23719180dce68142ea2440c484e3ccb75 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 3 Sep 2009 04:09:58 +0000
Subject: [PATCH 099/385] 2669.   [func]          Update PKCS#11 support to
 support Keyper HSM.                         Update PKCS#11 patch to be
 against openssl-0.9.8i.

---
 CHANGES                                    |     3 +
 README.pkcs11                              |    45 +-
 contrib/pkcs11-keygen/README               |     2 +
 contrib/pkcs11-keygen/openssl-0.9.8g-patch |  8715 ------------
 contrib/pkcs11-keygen/openssl-0.9.8i-patch | 14221 +++++++++++++++++++
 lib/dns/dst_api.c                          |    19 +-
 lib/dns/dst_internal.h                     |     6 +-
 lib/dns/hmac_link.c                        |    20 +-
 lib/dns/openssl_link.c                     |    15 +-
 lib/dns/openssldh_link.c                   |     5 +-
 lib/dns/openssldsa_link.c                  |     5 +-
 lib/dns/opensslrsa_link.c                  |    59 +-
 12 files changed, 14360 insertions(+), 8755 deletions(-)
 delete mode 100644 contrib/pkcs11-keygen/openssl-0.9.8g-patch
 create mode 100644 contrib/pkcs11-keygen/openssl-0.9.8i-patch

diff --git a/CHANGES b/CHANGES
index dd97e65a20..daa74098c8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2669.	[func]		Update PKCS#11 support to support Keyper HSM.
+			Update PKCS#11 patch to be against openssl-0.9.8i.
+
 	--- 9.7.0a3 released ---
 
 2668.	[func]		Several improvements to dnssec-* tools, including:
diff --git a/README.pkcs11 b/README.pkcs11
index b58640de1c..7af9d242d0 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -4,8 +4,9 @@
 Prerequisite
 
 The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
-and some improvements, including user friendly PIN management.
+released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
+and some improvements, including user friendly PIN management. You may also
+use the original engine code.
 
 Compilation
 
@@ -14,7 +15,9 @@ Compilation
 PKCS#11 Libraries
 
 Tested with Solaris one with a SCA board and with openCryptoki with the
-software token.
+software token. Known to work on Linux and Windows 2003 server so
+should work on most operating systems. For AEP Keyper or any device used
+only for its protected key store, please switch to the sign-only engine.
 
 OpenSSL Engines
 
@@ -35,9 +38,13 @@ PKCS#11 tools
 The contrib/pkcs11-keygen directory contains a set of experimental tools
 to handle keys stored in a Hardware Security Module at the benefit of BIND.
 
-The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
+The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
 for the way to use it (these are the original notes so with the original
-path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
+path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
+a operating system which is not Solaris.)
+
+Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
+are functional.
 
 PIN management
 
@@ -55,7 +62,33 @@ OpenSSL configuration file (aka. openssl.cnf) by adding in it:
 	[ pkcs11_section ]
 	PIN = put__your__pin__value__here
 
-Note
+Slot management
+
+The engine tries to use the first best slot but it is recommended
+to simply use the slot 0 (usual default, meta-slot on Solaris).
+
+Sign-only engine
+
+openssl.../crypto/engibe/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
+has only the useful functions (i.e., signature with a RSA private
+key in the device protected key store and key loading).
+
+This engine should be used with a device which provides mainly
+a protected store and no acceleration. AEP Keyper is an example
+of such a device (BTW with the fully capable engine, key export
+must be enabled on this device and this configuration is not yet
+supported).
+
+Original engine
+
+If you are using the original engine and getpassphrase() is not defined, add:
+#define getpassphrase(x) getpass(x)
+in openssl.../crypto/engine/hw_pk11_pub.c
+
+Notes
 
 Some names here are registered trademarks, at least Solaris is a trademark
 of Sun Microsystems Inc...
+Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
+The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
diff --git a/contrib/pkcs11-keygen/README b/contrib/pkcs11-keygen/README
index 4104e17a4e..718208f063 100644
--- a/contrib/pkcs11-keygen/README
+++ b/contrib/pkcs11-keygen/README
@@ -4,6 +4,8 @@ an id of the keytag in hex.
 
 Run genkey.sh to generate a new key and call the other programs in turn.
 Run writekey.sh to load key to the key store from Kxxx.{key,private}.
+Run genkey, dnssec-keyfromlabel and optionally set_key_id when you have
+no perl or no Net::DNS::SEC perl module.
 
 genkey[.c] uses PKCS11 calls to generate keys.
 PEM_write_pubkey[.c] uses OpenSSL to write a public key from the key store
diff --git a/contrib/pkcs11-keygen/openssl-0.9.8g-patch b/contrib/pkcs11-keygen/openssl-0.9.8g-patch
deleted file mode 100644
index 6d93c687e3..0000000000
--- a/contrib/pkcs11-keygen/openssl-0.9.8g-patch
+++ /dev/null
@@ -1,8715 +0,0 @@
-diff -r -u -N openssl-0.9.8g/Configure openssl/Configure
---- openssl-0.9.8g/Configure	2007-09-16 14:24:17.000000000 +0200
-+++ openssl/Configure	2007-10-25 01:27:08.000000000 +0200
-@@ -10,7 +10,7 @@
- 
- # see INSTALL for instructions.
- 
--my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure  --pk11-libname=PK11_LIB_LOCATION [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
- 
- # Options:
- #
-@@ -19,6 +19,9 @@
- # --prefix      prefix for the OpenSSL include, lib and bin directories
- #               (Default: the OPENSSLDIR directory)
- #
-+# --pk11_libname  PKCS#11 library name.
-+#               (Default: none)
-+#
- # --install_prefix  Additional prefix for package builders (empty by
- #               default).  This needn't be set in advance, you can
- #               just as well use "make INSTALL_PREFIX=/whatever install".
-@@ -560,6 +563,8 @@
- my $idx_ranlib = $idx++;
- my $idx_arflags = $idx++;
- 
-+my $pk11_libname="";
-+
- my $prefix="";
- my $openssldir="";
- my $exe_ext="";
-@@ -738,6 +743,10 @@
- 				{
- 				$flags.=$_." ";
- 				}
-+                        elsif (/^--pk11-libname=(.*)$/)
-+                                {
-+                                $pk11_libname=$1;
-+                                }
- 			elsif (/^--prefix=(.*)$/)
- 				{
- 				$prefix=$1;
-@@ -861,6 +870,13 @@
- 	exit 0;
- }
- 
-+if (! $pk11_libname)
-+        {
-+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
-+        print STDERR "See README.pkcs11 for more information.\n";
-+        exit 1;
-+        }
-+
- if ($target =~ m/^CygWin32(-.*)$/) {
- 	$target = "Cygwin".$1;
- }
-@@ -986,6 +1002,8 @@
- if ($flags ne "")	{ $cflags="$flags$cflags"; }
- else			{ $no_user_cflags=1;       }
- 
-+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
-+
- # Kerberos settings.  The flavor must be provided from outside, either through
- # the script "config" or manually.
- if (!$no_krb5)
-@@ -1319,6 +1337,7 @@
- 	s/^VERSION=.*/VERSION=$version/;
- 	s/^MAJOR=.*/MAJOR=$major/;
- 	s/^MINOR=.*/MINOR=$minor/;
-+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
- 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
- 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
- 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-diff -r -u -N openssl-0.9.8g/crypto/engine/cryptoki.h openssl/crypto/engine/cryptoki.h
---- openssl-0.9.8g/crypto/engine/cryptoki.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/cryptoki.h	2007-10-25 01:27:09.000000000 +0200
-@@ -0,0 +1,103 @@
-+/*
-+ * CDDL HEADER START
-+ *
-+ * The contents of this file are subject to the terms of the
-+ * Common Development and Distribution License, Version 1.0 only
-+ * (the "License").  You may not use this file except in compliance
-+ * with the License.
-+ *
-+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-+ * or http://www.opensolaris.org/os/licensing.
-+ * See the License for the specific language governing permissions
-+ * and limitations under the License.
-+ *
-+ * When distributing Covered Code, include this CDDL HEADER in each
-+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-+ * If applicable, add the following below this CDDL HEADER, with the
-+ * fields enclosed by brackets "[]" replaced with your own identifying
-+ * information: Portions Copyright [yyyy] [name of copyright owner]
-+ *
-+ * CDDL HEADER END
-+ */
-+/*
-+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#ifndef	_CRYPTOKI_H
-+#define	_CRYPTOKI_H
-+
-+#pragma ident	"@(#)cryptoki.h	1.2	05/06/08 SMI"
-+
-+#ifdef	__cplusplus
-+extern "C" {
-+#endif
-+
-+#ifndef	CK_PTR
-+#define	CK_PTR *
-+#endif
-+
-+#ifndef CK_DEFINE_FUNCTION
-+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION
-+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
-+#endif
-+
-+#ifndef CK_DECLARE_FUNCTION_POINTER
-+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef CK_CALLBACK_FUNCTION
-+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
-+#endif
-+
-+#ifndef NULL_PTR
-+#include 	/* For NULL */
-+#define	NULL_PTR NULL
-+#endif
-+
-+/*
-+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
-+ */
-+#ifndef	CK_DISABLE_TRUE_FALSE
-+#define	CK_DISABLE_TRUE_FALSE
-+#ifndef	TRUE
-+#define	TRUE	1
-+#endif /* TRUE */
-+#ifndef	FALSE
-+#define	FALSE	0
-+#endif /* FALSE */
-+#endif /* CK_DISABLE_TRUE_FALSE */
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+#include "pkcs11.h"
-+
-+/* Solaris specific functions */
-+
-+#include 
-+
-+/*
-+ * SUNW_C_GetMechSession will initialize the framework and do all
-+ * the necessary PKCS#11 calls to create a session capable of
-+ * providing operations on the requested mechanism
-+ */
-+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
-+    CK_SESSION_HANDLE_PTR hSession);
-+
-+/*
-+ * SUNW_C_KeyToObject will create a secret key object for the given
-+ * mechanism from the rawkey data.
-+ */
-+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
-+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
-+    CK_OBJECT_HANDLE_PTR obj);
-+
-+
-+#ifdef	__cplusplus
-+}
-+#endif
-+
-+#endif	/* _CRYPTOKI_H */
-diff -r -u -N openssl-0.9.8g/crypto/engine/eng_all.c openssl/crypto/engine/eng_all.c
---- openssl-0.9.8g/crypto/engine/eng_all.c	2007-01-04 23:55:25.000000000 +0100
-+++ openssl/crypto/engine/eng_all.c	2007-10-25 01:27:09.000000000 +0200
-@@ -107,6 +107,9 @@
- #if defined(__OpenBSD__) || defined(__FreeBSD__)
- 	ENGINE_load_cryptodev();
- #endif
-+#ifndef OPENSSL_NO_HW_PKCS11
-+	ENGINE_load_pk11();
-+#endif
- #endif
- 	}
- 
-diff -r -u -N openssl-0.9.8g/crypto/engine/engine.h openssl/crypto/engine/engine.h
---- openssl-0.9.8g/crypto/engine/engine.h	2005-11-06 18:48:59.000000000 +0100
-+++ openssl/crypto/engine/engine.h	2007-10-25 01:27:09.000000000 +0200
-@@ -332,6 +332,7 @@
- void ENGINE_load_ubsec(void);
- #endif
- void ENGINE_load_cryptodev(void);
-+void ENGINE_load_pk11(void);
- void ENGINE_load_padlock(void);
- void ENGINE_load_builtin_engines(void);
- 
-diff -r -u -N openssl-0.9.8g/crypto/engine/hw_pk11.c openssl/crypto/engine/hw_pk11.c
---- openssl-0.9.8g/crypto/engine/hw_pk11.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/hw_pk11.c	2007-10-29 23:31:11.000000000 +0100
-@@ -0,0 +1,2153 @@
-+/*
-+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+#pragma ident	"@(#)hw_pk11.c	1.12	07/07/05 SMI"
-+
-+/* crypto/engine/hw_pk11.c */
-+/* This product includes software developed by the OpenSSL Project for 
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by 
-+ * Afchine Madjlessi.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+#undef DEBUG_SLOT_SELECTION
-+
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#include "hw_pk11_err.c"
-+
-+
-+/* The head of the free PK11 session list */
-+static struct PK11_SESSION_st *free_session = NULL;
-+
-+/* Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session();
-+void pk11_return_session(PK11_SESSION *sp);
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions();
-+static int pk11_setup_session(PK11_SESSION *sp);
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, 
-+	CK_OBJECT_HANDLE oh);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+/* Symmetric cipher and digest support functions */
-+static int cipher_nid_to_pk11(int nid);
-+static int pk11_usable_ciphers(const int **nids);
-+static int pk11_usable_digests(const int **nids);
-+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+	const unsigned char *iv, int enc);
-+static int pk11_cipher_final(PK11_SESSION *sp);
-+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl);
-+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
-+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid);
-+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid);
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx, 
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
-+static void check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key);
-+static int md_nid_to_pk11(int nid);
-+static int pk11_digest_init(EVP_MD_CTX *ctx);
-+static int pk11_digest_update(EVP_MD_CTX *ctx,const void *data,
-+	size_t count);
-+static int pk11_digest_final(EVP_MD_CTX *ctx,unsigned char *md);
-+static int pk11_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from);
-+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
-+
-+static int pk11_choose_slot();
-+static int pk11_count_symmetric_cipher(int slot_id, CK_MECHANISM_TYPE mech,
-+    int *current_slot_n_cipher, int *local_cipher_nids, int id);
-+static int pk11_count_digest(int slot_id, CK_MECHANISM_TYPE mech,
-+    int *current_slot_n_digest, int *local_digest_nids, int id);
-+
-+/* Index for the supported ciphers */
-+#define PK11_DES_CBC		0
-+#define PK11_DES3_CBC		1
-+#define PK11_AES_CBC		2
-+#define PK11_RC4		3
-+
-+/* Index for the supported digests */
-+#define PK11_MD5		0
-+#define PK11_SHA1		1
-+
-+#define PK11_CIPHER_MAX		4	/* Max num of ciphers supported */
-+#define PK11_DIGEST_MAX		2	/* Max num of digests supported */
-+
-+#define PK11_KEY_LEN_MAX	24
-+
-+static int cipher_nids[PK11_CIPHER_MAX];
-+static int digest_nids[PK11_DIGEST_MAX];
-+static int cipher_count		= 0;
-+static int digest_count		= 0;
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_dh	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+typedef struct PK11_CIPHER_st 
-+	{
-+	int		id;
-+	int		nid;
-+	int		ivmax;
-+	int		key_len;
-+	CK_KEY_TYPE	key_type;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_CIPHER;
-+
-+static PK11_CIPHER ciphers[] = 
-+	{
-+	{PK11_DES_CBC,  NID_des_cbc,      8,  8,   CKK_DES,  CKM_DES_CBC, },
-+	{PK11_DES3_CBC, NID_des_ede3_cbc, 8,  24,  CKK_DES3, CKM_DES3_CBC, },
-+	{PK11_AES_CBC,  NID_aes_128_cbc,  16, 16,  CKK_AES,  CKM_AES_CBC, },
-+	{PK11_RC4,      NID_rc4,          0,  16,  CKK_RC4,  CKM_RC4, },
-+	};
-+
-+typedef struct PK11_DIGEST_st
-+	{
-+	int		id;
-+	int		nid;
-+	CK_MECHANISM_TYPE	mech_type;
-+	} PK11_DIGEST;
-+
-+static PK11_DIGEST digests[] = 
-+	{
-+	{PK11_MD5,	NID_md5,	CKM_MD5, },
-+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
-+	{0,		NID_undef,	0xFFFF, },
-+	};
-+
-+/* Structure to be used for the cipher_data/md_data in 
-+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same 
-+ * pk11 session in multiple cipher_update calls
-+ */
-+typedef struct PK11_CIPHER_STATE_st
-+	{
-+	PK11_SESSION	*sp;
-+	} PK11_CIPHER_STATE;
-+
-+
-+/* libcrypto EVP stuff - this is how we get wired to EVP so the engine
-+ * gets called when libcrypto requests a cipher NID.
-+ * Note how the PK11_CIPHER_STATE is used here.
-+ */
-+
-+/* DES CBC EVP */
-+static const EVP_CIPHER pk11_des_cbc = 
-+	{
-+	NID_des_cbc,
-+	8, 8, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof(PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+/* 3DES CBC EVP */
-+static const EVP_CIPHER pk11_3des_cbc = 
-+	{
-+	NID_des_ede3_cbc,
-+	8, 24, 8,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof(PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_aes_cbc = 
-+	{
-+	NID_aes_128_cbc,
-+	16, 16, 16,
-+	EVP_CIPH_CBC_MODE,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof(PK11_CIPHER_STATE),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+	};
-+
-+static const EVP_CIPHER pk11_rc4 =
-+	{
-+	NID_rc4,
-+	1,16,0,
-+	EVP_CIPH_VARIABLE_LENGTH,
-+	pk11_cipher_init,
-+	pk11_cipher_do_cipher,
-+	pk11_cipher_cleanup,
-+	sizeof(PK11_CIPHER_STATE),
-+	NULL,
-+	NULL,
-+	NULL
-+	};
-+
-+static const EVP_MD pk11_md5 =
-+	{
-+	NID_md5,
-+	NID_md5WithRSAEncryption,
-+	MD5_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	MD5_CBLOCK,
-+	sizeof(PK11_CIPHER_STATE),
-+	};
-+
-+static const EVP_MD pk11_sha1 =
-+	{
-+	NID_sha1,
-+	NID_sha1WithRSAEncryption,
-+	SHA_DIGEST_LENGTH,
-+	0,
-+	pk11_digest_init,
-+	pk11_digest_update,
-+	pk11_digest_final,
-+	pk11_digest_copy,
-+	pk11_digest_cleanup,
-+	EVP_PKEY_RSA_method,
-+	SHA_CBLOCK,
-+	sizeof(PK11_CIPHER_STATE),
-+	};
-+
-+/* Initialization function. Sets up various pk11 library components.
-+ */
-+/* The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE
-+ */
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name = "PKCS #11 engine support";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/* Cryptoki library
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
-+static CK_SLOT_ID SLOTID = 0;
-+static int pk11_auto_slot = 1;
-+char *pk11_pin;
-+static int pk11_library_initialized = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+	const RSA_METHOD *rsa = NULL;
-+	RSA_METHOD *pk11_rsa = PK11_RSA();
-+
-+	if (!pk11_library_initialized)
-+		pk11_library_init(e);
-+
-+	if(!ENGINE_set_id(e, engine_pk11_id) ||
-+	   !ENGINE_set_name(e, engine_pk11_name) ||
-+	   !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
-+	   !ENGINE_set_digests(e, pk11_engine_digests))
-+	   	return 0;
-+#ifndef OPENSSL_NO_RSA
-+	if(pk11_have_rsa == CK_TRUE)
-+		{
-+		if(!ENGINE_set_RSA(e, PK11_RSA()) ||
-+	           !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+	           !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return 0;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: registered RSA\n");
-+#endif /* DEBUG_SLOT_SELECTION */
-+		}
-+#endif
-+#ifndef OPENSSL_NO_DSA
-+	if(pk11_have_dsa == CK_TRUE)
-+		{	
-+	  	if (!ENGINE_set_DSA(e, PK11_DSA()))
-+			return 0;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: registered DSA\n");
-+#endif /* DEBUG_SLOT_SELECTION */
-+	    	}
-+#endif
-+#ifndef OPENSSL_NO_DH
-+	if(pk11_have_dh == CK_TRUE)
-+		{
-+	  	if (!ENGINE_set_DH(e, PK11_DH()))
-+			return 0;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: registered DH\n");
-+#endif /* DEBUG_SLOT_SELECTION */
-+	    	}
-+#endif
-+	if(pk11_have_random)
-+		{
-+		if(!ENGINE_set_RAND(e, &pk11_random))
-+			return 0;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: registered random\n");
-+#endif /* DEBUG_SLOT_SELECTION */
-+		}
-+	if(!ENGINE_set_init_function(e, pk11_init) ||
-+	   !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	   !ENGINE_set_finish_function(e, pk11_finish) ||
-+	   !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	   !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return 0;
-+
-+/* Apache calls OpenSSL function RSA_blinding_on() once during startup
-+ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
-+ * here, we wire it back to the OpenSSL software implementation. 
-+ * Since it is used only once, performance is not a concern. */
-+#ifndef OPENSSL_NO_RSA
-+        rsa = RSA_PKCS1_SSLeay();
-+        pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
-+        pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
-+#endif
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+	
-+	return 1;
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris
-+ */
-+#ifdef ENGINE_DYNAMIC_SUPPORT
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return 0;
-+
-+	if (!bind_pk11(e))
-+		return 0;
-+
-+	return 1;
-+	}	   
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return NULL;
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return NULL;
-+		}
-+
-+	return ret;
-+	}
-+
-+void ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/* Do not use dynamic PKCS#11 library on Solaris due to 
-+	 * security reasons. We will link it in statically
-+	 */
-+	/* Attempt to load PKCS#11 library 
-+	 */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11) 
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/* At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11 
-+	 * library before calling ENGINE_set_default since the latter 
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif
-+
-+/* These are the static string constants for the DSO file name and 
-+ * the function symbol names to bind to. 
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return PK11_LIBNAME;
-+
-+	return def_PK11_LIBNAME;
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return pk11_library_init(e);
-+}
-+
-+/* Initialization function. Sets up various pk11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	CK_ULONG ul_state_len;
-+	char tmp_buf[20];
-+
-+	if (pk11_library_initialized)
-+		return 1;
-+	
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the C_GetFunctionList function from the loaded library
-+	 */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso, 
-+		PK11_GET_FUNCTION_LIST);
-+	if ( !p )
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+ 
-+	/* get the full function list from the loaded library 
-+	 */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+ 
-+	rv = pFuncList->C_Initialize(NULL_PTR);
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetInfo(&info);
-+	if (rv != CKR_OK) 
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_GETINFO);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (pk11_choose_slot() == 0)
-+		goto err;
-+
-+	if (global_session == CK_INVALID_HANDLE)
-+		{
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_LIBRARY_INIT, PK11_R_OPENSESSION);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	/* Disable digest if C_GetOperationState is not supported since
-+	 * this function is required by OpenSSL digest copy function */
-+	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
-+			== CKR_FUNCTION_NOT_SUPPORTED)
-+		digest_count = 0;
-+
-+	pk11_library_initialized = 1;
-+	return 1;
-+
-+err:
-+
-+	return 0;
-+	}
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor)
-+ */
-+static int pk11_destroy(ENGINE *e)
-+	{
-+	free_PK11_LIBNAME();
-+	ERR_unload_pk11_strings();
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+	return 1;
-+	}
-+
-+/* Termination function to clean up the session, the token, and 
-+ * the pk11 library.
-+ */
-+static int pk11_finish(ENGINE *e)
-+	{
-+
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+		goto err;
-+		}
-+
-+	assert(pFuncList != NULL);
-+
-+	if (pk11_free_all_sessions() == 0)
-+		goto err;
-+
-+	pFuncList->C_CloseSession(global_session);
-+	
-+	/* Since we are part of a library (libcrypto.so), calling this
-+	 * function may have side-effects.
-+	pFuncList->C_Finalize(NULL);
-+	 */
-+
-+	if (!DSO_free(pk11_dso))
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+	pk11_dso = NULL;
-+	pFuncList = NULL;
-+	pk11_library_initialized = 0;
-+
-+	return 1;
-+
-+err:
-+	return 0;
-+	}
-+
-+/* Standard engine interface function to set the dynamic library path */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
-+	{
-+	int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+	switch(cmd)
-+		{
-+	case PK11_CMD_SO_PATH:
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return 0;
-+			}
-+
-+		if (initialized)
-+			{
-+			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+			return 0;
-+			}
-+
-+		return set_PK11_LIBNAME((const char*)p);
-+	case PK11_CMD_PIN:
-+		if (pk11_pin) {
-+			memset(pk11_pin, 0, strlen(pk11_pin));
-+			OPENSSL_free((void*)pk11_pin);
-+		}
-+		pk11_pin = NULL;
-+
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return 0;
-+			}
-+
-+		pk11_pin = BUF_strdup(p);
-+		if (pk11_pin == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+			return 0;
-+			}
-+		return 1;
-+	case PK11_CMD_SLOT:
-+		SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: slot set\n");
-+#endif
-+		return 1;
-+	default:
-+		break;
-+		}
-+
-+	PK11err(PK11_F_CTRL,PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+	return 0;
-+	}
-+
-+
-+/* Required function by the engine random interface. It does nothing here
-+ */
-+static void pk11_rand_cleanup(void)
-+	{
-+	return;
-+	}
-+
-+static void pk11_rand_add(const void *buf, int num, double add)
-+	{
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		return;
-+
-+	/* Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since 
-+	 * the calling functions do not care anyway
-+	 */
-+	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+	pk11_return_session(sp);
-+
-+	return;
-+	}
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+	{
-+	pk11_rand_add(buf, num, 0);
-+	}
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp;
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		return 0;
-+	
-+	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		pk11_return_session(sp);
-+		return 0;
-+		}
-+
-+	pk11_return_session(sp);
-+	return 1;
-+	}
-+
-+
-+/* Required function by the engine random interface. It does nothing here
-+ */
-+static int pk11_rand_status(void)
-+	{
-+	return 1;
-+	}
-+
-+
-+PK11_SESSION *pk11_get_session()
-+	{
-+	PK11_SESSION *sp, *sp1;
-+	CK_RV rv;
-+	char tmp_buf[20];
-+
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	if ((sp = free_session) == NULL)
-+		{
-+		if ((sp = OPENSSL_malloc(sizeof(PK11_SESSION))) == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION, 
-+				PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		memset(sp, 0, sizeof(PK11_SESSION));
-+		}
-+	else
-+		{
-+		free_session = sp->next;
-+		}
-+
-+	if (sp->pid != 0 && sp->pid != getpid())
-+		{
-+		/* We are a new process and thus need to free any inherated
-+		 * PK11_SESSION objects.
-+		 */
-+		while ((sp1 = free_session) != NULL)
-+			{
-+			free_session = sp1->next;
-+			OPENSSL_free(sp1);
-+			}
-+
-+		/* Initialize the process */
-+		rv = pFuncList->C_Initialize(NULL_PTR);
-+		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_INITIALIZE);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/* Choose slot here since the slot table is different on 
-+		 * this process.
-+		 */
-+		if (pk11_choose_slot() == 0)
-+			goto err;
-+
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_OPENSESSION);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/* It is an inherited session and needs re-initialization.
-+		 */
-+		if (pk11_setup_session(sp) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+	else if (sp->pid == 0)
-+		{
-+		/* It is a new session and needs initialization.
-+		 */
-+		if (pk11_setup_session(sp) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+
-+err:
-+	if (sp)
-+		sp->next = NULL;
-+
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return sp;
-+	}
-+
-+
-+void pk11_return_session(PK11_SESSION *sp)
-+	{
-+	if (sp == NULL || sp->pid != getpid())
-+		return;
-+
-+	
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	sp->next = free_session;
-+	free_session = sp;
-+
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+	}
-+
-+
-+/* Destroy all objects. This function is called when the engine is finished
-+ */
-+static int pk11_free_all_sessions()
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp = NULL;
-+	pid_t mypid = getpid();
-+	int ret = 0;
-+
-+	pk11_destroy_rsa_key_objects(NULL);
-+	pk11_destroy_dsa_key_objects(NULL);
-+	pk11_destroy_dh_key_objects(NULL);
-+	pk11_destroy_cipher_key_objects(NULL);
-+	
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	while ((sp = free_session) != NULL)
-+		{
-+		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
-+			{
-+			rv = pFuncList->C_CloseSession(sp->session);
-+			if (rv != CKR_OK)
-+				{
-+				char tmp_buf[20];
-+				PK11err(PK11_F_FREE_ALL_SESSIONS, 
-+					PK11_R_CLOSESESSION);
-+				snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+				ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+				}
-+			}
-+		if (sp->session_cipher != CK_INVALID_HANDLE && sp->pid == mypid)
-+			{
-+			rv = pFuncList->C_CloseSession(sp->session_cipher);
-+			if (rv != CKR_OK)
-+				{
-+				char tmp_buf[20];
-+				PK11err(PK11_F_FREE_ALL_SESSIONS, 
-+					PK11_R_CLOSESESSION);
-+				snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+				ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+				}
-+			}
-+		free_session = sp->next;
-+		OPENSSL_free(sp);
-+		}
-+	ret = 1;
-+err:
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return ret;
-+	}
-+
-+
-+static int pk11_setup_session(PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	sp->session = CK_INVALID_HANDLE;
-+	rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+		NULL_PTR, NULL_PTR, &sp->session);
-+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
-+		{
-+		/*
-+		 * We are probably a child process so force the
-+		 * reinitialize of the session
-+		 */
-+		pk11_library_initialized = 0;
-+		(void) pk11_library_init(NULL);
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &sp->session);
-+		}
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		return 0;
-+		}
-+
-+	sp->session_cipher = CK_INVALID_HANDLE;
-+	rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+		NULL_PTR, NULL_PTR, &sp->session_cipher);
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+
-+		(void) pFuncList->C_CloseSession(sp->session);
-+		sp->session = CK_INVALID_HANDLE;
-+
-+		PK11err(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		return 0;
-+		}
-+
-+	sp->pid = getpid();
-+	sp->rsa_pub_key = CK_INVALID_HANDLE;
-+	sp->rsa_priv_key = CK_INVALID_HANDLE;
-+	sp->dsa_pub_key = CK_INVALID_HANDLE;
-+	sp->dsa_priv_key = CK_INVALID_HANDLE;
-+	sp->dh_key = CK_INVALID_HANDLE;
-+	sp->cipher_key = CK_INVALID_HANDLE;
-+	sp->rsa = NULL;
-+	sp->dsa = NULL;
-+	sp->dh = NULL;
-+	sp->encrypt = -1;
-+
-+	return 1;
-+	}
-+
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session)
-+	{
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *local_free_session;
-+
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	if (session)
-+		local_free_session = session;
-+	else
-+		local_free_session = free_session;
-+	while ((sp = local_free_session) != NULL)
-+		{
-+		local_free_session = sp->next;
-+
-+		if (sp->rsa_pub_key != CK_INVALID_HANDLE)
-+			{
-+			if (pk11_destroy_object(sp->session, 
-+				sp->rsa_pub_key) == 0)
-+				goto err;
-+			sp->rsa_pub_key = CK_INVALID_HANDLE;
-+			}
-+
-+		if (sp->rsa_priv_key != CK_INVALID_HANDLE)
-+			{
-+			if ((sp->rsa->flags & RSA_FLAG_EXT_PKEY) == 0 &&
-+			    pk11_destroy_object(sp->session, 
-+				sp->rsa_priv_key) == 0)
-+				goto err;
-+			sp->rsa_priv_key = CK_INVALID_HANDLE;
-+			}
-+
-+		sp->rsa = NULL;
-+		}
-+	ret = 1;
-+err:
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return ret;
-+	}
-+
-+int pk11_destroy_dsa_key_objects(PK11_SESSION *session)
-+	{
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *local_free_session;
-+
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	if (session)
-+		local_free_session = session;
-+	else
-+		local_free_session = free_session;
-+	while ((sp = local_free_session) != NULL)
-+		{
-+		local_free_session = sp->next;
-+
-+		if (sp->dsa_pub_key != CK_INVALID_HANDLE)
-+			{
-+			if (pk11_destroy_object(sp->session, 
-+				sp->dsa_pub_key) == 0)
-+				goto err;
-+			sp->dsa_pub_key = CK_INVALID_HANDLE;
-+			}
-+
-+		if (sp->dsa_priv_key != CK_INVALID_HANDLE)
-+			{
-+			if (pk11_destroy_object(sp->session, 
-+				sp->dsa_priv_key) == 0)
-+				goto err;
-+			sp->dsa_priv_key = CK_INVALID_HANDLE;
-+			}
-+
-+		sp->dsa = NULL;
-+		}
-+	ret = 1;
-+err:
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return ret;
-+	}
-+
-+int pk11_destroy_dh_key_objects(PK11_SESSION *session)
-+	{
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *local_free_session;
-+
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	if (session)
-+		local_free_session = session;
-+	else
-+		local_free_session = free_session;
-+	while ((sp = local_free_session) != NULL)
-+		{
-+		local_free_session = sp->next;
-+
-+		if (sp->dh_key != CK_INVALID_HANDLE)
-+			{
-+			if (pk11_destroy_object(sp->session, 
-+				sp->dh_key) == 0)
-+				goto err;
-+			sp->dh_key = CK_INVALID_HANDLE;
-+			}
-+
-+		sp->dh = NULL;
-+		}
-+	ret = 1;
-+err:
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return ret;
-+	}
-+
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
-+	{
-+	CK_RV rv;
-+	rv = pFuncList->C_DestroyObject(session, oh);
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", 
-+			tmp_buf);
-+		return 0;
-+		}
-+
-+	return 1;
-+	}
-+
-+
-+/* Symmetric ciphers and digests support functions
-+ */
-+
-+static int
-+cipher_nid_to_pk11(int nid)
-+	{
-+	int i;
-+
-+	for (i = 0; i < PK11_CIPHER_MAX; i++)
-+		if (ciphers[i].nid == nid)
-+			return (ciphers[i].id);
-+	return (-1);
-+	}
-+
-+static int
-+pk11_usable_ciphers(const int **nids)
-+	{
-+	if (cipher_count > 0)
-+		*nids = cipher_nids;
-+	else
-+		*nids = NULL;
-+	return (cipher_count);
-+	}
-+
-+static int
-+pk11_usable_digests(const int **nids)
-+	{
-+	if (digest_count > 0)
-+		*nids = digest_nids;
-+	else
-+		*nids = NULL;
-+	return (digest_count);
-+	}
-+
-+static int
-+pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+    const unsigned char *iv, int enc)
-+	{
-+	CK_RV rv;
-+	CK_MECHANISM mech;
-+	int index;
-+	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
-+	PK11_SESSION *sp;
-+	PK11_CIPHER *pcp;
-+	char tmp_buf[20];
-+	
-+	state->sp = NULL;
-+
-+	index = cipher_nid_to_pk11(ctx->cipher->nid);
-+	if (index < 0 || index >= PK11_CIPHER_MAX)
-+		return 0;
-+
-+	pcp = &ciphers[index];
-+	if (ctx->cipher->iv_len > pcp->ivmax || ctx->key_len != pcp->key_len)
-+		return 0;
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		return 0;
-+
-+	/* if applicable, the mechanism parameter is used for IV */
-+	mech.mechanism = pcp->mech_type;
-+	mech.pParameter = NULL;
-+	mech.ulParameterLen = 0;
-+
-+	/* The key object is destroyed here if it is not the current key
-+	 */
-+	check_new_cipher_key(sp, key);
-+	
-+	/* If the key is the same and the encryption is also the same,
-+	 * then just reuse it
-+	 */
-+	if (sp->cipher_key != CK_INVALID_HANDLE && sp->encrypt == ctx->encrypt)
-+		{
-+		state->sp = sp;
-+		return 1;
-+		}
-+
-+	/* Check if the key has been invalidated. If so, a new key object
-+	 * needs to be created.
-+	 */
-+	if (sp->cipher_key == CK_INVALID_HANDLE)
-+		{
-+		sp->cipher_key = pk11_get_cipher_key(
-+			ctx, key, pcp->key_type, sp);
-+		}
-+
-+	if (sp->encrypt != ctx->encrypt && sp->encrypt != -1)
-+		{
-+		/* The previous encryption/decryption
-+		 * is different. Need to terminate the previous
-+		 * active encryption/decryption here
-+		 */
-+		if (!pk11_cipher_final(sp))
-+			{
-+			pk11_return_session(sp);
-+			return 0;
-+			}
-+		}
-+
-+	if (sp->cipher_key == CK_INVALID_HANDLE)
-+		{
-+		pk11_return_session(sp);
-+		return 0;
-+		}
-+
-+	if (ctx->cipher->iv_len > 0)
-+		{
-+		mech.pParameter = (void *) ctx->iv;
-+		mech.ulParameterLen = ctx->cipher->iv_len;
-+		}
-+
-+	/* If we get here, the encryption needs to be reinitialized */
-+	if (ctx->encrypt)
-+		{
-+		rv = pFuncList->C_EncryptInit(sp->session_cipher, &mech, 
-+			sp->cipher_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_CIPHER_INIT, PK11_R_ENCRYPTINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return 0;
-+			}
-+		}
-+	else
-+		{
-+		rv = pFuncList->C_DecryptInit(sp->session_cipher, &mech, 
-+			sp->cipher_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_CIPHER_INIT, PK11_R_DECRYPTINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return 0;
-+			}
-+		}
-+
-+	sp->encrypt = ctx->encrypt;
-+	state->sp = sp;
-+
-+	return 1;
-+	}
-+
-+/* When reusing the same key in an encryption/decryption session for a 
-+ * decryption/encryption session, we need to close the active session
-+ * and recreate a new one. Note that the key is in the global session so
-+ * that it needs not be recreated.
-+ *
-+ * It is more appropriate to use C_En/DecryptFinish here. At the time of this
-+ * development, these two functions in the PKCS#11 libraries used return
-+ * unexpected errors when passing in 0 length output. It may be a good
-+ * idea to try them again if performance is a problem here and fix
-+ * C_En/DecryptFinial if there are bugs there causing the problem.
-+ */
-+static int
-+pk11_cipher_final(PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	char tmp_buf[20];
-+
-+	rv = pFuncList->C_CloseSession(sp->session_cipher);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_CIPHER_FINAL, PK11_R_CLOSESESSION);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		return 0;
-+		}
-+
-+	rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+		NULL_PTR, NULL_PTR, &sp->session_cipher);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_CIPHER_FINAL, PK11_R_OPENSESSION);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		return 0;
-+		}
-+
-+	return 1;
-+	}
-+
-+/* An engine interface function. The calling function allocates sufficient
-+ * memory for the output buffer "out" to hold the results */
-+static int
-+pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+	const unsigned char *in, unsigned int inl)
-+	{
-+	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
-+	PK11_SESSION *sp;
-+	CK_RV rv;
-+	unsigned long outl = inl;
-+	char tmp_buf[20];
-+
-+	if (state == NULL || state->sp == NULL)
-+		return 0;
-+
-+	sp = (PK11_SESSION *) state->sp;
-+
-+	if (!inl)
-+		return 1;
-+
-+	/* RC4 is the only stream cipher we support */
-+	if (ctx->cipher->nid != NID_rc4 && (inl % ctx->cipher->block_size) != 0)
-+		return 0;
-+
-+	if (ctx->encrypt)
-+		{
-+		rv = pFuncList->C_EncryptUpdate(sp->session_cipher, 
-+			(unsigned char *)in, inl, out, &outl);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_CIPHER_DO_CIPHER, 
-+				PK11_R_ENCRYPTUPDATE);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			return 0;
-+			}
-+		}
-+	else
-+		{
-+		rv = pFuncList->C_DecryptUpdate(sp->session_cipher, 
-+			(unsigned char *)in, inl, out, &outl);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_CIPHER_DO_CIPHER, 
-+				PK11_R_DECRYPTUPDATE);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			return 0;
-+			}
-+		}
-+
-+	/* for DES_CBC, DES3_CBC, AES_CBC, and RC4, the output size is always
-+	 * the same size of input
-+	 * The application has guaranteed to call the block ciphers with 
-+	 * correctly aligned buffers.
-+	 */
-+	if (inl != outl)
-+		return 0;
-+
-+	return 1;
-+	}
-+
-+/* Return the session to the pool. The C_EncryptFinal and C_DecryptFinal are
-+ * not used. Once a secret key is initialized, it is used until destroyed.
-+ */
-+static int
-+pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx)
-+	{
-+	PK11_CIPHER_STATE *state = ctx->cipher_data;
-+
-+	if (state != NULL && state->sp != NULL)
-+		{
-+		pk11_return_session(state->sp);
-+		state->sp = NULL;
-+		}
-+
-+	return 1;
-+	}
-+
-+/* Registered by the ENGINE when used to find out how to deal with
-+ * a particular NID in the ENGINE. This says what we'll do at the
-+ * top level - note, that list is restricted by what we answer with
-+ */
-+static int
-+pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+	const int **nids, int nid)
-+	{
-+	if (!cipher)
-+		return (pk11_usable_ciphers(nids));
-+
-+	switch (nid)
-+		{
-+		case NID_des_ede3_cbc:
-+			*cipher = &pk11_3des_cbc;
-+			break;
-+		case NID_des_cbc:
-+			*cipher = &pk11_des_cbc;
-+			break;
-+		case NID_aes_128_cbc:
-+			*cipher = &pk11_aes_cbc;
-+			break;
-+		case NID_rc4:
-+			*cipher = &pk11_rc4;
-+			break;
-+		default:
-+			*cipher = NULL;
-+			break;
-+		}
-+	return (*cipher != NULL);
-+	}
-+
-+static int
-+pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
-+	const int **nids, int nid)
-+	{
-+	if (!digest)
-+		return (pk11_usable_digests(nids));
-+
-+	switch (nid)
-+		{
-+		case NID_md5:
-+			*digest = &pk11_md5; 
-+			break;
-+		case NID_sha1:
-+			*digest = &pk11_sha1; 
-+			break;
-+		default:
-+			*digest = NULL;
-+			break;
-+		}
-+	return (*digest != NULL);
-+	}
-+
-+
-+/* Create a secret key object in a PKCS#11 session
-+ */
-+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx, 
-+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
-+	CK_ULONG ul_key_attr_count = 6;
-+	char tmp_buf[20];
-+
-+	CK_ATTRIBUTE  a_key_template[] =
-+		{
-+		{CKA_CLASS, (void*) NULL, sizeof(CK_OBJECT_CLASS)},
-+		{CKA_KEY_TYPE, (void*) NULL, sizeof(CK_KEY_TYPE)},
-+		{CKA_TOKEN, &false, sizeof(false)},
-+		{CKA_ENCRYPT, &true, sizeof(true)},
-+		{CKA_DECRYPT, &true, sizeof(true)},
-+		{CKA_VALUE, (void*) NULL, 0},
-+		};
-+
-+	/* Create secret key object in global_session. All other sessions
-+	 * can use the key handles. Here is why:
-+	 * OpenSSL will call EncryptInit and EncryptUpdate using a secret key.
-+	 * It may then call DecryptInit and DecryptUpdate using the same key.
-+	 * To use the same key object, we need to call EncryptFinal with
-+	 * a 0 length message. Currently, this does not work for 3DES 
-+	 * mechanism. To get around this problem, we close the session and
-+	 * then create a new session to use the same key object. When a session
-+	 * is closed, all the object handles will be invalid. Thus, create key 
-+	 * objects in a global session, an individual session may be closed to
-+	 * terminate the active operation.
-+	 */
-+	CK_SESSION_HANDLE session = global_session;
-+	a_key_template[0].pValue = &obj_key;
-+	a_key_template[1].pValue = &key_type;
-+	a_key_template[5].pValue = (void *) key;
-+	a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
-+
-+	rv = pFuncList->C_CreateObject(session, 
-+		a_key_template, ul_key_attr_count, &h_key);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	/* Save the key information used in this session.
-+	 * The max can be saved is PK11_KEY_LEN_MAX.
-+	 */
-+	sp->key_len = ctx->key_len > PK11_KEY_LEN_MAX ? 
-+		PK11_KEY_LEN_MAX : ctx->key_len;
-+	memcpy(sp->key, key, sp->key_len);
-+err:
-+
-+	return h_key;
-+	}
-+
-+static int
-+md_nid_to_pk11(int nid)
-+	{
-+	int i;
-+
-+	for (i = 0; i < PK11_DIGEST_MAX; i++)
-+		if (digests[i].nid == nid)
-+			return (digests[i].id);
-+	return (-1);
-+	}
-+
-+static int 
-+pk11_digest_init(EVP_MD_CTX *ctx)
-+        { 
-+	CK_RV rv;
-+	CK_MECHANISM mech;
-+	int index;
-+	PK11_SESSION *sp;
-+	PK11_DIGEST *pdp;
-+	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
-+	
-+	state->sp = NULL;
-+
-+	index = md_nid_to_pk11(ctx->digest->type);
-+	if (index < 0 || index >= PK11_DIGEST_MAX)
-+		return 0;
-+
-+	pdp = &digests[index];
-+	if ((sp = pk11_get_session()) == NULL)
-+		return 0;
-+
-+	/* at present, no parameter is needed for supported digests */
-+	mech.mechanism = pdp->mech_type;
-+	mech.pParameter = NULL;
-+	mech.ulParameterLen = 0;
-+
-+	rv = pFuncList->C_DigestInit(sp->session, &mech);
-+
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_DIGEST_INIT, PK11_R_DIGESTINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		pk11_return_session(sp);
-+		return 0;
-+		}
-+
-+	state->sp = sp;
-+
-+	return 1;
-+	}
-+
-+static int 
-+pk11_digest_update(EVP_MD_CTX *ctx,const void *data,size_t count)
-+        { 
-+	CK_RV rv;
-+	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
-+	
-+	/* 0 length message will cause a failure in C_DigestFinal */
-+	if (count == 0)
-+		return 1;
-+
-+	if (state == NULL || state->sp == NULL)
-+		return 0;
-+
-+	rv = pFuncList->C_DigestUpdate(state->sp->session, (CK_BYTE *) data,
-+		count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_DIGEST_UPDATE, PK11_R_DIGESTUPDATE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		pk11_return_session(state->sp);
-+		state->sp = NULL;
-+		return 0;
-+		}
-+
-+	return 1;
-+	}
-+
-+static int 
-+pk11_digest_final(EVP_MD_CTX *ctx,unsigned char *md)
-+        { 
-+	CK_RV rv;
-+	unsigned long len;
-+	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
-+	len = ctx->digest->md_size;
-+	
-+	if (state == NULL || state->sp == NULL)
-+		return 0;
-+
-+	rv = pFuncList->C_DigestFinal(state->sp->session, md, &len);
-+
-+	if (rv != CKR_OK)
-+		{
-+		char tmp_buf[20];
-+		PK11err(PK11_F_DIGEST_FINAL, PK11_R_DIGESTFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		pk11_return_session(state->sp);
-+		state->sp = NULL;
-+		return 0;
-+		}
-+
-+	if (ctx->digest->md_size != len)
-+		return 0;
-+
-+	/* Final is called and digest is returned, so return the session
-+	 * to the pool
-+	 */
-+	pk11_return_session(state->sp);
-+	state->sp = NULL;
-+
-+	return 1;
-+	}
-+
-+static int 
-+pk11_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
-+        { 
-+	CK_RV rv;
-+	int ret = 0;
-+	PK11_CIPHER_STATE *state, *state_to;
-+	CK_BYTE_PTR pstate = NULL;
-+	CK_ULONG ul_state_len;
-+	char tmp_buf[20];
-+	
-+	/* The copy-from state */
-+	state = (PK11_CIPHER_STATE *) from->md_data;
-+	if (state == NULL || state->sp == NULL)
-+		goto err;
-+
-+	/* Initialize the copy-to state */
-+	if (!pk11_digest_init(to))
-+		goto err;
-+	state_to = (PK11_CIPHER_STATE *) to->md_data;
-+
-+	/* Get the size of the operation state of the copy-from session */
-+	rv = pFuncList->C_GetOperationState(state->sp->session, NULL, 
-+		&ul_state_len);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+	if (ul_state_len == 0)
-+		{
-+		goto err;
-+		}
-+
-+	pstate = OPENSSL_malloc(ul_state_len);
-+	if (pstate == NULL)
-+		{
-+		RSAerr(PK11_F_DIGEST_COPY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	/* Get the operation state of the copy-from session */
-+	rv = pFuncList->C_GetOperationState(state->sp->session, pstate, 
-+		&ul_state_len);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	/* Set the operation state of the copy-to session */
-+	rv = pFuncList->C_SetOperationState(state_to->sp->session, pstate, 
-+		ul_state_len, 0, 0);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DIGEST_COPY, PK11_R_SET_OPERATION_STATE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	ret = 1;
-+err:
-+	if (pstate != NULL)
-+		OPENSSL_free(pstate);
-+
-+	return ret;
-+	}
-+
-+/* Return any pending session state to the pool */
-+static int
-+pk11_digest_cleanup(EVP_MD_CTX *ctx)
-+	{
-+	PK11_CIPHER_STATE *state = ctx->md_data;
-+	unsigned char buf[EVP_MAX_MD_SIZE];
-+
-+	if (state != NULL && state->sp != NULL)
-+		{
-+		/*
-+		 * If state->sp is not NULL then pk11_digest_final() has not
-+		 * been called yet. We must call it now to free any memory
-+		 * that might have been allocated in the token when
-+		 * pk11_digest_init() was called.
-+		 */
-+		pk11_digest_final(ctx,buf);
-+		pk11_return_session(state->sp);
-+		state->sp = NULL;
-+		}
-+
-+	return 1;
-+	}
-+
-+/* Check if the new key is the same as the key object in the session.
-+ * If the key is the same, no need to create a new key object. Otherwise,
-+ * the old key object needs to be destroyed and a new one will be created
-+ */
-+static void check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key)
-+	{
-+	if (memcmp(sp->key, key, sp->key_len) != 0)
-+		pk11_destroy_cipher_key_objects(sp);
-+	}
-+
-+/* Destroy one or more secret key objects. 
-+ */
-+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session)
-+	{
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *local_free_session;
-+
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+	if (session)
-+		local_free_session = session;
-+	else
-+		local_free_session = free_session;
-+	while ((sp = local_free_session) != NULL)
-+		{
-+		local_free_session = sp->next;
-+
-+		if (sp->cipher_key != CK_INVALID_HANDLE)
-+			{
-+			/* The secret key object is created in the 
-+			 * global_session. See pk11_get_cipher_key
-+			 */
-+			if (pk11_destroy_object(global_session, 
-+				sp->cipher_key) == 0)
-+				goto err;
-+			sp->cipher_key = CK_INVALID_HANDLE;
-+			}
-+		}
-+	ret = 1;
-+err:
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+	return ret;
-+	}
-+
-+
-+/*
-+ * Required mechanisms
-+ *
-+ * CKM_RSA_X_509
-+ * CKM_RSA_PKCS
-+ * CKM_DSA
-+ *
-+ * As long as these required mechanisms are met, it will return success. 
-+ * Otherwise, it will return failure and the engine initialization will fail. 
-+ * The application will then decide whether to use another engine or 
-+ * no engine.
-+ *
-+ * Symmetric ciphers optionally supported
-+ *
-+ * CKM_DES3_CBC
-+ * CKM_DES_CBC
-+ * CKM_AES_CBC
-+ * CKM_RC4
-+ *
-+ * Digests optionally supported
-+ *
-+ * CKM_MD5
-+ * CKM_SHA_1
-+ */
-+
-+static int 
-+pk11_choose_slot()
-+	{
-+	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
-+	CK_ULONG ulSlotCount = 0;
-+	CK_MECHANISM_INFO mech_info;
-+	CK_TOKEN_INFO token_info;
-+	int i;
-+	CK_RV rv;
-+	CK_SLOT_ID best_slot_sofar;
-+	CK_BBOOL found_candidate_slot = CK_FALSE;
-+	int slot_n_cipher = 0;
-+	int slot_n_digest = 0;
-+	CK_SLOT_ID current_slot = 0;
-+	int current_slot_n_cipher = 0;
-+	int current_slot_n_digest = 0;
-+
-+	int local_cipher_nids[PK11_CIPHER_MAX];
-+	int local_digest_nids[PK11_DIGEST_MAX];
-+	char tmp_buf[20];
-+	int retval = 0;
-+
-+	if (!pk11_auto_slot)
-+		return 1;
-+
-+	/* Get slot list for memory alloction */
-+	rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		return retval;
-+		}
-+
-+	if (ulSlotCount == 0) 
-+		{
-+		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST);
-+		return retval;
-+		}
-+
-+	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
-+
-+	if (pSlotList == NULL) 
-+		{
-+		RSAerr(PK11_F_CHOOSE_SLOT,PK11_R_MALLOC_FAILURE);
-+		return retval;
-+		}
-+
-+	/* Get the slot list for processing */
-+	rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
-+	if (rv != CKR_OK) 
-+		{
-+		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		OPENSSL_free(pSlotList);
-+		return retval;
-+		}
-+
-+	for (i = 0; i < ulSlotCount; i++) 
-+		{
-+		CK_BBOOL slot_has_rsa = CK_FALSE;
-+		CK_BBOOL slot_has_dsa = CK_FALSE;
-+		CK_BBOOL slot_has_dh = CK_FALSE;
-+		current_slot = pSlotList[i];
-+		current_slot_n_cipher = 0;
-+		current_slot_n_digest = 0;
-+		memset(local_cipher_nids, 0, sizeof(local_cipher_nids));
-+		memset(local_digest_nids, 0, sizeof(local_digest_nids));
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "OPENSSL_PKCS#11_ENGINE: checking slot: %d\n",
-+		    current_slot);
-+#endif
-+		/* Check if slot has random support. */
-+		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
-+		if (rv != CKR_OK)
-+			continue;
-+
-+		if (token_info.flags & CKF_RNG)
-+			pk11_have_random = CK_TRUE;
-+
-+		/*
-+		 * Check if this slot is capable of signing and
-+		 * verifying with CKM_RSA_PKCS.
-+		 */
-+		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS, 
-+			&mech_info);
-+
-+		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
-+				(mech_info.flags & CKF_VERIFY)))
-+			{
-+			/*
-+			 * Check if this slot is capable of encryption,
-+			 * decryption, sign, and verify with CKM_RSA_X_509.
-+			 */
-+			rv = pFuncList->C_GetMechanismInfo(current_slot,
-+			  CKM_RSA_X_509, &mech_info);
-+
-+			if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
-+			    (mech_info.flags & CKF_VERIFY) &&
-+			    (mech_info.flags & CKF_ENCRYPT) &&
-+			    (mech_info.flags & CKF_VERIFY_RECOVER) &&
-+			    (mech_info.flags & CKF_DECRYPT)))
-+				slot_has_rsa = CK_TRUE;
-+			}
-+
-+		/*
-+		 * Check if this slot is capable of signing and
-+		 * verifying with CKM_DSA.
-+		 */
-+		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_DSA, 
-+			&mech_info);
-+		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
-+		    (mech_info.flags & CKF_VERIFY)))
-+			slot_has_dsa = CK_TRUE;
-+
-+		/*
-+		 * Check if this slot is capable of DH key generataion and
-+		 * derivation.
-+		 */
-+		rv = pFuncList->C_GetMechanismInfo(current_slot,
-+		  CKM_DH_PKCS_KEY_PAIR_GEN, &mech_info);
-+
-+		if (rv == CKR_OK && (mech_info.flags & CKF_GENERATE_KEY_PAIR))
-+			{    
-+			rv = pFuncList->C_GetMechanismInfo(current_slot,
-+				CKM_DH_PKCS_DERIVE, &mech_info);
-+			if (rv == CKR_OK && (mech_info.flags & CKF_DERIVE))
-+				slot_has_dh = CK_TRUE;
-+			}
-+
-+		if (!found_candidate_slot &&
-+		    (slot_has_rsa || slot_has_dsa || slot_has_dh))
-+			{
-+#ifdef DEBUG_SLOT_SELECTION
-+			fprintf(stderr,
-+			    "OPENSSL_PKCS#11_ENGINE: potential slot: %d\n",
-+			    current_slot);
-+#endif
-+			best_slot_sofar = current_slot;
-+			pk11_have_rsa = slot_has_rsa;
-+			pk11_have_dsa = slot_has_dsa;
-+			pk11_have_dh = slot_has_dh;
-+			found_candidate_slot = CK_TRUE;
-+#ifdef DEBUG_SLOT_SELECTION
-+			fprintf(stderr,
-+		    	    "OPENSSL_PKCS#11_ENGINE: best so far slot: %d\n",
-+		    	    best_slot_sofar);
-+#endif
-+			}
-+
-+		/* Count symmetric cipher support. */
-+		if (!pk11_count_symmetric_cipher(current_slot, CKM_DES_CBC,
-+				¤t_slot_n_cipher, local_cipher_nids,
-+				PK11_DES_CBC))
-+			continue;
-+		if (!pk11_count_symmetric_cipher(current_slot, CKM_DES3_CBC,
-+				¤t_slot_n_cipher, local_cipher_nids,
-+				PK11_DES3_CBC))
-+			continue;
-+		if (!pk11_count_symmetric_cipher(current_slot, CKM_AES_CBC,
-+				¤t_slot_n_cipher, local_cipher_nids,
-+				PK11_AES_CBC))
-+			continue;
-+		if (!pk11_count_symmetric_cipher(current_slot, CKM_RC4,
-+				¤t_slot_n_cipher, local_cipher_nids,
-+				PK11_RC4))
-+			continue;
-+
-+		/* Count digest support */
-+		if (!pk11_count_digest(current_slot, CKM_MD5,
-+				¤t_slot_n_digest, local_digest_nids,
-+				PK11_MD5))
-+			continue;
-+		if (!pk11_count_digest(current_slot, CKM_SHA_1,
-+				¤t_slot_n_digest, local_digest_nids,
-+				PK11_SHA1))
-+			continue;
-+
-+		/*
-+		 * If the current slot supports more ciphers/digests than 
-+		 * the previous best one we change the current best to this one.
-+		 * otherwise leave it where it is.
-+		 */
-+		if (((current_slot_n_cipher > slot_n_cipher) &&
-+		    (current_slot_n_digest > slot_n_digest)) &&
-+		    ((slot_has_rsa == pk11_have_rsa) &&
-+		     (slot_has_dsa == pk11_have_dsa) &&
-+		     (slot_has_dh == pk11_have_dh)))
-+			{
-+			best_slot_sofar = current_slot;
-+			slot_n_cipher = current_slot_n_cipher;
-+			slot_n_digest = current_slot_n_digest;
-+
-+			memcpy(cipher_nids, local_cipher_nids, 
-+				sizeof(local_cipher_nids));
-+			memcpy(digest_nids, local_digest_nids, 
-+				sizeof(local_digest_nids));
-+			}
-+
-+		}
-+
-+	if (found_candidate_slot)
-+		{
-+		cipher_count = slot_n_cipher;
-+		digest_count = slot_n_digest;
-+		SLOTID = best_slot_sofar;
-+		retval = 1;
-+		}
-+	else
-+		{
-+		cipher_count = 0;
-+		digest_count = 0;
-+		}
-+
-+#ifdef DEBUG_SLOT_SELECTION
-+	fprintf(stderr,
-+	  "OPENSSL_PKCS#11_ENGINE: choose slot: %d\n", SLOTID);
-+	fprintf(stderr,
-+	  "OPENSSL_PKCS#11_ENGINE: pk11_have_rsa %d\n", pk11_have_rsa);
-+	fprintf(stderr,
-+	  "OPENSSL_PKCS#11_ENGINE: pk11_have_dsa %d\n", pk11_have_dsa);
-+	fprintf(stderr,
-+	  "OPENSSL_PKCS#11_ENGINE: pk11_have_dh %d\n", pk11_have_dh);
-+	fprintf(stderr,
-+	  "OPENSSL_PKCS#11_ENGINE: pk11_have_random %d\n", pk11_have_random);
-+#endif /* DEBUG_SLOT_SELECTION */
-+		
-+	if (pSlotList)
-+		OPENSSL_free(pSlotList);
-+
-+	return retval;
-+	}
-+
-+static int pk11_count_symmetric_cipher(int slot_id, CK_MECHANISM_TYPE mech,
-+    int *current_slot_n_cipher, int *local_cipher_nids, int id)
-+	{
-+	CK_MECHANISM_INFO mech_info;
-+	CK_RV rv;
-+
-+	rv = pFuncList->C_GetMechanismInfo(slot_id, mech, &mech_info);
-+
-+	if (rv != CKR_OK) 
-+		return 0;
-+
-+	if ((mech_info.flags & CKF_ENCRYPT) &&
-+			(mech_info.flags & CKF_DECRYPT))
-+		{
-+		local_cipher_nids[(*current_slot_n_cipher)++] = ciphers[id].nid;
-+		}
-+
-+	return 1;
-+	}
-+
-+
-+static int pk11_count_digest(int slot_id, CK_MECHANISM_TYPE mech,
-+    int *current_slot_n_digest, int *local_digest_nids, int id)
-+	{
-+	CK_MECHANISM_INFO mech_info;
-+	CK_RV rv;
-+
-+	rv = pFuncList->C_GetMechanismInfo(slot_id, mech, &mech_info);
-+
-+	if (rv != CKR_OK) 
-+		return 0;
-+
-+	if (mech_info.flags & CKF_DIGEST)
-+		{
-+		local_digest_nids[(*current_slot_n_digest)++] = digests[id].nid;
-+		}
-+
-+	return 1;
-+	}
-+
-+
-+#endif
-+#endif
-+
-diff -r -u -N openssl-0.9.8g/crypto/engine/hw_pk11_err.c openssl/crypto/engine/hw_pk11_err.c
---- openssl-0.9.8g/crypto/engine/hw_pk11_err.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/hw_pk11_err.c	2007-10-25 01:27:09.000000000 +0200
-@@ -0,0 +1,233 @@
-+/*
-+ * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+#pragma ident	"@(#)hw_pk11_err.c	1.2	04/06/22 SMI"
-+
-+/* crypto/engine/hw_pk11_err.c */
-+/* This product includes software developed by the OpenSSL Project for 
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by 
-+ * Afchine Madjlessi.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include 
-+#include 
-+#include "hw_pk11_err.h"
-+
-+/* BEGIN ERROR CODES */
-+#ifndef OPENSSL_NO_ERR
-+static ERR_STRING_DATA pk11_str_functs[]=
-+{
-+    {ERR_PACK(0,PK11_F_INIT,0),	            "PK11_INIT"},
-+    {ERR_PACK(0,PK11_F_FINISH,0),	    "PK11_FINISH"},
-+    {ERR_PACK(0,PK11_F_DESTROY,0),	    "PK11_DESTROY"},
-+    {ERR_PACK(0,PK11_F_CTRL,0),	            "PK11_CTRL"},
-+    {ERR_PACK(0,PK11_F_RSA_INIT,0),	    "PK11_RSA_INIT"},
-+    {ERR_PACK(0,PK11_F_RSA_FINISH,0),	    "PK11_RSA_FINISH"},
-+    {ERR_PACK(0,PK11_F_GET_PUB_RSA_KEY,0),  "PK11_GET_PUB_RSA_KEY"},
-+    {ERR_PACK(0,PK11_F_GET_PRIV_RSA_KEY,0), "PK11_GET_PRIV_RSA_KEY"},
-+    {ERR_PACK(0,PK11_F_RSA_GEN_KEY,0),      "PK11_RSA_GEN_KEY"},
-+    {ERR_PACK(0,PK11_F_RSA_PUB_ENC,0),      "PK11_RSA_PUB_ENC"},
-+    {ERR_PACK(0,PK11_F_RSA_PRIV_ENC,0),     "PK11_RSA_PRIV_ENC"},
-+    {ERR_PACK(0,PK11_F_RSA_PUB_DEC,0),      "PK11_RSA_PUB_DEC"},
-+    {ERR_PACK(0,PK11_F_RSA_PRIV_DEC,0),     "PK11_RSA_PRIV_DEC"},
-+    {ERR_PACK(0,PK11_F_RSA_SIGN,0),	    "PK11_RSA_SIGN"},
-+    {ERR_PACK(0,PK11_F_RSA_VERIFY,0),	    "PK11_RSA_VERIFY"},
-+    {ERR_PACK(0,PK11_F_RAND_ADD,0),	    "PK11_RAND_ADD"},
-+    {ERR_PACK(0,PK11_F_RAND_BYTES,0),	    "PK11_RAND_BYTES"},
-+    {ERR_PACK(0,PK11_F_GET_SESSION,0),      "PK11_GET_SESSION"},
-+    {ERR_PACK(0,PK11_F_FREE_SESSION,0),     "PK11_FREE_SESSION"},
-+    {ERR_PACK(0,PK11_F_LOAD_PUBKEY,0),      "PK11_LOAD_PUBKEY"},
-+    {ERR_PACK(0,PK11_F_LOAD_PRIVKEY,0),     "PK11_LOAD_PRIV_KEY"},
-+    {ERR_PACK(0,PK11_F_RSA_PUB_ENC_LOW,0),  "PK11_RSA_PUB_ENC_LOW"},
-+    {ERR_PACK(0,PK11_F_RSA_PRIV_ENC_LOW,0), "PK11_RSA_PRIV_ENC_LOW"},
-+    {ERR_PACK(0,PK11_F_RSA_PUB_DEC_LOW,0),  "PK11_RSA_PUB_DEC_LOW"},
-+    {ERR_PACK(0,PK11_F_RSA_PRIV_DEC_LOW,0), "PK11_RSA_PRIV_DEC_LOW"},
-+    {ERR_PACK(0,PK11_F_DSA_SIGN,0),         "PK11_DSA_SIGN"},
-+    {ERR_PACK(0,PK11_F_DSA_VERIFY,0),       "PK11_DSA_VERIFY"},
-+    {ERR_PACK(0,PK11_F_DSA_INIT,0),         "PK11_DSA_INIT"},
-+    {ERR_PACK(0,PK11_F_DSA_FINISH,0),       "PK11_DSA_FINISH"},
-+    {ERR_PACK(0,PK11_F_GET_PUB_DSA_KEY,0),  "PK11_GET_PUB_DSA_KEY"},
-+    {ERR_PACK(0,PK11_F_GET_PRIV_DSA_KEY,0), "PK11_GET_PRIV_DSA_KEY"},
-+    {ERR_PACK(0,PK11_F_DH_INIT,0),          "PK11_DH_INIT"},
-+    {ERR_PACK(0,PK11_F_DH_FINISH,0),        "PK11_DH_FINISH"},
-+    {ERR_PACK(0,PK11_F_MOD_EXP_DH,0),       "PK11_MOD_EXP_DH"},
-+    {ERR_PACK(0,PK11_F_GET_DH_KEY,0),       "PK11_GET_DH_KEY"},
-+    {ERR_PACK(0,PK11_F_FREE_ALL_SESSIONS,0),"PK11_FREE_ALL_SESSIONS"},
-+    {ERR_PACK(0,PK11_F_SETUP_SESSION,0),    "PK11_SETUP_SESSION"},
-+    {ERR_PACK(0,PK11_F_DESTROY_OBJECT,0),   "PK11_DESTROY_OBJECT"},
-+    {ERR_PACK(0,PK11_F_CIPHER_INIT,0),      "PK11_CIPHER_INIT"},
-+    {ERR_PACK(0,PK11_F_CIPHER_DO_CIPHER,0), "PK11_CIPHER_DO_CIPHER"},
-+    {ERR_PACK(0,PK11_F_GET_CIPHER_KEY,0),   "PK11_GET_CIPHER_KEY"},
-+    {ERR_PACK(0,PK11_F_DIGEST_INIT,0),      "PK11_DIGEST_INIT"},
-+    {ERR_PACK(0,PK11_F_DIGEST_UPDATE,0),    "PK11_DIGEST_UPDATE"},
-+    {ERR_PACK(0,PK11_F_DIGEST_FINAL,0),     "PK11_DIGEST_FINAL"},
-+    {ERR_PACK(0,PK11_F_CHOOSE_SLOT,0),      "PK11_CHOOSE_SLOT"},
-+    {ERR_PACK(0,PK11_F_CIPHER_FINAL,0),     "PK11_CIPHER_FINAL"},
-+    {ERR_PACK(0,PK11_F_LIBRARY_INIT,0),     "PK11_LIBRARY_INIT"},
-+    {ERR_PACK(0,PK11_F_LOAD,0),             "ENGINE_LOAD_PK11"},
-+    {ERR_PACK(0,PK11_F_DH_GEN_KEY,0),       "PK11_DH_GEN_KEY"},
-+    {ERR_PACK(0,PK11_F_DH_COMP_KEY,0),      "PK11_DH_COMP_KEY"},
-+    {ERR_PACK(0,PK11_F_DIGEST_COPY,0),      "PK11_DIGEST_COPY"},
-+    {0,NULL}
-+};
-+
-+static ERR_STRING_DATA pk11_str_reasons[]=
-+{
-+    {PK11_R_ALREADY_LOADED                 ,"PKCS#11 DSO already loaded"},
-+    {PK11_R_DSO_FAILURE                    ,"unable to load PKCS#11 DSO"},
-+    {PK11_R_NOT_LOADED                     ,"PKCS#11 DSO not loaded"},
-+    {PK11_R_PASSED_NULL_PARAMETER          ,"null parameter passed"},
-+    {PK11_R_COMMAND_NOT_IMPLEMENTED        ,"command not implemented"},
-+    {PK11_R_INITIALIZE                     ,"C_Initialize failed"},
-+    {PK11_R_FINALIZE                       ,"C_Finalize failed"},
-+    {PK11_R_GETINFO                        ,"C_GetInfo faile"},
-+    {PK11_R_GETSLOTLIST                    ,"C_GetSlotList failed"},
-+    {PK11_R_NO_MODULUS_OR_NO_EXPONENT      ,"no modulus or no exponent"},
-+    {PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID  ,"attr sensitive or invalid"},
-+    {PK11_R_GETATTRIBUTVALUE               ,"C_GetAttributeValue failed"},
-+    {PK11_R_NO_MODULUS                     ,"no modulus"},
-+    {PK11_R_NO_EXPONENT                    ,"no exponent"},
-+    {PK11_R_FINDOBJECTSINIT                ,"C_FindObjectsInit failed"},
-+    {PK11_R_FINDOBJECTS                    ,"C_FindObjects failed"},
-+    {PK11_R_FINDOBJECTSFINAL               ,"C_FindObjectsFinal failed"},
-+    {PK11_R_CREATEOBJECT                   ,"C_CreateObject failed"},
-+    {PK11_R_DESTROYOBJECT                  ,"C_DestroyObject failed"},
-+    {PK11_R_OPENSESSION                    ,"C_OpenSession failed"},
-+    {PK11_R_CLOSESESSION                   ,"C_CloseSession failed"},
-+    {PK11_R_ENCRYPTINIT                    ,"C_EncryptInit failed"},
-+    {PK11_R_ENCRYPT                        ,"C_Encrypt failed"},
-+    {PK11_R_SIGNINIT                       ,"C_SignInit failed"},
-+    {PK11_R_SIGN                           ,"C_Sign failed"},
-+    {PK11_R_DECRYPTINIT                    ,"C_DecryptInit failed"},
-+    {PK11_R_DECRYPT                        ,"C_Decrypt failed"},
-+    {PK11_R_VERIFYINIT                     ,"C_VerifyRecover failed"},
-+    {PK11_R_VERIFY                         ,"C_Verify failed	"},
-+    {PK11_R_VERIFYRECOVERINIT              ,"C_VerifyRecoverInit failed"},
-+    {PK11_R_VERIFYRECOVER                  ,"C_VerifyRecover failed"},
-+    {PK11_R_GEN_KEY                        ,"C_GenerateKeyPair failed"},
-+    {PK11_R_SEEDRANDOM                     ,"C_SeedRandom failed"},
-+    {PK11_R_GENERATERANDOM                 ,"C_GenerateRandom failed"},
-+    {PK11_R_INVALID_MESSAGE_LENGTH         ,"invalid message length"},
-+    {PK11_R_UNKNOWN_ALGORITHM_TYPE         ,"unknown algorithm type"},
-+    {PK11_R_UNKNOWN_ASN1_OBJECT_ID         ,"unknown asn1 onject id"},
-+    {PK11_R_UNKNOWN_PADDING_TYPE           ,"unknown padding type"},
-+    {PK11_R_PADDING_CHECK_FAILED           ,"padding check failed"},
-+    {PK11_R_DIGEST_TOO_BIG                 ,"digest too big"},
-+    {PK11_R_MALLOC_FAILURE                 ,"malloc failure"},
-+    {PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctl command not implemented"},
-+    {PK11_R_DATA_GREATER_THAN_MOD_LEN      ,"data is bigger than mod"},
-+    {PK11_R_DATA_TOO_LARGE_FOR_MODULUS     ,"data is too larger for mod"},
-+    {PK11_R_MISSING_KEY_COMPONENT          ,"a dsa component is missing"},
-+    {PK11_R_INVALID_SIGNATURE_LENGTH       ,"invalid signature length"},
-+    {PK11_R_INVALID_DSA_SIGNATURE_R        ,"missing r in dsa verify"},
-+    {PK11_R_INVALID_DSA_SIGNATURE_S        ,"missing s in dsa verify"},
-+    {PK11_R_INCONSISTENT_KEY               ,"inconsistent key type"},
-+    {PK11_R_ENCRYPTUPDATE                  ,"C_EncryptUpdate failed"},
-+    {PK11_R_DECRYPTUPDATE                  ,"C_DecryptUpdate failed"},
-+    {PK11_R_DIGESTINIT                     ,"C_DigestInit failed"},
-+    {PK11_R_DIGESTUPDATE                   ,"C_DigestUpdate failed"},
-+    {PK11_R_DIGESTFINAL                    ,"C_DigestFinal failed"},
-+    {PK11_R_ENCRYPTFINAL                   ,"C_EncryptFinal failed"},
-+    {PK11_R_DECRYPTFINAL                   ,"C_DecryptFinal failed"},
-+    {PK11_R_NO_PRNG_SUPPORT                ,"Slot does not support PRNG"},
-+    {PK11_R_GETTOKENINFO                   ,"C_GetTokenInfo failed"},
-+    {PK11_R_DERIVEKEY                      ,"C_DeriveKey failed"},
-+    {PK11_R_GET_OPERATION_STATE            ,"C_GetOperationState failed"},
-+    {PK11_R_SET_OPERATION_STATE            ,"C_SetOperationState failed"},
-+    {0,NULL}
-+};
-+
-+#endif	
-+
-+static int pk11_lib_error_code=0;
-+static int pk11_error_init=1;
-+
-+static void ERR_load_pk11_strings(void)
-+{
-+    if (pk11_lib_error_code == 0)
-+	pk11_lib_error_code = ERR_get_next_error_library();
-+
-+    if (pk11_error_init)
-+    {
-+	pk11_error_init=0;
-+#ifndef OPENSSL_NO_ERR
-+	ERR_load_strings(pk11_lib_error_code,pk11_str_functs);
-+	ERR_load_strings(pk11_lib_error_code,pk11_str_reasons);
-+#endif
-+    }
-+}
-+
-+static void ERR_unload_pk11_strings(void)
-+{
-+    if (pk11_error_init == 0)
-+    {
-+#ifndef OPENSSL_NO_ERR
-+	ERR_unload_strings(pk11_lib_error_code,pk11_str_functs);
-+	ERR_unload_strings(pk11_lib_error_code,pk11_str_reasons);
-+#endif
-+	pk11_error_init = 1;
-+    }
-+}
-+
-+static void ERR_pk11_error(int function, int reason, char *file, int line)
-+{
-+    if (pk11_lib_error_code == 0)
-+	pk11_lib_error_code=ERR_get_next_error_library();
-+    ERR_PUT_error(pk11_lib_error_code,function,reason,file,line);
-+}
-diff -r -u -N openssl-0.9.8g/crypto/engine/hw_pk11_err.h openssl/crypto/engine/hw_pk11_err.h
---- openssl-0.9.8g/crypto/engine/hw_pk11_err.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/hw_pk11_err.h	2008-01-31 16:14:07.000000000 +0100
-@@ -0,0 +1,247 @@
-+/*
-+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+#pragma ident	"@(#)hw_pk11_err.h	1.2	04/06/22 SMI"
-+
-+/* crypto/engine/hw_pk11_err.h */
-+/* This product includes software developed by the OpenSSL Project for 
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by 
-+ * Afchine Madjlessi.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#ifndef HW_PK11_ERR_H
-+#define HW_PK11_ERR_H
-+
-+/* CRYPTO_LOCK_RSA is defined in OpenSSL for RSA method. Since this pk11
-+ * engine replaces RSA method, we may reuse this lock here.
-+ */
-+#define CRYPTO_LOCK_PK11_ENGINE CRYPTO_LOCK_RSA
-+
-+static void ERR_load_pk11_strings(void);
-+static void ERR_pk11_error(int function, int reason, char *file, int line);
-+#define PK11err(f,r) ERR_pk11_error((f),(r),__FILE__,__LINE__)
-+
-+/* Error codes for the PK11 functions. */
-+
-+/* Function codes. */
-+
-+#define PK11_F_INIT 				100
-+#define PK11_F_FINISH 				101
-+#define PK11_F_DESTROY 				102
-+#define PK11_F_CTRL 				103
-+#define PK11_F_RSA_INIT 			104
-+#define PK11_F_RSA_FINISH 			105
-+#define PK11_F_GET_PUB_RSA_KEY 			106
-+#define PK11_F_GET_PRIV_RSA_KEY 		107
-+#define PK11_F_RSA_GEN_KEY 			108
-+#define PK11_F_RSA_PUB_ENC 			109
-+#define PK11_F_RSA_PRIV_ENC 			110
-+#define PK11_F_RSA_PUB_DEC 			111
-+#define PK11_F_RSA_PRIV_DEC 			112
-+#define PK11_F_RSA_SIGN 			113
-+#define PK11_F_RSA_VERIFY 			114
-+#define PK11_F_RAND_ADD 			115
-+#define PK11_F_RAND_BYTES 			116
-+#define PK11_F_GET_SESSION 			117
-+#define PK11_F_FREE_SESSION 			118
-+#define PK11_F_LOAD_PUBKEY 			119
-+#define PK11_F_LOAD_PRIVKEY 			120
-+#define PK11_F_RSA_PUB_ENC_LOW 			121
-+#define PK11_F_RSA_PRIV_ENC_LOW 		122
-+#define PK11_F_RSA_PUB_DEC_LOW 			123
-+#define PK11_F_RSA_PRIV_DEC_LOW 		124
-+#define PK11_F_DSA_SIGN				125
-+#define PK11_F_DSA_VERIFY			126
-+#define PK11_F_DSA_INIT				127
-+#define PK11_F_DSA_FINISH			128
-+#define PK11_F_GET_PUB_DSA_KEY 			129
-+#define PK11_F_GET_PRIV_DSA_KEY 		130
-+#define PK11_F_DH_INIT 				131
-+#define PK11_F_DH_FINISH 			132
-+#define PK11_F_MOD_EXP_DH 			133
-+#define PK11_F_GET_DH_KEY 			134
-+#define PK11_F_FREE_ALL_SESSIONS		135
-+#define PK11_F_SETUP_SESSION			136
-+#define PK11_F_DESTROY_OBJECT			137
-+#define PK11_F_CIPHER_INIT			138
-+#define PK11_F_CIPHER_DO_CIPHER			139
-+#define PK11_F_GET_CIPHER_KEY			140
-+#define PK11_F_DIGEST_INIT			141
-+#define PK11_F_DIGEST_UPDATE			142
-+#define PK11_F_DIGEST_FINAL			143
-+#define PK11_F_CHOOSE_SLOT			144
-+#define PK11_F_CIPHER_FINAL			145
-+#define PK11_F_LIBRARY_INIT 			146
-+#define PK11_F_LOAD 				147
-+#define PK11_F_DH_GEN_KEY			148
-+#define PK11_F_DH_COMP_KEY 			149
-+#define PK11_F_DIGEST_COPY 			150
-+
-+/* Reason codes. */
-+#define PK11_R_ALREADY_LOADED 			100
-+#define PK11_R_DSO_FAILURE 			101
-+#define PK11_R_NOT_LOADED 			102
-+#define PK11_R_PASSED_NULL_PARAMETER 		103
-+#define PK11_R_COMMAND_NOT_IMPLEMENTED 		104
-+#define PK11_R_INITIALIZE 			105
-+#define PK11_R_FINALIZE 			106
-+#define PK11_R_GETINFO 				107
-+#define PK11_R_GETSLOTLIST 			108
-+#define PK11_R_NO_MODULUS_OR_NO_EXPONENT 	109
-+#define PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID 	110
-+#define PK11_R_GETATTRIBUTVALUE 		111
-+#define PK11_R_NO_MODULUS 			112
-+#define PK11_R_NO_EXPONENT 			113
-+#define PK11_R_FINDOBJECTSINIT 			114
-+#define PK11_R_FINDOBJECTS 			115
-+#define PK11_R_FINDOBJECTSFINAL 		116
-+#define PK11_R_CREATEOBJECT 			118
-+#define PK11_R_DESTROYOBJECT 			119
-+#define PK11_R_OPENSESSION 			120
-+#define PK11_R_CLOSESESSION 			121
-+#define PK11_R_ENCRYPTINIT 			122
-+#define PK11_R_ENCRYPT 				123
-+#define PK11_R_SIGNINIT 			124
-+#define PK11_R_SIGN 				125
-+#define PK11_R_DECRYPTINIT 			126
-+#define PK11_R_DECRYPT 				127
-+#define PK11_R_VERIFYINIT 			128
-+#define PK11_R_VERIFY 				129
-+#define PK11_R_VERIFYRECOVERINIT 		130
-+#define PK11_R_VERIFYRECOVER 			131
-+#define PK11_R_GEN_KEY 				132
-+#define PK11_R_SEEDRANDOM 			133
-+#define PK11_R_GENERATERANDOM 			134
-+#define PK11_R_INVALID_MESSAGE_LENGTH 		135
-+#define PK11_R_UNKNOWN_ALGORITHM_TYPE 		136
-+#define PK11_R_UNKNOWN_ASN1_OBJECT_ID 		137
-+#define PK11_R_UNKNOWN_PADDING_TYPE 		138
-+#define PK11_R_PADDING_CHECK_FAILED 		139
-+#define PK11_R_DIGEST_TOO_BIG 			140
-+#define PK11_R_MALLOC_FAILURE 			141
-+#define PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED 	142
-+#define PK11_R_DATA_GREATER_THAN_MOD_LEN 	143
-+#define PK11_R_DATA_TOO_LARGE_FOR_MODULUS 	144
-+#define PK11_R_MISSING_KEY_COMPONENT		145
-+#define PK11_R_INVALID_SIGNATURE_LENGTH		146
-+#define PK11_R_INVALID_DSA_SIGNATURE_R		147
-+#define PK11_R_INVALID_DSA_SIGNATURE_S		148
-+#define PK11_R_INCONSISTENT_KEY			149
-+#define PK11_R_ENCRYPTUPDATE			150
-+#define PK11_R_DECRYPTUPDATE			151
-+#define PK11_R_DIGESTINIT			152
-+#define PK11_R_DIGESTUPDATE			153
-+#define PK11_R_DIGESTFINAL			154
-+#define PK11_R_ENCRYPTFINAL			155
-+#define PK11_R_DECRYPTFINAL			156
-+#define PK11_R_NO_PRNG_SUPPORT			157
-+#define PK11_R_GETTOKENINFO			158
-+#define PK11_R_DERIVEKEY			159
-+#define PK11_R_GET_OPERATION_STATE		160
-+#define PK11_R_SET_OPERATION_STATE		161
-+#define PK11_R_INVALID_PIN			162
-+#define PK11_R_TOO_MANY_OBJECTS			163
-+#define PK11_R_OBJECT_NOT_FOUND			164
-+
-+/* This structure encapsulates all reusable information for a PKCS#11
-+ * session. A list of this object is created on behalf of the
-+ * calling application using an on-demand method. When a new request
-+ * comes in, an object will be taken from the list (if there is one)
-+ * or a new one is created to handle the request. Note that not all
-+ * fields are used for every application. For example, an RSA-only
-+ * application only uses the RSA related fields */
-+typedef struct PK11_SESSION_st
-+        {
-+        struct PK11_SESSION_st *next;
-+        CK_SESSION_HANDLE       session;        /* PK11 session handle */
-+        CK_SESSION_HANDLE       session_cipher; /* PK11 sess handle for ciph */
-+        pid_t                   pid;            /* Current process ID */
-+        CK_OBJECT_HANDLE        rsa_pub_key;    /* RSA key handle in the sess */
-+	CK_OBJECT_HANDLE        rsa_priv_key;   /* RSA private key handle */
-+        CK_OBJECT_HANDLE        dsa_pub_key;    /* DSA pub key handle */
-+        CK_OBJECT_HANDLE        dsa_priv_key;   /* DSA priv key handle */
-+        CK_OBJECT_HANDLE        dh_key;         /* RSA pub key handle for DH */
-+        CK_OBJECT_HANDLE        cipher_key;     /* Cipher key handle */
-+        RSA                     *rsa;   /* Address of the RSA struct */
-+        void                    *dsa;   /* Address of the DSA structure */
-+        void                    *dh;    /* Address of the DH */
-+        unsigned char           key[24];/* Save the private key here */
-+        int                     key_len;/* Saved private key length */
-+        int                     encrypt;/* 1/0 for encrypt/decrypt */
-+        } PK11_SESSION;
-+
-+extern PK11_SESSION *pk11_get_session();
-+extern void pk11_return_session(PK11_SESSION *sp);
-+
-+extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
-+extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
-+
-+extern RSA_METHOD *PK11_RSA(void);
-+extern DSA_METHOD *PK11_DSA(void);
-+extern DH_METHOD *PK11_DH(void);
-+
-+extern EVP_PKEY *pk11_load_privkey(ENGINE*, const char* pubkey_file,
-+        UI_METHOD *ui_method, void *callback_data);
-+extern EVP_PKEY *pk11_load_pubkey(ENGINE*, const char* pubkey_file,
-+        UI_METHOD *ui_method, void *callback_data);
-+
-+extern CK_FUNCTION_LIST_PTR pFuncList;
-+
-+#endif /* HW_PK11_ERR_H */
-diff -r -u -N openssl-0.9.8g/crypto/engine/hw_pk11_pub.c openssl/crypto/engine/hw_pk11_pub.c
---- openssl-0.9.8g/crypto/engine/hw_pk11_pub.c	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/hw_pk11_pub.c	2008-03-17 15:15:49.000000000 +0100
-@@ -0,0 +1,2616 @@
-+/*
-+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+#pragma ident	"@(#)hw_pk11_pub.c	1.4	07/05/10 SMI"
-+
-+/* crypto/engine/hw_pk11_pub.c */
-+/* This product includes software developed by the OpenSSL Project for 
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by 
-+ * Afchine Madjlessi.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer. 
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#include "hw_pk11_err.c"
-+
-+#ifndef OPENSSL_NO_RSA
-+/* RSA stuff */
-+static int pk11_RSA_public_encrypt(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_private_encrypt(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_public_decrypt(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_private_decrypt(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa, int padding);
-+static int pk11_RSA_init(RSA *rsa);
-+static int pk11_RSA_finish(RSA *rsa);
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+	unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
-+static int pk11_RSA_verify(int dtype, const unsigned char *m, 
-+	unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, 
-+	const RSA *rsa);
-+EVP_PKEY *pk11_load_privkey(ENGINE*, const char* pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data);
-+EVP_PKEY *pk11_load_pubkey(ENGINE*, const char* pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data);
-+
-+static int pk11_RSA_public_encrypt_low(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa);
-+static int pk11_RSA_private_encrypt_low(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa);
-+static int pk11_RSA_public_decrypt_low(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa);
-+static int pk11_RSA_private_decrypt_low(int flen, const unsigned char *from, 
-+	unsigned char *to, RSA *rsa);
-+
-+static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA* rsa, PK11_SESSION *sp);
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, 
-+	PK11_SESSION *sp);
-+#endif
-+
-+/* DSA stuff */
-+#ifndef OPENSSL_NO_DSA
-+static int pk11_DSA_init(DSA *dsa);
-+static int pk11_DSA_finish(DSA *dsa);
-+static DSA_SIG *pk11_dsa_do_sign(const unsigned char *dgst, int dlen, 
-+	DSA *dsa);
-+static int pk11_dsa_do_verify(const unsigned char *dgst, int dgst_len,
-+	DSA_SIG *sig, DSA *dsa);
-+
-+static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa,
-+	PK11_SESSION *sp);
-+static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa, 
-+	PK11_SESSION *sp);
-+#endif
-+
-+/* DH stuff */
-+#ifndef OPENSSL_NO_DH
-+static int pk11_DH_init(DH *dh);
-+static int pk11_DH_finish(DH *dh);
-+static int pk11_DH_generate_key(DH *dh);
-+static int pk11_DH_compute_key(unsigned char *key,
-+	const BIGNUM *pub_key,DH *dh);
-+
-+static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh, PK11_SESSION *sp);
-+#endif
-+
-+static int init_template_value(BIGNUM *bn, CK_VOID_PTR *pValue,
-+        CK_ULONG *ulValueLen);
-+static void check_new_rsa_key(PK11_SESSION *sp, void *rsa);
-+static void check_new_dsa_key(PK11_SESSION *sp, void *dsa);
-+static void check_new_dh_key(PK11_SESSION *sp, void *dh);
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
-+
-+
-+#ifndef OPENSSL_NO_RSA
-+/* Our internal RSA_METHOD that we provide pointers to */
-+static RSA_METHOD pk11_rsa =
-+	{
-+	"PKCS#11 RSA method",
-+	pk11_RSA_public_encrypt,		/* rsa_pub_encrypt */
-+	pk11_RSA_public_decrypt,		/* rsa_pub_decrypt */
-+	pk11_RSA_private_encrypt,		/* rsa_priv_encrypt */
-+	pk11_RSA_private_decrypt,		/* rsa_priv_decrypt */
-+	NULL,					/* rsa_mod_exp */
-+	NULL,					/* bn_mod_exp */
-+	pk11_RSA_init,				/* init */
-+	pk11_RSA_finish,			/* finish */
-+	RSA_FLAG_SIGN_VER,			/* flags */
-+	NULL,					/* app_data */
-+	pk11_RSA_sign,				/* rsa_sign */
-+	pk11_RSA_verify/*,*/			/* rsa_verify */
-+	};
-+
-+RSA_METHOD *PK11_RSA(void)
-+	{
-+	return(&pk11_rsa);
-+	}
-+#endif
-+
-+#ifndef OPENSSL_NO_DSA
-+/* Our internal DSA_METHOD that we provide pointers to */
-+static DSA_METHOD pk11_dsa =
-+	{
-+	"PKCS#11 DSA method",
-+	pk11_dsa_do_sign, 	/* dsa_do_sign */
-+	NULL, 			/* dsa_sign_setup */
-+	pk11_dsa_do_verify, 	/* dsa_do_verify */
-+	NULL,			/* dsa_mod_exp */
-+	NULL, 			/* bn_mod_exp */
-+	pk11_DSA_init, 		/* init */
-+	pk11_DSA_finish, 	/* finish */
-+	0, 			/* flags */
-+	NULL 			/* app_data */
-+	};
-+
-+DSA_METHOD *PK11_DSA(void)
-+	{
-+	return(&pk11_dsa);
-+	}
-+
-+#endif
-+
-+
-+#ifndef OPENSSL_NO_DH
-+/* Our internal DH_METHOD that we provide pointers to */
-+static DH_METHOD pk11_dh =
-+	{
-+	"PKCS#11 DH method",
-+	pk11_DH_generate_key,	/* generate_key */
-+	pk11_DH_compute_key,	/* compute_key */
-+	NULL,			/* bn_mod_exp */
-+	pk11_DH_init,		/* init */
-+	pk11_DH_finish,		/* finish */
-+	0,			/* flags */
-+	NULL			/* app_data */
-+	};
-+
-+DH_METHOD *PK11_DH(void)
-+	{
-+	return(&pk11_dh);
-+	}
-+#endif
-+
-+/* Size of an SSL signature: MD5+SHA1
-+ */
-+#define SSL_SIG_LENGTH          36
-+
-+/* Lengths of DSA data and signature
-+ */
-+#define DSA_DATA_LEN            20
-+#define DSA_SIGNATURE_LEN       40
-+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
-+
-+#ifndef OPENSSL_NO_RSA
-+
-+/* Similiar to Openssl to take advantage of the paddings. The goal is to
-+ * support all paddings in this engine although PK11 library does not 
-+ * support all the paddings used in OpenSSL. 
-+ * The input errors should have been checked in the padding functions
-+ */
-+static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
-+		unsigned char *to, RSA *rsa, int padding)
-+	{
-+	int i,num=0,r= -1;
-+	unsigned char *buf=NULL;
-+
-+	num=BN_num_bytes(rsa->n);
-+	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-+		{
-+		RSAerr(PK11_F_RSA_PUB_ENC,PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	switch (padding)
-+		{
-+	case RSA_PKCS1_PADDING:
-+		i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
-+		break;
-+#ifndef OPENSSL_NO_SHA
-+	case RSA_PKCS1_OAEP_PADDING:
-+		i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
-+		break;
-+#endif
-+	case RSA_SSLV23_PADDING:
-+		i=RSA_padding_add_SSLv23(buf,num,from,flen);
-+		break;
-+	case RSA_NO_PADDING:
-+		i=RSA_padding_add_none(buf,num,from,flen);
-+		break;
-+	default:
-+		RSAerr(PK11_F_RSA_PUB_ENC,PK11_R_UNKNOWN_PADDING_TYPE);
-+		goto err;
-+		}
-+	if (i <= 0) goto err;
-+
-+	/* PK11 functions are called here */
-+	r = pk11_RSA_public_encrypt_low(num, buf, to, rsa);
-+err:
-+	if (buf != NULL) 
-+		{
-+		OPENSSL_cleanse(buf,num);
-+		OPENSSL_free(buf);
-+		}
-+	return(r);
-+	}
-+
-+
-+/* Similar to Openssl to take advantage of the paddings. The input errors
-+ * should be catched in the padding functions
-+ */
-+static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
-+	     unsigned char *to, RSA *rsa, int padding)
-+	{
-+	int i,num=0,r= -1;
-+	unsigned char *buf=NULL;
-+
-+	num=BN_num_bytes(rsa->n);
-+	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-+		{
-+		RSAerr(PK11_F_RSA_PRIV_ENC,PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	switch (padding)
-+		{
-+	case RSA_PKCS1_PADDING:
-+		i=RSA_padding_add_PKCS1_type_1(buf,num,from,flen);
-+		break;
-+	case RSA_NO_PADDING:
-+		i=RSA_padding_add_none(buf,num,from,flen);
-+		break;
-+	case RSA_SSLV23_PADDING:
-+	default:
-+		RSAerr(PK11_F_RSA_PRIV_ENC,PK11_R_UNKNOWN_PADDING_TYPE);
-+		goto err;
-+		}
-+	if (i <= 0) goto err;
-+
-+	/* PK11 functions are called here */
-+	r=pk11_RSA_private_encrypt_low(num, buf, to, rsa);
-+err:
-+	if (buf != NULL)
-+		{
-+		OPENSSL_cleanse(buf,num);
-+		OPENSSL_free(buf);
-+		}
-+	return(r);
-+	}
-+
-+/* Similar to Openssl. Input errors are also checked here
-+ */
-+static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
-+	     unsigned char *to, RSA *rsa, int padding)
-+	{
-+	BIGNUM f;
-+	int j,num=0,r= -1;
-+	unsigned char *p;
-+	unsigned char *buf=NULL;
-+
-+	BN_init(&f);
-+
-+	num=BN_num_bytes(rsa->n);
-+
-+	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
-+		{
-+		RSAerr(PK11_F_RSA_PRIV_DEC,PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	/* This check was for equality but PGP does evil things
-+	 * and chops off the top '0' bytes */
-+	if (flen > num)
-+		{
-+		RSAerr(PK11_F_RSA_PRIV_DEC,
-+			PK11_R_DATA_GREATER_THAN_MOD_LEN);
-+		goto err;
-+		}
-+
-+	/* make data into a big number */
-+	if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
-+
-+	if (BN_ucmp(&f, rsa->n) >= 0)
-+		{
-+		RSAerr(PK11_F_RSA_PRIV_DEC,
-+			PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
-+		goto err;
-+		}
-+
-+	/* PK11 functions are called here */
-+	r = pk11_RSA_private_decrypt_low(flen, from, buf, rsa);
-+
-+	/* PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
-+	 * Needs to skip these 0's paddings here */
-+	for (j = 0; j < r; j++)
-+		if (buf[j] != 0)
-+			break;
-+
-+	p = buf + j;
-+	j = r - j;  /* j is only used with no-padding mode */
-+
-+	switch (padding)
-+		{
-+	case RSA_PKCS1_PADDING:
-+		r=RSA_padding_check_PKCS1_type_2(to,num,p,j,num);
-+		break;
-+#ifndef OPENSSL_NO_SHA
-+	case RSA_PKCS1_OAEP_PADDING:
-+		r=RSA_padding_check_PKCS1_OAEP(to,num,p,j,num,NULL,0);
-+		break;
-+#endif
-+ 	case RSA_SSLV23_PADDING:
-+		r=RSA_padding_check_SSLv23(to,num,p,j,num);
-+		break;
-+	case RSA_NO_PADDING:
-+		r=RSA_padding_check_none(to,num,p,j,num);
-+		break;
-+	default:
-+		RSAerr(PK11_F_RSA_PRIV_DEC,PK11_R_UNKNOWN_PADDING_TYPE);
-+		goto err;
-+		}
-+	if (r < 0)
-+		RSAerr(PK11_F_RSA_PRIV_DEC,PK11_R_PADDING_CHECK_FAILED);
-+
-+err:
-+	BN_clear_free(&f);
-+	if (buf != NULL)
-+		{
-+		OPENSSL_cleanse(buf,num);
-+		OPENSSL_free(buf);
-+		}
-+	return(r);
-+	}
-+
-+/* Similar to Openssl. Input errors are also checked here
-+ */
-+static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
-+	     unsigned char *to, RSA *rsa, int padding)
-+	{
-+	BIGNUM f;
-+	int i,num=0,r= -1;
-+	unsigned char *p;
-+	unsigned char *buf=NULL;
-+
-+	BN_init(&f);
-+	num=BN_num_bytes(rsa->n);
-+	buf=(unsigned char *)OPENSSL_malloc(num);
-+	if (buf == NULL)
-+		{
-+		RSAerr(PK11_F_RSA_PUB_DEC,PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	/* This check was for equality but PGP does evil things
-+	 * and chops off the top '0' bytes */
-+	if (flen > num)
-+		{
-+		RSAerr(PK11_F_RSA_PUB_DEC,PK11_R_DATA_GREATER_THAN_MOD_LEN);
-+		goto err;
-+		}
-+
-+	if (BN_bin2bn(from,flen,&f) == NULL) goto err;
-+
-+	if (BN_ucmp(&f, rsa->n) >= 0)
-+		{
-+		RSAerr(PK11_F_RSA_PUB_DEC,
-+			PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
-+		goto err;
-+		}
-+
-+	/* PK11 functions are called here */
-+	r = pk11_RSA_public_decrypt_low(flen, from, buf, rsa);
-+
-+	/* PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
-+	 * Needs to skip these 0's here */
-+	for (i = 0; i < r; i++)
-+		if (buf[i] != 0)
-+			break;
-+
-+	p = buf + i;
-+	i = r - i;  /* i is only used with no-padding mode */
-+
-+	switch (padding)
-+		{
-+	case RSA_PKCS1_PADDING:
-+		r=RSA_padding_check_PKCS1_type_1(to,num,p,i,num);
-+		break;
-+	case RSA_NO_PADDING:
-+		r=RSA_padding_check_none(to,num,p,i,num);
-+		break;
-+	default:
-+		RSAerr(PK11_F_RSA_PUB_DEC,PK11_R_UNKNOWN_PADDING_TYPE);
-+		goto err;
-+		}
-+	if (r < 0)
-+		RSAerr(PK11_F_RSA_PUB_DEC,PK11_R_PADDING_CHECK_FAILED);
-+
-+err:
-+	BN_clear_free(&f);
-+	if (buf != NULL)
-+		{
-+		OPENSSL_cleanse(buf,num);
-+		OPENSSL_free(buf);
-+		}
-+	return(r);
-+	}
-+
-+/* This function implements RSA public encryption using C_EncryptInit and
-+ * C_Encrypt pk11 interfaces. Note that the CKM_RSA_X_509 is used here.
-+ * The calling function allocated sufficient memory in "to" to store results.
-+ */
-+static int pk11_RSA_public_encrypt_low(int flen,
-+	const unsigned char *from, unsigned char *to, RSA *rsa)
-+	{
-+	CK_ULONG bytes_encrypted=flen;
-+	int retval = -1;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
-+	PK11_SESSION *sp;
-+	char tmp_buf[20];
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		return -1;
-+
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_pub_key = sp->rsa_pub_key;
-+	if (h_pub_key == CK_INVALID_HANDLE)
-+		h_pub_key = sp->rsa_pub_key = 
-+			pk11_get_public_rsa_key(rsa, sp);
-+
-+	if (h_pub_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_EncryptInit(sp->session, p_mech, 
-+			h_pub_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PUB_ENC_LOW, 
-+				PK11_R_ENCRYPTINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+	
-+		rv = pFuncList->C_Encrypt(sp->session, 
-+			(unsigned char *)from, flen, to, &bytes_encrypted);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PUB_ENC_LOW, PK11_R_ENCRYPT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+		retval = bytes_encrypted;
-+		}
-+	
-+	pk11_return_session(sp);
-+	return retval;
-+	}
-+
-+
-+/* This function implements RSA private encryption using C_SignInit and 
-+ * C_Sign pk11 APIs. Note that CKM_RSA_X_509 is used here.
-+ * The calling function allocated sufficient memory in "to" to store results.
-+ */
-+static int pk11_RSA_private_encrypt_low(int flen,
-+	const unsigned char *from, unsigned char *to, RSA *rsa)
-+	{
-+	CK_ULONG ul_sig_len=flen;
-+	int retval = -1;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_priv_key= CK_INVALID_HANDLE;
-+	PK11_SESSION *sp;
-+	char tmp_buf[20];
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		return -1;
-+	
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_priv_key = sp->rsa_priv_key;
-+	if (h_priv_key == CK_INVALID_HANDLE)
-+		h_priv_key = sp->rsa_priv_key = 
-+			pk11_get_private_rsa_key(rsa, sp);
-+	
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_SignInit(sp->session, p_mech, 
-+			h_priv_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PRIV_ENC_LOW, PK11_R_SIGNINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+	
-+		rv = pFuncList->C_Sign(sp->session, 
-+			(unsigned char *)from, flen, to, &ul_sig_len);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PRIV_ENC_LOW, PK11_R_SIGN);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+
-+		retval = ul_sig_len;
-+		}
-+	
-+	pk11_return_session(sp);
-+	return retval;
-+	}
-+
-+
-+/* This function implements RSA private decryption using C_DecryptInit and
-+ * C_Decrypt pk11 APIs. Note that CKM_RSA_X_509 mechanism is used here.
-+ * The calling function allocated sufficient memory in "to" to store results.
-+ */
-+static int pk11_RSA_private_decrypt_low(int flen,
-+	const unsigned char *from, unsigned char *to, RSA *rsa)
-+	{
-+	CK_ULONG bytes_decrypted = flen;
-+	int retval = -1;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_priv_key;
-+	PK11_SESSION *sp;
-+	char tmp_buf[20];
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		return -1;
-+	
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_priv_key = sp->rsa_priv_key;
-+	if (h_priv_key == CK_INVALID_HANDLE)
-+		h_priv_key = sp->rsa_priv_key = 
-+			pk11_get_private_rsa_key(rsa, sp);
-+
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_DecryptInit(sp->session, p_mech, 
-+			h_priv_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PRIV_DEC_LOW, 
-+				PK11_R_DECRYPTINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+	
-+		rv = pFuncList->C_Decrypt(sp->session, 
-+			(unsigned char *)from, flen, to, &bytes_decrypted);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PRIV_DEC_LOW, PK11_R_DECRYPT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+		retval = bytes_decrypted;
-+		}
-+
-+	pk11_return_session(sp);
-+	return retval;
-+	}
-+
-+
-+/* This function implements RSA public decryption using C_VerifyRecoverInit 
-+ * and C_VerifyRecover pk11 APIs. Note that CKM_RSA_X_509 is used here.
-+ * The calling function allocated sufficient memory in "to" to store results.
-+ */
-+static int pk11_RSA_public_decrypt_low(int flen,
-+	const unsigned char *from, unsigned char *to, RSA *rsa)
-+	{
-+	CK_ULONG bytes_decrypted = flen;
-+	int retval = -1;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
-+	PK11_SESSION *sp;
-+	char tmp_buf[20];
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		return -1;
-+	
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_pub_key = sp->rsa_pub_key;
-+	if (h_pub_key == CK_INVALID_HANDLE)
-+		h_pub_key = sp->rsa_pub_key = 
-+			pk11_get_public_rsa_key(rsa, sp);
-+
-+	if (h_pub_key != CK_INVALID_HANDLE)
-+		{	
-+		rv = pFuncList->C_VerifyRecoverInit(sp->session, 
-+			p_mech, h_pub_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PUB_DEC_LOW, 
-+				PK11_R_VERIFYRECOVERINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+	
-+		rv = pFuncList->C_VerifyRecover(sp->session, 
-+			(unsigned char *)from, flen, to, &bytes_decrypted);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_PUB_DEC_LOW, 
-+				PK11_R_VERIFYRECOVER);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			pk11_return_session(sp);
-+			return -1;
-+			}
-+		retval = bytes_decrypted;
-+		}
-+
-+	pk11_return_session(sp);
-+	return retval;
-+	}
-+
-+
-+static int pk11_RSA_init(RSA *rsa)
-+	{
-+	/* This flag in the RSA_METHOD enables the new rsa_sign, 
-+	 * rsa_verify functions. See rsa.h for details. */
-+	rsa->flags |= RSA_FLAG_SIGN_VER;
-+
-+	return 1;
-+	}
-+
-+
-+static int pk11_RSA_finish(RSA *rsa)
-+	{
-+	if (rsa->_method_mod_n != NULL)
-+		BN_MONT_CTX_free(rsa->_method_mod_n);
-+	if (rsa->_method_mod_p != NULL)
-+		BN_MONT_CTX_free(rsa->_method_mod_p);
-+	if (rsa->_method_mod_q != NULL)
-+		BN_MONT_CTX_free(rsa->_method_mod_q);
-+	
-+	return pk11_destroy_rsa_key_objects(NULL);
-+	}
-+
-+
-+/* Standard engine interface function. Majority codes here are from 
-+ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
-+ * See more details in rsa/rsa_sign.c */
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+	unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
-+	{
-+	X509_SIG sig;
-+	ASN1_TYPE parameter;
-+	int i,j;
-+	unsigned char *p,*s = NULL;
-+	X509_ALGOR algor;
-+	ASN1_OCTET_STRING digest;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_priv_key;
-+	PK11_SESSION *sp = NULL;
-+	int ret = 0;
-+	char tmp_buf[20];
-+	unsigned long ulsiglen;
-+
-+	/* Encode the digest */
-+	/* Special case: SSL signature, just check the length */
-+	if (type == NID_md5_sha1)
-+		{
-+		if (m_len != SSL_SIG_LENGTH)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, 
-+				PK11_R_INVALID_MESSAGE_LENGTH);
-+			goto err;
-+			}
-+		i = SSL_SIG_LENGTH;
-+		s = (unsigned char *)m;
-+		}
-+	else
-+		{
-+		sig.algor= &algor;
-+		sig.algor->algorithm=OBJ_nid2obj(type);
-+		if (sig.algor->algorithm == NULL)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, 
-+				PK11_R_UNKNOWN_ALGORITHM_TYPE);
-+			goto err;
-+			}
-+		if (sig.algor->algorithm->length == 0)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, 
-+				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
-+			goto err;
-+			}
-+		parameter.type=V_ASN1_NULL;
-+		parameter.value.ptr=NULL;
-+		sig.algor->parameter= ¶meter;
-+	
-+		sig.digest= &digest;
-+		sig.digest->data=(unsigned char *)m;
-+		sig.digest->length=m_len;
-+	
-+		i=i2d_X509_SIG(&sig,NULL);
-+		}
-+	
-+	j=RSA_size(rsa);
-+	if ((i-RSA_PKCS1_PADDING) > j)
-+		{
-+		PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
-+		goto err;
-+		}
-+	
-+	if (type != NID_md5_sha1)
-+		{
-+		s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
-+		if (s == NULL)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		p=s;
-+		i2d_X509_SIG(&sig,&p);
-+		}
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto err;
-+
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_priv_key = sp->rsa_priv_key;
-+	if (h_priv_key == CK_INVALID_HANDLE)
-+		h_priv_key = sp->rsa_priv_key = 
-+			pk11_get_private_rsa_key((RSA *)rsa, sp);
-+
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, PK11_R_SIGNINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		ulsiglen = j;
-+		rv = pFuncList->C_Sign(sp->session, s, i, sigret, 
-+			(CK_ULONG_PTR) &ulsiglen);
-+		*siglen = ulsiglen;
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, PK11_R_SIGN);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		ret = 1;
-+		}
-+
-+err:
-+	if (type != NID_md5_sha1)
-+		{
-+		memset(s,0,(unsigned int)j+1);
-+		OPENSSL_free(s);
-+		}
-+	
-+	pk11_return_session(sp);
-+	return ret;
-+	}
-+
-+static int pk11_RSA_verify(int type, const unsigned char *m,
-+	unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
-+	const RSA *rsa)
-+	{
-+	X509_SIG sig;
-+	ASN1_TYPE parameter;
-+	int i,j;
-+	unsigned char *p,*s = NULL;
-+	X509_ALGOR algor;
-+	ASN1_OCTET_STRING digest;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_pub_key;
-+	PK11_SESSION *sp = NULL;
-+	int ret = 0;
-+	char tmp_buf[20];
-+
-+	/* Encode the digest	*/
-+	/* Special case: SSL signature, just check the length */
-+	if (type == NID_md5_sha1)
-+		{
-+		if (m_len != SSL_SIG_LENGTH)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, 
-+				PK11_R_INVALID_MESSAGE_LENGTH);
-+			goto err;
-+			}
-+		i = SSL_SIG_LENGTH;
-+		s = (unsigned char *)m;
-+		}
-+	else
-+		{
-+		sig.algor= &algor;
-+		sig.algor->algorithm=OBJ_nid2obj(type);
-+		if (sig.algor->algorithm == NULL)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, 
-+				PK11_R_UNKNOWN_ALGORITHM_TYPE);
-+			goto err;
-+			}
-+		if (sig.algor->algorithm->length == 0)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, 
-+				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
-+			goto err;
-+			}
-+		parameter.type=V_ASN1_NULL;
-+		parameter.value.ptr=NULL;
-+		sig.algor->parameter= ¶meter;
-+		sig.digest= &digest;
-+		sig.digest->data=(unsigned char *)m;
-+		sig.digest->length=m_len;
-+		i=i2d_X509_SIG(&sig,NULL);
-+		}
-+	
-+	j=RSA_size(rsa);
-+	if ((i-RSA_PKCS1_PADDING) > j)
-+		{
-+		PK11err(PK11_F_RSA_VERIFY, PK11_R_DIGEST_TOO_BIG);
-+		goto err;
-+		}
-+	
-+	if (type != NID_md5_sha1)
-+		{
-+		s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
-+		if (s == NULL)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		p=s;
-+		i2d_X509_SIG(&sig,&p);
-+		}
-+	
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto err;
-+	
-+	check_new_rsa_key(sp, (void *) rsa);
-+	
-+	h_pub_key = sp->rsa_pub_key;
-+	if (h_pub_key == CK_INVALID_HANDLE)
-+		h_pub_key = sp->rsa_pub_key = 
-+			pk11_get_public_rsa_key((RSA *)rsa, sp);
-+
-+	if (h_pub_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_VerifyInit(sp->session, p_mech, 
-+			h_pub_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, PK11_R_VERIFYINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		rv = pFuncList->C_Verify(sp->session, s, i, sigbuf, 
-+			(CK_ULONG)siglen);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_RSA_VERIFY, PK11_R_VERIFY);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		ret = 1;
-+		}
-+
-+err:
-+	if (type != NID_md5_sha1)
-+		{
-+		memset(s,0,(unsigned int)siglen);
-+		OPENSSL_free(s);
-+		}
-+
-+	pk11_return_session(sp);
-+	return ret;
-+	}
-+
-+static int hndidx_rsa = -1;
-+
-+struct key_info {
-+	CK_OBJECT_HANDLE handle;
-+	CK_SESSION_HANDLE session;
-+};
-+
-+/* Destroy the object when the last reference to it has gone.
-+ */
-+static void hndidx_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-+			int ind, long argl, void *argp)
-+{
-+	struct key_info *key_info = item;
-+	CK_RV rv;
-+	char tmp_buf[20];
-+
-+	if (key_info != NULL)
-+		{
-+                rv = pFuncList->C_DestroyObject(key_info->session,
-+						key_info->handle);
-+                if (rv != CKR_OK)
-+                        {
-+                        PK11err(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT);
-+                        snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+                        ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+                        }
-+		free(item);
-+		}
-+}
-+
-+EVP_PKEY *pk11_load_privkey(ENGINE* e, const char* privkey_file,
-+	UI_METHOD *ui_method, void *callback_data)
-+	{
-+	EVP_PKEY *pkey=NULL;
-+	FILE *privkey;
-+	CK_OBJECT_HANDLE  h_priv_key = CK_INVALID_HANDLE;
-+	RSA *rsa;
-+	PK11_SESSION *sp;
-+	/* everything else below needed for key by reference extension */
-+	char tmp_buf[20];
-+	CK_RV rv;
-+	CK_ULONG objcnt = 0;
-+	CK_BBOOL is_token = TRUE;
-+	CK_BYTE attr_data[2][1024];
-+	CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
-+	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
-+	struct key_info *key_info = NULL; 
-+	extern char *pk11_pin;
-+
-+	/* we look for private keys only */
-+	CK_ATTRIBUTE search_templ[] =
-+		{
-+		{CKA_TOKEN, &is_token, sizeof(is_token)},
-+		{CKA_CLASS, &key_class, sizeof(key_class)},
-+		{CKA_LABEL, NULL, 0}
-+		};
-+
-+	/* these attributes are needed to initialize OpenSSL RSA structure */
-+	CK_ATTRIBUTE get_templ[] =
-+		{
-+		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
-+		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
-+		};
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		return NULL;
-+
-+	/*
-+	 * Use simple scheme "pkcs11:" for now.
-+	 */
-+	if (strstr(privkey_file, "pkcs11:") == privkey_file)
-+		{
-+		search_templ[2].pValue = strstr(privkey_file, ":") + 1;
-+		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+		if (pk11_pin == NULL)
-+#ifndef OPENCRYPTOKI
-+			pk11_pin = getpassphrase("Enter PIN: ");
-+#else
-+			pk11_pin = getpass("Enter PIN: ");
-+#endif
-+		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+			{
-+			fprintf(stderr, "C_Login -> %lx\n", rv);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_INVALID_PIN);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+		if ((rv = pFuncList->C_FindObjectsInit(sp->session,
-+		    search_templ, 3)) != CKR_OK)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_FINDOBJECTSINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+		if (rv != CKR_OK)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_FINDOBJECTS);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		if (objcnt > 1)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lu", objcnt);
-+			ERR_add_error_data(2,
-+				"PK11 too many objects:", tmp_buf);
-+			goto err;
-+			}
-+
-+		if (objcnt != 1)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
-+			ERR_add_error_data(1, "PK11 object not found");
-+			goto err;
-+			}
-+
-+		(void) pFuncList->C_FindObjectsFinal(sp->session);
-+		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+		if (hndidx_rsa == -1)
-+			hndidx_rsa = RSA_get_ex_new_index(0,
-+				        "pkcs11 RSA HSM key handle",
-+					NULL, NULL, hndidx_free);
-+
-+		key_info = malloc(sizeof(struct key_info));
-+		if (key_info == NULL)
-+			goto err;
-+
-+		pkey = EVP_PKEY_new();
-+		if (pkey == NULL)
-+			goto err;
-+
-+		rsa = RSA_new();
-+		if (rsa == NULL) {
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			goto err;
-+		}
-+		EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+		    get_templ, 2)) != CKR_OK)
-+			{
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_GETATTRIBUTVALUE);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * Now we have to initialize an OpenSSL RSA structure,
-+		 * everything else is 0 or NULL.
-+		 */
-+		rsa->meth = &pk11_rsa;
-+		rsa->engine = e;
-+		rsa->references = 2;
-+		rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
-+		key_info->handle = ks_key;
-+		key_info->session = sp->session;
-+		RSA_set_ex_data(rsa, hndidx_rsa, key_info);
-+		key_info = NULL;
-+		sp->rsa = rsa;
-+		sp->rsa_priv_key = ks_key;
-+
-+		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+#ifdef OPENCRYPTOKI
-+		/* openCryptoki bug workaround */
-+		if (get_templ[1].ulValueLen == 0) {
-+			get_templ[1].ulValueLen = 1;
-+			attr_data[1][0] = 3;
-+		}
-+#endif
-+		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+		}
-+	else if ((privkey=fopen(privkey_file,"r")) != NULL)
-+		{
-+		pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
-+		fclose(privkey);
-+		if (pkey)
-+			{
-+			rsa = EVP_PKEY_get1_RSA(pkey);
-+
-+			if (rsa)
-+				{
-+				check_new_rsa_key(sp, (void *) rsa);
-+	
-+				h_priv_key = pk11_get_private_rsa_key(rsa,
-+				sp);
-+			if (h_priv_key == CK_INVALID_HANDLE)
-+				{
-+				EVP_PKEY_free(pkey);
-+				pkey = NULL;
-+				}
-+			}
-+		else
-+			{
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			}
-+		}
-+	}
-+
-+err:
-+	if (key_info != NULL)
-+		free(key_info);
-+	pk11_return_session(sp);
-+	return(pkey);
-+	}
-+
-+EVP_PKEY *pk11_load_pubkey(ENGINE* e, const char* pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data)
-+	{
-+	EVP_PKEY *pkey=NULL;
-+	FILE *pubkey;
-+	CK_OBJECT_HANDLE  h_pub_key = CK_INVALID_HANDLE;
-+	RSA *rsa;
-+	PK11_SESSION *sp;
-+	/* everything else below needed for key by reference extension */
-+	char tmp_buf[20];
-+	CK_RV rv;
-+	CK_ULONG objcnt = 0;
-+	CK_BBOOL is_token = TRUE;
-+	CK_BYTE attr_data[2][1024];
-+	CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
-+	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
-+	extern char *pk11_pin;
-+
-+	/* we look for private keys only */
-+	CK_ATTRIBUTE search_templ[] =
-+		{
-+		{CKA_TOKEN, &is_token, sizeof(is_token)},
-+		{CKA_CLASS, &key_class, sizeof(key_class)},
-+		{CKA_LABEL, NULL, 0}
-+		};
-+
-+	/* these attributes are needed to initialize OpenSSL RSA structure */
-+	CK_ATTRIBUTE get_templ[] =
-+		{
-+		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
-+		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
-+		};
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		return NULL;
-+
-+	/*
-+	 * Use simple scheme "pkcs11:" for now.
-+	 */
-+	if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
-+		{
-+		search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
-+		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+#define ALLWAYS_LOGIN
-+#ifdef ALLWAYS_LOGIN
-+		if (pk11_pin == NULL)
-+#ifndef OPENCRYPTOKI
-+			pk11_pin = getpassphrase("Enter PIN: ");
-+#else
-+			pk11_pin = getpass("Enter PIN: ");
-+#endif
-+		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+			{
-+			fprintf(stderr, "C_Login -> %lx\n", rv);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_INVALID_PIN);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+#endif
-+
-+		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+		if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_FINDOBJECTSINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+		if (rv != CKR_OK)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_FINDOBJECTS);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		if (objcnt > 1)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lu", objcnt);
-+			ERR_add_error_data(2,
-+				"PK11 too many objects:", tmp_buf);
-+			goto err;
-+			}
-+
-+		if (objcnt != 1)
-+			{
-+			CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
-+			ERR_add_error_data(1, "PK11 object not found");
-+			goto err;
-+			}
-+
-+		(void) pFuncList->C_FindObjectsFinal(sp->session);
-+		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+
-+		sp->rsa_pub_key = ks_key;
-+		pkey = malloc(sizeof(EVP_PKEY));
-+		bzero(pkey, sizeof(EVP_PKEY));
-+		pkey->type = EVP_PKEY_RSA;
-+		pkey->references = 1;
-+
-+		rsa = pkey->pkey.rsa = sp->rsa = malloc(sizeof(RSA));
-+		bzero(rsa, sizeof(RSA));
-+
-+		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+		    get_templ, 3) != CKR_OK)
-+			{
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_GETATTRIBUTVALUE);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+
-+		/*
-+		 * Now we have to initialize an OpenSSL RSA structure,
-+		 * everything else is 0 or NULL.
-+		 */
-+		rsa->meth = &pk11_rsa;
-+		rsa->engine = e;
-+		rsa->references = 2;
-+		rsa->flags = RSA_FLAG_SIGN_VER;
-+
-+		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+		}
-+	else if ((pubkey=fopen(pubkey_file,"r")) != NULL)
-+		{
-+		pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
-+		fclose(pubkey);
-+		if (pkey)
-+			{
-+			rsa = EVP_PKEY_get1_RSA(pkey);
-+			if (rsa)
-+				{
-+				check_new_rsa_key(sp, (void *) rsa);
-+	
-+				h_pub_key = pk11_get_public_rsa_key(rsa, sp);
-+				if (h_pub_key == CK_INVALID_HANDLE)
-+					{
-+					EVP_PKEY_free(pkey);
-+					pkey = NULL;
-+					}
-+				}
-+			else
-+				{
-+				EVP_PKEY_free(pkey);
-+				pkey = NULL;
-+				}
-+			}
-+		}
-+
-+err:
-+	pk11_return_session(sp);
-+	return(pkey);
-+	}
-+
-+/* Create a public key object in a session from a given rsa structure.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA* rsa, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	CK_ULONG found;
-+	CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
-+	CK_KEY_TYPE k_type = CKK_RSA;
-+	CK_ULONG ul_key_attr_count = 7;
-+	char tmp_buf[20];
-+
-+	CK_ATTRIBUTE  a_key_template[] =
-+		{
-+		{CKA_CLASS, (void *) NULL, sizeof(CK_OBJECT_CLASS)},
-+		{CKA_KEY_TYPE, (void *) NULL, sizeof(CK_KEY_TYPE)},
-+		{CKA_TOKEN, &false, sizeof(true)},
-+		{CKA_ENCRYPT, &true, sizeof(true)},
-+		{CKA_VERIFY_RECOVER, &true, sizeof(true)},
-+		{CKA_MODULUS, (void *)NULL, 0},
-+		{CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
-+		};
-+
-+	int i;
-+	CK_SESSION_HANDLE session = sp->session;
-+
-+	a_key_template[0].pValue = &o_key;
-+	a_key_template[1].pValue = &k_type;
-+
-+	a_key_template[5].ulValueLen = BN_num_bytes(rsa->n);
-+	a_key_template[5].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+		(size_t)a_key_template[5].ulValueLen);
-+	if (a_key_template[5].pValue == NULL)
-+		{
-+		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	BN_bn2bin(rsa->n, a_key_template[5].pValue);
-+
-+	a_key_template[6].ulValueLen = BN_num_bytes(rsa->e);
-+	a_key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+		(size_t)a_key_template[6].ulValueLen);
-+	if (a_key_template[6].pValue == NULL)
-+		{
-+		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	BN_bn2bin(rsa->e, a_key_template[6].pValue);
-+
-+	rv = pFuncList->C_FindObjectsInit(session, a_key_template, 
-+		ul_key_attr_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTSINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTS);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsFinal(session);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTSFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (found == 0)
-+		{
-+		rv = pFuncList->C_CreateObject(session, 
-+			a_key_template, ul_key_attr_count, &h_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_PUB_RSA_KEY, 
-+				PK11_R_CREATEOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	sp->rsa = rsa;
-+
-+ err:
-+	for (i = 5; i <= 6; i++)
-+		{
-+		if (a_key_template[i].pValue != NULL)
-+			{
-+			OPENSSL_free(a_key_template[i].pValue);
-+			a_key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	return h_key;
-+
-+	}
-+
-+/* Create a private key object in the session from a given rsa structure
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	int i;
-+	CK_ULONG found;
-+	CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
-+	CK_KEY_TYPE k_type = CKK_RSA;
-+	CK_ULONG ul_key_attr_count = 14;
-+	char tmp_buf[20];
-+
-+	/* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys
-+	 */
-+	CK_ATTRIBUTE  a_key_template[] =
-+		{
-+		{CKA_CLASS, (void *) NULL, sizeof(CK_OBJECT_CLASS)},
-+		{CKA_KEY_TYPE, (void *) NULL, sizeof(CK_KEY_TYPE)},
-+		{CKA_TOKEN, &false, sizeof(true)},
-+		{CKA_SENSITIVE, &false, sizeof(true)},
-+		{CKA_DECRYPT, &true, sizeof(true)},
-+		{CKA_SIGN, &true, sizeof(true)},
-+		{CKA_MODULUS, (void *)NULL, 0},
-+		{CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
-+		{CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
-+		{CKA_PRIME_1, (void *)NULL, 0},
-+		{CKA_PRIME_2, (void *)NULL, 0},
-+		{CKA_EXPONENT_1, (void *)NULL, 0},
-+		{CKA_EXPONENT_2, (void *)NULL, 0},
-+		{CKA_COEFFICIENT, (void *)NULL, 0}
-+		};
-+	CK_SESSION_HANDLE session = sp->session;
-+
-+	if ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) {
-+		sp->rsa = rsa;
-+		return (*(CK_OBJECT_HANDLE_PTR)RSA_get_ex_data(rsa, hndidx_rsa));
-+	}
-+	
-+	a_key_template[0].pValue = &o_key;
-+	a_key_template[1].pValue = &k_type;
-+
-+	/* Put the private key components into the template */
-+	if (init_template_value(rsa->n, &a_key_template[6].pValue,
-+		&a_key_template[6].ulValueLen) == 0 ||
-+	    init_template_value(rsa->e, &a_key_template[7].pValue,
-+		&a_key_template[7].ulValueLen) == 0 ||
-+	    init_template_value(rsa->d, &a_key_template[8].pValue,
-+		&a_key_template[8].ulValueLen) == 0 ||
-+	    init_template_value(rsa->p, &a_key_template[9].pValue,
-+		&a_key_template[9].ulValueLen) == 0 ||
-+	    init_template_value(rsa->q, &a_key_template[10].pValue,
-+		&a_key_template[10].ulValueLen) == 0 ||
-+	    init_template_value(rsa->dmp1, &a_key_template[11].pValue,
-+		&a_key_template[11].ulValueLen) == 0 ||
-+	    init_template_value(rsa->dmq1, &a_key_template[12].pValue,
-+		&a_key_template[12].ulValueLen) == 0 ||
-+	    init_template_value(rsa->iqmp, &a_key_template[13].pValue,
-+		&a_key_template[13].ulValueLen) == 0)
-+		{
-+		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsInit(session, a_key_template, 
-+		ul_key_attr_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_FINDOBJECTSINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_FINDOBJECTS);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsFinal(session);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_FINDOBJECTSFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (found == 0)
-+		{
-+		rv = pFuncList->C_CreateObject(session, 
-+			a_key_template, ul_key_attr_count, &h_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_PRIV_RSA_KEY, 
-+				PK11_R_CREATEOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	sp->rsa = rsa;
-+
-+ err:
-+	/* 6 to 13 entries in the key template are key components
-+	 * They need to be freed apon exit or error.
-+	 */
-+	for (i = 6; i <= 13; i++)
-+		{
-+		if (a_key_template[i].pValue != NULL)
-+			{
-+			memset(a_key_template[i].pValue, 0, 
-+				a_key_template[i].ulValueLen);
-+			OPENSSL_free(a_key_template[i].pValue);
-+			a_key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	return h_key;
-+	}
-+
-+#endif
-+
-+
-+#ifndef OPENSSL_NO_DSA
-+/* The DSA function implementation
-+ */
-+static int pk11_DSA_init(DSA *dsa)
-+	{
-+	return 1;
-+	}
-+
-+
-+static int pk11_DSA_finish(DSA *dsa)
-+	{
-+	return pk11_destroy_dsa_key_objects(NULL);
-+	}
-+
-+
-+static DSA_SIG *
-+pk11_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
-+	{
-+	BIGNUM *r = NULL, *s = NULL;
-+	int i;
-+	DSA_SIG *dsa_sig = NULL;
-+
-+	CK_RV rv;
-+	CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
-+	CK_MECHANISM *p_mech = &Mechanism_dsa;
-+	CK_OBJECT_HANDLE h_priv_key;
-+
-+	/* The signature is the concatenation of r and s, 
-+	 * each is 20 bytes long
-+	 */
-+	unsigned char sigret[DSA_SIGNATURE_LEN];
-+	unsigned long siglen = DSA_SIGNATURE_LEN;
-+	unsigned int siglen2 = DSA_SIGNATURE_LEN / 2;
-+
-+	PK11_SESSION *sp = NULL;
-+	char tmp_buf[20];
-+
-+	if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL)) 
-+		{
-+		PK11err(PK11_F_DSA_SIGN, PK11_R_MISSING_KEY_COMPONENT);
-+		goto ret;
-+		}
-+
-+	i=BN_num_bytes(dsa->q); /* should be 20 */
-+	if (dlen > i)
-+		{
-+		PK11err(PK11_F_DSA_SIGN, PK11_R_INVALID_SIGNATURE_LENGTH);
-+		goto ret;
-+		}
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto ret;
-+
-+	check_new_dsa_key(sp, (void *) dsa);
-+
-+	h_priv_key = sp->dsa_priv_key;
-+	if (h_priv_key == CK_INVALID_HANDLE)
-+		h_priv_key = sp->dsa_priv_key =
-+			pk11_get_private_dsa_key((DSA *)dsa, sp);
-+
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DSA_SIGN, PK11_R_SIGNINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto ret;
-+			}
-+
-+		memset(sigret, 0, siglen);
-+		rv = pFuncList->C_Sign(sp->session, 
-+			(unsigned char*) dgst, dlen, sigret, 
-+			(CK_ULONG_PTR) &siglen);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DSA_SIGN, PK11_R_SIGN);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto ret;
-+			}
-+		}
-+
-+
-+	if ((s = BN_new()) == NULL)
-+		{
-+		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+		goto ret;
-+		}
-+
-+	if ((r = BN_new()) == NULL)
-+		{
-+		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+		goto ret;
-+		}
-+
-+	if ((dsa_sig = DSA_SIG_new()) == NULL)
-+		{
-+		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
-+		goto ret;
-+		}
-+
-+	BN_bin2bn(sigret, siglen2, r);
-+	BN_bin2bn(&sigret[siglen2], siglen2, s);
-+
-+	dsa_sig->r = r;
-+	dsa_sig->s = s;
-+
-+ret:
-+	if (dsa_sig == NULL) 
-+		{
-+		if (r != NULL)
-+			BN_free(r);
-+		if (s != NULL)
-+			BN_free(s);
-+		}
-+
-+	pk11_return_session(sp);
-+	return (dsa_sig);
-+	}
-+
-+static int
-+pk11_dsa_do_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig,
-+	DSA *dsa)
-+	{
-+	int i;
-+	CK_RV rv;
-+	int retval = 0;
-+	CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
-+	CK_MECHANISM *p_mech = &Mechanism_dsa;
-+	CK_OBJECT_HANDLE h_pub_key;
-+
-+	unsigned char sigbuf[DSA_SIGNATURE_LEN];
-+	unsigned long siglen = DSA_SIGNATURE_LEN;
-+	unsigned long siglen2 = DSA_SIGNATURE_LEN/2;
-+
-+	PK11_SESSION *sp = NULL;
-+	char tmp_buf[20];
-+
-+	if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
-+		{
-+		PK11err(PK11_F_DSA_VERIFY, 
-+			PK11_R_INVALID_DSA_SIGNATURE_R);
-+		goto ret;
-+		}
-+
-+	if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0) 
-+		{
-+		PK11err(PK11_F_DSA_VERIFY, 
-+			PK11_R_INVALID_DSA_SIGNATURE_S);
-+		goto ret;
-+		}
-+
-+	i = BN_num_bytes(dsa->q); /* should be 20 */
-+
-+	if (dlen > i)
-+		{
-+		PK11err(PK11_F_DSA_VERIFY, 
-+			PK11_R_INVALID_SIGNATURE_LENGTH);
-+		goto ret;
-+		}
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto ret;
-+	
-+	check_new_dsa_key(sp, (void *) dsa);
-+
-+	h_pub_key = sp->dsa_pub_key;
-+	if (h_pub_key == CK_INVALID_HANDLE)
-+		h_pub_key = sp->dsa_pub_key = 
-+			pk11_get_public_dsa_key((DSA *)dsa, sp);
-+
-+	if (h_pub_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_VerifyInit(sp->session, p_mech, 
-+			h_pub_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DSA_VERIFY, PK11_R_VERIFYINIT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto ret;
-+			}
-+
-+		memset(sigbuf, 0, siglen);
-+		BN_bn2bin(sig->r, sigbuf);
-+		BN_bn2bin(sig->s, &sigbuf[siglen2]);
-+		
-+		rv = pFuncList->C_Verify(sp->session, 
-+			(unsigned char *) dgst, dlen, sigbuf, (CK_ULONG)siglen);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DSA_VERIFY, PK11_R_VERIFY);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto ret;
-+			}
-+		}
-+
-+	retval = 1;
-+ret:
-+
-+	pk11_return_session(sp);
-+	return retval;
-+	}
-+
-+
-+/* Create a public key object in a session from a given dsa structure.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	CK_ULONG found;
-+	CK_KEY_TYPE k_type = CKK_DSA;
-+	CK_ULONG ul_key_attr_count = 8;
-+	int i;
-+	char tmp_buf[20];
-+
-+	CK_ATTRIBUTE  a_key_template[] =
-+		{
-+		{CKA_CLASS, (void *) NULL, sizeof(CK_OBJECT_CLASS)},
-+		{CKA_KEY_TYPE, (void *) NULL, sizeof(CK_KEY_TYPE)},
-+		{CKA_TOKEN, &false, sizeof(true)},
-+		{CKA_VERIFY, &true, sizeof(true)},
-+		{CKA_PRIME, (void *)NULL, 0},		/* p */
-+		{CKA_SUBPRIME, (void *)NULL, 0},	/* q */
-+		{CKA_BASE, (void *)NULL, 0},		/* g */
-+		{CKA_VALUE, (void *)NULL, 0}		/* pub_key - y */
-+		};
-+	CK_SESSION_HANDLE session = sp->session;
-+
-+	a_key_template[0].pValue = &o_key;
-+	a_key_template[1].pValue = &k_type;
-+
-+	if (init_template_value(dsa->p, &a_key_template[4].pValue,
-+		&a_key_template[4].ulValueLen) == 0 ||
-+	    init_template_value(dsa->q, &a_key_template[5].pValue,
-+		&a_key_template[5].ulValueLen) == 0 ||
-+	    init_template_value(dsa->g, &a_key_template[6].pValue,
-+		&a_key_template[6].ulValueLen) == 0 ||
-+	    init_template_value(dsa->pub_key, &a_key_template[7].pValue,
-+		&a_key_template[7].ulValueLen) == 0)
-+		{
-+		PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsInit(session, a_key_template, 
-+		ul_key_attr_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTSINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTS);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsFinal(session);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTSFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (found == 0)
-+		{
-+		rv = pFuncList->C_CreateObject(session, 
-+			a_key_template, ul_key_attr_count, &h_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_PUB_DSA_KEY, 
-+				PK11_R_CREATEOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	sp->dsa = dsa;
-+
-+ err:
-+	for (i = 4; i <= 7; i++)
-+		{
-+		if (a_key_template[i].pValue != NULL)
-+			{
-+			OPENSSL_free(a_key_template[i].pValue);
-+			a_key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	return h_key;
-+
-+	}
-+
-+/* Create a private key object in the session from a given dsa structure
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
-+	int i;
-+	char tmp_buf[20];
-+	CK_ULONG found;
-+	CK_KEY_TYPE k_type = CKK_DSA;
-+	CK_ULONG ul_key_attr_count = 9;
-+
-+	/* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys
-+	 */
-+	CK_ATTRIBUTE  a_key_template[] =
-+		{
-+		{CKA_CLASS, (void *) NULL, sizeof(CK_OBJECT_CLASS)},
-+		{CKA_KEY_TYPE, (void *) NULL, sizeof(CK_KEY_TYPE)},
-+		{CKA_TOKEN, &false, sizeof(true)},
-+		{CKA_SENSITIVE, &false, sizeof(true)},
-+		{CKA_SIGN, &true, sizeof(true)},
-+		{CKA_PRIME, (void *)NULL, 0},		/* p */
-+		{CKA_SUBPRIME, (void *)NULL, 0},	/* q */
-+		{CKA_BASE, (void *)NULL, 0},		/* g */
-+		{CKA_VALUE, (void *)NULL, 0}		/* priv_key - x */
-+		};
-+	CK_SESSION_HANDLE session = sp->session;
-+
-+	a_key_template[0].pValue = &o_key;
-+	a_key_template[1].pValue = &k_type;
-+
-+	/* Put the private key components into the template
-+	 */
-+	if (init_template_value(dsa->p, &a_key_template[5].pValue,
-+		&a_key_template[5].ulValueLen) == 0 ||
-+	    init_template_value(dsa->q, &a_key_template[6].pValue,
-+		&a_key_template[6].ulValueLen) == 0 ||
-+	    init_template_value(dsa->g, &a_key_template[7].pValue,
-+		&a_key_template[7].ulValueLen) == 0 ||
-+	    init_template_value(dsa->priv_key, &a_key_template[8].pValue,
-+		&a_key_template[8].ulValueLen) == 0)
-+		{
-+		PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsInit(session, a_key_template, 
-+		ul_key_attr_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_FINDOBJECTSINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_FINDOBJECTS);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsFinal(session);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_FINDOBJECTSFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (found == 0)
-+		{
-+		rv = pFuncList->C_CreateObject(session, 
-+			a_key_template, ul_key_attr_count, &h_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_PRIV_DSA_KEY, 
-+				PK11_R_CREATEOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	sp->dsa = dsa;
-+
-+err:
-+	/* 5 to 8 entries in the key template are key components
-+	 * They need to be freed apon exit or error.
-+	 */
-+	for (i = 5; i <= 8; i++)
-+		{
-+		if (a_key_template[i].pValue != NULL)
-+			{
-+			memset(a_key_template[i].pValue, 0,
-+				a_key_template[i].ulValueLen);
-+			OPENSSL_free(a_key_template[i].pValue);
-+			a_key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	return h_key;
-+
-+	}
-+#endif
-+
-+
-+#ifndef OPENSSL_NO_DH
-+
-+/* The DH function implementation
-+ */
-+static int pk11_DH_init(DH *dh)
-+	{
-+	return 1;
-+	}
-+
-+
-+static int pk11_DH_finish(DH *dh)
-+	{
-+	return pk11_destroy_dh_key_objects(NULL);
-+	}
-+
-+static int pk11_DH_generate_key(DH *dh)
-+	{
-+	CK_ULONG i;
-+	CK_RV rv, rv1;
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	char tmp_buf[20];
-+	CK_BYTE_PTR reuse_mem;
-+
-+	CK_MECHANISM mechanism = {CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
-+	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
-+	CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
-+
-+	CK_ULONG ul_pub_key_attr_count = 3; 
-+	CK_ATTRIBUTE pub_key_template[] =
-+		{
-+		{CKA_PRIVATE, &false, sizeof(false)},
-+		{CKA_PRIME, (void *)NULL, 0},
-+		{CKA_BASE, (void *)NULL, 0}
-+		};
-+
-+	CK_ULONG ul_priv_key_attr_count = 3; 
-+	CK_ATTRIBUTE priv_key_template[] =
-+		{
-+		{CKA_PRIVATE, &false, sizeof(false)},
-+		{CKA_SENSITIVE, &false, sizeof(false)},
-+		{CKA_DERIVE, &true, sizeof(true)}
-+		};
-+
-+	CK_ULONG pub_key_attr_result_count = 1;
-+	CK_ATTRIBUTE pub_key_result[] =
-+		{
-+		{CKA_VALUE, (void *)NULL, 0}
-+		};
-+
-+	CK_ULONG priv_key_attr_result_count = 1;
-+	CK_ATTRIBUTE priv_key_result[] =
-+		{
-+		{CKA_VALUE, (void *)NULL, 0}
-+		};
-+
-+	pub_key_template[1].ulValueLen = BN_num_bytes(dh->p);
-+	if (pub_key_template[1].ulValueLen > 0)
-+		{
-+		pub_key_template[1].pValue = 
-+			OPENSSL_malloc(pub_key_template[1].ulValueLen);
-+		if (pub_key_template[1].pValue == NULL)
-+			{
-+			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+
-+		i = BN_bn2bin(dh->p, pub_key_template[1].pValue);
-+		}
-+	else
-+		goto err;
-+
-+	pub_key_template[2].ulValueLen = BN_num_bytes(dh->g);
-+	if (pub_key_template[2].ulValueLen > 0)
-+		{
-+		pub_key_template[2].pValue = 
-+			OPENSSL_malloc(pub_key_template[2].ulValueLen);
-+		if (pub_key_template[2].pValue == NULL)
-+			{
-+			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+
-+		i = BN_bn2bin(dh->g, pub_key_template[2].pValue);
-+		}
-+	else
-+		goto err;
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto err;
-+	
-+	rv = pFuncList->C_GenerateKeyPair(sp->session,
-+			   &mechanism,
-+			   pub_key_template,
-+			   ul_pub_key_attr_count,
-+			   priv_key_template,
-+			   ul_priv_key_attr_count,
-+			   &h_pub_key,
-+			   &h_priv_key);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GEN_KEY);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	/* Reuse the larger memory allocated. We know the larger memory
-+	 * is sufficient for reuse */
-+	if (pub_key_template[1].ulValueLen > pub_key_template[2].ulValueLen)
-+		reuse_mem = pub_key_template[1].pValue;
-+	else
-+		reuse_mem = pub_key_template[2].pValue;
-+
-+	rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key, 
-+		pub_key_result, pub_key_attr_result_count);
-+	rv1 = pFuncList->C_GetAttributeValue(sp->session, h_priv_key, 
-+		priv_key_result, priv_key_attr_result_count);
-+
-+	if (rv != CKR_OK || rv1 != CKR_OK)
-+		{
-+		rv = (rv != CKR_OK) ? rv : rv1;
-+		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (((CK_LONG) pub_key_result[0].ulValueLen) <= 0 ||
-+		((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
-+		{
-+		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
-+		goto err;
-+		}
-+	
-+	/* Reuse the memory allocated */
-+	pub_key_result[0].pValue = reuse_mem;
-+
-+	rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key, 
-+		pub_key_result, pub_key_attr_result_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (pub_key_result[0].type == CKA_VALUE)
-+		{
-+		if (dh->pub_key == NULL)
-+			dh->pub_key = BN_new();
-+		dh->pub_key = BN_bin2bn(pub_key_result[0].pValue, 
-+			pub_key_result[0].ulValueLen, dh->pub_key);
-+		}
-+
-+	/* Reuse the memory allocated */
-+	priv_key_result[0].pValue = reuse_mem;
-+
-+	rv = pFuncList->C_GetAttributeValue(sp->session, h_priv_key, 
-+		priv_key_result, priv_key_attr_result_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (priv_key_result[0].type == CKA_VALUE)
-+		{
-+		if (dh->priv_key == NULL)
-+			dh->priv_key = BN_new();
-+		dh->priv_key = BN_bin2bn(priv_key_result[0].pValue, 
-+			priv_key_result[0].ulValueLen, dh->priv_key);
-+		}
-+
-+	ret = 1;
-+
-+err:
-+	 
-+	if (h_pub_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_DestroyObject(sp->session, h_pub_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DH_GEN_KEY, PK11_R_DESTROYOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			}
-+		}
-+
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_DestroyObject(sp->session, h_priv_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DH_GEN_KEY, PK11_R_DESTROYOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			}
-+		}
-+
-+	for (i = 1; i <= 2; i++)
-+		{
-+		if (pub_key_template[i].pValue != NULL)
-+			{
-+			OPENSSL_free(pub_key_template[i].pValue);
-+			pub_key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	pk11_return_session(sp);
-+	return ret;
-+	}
-+
-+static int pk11_DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh)
-+	{
-+	int i;
-+	CK_MECHANISM mechanism = {CKM_DH_PKCS_DERIVE, NULL_PTR, 0};
-+	CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
-+	CK_KEY_TYPE key_type = CKK_GENERIC_SECRET;
-+	CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+
-+	CK_ULONG ul_priv_key_attr_count = 2;
-+	CK_ATTRIBUTE priv_key_template[] =
-+		{
-+		{CKA_CLASS, (void*) NULL, sizeof(key_class)},
-+		{CKA_KEY_TYPE, (void*) NULL,  sizeof(key_type)},
-+		};
-+
-+	CK_ULONG priv_key_attr_result_count = 1;
-+	CK_ATTRIBUTE priv_key_result[] =
-+		{
-+		{CKA_VALUE, (void *)NULL, 0}
-+		};
-+
-+	CK_RV rv;
-+	int ret = 0;
-+	PK11_SESSION *sp = NULL;
-+	char tmp_buf[20];
-+
-+	priv_key_template[0].pValue = &key_class;
-+	priv_key_template[1].pValue = &key_type;
-+
-+	if ((sp = pk11_get_session()) == NULL)
-+		goto err;
-+
-+	mechanism.ulParameterLen = BN_num_bytes(pub_key);
-+	mechanism.pParameter = OPENSSL_malloc(mechanism.ulParameterLen);
-+	if (mechanism.pParameter == NULL)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+	BN_bn2bin(pub_key, mechanism.pParameter);
-+
-+	check_new_dh_key(sp, dh);
-+
-+	h_key = sp->dh_key;
-+	if (h_key == CK_INVALID_HANDLE)
-+		h_key = sp->dh_key = pk11_get_dh_key((DH*) dh, sp);
-+
-+	if (h_key == CK_INVALID_HANDLE)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_CREATEOBJECT);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_DeriveKey(sp->session,
-+			   &mechanism,
-+			   h_key,
-+			   priv_key_template,
-+			   ul_priv_key_attr_count,
-+			   &h_derived_key);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_DERIVEKEY);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key, 
-+		priv_key_result, priv_key_attr_result_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
-+		goto err;
-+		}
-+	priv_key_result[0].pValue = 
-+		OPENSSL_malloc(priv_key_result[0].ulValueLen);
-+	if (!priv_key_result[0].pValue)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key, 
-+		priv_key_result, priv_key_attr_result_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	/* OpenSSL allocates the output buffer 'key' which is the same
-+	 * length of the public key. It is long enough for the derived key */
-+	if (priv_key_result[0].type == CKA_VALUE)
-+		{
-+		/* CKM_DH_PKCS_DERIVE mechanism is not supposed to strip
-+		 * leading zeros from a computed shared secret. However,
-+		 * OpenSSL always did it so we must do the same here. The
-+		 * vagueness of the spec regarding leading zero bytes was
-+		 * finally cleared with TLS 1.1 (RFC 4346) saying that leading
-+		 * zeros are stripped before the computed data is used as the
-+		 * pre-master secret.
-+		 */
-+		for (i = 0; i < priv_key_result[0].ulValueLen; ++i)
-+			{
-+			if (((char *) priv_key_result[0].pValue)[i] != 0)
-+				break;
-+			}
-+
-+		memcpy(key, ((char *) priv_key_result[0].pValue) + i, 
-+			priv_key_result[0].ulValueLen - i);
-+		ret = priv_key_result[0].ulValueLen - i;
-+		}
-+
-+err:
-+
-+	if (h_derived_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_DestroyObject(sp->session, h_derived_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_DH_COMP_KEY, PK11_R_DESTROYOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			}
-+		}
-+	if (priv_key_result[0].pValue)
-+		{ 
-+		OPENSSL_free(priv_key_result[0].pValue);
-+		priv_key_result[0].pValue = NULL;
-+		}
-+
-+	if (mechanism.pParameter)
-+		{
-+		OPENSSL_free(mechanism.pParameter);
-+		mechanism.pParameter = NULL;
-+		}
-+
-+	pk11_return_session(sp);
-+	return ret;
-+	}
-+
-+
-+static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh, PK11_SESSION *sp)
-+	{
-+	CK_RV rv;
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
-+	CK_KEY_TYPE key_type = CKK_DH;
-+	CK_ULONG found;
-+	int i;
-+	char tmp_buf[20];
-+
-+	CK_ULONG ul_key_attr_count = 7;
-+	CK_ATTRIBUTE key_template[] =
-+		{
-+		{CKA_CLASS, (void*) NULL, sizeof(class)},
-+		{CKA_KEY_TYPE, (void*) NULL, sizeof(key_type)},
-+		{CKA_DERIVE, &true, sizeof(true)},
-+		{CKA_PRIVATE, &false, sizeof(false)},
-+		{CKA_PRIME, (void *) NULL, 0},
-+		{CKA_BASE, (void *) NULL, 0},
-+		{CKA_VALUE, (void *) NULL, 0},
-+		};
-+
-+	CK_SESSION_HANDLE session = sp->session;
-+
-+	key_template[0].pValue = &class;
-+	key_template[1].pValue = &key_type;
-+
-+	key_template[4].ulValueLen = BN_num_bytes(dh->p);
-+	key_template[4].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+		(size_t)key_template[4].ulValueLen);
-+	if (key_template[4].pValue == NULL)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	BN_bn2bin(dh->p, key_template[4].pValue);
-+
-+	key_template[5].ulValueLen = BN_num_bytes(dh->g);
-+	key_template[5].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+		(size_t)key_template[5].ulValueLen);
-+	if (key_template[5].pValue == NULL)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	BN_bn2bin(dh->g, key_template[5].pValue);
-+
-+	key_template[6].ulValueLen = BN_num_bytes(dh->priv_key);
-+	key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
-+		(size_t)key_template[6].ulValueLen);
-+	if (key_template[6].pValue == NULL)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
-+		goto err;
-+		}
-+
-+	BN_bn2bin(dh->priv_key, key_template[6].pValue);
-+
-+	rv = pFuncList->C_FindObjectsInit(session, key_template, 
-+		ul_key_attr_count);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSINIT);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_FindObjectsFinal(session);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSFINAL);
-+		snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+		ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+		goto err;
-+		}
-+
-+	if (found == 0)
-+		{
-+		rv = pFuncList->C_CreateObject(session, 
-+			key_template, ul_key_attr_count, &h_key);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err(PK11_F_GET_DH_KEY, PK11_R_CREATEOBJECT);
-+			snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
-+			ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
-+			goto err;
-+			}
-+		}
-+
-+	sp->dh = dh;
-+
-+ err:
-+	for (i = 4; i <= 6; i++)
-+		{
-+		if (key_template[i].pValue != NULL)
-+			{
-+			OPENSSL_free(key_template[i].pValue);
-+			key_template[i].pValue = NULL;
-+			}
-+		}
-+
-+	return h_key;
-+	}
-+
-+#endif
-+
-+/* Local function to simplify key template population
-+ * Return 0 -- error, 1 -- no error
-+ */
-+static int init_template_value(BIGNUM *bn, CK_VOID_PTR *p_value, 
-+	CK_ULONG *ul_value_len)
-+	{
-+	CK_ULONG len = BN_num_bytes(bn);
-+	if (len == 0)
-+		return 1;
-+
-+	*ul_value_len = len;
-+	*p_value = (CK_VOID_PTR)OPENSSL_malloc((size_t) *ul_value_len);
-+	if (*p_value == NULL)
-+		return 0;
-+
-+	BN_bn2bin(bn, *p_value);
-+
-+	return 1;
-+	}
-+
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
-+	{
-+		if (attr->ulValueLen > 0)
-+			{
-+			*bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
-+			}
-+	}
-+
-+static void check_new_rsa_key(PK11_SESSION *sp, void *rsa)
-+	{
-+	if (sp->rsa != rsa)
-+		pk11_destroy_rsa_key_objects(sp);
-+	}
-+
-+static void check_new_dsa_key(PK11_SESSION *sp, void *dsa)
-+	{
-+	if (sp->dsa != dsa)
-+		pk11_destroy_dsa_key_objects(sp);
-+	}
-+
-+static void check_new_dh_key(PK11_SESSION *sp, void *dh)
-+	{
-+	if (sp->dh != dh)
-+		pk11_destroy_dh_key_objects(sp);
-+	}
-+
-+
-+#endif
-+#endif
-diff -r -u -N openssl-0.9.8g/crypto/engine/Makefile openssl/crypto/engine/Makefile
---- openssl-0.9.8g/crypto/engine/Makefile	2005-07-16 13:13:05.000000000 +0200
-+++ openssl/crypto/engine/Makefile	2007-10-25 01:27:09.000000000 +0200
-@@ -21,12 +21,14 @@
- 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
- 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
- 	tb_cipher.c tb_digest.c \
--	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
-+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
-+	hw_pk11.c hw_pk11_pub.c
- LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
- 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
- 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
- 	tb_cipher.o tb_digest.o \
--	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
-+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
-+	hw_pk11.o hw_pk11_pub.o
- 
- SRC= $(LIBSRC)
- 
-@@ -212,6 +214,54 @@
- eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
- eng_table.o: ../../include/openssl/symhacks.h ../cryptlib.h eng_int.h
- eng_table.o: eng_table.c
-+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
-+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
-+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
-+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
-+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
-+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
-+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
-+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
-+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
-+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
-+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
-+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
-+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
-+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
-+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
-+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
-+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
-+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
-+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
-+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
-+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
-+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
- tb_cipher.o: ../../e_os.h ../../include/openssl/bio.h
- tb_cipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
- tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-diff -r -u -N openssl-0.9.8g/crypto/engine/pkcs11f.h openssl/crypto/engine/pkcs11f.h
---- openssl-0.9.8g/crypto/engine/pkcs11f.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/pkcs11f.h	2007-10-25 01:27:09.000000000 +0200
-@@ -0,0 +1,912 @@
-+/* pkcs11f.h include file for PKCS #11. */
-+/* $Revision: 1.2 $ */
-+
-+/* License to copy and use this software is granted provided that it is
-+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+ * (Cryptoki)" in all material mentioning or referencing this software.
-+
-+ * License is also granted to make and use derivative works provided that
-+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
-+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
-+ * referencing the derived work.
-+
-+ * RSA Security Inc. makes no representations concerning either the 
-+ * merchantability of this software or the suitability of this software for
-+ * any particular purpose. It is provided "as is" without express or implied
-+ * warranty of any kind.
-+ */
-+
-+/* This header file contains pretty much everything about all the */
-+/* Cryptoki function prototypes.  Because this information is */
-+/* used for more than just declaring function prototypes, the */
-+/* order of the functions appearing herein is important, and */
-+/* should not be altered. */
-+
-+/* General-purpose */
-+
-+/* C_Initialize initializes the Cryptoki library. */
-+CK_PKCS11_FUNCTION_INFO(C_Initialize)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
-+                            * cast to CK_C_INITIALIZE_ARGS_PTR
-+                            * and dereferenced */
-+);
-+#endif
-+
-+
-+/* C_Finalize indicates that an application is done with the
-+ * Cryptoki library. */
-+CK_PKCS11_FUNCTION_INFO(C_Finalize)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
-+);
-+#endif
-+
-+
-+/* C_GetInfo returns general information about Cryptoki. */
-+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_INFO_PTR   pInfo  /* location that receives information */
-+);
-+#endif
-+
-+
-+/* C_GetFunctionList returns the function list. */
-+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
-+                                            * function list */
-+);
-+#endif
-+
-+
-+
-+/* Slot and token management */
-+
-+/* C_GetSlotList obtains a list of slots in the system. */
-+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
-+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
-+  CK_ULONG_PTR   pulCount       /* receives number of slots */
-+);
-+#endif
-+
-+
-+/* C_GetSlotInfo obtains information about a particular slot in
-+ * the system. */
-+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID       slotID,  /* the ID of the slot */
-+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
-+);
-+#endif
-+
-+
-+/* C_GetTokenInfo obtains information about a particular token
-+ * in the system. */
-+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
-+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
-+);
-+#endif
-+
-+
-+/* C_GetMechanismList obtains a list of mechanism types
-+ * supported by a token. */
-+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID            slotID,          /* ID of token's slot */
-+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
-+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
-+);
-+#endif
-+
-+
-+/* C_GetMechanismInfo obtains information about a particular
-+ * mechanism possibly supported by a token. */
-+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
-+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
-+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
-+);
-+#endif
-+
-+
-+/* C_InitToken initializes a token. */
-+CK_PKCS11_FUNCTION_INFO(C_InitToken)
-+#ifdef CK_NEED_ARG_LIST
-+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
-+(
-+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
-+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
-+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
-+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
-+);
-+#endif
-+
-+
-+/* C_InitPIN initializes the normal user's PIN. */
-+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
-+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
-+);
-+#endif
-+
-+
-+/* C_SetPIN modifies the PIN of the user who is logged in. */
-+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
-+  CK_ULONG          ulOldLen,  /* length of the old PIN */
-+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
-+  CK_ULONG          ulNewLen   /* length of the new PIN */
-+);
-+#endif
-+
-+
-+
-+/* Session management */
-+
-+/* C_OpenSession opens a session between an application and a
-+ * token. */
-+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID            slotID,        /* the slot's ID */
-+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
-+  CK_VOID_PTR           pApplication,  /* passed to callback */
-+  CK_NOTIFY             Notify,        /* callback function */
-+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
-+);
-+#endif
-+
-+
-+/* C_CloseSession closes a session between an application and a
-+ * token. */
-+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession  /* the session's handle */
-+);
-+#endif
-+
-+
-+/* C_CloseAllSessions closes all sessions with a token. */
-+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SLOT_ID     slotID  /* the token's slot */
-+);
-+#endif
-+
-+
-+/* C_GetSessionInfo obtains information about the session. */
-+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
-+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
-+);
-+#endif
-+
-+
-+/* C_GetOperationState obtains the state of the cryptographic operation
-+ * in a session. */
-+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,             /* session's handle */
-+  CK_BYTE_PTR       pOperationState,      /* gets state */
-+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
-+);
-+#endif
-+
-+
-+/* C_SetOperationState restores the state of the cryptographic
-+ * operation in a session. */
-+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR      pOperationState,      /* holds state */
-+  CK_ULONG         ulOperationStateLen,  /* holds state length */
-+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
-+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
-+);
-+#endif
-+
-+
-+/* C_Login logs a user into a token. */
-+CK_PKCS11_FUNCTION_INFO(C_Login)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_USER_TYPE      userType,  /* the user type */
-+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
-+  CK_ULONG          ulPinLen   /* the length of the PIN */
-+);
-+#endif
-+
-+
-+/* C_Logout logs a user out from a token. */
-+CK_PKCS11_FUNCTION_INFO(C_Logout)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession  /* the session's handle */
-+);
-+#endif
-+
-+
-+
-+/* Object management */
-+
-+/* C_CreateObject creates a new object. */
-+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
-+  CK_ULONG          ulCount,     /* attributes in template */
-+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
-+);
-+#endif
-+
-+
-+/* C_CopyObject copies an object, creating a new object for the
-+ * copy. */
-+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
-+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
-+  CK_ULONG             ulCount,     /* attributes in template */
-+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
-+);
-+#endif
-+
-+
-+/* C_DestroyObject destroys an object. */
-+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
-+);
-+#endif
-+
-+
-+/* C_GetObjectSize gets the size of an object in bytes. */
-+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
-+  CK_ULONG_PTR      pulSize    /* receives size of object */
-+);
-+#endif
-+
-+
-+/* C_GetAttributeValue obtains the value of one or more object
-+ * attributes. */
-+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,   /* the session's handle */
-+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
-+  CK_ULONG          ulCount     /* attributes in template */
-+);
-+#endif
-+
-+
-+/* C_SetAttributeValue modifies the value of one or more object
-+ * attributes */
-+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,   /* the session's handle */
-+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
-+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
-+  CK_ULONG          ulCount     /* attributes in template */
-+);
-+#endif
-+
-+
-+/* C_FindObjectsInit initializes a search for token and session
-+ * objects that match a template. */
-+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,   /* the session's handle */
-+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
-+  CK_ULONG          ulCount     /* attrs in search template */
-+);
-+#endif
-+
-+
-+/* C_FindObjects continues a search for token and session
-+ * objects that match a template, obtaining additional object
-+ * handles. */
-+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+ CK_SESSION_HANDLE    hSession,          /* session's handle */
-+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
-+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
-+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
-+);
-+#endif
-+
-+
-+/* C_FindObjectsFinal finishes a search for token and session
-+ * objects. */
-+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession  /* the session's handle */
-+);
-+#endif
-+
-+
-+
-+/* Encryption and decryption */
-+
-+/* C_EncryptInit initializes an encryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
-+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
-+);
-+#endif
-+
-+
-+/* C_Encrypt encrypts single-part data. */
-+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pData,               /* the plaintext data */
-+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
-+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
-+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
-+);
-+#endif
-+
-+
-+/* C_EncryptUpdate continues a multiple-part encryption
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,           /* session's handle */
-+  CK_BYTE_PTR       pPart,              /* the plaintext data */
-+  CK_ULONG          ulPartLen,          /* plaintext data len */
-+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
-+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
-+);
-+#endif
-+
-+
-+/* C_EncryptFinal finishes a multiple-part encryption
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,                /* session handle */
-+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
-+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
-+);
-+#endif
-+
-+
-+/* C_DecryptInit initializes a decryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
-+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
-+);
-+#endif
-+
-+
-+/* C_Decrypt decrypts encrypted data in a single part. */
-+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,           /* session's handle */
-+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
-+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
-+  CK_BYTE_PTR       pData,              /* gets plaintext */
-+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
-+);
-+#endif
-+
-+
-+/* C_DecryptUpdate continues a multiple-part decryption
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
-+  CK_ULONG          ulEncryptedPartLen,  /* input length */
-+  CK_BYTE_PTR       pPart,               /* gets plaintext */
-+  CK_ULONG_PTR      pulPartLen           /* p-text size */
-+);
-+#endif
-+
-+
-+/* C_DecryptFinal finishes a multiple-part decryption
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,       /* the session's handle */
-+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
-+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
-+);
-+#endif
-+
-+
-+
-+/* Message digesting */
-+
-+/* C_DigestInit initializes a message-digesting operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,   /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
-+);
-+#endif
-+
-+
-+/* C_Digest digests data in a single part. */
-+CK_PKCS11_FUNCTION_INFO(C_Digest)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,     /* the session's handle */
-+  CK_BYTE_PTR       pData,        /* data to be digested */
-+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
-+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
-+);
-+#endif
-+
-+
-+/* C_DigestUpdate continues a multiple-part message-digesting
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_BYTE_PTR       pPart,     /* data to be digested */
-+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
-+);
-+#endif
-+
-+
-+/* C_DigestKey continues a multi-part message-digesting
-+ * operation, by digesting the value of a secret key as part of
-+ * the data already digested. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
-+);
-+#endif
-+
-+
-+/* C_DigestFinal finishes a multiple-part message-digesting
-+ * operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,     /* the session's handle */
-+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
-+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
-+);
-+#endif
-+
-+
-+
-+/* Signing and MACing */
-+
-+/* C_SignInit initializes a signature (private key encryption)
-+ * operation, where the signature is (will be) an appendix to
-+ * the data, and plaintext cannot be recovered from the
-+ *signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
-+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
-+);
-+#endif
-+
-+
-+/* C_Sign signs (encrypts with private key) data in a single
-+ * part, where the signature is (will be) an appendix to the
-+ * data, and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_Sign)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,        /* the session's handle */
-+  CK_BYTE_PTR       pData,           /* the data to sign */
-+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-+  CK_BYTE_PTR       pSignature,      /* gets the signature */
-+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-+);
-+#endif
-+
-+
-+/* C_SignUpdate continues a multiple-part signature operation,
-+ * where the signature is (will be) an appendix to the data, 
-+ * and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_BYTE_PTR       pPart,     /* the data to sign */
-+  CK_ULONG          ulPartLen  /* count of bytes to sign */
-+);
-+#endif
-+
-+
-+/* C_SignFinal finishes a multiple-part signature operation, 
-+ * returning the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,        /* the session's handle */
-+  CK_BYTE_PTR       pSignature,      /* gets the signature */
-+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-+);
-+#endif
-+
-+
-+/* C_SignRecoverInit initializes a signature operation, where
-+ * the data can be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,   /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
-+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
-+);
-+#endif
-+
-+
-+/* C_SignRecover signs data in a single operation, where the
-+ * data can be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,        /* the session's handle */
-+  CK_BYTE_PTR       pData,           /* the data to sign */
-+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
-+  CK_BYTE_PTR       pSignature,      /* gets the signature */
-+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
-+);
-+#endif
-+
-+
-+
-+/* Verifying signatures and MACs */
-+
-+/* C_VerifyInit initializes a verification operation, where the
-+ * signature is an appendix to the data, and plaintext cannot
-+ *  cannot be recovered from the signature (e.g. DSA). */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
-+);
-+#endif
-+
-+
-+/* C_Verify verifies a signature in a single-part operation, 
-+ * where the signature is an appendix to the data, and plaintext
-+ * cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_Verify)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,       /* the session's handle */
-+  CK_BYTE_PTR       pData,          /* signed data */
-+  CK_ULONG          ulDataLen,      /* length of signed data */
-+  CK_BYTE_PTR       pSignature,     /* signature */
-+  CK_ULONG          ulSignatureLen  /* signature length*/
-+);
-+#endif
-+
-+
-+/* C_VerifyUpdate continues a multiple-part verification
-+ * operation, where the signature is an appendix to the data, 
-+ * and plaintext cannot be recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_BYTE_PTR       pPart,     /* signed data */
-+  CK_ULONG          ulPartLen  /* length of signed data */
-+);
-+#endif
-+
-+
-+/* C_VerifyFinal finishes a multiple-part verification
-+ * operation, checking the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,       /* the session's handle */
-+  CK_BYTE_PTR       pSignature,     /* signature to verify */
-+  CK_ULONG          ulSignatureLen  /* signature length */
-+);
-+#endif
-+
-+
-+/* C_VerifyRecoverInit initializes a signature verification
-+ * operation, where the data is recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
-+  CK_OBJECT_HANDLE  hKey         /* verification key */
-+);
-+#endif
-+
-+
-+/* C_VerifyRecover verifies a signature in a single-part
-+ * operation, where the data is recovered from the signature. */
-+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,        /* the session's handle */
-+  CK_BYTE_PTR       pSignature,      /* signature to verify */
-+  CK_ULONG          ulSignatureLen,  /* signature length */
-+  CK_BYTE_PTR       pData,           /* gets signed data */
-+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
-+);
-+#endif
-+
-+
-+
-+/* Dual-function cryptographic operations */
-+
-+/* C_DigestEncryptUpdate continues a multiple-part digesting
-+ * and encryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pPart,               /* the plaintext data */
-+  CK_ULONG          ulPartLen,           /* plaintext length */
-+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-+);
-+#endif
-+
-+
-+/* C_DecryptDigestUpdate continues a multiple-part decryption and
-+ * digesting operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-+  CK_BYTE_PTR       pPart,               /* gets plaintext */
-+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
-+);
-+#endif
-+
-+
-+/* C_SignEncryptUpdate continues a multiple-part signing and
-+ * encryption operation. */
-+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pPart,               /* the plaintext data */
-+  CK_ULONG          ulPartLen,           /* plaintext length */
-+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
-+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
-+);
-+#endif
-+
-+
-+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
-+ * verify operation. */
-+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,            /* session's handle */
-+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
-+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
-+  CK_BYTE_PTR       pPart,               /* gets plaintext */
-+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
-+);
-+#endif
-+
-+
-+
-+/* Key management */
-+
-+/* C_GenerateKey generates a secret key, creating a new key
-+ * object. */
-+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
-+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
-+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
-+  CK_ULONG             ulCount,     /* # of attrs in template */
-+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
-+);
-+#endif
-+
-+
-+/* C_GenerateKeyPair generates a public-key/private-key pair, 
-+ * creating new key objects. */
-+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE    hSession,                    /* session
-+                                                     * handle */
-+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
-+                                                     * mech. */
-+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
-+                                                     * for pub.
-+                                                     * key */
-+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
-+                                                     * attrs. */
-+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
-+                                                     * for priv.
-+                                                     * key */
-+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
-+                                                     * attrs. */
-+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
-+                                                     * key
-+                                                     * handle */
-+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
-+                                                     * priv. key
-+                                                     * handle */
-+);
-+#endif
-+
-+
-+/* C_WrapKey wraps (i.e., encrypts) a key. */
-+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,        /* the session's handle */
-+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
-+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
-+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
-+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
-+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
-+);
-+#endif
-+
-+
-+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
-+ * key object. */
-+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE    hSession,          /* session's handle */
-+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
-+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
-+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
-+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
-+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-+  CK_ULONG             ulAttributeCount,  /* template length */
-+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-+);
-+#endif
-+
-+
-+/* C_DeriveKey derives a key from a base key, creating a new key
-+ * object. */
-+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE    hSession,          /* session's handle */
-+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
-+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
-+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
-+  CK_ULONG             ulAttributeCount,  /* template length */
-+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
-+);
-+#endif
-+
-+
-+
-+/* Random number generation */
-+
-+/* C_SeedRandom mixes additional seed material into the token's
-+ * random number generator. */
-+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,  /* the session's handle */
-+  CK_BYTE_PTR       pSeed,     /* the seed material */
-+  CK_ULONG          ulSeedLen  /* length of seed material */
-+);
-+#endif
-+
-+
-+/* C_GenerateRandom generates random data. */
-+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession,    /* the session's handle */
-+  CK_BYTE_PTR       RandomData,  /* receives the random data */
-+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
-+);
-+#endif
-+
-+
-+
-+/* Parallel function management */
-+
-+/* C_GetFunctionStatus is a legacy function; it obtains an
-+ * updated status of a function running in parallel with an
-+ * application. */
-+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession  /* the session's handle */
-+);
-+#endif
-+
-+
-+/* C_CancelFunction is a legacy function; it cancels a function
-+ * running in parallel. */
-+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_SESSION_HANDLE hSession  /* the session's handle */
-+);
-+#endif
-+
-+
-+
-+/* Functions added in for Cryptoki Version 2.01 or later */
-+
-+/* C_WaitForSlotEvent waits for a slot event (token insertion,
-+ * removal, etc.) to occur. */
-+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
-+#ifdef CK_NEED_ARG_LIST
-+(
-+  CK_FLAGS flags,        /* blocking/nonblocking flag */
-+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
-+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
-+);
-+#endif
-diff -r -u -N openssl-0.9.8g/crypto/engine/pkcs11.h openssl/crypto/engine/pkcs11.h
---- openssl-0.9.8g/crypto/engine/pkcs11.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/pkcs11.h	2007-10-25 01:27:09.000000000 +0200
-@@ -0,0 +1,299 @@
-+/* pkcs11.h include file for PKCS #11. */
-+/* $Revision: 1.2 $ */
-+
-+/* License to copy and use this software is granted provided that it is
-+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+ * (Cryptoki)" in all material mentioning or referencing this software.
-+
-+ * License is also granted to make and use derivative works provided that
-+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
-+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
-+ * referencing the derived work.
-+
-+ * RSA Security Inc. makes no representations concerning either the 
-+ * merchantability of this software or the suitability of this software for
-+ * any particular purpose. It is provided "as is" without express or implied
-+ * warranty of any kind.
-+ */
-+
-+#ifndef _PKCS11_H_
-+#define _PKCS11_H_ 1
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+/* Before including this file (pkcs11.h) (or pkcs11t.h by
-+ * itself), 6 platform-specific macros must be defined.  These
-+ * macros are described below, and typical definitions for them
-+ * are also given.  Be advised that these definitions can depend
-+ * on both the platform and the compiler used (and possibly also
-+ * on whether a Cryptoki library is linked statically or
-+ * dynamically).
-+ *
-+ * In addition to defining these 6 macros, the packing convention
-+ * for Cryptoki structures should be set.  The Cryptoki
-+ * convention on packing is that structures should be 1-byte
-+ * aligned.
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to produce
-+ * Win32 stuff, this might be done by using the following
-+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
-+ *
-+ * #pragma pack(push, cryptoki, 1)
-+ *
-+ * and using the following preprocessor directive after including
-+ * pkcs11.h or pkcs11t.h:
-+ *
-+ * #pragma pack(pop, cryptoki)
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to produce Win16 stuff, this might be done by using
-+ * the following preprocessor directive before including
-+ * pkcs11.h or pkcs11t.h:
-+ *
-+ * #pragma pack(1)
-+ *
-+ * In a UNIX environment, you're on your own for this.  You might
-+ * not need to do (or be able to do!) anything.
-+ *
-+ *
-+ * Now for the macros:
-+ *
-+ *
-+ * 1. CK_PTR: The indirection string for making a pointer to an
-+ * object.  It can be used like this:
-+ *
-+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to produce
-+ * Win32 stuff, it might be defined by:
-+ *
-+ * #define CK_PTR *
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to produce Win16 stuff, it might be defined by:
-+ *
-+ * #define CK_PTR far *
-+ *
-+ * In a typical UNIX environment, it might be defined by:
-+ *
-+ * #define CK_PTR *
-+ *
-+ *
-+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
-+ * an exportable Cryptoki library function definition out of a
-+ * return type and a function name.  It should be used in the
-+ * following fashion to define the exposed Cryptoki functions in
-+ * a Cryptoki library:
-+ *
-+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
-+ *   CK_VOID_PTR pReserved
-+ * )
-+ * {
-+ *   ...
-+ * }
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to define a
-+ * function in a Win32 Cryptoki .dll, it might be defined by:
-+ *
-+ * #define CK_DEFINE_FUNCTION(returnType, name) \
-+ *   returnType __declspec(dllexport) name
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to define a function in a Win16 Cryptoki .dll, it
-+ * might be defined by:
-+ *
-+ * #define CK_DEFINE_FUNCTION(returnType, name) \
-+ *   returnType __export _far _pascal name
-+ *
-+ * In a UNIX environment, it might be defined by:
-+ *
-+ * #define CK_DEFINE_FUNCTION(returnType, name) \
-+ *   returnType name
-+ *
-+ *
-+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
-+ * an importable Cryptoki library function declaration out of a
-+ * return type and a function name.  It should be used in the
-+ * following fashion:
-+ *
-+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
-+ *   CK_VOID_PTR pReserved
-+ * );
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to declare a
-+ * function in a Win32 Cryptoki .dll, it might be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION(returnType, name) \
-+ *   returnType __declspec(dllimport) name
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to declare a function in a Win16 Cryptoki .dll, it
-+ * might be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION(returnType, name) \
-+ *   returnType __export _far _pascal name
-+ *
-+ * In a UNIX environment, it might be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION(returnType, name) \
-+ *   returnType name
-+ *
-+ *
-+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
-+ * which makes a Cryptoki API function pointer declaration or
-+ * function pointer type declaration out of a return type and a
-+ * function name.  It should be used in the following fashion:
-+ *
-+ * // Define funcPtr to be a pointer to a Cryptoki API function
-+ * // taking arguments args and returning CK_RV.
-+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
-+ *
-+ * or
-+ *
-+ * // Define funcPtrType to be the type of a pointer to a
-+ * // Cryptoki API function taking arguments args and returning
-+ * // CK_RV, and then define funcPtr to be a variable of type
-+ * // funcPtrType.
-+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
-+ * funcPtrType funcPtr;
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to access
-+ * functions in a Win32 Cryptoki .dll, in might be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+ *   returnType __declspec(dllimport) (* name)
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to access functions in a Win16 Cryptoki .dll, it might
-+ * be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+ *   returnType __export _far _pascal (* name)
-+ *
-+ * In a UNIX environment, it might be defined by:
-+ *
-+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+ *   returnType (* name)
-+ *
-+ *
-+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
-+ * a function pointer type for an application callback out of
-+ * a return type for the callback and a name for the callback.
-+ * It should be used in the following fashion:
-+ *
-+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
-+ *
-+ * to declare a function pointer, myCallback, to a callback
-+ * which takes arguments args and returns a CK_RV.  It can also
-+ * be used like this:
-+ *
-+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
-+ * myCallbackType myCallback;
-+ *
-+ * If you're using Microsoft Developer Studio 5.0 to do Win32
-+ * Cryptoki development, it might be defined by:
-+ *
-+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
-+ *   returnType (* name)
-+ *
-+ * If you're using an earlier version of Microsoft Developer
-+ * Studio to do Win16 development, it might be defined by:
-+ *
-+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
-+ *   returnType _far _pascal (* name)
-+ *
-+ * In a UNIX environment, it might be defined by:
-+ *
-+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
-+ *   returnType (* name)
-+ *
-+ *
-+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
-+ *
-+ * In any ANSI/ISO C environment (and in many others as well),
-+ * this should best be defined by
-+ *
-+ * #ifndef NULL_PTR
-+ * #define NULL_PTR 0
-+ * #endif
-+ */
-+
-+
-+/* All the various Cryptoki types and #define'd values are in the
-+ * file pkcs11t.h. */
-+#include "pkcs11t.h"
-+
-+#define __PASTE(x,y)      x##y
-+
-+
-+/* ==============================================================
-+ * Define the "extern" form of all the entry points.
-+ * ==============================================================
-+ */
-+
-+#define CK_NEED_ARG_LIST  1
-+#define CK_PKCS11_FUNCTION_INFO(name) \
-+  extern CK_DECLARE_FUNCTION(CK_RV, name)
-+
-+/* pkcs11f.h has all the information about the Cryptoki
-+ * function prototypes. */
-+#include "pkcs11f.h"
-+
-+#undef CK_NEED_ARG_LIST
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+
-+/* ==============================================================
-+ * Define the typedef form of all the entry points.  That is, for
-+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
-+ * a pointer to that kind of function.
-+ * ==============================================================
-+ */
-+
-+#define CK_NEED_ARG_LIST  1
-+#define CK_PKCS11_FUNCTION_INFO(name) \
-+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
-+
-+/* pkcs11f.h has all the information about the Cryptoki
-+ * function prototypes. */
-+#include "pkcs11f.h"
-+
-+#undef CK_NEED_ARG_LIST
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+
-+/* ==============================================================
-+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
-+ * contains a CK_VERSION indicating a library's Cryptoki version
-+ * and then a whole slew of function pointers to the routines in
-+ * the library.  This type was declared, but not defined, in
-+ * pkcs11t.h.
-+ * ==============================================================
-+ */
-+
-+#define CK_PKCS11_FUNCTION_INFO(name) \
-+  __PASTE(CK_,name) name;
-+  
-+struct CK_FUNCTION_LIST {
-+
-+  CK_VERSION    version;  /* Cryptoki version */
-+
-+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
-+/* pkcs11f.h has all the information about the Cryptoki
-+ * function prototypes. */
-+#include "pkcs11f.h"
-+
-+};
-+
-+#undef CK_PKCS11_FUNCTION_INFO
-+
-+
-+#undef __PASTE
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif
-diff -r -u -N openssl-0.9.8g/crypto/engine/pkcs11t.h openssl/crypto/engine/pkcs11t.h
---- openssl-0.9.8g/crypto/engine/pkcs11t.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/crypto/engine/pkcs11t.h	2007-10-25 01:27:09.000000000 +0200
-@@ -0,0 +1,1685 @@
-+/* pkcs11t.h include file for PKCS #11. */
-+/* $Revision: 1.2 $ */
-+
-+/* License to copy and use this software is granted provided that it is
-+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+ * (Cryptoki)" in all material mentioning or referencing this software.
-+
-+ * License is also granted to make and use derivative works provided that
-+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
-+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
-+ * referencing the derived work.
-+
-+ * RSA Security Inc. makes no representations concerning either the
-+ * merchantability of this software or the suitability of this software for
-+ * any particular purpose. It is provided "as is" without express or implied
-+ * warranty of any kind.
-+ */
-+
-+/* See top of pkcs11.h for information about the macros that
-+ * must be defined and the structure-packing conventions that
-+ * must be set before including this file. */
-+
-+#ifndef _PKCS11T_H_
-+#define _PKCS11T_H_ 1
-+
-+#define CK_TRUE 1
-+#define CK_FALSE 0
-+
-+#ifndef CK_DISABLE_TRUE_FALSE
-+#ifndef FALSE
-+#define FALSE CK_FALSE
-+#endif
-+
-+#ifndef TRUE
-+#define TRUE CK_TRUE
-+#endif
-+#endif
-+
-+/* an unsigned 8-bit value */
-+typedef unsigned char     CK_BYTE;
-+
-+/* an unsigned 8-bit character */
-+typedef CK_BYTE           CK_CHAR;
-+
-+/* an 8-bit UTF-8 character */
-+typedef CK_BYTE           CK_UTF8CHAR;
-+
-+/* a BYTE-sized Boolean flag */
-+typedef CK_BYTE           CK_BBOOL;
-+
-+/* an unsigned value, at least 32 bits long */
-+typedef unsigned long int CK_ULONG;
-+
-+/* a signed value, the same size as a CK_ULONG */
-+/* CK_LONG is new for v2.0 */
-+typedef long int          CK_LONG;
-+
-+/* at least 32 bits; each bit is a Boolean flag */
-+typedef CK_ULONG          CK_FLAGS;
-+
-+
-+/* some special values for certain CK_ULONG variables */
-+#define CK_UNAVAILABLE_INFORMATION (~0UL)
-+#define CK_EFFECTIVELY_INFINITE    0
-+
-+
-+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-+typedef void        CK_PTR   CK_VOID_PTR;
-+
-+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-+
-+
-+/* The following value is always invalid if used as a session */
-+/* handle or object handle */
-+#define CK_INVALID_HANDLE 0
-+
-+
-+typedef struct CK_VERSION {
-+  CK_BYTE       major;  /* integer portion of version number */
-+  CK_BYTE       minor;  /* 1/100ths portion of version number */
-+} CK_VERSION;
-+
-+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-+
-+
-+typedef struct CK_INFO {
-+  /* manufacturerID and libraryDecription have been changed from
-+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
-+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-+  CK_FLAGS      flags;               /* must be zero */
-+
-+  /* libraryDescription and libraryVersion are new for v2.0 */
-+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
-+  CK_VERSION    libraryVersion;          /* version of library */
-+} CK_INFO;
-+
-+typedef CK_INFO CK_PTR    CK_INFO_PTR;
-+
-+
-+/* CK_NOTIFICATION enumerates the types of notifications that
-+ * Cryptoki provides to an application */
-+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
-+ * for v2.0 */
-+typedef CK_ULONG CK_NOTIFICATION;
-+#define CKN_SURRENDER       0
-+
-+
-+typedef CK_ULONG          CK_SLOT_ID;
-+
-+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-+
-+
-+/* CK_SLOT_INFO provides information about a slot */
-+typedef struct CK_SLOT_INFO {
-+  /* slotDescription and manufacturerID have been changed from
-+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
-+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
-+  CK_FLAGS      flags;
-+
-+  /* hardwareVersion and firmwareVersion are new for v2.0 */
-+  CK_VERSION    hardwareVersion;  /* version of hardware */
-+  CK_VERSION    firmwareVersion;  /* version of firmware */
-+} CK_SLOT_INFO;
-+
-+/* flags: bit flags that provide capabilities of the slot
-+ *      Bit Flag              Mask        Meaning
-+ */
-+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
-+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
-+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
-+
-+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-+
-+
-+/* CK_TOKEN_INFO provides information about a token */
-+typedef struct CK_TOKEN_INFO {
-+  /* label, manufacturerID, and model have been changed from
-+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
-+  CK_UTF8CHAR   label[32];           /* blank padded */
-+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
-+  CK_UTF8CHAR   model[16];           /* blank padded */
-+  CK_CHAR       serialNumber[16];    /* blank padded */
-+  CK_FLAGS      flags;               /* see below */
-+
-+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-+   * changed from CK_USHORT to CK_ULONG for v2.0 */
-+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-+  CK_ULONG      ulSessionCount;        /* sess. now open */
-+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-+  CK_ULONG      ulMaxPinLen;           /* in bytes */
-+  CK_ULONG      ulMinPinLen;           /* in bytes */
-+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-+
-+  /* hardwareVersion, firmwareVersion, and time are new for
-+   * v2.0 */
-+  CK_VERSION    hardwareVersion;       /* version of hardware */
-+  CK_VERSION    firmwareVersion;       /* version of firmware */
-+  CK_CHAR       utcTime[16];           /* time */
-+} CK_TOKEN_INFO;
-+
-+/* The flags parameter is defined as follows:
-+ *      Bit Flag                    Mask        Meaning
-+ */
-+#define CKF_RNG                     0x00000001  /* has random #
-+                                                 * generator */
-+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
-+                                                 * write-
-+                                                 * protected */
-+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
-+                                                 * login */
-+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
-+                                                 * PIN is set */
-+
-+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
-+ * that means that *every* time the state of cryptographic
-+ * operations of a session is successfully saved, all keys
-+ * needed to continue those operations are stored in the state */
-+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
-+
-+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
-+ * that the token has some sort of clock.  The time on that
-+ * clock is returned in the token info structure */
-+#define CKF_CLOCK_ON_TOKEN          0x00000040
-+
-+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
-+ * set, that means that there is some way for the user to login
-+ * without sending a PIN through the Cryptoki library itself */
-+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-+
-+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
-+ * that means that a single session with the token can perform
-+ * dual simultaneous cryptographic operations (digest and
-+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
-+ * and sign) */
-+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
-+
-+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
-+ * token has been initialized using C_InitializeToken or an
-+ * equivalent mechanism outside the scope of PKCS #11.
-+ * Calling C_InitializeToken when this flag is set will cause
-+ * the token to be reinitialized. */
-+#define CKF_TOKEN_INITIALIZED       0x00000400
-+
-+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
-+ * true, the token supports secondary authentication for
-+ * private key objects. This flag is deprecated in v2.11 and
-+   onwards. */
-+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
-+
-+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
-+ * incorrect user login PIN has been entered at least once
-+ * since the last successful authentication. */
-+#define CKF_USER_PIN_COUNT_LOW       0x00010000
-+
-+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
-+ * supplying an incorrect user PIN will it to become locked. */
-+#define CKF_USER_PIN_FINAL_TRY       0x00020000
-+
-+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
-+ * user PIN has been locked. User login to the token is not
-+ * possible. */
-+#define CKF_USER_PIN_LOCKED          0x00040000
-+
-+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-+ * the user PIN value is the default value set by token
-+ * initialization or manufacturing, or the PIN has been
-+ * expired by the card. */
-+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
-+
-+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
-+ * incorrect SO login PIN has been entered at least once since
-+ * the last successful authentication. */
-+#define CKF_SO_PIN_COUNT_LOW         0x00100000
-+
-+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
-+ * supplying an incorrect SO PIN will it to become locked. */
-+#define CKF_SO_PIN_FINAL_TRY         0x00200000
-+
-+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
-+ * PIN has been locked. SO login to the token is not possible.
-+ */
-+#define CKF_SO_PIN_LOCKED            0x00400000
-+
-+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
-+ * the SO PIN value is the default value set by token
-+ * initialization or manufacturing, or the PIN has been
-+ * expired by the card. */
-+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
-+
-+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-+
-+
-+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
-+ * identifies a session */
-+typedef CK_ULONG          CK_SESSION_HANDLE;
-+
-+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-+
-+
-+/* CK_USER_TYPE enumerates the types of Cryptoki users */
-+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG          CK_USER_TYPE;
-+/* Security Officer */
-+#define CKU_SO    0
-+/* Normal user */
-+#define CKU_USER  1
-+/* Context specific (added in v2.20) */
-+#define CKU_CONTEXT_SPECIFIC   2
-+
-+/* CK_STATE enumerates the session states */
-+/* CK_STATE has been changed from an enum to a CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG          CK_STATE;
-+#define CKS_RO_PUBLIC_SESSION  0
-+#define CKS_RO_USER_FUNCTIONS  1
-+#define CKS_RW_PUBLIC_SESSION  2
-+#define CKS_RW_USER_FUNCTIONS  3
-+#define CKS_RW_SO_FUNCTIONS    4
-+
-+
-+/* CK_SESSION_INFO provides information about a session */
-+typedef struct CK_SESSION_INFO {
-+  CK_SLOT_ID    slotID;
-+  CK_STATE      state;
-+  CK_FLAGS      flags;          /* see below */
-+
-+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-+   * v2.0 */
-+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-+} CK_SESSION_INFO;
-+
-+/* The flags are defined in the following table:
-+ *      Bit Flag                Mask        Meaning
-+ */
-+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
-+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
-+
-+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-+
-+
-+/* CK_OBJECT_HANDLE is a token-specific identifier for an
-+ * object  */
-+typedef CK_ULONG          CK_OBJECT_HANDLE;
-+
-+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-+
-+
-+/* CK_OBJECT_CLASS is a value that identifies the classes (or
-+ * types) of objects that Cryptoki recognizes.  It is defined
-+ * as follows: */
-+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG          CK_OBJECT_CLASS;
-+
-+/* The following classes of objects are defined: */
-+/* CKO_HW_FEATURE is new for v2.10 */
-+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-+/* CKO_MECHANISM is new for v2.20 */
-+#define CKO_DATA              0x00000000
-+#define CKO_CERTIFICATE       0x00000001
-+#define CKO_PUBLIC_KEY        0x00000002
-+#define CKO_PRIVATE_KEY       0x00000003
-+#define CKO_SECRET_KEY        0x00000004
-+#define CKO_HW_FEATURE        0x00000005
-+#define CKO_DOMAIN_PARAMETERS 0x00000006
-+#define CKO_MECHANISM         0x00000007
-+#define CKO_VENDOR_DEFINED    0x80000000
-+
-+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-+
-+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
-+ * value that identifies the hardware feature type of an object
-+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
-+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-+
-+/* The following hardware feature types are defined */
-+/* CKH_USER_INTERFACE is new for v2.20 */
-+#define CKH_MONOTONIC_COUNTER  0x00000001
-+#define CKH_CLOCK           0x00000002
-+#define CKH_USER_INTERFACE  0x00000003
-+#define CKH_VENDOR_DEFINED  0x80000000
-+
-+/* CK_KEY_TYPE is a value that identifies a key type */
-+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-+typedef CK_ULONG          CK_KEY_TYPE;
-+
-+/* the following key types are defined: */
-+#define CKK_RSA             0x00000000
-+#define CKK_DSA             0x00000001
-+#define CKK_DH              0x00000002
-+
-+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-+#define CKK_ECDSA           0x00000003
-+#define CKK_EC              0x00000003
-+#define CKK_X9_42_DH        0x00000004
-+#define CKK_KEA             0x00000005
-+
-+#define CKK_GENERIC_SECRET  0x00000010
-+#define CKK_RC2             0x00000011
-+#define CKK_RC4             0x00000012
-+#define CKK_DES             0x00000013
-+#define CKK_DES2            0x00000014
-+#define CKK_DES3            0x00000015
-+
-+/* all these key types are new for v2.0 */
-+#define CKK_CAST            0x00000016
-+#define CKK_CAST3           0x00000017
-+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-+#define CKK_CAST5           0x00000018
-+#define CKK_CAST128         0x00000018
-+#define CKK_RC5             0x00000019
-+#define CKK_IDEA            0x0000001A
-+#define CKK_SKIPJACK        0x0000001B
-+#define CKK_BATON           0x0000001C
-+#define CKK_JUNIPER         0x0000001D
-+#define CKK_CDMF            0x0000001E
-+#define CKK_AES             0x0000001F
-+
-+/* BlowFish and TwoFish are new for v2.20 */
-+#define CKK_BLOWFISH        0x00000020
-+#define CKK_TWOFISH         0x00000021
-+
-+#define CKK_VENDOR_DEFINED  0x80000000
-+
-+
-+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
-+ * type */
-+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
-+ * for v2.0 */
-+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-+
-+/* The following certificate types are defined: */
-+/* CKC_X_509_ATTR_CERT is new for v2.10 */
-+/* CKC_WTLS is new for v2.20 */
-+#define CKC_X_509           0x00000000
-+#define CKC_X_509_ATTR_CERT 0x00000001
-+#define CKC_WTLS            0x00000002
-+#define CKC_VENDOR_DEFINED  0x80000000
-+
-+
-+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
-+ * type */
-+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-+
-+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
-+   consists of an array of values. */
-+#define CKF_ARRAY_ATTRIBUTE    0x40000000
-+
-+/* The following attribute types are defined: */
-+#define CKA_CLASS              0x00000000
-+#define CKA_TOKEN              0x00000001
-+#define CKA_PRIVATE            0x00000002
-+#define CKA_LABEL              0x00000003
-+#define CKA_APPLICATION        0x00000010
-+#define CKA_VALUE              0x00000011
-+
-+/* CKA_OBJECT_ID is new for v2.10 */
-+#define CKA_OBJECT_ID          0x00000012
-+
-+#define CKA_CERTIFICATE_TYPE   0x00000080
-+#define CKA_ISSUER             0x00000081
-+#define CKA_SERIAL_NUMBER      0x00000082
-+
-+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
-+ * for v2.10 */
-+#define CKA_AC_ISSUER          0x00000083
-+#define CKA_OWNER              0x00000084
-+#define CKA_ATTR_TYPES         0x00000085
-+
-+/* CKA_TRUSTED is new for v2.11 */
-+#define CKA_TRUSTED            0x00000086
-+
-+/* CKA_CERTIFICATE_CATEGORY ...
-+ * CKA_CHECK_VALUE are new for v2.20 */
-+#define CKA_CERTIFICATE_CATEGORY        0x00000087
-+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
-+#define CKA_URL                         0x00000089
-+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
-+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
-+#define CKA_CHECK_VALUE                 0x00000090
-+
-+#define CKA_KEY_TYPE           0x00000100
-+#define CKA_SUBJECT            0x00000101
-+#define CKA_ID                 0x00000102
-+#define CKA_SENSITIVE          0x00000103
-+#define CKA_ENCRYPT            0x00000104
-+#define CKA_DECRYPT            0x00000105
-+#define CKA_WRAP               0x00000106
-+#define CKA_UNWRAP             0x00000107
-+#define CKA_SIGN               0x00000108
-+#define CKA_SIGN_RECOVER       0x00000109
-+#define CKA_VERIFY             0x0000010A
-+#define CKA_VERIFY_RECOVER     0x0000010B
-+#define CKA_DERIVE             0x0000010C
-+#define CKA_START_DATE         0x00000110
-+#define CKA_END_DATE           0x00000111
-+#define CKA_MODULUS            0x00000120
-+#define CKA_MODULUS_BITS       0x00000121
-+#define CKA_PUBLIC_EXPONENT    0x00000122
-+#define CKA_PRIVATE_EXPONENT   0x00000123
-+#define CKA_PRIME_1            0x00000124
-+#define CKA_PRIME_2            0x00000125
-+#define CKA_EXPONENT_1         0x00000126
-+#define CKA_EXPONENT_2         0x00000127
-+#define CKA_COEFFICIENT        0x00000128
-+#define CKA_PRIME              0x00000130
-+#define CKA_SUBPRIME           0x00000131
-+#define CKA_BASE               0x00000132
-+
-+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-+#define CKA_PRIME_BITS         0x00000133
-+#define CKA_SUBPRIME_BITS      0x00000134
-+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-+/* (To retain backwards-compatibility) */
-+
-+#define CKA_VALUE_BITS         0x00000160
-+#define CKA_VALUE_LEN          0x00000161
-+
-+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
-+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
-+ * and CKA_EC_POINT are new for v2.0 */
-+#define CKA_EXTRACTABLE        0x00000162
-+#define CKA_LOCAL              0x00000163
-+#define CKA_NEVER_EXTRACTABLE  0x00000164
-+#define CKA_ALWAYS_SENSITIVE   0x00000165
-+
-+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-+#define CKA_KEY_GEN_MECHANISM  0x00000166
-+
-+#define CKA_MODIFIABLE         0x00000170
-+
-+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
-+ * CKA_EC_PARAMS is preferred. */
-+#define CKA_ECDSA_PARAMS       0x00000180
-+#define CKA_EC_PARAMS          0x00000180
-+
-+#define CKA_EC_POINT           0x00000181
-+
-+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
-+ * are new for v2.10. Deprecated in v2.11 and onwards. */
-+#define CKA_SECONDARY_AUTH     0x00000200
-+#define CKA_AUTH_PIN_FLAGS     0x00000201
-+
-+/* CKA_ALWAYS_AUTHENTICATE ...
-+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-+#define CKA_ALWAYS_AUTHENTICATE  0x00000202
-+
-+#define CKA_WRAP_WITH_TRUSTED    0x00000210
-+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
-+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
-+
-+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
-+ * are new for v2.10 */
-+#define CKA_HW_FEATURE_TYPE    0x00000300
-+#define CKA_RESET_ON_INIT      0x00000301
-+#define CKA_HAS_RESET          0x00000302
-+
-+/* The following attributes are new for v2.20 */
-+#define CKA_PIXEL_X                     0x00000400
-+#define CKA_PIXEL_Y                     0x00000401
-+#define CKA_RESOLUTION                  0x00000402
-+#define CKA_CHAR_ROWS                   0x00000403
-+#define CKA_CHAR_COLUMNS                0x00000404
-+#define CKA_COLOR                       0x00000405
-+#define CKA_BITS_PER_PIXEL              0x00000406
-+#define CKA_CHAR_SETS                   0x00000480
-+#define CKA_ENCODING_METHODS            0x00000481
-+#define CKA_MIME_TYPES                  0x00000482
-+#define CKA_MECHANISM_TYPE              0x00000500
-+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
-+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
-+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
-+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
-+
-+#define CKA_VENDOR_DEFINED     0x80000000
-+
-+
-+/* CK_ATTRIBUTE is a structure that includes the type, length
-+ * and value of an attribute */
-+typedef struct CK_ATTRIBUTE {
-+  CK_ATTRIBUTE_TYPE type;
-+  CK_VOID_PTR       pValue;
-+
-+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
-+  CK_ULONG          ulValueLen;  /* in bytes */
-+} CK_ATTRIBUTE;
-+
-+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-+
-+
-+/* CK_DATE is a structure that defines a date */
-+typedef struct CK_DATE{
-+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-+  CK_CHAR       month[2];  /* the month ("01" - "12") */
-+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-+} CK_DATE;
-+
-+
-+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
-+ * type */
-+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
-+ * v2.0 */
-+typedef CK_ULONG          CK_MECHANISM_TYPE;
-+
-+/* the following mechanism types are defined: */
-+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
-+#define CKM_RSA_PKCS                   0x00000001
-+#define CKM_RSA_9796                   0x00000002
-+#define CKM_RSA_X_509                  0x00000003
-+
-+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
-+ * are new for v2.0.  They are mechanisms which hash and sign */
-+#define CKM_MD2_RSA_PKCS               0x00000004
-+#define CKM_MD5_RSA_PKCS               0x00000005
-+#define CKM_SHA1_RSA_PKCS              0x00000006
-+
-+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
-+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
-+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
-+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
-+#define CKM_RSA_PKCS_OAEP              0x00000009
-+
-+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
-+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
-+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
-+#define CKM_RSA_X9_31                  0x0000000B
-+#define CKM_SHA1_RSA_X9_31             0x0000000C
-+#define CKM_RSA_PKCS_PSS               0x0000000D
-+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
-+
-+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
-+#define CKM_DSA                        0x00000011
-+#define CKM_DSA_SHA1                   0x00000012
-+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
-+#define CKM_DH_PKCS_DERIVE             0x00000021
-+
-+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
-+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
-+ * v2.11 */
-+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
-+#define CKM_X9_42_DH_DERIVE            0x00000031
-+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
-+#define CKM_X9_42_MQV_DERIVE           0x00000033
-+
-+/* CKM_SHA256/384/512 are new for v2.20 */
-+#define CKM_SHA256_RSA_PKCS            0x00000040
-+#define CKM_SHA384_RSA_PKCS            0x00000041
-+#define CKM_SHA512_RSA_PKCS            0x00000042
-+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
-+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
-+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
-+
-+#define CKM_RC2_KEY_GEN                0x00000100
-+#define CKM_RC2_ECB                    0x00000101
-+#define CKM_RC2_CBC                    0x00000102
-+#define CKM_RC2_MAC                    0x00000103
-+
-+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-+#define CKM_RC2_MAC_GENERAL            0x00000104
-+#define CKM_RC2_CBC_PAD                0x00000105
-+
-+#define CKM_RC4_KEY_GEN                0x00000110
-+#define CKM_RC4                        0x00000111
-+#define CKM_DES_KEY_GEN                0x00000120
-+#define CKM_DES_ECB                    0x00000121
-+#define CKM_DES_CBC                    0x00000122
-+#define CKM_DES_MAC                    0x00000123
-+
-+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-+#define CKM_DES_MAC_GENERAL            0x00000124
-+#define CKM_DES_CBC_PAD                0x00000125
-+
-+#define CKM_DES2_KEY_GEN               0x00000130
-+#define CKM_DES3_KEY_GEN               0x00000131
-+#define CKM_DES3_ECB                   0x00000132
-+#define CKM_DES3_CBC                   0x00000133
-+#define CKM_DES3_MAC                   0x00000134
-+
-+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
-+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
-+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-+#define CKM_DES3_MAC_GENERAL           0x00000135
-+#define CKM_DES3_CBC_PAD               0x00000136
-+#define CKM_CDMF_KEY_GEN               0x00000140
-+#define CKM_CDMF_ECB                   0x00000141
-+#define CKM_CDMF_CBC                   0x00000142
-+#define CKM_CDMF_MAC                   0x00000143
-+#define CKM_CDMF_MAC_GENERAL           0x00000144
-+#define CKM_CDMF_CBC_PAD               0x00000145
-+
-+/* the following four DES mechanisms are new for v2.20 */
-+#define CKM_DES_OFB64                  0x00000150
-+#define CKM_DES_OFB8                   0x00000151
-+#define CKM_DES_CFB64                  0x00000152
-+#define CKM_DES_CFB8                   0x00000153
-+
-+#define CKM_MD2                        0x00000200
-+
-+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-+#define CKM_MD2_HMAC                   0x00000201
-+#define CKM_MD2_HMAC_GENERAL           0x00000202
-+
-+#define CKM_MD5                        0x00000210
-+
-+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-+#define CKM_MD5_HMAC                   0x00000211
-+#define CKM_MD5_HMAC_GENERAL           0x00000212
-+
-+#define CKM_SHA_1                      0x00000220
-+
-+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-+#define CKM_SHA_1_HMAC                 0x00000221
-+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
-+
-+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
-+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
-+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
-+#define CKM_RIPEMD128                  0x00000230
-+#define CKM_RIPEMD128_HMAC             0x00000231
-+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
-+#define CKM_RIPEMD160                  0x00000240
-+#define CKM_RIPEMD160_HMAC             0x00000241
-+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
-+
-+/* CKM_SHA256/384/512 are new for v2.20 */
-+#define CKM_SHA256                     0x00000250
-+#define CKM_SHA256_HMAC                0x00000251
-+#define CKM_SHA256_HMAC_GENERAL        0x00000252
-+#define CKM_SHA384                     0x00000260
-+#define CKM_SHA384_HMAC                0x00000261
-+#define CKM_SHA384_HMAC_GENERAL        0x00000262
-+#define CKM_SHA512                     0x00000270
-+#define CKM_SHA512_HMAC                0x00000271
-+#define CKM_SHA512_HMAC_GENERAL        0x00000272
-+
-+/* All of the following mechanisms are new for v2.0 */
-+/* Note that CAST128 and CAST5 are the same algorithm */
-+#define CKM_CAST_KEY_GEN               0x00000300
-+#define CKM_CAST_ECB                   0x00000301
-+#define CKM_CAST_CBC                   0x00000302
-+#define CKM_CAST_MAC                   0x00000303
-+#define CKM_CAST_MAC_GENERAL           0x00000304
-+#define CKM_CAST_CBC_PAD               0x00000305
-+#define CKM_CAST3_KEY_GEN              0x00000310
-+#define CKM_CAST3_ECB                  0x00000311
-+#define CKM_CAST3_CBC                  0x00000312
-+#define CKM_CAST3_MAC                  0x00000313
-+#define CKM_CAST3_MAC_GENERAL          0x00000314
-+#define CKM_CAST3_CBC_PAD              0x00000315
-+#define CKM_CAST5_KEY_GEN              0x00000320
-+#define CKM_CAST128_KEY_GEN            0x00000320
-+#define CKM_CAST5_ECB                  0x00000321
-+#define CKM_CAST128_ECB                0x00000321
-+#define CKM_CAST5_CBC                  0x00000322
-+#define CKM_CAST128_CBC                0x00000322
-+#define CKM_CAST5_MAC                  0x00000323
-+#define CKM_CAST128_MAC                0x00000323
-+#define CKM_CAST5_MAC_GENERAL          0x00000324
-+#define CKM_CAST128_MAC_GENERAL        0x00000324
-+#define CKM_CAST5_CBC_PAD              0x00000325
-+#define CKM_CAST128_CBC_PAD            0x00000325
-+#define CKM_RC5_KEY_GEN                0x00000330
-+#define CKM_RC5_ECB                    0x00000331
-+#define CKM_RC5_CBC                    0x00000332
-+#define CKM_RC5_MAC                    0x00000333
-+#define CKM_RC5_MAC_GENERAL            0x00000334
-+#define CKM_RC5_CBC_PAD                0x00000335
-+#define CKM_IDEA_KEY_GEN               0x00000340
-+#define CKM_IDEA_ECB                   0x00000341
-+#define CKM_IDEA_CBC                   0x00000342
-+#define CKM_IDEA_MAC                   0x00000343
-+#define CKM_IDEA_MAC_GENERAL           0x00000344
-+#define CKM_IDEA_CBC_PAD               0x00000345
-+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
-+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
-+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
-+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
-+#define CKM_XOR_BASE_AND_DATA          0x00000364
-+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
-+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
-+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
-+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
-+
-+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
-+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
-+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
-+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
-+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
-+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
-+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
-+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
-+
-+/* CKM_TLS_PRF is new for v2.20 */
-+#define CKM_TLS_PRF                    0x00000378
-+
-+#define CKM_SSL3_MD5_MAC               0x00000380
-+#define CKM_SSL3_SHA1_MAC              0x00000381
-+#define CKM_MD5_KEY_DERIVATION         0x00000390
-+#define CKM_MD2_KEY_DERIVATION         0x00000391
-+#define CKM_SHA1_KEY_DERIVATION        0x00000392
-+
-+/* CKM_SHA256/384/512 are new for v2.20 */
-+#define CKM_SHA256_KEY_DERIVATION      0x00000393
-+#define CKM_SHA384_KEY_DERIVATION      0x00000394
-+#define CKM_SHA512_KEY_DERIVATION      0x00000395
-+
-+#define CKM_PBE_MD2_DES_CBC            0x000003A0
-+#define CKM_PBE_MD5_DES_CBC            0x000003A1
-+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
-+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
-+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
-+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
-+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
-+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
-+#define CKM_PBE_SHA1_RC4_128           0x000003A6
-+#define CKM_PBE_SHA1_RC4_40            0x000003A7
-+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
-+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
-+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
-+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
-+
-+/* CKM_PKCS5_PBKD2 is new for v2.10 */
-+#define CKM_PKCS5_PBKD2                0x000003B0
-+
-+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
-+
-+/* WTLS mechanisms are new for v2.20 */
-+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
-+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
-+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
-+#define CKM_WTLS_PRF                        0x000003D3
-+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
-+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
-+
-+#define CKM_KEY_WRAP_LYNKS             0x00000400
-+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
-+
-+/* CKM_CMS_SIG is new for v2.20 */
-+#define CKM_CMS_SIG                    0x00000500
-+
-+/* Fortezza mechanisms */
-+#define CKM_SKIPJACK_KEY_GEN           0x00001000
-+#define CKM_SKIPJACK_ECB64             0x00001001
-+#define CKM_SKIPJACK_CBC64             0x00001002
-+#define CKM_SKIPJACK_OFB64             0x00001003
-+#define CKM_SKIPJACK_CFB64             0x00001004
-+#define CKM_SKIPJACK_CFB32             0x00001005
-+#define CKM_SKIPJACK_CFB16             0x00001006
-+#define CKM_SKIPJACK_CFB8              0x00001007
-+#define CKM_SKIPJACK_WRAP              0x00001008
-+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
-+#define CKM_SKIPJACK_RELAYX            0x0000100a
-+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
-+#define CKM_KEA_KEY_DERIVE             0x00001011
-+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
-+#define CKM_BATON_KEY_GEN              0x00001030
-+#define CKM_BATON_ECB128               0x00001031
-+#define CKM_BATON_ECB96                0x00001032
-+#define CKM_BATON_CBC128               0x00001033
-+#define CKM_BATON_COUNTER              0x00001034
-+#define CKM_BATON_SHUFFLE              0x00001035
-+#define CKM_BATON_WRAP                 0x00001036
-+
-+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
-+ * CKM_EC_KEY_PAIR_GEN is preferred */
-+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
-+#define CKM_EC_KEY_PAIR_GEN            0x00001040
-+
-+#define CKM_ECDSA                      0x00001041
-+#define CKM_ECDSA_SHA1                 0x00001042
-+
-+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
-+ * are new for v2.11 */
-+#define CKM_ECDH1_DERIVE               0x00001050
-+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
-+#define CKM_ECMQV_DERIVE               0x00001052
-+
-+#define CKM_JUNIPER_KEY_GEN            0x00001060
-+#define CKM_JUNIPER_ECB128             0x00001061
-+#define CKM_JUNIPER_CBC128             0x00001062
-+#define CKM_JUNIPER_COUNTER            0x00001063
-+#define CKM_JUNIPER_SHUFFLE            0x00001064
-+#define CKM_JUNIPER_WRAP               0x00001065
-+#define CKM_FASTHASH                   0x00001070
-+
-+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
-+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
-+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
-+ * new for v2.11 */
-+#define CKM_AES_KEY_GEN                0x00001080
-+#define CKM_AES_ECB                    0x00001081
-+#define CKM_AES_CBC                    0x00001082
-+#define CKM_AES_MAC                    0x00001083
-+#define CKM_AES_MAC_GENERAL            0x00001084
-+#define CKM_AES_CBC_PAD                0x00001085
-+
-+/* BlowFish and TwoFish are new for v2.20 */
-+#define CKM_BLOWFISH_KEY_GEN           0x00001090
-+#define CKM_BLOWFISH_CBC               0x00001091
-+#define CKM_TWOFISH_KEY_GEN            0x00001092
-+#define CKM_TWOFISH_CBC                0x00001093
-+
-+
-+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
-+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
-+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
-+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
-+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
-+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
-+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
-+
-+#define CKM_DSA_PARAMETER_GEN          0x00002000
-+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
-+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
-+
-+#define CKM_VENDOR_DEFINED             0x80000000
-+
-+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-+
-+
-+/* CK_MECHANISM is a structure that specifies a particular
-+ * mechanism  */
-+typedef struct CK_MECHANISM {
-+  CK_MECHANISM_TYPE mechanism;
-+  CK_VOID_PTR       pParameter;
-+
-+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
-+   * v2.0 */
-+  CK_ULONG          ulParameterLen;  /* in bytes */
-+} CK_MECHANISM;
-+
-+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-+
-+
-+/* CK_MECHANISM_INFO provides information about a particular
-+ * mechanism */
-+typedef struct CK_MECHANISM_INFO {
-+    CK_ULONG    ulMinKeySize;
-+    CK_ULONG    ulMaxKeySize;
-+    CK_FLAGS    flags;
-+} CK_MECHANISM_INFO;
-+
-+/* The flags are defined as follows:
-+ *      Bit Flag               Mask        Meaning */
-+#define CKF_HW                 0x00000001  /* performed by HW */
-+
-+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
-+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
-+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
-+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
-+ * a mechanism can be used for a particular task */
-+#define CKF_ENCRYPT            0x00000100
-+#define CKF_DECRYPT            0x00000200
-+#define CKF_DIGEST             0x00000400
-+#define CKF_SIGN               0x00000800
-+#define CKF_SIGN_RECOVER       0x00001000
-+#define CKF_VERIFY             0x00002000
-+#define CKF_VERIFY_RECOVER     0x00004000
-+#define CKF_GENERATE           0x00008000
-+#define CKF_GENERATE_KEY_PAIR  0x00010000
-+#define CKF_WRAP               0x00020000
-+#define CKF_UNWRAP             0x00040000
-+#define CKF_DERIVE             0x00080000
-+
-+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
-+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
-+ * describe a token's EC capabilities not available in mechanism
-+ * information. */
-+#define CKF_EC_F_P             0x00100000
-+#define CKF_EC_F_2M            0x00200000
-+#define CKF_EC_ECPARAMETERS    0x00400000
-+#define CKF_EC_NAMEDCURVE      0x00800000
-+#define CKF_EC_UNCOMPRESS      0x01000000
-+#define CKF_EC_COMPRESS        0x02000000
-+
-+#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
-+
-+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-+
-+
-+/* CK_RV is a value that identifies the return value of a
-+ * Cryptoki function */
-+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-+typedef CK_ULONG          CK_RV;
-+
-+#define CKR_OK                                0x00000000
-+#define CKR_CANCEL                            0x00000001
-+#define CKR_HOST_MEMORY                       0x00000002
-+#define CKR_SLOT_ID_INVALID                   0x00000003
-+
-+/* CKR_FLAGS_INVALID was removed for v2.0 */
-+
-+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-+#define CKR_GENERAL_ERROR                     0x00000005
-+#define CKR_FUNCTION_FAILED                   0x00000006
-+
-+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
-+ * and CKR_CANT_LOCK are new for v2.01 */
-+#define CKR_ARGUMENTS_BAD                     0x00000007
-+#define CKR_NO_EVENT                          0x00000008
-+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
-+#define CKR_CANT_LOCK                         0x0000000A
-+
-+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
-+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
-+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
-+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
-+#define CKR_DATA_INVALID                      0x00000020
-+#define CKR_DATA_LEN_RANGE                    0x00000021
-+#define CKR_DEVICE_ERROR                      0x00000030
-+#define CKR_DEVICE_MEMORY                     0x00000031
-+#define CKR_DEVICE_REMOVED                    0x00000032
-+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
-+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
-+#define CKR_FUNCTION_CANCELED                 0x00000050
-+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
-+
-+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
-+
-+#define CKR_KEY_HANDLE_INVALID                0x00000060
-+
-+/* CKR_KEY_SENSITIVE was removed for v2.0 */
-+
-+#define CKR_KEY_SIZE_RANGE                    0x00000062
-+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
-+
-+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
-+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
-+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
-+ * v2.0 */
-+#define CKR_KEY_NOT_NEEDED                    0x00000064
-+#define CKR_KEY_CHANGED                       0x00000065
-+#define CKR_KEY_NEEDED                        0x00000066
-+#define CKR_KEY_INDIGESTIBLE                  0x00000067
-+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
-+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
-+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
-+
-+#define CKR_MECHANISM_INVALID                 0x00000070
-+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
-+
-+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
-+ * were removed for v2.0 */
-+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
-+#define CKR_OPERATION_ACTIVE                  0x00000090
-+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
-+#define CKR_PIN_INCORRECT                     0x000000A0
-+#define CKR_PIN_INVALID                       0x000000A1
-+#define CKR_PIN_LEN_RANGE                     0x000000A2
-+
-+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-+#define CKR_PIN_EXPIRED                       0x000000A3
-+#define CKR_PIN_LOCKED                        0x000000A4
-+
-+#define CKR_SESSION_CLOSED                    0x000000B0
-+#define CKR_SESSION_COUNT                     0x000000B1
-+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
-+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
-+#define CKR_SESSION_READ_ONLY                 0x000000B5
-+#define CKR_SESSION_EXISTS                    0x000000B6
-+
-+/* CKR_SESSION_READ_ONLY_EXISTS and
-+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
-+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
-+
-+#define CKR_SIGNATURE_INVALID                 0x000000C0
-+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
-+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
-+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
-+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
-+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
-+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
-+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
-+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
-+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
-+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
-+#define CKR_USER_NOT_LOGGED_IN                0x00000101
-+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
-+#define CKR_USER_TYPE_INVALID                 0x00000103
-+
-+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
-+ * are new to v2.01 */
-+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
-+#define CKR_USER_TOO_MANY_TYPES               0x00000105
-+
-+#define CKR_WRAPPED_KEY_INVALID               0x00000110
-+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
-+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
-+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
-+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
-+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
-+
-+/* These are new to v2.0 */
-+#define CKR_RANDOM_NO_RNG                     0x00000121
-+
-+/* These are new to v2.11 */
-+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
-+
-+/* These are new to v2.0 */
-+#define CKR_BUFFER_TOO_SMALL                  0x00000150
-+#define CKR_SAVED_STATE_INVALID               0x00000160
-+#define CKR_INFORMATION_SENSITIVE             0x00000170
-+#define CKR_STATE_UNSAVEABLE                  0x00000180
-+
-+/* These are new to v2.01 */
-+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
-+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
-+#define CKR_MUTEX_BAD                         0x000001A0
-+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
-+
-+/* This is new to v2.20 */
-+#define CKR_FUNCTION_REJECTED                 0x00000200
-+
-+#define CKR_VENDOR_DEFINED                    0x80000000
-+
-+
-+/* CK_NOTIFY is an application callback that processes events */
-+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-+  CK_SESSION_HANDLE hSession,     /* the session's handle */
-+  CK_NOTIFICATION   event,
-+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-+);
-+
-+
-+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
-+ * version and pointers of appropriate types to all the
-+ * Cryptoki functions */
-+/* CK_FUNCTION_LIST is new for v2.0 */
-+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-+
-+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-+
-+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-+
-+
-+/* CK_CREATEMUTEX is an application callback for creating a
-+ * mutex object */
-+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-+);
-+
-+
-+/* CK_DESTROYMUTEX is an application callback for destroying a
-+ * mutex object */
-+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-+  CK_VOID_PTR pMutex  /* pointer to mutex */
-+);
-+
-+
-+/* CK_LOCKMUTEX is an application callback for locking a mutex */
-+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-+  CK_VOID_PTR pMutex  /* pointer to mutex */
-+);
-+
-+
-+/* CK_UNLOCKMUTEX is an application callback for unlocking a
-+ * mutex */
-+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-+  CK_VOID_PTR pMutex  /* pointer to mutex */
-+);
-+
-+
-+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
-+ * C_Initialize */
-+typedef struct CK_C_INITIALIZE_ARGS {
-+  CK_CREATEMUTEX CreateMutex;
-+  CK_DESTROYMUTEX DestroyMutex;
-+  CK_LOCKMUTEX LockMutex;
-+  CK_UNLOCKMUTEX UnlockMutex;
-+  CK_FLAGS flags;
-+  CK_VOID_PTR pReserved;
-+} CK_C_INITIALIZE_ARGS;
-+
-+/* flags: bit flags that provide capabilities of the slot
-+ *      Bit Flag                           Mask       Meaning
-+ */
-+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-+#define CKF_OS_LOCKING_OK                  0x00000002
-+
-+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-+
-+
-+/* additional flags for parameters to functions */
-+
-+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-+#define CKF_DONT_BLOCK     1
-+
-+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
-+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
-+ * Generation Function (MGF) applied to a message block when
-+ * formatting a message block for the PKCS #1 OAEP encryption
-+ * scheme. */
-+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
-+
-+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
-+
-+/* The following MGFs are defined */
-+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
-+ * are new for v2.20 */
-+#define CKG_MGF1_SHA1         0x00000001
-+#define CKG_MGF1_SHA256       0x00000002
-+#define CKG_MGF1_SHA384       0x00000003
-+#define CKG_MGF1_SHA512       0x00000004
-+
-+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
-+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
-+ * of the encoding parameter when formatting a message block
-+ * for the PKCS #1 OAEP encryption scheme. */
-+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
-+
-+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
-+
-+/* The following encoding parameter sources are defined */
-+#define CKZ_DATA_SPECIFIED    0x00000001
-+
-+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
-+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
-+ * CKM_RSA_PKCS_OAEP mechanism. */
-+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-+        CK_MECHANISM_TYPE hashAlg;
-+        CK_RSA_PKCS_MGF_TYPE mgf;
-+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-+        CK_VOID_PTR pSourceData;
-+        CK_ULONG ulSourceDataLen;
-+} CK_RSA_PKCS_OAEP_PARAMS;
-+
-+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
-+
-+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
-+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
-+ * CKM_RSA_PKCS_PSS mechanism(s). */
-+typedef struct CK_RSA_PKCS_PSS_PARAMS {
-+        CK_MECHANISM_TYPE    hashAlg;
-+        CK_RSA_PKCS_MGF_TYPE mgf;
-+        CK_ULONG             sLen;
-+} CK_RSA_PKCS_PSS_PARAMS;
-+
-+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-+
-+/* CK_EC_KDF_TYPE is new for v2.11. */
-+typedef CK_ULONG CK_EC_KDF_TYPE;
-+
-+/* The following EC Key Derivation Functions are defined */
-+#define CKD_NULL                 0x00000001
-+#define CKD_SHA1_KDF             0x00000002
-+
-+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
-+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
-+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
-+ * where each party contributes one key pair.
-+ */
-+typedef struct CK_ECDH1_DERIVE_PARAMS {
-+  CK_EC_KDF_TYPE kdf;
-+  CK_ULONG ulSharedDataLen;
-+  CK_BYTE_PTR pSharedData;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+} CK_ECDH1_DERIVE_PARAMS;
-+
-+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-+
-+
-+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
-+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
-+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
-+typedef struct CK_ECDH2_DERIVE_PARAMS {
-+  CK_EC_KDF_TYPE kdf;
-+  CK_ULONG ulSharedDataLen;
-+  CK_BYTE_PTR pSharedData;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+  CK_ULONG ulPrivateDataLen;
-+  CK_OBJECT_HANDLE hPrivateData;
-+  CK_ULONG ulPublicDataLen2;
-+  CK_BYTE_PTR pPublicData2;
-+} CK_ECDH2_DERIVE_PARAMS;
-+
-+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-+
-+typedef struct CK_ECMQV_DERIVE_PARAMS {
-+  CK_EC_KDF_TYPE kdf;
-+  CK_ULONG ulSharedDataLen;
-+  CK_BYTE_PTR pSharedData;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+  CK_ULONG ulPrivateDataLen;
-+  CK_OBJECT_HANDLE hPrivateData;
-+  CK_ULONG ulPublicDataLen2;
-+  CK_BYTE_PTR pPublicData2;
-+  CK_OBJECT_HANDLE publicKey;
-+} CK_ECMQV_DERIVE_PARAMS;
-+
-+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-+
-+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
-+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
-+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-+
-+/* The following X9.42 DH key derivation functions are defined
-+   (besides CKD_NULL already defined : */
-+#define CKD_SHA1_KDF_ASN1        0x00000003
-+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
-+
-+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
-+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
-+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
-+ * contributes one key pair */
-+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-+  CK_X9_42_DH_KDF_TYPE kdf;
-+  CK_ULONG ulOtherInfoLen;
-+  CK_BYTE_PTR pOtherInfo;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+} CK_X9_42_DH1_DERIVE_PARAMS;
-+
-+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-+
-+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
-+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
-+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
-+ * mechanisms, where each party contributes two key pairs */
-+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-+  CK_X9_42_DH_KDF_TYPE kdf;
-+  CK_ULONG ulOtherInfoLen;
-+  CK_BYTE_PTR pOtherInfo;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+  CK_ULONG ulPrivateDataLen;
-+  CK_OBJECT_HANDLE hPrivateData;
-+  CK_ULONG ulPublicDataLen2;
-+  CK_BYTE_PTR pPublicData2;
-+} CK_X9_42_DH2_DERIVE_PARAMS;
-+
-+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-+
-+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-+  CK_X9_42_DH_KDF_TYPE kdf;
-+  CK_ULONG ulOtherInfoLen;
-+  CK_BYTE_PTR pOtherInfo;
-+  CK_ULONG ulPublicDataLen;
-+  CK_BYTE_PTR pPublicData;
-+  CK_ULONG ulPrivateDataLen;
-+  CK_OBJECT_HANDLE hPrivateData;
-+  CK_ULONG ulPublicDataLen2;
-+  CK_BYTE_PTR pPublicData2;
-+  CK_OBJECT_HANDLE publicKey;
-+} CK_X9_42_MQV_DERIVE_PARAMS;
-+
-+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-+
-+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
-+ * CKM_KEA_DERIVE mechanism */
-+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-+typedef struct CK_KEA_DERIVE_PARAMS {
-+  CK_BBOOL      isSender;
-+  CK_ULONG      ulRandomLen;
-+  CK_BYTE_PTR   pRandomA;
-+  CK_BYTE_PTR   pRandomB;
-+  CK_ULONG      ulPublicDataLen;
-+  CK_BYTE_PTR   pPublicData;
-+} CK_KEA_DERIVE_PARAMS;
-+
-+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-+
-+
-+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
-+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
-+ * holds the effective keysize */
-+typedef CK_ULONG          CK_RC2_PARAMS;
-+
-+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-+
-+
-+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
-+ * mechanism */
-+typedef struct CK_RC2_CBC_PARAMS {
-+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
-+   * v2.0 */
-+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-+
-+  CK_BYTE       iv[8];            /* IV for CBC mode */
-+} CK_RC2_CBC_PARAMS;
-+
-+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-+
-+
-+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
-+ * CKM_RC2_MAC_GENERAL mechanism */
-+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-+} CK_RC2_MAC_GENERAL_PARAMS;
-+
-+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-+
-+
-+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
-+ * CKM_RC5_MAC mechanisms */
-+/* CK_RC5_PARAMS is new for v2.0 */
-+typedef struct CK_RC5_PARAMS {
-+  CK_ULONG      ulWordsize;  /* wordsize in bits */
-+  CK_ULONG      ulRounds;    /* number of rounds */
-+} CK_RC5_PARAMS;
-+
-+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-+
-+
-+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
-+ * mechanism */
-+/* CK_RC5_CBC_PARAMS is new for v2.0 */
-+typedef struct CK_RC5_CBC_PARAMS {
-+  CK_ULONG      ulWordsize;  /* wordsize in bits */
-+  CK_ULONG      ulRounds;    /* number of rounds */
-+  CK_BYTE_PTR   pIv;         /* pointer to IV */
-+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-+} CK_RC5_CBC_PARAMS;
-+
-+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-+
-+
-+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
-+ * CKM_RC5_MAC_GENERAL mechanism */
-+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-+  CK_ULONG      ulWordsize;   /* wordsize in bits */
-+  CK_ULONG      ulRounds;     /* number of rounds */
-+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-+} CK_RC5_MAC_GENERAL_PARAMS;
-+
-+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-+
-+
-+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
-+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
-+ * the MAC */
-+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-+
-+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-+
-+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
-+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-+  CK_BYTE      iv[8];
-+  CK_BYTE_PTR  pData;
-+  CK_ULONG     length;
-+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-+
-+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-+
-+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-+  CK_BYTE      iv[16];
-+  CK_BYTE_PTR  pData;
-+  CK_ULONG     length;
-+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-+
-+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-+
-+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
-+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-+  CK_ULONG      ulPasswordLen;
-+  CK_BYTE_PTR   pPassword;
-+  CK_ULONG      ulPublicDataLen;
-+  CK_BYTE_PTR   pPublicData;
-+  CK_ULONG      ulPAndGLen;
-+  CK_ULONG      ulQLen;
-+  CK_ULONG      ulRandomLen;
-+  CK_BYTE_PTR   pRandomA;
-+  CK_BYTE_PTR   pPrimeP;
-+  CK_BYTE_PTR   pBaseG;
-+  CK_BYTE_PTR   pSubprimeQ;
-+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-+
-+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
-+
-+
-+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
-+ * CKM_SKIPJACK_RELAYX mechanism */
-+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-+  CK_ULONG      ulOldWrappedXLen;
-+  CK_BYTE_PTR   pOldWrappedX;
-+  CK_ULONG      ulOldPasswordLen;
-+  CK_BYTE_PTR   pOldPassword;
-+  CK_ULONG      ulOldPublicDataLen;
-+  CK_BYTE_PTR   pOldPublicData;
-+  CK_ULONG      ulOldRandomLen;
-+  CK_BYTE_PTR   pOldRandomA;
-+  CK_ULONG      ulNewPasswordLen;
-+  CK_BYTE_PTR   pNewPassword;
-+  CK_ULONG      ulNewPublicDataLen;
-+  CK_BYTE_PTR   pNewPublicData;
-+  CK_ULONG      ulNewRandomLen;
-+  CK_BYTE_PTR   pNewRandomA;
-+} CK_SKIPJACK_RELAYX_PARAMS;
-+
-+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-+
-+
-+typedef struct CK_PBE_PARAMS {
-+  CK_BYTE_PTR      pInitVector;
-+  CK_UTF8CHAR_PTR  pPassword;
-+  CK_ULONG         ulPasswordLen;
-+  CK_BYTE_PTR      pSalt;
-+  CK_ULONG         ulSaltLen;
-+  CK_ULONG         ulIteration;
-+} CK_PBE_PARAMS;
-+
-+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-+
-+
-+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
-+ * CKM_KEY_WRAP_SET_OAEP mechanism */
-+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-+  CK_BYTE       bBC;     /* block contents byte */
-+  CK_BYTE_PTR   pX;      /* extra data */
-+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-+} CK_KEY_WRAP_SET_OAEP_PARAMS;
-+
-+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
-+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-+
-+
-+typedef struct CK_SSL3_RANDOM_DATA {
-+  CK_BYTE_PTR  pClientRandom;
-+  CK_ULONG     ulClientRandomLen;
-+  CK_BYTE_PTR  pServerRandom;
-+  CK_ULONG     ulServerRandomLen;
-+} CK_SSL3_RANDOM_DATA;
-+
-+
-+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-+  CK_SSL3_RANDOM_DATA RandomInfo;
-+  CK_VERSION_PTR pVersion;
-+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-+
-+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-+
-+
-+typedef struct CK_SSL3_KEY_MAT_OUT {
-+  CK_OBJECT_HANDLE hClientMacSecret;
-+  CK_OBJECT_HANDLE hServerMacSecret;
-+  CK_OBJECT_HANDLE hClientKey;
-+  CK_OBJECT_HANDLE hServerKey;
-+  CK_BYTE_PTR      pIVClient;
-+  CK_BYTE_PTR      pIVServer;
-+} CK_SSL3_KEY_MAT_OUT;
-+
-+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-+
-+
-+typedef struct CK_SSL3_KEY_MAT_PARAMS {
-+  CK_ULONG                ulMacSizeInBits;
-+  CK_ULONG                ulKeySizeInBits;
-+  CK_ULONG                ulIVSizeInBits;
-+  CK_BBOOL                bIsExport;
-+  CK_SSL3_RANDOM_DATA     RandomInfo;
-+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-+} CK_SSL3_KEY_MAT_PARAMS;
-+
-+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-+
-+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
-+typedef struct CK_TLS_PRF_PARAMS {
-+  CK_BYTE_PTR  pSeed;
-+  CK_ULONG     ulSeedLen;
-+  CK_BYTE_PTR  pLabel;
-+  CK_ULONG     ulLabelLen;
-+  CK_BYTE_PTR  pOutput;
-+  CK_ULONG_PTR pulOutputLen;
-+} CK_TLS_PRF_PARAMS;
-+
-+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-+
-+/* WTLS is new for version 2.20 */
-+typedef struct CK_WTLS_RANDOM_DATA {
-+  CK_BYTE_PTR pClientRandom;
-+  CK_ULONG    ulClientRandomLen;
-+  CK_BYTE_PTR pServerRandom;
-+  CK_ULONG    ulServerRandomLen;
-+} CK_WTLS_RANDOM_DATA;
-+
-+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-+
-+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-+  CK_MECHANISM_TYPE   DigestMechanism;
-+  CK_WTLS_RANDOM_DATA RandomInfo;
-+  CK_BYTE_PTR         pVersion;
-+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-+
-+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-+
-+typedef struct CK_WTLS_PRF_PARAMS {
-+  CK_MECHANISM_TYPE DigestMechanism;
-+  CK_BYTE_PTR       pSeed;
-+  CK_ULONG          ulSeedLen;
-+  CK_BYTE_PTR       pLabel;
-+  CK_ULONG          ulLabelLen;
-+  CK_BYTE_PTR       pOutput;
-+  CK_ULONG_PTR      pulOutputLen;
-+} CK_WTLS_PRF_PARAMS;
-+
-+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-+
-+typedef struct CK_WTLS_KEY_MAT_OUT {
-+  CK_OBJECT_HANDLE hMacSecret;
-+  CK_OBJECT_HANDLE hKey;
-+  CK_BYTE_PTR      pIV;
-+} CK_WTLS_KEY_MAT_OUT;
-+
-+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-+
-+typedef struct CK_WTLS_KEY_MAT_PARAMS {
-+  CK_MECHANISM_TYPE       DigestMechanism;
-+  CK_ULONG                ulMacSizeInBits;
-+  CK_ULONG                ulKeySizeInBits;
-+  CK_ULONG                ulIVSizeInBits;
-+  CK_ULONG                ulSequenceNumber;
-+  CK_BBOOL                bIsExport;
-+  CK_WTLS_RANDOM_DATA     RandomInfo;
-+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-+} CK_WTLS_KEY_MAT_PARAMS;
-+
-+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-+
-+/* CMS is new for version 2.20 */
-+typedef struct CK_CMS_SIG_PARAMS {
-+  CK_OBJECT_HANDLE      certificateHandle;
-+  CK_MECHANISM_PTR      pSigningMechanism;
-+  CK_MECHANISM_PTR      pDigestMechanism;
-+  CK_UTF8CHAR_PTR       pContentType;
-+  CK_BYTE_PTR           pRequestedAttributes;
-+  CK_ULONG              ulRequestedAttributesLen;
-+  CK_BYTE_PTR           pRequiredAttributes;
-+  CK_ULONG              ulRequiredAttributesLen;
-+} CK_CMS_SIG_PARAMS;
-+
-+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
-+
-+typedef struct CK_KEY_DERIVATION_STRING_DATA {
-+  CK_BYTE_PTR pData;
-+  CK_ULONG    ulLen;
-+} CK_KEY_DERIVATION_STRING_DATA;
-+
-+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-+  CK_KEY_DERIVATION_STRING_DATA_PTR;
-+
-+
-+/* The CK_EXTRACT_PARAMS is used for the
-+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
-+ * of the base key should be used as the first bit of the
-+ * derived key */
-+/* CK_EXTRACT_PARAMS is new for v2.0 */
-+typedef CK_ULONG CK_EXTRACT_PARAMS;
-+
-+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-+
-+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
-+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
-+ * indicate the Pseudo-Random Function (PRF) used to generate
-+ * key bits using PKCS #5 PBKDF2. */
-+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
-+
-+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
-+
-+/* The following PRFs are defined in PKCS #5 v2.0. */
-+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
-+
-+
-+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
-+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
-+ * source of the salt value when deriving a key using PKCS #5
-+ * PBKDF2. */
-+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
-+
-+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
-+
-+/* The following salt value sources are defined in PKCS #5 v2.0. */
-+#define CKZ_SALT_SPECIFIED        0x00000001
-+
-+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
-+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
-+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
-+typedef struct CK_PKCS5_PBKD2_PARAMS {
-+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-+        CK_VOID_PTR                                pSaltSourceData;
-+        CK_ULONG                                   ulSaltSourceDataLen;
-+        CK_ULONG                                   iterations;
-+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-+        CK_VOID_PTR                                pPrfData;
-+        CK_ULONG                                   ulPrfDataLen;
-+        CK_UTF8CHAR_PTR                            pPassword;
-+        CK_ULONG_PTR                               ulPasswordLen;
-+} CK_PKCS5_PBKD2_PARAMS;
-+
-+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
-+
-+#endif
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/cacerts.pem openssl/demos/easy_tls/cacerts.pem
---- openssl-0.9.8g/demos/easy_tls/cacerts.pem	2001-09-17 21:06:57.000000000 +0200
-+++ openssl/demos/easy_tls/cacerts.pem	2007-10-25 01:27:09.000000000 +0200
-@@ -1,4 +1,4 @@
--$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
- 
- issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
- subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/cert.pem openssl/demos/easy_tls/cert.pem
---- openssl-0.9.8g/demos/easy_tls/cert.pem	2001-09-17 21:06:57.000000000 +0200
-+++ openssl/demos/easy_tls/cert.pem	2007-10-25 01:27:09.000000000 +0200
-@@ -1,4 +1,4 @@
--$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
- 
- Example certificate and key.
- 
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/easy-tls.c openssl/demos/easy_tls/easy-tls.c
---- openssl-0.9.8g/demos/easy_tls/easy-tls.c	2002-03-05 10:07:16.000000000 +0100
-+++ openssl/demos/easy_tls/easy-tls.c	2007-10-25 01:27:09.000000000 +0200
-@@ -1,7 +1,7 @@
- /* -*- Mode: C; c-file-style: "bsd" -*- */
- /*
-  * easy-tls.c -- generic TLS proxy.
-- * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+ * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-  */
- /*
-  (c) Copyright 1999 Bodo Moeller.  All rights reserved.
-@@ -73,7 +73,7 @@
-  */
- 
- static char const rcsid[] =
--"$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $";
-+"$Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $";
- 
- #include 
- #include 
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/easy-tls.h openssl/demos/easy_tls/easy-tls.h
---- openssl-0.9.8g/demos/easy_tls/easy-tls.h	2001-09-17 21:06:59.000000000 +0200
-+++ openssl/demos/easy_tls/easy-tls.h	2007-10-25 01:27:09.000000000 +0200
-@@ -1,7 +1,7 @@
- /* -*- Mode: C; c-file-style: "bsd" -*- */
- /*
-  * easy-tls.h -- generic TLS proxy.
-- * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+ * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-  */
- /*
-  * (c) Copyright 1999 Bodo Moeller.  All rights reserved.
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/Makefile openssl/demos/easy_tls/Makefile
---- openssl-0.9.8g/demos/easy_tls/Makefile	2001-09-18 11:15:40.000000000 +0200
-+++ openssl/demos/easy_tls/Makefile	2007-10-25 01:27:09.000000000 +0200
-@@ -1,5 +1,5 @@
- # Makefile for easy-tls example application (rudimentary client and server)
--# $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+# $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
- 
- SOLARIS_CFLAGS=-Wall -pedantic -g -O2
- SOLARIS_LIBS=-lxnet
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/test.c openssl/demos/easy_tls/test.c
---- openssl-0.9.8g/demos/easy_tls/test.c	2001-09-17 21:06:59.000000000 +0200
-+++ openssl/demos/easy_tls/test.c	2007-10-25 01:27:09.000000000 +0200
-@@ -1,5 +1,5 @@
- /* test.c */
--/* $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $ */
-+/* $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $ */
- 
- #define L_PORT 9999
- #define C_PORT 443
-diff -r -u -N openssl-0.9.8g/demos/easy_tls/test.h openssl/demos/easy_tls/test.h
---- openssl-0.9.8g/demos/easy_tls/test.h	2001-09-17 21:07:00.000000000 +0200
-+++ openssl/demos/easy_tls/test.h	2007-10-25 01:27:09.000000000 +0200
-@@ -1,5 +1,5 @@
- /* test.h */
--/* $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $ */
-+/* $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $ */
- 
- 
- void test_process_init(int fd, int client_p, void *apparg);
-diff -r -u -N openssl-0.9.8g/engines/vendor_defns/hwcryptohook.h openssl/engines/vendor_defns/hwcryptohook.h
---- openssl-0.9.8g/engines/vendor_defns/hwcryptohook.h	2002-10-11 19:10:59.000000000 +0200
-+++ openssl/engines/vendor_defns/hwcryptohook.h	2007-10-25 01:27:09.000000000 +0200
-@@ -65,7 +65,7 @@
-  * please contact nCipher.
-  *
-  *
-- * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-+ * $Id: openssl-0.9.8g-patch,v 1.2 2008/03/31 14:42:50 fdupont Exp $
-  */
- 
- #ifndef HWCRYPTOHOOK_H
-diff -r -u -N openssl-0.9.8g/Makefile.org openssl/Makefile.org
---- openssl-0.9.8g/Makefile.org	2007-04-24 01:49:54.000000000 +0200
-+++ openssl/Makefile.org	2007-10-25 01:27:08.000000000 +0200
-@@ -26,6 +26,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-diff -r -u -N openssl-0.9.8g/README.pkcs11 openssl/README.pkcs11
---- openssl-0.9.8g/README.pkcs11	1970-01-01 01:00:00.000000000 +0100
-+++ openssl/README.pkcs11	2008-01-31 15:24:32.000000000 +0100
-@@ -0,0 +1,153 @@
-+PKCS#11 engine support for OpenSSL 0.9.8g
-+=========================================
-+
-+[Nov 21, 2007]
-+
-+This patch containing code available in OpenSolaris adds support for PKCS#11
-+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8g. Your system must provide PKCS#11 backend otherwise the patch
-+is useless.
-+
-+Patch can be applied like this:
-+
-+	tar xfzv openssl-0.9.8g.tar.gz
-+	cd openssl-0.9.8g
-+	patch -p1 < ../pkcs11_engine-0.9.8g.patch.2007-11-21
-+
-+It is designed to support pure acceleration for RSA, DSA, DH and all the
-+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
-+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
-+
-+It also contains experimental code for accessing RSA keys stored in pkcs#11 key
-+stores by reference. See below for more information.
-+
-+You must provide the location of PKCS#11 library in your system to the
-+configure script, eg. if you use libraries from openCryptoki project on Linux
-+AMD64 box, run configure like this:
-+
-+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
-+
-+To check whether newly built openssl really supports PKCS#11 it's enough to
-+run "apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in
-+the output.
-+
-+This patch was tested on Solaris against PKCS#11 engine available from Solaris
-+Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using
-+PKCS#11 libraries from openCryptoki project (see openCryptoki website
-+http://sourceforge.net/projects/opencryptoki for more information). Some Linux
-+distributions even ship those libraries with the system. The patch should work
-+on any system that is supported by OpenSSL itself and has functional PKCS#11
-+library.
-+
-+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
-+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
-+copyrighted by RSA Security Inc., see pkcs11.h for more information.
-+
-+Other added/modified code in this patch is copyrighted by Sun Microsystems,
-+Inc. and is released under the OpenSSL license (see LICENSE file for more
-+information).
-+
-+Revisions of patch for 0.9.8 branch
-+===================================
-+
-+2007-11-21
-+- update for 0.9.8g version 
-+- fixes in the draft code for "6607670 teach pkcs#11 engine how to use keys
-+  be reference" so that it doesn't coredump when the referenced key is not
-+  present
-+
-+2007-10-15
-+- update for 0.9.8f version 
-+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
-+
-+2007-10-02
-+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
-+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
-+
-+2007-09-26
-+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
-+	  significant performance drop
-+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
-+
-+2007-05-25
-+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
-+
-+2007-05-19
-+- initial patch for 0.9.8e using latest OpenSolaris code
-+
-+Notes
-+=====
-+
-+This patch version contains not very well tested code for referencing RSA keys
-+in keystores by labels. That code might and might not end up in OpenSolaris
-+code base in the future. If you use this particular functionality with this
-+patch I would be very grateful to get any feedback from you (please see my
-+contact in the bottom).
-+
-+Issues
-+------
-+- can't reference public keys inside of certificates using certificate label
-+- can't reference symetric keys
-+- simple references in form of "pkcs11:LABEL" only are supported now. This is
-+  supposed to be changed according to discussion on pkcs11 mailing list; comma
-+  separated list of attributes is planned to be used.
-+- getpassphrase(3c) is used for entering the PIN. This should be changed to a
-+  more general approach; to check if the process has allocated tty and use
-+  other means of entering the PIN if not.
-+
-+Usage
-+-----
-+See examples below using Solaris's pktool(1):
-+
-+# list private keys (note "mycert" label. Basically, we can't generate a
-+# pub/priv key pair with pktool(1) without creating a certificate. This should
-+# be changed in the future).
-+$ pktool list objtype=private
-+Enter PIN for Sun Software PKCS#11 softtoken  : 
-+Found 1 keys.
-+Key #1 - RSA private key:  mycert
-+
-+# this file is going to be signed
-+$ cat test
-+hello
-+
-+# sign it, note "pkcs11:mycert" private key's label
-+$ openssl rsautl -inkey pkcs11:mycert -out test2 -in test -sign -keyform e -engine pkcs11
-+engine "pkcs11" set.
-+Enter PIN:
-+
-+# export the certificate out of the keyring
-+$ pktool export keystore=pkcs11 label=mycert outfile=mycert.cert outformat=pem
-+Warning: file "mycert.cert" exists, will be overwritten.
-+Continue with export? y
-+
-+# verify using OpenSSL without pkcs#11 engine and with the certificate in the
-+# file. This is proof of concept that a file signed with key by reference is
-+# successfully verified when stock OpenSSL is used (I didn't have public key
-+# in the keystore, only the certificate. There is no way to reference a public
-+# key inside of the certificate).
-+$ openssl rsautl -verify -inkey mycert.cert -certin -in test2
-+hello
-+
-+API
-+---
-+You can use ENGINE_load_public_key() and ENGINE_load_private_key() functions
-+only. The 2nd parameter of those calls is the one to use for "pkcs11:LABEL"
-+filename overloading. If used that way, both functions will look for the key
-+in the available keystores. Only one such key must be present. The private key
-+is never extracted from the keystore. See OpenSSL's engine(3) or header file
-+openssl/engine.h for more information.
-+
-+Note that those functions return a pointer to EVP_PKEY structure that contains
-+all necessary information for accesing the key by label then. The pointer can be
-+used in other functions that work with RSA keys - X509_sign() for example. See
-+source code in apps/ subdirectory for reference.
-+
-+Feedback
-+========
-+
-+Please send feedback to security-discuss@opensolaris.org. The patch was
-+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
-+
-+Latest version should be always available on http://blogs.sun.com/janp.
-+
diff --git a/contrib/pkcs11-keygen/openssl-0.9.8i-patch b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
new file mode 100644
index 0000000000..601504e155
--- /dev/null
+++ b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
@@ -0,0 +1,14221 @@
+Index: openssl/Configure
+diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
+--- openssl/Configure:1.1.2.1	Fri Sep 12 14:47:00 2008
++++ openssl/Configure	Tue Dec 16 14:12:43 2008
+@@ -10,7 +10,7 @@
+ 
+ # see INSTALL for instructions.
+ 
+-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+ 
+ # Options:
+ #
+@@ -19,6 +19,9 @@
+ # --prefix      prefix for the OpenSSL include, lib and bin directories
+ #               (Default: the OPENSSLDIR directory)
+ #
++# --pk11-libname  PKCS#11 library name.
++#               (Default: none)
++#
+ # --install_prefix  Additional prefix for package builders (empty by
+ #               default).  This needn't be set in advance, you can
+ #               just as well use "make INSTALL_PREFIX=/whatever install".
+@@ -322,7 +325,7 @@
+ "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+ "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ ####
+ "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+@@ -573,6 +576,9 @@
+ my $idx_ranlib = $idx++;
+ my $idx_arflags = $idx++;
+ 
++# PKCS#11 engine patch
++my $pk11_libname="";
++
+ my $prefix="";
+ my $openssldir="";
+ my $exe_ext="";
+@@ -755,6 +761,10 @@
+ 				{
+ 				$flags.=$_." ";
+ 				}
++                        elsif (/^--pk11-libname=(.*)$/)
++                                {
++                                $pk11_libname=$1;
++                                }
+ 			elsif (/^--prefix=(.*)$/)
+ 				{
+ 				$prefix=$1;
+@@ -878,6 +888,13 @@
+ 	exit 0;
+ }
+ 
++if (! $pk11_libname)
++        {
++        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
++        print STDERR "See README.pkcs11 for more information.\n";
++        exit 1;
++        }
++
+ if ($target =~ m/^CygWin32(-.*)$/) {
+ 	$target = "Cygwin".$1;
+ }
+@@ -1006,6 +1023,8 @@
+ if ($flags ne "")	{ $cflags="$flags$cflags"; }
+ else			{ $no_user_cflags=1;       }
+ 
++$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
++
+ # Kerberos settings.  The flavor must be provided from outside, either through
+ # the script "config" or manually.
+ if (!$no_krb5)
+@@ -1348,6 +1367,7 @@
+ 	s/^VERSION=.*/VERSION=$version/;
+ 	s/^MAJOR=.*/MAJOR=$major/;
+ 	s/^MINOR=.*/MINOR=$minor/;
++	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
+ 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
+ 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
+ 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
+Index: openssl/Makefile
+diff -u openssl/Makefile:1.1.2.1 openssl/Makefile:1.5
+--- openssl/Makefile:1.1.2.1	Mon Sep 15 15:27:21 2008
++++ openssl/Makefile	Mon Dec 15 12:55:31 2008
+@@ -11,11 +11,11 @@
+ SHLIB_VERSION_HISTORY=
+ SHLIB_MAJOR=0
+ SHLIB_MINOR=9.8
+-SHLIB_EXT=
+-PLATFORM=dist
+-OPTIONS= no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
+-CONFIGURE_ARGS=dist
+-SHLIB_TARGET=
++SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
++PLATFORM=solaris64-x86_64-gcc
++OPTIONS=--pk11-libname=/usr/lib/64/libpkcs11.so.1 no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
++CONFIGURE_ARGS=solaris64-x86_64-gcc --pk11-libname=/usr/lib/64/libpkcs11.so.1
++SHLIB_TARGET=solaris-shared
+ 
+ # HERE indicates where this Makefile lives.  This can be used to indicate
+ # where sub-Makefiles are expected to be.  Currently has very limited usage,
+@@ -28,6 +28,9 @@
+ INSTALL_PREFIX=
+ INSTALLTOP=/usr/local/ssl
+ 
++# You must set this through --pk11-libname configure option.
++PK11_LIB_LOCATION=/usr/lib/64/libpkcs11.so.1
++
+ # Do not edit this manually. Use Configure --openssldir=DIR do change this!
+ OPENSSLDIR=/usr/local/ssl
+ 
+@@ -59,11 +62,11 @@
+ # equal 4.
+ # PKCS1_CHECK - pkcs1 tests.
+ 
+-CC= cc
+-CFLAG= -O
++CC= gcc
++CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION=\"/usr/lib/64/libpkcs11.so.1\" -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
+ DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT 
+ PEX_LIBS= 
+-EX_LIBS= 
++EX_LIBS= -lsocket -lnsl -ldl
+ EXE_EXT= 
+ ARFLAGS= 
+ AR=ar $(ARFLAGS) r
+@@ -71,7 +74,7 @@
+ PERL= /usr/bin/perl
+ TAR= tar
+ TARFLAGS= --no-recursion
+-MAKEDEPPROG=makedepend
++MAKEDEPPROG= gcc
+ 
+ # We let the C compiler driver to take care of .s files. This is done in
+ # order to be excused from maintaining a separate set of architecture
+@@ -86,16 +89,16 @@
+ PROCESSOR= 
+ 
+ # CPUID module collects small commonly used assembler snippets
+-CPUID_OBJ= 
+-BN_ASM= bn_asm.o
++CPUID_OBJ= x86_64cpuid.o
++BN_ASM= x86_64-gcc.o x86_64-mont.o
+ DES_ENC= des_enc.o fcrypt_b.o
+-AES_ASM_OBJ= aes_core.o aes_cbc.o
++AES_ASM_OBJ= aes-x86_64.o
+ BF_ENC= bf_enc.o
+ CAST_ENC= c_enc.o
+-RC4_ENC= rc4_enc.o rc4_skey.o
++RC4_ENC= rc4-x86_64.o
+ RC5_ENC= rc5_enc.o
+-MD5_ASM_OBJ= 
+-SHA1_ASM_OBJ= 
++MD5_ASM_OBJ= md5-x86_64.o
++SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+ RMD160_ASM_OBJ= 
+ 
+ # KRB5 stuff
+@@ -141,8 +144,8 @@
+ SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
+ SHARED_SSL=libssl$(SHLIB_EXT)
+ SHARED_LIBS=
+-SHARED_LIBS_LINK_EXTS=
+-SHARED_LDFLAGS=
++SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
++SHARED_LDFLAGS=-m64 -shared -static-libgcc
+ 
+ GENERAL=        Makefile
+ BASENAME=       openssl
+Index: openssl/Makefile.org
+diff -u openssl/Makefile.org:1.1.2.1 openssl/Makefile.org:1.2
+--- openssl/Makefile.org:1.1.2.1	Thu Apr  3 23:03:39 2008
++++ openssl/Makefile.org	Fri Aug 29 16:19:02 2008
+@@ -26,6 +26,9 @@
+ INSTALL_PREFIX=
+ INSTALLTOP=/usr/local/ssl
+ 
++# You must set this through --pk11-libname configure option.
++PK11_LIB_LOCATION=
++
+ # Do not edit this manually. Use Configure --openssldir=DIR do change this!
+ OPENSSLDIR=/usr/local/ssl
+ 
+Index: openssl/README.pkcs11
+diff -u /dev/null openssl/README.pkcs11:1.4
+--- /dev/null	Wed Sep  2 11:37:22 2009
++++ openssl/README.pkcs11	Mon Dec 15 12:59:11 2008
+@@ -0,0 +1,218 @@
++PKCS#11 engine support for OpenSSL 0.9.8i
++=========================================
++
++[December 2, 2008]
++
++Contents:
++
++Overview
++Revisions of patch for 0.9.8 branch
++FAQs
++Feedback
++
++Overview
++========
++
++This patch containing code available in OpenSolaris adds support for PKCS#11
++engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
++OpenSSL 0.9.8i source code distribution as shipped by OpenSSL.Org. Your system
++must provide PKCS#11 backend otherwise the patch is useless. You provide the
++PKCS#11 library name during the build configuration phase, see below.
++
++Patch can be applied like this:
++
++	# NOTE: use gtar if on Solaris
++	tar xfzv openssl-0.9.8i.tar.gz
++	# now download the patch to the current directory
++	# ...
++	cd openssl-0.9.8i
++	# NOTE: use gpatch if on Solaris	
++	patch -p1 < ../pkcs11_engine-0.9.8i.patch.2008-12-02
++
++It is designed to support pure acceleration for RSA, DSA, DH and all the
++symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
++except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
++
++According to the PKCS#11 providers installed on your machine, it can support
++following mechanisms:
++
++	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
++	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
++	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
++	SHA256, SHA384, SHA512
++
++Note that for AES counter mode the application must provide their own EVP
++functions since OpenSSL doesn't support counter mode through EVP yet. You may
++see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
++example of code that uses the PKCS#11 engine and deals with the fork-safety
++problem (see engine.c and packet.c files if interested).
++
+++------------------------------------------------------------------------------+
++| NOTE: this patch version does NOT contain experimental code for accessing    |
++| RSA keys stored in PKCS#11 key stores by reference. Some problems were found |
++| (thanks to all who wrote me!) and due to my ENOTIME problem I may address    |
++| those issues in the next version of the patch that will have that code back, |
++| hopefully fixed.                                                             |
+++------------------------------------------------------------------------------+
++
++You must provide the location of PKCS#11 library in your system to the
++configure script. You will be instructed to do that when you try to run the
++config script:
++
++	$ ./config 
++	Operating system: i86pc-whatever-solaris2
++	Configuring for solaris-x86-cc
++	You must set --pk11-libname for PKCS#11 library.
++	See README.pkcs11 for more information.
++
++Taking openCryptoki project on Linux AMD64 box as an example, you would run
++configure script like this:
++
++	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
++
++To check whether newly built openssl really supports PKCS#11 it's enough to run
++"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
++output. If you see no PKCS#11 engine support check that the built openssl binary
++and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
++
++This patch was tested on Solaris against PKCS#11 engine available from Solaris
++Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using
++PKCS#11 libraries from openCryptoki project (see openCryptoki website
++http://sourceforge.net/projects/opencryptoki for more information). Some Linux
++distributions even ship those libraries with the system. The patch should work
++on any system that is supported by OpenSSL itself and has functional PKCS#11
++library.
++
++The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
++copyrighted by RSA Security Inc., see pkcs11.h for more information.
++
++Other added/modified code in this patch is copyrighted by Sun Microsystems,
++Inc. and is released under the OpenSSL license (see LICENSE file for more
++information).
++
++Revisions of patch for 0.9.8 branch
++===================================
++
++2008-12-02
++- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
++
++	6723504 more granular locking in PKCS#11 engine
++	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
++	6710420 PKCS#11 engine source should be lint clean
++	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
++		it seriously
++	6746712 PKCS#11 engine source code should be cstyle clean
++	6731380 return codes of several functions are not checked in the PKCS#11
++		engine code
++	6746735 PKCS#11 engine should use extended FILE space API
++	6734038 Apache SSL web server using the pkcs11 engine fails to start if
++		meta slot is disabled
++
++2008-08-01
++- fixed bug
++
++	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
++		and digests
++
++- Solaris specific code for slot selection made automatic
++
++2008-07-29
++- update the patch to OpenSSL 0.9.8h version
++- pkcs11t.h updated to the latest version:
++
++	6545665 make CKM_AES_CTR available to non-kernel users
++
++- fixed bugs in the engine code:
++
++	6602801 PK11_SESSION cache has to employ reference counting scheme for
++		asymmetric key operations
++	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
++		atomically
++	6607307 pkcs#11 engine can't read RSA private keys
++	6652362 pk11_RSA_finish() is cutting corners
++	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
++		suboptimal way
++	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
++		resilient to destroy failures
++	6667273 OpenSSL engine should not use free() but OPENSSL_free()
++	6670363 PKCS#11 engine fails to reuse existing symmetric keys
++	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
++	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
++		of big numbers leading to failures
++	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
++		-1
++	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
++	6707129 return values from BN_new() in pk11_DH_generate_key() are not
++		checked
++	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
++		structure reuse
++	6707782 OpenSSL PKCS#11 engine pretends to be aware of
++		OPENSSL_NO_{RSA,DSA,DH}
++	defines but fails miserably
++	6709966 make check_new_*() to return values to indicate cache hit/miss
++	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
++		generate_params parameter
++	6709513 PKCS#11 engine sets IV length even for ECB modes
++	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
++		PKCS#11 engine
++	6728871 PKCS#11 engine must reset global_session in pk11_finish()
++
++- new features and enhancements:
++
++	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
++	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
++	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
++		ciphers and digests
++
++2007-10-15
++- update for 0.9.8f version
++- update for "6607670 teach pkcs#11 engine how to use keys be reference"
++
++2007-10-02
++- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
++- draft for "6607307 pkcs#11 engine can't read RSA private keys"
++
++2007-09-26
++- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
++	  significant performance drop
++- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
++
++2007-05-25
++- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
++
++2007-05-19
++- initial patch for 0.9.8e using latest OpenSolaris code
++
++FAQs
++====
++
++(1) my build failed on Linux distro with this error:
++
++../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
++hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
++
++	- don't use "no-threads" when configuring
++	- if you didn't then OpenSSL failed to create a threaded library by
++	  default. You may manually edit Configure and try again. Look for the
++	  architecture that Configure printed, for example:
++
++Configured for linux-elf.
++
++	- then edit Configure, find string "linux-elf" (inluding the quotes),
++	  and add flags to support threads to the 4th column of the 2nd string.
++	  If you build with GCC then adding "-pthread" should be enough. With
++	  "linux-elf" as an example, you would add " -pthread" right after
++	  "-D_REENTRANT", like this:
++
++....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
++
++
++Feedback
++========
++
++Please send feedback to security-discuss@opensolaris.org. The patch was
++created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
++
++Latest version should be always available on http://blogs.sun.com/janp.
++
+Index: openssl/apps/md4.c
+diff -u /dev/null openssl/apps/md4.c:1.2
+--- /dev/null	Wed Sep  2 11:37:22 2009
++++ openssl/apps/md4.c	Fri Aug 29 15:36:16 2008
+@@ -0,0 +1,127 @@
++/* crypto/md4/md4.c */
++/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++ * All rights reserved.
++ *
++ * This package is an SSL implementation written
++ * by Eric Young (eay@cryptsoft.com).
++ * The implementation was written so as to conform with Netscapes SSL.
++ * 
++ * This library is free for commercial and non-commercial use as long as
++ * the following conditions are aheared to.  The following conditions
++ * apply to all code found in this distribution, be it the RC4, RSA,
++ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
++ * included with this distribution is covered by the same copyright terms
++ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
++ * 
++ * Copyright remains Eric Young's, and as such any Copyright notices in
++ * the code are not to be removed.
++ * If this package is used in a product, Eric Young should be given attribution
++ * as the author of the parts of the library used.
++ * This can be in the form of a textual message at program startup or
++ * in documentation (online or textual) provided with the package.
++ * 
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ *    must display the following acknowledgement:
++ *    "This product includes cryptographic software written by
++ *     Eric Young (eay@cryptsoft.com)"
++ *    The word 'cryptographic' can be left out if the rouines from the library
++ *    being used are not cryptographic related :-).
++ * 4. If you include any Windows specific code (or a derivative thereof) from 
++ *    the apps directory (application code) you must include an acknowledgement:
++ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
++ * 
++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ * 
++ * The licence and distribution terms for any publically available version or
++ * derivative of this code cannot be changed.  i.e. this code cannot simply be
++ * copied and put under another distribution licence
++ * [including the GNU Public Licence.]
++ */
++
++#include 
++#include 
++#include 
++
++#define BUFSIZE	1024*16
++
++void do_fp(FILE *f);
++void pt(unsigned char *md);
++#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
++int read(int, void *, unsigned int);
++#endif
++
++int main(int argc, char **argv)
++	{
++	int i,err=0;
++	FILE *IN;
++
++	if (argc == 1)
++		{
++		do_fp(stdin);
++		}
++	else
++		{
++		for (i=1; i	/* For NULL */
++#define	NULL_PTR NULL
++#endif
++
++/*
++ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
++ */
++#ifndef	CK_DISABLE_TRUE_FALSE
++#define	CK_DISABLE_TRUE_FALSE
++#ifndef	TRUE
++#define	TRUE	1
++#endif /* TRUE */
++#ifndef	FALSE
++#define	FALSE	0
++#endif /* FALSE */
++#endif /* CK_DISABLE_TRUE_FALSE */
++
++#undef CK_PKCS11_FUNCTION_INFO
++
++#include "pkcs11.h"
++
++/* Solaris specific functions */
++
++#include 
++
++/*
++ * SUNW_C_GetMechSession will initialize the framework and do all
++ * the necessary PKCS#11 calls to create a session capable of
++ * providing operations on the requested mechanism
++ */
++CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
++    CK_SESSION_HANDLE_PTR hSession);
++
++/*
++ * SUNW_C_KeyToObject will create a secret key object for the given
++ * mechanism from the rawkey data.
++ */
++CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
++    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
++    CK_OBJECT_HANDLE_PTR obj);
++
++
++#ifdef	__cplusplus
++}
++#endif
++
++#endif	/* _CRYPTOKI_H */
+Index: openssl/crypto/engine/eng_all.c
+diff -u openssl/crypto/engine/eng_all.c:1.1.2.1 openssl/crypto/engine/eng_all.c:1.2
+--- openssl/crypto/engine/eng_all.c:1.1.2.1	Wed Jun  4 18:01:39 2008
++++ openssl/crypto/engine/eng_all.c	Wed Oct 15 15:39:48 2008
+@@ -110,6 +110,9 @@
+ #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+ 	ENGINE_load_capi();
+ #endif
++#ifndef OPENSSL_NO_HW_PKCS11
++	ENGINE_load_pk11();
++#endif
+ #endif
+ 	}
+ 
+Index: openssl/crypto/engine/engine.h
+diff -u openssl/crypto/engine/engine.h:1.1.2.1 openssl/crypto/engine/engine.h:1.2
+--- openssl/crypto/engine/engine.h:1.1.2.1	Wed Jun  4 18:01:40 2008
++++ openssl/crypto/engine/engine.h	Wed Oct 15 15:39:48 2008
+@@ -337,6 +337,7 @@
+ void ENGINE_load_ubsec(void);
+ #endif
+ void ENGINE_load_cryptodev(void);
++void ENGINE_load_pk11(void);
+ void ENGINE_load_padlock(void);
+ void ENGINE_load_builtin_engines(void);
+ #ifndef OPENSSL_NO_CAPIENG
+Index: openssl/crypto/engine/hw_pk11-kp.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11-kp.c:1.20
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11-kp.c	Tue Sep  1 06:02:18 2009
+@@ -0,0 +1,1611 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++typedef int pid_t;
++#define getpid() GetCurrentProcessId()
++#define NOPTHREADS
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#include 
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++
++/* label for debug messages printed on stderr */
++#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
++/* prints a lot of debug messages on stderr about slot selection process */
++#undef	DEBUG_SLOT_SELECTION
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11_err.c"
++
++/* PKCS#11 session caches and their locks for all operation types */
++static PK11_CACHE session_cache[OP_MAX];
++
++/*
++ * As stated in v2.20, 11.7 Object Management Function, in section for
++ * C_FindObjectsInit(), at most one search operation may be active at a given
++ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
++ * grouped together to form one atomic search operation. This is already
++ * ensured by the property of unique PKCS#11 session handle used for each
++ * PK11_SESSION object.
++ *
++ * This is however not the biggest concern - maintaining consistency of the
++ * underlying object store is more important. The same section of the spec also
++ * says that one thread can be in the middle of a search operation while another
++ * thread destroys the object matching the search template which would result in
++ * invalid handle returned from the search operation.
++ *
++ * Hence, the following locks are used for both protection of the object stores.
++ * They are also used for active list protection.
++ */
++#ifndef NOPTHREADS
++pthread_mutex_t *find_lock[OP_MAX] = { NULL };
++#endif
++
++/*
++ * lists of asymmetric key handles which are active (referenced by at least one
++ * PK11_SESSION structure, either held by a thread or present in free_session
++ * list) for given algorithm type
++ */
++PK11_active *active_list[OP_MAX] = { NULL };
++
++/*
++ * Create all secret key objects in a global session so that they are available
++ * to use for other sessions. These other sessions may be opened or closed
++ * without losing the secret key objects.
++ */
++static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
++
++/* ENGINE level stuff */
++static int pk11_init(ENGINE *e);
++static int pk11_library_init(ENGINE *e);
++static int pk11_finish(ENGINE *e);
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
++static int pk11_destroy(ENGINE *e);
++
++/* RAND stuff */
++static void pk11_rand_seed(const void *buf, int num);
++static void pk11_rand_add(const void *buf, int num, double add_entropy);
++static void pk11_rand_cleanup(void);
++static int pk11_rand_bytes(unsigned char *buf, int num);
++static int pk11_rand_status(void);
++
++/* These functions are also used in other files */
++PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++/* active list manipulation functions used in this file */
++extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
++extern void pk11_free_active_list(PK11_OPTYPE type);
++
++int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++
++/* Local helper functions */
++static int pk11_free_all_sessions(void);
++static int pk11_free_session_list(PK11_OPTYPE optype);
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++static int pk11_destroy_object(CK_SESSION_HANDLE session,
++	CK_OBJECT_HANDLE oh);
++static const char *get_PK11_LIBNAME(void);
++static void free_PK11_LIBNAME(void);
++static long set_PK11_LIBNAME(const char *name);
++
++static int pk11_choose_slots(int *any_slot_found);
++
++static int pk11_init_all_locks(void);
++static void pk11_free_all_locks(void);
++
++#define	TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
++		{							\
++		retval = pk11_destroy_object(sess_hdl, obj_hdl);	\
++		}							\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++#define	TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	(void) pk11_active_delete(obj_hdl, alg_type);			\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++static CK_BBOOL pk11_have_rsa	= CK_FALSE;
++static CK_BBOOL pk11_have_random = CK_FALSE;
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * The definitions for control commands specific to this engine
++ */
++#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
++#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
++#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
++static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
++	{
++		{
++		PK11_CMD_SO_PATH,
++		"SO_PATH",
++		"Specifies the path to the 'pkcs#11' shared library",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_PIN,
++		"PIN",
++		"Specifies the pin code",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_SLOT,
++		"SLOT",
++		"Specifies the slot (default is auto select)",
++		ENGINE_CMD_FLAG_NUMERIC,
++		},
++		{0, NULL, NULL, 0}
++	};
++
++
++static RAND_METHOD pk11_random =
++	{
++	pk11_rand_seed,
++	pk11_rand_bytes,
++	pk11_rand_cleanup,
++	pk11_rand_add,
++	pk11_rand_bytes,
++	pk11_rand_status
++	};
++
++
++/* Constants used when creating the ENGINE */
++static const char *engine_pk11_id = "pkcs11";
++static const char *engine_pk11_name = "PKCS #11 engine support";
++
++CK_FUNCTION_LIST_PTR pFuncList = NULL;
++static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
++
++/*
++ * These is the static string constant for the DSO file name and the function
++ * symbol names to bind to.
++ */
++static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
++
++static CK_SLOT_ID pubkey_SLOTID = 0;
++static CK_SLOT_ID rand_SLOTID = 0;
++static CK_SLOT_ID SLOTID = 0;
++char *pk11_pin = NULL;
++static CK_BBOOL pk11_library_initialized = FALSE;
++static CK_BBOOL pk11_atfork_initialized = FALSE;
++static int pk11_pid = 0;
++
++static DSO *pk11_dso = NULL;
++
++/* allocate and initialize all locks used by the engine itself */
++static int pk11_init_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++	if (find_lock[OP_RSA] == NULL)
++		goto malloc_err;
++	(void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		session_cache[type].lock =
++		    OPENSSL_malloc(sizeof (pthread_mutex_t));
++		if (session_cache[type].lock == NULL)
++			goto malloc_err;
++		(void) pthread_mutex_init(session_cache[type].lock, NULL);
++		}
++
++	return (1);
++
++malloc_err:
++	pk11_free_all_locks();
++	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
++	return (0);
++#else
++	return (1);
++#endif
++	}
++
++static void pk11_free_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++	if (find_lock[OP_RSA] != NULL)
++		{
++		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
++		OPENSSL_free(find_lock[OP_RSA]);
++		find_lock[OP_RSA] = NULL;
++		}
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (session_cache[type].lock != NULL)
++			{
++			(void) pthread_mutex_destroy(session_cache[type].lock);
++			OPENSSL_free(session_cache[type].lock);
++			session_cache[type].lock = NULL;
++			}
++		}
++#endif
++	}
++
++/*
++ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
++ */
++static int bind_pk11(ENGINE *e)
++	{
++	if (!pk11_library_initialized)
++		if (!pk11_library_init(e))
++			return (0);
++
++	if (!ENGINE_set_id(e, engine_pk11_id) ||
++	    !ENGINE_set_name(e, engine_pk11_name))
++		return (0);
++
++	if (pk11_have_rsa == CK_TRUE)
++		{
++		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
++		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
++		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++
++	if (pk11_have_random)
++		{
++		if (!ENGINE_set_RAND(e, &pk11_random))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered random\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++	if (!ENGINE_set_init_function(e, pk11_init) ||
++	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
++	    !ENGINE_set_finish_function(e, pk11_finish) ||
++	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
++	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
++		return (0);
++
++	/* Ensure the pk11 error handling is set up */
++	ERR_load_pk11_strings();
++
++	return (1);
++	}
++
++/* Dynamic engine support is disabled at a higher level for Solaris */
++#ifdef	ENGINE_DYNAMIC_SUPPORT
++static int bind_helper(ENGINE *e, const char *id)
++	{
++	if (id && (strcmp(id, engine_pk11_id) != 0))
++		return (0);
++
++	if (!bind_pk11(e))
++		return (0);
++
++	return (1);
++	}
++
++IMPLEMENT_DYNAMIC_CHECK_FN()
++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
++
++#else
++static ENGINE *engine_pk11(void)
++	{
++	ENGINE *ret = ENGINE_new();
++
++	if (!ret)
++		return (NULL);
++
++	if (!bind_pk11(ret))
++		{
++		ENGINE_free(ret);
++		return (NULL);
++		}
++
++	return (ret);
++	}
++
++void
++ENGINE_load_pk11(void)
++	{
++	ENGINE *e_pk11 = NULL;
++
++	/*
++	 * Do not use dynamic PKCS#11 library on Solaris due to
++	 * security reasons. We will link it in statically.
++	 */
++	/* Attempt to load PKCS#11 library */
++	if (!pk11_dso)
++		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
++		return;
++		}
++
++	e_pk11 = engine_pk11();
++	if (!e_pk11)
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		return;
++		}
++
++	/*
++	 * At this point, the pk11 shared library is either dynamically
++	 * loaded or statically linked in. So, initialize the pk11
++	 * library before calling ENGINE_set_default since the latter
++	 * needs cipher and digest algorithm information
++	 */
++	if (!pk11_library_init(e_pk11))
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		ENGINE_free(e_pk11);
++		return;
++		}
++
++	ENGINE_add(e_pk11);
++
++	ENGINE_free(e_pk11);
++	ERR_clear_error();
++	}
++#endif	/* ENGINE_DYNAMIC_SUPPORT */
++
++/*
++ * These are the static string constants for the DSO file name and
++ * the function symbol names to bind to.
++ */
++static const char *PK11_LIBNAME = NULL;
++
++static const char *get_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		return (PK11_LIBNAME);
++
++	return (def_PK11_LIBNAME);
++	}
++
++static void free_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		OPENSSL_free((void*)PK11_LIBNAME);
++
++	PK11_LIBNAME = NULL;
++	}
++
++static long set_PK11_LIBNAME(const char *name)
++	{
++	free_PK11_LIBNAME();
++
++	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
++	}
++
++/* acquire all engine specific mutexes before fork */
++static void pk11_fork_prepare(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	LOCK_OBJSTORE(OP_RSA);
++	for (i = 0; i < OP_MAX; i++)
++		{
++		(void) pthread_mutex_lock(session_cache[i].lock);
++		}
++#endif
++	}
++
++/* release all engine specific mutexes */
++static void pk11_fork_parent(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/*
++ * same situation as in parent - we need to unlock all locks to make them
++ * accessible to all threads.
++ */
++static void pk11_fork_child(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/* Initialization function for the pk11 engine */
++static int pk11_init(ENGINE *e)
++{
++	return (pk11_library_init(e));
++}
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * It selects a slot based on predefined critiera. In the process, it also
++ * count how many ciphers and digests to support. Since the cipher and
++ * digest information is needed when setting default engine, this function
++ * needs to be called before calling ENGINE_set_default.
++ */
++/* ARGSUSED */
++static int pk11_library_init(ENGINE *e)
++	{
++	CK_C_GetFunctionList p;
++	CK_RV rv = CKR_OK;
++	CK_INFO info;
++	int any_slot_found;
++	int i;
++#ifndef OPENSSL_SYS_WIN32
++	struct sigaction sigint_act, sigterm_act, sighup_act;
++#endif
++
++	/*
++	 * pk11_library_initialized is set to 0 in pk11_finish() which is called
++	 * from ENGINE_finish(). However, if there is still at least one
++	 * existing functional reference to the engine (see engine(3) for more
++	 * information), pk11_finish() is skipped. For example, this can happen
++	 * if an application forgets to clear one cipher context. In case of a
++	 * fork() when the application is finishing the engine so that it can be
++	 * reinitialized in the child, forgotten functional reference causes
++	 * pk11_library_initialized to stay 1. In that case we need the PID
++	 * check so that we properly initialize the engine again.
++	 */
++	if (pk11_library_initialized)
++		{
++		if (pk11_pid == getpid())
++			{
++			return (1);
++			}
++		else
++			{
++			global_session = CK_INVALID_HANDLE;
++			/*
++			 * free the locks first to prevent memory leak in case
++			 * the application calls fork() without finishing the
++			 * engine first.
++			 */
++			pk11_free_all_locks();
++			}
++		}
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the C_GetFunctionList function from the loaded library */
++	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
++		PK11_GET_FUNCTION_LIST);
++	if (!p)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the full function list from the loaded library */
++	rv = p(&pFuncList);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
++		goto err;
++		}
++
++#ifndef OPENSSL_SYS_WIN32
++	/* Not all PKCS#11 library are signal safe! */
++
++	(void) memset(&sigint_act, 0, sizeof(sigint_act));
++	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
++	(void) memset(&sighup_act, 0, sizeof(sighup_act));
++	(void) sigaction(SIGINT, NULL, &sigint_act);
++	(void) sigaction(SIGTERM, NULL, &sigterm_act);
++	(void) sigaction(SIGHUP, NULL, &sighup_act);
++#endif
++	rv = pFuncList->C_Initialize(NULL_PTR);
++#ifndef OPENSSL_SYS_WIN32
++	(void) sigaction(SIGINT, &sigint_act, NULL);
++	(void) sigaction(SIGTERM, &sigterm_act, NULL);
++	(void) sigaction(SIGHUP, &sighup_act, NULL);
++#endif
++	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_GetInfo(&info);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
++		goto err;
++		}
++
++	if (pk11_choose_slots(&any_slot_found) == 0)
++		goto err;
++
++	/*
++	 * The library we use, set in def_PK11_LIBNAME, may not offer any
++	 * slot(s). In that case, we must not proceed but we must not return an
++	 * error. The reason is that applications that try to set up the PKCS#11
++	 * engine don't exit on error during the engine initialization just
++	 * because no slot was present.
++	 */
++	if (any_slot_found == 0)
++		return (1);
++
++	if (global_session == CK_INVALID_HANDLE)
++		{
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LIBRARY_INIT,
++			    PK11_R_OPENSESSION, rv);
++			goto err;
++			}
++		}
++
++	pk11_library_initialized = TRUE;
++	pk11_pid = getpid();
++	/*
++	 * if initialization of the locks fails pk11_init_all_locks()
++	 * will do the cleanup.
++	 */
++	if (!pk11_init_all_locks())
++		goto err;
++	for (i = 0; i < OP_MAX; i++)
++		session_cache[i].head = NULL;
++	/*
++	 * initialize active lists. We only use active lists
++	 * for asymmetric ciphers.
++	 */
++	for (i = 0; i < OP_MAX; i++)
++		active_list[i] = NULL;
++
++#ifndef NOPTHREADS
++	if (!pk11_atfork_initialized)
++		{
++		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
++		    pk11_fork_child) != 0)
++			{
++			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
++			goto err;
++			}
++		pk11_atfork_initialized = TRUE;
++		}
++#endif
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Destructor (complements the "ENGINE_pk11()" constructor) */
++/* ARGSUSED */
++static int pk11_destroy(ENGINE *e)
++	{
++	free_PK11_LIBNAME();
++	ERR_unload_pk11_strings();
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++	return (1);
++	}
++
++/*
++ * Termination function to clean up the session, the token, and the pk11
++ * library.
++ */
++/* ARGSUSED */
++static int pk11_finish(ENGINE *e)
++	{
++	int i;
++
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
++		goto err;
++		}
++
++	OPENSSL_assert(pFuncList != NULL);
++
++	if (pk11_free_all_sessions() == 0)
++		goto err;
++
++	/* free all active lists */
++	for (i = 0; i < OP_MAX; i++)
++		pk11_free_active_list(i);
++
++	pFuncList->C_CloseSession(global_session);
++	global_session = CK_INVALID_HANDLE;
++
++	/*
++	 * Since we are part of a library (libcrypto.so), calling this function
++	 * may have side-effects.
++	 */
++#if 0
++	pFuncList->C_Finalize(NULL);
++#endif
++
++	if (!DSO_free(pk11_dso))
++		{
++		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++	pk11_dso = NULL;
++	pFuncList = NULL;
++	pk11_library_initialized = FALSE;
++	pk11_pid = 0;
++	/*
++	 * There is no way how to unregister atfork handlers (other than
++	 * unloading the library) so we just free the locks. For this reason
++	 * the atfork handlers check if the engine is initialized and bail out
++	 * immediately if not. This is necessary in case a process finishes
++	 * the engine before calling fork().
++	 */
++	pk11_free_all_locks();
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Standard engine interface function to set the dynamic library path */
++/* ARGSUSED */
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
++	{
++	int initialized = ((pk11_dso == NULL) ? 0 : 1);
++
++	switch (cmd)
++		{
++	case PK11_CMD_SO_PATH:
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		if (initialized)
++			{
++			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
++			return (0);
++			}
++
++		return (set_PK11_LIBNAME((const char *)p));
++	case PK11_CMD_PIN:
++		if (pk11_pin) {
++			memset(pk11_pin, 0, strlen(pk11_pin));
++			OPENSSL_free((void*)pk11_pin);
++		}
++		pk11_pin = NULL;
++
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		pk11_pin = BUF_strdup(p);
++		if (pk11_pin == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
++			return (0);
++			}
++		return (1);
++	case PK11_CMD_SLOT:
++		SLOTID = (CK_SLOT_ID)i;
++#ifdef DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: slot set\n", PK11_DBG);
++#endif
++		return (1);
++	default:
++		break;
++		}
++
++	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
++
++	return (0);
++	}
++
++
++/* Required function by the engine random interface. It does nothing here */
++static void pk11_rand_cleanup(void)
++	{
++	return;
++	}
++
++/* ARGSUSED */
++static void pk11_rand_add(const void *buf, int num, double add)
++	{
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return;
++
++	/*
++	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
++	 * the calling functions do not care anyway
++	 */
++	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
++	pk11_return_session(sp, OP_RAND);
++
++	return;
++	}
++
++static void pk11_rand_seed(const void *buf, int num)
++	{
++	pk11_rand_add(buf, num, 0);
++	}
++
++static int pk11_rand_bytes(unsigned char *buf, int num)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return (0);
++
++	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
++		pk11_return_session(sp, OP_RAND);
++		return (0);
++		}
++
++	pk11_return_session(sp, OP_RAND);
++	return (1);
++	}
++
++/* Required function by the engine random interface. It does nothing here */
++static int pk11_rand_status(void)
++	{
++	return (1);
++	}
++
++/* Free all BIGNUM structures from PK11_SESSION. */
++static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	switch (optype)
++		{
++		case OP_RSA:
++			if (sp->opdata_rsa_n_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_n_num);
++				sp->opdata_rsa_n_num = NULL;
++				}
++			if (sp->opdata_rsa_e_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_e_num);
++				sp->opdata_rsa_e_num = NULL;
++				}
++			if (sp->opdata_rsa_d_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_d_num);
++				sp->opdata_rsa_d_num = NULL;
++				}
++			break;
++		default:
++			break;
++		}
++	}
++
++/*
++ * Get new PK11_SESSION structure ready for use. Every process must have
++ * its own freelist of PK11_SESSION structures so handle fork() here
++ * by destroying the old and creating new freelist.
++ * The returned PK11_SESSION structure is disconnected from the freelist.
++ */
++PK11_SESSION *
++pk11_get_session(PK11_OPTYPE optype)
++	{
++	PK11_SESSION *sp = NULL, *sp1, *freelist;
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock = NULL;
++#endif
++	CK_RV rv;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (NULL);
++		}
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp = freelist;
++
++	/*
++	 * If the free list is empty, allocate new unitialized (filled
++	 * with zeroes) PK11_SESSION structure otherwise return first
++	 * structure from the freelist.
++	 */
++	if (sp == NULL)
++		{
++		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		(void) memset(sp, 0, sizeof (PK11_SESSION));
++		}
++	else
++		{
++		freelist = sp->next;
++		}
++
++	if (sp->pid != 0 && sp->pid != getpid())
++		{
++		/*
++		 * We are a new process and thus need to free any inherited
++		 * PK11_SESSION objects.
++		 */
++		while ((sp1 = freelist) != NULL)
++			{
++			freelist = sp1->next;
++			/*
++			 * NOTE: we do not want to call pk11_free_all_sessions()
++			 * here because it would close underlying PKCS#11
++			 * sessions and destroy all objects.
++			 */
++			pk11_free_nums(sp1, optype);
++			OPENSSL_free(sp1);
++			}
++
++		/* we have to free the active list as well. */
++		pk11_free_active_list(optype);
++
++		/* Initialize the process */
++		rv = pFuncList->C_Initialize(NULL_PTR);
++		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/*
++		 * Choose slot here since the slot table is different on this
++		 * process. If we are here then we must have found at least one
++		 * usable slot before so we don't need to check any_slot_found.
++		 * See pk11_library_init()'s usage of this function for more
++		 * information.
++		 */
++		if (pk11_choose_slots(NULL) == 0)
++			goto err;
++
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/* It is an inherited session and needs re-initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++	if (sp->pid == 0)
++		{
++		/* It is a new session and needs initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++
++	/* set new head for the list of PK11_SESSION objects */
++	session_cache[optype].head = freelist;
++
++err:
++	if (sp != NULL)
++		sp->next = NULL;
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (sp);
++	}
++
++
++void
++pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	PK11_SESSION *freelist;
++
++	if (sp == NULL || sp->pid != getpid())
++		return;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_RETURN_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return;
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp->next = freelist;
++	session_cache[optype].head = sp;
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	}
++
++
++/* Destroy all objects. This function is called when the engine is finished */
++static int pk11_free_all_sessions()
++	{
++	int ret = 1;
++	int type;
++
++	(void) pk11_destroy_rsa_key_objects(NULL);
++
++	/*
++	 * We try to release as much as we can but any error means that we will
++	 * return 0 on exit.
++	 */
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (pk11_free_session_list(type) == 0)
++			ret = 0;
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy session structures from the linked list specified. Free as many
++ * sessions as possible but any failure in C_CloseSession() means that we
++ * return an error on return.
++ */
++static int pk11_free_session_list(PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *freelist = NULL;
++	pid_t mypid = getpid();
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	int ret = 1;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_FREE_ALL_SESSIONS,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	while ((sp = freelist) != NULL)
++		{
++		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
++			{
++			rv = pFuncList->C_CloseSession(sp->session);
++			if (rv != CKR_OK)
++				{
++				PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
++					PK11_R_CLOSESESSION, rv);
++				ret = 0;
++				}
++			}
++		freelist = sp->next;
++		pk11_free_nums(sp, optype);
++		OPENSSL_free(sp);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	return (ret);
++	}
++
++
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	CK_SLOT_ID myslot;
++
++	switch (optype)
++		{
++		case OP_RSA:
++			myslot = pubkey_SLOTID;
++			break;
++		case OP_RAND:
++			myslot = rand_SLOTID;
++			break;
++		default:
++			PK11err(PK11_F_SETUP_SESSION,
++			    PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++	sp->session = CK_INVALID_HANDLE;
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
++#endif	/* DEBUG_SLOT_SELECTION */
++	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++		NULL_PTR, NULL_PTR, &sp->session);
++	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
++		{
++		/*
++		 * We are probably a child process so force the
++		 * reinitialize of the session
++		 */
++		pk11_library_initialized = FALSE;
++		if (!pk11_library_init(NULL))
++			return (0);
++		rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &sp->session);
++		}
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
++		return (0);
++		}
++
++	sp->pid = getpid();
++
++	if (optype == OP_RSA)
++		{
++		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_pub = NULL;
++		sp->opdata_rsa_n_num = NULL;
++		sp->opdata_rsa_e_num = NULL;
++		sp->opdata_rsa_priv = NULL;
++		sp->opdata_rsa_d_num = NULL;
++		}
++
++	return (1);
++	}
++
++/* Destroy RSA public key from single session. */
++int
++pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
++		    ret, uselock, OP_RSA);
++		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_pub = NULL;
++		if (sp->opdata_rsa_n_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_n_num);
++			sp->opdata_rsa_n_num = NULL;
++			}
++		if (sp->opdata_rsa_e_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_e_num);
++			sp->opdata_rsa_e_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/* Destroy RSA private key from single session. */
++int
++pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DELETE(sp->session,
++			       sp->opdata_rsa_priv_key,
++			       ret, uselock, OP_RSA);
++		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_priv = NULL;
++		if (sp->opdata_rsa_d_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_d_num);
++			sp->opdata_rsa_d_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_rsa_key_objects(PK11_SESSION *session)
++	{
++	int ret = 1;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++	CK_BBOOL uselock = TRUE;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_RSA].head;
++		uselock = FALSE;
++		}
++
++	/*
++	 * go through the list of sessions and delete key objects
++	 */
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		/*
++		 * Do not terminate list traversal if one of the
++		 * destroy operations fails.
++		 */
++		if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		}
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++
++static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
++	{
++	CK_RV rv;
++	rv = pFuncList->C_DestroyObject(session, oh);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
++		    rv);
++		return (0);
++		}
++
++	return (1);
++	}
++
++
++/*
++ * Public key mechanisms optionally supported
++ *
++ * CKM_RSA_X_509
++ * CKM_RSA_PKCS
++ *
++ * The first slot that supports at least one of those mechanisms is chosen as a
++ * public key slot.
++ *
++ * The output of this function is a set of global variables indicating which
++ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
++ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
++ * variables carry information about which slot was chosen for (a) public key
++ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
++ */
++static int
++pk11_choose_slots(int *any_slot_found)
++	{
++	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++	CK_ULONG ulSlotCount = 0;
++	CK_MECHANISM_INFO mech_info;
++	CK_TOKEN_INFO token_info;
++	unsigned int i;
++	CK_RV rv;
++	CK_SLOT_ID best_slot_sofar = 0;
++	CK_BBOOL found_candidate_slot = CK_FALSE;
++	CK_SLOT_ID current_slot = 0;
++
++	/* let's initialize the output parameter */
++	if (any_slot_found != NULL)
++		*any_slot_found = 0;
++
++	/* Get slot list for memory allocation */
++	rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		return (0);
++		}
++
++	/* it's not an error if we didn't find any providers */
++	if (ulSlotCount == 0)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		return (1);
++		}
++
++	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++
++	if (pSlotList == NULL)
++		{
++		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
++		return (0);
++		}
++
++	/* Get the slot list for processing */
++	rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		OPENSSL_free(pSlotList);
++		return (0);
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
++	fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
++
++	fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		/* Check if slot has random support. */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		if (token_info.flags & CKF_RNG)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++			pk11_have_random = CK_TRUE;
++			rand_SLOTID = current_slot;
++			break;
++			}
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	pubkey_SLOTID = pSlotList[0];
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		CK_BBOOL slot_has_rsa = CK_FALSE;
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		/*
++		 * Check if this slot is capable of signing with CKM_RSA_PKCS.
++		 */
++		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
++			&mech_info);
++
++		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN)))
++			{
++			slot_has_rsa = CK_TRUE;
++			}
++
++		if (!found_candidate_slot && slot_has_rsa)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: potential slot: %d\n", PK11_DBG, current_slot);
++#endif	/* DEBUG_SLOT_SELECTION */
++			best_slot_sofar = current_slot;
++			pk11_have_rsa = slot_has_rsa;
++			found_candidate_slot = CK_TRUE;
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: setting found_candidate_slot to CK_TRUE\n",
++			    PK11_DBG);
++			fprintf(stderr,
++			    "%s: best so far slot: %d\n", PK11_DBG,
++			    best_slot_sofar);
++			}
++		else
++			{
++			fprintf(stderr,
++			    "%s: no rsa\n", PK11_DBG);
++			}
++#else
++			} /* if */
++#endif	/* DEBUG_SLOT_SELECTION */
++		} /* for */
++
++	if (found_candidate_slot)
++		{
++		pubkey_SLOTID = best_slot_sofar;
++		}
++
++	/*SLOTID = pSlotList[0];*/
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr,
++	    "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
++	fprintf(stderr,
++	    "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
++	fprintf(stderr,
++	    "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
++	fprintf(stderr,
++	    "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	if (pSlotList != NULL)
++		OPENSSL_free(pSlotList);
++
++	if (any_slot_found != NULL)
++		*any_slot_found = 1;
++	return (1);
++	}
++
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11.c	Fri Aug 28 06:31:09 2009
+@@ -0,0 +1,3916 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#ifndef OPENSSL_NO_RSA
++#include 
++#endif
++#ifndef OPENSSL_NO_DSA
++#include 
++#endif
++#ifndef OPENSSL_NO_DH
++#include 
++#endif
++#include 
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++typedef int pid_t;
++#define getpid() GetCurrentProcessId()
++#define NOPTHREADS
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#include 
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++
++/* label for debug messages printed on stderr */
++#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
++/* prints a lot of debug messages on stderr about slot selection process */
++#undef	DEBUG_SLOT_SELECTION
++/*
++ * Solaris specific code. See comment at check_hw_mechanisms() for more
++ * information.
++ */
++#if defined (__SVR4) && defined (__sun)
++#undef	SOLARIS_HW_SLOT_SELECTION
++#endif
++
++/*
++ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
++ * there are official OIDs for mechanisms based on this mode. With our changes,
++ * an application can define its own EVP calls for AES counter mode and then
++ * it can make use of hardware acceleration through this engine. However, it's
++ * better if we keep AES CTR support code under ifdef's.
++ */
++#define	SOLARIS_AES_CTR
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11_err.c"
++
++#ifdef	SOLARIS_AES_CTR
++/*
++ * NIDs for AES counter mode that will be defined during the engine
++ * initialization.
++ */
++int NID_aes_128_ctr = NID_undef;
++int NID_aes_192_ctr = NID_undef;
++int NID_aes_256_ctr = NID_undef;
++#endif	/* SOLARIS_AES_CTR */
++
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++/*
++ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
++ * library. See comment at check_hw_mechanisms() for more information.
++ */
++int *hw_cnids;
++int *hw_dnids;
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++
++/* PKCS#11 session caches and their locks for all operation types */
++static PK11_CACHE session_cache[OP_MAX];
++
++/*
++ * As stated in v2.20, 11.7 Object Management Function, in section for
++ * C_FindObjectsInit(), at most one search operation may be active at a given
++ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
++ * grouped together to form one atomic search operation. This is already
++ * ensured by the property of unique PKCS#11 session handle used for each
++ * PK11_SESSION object.
++ *
++ * This is however not the biggest concern - maintaining consistency of the
++ * underlying object store is more important. The same section of the spec also
++ * says that one thread can be in the middle of a search operation while another
++ * thread destroys the object matching the search template which would result in
++ * invalid handle returned from the search operation.
++ *
++ * Hence, the following locks are used for both protection of the object stores.
++ * They are also used for active list protection.
++ */
++#ifndef NOPTHREADS
++pthread_mutex_t *find_lock[OP_MAX] = { NULL };
++#endif
++
++/*
++ * lists of asymmetric key handles which are active (referenced by at least one
++ * PK11_SESSION structure, either held by a thread or present in free_session
++ * list) for given algorithm type
++ */
++PK11_active *active_list[OP_MAX] = { NULL };
++
++/*
++ * Create all secret key objects in a global session so that they are available
++ * to use for other sessions. These other sessions may be opened or closed
++ * without losing the secret key objects.
++ */
++static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
++
++/* ENGINE level stuff */
++static int pk11_init(ENGINE *e);
++static int pk11_library_init(ENGINE *e);
++static int pk11_finish(ENGINE *e);
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
++static int pk11_destroy(ENGINE *e);
++
++/* RAND stuff */
++static void pk11_rand_seed(const void *buf, int num);
++static void pk11_rand_add(const void *buf, int num, double add_entropy);
++static void pk11_rand_cleanup(void);
++static int pk11_rand_bytes(unsigned char *buf, int num);
++static int pk11_rand_status(void);
++
++/* These functions are also used in other files */
++PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++/* active list manipulation functions used in this file */
++extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
++extern void pk11_free_active_list(PK11_OPTYPE type);
++
++#ifndef OPENSSL_NO_RSA
++int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++#endif
++#ifndef OPENSSL_NO_DSA
++int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++#endif
++#ifndef OPENSSL_NO_DH
++int pk11_destroy_dh_key_objects(PK11_SESSION *session);
++int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
++#endif
++
++/* Local helper functions */
++static int pk11_free_all_sessions(void);
++static int pk11_free_session_list(PK11_OPTYPE optype);
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
++static int pk11_destroy_object(CK_SESSION_HANDLE session,
++	CK_OBJECT_HANDLE oh);
++static const char *get_PK11_LIBNAME(void);
++static void free_PK11_LIBNAME(void);
++static long set_PK11_LIBNAME(const char *name);
++
++/* Symmetric cipher and digest support functions */
++static int cipher_nid_to_pk11(int nid);
++#ifdef	SOLARIS_AES_CTR
++static int pk11_add_NID(char *sn, char *ln);
++static int pk11_add_aes_ctr_NIDs(void);
++#endif	/* SOLARIS_AES_CTR */
++static int pk11_usable_ciphers(const int **nids);
++static int pk11_usable_digests(const int **nids);
++static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++	const unsigned char *iv, int enc);
++static int pk11_cipher_final(PK11_SESSION *sp);
++static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++	const unsigned char *in, unsigned int inl);
++static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
++static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
++	const int **nids, int nid);
++static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
++	const int **nids, int nid);
++static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
++	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
++static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
++	int key_len);
++static int md_nid_to_pk11(int nid);
++static int pk11_digest_init(EVP_MD_CTX *ctx);
++static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
++	size_t count);
++static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
++static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
++static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
++
++static int pk11_choose_slots(int *any_slot_found);
++static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
++    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
++    int *local_cipher_nids);
++static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
++    CK_SLOT_ID current_slot, int *current_slot_n_digest,
++    int *local_digest_nids);
++static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
++    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
++    int id);
++static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
++    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
++    int id);
++
++static int pk11_init_all_locks(void);
++static void pk11_free_all_locks(void);
++
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++static int check_hw_mechanisms(void);
++static int nid_in_table(int nid, int *nid_table);
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++
++/* Index for the supported ciphers */
++enum pk11_cipher_id {
++	PK11_DES_CBC,
++	PK11_DES3_CBC,
++	PK11_DES_ECB,
++	PK11_DES3_ECB,
++	PK11_RC4,
++	PK11_AES_128_CBC,
++	PK11_AES_192_CBC,
++	PK11_AES_256_CBC,
++	PK11_AES_128_ECB,
++	PK11_AES_192_ECB,
++	PK11_AES_256_ECB,
++	PK11_BLOWFISH_CBC,
++#ifdef	SOLARIS_AES_CTR
++	PK11_AES_128_CTR,
++	PK11_AES_192_CTR,
++	PK11_AES_256_CTR,
++#endif	/* SOLARIS_AES_CTR */
++	PK11_CIPHER_MAX
++};
++
++/* Index for the supported digests */
++enum pk11_digest_id {
++	PK11_MD5,
++	PK11_SHA1,
++	PK11_SHA224,
++	PK11_SHA256,
++	PK11_SHA384,
++	PK11_SHA512,
++	PK11_DIGEST_MAX
++};
++
++#define	TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
++		{							\
++		retval = pk11_destroy_object(sess_hdl, obj_hdl);	\
++		}							\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++#define	TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	(void) pk11_active_delete(obj_hdl, alg_type);			\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++static int cipher_nids[PK11_CIPHER_MAX];
++static int digest_nids[PK11_DIGEST_MAX];
++static int cipher_count		= 0;
++static int digest_count		= 0;
++static CK_BBOOL pk11_have_rsa	= CK_FALSE;
++static CK_BBOOL pk11_have_recover = CK_FALSE;
++static CK_BBOOL pk11_have_dsa	= CK_FALSE;
++static CK_BBOOL pk11_have_dh	= CK_FALSE;
++static CK_BBOOL pk11_have_random = CK_FALSE;
++
++typedef struct PK11_CIPHER_st
++	{
++	enum pk11_cipher_id	id;
++	int			nid;
++	int			iv_len;
++	int			key_len;
++	CK_KEY_TYPE		key_type;
++	CK_MECHANISM_TYPE	mech_type;
++	} PK11_CIPHER;
++
++static PK11_CIPHER ciphers[] =
++	{
++	{ PK11_DES_CBC,		NID_des_cbc,		8,	8,
++		CKK_DES,	CKM_DES_CBC, },
++	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,
++		CKK_DES3,	CKM_DES3_CBC, },
++	{ PK11_DES_ECB,		NID_des_ecb,		0,	8,
++		CKK_DES,	CKM_DES_ECB, },
++	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,
++		CKK_DES3,	CKM_DES3_ECB, },
++	{ PK11_RC4,		NID_rc4,		0,	16,
++		CKK_RC4,	CKM_RC4, },
++	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,
++		CKK_AES,	CKM_AES_CBC, },
++	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,
++		CKK_AES,	CKM_AES_CBC, },
++	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,
++		CKK_AES,	CKM_AES_CBC, },
++	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,
++		CKK_AES,	CKM_AES_ECB, },
++	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,
++		CKK_AES,	CKM_AES_ECB, },
++	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,
++		CKK_AES,	CKM_AES_ECB, },
++	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,
++		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
++#ifdef	SOLARIS_AES_CTR
++	/* we don't know the correct NIDs until the engine is initialized */
++	{ PK11_AES_128_CTR,	NID_undef,		16,	16,
++		CKK_AES,	CKM_AES_CTR, },
++	{ PK11_AES_192_CTR,	NID_undef,		16,	24,
++		CKK_AES,	CKM_AES_CTR, },
++	{ PK11_AES_256_CTR,	NID_undef,		16,	32,
++		CKK_AES,	CKM_AES_CTR, },
++#endif	/* SOLARIS_AES_CTR */
++	};
++
++typedef struct PK11_DIGEST_st
++	{
++	enum pk11_digest_id	id;
++	int			nid;
++	CK_MECHANISM_TYPE	mech_type;
++	} PK11_DIGEST;
++
++static PK11_DIGEST digests[] =
++	{
++	{PK11_MD5,	NID_md5,	CKM_MD5, },
++	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
++	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
++	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
++	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
++	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
++	{0,		NID_undef,	0xFFFF, },
++	};
++
++/*
++ * Structure to be used for the cipher_data/md_data in
++ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
++ * session in multiple cipher_update calls
++ */
++typedef struct PK11_CIPHER_STATE_st
++	{
++	PK11_SESSION	*sp;
++	} PK11_CIPHER_STATE;
++
++
++/*
++ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
++ * called when libcrypto requests a cipher NID.
++ *
++ * Note how the PK11_CIPHER_STATE is used here.
++ */
++
++/* DES CBC EVP */
++static const EVP_CIPHER pk11_des_cbc =
++	{
++	NID_des_cbc,
++	8, 8, 8,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++/* 3DES CBC EVP */
++static const EVP_CIPHER pk11_3des_cbc =
++	{
++	NID_des_ede3_cbc,
++	8, 24, 8,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++/*
++ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
++ * get_asn1_parameters fields are set to NULL.
++ */
++static const EVP_CIPHER pk11_des_ecb =
++	{
++	NID_des_ecb,
++	8, 8, 8,
++	EVP_CIPH_ECB_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_3des_ecb =
++	{
++	NID_des_ede3_ecb,
++	8, 24, 8,
++	EVP_CIPH_ECB_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++
++static const EVP_CIPHER pk11_aes_128_cbc =
++	{
++	NID_aes_128_cbc,
++	16, 16, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_aes_192_cbc =
++	{
++	NID_aes_192_cbc,
++	16, 24, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_aes_256_cbc =
++	{
++	NID_aes_256_cbc,
++	16, 32, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++/*
++ * ECB modes don't use IV so that's why set_asn1_parameters and
++ * get_asn1_parameters are set to NULL.
++ */
++static const EVP_CIPHER pk11_aes_128_ecb =
++	{
++	NID_aes_128_ecb,
++	16, 16, 0,
++	EVP_CIPH_ECB_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_aes_192_ecb =
++	{
++	NID_aes_192_ecb,
++	16, 24, 0,
++	EVP_CIPH_ECB_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_aes_256_ecb =
++	{
++	NID_aes_256_ecb,
++	16, 32, 0,
++	EVP_CIPH_ECB_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++#ifdef	SOLARIS_AES_CTR
++/*
++ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
++ * created in pk11_library_init(). Note that the need to change these structures
++ * is the reason why we don't define them with the const keyword.
++ */
++static EVP_CIPHER pk11_aes_128_ctr =
++	{
++	NID_undef,
++	16, 16, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++static EVP_CIPHER pk11_aes_192_ctr =
++	{
++	NID_undef,
++	16, 24, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++static EVP_CIPHER pk11_aes_256_ctr =
++	{
++	NID_undef,
++	16, 32, 16,
++	EVP_CIPH_CBC_MODE,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++#endif	/* SOLARIS_AES_CTR */
++
++static const EVP_CIPHER pk11_bf_cbc =
++	{
++	NID_bf_cbc,
++	8, 16, 8,
++	EVP_CIPH_VARIABLE_LENGTH,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	EVP_CIPHER_set_asn1_iv,
++	EVP_CIPHER_get_asn1_iv,
++	NULL
++	};
++
++static const EVP_CIPHER pk11_rc4 =
++	{
++	NID_rc4,
++	1, 16, 0,
++	EVP_CIPH_VARIABLE_LENGTH,
++	pk11_cipher_init,
++	pk11_cipher_do_cipher,
++	pk11_cipher_cleanup,
++	sizeof (PK11_CIPHER_STATE),
++	NULL,
++	NULL,
++	NULL
++	};
++
++static const EVP_MD pk11_md5 =
++	{
++	NID_md5,
++	NID_md5WithRSAEncryption,
++	MD5_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	MD5_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++static const EVP_MD pk11_sha1 =
++	{
++	NID_sha1,
++	NID_sha1WithRSAEncryption,
++	SHA_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++static const EVP_MD pk11_sha224 =
++	{
++	NID_sha224,
++	NID_sha224WithRSAEncryption,
++	SHA224_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	/* SHA-224 uses the same cblock size as SHA-256 */
++	SHA256_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++static const EVP_MD pk11_sha256 =
++	{
++	NID_sha256,
++	NID_sha256WithRSAEncryption,
++	SHA256_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA256_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++static const EVP_MD pk11_sha384 =
++	{
++	NID_sha384,
++	NID_sha384WithRSAEncryption,
++	SHA384_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	/* SHA-384 uses the same cblock size as SHA-512 */
++	SHA512_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++static const EVP_MD pk11_sha512 =
++	{
++	NID_sha512,
++	NID_sha512WithRSAEncryption,
++	SHA512_DIGEST_LENGTH,
++	0,
++	pk11_digest_init,
++	pk11_digest_update,
++	pk11_digest_final,
++	pk11_digest_copy,
++	pk11_digest_cleanup,
++	EVP_PKEY_RSA_method,
++	SHA512_CBLOCK,
++	sizeof (PK11_CIPHER_STATE),
++	};
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * The definitions for control commands specific to this engine
++ */
++#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
++#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
++#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
++static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
++	{
++		{
++		PK11_CMD_SO_PATH,
++		"SO_PATH",
++		"Specifies the path to the 'pkcs#11' shared library",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_PIN,
++		"PIN",
++		"Specifies the pin code",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_SLOT,
++		"SLOT",
++		"Specifies the slot (default is auto select)",
++		ENGINE_CMD_FLAG_NUMERIC,
++		},
++		{0, NULL, NULL, 0}
++	};
++
++
++static RAND_METHOD pk11_random =
++	{
++	pk11_rand_seed,
++	pk11_rand_bytes,
++	pk11_rand_cleanup,
++	pk11_rand_add,
++	pk11_rand_bytes,
++	pk11_rand_status
++	};
++
++
++/* Constants used when creating the ENGINE */
++static const char *engine_pk11_id = "pkcs11";
++static const char *engine_pk11_name = "PKCS #11 engine support";
++
++CK_FUNCTION_LIST_PTR pFuncList = NULL;
++static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
++
++/*
++ * These is the static string constant for the DSO file name and the function
++ * symbol names to bind to.
++ */
++static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
++
++static CK_BBOOL true = TRUE;
++static CK_BBOOL false = FALSE;
++static CK_SLOT_ID pubkey_SLOTID = 0;
++static CK_SLOT_ID rand_SLOTID = 0;
++static CK_SLOT_ID SLOTID = 0;
++char *pk11_pin = NULL;
++static CK_BBOOL pk11_library_initialized = FALSE;
++static CK_BBOOL pk11_atfork_initialized = FALSE;
++static int pk11_pid = 0;
++
++static DSO *pk11_dso = NULL;
++
++/* allocate and initialize all locks used by the engine itself */
++static int pk11_init_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++#ifndef OPENSSL_NO_RSA
++	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++	if (find_lock[OP_RSA] == NULL)
++		goto malloc_err;
++	(void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++#endif /* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++	if (find_lock[OP_DSA] == NULL)
++		goto malloc_err;
++	(void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++#endif /* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++	if (find_lock[OP_DH] == NULL)
++		goto malloc_err;
++	(void) pthread_mutex_init(find_lock[OP_DH], NULL);
++#endif /* OPENSSL_NO_DH */
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		session_cache[type].lock =
++		    OPENSSL_malloc(sizeof (pthread_mutex_t));
++		if (session_cache[type].lock == NULL)
++			goto malloc_err;
++		(void) pthread_mutex_init(session_cache[type].lock, NULL);
++		}
++
++	return (1);
++
++malloc_err:
++	pk11_free_all_locks();
++	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
++	return (0);
++#else
++	return (1);
++#endif
++	}
++
++static void pk11_free_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++#ifndef OPENSSL_NO_RSA
++	if (find_lock[OP_RSA] != NULL)
++		{
++		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
++		OPENSSL_free(find_lock[OP_RSA]);
++		find_lock[OP_RSA] = NULL;
++		}
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++	if (find_lock[OP_DSA] != NULL)
++		{
++		(void) pthread_mutex_destroy(find_lock[OP_DSA]);
++		OPENSSL_free(find_lock[OP_DSA]);
++		find_lock[OP_DSA] = NULL;
++		}
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++	if (find_lock[OP_DH] != NULL)
++		{
++		(void) pthread_mutex_destroy(find_lock[OP_DH]);
++		OPENSSL_free(find_lock[OP_DH]);
++		find_lock[OP_DH] = NULL;
++		}
++#endif /* OPENSSL_NO_DH */
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (session_cache[type].lock != NULL)
++			{
++			(void) pthread_mutex_destroy(session_cache[type].lock);
++			OPENSSL_free(session_cache[type].lock);
++			session_cache[type].lock = NULL;
++			}
++		}
++#endif
++	}
++
++/*
++ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
++ */
++static int bind_pk11(ENGINE *e)
++	{
++#ifndef OPENSSL_NO_RSA
++	const RSA_METHOD *rsa = NULL;
++	RSA_METHOD *pk11_rsa = PK11_RSA();
++#endif	/* OPENSSL_NO_RSA */
++	if (!pk11_library_initialized)
++		if (!pk11_library_init(e))
++			return (0);
++
++	if (!ENGINE_set_id(e, engine_pk11_id) ||
++	    !ENGINE_set_name(e, engine_pk11_name) ||
++	    !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
++	    !ENGINE_set_digests(e, pk11_engine_digests))
++		return (0);
++#ifndef OPENSSL_NO_RSA
++	if (pk11_have_rsa == CK_TRUE)
++		{
++		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
++		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
++		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++#endif	/* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++	if (pk11_have_dsa == CK_TRUE)
++		{
++		if (!ENGINE_set_DSA(e, PK11_DSA()))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++#endif	/* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++	if (pk11_have_dh == CK_TRUE)
++		{
++		if (!ENGINE_set_DH(e, PK11_DH()))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered DH\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++#endif	/* OPENSSL_NO_DH */
++	if (pk11_have_random)
++		{
++		if (!ENGINE_set_RAND(e, &pk11_random))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered random\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++	if (!ENGINE_set_init_function(e, pk11_init) ||
++	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
++	    !ENGINE_set_finish_function(e, pk11_finish) ||
++	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
++	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
++		return (0);
++
++/*
++ * Apache calls OpenSSL function RSA_blinding_on() once during startup
++ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
++ * here, we wire it back to the OpenSSL software implementation.
++ * Since it is used only once, performance is not a concern.
++ */
++#ifndef OPENSSL_NO_RSA
++	rsa = RSA_PKCS1_SSLeay();
++	pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
++	pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
++	if (pk11_have_recover != CK_TRUE)
++		pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
++#endif	/* OPENSSL_NO_RSA */
++
++	/* Ensure the pk11 error handling is set up */
++	ERR_load_pk11_strings();
++
++	return (1);
++	}
++
++/* Dynamic engine support is disabled at a higher level for Solaris */
++#ifdef	ENGINE_DYNAMIC_SUPPORT
++static int bind_helper(ENGINE *e, const char *id)
++	{
++	if (id && (strcmp(id, engine_pk11_id) != 0))
++		return (0);
++
++	if (!bind_pk11(e))
++		return (0);
++
++	return (1);
++	}
++
++IMPLEMENT_DYNAMIC_CHECK_FN()
++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
++
++#else
++static ENGINE *engine_pk11(void)
++	{
++	ENGINE *ret = ENGINE_new();
++
++	if (!ret)
++		return (NULL);
++
++	if (!bind_pk11(ret))
++		{
++		ENGINE_free(ret);
++		return (NULL);
++		}
++
++	return (ret);
++	}
++
++void
++ENGINE_load_pk11(void)
++	{
++	ENGINE *e_pk11 = NULL;
++
++	/*
++	 * Do not use dynamic PKCS#11 library on Solaris due to
++	 * security reasons. We will link it in statically.
++	 */
++	/* Attempt to load PKCS#11 library */
++	if (!pk11_dso)
++		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
++		return;
++		}
++
++	e_pk11 = engine_pk11();
++	if (!e_pk11)
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		return;
++		}
++
++	/*
++	 * At this point, the pk11 shared library is either dynamically
++	 * loaded or statically linked in. So, initialize the pk11
++	 * library before calling ENGINE_set_default since the latter
++	 * needs cipher and digest algorithm information
++	 */
++	if (!pk11_library_init(e_pk11))
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		ENGINE_free(e_pk11);
++		return;
++		}
++
++	ENGINE_add(e_pk11);
++
++	ENGINE_free(e_pk11);
++	ERR_clear_error();
++	}
++#endif	/* ENGINE_DYNAMIC_SUPPORT */
++
++/*
++ * These are the static string constants for the DSO file name and
++ * the function symbol names to bind to.
++ */
++static const char *PK11_LIBNAME = NULL;
++
++static const char *get_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		return (PK11_LIBNAME);
++
++	return (def_PK11_LIBNAME);
++	}
++
++static void free_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		OPENSSL_free((void*)PK11_LIBNAME);
++
++	PK11_LIBNAME = NULL;
++	}
++
++static long set_PK11_LIBNAME(const char *name)
++	{
++	free_PK11_LIBNAME();
++
++	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
++	}
++
++/* acquire all engine specific mutexes before fork */
++static void pk11_fork_prepare(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	LOCK_OBJSTORE(OP_RSA);
++	LOCK_OBJSTORE(OP_DSA);
++	LOCK_OBJSTORE(OP_DH);
++	for (i = 0; i < OP_MAX; i++)
++		{
++		(void) pthread_mutex_lock(session_cache[i].lock);
++		}
++#endif
++	}
++
++/* release all engine specific mutexes */
++static void pk11_fork_parent(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_DH);
++	UNLOCK_OBJSTORE(OP_DSA);
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/*
++ * same situation as in parent - we need to unlock all locks to make them
++ * accessible to all threads.
++ */
++static void pk11_fork_child(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_DH);
++	UNLOCK_OBJSTORE(OP_DSA);
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/* Initialization function for the pk11 engine */
++static int pk11_init(ENGINE *e)
++{
++	return (pk11_library_init(e));
++}
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * It selects a slot based on predefined critiera. In the process, it also
++ * count how many ciphers and digests to support. Since the cipher and
++ * digest information is needed when setting default engine, this function
++ * needs to be called before calling ENGINE_set_default.
++ */
++/* ARGSUSED */
++static int pk11_library_init(ENGINE *e)
++	{
++	CK_C_GetFunctionList p;
++	CK_RV rv = CKR_OK;
++	CK_INFO info;
++	CK_ULONG ul_state_len;
++	int any_slot_found;
++	int i;
++#ifndef OPENSSL_SYS_WIN32
++	struct sigaction sigint_act, sigterm_act, sighup_act;
++#endif
++
++	/*
++	 * pk11_library_initialized is set to 0 in pk11_finish() which is called
++	 * from ENGINE_finish(). However, if there is still at least one
++	 * existing functional reference to the engine (see engine(3) for more
++	 * information), pk11_finish() is skipped. For example, this can happen
++	 * if an application forgets to clear one cipher context. In case of a
++	 * fork() when the application is finishing the engine so that it can be
++	 * reinitialized in the child, forgotten functional reference causes
++	 * pk11_library_initialized to stay 1. In that case we need the PID
++	 * check so that we properly initialize the engine again.
++	 */
++	if (pk11_library_initialized)
++		{
++		if (pk11_pid == getpid())
++			{
++			return (1);
++			}
++		else
++			{
++			global_session = CK_INVALID_HANDLE;
++			/*
++			 * free the locks first to prevent memory leak in case
++			 * the application calls fork() without finishing the
++			 * engine first.
++			 */
++			pk11_free_all_locks();
++			}
++		}
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++#ifdef	SOLARIS_AES_CTR
++	/*
++	 * We must do this before we start working with slots since we need all
++	 * NIDs there.
++	 */
++	if (pk11_add_aes_ctr_NIDs() == 0)
++		goto err;
++#endif	/* SOLARIS_AES_CTR */
++
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++	if (check_hw_mechanisms() == 0)
++		goto err;
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++
++	/* get the C_GetFunctionList function from the loaded library */
++	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
++		PK11_GET_FUNCTION_LIST);
++	if (!p)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the full function list from the loaded library */
++	rv = p(&pFuncList);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
++		goto err;
++		}
++
++#ifndef OPENSSL_SYS_WIN32
++	/* Not all PKCS#11 library are signal safe! */
++
++	(void) memset(&sigint_act, 0, sizeof(sigint_act));
++	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
++	(void) memset(&sighup_act, 0, sizeof(sighup_act));
++	(void) sigaction(SIGINT, NULL, &sigint_act);
++	(void) sigaction(SIGTERM, NULL, &sigterm_act);
++	(void) sigaction(SIGHUP, NULL, &sighup_act);
++#endif
++	rv = pFuncList->C_Initialize(NULL_PTR);
++#ifndef OPENSSL_SYS_WIN32
++	(void) sigaction(SIGINT, &sigint_act, NULL);
++	(void) sigaction(SIGTERM, &sigterm_act, NULL);
++	(void) sigaction(SIGHUP, &sighup_act, NULL);
++#endif
++	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_GetInfo(&info);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
++		goto err;
++		}
++
++	if (pk11_choose_slots(&any_slot_found) == 0)
++		goto err;
++
++	/*
++	 * The library we use, set in def_PK11_LIBNAME, may not offer any
++	 * slot(s). In that case, we must not proceed but we must not return an
++	 * error. The reason is that applications that try to set up the PKCS#11
++	 * engine don't exit on error during the engine initialization just
++	 * because no slot was present.
++	 */
++	if (any_slot_found == 0)
++		return (1);
++
++	if (global_session == CK_INVALID_HANDLE)
++		{
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LIBRARY_INIT,
++			    PK11_R_OPENSESSION, rv);
++			goto err;
++			}
++		}
++
++	/*
++	 * Disable digest if C_GetOperationState is not supported since
++	 * this function is required by OpenSSL digest copy function
++	 */
++	/* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
++	if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
++			!= CKR_OK) {
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: C_GetOperationState() not supported, "
++		    "setting digest_count to 0\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		digest_count = 0;
++	}
++
++	pk11_library_initialized = TRUE;
++	pk11_pid = getpid();
++	/*
++	 * if initialization of the locks fails pk11_init_all_locks()
++	 * will do the cleanup.
++	 */
++	if (!pk11_init_all_locks())
++		goto err;
++	for (i = 0; i < OP_MAX; i++)
++		session_cache[i].head = NULL;
++	/*
++	 * initialize active lists. We only use active lists
++	 * for asymmetric ciphers.
++	 */
++	for (i = 0; i < OP_MAX; i++)
++		active_list[i] = NULL;
++
++#ifndef NOPTHREADS
++	if (!pk11_atfork_initialized)
++		{
++		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
++		    pk11_fork_child) != 0)
++			{
++			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
++			goto err;
++			}
++		pk11_atfork_initialized = TRUE;
++		}
++#endif
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Destructor (complements the "ENGINE_pk11()" constructor) */
++/* ARGSUSED */
++static int pk11_destroy(ENGINE *e)
++	{
++	free_PK11_LIBNAME();
++	ERR_unload_pk11_strings();
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++	return (1);
++	}
++
++/*
++ * Termination function to clean up the session, the token, and the pk11
++ * library.
++ */
++/* ARGSUSED */
++static int pk11_finish(ENGINE *e)
++	{
++	int i;
++
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
++		goto err;
++		}
++
++	OPENSSL_assert(pFuncList != NULL);
++
++	if (pk11_free_all_sessions() == 0)
++		goto err;
++
++	/* free all active lists */
++	for (i = 0; i < OP_MAX; i++)
++		pk11_free_active_list(i);
++
++	pFuncList->C_CloseSession(global_session);
++	global_session = CK_INVALID_HANDLE;
++
++	/*
++	 * Since we are part of a library (libcrypto.so), calling this function
++	 * may have side-effects.
++	 */
++#if 0
++	pFuncList->C_Finalize(NULL);
++#endif
++
++	if (!DSO_free(pk11_dso))
++		{
++		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++	pk11_dso = NULL;
++	pFuncList = NULL;
++	pk11_library_initialized = FALSE;
++	pk11_pid = 0;
++	/*
++	 * There is no way how to unregister atfork handlers (other than
++	 * unloading the library) so we just free the locks. For this reason
++	 * the atfork handlers check if the engine is initialized and bail out
++	 * immediately if not. This is necessary in case a process finishes
++	 * the engine before calling fork().
++	 */
++	pk11_free_all_locks();
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Standard engine interface function to set the dynamic library path */
++/* ARGSUSED */
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
++	{
++	int initialized = ((pk11_dso == NULL) ? 0 : 1);
++
++	switch (cmd)
++		{
++	case PK11_CMD_SO_PATH:
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		if (initialized)
++			{
++			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
++			return (0);
++			}
++
++		return (set_PK11_LIBNAME((const char *)p));
++	case PK11_CMD_PIN:
++		if (pk11_pin) {
++			memset(pk11_pin, 0, strlen(pk11_pin));
++			OPENSSL_free((void*)pk11_pin);
++		}
++		pk11_pin = NULL;
++
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		pk11_pin = BUF_strdup(p);
++		if (pk11_pin == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
++			return (0);
++			}
++		return (1);
++	case PK11_CMD_SLOT:
++		SLOTID = (CK_SLOT_ID)i;
++#ifdef DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: slot set\n", PK11_DBG);
++#endif
++		return (1);
++	default:
++		break;
++		}
++
++	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
++
++	return (0);
++	}
++
++
++/* Required function by the engine random interface. It does nothing here */
++static void pk11_rand_cleanup(void)
++	{
++	return;
++	}
++
++/* ARGSUSED */
++static void pk11_rand_add(const void *buf, int num, double add)
++	{
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return;
++
++	/*
++	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
++	 * the calling functions do not care anyway
++	 */
++	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
++	pk11_return_session(sp, OP_RAND);
++
++	return;
++	}
++
++static void pk11_rand_seed(const void *buf, int num)
++	{
++	pk11_rand_add(buf, num, 0);
++	}
++
++static int pk11_rand_bytes(unsigned char *buf, int num)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return (0);
++
++	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
++		pk11_return_session(sp, OP_RAND);
++		return (0);
++		}
++
++	pk11_return_session(sp, OP_RAND);
++	return (1);
++	}
++
++/* Required function by the engine random interface. It does nothing here */
++static int pk11_rand_status(void)
++	{
++	return (1);
++	}
++
++/* Free all BIGNUM structures from PK11_SESSION. */
++static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	switch (optype)
++		{
++#ifndef	OPENSSL_NO_RSA
++		case OP_RSA:
++			if (sp->opdata_rsa_n_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_n_num);
++				sp->opdata_rsa_n_num = NULL;
++				}
++			if (sp->opdata_rsa_e_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_e_num);
++				sp->opdata_rsa_e_num = NULL;
++				}
++			if (sp->opdata_rsa_d_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_d_num);
++				sp->opdata_rsa_d_num = NULL;
++				}
++			break;
++#endif
++#ifndef	OPENSSL_NO_DSA
++		case OP_DSA:
++			if (sp->opdata_dsa_pub_num != NULL)
++				{
++				BN_free(sp->opdata_dsa_pub_num);
++				sp->opdata_dsa_pub_num = NULL;
++				}
++			if (sp->opdata_dsa_priv_num != NULL)
++				{
++				BN_free(sp->opdata_dsa_priv_num);
++				sp->opdata_dsa_priv_num = NULL;
++				}
++			break;
++#endif
++#ifndef	OPENSSL_NO_DH
++		case OP_DH:
++			if (sp->opdata_dh_priv_num != NULL)
++				{
++				BN_free(sp->opdata_dh_priv_num);
++				sp->opdata_dh_priv_num = NULL;
++				}
++			break;
++#endif
++		default:
++			break;
++		}
++	}
++
++/*
++ * Get new PK11_SESSION structure ready for use. Every process must have
++ * its own freelist of PK11_SESSION structures so handle fork() here
++ * by destroying the old and creating new freelist.
++ * The returned PK11_SESSION structure is disconnected from the freelist.
++ */
++PK11_SESSION *
++pk11_get_session(PK11_OPTYPE optype)
++	{
++	PK11_SESSION *sp = NULL, *sp1, *freelist;
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock = NULL;
++#endif
++	CK_RV rv;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (NULL);
++		}
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp = freelist;
++
++	/*
++	 * If the free list is empty, allocate new unitialized (filled
++	 * with zeroes) PK11_SESSION structure otherwise return first
++	 * structure from the freelist.
++	 */
++	if (sp == NULL)
++		{
++		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		(void) memset(sp, 0, sizeof (PK11_SESSION));
++		}
++	else
++		{
++		freelist = sp->next;
++		}
++
++	if (sp->pid != 0 && sp->pid != getpid())
++		{
++		/*
++		 * We are a new process and thus need to free any inherited
++		 * PK11_SESSION objects.
++		 */
++		while ((sp1 = freelist) != NULL)
++			{
++			freelist = sp1->next;
++			/*
++			 * NOTE: we do not want to call pk11_free_all_sessions()
++			 * here because it would close underlying PKCS#11
++			 * sessions and destroy all objects.
++			 */
++			pk11_free_nums(sp1, optype);
++			OPENSSL_free(sp1);
++			}
++
++		/* we have to free the active list as well. */
++		pk11_free_active_list(optype);
++
++		/* Initialize the process */
++		rv = pFuncList->C_Initialize(NULL_PTR);
++		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/*
++		 * Choose slot here since the slot table is different on this
++		 * process. If we are here then we must have found at least one
++		 * usable slot before so we don't need to check any_slot_found.
++		 * See pk11_library_init()'s usage of this function for more
++		 * information.
++		 */
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++		if (check_hw_mechanisms() == 0)
++			goto err;
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++		if (pk11_choose_slots(NULL) == 0)
++			goto err;
++
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/* It is an inherited session and needs re-initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++	if (sp->pid == 0)
++		{
++		/* It is a new session and needs initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++
++	/* set new head for the list of PK11_SESSION objects */
++	session_cache[optype].head = freelist;
++
++err:
++	if (sp != NULL)
++		sp->next = NULL;
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (sp);
++	}
++
++
++void
++pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	PK11_SESSION *freelist;
++
++	if (sp == NULL || sp->pid != getpid())
++		return;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_RETURN_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return;
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp->next = freelist;
++	session_cache[optype].head = sp;
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	}
++
++
++/* Destroy all objects. This function is called when the engine is finished */
++static int pk11_free_all_sessions()
++	{
++	int ret = 1;
++	int type;
++
++#ifndef OPENSSL_NO_RSA
++	(void) pk11_destroy_rsa_key_objects(NULL);
++#endif	/* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++	(void) pk11_destroy_dsa_key_objects(NULL);
++#endif	/* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++	(void) pk11_destroy_dh_key_objects(NULL);
++#endif	/* OPENSSL_NO_DH */
++	(void) pk11_destroy_cipher_key_objects(NULL);
++
++	/*
++	 * We try to release as much as we can but any error means that we will
++	 * return 0 on exit.
++	 */
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (pk11_free_session_list(type) == 0)
++			ret = 0;
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy session structures from the linked list specified. Free as many
++ * sessions as possible but any failure in C_CloseSession() means that we
++ * return an error on return.
++ */
++static int pk11_free_session_list(PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *freelist = NULL;
++	pid_t mypid = getpid();
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	int ret = 1;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_FREE_ALL_SESSIONS,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	while ((sp = freelist) != NULL)
++		{
++		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
++			{
++			rv = pFuncList->C_CloseSession(sp->session);
++			if (rv != CKR_OK)
++				{
++				PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
++					PK11_R_CLOSESESSION, rv);
++				ret = 0;
++				}
++			}
++		freelist = sp->next;
++		pk11_free_nums(sp, optype);
++		OPENSSL_free(sp);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	return (ret);
++	}
++
++
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	CK_SLOT_ID myslot;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++			myslot = pubkey_SLOTID;
++			break;
++		case OP_RAND:
++			myslot = rand_SLOTID;
++			break;
++		case OP_DIGEST:
++		case OP_CIPHER:
++			myslot = SLOTID;
++			break;
++		default:
++			PK11err(PK11_F_SETUP_SESSION,
++			    PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++	sp->session = CK_INVALID_HANDLE;
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
++#endif	/* DEBUG_SLOT_SELECTION */
++	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++		NULL_PTR, NULL_PTR, &sp->session);
++	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
++		{
++		/*
++		 * We are probably a child process so force the
++		 * reinitialize of the session
++		 */
++		pk11_library_initialized = FALSE;
++		if (!pk11_library_init(NULL))
++			return (0);
++		rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &sp->session);
++		}
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
++		return (0);
++		}
++
++	sp->pid = getpid();
++
++	switch (optype)
++		{
++#ifndef OPENSSL_NO_RSA
++		case OP_RSA:
++			sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++			sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++			sp->opdata_rsa_pub = NULL;
++			sp->opdata_rsa_n_num = NULL;
++			sp->opdata_rsa_e_num = NULL;
++			sp->opdata_rsa_priv = NULL;
++			sp->opdata_rsa_d_num = NULL;
++			break;
++#endif	/* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++		case OP_DSA:
++			sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
++			sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
++			sp->opdata_dsa_pub = NULL;
++			sp->opdata_dsa_pub_num = NULL;
++			sp->opdata_dsa_priv = NULL;
++			sp->opdata_dsa_priv_num = NULL;
++			break;
++#endif	/* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++		case OP_DH:
++			sp->opdata_dh_key = CK_INVALID_HANDLE;
++			sp->opdata_dh = NULL;
++			sp->opdata_dh_priv_num = NULL;
++			break;
++#endif	/* OPENSSL_NO_DH */
++		case OP_CIPHER:
++			sp->opdata_cipher_key = CK_INVALID_HANDLE;
++			sp->opdata_encrypt = -1;
++			break;
++		default:
++			break;
++		}
++
++	return (1);
++	}
++
++#ifndef OPENSSL_NO_RSA
++/* Destroy RSA public key from single session. */
++int
++pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
++		    ret, uselock, OP_RSA);
++		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_pub = NULL;
++		if (sp->opdata_rsa_n_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_n_num);
++			sp->opdata_rsa_n_num = NULL;
++			}
++		if (sp->opdata_rsa_e_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_e_num);
++			sp->opdata_rsa_e_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/* Destroy RSA private key from single session. */
++int
++pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
++		{
++		if ((sp->opdata_rsa_priv->flags & RSA_FLAG_EXT_PKEY) != 0)
++			{
++			TRY_OBJ_DELETE(sp->session,
++				       sp->opdata_rsa_priv_key,
++				       ret, uselock, OP_RSA);
++			}
++		else
++			{
++			TRY_OBJ_DESTROY(sp->session,
++					sp->opdata_rsa_priv_key,
++					ret, uselock, OP_RSA);
++			}
++		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_priv = NULL;
++		if (sp->opdata_rsa_d_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_d_num);
++			sp->opdata_rsa_d_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_rsa_key_objects(PK11_SESSION *session)
++	{
++	int ret = 1;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++	CK_BBOOL uselock = TRUE;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_RSA].head;
++		uselock = FALSE;
++		}
++
++	/*
++	 * go through the list of sessions and delete key objects
++	 */
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		/*
++		 * Do not terminate list traversal if one of the
++		 * destroy operations fails.
++		 */
++		if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		}
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++#endif	/* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++/* Destroy DSA public key from single session. */
++int
++pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_dsa_pub_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_pub_key,
++		    ret, uselock, OP_DSA);
++		sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_dsa_pub = NULL;
++		if (sp->opdata_dsa_pub_num != NULL)
++			{
++			BN_free(sp->opdata_dsa_pub_num);
++			sp->opdata_dsa_pub_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/* Destroy DSA private key from single session. */
++int
++pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_dsa_priv_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_priv_key,
++		    ret, uselock, OP_DSA);
++		sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_dsa_priv = NULL;
++		if (sp->opdata_dsa_priv_num != NULL)
++			{
++			BN_free(sp->opdata_dsa_priv_num);
++			sp->opdata_dsa_priv_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy DSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_dsa_key_objects(PK11_SESSION *session)
++	{
++	int ret = 1;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++	CK_BBOOL uselock = TRUE;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_DSA].head;
++		uselock = FALSE;
++		}
++
++	/*
++	 * go through the list of sessions and delete key objects
++	 */
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		/*
++		 * Do not terminate list traversal if one of the
++		 * destroy operations fails.
++		 */
++		if (pk11_destroy_dsa_object_pub(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		if (pk11_destroy_dsa_object_priv(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		}
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++#endif	/* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++/* Destroy DH key from single session. */
++int
++pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_dh_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_dh_key,
++		    ret, uselock, OP_DH);
++		sp->opdata_dh_key = CK_INVALID_HANDLE;
++		sp->opdata_dh = NULL;
++		if (sp->opdata_dh_priv_num != NULL)
++			{
++			BN_free(sp->opdata_dh_priv_num);
++			sp->opdata_dh_priv_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy DH key object wrapper.
++ *
++ * arg0: pointer to PKCS#11 engine session structure
++ *       if session is NULL, try to destroy all objects in the free list
++ */
++int
++pk11_destroy_dh_key_objects(PK11_SESSION *session)
++	{
++	int ret = 1;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++	CK_BBOOL uselock = TRUE;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_DH].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_DH].head;
++		uselock = FALSE;
++		}
++
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		/*
++		 * Do not terminate list traversal if one of the
++		 * destroy operations fails.
++		 */
++		if (pk11_destroy_dh_object(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		}
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++#endif	/* OPENSSL_NO_DH */
++
++static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
++	{
++	CK_RV rv;
++	rv = pFuncList->C_DestroyObject(session, oh);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
++		    rv);
++		return (0);
++		}
++
++	return (1);
++	}
++
++
++/* Symmetric ciphers and digests support functions */
++
++static int
++cipher_nid_to_pk11(int nid)
++	{
++	int i;
++
++	for (i = 0; i < PK11_CIPHER_MAX; i++)
++		if (ciphers[i].nid == nid)
++			return (ciphers[i].id);
++	return (-1);
++	}
++
++static int
++pk11_usable_ciphers(const int **nids)
++	{
++	if (cipher_count > 0)
++		*nids = cipher_nids;
++	else
++		*nids = NULL;
++	return (cipher_count);
++	}
++
++static int
++pk11_usable_digests(const int **nids)
++	{
++	if (digest_count > 0)
++		*nids = digest_nids;
++	else
++		*nids = NULL;
++	return (digest_count);
++	}
++
++/*
++ * Init context for encryption or decryption using a symmetric key.
++ */
++static int pk11_init_symmetric(EVP_CIPHER_CTX *ctx, PK11_CIPHER *pcipher,
++	PK11_SESSION *sp, CK_MECHANISM_PTR pmech)
++	{
++	CK_RV rv;
++#ifdef	SOLARIS_AES_CTR
++	CK_AES_CTR_PARAMS ctr_params;
++#endif	/* SOLARIS_AES_CTR */
++
++	/*
++	 * We expect pmech->mechanism to be already set and
++	 * pParameter/ulParameterLen initialized to NULL/0 before
++	 * pk11_init_symetric() is called.
++	 */
++	OPENSSL_assert(pmech->mechanism != 0);
++	OPENSSL_assert(pmech->pParameter == NULL);
++	OPENSSL_assert(pmech->ulParameterLen == 0);
++
++#ifdef	SOLARIS_AES_CTR
++	if (ctx->cipher->nid == NID_aes_128_ctr ||
++	    ctx->cipher->nid == NID_aes_192_ctr ||
++	    ctx->cipher->nid == NID_aes_256_ctr)
++		{
++		pmech->pParameter = (void *)(&ctr_params);
++		pmech->ulParameterLen = sizeof (ctr_params);
++		/*
++		 * For now, we are limited to the fixed length of the counter,
++		 * it covers the whole counter block. That's what RFC 4344
++		 * needs. For more information on internal structure of the
++		 * counter block, see RFC 3686. If needed in the future, we can
++		 * add code so that the counter length can be set via
++		 * ENGINE_ctrl() function.
++		 */
++		ctr_params.ulCounterBits = AES_BLOCK_SIZE * 8;
++		OPENSSL_assert(pcipher->iv_len == AES_BLOCK_SIZE);
++		(void) memcpy(ctr_params.cb, ctx->iv, AES_BLOCK_SIZE);
++		}
++	else
++#endif	/* SOLARIS_AES_CTR */
++		{
++		if (pcipher->iv_len > 0)
++			{
++			pmech->pParameter = (void *)ctx->iv;
++			pmech->ulParameterLen = pcipher->iv_len;
++			}
++		}
++
++	/* if we get here, the encryption needs to be reinitialized */
++	if (ctx->encrypt)
++		rv = pFuncList->C_EncryptInit(sp->session, pmech,
++			sp->opdata_cipher_key);
++	else
++		rv = pFuncList->C_DecryptInit(sp->session, pmech,
++			sp->opdata_cipher_key);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CIPHER_INIT, ctx->encrypt ?
++		    PK11_R_ENCRYPTINIT : PK11_R_DECRYPTINIT, rv);
++		pk11_return_session(sp, OP_CIPHER);
++		return (0);
++		}
++
++	return (1);
++	}
++
++/* ARGSUSED */
++static int
++pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++    const unsigned char *iv, int enc)
++	{
++	CK_MECHANISM mech;
++	int index;
++	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
++	PK11_SESSION *sp;
++	PK11_CIPHER *p_ciph_table_row;
++
++	state->sp = NULL;
++
++	index = cipher_nid_to_pk11(ctx->cipher->nid);
++	if (index < 0 || index >= PK11_CIPHER_MAX)
++		return (0);
++
++	p_ciph_table_row = &ciphers[index];
++	/*
++	 * iv_len in the ctx->cipher structure is the maximum IV length for the
++	 * current cipher and it must be less or equal to the IV length in our
++	 * ciphers table. The key length must match precisely. Every application
++	 * can define its own EVP functions so this code serves as a sanity
++	 * check.
++	 *
++	 * Note that the reason why the IV length in ctx->cipher might be
++	 * greater than the actual length is that OpenSSL uses BLOCK_CIPHER_defs
++	 * macro to define functions that return EVP structures for all DES
++	 * modes. So, even ECB modes get 8 byte IV.
++	 */
++	if (ctx->cipher->iv_len < p_ciph_table_row->iv_len ||
++	    ctx->key_len != p_ciph_table_row->key_len)
++		{
++		PK11err(PK11_F_CIPHER_INIT, PK11_R_KEY_OR_IV_LEN_PROBLEM);
++		return (0);
++		}
++
++	if ((sp = pk11_get_session(OP_CIPHER)) == NULL)
++		return (0);
++
++	/* if applicable, the mechanism parameter is used for IV */
++	mech.mechanism = p_ciph_table_row->mech_type;
++	mech.pParameter = NULL;
++	mech.ulParameterLen = 0;
++
++	/* The key object is destroyed here if it is not the current key. */
++	(void) check_new_cipher_key(sp, key, p_ciph_table_row->key_len);
++
++	/*
++	 * If the key is the same and the encryption is also the same, then
++	 * just reuse it. However, we must not forget to reinitialize the
++	 * context that was finalized in pk11_cipher_cleanup().
++	 */
++	if (sp->opdata_cipher_key != CK_INVALID_HANDLE &&
++	    sp->opdata_encrypt == ctx->encrypt)
++		{
++		state->sp = sp;
++		if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
++			return (0);
++
++		return (1);
++		}
++
++	/*
++	 * Check if the key has been invalidated. If so, a new key object
++	 * needs to be created.
++	 */
++	if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
++		{
++		sp->opdata_cipher_key = pk11_get_cipher_key(
++			ctx, key, p_ciph_table_row->key_type, sp);
++		}
++
++	if (sp->opdata_encrypt != ctx->encrypt && sp->opdata_encrypt != -1)
++		{
++		/*
++		 * The previous encryption/decryption is different. Need to
++		 * terminate the previous * active encryption/decryption here.
++		 */
++		if (!pk11_cipher_final(sp))
++			{
++			pk11_return_session(sp, OP_CIPHER);
++			return (0);
++			}
++		}
++
++	if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
++		{
++		pk11_return_session(sp, OP_CIPHER);
++		return (0);
++		}
++
++	/* now initialize the context with a new key */
++	if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
++		return (0);
++
++	sp->opdata_encrypt = ctx->encrypt;
++	state->sp = sp;
++
++	return (1);
++	}
++
++/*
++ * When reusing the same key in an encryption/decryption session for a
++ * decryption/encryption session, we need to close the active session
++ * and recreate a new one. Note that the key is in the global session so
++ * that it needs not be recreated.
++ *
++ * It is more appropriate to use C_En/DecryptFinish here. At the time of this
++ * development, these two functions in the PKCS#11 libraries used return
++ * unexpected errors when passing in 0 length output. It may be a good
++ * idea to try them again if performance is a problem here and fix
++ * C_En/DecryptFinial if there are bugs there causing the problem.
++ */
++static int
++pk11_cipher_final(PK11_SESSION *sp)
++	{
++	CK_RV rv;
++
++	rv = pFuncList->C_CloseSession(sp->session);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_CLOSESESSION, rv);
++		return (0);
++		}
++
++	rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++		NULL_PTR, NULL_PTR, &sp->session);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_OPENSESSION, rv);
++		return (0);
++		}
++
++	return (1);
++	}
++
++/*
++ * An engine interface function. The calling function allocates sufficient
++ * memory for the output buffer "out" to hold the results.
++ */
++static int
++pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++	const unsigned char *in, unsigned int inl)
++	{
++	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
++	PK11_SESSION *sp;
++	CK_RV rv;
++	unsigned long outl = inl;
++
++	if (state == NULL || state->sp == NULL)
++		return (0);
++
++	sp = (PK11_SESSION *) state->sp;
++
++	if (!inl)
++		return (1);
++
++	/* RC4 is the only stream cipher we support */
++	if (ctx->cipher->nid != NID_rc4 && (inl % ctx->cipher->block_size) != 0)
++		return (0);
++
++	if (ctx->encrypt)
++		{
++		rv = pFuncList->C_EncryptUpdate(sp->session,
++			(unsigned char *)in, inl, out, &outl);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_CIPHER_DO_CIPHER,
++			    PK11_R_ENCRYPTUPDATE, rv);
++			return (0);
++			}
++		}
++	else
++		{
++		rv = pFuncList->C_DecryptUpdate(sp->session,
++			(unsigned char *)in, inl, out, &outl);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_CIPHER_DO_CIPHER,
++			    PK11_R_DECRYPTUPDATE, rv);
++			return (0);
++			}
++		}
++
++	/*
++	 * For DES_CBC, DES3_CBC, AES_CBC, and RC4, the output size is always
++	 * the same size of input.
++	 * The application has guaranteed to call the block ciphers with
++	 * correctly aligned buffers.
++	 */
++	if (inl != outl)
++		return (0);
++
++	return (1);
++	}
++
++/*
++ * Return the session to the pool. Calling C_EncryptFinal() and C_DecryptFinal()
++ * here is the right thing because in EVP_DecryptFinal_ex(), engine's
++ * do_cipher() is not even called, and in EVP_EncryptFinal_ex() it is called but
++ * the engine can't find out that it's the finalizing call. We wouldn't
++ * necessarily have to finalize the context here since reinitializing it with
++ * C_(Encrypt|Decrypt)Init() should be fine but for the sake of correctness,
++ * let's do it. Some implementations might leak memory if the previously used
++ * context is initialized without finalizing it first.
++ */
++static int
++pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx)
++	{
++	CK_RV rv;
++	CK_ULONG len = EVP_MAX_BLOCK_LENGTH;
++	CK_BYTE buf[EVP_MAX_BLOCK_LENGTH];
++	PK11_CIPHER_STATE *state = ctx->cipher_data;
++
++	if (state != NULL && state->sp != NULL)
++		{
++		/*
++		 * We are not interested in the data here, we just need to get
++		 * rid of the context.
++		 */
++		if (ctx->encrypt)
++			rv = pFuncList->C_EncryptFinal(
++			    state->sp->session, buf, &len);
++		else
++			rv = pFuncList->C_DecryptFinal(
++			    state->sp->session, buf, &len);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_CIPHER_CLEANUP, ctx->encrypt ?
++			    PK11_R_ENCRYPTFINAL : PK11_R_DECRYPTFINAL, rv);
++			pk11_return_session(state->sp, OP_CIPHER);
++			return (0);
++			}
++
++		pk11_return_session(state->sp, OP_CIPHER);
++		state->sp = NULL;
++		}
++
++	return (1);
++	}
++
++/*
++ * Registered by the ENGINE when used to find out how to deal with
++ * a particular NID in the ENGINE. This says what we'll do at the
++ * top level - note, that list is restricted by what we answer with
++ */
++/* ARGSUSED */
++static int
++pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
++	const int **nids, int nid)
++	{
++	if (!cipher)
++		return (pk11_usable_ciphers(nids));
++
++	switch (nid)
++		{
++		case NID_des_ede3_cbc:
++			*cipher = &pk11_3des_cbc;
++			break;
++		case NID_des_cbc:
++			*cipher = &pk11_des_cbc;
++			break;
++		case NID_des_ede3_ecb:
++			*cipher = &pk11_3des_ecb;
++			break;
++		case NID_des_ecb:
++			*cipher = &pk11_des_ecb;
++			break;
++		case NID_aes_128_cbc:
++			*cipher = &pk11_aes_128_cbc;
++			break;
++		case NID_aes_192_cbc:
++			*cipher = &pk11_aes_192_cbc;
++			break;
++		case NID_aes_256_cbc:
++			*cipher = &pk11_aes_256_cbc;
++			break;
++		case NID_aes_128_ecb:
++			*cipher = &pk11_aes_128_ecb;
++			break;
++		case NID_aes_192_ecb:
++			*cipher = &pk11_aes_192_ecb;
++			break;
++		case NID_aes_256_ecb:
++			*cipher = &pk11_aes_256_ecb;
++			break;
++		case NID_bf_cbc:
++			*cipher = &pk11_bf_cbc;
++			break;
++		case NID_rc4:
++			*cipher = &pk11_rc4;
++			break;
++		default:
++#ifdef	SOLARIS_AES_CTR
++			/*
++			 * These can't be in separated cases because the NIDs
++			 * here are not constants.
++			 */
++			if (nid == NID_aes_128_ctr)
++				*cipher = &pk11_aes_128_ctr;
++			else if (nid == NID_aes_192_ctr)
++				*cipher = &pk11_aes_192_ctr;
++			else if (nid == NID_aes_256_ctr)
++				*cipher = &pk11_aes_256_ctr;
++			else
++#endif	/* SOLARIS_AES_CTR */
++			*cipher = NULL;
++			break;
++		}
++	return (*cipher != NULL);
++	}
++
++/* ARGSUSED */
++static int
++pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
++	const int **nids, int nid)
++	{
++	if (!digest)
++		return (pk11_usable_digests(nids));
++
++	switch (nid)
++		{
++		case NID_md5:
++			*digest = &pk11_md5;
++			break;
++		case NID_sha1:
++			*digest = &pk11_sha1;
++			break;
++		case NID_sha224:
++			*digest = &pk11_sha224;
++			break;
++		case NID_sha256:
++			*digest = &pk11_sha256;
++			break;
++		case NID_sha384:
++			*digest = &pk11_sha384;
++			break;
++		case NID_sha512:
++			*digest = &pk11_sha512;
++			break;
++		default:
++			*digest = NULL;
++			break;
++		}
++	return (*digest != NULL);
++	}
++
++
++/* Create a secret key object in a PKCS#11 session */
++static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
++	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp)
++	{
++	CK_RV rv;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
++	CK_ULONG ul_key_attr_count = 6;
++
++	CK_ATTRIBUTE  a_key_template[] =
++		{
++		{CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)},
++		{CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)},
++		{CKA_TOKEN, &false, sizeof (false)},
++		{CKA_ENCRYPT, &true, sizeof (true)},
++		{CKA_DECRYPT, &true, sizeof (true)},
++		{CKA_VALUE, (void*) NULL, 0},
++		};
++
++	/*
++	 * Create secret key object in global_session. All other sessions
++	 * can use the key handles. Here is why:
++	 * OpenSSL will call EncryptInit and EncryptUpdate using a secret key.
++	 * It may then call DecryptInit and DecryptUpdate using the same key.
++	 * To use the same key object, we need to call EncryptFinal with
++	 * a 0 length message. Currently, this does not work for 3DES
++	 * mechanism. To get around this problem, we close the session and
++	 * then create a new session to use the same key object. When a session
++	 * is closed, all the object handles will be invalid. Thus, create key
++	 * objects in a global session, an individual session may be closed to
++	 * terminate the active operation.
++	 */
++	CK_SESSION_HANDLE session = global_session;
++	a_key_template[0].pValue = &obj_key;
++	a_key_template[1].pValue = &key_type;
++	a_key_template[5].pValue = (void *) key;
++	a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
++
++	rv = pFuncList->C_CreateObject(session,
++		a_key_template, ul_key_attr_count, &h_key);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
++		    rv);
++		goto err;
++		}
++
++	/*
++	 * Save the key information used in this session.
++	 * The max can be saved is PK11_KEY_LEN_MAX.
++	 */
++	sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
++		PK11_KEY_LEN_MAX : ctx->key_len;
++	(void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++err:
++
++	return (h_key);
++	}
++
++static int
++md_nid_to_pk11(int nid)
++	{
++	int i;
++
++	for (i = 0; i < PK11_DIGEST_MAX; i++)
++		if (digests[i].nid == nid)
++			return (digests[i].id);
++	return (-1);
++	}
++
++static int
++pk11_digest_init(EVP_MD_CTX *ctx)
++	{
++	CK_RV rv;
++	CK_MECHANISM mech;
++	int index;
++	PK11_SESSION *sp;
++	PK11_DIGEST *pdp;
++	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++
++	state->sp = NULL;
++
++	index = md_nid_to_pk11(ctx->digest->type);
++	if (index < 0 || index >= PK11_DIGEST_MAX)
++		return (0);
++
++	pdp = &digests[index];
++	if ((sp = pk11_get_session(OP_DIGEST)) == NULL)
++		return (0);
++
++	/* at present, no parameter is needed for supported digests */
++	mech.mechanism = pdp->mech_type;
++	mech.pParameter = NULL;
++	mech.ulParameterLen = 0;
++
++	rv = pFuncList->C_DigestInit(sp->session, &mech);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_INIT, PK11_R_DIGESTINIT, rv);
++		pk11_return_session(sp, OP_DIGEST);
++		return (0);
++		}
++
++	state->sp = sp;
++
++	return (1);
++	}
++
++static int
++pk11_digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
++	{
++	CK_RV rv;
++	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++
++	/* 0 length message will cause a failure in C_DigestFinal */
++	if (count == 0)
++		return (1);
++
++	if (state == NULL || state->sp == NULL)
++		return (0);
++
++	rv = pFuncList->C_DigestUpdate(state->sp->session, (CK_BYTE *) data,
++		count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_UPDATE, PK11_R_DIGESTUPDATE, rv);
++		pk11_return_session(state->sp, OP_DIGEST);
++		state->sp = NULL;
++		return (0);
++		}
++
++	return (1);
++	}
++
++static int
++pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
++	{
++	CK_RV rv;
++	unsigned long len;
++	PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++	len = ctx->digest->md_size;
++
++	if (state == NULL || state->sp == NULL)
++		return (0);
++
++	rv = pFuncList->C_DigestFinal(state->sp->session, md, &len);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_FINAL, PK11_R_DIGESTFINAL, rv);
++		pk11_return_session(state->sp, OP_DIGEST);
++		state->sp = NULL;
++		return (0);
++		}
++
++	if (ctx->digest->md_size != len)
++		return (0);
++
++	/*
++	 * Final is called and digest is returned, so return the session
++	 * to the pool
++	 */
++	pk11_return_session(state->sp, OP_DIGEST);
++	state->sp = NULL;
++
++	return (1);
++	}
++
++static int
++pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
++	{
++	CK_RV rv;
++	int ret = 0;
++	PK11_CIPHER_STATE *state, *state_to;
++	CK_BYTE_PTR pstate = NULL;
++	CK_ULONG ul_state_len;
++
++	/* The copy-from state */
++	state = (PK11_CIPHER_STATE *) from->md_data;
++	if (state == NULL || state->sp == NULL)
++		goto err;
++
++	/* Initialize the copy-to state */
++	if (!pk11_digest_init(to))
++		goto err;
++	state_to = (PK11_CIPHER_STATE *) to->md_data;
++
++	/* Get the size of the operation state of the copy-from session */
++	rv = pFuncList->C_GetOperationState(state->sp->session, NULL,
++		&ul_state_len);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE,
++		    rv);
++		goto err;
++		}
++	if (ul_state_len == 0)
++		{
++		goto err;
++		}
++
++	pstate = OPENSSL_malloc(ul_state_len);
++	if (pstate == NULL)
++		{
++		PK11err(PK11_F_DIGEST_COPY, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	/* Get the operation state of the copy-from session */
++	rv = pFuncList->C_GetOperationState(state->sp->session, pstate,
++		&ul_state_len);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE,
++		    rv);
++		goto err;
++		}
++
++	/* Set the operation state of the copy-to session */
++	rv = pFuncList->C_SetOperationState(state_to->sp->session, pstate,
++		ul_state_len, 0, 0);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DIGEST_COPY,
++		    PK11_R_SET_OPERATION_STATE, rv);
++		goto err;
++		}
++
++	ret = 1;
++err:
++	if (pstate != NULL)
++		OPENSSL_free(pstate);
++
++	return (ret);
++	}
++
++/* Return any pending session state to the pool */
++static int
++pk11_digest_cleanup(EVP_MD_CTX *ctx)
++	{
++	PK11_CIPHER_STATE *state = ctx->md_data;
++	unsigned char buf[EVP_MAX_MD_SIZE];
++
++	if (state != NULL && state->sp != NULL)
++		{
++		/*
++		 * If state->sp is not NULL then pk11_digest_final() has not
++		 * been called yet. We must call it now to free any memory
++		 * that might have been allocated in the token when
++		 * pk11_digest_init() was called. pk11_digest_final()
++		 * will return the session to the cache.
++		 */
++		if (!pk11_digest_final(ctx, buf))
++			return (0);
++		}
++
++	return (1);
++	}
++
++/*
++ * Check if the new key is the same as the key object in the session. If the key
++ * is the same, no need to create a new key object. Otherwise, the old key
++ * object needs to be destroyed and a new one will be created. Return 1 for
++ * cache hit, 0 for cache miss. Note that we must check the key length first
++ * otherwise we could end up reusing a different, longer key with the same
++ * prefix.
++ */
++static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
++	int key_len)
++	{
++	if (sp->opdata_key_len != key_len ||
++	    memcmp(sp->opdata_key, key, key_len) != 0)
++		{
++		(void) pk11_destroy_cipher_key_objects(sp);
++		return (0);
++		}
++	return (1);
++	}
++
++/* Destroy one or more secret key objects. */
++static int pk11_destroy_cipher_key_objects(PK11_SESSION *session)
++	{
++	int ret = 0;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_CIPHER].head;
++		}
++
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		if (sp->opdata_cipher_key != CK_INVALID_HANDLE)
++			{
++			/*
++			 * The secret key object is created in the
++			 * global_session. See pk11_get_cipher_key
++			 */
++			if (pk11_destroy_object(global_session,
++				sp->opdata_cipher_key) == 0)
++				goto err;
++			sp->opdata_cipher_key = CK_INVALID_HANDLE;
++			}
++		}
++	ret = 1;
++err:
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++
++
++/*
++ * Public key mechanisms optionally supported
++ *
++ * CKM_RSA_X_509
++ * CKM_RSA_PKCS
++ * CKM_DSA
++ *
++ * The first slot that supports at least one of those mechanisms is chosen as a
++ * public key slot.
++ *
++ * Symmetric ciphers optionally supported
++ *
++ * CKM_DES3_CBC
++ * CKM_DES_CBC
++ * CKM_AES_CBC
++ * CKM_DES3_ECB
++ * CKM_DES_ECB
++ * CKM_AES_ECB
++ * CKM_AES_CTR
++ * CKM_RC4
++ * CKM_BLOWFISH_CBC
++ *
++ * Digests optionally supported
++ *
++ * CKM_MD5
++ * CKM_SHA_1
++ * CKM_SHA224
++ * CKM_SHA256
++ * CKM_SHA384
++ * CKM_SHA512
++ *
++ * The output of this function is a set of global variables indicating which
++ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
++ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
++ * variables carry information about which slot was chosen for (a) public key
++ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
++ */
++static int
++pk11_choose_slots(int *any_slot_found)
++	{
++	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++	CK_ULONG ulSlotCount = 0;
++	CK_MECHANISM_INFO mech_info;
++	CK_TOKEN_INFO token_info;
++	unsigned int i;
++	CK_RV rv;
++	CK_SLOT_ID best_slot_sofar = 0;
++	CK_BBOOL found_candidate_slot = CK_FALSE;
++	int slot_n_cipher = 0;
++	int slot_n_digest = 0;
++	CK_SLOT_ID current_slot = 0;
++	int current_slot_n_cipher = 0;
++	int current_slot_n_digest = 0;
++
++	int local_cipher_nids[PK11_CIPHER_MAX];
++	int local_digest_nids[PK11_DIGEST_MAX];
++
++	/* let's initialize the output parameter */
++	if (any_slot_found != NULL)
++		*any_slot_found = 0;
++
++	/* Get slot list for memory allocation */
++	rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		return (0);
++		}
++
++	/* it's not an error if we didn't find any providers */
++	if (ulSlotCount == 0)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		return (1);
++		}
++
++	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++
++	if (pSlotList == NULL)
++		{
++		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
++		return (0);
++		}
++
++	/* Get the slot list for processing */
++	rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		OPENSSL_free(pSlotList);
++		return (0);
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
++	fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
++
++	fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		/* Check if slot has random support. */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		if (token_info.flags & CKF_RNG)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++			pk11_have_random = CK_TRUE;
++			rand_SLOTID = current_slot;
++			break;
++			}
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	pubkey_SLOTID = pSlotList[0];
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		CK_BBOOL slot_has_rsa = CK_FALSE;
++		CK_BBOOL slot_has_recover = CK_FALSE;
++		CK_BBOOL slot_has_dsa = CK_FALSE;
++		CK_BBOOL slot_has_dh = CK_FALSE;
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++#ifndef OPENSSL_NO_RSA
++		/*
++		 * Check if this slot is capable of signing and
++		 * verifying with CKM_RSA_PKCS.
++		 */
++		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
++			&mech_info);
++
++		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++				(mech_info.flags & CKF_VERIFY)))
++			{
++			/*
++			 * Check if this slot is capable of encryption,
++			 * decryption, sign, and verify with CKM_RSA_X_509.
++			 */
++			rv = pFuncList->C_GetMechanismInfo(current_slot,
++			    CKM_RSA_X_509, &mech_info);
++
++			if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++			    (mech_info.flags & CKF_VERIFY) &&
++			    (mech_info.flags & CKF_ENCRYPT) &&
++			    (mech_info.flags & CKF_DECRYPT)))
++				{
++				slot_has_rsa = CK_TRUE;
++				if (mech_info.flags & CKF_VERIFY_RECOVER)
++					{
++					slot_has_recover = CK_TRUE;
++					}
++				}
++			}
++#endif	/* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++		/*
++		 * Check if this slot is capable of signing and
++		 * verifying with CKM_DSA.
++		 */
++		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_DSA,
++			&mech_info);
++		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++		    (mech_info.flags & CKF_VERIFY)))
++			{
++			slot_has_dsa = CK_TRUE;
++			}
++
++#endif	/* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++		/*
++		 * Check if this slot is capable of DH key generataion and
++		 * derivation.
++		 */
++		rv = pFuncList->C_GetMechanismInfo(current_slot,
++		    CKM_DH_PKCS_KEY_PAIR_GEN, &mech_info);
++
++		if (rv == CKR_OK && (mech_info.flags & CKF_GENERATE_KEY_PAIR))
++			{
++			rv = pFuncList->C_GetMechanismInfo(current_slot,
++				CKM_DH_PKCS_DERIVE, &mech_info);
++			if (rv == CKR_OK && (mech_info.flags & CKF_DERIVE))
++				{
++				slot_has_dh = CK_TRUE;
++				}
++			}
++#endif	/* OPENSSL_NO_DH */
++
++		if (!found_candidate_slot &&
++		    (slot_has_rsa || slot_has_dsa || slot_has_dh))
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: potential slot: %d\n", PK11_DBG, current_slot);
++#endif	/* DEBUG_SLOT_SELECTION */
++			best_slot_sofar = current_slot;
++			pk11_have_rsa = slot_has_rsa;
++			pk11_have_recover = slot_has_recover;
++			pk11_have_dsa = slot_has_dsa;
++			pk11_have_dh = slot_has_dh;
++			found_candidate_slot = CK_TRUE;
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: setting found_candidate_slot to CK_TRUE\n",
++			    PK11_DBG);
++			fprintf(stderr,
++			    "%s: best so far slot: %d\n", PK11_DBG,
++			    best_slot_sofar);
++			}
++		else
++			{
++			fprintf(stderr,
++			    "%s: no rsa/dsa/dh\n", PK11_DBG);
++			}
++#else
++			} /* if */
++#endif	/* DEBUG_SLOT_SELECTION */
++		} /* for */
++
++	if (found_candidate_slot)
++		{
++		pubkey_SLOTID = best_slot_sofar;
++		}
++
++	found_candidate_slot = CK_FALSE;
++	best_slot_sofar = 0;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: == checking cipher/digest ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	SLOTID = pSlotList[0];
++	for (i = 0; i < ulSlotCount; i++)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		current_slot = pSlotList[i];
++		current_slot_n_cipher = 0;
++		current_slot_n_digest = 0;
++		(void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids));
++		(void) memset(local_digest_nids, 0, sizeof (local_digest_nids));
++
++		pk11_find_symmetric_ciphers(pFuncList, current_slot,
++		    ¤t_slot_n_cipher, local_cipher_nids);
++
++		pk11_find_digests(pFuncList, current_slot,
++		    ¤t_slot_n_digest, local_digest_nids);
++
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: current_slot_n_cipher %d\n", PK11_DBG,
++			current_slot_n_cipher);
++		fprintf(stderr, "%s: current_slot_n_digest %d\n", PK11_DBG,
++			current_slot_n_digest);
++		fprintf(stderr, "%s: best so far cipher/digest slot: %d\n",
++			PK11_DBG, best_slot_sofar);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		/*
++		 * If the current slot supports more ciphers/digests than
++		 * the previous best one we change the current best to this one,
++		 * otherwise leave it where it is.
++		 */
++		if ((current_slot_n_cipher + current_slot_n_digest) >
++		    (slot_n_cipher + slot_n_digest))
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++				"%s: changing best so far slot to %d\n",
++				PK11_DBG, current_slot);
++#endif	/* DEBUG_SLOT_SELECTION */
++			best_slot_sofar = SLOTID = current_slot;
++			cipher_count = slot_n_cipher = current_slot_n_cipher;
++			digest_count = slot_n_digest = current_slot_n_digest;
++			(void) memcpy(cipher_nids, local_cipher_nids,
++			    sizeof (local_cipher_nids));
++			(void) memcpy(digest_nids, local_digest_nids, 
++			    sizeof (local_digest_nids));
++			}
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr,
++	    "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
++	fprintf(stderr,
++	    "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
++	fprintf(stderr,
++	    "%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID);
++	fprintf(stderr,
++	    "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
++	fprintf(stderr,
++	    "%s: pk11_have_recover %d\n", PK11_DBG, pk11_have_recover);
++	fprintf(stderr,
++	    "%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa);
++	fprintf(stderr,
++	    "%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh);
++	fprintf(stderr,
++	    "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
++	fprintf(stderr,
++	    "%s: cipher_count %d\n", PK11_DBG, cipher_count);
++	fprintf(stderr,
++	    "%s: digest_count %d\n", PK11_DBG, digest_count);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	if (pSlotList != NULL)
++		OPENSSL_free(pSlotList);
++
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++	OPENSSL_free(hw_cnids);
++	OPENSSL_free(hw_dnids);
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++
++	if (any_slot_found != NULL)
++		*any_slot_found = 1;
++	return (1);
++	}
++
++static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist,
++    int slot_id, CK_MECHANISM_TYPE mech, int *current_slot_n_cipher,
++    int *local_cipher_nids, int id)
++	{
++	CK_MECHANISM_INFO mech_info;
++	CK_RV rv;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
++#endif	/* DEBUG_SLOT_SELECTION */
++	rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
++
++	if (rv != CKR_OK)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, " not found\n");
++#endif	/* DEBUG_SLOT_SELECTION */
++		return;
++		}
++
++	if ((mech_info.flags & CKF_ENCRYPT) &&
++	    (mech_info.flags & CKF_DECRYPT))
++		{
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++		if (nid_in_table(ciphers[id].nid, hw_cnids))
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, " usable\n");
++#endif	/* DEBUG_SLOT_SELECTION */
++			local_cipher_nids[(*current_slot_n_cipher)++] =
++			    ciphers[id].nid;
++			}
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++#ifdef	DEBUG_SLOT_SELECTION
++		else
++			{
++		fprintf(stderr, " rejected, software implementation only\n");
++			}
++#endif	/* DEBUG_SLOT_SELECTION */
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++		}
++#ifdef	DEBUG_SLOT_SELECTION
++	else
++		{
++		fprintf(stderr, " unusable\n");
++		}
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	return;
++	}
++
++static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
++    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
++    int id)
++	{
++	CK_MECHANISM_INFO mech_info;
++	CK_RV rv;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
++#endif	/* DEBUG_SLOT_SELECTION */
++	rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
++
++	if (rv != CKR_OK)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, " not found\n");
++#endif	/* DEBUG_SLOT_SELECTION */
++		return;
++		}
++
++	if (mech_info.flags & CKF_DIGEST)
++		{
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++		if (nid_in_table(digests[id].nid, hw_dnids))
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, " usable\n");
++#endif	/* DEBUG_SLOT_SELECTION */
++			local_digest_nids[(*current_slot_n_digest)++] =
++			    digests[id].nid;
++			}
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++#ifdef	DEBUG_SLOT_SELECTION
++		else
++			{
++		fprintf(stderr, " rejected, software implementation only\n");
++			}
++#endif	/* DEBUG_SLOT_SELECTION */
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++		}
++#ifdef	DEBUG_SLOT_SELECTION
++	else
++		{
++		fprintf(stderr, " unusable\n");
++		}
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	return;
++	}
++
++#ifdef	SOLARIS_AES_CTR
++/* create a new NID when we have no OID for that mechanism */
++static int pk11_add_NID(char *sn, char *ln)
++	{
++	ASN1_OBJECT *o;
++	int nid;
++
++	if ((o = ASN1_OBJECT_create(OBJ_new_nid(1), (unsigned char *)"",
++	    1, sn, ln)) == NULL)
++		{
++		return (0);
++		}
++
++	/* will return NID_undef on error */
++	nid = OBJ_add_object(o);
++	ASN1_OBJECT_free(o);
++
++	return (nid);
++	}
++
++/*
++ * Create new NIDs for AES counter mode. OpenSSL doesn't support them now so we
++ * have to help ourselves here.
++ */
++static int pk11_add_aes_ctr_NIDs(void)
++	{
++	/* are we already set? */
++	if (NID_aes_256_ctr != NID_undef)
++		return (1);
++
++	/*
++	 * There are no official names for AES counter modes yet so we just
++	 * follow the format of those that exist.
++	 */
++	if ((NID_aes_128_ctr = pk11_add_NID("AES-128-CTR", "aes-128-ctr")) ==
++	    NID_undef)
++		goto err;
++	ciphers[PK11_AES_128_CTR].nid = pk11_aes_128_ctr.nid = NID_aes_128_ctr;
++	if ((NID_aes_192_ctr = pk11_add_NID("AES-192-CTR", "aes-192-ctr")) ==
++	    NID_undef)
++		goto err;
++	ciphers[PK11_AES_192_CTR].nid = pk11_aes_192_ctr.nid = NID_aes_192_ctr;
++	if ((NID_aes_256_ctr = pk11_add_NID("AES-256-CTR", "aes-256-ctr")) ==
++	    NID_undef)
++		goto err;
++	ciphers[PK11_AES_256_CTR].nid = pk11_aes_256_ctr.nid = NID_aes_256_ctr;
++	return (1);
++
++err:
++	PK11err(PK11_F_ADD_AES_CTR_NIDS, PK11_R_ADD_NID_FAILED);
++	return (0);
++	}
++#endif	/* SOLARIS_AES_CTR */
++
++/* Find what symmetric ciphers this slot supports. */
++static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
++    CK_SLOT_ID current_slot, int *current_slot_n_cipher, int *local_cipher_nids)
++	{
++	int i;
++
++	for (i = 0; i < PK11_CIPHER_MAX; ++i)
++		{
++		pk11_get_symmetric_cipher(pflist, current_slot,
++		    ciphers[i].mech_type, current_slot_n_cipher,
++		    local_cipher_nids, ciphers[i].id);
++		}
++	}
++
++/* Find what digest algorithms this slot supports. */
++static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
++    CK_SLOT_ID current_slot, int *current_slot_n_digest, int *local_digest_nids)
++	{
++	int i;
++
++	for (i = 0; i < PK11_DIGEST_MAX; ++i)
++		{
++		pk11_get_digest(pflist, current_slot, digests[i].mech_type,
++		    current_slot_n_digest, local_digest_nids, digests[i].id);
++		}
++	}
++
++#ifdef	SOLARIS_HW_SLOT_SELECTION
++/*
++ * It would be great if we could use pkcs11_kernel directly since this library
++ * offers hardware slots only. That's the easiest way to achieve the situation
++ * where we use the hardware accelerators when present and OpenSSL native code
++ * otherwise. That presumes the fact that OpenSSL native code is faster than the
++ * code in the soft token. It's a logical assumption - Crypto Framework has some
++ * inherent overhead so going there for the software implementation of a
++ * mechanism should be logically slower in contrast to the OpenSSL native code,
++ * presuming that both implementations are of similar speed. For example, the
++ * soft token for AES is roughly three times slower than OpenSSL for 64 byte
++ * blocks and still 20% slower for 8KB blocks. So, if we want to ship products
++ * that use the PKCS#11 engine by default, we must somehow avoid that regression
++ * on machines without hardware acceleration. That's why switching to the
++ * pkcs11_kernel library seems like a very good idea.
++ *
++ * The problem is that OpenSSL built with SunStudio is roughly 2x slower for
++ * asymmetric operations (RSA/DSA/DH) than the soft token built with the same
++ * compiler. That means that if we switched to pkcs11_kernel from the libpkcs11
++ * library, we would have had a performance regression on machines without
++ * hardware acceleration for asymmetric operations for all applications that use
++ * the PKCS#11 engine. There is one such application - Apache web server since
++ * it's shipped configured to use the PKCS#11 engine by default. Having said
++ * that, we can't switch to the pkcs11_kernel library now and have to come with
++ * a solution that, on non-accelerated machines, uses the OpenSSL native code
++ * for all symmetric ciphers and digests while it uses the soft token for
++ * asymmetric operations.
++ *
++ * This is the idea: dlopen() pkcs11_kernel directly and find out what
++ * mechanisms are there. We don't care about duplications (more slots can
++ * support the same mechanism), we just want to know what mechanisms can be
++ * possibly supported in hardware on that particular machine. As said before,
++ * pkcs11_kernel will show you hardware providers only.
++ *
++ * Then, we rely on the fact that since we use libpkcs11 library we will find
++ * the metaslot. When we go through the metaslot's mechanisms for symmetric
++ * ciphers and digests, we check that any found mechanism is in the table
++ * created using the pkcs11_kernel library. So, as a result we have two arrays
++ * of mechanisms that were advertised as supported in hardware which was the
++ * goal of that whole excercise. Thus, we can use libpkcs11 but avoid soft token
++ * code for symmetric ciphers and digests. See pk11_choose_slots() for more
++ * information.
++ *
++ * This is Solaris specific code, if SOLARIS_HW_SLOT_SELECTION is not defined
++ * the code won't be used.
++ */
++#if defined(__sparcv9) || defined(__x86_64) || defined(__amd64)
++static const char pkcs11_kernel[] = "/usr/lib/security/64/pkcs11_kernel.so.1";
++#else
++static const char pkcs11_kernel[] = "/usr/lib/security/pkcs11_kernel.so.1";
++#endif
++
++/*
++ * Check hardware capabilities of the machines. The output are two lists,
++ * hw_cnids and hw_dnids, that contain hardware mechanisms found in all hardware
++ * providers together. They are not sorted and may contain duplicate mechanisms.
++ */
++static int check_hw_mechanisms(void)
++	{
++	int i;
++	CK_RV rv;
++	void *handle;
++	CK_C_GetFunctionList p;
++	CK_TOKEN_INFO token_info;
++	CK_ULONG ulSlotCount = 0;
++	int n_cipher = 0, n_digest = 0;
++	CK_FUNCTION_LIST_PTR pflist = NULL;
++	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++	int *tmp_hw_cnids = NULL, *tmp_hw_dnids = NULL;
++	int hw_ctable_size, hw_dtable_size;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: SOLARIS_HW_SLOT_SELECTION code running\n",
++	    PK11_DBG);
++#endif
++	if ((handle = dlopen(pkcs11_kernel, RTLD_LAZY)) == NULL)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	if ((p = (CK_C_GetFunctionList)dlsym(handle,
++	    PK11_GET_FUNCTION_LIST)) == NULL)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the full function list from the loaded library */
++	if (p(&pflist) != CKR_OK)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	rv = pflist->C_Initialize(NULL_PTR);
++	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++		{
++		PK11err_add_data(PK11_F_CHECK_HW_MECHANISMS,
++		    PK11_R_INITIALIZE, rv);
++		goto err;
++		}
++
++	if (pflist->C_GetSlotList(0, NULL_PTR, &ulSlotCount) != CKR_OK)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
++		goto err;
++		}
++
++	/* no slots, set the hw mechanism tables as empty */
++	if (ulSlotCount == 0)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: no hardware mechanisms found\n", PK11_DBG);
++#endif
++		hw_cnids = OPENSSL_malloc(sizeof (int));
++		hw_dnids = OPENSSL_malloc(sizeof (int));
++		if (hw_cnids == NULL || hw_dnids == NULL)
++			{
++			PK11err(PK11_F_CHECK_HW_MECHANISMS,
++			    PK11_R_MALLOC_FAILURE);
++			return (0);
++			}
++		/* this means empty tables */
++		hw_cnids[0] = NID_undef;
++		hw_dnids[0] = NID_undef;
++		return (1);
++		}
++
++	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++	if (pSlotList == NULL)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	/* Get the slot list for processing */
++	if (pflist->C_GetSlotList(0, pSlotList, &ulSlotCount) != CKR_OK)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
++		goto err;
++		}
++
++	/*
++	 * We don't care about duplicit mechanisms in multiple slots and also
++	 * reserve one slot for the terminal NID_undef which we use to stop the
++	 * search.
++	 */
++	hw_ctable_size = ulSlotCount * PK11_CIPHER_MAX + 1;
++	hw_dtable_size = ulSlotCount * PK11_DIGEST_MAX + 1;
++	tmp_hw_cnids = OPENSSL_malloc(hw_ctable_size * sizeof (int));
++	tmp_hw_dnids = OPENSSL_malloc(hw_dtable_size * sizeof (int));
++	if (tmp_hw_cnids == NULL || tmp_hw_dnids == NULL)
++		{
++		PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	/*
++	 * Do not use memset since we should not rely on the fact that NID_undef
++	 * is zero now.
++	 */
++	for (i = 0; i < hw_ctable_size; ++i)
++		tmp_hw_cnids[i] = NID_undef;
++	for (i = 0; i < hw_dtable_size; ++i)
++		tmp_hw_dnids[i] = NID_undef;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, pkcs11_kernel);
++	fprintf(stderr, "%s: found %d hardware slots\n", PK11_DBG, ulSlotCount);
++	fprintf(stderr, "%s: now looking for mechs supported in hw\n",
++	    PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		/*
++		 * We are filling the hw mech tables here. Global tables are
++		 * still NULL so all mechanisms are put into tmp tables.
++		 */
++		pk11_find_symmetric_ciphers(pflist, pSlotList[i],
++		    &n_cipher, tmp_hw_cnids);
++		pk11_find_digests(pflist, pSlotList[i],
++		    &n_digest, tmp_hw_dnids);
++		}
++
++	/*
++	 * Since we are part of a library (libcrypto.so), calling this function
++	 * may have side-effects. Also, C_Finalize() is triggered by
++	 * dlclose(3C).
++	 */
++#if 0
++	pflist->C_Finalize(NULL);
++#endif
++	OPENSSL_free(pSlotList);
++	(void) dlclose(handle);
++	hw_cnids = tmp_hw_cnids;
++	hw_dnids = tmp_hw_dnids;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: hw mechs check complete\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++	return (1);
++
++err:
++	if (pSlotList != NULL)
++		OPENSSL_free(pSlotList);
++	if (tmp_hw_cnids != NULL)
++		OPENSSL_free(tmp_hw_cnids);
++	if (tmp_hw_dnids != NULL)
++		OPENSSL_free(tmp_hw_dnids);
++
++	return (0);
++	}
++
++/*
++ * Check presence of a NID in the table of NIDs. The table may be NULL (i.e.,
++ * non-existent).
++ */
++static int nid_in_table(int nid, int *nid_table)
++	{
++	int i = 0;
++
++	/*
++	 * a special case. NULL means that we are initializing a new
++	 * table.
++	 */
++	if (nid_table == NULL)
++		return (1);
++
++	/*
++	 * the table is never full, there is always at least one
++	 * NID_undef.
++	 */
++	while (nid_table[i] != NID_undef)
++		{
++		if (nid_table[i++] == nid)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, " (NID %d in hw table, idx %d)", nid, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++			return (1);
++			}
++		}
++
++	return (0);
++	}
++#endif	/* SOLARIS_HW_SLOT_SELECTION */
++
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11_err.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11_err.c	Wed Dec 17 16:14:26 2008
+@@ -0,0 +1,259 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_err.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include 
++#include 
++#include "hw_pk11_err.h"
++
++/* BEGIN ERROR CODES */
++#ifndef OPENSSL_NO_ERR
++static ERR_STRING_DATA pk11_str_functs[]=
++{
++{ ERR_PACK(0, PK11_F_INIT, 0),			"PK11_INIT"},
++{ ERR_PACK(0, PK11_F_FINISH, 0),		"PK11_FINISH"},
++{ ERR_PACK(0, PK11_F_DESTROY, 0),		"PK11_DESTROY"},
++{ ERR_PACK(0, PK11_F_CTRL, 0),			"PK11_CTRL"},
++{ ERR_PACK(0, PK11_F_RSA_INIT, 0),		"PK11_RSA_INIT"},
++{ ERR_PACK(0, PK11_F_RSA_FINISH, 0),		"PK11_RSA_FINISH"},
++{ ERR_PACK(0, PK11_F_GET_PUB_RSA_KEY, 0),	"PK11_GET_PUB_RSA_KEY"},
++{ ERR_PACK(0, PK11_F_GET_PRIV_RSA_KEY, 0),	"PK11_GET_PRIV_RSA_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_GEN_KEY, 0),		"PK11_RSA_GEN_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_ENC, 0),		"PK11_RSA_PUB_ENC"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC, 0),		"PK11_RSA_PRIV_ENC"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_DEC, 0),		"PK11_RSA_PUB_DEC"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC, 0),		"PK11_RSA_PRIV_DEC"},
++{ ERR_PACK(0, PK11_F_RSA_SIGN, 0),		"PK11_RSA_SIGN"},
++{ ERR_PACK(0, PK11_F_RSA_VERIFY, 0),		"PK11_RSA_VERIFY"},
++{ ERR_PACK(0, PK11_F_RAND_ADD, 0),		"PK11_RAND_ADD"},
++{ ERR_PACK(0, PK11_F_RAND_BYTES, 0),		"PK11_RAND_BYTES"},
++{ ERR_PACK(0, PK11_F_GET_SESSION, 0),		"PK11_GET_SESSION"},
++{ ERR_PACK(0, PK11_F_FREE_SESSION, 0),		"PK11_FREE_SESSION"},
++{ ERR_PACK(0, PK11_F_LOAD_PUBKEY, 0),		"PK11_LOAD_PUBKEY"},
++{ ERR_PACK(0, PK11_F_LOAD_PRIVKEY, 0),		"PK11_LOAD_PRIV_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_ENC_LOW, 0),	"PK11_RSA_PUB_ENC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC_LOW, 0),	"PK11_RSA_PRIV_ENC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_DEC_LOW, 0),	"PK11_RSA_PUB_DEC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC_LOW, 0),	"PK11_RSA_PRIV_DEC_LOW"},
++{ ERR_PACK(0, PK11_F_DSA_SIGN, 0),		"PK11_DSA_SIGN"},
++{ ERR_PACK(0, PK11_F_DSA_VERIFY, 0),		"PK11_DSA_VERIFY"},
++{ ERR_PACK(0, PK11_F_DSA_INIT, 0),		"PK11_DSA_INIT"},
++{ ERR_PACK(0, PK11_F_DSA_FINISH, 0),		"PK11_DSA_FINISH"},
++{ ERR_PACK(0, PK11_F_GET_PUB_DSA_KEY, 0),	"PK11_GET_PUB_DSA_KEY"},
++{ ERR_PACK(0, PK11_F_GET_PRIV_DSA_KEY, 0),	"PK11_GET_PRIV_DSA_KEY"},
++{ ERR_PACK(0, PK11_F_DH_INIT, 0),		"PK11_DH_INIT"},
++{ ERR_PACK(0, PK11_F_DH_FINISH, 0),		"PK11_DH_FINISH"},
++{ ERR_PACK(0, PK11_F_MOD_EXP_DH, 0),		"PK11_MOD_EXP_DH"},
++{ ERR_PACK(0, PK11_F_GET_DH_KEY, 0),		"PK11_GET_DH_KEY"},
++{ ERR_PACK(0, PK11_F_FREE_ALL_SESSIONS, 0),	"PK11_FREE_ALL_SESSIONS"},
++{ ERR_PACK(0, PK11_F_SETUP_SESSION, 0),		"PK11_SETUP_SESSION"},
++{ ERR_PACK(0, PK11_F_DESTROY_OBJECT, 0),	"PK11_DESTROY_OBJECT"},
++{ ERR_PACK(0, PK11_F_CIPHER_INIT, 0),		"PK11_CIPHER_INIT"},
++{ ERR_PACK(0, PK11_F_CIPHER_DO_CIPHER, 0),	"PK11_CIPHER_DO_CIPHER"},
++{ ERR_PACK(0, PK11_F_GET_CIPHER_KEY, 0),	"PK11_GET_CIPHER_KEY"},
++{ ERR_PACK(0, PK11_F_DIGEST_INIT, 0),		"PK11_DIGEST_INIT"},
++{ ERR_PACK(0, PK11_F_DIGEST_UPDATE, 0),		"PK11_DIGEST_UPDATE"},
++{ ERR_PACK(0, PK11_F_DIGEST_FINAL, 0),		"PK11_DIGEST_FINAL"},
++{ ERR_PACK(0, PK11_F_CHOOSE_SLOT, 0),		"PK11_CHOOSE_SLOT"},
++{ ERR_PACK(0, PK11_F_CIPHER_FINAL, 0),		"PK11_CIPHER_FINAL"},
++{ ERR_PACK(0, PK11_F_LIBRARY_INIT, 0),		"PK11_LIBRARY_INIT"},
++{ ERR_PACK(0, PK11_F_LOAD, 0),			"ENGINE_LOAD_PK11"},
++{ ERR_PACK(0, PK11_F_DH_GEN_KEY, 0),		"PK11_DH_GEN_KEY"},
++{ ERR_PACK(0, PK11_F_DH_COMP_KEY, 0),		"PK11_DH_COMP_KEY"},
++{ ERR_PACK(0, PK11_F_DIGEST_COPY, 0),		"PK11_DIGEST_COPY"},
++{ ERR_PACK(0, PK11_F_CIPHER_CLEANUP, 0),	"PK11_CIPHER_CLEANUP"},
++{ ERR_PACK(0, PK11_F_ACTIVE_ADD, 0),		"PK11_ACTIVE_ADD"},
++{ ERR_PACK(0, PK11_F_ACTIVE_DELETE, 0),		"PK11_ACTIVE_DELETE"},
++{ ERR_PACK(0, PK11_F_CHECK_HW_MECHANISMS, 0),	"PK11_CHECK_HW_MECHANISMS"},
++{ ERR_PACK(0, PK11_F_INIT_SYMMETRIC, 0),	"PK11_INIT_SYMMETRIC"},
++{ ERR_PACK(0, PK11_F_ADD_AES_CTR_NIDS, 0),	"PK11_ADD_AES_CTR_NIDS"},
++{ 0, NULL}
++};
++
++static ERR_STRING_DATA pk11_str_reasons[]=
++{
++{ PK11_R_ALREADY_LOADED,		"PKCS#11 DSO already loaded"},
++{ PK11_R_DSO_FAILURE,			"unable to load PKCS#11 DSO"},
++{ PK11_R_NOT_LOADED,			"PKCS#11 DSO not loaded"},
++{ PK11_R_PASSED_NULL_PARAMETER,		"null parameter passed"},
++{ PK11_R_COMMAND_NOT_IMPLEMENTED,	"command not implemented"},
++{ PK11_R_INITIALIZE,			"C_Initialize failed"},
++{ PK11_R_FINALIZE,			"C_Finalize failed"},
++{ PK11_R_GETINFO,			"C_GetInfo faile"},
++{ PK11_R_GETSLOTLIST,			"C_GetSlotList failed"},
++{ PK11_R_NO_MODULUS_OR_NO_EXPONENT,	"no modulus or no exponent"},
++{ PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID,	"attr sensitive or invalid"},
++{ PK11_R_GETATTRIBUTVALUE,		"C_GetAttributeValue failed"},
++{ PK11_R_NO_MODULUS,			"no modulus"},
++{ PK11_R_NO_EXPONENT,			"no exponent"},
++{ PK11_R_FINDOBJECTSINIT,		"C_FindObjectsInit failed"},
++{ PK11_R_FINDOBJECTS,			"C_FindObjects failed"},
++{ PK11_R_FINDOBJECTSFINAL,		"C_FindObjectsFinal failed"},
++{ PK11_R_CREATEOBJECT,			"C_CreateObject failed"},
++{ PK11_R_DESTROYOBJECT,			"C_DestroyObject failed"},
++{ PK11_R_OPENSESSION,			"C_OpenSession failed"},
++{ PK11_R_CLOSESESSION,			"C_CloseSession failed"},
++{ PK11_R_ENCRYPTINIT,			"C_EncryptInit failed"},
++{ PK11_R_ENCRYPT,			"C_Encrypt failed"},
++{ PK11_R_SIGNINIT,			"C_SignInit failed"},
++{ PK11_R_SIGN,				"C_Sign failed"},
++{ PK11_R_DECRYPTINIT,			"C_DecryptInit failed"},
++{ PK11_R_DECRYPT,			"C_Decrypt failed"},
++{ PK11_R_VERIFYINIT,			"C_VerifyRecover failed"},
++{ PK11_R_VERIFY,			"C_Verify failed"},
++{ PK11_R_VERIFYRECOVERINIT,		"C_VerifyRecoverInit failed"},
++{ PK11_R_VERIFYRECOVER,			"C_VerifyRecover failed"},
++{ PK11_R_GEN_KEY,			"C_GenerateKeyPair failed"},
++{ PK11_R_SEEDRANDOM,			"C_SeedRandom failed"},
++{ PK11_R_GENERATERANDOM,		"C_GenerateRandom failed"},
++{ PK11_R_INVALID_MESSAGE_LENGTH,	"invalid message length"},
++{ PK11_R_UNKNOWN_ALGORITHM_TYPE,	"unknown algorithm type"},
++{ PK11_R_UNKNOWN_ASN1_OBJECT_ID,	"unknown asn1 onject id"},
++{ PK11_R_UNKNOWN_PADDING_TYPE,		"unknown padding type"},
++{ PK11_R_PADDING_CHECK_FAILED,		"padding check failed"},
++{ PK11_R_DIGEST_TOO_BIG,		"digest too big"},
++{ PK11_R_MALLOC_FAILURE,		"malloc failure"},
++{ PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED,	"ctl command not implemented"},
++{ PK11_R_DATA_GREATER_THAN_MOD_LEN,	"data is bigger than mod"},
++{ PK11_R_DATA_TOO_LARGE_FOR_MODULUS,	"data is too larger for mod"},
++{ PK11_R_MISSING_KEY_COMPONENT,		"a dsa component is missing"},
++{ PK11_R_INVALID_SIGNATURE_LENGTH,	"invalid signature length"},
++{ PK11_R_INVALID_DSA_SIGNATURE_R,	"missing r in dsa verify"},
++{ PK11_R_INVALID_DSA_SIGNATURE_S,	"missing s in dsa verify"},
++{ PK11_R_INCONSISTENT_KEY,		"inconsistent key type"},
++{ PK11_R_ENCRYPTUPDATE,			"C_EncryptUpdate failed"},
++{ PK11_R_DECRYPTUPDATE,			"C_DecryptUpdate failed"},
++{ PK11_R_DIGESTINIT,			"C_DigestInit failed"},
++{ PK11_R_DIGESTUPDATE,			"C_DigestUpdate failed"},
++{ PK11_R_DIGESTFINAL,			"C_DigestFinal failed"},
++{ PK11_R_ENCRYPTFINAL,			"C_EncryptFinal failed"},
++{ PK11_R_DECRYPTFINAL,			"C_DecryptFinal failed"},
++{ PK11_R_NO_PRNG_SUPPORT,		"Slot does not support PRNG"},
++{ PK11_R_GETTOKENINFO,			"C_GetTokenInfo failed"},
++{ PK11_R_DERIVEKEY,			"C_DeriveKey failed"},
++{ PK11_R_GET_OPERATION_STATE,		"C_GetOperationState failed"},
++{ PK11_R_SET_OPERATION_STATE,		"C_SetOperationState failed"},
++{ PK11_R_INVALID_PIN,			"invalid PIN"},
++{ PK11_R_TOO_MANY_OBJECTS,		"too many objects"},
++{ PK11_R_OBJECT_NOT_FOUND,		"object not found"},
++{ PK11_R_INVALID_HANDLE,		"invalid PKCS#11 object handle"},
++{ PK11_R_KEY_OR_IV_LEN_PROBLEM,		"IV or key length incorrect"},
++{ PK11_R_INVALID_OPERATION_TYPE,	"invalid operation type"},
++{ PK11_R_ADD_NID_FAILED,		"failed to add NID" },
++{ 0,	NULL}
++};
++#endif	/* OPENSSL_NO_ERR */
++
++static int pk11_lib_error_code = 0;
++static int pk11_error_init = 1;
++
++static void
++ERR_load_pk11_strings(void)
++	{
++	if (pk11_lib_error_code == 0)
++		pk11_lib_error_code = ERR_get_next_error_library();
++
++	if (pk11_error_init)
++		{
++		pk11_error_init = 0;
++#ifndef OPENSSL_NO_ERR
++		ERR_load_strings(pk11_lib_error_code, pk11_str_functs);
++		ERR_load_strings(pk11_lib_error_code, pk11_str_reasons);
++#endif
++		}
++}
++
++static void
++ERR_unload_pk11_strings(void)
++	{
++	if (pk11_error_init == 0)
++		{
++#ifndef OPENSSL_NO_ERR
++		ERR_unload_strings(pk11_lib_error_code, pk11_str_functs);
++		ERR_unload_strings(pk11_lib_error_code, pk11_str_reasons);
++#endif
++		pk11_error_init = 1;
++		}
++}
++
++void
++ERR_pk11_error(int function, int reason, char *file, int line)
++{
++	if (pk11_lib_error_code == 0)
++		pk11_lib_error_code = ERR_get_next_error_library();
++	ERR_PUT_error(pk11_lib_error_code, function, reason, file, line);
++}
++
++void
++PK11err_add_data(int function, int reason, CK_RV rv)
++{
++	char tmp_buf[20];
++
++	PK11err(function, reason);
++	(void) BIO_snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
++	ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
++}
+Index: openssl/crypto/engine/hw_pk11_err.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11_err.h	Wed Dec 17 15:01:45 2008
+@@ -0,0 +1,402 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_err.h */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#ifndef	HW_PK11_ERR_H
++#define	HW_PK11_ERR_H
++
++void ERR_pk11_error(int function, int reason, char *file, int line);
++void PK11err_add_data(int function, int reason, CK_RV rv);
++#define	PK11err(f, r)	ERR_pk11_error((f), (r), __FILE__, __LINE__)
++
++/* Error codes for the PK11 functions. */
++
++/* Function codes. */
++
++#define	PK11_F_INIT 				100
++#define	PK11_F_FINISH				101
++#define	PK11_F_DESTROY 				102
++#define	PK11_F_CTRL 				103
++#define	PK11_F_RSA_INIT 			104
++#define	PK11_F_RSA_FINISH 			105
++#define	PK11_F_GET_PUB_RSA_KEY 			106
++#define	PK11_F_GET_PRIV_RSA_KEY 		107
++#define	PK11_F_RSA_GEN_KEY 			108
++#define	PK11_F_RSA_PUB_ENC 			109
++#define	PK11_F_RSA_PRIV_ENC 			110
++#define	PK11_F_RSA_PUB_DEC 			111
++#define	PK11_F_RSA_PRIV_DEC 			112
++#define	PK11_F_RSA_SIGN 			113
++#define	PK11_F_RSA_VERIFY 			114
++#define	PK11_F_RAND_ADD 			115
++#define	PK11_F_RAND_BYTES 			116
++#define	PK11_F_GET_SESSION 			117
++#define	PK11_F_FREE_SESSION 			118
++#define	PK11_F_LOAD_PUBKEY 			119
++#define	PK11_F_LOAD_PRIVKEY 			120
++#define	PK11_F_RSA_PUB_ENC_LOW 			121
++#define	PK11_F_RSA_PRIV_ENC_LOW 		122
++#define	PK11_F_RSA_PUB_DEC_LOW 			123
++#define	PK11_F_RSA_PRIV_DEC_LOW 		124
++#define	PK11_F_DSA_SIGN				125
++#define	PK11_F_DSA_VERIFY			126
++#define	PK11_F_DSA_INIT				127
++#define	PK11_F_DSA_FINISH			128
++#define	PK11_F_GET_PUB_DSA_KEY 			129
++#define	PK11_F_GET_PRIV_DSA_KEY 		130
++#define	PK11_F_DH_INIT 				131
++#define	PK11_F_DH_FINISH 			132
++#define	PK11_F_MOD_EXP_DH 			133
++#define	PK11_F_GET_DH_KEY 			134
++#define	PK11_F_FREE_ALL_SESSIONS		135
++#define	PK11_F_SETUP_SESSION			136
++#define	PK11_F_DESTROY_OBJECT			137
++#define	PK11_F_CIPHER_INIT			138
++#define	PK11_F_CIPHER_DO_CIPHER			139
++#define	PK11_F_GET_CIPHER_KEY			140
++#define	PK11_F_DIGEST_INIT			141
++#define	PK11_F_DIGEST_UPDATE			142
++#define	PK11_F_DIGEST_FINAL			143
++#define	PK11_F_CHOOSE_SLOT			144
++#define	PK11_F_CIPHER_FINAL			145
++#define	PK11_F_LIBRARY_INIT 			146
++#define	PK11_F_LOAD 				147
++#define	PK11_F_DH_GEN_KEY			148
++#define	PK11_F_DH_COMP_KEY 			149
++#define	PK11_F_DIGEST_COPY 			150
++#define	PK11_F_CIPHER_CLEANUP			151
++#define	PK11_F_ACTIVE_ADD			152
++#define	PK11_F_ACTIVE_DELETE			153
++#define	PK11_F_CHECK_HW_MECHANISMS		154
++#define	PK11_F_INIT_SYMMETRIC			155
++#define	PK11_F_ADD_AES_CTR_NIDS			156
++#define	PK11_F_INIT_ALL_LOCKS			157
++#define	PK11_F_RETURN_SESSION			158
++
++/* Reason codes. */
++#define	PK11_R_ALREADY_LOADED 			100
++#define	PK11_R_DSO_FAILURE 			101
++#define	PK11_R_NOT_LOADED 			102
++#define	PK11_R_PASSED_NULL_PARAMETER 		103
++#define	PK11_R_COMMAND_NOT_IMPLEMENTED 		104
++#define	PK11_R_INITIALIZE 			105
++#define	PK11_R_FINALIZE 			106
++#define	PK11_R_GETINFO 				107
++#define	PK11_R_GETSLOTLIST 			108
++#define	PK11_R_NO_MODULUS_OR_NO_EXPONENT 	109
++#define	PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID 	110
++#define	PK11_R_GETATTRIBUTVALUE 		111
++#define	PK11_R_NO_MODULUS 			112
++#define	PK11_R_NO_EXPONENT 			113
++#define	PK11_R_FINDOBJECTSINIT 			114
++#define	PK11_R_FINDOBJECTS 			115
++#define	PK11_R_FINDOBJECTSFINAL 		116
++#define	PK11_R_CREATEOBJECT 			118
++#define	PK11_R_DESTROYOBJECT 			119
++#define	PK11_R_OPENSESSION 			120
++#define	PK11_R_CLOSESESSION 			121
++#define	PK11_R_ENCRYPTINIT 			122
++#define	PK11_R_ENCRYPT 				123
++#define	PK11_R_SIGNINIT 			124
++#define	PK11_R_SIGN 				125
++#define	PK11_R_DECRYPTINIT 			126
++#define	PK11_R_DECRYPT 				127
++#define	PK11_R_VERIFYINIT 			128
++#define	PK11_R_VERIFY 				129
++#define	PK11_R_VERIFYRECOVERINIT 		130
++#define	PK11_R_VERIFYRECOVER 			131
++#define	PK11_R_GEN_KEY 				132
++#define	PK11_R_SEEDRANDOM 			133
++#define	PK11_R_GENERATERANDOM 			134
++#define	PK11_R_INVALID_MESSAGE_LENGTH 		135
++#define	PK11_R_UNKNOWN_ALGORITHM_TYPE 		136
++#define	PK11_R_UNKNOWN_ASN1_OBJECT_ID 		137
++#define	PK11_R_UNKNOWN_PADDING_TYPE 		138
++#define	PK11_R_PADDING_CHECK_FAILED 		139
++#define	PK11_R_DIGEST_TOO_BIG 			140
++#define	PK11_R_MALLOC_FAILURE 			141
++#define	PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED 	142
++#define	PK11_R_DATA_GREATER_THAN_MOD_LEN 	143
++#define	PK11_R_DATA_TOO_LARGE_FOR_MODULUS 	144
++#define	PK11_R_MISSING_KEY_COMPONENT		145
++#define	PK11_R_INVALID_SIGNATURE_LENGTH		146
++#define	PK11_R_INVALID_DSA_SIGNATURE_R		147
++#define	PK11_R_INVALID_DSA_SIGNATURE_S		148
++#define	PK11_R_INCONSISTENT_KEY			149
++#define	PK11_R_ENCRYPTUPDATE			150
++#define	PK11_R_DECRYPTUPDATE			151
++#define	PK11_R_DIGESTINIT			152
++#define	PK11_R_DIGESTUPDATE			153
++#define	PK11_R_DIGESTFINAL			154
++#define	PK11_R_ENCRYPTFINAL			155
++#define	PK11_R_DECRYPTFINAL			156
++#define	PK11_R_NO_PRNG_SUPPORT			157
++#define	PK11_R_GETTOKENINFO			158
++#define	PK11_R_DERIVEKEY			159
++#define	PK11_R_GET_OPERATION_STATE		160
++#define	PK11_R_SET_OPERATION_STATE		161
++#define	PK11_R_INVALID_HANDLE			162
++#define	PK11_R_KEY_OR_IV_LEN_PROBLEM		163
++#define	PK11_R_INVALID_OPERATION_TYPE		164
++#define	PK11_R_ADD_NID_FAILED			165
++#define	PK11_R_ATFORK_FAILED			166
++#define	PK11_R_INVALID_PIN			167
++#define	PK11_R_TOO_MANY_OBJECTS			168
++#define	PK11_R_OBJECT_NOT_FOUND			169
++
++/* max byte length of a symetric key we support */
++#define	PK11_KEY_LEN_MAX			32
++
++#ifdef NOPTHREADS
++/*
++ * CRYPTO_LOCK_PK11_ENGINE lock is primarily used for the protection of the
++ * free_session list and active_list but generally serves as a global
++ * per-process lock for the whole engine.
++ *
++ * We reuse CRYPTO_LOCK_EC lock (which is defined in OpenSSL for EC method) as
++ * the global engine lock. This is not optimal w.r.t. performance but
++ * it's safe.
++ */
++#define CRYPTO_LOCK_PK11_ENGINE	CRYPTO_LOCK_EC
++#endif
++
++/*
++ * This structure encapsulates all reusable information for a PKCS#11
++ * session. A list of these objects is created on behalf of the
++ * calling application using an on-demand method. Each operation
++ * type (see PK11_OPTYPE below) has its own per-process list.
++ * Each of the lists is basically a cache for faster PKCS#11 object
++ * access to avoid expensive C_Find{,Init,Final}Object() calls.
++ *
++ * When a new request comes in, an object will be taken from the list
++ * (if there is one) or a new one is created to handle the request
++ * (if the list is empty). See pk11_get_session() on how it is done.
++ */
++typedef struct PK11_st_SESSION
++	{
++	struct PK11_st_SESSION	*next;
++	CK_SESSION_HANDLE	session;	/* PK11 session handle */
++	pid_t			pid;		/* Current process ID */
++	union
++		{
++#ifndef OPENSSL_NO_RSA
++		struct
++			{
++			CK_OBJECT_HANDLE	rsa_pub_key; /* pub handle */
++			CK_OBJECT_HANDLE	rsa_priv_key; /* priv handle */
++			RSA			*rsa_pub; /* pub key addr */
++			BIGNUM			*rsa_n_num; /* pub modulus */
++			BIGNUM			*rsa_e_num; /* pub exponent */
++			RSA			*rsa_priv; /* priv key addr */
++			BIGNUM			*rsa_d_num; /* priv exponent */
++			} u_RSA;
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++		struct
++			{
++			CK_OBJECT_HANDLE	dsa_pub_key; /* pub handle */
++			CK_OBJECT_HANDLE	dsa_priv_key; /* priv handle */
++			DSA			*dsa_pub; /* pub key addr */
++			BIGNUM			*dsa_pub_num; /* pub key */
++			DSA			*dsa_priv; /* priv key addr */
++			BIGNUM			*dsa_priv_num; /* priv key */
++			} u_DSA;
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++		struct
++			{
++			CK_OBJECT_HANDLE	dh_key; /* key handle */
++			DH			*dh; /* dh key addr */
++			BIGNUM			*dh_priv_num; /* priv dh key */
++			} u_DH;
++#endif /* OPENSSL_NO_DH */
++		struct
++			{
++			CK_OBJECT_HANDLE	cipher_key; /* key handle */
++			unsigned char		key[PK11_KEY_LEN_MAX];
++			int			key_len; /* priv key len */
++			int			encrypt; /* 1/0 enc/decr */
++			} u_cipher;
++		} opdata_u;
++	} PK11_SESSION;
++
++#define	opdata_rsa_pub_key	opdata_u.u_RSA.rsa_pub_key
++#define	opdata_rsa_priv_key	opdata_u.u_RSA.rsa_priv_key
++#define	opdata_rsa_pub		opdata_u.u_RSA.rsa_pub
++#define	opdata_rsa_priv		opdata_u.u_RSA.rsa_priv
++#define	opdata_rsa_n_num	opdata_u.u_RSA.rsa_n_num
++#define	opdata_rsa_e_num	opdata_u.u_RSA.rsa_e_num
++#define	opdata_rsa_d_num	opdata_u.u_RSA.rsa_d_num
++#define	opdata_dsa_pub_key	opdata_u.u_DSA.dsa_pub_key
++#define	opdata_dsa_priv_key	opdata_u.u_DSA.dsa_priv_key
++#define	opdata_dsa_pub		opdata_u.u_DSA.dsa_pub
++#define	opdata_dsa_pub_num	opdata_u.u_DSA.dsa_pub_num
++#define	opdata_dsa_priv		opdata_u.u_DSA.dsa_priv
++#define	opdata_dsa_priv_num	opdata_u.u_DSA.dsa_priv_num
++#define	opdata_dh_key		opdata_u.u_DH.dh_key
++#define	opdata_dh		opdata_u.u_DH.dh
++#define	opdata_dh_priv_num	opdata_u.u_DH.dh_priv_num
++#define	opdata_cipher_key	opdata_u.u_cipher.cipher_key
++#define	opdata_key		opdata_u.u_cipher.key
++#define	opdata_key_len		opdata_u.u_cipher.key_len
++#define	opdata_encrypt		opdata_u.u_cipher.encrypt
++
++/*
++ * We have 3 different groups of operation types:
++ *   1) asymmetric operations
++ *   2) random operations
++ *   3) symmetric and digest operations
++ *
++ * This division into groups stems from the fact that it's common that hardware
++ * providers may support operations from one group only. For example, hardware
++ * providers on UltraSPARC T2, n2rng(7d), ncp(7d), and n2cp(7d), each support
++ * only a single group of operations.
++ *
++ * For every group a different slot can be chosen. That means that we must have
++ * at least 3 different lists of cached PKCS#11 sessions since sessions from
++ * different groups may be initialized in different slots.
++ *
++ * To provide locking granularity in multithreaded environment, the groups are
++ * further splitted into types with each type having a separate session cache.
++ */
++typedef enum PK11_OPTYPE_ENUM
++	{
++	OP_RAND,
++	OP_RSA,
++	OP_DSA,
++	OP_DH,
++	OP_CIPHER,
++	OP_DIGEST,
++	OP_MAX
++	} PK11_OPTYPE;
++
++/*
++ * This structure contains the heads of the lists forming the object caches
++ * and locks associated with the lists.
++ */
++typedef struct PK11_st_CACHE
++	{
++	PK11_SESSION *head;
++#ifndef NOPTHREADS
++	pthread_mutex_t *lock;
++#endif
++	} PK11_CACHE;
++
++/* structure for tracking handles of asymmetric key objects */
++typedef struct PK11_active_st
++	{
++	CK_OBJECT_HANDLE h;
++	unsigned int refcnt;
++	struct PK11_active_st *prev;
++	struct PK11_active_st *next;
++	} PK11_active;
++
++#ifndef NOPTHREADS
++extern pthread_mutex_t *find_lock[];
++#endif
++extern PK11_active *active_list[];
++
++#ifndef NOPTHREADS
++#define	LOCK_OBJSTORE(alg_type)	\
++	(void) pthread_mutex_lock(find_lock[alg_type])
++#define	UNLOCK_OBJSTORE(alg_type)	\
++	(void) pthread_mutex_unlock(find_lock[alg_type])
++#else
++#define	LOCK_OBJSTORE(alg_type)	\
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
++#define	UNLOCK_OBJSTORE(alg_type)	\
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE)
++#endif
++
++extern PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++extern void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++#ifndef OPENSSL_NO_RSA
++extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++extern int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++extern EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++extern EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++extern RSA_METHOD *PK11_RSA(void);
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++extern int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++extern DSA_METHOD *PK11_DSA(void);
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock);
++extern DH_METHOD *PK11_DH(void);
++#endif /* OPENSSL_NO_DH */
++
++extern CK_FUNCTION_LIST_PTR pFuncList;
++
++#endif /* HW_PK11_ERR_H */
+Index: openssl/crypto/engine/hw_pk11_pub-kp.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub-kp.c:1.21
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11_pub-kp.c	Tue Sep  1 06:02:18 2009
+@@ -0,0 +1,896 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_pub.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++#define NOPTHREADS
++typedef int pid_t;
++#define HAVE_GETPASSPHRASE
++static char *getpassphrase(const char *prompt);
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11_err.h"
++
++#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
++#define getpassphrase(x)	getpass(x)
++#endif
++
++/* RSA stuff */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
++EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
++	BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
++
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
++
++/* Read mode string to be used for fopen() */
++#if SOLARIS_OPENSSL
++static char *read_mode_flags = "rF";
++#else
++static char *read_mode_flags = "r";
++#endif
++
++/*
++ * increment/create reference for an asymmetric key handle via active list
++ * manipulation. If active list operation fails, unlock (if locked), set error
++ * variable and jump to the specified label.
++ */
++#define	KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label)	\
++	{								\
++	if (pk11_active_add(key_handle, alg_type) < 0)			\
++		{							\
++		var = TRUE;						\
++		if (unlock)						\
++			UNLOCK_OBJSTORE(alg_type);			\
++		goto label;						\
++		}							\
++	}
++
++/*
++ * Find active list entry according to object handle and return pointer to the
++ * entry otherwise return NULL.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	for (entry = active_list[type]; entry != NULL; entry = entry->next)
++		if (entry->h == h)
++			return (entry);
++
++	return (NULL);
++	}
++
++/*
++ * Search for an entry in the active list using PKCS#11 object handle as a
++ * search key and return refcnt of the found/created entry or -1 in case of
++ * failure.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if (h == CK_INVALID_HANDLE)
++		{
++		PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	/* search for entry in the active list */
++	if ((entry = pk11_active_find(h, type)) != NULL)
++		entry->refcnt++;
++	else
++		{
++		/* not found, create new entry and add it to the list */
++		entry = OPENSSL_malloc(sizeof (PK11_active));
++		if (entry == NULL)
++			{
++			PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
++			return (-1);
++			}
++		entry->h = h;
++		entry->refcnt = 1;
++		entry->prev = NULL;
++		entry->next = NULL;
++		/* connect the newly created entry to the list */
++		if (active_list[type] == NULL)
++			active_list[type] = entry;
++		else /* make the entry first in the list */
++			{
++			entry->next = active_list[type];
++			active_list[type]->prev = entry;
++			active_list[type] = entry;
++			}
++		}
++
++	return (entry->refcnt);
++	}
++
++/*
++ * Remove active list entry from the list and free it.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++void
++pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
++	{
++	PK11_active *prev_entry;
++
++	/* remove the entry from the list and free it */
++	if ((prev_entry = entry->prev) != NULL)
++		{
++		prev_entry->next = entry->next;
++		if (entry->next != NULL)
++			entry->next->prev = prev_entry;
++		}
++	else
++		{
++		active_list[type] = entry->next;
++		/* we were the first but not the only one */
++		if (entry->next != NULL)
++			entry->next->prev = NULL;
++		}
++
++	/* sanitization */
++	entry->h = CK_INVALID_HANDLE;
++	entry->prev = NULL;
++	entry->next = NULL;
++	OPENSSL_free(entry);
++	}
++
++/* Free all entries from the active list. */
++void
++pk11_free_active_list(PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	/* only for asymmetric types since only they have C_Find* locks. */
++	switch (type)
++		{
++		case OP_RSA:
++			break;
++		default:
++			return;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(type);
++	while ((entry = active_list[type]) != NULL)
++		pk11_active_remove(entry, type);
++	UNLOCK_OBJSTORE(type);
++	}
++
++/*
++ * Search for active list entry associated with given PKCS#11 object handle,
++ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
++ *
++ * Return 1 if the PKCS#11 object associated with the entry has no references,
++ * return 0 if there is at least one reference, -1 on error.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if ((entry = pk11_active_find(h, type)) == NULL)
++		{
++		PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	OPENSSL_assert(entry->refcnt > 0);
++	entry->refcnt--;
++	if (entry->refcnt == 0)
++		{
++		pk11_active_remove(entry, type);
++		return (1);
++		}
++
++	return (0);
++	}
++
++/* Our internal RSA_METHOD that we provide pointers to */
++static RSA_METHOD pk11_rsa;
++
++RSA_METHOD *
++PK11_RSA(void)
++	{
++	const RSA_METHOD *rsa;
++
++	if (pk11_rsa.name == NULL)
++		{
++		rsa = RSA_PKCS1_SSLeay();
++		memcpy(&pk11_rsa, rsa, sizeof(*rsa));
++		pk11_rsa.name = "PKCS#11 RSA method";
++		pk11_rsa.rsa_sign = pk11_RSA_sign;
++		}
++	return (&pk11_rsa);
++	}
++
++/* Size of an SSL signature: MD5+SHA1 */
++#define	SSL_SIG_LENGTH		36
++
++/*
++ * Standard engine interface function. Majority codes here are from
++ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
++ * See more details in rsa/rsa_sign.c
++ */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
++	{
++	X509_SIG sig;
++	ASN1_TYPE parameter;
++	int i, j = 0;
++	unsigned char *p, *s = NULL;
++	X509_ALGOR algor;
++	ASN1_OCTET_STRING digest;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_priv_key;
++	PK11_SESSION *sp = NULL;
++	int ret = 0;
++	unsigned long ulsiglen;
++
++	/* Encode the digest */
++	/* Special case: SSL signature, just check the length */
++	if (type == NID_md5_sha1)
++		{
++		if (m_len != SSL_SIG_LENGTH)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_INVALID_MESSAGE_LENGTH);
++			goto err;
++			}
++		i = SSL_SIG_LENGTH;
++		s = (unsigned char *)m;
++		}
++	else
++		{
++		sig.algor = &algor;
++		sig.algor->algorithm = OBJ_nid2obj(type);
++		if (sig.algor->algorithm == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ALGORITHM_TYPE);
++			goto err;
++			}
++		if (sig.algor->algorithm->length == 0)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++			goto err;
++			}
++		parameter.type = V_ASN1_NULL;
++		parameter.value.ptr = NULL;
++		sig.algor->parameter = ¶meter;
++
++		sig.digest = &digest;
++		sig.digest->data = (unsigned char *)m;
++		sig.digest->length = m_len;
++
++		i = i2d_X509_SIG(&sig, NULL);
++		}
++
++	j = RSA_size(rsa);
++	if ((i - RSA_PKCS1_PADDING) > j)
++		{
++		PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
++		goto err;
++		}
++
++	if (type != NID_md5_sha1)
++		{
++		s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++		if (s == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		p = s;
++		(void) i2d_X509_SIG(&sig, &p);
++		}
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		goto err;
++
++	(void) check_new_rsa_key_priv(sp, rsa);
++
++	h_priv_key = sp->opdata_rsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_rsa_priv_key =
++			pk11_get_private_rsa_key((RSA *)rsa,
++			    &sp->opdata_rsa_priv,
++			    &sp->opdata_rsa_d_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
++			goto err;
++			}
++
++		ulsiglen = j;
++		rv = pFuncList->C_Sign(sp->session, s, i, sigret,
++			(CK_ULONG_PTR) &ulsiglen);
++		*siglen = ulsiglen;
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
++			goto err;
++			}
++		ret = 1;
++		}
++
++err:
++	if ((type != NID_md5_sha1) && (s != NULL))
++		{
++		(void) memset(s, 0, (unsigned int)(j + 1));
++		OPENSSL_free(s);
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (ret);
++	}
++
++static int hndidx_rsa = -1;
++
++/* load RSA private key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *privkey;
++	RSA *rsa;
++	PK11_SESSION *sp = NULL;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for private keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(privkey_file, "pkcs11:") == privkey_file)
++		{
++		if ((sp = pk11_get_session(OP_RSA)) == NULL)
++			return (NULL);
++
++		search_templ[2].pValue = strstr(privkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++
++		LOCK_OBJSTORE(OP_RSA);
++		if ((rv = pFuncList->C_FindObjectsInit(sp->session,
++		    search_templ, 3)) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		if (hndidx_rsa == -1)
++			hndidx_rsa = RSA_get_ex_new_index(0,
++				        "pkcs11 RSA HSM key handle",
++					NULL, NULL, NULL);
++
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_set1_RSA(pkey, rsa);
++
++		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2)) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++			}
++
++		/* Note: these flags are critical! */
++		rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
++		RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
++		(void) check_new_rsa_key_priv(sp, rsa);
++		sp->opdata_rsa_priv = rsa;
++		sp->opdata_rsa_priv_key = ks_key;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
++		(void) fclose(privkey);
++		}
++
++err:
++	if (sp != NULL)
++		pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/* load RSA public key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *pubkey;
++	RSA *rsa;
++	PK11_SESSION *sp = NULL;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for public keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
++		{
++		if ((sp = pk11_get_session(OP_RSA)) == NULL)
++			return (NULL);
++
++		search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++#define ALLWAYS_LOGIN
++#ifdef ALLWAYS_LOGIN
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++#endif
++
++		LOCK_OBJSTORE(OP_RSA);
++		if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		sp->opdata_rsa_pub_key = ks_key;
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_set1_RSA(pkey, rsa);
++
++		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			goto err;
++			}
++
++		(void) check_new_rsa_key_pub(sp, rsa);
++		sp->opdata_rsa_pub = rsa;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
++		(void) fclose(pubkey);
++		}
++
++err:
++	if (sp != NULL)
++		pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/*
++ * Create a private key object in the session from a given rsa structure.
++ * The *rsa_d_num pointer is non-NULL for RSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
++    RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
++	{
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++
++	if ((rsa->flags & RSA_FLAG_EXT_PKEY) == 0) {
++		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_INCONSISTENT_KEY);
++		return (h_key);
++	}
++	
++	h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
++	(void) pk11_active_add(h_key, OP_RSA);
++	if (key_ptr != NULL)
++		*key_ptr = rsa;
++	if (rsa_d_num != NULL)
++		{
++		if (rsa->d == NULL)
++			*rsa_d_num = NULL;
++		else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
++			{
++			PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++			return (h_key);
++			}
++		}
++	return (h_key);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Only public components of RSA
++	 * key matter here so it is sufficient to compare them with values
++	 * cached in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_rsa_pub != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
++	    (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_pub(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Comparing private exponent of RSA
++	 * key with value cached in PK11_SESSION structure should
++	 * be sufficient.
++	 */
++	if ((sp->opdata_rsa_priv != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
++	    ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_priv(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
++	{
++	if (attr->ulValueLen > 0)
++		{
++		*bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
++		}
++	}
++
++#ifdef	OPENSSL_SYS_WIN32
++char *getpassphrase(const char *prompt)
++	{
++	static char buf[128];
++	HANDLE h;
++	DWORD cc, mode;
++	int cnt;
++
++	h = GetStdHandle(STD_INPUT_HANDLE);
++	fputs(prompt, stderr);
++	fflush(stderr);
++	fflush(stdout);
++	FlushConsoleInputBuffer(h);
++	GetConsoleMode(h, &mode);
++	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
++
++	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
++		{
++		ReadFile(h, buf + cnt, 1, &cc, NULL);
++		if (buf[cnt] == '\r')
++			break;
++		fputc('*', stdout);
++		fflush(stderr);
++		fflush(stdout);
++		}
++
++	SetConsoleMode(h, mode);
++	buf[cnt] = '\0';
++	fputs("\n", stderr);
++	return buf;
++	}
++#endif	/* OPENSSL_SYS_WIN32 */
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11_pub.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/hw_pk11_pub.c	Fri Aug 28 06:31:09 2009
+@@ -0,0 +1,3137 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_pub.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#ifndef OPENSSL_NO_RSA
++#include 
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++#include 
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++#include 
++#endif /* OPENSSL_NO_DH */
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++#define NOPTHREADS
++typedef int pid_t;
++#define HAVE_GETPASSPHRASE
++static char *getpassphrase(const char *prompt);
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11_err.h"
++
++#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
++#define getpassphrase(x)	getpass(x)
++#endif
++
++#ifndef OPENSSL_NO_RSA
++/* RSA stuff */
++static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_init(RSA *rsa);
++static int pk11_RSA_finish(RSA *rsa);
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
++static int pk11_RSA_verify(int dtype, const unsigned char *m,
++	unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
++	const RSA *rsa);
++EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++
++static int pk11_RSA_public_encrypt_low(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa);
++static int pk11_RSA_private_encrypt_low(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa);
++static int pk11_RSA_public_decrypt_low(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa);
++static int pk11_RSA_private_decrypt_low(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa);
++
++static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA* rsa, RSA** key_ptr,
++	BIGNUM **rsa_n_num, BIGNUM **rsa_e_num, CK_SESSION_HANDLE session);
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
++	BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
++
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
++#endif
++
++/* DSA stuff */
++#ifndef OPENSSL_NO_DSA
++static int pk11_DSA_init(DSA *dsa);
++static int pk11_DSA_finish(DSA *dsa);
++static DSA_SIG *pk11_dsa_do_sign(const unsigned char *dgst, int dlen,
++	DSA *dsa);
++static int pk11_dsa_do_verify(const unsigned char *dgst, int dgst_len,
++	DSA_SIG *sig, DSA *dsa);
++
++static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa, DSA **key_ptr,
++	BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session);
++static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa, DSA **key_ptr,
++	BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session);
++
++static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa);
++static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa);
++#endif
++
++/* DH stuff */
++#ifndef OPENSSL_NO_DH
++static int pk11_DH_init(DH *dh);
++static int pk11_DH_finish(DH *dh);
++static int pk11_DH_generate_key(DH *dh);
++static int pk11_DH_compute_key(unsigned char *key,
++	const BIGNUM *pub_key, DH *dh);
++
++static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh, DH **key_ptr,
++	BIGNUM **priv_key, CK_SESSION_HANDLE session);
++
++static int check_new_dh_key(PK11_SESSION *sp, DH *dh);
++#endif
++
++static int init_template_value(BIGNUM *bn, CK_VOID_PTR *pValue,
++	CK_ULONG *ulValueLen);
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
++
++/* Read mode string to be used for fopen() */
++#if SOLARIS_OPENSSL
++static char *read_mode_flags = "rF";
++#else
++static char *read_mode_flags = "r";
++#endif
++
++/*
++ * increment/create reference for an asymmetric key handle via active list
++ * manipulation. If active list operation fails, unlock (if locked), set error
++ * variable and jump to the specified label.
++ */
++#define	KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label)	\
++	{								\
++	if (pk11_active_add(key_handle, alg_type) < 0)			\
++		{							\
++		var = TRUE;						\
++		if (unlock)						\
++			UNLOCK_OBJSTORE(alg_type);			\
++		goto label;						\
++		}							\
++	}
++
++/*
++ * Find active list entry according to object handle and return pointer to the
++ * entry otherwise return NULL.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	for (entry = active_list[type]; entry != NULL; entry = entry->next)
++		if (entry->h == h)
++			return (entry);
++
++	return (NULL);
++	}
++
++/*
++ * Search for an entry in the active list using PKCS#11 object handle as a
++ * search key and return refcnt of the found/created entry or -1 in case of
++ * failure.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if (h == CK_INVALID_HANDLE)
++		{
++		PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	/* search for entry in the active list */
++	if ((entry = pk11_active_find(h, type)) != NULL)
++		entry->refcnt++;
++	else
++		{
++		/* not found, create new entry and add it to the list */
++		entry = OPENSSL_malloc(sizeof (PK11_active));
++		if (entry == NULL)
++			{
++			PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
++			return (-1);
++			}
++		entry->h = h;
++		entry->refcnt = 1;
++		entry->prev = NULL;
++		entry->next = NULL;
++		/* connect the newly created entry to the list */
++		if (active_list[type] == NULL)
++			active_list[type] = entry;
++		else /* make the entry first in the list */
++			{
++			entry->next = active_list[type];
++			active_list[type]->prev = entry;
++			active_list[type] = entry;
++			}
++		}
++
++	return (entry->refcnt);
++	}
++
++/*
++ * Remove active list entry from the list and free it.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++void
++pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
++	{
++	PK11_active *prev_entry;
++
++	/* remove the entry from the list and free it */
++	if ((prev_entry = entry->prev) != NULL)
++		{
++		prev_entry->next = entry->next;
++		if (entry->next != NULL)
++			entry->next->prev = prev_entry;
++		}
++	else
++		{
++		active_list[type] = entry->next;
++		/* we were the first but not the only one */
++		if (entry->next != NULL)
++			entry->next->prev = NULL;
++		}
++
++	/* sanitization */
++	entry->h = CK_INVALID_HANDLE;
++	entry->prev = NULL;
++	entry->next = NULL;
++	OPENSSL_free(entry);
++	}
++
++/* Free all entries from the active list. */
++void
++pk11_free_active_list(PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	/* only for asymmetric types since only they have C_Find* locks. */
++	switch (type)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++			break;
++		default:
++			return;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(type);
++	while ((entry = active_list[type]) != NULL)
++		pk11_active_remove(entry, type);
++	UNLOCK_OBJSTORE(type);
++	}
++
++/*
++ * Search for active list entry associated with given PKCS#11 object handle,
++ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
++ *
++ * Return 1 if the PKCS#11 object associated with the entry has no references,
++ * return 0 if there is at least one reference, -1 on error.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if ((entry = pk11_active_find(h, type)) == NULL)
++		{
++		PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	OPENSSL_assert(entry->refcnt > 0);
++	entry->refcnt--;
++	if (entry->refcnt == 0)
++		{
++		pk11_active_remove(entry, type);
++		return (1);
++		}
++
++	return (0);
++	}
++
++#ifndef OPENSSL_NO_RSA
++/* Our internal RSA_METHOD that we provide pointers to */
++static RSA_METHOD pk11_rsa =
++	{
++	"PKCS#11 RSA method",
++	pk11_RSA_public_encrypt,		/* rsa_pub_encrypt */
++	pk11_RSA_public_decrypt,		/* rsa_pub_decrypt */
++	pk11_RSA_private_encrypt,		/* rsa_priv_encrypt */
++	pk11_RSA_private_decrypt,		/* rsa_priv_decrypt */
++	NULL,					/* rsa_mod_exp */
++	NULL,					/* bn_mod_exp */
++	pk11_RSA_init,				/* init */
++	pk11_RSA_finish,			/* finish */
++	RSA_FLAG_SIGN_VER,			/* flags */
++	NULL,					/* app_data */
++	pk11_RSA_sign,				/* rsa_sign */
++	pk11_RSA_verify				/* rsa_verify */
++	};
++
++RSA_METHOD *
++PK11_RSA(void)
++	{
++	return (&pk11_rsa);
++	}
++#endif
++
++#ifndef OPENSSL_NO_DSA
++/* Our internal DSA_METHOD that we provide pointers to */
++static DSA_METHOD pk11_dsa =
++	{
++	"PKCS#11 DSA method",
++	pk11_dsa_do_sign, 	/* dsa_do_sign */
++	NULL, 			/* dsa_sign_setup */
++	pk11_dsa_do_verify, 	/* dsa_do_verify */
++	NULL,			/* dsa_mod_exp */
++	NULL, 			/* bn_mod_exp */
++	pk11_DSA_init, 		/* init */
++	pk11_DSA_finish, 	/* finish */
++	0, 			/* flags */
++	NULL 			/* app_data */
++	};
++
++DSA_METHOD *
++PK11_DSA(void)
++	{
++	return (&pk11_dsa);
++	}
++#endif
++
++#ifndef OPENSSL_NO_DH
++/*
++ * PKCS #11 V2.20, section 11.2 specifies that the number of bytes needed for
++ * output buffer may somewhat exceed the precise number of bytes needed, but
++ * should not exceed it by a large amount. That may be caused, for example, by
++ * rounding it up to multiple of X in the underlying bignum library. 8 should be
++ * enough.
++ */
++#define	DH_BUF_RESERVE	8
++
++/* Our internal DH_METHOD that we provide pointers to */
++static DH_METHOD pk11_dh =
++	{
++	"PKCS#11 DH method",
++	pk11_DH_generate_key,	/* generate_key */
++	pk11_DH_compute_key,	/* compute_key */
++	NULL,			/* bn_mod_exp */
++	pk11_DH_init,		/* init */
++	pk11_DH_finish,		/* finish */
++	0,			/* flags */
++	NULL,			/* app_data */
++	NULL			/* generate_params */
++	};
++
++DH_METHOD *
++PK11_DH(void)
++	{
++	return (&pk11_dh);
++	}
++#endif
++
++/* Size of an SSL signature: MD5+SHA1 */
++#define	SSL_SIG_LENGTH		36
++
++/* Lengths of DSA data and signature */
++#define	DSA_DATA_LEN		20
++#define	DSA_SIGNATURE_LEN	40
++
++static CK_BBOOL true = TRUE;
++static CK_BBOOL false = FALSE;
++
++#ifndef OPENSSL_NO_RSA
++/*
++ * Similiar to OpenSSL to take advantage of the paddings. The goal is to
++ * support all paddings in this engine although PK11 library does not
++ * support all the paddings used in OpenSSL.
++ * The input errors should have been checked in the padding functions.
++ */
++static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
++		unsigned char *to, RSA *rsa, int padding)
++	{
++	int i, num = 0, r = -1;
++	unsigned char *buf = NULL;
++
++	num = BN_num_bytes(rsa->n);
++	if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++		{
++		RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	switch (padding)
++		{
++	case RSA_PKCS1_PADDING:
++		i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
++		break;
++#ifndef OPENSSL_NO_SHA
++	case RSA_PKCS1_OAEP_PADDING:
++		i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
++		break;
++#endif
++	case RSA_SSLV23_PADDING:
++		i = RSA_padding_add_SSLv23(buf, num, from, flen);
++		break;
++	case RSA_NO_PADDING:
++		i = RSA_padding_add_none(buf, num, from, flen);
++		break;
++	default:
++		RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_UNKNOWN_PADDING_TYPE);
++		goto err;
++		}
++	if (i <= 0) goto err;
++
++	/* PK11 functions are called here */
++	r = pk11_RSA_public_encrypt_low(num, buf, to, rsa);
++err:
++	if (buf != NULL)
++		{
++		OPENSSL_cleanse(buf, num);
++		OPENSSL_free(buf);
++		}
++	return (r);
++	}
++
++
++/*
++ * Similar to Openssl to take advantage of the paddings. The input errors
++ * should be catched in the padding functions
++ */
++static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding)
++	{
++	int i, num = 0, r = -1;
++	unsigned char *buf = NULL;
++
++	num = BN_num_bytes(rsa->n);
++	if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++		{
++		RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	switch (padding)
++		{
++	case RSA_PKCS1_PADDING:
++		i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
++		break;
++	case RSA_NO_PADDING:
++		i = RSA_padding_add_none(buf, num, from, flen);
++		break;
++	case RSA_SSLV23_PADDING:
++	default:
++		RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_UNKNOWN_PADDING_TYPE);
++		goto err;
++		}
++	if (i <= 0) goto err;
++
++	/* PK11 functions are called here */
++	r = pk11_RSA_private_encrypt_low(num, buf, to, rsa);
++err:
++	if (buf != NULL)
++		{
++		OPENSSL_cleanse(buf, num);
++		OPENSSL_free(buf);
++		}
++	return (r);
++	}
++
++/* Similar to OpenSSL code. Input errors are also checked here */
++static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding)
++	{
++	BIGNUM f;
++	int j, num = 0, r = -1;
++	unsigned char *p;
++	unsigned char *buf = NULL;
++
++	BN_init(&f);
++
++	num = BN_num_bytes(rsa->n);
++
++	if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++		{
++		RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	/*
++	 * This check was for equality but PGP does evil things
++	 * and chops off the top '0' bytes
++	 */
++	if (flen > num)
++		{
++		RSAerr(PK11_F_RSA_PRIV_DEC,
++			PK11_R_DATA_GREATER_THAN_MOD_LEN);
++		goto err;
++		}
++
++	/* make data into a big number */
++	if (BN_bin2bn(from, (int)flen, &f) == NULL)
++		goto err;
++
++	if (BN_ucmp(&f, rsa->n) >= 0)
++		{
++		RSAerr(PK11_F_RSA_PRIV_DEC,
++			PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
++		goto err;
++		}
++
++	/* PK11 functions are called here */
++	r = pk11_RSA_private_decrypt_low(flen, from, buf, rsa);
++
++	/*
++	 * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
++	 * Needs to skip these 0's paddings here.
++	 */
++	for (j = 0; j < r; j++)
++		if (buf[j] != 0)
++			break;
++
++	p = buf + j;
++	j = r - j;  /* j is only used with no-padding mode */
++
++	switch (padding)
++		{
++	case RSA_PKCS1_PADDING:
++		r = RSA_padding_check_PKCS1_type_2(to, num, p, j, num);
++		break;
++#ifndef OPENSSL_NO_SHA
++	case RSA_PKCS1_OAEP_PADDING:
++		r = RSA_padding_check_PKCS1_OAEP(to, num, p, j, num, NULL, 0);
++		break;
++#endif
++	case RSA_SSLV23_PADDING:
++		r = RSA_padding_check_SSLv23(to, num, p, j, num);
++		break;
++	case RSA_NO_PADDING:
++		r = RSA_padding_check_none(to, num, p, j, num);
++		break;
++	default:
++		RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_UNKNOWN_PADDING_TYPE);
++		goto err;
++		}
++	if (r < 0)
++		RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_PADDING_CHECK_FAILED);
++
++err:
++	BN_clear_free(&f);
++	if (buf != NULL)
++		{
++		OPENSSL_cleanse(buf, num);
++		OPENSSL_free(buf);
++		}
++	return (r);
++	}
++
++/* Similar to OpenSSL code. Input errors are also checked here */
++static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
++	unsigned char *to, RSA *rsa, int padding)
++	{
++	BIGNUM f;
++	int i, num = 0, r = -1;
++	unsigned char *p;
++	unsigned char *buf = NULL;
++
++	BN_init(&f);
++	num = BN_num_bytes(rsa->n);
++	buf = (unsigned char *)OPENSSL_malloc(num);
++	if (buf == NULL)
++		{
++		RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	/*
++	 * This check was for equality but PGP does evil things
++	 * and chops off the top '0' bytes
++	 */
++	if (flen > num)
++		{
++		RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_DATA_GREATER_THAN_MOD_LEN);
++		goto err;
++		}
++
++	if (BN_bin2bn(from, flen, &f) == NULL)
++		goto err;
++
++	if (BN_ucmp(&f, rsa->n) >= 0)
++		{
++		RSAerr(PK11_F_RSA_PUB_DEC,
++			PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
++		goto err;
++		}
++
++	/* PK11 functions are called here */
++	r = pk11_RSA_public_decrypt_low(flen, from, buf, rsa);
++
++	/*
++	 * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
++	 * Needs to skip these 0's here
++	 */
++	for (i = 0; i < r; i++)
++		if (buf[i] != 0)
++			break;
++
++	p = buf + i;
++	i = r - i;  /* i is only used with no-padding mode */
++
++	switch (padding)
++		{
++	case RSA_PKCS1_PADDING:
++		r = RSA_padding_check_PKCS1_type_1(to, num, p, i, num);
++		break;
++	case RSA_NO_PADDING:
++		r = RSA_padding_check_none(to, num, p, i, num);
++		break;
++	default:
++		RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_UNKNOWN_PADDING_TYPE);
++		goto err;
++		}
++	if (r < 0)
++		RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_PADDING_CHECK_FAILED);
++
++err:
++	BN_clear_free(&f);
++	if (buf != NULL)
++		{
++		OPENSSL_cleanse(buf, num);
++		OPENSSL_free(buf);
++		}
++	return (r);
++	}
++
++/*
++ * This function implements RSA public encryption using C_EncryptInit and
++ * C_Encrypt pk11 interfaces. Note that the CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_public_encrypt_low(int flen,
++	const unsigned char *from, unsigned char *to, RSA *rsa)
++	{
++	CK_ULONG bytes_encrypted = flen;
++	int retval = -1;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (-1);
++
++	(void) check_new_rsa_key_pub(sp, rsa);
++
++	h_pub_key = sp->opdata_rsa_pub_key;
++	if (h_pub_key == CK_INVALID_HANDLE)
++		h_pub_key = sp->opdata_rsa_pub_key =
++			pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub,
++			    &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++			    sp->session);
++
++	if (h_pub_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_EncryptInit(sp->session, p_mech,
++			h_pub_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW,
++			    PK11_R_ENCRYPTINIT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++
++		rv = pFuncList->C_Encrypt(sp->session,
++			(unsigned char *)from, flen, to, &bytes_encrypted);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW,
++			    PK11_R_ENCRYPT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++		retval = bytes_encrypted;
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (retval);
++	}
++
++
++/*
++ * This function implements RSA private encryption using C_SignInit and
++ * C_Sign pk11 APIs. Note that CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_private_encrypt_low(int flen,
++	const unsigned char *from, unsigned char *to, RSA *rsa)
++	{
++	CK_ULONG ul_sig_len = flen;
++	int retval = -1;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (-1);
++
++	(void) check_new_rsa_key_priv(sp, rsa);
++
++	h_priv_key = sp->opdata_rsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_rsa_priv_key =
++			pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv,
++			    &sp->opdata_rsa_d_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_SignInit(sp->session, p_mech,
++			h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW,
++			    PK11_R_SIGNINIT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++
++		rv = pFuncList->C_Sign(sp->session,
++			(unsigned char *)from, flen, to, &ul_sig_len);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW, PK11_R_SIGN,
++			    rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++
++		retval = ul_sig_len;
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (retval);
++	}
++
++
++/*
++ * This function implements RSA private decryption using C_DecryptInit and
++ * C_Decrypt pk11 APIs. Note that CKM_RSA_X_509 mechanism is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_private_decrypt_low(int flen,
++	const unsigned char *from, unsigned char *to, RSA *rsa)
++	{
++	CK_ULONG bytes_decrypted = flen;
++	int retval = -1;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_priv_key;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (-1);
++
++	(void) check_new_rsa_key_priv(sp, rsa);
++
++	h_priv_key = sp->opdata_rsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_rsa_priv_key =
++			pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv,
++			    &sp->opdata_rsa_d_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_DecryptInit(sp->session, p_mech,
++			h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW,
++				PK11_R_DECRYPTINIT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++
++		rv = pFuncList->C_Decrypt(sp->session,
++			(unsigned char *)from, flen, to, &bytes_decrypted);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW,
++			    PK11_R_DECRYPT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++		retval = bytes_decrypted;
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (retval);
++	}
++
++
++/*
++ * This function implements RSA public decryption using C_VerifyRecoverInit
++ * and C_VerifyRecover pk11 APIs. Note that CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_public_decrypt_low(int flen,
++	const unsigned char *from, unsigned char *to, RSA *rsa)
++	{
++	CK_ULONG bytes_decrypted = flen;
++	int retval = -1;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (-1);
++
++	(void) check_new_rsa_key_pub(sp, rsa);
++
++	h_pub_key = sp->opdata_rsa_pub_key;
++	if (h_pub_key == CK_INVALID_HANDLE)
++		h_pub_key = sp->opdata_rsa_pub_key =
++			pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub,
++			    &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++			    sp->session);
++
++	if (h_pub_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_VerifyRecoverInit(sp->session,
++			p_mech, h_pub_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW,
++				PK11_R_VERIFYRECOVERINIT, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++
++		rv = pFuncList->C_VerifyRecover(sp->session,
++			(unsigned char *)from, flen, to, &bytes_decrypted);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW,
++			    PK11_R_VERIFYRECOVER, rv);
++			pk11_return_session(sp, OP_RSA);
++			return (-1);
++			}
++		retval = bytes_decrypted;
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (retval);
++	}
++
++static int pk11_RSA_init(RSA *rsa)
++	{
++	/*
++	 * This flag in the RSA_METHOD enables the new rsa_sign,
++	 * rsa_verify functions. See rsa.h for details.
++	 */
++	rsa->flags |= RSA_FLAG_SIGN_VER;
++
++	return (1);
++	}
++
++static int pk11_RSA_finish(RSA *rsa)
++	{
++	/*
++	 * Since we are overloading OpenSSL's native RSA_eay_finish() we need
++	 * to do the same as in the original function, i.e. to free bignum
++	 * structures.
++	 */
++	if (rsa->_method_mod_n != NULL)
++		BN_MONT_CTX_free(rsa->_method_mod_n);
++	if (rsa->_method_mod_p != NULL)
++		BN_MONT_CTX_free(rsa->_method_mod_p);
++	if (rsa->_method_mod_q != NULL)
++		BN_MONT_CTX_free(rsa->_method_mod_q);
++
++	return (1);
++	}
++
++/*
++ * Standard engine interface function. Majority codes here are from
++ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
++ * See more details in rsa/rsa_sign.c
++ */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
++	{
++	X509_SIG sig;
++	ASN1_TYPE parameter;
++	int i, j = 0;
++	unsigned char *p, *s = NULL;
++	X509_ALGOR algor;
++	ASN1_OCTET_STRING digest;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_priv_key;
++	PK11_SESSION *sp = NULL;
++	int ret = 0;
++	unsigned long ulsiglen;
++
++	/* Encode the digest */
++	/* Special case: SSL signature, just check the length */
++	if (type == NID_md5_sha1)
++		{
++		if (m_len != SSL_SIG_LENGTH)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_INVALID_MESSAGE_LENGTH);
++			goto err;
++			}
++		i = SSL_SIG_LENGTH;
++		s = (unsigned char *)m;
++		}
++	else
++		{
++		sig.algor = &algor;
++		sig.algor->algorithm = OBJ_nid2obj(type);
++		if (sig.algor->algorithm == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ALGORITHM_TYPE);
++			goto err;
++			}
++		if (sig.algor->algorithm->length == 0)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++			goto err;
++			}
++		parameter.type = V_ASN1_NULL;
++		parameter.value.ptr = NULL;
++		sig.algor->parameter = ¶meter;
++
++		sig.digest = &digest;
++		sig.digest->data = (unsigned char *)m;
++		sig.digest->length = m_len;
++
++		i = i2d_X509_SIG(&sig, NULL);
++		}
++
++	j = RSA_size(rsa);
++	if ((i - RSA_PKCS1_PADDING) > j)
++		{
++		PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
++		goto err;
++		}
++
++	if (type != NID_md5_sha1)
++		{
++		s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++		if (s == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		p = s;
++		(void) i2d_X509_SIG(&sig, &p);
++		}
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		goto err;
++
++	(void) check_new_rsa_key_priv(sp, rsa);
++
++	h_priv_key = sp->opdata_rsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_rsa_priv_key =
++			pk11_get_private_rsa_key((RSA *)rsa,
++			    &sp->opdata_rsa_priv,
++			    &sp->opdata_rsa_d_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
++			goto err;
++			}
++
++		ulsiglen = j;
++		rv = pFuncList->C_Sign(sp->session, s, i, sigret,
++			(CK_ULONG_PTR) &ulsiglen);
++		*siglen = ulsiglen;
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
++			goto err;
++			}
++		ret = 1;
++		}
++
++err:
++	if ((type != NID_md5_sha1) && (s != NULL))
++		{
++		(void) memset(s, 0, (unsigned int)(j + 1));
++		OPENSSL_free(s);
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (ret);
++	}
++
++static int pk11_RSA_verify(int type, const unsigned char *m,
++	unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
++	const RSA *rsa)
++	{
++	X509_SIG sig;
++	ASN1_TYPE parameter;
++	int i, j = 0;
++	unsigned char *p, *s = NULL;
++	X509_ALGOR algor;
++	ASN1_OCTET_STRING digest;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_pub_key;
++	PK11_SESSION *sp = NULL;
++	int ret = 0;
++
++	/* Encode the digest	*/
++	/* Special case: SSL signature, just check the length */
++	if (type == NID_md5_sha1)
++		{
++		if (m_len != SSL_SIG_LENGTH)
++			{
++			PK11err(PK11_F_RSA_VERIFY,
++				PK11_R_INVALID_MESSAGE_LENGTH);
++			goto err;
++			}
++		i = SSL_SIG_LENGTH;
++		s = (unsigned char *)m;
++		}
++	else
++		{
++		sig.algor = &algor;
++		sig.algor->algorithm = OBJ_nid2obj(type);
++		if (sig.algor->algorithm == NULL)
++			{
++			PK11err(PK11_F_RSA_VERIFY,
++				PK11_R_UNKNOWN_ALGORITHM_TYPE);
++			goto err;
++			}
++		if (sig.algor->algorithm->length == 0)
++			{
++			PK11err(PK11_F_RSA_VERIFY,
++				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++			goto err;
++			}
++		parameter.type = V_ASN1_NULL;
++		parameter.value.ptr = NULL;
++		sig.algor->parameter = ¶meter;
++		sig.digest = &digest;
++		sig.digest->data = (unsigned char *)m;
++		sig.digest->length = m_len;
++		i = i2d_X509_SIG(&sig, NULL);
++		}
++
++	j = RSA_size(rsa);
++	if ((i - RSA_PKCS1_PADDING) > j)
++		{
++		PK11err(PK11_F_RSA_VERIFY, PK11_R_DIGEST_TOO_BIG);
++		goto err;
++		}
++
++	if (type != NID_md5_sha1)
++		{
++		s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++		if (s == NULL)
++			{
++			PK11err(PK11_F_RSA_VERIFY, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		p = s;
++		(void) i2d_X509_SIG(&sig, &p);
++		}
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		goto err;
++
++	(void) check_new_rsa_key_pub(sp, rsa);
++
++	h_pub_key = sp->opdata_rsa_pub_key;
++	if (h_pub_key == CK_INVALID_HANDLE)
++		h_pub_key = sp->opdata_rsa_pub_key =
++			pk11_get_public_rsa_key((RSA *)rsa, &sp->opdata_rsa_pub,
++			    &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++			    sp->session);
++
++	if (h_pub_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_VerifyInit(sp->session, p_mech,
++			h_pub_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFYINIT,
++			    rv);
++			goto err;
++			}
++		rv = pFuncList->C_Verify(sp->session, s, i, sigbuf,
++			(CK_ULONG)siglen);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFY, rv);
++			goto err;
++			}
++		ret = 1;
++		}
++
++err:
++	if ((type != NID_md5_sha1) && (s != NULL))
++		{
++		(void) memset(s, 0, (unsigned int)(j + 1));
++		OPENSSL_free(s);
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (ret);
++	}
++
++static int hndidx_rsa = -1;
++
++/* load RSA private key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *privkey;
++	CK_OBJECT_HANDLE  h_priv_key = CK_INVALID_HANDLE;
++	RSA *rsa;
++	PK11_SESSION *sp;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for private keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (NULL);
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(privkey_file, "pkcs11:") == privkey_file)
++		{
++		search_templ[2].pValue = strstr(privkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++
++		LOCK_OBJSTORE(OP_RSA);
++		if ((rv = pFuncList->C_FindObjectsInit(sp->session,
++		    search_templ, 3)) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		if (hndidx_rsa == -1)
++			hndidx_rsa = RSA_get_ex_new_index(0,
++				        "pkcs11 RSA HSM key handle",
++					NULL, NULL, NULL);
++
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_set1_RSA(pkey, rsa);
++
++		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2)) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++			}
++
++		/*
++		 * Now we have to initialize an OpenSSL RSA structure,
++		 * everything else is 0 or NULL.
++		 */
++		rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
++		RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
++		(void) check_new_rsa_key_priv(sp, rsa);
++		sp->opdata_rsa_priv = rsa;
++		sp->opdata_rsa_priv_key = ks_key;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
++		(void) fclose(privkey);
++		if (pkey != NULL)
++			{
++			rsa = EVP_PKEY_get1_RSA(pkey);
++			if (rsa != NULL)
++				{
++				(void) check_new_rsa_key_priv(sp, rsa);
++
++				h_priv_key = sp->opdata_rsa_priv_key =
++				    pk11_get_private_rsa_key(rsa,
++				    &sp->opdata_rsa_priv, &sp->opdata_rsa_d_num,
++				    sp->session);
++				if (h_priv_key == CK_INVALID_HANDLE)
++					{
++					EVP_PKEY_free(pkey);
++					pkey = NULL;
++					}
++				}
++			else
++				{
++				EVP_PKEY_free(pkey);
++				pkey = NULL;
++				}
++			}
++		}
++
++err:
++	pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/* load RSA public key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *pubkey;
++	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++	RSA *rsa;
++	PK11_SESSION *sp;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for public keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		return (NULL);
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
++		{
++		search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++#define ALLWAYS_LOGIN
++#ifdef ALLWAYS_LOGIN
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++#endif
++
++		LOCK_OBJSTORE(OP_RSA);
++		if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		sp->opdata_rsa_pub_key = ks_key;
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_set1_RSA(pkey, rsa);
++
++		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			goto err;
++			}
++
++		/*
++		 * Now we have to initialize an OpenSSL RSA structure,
++		 * everything else is 0 or NULL.
++		 */
++		rsa->flags = RSA_FLAG_SIGN_VER;
++		(void) check_new_rsa_key_pub(sp, rsa);
++		sp->opdata_rsa_pub = rsa;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
++		(void) fclose(pubkey);
++		if (pkey != NULL)
++			{
++			rsa = EVP_PKEY_get1_RSA(pkey);
++			if (rsa != NULL)
++				{
++				(void) check_new_rsa_key_pub(sp, rsa);
++
++				h_pub_key = sp->opdata_rsa_pub_key =
++				    pk11_get_public_rsa_key(rsa,
++				    &sp->opdata_rsa_pub, &sp->opdata_rsa_n_num,
++				    &sp->opdata_rsa_e_num, sp->session);
++				if (h_pub_key == CK_INVALID_HANDLE)
++					{
++					EVP_PKEY_free(pkey);
++					pkey = NULL;
++					}
++				}
++			else
++				{
++				EVP_PKEY_free(pkey);
++				pkey = NULL;
++				}
++			}
++		}
++
++err:
++	pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/*
++ * Create a public key object in a session from a given rsa structure.
++ * The *rsa_n_num and *rsa_e_num pointers are non-NULL for RSA public keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA *rsa,
++    RSA **key_ptr, BIGNUM **rsa_n_num, BIGNUM **rsa_e_num,
++    CK_SESSION_HANDLE session)
++	{
++	CK_RV rv;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	CK_ULONG found;
++	CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
++	CK_KEY_TYPE k_type = CKK_RSA;
++	CK_ULONG ul_key_attr_count = 8;
++	CK_BBOOL rollback = FALSE;
++
++	CK_ATTRIBUTE  a_key_template[] =
++		{
++		{CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++		{CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++		{CKA_TOKEN, &false, sizeof (true)},
++		{CKA_ENCRYPT, &true, sizeof (true)},
++		{CKA_VERIFY, &true, sizeof (true)},
++		{CKA_VERIFY_RECOVER, &true, sizeof (true)},
++		{CKA_MODULUS, (void *)NULL, 0},
++		{CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
++		};
++
++	int i;
++
++	a_key_template[0].pValue = &o_key;
++	a_key_template[1].pValue = &k_type;
++
++	a_key_template[6].ulValueLen = BN_num_bytes(rsa->n);
++	a_key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++		(size_t)a_key_template[6].ulValueLen);
++	if (a_key_template[6].pValue == NULL)
++		{
++		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	BN_bn2bin(rsa->n, a_key_template[6].pValue);
++
++	a_key_template[7].ulValueLen = BN_num_bytes(rsa->e);
++	a_key_template[7].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++		(size_t)a_key_template[7].ulValueLen);
++	if (a_key_template[7].pValue == NULL)
++		{
++		PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	BN_bn2bin(rsa->e, a_key_template[7].pValue);
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(OP_RSA);
++	rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++		ul_key_attr_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTSINIT,
++		    rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++		    PK11_R_FINDOBJECTS, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjectsFinal(session);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++		    PK11_R_FINDOBJECTSFINAL, rv);
++		goto err;
++		}
++
++	if (found == 0)
++		{
++		rv = pFuncList->C_CreateObject(session,
++			a_key_template, ul_key_attr_count, &h_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++			    PK11_R_CREATEOBJECT, rv);
++			goto err;
++			}
++		}
++
++	if (rsa_n_num != NULL)
++		if ((*rsa_n_num = BN_dup(rsa->n)) == NULL)
++			{
++			PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++			rollback = TRUE;
++			goto err;
++			}
++	if (rsa_e_num != NULL)
++		if ((*rsa_e_num = BN_dup(rsa->e)) == NULL)
++			{
++			PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++			BN_free(*rsa_n_num);
++			*rsa_n_num = NULL;
++			rollback = TRUE;
++			goto err;
++			}
++
++	/* LINTED: E_CONSTANT_CONDITION */
++	KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
++	if (key_ptr != NULL)
++		*key_ptr = rsa;
++
++err:
++	if (rollback)
++		{
++		/*
++		 * We do not care about the return value from C_DestroyObject()
++		 * since we are doing rollback.
++		 */
++		if (found == 0)
++			(void) pFuncList->C_DestroyObject(session, h_key);
++		h_key = CK_INVALID_HANDLE;
++		}
++
++	UNLOCK_OBJSTORE(OP_RSA);
++
++malloc_err:
++	for (i = 6; i <= 7; i++)
++		{
++		if (a_key_template[i].pValue != NULL)
++			{
++			OPENSSL_free(a_key_template[i].pValue);
++			a_key_template[i].pValue = NULL;
++			}
++		}
++
++	return (h_key);
++	}
++
++/*
++ * Create a private key object in the session from a given rsa structure.
++ * The *rsa_d_num pointer is non-NULL for RSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
++    RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
++	{
++	CK_RV rv;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	int i;
++	CK_ULONG found;
++	CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
++	CK_KEY_TYPE k_type = CKK_RSA;
++	CK_ULONG ul_key_attr_count = 14;
++	CK_BBOOL rollback = FALSE;
++
++	/* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
++	CK_ATTRIBUTE  a_key_template[] =
++		{
++		{CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++		{CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++		{CKA_TOKEN, &false, sizeof (true)},
++		{CKA_SENSITIVE, &false, sizeof (true)},
++		{CKA_DECRYPT, &true, sizeof (true)},
++		{CKA_SIGN, &true, sizeof (true)},
++		{CKA_MODULUS, (void *)NULL, 0},
++		{CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
++		{CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
++		{CKA_PRIME_1, (void *)NULL, 0},
++		{CKA_PRIME_2, (void *)NULL, 0},
++		{CKA_EXPONENT_1, (void *)NULL, 0},
++		{CKA_EXPONENT_2, (void *)NULL, 0},
++		{CKA_COEFFICIENT, (void *)NULL, 0}
++		};
++
++	if ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) {
++		h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
++		LOCK_OBJSTORE(OP_RSA);
++		goto set;
++	}
++	
++	a_key_template[0].pValue = &o_key;
++	a_key_template[1].pValue = &k_type;
++
++	/* Put the private key components into the template */
++	if (init_template_value(rsa->n, &a_key_template[6].pValue,
++		&a_key_template[6].ulValueLen) == 0 ||
++	    init_template_value(rsa->e, &a_key_template[7].pValue,
++		&a_key_template[7].ulValueLen) == 0 ||
++	    init_template_value(rsa->d, &a_key_template[8].pValue,
++		&a_key_template[8].ulValueLen) == 0 ||
++	    init_template_value(rsa->p, &a_key_template[9].pValue,
++		&a_key_template[9].ulValueLen) == 0 ||
++	    init_template_value(rsa->q, &a_key_template[10].pValue,
++		&a_key_template[10].ulValueLen) == 0 ||
++	    init_template_value(rsa->dmp1, &a_key_template[11].pValue,
++		&a_key_template[11].ulValueLen) == 0 ||
++	    init_template_value(rsa->dmq1, &a_key_template[12].pValue,
++		&a_key_template[12].ulValueLen) == 0 ||
++	    init_template_value(rsa->iqmp, &a_key_template[13].pValue,
++		&a_key_template[13].ulValueLen) == 0)
++		{
++		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(OP_RSA);
++	rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++		ul_key_attr_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++		    PK11_R_FINDOBJECTSINIT, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++		    PK11_R_FINDOBJECTS, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjectsFinal(session);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++		    PK11_R_FINDOBJECTSFINAL, rv);
++		goto err;
++		}
++
++	if (found == 0)
++		{
++		rv = pFuncList->C_CreateObject(session,
++			a_key_template, ul_key_attr_count, &h_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++				PK11_R_CREATEOBJECT, rv);
++			goto err;
++			}
++		}
++
++set:
++	if (rsa_d_num != NULL)
++		{
++		if (rsa->d == NULL)
++			*rsa_d_num = NULL;
++		else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
++			{
++			PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++			rollback = TRUE;
++			goto err;
++			}
++		}
++
++	/* LINTED: E_CONSTANT_CONDITION */
++	KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
++	if (key_ptr != NULL)
++		*key_ptr = rsa;
++
++err:
++	if (rollback)
++		{
++		/*
++		 * We do not care about the return value from C_DestroyObject()
++		 * since we are doing rollback.
++		 */
++		if (found == 0 &&
++		    (rsa->flags & RSA_FLAG_EXT_PKEY) == 0)
++			(void) pFuncList->C_DestroyObject(session, h_key);
++		h_key = CK_INVALID_HANDLE;
++		}
++
++	UNLOCK_OBJSTORE(OP_RSA);
++
++malloc_err:
++	/*
++	 * 6 to 13 entries in the key template are key components.
++	 * They need to be freed apon exit or error.
++	 */
++	for (i = 6; i <= 13; i++)
++		{
++		if (a_key_template[i].pValue != NULL)
++			{
++			(void) memset(a_key_template[i].pValue, 0,
++				a_key_template[i].ulValueLen);
++			OPENSSL_free(a_key_template[i].pValue);
++			a_key_template[i].pValue = NULL;
++			}
++		}
++
++	return (h_key);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Only public components of RSA
++	 * key matter here so it is sufficient to compare them with values
++	 * cached in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_rsa_pub != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
++	    (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_pub(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Comparing private exponent of RSA
++	 * key with value cached in PK11_SESSION structure should
++	 * be sufficient.
++	 */
++	if ((sp->opdata_rsa_priv != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
++	    ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_priv(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++#endif
++
++#ifndef OPENSSL_NO_DSA
++/* The DSA function implementation */
++/* ARGSUSED */
++static int pk11_DSA_init(DSA *dsa)
++	{
++	return (1);
++	}
++
++/* ARGSUSED */
++static int pk11_DSA_finish(DSA *dsa)
++	{
++	return (1);
++	}
++
++
++static DSA_SIG *
++pk11_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
++	{
++	BIGNUM *r = NULL, *s = NULL;
++	int i;
++	DSA_SIG *dsa_sig = NULL;
++
++	CK_RV rv;
++	CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
++	CK_MECHANISM *p_mech = &Mechanism_dsa;
++	CK_OBJECT_HANDLE h_priv_key;
++
++	/*
++	 * The signature is the concatenation of r and s,
++	 * each is 20 bytes long
++	 */
++	unsigned char sigret[DSA_SIGNATURE_LEN];
++	unsigned long siglen = DSA_SIGNATURE_LEN;
++	unsigned int siglen2 = DSA_SIGNATURE_LEN / 2;
++
++	PK11_SESSION *sp = NULL;
++
++	if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_MISSING_KEY_COMPONENT);
++		goto ret;
++		}
++
++	i = BN_num_bytes(dsa->q); /* should be 20 */
++	if (dlen > i)
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_INVALID_SIGNATURE_LENGTH);
++		goto ret;
++		}
++
++	if ((sp = pk11_get_session(OP_DSA)) == NULL)
++		goto ret;
++
++	(void) check_new_dsa_key_priv(sp, dsa);
++
++	h_priv_key = sp->opdata_dsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_dsa_priv_key =
++			pk11_get_private_dsa_key((DSA *)dsa,
++			    &sp->opdata_dsa_priv,
++			    &sp->opdata_dsa_priv_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGNINIT, rv);
++			goto ret;
++			}
++
++		(void) memset(sigret, 0, siglen);
++		rv = pFuncList->C_Sign(sp->session,
++			(unsigned char*) dgst, dlen, sigret,
++			(CK_ULONG_PTR) &siglen);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGN, rv);
++			goto ret;
++			}
++		}
++
++
++	if ((s = BN_new()) == NULL)
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++		goto ret;
++		}
++
++	if ((r = BN_new()) == NULL)
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++		goto ret;
++		}
++
++	if ((dsa_sig = DSA_SIG_new()) == NULL)
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++		goto ret;
++		}
++
++	if (BN_bin2bn(sigret, siglen2, r) == NULL ||
++	    BN_bin2bn(&sigret[siglen2], siglen2, s) == NULL)
++		{
++		PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++		goto ret;
++		}
++
++	dsa_sig->r = r;
++	dsa_sig->s = s;
++
++ret:
++	if (dsa_sig == NULL)
++		{
++		if (r != NULL)
++			BN_free(r);
++		if (s != NULL)
++			BN_free(s);
++		}
++
++	pk11_return_session(sp, OP_DSA);
++	return (dsa_sig);
++	}
++
++static int
++pk11_dsa_do_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig,
++	DSA *dsa)
++	{
++	int i;
++	CK_RV rv;
++	int retval = 0;
++	CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
++	CK_MECHANISM *p_mech = &Mechanism_dsa;
++	CK_OBJECT_HANDLE h_pub_key;
++
++	unsigned char sigbuf[DSA_SIGNATURE_LEN];
++	unsigned long siglen = DSA_SIGNATURE_LEN;
++	unsigned long siglen2 = DSA_SIGNATURE_LEN/2;
++
++	PK11_SESSION *sp = NULL;
++
++	if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
++		{
++		PK11err(PK11_F_DSA_VERIFY,
++			PK11_R_INVALID_DSA_SIGNATURE_R);
++		goto ret;
++		}
++
++	if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
++		{
++		PK11err(PK11_F_DSA_VERIFY,
++			PK11_R_INVALID_DSA_SIGNATURE_S);
++		goto ret;
++		}
++
++	i = BN_num_bytes(dsa->q); /* should be 20 */
++
++	if (dlen > i)
++		{
++		PK11err(PK11_F_DSA_VERIFY,
++			PK11_R_INVALID_SIGNATURE_LENGTH);
++		goto ret;
++		}
++
++	if ((sp = pk11_get_session(OP_DSA)) == NULL)
++		goto ret;
++
++	(void) check_new_dsa_key_pub(sp, dsa);
++
++	h_pub_key = sp->opdata_dsa_pub_key;
++	if (h_pub_key == CK_INVALID_HANDLE)
++		h_pub_key = sp->opdata_dsa_pub_key =
++			pk11_get_public_dsa_key((DSA *)dsa, &sp->opdata_dsa_pub,
++			    &sp->opdata_dsa_pub_num, sp->session);
++
++	if (h_pub_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_VerifyInit(sp->session, p_mech,
++			h_pub_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFYINIT,
++			    rv);
++			goto ret;
++			}
++
++		/*
++		 * The representation of each of the two big numbers could
++		 * be shorter than DSA_SIGNATURE_LEN/2 bytes so we need
++		 * to act accordingly and shift if necessary.
++		 */
++		(void) memset(sigbuf, 0, siglen);
++		BN_bn2bin(sig->r, sigbuf + siglen2 - BN_num_bytes(sig->r));
++		BN_bn2bin(sig->s, &sigbuf[siglen2] + siglen2 -
++		    BN_num_bytes(sig->s));
++
++		rv = pFuncList->C_Verify(sp->session,
++			(unsigned char *) dgst, dlen, sigbuf, (CK_ULONG)siglen);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFY, rv);
++			goto ret;
++			}
++		}
++
++	retval = 1;
++ret:
++
++	pk11_return_session(sp, OP_DSA);
++	return (retval);
++	}
++
++
++/*
++ * Create a public key object in a session from a given dsa structure.
++ * The *dsa_pub_num pointer is non-NULL for DSA public keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa,
++    DSA **key_ptr, BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session)
++	{
++	CK_RV rv;
++	CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	CK_ULONG found;
++	CK_KEY_TYPE k_type = CKK_DSA;
++	CK_ULONG ul_key_attr_count = 8;
++	CK_BBOOL rollback = FALSE;
++	int i;
++
++	CK_ATTRIBUTE  a_key_template[] =
++		{
++		{CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++		{CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++		{CKA_TOKEN, &false, sizeof (true)},
++		{CKA_VERIFY, &true, sizeof (true)},
++		{CKA_PRIME, (void *)NULL, 0},		/* p */
++		{CKA_SUBPRIME, (void *)NULL, 0},	/* q */
++		{CKA_BASE, (void *)NULL, 0},		/* g */
++		{CKA_VALUE, (void *)NULL, 0}		/* pub_key - y */
++		};
++
++	a_key_template[0].pValue = &o_key;
++	a_key_template[1].pValue = &k_type;
++
++	if (init_template_value(dsa->p, &a_key_template[4].pValue,
++		&a_key_template[4].ulValueLen) == 0 ||
++	    init_template_value(dsa->q, &a_key_template[5].pValue,
++		&a_key_template[5].ulValueLen) == 0 ||
++	    init_template_value(dsa->g, &a_key_template[6].pValue,
++		&a_key_template[6].ulValueLen) == 0 ||
++	    init_template_value(dsa->pub_key, &a_key_template[7].pValue,
++		&a_key_template[7].ulValueLen) == 0)
++		{
++		PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(OP_DSA);
++	rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++		ul_key_attr_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTSINIT,
++		    rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++		    PK11_R_FINDOBJECTS, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjectsFinal(session);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++		    PK11_R_FINDOBJECTSFINAL, rv);
++		goto err;
++		}
++
++	if (found == 0)
++		{
++		rv = pFuncList->C_CreateObject(session,
++			a_key_template, ul_key_attr_count, &h_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++			    PK11_R_CREATEOBJECT, rv);
++			goto err;
++			}
++		}
++
++	if (dsa_pub_num != NULL)
++		if ((*dsa_pub_num = BN_dup(dsa->pub_key)) == NULL)
++			{
++			PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
++			rollback = TRUE;
++			goto err;
++			}
++
++	/* LINTED: E_CONSTANT_CONDITION */
++	KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
++	if (key_ptr != NULL)
++		*key_ptr = dsa;
++
++err:
++	if (rollback)
++		{
++		/*
++		 * We do not care about the return value from C_DestroyObject()
++		 * since we are doing rollback.
++		 */
++		if (found == 0)
++			(void) pFuncList->C_DestroyObject(session, h_key);
++		h_key = CK_INVALID_HANDLE;
++		}
++
++	UNLOCK_OBJSTORE(OP_DSA);
++
++malloc_err:
++	for (i = 4; i <= 7; i++)
++		{
++		if (a_key_template[i].pValue != NULL)
++			{
++			OPENSSL_free(a_key_template[i].pValue);
++			a_key_template[i].pValue = NULL;
++			}
++		}
++
++	return (h_key);
++	}
++
++/*
++ * Create a private key object in the session from a given dsa structure
++ * The *dsa_priv_num pointer is non-NULL for DSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa,
++    DSA **key_ptr, BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session)
++	{
++	CK_RV rv;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
++	int i;
++	CK_ULONG found;
++	CK_KEY_TYPE k_type = CKK_DSA;
++	CK_ULONG ul_key_attr_count = 9;
++	CK_BBOOL rollback = FALSE;
++
++	/* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
++	CK_ATTRIBUTE  a_key_template[] =
++		{
++		{CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++		{CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++		{CKA_TOKEN, &false, sizeof (true)},
++		{CKA_SENSITIVE, &false, sizeof (true)},
++		{CKA_SIGN, &true, sizeof (true)},
++		{CKA_PRIME, (void *)NULL, 0},		/* p */
++		{CKA_SUBPRIME, (void *)NULL, 0},	/* q */
++		{CKA_BASE, (void *)NULL, 0},		/* g */
++		{CKA_VALUE, (void *)NULL, 0}		/* priv_key - x */
++		};
++
++	a_key_template[0].pValue = &o_key;
++	a_key_template[1].pValue = &k_type;
++
++	/* Put the private key components into the template */
++	if (init_template_value(dsa->p, &a_key_template[5].pValue,
++		&a_key_template[5].ulValueLen) == 0 ||
++	    init_template_value(dsa->q, &a_key_template[6].pValue,
++		&a_key_template[6].ulValueLen) == 0 ||
++	    init_template_value(dsa->g, &a_key_template[7].pValue,
++		&a_key_template[7].ulValueLen) == 0 ||
++	    init_template_value(dsa->priv_key, &a_key_template[8].pValue,
++		&a_key_template[8].ulValueLen) == 0)
++		{
++		PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(OP_DSA);
++	rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++		ul_key_attr_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++		    PK11_R_FINDOBJECTSINIT, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++		    PK11_R_FINDOBJECTS, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjectsFinal(session);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++		    PK11_R_FINDOBJECTSFINAL, rv);
++		goto err;
++		}
++
++	if (found == 0)
++		{
++		rv = pFuncList->C_CreateObject(session,
++			a_key_template, ul_key_attr_count, &h_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++			    PK11_R_CREATEOBJECT, rv);
++			goto err;
++			}
++		}
++
++	if (dsa_priv_num != NULL)
++		if ((*dsa_priv_num = BN_dup(dsa->priv_key)) == NULL)
++			{
++			PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
++			rollback = TRUE;
++			goto err;
++			}
++
++	/* LINTED: E_CONSTANT_CONDITION */
++	KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
++	if (key_ptr != NULL)
++		*key_ptr = dsa;
++
++err:
++	if (rollback)
++		{
++		/*
++		 * We do not care about the return value from C_DestroyObject()
++		 * since we are doing rollback.
++		 */
++		if (found == 0)
++			(void) pFuncList->C_DestroyObject(session, h_key);
++		h_key = CK_INVALID_HANDLE;
++		}
++
++	UNLOCK_OBJSTORE(OP_DSA);
++
++malloc_err:
++	/*
++	 * 5 to 8 entries in the key template are key components.
++	 * They need to be freed apon exit or error.
++	 */
++	for (i = 5; i <= 8; i++)
++		{
++		if (a_key_template[i].pValue != NULL)
++			{
++			(void) memset(a_key_template[i].pValue, 0,
++				a_key_template[i].ulValueLen);
++			OPENSSL_free(a_key_template[i].pValue);
++			a_key_template[i].pValue = NULL;
++			}
++		}
++
++	return (h_key);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa)
++	{
++	/*
++	 * Provide protection against DSA structure reuse by making the
++	 * check for cache hit stronger. Only public key component of DSA
++	 * key matters here so it is sufficient to compare it with value
++	 * cached in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_dsa_pub != dsa) ||
++	    (BN_cmp(sp->opdata_dsa_pub_num, dsa->pub_key) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_dsa_object_pub(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa)
++	{
++	/*
++	 * Provide protection against DSA structure reuse by making the
++	 * check for cache hit stronger. Only private key component of DSA
++	 * key matters here so it is sufficient to compare it with value
++	 * cached in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_dsa_priv != dsa) ||
++	    (BN_cmp(sp->opdata_dsa_priv_num, dsa->priv_key) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_dsa_object_priv(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++#endif
++
++
++#ifndef OPENSSL_NO_DH
++/* The DH function implementation */
++/* ARGSUSED */
++static int pk11_DH_init(DH *dh)
++	{
++	return (1);
++	}
++
++/* ARGSUSED */
++static int pk11_DH_finish(DH *dh)
++	{
++	return (1);
++	}
++
++/*
++ * Generate DH key-pair.
++ *
++ * Warning: Unlike OpenSSL's DH_generate_key(3) we ignore dh->priv_key
++ * and override it even if it is set. OpenSSL does not touch dh->priv_key
++ * if set and just computes dh->pub_key. It looks like PKCS#11 standard
++ * is not capable of providing this functionality. This could be a problem
++ * for applications relying on OpenSSL's semantics.
++ */
++static int pk11_DH_generate_key(DH *dh)
++	{
++	CK_ULONG i;
++	CK_RV rv, rv1;
++	int reuse_mem_len = 0, ret = 0;
++	PK11_SESSION *sp = NULL;
++	CK_BYTE_PTR reuse_mem;
++
++	CK_MECHANISM mechanism = {CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
++	CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++	CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
++
++	CK_ULONG ul_pub_key_attr_count = 3;
++	CK_ATTRIBUTE pub_key_template[] =
++		{
++		{CKA_PRIVATE, &false, sizeof (false)},
++		{CKA_PRIME, (void *)NULL, 0},
++		{CKA_BASE, (void *)NULL, 0}
++		};
++
++	CK_ULONG ul_priv_key_attr_count = 3;
++	CK_ATTRIBUTE priv_key_template[] =
++		{
++		{CKA_PRIVATE, &false, sizeof (false)},
++		{CKA_SENSITIVE, &false, sizeof (false)},
++		{CKA_DERIVE, &true, sizeof (true)}
++		};
++
++	CK_ULONG pub_key_attr_result_count = 1;
++	CK_ATTRIBUTE pub_key_result[] =
++		{
++		{CKA_VALUE, (void *)NULL, 0}
++		};
++
++	CK_ULONG priv_key_attr_result_count = 1;
++	CK_ATTRIBUTE priv_key_result[] =
++		{
++		{CKA_VALUE, (void *)NULL, 0}
++		};
++
++	pub_key_template[1].ulValueLen = BN_num_bytes(dh->p);
++	if (pub_key_template[1].ulValueLen > 0)
++		{
++		/*
++		 * We must not increase ulValueLen by DH_BUF_RESERVE since that
++		 * could cause the same rounding problem. See definition of
++		 * DH_BUF_RESERVE above.
++		 */
++		pub_key_template[1].pValue =
++			OPENSSL_malloc(pub_key_template[1].ulValueLen +
++			DH_BUF_RESERVE);
++		if (pub_key_template[1].pValue == NULL)
++			{
++			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++
++		i = BN_bn2bin(dh->p, pub_key_template[1].pValue);
++		}
++	else
++		goto err;
++
++	pub_key_template[2].ulValueLen = BN_num_bytes(dh->g);
++	if (pub_key_template[2].ulValueLen > 0)
++		{
++		pub_key_template[2].pValue =
++			OPENSSL_malloc(pub_key_template[2].ulValueLen +
++			DH_BUF_RESERVE);
++		if (pub_key_template[2].pValue == NULL)
++			{
++			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++
++		i = BN_bn2bin(dh->g, pub_key_template[2].pValue);
++		}
++	else
++		goto err;
++
++	/*
++	 * Note: we are only using PK11_SESSION structure for getting
++	 *	 a session handle. The objects created in this function are
++	 *	 destroyed before return and thus not cached.
++	 */
++	if ((sp = pk11_get_session(OP_DH)) == NULL)
++		goto err;
++
++	rv = pFuncList->C_GenerateKeyPair(sp->session,
++	    &mechanism,
++	    pub_key_template,
++	    ul_pub_key_attr_count,
++	    priv_key_template,
++	    ul_priv_key_attr_count,
++	    &h_pub_key,
++	    &h_priv_key);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_GEN_KEY, PK11_R_GEN_KEY, rv);
++		goto err;
++		}
++
++	/*
++	 * Reuse the larger memory allocated. We know the larger memory
++	 * should be sufficient for reuse.
++	 */
++	if (pub_key_template[1].ulValueLen > pub_key_template[2].ulValueLen)
++		{
++		reuse_mem = pub_key_template[1].pValue;
++		reuse_mem_len = pub_key_template[1].ulValueLen + DH_BUF_RESERVE;
++		}
++	else
++		{
++		reuse_mem = pub_key_template[2].pValue;
++		reuse_mem_len = pub_key_template[2].ulValueLen + DH_BUF_RESERVE;
++		}
++
++	rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
++		pub_key_result, pub_key_attr_result_count);
++	rv1 = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
++		priv_key_result, priv_key_attr_result_count);
++
++	if (rv != CKR_OK || rv1 != CKR_OK)
++		{
++		rv = (rv != CKR_OK) ? rv : rv1;
++		PK11err_add_data(PK11_F_DH_GEN_KEY,
++		    PK11_R_GETATTRIBUTVALUE, rv);
++		goto err;
++		}
++
++	if (((CK_LONG) pub_key_result[0].ulValueLen) <= 0 ||
++		((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
++		{
++		PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
++		goto err;
++		}
++
++	/* Reuse the memory allocated */
++	pub_key_result[0].pValue = reuse_mem;
++	pub_key_result[0].ulValueLen = reuse_mem_len;
++
++	rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
++		pub_key_result, pub_key_attr_result_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_GEN_KEY,
++		    PK11_R_GETATTRIBUTVALUE, rv);
++		goto err;
++		}
++
++	if (pub_key_result[0].type == CKA_VALUE)
++		{
++		if (dh->pub_key == NULL)
++			if ((dh->pub_key = BN_new()) == NULL)
++				{
++				PK11err(PK11_F_DH_GEN_KEY,
++					PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++		dh->pub_key = BN_bin2bn(pub_key_result[0].pValue,
++			pub_key_result[0].ulValueLen, dh->pub_key);
++		if (dh->pub_key == NULL)
++			{
++			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		}
++
++	/* Reuse the memory allocated */
++	priv_key_result[0].pValue = reuse_mem;
++	priv_key_result[0].ulValueLen = reuse_mem_len;
++
++	rv = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
++		priv_key_result, priv_key_attr_result_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_GEN_KEY,
++		    PK11_R_GETATTRIBUTVALUE, rv);
++		goto err;
++		}
++
++	if (priv_key_result[0].type == CKA_VALUE)
++		{
++		if (dh->priv_key == NULL)
++			if ((dh->priv_key = BN_new()) == NULL)
++				{
++				PK11err(PK11_F_DH_GEN_KEY,
++					PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++		dh->priv_key = BN_bin2bn(priv_key_result[0].pValue,
++			priv_key_result[0].ulValueLen, dh->priv_key);
++		if (dh->priv_key == NULL)
++			{
++			PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		}
++
++	ret = 1;
++
++err:
++
++	if (h_pub_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_DestroyObject(sp->session, h_pub_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DH_GEN_KEY,
++			    PK11_R_DESTROYOBJECT, rv);
++			}
++		}
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_DestroyObject(sp->session, h_priv_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DH_GEN_KEY,
++			    PK11_R_DESTROYOBJECT, rv);
++			}
++		}
++
++	for (i = 1; i <= 2; i++)
++		{
++		if (pub_key_template[i].pValue != NULL)
++			{
++			OPENSSL_free(pub_key_template[i].pValue);
++			pub_key_template[i].pValue = NULL;
++			}
++		}
++
++	pk11_return_session(sp, OP_DH);
++	return (ret);
++	}
++
++static int pk11_DH_compute_key(unsigned char *key, const BIGNUM *pub_key,
++	DH *dh)
++	{
++	unsigned int i;
++	CK_MECHANISM mechanism = {CKM_DH_PKCS_DERIVE, NULL_PTR, 0};
++	CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
++	CK_KEY_TYPE key_type = CKK_GENERIC_SECRET;
++	CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++
++	CK_ULONG ul_priv_key_attr_count = 2;
++	CK_ATTRIBUTE priv_key_template[] =
++		{
++		{CKA_CLASS, (void*) NULL, sizeof (key_class)},
++		{CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++		};
++
++	CK_ULONG priv_key_attr_result_count = 1;
++	CK_ATTRIBUTE priv_key_result[] =
++		{
++		{CKA_VALUE, (void *)NULL, 0}
++		};
++
++	CK_RV rv;
++	int ret = -1;
++	PK11_SESSION *sp = NULL;
++
++	if (dh->priv_key == NULL)
++		goto err;
++
++	priv_key_template[0].pValue = &key_class;
++	priv_key_template[1].pValue = &key_type;
++
++	if ((sp = pk11_get_session(OP_DH)) == NULL)
++		goto err;
++
++	mechanism.ulParameterLen = BN_num_bytes(pub_key);
++	mechanism.pParameter = OPENSSL_malloc(mechanism.ulParameterLen);
++	if (mechanism.pParameter == NULL)
++		{
++		PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++	BN_bn2bin(pub_key, mechanism.pParameter);
++
++	(void) check_new_dh_key(sp, dh);
++
++	h_key = sp->opdata_dh_key;
++	if (h_key == CK_INVALID_HANDLE)
++		h_key = sp->opdata_dh_key =
++			pk11_get_dh_key((DH*) dh, &sp->opdata_dh,
++			    &sp->opdata_dh_priv_num, sp->session);
++
++	if (h_key == CK_INVALID_HANDLE)
++		{
++		PK11err(PK11_F_DH_COMP_KEY, PK11_R_CREATEOBJECT);
++		goto err;
++		}
++
++	rv = pFuncList->C_DeriveKey(sp->session,
++	    &mechanism,
++	    h_key,
++	    priv_key_template,
++	    ul_priv_key_attr_count,
++	    &h_derived_key);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_DERIVEKEY, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
++	    priv_key_result, priv_key_attr_result_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
++		    rv);
++		goto err;
++		}
++
++	if (((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
++		{
++		PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
++		goto err;
++		}
++	priv_key_result[0].pValue =
++		OPENSSL_malloc(priv_key_result[0].ulValueLen);
++	if (!priv_key_result[0].pValue)
++		{
++		PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
++		goto err;
++		}
++
++	rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
++		priv_key_result, priv_key_attr_result_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
++		    rv);
++		goto err;
++		}
++
++	/*
++	 * OpenSSL allocates the output buffer 'key' which is the same
++	 * length of the public key. It is long enough for the derived key
++	 */
++	if (priv_key_result[0].type == CKA_VALUE)
++		{
++		/*
++		 * CKM_DH_PKCS_DERIVE mechanism is not supposed to strip
++		 * leading zeros from a computed shared secret. However,
++		 * OpenSSL always did it so we must do the same here. The
++		 * vagueness of the spec regarding leading zero bytes was
++		 * finally cleared with TLS 1.1 (RFC 4346) saying that leading
++		 * zeros are stripped before the computed data is used as the
++		 * pre-master secret.
++		 */
++		for (i = 0; i < priv_key_result[0].ulValueLen; ++i)
++			{
++			if (((char *)priv_key_result[0].pValue)[i] != 0)
++				break;
++			}
++
++		(void) memcpy(key, ((char *)priv_key_result[0].pValue) + i,
++			priv_key_result[0].ulValueLen - i);
++		ret = priv_key_result[0].ulValueLen - i;
++		}
++
++err:
++
++	if (h_derived_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_DestroyObject(sp->session, h_derived_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_DH_COMP_KEY,
++			    PK11_R_DESTROYOBJECT, rv);
++			}
++		}
++	if (priv_key_result[0].pValue)
++		{
++		OPENSSL_free(priv_key_result[0].pValue);
++		priv_key_result[0].pValue = NULL;
++		}
++
++	if (mechanism.pParameter)
++		{
++		OPENSSL_free(mechanism.pParameter);
++		mechanism.pParameter = NULL;
++		}
++
++	pk11_return_session(sp, OP_DH);
++	return (ret);
++	}
++
++
++static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh,
++	DH **key_ptr, BIGNUM **dh_priv_num, CK_SESSION_HANDLE session)
++	{
++	CK_RV rv;
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
++	CK_KEY_TYPE key_type = CKK_DH;
++	CK_ULONG found;
++	CK_BBOOL rollback = FALSE;
++	int i;
++
++	CK_ULONG ul_key_attr_count = 7;
++	CK_ATTRIBUTE key_template[] =
++		{
++		{CKA_CLASS, (void*) NULL, sizeof (class)},
++		{CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++		{CKA_DERIVE, &true, sizeof (true)},
++		{CKA_PRIVATE, &false, sizeof (false)},
++		{CKA_PRIME, (void *) NULL, 0},
++		{CKA_BASE, (void *) NULL, 0},
++		{CKA_VALUE, (void *) NULL, 0},
++		};
++
++	key_template[0].pValue = &class;
++	key_template[1].pValue = &key_type;
++
++	key_template[4].ulValueLen = BN_num_bytes(dh->p);
++	key_template[4].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++		(size_t)key_template[4].ulValueLen);
++	if (key_template[4].pValue == NULL)
++		{
++		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	BN_bn2bin(dh->p, key_template[4].pValue);
++
++	key_template[5].ulValueLen = BN_num_bytes(dh->g);
++	key_template[5].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++		(size_t)key_template[5].ulValueLen);
++	if (key_template[5].pValue == NULL)
++		{
++		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	BN_bn2bin(dh->g, key_template[5].pValue);
++
++	key_template[6].ulValueLen = BN_num_bytes(dh->priv_key);
++	key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++		(size_t)key_template[6].ulValueLen);
++	if (key_template[6].pValue == NULL)
++		{
++		PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++		goto malloc_err;
++		}
++
++	BN_bn2bin(dh->priv_key, key_template[6].pValue);
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(OP_DH);
++	rv = pFuncList->C_FindObjectsInit(session, key_template,
++		ul_key_attr_count);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSINIT, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_FindObjectsFinal(session);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSFINAL,
++		    rv);
++		goto err;
++		}
++
++	if (found == 0)
++		{
++		rv = pFuncList->C_CreateObject(session,
++			key_template, ul_key_attr_count, &h_key);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_CREATEOBJECT,
++			    rv);
++			goto err;
++			}
++		}
++
++	if (dh_priv_num != NULL)
++		if ((*dh_priv_num = BN_dup(dh->priv_key)) == NULL)
++			{
++			PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++			rollback = TRUE;
++			goto err;
++			}
++
++	/* LINTED: E_CONSTANT_CONDITION */
++	KEY_HANDLE_REFHOLD(h_key, OP_DH, FALSE, rollback, err);
++	if (key_ptr != NULL)
++		*key_ptr = dh;
++
++err:
++	if (rollback)
++		{
++		/*
++		 * We do not care about the return value from C_DestroyObject()
++		 * since we are doing rollback.
++		 */
++		if (found == 0)
++			(void) pFuncList->C_DestroyObject(session, h_key);
++		h_key = CK_INVALID_HANDLE;
++		}
++
++	UNLOCK_OBJSTORE(OP_DH);
++
++malloc_err:
++	for (i = 4; i <= 6; i++)
++		{
++		if (key_template[i].pValue != NULL)
++			{
++			OPENSSL_free(key_template[i].pValue);
++			key_template[i].pValue = NULL;
++			}
++		}
++
++	return (h_key);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ *
++ * Note: we rely on pk11_destroy_dh_key_objects() to set sp->opdata_dh
++ *       to CK_INVALID_HANDLE even when it fails to destroy the object.
++ */
++static int check_new_dh_key(PK11_SESSION *sp, DH *dh)
++	{
++	/*
++	 * Provide protection against DH structure reuse by making the
++	 * check for cache hit stronger. Private key component of DH key
++	 * is unique so it is sufficient to compare it with value cached
++	 * in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_dh != dh) ||
++	    (BN_cmp(sp->opdata_dh_priv_num, dh->priv_key) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_dh_object(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++#endif
++
++/*
++ * Local function to simplify key template population
++ * Return 0 -- error, 1 -- no error
++ */
++static int init_template_value(BIGNUM *bn, CK_VOID_PTR *p_value,
++	CK_ULONG *ul_value_len)
++	{
++	CK_ULONG len = BN_num_bytes(bn);
++	if (len == 0)
++		return (1);
++
++	*ul_value_len = len;
++	*p_value = (CK_VOID_PTR)OPENSSL_malloc((size_t)*ul_value_len);
++	if (*p_value == NULL)
++		return (0);
++
++	BN_bn2bin(bn, *p_value);
++
++	return (1);
++	}
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
++	{
++	if (attr->ulValueLen > 0)
++		{
++		*bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
++		}
++	}
++#ifdef	OPENSSL_SYS_WIN32
++char *getpassphrase(const char *prompt)
++	{
++	static char buf[128];
++	HANDLE h;
++	DWORD cc, mode;
++	int cnt;
++
++	h = GetStdHandle(STD_INPUT_HANDLE);
++	fputs(prompt, stderr);
++	fflush(stderr);
++	fflush(stdout);
++	FlushConsoleInputBuffer(h);
++	GetConsoleMode(h, &mode);
++	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
++
++	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
++		{
++		ReadFile(h, buf + cnt, 1, &cc, NULL);
++		if (buf[cnt] == '\r')
++			break;
++		fputc('*', stdout);
++		fflush(stderr);
++		fflush(stdout);
++		}
++
++	SetConsoleMode(h, mode);
++	buf[cnt] = '\0';
++	fputs("\n", stderr);
++	return buf;
++	}
++#endif	/* OPENSSL_SYS_WIN32 */
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/pkcs11.h
+diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/pkcs11.h	Wed Oct 24 23:27:09 2007
+@@ -0,0 +1,299 @@
++/* pkcs11.h include file for PKCS #11. */
++/* $Revision: 1.2 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the 
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++#ifndef _PKCS11_H_
++#define _PKCS11_H_ 1
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/* Before including this file (pkcs11.h) (or pkcs11t.h by
++ * itself), 6 platform-specific macros must be defined.  These
++ * macros are described below, and typical definitions for them
++ * are also given.  Be advised that these definitions can depend
++ * on both the platform and the compiler used (and possibly also
++ * on whether a Cryptoki library is linked statically or
++ * dynamically).
++ *
++ * In addition to defining these 6 macros, the packing convention
++ * for Cryptoki structures should be set.  The Cryptoki
++ * convention on packing is that structures should be 1-byte
++ * aligned.
++ *
++ * If you're using Microsoft Developer Studio 5.0 to produce
++ * Win32 stuff, this might be done by using the following
++ * preprocessor directive before including pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(push, cryptoki, 1)
++ *
++ * and using the following preprocessor directive after including
++ * pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(pop, cryptoki)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to produce Win16 stuff, this might be done by using
++ * the following preprocessor directive before including
++ * pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(1)
++ *
++ * In a UNIX environment, you're on your own for this.  You might
++ * not need to do (or be able to do!) anything.
++ *
++ *
++ * Now for the macros:
++ *
++ *
++ * 1. CK_PTR: The indirection string for making a pointer to an
++ * object.  It can be used like this:
++ *
++ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to produce
++ * Win32 stuff, it might be defined by:
++ *
++ * #define CK_PTR *
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to produce Win16 stuff, it might be defined by:
++ *
++ * #define CK_PTR far *
++ *
++ * In a typical UNIX environment, it might be defined by:
++ *
++ * #define CK_PTR *
++ *
++ *
++ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
++ * an exportable Cryptoki library function definition out of a
++ * return type and a function name.  It should be used in the
++ * following fashion to define the exposed Cryptoki functions in
++ * a Cryptoki library:
++ *
++ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
++ *   CK_VOID_PTR pReserved
++ * )
++ * {
++ *   ...
++ * }
++ *
++ * If you're using Microsoft Developer Studio 5.0 to define a
++ * function in a Win32 Cryptoki .dll, it might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ *   returnType __declspec(dllexport) name
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to define a function in a Win16 Cryptoki .dll, it
++ * might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ *   returnType __export _far _pascal name
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ *   returnType name
++ *
++ *
++ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
++ * an importable Cryptoki library function declaration out of a
++ * return type and a function name.  It should be used in the
++ * following fashion:
++ *
++ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
++ *   CK_VOID_PTR pReserved
++ * );
++ *
++ * If you're using Microsoft Developer Studio 5.0 to declare a
++ * function in a Win32 Cryptoki .dll, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ *   returnType __declspec(dllimport) name
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to declare a function in a Win16 Cryptoki .dll, it
++ * might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ *   returnType __export _far _pascal name
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ *   returnType name
++ *
++ *
++ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
++ * which makes a Cryptoki API function pointer declaration or
++ * function pointer type declaration out of a return type and a
++ * function name.  It should be used in the following fashion:
++ *
++ * // Define funcPtr to be a pointer to a Cryptoki API function
++ * // taking arguments args and returning CK_RV.
++ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
++ *
++ * or
++ *
++ * // Define funcPtrType to be the type of a pointer to a
++ * // Cryptoki API function taking arguments args and returning
++ * // CK_RV, and then define funcPtr to be a variable of type
++ * // funcPtrType.
++ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
++ * funcPtrType funcPtr;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to access
++ * functions in a Win32 Cryptoki .dll, in might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ *   returnType __declspec(dllimport) (* name)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to access functions in a Win16 Cryptoki .dll, it might
++ * be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ *   returnType __export _far _pascal (* name)
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ *   returnType (* name)
++ *
++ *
++ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
++ * a function pointer type for an application callback out of
++ * a return type for the callback and a name for the callback.
++ * It should be used in the following fashion:
++ *
++ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
++ *
++ * to declare a function pointer, myCallback, to a callback
++ * which takes arguments args and returns a CK_RV.  It can also
++ * be used like this:
++ *
++ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
++ * myCallbackType myCallback;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to do Win32
++ * Cryptoki development, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ *   returnType (* name)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to do Win16 development, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ *   returnType _far _pascal (* name)
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ *   returnType (* name)
++ *
++ *
++ * 6. NULL_PTR: This macro is the value of a NULL pointer.
++ *
++ * In any ANSI/ISO C environment (and in many others as well),
++ * this should best be defined by
++ *
++ * #ifndef NULL_PTR
++ * #define NULL_PTR 0
++ * #endif
++ */
++
++
++/* All the various Cryptoki types and #define'd values are in the
++ * file pkcs11t.h. */
++#include "pkcs11t.h"
++
++#define __PASTE(x,y)      x##y
++
++
++/* ==============================================================
++ * Define the "extern" form of all the entry points.
++ * ==============================================================
++ */
++
++#define CK_NEED_ARG_LIST  1
++#define CK_PKCS11_FUNCTION_INFO(name) \
++  extern CK_DECLARE_FUNCTION(CK_RV, name)
++
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++#undef CK_NEED_ARG_LIST
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++/* ==============================================================
++ * Define the typedef form of all the entry points.  That is, for
++ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
++ * a pointer to that kind of function.
++ * ==============================================================
++ */
++
++#define CK_NEED_ARG_LIST  1
++#define CK_PKCS11_FUNCTION_INFO(name) \
++  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
++
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++#undef CK_NEED_ARG_LIST
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++/* ==============================================================
++ * Define structed vector of entry points.  A CK_FUNCTION_LIST
++ * contains a CK_VERSION indicating a library's Cryptoki version
++ * and then a whole slew of function pointers to the routines in
++ * the library.  This type was declared, but not defined, in
++ * pkcs11t.h.
++ * ==============================================================
++ */
++
++#define CK_PKCS11_FUNCTION_INFO(name) \
++  __PASTE(CK_,name) name;
++  
++struct CK_FUNCTION_LIST {
++
++  CK_VERSION    version;  /* Cryptoki version */
++
++/* Pile all the function pointers into the CK_FUNCTION_LIST. */
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++};
++
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++#undef __PASTE
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif
+Index: openssl/crypto/engine/pkcs11f.h
+diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/pkcs11f.h	Wed Oct 24 23:27:09 2007
+@@ -0,0 +1,912 @@
++/* pkcs11f.h include file for PKCS #11. */
++/* $Revision: 1.2 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the 
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++/* This header file contains pretty much everything about all the */
++/* Cryptoki function prototypes.  Because this information is */
++/* used for more than just declaring function prototypes, the */
++/* order of the functions appearing herein is important, and */
++/* should not be altered. */
++
++/* General-purpose */
++
++/* C_Initialize initializes the Cryptoki library. */
++CK_PKCS11_FUNCTION_INFO(C_Initialize)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
++                            * cast to CK_C_INITIALIZE_ARGS_PTR
++                            * and dereferenced */
++);
++#endif
++
++
++/* C_Finalize indicates that an application is done with the
++ * Cryptoki library. */
++CK_PKCS11_FUNCTION_INFO(C_Finalize)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
++);
++#endif
++
++
++/* C_GetInfo returns general information about Cryptoki. */
++CK_PKCS11_FUNCTION_INFO(C_GetInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_INFO_PTR   pInfo  /* location that receives information */
++);
++#endif
++
++
++/* C_GetFunctionList returns the function list. */
++CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
++                                            * function list */
++);
++#endif
++
++
++
++/* Slot and token management */
++
++/* C_GetSlotList obtains a list of slots in the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
++  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
++  CK_ULONG_PTR   pulCount       /* receives number of slots */
++);
++#endif
++
++
++/* C_GetSlotInfo obtains information about a particular slot in
++ * the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID       slotID,  /* the ID of the slot */
++  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
++);
++#endif
++
++
++/* C_GetTokenInfo obtains information about a particular token
++ * in the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID        slotID,  /* ID of the token's slot */
++  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
++);
++#endif
++
++
++/* C_GetMechanismList obtains a list of mechanism types
++ * supported by a token. */
++CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID            slotID,          /* ID of token's slot */
++  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
++  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
++);
++#endif
++
++
++/* C_GetMechanismInfo obtains information about a particular
++ * mechanism possibly supported by a token. */
++CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID            slotID,  /* ID of the token's slot */
++  CK_MECHANISM_TYPE     type,    /* type of mechanism */
++  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
++);
++#endif
++
++
++/* C_InitToken initializes a token. */
++CK_PKCS11_FUNCTION_INFO(C_InitToken)
++#ifdef CK_NEED_ARG_LIST
++/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
++(
++  CK_SLOT_ID      slotID,    /* ID of the token's slot */
++  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
++  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
++  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
++);
++#endif
++
++
++/* C_InitPIN initializes the normal user's PIN. */
++CK_PKCS11_FUNCTION_INFO(C_InitPIN)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
++  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
++);
++#endif
++
++
++/* C_SetPIN modifies the PIN of the user who is logged in. */
++CK_PKCS11_FUNCTION_INFO(C_SetPIN)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
++  CK_ULONG          ulOldLen,  /* length of the old PIN */
++  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
++  CK_ULONG          ulNewLen   /* length of the new PIN */
++);
++#endif
++
++
++
++/* Session management */
++
++/* C_OpenSession opens a session between an application and a
++ * token. */
++CK_PKCS11_FUNCTION_INFO(C_OpenSession)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID            slotID,        /* the slot's ID */
++  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
++  CK_VOID_PTR           pApplication,  /* passed to callback */
++  CK_NOTIFY             Notify,        /* callback function */
++  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
++);
++#endif
++
++
++/* C_CloseSession closes a session between an application and a
++ * token. */
++CK_PKCS11_FUNCTION_INFO(C_CloseSession)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession  /* the session's handle */
++);
++#endif
++
++
++/* C_CloseAllSessions closes all sessions with a token. */
++CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SLOT_ID     slotID  /* the token's slot */
++);
++#endif
++
++
++/* C_GetSessionInfo obtains information about the session. */
++CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE   hSession,  /* the session's handle */
++  CK_SESSION_INFO_PTR pInfo      /* receives session info */
++);
++#endif
++
++
++/* C_GetOperationState obtains the state of the cryptographic operation
++ * in a session. */
++CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,             /* session's handle */
++  CK_BYTE_PTR       pOperationState,      /* gets state */
++  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
++);
++#endif
++
++
++/* C_SetOperationState restores the state of the cryptographic
++ * operation in a session. */
++CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR      pOperationState,      /* holds state */
++  CK_ULONG         ulOperationStateLen,  /* holds state length */
++  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
++  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
++);
++#endif
++
++
++/* C_Login logs a user into a token. */
++CK_PKCS11_FUNCTION_INFO(C_Login)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_USER_TYPE      userType,  /* the user type */
++  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
++  CK_ULONG          ulPinLen   /* the length of the PIN */
++);
++#endif
++
++
++/* C_Logout logs a user out from a token. */
++CK_PKCS11_FUNCTION_INFO(C_Logout)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession  /* the session's handle */
++);
++#endif
++
++
++
++/* Object management */
++
++/* C_CreateObject creates a new object. */
++CK_PKCS11_FUNCTION_INFO(C_CreateObject)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
++  CK_ULONG          ulCount,     /* attributes in template */
++  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
++);
++#endif
++
++
++/* C_CopyObject copies an object, creating a new object for the
++ * copy. */
++CK_PKCS11_FUNCTION_INFO(C_CopyObject)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE    hSession,    /* the session's handle */
++  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
++  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
++  CK_ULONG             ulCount,     /* attributes in template */
++  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
++);
++#endif
++
++
++/* C_DestroyObject destroys an object. */
++CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_OBJECT_HANDLE  hObject    /* the object's handle */
++);
++#endif
++
++
++/* C_GetObjectSize gets the size of an object in bytes. */
++CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
++  CK_ULONG_PTR      pulSize    /* receives size of object */
++);
++#endif
++
++
++/* C_GetAttributeValue obtains the value of one or more object
++ * attributes. */
++CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,   /* the session's handle */
++  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
++  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
++  CK_ULONG          ulCount     /* attributes in template */
++);
++#endif
++
++
++/* C_SetAttributeValue modifies the value of one or more object
++ * attributes */
++CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,   /* the session's handle */
++  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
++  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
++  CK_ULONG          ulCount     /* attributes in template */
++);
++#endif
++
++
++/* C_FindObjectsInit initializes a search for token and session
++ * objects that match a template. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,   /* the session's handle */
++  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
++  CK_ULONG          ulCount     /* attrs in search template */
++);
++#endif
++
++
++/* C_FindObjects continues a search for token and session
++ * objects that match a template, obtaining additional object
++ * handles. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjects)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE    hSession,          /* session's handle */
++ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
++ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
++ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
++);
++#endif
++
++
++/* C_FindObjectsFinal finishes a search for token and session
++ * objects. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession  /* the session's handle */
++);
++#endif
++
++
++
++/* Encryption and decryption */
++
++/* C_EncryptInit initializes an encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
++  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
++);
++#endif
++
++
++/* C_Encrypt encrypts single-part data. */
++CK_PKCS11_FUNCTION_INFO(C_Encrypt)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pData,               /* the plaintext data */
++  CK_ULONG          ulDataLen,           /* bytes of plaintext */
++  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
++  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
++);
++#endif
++
++
++/* C_EncryptUpdate continues a multiple-part encryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,           /* session's handle */
++  CK_BYTE_PTR       pPart,              /* the plaintext data */
++  CK_ULONG          ulPartLen,          /* plaintext data len */
++  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
++  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
++);
++#endif
++
++
++/* C_EncryptFinal finishes a multiple-part encryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,                /* session handle */
++  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
++  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
++);
++#endif
++
++
++/* C_DecryptInit initializes a decryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
++  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
++);
++#endif
++
++
++/* C_Decrypt decrypts encrypted data in a single part. */
++CK_PKCS11_FUNCTION_INFO(C_Decrypt)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,           /* session's handle */
++  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
++  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
++  CK_BYTE_PTR       pData,              /* gets plaintext */
++  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
++);
++#endif
++
++
++/* C_DecryptUpdate continues a multiple-part decryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
++  CK_ULONG          ulEncryptedPartLen,  /* input length */
++  CK_BYTE_PTR       pPart,               /* gets plaintext */
++  CK_ULONG_PTR      pulPartLen           /* p-text size */
++);
++#endif
++
++
++/* C_DecryptFinal finishes a multiple-part decryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,       /* the session's handle */
++  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
++  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
++);
++#endif
++
++
++
++/* Message digesting */
++
++/* C_DigestInit initializes a message-digesting operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,   /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
++);
++#endif
++
++
++/* C_Digest digests data in a single part. */
++CK_PKCS11_FUNCTION_INFO(C_Digest)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,     /* the session's handle */
++  CK_BYTE_PTR       pData,        /* data to be digested */
++  CK_ULONG          ulDataLen,    /* bytes of data to digest */
++  CK_BYTE_PTR       pDigest,      /* gets the message digest */
++  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
++);
++#endif
++
++
++/* C_DigestUpdate continues a multiple-part message-digesting
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_BYTE_PTR       pPart,     /* data to be digested */
++  CK_ULONG          ulPartLen  /* bytes of data to be digested */
++);
++#endif
++
++
++/* C_DigestKey continues a multi-part message-digesting
++ * operation, by digesting the value of a secret key as part of
++ * the data already digested. */
++CK_PKCS11_FUNCTION_INFO(C_DigestKey)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
++);
++#endif
++
++
++/* C_DigestFinal finishes a multiple-part message-digesting
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,     /* the session's handle */
++  CK_BYTE_PTR       pDigest,      /* gets the message digest */
++  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
++);
++#endif
++
++
++
++/* Signing and MACing */
++
++/* C_SignInit initializes a signature (private key encryption)
++ * operation, where the signature is (will be) an appendix to
++ * the data, and plaintext cannot be recovered from the
++ *signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
++  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
++);
++#endif
++
++
++/* C_Sign signs (encrypts with private key) data in a single
++ * part, where the signature is (will be) an appendix to the
++ * data, and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_Sign)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,        /* the session's handle */
++  CK_BYTE_PTR       pData,           /* the data to sign */
++  CK_ULONG          ulDataLen,       /* count of bytes to sign */
++  CK_BYTE_PTR       pSignature,      /* gets the signature */
++  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
++);
++#endif
++
++
++/* C_SignUpdate continues a multiple-part signature operation,
++ * where the signature is (will be) an appendix to the data, 
++ * and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_BYTE_PTR       pPart,     /* the data to sign */
++  CK_ULONG          ulPartLen  /* count of bytes to sign */
++);
++#endif
++
++
++/* C_SignFinal finishes a multiple-part signature operation, 
++ * returning the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,        /* the session's handle */
++  CK_BYTE_PTR       pSignature,      /* gets the signature */
++  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
++);
++#endif
++
++
++/* C_SignRecoverInit initializes a signature operation, where
++ * the data can be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,   /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
++  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
++);
++#endif
++
++
++/* C_SignRecover signs data in a single operation, where the
++ * data can be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignRecover)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,        /* the session's handle */
++  CK_BYTE_PTR       pData,           /* the data to sign */
++  CK_ULONG          ulDataLen,       /* count of bytes to sign */
++  CK_BYTE_PTR       pSignature,      /* gets the signature */
++  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
++);
++#endif
++
++
++
++/* Verifying signatures and MACs */
++
++/* C_VerifyInit initializes a verification operation, where the
++ * signature is an appendix to the data, and plaintext cannot
++ *  cannot be recovered from the signature (e.g. DSA). */
++CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
++  CK_OBJECT_HANDLE  hKey         /* verification key */ 
++);
++#endif
++
++
++/* C_Verify verifies a signature in a single-part operation, 
++ * where the signature is an appendix to the data, and plaintext
++ * cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_Verify)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,       /* the session's handle */
++  CK_BYTE_PTR       pData,          /* signed data */
++  CK_ULONG          ulDataLen,      /* length of signed data */
++  CK_BYTE_PTR       pSignature,     /* signature */
++  CK_ULONG          ulSignatureLen  /* signature length*/
++);
++#endif
++
++
++/* C_VerifyUpdate continues a multiple-part verification
++ * operation, where the signature is an appendix to the data, 
++ * and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_BYTE_PTR       pPart,     /* signed data */
++  CK_ULONG          ulPartLen  /* length of signed data */
++);
++#endif
++
++
++/* C_VerifyFinal finishes a multiple-part verification
++ * operation, checking the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,       /* the session's handle */
++  CK_BYTE_PTR       pSignature,     /* signature to verify */
++  CK_ULONG          ulSignatureLen  /* signature length */
++);
++#endif
++
++
++/* C_VerifyRecoverInit initializes a signature verification
++ * operation, where the data is recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
++  CK_OBJECT_HANDLE  hKey         /* verification key */
++);
++#endif
++
++
++/* C_VerifyRecover verifies a signature in a single-part
++ * operation, where the data is recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,        /* the session's handle */
++  CK_BYTE_PTR       pSignature,      /* signature to verify */
++  CK_ULONG          ulSignatureLen,  /* signature length */
++  CK_BYTE_PTR       pData,           /* gets signed data */
++  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
++);
++#endif
++
++
++
++/* Dual-function cryptographic operations */
++
++/* C_DigestEncryptUpdate continues a multiple-part digesting
++ * and encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pPart,               /* the plaintext data */
++  CK_ULONG          ulPartLen,           /* plaintext length */
++  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
++  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
++);
++#endif
++
++
++/* C_DecryptDigestUpdate continues a multiple-part decryption and
++ * digesting operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
++  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
++  CK_BYTE_PTR       pPart,               /* gets plaintext */
++  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
++);
++#endif
++
++
++/* C_SignEncryptUpdate continues a multiple-part signing and
++ * encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pPart,               /* the plaintext data */
++  CK_ULONG          ulPartLen,           /* plaintext length */
++  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
++  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
++);
++#endif
++
++
++/* C_DecryptVerifyUpdate continues a multiple-part decryption and
++ * verify operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,            /* session's handle */
++  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
++  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
++  CK_BYTE_PTR       pPart,               /* gets plaintext */
++  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
++);
++#endif
++
++
++
++/* Key management */
++
++/* C_GenerateKey generates a secret key, creating a new key
++ * object. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE    hSession,    /* the session's handle */
++  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
++  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
++  CK_ULONG             ulCount,     /* # of attrs in template */
++  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
++);
++#endif
++
++
++/* C_GenerateKeyPair generates a public-key/private-key pair, 
++ * creating new key objects. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE    hSession,                    /* session
++                                                     * handle */
++  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
++                                                     * mech. */
++  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
++                                                     * for pub.
++                                                     * key */
++  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
++                                                     * attrs. */
++  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
++                                                     * for priv.
++                                                     * key */
++  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
++                                                     * attrs. */
++  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
++                                                     * key
++                                                     * handle */
++  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
++                                                     * priv. key
++                                                     * handle */
++);
++#endif
++
++
++/* C_WrapKey wraps (i.e., encrypts) a key. */
++CK_PKCS11_FUNCTION_INFO(C_WrapKey)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,        /* the session's handle */
++  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
++  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
++  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
++  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
++  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
++);
++#endif
++
++
++/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
++ * key object. */
++CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE    hSession,          /* session's handle */
++  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
++  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
++  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
++  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
++  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
++  CK_ULONG             ulAttributeCount,  /* template length */
++  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
++);
++#endif
++
++
++/* C_DeriveKey derives a key from a base key, creating a new key
++ * object. */
++CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE    hSession,          /* session's handle */
++  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
++  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
++  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
++  CK_ULONG             ulAttributeCount,  /* template length */
++  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
++);
++#endif
++
++
++
++/* Random number generation */
++
++/* C_SeedRandom mixes additional seed material into the token's
++ * random number generator. */
++CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,  /* the session's handle */
++  CK_BYTE_PTR       pSeed,     /* the seed material */
++  CK_ULONG          ulSeedLen  /* length of seed material */
++);
++#endif
++
++
++/* C_GenerateRandom generates random data. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession,    /* the session's handle */
++  CK_BYTE_PTR       RandomData,  /* receives the random data */
++  CK_ULONG          ulRandomLen  /* # of bytes to generate */
++);
++#endif
++
++
++
++/* Parallel function management */
++
++/* C_GetFunctionStatus is a legacy function; it obtains an
++ * updated status of a function running in parallel with an
++ * application. */
++CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession  /* the session's handle */
++);
++#endif
++
++
++/* C_CancelFunction is a legacy function; it cancels a function
++ * running in parallel. */
++CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_SESSION_HANDLE hSession  /* the session's handle */
++);
++#endif
++
++
++
++/* Functions added in for Cryptoki Version 2.01 or later */
++
++/* C_WaitForSlotEvent waits for a slot event (token insertion,
++ * removal, etc.) to occur. */
++CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
++#ifdef CK_NEED_ARG_LIST
++(
++  CK_FLAGS flags,        /* blocking/nonblocking flag */
++  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
++  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
++);
++#endif
+Index: openssl/crypto/engine/pkcs11t.h
+diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
+--- /dev/null	Wed Sep  2 11:37:23 2009
++++ openssl/crypto/engine/pkcs11t.h	Sat Aug 30 11:58:07 2008
+@@ -0,0 +1,1885 @@
++/* pkcs11t.h include file for PKCS #11. */
++/* $Revision: 1.2 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++/* See top of pkcs11.h for information about the macros that
++ * must be defined and the structure-packing conventions that
++ * must be set before including this file. */
++
++#ifndef _PKCS11T_H_
++#define _PKCS11T_H_ 1
++
++#define CRYPTOKI_VERSION_MAJOR 2
++#define CRYPTOKI_VERSION_MINOR 20
++#define CRYPTOKI_VERSION_AMENDMENT 3
++
++#define CK_TRUE 1
++#define CK_FALSE 0
++
++#ifndef CK_DISABLE_TRUE_FALSE
++#ifndef FALSE
++#define FALSE CK_FALSE
++#endif
++
++#ifndef TRUE
++#define TRUE CK_TRUE
++#endif
++#endif
++
++/* an unsigned 8-bit value */
++typedef unsigned char     CK_BYTE;
++
++/* an unsigned 8-bit character */
++typedef CK_BYTE           CK_CHAR;
++
++/* an 8-bit UTF-8 character */
++typedef CK_BYTE           CK_UTF8CHAR;
++
++/* a BYTE-sized Boolean flag */
++typedef CK_BYTE           CK_BBOOL;
++
++/* an unsigned value, at least 32 bits long */
++typedef unsigned long int CK_ULONG;
++
++/* a signed value, the same size as a CK_ULONG */
++/* CK_LONG is new for v2.0 */
++typedef long int          CK_LONG;
++
++/* at least 32 bits; each bit is a Boolean flag */
++typedef CK_ULONG          CK_FLAGS;
++
++
++/* some special values for certain CK_ULONG variables */
++#define CK_UNAVAILABLE_INFORMATION (~0UL)
++#define CK_EFFECTIVELY_INFINITE    0
++
++
++typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
++typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
++typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
++typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
++typedef void        CK_PTR   CK_VOID_PTR;
++
++/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
++typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
++
++
++/* The following value is always invalid if used as a session */
++/* handle or object handle */
++#define CK_INVALID_HANDLE 0
++
++
++typedef struct CK_VERSION {
++  CK_BYTE       major;  /* integer portion of version number */
++  CK_BYTE       minor;  /* 1/100ths portion of version number */
++} CK_VERSION;
++
++typedef CK_VERSION CK_PTR CK_VERSION_PTR;
++
++
++typedef struct CK_INFO {
++  /* manufacturerID and libraryDecription have been changed from
++   * CK_CHAR to CK_UTF8CHAR for v2.10 */
++  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
++  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
++  CK_FLAGS      flags;               /* must be zero */
++
++  /* libraryDescription and libraryVersion are new for v2.0 */
++  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
++  CK_VERSION    libraryVersion;          /* version of library */
++} CK_INFO;
++
++typedef CK_INFO CK_PTR    CK_INFO_PTR;
++
++
++/* CK_NOTIFICATION enumerates the types of notifications that
++ * Cryptoki provides to an application */
++/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
++ * for v2.0 */
++typedef CK_ULONG CK_NOTIFICATION;
++#define CKN_SURRENDER       0
++
++/* The following notification is new for PKCS #11 v2.20 amendment 3 */
++#define CKN_OTP_CHANGED     1
++
++
++typedef CK_ULONG          CK_SLOT_ID;
++
++typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
++
++
++/* CK_SLOT_INFO provides information about a slot */
++typedef struct CK_SLOT_INFO {
++  /* slotDescription and manufacturerID have been changed from
++   * CK_CHAR to CK_UTF8CHAR for v2.10 */
++  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
++  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
++  CK_FLAGS      flags;
++
++  /* hardwareVersion and firmwareVersion are new for v2.0 */
++  CK_VERSION    hardwareVersion;  /* version of hardware */
++  CK_VERSION    firmwareVersion;  /* version of firmware */
++} CK_SLOT_INFO;
++
++/* flags: bit flags that provide capabilities of the slot
++ *      Bit Flag              Mask        Meaning
++ */
++#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
++#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
++#define CKF_HW_SLOT           0x00000004  /* hardware slot */
++
++typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
++
++
++/* CK_TOKEN_INFO provides information about a token */
++typedef struct CK_TOKEN_INFO {
++  /* label, manufacturerID, and model have been changed from
++   * CK_CHAR to CK_UTF8CHAR for v2.10 */
++  CK_UTF8CHAR   label[32];           /* blank padded */
++  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
++  CK_UTF8CHAR   model[16];           /* blank padded */
++  CK_CHAR       serialNumber[16];    /* blank padded */
++  CK_FLAGS      flags;               /* see below */
++
++  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
++   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
++   * changed from CK_USHORT to CK_ULONG for v2.0 */
++  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
++  CK_ULONG      ulSessionCount;        /* sess. now open */
++  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
++  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
++  CK_ULONG      ulMaxPinLen;           /* in bytes */
++  CK_ULONG      ulMinPinLen;           /* in bytes */
++  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
++  CK_ULONG      ulFreePublicMemory;    /* in bytes */
++  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
++  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
++
++  /* hardwareVersion, firmwareVersion, and time are new for
++   * v2.0 */
++  CK_VERSION    hardwareVersion;       /* version of hardware */
++  CK_VERSION    firmwareVersion;       /* version of firmware */
++  CK_CHAR       utcTime[16];           /* time */
++} CK_TOKEN_INFO;
++
++/* The flags parameter is defined as follows:
++ *      Bit Flag                    Mask        Meaning
++ */
++#define CKF_RNG                     0x00000001  /* has random #
++                                                 * generator */
++#define CKF_WRITE_PROTECTED         0x00000002  /* token is
++                                                 * write-
++                                                 * protected */
++#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
++                                                 * login */
++#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
++                                                 * PIN is set */
++
++/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
++ * that means that *every* time the state of cryptographic
++ * operations of a session is successfully saved, all keys
++ * needed to continue those operations are stored in the state */
++#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
++
++/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
++ * that the token has some sort of clock.  The time on that
++ * clock is returned in the token info structure */
++#define CKF_CLOCK_ON_TOKEN          0x00000040
++
++/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
++ * set, that means that there is some way for the user to login
++ * without sending a PIN through the Cryptoki library itself */
++#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
++
++/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
++ * that means that a single session with the token can perform
++ * dual simultaneous cryptographic operations (digest and
++ * encrypt; decrypt and digest; sign and encrypt; and decrypt
++ * and sign) */
++#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
++
++/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
++ * token has been initialized using C_InitializeToken or an
++ * equivalent mechanism outside the scope of PKCS #11.
++ * Calling C_InitializeToken when this flag is set will cause
++ * the token to be reinitialized. */
++#define CKF_TOKEN_INITIALIZED       0x00000400
++
++/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
++ * true, the token supports secondary authentication for
++ * private key objects. This flag is deprecated in v2.11 and
++   onwards. */
++#define CKF_SECONDARY_AUTHENTICATION  0x00000800
++
++/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
++ * incorrect user login PIN has been entered at least once
++ * since the last successful authentication. */
++#define CKF_USER_PIN_COUNT_LOW       0x00010000
++
++/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
++ * supplying an incorrect user PIN will it to become locked. */
++#define CKF_USER_PIN_FINAL_TRY       0x00020000
++
++/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
++ * user PIN has been locked. User login to the token is not
++ * possible. */
++#define CKF_USER_PIN_LOCKED          0x00040000
++
++/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
++ * the user PIN value is the default value set by token
++ * initialization or manufacturing, or the PIN has been
++ * expired by the card. */
++#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
++
++/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
++ * incorrect SO login PIN has been entered at least once since
++ * the last successful authentication. */
++#define CKF_SO_PIN_COUNT_LOW         0x00100000
++
++/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
++ * supplying an incorrect SO PIN will it to become locked. */
++#define CKF_SO_PIN_FINAL_TRY         0x00200000
++
++/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
++ * PIN has been locked. SO login to the token is not possible.
++ */
++#define CKF_SO_PIN_LOCKED            0x00400000
++
++/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
++ * the SO PIN value is the default value set by token
++ * initialization or manufacturing, or the PIN has been
++ * expired by the card. */
++#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
++
++typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
++
++
++/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
++ * identifies a session */
++typedef CK_ULONG          CK_SESSION_HANDLE;
++
++typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
++
++
++/* CK_USER_TYPE enumerates the types of Cryptoki users */
++/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG          CK_USER_TYPE;
++/* Security Officer */
++#define CKU_SO    0
++/* Normal user */
++#define CKU_USER  1
++/* Context specific (added in v2.20) */
++#define CKU_CONTEXT_SPECIFIC   2
++
++/* CK_STATE enumerates the session states */
++/* CK_STATE has been changed from an enum to a CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG          CK_STATE;
++#define CKS_RO_PUBLIC_SESSION  0
++#define CKS_RO_USER_FUNCTIONS  1
++#define CKS_RW_PUBLIC_SESSION  2
++#define CKS_RW_USER_FUNCTIONS  3
++#define CKS_RW_SO_FUNCTIONS    4
++
++
++/* CK_SESSION_INFO provides information about a session */
++typedef struct CK_SESSION_INFO {
++  CK_SLOT_ID    slotID;
++  CK_STATE      state;
++  CK_FLAGS      flags;          /* see below */
++
++  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
++   * v2.0 */
++  CK_ULONG      ulDeviceError;  /* device-dependent error code */
++} CK_SESSION_INFO;
++
++/* The flags are defined in the following table:
++ *      Bit Flag                Mask        Meaning
++ */
++#define CKF_RW_SESSION          0x00000002  /* session is r/w */
++#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
++
++typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
++
++
++/* CK_OBJECT_HANDLE is a token-specific identifier for an
++ * object  */
++typedef CK_ULONG          CK_OBJECT_HANDLE;
++
++typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
++
++
++/* CK_OBJECT_CLASS is a value that identifies the classes (or
++ * types) of objects that Cryptoki recognizes.  It is defined
++ * as follows: */
++/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG          CK_OBJECT_CLASS;
++
++/* The following classes of objects are defined: */
++/* CKO_HW_FEATURE is new for v2.10 */
++/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
++/* CKO_MECHANISM is new for v2.20 */
++#define CKO_DATA              0x00000000
++#define CKO_CERTIFICATE       0x00000001
++#define CKO_PUBLIC_KEY        0x00000002
++#define CKO_PRIVATE_KEY       0x00000003
++#define CKO_SECRET_KEY        0x00000004
++#define CKO_HW_FEATURE        0x00000005
++#define CKO_DOMAIN_PARAMETERS 0x00000006
++#define CKO_MECHANISM         0x00000007
++
++/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
++#define CKO_OTP_KEY           0x00000008
++
++#define CKO_VENDOR_DEFINED    0x80000000
++
++typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
++
++/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
++ * value that identifies the hardware feature type of an object
++ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
++typedef CK_ULONG          CK_HW_FEATURE_TYPE;
++
++/* The following hardware feature types are defined */
++/* CKH_USER_INTERFACE is new for v2.20 */
++#define CKH_MONOTONIC_COUNTER  0x00000001
++#define CKH_CLOCK           0x00000002
++#define CKH_USER_INTERFACE  0x00000003
++#define CKH_VENDOR_DEFINED  0x80000000
++
++/* CK_KEY_TYPE is a value that identifies a key type */
++/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
++typedef CK_ULONG          CK_KEY_TYPE;
++
++/* the following key types are defined: */
++#define CKK_RSA             0x00000000
++#define CKK_DSA             0x00000001
++#define CKK_DH              0x00000002
++
++/* CKK_ECDSA and CKK_KEA are new for v2.0 */
++/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
++#define CKK_ECDSA           0x00000003
++#define CKK_EC              0x00000003
++#define CKK_X9_42_DH        0x00000004
++#define CKK_KEA             0x00000005
++
++#define CKK_GENERIC_SECRET  0x00000010
++#define CKK_RC2             0x00000011
++#define CKK_RC4             0x00000012
++#define CKK_DES             0x00000013
++#define CKK_DES2            0x00000014
++#define CKK_DES3            0x00000015
++
++/* all these key types are new for v2.0 */
++#define CKK_CAST            0x00000016
++#define CKK_CAST3           0x00000017
++/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
++#define CKK_CAST5           0x00000018
++#define CKK_CAST128         0x00000018
++#define CKK_RC5             0x00000019
++#define CKK_IDEA            0x0000001A
++#define CKK_SKIPJACK        0x0000001B
++#define CKK_BATON           0x0000001C
++#define CKK_JUNIPER         0x0000001D
++#define CKK_CDMF            0x0000001E
++#define CKK_AES             0x0000001F
++
++/* BlowFish and TwoFish are new for v2.20 */
++#define CKK_BLOWFISH        0x00000020
++#define CKK_TWOFISH         0x00000021
++
++/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
++#define CKK_SECURID         0x00000022
++#define CKK_HOTP            0x00000023
++#define CKK_ACTI            0x00000024
++
++/* Camellia is new for PKCS #11 v2.20 amendment 3 */
++#define CKK_CAMELLIA                   0x00000025
++/* ARIA is new for PKCS #11 v2.20 amendment 3 */
++#define CKK_ARIA                       0x00000026
++
++
++#define CKK_VENDOR_DEFINED  0x80000000
++
++
++/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
++ * type */
++/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
++ * for v2.0 */
++typedef CK_ULONG          CK_CERTIFICATE_TYPE;
++
++/* The following certificate types are defined: */
++/* CKC_X_509_ATTR_CERT is new for v2.10 */
++/* CKC_WTLS is new for v2.20 */
++#define CKC_X_509           0x00000000
++#define CKC_X_509_ATTR_CERT 0x00000001
++#define CKC_WTLS            0x00000002
++#define CKC_VENDOR_DEFINED  0x80000000
++
++
++/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
++ * type */
++/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
++
++/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
++   consists of an array of values. */
++#define CKF_ARRAY_ATTRIBUTE    0x40000000
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
++   and relates to the CKA_OTP_FORMAT attribute */
++#define CK_OTP_FORMAT_DECIMAL      0
++#define CK_OTP_FORMAT_HEXADECIMAL  1
++#define CK_OTP_FORMAT_ALPHANUMERIC 2
++#define CK_OTP_FORMAT_BINARY       3
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
++   and relates to the CKA_OTP_..._REQUIREMENT attributes */
++#define CK_OTP_PARAM_IGNORED       0
++#define CK_OTP_PARAM_OPTIONAL      1
++#define CK_OTP_PARAM_MANDATORY     2
++
++/* The following attribute types are defined: */
++#define CKA_CLASS              0x00000000
++#define CKA_TOKEN              0x00000001
++#define CKA_PRIVATE            0x00000002
++#define CKA_LABEL              0x00000003
++#define CKA_APPLICATION        0x00000010
++#define CKA_VALUE              0x00000011
++
++/* CKA_OBJECT_ID is new for v2.10 */
++#define CKA_OBJECT_ID          0x00000012
++
++#define CKA_CERTIFICATE_TYPE   0x00000080
++#define CKA_ISSUER             0x00000081
++#define CKA_SERIAL_NUMBER      0x00000082
++
++/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
++ * for v2.10 */
++#define CKA_AC_ISSUER          0x00000083
++#define CKA_OWNER              0x00000084
++#define CKA_ATTR_TYPES         0x00000085
++
++/* CKA_TRUSTED is new for v2.11 */
++#define CKA_TRUSTED            0x00000086
++
++/* CKA_CERTIFICATE_CATEGORY ...
++ * CKA_CHECK_VALUE are new for v2.20 */
++#define CKA_CERTIFICATE_CATEGORY        0x00000087
++#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
++#define CKA_URL                         0x00000089
++#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
++#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
++#define CKA_CHECK_VALUE                 0x00000090
++
++#define CKA_KEY_TYPE           0x00000100
++#define CKA_SUBJECT            0x00000101
++#define CKA_ID                 0x00000102
++#define CKA_SENSITIVE          0x00000103
++#define CKA_ENCRYPT            0x00000104
++#define CKA_DECRYPT            0x00000105
++#define CKA_WRAP               0x00000106
++#define CKA_UNWRAP             0x00000107
++#define CKA_SIGN               0x00000108
++#define CKA_SIGN_RECOVER       0x00000109
++#define CKA_VERIFY             0x0000010A
++#define CKA_VERIFY_RECOVER     0x0000010B
++#define CKA_DERIVE             0x0000010C
++#define CKA_START_DATE         0x00000110
++#define CKA_END_DATE           0x00000111
++#define CKA_MODULUS            0x00000120
++#define CKA_MODULUS_BITS       0x00000121
++#define CKA_PUBLIC_EXPONENT    0x00000122
++#define CKA_PRIVATE_EXPONENT   0x00000123
++#define CKA_PRIME_1            0x00000124
++#define CKA_PRIME_2            0x00000125
++#define CKA_EXPONENT_1         0x00000126
++#define CKA_EXPONENT_2         0x00000127
++#define CKA_COEFFICIENT        0x00000128
++#define CKA_PRIME              0x00000130
++#define CKA_SUBPRIME           0x00000131
++#define CKA_BASE               0x00000132
++
++/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
++#define CKA_PRIME_BITS         0x00000133
++#define CKA_SUBPRIME_BITS      0x00000134
++#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
++/* (To retain backwards-compatibility) */
++
++#define CKA_VALUE_BITS         0x00000160
++#define CKA_VALUE_LEN          0x00000161
++
++/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
++ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
++ * and CKA_EC_POINT are new for v2.0 */
++#define CKA_EXTRACTABLE        0x00000162
++#define CKA_LOCAL              0x00000163
++#define CKA_NEVER_EXTRACTABLE  0x00000164
++#define CKA_ALWAYS_SENSITIVE   0x00000165
++
++/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
++#define CKA_KEY_GEN_MECHANISM  0x00000166
++
++#define CKA_MODIFIABLE         0x00000170
++
++/* CKA_ECDSA_PARAMS is deprecated in v2.11,
++ * CKA_EC_PARAMS is preferred. */
++#define CKA_ECDSA_PARAMS       0x00000180
++#define CKA_EC_PARAMS          0x00000180
++
++#define CKA_EC_POINT           0x00000181
++
++/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
++ * are new for v2.10. Deprecated in v2.11 and onwards. */
++#define CKA_SECONDARY_AUTH     0x00000200
++#define CKA_AUTH_PIN_FLAGS     0x00000201
++
++/* CKA_ALWAYS_AUTHENTICATE ...
++ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
++#define CKA_ALWAYS_AUTHENTICATE  0x00000202
++
++#define CKA_WRAP_WITH_TRUSTED    0x00000210
++#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
++#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
++
++/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
++#define CKA_OTP_FORMAT                0x00000220
++#define CKA_OTP_LENGTH                0x00000221
++#define CKA_OTP_TIME_INTERVAL         0x00000222
++#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223
++#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
++#define CKA_OTP_TIME_REQUIREMENT      0x00000225
++#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226
++#define CKA_OTP_PIN_REQUIREMENT       0x00000227
++#define CKA_OTP_COUNTER               0x0000022E
++#define CKA_OTP_TIME                  0x0000022F
++#define CKA_OTP_USER_IDENTIFIER       0x0000022A
++#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022B
++#define CKA_OTP_SERVICE_LOGO          0x0000022C
++#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022D
++
++
++/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
++ * are new for v2.10 */
++#define CKA_HW_FEATURE_TYPE    0x00000300
++#define CKA_RESET_ON_INIT      0x00000301
++#define CKA_HAS_RESET          0x00000302
++
++/* The following attributes are new for v2.20 */
++#define CKA_PIXEL_X                     0x00000400
++#define CKA_PIXEL_Y                     0x00000401
++#define CKA_RESOLUTION                  0x00000402
++#define CKA_CHAR_ROWS                   0x00000403
++#define CKA_CHAR_COLUMNS                0x00000404
++#define CKA_COLOR                       0x00000405
++#define CKA_BITS_PER_PIXEL              0x00000406
++#define CKA_CHAR_SETS                   0x00000480
++#define CKA_ENCODING_METHODS            0x00000481
++#define CKA_MIME_TYPES                  0x00000482
++#define CKA_MECHANISM_TYPE              0x00000500
++#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
++#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
++#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
++#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
++
++#define CKA_VENDOR_DEFINED     0x80000000
++
++/* CK_ATTRIBUTE is a structure that includes the type, length
++ * and value of an attribute */
++typedef struct CK_ATTRIBUTE {
++  CK_ATTRIBUTE_TYPE type;
++  CK_VOID_PTR       pValue;
++
++  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
++  CK_ULONG          ulValueLen;  /* in bytes */
++} CK_ATTRIBUTE;
++
++typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
++
++
++/* CK_DATE is a structure that defines a date */
++typedef struct CK_DATE{
++  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
++  CK_CHAR       month[2];  /* the month ("01" - "12") */
++  CK_CHAR       day[2];    /* the day   ("01" - "31") */
++} CK_DATE;
++
++
++/* CK_MECHANISM_TYPE is a value that identifies a mechanism
++ * type */
++/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG          CK_MECHANISM_TYPE;
++
++/* the following mechanism types are defined: */
++#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
++#define CKM_RSA_PKCS                   0x00000001
++#define CKM_RSA_9796                   0x00000002
++#define CKM_RSA_X_509                  0x00000003
++
++/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
++ * are new for v2.0.  They are mechanisms which hash and sign */
++#define CKM_MD2_RSA_PKCS               0x00000004
++#define CKM_MD5_RSA_PKCS               0x00000005
++#define CKM_SHA1_RSA_PKCS              0x00000006
++
++/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
++ * CKM_RSA_PKCS_OAEP are new for v2.10 */
++#define CKM_RIPEMD128_RSA_PKCS         0x00000007
++#define CKM_RIPEMD160_RSA_PKCS         0x00000008
++#define CKM_RSA_PKCS_OAEP              0x00000009
++
++/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
++ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
++#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
++#define CKM_RSA_X9_31                  0x0000000B
++#define CKM_SHA1_RSA_X9_31             0x0000000C
++#define CKM_RSA_PKCS_PSS               0x0000000D
++#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
++
++#define CKM_DSA_KEY_PAIR_GEN           0x00000010
++#define CKM_DSA                        0x00000011
++#define CKM_DSA_SHA1                   0x00000012
++#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
++#define CKM_DH_PKCS_DERIVE             0x00000021
++
++/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
++ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
++ * v2.11 */
++#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
++#define CKM_X9_42_DH_DERIVE            0x00000031
++#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
++#define CKM_X9_42_MQV_DERIVE           0x00000033
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256_RSA_PKCS            0x00000040
++#define CKM_SHA384_RSA_PKCS            0x00000041
++#define CKM_SHA512_RSA_PKCS            0x00000042
++#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
++#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
++#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
++
++/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224_RSA_PKCS            0x00000046
++#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
++
++#define CKM_RC2_KEY_GEN                0x00000100
++#define CKM_RC2_ECB                    0x00000101
++#define CKM_RC2_CBC                    0x00000102
++#define CKM_RC2_MAC                    0x00000103
++
++/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
++#define CKM_RC2_MAC_GENERAL            0x00000104
++#define CKM_RC2_CBC_PAD                0x00000105
++
++#define CKM_RC4_KEY_GEN                0x00000110
++#define CKM_RC4                        0x00000111
++#define CKM_DES_KEY_GEN                0x00000120
++#define CKM_DES_ECB                    0x00000121
++#define CKM_DES_CBC                    0x00000122
++#define CKM_DES_MAC                    0x00000123
++
++/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
++#define CKM_DES_MAC_GENERAL            0x00000124
++#define CKM_DES_CBC_PAD                0x00000125
++
++#define CKM_DES2_KEY_GEN               0x00000130
++#define CKM_DES3_KEY_GEN               0x00000131
++#define CKM_DES3_ECB                   0x00000132
++#define CKM_DES3_CBC                   0x00000133
++#define CKM_DES3_MAC                   0x00000134
++
++/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
++ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
++ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
++#define CKM_DES3_MAC_GENERAL           0x00000135
++#define CKM_DES3_CBC_PAD               0x00000136
++#define CKM_CDMF_KEY_GEN               0x00000140
++#define CKM_CDMF_ECB                   0x00000141
++#define CKM_CDMF_CBC                   0x00000142
++#define CKM_CDMF_MAC                   0x00000143
++#define CKM_CDMF_MAC_GENERAL           0x00000144
++#define CKM_CDMF_CBC_PAD               0x00000145
++
++/* the following four DES mechanisms are new for v2.20 */
++#define CKM_DES_OFB64                  0x00000150
++#define CKM_DES_OFB8                   0x00000151
++#define CKM_DES_CFB64                  0x00000152
++#define CKM_DES_CFB8                   0x00000153
++
++#define CKM_MD2                        0x00000200
++
++/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
++#define CKM_MD2_HMAC                   0x00000201
++#define CKM_MD2_HMAC_GENERAL           0x00000202
++
++#define CKM_MD5                        0x00000210
++
++/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
++#define CKM_MD5_HMAC                   0x00000211
++#define CKM_MD5_HMAC_GENERAL           0x00000212
++
++#define CKM_SHA_1                      0x00000220
++
++/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
++#define CKM_SHA_1_HMAC                 0x00000221
++#define CKM_SHA_1_HMAC_GENERAL         0x00000222
++
++/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
++ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
++ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
++#define CKM_RIPEMD128                  0x00000230
++#define CKM_RIPEMD128_HMAC             0x00000231
++#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
++#define CKM_RIPEMD160                  0x00000240
++#define CKM_RIPEMD160_HMAC             0x00000241
++#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256                     0x00000250
++#define CKM_SHA256_HMAC                0x00000251
++#define CKM_SHA256_HMAC_GENERAL        0x00000252
++
++/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224                     0x00000255
++#define CKM_SHA224_HMAC                0x00000256
++#define CKM_SHA224_HMAC_GENERAL        0x00000257
++
++#define CKM_SHA384                     0x00000260
++#define CKM_SHA384_HMAC                0x00000261
++#define CKM_SHA384_HMAC_GENERAL        0x00000262
++#define CKM_SHA512                     0x00000270
++#define CKM_SHA512_HMAC                0x00000271
++#define CKM_SHA512_HMAC_GENERAL        0x00000272
++
++/* SecurID is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_SECURID_KEY_GEN            0x00000280
++#define CKM_SECURID                    0x00000282
++
++/* HOTP is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_HOTP_KEY_GEN    0x00000290
++#define CKM_HOTP            0x00000291
++
++/* ACTI is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_ACTI            0x000002A0
++#define CKM_ACTI_KEY_GEN    0x000002A1
++
++/* All of the following mechanisms are new for v2.0 */
++/* Note that CAST128 and CAST5 are the same algorithm */
++#define CKM_CAST_KEY_GEN               0x00000300
++#define CKM_CAST_ECB                   0x00000301
++#define CKM_CAST_CBC                   0x00000302
++#define CKM_CAST_MAC                   0x00000303
++#define CKM_CAST_MAC_GENERAL           0x00000304
++#define CKM_CAST_CBC_PAD               0x00000305
++#define CKM_CAST3_KEY_GEN              0x00000310
++#define CKM_CAST3_ECB                  0x00000311
++#define CKM_CAST3_CBC                  0x00000312
++#define CKM_CAST3_MAC                  0x00000313
++#define CKM_CAST3_MAC_GENERAL          0x00000314
++#define CKM_CAST3_CBC_PAD              0x00000315
++#define CKM_CAST5_KEY_GEN              0x00000320
++#define CKM_CAST128_KEY_GEN            0x00000320
++#define CKM_CAST5_ECB                  0x00000321
++#define CKM_CAST128_ECB                0x00000321
++#define CKM_CAST5_CBC                  0x00000322
++#define CKM_CAST128_CBC                0x00000322
++#define CKM_CAST5_MAC                  0x00000323
++#define CKM_CAST128_MAC                0x00000323
++#define CKM_CAST5_MAC_GENERAL          0x00000324
++#define CKM_CAST128_MAC_GENERAL        0x00000324
++#define CKM_CAST5_CBC_PAD              0x00000325
++#define CKM_CAST128_CBC_PAD            0x00000325
++#define CKM_RC5_KEY_GEN                0x00000330
++#define CKM_RC5_ECB                    0x00000331
++#define CKM_RC5_CBC                    0x00000332
++#define CKM_RC5_MAC                    0x00000333
++#define CKM_RC5_MAC_GENERAL            0x00000334
++#define CKM_RC5_CBC_PAD                0x00000335
++#define CKM_IDEA_KEY_GEN               0x00000340
++#define CKM_IDEA_ECB                   0x00000341
++#define CKM_IDEA_CBC                   0x00000342
++#define CKM_IDEA_MAC                   0x00000343
++#define CKM_IDEA_MAC_GENERAL           0x00000344
++#define CKM_IDEA_CBC_PAD               0x00000345
++#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
++#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
++#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
++#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
++#define CKM_XOR_BASE_AND_DATA          0x00000364
++#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
++#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
++#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
++#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
++
++/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
++ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
++ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
++#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
++#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
++#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
++#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
++#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
++
++/* CKM_TLS_PRF is new for v2.20 */
++#define CKM_TLS_PRF                    0x00000378
++
++#define CKM_SSL3_MD5_MAC               0x00000380
++#define CKM_SSL3_SHA1_MAC              0x00000381
++#define CKM_MD5_KEY_DERIVATION         0x00000390
++#define CKM_MD2_KEY_DERIVATION         0x00000391
++#define CKM_SHA1_KEY_DERIVATION        0x00000392
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256_KEY_DERIVATION      0x00000393
++#define CKM_SHA384_KEY_DERIVATION      0x00000394
++#define CKM_SHA512_KEY_DERIVATION      0x00000395
++
++/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224_KEY_DERIVATION      0x00000396
++
++#define CKM_PBE_MD2_DES_CBC            0x000003A0
++#define CKM_PBE_MD5_DES_CBC            0x000003A1
++#define CKM_PBE_MD5_CAST_CBC           0x000003A2
++#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
++#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
++#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
++#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
++#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
++#define CKM_PBE_SHA1_RC4_128           0x000003A6
++#define CKM_PBE_SHA1_RC4_40            0x000003A7
++#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
++#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
++#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
++#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
++
++/* CKM_PKCS5_PBKD2 is new for v2.10 */
++#define CKM_PKCS5_PBKD2                0x000003B0
++
++#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
++
++/* WTLS mechanisms are new for v2.20 */
++#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
++#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
++#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
++#define CKM_WTLS_PRF                        0x000003D3
++#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
++#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
++
++#define CKM_KEY_WRAP_LYNKS             0x00000400
++#define CKM_KEY_WRAP_SET_OAEP          0x00000401
++
++/* CKM_CMS_SIG is new for v2.20 */
++#define CKM_CMS_SIG                    0x00000500
++
++/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
++#define CKM_KIP_DERIVE                 0x00000510
++#define CKM_KIP_WRAP                   0x00000511
++#define CKM_KIP_MAC                    0x00000512
++
++/* Camellia is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_CAMELLIA_KEY_GEN           0x00000550
++#define CKM_CAMELLIA_ECB               0x00000551
++#define CKM_CAMELLIA_CBC               0x00000552
++#define CKM_CAMELLIA_MAC               0x00000553
++#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
++#define CKM_CAMELLIA_CBC_PAD           0x00000555
++#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
++#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
++#define CKM_CAMELLIA_CTR               0x00000558
++
++/* ARIA is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_ARIA_KEY_GEN               0x00000560
++#define CKM_ARIA_ECB                   0x00000561
++#define CKM_ARIA_CBC                   0x00000562
++#define CKM_ARIA_MAC                   0x00000563
++#define CKM_ARIA_MAC_GENERAL           0x00000564
++#define CKM_ARIA_CBC_PAD               0x00000565
++#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
++#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
++
++/* Fortezza mechanisms */
++#define CKM_SKIPJACK_KEY_GEN           0x00001000
++#define CKM_SKIPJACK_ECB64             0x00001001
++#define CKM_SKIPJACK_CBC64             0x00001002
++#define CKM_SKIPJACK_OFB64             0x00001003
++#define CKM_SKIPJACK_CFB64             0x00001004
++#define CKM_SKIPJACK_CFB32             0x00001005
++#define CKM_SKIPJACK_CFB16             0x00001006
++#define CKM_SKIPJACK_CFB8              0x00001007
++#define CKM_SKIPJACK_WRAP              0x00001008
++#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
++#define CKM_SKIPJACK_RELAYX            0x0000100a
++#define CKM_KEA_KEY_PAIR_GEN           0x00001010
++#define CKM_KEA_KEY_DERIVE             0x00001011
++#define CKM_FORTEZZA_TIMESTAMP         0x00001020
++#define CKM_BATON_KEY_GEN              0x00001030
++#define CKM_BATON_ECB128               0x00001031
++#define CKM_BATON_ECB96                0x00001032
++#define CKM_BATON_CBC128               0x00001033
++#define CKM_BATON_COUNTER              0x00001034
++#define CKM_BATON_SHUFFLE              0x00001035
++#define CKM_BATON_WRAP                 0x00001036
++
++/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
++ * CKM_EC_KEY_PAIR_GEN is preferred */
++#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
++#define CKM_EC_KEY_PAIR_GEN            0x00001040
++
++#define CKM_ECDSA                      0x00001041
++#define CKM_ECDSA_SHA1                 0x00001042
++
++/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
++ * are new for v2.11 */
++#define CKM_ECDH1_DERIVE               0x00001050
++#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
++#define CKM_ECMQV_DERIVE               0x00001052
++
++#define CKM_JUNIPER_KEY_GEN            0x00001060
++#define CKM_JUNIPER_ECB128             0x00001061
++#define CKM_JUNIPER_CBC128             0x00001062
++#define CKM_JUNIPER_COUNTER            0x00001063
++#define CKM_JUNIPER_SHUFFLE            0x00001064
++#define CKM_JUNIPER_WRAP               0x00001065
++#define CKM_FASTHASH                   0x00001070
++
++/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
++ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
++ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
++ * new for v2.11 */
++#define CKM_AES_KEY_GEN                0x00001080
++#define CKM_AES_ECB                    0x00001081
++#define CKM_AES_CBC                    0x00001082
++#define CKM_AES_MAC                    0x00001083
++#define CKM_AES_MAC_GENERAL            0x00001084
++#define CKM_AES_CBC_PAD                0x00001085
++
++/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_AES_CTR                    0x00001086
++
++/* BlowFish and TwoFish are new for v2.20 */
++#define CKM_BLOWFISH_KEY_GEN           0x00001090
++#define CKM_BLOWFISH_CBC               0x00001091
++#define CKM_TWOFISH_KEY_GEN            0x00001092
++#define CKM_TWOFISH_CBC                0x00001093
++
++
++/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
++#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
++#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
++#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
++#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
++#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
++#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
++
++#define CKM_DSA_PARAMETER_GEN          0x00002000
++#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
++#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
++
++#define CKM_VENDOR_DEFINED             0x80000000
++
++typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
++
++
++/* CK_MECHANISM is a structure that specifies a particular
++ * mechanism  */
++typedef struct CK_MECHANISM {
++  CK_MECHANISM_TYPE mechanism;
++  CK_VOID_PTR       pParameter;
++
++  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
++   * v2.0 */
++  CK_ULONG          ulParameterLen;  /* in bytes */
++} CK_MECHANISM;
++
++typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
++
++
++/* CK_MECHANISM_INFO provides information about a particular
++ * mechanism */
++typedef struct CK_MECHANISM_INFO {
++    CK_ULONG    ulMinKeySize;
++    CK_ULONG    ulMaxKeySize;
++    CK_FLAGS    flags;
++} CK_MECHANISM_INFO;
++
++/* The flags are defined as follows:
++ *      Bit Flag               Mask        Meaning */
++#define CKF_HW                 0x00000001  /* performed by HW */
++
++/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
++ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
++ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
++ * and CKF_DERIVE are new for v2.0.  They specify whether or not
++ * a mechanism can be used for a particular task */
++#define CKF_ENCRYPT            0x00000100
++#define CKF_DECRYPT            0x00000200
++#define CKF_DIGEST             0x00000400
++#define CKF_SIGN               0x00000800
++#define CKF_SIGN_RECOVER       0x00001000
++#define CKF_VERIFY             0x00002000
++#define CKF_VERIFY_RECOVER     0x00004000
++#define CKF_GENERATE           0x00008000
++#define CKF_GENERATE_KEY_PAIR  0x00010000
++#define CKF_WRAP               0x00020000
++#define CKF_UNWRAP             0x00040000
++#define CKF_DERIVE             0x00080000
++
++/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
++ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
++ * describe a token's EC capabilities not available in mechanism
++ * information. */
++#define CKF_EC_F_P             0x00100000
++#define CKF_EC_F_2M            0x00200000
++#define CKF_EC_ECPARAMETERS    0x00400000
++#define CKF_EC_NAMEDCURVE      0x00800000
++#define CKF_EC_UNCOMPRESS      0x01000000
++#define CKF_EC_COMPRESS        0x02000000
++
++#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
++
++typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
++
++
++/* CK_RV is a value that identifies the return value of a
++ * Cryptoki function */
++/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
++typedef CK_ULONG          CK_RV;
++
++#define CKR_OK                                0x00000000
++#define CKR_CANCEL                            0x00000001
++#define CKR_HOST_MEMORY                       0x00000002
++#define CKR_SLOT_ID_INVALID                   0x00000003
++
++/* CKR_FLAGS_INVALID was removed for v2.0 */
++
++/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
++#define CKR_GENERAL_ERROR                     0x00000005
++#define CKR_FUNCTION_FAILED                   0x00000006
++
++/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
++ * and CKR_CANT_LOCK are new for v2.01 */
++#define CKR_ARGUMENTS_BAD                     0x00000007
++#define CKR_NO_EVENT                          0x00000008
++#define CKR_NEED_TO_CREATE_THREADS            0x00000009
++#define CKR_CANT_LOCK                         0x0000000A
++
++#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
++#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
++#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
++#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
++#define CKR_DATA_INVALID                      0x00000020
++#define CKR_DATA_LEN_RANGE                    0x00000021
++#define CKR_DEVICE_ERROR                      0x00000030
++#define CKR_DEVICE_MEMORY                     0x00000031
++#define CKR_DEVICE_REMOVED                    0x00000032
++#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
++#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
++#define CKR_FUNCTION_CANCELED                 0x00000050
++#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
++
++/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
++#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
++
++#define CKR_KEY_HANDLE_INVALID                0x00000060
++
++/* CKR_KEY_SENSITIVE was removed for v2.0 */
++
++#define CKR_KEY_SIZE_RANGE                    0x00000062
++#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
++
++/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
++ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
++ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
++ * v2.0 */
++#define CKR_KEY_NOT_NEEDED                    0x00000064
++#define CKR_KEY_CHANGED                       0x00000065
++#define CKR_KEY_NEEDED                        0x00000066
++#define CKR_KEY_INDIGESTIBLE                  0x00000067
++#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
++#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
++#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
++
++#define CKR_MECHANISM_INVALID                 0x00000070
++#define CKR_MECHANISM_PARAM_INVALID           0x00000071
++
++/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
++ * were removed for v2.0 */
++#define CKR_OBJECT_HANDLE_INVALID             0x00000082
++#define CKR_OPERATION_ACTIVE                  0x00000090
++#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
++#define CKR_PIN_INCORRECT                     0x000000A0
++#define CKR_PIN_INVALID                       0x000000A1
++#define CKR_PIN_LEN_RANGE                     0x000000A2
++
++/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
++#define CKR_PIN_EXPIRED                       0x000000A3
++#define CKR_PIN_LOCKED                        0x000000A4
++
++#define CKR_SESSION_CLOSED                    0x000000B0
++#define CKR_SESSION_COUNT                     0x000000B1
++#define CKR_SESSION_HANDLE_INVALID            0x000000B3
++#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
++#define CKR_SESSION_READ_ONLY                 0x000000B5
++#define CKR_SESSION_EXISTS                    0x000000B6
++
++/* CKR_SESSION_READ_ONLY_EXISTS and
++ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
++#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
++#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
++
++#define CKR_SIGNATURE_INVALID                 0x000000C0
++#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
++#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
++#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
++#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
++#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
++#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
++#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
++#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
++#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
++#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
++#define CKR_USER_NOT_LOGGED_IN                0x00000101
++#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
++#define CKR_USER_TYPE_INVALID                 0x00000103
++
++/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
++ * are new to v2.01 */
++#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
++#define CKR_USER_TOO_MANY_TYPES               0x00000105
++
++#define CKR_WRAPPED_KEY_INVALID               0x00000110
++#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
++#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
++#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
++#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
++#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
++
++/* These are new to v2.0 */
++#define CKR_RANDOM_NO_RNG                     0x00000121
++
++/* These are new to v2.11 */
++#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
++
++/* These are new to v2.0 */
++#define CKR_BUFFER_TOO_SMALL                  0x00000150
++#define CKR_SAVED_STATE_INVALID               0x00000160
++#define CKR_INFORMATION_SENSITIVE             0x00000170
++#define CKR_STATE_UNSAVEABLE                  0x00000180
++
++/* These are new to v2.01 */
++#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
++#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
++#define CKR_MUTEX_BAD                         0x000001A0
++#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
++
++/* The following return values are new for PKCS #11 v2.20 amendment 3 */
++#define CKR_NEW_PIN_MODE                      0x000001B0
++#define CKR_NEXT_OTP                          0x000001B1
++
++/* This is new to v2.20 */
++#define CKR_FUNCTION_REJECTED                 0x00000200
++
++#define CKR_VENDOR_DEFINED                    0x80000000
++
++
++/* CK_NOTIFY is an application callback that processes events */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
++  CK_SESSION_HANDLE hSession,     /* the session's handle */
++  CK_NOTIFICATION   event,
++  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
++);
++
++
++/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
++ * version and pointers of appropriate types to all the
++ * Cryptoki functions */
++/* CK_FUNCTION_LIST is new for v2.0 */
++typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
++
++typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
++
++typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
++
++
++/* CK_CREATEMUTEX is an application callback for creating a
++ * mutex object */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
++  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
++);
++
++
++/* CK_DESTROYMUTEX is an application callback for destroying a
++ * mutex object */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
++  CK_VOID_PTR pMutex  /* pointer to mutex */
++);
++
++
++/* CK_LOCKMUTEX is an application callback for locking a mutex */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
++  CK_VOID_PTR pMutex  /* pointer to mutex */
++);
++
++
++/* CK_UNLOCKMUTEX is an application callback for unlocking a
++ * mutex */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
++  CK_VOID_PTR pMutex  /* pointer to mutex */
++);
++
++
++/* CK_C_INITIALIZE_ARGS provides the optional arguments to
++ * C_Initialize */
++typedef struct CK_C_INITIALIZE_ARGS {
++  CK_CREATEMUTEX CreateMutex;
++  CK_DESTROYMUTEX DestroyMutex;
++  CK_LOCKMUTEX LockMutex;
++  CK_UNLOCKMUTEX UnlockMutex;
++  CK_FLAGS flags;
++  CK_VOID_PTR pReserved;
++} CK_C_INITIALIZE_ARGS;
++
++/* flags: bit flags that provide capabilities of the slot
++ *      Bit Flag                           Mask       Meaning
++ */
++#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
++#define CKF_OS_LOCKING_OK                  0x00000002
++
++typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
++
++
++/* additional flags for parameters to functions */
++
++/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
++#define CKF_DONT_BLOCK     1
++
++/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
++ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
++ * Generation Function (MGF) applied to a message block when
++ * formatting a message block for the PKCS #1 OAEP encryption
++ * scheme. */
++typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
++
++typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
++
++/* The following MGFs are defined */
++/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
++ * are new for v2.20 */
++#define CKG_MGF1_SHA1         0x00000001
++#define CKG_MGF1_SHA256       0x00000002
++#define CKG_MGF1_SHA384       0x00000003
++#define CKG_MGF1_SHA512       0x00000004
++/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
++#define CKG_MGF1_SHA224       0x00000005
++
++/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
++ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
++ * of the encoding parameter when formatting a message block
++ * for the PKCS #1 OAEP encryption scheme. */
++typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
++
++typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
++
++/* The following encoding parameter sources are defined */
++#define CKZ_DATA_SPECIFIED    0x00000001
++
++/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
++ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
++ * CKM_RSA_PKCS_OAEP mechanism. */
++typedef struct CK_RSA_PKCS_OAEP_PARAMS {
++        CK_MECHANISM_TYPE hashAlg;
++        CK_RSA_PKCS_MGF_TYPE mgf;
++        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
++        CK_VOID_PTR pSourceData;
++        CK_ULONG ulSourceDataLen;
++} CK_RSA_PKCS_OAEP_PARAMS;
++
++typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
++
++/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
++ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
++ * CKM_RSA_PKCS_PSS mechanism(s). */
++typedef struct CK_RSA_PKCS_PSS_PARAMS {
++        CK_MECHANISM_TYPE    hashAlg;
++        CK_RSA_PKCS_MGF_TYPE mgf;
++        CK_ULONG             sLen;
++} CK_RSA_PKCS_PSS_PARAMS;
++
++typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
++
++/* CK_EC_KDF_TYPE is new for v2.11. */
++typedef CK_ULONG CK_EC_KDF_TYPE;
++
++/* The following EC Key Derivation Functions are defined */
++#define CKD_NULL                 0x00000001
++#define CKD_SHA1_KDF             0x00000002
++
++/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
++ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
++ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
++ * where each party contributes one key pair.
++ */
++typedef struct CK_ECDH1_DERIVE_PARAMS {
++  CK_EC_KDF_TYPE kdf;
++  CK_ULONG ulSharedDataLen;
++  CK_BYTE_PTR pSharedData;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++} CK_ECDH1_DERIVE_PARAMS;
++
++typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
++
++
++/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
++ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
++ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
++typedef struct CK_ECDH2_DERIVE_PARAMS {
++  CK_EC_KDF_TYPE kdf;
++  CK_ULONG ulSharedDataLen;
++  CK_BYTE_PTR pSharedData;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++  CK_ULONG ulPrivateDataLen;
++  CK_OBJECT_HANDLE hPrivateData;
++  CK_ULONG ulPublicDataLen2;
++  CK_BYTE_PTR pPublicData2;
++} CK_ECDH2_DERIVE_PARAMS;
++
++typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
++
++typedef struct CK_ECMQV_DERIVE_PARAMS {
++  CK_EC_KDF_TYPE kdf;
++  CK_ULONG ulSharedDataLen;
++  CK_BYTE_PTR pSharedData;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++  CK_ULONG ulPrivateDataLen;
++  CK_OBJECT_HANDLE hPrivateData;
++  CK_ULONG ulPublicDataLen2;
++  CK_BYTE_PTR pPublicData2;
++  CK_OBJECT_HANDLE publicKey;
++} CK_ECMQV_DERIVE_PARAMS;
++
++typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
++
++/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
++ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
++typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
++typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
++
++/* The following X9.42 DH key derivation functions are defined
++   (besides CKD_NULL already defined : */
++#define CKD_SHA1_KDF_ASN1        0x00000003
++#define CKD_SHA1_KDF_CONCATENATE 0x00000004
++
++/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
++ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
++ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
++ * contributes one key pair */
++typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
++  CK_X9_42_DH_KDF_TYPE kdf;
++  CK_ULONG ulOtherInfoLen;
++  CK_BYTE_PTR pOtherInfo;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++} CK_X9_42_DH1_DERIVE_PARAMS;
++
++typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
++
++/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
++ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
++ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
++ * mechanisms, where each party contributes two key pairs */
++typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
++  CK_X9_42_DH_KDF_TYPE kdf;
++  CK_ULONG ulOtherInfoLen;
++  CK_BYTE_PTR pOtherInfo;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++  CK_ULONG ulPrivateDataLen;
++  CK_OBJECT_HANDLE hPrivateData;
++  CK_ULONG ulPublicDataLen2;
++  CK_BYTE_PTR pPublicData2;
++} CK_X9_42_DH2_DERIVE_PARAMS;
++
++typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
++
++typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
++  CK_X9_42_DH_KDF_TYPE kdf;
++  CK_ULONG ulOtherInfoLen;
++  CK_BYTE_PTR pOtherInfo;
++  CK_ULONG ulPublicDataLen;
++  CK_BYTE_PTR pPublicData;
++  CK_ULONG ulPrivateDataLen;
++  CK_OBJECT_HANDLE hPrivateData;
++  CK_ULONG ulPublicDataLen2;
++  CK_BYTE_PTR pPublicData2;
++  CK_OBJECT_HANDLE publicKey;
++} CK_X9_42_MQV_DERIVE_PARAMS;
++
++typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
++
++/* CK_KEA_DERIVE_PARAMS provides the parameters to the
++ * CKM_KEA_DERIVE mechanism */
++/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
++typedef struct CK_KEA_DERIVE_PARAMS {
++  CK_BBOOL      isSender;
++  CK_ULONG      ulRandomLen;
++  CK_BYTE_PTR   pRandomA;
++  CK_BYTE_PTR   pRandomB;
++  CK_ULONG      ulPublicDataLen;
++  CK_BYTE_PTR   pPublicData;
++} CK_KEA_DERIVE_PARAMS;
++
++typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
++
++
++/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
++ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
++ * holds the effective keysize */
++typedef CK_ULONG          CK_RC2_PARAMS;
++
++typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
++
++
++/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
++ * mechanism */
++typedef struct CK_RC2_CBC_PARAMS {
++  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
++   * v2.0 */
++  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
++
++  CK_BYTE       iv[8];            /* IV for CBC mode */
++} CK_RC2_CBC_PARAMS;
++
++typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
++
++
++/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
++ * CKM_RC2_MAC_GENERAL mechanism */
++/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef struct CK_RC2_MAC_GENERAL_PARAMS {
++  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
++  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
++} CK_RC2_MAC_GENERAL_PARAMS;
++
++typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
++  CK_RC2_MAC_GENERAL_PARAMS_PTR;
++
++
++/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
++ * CKM_RC5_MAC mechanisms */
++/* CK_RC5_PARAMS is new for v2.0 */
++typedef struct CK_RC5_PARAMS {
++  CK_ULONG      ulWordsize;  /* wordsize in bits */
++  CK_ULONG      ulRounds;    /* number of rounds */
++} CK_RC5_PARAMS;
++
++typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
++
++
++/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
++ * mechanism */
++/* CK_RC5_CBC_PARAMS is new for v2.0 */
++typedef struct CK_RC5_CBC_PARAMS {
++  CK_ULONG      ulWordsize;  /* wordsize in bits */
++  CK_ULONG      ulRounds;    /* number of rounds */
++  CK_BYTE_PTR   pIv;         /* pointer to IV */
++  CK_ULONG      ulIvLen;     /* length of IV in bytes */
++} CK_RC5_CBC_PARAMS;
++
++typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
++
++
++/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
++ * CKM_RC5_MAC_GENERAL mechanism */
++/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef struct CK_RC5_MAC_GENERAL_PARAMS {
++  CK_ULONG      ulWordsize;   /* wordsize in bits */
++  CK_ULONG      ulRounds;     /* number of rounds */
++  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
++} CK_RC5_MAC_GENERAL_PARAMS;
++
++typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
++  CK_RC5_MAC_GENERAL_PARAMS_PTR;
++
++
++/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
++ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
++ * the MAC */
++/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
++
++typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
++
++/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
++typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
++  CK_BYTE      iv[8];
++  CK_BYTE_PTR  pData;
++  CK_ULONG     length;
++} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
++  CK_BYTE      iv[16];
++  CK_BYTE_PTR  pData;
++  CK_ULONG     length;
++} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
++ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
++/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
++typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
++  CK_ULONG      ulPasswordLen;
++  CK_BYTE_PTR   pPassword;
++  CK_ULONG      ulPublicDataLen;
++  CK_BYTE_PTR   pPublicData;
++  CK_ULONG      ulPAndGLen;
++  CK_ULONG      ulQLen;
++  CK_ULONG      ulRandomLen;
++  CK_BYTE_PTR   pRandomA;
++  CK_BYTE_PTR   pPrimeP;
++  CK_BYTE_PTR   pBaseG;
++  CK_BYTE_PTR   pSubprimeQ;
++} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
++
++typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
++  CK_SKIPJACK_PRIVATE_WRAP_PTR;
++
++
++/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
++ * CKM_SKIPJACK_RELAYX mechanism */
++/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
++typedef struct CK_SKIPJACK_RELAYX_PARAMS {
++  CK_ULONG      ulOldWrappedXLen;
++  CK_BYTE_PTR   pOldWrappedX;
++  CK_ULONG      ulOldPasswordLen;
++  CK_BYTE_PTR   pOldPassword;
++  CK_ULONG      ulOldPublicDataLen;
++  CK_BYTE_PTR   pOldPublicData;
++  CK_ULONG      ulOldRandomLen;
++  CK_BYTE_PTR   pOldRandomA;
++  CK_ULONG      ulNewPasswordLen;
++  CK_BYTE_PTR   pNewPassword;
++  CK_ULONG      ulNewPublicDataLen;
++  CK_BYTE_PTR   pNewPublicData;
++  CK_ULONG      ulNewRandomLen;
++  CK_BYTE_PTR   pNewRandomA;
++} CK_SKIPJACK_RELAYX_PARAMS;
++
++typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
++  CK_SKIPJACK_RELAYX_PARAMS_PTR;
++
++
++typedef struct CK_PBE_PARAMS {
++  CK_BYTE_PTR      pInitVector;
++  CK_UTF8CHAR_PTR  pPassword;
++  CK_ULONG         ulPasswordLen;
++  CK_BYTE_PTR      pSalt;
++  CK_ULONG         ulSaltLen;
++  CK_ULONG         ulIteration;
++} CK_PBE_PARAMS;
++
++typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
++
++
++/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
++ * CKM_KEY_WRAP_SET_OAEP mechanism */
++/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
++typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
++  CK_BYTE       bBC;     /* block contents byte */
++  CK_BYTE_PTR   pX;      /* extra data */
++  CK_ULONG      ulXLen;  /* length of extra data in bytes */
++} CK_KEY_WRAP_SET_OAEP_PARAMS;
++
++typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
++  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
++
++
++typedef struct CK_SSL3_RANDOM_DATA {
++  CK_BYTE_PTR  pClientRandom;
++  CK_ULONG     ulClientRandomLen;
++  CK_BYTE_PTR  pServerRandom;
++  CK_ULONG     ulServerRandomLen;
++} CK_SSL3_RANDOM_DATA;
++
++
++typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
++  CK_SSL3_RANDOM_DATA RandomInfo;
++  CK_VERSION_PTR pVersion;
++} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
++
++typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
++  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
++
++
++typedef struct CK_SSL3_KEY_MAT_OUT {
++  CK_OBJECT_HANDLE hClientMacSecret;
++  CK_OBJECT_HANDLE hServerMacSecret;
++  CK_OBJECT_HANDLE hClientKey;
++  CK_OBJECT_HANDLE hServerKey;
++  CK_BYTE_PTR      pIVClient;
++  CK_BYTE_PTR      pIVServer;
++} CK_SSL3_KEY_MAT_OUT;
++
++typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
++
++
++typedef struct CK_SSL3_KEY_MAT_PARAMS {
++  CK_ULONG                ulMacSizeInBits;
++  CK_ULONG                ulKeySizeInBits;
++  CK_ULONG                ulIVSizeInBits;
++  CK_BBOOL                bIsExport;
++  CK_SSL3_RANDOM_DATA     RandomInfo;
++  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
++} CK_SSL3_KEY_MAT_PARAMS;
++
++typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
++
++/* CK_TLS_PRF_PARAMS is new for version 2.20 */
++typedef struct CK_TLS_PRF_PARAMS {
++  CK_BYTE_PTR  pSeed;
++  CK_ULONG     ulSeedLen;
++  CK_BYTE_PTR  pLabel;
++  CK_ULONG     ulLabelLen;
++  CK_BYTE_PTR  pOutput;
++  CK_ULONG_PTR pulOutputLen;
++} CK_TLS_PRF_PARAMS;
++
++typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
++
++/* WTLS is new for version 2.20 */
++typedef struct CK_WTLS_RANDOM_DATA {
++  CK_BYTE_PTR pClientRandom;
++  CK_ULONG    ulClientRandomLen;
++  CK_BYTE_PTR pServerRandom;
++  CK_ULONG    ulServerRandomLen;
++} CK_WTLS_RANDOM_DATA;
++
++typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
++
++typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
++  CK_MECHANISM_TYPE   DigestMechanism;
++  CK_WTLS_RANDOM_DATA RandomInfo;
++  CK_BYTE_PTR         pVersion;
++} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
++
++typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
++  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
++
++typedef struct CK_WTLS_PRF_PARAMS {
++  CK_MECHANISM_TYPE DigestMechanism;
++  CK_BYTE_PTR       pSeed;
++  CK_ULONG          ulSeedLen;
++  CK_BYTE_PTR       pLabel;
++  CK_ULONG          ulLabelLen;
++  CK_BYTE_PTR       pOutput;
++  CK_ULONG_PTR      pulOutputLen;
++} CK_WTLS_PRF_PARAMS;
++
++typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
++
++typedef struct CK_WTLS_KEY_MAT_OUT {
++  CK_OBJECT_HANDLE hMacSecret;
++  CK_OBJECT_HANDLE hKey;
++  CK_BYTE_PTR      pIV;
++} CK_WTLS_KEY_MAT_OUT;
++
++typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
++
++typedef struct CK_WTLS_KEY_MAT_PARAMS {
++  CK_MECHANISM_TYPE       DigestMechanism;
++  CK_ULONG                ulMacSizeInBits;
++  CK_ULONG                ulKeySizeInBits;
++  CK_ULONG                ulIVSizeInBits;
++  CK_ULONG                ulSequenceNumber;
++  CK_BBOOL                bIsExport;
++  CK_WTLS_RANDOM_DATA     RandomInfo;
++  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
++} CK_WTLS_KEY_MAT_PARAMS;
++
++typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
++
++/* CMS is new for version 2.20 */
++typedef struct CK_CMS_SIG_PARAMS {
++  CK_OBJECT_HANDLE      certificateHandle;
++  CK_MECHANISM_PTR      pSigningMechanism;
++  CK_MECHANISM_PTR      pDigestMechanism;
++  CK_UTF8CHAR_PTR       pContentType;
++  CK_BYTE_PTR           pRequestedAttributes;
++  CK_ULONG              ulRequestedAttributesLen;
++  CK_BYTE_PTR           pRequiredAttributes;
++  CK_ULONG              ulRequiredAttributesLen;
++} CK_CMS_SIG_PARAMS;
++
++typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
++
++typedef struct CK_KEY_DERIVATION_STRING_DATA {
++  CK_BYTE_PTR pData;
++  CK_ULONG    ulLen;
++} CK_KEY_DERIVATION_STRING_DATA;
++
++typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
++  CK_KEY_DERIVATION_STRING_DATA_PTR;
++
++
++/* The CK_EXTRACT_PARAMS is used for the
++ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
++ * of the base key should be used as the first bit of the
++ * derived key */
++/* CK_EXTRACT_PARAMS is new for v2.0 */
++typedef CK_ULONG CK_EXTRACT_PARAMS;
++
++typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
++
++/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
++ * indicate the Pseudo-Random Function (PRF) used to generate
++ * key bits using PKCS #5 PBKDF2. */
++typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
++
++typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
++
++/* The following PRFs are defined in PKCS #5 v2.0. */
++#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
++
++
++/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
++ * source of the salt value when deriving a key using PKCS #5
++ * PBKDF2. */
++typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
++
++typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
++
++/* The following salt value sources are defined in PKCS #5 v2.0. */
++#define CKZ_SALT_SPECIFIED        0x00000001
++
++/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
++ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
++ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
++typedef struct CK_PKCS5_PBKD2_PARAMS {
++        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
++        CK_VOID_PTR                                pSaltSourceData;
++        CK_ULONG                                   ulSaltSourceDataLen;
++        CK_ULONG                                   iterations;
++        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++        CK_VOID_PTR                                pPrfData;
++        CK_ULONG                                   ulPrfDataLen;
++        CK_UTF8CHAR_PTR                            pPassword;
++        CK_ULONG_PTR                               ulPasswordLen;
++} CK_PKCS5_PBKD2_PARAMS;
++
++typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
++
++/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */
++
++typedef CK_ULONG CK_OTP_PARAM_TYPE;
++typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */
++
++typedef struct CK_OTP_PARAM {
++    CK_OTP_PARAM_TYPE type;
++    CK_VOID_PTR pValue;
++    CK_ULONG ulValueLen;
++} CK_OTP_PARAM;
++
++typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
++
++typedef struct CK_OTP_PARAMS {
++    CK_OTP_PARAM_PTR pParams;
++    CK_ULONG ulCount;
++} CK_OTP_PARAMS;
++
++typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
++
++typedef struct CK_OTP_SIGNATURE_INFO {
++    CK_OTP_PARAM_PTR pParams;
++    CK_ULONG ulCount;
++} CK_OTP_SIGNATURE_INFO;
++
++typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
++#define CK_OTP_VALUE          0
++#define CK_OTP_PIN            1
++#define CK_OTP_CHALLENGE      2
++#define CK_OTP_TIME           3
++#define CK_OTP_COUNTER        4
++#define CK_OTP_FLAGS          5
++#define CK_OTP_OUTPUT_LENGTH  6
++#define CK_OTP_OUTPUT_FORMAT  7
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
++#define CKF_NEXT_OTP          0x00000001
++#define CKF_EXCLUDE_TIME      0x00000002
++#define CKF_EXCLUDE_COUNTER   0x00000004
++#define CKF_EXCLUDE_CHALLENGE 0x00000008
++#define CKF_EXCLUDE_PIN       0x00000010
++#define CKF_USER_FRIENDLY_OTP 0x00000020
++
++/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */
++typedef struct CK_KIP_PARAMS {
++    CK_MECHANISM_PTR  pMechanism;
++    CK_OBJECT_HANDLE  hKey;
++    CK_BYTE_PTR       pSeed;
++    CK_ULONG          ulSeedLen;
++} CK_KIP_PARAMS;
++
++typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
++
++/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_AES_CTR_PARAMS {
++    CK_ULONG ulCounterBits;
++    CK_BYTE cb[16];
++} CK_AES_CTR_PARAMS;
++
++typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
++
++/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_CAMELLIA_CTR_PARAMS {
++    CK_ULONG ulCounterBits;
++    CK_BYTE cb[16];
++} CK_CAMELLIA_CTR_PARAMS;
++
++typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
++
++/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
++    CK_BYTE      iv[16];
++    CK_BYTE_PTR  pData;
++    CK_ULONG     length;
++} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
++    CK_BYTE      iv[16];
++    CK_BYTE_PTR  pData;
++    CK_ULONG     length;
++} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++#endif
+Index: openssl/util/libeay.num
+diff -u openssl/util/libeay.num:1.1.2.1 openssl/util/libeay.num:1.4
+--- openssl/util/libeay.num:1.1.2.1	Sun Jun 22 01:10:04 2008
++++ openssl/util/libeay.num	Wed Dec 17 14:54:59 2008
+@@ -3700,3 +3700,4 @@
+ FIPS_dsa_sig_encode                     4089	NOEXIST::FUNCTION:
+ CRYPTO_dbg_remove_all_info              4090	NOEXIST::FUNCTION:
+ OPENSSL_init                            4091	NOEXIST::FUNCTION:
++ENGINE_load_pk11                        4092	EXIST::FUNCTION:ENGINE
+Index: openssl/util/mk1mf.pl
+diff -u openssl/util/mk1mf.pl:1.1.2.1 openssl/util/mk1mf.pl:1.5
+--- openssl/util/mk1mf.pl:1.1.2.1	Thu Jun  5 15:09:40 2008
++++ openssl/util/mk1mf.pl	Wed Dec 17 16:56:20 2008
+@@ -299,6 +299,9 @@
+ 	if ($key eq "ZLIB_INCLUDE")
+ 		{ $cflags .= " $val" if $val ne "";}
+ 
++	if ($key eq "PK11_LIB_LOCATION")
++		{ $cflags .= " -D$key=\\\"$val\\\"" if $val ne "";}
++
+ 	if ($key eq "LIBZLIB")
+ 		{ $zlib_lib = "$val" if $val ne "";}
+ 
+Index: openssl/util/pl/VC-32.pl
+diff -u openssl/util/pl/VC-32.pl:1.1.2.1 openssl/util/pl/VC-32.pl:1.4
+--- openssl/util/pl/VC-32.pl:1.1.2.1	Fri Jun  6 20:48:57 2008
++++ openssl/util/pl/VC-32.pl	Thu Jan  1 14:38:50 2009
+@@ -99,7 +99,7 @@
+     my $f = $shlib?' /MD':' /MT';
+     $lib_cflag='/Zl' if (!$shlib);	# remove /DEFAULTLIBs from static lib
+     $opt_cflags=$f.' /Ox /O2 /Ob2';
+-    $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
++    $dbg_cflags=$f.'d /Od /Zi -DDEBUG -D_DEBUG';
+     $lflags="/nologo /subsystem:console /opt:ref";
+     }
+ $mlflags='';
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index ae08c00670..429060e497 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.28 2009/09/02 06:29:01 each Exp $
+ * $Id: dst_api.c,v 1.29 2009/09/03 04:09:58 marka Exp $
  */
 
 /*! \file */
@@ -432,7 +432,6 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 {
 	isc_result_t result;
 	dst_key_t *pubkey = NULL, *key = NULL;
-	dns_keytag_t id;
 	char *newfilename = NULL;
 	int newfilenamelen = 0;
 	isc_lex_t *lex = NULL;
@@ -489,11 +488,10 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
 			     pubkey->key_flags, pubkey->key_proto, 0,
 			     pubkey->key_class, mctx);
-	id = pubkey->key_id;
-	dst_key_free(&pubkey);
-
-	if (key == NULL)
+	if (key == NULL) {
+		dst_key_free(&pubkey);
 		return (ISC_R_NOMEMORY);
+	}
 
 	if (key->func->parse == NULL)
 		RETERR(DST_R_UNSUPPORTEDALG);
@@ -512,17 +510,20 @@ dst_key_fromnamedfile(const char *filename, const char *dirname,
 	RETERR(isc_lex_openfile(lex, newfilename));
 	isc_mem_put(mctx, newfilename, newfilenamelen);
 
-	RETERR(key->func->parse(key, lex));
+	RETERR(key->func->parse(key, lex, pubkey));
 	isc_lex_destroy(&lex);
 
 	RETERR(computeid(key));
 
-	if (id != key->key_id)
+	if (pubkey->key_id != key->key_id)
 		RETERR(DST_R_INVALIDPRIVATEKEY);
+	dst_key_free(&pubkey);
 
 	*keyp = key;
 	return (ISC_R_SUCCESS);
  out:
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
 	if (newfilename != NULL)
 		isc_mem_put(mctx, newfilename, newfilenamelen);
 	if (lex != NULL)
@@ -657,7 +658,7 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
 
 	RETERR(isc_lex_create(key->mctx, 1500, &lex));
 	RETERR(isc_lex_openbuffer(lex, buffer));
-	RETERR(key->func->parse(key, lex));
+	RETERR(key->func->parse(key, lex, NULL));
  out:
 	if (lex != NULL)
 		isc_lex_destroy(&lex);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 7adc68d328..c597a6beff 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.16 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dst_internal.h,v 1.17 2009/09/03 04:09:58 marka Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -173,7 +173,9 @@ struct dst_func {
 	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
 	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
 	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
-	isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer);
+	isc_result_t (*parse)(dst_key_t *key,
+			      isc_lex_t *lexer,
+			      dst_key_t *pub);
 
 	/* cleanup */
 	void (*cleanup)(void);
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index fce98d708f..3c0a2bafca 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.11 2008/04/01 23:47:10 tbox Exp $
+ * $Id: hmac_link.c,v 1.12 2009/09/03 04:09:58 marka Exp $
  */
 
 #include 
@@ -268,13 +268,14 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
 	if (result != ISC_R_SUCCESS)
@@ -537,13 +538,14 @@ hmacsha1_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
 				       &priv);
@@ -807,13 +809,14 @@ hmacsha224_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
 				       &priv);
@@ -1077,13 +1080,14 @@ hmacsha256_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
 				       &priv);
@@ -1347,13 +1351,14 @@ hmacsha384_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
 				       &priv);
@@ -1617,13 +1622,14 @@ hmacsha512_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t result, tresult;
 	isc_buffer_t b;
 	isc_mem_t *mctx = key->mctx;
 	unsigned int i;
 
+	UNUSED(pub);
 	/* read private key file */
 	result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
 				       &priv);
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 41e9e2f512..cb223ae58a 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.25 2009/02/11 03:04:18 jinmei Exp $
+ * $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -223,7 +223,7 @@ dst__openssl_init() {
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_rm;
 	}
-#endif /* USE_PKCS11 */
+#else /* USE_PKCS11 */
 	if (engine_id != NULL) {
 		e = ENGINE_by_id(engine_id);
 		if (e == NULL) {
@@ -237,6 +237,8 @@ dst__openssl_init() {
 		}
 		ENGINE_set_default(e, ENGINE_METHOD_ALL);
 		ENGINE_free(e);
+		if (he == NULL)
+			he = e;
 	} else {
 		ENGINE_register_all_complete();
 		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
@@ -251,6 +253,7 @@ dst__openssl_init() {
 			}
 		}
 	}
+#endif /* USE_PKCS11 */
 	re = ENGINE_get_default_RAND();
 	if (re == NULL) {
 		re = ENGINE_new();
@@ -292,10 +295,11 @@ dst__openssl_destroy() {
 #endif
 	EVP_cleanup();
 #if defined(USE_ENGINE)
-	if (e != NULL) {
+	if (he != NULL)
+		ENGINE_finish(he);
+	else if (e != NULL)
 		ENGINE_finish(e);
-		e = NULL;
-	}
+	he = e = NULL;
 #if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 	ENGINE_cleanup();
 #endif
@@ -345,7 +349,6 @@ dst__openssl_getengine(const char *name) {
 
 	UNUSED(name);
 
-
 #if defined(USE_ENGINE)
 	return (he);
 #else
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index abc3b7c2b3..66cf5e14dc 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.14 2008/04/01 23:47:10 tbox Exp $
+ * $Id: openssldh_link.c,v 1.15 2009/09/03 04:09:58 marka Exp $
  */
 
 #ifdef OPENSSL
@@ -476,7 +476,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@@ -484,6 +484,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
 	isc_mem_t *mctx;
 #define DST_RET(a) {ret = a; goto err;}
 
+	UNUSED(pub);
 	mctx = key->mctx;
 
 	/* read private key file */
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 815eff1d07..3cad0f907a 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.15 2009/01/14 23:48:00 tbox Exp $ */
+/* $Id: openssldsa_link.c,v 1.16 2009/09/03 04:09:58 marka Exp $ */
 
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -512,7 +512,7 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
@@ -520,6 +520,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	isc_mem_t *mctx = key->mctx;
 #define DST_RET(a) {ret = a; goto err;}
 
+	UNUSED(pub);
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 5f1f811795..395dfdfc7f 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.25 2009/08/18 07:45:14 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -767,16 +767,52 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 }
 
 static isc_result_t
-opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+rsa_check(RSA *rsa, RSA *pub)
+{
+	/* Public parameters should be the same but if they are not set
+	 * copy them from the public key. */
+	if (pub != NULL) {
+		if (rsa->n != NULL) {
+			if (BN_cmp(rsa->n, pub->n) != 0)
+				return (DST_R_INVALIDPRIVATEKEY);
+		} else {
+			rsa->n = pub->n;
+			pub->n = NULL;
+		}
+		if (rsa->e != NULL) {
+			if (BN_cmp(rsa->e, pub->e) != 0)
+				return (DST_R_INVALIDPRIVATEKEY);
+		} else {
+			rsa->e = pub->e;
+			pub->e = NULL;
+		}
+	}
+	if (rsa->n == NULL || rsa->e == NULL)
+		return (DST_R_INVALIDPRIVATEKEY);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
-	RSA *rsa = NULL;
+	RSA *rsa = NULL, *pubrsa = NULL;
 	ENGINE *e = NULL;
 	isc_mem_t *mctx = key->mctx;
 	const char *name = NULL, *label = NULL;
 	EVP_PKEY *pkey = NULL;
 
+#if USE_EVP
+	if (pub != NULL && pub->keydata.pkey != NULL)
+		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
+#else
+	if (pub != NULL && pub->keydata.rsa != NULL) {
+		pubrsa = pub->keydata.rsa;
+		pub->keydata.rsa = NULL;
+	}
+#endif
+
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
@@ -815,16 +851,20 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 		key->label = isc_mem_strdup(key->mctx, label);
 		if (key->label == NULL)
 			DST_RET(ISC_R_NOMEMORY);
+		rsa = EVP_PKEY_get1_RSA(pkey);
+		if (rsa == NULL)
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
 		key->key_size = EVP_PKEY_bits(pkey);
 #if USE_EVP
 		key->keydata.pkey = pkey;
 #else
-		key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
-		if (rsa == NULL)
-			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		key->keydata.rsa = rsa;
 		EVP_PKEY_free(pkey);
 #endif
 		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -889,8 +929,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
 
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
 	key->key_size = BN_num_bits(rsa->n);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
 #if USE_EVP
 	RSA_free(rsa);
 #endif
@@ -904,6 +949,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 #endif
 	if (rsa != NULL)
 		RSA_free(rsa);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
 	opensslrsa_destroy(key);
 	dst__privstruct_free(&priv, mctx);
 	memset(&priv, 0, sizeof(priv));

From f4b1fec88859fc8d4c56bb5a5b2ff4a66dfed006 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 3 Sep 2009 04:33:13 +0000
Subject: [PATCH 100/385] remove md4.c from patch

---
 contrib/pkcs11-keygen/openssl-0.9.8i-patch | 138 +--------------------
 1 file changed, 3 insertions(+), 135 deletions(-)

diff --git a/contrib/pkcs11-keygen/openssl-0.9.8i-patch b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
index 601504e155..27ddf0a86a 100644
--- a/contrib/pkcs11-keygen/openssl-0.9.8i-patch
+++ b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
@@ -408,138 +408,6 @@ diff -u /dev/null openssl/README.pkcs11:1.4
 +
 +Latest version should be always available on http://blogs.sun.com/janp.
 +
-Index: openssl/apps/md4.c
-diff -u /dev/null openssl/apps/md4.c:1.2
---- /dev/null	Wed Sep  2 11:37:22 2009
-+++ openssl/apps/md4.c	Fri Aug 29 15:36:16 2008
-@@ -0,0 +1,127 @@
-+/* crypto/md4/md4.c */
-+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
-+ * All rights reserved.
-+ *
-+ * This package is an SSL implementation written
-+ * by Eric Young (eay@cryptsoft.com).
-+ * The implementation was written so as to conform with Netscapes SSL.
-+ * 
-+ * This library is free for commercial and non-commercial use as long as
-+ * the following conditions are aheared to.  The following conditions
-+ * apply to all code found in this distribution, be it the RC4, RSA,
-+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-+ * included with this distribution is covered by the same copyright terms
-+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
-+ * 
-+ * Copyright remains Eric Young's, and as such any Copyright notices in
-+ * the code are not to be removed.
-+ * If this package is used in a product, Eric Young should be given attribution
-+ * as the author of the parts of the library used.
-+ * This can be in the form of a textual message at program startup or
-+ * in documentation (online or textual) provided with the package.
-+ * 
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ *    must display the following acknowledgement:
-+ *    "This product includes cryptographic software written by
-+ *     Eric Young (eay@cryptsoft.com)"
-+ *    The word 'cryptographic' can be left out if the rouines from the library
-+ *    being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from 
-+ *    the apps directory (application code) you must include an acknowledgement:
-+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
-+ * 
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ * 
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#include 
-+#include 
-+#include 
-+
-+#define BUFSIZE	1024*16
-+
-+void do_fp(FILE *f);
-+void pt(unsigned char *md);
-+#if !defined(_OSD_POSIX) && !defined(__DJGPP__)
-+int read(int, void *, unsigned int);
-+#endif
-+
-+int main(int argc, char **argv)
-+	{
-+	int i,err=0;
-+	FILE *IN;
-+
-+	if (argc == 1)
-+		{
-+		do_fp(stdin);
-+		}
-+	else
-+		{
-+		for (i=1; i
Date: Thu, 3 Sep 2009 13:43:52 +0000
Subject: [PATCH 101/385] oldkey must be initialized to NULL

---
 bin/dnssec/dnssec-keyfromlabel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index f0df650ee3..56165fd60f 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.10 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.11 2009/09/03 13:43:52 fdupont Exp $ */
 
 /*! \file */
 
@@ -87,7 +87,7 @@ main(int argc, char **argv) {
 	char		*directory = NULL;
 	char		*classname = NULL;
 	char		*endp;
-	dst_key_t	*key = NULL, *oldkey;
+	dst_key_t	*key = NULL, *oldkey = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
 	isc_uint16_t	flags = 0, ksk = 0, revoke = 0;

From 760a6c5ac1f2b3706a9e0af7e12786b9c633e3e9 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 3 Sep 2009 13:51:46 +0000
Subject: [PATCH 102/385] remove extra ./Makefile

---
 contrib/pkcs11-keygen/openssl-0.9.8i-patch | 95 +---------------------
 1 file changed, 3 insertions(+), 92 deletions(-)

diff --git a/contrib/pkcs11-keygen/openssl-0.9.8i-patch b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
index 27ddf0a86a..0ea5beeccc 100644
--- a/contrib/pkcs11-keygen/openssl-0.9.8i-patch
+++ b/contrib/pkcs11-keygen/openssl-0.9.8i-patch
@@ -82,95 +82,6 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
  	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
  	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
-Index: openssl/Makefile
-diff -u openssl/Makefile:1.1.2.1 openssl/Makefile:1.5
---- openssl/Makefile:1.1.2.1	Mon Sep 15 15:27:21 2008
-+++ openssl/Makefile	Mon Dec 15 12:55:31 2008
-@@ -11,11 +11,11 @@
- SHLIB_VERSION_HISTORY=
- SHLIB_MAJOR=0
- SHLIB_MINOR=9.8
--SHLIB_EXT=
--PLATFORM=dist
--OPTIONS= no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
--CONFIGURE_ARGS=dist
--SHLIB_TARGET=
-+SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-+PLATFORM=solaris64-x86_64-gcc
-+OPTIONS=--pk11-libname=/usr/lib/64/libpkcs11.so.1 no-camellia no-capieng no-cms no-gmp no-krb5 no-mdc2 no-montasm no-rc5 no-rfc3779 no-seed no-shared no-tlsext no-zlib no-zlib-dynamic
-+CONFIGURE_ARGS=solaris64-x86_64-gcc --pk11-libname=/usr/lib/64/libpkcs11.so.1
-+SHLIB_TARGET=solaris-shared
- 
- # HERE indicates where this Makefile lives.  This can be used to indicate
- # where sub-Makefiles are expected to be.  Currently has very limited usage,
-@@ -28,6 +28,9 @@
- INSTALL_PREFIX=
- INSTALLTOP=/usr/local/ssl
- 
-+# You must set this through --pk11-libname configure option.
-+PK11_LIB_LOCATION=/usr/lib/64/libpkcs11.so.1
-+
- # Do not edit this manually. Use Configure --openssldir=DIR do change this!
- OPENSSLDIR=/usr/local/ssl
- 
-@@ -59,11 +62,11 @@
- # equal 4.
- # PKCS1_CHECK - pkcs1 tests.
- 
--CC= cc
--CFLAG= -O
-+CC= gcc
-+CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPK11_LIB_LOCATION=\"/usr/lib/64/libpkcs11.so.1\" -m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
- DEPFLAG= -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_TLSEXT 
- PEX_LIBS= 
--EX_LIBS= 
-+EX_LIBS= -lsocket -lnsl -ldl
- EXE_EXT= 
- ARFLAGS= 
- AR=ar $(ARFLAGS) r
-@@ -71,7 +74,7 @@
- PERL= /usr/bin/perl
- TAR= tar
- TARFLAGS= --no-recursion
--MAKEDEPPROG=makedepend
-+MAKEDEPPROG= gcc
- 
- # We let the C compiler driver to take care of .s files. This is done in
- # order to be excused from maintaining a separate set of architecture
-@@ -86,16 +89,16 @@
- PROCESSOR= 
- 
- # CPUID module collects small commonly used assembler snippets
--CPUID_OBJ= 
--BN_ASM= bn_asm.o
-+CPUID_OBJ= x86_64cpuid.o
-+BN_ASM= x86_64-gcc.o x86_64-mont.o
- DES_ENC= des_enc.o fcrypt_b.o
--AES_ASM_OBJ= aes_core.o aes_cbc.o
-+AES_ASM_OBJ= aes-x86_64.o
- BF_ENC= bf_enc.o
- CAST_ENC= c_enc.o
--RC4_ENC= rc4_enc.o rc4_skey.o
-+RC4_ENC= rc4-x86_64.o
- RC5_ENC= rc5_enc.o
--MD5_ASM_OBJ= 
--SHA1_ASM_OBJ= 
-+MD5_ASM_OBJ= md5-x86_64.o
-+SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
- RMD160_ASM_OBJ= 
- 
- # KRB5 stuff
-@@ -141,8 +144,8 @@
- SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
- SHARED_SSL=libssl$(SHLIB_EXT)
- SHARED_LIBS=
--SHARED_LIBS_LINK_EXTS=
--SHARED_LDFLAGS=
-+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
-+SHARED_LDFLAGS=-m64 -shared -static-libgcc
- 
- GENERAL=        Makefile
- BASENAME=       openssl
 Index: openssl/Makefile.org
 diff -u openssl/Makefile.org:1.1.2.1 openssl/Makefile.org:1.2
 --- openssl/Makefile.org:1.1.2.1	Thu Apr  3 23:03:39 2008
@@ -10946,7 +10857,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +++ openssl/crypto/engine/pkcs11.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
-+/* $Revision: 1.3 $ */
++/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -11250,7 +11161,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +++ openssl/crypto/engine/pkcs11f.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
-+/* $Revision: 1.3 $ */
++/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -12167,7 +12078,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
 +++ openssl/crypto/engine/pkcs11t.h	Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */
-+/* $Revision: 1.3 $ */
++/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface

From 2e465236957ff6a9ba2f7dea1db80a250ecb3466 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 3 Sep 2009 20:28:46 +0000
Subject: [PATCH 103/385] update cvsignore files

---
 lib/export/dns/.cvsignore             | 3 +++
 lib/export/dns/include/dns/.cvsignore | 3 +++
 lib/export/irs/.cvsignore             | 1 +
 lib/export/isc/.cvsignore             | 1 +
 lib/export/isc/Makefile.in            | 6 +++---
 lib/export/isccfg/.cvsignore          | 1 +
 lib/export/samples/.cvsignore         | 6 ++++++
 7 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/lib/export/dns/.cvsignore b/lib/export/dns/.cvsignore
index f3c7a7c5da..6ee29f9529 100644
--- a/lib/export/dns/.cvsignore
+++ b/lib/export/dns/.cvsignore
@@ -1 +1,4 @@
 Makefile
+code.h
+gen
+timestamp
diff --git a/lib/export/dns/include/dns/.cvsignore b/lib/export/dns/include/dns/.cvsignore
index f3c7a7c5da..960dd99eeb 100644
--- a/lib/export/dns/include/dns/.cvsignore
+++ b/lib/export/dns/include/dns/.cvsignore
@@ -1 +1,4 @@
 Makefile
+enumclass.h
+enumtype.h
+rdatastruct.h
diff --git a/lib/export/irs/.cvsignore b/lib/export/irs/.cvsignore
index f3c7a7c5da..8df5b29f00 100644
--- a/lib/export/irs/.cvsignore
+++ b/lib/export/irs/.cvsignore
@@ -1 +1,2 @@
 Makefile
+timestamp
diff --git a/lib/export/isc/.cvsignore b/lib/export/isc/.cvsignore
index f3c7a7c5da..8df5b29f00 100644
--- a/lib/export/isc/.cvsignore
+++ b/lib/export/isc/.cvsignore
@@ -1 +1,2 @@
 Makefile
+timestamp
diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in
index 9939515c33..52f6b37b1f 100644
--- a/lib/export/isc/Makefile.in
+++ b/lib/export/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+# $Id: Makefile.in,v 1.4 2009/09/03 20:28:46 each Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@top_srcdir@/lib/isc
@@ -59,7 +59,7 @@ WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 
 # Alphabetically
 OBJS =		@ISC_EXTRA_OBJS@ \
-		assertions.@O@ base32.@O@ \
+		assertions.@O@ backtrace.@O@ backtrace-emptytbl.@O@ base32.@O@ \
 		base64.@O@ buffer.@O@ bufferlist.@O@ \
 		error.@O@ event.@O@ \
 		hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
@@ -82,7 +82,7 @@ APISRCS =	app_api.c mem_api.c socket_api.c \
 ISCDRIVERSRCS =	mem.c task.c lib.c timer.c heap.c
 
 SRCS =		@ISC_EXTRA_SRCS@ \
-		assertions.c base32.c \
+		assertions.c backtrace.c backtrace-emptytbl.c base32.c \
 		base64.c buffer.c bufferlist.c \
 		error.c event.c \
 		hash.c hex.c hmacmd5.c hmacsha.c \
diff --git a/lib/export/isccfg/.cvsignore b/lib/export/isccfg/.cvsignore
index f3c7a7c5da..8df5b29f00 100644
--- a/lib/export/isccfg/.cvsignore
+++ b/lib/export/isccfg/.cvsignore
@@ -1 +1,2 @@
 Makefile
+timestamp
diff --git a/lib/export/samples/.cvsignore b/lib/export/samples/.cvsignore
index 28be5a30a5..5e42ccc5a3 100644
--- a/lib/export/samples/.cvsignore
+++ b/lib/export/samples/.cvsignore
@@ -1,2 +1,8 @@
 Makefile
 Makefile-postinstall
+nsprobe
+sample
+sample-async
+sample-gai
+sample-request
+sample-update

From 0984eeca5b41a8678def4433bd6de51888ce0b04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Thu, 3 Sep 2009 21:45:46 +0000
Subject: [PATCH 104/385] added workaround for a recent change
 thatview->secroots is not created with view. [RT #20209]

---
 lib/dns/client.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/dns/client.c b/lib/dns/client.c
index 0990e219ba..3124cf4642 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: client.c,v 1.5 2009/09/03 21:45:46 jinmei Exp $ */
 
 #include 
 
@@ -307,7 +307,19 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 
 	result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
 	if (result != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
+		return (result);
+
+	/*
+	 * Workaround for a recent change in dns_view_create(): proactively
+	 * create view->secroots if it's not created with view creation.
+	 */
+	if (view->secroots == NULL) {
+		result = dns_keytable_create(mctx, &view->secroots);
+		if (result != ISC_R_SUCCESS) {
+			dns_view_detach(&view);
+			return (result);
+		}
+	}
 
 	result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
 					 timermgr, 0, dispatchmgr,

From af55bddf26801cc3807b0eec46824ecbd016b663 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Thu, 3 Sep 2009 21:55:13 +0000
Subject: [PATCH 105/385] cleanup: fixed incorrect ifdef [RT #20210]

---
 lib/isc/timer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index ef6996d8a8..f9c4bf8653 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.93 2009/09/02 04:25:19 jinmei Exp $ */
+/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */
 
 /*! \file */
 
@@ -172,13 +172,15 @@ static struct isc__timermethods {
 
 static struct isc__timermgrmethods {
 	isc_timermgrmethods_t methods;
+#ifndef BIND9
 	void *poke;		/* see above */
+#endif
 } timermgrmethods = {
 	{
 		isc__timermgr_destroy,
 		isc__timer_create
 	}
-#ifdef BIND9
+#ifndef BIND9
 	,
 	(void *)isc__timermgr_poke
 #endif

From 78cb74fab4665da2e2641ba909c6f59f74cc4193 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 3 Sep 2009 23:30:32 +0000
Subject: [PATCH 106/385] newcopyrights

---
 util/copyrights | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 53e118524a..d400cb9255 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -8,7 +8,7 @@
 ./README					X	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./README.idnkit					X	2005,2009
 ./README.libdns					X	2009
-./README.pkcs11					X	2008
+./README.pkcs11					X	2008,2009
 ./README.rfc5011				X	2009
 ./acconfig.h					C	1999,2000,2001,2002,2003,2004,2005,2007,2008
 ./aclocal.m4					X	1999,2000,2001
@@ -1242,7 +1242,7 @@
 ./contrib/nslint-2.1a3/savestr.h		X	2001
 ./contrib/nslint-2.1a3/strerror.c		X	2001
 ./contrib/pkcs11-keygen/PEM_write_pubkey.c	X	2008
-./contrib/pkcs11-keygen/README			X	2008
+./contrib/pkcs11-keygen/README			X	2008,2009
 ./contrib/pkcs11-keygen/destroyobj.c		X	2008
 ./contrib/pkcs11-keygen/genkey.c		X	2008
 ./contrib/pkcs11-keygen/genkey.sh		X	2008
@@ -1250,6 +1250,7 @@
 ./contrib/pkcs11-keygen/keydump.pl		X	2008
 ./contrib/pkcs11-keygen/listobjs.c		X	2008
 ./contrib/pkcs11-keygen/openssl-0.9.8g-patch	X	2008
+./contrib/pkcs11-keygen/openssl-0.9.8i-patch	X	2009
 ./contrib/pkcs11-keygen/readkey.c		X	2008
 ./contrib/pkcs11-keygen/set_key_id.c		X	2008
 ./contrib/pkcs11-keygen/writekey.c		X	2008
@@ -1662,7 +1663,7 @@
 ./lib/dns/gen.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
 ./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008
 ./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008,2009
-./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008
+./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/.cvsignore			X	1998,1999,2000,2001
 ./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
 ./lib/dns/include/dns/.cvsignore		X	1998,1999,2000,2001
@@ -1767,7 +1768,7 @@
 ./lib/dns/nsec.c				C	1999,2000,2001,2003,2004,2005,2007,2008,2009
 ./lib/dns/nsec3.c				C	2006,2008,2009
 ./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
-./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008
+./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/openssldsa_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/order.c				C	2002,2004,2005,2007

From 7b1894bec19213c4480cbd750a7dfd5728b31ed4 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 3 Sep 2009 23:48:13 +0000
Subject: [PATCH 107/385] update copyright notice

---
 lib/dns/hmac_link.c      | 4 ++--
 lib/dns/openssldh_link.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 3c0a2bafca..1fe5db6407 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.12 2009/09/03 04:09:58 marka Exp $
+ * $Id: hmac_link.c,v 1.13 2009/09/03 23:48:12 tbox Exp $
  */
 
 #include 
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 66cf5e14dc..43506d5555 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.15 2009/09/03 04:09:58 marka Exp $
+ * $Id: openssldh_link.c,v 1.16 2009/09/03 23:48:13 tbox Exp $
  */
 
 #ifdef OPENSSL

From 730e25bf1121ada7e5ee3f33812dc25faa182294 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 4 Sep 2009 00:46:09 +0000
Subject: [PATCH 108/385] 'test' uses '=' not '=='

---
 configure    | 4 ++--
 configure.in | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 7d0e639861..c5409f3b1e 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.462 2009/09/01 18:41:05 jinmei Exp $
+# $Id: configure,v 1.463 2009/09/04 00:46:09 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -26000,7 +26000,7 @@ fi
 case $want_symtable in
 yes|all|minimal)
 
-	if test "$PERL" == ""
+	if test "$PERL" = ""
 	then
 		{ { echo "$as_me:$LINENO: error: Internal symbol table requires perl but no perl is found.
 Install perl or explicitly disable the feature by --disable-symtable." >&5
diff --git a/configure.in b/configure.in
index f224951cc1..f2b745f882 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.476 $)
+AC_REVISION($Revision: 1.477 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1335,7 +1335,7 @@ AC_ARG_ENABLE(symtable,
 case $want_symtable in
 yes|all|minimal)
 	
-	if test "$PERL" == ""
+	if test "$PERL" = ""
 	then
 		AC_MSG_ERROR([Internal symbol table requires perl but no perl is found.
 Install perl or explicitly disable the feature by --disable-symtable.])

From 2d13af354aa50ad491714cdf928f2c812ca6e923 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 4 Sep 2009 00:49:50 +0000
Subject: [PATCH 109/385] isc_resourcevalue_t is unsigned. use
 %ISC_PRINT_QUADFORMATu

---
 bin/named/server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 3b67836cca..4b9b6fa518 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.546 2009/09/01 23:47:44 tbox Exp $ */
+/* $Id: server.c,v 1.547 2009/09/04 00:49:50 marka Exp $ */
 
 /*! \file */
 
@@ -3265,7 +3265,7 @@ set_limit(const cfg_obj_t **maps, const char *configname,
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      result == ISC_R_SUCCESS ?
 			ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
-		      "set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s",
+		      "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
 		      description, value, isc_result_totext(result));
 }
 

From 762682e99007bd6e3232251798315aad1e54cf35 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 4 Sep 2009 02:09:33 +0000
Subject: [PATCH 110/385] make getpass dependent on HAVE_GETPASS

---
 contrib/pkcs11-keygen/genkey.c   | 2 +-
 contrib/pkcs11-keygen/listobjs.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/pkcs11-keygen/genkey.c b/contrib/pkcs11-keygen/genkey.c
index fc70391635..d1269243d4 100644
--- a/contrib/pkcs11-keygen/genkey.c
+++ b/contrib/pkcs11-keygen/genkey.c
@@ -137,7 +137,7 @@ main(int argc, char *argv[])
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
         pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
         pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
diff --git a/contrib/pkcs11-keygen/listobjs.c b/contrib/pkcs11-keygen/listobjs.c
index 68e22ec843..efe95ee278 100644
--- a/contrib/pkcs11-keygen/listobjs.c
+++ b/contrib/pkcs11-keygen/listobjs.c
@@ -101,7 +101,7 @@ main(int argc, char *argv[])
     /* Login to the Token (Keystore) */
     if (!public) {
 	if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
 	    pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
 	    pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");

From 06eb464ae29f5a66e9a3cf07200eec9a7f0564e9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 4 Sep 2009 02:31:29 +0000
Subject: [PATCH 111/385] ALG_FORMATSIZE -> 20

---
 bin/dnssec/dnssectool.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index a77a5b4bd1..df714e703b 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
+/* $Id: dnssectool.h,v 1.25 2009/09/04 02:31:29 marka Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -45,7 +45,7 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
 
 void
 alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
-#define ALG_FORMATSIZE 10
+#define ALG_FORMATSIZE 20
 
 void
 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);

From 8b5f99861f73229af08bb6893d99d797688f96af Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 4 Sep 2009 03:58:57 +0000
Subject: [PATCH 112/385] use HAVE_GETPASS

---
 contrib/pkcs11-keygen/destroyobj.c | 2 +-
 contrib/pkcs11-keygen/readkey.c    | 2 +-
 contrib/pkcs11-keygen/set_key_id.c | 2 +-
 contrib/pkcs11-keygen/writekey.c   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/contrib/pkcs11-keygen/destroyobj.c b/contrib/pkcs11-keygen/destroyobj.c
index 9c714d8e90..0883978403 100644
--- a/contrib/pkcs11-keygen/destroyobj.c
+++ b/contrib/pkcs11-keygen/destroyobj.c
@@ -93,7 +93,7 @@ main(int argc, char *argv[])
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
 	pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
 	pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
diff --git a/contrib/pkcs11-keygen/readkey.c b/contrib/pkcs11-keygen/readkey.c
index 869717c732..551e90fdf8 100644
--- a/contrib/pkcs11-keygen/readkey.c
+++ b/contrib/pkcs11-keygen/readkey.c
@@ -117,7 +117,7 @@ main(int argc, char *argv[])
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
         pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
         pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
diff --git a/contrib/pkcs11-keygen/set_key_id.c b/contrib/pkcs11-keygen/set_key_id.c
index 5c3a3c409c..f2d8bcb8cf 100644
--- a/contrib/pkcs11-keygen/set_key_id.c
+++ b/contrib/pkcs11-keygen/set_key_id.c
@@ -101,7 +101,7 @@ main(int argc, char *argv[])
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
         pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
         pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
diff --git a/contrib/pkcs11-keygen/writekey.c b/contrib/pkcs11-keygen/writekey.c
index 3d1ba99d71..d0aacb2702 100644
--- a/contrib/pkcs11-keygen/writekey.c
+++ b/contrib/pkcs11-keygen/writekey.c
@@ -139,7 +139,7 @@ main(int argc, char *argv[])
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef OPENCRYPTOKI
+#ifndef HAVE_GETPASS
         pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
 #else
         pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");

From 8d0a1ede2fe6d7c101ba59223772780c8b5b201d Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 4 Sep 2009 16:57:22 +0000
Subject: [PATCH 113/385] RT #20213: - correctly use -K option in dnssec-keygen
 - fix an improper free() in dnssec-revoke - fix grammar in dnssec-settime

---
 bin/dnssec/dnssec-keygen.c  |  8 +++++---
 bin/dnssec/dnssec-revoke.c  | 12 ++++++++++--
 bin/dnssec/dnssec-settime.c |  4 ++--
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index d71226720e..affb064f49 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.92 2009/09/02 23:48:01 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.93 2009/09/04 16:57:22 each Exp $ */
 
 /*! \file */
 
@@ -704,7 +704,8 @@ main(int argc, char **argv) {
 		 * case we return failure.
 		 */
 		ret = dst_key_fromfile(name, dst_key_id(key), alg,
-				       DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
+				       DST_TYPE_PRIVATE, directory,
+				       mctx, &oldkey);
 		/* do not overwrite an existing key  */
 		if (ret == ISC_R_SUCCESS) {
 			dst_key_free(&oldkey);
@@ -715,7 +716,8 @@ main(int argc, char **argv) {
 		if (conflict == ISC_TRUE) {
 			if (verbose > 0) {
 				isc_buffer_clear(&buf);
-				ret = dst_key_buildfilename(key, 0, NULL, &buf);
+				ret = dst_key_buildfilename(key, 0, directory,
+							    &buf);
 				fprintf(stderr,
 					"%s: %s already exists, "
 					"generating a new key\n",
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 634fc71128..4a86d74f9a 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.10 2009/09/02 23:48:01 tbox Exp $ */
+/* $Id: dnssec-revoke.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
 
 /*! \file */
 
@@ -96,7 +96,15 @@ main(int argc, char **argv) {
 			force = ISC_TRUE;
 			break;
 		    case 'K':
-			dir = isc_commandline_argument;
+			/*
+			 * We don't have to copy it here, but do it to
+			 * simplify cleanup later
+			 */
+			dir = isc_mem_strdup(mctx, isc_commandline_argument);
+			if (dir == NULL) {
+				fatal("Failed to allocate memory for "
+				      "directory");
+			}
 			break;
 		    case 'r':
 			remove = ISC_TRUE;
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 90e374769a..10e972d125 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.10 2009/09/02 23:48:01 tbox Exp $ */
+/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
 
 /*! \file */
 
@@ -203,7 +203,7 @@ main(int argc, char **argv) {
 			directory = isc_mem_strdup(mctx,
 						   isc_commandline_argument);
 			if (directory == NULL) {
-				fatal("Failed to memory allocation for "
+				fatal("Failed to allocate memory for "
 				      "directory");
 			}
 			break;

From 30a60d2aff0ec1810262a8b8efc532e28b32bd57 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 4 Sep 2009 17:14:58 +0000
Subject: [PATCH 114/385] On some slower systems the startup is delayed and
 this causes an apparent transfer failure on the initial calls to dig.  Adding
 a test here to make sure the zones are fully loaded before attempting to
 query them.

---
 bin/tests/system/nsupdate/tests.sh | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 0fe02c49f2..4de05ba962 100644
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -15,13 +15,31 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.27 2009/07/29 23:47:43 tbox Exp $
+# $Id: tests.sh,v 1.28 2009/09/04 17:14:58 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 status=0
 
+# wait for zone transfer to complete
+tries=0
+while true; do
+    if [ $tries -eq 10 ]
+    then
+        exit 1
+    fi
+
+    if grep "example.nil/IN.*Transfer completed" ns2/named.run > /dev/null
+    then
+        break
+    else
+        echo "I:zones are not fully loaded, waiting..."
+        tries=`expr $tries + 1`
+        sleep 1
+    fi
+done
+
 echo "I:fetching first copy of zone before update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
 	@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1

From 82629edf81d6ce977440eb5ce3314cdeb0fa14da Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 4 Sep 2009 17:47:26 +0000
Subject: [PATCH 115/385] jinmei's updated mem.h, which uses macros to generate
 function prototypes. this change was needed to support the bind9 build and
 export library build on both *nix and win32.  cleanup from change
 2660/rt19369.

---
 lib/isc/include/isc/mem.h | 54 ++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 23 deletions(-)

diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index ef6e3c89c9..c043e6924c 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.84 2009/09/02 23:43:54 each Exp $ */
+/* $Id: mem.h,v 1.85 2009/09/04 17:47:26 each Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -152,11 +152,19 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #endif
 
 
-#define isc_mem_get(c, s)	isc___mem_get((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_allocate(c, s)	isc___mem_allocate((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_reallocate(c, p, s) isc___mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_strdup(c, p)	isc___mem_strdup((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_get(c)	isc___mempool_get((c) _ISC_MEM_FILELINE)
+#ifdef WIN32
+#define ISCMEMFUNC(sfx) isc___mem_ ## sfx
+#define ISCMEMPOOLFUNC(sfx) isc___mempool_ ## sfx
+#else
+#define ISCMEMFUNC(sfx) isc__mem_ ## sfx
+#define ISCMEMPOOLFUNC(sfx) isc__mempool_ ## sfx
+#endif
+
+#define isc_mem_get(c, s)	ISCMEMFUNC(get)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s)	ISCMEMFUNC(allocate)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) ISCMEMFUNC(reallocate)((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p)	ISCMEMFUNC(strdup)((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_get(c)	ISCMEMPOOLFUNC(get)((c) _ISC_MEM_FILELINE)
 
 /*%
  * isc_mem_putanddetach() is a convenience function for use where you
@@ -258,30 +266,30 @@ struct isc_mempool {
 #if ISC_MEM_DEBUG
 #define isc_mem_put(c, p, s) \
 	do { \
-		isc___mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
+		ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE);	\
 		(p) = NULL; \
 	} while (0)
 #define isc_mem_putanddetach(c, p, s) \
 	do { \
-		isc___mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
+		ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE); \
 		(p) = NULL; \
 	} while (0)
 #define isc_mem_free(c, p) \
 	do { \
-		isc___mem_free((c), (p) _ISC_MEM_FILELINE); \
+		ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE);	\
 		(p) = NULL; \
 	} while (0)
 #define isc_mempool_put(c, p) \
 	do { \
-		isc___mempool_put((c), (p) _ISC_MEM_FILELINE); \
+		ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE);	\
 		(p) = NULL; \
 	} while (0)
 #else
-#define isc_mem_put(c, p, s)	isc___mem_put((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_put(c, p, s)	ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE)
 #define isc_mem_putanddetach(c, p, s) \
-	isc___mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_free(c, p)	isc___mem_free((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_put(c, p)	isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
+	ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_free(c, p)	ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_put(c, p)	ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE)
 #endif
 
 /*@{*/
@@ -673,23 +681,23 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
  * Pseudo-private functions for use via macros.  Do not call directly.
  */
 void *
-isc___mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(get)(isc_mem_t *, size_t _ISC_MEM_FLARG);
 void
-isc___mem_putanddetach(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(putanddetach)(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
 void
-isc___mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(put)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void *
-isc___mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(allocate)(isc_mem_t *, size_t _ISC_MEM_FLARG);
 void *
-isc___mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(reallocate)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void
-isc___mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
+ISCMEMFUNC(free)(isc_mem_t *, void * _ISC_MEM_FLARG);
 char *
-isc___mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
+ISCMEMFUNC(strdup)(isc_mem_t *, const char *_ISC_MEM_FLARG);
 void *
-isc___mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
+ISCMEMPOOLFUNC(get)(isc_mempool_t * _ISC_MEM_FLARG);
 void
-isc___mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
+ISCMEMPOOLFUNC(put)(isc_mempool_t *, void * _ISC_MEM_FLARG);
 
 #ifdef USE_MEMIMPREGISTER
 

From 2eb6a502bcb30f5738bf7fe871f5000ba24b1f19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Fri, 4 Sep 2009 18:13:44 +0000
Subject: [PATCH 116/385] added a missing .c file to SRC

---
 lib/isc/Makefile.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index bbe3cd01e8..15f5a7dc3b 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.102 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.103 2009/09/04 18:13:44 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -67,8 +67,8 @@ SYMTBLOBJS =	backtrace-emptytbl.@O@
 
 # Alphabetically
 SRCS =		@ISC_EXTRA_SRCS@ \
-		assertions.c base32.c base64.c bitstring.c buffer.c \
-		bufferlist.c commandline.c error.c event.c \
+		assertions.c backtrace.c base32.c base64.c bitstring.c \
+		buffer.c bufferlist.c commandline.c error.c event.c \
 		heap.c hex.c hmacmd5.c hmacsha.c \
 		httpd.c inet_aton.c iterated_hash.c \
 		lex.c lfsr.c lib.c log.c \

From 457144a0c69e0aa242386f35498e41dc8bfc1610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Fri, 4 Sep 2009 18:51:37 +0000
Subject: [PATCH 117/385] explained the portability workaround macro for isc__
 vs isc___

---
 lib/isc/include/isc/mem.h | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index c043e6924c..6d9f606383 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.85 2009/09/04 17:47:26 each Exp $ */
+/* $Id: mem.h,v 1.86 2009/09/04 18:51:37 jinmei Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
@@ -152,6 +152,16 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 #endif
 
 
+/*%<
+ * We use either isc___mem (three underscores) or isc__mem (two) depending on
+ * whether it's for BIND9's internal purpose (with -DBIND9) or generic export
+ * library.  This condition is generally handled in isc/namespace.h, but for
+ * Windows it doesn't work if it involves multiple times of macro expansion
+ * (such as isc_mem to isc__mem then to isc___mem).  The following definitions
+ * are used to work around this portability issue.  Right now, we don't support
+ * the export library for Windows, so we always use the three-underscore
+ * version.
+ */
 #ifdef WIN32
 #define ISCMEMFUNC(sfx) isc___mem_ ## sfx
 #define ISCMEMPOOLFUNC(sfx) isc___mempool_ ## sfx

From acb6750f8fe974a4f4471bb7dffd768818aed745 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 4 Sep 2009 23:18:05 +0000
Subject: [PATCH 118/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 5290c9d8d1..8eb793d783 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -205,6 +205,7 @@ rt19248				new	each	// 2009-01-28 00:25 +0000
 rt19256				new	jinmei	// 2009-01-29 00:55 +0000
 rt19284				new	each	// 2009-01-30 20:31 +0000
 rt19284_jinmeihack		new	
+rt19294				new	fdupont	// 2009-09-04 11:49 +0000
 rt19300				new	each	// 2009-02-05 23:51 +0000
 rt19301				new	each	// 2009-02-19 07:28 +0000
 rt19310				new	marka	// 2009-02-11 09:42 +0000

From 121bd24f4b8b2fc87cc945757b0c87e7e7656489 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 4 Sep 2009 23:30:34 +0000
Subject: [PATCH 119/385] newcopyrights

---
 util/copyrights | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index d400cb9255..364d0cfc3e 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1243,17 +1243,17 @@
 ./contrib/nslint-2.1a3/strerror.c		X	2001
 ./contrib/pkcs11-keygen/PEM_write_pubkey.c	X	2008
 ./contrib/pkcs11-keygen/README			X	2008,2009
-./contrib/pkcs11-keygen/destroyobj.c		X	2008
-./contrib/pkcs11-keygen/genkey.c		X	2008
+./contrib/pkcs11-keygen/destroyobj.c		X	2008,2009
+./contrib/pkcs11-keygen/genkey.c		X	2008,2009
 ./contrib/pkcs11-keygen/genkey.sh		X	2008
 ./contrib/pkcs11-keygen/keyconv.pl		X	2008
 ./contrib/pkcs11-keygen/keydump.pl		X	2008
-./contrib/pkcs11-keygen/listobjs.c		X	2008
+./contrib/pkcs11-keygen/listobjs.c		X	2008,2009
 ./contrib/pkcs11-keygen/openssl-0.9.8g-patch	X	2008
 ./contrib/pkcs11-keygen/openssl-0.9.8i-patch	X	2009
-./contrib/pkcs11-keygen/readkey.c		X	2008
-./contrib/pkcs11-keygen/set_key_id.c		X	2008
-./contrib/pkcs11-keygen/writekey.c		X	2008
+./contrib/pkcs11-keygen/readkey.c		X	2008,2009
+./contrib/pkcs11-keygen/set_key_id.c		X	2008,2009
+./contrib/pkcs11-keygen/writekey.c		X	2008,2009
 ./contrib/pkcs11-keygen/writekey.sh		X	2008
 ./contrib/query-loc-0.4.0/ADDRESSES		X	2008
 ./contrib/query-loc-0.4.0/ALGO			X	2008

From 09386e47d14d62cae3e3ae0a822836af0d74dd85 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Sun, 6 Sep 2009 17:47:15 +0000
Subject: [PATCH 120/385] moved release tag up

---
 CHANGES | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index daa74098c8..b1a55506f7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,8 @@
+	--- 9.7.0a3 released ---
+
 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 			Update PKCS#11 patch to be against openssl-0.9.8i.
 
-	--- 9.7.0a3 released ---
-
 2668.	[func]		Several improvements to dnssec-* tools, including:
 			- dnssec-keygen and dnssec-settime can now set key
 			  metadata fields 0 (to unset a value, use "none")

From 0b8385f5c51def183dbccd1bc569ea8fe092dfb2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 7 Sep 2009 02:08:51 +0000
Subject: [PATCH 121/385] 2670.   [bug]           Unexpected connect failures
 failed to log enough                         information to be useful. [RT
 #20205]

---
 CHANGES               | 3 +++
 lib/isc/unix/socket.c | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index b1a55506f7..a02274925a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2670.	[bug]		Unexpected connect failures failed to log enough
+			information to be useful. [RT #20205]
+
 	--- 9.7.0a3 released ---
 
 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index ccd495a856..e2e06934ee 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.323 2009/09/02 04:25:19 jinmei Exp $ */
+/* $Id: socket.c,v 1.324 2009/09/07 02:08:51 marka Exp $ */
 
 /*! \file */
 
@@ -5065,6 +5065,7 @@ isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
 	isc__socketmgr_t *manager;
 	int cc;
 	char strbuf[ISC_STRERRORSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
 
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(addr != NULL);
@@ -5133,7 +5134,9 @@ isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
 		sock->connected = 0;
 
 		isc__strerror(errno, strbuf, sizeof(strbuf));
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf);
+		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "connect(%s) %d/%s",
+				 addrbuf, errno, strbuf);
 
 		UNLOCK(&sock->lock);
 		inc_stats(sock->manager->stats,

From 1f821c10583d9cddbaf3626a96ff8cf10cdb645b Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 7 Sep 2009 12:58:33 +0000
Subject: [PATCH 122/385] merge rt19294

---
 CHANGES                                |   5 +
 bin/dnssec/dnssec-keyfromlabel.c       | 173 ++++++++++++++++++++-----
 bin/dnssec/dnssec-keyfromlabel.docbook | 124 ++++++++++++++++--
 bin/dnssec/dnssec-keygen.c             |   6 +-
 lib/dns/opensslrsa_link.c              |  62 ++++++---
 5 files changed, 303 insertions(+), 67 deletions(-)

diff --git a/CHANGES b/CHANGES
index a02274925a..f6a22810e1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2671.	[bug]		Add support for PKCS#11 providers not returning
+			the public exponent in RSA private keys
+			(OpenCryptoki for instance) in
+			dnssec-keyfromlabel. [RT #19294]
+
 2670.	[bug]		Unexpected connect failures failed to log enough
 			information to be useful. [RT #20205]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 56165fd60f..4f93adccf7 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,12 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.11 2009/09/03 13:43:52 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.12 2009/09/07 12:54:59 fdupont Exp $ */
 
 /*! \file */
 
 #include 
 
+#include 
 #include 
 
 #include 
@@ -58,25 +59,32 @@ usage(void) {
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
 	fprintf(stderr, "    -a algorithm: %s\n", algs);
-	fprintf(stderr, "    -l label: label of the key\n");
+	fprintf(stderr, "    -l label: label of the keys\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
 	fprintf(stderr, "    -c  (default: IN)\n");
-	fprintf(stderr, "    -f keyflag (KSK or REVOKE)\n");
+	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
+	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
+	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
+	fprintf(stderr, "    -p : default: 3 [dnssec]\n");
 	fprintf(stderr, "    -t : "
 		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 		"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -p : "
-	       "default: 3 [dnssec]\n");
 	fprintf(stderr, "    -v \n");
-	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
+	fprintf(stderr, "Date options:\n");
+	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
+	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
+	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
+	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
+	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
+			" dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K++.key, "
-		"K++.private\n");
+			"K++.private\n");
 
 	exit (-1);
 }
@@ -84,15 +92,15 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	char		*algname = NULL, *nametype = NULL, *type = NULL;
-	char		*directory = NULL;
+	const char	*directory = NULL;
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL, *oldkey = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
-	isc_uint16_t	flags = 0, ksk = 0, revoke = 0;
+	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
 	dns_secalg_t	alg;
-	isc_boolean_t	null_key = ISC_FALSE;
+	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
 	int		ch;
 	int		protocol = -1, signatory = 0;
@@ -104,7 +112,16 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	char		*label = NULL;
+	char		*label = NULL, *engine = NULL;
+	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
+	isc_stdtime_t	unpublish = 0, delete = 0;
+	isc_stdtime_t	now;
+	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setdel = ISC_FALSE;
+	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetdel = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -115,22 +132,26 @@ main(int argc, char **argv) {
 
 	isc_commandline_errprint = ISC_FALSE;
 
+	isc_stdtime_get(&now);
+
 	while ((ch = isc_commandline_parse(argc, argv,
-					 "a:c:f:K:kl:n:p:t:v:Fh")) != -1)
+				"a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
 			algname = isc_commandline_argument;
 			break;
+		case 'C':
+			oldstyle = ISC_TRUE;
+			break;
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
 		case 'f':
-			if (strcasecmp(isc_commandline_argument, "KSK") == 0)
-				ksk = DNS_KEYFLAG_KSK;
-			else if (strcasecmp(isc_commandline_argument,
-					    "REVOKE") == 0)
-				revoke = DNS_KEYFLAG_REVOKE;
+			if (toupper(isc_commandline_argument[0]) == 'K')
+				kskflag = DNS_KEYFLAG_KSK;
+			else if (toupper(isc_commandline_argument[0]) == 'R')
+				revflag = DNS_KEYFLAG_REVOKE;
 			else
 				fatal("unknown flag '%s'",
 				      isc_commandline_argument);
@@ -161,6 +182,66 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
+		case 'P':
+			if (setpub || unsetpub)
+				fatal("-P specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setpub = ISC_TRUE;
+				publish = strtotime(isc_commandline_argument,
+						    now, now);
+			} else {
+				unsetpub = ISC_TRUE;
+			}
+			break;
+		case 'A':
+			if (setact || unsetact)
+				fatal("-A specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setact = ISC_TRUE;
+				activate = strtotime(isc_commandline_argument,
+						     now, now);
+			} else {
+				unsetact = ISC_TRUE;
+			}
+			break;
+		case 'R':
+			if (setrev || unsetrev)
+				fatal("-R specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setrev = ISC_TRUE;
+				revoke = strtotime(isc_commandline_argument,
+						   now, now);
+			} else {
+				unsetrev = ISC_TRUE;
+			}
+			break;
+		case 'U':
+			if (setunpub || unsetunpub)
+				fatal("-U specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setunpub = ISC_TRUE;
+				unpublish = strtotime(isc_commandline_argument,
+						      now, now);
+			} else {
+				unsetunpub = ISC_TRUE;
+			}
+			break;
+		case 'D':
+			if (setdel || unsetdel)
+				fatal("-D specified more than once");
+
+			if (strcasecmp(isc_commandline_argument, "none")) {
+				setdel = ISC_TRUE;
+				delete = strtotime(isc_commandline_argument,
+						   now, now);
+			} else {
+				unsetdel = ISC_TRUE;
+			}
+			break;
 		case 'F':
 			/* Reserved for FIPS mode */
 			/* FALLTHROUGH */
@@ -245,11 +326,14 @@ main(int argc, char **argv) {
 
 	rdclass = strtoclass(classname);
 
+	if (directory == NULL)
+		directory = ".";
+
 	if ((options & DST_TYPE_KEY) != 0)  /* KEY */
 		flags |= signatory;
 	else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
-		flags |= ksk;
-		flags |= revoke;
+		flags |= kskflag;
+		flags |= revflag;
 	}
 
 	if (protocol == -1)
@@ -278,14 +362,11 @@ main(int argc, char **argv) {
 		fatal("invalid key name %s: %s", argv[isc_commandline_index],
 		      isc_result_totext(ret));
 
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
-		null_key = ISC_TRUE;
-
 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 
 	/* associate the key */
 	ret = dst_key_fromlabel(name, alg, flags, protocol,
-				rdclass, "", label, NULL, mctx, &key);
+				rdclass, engine, label, NULL, mctx, &key);
 	isc_entropy_stopcallbacksources(ectx);
 
 	if (ret != ISC_R_SUCCESS) {
@@ -293,16 +374,43 @@ main(int argc, char **argv) {
 		char algstr[ALG_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof(namestr));
 		alg_format(alg, algstr, sizeof(algstr));
-		fatal("failed to generate key %s/%s: %s\n",
+		fatal("failed to get key %s/%s: %s\n",
 		      namestr, algstr, isc_result_totext(ret));
 		exit(-1);
 	}
 
+	/*
+	 * Set key timing metadata (unless using -C)
+	 */
+	if (!oldstyle) {
+		dst_key_settime(key, DST_TIME_CREATED, now);
+
+		if (setpub)
+			dst_key_settime(key, DST_TIME_PUBLISH, publish);
+		if (setact)
+			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+		if (setrev)
+			dst_key_settime(key, DST_TIME_REVOKE, revoke);
+		if (setunpub)
+			dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
+		if (setdel)
+			dst_key_settime(key, DST_TIME_DELETE, delete);
+	} else {
+		if (setpub || setact || setrev || setunpub ||
+		    setdel || unsetpub || unsetact ||
+		    unsetrev || unsetunpub || unsetdel)
+			fatal("cannot use -C together with "
+			      "-P, -A, -R, -U, or -D options");
+		/*
+		 * Compatibility mode: Private-key-format
+		 * should be set to 1.2.
+		 */
+		dst_key_setprivateformat(key, 1, 2);
+	}
+
 	/*
 	 * Try to read a key with the same name, alg and id from disk.
-	 * If there is one we must continue generating a new one
-	 * unless we were asked to generate a null key, in which
-	 * case we return failure.
+	 * If there is one we must return failure.
 	 */
 	ret = dst_key_fromfile(name, dst_key_id(key), alg,
 			       DST_TYPE_PRIVATE, directory, mctx, &oldkey);
@@ -310,10 +418,7 @@ main(int argc, char **argv) {
 	if (ret == ISC_R_SUCCESS) {
 		isc_buffer_clear(&buf);
 		ret = dst_key_buildfilename(key, 0, directory, &buf);
-		fprintf(stderr, "%s: %s already exists\n",
-			program, filename);
-		dst_key_free(&key);
-		exit (1);
+		fatal("%s: %s already exists\n", program, filename);
 	}
 
 	ret = dst_key_tofile(key, options, directory);
@@ -325,7 +430,7 @@ main(int argc, char **argv) {
 	}
 
 	isc_buffer_clear(&buf);
-	ret = dst_key_buildfilename(key, 0, directory, &buf);
+	ret = dst_key_buildfilename(key, 0, NULL, &buf);
 	printf("%s\n", filename);
 	dst_key_free(&key);
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 1e478d93a3..4beb25b9fe 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -47,13 +47,18 @@
       dnssec-keyfromlabel
       -a algorithm
       -l label
+      
       
+      
       
       
       
       
+      
       
+      
       
+      
       
       name
     
@@ -66,6 +71,11 @@
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  
     
+    
+      The  of the key is specified on the command
+      line.  This must match the name of the zone for which the key is
+      being generated.
+    
   
 
   
@@ -77,8 +87,8 @@
         
 	  
 	    Selects the cryptographic algorithm.  The value of
-	     must be one of RSAMD5 (RSA)
-	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	     must be one of RSAMD5 (RSA),
+	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  
           
@@ -110,8 +120,22 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.
+          
+        
+      
+
+      
+        -C
+        
+          
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, dnssec-keyfromlabel
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
+	     option suppresses them.
           
         
       
@@ -131,7 +155,7 @@
         
           
             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+            The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
         
       
@@ -141,7 +165,7 @@
         
           
             Prints a short summary of the options and arguments to
-            dnssec-keygen.
+            dnssec-keyfromlabel.
           
         
       
@@ -168,7 +192,7 @@
         -p protocol
         
           
-            Sets the protocol value for the generated key.  The protocol
+            Sets the protocol value for the key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
@@ -200,6 +224,80 @@
     
   
 
+  
+    TIMING OPTIONS
+
+    
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
+    
+
+    
+      
+        -P date/offset
+        
+          
+            Sets the date on which a key is to be published to the zone.
+            After that date, the key will be included in the zone but will
+            not be used to sign it.
+          
+        
+      
+
+      
+        -A date/offset
+        
+          
+            Sets the date on which the key is to be activated.  After that
+            date, the key will be included and the zone and used to sign
+            it.
+          
+        
+      
+
+      
+        -R date/offset
+        
+          
+            Sets the date on which the key is to be revoked.  After that
+            date, the key will be flagged as revoked.  It will be included
+            in the zone and will be used to sign it.
+          
+        
+      
+
+      
+        -U date/offset
+        
+          
+            Sets the date on which the key is to be unpublished.  After that
+            date, the key will no longer be included in the zone, but it
+            may remain in the key repository.
+          
+        
+      
+
+      
+        -D date/offset
+        
+          
+            Sets the date on which the key is to be deleted.  After that
+            date, the key can be removed from the key repository.
+            NOTE: Keys are not currently deleted automatically; this field
+            is included for informational purposes and for future
+            development.
+          
+        
+      
+    
+  
+
   
     GENERATED KEY FILES
     
@@ -216,8 +314,7 @@
       
       
         aaa is the numeric representation
-          of the
-          algorithm.
+          of the algorithm.
         
       
       
@@ -231,8 +328,7 @@
       on the printed string.  Knnnn.+aaa+iiiii.key
       contains the public key, and
       Knnnn.+aaa+iiiii.private contains the
-      private
-      key.
+      private key.
     
     
       The .key file contains a DNS KEY record
@@ -241,8 +337,8 @@
       statement).
     
     
-      The .private file contains algorithm
-      specific
+      The .private file contains
+      algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index affb064f49..c5e696eca3 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.93 2009/09/04 16:57:22 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
 
 /*! \file */
 
@@ -699,8 +699,8 @@ main(int argc, char **argv) {
 
 		/*
 		 * Try to read a key with the same name, alg and id from disk.
-		 * If there is one we must continue generating a new one
-		 * unless we were asked to generate a null key, in which
+		 * If there is one we must continue generating a different
+		 * key unless we were asked to generate a null key, in which
 		 * case we return failure.
 		 */
 		ret = dst_key_fromfile(name, dst_key_id(key), alg,
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 395dfdfc7f..828ca3bd6f 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.27 2009/09/07 12:54:59 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -800,7 +800,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	RSA *rsa = NULL, *pubrsa = NULL;
 	ENGINE *e = NULL;
 	isc_mem_t *mctx = key->mctx;
-	const char *name = NULL, *label = NULL;
+	const char *engine = NULL, *label = NULL;
 	EVP_PKEY *pkey = NULL;
 
 #if USE_EVP
@@ -821,7 +821,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	for (i = 0; i < priv.nelements; i++) {
 		switch (priv.elements[i].tag) {
 		case TAG_RSA_ENGINE:
-			name = (char *)priv.elements[i].data;
+			engine = (char *)priv.elements[i].data;
 			break;
 		case TAG_RSA_LABEL:
 			label = (char *)priv.elements[i].data;
@@ -834,10 +834,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	 * Is this key is stored in a HSM?
 	 * See if we can fetch it.
 	 */
-	if (name != NULL || label != NULL) {
-		INSIST(name != NULL);
-		INSIST(label != NULL);
-		e = dst__openssl_getengine(name);
+	if (label != NULL) {
+		if (engine == NULL)
+			DST_RET(DST_R_NOENGINE);
+		e = dst__openssl_getengine(engine);
 		if (e == NULL)
 			DST_RET(DST_R_NOENGINE);
 		pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@@ -845,7 +845,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 			/* ERR_print_errors_fp(stderr); */
 			DST_RET(ISC_R_NOTFOUND);
 		}
-		key->engine = isc_mem_strdup(key->mctx, name);
+		key->engine = isc_mem_strdup(key->mctx, engine);
 		if (key->engine == NULL)
 			DST_RET(ISC_R_NOMEMORY);
 		key->label = isc_mem_strdup(key->mctx, label);
@@ -856,9 +856,12 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 		if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
 			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pubrsa != NULL)
+			RSA_free(pubrsa);
 		key->key_size = EVP_PKEY_bits(pkey);
 #if USE_EVP
 		key->keydata.pkey = pkey;
+		RSA_free(rsa);
 #else
 		key->keydata.rsa = rsa;
 		EVP_PKEY_free(pkey);
@@ -877,9 +880,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	pkey = EVP_PKEY_new();
 	if (pkey == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+	if (!EVP_PKEY_set1_RSA(pkey, rsa))
 		DST_RET(ISC_R_FAILURE);
-	}
 	key->keydata.pkey = pkey;
 #else
 	key->keydata.rsa = rsa;
@@ -964,33 +966,61 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	ENGINE *e = NULL;
 	isc_result_t ret;
 	EVP_PKEY *pkey = NULL;
+	RSA *rsa = NULL, *pubrsa = NULL;
+	char *colon;
 
 	UNUSED(pin);
 
 	e = dst__openssl_getengine(engine);
 	if (e == NULL)
 		DST_RET(DST_R_NOENGINE);
+	pkey = ENGINE_load_public_key(e, label, NULL, NULL);
+	if (pkey != NULL) {
+		pubrsa = EVP_PKEY_get1_RSA(pkey);
+		EVP_PKEY_free(pkey);
+		if (pubrsa == NULL)
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
 	if (pkey == NULL)
 		DST_RET(ISC_R_NOTFOUND);
-	key->engine = isc_mem_strdup(key->mctx, label);
-	if (key->engine == NULL)
-		DST_RET(ISC_R_NOMEMORY);
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	} else {
+		key->engine = isc_mem_strdup(key->mctx, label);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		colon = strchr(key->engine, ':');
+		if (colon != NULL)
+			*colon = '\0';
+	}
 	key->label = isc_mem_strdup(key->mctx, label);
 	if (key->label == NULL)
 		DST_RET(ISC_R_NOMEMORY);
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL)
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
 	key->key_size = EVP_PKEY_bits(pkey);
 #if USE_EVP
 	key->keydata.pkey = pkey;
+	RSA_free(rsa);
 #else
-	key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
+	key->keydata.rsa = rsa;
 	EVP_PKEY_free(pkey);
-	if (key->keydata.rsa == NULL)
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 #endif
 	return (ISC_R_SUCCESS);
 
  err:
+	if (rsa != NULL)
+		RSA_free(rsa);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
 	if (pkey != NULL)
 		EVP_PKEY_free(pkey);
 	return (ret);

From 6cdb18f5d45331602919d3e11bff7f4f9b8905ad Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 7 Sep 2009 15:56:01 +0000
Subject: [PATCH 123/385] bump release tag

---
 CHANGES | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index f6a22810e1..7af8522e43 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+	--- 9.7.0a3 released ---
+
 2671.	[bug]		Add support for PKCS#11 providers not returning
 			the public exponent in RSA private keys
 			(OpenCryptoki for instance) in
@@ -6,8 +8,6 @@
 2670.	[bug]		Unexpected connect failures failed to log enough
 			information to be useful. [RT #20205]
 
-	--- 9.7.0a3 released ---
-
 2669.	[func]		Update PKCS#11 support to support Keyper HSM.
 			Update PKCS#11 patch to be against openssl-0.9.8i.
 

From bf1fb08416fa674a91152cc8d4b4d48324da19fc Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 7 Sep 2009 21:19:21 +0000
Subject: [PATCH 124/385] PKCS#11 includes from OpenCryptoki project

---
 .../pkcs11-keygen/opencryptoki/apiclient.h    |  481 +++++
 contrib/pkcs11-keygen/opencryptoki/pkcs11.h   |  297 +++
 .../pkcs11-keygen/opencryptoki/pkcs11types.h  | 1865 +++++++++++++++++
 3 files changed, 2643 insertions(+)
 create mode 100644 contrib/pkcs11-keygen/opencryptoki/apiclient.h
 create mode 100644 contrib/pkcs11-keygen/opencryptoki/pkcs11.h
 create mode 100644 contrib/pkcs11-keygen/opencryptoki/pkcs11types.h

diff --git a/contrib/pkcs11-keygen/opencryptoki/apiclient.h b/contrib/pkcs11-keygen/opencryptoki/apiclient.h
new file mode 100644
index 0000000000..6e84c54f9d
--- /dev/null
+++ b/contrib/pkcs11-keygen/opencryptoki/apiclient.h
@@ -0,0 +1,481 @@
+/*
+ * $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/pkcs11-keygen/opencryptoki/Attic/apiclient.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $
+ */
+
+
+/*
+             Common Public License Version 0.5
+
+             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
+             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
+             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
+             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+             1. DEFINITIONS
+
+             "Contribution" means: 
+                   a) in the case of the initial Contributor, the
+                   initial code and documentation distributed under
+                   this Agreement, and 
+
+                   b) in the case of each subsequent Contributor:
+                   i) changes to the Program, and
+                   ii) additions to the Program;
+
+                   where such changes and/or additions to the Program
+                   originate from and are distributed by that
+                   particular Contributor. A Contribution 'originates'
+                   from a Contributor if it was added to the Program
+                   by such Contributor itself or anyone acting on such
+                   Contributor's behalf. Contributions do not include
+                   additions to the Program which: (i) are separate
+                   modules of software distributed in conjunction with
+                   the Program under their own license agreement, and
+                   (ii) are not derivative works of the Program.
+
+
+             "Contributor" means any person or entity that distributes
+             the Program.
+
+             "Licensed Patents " mean patent claims licensable by a
+             Contributor which are necessarily infringed by the use or
+             sale of its Contribution alone or when combined with the
+             Program. 
+
+             "Program" means the Contributions distributed in
+             accordance with this Agreement.
+
+             "Recipient" means anyone who receives the Program under
+             this Agreement, including all Contributors.
+
+             2. GRANT OF RIGHTS
+
+                   a) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free copyright
+                   license to reproduce, prepare derivative works of,
+                   publicly display, publicly perform, distribute and
+                   sublicense the Contribution of such Contributor, if
+                   any, and such derivative works, in source code and
+                   object code form.
+
+                   b) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free patent
+                   license under Licensed Patents to make, use, sell,
+                   offer to sell, import and otherwise transfer the
+                   Contribution of such Contributor, if any, in source
+                   code and object code form. This patent license
+                   shall apply to the combination of the Contribution
+                   and the Program if, at the time the Contribution is
+                   added by the Contributor, such addition of the
+                   Contribution causes such combination to be covered
+                   by the Licensed Patents. The patent license shall
+                   not apply to any other combinations which include
+                   the Contribution. No hardware per se is licensed
+                   hereunder.
+
+                   c) Recipient understands that although each
+                   Contributor grants the licenses to its
+                   Contributions set forth herein, no assurances are
+                   provided by any Contributor that the Program does
+                   not infringe the patent or other intellectual
+                   property rights of any other entity. Each
+                   Contributor disclaims any liability to Recipient
+                   for claims brought by any other entity based on
+                   infringement of intellectual property rights or
+                   otherwise. As a condition to exercising the rights
+                   and licenses granted hereunder, each Recipient
+                   hereby assumes sole responsibility to secure any
+                   other intellectual property rights needed, if any.
+
+                   For example, if a third party patent license is
+                   required to allow Recipient to distribute the
+                   Program, it is Recipient's responsibility to
+                   acquire that license before distributing the
+                   Program.
+
+                   d) Each Contributor represents that to its
+                   knowledge it has sufficient copyright rights in its
+                   Contribution, if any, to grant the copyright
+                   license set forth in this Agreement.
+
+             3. REQUIREMENTS
+
+             A Contributor may choose to distribute the Program in
+             object code form under its own license agreement, provided
+             that:
+                   a) it complies with the terms and conditions of
+                   this Agreement; and
+
+                   b) its license agreement:
+                   i) effectively disclaims on behalf of all
+                   Contributors all warranties and conditions, express
+                   and implied, including warranties or conditions of
+                   title and non-infringement, and implied warranties
+                   or conditions of merchantability and fitness for a
+                   particular purpose;
+
+                   ii) effectively excludes on behalf of all
+                   Contributors all liability for damages, including
+                   direct, indirect, special, incidental and
+                   consequential damages, such as lost profits;
+
+                   iii) states that any provisions which differ from
+                   this Agreement are offered by that Contributor
+                   alone and not by any other party; and
+
+                   iv) states that source code for the Program is
+                   available from such Contributor, and informs
+                   licensees how to obtain it in a reasonable manner
+                   on or through a medium customarily used for
+                   software exchange.
+
+             When the Program is made available in source code form:
+                   a) it must be made available under this Agreement;
+                   and
+                   b) a copy of this Agreement must be included with
+                   each copy of the Program. 
+
+             Contributors may not remove or alter any copyright notices
+             contained within the Program.
+
+             Each Contributor must identify itself as the originator of
+             its Contribution, if any, in a manner that reasonably
+             allows subsequent Recipients to identify the originator of
+             the Contribution. 
+
+
+             4. COMMERCIAL DISTRIBUTION
+
+             Commercial distributors of software may accept certain
+             responsibilities with respect to end users, business
+             partners and the like. While this license is intended to
+             facilitate the commercial use of the Program, the
+             Contributor who includes the Program in a commercial
+             product offering should do so in a manner which does not
+             create potential liability for other Contributors.
+             Therefore, if a Contributor includes the Program in a
+             commercial product offering, such Contributor ("Commercial
+             Contributor") hereby agrees to defend and indemnify every
+             other Contributor ("Indemnified Contributor") against any
+             losses, damages and costs (collectively "Losses") arising
+             from claims, lawsuits and other legal actions brought by a
+             third party against the Indemnified Contributor to the
+             extent caused by the acts or omissions of such Commercial
+             Contributor in connection with its distribution of the
+             Program in a commercial product offering. The obligations
+             in this section do not apply to any claims or Losses
+             relating to any actual or alleged intellectual property
+             infringement. In order to qualify, an Indemnified
+             Contributor must: a) promptly notify the Commercial
+             Contributor in writing of such claim, and b) allow the
+             Commercial Contributor to control, and cooperate with the
+             Commercial Contributor in, the defense and any related
+             settlement negotiations. The Indemnified Contributor may
+             participate in any such claim at its own expense.
+
+
+             For example, a Contributor might include the Program in a
+             commercial product offering, Product X. That Contributor
+             is then a Commercial Contributor. If that Commercial
+             Contributor then makes performance claims, or offers
+             warranties related to Product X, those performance claims
+             and warranties are such Commercial Contributor's
+             responsibility alone. Under this section, the Commercial
+             Contributor would have to defend claims against the other
+             Contributors related to those performance claims and
+             warranties, and if a court requires any other Contributor
+             to pay any damages as a result, the Commercial Contributor
+             must pay those damages.
+
+
+             5. NO WARRANTY
+
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
+             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
+             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
+             responsible for determining the appropriateness of using
+             and distributing the Program and assumes all risks
+             associated with its exercise of rights under this
+             Agreement, including but not limited to the risks and
+             costs of program errors, compliance with applicable laws,
+             damage to or loss of data, programs or equipment, and
+             unavailability or interruption of operations. 
+
+             6. DISCLAIMER OF LIABILITY
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
+             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
+             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
+             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
+             POSSIBILITY OF SUCH DAMAGES.
+
+             7. GENERAL
+
+             If any provision of this Agreement is invalid or
+             unenforceable under applicable law, it shall not affect
+             the validity or enforceability of the remainder of the
+             terms of this Agreement, and without further action by the
+             parties hereto, such provision shall be reformed to the
+             minimum extent necessary to make such provision valid and
+             enforceable.
+
+
+             If Recipient institutes patent litigation against a
+             Contributor with respect to a patent applicable to
+             software (including a cross-claim or counterclaim in a
+             lawsuit), then any patent licenses granted by that
+             Contributor to such Recipient under this Agreement shall
+             terminate as of the date such litigation is filed. In
+             addition, If Recipient institutes patent litigation
+             against any entity (including a cross-claim or
+             counterclaim in a lawsuit) alleging that the Program
+             itself (excluding combinations of the Program with other
+             software or hardware) infringes such Recipient's
+             patent(s), then such Recipient's rights granted under
+             Section 2(b) shall terminate as of the date such
+             litigation is filed.
+
+             All Recipient's rights under this Agreement shall
+             terminate if it fails to comply with any of the material
+             terms or conditions of this Agreement and does not cure
+             such failure in a reasonable period of time after becoming
+             aware of such noncompliance. If all Recipient's rights
+             under this Agreement terminate, Recipient agrees to cease
+             use and distribution of the Program as soon as reasonably
+             practicable. However, Recipient's obligations under this
+             Agreement and any licenses granted by Recipient relating
+             to the Program shall continue and survive. 
+
+             Everyone is permitted to copy and distribute copies of
+             this Agreement, but in order to avoid inconsistency the
+             Agreement is copyrighted and may only be modified in the
+             following manner. The Agreement Steward reserves the right
+             to publish new versions (including revisions) of this
+             Agreement from time to time. No one other than the
+             Agreement Steward has the right to modify this Agreement.
+
+             IBM is the initial Agreement Steward. IBM may assign the
+             responsibility to serve as the Agreement Steward to a
+             suitable separate entity. Each new version of the
+             Agreement will be given a distinguishing version number.
+             The Program (including Contributions) may always be
+             distributed subject to the version of the Agreement under
+             which it was received. In addition, after a new version of
+             the Agreement is published, Contributor may elect to
+             distribute the Program (including its Contributions) under
+             the new version. Except as expressly stated in Sections
+             2(a) and 2(b) above, Recipient receives no rights or
+             licenses to the intellectual property of any Contributor
+             under this Agreement, whether expressly, by implication,
+             estoppel or otherwise. All rights in the Program not
+             expressly granted under this Agreement are reserved.
+
+
+             This Agreement is governed by the laws of the State of New
+             York and the intellectual property laws of the United
+             States of America. No party to this Agreement will bring a
+             legal action under this Agreement more than one year after
+             the cause of action arose. Each party waives its rights to
+             a jury trial in any resulting litigation. 
+
+
+
+*/
+
+/* (C) COPYRIGHT International Business Machines Corp. 2001          */
+
+
+#ifndef _APICLIENT_H
+#define _APICLIENT_H
+
+
+#include "pkcs11types.h"
+
+
+
+#define VERSION_MAJOR  2  // Version 2 of the PKCS library
+#define VERSION_MINOR  01 // minor revision .10 of PKCS11
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+CK_RV C_CancelFunction ( CK_SESSION_HANDLE );
+
+CK_RV C_CloseAllSessions ( CK_SLOT_ID );
+
+CK_RV C_CloseSession ( CK_SESSION_HANDLE );
+
+CK_RV C_CopyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+                             CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_CreateObject ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG,
+                               CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_Decrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                          CK_ULONG_PTR );
+
+CK_RV C_DecryptDigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                      CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_DecryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_DecryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_DecryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                                CK_ULONG_PTR );
+
+CK_RV C_DecryptVerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                      CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_DeriveKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                            CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_DestroyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE );
+
+CK_RV C_Digest ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                         CK_ULONG_PTR );
+
+CK_RV C_DigestEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                      CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_DigestFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_DigestInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR );
+
+CK_RV C_DigestKey ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE );
+
+CK_RV C_DigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_Encrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                          CK_ULONG_PTR );
+
+CK_RV C_EncryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_EncryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_EncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                                CK_ULONG_PTR );
+
+CK_RV C_Finalize ( CK_VOID_PTR );
+
+CK_RV C_FindObjects ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG,
+                              CK_ULONG_PTR );
+
+CK_RV C_FindObjectsFinal ( CK_SESSION_HANDLE );
+
+CK_RV C_FindObjectsInit ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG );
+
+CK_RV C_GenerateKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
+                              CK_ULONG, CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_GenerateKeyPair ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
+                                  CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
+                                  CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_GenerateRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_GetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+                                    CK_ATTRIBUTE_PTR, CK_ULONG );
+
+CK_RV C_GetFunctionList ( CK_FUNCTION_LIST_PTR_PTR );
+
+CK_RV C_GetFunctionStatus ( CK_SESSION_HANDLE );
+
+CK_RV C_GetInfo ( CK_INFO_PTR );
+
+CK_RV C_GetMechanismInfo ( CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR );
+
+CK_RV C_GetMechanismList ( CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR );
+
+CK_RV C_GetObjectSize ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR );
+
+CK_RV C_GetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_GetSessionInfo ( CK_SESSION_HANDLE, CK_SESSION_INFO_PTR );
+
+CK_RV C_GetSlotInfo ( CK_SLOT_ID, CK_SLOT_INFO_PTR );
+
+CK_RV C_GetSlotList ( CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR );
+
+CK_RV C_GetTokenInfo ( CK_SLOT_ID, CK_TOKEN_INFO_PTR );
+
+CK_RV C_Initialize ( CK_VOID_PTR );
+
+CK_RV C_InitPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG );
+
+CK_RV C_InitToken ( CK_SLOT_ID, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR );
+
+CK_RV C_Login ( CK_SESSION_HANDLE, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG );
+
+CK_RV C_Logout ( CK_SESSION_HANDLE );
+
+CK_RV C_OpenSession ( CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY,
+                              CK_SESSION_HANDLE_PTR );
+
+CK_RV C_SeedRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_SetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
+                                    CK_ATTRIBUTE_PTR, CK_ULONG );
+
+CK_RV C_SetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                    CK_OBJECT_HANDLE, CK_OBJECT_HANDLE );
+
+CK_RV C_SetPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR, CK_ULONG );
+
+CK_RV C_Sign ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                       CK_ULONG_PTR );
+
+CK_RV C_SignEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
+                                    CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_SignFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+CK_RV C_SignInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_SignRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                              CK_ULONG_PTR );
+
+CK_RV C_SignRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_SignUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_UnwrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                            CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
+                            CK_OBJECT_HANDLE_PTR );
+
+CK_RV C_Verify ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_VerifyFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_VerifyInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_VerifyRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
+                                CK_ULONG_PTR );
+
+CK_RV C_VerifyRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
+
+CK_RV C_VerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
+
+CK_RV C_WaitForSlotEvent ( CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR );
+
+CK_RV C_WrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
+                          CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // _APICLIENT_H
+
+
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
new file mode 100644
index 0000000000..bf1fe59f9e
--- /dev/null
+++ b/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
@@ -0,0 +1,297 @@
+/*
+             Common Public License Version 0.5
+
+             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
+             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
+             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
+             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+             1. DEFINITIONS
+
+             "Contribution" means: 
+                   a) in the case of the initial Contributor, the
+                   initial code and documentation distributed under
+                   this Agreement, and 
+
+                   b) in the case of each subsequent Contributor:
+                   i) changes to the Program, and
+                   ii) additions to the Program;
+
+                   where such changes and/or additions to the Program
+                   originate from and are distributed by that
+                   particular Contributor. A Contribution 'originates'
+                   from a Contributor if it was added to the Program
+                   by such Contributor itself or anyone acting on such
+                   Contributor's behalf. Contributions do not include
+                   additions to the Program which: (i) are separate
+                   modules of software distributed in conjunction with
+                   the Program under their own license agreement, and
+                   (ii) are not derivative works of the Program.
+
+
+             "Contributor" means any person or entity that distributes
+             the Program.
+
+             "Licensed Patents " mean patent claims licensable by a
+             Contributor which are necessarily infringed by the use or
+             sale of its Contribution alone or when combined with the
+             Program. 
+
+             "Program" means the Contributions distributed in
+             accordance with this Agreement.
+
+             "Recipient" means anyone who receives the Program under
+             this Agreement, including all Contributors.
+
+             2. GRANT OF RIGHTS
+
+                   a) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free copyright
+                   license to reproduce, prepare derivative works of,
+                   publicly display, publicly perform, distribute and
+                   sublicense the Contribution of such Contributor, if
+                   any, and such derivative works, in source code and
+                   object code form.
+
+                   b) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free patent
+                   license under Licensed Patents to make, use, sell,
+                   offer to sell, import and otherwise transfer the
+                   Contribution of such Contributor, if any, in source
+                   code and object code form. This patent license
+                   shall apply to the combination of the Contribution
+                   and the Program if, at the time the Contribution is
+                   added by the Contributor, such addition of the
+                   Contribution causes such combination to be covered
+                   by the Licensed Patents. The patent license shall
+                   not apply to any other combinations which include
+                   the Contribution. No hardware per se is licensed
+                   hereunder.
+
+                   c) Recipient understands that although each
+                   Contributor grants the licenses to its
+                   Contributions set forth herein, no assurances are
+                   provided by any Contributor that the Program does
+                   not infringe the patent or other intellectual
+                   property rights of any other entity. Each
+                   Contributor disclaims any liability to Recipient
+                   for claims brought by any other entity based on
+                   infringement of intellectual property rights or
+                   otherwise. As a condition to exercising the rights
+                   and licenses granted hereunder, each Recipient
+                   hereby assumes sole responsibility to secure any
+                   other intellectual property rights needed, if any.
+
+                   For example, if a third party patent license is
+                   required to allow Recipient to distribute the
+                   Program, it is Recipient's responsibility to
+                   acquire that license before distributing the
+                   Program.
+
+                   d) Each Contributor represents that to its
+                   knowledge it has sufficient copyright rights in its
+                   Contribution, if any, to grant the copyright
+                   license set forth in this Agreement.
+
+             3. REQUIREMENTS
+
+             A Contributor may choose to distribute the Program in
+             object code form under its own license agreement, provided
+             that:
+                   a) it complies with the terms and conditions of
+                   this Agreement; and
+
+                   b) its license agreement:
+                   i) effectively disclaims on behalf of all
+                   Contributors all warranties and conditions, express
+                   and implied, including warranties or conditions of
+                   title and non-infringement, and implied warranties
+                   or conditions of merchantability and fitness for a
+                   particular purpose;
+
+                   ii) effectively excludes on behalf of all
+                   Contributors all liability for damages, including
+                   direct, indirect, special, incidental and
+                   consequential damages, such as lost profits;
+
+                   iii) states that any provisions which differ from
+                   this Agreement are offered by that Contributor
+                   alone and not by any other party; and
+
+                   iv) states that source code for the Program is
+                   available from such Contributor, and informs
+                   licensees how to obtain it in a reasonable manner
+                   on or through a medium customarily used for
+                   software exchange.
+
+             When the Program is made available in source code form:
+                   a) it must be made available under this Agreement;
+                   and
+                   b) a copy of this Agreement must be included with
+                   each copy of the Program. 
+
+             Contributors may not remove or alter any copyright notices
+             contained within the Program.
+
+             Each Contributor must identify itself as the originator of
+             its Contribution, if any, in a manner that reasonably
+             allows subsequent Recipients to identify the originator of
+             the Contribution. 
+
+
+             4. COMMERCIAL DISTRIBUTION
+
+             Commercial distributors of software may accept certain
+             responsibilities with respect to end users, business
+             partners and the like. While this license is intended to
+             facilitate the commercial use of the Program, the
+             Contributor who includes the Program in a commercial
+             product offering should do so in a manner which does not
+             create potential liability for other Contributors.
+             Therefore, if a Contributor includes the Program in a
+             commercial product offering, such Contributor ("Commercial
+             Contributor") hereby agrees to defend and indemnify every
+             other Contributor ("Indemnified Contributor") against any
+             losses, damages and costs (collectively "Losses") arising
+             from claims, lawsuits and other legal actions brought by a
+             third party against the Indemnified Contributor to the
+             extent caused by the acts or omissions of such Commercial
+             Contributor in connection with its distribution of the
+             Program in a commercial product offering. The obligations
+             in this section do not apply to any claims or Losses
+             relating to any actual or alleged intellectual property
+             infringement. In order to qualify, an Indemnified
+             Contributor must: a) promptly notify the Commercial
+             Contributor in writing of such claim, and b) allow the
+             Commercial Contributor to control, and cooperate with the
+             Commercial Contributor in, the defense and any related
+             settlement negotiations. The Indemnified Contributor may
+             participate in any such claim at its own expense.
+
+
+             For example, a Contributor might include the Program in a
+             commercial product offering, Product X. That Contributor
+             is then a Commercial Contributor. If that Commercial
+             Contributor then makes performance claims, or offers
+             warranties related to Product X, those performance claims
+             and warranties are such Commercial Contributor's
+             responsibility alone. Under this section, the Commercial
+             Contributor would have to defend claims against the other
+             Contributors related to those performance claims and
+             warranties, and if a court requires any other Contributor
+             to pay any damages as a result, the Commercial Contributor
+             must pay those damages.
+
+
+             5. NO WARRANTY
+
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
+             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
+             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
+             responsible for determining the appropriateness of using
+             and distributing the Program and assumes all risks
+             associated with its exercise of rights under this
+             Agreement, including but not limited to the risks and
+             costs of program errors, compliance with applicable laws,
+             damage to or loss of data, programs or equipment, and
+             unavailability or interruption of operations. 
+
+             6. DISCLAIMER OF LIABILITY
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
+             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
+             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
+             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
+             POSSIBILITY OF SUCH DAMAGES.
+
+             7. GENERAL
+
+             If any provision of this Agreement is invalid or
+             unenforceable under applicable law, it shall not affect
+             the validity or enforceability of the remainder of the
+             terms of this Agreement, and without further action by the
+             parties hereto, such provision shall be reformed to the
+             minimum extent necessary to make such provision valid and
+             enforceable.
+
+
+             If Recipient institutes patent litigation against a
+             Contributor with respect to a patent applicable to
+             software (including a cross-claim or counterclaim in a
+             lawsuit), then any patent licenses granted by that
+             Contributor to such Recipient under this Agreement shall
+             terminate as of the date such litigation is filed. In
+             addition, If Recipient institutes patent litigation
+             against any entity (including a cross-claim or
+             counterclaim in a lawsuit) alleging that the Program
+             itself (excluding combinations of the Program with other
+             software or hardware) infringes such Recipient's
+             patent(s), then such Recipient's rights granted under
+             Section 2(b) shall terminate as of the date such
+             litigation is filed.
+
+             All Recipient's rights under this Agreement shall
+             terminate if it fails to comply with any of the material
+             terms or conditions of this Agreement and does not cure
+             such failure in a reasonable period of time after becoming
+             aware of such noncompliance. If all Recipient's rights
+             under this Agreement terminate, Recipient agrees to cease
+             use and distribution of the Program as soon as reasonably
+             practicable. However, Recipient's obligations under this
+             Agreement and any licenses granted by Recipient relating
+             to the Program shall continue and survive. 
+
+             Everyone is permitted to copy and distribute copies of
+             this Agreement, but in order to avoid inconsistency the
+             Agreement is copyrighted and may only be modified in the
+             following manner. The Agreement Steward reserves the right
+             to publish new versions (including revisions) of this
+             Agreement from time to time. No one other than the
+             Agreement Steward has the right to modify this Agreement.
+
+             IBM is the initial Agreement Steward. IBM may assign the
+             responsibility to serve as the Agreement Steward to a
+             suitable separate entity. Each new version of the
+             Agreement will be given a distinguishing version number.
+             The Program (including Contributions) may always be
+             distributed subject to the version of the Agreement under
+             which it was received. In addition, after a new version of
+             the Agreement is published, Contributor may elect to
+             distribute the Program (including its Contributions) under
+             the new version. Except as expressly stated in Sections
+             2(a) and 2(b) above, Recipient receives no rights or
+             licenses to the intellectual property of any Contributor
+             under this Agreement, whether expressly, by implication,
+             estoppel or otherwise. All rights in the Program not
+             expressly granted under this Agreement are reserved.
+
+
+             This Agreement is governed by the laws of the State of New
+             York and the intellectual property laws of the United
+             States of America. No party to this Agreement will bring a
+             legal action under this Agreement more than one year after
+             the cause of action arose. Each party waives its rights to
+             a jury trial in any resulting litigation. 
+
+
+
+*/
+
+/* (c) COPYRIGHT International Business Machines Corp. 2001          */
+
+#ifndef OPENCRYPTOKI_PKCS11_H
+#define OPENCRYPTOKI_PKCS11_H
+
+#include 
+#include 
+
+#endif
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
new file mode 100644
index 0000000000..f9f72e731b
--- /dev/null
+++ b/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
@@ -0,0 +1,1865 @@
+/*
+ * $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/pkcs11-keygen/opencryptoki/Attic/pkcs11types.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $
+ */
+
+/*
+             Common Public License Version 0.5
+
+             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
+             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
+             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
+             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+             1. DEFINITIONS
+
+             "Contribution" means: 
+                   a) in the case of the initial Contributor, the
+                   initial code and documentation distributed under
+                   this Agreement, and 
+
+                   b) in the case of each subsequent Contributor:
+                   i) changes to the Program, and
+                   ii) additions to the Program;
+
+                   where such changes and/or additions to the Program
+                   originate from and are distributed by that
+                   particular Contributor. A Contribution 'originates'
+                   from a Contributor if it was added to the Program
+                   by such Contributor itself or anyone acting on such
+                   Contributor's behalf. Contributions do not include
+                   additions to the Program which: (i) are separate
+                   modules of software distributed in conjunction with
+                   the Program under their own license agreement, and
+                   (ii) are not derivative works of the Program.
+
+
+             "Contributor" means any person or entity that distributes
+             the Program.
+
+             "Licensed Patents " mean patent claims licensable by a
+             Contributor which are necessarily infringed by the use or
+             sale of its Contribution alone or when combined with the
+             Program. 
+
+             "Program" means the Contributions distributed in
+             accordance with this Agreement.
+
+             "Recipient" means anyone who receives the Program under
+             this Agreement, including all Contributors.
+
+             2. GRANT OF RIGHTS
+
+                   a) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free copyright
+                   license to reproduce, prepare derivative works of,
+                   publicly display, publicly perform, distribute and
+                   sublicense the Contribution of such Contributor, if
+                   any, and such derivative works, in source code and
+                   object code form.
+
+                   b) Subject to the terms of this Agreement, each
+                   Contributor hereby grants Recipient a
+                   non-exclusive, worldwide, royalty-free patent
+                   license under Licensed Patents to make, use, sell,
+                   offer to sell, import and otherwise transfer the
+                   Contribution of such Contributor, if any, in source
+                   code and object code form. This patent license
+                   shall apply to the combination of the Contribution
+                   and the Program if, at the time the Contribution is
+                   added by the Contributor, such addition of the
+                   Contribution causes such combination to be covered
+                   by the Licensed Patents. The patent license shall
+                   not apply to any other combinations which include
+                   the Contribution. No hardware per se is licensed
+                   hereunder.
+
+                   c) Recipient understands that although each
+                   Contributor grants the licenses to its
+                   Contributions set forth herein, no assurances are
+                   provided by any Contributor that the Program does
+                   not infringe the patent or other intellectual
+                   property rights of any other entity. Each
+                   Contributor disclaims any liability to Recipient
+                   for claims brought by any other entity based on
+                   infringement of intellectual property rights or
+                   otherwise. As a condition to exercising the rights
+                   and licenses granted hereunder, each Recipient
+                   hereby assumes sole responsibility to secure any
+                   other intellectual property rights needed, if any.
+
+                   For example, if a third party patent license is
+                   required to allow Recipient to distribute the
+                   Program, it is Recipient's responsibility to
+                   acquire that license before distributing the
+                   Program.
+
+                   d) Each Contributor represents that to its
+                   knowledge it has sufficient copyright rights in its
+                   Contribution, if any, to grant the copyright
+                   license set forth in this Agreement.
+
+             3. REQUIREMENTS
+
+             A Contributor may choose to distribute the Program in
+             object code form under its own license agreement, provided
+             that:
+                   a) it complies with the terms and conditions of
+                   this Agreement; and
+
+                   b) its license agreement:
+                   i) effectively disclaims on behalf of all
+                   Contributors all warranties and conditions, express
+                   and implied, including warranties or conditions of
+                   title and non-infringement, and implied warranties
+                   or conditions of merchantability and fitness for a
+                   particular purpose;
+
+                   ii) effectively excludes on behalf of all
+                   Contributors all liability for damages, including
+                   direct, indirect, special, incidental and
+                   consequential damages, such as lost profits;
+
+                   iii) states that any provisions which differ from
+                   this Agreement are offered by that Contributor
+                   alone and not by any other party; and
+
+                   iv) states that source code for the Program is
+                   available from such Contributor, and informs
+                   licensees how to obtain it in a reasonable manner
+                   on or through a medium customarily used for
+                   software exchange.
+
+             When the Program is made available in source code form:
+                   a) it must be made available under this Agreement;
+                   and
+                   b) a copy of this Agreement must be included with
+                   each copy of the Program. 
+
+             Contributors may not remove or alter any copyright notices
+             contained within the Program.
+
+             Each Contributor must identify itself as the originator of
+             its Contribution, if any, in a manner that reasonably
+             allows subsequent Recipients to identify the originator of
+             the Contribution. 
+
+
+             4. COMMERCIAL DISTRIBUTION
+
+             Commercial distributors of software may accept certain
+             responsibilities with respect to end users, business
+             partners and the like. While this license is intended to
+             facilitate the commercial use of the Program, the
+             Contributor who includes the Program in a commercial
+             product offering should do so in a manner which does not
+             create potential liability for other Contributors.
+             Therefore, if a Contributor includes the Program in a
+             commercial product offering, such Contributor ("Commercial
+             Contributor") hereby agrees to defend and indemnify every
+             other Contributor ("Indemnified Contributor") against any
+             losses, damages and costs (collectively "Losses") arising
+             from claims, lawsuits and other legal actions brought by a
+             third party against the Indemnified Contributor to the
+             extent caused by the acts or omissions of such Commercial
+             Contributor in connection with its distribution of the
+             Program in a commercial product offering. The obligations
+             in this section do not apply to any claims or Losses
+             relating to any actual or alleged intellectual property
+             infringement. In order to qualify, an Indemnified
+             Contributor must: a) promptly notify the Commercial
+             Contributor in writing of such claim, and b) allow the
+             Commercial Contributor to control, and cooperate with the
+             Commercial Contributor in, the defense and any related
+             settlement negotiations. The Indemnified Contributor may
+             participate in any such claim at its own expense.
+
+
+             For example, a Contributor might include the Program in a
+             commercial product offering, Product X. That Contributor
+             is then a Commercial Contributor. If that Commercial
+             Contributor then makes performance claims, or offers
+             warranties related to Product X, those performance claims
+             and warranties are such Commercial Contributor's
+             responsibility alone. Under this section, the Commercial
+             Contributor would have to defend claims against the other
+             Contributors related to those performance claims and
+             warranties, and if a court requires any other Contributor
+             to pay any damages as a result, the Commercial Contributor
+             must pay those damages.
+
+
+             5. NO WARRANTY
+
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
+             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
+             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
+             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
+             responsible for determining the appropriateness of using
+             and distributing the Program and assumes all risks
+             associated with its exercise of rights under this
+             Agreement, including but not limited to the risks and
+             costs of program errors, compliance with applicable laws,
+             damage to or loss of data, programs or equipment, and
+             unavailability or interruption of operations. 
+
+             6. DISCLAIMER OF LIABILITY
+             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
+             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
+             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
+             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
+             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
+             POSSIBILITY OF SUCH DAMAGES.
+
+             7. GENERAL
+
+             If any provision of this Agreement is invalid or
+             unenforceable under applicable law, it shall not affect
+             the validity or enforceability of the remainder of the
+             terms of this Agreement, and without further action by the
+             parties hereto, such provision shall be reformed to the
+             minimum extent necessary to make such provision valid and
+             enforceable.
+
+
+             If Recipient institutes patent litigation against a
+             Contributor with respect to a patent applicable to
+             software (including a cross-claim or counterclaim in a
+             lawsuit), then any patent licenses granted by that
+             Contributor to such Recipient under this Agreement shall
+             terminate as of the date such litigation is filed. In
+             addition, If Recipient institutes patent litigation
+             against any entity (including a cross-claim or
+             counterclaim in a lawsuit) alleging that the Program
+             itself (excluding combinations of the Program with other
+             software or hardware) infringes such Recipient's
+             patent(s), then such Recipient's rights granted under
+             Section 2(b) shall terminate as of the date such
+             litigation is filed.
+
+             All Recipient's rights under this Agreement shall
+             terminate if it fails to comply with any of the material
+             terms or conditions of this Agreement and does not cure
+             such failure in a reasonable period of time after becoming
+             aware of such noncompliance. If all Recipient's rights
+             under this Agreement terminate, Recipient agrees to cease
+             use and distribution of the Program as soon as reasonably
+             practicable. However, Recipient's obligations under this
+             Agreement and any licenses granted by Recipient relating
+             to the Program shall continue and survive. 
+
+             Everyone is permitted to copy and distribute copies of
+             this Agreement, but in order to avoid inconsistency the
+             Agreement is copyrighted and may only be modified in the
+             following manner. The Agreement Steward reserves the right
+             to publish new versions (including revisions) of this
+             Agreement from time to time. No one other than the
+             Agreement Steward has the right to modify this Agreement.
+
+             IBM is the initial Agreement Steward. IBM may assign the
+             responsibility to serve as the Agreement Steward to a
+             suitable separate entity. Each new version of the
+             Agreement will be given a distinguishing version number.
+             The Program (including Contributions) may always be
+             distributed subject to the version of the Agreement under
+             which it was received. In addition, after a new version of
+             the Agreement is published, Contributor may elect to
+             distribute the Program (including its Contributions) under
+             the new version. Except as expressly stated in Sections
+             2(a) and 2(b) above, Recipient receives no rights or
+             licenses to the intellectual property of any Contributor
+             under this Agreement, whether expressly, by implication,
+             estoppel or otherwise. All rights in the Program not
+             expressly granted under this Agreement are reserved.
+
+
+             This Agreement is governed by the laws of the State of New
+             York and the intellectual property laws of the United
+             States of America. No party to this Agreement will bring a
+             legal action under this Agreement more than one year after
+             the cause of action arose. Each party waives its rights to
+             a jury trial in any resulting litigation. 
+
+
+
+*/
+
+/* (C) COPYRIGHT International Business Machines Corp. 2001          */
+
+
+//----------------------------------------------------------------------------
+//
+// File: PKCS11Types.h
+//
+//
+//----------------------------------------------------------------------------
+
+
+#ifndef _PKCS11TYPES_H_
+#define _PKCS11TYPES_H_
+
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#ifndef FALSE
+#define FALSE             0
+#endif
+
+#ifndef TRUE
+#define TRUE              (!FALSE)
+#endif
+
+// AIX Addition for 64Bit work.
+// All types are 32bit types, therefore the longs have to be
+// typedefed to be 32bit values.
+typedef unsigned int uint_32;
+typedef int int_32;
+
+#define CK_PTR *
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+  returnType (* name)
+
+#ifndef NULL_PTR
+	#define NULL_PTR ((void *) NULL)
+#endif /* NULL_PTR */
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_CHAR       manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_CHAR       libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  CK_CHAR       slotDescription[64];  /* blank padded */
+  CK_CHAR       manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  CK_CHAR       label[32];           /* blank padded */
+  CK_CHAR       manufacturerID[32];  /* blank padded */
+  CK_CHAR       model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED is new for v2.11. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of this standard.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED		0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION is new for v2.11.  If it is
+ * true, the token supports secondary authentication for private
+ * key objects. According to the 2.11 spec pg. 45, this flag
+ * is deprecated and this flags should never be true. */
+#define CKF_SECONDARY_AUTHENTICATION	0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW is new in v2.11.  This flag is true
+ * is an incorrect user PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW		0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY is new in v2.11.  This flag is true if
+ * supplying an incorrect user PIN will cause it to become
+ * locked. */
+#define CKF_USER_PIN_FINAL_TRY		0x00020000
+
+/* CKF_USER_PIN_LOCKED is new in v2.11.  This is true if the
+ * user PIN has been locked.  User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED		0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED is new in v2.11.  This flag is
+ * true if the user PIN value is the default value set by
+ * token initialization of manufacturing, or the PIN has
+ * been expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED	0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW is new in v2.11.  This flag is true if
+ * and incorrect SO login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW		0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY is new in v2.11.  This flag is true if
+ * supplying an incorrect SO PIN will cause it to become 
+ * locked. */
+#define CKF_SO_PIN_FINAL_TRY		0x00200000
+
+/* CKF_SO_PIN_LOCKED is new in v2.11.  This flag is true if
+ * the SO PIN has been locked.  User login to the token is not
+ * possible. */
+#define CKF_SO_PIN_LOCKED		0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED is new in v2.11. This flag is true
+ * if the SO PIN calue is the default value set by token init-
+ * ialization of manufacturing, or the PIN has been expired by
+ * the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED	0x00800000
+
+#if 0
+/* IBM extended Token Info Flags - defined by Michael Hamann */
+/* These Flags are not part of PKCS#11 Version 2.01          */
+
+/* This will be used to track the state of login retries     */
+#define CKF_USER_PIN_COUNT_LOW      0x00010000
+#define CKF_USER_PIN_FINAL_TRY      0x00020000
+#define CKF_USER_PIN_LOCKED         0x00040000
+#define CKF_USER_PIN_MANUFACT_VALUE 0x00080000
+
+#define CKF_SO_PIN_COUNT_LOW        0x00100000
+#define CKF_SO_PIN_FINAL_TRY        0x00200000
+#define CKF_SO_PIN_LOCKED           0x00400000
+#define CKF_SO_PIN_MANUFACT_VALUE   0x00800000
+#endif
+
+/*  other IBM extended Token info Flags 05/29/99  */
+#define CKF_SO_PIN_DERIVED          0x01000000  // Sec Officer pin on card is derived from card id
+#define CKF_SO_CARD                 0x02000000  // Security Officer Card
+/* End of IBM extented Token Info Flags   */
+
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+/* CKO_HW_FEATURE and CKO_DOMAIN_PARAMETERS are new for v2.11 */
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is a value that identifies a hardware
+ * feature type of a device. This is new for v2.11.
+ */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined: */
+#define CKH_MONOTONIC_COUNTER	0x00000001
+#define CKH_CLOCK		0x00000002
+#define CKH_VENDOR_DEFINED	0x80000000
+
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred */
+#define CKK_ECDSA           0x00000003
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH        0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred */
+#define CKK_CAST5           0x00000018
+#define CKK_CAST128         0x00000018  /* CAST128=CAST5 */
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+/* CKK_AES is new for v2.11 */
+#define CKK_AES             0x0000001F
+
+#define CKK_VENDOR_DEFINED  0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+#define CKC_X_509           0x00000000
+/* CKC_X_509_ATTR_CERT is new for v2.11 */
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+/* CKA_OBJECT_ID is new for v2.11 */
+#define CKA_OBJECT_ID          0x00000012
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+/* CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES and CKA_TRUSTED 
+ * are new for v2.11 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+#define CKA_TRUSTED            0x00000086
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUBPRIME_BITS      0x00000134
+
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+#define CKA_MODIFIABLE         0x00000170
+/* CKA_ECDSA_PARAMS is deprecated in v2.11, CKA_EC_PARAMS is preferred */
+#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_EC_PARAMS          0x00000180
+#define CKA_EC_POINT           0x00000181
+/* The following are new for v2.11 */
+#define CKA_SECONDARY_AUTH     0x00000200
+#define CKA_AUTH_PIN_FLAGS     0x00000201
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+/* For use in storing objects that have an encrypted or otherwise
+ * opaque attribute. Support has been added to use this attribute
+ * in key objects only. */
+#define CKA_IBM_OPAQUE         CKA_VENDOR_DEFINED + 1
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+/* The following are new for v2.11: */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+#define CKM_RSA_PKCS_PSS               0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+/* The following are new for v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+#define CKM_SHA256_RSA_PKCS            0x00000043
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* The following are new for v2.11 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+#define CKM_SHA256                     0x00000250
+#define CKM_SHA256_HMAC                0x00000251
+#define CKM_SHA256_HMAC_GENERAL        0x00000252
+#define CKM_SHA384                     0x00000260
+#define CKM_SHA384_HMAC                0x00000261
+#define CKM_SHA384_HMAC_GENERAL        0x00000262
+#define CKM_SHA512                     0x00000270
+#define CKM_SHA512_HMAC                0x00000271
+#define CKM_SHA512_HMAC_GENERAL        0x00000272
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+/* The following are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+#define CKM_SHA256_KEY_DERIVATION      0x00000393
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+/* CKM_PKCS5_PBKD2 is new for v2.11 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, 
+ * CKM_EC_KEY_PAIR_GEN is preferred. */
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+/* The following are new for v2.11 */
+#define CKM_ECDH1_DERIVE               0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
+#define CKM_ECMQV_DERIVE               0x00001052
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+/* The following are new for v2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+/* The following are new for v2.11 */
+#define CKF_EC_F_P             0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000  /* FALSE for 2.01 */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+/* CKR_DOMAIN_PARAMS_INVALID is new for v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+// SAB the mutex ones had pf infront previously..
+// The spec says otherwise.
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX  CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX    LockMutex;
+  CK_UNLOCKMUTEX  UnlockMutex;
+  CK_FLAGS        flags;
+  CK_VOID_PTR     pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_CHAR_PTR  pInitVector;
+  CK_CHAR_PTR  pPassword;
+  CK_ULONG     ulPasswordLen;
+  CK_CHAR_PTR  pSalt;
+  CK_ULONG     ulSaltLen;
+  CK_ULONG     ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+typedef CK_RV	(CK_PTR CK_C_Initialize)
+						(CK_VOID_PTR pReserved);
+typedef CK_RV	(CK_PTR  CK_C_Finalize)
+						(CK_VOID_PTR pReserved);
+typedef CK_RV	(CK_PTR  CK_C_Terminate)
+						(void);
+typedef CK_RV	(CK_PTR  CK_C_GetInfo)
+						(CK_INFO_PTR pInfo);
+typedef CK_RV	(CK_PTR  CK_C_GetFunctionList)
+						(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
+typedef CK_RV	(CK_PTR  CK_C_GetSlotList)
+						(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+						 CK_ULONG_PTR pusCount);
+typedef CK_RV	(CK_PTR  CK_C_GetSlotInfo)
+						(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo);
+typedef CK_RV	(CK_PTR  CK_C_GetTokenInfo)
+						(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+typedef CK_RV	(CK_PTR  CK_C_GetMechanismList)
+						(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList,
+						 CK_ULONG_PTR pusCount);
+typedef CK_RV	(CK_PTR  CK_C_GetMechanismInfo)
+						(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+						 CK_MECHANISM_INFO_PTR pInfo);
+typedef CK_RV	(CK_PTR  CK_C_InitToken)
+						(CK_SLOT_ID slotID, CK_CHAR_PTR pPin, CK_ULONG usPinLen,
+						 CK_CHAR_PTR pLabel);
+typedef CK_RV	(CK_PTR  CK_C_InitPIN)
+						(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin,
+						 CK_ULONG usPinLen);
+typedef CK_RV	(CK_PTR  CK_C_SetPIN)
+						(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+						 CK_ULONG usOldLen, CK_CHAR_PTR pNewPin,
+						 CK_ULONG usNewLen);
+typedef CK_RV	(CK_PTR  CK_C_OpenSession)
+						(CK_SLOT_ID slotID, CK_FLAGS flags,
+						 CK_VOID_PTR pApplication,
+						 CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+						 CK_NOTIFICATION event, CK_VOID_PTR pApplication),
+						 CK_SESSION_HANDLE_PTR phSession);
+typedef CK_RV	(CK_PTR  CK_C_CloseSession)
+						(CK_SESSION_HANDLE hSession);
+typedef CK_RV	(CK_PTR  CK_C_CloseAllSessions)
+						(CK_SLOT_ID slotID);
+typedef CK_RV	(CK_PTR  CK_C_GetSessionInfo)
+						(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo);
+typedef CK_RV	(CK_PTR  CK_C_GetOperationState)
+						(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
+						 CK_ULONG_PTR pulOperationStateLen);
+typedef CK_RV	(CK_PTR  CK_C_SetOperationState)
+						(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
+						 CK_ULONG ulOperationStateLen,
+						 CK_OBJECT_HANDLE hEncryptionKey,
+						 CK_OBJECT_HANDLE hAuthenticationKey);
+typedef CK_RV	(CK_PTR  CK_C_Login)(CK_SESSION_HANDLE hSession,
+						 CK_USER_TYPE userType, CK_CHAR_PTR pPin,
+						 CK_ULONG usPinLen);
+typedef CK_RV	(CK_PTR  CK_C_Logout)(CK_SESSION_HANDLE hSession);
+typedef CK_RV	(CK_PTR  CK_C_CreateObject)
+						(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+						 CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
+typedef CK_RV	(CK_PTR  CK_C_CopyObject)
+						(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+						 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
+						 CK_OBJECT_HANDLE_PTR phNewObject);
+typedef CK_RV (CK_PTR  CK_C_DestroyObject)
+                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+typedef CK_RV(CK_PTR  CK_C_GetObjectSize)
+                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ULONG_PTR pusSize);
+typedef CK_RV(CK_PTR  CK_C_GetAttributeValue)
+                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+typedef CK_RV(CK_PTR  CK_C_SetAttributeValue)
+                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+typedef CK_RV (CK_PTR  CK_C_FindObjectsInit)
+                       (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+                        CK_ULONG usCount);
+typedef CK_RV (CK_PTR  CK_C_FindObjects)
+                       (CK_SESSION_HANDLE hSession,
+                        CK_OBJECT_HANDLE_PTR phObject, CK_ULONG usMaxObjectCount,
+                        CK_ULONG_PTR pusObjectCount);
+typedef CK_RV (CK_PTR  CK_C_FindObjectsFinal)
+                       (CK_SESSION_HANDLE hSession);
+typedef CK_RV (CK_PTR  CK_C_EncryptInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_Encrypt)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+                        CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
+                        CK_ULONG_PTR pusEncryptedDataLen);
+typedef CK_RV (CK_PTR  CK_C_EncryptUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG_PTR pusEncryptedPartLen);
+typedef CK_RV (CK_PTR  CK_C_EncryptFinal)
+                       (CK_SESSION_HANDLE hSession,
+                        CK_BYTE_PTR pLastEncryptedPart,
+                        CK_ULONG_PTR pusLastEncryptedPartLen);
+typedef CK_RV (CK_PTR  CK_C_DecryptInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_Decrypt)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
+                        CK_ULONG usEncryptedDataLen, CK_BYTE_PTR pData,
+                        CK_ULONG_PTR pusDataLen);
+typedef CK_RV (CK_PTR  CK_C_DecryptUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG usEncryptedPartLen, CK_BYTE_PTR pPart,
+                        CK_ULONG_PTR pusPartLen);
+typedef CK_RV (CK_PTR  CK_C_DecryptFinal)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
+                        CK_ULONG_PTR pusLastPartLen);
+typedef CK_RV (CK_PTR  CK_C_DigestInit)
+                       (CK_SESSION_HANDLE hSession,
+                        CK_MECHANISM_PTR pMechanism);
+typedef CK_RV (CK_PTR  CK_C_Digest)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+                        CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
+                        CK_ULONG_PTR pusDigestLen);
+typedef CK_RV (CK_PTR  CK_C_DigestUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG usPartLen);
+typedef CK_RV (CK_PTR  CK_C_DigestKey)
+                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_DigestFinal)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+                        CK_ULONG_PTR pusDigestLen);
+typedef CK_RV (CK_PTR  CK_C_SignInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_Sign)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
+                        CK_ULONG_PTR pusSignatureLen);
+typedef CK_RV (CK_PTR  CK_C_SignUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG usPartLen);
+typedef CK_RV (CK_PTR  CK_C_SignFinal)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                        CK_ULONG_PTR pusSignatureLen);
+typedef CK_RV (CK_PTR  CK_C_SignRecoverInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_SignRecover)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
+                        CK_ULONG_PTR pusSignatureLen);
+typedef CK_RV (CK_PTR  CK_C_VerifyInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_Verify)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
+                        CK_ULONG usSignatureLen);
+typedef CK_RV (CK_PTR  CK_C_VerifyUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG usPartLen);
+typedef CK_RV (CK_PTR  CK_C_VerifyFinal)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                        CK_ULONG usSignatureLen);
+typedef CK_RV (CK_PTR  CK_C_VerifyRecoverInit)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hKey);
+typedef CK_RV (CK_PTR  CK_C_VerifyRecover)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                        CK_ULONG usSignatureLen, CK_BYTE_PTR pData,
+                        CK_ULONG_PTR pusDataLen);
+typedef CK_RV (CK_PTR  CK_C_DigestEncryptUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG_PTR pulEncryptedPartLen);
+typedef CK_RV (CK_PTR  CK_C_DecryptDigestUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
+                        CK_ULONG_PTR pulPartLen);
+typedef CK_RV (CK_PTR  CK_C_SignEncryptUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                        CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG_PTR pulEncryptedPartLen);
+typedef CK_RV (CK_PTR  CK_C_DecryptVerifyUpdate)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
+                        CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
+                        CK_ULONG_PTR pulPartLen);
+typedef CK_RV (CK_PTR  CK_C_GenerateKey)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
+                        CK_OBJECT_HANDLE_PTR phKey);
+typedef CK_RV (CK_PTR  CK_C_GenerateKeyPair)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                        CK_ULONG usPublicKeyAttributeCount,
+                        CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                        CK_ULONG usPrivateKeyAttributeCount,
+                        CK_OBJECT_HANDLE_PTR phPrivateKey,
+                        CK_OBJECT_HANDLE_PTR phPublicKey);
+typedef CK_RV (CK_PTR  CK_C_WrapKey)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+                        CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pusWrappedKeyLen);
+typedef CK_RV (CK_PTR  CK_C_UnwrapKey)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey,
+                        CK_ULONG usWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
+                        CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+typedef CK_RV (CK_PTR  CK_C_DeriveKey)
+                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                        CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+                        CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+typedef CK_RV (CK_PTR  CK_C_SeedRandom)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+                        CK_ULONG usSeedLen);
+typedef CK_RV (CK_PTR  CK_C_GenerateRandom)
+                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData,
+                        CK_ULONG usRandomLen);
+typedef CK_RV (CK_PTR  CK_C_GetFunctionStatus)
+                       (CK_SESSION_HANDLE hSession);
+typedef CK_RV (CK_PTR  CK_C_CancelFunction)
+                       (CK_SESSION_HANDLE hSession);
+typedef CK_RV	(CK_PTR  CK_Notify)
+						(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event,
+						 CK_VOID_PTR pApplication);
+typedef CK_RV	(CK_PTR  CK_C_WaitForSlotEvent)
+						(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+						 CK_VOID_PTR pReserved);
+
+struct CK_FUNCTION_LIST {
+	CK_VERSION version;
+	CK_C_Initialize C_Initialize;
+	CK_C_Finalize C_Finalize;
+	CK_C_GetInfo C_GetInfo;
+	CK_C_GetFunctionList C_GetFunctionList;
+	CK_C_GetSlotList C_GetSlotList;
+	CK_C_GetSlotInfo C_GetSlotInfo;
+	CK_C_GetTokenInfo C_GetTokenInfo;
+	CK_C_GetMechanismList C_GetMechanismList;
+	CK_C_GetMechanismInfo C_GetMechanismInfo;
+	CK_C_InitToken C_InitToken;
+	CK_C_InitPIN C_InitPIN;
+	CK_C_SetPIN C_SetPIN;
+	CK_C_OpenSession C_OpenSession;
+	CK_C_CloseSession C_CloseSession;
+	CK_C_CloseAllSessions C_CloseAllSessions;
+	CK_C_GetSessionInfo C_GetSessionInfo;
+	CK_C_GetOperationState C_GetOperationState;
+	CK_C_SetOperationState C_SetOperationState;
+	CK_C_Login C_Login;
+	CK_C_Logout C_Logout;
+	CK_C_CreateObject C_CreateObject;
+	CK_C_CopyObject C_CopyObject;
+	CK_C_DestroyObject C_DestroyObject;
+	CK_C_GetObjectSize C_GetObjectSize;
+	CK_C_GetAttributeValue C_GetAttributeValue;
+	CK_C_SetAttributeValue C_SetAttributeValue;
+	CK_C_FindObjectsInit C_FindObjectsInit;
+	CK_C_FindObjects C_FindObjects;
+	CK_C_FindObjectsFinal C_FindObjectsFinal;
+	CK_C_EncryptInit C_EncryptInit;
+	CK_C_Encrypt C_Encrypt;
+	CK_C_EncryptUpdate C_EncryptUpdate;
+	CK_C_EncryptFinal C_EncryptFinal;
+	CK_C_DecryptInit C_DecryptInit;
+	CK_C_Decrypt C_Decrypt;
+	CK_C_DecryptUpdate C_DecryptUpdate;
+	CK_C_DecryptFinal C_DecryptFinal;
+	CK_C_DigestInit C_DigestInit;
+	CK_C_Digest C_Digest;
+	CK_C_DigestUpdate C_DigestUpdate;
+	CK_C_DigestKey C_DigestKey;
+	CK_C_DigestFinal C_DigestFinal;
+	CK_C_SignInit C_SignInit;
+	CK_C_Sign C_Sign;
+	CK_C_SignUpdate C_SignUpdate;
+	CK_C_SignFinal C_SignFinal;
+	CK_C_SignRecoverInit C_SignRecoverInit;
+	CK_C_SignRecover C_SignRecover;
+	CK_C_VerifyInit C_VerifyInit;
+	CK_C_Verify C_Verify;
+	CK_C_VerifyUpdate C_VerifyUpdate;
+	CK_C_VerifyFinal C_VerifyFinal;
+	CK_C_VerifyRecoverInit C_VerifyRecoverInit;
+	CK_C_VerifyRecover C_VerifyRecover;
+	CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
+	CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
+	CK_C_SignEncryptUpdate C_SignEncryptUpdate;
+	CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
+	CK_C_GenerateKey C_GenerateKey;
+	CK_C_GenerateKeyPair C_GenerateKeyPair;
+	CK_C_WrapKey C_WrapKey;
+	CK_C_UnwrapKey C_UnwrapKey;
+	CK_C_DeriveKey C_DeriveKey;
+	CK_C_SeedRandom C_SeedRandom;
+	CK_C_GenerateRandom C_GenerateRandom;
+	CK_C_GetFunctionStatus C_GetFunctionStatus;
+	CK_C_CancelFunction C_CancelFunction;
+	CK_C_WaitForSlotEvent C_WaitForSlotEvent;
+};
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // _PKCS11TYPES_H_

From 210970a2488bb4c7eb679b3cbd918a9031fc5649 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 7 Sep 2009 23:11:48 +0000
Subject: [PATCH 125/385] two votes for keys -> key pair

---
 bin/dnssec/dnssec-keyfromlabel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 4f93adccf7..af3504d7ec 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.12 2009/09/07 12:54:59 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
 
 /*! \file */
 
@@ -59,7 +59,7 @@ usage(void) {
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
 	fprintf(stderr, "    -a algorithm: %s\n", algs);
-	fprintf(stderr, "    -l label: label of the keys\n");
+	fprintf(stderr, "    -l label: label of the key pair\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c  (default: IN)\n");

From 822e877c4cd2a254fddd70d6cdf24fa374c98312 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 7 Sep 2009 23:30:31 +0000
Subject: [PATCH 126/385] newcopyrights

---
 util/copyrights | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/util/copyrights b/util/copyrights
index 364d0cfc3e..f56125fe5b 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1249,6 +1249,9 @@
 ./contrib/pkcs11-keygen/keyconv.pl		X	2008
 ./contrib/pkcs11-keygen/keydump.pl		X	2008
 ./contrib/pkcs11-keygen/listobjs.c		X	2008,2009
+./contrib/pkcs11-keygen/opencryptoki/apiclient.h	X	2009
+./contrib/pkcs11-keygen/opencryptoki/pkcs11.h	X	2009
+./contrib/pkcs11-keygen/opencryptoki/pkcs11types.h	X	2009
 ./contrib/pkcs11-keygen/openssl-0.9.8g-patch	X	2008
 ./contrib/pkcs11-keygen/openssl-0.9.8i-patch	X	2009
 ./contrib/pkcs11-keygen/readkey.c		X	2008,2009

From c7d32c0b0ff4c01f0d4479af3410d3c06044d48a Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 8 Sep 2009 01:14:42 +0000
Subject: [PATCH 127/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     | 55 ++++++++++++++--
 bin/dnssec/dnssec-keyfromlabel.html  | 99 ++++++++++++++++++++++------
 doc/arm/man.ddns-confgen.html        | 10 +--
 doc/arm/man.dnssec-keyfromlabel.html | 99 ++++++++++++++++++++++------
 doc/arm/man.dnssec-keygen.html       | 16 ++---
 doc/arm/man.dnssec-revoke.html       | 10 +--
 doc/arm/man.dnssec-settime.html      | 14 ++--
 doc/arm/man.dnssec-signzone.html     | 12 ++--
 doc/arm/man.named-checkconf.html     | 12 ++--
 doc/arm/man.named-checkzone.html     | 12 ++--
 doc/arm/man.named.html               | 16 ++---
 doc/arm/man.nsupdate.html            | 14 ++--
 doc/arm/man.rndc-confgen.html        | 12 ++--
 doc/arm/man.rndc.conf.html           | 12 ++--
 doc/arm/man.rndc.html                | 12 ++--
 15 files changed, 282 insertions(+), 123 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 10c46edbe5..62e261df8e 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.9 2009/07/20 01:13:18 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.10 2009/09/08 01:14:42 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,18 +32,22 @@
 dnssec\-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-U\ \fR\fB\fIdate/offset\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
 gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
 .SH "OPTIONS"
 .PP
 \-a \fIalgorithm\fR
 .RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+must be one of RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
 .sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
 .sp
@@ -62,6 +66,15 @@ Specifies the owner type of the key. The value of
 must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
 .RE
 .PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata. By default,
+\fBdnssec\-keyfromlabel\fR
+will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them.
+.RE
+.PP
 \-c \fIclass\fR
 .RS 4
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
@@ -69,13 +82,13 @@ Indicates that the DNS record containing the key should have the specified class
 .PP
 \-f \fIflag\fR
 .RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
 .RE
 .PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
+\fBdnssec\-keyfromlabel\fR.
 .RE
 .PP
 \-K \fIdirectory\fR
@@ -90,7 +103,7 @@ Generate KEY records rather than DNSKEY records.
 .PP
 \-p \fIprotocol\fR
 .RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
 .RE
 .PP
 \-t \fItype\fR
@@ -104,6 +117,34 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
 .RS 4
 Sets the debugging level.
 .RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-U \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be unpublished. After that date, the key will no longer be included in the zone, but it may remain in the key repository.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
+.RE
 .SH "GENERATED KEY FILES"
 .PP
 When
@@ -137,7 +178,7 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
 .PP
 The
 \fI.private\fR
-file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
 .SH "SEE ALSO"
 .PP
 \fBdnssec\-keygen\fR(8),
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index c081c2e012..2764a5a1de 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,25 +28,30 @@
 

 

 
Synopsis

-
dnssec-keyfromlabel  {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-K directory] [-n nametype] [-p protocol] [-t type] [-v level] {name}

+
dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-U date/offset] [-v level] {name}

 

 

-
DESCRIPTION

+
DESCRIPTION

 
dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  
     

+

+      The name of the key is specified on the command
+      line.  This must match the name of the zone for which the key is
+      being generated.
+    

 

 

-
OPTIONS

+
OPTIONS

 

 
-a algorithm

 

 

 	    Selects the cryptographic algorithm.  The value of
-	    algorithm must be one of RSAMD5 (RSA)
-	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	    algorithm must be one of RSAMD5 (RSA),
+	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  

 

@@ -69,8 +74,17 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.
+          

+
-C

+

+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, dnssec-keyfromlabel
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
+	    -C option suppresses them.
           

 
-c class

 

@@ -80,12 +94,12 @@
 
-f flag

 

             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+            The only recognized flags are KSK (Key Signing Key) and REVOKE.
           

 
-h

 

             Prints a short summary of the options and arguments to
-            dnssec-keygen.
+            dnssec-keyfromlabel.
           

 
-K directory

 

@@ -97,7 +111,7 @@
           

 
-p protocol

 

-            Sets the protocol value for the generated key.  The protocol
+            Sets the protocol value for the key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
@@ -116,7 +130,54 @@
 

 

 

-
GENERATED KEY FILES

+
TIMING OPTIONS

+

+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
+    

+

+
-P date/offset

+

+            Sets the date on which a key is to be published to the zone.
+            After that date, the key will be included in the zone but will
+            not be used to sign it.
+          

+
-A date/offset

+

+            Sets the date on which the key is to be activated.  After that
+            date, the key will be included and the zone and used to sign
+            it.
+          

+
-R date/offset

+

+            Sets the date on which the key is to be revoked.  After that
+            date, the key will be flagged as revoked.  It will be included
+            in the zone and will be used to sign it.
+          

+
-U date/offset

+

+            Sets the date on which the key is to be unpublished.  After that
+            date, the key will no longer be included in the zone, but it
+            may remain in the key repository.
+          

+
-D date/offset

+

+            Sets the date on which the key is to be deleted.  After that
+            date, the key can be removed from the key repository.
+            NOTE: Keys are not currently deleted automatically; this field
+            is included for informational purposes and for future
+            development.
+          

+

+

+

+
GENERATED KEY FILES

 

       When dnssec-keyfromlabel completes
       successfully,
@@ -128,8 +189,7 @@
 
  • nnnn is the key name.
         
    • 
 
  • aaa is the numeric representation
-          of the
-          algorithm.
+          of the algorithm.
         
    • 
 
  • iiiii is the key identifier (or
           footprint).
@@ -140,8 +200,7 @@
       on the printed string.  Knnnn.+aaa+iiiii.key
       contains the public key, and
       Knnnn.+aaa+iiiii.private contains the
-      private
-      key.
+      private key.
     
    
 
    
       The .key file contains a DNS KEY record
@@ -150,14 +209,14 @@
       statement).
     
    
 
    
-      The .private file contains algorithm
-      specific
+      The .private file contains
+      algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     
    
 
    • 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -167,7 +226,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index c333ded46f..f25b277dc9 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 0fe11c6e9f..d177445b16 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,25 +47,30 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-K directory] [-n nametype] [-p protocol] [-t type] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-U date/offset] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  
     
    
+
    
+      The name of the key is specified on the command
+      line.  This must match the name of the zone for which the key is
+      being generated.
+    
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
 
    
 	    Selects the cryptographic algorithm.  The value of
-	    algorithm must be one of RSAMD5 (RSA)
-	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	    algorithm must be one of RSAMD5 (RSA),
+	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  
    
 
    
@@ -88,8 +93,17 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.
+          
    
+
    -C
    
+
    
+	    Compatibility mode:  generates an old-style key, without
+	    any metadata.  By default, dnssec-keyfromlabel
+	    will include the key's creation date in the metadata stored
+	    with the private key, and other dates may be set there as well
+	    (publication date, activation date, etc).  Keys that include
+	    this data may be incompatible with older versions of BIND; the
+	    -C option suppresses them.
           
    
 
    -c class
    
 
    
@@ -99,12 +113,12 @@
 
    -f flag
    
 
    
             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+            The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
    
 
    -h
    
 
    
             Prints a short summary of the options and arguments to
-            dnssec-keygen.
+            dnssec-keyfromlabel.
           
    
 
    -K directory
    
 
    
@@ -116,7 +130,7 @@
           
    
 
    -p protocol
    
 
    
-            Sets the protocol value for the generated key.  The protocol
+            Sets the protocol value for the key.  The protocol
             is a number between 0 and 255.  The default is 3 (DNSSEC).
             Other possible values for this argument are listed in
             RFC 2535 and its successors.
@@ -135,7 +149,54 @@
 
    
 
    
 
    
-
    GENERATED KEY FILES
    
+
    TIMING OPTIONS
    
+
    
+      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+      If the argument begins with a '+' or '-', it is interpreted as
+      an offset from the present time.  For convenience, if such an offset
+      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+      then the offset is computed in years (defined as 365 24-hour days,
+      ignoring leap years), months (defined as 30 24-hour days), weeks,
+      days, hours, or minutes, respectively.  Without a suffix, the offset
+      is computed in seconds.
+    
    
+
    
+
    -P date/offset
    
+
    
+            Sets the date on which a key is to be published to the zone.
+            After that date, the key will be included in the zone but will
+            not be used to sign it.
+          
    
+
    -A date/offset
    
+
    
+            Sets the date on which the key is to be activated.  After that
+            date, the key will be included and the zone and used to sign
+            it.
+          
    
+
    -R date/offset
    
+
    
+            Sets the date on which the key is to be revoked.  After that
+            date, the key will be flagged as revoked.  It will be included
+            in the zone and will be used to sign it.
+          
    
+
    -U date/offset
    
+
    
+            Sets the date on which the key is to be unpublished.  After that
+            date, the key will no longer be included in the zone, but it
+            may remain in the key repository.
+          
    
+
    -D date/offset
    
+
    
+            Sets the date on which the key is to be deleted.  After that
+            date, the key can be removed from the key repository.
+            NOTE: Keys are not currently deleted automatically; this field
+            is included for informational purposes and for future
+            development.
+          
    
+
    
+
    
+
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -147,8 +208,7 @@
 
  • nnnn is the key name.
         
    • 
 
  • aaa is the numeric representation
-          of the
-          algorithm.
+          of the algorithm.
         
    • 
 
  • iiiii is the key identifier (or
           footprint).
@@ -159,8 +219,7 @@
       on the printed string.  Knnnn.+aaa+iiiii.key
       contains the public key, and
       Knnnn.+aaa+iiiii.private contains the
-      private
-      key.
+      private key.
     
    
 
    
       The .key file contains a DNS KEY record
@@ -169,14 +228,14 @@
       statement).
     
    
 
    
-      The .private file contains algorithm
-      specific
+      The .private file contains
+      algorithm-specific
       fields.  For obvious security reasons, this file does not have
       general read permission.
     
    
 
    • 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -186,7 +245,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 76c1fb62e0..fefeaa7825 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -226,7 +226,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -273,7 +273,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -319,7 +319,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -340,7 +340,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -349,7 +349,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 9396e59333..4020c1a0c9 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -86,14 +86,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 6146b93b37..c02f1d8efd 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -101,7 +101,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -148,7 +148,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -174,7 +174,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -182,7 +182,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index b4706285a6..3e52b6a58a 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -362,7 +362,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -391,14 +391,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index a0de1afb8c..3f166f03d0 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 38346d3b68..e9a0fe9737 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 829da5d0bc..57a0af06b3 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -289,7 +289,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 1a901314b4..5eb0685191 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index c5fa62420a..6f33554ffb 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 4958631a85..b940710f95 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index db62de4fef..a4537a9282 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 8a86c12ec245eb3838f48ffbc5a01fb9b7666a60 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 03:39:30 +0000
Subject: [PATCH 128/385] Instead of removing all of util from the release kit,
 retain util/mksymtbl.pl.

---
 util/kit.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/util/kit.sh b/util/kit.sh
index e09c4c3fcd..f4019a14fb 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: kit.sh,v 1.36 2009/08/14 06:17:20 marka Exp $
+# $Id: kit.sh,v 1.37 2009/09/08 03:39:30 each Exp $
 
 # Make a release kit
 #
@@ -114,11 +114,15 @@ fi
 # we still delete them from releases just in case something 
 # gets accidentally resurrected.
 
-rm -rf TODO EXCLUDED conftools util doc/design doc/dev doc/expired \
+rm -rf TODO EXCLUDED conftools doc/design doc/dev doc/expired \
     doc/html doc/todo doc/private bin/lwresd doc/man \
     lib/lwres/man/resolver.5 \
     bin/tests/system/relay lib/cfg
 
+# Remove everything but mksymtbl.pl from util
+find ./util -name mksymtbl.pl -prune -o -type f -print | xargs rm -rf
+
+# Remove all .cvsignore files
 find . -name .cvsignore -print | xargs rm
 
 # The following files should be executable.

From d7e3784c77d2648bf9a8a3c767a7978bd77a0c0b Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 06:00:11 +0000
Subject: [PATCH 129/385] Now that include files are in place in the
 opencryptoki subdirectory, remove "#ifndef OPENCRYPTOKI" conditionals

---
 contrib/pkcs11-keygen/destroyobj.c | 5 -----
 contrib/pkcs11-keygen/genkey.c     | 5 -----
 contrib/pkcs11-keygen/listobjs.c   | 5 -----
 contrib/pkcs11-keygen/readkey.c    | 5 -----
 contrib/pkcs11-keygen/set_key_id.c | 5 -----
 contrib/pkcs11-keygen/writekey.c   | 5 -----
 6 files changed, 30 deletions(-)

diff --git a/contrib/pkcs11-keygen/destroyobj.c b/contrib/pkcs11-keygen/destroyobj.c
index 0883978403..e7068e4d62 100644
--- a/contrib/pkcs11-keygen/destroyobj.c
+++ b/contrib/pkcs11-keygen/destroyobj.c
@@ -7,12 +7,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 
 int
 main(int argc, char *argv[])
diff --git a/contrib/pkcs11-keygen/genkey.c b/contrib/pkcs11-keygen/genkey.c
index d1269243d4..45a9e3cd68 100644
--- a/contrib/pkcs11-keygen/genkey.c
+++ b/contrib/pkcs11-keygen/genkey.c
@@ -17,12 +17,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 
 /* Define static key template values */
 static CK_BBOOL truevalue = TRUE;
diff --git a/contrib/pkcs11-keygen/listobjs.c b/contrib/pkcs11-keygen/listobjs.c
index efe95ee278..3fb6eaa80f 100644
--- a/contrib/pkcs11-keygen/listobjs.c
+++ b/contrib/pkcs11-keygen/listobjs.c
@@ -7,12 +7,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 
 int
 main(int argc, char *argv[])
diff --git a/contrib/pkcs11-keygen/readkey.c b/contrib/pkcs11-keygen/readkey.c
index 551e90fdf8..ced0fa9c0a 100644
--- a/contrib/pkcs11-keygen/readkey.c
+++ b/contrib/pkcs11-keygen/readkey.c
@@ -7,12 +7,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 #include 
 #include 
 #include 
diff --git a/contrib/pkcs11-keygen/set_key_id.c b/contrib/pkcs11-keygen/set_key_id.c
index f2d8bcb8cf..3cb1cd3a04 100644
--- a/contrib/pkcs11-keygen/set_key_id.c
+++ b/contrib/pkcs11-keygen/set_key_id.c
@@ -7,12 +7,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 
 int
 main(int argc, char *argv[])
diff --git a/contrib/pkcs11-keygen/writekey.c b/contrib/pkcs11-keygen/writekey.c
index d0aacb2702..b532963d4a 100644
--- a/contrib/pkcs11-keygen/writekey.c
+++ b/contrib/pkcs11-keygen/writekey.c
@@ -7,12 +7,7 @@
 #include 
 #include 
 #include 
-#ifndef OPENCRYPTOKI
-#include 
-#include 
-#else
 #include 
-#endif
 #include 
 #include 
 #include 

From d7c15f7c371ba2e39797d9c38b9ff4b41253302a Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 06:54:00 +0000
Subject: [PATCH 130/385] - new README.pkcs11 - old README.pkcs11 moved to
 contrib/pkcs11-keygen/PKCS11-NOTES

---
 README.pkcs11                      | 331 +++++++++++++++++++++++------
 contrib/pkcs11-keygen/PKCS11-NOTES |  94 ++++++++
 2 files changed, 355 insertions(+), 70 deletions(-)
 create mode 100644 contrib/pkcs11-keygen/PKCS11-NOTES

diff --git a/README.pkcs11 b/README.pkcs11
index 7af9d242d0..a7200d6c79 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -1,94 +1,285 @@
 
-			BIND-9 PKCS#11 support
+		BIND 9 PKCS #11 (Cryptoki) support
 
-Prerequisite
+INTRODUCTION
 
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
-and some improvements, including user friendly PIN management. You may also
-use the original engine code.
+PKCS #11 (Public Key Cryptography Standard #11) defines a platform-
+independent API for the control of hardware security modules (HSMs)
+and other cryptographic support devices. 
 
-Compilation
+BIND 9 is known to work with two HSMs:  The Sun SCA 6000 cryptographic
+acceration board, tested under OpenSolaris x86, and the AEP Keyper
+network-attached key storage device, tested with a Debian Linux system.
+(The Keyper has also been tested with Windows 2003 and found to work,
+but with some stability problems that have not yet been resolved.)
 
-"configure --with-pkcs11 ..."
+PREREQUISITES
 
-PKCS#11 Libraries
+See the HSM vendor documentation for information about installing,
+initializing, testing and troubleshooting the HSM.
 
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token. Known to work on Linux and Windows 2003 server so
-should work on most operating systems. For AEP Keyper or any device used
-only for its protected key store, please switch to the sign-only engine.
+BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
+yet fully support PKCS #11.  However, a PKCS #11 engine for OpenSSL
+is available from the OpenSolaris project.  It has been modified by
+ISC to work with with BIND 9, and with further improvements to provide
+features such as PIN management.
 
-OpenSSL Engines
+The modified OpenSSL depends on a PKCS #11 shared library object,
+which is provided by the HSM vendor and is specific to the HSM to
+be controlled.
 
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
-   define: PKCS11_SO_PATH
-   default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
-   define: PKCS11_MODULE_PATH
-   default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
+The OpenSSL code is included in BIND 9.7.0a3 release in the form
+of a context diff against OpenSSL 0.9.8i.  Before building BIND 9
+PKCS #11 support, it will be necessary to build OpenSSL with this
+patch in place, and provide it with the path to the HSM-specific
+PKCS #11 library.
 
-PKCS#11 tools
+Obtain OpenSSL 0.9.8i:
 
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
+    wget http://www.openssl.org/source/openssl-0.9.8i.tar.gz
 
-The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
-a operating system which is not Solaris.)
+Extract the tarball:
 
-Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
-are functional.
+    tar zxf openssl-0.9.8i.tar.gz
 
-PIN management
+Apply the patch from the BIND 9 release:
 
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
-	openssl_conf = openssl_def
- - at any place these sections:
-	[ openssl_def ]
-	engines = engine_section
-	[ engine_section ]
-	pkcs11 = pkcs11_section
-	[ pkcs11_section ]
-	PIN = put__your__pin__value__here
+    patch -p1 -d openssl-0.9.8i \
+            < bind-9.7.0a3/contrib/pkcs11-keygen/openssl-0.9.8i-patch 
 
-Slot management
+(Note that the patch file may not be compatible with the "patch" utility
+on all operating systems.  You may need to install GNU patch.)
 
-The engine tries to use the first best slot but it is recommended
-to simply use the slot 0 (usual default, meta-slot on Solaris).
+When building OpenSSL, place it in a non-standard location so that it
+does not interfere with OpenSSL libraries elsewhere on the system.
+In the following examples, we choose to install into "/opt/pkcs11/usr".
+We will use this location when we configure BIND 9.
 
-Sign-only engine
+    EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX:
 
-openssl.../crypto/engibe/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
-a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
-has only the useful functions (i.e., signature with a RSA private
-key in the device protected key store and key loading).
+    The AEP Keyper is a highly-secured key storage device, but it does not
+    provide hardware cryptographic acceleration.  It can carry out
+    cryptographic operations, but it is probably slower than your
+    system's CPU, so it is most efficient to use it only for operations
+    that require the secured private key.
 
-This engine should be used with a device which provides mainly
-a protected store and no acceleration. AEP Keyper is an example
-of such a device (BTW with the fully capable engine, key export
-must be enabled on this device and this configuration is not yet
-supported).
+    The patched OpenSSL source tree includes two versions of the PKCS #11
+    engine, one of which uses the HSM for all cryptographic operations, and
+    the other only uses it for signing.  To build with the signing-only
+    engine:
 
-Original engine
+        cp openssl-0.9.8i/crypto/engine/hw_pk11-kp.c \
+           openssl-0.9.8i/crypto/engine/hw_pk11.c
+        cp openssl-0.9.8i/crypto/engine/hw_pk11_pub-kp.c \
+           openssl-0.9.8i/crypto/engine/hw_pk11_pub.c
 
-If you are using the original engine and getpassphrase() is not defined, add:
-#define getpassphrase(x) getpass(x)
-in openssl.../crypto/engine/hw_pk11_pub.c
+    The Keyper-specific PKCS #11 shared library object is provided
+    by AEP.  In this example, we place it /opt/pkcs11/usr/lib:
 
-Notes
+        cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
 
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
-Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
-The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
+    Note that the this library is only available for Linux as a 32-bit
+    binary.  If we are compiling on a 64-bit Linux system, it is necessary
+    to force a 32-bit build, by specifying -m32 in the build options.
+
+    Finally, the Keyper library requires threads, so we must specify -pthread.
+    
+        cd openssl-0.9.8i
+        ./Configure linux-generic32 -m32 -pthread \
+            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --prefix=/opt/pkcs11/usr
+
+    After configuring, run "make" and "make test".  If "make test" fails
+    with "pthread_atfork() not found", you forgot to add the -pthread
+    above.
+
+    EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS:
+
+    The SCA-6000 PKCS #11 library is provided as a system library, libpkcs11.
+
+    In this example, we are building on OpenSolaris x86 on an AMD64 system.
+
+        cd openssl-0.9.8i
+        ./Configure solaris64-x86_64-cc -xarch=amd64 \
+            --pk11-libname=/usr/lib/64/libpkcs11.so \
+            --prefix=/opt/pkcs11/usr
+
+    After configuring, run "make" and "make test".
+
+Once you have built OpenSSL, run "apps/openssl engine" to confirm that
+PKCS #11 support was compiled in correctly.  The output should include the
+line:
+
+        (pkcs11) PKCS #11 engine support
+
+If the output is correct, run "make install".
+
+BUILDING BIND 9
+
+When building BIND 9, the location of the custom-built OpenSSL
+library must be specified via configure.
+
+    EXAMPLE 3--CONFIGURING BIND 9 FOR LINUX
+
+    To link with the PKCS #11 library, threads must be enabled in the bind9
+    build.
+
+    Since the PKCS #11 library is only available as a 32-bit binary, if
+    we are building on a 64-bit host, we must force a 32-bit build by
+    adding "-m32" to the CC options on the "configure" command line.
+
+        cd ../bind-9.7.0a3
+        ./configure CC="gcc -m32" --enable-threads \
+            --with-openssl=/opt/pkcs11/usr
+
+    EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS
+
+    To link with the PKCS #11 library, threads must be enabled in the bind9
+    build.
+
+        cd ../bind-9.7.0a3
+        ./configure CC="cc -xarch=adm64" --enable-threads \
+            --with-openssl=/opt/pkcs11/usr
+
+If configure complains about OpenSSL not working, you may have a 32/64-bit
+architecture mismatch.  Or, you may have incorrectly specified the path to
+OpenSSL (it should be the same as the --prefix argument to the OpenSSL
+Configure).  
+
+After configuring, run "make", "make test" and "make install".
+
+PKCS #11 TOOLS
+
+The contrib/pkcs11-keygen directory contains a set of experimental
+tools to operate an HSM for the benefit of BIND 9, including "genkey" to
+generate a new key pair within the HSM, and "listobjs" to list keys
+currently available.
+
+These tools are not yet complete, not documented, and not supported
+by ISC.  As of BIND 9.7.0a3, they still lack such basic amenities as
+a Makefile.  Other commercial or open-source PKCS #11 tools may be
+available which are better-suited to the job.  However, in the
+absence of those tools, the ones provided in contrib/pkcs11-keygen
+can get you started.
+
+    EXAMPLE 5--BUILDING TOOLS ON LINUX:
+
+    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
+        genkey.c -o genkey -lpkcs11
+    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
+        listobjs.c -o listobjs -lpkcs11
+    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
+        destroyobj.c -o destroyobj -lpkcs11
+    cd ../..
+
+    EXAMPLE 6--BUILDING TOOLS ON SOLARIS:
+
+    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
+        genkey.c -o genkey -lcrypto -lpkcs11 -lsocket
+    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
+        listobjs.c -o listobjs -lcrypto -lpkcs11 -lsocket
+    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
+        destroyobj.c -o destroyobj -lcrypto -lpkcs11 -lsocket
+    cd ../..
+
+USING THE HSM
+
+First, we must set up the runtime environment so the OpenSSL and PKCS #11
+libraries can be loaded:
+
+    export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
+
+When operating an AEP Keyper, it is also necessary to specify the
+location of the "machine" file, which provides information about the
+Keyper to the PKCS #11 library.  For example, if the machine file is in
+/opt/Keyper/PKCS11Provider/machine, use:
+
+    export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
+
+These environment variables must be set whenever running any tool
+which uses the HSM, including genkey, listobjs, destroyobj,
+dnssec-keyfromlabel, dnssec-signzone, and named.
+
+We can now create and use keys in the HSM.  In this case, we will
+create a 2048 bit key and give it the label "sample-ksk":
+
+    contrib/pkcs11-keygen/genkey -b 2048 -l sample-ksk
+
+To confirm that the key exists:
+
+    contrib/pkcs11-keygen/listobjs
+    Enter PIN:
+    object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] 
+    object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] 
+
+Before using this key to sign a zone, we must create a pair of BIND 9
+key files.  The "dnssec-keyfromlabel" utility does this.  In this case,
+we will be using the HSM key "sample-ksk" as the key-signing key for
+"example.net":
+
+    dnssec-keyfromlabel -a NSEC3RSASHA1 -l pkcs11:sample-ksk -f KSK example.net
+
+(Note:  It is necessary to specify "pkcs11:" before the key's label;
+otherwise the PCKS #11 engine will look for the key on disk rather than
+in the HSM.  If you forget to do this, dnssec-keyfromlabel will return
+"not found".)
+
+The resulting K*.key and K*.private files can now be used to sign the
+zone.  Unlike normal K* files, which contain both public and private
+key data, these files will contain only the public key data, plus an
+identifier for the private key which remains stored within the HSM.
+The HSM handles signing with the private key.
+
+If you wish to generate a second key in the HSM for use as a zone-signing
+key, follow the same procedure above, using a different keylabel, a
+smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel
+arguments:
+
+    contrib/pkcs11-keygen/genkey -b 1024 -l sample-zsk
+    dnssec-keyfromlabel -a NSEC3RSASHA1 -l pkcs11:sample-zsk example.net
+
+Alternatively, you may prefer to generate a conventional on-disk key, using
+dnssec-keygen:
+
+    dnssec-keygen -a NSEC3RSASHA1 -b 1024 example.net
+
+This provides less security than an HSM key, but since HSMs are often
+slower at signing than your system's CPU, it may be more efficient to
+reserve HSM keys for the less-frequent key-signing operation.  The
+zone-signing key can be rolled more frequently, if you wish, to
+compensate for a reduction in key security.
+
+Now you can sign the zone.  (Note: If not using the -S option to
+dnssec-signzone, it will be necessary to add the contents of both
+K*.key files to the zone master file before signing it.)
+
+    dnssec-signzone -S example.net
+    Enter PIN:
+    Verifying the zone using the following algorithms: NSEC3RSASHA1.
+    Zone signing complete:
+    Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+    example.net.signed
+
+RUNNING NAMED WITH AUTOMATIC ZONE RE-SIGNING
+
+If you want named to dynamically re-sign zones using HSM keys, and/or to
+to sign new records inserted via nsupdate, then named must have access
+to the HSM PIN.  This can be accomplished by placing the PIN into the
+openssl.cnf file (in the above examples, /opt/pkcs11/usr/ssl/openssl.cnf).
+
+The location of the openssl.cnf file can be overridden by setting the
+OPENSSL_CONF environment variable before running named.
+
+Sample openssl.cnf:
+
+        openssl_conf = openssl_def
+        [ openssl_def ]
+        engines = engine_section
+        [ engine_section ]
+        pkcs11 = pkcs11_section
+        [ pkcs11_section ]
+        PIN = 
+
+PLEASE NOTE:  Placing the HSM's PIN in a text file in this manner
+may reduce the security advantage of using an HSM.  Be sure this
+is what you want to do before configuring BIND 9 in this way.
diff --git a/contrib/pkcs11-keygen/PKCS11-NOTES b/contrib/pkcs11-keygen/PKCS11-NOTES
new file mode 100644
index 0000000000..7af9d242d0
--- /dev/null
+++ b/contrib/pkcs11-keygen/PKCS11-NOTES
@@ -0,0 +1,94 @@
+
+			BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
+and some improvements, including user friendly PIN management. You may also
+use the original engine code.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token. Known to work on Linux and Windows 2003 server so
+should work on most operating systems. For AEP Keyper or any device used
+only for its protected key store, please switch to the sign-only engine.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+   define: PKCS11_SO_PATH
+   default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+   define: PKCS11_MODULE_PATH
+   default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
+a operating system which is not Solaris.)
+
+Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
+are functional.
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+	openssl_conf = openssl_def
+ - at any place these sections:
+	[ openssl_def ]
+	engines = engine_section
+	[ engine_section ]
+	pkcs11 = pkcs11_section
+	[ pkcs11_section ]
+	PIN = put__your__pin__value__here
+
+Slot management
+
+The engine tries to use the first best slot but it is recommended
+to simply use the slot 0 (usual default, meta-slot on Solaris).
+
+Sign-only engine
+
+openssl.../crypto/engibe/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
+has only the useful functions (i.e., signature with a RSA private
+key in the device protected key store and key loading).
+
+This engine should be used with a device which provides mainly
+a protected store and no acceleration. AEP Keyper is an example
+of such a device (BTW with the fully capable engine, key export
+must be enabled on this device and this configuration is not yet
+supported).
+
+Original engine
+
+If you are using the original engine and getpassphrase() is not defined, add:
+#define getpassphrase(x) getpass(x)
+in openssl.../crypto/engine/hw_pk11_pub.c
+
+Notes
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
+Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
+The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.

From 5e4d54bc796bbf8c37e9e582ee651499ea79dd21 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 07:07:13 +0000
Subject: [PATCH 131/385] grammar fix

---
 README.pkcs11 | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index a7200d6c79..63297aabdf 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -21,8 +21,8 @@ initializing, testing and troubleshooting the HSM.
 BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
 yet fully support PKCS #11.  However, a PKCS #11 engine for OpenSSL
 is available from the OpenSolaris project.  It has been modified by
-ISC to work with with BIND 9, and with further improvements to provide
-features such as PIN management.
+ISC to work with with BIND 9 and to provide new features such as
+PIN management.
 
 The modified OpenSSL depends on a PKCS #11 shared library object,
 which is provided by the HSM vendor and is specific to the HSM to
@@ -64,9 +64,9 @@ We will use this location when we configure BIND 9.
     that require the secured private key.
 
     The patched OpenSSL source tree includes two versions of the PKCS #11
-    engine, one of which uses the HSM for all cryptographic operations, and
-    the other only uses it for signing.  To build with the signing-only
-    engine:
+    engine; one uses the HSM for all cryptographic operations, and the
+    other only uses it for signing.  The signing-only engine is recommended
+    for the Keyper.  To build OpenSSL with the signing-only engine:
 
         cp openssl-0.9.8i/crypto/engine/hw_pk11-kp.c \
            openssl-0.9.8i/crypto/engine/hw_pk11.c
@@ -78,9 +78,9 @@ We will use this location when we configure BIND 9.
 
         cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
 
-    Note that the this library is only available for Linux as a 32-bit
-    binary.  If we are compiling on a 64-bit Linux system, it is necessary
-    to force a 32-bit build, by specifying -m32 in the build options.
+    This library is only available for Linux as a 32-bit binary.  If we are
+    compiling on a 64-bit Linux system, it is necessary to force a 32-bit
+    build, by specifying -m32 in the build options.
 
     Finally, the Keyper library requires threads, so we must specify -pthread.
     
@@ -124,7 +124,7 @@ library must be specified via configure.
     To link with the PKCS #11 library, threads must be enabled in the bind9
     build.
 
-    Since the PKCS #11 library is only available as a 32-bit binary, if
+    The PKCS #11 library is only available as a 32-bit binary.  If
     we are building on a 64-bit host, we must force a 32-bit build by
     adding "-m32" to the CC options on the "configure" command line.
 

From d247c0d92a85ab10b38bdcdae2b458426f27fb20 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 8 Sep 2009 07:20:39 +0000
Subject: [PATCH 132/385] new draft

---
 ...aft-ietf-dnsext-dnssec-bis-updates-09.txt} | 324 +++++++++---------
 1 file changed, 162 insertions(+), 162 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-dnssec-bis-updates-08.txt => draft-ietf-dnsext-dnssec-bis-updates-09.txt} (74%)

diff --git a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
similarity index 74%
rename from doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt
rename to doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
index dc108cbf83..0953e28b47 100644
--- a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt
+++ b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
@@ -5,12 +5,12 @@ Network Working Group                                          S. Weiler
 Internet-Draft                                              SPARTA, Inc.
 Updates: 4033, 4034, 4035, 5155                                D. Blacka
 (if approved)                                             VeriSign, Inc.
-Intended status: Standards Track                        January 14, 2009
-Expires: July 18, 2009
+Intended status: Standards Track                       September 5, 2009
+Expires: March 9, 2010
 
 
          Clarifications and Implementation Notes for DNSSECbis
-                draft-ietf-dnsext-dnssec-bis-updates-08
+                draft-ietf-dnsext-dnssec-bis-updates-09
 
 Status of this Memo
 
@@ -33,7 +33,7 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on July 18, 2009.
+   This Internet-Draft will expire on March 9, 2010.
 
 Copyright Notice
 
@@ -41,25 +41,22 @@ Copyright Notice
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents
-   (http://trustee.ietf.org/license-info) in effect on the date of
-   publication of this document.  Please review these documents
-   carefully, as they describe your rights and restrictions with respect
-   to this document.
-
-
-
-
-
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 1]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 Abstract
 
    This document is a collection of technical clarifications to the
+
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 1]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
    DNSSECbis document set.  It is meant to serve as a resource to
    implementors as well as a repository of DNSSECbis errata.
 
@@ -72,24 +69,24 @@ Table of Contents
    2.  Important Additions to DNSSSECbis  . . . . . . . . . . . . . .  3
      2.1.  NSEC3 Support  . . . . . . . . . . . . . . . . . . . . . .  3
      2.2.  SHA-256 Support  . . . . . . . . . . . . . . . . . . . . .  3
-   3.  Significant Concerns . . . . . . . . . . . . . . . . . . . . .  4
+   3.  Security Concerns  . . . . . . . . . . . . . . . . . . . . . .  4
      3.1.  Clarifications on Non-Existence Proofs . . . . . . . . . .  4
      3.2.  Validating Responses to an ANY Query . . . . . . . . . . .  4
      3.3.  Check for CNAME  . . . . . . . . . . . . . . . . . . . . .  5
      3.4.  Insecure Delegation Proofs . . . . . . . . . . . . . . . .  5
-     3.5.  Errors in Canonical Form Type Code List  . . . . . . . . .  5
    4.  Interoperability Concerns  . . . . . . . . . . . . . . . . . .  5
-     4.1.  Unknown DS Message Digest Algorithms . . . . . . . . . . .  5
-     4.2.  Private Algorithms . . . . . . . . . . . . . . . . . . . .  6
-     4.3.  Caution About Local Policy and Multiple RRSIGs . . . . . .  6
-     4.4.  Key Tag Calculation  . . . . . . . . . . . . . . . . . . .  7
-     4.5.  Setting the DO Bit on Replies  . . . . . . . . . . . . . .  7
-     4.6.  Setting the AD bit on Replies  . . . . . . . . . . . . . .  7
-     4.7.  Setting the CD bit on Requests . . . . . . . . . . . . . .  8
-     4.8.  Nested Trust Anchors . . . . . . . . . . . . . . . . . . .  8
+     4.1.  Errors in Canonical Form Type Code List  . . . . . . . . .  5
+     4.2.  Unknown DS Message Digest Algorithms . . . . . . . . . . .  5
+     4.3.  Private Algorithms . . . . . . . . . . . . . . . . . . . .  6
+     4.4.  Caution About Local Policy and Multiple RRSIGs . . . . . .  7
+     4.5.  Key Tag Calculation  . . . . . . . . . . . . . . . . . . .  7
+     4.6.  Setting the DO Bit on Replies  . . . . . . . . . . . . . .  7
+     4.7.  Setting the AD bit on Replies  . . . . . . . . . . . . . .  7
+     4.8.  Setting the CD bit on Requests . . . . . . . . . . . . . .  8
+     4.9.  Nested Trust Anchors . . . . . . . . . . . . . . . . . . .  8
    5.  Minor Corrections and Clarifications . . . . . . . . . . . . .  8
      5.1.  Finding Zone Cuts  . . . . . . . . . . . . . . . . . . . .  8
-     5.2.  Clarifications on DNSKEY Usage . . . . . . . . . . . . . .  8
+     5.2.  Clarifications on DNSKEY Usage . . . . . . . . . . . . . .  9
      5.3.  Errors in Examples . . . . . . . . . . . . . . . . . . . .  9
      5.4.  Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . .  9
    6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
@@ -108,15 +105,19 @@ Table of Contents
 
 
 
-Weiler & Blacka           Expires July 18, 2009                 [Page 2]
+
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 2]
 
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
 
 
 1.  Introduction and Terminology
 
-   This document lists some clarifications and corrections to DNSSECbis,
-   as described in [RFC4033], [RFC4034], and [RFC4035].
+   This document lists some additions, clarifications and corrections to
+   the core DNSSECbis specification, as originally described in
+   [RFC4033], [RFC4034], and [RFC4035].
 
    It is intended to serve as a resource for implementors and as a
    repository of items that need to be addressed when advancing the
@@ -126,8 +127,8 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
    The clarifications to DNSSECbis are sorted according to their
    importance, starting with ones which could, if ignored, lead to
-   security and stability problems and progressing down to
-   clarifications that are expected to have little operational impact.
+   security problems and progressing down to clarifications that are
+   expected to have little operational impact.
 
 1.2.  Terminology
 
@@ -138,16 +139,17 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
 2.  Important Additions to DNSSSECbis
 
-   This section provides
+   This section updates the set of core DNSSEC protocol documents
+   originally specified in Section 10 of [RFC4033].
 
 2.1.  NSEC3 Support
 
    [RFC5155] describes the use and behavior of the NSEC3 and NSEC3PARAM
    records for hashed denial of existence.  Validator implementations
-   are strongly encouraged to include support for NSEC3 as a number of
-   highly visible zones are expected to use it.  Validators that do not
-   support validation of responses using NSEC3 will likely be hampered
-   in validating large portions of the DNS space.
+   are strongly encouraged to include support for NSEC3 because a number
+   of highly visible zones are expected to use it.  Validators that do
+   not support validation of responses using NSEC3 will likely be
+   hampered in validating large portions of the DNS space.
 
    [RFC5155] should be considered part of the DNS Security Document
    Family as described by [RFC4033], Section 10.
@@ -156,35 +158,33 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
    [RFC4509] describes the use of SHA-256 as a digest algorithm for use
    with Delegation Signer (DS) RRs.  [I-D.ietf-dnsext-dnssec-rsasha256]
-   describes the use of the RSASHA256 algorthim for use in DNSKEY and
+   describes the use of the RSASHA256 algorithm for use in DNSKEY and
    RRSIG RRs.  Validator implementations are strongly encouraged to
    include support for this algorithm for DS, DNSKEY, and RRSIG records.
 
-   Both [RFC4509] and [I-D.ietf-dnsext-dnssec-rsasha256] should also be
 
 
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 3]
+Weiler & Blacka           Expires March 9, 2010                 [Page 3]
 
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
 
 
+   Both [RFC4509] and [I-D.ietf-dnsext-dnssec-rsasha256] should also be
    considered part of the DNS Security Document Family as described by
    [RFC4033], Section 10.
 
 
-3.  Significant Concerns
+3.  Security Concerns
 
    This section provides clarifications that, if overlooked, could lead
-   to security issues or major interoperability problems.
+   to security issues.
 
 3.1.  Clarifications on Non-Existence Proofs
 
-   [RFC4035] Section 5.4 underspecifies the algorithm for checking non-
+   [RFC4035] Section 5.4 under-specifies the algorithm for checking non-
    existence proofs.  In particular, the algorithm as presented would
    incorrectly allow an NSEC or NSEC3 RR from an ancestor zone to prove
-   the non-existence of other RRs at that name in the child zone or
-   other names in the child zone.
+   the non-existence of RRs in the child zone.
 
    An "ancestor delegation" NSEC RR (or NSEC3 RR) is one with:
 
@@ -209,43 +209,51 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
    [RFC4035] does not address how to validate responses when QTYPE=*.
    As described in Section 6.2.2 of [RFC1034], a proper response to
-   QTYPE=* may include a subset of the RRsets at a given name -- it is
-   not necessary to include all RRsets at the QNAME in the response.
+   QTYPE=* may include a subset of the RRsets at a given name.  That is,
+   it is not necessary to include all RRsets at the QNAME in the
+   response.
 
-   When validating a response to QTYPE=*, validate all received RRsets
-   that match QNAME and QCLASS.  If any of those RRsets fail validation,
-   treat the answer as Bogus.  If there are no RRsets matching QNAME and
-   QCLASS, validate that fact using the rules in [RFC4035] Section 5.4
-   (as clarified in this document).  To be clear, a validator must not
+   When validating a response to QTYPE=*, all received RRsets that match
+   QNAME and QCLASS MUST be validated.  If any of those RRsets fail
+   validation, the answer is considered Bogus.  If there are no RRsets
+   matching QNAME and QCLASS, that fact MUST be validated according to
 
 
 
-Weiler & Blacka           Expires July 18, 2009                 [Page 4]
+Weiler & Blacka           Expires March 9, 2010                 [Page 4]
 
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
 
 
-   expect to receive all records at the QNAME in response to QTYPE=*.
+   the rules in [RFC4035] Section 5.4 (as clarified in this document).
+   To be clear, a validator must not expect to receive all records at
+   the QNAME in response to QTYPE=*.
 
 3.3.  Check for CNAME
 
    Section 5 of [RFC4035] says little about validating responses based
    on (or that should be based on) CNAMEs.  When validating a NOERROR/
    NODATA response, validators MUST check the CNAME bit in the matching
-   NSEC or NSEC3 RR's type bitmap.  If the CNAME bit is set, the
-   validator MUST validate the CNAME RR and follow it, as appropriate.
+   NSEC or NSEC3 RR's type bitmap in addition to the bit for the query
+   type.  Without this check, an attacker could successfully transform a
+   positive CNAME response into a NOERROR/NODATA response.
 
 3.4.  Insecure Delegation Proofs
 
    [RFC4035] Section 5.2 specifies that a validator, when proving a
    delegation is not secure, needs to check for the absence of the DS
    and SOA bits in the NSEC (or NSEC3) type bitmap.  The validator also
-   needs to check for the presence of the NS bit in the NSEC (or NSEC3)
-   RR (proving that there is, indeed, a delegation).  If this is not
-   checked, spoofed unsigned delegations might be used to claim that an
-   existing signed record is not signed.
+   needs to check for the presence of the NS bit in the matching NSEC
+   (or NSEC3) RR (proving that there is, indeed, a delegation), or
+   alternately make sure that the delegation is covered by an NSEC3 RR
+   with the Opt-Out flag set.  If this is not checked, spoofed unsigned
+   delegations might be used to claim that an existing signed record is
+   not signed.
 
-3.5.  Errors in Canonical Form Type Code List
+
+4.  Interoperability Concerns
+
+4.1.  Errors in Canonical Form Type Code List
 
    When canonicalizing DNS names, DNS names in the RDATA section of NSEC
    and RRSIG resource records are not downcased.
@@ -260,27 +268,25 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    Since HINFO records contain no domain names, they are not subject to
    downcasing.
 
-
-4.  Interoperability Concerns
-
-4.1.  Unknown DS Message Digest Algorithms
+4.2.  Unknown DS Message Digest Algorithms
 
    Section 5.2 of [RFC4035] includes rules for how to handle delegations
-   to zones that are signed with entirely unsupported algorithms, as
-   indicated by the algorithms shown in those zone's DS RRsets.  It does
-   not explicitly address how to handle DS records that use unsupported
-   message digest algorithms.  In brief, DS records using unknown or
-   unsupported message digest algorithms MUST be treated the same way as
-   DS records referring to DNSKEY RRs of unknown or unsupported
-   algorithms.
+   to zones that are signed with entirely unsupported public key
+   algorithms, as indicated by the key algorithms shown in those zone's
 
 
 
-Weiler & Blacka           Expires July 18, 2009                 [Page 5]
+Weiler & Blacka           Expires March 9, 2010                 [Page 5]
 
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
 
 
+   DS RRsets.  It does not explicitly address how to handle DS records
+   that use unsupported message digest algorithms.  In brief, DS records
+   using unknown or unsupported message digest algorithms MUST be
+   treated the same way as DS records referring to DNSKEY RRs of unknown
+   or unsupported public key algorithms.
+
    The existing text says:
 
       If the validator does not support any of the algorithms listed in
@@ -291,15 +297,15 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
       described above.
 
    To paraphrase the above, when determining the security status of a
-   zone, a validator discards (for this purpose only) any DS records
-   listing unknown or unsupported algorithms.  If none are left, the
-   zone is treated as if it were unsigned.
+   zone, a validator disregards any DS records listing unknown or
+   unsupported algorithms.  If none are left, the zone is treated as if
+   it were unsigned.
 
    Modified to consider DS message digest algorithms, a validator also
-   discards any DS records using unknown or unsupported message digest
+   disregards any DS records using unknown or unsupported message digest
    algorithms.
 
-4.2.  Private Algorithms
+4.3.  Private Algorithms
 
    As discussed above, section 5.2 of [RFC4035] requires that validators
    make decisions about the security status of zones based on the public
@@ -313,30 +319,30 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    needed.  In the remaining cases, the security status of the zone
    depends on whether or not the resolver supports any of the private
    algorithms in use (provided that these DS records use supported hash
-   functions, as discussed in Section 4.1).  In these cases, the
+   functions, as discussed in Section 4.2).  In these cases, the
    resolver MUST retrieve the corresponding DNSKEY for each private
    algorithm DS record and examine the public key field to determine the
    algorithm in use.  The security-aware resolver MUST ensure that the
    hash of the DNSKEY RR's owner name and RDATA matches the digest in
    the DS RR.  If they do not match, and no other DS establishes that
-   the zone is secure, the referral should be considered BAD data, as
+   the zone is secure, the referral should be considered Bogus data, as
    discussed in [RFC4035].
 
    This clarification facilitates the broader use of private algorithms,
+
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 6]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
    as suggested by [RFC4955].
 
-4.3.  Caution About Local Policy and Multiple RRSIGs
+4.4.  Caution About Local Policy and Multiple RRSIGs
 
    When multiple RRSIGs cover a given RRset, [RFC4035] Section 5.3.3
    suggests that "the local resolver security policy determines whether
-
-
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 6]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
    the resolver also has to test these RRSIG RRs and how to resolve
    conflicts if these RRSIG RRs lead to differing results."  In most
    cases, a resolver would be well advised to accept any valid RRSIG as
@@ -352,7 +358,7 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    method described in section 4.2.1.2 of [RFC4641] might not work
    reliably.
 
-4.4.  Key Tag Calculation
+4.5.  Key Tag Calculation
 
    [RFC4034] Appendix B.1 incorrectly defines the Key Tag field
    calculation for algorithm 1.  It correctly says that the Key Tag is
@@ -361,7 +367,7 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    say that this is 4th to last and 3rd to last octets of the public key
    modulus.  It is, in fact, the 3rd to last and 2nd to last octets.
 
-4.5.  Setting the DO Bit on Replies
+4.6.  Setting the DO Bit on Replies
 
    [RFC4035] does not provide any instructions to servers as to how to
    set the DO bit.  Some authoritative server implementations have
@@ -370,7 +376,7 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    responses.  Either behavior is permitted.  To be clear, in replies to
    queries with the DO-bit set servers may or may not set the DO bit.
 
-4.6.  Setting the AD bit on Replies
+4.7.  Setting the AD bit on Replies
 
    Section 3.2.3 of [RFC4035] describes under which conditions a
    validating resolver should set or clear the AD bit in a response.  In
@@ -379,6 +385,14 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    conditions listed in RFC 4035, section 3.2.3, and the request
    contained either a set DO bit or a set AD bit.
 
+
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 7]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
    Note that the use of the AD bit in the query was previously
    undefined.  This document defines it as a signal indicating that the
    requester understands and is interested in the value of the AD bit in
@@ -386,23 +400,16 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    understands the AD bit without also requesting DNSSEC data via the DO
    bit.
 
-
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 7]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
-4.7.  Setting the CD bit on Requests
+4.8.  Setting the CD bit on Requests
 
    When processing a request with the CD bit set, the resolver MUST set
    the CD bit on its upstream queries.
 
-4.8.  Nested Trust Anchors
+4.9.  Nested Trust Anchors
 
    A DNSSEC validator may be configured such that, for a given response,
    more than one trust anchor could be used to validate the chain of
-   trust to the response zone.  For example, imagine a validor
+   trust to the response zone.  For example, imagine a validator
    configured with trust anchors for "example." and "zone.example."
    When the validator is asked to validate a response to
    "www.sub.zone.example.", either trust anchor could apply.
@@ -431,6 +438,17 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    does not already have the parent's NS RRset.  Section 4.2 of
    [RFC4035] specifies a mechanism for doing that.
 
+
+
+
+
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 8]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
 5.2.  Clarifications on DNSKEY Usage
 
    Questions of the form "can I use a different DNSKEY for signing this
@@ -441,14 +459,6 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    the size of the DNSKEY RRset.  However, be aware that there is no way
    to tell resolvers what a particularly DNSKEY is supposed to be used
    for -- any DNSKEY in the zone's signed DNSKEY RRset may be used to
-
-
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 8]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
    authenticate any RRset in the zone.  For example, if a weaker or less
    trusted DNSKEY is being used to authenticate NSEC RRsets or all
    dynamically updated records, that same DNSKEY can also be used to
@@ -480,14 +490,21 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
 5.4.  Errors in RFC 5155
 
-   A NSEC3 record, that matches an Empty Non-Terminal, effectively has
-   no type associated with it.  This NSEC3 record has an empty type bit
+   A NSEC3 record that matches an Empty Non-Terminal effectively has no
+   type associated with it.  This NSEC3 record has an empty type bit
    map.  Section 3.2.1 of [RFC5155] contains the statement:
 
       Blocks with no types present MUST NOT be included.
 
    However, the same section contains a regular expression:
 
+
+
+Weiler & Blacka           Expires March 9, 2010                 [Page 9]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
       Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
 
    The plus sign in the regular expression indicates that there is one
@@ -496,15 +513,6 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    contradicts with the first statement.  Therefore, the correct text in
    RFC 5155 3.2.1 should be:
 
-
-
-
-
-Weiler & Blacka           Expires July 18, 2009                 [Page 9]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
       Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )*
 
 
@@ -515,16 +523,15 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
 
 7.  Security Considerations
 
-   This document does not make fundamental changes to the DNSSEC
-   protocol, as it was generally understood when DNSSECbis was
-   published.  It does, however, address some ambiguities and omissions
-   in those documents that, if not recognized and addressed in
+   This document adds two cryptographic features to the core DNSSEC
+   protocol.  Additionally, it addresses some ambiguities and omissions
+   in the core DNSSEC documents that, if not recognized and addressed in
    implementations, could lead to security failures.  In particular, the
    validation algorithm clarifications in Section 3 are critical for
    preserving the security properties DNSSEC offers.  Furthermore,
    failure to address some of the interoperability concerns in Section 4
    could limit the ability to later change or expand DNSSEC, including
-   by adding new algorithms.
+   adding new algorithms.
 
 
 8.  References
@@ -534,8 +541,8 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
    [I-D.ietf-dnsext-dnssec-rsasha256]
               Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY
               and RRSIG Resource Records for DNSSEC",
-              draft-ietf-dnsext-dnssec-rsasha256-10 (work in progress),
-              January 2009.
+              draft-ietf-dnsext-dnssec-rsasha256-14 (work in progress),
+              June 2009.
 
    [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
               RFC 1034, STD 13, November 1987.
@@ -547,20 +554,19 @@ Internet-Draft       DNSSECbis Implementation Notes         January 2009
               Rose, "DNS Security Introduction and Requirements",
               RFC 4033, March 2005.
 
+
+
+Weiler & Blacka           Expires March 9, 2010                [Page 10]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
    [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
               Rose, "Resource Records for the DNS Security Extensions",
               RFC 4034, March 2005.
 
    [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
               Rose, "Protocol Modifications for the DNS Security
-
-
-
-Weiler & Blacka           Expires July 18, 2009                [Page 10]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
               Extensions", RFC 4035, March 2005.
 
    [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
@@ -592,17 +598,25 @@ Appendix A.  Acknowledgments
    provided text suitable for inclusion in this document.
 
    The lack of specificity about handling private algorithms, as
-   described in Section 4.2, and the lack of specificity in handling ANY
+   described in Section 4.3, and the lack of specificity in handling ANY
    queries, as described in Section 3.2, were discovered by David
    Blacka.
 
    The error in algorithm 1 key tag calculation, as described in
-   Section 4.4, was found by Abhijit Hayatnagarkar.  Donald Eastlake
-   contributed text for Section 4.4.
+   Section 4.5, was found by Abhijit Hayatnagarkar.  Donald Eastlake
+   contributed text for Section 4.5.
 
    The bug relating to delegation NSEC RR's in Section 3.1 was found by
    Roy Badami.  Roy Arends found the related problem with DNAME.
 
+
+
+
+Weiler & Blacka           Expires March 9, 2010                [Page 11]
+
+Internet-Draft       DNSSECbis Implementation Notes       September 2009
+
+
    The errors in the [RFC4035] examples were found by Roy Arends, who
    also contributed text for Section 5.3 of this document.
 
@@ -611,12 +625,6 @@ Appendix A.  Acknowledgments
    comments on the text of this document.
 
 
-
-Weiler & Blacka           Expires July 18, 2009                [Page 11]
-
-Internet-Draft       DNSSECbis Implementation Notes         January 2009
-
-
 Authors' Addresses
 
    Samuel Weiler
@@ -660,13 +668,5 @@ Authors' Addresses
 
 
 
-
-
-
-
-
-
-
-
-Weiler & Blacka           Expires July 18, 2009                [Page 12]
+Weiler & Blacka           Expires March 9, 2010                [Page 12]
 

From fc47f5d6f1bf7fcd8731cc50197e9a67521c7437 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Tue, 8 Sep 2009 12:52:23 +0000
Subject: [PATCH 133/385] typo

---
 contrib/pkcs11-keygen/PKCS11-NOTES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/pkcs11-keygen/PKCS11-NOTES b/contrib/pkcs11-keygen/PKCS11-NOTES
index 7af9d242d0..2d07e9f2b5 100644
--- a/contrib/pkcs11-keygen/PKCS11-NOTES
+++ b/contrib/pkcs11-keygen/PKCS11-NOTES
@@ -69,7 +69,7 @@ to simply use the slot 0 (usual default, meta-slot on Solaris).
 
 Sign-only engine
 
-openssl.../crypto/engibe/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
 a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
 has only the useful functions (i.e., signature with a RSA private
 key in the device protected key store and key loading).

From e7de5dcef603397f5942758930222d9d44e052ff Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Tue, 8 Sep 2009 13:04:29 +0000
Subject: [PATCH 134/385] typo, cf RT20219

---
 lib/isc/win32/net.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
index 3785f8abdf..1153af79a2 100644
--- a/lib/isc/win32/net.c
+++ b/lib/isc/win32/net.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.18 2008/08/08 05:06:49 marka Exp $ */
+/* $Id: net.c,v 1.19 2009/09/08 13:04:29 fdupont Exp $ */
 
 #include 
 
@@ -197,7 +197,7 @@ try_ipv6only(void) {
 	ipv6only_result = ISC_R_SUCCESS;
 
 close:
-	closeocket(s);
+	closesocket(s);
 	return;
 #endif /* IPV6_V6ONLY */
 }

From 2636aac047134e5e6e1bcbe39dece97d774a47e4 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 15:32:11 +0000
Subject: [PATCH 135/385] - s/OpenSolaris/Solaris/ - s/Windows 2003/Windows
 Server 2003/ - use the term "PKCS #11 provider"

---
 README.pkcs11 | 43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index 63297aabdf..f789232c21 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -8,10 +8,10 @@ independent API for the control of hardware security modules (HSMs)
 and other cryptographic support devices. 
 
 BIND 9 is known to work with two HSMs:  The Sun SCA 6000 cryptographic
-acceration board, tested under OpenSolaris x86, and the AEP Keyper
+acceration board, tested under Solaris x86, and the AEP Keyper
 network-attached key storage device, tested with a Debian Linux system.
-(The Keyper has also been tested with Windows 2003 and found to work,
-but with some stability problems that have not yet been resolved.)
+(The Keyper has also been tested with Windows Server 2003 and found to
+work, but with some stability problems that have not yet been resolved.)
 
 PREREQUISITES
 
@@ -22,17 +22,19 @@ BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
 yet fully support PKCS #11.  However, a PKCS #11 engine for OpenSSL
 is available from the OpenSolaris project.  It has been modified by
 ISC to work with with BIND 9 and to provide new features such as
-PIN management.
+PIN management and key by reference.
 
-The modified OpenSSL depends on a PKCS #11 shared library object,
-which is provided by the HSM vendor and is specific to the HSM to
-be controlled.
+The modified OpenSSL depends on a "PKCS #11 provider".  This is a shared
+library object, providing a low-level PKCS #11 interface to the HSM
+hardware; it is dynamically loaded by OpenSSL at runtime.  The PKCS #11
+provider comes from the HSM vendor, and and is specific to the HSM to be
+controlled.
 
-The OpenSSL code is included in BIND 9.7.0a3 release in the form
-of a context diff against OpenSSL 0.9.8i.  Before building BIND 9
-PKCS #11 support, it will be necessary to build OpenSSL with this
-patch in place, and provide it with the path to the HSM-specific
-PKCS #11 library.
+The modified OpenSSL code is included in BIND 9.7.0a3 release in the form
+of a context diff against OpenSSL 0.9.8i.  Before building BIND 9 with
+PKCS #11 support, it will be necessary to build OpenSSL with this patch
+in place and inform it of the path to the HSM-specific PKCS #11 provider
+library.
 
 Obtain OpenSSL 0.9.8i:
 
@@ -57,8 +59,8 @@ We will use this location when we configure BIND 9.
 
     EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX:
 
-    The AEP Keyper is a highly-secured key storage device, but it does not
-    provide hardware cryptographic acceleration.  It can carry out
+    The AEP Keyper is a highly-secured key storage device, but it does
+    not provide hardware cryptographic acceleration.  It can carry out
     cryptographic operations, but it is probably slower than your
     system's CPU, so it is most efficient to use it only for operations
     that require the secured private key.
@@ -73,8 +75,8 @@ We will use this location when we configure BIND 9.
         cp openssl-0.9.8i/crypto/engine/hw_pk11_pub-kp.c \
            openssl-0.9.8i/crypto/engine/hw_pk11_pub.c
 
-    The Keyper-specific PKCS #11 shared library object is provided
-    by AEP.  In this example, we place it /opt/pkcs11/usr/lib:
+    The Keyper-specific PKCS #11 provider library is delivered with the
+    Keyper software.  In this example, we place it /opt/pkcs11/usr/lib:
 
         cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so
 
@@ -95,9 +97,10 @@ We will use this location when we configure BIND 9.
 
     EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS:
 
-    The SCA-6000 PKCS #11 library is provided as a system library, libpkcs11.
+    The SCA-6000 PKCS #11 provider is installed as a system library,
+    libpkcs11.
 
-    In this example, we are building on OpenSolaris x86 on an AMD64 system.
+    In this example, we are building on Solaris x86 on an AMD64 system.
 
         cd openssl-0.9.8i
         ./Configure solaris64-x86_64-cc -xarch=amd64 \
@@ -190,8 +193,8 @@ libraries can be loaded:
     export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}
 
 When operating an AEP Keyper, it is also necessary to specify the
-location of the "machine" file, which provides information about the
-Keyper to the PKCS #11 library.  For example, if the machine file is in
+location of the "machine" file, which stores information about the Keyper
+for use by PKCS #11 provider library.  If the machine file is in
 /opt/Keyper/PKCS11Provider/machine, use:
 
     export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider

From 523598fafa87b0b1abb5a3a2913522e5e0716f6d Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 8 Sep 2009 16:33:01 +0000
Subject: [PATCH 136/385] - update README for a3 release - update
 README.rfc5011 to remove info now in the ARM, and to add   smart-signing info

---
 README         |  7 +++--
 README.rfc5011 | 75 +++++++++++++++++---------------------------------
 2 files changed, 30 insertions(+), 52 deletions(-)

diff --git a/README b/README
index 333a881a35..eae294c6f8 100644
--- a/README
+++ b/README
@@ -62,7 +62,8 @@ BIND 9.7.0
 	  share a single cache.
 	- DNS rebinding attack prevention.
 	- New default values for dnssec-keygen parameters.
-	- Support for RFC 5011 (automated trust anchor maintenance).
+	- Support for RFC 5011 automated trust anchor maintenance
+          (see README.rfc5011 for additional details).
 	- Smart signing: simplified tools for zone signing and key
 	  maintenance.
 	- The "statistics-channels" option is now available on Windows.
@@ -72,11 +73,13 @@ BIND 9.7.0
           a stack backtrace an assertion failure, to aid in debugging.
         - A "tools only" installation mode on Windows, which only installs
           dig, host, nslookup and nsupdate.
+        - Improved PKCS#11 support, including Keyper support (see
+          README.pkcs11 for additional details).
 
 	Planned but not complete in this alpha:
 
 	- Fully automatic signing of zones by "named"
-        - Improved PKCS#11 support, including Keyper support
+        - Additional PKCS#11 support, including multiple OpenSSL engines
 
 BIND 9.6.0
 
diff --git a/README.rfc5011 b/README.rfc5011
index 539d3ba84c..02aac566a9 100644
--- a/README.rfc5011
+++ b/README.rfc5011
@@ -1,11 +1,18 @@
+
+                        BIND 9 RFC 5011 support
+
 BIND 9.7.0 introduces support for RFC 5011, dynamic trust anchor
 management.  Using this feature allows named to keep track of changes to
 critical DNSSEC keys without any need for the operator to make changes to
 configuration files.
 
-As of 9.7.0a1, the syntax for using RFC5011 is expected to change, so
-proper documentation has yet to be written.  This file is intended to
-provide enough information to get started.
+VALIDATING RESOLVER
+-------------------
+
+To configure a validating resolver to use RFC5011 to maintain a trust
+anchor, configure the trust anchor using a "managed-keys" statement.
+Information about this can be found in the ARM, in the section titled
+"managed-keys Statement Definition".
 
 AUTHORITATIVE SERVER
 --------------------
@@ -22,6 +29,14 @@ will recheck the zone periodically, and after 30 days, if the new key is
 still there, then the key will be accepted by the resolver as a valid
 trust anchor for the zone.
 
+The easiest way to place a stand-by key in a zone is to use the "smart
+signing" features of dnssec-signzone.  If a key with a publication date
+in the past, but an activation date in the future, "dnssec-signzone -S"
+will include the DNSKEY record in the zone, but will not sign with it:
+
+    $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
+    $ dnssec-signzone -S -K keys example.net
+
 At any time after this 30-day acceptance timer has expired, the active
 KSK can be revoked and the zone can be "rolled over" to one of the
 standby KSKs.
@@ -31,52 +46,12 @@ the REVOKED bit to the key flags and re-generates the K*.key and K*.private
 files.
 
 After revoking the active key, the zone must be signed with both the
-revoked KSK and the new active KSK.  Once a key has been revoked and
-used to sign the DNSKEY RRset in which it appears, that key will never
-again be accepted as a valid trust anchor by the resolver.  However,
-validation can proceed using the new active key (which had been accepted
-by the resolver when it was a stand-by key).
+revoked KSK and the new active KSK.  (Smart signing takes care of this
+automatically.)
+
+Once a key has been revoked and used to sign the DNSKEY RRset in which it
+appears, that key will never again be accepted as a valid trust anchor by
+the resolver.  However, validation can proceed using the new active key
+(which had been accepted by the resolver when it was a stand-by key).
 
 See RFC 5011 for more details on key rollover scenarios.
-
-VALIDATING RESOLVER
--------------------
-
-NOTE: This is expected to change before 9.7.0 is final!
-
-To configure a validating resolver to use RFC5011 to maintain a trust
-anchor, configure the trust anchor using a "managed-keys" statement
-instead of a "trusted-keys" statement.
-
-A "managed-keys" statement contains a list of keys to be maintained,
-with information on how they are to be initialized the first time.  The
-only initialization method supported in BIND 9.7.0 is "initial-key".
-This means the "managed-keys" statement itself will contain a copy of
-the initializing key.  In future releases, keys may be initialized by
-other methods, removing the need to incorporate a copy of an intializing
-key in named.conf.
-
-Example:
-
-managed-keys {
-	sample.domain. initial-key 257 3 5 "BEAAAAPHMu ...";
-};
-
-At first glance this is very similar to a "trusted-keys" statement,
-differing only in the presence of the second field, "initial-key".
-However, whereas a trusted key is trusted permanently until it is
-removed from named.conf, this key would only be trusted once, for
-as long as it takes to initialize RFC5011 key maintenance.
-
-The first time named runs with a managed key configured in named.conf,
-it fetches the DNSKEY RRset directly from the zone apex, and validates
-it using the key specified in the "managed-keys" statement, as above.
-If the DNSKEY RRset is validly signed, then it is used as the basis for
-a new managed keys database.
-
-From that point on, whenever named loads, it sees the "managed-keys"
-statement, checks to make sure RFC5011 key maintenance has already been
-initialized for the specified zone, and if so, it simply moves on.
-No action will be taken unless a key is *removed* from the "managed-keys"
-statement--in which case that zone is removed from the managed keys
-database as well, and RFC5011 key maintenance will no longer be used.

From 14cd8ac04c999fd1d2e620856330e808cae57950 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 8 Sep 2009 23:23:22 +0000
Subject: [PATCH 137/385] 2672.   [bug]           Don't enable searching in
 'host' when doing reverse                         lookups. [RT #20218]

---
 CHANGES        | 3 +++
 bin/dig/host.c | 5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7af8522e43..7bb9eb7f8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2672.	[bug]		Don't enable searching in 'host' when doing reverse
+			lookups. [RT #20218]
+
 	--- 9.7.0a3 released ---
 
 2671.	[bug]		Add support for PKCS#11 providers not returning
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 8e414a483c..a278a3df81 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.118 2009/05/06 23:47:50 tbox Exp $ */
+/* $Id: host.c,v 1.119 2009/09/08 23:23:22 marka Exp $ */
 
 /*! \file */
 
@@ -839,11 +839,10 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	} else {
 		strncpy(lookup->textname, hostname, sizeof(lookup->textname));
 		lookup->textname[sizeof(lookup->textname)-1]=0;
+		usesearch = ISC_TRUE;
 	}
 	lookup->new_search = ISC_TRUE;
 	ISC_LIST_APPEND(lookup_list, lookup, link);
-
-	usesearch = ISC_TRUE;
 }
 
 int

From 9f0225ba7e69a36e546ef40107d86c1ba04f10db Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 8 Sep 2009 23:30:35 +0000
Subject: [PATCH 138/385] newcopyrights

---
 util/copyrights | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index f56125fe5b..5e966f63c1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1242,6 +1242,7 @@
 ./contrib/nslint-2.1a3/savestr.h		X	2001
 ./contrib/nslint-2.1a3/strerror.c		X	2001
 ./contrib/pkcs11-keygen/PEM_write_pubkey.c	X	2008
+./contrib/pkcs11-keygen/PKCS11-NOTES		X	2009
 ./contrib/pkcs11-keygen/README			X	2008,2009
 ./contrib/pkcs11-keygen/destroyobj.c		X	2008,2009
 ./contrib/pkcs11-keygen/genkey.c		X	2008,2009
@@ -2318,7 +2319,7 @@
 ./lib/isc/win32/libisc.dsp			X	2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isc/win32/libisc.dsw			X	2001
 ./lib/isc/win32/libisc.mak			X	2001,2002,2003,2004,2005,2006,2007,2008,2009
-./lib/isc/win32/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008
+./lib/isc/win32/net.c				C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009
 ./lib/isc/win32/netdb.h				C	2000,2001,2004,2006,2007,2009
 ./lib/isc/win32/ntgroups.c			C	2001,2004,2006,2007
 ./lib/isc/win32/ntpaths.c			C	2001,2004,2007,2009

From d8b801bd1992d344d1bbf424c5ad2667a2023186 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 8 Sep 2009 23:41:50 +0000
Subject: [PATCH 139/385] update copyright notice

---
 lib/isc/win32/net.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
index 1153af79a2..b88349d1c9 100644
--- a/lib/isc/win32/net.c
+++ b/lib/isc/win32/net.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.19 2009/09/08 13:04:29 fdupont Exp $ */
+/* $Id: net.c,v 1.20 2009/09/08 23:41:50 tbox Exp $ */
 
 #include 
 

From 7c87a8bf7bc525f9b3ce80e7c12928a226e37d2b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 9 Sep 2009 04:27:40 +0000
Subject: [PATCH 140/385] remove util if empty, for pre 9.7

---
 util/kit.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/util/kit.sh b/util/kit.sh
index f4019a14fb..b15a304306 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: kit.sh,v 1.37 2009/09/08 03:39:30 each Exp $
+# $Id: kit.sh,v 1.38 2009/09/09 04:27:40 marka Exp $
 
 # Make a release kit
 #
@@ -120,7 +120,8 @@ rm -rf TODO EXCLUDED conftools doc/design doc/dev doc/expired \
     bin/tests/system/relay lib/cfg
 
 # Remove everything but mksymtbl.pl from util
-find ./util -name mksymtbl.pl -prune -o -type f -print | xargs rm -rf
+find util -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
+find util -depth -type d -print | xargs rmdir -p
 
 # Remove all .cvsignore files
 find . -name .cvsignore -print | xargs rm

From 05398561e0221fe1fef1457627a50c60bddbb022 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 9 Sep 2009 04:48:01 +0000
Subject: [PATCH 141/385] make more portable

---
 util/kit.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/kit.sh b/util/kit.sh
index b15a304306..6f5bf6be44 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: kit.sh,v 1.38 2009/09/09 04:27:40 marka Exp $
+# $Id: kit.sh,v 1.39 2009/09/09 04:48:01 marka Exp $
 
 # Make a release kit
 #
@@ -121,7 +121,7 @@ rm -rf TODO EXCLUDED conftools doc/design doc/dev doc/expired \
 
 # Remove everything but mksymtbl.pl from util
 find util -name mksymtbl.pl -prune -o -type f -print | xargs rm -f
-find util -depth -type d -print | xargs rmdir -p
+find util -depth -type d -print | xargs rmdir 2>/dev/null
 
 # Remove all .cvsignore files
 find . -name .cvsignore -print | xargs rm

From 08927bbead14fabe75277a42482e3bce3deda831 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 9 Sep 2009 06:42:15 +0000
Subject: [PATCH 142/385] Simplify solaris build instructions, it had some
 unnecessary compile options

---
 README.pkcs11 | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index f789232c21..d56c5120b0 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -103,10 +103,12 @@ We will use this location when we configure BIND 9.
     In this example, we are building on Solaris x86 on an AMD64 system.
 
         cd openssl-0.9.8i
-        ./Configure solaris64-x86_64-cc -xarch=amd64 \
+        ./Configure solaris64-x86_64-cc \
             --pk11-libname=/usr/lib/64/libpkcs11.so \
             --prefix=/opt/pkcs11/usr
 
+    (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
+
     After configuring, run "make" and "make test".
 
 Once you have built OpenSSL, run "apps/openssl engine" to confirm that
@@ -124,8 +126,8 @@ library must be specified via configure.
 
     EXAMPLE 3--CONFIGURING BIND 9 FOR LINUX
 
-    To link with the PKCS #11 library, threads must be enabled in the bind9
-    build.
+    To link with the PKCS #11 provider, threads must be enabled in the
+    BIND 9 build.
 
     The PKCS #11 library is only available as a 32-bit binary.  If
     we are building on a 64-bit host, we must force a 32-bit build by
@@ -137,13 +139,15 @@ library must be specified via configure.
 
     EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS
 
-    To link with the PKCS #11 library, threads must be enabled in the bind9
-    build.
+    To link with the PKCS #11 provider, threads must be enabled in the
+    BIND 9 build.
 
         cd ../bind-9.7.0a3
-        ./configure CC="cc -xarch=adm64" --enable-threads \
+        ./configure CC="cc -xarch=amd64" --enable-threads \
             --with-openssl=/opt/pkcs11/usr
 
+    (For a 32-bit build, omit CC="cc -xarch=amd64".)
+
 If configure complains about OpenSSL not working, you may have a 32/64-bit
 architecture mismatch.  Or, you may have incorrectly specified the path to
 OpenSSL (it should be the same as the --prefix argument to the OpenSSL
@@ -177,12 +181,9 @@ can get you started.
 
     EXAMPLE 6--BUILDING TOOLS ON SOLARIS:
 
-    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
-        genkey.c -o genkey -lcrypto -lpkcs11 -lsocket
-    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
-        listobjs.c -o listobjs -lcrypto -lpkcs11 -lsocket
-    cc -xarch=amd64 -I. -L /opt/pkcs11/usr/lib \
-        destroyobj.c -o destroyobj -lcrypto -lpkcs11 -lsocket
+    cc -I. -L /opt/pkcs11/usr/lib genkey.c -o genkey -lpkcs11
+    cc -I. -L /opt/pkcs11/usr/lib listobjs.c -o listobjs -lpkcs11
+    cc -I. -L /opt/pkcs11/usr/lib destroyobj.c -o destroyobj -lpkcs11
     cd ../..
 
 USING THE HSM

From 4c9c08e4a17b8930568fd6c7968b7556034c8a61 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 9 Sep 2009 07:15:24 +0000
Subject: [PATCH 143/385] more solaris/sca6000 simplification

---
 README.pkcs11 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index d56c5120b0..b232add901 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -181,9 +181,9 @@ can get you started.
 
     EXAMPLE 6--BUILDING TOOLS ON SOLARIS:
 
-    cc -I. -L /opt/pkcs11/usr/lib genkey.c -o genkey -lpkcs11
-    cc -I. -L /opt/pkcs11/usr/lib listobjs.c -o listobjs -lpkcs11
-    cc -I. -L /opt/pkcs11/usr/lib destroyobj.c -o destroyobj -lpkcs11
+    cc -I. genkey.c -o genkey -lpkcs11
+    cc -I. listobjs.c -o listobjs -lpkcs11
+    cc -I. destroyobj.c -o destroyobj -lpkcs11
     cd ../..
 
 USING THE HSM

From 8036473e6c508314cef872dc64e9fe998eaa55d9 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 9 Sep 2009 15:44:33 +0000
Subject: [PATCH 144/385] Update comment, since the key isn't actually going to
 expire in 9/2009 after all.

---
 bind.keys | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bind.keys b/bind.keys
index a54ad97791..511dff4f01 100644
--- a/bind.keys
+++ b/bind.keys
@@ -1,5 +1,6 @@
 managed-keys {
-        # NOTE: This key expires September 2009 
-        # Go to https://www.isc.org/solutions/dlv to download a replacement
+        # NOTE: This key is current as of September 2009.
+        # If it fails to initialize correctly, it may have expired;
+        # see https://www.isc.org/solutions/dlv for a replacement.
 	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
 };

From 31f1c9a2413cf81c1f7d7ddbe1cbce8535f8c30d Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 9 Sep 2009 23:30:30 +0000
Subject: [PATCH 145/385] regen

---
 bin/named/bind.keys.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 433173e782..1c8a4aba11 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -1,15 +1,17 @@
 #define TRUSTED_KEYS "\
 trusted-keys {\n\
-        # NOTE: This key expires September 2009 \n\
-        # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+        # NOTE: This key is current as of September 2009.\n\
+        # If it fails to initialize correctly, it may have expired;\n\
+        # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
 };\n\
 "
 
 #define MANAGED_KEYS "\
 managed-keys {\n\
-        # NOTE: This key expires September 2009 \n\
-        # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+        # NOTE: This key is current as of September 2009.\n\
+        # If it fails to initialize correctly, it may have expired;\n\
+        # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
 };\n\
 "

From c211111e64f9765be8a5521a7f0ef4379f9e3cb6 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 01:43:09 +0000
Subject: [PATCH 146/385] more cleanup

---
 README.pkcs11 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.pkcs11 b/README.pkcs11
index b232add901..72103732eb 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -179,7 +179,7 @@ can get you started.
         destroyobj.c -o destroyobj -lpkcs11
     cd ../..
 
-    EXAMPLE 6--BUILDING TOOLS ON SOLARIS:
+    EXAMPLE 6--BUILDING TOOLS ON SOLARIS WITH SCA 6000:
 
     cc -I. genkey.c -o genkey -lpkcs11
     cc -I. listobjs.c -o listobjs -lpkcs11

From dbabab1f37f9f1713d2179ce4bb4600499a1a3b1 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 01:47:09 +0000
Subject: [PATCH 147/385] rt20045: - sync_keyzone() could leak ISC_R_NOMORE,
 causing zone_postload() to think   it had failed - journal roll-forward on
 key zones complained about having the wrong   number of SOA records -
 dns_soa_buildrdata() could return a pointer to memory allocated on the  
 stack

---
 lib/dns/include/dns/soa.h |  20 ++++-
 lib/dns/soa.c             |  10 ++-
 lib/dns/zone.c            | 163 ++++++++++++++++++++++++--------------
 3 files changed, 127 insertions(+), 66 deletions(-)

diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
index 81425d46c6..696235eea8 100644
--- a/lib/dns/include/dns/soa.h
+++ b/lib/dns/include/dns/soa.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.h,v 1.11 2009/07/01 23:47:36 tbox Exp $ */
+/* $Id: soa.h,v 1.12 2009/09/10 01:47:09 each Exp $ */
 
 #ifndef DNS_SOA_H
 #define DNS_SOA_H 1
@@ -40,12 +40,28 @@
 
 ISC_LANG_BEGINDECLS
 
+#define DNS_SOA_BUFFERSIZE      ((2 * DNS_NAME_MAXWIRE) + (4 * 5))
+
 isc_result_t
 dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
 		   dns_rdataclass_t rdclass,
 		   isc_uint32_t serial, isc_uint32_t refresh,
 		   isc_uint32_t retry, isc_uint32_t expire,
-		   isc_uint32_t minimum, dns_rdata_t *rdata);
+		   isc_uint32_t minimum, unsigned char *buffer,
+		   dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of an SOA record.
+ *
+ * Requires:
+ *\li   buffer  Points to a temporary buffer of at least
+ *              DNS_SOA_BUFFERSIZE bytes.
+ *\li   rdata   Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata       Contains a valid SOA rdata.  The 'data' member
+ *  			refers to 'buffer'.
+ */
+
 isc_uint32_t
 dns_soa_getserial(dns_rdata_t *rdata);
 isc_uint32_t
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index a68d0aa92f..bc10d123f3 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.10 2009/07/01 23:47:36 tbox Exp $ */
+/* $Id: soa.c,v 1.11 2009/09/10 01:47:08 each Exp $ */
 
 /*! \file */
 
@@ -67,14 +67,17 @@ dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
 		   dns_rdataclass_t rdclass,
 		   isc_uint32_t serial, isc_uint32_t refresh,
 		   isc_uint32_t retry, isc_uint32_t expire,
-		   isc_uint32_t minimum, dns_rdata_t *rdata) {
+		   isc_uint32_t minimum, unsigned char *buffer,
+		   dns_rdata_t *rdata) {
 	dns_rdata_soa_t soa;
-	char soadata[DNS_NAME_FORMATSIZE];
 	isc_buffer_t rdatabuf;
 
 	REQUIRE(origin != NULL);
 	REQUIRE(contact != NULL);
 
+	memset(buffer, 0, DNS_SOA_BUFFERSIZE);
+	isc_buffer_init(&rdatabuf, buffer, DNS_SOA_BUFFERSIZE);
+
 	soa.common.rdtype = dns_rdatatype_soa;
 	soa.common.rdclass = rdclass;
 	soa.mctx = NULL;
@@ -88,7 +91,6 @@ dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
 	dns_name_init(&soa.contact, NULL);
 	dns_name_clone(contact, &soa.contact);
 
-	isc_buffer_init(&rdatabuf, soadata, sizeof(soadata));
 	return (dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_soa,
 				      &soa, &rdatabuf));
 }
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2a21bc3e10..f1bd6be76a 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.504 2009/09/01 07:04:12 each Exp $ */
+/* $Id: zone.c,v 1.505 2009/09/10 01:47:08 each Exp $ */
 
 /*! \file */
 
@@ -2891,6 +2891,49 @@ zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) {
 	}
 }
 
+/*
+ * Create an SOA record for a newly-created zone
+ */
+static isc_result_t
+add_soa(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+        unsigned char buf[DNS_SOA_BUFFERSIZE];
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
+
+	dns_diff_init(zone->mctx, &diff);
+	result = dns_db_newversion(db, &ver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_db_newversion -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Build SOA record */
+	result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
+				    0, 0, 0, 0, 0, buf, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_soa_buildrdata -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
+			       &zone->origin, 0, &rdata);
+
+failure:
+	dns_diff_clear(&diff);
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, ISC_TF(result == ISC_R_SUCCESS));
+
+	return (result);
+}
+
 /*
  * Synchronize the set of initializing keys found in managed-keys {}
  * statements with the set of trust anchors found in the managed-keys.bind
@@ -2900,7 +2943,7 @@ zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) {
  * the key zone with the initializing key(s) for that domain.
  */
 static isc_result_t
-sync_keyzone(dns_zone_t *zone, dns_db_t *db, isc_boolean_t addsoa) {
+sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_boolean_t changed = ISC_FALSE;
 	dns_rbtnodechain_t chain;
@@ -2920,6 +2963,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db, isc_boolean_t addsoa) {
 	origin = dns_fixedname_name(&fn);
 
 	dns_diff_init(zone->mctx, &diff);
+
 	result = dns_db_newversion(db, &ver);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
@@ -2928,68 +2972,46 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db, isc_boolean_t addsoa) {
 		goto failure;
 	}
 
-	if (addsoa) {
-		/* If this zone is being newly created, make an SOA record. */
-		dns_rdata_t rdata = DNS_RDATA_INIT;
+	/*
+	 * Walk the zone DB.  If we find any keys whose names are no longer
+	 * in managed-keys (or *are* in trusted-keys, meaning they are
+	 * permanent and not RFC5011-maintained), delete them from the
+	 * zone.  Otherwise call load_secroots(), which loads keys into
+	 * secroots as appropriate.
+	 */
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit)) {
+		dns_rdataset_t *rdataset;
+		dns_name_t *rrname = NULL;
+		isc_uint32_t ttl;
 
-		dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating key zone");
-
-		result = dns_soa_buildrdata(&zone->origin, dns_rootname,
-					    zone->rdclass,
-					    0, 0, 0, 0, 0, &rdata);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "sync_keyzone:dns_soa_buildrdata -> %s\n",
-				     dns_result_totext(result));
+		dns_rriterator_current(&rrit, &rrname, &ttl,
+				       &rdataset, NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			dns_rriterator_destroy(&rrit);
 			goto failure;
 		}
 
-		CHECK(update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
-				    &zone->origin, 0, &rdata));
-	} else {
-		/*
-		 * Zone is not new, so walk the zone DB; if we find any keys
-		 * whose names are no longer in managed-keys (or *are*
-		 * in trusted-keys, meaning they are permanent and not
-		 * RFC5011-maintained), delete them from the zone.  Otherwise
-		 * call load_secroots(), which loads keys into secroots as
-		 * appropriate.
-		 */
-		dns_rriterator_init(&rrit, db, ver, 0);
-		for (result = dns_rriterator_first(&rrit);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rriterator_nextrrset(&rrit)) {
-			dns_rdataset_t *rdataset;
-			dns_name_t *rrname = NULL;
-			isc_uint32_t ttl;
+		if (rdataset->type != dns_rdatatype_keydata)
+			continue;
 
-			dns_rriterator_current(&rrit, &rrname, &ttl,
-					       &rdataset, NULL);
-			if (!dns_rdataset_isassociated(rdataset)) {
-				dns_rriterator_destroy(&rrit);
-				goto failure;
-			}
+		result = dns_keytable_find(sr, rrname, &keynode);
 
-			if (rdataset->type != dns_rdatatype_keydata)
-				continue;
-
-			result = dns_keytable_find(sr, rrname, &keynode);
-
-			if ((result != ISC_R_SUCCESS &&
-			     result != DNS_R_PARTIALMATCH) ||
-			    dns_keynode_managed(keynode) == ISC_FALSE) {
-				CHECK(delete_keydata(db, ver, &diff,
-						     rrname, rdataset));
-			} else {
-				load_secroots(zone, rrname, rdataset);
-			}
-
-			if (keynode != NULL)
-				dns_keytable_detachkeynode(sr, &keynode);
+		if ((result != ISC_R_SUCCESS &&
+		     result != DNS_R_PARTIALMATCH) ||
+		    dns_keynode_managed(keynode) == ISC_FALSE) {
+			CHECK(delete_keydata(db, ver, &diff,
+					     rrname, rdataset));
+		} else {
+			load_secroots(zone, rrname, rdataset);
 		}
 
-		dns_rriterator_destroy(&rrit);
+		if (keynode != NULL)
+			dns_keytable_detachkeynode(sr, &keynode);
 	}
+	dns_rriterator_destroy(&rrit);
 
 	/*
 	 * Now walk secroots to find any managed keys that aren't
@@ -3036,6 +3058,9 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db, isc_boolean_t addsoa) {
 	}
 	RWUNLOCK(&sr->rwlock, isc_rwlocktype_write);
 
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
 	if (changed) {
 		/* Write changes to journal file. */
 		result = increment_soa_serial(db, ver, &diff, zone->mctx);
@@ -3065,6 +3090,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
 	isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	isc_boolean_t nomaster = ISC_FALSE;
 	unsigned int options;
 
 	TIME_NOW(&now);
@@ -3091,6 +3117,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 				     "loading from master file %s failed: %s",
 				     zone->masterfile,
 				     dns_result_totext(result));
+			nomaster = ISC_TRUE;
 		}
 
 		if (zone->type != dns_zone_key)
@@ -3106,6 +3133,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	else
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
 
+	/* 
+	 * If there's no master file for a key zone, then the zone is new:
+	 * create an SOA record.  (We do this now, instead of later, so that
+	 * if there happens to be a journal file, we can roll forward from
+	 * a sane starting point.)
+	 */
+	if (nomaster && zone->type == dns_zone_key) {
+		result = add_soa(zone, db);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
 	/*
 	 * Apply update log, if any, on initial load.
 	 */
@@ -3272,7 +3311,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		break;
 
 	case dns_zone_key:
-		result = sync_keyzone(zone, db, ISC_TF(soacount == 0));
+		zone->serial = serial;
+		result = sync_keyzone(zone, db);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		break;
@@ -3317,8 +3357,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 
 	result = ISC_R_SUCCESS;
 
-	if (needdump)
-		zone_needdump(zone, DNS_DUMP_DELAY);
+	if (needdump) {
+		if (zone->type == dns_zone_key)
+			zone_needdump(zone, 30);
+		else
+			zone_needdump(zone, DNS_DUMP_DELAY);
+	}
 
 	if (zone->task != NULL) {
 		if (zone->type == dns_zone_master) {
@@ -3569,15 +3613,14 @@ zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
 		 isc_uint32_t *expire, isc_uint32_t *minimum,
 		 unsigned int *errors)
 {
-	dns_dbversion_t *version;
 	isc_result_t result;
 	isc_result_t answer = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
 	dns_dbnode_t *node;
 
 	REQUIRE(db != NULL);
 	REQUIRE(zone != NULL);
 
-	version = NULL;
 	dns_db_currentversion(db, &version);
 
 	node = NULL;

From a457576b5870940202b72d7ae28026f93282e2da Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 01:49:29 +0000
Subject: [PATCH 148/385] "dnssec-lookaside auto" crashed if named was built
 without openssl [rt20231]

---
 bin/named/server.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 4b9b6fa518..4258ee9dcc 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.547 2009/09/04 00:49:50 marka Exp $ */
+/* $Id: server.c,v 1.548 2009/09/10 01:49:29 each Exp $ */
 
 /*! \file */
 
@@ -552,7 +552,6 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			    "ignoring %s key for '%s': no crypto support",
 			    managed ? "managed" : "trusted",
 			    keynamestr);
-		result = ISC_R_SUCCESS;
 	} else {
 		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
 			    "configuring %s key for '%s': %s",
@@ -593,6 +592,8 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 	}
 
  cleanup:
+	if (result == DST_R_NOCRYPTO)
+		result = ISC_R_SUCCESS;
 	return (result);
 }
 

From be63f34b6af410ff34a169657625c12394b4f8e7 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 02:16:26 +0000
Subject: [PATCH 149/385] wrong change numbers.

---
 CHANGES | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7bb9eb7f8f..6e81eb29fe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,15 @@
+	--- 9.7.0a3 released ---
+
+2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
+			without openssl. [RT #20231]
+
+2673.	[bug]		The managed-keys.bind zone file could fail to
+			load due to a spurious result from sync_keyzone()
+			[RT #20045]
+
 2672.	[bug]		Don't enable searching in 'host' when doing reverse
 			lookups. [RT #20218]
 
-	--- 9.7.0a3 released ---
-
 2671.	[bug]		Add support for PKCS#11 providers not returning
 			the public exponent in RSA private keys
 			(OpenCryptoki for instance) in

From 0e7cb68ea0c0bf27d1a02b02c501045faef27ae2 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 02:18:40 +0000
Subject: [PATCH 150/385] fix implicit memset() declaration

---
 lib/dns/soa.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index bc10d123f3..1b58bfec12 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -15,11 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.11 2009/09/10 01:47:08 each Exp $ */
+/* $Id: soa.c,v 1.12 2009/09/10 02:18:40 each Exp $ */
 
 /*! \file */
 
 #include 
+#include 
 
 #include 
 #include 

From f267b27f0e1cdc55c7f1ca2a56632ce36907ff63 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 10 Sep 2009 05:09:31 +0000
Subject: [PATCH 151/385] 2675.   [bug]           dnssec-signzone could crash
 if the key directory                         did not exist. [RT #20232]

---
 CHANGES          |  3 +++
 lib/dns/dnssec.c | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6e81eb29fe..46aaadcaa2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2675.   [bug]           dnssec-signzone could crash if the key directory
+                        did not exist. [RT #20232]
+
 	--- 9.7.0a3 released ---
 
 2674.	[bug]		"dnssec-lookaside auto;" crashed if named was built
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 664e4989ee..aa5833f0d1 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.100 2009/09/02 23:48:02 tbox Exp $
+ * $Id: dnssec.c,v 1.101 2009/09/10 05:09:31 each Exp $
  */
 
 /*! \file */
@@ -1101,6 +1101,7 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 			    isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
 {
 	isc_result_t result = ISC_R_SUCCESS;
+	isc_boolean_t dir_open = ISC_FALSE;
 	dns_dnsseckeylist_t list;
 	isc_dir_t dir;
 	dns_dnsseckey_t *key = NULL;
@@ -1111,14 +1112,15 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 
 	REQUIRE(keylist != NULL);
 	ISC_LIST_INIT(list);
+	isc_dir_init(&dir);
 
 	isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
 	RETERR(dns_name_totext(origin, ISC_FALSE, &b));
 	len = isc_buffer_usedlength(&b);
 	namebuf[len] = '\0';
 
-	isc_dir_init(&dir);
 	RETERR(isc_dir_open(&dir, directory));
+	dir_open = ISC_TRUE;
 
 	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
 		if (dir.entry.name[0] == 'K' &&
@@ -1126,7 +1128,7 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 		    dir.entry.name[len + 1] == '+' &&
 		    strncasecmp(dir.entry.name + 1, namebuf, len) == 0) {
 			p = strrchr(dir.entry.name, '.');
-			if (strcmp(p, ".private") != 0)
+			if (p != NULL && strcmp(p, ".private") != 0)
 				continue;
 
 			dstkey = NULL;
@@ -1153,7 +1155,8 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 		result = ISC_R_NOTFOUND;
 
  failure:
-	isc_dir_close(&dir);
+	if (dir_open)
+		isc_dir_close(&dir);
 	INSIST(key == NULL);
 	while ((key = ISC_LIST_HEAD(list)) != NULL) {
 		ISC_LIST_UNLINK(list, key, link);

From 6d7e30b030790a6bda4f1b57fda3e2dacffc7499 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 10 Sep 2009 23:48:00 +0000
Subject: [PATCH 152/385] update copyright notice

---
 lib/dns/zone.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f1bd6be76a..c7b963f7c1 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.505 2009/09/10 01:47:08 each Exp $ */
+/* $Id: zone.c,v 1.506 2009/09/10 23:48:00 tbox Exp $ */
 
 /*! \file */
 
@@ -2898,7 +2898,7 @@ static isc_result_t
 add_soa(dns_zone_t *zone, dns_db_t *db) {
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-        unsigned char buf[DNS_SOA_BUFFERSIZE];
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
 
@@ -3133,7 +3133,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	else
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
 
-	/* 
+	/*
 	 * If there's no master file for a key zone, then the zone is new:
 	 * create an SOA record.  (We do this now, instead of later, so that
 	 * if there happens to be a journal file, we can roll forward from

From f819b54e3803d20e444c3dd318c1a877c3ad4172 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 11 Sep 2009 23:18:12 +0000
Subject: [PATCH 153/385] auto update

---
 doc/private/branches | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 8eb793d783..4ccc426cff 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -200,6 +200,7 @@ rt19113				new	fdupont	// 2009-01-10 17:53 +0000
 rt19198				new	marka	// 2009-01-23 02:19 +0000
 rt19209				new	marka	// 2009-02-05 01:10 +0000
 rt19234				new	fdupont	// 2009-02-12 14:15 +0000
+rt19234a			new	fdupont	// 2009-09-11 22:20 +0000
 rt19240				new	jinmei	// 2009-01-26 23:31 +0000
 rt19248				new	each	// 2009-01-28 00:25 +0000
 rt19256				new	jinmei	// 2009-01-29 00:55 +0000
@@ -238,6 +239,8 @@ rt20037				new	marka	// 2009-08-11 07:46 +0000
 rt20044				new	fdupont	// 2009-08-07 18:59 +0000
 rt20062				new	marka	// 2009-08-10 05:00 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
+rt20247				new	each	// 2009-09-11 03:22 +0000
+rt20253				new	sar	// 2009-09-11 22:17 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 2fa5af7b736eac0092845c5ccbddf6cc00d0321e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Mon, 14 Sep 2009 18:31:15 +0000
Subject: [PATCH 154/385] 2676.	[bug]		--with-export-installdir
 should have been 			--with-export-includedir. [RT #20252]

---
 CHANGES      | 3 +++
 configure.in | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 46aaadcaa2..4d4381a474 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2676.	[bug]		--with-export-installdir should have been
+			--with-export-includedir. [RT #20252]
+
 2675.   [bug]           dnssec-signzone could crash if the key directory
                         did not exist. [RT #20232]
 
diff --git a/configure.in b/configure.in
index f2b745f882..458e56d8e4 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.477 $)
+AC_REVISION($Revision: 1.478 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1409,11 +1409,11 @@ if test -z "$export_libdir"; then
 fi
 AC_SUBST(export_libdir)
 
-AC_ARG_WITH(export-installdir,
-	[  --with-export-installdir[=PATH]
+AC_ARG_WITH(export-includedir,
+	[  --with-export-includedir[=PATH]
                         installation directory for the header files of the
                         export library [[PREFIX/include/bind9]]],
-	export_installdir="$withval",)
+	export_includedir="$withval",)
 if test -z "$export_includedir"; then
 	export_includedir="\${prefix}/include/bind9/"
 fi

From d00827dabc7c9060b2653e2e76fa87b69e154e95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Mon, 14 Sep 2009 18:31:47 +0000
Subject: [PATCH 155/385] regen

---
 configure | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/configure b/configure
index c5409f3b1e..25bbe5d897 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.463 2009/09/04 00:46:09 marka Exp $
+# $Id: configure,v 1.464 2009/09/14 18:31:47 jinmei Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.476 .
+# From configure.in Revision: 1.478 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -1687,7 +1687,7 @@ Optional Packages:
   --with-export-libdir=PATH
                         installation directory for the export library
                         [EPREFIX/lib/bind9]
-  --with-export-installdir=PATH
+  --with-export-includedir=PATH
                         installation directory for the header files of the
                         export library [PREFIX/include/bind9]
   --with-kame=PATH	  use Kame IPv6 default path /usr/local/v6
@@ -26084,9 +26084,9 @@ fi
 
 
 
-# Check whether --with-export-installdir was given.
-if test "${with_export_installdir+set}" = set; then
-  withval=$with_export_installdir; export_installdir="$withval"
+# Check whether --with-export-includedir was given.
+if test "${with_export_includedir+set}" = set; then
+  withval=$with_export_includedir; export_includedir="$withval"
 fi
 
 if test -z "$export_includedir"; then

From b843f577bbcd6660fbaa506d9e55b156c689a5a8 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 14 Sep 2009 18:45:45 +0000
Subject: [PATCH 156/385] 2677.	[func]		Changes to key metadata
 behavior: 			- Keys without "publish" or "active" dates set
 will 			  no longer be used for smart signing.  However, 
 		  those dates will be set to "now" by default when 	
 	  a key is created; to generate a key but not use 		
   it yet, use dnssec-keygen -G. 			- New "inactive" date
 (dnssec-keygen/settime -I) 			  sets the time when a key is
 no longer used for 			  signing but is still published. 
 		- The "unpublished" date (-U) is deprecated in 		
   favor of "deleted" (-D). 			[rt20247]

---
 CHANGES                                | 13 +++++
 bin/dnssec/dnssec-keyfromlabel.c       | 57 ++++++++++++-------
 bin/dnssec/dnssec-keyfromlabel.docbook | 33 +++++++----
 bin/dnssec/dnssec-keygen.c             | 76 ++++++++++++++++----------
 bin/dnssec/dnssec-keygen.docbook       | 35 ++++++++----
 bin/dnssec/dnssec-settime.c            | 48 ++++++++--------
 bin/dnssec/dnssec-settime.docbook      | 22 ++++----
 lib/dns/dnssec.c                       | 34 ++++++------
 lib/dns/dst_api.c                      |  4 +-
 lib/dns/include/dst/dst.h              |  4 +-
 10 files changed, 199 insertions(+), 127 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4d4381a474..40073781ae 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,16 @@
+2677.	[func]		Changes to key metadata behavior:
+			- Keys without "publish" or "active" dates set will
+			  no longer be used for smart signing.  However,
+			  those dates will be set to "now" by default when
+			  a key is created; to generate a key but not use
+			  it yet, use dnssec-keygen -G.
+			- New "inactive" date (dnssec-keygen/settime -I)
+			  sets the time when a key is no longer used for
+			  signing but is still published.
+			- The "unpublished" date (-U) is deprecated in
+			  favor of "deleted" (-D).
+			[rt20247]
+
 2676.	[bug]		--with-export-installdir should have been
 			--with-export-includedir. [RT #20252]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index af3504d7ec..42cdce5819 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -78,10 +78,11 @@ usage(void) {
 	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
 	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
 	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
+	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
-			" dates\n");
+			" all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K++.key, "
 			"K++.private\n");
@@ -114,14 +115,15 @@ main(int argc, char **argv) {
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	char		*label = NULL, *engine = NULL;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	unpublish = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -135,7 +137,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
+				"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -182,6 +184,9 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
+		case 'G':
+			genonly = ISC_TRUE;
+			break;
 		case 'P':
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
@@ -218,16 +223,16 @@ main(int argc, char **argv) {
 				unsetrev = ISC_TRUE;
 			}
 			break;
-		case 'U':
-			if (setunpub || unsetunpub)
-				fatal("-U specified more than once");
+		case 'I':
+			if (setinact || unsetinact)
+				fatal("-I specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
-				setunpub = ISC_TRUE;
-				unpublish = strtotime(isc_commandline_argument,
-						      now, now);
+				setinact = ISC_TRUE;
+				inactive = strtotime(isc_commandline_argument,
+						     now, now);
 			} else {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			}
 			break;
 		case 'D':
@@ -381,26 +386,40 @@ main(int argc, char **argv) {
 
 	/*
 	 * Set key timing metadata (unless using -C)
+	 *
+	 * Publish and activation dates are set to "now" by default, but
+	 * can be overridden.  Creation date is always set to "now".
 	 */
 	if (!oldstyle) {
 		dst_key_settime(key, DST_TIME_CREATED, now);
 
+		if (genonly && (setpub || setact))
+			fatal("cannot use -G together with -P or -A options");
+
 		if (setpub)
 			dst_key_settime(key, DST_TIME_PUBLISH, publish);
+		else if (!genonly)
+			dst_key_settime(key, DST_TIME_PUBLISH, now);
+
 		if (setact)
 			dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+		else if (!genonly)
+			dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
 		if (setrev)
 			dst_key_settime(key, DST_TIME_REVOKE, revoke);
-		if (setunpub)
-			dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
+
+		if (setinact)
+			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+
 		if (setdel)
 			dst_key_settime(key, DST_TIME_DELETE, delete);
 	} else {
-		if (setpub || setact || setrev || setunpub ||
+		if (setpub || setact || setrev || setinact ||
 		    setdel || unsetpub || unsetact ||
-		    unsetrev || unsetunpub || unsetdel)
+		    unsetrev || unsetinact || unsetdel || genonly)
 			fatal("cannot use -C together with "
-			      "-P, -A, -R, -U, or -D options");
+			      "-P, -A, -R, -I, -D, or -G options");
 		/*
 		 * Compatibility mode: Private-key-format
 		 * should be set to 1.2.
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 4beb25b9fe..6d2f70e6ee 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -51,6 +51,8 @@
       
       
       
+      
+      
       
       
       
@@ -58,7 +60,6 @@
       
       
       
-      
       
       name
     
@@ -160,6 +161,16 @@
         
       
 
+      
+        -G
+        
+          
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
+        
+      
+
       
         -h
         
@@ -245,7 +256,8 @@
           
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
         
       
@@ -256,7 +268,8 @@
           
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
         
       
@@ -276,9 +289,9 @@
         -U date/offset
         
           
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
         
       
@@ -288,10 +301,8 @@
         
           
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
         
       
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index c5e696eca3..12089c7aab 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
+/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -131,13 +131,16 @@ usage(void) {
 	fprintf(stderr, "	usage | trace | record | size | mctx\n");
 	fprintf(stderr, "    -v : set verbosity level (0 - 10)\n");
 	fprintf(stderr, "Date options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
+	fprintf(stderr, "    -P date/[+-]offset: set key publication date "
+						"(default: now)\n");
+	fprintf(stderr, "    -A date/[+-]offset: set key activation date "
+						"(default: now)\n");
 	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset: set key unpublication date\n");
+	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting "
-			"dates\n");
+			"all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K++.key, "
 			"K++.private\n");
@@ -172,14 +175,15 @@ main(int argc, char **argv) {
 	int		dbits = 0;
 	isc_boolean_t	use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
-	isc_stdtime_t	unpublish = 0, delete = 0;
+	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
+	isc_boolean_t	genonly = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -191,7 +195,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hP:A:R:U:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -310,6 +314,9 @@ main(int argc, char **argv) {
 		case 'z':
 			/* already the default */
 			break;
+		case 'G':
+			genonly = ISC_TRUE;
+			break;
 		case 'P':
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
@@ -346,16 +353,16 @@ main(int argc, char **argv) {
 				unsetrev = ISC_TRUE;
 			}
 			break;
-		case 'U':
-			if (setunpub || unsetunpub)
-				fatal("-U specified more than once");
+		case 'I':
+			if (setinact || unsetinact)
+				fatal("-I specified more than once");
 
 			if (strcasecmp(isc_commandline_argument, "none")) {
-				setunpub = ISC_TRUE;
-				unpublish = strtotime(isc_commandline_argument,
-						      now, now);
+				setinact = ISC_TRUE;
+				inactive = strtotime(isc_commandline_argument,
+						     now, now);
 			} else {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			}
 			break;
 		case 'D':
@@ -665,31 +672,44 @@ main(int argc, char **argv) {
 
 		/*
 		 * Set key timing metadata (unless using -C)
+		 *
+		 * Publish and activation dates are set to "now" by default,
+		 * but can be overridden.  Creation date is always set to
+		 * "now".
 		 */
 		if (!oldstyle) {
 			dst_key_settime(key, DST_TIME_CREATED, now);
 
+			if (genonly && (setpub || setact))
+				fatal("cannot use -G together with "
+				      "-P or -A options");
+
 			if (setpub)
-				dst_key_settime(key, DST_TIME_PUBLISH,
-						publish);
+				dst_key_settime(key, DST_TIME_PUBLISH, publish);
+			else if (!genonly)
+				dst_key_settime(key, DST_TIME_PUBLISH, now);
+
 			if (setact)
 				dst_key_settime(key, DST_TIME_ACTIVATE,
 						activate);
+			else if (!genonly)
+				dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
 			if (setrev)
-				dst_key_settime(key, DST_TIME_REVOKE,
-						revoke);
-			if (setunpub)
-				dst_key_settime(key, DST_TIME_UNPUBLISH,
-						unpublish);
+				dst_key_settime(key, DST_TIME_REVOKE, revoke);
+
+			if (setinact)
+				dst_key_settime(key, DST_TIME_INACTIVE,
+						inactive);
+
 			if (setdel)
-				dst_key_settime(key, DST_TIME_DELETE,
-						delete);
+				dst_key_settime(key, DST_TIME_DELETE, delete);
 		} else {
-			if (setpub || setact || setrev || setunpub ||
+			if (setpub || setact || setrev || setinact ||
 			    setdel || unsetpub || unsetact ||
-			    unsetrev || unsetunpub || unsetdel)
+			    unsetrev || unsetinact || unsetdel || genonly)
 				fatal("cannot use -C together with "
-				      "-P, -A, -R, -U, or -D options");
+				      "-P, -A, -R, -I, -D, or -G options");
 			/*
 			 * Compatibility mode: Private-key-format
 			 * should be set to 1.2.
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 2ff764ac1d..c0d8ba2898 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -66,8 +66,10 @@
       
       
       
+      
       
       
+      
       
       
       
@@ -76,7 +78,6 @@
       
       
       
-      
       
       
       name
@@ -224,6 +225,16 @@
         
       
 
+      
+        -G
+        
+          
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
+        
+      
+
       
         -g generator
         
@@ -365,7 +376,8 @@
           
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
         
       
@@ -376,7 +388,8 @@
           
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
         
       
@@ -393,12 +406,12 @@
       
 
       
-        -U date/offset
+        -I date/offset
         
           
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
         
       
@@ -408,10 +421,8 @@
         
           
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
         
       
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 10e972d125..ba6eb3954a 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
 
 /*! \file */
 
@@ -66,8 +66,8 @@ usage(void) {
 						     "activation date\n");
 	fprintf(stderr, "    -R date/[+-]offset/none: set key "
 						     "revocation date\n");
-	fprintf(stderr, "    -U date/[+-]offset/none: set key "
-						     "unpublication date\n");
+	fprintf(stderr, "    -I date/[+-]offset/none: set key "
+						     "inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set key "
 						     "deletion date\n");
 	fprintf(stderr, "Printing options:\n");
@@ -119,16 +119,16 @@ main(int argc, char **argv) {
 	isc_buffer_t buf;
 	int major, minor;
 	isc_stdtime_t	now;
-	isc_stdtime_t	pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
+	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
-	isc_boolean_t	setrev = ISC_FALSE, setunpub = ISC_FALSE;
+	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
-	isc_boolean_t	unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
+	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
 	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
 	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
-	isc_boolean_t	printunpub = ISC_FALSE, printdel = ISC_FALSE;
+	isc_boolean_t	printinact = ISC_FALSE, printdel = ISC_FALSE;
 	isc_boolean_t	forceupdate = ISC_FALSE;
 	isc_boolean_t   epoch = ISC_FALSE;
 	isc_boolean_t   changed = ISC_FALSE;
@@ -147,7 +147,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "fK:uhp:v:P:A:R:U:D:")) != -1) {
+					   "fK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
 		case 'f':
 			forceupdate = ISC_TRUE;
@@ -159,7 +159,7 @@ main(int argc, char **argv) {
 				printpub = ISC_TRUE;
 				printact = ISC_TRUE;
 				printrev = ISC_TRUE;
-				printunpub = ISC_TRUE;
+				printinact = ISC_TRUE;
 				printdel = ISC_TRUE;
 				break;
 			}
@@ -178,8 +178,8 @@ main(int argc, char **argv) {
 				case 'R':
 					printrev = ISC_TRUE;
 					break;
-				case 'U':
-					printunpub = ISC_TRUE;
+				case 'I':
+					printinact = ISC_TRUE;
 					break;
 				case 'D':
 					printdel = ISC_TRUE;
@@ -251,16 +251,16 @@ main(int argc, char **argv) {
 						now, now);
 			}
 			break;
-		case 'U':
-			if (setunpub || unsetunpub)
-				fatal("-U specified more than once");
+		case 'I':
+			if (setinact || unsetinact)
+				fatal("-I specified more than once");
 
 			changed = ISC_TRUE;
 			if (!strcasecmp(isc_commandline_argument, "none")) {
-				unsetunpub = ISC_TRUE;
+				unsetinact = ISC_TRUE;
 			} else {
-				setunpub = ISC_TRUE;
-				unpub = strtotime(isc_commandline_argument,
+				setinact = ISC_TRUE;
+				inact = strtotime(isc_commandline_argument,
 						now, now);
 			}
 			break;
@@ -360,7 +360,7 @@ main(int argc, char **argv) {
 		dst_key_unsettime(key, DST_TIME_ACTIVATE);
 
 	if (setrev) {
-		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
+		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
 			fprintf(stderr, "%s: warning: Key %s is already "
 					"revoked; changing the revocation date "
 					"will not affect this.\n",
@@ -375,10 +375,10 @@ main(int argc, char **argv) {
 		dst_key_unsettime(key, DST_TIME_REVOKE);
 	}
 
-	if (setunpub)
-		dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
-	else if (unsetunpub)
-		dst_key_unsettime(key, DST_TIME_UNPUBLISH);
+	if (setinact)
+		dst_key_settime(key, DST_TIME_INACTIVE, inact);
+	else if (unsetinact)
+		dst_key_unsettime(key, DST_TIME_INACTIVE);
 
 	if (setdel)
 		dst_key_settime(key, DST_TIME_DELETE, del);
@@ -400,8 +400,8 @@ main(int argc, char **argv) {
 	if (printrev)
 		printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
 
-	if (printunpub)
-		printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
+	if (printinact)
+		printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
 
 	if (printdel)
 		printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 224df4d3dc..43d7c732fe 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     July 15, 2009
@@ -44,12 +44,12 @@
   
     
       dnssec-settime
-      
+      
       
       
       
       
-      
+      
       
       
       
@@ -62,7 +62,7 @@
     dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the , ,
-      , , and 
+      , , and 
       options.  The metadata can then be used by
       dnssec-signzone or other signing software to
       determine when a key is to be published, whether it should be
@@ -178,12 +178,12 @@
       
 
       
-        -U date/offset
+        -I date/offset
         
           
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
         
       
@@ -193,10 +193,8 @@
         
           
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
         
       
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index aa5833f0d1..91ebc2c817 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.101 2009/09/10 05:09:31 each Exp $
+ * $Id: dnssec.c,v 1.102 2009/09/14 18:45:45 each Exp $
  */
 
 /*! \file */
@@ -1004,9 +1004,9 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
 static void
 get_hints(dns_dnsseckey_t *key) {
 	isc_result_t result;
-	isc_stdtime_t now, publish, active, revoke, unpublish, delete;
+	isc_stdtime_t now, publish, active, revoke, inactive, delete;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
-	isc_boolean_t revset = ISC_FALSE, remset = ISC_FALSE;
+	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
 	isc_boolean_t delset = ISC_FALSE;
 
 	REQUIRE(key != NULL && key->key != NULL);
@@ -1025,26 +1025,20 @@ get_hints(dns_dnsseckey_t *key) {
 	if (result == ISC_R_SUCCESS)
 		revset = ISC_TRUE;
 
-	result = dst_key_gettime(key->key, DST_TIME_UNPUBLISH, &unpublish);
+	result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
 	if (result == ISC_R_SUCCESS)
-		remset = ISC_TRUE;
+		inactset = ISC_TRUE;
 
 	result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
 	if (result == ISC_R_SUCCESS)
 		delset = ISC_TRUE;
 
-	/* No metadata set: Publish and sign.  */
-	if (!pubset && !actset && !revset && !remset && !delset) {
-		key->hint_sign = ISC_TRUE;
-		key->hint_publish = ISC_TRUE;
-	}
-
 	/* Metadata says publish (but possibly not activate) */
-	if (pubset && publish < now)
+	if (pubset && publish <= now)
 		key->hint_publish = ISC_TRUE;
 
 	/* Metadata says activate (so we must also publish) */
-	if (actset && active < now) {
+	if (actset && active <= now) {
 		key->hint_sign = ISC_TRUE;
 		key->hint_publish = ISC_TRUE;
 	}
@@ -1064,6 +1058,14 @@ get_hints(dns_dnsseckey_t *key) {
 		key->prepublish = active - now;
 	}
 
+	/*
+	 * Key has been marked inactive: we can continue publishing,
+	 * but don't sign.
+	 */
+	if (key->hint_publish && inactset && inactive <= now) {
+		key->hint_sign = ISC_FALSE;
+	}
+
 	/*
 	 * Metadata says revoke.  If the key is published,
 	 * we *have to* sign with it per RFC5011--even if it was
@@ -1082,11 +1084,9 @@ get_hints(dns_dnsseckey_t *key) {
 	}
 
 	/*
-	 * Metadata says unpublish or delete, so don't publish
-	 * this key or sign with it.
+	 * Metadata says delete, so don't publish this key or sign with it.
 	 */
-	if ((remset && unpublish < now) ||
-	    (delset && delete < now)) {
+	if (delset && delete <= now) {
 		key->hint_publish = ISC_FALSE;
 		key->hint_sign = ISC_FALSE;
 		key->hint_remove = ISC_TRUE;
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 429060e497..be3999d02f 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.29 2009/09/03 04:09:58 marka Exp $
+ * $Id: dst_api.c,v 1.30 2009/09/14 18:45:45 each Exp $
  */
 
 /*! \file */
@@ -1274,7 +1274,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
 		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
 		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
-		printtime(key, DST_TIME_UNPUBLISH, "; Unpublish", fp);
+		printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
 		printtime(key, DST_TIME_DELETE, "; Delete", fp);
 	}
 
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 258e6143c2..fb0d73b8d3 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.17 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dst.h,v 1.18 2009/09/14 18:45:45 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -84,7 +84,7 @@ typedef struct dst_context 	dst_context_t;
 #define DST_TIME_PUBLISH	1
 #define DST_TIME_ACTIVATE	2
 #define DST_TIME_REVOKE 	3
-#define DST_TIME_UNPUBLISH	4
+#define DST_TIME_INACTIVE	4
 #define DST_TIME_DELETE 	5
 #define DST_MAX_TIMES		5
 

From a12c8549d62d16cfcdf51c9ba9cdf7065191b4f6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 14 Sep 2009 23:13:37 +0000
Subject: [PATCH 157/385] 2678.   [func]          Treat DS queries as if
 "minimal-response yes;"                         was set. [RT #20258]

---
 CHANGES           | 3 +++
 bin/named/query.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 40073781ae..f10bdedfab 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2678.	[func]		Treat DS queries as if "minimal-response yes;"
+			was set. [RT #20258]
+
 2677.	[func]		Changes to key metadata behavior:
 			- Keys without "publish" or "active" dates set will
 			  no longer be used for smart signing.  However,
diff --git a/bin/named/query.c b/bin/named/query.c
index b31335258d..12a53e5c49 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.326 2009/08/05 02:09:04 marka Exp $ */
+/* $Id: query.c,v 1.327 2009/09/14 23:13:37 marka Exp $ */
 
 /*! \file */
 
@@ -5130,9 +5130,9 @@ ns_query_start(ns_client_t *client) {
 	}
 
 	/*
-	 * Turn on minimal response for DNSKEY queries.
+	 * Turn on minimal response for DNSKEY and DS queries.
 	 */
-	if (qtype == dns_rdatatype_dnskey)
+	if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 					     NS_QUERYATTR_NOADDITIONAL);
 

From 5e38811a8ff60fbff8b4a8cc2c7b7a9eb658b833 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 14 Sep 2009 23:18:43 +0000
Subject: [PATCH 158/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 4ccc426cff..66607f1844 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -238,6 +238,7 @@ rt20023				new	fdupont	// 2009-07-31 15:08 +0000
 rt20037				new	marka	// 2009-08-11 07:46 +0000
 rt20044				new	fdupont	// 2009-08-07 18:59 +0000
 rt20062				new	marka	// 2009-08-10 05:00 +0000
+rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000

From f8e3e03cacd16ffb923a9603fca23a9e1a1fee07 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 15 Sep 2009 01:14:42 +0000
Subject: [PATCH 159/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     | 17 +++++++----
 bin/dnssec/dnssec-keyfromlabel.html  | 39 ++++++++++++++-----------
 bin/dnssec/dnssec-keygen.8           | 19 +++++++-----
 bin/dnssec/dnssec-keygen.html        | 43 ++++++++++++++++------------
 bin/dnssec/dnssec-settime.8          | 12 ++++----
 bin/dnssec/dnssec-settime.html       | 20 ++++++-------
 doc/arm/man.ddns-confgen.html        | 10 +++----
 doc/arm/man.dnssec-keyfromlabel.html | 39 ++++++++++++++-----------
 doc/arm/man.dnssec-keygen.html       | 43 ++++++++++++++++------------
 doc/arm/man.dnssec-revoke.html       | 10 +++----
 doc/arm/man.dnssec-settime.html      | 32 ++++++++++-----------
 doc/arm/man.dnssec-signzone.html     | 12 ++++----
 doc/arm/man.named-checkconf.html     | 12 ++++----
 doc/arm/man.named-checkzone.html     | 12 ++++----
 doc/arm/man.named.html               | 16 +++++------
 doc/arm/man.nsupdate.html            | 14 ++++-----
 doc/arm/man.rndc-confgen.html        | 12 ++++----
 doc/arm/man.rndc.conf.html           | 12 ++++----
 doc/arm/man.rndc.html                | 12 ++++----
 19 files changed, 206 insertions(+), 180 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 62e261df8e..21a73f270c 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.10 2009/09/08 01:14:42 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.11 2009/09/15 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-U\ \fR\fB\fIdate/offset\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
@@ -85,6 +85,11 @@ Indicates that the DNS record containing the key should have the specified class
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
 .RE
 .PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
+.RE
+.PP
 \-h
 .RS 4
 Prints a short summary of the options and arguments to
@@ -123,12 +128,12 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it.
+Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-R \fIdate/offset\fR
@@ -138,12 +143,12 @@ Sets the date on which the key is to be revoked. After that date, the key will b
 .PP
 \-U \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be unpublished. After that date, the key will no longer be included in the zone, but it may remain in the key repository.
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
 .RE
 .SH "GENERATED KEY FILES"
 .PP
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 2764a5a1de..5c91d6e5c1 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,10 +28,10 @@
 
    
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-U date/offset] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,7 +44,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -96,6 +96,11 @@
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
    
+
    -G
    
+
    
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
    
 
    -h
    
 
    
             Prints a short summary of the options and arguments to
@@ -130,7 +135,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,13 +151,15 @@
 
    
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
    
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
    
 
    -R date/offset
    
 
    
@@ -162,22 +169,20 @@
           
    
 
    -U date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -216,7 +221,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -226,7 +231,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index f171a1b824..aa861af026 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.47 2009/09/03 01:14:41 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.48 2009/09/15 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 14
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-U\ \fR\fB\fIdate/offset\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -106,6 +106,11 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
 Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
 .RE
 .PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
+.RE
+.PP
 \-g \fIgenerator\fR
 .RS 4
 If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
@@ -173,12 +178,12 @@ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument
 .PP
 \-P \fIdate/offset\fR
 .RS 4
-Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it.
+Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-R \fIdate/offset\fR
@@ -186,14 +191,14 @@ Sets the date on which the key is to be activated. After that date, the key will
 Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
 .RE
 .PP
-\-U \fIdate/offset\fR
+\-I \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be unpublished. After that date, the key will no longer be included in the zone, but it may remain in the key repository.
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
 .RE
 .SH "GENERATED KEYS"
 .PP
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 518f71bc9e..0cf59b3af0 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}
    
+
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -46,7 +46,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -134,6 +134,11 @@
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
    
+
    -G
    
+
    
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
    
 
    -g generator
    
 
    
             If generating a Diffie Hellman key, use this generator.
@@ -208,7 +213,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -224,13 +229,15 @@
 
    
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
    
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
    
 
    -R date/offset
    
 
    
@@ -238,24 +245,22 @@
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           
    
-
    -U date/offset
    
+
    -I date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -301,7 +306,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -322,7 +327,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -331,7 +336,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index 42a21d1166..ab32b8f531 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-settime.8,v 1.5 2009/09/03 01:14:41 tbox Exp $
+.\" $Id: dnssec-settime.8,v 1.6 2009/09/15 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-settime \- Set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
 .HP 15
-\fBdnssec\-settime\fR [\fB\-fr\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-U\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {keyfile}
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-settime\fR
@@ -40,7 +40,7 @@ reads a DNSSEC private key file and sets the key timing metadata as specified by
 \fB\-P\fR,
 \fB\-A\fR,
 \fB\-R\fR,
-\fB\-U\fR, and
+\fB\-I\fR, and
 \fB\-D\fR
 options. The metadata can then be used by
 \fBdnssec\-signzone\fR
@@ -95,14 +95,14 @@ Sets the date on which the key is to be activated. After that date, the key will
 Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
 .RE
 .PP
-\-U \fIdate/offset\fR
+\-I \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be unpublished. After that date, the key will no longer be included in the zone, but it may remain in the key repository.
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
 .RE
 .PP
 \-D \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
 .RE
 .SH "PRINTING OPTIONS"
 .PP
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index aa711d3d64..338dd240df 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -29,14 +29,14 @@
 
 
    
 
    Synopsis
    
-
    dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
+
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
 
    
 
    
 
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
-      -R, -U, and -D
+      -R, -I, and -D
       options.  The metadata can then be used by
       dnssec-signzone or other signing software to
       determine when a key is to be published, whether it should be
@@ -113,19 +113,17 @@
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           
    
-
    -U date/offset
    
+
    -I date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index f25b277dc9..98df9d0446 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index d177445b16..8b2d1cc474 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-U date/offset] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -115,6 +115,11 @@
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
    
+
    -G
    
+
    
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
    
 
    -h
    
 
    
             Prints a short summary of the options and arguments to
@@ -149,7 +154,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -165,13 +170,15 @@
 
    
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
    
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
    
 
    -R date/offset
    
 
    
@@ -181,22 +188,20 @@
           
    
 
    -U date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -235,7 +240,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -245,7 +250,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index fefeaa7825..d0b437cb8f 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-g generator] [-h] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-U date/offset] [-v level] [-z] {name}
    
+
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -152,6 +152,11 @@
             Set the specified flag in the flag field of the KEY/DNSKEY record.
             The only recognized flags are KSK (Key Signing Key) and REVOKE.
           
    
+
    -G
    
+
    
+            Generate a key, but do not publish it or sign with it.  This
+            option is incompatible with -P and -A.
+          
    
 
    -g generator
    
 
    
             If generating a Diffie Hellman key, use this generator.
@@ -226,7 +231,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -242,13 +247,15 @@
 
    
             Sets the date on which a key is to be published to the zone.
             After that date, the key will be included in the zone but will
-            not be used to sign it.
+            not be used to sign it.  If not set, and if the -G option has
+            not been used, the default is "now".
           
    
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
             date, the key will be included and the zone and used to sign
-            it.
+            it.  If not set, and if the -G option has not been used, the
+            default is "now".
           
    
 
    -R date/offset
    
 
    
@@ -256,24 +263,22 @@
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           
    
-
    -U date/offset
    
+
    -I date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -319,7 +324,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -340,7 +345,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -349,7 +354,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 4020c1a0c9..d1ce5870db 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -86,14 +86,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index c02f1d8efd..4525a1326b 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,14 +47,14 @@
 
 
    
 
    Synopsis
    
-
    dnssec-settime  [-fr] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-U date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
+
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
-      -R, -U, and -D
+      -R, -I, and -D
       options.  The metadata can then be used by
       dnssec-signzone or other signing software to
       determine when a key is to be published, whether it should be
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -101,7 +101,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -131,24 +131,22 @@
             date, the key will be flagged as revoked.  It will be included
             in the zone and will be used to sign it.
           
    
-
    -U date/offset
    
+
    -I date/offset
    
 
    
-            Sets the date on which the key is to be unpublished.  After that
-            date, the key will no longer be included in the zone, but it
-            may remain in the key repository.
+            Sets the date on which the key is to be retired.  After that
+            date, the key will still be included in the zone, but it
+            will not be used to sign it.
           
    
 
    -D date/offset
    
 
    
             Sets the date on which the key is to be deleted.  After that
-            date, the key can be removed from the key repository.
-            NOTE: Keys are not currently deleted automatically; this field
-            is included for informational purposes and for future
-            development.
+            date, the key will no longer be included in the zone.  (It
+            may remain in the key repository, however.)
           
    
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -174,7 +172,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -182,7 +180,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 3e52b6a58a..4752e5a0c3 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -362,7 +362,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -391,14 +391,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 3f166f03d0..62c38ef0c5 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index e9a0fe9737..b90b4dee49 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 57a0af06b3..af7c350c64 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -289,7 +289,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 5eb0685191..0e93dc5ec1 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 6f33554ffb..11c394d911 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index b940710f95..5c767aee49 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index a4537a9282..93bcb263e5 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From d514c0dc9b7f369a94d79c709b77a8f3a08afd84 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 15 Sep 2009 03:13:44 +0000
Subject: [PATCH 160/385] 2679.	[func]		dig -k can now accept TSIG
 keys in named.conf 			format.  [RT #20031]

---
 CHANGES                   |   5 +-
 bin/dig/Makefile.in       |   8 +-
 bin/dig/dig.c             | 147 ++++++++++++-------------------
 bin/dig/dighost.c         | 176 +++++++++++++++++++++++++++++++++++++-
 bin/dig/include/dig/dig.h |   9 +-
 bin/dig/nslookup.c        |  18 +---
 6 files changed, 244 insertions(+), 119 deletions(-)

diff --git a/CHANGES b/CHANGES
index f10bdedfab..782d57bfed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2679.	[func]		dig -k can now accept TSIG keys in named.conf
+			format.  [RT #20031]
+
 2678.	[func]		Treat DS queries as if "minimal-response yes;"
 			was set. [RT #20258]
 
@@ -12,7 +15,7 @@
 			  signing but is still published.
 			- The "unpublished" date (-U) is deprecated in
 			  favor of "deleted" (-D).
-			[rt20247]
+			[RT #20247]
 
 2676.	[bug]		--with-export-installdir should have been
 			--with-export-includedir. [RT #20252]
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 3cb1bd1fb4..6021a5f96c 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.44 2009/09/02 23:48:01 tbox Exp $
+# $Id: Makefile.in,v 1.45 2009/09/15 03:13:43 each Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ top_srcdir =	@top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} ${LWRES_INCLUDES}
+		${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
 
 CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\"
 CWARNINGS =
@@ -45,8 +45,8 @@ LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
 		${LWRESDEPLIBS}
 
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
-		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
+LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCLIBS} @IDNLIBS@ @LIBS@
 
 NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCNOSYMLIBS} \
 		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index ad9269f51f..56165b771e 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.229 2009/05/06 10:16:32 fdupont Exp $ */
+/* $Id: dig.c,v 1.230 2009/09/15 03:13:43 each Exp $ */
 
 /*! \file */
 
@@ -671,19 +671,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	}
 }
 
-static isc_uint32_t
-parse_uint(char *arg, const char *desc, isc_uint32_t max) {
-	isc_result_t result;
-	isc_uint32_t tmp;
-
-	result = isc_parse_uint32(&tmp, arg, 10);
-	if (result == ISC_R_SUCCESS && tmp > max)
-		result = ISC_R_RANGE;
-	if (result != ISC_R_SUCCESS)
-		fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
-	return (tmp);
-}
-
 /*%
  * We're not using isc_commandline_parse() here since the command line
  * syntax of dig is quite a bit different from that which can be described
@@ -695,8 +682,10 @@ static void
 plus_option(char *option, isc_boolean_t is_batchfile,
 	    dig_lookup_t *lookup)
 {
+	isc_result_t result;
 	char option_store[256];
 	char *cmd, *value, *ptr;
+	isc_uint32_t num;
 	isc_boolean_t state = ISC_TRUE;
 #ifdef DIG_SIGCHASE
 	size_t n;
@@ -785,8 +774,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				goto need_value;
 			if (!state)
 				goto invalid_option;
-			lookup->udpsize = (isc_uint16_t) parse_uint(value,
-						    "buffer size", COMMSIZE);
+			result = parse_uint(&num, value, COMMSIZE,
+					    "buffer size");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse buffer size");
+			lookup->udpsize = num;
 			break;
 		default:
 			goto invalid_option;
@@ -851,7 +843,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 		}
 		if (value == NULL)
 			goto need_value;
-		lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+		result = parse_uint(&num, value, 255, "edns");
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't parse edns");
+		lookup->edns = num;
 		break;
 	case 'f': /* fail */
 		FULLCHECK("fail");
@@ -881,7 +876,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				goto need_value;
 			if (!state)
 				goto invalid_option;
-			ndots = parse_uint(value, "ndots", MAXNDOTS);
+			result = parse_uint(&num, value, MAXNDOTS, "ndots");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse ndots");
+			ndots = num;
 			break;
 		case 's':
 			switch (cmd[2]) {
@@ -946,8 +944,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 					goto need_value;
 				if (!state)
 					goto invalid_option;
-				lookup->retries = parse_uint(value, "retries",
-						       MAXTRIES - 1);
+				result = parse_uint(&lookup->retries, value,
+						    MAXTRIES - 1, "retries");
+				if (result != ISC_R_SUCCESS)
+					fatal("Couldn't parse retries");
 				lookup->retries++;
 				break;
 			default:
@@ -1023,7 +1023,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				goto need_value;
 			if (!state)
 				goto invalid_option;
-			timeout = parse_uint(value, "timeout", MAXTIMEOUT);
+			result = parse_uint(&timeout, value, MAXTIMEOUT,
+					    "timeout");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse timeout");
 			if (timeout == 0)
 				timeout = 1;
 			break;
@@ -1056,8 +1059,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 					goto need_value;
 				if (!state)
 					goto invalid_option;
-				lookup->retries = parse_uint(value, "tries",
-							     MAXTRIES);
+				result = parse_uint(&lookup->retries, value,
+						    MAXTRIES, "tries");
+				if (result != ISC_R_SUCCESS)
+					fatal("Couldn't parse tries");
 				if (lookup->retries == 0)
 					lookup->retries = 1;
 				break;
@@ -1123,6 +1128,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	struct in6_addr in6;
 	in_port_t srcport;
 	char *hash, *cmd;
+	isc_uint32_t num;
 
 	while (strpbrk(option, single_dash_opts) == &option[0]) {
 		/*
@@ -1197,9 +1203,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 	case 'b':
 		hash = strchr(value, '#');
 		if (hash != NULL) {
-			srcport = (in_port_t)
-				parse_uint(hash + 1,
-					   "port number", MAXPORT);
+			result = parse_uint(&num, hash + 1, MAXPORT,
+					    "port number");
+			if (result != ISC_R_SUCCESS)
+				fatal("Couldn't parse port number");
+			srcport = num;
 			*hash = '\0';
 		} else
 			srcport = 0;
@@ -1243,7 +1251,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		keyfile[sizeof(keyfile)-1]=0;
 		return (value_from_next);
 	case 'p':
-		port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+		result = parse_uint(&num, value, MAXPORT, "port number");
+		if (result != ISC_R_SUCCESS)
+			fatal("Couldn't parse port number");
+		port = num;
 		return (value_from_next);
 	case 'q':
 		if (!config_only) {
@@ -1286,11 +1297,14 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 						"extra type option\n");
 			}
 			if (rdtype == dns_rdatatype_ixfr) {
+				isc_uint32_t serial;
 				(*lookup)->rdtype = dns_rdatatype_ixfr;
 				(*lookup)->rdtypeset = ISC_TRUE;
-				(*lookup)->ixfr_serial =
-					parse_uint(&value[5], "serial number",
-						MAXSERIAL);
+				result = parse_uint(&serial, &value[5],
+					   MAXSERIAL, "serial number");
+				if (result != ISC_R_SUCCESS)
+					fatal("Couldn't parse serial number");
+				(*lookup)->ixfr_serial = serial;
 				(*lookup)->section_question = plusquest;
 				(*lookup)->comments = pluscomm;
 				(*lookup)->tcp_mode = ISC_TRUE;
@@ -1318,65 +1332,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			usage();
 		ptr3 = next_token(&value,":"); /* secret or NULL */
 		if (ptr3 != NULL) {
-			if (strcasecmp(ptr, "hmac-md5") == 0) {
-				hmacname = DNS_TSIG_HMACMD5_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
-				hmacname = DNS_TSIG_HMACMD5_NAME;
-				digestbits = parse_uint(&ptr[9],
-							"digest-bits [0..128]",
-							128);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
-				hmacname = DNS_TSIG_HMACSHA1_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
-				hmacname = DNS_TSIG_HMACSHA1_NAME;
-				digestbits = parse_uint(&ptr[10],
-							"digest-bits [0..160]",
-							160);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
-				hmacname = DNS_TSIG_HMACSHA224_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
-				hmacname = DNS_TSIG_HMACSHA224_NAME;
-				digestbits = parse_uint(&ptr[12],
-							"digest-bits [0..224]",
-							224);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
-				hmacname = DNS_TSIG_HMACSHA256_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
-				hmacname = DNS_TSIG_HMACSHA256_NAME;
-				digestbits = parse_uint(&ptr[12],
-							"digest-bits [0..256]",
-							256);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
-				hmacname = DNS_TSIG_HMACSHA384_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
-				hmacname = DNS_TSIG_HMACSHA384_NAME;
-				digestbits = parse_uint(&ptr[12],
-							"digest-bits [0..384]",
-							384);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
-				hmacname = DNS_TSIG_HMACSHA512_NAME;
-				digestbits = 0;
-			} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
-				hmacname = DNS_TSIG_HMACSHA512_NAME;
-				digestbits = parse_uint(&ptr[12],
-							"digest-bits [0..512]",
-							512);
-				digestbits = (digestbits + 7) & ~0x7U;
-			} else {
-				fprintf(stderr, ";; Warning, ignoring "
-					"invalid TSIG algorithm %s\n", ptr);
-				return (value_from_next);
-			}
+			parse_hmac(ptr);
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
@@ -1624,13 +1580,18 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 							"extra type option\n");
 					}
 					if (rdtype == dns_rdatatype_ixfr) {
+						isc_uint32_t serial;
 						lookup->rdtype =
 							dns_rdatatype_ixfr;
 						lookup->rdtypeset = ISC_TRUE;
-						lookup->ixfr_serial =
-							parse_uint(&rv[0][5],
-								"serial number",
-								MAXSERIAL);
+						result = parse_uint(&serial,
+								    &rv[0][5],
+								    MAXSERIAL,
+							      "serial number");
+						if (result != ISC_R_SUCCESS)
+							fatal("Couldn't parse "
+							      "serial number");
+						lookup->ixfr_serial = serial;
 						lookup->section_question =
 							plusquest;
 						lookup->comments = pluscomm;
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f1fa25ef7b..4b6764dda9 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.324 2009/09/01 00:22:24 jinmei Exp $ */
+/* $Id: dighost.c,v 1.325 2009/09/15 03:13:43 each Exp $ */
 
 /*! \file
  *  \note
@@ -53,6 +53,7 @@
 #include 
 #endif
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -71,10 +72,12 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #ifdef DIG_SIGCHASE
 #include 
 #endif
+#include 
 #include 
 #include 
 #include 
@@ -84,6 +87,8 @@
 #include 
 #include 
 
+#include 
+
 #include 
 #include 
 
@@ -121,6 +126,7 @@ in_port_t port = 53;
 unsigned int timeout = 0;
 unsigned int extrabytes;
 isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
 isc_taskmgr_t *taskmgr = NULL;
 isc_task_t *global_task = NULL;
 isc_timermgr_t *timermgr = NULL;
@@ -940,15 +946,164 @@ setup_text_key(void) {
 	isc_buffer_free(&namebuf);
 }
 
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc) {
+	isc_uint32_t n;
+	isc_result_t result = isc_parse_uint32(&n, value, 10);
+	if (result == ISC_R_SUCCESS && n > max)
+		result = ISC_R_RANGE;
+	if (result != ISC_R_SUCCESS) {
+		printf("invalid %s '%s': %s\n", desc,
+		       value, isc_result_totext(result));
+		return (result);
+	}
+	*uip = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_uint32_t
+parse_bits(char *arg, const char *desc, isc_uint32_t max) {
+        isc_result_t result;
+        isc_uint32_t tmp;
+
+        result = parse_uint(&tmp, arg, max, desc);
+        if (result != ISC_R_SUCCESS)
+                fatal("couldn't parse digest bits");
+        tmp = (tmp + 7) & ~0x7U;
+        return (tmp);
+}
+
+
+/*
+ * Parse HMAC algorithm specification
+ */
+void
+parse_hmac(const char *hmac) {
+	char buf[20];
+	int len;
+
+	REQUIRE(hmac != NULL);
+
+	len = strlen(hmac);
+        if (len >= (int) sizeof(buf))
+		fatal("unknown key type '%.*s'", len, hmac);
+	strncpy(buf, hmac, sizeof(buf));
+
+	digestbits = 0;
+
+	if (strcasecmp(buf, "hmac-md5") == 0) {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
+	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		digestbits = 0;
+	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
+	} else if (strcasecmp(buf, "hmac-sha224") == 0) {
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+	} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
+	} else if (strcasecmp(buf, "hmac-sha256") == 0) {
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+	} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
+	} else if (strcasecmp(buf, "hmac-sha384") == 0) {
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+	} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
+	} else if (strcasecmp(buf, "hmac-sha512") == 0) {
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+	} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
+	} else {
+		fprintf(stderr, ";; Warning, ignoring "
+			"invalid TSIG algorithm %s\n", buf);
+	}
+}
+
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_confkey(void) {
+	isc_log_t *lctx = NULL;
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *file = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	const char *keyname;
+	const char *secretstr;
+	const char *algorithm;
+	isc_result_t result;
+
+	if (! isc_file_exists(keyfile))
+		return (ISC_R_FILENOTFOUND);
+
+	result = cfg_parser_create(mctx, lctx, &pctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
+				&file);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_map_get(file, "key", &key);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	(void) cfg_map_get(key, "secret", &secretobj);
+	(void) cfg_map_get(key, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL)
+		fatal("key must have algorithm and secret");
+
+	keyname = cfg_obj_asstring(cfg_map_getname(key));
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithm = cfg_obj_asstring(algorithmobj);
+
+	strncpy(keynametext, keyname, sizeof(keynametext));
+	strncpy(keysecret, secretstr, sizeof(keysecret));
+	parse_hmac(algorithm);
+	setup_text_key();
+
+ cleanup:
+	if (pctx != NULL) {
+		if (file != NULL)
+			cfg_obj_destroy(pctx, &file);
+		cfg_parser_destroy(&pctx);
+	}
+
+	return (result);
+}
+
 static void
 setup_file_key(void) {
 	isc_result_t result;
 	dst_key_t *dstkey = NULL;
 
 	debug("setup_file_key()");
+
+	/* Try reading the key from a K* pair */
 	result = dst_key_fromnamedfile(keyfile, NULL,
 				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
 				       &dstkey);
+
+	/* If that didn't work, try reading it as a session.key keyfile */
+	if (result != ISC_R_SUCCESS) {
+		result = read_confkey();
+		if (result == ISC_R_SUCCESS)
+			return;
+	}
+
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "Couldn't read key from %s: %s\n",
 			keyfile, isc_result_totext(result));
@@ -1137,6 +1292,7 @@ set_search_domain(char *domain) {
 void
 setup_libs(void) {
 	isc_result_t result;
+	isc_logconfig_t *logconfig = NULL;
 
 	debug("setup_libs()");
 
@@ -1153,6 +1309,18 @@ setup_libs(void) {
 	result = isc_mem_create(0, 0, &mctx);
 	check_result(result, "isc_mem_create");
 
+	result = isc_log_create(mctx, &lctx, &logconfig);
+	check_result(result, "isc_log_create");
+
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+	check_result(result, "isc_log_usechannel");
+
+	isc_log_setdebuglevel(lctx, 0);
+
 	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
 	check_result(result, "isc_taskmgr_create");
 
@@ -3557,9 +3725,11 @@ destroy_libs(void) {
 		free_name(&chase_signame, mctx);
 #endif
 
-	debug("Destroy memory");
-
 #endif
+	debug("Removing log context");
+	isc_log_destroy(&lctx);
+
+	debug("Destroy memory");
 	if (memdebugging != 0)
 		isc_mem_stats(mctx, stderr);
 	if (mctx != NULL)
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index bf8a06cabc..8d319fbb11 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.108 2008/12/16 02:57:24 jinmei Exp $ */
+/* $Id: dig.h,v 1.109 2009/09/15 03:13:44 each Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
@@ -325,6 +325,13 @@ setup_libs(void);
 void
 setup_system(void);
 
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+	   const char *desc);
+
+void
+parse_hmac(const char *hmacstr);
+
 dig_lookup_t *
 requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
 
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 9340eb3f0d..22614b415f 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.122 2009/05/06 23:47:50 tbox Exp $ */
+/* $Id: nslookup.c,v 1.123 2009/09/15 03:13:43 each Exp $ */
 
 #include 
 
@@ -540,22 +540,6 @@ safecpy(char *dest, char *src, int size) {
 	dest[size-1] = 0;
 }
 
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
-	   const char *desc) {
-	isc_uint32_t n;
-	isc_result_t result = isc_parse_uint32(&n, value, 10);
-	if (result == ISC_R_SUCCESS && n > max)
-		result = ISC_R_RANGE;
-	if (result != ISC_R_SUCCESS) {
-		printf("invalid %s '%s': %s\n", desc,
-		       value, isc_result_totext(result));
-		return result;
-	}
-	*uip = n;
-	return (ISC_R_SUCCESS);
-}
-
 static void
 set_port(const char *value) {
 	isc_uint32_t n;

From 32c7a00e26d533c153ba79220ca75d6cf081c566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 15 Sep 2009 19:12:03 +0000
Subject: [PATCH 161/385] s/--with-export-installdir/--with-export-includedir/

---
 README.libdns | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.libdns b/README.libdns
index 2a16b7b1ba..e00444f99b 100644
--- a/README.libdns
+++ b/README.libdns
@@ -56,7 +56,7 @@ under the lib/export/samples directory (see below).
 This will install library object files under the directory specified
 by the --with-export-libdir configure option (default:
 EPREFIX/lib/bind9), and header files under the directory specified by
-the --with-export-installdir configure option (default:
+the --with-export-includedir configure option (default:
 PREFIX/include/bind9).
 
 To see how to build your own application after the installation, see
@@ -272,4 +272,4 @@ As of this writing, there is no formal "manual" of the libraries,
 except this document, header files (some of them provide pretty
 detailed explanations), and sample application programs.
 
-; $Id: README.libdns,v 1.2 2009/09/01 00:22:24 jinmei Exp $
+; $Id: README.libdns,v 1.3 2009/09/15 19:12:03 jinmei Exp $

From 0e4fda8862cc0d04a54faba5c54eab5e7517ec58 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 15 Sep 2009 19:30:28 +0000
Subject: [PATCH 162/385] typo fix

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index eae294c6f8..048d5abab3 100644
--- a/README
+++ b/README
@@ -70,7 +70,7 @@ BIND 9.7.0
         - A new DNSSEC-aware libdns API for use by non-BIND9 applications
           (see README.libdns for details).
         - On some platforms, named and other binaries can now print out
-          a stack backtrace an assertion failure, to aid in debugging.
+          a stack backtrace on assertion failure, to aid in debugging.
         - A "tools only" installation mode on Windows, which only installs
           dig, host, nslookup and nsupdate.
         - Improved PKCS#11 support, including Keyper support (see

From 866a531c59f4005b6857b633a0db6ef00e7741ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 15 Sep 2009 23:17:22 +0000
Subject: [PATCH 163/385] typo in a warning message (found in rt #20280)

---
 configure.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.in b/configure.in
index 458e56d8e4..6a2741ff3e 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.478 $)
+AC_REVISION($Revision: 1.479 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -1341,7 +1341,7 @@ yes|all|minimal)
 Install perl or explicitly disable the feature by --disable-symtable.])
 	fi
 	if test "$use_libtool" = "yes"; then
-		AC_MSG_WARN([Internal symbol table does not work with libtool.  Disabling symtbol table.])
+		AC_MSG_WARN([Internal symbol table does not work with libtool.  Disabling symbol table.])
 	else
 		MKSYMTBL_PROGRAM="$PERL"
 		if test $want_symtable = all; then

From edabc8134dcde199b3ca4200aef9a6ec34164b00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Tue, 15 Sep 2009 23:18:00 +0000
Subject: [PATCH 164/385] regen

---
 configure | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 25bbe5d897..084d1e8677 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.464 2009/09/14 18:31:47 jinmei Exp $
+# $Id: configure,v 1.465 2009/09/15 23:18:00 jinmei Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.478 .
+# From configure.in Revision: 1.479 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -26009,8 +26009,8 @@ Install perl or explicitly disable the feature by --disable-symtable." >&2;}
    { (exit 1); exit 1; }; }
 	fi
 	if test "$use_libtool" = "yes"; then
-		{ echo "$as_me:$LINENO: WARNING: Internal symbol table does not work with libtool.  Disabling symtbol table." >&5
-echo "$as_me: WARNING: Internal symbol table does not work with libtool.  Disabling symtbol table." >&2;}
+		{ echo "$as_me:$LINENO: WARNING: Internal symbol table does not work with libtool.  Disabling symbol table." >&5
+echo "$as_me: WARNING: Internal symbol table does not work with libtool.  Disabling symbol table." >&2;}
 	else
 		MKSYMTBL_PROGRAM="$PERL"
 		if test $want_symtable = all; then

From 4479e4cea3e01355c7e3931ac89a388423168bcd Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 15 Sep 2009 23:19:01 +0000
Subject: [PATCH 165/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 66607f1844..9778e23f9d 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -233,6 +233,7 @@ rt19874				new	each	// 2009-08-05 22:36 +0000
 rt19875				new	each	// 2009-07-04 22:47 +0000
 rt19910				new	marka	// 2009-07-09 02:38 +0000
 rt19942				new	each	// 2009-08-27 23:01 +0000
+rt19943				new	each	// 2009-09-15 03:18 +0000
 rt20001				new	each	// 2009-08-05 15:54 +0000
 rt20023				new	fdupont	// 2009-07-31 15:08 +0000
 rt20037				new	marka	// 2009-08-11 07:46 +0000

From 1a06700908f5a1d9f4a8d51285a0fd971e2f9117 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 15 Sep 2009 23:30:30 +0000
Subject: [PATCH 166/385] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 5e966f63c1..9a70b2c2c5 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -72,7 +72,7 @@
 ./bin/dig/host.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2009
 ./bin/dig/host.docbook				SGML	2000,2001,2002,2004,2005,2007,2008,2009
 ./bin/dig/host.html				HTML	DOCBOOK
-./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008
+./bin/dig/include/dig/dig.h			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/dig/nslookup.1				MAN	DOCBOOK
 ./bin/dig/nslookup.c				C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/dig/nslookup.docbook			SGML	2004,2005,2006,2007

From 4765fc7c3f8fdf565a6e49bb11c1d10efee4cef7 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 15 Sep 2009 23:48:09 +0000
Subject: [PATCH 167/385] update copyright notice

---
 bin/dig/dighost.c         | 18 +++++++++---------
 bin/dig/include/dig/dig.h |  4 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 4b6764dda9..7b81605304 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.325 2009/09/15 03:13:43 each Exp $ */
+/* $Id: dighost.c,v 1.326 2009/09/15 23:48:09 tbox Exp $ */
 
 /*! \file
  *  \note
@@ -964,14 +964,14 @@ parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
 
 static isc_uint32_t
 parse_bits(char *arg, const char *desc, isc_uint32_t max) {
-        isc_result_t result;
-        isc_uint32_t tmp;
+	isc_result_t result;
+	isc_uint32_t tmp;
 
-        result = parse_uint(&tmp, arg, max, desc);
-        if (result != ISC_R_SUCCESS)
-                fatal("couldn't parse digest bits");
-        tmp = (tmp + 7) & ~0x7U;
-        return (tmp);
+	result = parse_uint(&tmp, arg, max, desc);
+	if (result != ISC_R_SUCCESS)
+		fatal("couldn't parse digest bits");
+	tmp = (tmp + 7) & ~0x7U;
+	return (tmp);
 }
 
 
@@ -986,7 +986,7 @@ parse_hmac(const char *hmac) {
 	REQUIRE(hmac != NULL);
 
 	len = strlen(hmac);
-        if (len >= (int) sizeof(buf))
+	if (len >= (int) sizeof(buf))
 		fatal("unknown key type '%.*s'", len, hmac);
 	strncpy(buf, hmac, sizeof(buf));
 
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 8d319fbb11..d463afb35f 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.109 2009/09/15 03:13:44 each Exp $ */
+/* $Id: dig.h,v 1.110 2009/09/15 23:48:09 tbox Exp $ */
 
 #ifndef DIG_H
 #define DIG_H

From 8b5a11217c8ebe25df3d60b52c2c25620c9e87b0 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 17 Sep 2009 22:51:59 +0000
Subject: [PATCH 168/385] from contrib/pkcs11-keygen

---
 bin/pkcs11/pkcs11-destroy.c | 178 +++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-keygen.c  | 201 ++++++++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-list.c    | 192 ++++++++++++++++++++++++++++++++++
 3 files changed, 571 insertions(+)
 create mode 100644 bin/pkcs11/pkcs11-destroy.c
 create mode 100644 bin/pkcs11/pkcs11-keygen.c
 create mode 100644 bin/pkcs11/pkcs11-list.c

diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
new file mode 100644
index 0000000000..e7068e4d62
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -0,0 +1,178 @@
+/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+int
+main(int argc, char *argv[])
+{
+    CK_RV rv;
+    CK_SLOT_ID slot = 0;
+    CK_SESSION_HANDLE hSession;
+    CK_UTF8CHAR *pin = NULL;
+    CK_BYTE attr_id[2];
+    CK_OBJECT_HANDLE akey[50];
+    char *label = NULL;
+    int error = 0;
+    int id = 0, i = 0;
+    int c, errflg = 0;
+    CK_ULONG ulObjectCount;
+    CK_ATTRIBUTE search_template[] = {
+	{CKA_ID, &attr_id, sizeof(attr_id)}
+    };
+    extern char *optarg;
+    extern int optopt;
+
+    while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
+	switch (c) {
+	case 's':
+	    slot = atoi(optarg);
+	    break;
+	case 'i':
+	    id = atoi(optarg);
+	    id &= 0xffff;
+	    break;
+	case 'l':
+	    label = optarg;
+	    break;
+	case 'p':
+	    pin = (CK_UTF8CHAR *)optarg;
+	    break;
+	case ':':
+	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
+	    errflg++;
+	    break;
+	case '?':
+	default:
+	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+	    errflg++;
+	}
+    }
+    if (errflg || ((!id) && (!label))) {
+	fprintf(stderr,
+		"usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
+	exit(1);
+    }
+    if (id) {
+	printf("id %i\n", id);
+	attr_id[0] = (id >> 8) & 0xff;
+	attr_id[1] = id & 0xff;
+    } else if (label) {
+	printf("label %s\n", label);
+	search_template[0].type = CKA_LABEL;
+	search_template[0].pValue = label;
+	search_template[0].ulValueLen = strlen(label);
+    }
+
+    /* Initialize the CRYPTOKI library */
+    rv = C_Initialize(NULL_PTR);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	exit(1);
+    }
+
+    /* Open a session on the slot found */
+    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+		       NULL_PTR, NULL_PTR, &hSession);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_program;
+    }
+
+    /* Login to the Token (Keystore) */
+    if (!pin)
+#ifndef HAVE_GETPASS
+	pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+#else
+	pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
+#endif
+    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+    memset(pin, 0, strlen((char *)pin));
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_session;
+    }
+
+    rv = C_FindObjectsInit(hSession, search_template,
+			   ((id != 0) || (label != NULL)) ? 1 : 0); 
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_session;
+    }
+    
+    rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_search;
+    }
+
+    for (i = 0; i < ulObjectCount; i++) {
+	CK_OBJECT_CLASS oclass = 0;
+	CK_BYTE labelbuf[64 + 1];
+	CK_BYTE idbuf[64];
+	CK_ATTRIBUTE attr_template[] = {
+	    {CKA_CLASS, &oclass, sizeof(oclass)},
+	    {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+	    {CKA_ID, idbuf, sizeof(idbuf)}
+	};
+	int j, len;
+
+	memset(labelbuf, 0, sizeof(labelbuf));
+	memset(idbuf, 0, sizeof(idbuf));
+
+	rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+	if (rv != CKR_OK) {
+	    fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
+	    error = 1;
+	    goto exit_search;
+	}
+	len = attr_template[2].ulValueLen;
+	printf("object[%d]: class %d label '%s' id[%u] ",
+	       i, oclass, labelbuf, attr_template[2].ulValueLen);
+	if (len > 4)
+	    len = 4;
+	for (j = 0; j < len; j++)
+	    printf("%02x", idbuf[j]);
+	if (attr_template[2].ulValueLen > len)
+	    printf("...\n");
+	else
+	    printf("\n");
+    }
+
+    /* give a chance to kill this */
+    printf("sleeping 5 seconds...\n");
+    sleep(5);
+
+    for (i = 0; i < ulObjectCount; i++) {
+	rv = C_DestroyObject(hSession, akey[i]);
+	if (rv != CKR_OK) {
+	    fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
+	    error = 1;
+	}
+    }
+
+ exit_search:
+    rv = C_FindObjectsFinal(hSession);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+	error = 1;
+    }
+
+ exit_session:
+    (void) C_CloseSession(hSession);
+
+ exit_program:
+    (void) C_Finalize(NULL_PTR);
+
+    exit(error);
+}
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
new file mode 100644
index 0000000000..45a9e3cd68
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -0,0 +1,201 @@
+/* genkey - pkcs11 rsa key generator
+ *
+ * create RSASHA1 key in the keystore of an SCA6000
+ * The calculation of key tag is left to the script
+ * that converts the key into a DNSKEY RR and inserts 
+ * it into a zone file.
+ *
+ * usage:
+ * genkey [-P] [-s slot] -b keysize -l label [-p pin] 
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/* Define static key template values */
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[])
+{
+    CK_RV rv;
+    CK_SLOT_ID slot = 0;
+    CK_MECHANISM genmech;
+    CK_SESSION_HANDLE hSession;
+    CK_UTF8CHAR *pin = NULL;
+    CK_ULONG modulusbits = 0;
+    CK_CHAR *label = NULL;
+    CK_OBJECT_HANDLE privatekey, publickey;
+    CK_BYTE public_exponent[3];
+    int error = 0;
+    int i = 0;
+    int c, errflg = 0;
+    int hide = 1;
+    CK_ULONG ulObjectCount;
+    /* Set search template */
+    CK_ATTRIBUTE search_template[] = {
+        {CKA_LABEL, NULL_PTR, 0}
+    };
+    CK_ATTRIBUTE publickey_template[] = {
+        {CKA_LABEL, NULL_PTR, 0},
+        {CKA_VERIFY, &truevalue, sizeof (truevalue)},
+        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
+        {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
+        {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
+    };
+    CK_ATTRIBUTE privatekey_template[] = {
+        {CKA_LABEL, NULL_PTR, 0},
+        {CKA_SIGN, &truevalue, sizeof (truevalue)},
+        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
+        {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
+        {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
+        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
+    };
+    extern char *optarg;
+    extern int optopt;
+    
+    while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
+        switch (c) {
+	case 'P':
+	    hide = 0;
+	    break;
+	case 's':
+	    slot = atoi(optarg);
+	    break;
+        case 'b':
+            modulusbits = atoi(optarg);
+            break;
+        case 'l':
+            label = (CK_CHAR *)optarg;
+            break;
+        case 'p':
+            pin = (CK_UTF8CHAR *)optarg;
+            break;
+        case ':':
+            fprintf(stderr, "Option -%c requires an operand\n", optopt);
+            errflg++;
+            break;
+        case '?':
+	default:
+            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+            errflg++;
+        }
+    }
+    if ((errflg) || (!modulusbits) || (!label)) {
+        fprintf(stderr,
+		"usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
+        exit(2);
+    }
+    
+    search_template[0].pValue = label;
+    search_template[0].ulValueLen = strlen((char *)label);
+    publickey_template[0].pValue = label;
+    publickey_template[0].ulValueLen = strlen((char *)label);
+    privatekey_template[0].pValue = label;
+    privatekey_template[0].ulValueLen = strlen((char *)label);
+
+    /* Set public exponent to 65537 */
+    public_exponent[0] = 0x01;
+    public_exponent[1] = 0x00;
+    public_exponent[2] = 0x01;
+
+    /* Set up mechanism for generating key pair */
+    genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+    genmech.pParameter = NULL_PTR;
+    genmech.ulParameterLen = 0;
+
+    /* Initialize the CRYPTOKI library */
+    rv = C_Initialize(NULL_PTR);
+
+    if (rv != CKR_OK) {
+        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	exit(1);
+    }
+
+    /* Open a session on the slot found */
+    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+		       NULL_PTR, NULL_PTR, &hSession);
+
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_program;
+    }
+
+    /* Login to the Token (Keystore) */
+    if (!pin)
+#ifndef HAVE_GETPASS
+        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+#else
+        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
+#endif
+    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+    memset(pin, 0, strlen((char *)pin));
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+        error = 1;
+        goto exit_session;
+    }
+   
+    /* check if a key with the same id already exists */
+    rv = C_FindObjectsInit(hSession, search_template, 1); 
+    if (rv != CKR_OK) {
+        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+        error = 1;
+        goto exit_session;
+    }
+    rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+    if (rv != CKR_OK) {
+        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+        error = 1;
+        goto exit_search;
+    }
+    if (ulObjectCount != 0) {
+        fprintf(stderr, "Key already exists.\n");
+        error = 1;
+        goto exit_search;
+    }
+    
+    /* Set attributes if the key is not to be hidden */
+    if (!hide) {
+        privatekey_template[4].pValue = &falsevalue;
+	privatekey_template[5].pValue = &truevalue;
+    }
+
+    /* Generate Key pair for signing/verifying */
+    rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
+			   (sizeof (publickey_template) /
+			    sizeof (CK_ATTRIBUTE)),
+			   privatekey_template,
+			   (sizeof (privatekey_template) /
+			    sizeof (CK_ATTRIBUTE)),
+			   &publickey, &privatekey);
+        
+    if (rv != CKR_OK) {
+        fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
+        error = 1;
+    }
+    
+ exit_search:
+    rv = C_FindObjectsFinal(hSession);
+    if (rv != CKR_OK) {
+        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+        error = 1;
+    }
+
+ exit_session:
+    (void) C_CloseSession(hSession);
+
+ exit_program:
+    (void) C_Finalize(NULL_PTR);
+
+    exit(error);
+}
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
new file mode 100644
index 0000000000..3fb6eaa80f
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.c
@@ -0,0 +1,192 @@
+/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+int
+main(int argc, char *argv[])
+{
+    CK_RV rv;
+    CK_SLOT_ID slot = 0;
+    CK_SESSION_HANDLE hSession;
+    CK_UTF8CHAR *pin = NULL;
+    CK_BYTE attr_id[2];
+    CK_OBJECT_HANDLE akey[50];
+    char *label = NULL;
+    int error = 0, public = 0, all = 0;
+    int i = 0, id = 0;
+    int c, errflg = 0;
+    CK_ULONG ulObjectCount;
+    CK_ATTRIBUTE search_template[] = {
+	{CKA_ID, &attr_id, sizeof(attr_id)}
+    };
+    extern char *optarg;
+    extern int optopt;
+
+    while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
+	switch (c) {
+	case 'P':
+	    public = 1;
+	    break;
+	case 's':
+	    slot = atoi(optarg);
+	    break;
+	case 'i':
+	    id = atoi(optarg);
+	    id &= 0xffff;
+	    break;
+	case 'l':
+	    label = optarg;
+	    break;
+	case 'p':
+	    pin = (CK_UTF8CHAR *)optarg;
+	    break;
+	case ':':
+	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
+	    errflg++;
+	    break;
+	case '?':
+	default:
+	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+	    errflg++;
+	}
+    }
+    if (errflg) {
+	fprintf(stderr,
+		"usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
+	exit(1);
+    }
+    if ((!id) && (!label))
+	all = 1;
+    if (slot)
+	printf("slot %d\n", slot);
+    if (id) {
+	printf("id %i\n", id);
+	attr_id[0] = (id >> 8) & 0xff;
+	attr_id[1] = id & 0xff;
+    } else if (label) {
+	printf("label %s\n", label);
+	search_template[0].type = CKA_LABEL;
+	search_template[0].pValue = label;
+	search_template[0].ulValueLen = strlen(label);
+    }
+
+    /* Initialize the CRYPTOKI library */
+    rv = C_Initialize(NULL_PTR);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	exit(1);
+    }
+
+    /* Open a session on the slot found */
+    rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
+		       NULL_PTR, NULL_PTR, &hSession);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_program;
+    }
+
+    /* Login to the Token (Keystore) */
+    if (!public) {
+	if (!pin)
+#ifndef HAVE_GETPASS
+	    pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+#else
+	    pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
+#endif
+	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+	memset(pin, 0, strlen((char *)pin));
+	if (rv != CKR_OK) {
+	    fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+	    error = 1;
+	    goto exit_session;
+	}
+    }
+
+    rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+	error = 1;
+	goto exit_session;
+    }
+    
+    ulObjectCount = 1;
+    while (ulObjectCount) {
+	rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+	if (rv != CKR_OK) {
+	    fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+	    error = 1;
+	    goto exit_search;
+	}
+
+	for (i = 0; i < ulObjectCount; i++) {
+	    CK_OBJECT_CLASS oclass = 0;
+	    CK_BYTE labelbuf[64 + 1];
+	    CK_BYTE idbuf[64];
+	    CK_ATTRIBUTE attr_template[] = {
+		{CKA_CLASS, &oclass, sizeof(oclass)},
+		{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+		{CKA_ID, idbuf, sizeof(idbuf)}
+	    };
+	    int j, len;
+
+	    memset(labelbuf, 0, sizeof(labelbuf));
+	    memset(idbuf, 0, sizeof(idbuf));
+
+	    rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+	    if (rv != CKR_OK) {
+		fprintf(stderr,
+			"C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
+		if (rv = CKR_BUFFER_TOO_SMALL)
+		    fprintf(stderr, "%d too small: %u %u %u\n", i,
+			    attr_template[0].ulValueLen,
+			    attr_template[1].ulValueLen,
+			    attr_template[2].ulValueLen);
+		error = 1;
+		continue;
+	    }
+
+	    len = attr_template[2].ulValueLen;
+	    printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
+		   i, akey[i], oclass,
+		   attr_template[1].ulValueLen, labelbuf,
+		   attr_template[2].ulValueLen);
+	    if (len == 2) {
+		id = (idbuf[0] << 8) & 0xff00;
+		id |= idbuf[1] & 0xff;
+		printf("%i\n", id);
+	    } else {
+		if (len > 8)
+		    len = 8;
+		for (j = 0; j < len; j++)
+		    printf("%02x", idbuf[j]);
+		if (attr_template[2].ulValueLen > len)
+		    printf("...\n");
+		else
+		    printf("\n");
+	    }
+	}
+    }
+
+ exit_search:
+    rv = C_FindObjectsFinal(hSession);
+    if (rv != CKR_OK) {
+	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+	error = 1;
+    }
+
+ exit_session:
+    (void) C_CloseSession(hSession);
+
+ exit_program:
+    (void) C_Finalize(NULL_PTR);
+
+    exit(error);
+}

From be728633c1a1d77b3e3ae8ece7cecedb39019187 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 17 Sep 2009 22:55:59 +0000
Subject: [PATCH 169/385] init .cvsignore

---
 bin/pkcs11/.cvsignore | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 bin/pkcs11/.cvsignore

diff --git a/bin/pkcs11/.cvsignore b/bin/pkcs11/.cvsignore
new file mode 100644
index 0000000000..094f46543f
--- /dev/null
+++ b/bin/pkcs11/.cvsignore
@@ -0,0 +1,3 @@
+pkcs11-destroy
+pkcs11-keygen
+pkcs11-list

From 56e7dc0c24b04210dcbffb180a9e35644fb820da Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 17 Sep 2009 23:30:25 +0000
Subject: [PATCH 170/385] newcopyrights

---
 util/copyrights | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/util/copyrights b/util/copyrights
index 9a70b2c2c5..ead6dc7523 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -229,6 +229,10 @@
 ./bin/nsupdate/win32/nsupdate.dsp		X	2001,2004,2005,2009
 ./bin/nsupdate/win32/nsupdate.dsw		X	2001
 ./bin/nsupdate/win32/nsupdate.mak		X	2001,2002,2004,2005,2006,2009
+./bin/pkcs11/.cvsignore				X	2009
+./bin/pkcs11/pkcs11-destroy.c			C	2009
+./bin/pkcs11/pkcs11-keygen.c			C	2009
+./bin/pkcs11/pkcs11-list.c			C	2009
 ./bin/rndc/.cvsignore				X	2000,2001
 ./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009
 ./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009

From 6b87f604311735826a0b2e1bde672a2a4f352892 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 17 Sep 2009 23:34:39 +0000
Subject: [PATCH 171/385] Move some contrib/pkcs11-keygen to bin/pkcs11 RT
 #20067

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 782d57bfed..385341d1cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2680.	[func]		Move some contrib/pkcs11-keygen to bin/pkcs11.
+			[RT #20067]
+
 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 			format.  [RT #20031]
 

From 3351ccbd5c1961404044f8273d54dad405f53960 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 17 Sep 2009 23:45:08 +0000
Subject: [PATCH 172/385] update

---
 util/copyrights | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index ead6dc7523..a1f7270645 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -230,9 +230,9 @@
 ./bin/nsupdate/win32/nsupdate.dsw		X	2001
 ./bin/nsupdate/win32/nsupdate.mak		X	2001,2002,2004,2005,2006,2009
 ./bin/pkcs11/.cvsignore				X	2009
-./bin/pkcs11/pkcs11-destroy.c			C	2009
-./bin/pkcs11/pkcs11-keygen.c			C	2009
-./bin/pkcs11/pkcs11-list.c			C	2009
+./bin/pkcs11/pkcs11-destroy.c			X	2009
+./bin/pkcs11/pkcs11-keygen.c			X	2009
+./bin/pkcs11/pkcs11-list.c			X	2009
 ./bin/rndc/.cvsignore				X	2000,2001
 ./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009
 ./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009

From 0e32dda1768312e55d612246e51685bb2d450207 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 17 Sep 2009 23:46:34 +0000
Subject: [PATCH 173/385] add include , and update comments to use
 the new names

---
 bin/pkcs11/pkcs11-destroy.c | 4 +++-
 bin/pkcs11/pkcs11-keygen.c  | 6 ++++--
 bin/pkcs11/pkcs11-list.c    | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index e7068e4d62..a6a663dcb5 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -1,4 +1,6 @@
-/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
+/* pkcs11-destroy [-s $slot] [-i $id | -l $label] [-p $pin] */
+
+#include 
 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 45a9e3cd68..72e3afd4e6 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -1,4 +1,4 @@
-/* genkey - pkcs11 rsa key generator
+/* pkcs11-keygen - pkcs11 rsa key generator
  *
  * create RSASHA1 key in the keystore of an SCA6000
  * The calculation of key tag is left to the script
@@ -6,10 +6,12 @@
  * it into a zone file.
  *
  * usage:
- * genkey [-P] [-s slot] -b keysize -l label [-p pin] 
+ * pkcs11-keygen [-P] [-s slot] -b keysize -l label [-p pin] 
  *
  */
 
+#include 
+
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 3fb6eaa80f..2abb56afdb 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,4 +1,6 @@
-/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
+/* pkcs11-list [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
+
+#include 
 
 #include 
 #include 

From 148e9f3feb94056762445817f8c3aa480b0a7531 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Fri, 18 Sep 2009 07:18:04 +0000
Subject: [PATCH 174/385] removed a non-existent .h.  gmake (which is assumed
 to be used to build the exportlib) ignores it so it doesn't cause a trouble
 in practice, but should still better be fixed.

(found by Shawn, I confirmed it.)
---
 lib/export/dns/include/dns/Makefile.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/export/dns/include/dns/Makefile.in b/lib/export/dns/include/dns/Makefile.in
index 5e04d88538..2d7f2c78b3 100644
--- a/lib/export/dns/include/dns/Makefile.in
+++ b/lib/export/dns/include/dns/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+# $Id: Makefile.in,v 1.4 2009/09/18 07:18:04 jinmei Exp $
 
 srcdir =	@srcdir@
 top_srcdir =	@top_srcdir@
@@ -29,7 +29,7 @@ HEADERS =	acl.h adb.h byaddr.h \
 		master.h masterdump.h message.h \
 		name.h ncache.h nsec.h nsec3.h \
 		peer.h portlist.h \
-		rbt.h rbtdb.h rcode.h rdata.h rdataclass.h \
+		rbt.h rcode.h rdata.h rdataclass.h \
 		rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \
 		request.h resolver.h result.h \
 		secalg.h secproto.h soa.h stats.h \

From 1def9132114f9a3994782e2350dfecfcc9b5871d Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Fri, 18 Sep 2009 11:07:04 +0000
Subject: [PATCH 175/385] config.h issue is fixed: cleanup

---
 bin/pkcs11/pkcs11-destroy.c | 2 --
 bin/pkcs11/pkcs11-keygen.c  | 2 --
 bin/pkcs11/pkcs11-list.c    | 2 --
 3 files changed, 6 deletions(-)

diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index a6a663dcb5..9c58dabb66 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -1,7 +1,5 @@
 /* pkcs11-destroy [-s $slot] [-i $id | -l $label] [-p $pin] */
 
-#include 
-
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 72e3afd4e6..53ce2961f1 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -10,8 +10,6 @@
  *
  */
 
-#include 
-
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 2abb56afdb..79bfd328b9 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,7 +1,5 @@
 /* pkcs11-list [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
 
-#include 
-
 #include 
 #include 
 #include 

From b0dafbb3094476b74182b7b32f2eb84aaeab9fa9 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Fri, 18 Sep 2009 13:14:47 +0000
Subject: [PATCH 176/385] spelling

---
 bin/tools/genrandom.docbook | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/tools/genrandom.docbook b/bin/tools/genrandom.docbook
index f17dfd7a04..581c93679d 100644
--- a/bin/tools/genrandom.docbook
+++ b/bin/tools/genrandom.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Feb 19, 2009
@@ -53,7 +53,7 @@
     DESCRIPTION
     
       genrandom
-      generates a file containing a specified quantity of psuedo-random
+      generates a file containing a specified quantity of pseudo-random
       data, which can be used as a source of entropy for other commands
       on systems with no random device.
     

From 790e471f6e97fd4da5dc03dd34824d814a50b9a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Fri, 18 Sep 2009 21:55:21 +0000
Subject: [PATCH 177/385] 2681.	[bug]		IPSECKEY RR of gateway type 3
 was not correctly 			decoded [RT #20269].

BIND 9.7.0, 9.6.2, 9.5.2, 9.4.4
---
 CHANGES                             | 3 +++
 lib/dns/rdata/generic/ipseckey_45.c | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 385341d1cf..2dd3bb7fba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
+			decoded [RT #20269].
+
 2680.	[func]		Move some contrib/pkcs11-keygen to bin/pkcs11.
 			[RT #20067]
 
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index 15c7cdcf59..2cf13b2831 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.c,v 1.6 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: ipseckey_45.c,v 1.7 2009/09/18 21:55:21 jinmei Exp $ */
 
 #ifndef RDATA_GENERIC_IPSECKEY_45_C
 #define RDATA_GENERIC_IPSECKEY_45_C
@@ -243,6 +243,7 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 		isc_buffer_forward(source, 3);
 		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
 		isc_buffer_activeregion(source, ®ion);
+		isc_buffer_forward(source, region.length);
 		return(mem_tobuffer(target, region.base, region.length));
 
 	default:

From b67b58ebe73b98f2907d7f3ea02e69a7fa8ba35e Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Fri, 18 Sep 2009 22:08:55 +0000
Subject: [PATCH 178/385] small improvement (rt20291)

---
 bin/confgen/ddns-confgen.docbook | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
index bd707bac60..cedfbf5726 100644
--- a/bin/confgen/ddns-confgen.docbook
+++ b/bin/confgen/ddns-confgen.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Jan 29, 2009
@@ -48,7 +48,10 @@
       
       
       
-      
+      
+        -s name
+        -z zone
+      
       
       name
     

From fa5748c1ab40cf6acf681ddeb89c1784b864e59e Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 18 Sep 2009 23:18:31 +0000
Subject: [PATCH 179/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 9778e23f9d..d7ddb00b08 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -241,8 +241,10 @@ rt20044				new	fdupont	// 2009-08-07 18:59 +0000
 rt20062				new	marka	// 2009-08-10 05:00 +0000
 rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
+rt20225				new	fdupont	// 2009-09-18 11:50 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000
+rt20257				new	fdupont	// 2009-09-18 16:53 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From d2ebd5d5fba00a44ca49462c6cd4390e9876a137 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 19 Sep 2009 01:14:52 +0000
Subject: [PATCH 180/385] regen

---
 bin/confgen/ddns-confgen.8    |  4 ++--
 bin/confgen/ddns-confgen.html | 12 ++++++------
 bin/tools/genrandom.8         |  4 ++--
 bin/tools/genrandom.html      |  4 ++--
 doc/arm/man.ddns-confgen.html | 12 ++++++------
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bin/confgen/ddns-confgen.8 b/bin/confgen/ddns-confgen.8
index b0e5c3d623..6f56458077 100644
--- a/bin/confgen/ddns-confgen.8
+++ b/bin/confgen/ddns-confgen.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: ddns-confgen.8,v 1.9 2009/07/11 01:12:45 tbox Exp $
+.\" $Id: ddns-confgen.8,v 1.10 2009/09/19 01:14:52 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 ddns\-confgen \- ddns key generation tool
 .SH "SYNOPSIS"
 .HP 13
-\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ name\ |\ \-z\ zone\fR] [\fB\-q\fR] [name]
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
 .SH "DESCRIPTION"
 .PP
 \fBddns\-confgen\fR
diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html
index 5ba98d0007..18f9d75ba7 100644
--- a/bin/confgen/ddns-confgen.html
+++ b/bin/confgen/ddns-confgen.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,10 +28,10 @@
 
    
 
    
 
    Synopsis
    
-
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]
    
+
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -125,7 +125,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -133,7 +133,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/tools/genrandom.8 b/bin/tools/genrandom.8
index 6c49a07016..7fd8213135 100644
--- a/bin/tools/genrandom.8
+++ b/bin/tools/genrandom.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: genrandom.8,v 1.4 2009/03/03 01:12:26 tbox Exp $
+.\" $Id: genrandom.8,v 1.5 2009/09/19 01:14:52 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -36,7 +36,7 @@ genrandom \- generate a file containing random data
 .SH "DESCRIPTION"
 .PP
 \fBgenrandom\fR
-generates a file containing a specified quantity of psuedo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
+generates a file containing a specified quantity of pseudo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
 .SH "ARGUMENTS"
 .PP
 size
diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html
index 32fbb841ee..d6fe8130a2 100644
--- a/bin/tools/genrandom.html
+++ b/bin/tools/genrandom.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -35,7 +35,7 @@
 
    DESCRIPTION
    
 
    
       genrandom
-      generates a file containing a specified quantity of psuedo-random
+      generates a file containing a specified quantity of pseudo-random
       data, which can be used as a source of entropy for other commands
       on systems with no random device.
     
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 98df9d0446..ee879410e6 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,10 +45,10 @@
 
 
    
 
    Synopsis
    
-
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [-s name | -z zone] [-q] [name]
    
+
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From c9424f08b013c676ac07173d5b058721ea632875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Sat, 19 Sep 2009 21:47:13 +0000
Subject: [PATCH 181/385] fixed the position of the period.

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 2dd3bb7fba..6eaeb75482 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,5 @@
 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
-			decoded [RT #20269].
+			decoded. [RT #20269]
 
 2680.	[func]		Move some contrib/pkcs11-keygen to bin/pkcs11.
 			[RT #20067]

From d081840d42755b08ea5800df45906c6746e8f1fd Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 19 Sep 2009 23:18:26 +0000
Subject: [PATCH 182/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index d7ddb00b08..12016f27ba 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -242,6 +242,8 @@ rt20062				new	marka	// 2009-08-10 05:00 +0000
 rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
 rt20225				new	fdupont	// 2009-09-18 11:50 +0000
+rt20230				new	fdupont	// 2009-09-19 22:45 +0000
+rt20236				new	fdupont	// 2009-09-19 22:34 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000
 rt20257				new	fdupont	// 2009-09-18 16:53 +0000

From 54f046661437f246f09981a8d2bbbd3f9aec4184 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sun, 20 Sep 2009 23:18:28 +0000
Subject: [PATCH 183/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 12016f27ba..7c0d9689a9 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -241,6 +241,7 @@ rt20044				new	fdupont	// 2009-08-07 18:59 +0000
 rt20062				new	marka	// 2009-08-10 05:00 +0000
 rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
+rt20191				new	vjs	// 2009-09-20 01:55 +0000
 rt20225				new	fdupont	// 2009-09-18 11:50 +0000
 rt20230				new	fdupont	// 2009-09-19 22:45 +0000
 rt20236				new	fdupont	// 2009-09-19 22:34 +0000

From adb6972f01a0908251bafeaf3e20a85c51268122 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Tue, 22 Sep 2009 08:38:14 +0000
Subject: [PATCH 184/385] minor fix, cf 20295

---
 lib/dns/zone.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c7b963f7c1..3f5fbdd217 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.506 2009/09/10 23:48:00 tbox Exp $ */
+/* $Id: zone.c,v 1.507 2009/09/22 08:38:14 fdupont Exp $ */
 
 /*! \file */
 
@@ -12912,7 +12912,8 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
 
  cleanup:
 	if (signing != NULL) {
-		dns_db_detach(&signing->db);
+		if (signing->db != NULL)
+			dns_db_detach(&signing->db);
 		if (signing->dbiterator != NULL)
 			dns_dbiterator_destroy(&signing->dbiterator);
 		isc_mem_put(zone->mctx, signing, sizeof *signing);

From 2f4d747a267026e6298ba9ece22c9dfa0ac254da Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Tue, 22 Sep 2009 08:47:55 +0000
Subject: [PATCH 185/385] "configure --enable-symtable=all" failed to build.
 [RT #20282]

---
 CHANGES                  | 3 +++
 bin/confgen/Makefile.in  | 3 ++-
 bin/dig/Makefile.in      | 6 +++---
 bin/nsupdate/Makefile.in | 4 ++--
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6eaeb75482..07e85c19aa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2682.	[bug]		"configure --enable-symtable=all" failed to
+			build. [RT #20282]
+
 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 			decoded. [RT #20269]
 
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 5bfdc6adfe..ed790a01ce 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.7 2009/09/22 08:47:55 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -31,6 +31,7 @@ CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 ISCLIBS =	../../lib/isc/libisc.@A@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 6021a5f96c..8945efbb97 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.45 2009/09/15 03:13:43 each Exp $
+# $Id: Makefile.in,v 1.46 2009/09/22 08:47:55 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -48,8 +48,8 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
 		${ISCLIBS} @IDNLIBS@ @LIBS@
 
-NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCNOSYMLIBS} \
-		${ISCCFGLIBS} @IDNLIBS@ @LIBS@
+NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+		${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
 
 SUBDIRS =
 
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index b2ce180684..5f896a464c 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.34 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.35 2009/09/22 08:47:55 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -46,7 +46,7 @@ DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 
-NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCNOSYMLIBS} ${ISCCFGLIBS} @LIBS@
+NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
 
 SUBDIRS =
 

From 011d0b7dc81e51ac5ea150935c1d9613212b58cf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 23 Sep 2009 04:30:16 +0000
Subject: [PATCH 186/385] 2683.   [bug]           dnssec-signzone should clean
 out old NSEC3 chains when                         the NSEC3 parameters used
 to sign the zone change.                         [RT #20246]

---
 CHANGES                      |   4 ++
 bin/dnssec/dnssec-signzone.c | 128 ++++++++++++++++-------------------
 2 files changed, 63 insertions(+), 69 deletions(-)

diff --git a/CHANGES b/CHANGES
index 07e85c19aa..9bb222ac01 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
+			the NSEC3 parameters used to sign the zone change.
+			[RT #20246]
+
 2682.	[bug]		"configure --enable-symtable=all" failed to
 			build. [RT #20282]
 
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index a9e356423e..674423d0e6 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.229 2009/09/02 06:29:00 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.230 2009/09/23 04:30:16 marka Exp $ */
 
 /*! \file */
 
@@ -174,8 +174,9 @@ static dns_ttl_t keyttl;
 static void
 sign(isc_task_t *task, isc_event_t *event);
 
-static isc_boolean_t
-nsec3only(dns_dbnode_t *node);
+#define check_dns_dbiterator_current(result) \
+	check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+		     "dns_dbiterator_current()")
 
 static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
@@ -1618,7 +1619,8 @@ verifyzone(void) {
 	while (!done) {
 		isc_boolean_t isdelegation = ISC_FALSE;
 
-		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
 		if (delegation(name, node, NULL)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
@@ -1631,8 +1633,7 @@ verifyzone(void) {
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
-			if (result != ISC_R_SUCCESS)
-				break;
+			check_dns_dbiterator_current(result);
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 			    (zonecut != NULL &&
 			     dns_name_issubdomain(nextname, zonecut)))
@@ -1660,7 +1661,8 @@ verifyzone(void) {
 	for (result = dns_dbiterator_first(dbiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_dbiterator_next(dbiter) ) {
-		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
 		verifynode(name, node, ISC_FALSE, &rdataset,
 			   ksk_algorithms, bad_algorithms);
 		dns_db_detachnode(gdb, &node);
@@ -1725,7 +1727,7 @@ signapex(void) {
 	result = dns_dbiterator_seek(gdbiter, gorigin);
 	check_result(result, "dns_dbiterator_seek()");
 	result = dns_dbiterator_current(gdbiter, &node, name);
-	check_result(result, "dns_dbiterator_current()");
+	check_dns_dbiterator_current(result);
 	signname(node, name);
 	dumpnode(name, node);
 	cleannode(gdb, gversion, node);
@@ -1777,9 +1779,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 	found = ISC_FALSE;
 	while (!found) {
 		result = dns_dbiterator_current(gdbiter, &node, name);
-		if (result != ISC_R_SUCCESS)
-			fatal("failure iterating database: %s",
-			      isc_result_totext(result));
+		check_dns_dbiterator_current(result);
 		/*
 		 * The origin was handled by signapex().
 		 */
@@ -1974,7 +1974,8 @@ nsecify(void) {
 	check_result(result, "dns_dbiterator_first()");
 
 	while (!done) {
-		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
 		if (delegation(name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
@@ -1987,8 +1988,7 @@ nsecify(void) {
 			isc_boolean_t active = ISC_FALSE;
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
-			if (result != ISC_R_SUCCESS)
-				break;
+			check_dns_dbiterator_current(result);
 			active = active_node(nextnode);
 			if (!active) {
 				dns_db_detachnode(gdb, &nextnode);
@@ -2021,37 +2021,6 @@ nsecify(void) {
 	dns_dbiterator_destroy(&dbiter);
 }
 
-/*%
- * Does this node only contain NSEC3 records or RRSIG records or is empty.
- */
-static isc_boolean_t
-nsec3only(dns_dbnode_t *node) {
-	dns_rdatasetiter_t *rdsiter = NULL;
-	isc_result_t result;
-	dns_rdataset_t rdataset;
-	isc_boolean_t answer = ISC_TRUE;
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
-	result = dns_rdatasetiter_first(rdsiter);
-	while (result == ISC_R_SUCCESS) {
-		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nsec3 &&
-		    rdataset.type != dns_rdatatype_rrsig) {
-			answer = ISC_FALSE;
-			result = ISC_R_NOMORE;
-		} else
-			result = dns_rdatasetiter_next(rdsiter);
-		dns_rdataset_disassociate(&rdataset);
-	}
-	if (result != ISC_R_NOMORE)
-		fatal("rdataset iteration failed: %s",
-		      isc_result_totext(result));
-	dns_rdatasetiter_destroy(&rdsiter);
-	return (answer);
-}
-
 static void
 addnsec3param(const unsigned char *salt, size_t salt_length,
 	      unsigned int iterations)
@@ -2092,6 +2061,16 @@ addnsec3param(const unsigned char *salt, size_t salt_length,
 
 	result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
 	check_result(result, "dns_db_find(gorigin)");
+
+	/*
+	 * Delete any current NSEC3PARAM records.
+	 */
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_nsec3param, 0);
+	if (result == DNS_R_UNCHANGED)
+		result = ISC_R_SUCCESS;
+	check_result(result, "dddnsec3param: dns_db_deleterdataset()");
+
 	result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
 				    DNS_DBADD_MERGE, NULL);
 	if (result == DNS_R_UNCHANGED)
@@ -2180,6 +2159,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 	isc_buffer_t target;
 	isc_result_t result;
 	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+	isc_boolean_t exists;
 
 	/*
 	 * Get the first label.
@@ -2201,8 +2181,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 
 	hash[isc_buffer_usedlength(&target)] = 0;
 
-	if (hashlist_exists(hashlist, hash))
-		return;
+	exists = hashlist_exists(hashlist, hash);
 
 	/*
 	 * Verify that the NSEC3 parameters match the current ones
@@ -2217,8 +2196,8 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 		return;
 
 	/*
-	 * Delete any matching NSEC3 records which have parameters that
-	 * match the NSEC3 chain we are building.
+	 * Delete any NSEC3 records which are not part of the current
+	 * NSEC3 chain.
 	 */
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
@@ -2227,11 +2206,11 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		if (nsec3.hash == hashalg &&
+		if (exists && nsec3.hash == hashalg &&
 		    nsec3.iterations == iterations &&
 		    nsec3.salt_length == salt_length &&
 		    !memcmp(nsec3.salt, salt, salt_length))
-			break;
+			continue;
 		rdatalist.rdclass = rdata.rdclass;
 		rdatalist.type = rdata.type;
 		rdatalist.covers = 0;
@@ -2245,7 +2224,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 		result = dns_db_subtractrdataset(gdb, node, gversion,
 						 &delrdataset, 0, NULL);
 		dns_rdataset_disassociate(&delrdataset);
-		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+		if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET)
 			check_result(result, "dns_db_subtractrdataset(NSEC3)");
 		delete_rrsigs = ISC_TRUE;
 	}
@@ -2300,14 +2279,14 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	check_result(result, "dns_dbiterator_first()");
 
 	while (!done) {
-		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
-			if (result != ISC_R_SUCCESS)
-				break;
+			check_dns_dbiterator_current(result);
 			active = active_node(nextnode);
 			if (!active) {
 				dns_db_detachnode(gdb, &nextnode);
@@ -2389,6 +2368,26 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 
 	addnsec3param(salt, salt_length, iterations);
 
+	/*
+	 * Clean out NSEC3 records which don't match this chain.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	for (result = dns_dbiterator_first(dbiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter)) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		nsec3clean(name, node, hashalg, iterations, salt, salt_length,
+			   hashlist);
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	/*
+	 * Generate / complete the new chain.
+	 */
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 
@@ -2396,25 +2395,16 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	check_result(result, "dns_dbiterator_first()");
 
 	while (!done) {
-		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
-			if (result != ISC_R_SUCCESS)
-				break;
-			/*
-			 * Cleanout NSEC3 RRsets which don't exist in the
-			 * hash table.
-			 */
-			nsec3clean(nextname, nextnode, hashalg, iterations,
-				   salt, salt_length, hashlist);
-			/*
-			 * Skip NSEC3 only nodes when looking for the next
-			 * node in the zone.  Also skips now empty nodes.
-			 */
-			if (nsec3only(nextnode)) {
+			check_dns_dbiterator_current(result);
+			active = active_node(nextnode);
+			if (!active) {
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;

From 8436cc14ba43418d60da21eee1ed045570edbd58 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 23 Sep 2009 06:21:36 +0000
Subject: [PATCH 187/385] 2684.	[cleanup]	dig: formalize +ad and +cd as
 synonyms for 			+adflag and +cdflag.  [RT #19305]

---
 CHANGES       |  3 +++
 bin/dig/dig.c | 14 +++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9bb222ac01..bf48ca9418 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
+			+adflag and +cdflag.  [RT #19305]
+
 2683.	[bug]		dnssec-signzone should clean out old NSEC3 chains when
 			the NSEC3 parameters used to sign the zone change.
 			[RT #20246]
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 56165b771e..66e76e4f98 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.230 2009/09/15 03:13:43 each Exp $ */
+/* $Id: dig.c,v 1.231 2009/09/23 06:21:36 each Exp $ */
 
 /*! \file */
 
@@ -733,6 +733,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				lookup->section_additional = state;
 				break;
 			case 'f': /* adflag */
+			case '\0': /* +ad is a synonym for +adflag */
 				FULLCHECK("adflag");
 				lookup->adflag = state;
 				break;
@@ -787,8 +788,15 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 	case 'c':
 		switch (cmd[1]) {
 		case 'd':/* cdflag */
-			FULLCHECK("cdflag");
-			lookup->cdflag = state;
+			switch (cmd[2]) {
+			case 'f': /* cdflag */
+			case '\0': /* +cd is a synonym for +cdflag */
+				FULLCHECK("cdflag");
+				lookup->cdflag = state;
+				break;
+			default:
+				goto invalid_option;
+			}
 			break;
 		case 'l': /* cl */
 			FULLCHECK("cl");

From 3d3b7e5a5b2f50341ee582aae48a14b5189c00ef Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 10:43:53 +0000
Subject: [PATCH 188/385] pkcs11 tools were moved (20067)

---
 .../pkcs11-keygen/opencryptoki/apiclient.h    |  481 -----
 contrib/pkcs11-keygen/opencryptoki/pkcs11.h   |  297 ---
 .../pkcs11-keygen/opencryptoki/pkcs11types.h  | 1865 -----------------
 3 files changed, 2643 deletions(-)
 delete mode 100644 contrib/pkcs11-keygen/opencryptoki/apiclient.h
 delete mode 100644 contrib/pkcs11-keygen/opencryptoki/pkcs11.h
 delete mode 100644 contrib/pkcs11-keygen/opencryptoki/pkcs11types.h

diff --git a/contrib/pkcs11-keygen/opencryptoki/apiclient.h b/contrib/pkcs11-keygen/opencryptoki/apiclient.h
deleted file mode 100644
index 6e84c54f9d..0000000000
--- a/contrib/pkcs11-keygen/opencryptoki/apiclient.h
+++ /dev/null
@@ -1,481 +0,0 @@
-/*
- * $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/pkcs11-keygen/opencryptoki/Attic/apiclient.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $
- */
-
-
-/*
-             Common Public License Version 0.5
-
-             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
-             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
-             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
-             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-             1. DEFINITIONS
-
-             "Contribution" means: 
-                   a) in the case of the initial Contributor, the
-                   initial code and documentation distributed under
-                   this Agreement, and 
-
-                   b) in the case of each subsequent Contributor:
-                   i) changes to the Program, and
-                   ii) additions to the Program;
-
-                   where such changes and/or additions to the Program
-                   originate from and are distributed by that
-                   particular Contributor. A Contribution 'originates'
-                   from a Contributor if it was added to the Program
-                   by such Contributor itself or anyone acting on such
-                   Contributor's behalf. Contributions do not include
-                   additions to the Program which: (i) are separate
-                   modules of software distributed in conjunction with
-                   the Program under their own license agreement, and
-                   (ii) are not derivative works of the Program.
-
-
-             "Contributor" means any person or entity that distributes
-             the Program.
-
-             "Licensed Patents " mean patent claims licensable by a
-             Contributor which are necessarily infringed by the use or
-             sale of its Contribution alone or when combined with the
-             Program. 
-
-             "Program" means the Contributions distributed in
-             accordance with this Agreement.
-
-             "Recipient" means anyone who receives the Program under
-             this Agreement, including all Contributors.
-
-             2. GRANT OF RIGHTS
-
-                   a) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free copyright
-                   license to reproduce, prepare derivative works of,
-                   publicly display, publicly perform, distribute and
-                   sublicense the Contribution of such Contributor, if
-                   any, and such derivative works, in source code and
-                   object code form.
-
-                   b) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free patent
-                   license under Licensed Patents to make, use, sell,
-                   offer to sell, import and otherwise transfer the
-                   Contribution of such Contributor, if any, in source
-                   code and object code form. This patent license
-                   shall apply to the combination of the Contribution
-                   and the Program if, at the time the Contribution is
-                   added by the Contributor, such addition of the
-                   Contribution causes such combination to be covered
-                   by the Licensed Patents. The patent license shall
-                   not apply to any other combinations which include
-                   the Contribution. No hardware per se is licensed
-                   hereunder.
-
-                   c) Recipient understands that although each
-                   Contributor grants the licenses to its
-                   Contributions set forth herein, no assurances are
-                   provided by any Contributor that the Program does
-                   not infringe the patent or other intellectual
-                   property rights of any other entity. Each
-                   Contributor disclaims any liability to Recipient
-                   for claims brought by any other entity based on
-                   infringement of intellectual property rights or
-                   otherwise. As a condition to exercising the rights
-                   and licenses granted hereunder, each Recipient
-                   hereby assumes sole responsibility to secure any
-                   other intellectual property rights needed, if any.
-
-                   For example, if a third party patent license is
-                   required to allow Recipient to distribute the
-                   Program, it is Recipient's responsibility to
-                   acquire that license before distributing the
-                   Program.
-
-                   d) Each Contributor represents that to its
-                   knowledge it has sufficient copyright rights in its
-                   Contribution, if any, to grant the copyright
-                   license set forth in this Agreement.
-
-             3. REQUIREMENTS
-
-             A Contributor may choose to distribute the Program in
-             object code form under its own license agreement, provided
-             that:
-                   a) it complies with the terms and conditions of
-                   this Agreement; and
-
-                   b) its license agreement:
-                   i) effectively disclaims on behalf of all
-                   Contributors all warranties and conditions, express
-                   and implied, including warranties or conditions of
-                   title and non-infringement, and implied warranties
-                   or conditions of merchantability and fitness for a
-                   particular purpose;
-
-                   ii) effectively excludes on behalf of all
-                   Contributors all liability for damages, including
-                   direct, indirect, special, incidental and
-                   consequential damages, such as lost profits;
-
-                   iii) states that any provisions which differ from
-                   this Agreement are offered by that Contributor
-                   alone and not by any other party; and
-
-                   iv) states that source code for the Program is
-                   available from such Contributor, and informs
-                   licensees how to obtain it in a reasonable manner
-                   on or through a medium customarily used for
-                   software exchange.
-
-             When the Program is made available in source code form:
-                   a) it must be made available under this Agreement;
-                   and
-                   b) a copy of this Agreement must be included with
-                   each copy of the Program. 
-
-             Contributors may not remove or alter any copyright notices
-             contained within the Program.
-
-             Each Contributor must identify itself as the originator of
-             its Contribution, if any, in a manner that reasonably
-             allows subsequent Recipients to identify the originator of
-             the Contribution. 
-
-
-             4. COMMERCIAL DISTRIBUTION
-
-             Commercial distributors of software may accept certain
-             responsibilities with respect to end users, business
-             partners and the like. While this license is intended to
-             facilitate the commercial use of the Program, the
-             Contributor who includes the Program in a commercial
-             product offering should do so in a manner which does not
-             create potential liability for other Contributors.
-             Therefore, if a Contributor includes the Program in a
-             commercial product offering, such Contributor ("Commercial
-             Contributor") hereby agrees to defend and indemnify every
-             other Contributor ("Indemnified Contributor") against any
-             losses, damages and costs (collectively "Losses") arising
-             from claims, lawsuits and other legal actions brought by a
-             third party against the Indemnified Contributor to the
-             extent caused by the acts or omissions of such Commercial
-             Contributor in connection with its distribution of the
-             Program in a commercial product offering. The obligations
-             in this section do not apply to any claims or Losses
-             relating to any actual or alleged intellectual property
-             infringement. In order to qualify, an Indemnified
-             Contributor must: a) promptly notify the Commercial
-             Contributor in writing of such claim, and b) allow the
-             Commercial Contributor to control, and cooperate with the
-             Commercial Contributor in, the defense and any related
-             settlement negotiations. The Indemnified Contributor may
-             participate in any such claim at its own expense.
-
-
-             For example, a Contributor might include the Program in a
-             commercial product offering, Product X. That Contributor
-             is then a Commercial Contributor. If that Commercial
-             Contributor then makes performance claims, or offers
-             warranties related to Product X, those performance claims
-             and warranties are such Commercial Contributor's
-             responsibility alone. Under this section, the Commercial
-             Contributor would have to defend claims against the other
-             Contributors related to those performance claims and
-             warranties, and if a court requires any other Contributor
-             to pay any damages as a result, the Commercial Contributor
-             must pay those damages.
-
-
-             5. NO WARRANTY
-
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
-             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
-             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
-             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
-             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
-             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
-             responsible for determining the appropriateness of using
-             and distributing the Program and assumes all risks
-             associated with its exercise of rights under this
-             Agreement, including but not limited to the risks and
-             costs of program errors, compliance with applicable laws,
-             damage to or loss of data, programs or equipment, and
-             unavailability or interruption of operations. 
-
-             6. DISCLAIMER OF LIABILITY
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
-             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
-             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
-             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
-             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
-             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
-             POSSIBILITY OF SUCH DAMAGES.
-
-             7. GENERAL
-
-             If any provision of this Agreement is invalid or
-             unenforceable under applicable law, it shall not affect
-             the validity or enforceability of the remainder of the
-             terms of this Agreement, and without further action by the
-             parties hereto, such provision shall be reformed to the
-             minimum extent necessary to make such provision valid and
-             enforceable.
-
-
-             If Recipient institutes patent litigation against a
-             Contributor with respect to a patent applicable to
-             software (including a cross-claim or counterclaim in a
-             lawsuit), then any patent licenses granted by that
-             Contributor to such Recipient under this Agreement shall
-             terminate as of the date such litigation is filed. In
-             addition, If Recipient institutes patent litigation
-             against any entity (including a cross-claim or
-             counterclaim in a lawsuit) alleging that the Program
-             itself (excluding combinations of the Program with other
-             software or hardware) infringes such Recipient's
-             patent(s), then such Recipient's rights granted under
-             Section 2(b) shall terminate as of the date such
-             litigation is filed.
-
-             All Recipient's rights under this Agreement shall
-             terminate if it fails to comply with any of the material
-             terms or conditions of this Agreement and does not cure
-             such failure in a reasonable period of time after becoming
-             aware of such noncompliance. If all Recipient's rights
-             under this Agreement terminate, Recipient agrees to cease
-             use and distribution of the Program as soon as reasonably
-             practicable. However, Recipient's obligations under this
-             Agreement and any licenses granted by Recipient relating
-             to the Program shall continue and survive. 
-
-             Everyone is permitted to copy and distribute copies of
-             this Agreement, but in order to avoid inconsistency the
-             Agreement is copyrighted and may only be modified in the
-             following manner. The Agreement Steward reserves the right
-             to publish new versions (including revisions) of this
-             Agreement from time to time. No one other than the
-             Agreement Steward has the right to modify this Agreement.
-
-             IBM is the initial Agreement Steward. IBM may assign the
-             responsibility to serve as the Agreement Steward to a
-             suitable separate entity. Each new version of the
-             Agreement will be given a distinguishing version number.
-             The Program (including Contributions) may always be
-             distributed subject to the version of the Agreement under
-             which it was received. In addition, after a new version of
-             the Agreement is published, Contributor may elect to
-             distribute the Program (including its Contributions) under
-             the new version. Except as expressly stated in Sections
-             2(a) and 2(b) above, Recipient receives no rights or
-             licenses to the intellectual property of any Contributor
-             under this Agreement, whether expressly, by implication,
-             estoppel or otherwise. All rights in the Program not
-             expressly granted under this Agreement are reserved.
-
-
-             This Agreement is governed by the laws of the State of New
-             York and the intellectual property laws of the United
-             States of America. No party to this Agreement will bring a
-             legal action under this Agreement more than one year after
-             the cause of action arose. Each party waives its rights to
-             a jury trial in any resulting litigation. 
-
-
-
-*/
-
-/* (C) COPYRIGHT International Business Machines Corp. 2001          */
-
-
-#ifndef _APICLIENT_H
-#define _APICLIENT_H
-
-
-#include "pkcs11types.h"
-
-
-
-#define VERSION_MAJOR  2  // Version 2 of the PKCS library
-#define VERSION_MINOR  01 // minor revision .10 of PKCS11
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-CK_RV C_CancelFunction ( CK_SESSION_HANDLE );
-
-CK_RV C_CloseAllSessions ( CK_SLOT_ID );
-
-CK_RV C_CloseSession ( CK_SESSION_HANDLE );
-
-CK_RV C_CopyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
-                             CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_CreateObject ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG,
-                               CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_Decrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                          CK_ULONG_PTR );
-
-CK_RV C_DecryptDigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
-                                      CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_DecryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_DecryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_DecryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                                CK_ULONG_PTR );
-
-CK_RV C_DecryptVerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
-                                      CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_DeriveKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
-                            CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_DestroyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE );
-
-CK_RV C_Digest ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                         CK_ULONG_PTR );
-
-CK_RV C_DigestEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
-                                      CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_DigestFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_DigestInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR );
-
-CK_RV C_DigestKey ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE );
-
-CK_RV C_DigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_Encrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                          CK_ULONG_PTR );
-
-CK_RV C_EncryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_EncryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_EncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                                CK_ULONG_PTR );
-
-CK_RV C_Finalize ( CK_VOID_PTR );
-
-CK_RV C_FindObjects ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG,
-                              CK_ULONG_PTR );
-
-CK_RV C_FindObjectsFinal ( CK_SESSION_HANDLE );
-
-CK_RV C_FindObjectsInit ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG );
-
-CK_RV C_GenerateKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
-                              CK_ULONG, CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_GenerateKeyPair ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR,
-                                  CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
-                                  CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_GenerateRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_GetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
-                                    CK_ATTRIBUTE_PTR, CK_ULONG );
-
-CK_RV C_GetFunctionList ( CK_FUNCTION_LIST_PTR_PTR );
-
-CK_RV C_GetFunctionStatus ( CK_SESSION_HANDLE );
-
-CK_RV C_GetInfo ( CK_INFO_PTR );
-
-CK_RV C_GetMechanismInfo ( CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR );
-
-CK_RV C_GetMechanismList ( CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR );
-
-CK_RV C_GetObjectSize ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR );
-
-CK_RV C_GetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_GetSessionInfo ( CK_SESSION_HANDLE, CK_SESSION_INFO_PTR );
-
-CK_RV C_GetSlotInfo ( CK_SLOT_ID, CK_SLOT_INFO_PTR );
-
-CK_RV C_GetSlotList ( CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR );
-
-CK_RV C_GetTokenInfo ( CK_SLOT_ID, CK_TOKEN_INFO_PTR );
-
-CK_RV C_Initialize ( CK_VOID_PTR );
-
-CK_RV C_InitPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG );
-
-CK_RV C_InitToken ( CK_SLOT_ID, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR );
-
-CK_RV C_Login ( CK_SESSION_HANDLE, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG );
-
-CK_RV C_Logout ( CK_SESSION_HANDLE );
-
-CK_RV C_OpenSession ( CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY,
-                              CK_SESSION_HANDLE_PTR );
-
-CK_RV C_SeedRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_SetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE,
-                                    CK_ATTRIBUTE_PTR, CK_ULONG );
-
-CK_RV C_SetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
-                                    CK_OBJECT_HANDLE, CK_OBJECT_HANDLE );
-
-CK_RV C_SetPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR, CK_ULONG );
-
-CK_RV C_Sign ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                       CK_ULONG_PTR );
-
-CK_RV C_SignEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG,
-                                    CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_SignFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-CK_RV C_SignInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_SignRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                              CK_ULONG_PTR );
-
-CK_RV C_SignRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_SignUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_UnwrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
-                            CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG,
-                            CK_OBJECT_HANDLE_PTR );
-
-CK_RV C_Verify ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_VerifyFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_VerifyInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_VerifyRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
-                                CK_ULONG_PTR );
-
-CK_RV C_VerifyRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE );
-
-CK_RV C_VerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG );
-
-CK_RV C_WaitForSlotEvent ( CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR );
-
-CK_RV C_WrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE,
-                          CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _APICLIENT_H
-
-
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
deleted file mode 100644
index bf1fe59f9e..0000000000
--- a/contrib/pkcs11-keygen/opencryptoki/pkcs11.h
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
-             Common Public License Version 0.5
-
-             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
-             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
-             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
-             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-             1. DEFINITIONS
-
-             "Contribution" means: 
-                   a) in the case of the initial Contributor, the
-                   initial code and documentation distributed under
-                   this Agreement, and 
-
-                   b) in the case of each subsequent Contributor:
-                   i) changes to the Program, and
-                   ii) additions to the Program;
-
-                   where such changes and/or additions to the Program
-                   originate from and are distributed by that
-                   particular Contributor. A Contribution 'originates'
-                   from a Contributor if it was added to the Program
-                   by such Contributor itself or anyone acting on such
-                   Contributor's behalf. Contributions do not include
-                   additions to the Program which: (i) are separate
-                   modules of software distributed in conjunction with
-                   the Program under their own license agreement, and
-                   (ii) are not derivative works of the Program.
-
-
-             "Contributor" means any person or entity that distributes
-             the Program.
-
-             "Licensed Patents " mean patent claims licensable by a
-             Contributor which are necessarily infringed by the use or
-             sale of its Contribution alone or when combined with the
-             Program. 
-
-             "Program" means the Contributions distributed in
-             accordance with this Agreement.
-
-             "Recipient" means anyone who receives the Program under
-             this Agreement, including all Contributors.
-
-             2. GRANT OF RIGHTS
-
-                   a) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free copyright
-                   license to reproduce, prepare derivative works of,
-                   publicly display, publicly perform, distribute and
-                   sublicense the Contribution of such Contributor, if
-                   any, and such derivative works, in source code and
-                   object code form.
-
-                   b) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free patent
-                   license under Licensed Patents to make, use, sell,
-                   offer to sell, import and otherwise transfer the
-                   Contribution of such Contributor, if any, in source
-                   code and object code form. This patent license
-                   shall apply to the combination of the Contribution
-                   and the Program if, at the time the Contribution is
-                   added by the Contributor, such addition of the
-                   Contribution causes such combination to be covered
-                   by the Licensed Patents. The patent license shall
-                   not apply to any other combinations which include
-                   the Contribution. No hardware per se is licensed
-                   hereunder.
-
-                   c) Recipient understands that although each
-                   Contributor grants the licenses to its
-                   Contributions set forth herein, no assurances are
-                   provided by any Contributor that the Program does
-                   not infringe the patent or other intellectual
-                   property rights of any other entity. Each
-                   Contributor disclaims any liability to Recipient
-                   for claims brought by any other entity based on
-                   infringement of intellectual property rights or
-                   otherwise. As a condition to exercising the rights
-                   and licenses granted hereunder, each Recipient
-                   hereby assumes sole responsibility to secure any
-                   other intellectual property rights needed, if any.
-
-                   For example, if a third party patent license is
-                   required to allow Recipient to distribute the
-                   Program, it is Recipient's responsibility to
-                   acquire that license before distributing the
-                   Program.
-
-                   d) Each Contributor represents that to its
-                   knowledge it has sufficient copyright rights in its
-                   Contribution, if any, to grant the copyright
-                   license set forth in this Agreement.
-
-             3. REQUIREMENTS
-
-             A Contributor may choose to distribute the Program in
-             object code form under its own license agreement, provided
-             that:
-                   a) it complies with the terms and conditions of
-                   this Agreement; and
-
-                   b) its license agreement:
-                   i) effectively disclaims on behalf of all
-                   Contributors all warranties and conditions, express
-                   and implied, including warranties or conditions of
-                   title and non-infringement, and implied warranties
-                   or conditions of merchantability and fitness for a
-                   particular purpose;
-
-                   ii) effectively excludes on behalf of all
-                   Contributors all liability for damages, including
-                   direct, indirect, special, incidental and
-                   consequential damages, such as lost profits;
-
-                   iii) states that any provisions which differ from
-                   this Agreement are offered by that Contributor
-                   alone and not by any other party; and
-
-                   iv) states that source code for the Program is
-                   available from such Contributor, and informs
-                   licensees how to obtain it in a reasonable manner
-                   on or through a medium customarily used for
-                   software exchange.
-
-             When the Program is made available in source code form:
-                   a) it must be made available under this Agreement;
-                   and
-                   b) a copy of this Agreement must be included with
-                   each copy of the Program. 
-
-             Contributors may not remove or alter any copyright notices
-             contained within the Program.
-
-             Each Contributor must identify itself as the originator of
-             its Contribution, if any, in a manner that reasonably
-             allows subsequent Recipients to identify the originator of
-             the Contribution. 
-
-
-             4. COMMERCIAL DISTRIBUTION
-
-             Commercial distributors of software may accept certain
-             responsibilities with respect to end users, business
-             partners and the like. While this license is intended to
-             facilitate the commercial use of the Program, the
-             Contributor who includes the Program in a commercial
-             product offering should do so in a manner which does not
-             create potential liability for other Contributors.
-             Therefore, if a Contributor includes the Program in a
-             commercial product offering, such Contributor ("Commercial
-             Contributor") hereby agrees to defend and indemnify every
-             other Contributor ("Indemnified Contributor") against any
-             losses, damages and costs (collectively "Losses") arising
-             from claims, lawsuits and other legal actions brought by a
-             third party against the Indemnified Contributor to the
-             extent caused by the acts or omissions of such Commercial
-             Contributor in connection with its distribution of the
-             Program in a commercial product offering. The obligations
-             in this section do not apply to any claims or Losses
-             relating to any actual or alleged intellectual property
-             infringement. In order to qualify, an Indemnified
-             Contributor must: a) promptly notify the Commercial
-             Contributor in writing of such claim, and b) allow the
-             Commercial Contributor to control, and cooperate with the
-             Commercial Contributor in, the defense and any related
-             settlement negotiations. The Indemnified Contributor may
-             participate in any such claim at its own expense.
-
-
-             For example, a Contributor might include the Program in a
-             commercial product offering, Product X. That Contributor
-             is then a Commercial Contributor. If that Commercial
-             Contributor then makes performance claims, or offers
-             warranties related to Product X, those performance claims
-             and warranties are such Commercial Contributor's
-             responsibility alone. Under this section, the Commercial
-             Contributor would have to defend claims against the other
-             Contributors related to those performance claims and
-             warranties, and if a court requires any other Contributor
-             to pay any damages as a result, the Commercial Contributor
-             must pay those damages.
-
-
-             5. NO WARRANTY
-
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
-             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
-             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
-             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
-             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
-             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
-             responsible for determining the appropriateness of using
-             and distributing the Program and assumes all risks
-             associated with its exercise of rights under this
-             Agreement, including but not limited to the risks and
-             costs of program errors, compliance with applicable laws,
-             damage to or loss of data, programs or equipment, and
-             unavailability or interruption of operations. 
-
-             6. DISCLAIMER OF LIABILITY
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
-             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
-             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
-             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
-             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
-             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
-             POSSIBILITY OF SUCH DAMAGES.
-
-             7. GENERAL
-
-             If any provision of this Agreement is invalid or
-             unenforceable under applicable law, it shall not affect
-             the validity or enforceability of the remainder of the
-             terms of this Agreement, and without further action by the
-             parties hereto, such provision shall be reformed to the
-             minimum extent necessary to make such provision valid and
-             enforceable.
-
-
-             If Recipient institutes patent litigation against a
-             Contributor with respect to a patent applicable to
-             software (including a cross-claim or counterclaim in a
-             lawsuit), then any patent licenses granted by that
-             Contributor to such Recipient under this Agreement shall
-             terminate as of the date such litigation is filed. In
-             addition, If Recipient institutes patent litigation
-             against any entity (including a cross-claim or
-             counterclaim in a lawsuit) alleging that the Program
-             itself (excluding combinations of the Program with other
-             software or hardware) infringes such Recipient's
-             patent(s), then such Recipient's rights granted under
-             Section 2(b) shall terminate as of the date such
-             litigation is filed.
-
-             All Recipient's rights under this Agreement shall
-             terminate if it fails to comply with any of the material
-             terms or conditions of this Agreement and does not cure
-             such failure in a reasonable period of time after becoming
-             aware of such noncompliance. If all Recipient's rights
-             under this Agreement terminate, Recipient agrees to cease
-             use and distribution of the Program as soon as reasonably
-             practicable. However, Recipient's obligations under this
-             Agreement and any licenses granted by Recipient relating
-             to the Program shall continue and survive. 
-
-             Everyone is permitted to copy and distribute copies of
-             this Agreement, but in order to avoid inconsistency the
-             Agreement is copyrighted and may only be modified in the
-             following manner. The Agreement Steward reserves the right
-             to publish new versions (including revisions) of this
-             Agreement from time to time. No one other than the
-             Agreement Steward has the right to modify this Agreement.
-
-             IBM is the initial Agreement Steward. IBM may assign the
-             responsibility to serve as the Agreement Steward to a
-             suitable separate entity. Each new version of the
-             Agreement will be given a distinguishing version number.
-             The Program (including Contributions) may always be
-             distributed subject to the version of the Agreement under
-             which it was received. In addition, after a new version of
-             the Agreement is published, Contributor may elect to
-             distribute the Program (including its Contributions) under
-             the new version. Except as expressly stated in Sections
-             2(a) and 2(b) above, Recipient receives no rights or
-             licenses to the intellectual property of any Contributor
-             under this Agreement, whether expressly, by implication,
-             estoppel or otherwise. All rights in the Program not
-             expressly granted under this Agreement are reserved.
-
-
-             This Agreement is governed by the laws of the State of New
-             York and the intellectual property laws of the United
-             States of America. No party to this Agreement will bring a
-             legal action under this Agreement more than one year after
-             the cause of action arose. Each party waives its rights to
-             a jury trial in any resulting litigation. 
-
-
-
-*/
-
-/* (c) COPYRIGHT International Business Machines Corp. 2001          */
-
-#ifndef OPENCRYPTOKI_PKCS11_H
-#define OPENCRYPTOKI_PKCS11_H
-
-#include 
-#include 
-
-#endif
diff --git a/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h b/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
deleted file mode 100644
index f9f72e731b..0000000000
--- a/contrib/pkcs11-keygen/opencryptoki/pkcs11types.h
+++ /dev/null
@@ -1,1865 +0,0 @@
-/*
- * $Header: /u0/home/explorer/proj/ISC/git-conversion/cvsroot/bind9/contrib/pkcs11-keygen/opencryptoki/Attic/pkcs11types.h,v 1.1 2009/09/07 21:19:21 fdupont Exp $
- */
-
-/*
-             Common Public License Version 0.5
-
-             THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
-             THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
-             REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
-             RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-             1. DEFINITIONS
-
-             "Contribution" means: 
-                   a) in the case of the initial Contributor, the
-                   initial code and documentation distributed under
-                   this Agreement, and 
-
-                   b) in the case of each subsequent Contributor:
-                   i) changes to the Program, and
-                   ii) additions to the Program;
-
-                   where such changes and/or additions to the Program
-                   originate from and are distributed by that
-                   particular Contributor. A Contribution 'originates'
-                   from a Contributor if it was added to the Program
-                   by such Contributor itself or anyone acting on such
-                   Contributor's behalf. Contributions do not include
-                   additions to the Program which: (i) are separate
-                   modules of software distributed in conjunction with
-                   the Program under their own license agreement, and
-                   (ii) are not derivative works of the Program.
-
-
-             "Contributor" means any person or entity that distributes
-             the Program.
-
-             "Licensed Patents " mean patent claims licensable by a
-             Contributor which are necessarily infringed by the use or
-             sale of its Contribution alone or when combined with the
-             Program. 
-
-             "Program" means the Contributions distributed in
-             accordance with this Agreement.
-
-             "Recipient" means anyone who receives the Program under
-             this Agreement, including all Contributors.
-
-             2. GRANT OF RIGHTS
-
-                   a) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free copyright
-                   license to reproduce, prepare derivative works of,
-                   publicly display, publicly perform, distribute and
-                   sublicense the Contribution of such Contributor, if
-                   any, and such derivative works, in source code and
-                   object code form.
-
-                   b) Subject to the terms of this Agreement, each
-                   Contributor hereby grants Recipient a
-                   non-exclusive, worldwide, royalty-free patent
-                   license under Licensed Patents to make, use, sell,
-                   offer to sell, import and otherwise transfer the
-                   Contribution of such Contributor, if any, in source
-                   code and object code form. This patent license
-                   shall apply to the combination of the Contribution
-                   and the Program if, at the time the Contribution is
-                   added by the Contributor, such addition of the
-                   Contribution causes such combination to be covered
-                   by the Licensed Patents. The patent license shall
-                   not apply to any other combinations which include
-                   the Contribution. No hardware per se is licensed
-                   hereunder.
-
-                   c) Recipient understands that although each
-                   Contributor grants the licenses to its
-                   Contributions set forth herein, no assurances are
-                   provided by any Contributor that the Program does
-                   not infringe the patent or other intellectual
-                   property rights of any other entity. Each
-                   Contributor disclaims any liability to Recipient
-                   for claims brought by any other entity based on
-                   infringement of intellectual property rights or
-                   otherwise. As a condition to exercising the rights
-                   and licenses granted hereunder, each Recipient
-                   hereby assumes sole responsibility to secure any
-                   other intellectual property rights needed, if any.
-
-                   For example, if a third party patent license is
-                   required to allow Recipient to distribute the
-                   Program, it is Recipient's responsibility to
-                   acquire that license before distributing the
-                   Program.
-
-                   d) Each Contributor represents that to its
-                   knowledge it has sufficient copyright rights in its
-                   Contribution, if any, to grant the copyright
-                   license set forth in this Agreement.
-
-             3. REQUIREMENTS
-
-             A Contributor may choose to distribute the Program in
-             object code form under its own license agreement, provided
-             that:
-                   a) it complies with the terms and conditions of
-                   this Agreement; and
-
-                   b) its license agreement:
-                   i) effectively disclaims on behalf of all
-                   Contributors all warranties and conditions, express
-                   and implied, including warranties or conditions of
-                   title and non-infringement, and implied warranties
-                   or conditions of merchantability and fitness for a
-                   particular purpose;
-
-                   ii) effectively excludes on behalf of all
-                   Contributors all liability for damages, including
-                   direct, indirect, special, incidental and
-                   consequential damages, such as lost profits;
-
-                   iii) states that any provisions which differ from
-                   this Agreement are offered by that Contributor
-                   alone and not by any other party; and
-
-                   iv) states that source code for the Program is
-                   available from such Contributor, and informs
-                   licensees how to obtain it in a reasonable manner
-                   on or through a medium customarily used for
-                   software exchange.
-
-             When the Program is made available in source code form:
-                   a) it must be made available under this Agreement;
-                   and
-                   b) a copy of this Agreement must be included with
-                   each copy of the Program. 
-
-             Contributors may not remove or alter any copyright notices
-             contained within the Program.
-
-             Each Contributor must identify itself as the originator of
-             its Contribution, if any, in a manner that reasonably
-             allows subsequent Recipients to identify the originator of
-             the Contribution. 
-
-
-             4. COMMERCIAL DISTRIBUTION
-
-             Commercial distributors of software may accept certain
-             responsibilities with respect to end users, business
-             partners and the like. While this license is intended to
-             facilitate the commercial use of the Program, the
-             Contributor who includes the Program in a commercial
-             product offering should do so in a manner which does not
-             create potential liability for other Contributors.
-             Therefore, if a Contributor includes the Program in a
-             commercial product offering, such Contributor ("Commercial
-             Contributor") hereby agrees to defend and indemnify every
-             other Contributor ("Indemnified Contributor") against any
-             losses, damages and costs (collectively "Losses") arising
-             from claims, lawsuits and other legal actions brought by a
-             third party against the Indemnified Contributor to the
-             extent caused by the acts or omissions of such Commercial
-             Contributor in connection with its distribution of the
-             Program in a commercial product offering. The obligations
-             in this section do not apply to any claims or Losses
-             relating to any actual or alleged intellectual property
-             infringement. In order to qualify, an Indemnified
-             Contributor must: a) promptly notify the Commercial
-             Contributor in writing of such claim, and b) allow the
-             Commercial Contributor to control, and cooperate with the
-             Commercial Contributor in, the defense and any related
-             settlement negotiations. The Indemnified Contributor may
-             participate in any such claim at its own expense.
-
-
-             For example, a Contributor might include the Program in a
-             commercial product offering, Product X. That Contributor
-             is then a Commercial Contributor. If that Commercial
-             Contributor then makes performance claims, or offers
-             warranties related to Product X, those performance claims
-             and warranties are such Commercial Contributor's
-             responsibility alone. Under this section, the Commercial
-             Contributor would have to defend claims against the other
-             Contributors related to those performance claims and
-             warranties, and if a court requires any other Contributor
-             to pay any damages as a result, the Commercial Contributor
-             must pay those damages.
-
-
-             5. NO WARRANTY
-
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
-             PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
-             WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
-             IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
-             CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR
-             FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
-             responsible for determining the appropriateness of using
-             and distributing the Program and assumes all risks
-             associated with its exercise of rights under this
-             Agreement, including but not limited to the risks and
-             costs of program errors, compliance with applicable laws,
-             damage to or loss of data, programs or equipment, and
-             unavailability or interruption of operations. 
-
-             6. DISCLAIMER OF LIABILITY
-             EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
-             RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
-             FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-             OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
-             LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
-             LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-             (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-             OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
-             OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
-             POSSIBILITY OF SUCH DAMAGES.
-
-             7. GENERAL
-
-             If any provision of this Agreement is invalid or
-             unenforceable under applicable law, it shall not affect
-             the validity or enforceability of the remainder of the
-             terms of this Agreement, and without further action by the
-             parties hereto, such provision shall be reformed to the
-             minimum extent necessary to make such provision valid and
-             enforceable.
-
-
-             If Recipient institutes patent litigation against a
-             Contributor with respect to a patent applicable to
-             software (including a cross-claim or counterclaim in a
-             lawsuit), then any patent licenses granted by that
-             Contributor to such Recipient under this Agreement shall
-             terminate as of the date such litigation is filed. In
-             addition, If Recipient institutes patent litigation
-             against any entity (including a cross-claim or
-             counterclaim in a lawsuit) alleging that the Program
-             itself (excluding combinations of the Program with other
-             software or hardware) infringes such Recipient's
-             patent(s), then such Recipient's rights granted under
-             Section 2(b) shall terminate as of the date such
-             litigation is filed.
-
-             All Recipient's rights under this Agreement shall
-             terminate if it fails to comply with any of the material
-             terms or conditions of this Agreement and does not cure
-             such failure in a reasonable period of time after becoming
-             aware of such noncompliance. If all Recipient's rights
-             under this Agreement terminate, Recipient agrees to cease
-             use and distribution of the Program as soon as reasonably
-             practicable. However, Recipient's obligations under this
-             Agreement and any licenses granted by Recipient relating
-             to the Program shall continue and survive. 
-
-             Everyone is permitted to copy and distribute copies of
-             this Agreement, but in order to avoid inconsistency the
-             Agreement is copyrighted and may only be modified in the
-             following manner. The Agreement Steward reserves the right
-             to publish new versions (including revisions) of this
-             Agreement from time to time. No one other than the
-             Agreement Steward has the right to modify this Agreement.
-
-             IBM is the initial Agreement Steward. IBM may assign the
-             responsibility to serve as the Agreement Steward to a
-             suitable separate entity. Each new version of the
-             Agreement will be given a distinguishing version number.
-             The Program (including Contributions) may always be
-             distributed subject to the version of the Agreement under
-             which it was received. In addition, after a new version of
-             the Agreement is published, Contributor may elect to
-             distribute the Program (including its Contributions) under
-             the new version. Except as expressly stated in Sections
-             2(a) and 2(b) above, Recipient receives no rights or
-             licenses to the intellectual property of any Contributor
-             under this Agreement, whether expressly, by implication,
-             estoppel or otherwise. All rights in the Program not
-             expressly granted under this Agreement are reserved.
-
-
-             This Agreement is governed by the laws of the State of New
-             York and the intellectual property laws of the United
-             States of America. No party to this Agreement will bring a
-             legal action under this Agreement more than one year after
-             the cause of action arose. Each party waives its rights to
-             a jury trial in any resulting litigation. 
-
-
-
-*/
-
-/* (C) COPYRIGHT International Business Machines Corp. 2001          */
-
-
-//----------------------------------------------------------------------------
-//
-// File: PKCS11Types.h
-//
-//
-//----------------------------------------------------------------------------
-
-
-#ifndef _PKCS11TYPES_H_
-#define _PKCS11TYPES_H_
-
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-#ifndef FALSE
-#define FALSE             0
-#endif
-
-#ifndef TRUE
-#define TRUE              (!FALSE)
-#endif
-
-// AIX Addition for 64Bit work.
-// All types are 32bit types, therefore the longs have to be
-// typedefed to be 32bit values.
-typedef unsigned int uint_32;
-typedef int int_32;
-
-#define CK_PTR *
-
-#define CK_CALLBACK_FUNCTION(returnType, name) \
-  returnType (* name)
-
-#ifndef NULL_PTR
-	#define NULL_PTR ((void *) NULL)
-#endif /* NULL_PTR */
-
-/* an unsigned 8-bit value */
-typedef unsigned char     CK_BYTE;
-
-/* an unsigned 8-bit character */
-typedef CK_BYTE           CK_CHAR;
-
-/* an 8-bit UTF-8 character */
-typedef CK_BYTE           CK_UTF8CHAR;
-
-/* a BYTE-sized Boolean flag */
-typedef CK_BYTE           CK_BBOOL;
-
-/* an unsigned value, at least 32 bits long */
-typedef unsigned long int CK_ULONG;
-
-/* a signed value, the same size as a CK_ULONG */
-/* CK_LONG is new for v2.0 */
-typedef long int          CK_LONG;
-
-/* at least 32 bits; each bit is a Boolean flag */
-typedef CK_ULONG          CK_FLAGS;
-
-
-/* some special values for certain CK_ULONG variables */
-#define CK_UNAVAILABLE_INFORMATION (~0UL)
-#define CK_EFFECTIVELY_INFINITE    0
-
-
-typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
-typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
-typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
-typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
-typedef void        CK_PTR   CK_VOID_PTR;
-
-/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
-typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
-
-
-/* The following value is always invalid if used as a session */
-/* handle or object handle */
-#define CK_INVALID_HANDLE 0
-
-
-typedef struct CK_VERSION {
-  CK_BYTE       major;  /* integer portion of version number */
-  CK_BYTE       minor;  /* 1/100ths portion of version number */
-} CK_VERSION;
-
-typedef CK_VERSION CK_PTR CK_VERSION_PTR;
-
-
-typedef struct CK_INFO {
-  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
-  CK_CHAR       manufacturerID[32];  /* blank padded */
-  CK_FLAGS      flags;               /* must be zero */
-
-  /* libraryDescription and libraryVersion are new for v2.0 */
-  CK_CHAR       libraryDescription[32];  /* blank padded */
-  CK_VERSION    libraryVersion;          /* version of library */
-} CK_INFO;
-
-typedef CK_INFO CK_PTR    CK_INFO_PTR;
-
-
-/* CK_NOTIFICATION enumerates the types of notifications that
- * Cryptoki provides to an application */
-/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
- * for v2.0 */
-typedef CK_ULONG CK_NOTIFICATION;
-#define CKN_SURRENDER       0
-
-
-typedef CK_ULONG          CK_SLOT_ID;
-
-typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
-
-
-/* CK_SLOT_INFO provides information about a slot */
-typedef struct CK_SLOT_INFO {
-  CK_CHAR       slotDescription[64];  /* blank padded */
-  CK_CHAR       manufacturerID[32];   /* blank padded */
-  CK_FLAGS      flags;
-
-  /* hardwareVersion and firmwareVersion are new for v2.0 */
-  CK_VERSION    hardwareVersion;  /* version of hardware */
-  CK_VERSION    firmwareVersion;  /* version of firmware */
-} CK_SLOT_INFO;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag              Mask        Meaning
- */
-#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
-#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
-#define CKF_HW_SLOT           0x00000004  /* hardware slot */
-
-typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
-
-
-/* CK_TOKEN_INFO provides information about a token */
-typedef struct CK_TOKEN_INFO {
-  CK_CHAR       label[32];           /* blank padded */
-  CK_CHAR       manufacturerID[32];  /* blank padded */
-  CK_CHAR       model[16];           /* blank padded */
-  CK_CHAR       serialNumber[16];    /* blank padded */
-  CK_FLAGS      flags;               /* see below */
-
-  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
-   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
-   * changed from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
-  CK_ULONG      ulSessionCount;        /* sess. now open */
-  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
-  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
-  CK_ULONG      ulMaxPinLen;           /* in bytes */
-  CK_ULONG      ulMinPinLen;           /* in bytes */
-  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
-  CK_ULONG      ulFreePublicMemory;    /* in bytes */
-  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
-  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
-
-  /* hardwareVersion, firmwareVersion, and time are new for
-   * v2.0 */
-  CK_VERSION    hardwareVersion;       /* version of hardware */
-  CK_VERSION    firmwareVersion;       /* version of firmware */
-  CK_CHAR       utcTime[16];           /* time */
-} CK_TOKEN_INFO;
-
-/* The flags parameter is defined as follows:
- *      Bit Flag                    Mask        Meaning
- */
-#define CKF_RNG                     0x00000001  /* has random #
-                                                 * generator */
-#define CKF_WRITE_PROTECTED         0x00000002  /* token is
-                                                 * write-
-                                                 * protected */
-#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
-                                                 * login */
-#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
-                                                 * PIN is set */
-
-/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
- * that means that *every* time the state of cryptographic
- * operations of a session is successfully saved, all keys
- * needed to continue those operations are stored in the state */
-#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
-
-/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
- * that the token has some sort of clock.  The time on that
- * clock is returned in the token info structure */
-#define CKF_CLOCK_ON_TOKEN          0x00000040
-
-/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
- * set, that means that there is some way for the user to login
- * without sending a PIN through the Cryptoki library itself */
-#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
-
-/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
- * that means that a single session with the token can perform
- * dual simultaneous cryptographic operations (digest and
- * encrypt; decrypt and digest; sign and encrypt; and decrypt
- * and sign) */
-#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
-
-/* CKF_TOKEN_INITIALIZED is new for v2.11. If it is true, the
- * token has been initialized using C_InitializeToken or an
- * equivalent mechanism outside the scope of this standard.
- * Calling C_InitializeToken when this flag is set will cause
- * the token to be reinitialized. */
-#define CKF_TOKEN_INITIALIZED		0x00000400
-
-/* CKF_SECONDARY_AUTHENTICATION is new for v2.11.  If it is
- * true, the token supports secondary authentication for private
- * key objects. According to the 2.11 spec pg. 45, this flag
- * is deprecated and this flags should never be true. */
-#define CKF_SECONDARY_AUTHENTICATION	0x00000800
-
-/* CKF_USER_PIN_COUNT_LOW is new in v2.11.  This flag is true
- * is an incorrect user PIN has been entered at least once
- * since the last successful authentication. */
-#define CKF_USER_PIN_COUNT_LOW		0x00010000
-
-/* CKF_USER_PIN_FINAL_TRY is new in v2.11.  This flag is true if
- * supplying an incorrect user PIN will cause it to become
- * locked. */
-#define CKF_USER_PIN_FINAL_TRY		0x00020000
-
-/* CKF_USER_PIN_LOCKED is new in v2.11.  This is true if the
- * user PIN has been locked.  User login to the token is not
- * possible. */
-#define CKF_USER_PIN_LOCKED		0x00040000
-
-/* CKF_USER_PIN_TO_BE_CHANGED is new in v2.11.  This flag is
- * true if the user PIN value is the default value set by
- * token initialization of manufacturing, or the PIN has
- * been expired by the card. */
-#define CKF_USER_PIN_TO_BE_CHANGED	0x00080000
-
-/* CKF_SO_PIN_COUNT_LOW is new in v2.11.  This flag is true if
- * and incorrect SO login PIN has been entered at least once
- * since the last successful authentication. */
-#define CKF_SO_PIN_COUNT_LOW		0x00100000
-
-/* CKF_SO_PIN_FINAL_TRY is new in v2.11.  This flag is true if
- * supplying an incorrect SO PIN will cause it to become 
- * locked. */
-#define CKF_SO_PIN_FINAL_TRY		0x00200000
-
-/* CKF_SO_PIN_LOCKED is new in v2.11.  This flag is true if
- * the SO PIN has been locked.  User login to the token is not
- * possible. */
-#define CKF_SO_PIN_LOCKED		0x00400000
-
-/* CKF_SO_PIN_TO_BE_CHANGED is new in v2.11. This flag is true
- * if the SO PIN calue is the default value set by token init-
- * ialization of manufacturing, or the PIN has been expired by
- * the card. */
-#define CKF_SO_PIN_TO_BE_CHANGED	0x00800000
-
-#if 0
-/* IBM extended Token Info Flags - defined by Michael Hamann */
-/* These Flags are not part of PKCS#11 Version 2.01          */
-
-/* This will be used to track the state of login retries     */
-#define CKF_USER_PIN_COUNT_LOW      0x00010000
-#define CKF_USER_PIN_FINAL_TRY      0x00020000
-#define CKF_USER_PIN_LOCKED         0x00040000
-#define CKF_USER_PIN_MANUFACT_VALUE 0x00080000
-
-#define CKF_SO_PIN_COUNT_LOW        0x00100000
-#define CKF_SO_PIN_FINAL_TRY        0x00200000
-#define CKF_SO_PIN_LOCKED           0x00400000
-#define CKF_SO_PIN_MANUFACT_VALUE   0x00800000
-#endif
-
-/*  other IBM extended Token info Flags 05/29/99  */
-#define CKF_SO_PIN_DERIVED          0x01000000  // Sec Officer pin on card is derived from card id
-#define CKF_SO_CARD                 0x02000000  // Security Officer Card
-/* End of IBM extented Token Info Flags   */
-
-
-typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
-
-/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
- * identifies a session */
-typedef CK_ULONG          CK_SESSION_HANDLE;
-
-typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
-
-
-/* CK_USER_TYPE enumerates the types of Cryptoki users */
-/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_USER_TYPE;
-/* Security Officer */
-#define CKU_SO    0
-/* Normal user */
-#define CKU_USER  1
-
-
-/* CK_STATE enumerates the session states */
-/* CK_STATE has been changed from an enum to a CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_STATE;
-#define CKS_RO_PUBLIC_SESSION  0
-#define CKS_RO_USER_FUNCTIONS  1
-#define CKS_RW_PUBLIC_SESSION  2
-#define CKS_RW_USER_FUNCTIONS  3
-#define CKS_RW_SO_FUNCTIONS    4
-
-
-/* CK_SESSION_INFO provides information about a session */
-typedef struct CK_SESSION_INFO {
-  CK_SLOT_ID    slotID;
-  CK_STATE      state;
-  CK_FLAGS      flags;          /* see below */
-
-  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulDeviceError;  /* device-dependent error code */
-} CK_SESSION_INFO;
-
-/* The flags are defined in the following table:
- *      Bit Flag                Mask        Meaning
- */
-#define CKF_RW_SESSION          0x00000002  /* session is r/w */
-#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
-
-typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
-
-
-/* CK_OBJECT_HANDLE is a token-specific identifier for an
- * object  */
-typedef CK_ULONG          CK_OBJECT_HANDLE;
-
-typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
-
-
-/* CK_OBJECT_CLASS is a value that identifies the classes (or
- * types) of objects that Cryptoki recognizes.  It is defined
- * as follows: */
-/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_OBJECT_CLASS;
-
-/* The following classes of objects are defined: */
-#define CKO_DATA              0x00000000
-#define CKO_CERTIFICATE       0x00000001
-#define CKO_PUBLIC_KEY        0x00000002
-#define CKO_PRIVATE_KEY       0x00000003
-#define CKO_SECRET_KEY        0x00000004
-/* CKO_HW_FEATURE and CKO_DOMAIN_PARAMETERS are new for v2.11 */
-#define CKO_HW_FEATURE        0x00000005
-#define CKO_DOMAIN_PARAMETERS 0x00000006
-#define CKO_VENDOR_DEFINED    0x80000000
-
-typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
-
-/* CK_HW_FEATURE_TYPE is a value that identifies a hardware
- * feature type of a device. This is new for v2.11.
- */
-typedef CK_ULONG          CK_HW_FEATURE_TYPE;
-
-/* The following hardware feature types are defined: */
-#define CKH_MONOTONIC_COUNTER	0x00000001
-#define CKH_CLOCK		0x00000002
-#define CKH_VENDOR_DEFINED	0x80000000
-
-
-/* CK_KEY_TYPE is a value that identifies a key type */
-/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_KEY_TYPE;
-
-/* the following key types are defined: */
-#define CKK_RSA             0x00000000
-#define CKK_DSA             0x00000001
-#define CKK_DH              0x00000002
-
-/* CKK_ECDSA and CKK_KEA are new for v2.0 */
-/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred */
-#define CKK_ECDSA           0x00000003
-#define CKK_EC              0x00000003
-#define CKK_X9_42_DH        0x00000004
-#define CKK_KEA             0x00000005
-
-#define CKK_GENERIC_SECRET  0x00000010
-#define CKK_RC2             0x00000011
-#define CKK_RC4             0x00000012
-#define CKK_DES             0x00000013
-#define CKK_DES2            0x00000014
-#define CKK_DES3            0x00000015
-
-/* all these key types are new for v2.0 */
-#define CKK_CAST            0x00000016
-#define CKK_CAST3           0x00000017
-/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred */
-#define CKK_CAST5           0x00000018
-#define CKK_CAST128         0x00000018  /* CAST128=CAST5 */
-#define CKK_RC5             0x00000019
-#define CKK_IDEA            0x0000001A
-#define CKK_SKIPJACK        0x0000001B
-#define CKK_BATON           0x0000001C
-#define CKK_JUNIPER         0x0000001D
-#define CKK_CDMF            0x0000001E
-/* CKK_AES is new for v2.11 */
-#define CKK_AES             0x0000001F
-
-#define CKK_VENDOR_DEFINED  0x80000000
-
-
-/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
- * type */
-/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
- * for v2.0 */
-typedef CK_ULONG          CK_CERTIFICATE_TYPE;
-
-/* The following certificate types are defined: */
-#define CKC_X_509           0x00000000
-/* CKC_X_509_ATTR_CERT is new for v2.11 */
-#define CKC_X_509_ATTR_CERT 0x00000001
-#define CKC_VENDOR_DEFINED  0x80000000
-
-
-/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
- * type */
-/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
-
-/* The following attribute types are defined: */
-#define CKA_CLASS              0x00000000
-#define CKA_TOKEN              0x00000001
-#define CKA_PRIVATE            0x00000002
-#define CKA_LABEL              0x00000003
-#define CKA_APPLICATION        0x00000010
-#define CKA_VALUE              0x00000011
-/* CKA_OBJECT_ID is new for v2.11 */
-#define CKA_OBJECT_ID          0x00000012
-#define CKA_CERTIFICATE_TYPE   0x00000080
-#define CKA_ISSUER             0x00000081
-#define CKA_SERIAL_NUMBER      0x00000082
-/* CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES and CKA_TRUSTED 
- * are new for v2.11 */
-#define CKA_AC_ISSUER          0x00000083
-#define CKA_OWNER              0x00000084
-#define CKA_ATTR_TYPES         0x00000085
-#define CKA_TRUSTED            0x00000086
-
-#define CKA_KEY_TYPE           0x00000100
-#define CKA_SUBJECT            0x00000101
-#define CKA_ID                 0x00000102
-#define CKA_SENSITIVE          0x00000103
-#define CKA_ENCRYPT            0x00000104
-#define CKA_DECRYPT            0x00000105
-#define CKA_WRAP               0x00000106
-#define CKA_UNWRAP             0x00000107
-#define CKA_SIGN               0x00000108
-#define CKA_SIGN_RECOVER       0x00000109
-#define CKA_VERIFY             0x0000010A
-#define CKA_VERIFY_RECOVER     0x0000010B
-#define CKA_DERIVE             0x0000010C
-#define CKA_START_DATE         0x00000110
-#define CKA_END_DATE           0x00000111
-#define CKA_MODULUS            0x00000120
-#define CKA_MODULUS_BITS       0x00000121
-#define CKA_PUBLIC_EXPONENT    0x00000122
-#define CKA_PRIVATE_EXPONENT   0x00000123
-#define CKA_PRIME_1            0x00000124
-#define CKA_PRIME_2            0x00000125
-#define CKA_EXPONENT_1         0x00000126
-#define CKA_EXPONENT_2         0x00000127
-#define CKA_COEFFICIENT        0x00000128
-#define CKA_PRIME              0x00000130
-#define CKA_SUBPRIME           0x00000131
-#define CKA_BASE               0x00000132
-/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
-#define CKA_PRIME_BITS         0x00000133
-#define CKA_SUBPRIME_BITS      0x00000134
-
-#define CKA_VALUE_BITS         0x00000160
-#define CKA_VALUE_LEN          0x00000161
-
-/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
- * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
- * and CKA_EC_POINT are new for v2.0 */
-#define CKA_EXTRACTABLE        0x00000162
-#define CKA_LOCAL              0x00000163
-#define CKA_NEVER_EXTRACTABLE  0x00000164
-#define CKA_ALWAYS_SENSITIVE   0x00000165
-/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
-#define CKA_KEY_GEN_MECHANISM  0x00000166
-#define CKA_MODIFIABLE         0x00000170
-/* CKA_ECDSA_PARAMS is deprecated in v2.11, CKA_EC_PARAMS is preferred */
-#define CKA_ECDSA_PARAMS       0x00000180
-#define CKA_EC_PARAMS          0x00000180
-#define CKA_EC_POINT           0x00000181
-/* The following are new for v2.11 */
-#define CKA_SECONDARY_AUTH     0x00000200
-#define CKA_AUTH_PIN_FLAGS     0x00000201
-#define CKA_HW_FEATURE_TYPE    0x00000300
-#define CKA_RESET_ON_INIT      0x00000301
-#define CKA_HAS_RESET          0x00000302
-
-#define CKA_VENDOR_DEFINED     0x80000000
-
-/* For use in storing objects that have an encrypted or otherwise
- * opaque attribute. Support has been added to use this attribute
- * in key objects only. */
-#define CKA_IBM_OPAQUE         CKA_VENDOR_DEFINED + 1
-
-
-/* CK_ATTRIBUTE is a structure that includes the type, length
- * and value of an attribute */
-typedef struct CK_ATTRIBUTE {
-  CK_ATTRIBUTE_TYPE type;
-  CK_VOID_PTR       pValue;
-
-  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
-  CK_ULONG          ulValueLen;  /* in bytes */
-} CK_ATTRIBUTE;
-
-typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
-
-
-/* CK_DATE is a structure that defines a date */
-typedef struct CK_DATE{
-  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
-  CK_CHAR       month[2];  /* the month ("01" - "12") */
-  CK_CHAR       day[2];    /* the day   ("01" - "31") */
-} CK_DATE;
-
-
-/* CK_MECHANISM_TYPE is a value that identifies a mechanism
- * type */
-/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
- * v2.0 */
-typedef CK_ULONG          CK_MECHANISM_TYPE;
-
-/* the following mechanism types are defined: */
-#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
-#define CKM_RSA_PKCS                   0x00000001
-#define CKM_RSA_9796                   0x00000002
-#define CKM_RSA_X_509                  0x00000003
-
-/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
- * are new for v2.0.  They are mechanisms which hash and sign */
-#define CKM_MD2_RSA_PKCS               0x00000004
-#define CKM_MD5_RSA_PKCS               0x00000005
-#define CKM_SHA1_RSA_PKCS              0x00000006
-/* The following are new for v2.11: */
-#define CKM_RIPEMD128_RSA_PKCS         0x00000007
-#define CKM_RIPEMD160_RSA_PKCS         0x00000008
-#define CKM_RSA_PKCS_OAEP              0x00000009
-#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
-#define CKM_RSA_X9_31                  0x0000000B
-#define CKM_SHA1_RSA_X9_31             0x0000000C
-#define CKM_RSA_PKCS_PSS               0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
-
-#define CKM_DSA_KEY_PAIR_GEN           0x00000010
-#define CKM_DSA                        0x00000011
-#define CKM_DSA_SHA1                   0x00000012
-#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
-#define CKM_DH_PKCS_DERIVE             0x00000021
-/* The following are new for v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
-#define CKM_X9_42_DH_DERIVE            0x00000031
-#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
-#define CKM_X9_42_MQV_DERIVE           0x00000033
-
-#define CKM_SHA256_RSA_PKCS            0x00000043
-
-#define CKM_RC2_KEY_GEN                0x00000100
-#define CKM_RC2_ECB                    0x00000101
-#define CKM_RC2_CBC                    0x00000102
-#define CKM_RC2_MAC                    0x00000103
-
-/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
-#define CKM_RC2_MAC_GENERAL            0x00000104
-#define CKM_RC2_CBC_PAD                0x00000105
-
-#define CKM_RC4_KEY_GEN                0x00000110
-#define CKM_RC4                        0x00000111
-#define CKM_DES_KEY_GEN                0x00000120
-#define CKM_DES_ECB                    0x00000121
-#define CKM_DES_CBC                    0x00000122
-#define CKM_DES_MAC                    0x00000123
-
-/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
-#define CKM_DES_MAC_GENERAL            0x00000124
-#define CKM_DES_CBC_PAD                0x00000125
-
-#define CKM_DES2_KEY_GEN               0x00000130
-#define CKM_DES3_KEY_GEN               0x00000131
-#define CKM_DES3_ECB                   0x00000132
-#define CKM_DES3_CBC                   0x00000133
-#define CKM_DES3_MAC                   0x00000134
-
-/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
- * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
-#define CKM_DES3_MAC_GENERAL           0x00000135
-#define CKM_DES3_CBC_PAD               0x00000136
-#define CKM_CDMF_KEY_GEN               0x00000140
-#define CKM_CDMF_ECB                   0x00000141
-#define CKM_CDMF_CBC                   0x00000142
-#define CKM_CDMF_MAC                   0x00000143
-#define CKM_CDMF_MAC_GENERAL           0x00000144
-#define CKM_CDMF_CBC_PAD               0x00000145
-
-#define CKM_MD2                        0x00000200
-
-/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD2_HMAC                   0x00000201
-#define CKM_MD2_HMAC_GENERAL           0x00000202
-
-#define CKM_MD5                        0x00000210
-
-/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
-#define CKM_MD5_HMAC                   0x00000211
-#define CKM_MD5_HMAC_GENERAL           0x00000212
-
-#define CKM_SHA_1                      0x00000220
-
-/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
-#define CKM_SHA_1_HMAC                 0x00000221
-#define CKM_SHA_1_HMAC_GENERAL         0x00000222
-
-/* The following are new for v2.11 */
-#define CKM_RIPEMD128                  0x00000230
-#define CKM_RIPEMD128_HMAC             0x00000231
-#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
-#define CKM_RIPEMD160                  0x00000240
-#define CKM_RIPEMD160_HMAC             0x00000241
-#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
-
-#define CKM_SHA256                     0x00000250
-#define CKM_SHA256_HMAC                0x00000251
-#define CKM_SHA256_HMAC_GENERAL        0x00000252
-#define CKM_SHA384                     0x00000260
-#define CKM_SHA384_HMAC                0x00000261
-#define CKM_SHA384_HMAC_GENERAL        0x00000262
-#define CKM_SHA512                     0x00000270
-#define CKM_SHA512_HMAC                0x00000271
-#define CKM_SHA512_HMAC_GENERAL        0x00000272
-
-/* All of the following mechanisms are new for v2.0 */
-/* Note that CAST128 and CAST5 are the same algorithm */
-#define CKM_CAST_KEY_GEN               0x00000300
-#define CKM_CAST_ECB                   0x00000301
-#define CKM_CAST_CBC                   0x00000302
-#define CKM_CAST_MAC                   0x00000303
-#define CKM_CAST_MAC_GENERAL           0x00000304
-#define CKM_CAST_CBC_PAD               0x00000305
-#define CKM_CAST3_KEY_GEN              0x00000310
-#define CKM_CAST3_ECB                  0x00000311
-#define CKM_CAST3_CBC                  0x00000312
-#define CKM_CAST3_MAC                  0x00000313
-#define CKM_CAST3_MAC_GENERAL          0x00000314
-#define CKM_CAST3_CBC_PAD              0x00000315
-#define CKM_CAST5_KEY_GEN              0x00000320
-#define CKM_CAST128_KEY_GEN            0x00000320
-#define CKM_CAST5_ECB                  0x00000321
-#define CKM_CAST128_ECB                0x00000321
-#define CKM_CAST5_CBC                  0x00000322
-#define CKM_CAST128_CBC                0x00000322
-#define CKM_CAST5_MAC                  0x00000323
-#define CKM_CAST128_MAC                0x00000323
-#define CKM_CAST5_MAC_GENERAL          0x00000324
-#define CKM_CAST128_MAC_GENERAL        0x00000324
-#define CKM_CAST5_CBC_PAD              0x00000325
-#define CKM_CAST128_CBC_PAD            0x00000325
-#define CKM_RC5_KEY_GEN                0x00000330
-#define CKM_RC5_ECB                    0x00000331
-#define CKM_RC5_CBC                    0x00000332
-#define CKM_RC5_MAC                    0x00000333
-#define CKM_RC5_MAC_GENERAL            0x00000334
-#define CKM_RC5_CBC_PAD                0x00000335
-#define CKM_IDEA_KEY_GEN               0x00000340
-#define CKM_IDEA_ECB                   0x00000341
-#define CKM_IDEA_CBC                   0x00000342
-#define CKM_IDEA_MAC                   0x00000343
-#define CKM_IDEA_MAC_GENERAL           0x00000344
-#define CKM_IDEA_CBC_PAD               0x00000345
-#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
-#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
-#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
-#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
-#define CKM_XOR_BASE_AND_DATA          0x00000364
-#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
-#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
-#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
-#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
-/* The following are new for v2.11 */
-#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
-#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
-#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
-#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
-#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
-
-#define CKM_SSL3_MD5_MAC               0x00000380
-#define CKM_SSL3_SHA1_MAC              0x00000381
-#define CKM_MD5_KEY_DERIVATION         0x00000390
-#define CKM_MD2_KEY_DERIVATION         0x00000391
-#define CKM_SHA1_KEY_DERIVATION        0x00000392
-#define CKM_SHA256_KEY_DERIVATION      0x00000393
-#define CKM_PBE_MD2_DES_CBC            0x000003A0
-#define CKM_PBE_MD5_DES_CBC            0x000003A1
-#define CKM_PBE_MD5_CAST_CBC           0x000003A2
-#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
-#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
-#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
-#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
-#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
-#define CKM_PBE_SHA1_RC4_128           0x000003A6
-#define CKM_PBE_SHA1_RC4_40            0x000003A7
-#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
-#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
-#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
-#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
-/* CKM_PKCS5_PBKD2 is new for v2.11 */
-#define CKM_PKCS5_PBKD2                0x000003B0
-#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
-#define CKM_KEY_WRAP_LYNKS             0x00000400
-#define CKM_KEY_WRAP_SET_OAEP          0x00000401
-
-/* Fortezza mechanisms */
-#define CKM_SKIPJACK_KEY_GEN           0x00001000
-#define CKM_SKIPJACK_ECB64             0x00001001
-#define CKM_SKIPJACK_CBC64             0x00001002
-#define CKM_SKIPJACK_OFB64             0x00001003
-#define CKM_SKIPJACK_CFB64             0x00001004
-#define CKM_SKIPJACK_CFB32             0x00001005
-#define CKM_SKIPJACK_CFB16             0x00001006
-#define CKM_SKIPJACK_CFB8              0x00001007
-#define CKM_SKIPJACK_WRAP              0x00001008
-#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
-#define CKM_SKIPJACK_RELAYX            0x0000100a
-#define CKM_KEA_KEY_PAIR_GEN           0x00001010
-#define CKM_KEA_KEY_DERIVE             0x00001011
-#define CKM_FORTEZZA_TIMESTAMP         0x00001020
-#define CKM_BATON_KEY_GEN              0x00001030
-#define CKM_BATON_ECB128               0x00001031
-#define CKM_BATON_ECB96                0x00001032
-#define CKM_BATON_CBC128               0x00001033
-#define CKM_BATON_COUNTER              0x00001034
-#define CKM_BATON_SHUFFLE              0x00001035
-#define CKM_BATON_WRAP                 0x00001036
-
-/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, 
- * CKM_EC_KEY_PAIR_GEN is preferred. */
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
-#define CKM_EC_KEY_PAIR_GEN            0x00001040
-#define CKM_ECDSA                      0x00001041
-#define CKM_ECDSA_SHA1                 0x00001042
-/* The following are new for v2.11 */
-#define CKM_ECDH1_DERIVE               0x00001050
-#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
-#define CKM_ECMQV_DERIVE               0x00001052
-
-#define CKM_JUNIPER_KEY_GEN            0x00001060
-#define CKM_JUNIPER_ECB128             0x00001061
-#define CKM_JUNIPER_CBC128             0x00001062
-#define CKM_JUNIPER_COUNTER            0x00001063
-#define CKM_JUNIPER_SHUFFLE            0x00001064
-#define CKM_JUNIPER_WRAP               0x00001065
-#define CKM_FASTHASH                   0x00001070
-/* The following are new for v2.11 */
-#define CKM_AES_KEY_GEN                0x00001080
-#define CKM_AES_ECB                    0x00001081
-#define CKM_AES_CBC                    0x00001082
-#define CKM_AES_MAC                    0x00001083
-#define CKM_AES_MAC_GENERAL            0x00001084
-#define CKM_AES_CBC_PAD                0x00001085
-#define CKM_DSA_PARAMETER_GEN          0x00002000
-#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
-
-#define CKM_VENDOR_DEFINED             0x80000000
-
-typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
-
-
-/* CK_MECHANISM is a structure that specifies a particular
- * mechanism  */
-typedef struct CK_MECHANISM {
-  CK_MECHANISM_TYPE mechanism;
-  CK_VOID_PTR       pParameter;
-
-  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG          ulParameterLen;  /* in bytes */
-} CK_MECHANISM;
-
-typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
-
-
-/* CK_MECHANISM_INFO provides information about a particular
- * mechanism */
-typedef struct CK_MECHANISM_INFO {
-    CK_ULONG    ulMinKeySize;
-    CK_ULONG    ulMaxKeySize;
-    CK_FLAGS    flags;
-} CK_MECHANISM_INFO;
-
-/* The flags are defined as follows:
- *      Bit Flag               Mask        Meaning */
-#define CKF_HW                 0x00000001  /* performed by HW */
-
-/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
- * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
- * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
- * and CKF_DERIVE are new for v2.0.  They specify whether or not
- * a mechanism can be used for a particular task */
-#define CKF_ENCRYPT            0x00000100
-#define CKF_DECRYPT            0x00000200
-#define CKF_DIGEST             0x00000400
-#define CKF_SIGN               0x00000800
-#define CKF_SIGN_RECOVER       0x00001000
-#define CKF_VERIFY             0x00002000
-#define CKF_VERIFY_RECOVER     0x00004000
-#define CKF_GENERATE           0x00008000
-#define CKF_GENERATE_KEY_PAIR  0x00010000
-#define CKF_WRAP               0x00020000
-#define CKF_UNWRAP             0x00040000
-#define CKF_DERIVE             0x00080000
-/* The following are new for v2.11 */
-#define CKF_EC_F_P             0x00100000
-#define CKF_EC_F_2M            0x00200000
-#define CKF_EC_ECPARAMETERS    0x00400000
-#define CKF_EC_NAMEDCURVE      0x00800000
-#define CKF_EC_UNCOMPRESS      0x01000000
-#define CKF_EC_COMPRESS        0x02000000
-
-#define CKF_EXTENSION          0x80000000  /* FALSE for 2.01 */
-
-typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
-
-
-/* CK_RV is a value that identifies the return value of a
- * Cryptoki function */
-/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
-typedef CK_ULONG          CK_RV;
-
-#define CKR_OK                                0x00000000
-#define CKR_CANCEL                            0x00000001
-#define CKR_HOST_MEMORY                       0x00000002
-#define CKR_SLOT_ID_INVALID                   0x00000003
-
-/* CKR_FLAGS_INVALID was removed for v2.0 */
-
-/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
-#define CKR_GENERAL_ERROR                     0x00000005
-#define CKR_FUNCTION_FAILED                   0x00000006
-
-/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
- * and CKR_CANT_LOCK are new for v2.01 */
-#define CKR_ARGUMENTS_BAD                     0x00000007
-#define CKR_NO_EVENT                          0x00000008
-#define CKR_NEED_TO_CREATE_THREADS            0x00000009
-#define CKR_CANT_LOCK                         0x0000000A
-
-#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
-#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
-#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
-#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
-#define CKR_DATA_INVALID                      0x00000020
-#define CKR_DATA_LEN_RANGE                    0x00000021
-#define CKR_DEVICE_ERROR                      0x00000030
-#define CKR_DEVICE_MEMORY                     0x00000031
-#define CKR_DEVICE_REMOVED                    0x00000032
-#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
-#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
-#define CKR_FUNCTION_CANCELED                 0x00000050
-#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
-
-/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
-#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
-
-#define CKR_KEY_HANDLE_INVALID                0x00000060
-
-/* CKR_KEY_SENSITIVE was removed for v2.0 */
-
-#define CKR_KEY_SIZE_RANGE                    0x00000062
-#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
-
-/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
- * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
- * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
- * v2.0 */
-#define CKR_KEY_NOT_NEEDED                    0x00000064
-#define CKR_KEY_CHANGED                       0x00000065
-#define CKR_KEY_NEEDED                        0x00000066
-#define CKR_KEY_INDIGESTIBLE                  0x00000067
-#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
-#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
-#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
-
-#define CKR_MECHANISM_INVALID                 0x00000070
-#define CKR_MECHANISM_PARAM_INVALID           0x00000071
-
-/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
- * were removed for v2.0 */
-#define CKR_OBJECT_HANDLE_INVALID             0x00000082
-#define CKR_OPERATION_ACTIVE                  0x00000090
-#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
-#define CKR_PIN_INCORRECT                     0x000000A0
-#define CKR_PIN_INVALID                       0x000000A1
-#define CKR_PIN_LEN_RANGE                     0x000000A2
-
-/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
-#define CKR_PIN_EXPIRED                       0x000000A3
-#define CKR_PIN_LOCKED                        0x000000A4
-
-#define CKR_SESSION_CLOSED                    0x000000B0
-#define CKR_SESSION_COUNT                     0x000000B1
-#define CKR_SESSION_HANDLE_INVALID            0x000000B3
-#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
-#define CKR_SESSION_READ_ONLY                 0x000000B5
-#define CKR_SESSION_EXISTS                    0x000000B6
-
-/* CKR_SESSION_READ_ONLY_EXISTS and
- * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
-#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
-#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
-
-#define CKR_SIGNATURE_INVALID                 0x000000C0
-#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
-#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
-#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
-#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
-#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
-#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
-#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
-#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
-#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
-#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
-#define CKR_USER_NOT_LOGGED_IN                0x00000101
-#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
-#define CKR_USER_TYPE_INVALID                 0x00000103
-
-/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
- * are new to v2.01 */
-#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
-#define CKR_USER_TOO_MANY_TYPES               0x00000105
-
-#define CKR_WRAPPED_KEY_INVALID               0x00000110
-#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
-#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
-#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
-#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
-#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
-
-/* These are new to v2.0 */
-#define CKR_RANDOM_NO_RNG                     0x00000121
-/* CKR_DOMAIN_PARAMS_INVALID is new for v2.11 */
-#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
-#define CKR_BUFFER_TOO_SMALL                  0x00000150
-#define CKR_SAVED_STATE_INVALID               0x00000160
-#define CKR_INFORMATION_SENSITIVE             0x00000170
-#define CKR_STATE_UNSAVEABLE                  0x00000180
-
-/* These are new to v2.01 */
-#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
-#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
-#define CKR_MUTEX_BAD                         0x000001A0
-#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
-
-#define CKR_VENDOR_DEFINED                    0x80000000
-
-
-/* CK_NOTIFY is an application callback that processes events */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
-  CK_SESSION_HANDLE hSession,     /* the session's handle */
-  CK_NOTIFICATION   event,
-  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
-);
-
-/* CK_CREATEMUTEX is an application callback for creating a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
-  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
-);
-
-
-/* CK_DESTROYMUTEX is an application callback for destroying a
- * mutex object */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_LOCKMUTEX is an application callback for locking a mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_UNLOCKMUTEX is an application callback for unlocking a
- * mutex */
-typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
-  CK_VOID_PTR pMutex  /* pointer to mutex */
-);
-
-
-/* CK_C_INITIALIZE_ARGS provides the optional arguments to
- * C_Initialize */
-// SAB the mutex ones had pf infront previously..
-// The spec says otherwise.
-typedef struct CK_C_INITIALIZE_ARGS {
-  CK_CREATEMUTEX  CreateMutex;
-  CK_DESTROYMUTEX DestroyMutex;
-  CK_LOCKMUTEX    LockMutex;
-  CK_UNLOCKMUTEX  UnlockMutex;
-  CK_FLAGS        flags;
-  CK_VOID_PTR     pReserved;
-} CK_C_INITIALIZE_ARGS;
-
-/* flags: bit flags that provide capabilities of the slot
- *      Bit Flag                           Mask       Meaning
- */
-#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
-#define CKF_OS_LOCKING_OK                  0x00000002
-
-typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
-
-
-/* additional flags for parameters to functions */
-
-/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
-#define CKF_DONT_BLOCK     1
-
-
-/* CK_KEA_DERIVE_PARAMS provides the parameters to the
- * CKM_KEA_DERIVE mechanism */
-/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
-typedef struct CK_KEA_DERIVE_PARAMS {
-  CK_BBOOL      isSender;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pRandomB;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-} CK_KEA_DERIVE_PARAMS;
-
-typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
-
-
-/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
- * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
- * holds the effective keysize */
-typedef CK_ULONG          CK_RC2_PARAMS;
-
-typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
-
-
-/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
- * mechanism */
-typedef struct CK_RC2_CBC_PARAMS {
-  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
-   * v2.0 */
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-
-  CK_BYTE       iv[8];            /* IV for CBC mode */
-} CK_RC2_CBC_PARAMS;
-
-typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
-
-
-/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC2_MAC_GENERAL mechanism */
-/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC2_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
-  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
-} CK_RC2_MAC_GENERAL_PARAMS;
-
-typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC2_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
- * CKM_RC5_MAC mechanisms */
-/* CK_RC5_PARAMS is new for v2.0 */
-typedef struct CK_RC5_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-} CK_RC5_PARAMS;
-
-typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
-
-
-/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
- * mechanism */
-/* CK_RC5_CBC_PARAMS is new for v2.0 */
-typedef struct CK_RC5_CBC_PARAMS {
-  CK_ULONG      ulWordsize;  /* wordsize in bits */
-  CK_ULONG      ulRounds;    /* number of rounds */
-  CK_BYTE_PTR   pIv;         /* pointer to IV */
-  CK_ULONG      ulIvLen;     /* length of IV in bytes */
-} CK_RC5_CBC_PARAMS;
-
-typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
-
-
-/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
- * CKM_RC5_MAC_GENERAL mechanism */
-/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef struct CK_RC5_MAC_GENERAL_PARAMS {
-  CK_ULONG      ulWordsize;   /* wordsize in bits */
-  CK_ULONG      ulRounds;     /* number of rounds */
-  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
-} CK_RC5_MAC_GENERAL_PARAMS;
-
-typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
-  CK_RC5_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
- * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
- * the MAC */
-/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
-typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
-
-typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
-
-
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
- * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
-/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
-  CK_ULONG      ulPasswordLen;
-  CK_BYTE_PTR   pPassword;
-  CK_ULONG      ulPublicDataLen;
-  CK_BYTE_PTR   pPublicData;
-  CK_ULONG      ulPAndGLen;
-  CK_ULONG      ulQLen;
-  CK_ULONG      ulRandomLen;
-  CK_BYTE_PTR   pRandomA;
-  CK_BYTE_PTR   pPrimeP;
-  CK_BYTE_PTR   pBaseG;
-  CK_BYTE_PTR   pSubprimeQ;
-} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
-
-typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
-  CK_SKIPJACK_PRIVATE_WRAP_PTR;
-
-
-/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
- * CKM_SKIPJACK_RELAYX mechanism */
-/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
-typedef struct CK_SKIPJACK_RELAYX_PARAMS {
-  CK_ULONG      ulOldWrappedXLen;
-  CK_BYTE_PTR   pOldWrappedX;
-  CK_ULONG      ulOldPasswordLen;
-  CK_BYTE_PTR   pOldPassword;
-  CK_ULONG      ulOldPublicDataLen;
-  CK_BYTE_PTR   pOldPublicData;
-  CK_ULONG      ulOldRandomLen;
-  CK_BYTE_PTR   pOldRandomA;
-  CK_ULONG      ulNewPasswordLen;
-  CK_BYTE_PTR   pNewPassword;
-  CK_ULONG      ulNewPublicDataLen;
-  CK_BYTE_PTR   pNewPublicData;
-  CK_ULONG      ulNewRandomLen;
-  CK_BYTE_PTR   pNewRandomA;
-} CK_SKIPJACK_RELAYX_PARAMS;
-
-typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
-  CK_SKIPJACK_RELAYX_PARAMS_PTR;
-
-
-typedef struct CK_PBE_PARAMS {
-  CK_CHAR_PTR  pInitVector;
-  CK_CHAR_PTR  pPassword;
-  CK_ULONG     ulPasswordLen;
-  CK_CHAR_PTR  pSalt;
-  CK_ULONG     ulSaltLen;
-  CK_ULONG     ulIteration;
-} CK_PBE_PARAMS;
-
-typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
-
-
-/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
- * CKM_KEY_WRAP_SET_OAEP mechanism */
-/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
-typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
-  CK_BYTE       bBC;     /* block contents byte */
-  CK_BYTE_PTR   pX;      /* extra data */
-  CK_ULONG      ulXLen;  /* length of extra data in bytes */
-} CK_KEY_WRAP_SET_OAEP_PARAMS;
-
-typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
-  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_RANDOM_DATA {
-  CK_BYTE_PTR  pClientRandom;
-  CK_ULONG     ulClientRandomLen;
-  CK_BYTE_PTR  pServerRandom;
-  CK_ULONG     ulServerRandomLen;
-} CK_SSL3_RANDOM_DATA;
-
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
-  CK_SSL3_RANDOM_DATA RandomInfo;
-  CK_VERSION_PTR pVersion;
-} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
-
-typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hClientMacSecret;
-  CK_OBJECT_HANDLE hServerMacSecret;
-  CK_OBJECT_HANDLE hClientKey;
-  CK_OBJECT_HANDLE hServerKey;
-  CK_BYTE_PTR      pIVClient;
-  CK_BYTE_PTR      pIVServer;
-} CK_SSL3_KEY_MAT_OUT;
-
-typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
-
-
-typedef struct CK_SSL3_KEY_MAT_PARAMS {
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_BBOOL                bIsExport;
-  CK_SSL3_RANDOM_DATA     RandomInfo;
-  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_SSL3_KEY_MAT_PARAMS;
-
-typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
-
-
-typedef struct CK_KEY_DERIVATION_STRING_DATA {
-  CK_BYTE_PTR pData;
-  CK_ULONG    ulLen;
-} CK_KEY_DERIVATION_STRING_DATA;
-
-typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
-  CK_KEY_DERIVATION_STRING_DATA_PTR;
-
-
-/* The CK_EXTRACT_PARAMS is used for the
- * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
- * of the base key should be used as the first bit of the
- * derived key */
-/* CK_EXTRACT_PARAMS is new for v2.0 */
-typedef CK_ULONG CK_EXTRACT_PARAMS;
-
-typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
-
-
-/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
- * version and pointers of appropriate types to all the
- * Cryptoki functions */
-/* CK_FUNCTION_LIST is new for v2.0 */
-typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
-
-typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
-
-typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
-
-typedef CK_RV	(CK_PTR CK_C_Initialize)
-						(CK_VOID_PTR pReserved);
-typedef CK_RV	(CK_PTR  CK_C_Finalize)
-						(CK_VOID_PTR pReserved);
-typedef CK_RV	(CK_PTR  CK_C_Terminate)
-						(void);
-typedef CK_RV	(CK_PTR  CK_C_GetInfo)
-						(CK_INFO_PTR pInfo);
-typedef CK_RV	(CK_PTR  CK_C_GetFunctionList)
-						(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
-typedef CK_RV	(CK_PTR  CK_C_GetSlotList)
-						(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
-						 CK_ULONG_PTR pusCount);
-typedef CK_RV	(CK_PTR  CK_C_GetSlotInfo)
-						(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo);
-typedef CK_RV	(CK_PTR  CK_C_GetTokenInfo)
-						(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
-typedef CK_RV	(CK_PTR  CK_C_GetMechanismList)
-						(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList,
-						 CK_ULONG_PTR pusCount);
-typedef CK_RV	(CK_PTR  CK_C_GetMechanismInfo)
-						(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
-						 CK_MECHANISM_INFO_PTR pInfo);
-typedef CK_RV	(CK_PTR  CK_C_InitToken)
-						(CK_SLOT_ID slotID, CK_CHAR_PTR pPin, CK_ULONG usPinLen,
-						 CK_CHAR_PTR pLabel);
-typedef CK_RV	(CK_PTR  CK_C_InitPIN)
-						(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin,
-						 CK_ULONG usPinLen);
-typedef CK_RV	(CK_PTR  CK_C_SetPIN)
-						(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
-						 CK_ULONG usOldLen, CK_CHAR_PTR pNewPin,
-						 CK_ULONG usNewLen);
-typedef CK_RV	(CK_PTR  CK_C_OpenSession)
-						(CK_SLOT_ID slotID, CK_FLAGS flags,
-						 CK_VOID_PTR pApplication,
-						 CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
-						 CK_NOTIFICATION event, CK_VOID_PTR pApplication),
-						 CK_SESSION_HANDLE_PTR phSession);
-typedef CK_RV	(CK_PTR  CK_C_CloseSession)
-						(CK_SESSION_HANDLE hSession);
-typedef CK_RV	(CK_PTR  CK_C_CloseAllSessions)
-						(CK_SLOT_ID slotID);
-typedef CK_RV	(CK_PTR  CK_C_GetSessionInfo)
-						(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo);
-typedef CK_RV	(CK_PTR  CK_C_GetOperationState)
-						(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
-						 CK_ULONG_PTR pulOperationStateLen);
-typedef CK_RV	(CK_PTR  CK_C_SetOperationState)
-						(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
-						 CK_ULONG ulOperationStateLen,
-						 CK_OBJECT_HANDLE hEncryptionKey,
-						 CK_OBJECT_HANDLE hAuthenticationKey);
-typedef CK_RV	(CK_PTR  CK_C_Login)(CK_SESSION_HANDLE hSession,
-						 CK_USER_TYPE userType, CK_CHAR_PTR pPin,
-						 CK_ULONG usPinLen);
-typedef CK_RV	(CK_PTR  CK_C_Logout)(CK_SESSION_HANDLE hSession);
-typedef CK_RV	(CK_PTR  CK_C_CreateObject)
-						(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
-						 CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
-typedef CK_RV	(CK_PTR  CK_C_CopyObject)
-						(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
-						 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
-						 CK_OBJECT_HANDLE_PTR phNewObject);
-typedef CK_RV (CK_PTR  CK_C_DestroyObject)
-                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
-typedef CK_RV(CK_PTR  CK_C_GetObjectSize)
-                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
-                        CK_ULONG_PTR pusSize);
-typedef CK_RV(CK_PTR  CK_C_GetAttributeValue)
-                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
-                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-typedef CK_RV(CK_PTR  CK_C_SetAttributeValue)
-                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
-                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
-typedef CK_RV (CK_PTR  CK_C_FindObjectsInit)
-                       (CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
-                        CK_ULONG usCount);
-typedef CK_RV (CK_PTR  CK_C_FindObjects)
-                       (CK_SESSION_HANDLE hSession,
-                        CK_OBJECT_HANDLE_PTR phObject, CK_ULONG usMaxObjectCount,
-                        CK_ULONG_PTR pusObjectCount);
-typedef CK_RV (CK_PTR  CK_C_FindObjectsFinal)
-                       (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR  CK_C_EncryptInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_Encrypt)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-                        CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
-                        CK_ULONG_PTR pusEncryptedDataLen);
-typedef CK_RV (CK_PTR  CK_C_EncryptUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG_PTR pusEncryptedPartLen);
-typedef CK_RV (CK_PTR  CK_C_EncryptFinal)
-                       (CK_SESSION_HANDLE hSession,
-                        CK_BYTE_PTR pLastEncryptedPart,
-                        CK_ULONG_PTR pusLastEncryptedPartLen);
-typedef CK_RV (CK_PTR  CK_C_DecryptInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_Decrypt)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
-                        CK_ULONG usEncryptedDataLen, CK_BYTE_PTR pData,
-                        CK_ULONG_PTR pusDataLen);
-typedef CK_RV (CK_PTR  CK_C_DecryptUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG usEncryptedPartLen, CK_BYTE_PTR pPart,
-                        CK_ULONG_PTR pusPartLen);
-typedef CK_RV (CK_PTR  CK_C_DecryptFinal)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
-                        CK_ULONG_PTR pusLastPartLen);
-typedef CK_RV (CK_PTR  CK_C_DigestInit)
-                       (CK_SESSION_HANDLE hSession,
-                        CK_MECHANISM_PTR pMechanism);
-typedef CK_RV (CK_PTR  CK_C_Digest)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-                        CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
-                        CK_ULONG_PTR pusDigestLen);
-typedef CK_RV (CK_PTR  CK_C_DigestUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR  CK_C_DigestKey)
-                       (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_DigestFinal)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
-                        CK_ULONG_PTR pusDigestLen);
-typedef CK_RV (CK_PTR  CK_C_SignInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_Sign)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
-                        CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR  CK_C_SignUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR  CK_C_SignFinal)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
-                        CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR  CK_C_SignRecoverInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_SignRecover)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
-                        CK_ULONG_PTR pusSignatureLen);
-typedef CK_RV (CK_PTR  CK_C_VerifyInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_Verify)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
-                        CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
-                        CK_ULONG usSignatureLen);
-typedef CK_RV (CK_PTR  CK_C_VerifyUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG usPartLen);
-typedef CK_RV (CK_PTR  CK_C_VerifyFinal)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
-                        CK_ULONG usSignatureLen);
-typedef CK_RV (CK_PTR  CK_C_VerifyRecoverInit)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hKey);
-typedef CK_RV (CK_PTR  CK_C_VerifyRecover)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
-                        CK_ULONG usSignatureLen, CK_BYTE_PTR pData,
-                        CK_ULONG_PTR pusDataLen);
-typedef CK_RV (CK_PTR  CK_C_DigestEncryptUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG_PTR pulEncryptedPartLen);
-typedef CK_RV (CK_PTR  CK_C_DecryptDigestUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
-                        CK_ULONG_PTR pulPartLen);
-typedef CK_RV (CK_PTR  CK_C_SignEncryptUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
-                        CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG_PTR pulEncryptedPartLen);
-typedef CK_RV (CK_PTR  CK_C_DecryptVerifyUpdate)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
-                        CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
-                        CK_ULONG_PTR pulPartLen);
-typedef CK_RV (CK_PTR  CK_C_GenerateKey)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
-                        CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR  CK_C_GenerateKeyPair)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-                        CK_ULONG usPublicKeyAttributeCount,
-                        CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-                        CK_ULONG usPrivateKeyAttributeCount,
-                        CK_OBJECT_HANDLE_PTR phPrivateKey,
-                        CK_OBJECT_HANDLE_PTR phPublicKey);
-typedef CK_RV (CK_PTR  CK_C_WrapKey)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
-                        CK_BYTE_PTR pWrappedKey, CK_ULONG_PTR pusWrappedKeyLen);
-typedef CK_RV (CK_PTR  CK_C_UnwrapKey)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hUnwrappingKey, CK_BYTE_PTR pWrappedKey,
-                        CK_ULONG usWrappedKeyLen, CK_ATTRIBUTE_PTR pTemplate,
-                        CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR  CK_C_DeriveKey)
-                       (CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-                        CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
-                        CK_ULONG usAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
-typedef CK_RV (CK_PTR  CK_C_SeedRandom)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
-                        CK_ULONG usSeedLen);
-typedef CK_RV (CK_PTR  CK_C_GenerateRandom)
-                       (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData,
-                        CK_ULONG usRandomLen);
-typedef CK_RV (CK_PTR  CK_C_GetFunctionStatus)
-                       (CK_SESSION_HANDLE hSession);
-typedef CK_RV (CK_PTR  CK_C_CancelFunction)
-                       (CK_SESSION_HANDLE hSession);
-typedef CK_RV	(CK_PTR  CK_Notify)
-						(CK_SESSION_HANDLE hSession, CK_NOTIFICATION event,
-						 CK_VOID_PTR pApplication);
-typedef CK_RV	(CK_PTR  CK_C_WaitForSlotEvent)
-						(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
-						 CK_VOID_PTR pReserved);
-
-struct CK_FUNCTION_LIST {
-	CK_VERSION version;
-	CK_C_Initialize C_Initialize;
-	CK_C_Finalize C_Finalize;
-	CK_C_GetInfo C_GetInfo;
-	CK_C_GetFunctionList C_GetFunctionList;
-	CK_C_GetSlotList C_GetSlotList;
-	CK_C_GetSlotInfo C_GetSlotInfo;
-	CK_C_GetTokenInfo C_GetTokenInfo;
-	CK_C_GetMechanismList C_GetMechanismList;
-	CK_C_GetMechanismInfo C_GetMechanismInfo;
-	CK_C_InitToken C_InitToken;
-	CK_C_InitPIN C_InitPIN;
-	CK_C_SetPIN C_SetPIN;
-	CK_C_OpenSession C_OpenSession;
-	CK_C_CloseSession C_CloseSession;
-	CK_C_CloseAllSessions C_CloseAllSessions;
-	CK_C_GetSessionInfo C_GetSessionInfo;
-	CK_C_GetOperationState C_GetOperationState;
-	CK_C_SetOperationState C_SetOperationState;
-	CK_C_Login C_Login;
-	CK_C_Logout C_Logout;
-	CK_C_CreateObject C_CreateObject;
-	CK_C_CopyObject C_CopyObject;
-	CK_C_DestroyObject C_DestroyObject;
-	CK_C_GetObjectSize C_GetObjectSize;
-	CK_C_GetAttributeValue C_GetAttributeValue;
-	CK_C_SetAttributeValue C_SetAttributeValue;
-	CK_C_FindObjectsInit C_FindObjectsInit;
-	CK_C_FindObjects C_FindObjects;
-	CK_C_FindObjectsFinal C_FindObjectsFinal;
-	CK_C_EncryptInit C_EncryptInit;
-	CK_C_Encrypt C_Encrypt;
-	CK_C_EncryptUpdate C_EncryptUpdate;
-	CK_C_EncryptFinal C_EncryptFinal;
-	CK_C_DecryptInit C_DecryptInit;
-	CK_C_Decrypt C_Decrypt;
-	CK_C_DecryptUpdate C_DecryptUpdate;
-	CK_C_DecryptFinal C_DecryptFinal;
-	CK_C_DigestInit C_DigestInit;
-	CK_C_Digest C_Digest;
-	CK_C_DigestUpdate C_DigestUpdate;
-	CK_C_DigestKey C_DigestKey;
-	CK_C_DigestFinal C_DigestFinal;
-	CK_C_SignInit C_SignInit;
-	CK_C_Sign C_Sign;
-	CK_C_SignUpdate C_SignUpdate;
-	CK_C_SignFinal C_SignFinal;
-	CK_C_SignRecoverInit C_SignRecoverInit;
-	CK_C_SignRecover C_SignRecover;
-	CK_C_VerifyInit C_VerifyInit;
-	CK_C_Verify C_Verify;
-	CK_C_VerifyUpdate C_VerifyUpdate;
-	CK_C_VerifyFinal C_VerifyFinal;
-	CK_C_VerifyRecoverInit C_VerifyRecoverInit;
-	CK_C_VerifyRecover C_VerifyRecover;
-	CK_C_DigestEncryptUpdate C_DigestEncryptUpdate;
-	CK_C_DecryptDigestUpdate C_DecryptDigestUpdate;
-	CK_C_SignEncryptUpdate C_SignEncryptUpdate;
-	CK_C_DecryptVerifyUpdate C_DecryptVerifyUpdate;
-	CK_C_GenerateKey C_GenerateKey;
-	CK_C_GenerateKeyPair C_GenerateKeyPair;
-	CK_C_WrapKey C_WrapKey;
-	CK_C_UnwrapKey C_UnwrapKey;
-	CK_C_DeriveKey C_DeriveKey;
-	CK_C_SeedRandom C_SeedRandom;
-	CK_C_GenerateRandom C_GenerateRandom;
-	CK_C_GetFunctionStatus C_GetFunctionStatus;
-	CK_C_CancelFunction C_CancelFunction;
-	CK_C_WaitForSlotEvent C_WaitForSlotEvent;
-};
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _PKCS11TYPES_H_

From 2946e44c8670d5820557aa666f922bbf0e14a1c1 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 10:52:18 +0000
Subject: [PATCH 189/385] pkcs11 tools were moved (20067)

---
 contrib/pkcs11-keygen/PEM_write_pubkey.c | 124 -----------------------
 contrib/pkcs11-keygen/PKCS11-NOTES       |  94 -----------------
 contrib/pkcs11-keygen/README             |  20 ----
 3 files changed, 238 deletions(-)
 delete mode 100644 contrib/pkcs11-keygen/PEM_write_pubkey.c
 delete mode 100644 contrib/pkcs11-keygen/PKCS11-NOTES
 delete mode 100644 contrib/pkcs11-keygen/README

diff --git a/contrib/pkcs11-keygen/PEM_write_pubkey.c b/contrib/pkcs11-keygen/PEM_write_pubkey.c
deleted file mode 100644
index 65def63214..0000000000
--- a/contrib/pkcs11-keygen/PEM_write_pubkey.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* OpenSSL tool
- *
- * usage: PEM_write_pubkey -e engine -p pin -k keyname -f filename
- */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-extern int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
-
-int
-main(int argc, char *argv[])
-{
-    ENGINE *e;
-    EVP_PKEY *pub_key;
-    FILE *fp;
-    char *engine = NULL;
-    char *pin = NULL;
-    char *keyname = NULL;
-    char *filename = NULL;
-    int c, errflg = 0;
-    extern char *optarg;
-    extern int optopt;
-       
-    while ((c = getopt(argc, argv, ":e:p:k:f:")) != -1) {
-        switch (c) {
-        case 'e':
-            engine = optarg;
-            break;
-	case 'p':
-	    pin = optarg;
-	    break;
-        case 'k':
-            keyname = optarg;
-            break;
-        case 'f':
-            filename = optarg;
-            break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!engine) || (!filename) || (!keyname)) {
-        fprintf(stderr,
-		"usage: PEM_write_pubkey -e engine [-p pin] "
-		"-k keyname -f filename\n");
-        exit(1);
-    }
-    
-    /* Load the config file */
-    OPENSSL_config(NULL);
-
-    /* Register engine */
-    e = ENGINE_by_id(engine);
-    if (!e) {
-        /* the engine isn't available */
-        printf("The engine isn't available\n");
-	ERR_print_errors_fp(stderr);
-        exit(1);
-    }
-    
-    /* Send PIN to engine */
-    if (pin && !ENGINE_ctrl_cmd_string(e, "PIN", pin, 0)){
-        printf("Error sending PIN to engine\n");
-	ERR_print_errors_fp(stderr);
-        ENGINE_free(e);
-        exit(1);
-    }
-    
-    if (!ENGINE_init(e)) {
-        /* the engine couldn't initialise, release 'e' */
-        printf("The engine couldn't initialise\n");
-	ERR_print_errors_fp(stderr);
-        ENGINE_free(e);
-        exit(1);
-    }
-
-    if (!ENGINE_register_RSA(e)){
-        /* This should only happen when 'e' can't initialise, but the previous
-	 * statement suggests it did. */
-        printf("This should not happen\n");
-	ERR_print_errors_fp(stderr);
-        exit(1);
-    }
-    
-    /* Load public key */
-    pub_key = ENGINE_load_public_key(e, keyname, NULL, NULL);
-    if (pub_key == NULL) {
-        /* No public key */
-        printf("Error loading public key\n");
-	ERR_print_errors_fp(stderr);
-        ENGINE_free(e);
-        exit(1);
-    }
-
-    /* write public key to file in PEM format */
-    fp = fopen(filename, "w");
-    if (fp == NULL) {
-        printf("Error opening output file.\n");
-	ENGINE_free(e);
-        exit(1);
-    }
-     
-    if (!PEM_write_PUBKEY(fp, pub_key)) {
-        /* Error writing public key */
-        printf("Error writing public key");
-	ERR_print_errors_fp(stderr);
-        ENGINE_free(e);
-        exit(1);
-    }
-    
-    fclose(fp);
-    exit(0);
-}
diff --git a/contrib/pkcs11-keygen/PKCS11-NOTES b/contrib/pkcs11-keygen/PKCS11-NOTES
deleted file mode 100644
index 2d07e9f2b5..0000000000
--- a/contrib/pkcs11-keygen/PKCS11-NOTES
+++ /dev/null
@@ -1,94 +0,0 @@
-
-			BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
-and some improvements, including user friendly PIN management. You may also
-use the original engine code.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token. Known to work on Linux and Windows 2003 server so
-should work on most operating systems. For AEP Keyper or any device used
-only for its protected key store, please switch to the sign-only engine.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
-   define: PKCS11_SO_PATH
-   default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
-   define: PKCS11_MODULE_PATH
-   default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
-a operating system which is not Solaris.)
-
-Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
-are functional.
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
-	openssl_conf = openssl_def
- - at any place these sections:
-	[ openssl_def ]
-	engines = engine_section
-	[ engine_section ]
-	pkcs11 = pkcs11_section
-	[ pkcs11_section ]
-	PIN = put__your__pin__value__here
-
-Slot management
-
-The engine tries to use the first best slot but it is recommended
-to simply use the slot 0 (usual default, meta-slot on Solaris).
-
-Sign-only engine
-
-openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
-a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
-has only the useful functions (i.e., signature with a RSA private
-key in the device protected key store and key loading).
-
-This engine should be used with a device which provides mainly
-a protected store and no acceleration. AEP Keyper is an example
-of such a device (BTW with the fully capable engine, key export
-must be enabled on this device and this configuration is not yet
-supported).
-
-Original engine
-
-If you are using the original engine and getpassphrase() is not defined, add:
-#define getpassphrase(x) getpass(x)
-in openssl.../crypto/engine/hw_pk11_pub.c
-
-Notes
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
-Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
-The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
diff --git a/contrib/pkcs11-keygen/README b/contrib/pkcs11-keygen/README
deleted file mode 100644
index 718208f063..0000000000
--- a/contrib/pkcs11-keygen/README
+++ /dev/null
@@ -1,20 +0,0 @@
-This is a set of utilities that when used together create rsa keys in
-a PKCS11 keystore. The keys will have a label of "zone,zsk|ksk,xxx" and
-an id of the keytag in hex.
-
-Run genkey.sh to generate a new key and call the other programs in turn.
-Run writekey.sh to load key to the key store from Kxxx.{key,private}.
-Run genkey, dnssec-keyfromlabel and optionally set_key_id when you have
-no perl or no Net::DNS::SEC perl module.
-
-genkey[.c] uses PKCS11 calls to generate keys.
-PEM_write_pubkey[.c] uses OpenSSL to write a public key from the key store
- into a file in PEM format.
-keyconv.pl uses Net::DNS::SEC to calculate the key tag and to write out
- a DNSKEY RR into a file.
-set_key_id[.c] uses PKCS11 to set to the key id == keytag in the key store.
-readkey[.c] and writekey[.c] extracts and loads a key from/to the key store.
-keydump.pl uses Net::DNS::SEC to get the key from a Kxxx.private file and
- write it into a file in PEM format.
-
-listobjs and destroyobjs browse the key store, prints or destroys objects.

From e25451b66ce773eed69ada005818ee3b40d0b555 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 10:54:46 +0000
Subject: [PATCH 190/385] pkcs11 tools were moved (20067)

---
 bin/pkcs11/OLD-PKCS11-NOTES        |  94 ++++++++
 contrib/pkcs11-keygen/README       |   1 +
 contrib/pkcs11-keygen/destroyobj.c | 178 ---------------
 contrib/pkcs11-keygen/genkey.c     | 201 ----------------
 contrib/pkcs11-keygen/genkey.sh    |  55 -----
 contrib/pkcs11-keygen/keyconv.pl   |  61 -----
 contrib/pkcs11-keygen/keydump.pl   |  26 ---
 contrib/pkcs11-keygen/listobjs.c   | 192 ----------------
 contrib/pkcs11-keygen/readkey.c    | 225 ------------------
 contrib/pkcs11-keygen/set_key_id.c | 154 -------------
 contrib/pkcs11-keygen/writekey.c   | 355 -----------------------------
 contrib/pkcs11-keygen/writekey.sh  |  73 ------
 12 files changed, 95 insertions(+), 1520 deletions(-)
 create mode 100644 bin/pkcs11/OLD-PKCS11-NOTES
 create mode 100644 contrib/pkcs11-keygen/README
 delete mode 100644 contrib/pkcs11-keygen/destroyobj.c
 delete mode 100644 contrib/pkcs11-keygen/genkey.c
 delete mode 100755 contrib/pkcs11-keygen/genkey.sh
 delete mode 100755 contrib/pkcs11-keygen/keyconv.pl
 delete mode 100755 contrib/pkcs11-keygen/keydump.pl
 delete mode 100644 contrib/pkcs11-keygen/listobjs.c
 delete mode 100644 contrib/pkcs11-keygen/readkey.c
 delete mode 100644 contrib/pkcs11-keygen/set_key_id.c
 delete mode 100644 contrib/pkcs11-keygen/writekey.c
 delete mode 100755 contrib/pkcs11-keygen/writekey.sh

diff --git a/bin/pkcs11/OLD-PKCS11-NOTES b/bin/pkcs11/OLD-PKCS11-NOTES
new file mode 100644
index 0000000000..2d07e9f2b5
--- /dev/null
+++ b/bin/pkcs11/OLD-PKCS11-NOTES
@@ -0,0 +1,94 @@
+
+			BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
+and some improvements, including user friendly PIN management. You may also
+use the original engine code.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token. Known to work on Linux and Windows 2003 server so
+should work on most operating systems. For AEP Keyper or any device used
+only for its protected key store, please switch to the sign-only engine.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+   define: PKCS11_SO_PATH
+   default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+   define: PKCS11_MODULE_PATH
+   default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
+a operating system which is not Solaris.)
+
+Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
+are functional.
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+	openssl_conf = openssl_def
+ - at any place these sections:
+	[ openssl_def ]
+	engines = engine_section
+	[ engine_section ]
+	pkcs11 = pkcs11_section
+	[ pkcs11_section ]
+	PIN = put__your__pin__value__here
+
+Slot management
+
+The engine tries to use the first best slot but it is recommended
+to simply use the slot 0 (usual default, meta-slot on Solaris).
+
+Sign-only engine
+
+openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
+has only the useful functions (i.e., signature with a RSA private
+key in the device protected key store and key loading).
+
+This engine should be used with a device which provides mainly
+a protected store and no acceleration. AEP Keyper is an example
+of such a device (BTW with the fully capable engine, key export
+must be enabled on this device and this configuration is not yet
+supported).
+
+Original engine
+
+If you are using the original engine and getpassphrase() is not defined, add:
+#define getpassphrase(x) getpass(x)
+in openssl.../crypto/engine/hw_pk11_pub.c
+
+Notes
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
+Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
+The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
diff --git a/contrib/pkcs11-keygen/README b/contrib/pkcs11-keygen/README
new file mode 100644
index 0000000000..caac9824d0
--- /dev/null
+++ b/contrib/pkcs11-keygen/README
@@ -0,0 +1 @@
+Moved to ${top}/bin/pkcs11
diff --git a/contrib/pkcs11-keygen/destroyobj.c b/contrib/pkcs11-keygen/destroyobj.c
deleted file mode 100644
index e7068e4d62..0000000000
--- a/contrib/pkcs11-keygen/destroyobj.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/* destroyobj [-s $slot] [-i $id | -l $label] [-p $pin] */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-int
-main(int argc, char *argv[])
-{
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE attr_id[2];
-    CK_OBJECT_HANDLE akey[50];
-    char *label = NULL;
-    int error = 0;
-    int id = 0, i = 0;
-    int c, errflg = 0;
-    CK_ULONG ulObjectCount;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_ID, &attr_id, sizeof(attr_id)}
-    };
-    extern char *optarg;
-    extern int optopt;
-
-    while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
-	switch (c) {
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-	case 'i':
-	    id = atoi(optarg);
-	    id &= 0xffff;
-	    break;
-	case 'l':
-	    label = optarg;
-	    break;
-	case 'p':
-	    pin = (CK_UTF8CHAR *)optarg;
-	    break;
-	case ':':
-	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
-	    errflg++;
-	    break;
-	case '?':
-	default:
-	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-	    errflg++;
-	}
-    }
-    if (errflg || ((!id) && (!label))) {
-	fprintf(stderr,
-		"usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
-	exit(1);
-    }
-    if (id) {
-	printf("id %i\n", id);
-	attr_id[0] = (id >> 8) & 0xff;
-	attr_id[1] = id & 0xff;
-    } else if (label) {
-	printf("label %s\n", label);
-	search_template[0].type = CKA_LABEL;
-	search_template[0].pValue = label;
-	search_template[0].ulValueLen = strlen(label);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-	exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-#ifndef HAVE_GETPASS
-	pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-	pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-
-    rv = C_FindObjectsInit(hSession, search_template,
-			   ((id != 0) || (label != NULL)) ? 1 : 0); 
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-    
-    rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-
-    for (i = 0; i < ulObjectCount; i++) {
-	CK_OBJECT_CLASS oclass = 0;
-	CK_BYTE labelbuf[64 + 1];
-	CK_BYTE idbuf[64];
-	CK_ATTRIBUTE attr_template[] = {
-	    {CKA_CLASS, &oclass, sizeof(oclass)},
-	    {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
-	    {CKA_ID, idbuf, sizeof(idbuf)}
-	};
-	int j, len;
-
-	memset(labelbuf, 0, sizeof(labelbuf));
-	memset(idbuf, 0, sizeof(idbuf));
-
-	rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
-	    error = 1;
-	    goto exit_search;
-	}
-	len = attr_template[2].ulValueLen;
-	printf("object[%d]: class %d label '%s' id[%u] ",
-	       i, oclass, labelbuf, attr_template[2].ulValueLen);
-	if (len > 4)
-	    len = 4;
-	for (j = 0; j < len; j++)
-	    printf("%02x", idbuf[j]);
-	if (attr_template[2].ulValueLen > len)
-	    printf("...\n");
-	else
-	    printf("\n");
-    }
-
-    /* give a chance to kill this */
-    printf("sleeping 5 seconds...\n");
-    sleep(5);
-
-    for (i = 0; i < ulObjectCount; i++) {
-	rv = C_DestroyObject(hSession, akey[i]);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
-	    error = 1;
-	}
-    }
-
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-	error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/genkey.c b/contrib/pkcs11-keygen/genkey.c
deleted file mode 100644
index 45a9e3cd68..0000000000
--- a/contrib/pkcs11-keygen/genkey.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/* genkey - pkcs11 rsa key generator
- *
- * create RSASHA1 key in the keystore of an SCA6000
- * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts 
- * it into a zone file.
- *
- * usage:
- * genkey [-P] [-s slot] -b keysize -l label [-p pin] 
- *
- */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_MECHANISM genmech;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_ULONG modulusbits = 0;
-    CK_CHAR *label = NULL;
-    CK_OBJECT_HANDLE privatekey, publickey;
-    CK_BYTE public_exponent[3];
-    int error = 0;
-    int i = 0;
-    int c, errflg = 0;
-    int hide = 1;
-    CK_ULONG ulObjectCount;
-    /* Set search template */
-    CK_ATTRIBUTE search_template[] = {
-        {CKA_LABEL, NULL_PTR, 0}
-    };
-    CK_ATTRIBUTE publickey_template[] = {
-        {CKA_LABEL, NULL_PTR, 0},
-        {CKA_VERIFY, &truevalue, sizeof (truevalue)},
-        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
-        {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
-        {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
-    };
-    CK_ATTRIBUTE privatekey_template[] = {
-        {CKA_LABEL, NULL_PTR, 0},
-        {CKA_SIGN, &truevalue, sizeof (truevalue)},
-        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
-        {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
-        {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
-        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
-    };
-    extern char *optarg;
-    extern int optopt;
-    
-    while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
-        switch (c) {
-	case 'P':
-	    hide = 0;
-	    break;
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-        case 'b':
-            modulusbits = atoi(optarg);
-            break;
-        case 'l':
-            label = (CK_CHAR *)optarg;
-            break;
-        case 'p':
-            pin = (CK_UTF8CHAR *)optarg;
-            break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!modulusbits) || (!label)) {
-        fprintf(stderr,
-		"usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
-        exit(2);
-    }
-    
-    search_template[0].pValue = label;
-    search_template[0].ulValueLen = strlen((char *)label);
-    publickey_template[0].pValue = label;
-    publickey_template[0].ulValueLen = strlen((char *)label);
-    privatekey_template[0].pValue = label;
-    privatekey_template[0].ulValueLen = strlen((char *)label);
-
-    /* Set public exponent to 65537 */
-    public_exponent[0] = 0x01;
-    public_exponent[1] = 0x00;
-    public_exponent[2] = 0x01;
-
-    /* Set up mechanism for generating key pair */
-    genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-    genmech.pParameter = NULL_PTR;
-    genmech.ulParameterLen = 0;
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-	exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-#ifndef HAVE_GETPASS
-        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-   
-    /* check if a key with the same id already exists */
-    rv = C_FindObjectsInit(hSession, search_template, 1); 
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-    rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_search;
-    }
-    if (ulObjectCount != 0) {
-        fprintf(stderr, "Key already exists.\n");
-        error = 1;
-        goto exit_search;
-    }
-    
-    /* Set attributes if the key is not to be hidden */
-    if (!hide) {
-        privatekey_template[4].pValue = &falsevalue;
-	privatekey_template[5].pValue = &truevalue;
-    }
-
-    /* Generate Key pair for signing/verifying */
-    rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
-			   (sizeof (publickey_template) /
-			    sizeof (CK_ATTRIBUTE)),
-			   privatekey_template,
-			   (sizeof (privatekey_template) /
-			    sizeof (CK_ATTRIBUTE)),
-			   &publickey, &privatekey);
-        
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
-        error = 1;
-    }
-    
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-        error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/genkey.sh b/contrib/pkcs11-keygen/genkey.sh
deleted file mode 100755
index f5bf146899..0000000000
--- a/contrib/pkcs11-keygen/genkey.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/usr/bin/bash
-
-usage="Usage: $0 -z zone -x ext -p pin -b bits -e engine [-f] -k key_path"
-tmp_file=/tmp/cur_key.$$
-while getopts ":z:x:p:t:k:b:e:f" opt; do
-  case $opt in
-    z  ) zone=$OPTARG ;;
-    x  ) ext=$OPTARG ;;
-    p  ) pin=$OPTARG ;;
-    t  ) id=$OPTARG ;;
-    f  ) flag="ksk" ;;
-    e  ) engine=$OPTARG ;;
-    b  ) bits=$OPTARG ;;
-    k  ) key_path=$OPTARG ;;
-    \? ) echo $usage 
-	 exit 1 ;;
-   esac
-done
-shift $(($OPTIND -1))
-
-if [ ! "$zone" -o ! "$ext" -o ! "$pin" -o ! "$engine" -o ! "$bits" -o ! "$key_path" ] ; then
-  echo $usage
-  exit 1
-fi
-
-if [ "$flag" ] ; then
-  label="$zone,$flag,$ext"
-else
-  label="$zone,zsk,$ext"
-fi
-
-# for testing
-mypath=.
-
-echo "Generating key"
-$mypath/genkey -b $bits -l $label -p $pin
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Exporting public key"
-$mypath/PEM_write_pubkey -e $engine -p $pin -k pkcs11:$label -f $tmp_file
-if [ $? -ne 0 ] ; then exit 1 ; fi
-
-echo "Generating DNSKEY RR"
-if [ "$flag" ] ; then
-  keytag=`$mypath/keyconv.pl -a 5 -k -e $engine -l $label -p $key_path -i $tmp_file $zone`
-else
-  keytag=`$mypath/keyconv.pl -a 5 -e $engine -l $label -p $key_path -i $tmp_file $zone`
-fi
-
-if [ ! $keytag ] ; then rm $tmp_file; exit 1 ; fi
-
-echo "Set key id"
-$mypath/set_key_id -l $label -n $keytag -p $pin
-
-rm $tmp_file
diff --git a/contrib/pkcs11-keygen/keyconv.pl b/contrib/pkcs11-keygen/keyconv.pl
deleted file mode 100755
index c68124c81b..0000000000
--- a/contrib/pkcs11-keygen/keyconv.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Crypt::OpenSSL::RSA;
-use Getopt::Std;
-use MIME::Base64;
-use Net::DNS;
-use Net::DNS::SEC;
-
-my %option;
-getopts('a:e:i:l:p:hk',\%option);
-
-die "usage: keyconv.pl [-a alg] [-k (to indicate KSK)] -e engine -l label [-p (path to store key)] -i filename domainname\n" if $option{h} || (not defined $option{i}) || (not defined $option{e}) || (not defined $option{l});
-
-# The default path is local.
-$option{p} || ($option{p}="./");
-
-# The default algorithm is 5.
-$option{a} || ($option{a}=5);
-
-$option{k} || ($option{k}=0);
-
-# The algorithm is either 5 or 133.
-$option{a}==5 || $option{a}==133 || die "algorithm must be 5 or 133\n";
-
-# standard flags (value is 256) plus optionally the KSK flag.
-my $flags=(256 + $option{k});
-
-open(PFILE, $option{i});
-   my @fc = ;
-close(PFILE);
-
-my $rsa = Crypt::OpenSSL::RSA->new_public_key(join "", @fc);
-
-my ($m,$e)= $rsa->get_key_parameters;
-
-(my $l=pack("Cn",0,length($e->to_bin))) =~ s/^\000{2}//;
-
-my $rrkey=$l.$e->to_bin.$m->to_bin;
-my $keystr = $ARGV[0]. ". IN DNSKEY $flags 3 $option{a} ".encode_base64($rrkey,"");
-my $keyrr = Net::DNS::RR->new($keystr);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".key");
-print PFILE $ARGV[0], ". IN DNSKEY $flags 3 $option{a} ",encode_base64($rrkey,"")."\n";
-close(PFILE);
-
-open(PFILE, "> $option{p}/K".$ARGV[0].".+".sprintf("%03d",$option{a})."+".$keyrr->keytag.".private");
-print PFILE "Private-key-format: v1.2\n";
-print PFILE "Algorithm: ", $option{a}, " (RSASHA1)\n";
-print PFILE "Modulus: ".encode_base64($m->to_bin,"")."\n";
-print PFILE "PublicExponent: ".encode_base64($e->to_bin,"")."\n";
-my $engine="";
-$engine=encode_base64($option{e}."\0","");
-print PFILE "Engine: ", $engine, "\n";
-my $label="";
-$option{k}==0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-$option{k}!=0 && ($label=encode_base64($option{e}.":".$option{l}."\0",""));
-print PFILE "Label: ", $label, "\n";
-close(PFILE);
-
-print $keyrr->keytag;
diff --git a/contrib/pkcs11-keygen/keydump.pl b/contrib/pkcs11-keygen/keydump.pl
deleted file mode 100755
index acbb00c36d..0000000000
--- a/contrib/pkcs11-keygen/keydump.pl
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use Getopt::Std;
-use Crypt::OpenSSL::RSA;
-use Net::DNS::SEC;
-
-my %option;
-getopts('k:p:o:h',\%option);
-
-$option{h} || (not defined $option{k}) || (not defined $option{p}) || (not defined $option{o}) && die "usage: keydump.pl -k Kxxx.key -p Kxxx.priv -o pem\n";
-
-my $rsa = Net::DNS::SEC::Private->new($option{p});
-
-open(PFILE, "> $option{o}");
-print PFILE $rsa->dump_rsa_private_der;
-close(PFILE);
-
-open(KFILE, "< $option{k}");
-my @fc = ;
-close(KFILE);
-
-my $keyrr = Net::DNS::RR->new(join "", @fc);
-
-print $keyrr->flags;
-
diff --git a/contrib/pkcs11-keygen/listobjs.c b/contrib/pkcs11-keygen/listobjs.c
deleted file mode 100644
index 3fb6eaa80f..0000000000
--- a/contrib/pkcs11-keygen/listobjs.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/* listobjs [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-int
-main(int argc, char *argv[])
-{
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE attr_id[2];
-    CK_OBJECT_HANDLE akey[50];
-    char *label = NULL;
-    int error = 0, public = 0, all = 0;
-    int i = 0, id = 0;
-    int c, errflg = 0;
-    CK_ULONG ulObjectCount;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_ID, &attr_id, sizeof(attr_id)}
-    };
-    extern char *optarg;
-    extern int optopt;
-
-    while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
-	switch (c) {
-	case 'P':
-	    public = 1;
-	    break;
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-	case 'i':
-	    id = atoi(optarg);
-	    id &= 0xffff;
-	    break;
-	case 'l':
-	    label = optarg;
-	    break;
-	case 'p':
-	    pin = (CK_UTF8CHAR *)optarg;
-	    break;
-	case ':':
-	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
-	    errflg++;
-	    break;
-	case '?':
-	default:
-	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-	    errflg++;
-	}
-    }
-    if (errflg) {
-	fprintf(stderr,
-		"usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
-	exit(1);
-    }
-    if ((!id) && (!label))
-	all = 1;
-    if (slot)
-	printf("slot %d\n", slot);
-    if (id) {
-	printf("id %i\n", id);
-	attr_id[0] = (id >> 8) & 0xff;
-	attr_id[1] = id & 0xff;
-    } else if (label) {
-	printf("label %s\n", label);
-	search_template[0].type = CKA_LABEL;
-	search_template[0].pValue = label;
-	search_template[0].ulValueLen = strlen(label);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-	exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!public) {
-	if (!pin)
-#ifndef HAVE_GETPASS
-	    pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-	    pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-	memset(pin, 0, strlen((char *)pin));
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-	    error = 1;
-	    goto exit_session;
-	}
-    }
-
-    rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-    
-    ulObjectCount = 1;
-    while (ulObjectCount) {
-	rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-	    error = 1;
-	    goto exit_search;
-	}
-
-	for (i = 0; i < ulObjectCount; i++) {
-	    CK_OBJECT_CLASS oclass = 0;
-	    CK_BYTE labelbuf[64 + 1];
-	    CK_BYTE idbuf[64];
-	    CK_ATTRIBUTE attr_template[] = {
-		{CKA_CLASS, &oclass, sizeof(oclass)},
-		{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
-		{CKA_ID, idbuf, sizeof(idbuf)}
-	    };
-	    int j, len;
-
-	    memset(labelbuf, 0, sizeof(labelbuf));
-	    memset(idbuf, 0, sizeof(idbuf));
-
-	    rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
-	    if (rv != CKR_OK) {
-		fprintf(stderr,
-			"C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
-		if (rv = CKR_BUFFER_TOO_SMALL)
-		    fprintf(stderr, "%d too small: %u %u %u\n", i,
-			    attr_template[0].ulValueLen,
-			    attr_template[1].ulValueLen,
-			    attr_template[2].ulValueLen);
-		error = 1;
-		continue;
-	    }
-
-	    len = attr_template[2].ulValueLen;
-	    printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
-		   i, akey[i], oclass,
-		   attr_template[1].ulValueLen, labelbuf,
-		   attr_template[2].ulValueLen);
-	    if (len == 2) {
-		id = (idbuf[0] << 8) & 0xff00;
-		id |= idbuf[1] & 0xff;
-		printf("%i\n", id);
-	    } else {
-		if (len > 8)
-		    len = 8;
-		for (j = 0; j < len; j++)
-		    printf("%02x", idbuf[j]);
-		if (attr_template[2].ulValueLen > len)
-		    printf("...\n");
-		else
-		    printf("\n");
-	    }
-	}
-    }
-
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-	error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/readkey.c b/contrib/pkcs11-keygen/readkey.c
deleted file mode 100644
index ced0fa9c0a..0000000000
--- a/contrib/pkcs11-keygen/readkey.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/* readkey [-s $slot] -l $label [-p $pin] -f $filename */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-static CK_BBOOL truevalue = TRUE;
-
-int
-main(int argc, char *argv[])
-{
-    RSA *rsa = NULL;
-    FILE *fp;
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    char *label;
-    CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
-    CK_OBJECT_CLASS kclass = CKO_PRIVATE_KEY;
-    char *filename;
-    int error = 0;
-    int i = 0;
-    int c, errflg = 0;
-    CK_ULONG ulObjectCount;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_LABEL, NULL, 0},
-        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
-	{CKA_CLASS, &kclass, sizeof (kclass)}
-    };
-    CK_BYTE id[32];
-    CK_BYTE data[8][1024];
-    CK_ATTRIBUTE attr_template[] = {
-        {CKA_ID, &id, sizeof (id)},
-	{CKA_MODULUS, (void *)data[0], 1024},          /* n */
-	{CKA_PUBLIC_EXPONENT, (void *)data[1], 1024},  /* e */
-	{CKA_PRIVATE_EXPONENT, (void *)data[2], 1024}, /* d */
-	{CKA_PRIME_1, (void *)data[3], 1024},          /* p */
-	{CKA_PRIME_2, (void *)data[4], 1024},          /* q */
-	{CKA_EXPONENT_1, (void *)data[5], 1024},       /* dmp1 */
-	{CKA_EXPONENT_2, (void *)data[6], 1024},       /* dmq1 */
-	{CKA_COEFFICIENT, (void *)data[7], 1024}       /* iqmp */
-    };
-    extern char *optarg;
-    extern int optopt;
-
-    while ((c = getopt(argc, argv, ":s:l:p:f:")) != -1) {
-        switch (c) {
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-        case 'l':
-            label = optarg;
-            break;
-        case 'p':
-            pin = (CK_UTF8CHAR *)optarg;
-            break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-	case 'f':
-	    filename = optarg;
-	    break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!label) || (!filename)) {
-        fprintf(stderr,
-		"usage: readkey [-s slot] -l label [-p pin] -f filename\n");
-        exit(1);
-    }
-    if (slot)
-        printf("slot %d\n", slot);
-
-    /* Initialize OpenSSL library */
-    OPENSSL_config(NULL);
-    rsa = RSA_new();
-    if (!rsa) {
-        fprintf(stderr, "RSA_new failed\n");
-	ERR_print_errors_fp(stderr);
-	exit(1);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
-        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-        exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-#ifndef HAVE_GETPASS
-        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-
-    /* Set search template. */
-    if (strstr(label, "pkcs11:") == label)
-        label = strstr(label, ":") + 1;
-    search_template[0].pValue = label;
-    search_template[0].ulValueLen = strlen(label);
-
-    rv = C_FindObjectsInit(hSession, search_template, 3); 
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-    
-    rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-    if (ulObjectCount == 0) {
-        fprintf(stderr, "C_FindObjects: can't find the key\n");
-	error = 1;
-	goto exit_search;
-    }
-
-    rv = C_GetAttributeValue(hSession, key, attr_template, 9);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_GetAttributeValue: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-
-    printf("ID[%u]=", attr_template[0].ulValueLen);
-    for (i = 0; i < attr_template[0].ulValueLen; i++)
-        printf("%02x", id[i]);
-    printf("\n");
-
-    if (attr_template[1].ulValueLen > 0)
-        rsa->n = BN_bin2bn(data[0], attr_template[1].ulValueLen, NULL);
-    if (attr_template[2].ulValueLen > 0)
-        rsa->e = BN_bin2bn(data[1], attr_template[2].ulValueLen, NULL);
-    if (attr_template[3].ulValueLen > 0)
-        rsa->d = BN_bin2bn(data[2], attr_template[3].ulValueLen, NULL);
-    if (attr_template[4].ulValueLen > 0)
-        rsa->p = BN_bin2bn(data[3], attr_template[4].ulValueLen, NULL);
-    if (attr_template[5].ulValueLen > 0)
-        rsa->q = BN_bin2bn(data[4], attr_template[5].ulValueLen, NULL);
-    if (attr_template[6].ulValueLen > 0)
-        rsa->dmp1 = BN_bin2bn(data[5], attr_template[6].ulValueLen, NULL);
-    if (attr_template[7].ulValueLen > 0)
-        rsa->dmq1 = BN_bin2bn(data[6], attr_template[7].ulValueLen, NULL);
-    if (attr_template[8].ulValueLen > 0)
-        rsa->iqmp = BN_bin2bn(data[7], attr_template[8].ulValueLen, NULL);
-
-    rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-    if (ulObjectCount != 0) {
-        fprintf(stderr, "C_FindObjects: found extra keys?\n");
-	error = 1;
-	goto exit_search;
-    }
-
-    printf("RSA=");
-    RSA_print_fp(stdout, rsa, 4);
-
-    fp = fopen(filename, "w");
-    if (fp == NULL) {
-        printf("Error opening output file.\n");
-	error = 1;
-	goto exit_search;
-    }
-
-    if (!PEM_write_RSAPrivateKey(fp, rsa, NULL, NULL, 0, NULL, NULL)) {
-        printf("Error writing output file.\n");
-	ERR_print_errors_fp(stderr);
-	error = 1;
-	goto exit_search;
-    }
-
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-        error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/set_key_id.c b/contrib/pkcs11-keygen/set_key_id.c
deleted file mode 100644
index 3cb1cd3a04..0000000000
--- a/contrib/pkcs11-keygen/set_key_id.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* set_key_id [-s slot] [-p $pin] -n $keytag {-i $id | -l $label} */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-int
-main(int argc, char *argv[])
-{
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE old_id[2], new_id[2];
-    CK_OBJECT_HANDLE akey;
-    int error = 0;
-    int i = 0;
-    int c, errflg = 0;
-    char *label = NULL;
-    CK_ULONG ulObjectCount;
-    int oid = 0, nid = 0;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_ID, &old_id, sizeof(old_id)}
-    };
-    extern char *optarg;
-    extern int optopt;
-
-    while ((c = getopt(argc, argv, ":s:i:n:l:p:")) != -1) {
-        switch (c) {
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-        case 'i':
-            oid = atoi(optarg);
-	    oid &= 0xffff;
-	    old_id[0] = (oid >> 8) & 0xff;
-	    old_id[1] = oid & 0xff;
-            break;
-        case 'n':
-            nid = atoi(optarg);
-	    nid &= 0xffff;
-            new_id[0] = (nid >> 8) & 0xff;
-            new_id[1] = nid & 0xff;
-            break;
-	case 'l':
-	    label = optarg;
-	    break;
-        case 'p':
-            pin = (CK_UTF8CHAR *)optarg;
-            break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!nid) || ((!oid) && (!label))) {
-        fprintf(stderr,
-		"usage: set_key_id [-s slot] [-p pin] -n new_id "
-		"{ -i old_id | -l label }\n");
-        exit(1);
-    }
-    if (!label)
-	printf("old %i new %i\n", oid, nid);
-    else {
-	printf("label %s new %i\n", label, nid);
-	search_template[0].type = CKA_LABEL;
-	search_template[0].pValue = label;
-	search_template[0].ulValueLen = strlen(label);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-        exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-#ifndef HAVE_GETPASS
-        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-
-    rv = C_FindObjectsInit(hSession, search_template, 1); 
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-    
-    ulObjectCount = 1;
-    while(ulObjectCount) {
-        rv = C_FindObjects(hSession, &akey, 1, &ulObjectCount);
-        if (rv != CKR_OK) {
-            fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-            error = 1;
-            goto exit_search;
-        } else if (ulObjectCount) {       
-            /* Set update template. */
-            CK_ATTRIBUTE new_template[] = {
-                {CKA_ID, &new_id, sizeof(new_id)}
-            };
-
-            rv = C_SetAttributeValue(hSession, akey, new_template, 1);
-            if (rv != CKR_OK) {
-                fprintf(stderr, "C_SetAttributeValue: rv = 0x%.8X\n", rv);
-                error = 1;
-            }
-        }
-    }
-
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-        error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/writekey.c b/contrib/pkcs11-keygen/writekey.c
deleted file mode 100644
index b532963d4a..0000000000
--- a/contrib/pkcs11-keygen/writekey.c
+++ /dev/null
@@ -1,355 +0,0 @@
-/* writekey [-s $slot] [-p $pin] -l $label -i $id -f $filename */
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-int
-main(int argc, char *argv[])
-{
-    ENGINE *e;
-    RSA *rsa = NULL;
-    FILE *fp;
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE new_id[2];
-    CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;
-    CK_OBJECT_CLASS kclass;
-    CK_KEY_TYPE ktype = CKK_RSA;
-    CK_ATTRIBUTE template[50];
-    CK_ULONG template_size;
-    CK_BYTE data[8][1024];
-    CK_ULONG ulObjectCount;
-    char *label = NULL, *filename = NULL;
-    int id = 0;
-    int error = 0;
-    int c, errflg = 0;
-    extern char *optarg;
-    extern int optopt;
-    
-    while ((c = getopt(argc, argv, ":s:l:i:p:f:")) != -1) {
-        switch (c) {
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-        case 'l':
-            label = optarg;
-            break;
-        case 'i':
-            id = atoi(optarg);
-	    id &= 0xffff;
-            break;
-        case 'p':
-            pin = (CK_UTF8CHAR *)optarg;
-            break;
-	case 'f':
-	    filename = optarg;
-	    break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!label) || (!id) || (!filename)) {
-        fprintf(stderr,
-		"usage: writekey [-s slot] [-p pin] -l label -i id "
-		"-f filename\n");
-        exit(2);
-    }
-    
-    /* Load the config file */
-    OPENSSL_config(NULL);
-
-    /* Register engine */
-    e = ENGINE_by_id("pkcs11");
-    if (!e) {
-        /* the engine isn't available */
-        printf("The engine isn't available\n");
-	ERR_print_errors_fp(stderr);
-        exit(1);
-    }
-    
-    if (!ENGINE_init(e)) {
-        /* the engine couldn't initialise, release 'e' */
-        printf("The engine couldn't initialise\n");
-	ERR_print_errors_fp(stderr);
-        ENGINE_free(e);
-        exit(1);
-    }
-
-    /* Read the key */
-    fp = fopen(filename, "r");
-    if (fp == NULL) {
-        printf("Error opening input file.\n");
-	ENGINE_free(e);
-	exit(1);
-    }
-
-    rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
-    (void) fclose(fp);
-    if (rsa == NULL) {
-        printf("Error reading input file.\n");
-	ERR_print_errors_fp(stderr);
-	ENGINE_free(e);
-	exit(1);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
-        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
-	ENGINE_free(e);
-	exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-#ifndef HAVE_GETPASS
-        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-   
-    /* fill the search template */
-    if (strstr(label, "pkcs11:") == label)
-        label = strstr(label, ":") + 1;
-    kclass = CKO_PRIVATE_KEY;
-    template[0].type = CKA_TOKEN;
-    template[0].pValue = &truevalue;
-    template[0].ulValueLen = sizeof (truevalue);
-    template[1].type = CKA_CLASS;
-    template[1].pValue = &kclass;
-    template[1].ulValueLen = sizeof (kclass);
-    template[2].type = CKA_LABEL;
-    template[2].pValue = label;
-    template[2].ulValueLen = strlen(label);
-
-    /* check if a key with the same label already exists */
-    rv = C_FindObjectsInit(hSession, template, 3); 
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-    rv = C_FindObjects(hSession, &key, 1, &ulObjectCount);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
-        error = 1;
-        goto exit_search;
-    }
-    if (ulObjectCount != 0) {
-        fprintf(stderr, "Key already exists.\n");
-        error = 1;
-        goto exit_search;
-    }
-    
-    /* fill attributes for the public key */
-    new_id[0] = (id >> 8) & 0xff;
-    new_id[1] = id & 0xff;
-    kclass = CKO_PUBLIC_KEY;
-    if (BN_num_bytes(rsa->n) > 1024) {
-        fprintf(stderr, "RSA modulus too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->n, data[0]);
-    if (BN_num_bytes(rsa->e) > 1024) {
-        fprintf(stderr, "RSA public exponent too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->e, data[1]);
-    if (BN_num_bytes(rsa->d) > 1024) {
-        fprintf(stderr, "RSA private exponent too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->d, data[2]);
-    if (BN_num_bytes(rsa->p) > 1024) {
-        fprintf(stderr, "RSA prime 1 too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->p, data[3]);
-    if (BN_num_bytes(rsa->q) > 1024) {
-        fprintf(stderr, "RSA prime 2 too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->q, data[4]);
-    if (BN_num_bytes(rsa->dmp1) > 1024) {
-        fprintf(stderr, "RSA exponent 1 too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->dmp1, data[5]);
-    if (BN_num_bytes(rsa->dmq1) > 1024) {
-        fprintf(stderr, "RSA exponent 2 too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->dmq1, data[6]);
-    if (BN_num_bytes(rsa->iqmp) > 1024) {
-        fprintf(stderr, "RSA coefficient too large\n");
-	error = 1;
-	goto exit_search;
-    }
-    BN_bn2bin(rsa->iqmp, data[7]);
-
-    template[0].type = CKA_TOKEN;
-    template[0].pValue = &truevalue;
-    template[0].ulValueLen = sizeof (truevalue);
-    template[1].type = CKA_CLASS;
-    template[1].pValue = &kclass;
-    template[1].ulValueLen = sizeof (kclass);
-    template[2].type = CKA_LABEL;
-    template[2].pValue = label;
-    template[2].ulValueLen = strlen(label);
-    template[3].type = CKA_ID;
-    template[3].pValue = new_id;
-    template[3].ulValueLen = sizeof (new_id);
-    template[4].type = CKA_KEY_TYPE;
-    template[4].pValue = &ktype;
-    template[4].ulValueLen = sizeof (ktype);
-    template[5].type = CKA_ENCRYPT;
-    template[5].pValue = &truevalue;
-    template[5].ulValueLen = sizeof (truevalue);
-    template[6].type = CKA_VERIFY;
-    template[6].pValue = &truevalue;
-    template[6].ulValueLen = sizeof (truevalue);
-    template[7].type = CKA_VERIFY_RECOVER;
-    template[7].pValue = &truevalue;
-    template[7].ulValueLen = sizeof (truevalue);
-    template[8].type = CKA_MODULUS;
-    template[8].pValue = data[0];
-    template[8].ulValueLen = BN_num_bytes(rsa->n);
-    template[9].type = CKA_PUBLIC_EXPONENT;
-    template[9].pValue = data[1];
-    template[9].ulValueLen = BN_num_bytes(rsa->e);
-
-    rv = C_CreateObject(hSession, template, 10, &key);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_CreateObject (pub): Error = 0x%.8X\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-
-    /* fill attributes for the private key */
-    kclass = CKO_PRIVATE_KEY;
-    template[0].type = CKA_TOKEN;
-    template[0].pValue = &truevalue;
-    template[0].ulValueLen = sizeof (truevalue);
-    template[1].type = CKA_CLASS;
-    template[1].pValue = &kclass;
-    template[1].ulValueLen = sizeof (kclass);
-    template[2].type = CKA_LABEL;
-    template[2].pValue = label;
-    template[2].ulValueLen = strlen(label);
-    template[3].type = CKA_ID;
-    template[3].pValue = new_id;
-    template[3].ulValueLen = sizeof (new_id);
-    template[4].type = CKA_KEY_TYPE;
-    template[4].pValue = &ktype;
-    template[4].ulValueLen = sizeof (ktype);
-    template[5].type = CKA_SENSITIVE;
-    template[5].pValue = &falsevalue;
-    template[5].ulValueLen = sizeof (falsevalue);
-    template[6].type = CKA_EXTRACTABLE;
-    template[6].pValue = &truevalue;
-    template[6].ulValueLen = sizeof (truevalue);
-    template[7].type = CKA_DECRYPT;
-    template[7].pValue = &truevalue;
-    template[7].ulValueLen = sizeof (truevalue);
-    template[8].type = CKA_SIGN;
-    template[8].pValue = &truevalue;
-    template[8].ulValueLen = sizeof (truevalue);
-    template[9].type = CKA_SIGN_RECOVER;
-    template[9].pValue = &truevalue;
-    template[9].ulValueLen = sizeof (truevalue);
-    template[10].type = CKA_MODULUS;
-    template[10].pValue = data[0];
-    template[10].ulValueLen = BN_num_bytes(rsa->n);
-    template[11].type = CKA_PUBLIC_EXPONENT;
-    template[11].pValue = data[1];
-    template[11].ulValueLen = BN_num_bytes(rsa->e);
-    template[12].type = CKA_PRIVATE_EXPONENT;
-    template[12].pValue = data[2];
-    template[12].ulValueLen = BN_num_bytes(rsa->d);
-    template[13].type = CKA_PRIME_1;
-    template[13].pValue = data[3];
-    template[13].ulValueLen = BN_num_bytes(rsa->p);
-    template[14].type = CKA_PRIME_2;
-    template[14].pValue = data[4];
-    template[14].ulValueLen = BN_num_bytes(rsa->q);
-    template[15].type = CKA_EXPONENT_1;
-    template[15].pValue = data[5];
-    template[15].ulValueLen = BN_num_bytes(rsa->dmp1);
-    template[16].type = CKA_EXPONENT_2;
-    template[16].pValue = data[6];
-    template[16].ulValueLen = BN_num_bytes(rsa->dmq1);
-    template[17].type = CKA_COEFFICIENT;
-    template[17].pValue = data[7];
-    template[17].ulValueLen = BN_num_bytes(rsa->iqmp);
-
-    rv = C_CreateObject(hSession, template, 18, &key);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_CreateObject (priv): Error = 0x%.8X\n", rv);
-	(void) C_DestroyObject(hSession, key);
-	error = 1;
-	goto exit_search;
-    }
-
- exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
-        error = 1;
-    }
-
- exit_session:
-    (void) C_CloseSession(hSession);
-
- exit_program:
-    (void) C_Finalize(NULL_PTR);
-    ENGINE_free(e);
-    ENGINE_cleanup();
-
-    exit(error);
-}
diff --git a/contrib/pkcs11-keygen/writekey.sh b/contrib/pkcs11-keygen/writekey.sh
deleted file mode 100755
index 9b235d090a..0000000000
--- a/contrib/pkcs11-keygen/writekey.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash --debug
-
-usage="Usage: $0 -x ext -p pin -f keyrootname"
-tmp_file=/tmp/cur_pem.$$
-while getopts ":x:p:f:" opt; do
-  case $opt in
-    x  ) ext=$OPTARG ;;
-    p  ) pin=$OPTARG ;;
-    f  ) root=$OPTARG ;;
-    \? ) echo $usage 
-	 exit 1 ;;
-   esac
-done
-shift $(($OPTIND -1))
-
-if [ ! "$ext" -o ! "$pin" -o ! "$root" ] ; then
-  echo $usage
-  exit 1
-fi
-
-keyfile=${root}.key
-privfile=${root}.private
-file=`basename $root | sed 's/^K//'`
-zone=`echo $file | awk -F+ '{ print $1 }' | sed 's/\.$//'`
-algo=`echo $file | awk -F+ '{ print $2 }'`
-tag=`echo $file | awk -F+ '{ print $3 }'`
-
-# debug
-echo 'zone: ' $zone
-echo 'algo: ' $algo
-echo 'tag: ' $tag
-
-if [ ! -r "$keyfile" ] ; then
-  echo "can't read " $keyfile
-  exit 1
-fi
-if [ ! -r "$privfile" ] ; then
-  echo "can't read " $privfile
-  exit 1
-fi
-
-if [ "$algo" != "005" ] ; then
-  echo 'algorithm must be 005'
-  exit 1
-fi
-
-# for testing
-mypath=.
-
-echo 'Reading key files'
-flag=`$mypath/keydump.pl -k $keyfile -p $privfile -o $tmp_file`
-
-if [ "$flag" = "256" ] ; then
-  label=$zone,zsk,$ext
-elif [ "$flag" = "257" ] ; then
-  label=$zone,ksk,$ext
-else
-  echo 'flag must be 256 or 257'
-  rm $tmp_file
-  exit 1
-fi
-
-echo "Label will be '"$label"'"
-$mypath/writekey -p $pin -l $label -i $tag -f $tmp_file
-
-rm $tmp_file
-
-echo 'Now you can add at the end of ' $privfile
-/usr/bin/perl <
Date: Wed, 23 Sep 2009 10:56:33 +0000
Subject: [PATCH 191/385] adjust 2680 (RT #20067)

---
 CHANGES | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index bf48ca9418..2f8db4def3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,8 +11,7 @@
 2681.	[bug]		IPSECKEY RR of gateway type 3 was not correctly
 			decoded. [RT #20269]
 
-2680.	[func]		Move some contrib/pkcs11-keygen to bin/pkcs11.
-			[RT #20067]
+2680.	[func]		Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
 
 2679.	[func]		dig -k can now accept TSIG keys in named.conf
 			format.  [RT #20031]

From 40d3bb52b628ca40052ff93de549219001d4afc1 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 11:09:38 +0000
Subject: [PATCH 192/385] adjust for RT #20067

---
 README.pkcs11 | 46 +++++++++++++---------------------------------
 1 file changed, 13 insertions(+), 33 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index 72103732eb..81bd4176a9 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -135,7 +135,8 @@ library must be specified via configure.
 
         cd ../bind-9.7.0a3
         ./configure CC="gcc -m32" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr
+            --with-openssl=/opt/pkcs11/usr \
+            --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
 
     EXAMPLE 4--CONFIGURING BIND 9 FOR SOLARIS
 
@@ -144,7 +145,8 @@ library must be specified via configure.
 
         cd ../bind-9.7.0a3
         ./configure CC="cc -xarch=amd64" --enable-threads \
-            --with-openssl=/opt/pkcs11/usr
+            --with-openssl=/opt/pkcs11/usr \
+            -with-pkcs11=/usr/lib/64/libpkcs11.so
 
     (For a 32-bit build, omit CC="cc -xarch=amd64".)
 
@@ -157,34 +159,12 @@ After configuring, run "make", "make test" and "make install".
 
 PKCS #11 TOOLS
 
-The contrib/pkcs11-keygen directory contains a set of experimental
-tools to operate an HSM for the benefit of BIND 9, including "genkey" to
-generate a new key pair within the HSM, and "listobjs" to list keys
-currently available.
+The bin/pkcs11 directory contains a set of tools to operate an HSM for
+the benefit of BIND 9, including "pkcs11-keygen" to generate a new key
+pair within the HSM, "pkcs11-list" to list objects currently available
+and "pkcs11-destroy" to remove objects.
 
-These tools are not yet complete, not documented, and not supported
-by ISC.  As of BIND 9.7.0a3, they still lack such basic amenities as
-a Makefile.  Other commercial or open-source PKCS #11 tools may be
-available which are better-suited to the job.  However, in the
-absence of those tools, the ones provided in contrib/pkcs11-keygen
-can get you started.
-
-    EXAMPLE 5--BUILDING TOOLS ON LINUX:
-
-    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
-        genkey.c -o genkey -lpkcs11
-    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
-        listobjs.c -o listobjs -lpkcs11
-    gcc -m32 -DHAVE_GETPASS -I. -L /opt/pkcs11/usr/lib \
-        destroyobj.c -o destroyobj -lpkcs11
-    cd ../..
-
-    EXAMPLE 6--BUILDING TOOLS ON SOLARIS WITH SCA 6000:
-
-    cc -I. genkey.c -o genkey -lpkcs11
-    cc -I. listobjs.c -o listobjs -lpkcs11
-    cc -I. destroyobj.c -o destroyobj -lpkcs11
-    cd ../..
+<<>>
 
 USING THE HSM
 
@@ -201,17 +181,17 @@ for use by PKCS #11 provider library.  If the machine file is in
     export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
 
 These environment variables must be set whenever running any tool
-which uses the HSM, including genkey, listobjs, destroyobj,
+which uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy,
 dnssec-keyfromlabel, dnssec-signzone, and named.
 
 We can now create and use keys in the HSM.  In this case, we will
 create a 2048 bit key and give it the label "sample-ksk":
 
-    contrib/pkcs11-keygen/genkey -b 2048 -l sample-ksk
+    pkcs11-keygen -b 2048 -l sample-ksk
 
 To confirm that the key exists:
 
-    contrib/pkcs11-keygen/listobjs
+    pkcs11-list
     Enter PIN:
     object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] 
     object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] 
@@ -239,7 +219,7 @@ key, follow the same procedure above, using a different keylabel, a
 smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel
 arguments:
 
-    contrib/pkcs11-keygen/genkey -b 1024 -l sample-zsk
+    pkcs11-keygen -b 1024 -l sample-zsk
     dnssec-keyfromlabel -a NSEC3RSASHA1 -l pkcs11:sample-zsk example.net
 
 Alternatively, you may prefer to generate a conventional on-disk key, using

From 6839f8b6dffbecfe06b846b2f8253ed3a2232c85 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 11:16:50 +0000
Subject: [PATCH 193/385] cleanup USE_EVP_RSA (RT #20044)

---
 lib/dns/dst_internal.h    | 4 ++--
 lib/dns/opensslrsa_link.c | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index c597a6beff..69ea338310 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.17 2009/09/03 04:09:58 marka Exp $ */
+/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -100,7 +100,7 @@ struct dst_key {
 		void *generic;
 		gss_ctx_id_t gssctx;
 #ifdef OPENSSL
-#if USE_EVP_RSA
+#if !defined(USE_EVP) || !USE_EVP
 		RSA *rsa;
 #endif
 		DSA *dsa;
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 828ca3bd6f..13f6b944be 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,15 +17,12 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.27 2009/09/07 12:54:59 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
 #define USE_EVP 1
 #endif
-#if USE_EVP
-#define USE_EVP_RSA 1
-#endif
 
 #include 
 

From 484076c3255e0cc5b179ad736cd930900e4bb06b Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Wed, 23 Sep 2009 13:27:59 +0000
Subject: [PATCH 194/385] move to zkt 0,99c (RT #20054)

---
 CHANGES                                       |    2 +
 contrib/zkt/CHANGELOG                         |   56 +-
 contrib/zkt/Makefile.in                       |   56 +-
 contrib/zkt/README                            |   11 +-
 contrib/zkt/README.logging                    |    1 +
 contrib/zkt/TODO                              |   11 +-
 contrib/zkt/config.h.in                       |   12 +-
 contrib/zkt/config_zkt.h                      |   22 +-
 contrib/zkt/configure                         | 5675 +++++++++--------
 contrib/zkt/configure.ac                      |  142 +
 contrib/zkt/dki.c                             |   64 +-
 contrib/zkt/dki.h                             |    2 +
 contrib/zkt/dnssec-signer.c                   |  244 +-
 contrib/zkt/dnssec-zkt.c                      |    8 +-
 contrib/zkt/doc/KeyRollover.ms                |   95 +
 contrib/zkt/doc/KeyRollover.ps                |  304 +
 .../draft-gudmundsson-life-of-dnskey-00.txt   |  616 ++
 .../doc/draft-ietf-dnsop-rfc4641bis-01.txt    | 2128 ++++++
 contrib/zkt/doc/rfc4641.txt                   | 1963 ++++++
 contrib/zkt/doc/rfc5011.txt                   |  787 +++
 contrib/zkt/examples/flat/dist.sh             |    4 +-
 contrib/zkt/examples/flat/dnssec-signer.sh    |   14 +
 contrib/zkt/examples/flat/dnssec.conf         |    8 +-
 .../example.net/Kexample.net.+005+04157.key   |    3 -
 .../Kexample.net.+005+04157.private           |   10 -
 ...lished => Kexample.net.+005+07308.private} |    0
 .../example.net/Kexample.net.+005+24545.key   |    3 +
 .../Kexample.net.+005+24545.published         |   10 +
 .../example.net/Kexample.net.+005+33840.key   |    3 +
 .../Kexample.net.+005+33840.published         |   10 +
 .../Kexample.net.+005+34925.depreciated       |   10 +
 .../example.net/Kexample.net.+005+34925.key   |    3 +
 .../example.net/Kexample.net.+005+48089.key   |    3 +
 .../Kexample.net.+005+48089.private           |   10 +
 .../zkt/examples/flat/example.net/dnskey.db   |   44 +-
 .../flat/example.net/dsset-example.net.       |    4 +-
 ...+01764.key => kexample.net.+005+01764.key} |    3 +-
 ...rivate => kexample.net.+005+01764.private} |    0
 .../flat/example.net/keyset-example.net.      |   18 +-
 contrib/zkt/examples/flat/example.net/zone.db |    2 +-
 .../examples/flat/example.net/zone.db.signed  |  267 +-
 .../flat/keysets/dlvset-sub.example.net.      |    4 +-
 .../examples/flat/keysets/dsset-example.net.  |    4 +-
 .../flat/keysets/dsset-sub.example.net.       |    4 +-
 .../examples/flat/keysets/keyset-example.net. |   18 +-
 .../flat/keysets/keyset-sub.example.net.      |   12 +-
 contrib/zkt/examples/flat/named.conf          |   12 +-
 .../Ksub.example.net.+006+04710.key           |    3 -
 .../Ksub.example.net.+006+04710.published     |    7 -
 .../Ksub.example.net.+006+05823.key           |    3 -
 .../Ksub.example.net.+006+05823.private       |    7 -
 .../Ksub.example.net.+006+22440.depreciated   |    7 -
 .../Ksub.example.net.+006+22440.key           |    3 -
 .../Ksub.example.net.+007+14600.depreciated   |   10 +
 .../Ksub.example.net.+007+14600.key           |    3 +
 .../Ksub.example.net.+007+18846.key           |    3 -
 .../Ksub.example.net.+007+18846.private       |   10 -
 .../Ksub.example.net.+007+32345.key           |    3 +
 .../Ksub.example.net.+007+32345.private       |   10 +
 .../Ksub.example.net.+007+48516.key           |    3 +
 .../Ksub.example.net.+007+48516.private       |   10 +
 .../examples/flat/sub.example.net/dnskey.db   |   52 +-
 .../examples/flat/sub.example.net/dnssec.conf |    4 +-
 .../flat/sub.example.net/zone.db.signed       |  201 +-
 contrib/zkt/examples/flat/zkt.log             |  892 +++
 .../de/example.de/Kexample.de.+005+11327.key  |    3 -
 .../example.de/Kexample.de.+005+11327.private |   10 -
 .../de/example.de/Kexample.de.+005+55529.key  |    3 +
 .../example.de/Kexample.de.+005+55529.private |   10 +
 .../hierarchical/de/example.de/dnskey.db      |   14 +-
 .../de/example.de/keyset-sub.example.de.      |   10 +-
 .../Ksub.example.de.+001+04031.key            |    3 -
 .../Ksub.example.de.+001+04031.published      |   10 -
 .../Ksub.example.de.+001+11091.key            |    3 +
 .../Ksub.example.de.+001+11091.published      |   10 +
 .../Ksub.example.de.+001+38598.key            |    3 +
 .../Ksub.example.de.+001+38598.private        |   10 +
 .../Ksub.example.de.+001+39146.key            |    3 -
 .../Ksub.example.de.+001+39146.private        |   10 -
 .../Ksub.example.de.+001+59924.depreciated    |   10 -
 .../Ksub.example.de.+001+59924.key            |    3 -
 .../Ksub.example.de.+001+60332.key            |    3 +
 .../Ksub.example.de.+001+60332.private        |   10 +
 .../Ksub.example.de.+005+24426.key            |    3 +
 .../Ksub.example.de.+005+24426.private        |   10 +
 .../Ksub.example.de.+005+26451.key            |    3 +
 .../Ksub.example.de.+005+26451.private        |   10 +
 .../Ksub.example.de.+005+37547.key            |    3 +
 .../Ksub.example.de.+005+37547.private        |   10 +
 .../Ksub.example.de.+005+57863.key            |    3 +
 .../Ksub.example.de.+005+57863.published      |   10 +
 .../sub.example.de/dlvset-sub.example.de.     |   10 +-
 .../de/example.de/sub.example.de/dnskey.db    |   68 +-
 .../sub.example.de/dsset-sub.example.de.      |   10 +-
 .../sub.example.de/keyset-sub.example.de.     |   33 +-
 ...785.key => ksub.example.de.+005+31785.key} |    0
 ...ate => ksub.example.de.+005+31785.private} |    0
 ...595.key => ksub.example.de.+005+56595.key} |    0
 ...ate => ksub.example.de.+005+56595.private} |    0
 .../sub.example.de/parent-sub.example.de.     |   10 +-
 .../de/example.de/sub.example.de/zone.db      |    2 +-
 .../example.de/sub.example.de/zone.db.signed  |  297 +-
 .../hierarchical/de/example.de/zone.db        |    2 +-
 .../hierarchical/de/example.de/zone.db.signed |  174 +-
 contrib/zkt/man/dnssec-signer.8               |   36 +-
 contrib/zkt/man/dnssec-signer.8.html          |  151 +-
 contrib/zkt/man/dnssec-signer.8.pdf           |  Bin 0 -> 12482 bytes
 contrib/zkt/man/dnssec-zkt.8                  |   22 +-
 contrib/zkt/man/dnssec-zkt.8.html             |   99 +-
 contrib/zkt/man/dnssec-zkt.8.pdf              |  Bin 0 -> 12950 bytes
 contrib/zkt/misc.c                            |  266 +-
 contrib/zkt/misc.h                            |    5 +-
 contrib/zkt/ncparse.c                         |   20 +-
 contrib/zkt/ncparse.h                         |    2 +-
 contrib/zkt/nscomm.c                          |  203 +
 contrib/zkt/nscomm.h                          |   52 +
 contrib/zkt/rollover.c                        |   87 +-
 contrib/zkt/soaserial.c                       |  269 +
 contrib/zkt/soaserial.h                       |   41 +
 contrib/zkt/tags                              |  131 +-
 contrib/zkt/zconf.c                           |   77 +-
 contrib/zkt/zconf.h                           |   36 +-
 122 files changed, 12116 insertions(+), 4080 deletions(-)
 create mode 100644 contrib/zkt/configure.ac
 create mode 100644 contrib/zkt/doc/KeyRollover.ms
 create mode 100644 contrib/zkt/doc/KeyRollover.ps
 create mode 100644 contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
 create mode 100644 contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
 create mode 100644 contrib/zkt/doc/rfc4641.txt
 create mode 100644 contrib/zkt/doc/rfc5011.txt
 create mode 100755 contrib/zkt/examples/flat/dnssec-signer.sh
 delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key
 delete mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private
 rename contrib/zkt/examples/flat/example.net/{Kexample.net.+005+07308.published => Kexample.net.+005+07308.private} (100%)
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
 create mode 100644 contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
 rename contrib/zkt/examples/flat/example.net/{Kexample.net.+005+01764.key => kexample.net.+005+01764.key} (72%)
 rename contrib/zkt/examples/flat/example.net/{Kexample.net.+005+01764.private => kexample.net.+005+01764.private} (100%)
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key
 delete mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
 create mode 100644 contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated
 delete mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
 create mode 100644 contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
 rename contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/{Ksub.example.de.+005+31785.key => ksub.example.de.+005+31785.key} (100%)
 rename contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/{Ksub.example.de.+005+31785.private => ksub.example.de.+005+31785.private} (100%)
 rename contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/{Ksub.example.de.+005+56595.key => ksub.example.de.+005+56595.key} (100%)
 rename contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/{Ksub.example.de.+005+56595.private => ksub.example.de.+005+56595.private} (100%)
 create mode 100644 contrib/zkt/man/dnssec-signer.8.pdf
 create mode 100644 contrib/zkt/man/dnssec-zkt.8.pdf
 create mode 100644 contrib/zkt/nscomm.c
 create mode 100644 contrib/zkt/nscomm.h
 create mode 100644 contrib/zkt/soaserial.c
 create mode 100644 contrib/zkt/soaserial.h

diff --git a/CHANGES b/CHANGES
index 2f8db4def3..23b7222951 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
+
 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
 			+adflag and +cdflag.  [RT #19305]
 
diff --git a/contrib/zkt/CHANGELOG b/contrib/zkt/CHANGELOG
index 33db8ee326..423797f990 100644
--- a/contrib/zkt/CHANGELOG
+++ b/contrib/zkt/CHANGELOG
@@ -1,4 +1,58 @@
-zkt 0.98 -- 30. Dec 2008
+zkt 0.99c -- 1. Aug 2009
+
+* misc	dnssec-signer command line option vars changed to storage
+	class static.
+
+* port	setenv() replaced by putenv() in misc.c
+
+* misc	Install binaries in prefix/bin instead of $HOME/bin.
+	Fixing some spelling errors in dnssec-signzone.8 and
+	dnssec-zkt.8.
+	Thanks to Mans Nilsson.
+
+* port	timegm() check added to configure.ac
+
+* misc	configure.ac, Makefile.in, and doc is now part of distribution
+
+* bug	off by one error fixed in splitpath()
+
+* misc	is_dotfile() renamed to is_dotfilename() (misc.c)
+
+* misc	inc_soaserial() sourced out to soaserial.c
+
+* misc	reload() functions sourced out to nscomm.c
+
+* bug	Introducing parameter "KeyAlgorithm" for both ZSK and
+	KSK keys instead of separate KSK and ZSK algorithms.
+	New functions dki_algo() and dki_findalgo().
+
+* bug	Redirect stderr message (additionally to stdout) of
+	dnssec-signzone command to pipe.
+	Pick up last line of output for logging.
+
+* misc	"Sig_GenerateDS" is no longer a hidden parameter.
+
+* misc	"make clean" now remove the binary files
+	New target "distclean" added to Makefile
+
+* bug	Wrong typecast in zconf.c parsing CONF_TIMEINT (Thanks to Frederick
+	Soderblum and Peter Norin for the patch)
+	Changed all TIMEINT parameter values to long.
+
+* bug	If someone changes the zone.db file in dynamic mode, this will be treated
+	the same way as an initial setup, so the zone.db file will be used as new
+	input file (Thanks to Shane Wegner for this patch)
+
+* bug	Option nsec3_param added to dnssec-signzone command for dynamic zones.
+
+* func	New option "NamedChrootDir" added to dnssec.conf to specify the
+	directory of a chrooted named. Without such an option
+	"dnssec-signer -N named.conf" couldn't find the zone file directory.
+
+* misc 	Default ZSK lifetime set to 12 weeks instead of 3 months (30days) to
+	suppress the warning message about ZSK keysize of 512 bits.
+
+zkt 0.98 -- 28. Dec 2008
 
 * misc 	Target "install-man" added to Makefile
 	man files moved to sub directory "man"
diff --git a/contrib/zkt/Makefile.in b/contrib/zkt/Makefile.in
index 2de9427c9e..7c61450e50 100644
--- a/contrib/zkt/Makefile.in
+++ b/contrib/zkt/Makefile.in
@@ -6,7 +6,6 @@
 
 prefix	=	@prefix@
 mandir	=	@mandir@
-INSTALL_DIR =	$$HOME/bin
 
 CC	=	@CC@
 
@@ -25,11 +24,12 @@ VERSION =	@PACKAGE_VERSION@
 
 HEADER	=	dki.h misc.h domaincmp.h zconf.h config_zkt.h \
 		config.h.in strlist.h zone.h zkt.h debug.h \
-		ncparse.h log.h rollover.h
+		ncparse.h log.h rollover.h nscomm.h soaserial.h
 SRC_ALL	=	dki.c misc.c domaincmp.c zconf.c log.c
 OBJ_ALL	=	$(SRC_ALL:.c=.o)
 
-SRC_SIG	=	dnssec-signer.c zone.c ncparse.c rollover.c
+SRC_SIG	=	dnssec-signer.c zone.c ncparse.c rollover.c \
+		nscomm.c soaserial.c
 OBJ_SIG	=	$(SRC_SIG:.c=.o)
 MAN_SIG	=	dnssec-signer.8
 PROG_SIG=	dnssec-signer
@@ -47,17 +47,18 @@ PROG_SER=	zkt-soaserial
 MAN_ALL	=	$(MAN_ZKT) $(MAN_SIG) #$(MAN_SER)
 OTHER	=	README README.logging TODO LICENSE CHANGELOG tags Makefile.in \
 		configure examples
-SAVE	=	$(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) man $(OTHER)
-MNTSAVE	=	$(SAVE) configure.ac config.h.in doc 
+SAVE	=	$(HEADER) $(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(OTHER) \
+		man configure.ac config.h.in doc
+#MNTSAVE	=	$(SAVE) configure.ac config.h.in doc 
 
 
 all:	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
 
-macos:		## for MAC OS
+macos:		## for MAC OS (depreciated)
 macos:
 	$(MAKE) CFLAGS="$(CFLAGS) -D HAS_UTYPES=0" all
 
-solaris:	## for solaris
+solaris:	## for solaris (depreciated)
 solaris:
 	@$(MAKE) CFLAGS="$(CFLAGS) -D HAVE_GETOPT_LONG=0" all
 
@@ -74,13 +75,16 @@ $(PROG_ZKT):	$(OBJ_ZKT) $(OBJ_ALL) Makefile
 $(PROG_SER):	$(OBJ_SER) Makefile
 	$(CC) $(LDFLAGS) $(OBJ_SER) -o $(PROG_SER)
 
-install:	## install binaries in INSTALL_DIR
+install:	## install binaries in prefix/bin
 install:	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
-	cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(INSTALL_DIR)
+		test -d $(prefix)/bin || mkdir -p $(prefix)/bin
+		cp $(PROG_ZKT) $(PROG_SIG) $(PROG_SER) $(prefix)/bin/
 
 install-man:	## install man pages in mandir
 install-man:
-	test -d $(mandir)/man8/ && cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
+	test -d $(mandir)/man8/ || mkdir -p $(mandir)/man8/
+	cp -p man/$(MAN_ZKT) man/$(MAN_SIG) $(mandir)/man8/
+
 
 
 tags:		## create tags file
@@ -89,20 +93,19 @@ tags:	$(SRC_ALL) $(SRC_SIG) $(SRC_ZKT) $(SRC_SER)
 
 clean:		## remove objectfiles and binaries
 clean:
-	rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL)
+	-rm -f $(OBJ_SIG) $(OBJ_ZKT) $(OBJ_SER) $(OBJ_ALL) \
+	$(PROG_ZKT) $(PROG_SIG) $(PROG_SER)
+
+distclean:	## remove objectfiles, binaries and distribution files
+distclean:	clean
+	-rm -f Makefile config.h config.log config.status config.cache \
+	$(PROJECT)-$(VERSION).tar.gz
 
-dist:		## create tar file for distribution
-dist:	$(PROJECT)-$(VERSION).tar.gz
 tar:		## create tar file for distribution
 tar:	$(PROJECT)-$(VERSION).tar.gz
 
-maintain:	## create configure script
-maintain:	configure
-
-mainttar:	## create tar file for maintenance
-mainttar:	$(PROJECT)-maint-$(VERSION).tar.gz
-
-configure:	configure.ac
+configure:	## create configure script
+configure:	configure.ac Makefile.in
 	autoconf && autoheader
 
 man:	man/$(MAN_ZKT).html man/$(MAN_ZKT).pdf man/$(MAN_SIG).html man/$(MAN_SIG).pdf
@@ -124,12 +127,6 @@ $(PROJECT)-$(VERSION).tar.gz:	$(SAVE)
 		cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-$(VERSION).tar.gz $$distfiles ;\
 	)
 
-$(PROJECT)-maint-$(VERSION).tar.gz:	$(MNTSAVE)
-	(	\
-		distfiles=`ls -d $(MNTSAVE) | sed 's|^|$(PROJECT)-$(VERSION)/|'` ;\
-		cd .. && tar czvf $(PROJECT)-$(VERSION)/$(PROJECT)-maint-$(VERSION).tar.gz $$distfiles ;\
-	)
-
 depend:
 	$(CC) -MM $(SRC_SIG) $(SRC_ZKT) $(SRC_SER) $(SRC_ALL)
 
@@ -138,14 +135,17 @@ help:
 
 ## all dependicies
 #:r !make depend
-#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
+#gcc -MM dnssec-signer.c zone.c ncparse.c rollover.c nscomm.c soaserial.c dnssec-zkt.c strlist.c zkt.c zkt-soaserial.c dki.c misc.c domaincmp.c zconf.c log.c
 dnssec-signer.o: dnssec-signer.c config_zkt.h zconf.h debug.h misc.h \
-  ncparse.h zone.h dki.h rollover.h log.h
+  ncparse.h nscomm.h zone.h dki.h log.h soaserial.h rollover.h
 zone.o: zone.c config_zkt.h debug.h domaincmp.h misc.h zconf.h dki.h \
   zone.h
 ncparse.o: ncparse.c debug.h misc.h zconf.h log.h ncparse.h
 rollover.o: rollover.c config_zkt.h zconf.h debug.h misc.h zone.h dki.h \
   log.h rollover.h
+nscomm.o: nscomm.c config_zkt.h zconf.h nscomm.h zone.h dki.h log.h \
+  misc.h debug.h
+soaserial.o: soaserial.c config_zkt.h zconf.h log.h debug.h soaserial.h
 dnssec-zkt.o: dnssec-zkt.c config_zkt.h debug.h misc.h zconf.h strlist.h \
   dki.h zkt.h
 strlist.o: strlist.c strlist.h
diff --git a/contrib/zkt/README b/contrib/zkt/README
index 2009a44e15..de95c08e36 100644
--- a/contrib/zkt/README
+++ b/contrib/zkt/README
@@ -1,7 +1,7 @@
 #
 #	README  dnssec zone key tool
 #
-#	(c) March 2005 - Dec 2008 by  Holger Zuleger  hznet
+#	(c) March 2005 - Aug 2009 by  Holger Zuleger  hznet
 #	(c) for domaincmp Aug 2005 by Karle Boss & H. Zuleger (kaho)
 #	(c) for zconf.c by Jeroen Masar & Holger Zuleger
 #
@@ -16,13 +16,13 @@ The complete software stands under BSD licence (see LICENCE file)
 
 To build the software:
 a) Get the current version of zkt
-	$ wget http://www.hznet.de/dns/zkt/zkt-0.98.tar.gz
+	$ wget http://www.hznet.de/dns/zkt/zkt-0.99c.tar.gz
 
 b) Unpack
-	$ tar xzvf zkt-0.98.tar.gz
+	$ tar xzvf zkt-0.99c.tar.gz
 
 c) Change to dir
-	$ cd zkt-0.98
+	$ cd zkt-0.99c
 
 d) Run configure script
 	$ ./configure
@@ -33,7 +33,8 @@ f) Compile
 	$ make
 
 g) Install
-	$ make install	# this will copy the binarys to $HOME/bin
+	# make install
+	# make install-man
 
 h) (optional) Install and modify the default dnssec.conf file 
 	$ ./dnssec-zkt -c "" -Z > /var/named/dnssec.conf
diff --git a/contrib/zkt/README.logging b/contrib/zkt/README.logging
index e130751373..dc9293a9ca 100644
--- a/contrib/zkt/README.logging
+++ b/contrib/zkt/README.logging
@@ -55,6 +55,7 @@ Current logging messages:
 		Start and stop of dnssec-signer
 		Re-signing events 
 		Key rollover events
+		KSK key generation and revoking
 		Zone reload resp. freeze/thaw of dynamic zone
 	LG_INFO: Currently none
 		planned:
diff --git a/contrib/zkt/TODO b/contrib/zkt/TODO
index fc532105e8..12abdb059b 100644
--- a/contrib/zkt/TODO
+++ b/contrib/zkt/TODO
@@ -1,16 +1,15 @@
-TODO list as of zkt-0.97
+TODO list as of zkt-0.99
 
 general:
 	Renaming of the tools to zkt-* ? 
 
 dnssec-zkt:
  feat	option to specify the key age as remaining lifetime
-	(Option -i inverse age ?) As of v0.95 the key lifetime
-	is stored at the key itself, so this could be possibly
-	implemented without big effort(?).
+	(Option -i inverse age ?).
 
 dnssec-signer:
- bug	Distribute_Cmd will not work properly on dynamic zones
+ bug	Distribute_Cmd wouldn't work properly on dynamic zones
+ 	(missing freeze, thaw; copy Keyfiles instead of signed zone file)
 
  bug	Automatic KSK rollover of dynamic zones will only work if the parent
  	uses the standard name for the signed zonefile (zonefile.db.signed).
@@ -19,7 +18,7 @@ dnssec-signer:
  	(Key removal is not recognized by dosigning () function )
 
  bug	There is no online checking of the key material by design.
- 	So the signer command checks the status of the key as they
+ 	The signer command checks the status of the key as they
 	are represented in the file system and not in the zone.
 	The dnssec maintainer is responsible for the lifeliness of the
 	data in the hosted domain.
diff --git a/contrib/zkt/config.h.in b/contrib/zkt/config.h.in
index fa6ef0fafa..76b786b15f 100644
--- a/contrib/zkt/config.h.in
+++ b/contrib/zkt/config.h.in
@@ -34,6 +34,9 @@
 /* Define to 1 if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
 
+/* Define to 1 if you have the `getuid' function. */
+#undef HAVE_GETUID
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_INTTYPES_H
 
@@ -53,8 +56,8 @@
 /* Define to 1 if you have the  header file. */
 #undef HAVE_NETDB_H
 
-/* Define to 1 if you have the `setenv' function. */
-#undef HAVE_SETENV
+/* Define to 1 if you have the `putenv' function. */
+#undef HAVE_PUTENV
 
 /* Define to 1 if you have the `socket' function. */
 #undef HAVE_SOCKET
@@ -119,6 +122,9 @@
 /* Define to 1 if you have the  header file. */
 #undef HAVE_SYS_TYPES_H
 
+/* Define to 1 if you have the `timegm' function. */
+#undef HAVE_TIMEGM
+
 /* Define to 1 if you have the `tzset' function. */
 #undef HAVE_TZSET
 
@@ -198,7 +204,7 @@
 /* Define to rpl_malloc if the replacement function should be used. */
 #undef malloc
 
-/* Define to `unsigned' if  does not define. */
+/* Define to `unsigned int' if  does not define. */
 #undef size_t
 
 /* Define to `unsigned char' if  does not define. */
diff --git a/contrib/zkt/config_zkt.h b/contrib/zkt/config_zkt.h
index 96c0d890c3..b1035293a4 100644
--- a/contrib/zkt/config_zkt.h
+++ b/contrib/zkt/config_zkt.h
@@ -37,10 +37,6 @@
 #ifndef CONFIG_ZKT_H
 # define CONFIG_ZKT_H
 
-#ifndef HAS_TIMEGM
-# define	HAS_TIMEGM	1
-#endif
-
 #ifndef LOG_FNAMETMPL
 # define	LOG_FNAMETMPL	"/zkt-%04d-%02d-%02dT%02d%02d%02dZ.log"
 #endif
@@ -52,13 +48,9 @@
 # define	HAS_UTYPES	1
 #endif
 
-#ifndef HAVE_GETOPT_LONG
-# define	HAVE_GETOPT_LONG	1
-#endif
-
-#ifndef HAVE_STRFTIME
-# define	HAVE_STRFTIME	1
-#endif
+/* # define	HAVE_TIMEGM		1	*/
+/* # define	HAVE_GETOPT_LONG	1	*/
+/* # define	HAVE_STRFTIME		1	*/
 
 #ifndef TTL_IN_KEYFILE_ALLOWED
 # define	TTL_IN_KEYFILE_ALLOWED	1
@@ -84,6 +76,10 @@
 # define	LOG_WITH_LEVEL		1
 #endif
 
+#ifndef ALWAYS_CHECK_KEYSETFILES
+# define	ALWAYS_CHECK_KEYSETFILES	1
+#endif
+
 #ifndef CONFIG_PATH
 # define	CONFIG_PATH	"/var/named/"
 #endif
@@ -104,9 +100,9 @@
 
 #ifndef ZKT_VERSION
 # if defined(USE_TREE) && USE_TREE
-#  define	ZKT_VERSION	"vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+#  define	ZKT_VERSION	"vT0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
 # else
-#  define	ZKT_VERSION	"v0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+#  define	ZKT_VERSION	"v0.99c (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
 # endif
 #endif
 
diff --git a/contrib/zkt/configure b/contrib/zkt/configure
index cc796cdcb7..8d4d49639d 100755
--- a/contrib/zkt/configure
+++ b/contrib/zkt/configure
@@ -1,83 +1,37 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for ZKT 0.98.
+# Generated by GNU Autoconf 2.61 for ZKT 0.99c.
 #
 # Report bugs to .
 #
-# Copyright (C) 2003 Free Software Foundation, Inc.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
 
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
   # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
+  setopt NO_GLOB_SUBST
 else
-  as_unset=false
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
 fi
 
 
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
 
 
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
+# PATH needs CR
 # Avoid depending upon Character Ranges.
 as_cr_letters='abcdefghijklmnopqrstuvwxyz'
 as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
@@ -98,124 +52,466 @@ if test "${PATH_SEPARATOR+set}" != set; then
   rm -f conf$$.sh
 fi
 
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
 
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
 done
+IFS=$as_save_IFS
 
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
   fi
-  if test ! -f "$as_myself"; then
-    { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+if test "x$CONFIG_SHELL" = x; then
+  if (eval ":") 2>/dev/null; then
+  as_have_required=yes
+else
+  as_have_required=no
+fi
+
+  if test $as_have_required = yes && 	 (eval ":
+(as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+  as_lineno_1=\$LINENO
+  as_lineno_2=\$LINENO
+  test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+  test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+  :
+else
+  as_candidate_shells=
     as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
+  case $as_dir in
 	 /*)
-	   if ("$as_dir/$as_base" -c '
+	   for as_base in sh bash ksh sh5; do
+	     as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+	   done;;
+       esac
+done
+IFS=$as_save_IFS
+
+
+      for as_shell in $as_candidate_shells $SHELL; do
+	 # Try only shells that exist, to save several forks.
+	 if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+		{ ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+  CONFIG_SHELL=$as_shell
+	       as_have_required=yes
+	       if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+  setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+  (exit $1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
   as_lineno_1=$LINENO
   as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
   test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+  break
+fi
+
+fi
+
+      done
+
+      if test "x$CONFIG_SHELL" != x; then
+  for as_var in BASH_ENV ENV
+        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+        done
+        export CONFIG_SHELL
+        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+    if test $as_have_required = no; then
+  echo This script requires a shell more modern than all the
+      echo shells that I found on your system.  Please install a
+      echo modern shell, or manually run the script under such a
+      echo shell if you do have one.
+      { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+  (exit \$1)
+}
+as_func_success () {
+  as_func_return 0
+}
+as_func_failure () {
+  as_func_return 1
+}
+as_func_ret_success () {
+  return 0
+}
+as_func_ret_failure () {
+  return 1
+}
+
+exitcode=0
+if as_func_success; then
+  :
+else
+  exitcode=1
+  echo as_func_success failed.
+fi
+
+if as_func_failure; then
+  exitcode=1
+  echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+  :
+else
+  exitcode=1
+  echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+  exitcode=1
+  echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+  :
+else
+  exitcode=1
+  echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+  echo No shell found that supports shell functions.
+  echo Please tell autoconf@gnu.org about your system,
+  echo including any error possibly output before this
+  echo message
+}
+
+
+
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
 
   # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
   # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
   # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
     sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
       N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
       t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
+      s/-\n.*//
     ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
+  chmod +x "$as_me.lineno" ||
     { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
   # Exit status is that of the last command.
   exit
 }
 
 
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
 esac
 
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
 rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
 echo >conf$$.file
 if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
 elif ln conf$$.file conf$$ 2>/dev/null; then
   as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
 if mkdir -p . 2>/dev/null; then
   as_mkdir_p=:
@@ -224,7 +520,28 @@ else
   as_mkdir_p=false
 fi
 
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -233,86 +550,134 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
 
+exec 7<&0 &1
 
 # Name of the host.
 # hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
 # so uname gets run too.
 ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
 
-exec 6>&1
-
 #
 # Initializations.
 #
 ac_default_prefix=/usr/local
+ac_clean_files=
 ac_config_libobj_dir=.
+LIBOBJS=
 cross_compiling=no
 subdirs=
 MFLAGS=
 MAKEFLAGS=
 SHELL=${CONFIG_SHELL-/bin/sh}
 
-# Maximum number of lines to put in a shell here document.
-# This variable seems obsolete.  It should probably be removed, and
-# only ac_max_sed_lines should be used.
-: ${ac_max_here_lines=38}
-
 # Identity of this package.
 PACKAGE_NAME='ZKT'
 PACKAGE_TARNAME='zkt'
-PACKAGE_VERSION='0.98'
-PACKAGE_STRING='ZKT 0.98'
+PACKAGE_VERSION='0.99c'
+PACKAGE_STRING='ZKT 0.99c'
 PACKAGE_BUGREPORT='Holger Zuleger hznet.de'
 
 ac_unique_file="dnssec-zkt.c"
 # Factoring default headers for most tests.
 ac_includes_default="\
 #include 
-#if HAVE_SYS_TYPES_H
+#ifdef HAVE_SYS_TYPES_H
 # include 
 #endif
-#if HAVE_SYS_STAT_H
+#ifdef HAVE_SYS_STAT_H
 # include 
 #endif
-#if STDC_HEADERS
+#ifdef STDC_HEADERS
 # include 
 # include 
 #else
-# if HAVE_STDLIB_H
+# ifdef HAVE_STDLIB_H
 #  include 
 # endif
 #endif
-#if HAVE_STRING_H
-# if !STDC_HEADERS && HAVE_MEMORY_H
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
 #  include 
 # endif
 # include 
 #endif
-#if HAVE_STRINGS_H
+#ifdef HAVE_STRINGS_H
 # include 
 #endif
-#if HAVE_INTTYPES_H
+#ifdef HAVE_INTTYPES_H
 # include 
-#else
-# if HAVE_STDINT_H
-#  include 
-# endif
 #endif
-#if HAVE_UNISTD_H
+#ifdef HAVE_STDINT_H
+# include 
+#endif
+#ifdef HAVE_UNISTD_H
 # include 
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SIGNZONE_PROG CPP EGREP LIBOBJS LTLIBOBJS'
+ac_header_list=
+ac_func_list=
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+SIGNZONE_PROG
+CPP
+GREP
+EGREP
+LIBOBJS
+LTLIBOBJS'
 ac_subst_files=''
+      ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP'
+
 
 # Initialize some variables set by options.
 ac_init_help=
@@ -339,34 +704,48 @@ x_libraries=NONE
 # and all the variables that are supposed to be based on exec_prefix
 # by default will actually change.
 # Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
 bindir='${exec_prefix}/bin'
 sbindir='${exec_prefix}/sbin'
 libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
 
 ac_prev=
+ac_dashdash=
 for ac_option
 do
   # If the previous option needs an argument, assign it.
   if test -n "$ac_prev"; then
-    eval "$ac_prev=\$ac_option"
+    eval $ac_prev=\$ac_option
     ac_prev=
     continue
   fi
 
-  ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
+  case $ac_option in
+  *=*)	ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+  *)	ac_optarg=yes ;;
+  esac
 
   # Accept the important Cygnus configure options, so we can diagnose typos.
 
-  case $ac_option in
+  case $ac_dashdash$ac_option in
+  --)
+    ac_dashdash=yes ;;
 
   -bindir | --bindir | --bindi | --bind | --bin | --bi)
     ac_prev=bindir ;;
@@ -388,33 +767,45 @@ do
   --config-cache | -C)
     cache_file=config.cache ;;
 
-  -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+  -datadir | --datadir | --datadi | --datad)
     ac_prev=datadir ;;
-  -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
-  | --da=*)
+  -datadir=* | --datadir=* | --datadi=* | --datad=*)
     datadir=$ac_optarg ;;
 
+  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+  | --dataroo | --dataro | --datar)
+    ac_prev=datarootdir ;;
+  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+    datarootdir=$ac_optarg ;;
+
   -disable-* | --disable-*)
     ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    eval "enable_$ac_feature=no" ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=no ;;
+
+  -docdir | --docdir | --docdi | --doc | --do)
+    ac_prev=docdir ;;
+  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+    docdir=$ac_optarg ;;
+
+  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+    ac_prev=dvidir ;;
+  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+    dvidir=$ac_optarg ;;
 
   -enable-* | --enable-*)
     ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_feature=`echo $ac_feature | sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "enable_$ac_feature='$ac_optarg'" ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=\$ac_optarg ;;
 
   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
@@ -441,6 +832,12 @@ do
   -host=* | --host=* | --hos=* | --ho=*)
     host_alias=$ac_optarg ;;
 
+  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+    ac_prev=htmldir ;;
+  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+  | --ht=*)
+    htmldir=$ac_optarg ;;
+
   -includedir | --includedir | --includedi | --included | --include \
   | --includ | --inclu | --incl | --inc)
     ac_prev=includedir ;;
@@ -465,13 +862,16 @@ do
   | --libexe=* | --libex=* | --libe=*)
     libexecdir=$ac_optarg ;;
 
+  -localedir | --localedir | --localedi | --localed | --locale)
+    ac_prev=localedir ;;
+  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+    localedir=$ac_optarg ;;
+
   -localstatedir | --localstatedir | --localstatedi | --localstated \
-  | --localstate | --localstat | --localsta | --localst \
-  | --locals | --local | --loca | --loc | --lo)
+  | --localstate | --localstat | --localsta | --localst | --locals)
     ac_prev=localstatedir ;;
   -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
-  | --localstate=* | --localstat=* | --localsta=* | --localst=* \
-  | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
     localstatedir=$ac_optarg ;;
 
   -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
@@ -536,6 +936,16 @@ do
   | --progr-tra=* | --program-tr=* | --program-t=*)
     program_transform_name=$ac_optarg ;;
 
+  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+    ac_prev=pdfdir ;;
+  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+    pdfdir=$ac_optarg ;;
+
+  -psdir | --psdir | --psdi | --psd | --ps)
+    ac_prev=psdir ;;
+  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+    psdir=$ac_optarg ;;
+
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
@@ -588,24 +998,20 @@ do
   -with-* | --with-*)
     ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package| sed 's/-/_/g'`
-    case $ac_option in
-      *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
-      *) ac_optarg=yes ;;
-    esac
-    eval "with_$ac_package='$ac_optarg'" ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=\$ac_optarg ;;
 
   -without-* | --without-*)
     ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_package=`echo $ac_package | sed 's/-/_/g'`
-    eval "with_$ac_package=no" ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=no ;;
 
   --x)
     # Obsolete; use --with-x.
@@ -636,8 +1042,7 @@ Try \`$0 --help' for more information." >&2
     expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
       { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
    { (exit 1); exit 1; }; }
-    ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
-    eval "$ac_envvar='$ac_optarg'"
+    eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
 
   *)
@@ -657,27 +1062,19 @@ if test -n "$ac_prev"; then
    { (exit 1); exit 1; }; }
 fi
 
-# Be sure to have absolute paths.
-for ac_var in exec_prefix prefix
+# Be sure to have absolute directory names.
+for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
+		datadir sysconfdir sharedstatedir localstatedir includedir \
+		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+		libdir localedir mandir
 do
-  eval ac_val=$`echo $ac_var`
+  eval ac_val=\$$ac_var
   case $ac_val in
-    [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
-  esac
-done
-
-# Be sure to have absolute paths.
-for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
-	      localstatedir libdir includedir oldincludedir infodir mandir
-do
-  eval ac_val=$`echo $ac_var`
-  case $ac_val in
-    [\\/$]* | ?:[\\/]* ) ;;
-    *)  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
-   { (exit 1); exit 1; }; };;
+    [\\/$]* | ?:[\\/]* )  continue;;
+    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
+  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+   { (exit 1); exit 1; }; }
 done
 
 # There might be people who depend on the old broken behavior: `$host'
@@ -704,74 +1101,76 @@ test -n "$host_alias" && ac_tool_prefix=$host_alias-
 test "$silent" = yes && exec 6>/dev/null
 
 
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+  { echo "$as_me: error: Working directory cannot be determined" >&2
+   { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+  { echo "$as_me: error: pwd does not report name of working directory" >&2
+   { (exit 1); exit 1; }; }
+
+
 # Find the source files, if location was not specified.
 if test -z "$srcdir"; then
   ac_srcdir_defaulted=yes
-  # Try the directory containing this script, then its parent.
-  ac_confdir=`(dirname "$0") 2>/dev/null ||
+  # Try the directory containing this script, then the parent directory.
+  ac_confdir=`$as_dirname -- "$0" ||
 $as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$0" : 'X\(//\)[^/]' \| \
 	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$0" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
   srcdir=$ac_confdir
-  if test ! -r $srcdir/$ac_unique_file; then
+  if test ! -r "$srcdir/$ac_unique_file"; then
     srcdir=..
   fi
 else
   ac_srcdir_defaulted=no
 fi
-if test ! -r $srcdir/$ac_unique_file; then
-  if test "$ac_srcdir_defaulted" = yes; then
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
+if test ! -r "$srcdir/$ac_unique_file"; then
+  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
    { (exit 1); exit 1; }; }
-  else
-    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
-   { (exit 1); exit 1; }; }
-  fi
 fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
-  { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
    { (exit 1); exit 1; }; }
-srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
-ac_env_build_alias_set=${build_alias+set}
-ac_env_build_alias_value=$build_alias
-ac_cv_env_build_alias_set=${build_alias+set}
-ac_cv_env_build_alias_value=$build_alias
-ac_env_host_alias_set=${host_alias+set}
-ac_env_host_alias_value=$host_alias
-ac_cv_env_host_alias_set=${host_alias+set}
-ac_cv_env_host_alias_value=$host_alias
-ac_env_target_alias_set=${target_alias+set}
-ac_env_target_alias_value=$target_alias
-ac_cv_env_target_alias_set=${target_alias+set}
-ac_cv_env_target_alias_value=$target_alias
-ac_env_CC_set=${CC+set}
-ac_env_CC_value=$CC
-ac_cv_env_CC_set=${CC+set}
-ac_cv_env_CC_value=$CC
-ac_env_CFLAGS_set=${CFLAGS+set}
-ac_env_CFLAGS_value=$CFLAGS
-ac_cv_env_CFLAGS_set=${CFLAGS+set}
-ac_cv_env_CFLAGS_value=$CFLAGS
-ac_env_LDFLAGS_set=${LDFLAGS+set}
-ac_env_LDFLAGS_value=$LDFLAGS
-ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
-ac_cv_env_LDFLAGS_value=$LDFLAGS
-ac_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_env_CPPFLAGS_value=$CPPFLAGS
-ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_cv_env_CPPFLAGS_value=$CPPFLAGS
-ac_env_CPP_set=${CPP+set}
-ac_env_CPP_value=$CPP
-ac_cv_env_CPP_set=${CPP+set}
-ac_cv_env_CPP_value=$CPP
+	pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+  srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+  eval ac_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_env_${ac_var}_value=\$${ac_var}
+  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+  eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
 
 #
 # Report the --help message.
@@ -780,7 +1179,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ZKT 0.98 to adapt to many kinds of systems.
+\`configure' configures ZKT 0.99c to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -800,9 +1199,6 @@ Configuration:
   -n, --no-create         do not create output files
       --srcdir=DIR        find the sources in DIR [configure dir or \`..']
 
-_ACEOF
-
-  cat <<_ACEOF
 Installation directories:
   --prefix=PREFIX         install architecture-independent files in PREFIX
 			  [$ac_default_prefix]
@@ -820,15 +1216,22 @@ Fine tuning of the installation directories:
   --bindir=DIR           user executables [EPREFIX/bin]
   --sbindir=DIR          system admin executables [EPREFIX/sbin]
   --libexecdir=DIR       program executables [EPREFIX/libexec]
-  --datadir=DIR          read-only architecture-independent data [PREFIX/share]
   --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
   --libdir=DIR           object code libraries [EPREFIX/lib]
   --includedir=DIR       C header files [PREFIX/include]
   --oldincludedir=DIR    C header files for non-gcc [/usr/include]
-  --infodir=DIR          info documentation [PREFIX/info]
-  --mandir=DIR           man documentation [PREFIX/man]
+  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR          info documentation [DATAROOTDIR/info]
+  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR           man documentation [DATAROOTDIR/man]
+  --docdir=DIR           documentation root [DATAROOTDIR/doc/zkt]
+  --htmldir=DIR          html documentation [DOCDIR]
+  --dvidir=DIR           dvi documentation [DOCDIR]
+  --pdfdir=DIR           pdf documentation [DOCDIR]
+  --psdir=DIR            ps documentation [DOCDIR]
 _ACEOF
 
   cat <<\_ACEOF
@@ -837,7 +1240,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ZKT 0.98:";;
+     short | recursive ) echo "Configuration of ZKT 0.99c:";;
    esac
   cat <<\_ACEOF
 
@@ -861,8 +1264,9 @@ Some influential environment variables:
   CFLAGS      C compiler flags
   LDFLAGS     linker flags, e.g. -L if you have libraries in a
               nonstandard directory 
-  CPPFLAGS    C/C++ preprocessor flags, e.g. -I if you have
-              headers in a nonstandard directory 
+  LIBS        libraries to pass to the linker, e.g. -l
+  CPPFLAGS    C/C++/Objective C preprocessor flags, e.g. -I if
+              you have headers in a nonstandard directory 
   CPP         C preprocessor
 
 Use these variables to override the choices made by `configure' or to help
@@ -870,120 +1274,86 @@ it to find libraries and programs with nonstandard names/locations.
 
 Report bugs to .
 _ACEOF
+ac_status=$?
 fi
 
 if test "$ac_init_help" = "recursive"; then
   # If there are subdirs, report their specific --help.
-  ac_popdir=`pwd`
   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d $ac_dir || continue
+    test -d "$ac_dir" || continue
     ac_builddir=.
 
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
   ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
 
 case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
+  .)  # We are building in place.
     ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
     ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
 esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
 
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
-esac
-
-    cd $ac_dir
-    # Check for guested configure; otherwise get Cygnus style configure.
-    if test -f $ac_srcdir/configure.gnu; then
-      echo
-      $SHELL $ac_srcdir/configure.gnu  --help=recursive
-    elif test -f $ac_srcdir/configure; then
-      echo
-      $SHELL $ac_srcdir/configure  --help=recursive
-    elif test -f $ac_srcdir/configure.ac ||
-	   test -f $ac_srcdir/configure.in; then
-      echo
-      $ac_configure --help
+    cd "$ac_dir" || { ac_status=$?; continue; }
+    # Check for guested configure.
+    if test -f "$ac_srcdir/configure.gnu"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+    elif test -f "$ac_srcdir/configure"; then
+      echo &&
+      $SHELL "$ac_srcdir/configure" --help=recursive
     else
       echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
-    fi
-    cd $ac_popdir
+    fi || ac_status=$?
+    cd "$ac_pwd" || { ac_status=$?; break; }
   done
 fi
 
-test -n "$ac_init_help" && exit 0
+test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ZKT configure 0.98
-generated by GNU Autoconf 2.59
+ZKT configure 0.99c
+generated by GNU Autoconf 2.61
 
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
-  exit 0
+  exit
 fi
-exec 5>config.log
-cat >&5 <<_ACEOF
+cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ZKT $as_me 0.98, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
+It was created by ZKT $as_me 0.99c, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
 
 _ACEOF
+exec 5>>config.log
 {
 cat <<_ASUNAME
 ## --------- ##
@@ -1002,7 +1372,7 @@ uname -v = `(uname -v) 2>/dev/null || echo unknown`
 /bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
 /usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
 /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-hostinfo               = `(hostinfo) 2>/dev/null               || echo unknown`
+/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
 /bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
 /usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
 /bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`
@@ -1016,6 +1386,7 @@ do
   test -z "$as_dir" && as_dir=.
   echo "PATH: $as_dir"
 done
+IFS=$as_save_IFS
 
 } >&5
 
@@ -1037,7 +1408,6 @@ _ACEOF
 ac_configure_args=
 ac_configure_args0=
 ac_configure_args1=
-ac_sep=
 ac_must_keep_next=false
 for ac_pass in 1 2
 do
@@ -1048,7 +1418,7 @@ do
     -q | -quiet | --quiet | --quie | --qui | --qu | --q \
     | -silent | --silent | --silen | --sile | --sil)
       continue ;;
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+    *\'*)
       ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
     case $ac_pass in
@@ -1070,9 +1440,7 @@ do
 	  -* ) ac_must_keep_next=true ;;
 	esac
       fi
-      ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
-      # Get rid of the leading space.
-      ac_sep=" "
+      ac_configure_args="$ac_configure_args '$ac_arg'"
       ;;
     esac
   done
@@ -1083,8 +1451,8 @@ $as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_
 # When interrupted or exit'd, cleanup temporary files, and complete
 # config.log.  We remove comments because anyway the quotes in there
 # would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
 trap 'exit_status=$?
   # Save into config.log some information that might help in debugging.
   {
@@ -1097,20 +1465,34 @@ trap 'exit_status=$?
 _ASBOX
     echo
     # The following way of writing the cache mishandles newlines in values,
-{
+(
+  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
   (set) 2>&1 |
-    case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
+    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
       sed -n \
-	"s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
-	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
-      ;;
+	"s/'\''/'\''\\\\'\'''\''/g;
+	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+      ;; #(
     *)
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
       ;;
-    esac;
-}
+    esac |
+    sort
+)
     echo
 
     cat <<\_ASBOX
@@ -1121,22 +1503,28 @@ _ASBOX
     echo
     for ac_var in $ac_subst_vars
     do
-      eval ac_val=$`echo $ac_var`
-      echo "$ac_var='"'"'$ac_val'"'"'"
+      eval ac_val=\$$ac_var
+      case $ac_val in
+      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      esac
+      echo "$ac_var='\''$ac_val'\''"
     done | sort
     echo
 
     if test -n "$ac_subst_files"; then
       cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
 _ASBOX
       echo
       for ac_var in $ac_subst_files
       do
-	eval ac_val=$`echo $ac_var`
-	echo "$ac_var='"'"'$ac_val'"'"'"
+	eval ac_val=\$$ac_var
+	case $ac_val in
+	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	esac
+	echo "$ac_var='\''$ac_val'\''"
       done | sort
       echo
     fi
@@ -1148,26 +1536,24 @@ _ASBOX
 ## ----------- ##
 _ASBOX
       echo
-      sed "/^$/d" confdefs.h | sort
+      cat confdefs.h
       echo
     fi
     test "$ac_signal" != 0 &&
       echo "$as_me: caught signal $ac_signal"
     echo "$as_me: exit $exit_status"
   } >&5
-  rm -f core *.core &&
-  rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
+  rm -f core *.core core.conftest.* &&
+    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
     exit $exit_status
-     ' 0
+' 0
 for ac_signal in 1 2 13 15; do
   trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
 done
 ac_signal=0
 
 # confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo >confdefs.h
+rm -f -r conftest* confdefs.h
 
 # Predefined preprocessor variables.
 
@@ -1198,14 +1584,17 @@ _ACEOF
 
 # Let the site file select an alternate cache file if it wants to.
 # Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
-  if test "x$prefix" != xNONE; then
-    CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
-  else
-    CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
-  fi
+if test -n "$CONFIG_SITE"; then
+  set x "$CONFIG_SITE"
+elif test "x$prefix" != xNONE; then
+  set x "$prefix/share/config.site" "$prefix/etc/config.site"
+else
+  set x "$ac_default_prefix/share/config.site" \
+	"$ac_default_prefix/etc/config.site"
 fi
-for ac_site_file in $CONFIG_SITE; do
+shift
+for ac_site_file
+do
   if test -r "$ac_site_file"; then
     { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
 echo "$as_me: loading site script $ac_site_file" >&6;}
@@ -1221,8 +1610,8 @@ if test -r "$cache_file"; then
     { echo "$as_me:$LINENO: loading cache $cache_file" >&5
 echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
-      [\\/]* | ?:[\\/]* ) . $cache_file;;
-      *)                      . ./$cache_file;;
+      [\\/]* | ?:[\\/]* ) . "$cache_file";;
+      *)                      . "./$cache_file";;
     esac
   fi
 else
@@ -1231,15 +1620,18 @@ echo "$as_me: creating cache $cache_file" >&6;}
   >$cache_file
 fi
 
+ac_header_list="$ac_header_list sys/time.h"
+ac_header_list="$ac_header_list unistd.h"
+ac_func_list="$ac_func_list alarm"
+ac_header_list="$ac_header_list utime.h"
 # Check that the precious variables saved in the cache have kept the same
 # value.
 ac_cache_corrupted=false
-for ac_var in `(set) 2>&1 |
-	       sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+for ac_var in $ac_precious_vars; do
   eval ac_old_set=\$ac_cv_env_${ac_var}_set
   eval ac_new_set=\$ac_env_${ac_var}_set
-  eval ac_old_val="\$ac_cv_env_${ac_var}_value"
-  eval ac_new_val="\$ac_env_${ac_var}_value"
+  eval ac_old_val=\$ac_cv_env_${ac_var}_value
+  eval ac_new_val=\$ac_env_${ac_var}_value
   case $ac_old_set,$ac_new_set in
     set,)
       { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
@@ -1264,8 +1656,7 @@ echo "$as_me:   current value: $ac_new_val" >&2;}
   # Pass precious variables to config.status.
   if test "$ac_new_set" = set; then
     case $ac_new_val in
-    *" "*|*"	"*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
-      ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
     *) ac_arg=$ac_var=$ac_new_val ;;
     esac
     case " $ac_configure_args " in
@@ -1282,6 +1673,30 @@ echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start ov
    { (exit 1); exit 1; }; }
 fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -1290,34 +1705,9 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
 ### Files to test to check if src dir contains the package
 
-          ac_config_headers="$ac_config_headers config.h"
+ac_config_headers="$ac_config_headers config.h"
 
 
 
@@ -1330,8 +1720,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1344,32 +1734,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$ac_cv_prog_CC"; then
   ac_ct_CC=$CC
   # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1382,36 +1774,51 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="gcc"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-  CC=$ac_ct_CC
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
 else
   CC="$ac_cv_prog_CC"
 fi
 
 if test -z "$CC"; then
-  if test -n "$ac_tool_prefix"; then
-  # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+          if test -n "$ac_tool_prefix"; then
+    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1424,74 +1831,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-fi
-if test -z "$ac_cv_prog_CC"; then
-  ac_ct_CC=$CC
-  # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-  if test -n "$ac_ct_CC"; then
-  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-    ac_cv_prog_ac_ct_CC="cc"
-    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
-    break 2
+
   fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-  CC=$ac_ct_CC
-else
-  CC="$ac_cv_prog_CC"
-fi
-
 fi
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1505,7 +1872,7 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
        ac_prog_rejected=yes
        continue
@@ -1516,6 +1883,7 @@ do
   fi
 done
 done
+IFS=$as_save_IFS
 
 if test $ac_prog_rejected = yes; then
   # We found a bogon in the path, so make sure we never use it.
@@ -1533,22 +1901,23 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
 fi
 if test -z "$CC"; then
   if test -n "$ac_tool_prefix"; then
-  for ac_prog in cl
+  for ac_prog in cl.exe
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1561,36 +1930,38 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
     test -n "$CC" && break
   done
 fi
 if test -z "$CC"; then
   ac_ct_CC=$CC
-  for ac_prog in cl
+  for ac_prog in cl.exe
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1603,29 +1974,45 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
 fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
+
   test -n "$ac_ct_CC" && break
 done
 
-  CC=$ac_ct_CC
+  if test "x$ac_ct_CC" = x; then
+    CC=""
+  else
+    case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet.  If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+    CC=$ac_ct_CC
+  fi
 fi
 
 fi
@@ -1638,21 +2025,35 @@ See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 
 # Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
-     "checking for C compiler version" >&5
+echo "$as_me:$LINENO: checking for C compiler version" >&5
 ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5
-  (eval $ac_compiler --version &5) 2>&5
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v &5\"") >&5
-  (eval $ac_compiler -v &5) 2>&5
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V &5\"") >&5
-  (eval $ac_compiler -V &5) 2>&5
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
@@ -1677,47 +2078,77 @@ ac_clean_files="$ac_clean_files a.out a.exe b.out"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
 ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
-  (eval $ac_link_default) 2>&5
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort.  b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions.  Remove them first so a
+# subsequent execution test works.
+ac_rmfiles=
+for ac_file in $ac_files
+do
+  case $ac_file in
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+  esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link_default") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
-  # Find the output, starting from the most likely.  This scheme is
-# not robust to junk in `.', hence go to wildcards (a.*) only as a last
-# resort.
-
-# Be careful to initialize this variable, since it used to be cached.
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
+  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile.  We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
 do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
-	;;
-    conftest.$ac_ext )
-	# This is the source file.
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
 	;;
     [ab].out )
 	# We found the default executable, but exeext='' is most
 	# certainly right.
 	break;;
     *.* )
-	ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	# FIXME: I believe we export ac_cv_exeext for Libtool,
-	# but it would be cool to find out if it's true.  Does anybody
-	# maintain Libtool? --akim.
-	export ac_cv_exeext
+        if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+	then :; else
+	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+	fi
+	# We set ac_cv_exeext here because the later test for it is not
+	# safe: cross compilers may not add the suffix if given an `-o'
+	# argument, so we may need to know it at that point already.
+	# Even if this section looks crufty: it has the advantage of
+	# actually working.
 	break;;
     * )
 	break;;
   esac
 done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
 else
+  ac_file=''
+fi
+
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
+if test -z "$ac_file"; then
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
@@ -1729,19 +2160,21 @@ See \`config.log' for more details." >&2;}
 fi
 
 ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6
 
-# Check the compiler produces executables we can run.  If not, either
+# Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
 # FIXME: These cross compiler hacks should be removed for Autoconf 3.0
 # If not cross compiling, check that we can run a simple program.
 if test "$cross_compiling" != yes; then
   if { ac_try='./$ac_file'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -1760,22 +2193,27 @@ See \`config.log' for more details." >&2;}
     fi
   fi
 fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 
 rm -f a.out a.exe conftest$ac_cv_exeext b.out
 ac_clean_files=$ac_clean_files_save
-# Check the compiler produces executables we can run.  If not, either
+# Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
 
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
@@ -1786,9 +2224,8 @@ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
 for ac_file in conftest.exe conftest conftest.*; do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
     *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
-	  export ac_cv_exeext
 	  break;;
     * ) break;;
   esac
@@ -1802,14 +2239,14 @@ See \`config.log' for more details." >&2;}
 fi
 
 rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
 
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
 if test "${ac_cv_objext+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1829,14 +2266,20 @@ main ()
 }
 _ACEOF
 rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>&5
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
-  for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
+  for ac_file in conftest.o conftest.obj conftest.*; do
+  test -f "$ac_file" || continue;
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
        break;;
   esac
@@ -1854,12 +2297,12 @@ fi
 
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
 OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
 if test "${ac_cv_c_compiler_gnu+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -1882,50 +2325,49 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_compiler_gnu=no
+	ac_compiler_gnu=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
 GCC=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
-CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_g+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  cat >conftest.$ac_ext <<_ACEOF
+  ac_save_c_werror_flag=$ac_c_werror_flag
+   ac_c_werror_flag=yes
+   ac_cv_prog_cc_g=no
+   CFLAGS="-g"
+   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
@@ -1941,38 +2383,118 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_prog_cc_g=no
+	CFLAGS=""
+      cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  :
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_c_werror_flag=$ac_save_c_werror_flag
+	 CFLAGS="-g"
+	 cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_g=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+   ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
 if test "$ac_test_CFLAGS" = set; then
   CFLAGS=$ac_save_CFLAGS
 elif test $ac_cv_prog_cc_g = yes; then
@@ -1988,12 +2510,12 @@ else
     CFLAGS=
   fi
 fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_prog_cc_stdc=no
+  ac_cv_prog_cc_c89=no
 ac_save_CC=$CC
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2027,12 +2549,17 @@ static char *f (char * (*g) (char **, int), char **p, ...)
 /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
    function prototypes and stuff, but not '\xHH' hex character constants.
    These don't provoke an error unfortunately, instead are silently treated
-   as 'x'.  The following induces an error, until -std1 is added to get
+   as 'x'.  The following induces an error, until -std is added to get
    proper ANSI mode.  Curiously '\x00'!='x' always comes out true, for an
    array size at least.  It's necessary to write '\x00'==0 to get something
-   that's true only with -std1.  */
+   that's true only with -std.  */
 int osf4_cc_array ['\x00' == 0 ? 1 : -1];
 
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+   inside strings and character constants.  */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
 int test (int i, double x);
 struct s1 {int (*f) (int a);};
 struct s2 {int (*f) (double a);};
@@ -2047,205 +2574,57 @@ return f (e, argv, 0) != argv[0]  ||  f (e, argv, 1) != argv[1];
   return 0;
 }
 _ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX			-qlanglvl=ansi
-# Ultrix and OSF/1	-std1
-# HP-UX 10.20 and later	-Ae
-# HP-UX older versions	-Aa -D_HPUX_SOURCE
-# SVR4			-Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+	-Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
 do
   CC="$ac_save_CC $ac_arg"
   rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_prog_cc_stdc=$ac_arg
-break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_prog_cc_c89=$ac_arg
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext
+
+rm -f core conftest.err conftest.$ac_objext
+  test "x$ac_cv_prog_cc_c89" != "xno" && break
 done
-rm -f conftest.$ac_ext conftest.$ac_objext
+rm -f conftest.$ac_ext
 CC=$ac_save_CC
 
 fi
-
-case "x$ac_cv_prog_cc_stdc" in
-  x|xno)
-    echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+  x)
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+  xno)
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
   *)
-    echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
-    CC="$CC $ac_cv_prog_cc_stdc" ;;
+    CC="$CC $ac_cv_prog_cc_c89"
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
 esac
 
-# Some people use a C++ compiler to compile C.  Since we use `exit',
-# in C++ we need to declare it.  In case someone uses the same compiler
-# for both compiling C and C++ we need to have the C++ compiler decide
-# the declaration of exit, since it's the most demanding environment.
-cat >conftest.$ac_ext <<_ACEOF
-#ifndef __cplusplus
-  choke me
-#endif
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  for ac_declaration in \
-   '' \
-   'extern "C" void std::exit (int) throw (); using std::exit;' \
-   'extern "C" void std::exit (int); using std::exit;' \
-   'extern "C" void exit (int) throw ();' \
-   'extern "C" void exit (int);' \
-   'void exit (int);'
-do
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_declaration
-#include 
-int
-main ()
-{
-exit (42);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  :
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
 
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-  cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_declaration
-int
-main ()
-{
-exit (42);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  break
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
-  echo '#ifdef __cplusplus' >>confdefs.h
-  echo $ac_declaration      >>confdefs.h
-  echo '#endif'             >>confdefs.h
-fi
-
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -2256,8 +2635,8 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 ### find out the path to BIND utils and version
 # Extract the first word of "dnssec-signzone", so it can be a program name with args.
 set dummy dnssec-signzone; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_SIGNZONE_PROG+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2272,34 +2651,34 @@ do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_exec_ext in '' $ac_executable_extensions; do
-  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_SIGNZONE_PROG="$as_dir/$ac_word$ac_exec_ext"
     echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
 done
+IFS=$as_save_IFS
 
   ;;
 esac
 fi
 SIGNZONE_PROG=$ac_cv_path_SIGNZONE_PROG
-
 if test -n "$SIGNZONE_PROG"; then
-  echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5
-echo "${ECHO_T}$SIGNZONE_PROG" >&6
+  { echo "$as_me:$LINENO: result: $SIGNZONE_PROG" >&5
+echo "${ECHO_T}$SIGNZONE_PROG" >&6; }
 else
-  echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-bind_util_path=`dirname "$SIGNZONE_PROG"`
+
 if test -z "$SIGNZONE_PROG" ; then
 #        AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
         { echo "$as_me:$LINENO: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&5
 echo "$as_me: WARNING: *** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***" >&2;}
 else
-
+	bind_util_path=`dirname "$SIGNZONE_PROG"`
 	# define BIND_UTIL_PATH in config.h.in
 
 cat >>confdefs.h <<_ACEOF
@@ -2307,7 +2686,6 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 	# define BIND_VERSION in config.h.in
-	#bind_version=`$SIGNZONE_PROG 2>&1 | sed -n -e "/Version:/s/Version: \(\[0-9\]\[0-9\.\]*\).*/\1/p" | tr -d "."`
 	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
 
 cat >>confdefs.h <<_ACEOF
@@ -2322,8 +2700,8 @@ ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
@@ -2357,24 +2735,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -2383,9 +2759,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2395,24 +2772,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include 
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -2423,6 +2798,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -2440,8 +2816,8 @@ fi
 else
   ac_cv_prog_CPP=$CPP
 fi
-echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
 ac_preproc_ok=false
 for ac_c_preproc_warn_flag in '' yes
 do
@@ -2464,24 +2840,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 #endif
 		     Syntax error
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   :
 else
   echo "$as_me: failed program was:" >&5
@@ -2490,9 +2864,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
   # Broken: fails on valid input.
 continue
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
-  # OK, works on sane cases.  Now check whether non-existent headers
+  # OK, works on sane cases.  Now check whether nonexistent headers
   # can be detected and how.
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -2502,24 +2877,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include 
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   # Broken: success on invalid input.
 continue
 else
@@ -2530,6 +2903,7 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ac_preproc_ok=:
 break
 fi
+
 rm -f conftest.err conftest.$ac_ext
 
 done
@@ -2552,23 +2926,170 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
-if test "${ac_cv_prog_egrep+set}" = set; then
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if echo a | (grep -E '(a|b)') >/dev/null 2>&1
-    then ac_cv_prog_egrep='grep -E'
-    else ac_cv_prog_egrep='egrep'
+  # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_GREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in grep ggrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+    # Check for GNU ac_path_GREP and select it if it is found.
+  # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'GREP' >> "conftest.nl"
+    "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_GREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_GREP="$ac_path_GREP"
+      ac_path_GREP_max=$ac_count
     fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_GREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_GREP=$GREP
 fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
 
 
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+   then ac_cv_path_EGREP="$GREP -E"
+   else
+     # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_path_EGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_prog in egrep; do
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+    # Check for GNU ac_path_EGREP and select it if it is found.
+  # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+  ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+  ac_count=0
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+  while :
+  do
+    cat "conftest.in" "conftest.in" >"conftest.tmp"
+    mv "conftest.tmp" "conftest.in"
+    cp "conftest.in" "conftest.nl"
+    echo 'EGREP' >> "conftest.nl"
+    "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+    ac_count=`expr $ac_count + 1`
+    if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+      # Best one so far, save it but keep looking for a better one
+      ac_cv_path_EGREP="$ac_path_EGREP"
+      ac_path_EGREP_max=$ac_count
+    fi
+    # 10*(2^10) chars as input seems more than enough
+    test $ac_count -gt 10 && break
+  done
+  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+    $ac_path_EGREP_found && break 3
+  done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+else
+  ac_cv_path_EGREP=$EGREP
+fi
+
+
+   fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2592,35 +3113,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_stdc=no
+	ac_cv_header_stdc=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
@@ -2676,6 +3193,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include 
+#include 
 #if ((' ' & 0x0FF) == 0x020)
 # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
 # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
@@ -2695,18 +3213,27 @@ main ()
   for (i = 0; i < 256; i++)
     if (XOR (islower (i), ISLOWER (i))
 	|| toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
+      return 2;
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -2719,12 +3246,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
 fi
 fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -2747,9 +3276,9 @@ for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
 		  inttypes.h stdint.h unistd.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -2763,38 +3292,35 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_Header=no"
+	eval "$as_ac_Header=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -2805,8 +3331,8 @@ fi
 done
 
 
-echo "$as_me:$LINENO: checking for uint" >&5
-echo $ECHO_N "checking for uint... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uint" >&5
+echo $ECHO_N "checking for uint... $ECHO_C" >&6; }
 if test "${ac_cv_type_uint+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2817,50 +3343,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef uint ac__type_new_;
 int
 main ()
 {
-if ((uint *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uint))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uint=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uint=no
+	ac_cv_type_uint=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5
-echo "${ECHO_T}$ac_cv_type_uint" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uint" >&5
+echo "${ECHO_T}$ac_cv_type_uint" >&6; }
 if test $ac_cv_type_uint = yes; then
   :
 else
@@ -2871,8 +3394,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for ulong" >&5
-echo $ECHO_N "checking for ulong... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ulong" >&5
+echo $ECHO_N "checking for ulong... $ECHO_C" >&6; }
 if test "${ac_cv_type_ulong+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2883,50 +3406,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef ulong ac__type_new_;
 int
 main ()
 {
-if ((ulong *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (ulong))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_ulong=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_ulong=no
+	ac_cv_type_ulong=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5
-echo "${ECHO_T}$ac_cv_type_ulong" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ulong" >&5
+echo "${ECHO_T}$ac_cv_type_ulong" >&6; }
 if test $ac_cv_type_ulong = yes; then
   :
 else
@@ -2937,8 +3457,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for ushort" >&5
-echo $ECHO_N "checking for ushort... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ushort" >&5
+echo $ECHO_N "checking for ushort... $ECHO_C" >&6; }
 if test "${ac_cv_type_ushort+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -2949,50 +3469,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef ushort ac__type_new_;
 int
 main ()
 {
-if ((ushort *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (ushort))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_ushort=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_ushort=no
+	ac_cv_type_ushort=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5
-echo "${ECHO_T}$ac_cv_type_ushort" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ushort" >&5
+echo "${ECHO_T}$ac_cv_type_ushort" >&6; }
 if test $ac_cv_type_ushort = yes; then
   :
 else
@@ -3003,8 +3520,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for uchar" >&5
-echo $ECHO_N "checking for uchar... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uchar" >&5
+echo $ECHO_N "checking for uchar... $ECHO_C" >&6; }
 if test "${ac_cv_type_uchar+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3015,50 +3532,47 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef uchar ac__type_new_;
 int
 main ()
 {
-if ((uchar *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (uchar))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_uchar=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_uchar=no
+	ac_cv_type_uchar=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5
-echo "${ECHO_T}$ac_cv_type_uchar" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uchar" >&5
+echo "${ECHO_T}$ac_cv_type_uchar" >&6; }
 if test $ac_cv_type_uchar = yes; then
   :
 else
@@ -3071,11 +3585,11 @@ fi
 
 
 ### define configure arguments
-# Check whether --enable-printtimezone or --disable-printtimezone was given.
+# Check whether --enable-printtimezone was given.
 if test "${enable_printtimezone+set}" = set; then
-  enableval="$enable_printtimezone"
-  printtimezone=$enableval
-fi;
+  enableval=$enable_printtimezone; printtimezone=$enableval
+fi
+
 printtimezone=0
 test "$printtimezone" = yes && printtimezone=1
 
@@ -3084,11 +3598,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-# Check whether --enable-printyear or --disable-printyear was given.
+# Check whether --enable-printyear was given.
 if test "${enable_printyear+set}" = set; then
-  enableval="$enable_printyear"
-  printyear=$enableval
-fi;
+  enableval=$enable_printyear; printyear=$enableval
+fi
+
 printyear=0
 test "$printyear" = yes && printyear=1
 
@@ -3097,11 +3611,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-# Check whether --enable-logprogname or --disable-logprogname was given.
+# Check whether --enable-logprogname was given.
 if test "${enable_logprogname+set}" = set; then
-  enableval="$enable_logprogname"
-  logprogname=$enableval
-fi;
+  enableval=$enable_logprogname; logprogname=$enableval
+fi
+
 logprogname=0
 test "$logprogname" = yes && logprogname=1
 
@@ -3110,11 +3624,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-# Check whether --enable-logtimestamp or --disable-logtimestamp was given.
+# Check whether --enable-logtimestamp was given.
 if test "${enable_logtimestamp+set}" = set; then
-  enableval="$enable_logtimestamp"
-  logtimestamp=$enableval
-fi;
+  enableval=$enable_logtimestamp; logtimestamp=$enableval
+fi
+
 logtimestamp=1
 test "$logtimestamp" = no && logtimestamp=0
 
@@ -3123,11 +3637,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-# Check whether --enable-loglevel or --disable-loglevel was given.
+# Check whether --enable-loglevel was given.
 if test "${enable_loglevel+set}" = set; then
-  enableval="$enable_loglevel"
-  loglevel=$enableval
-fi;
+  enableval=$enable_loglevel; loglevel=$enableval
+fi
+
 loglevel=1
 test "$loglevel" = no && loglevel=0
 
@@ -3136,11 +3650,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
-# Check whether --enable-ttl_in_keyfile or --disable-ttl_in_keyfile was given.
+# Check whether --enable-ttl_in_keyfile was given.
 if test "${enable_ttl_in_keyfile+set}" = set; then
-  enableval="$enable_ttl_in_keyfile"
-  ttl_in_keyfile=$enableval
-fi;
+  enableval=$enable_ttl_in_keyfile; ttl_in_keyfile=$enableval
+fi
+
 ttl_in_keyfile=1
 test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
 
@@ -3150,11 +3664,11 @@ _ACEOF
 
 
 configpath="/var/named"
-# Check whether --enable-configpath or --disable-configpath was given.
+# Check whether --enable-configpath was given.
 if test "${enable_configpath+set}" = set; then
-  enableval="$enable_configpath"
-  configpath=$enableval
-fi;
+  enableval=$enable_configpath; configpath=$enableval
+fi
+
 case "$configpath" in
 yes)
 	configpath="/var/named"
@@ -3173,11 +3687,11 @@ _ACEOF
 
 usetree=1
 t="T"
-# Check whether --enable-tree or --disable-tree was given.
+# Check whether --enable-tree was given.
 if test "${enable_tree+set}" = set; then
-  enableval="$enable_tree"
-  usetree=$enableval
-fi;
+  enableval=$enable_tree; usetree=$enableval
+fi
+
 if test "$usetree" = no
 then
 	usetree=0
@@ -3191,7 +3705,7 @@ _ACEOF
 
 
 cat >>confdefs.h <<_ACEOF
-#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de"
+#define ZKT_VERSION "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de"
 _ACEOF
 
 
@@ -3207,9 +3721,9 @@ _ACEOF
 ac_header_dirent=no
 for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do
   as_ac_Header=`echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5
-echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_hdr that defines DIR" >&5
+echo $ECHO_N "checking for $ac_hdr that defines DIR... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -3231,38 +3745,35 @@ return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_Header=no"
+	eval "$as_ac_Header=no"
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_hdr" | $as_tr_cpp` 1
@@ -3274,13 +3785,12 @@ fi
 done
 # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix.
 if test $ac_header_dirent = dirent.h; then
-  echo "$as_me:$LINENO: checking for library containing opendir" >&5
-echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for library containing opendir" >&5
+echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; }
 if test "${ac_cv_search_opendir+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_func_search_save_LIBS=$LIBS
-ac_cv_search_opendir=no
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3288,126 +3798,83 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char opendir ();
 int
 main ()
 {
-opendir ();
+return opendir ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_search_opendir="none required"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-if test "$ac_cv_search_opendir" = no; then
-  for ac_lib in dir; do
+for ac_lib in '' dir; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char opendir ();
-int
-main ()
-{
-opendir ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_search_opendir="-l$ac_lib"
-break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_search_opendir=$ac_res
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-  done
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_opendir+set}" = set; then
+  break
 fi
+done
+if test "${ac_cv_search_opendir+set}" = set; then
+  :
+else
+  ac_cv_search_opendir=no
+fi
+rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
-echo "${ECHO_T}$ac_cv_search_opendir" >&6
-if test "$ac_cv_search_opendir" != no; then
-  test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS"
+{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
+echo "${ECHO_T}$ac_cv_search_opendir" >&6; }
+ac_res=$ac_cv_search_opendir
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
 fi
 
 else
-  echo "$as_me:$LINENO: checking for library containing opendir" >&5
-echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6
+  { echo "$as_me:$LINENO: checking for library containing opendir" >&5
+echo $ECHO_N "checking for library containing opendir... $ECHO_C" >&6; }
 if test "${ac_cv_search_opendir+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_func_search_save_LIBS=$LIBS
-ac_cv_search_opendir=no
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3415,122 +3882,80 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char opendir ();
 int
 main ()
 {
-opendir ();
+return opendir ();
   ;
   return 0;
 }
 _ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_search_opendir="none required"
-else
-  echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-if test "$ac_cv_search_opendir" = no; then
-  for ac_lib in x; do
+for ac_lib in '' x; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
     LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-    cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-/* Override any gcc2 internal prototype to avoid an error.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
-char opendir ();
-int
-main ()
-{
-opendir ();
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+  fi
+  rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
-  ac_cv_search_opendir="-l$ac_lib"
-break
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  ac_cv_search_opendir=$ac_res
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
+
 fi
-rm -f conftest.err conftest.$ac_objext \
-      conftest$ac_exeext conftest.$ac_ext
-  done
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext
+  if test "${ac_cv_search_opendir+set}" = set; then
+  break
 fi
+done
+if test "${ac_cv_search_opendir+set}" = set; then
+  :
+else
+  ac_cv_search_opendir=no
+fi
+rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
-echo "${ECHO_T}$ac_cv_search_opendir" >&6
-if test "$ac_cv_search_opendir" != no; then
-  test "$ac_cv_search_opendir" = "none required" || LIBS="$ac_cv_search_opendir $LIBS"
+{ echo "$as_me:$LINENO: result: $ac_cv_search_opendir" >&5
+echo "${ECHO_T}$ac_cv_search_opendir" >&6; }
+ac_res=$ac_cv_search_opendir
+if test "$ac_res" != no; then
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
 fi
 
 fi
 
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3554,35 +3979,31 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_stdc=no
+	ac_cv_header_stdc=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
@@ -3638,6 +4059,7 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include 
+#include 
 #if ((' ' & 0x0FF) == 0x020)
 # define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
 # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
@@ -3657,18 +4079,27 @@ main ()
   for (i = 0; i < 256; i++)
     if (XOR (islower (i), ISLOWER (i))
 	|| toupper (i) != TOUPPER (i))
-      exit(2);
-  exit (0);
+      return 2;
+  return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -3681,12 +4112,14 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
 fi
 fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -3710,18 +4143,19 @@ fi
 for ac_header in fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3732,41 +4166,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -3775,24 +4205,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -3800,9 +4228,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -3826,25 +4255,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
+    ( cat <<\_ASBOX
 ## -------------------------------------- ##
 ## Report this to Holger Zuleger hznet.de ##
 ## -------------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -3859,8 +4287,8 @@ done
 
 
 ### Checks for typedefs, structures, and compiler characteristics.
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; }
 if test "${ac_cv_c_const+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3878,10 +4306,10 @@ main ()
 #ifndef __cplusplus
   /* Ultrix mips cc rejects this.  */
   typedef int charset[2];
-  const charset x;
+  const charset cs;
   /* SunOS 4.1.1 cc rejects this.  */
-  char const *const *ccp;
-  char **p;
+  char const *const *pcpcc;
+  char **ppc;
   /* NEC SVR4.0.2 mips cc rejects this.  */
   struct point {int x, y;};
   static struct point const zero = {0,0};
@@ -3890,16 +4318,17 @@ main ()
      an arm of an if-expression whose if-part is not a constant
      expression */
   const char *g = "string";
-  ccp = &g + (g ? g-g : 0);
+  pcpcc = &g + (g ? g-g : 0);
   /* HPUX 7.0 cc rejects these. */
-  ++ccp;
-  p = (char**) ccp;
-  ccp = (char const *const *) p;
+  ++pcpcc;
+  ppc = (char**) pcpcc;
+  pcpcc = (char const *const *) ppc;
   { /* SCO 3.2v4 cc rejects this.  */
     char *t;
     char const *s = 0 ? (char *) 0 : (char const *) 0;
 
     *t++ = 0;
+    if (s) return 0;
   }
   { /* Someone thinks the Sun supposedly-ANSI compiler will reject this.  */
     int x[] = {25, 17};
@@ -3918,7 +4347,9 @@ main ()
   }
   { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
     const int foo = 10;
+    if (!foo) return 0;
   }
+  return !cs[0] && !zero.x;
 #endif
 
   ;
@@ -3926,38 +4357,34 @@ main ()
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_c_const=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_c_const=no
+	ac_cv_c_const=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6; }
 if test $ac_cv_c_const = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -3966,8 +4393,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for size_t" >&5
-echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_size_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -3978,62 +4405,59 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef size_t ac__type_new_;
 int
 main ()
 {
-if ((size_t *) 0)
+if ((ac__type_new_ *) 0)
   return 0;
-if (sizeof (size_t))
+if (sizeof (ac__type_new_))
   return 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_type_size_t=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_type_size_t=no
+	ac_cv_type_size_t=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
-echo "${ECHO_T}$ac_cv_type_size_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6; }
 if test $ac_cv_type_size_t = yes; then
   :
 else
 
 cat >>confdefs.h <<_ACEOF
-#define size_t unsigned
+#define size_t unsigned int
 _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
 if test "${ac_cv_header_time+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4057,38 +4481,34 @@ return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_header_time=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_header_time=no
+	ac_cv_header_time=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
 if test $ac_cv_header_time = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4097,8 +4517,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
-echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether struct tm is in sys/time.h or time.h" >&5
+echo $ECHO_N "checking whether struct tm is in sys/time.h or time.h... $ECHO_C" >&6; }
 if test "${ac_cv_struct_tm+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4114,44 +4534,42 @@ cat >>conftest.$ac_ext <<_ACEOF
 int
 main ()
 {
-struct tm *tp; tp->tm_sec;
+struct tm tm;
+				     int *p = &tm.tm_sec;
+ 				     return !p;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_cv_struct_tm=time.h
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_struct_tm=sys/time.h
+	ac_cv_struct_tm=sys/time.h
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
-echo "${ECHO_T}$ac_cv_struct_tm" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_struct_tm" >&5
+echo "${ECHO_T}$ac_cv_struct_tm" >&6; }
 if test $ac_cv_struct_tm = sys/time.h; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4160,8 +4578,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
-echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for uid_t in sys/types.h" >&5
+echo $ECHO_N "checking for uid_t in sys/types.h... $ECHO_C" >&6; }
 if test "${ac_cv_type_uid_t+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4183,8 +4601,8 @@ fi
 rm -f conftest*
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
-echo "${ECHO_T}$ac_cv_type_uid_t" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uid_t" >&5
+echo "${ECHO_T}$ac_cv_type_uid_t" >&6; }
 if test $ac_cv_type_uid_t = no; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4201,8 +4619,8 @@ fi
 
 
 ### Checks for library functions.
-echo "$as_me:$LINENO: checking whether closedir returns void" >&5
-echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether closedir returns void" >&5
+echo $ECHO_N "checking whether closedir returns void... $ECHO_C" >&6; }
 if test "${ac_cv_func_closedir_void+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4224,19 +4642,28 @@ int closedir ();
 int
 main ()
 {
-exit (closedir (opendir (".")) != 0);
+return closedir (opendir (".")) != 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -4249,11 +4676,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_closedir_void=yes
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5
-echo "${ECHO_T}$ac_cv_func_closedir_void" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_closedir_void" >&5
+echo "${ECHO_T}$ac_cv_func_closedir_void" >&6; }
 if test $ac_cv_func_closedir_void = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4262,8 +4691,8 @@ _ACEOF
 
 fi
 
-echo "$as_me:$LINENO: checking for error_at_line" >&5
-echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for error_at_line" >&5
+echo $ECHO_N "checking for error_at_line... $ECHO_C" >&6; }
 if test "${ac_cv_lib_error_at_line+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4273,56 +4702,51 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-$ac_includes_default
+#include 
 int
 main ()
 {
-error_at_line (0, 0, "", 0, "");
+error_at_line (0, 0, "", 0, "an error occurred");
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_error_at_line=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_error_at_line=no
+	ac_cv_lib_error_at_line=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5
-echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_error_at_line" >&5
+echo "${ECHO_T}$ac_cv_lib_error_at_line" >&6; }
 if test $ac_cv_lib_error_at_line = no; then
-  case $LIBOBJS in
-    "error.$ac_objext"   | \
-  *" error.$ac_objext"   | \
-    "error.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" error.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS error.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS error.$ac_objext"
+ ;;
 esac
 
 fi
@@ -4331,18 +4755,19 @@ fi
 for ac_header in stdlib.h
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4353,41 +4778,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4396,24 +4817,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -4421,9 +4840,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -4447,25 +4867,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
+    ( cat <<\_ASBOX
 ## -------------------------------------- ##
 ## Report this to Holger Zuleger hznet.de ##
 ## -------------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -4477,8 +4896,8 @@ fi
 
 done
 
-echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
-echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for GNU libc compatible malloc" >&5
+echo $ECHO_N "checking for GNU libc compatible malloc... $ECHO_C" >&6; }
 if test "${ac_cv_func_malloc_0_nonnull+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4491,7 +4910,7 @@ _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#if STDC_HEADERS || HAVE_STDLIB_H
+#if defined STDC_HEADERS || defined HAVE_STDLIB_H
 # include 
 #else
 char *malloc ();
@@ -4500,19 +4919,28 @@ char *malloc ();
 int
 main ()
 {
-exit (malloc (0) ? 0 : 1);
+return ! malloc (0);
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -4525,11 +4953,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_malloc_0_nonnull=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
-echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_malloc_0_nonnull" >&5
+echo "${ECHO_T}$ac_cv_func_malloc_0_nonnull" >&6; }
 if test $ac_cv_func_malloc_0_nonnull = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4541,12 +4971,10 @@ else
 #define HAVE_MALLOC 0
 _ACEOF
 
-   case $LIBOBJS in
-    "malloc.$ac_objext"   | \
-  *" malloc.$ac_objext"   | \
-    "malloc.$ac_objext "* | \
+   case " $LIBOBJS " in
   *" malloc.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS malloc.$ac_objext"
+ ;;
 esac
 
 
@@ -4561,21 +4989,23 @@ fi
 
 
 
-for ac_header in stdlib.h sys/time.h unistd.h
+
+for ac_header in $ac_header_list
 do
 as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
-  echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4586,41 +5016,37 @@ $ac_includes_default
 #include <$ac_header>
 _ACEOF
 rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-  (eval $ac_compile) 2>conftest.er1
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest.$ac_objext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_header_compiler=no
+	ac_header_compiler=no
 fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4629,24 +5055,22 @@ cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <$ac_header>
 _ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
-  (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } >/dev/null; then
-  if test -s conftest.err; then
-    ac_cpp_err=$ac_c_preproc_warn_flag
-    ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
-  else
-    ac_cpp_err=
-  fi
-else
-  ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
   ac_header_preproc=yes
 else
   echo "$as_me: failed program was:" >&5
@@ -4654,9 +5078,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
+
 rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
@@ -4680,25 +5105,24 @@ echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\
 echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
     { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
 echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
-    (
-      cat <<\_ASBOX
+    ( cat <<\_ASBOX
 ## -------------------------------------- ##
 ## Report this to Holger Zuleger hznet.de ##
 ## -------------------------------------- ##
 _ASBOX
-    ) |
-      sed "s/^/$as_me: WARNING:     /" >&2
+     ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
 if test `eval echo '${'$as_ac_Header'}'` = yes; then
@@ -4711,12 +5135,19 @@ fi
 done
 
 
-for ac_func in alarm
+
+
+
+
+
+
+
+for ac_func in $ac_func_list
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -4742,68 +5173,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -4812,8 +5235,24 @@ _ACEOF
 fi
 done
 
-echo "$as_me:$LINENO: checking for working mktime" >&5
-echo $ECHO_N "checking for working mktime... $ECHO_C" >&6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking for working mktime" >&5
+echo $ECHO_N "checking for working mktime... $ECHO_C" >&6; }
 if test "${ac_cv_func_working_mktime+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -4827,26 +5266,24 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 /* Test program from Paul Eggert and Tony Leneis.  */
-#if TIME_WITH_SYS_TIME
+#ifdef TIME_WITH_SYS_TIME
 # include 
 # include 
 #else
-# if HAVE_SYS_TIME_H
+# ifdef HAVE_SYS_TIME_H
 #  include 
 # else
 #  include 
 # endif
 #endif
 
-#if HAVE_STDLIB_H
-# include 
-#endif
+#include 
 
-#if HAVE_UNISTD_H
+#ifdef HAVE_UNISTD_H
 # include 
 #endif
 
-#if !HAVE_ALARM
+#ifndef HAVE_ALARM
 # define alarm(X) /* empty */
 #endif
 
@@ -4863,9 +5300,9 @@ static char *tz_strings[] = {
 };
 #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0]))
 
-/* Fail if mktime fails to convert a date in the spring-forward gap.
+/* Return 0 if mktime fails to convert a date in the spring-forward gap.
    Based on a problem report from Andreas Jaeger.  */
-static void
+static int
 spring_forward_gap ()
 {
   /* glibc (up to about 1998-10-07) failed this test. */
@@ -4884,29 +5321,27 @@ spring_forward_gap ()
   tm.tm_min = 0;
   tm.tm_sec = 0;
   tm.tm_isdst = -1;
-  if (mktime (&tm) == (time_t)-1)
-    exit (1);
+  return mktime (&tm) != (time_t) -1;
 }
 
-static void
+static int
 mktime_test1 (now)
      time_t now;
 {
   struct tm *lt;
-  if ((lt = localtime (&now)) && mktime (lt) != now)
-    exit (1);
+  return ! (lt = localtime (&now)) || mktime (lt) == now;
 }
 
-static void
+static int
 mktime_test (now)
      time_t now;
 {
-  mktime_test1 (now);
-  mktime_test1 ((time_t) (time_t_max - now));
-  mktime_test1 ((time_t) (time_t_min + now));
+  return (mktime_test1 (now)
+	  && mktime_test1 ((time_t) (time_t_max - now))
+	  && mktime_test1 ((time_t) (time_t_min + now)));
 }
 
-static void
+static int
 irix_6_4_bug ()
 {
   /* Based on code from Ariel Faigon.  */
@@ -4919,11 +5354,10 @@ irix_6_4_bug ()
   tm.tm_sec = 0;
   tm.tm_isdst = -1;
   mktime (&tm);
-  if (tm.tm_mon != 2 || tm.tm_mday != 31)
-    exit (1);
+  return tm.tm_mon == 2 && tm.tm_mday == 31;
 }
 
-static void
+static int
 bigtime_test (j)
      int j;
 {
@@ -4945,8 +5379,39 @@ bigtime_test (j)
 	     && lt->tm_wday == tm.tm_wday
 	     && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst)
 		  == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst))))
-	exit (1);
+	return 0;
     }
+  return 1;
+}
+
+static int
+year_2050_test ()
+{
+  /* The correct answer for 2050-02-01 00:00:00 in Pacific time,
+     ignoring leap seconds.  */
+  unsigned long int answer = 2527315200UL;
+
+  struct tm tm;
+  time_t t;
+  tm.tm_year = 2050 - 1900;
+  tm.tm_mon = 2 - 1;
+  tm.tm_mday = 1;
+  tm.tm_hour = tm.tm_min = tm.tm_sec = 0;
+  tm.tm_isdst = -1;
+
+  /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0"
+     instead of "TZ=America/Vancouver" in order to detect the bug even
+     on systems that don't support the Olson extension, or don't have the
+     full zoneinfo tables installed.  */
+  putenv ("TZ=PST8PDT,M4.1.0,M10.5.0");
+
+  t = mktime (&tm);
+
+  /* Check that the result is either a failure, or close enough
+     to the correct answer that we can assume the discrepancy is
+     due to leap seconds.  */
+  return (t == (time_t) -1
+	  || (0 < t && answer - 120 <= t && t <= answer + 120));
 }
 
 int
@@ -4973,28 +5438,39 @@ main ()
 	putenv (tz_strings[i]);
 
       for (t = 0; t <= time_t_max - delta; t += delta)
-	mktime_test (t);
-      mktime_test ((time_t) 1);
-      mktime_test ((time_t) (60 * 60));
-      mktime_test ((time_t) (60 * 60 * 24));
+	if (! mktime_test (t))
+	  return 1;
+      if (! (mktime_test ((time_t) 1)
+	     && mktime_test ((time_t) (60 * 60))
+	     && mktime_test ((time_t) (60 * 60 * 24))))
+	return 1;
 
       for (j = 1; 0 < j; j *= 2)
-	bigtime_test (j);
-      bigtime_test (j - 1);
+	if (! bigtime_test (j))
+	  return 1;
+      if (! bigtime_test (j - 1))
+	return 1;
     }
-  irix_6_4_bug ();
-  spring_forward_gap ();
-  exit (0);
+  return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ());
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -5007,24 +5483,24 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_working_mktime=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5
-echo "${ECHO_T}$ac_cv_func_working_mktime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_working_mktime" >&5
+echo "${ECHO_T}$ac_cv_func_working_mktime" >&6; }
 if test $ac_cv_func_working_mktime = no; then
-  case $LIBOBJS in
-    "mktime.$ac_objext"   | \
-  *" mktime.$ac_objext"   | \
-    "mktime.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" mktime.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS mktime.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS mktime.$ac_objext"
+ ;;
 esac
 
 fi
 
-echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5
-echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether lstat dereferences a symlink specified with a trailing slash" >&5
+echo $ECHO_N "checking whether lstat dereferences a symlink specified with a trailing slash... $ECHO_C" >&6; }
 if test "${ac_cv_func_lstat_dereferences_slashed_symlink+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5048,19 +5524,28 @@ struct stat sbuf;
      /* Linux will dereference the symlink and fail.
 	That is better in the sense that it means we will not
 	have to compile and use the lstat wrapper.  */
-     exit (lstat ("conftest.sym/", &sbuf) ? 0 : 1);
+     return lstat ("conftest.sym/", &sbuf) == 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -5073,8 +5558,10 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_lstat_dereferences_slashed_symlink=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 else
   # If the `ln -s' command failed, then we probably don't even
   # have an lstat function.
@@ -5083,8 +5570,8 @@ fi
 rm -f conftest.sym conftest.file
 
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5
-echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5
+echo "${ECHO_T}$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; }
 
 test $ac_cv_func_lstat_dereferences_slashed_symlink = yes &&
 
@@ -5094,18 +5581,16 @@ _ACEOF
 
 
 if test $ac_cv_func_lstat_dereferences_slashed_symlink = no; then
-  case $LIBOBJS in
-    "lstat.$ac_objext"   | \
-  *" lstat.$ac_objext"   | \
-    "lstat.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" lstat.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS lstat.$ac_objext"
+ ;;
 esac
 
 fi
 
-echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5
-echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking whether stat accepts an empty string" >&5
+echo $ECHO_N "checking whether stat accepts an empty string... $ECHO_C" >&6; }
 if test "${ac_cv_func_stat_empty_string_bug+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5123,43 +5608,52 @@ int
 main ()
 {
 struct stat sbuf;
-  exit (stat ("", &sbuf) ? 1 : 0);
+  return stat ("", &sbuf) == 0;
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  ac_cv_func_stat_empty_string_bug=yes
+  ac_cv_func_stat_empty_string_bug=no
 else
   echo "$as_me: program exited with status $ac_status" >&5
 echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-ac_cv_func_stat_empty_string_bug=no
+ac_cv_func_stat_empty_string_bug=yes
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5
-echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_stat_empty_string_bug" >&5
+echo "${ECHO_T}$ac_cv_func_stat_empty_string_bug" >&6; }
 if test $ac_cv_func_stat_empty_string_bug = yes; then
-  case $LIBOBJS in
-    "stat.$ac_objext"   | \
-  *" stat.$ac_objext"   | \
-    "stat.$ac_objext "* | \
+  case " $LIBOBJS " in
   *" stat.$ac_objext "* ) ;;
-  *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;;
+  *) LIBOBJS="$LIBOBJS stat.$ac_objext"
+ ;;
 esac
 
 
@@ -5173,9 +5667,9 @@ fi
 for ac_func in strftime
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -5201,68 +5695,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -5270,8 +5756,8 @@ _ACEOF
 
 else
   # strftime is in -lintl on SCO UNIX.
-echo "$as_me:$LINENO: checking for strftime in -lintl" >&5
-echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for strftime in -lintl" >&5
+echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_intl_strftime+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5284,56 +5770,53 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char strftime ();
 int
 main ()
 {
-strftime ();
+return strftime ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_intl_strftime=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_intl_strftime=no
+	ac_cv_lib_intl_strftime=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5
-echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_intl_strftime" >&5
+echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6; }
 if test $ac_cv_lib_intl_strftime = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_STRFTIME 1
@@ -5345,8 +5828,16 @@ fi
 fi
 done
 
-echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5
-echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6
+
+
+
+
+
+
+
+
+{ echo "$as_me:$LINENO: checking whether utime accepts a null argument" >&5
+echo $ECHO_N "checking whether utime accepts a null argument... $ECHO_C" >&6; }
 if test "${ac_cv_func_utime_null+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5362,27 +5853,39 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+	       #ifdef HAVE_UTIME_H
+	       # include 
+	       #endif
 int
 main ()
 {
 struct stat s, t;
-  exit (!(stat ("conftest.data", &s) == 0
-	  && utime ("conftest.data", (long *)0) == 0
-	  && stat ("conftest.data", &t) == 0
-	  && t.st_mtime >= s.st_mtime
-	  && t.st_mtime - s.st_mtime < 120));
+  return ! (stat ("conftest.data", &s) == 0
+	    && utime ("conftest.data", 0) == 0
+	    && stat ("conftest.data", &t) == 0
+	    && t.st_mtime >= s.st_mtime
+	    && t.st_mtime - s.st_mtime < 120);
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>&5
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
   ac_status=$?
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
@@ -5395,12 +5898,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 ( exit $ac_status )
 ac_cv_func_utime_null=no
 fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
-rm -f core *.core
+
+
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5
-echo "${ECHO_T}$ac_cv_func_utime_null" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func_utime_null" >&5
+echo "${ECHO_T}$ac_cv_func_utime_null" >&6; }
 if test $ac_cv_func_utime_null = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -5414,9 +5918,9 @@ rm -f conftest.data
 for ac_func in vprintf
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -5442,75 +5946,67 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
-echo "$as_me:$LINENO: checking for _doprnt" >&5
-echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6
+{ echo "$as_me:$LINENO: checking for _doprnt" >&5
+echo $ECHO_N "checking for _doprnt... $ECHO_C" >&6; }
 if test "${ac_cv_func__doprnt+set}" = set; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
@@ -5537,68 +6033,59 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef _doprnt
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char _doprnt ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub__doprnt) || defined (__stub____doprnt)
+#if defined __stub__doprnt || defined __stub____doprnt
 choke me
-#else
-char (*f) () = _doprnt;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != _doprnt;
+return _doprnt ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func__doprnt=yes
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_func__doprnt=no
+	ac_cv_func__doprnt=no
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5
-echo "${ECHO_T}$ac_cv_func__doprnt" >&6
+{ echo "$as_me:$LINENO: result: $ac_cv_func__doprnt" >&5
+echo "${ECHO_T}$ac_cv_func__doprnt" >&6; }
 if test $ac_cv_func__doprnt = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -5612,6 +6099,7 @@ done
 
 
 # 2008-07-04 getopt_long added
+# 2009-07-30 timegm added
 
 
 
@@ -5625,12 +6113,14 @@ done
 
 
 
-for ac_func in getopt_long gettimeofday memset setenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime
+
+
+for ac_func in getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
   echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -5656,68 +6146,60 @@ cat >>conftest.$ac_ext <<_ACEOF
 
 #undef $ac_func
 
-/* Override any gcc2 internal prototype to avoid an error.  */
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
 #ifdef __cplusplus
 extern "C"
-{
 #endif
-/* We use char because int might match the return type of a gcc2
-   builtin and then its argument prototype would still apply.  */
 char $ac_func ();
 /* The GNU C library defines this for functions which it implements
     to always fail with ENOSYS.  Some functions are actually named
     something starting with __ and the normal name is an alias.  */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
+#if defined __stub_$ac_func || defined __stub___$ac_func
 choke me
-#else
-char (*f) () = $ac_func;
-#endif
-#ifdef __cplusplus
-}
 #endif
 
 int
 main ()
 {
-return f != $ac_func;
+return $ac_func ();
   ;
   return 0;
 }
 _ACEOF
 rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
-  (eval $ac_link) 2>conftest.er1
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
   echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } &&
-	 { ac_try='test -z "$ac_c_werror_flag"
-			 || test ! -s conftest.err'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; } &&
-	 { ac_try='test -s conftest$ac_exeext'
-  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-  (eval $ac_try) 2>&5
-  ac_status=$?
-  echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); }; }; then
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
   echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-eval "$as_ac_var=no"
+	eval "$as_ac_var=no"
 fi
-rm -f conftest.err conftest.$ac_objext \
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
@@ -5728,7 +6210,7 @@ done
 
 
 
-          ac_config_files="$ac_config_files Makefile"
+ac_config_files="$ac_config_files Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5748,39 +6230,58 @@ _ACEOF
 
 # The following way of writing the cache mishandles newlines in values,
 # but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
+# So, we kill variables containing newlines.
 # Ultrix sh set writes to stderr and can't be redirected directly,
 # and sets the high bit in the cache file unless we assign to the vars.
-{
+(
+  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+    eval ac_val=\$$ac_var
+    case $ac_val in #(
+    *${as_nl}*)
+      case $ac_var in #(
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      esac
+      case $ac_var in #(
+      _ | IFS | as_nl) ;; #(
+      *) $as_unset $ac_var ;;
+      esac ;;
+    esac
+  done
+
   (set) 2>&1 |
-    case `(ac_space=' '; set | grep ac_space) 2>&1` in
-    *ac_space=\ *)
+    case $as_nl`(ac_space=' '; set) 2>&1` in #(
+    *${as_nl}ac_space=\ *)
       # `set' does not quote correctly, so add quotes (double-quote
       # substitution turns \\\\ into \\, and sed turns \\ into \).
       sed -n \
 	"s/'/'\\\\''/g;
 	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
-      ;;
+      ;; #(
     *)
       # `set' quotes correctly as required by POSIX, so do not add quotes.
-      sed -n \
-	"s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
       ;;
-    esac;
-} |
+    esac |
+    sort
+) |
   sed '
+     /^ac_cv_env_/b end
      t clear
-     : clear
+     :clear
      s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
      t end
-     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
-     : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
-  if test -w $cache_file; then
-    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+  if test -w "$cache_file"; then
+    test "x$cache_file" != "x/dev/null" &&
+      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
     cat confcache >$cache_file
   else
-    echo "not updating unwritable cache $cache_file"
+    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
 rm -f confcache
@@ -5789,32 +6290,18 @@ test "x$prefix" = xNONE && prefix=$ac_default_prefix
 # Let make expand exec_prefix.
 test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
 
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
-  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
-s/:*\$(srcdir):*/:/;
-s/:*\${srcdir}:*/:/;
-s/:*@srcdir@:*/:/;
-s/^\([^=]*=[	 ]*\):*/\1/;
-s/:*$//;
-s/^[^=]*=[	 ]*$//;
-}'
-fi
-
 DEFS=-DHAVE_CONFIG_H
 
 ac_libobjs=
 ac_ltlibobjs=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
-  ac_i=`echo "$ac_i" |
-	 sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
-  # 2. Add them.
-  ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
-  ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
+  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+  ac_i=`echo "$ac_i" | sed "$ac_script"`
+  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
+  #    will be set to the directory where LIBOBJS objects are built.
+  ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+  ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
 done
 LIBOBJS=$ac_libobjs
 
@@ -5845,73 +6332,26 @@ cat >>$CONFIG_STATUS <<\_ACEOF
 ## M4sh Initialization.  ##
 ## --------------------- ##
 
-# Be Bourne compatible
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
   # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
-  set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
-  as_unset=unset
+  setopt NO_GLOB_SUBST
 else
-  as_unset=false
+  case `(set -o) 2>/dev/null` in
+  *posix*) set -o posix ;;
+esac
+
 fi
 
 
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
-  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
-  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
-  LC_TELEPHONE LC_TIME
-do
-  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
-    eval $as_var=C; export $as_var
-  else
-    $as_unset $as_var
-  fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
-  as_expr=expr
-else
-  as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
-  as_basename=basename
-else
-  as_basename=false
-fi
 
 
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
-	 X"$0" : 'X\(//\)$' \| \
-	 X"$0" : 'X\(/\)$' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
-    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
-  	  /^X\/\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\/\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
+# PATH needs CR
 # Avoid depending upon Character Ranges.
 as_cr_letters='abcdefghijklmnopqrstuvwxyz'
 as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
@@ -5932,126 +6372,198 @@ if test "${PATH_SEPARATOR+set}" != set; then
   rm -f conf$$.sh
 fi
 
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
 
-  as_lineno_1=$LINENO
-  as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
-  test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
-  # Find who we are.  Look in the path if we contain no path at all
-  # relative or not.
-  case $0 in
-    *[\\/]* ) as_myself=$0 ;;
-    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+
+# IFS
+# We need space, tab and new line, in precisely that order.  Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" ""	$as_nl"
+
+# Find who we are.  Look in the path if we contain no directory separator.
+case $0 in
+  *[\\/]* ) as_myself=$0 ;;
+  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
 done
+IFS=$as_save_IFS
 
-       ;;
-  esac
-  # We did not find ourselves, most probably we were run as `sh COMMAND'
-  # in which case we are not to be found in the path.
-  if test "x$as_myself" = x; then
-    as_myself=$0
-  fi
-  if test ! -f "$as_myself"; then
-    { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
-   { (exit 1); exit 1; }; }
-  fi
-  case $CONFIG_SHELL in
-  '')
-    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+     ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+  as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
 do
-  IFS=$as_save_IFS
-  test -z "$as_dir" && as_dir=.
-  for as_base in sh bash ksh sh5; do
-	 case $as_dir in
-	 /*)
-	   if ("$as_dir/$as_base" -c '
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\/\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+
   as_lineno_1=$LINENO
   as_lineno_2=$LINENO
-  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
   test "x$as_lineno_1" != "x$as_lineno_2" &&
-  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
-	     $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
-	     $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
-	     CONFIG_SHELL=$as_dir/$as_base
-	     export CONFIG_SHELL
-	     exec "$CONFIG_SHELL" "$0" ${1+"$@"}
-	   fi;;
-	 esac
-       done
-done
-;;
-  esac
+  test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
 
   # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
   # uniformly replaced by the line number.  The first 'sed' inserts a
-  # line-number line before each line; the second 'sed' does the real
-  # work.  The second script uses 'N' to pair each line-number line
-  # with the numbered line, and appends trailing '-' during
-  # substitution so that $LINENO is not a special case at line end.
+  # line-number line after each line using $LINENO; the second 'sed'
+  # does the real work.  The second script uses 'N' to pair each
+  # line-number line with the line containing $LINENO, and appends
+  # trailing '-' during substitution so that $LINENO is not a special
+  # case at line end.
   # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
-  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
-  sed '=' <$as_myself |
+  # scripts with optimization help from Paolo Bonzini.  Blame Lee
+  # E. McMahon (1931-1989) for sed's syntax.  :-)
+  sed -n '
+    p
+    /[$]LINENO/=
+  ' <$as_myself |
     sed '
+      s/[$]LINENO.*/&-/
+      t lineno
+      b
+      :lineno
       N
-      s,$,-,
-      : loop
-      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+      :loop
+      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
       t loop
-      s,-$,,
-      s,^['$as_cr_digits']*\n,,
+      s/-\n.*//
     ' >$as_me.lineno &&
-  chmod +x $as_me.lineno ||
-    { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
+  chmod +x "$as_me.lineno" ||
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
   # (the dirname of $[0] is not the place where we might find the
-  # original and so on.  Autoconf is especially sensible to this).
-  . ./$as_me.lineno
+  # original and so on.  Autoconf is especially sensitive to this).
+  . "./$as_me.lineno"
   # Exit status is that of the last command.
   exit
 }
 
 
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
-  *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T='	' ;;
-  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
-  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+  as_dirname=dirname
+else
+  as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+  case `echo 'x\c'` in
+  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
+  *)   ECHO_C='\c';;
+  esac;;
+*)
+  ECHO_N='-n';;
 esac
 
-if expr a : '\(a\)' >/dev/null 2>&1; then
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+   test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
 else
   as_expr=false
 fi
 
 rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+  rm -f conf$$.dir/conf$$.file
+else
+  rm -f conf$$.dir
+  mkdir conf$$.dir
+fi
 echo >conf$$.file
 if ln -s conf$$.file conf$$ 2>/dev/null; then
-  # We could just check for DJGPP; but this test a) works b) is more generic
-  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
-  if test -f conf$$.exe; then
-    # Don't use ln at all; we don't have any links
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  else
-    as_ln_s='ln -s'
-  fi
 elif ln conf$$.file conf$$ 2>/dev/null; then
   as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
-rm -f conf$$ conf$$.exe conf$$.file
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
 
 if mkdir -p . 2>/dev/null; then
   as_mkdir_p=:
@@ -6060,7 +6572,28 @@ else
   as_mkdir_p=false
 fi
 
-as_executable_p="test -f"
+if test -x / >/dev/null 2>&1; then
+  as_test_x='test -x'
+else
+  if ls -dL / >/dev/null 2>&1; then
+    as_ls_L_option=L
+  else
+    as_ls_L_option=
+  fi
+  as_test_x='
+    eval sh -c '\''
+      if test -d "$1"; then
+        test -d "$1/.";
+      else
+	case $1 in
+        -*)set "./$1";;
+	esac;
+	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+	???[sx]*):;;*)false;;esac;fi
+    '\'' sh
+  '
+fi
+as_executable_p=$as_test_x
 
 # Sed expression to map a string onto a valid CPP name.
 as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
@@ -6069,31 +6602,14 @@ as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
 as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
 
 
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" 	$as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
 exec 6>&1
 
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
+# Save the log message, to keep $[0] and so on meaningful, and to
 # report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling.  Logging --version etc. is OK.
-exec 5>>config.log
-{
-  echo
-  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-
-This file was extended by ZKT $as_me 0.98, which was
-generated by GNU Autoconf 2.59.  Invocation command line was
+# values after options handling.
+ac_log="
+This file was extended by ZKT $as_me 0.99c, which was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -6101,30 +6617,19 @@ generated by GNU Autoconf 2.59.  Invocation command line was
   CONFIG_COMMANDS = $CONFIG_COMMANDS
   $ $0 $@
 
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
 _ACEOF
 
+cat >>$CONFIG_STATUS <<_ACEOF
 # Files that config.status was made for.
-if test -n "$ac_config_files"; then
-  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
-fi
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
 
-if test -n "$ac_config_headers"; then
-  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_links"; then
-  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_commands"; then
-  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
-fi
+_ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
-
 ac_cs_usage="\
 \`$as_me' instantiates files from templates according to the
 current configuration.
@@ -6132,7 +6637,7 @@ current configuration.
 Usage: $0 [OPTIONS] [FILE]...
 
   -h, --help       print this help, then exit
-  -V, --version    print version number, then exit
+  -V, --version    print version number and configuration settings, then exit
   -q, --quiet      do not print progress messages
   -d, --debug      don't remove temporary files
       --recheck    update $as_me by reconfiguring in the same conditions
@@ -6148,18 +6653,20 @@ Configuration headers:
 $config_headers
 
 Report bugs to ."
-_ACEOF
 
+_ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-ZKT config.status 0.98
-configured by $0, generated by GNU Autoconf 2.59,
-  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
+ZKT config.status 0.99c
+configured by $0, generated by GNU Autoconf 2.61,
+  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-Copyright (C) 2003 Free Software Foundation, Inc.
+Copyright (C) 2006 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
-srcdir=$srcdir
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
 _ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
@@ -6170,39 +6677,24 @@ while test $# != 0
 do
   case $1 in
   --*=*)
-    ac_option=`expr "x$1" : 'x\([^=]*\)='`
-    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+    ac_option=`expr "X$1" : 'X\([^=]*\)='`
+    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
     ac_shift=:
     ;;
-  -*)
+  *)
     ac_option=$1
     ac_optarg=$2
     ac_shift=shift
     ;;
-  *) # This is not an option, so the user has probably given explicit
-     # arguments.
-     ac_option=$1
-     ac_need_defaults=false;;
   esac
 
   case $ac_option in
   # Handling of the options.
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
     ac_cs_recheck=: ;;
-  --version | --vers* | -V )
-    echo "$ac_cs_version"; exit 0 ;;
-  --he | --h)
-    # Conflict between --help and --header
-    { { echo "$as_me:$LINENO: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2;}
-   { (exit 1); exit 1; }; };;
-  --help | --hel | -h )
-    echo "$ac_cs_usage"; exit 0 ;;
-  --debug | --d* | -d )
+  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+    echo "$ac_cs_version"; exit ;;
+  --debug | --debu | --deb | --de | --d | -d )
     debug=: ;;
   --file | --fil | --fi | --f )
     $ac_shift
@@ -6212,18 +6704,24 @@ Try \`$0 --help' for more information." >&2;}
     $ac_shift
     CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
     ac_need_defaults=false;;
+  --he | --h)
+    # Conflict between --help and --header
+    { echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2
+   { (exit 1); exit 1; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit ;;
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil | --si | --s)
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2;}
+  -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; } ;;
 
-  *) ac_config_targets="$ac_config_targets $1" ;;
+  *) ac_config_targets="$ac_config_targets $1"
+     ac_need_defaults=false ;;
 
   esac
   shift
@@ -6239,29 +6737,43 @@ fi
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 if \$ac_cs_recheck; then
-  echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
-  exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_SHELL=$SHELL
+  export CONFIG_SHELL
+  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
 fi
 
 _ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+  echo "$ac_log"
+} >&5
 
-
-
-
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+_ACEOF
 
 cat >>$CONFIG_STATUS <<\_ACEOF
+
+# Handling of arguments.
 for ac_config_target in $ac_config_targets
 do
-  case "$ac_config_target" in
-  # Handling of arguments.
-  "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
-  "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+  case $ac_config_target in
+    "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+
   *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
 echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
    { (exit 1); exit 1; }; };;
   esac
 done
 
+
 # If the user did not use the arguments to specify the items to instantiate,
 # then the envvar interface is used.  Set only those that are not.
 # We use the long form for the default assignment because of an extremely
@@ -6272,292 +6784,360 @@ if $ac_need_defaults; then
 fi
 
 # Have a temporary directory for convenience.  Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
+# simply because there is no reason against having it here, and in addition,
 # creating and moving files from /tmp can sometimes cause problems.
-# Create a temporary directory, and hook for its removal unless debugging.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
 $debug ||
 {
-  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+  tmp=
+  trap 'exit_status=$?
+  { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
   trap '{ (exit 1); exit 1; }' 1 2 13 15
 }
-
 # Create a (secure) tmp directory for tmp files.
 
 {
-  tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
   test -n "$tmp" && test -d "$tmp"
 }  ||
 {
-  tmp=./confstat$$-$RANDOM
-  (umask 077 && mkdir $tmp)
+  tmp=./conf$$-$RANDOM
+  (umask 077 && mkdir "$tmp")
 } ||
 {
    echo "$me: cannot create a temporary directory in ." >&2
    { (exit 1); exit 1; }
 }
 
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-
 #
-# CONFIG_FILES section.
+# Set up the sed scripts for CONFIG_FILES section.
 #
 
 # No need to generate the scripts if there are no CONFIG_FILES.
 # This happens for instance when ./config.status config.h
-if test -n "\$CONFIG_FILES"; then
-  # Protect against being on the right side of a sed subst in config.status.
-  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
-   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
-s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
-s,@exec_prefix@,$exec_prefix,;t t
-s,@prefix@,$prefix,;t t
-s,@program_transform_name@,$program_transform_name,;t t
-s,@bindir@,$bindir,;t t
-s,@sbindir@,$sbindir,;t t
-s,@libexecdir@,$libexecdir,;t t
-s,@datadir@,$datadir,;t t
-s,@sysconfdir@,$sysconfdir,;t t
-s,@sharedstatedir@,$sharedstatedir,;t t
-s,@localstatedir@,$localstatedir,;t t
-s,@libdir@,$libdir,;t t
-s,@includedir@,$includedir,;t t
-s,@oldincludedir@,$oldincludedir,;t t
-s,@infodir@,$infodir,;t t
-s,@mandir@,$mandir,;t t
-s,@build_alias@,$build_alias,;t t
-s,@host_alias@,$host_alias,;t t
-s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
-s,@ECHO_C@,$ECHO_C,;t t
-s,@ECHO_N@,$ECHO_N,;t t
-s,@ECHO_T@,$ECHO_T,;t t
-s,@LIBS@,$LIBS,;t t
-s,@CC@,$CC,;t t
-s,@CFLAGS@,$CFLAGS,;t t
-s,@LDFLAGS@,$LDFLAGS,;t t
-s,@CPPFLAGS@,$CPPFLAGS,;t t
-s,@ac_ct_CC@,$ac_ct_CC,;t t
-s,@EXEEXT@,$EXEEXT,;t t
-s,@OBJEXT@,$OBJEXT,;t t
-s,@SIGNZONE_PROG@,$SIGNZONE_PROG,;t t
-s,@CPP@,$CPP,;t t
-s,@EGREP@,$EGREP,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-CEOF
+if test -n "$CONFIG_FILES"; then
 
 _ACEOF
 
-  cat >>$CONFIG_STATUS <<\_ACEOF
-  # Split the substitutions into bite-sized pieces for seds with
-  # small command number limits, like on Digital OSF/1 and HP-UX.
-  ac_max_sed_lines=48
-  ac_sed_frag=1 # Number of current file.
-  ac_beg=1 # First line for current file.
-  ac_end=$ac_max_sed_lines # Line after last line for current file.
-  ac_more_lines=:
-  ac_sed_cmds=
-  while $ac_more_lines; do
-    if test $ac_beg -gt 1; then
-      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    else
-      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
-    fi
-    if test ! -s $tmp/subs.frag; then
-      ac_more_lines=false
-    else
-      # The purpose of the label and of the branching condition is to
-      # speed up the sed processing (if there are no `@' at all, there
-      # is no need to browse any of the substitutions).
-      # These are the two extra sed commands mentioned above.
-      (echo ':t
-  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
-      if test -z "$ac_sed_cmds"; then
-	ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
-      else
-	ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
-      fi
-      ac_sed_frag=`expr $ac_sed_frag + 1`
-      ac_beg=$ac_end
-      ac_end=`expr $ac_end + $ac_max_sed_lines`
-    fi
-  done
-  if test -z "$ac_sed_cmds"; then
-    ac_sed_cmds=cat
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+SIGNZONE_PROG!$SIGNZONE_PROG$ac_delim
+CPP!$CPP$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 50; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS >$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[	 ]*VPATH[	 ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[	 ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[	 ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF
 fi # test -n "$CONFIG_FILES"
 
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
-  case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
+
+for ac_tag in  :F $CONFIG_FILES  :H $CONFIG_HEADERS
+do
+  case $ac_tag in
+  :[FHLC]) ac_mode=$ac_tag; continue;;
+  esac
+  case $ac_mode$ac_tag in
+  :[FHL]*:*);;
+  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+   { (exit 1); exit 1; }; };;
+  :[FH]-) ac_tag=-:-;;
+  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+  esac
+  ac_save_IFS=$IFS
+  IFS=:
+  set x $ac_tag
+  IFS=$ac_save_IFS
+  shift
+  ac_file=$1
+  shift
+
+  case $ac_mode in
+  :L) ac_source=$1;;
+  :[FH])
+    ac_file_inputs=
+    for ac_f
+    do
+      case $ac_f in
+      -) ac_f="$tmp/stdin";;
+      *) # Look for the file first in the build tree, then in the source tree
+	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
+	 # because $ac_f cannot contain `:'.
+	 test -f "$ac_f" ||
+	   case $ac_f in
+	   [\\/$]*) false;;
+	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+	   esac ||
+	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+   { (exit 1); exit 1; }; };;
+      esac
+      ac_file_inputs="$ac_file_inputs $ac_f"
+    done
+
+    # Let's still pretend it is `configure' which instantiates (i.e., don't
+    # use $as_me), people would be surprised to read:
+    #    /* config.h.  Generated by config.status.  */
+    configure_input="Generated from "`IFS=:
+	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+    if test x"$ac_file" != x-; then
+      configure_input="$ac_file.  $configure_input"
+      { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    fi
+
+    case $ac_tag in
+    *:-:* | *:-) cat >"$tmp/stdin";;
+    esac
+    ;;
   esac
 
-  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
-  ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+  ac_dir=`$as_dirname -- "$ac_file" ||
 $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$ac_file" : 'X\(//\)[^/]' \| \
 	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-  { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+  { as_dir="$ac_dir"
+  case $as_dir in #(
+  -*) as_dir=./$as_dir;;
+  esac
+  test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
     as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+    while :; do
+      case $as_dir in #(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+      *) as_qdir=$as_dir;;
+      esac
+      as_dirs="'$as_qdir' $as_dirs"
+      as_dir=`$as_dirname -- "$as_dir" ||
 $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$as_dir" : 'X\(//\)[^/]' \| \
 	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
+	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
 echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)[^/].*/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\/\)$/{
+	    s//\1/
+	    q
+	  }
+	  /^X\(\/\).*/{
+	    s//\1/
+	    q
+	  }
+	  s/.*/./; q'`
+      test -d "$as_dir" && break
     done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+    test -z "$as_dirs" || eval "mkdir $as_dirs"
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
    { (exit 1); exit 1; }; }; }
-
   ac_builddir=.
 
-if test "$ac_dir" != .; then
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
   ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
-  # A "../" for each directory in $ac_dir_suffix.
-  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
-  ac_dir_suffix= ac_top_builddir=
-fi
+  # A ".." for each directory in $ac_dir_suffix.
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+  case $ac_top_builddir_sub in
+  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+  esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
 
 case $srcdir in
-  .)  # No --srcdir option.  We are building in place.
+  .)  # We are building in place.
     ac_srcdir=.
-    if test -z "$ac_top_builddir"; then
-       ac_top_srcdir=.
-    else
-       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
-    fi ;;
-  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_top_srcdir=$ac_top_builddir_sub
+    ac_abs_top_srcdir=$ac_pwd ;;
+  [\\/]* | ?:[\\/]* )  # Absolute name.
     ac_srcdir=$srcdir$ac_dir_suffix;
-    ac_top_srcdir=$srcdir ;;
-  *) # Relative path.
-    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
-    ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
-  case "$ac_dir" in
-  .) ac_abs_builddir=`pwd`;;
-  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
-  *) ac_abs_builddir=`pwd`/"$ac_dir";;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
-  case ${ac_top_builddir}. in
-  .) ac_abs_top_builddir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
-  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
-  case $ac_srcdir in
-  .) ac_abs_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
-  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
-  esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
-  case $ac_top_srcdir in
-  .) ac_abs_top_srcdir=$ac_abs_builddir;;
-  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
-  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
-  esac;;
+    ac_top_srcdir=$srcdir
+    ac_abs_top_srcdir=$srcdir ;;
+  *) # Relative name.
+    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_build_prefix$srcdir
+    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
 esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
 
 
+  case $ac_mode in
+  :F)
+  #
+  # CONFIG_FILE
+  #
 
-  if test x"$ac_file" != x-; then
-    { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-    rm -f "$ac_file"
-  fi
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    configure_input=
-  else
-    configure_input="$ac_file.  "
-  fi
-  configure_input=$configure_input"Generated from `echo $ac_file_in |
-				     sed 's,.*/,,'` by configure."
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
 _ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+case `sed -n '/datarootdir/ {
+  p
+  q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+  ac_datarootdir_hack='
+  s&@datadir@&$datadir&g
+  s&@docdir@&$docdir&g
+  s&@infodir@&$infodir&g
+  s&@localedir@&$localedir&g
+  s&@mandir@&$mandir&g
+    s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
 cat >>$CONFIG_STATUS <<_ACEOF
   sed "$ac_vpsub
 $extrasub
@@ -6565,251 +7145,136 @@ _ACEOF
 cat >>$CONFIG_STATUS <<\_ACEOF
 :t
 /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s,@configure_input@,$configure_input,;t t
-s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
-s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
-" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
-  rm -f $tmp/stdin
-  if test x"$ac_file" != x-; then
-    mv $tmp/out $ac_file
-  else
-    cat $tmp/out
-    rm -f $tmp/out
-  fi
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" >$tmp/out
 
-done
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+  { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined.  Please make sure it is defined." >&2;}
 
-#
-# CONFIG_HEADER section.
-#
-
-# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
-# NAME is the cpp macro being defined and VALUE is the value it is being given.
-#
-# ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s,^\([	 ]*\)#\([	 ]*define[	 ][	 ]*\)'
-ac_dB='[	 ].*$,\1#\2'
-ac_dC=' '
-ac_dD=',;t'
-# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_uA='s,^\([	 ]*\)#\([	 ]*\)undef\([	 ][	 ]*\)'
-ac_uB='$,\1#\2define\3'
-ac_uC=' '
-ac_uD=',;t'
-
-for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
-  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  rm -f "$tmp/stdin"
   case $ac_file in
-  - | *:- | *:-:* ) # input from stdin
-	cat >$tmp/stdin
-	ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
-	ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
-  * )   ac_file_in=$ac_file.in ;;
+  -) cat "$tmp/out"; rm -f "$tmp/out";;
+  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
   esac
-
-  test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-
-  # First look for the input files in the build tree, otherwise in the
-  # src tree.
-  ac_file_inputs=`IFS=:
-    for f in $ac_file_in; do
-      case $f in
-      -) echo $tmp/stdin ;;
-      [\\/$]*)
-	 # Absolute (can't be DOS-style, as IFS=:)
-	 test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 # Do quote $f, to prevent DOS paths from being IFS'd.
-	 echo "$f";;
-      *) # Relative
-	 if test -f "$f"; then
-	   # Build tree
-	   echo "$f"
-	 elif test -f "$srcdir/$f"; then
-	   # Source tree
-	   echo "$srcdir/$f"
-	 else
-	   # /dev/null tree
-	   { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
-   { (exit 1); exit 1; }; }
-	 fi;;
-      esac
-    done` || { (exit 1); exit 1; }
-  # Remove the trailing spaces.
-  sed 's/[	 ]*$//' $ac_file_inputs >$tmp/in
-
+ ;;
+  :H)
+  #
+  # CONFIG_HEADER
+  #
 _ACEOF
 
-# Transform confdefs.h into two sed scripts, `conftest.defines' and
-# `conftest.undefs', that substitutes the proper values into
-# config.h.in to produce config.h.  The first handles `#define'
-# templates, and the second `#undef' templates.
-# And first: Protect against being on the right side of a sed subst in
-# config.status.  Protect against being in an unquoted here document
-# in config.status.
-rm -f conftest.defines conftest.undefs
-# Using a here document instead of a string reduces the quoting nightmare.
-# Putting comments in sed scripts is not portable.
-#
-# `end' is used to avoid that the second main sed command (meant for
-# 0-ary CPP macros) applies to n-ary macro definitions.
-# See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
-s/[\\&,]/\\&/g
-s,[\\$`],\\&,g
-t clear
-: clear
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*\)\(([^)]*)\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
-t end
-s,^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
-: end
-_ACEOF
-# If some macros were called several times there might be several times
-# the same #defines, which is useless.  Nevertheless, we may not want to
-# sort them, since we want the *last* AC-DEFINE to be honored.
-uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
-sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
-rm -f confdef2sed.sed
+# Transform confdefs.h into a sed script `conftest.defines', that
+# substitutes the proper values into config.h.in to produce config.h.
+rm -f conftest.defines conftest.tail
+# First, append a space to every undef/define line, to ease matching.
+echo 's/$/ /' >conftest.defines
+# Then, protect against being on the right side of a sed subst, or in
+# an unquoted here document, in config.status.  If some macros were
+# called several times there might be several #defines for the same
+# symbol, which is useless.  But do not sort them, since the last
+# AC_DEFINE must be honored.
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
+# NAME is the cpp macro being defined, VALUE is the value it is being given.
+# PARAMS is the parameter list in the macro definition--in most cases, it's
+# just an empty string.
+ac_dA='s,^\\([	 #]*\\)[^	 ]*\\([	 ]*'
+ac_dB='\\)[	 (].*,\\1define\\2'
+ac_dC=' '
+ac_dD=' ,'
 
-# This sed command replaces #undef with comments.  This is necessary, for
+uniq confdefs.h |
+  sed -n '
+	t rset
+	:rset
+	s/^[	 ]*#[	 ]*define[	 ][	 ]*//
+	t ok
+	d
+	:ok
+	s/[\\&,]/\\&/g
+	s/^\('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
+	s/^\('"$ac_word_re"'\)[	 ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
+  ' >>conftest.defines
+
+# Remove the space that was appended to ease matching.
+# Then replace #undef with comments.  This is necessary, for
 # example, in the case of _POSIX_SOURCE, which is predefined and required
 # on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
-s,^[	 ]*#[	 ]*undef[	 ][	 ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
+# (The regexp can be short, since the line contains either #define or #undef.)
+echo 's/ $//
+s,^[	 #]*u.*,/* & */,' >>conftest.defines
 
-# Break up conftest.defines because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo '  if grep "^[	 ]*#[	 ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
-echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
-echo '  :' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.defines >/dev/null
+# Break up conftest.defines:
+ac_max_sed_lines=50
+
+# First sed command is:	 sed -f defines.sed $ac_file_inputs >"$tmp/out1"
+# Second one is:	 sed -f defines.sed "$tmp/out1" >"$tmp/out2"
+# Third one will be:	 sed -f defines.sed "$tmp/out2" >"$tmp/out1"
+# et cetera.
+ac_in='$ac_file_inputs'
+ac_out='"$tmp/out1"'
+ac_nxt='"$tmp/out2"'
+
+while :
 do
-  # Write a limited-size here document to $tmp/defines.sed.
-  echo '  cat >$tmp/defines.sed <>$CONFIG_STATUS
-  # Speed up: don't consider the non `#define' lines.
-  echo '/^[	 ]*#[	 ]*define/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+  # Write a here document:
+    cat >>$CONFIG_STATUS <<_ACEOF
+    # First, check the format of the line:
+    cat >"\$tmp/defines.sed" <<\\CEOF
+/^[	 ]*#[	 ]*undef[	 ][	 ]*$ac_word_re[	 ]*\$/b def
+/^[	 ]*#[	 ]*define[	 ][	 ]*$ac_word_re[(	 ]/b def
+b
+:def
+_ACEOF
+  sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
   echo 'CEOF
-  sed -f $tmp/defines.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+    sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
+  ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
+  sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
+  grep . conftest.tail >/dev/null || break
   rm -f conftest.defines
   mv conftest.tail conftest.defines
 done
-rm -f conftest.defines
-echo '  fi # grep' >>$CONFIG_STATUS
-echo >>$CONFIG_STATUS
-
-# Break up conftest.undefs because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.undefs >/dev/null
-do
-  # Write a limited-size here document to $tmp/undefs.sed.
-  echo '  cat >$tmp/undefs.sed <>$CONFIG_STATUS
-  # Speed up: don't consider the non `#undef'
-  echo '/^[	 ]*#[	 ]*undef/!b' >>$CONFIG_STATUS
-  # Work around the forget-to-reset-the-flag bug.
-  echo 't clr' >>$CONFIG_STATUS
-  echo ': clr' >>$CONFIG_STATUS
-  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
-  echo 'CEOF
-  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
-  rm -f $tmp/in
-  mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
-  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
-  rm -f conftest.undefs
-  mv conftest.tail conftest.undefs
-done
-rm -f conftest.undefs
+rm -f conftest.defines conftest.tail
 
+echo "ac_result=$ac_in" >>$CONFIG_STATUS
 cat >>$CONFIG_STATUS <<\_ACEOF
-  # Let's still pretend it is `configure' which instantiates (i.e., don't
-  # use $as_me), people would be surprised to read:
-  #    /* config.h.  Generated by config.status.  */
-  if test x"$ac_file" = x-; then
-    echo "/* Generated by configure.  */" >$tmp/config.h
-  else
-    echo "/* $ac_file.  Generated by configure.  */" >$tmp/config.h
-  fi
-  cat $tmp/in >>$tmp/config.h
-  rm -f $tmp/in
   if test x"$ac_file" != x-; then
-    if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+    echo "/* $configure_input  */" >"$tmp/config.h"
+    cat "$ac_result" >>"$tmp/config.h"
+    if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
       { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
 echo "$as_me: $ac_file is unchanged" >&6;}
     else
-      ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$ac_file" : 'X\(//\)[^/]' \| \
-	 X"$ac_file" : 'X\(//\)$' \| \
-	 X"$ac_file" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-      { if $as_mkdir_p; then
-    mkdir -p "$ac_dir"
-  else
-    as_dir="$ac_dir"
-    as_dirs=
-    while test ! -d "$as_dir"; do
-      as_dirs="$as_dir $as_dirs"
-      as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_dir" : 'X\(//\)[^/]' \| \
-	 X"$as_dir" : 'X\(//\)$' \| \
-	 X"$as_dir" : 'X\(/\)' \| \
-	 .     : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
-    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
-  	  /^X\(\/\/\)[^/].*/{ s//\1/; q; }
-  	  /^X\(\/\/\)$/{ s//\1/; q; }
-  	  /^X\(\/\).*/{ s//\1/; q; }
-  	  s/.*/./; q'`
-    done
-    test ! -n "$as_dirs" || mkdir $as_dirs
-  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
-   { (exit 1); exit 1; }; }; }
-
       rm -f $ac_file
-      mv $tmp/config.h $ac_file
+      mv "$tmp/config.h" $ac_file
     fi
   else
-    cat $tmp/config.h
-    rm -f $tmp/config.h
+    echo "/* $configure_input  */"
+    cat "$ac_result"
   fi
-done
-_ACEOF
+  rm -f "$tmp/out12"
+ ;;
+
+
+  esac
+
+done # for ac_tag
 
-cat >>$CONFIG_STATUS <<\_ACEOF
 
 { (exit 0); exit 0; }
 _ACEOF
diff --git a/contrib/zkt/configure.ac b/contrib/zkt/configure.ac
new file mode 100644
index 0000000000..0b0f1c00da
--- /dev/null
+++ b/contrib/zkt/configure.ac
@@ -0,0 +1,142 @@
+#                                               -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+#
+#	@(#) configure.ac 
+#
+#	2008-06-27	initial setup
+#	2008-06-29	add of BIND path checking
+#	2008-06-30	add of arg checkings
+#	2008-07-02	additional arg checkings
+#	2008-07-04	check for getopt_long() added
+#	2008-08-30	check for unsigned integer types
+#	2008-10-01	if BIND_UTIL_PATH check failed, use config_zkt.h setting as last resort
+#	2009-07-30	check for timegm() added
+#
+
+AC_PREREQ(2.59)
+
+### Package name and current version
+AC_INIT(ZKT, 0.99c, Holger Zuleger hznet.de)
+dnl AC_REVISION($Revision: 1.1 $)
+
+### Files to test to check if src dir contains the package
+AC_CONFIG_SRCDIR([dnssec-zkt.c])
+AC_CONFIG_HEADER([config.h])
+
+
+### Checks for programs.
+AC_PROG_CC
+
+### find out the path to BIND utils and version
+AC_PATH_PROG([SIGNZONE_PROG], dnssec-signzone)
+if test -z "$SIGNZONE_PROG" ; then
+#        AC_MSG_ERROR([*** 'BIND dnssec-signzone dnssec-keygen' missing, please install or fix your \$PATH ***])
+        AC_MSG_WARN([*** 'BIND dnssec-signzone' missing, use default BIND_UTIL_PATH and BIND_VERSION setting out of config_zkt.h ***])
+else
+	bind_util_path=`dirname "$SIGNZONE_PROG"`
+	# define BIND_UTIL_PATH in config.h.in
+	AC_DEFINE_UNQUOTED(BIND_UTIL_PATH, "$bind_util_path/", Path to BIND utilities)
+	# define BIND_VERSION in config.h.in
+	bind_version=`$SIGNZONE_PROG 2>&1 | grep "Version:" | tr -cd "0-9" | sed "s/^\(...\).*/\1/"`
+	AC_DEFINE_UNQUOTED(BIND_VERSION, $bind_version, BIND version as integer number without dots)
+fi
+
+AC_CHECK_TYPE(uint, unsigned int)
+AC_CHECK_TYPE(ulong, unsigned long)
+AC_CHECK_TYPE(ushort, unsigned short)
+AC_CHECK_TYPE(uchar, unsigned char)
+
+### define configure arguments
+AC_ARG_ENABLE([printtimezone], AC_HELP_STRING( [--enable-print-timezone], [print out timezone]), [printtimezone=$enableval])
+printtimezone=0
+test "$printtimezone" = yes && printtimezone=1
+AC_DEFINE_UNQUOTED(PRINT_TIMEZONE, $printtimezone, print out timezone)
+
+AC_ARG_ENABLE([printyear], AC_HELP_STRING( [--enable-print-age], [print age of year]), [printyear=$enableval])
+printyear=0
+test "$printyear" = yes && printyear=1
+AC_DEFINE_UNQUOTED(PRINT_AGE_OF_YEAR, $printyear, print age of year)
+
+AC_ARG_ENABLE([logprogname], AC_HELP_STRING( [--enable-log-progname], [log with progname]), [logprogname=$enableval])
+logprogname=0
+test "$logprogname" = yes && logprogname=1
+AC_DEFINE_UNQUOTED(LOG_WITH_PROGNAME, $logprogname, log with progname)
+
+AC_ARG_ENABLE([logtimestamp], AC_HELP_STRING( [--disable-log-timestamp], [do not log with timestamp]), [logtimestamp=$enableval])
+logtimestamp=1
+test "$logtimestamp" = no && logtimestamp=0
+AC_DEFINE_UNQUOTED(LOG_WITH_TIMESTAMP, $logtimestamp, log with timestamp)
+
+AC_ARG_ENABLE([loglevel], AC_HELP_STRING( [--disable-log-level], [do not log with level]), [loglevel=$enableval])
+loglevel=1
+test "$loglevel" = no && loglevel=0
+AC_DEFINE_UNQUOTED(LOG_WITH_LEVEL, $loglevel, log with level)
+
+AC_ARG_ENABLE([ttl_in_keyfile], AC_HELP_STRING( [--disable-ttl-in-keyfiles], [do not allow TTL values in keyfiles]), [ttl_in_keyfile=$enableval])
+ttl_in_keyfile=1
+test "$ttl_in_keyfile" = no && ttl_in_keyfile=0
+AC_DEFINE_UNQUOTED(TTL_IN_KEYFILE_ALLOWED, $ttl_in_keyfile, TTL in keyfiles allowed)
+
+configpath="/var/named"
+AC_ARG_ENABLE([configpath], 
+	AC_HELP_STRING( [--enable-configpath=PATH], [set path of config file (defaults to /var/named)]),
+	[configpath=$enableval])
+case "$configpath" in
+yes)
+	configpath="/var/named"
+	;;
+no)
+	configpath=""
+	;;
+*)
+	;;
+esac
+AC_DEFINE_UNQUOTED(CONFIG_PATH, "$configpath/", [set path of config file (defaults to /var/named)])
+
+usetree=1
+t="T"
+AC_ARG_ENABLE([tree], 
+	AC_HELP_STRING( [--disable-tree], [use single linked list instead of binary tree data structure for dnssec-zkt]),
+	[usetree=$enableval])
+if test "$usetree" = no
+then
+	usetree=0
+	t=""
+fi
+AC_DEFINE_UNQUOTED(USE_TREE, $usetree, Use TREE data structure for dnssec-zkt)
+
+AC_DEFINE_UNQUOTED(ZKT_VERSION, "v$t$PACKAGE_VERSION (c) Feb 2005 - Aug 2009 Holger Zuleger hznet.de", ZKT version string)
+
+### Checks for libraries.
+
+
+### Checks for header files.
+AC_HEADER_DIRENT
+AC_HEADER_STDC
+AC_CHECK_HEADERS([fcntl.h netdb.h stdlib.h getopt.h string.h strings.h sys/socket.h sys/time.h sys/types.h syslog.h unistd.h utime.h])
+
+
+### Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+AC_STRUCT_TM
+AC_TYPE_UID_T
+
+
+### Checks for library functions.
+AC_FUNC_CLOSEDIR_VOID
+AC_FUNC_ERROR_AT_LINE
+AC_FUNC_MALLOC
+AC_FUNC_MKTIME
+AC_FUNC_STAT
+AC_FUNC_STRFTIME
+AC_FUNC_UTIME_NULL
+AC_FUNC_VPRINTF
+# 2008-07-04 getopt_long added
+# 2009-07-30 timegm added
+AC_CHECK_FUNCS([getopt_long gettimeofday memset putenv socket strcasecmp strchr strdup strerror strncasecmp strrchr tzset utime getuid timegm])
+
+
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
diff --git a/contrib/zkt/dki.c b/contrib/zkt/dki.c
index c6320294bd..b6a68db4bc 100644
--- a/contrib/zkt/dki.c
+++ b/contrib/zkt/dki.c
@@ -400,7 +400,7 @@ int	dki_readdir (const char *dir, dki_t **listp, int recursive)
 
 	while ( (dentp = readdir (dirp)) != NULL )
 	{
-		if ( is_dotfile (dentp->d_name) )
+		if ( is_dotfilename (dentp->d_name) )
 			continue;
 
 		dbg_val ("directory: check %s\n", dentp->d_name);
@@ -679,7 +679,6 @@ int	dki_prt_dnskeyttl (const dki_t *dkp, FILE *fp, int ttl)
 {
 	char	*p;
 
-	dki_estr[0] = '\0';
 	if ( dkp == NULL )
 		return 0;
 
@@ -711,7 +710,6 @@ int	dki_prt_dnskey_raw (const dki_t *dkp, FILE *fp)
 {
 	int	days;
 
-	dki_estr[0] = '\0';
 	if ( dkp == NULL )
 		return 0;
 
@@ -741,7 +739,6 @@ int	dki_prt_comment (const dki_t *dkp, FILE *fp)
 {
 	int	len = 0;
 
-	dki_estr[0] = '\0';
 	if ( dkp == NULL )
 		return len;
 	len += fprintf (fp, "; %s  ", dkp->name);
@@ -761,7 +758,6 @@ int	dki_prt_trustedkey (const dki_t *dkp, FILE *fp)
 	int	spaces;
 	int	len = 0;
 
-	dki_estr[0] = '\0';
 	if ( dkp == NULL )
 		return len;
 	len += fprintf (fp, "\"%s\"  ", dkp->name);
@@ -792,7 +788,6 @@ int	dki_cmp (const dki_t *a, const dki_t *b)
 {
 	int	res;
 
-	dki_estr[0] = '\0';
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
@@ -816,7 +811,6 @@ int	dki_allcmp (const dki_t *a, const dki_t *b)
 {
 	int	res;
 
-	dki_estr[0] = '\0';
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
@@ -842,7 +836,6 @@ int	dki_allcmp (const dki_t *a, const dki_t *b)
 *****************************************************************/
 int	dki_namecmp (const dki_t *a, const dki_t *b)
 {
-	dki_estr[0] = '\0';
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
@@ -853,7 +846,6 @@ int	dki_namecmp (const dki_t *a, const dki_t *b)
 *****************************************************************/
 int	dki_tagcmp (const dki_t *a, const dki_t *b)
 {
-	dki_estr[0] = '\0';
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
@@ -866,19 +858,26 @@ int	dki_tagcmp (const dki_t *a, const dki_t *b)
 *****************************************************************/
 int	dki_timecmp (const dki_t *a, const dki_t *b)
 {
-	dki_estr[0] = '\0';
 	if ( a == NULL ) return -1;
 	if ( b == NULL ) return 1;
 
 	return ((ulong)a->time - (ulong)b->time);
 }
 
+/*****************************************************************
+**	dki_algo ()	return the algorithm of the key
+*****************************************************************/
+time_t	dki_algo (const dki_t *dkp)
+{
+	assert (dkp != NULL);
+	return (dkp->algo);
+}
+
 /*****************************************************************
 **	dki_time ()	return the timestamp of the key
 *****************************************************************/
 time_t	dki_time (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->time);
 }
@@ -888,7 +887,6 @@ time_t	dki_time (const dki_t *dkp)
 *****************************************************************/
 time_t	dki_exptime (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->exptime);
 }
@@ -898,7 +896,6 @@ time_t	dki_exptime (const dki_t *dkp)
 *****************************************************************/
 time_t	dki_lifetime (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->lifetime);
 }
@@ -908,7 +905,6 @@ time_t	dki_lifetime (const dki_t *dkp)
 *****************************************************************/
 ushort	dki_lifetimedays (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->lifetime / DAYSEC);
 }
@@ -918,7 +914,6 @@ ushort	dki_lifetimedays (const dki_t *dkp)
 *****************************************************************/
 time_t	dki_gentime (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->gentime > 0L ? dkp->gentime: dkp->time);
 }
@@ -933,7 +928,6 @@ ushort	dki_setlifetime (dki_t *dkp, int days)
 	ulong	lifetsec;
 	char	path[MAX_PATHSIZE+1];
 
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 
 	lifetsec = dkp->lifetime;		/* old lifetime */
@@ -959,7 +953,6 @@ time_t	dki_setexptime (dki_t *dkp, time_t sec)
 	char	path[MAX_PATHSIZE+1];
 	time_t	oldexptime;
 
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 
 	dbg_val1 ("dki_setexptime (%ld)\n", sec);
@@ -980,7 +973,6 @@ time_t	dki_setexptime (dki_t *dkp, time_t sec)
 *****************************************************************/
 int	dki_age (const dki_t *dkp, time_t curr)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return ((ulong)curr - (ulong)dkp->time);
 }
@@ -990,7 +982,6 @@ int	dki_age (const dki_t *dkp, time_t curr)
 *****************************************************************/
 dk_flag_t	dki_getflag (const dki_t *dkp, time_t curr)
 {
-	dki_estr[0] = '\0';
 	return dkp->flags;
 }
 
@@ -999,7 +990,6 @@ dk_flag_t	dki_getflag (const dki_t *dkp, time_t curr)
 *****************************************************************/
 dk_flag_t	dki_setflag (dki_t *dkp, dk_flag_t flag)
 {
-	dki_estr[0] = '\0';
 	return dkp->flags |= (ushort)flag;
 }
 
@@ -1008,7 +998,6 @@ dk_flag_t	dki_setflag (dki_t *dkp, dk_flag_t flag)
 *****************************************************************/
 dk_flag_t	dki_unsetflag (dki_t *dkp, dk_flag_t flag)
 {
-	dki_estr[0] = '\0';
 	return dkp->flags &= ~((ushort)flag);
 }
 
@@ -1017,7 +1006,6 @@ dk_flag_t	dki_unsetflag (dki_t *dkp, dk_flag_t flag)
 *****************************************************************/
 int	dki_isksk (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->flags & DK_FLAG_KSK) == DK_FLAG_KSK;
 }
@@ -1027,7 +1015,6 @@ int	dki_isksk (const dki_t *dkp)
 *****************************************************************/
 int	dki_isrevoked (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->flags & DK_FLAG_REVOKE) == DK_FLAG_REVOKE;
 }
@@ -1037,7 +1024,6 @@ int	dki_isrevoked (const dki_t *dkp)
 *****************************************************************/
 int	dki_isdepreciated (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	return dki_status (dkp) == DKI_DEPRECIATED;
 }
 
@@ -1046,7 +1032,6 @@ int	dki_isdepreciated (const dki_t *dkp)
 *****************************************************************/
 int	dki_isactive (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	return dki_status (dkp) == DKI_ACTIVE;
 }
 
@@ -1055,7 +1040,6 @@ int	dki_isactive (const dki_t *dkp)
 *****************************************************************/
 int	dki_ispublished (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	return dki_status (dkp) == DKI_PUBLISHED;
 }
 
@@ -1065,7 +1049,6 @@ int	dki_ispublished (const dki_t *dkp)
 *****************************************************************/
 dk_status_t	dki_status (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	return (dkp->status);
 }
@@ -1075,7 +1058,6 @@ dk_status_t	dki_status (const dki_t *dkp)
 *****************************************************************/
 const	char	*dki_statusstr (const dki_t *dkp)
 {
-	dki_estr[0] = '\0';
 	assert (dkp != NULL);
 	switch ( dkp->status )
 	{
@@ -1099,7 +1081,6 @@ dki_t	*dki_add (dki_t **list, dki_t *new)
 	dki_t	*curr;
 	dki_t	*last;
 
-	dki_estr[0] = '\0';
 	if ( list == NULL )
 		return NULL;
 	if ( new == NULL )
@@ -1129,7 +1110,6 @@ const dki_t	*dki_search (const dki_t *list, int tag, const char *name)
 {
 	const dki_t	*curr;
 
-	dki_estr[0] = '\0';
 	curr = list;
 	if ( tag )
 		while ( curr && (tag != curr->tag ||
@@ -1152,7 +1132,6 @@ dki_t	*dki_tadd (dki_t **tree, dki_t *new)
 {
 	dki_t	**p;
 
-	dki_estr[0] = '\0';
 	p = tsearch (new, tree, dki_namecmp);
 	if ( *p == new )
 		dbg_val ("dki_tadd: New entry %s added\n", new->name);
@@ -1174,7 +1153,6 @@ const dki_t	*dki_tsearch (const dki_t *tree, int tag, const char *name)
 	dki_t	search;
 	dki_t	**p;
 
-	dki_estr[0] = '\0';
 	search.tag = tag;
 	snprintf (search.name, sizeof (search.name), "%s", name);
 	p = tfind (&search, &tree, dki_namecmp);
@@ -1193,7 +1171,6 @@ const dki_t	*dki_find (const dki_t *list, int ksk, int status, int no)
 	const	dki_t	*dkp;
 	const	dki_t	*last;
 
-	dki_estr[0] = '\0';
 	last = NULL;
 	for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
 		if ( dki_isksk (dkp) == ksk && dki_status (dkp) == status )
@@ -1204,3 +1181,24 @@ const dki_t	*dki_find (const dki_t *list, int ksk, int status, int no)
 
 	return last;
 }
+
+/*****************************************************************
+**	dki_findalgo ()	find the n'th ksk or zsk key with given
+**			algorithm and status
+*****************************************************************/
+const dki_t	*dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)
+{
+	const	dki_t	*dkp;
+	const	dki_t	*last;
+
+	last = NULL;
+	for ( dkp = list; no > 0 && dkp; dkp = dkp->next )
+		if ( dki_isksk (dkp) == ksk && dki_algo (dkp) == alg &&
+						dki_status (dkp) == status )
+		{
+			no--;
+			last = dkp;
+		}
+
+	return last;
+}
diff --git a/contrib/zkt/dki.h b/contrib/zkt/dki.h
index e50c3a29d3..a8b3426363 100644
--- a/contrib/zkt/dki.h
+++ b/contrib/zkt/dki.h
@@ -163,6 +163,7 @@ extern	int	dki_isdepreciated (const dki_t *dkp);
 extern	int	dki_isrevoked (const dki_t *dkp);
 extern	int	dki_isactive (const dki_t *dkp);
 extern	int	dki_ispublished (const dki_t *dkp);
+extern	time_t	dki_algo (const dki_t *dkp);
 extern	time_t	dki_time (const dki_t *dkp);
 extern	time_t	dki_exptime (const dki_t *dkp);
 extern	time_t	dki_gentime (const dki_t *dkp);
@@ -179,6 +180,7 @@ extern	dki_t	*dki_add (dki_t **dkp, dki_t *new);
 extern	const dki_t	*dki_tsearch (const dki_t *tree, int tag, const char *name);
 extern	const dki_t	*dki_search (const dki_t *list, int tag, const char *name);
 extern	const dki_t	*dki_find (const dki_t *list, int ksk, int status, int first);
+extern	const dki_t	*dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no);
 extern	void	dki_free (dki_t *dkp);
 extern	void	dki_freelist (dki_t **listp);
 extern	char	*dki_algo2str (int algo);
diff --git a/contrib/zkt/dnssec-signer.c b/contrib/zkt/dnssec-signer.c
index a971cb2f90..69b69d54e8 100644
--- a/contrib/zkt/dnssec-signer.c
+++ b/contrib/zkt/dnssec-signer.c
@@ -57,6 +57,8 @@
 # include "debug.h"
 # include "misc.h"
 # include "ncparse.h"
+# include "nscomm.h"
+# include "soaserial.h"
 # include "zone.h"
 # include "dki.h"
 # include "rollover.h"
@@ -100,9 +102,6 @@ static	int	check_keydb_timestamp (dki_t *keylist, time_t reftime);
 static	int	new_keysetfiles (const char *dir, time_t zone_signing_time);
 static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl);
 static	int	sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf);
-static	int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
-static	int	reload_zone (const char *domain, const zconf_t *z);
-static	int	dist_and_reload (const zone_t *zp);
 static	void	register_key (dki_t *listp, const zconf_t *z);
 static	void	copy_keyset (const char *dir, const char *domain, const zconf_t *conf);
 
@@ -112,11 +111,11 @@ extern  int	opterr;
 extern  int	optind;
 extern  char	*optarg;
 const	char	*progname;
-const	char	*viewname = NULL;
-const	char	*logfile = NULL;
-const	char	*origin = NULL;
-const	char	*namedconf = NULL;
-const	char	*dirname = NULL;
+static	const	char	*viewname = NULL;
+static	const	char	*logfile = NULL;
+static	const	char	*origin = NULL;
+static	const	char	*namedconf = NULL;
+static	const	char	*dirname = NULL;
 static	int	verbose = 0;
 static	int	force = 0;
 static	int	reloadflag = 0;
@@ -135,7 +134,9 @@ int	main (int argc, char *const argv[])
 {
 	int	c;
 	int	errcnt;
+#if defined(HAVE_GETOPT_LONG) && HAVE_GETOPT_LONG
 	int	opt_index;
+#endif
 	char	errstr[255+1];
 	char	*p;
 	const	char	*defconfname;
@@ -147,7 +148,7 @@ int	main (int argc, char *const argv[])
 	viewname = getnameappendix (progname, "dnssec-signer");
 
 	defconfname = getdefconfname (viewname);
-	config = loadconfig ("", (zconf_t *)NULL);	/* load built in config */
+	config = loadconfig ("", (zconf_t *)NULL);	/* load build-in config */
 	if ( fileexist (defconfname) )			/* load default config file */
 		config = loadconfig (defconfname, config);
 	if ( config == NULL )
@@ -202,11 +203,11 @@ int	main (int argc, char *const argv[])
 			break;
 #if defined(BIND_VERSION) && BIND_VERSION >= 940
 		case 'd':
-#if BIND_VERSION >= 960
+# if BIND_VERSION >= 960
 			set_bind96_dynzone (dynamic_zone);
-#else
+# else
 			set_bind94_dynzone(dynamic_zone);
-#endif
+# endif
 			/* dynamic zone requires a name server reload... */
 			reloadflag = 0;		/* ...but "rndc thaw" reloads the zone anyway */
 			break;
@@ -215,7 +216,8 @@ int	main (int argc, char *const argv[])
 			noexec = 1;
 			break;
 		case 'r':
-			reloadflag = 1;
+			if ( !dynamic_zone )	/* dynamic zones don't need a rndc reload (see "-d" */
+				reloadflag = 1;
 			break;
 		case 'v':
 			verbose++;
@@ -238,6 +240,7 @@ int	main (int argc, char *const argv[])
 	/* store some of the commandline parameter in the config structure */
 	setconfigpar (config, "--view", viewname);
 	setconfigpar (config, "-v", &verbose);
+	setconfigpar (config, "--noexec", &noexec);
 	if ( logfile == NULL )
 		logfile = config->logfile;
 
@@ -276,7 +279,7 @@ int	main (int argc, char *const argv[])
 		memset (dir, '\0', sizeof (dir));
 		if ( config->zonedir )
 			strncpy (dir, config->zonedir, sizeof(dir));
-		if ( !parse_namedconf (namedconf, dir, sizeof (dir), add2zonelist) )
+		if ( !parse_namedconf (namedconf, config->chroot_dir, dir, sizeof (dir), add2zonelist) )
 			fatal ("Can't read file %s as namedconf file\n", namedconf);
 		if ( zonelist == NULL )
 			fatal ("No signed zone found in file %s\n", namedconf);
@@ -423,7 +426,7 @@ static	int	parsedir (const char *dir, zone_t **zp, const zconf_t *conf)
 
 	while ( (dentp = readdir (dirp)) != NULL )
 	{
-		if ( is_dotfile (dentp->d_name) )
+		if ( is_dotfilename (dentp->d_name) )
 			continue;
 
 		pathname (path, sizeof (path), dir, dentp->d_name, NULL);
@@ -496,10 +499,16 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 	if ( !newkey )
 		newkey = check_keydb_timestamp (zp->keys, file_mtime (path));
 
-	/* if we work in subdir mode, check if there is a new keyset- file */
 	newkeysetfile = 0;
+#if defined(ALWAYS_CHECK_KEYSETFILES) && ALWAYS_CHECK_KEYSETFILES	/* patch from Shane Wegner 15. June 2009 */
+	/* check if there is a new keyset- file */
+	if ( !newkey )
+		newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#else
+	/* if we work in subdir mode, check if there is a new keyset- file */
 	if ( !newkey && zp->conf->keysetdir && strcmp (zp->conf->keysetdir, "..") == 0 )
 		newkeysetfile = new_keysetfiles (zp->dir, zfilesig_time);
+#endif
 
 	/**
 	** Check if it is time to do a re-sign. This is the case if
@@ -605,13 +614,21 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 
 			pathname (zfile, sizeof (zfile), zp->dir, zp->file, NULL);
 			pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
-			if ( filesize (path) == 0L )	/* initial signing request */
+			if ( filesize (path) == 0L )    /* initial signing request ? */
 			{
 				verbmesg (1, zp->conf, "\tDynamic Zone signing: Initial signing request: Add DNSKEYs to zonefile\n");
 				copyfile (zfile, path, zp->conf->keyfile);
 			}
+#if 1
+			else if ( zfile_time > zfilesig_time )  /* zone.db is newer than signed file */
+			{
+				verbmesg (1, zp->conf, "\tDynamic Zone signing: zone file manually edited: Use it as new input file\n");
+				copyfile (zfile, path, NULL);
+			}
+#endif
 			verbmesg (1, zp->conf, "\tDynamic Zone signing: copy old signed zone file %s to new input file %s\n",
 										path, zfile); 
+
 			if ( newkey )	/* if we have new keys, they should be added to the zone file */
 				copyzonefile (path, zfile, zp->conf->keyfile);
 			else		/* else we can do a simple file copy */
@@ -621,7 +638,7 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 		timer = start_timer ();
 		if ( (err = sign_zone (zp->dir, zp->zone, zp->file, zp->conf)) < 0 )
 		{
-			error ("Signing of zone %s failed (%d)!\n", zp->zone, err);
+			error ("\tSigning of zone %s failed (%d)!\n", zp->zone, err);
 			lg_mesg (LG_ERROR, "\"%s\": signing failed!", zp->zone);
 		}
 		timer = stop_timer (timer);
@@ -629,6 +646,7 @@ static	int	dosigning (zone_t *zonelist, zone_t *zp)
 		if ( dynamic_zone )
 			dyn_update_freeze (zp->zone, zp->conf, 0);	/* thaw dynamic zone file */
 
+		if ( err >= 0 )
 		{
 		const	char	*tstr = str_delspace (age2str (timer));
 
@@ -807,27 +825,12 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 
 	nsec3param[0] = '\0';
 #if defined(BIND_VERSION) && BIND_VERSION >= 960
-	if ( conf->z_algo == DK_ALGO_NSEC3DSA || conf->z_algo == DK_ALGO_NSEC3RSASHA1 )
+	if ( conf->k_algo == DK_ALGO_NSEC3DSA || conf->k_algo == DK_ALGO_NSEC3RSASHA1 )
 	{
-		static	char	hexstr[] = "0123456789ABCDEF";
-		static	int	seed = 0;
 		char	salt[510+1];	/* salt has a maximum of 255 bytes == 510 hex nibbles */
-		int	saltlen = 0;	/* current length of salt in hex nibbles */
-		int	i;
-		int	hex;
 
-		if ( seed == 0 )
-			srandom (seed = (unsigned int)time (NULL));
-
-		saltlen = conf->saltbits / 4;
-		for ( i = 0; i < saltlen; i++ )
-		{
-			hex = random () % 16;
-			assert ( hex >= 0 && hex < 16 );
-			salt[i] = hexstr[hex];
-		}
-		salt[i] = '\0';
-		snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
+		if ( gensalt (salt, sizeof (salt), conf->saltbits) )
+			snprintf (nsec3param, sizeof (nsec3param), "-3 %s ", salt);
 	}
 #endif
 
@@ -847,23 +850,34 @@ static	int	sign_zone (const char *dir, const char *domain, const char *file, con
 	dbg_line();
 #if defined(BIND_VERSION) && BIND_VERSION >= 940
 	if ( dynamic_zone )
-		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s-o %s -e +%d %s -N increment -f %s.dsigned %s K*.private",
-			dir, SIGNCMD, param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
+		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s -N increment -f %s.dsigned %s K*.private 2>&1",
+			dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file, file);
 	else
 #endif
-		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%d %s %s K*.private",
+		snprintf (cmd, sizeof (cmd), "cd %s; %s %s %s%s%s%s%s-o %s -e +%ld %s %s K*.private 2>&1",
 			dir, SIGNCMD, param, nsec3param, gends, pseudo, rparam, keysetdir, domain, conf->sigvalidity, str, file);
 	verbmesg (2, conf, "\t  Run cmd \"%s\"\n", cmd);
 	*str = '\0';
 	if ( noexec == 0 )
 	{
+#if 0
 		if ( (fp = popen (cmd, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
 			return -1;
+#else
+		if ( (fp = popen (cmd, "r")) == NULL )
+			return -1;
+		str[0] = '\0';
+		while ( fgets (str, sizeof str, fp) != NULL )	/* eat up all output until the last line */
+			;
+#endif
 		pclose (fp);
 	}
 
 	dbg_line();
 	verbmesg (2, conf, "\t  Cmd dnssec-signzone return: \"%s\"\n", str_chop (str, '\n'));
+	len = strlen (str) - 6;
+	if ( len < 0 || strcmp (str+len, "signed") != 0 )
+		return -1;
 
 	return 0;
 }
@@ -897,155 +911,3 @@ static	void	copy_keyset (const char *dir, const char *domain, const zconf_t *con
 		}
 	}
 }
-
-static	int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
-{
-	char	cmdline[254+1];
-	char	str[254+1];
-	char	*action;
-	FILE	*fp;
-
-	assert (z != NULL);
-	if ( freeze )
-		action = "freeze";
-	else
-		action = "thaw";
-
-	if ( z->view )
-		snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
-	else
-		snprintf (str, sizeof (str), "\"%s\"", domain);
-
-	lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action);
-	verbmesg (1, z, "\t%s dynamic zone %s\n", action, str);
-
-	if ( z->view )
-		snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain);
-
-	verbmesg (2, z, "\t  Run cmd \"%s\"\n", cmdline);
-	*str = '\0';
-	if ( noexec == 0 )
-	{
-		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
-			return -1;
-		pclose (fp);
-	}
-
-	verbmesg (2, z, "\t  rndc %s return: \"%s\"\n", action, str_chop (str, '\n'));
-
-	return 0;
-}
-
-/*****************************************************************
-**	distribute and reload a zone via "distribute_command"
-*****************************************************************/
-static	int	dist_and_reload (const zone_t *zp)
-{
-	char	path[MAX_PATHSIZE+1];
-	char	cmdline[254+1];
-	char	zone[254+1];
-	char	str[254+1];
-	FILE	*fp;
-
-	assert (zp != NULL);
-	assert (zp->conf->dist_cmd != NULL);
-
-	if ( !is_exec_ok (zp->conf->dist_cmd) )
-	{
-		char	*mesg;
-
-		if ( getuid () == 0 )
-			mesg = "\tDistribution command %s not run as root\n";
-		else
-			mesg = "\tDistribution command %s not run due to strange file mode settings\n";
-
-		verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd);
-		lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd);
-
-		return -1;
-	}
-
-	if ( zp->conf->view )
-		snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
-	else
-		snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
-
-
-	pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
-
-	lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
-	verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
-	if ( zp->conf->view )
-		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
-
-	*str = '\0';
-	if ( noexec == 0 )
-	{
-		verbmesg (2, zp->conf, "\t  Run cmd \"%s\"\n", cmdline);
-		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
-			return -2;
-		pclose (fp);
-		verbmesg (2, zp->conf, "\t  %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
-	}
-
-
-	lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
-	verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
-	if ( zp->conf->view )
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
-
-	*str = '\0';
-	if ( noexec == 0 )
-	{
-		verbmesg (2, zp->conf, "\t  Run cmd \"%s\"\n", cmdline);
-		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
-			return -2;
-		pclose (fp);
-		verbmesg (2, zp->conf, "\t  %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
-	}
-
-	return 0;
-}
-
-/*****************************************************************
-**	reload a zone via "rndc"
-*****************************************************************/
-static	int	reload_zone (const char *domain, const zconf_t *z)
-{
-	char	cmdline[254+1];
-	char	str[254+1];
-	FILE	*fp;
-
-	assert (z != NULL);
-	// fprintf (stderr, "reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view);
-	if ( z->view )
-		snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
-	else
-		snprintf (str, sizeof (str), "\"%s\"", domain);
-
-	lg_mesg (LG_NOTICE, "%s: reload triggered", str);
-	verbmesg (1, z, "\tReload zone %s\n", str);
-
-	if ( z->view )
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view);
-	else
-		snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain);
-
-	*str = '\0';
-	if ( noexec == 0 )
-	{
-		verbmesg (2, z, "\t  Run cmd \"%s\"\n", cmdline);
-		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
-			return -1;
-		pclose (fp);
-		verbmesg (2, z, "\t  rndc reload return: \"%s\"\n", str_chop (str, '\n'));
-	}
-
-	return 0;
-}
diff --git a/contrib/zkt/dnssec-zkt.c b/contrib/zkt/dnssec-zkt.c
index 07ba693417..bfc92d9c0d 100644
--- a/contrib/zkt/dnssec-zkt.c
+++ b/contrib/zkt/dnssec-zkt.c
@@ -428,7 +428,7 @@ static	void    usage (char *mesg, zconf_t *cp)
         sopt_usage ("\tusage: %s -C  [-k] [-dpr] [-c config] [dir ...]\n", progname);
         lopt_usage ("\tusage: %s --create= [-k] [-dpr] [-c config] [dir ...]\n", progname);
         fprintf (stderr, "\t\tKSK (use -k):  %s %d bits\n", dki_algo2str (cp->k_algo), cp->k_bits);
-        fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->z_algo), cp->z_bits);
+        fprintf (stderr, "\t\tZSK (default): %s %d bits\n", dki_algo2str (cp->k_algo), cp->z_bits);
         fprintf (stderr, "\n");
         fprintf (stderr, "Change key status of specified key to published, active or depreciated\n");
         fprintf (stderr, "\t( := tag | tag:name) \n");
@@ -508,7 +508,7 @@ static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *co
 	}
 	
 	if  ( zskflag )
-		dkp = dki_new (dir, keyname, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+		dkp = dki_new (dir, keyname, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
 	else
 		dkp = dki_new (dir, keyname, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
 	if ( dkp == NULL )
@@ -657,7 +657,7 @@ static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const z
 		}
 
 		// dkp = keylist;	/* use old key to create the parent file */
-		if ( (dkp = (dki_t *)dki_find (keylist, 1, 'a', 1)) == NULL )	/* find the oldest active ksk to create the parent file */
+		if ( (dkp = (dki_t *)dki_findalgo (keylist, 1, conf->k_algo, 'a', 1)) == NULL )	/* find the oldest active ksk to create the parent file */
 			fatal ("ksk_rollover phase1: Couldn't find the old active key\n");
 		if ( !create_parent_file (path, phase, key_ttl, dkp) )
 			fatal ("Couldn't create parentfile %s\n", path);
@@ -743,7 +743,7 @@ static	int	parsedirectory (const char *dir, dki_t **listp)
 
 	while ( (dentp = readdir (dirp)) != NULL )
 	{
-		if ( is_dotfile (dentp->d_name) )
+		if ( is_dotfilename (dentp->d_name) )
 			continue;
 
 		dbg_val ("directory: check %s\n", dentp->d_name);
diff --git a/contrib/zkt/doc/KeyRollover.ms b/contrib/zkt/doc/KeyRollover.ms
new file mode 100644
index 0000000000..d6d1a3480b
--- /dev/null
+++ b/contrib/zkt/doc/KeyRollover.ms
@@ -0,0 +1,95 @@
+.NH 1
+DNS Key Status Types and Filenames
+.PP
+.TS
+cfB	| cfB	  s	| cfB	s	| cfB	| cfB
+cfB	| cfB	| cfB	| cfB	| cfB	| cfB	| cfB
+l	| l	| n	| l	| l	| c	| lfCW	.
+Status	Key	Filename	used for	dnssec-zkt
+\^	Type	Flags	public	private	signing?	label
+_
+active	ZSK	256	.key	.private	y	act ive
+	KSK	257	.key	.private	y	act ive
+.sp 0.2
+published	ZSK	256	.key	.published	n	pub lished
+	KSK	257	.key	.private	n	sta ndby
+.sp 0.2
+depreciated (retired)	ZSK	256	.key	.depreciated	n	dep reciated
+.sp 0.2
+revoked	KSK	385	.key	.private	y	rev oked
+.sp 0.2
+removed	KSK	257	k*.key	k*.private	n	-
+.sp 0.2
+sep	KSK	257	.key	-	n	sep
+.ig
+.sp 0.2
+(master	KSK	257	M...key	.private	n	-)
+..
+.TE
+.SP 2
+.NH 1
+Key rollover 
+.PP
+.NH 2
+Zone signing key rollover (pre-publish RFC4641)
+.PP
+.TS
+rfB	 cfB	|cfB	|cfB	|cfB
+lfB	|cfB	|cfB	|cfB	|cfB
+l	|l	|l	|l	|l	.
+action		create	change	remove
+keys		newkey	sig key	old key
+_
+zsk1	active	active	depreciated	
+zsk2		published	active	active
+.sp 0.3
+RRSIG	zsk1	zsk1	zsk2	zsk2	
+.TE
+.SP 2
+.NH 2
+Key signing key rollover (double signature RFC4641)
+.PP
+.TS
+rfB	 cfB	|cfB	|cfB	|cfB
+lfB	|cfB	|cfB	|cfB	|cfB
+l	|l	|l	|l	|l	.
+action		create	change	remove
+keys		newkey	delegation	old key
+_
+ksk\d1\u	active	active	active	
+ksk\d2\u		active	active	active
+.sp 0.3
+DNSKEY RRSIG	ksk1	ksk1,ksk2	ksk1,ksk2	ksk2	
+.sp 0.3
+DS at parent	DS\d1\u	DS\d1\u	DS\d2\u	DS\d2\u
+.TE
+.\"RRSIG	DNSKEY\dksk1\u	DNSKEY\dksk1,ksk2\u	DNSKEY\dksk1,ksk2\u	DNSKEY\dksk2\u	
+.SP 2
+.NH 2
+Key signing key rollover (rfc5011)
+.PP
+.TS
+rfB	 cfB	|cfB	|cfB
+lfB	|cfB	|cfB	|cfB
+l	|l	|l	|l	.
+action		newkey 	change delegation
+keys		& rollover	& remove old key
+_
+ksk\d1\u	active	revoke\v'-0.2'\(dg\v'+0.2'		
+ksk\d2\u	standby	active	active
+ksk\d3\u		standby\v'-0.2'\(dd\v'+0.2'	standby
+.sp 0.3
+DNSKEY RRSIG	ksk1	ksk1,ksk2	ksk2
+.sp 0.3
+Parent DS	DS\d1\u	DS\d1\u	DS\d2\u
+	DS\d2\u	DS\d2\u	DS\d3\u
+.TE
+.LP
+\v'-0.2'\(dg\v'0.2'
+Have to remain until the remove hold-down time is expired,
+which is 30days at a minimum.
+.LP
+\v'-0.2'\(dd\v'0.2'
+Will be the standby key after the hold-down time is expired
+.br
+Add holdtime \(eq max(30days, TTL of DNSKEY)
diff --git a/contrib/zkt/doc/KeyRollover.ps b/contrib/zkt/doc/KeyRollover.ps
new file mode 100644
index 0000000000..7f22fdead4
--- /dev/null
+++ b/contrib/zkt/doc/KeyRollover.ps
@@ -0,0 +1,304 @@
+%!PS-Adobe-3.0
+%%Creator: groff version 1.19.2
+%%CreationDate: Mon Jul 14 23:23:30 2008
+%%DocumentNeededResources: font Times-Bold
+%%+ font Times-Roman
+%%+ font Courier
+%%+ font Symbol
+%%DocumentSuppliedResources: procset grops 1.19 2
+%%Pages: 1
+%%PageOrder: Ascend
+%%DocumentMedia: Default 595 842 0 () ()
+%%Orientation: Portrait
+%%EndComments
+%%BeginDefaults
+%%PageMedia: Default
+%%EndDefaults
+%%BeginProlog
+%%BeginResource: procset grops 1.19 2
+%!PS-Adobe-3.0 Resource-ProcSet
+/setpacking where{
+pop
+currentpacking
+true setpacking
+}if
+/grops 120 dict dup begin
+/SC 32 def
+/A/show load def
+/B{0 SC 3 -1 roll widthshow}bind def
+/C{0 exch ashow}bind def
+/D{0 exch 0 SC 5 2 roll awidthshow}bind def
+/E{0 rmoveto show}bind def
+/F{0 rmoveto 0 SC 3 -1 roll widthshow}bind def
+/G{0 rmoveto 0 exch ashow}bind def
+/H{0 rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/I{0 exch rmoveto show}bind def
+/J{0 exch rmoveto 0 SC 3 -1 roll widthshow}bind def
+/K{0 exch rmoveto 0 exch ashow}bind def
+/L{0 exch rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/M{rmoveto show}bind def
+/N{rmoveto 0 SC 3 -1 roll widthshow}bind def
+/O{rmoveto 0 exch ashow}bind def
+/P{rmoveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/Q{moveto show}bind def
+/R{moveto 0 SC 3 -1 roll widthshow}bind def
+/S{moveto 0 exch ashow}bind def
+/T{moveto 0 exch 0 SC 5 2 roll awidthshow}bind def
+/SF{
+findfont exch
+[exch dup 0 exch 0 exch neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/MF{
+findfont
+[5 2 roll
+0 3 1 roll
+neg 0 0]makefont
+dup setfont
+[exch/setfont cvx]cvx bind def
+}bind def
+/level0 0 def
+/RES 0 def
+/PL 0 def
+/LS 0 def
+/MANUAL{
+statusdict begin/manualfeed true store end
+}bind def
+/PLG{
+gsave newpath clippath pathbbox grestore
+exch pop add exch pop
+}bind def
+/BP{
+/level0 save def
+1 setlinecap
+1 setlinejoin
+72 RES div dup scale
+LS{
+90 rotate
+}{
+0 PL translate
+}ifelse
+1 -1 scale
+}bind def
+/EP{
+level0 restore
+showpage
+}def
+/DA{
+newpath arcn stroke
+}bind def
+/SN{
+transform
+.25 sub exch .25 sub exch
+round .25 add exch round .25 add exch
+itransform
+}bind def
+/DL{
+SN
+moveto
+SN
+lineto stroke
+}bind def
+/DC{
+newpath 0 360 arc closepath
+}bind def
+/TM matrix def
+/DE{
+TM currentmatrix pop
+translate scale newpath 0 0 .5 0 360 arc closepath
+TM setmatrix
+}bind def
+/RC/rcurveto load def
+/RL/rlineto load def
+/ST/stroke load def
+/MT/moveto load def
+/CL/closepath load def
+/Fr{
+setrgbcolor fill
+}bind def
+/setcmykcolor where{
+pop
+/Fk{
+setcmykcolor fill
+}bind def
+}if
+/Fg{
+setgray fill
+}bind def
+/FL/fill load def
+/LW/setlinewidth load def
+/Cr/setrgbcolor load def
+/setcmykcolor where{
+pop
+/Ck/setcmykcolor load def
+}if
+/Cg/setgray load def
+/RE{
+findfont
+dup maxlength 1 index/FontName known not{1 add}if dict begin
+{
+1 index/FID ne{def}{pop pop}ifelse
+}forall
+/Encoding exch def
+dup/FontName exch def
+currentdict end definefont pop
+}bind def
+/DEFS 0 def
+/EBEGIN{
+moveto
+DEFS begin
+}bind def
+/EEND/end load def
+/CNT 0 def
+/level1 0 def
+/PBEGIN{
+/level1 save def
+translate
+div 3 1 roll div exch scale
+neg exch neg exch translate
+0 setgray
+0 setlinecap
+1 setlinewidth
+0 setlinejoin
+10 setmiterlimit
+[]0 setdash
+/setstrokeadjust where{
+pop
+false setstrokeadjust
+}if
+/setoverprint where{
+pop
+false setoverprint
+}if
+newpath
+/CNT countdictstack def
+userdict begin
+/showpage{}def
+/setpagedevice{}def
+}bind def
+/PEND{
+countdictstack CNT sub{end}repeat
+level1 restore
+}bind def
+end def
+/setpacking where{
+pop
+setpacking
+}if
+%%EndResource
+%%EndProlog
+%%BeginSetup
+%%BeginFeature: *PageSize Default
+<< /PageSize [ 595 842 ] /ImagingBBox null >> setpagedevice
+%%EndFeature
+%%IncludeResource: font Times-Bold
+%%IncludeResource: font Times-Roman
+%%IncludeResource: font Courier
+%%IncludeResource: font Symbol
+grops begin/DEFS 1 dict def DEFS begin/u{.001 mul}bind def end/RES 72
+def/PL 841.89 def/LS false def/ENC0[/asciicircum/asciitilde/Scaron
+/Zcaron/scaron/zcaron/Ydieresis/trademark/quotesingle/Euro/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/space/exclam/quotedbl/numbersign/dollar/percent
+/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen
+/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon
+/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O
+/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/circumflex
+/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y
+/z/braceleft/bar/braceright/tilde/.notdef/quotesinglbase/guillemotleft
+/guillemotright/bullet/florin/fraction/perthousand/dagger/daggerdbl
+/endash/emdash/ff/fi/fl/ffi/ffl/dotlessi/dotlessj/grave/hungarumlaut
+/dotaccent/breve/caron/ring/ogonek/quotedblleft/quotedblright/oe/lslash
+/quotedblbase/OE/Lslash/.notdef/exclamdown/cent/sterling/currency/yen
+/brokenbar/section/dieresis/copyright/ordfeminine/guilsinglleft
+/logicalnot/minus/registered/macron/degree/plusminus/twosuperior
+/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior
+/ordmasculine/guilsinglright/onequarter/onehalf/threequarters
+/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE
+/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
+/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
+/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
+/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
+/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
+/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash
+/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]def
+/Courier@0 ENC0/Courier RE/Times-Roman@0 ENC0/Times-Roman RE
+/Times-Bold@0 ENC0/Times-Bold RE
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+BP
+%%EndPageSetup
+/F0 10/Times-Bold@0 SF 2.5(1. DNS)72 84 R -.25(Ke)2.5 G 2.5(yS).25 G
+(tatus T)-2.5 E(ypes and Filenames)-.74 E -.25(Ke)189.22 105.6 S 63.235
+(yF).25 G 40.415(ilename used)-63.235 F -.25(fo)2.5 G 29.33(rd).25 G
+(nssec-zkt)-29.33 E -.74(Ty)168.35 117.6 S 12.5(pe Flags).74 F 23.57
+(public pri)16.95 F -.1(va)-.1 G 21.62(te signing?).1 F(label)40.72 E
+(Status)99.34 111.6 Q .4 LW 473.8 122.1 72 122.1 DL/F1 10/Times-Roman@0
+SF(acti)72 131.6 Q 70.67 -.15(ve Z)-.25 H 18.43(SK 256).15 F(.k)18.89 E
+26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F/F2 10
+/Courier@0 SF(act ive)30.285 E F1 17.32(KSK 257)168.35 143.6 R(.k)18.89
+E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G 46.605(te y).25 F F2
+(act ive)30.285 E F1 54.96(published ZSK)72 158 R 16.39(256 .k)20.93 F
+26.69 -.15(ey .)-.1 H 34.985(published n).15 F F2(pub lished)30.285 E F1
+17.32(KSK 257)168.35 170 R(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E
+-.25(va)-.25 G 46.605(te n).25 F F2(sta ndby)30.285 E F1
+(depreciated \(retired\))72 184.4 Q 18.43(ZSK 256)15 F(.k)18.89 E 26.69
+-.15(ey .)-.1 H 27.785(depreciated n).15 F F2(dep reciated)30.285 E F1
+(re)72 198.8 Q -.2(vo)-.25 G -.1(ke).2 G 64.69(dK).1 G 17.32(SK 385)
+-64.69 F(.k)18.89 E 26.69 -.15(ey .)-.1 H(pri).15 E -.25(va)-.25 G
+46.605(te y).25 F F2(rev oked)30.285 E F1(remo)72 213.2 Q -.15(ve)-.15 G
+61.66(dK).15 G 17.32(SK 257)-61.66 F(k*.k)18.89 E 16.69 -.15(ey k)-.1 H
+(*.pri).15 E -.25(va)-.25 G 36.605(te n).25 F F2(-)30.285 E F1 80.52
+(sep KSK)72 227.6 R 16.39(257 .k)19.82 F 26.69 -.15(ey -)-.1 H(n)75.695
+E F2(sep)30.285 E 394.3 96.1 394.3 230.1 DL 343.73 96.1 343.73 230.1 DL
+280.14 108.1 280.14 230.1 DL 234.56 96.1 234.56 230.1 DL 196.78 108.1
+196.78 230.1 DL 160.85 96.1 160.85 230.1 DL F0 2.5(2. K)72 257.6 R(ey r)
+-.25 E(ollo)-.18 E -.1(ve)-.1 G(r).1 E 2.5(2.1. Zone)72 285.2 R
+(signing k)2.5 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G(pr)
+-2.5 E(e-publish RFC4641\))-.18 E 57.47(action cr)75.34 306.8 R 27.035
+(eate change)-.18 F -.18(re)23.045 G(mo).18 E -.1(ve)-.1 G -.1(ke)72
+318.8 S 65.025(ys newk).1 F 24.395(ey sig)-.1 F -.1(ke)2.5 G 23.775(yo)
+.1 G(ld k)-23.775 E(ey)-.1 E 301.18 323.3 72 323.3 DL F1 23.62
+(zsk1 acti)72 332.8 R 12.8 -.15(ve a)-.25 H(cti).15 E 28.21 -.15(ve d)
+-.25 H(epreciated).15 E 62.1(zsk2 published)72 344.8 R(acti)15 E 35.41
+-.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G 12.5(RRSIG zsk1)72 360.4 R
+33.06(zsk1 zsk2)20.15 F(zsk2)42.76 E 262.41 297.3 262.41 362.9 DL 201.32
+297.3 201.32 362.9 DL 147.43 297.3 147.43 362.9 DL 108.95 309.3 108.95
+362.9 DL F0 2.5(2.2. K)72 390.4 R(ey signing k)-.25 E(ey r)-.1 E(ollo)
+-.18 E -.1(ve)-.1 G 2.5(r\().1 G(double signatur)-2.5 E 2.5(eR)-.18 G
+(FC4641\))-2.5 E 58.165(action cr)118.39 412 R 26.63(eate change)-.18 F
+-.18(re)21.945 G(mo).18 E -.1(ve)-.1 G -.1(ke)72 424 S 108.77(ys newk).1
+F 16.58(ey delegation)-.1 F(old k)15.265 E(ey)-.1 E 343.42 428.5 72
+428.5 DL F1(ksk)72 438 Q(1)5 I(acti)68.61 -5 M 12.8 -.15(ve a)-.25 H
+(cti).15 E 29.6 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 450 Q
+(2)5 I(acti)107.09 -5 M 29.6 -.15(ve a)-.25 H(cti).15 E 33.21 -.15(ve a)
+-.25 H(cti).15 E -.15(ve)-.25 G(DNSKEY RRSIG)72 465.6 Q 17.09
+(ksk1 ksk1,ksk2)15 F 16.11(ksk1,ksk2 ksk2)15 F(DS at parent)72 481.2 Q
+(DS)37.51 E(1)5 I(DS)20.7 -5 M(1)5 I(DS)37.5 -5 M(2)5 I(DS)41.11 -5 M(2)
+5 I 304.65 402.5 304.65 483.7 DL 245.76 402.5 245.76 483.7 DL 190.48
+402.5 190.48 483.7 DL 152 414.5 152 483.7 DL F0 2.5(2.3. K)72 511.2 R
+(ey signing k)-.25 E(ey r)-.1 E(ollo)-.18 E -.1(ve)-.1 G 2.5(r\().1 G
+(rfc5011\))-2.5 E 63.465(action newk)118.39 532.8 R 19.855(ey change)-.1
+F(delegation)2.5 E -.1(ke)72 544.8 S 112.32(ys &).1 F -.18(ro)2.5 G(llo)
+.18 E -.1(ve)-.1 G 15.525(r&).1 G -.18(re)-13.025 G(mo).18 E .2 -.1
+(ve o)-.1 H(ld k).1 E(ey)-.1 E 341.33 549.3 72 549.3 DL F1(ksk)72 558.8
+Q(1)5 I(acti)68.61 -5 M 20.43 -.15(ve r)-.25 H -2.2 -.25(ev o).15 H -.1
+(ke).25 G<87>.1 -2.4 M(ksk)72 570.8 Q(2)5 I 12.5(standby acti)68.61 -5 N
+33.65 -.15(ve a)-.25 H(cti).15 E -.15(ve)-.25 G(ksk)72 582.8 Q(3)5 I
+(standby)114.72 -5 M<88>-2.4 I(standby)23.22 2.4 M(DNSKEY RRSIG)72 598.4
+Q 24.72(ksk1 ksk1,ksk2)15 F(ksk2)19.05 E -.15(Pa)72 614 S(rent DS).15 E
+(DS)46.82 E(1)5 I(DS)28.33 -5 M(1)5 I(DS)41.55 -5 M(2)5 I(DS)159.5 626 Q
+(2)5 I(DS)28.33 -5 M(2)5 I(DS)41.55 -5 M(3)5 I 257.44 523.3 257.44 628.5
+DL 198.11 523.3 198.11 628.5 DL 152 535.3 152 628.5 DL<87>72 645.2 Q(Ha)
+2.5 2.4 M .3 -.15(ve t)-.2 H 2.5(or).15 G(emain until the remo)-2.5 E .3
+-.15(ve h)-.15 H(old-do).15 E(wn time is e)-.25 E
+(xpired, which is 30days at a minimum.)-.15 E<88>72 660.8 Q -.4(Wi)2.5
+2.4 O(ll be the standby k).4 E .3 -.15(ey a)-.1 H(fter the hold-do).15 E
+(wn time is e)-.25 E(xpired)-.15 E(Add holdtime)72 675.2 Q/F3 10/Symbol
+SF(=)2.5 E F1(max\(30days, TTL of DNSKEY\))2.5 E 0 Cg EP
+%%Trailer
+end
+%%EOF
diff --git a/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
new file mode 100644
index 0000000000..18cda6c742
--- /dev/null
+++ b/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
@@ -0,0 +1,616 @@
+
+
+
+Intended Status: Informational                            O. Gudmundsson
+Network Working Group                                OGUD Consulting LLC
+Internet-Draft                                                  J. Ihren
+Expires: August 21, 2008                                             AAB
+                                                       February 18, 2008
+
+
+                Names of States in the life of a DNSKEY
+                  draft-gudmundsson-life-of-dnskey-00
+
+Status of this Memo
+
+   By submitting this Internet-Draft, each author represents that any
+   applicable patent or other IPR claims of which he or she is aware
+   have been or will be disclosed, and any of which he or she becomes
+   aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on August 21, 2008.
+
+Copyright Notice
+
+   Copyright (C) The IETF Trust (2008).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 1]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+Abstract
+
+   This document recommends a specific terminology to use when
+   expressing the state that a DNSKEY is in at particular time.  This
+   does not affect how the protocol operates in any way.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  DNSKEY timeline  . . . . . . . . . . . . . . . . . . . . . . .  4
+   3.  Life stages of a DNSKEY  . . . . . . . . . . . . . . . . . . .  5
+     3.1.  Generated  . . . . . . . . . . . . . . . . . . . . . . . .  5
+     3.2.  Published  . . . . . . . . . . . . . . . . . . . . . . . .  5
+       3.2.1.  Pre-Publication  . . . . . . . . . . . . . . . . . . .  5
+       3.2.2.  Out-Of-Band Publication  . . . . . . . . . . . . . . .  5
+     3.3.  Active . . . . . . . . . . . . . . . . . . . . . . . . . .  5
+     3.4.  Retired  . . . . . . . . . . . . . . . . . . . . . . . . .  5
+     3.5.  Removed  . . . . . . . . . . . . . . . . . . . . . . . . .  6
+       3.5.1.  Lame . . . . . . . . . . . . . . . . . . . . . . . . .  6
+       3.5.2.  Stale  . . . . . . . . . . . . . . . . . . . . . . . .  6
+     3.6.  Revoked  . . . . . . . . . . . . . . . . . . . . . . . . .  6
+   4.  Security considerations  . . . . . . . . . . . . . . . . . . .  7
+   5.  IANA considerations  . . . . . . . . . . . . . . . . . . . . .  8
+   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
+     6.1.  Normative References . . . . . . . . . . . . . . . . . . .  9
+     6.2.  Informative References . . . . . . . . . . . . . . . . . .  9
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
+   Intellectual Property and Copyright Statements . . . . . . . . . . 11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 2]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+1.  Introduction
+
+   When the editors of this document where comparing their DNSSEC key
+   management projects they discovered that they where discussing
+   roughly the same thing but using different terminology.
+
+   This document presents a unified terminology to use when describing
+   the current state of a DNSKEY.
+
+   The DNSSEC standards documents ([1], [2] and [3]) do not address the
+   required states for the key management of a DNSSEC key.  The DNSSEC
+   Operational Practices [4] document does propose that keys be
+   published before use but uses inconsistent or confusing terms.  This
+   document assumes basic understanding of DNSSEC and key management.
+
+   The terms proposed in this document attempt to avoid any confusion
+   and make the states of keys to be as clear as possible.  The terms
+   used in this document are intended as a operational supplement to the
+   terms defined in Section 2 of [1].
+
+   To large extent this discussion is motivated by Trust anchor keys but
+   the same terminology can be used for zone signing keys.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 3]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+2.  DNSKEY timeline
+
+   The model in this document is that keys progress through a state
+   machine along a one-way path, keys never move to an earlier states.
+
+
+
+   GENERATED----------> PUBLISHED ---> ACTIVE ---> RETIRED --> REMOVED
+    |                   ^       |        |            |         ^
+    |                   |       |        |            v         |
+    +--> Pre-PUBLISHED--+       +--------+---------> REVOKED ---+
+
+
+   DNSKEY time line.
+
+   There are few more states that are defined below but these apply only
+   to the publisher of TA's and the consumer of TA's.  Two of these are
+   sub-sets of the Published state, the other two are error states.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 4]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+3.  Life stages of a DNSKEY
+
+3.1.  Generated
+
+   Once a key is generated it enters state Generated and stays there
+   until the next state.  While in this state only the owner of the key
+   is aware of its existence and can prepare for its future use.
+
+3.2.  Published
+
+   Once the key is added to the DNSKEY set of a zone the key is there
+   for the world to see, or published.  The key needs to remain in this
+   state for some time to propagate to all validators that have cached
+   the prior version of the DNSKEY set.  In the case of KSK the key
+   should remain in this state for a longer time as documented in DNSSEC
+   Timers RFC [5].
+
+3.2.1.  Pre-Publication
+
+   In certain circumstances a zone owner may want to give out a new
+   Trust Anchor before exposing the actual public key.  In this case the
+   zone can publish a DS record of the key.  This allows others to
+   configure the trust anchor but will not be able to use the key until
+   the key is published in the DNSKEY RRset.
+
+3.2.2.  Out-Of-Band Publication
+
+   In certain circumstances a domain may want to give out a new Trust
+   Anchor outside DNS to give others a long lead time to configure the
+   new key as trust anchor.  The reason people may want to do this is to
+   keep the size of the DNSKEY set smaller and only add new trust anchor
+   just before the key goes into use.  One likely use for this is the
+   DNS "." root key as it does not have a parent that can publish a DS
+   record for it.  The publication mechanism does not matter it can be
+   any one of web-site, advertisement in Financial Times and other
+   international publication, e-mail to DNS related mailing lists, etc..
+
+3.3.  Active
+
+   The key is in ACTIVE state while it is actively signing data in the
+   zone it resides in.  It is one of the the keys that are signing the
+   zone or parts of the zone.
+
+3.4.  Retired
+
+   When the key is no longer used for signing the zone it enters state
+   Retired.  In this state there may still be signatures by the key in
+   cached data from the zone available at recursive servers, but the
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 5]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+   authoritative servers for the zone do no longer carry any signatures
+   generated by the key.
+
+3.5.  Removed
+
+   Once the key is removed from the DNSKEY RRset it enters the state
+   Removed.  At this point all signatures by the key that may still be
+   temporarily valid will fail to verify once the validator refreshes
+   the DNSKEY RRset in its memory.
+
+   Therefore "removal" of a key is typically not done until all the
+   cached signatures have expired.  Entering this state too early may
+   cause number of validators to end up with STALE Trust Anchors.
+
+3.5.1.  Lame
+
+   A Trust Anchor is Lame if the parent continues to publish DS pointing
+   to the key after it has been removed from the DNSKEY RRset.  A Trust
+   Anchor is arguably Lame if there are no signatures by a Retired KSK
+   in the zone.
+
+3.5.2.  Stale
+
+   A Stale Trust Anchor is an old TA that remains in a validators list
+   of active key(s) after the key has been removed from the zone's
+   DNSKEY RRset.
+
+3.6.  Revoked
+
+   There are times when a zone wants to signal that a particular key
+   should not be used at all.  The mechanism to do this is to set the
+   REVOKE bit [5].  Any key in any of the while the key is the DNSSKEY
+   set can be exited to Revoked state.  After some time in the Revoke
+   state the key will be Removed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 6]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+4.  Security considerations
+
+   TBD
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 7]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+5.  IANA considerations
+
+   This document does not have any IANA actions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 8]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+6.  References
+
+6.1.  Normative References
+
+6.2.  Informative References
+
+   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "DNS Security Introduction and Requirements", RFC 4033,
+        March 2005.
+
+   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Resource Records for the DNS Security Extensions", RFC 4034,
+        March 2005.
+
+   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+        "Protocol Modifications for the DNS Security Extensions",
+        RFC 4035, March 2005.
+
+   [4]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+        RFC 4641, September 2006.
+
+   [5]  StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+        Anchors", RFC 5011, September 2007.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008                [Page 9]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+Authors' Addresses
+
+   Olafur Gudmundsson
+   OGUD Consulting LLC
+   3821 Village Park Drive
+   Chevy Chase, MD  20815
+   USA
+
+   Email: ogud@ogud.com
+
+
+   Johan Ihren
+   Automatica, AB
+   Bellmansgatan 30
+   Stockholm,   SE-118 47
+   Sweden
+
+   Email: johani@automatica.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008               [Page 10]
+
+Internet-Draft           DNSSEC Key life stages.           February 2008
+
+
+Full Copyright Statement
+
+   Copyright (C) The IETF Trust (2008).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+Gudmundsson & Ihren      Expires August 21, 2008               [Page 11]
+
diff --git a/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
new file mode 100644
index 0000000000..fbc46c116f
--- /dev/null
+++ b/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
@@ -0,0 +1,2128 @@
+
+
+
+DNSOP                                                         O. Kolkman
+Internet-Draft                                                NLnet Labs
+Obsoletes: 2541 (if approved)                                  R. Gieben
+Intended status: BCP
+Expires: September 8, 2009                                 March 7, 2009
+
+
+                DNSSEC Operational Practices, Version 2
+                     draft-ietf-dnsop-rfc4641bis-01
+
+Status of This Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.  This document may contain material
+   from IETF Documents or IETF Contributions published or made publicly
+   available before November 10, 2008.  The person(s) controlling the
+   copyright in some of this material may not have granted the IETF
+   Trust the right to allow modifications of such material outside the
+   IETF Standards Process.  Without obtaining an adequate license from
+   the person(s) controlling the copyright in such materials, this
+   document may not be modified outside the IETF Standards Process, and
+   derivative works of it may not be created outside the IETF Standards
+   Process, except to format it for publication as an RFC or to
+   translate it into languages other than English.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on September 8, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 1]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document describes a set of practices for operating the DNS with
+   security extensions (DNSSEC).  The target audience is zone
+   administrators deploying DNSSEC.
+
+   The document discusses operational aspects of using keys and
+   signatures in the DNS.  It discusses issues of key generation, key
+   storage, signature generation, key rollover, and related policies.
+
+   This document obsoletes RFC 2541, as it covers more operational
+   ground and gives more up-to-date requirements with respect to key
+   sizes and the new DNSSEC specification.
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  The Use of the Term 'key'  . . . . . . . . . . . . . . . .  5
+     1.2.  Time Definitions . . . . . . . . . . . . . . . . . . . . .  5
+   2.  Keeping the Chain of Trust Intact  . . . . . . . . . . . . . .  5
+   3.  Keys Generation and Storage  . . . . . . . . . . . . . . . . .  6
+     3.1.  Zone and Key Signing Keys  . . . . . . . . . . . . . . . .  6
+       3.1.1.  Motivations for the KSK and ZSK Separation . . . . . .  7
+       3.1.2.  Differentiation for 'High-Level' Zones . . . . . . . .  9
+     3.2.  Key Generation . . . . . . . . . . . . . . . . . . . . . .  9
+     3.3.  Key Effectivity Period . . . . . . . . . . . . . . . . . .  9
+     3.4.  Key Algorithm  . . . . . . . . . . . . . . . . . . . . . . 10
+     3.5.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . . 10
+     3.6.  Private Key Storage  . . . . . . . . . . . . . . . . . . . 11
+   4.  Signature Generation, Key Rollover, and Related Policies . . . 12
+     4.1.  Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 12
+       4.1.1.  Time Considerations  . . . . . . . . . . . . . . . . . 13
+     4.2.  Key Rollovers  . . . . . . . . . . . . . . . . . . . . . . 15
+       4.2.1.  Zone Signing Key Rollovers . . . . . . . . . . . . . . 15
+         4.2.1.1.  Pre-Publish Key Rollover . . . . . . . . . . . . . 15
+         4.2.1.2.  Double Signature Zone Signing Key Rollover . . . . 17
+         4.2.1.3.  Pros and Cons of the Schemes . . . . . . . . . . . 19
+       4.2.2.  Key Signing Key Rollovers  . . . . . . . . . . . . . . 19
+       4.2.3.  Difference Between ZSK and KSK Rollovers . . . . . . . 21
+       4.2.4.  Key algorithm rollover . . . . . . . . . . . . . . . . 22
+       4.2.5.  Automated Key Rollovers  . . . . . . . . . . . . . . . 23
+     4.3.  Planning for Emergency Key Rollover  . . . . . . . . . . . 24
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 2]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+       4.3.1.  KSK Compromise . . . . . . . . . . . . . . . . . . . . 24
+         4.3.1.1.  Keeping the Chain of Trust Intact  . . . . . . . . 25
+         4.3.1.2.  Breaking the Chain of Trust  . . . . . . . . . . . 26
+       4.3.2.  ZSK Compromise . . . . . . . . . . . . . . . . . . . . 26
+       4.3.3.  Compromises of Keys Anchored in Resolvers  . . . . . . 26
+     4.4.  Parental Policies  . . . . . . . . . . . . . . . . . . . . 27
+       4.4.1.  Initial Key Exchanges and Parental Policies
+               Considerations . . . . . . . . . . . . . . . . . . . . 27
+       4.4.2.  Storing Keys or Hashes?  . . . . . . . . . . . . . . . 27
+       4.4.3.  Security Lameness  . . . . . . . . . . . . . . . . . . 28
+       4.4.4.  DS Signature Validity Period . . . . . . . . . . . . . 28
+       4.4.5.  (Non) Cooperating Registrars . . . . . . . . . . . . . 29
+   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 30
+   6.  IANA considerations  . . . . . . . . . . . . . . . . . . . . . 30
+   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 30
+   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
+     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 31
+     8.2.  Informative References . . . . . . . . . . . . . . . . . . 31
+   Appendix A.  Terminology . . . . . . . . . . . . . . . . . . . . . 32
+   Appendix B.  Zone Signing Key Rollover How-To  . . . . . . . . . . 34
+   Appendix C.  Typographic Conventions . . . . . . . . . . . . . . . 34
+   Appendix D.  Document Editing History  . . . . . . . . . . . . . . 37
+     D.1.  draft-ietf-dnsop-rfc4641-00  . . . . . . . . . . . . . . . 37
+     D.2.  version 0->1 . . . . . . . . . . . . . . . . . . . . . . . 37
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 3]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+1.  Introduction
+
+   This document describes how to run a DNS Security (DNSSEC)-enabled
+   environment.  It is intended for operators who have knowledge of the
+   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+   See RFC 4033 [3] for an introduction to DNSSEC, RFC 4034 [4] for the
+   newly introduced Resource Records (RRs), and RFC 4035 [5] for the
+   protocol changes.
+
+   During workshops and early operational deployment tests, operators
+   and system administrators have gained experience about operating the
+   DNS with security extensions (DNSSEC).  This document translates
+   these experiences into a set of practices for zone administrators.
+   At the time of writing, there exists very little experience with
+   DNSSEC in production environments; this document should therefore
+   explicitly not be seen as representing 'Best Current Practices'.
+   [OK: Is this document ripe enough to shoot for BCP?]
+
+   The procedures herein are focused on the maintenance of signed zones
+   (i.e., signing and publishing zones on authoritative servers).  It is
+   intended that maintenance of zones such as re-signing or key
+   rollovers be transparent to any verifying clients on the Internet.
+
+   The structure of this document is as follows.  In Section 2, we
+   discuss the importance of keeping the "chain of trust" intact.
+   Aspects of key generation and storage of private keys are discussed
+   in Section 3; the focus in this section is mainly on the private part
+   of the key(s).  Section 4 describes considerations concerning the
+   public part of the keys.  Since these public keys appear in the DNS
+   one has to take into account all kinds of timing issues, which are
+   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
+   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
+   considerations on how parents deal with their children's public keys
+   in order to maintain chains of trust.
+
+   The typographic conventions used in this document are explained in
+   Appendix C.
+
+   Since this is a document with operational suggestions and there are
+   no protocol specifications, the RFC 2119 [6] language does not apply.
+
+   This document [OK: when approved] obsoletes RFC 4641 [16].
+
+   [OK: Editorial comments and questions are indicated by square
+   brackets and editor innitials]
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 4]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+1.1.  The Use of the Term 'key'
+
+   It is assumed that the reader is familiar with the concept of
+   asymmetric keys on which DNSSEC is based (public key cryptography
+   RFC4949 [17]).  Therefore, this document will use the term 'key'
+   rather loosely.  Where it is written that 'a key is used to sign
+   data' it is assumed that the reader understands that it is the
+   private part of the key pair that is used for signing.  It is also
+   assumed that the reader understands that the public part of the key
+   pair is published in the DNSKEY Resource Record and that it is the
+   public part that is used in key exchanges.
+
+1.2.  Time Definitions
+
+   In this document, we will be using a number of time-related terms.
+   The following definitions apply:
+
+   o  "Signature validity period" The period that a signature is valid.
+      It starts at the time specified in the signature inception field
+      of the RRSIG RR and ends at the time specified in the expiration
+      field of the RRSIG RR.
+
+   o  "Signature publication period" Time after which a signature (made
+      with a specific key) is replaced with a new signature (made with
+      the same key).  This replacement takes place by publishing the
+      relevant RRSIG in the master zone file.  After one stops
+      publishing an RRSIG in a zone, it may take a while before the
+      RRSIG has expired from caches and has actually been removed from
+      the DNS.
+
+   o  "Key effectivity period" The period during which a key pair is
+      expected to be effective.  This period is defined as the time
+      between the first inception time stamp and the last expiration
+      date of any signature made with this key, regardless of any
+      discontinuity in the use of the key.  The key effectivity period
+      can span multiple signature validity periods.
+
+   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+      value of the TTLs from the complete set of RRs in a zone.  Note
+      that the minimum TTL is not the same as the MINIMUM field in the
+      SOA RR.  See [9] for more information.
+
+2.  Keeping the Chain of Trust Intact
+
+   Maintaining a valid chain of trust is important because broken chains
+   of trust will result in data being marked as Bogus (as defined in [3]
+   Section 5), which may cause entire (sub)domains to become invisible
+   to verifying clients.  The administrators of secured zones have to
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 5]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   realize that their zone is, to verifying clients, part of a chain of
+   trust.
+
+   As mentioned in the introduction, the procedures herein are intended
+   to ensure that maintenance of zones, such as re-signing or key
+   rollovers, will be transparent to the verifying clients on the
+   Internet.
+
+   Administrators of secured zones will have to keep in mind that data
+   published on an authoritative primary server will not be immediately
+   seen by verifying clients; it may take some time for the data to be
+   transferred to other secondary authoritative nameservers and clients
+   may be fetching data from caching non-authoritative servers.  In this
+   light, note that the time for a zone transfer from master to slave is
+   negligible when using NOTIFY [8] and incremental transfer (IXFR) [7].
+   It increases when full zone transfers (AXFR) are used in combination
+   with NOTIFY.  It increases even more if you rely on full zone
+   transfers based on only the SOA timing parameters for refresh.
+
+   For the verifying clients, it is important that data from secured
+   zones can be used to build chains of trust regardless of whether the
+   data came directly from an authoritative server, a caching
+   nameserver, or some middle box.  Only by carefully using the
+   available timing parameters can a zone administrator ensure that the
+   data necessary for verification can be obtained.
+
+   The responsibility for maintaining the chain of trust is shared by
+   administrators of secured zones in the chain of trust.  This is most
+   obvious in the case of a 'key compromise' when a trade-off between
+   maintaining a valid chain of trust and replacing the compromised keys
+   as soon as possible must be made.  Then zone administrators will have
+   to make a trade-off, between keeping the chain of trust intact --
+   thereby allowing for attacks with the compromised key -- or
+   deliberately breaking the chain of trust and making secured
+   subdomains invisible to security-aware resolvers.  Also see
+   Section 4.3.
+
+3.  Keys Generation and Storage
+
+   This section describes a number of considerations with respect to the
+   security of keys.  It deals with the generation, effectivity period,
+   size, and storage of private keys.
+
+3.1.  Zone and Key Signing Keys
+
+   The DNSSEC validation protocol does not distinguish between different
+   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
+   practice, operators use Key Signing and Zone Signing Keys and use the
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 6]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   so-called Secure Entry Point (SEP) [5] flag to distinguish between
+   them during operations.  The dynamics and considerations are
+   discussed below.
+
+   To make zone re-signing and key rollover procedures easier to
+   implement, it is possible to use one or more keys as Key Signing Keys
+   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
+   Other keys can be used to sign all the RRSets in a zone and are
+   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
+   that KSKs are the subset of keys that are used for key exchanges with
+   the parent and potentially for configuration as trusted anchors --
+   the SEP keys.  In this document, we assume a one-to-one mapping
+   between KSK and SEP keys and we assume the SEP flag to be set on all
+   KSKs.
+
+3.1.1.  Motivations for the KSK and ZSK Separation
+
+   Differentiating between the KSK and ZSK functions has several
+   advantages:
+
+   o  No parent/child interaction is required when ZSKs are updated.
+
+   o  [OK: Bullet removed, strawman Paul Hoffman]
+
+   o  As the KSK is only used to sign a key set, which is most probably
+      updated less frequently than other data in the zone, it can be
+      stored separately from and in a safer location than the ZSK.
+
+   o  A KSK can have a longer key effectivity period.
+
+   For almost any method of key management and zone signing, the KSK is
+   used less frequently than the ZSK.  Once a key set is signed with the
+   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
+   compromised, it can be simply dropped from the key set.  The new key
+   set is then re-signed with the KSK.
+
+   Given the assumption that for KSKs the SEP flag is set, the KSK can
+   be distinguished from a ZSK by examining the flag field in the DNSKEY
+   RR.  If the flag field is an odd number it is a KSK.  If it is an
+   even number it is a ZSK.
+
+   The Zone Signing Key can be used to sign all the data in a zone on a
+   regular basis.  When a Zone Signing Key is to be rolled, no
+   interaction with the parent is needed.  This allows for signature
+   validity periods on the order of days.
+
+   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+   zone.  If a Key Signing Key is to be rolled over, there will be
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 7]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   interactions with parties other than the zone administrator.  If
+   there is a parent zone, these can include the registry of the parent
+   zone or administrators of verifying resolvers that have the
+   particular key configured as secure entry points.  If this is a trust
+   anchor, everyone relying on the trust anchor needs to roll over to
+   the new key.  The latter may be subject to stability costs if
+   automated trust-anchor rollover mechanisms (such as e.g.  RFC5011
+   [18]) are not in place.  Hence, the key effectivity period of these
+   keys can and should be made much longer.
+
+   There are two schools of thought on rolling a KSK that is not a trust
+   anchor [OK: One can never be sure a KSK is _not_ a trust anchor]:
+
+   o  It should be done regularly (possibly every few months) so that a
+      key rollover remains an operational routine.
+
+   o  It should only be done when it is known or strongly suspected that
+      the key has been compromised in order to reduce the stability
+      issues on systems where the rollover does not happen cleanly.
+
+   There is no widespread agreement on which of these two schools of
+   thought is better for different deployments of DNSSEC.  There is a
+   stability cost every time a non-anchor KSK is rolled over, but it is
+   possibly low if the communication between the child and the parent is
+   good.  On the other hand, the only completely effective way to tell
+   if the communication is good is to test it periodically.  Thus,
+   rolling a KSK with a parent is only done for two reasons: to test and
+   verify the rolling system to prepare for an emergency, and in the
+   case of an actual emergency.
+
+   [OK: The paragraph below is a straw-man by Paul Hoffman] Because of
+   the difficulty of getting all users of a trust anchor to replace an
+   old trust anchor with a new one, a KSK that is a trust anchor should
+   never be rolled unless it is known or strongly suspected that the key
+   has been compromised.
+
+   [OK: This is an alternative straw-man by Olaf Kolkman] The same
+   operational concerns apply to the rollover of KSKs that are used as
+   trust-anchors.  Since the administrator of a zone can not be certain
+   that the zone's KSK is in use as a trust-anchor she will have to
+   assume that a rollover will cause a stability cost for the users that
+   did configure her key as a trust-anchor.  Those costs can be
+   minimized by automating the rollover RFC5011 [18] and by rolling the
+   key regularly, and advertising such, so that the operators of
+   recursive nameservers will put the appropriate mechanism in place to
+   deal with these stability costs, or, in other words, budget for these
+   costs instead of incuring them unexpectedly.
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 8]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+3.1.2.  Differentiation for 'High-Level' Zones
+
+   In an earlier version of this document we made a differentiation
+   between KSKs used for zones that are high in the DNS hierarchy versus
+   KSKs used for zones low in that hierarchy.  We have come to realize
+   that there are other considerations that argue such differentiation
+   does not need to be made.
+
+   Longer keys are not useful because the crypto guidance is that
+   everyone should use keys that no one can break.  Also, it is
+   impossible to judge which zones are more or less valuable to an
+   attacker.  An attack can only be used if the compromise is unnoticed
+   and the attacker can act as an man-in-the-middle attack (MITM) in an
+   unnoticed way.  If .example is compromised and the attacker forges
+   answers for somebank.example and sends them out as an MITM, when the
+   attack is discovered it will be simple to prove that .example has
+   been compromised and the KSK will be rolled.  Defining a long-term
+   successful attack is difficult for keys at any level.
+
+3.2.  Key Generation
+
+   Careful generation of all keys is a sometimes overlooked but
+   absolutely essential element in any cryptographically secure system.
+   The strongest algorithms used with the longest keys are still of no
+   use if an adversary can guess enough to lower the size of the likely
+   key space so that it can be exhaustively searched.  Technical
+   suggestions for the generation of random keys will be found in RFC
+   4086 [14] and NIST SP 800-900 [20].  One should carefully assess if
+   the random number generator used during key generation adheres to
+   these suggestions.
+
+   Keys with a long effectivity period are particularly sensitive as
+   they will represent a more valuable target and be subject to attack
+   for a longer time than short-period keys.  It is strongly recommended
+   that long-term key generation occur off-line in a manner isolated
+   from the network via an air gap or, at a minimum, high-level secure
+   hardware.
+
+3.3.  Key Effectivity Period
+
+   From a purely operational perspective, a reasonable key effectivity
+   period for KSKs that have a parent zone is 13 months, with the intent
+   to replace them after 12 months.  An intended key effectivity period
+   of a month is reasonable for Zone Signing Keys.  This annual rollover
+   gives operational practice to rollovers.
+
+   Ignoring the operational perspective, a reasonable effectivity period
+   for KSKs that have a parent zone is of the order of 2 decades or
+
+
+
+Kolkman & Gieben        Expires September 8, 2009               [Page 9]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   longer.  That is, if one does not plan to test the rollover
+   procedure, the key should be effective essentially forever, and then
+   only rolled over in case of emergency.
+
+   The "operational habit" argument also applies to trust anchor
+   reconfiguration.  If a short key effectivity period is used and the
+   trust anchor configuration has to be revisited on a regular basis,
+   the odds that the configuration tends to be forgotten is smaller.
+   The trade-off is against a system that is so dynamic that
+   administrators of the validating clients will not be able to follow
+   the modifications.Note that if a trust anchor replacement is done
+   incorrectly, the entire zone that the trust anchor covers will become
+   bogus until the trust anchor is corrected.
+
+   Key effectivity periods can be made very short, as in a few minutes.
+   But when replacing keys one has to take the considerations from
+   Section 4.1 and Section 4.2 into account.
+
+3.4.  Key Algorithm
+
+   There are currently two types of signature algorithms that can be
+   used in DNSSEC: RSA and DSA.  Both are fully specified in many
+   freely-available documents, and both are widely considered to be
+   patent-free.  The creation of signatures wiht RSA and DSA takes
+   roughly the same time, but DSA is about ten times slower for
+   signature verification.
+
+   We suggest the use of either RSA/SHA-1 or RSA/SHA-256 as the
+   preferred signature algorithms.  Both have advantages and
+   disadvantages.  RSA/SHA-1 has been deployed for many years, while
+   RSA/SHA-256 has only begun to be deployed.  On the other hand, it is
+   expected that if effective attacks on either algorithm appeark, they
+   will appear for RSA/SHA-1 first.  RSA/MD5 should not be considered
+   for use because RSA/MD5 will very likely be the first common-use
+   signature algorithm to have an effective attack.
+
+   At the time of publication, it is known that the SHA-1 hash has
+   cryptanalysis issues.  There is work in progress on addressing these
+   issues.  We recommend the use of public key algorithms based on
+   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+   algorithms are available in protocol specifications (see [21] and
+   [22]) and implementations.
+
+3.5.  Key Sizes
+
+   DNSSEC signing keys should be large enough to avoid all know
+   cryptographic attacks during the lifetime of the key.  To date,
+   despite huge efforts, no one has broken a regular 1024-bit key; in
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 10]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   fact, the best completed attack is estimated to be the equivalent of
+   a 700-bit key.  An attacker breaking a 1024-bit signing key would
+   need expend phenominal amounts of networked computing power in a way
+   that would not be detected in order to break a single key.  Because
+   of this, it is estimated that most zones can safely use 1024-bit keys
+   for at least the next ten years.  A 1024-bit asymmetric key has an
+   approximate equivalent strength of a symmetric 80-bit key.
+
+   Keys that are used as extremely high value trust anchors, or non-
+   anchor keys that may be difficult to roll over, may want to use
+   lengths longer than 1024 bits.  Typically, the next larger key size
+   used is 2048 bits, which have the approximate equivalent strength of
+   a symmetric 112-bit key.  In a standard CPU, it takes about four
+   times as long to sign or verify with a 2048-bit key as it does with a
+   1024-bit key.
+
+   Another way to decide on the size of key to use is to remember that
+   the phenominal effort it takes for an attacker to break a 1024-bit
+   key is the same regardless of how the key is used.  If an attacker
+   has the capability of breaking a 1024-bit DNSSEC key, he also has the
+   capability of breaking one of the many 1024-bit TLS trust anchor keys
+   that are installed with web browsers.  If the value of a DNSSEC key
+   is lower to the attacker than the value of a TLS trust anchor, the
+   attacker will use the resources to attack the TLS trust anchor.
+
+   It is possible that there is a unexpected improvement in the ability
+   for attackers to beak keys, and that such an attack would make it
+   feasible to break 1024-bit keys but not 2048-bit keys.  If such an
+   improvement happens, it is likely that there will be a huge amount of
+   publicity, particularly because of the large number of 1024-bit TLS
+   trust anchors build into popular web browsers.  At that time, all
+   1024-bit keys (both ones with parent zones and ones that are trust
+   anchors) can be rolled over and replaced with larger keys.
+
+   Earlier documents (including the previous version of this document)
+   urged the use of longer keys in situations where a particular key was
+   "heavily used".  That advice may have been true 15 years ago, but it
+   is not true today when using RSA or DSA algorithms and keys of 1024
+   bits or higher.
+
+3.6.  Private Key Storage
+
+   It is recommended that, where possible, zone private keys and the
+   zone file master copy that is to be signed be kept and used in off-
+   line, non-network-connected, physically secure machines only.
+   Periodically, an application can be run to add authentication to a
+   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
+   transferred.
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 11]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   When relying on dynamic update to manage a signed zone [11], be aware
+   that at least one private key of the zone will have to reside on the
+   master server.  This key is only as secure as the amount of exposure
+   the server receives to unknown clients and the security of the host.
+   Although not mandatory, one could administer the DNS in the following
+   way.  The master that processes the dynamic updates is unavailable
+   from generic hosts on the Internet, it is not listed in the NS RRSet,
+   although its name appears in the SOA RRs MNAME field.  The
+   nameservers in the NS RRSet are able to receive zone updates through
+   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
+   approach is known as the "hidden master" setup.
+
+   The ideal situation is to have a one-way information flow to the
+   network to avoid the possibility of tampering from the network.
+   Keeping the zone master file on-line on the network and simply
+   cycling it through an off-line signer does not do this.  The on-line
+   version could still be tampered with if the host it resides on is
+   compromised.  For maximum security, the master copy of the zone file
+   should be off-net and should not be updated based on an unsecured
+   network mediated communication.
+
+   In general, keeping a zone file off-line will not be practical and
+   the machines on which zone files are maintained will be connected to
+   a network.  Operators are advised to take security measures to shield
+   unauthorized access to the master copy.
+
+   For dynamically updated secured zones [11], both the master copy and
+   the private key that is used to update signatures on updated RRs will
+   need to be on-line.
+
+4.  Signature Generation, Key Rollover, and Related Policies
+
+4.1.  Time in DNSSEC
+
+   Without DNSSEC, all times in the DNS are relative.  The SOA fields
+   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+   elapsed after a slave server synchronized with a master server.  The
+   Time to Live (TTL) value and the SOA RR minimum TTL parameter [9] are
+   used to determine how long a forwarder should cache data after it has
+   been fetched from an authoritative server.  By using a signature
+   validity period, DNSSEC introduces the notion of an absolute time in
+   the DNS.  Signatures in DNSSEC have an expiration date after which
+   the signature is marked as invalid and the signed data is to be
+   considered Bogus.
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 12]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+4.1.1.  Time Considerations
+
+   Because of the expiration of signatures, one should consider the
+   following:
+
+   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
+      of your signature validity period.
+
+         If the TTL would be of similar order as the signature validity
+         period, then all RRSets fetched during the validity period
+         would be cached until the signature expiration time.  Section
+         7.1 of [3] suggests that "the resolver may use the time
+         remaining before expiration of the signature validity period of
+         a signed RRSet as an upper bound for the TTL".  As a result,
+         query load on authoritative servers would peak at signature
+         expiration time, as this is also the time at which records
+         simultaneously expire from caches.
+
+         To avoid query load peaks, we suggest the TTL on all the RRs in
+         your zone to be at least a few times smaller than your
+         signature validity period.
+
+   o  We suggest the signature publication period to end at least one
+      Maximum Zone TTL duration before the end of the signature validity
+      period.
+
+         Re-signing a zone shortly before the end of the signature
+         validity period may cause simultaneous expiration of data from
+         caches.  This in turn may lead to peaks in the load on
+         authoritative servers.
+
+   o  We suggest the Minimum Zone TTL to be long enough to both fetch
+      and verify all the RRs in the trust chain.  In workshop
+      environments, it has been demonstrated [19] that a low TTL (under
+      5 to 10 minutes) caused disruptions because of the following two
+      problems:
+
+         1.  During validation, some data may expire before the
+         validation is complete.  The validator should be able to keep
+         all data until it is completed.  This applies to all RRs needed
+         to complete the chain of trust: DSes, DNSKEYs, RRSIGs, and the
+         final answers, i.e., the RRSet that is returned for the initial
+         query.
+
+         2.  Frequent verification causes load on recursive nameservers.
+         Data at delegation points, DSes, DNSKEYs, and RRSIGs benefit
+         from caching.  The TTL on those should be relatively long.
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 13]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   o  Slave servers will need to be able to fetch newly signed zones
+      well before the RRSIGs in the zone served by the slave server pass
+      their signature expiration time.
+
+         When a slave server is out of sync with its master and data in
+         a zone is signed by expired signatures, it may be better for
+         the slave server not to give out any answer.
+
+         Normally, a slave server that is not able to contact a master
+         server for an extended period will expire a zone.  When that
+         happens, the server will respond differently to queries for
+         that zone.  Some servers issue SERVFAIL, whereas others turn
+         off the 'AA' bit in the answers.  The time of expiration is set
+         in the SOA record and is relative to the last successful
+         refresh between the master and the slave servers.  There exists
+         no coupling between the signature expiration of RRSIGs in the
+         zone and the expire parameter in the SOA.
+
+         If the server serves a DNSSEC zone, then it may well happen
+         that the signatures expire well before the SOA expiration timer
+         counts down to zero.  It is not possible to completely prevent
+         this from happening by tweaking the SOA parameters.
+
+         However, the effects can be minimized where the SOA expiration
+         time is equal to or shorter than the signature validity period.
+
+         The consequence of an authoritative server not being able to
+         update a zone, whilst that zone includes expired signatures, is
+         that non-secure resolvers will continue to be able to resolve
+         data served by the particular slave servers while security-
+         aware resolvers will experience problems because of answers
+         being marked as Bogus.
+
+         We suggest the SOA expiration timer being approximately one
+         third or one fourth of the signature validity period.  It will
+         allow problems with transfers from the master server to be
+         noticed before the actual signature times out.
+
+         We also suggest that operators of nameservers that supply
+         secondary services develop 'watch dogs' to spot upcoming
+         signature expirations in zones they slave, and take appropriate
+         action.
+
+         When determining the value for the expiration parameter one has
+         to take the following into account: What are the chances that
+         all my secondaries expire the zone?  How quickly can I reach an
+         administrator of secondary servers to load a valid zone?  These
+         questions are not DNSSEC specific but may influence the choice
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 14]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+         of your signature validity intervals.
+
+4.2.  Key Rollovers
+
+   Regardless of whether a zone uses periodic key rollovers in order to
+   practice for emergencies, or only rolls over keys in an emergency,
+   key rollovers are a fact of life when using DNSSEC.  Zone
+   administrators who are in the process of rolling their keys have to
+   take into account that data published in previous versions of their
+   zone still lives in caches.  When deploying DNSSEC, this becomes an
+   important consideration; ignoring data that may be in caches may lead
+   to loss of service for clients.
+
+   The most pressing example of this occurs when zone material signed
+   with an old key is being validated by a resolver that does not have
+   the old zone key cached.  If the old key is no longer present in the
+   current zone, this validation fails, marking the data "Bogus".
+   Alternatively, an attempt could be made to validate data that is
+   signed with a new key against an old key that lives in a local cache,
+   also resulting in data being marked "Bogus".
+
+4.2.1.  Zone Signing Key Rollovers
+
+   For "Zone Signing Key rollovers", there are two ways to make sure
+   that during the rollover data still cached can be verified with the
+   new key sets or newly generated signatures can be verified with the
+   keys still in caches.  One schema, described in Section 4.2.1.2, uses
+   double signatures; the other uses key pre-publication
+   (Section 4.2.1.1).  The pros, cons, and recommendations are described
+   in Section 4.2.1.3.
+
+4.2.1.1.  Pre-Publish Key Rollover
+
+   This section shows how to perform a ZSK rollover without the need to
+   sign all the data in a zone twice -- the "pre-publish key rollover".
+   This method has advantages in the case of a key compromise.  If the
+   old key is compromised, the new key has already been distributed in
+   the DNS.  The zone administrator is then able to quickly switch to
+   the new key and remove the compromised key from the zone.  Another
+   major advantage is that the zone size does not double, as is the case
+   with the double signature ZSK rollover.  A small "how-to" for this
+   kind of rollover can be found in Appendix B.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 15]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   Pre-publish key rollover involves four stages as follows:
+
+   ----------------------------------------------------------------
+    initial         new DNSKEY       new RRSIGs      DNSKEY removal
+   ----------------------------------------------------------------
+    SOA0            SOA1             SOA2            SOA3
+    RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+
+    DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+    DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+                    DNSKEY11         DNSKEY11
+    RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+    RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+   ----------------------------------------------------------------
+
+   Pre-Publish Key Rollover
+
+   initial:  Initial version of the zone: DNSKEY 1 is the Key Signing
+      Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
+
+   new DNSKEY:  DNSKEY 11 is introduced into the key set.  Note that no
+      signatures are generated with this key yet, but this does not
+      secure against brute force attacks on the public key.  The minimum
+      duration of this pre-roll phase is the time it takes for the data
+      to propagate to the authoritative servers plus TTL value of the
+      key set.
+
+   new RRSIGs:  At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+      used to sign the data in the zone exclusively (i.e., all the
+      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
+      remains published in the key set.  This way data that was loaded
+      into caches from version 1 of the zone can still be verified with
+      key sets fetched from version 2 of the zone.  The minimum time
+      that the key set including DNSKEY 10 is to be published is the
+      time that it takes for zone data from the previous version of the
+      zone to expire from old caches, i.e., the time it takes for this
+      zone to propagate to all authoritative servers plus the Maximum
+      Zone TTL value of any of the data in the previous version of the
+      zone.
+
+   DNSKEY removal:  DNSKEY 10 is removed from the zone.  The key set,
+      now only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+      DNSKEY 1.
+
+   The above scheme can be simplified by always publishing the "future"
+   key immediately after the rollover.  The scheme would look as follows
+   (we show two rollovers); the future key is introduced in "new DNSKEY"
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 16]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+   (II)":
+
+
+       initial             new RRSIGs          new DNSKEY
+      -----------------------------------------------------------------
+       SOA0                SOA1                SOA2
+       RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
+
+       DNSKEY1             DNSKEY1             DNSKEY1
+       DNSKEY10            DNSKEY10            DNSKEY11
+       DNSKEY11            DNSKEY11            DNSKEY12
+       RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
+       RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
+       ----------------------------------------------------------------
+
+       ----------------------------------------------------------------
+       new RRSIGs (II)     new DNSKEY (II)
+       ----------------------------------------------------------------
+       SOA3                SOA4
+       RRSIG12(SOA3)       RRSIG12(SOA4)
+
+       DNSKEY1             DNSKEY1
+       DNSKEY11            DNSKEY12
+       DNSKEY12            DNSKEY13
+       RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
+       RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
+       ----------------------------------------------------------------
+
+   Pre-Publish Key Rollover, Showing Two Rollovers
+
+   Note that the key introduced in the "new DNSKEY" phase is not used
+   for production yet; the private key can thus be stored in a
+   physically secure manner and does not need to be 'fetched' every time
+   a zone needs to be signed.
+
+4.2.1.2.  Double Signature Zone Signing Key Rollover
+
+   This section shows how to perform a ZSK key rollover using the double
+   zone data signature scheme, aptly named "double signature rollover".
+
+   During the "new DNSKEY" stage the new version of the zone file will
+   need to propagate to all authoritative servers and the data that
+   exists in (distant) caches will need to expire, requiring at least
+   the Maximum Zone TTL.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 17]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   Double signature ZSK rollover involves three stages as follows:
+
+      ----------------------------------------------------------------
+      initial             new DNSKEY         DNSKEY removal
+      ----------------------------------------------------------------
+      SOA0                SOA1               SOA2
+      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
+                          RRSIG11(SOA1)
+      DNSKEY1             DNSKEY1            DNSKEY1
+      DNSKEY10            DNSKEY10           DNSKEY11
+                          DNSKEY11
+      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
+      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
+                          RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
+
+   Double Signature Zone Signing Key Rollover
+
+   initial:  Initial Version of the zone: DNSKEY 1 is the Key Signing
+      Key. DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
+
+   new DNSKEY:  At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+      introduced into the key set and all the data in the zone is signed
+      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
+      continue until all data from version 0 of the zone has expired
+      from remote caches.  This will take at least the Maximum Zone TTL
+      of version 0 of the zone.
+
+   DNSKEY removal:  DNSKEY 10 is removed from the zone.  All the
+      signatures from DNSKEY 10 are removed from the zone.  The key set,
+      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+   At every instance, RRSIGs from the previous version of the zone can
+   be verified with the DNSKEY RRSet from the current version and the
+   other way around.  The data from the current version can be verified
+   with the data from the previous version of the zone.  The duration of
+   the "new DNSKEY" phase and the period between rollovers should be at
+   least the Maximum Zone TTL.
+
+   Making sure that the "new DNSKEY" phase lasts until the signature
+   expiration time of the data in the initial version of the zone is
+   recommended.  This way all caches are cleared of the old signatures.
+   However, this duration could be considerably longer than the Maximum
+   Zone TTL, making the rollover a lengthy procedure.
+
+   Note that in this example we assumed that the zone was not modified
+   during the rollover.  New data can be introduced in the zone as long
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 18]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   as it is signed with both keys.
+
+4.2.1.3.  Pros and Cons of the Schemes
+
+   Pre-publish key rollover:  This rollover does not involve signing the
+      zone data twice.  Instead, before the actual rollover, the new key
+      is published in the key set and thus is available for
+      cryptanalysis attacks.  A small disadvantage is that this process
+      requires four steps.  Also the pre-publish scheme involves more
+      parental work when used for KSK rollovers as explained in
+      Section 4.2.3.
+
+   Double signature ZSK rollover:  The drawback of this signing scheme
+      is that during the rollover the number of signatures in your zone
+      doubles; this may be prohibitive if you have very big zones.  An
+      advantage is that it only requires three steps.
+
+4.2.2.  Key Signing Key Rollovers
+
+   For the rollover of a Key Signing Key, the same considerations as for
+   the rollover of a Zone Signing Key apply.  However, we can use a
+   double signature scheme to guarantee that old data (only the apex key
+   set) in caches can be verified with a new key set and vice versa.
+   Since only the key set is signed with a KSK, zone size considerations
+   do not apply.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 19]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   --------------------------------------------------------------------
+       initial        new DNSKEY        DS change       DNSKEY removal
+   --------------------------------------------------------------------
+     Parent:
+       SOA0           -------->         SOA1            -------->
+       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
+       DS1            -------->         DS2             -------->
+       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
+
+
+     Child:
+       SOA0            SOA1             -------->       SOA2
+       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
+                                        -------->
+       DNSKEY1         DNSKEY1          -------->       DNSKEY2
+                       DNSKEY2          -------->
+       DNSKEY10        DNSKEY10         -------->       DNSKEY10
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
+                       RRSIG2 (DNSKEY)  -------->
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
+
+   Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+   initial:  Initial version of the zone.  The parental DS points to
+      DNSKEY1.  Before the rollover starts, the child will have to
+      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+      is needed during the rollover and we refer to the value as TTL_DS.
+
+   new DNSKEY:  During the "new DNSKEY" phase, the zone administrator
+      generates a second KSK, DNSKEY2.  The key is provided to the
+      parent, and the child will have to wait until a new DS RR has been
+      generated that points to DNSKEY2.  After that DS RR has been
+      published on all servers authoritative for the parent's zone, the
+      zone administrator has to wait at least TTL_DS to make sure that
+      the old DS RR has expired from caches.
+
+   DS change:  The parent replaces DS1 with DS2.
+
+   DNSKEY removal:  DNSKEY1 has been removed.
+
+   The scenario above puts the responsibility for maintaining a valid
+   chain of trust with the child.  It also is based on the premise that
+   the parent only has one DS RR (per algorithm) per zone.  An
+   alternative mechanism has been considered.  Using an established
+   trust relation, the interaction can be performed in-band, and the
+   removal of the keys by the child can possibly be signaled by the
+   parent.  In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 20]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   RRs at the parent.  Since at the moment of writing the protocol for
+   this interaction has not been developed, further discussion is out of
+   scope for this document.
+
+4.2.3.  Difference Between ZSK and KSK Rollovers
+
+   Note that KSK rollovers and ZSK rollovers are different in the sense
+   that a KSK rollover requires interaction with the parent (and
+   possibly replacing of trust anchors) and the ensuing delay while
+   waiting for it.
+
+   A zone key rollover can be handled in two different ways: pre-publish
+   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+   As the KSK is used to validate the key set and because the KSK is not
+   changed during a ZSK rollover, a cache is able to validate the new
+   key set of the zone.  The pre-publish method would also work for a
+   KSK rollover.  The records that are to be pre-published are the
+   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
+   We first describe the rollover scheme and then indicate these
+   drawbacks.
+
+
+   --------------------------------------------------------------------
+     initial         new DS           new DNSKEY      DS/DNSKEY removal
+   --------------------------------------------------------------------
+   Parent:
+     SOA0            SOA1             -------->       SOA2
+     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
+     DS1             DS1              -------->       DS2
+                     DS2              -------->
+     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
+
+   Child:
+     SOA0            -------->        SOA1            SOA1
+     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
+                     -------->
+     DNSKEY1         -------->        DNSKEY2         DNSKEY2
+                     -------->
+     DNSKEY10        -------->        DNSKEY10        DNSKEY10
+     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
+     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
+
+   Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+   When the child zone wants to roll, it notifies the parent during the
+   "new DS" phase and submits the new key (or the corresponding DS) to
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 21]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
+   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
+   which can take place as soon as the new DS set propagated through the
+   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
+   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+   record can be deleted.
+
+   The drawbacks of this scheme are that during the "new DS" phase the
+   parent cannot verify the match between the DS2 RR and DNSKEY2 using
+   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
+   "security lame" key (see Section 4.4.3).  Finally, the child-parent
+   interaction consists of two steps.  The "double signature" method
+   only needs one interaction.
+
+4.2.4.  Key algorithm rollover
+
+   [OK: The txt of this section is a strawman for the issue in: http://
+   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+   ]
+
+   A special class of keyrollover is the rollover of key algorithms
+   (either adding a new algorithm, removing an old algorithm, or both),
+   additional steps are needed to retain integrity during the rollover.
+
+   Because of the algorithm downgrade protection in RFC4035 section 2.2,
+   you may not have a key of an algorithm for which you do not have
+   signatures.
+
+   When adding a new algorithm, the signatures should be added first.
+   After the TTL has expired, and caches have dropped the old data
+   covered by those signatures, the DNSKEY with the new algorithm can be
+   added.  When removing an old algorithm, the DNSKEY should be removed
+   first.
+
+   To do both, the following steps can be used.  For simplicity, we use
+   a zone that is only signed by one zone signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 22]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   ----------------------------------------------------------------
+   1 Initial           2 New RRSIGS       3 New DNSKEY
+   ----------------------------------------------------------------
+   SOA0                SOA1               SOA2
+   RRSIG1(SOA0)        RRSIG1(SOA1)       RRSIG1(SOA2)
+                       RRSIG2(SOA1)       RRSIG2(SOA2)
+
+   DNSKEY1             DNSKEY1            DNSKEY1
+   RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     DNSKEY2
+                       RRSIG2(DNSKEY)     RRSIG1(DNSKEY)
+                                          RRSIG2(DNSKEY)
+   ----------------------------------------------------------------
+   4 Remove DNSKEY     5 Remove RRSIGS
+   ----------------------------------------------------------------
+   SOA3                SOA4
+   RRSIG1(SOA3)        RRSIG2(SOA4)
+   RRSIG2(SOA3)
+
+   DNSKEY2             DNSKEY2
+   RRSIG1(DNSKEY)      RRSIG2(DNSKEY)
+   RRSIG2(DNSKEY)
+   ----------------------------------------------------------------
+
+   Stages of Deployment during an Algorithm Rollover.
+
+   In step 2, the signatures for the new key are added, but the key
+   itself is not.  While in theory, the signatures of the keyset should
+   always be synchronized with the keyset itself, it can be possible
+   that RRSIGS are requested separately, so it might be prudent to also
+   sign the DNSKEY set with the new signature.
+
+   After the cache data has expired, the new key can be added to the
+   zone, as done in step 3.
+
+   The next step is to remove the old algorithm.  This time the key
+   needs to be removed first, before removing the signatures.  The key
+   is removed in step 4, and after the cache data has expired, the
+   signatures can be removed in step 5.
+
+   The above steps ensure that during the rollover to a new algorithm,
+   the integrity of the zone is never broken.
+
+4.2.5.  Automated Key Rollovers
+
+   As keys must be renewed periodically, there is some motivation to
+   automate the rollover process.  Consider the following:
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 23]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   o  ZSK rollovers are easy to automate as only the child zone is
+      involved.
+
+   o  A KSK rollover needs interaction between parent and child.  Data
+      exchange is needed to provide the new keys to the parent;
+      consequently, this data must be authenticated and integrity must
+      be guaranteed in order to avoid attacks on the rollover.
+
+4.3.  Planning for Emergency Key Rollover
+
+   This section deals with preparation for a possible key compromise.
+   Our advice is to have a documented procedure ready for when a key
+   compromise is suspected or confirmed.
+
+   When the private material of one of your keys is compromised it can
+   be used for as long as a valid trust chain exists.  A trust chain
+   remains intact for
+
+   o  as long as a signature over the compromised key in the trust chain
+      is valid,
+
+   o  as long as a parental DS RR (and signature) points to the
+      compromised key,
+
+   o  as long as the key is anchored in a resolver and is used as a
+      starting point for validation (this is generally the hardest to
+      update).
+
+   While a trust chain to your compromised key exists, your namespace is
+   vulnerable to abuse by anyone who has obtained illegitimate
+   possession of the key.  Zone operators have to make a trade-off if
+   the abuse of the compromised key is worse than having data in caches
+   that cannot be validated.  If the zone operator chooses to break the
+   trust chain to the compromised key, data in caches signed with this
+   key cannot be validated.  However, if the zone administrator chooses
+   to take the path of a regular rollover, the malicious key holder can
+   spoof data so that it appears to be valid.
+
+4.3.1.  KSK Compromise
+
+   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+   as long as the compromised KSK is configured as trust anchor or a
+   parental DS points to it.
+
+   A compromised KSK can be used to sign the key set of an attacker's
+   zone.  That zone could be used to poison the DNS.
+
+   Therefore, when the KSK has been compromised, the trust anchor or the
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 24]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   parental DS should be replaced as soon as possible.  It is local
+   policy whether to break the trust chain during the emergency
+   rollover.  The trust chain would be broken when the compromised KSK
+   is removed from the child's zone while the parent still has a DS
+   pointing to the compromised KSK (the assumption is that there is only
+   one DS at the parent.  If there are multiple DSes this does not apply
+   -- however the chain of trust of this particular key is broken).
+
+   Note that an attacker's zone still uses the compromised KSK and the
+   presence of a parental DS would cause the data in this zone to appear
+   as valid.  Removing the compromised key would cause the attacker's
+   zone to appear as valid and the child's zone as Bogus.  Therefore, we
+   advise not to remove the KSK before the parent has a DS to a new KSK
+   in place.
+
+4.3.1.1.  Keeping the Chain of Trust Intact
+
+   If we follow this advice, the timing of the replacement of the KSK is
+   somewhat critical.  The goal is to remove the compromised KSK as soon
+   as the new DS RR is available at the parent.  And also make sure that
+   the signature made with a new KSK over the key set with the
+   compromised KSK in it expires just after the new DS appears at the
+   parent, thus removing the old cruft in one swoop.
+
+   The procedure is as follows:
+
+   1.  Introduce a new KSK into the key set, keep the compromised KSK in
+       the key set.
+
+   2.  Sign the key set, with a short validity period.  The validity
+       period should expire shortly after the DS is expected to appear
+       in the parent and the old DSes have expired from caches.
+
+   3.  Upload the DS for this new key to the parent.
+
+   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
+       to appear in the authoritative servers and then wait as long as
+       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
+       and modify/extend the expiration time.
+
+   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
+       key set using your "normal" validity interval.
+
+   An additional danger of a key compromise is that the compromised key
+   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+   nameserver changes at the parent.  When that happens, the domain may
+   be in dispute.  An authenticated out-of-band and secure notify
+   mechanism to contact a parent is needed in this case.
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 25]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   Note that this is only a problem when the DNSKEY and or DS records
+   are used for authentication at the parent.
+
+4.3.1.2.  Breaking the Chain of Trust
+
+   There are two methods to break the chain of trust.  The first method
+   causes the child zone to appear 'Bogus' to validating resolvers.  The
+   other causes the child zone to appear 'insecure'.  These are
+   described below.
+
+   In the method that causes the child zone to appear 'Bogus' to
+   validating resolvers, the child zone replaces the current KSK with a
+   new one and re-signs the key set.  Next it sends the DS of the new
+   key to the parent.  Only after the parent has placed the new DS in
+   the zone is the child's chain of trust repaired.
+
+   An alternative method of breaking the chain of trust is by removing
+   the DS RRs from the parent zone altogether.  As a result, the child
+   zone would become insecure.
+
+4.3.2.  ZSK Compromise
+
+   Primarily because there is no parental interaction required when a
+   ZSK is compromised, the situation is less severe than with a KSK
+   compromise.  The zone must still be re-signed with a new ZSK as soon
+   as possible.  As this is a local operation and requires no
+   communication between the parent and child, this can be achieved
+   fairly quickly.  However, one has to take into account that just as
+   with a normal rollover the immediate disappearance of the old
+   compromised key may lead to verification problems.  Also note that as
+   long as the RRSIG over the compromised ZSK is not expired the zone
+   may be still at risk.
+
+4.3.3.  Compromises of Keys Anchored in Resolvers
+
+   A key can also be pre-configured in resolvers.  For instance, if
+   DNSSEC is successfully deployed the root key may be pre-configured in
+   most security aware resolvers.
+
+   If trust-anchor keys are compromised, the resolvers using these keys
+   should be notified of this fact.  Zone administrators may consider
+   setting up a mailing list to communicate the fact that a SEP key is
+   about to be rolled over.  This communication will of course need to
+   be authenticated, e.g., by using digital signatures.
+
+   End-users faced with the task of updating an anchored key should
+   always validate the new key.  New keys should be authenticated out-
+   of-band, for example, through the use of an announcement website that
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 26]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   is secured using secure sockets (TLS) [23].
+
+4.4.  Parental Policies
+
+4.4.1.  Initial Key Exchanges and Parental Policies Considerations
+
+   The initial key exchange is always subject to the policies set by the
+   parent.  When designing a key exchange policy one should take into
+   account that the authentication and authorization mechanisms used
+   during a key exchange should be as strong as the authentication and
+   authorization mechanisms used for the exchange of delegation
+   information between parent and child.  That is, there is no implicit
+   need in DNSSEC to make the authentication process stronger than it
+   was in DNS.
+
+   Using the DNS itself as the source for the actual DNSKEY material,
+   with an out-of-band check on the validity of the DNSKEY, has the
+   benefit that it reduces the chances of user error.  A DNSKEY query
+   tool can make use of the SEP bit [5] to select the proper key from a
+   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+   sent.  It can validate the self-signature over a key; thereby
+   verifying the ownership of the private key material.  Fetching the
+   DNSKEY from the DNS ensures that the chain of trust remains intact
+   once the parent publishes the DS RR indicating the child is secure.
+
+   Note: the out-of-band verification is still needed when the key
+   material is fetched via the DNS.  The parent can never be sure
+   whether or not the DNSKEY RRs have been spoofed.
+
+4.4.2.  Storing Keys or Hashes?
+
+   When designing a registry system one should consider which of the
+   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
+   might wish to have a DS published using a message digest algorithm
+   not yet understood by the registry, the registry can't count on being
+   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
+   that registry systems at least support storing DS records.
+
+   It may also be useful to store DNSKEYs, since having them may help
+   during troubleshooting and, as long as the child's chosen message
+   digest is supported, the overhead of generating DS records from them
+   is minimal.  Having an out-of-band mechanism, such as a registry
+   directory (e.g., Whois), to find out which keys are used to generate
+   DS Resource Records for specific owners and/or zones may also help
+   with troubleshooting.
+
+   The storage considerations also relate to the design of the customer
+   interface and the method by which data is transferred between
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 27]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   registrant and registry; Will the child zone administrator be able to
+   upload DS RRs with unknown hash algorithms or does the interface only
+   allow DNSKEYs?  In the registry-registrar model, one can use the
+   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+   which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3.  Security Lameness
+
+   Security lameness is defined as what happens when a parent has a DS
+   RR pointing to a non-existing DNSKEY RR.  When this happens, the
+   child's zone may be marked "Bogus" by verifying DNS clients.
+
+   As part of a comprehensive delegation check, the parent could, at key
+   exchange time, verify that the child's key is actually configured in
+   the DNS.  However, if a parent does not understand the hashing
+   algorithm used by child, the parental checks are limited to only
+   comparing the key id.
+
+   Child zones should be very careful in removing DNSKEY material,
+   specifically SEP keys, for which a DS RR exists.
+
+   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+   take time to propagate through the DNS.
+
+4.4.4.  DS Signature Validity Period
+
+   Since the DS can be replayed as long as it has a valid signature, a
+   short signature validity period over the DS minimizes the time a
+   child is vulnerable in the case of a compromise of the child's
+   KSK(s).  A signature validity period that is too short introduces the
+   possibility that a zone is marked "Bogus" in case of a configuration
+   error in the signer.  There may not be enough time to fix the
+   problems before signatures expire.  Something as mundane as operator
+   unavailability during weekends shows the need for DS signature
+   validity periods longer than 2 days.  We recommend an absolute
+   minimum for a DS signature validity period of a few days.
+
+   The maximum signature validity period of the DS record depends on how
+   long child zones are willing to be vulnerable after a key compromise.
+   On the other hand, shortening the DS signature validity interval
+   increases the operational risk for the parent.  Therefore, the parent
+   may have policy to use a signature validity interval that is
+   considerably longer than the child would hope for.
+
+   A compromise between the operational constraints of the parent and
+   minimizing damage for the child may result in a DS signature validity
+   period somewhere between a week and months.
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 28]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   In addition to the signature validity period, which sets a lower
+   bound on the number of times the zone owner will need to sign the
+   zone data and which sets an upper bound to the time a child is
+   vulnerable after key compromise, there is the TTL value on the DS
+   RRs.  Shortening the TTL means that the authoritative servers will
+   see more queries.  But on the other hand, a short TTL lowers the
+   persistence of DS RRSets in caches thereby increasing the speed with
+   which updated DS RRSets propagate through the DNS.
+
+4.4.5.  (Non) Cooperating Registrars
+
+   [OK: this is a first strawman, and is intended to start the
+   discussion of the issue.  By no means this is intended to be a final
+   text.]
+
+   The parent-child relation is often described in terms of a (thin)
+   registry model.  Where a registry maintains the parent zone, and the
+   registrant (the user of the child-domain name), deals with the
+   registry through an intermediary called a registrar.  (See [12] for a
+   comprehensive definition).  Registrants may out-source the
+   maintenance of their DNS system, including the maintenance of DNSSEC
+   key material, to the registrar or to another third party.  The entity
+   that has control over the DNS zone and its keys may prevent the
+   registrant to make a timely move to a different registrar.  [OK: I
+   use the term registrar below while it is the operator of the DNS zone
+   who is the actual culprit.  For instance, the case also applies when
+   a registrant passes a zone to another registrant.  Should I just use
+   "DNS Administrator"?]
+
+   Suppose that the registrant wants to move from losing registrar A to
+   gaining registrar B. Let us first look what would happen in a
+   cooperative environment.  The assumption is that registrar A will not
+   hand off any private key material to registrar B because that would
+   be a trivial case.
+
+   In a cooperating environment one could proceed with a pre-publish ZSK
+   rollover whereby registrar A pre-publishes the ZSK of registrar B,
+   combined with a double signature KSK rollover where the two
+   registrars exchange public keys and independently generate a
+   signature over the keysets that they combine and both publish in the
+   zone.
+
+   In the non-cooperative case matters are more complicated.  The
+   loosing registrar A may not cooperate and leave the data in the DNS
+   as is.  In the extreme case registrar A may become obstructive and
+   publish a DNSKEY RR with a high TTL and corresponding signature
+   validity so that registrar A's DNSKEY, would end up in caches for, in
+   theory, tens of years.
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 29]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   The problem arises when a validator tries to validate with A's key
+   and there is no signature material produced with Registrars A
+   available in the delegation path after redelegation from registrar A
+   to registrar B has taken place.  One could imagine a rollover
+   scenario where registrar B pulls all RRSIGs created by registar A and
+   publishes those in conjunction with its own signatures, but that
+   would not allow any changes in the zone content.  Since a
+   redelegation took place the NS RRset has -- per definition-- changed
+   so such rollover scenario will not work.  Besides if zone transfers
+   are not allowed by A and NSEC3 is deployed in the A's zone then
+   registrar B will not have certainty that all of A's RRSIGs are
+   transfered.
+
+   The only viable option for the registrant is to publish its zone
+   unsigned and ask the registry to remove the DS pointing to registrar
+   A for as long as the DNSKEY of registrar A, or any of the signatures
+   produced by registrar A are likely to appear in caches, which as
+   mentioned above could in theory be for tens of years.  [OK: Some
+   implementations limit the time data is cached.  Although that is not
+   a protocol requirement (and may even be considered a protocol
+   violation) it seems that that practice may limit the impact of this
+   problem, is that worth mentioning?]
+
+   [OK: This is really the point that I'm trying to make, is the above
+   text needed?]  There is no operational methodology to work around
+   this business issue and proper contractual relations ships between
+   registrants and their registrars seem to be the only solution to cope
+   with these problems.
+
+5.  Security Considerations
+
+   DNSSEC adds data integrity to the DNS.  This document tries to assess
+   the operational considerations to maintain a stable and secure DNSSEC
+   service.  Not taking into account the 'data propagation' properties
+   in the DNS will cause validation failures and may make secured zones
+   unavailable to security-aware resolvers.
+
+6.  IANA considerations
+
+   There are no IANA considerations with respect to this document
+
+7.  Acknowledgments
+
+   Most of the text of this document is copied from RFC4641 [16] people
+   involved in that work were in random order: Rip Loomis, Olafur
+   Gudmundsson, Wesley Griffin, Michael Richardson, Scott Rose, Rick van
+   Rein, Tim McGinnis, Gilles Guette Olivier Courtay, Sam Weiler, Jelte
+   Jansen, Niall O'Reilly, Holger Zuleger, Ed Lewis, Hilarie Orman,
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 30]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   Marcos Sanz, Peter Koch, Mike StJohns, Emmar Bretherick, Adrian
+   Bedford, and Lindy Foster, G. Guette, and O. Courtay.
+
+   For this version of the document we would like to acknowldge:
+
+   o  Paul Hoffman for his contribution on the choice of cryptographic
+      paramenters and addressing some of the trust anchor issues.
+
+   o  Jelte Jansen provided the text in Section 4.2.4
+
+8.  References
+
+8.1.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities",
+         STD 13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033,
+         March 2005.
+
+   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions",
+         RFC 4035, March 2005.
+
+8.2.  Informative References
+
+   [6]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [7]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+         August 1996.
+
+   [8]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+         (DNS NOTIFY)", RFC 1996, August 1996.
+
+   [9]   Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [10]  Eastlake, D., "DNS Security Operational Considerations",
+         RFC 2541, March 1999.
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 31]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   [11]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+         Update", RFC 3007, November 2000.
+
+   [12]  Hollenbeck, S., "Generic Registry-Registrar Protocol
+         Requirements", RFC 3375, September 2002.
+
+   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
+         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+         April 2004.
+
+   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+         Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible Provisioning Protocol (EPP)",
+         RFC 4310, December 2005.
+
+   [16]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+         RFC 4641, September 2006.
+
+   [17]  Shirey, R., "Internet Security Glossary, Version 2", RFC 4949,
+         August 2007.
+
+   [18]  StJohns, M., "Automated Updates of DNS Security (DNSSEC) Trust
+         Anchors", RFC 5011, September 2007.
+
+   [19]  Rose, S., "NIST DNSSEC workshop notes",  , June 2001.
+
+   [20]  Barker, E. and J. Kelsey, "Recommendation for Random Number
+         Generation Using Deterministic Random Bit Generators
+         (Revised)", Nist Special Publication 800-90, March 2007.
+
+   [21]  Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
+         RRSIG Resource Records for  DNSSEC",
+         draft-ietf-dnsext-dnssec-rsasha256-05 (work in progress),
+         July 2008.
+
+   [22]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+         Resource Records (RRs)", RFC 4509, May 2006.
+
+   [23]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+         T. Wright, "Transport Layer Security (TLS) Extensions",
+         RFC 4366, April 2006.
+
+Appendix A.  Terminology
+
+   In this document, there is some jargon used that is defined in other
+   documents.  In most cases, we have not copied the text from the
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 32]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   documents defining the terms but have given a more elaborate
+   explanation of the meaning.  Note that these explanations should not
+   be seen as authoritative.
+
+   Anchored key:  A DNSKEY configured in resolvers around the globe.
+      This key is hard to update, hence the term anchored.
+
+   Bogus:  Also see Section 5 of [3].  An RRSet in DNSSEC is marked
+      "Bogus" when a signature of an RRSet does not validate against a
+      DNSKEY.
+
+   Key Signing Key or KSK:  A Key Signing Key (KSK) is a key that is
+      used exclusively for signing the apex key set.  The fact that a
+      key is a KSK is only relevant to the signing tool.
+
+   Key size:  The term 'key size' can be substituted by 'modulus size'
+      throughout the document.  It is mathematically more correct to use
+      modulus size, but as this is a document directed at operators we
+      feel more at ease with the term key size.
+
+   Private and public keys:  DNSSEC secures the DNS through the use of
+      public key cryptography.  Public key cryptography is based on the
+      existence of two (mathematically related) keys, a public key and a
+      private key.  The public keys are published in the DNS by use of
+      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
+      remain private.
+
+   Key rollover:  A key rollover (also called key supercession in some
+      environments) is the act of replacing one key pair with another at
+      the end of a key effectivity period.
+
+   Secure Entry Point (SEP) key:  A KSK that has a parental DS record
+      pointing to it or is configured as a trust anchor.  Although not
+      required by the protocol, we recommend that the SEP flag [5] is
+      set on these keys.
+
+   Self-signature:  This only applies to signatures over DNSKEYs; a
+      signature made with DNSKEY x, over DNSKEY x is called a self-
+      signature.  Note: without further information, self-signatures
+      convey no trust.  They are useful to check the authenticity of the
+      DNSKEY, i.e., they can be used as a hash.
+
+   Singing the zone file:  The term used for the event where an
+      administrator joyfully signs its zone file while producing melodic
+      sound patterns.
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 33]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   Signer:  The system that has access to the private key material and
+      signs the Resource Record sets in a zone.  A signer may be
+      configured to sign only parts of the zone, e.g., only those RRSets
+      for which existing signatures are about to expire.
+
+   Zone Signing Key (ZSK):  A key that is used for signing all data in a
+      zone (except, perhaps, the DNSKEY RRSet).  The fact that a key is
+      a ZSK is only relevant to the signing tool.
+
+   Zone administrator:  The 'role' that is responsible for signing a
+      zone and publishing it on the primary authoritative server.
+
+Appendix B.  Zone Signing Key Rollover How-To
+
+   Using the pre-published signature scheme and the most conservative
+   method to assure oneself that data does not live in caches, here
+   follows the "how-to".
+
+   Step 0:  The preparation: Create two keys and publish both in your
+      key set.  Mark one of the keys "active" and the other "published".
+      Use the "active" key for signing your zone data.  Store the
+      private part of the "published" key, preferably off-line.  The
+      protocol does not provide for attributes to mark a key as active
+      or published.  This is something you have to do on your own,
+      through the use of a notebook or key management tool.
+
+   Step 1:  Determine expiration: At the beginning of the rollover make
+      a note of the highest expiration time of signatures in your zone
+      file created with the current key marked as active.  Wait until
+      the expiration time marked in Step 1 has passed.
+
+   Step 2:  Then start using the key that was marked "published" to sign
+      your data (i.e., mark it "active").  Stop using the key that was
+      marked "active"; mark it "rolled".
+
+   Step 3:  It is safe to engage in a new rollover (Step 1) after at
+      least one signature validity period.
+
+Appendix C.  Typographic Conventions
+
+   The following typographic conventions are used in this document:
+
+   Key notation:  A key is denoted by DNSKEYx, where x is a number or an
+      identifier, x could be thought of as the key id.
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 34]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   RRSet notations:  RRs are only denoted by the type.  All other
+      information -- owner, class, rdata, and TTL -- is left out.  Thus:
+      "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
+      list of RRs.  A example of this would be "A1, A2", specifying the
+      RRSet containing two "A" records.  This could again be abbreviated
+      to just "A".
+
+   Signature notation:  Signatures are denoted as RRSIGx(RRSet), which
+      means that RRSet is signed with DNSKEYx.
+
+   Zone representation:  Using the above notation we have simplified the
+      representation of a signed zone by leaving out all unnecessary
+      details such as the names and by representing all data by "SOAx"
+
+   SOA representation:  SOAs are represented as SOAx, where x is the
+      serial number.
+
+   Using this notation the following signed zone:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 35]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
+                            2006022100   ; serial
+                            86400        ; refresh (  24 hours)
+                            7200         ; retry   (   2 hours)
+                            3600000      ; expire  (1000 hours)
+                            28800 )      ; minimum (   8 hours)
+                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  cmL62SI6iAX46xGNQAdQ... )
+                     86400  NS      a.example.net.
+                     86400  NS      b.example.net.
+                     86400  RRSIG   NS 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  SO5epiJei19AjXoUpFnQ ... )
+                     86400  DNSKEY  256 3 5 (
+                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+                     86400  DNSKEY  257 3 5 (
+                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  J4zCe8QX4tXVGjV4e1r9... )
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 15 example.net.
+                                  keVDCOpsSeDReyV6O... )
+                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  obj3HEp1GjnmhRjX... )
+   a.example.net.    86400  IN TXT  "A label"
+                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  IkDMlRdYLmXH7QJnuF3v... )
+                     86400  NSEC    b.example.com. TXT RRSIG NSEC
+                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  bZMjoZ3bHjnEz0nIsPMM... )
+                     ...
+
+   is reduced to the following representation:
+
+       SOA2006022100
+       RRSIG14(SOA2006022100)
+       DNSKEY14
+       DNSKEY15
+
+       RRSIG14(KEY)
+       RRSIG15(KEY)
+
+   The rest of the zone data has the same signature as the SOA record,
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 36]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   i.e., an RRSIG created with DNSKEY 14.
+
+Appendix D.  Document Editing History
+
+   [To be removed prior to publication as an RFC]
+
+D.1.  draft-ietf-dnsop-rfc4641-00
+
+   Version 0 was differs from RFC4641 in the following ways.
+
+   o  Status of this memo appropriate for I-D
+
+   o  TOC formatting differs.
+
+   o  Whitespaces, linebreaks, and pagebreaks may be slightly different
+      because of xml2rfc generation.
+
+   o  References slightly reordered.
+
+   o  Applied the errata from
+      http://www.rfc-editor.org/errata_search.php?rfc=4641
+
+   o  Inserted trivial "IANA considertations" section.
+
+   In other words it should not contain substantive changes in content
+   as intended by the workinggroup for the original RFC4641.
+
+D.2.  version 0->1
+
+   Cryptography details rewritten.  (See http://www.nlnetlabs.nl/svn/
+   rfc4641bis/trunk/open-issues/cryptography_flawed)
+
+   o  Reference to NIST 800-90 added
+
+   o  RSA/SHA256 is being recommended in addition to RSA/SHA1.
+
+   o  Complete rewrite of Section 3.5 removing the table and suggesting
+      a keysize of 1024 for keys in use for less than 8 years, issued up
+      to at least 2015.
+
+   o  Replaced the reference to Schneiers' applied cryptograpy with a
+      reference to RFC4949.
+
+   o  Removed the KSK for high level zones consideration
+
+   Applied some differentiation with respect of the use of a KSK for
+   parent or trust-anchor relation http://www.nlnetlabs.nl/svn/
+   rfc4641bis/trunk/open-issues/differentiation_trustanchor_parent
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 37]
+
+Internet-Draft   DNSSEC Operational Practices, Version 2      March 2009
+
+
+   http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+   rollover_assumptions
+
+   Added Section 4.2.4 as suggested by Jelte Jansen in http://
+   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/Key_algorithm_roll
+
+   Added Section 4.4.5 Issue identified by Antoin Verschuur http://
+   www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/
+   non-cooperative-registrars
+
+   In Appendix A: ZSK does not nescessarily sign the DNSKEY RRset.
+
+   $Id: draft-ietf-dnsop-rfc4641bis-01.txt,v 1.1 2009/09/23 13:22:50 fdupont Exp $
+
+Authors' Addresses
+
+   Olaf M. Kolkman
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   EMail: olaf@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+   Miek Gieben
+
+
+   EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben        Expires September 8, 2009              [Page 38]
+
diff --git a/contrib/zkt/doc/rfc4641.txt b/contrib/zkt/doc/rfc4641.txt
new file mode 100644
index 0000000000..0a013bcba5
--- /dev/null
+++ b/contrib/zkt/doc/rfc4641.txt
@@ -0,0 +1,1963 @@
+
+
+
+
+
+
+Network Working Group                                         O. Kolkman
+Request for Comments: 4641                                     R. Gieben
+Obsoletes: 2541                                               NLnet Labs
+Category: Informational                                   September 2006
+
+
+                      DNSSEC Operational Practices
+
+Status of This Memo
+
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The Internet Society (2006).
+
+Abstract
+
+   This document describes a set of practices for operating the DNS with
+   security extensions (DNSSEC).  The target audience is zone
+   administrators deploying DNSSEC.
+
+   The document discusses operational aspects of using keys and
+   signatures in the DNS.  It discusses issues of key generation, key
+   storage, signature generation, key rollover, and related policies.
+
+   This document obsoletes RFC 2541, as it covers more operational
+   ground and gives more up-to-date requirements with respect to key
+   sizes and the new DNSSEC specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 1]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+Table of Contents
+
+   1. Introduction ....................................................3
+      1.1. The Use of the Term 'key' ..................................4
+      1.2. Time Definitions ...........................................4
+   2. Keeping the Chain of Trust Intact ...............................5
+   3. Keys Generation and Storage .....................................6
+      3.1. Zone and Key Signing Keys ..................................6
+           3.1.1. Motivations for the KSK and ZSK Separation ..........6
+           3.1.2. KSKs for High-Level Zones ...........................7
+      3.2. Key Generation .............................................8
+      3.3. Key Effectivity Period .....................................8
+      3.4. Key Algorithm ..............................................9
+      3.5. Key Sizes ..................................................9
+      3.6. Private Key Storage .......................................11
+   4. Signature Generation, Key Rollover, and Related Policies .......12
+      4.1. Time in DNSSEC ............................................12
+           4.1.1. Time Considerations ................................12
+      4.2. Key Rollovers .............................................14
+           4.2.1. Zone Signing Key Rollovers .........................14
+                  4.2.1.1. Pre-Publish Key Rollover ..................15
+                  4.2.1.2. Double Signature Zone Signing Key
+                           Rollover ..................................17
+                  4.2.1.3. Pros and Cons of the Schemes ..............18
+           4.2.2. Key Signing Key Rollovers ..........................18
+           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
+           4.2.4. Automated Key Rollovers ............................21
+      4.3. Planning for Emergency Key Rollover .......................21
+           4.3.1. KSK Compromise .....................................22
+                  4.3.1.1. Keeping the Chain of Trust Intact .........22
+                  4.3.1.2. Breaking the Chain of Trust ...............23
+           4.3.2. ZSK Compromise .....................................23
+           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
+      4.4. Parental Policies .........................................24
+           4.4.1. Initial Key Exchanges and Parental Policies
+                  Considerations .....................................24
+           4.4.2. Storing Keys or Hashes? ............................25
+           4.4.3. Security Lameness ..................................25
+           4.4.4. DS Signature Validity Period .......................26
+   5. Security Considerations ........................................26
+   6. Acknowledgments ................................................26
+   7. References .....................................................27
+      7.1. Normative References ......................................27
+      7.2. Informative References ....................................28
+   Appendix A. Terminology ...........................................30
+   Appendix B. Zone Signing Key Rollover How-To ......................31
+   Appendix C. Typographic Conventions ...............................32
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 2]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+1.  Introduction
+
+   This document describes how to run a DNS Security (DNSSEC)-enabled
+   environment.  It is intended for operators who have knowledge of the
+   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
+   See RFC 4033 [4] for an introduction to DNSSEC, RFC 4034 [5] for the
+   newly introduced Resource Records (RRs), and RFC 4035 [6] for the
+   protocol changes.
+
+   During workshops and early operational deployment tests, operators
+   and system administrators have gained experience about operating the
+   DNS with security extensions (DNSSEC).  This document translates
+   these experiences into a set of practices for zone administrators.
+   At the time of writing, there exists very little experience with
+   DNSSEC in production environments; this document should therefore
+   explicitly not be seen as representing 'Best Current Practices'.
+
+   The procedures herein are focused on the maintenance of signed zones
+   (i.e., signing and publishing zones on authoritative servers).  It is
+   intended that maintenance of zones such as re-signing or key
+   rollovers be transparent to any verifying clients on the Internet.
+
+   The structure of this document is as follows.  In Section 2, we
+   discuss the importance of keeping the "chain of trust" intact.
+   Aspects of key generation and storage of private keys are discussed
+   in Section 3; the focus in this section is mainly on the private part
+   of the key(s).  Section 4 describes considerations concerning the
+   public part of the keys.  Since these public keys appear in the DNS
+   one has to take into account all kinds of timing issues, which are
+   discussed in Section 4.1.  Section 4.2 and Section 4.3 deal with the
+   rollover, or supercession, of keys.  Finally, Section 4.4 discusses
+   considerations on how parents deal with their children's public keys
+   in order to maintain chains of trust.
+
+   The typographic conventions used in this document are explained in
+   Appendix C.
+
+   Since this is a document with operational suggestions and there are
+   no protocol specifications, the RFC 2119 [7] language does not apply.
+
+   This document obsoletes RFC 2541 [12] to reflect the evolution of the
+   underlying DNSSEC protocol since then.  Changes in the choice of
+   cryptographic algorithms, DNS record types and type names, and the
+   parent-child key and signature exchange demanded a major rewrite and
+   additional information and explanation.
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 3]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+1.1.  The Use of the Term 'key'
+
+   It is assumed that the reader is familiar with the concept of
+   asymmetric keys on which DNSSEC is based (public key cryptography
+   [17]).  Therefore, this document will use the term 'key' rather
+   loosely.  Where it is written that 'a key is used to sign data' it is
+   assumed that the reader understands that it is the private part of
+   the key pair that is used for signing.  It is also assumed that the
+   reader understands that the public part of the key pair is published
+   in the DNSKEY Resource Record and that it is the public part that is
+   used in key exchanges.
+
+1.2.  Time Definitions
+
+   In this document, we will be using a number of time-related terms.
+   The following definitions apply:
+
+   o  "Signature validity period" The period that a signature is valid.
+      It starts at the time specified in the signature inception field
+      of the RRSIG RR and ends at the time specified in the expiration
+      field of the RRSIG RR.
+
+   o  "Signature publication period" Time after which a signature (made
+      with a specific key) is replaced with a new signature (made with
+      the same key).  This replacement takes place by publishing the
+      relevant RRSIG in the master zone file.  After one stops
+      publishing an RRSIG in a zone, it may take a while before the
+      RRSIG has expired from caches and has actually been removed from
+      the DNS.
+
+   o  "Key effectivity period" The period during which a key pair is
+      expected to be effective.  This period is defined as the time
+      between the first inception time stamp and the last expiration
+      date of any signature made with this key, regardless of any
+      discontinuity in the use of the key.  The key effectivity period
+      can span multiple signature validity periods.
+
+   o  "Maximum/Minimum Zone Time to Live (TTL)" The maximum or minimum
+      value of the TTLs from the complete set of RRs in a zone.  Note
+      that the minimum TTL is not the same as the MINIMUM field in the
+      SOA RR.  See [11] for more information.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 4]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+2.  Keeping the Chain of Trust Intact
+
+   Maintaining a valid chain of trust is important because broken chains
+   of trust will result in data being marked as Bogus (as defined in [4]
+   Section 5), which may cause entire (sub)domains to become invisible
+   to verifying clients.  The administrators of secured zones have to
+   realize that their zone is, to verifying clients, part of a chain of
+   trust.
+
+   As mentioned in the introduction, the procedures herein are intended
+   to ensure that maintenance of zones, such as re-signing or key
+   rollovers, will be transparent to the verifying clients on the
+   Internet.
+
+   Administrators of secured zones will have to keep in mind that data
+   published on an authoritative primary server will not be immediately
+   seen by verifying clients; it may take some time for the data to be
+   transferred to other secondary authoritative nameservers and clients
+   may be fetching data from caching non-authoritative servers.  In this
+   light, note that the time for a zone transfer from master to slave is
+   negligible when using NOTIFY [9] and incremental transfer (IXFR) [8].
+   It increases when full zone transfers (AXFR) are used in combination
+   with NOTIFY.  It increases even more if you rely on full zone
+   transfers based on only the SOA timing parameters for refresh.
+
+   For the verifying clients, it is important that data from secured
+   zones can be used to build chains of trust regardless of whether the
+   data came directly from an authoritative server, a caching
+   nameserver, or some middle box.  Only by carefully using the
+   available timing parameters can a zone administrator ensure that the
+   data necessary for verification can be obtained.
+
+   The responsibility for maintaining the chain of trust is shared by
+   administrators of secured zones in the chain of trust.  This is most
+   obvious in the case of a 'key compromise' when a trade-off between
+   maintaining a valid chain of trust and replacing the compromised keys
+   as soon as possible must be made.  Then zone administrators will have
+   to make a trade-off, between keeping the chain of trust intact --
+   thereby allowing for attacks with the compromised key -- or
+   deliberately breaking the chain of trust and making secured
+   subdomains invisible to security-aware resolvers.  Also see Section
+   4.3.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 5]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+3.  Keys Generation and Storage
+
+   This section describes a number of considerations with respect to the
+   security of keys.  It deals with the generation, effectivity period,
+   size, and storage of private keys.
+
+3.1.  Zone and Key Signing Keys
+
+   The DNSSEC validation protocol does not distinguish between different
+   types of DNSKEYs.  All DNSKEYs can be used during the validation.  In
+   practice, operators use Key Signing and Zone Signing Keys and use the
+   so-called Secure Entry Point (SEP) [3] flag to distinguish between
+   them during operations.  The dynamics and considerations are
+   discussed below.
+
+   To make zone re-signing and key rollover procedures easier to
+   implement, it is possible to use one or more keys as Key Signing Keys
+   (KSKs).  These keys will only sign the apex DNSKEY RRSet in a zone.
+   Other keys can be used to sign all the RRSets in a zone and are
+   referred to as Zone Signing Keys (ZSKs).  In this document, we assume
+   that KSKs are the subset of keys that are used for key exchanges with
+   the parent and potentially for configuration as trusted anchors --
+   the SEP keys.  In this document, we assume a one-to-one mapping
+   between KSK and SEP keys and we assume the SEP flag to be set on all
+   KSKs.
+
+3.1.1.  Motivations for the KSK and ZSK Separation
+
+   Differentiating between the KSK and ZSK functions has several
+   advantages:
+
+   o  No parent/child interaction is required when ZSKs are updated.
+
+   o  The KSK can be made stronger (i.e., using more bits in the key
+      material).  This has little operational impact since it is only
+      used to sign a small fraction of the zone data.  Also, the KSK is
+      only used to verify the zone's key set, not for other RRSets in
+      the zone.
+
+   o  As the KSK is only used to sign a key set, which is most probably
+      updated less frequently than other data in the zone, it can be
+      stored separately from and in a safer location than the ZSK.
+
+   o  A KSK can have a longer key effectivity period.
+
+   For almost any method of key management and zone signing, the KSK is
+   used less frequently than the ZSK.  Once a key set is signed with the
+   KSK, all the keys in the key set can be used as ZSKs.  If a ZSK is
+
+
+
+Kolkman & Gieben             Informational                      [Page 6]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   compromised, it can be simply dropped from the key set.  The new key
+   set is then re-signed with the KSK.
+
+   Given the assumption that for KSKs the SEP flag is set, the KSK can
+   be distinguished from a ZSK by examining the flag field in the DNSKEY
+   RR.  If the flag field is an odd number it is a KSK.  If it is an
+   even number it is a ZSK.
+
+   The Zone Signing Key can be used to sign all the data in a zone on a
+   regular basis.  When a Zone Signing Key is to be rolled, no
+   interaction with the parent is needed.  This allows for signature
+   validity periods on the order of days.
+
+   The Key Signing Key is only to be used to sign the DNSKEY RRs in a
+   zone.  If a Key Signing Key is to be rolled over, there will be
+   interactions with parties other than the zone administrator.  These
+   can include the registry of the parent zone or administrators of
+   verifying resolvers that have the particular key configured as secure
+   entry points.  Hence, the key effectivity period of these keys can
+   and should be made much longer.  Although, given a long enough key,
+   the key effectivity period can be on the order of years, we suggest
+   planning for a key effectivity on the order of a few months so that a
+   key rollover remains an operational routine.
+
+3.1.2.  KSKs for High-Level Zones
+
+   Higher-level zones are generally more sensitive than lower-level
+   zones.  Anyone controlling or breaking the security of a zone thereby
+   obtains authority over all of its subdomains (except in the case of
+   resolvers that have locally configured the public key of a subdomain,
+   in which case this, and only this, subdomain wouldn't be affected by
+   the compromise of the parent zone).  Therefore, extra care should be
+   taken with high-level zones, and strong keys should be used.
+
+   The root zone is the most critical of all zones.  Someone controlling
+   or compromising the security of the root zone would control the
+   entire DNS namespace of all resolvers using that root zone (except in
+   the case of resolvers that have locally configured the public key of
+   a subdomain).  Therefore, the utmost care must be taken in the
+   securing of the root zone.  The strongest and most carefully handled
+   keys should be used.  The root zone private key should always be kept
+   off-line.
+
+   Many resolvers will start at a root server for their access to and
+   authentication of DNS data.  Securely updating the trust anchors in
+   an enormous population of resolvers around the world will be
+   extremely difficult.
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 7]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+3.2.  Key Generation
+
+   Careful generation of all keys is a sometimes overlooked but
+   absolutely essential element in any cryptographically secure system.
+   The strongest algorithms used with the longest keys are still of no
+   use if an adversary can guess enough to lower the size of the likely
+   key space so that it can be exhaustively searched.  Technical
+   suggestions for the generation of random keys will be found in RFC
+   4086 [14].  One should carefully assess if the random number
+   generator used during key generation adheres to these suggestions.
+
+   Keys with a long effectivity period are particularly sensitive as
+   they will represent a more valuable target and be subject to attack
+   for a longer time than short-period keys.  It is strongly recommended
+   that long-term key generation occur off-line in a manner isolated
+   from the network via an air gap or, at a minimum, high-level secure
+   hardware.
+
+3.3.  Key Effectivity Period
+
+   For various reasons, keys in DNSSEC need to be changed once in a
+   while.  The longer a key is in use, the greater the probability that
+   it will have been compromised through carelessness, accident,
+   espionage, or cryptanalysis.  Furthermore, when key rollovers are too
+   rare an event, they will not become part of the operational habit and
+   there is risk that nobody on-site will remember the procedure for
+   rollover when the need is there.
+
+   From a purely operational perspective, a reasonable key effectivity
+   period for Key Signing Keys is 13 months, with the intent to replace
+   them after 12 months.  An intended key effectivity period of a month
+   is reasonable for Zone Signing Keys.
+
+   For key sizes that match these effectivity periods, see Section 3.5.
+
+   As argued in Section 3.1.2, securely updating trust anchors will be
+   extremely difficult.  On the other hand, the "operational habit"
+   argument does also apply to trust anchor reconfiguration.  If a short
+   key effectivity period is used and the trust anchor configuration has
+   to be revisited on a regular basis, the odds that the configuration
+   tends to be forgotten is smaller.  The trade-off is against a system
+   that is so dynamic that administrators of the validating clients will
+   not be able to follow the modifications.
+
+   Key effectivity periods can be made very short, as in a few minutes.
+   But when replacing keys one has to take the considerations from
+   Section 4.1 and Section 4.2 into account.
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 8]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+3.4.  Key Algorithm
+
+   There are currently three different types of algorithms that can be
+   used in DNSSEC: RSA, DSA, and elliptic curve cryptography.  The
+   latter is fairly new and has yet to be standardized for usage in
+   DNSSEC.
+
+   RSA has been developed in an open and transparent manner.  As the
+   patent on RSA expired in 2000, its use is now also free.
+
+   DSA has been developed by the National Institute of Standards and
+   Technology (NIST).  The creation of signatures takes roughly the same
+   time as with RSA, but is 10 to 40 times as slow for verification
+   [17].
+
+   We suggest the use of RSA/SHA-1 as the preferred algorithm for the
+   key.  The current known attacks on RSA can be defeated by making your
+   key longer.  As the MD5 hashing algorithm is showing cracks, we
+   recommend the usage of SHA-1.
+
+   At the time of publication, it is known that the SHA-1 hash has
+   cryptanalysis issues.  There is work in progress on addressing these
+   issues.  We recommend the use of public key algorithms based on
+   hashes stronger than SHA-1 (e.g., SHA-256), as soon as these
+   algorithms are available in protocol specifications (see [19] and
+   [20]) and implementations.
+
+3.5.  Key Sizes
+
+   When choosing key sizes, zone administrators will need to take into
+   account how long a key will be used, how much data will be signed
+   during the key publication period (see Section 8.10 of [17]), and,
+   optionally, how large the key size of the parent is.  As the chain of
+   trust really is "a chain", there is not much sense in making one of
+   the keys in the chain several times larger then the others.  As
+   always, it's the weakest link that defines the strength of the entire
+   chain.  Also see Section 3.1.1 for a discussion of how keys serving
+   different roles (ZSK vs. KSK) may need different key sizes.
+
+   Generating a key of the correct size is a difficult problem; RFC 3766
+   [13] tries to deal with that problem.  The first part of the
+   selection procedure in Section 1 of the RFC states:
+
+      1. Determine the attack resistance necessary to satisfy the
+         security requirements of the application.  Do this by
+         estimating the minimum number of computer operations that the
+         attacker will be forced to do in order to compromise the
+
+
+
+
+Kolkman & Gieben             Informational                      [Page 9]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+         security of the system and then take the logarithm base two of
+         that number.  Call that logarithm value "n".
+
+         A 1996 report recommended 90 bits as a good all-around choice
+         for system security.  The 90 bit number should be increased by
+         about 2/3 bit/year, or about 96 bits in 2005.
+
+   [13] goes on to explain how this number "n" can be used to calculate
+   the key sizes in public key cryptography.  This culminated in the
+   table given below (slightly modified for our purpose):
+
+      +-------------+-----------+--------------+
+      | System      |           |              |
+      | requirement | Symmetric | RSA or DSA   |
+      | for attack  | key size  | modulus size |
+      | resistance  | (bits)    | (bits)       |
+      | (bits)      |           |              |
+      +-------------+-----------+--------------+
+      |     70      |     70    |      947     |
+      |     80      |     80    |     1228     |
+      |     90      |     90    |     1553     |
+      |    100      |    100    |     1926     |
+      |    150      |    150    |     4575     |
+      |    200      |    200    |     8719     |
+      |    250      |    250    |    14596     |
+      +-------------+-----------+--------------+
+
+   The key sizes given are rather large.  This is because these keys are
+   resilient against a trillionaire attacker.  Assuming this rich
+   attacker will not attack your key and that the key is rolled over
+   once a year, we come to the following recommendations about KSK
+   sizes: 1024 bits for low-value domains, 1300 bits for medium-value
+   domains, and 2048 bits for high-value domains.
+
+   Whether a domain is of low, medium, or high value depends solely on
+   the views of the zone owner.  One could, for instance, view leaf
+   nodes in the DNS as of low value, and top-level domains (TLDs) or the
+   root zone of high value.  The suggested key sizes should be safe for
+   the next 5 years.
+
+   As ZSKs can be rolled over more easily (and thus more often), the key
+   sizes can be made smaller.  But as said in the introduction of this
+   paragraph, making the ZSKs' key sizes too small (in relation to the
+   KSKs' sizes) doesn't make much sense.  Try to limit the difference in
+   size to about 100 bits.
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 10]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   Note that nobody can see into the future and that these key sizes are
+   only provided here as a guide.  Further information can be found in
+   [16] and Section 7.5 of [17].  It should be noted though that [16] is
+   already considered overly optimistic about what key sizes are
+   considered safe.
+
+   One final note concerning key sizes.  Larger keys will increase the
+   sizes of the RRSIG and DNSKEY records and will therefore increase the
+   chance of DNS UDP packet overflow.  Also, the time it takes to
+   validate and create RRSIGs increases with larger keys, so don't
+   needlessly double your key sizes.
+
+3.6.  Private Key Storage
+
+   It is recommended that, where possible, zone private keys and the
+   zone file master copy that is to be signed be kept and used in off-
+   line, non-network-connected, physically secure machines only.
+   Periodically, an application can be run to add authentication to a
+   zone by adding RRSIG and NSEC RRs.  Then the augmented file can be
+   transferred.
+
+   When relying on dynamic update to manage a signed zone [10], be aware
+   that at least one private key of the zone will have to reside on the
+   master server.  This key is only as secure as the amount of exposure
+   the server receives to unknown clients and the security of the host.
+   Although not mandatory, one could administer the DNS in the following
+   way.  The master that processes the dynamic updates is unavailable
+   from generic hosts on the Internet, it is not listed in the NS RR
+   set, although its name appears in the SOA RRs MNAME field.  The
+   nameservers in the NS RRSet are able to receive zone updates through
+   NOTIFY, IXFR, AXFR, or an out-of-band distribution mechanism.  This
+   approach is known as the "hidden master" setup.
+
+   The ideal situation is to have a one-way information flow to the
+   network to avoid the possibility of tampering from the network.
+   Keeping the zone master file on-line on the network and simply
+   cycling it through an off-line signer does not do this.  The on-line
+   version could still be tampered with if the host it resides on is
+   compromised.  For maximum security, the master copy of the zone file
+   should be off-net and should not be updated based on an unsecured
+   network mediated communication.
+
+   In general, keeping a zone file off-line will not be practical and
+   the machines on which zone files are maintained will be connected to
+   a network.  Operators are advised to take security measures to shield
+   unauthorized access to the master copy.
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 11]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   For dynamically updated secured zones [10], both the master copy and
+   the private key that is used to update signatures on updated RRs will
+   need to be on-line.
+
+4.  Signature Generation, Key Rollover, and Related Policies
+
+4.1.  Time in DNSSEC
+
+   Without DNSSEC, all times in the DNS are relative.  The SOA fields
+   REFRESH, RETRY, and EXPIRATION are timers used to determine the time
+   elapsed after a slave server synchronized with a master server.  The
+   Time to Live (TTL) value and the SOA RR minimum TTL parameter [11]
+   are used to determine how long a forwarder should cache data after it
+   has been fetched from an authoritative server.  By using a signature
+   validity period, DNSSEC introduces the notion of an absolute time in
+   the DNS.  Signatures in DNSSEC have an expiration date after which
+   the signature is marked as invalid and the signed data is to be
+   considered Bogus.
+
+4.1.1.  Time Considerations
+
+   Because of the expiration of signatures, one should consider the
+   following:
+
+   o  We suggest the Maximum Zone TTL of your zone data to be a fraction
+      of your signature validity period.
+
+         If the TTL would be of similar order as the signature validity
+         period, then all RRSets fetched during the validity period
+         would be cached until the signature expiration time.  Section
+         7.1 of [4] suggests that "the resolver may use the time
+         remaining before expiration of the signature validity period of
+         a signed RRSet as an upper bound for the TTL".  As a result,
+         query load on authoritative servers would peak at signature
+         expiration time, as this is also the time at which records
+         simultaneously expire from caches.
+
+         To avoid query load peaks, we suggest the TTL on all the RRs in
+         your zone to be at least a few times smaller than your
+         signature validity period.
+
+   o  We suggest the signature publication period to end at least one
+      Maximum Zone TTL duration before the end of the signature validity
+      period.
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 12]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+         Re-signing a zone shortly before the end of the signature
+         validity period may cause simultaneous expiration of data from
+         caches.  This in turn may lead to peaks in the load on
+         authoritative servers.
+
+   o  We suggest the Minimum Zone TTL to be long enough to both fetch
+      and verify all the RRs in the trust chain.  In workshop
+      environments, it has been demonstrated [18] that a low TTL (under
+      5 to 10 minutes) caused disruptions because of the following two
+      problems:
+
+         1.  During validation, some data may expire before the
+             validation is complete.  The validator should be able to
+             keep all data until it is completed.  This applies to all
+             RRs needed to complete the chain of trust: DSes, DNSKEYs,
+             RRSIGs, and the final answers, i.e., the RRSet that is
+             returned for the initial query.
+
+         2.  Frequent verification causes load on recursive nameservers.
+             Data at delegation points, DSes, DNSKEYs, and RRSIGs
+             benefit from caching.  The TTL on those should be
+             relatively long.
+
+   o  Slave servers will need to be able to fetch newly signed zones
+      well before the RRSIGs in the zone served by the slave server pass
+      their signature expiration time.
+
+         When a slave server is out of sync with its master and data in
+         a zone is signed by expired signatures, it may be better for
+         the slave server not to give out any answer.
+
+         Normally, a slave server that is not able to contact a master
+         server for an extended period will expire a zone.  When that
+         happens, the server will respond differently to queries for
+         that zone.  Some servers issue SERVFAIL, whereas others turn
+         off the 'AA' bit in the answers.  The time of expiration is set
+         in the SOA record and is relative to the last successful
+         refresh between the master and the slave servers.  There exists
+         no coupling between the signature expiration of RRSIGs in the
+         zone and the expire parameter in the SOA.
+
+         If the server serves a DNSSEC zone, then it may well happen
+         that the signatures expire well before the SOA expiration timer
+         counts down to zero.  It is not possible to completely prevent
+         this from happening by tweaking the SOA parameters.  However,
+         the effects can be minimized where the SOA expiration time is
+         equal to or shorter than the signature validity period.  The
+         consequence of an authoritative server not being able to update
+
+
+
+Kolkman & Gieben             Informational                     [Page 13]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+         a zone, whilst that zone includes expired signatures, is that
+         non-secure resolvers will continue to be able to resolve data
+         served by the particular slave servers while security-aware
+         resolvers will experience problems because of answers being
+         marked as Bogus.
+
+         We suggest the SOA expiration timer being approximately one
+         third or one fourth of the signature validity period.  It will
+         allow problems with transfers from the master server to be
+         noticed before the actual signature times out.  We also suggest
+         that operators of nameservers that supply secondary services
+         develop 'watch dogs' to spot upcoming signature expirations in
+         zones they slave, and take appropriate action.
+
+         When determining the value for the expiration parameter one has
+         to take the following into account: What are the chances that
+         all my secondaries expire the zone? How quickly can I reach an
+         administrator of secondary servers to load a valid zone?  These
+         questions are not DNSSEC specific but may influence the choice
+         of your signature validity intervals.
+
+4.2.  Key Rollovers
+
+   A DNSSEC key cannot be used forever (see Section 3.3).  So key
+   rollovers -- or supercessions, as they are sometimes called -- are a
+   fact of life when using DNSSEC.  Zone administrators who are in the
+   process of rolling their keys have to take into account that data
+   published in previous versions of their zone still lives in caches.
+   When deploying DNSSEC, this becomes an important consideration;
+   ignoring data that may be in caches may lead to loss of service for
+   clients.
+
+   The most pressing example of this occurs when zone material signed
+   with an old key is being validated by a resolver that does not have
+   the old zone key cached.  If the old key is no longer present in the
+   current zone, this validation fails, marking the data "Bogus".
+   Alternatively, an attempt could be made to validate data that is
+   signed with a new key against an old key that lives in a local cache,
+   also resulting in data being marked "Bogus".
+
+4.2.1.  Zone Signing Key Rollovers
+
+   For "Zone Signing Key rollovers", there are two ways to make sure
+   that during the rollover data still cached can be verified with the
+   new key sets or newly generated signatures can be verified with the
+   keys still in caches.  One schema, described in Section 4.2.1.2, uses
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 14]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   double signatures; the other uses key pre-publication (Section
+   4.2.1.1).  The pros, cons, and recommendations are described in
+   Section 4.2.1.3.
+
+4.2.1.1.  Pre-Publish Key Rollover
+
+   This section shows how to perform a ZSK rollover without the need to
+   sign all the data in a zone twice -- the "pre-publish key rollover".
+   This method has advantages in the case of a key compromise.  If the
+   old key is compromised, the new key has already been distributed in
+   the DNS.  The zone administrator is then able to quickly switch to
+   the new key and remove the compromised key from the zone.  Another
+   major advantage is that the zone size does not double, as is the case
+   with the double signature ZSK rollover.  A small "how-to" for this
+   kind of rollover can be found in Appendix B.
+
+   Pre-publish key rollover involves four stages as follows:
+
+      ----------------------------------------------------------------
+      initial         new DNSKEY       new RRSIGs      DNSKEY removal
+      ----------------------------------------------------------------
+      SOA0            SOA1             SOA2            SOA3
+      RRSIG10(SOA0)   RRSIG10(SOA1)    RRSIG11(SOA2)   RRSIG11(SOA3)
+
+      DNSKEY1         DNSKEY1          DNSKEY1         DNSKEY1
+      DNSKEY10        DNSKEY10         DNSKEY10        DNSKEY11
+      DNSKEY11         DNSKEY11
+      RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  RRSIG1(DNSKEY)  RRSIG1 (DNSKEY)
+      RRSIG10(DNSKEY) RRSIG10(DNSKEY)  RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
+
+                         Pre-Publish Key Rollover
+
+   initial: Initial version of the zone: DNSKEY 1 is the Key Signing
+      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
+
+   new DNSKEY: DNSKEY 11 is introduced into the key set.  Note that no
+      signatures are generated with this key yet, but this does not
+      secure against brute force attacks on the public key.  The minimum
+      duration of this pre-roll phase is the time it takes for the data
+      to propagate to the authoritative servers plus TTL value of the
+      key set.
+
+   new RRSIGs: At the "new RRSIGs" stage (SOA serial 2), DNSKEY 11 is
+      used to sign the data in the zone exclusively (i.e., all the
+      signatures from DNSKEY 10 are removed from the zone).  DNSKEY 10
+      remains published in the key set.  This way data that was loaded
+
+
+
+Kolkman & Gieben             Informational                     [Page 15]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+      into caches from version 1 of the zone can still be verified with
+      key sets fetched from version 2 of the zone.  The minimum time
+      that the key set including DNSKEY 10 is to be published is the
+      time that it takes for zone data from the previous version of the
+      zone to expire from old caches, i.e., the time it takes for this
+      zone to propagate to all authoritative servers plus the Maximum
+      Zone TTL value of any of the data in the previous version of the
+      zone.
+
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  The key set, now
+      only containing DNSKEY 1 and DNSKEY 11, is re-signed with the
+      DNSKEY 1.
+
+   The above scheme can be simplified by always publishing the "future"
+   key immediately after the rollover.  The scheme would look as follows
+   (we show two rollovers); the future key is introduced in "new DNSKEY"
+   as DNSKEY 12 and again a newer one, numbered 13, in "new DNSKEY
+   (II)":
+
+      ----------------------------------------------------------------
+      initial             new RRSIGs          new DNSKEY
+      ----------------------------------------------------------------
+      SOA0                SOA1                SOA2
+      RRSIG10(SOA0)       RRSIG11(SOA1)       RRSIG11(SOA2)
+
+      DNSKEY1             DNSKEY1             DNSKEY1
+      DNSKEY10            DNSKEY10            DNSKEY11
+      DNSKEY11            DNSKEY11            DNSKEY12
+      RRSIG1(DNSKEY)      RRSIG1 (DNSKEY)     RRSIG1(DNSKEY)
+      RRSIG10(DNSKEY)     RRSIG11(DNSKEY)     RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
+
+      ----------------------------------------------------------------
+      new RRSIGs (II)     new DNSKEY (II)
+      ----------------------------------------------------------------
+      SOA3                SOA4
+      RRSIG12(SOA3)       RRSIG12(SOA4)
+
+      DNSKEY1             DNSKEY1
+      DNSKEY11            DNSKEY12
+      DNSKEY12            DNSKEY13
+      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)
+      RRSIG12(DNSKEY)     RRSIG12(DNSKEY)
+      ----------------------------------------------------------------
+
+              Pre-Publish Key Rollover, Showing Two Rollovers
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 16]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   Note that the key introduced in the "new DNSKEY" phase is not used
+   for production yet; the private key can thus be stored in a
+   physically secure manner and does not need to be 'fetched' every time
+   a zone needs to be signed.
+
+4.2.1.2.  Double Signature Zone Signing Key Rollover
+
+   This section shows how to perform a ZSK key rollover using the double
+   zone data signature scheme, aptly named "double signature rollover".
+
+   During the "new DNSKEY" stage the new version of the zone file will
+   need to propagate to all authoritative servers and the data that
+   exists in (distant) caches will need to expire, requiring at least
+   the Maximum Zone TTL.
+
+   Double signature ZSK rollover involves three stages as follows:
+
+      ----------------------------------------------------------------
+      initial             new DNSKEY         DNSKEY removal
+      ----------------------------------------------------------------
+      SOA0                SOA1               SOA2
+      RRSIG10(SOA0)       RRSIG10(SOA1)      RRSIG11(SOA2)
+      RRSIG11(SOA1)
+
+      DNSKEY1             DNSKEY1            DNSKEY1
+      DNSKEY10            DNSKEY10           DNSKEY11
+      DNSKEY11
+      RRSIG1(DNSKEY)      RRSIG1(DNSKEY)     RRSIG1(DNSKEY)
+      RRSIG10(DNSKEY)     RRSIG10(DNSKEY)    RRSIG11(DNSKEY)
+      RRSIG11(DNSKEY)
+      ----------------------------------------------------------------
+
+                Double Signature Zone Signing Key Rollover
+
+   initial: Initial Version of the zone: DNSKEY 1 is the Key Signing
+      Key.  DNSKEY 10 is used to sign all the data of the zone, the Zone
+      Signing Key.
+
+   new DNSKEY: At the "New DNSKEY" stage (SOA serial 1) DNSKEY 11 is
+      introduced into the key set and all the data in the zone is signed
+      with DNSKEY 10 and DNSKEY 11.  The rollover period will need to
+      continue until all data from version 0 of the zone has expired
+      from remote caches.  This will take at least the Maximum Zone TTL
+      of version 0 of the zone.
+
+   DNSKEY removal: DNSKEY 10 is removed from the zone.  All the
+      signatures from DNSKEY 10 are removed from the zone.  The key set,
+      now only containing DNSKEY 11, is re-signed with DNSKEY 1.
+
+
+
+Kolkman & Gieben             Informational                     [Page 17]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   At every instance, RRSIGs from the previous version of the zone can
+   be verified with the DNSKEY RRSet from the current version and the
+   other way around.  The data from the current version can be verified
+   with the data from the previous version of the zone.  The duration of
+   the "new DNSKEY" phase and the period between rollovers should be at
+   least the Maximum Zone TTL.
+
+   Making sure that the "new DNSKEY" phase lasts until the signature
+   expiration time of the data in initial version of the zone is
+   recommended.  This way all caches are cleared of the old signatures.
+   However, this duration could be considerably longer than the Maximum
+   Zone TTL, making the rollover a lengthy procedure.
+
+   Note that in this example we assumed that the zone was not modified
+   during the rollover.  New data can be introduced in the zone as long
+   as it is signed with both keys.
+
+4.2.1.3.  Pros and Cons of the Schemes
+
+   Pre-publish key rollover: This rollover does not involve signing the
+      zone data twice.  Instead, before the actual rollover, the new key
+      is published in the key set and thus is available for
+      cryptanalysis attacks.  A small disadvantage is that this process
+      requires four steps.  Also the pre-publish scheme involves more
+      parental work when used for KSK rollovers as explained in Section
+      4.2.3.
+
+   Double signature ZSK rollover: The drawback of this signing scheme is
+      that during the rollover the number of signatures in your zone
+      doubles; this may be prohibitive if you have very big zones.  An
+      advantage is that it only requires three steps.
+
+4.2.2.  Key Signing Key Rollovers
+
+   For the rollover of a Key Signing Key, the same considerations as for
+   the rollover of a Zone Signing Key apply.  However, we can use a
+   double signature scheme to guarantee that old data (only the apex key
+   set) in caches can be verified with a new key set and vice versa.
+   Since only the key set is signed with a KSK, zone size considerations
+   do not apply.
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 18]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   --------------------------------------------------------------------
+       initial        new DNSKEY        DS change       DNSKEY removal
+   --------------------------------------------------------------------
+     Parent:
+       SOA0           -------->         SOA1            -------->
+       RRSIGpar(SOA0) -------->         RRSIGpar(SOA1)  -------->
+       DS1            -------->         DS2             -------->
+       RRSIGpar(DS)   -------->         RRSIGpar(DS)    -------->
+
+
+     Child:
+       SOA0            SOA1             -------->       SOA2
+       RRSIG10(SOA0)   RRSIG10(SOA1)    -------->       RRSIG10(SOA2)
+                                        -------->
+       DNSKEY1         DNSKEY1          -------->       DNSKEY2
+                       DNSKEY2          -------->
+       DNSKEY10        DNSKEY10         -------->       DNSKEY10
+       RRSIG1 (DNSKEY) RRSIG1 (DNSKEY)  -------->       RRSIG2 (DNSKEY)
+                       RRSIG2 (DNSKEY)  -------->
+       RRSIG10(DNSKEY) RRSIG10(DNSKEY)  -------->       RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
+
+   Stages of Deployment for a Double Signature Key Signing Key Rollover
+
+   initial: Initial version of the zone.  The parental DS points to
+      DNSKEY1.  Before the rollover starts, the child will have to
+      verify what the TTL is of the DS RR that points to DNSKEY1 -- it
+      is needed during the rollover and we refer to the value as TTL_DS.
+
+   new DNSKEY: During the "new DNSKEY" phase, the zone administrator
+      generates a second KSK, DNSKEY2.  The key is provided to the
+      parent, and the child will have to wait until a new DS RR has been
+      generated that points to DNSKEY2.  After that DS RR has been
+      published on all servers authoritative for the parent's zone, the
+      zone administrator has to wait at least TTL_DS to make sure that
+      the old DS RR has expired from caches.
+
+   DS change: The parent replaces DS1 with DS2.
+
+   DNSKEY removal: DNSKEY1 has been removed.
+
+   The scenario above puts the responsibility for maintaining a valid
+   chain of trust with the child.  It also is based on the premise that
+   the parent only has one DS RR (per algorithm) per zone.  An
+   alternative mechanism has been considered.  Using an established
+   trust relation, the interaction can be performed in-band, and the
+   removal of the keys by the child can possibly be signaled by the
+   parent.  In this mechanism, there are periods where there are two DS
+
+
+
+Kolkman & Gieben             Informational                     [Page 19]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   RRs at the parent.  Since at the moment of writing the protocol for
+   this interaction has not been developed, further discussion is out of
+   scope for this document.
+
+4.2.3.  Difference Between ZSK and KSK Rollovers
+
+   Note that KSK rollovers and ZSK rollovers are different in the sense
+   that a KSK rollover requires interaction with the parent (and
+   possibly replacing of trust anchors) and the ensuing delay while
+   waiting for it.
+
+   A zone key rollover can be handled in two different ways: pre-publish
+   (Section 4.2.1.1) and double signature (Section 4.2.1.2).
+
+   As the KSK is used to validate the key set and because the KSK is not
+   changed during a ZSK rollover, a cache is able to validate the new
+   key set of the zone.  The pre-publish method would also work for a
+   KSK rollover.  The records that are to be pre-published are the
+   parental DS RRs.  The pre-publish method has some drawbacks for KSKs.
+   We first describe the rollover scheme and then indicate these
+   drawbacks.
+
+   --------------------------------------------------------------------
+     initial         new DS           new DNSKEY      DS/DNSKEY removal
+   --------------------------------------------------------------------
+   Parent:
+     SOA0            SOA1             -------->       SOA2
+     RRSIGpar(SOA0)  RRSIGpar(SOA1)   -------->       RRSIGpar(SOA2)
+     DS1             DS1              -------->       DS2
+                     DS2              -------->
+     RRSIGpar(DS)    RRSIGpar(DS)     -------->       RRSIGpar(DS)
+
+
+   Child:
+     SOA0            -------->        SOA1            SOA1
+     RRSIG10(SOA0)   -------->        RRSIG10(SOA1)   RRSIG10(SOA1)
+                     -------->
+     DNSKEY1         -------->        DNSKEY2         DNSKEY2
+                     -------->
+     DNSKEY10        -------->        DNSKEY10        DNSKEY10
+     RRSIG1 (DNSKEY) -------->        RRSIG2(DNSKEY)  RRSIG2 (DNSKEY)
+     RRSIG10(DNSKEY) -------->        RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+   --------------------------------------------------------------------
+
+      Stages of Deployment for a Pre-Publish Key Signing Key Rollover
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 20]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   When the child zone wants to roll, it notifies the parent during the
+   "new DS" phase and submits the new key (or the corresponding DS) to
+   the parent.  The parent publishes DS1 and DS2, pointing to DNSKEY1
+   and DNSKEY2, respectively.  During the rollover ("new DNSKEY" phase),
+   which can take place as soon as the new DS set propagated through the
+   DNS, the child replaces DNSKEY1 with DNSKEY2.  Immediately after that
+   ("DS/DNSKEY removal" phase), it can notify the parent that the old DS
+   record can be deleted.
+
+   The drawbacks of this scheme are that during the "new DS" phase the
+   parent cannot verify the match between the DS2 RR and DNSKEY2 using
+   the DNS -- as DNSKEY2 is not yet published.  Besides, we introduce a
+   "security lame" key (see Section 4.4.3).  Finally, the child-parent
+   interaction consists of two steps.  The "double signature" method
+   only needs one interaction.
+
+4.2.4.  Automated Key Rollovers
+
+   As keys must be renewed periodically, there is some motivation to
+   automate the rollover process.  Consider the following:
+
+   o  ZSK rollovers are easy to automate as only the child zone is
+      involved.
+
+   o  A KSK rollover needs interaction between parent and child.  Data
+      exchange is needed to provide the new keys to the parent;
+      consequently, this data must be authenticated and integrity must
+      be guaranteed in order to avoid attacks on the rollover.
+
+4.3.  Planning for Emergency Key Rollover
+
+   This section deals with preparation for a possible key compromise.
+   Our advice is to have a documented procedure ready for when a key
+   compromise is suspected or confirmed.
+
+   When the private material of one of your keys is compromised it can
+   be used for as long as a valid trust chain exists.  A trust chain
+   remains intact for
+
+   o  as long as a signature over the compromised key in the trust chain
+      is valid,
+
+   o  as long as a parental DS RR (and signature) points to the
+      compromised key,
+
+   o  as long as the key is anchored in a resolver and is used as a
+      starting point for validation (this is generally the hardest to
+      update).
+
+
+
+Kolkman & Gieben             Informational                     [Page 21]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   While a trust chain to your compromised key exists, your namespace is
+   vulnerable to abuse by anyone who has obtained illegitimate
+   possession of the key.  Zone operators have to make a trade-off if
+   the abuse of the compromised key is worse than having data in caches
+   that cannot be validated.  If the zone operator chooses to break the
+   trust chain to the compromised key, data in caches signed with this
+   key cannot be validated.  However, if the zone administrator chooses
+   to take the path of a regular rollover, the malicious key holder can
+   spoof data so that it appears to be valid.
+
+4.3.1.  KSK Compromise
+
+   A zone containing a DNSKEY RRSet with a compromised KSK is vulnerable
+   as long as the compromised KSK is configured as trust anchor or a
+   parental DS points to it.
+
+   A compromised KSK can be used to sign the key set of an attacker's
+   zone.  That zone could be used to poison the DNS.
+
+   Therefore, when the KSK has been compromised, the trust anchor or the
+   parental DS should be replaced as soon as possible.  It is local
+   policy whether to break the trust chain during the emergency
+   rollover.  The trust chain would be broken when the compromised KSK
+   is removed from the child's zone while the parent still has a DS
+   pointing to the compromised KSK (the assumption is that there is only
+   one DS at the parent.  If there are multiple DSes this does not apply
+   -- however the chain of trust of this particular key is broken).
+
+   Note that an attacker's zone still uses the compromised KSK and the
+   presence of a parental DS would cause the data in this zone to appear
+   as valid.  Removing the compromised key would cause the attacker's
+   zone to appear as valid and the child's zone as Bogus.  Therefore, we
+   advise not to remove the KSK before the parent has a DS to a new KSK
+   in place.
+
+4.3.1.1.  Keeping the Chain of Trust Intact
+
+   If we follow this advice, the timing of the replacement of the KSK is
+   somewhat critical.  The goal is to remove the compromised KSK as soon
+   as the new DS RR is available at the parent.  And also make sure that
+   the signature made with a new KSK over the key set with the
+   compromised KSK in it expires just after the new DS appears at the
+   parent, thus removing the old cruft in one swoop.
+
+   The procedure is as follows:
+
+   1.  Introduce a new KSK into the key set, keep the compromised KSK in
+       the key set.
+
+
+
+Kolkman & Gieben             Informational                     [Page 22]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   2.  Sign the key set, with a short validity period.  The validity
+       period should expire shortly after the DS is expected to appear
+       in the parent and the old DSes have expired from caches.
+
+   3.  Upload the DS for this new key to the parent.
+
+   4.  Follow the procedure of the regular KSK rollover: Wait for the DS
+       to appear in the authoritative servers and then wait as long as
+       the TTL of the old DS RRs.  If necessary re-sign the DNSKEY RRSet
+       and modify/extend the expiration time.
+
+   5.  Remove the compromised DNSKEY RR from the zone and re-sign the
+       key set using your "normal" validity interval.
+
+   An additional danger of a key compromise is that the compromised key
+   could be used to facilitate a legitimate DNSKEY/DS rollover and/or
+   nameserver changes at the parent.  When that happens, the domain may
+   be in dispute.  An authenticated out-of-band and secure notify
+   mechanism to contact a parent is needed in this case.
+
+   Note that this is only a problem when the DNSKEY and or DS records
+   are used for authentication at the parent.
+
+4.3.1.2.  Breaking the Chain of Trust
+
+   There are two methods to break the chain of trust.  The first method
+   causes the child zone to appear 'Bogus' to validating resolvers.  The
+   other causes the child zone to appear 'insecure'.  These are
+   described below.
+
+   In the method that causes the child zone to appear 'Bogus' to
+   validating resolvers, the child zone replaces the current KSK with a
+   new one and re-signs the key set.  Next it sends the DS of the new
+   key to the parent.  Only after the parent has placed the new DS in
+   the zone is the child's chain of trust repaired.
+
+   An alternative method of breaking the chain of trust is by removing
+   the DS RRs from the parent zone altogether.  As a result, the child
+   zone would become insecure.
+
+4.3.2.  ZSK Compromise
+
+   Primarily because there is no parental interaction required when a
+   ZSK is compromised, the situation is less severe than with a KSK
+   compromise.  The zone must still be re-signed with a new ZSK as soon
+   as possible.  As this is a local operation and requires no
+   communication between the parent and child, this can be achieved
+   fairly quickly.  However, one has to take into account that just as
+
+
+
+Kolkman & Gieben             Informational                     [Page 23]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   with a normal rollover the immediate disappearance of the old
+   compromised key may lead to verification problems.  Also note that as
+   long as the RRSIG over the compromised ZSK is not expired the zone
+   may be still at risk.
+
+4.3.3.  Compromises of Keys Anchored in Resolvers
+
+   A key can also be pre-configured in resolvers.  For instance, if
+   DNSSEC is successfully deployed the root key may be pre-configured in
+   most security aware resolvers.
+
+   If trust-anchor keys are compromised, the resolvers using these keys
+   should be notified of this fact.  Zone administrators may consider
+   setting up a mailing list to communicate the fact that a SEP key is
+   about to be rolled over.  This communication will of course need to
+   be authenticated, e.g., by using digital signatures.
+
+   End-users faced with the task of updating an anchored key should
+   always validate the new key.  New keys should be authenticated out-
+   of-band, for example, through the use of an announcement website that
+   is secured using secure sockets (TLS) [21].
+
+4.4.  Parental Policies
+
+4.4.1.  Initial Key Exchanges and Parental Policies Considerations
+
+   The initial key exchange is always subject to the policies set by the
+   parent.  When designing a key exchange policy one should take into
+   account that the authentication and authorization mechanisms used
+   during a key exchange should be as strong as the authentication and
+   authorization mechanisms used for the exchange of delegation
+   information between parent and child.  That is, there is no implicit
+   need in DNSSEC to make the authentication process stronger than it
+   was in DNS.
+
+   Using the DNS itself as the source for the actual DNSKEY material,
+   with an out-of-band check on the validity of the DNSKEY, has the
+   benefit that it reduces the chances of user error.  A DNSKEY query
+   tool can make use of the SEP bit [3] to select the proper key from a
+   DNSSEC key set, thereby reducing the chance that the wrong DNSKEY is
+   sent.  It can validate the self-signature over a key; thereby
+   verifying the ownership of the private key material.  Fetching the
+   DNSKEY from the DNS ensures that the chain of trust remains intact
+   once the parent publishes the DS RR indicating the child is secure.
+
+   Note: the out-of-band verification is still needed when the key
+   material is fetched via the DNS.  The parent can never be sure
+   whether or not the DNSKEY RRs have been spoofed.
+
+
+
+Kolkman & Gieben             Informational                     [Page 24]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+4.4.2.  Storing Keys or Hashes?
+
+   When designing a registry system one should consider which of the
+   DNSKEYs and/or the corresponding DSes to store.  Since a child zone
+   might wish to have a DS published using a message digest algorithm
+   not yet understood by the registry, the registry can't count on being
+   able to generate the DS record from a raw DNSKEY.  Thus, we recommend
+   that registry systems at least support storing DS records.
+
+   It may also be useful to store DNSKEYs, since having them may help
+   during troubleshooting and, as long as the child's chosen message
+   digest is supported, the overhead of generating DS records from them
+   is minimal.  Having an out-of-band mechanism, such as a registry
+   directory (e.g., Whois), to find out which keys are used to generate
+   DS Resource Records for specific owners and/or zones may also help
+   with troubleshooting.
+
+   The storage considerations also relate to the design of the customer
+   interface and the method by which data is transferred between
+   registrant and registry; Will the child zone administrator be able to
+   upload DS RRs with unknown hash algorithms or does the interface only
+   allow DNSKEYs?  In the registry-registrar model, one can use the
+   DNSSEC extensions to the Extensible Provisioning Protocol (EPP) [15],
+   which allows transfer of DS RRs and optionally DNSKEY RRs.
+
+4.4.3.  Security Lameness
+
+   Security lameness is defined as what happens when a parent has a DS
+   RR pointing to a non-existing DNSKEY RR.  When this happens, the
+   child's zone may be marked "Bogus" by verifying DNS clients.
+
+   As part of a comprehensive delegation check, the parent could, at key
+   exchange time, verify that the child's key is actually configured in
+   the DNS.  However, if a parent does not understand the hashing
+   algorithm used by child, the parental checks are limited to only
+   comparing the key id.
+
+   Child zones should be very careful in removing DNSKEY material,
+   specifically SEP keys, for which a DS RR exists.
+
+   Once a zone is "security lame", a fix (e.g., removing a DS RR) will
+   take time to propagate through the DNS.
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 25]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+4.4.4.  DS Signature Validity Period
+
+   Since the DS can be replayed as long as it has a valid signature, a
+   short signature validity period over the DS minimizes the time a
+   child is vulnerable in the case of a compromise of the child's
+   KSK(s).  A signature validity period that is too short introduces the
+   possibility that a zone is marked "Bogus" in case of a configuration
+   error in the signer.  There may not be enough time to fix the
+   problems before signatures expire.  Something as mundane as operator
+   unavailability during weekends shows the need for DS signature
+   validity periods longer than 2 days.  We recommend an absolute
+   minimum for a DS signature validity period of a few days.
+
+   The maximum signature validity period of the DS record depends on how
+   long child zones are willing to be vulnerable after a key compromise.
+   On the other hand, shortening the DS signature validity interval
+   increases the operational risk for the parent.  Therefore, the parent
+   may have policy to use a signature validity interval that is
+   considerably longer than the child would hope for.
+
+   A compromise between the operational constraints of the parent and
+   minimizing damage for the child may result in a DS signature validity
+   period somewhere between a week and months.
+
+   In addition to the signature validity period, which sets a lower
+   bound on the number of times the zone owner will need to sign the
+   zone data and which sets an upper bound to the time a child is
+   vulnerable after key compromise, there is the TTL value on the DS
+   RRs.  Shortening the TTL means that the authoritative servers will
+   see more queries.  But on the other hand, a short TTL lowers the
+   persistence of DS RRSets in caches thereby increasing the speed with
+   which updated DS RRSets propagate through the DNS.
+
+5.  Security Considerations
+
+   DNSSEC adds data integrity to the DNS.  This document tries to assess
+   the operational considerations to maintain a stable and secure DNSSEC
+   service.  Not taking into account the 'data propagation' properties
+   in the DNS will cause validation failures and may make secured zones
+   unavailable to security-aware resolvers.
+
+6.  Acknowledgments
+
+   Most of the ideas in this document were the result of collective
+   efforts during workshops, discussions, and tryouts.
+
+   At the risk of forgetting individuals who were the original
+   contributors of the ideas, we would like to acknowledge people who
+
+
+
+Kolkman & Gieben             Informational                     [Page 26]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   were actively involved in the compilation of this document.  In
+   random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
+   Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
+   Olivier Courtay, Sam Weiler, Jelte Jansen, Niall O'Reilly, Holger
+   Zuleger, Ed Lewis, Hilarie Orman, Marcos Sanz, and Peter Koch.
+
+   Some material in this document has been copied from RFC 2541 [12].
+
+   Mike StJohns designed the key exchange between parent and child
+   mentioned in the last paragraph of Section 4.2.2
+
+   Section 4.2.4 was supplied by G. Guette and O. Courtay.
+
+   Emma Bretherick, Adrian Bedford, and Lindy Foster corrected many of
+   the spelling and style issues.
+
+   Kolkman and Gieben take the blame for introducing all miscakes (sic).
+
+   While working on this document, Kolkman was employed by the RIPE NCC
+   and Gieben was employed by NLnet Labs.
+
+7.  References
+
+7.1.  Normative References
+
+   [1]   Mockapetris, P., "Domain names - concepts and facilities", STD
+         13, RFC 1034, November 1987.
+
+   [2]   Mockapetris, P., "Domain names - implementation and
+         specification", STD 13, RFC 1035, November 1987.
+
+   [3]   Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System
+         KEY (DNSKEY) Resource Record (RR) Secure Entry Point (SEP)
+         Flag", RFC 3757, May 2004.
+
+   [4]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "DNS Security Introduction and Requirements", RFC 4033, March
+         2005.
+
+   [5]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Resource Records for the DNS Security Extensions", RFC 4034,
+         March 2005.
+
+   [6]   Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
+         "Protocol Modifications for the DNS Security Extensions", RFC
+         4035, March 2005.
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 27]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+7.2.  Informative References
+
+   [7]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
+         Levels", BCP 14, RFC 2119, March 1997.
+
+   [8]   Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995, August
+         1996.
+
+   [9]   Vixie, P., "A Mechanism for Prompt Notification of Zone Changes
+         (DNS NOTIFY)", RFC 1996, August 1996.
+
+   [10]  Wellington, B., "Secure Domain Name System (DNS) Dynamic
+         Update", RFC 3007, November 2000.
+
+   [11]  Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+         RFC 2308, March 1998.
+
+   [12]  Eastlake, D., "DNS Security Operational Considerations", RFC
+         2541, March 1999.
+
+   [13]  Orman, H. and P. Hoffman, "Determining Strengths For Public
+         Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766,
+         April 2004.
+
+   [14]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
+         Requirements for Security", BCP 106, RFC 4086, June 2005.
+
+   [15]  Hollenbeck, S., "Domain Name System (DNS) Security Extensions
+         Mapping for the Extensible Provisioning Protocol (EPP)", RFC
+         4310, December 2005.
+
+   [16]  Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
+         Sizes", The Journal of Cryptology 14 (255-293), 2001.
+
+   [17]  Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
+         Source Code in C", ISBN (hardcover) 0-471-12845-7, ISBN
+         (paperback) 0-471-59756-2, Published by John Wiley & Sons Inc.,
+         1996.
+
+   [18]  Rose, S., "NIST DNSSEC workshop notes", June 2001.
+
+   [19]  Jansen, J., "Use of RSA/SHA-256 DNSKEY and RRSIG Resource
+         Records in DNSSEC", Work in Progress, January 2006.
+
+   [20]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer (DS)
+         Resource Records (RRs)", RFC 4509, May 2006.
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 28]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   [21]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
+         T. Wright, "Transport Layer Security (TLS) Extensions", RFC
+         4366, April 2006.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 29]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+Appendix A.  Terminology
+
+   In this document, there is some jargon used that is defined in other
+   documents.  In most cases, we have not copied the text from the
+   documents defining the terms but have given a more elaborate
+   explanation of the meaning.  Note that these explanations should not
+   be seen as authoritative.
+
+   Anchored key: A DNSKEY configured in resolvers around the globe.
+      This key is hard to update, hence the term anchored.
+
+   Bogus: Also see Section 5 of [4].  An RRSet in DNSSEC is marked
+      "Bogus" when a signature of an RRSet does not validate against a
+      DNSKEY.
+
+   Key Signing Key or KSK: A Key Signing Key (KSK) is a key that is used
+      exclusively for signing the apex key set.  The fact that a key is
+      a KSK is only relevant to the signing tool.
+
+   Key size: The term 'key size' can be substituted by 'modulus size'
+      throughout the document.  It is mathematically more correct to use
+      modulus size, but as this is a document directed at operators we
+      feel more at ease with the term key size.
+
+   Private and public keys: DNSSEC secures the DNS through the use of
+      public key cryptography.  Public key cryptography is based on the
+      existence of two (mathematically related) keys, a public key and a
+      private key.  The public keys are published in the DNS by use of
+      the DNSKEY Resource Record (DNSKEY RR).  Private keys should
+      remain private.
+
+   Key rollover: A key rollover (also called key supercession in some
+      environments) is the act of replacing one key pair with another at
+      the end of a key effectivity period.
+
+   Secure Entry Point (SEP) key: A KSK that has a parental DS record
+      pointing to it or is configured as a trust anchor.  Although not
+      required by the protocol, we recommend that the SEP flag [3] is
+      set on these keys.
+
+   Self-signature: This only applies to signatures over DNSKEYs; a
+      signature made with DNSKEY x, over DNSKEY x is called a self-
+      signature.  Note: without further information, self-signatures
+      convey no trust.  They are useful to check the authenticity of the
+      DNSKEY, i.e., they can be used as a hash.
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 30]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+   Singing the zone file: The term used for the event where an
+      administrator joyfully signs its zone file while producing melodic
+      sound patterns.
+
+   Signer: The system that has access to the private key material and
+      signs the Resource Record sets in a zone.  A signer may be
+      configured to sign only parts of the zone, e.g., only those RRSets
+      for which existing signatures are about to expire.
+
+   Zone Signing Key (ZSK): A key that is used for signing all data in a
+      zone.  The fact that a key is a ZSK is only relevant to the
+      signing tool.
+
+   Zone administrator: The 'role' that is responsible for signing a zone
+      and publishing it on the primary authoritative server.
+
+Appendix B.  Zone Signing Key Rollover How-To
+
+   Using the pre-published signature scheme and the most conservative
+   method to assure oneself that data does not live in caches, here
+   follows the "how-to".
+
+   Step 0: The preparation: Create two keys and publish both in your key
+      set.  Mark one of the keys "active" and the other "published".
+      Use the "active" key for signing your zone data.  Store the
+      private part of the "published" key, preferably off-line.  The
+      protocol does not provide for attributes to mark a key as active
+      or published.  This is something you have to do on your own,
+      through the use of a notebook or key management tool.
+
+   Step 1: Determine expiration: At the beginning of the rollover make a
+      note of the highest expiration time of signatures in your zone
+      file created with the current key marked as active.  Wait until
+      the expiration time marked in Step 1 has passed.
+
+   Step 2: Then start using the key that was marked "published" to sign
+      your data (i.e., mark it "active").  Stop using the key that was
+      marked "active"; mark it "rolled".
+
+   Step 3: It is safe to engage in a new rollover (Step 1) after at
+      least one signature validity period.
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 31]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+Appendix C.  Typographic Conventions
+
+   The following typographic conventions are used in this document:
+
+   Key notation: A key is denoted by DNSKEYx, where x is a number or an
+   identifier, x could be thought of as the key id.
+
+   RRSet notations: RRs are only denoted by the type.  All other
+   information -- owner, class, rdata, and TTL--is left out.  Thus:
+   "example.com 3600 IN A 192.0.2.1" is reduced to "A".  RRSets are a
+   list of RRs.  A example of this would be "A1, A2", specifying the
+   RRSet containing two "A" records.  This could again be abbreviated to
+   just "A".
+
+   Signature notation: Signatures are denoted as RRSIGx(RRSet), which
+   means that RRSet is signed with DNSKEYx.
+
+   Zone representation: Using the above notation we have simplified the
+   representation of a signed zone by leaving out all unnecessary
+   details such as the names and by representing all data by "SOAx"
+
+   SOA representation: SOAs are represented as SOAx, where x is the
+   serial number.
+
+   Using this notation the following signed zone:
+
+   example.net.      86400  IN SOA  ns.example.net. bert.example.net. (
+                            2006022100   ; serial
+                            86400        ; refresh (  24 hours)
+                            7200         ; retry   (   2 hours)
+                            3600000      ; expire  (1000 hours)
+                            28800 )      ; minimum (   8 hours)
+                     86400  RRSIG   SOA 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  cmL62SI6iAX46xGNQAdQ... )
+                     86400  NS      a.iana-servers.net.
+                     86400  NS      b.iana-servers.net.
+                     86400  RRSIG   NS 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  SO5epiJei19AjXoUpFnQ ... )
+                     86400  DNSKEY  256 3 5 (
+                                  EtRB9MP5/AvOuVO0I8XDxy0... ) ; id = 14
+                     86400  DNSKEY  257 3 5 (
+                                  gsPW/Yy19GzYIY+Gnr8HABU... ) ; id = 15
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 14 example.net.
+                                  J4zCe8QX4tXVGjV4e1r9... )
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 32]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+                     86400  RRSIG   DNSKEY 5 2 86400 20130522213204 (
+                                  20130422213204 15 example.net.
+                                  keVDCOpsSeDReyV6O... )
+                     86400  RRSIG   NSEC 5 2 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  obj3HEp1GjnmhRjX... )
+   a.example.net.    86400  IN TXT  "A label"
+                     86400  RRSIG   TXT 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  IkDMlRdYLmXH7QJnuF3v... )
+                     86400  NSEC    b.example.com. TXT RRSIG NSEC
+                     86400  RRSIG   NSEC 5 3 86400 20130507213204 (
+                                  20130407213204 14 example.net.
+                                  bZMjoZ3bHjnEz0nIsPMM... )
+                     ...
+
+   is reduced to the following representation:
+
+       SOA2006022100
+       RRSIG14(SOA2006022100)
+       DNSKEY14
+       DNSKEY15
+
+       RRSIG14(KEY)
+       RRSIG15(KEY)
+
+   The rest of the zone data has the same signature as the SOA record,
+   i.e., an RRSIG created with DNSKEY 14.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 33]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+Authors' Addresses
+
+   Olaf M. Kolkman
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098 VA
+   The Netherlands
+
+   EMail: olaf@nlnetlabs.nl
+   URI:   http://www.nlnetlabs.nl
+
+
+   R. (Miek) Gieben
+
+   EMail: miek@miek.nl
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 34]
+
+RFC 4641              DNSSEC Operational Practices        September 2006
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2006).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is provided by the IETF
+   Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Kolkman & Gieben             Informational                     [Page 35]
+
diff --git a/contrib/zkt/doc/rfc5011.txt b/contrib/zkt/doc/rfc5011.txt
new file mode 100644
index 0000000000..42235e977f
--- /dev/null
+++ b/contrib/zkt/doc/rfc5011.txt
@@ -0,0 +1,787 @@
+
+
+
+
+
+
+Network Working Group                                         M. StJohns
+Request for Comments: 5011                                   Independent
+Category: Standards Track                                 September 2007
+
+
+        Automated Updates of DNS Security (DNSSEC) Trust Anchors
+
+Status of This Memo
+
+   This document specifies an Internet standards track protocol for the
+   Internet community, and requests discussion and suggestions for
+   improvements.  Please refer to the current edition of the "Internet
+   Official Protocol Standards" (STD 1) for the standardization state
+   and status of this protocol.  Distribution of this memo is unlimited.
+
+Abstract
+
+   This document describes a means for automated, authenticated, and
+   authorized updating of DNSSEC "trust anchors".  The method provides
+   protection against N-1 key compromises of N keys in the trust point
+   key set.  Based on the trust established by the presence of a current
+   anchor, other anchors may be added at the same place in the
+   hierarchy, and, ultimately, supplant the existing anchor(s).
+
+   This mechanism will require changes to resolver management behavior
+   (but not resolver resolution behavior), and the addition of a single
+   flag bit to the DNSKEY record.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns                     Standards Track                     [Page 1]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+Table of Contents
+
+   1. Introduction ....................................................2
+      1.1. Compliance Nomenclature ....................................3
+   2. Theory of Operation .............................................3
+      2.1. Revocation .................................................4
+      2.2. Add Hold-Down ..............................................4
+      2.3. Active Refresh .............................................5
+      2.4. Resolver Parameters ........................................6
+           2.4.1. Add Hold-Down Time ..................................6
+           2.4.2. Remove Hold-Down Time ...............................6
+           2.4.3. Minimum Trust Anchors per Trust Point ...............6
+   3. Changes to DNSKEY RDATA Wire Format .............................6
+   4. State Table .....................................................6
+      4.1. Events .....................................................7
+      4.2. States .....................................................7
+   5. Trust Point Deletion ............................................8
+   6. Scenarios - Informative .........................................9
+      6.1. Adding a Trust Anchor ......................................9
+      6.2. Deleting a Trust Anchor ....................................9
+      6.3. Key Roll-Over .............................................10
+      6.4. Active Key Compromised ....................................10
+      6.5. Stand-by Key Compromised ..................................10
+      6.6. Trust Point Deletion ......................................10
+   7. IANA Considerations ............................................11
+   8. Security Considerations ........................................11
+      8.1. Key Ownership vs. Acceptance Policy .......................11
+      8.2. Multiple Key Compromise ...................................12
+      8.3. Dynamic Updates ...........................................12
+   9. Normative References ...........................................12
+   10. Informative References ........................................12
+
+1.  Introduction
+
+   As part of the reality of fielding DNSSEC (Domain Name System
+   Security Extensions) [RFC4033] [RFC4034] [RFC4035], the community has
+   come to the realization that there will not be one signed name space,
+   but rather islands of signed name spaces each originating from
+   specific points (i.e., 'trust points') in the DNS tree.  Each of
+   those islands will be identified by the trust point name, and
+   validated by at least one associated public key.  For the purpose of
+   this document, we'll call the association of that name and a
+   particular key a 'trust anchor'.  A particular trust point can have
+   more than one key designated as a trust anchor.
+
+   For a DNSSEC-aware resolver to validate information in a DNSSEC
+   protected branch of the hierarchy, it must have knowledge of a trust
+   anchor applicable to that branch.  It may also have more than one
+
+
+
+StJohns                     Standards Track                     [Page 2]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   trust anchor for any given trust point.  Under current rules, a chain
+   of trust for DNSSEC-protected data that chains its way back to ANY
+   known trust anchor is considered 'secure'.
+
+   Because of the probable balkanization of the DNSSEC tree due to
+   signing voids at key locations, a resolver may need to know literally
+   thousands of trust anchors to perform its duties (e.g., consider an
+   unsigned ".COM").  Requiring the owner of the resolver to manually
+   manage these many relationships is problematic.  It's even more
+   problematic when considering the eventual requirement for key
+   replacement/update for a given trust anchor.  The mechanism described
+   herein won't help with the initial configuration of the trust anchors
+   in the resolvers, but should make trust point key
+   replacement/rollover more viable.
+
+   As mentioned above, this document describes a mechanism whereby a
+   resolver can update the trust anchors for a given trust point, mainly
+   without human intervention at the resolver.  There are some corner
+   cases discussed (e.g., multiple key compromise) that may require
+   manual intervention, but they should be few and far between.  This
+   document DOES NOT discuss the general problem of the initial
+   configuration of trust anchors for the resolver.
+
+1.1.  Compliance Nomenclature
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in BCP 14, [RFC2119].
+
+2.  Theory of Operation
+
+   The general concept of this mechanism is that existing trust anchors
+   can be used to authenticate new trust anchors at the same point in
+   the DNS hierarchy.  When a zone operator adds a new SEP key (i.e., a
+   DNSKEY with the Secure Entry Point bit set) (see [RFC4034], Section
+   2.1.1) to a trust point DNSKEY RRSet, and when that RRSet is
+   validated by an existing trust anchor, then the resolver can add the
+   new key to its set of valid trust anchors for that trust point.
+
+   There are some issues with this approach that need to be mitigated.
+   For example, a compromise of one of the existing keys could allow an
+   attacker to add their own 'valid' data.  This implies a need for a
+   method to revoke an existing key regardless of whether or not that
+   key is compromised.  As another example, assuming a single key
+   compromise, we need to prevent an attacker from adding a new key and
+   revoking all the other old keys.
+
+
+
+
+
+StJohns                     Standards Track                     [Page 3]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+2.1.  Revocation
+
+   Assume two trust anchor keys A and B.  Assume that B has been
+   compromised.  Without a specific revocation bit, B could invalidate A
+   simply by sending out a signed trust point key set that didn't
+   contain A.  To fix this, we add a mechanism that requires knowledge
+   of the private key of a DNSKEY to revoke that DNSKEY.
+
+   A key is considered revoked when the resolver sees the key in a
+   self-signed RRSet and the key has the REVOKE bit (see Section 7
+   below) set to '1'.  Once the resolver sees the REVOKE bit, it MUST
+   NOT use this key as a trust anchor or for any other purpose except to
+   validate the RRSIG it signed over the DNSKEY RRSet specifically for
+   the purpose of validating the revocation.  Unlike the 'Add' operation
+   below, revocation is immediate and permanent upon receipt of a valid
+   revocation at the resolver.
+
+   A self-signed RRSet is a DNSKEY RRSet that contains the specific
+   DNSKEY and for which there is a corresponding validated RRSIG record.
+   It's not a special DNSKEY RRSet, just a way of describing the
+   validation requirements for that RRSet.
+
+   N.B.: A DNSKEY with the REVOKE bit set has a different fingerprint
+   than one without the bit set.  This affects the matching of a DNSKEY
+   to DS records in the parent [RFC3755], or the fingerprint stored at a
+   resolver used to configure a trust point.
+
+   In the given example, the attacker could revoke B because it has
+   knowledge of B's private key, but could not revoke A.
+
+2.2.  Add Hold-Down
+
+   Assume two trust point keys A and B.  Assume that B has been
+   compromised.  An attacker could generate and add a new trust anchor
+   key C (by adding C to the DNSKEY RRSet and signing it with B), and
+   then invalidate the compromised key.  This would result in both the
+   attacker and owner being able to sign data in the zone and have it
+   accepted as valid by resolvers.
+
+   To mitigate but not completely solve this problem, we add a hold-down
+   time to the addition of the trust anchor.  When the resolver sees a
+   new SEP key in a validated trust point DNSKEY RRSet, the resolver
+   starts an acceptance timer, and remembers all the keys that validated
+   the RRSet.  If the resolver ever sees the DNSKEY RRSet without the
+   new key but validly signed, it stops the acceptance process for that
+   key and resets the acceptance timer.  If all of the keys that were
+
+
+
+
+
+StJohns                     Standards Track                     [Page 4]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   originally used to validate this key are revoked prior to the timer
+   expiring, the resolver stops the acceptance process and resets the
+   timer.
+
+   Once the timer expires, the new key will be added as a trust anchor
+   the next time the validated RRSet with the new key is seen at the
+   resolver.  The resolver MUST NOT treat the new key as a trust anchor
+   until the hold-down time expires AND it has retrieved and validated a
+   DNSKEY RRSet after the hold-down time that contains the new key.
+
+   N.B.: Once the resolver has accepted a key as a trust anchor, the key
+   MUST be considered a valid trust anchor by that resolver until
+   explicitly revoked as described above.
+
+   In the given example, the zone owner can recover from a compromise by
+   revoking B and adding a new key D and signing the DNSKEY RRSet with
+   both A and B.
+
+   The reason this does not completely solve the problem has to do with
+   the distributed nature of DNS.  The resolver only knows what it sees.
+   A determined attacker who holds one compromised key could keep a
+   single resolver from realizing that the key had been compromised by
+   intercepting 'real' data from the originating zone and substituting
+   their own (e.g., using the example, signed only by B).  This is no
+   worse than the current situation assuming a compromised key.
+
+2.3.  Active Refresh
+
+   A resolver that has been configured for an automatic update of keys
+   from a particular trust point MUST query that trust point (e.g., do a
+   lookup for the DNSKEY RRSet and related RRSIG records) no less often
+   than the lesser of 15 days, half the original TTL for the DNSKEY
+   RRSet, or half the RRSIG expiration interval and no more often than
+   once per hour.  The expiration interval is the amount of time from
+   when the RRSIG was last retrieved until the expiration time in the
+   RRSIG.  That is, queryInterval = MAX(1 hr, MIN (15 days, 1/2*OrigTTL,
+   1/2*RRSigExpirationInterval))
+
+   If the query fails, the resolver MUST repeat the query until
+   satisfied no more often than once an hour and no less often than the
+   lesser of 1 day, 10% of the original TTL, or 10% of the original
+   expiration interval.  That is, retryTime = MAX (1 hour, MIN (1 day,
+   .1 * origTTL, .1 * expireInterval)).
+
+
+
+
+
+
+
+
+StJohns                     Standards Track                     [Page 5]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+2.4.  Resolver Parameters
+
+2.4.1.  Add Hold-Down Time
+
+   The add hold-down time is 30 days or the expiration time of the
+   original TTL of the first trust point DNSKEY RRSet that contained the
+   new key, whichever is greater.  This ensures that at least two
+   validated DNSKEY RRSets that contain the new key MUST be seen by the
+   resolver prior to the key's acceptance.
+
+2.4.2.  Remove Hold-Down Time
+
+   The remove hold-down time is 30 days.  This parameter is solely a key
+   management database bookeeping parameter.  Failure to remove
+   information about the state of defunct keys from the database will
+   not adversely impact the security of this protocol, but may end up
+   with a database cluttered with obsolete key information.
+
+2.4.3.  Minimum Trust Anchors per Trust Point
+
+   A compliant resolver MUST be able to manage at least five SEP keys
+   per trust point.
+
+3.  Changes to DNSKEY RDATA Wire Format
+
+   Bit 8 of the DNSKEY Flags field is designated as the 'REVOKE' flag.
+   If this bit is set to '1', AND the resolver sees an RRSIG(DNSKEY)
+   signed by the associated key, then the resolver MUST consider this
+   key permanently invalid for all purposes except for validating the
+   revocation.
+
+4.  State Table
+
+   The most important thing to understand is the resolver's view of any
+   key at a trust point.  The following state table describes this view
+   at various points in the key's lifetime.  The table is a normative
+   part of this specification.  The initial state of the key is 'Start'.
+   The resolver's view of the state of the key changes as various events
+   occur.
+
+   This is the state of a trust-point key as seen from the resolver.
+   The column on the left indicates the current state.  The header at
+   the top shows the next state.  The intersection of the two shows the
+   event that will cause the state to transition from the current state
+   to the next.
+
+
+
+
+
+
+StJohns                     Standards Track                     [Page 6]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+                             NEXT STATE
+           --------------------------------------------------
+    FROM   |Start  |AddPend |Valid  |Missing|Revoked|Removed|
+   ----------------------------------------------------------
+   Start   |       |NewKey  |       |       |       |       |
+   ----------------------------------------------------------
+   AddPend |KeyRem |        |AddTime|       |       |       |
+   ----------------------------------------------------------
+   Valid   |       |        |       |KeyRem |Revbit |       |
+   ----------------------------------------------------------
+   Missing |       |        |KeyPres|       |Revbit |       |
+   ----------------------------------------------------------
+   Revoked |       |        |       |       |       |RemTime|
+   ----------------------------------------------------------
+   Removed |       |        |       |       |       |       |
+   ----------------------------------------------------------
+
+                           State Table
+
+4.1.  Events
+
+   NewKey   The resolver sees a valid DNSKEY RRSet with a new SEP key.
+            That key will become a new trust anchor for the named trust
+            point after it's been present in the RRSet for at least 'add
+            time'.
+
+   KeyPres  The key has returned to the valid DNSKEY RRSet.
+
+   KeyRem   The resolver sees a valid DNSKEY RRSet that does not contain
+            this key.
+
+   AddTime  The key has been in every valid DNSKEY RRSet seen for at
+            least the 'add time'.
+
+   RemTime  A revoked key has been missing from the trust-point DNSKEY
+            RRSet for sufficient time to be removed from the trust set.
+
+   RevBit   The key has appeared in the trust anchor DNSKEY RRSet with
+            its "REVOKED" bit set, and there is an RRSig over the DNSKEY
+            RRSet signed by this key.
+
+4.2.  States
+
+   Start    The key doesn't yet exist as a trust anchor at the resolver.
+            It may or may not exist at the zone server, but either
+            hasn't yet been seen at the resolver or was seen but was
+            absent from the last DNSKEY RRSet (e.g., KeyRem event).
+
+
+
+
+StJohns                     Standards Track                     [Page 7]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   AddPend  The key has been seen at the resolver, has its 'SEP' bit
+            set, and has been included in a validated DNSKEY RRSet.
+            There is a hold-down time for the key before it can be used
+            as a trust anchor.
+
+   Valid    The key has been seen at the resolver and has been included
+            in all validated DNSKEY RRSets from the time it was first
+            seen through the hold-down time.  It is now valid for
+            verifying RRSets that arrive after the hold-down time.
+            Clarification: The DNSKEY RRSet does not need to be
+            continuously present at the resolver (e.g., its TTL might
+            expire).  If the RRSet is seen and is validated (i.e.,
+            verifies against an existing trust anchor), this key MUST be
+            in the RRSet, otherwise a 'KeyRem' event is triggered.
+
+   Missing  This is an abnormal state.  The key remains a valid trust-
+            point key, but was not seen at the resolver in the last
+            validated DNSKEY RRSet.  This is an abnormal state because
+            the zone operator should be using the REVOKE bit prior to
+            removal.
+
+   Revoked  This is the state a key moves to once the resolver sees an
+            RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet
+            contains this key with its REVOKE bit set to '1'.  Once in
+            this state, this key MUST permanently be considered invalid
+            as a trust anchor.
+
+   Removed  After a fairly long hold-down time, information about this
+            key may be purged from the resolver.  A key in the removed
+            state MUST NOT be considered a valid trust anchor.  (Note:
+            this state is more or less equivalent to the "Start" state,
+            except that it's bad practice to re-introduce previously
+            used keys -- think of this as the holding state for all the
+            old keys for which the resolver no longer needs to track
+            state.)
+
+5.  Trust Point Deletion
+
+   A trust point that has all of its trust anchors revoked is considered
+   deleted and is treated as if the trust point was never configured.
+   If there are no superior configured trust points, data at and below
+   the deleted trust point are considered insecure by the resolver.  If
+   there ARE superior configured trust points, data at and below the
+   deleted trust point are evaluated with respect to the superior trust
+   point(s).
+
+   Alternately, a trust point that is subordinate to another configured
+   trust point MAY be deleted by a resolver after 180 days, where such a
+
+
+
+StJohns                     Standards Track                     [Page 8]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   subordinate trust point validly chains to a superior trust point.
+   The decision to delete the subordinate trust anchor is a local
+   configuration decision.  Once the subordinate trust point is deleted,
+   validation of the subordinate zone is dependent on validating the
+   chain of trust to the superior trust point.
+
+6.  Scenarios - Informative
+
+   The suggested model for operation is to have one active key and one
+   stand-by key at each trust point.  The active key will be used to
+   sign the DNSKEY RRSet.  The stand-by key will not normally sign this
+   RRSet, but the resolver will accept it as a trust anchor if/when it
+   sees the signature on the trust point DNSKEY RRSet.
+
+   Since the stand-by key is not in active signing use, the associated
+   private key may (and should) be provided with additional protections
+   not normally available to a key that must be used frequently (e.g.,
+   locked in a safe, split among many parties, etc).  Notionally, the
+   stand-by key should be less subject to compromise than an active key,
+   but that will be dependent on operational concerns not addressed
+   here.
+
+6.1.  Adding a Trust Anchor
+
+   Assume an existing trust anchor key 'A'.
+
+   1.  Generate a new key pair.
+
+   2.  Create a DNSKEY record from the key pair and set the SEP and Zone
+       Key bits.
+
+   3.  Add the DNSKEY to the RRSet.
+
+   4.  Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
+       'A'.
+
+   5.  Wait for various resolvers' timers to go off and for them to
+       retrieve the new DNSKEY RRSet and signatures.
+
+   6.  The new trust anchor will be populated at the resolvers on the
+       schedule described by the state table and update algorithm -- see
+       Sections 2 and 4 above.
+
+6.2.  Deleting a Trust Anchor
+
+   Assume existing trust anchors 'A' and 'B' and that you want to revoke
+   and delete 'A'.
+
+
+
+
+StJohns                     Standards Track                     [Page 9]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   1.  Set the revocation bit on key 'A'.
+
+   2.  Sign the DNSKEY RRSet with both 'A' and 'B'.  'A' is now revoked.
+       The operator should include the revoked 'A' in the RRSet for at
+       least the remove hold-down time, but then may remove it from the
+       DNSKEY RRSet.
+
+6.3.  Key Roll-Over
+
+   Assume existing keys A and B. 'A' is actively in use (i.e. has been
+   signing the DNSKEY RRSet).  'B' was the stand-by key. (i.e. has been
+   in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
+   used to sign the RRSet).
+
+      1.  Generate a new key pair 'C'.
+      2.  Add 'C' to the DNSKEY RRSet.
+      3.  Set the revocation bit on key 'A'.
+      4.  Sign the RRSet with 'A' and 'B'.
+
+   'A' is now revoked, 'B' is now the active key, and 'C' will be the
+   stand-by key once the hold-down expires.  The operator should include
+   the revoked 'A' in the RRSet for at least the remove hold-down time,
+   but may then remove it from the DNSKEY RRSet.
+
+6.4.  Active Key Compromised
+
+   This is the same as the mechanism for Key Roll-Over (Section 6.3)
+   above, assuming 'A' is the active key.
+
+6.5.  Stand-by Key Compromised
+
+   Using the same assumptions and naming conventions as Key Roll-Over
+   (Section 6.3) above:
+
+      1.  Generate a new key pair 'C'.
+      2.  Add 'C' to the DNSKEY RRSet.
+      3.  Set the revocation bit on key 'B'.
+      4.  Sign the RRSet with 'A' and 'B'.
+
+   'B' is now revoked, 'A' remains the active key, and 'C' will be the
+   stand-by key once the hold-down expires.  'B' should continue to be
+   included in the RRSet for the remove hold-down time.
+
+6.6.  Trust Point Deletion
+
+   To delete a trust point that is subordinate to another configured
+   trust point (e.g., example.com to .com) requires some juggling of the
+   data.  The specific process is:
+
+
+
+StJohns                     Standards Track                    [Page 10]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+   1.  Generate a new DNSKEY and DS record and provide the DS record to
+       the parent along with DS records for the old keys.
+
+   2.  Once the parent has published the DSs, add the new DNSKEY to the
+       RRSet and revoke ALL of the old keys at the same time, while
+       signing the DNSKEY RRSet with all of the old and new keys.
+
+   3.  After 30 days, stop publishing the old, revoked keys and remove
+       any corresponding DS records in the parent.
+
+   Revoking the old trust-point keys at the same time as adding new keys
+   that chain to a superior trust prevents the resolver from adding the
+   new keys as trust anchors.  Adding DS records for the old keys avoids
+   a race condition where either the subordinate zone becomes unsecure
+   (because the trust point was deleted) or becomes bogus (because it
+   didn't chain to the superior zone).
+
+7.  IANA Considerations
+
+   The IANA has assigned a bit in the DNSKEY flags field (see Section 7
+   of [RFC4034]) for the REVOKE bit (8).
+
+8.  Security Considerations
+
+   In addition to the following sections, see also Theory of Operation
+   above (Section 2) and especially Section 2.2 for related discussions.
+
+   Security considerations for trust anchor rollover not specific to
+   this protocol are discussed in [RFC4986].
+
+8.1.  Key Ownership vs. Acceptance Policy
+
+   The reader should note that, while the zone owner is responsible for
+   creating and distributing keys, it's wholly the decision of the
+   resolver owner as to whether to accept such keys for the
+   authentication of the zone information.  This implies the decision to
+   update trust-anchor keys based on trusting a current trust-anchor key
+   is also the resolver owner's decision.
+
+   The resolver owner (and resolver implementers) MAY choose to permit
+   or prevent key status updates based on this mechanism for specific
+   trust points.  If they choose to prevent the automated updates, they
+   will need to establish a mechanism for manual or other out-of-band
+   updates, which are outside the scope of this document.
+
+
+
+
+
+
+
+StJohns                     Standards Track                    [Page 11]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+8.2.  Multiple Key Compromise
+
+   This scheme permits recovery as long as at least one valid trust-
+   anchor key remains uncompromised, e.g., if there are three keys, you
+   can recover if two of them are compromised.  The zone owner should
+   determine their own level of comfort with respect to the number of
+   active, valid trust anchors in a zone and should be prepared to
+   implement recovery procedures once they detect a compromise.  A
+   manual or other out-of-band update of all resolvers will be required
+   if all trust-anchor keys at a trust point are compromised.
+
+8.3.  Dynamic Updates
+
+   Allowing a resolver to update its trust anchor set based on in-band
+   key information is potentially less secure than a manual process.
+   However, given the nature of the DNS, the number of resolvers that
+   would require update if a trust anchor key were compromised, and the
+   lack of a standard management framework for DNS, this approach is no
+   worse than the existing situation.
+
+9.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
+              Signer (DS)", RFC 3755, May 2004.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements", RFC
+              4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+10.  Informative References
+
+   [RFC4986]  Eland, H., Mundy, R., Crocker, S., and S. Krishnaswamy,
+              "Requirements Related to DNS Security (DNSSEC) Trust
+              Anchor Rollover", RFC 4986, August 2007.
+
+
+
+
+
+
+StJohns                     Standards Track                    [Page 12]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+Author's Address
+
+   Michael StJohns
+   Independent
+
+   EMail: mstjohns@comcast.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns                     Standards Track                    [Page 13]
+
+RFC 5011                  Trust Anchor Update             September 2007
+
+
+Full Copyright Statement
+
+   Copyright (C) The IETF Trust (2007).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+StJohns                     Standards Track                    [Page 14]
+
diff --git a/contrib/zkt/examples/flat/dist.sh b/contrib/zkt/examples/flat/dist.sh
index c112f559e8..e2131ee96f 100755
--- a/contrib/zkt/examples/flat/dist.sh
+++ b/contrib/zkt/examples/flat/dist.sh
@@ -60,8 +60,8 @@ distribute)
 	fi
 	;;
 reload)
-	echo "rndc $action $zone $view"
-	: rndc $action $zone $view
+	echo "rndc $action $domain $view"
+	: rndc $action $domain $view
 	;;
 *)
 	usage "illegal action $action"
diff --git a/contrib/zkt/examples/flat/dnssec-signer.sh b/contrib/zkt/examples/flat/dnssec-signer.sh
new file mode 100755
index 0000000000..435909dce1
--- /dev/null
+++ b/contrib/zkt/examples/flat/dnssec-signer.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+#	Shell script to start the dnssec-signer
+#	command out of the example directory
+#
+
+chroot `pwd` ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
+
+if test ! -f dnssec.conf
+then
+	echo Please start this skript out of the flat or hierarchical sub directory
+	exit 1
+fi
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer "$@"
diff --git a/contrib/zkt/examples/flat/dnssec.conf b/contrib/zkt/examples/flat/dnssec.conf
index 1996184585..80b411ff3f 100644
--- a/contrib/zkt/examples/flat/dnssec.conf
+++ b/contrib/zkt/examples/flat/dnssec.conf
@@ -1,5 +1,5 @@
 #   
-#   	@(#) dnssec.conf vT0.98 (c) Feb 2005 - Sep 2008 Holger Zuleger hznet.de
+#   	@(#) dnssec.conf vT0.99a (c) Feb 2005 - Jul 2009 Holger Zuleger hznet.de
 #   
 
 #   dnssec-zkt options
@@ -18,12 +18,11 @@ KEY_TTL:	1h	# (3600 seconds)
 Serialformat:	incremental
 
 #   signing key parameters
+Key_algo:	RSASHA1	# (Algorithm ID 5)
 KSK_lifetime:	60d	# (5184000 seconds)
-KSK_algo:	RSASHA1	# (Algorithm ID 5)
 KSK_bits:	1300
 KSK_randfile:	"/dev/urandom"
 ZSK_lifetime:	2w	# (1209600 seconds)
-ZSK_algo:	RSASHA1	# (Algorithm ID 5)
 ZSK_bits:	512
 ZSK_randfile:	"/dev/urandom"
 SaltBits:	24
@@ -39,5 +38,6 @@ Zonefile:	"zone.db"
 KeySetDir:	"../keysets"
 DLV_Domain:	""
 Sig_Pseudorand:	True
-Sig_Parameter:	""
+Sig_GenerateDS:	True
+Sig_Parameter:	"-n 1"
 Distribute_Cmd:	"./dist.sh"
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key
deleted file mode 100644
index 5dc79b5df2..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081116175850
-;%	lifetime=90d
-example.net. IN DNSKEY  256 3 5 BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private
deleted file mode 100644
index e9a79372a4..0000000000
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: yh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
-PublicExponent: AQAAAAE=
-PrivateExponent: XHrB+Ib/yjBFNUQoB66abHOazbj5hDkaprg0ygOwDdrxLSpwrYHQAn5H6JPlGhcTZHN5X1nF4M7GlGlbRah0oQ==
-Prime1: 7T9UFlW1S4Dnditz/D0PmPdJ+fiozB+wz8xxRuOT4zE=
-Prime2: 2hjLgVBakXblbcuQ08UYHkP00pMp+45mK+L5M35OpS8=
-Exponent1: CPzNNspgw6XVf63vdcnEP55k7wMVttStCJw8+r3T5FE=
-Exponent2: t8JDeQOEiO2L0dbIkuANjXOBiCauM6fnRHanvKcwmrs=
-Coefficient: ObUC9ojBjcCKuGvPqXfWD20iXRpkzVsHjrJqcLXRqw4=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
similarity index 100%
rename from contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.published
rename to contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
new file mode 100644
index 0000000000..a28a8891fa
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090730151357
+;%	lifetime=84d
+example.net. IN DNSKEY  256 3 5 BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
new file mode 100644
index 0000000000..6ed54839e2
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: 12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: QGedp/HTzh6rYQGFLCnFHIM8mo5AxWZng293NH1AjxjGas5dmGZazN7l1XVRC3vsrkJnEo4vufmn3PiXEN5+cQ==
+Prime1: 9xNBI9Hnmg90Tt4dTmbd3vwYOnPMY3bUT8LK7ST9AW8=
+Prime2: 3zJmVknraflkD8SdS8KS30TnMdS45kfTLrLfGapkul8=
+Exponent1: 3QgVQB/5/207T9FsSmaLCerWRHXc2rhk2SzIgkizh+k=
+Exponent2: jFPAst+viSJxygltwZn3WPEL1+JeMFK99nilMa7YVLc=
+Coefficient: 7duJdlOhBkQ0IDwI5Hiedteo7phE7GPedy5MVHpPcjM=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
new file mode 100644
index 0000000000..abf941e0f6
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090228113129
+;%	lifetime=60d
+example.net. IN DNSKEY  257 3 5 BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc +MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug aQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
new file mode 100644
index 0000000000..443b143c31
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: CwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhugaQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: BhlkW6GKcOvDGyVAj7rEqpvEVd+t8H3WkifdhulioLIppKBuJlzzhSORjGojm6KYwcQl78F/7kHgKn2S5jBVk0FZr3vUR7Z6wbO80Ic9lOaFMBz0uYvUIYLGpFJvsVAFWv9sOkLK5iwFs6JehrSgxDbMfyBd8hpdN7mWOYD51p5HJMVvdqAw82mZoELQdlWM5tUzZdyx0jnAPtnYV+IxVa5CgQ==
+Prime1: A41vXEkXlyvOuNbnByXKgw4BfHHp4LjpDsm4F35SD56Pvw1BFHtrgm/U7oJZQUBvyW2CcCe0Ria1iY4OjB/jdv2c4+GPhq1LizHquadfwHfAzw==
+Prime2: AxwrEOiIRMkPEobov43MiBtbFKGA7QnN7DOD/QTFOA8a7IMhUDHU7pQbJASXpUaLKLSrAMeRNKwSyHXq34WFUzP4HK6ubuLn2k5YxhWRDbwpRw==
+Exponent1: Ao+dprhY0qEAYGjF6wdwxyIDFAoU/g+1gwS566bRiIrYdXN9OoLRHHH7r3v8tfgjKckQAXbjVKfV9MYNpnW8jYqmSOvAXXjLtHtyBcJQOs89gQ==
+Exponent2: 9AwIcMdFNsAzAsXHLQwN3lvQUce4cpuxw/GKnKTu9rsmqtbz9Al4qLSTsXYxErdSZ7xwIxX/PYeCywc0zZjd5fbGGOBv/fApfRgECVQWSNpJ
+Coefficient: 1hDGT7Cnck4tyDJDUZHVK2ejowz2RlqzqN/BAMEfi+k3b/Ild6pdHNHu2mDYkFRqSIU4zVAVxeplrTKoXvVmmb8iWF/3jNLL/eKxYinNHe1P
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
new file mode 100644
index 0000000000..8e89f26564
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: pYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: ZF1rC+0JIyhAQNFXPtcPW8S3iggmyY5AH+yXDDqpM1qx3a3NY5/BfuHFYDtsfHAB2DOjgqQmADly2B9NMhoJ4Q==
+Prime1: 2jtxQTZzjZuyqSRk4PBk/nx+VqrVFdSvHUyXb2EjNrU=
+Prime2: wizFiwOCJBiVDOjA0Zq9VuWk4+Fa7TNpkXp0//Y+NQU=
+Exponent1: ORIEM1AkgXP+KkRQcZI6qW+fXhrdUsegVW42eGRzEmk=
+Exponent2: YHsutgi+2qKtY/38Uu3e7bnHVhpUO7ZAcgPh00vd1yk=
+Coefficient: Z5qDNIXQpU91m32R1HPPK75ASx5ah4/Gd4jw/SHsnDk=
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
new file mode 100644
index 0000000000..7678a29cc6
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090615075841
+;%	lifetime=14d
+example.net. IN DNSKEY  256 3 5 BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
new file mode 100644
index 0000000000..f1df500b3c
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090630093509
+;%	lifetime=14d
+example.net. IN DNSKEY  256 3 5 BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
new file mode 100644
index 0000000000..fe31c85ddb
--- /dev/null
+++ b/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+PublicExponent: AQAAAAE=
+PrivateExponent: a9MzQ8dBy0kkwjUECnf6X02Q8URTNL+8IuJIOjD0sVbtt04trek0iioQkWNVBn7m7o1vrIijQ4AuMe9xqyiRyQ==
+Prime1: /m1HDAGWnLeuYTLhlNxQBg+vUDjDPXOFXFvOg5Vkjlc=
+Prime2: ziIYCdlrKqZkIpyt6AuPsRDqs2kNlkiwWT8D4D7J3L0=
+Exponent1: Sd/Kn+FrTrMRZucUyXyGoKyfX6uReD4Kv0XYAqtk9+s=
+Exponent2: KAcgSeMQeZPaabpFZMR9O4h2j4WwD5PysJsQKq1i9DE=
+Coefficient: NBFD1eKzJOpi9G1tF88xmnNvNBbyEtgf0EuV4JAwTrs=
diff --git a/contrib/zkt/examples/flat/example.net/dnskey.db b/contrib/zkt/examples/flat/example.net/dnskey.db
index d1828cc60e..90a6e5b1ff 100644
--- a/contrib/zkt/examples/flat/example.net/dnskey.db
+++ b/contrib/zkt/examples/flat/example.net/dnskey.db
@@ -2,21 +2,21 @@
 ;	!!! Don't edit this file by hand.
 ;	!!! It will be generated by dnssec-signer.
 ;
-;	 Last generation time Dec 28 2008 23:08:02
+;	 Last generation time Jul 30 2009 17:13:57
 ;
 
 ;  ***  List of Key Signing Keys  ***
-; example.net.  tag=1764  algo=RSASHA1  generated Nov 16 2008 18:58:50
-example.net. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8
-			VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs
-			lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+
-			YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU
-			8w==
-		) ; key id = 1764
+; example.net.  tag=33840  algo=RSASHA1  generated Feb 28 2009 12:31:29
+example.net. 14400 IN DNSKEY  257 3 5 (
+			BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y1fNROZtCrUSAFca8c4Dc
+			+MK9phlqEtBihnMSBjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXneM4n
+			m52unLpZfQu0B0h/zwDLrfmedyqqZYb7grXDqFwT0EnI4cL/Ybr40H7u
+			SUyVyLM3c5a8V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7Il5cqhug
+			aQ==
+		) ; key id = 33840
 
-; example.net.  tag=7308  algo=RSASHA1  generated Nov 16 2008 18:58:50
-example.net. 3600 IN DNSKEY  257 3 5 (
+; example.net.  tag=7308  algo=RSASHA1  generated Feb 28 2009 12:31:29
+example.net. 14400 IN DNSKEY  257 3 5 (
 			BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnhJc5oFj+sQLmCvj6hGFfQ
 			oUkI67jTMkIzQlflQ3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+YlSbGJ
 			w2vVXcBr463AUAlENzSDS35D1x8zOgZOg34rL+1uFn0HBSI0xusYRAlU
@@ -25,9 +25,21 @@ example.net. 3600 IN DNSKEY  257 3 5 (
 		) ; key id = 7308
 
 ; ***  List of Zone Signing Keys  ***
-; example.net.  tag=4157  algo=RSASHA1  generated Dec 09 2008 14:08:16
-example.net. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1y5L0ayZ23+17ira2IBRS
-			ouCHAmIYYR+JqGMjc0IQF7PAryhN2olWcINK/w==
-		) ; key id = 4157
+; example.net.  tag=34925  algo=RSASHA1  generated Jun 17 2009 16:36:16
+example.net. 14400 IN DNSKEY  256 3 5 (
+			BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWkmp9lsX3C7xkqd8eYwXWj
+			w2ijRq0QPahQxqFYm/hhC77xJoVwSeOtXdmKiQ==
+		) ; key id = 34925
+
+; example.net.  tag=48089  algo=RSASHA1  generated Jun 30 2009 11:35:09
+example.net. 14400 IN DNSKEY  256 3 5 (
+			BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0nxfyHfXpMdwtqrMFSrkd
+			IboUDtNZBsw+LJmadHRQZDfu79tEz8MUid7aOw==
+		) ; key id = 48089
+
+; example.net.  tag=24545  algo=RSASHA1  generated Jul 30 2009 17:13:57
+example.net. 14400 IN DNSKEY  256 3 5 (
+			BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA1G78HQ8W+LsPz3UTQxKZ
+			WhmAhB2LZqK2t4rcoAhDVW0hZ6DSDuV/0kouMQ==
+		) ; key id = 24545
 
diff --git a/contrib/zkt/examples/flat/example.net/dsset-example.net. b/contrib/zkt/examples/flat/example.net/dsset-example.net.
index f07c9b9cfe..ec2e02237f 100644
--- a/contrib/zkt/examples/flat/example.net/dsset-example.net.
+++ b/contrib/zkt/examples/flat/example.net/dsset-example.net.
@@ -1,4 +1,4 @@
-example.net.		IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
-example.net.		IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
 example.net.		IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
 example.net.		IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
+example.net.		IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
+example.net.		IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.key b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
similarity index 72%
rename from contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.key
rename to contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
index bd273d37f0..a0d65e84e1 100644
--- a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.key
+++ b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
@@ -1,3 +1,4 @@
 ;%	generationtime=20080506212634
 ;%	lifetime=60d
-example.net. IN DNSKEY  257 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
+;%	expirationtime=20090228113128
+example.net. IN DNSKEY  385 3 5 BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYVY4wCi2UVjhcehvIb2bF8 VJH2Q9/0ubQR1vQ2VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5HDrs lyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtmDUktDjZgsyVshFHVJShBUSj+ YpnfQkndGViDAbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH+B9rLlBU 8w==
diff --git a/contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.private b/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private
similarity index 100%
rename from contrib/zkt/examples/flat/example.net/Kexample.net.+005+01764.private
rename to contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private
diff --git a/contrib/zkt/examples/flat/example.net/keyset-example.net. b/contrib/zkt/examples/flat/example.net/keyset-example.net.
index 47311feb74..eba52b9ca6 100644
--- a/contrib/zkt/examples/flat/example.net/keyset-example.net.
+++ b/contrib/zkt/examples/flat/example.net/keyset-example.net.
@@ -1,5 +1,14 @@
 $ORIGIN .
 example.net		7200	IN DNSKEY 257 3 5 (
+					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+					Il5cqhugaQ==
+					) ; key id = 33840
+			7200	IN DNSKEY 257 3 5 (
 					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
 					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
 					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@@ -8,12 +17,3 @@ example.net		7200	IN DNSKEY 257 3 5 (
 					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
 					JT9+p0yB/Q==
 					) ; key id = 7308
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
-					Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
-					VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
-					HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
-					DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
-					AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
-					+B9rLlBU8w==
-					) ; key id = 1764
diff --git a/contrib/zkt/examples/flat/example.net/zone.db b/contrib/zkt/examples/flat/example.net/zone.db
index 98fdfd6788..9310d4033b 100644
--- a/contrib/zkt/examples/flat/example.net/zone.db
+++ b/contrib/zkt/examples/flat/example.net/zone.db
@@ -11,7 +11,7 @@ $TTL	7200
 ;				0123456789;
 ;	It's also possible to use the date format e.g. 2005040101
 @	IN SOA	ns1.example.net. hostmaster.example.net.  (
-				333       ; Serial	
+				350       ; Serial	
 				43200	; Refresh
 				1800	; Retry
 				2W	; Expire
diff --git a/contrib/zkt/examples/flat/example.net/zone.db.signed b/contrib/zkt/examples/flat/example.net/zone.db.signed
index 8795d222d7..761f0c4b0f 100644
--- a/contrib/zkt/examples/flat/example.net/zone.db.signed
+++ b/contrib/zkt/examples/flat/example.net/zone.db.signed
@@ -1,36 +1,55 @@
-; File written on Sun Dec 28 23:08:02 2008
-; dnssec_signzone version 9.6.0
+; File written on Thu Jul 30 17:13:57 2009
+; dnssec_signzone version 9.7.0a1
 example.net.		7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					333        ; serial
+					350        ; serial
 					43200      ; refresh (12 hours)
 					1800       ; retry (30 minutes)
 					1209600    ; expire (2 weeks)
 					7200       ; minimum (2 hours)
 					)
-			7200	RRSIG	SOA 5 2 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					UqDcRU7Et3DQF9VF+1AmHFXLa9L2x6LYA1ZS
-					shG02/N9gH+2uNnxxBvuGDkSzTl5C52csvbw
-					LZnWW56sPCShiw== )
+			7200	RRSIG	SOA 5 2 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					ef9jaM2b3mfW7Kt8CfONPqtWve+OA7+sxDph
+					ffNDdF4G2wd9hosI5S9Sz8BOIJGzcg2tsgaB
+					gOjVmH4Ywf+oKg== )
 			7200	NS	ns1.example.net.
 			7200	NS	ns2.example.net.
-			7200	RRSIG	NS 5 2 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					i4OCvNnG2BWy6gYbUnwv1xi6MRQjbDl6ts8o
-					28CxUNmBX/r3RWlewQiyO8acGC2UJUdWz7So
-					gbHJqojIAjjpbA== )
+			7200	RRSIG	NS 5 2 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					F05kFb45lMYUbgimn1ACKyIU61+oYOg3sMHU
+					FxJd+qg9erf2//q7k4sFC9KPqpuLoLxeq7zl
+					Mk6meHS+9wsneQ== )
 			7200	NSEC	a.example.net. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					g963zm5F91sPNl955WRBExCcKJehXmTjyw0K
-					ISKE7Dq77Z8zKkTpgf1QWhVe3UOLRRbXwRnC
-					aQh+jaXNE3vIag== )
-			3600	DNSKEY	256 3 5 (
-					BQEAAAAByh7oI/YjOdxlfjCWa2Qowuujjst1
-					y5L0ayZ23+17ira2IBRSouCHAmIYYR+JqGMj
-					c0IQF7PAryhN2olWcINK/w==
-					) ; key id = 4157
-			3600	DNSKEY	257 3 5 (
+			7200	RRSIG	NSEC 5 2 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					OGO1Xb1nWaMl1cgCatUx3MbFzS/3N78l2FWJ
+					9nj41937o+SaC///0hsrluM8NWCj1ROyZU3e
+					olkU38g+o0fkPQ== )
+			14400	DNSKEY	256 3 5 (
+					BQEAAAABpYc2cSHkPcRoLfvndzNke696mmWk
+					mp9lsX3C7xkqd8eYwXWjw2ijRq0QPahQxqFY
+					m/hhC77xJoVwSeOtXdmKiQ==
+					) ; key id = 34925
+			14400	DNSKEY	256 3 5 (
+					BQEAAAABzN3RkyF1Kvf3Go97BN7rNERR86F0
+					nxfyHfXpMdwtqrMFSrkdIboUDtNZBsw+LJma
+					dHRQZDfu79tEz8MUid7aOw==
+					) ; key id = 48089
+			14400	DNSKEY	256 3 5 (
+					BQEAAAAB12pqReCbmKHzRtk4wbc6xRCSXZoA
+					1G78HQ8W+LsPz3UTQxKZWhmAhB2LZqK2t4rc
+					oAhDVW0hZ6DSDuV/0kouMQ==
+					) ; key id = 24545
+			14400	DNSKEY	257 3 5 (
+					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+					Il5cqhugaQ==
+					) ; key id = 33840
+			14400	DNSKEY	257 3 5 (
 					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
 					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
 					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@@ -39,128 +58,108 @@ example.net.		7200	IN SOA	ns1.example.net. hostmaster.example.net. (
 					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
 					JT9+p0yB/Q==
 					) ; key id = 7308
-			3600	DNSKEY	257 3 5 (
-					BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
-					Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
-					VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
-					HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
-					DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
-					AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
-					+B9rLlBU8w==
-					) ; key id = 1764
-			3600	RRSIG	DNSKEY 5 2 3600 20090103210802 (
-					20081228210802 1764 example.net.
-					DMU1/sQwNC9bxNCo+SGM1JpHAkWGCRoSEswb
-					2EV/YDWwF19IM2J/sz+9JB6h7esETapCg4qY
-					5SCBrgbMEvQNRL0t16K7ciAHYNKLTbMG0uaP
-					yEOVQ0/ZofoDEsYJYScyO3hC58F2Vl/YSBFo
-					hfkYvtrjrrDQqU9Uh8U1rcROIXNJF/FyDSuj
-					Ca2fzHlCvnJRfF/Djg7DOjXIlWBThc4kI12v
-					xw== )
-			3600	RRSIG	DNSKEY 5 2 3600 20090103210802 (
-					20081228210802 4157 example.net.
-					gH+J4h1fRmX5QS/wocZKerd9RqgrFR/0m1HE
-					O+GYS4Q4X19TnGQW4Bq6w/QRI/5OiJH3YR2R
-					9MW3EmYMKX9Tuw== )
+			14400	RRSIG	DNSKEY 5 2 14400 20090809141357 (
+					20090730141357 7308 example.net.
+					CblyOQR4HbF8PQi+tJYtrbqGQzk6tHz2XUTN
+					UVGYKgU/J/bs3VtuuAze57v0rCLf90wH2tGv
+					PonbPBacTW0dULrtxDH0Y3bNeT6IiRNWtNi/
+					r54PttqJO++MX9f1KkV2g5Y0R5rOuefVTqO8
+					ww9SUO3GPc0W16tyFboziOhwN9XSlJsIAeNN
+					B8jeltRi5KAxUZXpWHS0XqkpcREZOVPHVEEq
+					YQ== )
+			14400	RRSIG	DNSKEY 5 2 14400 20090809141357 (
+					20090730141357 48089 example.net.
+					XbZb9oFt54WIQrIaTh8YyzJ+uzIah7bCO0yg
+					XHUHAIbf1xu9sljmwlzBNLJFq5hPj+q1kvJc
+					62464sVZH+EfWg== )
 a.example.net.		7200	IN A	1.2.3.1
-			7200	RRSIG	A 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					nh9TDSy8L61ccYJiLAL632N4FIvUpDCvsdcf
-					0HhGA8b++YADE5gX346coX1L0Oy+DB9eHIAZ
-					PCfli582EhPwKA== )
+			7200	RRSIG	A 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					st9XUmF9rcxpT3yqZzHmRh1iCA7BHpzKVQPg
+					1iVLZatjDPcqeA2UDHBqbxE3RA6CGrHsONEs
+					nzR8X0uN22BTIA== )
 			7200	NSEC	b.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					LCe66yRV1gez4AbSq7/SaPznvzuUPRnf+vh2
-					Fuv3IlCszc0Bdo/fAyUQcc9LRo8hrvfYFDjI
-					TFe3Mm0U0A5Lew== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					qEtyoL6etYfuriLJuEo0R2gxeCLM7n05FE4s
+					ig0NeorNk7ic89SY24owmYYJ/FbI532vhLHv
+					0n6P1jVIBVTNOg== )
 b.example.net.		7200	IN MX	10 a.example.net.
-			7200	RRSIG	MX 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					oQuNvNDrqblLnEl5arNz+3YlBC9j33tp7OzF
-					MptYqb32rDNB/YivuxeiBWNt7ykFmdXh1P94
-					DZ8Qq2J8lIW1DA== )
+			7200	RRSIG	MX 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					oEeEMSxEXtlVpp1Rm5Z2Je6gAIggCRWUxthN
+					S1aEOIwVYcxIDlwLqbXoUVpcSaPGMATdGZnH
+					UGStzfIl/8troQ== )
 			7200	NSEC	d.example.net. MX RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					GF6J2HjZ4xrkdT2a6Zjukl5sUSwejQkzzx2+
-					pLRQ/RXtfkcMrO5xpsOZ8AqeZjySUMEGjS2U
-					RUlbzM0y/70x4g== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					fdtI/Qb/Smf6p0sD10Zx5oDgD0GsX0WUAMLQ
+					sDy3SFatpYio68dSfEP1cnayp/px2eLvTfVm
+					5lDVj28RqfZ7Pw== )
 d.example.net.		7200	IN A	1.2.3.3
-			7200	RRSIG	A 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					T9LBUwsAKM+3yh1wizaGqWvqfLOqfuTzZhpm
-					tmpDPZXzSjJ8pj4KO3f8eA7ygo52bY8hNzTh
-					2hwGBAQlb1ACpA== )
+			7200	RRSIG	A 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					nTtV5w9QKqFLl164G4vTcAsMT5v09tpyvTVh
+					Oe7MYeRnN2SBxHt1ScJdjQ5/bLYwLE0eeCYn
+					4OEF4w8WGhL67A== )
 			7200	AAAA	2001:db8::3
-			7200	RRSIG	AAAA 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					gpBuR+r14AbjVJLx48k8plwo52RG6taN03XU
-					8uUgfOSpJSprjpvhEzKt1h87aGtmZScoS/WH
-					3D3f2Xz4e+r6QA== )
+			7200	RRSIG	AAAA 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					d+E/L0pu10u6zO8ZwsES0OCxBJmSvFm1QUkd
+					qgHxZXZi7pj2bOtZGOCxQwMHg0CvNQ9mVxL0
+					J3JSNlXGbwHSgQ== )
 			7200	NSEC	localhost.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					fSM90YN/6UVuUPbVTuhSj2Zzxdn+3TkVIXq6
-					CjpGxAxDGa5Uh3x6ExZUg3n7N7TWcuyN2fZV
-					va8VlkEJeAHd/g== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					D8lZPkhs2FOYW9hyLryxKnx0NPzIDqOI4keb
+					YhrJuCmLLRe4vyEbdNLmV76g6ZKG9oCkgh3a
+					zgIUX0pOt281Bw== )
 localhost.example.net.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					I0tSvJaBTdG0RTfOTkzDyW2iSKdX555aN5Ux
-					a4l5gJhiY4tpN1NNofQK8xbdZvJi+F0JBsb4
-					qctstfW97RAnZw== )
+			7200	RRSIG	A 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					jvmKKKCZ6sDIrQROwXMzPTEd9qgriYYRyMLw
+					EkOuubrkDlJkWVs7rx4d4zmrtoU5qr0sNB3m
+					kNSeEuoa+qR+eg== )
 			7200	NSEC	ns1.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					pORPHi5yJId4IynH/UcNM1kL9kyJqO65+iku
-					G5z9A2CS+aJy39Am6Nbr11GN6SAVcOmSjjeA
-					SOAdxGlWWpwAvA== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					oAMInMyMsQj9TZVQfJq6TmBONduujt6kcQpP
+					0qFe7WI4Cc4AH+hy1cGkeBCPS1+0WoG4rqBw
+					3OFb0GRqEXDc5w== )
 ns1.example.net.	7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					mPktHGQ4Cvn6JwysjndL8/dZhtht6bGq1OZI
-					qR4SSqIc14Yfbbee819fwuw/JGaaTFyItDU2
-					AIU8Ix2FrNLcQA== )
+			7200	RRSIG	A 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					W5E+VE/68hF1gjsyZM6FU1Ynao1/78xNYnAr
+					o4fwADHCCXw1/TDbMbp9LCzgNoUfKjWjJCn6
+					89OCX/es/0rTtA== )
 			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					I+i9d3dewJTTmK1J5gbMlsjodEDjV57fHDbv
-					3haEPH6WHn/9W3P9eTDRIVEIvSVCEObAJyem
-					ItOMKZOxlRTF5Q== )
+			7200	RRSIG	AAAA 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					wUAOaDeX1NQh5pm8VfjXJ9QCE0HK5rdyXcyP
+					Sreh+AjyA2UVksG6Rd8/8WWv2YPwD8LtOZfv
+					OVzIQY+ltEOSvg== )
 			7200	NSEC	ns2.example.net. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					KF6bVYTEEuOgaYTrD1BhY6dyYtp1k7uPQAbe
-					+8aDk4OJwtL681t91XIT/TRXvKwiSVH4M7Un
-					ZOFI4o33/oIJag== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					cu58jBfTX3IrVthmTxmvKuj76N7OtkuRWqkz
+					wNqyKtLjTaW2hEvt6Wnd/F7Py/xiKS6aEFIK
+					iovzZNBDetmiBg== )
 ns2.example.net.	7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					pLL55Ja/b/pGnWdYP2tAOtx84xyKiEdD/oPC
-					7prF8HCXLJgbFdnJ3JkZ1umAPbsRrEkFIFII
-					wGwfrjMkM9c8zw== )
+			7200	RRSIG	A 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					Qs5E1Bc10de+JJW26BhWzvDvxA4ssyB57QN2
+					3uk1jgoqi4f91/xvvoy45eQtOIflmNlKV1up
+					ZESuqA8PJwq9hQ== )
 			7200	NSEC	sub.example.net. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					b5AfO/ekdK8rQBAiyGcjCSFHOLCYfdVJP7DD
-					FsNKBjkJj+jLz3P1lJClTrgc4gv7EmRlZncd
-					YOzblBcjylZqAw== )
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					DIqhTgeHJasScNvLEnUzqLectmRRQhKpFINK
+					+NWEL/CM27SCiOLLYu5Mz2YHLVpz2VoV/V32
+					YVpaLtAlA5Gc1g== )
 sub.example.net.	7200	IN NS	ns1.example.net.
-			7200	DS	18846 7 1 (
-					71103B8D50793E190E48D99E95B48D9F20C4
-					04C6 )
-			7200	DS	18846 7 2 (
-					42A13BAC66BEB451B6BF17A51FC2C141B765
-					D3E9B952C689BA4B572DC1AF2FCC )
-			7200	RRSIG	DS 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					HeLgZtRjTPXR8HDw0uHiavKTmJTJU2ryunVf
-					JR8vASP8QT2D4hD0BvCUzQdIB23+oB9eY2dx
-					f9WtEwKY89dcTQ== )
-			7200	NSEC	example.net. NS DS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090103210802 (
-					20081228210802 4157 example.net.
-					XViJS+mWV3mddMCV25zV9i3ZpRlBsQIr/Guq
-					wJYzIiBP3F5cY+GbzOyjLdRnuy9pIeCUmEIN
-					0XsanfbJHcTm8w== )
+			7200	NSEC	example.net. NS RRSIG NSEC
+			7200	RRSIG	NSEC 5 3 7200 20090809141357 (
+					20090730141357 48089 example.net.
+					qRqoIDBDuxWo403SI0B3ZPiAMSWV48HWUDi/
+					bUPuGtKCaw43OuG4RgMBlItzxrmw5AMlcsGw
+					+dpIoVdHzGqmdg== )
diff --git a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
index 8537da0250..b9d0017467 100644
--- a/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
+++ b/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
@@ -1,2 +1,2 @@
-sub.example.net.dlv.trusted-keys.de. IN	DLV 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.dlv.trusted-keys.de. IN	DLV 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+sub.example.net.dlv.trusted-keys.de. IN	DLV 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net.dlv.trusted-keys.de. IN	DLV 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/dsset-example.net. b/contrib/zkt/examples/flat/keysets/dsset-example.net.
index f07c9b9cfe..ec2e02237f 100644
--- a/contrib/zkt/examples/flat/keysets/dsset-example.net.
+++ b/contrib/zkt/examples/flat/keysets/dsset-example.net.
@@ -1,4 +1,4 @@
-example.net.		IN DS 1764 5 1 A6F060DDE8DE45CA7FD1C21E2F39C477F214795F
-example.net.		IN DS 1764 5 2 B7109245C60ACEDD1630E145477FDF574D5BD9CABE530AAC6D7192DB 7FBFAA3F
 example.net.		IN DS 7308 5 1 16CD09D37EC1FEC2952BE41A5C5E2485C1B0C445
 example.net.		IN DS 7308 5 2 FD31B2F54526FAA8131A3311452729467FA7AD5D7D14CA6584B4C41B 0B384D8E
+example.net.		IN DS 33840 5 1 A554D150A7F958080235B9A361082937B65EB7C4
+example.net.		IN DS 33840 5 2 044406C788E4B659573DEED74F4EAEC9E7FAC431CB6932C39DABF704 30A6102B
diff --git a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net. b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
index f35581d0ce..0ae4af62f4 100644
--- a/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
+++ b/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
@@ -1,2 +1,2 @@
-sub.example.net.	IN DS 18846 7 1 71103B8D50793E190E48D99E95B48D9F20C404C6
-sub.example.net.	IN DS 18846 7 2 42A13BAC66BEB451B6BF17A51FC2C141B765D3E9B952C689BA4B572D C1AF2FCC
+sub.example.net.	IN DS 48516 7 1 CC5E20F75F02BE11BC040960669A3F5058F30DC0
+sub.example.net.	IN DS 48516 7 2 D124B0B50CF51780707FFBF91DC305617832C09E21F32F28B8A88EFB E1F03ACE
diff --git a/contrib/zkt/examples/flat/keysets/keyset-example.net. b/contrib/zkt/examples/flat/keysets/keyset-example.net.
index 47311feb74..eba52b9ca6 100644
--- a/contrib/zkt/examples/flat/keysets/keyset-example.net.
+++ b/contrib/zkt/examples/flat/keysets/keyset-example.net.
@@ -1,5 +1,14 @@
 $ORIGIN .
 example.net		7200	IN DNSKEY 257 3 5 (
+					BQEAAAABCwxfQLjMaLsvSPFYMFyi/Z5l6f/y
+					1fNROZtCrUSAFca8c4Dc+MK9phlqEtBihnMS
+					BjFsuhyq1w++ubzZF3rVduVXP+loeEW5cGXn
+					eM4nm52unLpZfQu0B0h/zwDLrfmedyqqZYb7
+					grXDqFwT0EnI4cL/Ybr40H7uSUyVyLM3c5a8
+					V5RDA2t1PImy7UURv6qusCsRslw+mM5jG0S7
+					Il5cqhugaQ==
+					) ; key id = 33840
+			7200	IN DNSKEY 257 3 5 (
 					BQEAAAABDG+2bUQuvTgeYA99bx5wXDsiaQnh
 					Jc5oFj+sQLmCvj6hGFfQoUkI67jTMkIzQlfl
 					Q3UHBfAnQMeFAhhQLrG+/cMXldZN3360Q+Yl
@@ -8,12 +17,3 @@ example.net		7200	IN DNSKEY 257 3 5 (
 					A1e/wVthbnx1DGbuy+fM5g1inAAbgmGwyaX5
 					JT9+p0yB/Q==
 					) ; key id = 7308
-			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABDUi2uSUlDjESbnrnY5wd8+pXxhYV
-					Y4wCi2UVjhcehvIb2bF8VJH2Q9/0ubQR1vQ2
-					VJhsGUj3A7bdTfbMETPxKkZaDpc9lCYrm0z5
-					HDrslyx4bSb4JX/iCyhgYZXrTVb9WyLXjUtm
-					DUktDjZgsyVshFHVJShBUSj+YpnfQkndGViD
-					AbJRycXDYEF1hCNmTK3KsR1JS9dXMKI3WidH
-					+B9rLlBU8w==
-					) ; key id = 1764
diff --git a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net. b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
index 5c58fad59a..17e31b8381 100644
--- a/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
+++ b/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
@@ -1,8 +1,8 @@
 $ORIGIN .
 sub.example.net		7200	IN DNSKEY 257 3 7 (
-					AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
-					3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
-					dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
-					pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
-					VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
-					) ; key id = 18846
+					AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
+					jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
+					/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
+					H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
+					ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
+					) ; key id = 48516
diff --git a/contrib/zkt/examples/flat/named.conf b/contrib/zkt/examples/flat/named.conf
index 0e8551c0c7..2d4cb9f0e6 100644
--- a/contrib/zkt/examples/flat/named.conf
+++ b/contrib/zkt/examples/flat/named.conf
@@ -96,4 +96,14 @@ zone "0.0.127.in-addr.ARPA" in {
 	file "127.0.0.zone";
 };
 
-include "zone.conf";
+#include "zone.conf";
+
+zone "example.NET." in {
+	type master;
+	file "example.net/zone.db.signed";
+};
+
+zone "sub.example.NET." in {
+	type master;
+	file "sub.example.net/zone.db.signed";
+};
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key
deleted file mode 100644
index 80d1ca0c87..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081228220628
-;%	lifetime=3d
-sub.example.net. IN DNSKEY  256 3 6 AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI v8lZ
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published
deleted file mode 100644
index f10110daef..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): vkFZckOUzy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1zgQ==
-Subprime(q): qHjRa5osHmJx2NpT9a+wCWA7CLk=
-Base(g): t9Qo3KI9nqhaA9i/vXOmHah4S/+KYgi2oWjP6z2sksF6/NEg2+6dLWefgWKruCLbWaImIbreEcSg2vlj+RsHTQ==
-Private_value(x): J9kC0094M4urh22UyajBvYp6OUU=
-Public_value(y): rfdSEO07PKqymWRw5N+ivNzs1ipxdThpEiJIu5H6FslIunCQDHZ3N97j3/u4pxILjeEq9oeEFxjZuNoSiL/JWQ==
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key
deleted file mode 100644
index 2cb92c468a..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081216133130
-;%	lifetime=3d
-sub.example.net. IN DNSKEY  256 3 6 AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi 7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp +U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn /UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0 DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls lfy1
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private
deleted file mode 100644
index 50a0c9429e..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): 50c8zvi1zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp+Q==
-Subprime(q): zVTFuNMY3m0bMsXC3ULBHHiaUM8=
-Base(g): TVs1TYPKiksqFlHn7pI3m7tHu2VAIaWZ6wTjIAPaQsFgC8GhJeA+E+f9QNBbPTzHchphW9VxBxwECC57g2H9EQ==
-Private_value(x): LnevSOPwRhakaa7vYh1YBwGWIh8=
-Public_value(y): NwN9ucIKHYWeFToIQrCqIxfrtA1y7lmGOoeilp+MrraOjTAW+YV0g2mDE4IiWDuTEu/XfO+iyDycr95pbJX8tQ==
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated
deleted file mode 100644
index 14edffd135..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 6 (?)
-Prime(p): j+A/58oThRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qPoQ==
-Subprime(q): kuawB/eONoc0BjGmDIKOerRKBkM=
-Base(g): C/CRAij2ID/BEajrSxPOHaMWdQ06G5zfI6el3MIZtMFvNxBQypZ3VRawKbBeOncxvSMSX/ecw5MeJDKXCWfi7Q==
-Private_value(x): HZ/c+Fa0T/qv5IwEmPEF681ckVw=
-Public_value(y): bvjS4V5v38HzFvDmzxxq09i13mBupQ79O5ZLNyxoyE17kHNcKD6/ggVPSVx1jDymtgE9FLYgo1OoKh9qdNrG0w==
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key
deleted file mode 100644
index 0269761c41..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081209130816
-;%	lifetime=3d
-sub.example.net. IN DNSKEY  256 3 6 AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0 2sbT
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
new file mode 100644
index 0000000000..27036fe68d
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: vwuuUkg4CTWLdI8+DIv9NW1dPbKQA6QZVcv+QgjmV7ewfxR31/n7c5usrUUQ+j1YHXM3AgIXhCN62OpQa1rgCQ==
+PublicExponent: AQAB
+PrivateExponent: LiSPHRaOWkMRhLyYOwWQyde5Xo6DVC3NZLiZl694mxS63YmbB5SYh9OILMunQCxRpxya94lqgt9DvSEGMvzlgQ==
+Prime1: 56furA32AKokZoRN8W/SC+l9MsENy1BFI4rodT3YNRE=
+Prime2: 0x89E2ZEeaPUp/Ox2qnRTXlB6h25P/SBxiGA31WBG3k=
+Exponent1: Km5UBSe5e32ulSh+rk5xBsWJrRY3VJorT8tNsMvXIkE=
+Exponent2: Caa/8AcY0ka/Df6B/vEMdHI6pS0+rsHKvPgDIDKUeGE=
+Coefficient: 1lvL+tM8iRj7MttO3zC4lQsO+8nPruMDBnYMzTVPGAI=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
new file mode 100644
index 0000000000..98cb5afb3a
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090624144422
+;%	lifetime=3d
+sub.example.net. IN DNSKEY  256 3 7 AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5 +3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key
deleted file mode 100644
index 688d4212df..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081125154049
-;%	lifetime=60d
-sub.example.net. IN DNSKEY  257 3 7 AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP 7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq fu8SrJ0f
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private
deleted file mode 100644
index 5b5edbb3e5..0000000000
--- a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 7 (?)
-Modulus: 451+rtzB+GXdovwGVREaeA8D7cjYTcbdc9ETthrD81yjtpeiscomBEUygzfSruMMFq50t5cL/985ADDY/m8LDK4eYgWjh+VefnWwx4WlZ0/sTx+aLiT9igIRK768G9/6tlYMxWiyPxVUQhspNwkTXo2x3WWzUUgZ+Kp+7xKsnR8=
-PublicExponent: AQAB
-PrivateExponent: J0mYBDa2hFmQ2AEIVsaM+wwccX6pV0NsFgGQlW4pRGhJGcsymd16kmIfRebsxqMKAyA5pTa9K30sKYxE6CXikgpm1+TqQtH3CQJGEz81gf5/c/RgHdG4+bygPrKeW1vA7dI5jsEQ8wnhBAJa0jDIt8f0bP9G5rGYyxctmmC8mgE=
-Prime1: 8gsI7gGw1oPDMLhQHMx3NorrKgy1wMu3/anCcIEEe1OflmSNHzb0Y4hQ8Zl97EyU6ZuPAGlnI4MfykK2V35orw==
-Prime2: 8L163OyeS3aLn+Bxfxlc/6OZGat5b6C5RKFzvdJ9/7ZxM1woegJCe8DD0wwuKwNs7go+venTI4O7L1ZB0jJOkQ==
-Exponent1: aJiOLlQ6uCjOk+JCdH+DUOWthEljzcH7a7oNlZKbfjP/9fzT41ZbPBvvZsh+2zuo6l7X6ESkVntWpJA5vguZbw==
-Exponent2: a4mIh4VfFICI0Er3B/pxc3RF4JSbc0TNXZ3tUL7lL8P0fyfMoOu/fP5Xuz+2o9os34xOCJGZkkS26edTEa0NMQ==
-Coefficient: sEYTrLAosmx+x8M2BBdTYLddTSbv3xXDlqHeCNxajW4bhhbjkn3oMCWQfaq7Oke4zeUXPOAYjaf8Ve2oLD9fzg==
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
new file mode 100644
index 0000000000..bd7002d907
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090630093509
+;%	lifetime=3d
+sub.example.net. IN DNSKEY  256 3 7 AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
new file mode 100644
index 0000000000..03dfe535ff
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: 24opa7iwrJyDng5gmdzj9PNvU4W/EbCECHilWmXTTcmvFP+lCMjD/MkUSdSDAIMOYZ982rvdJuTKSdPJdhF7aQ==
+PublicExponent: AQAB
+PrivateExponent: M7mksrWsIq8pr4axqe7KYr8sXqBneTJ+mURbqSXOmEfZrlUlW0GwbOoVcDwrStuknXF+34wo5Q3cMwk0DX95UQ==
+Prime1: +rQpJtsPO9HubmItf5eIz0quciGA5CnaMrhkB00JGEU=
+Prime2: 4C12MHLPRcYtMLNzbTOkqBWhRiBRy33Q/djerAxswtU=
+Exponent1: zyXjxtZEPRJWJ2D55S5JfbZgc69ZN62ZPEV9aUbu190=
+Exponent2: NMpf367Zopu1fpdzog6cQry9Oq9Xs6zQL0cHwMo4PnU=
+Coefficient: dT+ysdkCUq1RU+toH16kAW5F7eQ3dAMGsYIII+scCYo=
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
new file mode 100644
index 0000000000..717e2bed3e
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090624144206
+;%	lifetime=7d
+sub.example.net. IN DNSKEY  257 3 7 AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5 UPSENnx3
diff --git a/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
new file mode 100644
index 0000000000..78137a9516
--- /dev/null
+++ b/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 7 (NSEC3RSASHA1)
+Modulus: xUmAx/vXLQzYp+uGIAogeSFLwyWCYpuORoFjnrNlEBAzAcnIw4NlwiAFC8+TEbD/Viv/m/dls7BUKPvN5h+9761GxdcERhO+js84sT0fSIx/r2+rtDGHzb+r4ukEfXzXyIOEGfqrR/vDDgWWjsHe7nMl/oUe6Xwk/HlQ9IQ2fHc=
+PublicExponent: AQAB
+PrivateExponent: pXM0BgLE/KnmVESnsdzsSMlMkTa2tt1/ns9J7UDDQ4piTGCd9qEOSJOzx6jnzJFkQS8a6QC8EMqSeeBaV2BNVucg336ie2jH+VVwBsrRzFdTTEr5Wouw62PWiW/FV285oxootXoGHeCTmVbwVBKfYrX6Wputp/sUc1haLL54COk=
+Prime1: 5zo/AB88LX6pEk65CGtBjkB6Jx0RcR2Ekq0Q/GU8HkAsZxPhwnJAbp3pZs65g/Od4vh/lz/Uv/FTLX8efOTMKw==
+Prime2: 2mxkQwk63bu3aeoAR1T1uwf7V9rty0QLZlyeVSGasfB+dv9Dihh9f7IXBX88VsMUIp7DPINm87sMi+jEJOSO5Q==
+Exponent1: vUjIJABt0cxa+VqqTAMJQjr0BCreiVuhmDTGr+brhNQBxUvYRsYiiqsIUxmtciAuwousXxNoxMv3zEnAmnrtyw==
+Exponent2: NhajWWpetmv2xnaY7REf7NnUJvRi8HQAMq/60XAJ48h/OK6LphXcdhO+2bChW4bhZJVWGZUcmHyYZckVUWF79Q==
+Coefficient: tA/0qGPPL9RkgGhV4Bz/cBi6vOTTan0zpOPE+R/jabmSIrF9k9igghZvhHPG9bnMi5mY8cekzUm6bbOejZjy3g==
diff --git a/contrib/zkt/examples/flat/sub.example.net/dnskey.db b/contrib/zkt/examples/flat/sub.example.net/dnskey.db
index 7d4c4acb8c..e312396ea6 100644
--- a/contrib/zkt/examples/flat/sub.example.net/dnskey.db
+++ b/contrib/zkt/examples/flat/sub.example.net/dnskey.db
@@ -2,46 +2,28 @@
 ;	!!! Don't edit this file by hand.
 ;	!!! It will be generated by dnssec-signer.
 ;
-;	 Last generation time Dec 28 2008 23:08:02
+;	 Last generation time Jun 30 2009 13:02:21
 ;
 
 ;  ***  List of Key Signing Keys  ***
-; sub.example.net.  tag=18846  algo=NSEC3RSASHA1  generated Nov 25 2008 16:40:49
+; sub.example.net.  tag=48516  algo=NSEC3RSASHA1  generated Jun 24 2009 16:42:06
 sub.example.net. 3600 IN DNSKEY  257 3 7 (
-			AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G3XPRE7Yaw/Nco7aXorHK
-			JgRFMoM30q7jDBaudLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeFpWdP
-			7E8fmi4k/YoCESu+vBvf+rZWDMVosj8VVEIbKTcJE16Nsd1ls1FIGfiq
-			fu8SrJ0f
-		) ; key id = 18846
+			AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKbjkaBY56zZRAQMwHJyMOD
+			ZcIgBQvPkxGw/1Yr/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9H0iM
+			f69vq7Qxh82/q+LpBH1818iDhBn6q0f7ww4Flo7B3u5zJf6FHul8JPx5
+			UPSENnx3
+		) ; key id = 48516
 
 ; ***  List of Zone Signing Keys  ***
-; sub.example.net.  tag=5823  algo=NSEC3DSA  generated Dec 28 2008 23:06:27
-sub.example.net. 3600 IN DNSKEY  256 3 6 (
-			AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1zrCvWeR2s851pF1lyqoi
-			7w+KlRmWrsEyyGS+HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1EtNp
-			+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGlmesE4yAD2kLBYAvBoSXgPhPn
-			/UDQWz08x3IaYVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghCsKojF+u0
-			DXLuWYY6h6KWn4yuto6NMBb5hXSDaYMTgiJYO5MS79d876LIPJyv3mls
-			lfy1
-		) ; key id = 5823
+; sub.example.net.  tag=32345  algo=NSEC3RSASHA1  generated Jun 30 2009 13:02:04
+sub.example.net. 3600 IN DNSKEY  256 3 7 (
+			AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGwhAh4pVpl003JrxT/pQjI
+			w/zJFEnUgwCDDmGffNq73SbkyknTyXYRe2k=
+		) ; key id = 32345
 
-; sub.example.net.  tag=22440  algo=NSEC3DSA  generated Dec 28 2008 23:06:27
-sub.example.net. 3600 IN DNSKEY  256 3 6 (
-			AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oThRkOD+cmyxsyLP0qrQco
-			zEPyY+SI5/7cj1chepu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73x4qP
-			oQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc3yOnpdzCGbTBbzcQUMqWd1UW
-			sCmwXjp3Mb0jEl/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObPHGrT2LXe
-			YG6lDv07lks3LGjITXuQc1woPr+CBU9JXHWMPKa2AT0UtiCjU6gqH2p0
-			2sbT
-		) ; key id = 22440
-
-; sub.example.net.  tag=4710  algo=NSEC3DSA  generated Dec 28 2008 23:06:28
-sub.example.net. 3600 IN DNSKEY  256 3 6 (
-			AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOUzy7Bj+uFawiZePzJ376i
-			jMX7LHr8z1NNhNOBRhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3At1z
-			gbfUKNyiPZ6oWgPYv71zph2oeEv/imIItqFoz+s9rJLBevzRINvunS1n
-			n4Fiq7gi21miJiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk36K83OzW
-			KnF1OGkSIki7kfoWyUi6cJAMdnc33uPf+7inEguN4Sr2h4QXGNm42hKI
-			v8lZ
-		) ; key id = 4710
+; sub.example.net.  tag=14600  algo=NSEC3RSASHA1  generated Jun 30 2009 13:02:04
+sub.example.net. 3600 IN DNSKEY  256 3 7 (
+			AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOkGVXL/kII5le3sH8Ud9f5
+			+3ObrK1FEPo9WB1zNwICF4QjetjqUGta4Ak=
+		) ; key id = 14600
 
diff --git a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
index 30ae923c45..8f90edb161 100644
--- a/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
+++ b/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
@@ -4,12 +4,12 @@ sigvalidity 	2d
 max_ttl 	90s
 
 Serialformat:	unixtime
-zsk_lifetime 	3m
+ksk_lifetime 	1w
 ksk_algo 	N3RSASHA1
 ksk_bits 	1024
 
 zsk_lifetime 	3d
-zsk_algo 	NSEC3DSA
+zsk_algo 	N3RSASHA1
 zsk_bits 	512
 
 dlv_domain	"dlv.trusted-keys.de"
diff --git a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
index 79cc5e73d2..c82f3ff090 100644
--- a/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
+++ b/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
@@ -1,116 +1,109 @@
-; File written on Sun Dec 28 23:08:02 2008
-; dnssec_signzone version 9.6.0
+; File written on Tue Jun 30 13:02:21 2009
+; dnssec_signzone version 9.7.0a1
 sub.example.net.	7200	IN SOA	ns1.example.net. hostmaster.example.net. (
-					1230502082 ; serial
+					1246359741 ; serial
 					86400      ; refresh (1 day)
 					1800       ; retry (30 minutes)
 					1209600    ; expire (2 weeks)
 					7200       ; minimum (2 hours)
 					)
-			7200	RRSIG	SOA 6 3 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AMwSbl1AvSw6nz/6SAX26uwD5BAKYAxmfBIq
-					ynkaiFplhArpE1dTqlU= )
+			7200	RRSIG	SOA 7 3 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					xaNZK008xUwN1mWIUMpMNljZ7mOsYyzQ89ug
+					Ephuttdlqm5KdMAlopa9Qfgw+83YQzyonAKj
+					beUBuNmOKBwgQw== )
 			7200	NS	ns1.example.net.
-			7200	RRSIG	NS 6 3 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AFIZX6ddVm4v+ae2F4zcVgp0jJHow+jKe+LC
-					YYNpRqF42vDPsri4shw= )
-			3600	DNSKEY	256 3 6 (
-					AJLmsAf3jjaHNAYxpgyCjnq0SgZDj+A/58oT
-					hRkOD+cmyxsyLP0qrQcozEPyY+SI5/7cj1ch
-					epu4me5ek8kaxKMxecDzP79mSCiX60J/Zl73
-					x4qPoQvwkQIo9iA/wRGo60sTzh2jFnUNOhuc
-					3yOnpdzCGbTBbzcQUMqWd1UWsCmwXjp3Mb0j
-					El/3nMOTHiQylwln4u1u+NLhXm/fwfMW8ObP
-					HGrT2LXeYG6lDv07lks3LGjITXuQc1woPr+C
-					BU9JXHWMPKa2AT0UtiCjU6gqH2p02sbT
-					) ; key id = 22440
-			3600	DNSKEY	256 3 6 (
-					AKh40WuaLB5icdjaU/WvsAlgOwi5vkFZckOU
-					zy7Bj+uFawiZePzJ376ijMX7LHr8z1NNhNOB
-					RhUNxd3yJUjLVzWmoPu6oilpY0T/7JM2IQO3
-					At1zgbfUKNyiPZ6oWgPYv71zph2oeEv/imII
-					tqFoz+s9rJLBevzRINvunS1nn4Fiq7gi21mi
-					JiG63hHEoNr5Y/kbB02t91IQ7Ts8qrKZZHDk
-					36K83OzWKnF1OGkSIki7kfoWyUi6cJAMdnc3
-					3uPf+7inEguN4Sr2h4QXGNm42hKIv8lZ
-					) ; key id = 4710
-			3600	DNSKEY	256 3 6 (
-					AM1UxbjTGN5tGzLFwt1CwRx4mlDP50c8zvi1
-					zrCvWeR2s851pF1lyqoi7w+KlRmWrsEyyGS+
-					HmnxyQDaY1+TYi+gJzHVS1kVv98x1ggg8Gb1
-					EtNp+U1bNU2DyopLKhZR5+6SN5u7R7tlQCGl
-					mesE4yAD2kLBYAvBoSXgPhPn/UDQWz08x3Ia
-					YVvVcQccBAgue4Nh/RE3A325wgodhZ4VOghC
-					sKojF+u0DXLuWYY6h6KWn4yuto6NMBb5hXSD
-					aYMTgiJYO5MS79d876LIPJyv3mlslfy1
-					) ; key id = 5823
+			7200	RRSIG	NS 7 3 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					xVsGH4dLDwHBhRo/R+BlQMgdXW5Y80xVEiYY
+					jrPH3A1j8i+PotbNA0F7eKA/0fKFmj4biCAK
+					LPErXQ8ObaggQA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAb8LrlJIOAk1i3SPPgyL/TVtXT2ykAOk
+					GVXL/kII5le3sH8Ud9f5+3ObrK1FEPo9WB1z
+					NwICF4QjetjqUGta4Ak=
+					) ; key id = 14600
+			3600	DNSKEY	256 3 7 (
+					AwEAAduKKWu4sKycg54OYJnc4/Tzb1OFvxGw
+					hAh4pVpl003JrxT/pQjIw/zJFEnUgwCDDmGf
+					fNq73SbkyknTyXYRe2k=
+					) ; key id = 32345
 			3600	DNSKEY	257 3 7 (
-					AwEAAeOdfq7cwfhl3aL8BlURGngPA+3I2E3G
-					3XPRE7Yaw/Nco7aXorHKJgRFMoM30q7jDBau
-					dLeXC//fOQAw2P5vCwyuHmIFo4flXn51sMeF
-					pWdP7E8fmi4k/YoCESu+vBvf+rZWDMVosj8V
-					VEIbKTcJE16Nsd1ls1FIGfiqfu8SrJ0f
-					) ; key id = 18846
-			3600	RRSIG	DNSKEY 6 3 3600 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AMh2mLe04LwOikgp7Djk5OD+VjsxHWFIrM5K
-					eZ9TwWum0+c3KRc0Ye0= )
-			3600	RRSIG	DNSKEY 7 3 3600 20081230210802 (
-					20081228210802 18846 sub.example.net.
-					oXtpSP1gJIoDZ4HUjdlGV6wyS0VPHp9pv7hB
-					t8sOWSTxSAQ2D1u+2bHK97lE7c1TJUqNsQO7
-					YiTwCvfeypt/9QWSFg8d8TrUTaFvUyZO9yJM
-					HEeJvoV9+TmRsqT1M4vYNO6OY9zBrqQF8Jov
-					gblJkg3ftGhllMDdz8JlIe3m35U= )
-			0	NSEC3PARAM 1 0 100 B5EA98
-			0	RRSIG	NSEC3PARAM 6 3 0 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AEK69arso3M/F6qdvHBnEaS7PYoMPzkXeut8
-					f7tQNJi/n/57iOXxBtY= )
+					AwEAAcVJgMf71y0M2KfrhiAKIHkhS8MlgmKb
+					jkaBY56zZRAQMwHJyMODZcIgBQvPkxGw/1Yr
+					/5v3ZbOwVCj7zeYfve+tRsXXBEYTvo7POLE9
+					H0iMf69vq7Qxh82/q+LpBH1818iDhBn6q0f7
+					ww4Flo7B3u5zJf6FHul8JPx5UPSENnx3
+					) ; key id = 48516
+			3600	RRSIG	DNSKEY 7 3 3600 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					2P0CEAUnKV6Pa3Ryl1naH9Ve/va1k7oKyJyB
+					dinSyD/UVnGV7+iipUgDOcOAbNCYBCUVfKE9
+					GcBg3KQvJl0+AQ== )
+			3600	RRSIG	DNSKEY 7 3 3600 20090702100221 (
+					20090630100221 48516 sub.example.net.
+					PB5I2/PuswNIxwDykcQEc/4+aUx/dJg9YfXx
+					f1gZL5ayZK01dVYsoZ8USV9IEX27NqFwjQO/
+					iTgB3eAEeBf4283XZ3VeXQRJ4iaMbL42TVid
+					qlKHQgniTPJAoytNRFVDvU3196YJECb8Z7L5
+					F6avz0sLu3gtDu/nwyyK/5Hf3kM= )
+			0	NSEC3PARAM 1 0 100 86F43F
+			0	RRSIG	NSEC3PARAM 7 3 0 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					e6ABPEvRsRxDn/6VaDlZWctckrXmO3KhmTF0
+					gtn7V+kR5J07XF+iS7jnfpEDUJWSRhJDTtVV
+					3uTWjwSs7kyfDQ== )
 a.sub.example.net.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					ACtzcM76XGO0nQg0MNi/3xIA17I/Zl7dpLie
-					L+UWpvdyC01FhiJ9nBc= )
+			7200	RRSIG	A 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					GEvo0V/h1H5LQz1hAd6FtgN1cX/FR1ADLDjD
+					LEcrzGVBqPCB7OjyXVsHqjq3uGmFI7uZn+K/
+					hXTkHJif/0w78g== )
 b.sub.example.net.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AMvlob5onyssxa/DQ13dtCp9pL9sHw4pruqq
-					PI85Joh+QNgM26VGXRA= )
+			7200	RRSIG	A 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					OVvrujb8/jziQqf37zHnTOQCz2e5RAVCpdt4
+					rqd8U/Jzf36tKkPD1qSIJ8zJaAY3LfOLNYDU
+					T10UWy4dnxfoNQ== )
 c.sub.example.net.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AJAcwAkedEjx4i28vF/Uu31BDly6Hmc5LI9R
-					19PqH1vAijma5No2x5Q= )
+			7200	RRSIG	A 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					b8A0VTnFi194xkeSKpK6iHcgDvuKGSFzZHSd
+					qPmMwJzflTmsLTxgXEZ9KY4BDbccSTaJVEwr
+					JJ+/QuqBHFyISQ== )
 localhost.sub.example.net. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					ACgSEXi/TbpF35NNFs8zocciqhZtwDL5C4e/
-					6hTGwvl3Z+IjCjf8oDc= )
-ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A.sub.example.net. 7200 IN NSEC3	1 0 100 B5EA98 FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE A RRSIG
-			7200	RRSIG	NSEC3 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AGjJ1uwyqNVcHgz3aFQZhvNFpBEPXdQaEeKo
-					/1Joi1+1g5r7AqEPgbU= )
-FLIRT946Q32FSU4Q1ISRK4UJAFMRNHEE.sub.example.net. 7200 IN NSEC3	1 0 100 B5EA98 J961TISKA95UUNS1JAV5OMBDNS342B6O A RRSIG
-			7200	RRSIG	NSEC3 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AERaVeALOfnnt/33oq5dDu08p3oyfYET59xd
-					x6I2CRIOFUr7LkHm2ro= )
-J961TISKA95UUNS1JAV5OMBDNS342B6O.sub.example.net. 7200 IN NSEC3	1 0 100 B5EA98 KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O A RRSIG
-			7200	RRSIG	NSEC3 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					ADgp7RYKJ95X9iLaS/O0N75fzc/yjA3NhVnv
-					hDKrUluwi2qYv1/AOIk= )
-KJVHLHHLAADEDFM1ONPEIBM68DIIPI6O.sub.example.net. 7200 IN NSEC3	1 0 100 B5EA98 TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN A RRSIG
-			7200	RRSIG	NSEC3 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AMkFnz9tj86fr4NmFDnrqDNFlkgMAhRY/fR3
-					SGzdb8LfKdbWCRwYtu0= )
-TE1BL0NOCKMSQ7ARERPVQTM4NBVRN6CN.sub.example.net. 7200 IN NSEC3	1 0 100 B5EA98 ANQ08MJB3Q48CAVL5MEKLHUA2EG2808A NS SOA RRSIG DNSKEY NSEC3PARAM
-			7200	RRSIG	NSEC3 6 4 7200 20081230210802 (
-					20081228210802 5823 sub.example.net.
-					AHYEmiF12gwP5LOpUfqK+uHzj7cwuxlGXNT7
-					OdhDcXznJd5bkkQuoFY= )
+			7200	RRSIG	A 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					HtRrjUhpveofocEBNMEc++mYg9oYfZgnANA5
+					TyuS20tcCw/rAhGh3E3vMyhBBq4Ps1QT74+f
+					S06Z9C5YaKI7ig== )
+7EJ08VDH70TNH3I9SD4MDBVA4S00PALI.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG A RRSIG
+			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					L1QIfw4hfGk4jSWBeWWGviTAt/2i1wRXE2Qe
+					yspyHNhG38jzGKXR5WH7FLdBzbqMHUHv9i+k
+					/t2mOvXB11pLqQ== )
+AFRQ27Q7JGUJ2SA0AVDKT2DLILIGBLUG.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F D0RE91KNGIR4STOQOPTK16C5C63NN2S0 NS SOA RRSIG DNSKEY NSEC3PARAM
+			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					I7JJTzzkJF3lB/A68KCuihWUMUY9PCW39PEa
+					axi5WDld4ceWVoGx18mPePrlmvjwepo9UGqc
+					ivGHaozr64hBjg== )
+D0RE91KNGIR4STOQOPTK16C5C63NN2S0.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F K46BIT3RVSBTLC8I8H312CFSNECEJ3S4 A RRSIG
+			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					Q1g/fnqJl9tq35CoDFccQ7Ba7BcSzcsY35J5
+					h5DgaHkaAmj6QOX1pdfIuVhw0Ow9aBB4XrZo
+					wHjm0Ab+ez7COg== )
+K46BIT3RVSBTLC8I8H312CFSNECEJ3S4.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0 A RRSIG
+			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					AIfEvkwdU9GE5bBp8OBc0xJtjfF7NAVMkquB
+					2UQzZgZP+63/nq2+uml+79Gwlc7KBjLjLfRr
+					eARbsKjcsRJF7A== )
+L5LI4EFLKNFCE0APSP91SBRCOT0PHLQ0.sub.example.net. 7200 IN NSEC3	1 0 100 86F43F 7EJ08VDH70TNH3I9SD4MDBVA4S00PALI A RRSIG
+			7200	RRSIG	NSEC3 7 4 7200 20090702100221 (
+					20090630100221 32345 sub.example.net.
+					IVMkxbD3eWr39sqXSJ6ARCyiMjeFB6xs+Bxc
+					BRKJ6TCRBRHDlp1Rf7AM+jQgKMAe3Tm+OqVn
+					zBrGA0FxGvo4Pg== )
diff --git a/contrib/zkt/examples/flat/zkt.log b/contrib/zkt/examples/flat/zkt.log
index 40729a8387..74582ddf26 100644
--- a/contrib/zkt/examples/flat/zkt.log
+++ b/contrib/zkt/examples/flat/zkt.log
@@ -137,3 +137,895 @@
 2008-12-28 23:08:02.534: debug: 	Signing completed after 0s.
 2008-12-28 23:08:02.534: debug: 
 2008-12-28 23:08:02.534: notice: end of run: 0 errors occured
+2009-02-28 12:31:26.082: notice: ------------------------------------------------------------
+2009-02-28 12:31:26.083: notice: running ../../dnssec-signer -N named.conf 
+2009-02-28 12:31:26.100: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:31:26.100: debug: 	Check RFC5011 status
+2009-02-28 12:31:26.100: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:31:26.100: debug: 	Check KSK status
+2009-02-28 12:31:26.100: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h35m58s
+2009-02-28 12:31:26.100: debug: 	Check ZSK status
+2009-02-28 12:31:26.100: debug: 	Lifetime(390 sec) of depreciated key 22440 exceeded (5315758 sec)
+2009-02-28 12:31:26.100: info: "sub.example.net.": old ZSK 22440 removed
+2009-02-28 12:31:26.101: debug: 		->remove it
+2009-02-28 12:31:26.101: debug: 	Lifetime(259200 +/-150 sec) of active key 5823 exceeded (5315758 sec)
+2009-02-28 12:31:26.101: debug: 		->depreciate it
+2009-02-28 12:31:26.101: debug: 		->activate published key 4710
+2009-02-28 12:31:26.101: notice: "sub.example.net.": lifetime of zone signing key 5823 exceeded: ZSK rollover done
+2009-02-28 12:31:26.101: debug: 	New key for publishing needed
+2009-02-28 12:31:28.559: debug: 		->creating new key 32820
+2009-02-28 12:31:28.559: info: "sub.example.net.": new key 32820 generated for publishing
+2009-02-28 12:31:28.559: debug: 	Re-signing necessary: Modfied zone key set
+2009-02-28 12:31:28.560: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:31:28.560: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-02-28 12:31:28.560: debug: 	Signing zone "sub.example.net."
+2009-02-28 12:31:28.560: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone  -3 FC6C7C -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-02-28 12:31:28.803: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:31:28.803: debug: 	Signing completed after 0s.
+2009-02-28 12:31:28.803: debug: 
+2009-02-28 12:31:28.803: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:31:28.803: debug: 	Check RFC5011 status
+2009-02-28 12:31:28.803: notice: "example.net.": starting rfc5011 rollover
+2009-02-28 12:31:28.803: debug: 	Lifetime of Key Signing Key 1764 exceeded (8w5d12h36m): Starting rfc5011 rollover!
+2009-02-28 12:31:28.803: debug: 		=>Generating new standby key signing key
+2009-02-28 12:31:29.067: info: "example.net.": generated new standby KSK 33840
+2009-02-28 12:31:29.067: debug: 		=>Activating old standby key 7308 
+2009-02-28 12:31:29.068: debug: 		=>Revoking old active key 1764 
+2009-02-28 12:31:29.068: debug: 	Check ZSK status
+2009-02-28 12:31:29.068: debug: 	Re-signing necessary: Modfied zone key set
+2009-02-28 12:31:29.068: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:31:29.068: debug: 	Writing key file "././example.net/dnskey.db"
+2009-02-28 12:31:29.069: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2009-02-28 12:31:29.069: debug: 	Signing zone "example.net."
+2009-02-28 12:31:29.069: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-02-28 12:31:29.206: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:31:29.206: debug: 	Signing completed after 0s.
+2009-02-28 12:31:29.206: debug: 
+2009-02-28 12:31:29.206: notice: end of run: 0 errors occured
+2009-02-28 12:31:34.121: notice: ------------------------------------------------------------
+2009-02-28 12:31:34.121: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:31:34.126: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:31:34.126: debug: 	Check RFC5011 status
+2009-02-28 12:31:34.126: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:31:34.126: debug: 	Check KSK status
+2009-02-28 12:31:34.126: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h36m6s
+2009-02-28 12:31:34.126: debug: 	Check ZSK status
+2009-02-28 12:31:34.126: debug: 	Re-signing not necessary!
+2009-02-28 12:31:34.126: debug: 	Check if there is a parent file to copy
+2009-02-28 12:31:34.126: debug: 
+2009-02-28 12:31:34.126: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:31:34.126: debug: 	Check RFC5011 status
+2009-02-28 12:31:34.126: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:31:34.126: debug: 	Check ZSK status
+2009-02-28 12:31:34.126: debug: 	Re-signing not necessary!
+2009-02-28 12:31:34.126: debug: 	Check if there is a parent file to copy
+2009-02-28 12:31:34.126: debug: 
+2009-02-28 12:31:34.126: notice: end of run: 0 errors occured
+2009-02-28 12:32:49.522: notice: ------------------------------------------------------------
+2009-02-28 12:32:49.522: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:32:49.525: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:32:49.525: debug: 	Check RFC5011 status
+2009-02-28 12:32:49.525: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:32:49.525: debug: 	Check KSK status
+2009-02-28 12:32:49.525: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h37m21s
+2009-02-28 12:32:49.525: debug: 	Check ZSK status
+2009-02-28 12:32:49.526: debug: 	Re-signing not necessary!
+2009-02-28 12:32:49.526: debug: 	Check if there is a parent file to copy
+2009-02-28 12:32:49.526: debug: 
+2009-02-28 12:32:49.526: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:32:49.526: debug: 	Check RFC5011 status
+2009-02-28 12:32:49.526: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:32:49.526: debug: 	Check ZSK status
+2009-02-28 12:32:49.526: debug: 	Re-signing not necessary!
+2009-02-28 12:32:49.526: debug: 	Check if there is a parent file to copy
+2009-02-28 12:32:49.527: debug: 
+2009-02-28 12:32:49.527: notice: end of run: 0 errors occured
+2009-02-28 12:42:47.999: notice: ------------------------------------------------------------
+2009-02-28 12:42:48.000: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:45:56.491: notice: ------------------------------------------------------------
+2009-02-28 12:45:56.491: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:50:13.057: notice: ------------------------------------------------------------
+2009-02-28 12:50:13.057: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:50:54.700: notice: ------------------------------------------------------------
+2009-02-28 12:50:54.700: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:52:23.926: notice: ------------------------------------------------------------
+2009-02-28 12:52:23.926: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:52:23.933: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-02-28 12:52:23.934: debug: 	Check RFC5011 status
+2009-02-28 12:52:23.934: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:52:23.934: debug: 	Check KSK status
+2009-02-28 12:52:23.934: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h56m55s
+2009-02-28 12:52:23.934: debug: 	Check ZSK status
+2009-02-28 12:52:23.934: debug: 	Lifetime(390 sec) of depreciated key 5823 exceeded (1257 sec)
+2009-02-28 12:52:23.934: info: "sub.example.net.": old ZSK 5823 removed
+2009-02-28 12:52:23.934: debug: 		->remove it
+2009-02-28 12:52:23.934: debug: 	Re-signing necessary: Modfied zone key set
+2009-02-28 12:52:23.934: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-02-28 12:52:23.934: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-02-28 12:52:23.935: debug: 	Signing zone "sub.example.net."
+2009-02-28 12:52:23.935: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone  -3 A4756D -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-02-28 12:52:24.701: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-02-28 12:52:24.701: debug: 	Signing completed after 1s.
+2009-02-28 12:52:24.701: debug: 
+2009-02-28 12:52:24.701: debug: parsing zone "example.net." in dir "././example.net"
+2009-02-28 12:52:24.701: debug: 	Check RFC5011 status
+2009-02-28 12:52:24.701: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:52:24.701: debug: 	Check ZSK status
+2009-02-28 12:52:24.701: debug: 	Re-signing not necessary!
+2009-02-28 12:52:24.701: debug: 	Check if there is a parent file to copy
+2009-02-28 12:52:24.701: debug: 
+2009-02-28 12:52:24.701: notice: end of run: 0 errors occured
+2009-02-28 12:53:08.325: notice: ------------------------------------------------------------
+2009-02-28 12:53:08.325: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:53:48.858: notice: ------------------------------------------------------------
+2009-02-28 12:53:48.858: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:54:09.878: notice: ------------------------------------------------------------
+2009-02-28 12:54:09.878: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-02-28 12:54:09.885: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
+2009-02-28 12:54:09.885: debug: 	Check RFC5011 status
+2009-02-28 12:54:09.885: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-02-28 12:54:09.885: debug: 	Check KSK status
+2009-02-28 12:54:09.886: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 1d12h58m41s
+2009-02-28 12:54:09.886: debug: 	Check ZSK status
+2009-02-28 12:54:09.886: debug: 	Re-signing not necessary!
+2009-02-28 12:54:09.886: debug: 	Check if there is a parent file to copy
+2009-02-28 12:54:09.886: debug: 
+2009-02-28 12:54:09.886: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
+2009-02-28 12:54:09.886: debug: 	Check RFC5011 status
+2009-02-28 12:54:09.886: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-02-28 12:54:09.886: debug: 	Check ZSK status
+2009-02-28 12:54:09.886: debug: 	Re-signing not necessary!
+2009-02-28 12:54:09.886: debug: 	Check if there is a parent file to copy
+2009-02-28 12:54:09.886: debug: 
+2009-02-28 12:54:09.886: notice: end of run: 0 errors occured
+2009-02-28 12:55:02.579: notice: ------------------------------------------------------------
+2009-02-28 12:55:02.579: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-03-03 19:13:47.524: notice: ------------------------------------------------------------
+2009-03-03 19:13:47.524: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-03-03 19:13:47.532: debug: parsing zone "sub.example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net"
+2009-03-03 19:13:47.532: debug: 	Check RFC5011 status
+2009-03-03 19:13:47.532: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:13:47.532: debug: 	Check KSK status
+2009-03-03 19:13:47.533: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h18m19s
+2009-03-03 19:13:47.533: debug: 	Check ZSK status
+2009-03-03 19:13:47.533: debug: 	Lifetime(259200 +/-150 sec) of active key 4710 exceeded (283341 sec)
+2009-03-03 19:13:47.533: debug: 		->depreciate it
+2009-03-03 19:13:47.533: debug: 		->activate published key 32820
+2009-03-03 19:13:47.533: notice: "sub.example.net.": lifetime of zone signing key 4710 exceeded: ZSK rollover done
+2009-03-03 19:13:47.533: debug: 	New key for publishing needed
+2009-03-03 19:13:48.366: debug: 		->creating new key 49656
+2009-03-03 19:13:48.366: info: "sub.example.net.": new key 49656 generated for publishing
+2009-03-03 19:13:48.366: debug: 	Re-signing necessary: Modfied zone key set
+2009-03-03 19:13:48.366: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-03-03 19:13:48.367: debug: 	Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net/dnskey.db"
+2009-03-03 19:13:48.367: debug: 	Signing zone "sub.example.net."
+2009-03-03 19:13:48.367: debug: 	  Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./sub.example.net; /usr/local/sbin/dnssec-signzone  -3 BCB121 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-03 19:13:48.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-03 19:13:48.543: debug: 	Signing completed after 0s.
+2009-03-03 19:13:48.543: debug: 
+2009-03-03 19:13:48.543: debug: parsing zone "example.net." in dir "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net"
+2009-03-03 19:13:48.543: debug: 	Check RFC5011 status
+2009-03-03 19:13:48.543: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:13:48.543: debug: 	Check ZSK status
+2009-03-03 19:13:48.543: debug: 	Re-signing necessary: re-signing interval (2d) reached
+2009-03-03 19:13:48.543: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached
+2009-03-03 19:13:48.543: debug: 	Writing key file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/dnskey.db"
+2009-03-03 19:13:48.544: debug: 	Incrementing serial number in file "/home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net/zone.db"
+2009-03-03 19:13:48.544: debug: 	Signing zone "example.net."
+2009-03-03 19:13:48.544: debug: 	  Run cmd "cd /home/hoz/share/named/dnssec-signer/zkt-0.99/examples/flat/./example.net; /usr/local/sbin/dnssec-signzone  -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-03-03 19:13:48.723: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-03 19:13:48.723: debug: 	Signing completed after 0s.
+2009-03-03 19:13:48.723: debug: 
+2009-03-03 19:13:48.724: notice: end of run: 0 errors occured
+2009-03-03 19:14:16.121: notice: ------------------------------------------------------------
+2009-03-03 19:14:16.121: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf 
+2009-03-03 19:14:30.231: notice: ------------------------------------------------------------
+2009-03-03 19:14:30.231: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf 
+2009-03-03 19:15:37.851: notice: ------------------------------------------------------------
+2009-03-03 19:15:37.851: notice: running ../../dnssec-signer -O namedchrootdir: . -v -v -N named.conf 
+2009-03-03 19:15:37.853: debug: parsing zone "sub.example.net." in dir "./././sub.example.net"
+2009-03-03 19:15:37.853: debug: 	Check RFC5011 status
+2009-03-03 19:15:37.853: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:15:37.853: debug: 	Check KSK status
+2009-03-03 19:15:37.853: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m9s
+2009-03-03 19:15:37.853: debug: 	Check ZSK status
+2009-03-03 19:15:37.853: debug: 	Re-signing not necessary!
+2009-03-03 19:15:37.853: debug: 	Check if there is a parent file to copy
+2009-03-03 19:15:37.853: debug: 
+2009-03-03 19:15:37.853: debug: parsing zone "example.net." in dir "./././example.net"
+2009-03-03 19:15:37.853: debug: 	Check RFC5011 status
+2009-03-03 19:15:37.853: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:15:37.853: debug: 	Check ZSK status
+2009-03-03 19:15:37.853: debug: 	Re-signing not necessary!
+2009-03-03 19:15:37.853: debug: 	Check if there is a parent file to copy
+2009-03-03 19:15:37.853: debug: 
+2009-03-03 19:15:37.853: notice: end of run: 0 errors occured
+2009-03-03 19:15:44.219: notice: ------------------------------------------------------------
+2009-03-03 19:15:44.219: notice: running ../../dnssec-signer -O namedchrootdir: /var/named -v -v -N named.conf 
+2009-03-03 19:15:49.305: notice: ------------------------------------------------------------
+2009-03-03 19:15:49.305: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-03-03 19:15:49.308: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-03 19:15:49.308: debug: 	Check RFC5011 status
+2009-03-03 19:15:49.308: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-03 19:15:49.308: debug: 	Check KSK status
+2009-03-03 19:15:49.309: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 4d19h20m21s
+2009-03-03 19:15:49.309: debug: 	Check ZSK status
+2009-03-03 19:15:49.309: debug: 	Re-signing not necessary!
+2009-03-03 19:15:49.309: debug: 	Check if there is a parent file to copy
+2009-03-03 19:15:49.309: debug: 
+2009-03-03 19:15:49.309: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-03 19:15:49.310: debug: 	Check RFC5011 status
+2009-03-03 19:15:49.310: debug: zone "example.net.": found revoked key with exptime of: Feb 28 2009 12:31:28
+2009-03-03 19:15:49.310: debug: 	Check ZSK status
+2009-03-03 19:15:49.310: debug: 	Re-signing not necessary!
+2009-03-03 19:15:49.310: debug: 	Check if there is a parent file to copy
+2009-03-03 19:15:49.310: debug: 
+2009-03-03 19:15:49.310: notice: end of run: 0 errors occured
+2009-03-04 18:07:38.441: notice: ------------------------------------------------------------
+2009-03-04 18:07:38.441: notice: running ../../dnssec-signer -v -v -N named.conf 
+2009-03-04 18:07:38.459: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:07:38.459: debug: 	Check RFC5011 status
+2009-03-04 18:07:38.459: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:38.459: debug: 	Check KSK status
+2009-03-04 18:07:38.459: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m10s
+2009-03-04 18:07:38.459: debug: 	Check ZSK status
+2009-03-04 18:07:38.459: debug: 	Lifetime(390 sec) of depreciated key 4710 exceeded (82431 sec)
+2009-03-04 18:07:38.459: info: "sub.example.net.": old ZSK 4710 removed
+2009-03-04 18:07:38.459: debug: 		->remove it
+2009-03-04 18:07:38.459: debug: 	Re-signing necessary: Modfied zone key set
+2009-03-04 18:07:38.459: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-03-04 18:07:38.459: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:07:38.460: debug: 	Signing zone "sub.example.net."
+2009-03-04 18:07:38.460: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 33B698 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:07:38.635: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:07:38.635: debug: 	Signing completed after 0s.
+2009-03-04 18:07:38.635: debug: 
+2009-03-04 18:07:38.635: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:38.635: debug: 	Check RFC5011 status
+2009-03-04 18:07:38.635: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:38.636: debug: 	Check ZSK status
+2009-03-04 18:07:38.636: debug: 	Re-signing not necessary!
+2009-03-04 18:07:38.636: debug: 	Check if there is a parent file to copy
+2009-03-04 18:07:38.636: debug: 
+2009-03-04 18:07:38.636: notice: end of run: 0 errors occured
+2009-03-04 18:07:54.353: notice: ------------------------------------------------------------
+2009-03-04 18:07:54.353: notice: running ../../dnssec-signer -r -v -v -N named.conf 
+2009-03-04 18:07:54.357: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:07:54.357: debug: 	Check RFC5011 status
+2009-03-04 18:07:54.357: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:07:54.357: debug: 	Check KSK status
+2009-03-04 18:07:54.357: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m26s
+2009-03-04 18:07:54.357: debug: 	Check ZSK status
+2009-03-04 18:07:54.357: debug: 	Re-signing not necessary!
+2009-03-04 18:07:54.357: debug: 	Check if there is a parent file to copy
+2009-03-04 18:07:54.357: debug: 
+2009-03-04 18:07:54.357: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:07:54.357: debug: 	Check RFC5011 status
+2009-03-04 18:07:54.357: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:07:54.358: debug: 	Check ZSK status
+2009-03-04 18:07:54.358: debug: 	Re-signing not necessary!
+2009-03-04 18:07:54.358: debug: 	Check if there is a parent file to copy
+2009-03-04 18:07:54.358: debug: 
+2009-03-04 18:07:54.358: notice: end of run: 0 errors occured
+2009-03-04 18:08:25.210: notice: ------------------------------------------------------------
+2009-03-04 18:08:25.210: notice: running ../../dnssec-signer -r -v -v -N named.conf 
+2009-03-04 18:08:25.212: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:25.212: debug: 	Check RFC5011 status
+2009-03-04 18:08:25.213: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:25.213: debug: 	Check KSK status
+2009-03-04 18:08:25.213: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h12m57s
+2009-03-04 18:08:25.213: debug: 	Check ZSK status
+2009-03-04 18:08:25.213: debug: 	Re-signing not necessary!
+2009-03-04 18:08:25.213: debug: 	Check if there is a parent file to copy
+2009-03-04 18:08:25.213: debug: 
+2009-03-04 18:08:25.214: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:25.214: debug: 	Check RFC5011 status
+2009-03-04 18:08:25.214: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:25.214: debug: 	Check ZSK status
+2009-03-04 18:08:25.214: debug: 	Re-signing not necessary!
+2009-03-04 18:08:25.214: debug: 	Check if there is a parent file to copy
+2009-03-04 18:08:25.214: debug: 
+2009-03-04 18:08:25.216: notice: end of run: 0 errors occured
+2009-03-04 18:08:32.379: notice: ------------------------------------------------------------
+2009-03-04 18:08:32.379: notice: running ../../dnssec-signer -f -v -v -N named.conf 
+2009-03-04 18:08:32.381: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:32.381: debug: 	Check RFC5011 status
+2009-03-04 18:08:32.381: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:32.381: debug: 	Check KSK status
+2009-03-04 18:08:32.381: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m4s
+2009-03-04 18:08:32.381: debug: 	Check ZSK status
+2009-03-04 18:08:32.381: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:08:32.381: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.381: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:32.382: debug: 	Signing zone "sub.example.net."
+2009-03-04 18:08:32.382: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 2 -3 A0BEB8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:32.896: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:32.896: debug: 	Signing completed after 0s.
+2009-03-04 18:08:32.896: debug: 
+2009-03-04 18:08:32.896: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:32.896: debug: 	Check RFC5011 status
+2009-03-04 18:08:32.896: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:32.896: debug: 	Check ZSK status
+2009-03-04 18:08:32.896: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:08:32.896: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:32.896: debug: 	Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:32.897: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:32.897: debug: 	Signing zone "example.net."
+2009-03-04 18:08:32.897: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 2 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-03-04 18:08:33.042: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:33.042: debug: 	Signing completed after 1s.
+2009-03-04 18:08:33.042: debug: 
+2009-03-04 18:08:33.043: notice: end of run: 0 errors occured
+2009-03-04 18:08:46.381: notice: ------------------------------------------------------------
+2009-03-04 18:08:46.381: notice: running ../../dnssec-signer -f -v -v -N named.conf 
+2009-03-04 18:08:46.385: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:46.385: debug: 	Check RFC5011 status
+2009-03-04 18:08:46.385: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:46.385: debug: 	Check KSK status
+2009-03-04 18:08:46.385: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m18s
+2009-03-04 18:08:46.385: debug: 	Check ZSK status
+2009-03-04 18:08:46.385: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:08:46.385: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.385: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:46.386: debug: 	Signing zone "sub.example.net."
+2009-03-04 18:08:46.386: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 0 -3 1864E1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:08:46.990: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:46.991: debug: 	Signing completed after 0s.
+2009-03-04 18:08:46.991: debug: 
+2009-03-04 18:08:46.991: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:08:46.991: debug: 	Check RFC5011 status
+2009-03-04 18:08:46.991: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:08:46.991: debug: 	Check ZSK status
+2009-03-04 18:08:46.991: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:08:46.991: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:46.991: debug: 	Writing key file "././example.net/dnskey.db"
+2009-03-04 18:08:46.992: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:08:46.992: debug: 	Signing zone "example.net."
+2009-03-04 18:08:46.993: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 0 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-03-04 18:08:47.149: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:08:47.149: debug: 	Signing completed after 1s.
+2009-03-04 18:08:47.149: debug: 
+2009-03-04 18:08:47.149: notice: end of run: 0 errors occured
+2009-03-04 18:08:59.141: notice: ------------------------------------------------------------
+2009-03-04 18:08:59.141: notice: running ../../dnssec-signer -f -v -v -N named.conf 
+2009-03-04 18:08:59.145: debug: parsing zone "sub.example.net." in dir "././sub.example.net"
+2009-03-04 18:08:59.145: debug: 	Check RFC5011 status
+2009-03-04 18:08:59.145: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-03-04 18:08:59.145: debug: 	Check KSK status
+2009-03-04 18:08:59.145: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 5d18h13m31s
+2009-03-04 18:08:59.145: debug: 	Check ZSK status
+2009-03-04 18:08:59.145: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:08:59.146: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-03-04 18:08:59.146: debug: 	Writing key file "././sub.example.net/dnskey.db"
+2009-03-04 18:08:59.146: debug: 	Signing zone "sub.example.net."
+2009-03-04 18:08:59.146: debug: 	  Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 945691 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-03-04 18:09:00.082: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.082: debug: 	Signing completed after 1s.
+2009-03-04 18:09:00.082: debug: 
+2009-03-04 18:09:00.083: debug: parsing zone "example.net." in dir "././example.net"
+2009-03-04 18:09:00.083: debug: 	Check RFC5011 status
+2009-03-04 18:09:00.083: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-03-04 18:09:00.083: debug: 	Check ZSK status
+2009-03-04 18:09:00.083: debug: 	Re-signing necessary: Option -f
+2009-03-04 18:09:00.083: notice: "example.net.": re-signing triggered: Option -f
+2009-03-04 18:09:00.083: debug: 	Writing key file "././example.net/dnskey.db"
+2009-03-04 18:09:00.084: debug: 	Incrementing serial number in file "././example.net/zone.db"
+2009-03-04 18:09:00.084: debug: 	Signing zone "example.net."
+2009-03-04 18:09:00.084: debug: 	  Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-03-04 18:09:00.238: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-03-04 18:09:00.238: debug: 	Signing completed after 0s.
+2009-03-04 18:09:00.238: debug: 
+2009-03-04 18:09:00.238: notice: end of run: 0 errors occured
+2009-06-15 09:58:41.205: notice: ------------------------------------------------------------
+2009-06-15 09:58:41.205: notice: running ../../dnssec-signer -v -v 
+2009-06-15 09:58:41.226: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-15 09:58:41.226: debug: 	Check RFC5011 status
+2009-06-15 09:58:41.226: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-15 09:58:41.226: debug: 	Check KSK status
+2009-06-15 09:58:41.227: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w3d9h3m13s
+2009-06-15 09:58:41.227: debug: 	Check ZSK status
+2009-06-15 09:58:41.227: debug: 	Lifetime(259200 +/-150 sec) of active key 32820 exceeded (8948694 sec)
+2009-06-15 09:58:41.227: debug: 		->depreciate it
+2009-06-15 09:58:41.227: debug: 		->activate published key 49656
+2009-06-15 09:58:41.227: notice: "sub.example.net.": lifetime of zone signing key 32820 exceeded: ZSK rollover done
+2009-06-15 09:58:41.227: debug: 	New key for publishing needed
+2009-06-15 09:58:41.346: debug: 		->creating new key 37135
+2009-06-15 09:58:41.346: info: "sub.example.net.": new key 37135 generated for publishing
+2009-06-15 09:58:41.346: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.346: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.346: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-15 09:58:41.346: debug: 	Signing zone "sub.example.net."
+2009-06-15 09:58:41.346: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 11D7FD -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-15 09:58:41.399: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.399: debug: 	Signing completed after 0s.
+2009-06-15 09:58:41.399: debug: 
+2009-06-15 09:58:41.399: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-15 09:58:41.399: debug: 	Check RFC5011 status
+2009-06-15 09:58:41.399: debug: zone "example.net.": found revoked key (id=1764 exptime=Feb 28 2009 12:31:28); waiting for remove hold down time
+2009-06-15 09:58:41.399: debug: 	Remove revoked key 1764 which is older than 30 days
+2009-06-15 09:58:41.400: notice: zone "example.net.": removing revoked key 1764
+2009-06-15 09:58:41.400: debug: 	Check ZSK status
+2009-06-15 09:58:41.400: debug: 	Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14547793 sec)
+2009-06-15 09:58:41.400: debug: 		->waiting for published key
+2009-06-15 09:58:41.400: notice: "example.net.": lifetime of zone signing key 4157 exceeded since 11w1d9h3m13s: ZSK rollover deferred: waiting for published key
+2009-06-15 09:58:41.400: debug: 	New key for publishing needed
+2009-06-15 09:58:41.499: debug: 		->creating new key 34925
+2009-06-15 09:58:41.499: info: "example.net.": new key 34925 generated for publishing
+2009-06-15 09:58:41.499: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-15 09:58:41.499: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-15 09:58:41.499: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-15 09:58:41.499: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-15 09:58:41.499: debug: 	Signing zone "example.net."
+2009-06-15 09:58:41.499: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-15 09:58:41.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-15 09:58:41.543: debug: 	Signing completed after 0s.
+2009-06-15 09:58:41.543: debug: 
+2009-06-15 09:58:41.543: notice: end of run: 0 errors occured
+2009-06-17 16:36:16.761: notice: ------------------------------------------------------------
+2009-06-17 16:36:16.761: notice: running ../../dnssec-signer -v -v 
+2009-06-17 16:36:16.792: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-17 16:36:16.792: debug: 	Check RFC5011 status
+2009-06-17 16:36:16.792: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-17 16:36:16.792: debug: 	Check KSK status
+2009-06-17 16:36:16.792: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 15w5d15h40m48s
+2009-06-17 16:36:16.792: debug: 	Check ZSK status
+2009-06-17 16:36:16.792: debug: 	Lifetime(390 sec) of depreciated key 32820 exceeded (196655 sec)
+2009-06-17 16:36:16.792: info: "sub.example.net.": old ZSK 32820 removed
+2009-06-17 16:36:16.792: debug: 		->remove it
+2009-06-17 16:36:16.792: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.792: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.792: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-17 16:36:16.793: debug: 	Signing zone "sub.example.net."
+2009-06-17 16:36:16.793: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 4214E6 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-17 16:36:16.984: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:16.984: debug: 	Signing completed after 0s.
+2009-06-17 16:36:16.984: debug: 
+2009-06-17 16:36:16.984: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-17 16:36:16.984: debug: 	Check RFC5011 status
+2009-06-17 16:36:16.984: debug: 	Check ZSK status
+2009-06-17 16:36:16.984: debug: 	Lifetime(7776000 +/-150 sec) of active key 4157 exceeded (14744448 sec)
+2009-06-17 16:36:16.984: debug: 		->depreciate it
+2009-06-17 16:36:16.984: debug: 		->activate published key 34925
+2009-06-17 16:36:16.984: notice: "example.net.": lifetime of zone signing key 4157 exceeded: ZSK rollover done
+2009-06-17 16:36:16.984: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-17 16:36:16.984: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-17 16:36:16.984: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-17 16:36:16.985: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-17 16:36:16.985: debug: 	Signing zone "example.net."
+2009-06-17 16:36:16.985: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-17 16:36:17.102: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-17 16:36:17.102: debug: 	Signing completed after 1s.
+2009-06-17 16:36:17.102: debug: 
+2009-06-17 16:36:17.102: notice: end of run: 0 errors occured
+2009-06-24 16:33:27.617: notice: ------------------------------------------------------------
+2009-06-24 16:33:27.617: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:33:27.619: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:33:27.619: debug: 	Check RFC5011 status
+2009-06-24 16:33:27.620: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:33:27.620: debug: 	Check KSK status
+2009-06-24 16:33:27.620: warning: "sub.example.net.": lifetime of key signing key 18846 exceeded since 16w5d15h37m59s
+2009-06-24 16:33:27.620: debug: 	Check ZSK status
+2009-06-24 16:33:27.620: debug: 	Lifetime(259200 +/-150 sec) of active key 49656 exceeded (801286 sec)
+2009-06-24 16:33:27.620: debug: 		->depreciate it
+2009-06-24 16:33:27.620: debug: 		->activate published key 37135
+2009-06-24 16:33:27.620: notice: "sub.example.net.": lifetime of zone signing key 49656 exceeded: ZSK rollover done
+2009-06-24 16:33:27.620: debug: 	New key for publishing needed
+2009-06-24 16:33:27.751: debug: 		->creating new key 25272
+2009-06-24 16:33:27.751: info: "sub.example.net.": new key 25272 generated for publishing
+2009-06-24 16:33:27.751: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.751: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.751: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:33:27.751: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:33:27.751: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50C9C8 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:33:27.859: error: "sub.example.net.": signing failed!
+2009-06-24 16:33:27.859: debug: 	Signing completed after 0s.
+2009-06-24 16:33:27.859: debug: 
+2009-06-24 16:33:27.859: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:33:27.859: debug: 	Check RFC5011 status
+2009-06-24 16:33:27.859: debug: 	Check ZSK status
+2009-06-24 16:33:27.859: debug: 	Lifetime(29100 sec) of depreciated key 4157 exceeded (604631 sec)
+2009-06-24 16:33:27.859: info: "example.net.": old ZSK 4157 removed
+2009-06-24 16:33:27.860: debug: 		->remove it
+2009-06-24 16:33:27.860: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-24 16:33:27.860: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:33:27.860: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 16:33:27.860: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:33:27.860: debug: 	Signing zone "example.net."
+2009-06-24 16:33:27.860: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-24 16:33:27.966: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:33:27.966: debug: 	Signing completed after 0s.
+2009-06-24 16:33:27.966: debug: 
+2009-06-24 16:33:27.966: notice: end of run: 1 error occured
+2009-06-24 16:42:06.709: notice: ------------------------------------------------------------
+2009-06-24 16:42:06.709: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:42:06.711: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:06.711: debug: 	Check RFC5011 status
+2009-06-24 16:42:06.711: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:06.711: debug: 	Check KSK status
+2009-06-24 16:42:06.711: debug: 	No active KSK found: generate new one
+2009-06-24 16:42:06.855: info: "sub.example.net.": generated new KSK 48516
+2009-06-24 16:42:06.855: debug: 	Check ZSK status
+2009-06-24 16:42:06.855: debug: 	No active ZSK found: generate new one
+2009-06-24 16:42:06.883: info: "sub.example.net.": generated new ZSK 33383
+2009-06-24 16:42:06.883: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-24 16:42:06.883: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:42:06.883: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:06.883: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:42:06.883: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:06.905: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:06.905: debug: 	Signing completed after 0s.
+2009-06-24 16:42:06.905: debug: 
+2009-06-24 16:42:06.905: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:06.905: debug: 	Check RFC5011 status
+2009-06-24 16:42:06.905: debug: 	Check ZSK status
+2009-06-24 16:42:06.905: debug: 	Re-signing not necessary!
+2009-06-24 16:42:06.905: debug: 	Check if there is a parent file to copy
+2009-06-24 16:42:06.905: debug: 
+2009-06-24 16:42:06.905: notice: end of run: 1 error occured
+2009-06-24 16:42:31.402: notice: ------------------------------------------------------------
+2009-06-24 16:42:31.402: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:42:31.404: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:31.404: debug: 	Check RFC5011 status
+2009-06-24 16:42:31.404: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:31.404: debug: 	Check KSK status
+2009-06-24 16:42:31.404: debug: 	Check ZSK status
+2009-06-24 16:42:31.404: debug: 	Re-signing necessary: Modified keys
+2009-06-24 16:42:31.405: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:31.405: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:31.405: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:42:31.405: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:31.449: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:31.450: debug: 	Signing completed after 0s.
+2009-06-24 16:42:31.450: debug: 
+2009-06-24 16:42:31.450: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:31.450: debug: 	Check RFC5011 status
+2009-06-24 16:42:31.450: debug: 	Check ZSK status
+2009-06-24 16:42:31.450: debug: 	Re-signing not necessary!
+2009-06-24 16:42:31.450: debug: 	Check if there is a parent file to copy
+2009-06-24 16:42:31.450: debug: 
+2009-06-24 16:42:31.450: notice: end of run: 1 error occured
+2009-06-24 16:42:48.193: notice: ------------------------------------------------------------
+2009-06-24 16:42:48.193: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:42:48.195: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:42:48.195: debug: 	Check RFC5011 status
+2009-06-24 16:42:48.195: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:42:48.195: debug: 	Check KSK status
+2009-06-24 16:42:48.195: debug: 	Check ZSK status
+2009-06-24 16:42:48.195: debug: 	Re-signing necessary: Modified keys
+2009-06-24 16:42:48.195: notice: "sub.example.net.": re-signing triggered: Modified keys
+2009-06-24 16:42:48.195: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:42:48.195: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:42:48.195: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 F46ADF -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:42:48.212: error: "sub.example.net.": signing failed!
+2009-06-24 16:42:48.212: debug: 	Signing completed after 0s.
+2009-06-24 16:42:48.212: debug: 
+2009-06-24 16:42:48.212: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:42:48.212: debug: 	Check RFC5011 status
+2009-06-24 16:42:48.212: debug: 	Check ZSK status
+2009-06-24 16:42:48.212: debug: 	Re-signing not necessary!
+2009-06-24 16:42:48.212: debug: 	Check if there is a parent file to copy
+2009-06-24 16:42:48.212: debug: 
+2009-06-24 16:42:48.212: notice: end of run: 1 error occured
+2009-06-24 16:44:22.959: notice: ------------------------------------------------------------
+2009-06-24 16:44:22.959: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:44:22.961: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:44:22.961: debug: 	Check RFC5011 status
+2009-06-24 16:44:22.961: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:44:22.961: debug: 	Check KSK status
+2009-06-24 16:44:22.961: debug: 	Check ZSK status
+2009-06-24 16:44:22.961: debug: 	No active ZSK found: generate new one
+2009-06-24 16:44:23.008: info: "sub.example.net.": generated new ZSK 14600
+2009-06-24 16:44:23.008: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-24 16:44:23.008: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-24 16:44:23.009: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:44:23.009: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:44:23.009: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86BF2F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:44:23.040: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:44:23.040: debug: 	Signing completed after 0s.
+2009-06-24 16:44:23.040: debug: 
+2009-06-24 16:44:23.040: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:44:23.040: debug: 	Check RFC5011 status
+2009-06-24 16:44:23.040: debug: 	Check ZSK status
+2009-06-24 16:44:23.040: debug: 	Re-signing not necessary!
+2009-06-24 16:44:23.040: debug: 	Check if there is a parent file to copy
+2009-06-24 16:44:23.040: debug: 
+2009-06-24 16:44:23.040: notice: end of run: 0 errors occured
+2009-06-24 16:50:36.189: notice: ------------------------------------------------------------
+2009-06-24 16:50:36.189: notice: running ../../dnssec-signer -v -v 
+2009-06-24 16:50:36.191: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:36.191: debug: 	Check RFC5011 status
+2009-06-24 16:50:36.191: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:36.191: debug: 	Check KSK status
+2009-06-24 16:50:36.192: debug: 	Check ZSK status
+2009-06-24 16:50:36.192: debug: 	Re-signing not necessary!
+2009-06-24 16:50:36.192: debug: 	Check if there is a parent file to copy
+2009-06-24 16:50:36.192: debug: 
+2009-06-24 16:50:36.192: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:36.192: debug: 	Check RFC5011 status
+2009-06-24 16:50:36.192: debug: 	Check ZSK status
+2009-06-24 16:50:36.193: debug: 	Re-signing not necessary!
+2009-06-24 16:50:36.193: debug: 	Check if there is a parent file to copy
+2009-06-24 16:50:36.193: debug: 
+2009-06-24 16:50:36.193: notice: end of run: 0 errors occured
+2009-06-24 16:50:42.877: notice: ------------------------------------------------------------
+2009-06-24 16:50:42.877: notice: running ../../dnssec-signer -v -v -f 
+2009-06-24 16:50:42.879: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:42.879: debug: 	Check RFC5011 status
+2009-06-24 16:50:42.879: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:42.879: debug: 	Check KSK status
+2009-06-24 16:50:42.879: debug: 	Check ZSK status
+2009-06-24 16:50:42.879: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:50:42.879: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.879: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:42.879: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:50:42.879: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 FB37DB -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:42.932: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.932: debug: 	Signing completed after 0s.
+2009-06-24 16:50:42.932: debug: 
+2009-06-24 16:50:42.932: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:42.932: debug: 	Check RFC5011 status
+2009-06-24 16:50:42.932: debug: 	Check ZSK status
+2009-06-24 16:50:42.932: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:50:42.932: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:42.932: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:42.933: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:42.933: debug: 	Signing zone "example.net."
+2009-06-24 16:50:42.933: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-24 16:50:42.978: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:42.978: debug: 	Signing completed after 0s.
+2009-06-24 16:50:42.978: debug: 
+2009-06-24 16:50:42.979: notice: end of run: 0 errors occured
+2009-06-24 16:50:51.923: notice: ------------------------------------------------------------
+2009-06-24 16:50:51.923: notice: running ../../dnssec-signer -v -v -f 
+2009-06-24 16:50:51.924: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:50:51.924: debug: 	Check RFC5011 status
+2009-06-24 16:50:51.924: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:50:51.924: debug: 	Check KSK status
+2009-06-24 16:50:51.924: debug: 	Check ZSK status
+2009-06-24 16:50:51.925: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:50:51.925: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.925: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:50:51.925: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:50:51.925: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E830EA -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:50:51.972: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:51.973: debug: 	Signing completed after 0s.
+2009-06-24 16:50:51.973: debug: 
+2009-06-24 16:50:51.973: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:50:51.973: debug: 	Check RFC5011 status
+2009-06-24 16:50:51.973: debug: 	Check ZSK status
+2009-06-24 16:50:51.973: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:50:51.973: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:50:51.973: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 16:50:51.973: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:50:51.973: debug: 	Signing zone "example.net."
+2009-06-24 16:50:51.973: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-24 16:50:52.017: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:50:52.017: debug: 	Signing completed after 1s.
+2009-06-24 16:50:52.017: debug: 
+2009-06-24 16:50:52.017: notice: end of run: 0 errors occured
+2009-06-24 16:51:19.914: notice: ------------------------------------------------------------
+2009-06-24 16:51:19.914: notice: running ../../dnssec-signer -v -v -f 
+2009-06-24 16:51:19.916: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:51:19.916: debug: 	Check RFC5011 status
+2009-06-24 16:51:19.916: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:51:19.916: debug: 	Check KSK status
+2009-06-24 16:51:19.916: debug: 	Check ZSK status
+2009-06-24 16:51:19.916: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:51:19.916: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.916: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:51:19.917: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:51:19.917: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 8DBC26 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private"
+2009-06-24 16:51:19.969: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:19.969: debug: 	Signing completed after 0s.
+2009-06-24 16:51:19.969: debug: 
+2009-06-24 16:51:19.969: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:51:19.969: debug: 	Check RFC5011 status
+2009-06-24 16:51:19.969: debug: 	Check ZSK status
+2009-06-24 16:51:19.969: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:51:19.969: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:51:19.969: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 16:51:19.969: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:51:19.969: debug: 	Signing zone "example.net."
+2009-06-24 16:51:19.969: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private"
+2009-06-24 16:51:20.018: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 16:51:20.018: debug: 	Signing completed after 1s.
+2009-06-24 16:51:20.018: debug: 
+2009-06-24 16:51:20.018: notice: end of run: 0 errors occured
+2009-06-24 16:55:38.094: notice: ------------------------------------------------------------
+2009-06-24 16:55:38.094: notice: running ../../dnssec-signer -v -v -f 
+2009-06-24 16:55:38.096: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 16:55:38.096: debug: 	Check RFC5011 status
+2009-06-24 16:55:38.096: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 16:55:38.096: debug: 	Check KSK status
+2009-06-24 16:55:38.096: debug: 	Check ZSK status
+2009-06-24 16:55:38.096: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:55:38.096: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.096: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 16:55:38.097: debug: 	Signing zone "sub.example.net."
+2009-06-24 16:55:38.097: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 69AB8E -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 16:55:38.144: debug: 	  Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: NSEC3RSASHA1."
+2009-06-24 16:55:38.144: debug: 	Signing completed after 0s.
+2009-06-24 16:55:38.144: debug: 
+2009-06-24 16:55:38.144: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 16:55:38.144: debug: 	Check RFC5011 status
+2009-06-24 16:55:38.144: debug: 	Check ZSK status
+2009-06-24 16:55:38.144: debug: 	Re-signing necessary: Option -f
+2009-06-24 16:55:38.144: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 16:55:38.144: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 16:55:38.144: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 16:55:38.144: debug: 	Signing zone "example.net."
+2009-06-24 16:55:38.144: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2009-06-24 16:55:38.182: debug: 	  Cmd dnssec-signzone return: "Verifying the zone using the following algorithms: RSASHA1."
+2009-06-24 16:55:38.182: debug: 	Signing completed after 0s.
+2009-06-24 16:55:38.182: debug: 
+2009-06-24 16:55:38.182: notice: end of run: 0 errors occured
+2009-06-24 17:12:06.145: notice: ------------------------------------------------------------
+2009-06-24 17:12:06.145: notice: running ../../dnssec-signer -v -v -f 
+2009-06-24 17:12:06.147: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-24 17:12:06.147: debug: 	Check RFC5011 status
+2009-06-24 17:12:06.147: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-24 17:12:06.147: debug: 	Check KSK status
+2009-06-24 17:12:06.147: debug: 	Check ZSK status
+2009-06-24 17:12:06.147: debug: 	Re-signing necessary: Option -f
+2009-06-24 17:12:06.147: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-24 17:12:06.147: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-24 17:12:06.147: debug: 	Signing zone "sub.example.net."
+2009-06-24 17:12:06.147: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 589BFC -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-24 17:12:06.204: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 17:12:06.204: debug: 	Signing completed after 0s.
+2009-06-24 17:12:06.204: debug: 
+2009-06-24 17:12:06.204: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-24 17:12:06.204: debug: 	Check RFC5011 status
+2009-06-24 17:12:06.204: debug: 	Check ZSK status
+2009-06-24 17:12:06.204: debug: 	Re-signing necessary: Option -f
+2009-06-24 17:12:06.205: notice: "example.net.": re-signing triggered: Option -f
+2009-06-24 17:12:06.205: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-24 17:12:06.205: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-24 17:12:06.205: debug: 	Signing zone "example.net."
+2009-06-24 17:12:06.205: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2009-06-24 17:12:06.259: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-24 17:12:06.259: debug: 	Signing completed after 0s.
+2009-06-24 17:12:06.259: debug: 
+2009-06-24 17:12:06.259: notice: end of run: 0 errors occured
+2009-06-30 11:35:09.298: notice: ------------------------------------------------------------
+2009-06-30 11:35:09.298: notice: running ../../dnssec-signer -v -v 
+2009-06-30 11:35:09.326: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 11:35:09.326: debug: 	Check RFC5011 status
+2009-06-30 11:35:09.326: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 11:35:09.326: debug: 	Check KSK status
+2009-06-30 11:35:09.326: debug: 	Check ZSK status
+2009-06-30 11:35:09.326: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (499847 sec)
+2009-06-30 11:35:09.326: debug: 		->waiting for published key
+2009-06-30 11:35:09.326: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d18h50m47s: ZSK rollover deferred: waiting for published key
+2009-06-30 11:35:09.326: debug: 	New key for publishing needed
+2009-06-30 11:35:09.482: debug: 		->creating new key 32345
+2009-06-30 11:35:09.482: info: "sub.example.net.": new key 32345 generated for publishing
+2009-06-30 11:35:09.482: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-30 11:35:09.483: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 11:35:09.483: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 11:35:09.483: debug: 	Signing zone "sub.example.net."
+2009-06-30 11:35:09.483: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 E84B0F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 11:35:09.838: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 11:35:09.838: debug: 	Signing completed after 0s.
+2009-06-30 11:35:09.838: debug: 
+2009-06-30 11:35:09.838: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 11:35:09.838: debug: 	Check RFC5011 status
+2009-06-30 11:35:09.838: debug: 	Check ZSK status
+2009-06-30 11:35:09.838: debug: 	New key for publishing needed
+2009-06-30 11:35:09.896: debug: 		->creating new key 48089
+2009-06-30 11:35:09.896: info: "example.net.": new key 48089 generated for publishing
+2009-06-30 11:35:09.896: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-30 11:35:09.897: notice: "example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 11:35:09.897: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-30 11:35:09.897: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 11:35:09.897: debug: 	Signing zone "example.net."
+2009-06-30 11:35:09.897: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2009-06-30 11:35:09.997: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 11:35:09.997: debug: 	Signing completed after 0s.
+2009-06-30 11:35:09.997: debug: 
+2009-06-30 11:35:09.997: notice: end of run: 0 errors occured
+2009-06-30 12:01:53.878: notice: ------------------------------------------------------------
+2009-06-30 12:01:53.878: notice: running ../../dnssec-signer -v -v 
+2009-06-30 12:01:53.880: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 12:01:53.881: debug: 	Check RFC5011 status
+2009-06-30 12:01:53.881: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 12:01:53.881: debug: 	Check KSK status
+2009-06-30 12:01:53.881: debug: 	Check ZSK status
+2009-06-30 12:01:53.881: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501451 sec)
+2009-06-30 12:01:53.881: debug: 		->waiting for published key
+2009-06-30 12:01:53.881: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m31s: ZSK rollover deferred: waiting for published key
+2009-06-30 12:01:53.881: debug: 	Re-signing not necessary!
+2009-06-30 12:01:53.881: debug: 	Check if there is a parent file to copy
+2009-06-30 12:01:53.881: debug: 
+2009-06-30 12:01:53.881: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 12:01:53.881: debug: 	Check RFC5011 status
+2009-06-30 12:01:53.881: debug: 	Check ZSK status
+2009-06-30 12:01:53.881: debug: 	Re-signing not necessary!
+2009-06-30 12:01:53.881: debug: 	Check if there is a parent file to copy
+2009-06-30 12:01:53.881: debug: 
+2009-06-30 12:01:53.881: notice: end of run: 0 errors occured
+2009-06-30 12:02:05.490: notice: ------------------------------------------------------------
+2009-06-30 12:02:05.490: notice: running ../../dnssec-signer -f -v -v 
+2009-06-30 12:02:05.492: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 12:02:05.492: debug: 	Check RFC5011 status
+2009-06-30 12:02:05.492: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 12:02:05.492: debug: 	Check KSK status
+2009-06-30 12:02:05.492: debug: 	Check ZSK status
+2009-06-30 12:02:05.492: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (501463 sec)
+2009-06-30 12:02:05.492: debug: 		->waiting for published key
+2009-06-30 12:02:05.492: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded since 2d19h17m43s: ZSK rollover deferred: waiting for published key
+2009-06-30 12:02:05.492: debug: 	Re-signing necessary: Option -f
+2009-06-30 12:02:05.492: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-30 12:02:05.492: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 12:02:05.492: debug: 	Signing zone "sub.example.net."
+2009-06-30 12:02:05.492: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 50B303 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 12:02:05.543: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 12:02:05.543: debug: 	Signing completed after 0s.
+2009-06-30 12:02:05.543: debug: 
+2009-06-30 12:02:05.543: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 12:02:05.543: debug: 	Check RFC5011 status
+2009-06-30 12:02:05.543: debug: 	Check ZSK status
+2009-06-30 12:02:05.543: debug: 	Re-signing necessary: Option -f
+2009-06-30 12:02:05.543: notice: "example.net.": re-signing triggered: Option -f
+2009-06-30 12:02:05.543: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-30 12:02:05.544: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 12:02:05.544: debug: 	Signing zone "example.net."
+2009-06-30 12:02:05.544: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2009-06-30 12:02:05.602: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 12:02:05.602: debug: 	Signing completed after 0s.
+2009-06-30 12:02:05.602: debug: 
+2009-06-30 12:02:05.602: notice: end of run: 0 errors occured
+2009-06-30 13:02:04.436: notice: ------------------------------------------------------------
+2009-06-30 13:02:04.436: notice: running ../../dnssec-signer -v -v 
+2009-06-30 13:02:04.438: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 13:02:04.438: debug: 	Check RFC5011 status
+2009-06-30 13:02:04.438: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 13:02:04.438: debug: 	Check KSK status
+2009-06-30 13:02:04.438: debug: 	Check ZSK status
+2009-06-30 13:02:04.438: debug: 	Lifetime(259200 +/-150 sec) of active key 14600 exceeded (505062 sec)
+2009-06-30 13:02:04.438: debug: 		->depreciate it
+2009-06-30 13:02:04.439: debug: 		->activate published key 32345
+2009-06-30 13:02:04.439: notice: "sub.example.net.": lifetime of zone signing key 14600 exceeded: ZSK rollover done
+2009-06-30 13:02:04.439: debug: 	Re-signing necessary: Modfied zone key set
+2009-06-30 13:02:04.439: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
+2009-06-30 13:02:04.439: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 13:02:04.439: debug: 	Signing zone "sub.example.net."
+2009-06-30 13:02:04.439: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 0140D2 -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 13:02:04.491: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:04.491: debug: 	Signing completed after 0s.
+2009-06-30 13:02:04.491: debug: 
+2009-06-30 13:02:04.491: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 13:02:04.491: debug: 	Check RFC5011 status
+2009-06-30 13:02:04.491: debug: 	Check ZSK status
+2009-06-30 13:02:04.491: debug: 	Re-signing not necessary!
+2009-06-30 13:02:04.491: debug: 	Check if there is a parent file to copy
+2009-06-30 13:02:04.491: debug: 
+2009-06-30 13:02:04.491: notice: end of run: 0 errors occured
+2009-06-30 13:02:21.019: notice: ------------------------------------------------------------
+2009-06-30 13:02:21.019: notice: running ../../dnssec-signer -f -v -v 
+2009-06-30 13:02:21.021: debug: parsing zone "sub.example.net." in dir "./sub.example.net"
+2009-06-30 13:02:21.021: debug: 	Check RFC5011 status
+2009-06-30 13:02:21.021: debug: 		->not a rfc5011 zone, looking for a regular ksk rollover
+2009-06-30 13:02:21.021: debug: 	Check KSK status
+2009-06-30 13:02:21.021: debug: 	Check ZSK status
+2009-06-30 13:02:21.022: debug: 	Re-signing necessary: Option -f
+2009-06-30 13:02:21.022: notice: "sub.example.net.": re-signing triggered: Option -f
+2009-06-30 13:02:21.022: debug: 	Writing key file "./sub.example.net/dnskey.db"
+2009-06-30 13:02:21.022: debug: 	Signing zone "sub.example.net."
+2009-06-30 13:02:21.022: debug: 	  Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 86F43F -g -p -d ../keysets -o sub.example.net. -e +172800 -l dlv.trusted-keys.de -N unixtime zone.db K*.private 2>&1"
+2009-06-30 13:02:21.070: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:21.070: debug: 	Signing completed after 0s.
+2009-06-30 13:02:21.070: debug: 
+2009-06-30 13:02:21.070: debug: parsing zone "example.net." in dir "./example.net"
+2009-06-30 13:02:21.070: debug: 	Check RFC5011 status
+2009-06-30 13:02:21.070: debug: 	Check ZSK status
+2009-06-30 13:02:21.070: debug: 	Re-signing necessary: Option -f
+2009-06-30 13:02:21.070: notice: "example.net.": re-signing triggered: Option -f
+2009-06-30 13:02:21.071: debug: 	Writing key file "./example.net/dnskey.db"
+2009-06-30 13:02:21.071: debug: 	Incrementing serial number in file "./example.net/zone.db"
+2009-06-30 13:02:21.071: debug: 	Signing zone "example.net."
+2009-06-30 13:02:21.071: debug: 	  Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -g -p -d ../keysets -o example.net. -e +518400  zone.db K*.private 2>&1"
+2009-06-30 13:02:21.121: debug: 	  Cmd dnssec-signzone return: "zone.db.signed"
+2009-06-30 13:02:21.121: debug: 	Signing completed after 0s.
+2009-06-30 13:02:21.121: debug: 
+2009-06-30 13:02:21.121: notice: end of run: 0 errors occured
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key
deleted file mode 100644
index 554986d50e..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20080914221502
-;%	lifetime=90d
-example.de. IN DNSKEY  256 3 5 BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private
deleted file mode 100644
index dda12aa89c..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+11327.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 5 (RSASHA1)
-Modulus: qbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: h7mIMjyW6H7MpJIYWhTgerkh5pR9LbSJbuA/cKp9AU18blpyk4xOzIYGw0SXBqFezHpF0I6BEzSikgwyF1RDAQ==
-Prime1: 1YdJ1XTzsyvAgEjhutvSA4RSkCyPGsTZ81wxZcifWtE=
-Prime2: y3EofwE/nv2kF6/I2STrb3A8gbsBx5D4/6SiKFuHDg0=
-Exponent1: vjWx9G8qNVnlPPWD9uc/6um1vS2+yvriFV3MIMIZL/E=
-Exponent2: o/Jlw/TZ/IrlSvzNCc+xeF8qpip51onZ6fOFFjQ+QQ==
-Coefficient: K/UescJkRXWQr6FmABrKx3kalg748qkaWqvrY101OeY=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
new file mode 100644
index 0000000000..d59a22387b
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090615065826
+;%	lifetime=28d
+example.de. IN DNSKEY  256 3 5 BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
new file mode 100644
index 0000000000..e9662eb0d2
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: ty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: Sgdg/vt18JrFh/MgiSh6g/DUiIosmsQlu5QWp5Zep+rUNf0aUZkS4ywyMGGlfUE4LyzvAJD8HkxI3/Xt8rIm1Q==
+Prime1: 3TyP1P5STSSTQDaPCYf/H6kJZ92k9X9OaGLoZHSjQoM=
+Prime2: 0/bjZ7845gImcCtvCthOPQMiVZcAhEzlrS8A6bs7I2c=
+Exponent1: OjNeVeQqqqpfClERHq9yR/OmkMQBY7Zw5ArUZNCbXG0=
+Exponent2: mEFLtn8DnI1G8b583qzvs5Qwa9cYjTiZU3WHjs6ROfc=
+Coefficient: IT6JOaFB5uiS9EzlTAA1zJD44EpkTAggFoPkRfJG4Ao=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
index 6fb2c44a13..71d47f267f 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
+++ b/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
@@ -2,11 +2,11 @@
 ;	!!! Don't edit this file by hand.
 ;	!!! It will be generated by dnssec-signer.
 ;
-;	 Last generation time Dec 28 2008 23:06:40
+;	 Last generation time Jul 04 2009 01:30:24
 ;
 
 ;  ***  List of Key Signing Keys  ***
-; example.de.  tag=47280  algo=RSASHA1  generated Nov 16 2008 19:00:40
+; example.de.  tag=47280  algo=RSASHA1  generated Dec 28 2008 23:55:28
 example.de. 3600 IN DNSKEY  257 3 5 (
 			BQEAAAABDV7kFHqVcWLoSAShdlXU5LKUdyU4LlsJGYMr8oIpjEzvwonR
 			mX5pRiEjVhTwx+vx6eWluv6txXVu+F0g2ykmqUQdMfPYWmD9AJOqvc2t
@@ -15,7 +15,7 @@ example.de. 3600 IN DNSKEY  257 3 5 (
 			uw==
 		) ; key id = 47280
 
-; example.de.  tag=37983  algo=RSASHA1  generated Nov 16 2008 19:00:40
+; example.de.  tag=37983  algo=RSASHA1  generated Dec 28 2008 23:55:28
 example.de. 3600 IN DNSKEY  257 3 5 (
 			BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+Nvz17GBu85jmigMuvZQU
 			YZBVUmJNNBbCNStlz+Y+1pGg9HbWFvn0tpH/bm4mZPlJmk+WxQhHz7eT
@@ -25,9 +25,9 @@ example.de. 3600 IN DNSKEY  257 3 5 (
 		) ; key id = 37983
 
 ; ***  List of Zone Signing Keys  ***
-; example.de.  tag=11327  algo=RSASHA1  generated Nov 16 2008 19:00:40
+; example.de.  tag=55529  algo=RSASHA1  generated Jun 24 2009 17:12:33
 example.de. 3600 IN DNSKEY  256 3 5 (
-			BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchYFYUD2lnvJKeq7ATwesuR
-			Npn17Erjz09GhDn9l2J92dAy8m4uofcdFkYKnQ==
-		) ; key id = 11327
+			BQEAAAABty5HRSBzUDY5SVgORw+KKE64SjmqEpFtFNiG4JOre/bnmzAC
+			XE/jgr5BK4Fd1hqBk/zizzUe4+dbj+jORPirtQ==
+		) ; key id = 55529
 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
index 27cb7b9e8f..9b0fba30be 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
+++ b/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
@@ -1,7 +1,7 @@
 ; KSK rollover phase2 (this is the new key)
 sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
-			pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
-			cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
-			GLv3a4BbGFc=
-		) ; key id = 56595
+			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+			04a9eVgvhME=
+		) ; key id = 26451
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key
deleted file mode 100644
index 19151efec3..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081228220640
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 1 BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published
deleted file mode 100644
index ea99d83d83..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: uXBzw9Ow7+rVGZ4XZlUjLoBxRUAdN207E+mvZ+OadkH4f7l3PNYJYVn2hTvTZb8v6vhKc/sOoenMRAMavK2oCQ==
-Prime1: 97fUb9zU6zIQ6P53ykjHwpMriBptXWkqH4LUKrtqAYs=
-Prime2: 8Q9XIHa/vuddNXGbnv1WjhQ+BLULtEHoAor6Zz/AczM=
-Exponent1: lys3DhbjPd0964qLcwyI0qZ5lMviMzFBbB/IOthfYnc=
-Exponent2: 2csu2XGtql2o+T1SXeXc6JtC8prIJ+mJuXa0FapeHBc=
-Coefficient: 0+x8jSWVmxWNuZlQNW0mZBFS5cEgll+u0t17KXdh6nI=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
new file mode 100644
index 0000000000..2448a3d3d0
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090624151233
+;%	lifetime=2d
+sub.example.de. IN DNSKEY  256 3 1 BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+ 2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
new file mode 100644
index 0000000000..e3416b959a
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: uRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+PublicExponent: AQAAAAE=
+PrivateExponent: aSzCu6CvJa0ABmgFOLLsIpvCHkuGUUszn56T6JrEqbFrVapdYaYlaw76m6aQ/esEx5jRqBjmbjTlbI3mtblxQQ==
+Prime1: 6k517gzC9UDjFcveMB+lfD18Q/2SO3yiy+ugDdxtzok=
+Prime2: yjLNwFrUyQvebLb3EeUpvaPyFAru/KFhbskaGlKUfkk=
+Exponent1: xMVCDp0L87uIsqvOGWoXvzO5uyK1ING1Eff/EAwWCzE=
+Exponent2: g4KaqnwxQrZdgAPma04NWpQk7vEgzKdKOBCVILhW+QE=
+Coefficient: fZsDNVAIdQYAD281j3BfVnraBU/jnNTCxxz/zAKJexw=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
new file mode 100644
index 0000000000..901a1ff9a1
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090615065624
+;%	lifetime=2d
+sub.example.de. IN DNSKEY  256 3 1 BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
new file mode 100644
index 0000000000..ea34cfeae6
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: stcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+PublicExponent: AQAAAAE=
+PrivateExponent: p47j7xj0y+cF9AFjsRfak8KNTAyzUmw31PNlocOWNArcC7YzNA/E1xdjsdTICI6f47Ozuk0XSCS26Evd9D0UIQ==
+Prime1: 40dBU3fjj3rXcUO9bgSVeMwJjbeXFi+x8WZ5v0UQjPE=
+Prime2: yXC+OLWVbVu0NOCHolcQfyk2SepCknuZZ/DCn3j2+zs=
+Exponent1: hlGqyB1o6RWsLL3V2bTKssQYn6smvuUCHQrdyWira/E=
+Exponent2: xKKBa6eOsCOygJAI9OK8k1jUp8HQKQTNUJ3lUWEVn88=
+Coefficient: pCt9BOElLNatY5c0uSpUav2GbAyIkJ6ngFLj39q4Om8=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key
deleted file mode 100644
index 16443f991b..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081216163027
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 1 BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw 9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private
deleted file mode 100644
index fe9768c2f4..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
-PublicExponent: AQAAAAE=
-PrivateExponent: pqVDVhiSmZyjz4IM3xFkks4yc4MToD2EWbPKp4j8v4RETHjec3F9YYIMpkGaYoNqkx3+yvWpYPPy4YideIu3wQ==
-Prime1: +1CFbP41B3shnGApkHvZYr3439pvg5KO60ykyewDDUU=
-Prime2: 5+EDE42uEwgwiaPs+n4hXruj+K3ewL7cTY1HS7rPpWk=
-Exponent1: tuWKUuBr0ajPkrvq1OdN0EcuggHhuizHNMl9ApAxBYU=
-Exponent2: CHyQ5qkbFlgzbbfyXvjS6aonXu0vRQXN6xEpDrTAiek=
-Coefficient: i4dbOUlePz8KFhOt0/8FImz2TAd2zZ0hryj4uAQbtUY=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated
deleted file mode 100644
index 08c0368df6..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: mjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
-PublicExponent: AQAAAAE=
-PrivateExponent: MPsUwCUqooIUfhCOmRxnn6ZhxzH+CpJOfJ1K0njPwjaQKm8ACnVpM7Fr3mv5b9m0TXNn3jpfQgD+mHzopnR8gQ==
-Prime1: y24Ur3BJ40hhvFGqAPXaUEJcrEZIy4aCq2TxRSfFWs8=
-Prime2: whV4QY7Syoe/CDglpRb/X1ZROUYNLo1y+uXMoSNtaYU=
-Exponent1: DQywtacomS2IXan7sOtmkcWxxe7P6jTtI5KjlN4IhD0=
-Exponent2: N/KfPaxytWiti6+d2E9B00TCwndDQq/vnJ2iYGdNp9k=
-Coefficient: Lp80HvUH/WDwsH1akU1UWbN2n4m3g/hLtihVVuzf0s0=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key
deleted file mode 100644
index d5ded3a052..0000000000
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key
+++ /dev/null
@@ -1,3 +0,0 @@
-;%	generationtime=20081120072448
-;%	lifetime=2d
-sub.example.de. IN DNSKEY  256 3 1 BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
new file mode 100644
index 0000000000..eb466736a1
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090703233023
+;%	lifetime=5d
+sub.example.de. IN DNSKEY  257 3 1 BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ jyZPu//rrNM=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
new file mode 100644
index 0000000000..819b8ec9e5
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: xmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+PublicExponent: AQAAAAE=
+PrivateExponent: XlDWosjdpEbIW8ZRePu+4sLTs+RCmA9bvovqke/u0Ihkf6zWx6J2DnYj182ohyoJlVr1NnLILTkNhJn6JI0uBqJ7KRDVXl+U2mHnQNwGqbBu2X7Jie4xFMp233n6Z/HNpj5RM5THQ5tFEJk+TIvq/Hm9z8fvAaeYnHVhrTTJL8E=
+Prime1: /igp3zZZKfWKdgOkCgHxL8hHemOTtGfEpi6ZYkffjLKiSOZJdMNHjLXEBCxsYN/z0nB0XXhIbSoUAv/EQVoiGw==
+Prime2: x9Fnz8jP/a1OIK9P0BDnEmjXFB8oa5T9/qpKGA39mH/8qUnlrjlXOYfD/3tWSdEJYFVVnfC5j+toAL+S0xwLqQ==
+Exponent1: 8Jzwnn7H+XAirDxPLBq1LUGyVU6HwB5iBzomgzRwIYcVyZ42703Hj+EWJDDcA8do637glysqT+TJspaoJHwOLQ==
+Exponent2: AcOgKCzXdN3++cGAJxOS/MSETfFCWn1msgTeTw744kqGLVdnN3qX5yXGrneVjZGziKYLzLnKOs07AkT2uthRuQ==
+Coefficient: czI2hMFi9kfCMkcNwKWk+3sGUD7bXNI7HVmkTS6dnCmB6jGIlN3gtqDlNFLd7RcHhicOMGpIHE6JVT8vSkfouA==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
new file mode 100644
index 0000000000..66523d4e1c
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090630103352
+;%	lifetime=5d
+sub.example.de. IN DNSKEY  257 3 5 BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp 3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878 vlXrwWNo4Pk=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
new file mode 100644
index 0000000000..fd15204068
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: tnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+PublicExponent: AQAAAAE=
+PrivateExponent: WGyscUMH71EaEXIbZdRFZ6J951l/3sXPtaivtQkOHt0E0bmHhqqqLta8HN/2xZR0w1+W/VAV6sCHXoTzhs82qUQOV6QpkR2tmN+etB/CNdGKrT+VvXrD75TJbCeegPeCvjnWbivAsmC2l46ogTMY0M1VZxJrWPKxpmEeQhxNFz0=
+Prime1: 5s6qRA7112fgOe/e+nq85LK/PkwOOoyOabhoJOL7I/5i9F5eBWBel4PCEaemGrGNk0zKqRFmE/Zs4DU2JsUMGw==
+Prime2: yl1x7nEIDegqhVwO/dvATBC0v8oVNRmqo8aBB/6apdOcuToBTSPrq+qPnq3ehRNK2Oz4CVYtoNtF9Xt+GtUwew==
+Exponent1: WoQRwLNR/Gu7SXDr4Y6A6eZ4YmwPqeistIcAmUaDxFREAn6eDxTJVA/tYeDKZ8L8sREOsdURTzkdePR+fHF/6w==
+Exponent2: U3eTb0W5WVGW+v7jyBGlzoZciU7nZNajKLo0X6GriGfpcfctnjsSQL3hjQzZRk0y7YIIdgtv0ApV5iTmQ9FUvw==
+Coefficient: hdjOg1UkqrwW5sVyS4o1KEW0Sipue+s3O8AZ11BVa2jt6ijqazZRQTMQBSoRpu8N+h5+jA1CvJmXUYTCRocSew==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
new file mode 100644
index 0000000000..abcbd117d9
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090615065826
+;%	lifetime=5d
+sub.example.de. IN DNSKEY  257 3 5 BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY 04a9eVgvhME=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
new file mode 100644
index 0000000000..78a8c1f19d
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: u2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBznW7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+PublicExponent: AQAAAAE=
+PrivateExponent: opFdHZAmZ2/cdNYkJs+CD0jU3nK/atMHKnKtsczlAC7p4eqmS2vRj54oe+yG204gZ3yzLp6yIp3TALfutc5HICmuyfMUdliiaUn3dcbzcc6QK9XgcEJPSz2X5Ot04CdgafNZ5g6s4r2zWSSRBYsZtCeZbevIH4KJcJjh/D5IDF0=
+Prime1: 7SZBGa/9lloRYImdEH5auLkCDGezv+AGKFtMm/UjQ8KwezpxtjFz+KsWckEtyUkDIIPWAQ3t4iND118Nb7L8Uw==
+Prime2: ykU794Iygwej+0ZsLsDju3Iulniy2qtvQ4CrS6zu6D0BzuiQyAEI9V1PThMnIfHlIA3g8rGRK8AAARiCrNh4Gw==
+Exponent1: tcJZs75GusGfQ7z3N//r+rp67thZlOV3RY//4mm+t3Hg4qZEw02A9kSmNdiBb0VzVhKIHd3OFvXCkdKa5fj6Qw==
+Exponent2: nyGlgUHTHESEFHfdJEIxVvRNa12iG179Mfu7ytWNpKUV9EvAP1WfyoGlLEmhhwENii/xK1e4qwxNk1yjBtQ8CQ==
+Coefficient: r2Nfc/szQ0mm/kJdfenPpWVbdvAML1RSt7CxaNUfYqmnuMRP12LMJazAApIweJKNI0u4qDBLIHhAwbXKFtLm1A==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
new file mode 100644
index 0000000000..c621dacc14
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090630100243
+;%	lifetime=2d
+sub.example.de. IN DNSKEY  256 3 5 BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy 5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
new file mode 100644
index 0000000000..0cfadf3542
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: zVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+PublicExponent: AQAAAAE=
+PrivateExponent: v0UmLwzL0RBea93NN1Q/yMFvFHSI30Np9yxdVCxDjq6zYrCiv2UTwXzPCyG1JWhclopzNII3DYR9ISgha58QCQ==
+Prime1: +Bo/midKqM2wRrPj4owYKZuocaTi9oEWb+MstOkOWe0=
+Prime2: 09q0bHeQfNY3OQsry+f2Csa2koLUcmfxxf23bzElKBs=
+Exponent1: DORw4XBF3dMjMygLL0A7KTeQlW0iDgSD7tAPMTKSmhk=
+Exponent2: BLC9fqcbNVq9EslHvNzhH6ElMO1bysgB3rAUKhk4Srs=
+Coefficient: jtQYbg6K63W4zqe6HCxXpI9N5vqwlZ/bK9T0JQZjX94=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
new file mode 100644
index 0000000000..abcde6965c
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
@@ -0,0 +1,3 @@
+;%	generationtime=20090703233023
+;%	lifetime=2d
+sub.example.de. IN DNSKEY  256 3 5 BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1 XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
new file mode 100644
index 0000000000..dbaaaea977
--- /dev/null
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: umjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+PublicExponent: AQAAAAE=
+PrivateExponent: QuAiyiQQUiopUhjwXZa0E5s+tj4pf/de2jaKwQKGaXbhZMX3ispK85LKkvjGr1ABA4+w59cnMHaeKk7nHRVDCQ==
+Prime1: 3eK3/XpauQNk2f7fpzOZOYokiS4Nx55XmGxUu3gTPiU=
+Prime2: 1xHRlPz8vYslUMhZxgNZY9fzczJzjbjFP005iokb+Ks=
+Exponent1: CjTZf3NTj0mEQLOYF6HIoIkNlBTQjLHIauAjx16Er1k=
+Exponent2: z10pNT3TMAYu/V+nkLnw0afwXjvF8KtgwIw8j5rD7B0=
+Coefficient: wAh2F+9cb8rF+bp/spymV25IGtBq+ht/TU8Rt7PRrLc=
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
index d2b84f7089..0a83288d8b 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
@@ -1,6 +1,8 @@
-sub.example.de.dlv.trusted-keys.net. IN	DLV 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
-sub.example.de.dlv.trusted-keys.net. IN	DLV 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
+sub.example.de.dlv.trusted-keys.net. IN	DLV 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
+sub.example.de.dlv.trusted-keys.net. IN	DLV 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
+sub.example.de.dlv.trusted-keys.net. IN	DLV 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
+sub.example.de.dlv.trusted-keys.net. IN	DLV 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
 sub.example.de.dlv.trusted-keys.net. IN	DLV 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
 sub.example.de.dlv.trusted-keys.net. IN	DLV 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.dlv.trusted-keys.net. IN	DLV 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
-sub.example.de.dlv.trusted-keys.net. IN	DLV 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
+sub.example.de.dlv.trusted-keys.net. IN	DLV 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
+sub.example.de.dlv.trusted-keys.net. IN	DLV 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
index 38c3c70e19..68d9dfb627 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
@@ -2,11 +2,11 @@
 ;	!!! Don't edit this file by hand.
 ;	!!! It will be generated by dnssec-signer.
 ;
-;	 Last generation time Dec 28 2008 23:06:40
+;	 Last generation time Jul 04 2009 01:30:24
 ;
 
 ;  ***  List of Key Signing Keys  ***
-; sub.example.de.  tag=40956  algo=RSASHA1  generated Oct 03 2008 01:02:19
+; sub.example.de.  tag=40956  algo=RSASHA1  generated Dec 28 2008 23:55:28
 sub.example.de. 3600 IN DNSKEY  257 3 5 (
 			BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw48XBb+ECUiiiI5wklFOjg
 			CyN1Yr9j1QYsvsYvyVxF4uMSbQ4p0JDyYwtxwVG3EACUK6vUsvTidHO/
@@ -14,38 +14,52 @@ sub.example.de. 3600 IN DNSKEY  257 3 5 (
 			ISRyLtFdi10=
 		) ; key id = 40956
 
-; sub.example.de.  tag=56595  algo=RSASHA1  generated Oct 03 2008 23:27:15
+; sub.example.de.  tag=26451  algo=RSASHA1  generated Jun 15 2009 08:58:26
 sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
-			pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
-			cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
-			GLv3a4BbGFc=
-		) ; key id = 56595
+			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+			04a9eVgvhME=
+		) ; key id = 26451
 
-; sub.example.de.  tag=31785  algo=RSASHA1  generated Dec 16 2008 17:32:13
+; sub.example.de.  tag=24426  algo=RSASHA1  generated Jun 30 2009 12:33:52
 sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59igc30zlVBFugkWd9wjsxX
-			T5mNmmg8pceNgOgV4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJxfWEE
-			J9LOQPPbnEPAJrEQzqtt5crVc687oyWYg9UGZBconBIAeefO2h19hVji
-			qj6JGXl48/0=
-		) ; key id = 31785
+			BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4WPKm0H4fm0zLnRldMT/D
+			xRX4I8Lc2Iq+oQ2cpOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQuRrp
+			3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X0KBLqokJHyy9Chp+ui188878
+			vlXrwWNo4Pk=
+		) ; key id = 24426
+
+; sub.example.de.  tag=60332  algo=RSAMD5  generated Jul 04 2009 01:30:23
+sub.example.de. 3600 IN DNSKEY  257 3 1 (
+			BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4LHa2gARHpalrNFJp6jwQ
+			f7bXR0SaPU+gpcJW/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6gYYg
+			oSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKbvV6X9KPqu0lMFpLDk+7Q/NUZ
+			jyZPu//rrNM=
+		) ; key id = 60332
 
 ; ***  List of Zone Signing Keys  ***
-; sub.example.de.  tag=59924  algo=RSAMD5  generated Dec 16 2008 17:30:27
+; sub.example.de.  tag=11091  algo=RSAMD5  generated Jun 24 2009 17:12:33
 sub.example.de. 3600 IN DNSKEY  256 3 1 (
-			BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+cU4MucX+3xq6Emve8Q/jB
-			eymytqtCmRli/G0ROBlid0KE2rxJ7rDekuoUiw==
-		) ; key id = 59924
+			BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpvStPAUwu8gkgIr6FDAWf+
+			2J9ZbvLQ8hGBESwQeuyJ87LiXfGpR/X/MCtTEQ==
+		) ; key id = 11091
 
-; sub.example.de.  tag=39146  algo=RSAMD5  generated Dec 16 2008 17:30:27
+; sub.example.de.  tag=38598  algo=RSAMD5  generated Jun 24 2009 17:12:33
 sub.example.de. 3600 IN DNSKEY  256 3 1 (
-			BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObjeSZsRLJkmrYa+cWJSqmw
-			9b7xlpaO+uBE5pkz/9GKXXOH+o/q+dBCoZjqTQ==
-		) ; key id = 39146
+			BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOmlgVCmx8eHJbUVZr5AZQJe
+			zC1dsF5FrZi6LEVUBgwiMj4XdqFLLuNzjJbGiw==
+		) ; key id = 38598
 
-; sub.example.de.  tag=4031  algo=RSAMD5  generated Dec 28 2008 23:06:40
-sub.example.de. 3600 IN DNSKEY  256 3 1 (
-			BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE10FHTeLeGsVUxBx+O/HgN
-			cV4elmXG/wGBvDjx4vQsbPO5WDiIoXmDUg+/sQ==
-		) ; key id = 4031
+; sub.example.de.  tag=37547  algo=RSASHA1  generated Jun 30 2009 12:02:43
+sub.example.de. 3600 IN DNSKEY  256 3 5 (
+			BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yGBvbmgX1vpzCF1Rqor1qy
+			5p2KvSGtgCFOclqeabWDGzKm3MbybdKLLtGD/w==
+		) ; key id = 37547
+
+; sub.example.de.  tag=57863  algo=RSASHA1  generated Jul 04 2009 01:30:23
+sub.example.de. 3600 IN DNSKEY  256 3 5 (
+			BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjtYHmyAd2vQwfIXZeKkzK1
+			XC7eFCuXuLk+A+hxCoFgziaYXEnU0OjHM/Vatw==
+		) ; key id = 57863
 
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
index 9e2970a962..e34d70d4ea 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
@@ -1,6 +1,8 @@
-sub.example.de.		IN DS 31785 5 1 3D56DD760ECF5184EAAE810F523934239F3D5AA5
-sub.example.de.		IN DS 31785 5 2 BAF6AFA18EED60E28AFFDB6094DCE3095A0C6B039D2DF8020580F6BD E43B76F9
+sub.example.de.		IN DS 24426 5 1 564822662A51682C216B0DEABD5DDE6F54865961
+sub.example.de.		IN DS 24426 5 2 A5CC9112ED2FA79C2BEDABD7437A80BC0B72803FDDCC028068A10926 38556CA2
+sub.example.de.		IN DS 26451 5 1 317B8B00E2518957ED982C4872659A5E7F85783E
+sub.example.de.		IN DS 26451 5 2 C5492796671C24EA74C30B39371E94AD1A3DD2EA8977B4949B08422C 16217B2A
 sub.example.de.		IN DS 40956 5 1 F3BC3C3D8EF9A21CCCD983FA01D308C36824E79A
 sub.example.de.		IN DS 40956 5 2 F276443895C23D052089011BED4BB2683067C1397D62EEF726BFF4F2 4B5981A1
-sub.example.de.		IN DS 56595 5 1 839C43F0267473F1335354384D91BFD70145AC01
-sub.example.de.		IN DS 56595 5 2 37F3AA854D2B7B2A9FAE3868EB37FFB08E1EDE2E14AF4D259E6C46B0 27D5C5B7
+sub.example.de.		IN DS 60332 1 1 88D80941398321D0137C2780DD685C62696D3E75
+sub.example.de.		IN DS 60332 1 2 D1F7B2A3EA5C5248E5B88AB4E98D3BA5E7B8247728B97F197AEAAEF2 A35A1BD4
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
index 2535a30942..d2f21e1707 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
@@ -1,18 +1,25 @@
 $ORIGIN .
-sub.example.de		7200	IN DNSKEY 257 3 5 (
-					BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc
-					7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6
-					2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA
-					jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB
-					cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
-					) ; key id = 56595
+sub.example.de		7200	IN DNSKEY 257 3 1 (
+					BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
+					LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
+					/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
+					gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
+					vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+					) ; key id = 60332
 			7200	IN DNSKEY 257 3 5 (
-					BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i
-					gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV
-					4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx
-					fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY
-					g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
-					) ; key id = 31785
+					BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
+					WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
+					pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
+					uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
+					0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+					) ; key id = 24426
+			7200	IN DNSKEY 257 3 5 (
+					BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
+					W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
+					yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
+					ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
+					0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+					) ; key id = 26451
 			7200	IN DNSKEY 257 3 5 (
 					BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
 					8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key
similarity index 100%
rename from contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.key
rename to contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private
similarity index 100%
rename from contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.private
rename to contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.key b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key
similarity index 100%
rename from contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.key
rename to contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.private b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private
similarity index 100%
rename from contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.private
rename to contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
index 27cb7b9e8f..9b0fba30be 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
@@ -1,7 +1,7 @@
 ; KSK rollover phase2 (this is the new key)
 sub.example.de. 3600 IN DNSKEY  257 3 5 (
-			BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc7uzNfjzrCL9VNvD4Aayd
-			pGIqeqC05rLCILe62RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBAjrbl
-			cV1T2xziS0rUBHMtgQlp3da0xOAqZVmBcCJChytISJJmtuh0qryY1Z3n
-			GLv3a4BbGFc=
-		) ; key id = 56595
+			BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4qW+F6A0PuQnYdH4autBzn
+			W7kseAHbH8ABl8XryOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/ZGny
+			j51lpTZU2Hazr1hMJpA/KevtDPjkraGY0UxtfF32I/xfOlYixImhZHlY
+			04a9eVgvhME=
+		) ; key id = 26451
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
index f04c19a2fd..466908a22f 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
@@ -7,7 +7,7 @@
 $TTL 7200
 
 @ 	IN SOA	ns1.example.de. hostmaster.example.de.  (
-				2008122801; Serial (up to 10 digits)
+				2009070301; Serial (up to 10 digits)
 				86400	; Refresh	(RIPE recommendation if NOTIFY is used)
 				1800	; Retry
 				2W	; Expire
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
index 066477c517..ef53f5741e 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
+++ b/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
@@ -1,58 +1,85 @@
-; File written on Sun Dec 28 23:06:40 2008
-; dnssec_signzone version 9.6.0
+; File written on Sat Jul  4 01:32:17 2009
+; dnssec_signzone version 9.7.0a1
 sub.example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
-					2008122801 ; serial
+					2009070301 ; serial
 					86400      ; refresh (1 day)
 					1800       ; retry (30 minutes)
 					1209600    ; expire (2 weeks)
 					7200       ; minimum (2 hours)
 					)
-			7200	RRSIG	SOA 1 3 7200 20081230210417 (
-					20081228210640 39146 sub.example.de.
-					XM/3402boromtkWjxtvE0SHpUW3J5ITudixH
-					Ol/DXfSIUiv5Km5ekQueBMgMIEMFkYHxRYH/
-					CRDCu4gTzYJElw== )
+			7200	RRSIG	SOA 1 3 7200 20090705220522 (
+					20090703223217 38598 sub.example.de.
+					JgCBS7//ArxzV4ZFw1uu5ermsqBelp/HnmeF
+					1V/2j71/lSIS+1H/o2appt6Ox11KnAqML0Zi
+					D6KRnBt1xAbXmA== )
+			7200	RRSIG	SOA 5 3 7200 20090705220711 (
+					20090703223217 37547 sub.example.de.
+					gt/Cnm3ltYYKX1h1xUEM8xfGlovwilUCf9TK
+					E6lUZL9w56DY8WDaz+5kdh4FfiXbprTgzjGA
+					LMGc9HSP79dRuA== )
 			7200	NS	ns1.example.de.
-			7200	RRSIG	NS 1 3 7200 20081230210435 (
-					20081228210640 39146 sub.example.de.
-					YGkNNi+q2byWBB2AnRrZ0fY9eOzOkcvlW98U
-					Ti/2LoJhn+LrVNSOG5Xbd7o3KfoxnyyFS+lh
-					IwcTPCxkYyTv2A== )
+			7200	RRSIG	NS 1 3 7200 20090705222744 (
+					20090703223217 38598 sub.example.de.
+					Gor5vVdsREkojunDB1+1EOzQcsOhjO+RP+CQ
+					9MEdAtqXqfJaqn2BxAkjANy7UWiPbIei3QnT
+					MBmpop2wmSzjHg== )
+			7200	RRSIG	NS 5 3 7200 20090705221546 (
+					20090703223217 37547 sub.example.de.
+					GOWmEt+2ye6zuH1BdUrzEpmjbLTjrqzTwpOP
+					CBop0iM/TeSKv3OIpzbCscn68XsKdALKx6J5
+					vsnk1e7z4qdMnQ== )
 			7200	NSEC	a.sub.example.de. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 1 3 7200 20081230205813 (
-					20081228210640 39146 sub.example.de.
-					dR8j2F8b+725x9Ipuym92XPF0CfLywcU8rVd
-					kMwIEHYqvxHtAGgMS7Rg6ehc1Dyu/4AxK5Le
-					xQpUFau71SR5zA== )
+			7200	RRSIG	NSEC 1 3 7200 20090705222040 (
+					20090703223217 38598 sub.example.de.
+					DzeJgkKvZsVnlRG6x1CjJsqE7ZW7STTfq0ND
+					v3whxX6+ODSLWtttakOYZU5ih6YKKbqtxxOi
+					WpV1PcoUZ0g2PQ== )
+			7200	RRSIG	NSEC 5 3 7200 20090705222545 (
+					20090703223217 37547 sub.example.de.
+					fG3D1B9ERox7BwFF2pFOT7D89+6f/3Ti1xUK
+					rc/kv17mlcxJDzzNtBx7dmKl/jPIccWFEe+d
+					WaeKi5AZKRsCsg== )
 			3600	DNSKEY	256 3 1 (
-					BQEAAAABmjp7RFegQjGnrXbRQ4uk0Wdxj4+c
-					U4MucX+3xq6Emve8Q/jBeymytqtCmRli/G0R
-					OBlid0KE2rxJ7rDekuoUiw==
-					) ; key id = 59924
+					BQEAAAABstcKWFjuZzMhpTjdJzom5hleqOml
+					gVCmx8eHJbUVZr5AZQJezC1dsF5FrZi6LEVU
+					BgwiMj4XdqFLLuNzjJbGiw==
+					) ; key id = 38598
 			3600	DNSKEY	256 3 1 (
-					BQEAAAAB46KNL8HNsVPnvBw24iONL++CrObj
-					eSZsRLJkmrYa+cWJSqmw9b7xlpaO+uBE5pkz
-					/9GKXXOH+o/q+dBCoZjqTQ==
-					) ; key id = 39146
-			3600	DNSKEY	256 3 1 (
-					BQEAAAAB6ULnEaSHOrlAYtx8LDD0KvOoyJE1
-					0FHTeLeGsVUxBx+O/HgNcV4elmXG/wGBvDjx
-					4vQsbPO5WDiIoXmDUg+/sQ==
-					) ; key id = 4031
+					BQEAAAABuRBoscD6vMybohNhieTSpbBgZSpv
+					StPAUwu8gkgIr6FDAWf+2J9ZbvLQ8hGBESwQ
+					euyJ87LiXfGpR/X/MCtTEQ==
+					) ; key id = 11091
+			3600	DNSKEY	256 3 5 (
+					BQEAAAABumjaO1Ql3WqOqRVP+u/N8FMumGjt
+					YHmyAd2vQwfIXZeKkzK1XC7eFCuXuLk+A+hx
+					CoFgziaYXEnU0OjHM/Vatw==
+					) ; key id = 57863
+			3600	DNSKEY	256 3 5 (
+					BQEAAAABzVGXoctTcq8a4MnjhW78Z4z/S7yG
+					BvbmgX1vpzCF1Rqor1qy5p2KvSGtgCFOclqe
+					abWDGzKm3MbybdKLLtGD/w==
+					) ; key id = 37547
+			3600	DNSKEY	257 3 1 (
+					BQEAAAABxmEeZyUrN83wG66weBOurn/+nds4
+					LHa2gARHpalrNFJp6jwQf7bXR0SaPU+gpcJW
+					/iJzkZemr+1gQOe0rwSjd4W1FGIW0WRG6LR6
+					gYYgoSaUsOc7Px2vVF1YE1jHcBu7BYtXfgKb
+					vV6X9KPqu0lMFpLDk+7Q/NUZjyZPu//rrNM=
+					) ; key id = 60332
 			3600	DNSKEY	257 3 5 (
-					BQEAAAABolXOM+J0RdjVTzlptvXKqtwxQQkc
-					7uzNfjzrCL9VNvD4AaydpGIqeqC05rLCILe6
-					2RRgCnQOs62kcUySrxRkmuAkkfONwU5PhXBA
-					jrblcV1T2xziS0rUBHMtgQlp3da0xOAqZVmB
-					cCJChytISJJmtuh0qryY1Z3nGLv3a4BbGFc=
-					) ; key id = 56595
+					BQEAAAABtnNSJcG6PU7RTitfJ4aVUM6Pclu4
+					WPKm0H4fm0zLnRldMT/DxRX4I8Lc2Iq+oQ2c
+					pOAhHvtsJ+boTX0j4aQjIPolRFZUfhr7o0wQ
+					uRrp3f4fMGzezcR1UsqRLG7+2KF9cq4H7u1X
+					0KBLqokJHyy9Chp+ui188878vlXrwWNo4Pk=
+					) ; key id = 24426
 			3600	DNSKEY	257 3 5 (
-					BQEAAAABvFi0FuW1hnSuYpaWPBhN7/hQo59i
-					gc30zlVBFugkWd9wjsxXT5mNmmg8pceNgOgV
-					4+0bHBgQlAkC0I605MlTdljra6dLBsxIneJx
-					fWEEJ9LOQPPbnEPAJrEQzqtt5crVc687oyWY
-					g9UGZBconBIAeefO2h19hVjiqj6JGXl48/0=
-					) ; key id = 31785
+					BQEAAAABu2BSOupQez5A9uJYlPzNwRyAwP4q
+					W+F6A0PuQnYdH4autBznW7kseAHbH8ABl8Xr
+					yOiVwt2zRwyYjkujA0yOPE83mD/o9Y+J/PU/
+					ZGnyj51lpTZU2Hazr1hMJpA/KevtDPjkraGY
+					0UxtfF32I/xfOlYixImhZHlY04a9eVgvhME=
+					) ; key id = 26451
 			3600	DNSKEY	257 3 5 (
 					BQEAAAAB1c44bXfWMzPJQ0k35Gz0euAPGkw4
 					8XBb+ECUiiiI5wklFOjgCyN1Yr9j1QYsvsYv
@@ -60,77 +87,129 @@ sub.example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
 					dHO/zxIflx5YGrB6ENTJcztRsp40EO1wBOmB
 					geX+aCC07zpu3SuKxzaiwTnUISRyLtFdi10=
 					) ; key id = 40956
-			3600	RRSIG	DNSKEY 1 3 3600 20081230204044 (
-					20081228210640 39146 sub.example.de.
-					rdyBfWCdLqJSLOIg22HSMNpLQTV1GLsg2w5Q
-					thtAdJWWdN+YDJfeeD+jkJvwWoQSouleSRdM
-					MHZ69c4Fp0KlUg== )
-			3600	RRSIG	DNSKEY 5 3 3600 20081230204405 (
-					20081228210640 56595 sub.example.de.
-					B4kvh0gQqHNBdwiABmUwMJ+Iqi2dKSsDQTKj
-					0rtquoGkVbbB1mKqGeA0EWjts9g388evvZGz
-					hpHVeXQQds4OxRTpt+XlQejbL98RB+8xM+I9
-					clj31Dg22MYkzogVqk7VBYTfZN/frK5co5WO
-					E+aX97skAkBO8C9rZshwsISbFR0= )
-			3600	RRSIG	DNSKEY 5 3 3600 20081230205150 (
-					20081228210640 31785 sub.example.de.
-					SiQmiuudpKBGbtKxHupnbvkksCBkYwihgyhl
-					kznLuR+GjrZKE4GuzYNAspe5CkDCSbNUHbl2
-					CbPFjU4lvGyShA3UtzSM2Cx4SAGi4JtRh7XC
-					DtXNIuZK4GBwprUD5nffYAH9Q7Pck9fhl8u8
-					YP0JapJ+GV9dx2iSKdbb1JKE8zk= )
-			3600	RRSIG	DNSKEY 5 3 3600 20081230205404 (
-					20081228210640 40956 sub.example.de.
-					jQty/hjEoHR/lx/tNopuPFNZQ0VF4Qdi37I0
-					q2A084KeBTh4v2hgTUA0B00hVncllfgUlOYl
-					HbvgHzqhLZPrx2qvtvFlPRmj7FlwjJbXRt5T
-					5JBAMP4IMfd0W6SDsuo1saVVZuiAQPicBbN8
-					Rc0Tgde1NEy2rlyVLkk7uKLB0pU= )
+			3600	RRSIG	DNSKEY 1 3 3600 20090705221028 (
+					20090703223217 60332 sub.example.de.
+					xVnKSgfSjfIEzeJVBlSPfJWDmkG/sGvQQaUc
+					P6kHUugus9z+MwnPpXKCwvSufQQJHzmUuMG4
+					hk29luebSAK+bm8s6lExQQDpUTNWnOxlIrb/
+					pQJp7tsBfN8wfZnOg+FrtLSiWzbN+jRyq+Us
+					6IUopL10tPSalhTp9UleZSUkZyA= )
+			3600	RRSIG	DNSKEY 1 3 3600 20090705221035 (
+					20090703223217 38598 sub.example.de.
+					fq6OWIKGHtdavvZx8pkieeF+DdA7P13nvW1c
+					cSmrRsfFFBx8SMJ6H9zFX4FPuoDSsNb8xnNB
+					i7LKN5hMK+uKvw== )
+			3600	RRSIG	DNSKEY 5 3 3600 20090705220958 (
+					20090703223217 40956 sub.example.de.
+					z3M5xdXXWOywAa9BPtVMzsMWmHumq4rbYyNB
+					e/in7ijwMwRTZ2pOfK5ccOBMhFE8TaRQrZD5
+					2eP2uqdUE4Jkhr42y5e8+o8ShuKxXIlkGao3
+					oFdCIwPElIUswnWs3i44Hz2SCFVnnCz8PXQL
+					VtxuyGMtrFGuRFh3xC14bi/U5LE= )
+			3600	RRSIG	DNSKEY 5 3 3600 20090705221542 (
+					20090703223217 37547 sub.example.de.
+					bRPadfI4qu6Xl4SCQ+i97/IANaCsE78L+LTG
+					1ckVTUmWbDZwj6RjJofdx5Mm1LlM6pi5hAJ2
+					7vDjTlynq0uFyg== )
+			3600	RRSIG	DNSKEY 5 3 3600 20090705222555 (
+					20090703223217 26451 sub.example.de.
+					Eu2lW/SJDyKHZ0zLIV3Co80+D9ykkULXEJpR
+					BpvhG6wa9R9i0z/QEQc3QWUt2sDPOYDX61wh
+					iP87yVmb2B1IFMU/VW33d2xZgcK2NGSMk0QI
+					g2T6jXk+uWd9ribgfWT57Xf3Qr2D+Zl23mOR
+					Q/C/bJgOmq9mZt4vNOBTvgmuHqw= )
+			3600	RRSIG	DNSKEY 5 3 3600 20090705222912 (
+					20090703223217 24426 sub.example.de.
+					ktIrKORfmsOtyUj47zBb1p/3wp/aA2GIT9dI
+					e+mDK6Kvvc3Rb+UZe2689vAMwq7/lMvRhHQR
+					25Od0UIU77XuW/trIczippIl78ISPwKSiEN0
+					LUO9kUf9yZ2dqsZMxMKXWZMSVYXY0ja8zSY5
+					v9HafpYQx24FTD99v6DcjMvQu/M= )
 a.sub.example.de.	7200	IN A	1.2.3.4
-			7200	RRSIG	A 1 4 7200 20081230210029 (
-					20081228210640 39146 sub.example.de.
-					Mfh4ntlgKOlE1vleYbD8tN8VfvHEYbIZ1/bG
-					TWEu2pQNK2YLC7mLfVQWW3bcpzlmOucmWFJq
-					XXH+nnsftjxZog== )
+			7200	RRSIG	A 1 4 7200 20090705222143 (
+					20090703223217 38598 sub.example.de.
+					A9WVnbcBJW3L+GOND3BJdtrzK3G/klcIWp8l
+					0WW1HTbiJAFMxizNWVjyGKU3ciydtawT7gVS
+					guDWYW++F1vv4w== )
+			7200	RRSIG	A 5 4 7200 20090705223053 (
+					20090703223217 37547 sub.example.de.
+					kZWrAPgslp1YjZtfWhSgQfpegRrVVjVGLPhi
+					5OAwpJ14sWmXe+Ty7PbDM1icKdt3DwmGHtk7
+					jkFkcdEu6pH3rQ== )
 			7200	NSEC	b.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20081230210434 (
-					20081228210640 39146 sub.example.de.
-					hKTSoLDwWufmjaQnW53kLzog9MfMK3eUcjHr
-					98uOCfKY3xRFqxHn0UmUvfaHSrCaMGRuwH0H
-					84fk3FvVO3Sg4g== )
+			7200	RRSIG	NSEC 1 4 7200 20090705221732 (
+					20090703223217 38598 sub.example.de.
+					Jb666TyzO/8OaJKtEsg/baMAwV3WgLzplwKi
+					0FcSu89AMMTEtYDkJx3PSinttrkK/74SHCQI
+					QprLeptnAT88wQ== )
+			7200	RRSIG	NSEC 5 4 7200 20090705223013 (
+					20090703223217 37547 sub.example.de.
+					L7pmPJgNOV4XpcN2BsUti0OyVNp3SZu58z8w
+					nJk6Na21sO6gorCh0T9r9GYK0JbJVk6BC+9D
+					BBQkH4YqqkPxXQ== )
 b.sub.example.de.	7200	IN A	1.2.3.5
-			7200	RRSIG	A 1 4 7200 20081230210628 (
-					20081228210640 39146 sub.example.de.
-					LP1xgEzTIlc0w57Ohv9HwJ9eAeGFGeMDM3Ag
-					9oA18G8lUWpzTX66D9sHKdpDxCo8IX8IuosE
-					AO4BjHjFytWPLQ== )
+			7200	RRSIG	A 1 4 7200 20090705223139 (
+					20090703223217 38598 sub.example.de.
+					gaoCOBLTR+bfk7O73vH80nP37xchqjh4S8gk
+					aIhiXZwmVYwWatlzhB8ZK/qhs4mRLqs3Rpte
+					QVYtDIC2+AOstw== )
+			7200	RRSIG	A 5 4 7200 20090705221720 (
+					20090703223217 37547 sub.example.de.
+					A4+jPotrDIV4JgxRNjH/2vtFW9RNM4g0acRI
+					tpEoOAphse9Ki7/KDJDYRyjlNqNOYoPSlDlz
+					rWlKXai3MYg7VQ== )
 			7200	NSEC	c.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20081230204400 (
-					20081228210640 39146 sub.example.de.
-					2tmWQXRQEOF5tojcBhFRMVe5pp0V1tA+Jk8M
-					svsYT1ukbaJ3QeDOaTGUA604hLEm7J+uapy+
-					LTvOcKZl65st6g== )
+			7200	RRSIG	NSEC 1 4 7200 20090705223117 (
+					20090703223217 38598 sub.example.de.
+					DuFAapyfyrTDnYkgkkGZG6JyiWa2yWbSbvB/
+					EbiaA//ffEEFvoHPt+md+ctHtw7inP3WZ0jf
+					IBAStKfocnPfxA== )
+			7200	RRSIG	NSEC 5 4 7200 20090705222451 (
+					20090703223217 37547 sub.example.de.
+					y4eQUHYVVEDsXXjtx3YZ5mGtrdL8x7e3F5HK
+					J/jTwHDYvCq+/xqaXdOGIDl1TZYN4Z+/mgud
+					ePUilJqZI7+d0A== )
 c.sub.example.de.	7200	IN A	1.2.3.6
-			7200	RRSIG	A 1 4 7200 20081230205321 (
-					20081228210640 39146 sub.example.de.
-					m5/r/M1tF0d3rEU/kmubSZdV5ZmdKWmcCWTo
-					kv+oTux07+5dS7XisCHT+ufjiFkIgI3cf9I6
-					bbtEMaChCRmwhA== )
+			7200	RRSIG	A 1 4 7200 20090705220747 (
+					20090703223217 38598 sub.example.de.
+					AhUeZDcL2x0nT4K1ueLzpti37wP0p+nBCO1h
+					N1asQJycnjayQ49nVwXuOPjFtO5SpUijl/gf
+					rsvFrG2Eyf8KyQ== )
+			7200	RRSIG	A 5 4 7200 20090705221402 (
+					20090703223217 37547 sub.example.de.
+					I9UX1XpqYmFXZKfS0SJn7eAahEGlDvTO/miW
+					5sAvWS1PDIPiGs6eNIKEjmCcy1bTCR8TdCF4
+					eDzbZncW5J57bA== )
 			7200	NSEC	localhost.sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20081230204731 (
-					20081228210640 39146 sub.example.de.
-					WZAiKmtmMVq69fGpQAxKXFj9179lZm1qd7qs
-					gyiutFjWtQTRQFI6wxHyhh1WXdagtI2AjR9V
-					eGdKUuoZ9n22yA== )
+			7200	RRSIG	NSEC 1 4 7200 20090705221655 (
+					20090703223217 38598 sub.example.de.
+					spoeS9+UVDFk3i6OuzJDg+dYm1UGVd1dd/1H
+					c0Cg7Wn5FjKwAuxVh6Fkwo+gnfFeuNqXULp7
+					2oZVaizjK0xxdA== )
+			7200	RRSIG	NSEC 5 4 7200 20090705220501 (
+					20090703223217 37547 sub.example.de.
+					qjJcnn8GAR948AasHOuT3grziFXevNKdIdd0
+					JsThsXekPAFoe/o/Wj7a/aRBQpdSQHfbHs66
+					ehXm31OmY1Z1MQ== )
 localhost.sub.example.de. 7200	IN A	127.0.0.1
-			7200	RRSIG	A 1 4 7200 20081230205746 (
-					20081228210640 39146 sub.example.de.
-					Vc48b7SkFZO1e4lNIti+Iw9vPSgxANdhakP/
-					oqjKgxMMr+dmk0Vn29DYBTH+bkR7nBpccP9l
-					qe0UCeieNSgqOg== )
+			7200	RRSIG	A 1 4 7200 20090705223018 (
+					20090703223217 38598 sub.example.de.
+					KKzhk8TIfVygE1HXHyno+5JRUa/HjZXlCyqO
+					IXPpEh2AGQjbEy9lJOXbfH15explsbFUl8iS
+					oFdkIwDqvk/ldw== )
+			7200	RRSIG	A 5 4 7200 20090705221933 (
+					20090703223217 37547 sub.example.de.
+					X5HZEaT+hbuvxoOng20cDqYGepR2ud7q7ASs
+					ADVuZx38VBtj02Gbp0xyM8LnjjrKD6McQC35
+					lqRrrcEvaMIFYA== )
 			7200	NSEC	sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 1 4 7200 20081230203757 (
-					20081228210640 39146 sub.example.de.
-					StI4gda9HqSmD1/1zcW/wJaFXvd8zKRHnH89
-					nrUy4C6PWJ+9Tqs4QhYm1AzAtZRwSEasS0jX
-					g0mFyc6p12gXqg== )
+			7200	RRSIG	NSEC 1 4 7200 20090705223031 (
+					20090703223217 38598 sub.example.de.
+					nUE795F1yE6+61N2UQb2Kmm4PpTBpdwGiPD5
+					RfETf5J3Y/7M6GuUw7Rrl5G5FHN9vzz4IJLB
+					XeLxR6WY4FdXFg== )
+			7200	RRSIG	NSEC 5 4 7200 20090705222830 (
+					20090703223217 37547 sub.example.de.
+					YitlICV/U/5iwY5vYd4Huwpyx3O317WuufiP
+					8Ci4kDa6pp7bzM+q5INYGn5ZuFUb6bk1LrJG
+					hu9IzPp4IpAwhQ== )
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db b/contrib/zkt/examples/hierarchical/de/example.de/zone.db
index 917cd79f44..b3d0034372 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db
+++ b/contrib/zkt/examples/hierarchical/de/example.de/zone.db
@@ -11,7 +11,7 @@ $TTL	7200
 ;				0123456789;
 ;	It's also possible to use the date format e.g. 2005040101
 @	IN SOA	ns1.example.de. hostmaster.example.de.  (
-				269       ; Serial	
+				277       ; Serial	
 				43200	; Refresh
 				1800	; Retry
 				2W	; Expire
diff --git a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
index 9fdf5dfb1b..1bfd112b77 100644
--- a/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
+++ b/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
@@ -1,35 +1,35 @@
-; File written on Sun Dec 28 23:06:40 2008
-; dnssec_signzone version 9.6.0
+; File written on Sat Jul  4 01:33:59 2009
+; dnssec_signzone version 9.7.0a1
 example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
-					269        ; serial
+					277        ; serial
 					43200      ; refresh (12 hours)
 					1800       ; retry (30 minutes)
 					1209600    ; expire (2 weeks)
 					7200       ; minimum (2 hours)
 					)
-			7200	RRSIG	SOA 5 2 7200 20090107205708 (
-					20081228210640 11327 example.de.
-					KC6gXko+4iRmpofCb+uOs5e0Jgq4CJVUgsw3
-					jjXDsra7FXWybJj9FgO5cdy2KHbV/cQJ5Li6
-					bgH2E0gZpcYrvA== )
+			7200	RRSIG	SOA 5 2 7200 20090713220611 (
+					20090703223359 55529 example.de.
+					rwMt/rMQ9Ioun/qZlL4nTW9J7rg3hZs+8Jxu
+					+GJ3IWDRFzf3ri9A5+ZWubnZs+eXkDtlxDQ5
+					hsQYk04gxowbNw== )
 			7200	NS	ns1.example.de.
 			7200	NS	ns2.example.de.
-			7200	RRSIG	NS 5 2 7200 20090107205857 (
-					20081228210640 11327 example.de.
-					P5GvCnGqZ3+rGh4fZtGmYfezyI4swQXFVdtp
-					UkhR8SBDRgC9HQU5qZw7g7cbuO/CrRUWZLuf
-					NYgJvaeyoL8Khw== )
+			7200	RRSIG	NS 5 2 7200 20090713221949 (
+					20090703223359 55529 example.de.
+					ehIVNiOaHHevfb3GkYt79MSmwzzMUCHvOGOf
+					MSI3QqG+Z0rS+wjI1pXdJxnVbzLldkZThBAZ
+					wwZVvOnfyye+Bg== )
 			7200	NSEC	localhost.example.de. NS SOA RRSIG NSEC DNSKEY
-			7200	RRSIG	NSEC 5 2 7200 20090107204400 (
-					20081228210640 11327 example.de.
-					cdjSIAQDouZldROWir7R4/k6xcwbvOUcOmNO
-					rkGROzjrQf3IdE7vCwxLj/KavLqK5OIhSztf
-					Xx9lY5RJWhhxQA== )
+			7200	RRSIG	NSEC 5 2 7200 20090713221831 (
+					20090703223359 55529 example.de.
+					B4vUFaDg29C95e0nstt6d6hsOYqiGWfMchp3
+					MHb2FuYZN369T+OjJxBO3jaxhB6JLhQQT+CA
+					Kbdednz3+3mpbw== )
 			3600	DNSKEY	256 3 5 (
-					BQEAAAABqbCqCu2ncgLw+0oWWiveBVK3zchY
-					FYUD2lnvJKeq7ATwesuRNpn17Erjz09GhDn9
-					l2J92dAy8m4uofcdFkYKnQ==
-					) ; key id = 11327
+					BQEAAAABty5HRSBzUDY5SVgORw+KKE64Sjmq
+					EpFtFNiG4JOre/bnmzACXE/jgr5BK4Fd1hqB
+					k/zizzUe4+dbj+jORPirtQ==
+					) ; key id = 55529
 			3600	DNSKEY	257 3 5 (
 					BQEAAAABDOkPawC/tCqSITj6lvzcIPwcMEX+
 					Nvz17GBu85jmigMuvZQUYZBVUmJNNBbCNStl
@@ -48,77 +48,77 @@ example.de.		7200	IN SOA	ns1.example.de. hostmaster.example.de. (
 					GDjN4zQce8rHCe+LNB1GfaIASkMWjdgxNNAs
 					K9bqDM8Euw==
 					) ; key id = 47280
-			3600	RRSIG	DNSKEY 5 2 3600 20090107203935 (
-					20081228210640 47280 example.de.
-					Bk6rghHHe5smNETUq9iRY6JWr4gSZirMv6Pr
-					Sv6AuRNYbHz1K0ZMhQxdjkYbz7WidOtjtolm
-					lO2LGZreuNuU8vTbBNxJYTLHUDtncncuYQZR
-					htD5hsgGVyeYgEo5X+aIz0+NjrdJrkh3aDZd
-					k6FO0ga5+kmbg9My/C1vvnLgjWUaqjP3vnFB
-					9mO5sb30X6qv3VT2d6A4DDqzCucYAphCSuSP
-					jw== )
-			3600	RRSIG	DNSKEY 5 2 3600 20090107205931 (
-					20081228210640 11327 example.de.
-					EW0xShpQjjJnNl94XIe3SBqW/Ml2o5J5R5pf
-					pIp2NAVwE2lrBzukxjHQ+M4PPF2EtIUW9lF4
-					AFrLMfn3ymVnCw== )
+			3600	RRSIG	DNSKEY 5 2 3600 20090713222248 (
+					20090703223359 47280 example.de.
+					AnxgMlrm0RcJPTcgO40Ul+k8T0B5YYF3PE4O
+					DjZ6GwdU0RGtIswtrD5JQoaEm0rJcckU7zaP
+					372CkCbdapzMbTafjx90KpnPGNka2umUEoU+
+					wE1T0EmEHPsNy1UnxXpNgrtUlLQ7+wypX85h
+					H4xIhkZLt3rc/xfztObawFkw1PvjdBMp1ySY
+					9jz8TPWSotfItRz2UDSWmFz2+Mt3fuKhvnWp
+					sw== )
+			3600	RRSIG	DNSKEY 5 2 3600 20090713222256 (
+					20090703223359 55529 example.de.
+					kahO5eo6d+HIuROuIhprEG5vMnsVK1c8jueZ
+					ThPa3YVVL3hSP7h79FPugMb6paqBSi0CW/0x
+					X32Vx3fHL2R7Cw== )
 localhost.example.de.	7200	IN A	127.0.0.1
-			7200	RRSIG	A 5 3 7200 20090107205407 (
-					20081228210640 11327 example.de.
-					WSfYUmVVSaPb9nKWyCzczQDcjqlY+QsUSFlx
-					FN7OuARdi5JHQ6b/z3y9zrsUJOhuqM1XiF7H
-					+Y9WEsWuNjmzmw== )
+			7200	RRSIG	A 5 3 7200 20090713220920 (
+					20090703223359 55529 example.de.
+					hQddObpj6XKM06r/fZB3uXW5K44vepmmJs9Z
+					4IDPRBwG+YzZCkUly58N5soSFxiF50Ieaq4M
+					pmC47X42c1EHKg== )
 			7200	NSEC	ns1.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090107204235 (
-					20081228210640 11327 example.de.
-					URFD9Qy9xizej4LokkN8xqqGE4A4Fbe7S33O
-					vlUr1mw1Kx4zlzscUtGYAuMsHZgi/Rlyppib
-					XW+Fd3NHsYhisg== )
+			7200	RRSIG	NSEC 5 3 7200 20090713222053 (
+					20090703223359 55529 example.de.
+					OednWdOSDAxJXwuc3OugwSYPvOFl29c98R1s
+					cPyovg8NoQnSAyXlqANUrOEHKzXekelzGV53
+					wzfFHCmIuJZ5Fw== )
 ns1.example.de.		7200	IN A	1.0.0.5
-			7200	RRSIG	A 5 3 7200 20090107204603 (
-					20081228210640 11327 example.de.
-					ZO17IgiAhdKtukAJEHIQyN+RqUHWOMvsDod8
-					XAFuBfunAeul+LiSjupWQDOijQoOfa5uVMRT
-					1wFhEqz//YgXkQ== )
+			7200	RRSIG	A 5 3 7200 20090713221855 (
+					20090703223359 55529 example.de.
+					TXWHh/P5XR0krzYb0io4o1/42AeNGcPcdHob
+					iiFJCKHmyX8hVVysHfvvN6wB1XqLOWsSNxsZ
+					pwPbr9JcTJDMPA== )
 			7200	AAAA	2001:db8::53
-			7200	RRSIG	AAAA 5 3 7200 20090107204610 (
-					20081228210640 11327 example.de.
-					S4aYxgu/DoVFaM0xdQ7WhfMaPK5sPt4ksZXx
-					rsNKCpL1JdNP9S78H4Iy1RUJ0I9i1EAFiWOl
-					0JhVSprPJJiOIg== )
+			7200	RRSIG	AAAA 5 3 7200 20090713221023 (
+					20090703223359 55529 example.de.
+					meShWaTBanhROgGlnwQq0KNmEKJbjLluTj7Z
+					ELbMUvgmTc1qLBCDHzWtp8sWWXz5UbMacL9X
+					F7Ncp5dAbBO2lQ== )
 			7200	NSEC	ns2.example.de. A AAAA RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090107210249 (
-					20081228210640 11327 example.de.
-					XVIz/mWN2RQ5mm20RYOytSl5Q7n9LNMenB6d
-					HpT1kaDLYSdPXd3ZlvBCNNMdNhMFmZTBxAxL
-					b0Mz8eoLdsy6Lg== )
+			7200	RRSIG	NSEC 5 3 7200 20090713221918 (
+					20090703223359 55529 example.de.
+					B4mBvLOjzjuahaarR0UJwf+2IpLo0Hj6Jxj9
+					WfKlMrUVJOmm2Hbq0Amk/L0NSeqD+W1eNlux
+					6EVYdyJm4f+wlw== )
 ns2.example.de.		7200	IN A	1.2.0.6
-			7200	RRSIG	A 5 3 7200 20090107204524 (
-					20081228210640 11327 example.de.
-					fCtOEIQlgh4XDJTZdmh0MBBHOlXvvCR4L+bR
-					gKBOUUtzaeL+FuXo8zyrWKuOp6hXj8eOceEL
-					oZCrKrjJBbHrJA== )
+			7200	RRSIG	A 5 3 7200 20090713221339 (
+					20090703223359 55529 example.de.
+					FPMu/4JWrPbRMPXm8Hyx3AD+lRn4jCZ70WZh
+					LSADXIx3lZfEGy14x4UD7iLUiC/9TPl1aY6w
+					q9R3ZLNhVmMbyw== )
 			7200	NSEC	sub.example.de. A RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090107210617 (
-					20081228210640 11327 example.de.
-					R4s8H352jY7amgr0bNRmhW4oXD++1itgbk33
-					OMDY3cbEEmZ+NonMRDkIOb4cTjDh4in9otMs
-					Cl2vNscx9VO9QQ== )
+			7200	RRSIG	NSEC 5 3 7200 20090713221447 (
+					20090703223359 55529 example.de.
+					DINiU0MiPkSyMjyJzKYuj3FgRlE92LubLU7v
+					eFufAQJM8hXe7oc+JfOSVDhpKdyF2ayd+w/e
+					TTnmaF7c65FZvw== )
 sub.example.de.		7200	IN NS	ns1.example.de.
-			7200	DS	56595 5 1 (
-					839C43F0267473F1335354384D91BFD70145
-					AC01 )
-			7200	DS	56595 5 2 (
-					37F3AA854D2B7B2A9FAE3868EB37FFB08E1E
-					DE2E14AF4D259E6C46B027D5C5B7 )
-			7200	RRSIG	DS 5 3 7200 20090107204420 (
-					20081228210640 11327 example.de.
-					ksOzuWcVDmEEipMetLHeNfWjhSiGizHN5qUL
-					H78iOQsu9/zGDuMlLt1ysY+B2vAASCl5jVTp
-					B5vr9CTvewcyAA== )
+			7200	DS	26451 5 1 (
+					317B8B00E2518957ED982C4872659A5E7F85
+					783E )
+			7200	DS	26451 5 2 (
+					C5492796671C24EA74C30B39371E94AD1A3D
+					D2EA8977B4949B08422C16217B2A )
+			7200	RRSIG	DS 5 3 7200 20090713222900 (
+					20090703223359 55529 example.de.
+					hfoghbLW7Xd1CnLwcA/k6NM54/U34M1j5ELo
+					0S+r5jbhy6rBj3kE8PRWCvLkpFclVyTAt0nq
+					pS69INoz+7pmeg== )
 			7200	NSEC	example.de. NS DS RRSIG NSEC
-			7200	RRSIG	NSEC 5 3 7200 20090107204025 (
-					20081228210640 11327 example.de.
-					pyIEOLCMXk7H4wDJ2IwJdoUxvm7UdDlHpsVR
-					gsgyogrsRb7xjnWQJ/lwHso+cmcGwvMoD/Qz
-					IjVpouYPkbRe3w== )
+			7200	RRSIG	NSEC 5 3 7200 20090713220837 (
+					20090703223359 55529 example.de.
+					mrR2sfL826pwQ3+/3X3/z8b3eOecBVYTdAmT
+					tVml23Zegq0EYJlQUiaTH5uP47vu/tsBRba8
+					TzIh0TVdyfiFyw== )
diff --git a/contrib/zkt/man/dnssec-signer.8 b/contrib/zkt/man/dnssec-signer.8
index 62ee1fcbe0..45c1d61232 100644
--- a/contrib/zkt/man/dnssec-signer.8
+++ b/contrib/zkt/man/dnssec-signer.8
@@ -1,4 +1,4 @@
-.TH dnssec-signer 8 "December 28, 2008" "ZKT 0.98" ""
+.TH dnssec-signer 8 "Aug 1, 2009" "ZKT 0.99b" ""
 \" turn off hyphenation
 .\"	if n .nh
 .nh
@@ -59,7 +59,7 @@ command is a wrapper around
 and
 .I dnssec-keygen(8)
 to sign a zone and manage the necessary zone keys.
-It's able to increment the serial number before signing the zone
+It is able to increment the serial number before signing the zone
 and can trigger
 .I named(8)
 to reload the signed zone file.
@@ -82,10 +82,10 @@ All master zone statements will be scanned for filenames
 ending with ".signed".
 These zones will be checked if the necessary zone- and key signing keys
 are existent and fresh enough to be used in the signing process.
-If some out-dated keys where found, new keying material will be generated via
+If one or more  out-dated keys are found, new keying material will be generated via
 the
 .I dnssec-keygen(8)
-command and the old ones will be marked as depreciated.
+command and the old keys will be marked as depreciated.
 So the command do anything needed for a zone key rollover as defined by [2].
 .PP
 If the resigning interval is reached or any new key must be announced,
@@ -99,14 +99,14 @@ is given, the
 command will be called to reload the zone on the
 nameserver.
 .PP
-In the second form of the command it's possible to specify a directory
+In the second form of the command it is possible to specify a directory
 tree with the option
 .B \-D
 .IR dir .
 Every secure zone found in a subdirectory below
 .I dir
 will be signed.
-However, it's also possible to reduce the signing to those
+However, it is also possible to reduce the signing to those
 zones given as arguments.
 In directory mode the pre-requisite is, that the directory name is
 exactly (including the trailing dot) the same as the zone name.
@@ -115,7 +115,7 @@ In the last form of the command, the functionality is more or less the same
 as the
 .I dnssec-signzone (8)
 command.
-The parameter specify the zone file name and the option
+The parameter specifies the zone file name and the option
 .B \-o
 takes the name of the zone.
 .PP
@@ -142,7 +142,7 @@ logfiles are created with a name like
 .fam T
 .\" \&.
 If the argument is not an absolute path name and a zone directory
-is specified in the config file, this will prepend the given name.
+is specified in the config file, this will be prepended to the given name.
 This option is also settable in the dnssec.conf file via the parameter
 .BI LogFile .
 .br
@@ -170,7 +170,7 @@ to file and syslog.
 Try to read the default configuration out of a file named
 .I dnssec-.conf .
 Instead of specifying the \-V or --view option every time,
-it's also possible to create a hard or softlink to the
+it is also possible to create a hard- or softlink to the
 executable file with an additional name like 
 .I dnssec-zkt- .
 .TP
@@ -181,7 +181,7 @@ will be used.
 .TP
 .BI \-O " optstr" ", \-\-config-option=" optstr
 Set any config file option via the commandline.
-Several config file options could be specified at the argument string
+Several config file options can be specified via the argument string
 but have to be delimited by semicolon (or newline).
 .TP
 .BR \-f ", " \-\-force
@@ -198,9 +198,9 @@ Currently this option is of very limited usage.
 Reload the zone via
 .I rndc(8)
 after successful signing.
-In a production environment it's recommended to use this option
+In a production environment it is recommended to use this option
 to be sure that a freshly signed zone will be immediately propagated.
-However, that's only feasable if the named runs on the signing
+However, that's only feasable if named runs on the signing
 machine, which is not recommended.
 Otherwise the signed zonefile must be copied to the production
 server before reloading the zone.
@@ -261,7 +261,7 @@ files.
 .B ZSK_lifetime 2d;' \-v \-v \-o example.net. zone.db
 .fam T
 .br
-Sign the example.net zone but overwrite some config file values with the parameters
+Sign the example.net zone but override some config file values with parameters
 given on the commandline.
 
 .SH Zone setup and initial preparation
@@ -349,7 +349,7 @@ left justified in a field of at least 10 spaces!
 .fi
 .fam T
 .\}
-If you use a BIND Verison of 9.4 or greater and
+If you use BIND version 9.4 or later and
 use the unixtime format for the serial number (See parameter
 Serialformat in 
 .IR dnssec.conf )
@@ -409,16 +409,14 @@ file (parameter
 
 .SH BUGS
 .PP
-The zone name given as an argument must be ending with a dot.
-.PP
 The named.conf parser is a bit rudimental and not
 very well tested.
 
-.SH AUTHOR
-Holger Zuleger 
+.SH AUTHORS
+Holger Zuleger, Mans Nilsson
 
 .SH COPYRIGHT
-Copyright (c) 2005 \- 2008 by Holger Zuleger.
+Copyright (c) 2005 \- 2009 by Holger Zuleger.
 Licensed under the BSD Licence. There is NO warranty; not even for MERCHANTABILITY or
 FITNESS FOR A PARTICULAR PURPOSE.
 .\"--------------------------------------------------
diff --git a/contrib/zkt/man/dnssec-signer.8.html b/contrib/zkt/man/dnssec-signer.8.html
index a0c362d962..ffe6a74e43 100644
--- a/contrib/zkt/man/dnssec-signer.8.html
+++ b/contrib/zkt/man/dnssec-signer.8.html
@@ -1,5 +1,5 @@
-
-
+
+
 
 
@@ -8,16 +8,17 @@
 
 
 
 dnssec-signer
 
 
 
 
-
    dnssec-signer
    
+
    dnssec-signer
    
 
 NAME
    
 SYNOPSYS
    
@@ -28,22 +29,24 @@
 ENVIRONMENT VARIABLES
    
 FILES
    
 BUGS
    
-AUTHOR
    
+AUTHORS
    
 COPYRIGHT
    
 SEE ALSO
    
 
 
    
 
 
+
    NAME
 
-
    NAME
    
+
 
 
 
    dnssec-signer
 — Secure DNS zone signing tool
    
 
+
    SYNOPSYS
 
-
    SYNOPSYS
    
+
 
 
 
@@ -64,19 +67,20 @@ dnssec-signer [−L|--logfile file]
 [−v]] −o origin
 [zonefile]
    
 
+
    DESCRIPTION
 
-
    DESCRIPTION
    
+
 
 
 
    The
 dnssec-signer command is a wrapper around
 dnssec-signzone(8) and dnssec-keygen(8) to
-sign a zone and manage the necessary zone keys. It’s
-able to increment the serial number before signing the zone
-and can trigger named(8) to reload the signed zone
-file. The command controls several secure zones and, if
-started in regular intervals via cron(8), can do all
-that stuff automatically.
    
+sign a zone and manage the necessary zone keys. It is able
+to increment the serial number before signing the zone and
+can trigger named(8) to reload the signed zone file.
+The command controls several secure zones and, if started in
+regular intervals via cron(8), can do all that stuff
+automatically.
    
 
 
    In the most
 useful usage scenario the command will be called with option
@@ -90,11 +94,12 @@ specify the name of the view. All master zone statements
 will be scanned for filenames ending with
 ".signed". These zones will be checked if the
 necessary zone- and key signing keys are existent and fresh
-enough to be used in the signing process. If some out-dated
-keys where found, new keying material will be generated via
-the dnssec-keygen(8) command and the old ones will be
-marked as depreciated. So the command do anything needed for
-a zone key rollover as defined by [2].
    
+enough to be used in the signing process. If one or more
+out-dated keys are found, new keying material will be
+generated via the dnssec-keygen(8) command and the
+old keys will be marked as depreciated. So the command do
+anything needed for a zone key rollover as defined by
+[2].
    
 
 
    If the
 resigning interval is reached or any new key must be
@@ -105,19 +110,18 @@ given, the rndc(8) command will be called to reload
 the zone on the nameserver.
    
 
 
    In the second
-form of the command it’s possible to specify a
-directory tree with the option −D dir.
-Every secure zone found in a subdirectory below dir
-will be signed. However, it’s also possible to reduce
-the signing to those zones given as arguments. In directory
-mode the pre-requisite is, that the directory name is
-exactly (including the trailing dot) the same as the zone
-name.
    
+form of the command it is possible to specify a directory
+tree with the option −D dir. Every
+secure zone found in a subdirectory below dir will be
+signed. However, it is also possible to reduce the signing
+to those zones given as arguments. In directory mode the
+pre-requisite is, that the directory name is exactly
+(including the trailing dot) the same as the zone name.
    
 
 
    In the last
 form of the command, the functionality is more or less the
 same as the dnssec-signzone (8) command. The
-parameter specify the zone file name and the option
+parameter specifies the zone file name and the option
 −o takes the name of the zone.
    
 
 
    If neither
@@ -126,8 +130,9 @@ given, then the default directory specified in the
 dnssec.conf file by the parameter zonedir will
 be used as top level directory.
    
 
+
    OPTIONS
 
-
    OPTIONS
    
+
 
 
 
@@ -139,9 +144,10 @@ be used as top level directory.
    
 or a directory where logfiles are created with a name like
 zkt-YYYY-MM-DDThhmmssZ.log. If the
 argument is not an absolute path name and a zone directory
-is specified in the config file, this will prepend the given
-name. This option is also settable in the dnssec.conf file
-via the parameter LogFile. 
    
+is specified in the config file, this will be prepended to
+the given name. This option is also settable in the
+dnssec.conf file via the parameter LogFile.
+
    
 The default is no file logging, but error logging to syslog
 with facility USER at level ERROR is enabled
 by default. These parameters are settable via the config
@@ -158,10 +164,9 @@ logged with level DEBUG to file and syslog.
    
 
    Try to read the default
 configuration out of a file named
 dnssec-<view>.conf . Instead of specifying the
-−V or --view option every time, it’s also
-possible to create a hard or softlink to the executable file
-with an additional name like dnssec-zkt-<view>
-.
    
+−V or --view option every time, it is also possible to
+create a hard- or softlink to the executable file with an
+additional name like dnssec-zkt-<view> .
    
 
 
    −c file,
 −−config=file
    
@@ -175,9 +180,9 @@ read or build-in defaults will be used.
    
 −−config-option=optstr
    
 
 
    Set any config file option via
-the commandline. Several config file options could be
-specified at the argument string but have to be delimited by
-semicolon (or newline).
    
+the commandline. Several config file options can be
+specified via the argument string but have to be delimited
+by semicolon (or newline).
    
 
 
    −f,
 −−force
    
@@ -198,15 +203,14 @@ of very limited usage.
    
 
 
    Reload the zone via
 rndc(8) after successful signing. In a production
-environment it’s recommended to use this option to be
-sure that a freshly signed zone will be immediately
-propagated. However, that’s only feasable if the named
-runs on the signing machine, which is not recommended.
-Otherwise the signed zonefile must be copied to the
-production server before reloading the zone. If this is the
-case, the parameter propagation in the
-dnssec.conf file must be set to a reasonable
-value.
    
+environment it is recommended to use this option to be sure
+that a freshly signed zone will be immediately propagated.
+However, that’s only feasable if named runs on the
+signing machine, which is not recommended. Otherwise the
+signed zonefile must be copied to the production server
+before reloading the zone. If this is the case, the
+parameter propagation in the dnssec.conf file
+must be set to a reasonable value.
    
 
 
    −v,
 −−verbose
    
@@ -219,8 +223,9 @@ second −v will be a little more verbose.
    
 
 
    Print out the online help.
    
 
+
    SAMPLE USAGE
 
-
    SAMPLE USAGE
    
+
 
 
 
@@ -263,11 +268,12 @@ Sigvalidity 28h; \
    
 
 
    ZSK_lifetime 2d;’
 −v −v −o example.net. zone.db 
    
-Sign the example.net zone but overwrite some config file
-values with the parameters given on the commandline.
    
+Sign the example.net zone but override some config file
+values with parameters given on the commandline.
    
 
+
    Zone setup and initial preparation
 
-
    Zone setup and initial preparation
    
+
 
 
 
    Create a
@@ -322,10 +328,10 @@ SOA-Record
    
 
    For automatic incrementation of
 the serial number, the SOA-Record must be formated, so that
 the serial number is on a single line and left justified in
-a field of at least 10 spaces! If you use a BIND Verison of
-9.4 or greater and use the unixtime format for the serial
-number (See parameter Serialformat in dnssec.conf)
-than this is not necessary.
    
+a field of at least 10 spaces! If you use BIND version 9.4
+or later and use the unixtime format for the serial number
+(See parameter Serialformat in dnssec.conf) than this
+is not necessary.
    
 
 
    Try to sign the zone
    
 
@@ -338,8 +344,9 @@ $ dnssec-signer −o example.net. 
    
 to create the initial keying material and a signed zone
 file. Then try to load the file on the name server.
    
 
+
    ENVIRONMENT VARIABLES
 
-
    ENVIRONMENT VARIABLES
    
+
 
 
 
@@ -348,8 +355,9 @@ file. Then try to load the file on the name server.
    
 
    Specifies the name of the
 default global configuration files.
    
 
+
    FILES
 
-
    FILES
    
+
 
 
 
@@ -385,34 +393,35 @@ via the dnssec configuration file (parameter
 of the file is settable via the dnssec configuration file
 (parameter zonefile).
    
 
+
    BUGS
 
-
    BUGS
    
+
 
 
-
    The zone name
-given as an argument must be ending with a dot.
    
-
 
    The named.conf
 parser is a bit rudimental and not very well tested.
    
 
-
-
    AUTHOR
    
+
    AUTHORS
+
+
    
 
 
-
    Holger
-Zuleger
    
+
    Holger Zuleger,
+Mans Nilsson
    
 
+
    COPYRIGHT
 
-
    COPYRIGHT
    
+
 
 
 
    Copyright (c)
-2005 − 2008 by Holger Zuleger. Licensed under the BSD
+2005 − 2009 by Holger Zuleger. Licensed under the BSD
 Licence. There is NO warranty; not even for MERCHANTABILITY
 or FITNESS FOR A PARTICULAR PURPOSE.
    
 
+
    SEE ALSO
 
-
    SEE ALSO
    
+
 
 
 
diff --git a/contrib/zkt/man/dnssec-signer.8.pdf b/contrib/zkt/man/dnssec-signer.8.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..a98456525d6450d46ade07fbb8145eb3c5b320fb
GIT binary patch
literal 12482
zcmch-WmsLw(l(3+*f<1t3qiNw?(P!YgF|q4g1ZwSNC*zWEx5aT2oiz?cMbND%*;76
zlbLfpf4+D9*=yITuD-jfx~f`e6h+0Ez|0T;P2XP3djK0bh}_o562Qv~lr^z2b22Aq
zf21e_#VxFzOdQC8;?{;vCZZ-UZH-O%`2mhj4km`L0B-5~S_=+DeVE?g)Mc+}hMrc=
z-}G$cN=KWAgfVhaexQH5+J(gf#jdqC*@WC_w~eg)9q0aK<2QcTBjw^NIkkr8_INCO
zOWyKX2OZ_qM&A2YpgkSM9|&
z%jKKrfbtJ;z3o$=^C?KUL7%(#>YZJ5)=ZtKe-@m(kf~wdSbzvozwZEzt~G+RUTZ6L
z+a(Fj)w^vqx81Z?IOcP!40&Yv
zCYeKb%N;(hs7qW;J;6Qdq|J7K1N8UQ$1VkPr@o}~4Mzzu#Fw`jco)eA9=H$C2s&j=
zU$>N%RtrAojA`zSqFLeJOjH}~_%I)B#LvxLAY`EG^Ds-_@d7ud%07>O)<0XC9H?st
z8sUU7c!qrf#zT;=MWFPC?K<06ZdzfBIu%s*$rmOyv7Ta7oXOn#4m^yF`i@S{&2?Y%
zrb8z3m)dy!gpA+{Y=WmaF9XO=wv2W{?v9~)QnTRuVzi6bOvNysKH%B;*}ew$d`0HG
z|F}BN!#qiJAyRG0O{>rHpvmT+*CY*sC#|4YPU@?WvCM-zQ@2LSfAj5)udnCv+U@Fy
zl^GLi#Pw$>W67sfuVb?F1t(I{SgW=;-WHcgvBZb(1@Bzovg)&)EtI(=&|M4_@-D)~
zlo=N-GaxuwY!;#=4`F&0wJaiJTfZDml*Kg$8
zT~@*BwIautP;KYJ`(%M~)ZkpPiKqpZxmYbx)=HYY@!gsRswZ=B-T*~_FusHjfz~tR
z>R5|FO%(Q(?-R6m*j-8n;&4>&h){@JzKvToF*N
z3aVKVK{8>o%(2>2Q99{DPP)4#M}%KtxQwd3fm=Mj=71a(V(k8{Z8N{
zyqc@N%=w}V?t+yBe}IcUx_PFq^vTtdXh@UFC$`Y8#gg{irhFsz)KpSonCJO=CtC@Cz+0$r~o`@=c+4_Y_z_=*2bP9KVTUl#+MnGoL!vAiinb()hrB#~HUT`DOvv$3Q*?`SS~r
zsp>w6LDQ4HCV$_q?@u4NN~L^x*u2dW7!<2UFFix57<)P##Z4m#hJARB1&t`eU-Vwc
zTGZN49PfXMMI{#-(t)FO>4YQ57lWgAl1_({W_z9V1GR)Yecn!Ht}_T9D$K
z86Um28O6@>b0q5Yk;=`ElA3XQE~ESw
zBx6VU0>952TD7`JJTw{~C^yp`zFcT-9(WQ&^Msz%2=a-hz9rq#i%2sA1_kapY$V_P%{i_oA
zr^t;&s}4d?{qk=niebfa8IJvsp5KIiAv~fCg|Bhv8n;K~->ENQ>qTuw{A&C{Y1SGf
z`4mM1>Pj+LRQb#Pcn*;IuA``WI-4>09(4=jz~$YErmo?!vyK|BsnvG^+MWPrrNqp*
zQR|oSi(}`VJQ7jRjPJ>PgrnW@@t^1G=nf=mD?y?201)AvQWxZ4x1U54vg7P9G6Mvr
zUbv4!_DsDwPJkW
zC&y;z^-d9nLzSv%dmm~`q8u?@_j46=kX*r}y+G+iElD0*sXKq*xPLoWk_yK7444Ad
zK8h`nwf_mWakd(s_ritCo{-lTz)6D40Zy>+HDR|~J5fVwm78&q?*29{b@p4nhVU|P
z=BfagJop4HF$`+29%OkMKSAgl*!i%1+(HWSY(h*pd6sZmPDIA1$%j1lAD%k{>ICVQ
z8u%m)r}es=iT1gxC69An3E?gqoI(XoFg-yJBi8Is0&;DH^V2Yhp7P!KQy5k60M;}#qnk8$BPp4?5PytZQh3SDH
zX-JhI7e)IlaQKx#bktT<9!8Pm5{g$K5(zU-=loGCpZK7lcVX~GB_`e5*v>VH0+aiO
zsr$E6lOZ>n{6mr}w@St?WsOX$J!mCt{q6fv{Hv%RbukAOpl$;7R}`(h^6q|2TN}|3C&4S75CX7DFa5va|}az)E+Sae_I84EkxR@
zupmHL@l|RuJYP>dmbA{(&x{|snzya^ZC;1-5N(w&m|8yr;B&5p6O(P%r()QO?|M~Z
ztm5Fq1m0f=a;rrkX}!JdU)Zlp?#i_&Ov8Opx}3UEiB?#A;^f!KdoYBYt#kZoI2+#H
z7iGG+moa;pT)w0(^#ai$F+t<0_ITz&-6$fi$38W;o_If|&D$_^PHy#-HEgg(kG-^^
z`u&0>6jkgOf_<;|!PphLFQFBS_ddOYt1WCy+a^o%fTgFONP^N2*Bxe$m?J9tEMs2f
zDC6<&Wb64+R{9CuXNIqfd7dI3UW!xaqaj}_DY|Jae3nDVc(1?BG%zS_xxJrp8t@8P
zt^Qn>;E#dHKL0>`^sH&K3bH-GV-$HaqF0R(9mS$M^J4JhoM3NM2ee2ZSPgE59r?9s
z6cNn3HkwivTPV77;?&*RS~h9c;D$+wQT&P4qIO)&8xn7o<6vE7-rJGr8+Cd6pw%2&
zs+H!L)icZ3;tH70`UyMpEfyc8seQ69)k81~3g+Ee)Pz&Ddxwy@dv3}SJ=(W6+;?HYXu#X&JxdZt8@%T0+c(3Ud0m+2lha{NL=HT
zvhUBaO;8+;bTT>>a3>A0*O(29gSF=r#lwDw6qc)gx6{gCc+PU^4NiV
ziqESr3x-bX>%x>QQ2P1CdC>NSEc(L>f?TX_n8cQ+9N(PQ+bX=Y&*ZRON=43nX~1g8
zo5F=%pr!1LFUF1~cxhO#_>P=0BNEyb;tYm}P)s44@fO02NQrHP$igKZq36S)Q5v~d
z$>4?^ro{Kzmxp%D$_11*Zv
ziBwb~rW7MKuyxNd{^8K20IN&Vmp-{dZleqR{XRi
zV6WuPC;6)&1hYXal
zN(3V_7)cklT85+{ILysOHt#Nljs5%Hh?K*?a+Eub({3>id2@N7%@K5sMJ_b;GoC8U
z7TC4
zVFFsHJ&+|eFV1fW_>hK;@vwpF=nl1^v4qn4sZ7#MoN`6<0u=SNdQ~&DjVmkbmgxQ#
z9U_KfY+_^l`!e$J?Z?vd$Aa_6FAF;>8{l^u_}6tQ`2Vypt<_v`Sp10TJ*U1hlAaj+
ztlhKWWJQ3CwP1lyzXEiy+!D5O}b`FT0zI+HmRBv$z>
zes9A2Ab5T==sSq-o11Ds?*IV~v$k~mb5s`JB+rYP&As!GME+0KV`s?ed9U-7y4i24
zK`3{M6(e1#>TKS?A!q$BtW`}XRV6q)cjmR%w6jCQ9)_K>SJg$M%>~N7Nio_;0!XJQ
z3lsHOF7d6nKEv#J)liv$Q(mw_hQNdfG+!sI09zJ+(yP<$&CAn`uHmtG-b|n^dSmaU
zRBSaH-kG2vLh~7a|9d0LS`l>==Y@)!q|iI^^&<5>v?{ZGLxcTf)cW{y*QyT!1L21D
zzO~T-?KhZNuISFd8Q7%7G7Qu9oNflRCZTfKnCeC|lKmN%k~Z5`9&LnH#gNW1veD+<
zuAL-)lLI0@<`xh2(%oKW!f%!nnS9etBu&YC<3oe$Lz-8!N|89Tyd4VgGcgg=-9DL{
zRI&R@@i|j+xin!+XP?fV-tK
z-?ByLMfu-ci{{DL3TsMq9_$Kl{|@N4Y}Nm_IukT|wh@Rfu5;V!h2KA9%)(s}*>
zYB6cf@yTh^l-;
zf1Iuw`Mw2)eBianZWRRZ%zj&X0PvJ};Hkeg;7b1$)!1>RG^XO*)$wplp!;#Y-E#~r
zfR2Z5ZG!ihWlOwnqs^0fiwO)RxCv06-tyoM@rHb4{#xYxpz`!g|5mRk<(cbQq?Gdq
zWhSyuW1E;=>Y?d;`Mlh`DJpeew9P5A7U;Rp!g*swpfEMGj^l!sij^)6-Mq3plp2P;MLx)$Xs@nD?LNMBX_n>@wOZ=26e7Zt3B4$_Lfo-|_E$=yMDd=#6nxK~UrEZ#TlljS4GxUUnsTXufs
z{2WKCN>ePqa(Pa7;W>QianqbuhmeEe{GM}s73EuiIU19*^ycfB7|8~75^tS%yA@3I
z-(6f)4Od8<$1BHXHHwNOgm#8KLU+qP3iaXkgUK9uC!xpuk$qJspFZQqQ>ph(VZno6
zlbpS~GI0`K_M41KYI0<{RUxXgUBj^HIjUUtkf3P5VhxGa3xKsXnZTP{SFHO$XQwzz
zGQNmNUBxTDaWP(<)_wZ5j@dS>S+2x6P$UsM;x_bk0#ue9bJ+31lC(XY#Kx(oRT}AKoJ}(a9Uw0Y0*xp#yA`6v3`hwoByFUEM_l?f_70GjdG~USiFH_Ci)cQzmQq`XiO^P2p-oNjJj*$*tG5bTzbFt#Vk~j*
zrxa32l|EfB%m((dL_rhhC>?T&27?9eNYF6t1^-uf5ARm;zCga(>U4`@wYi6f
zMO}{t1ilWuQzW00IDfDPEj;gL7k$!aRG^5Qm-S1bp-29!5
zVDa`q*_8rDdFbXWd{)|9KqNSf83wOj0v`%;3_s&{w`ZAxKO?lq6whvyoBKWUI9vQ$
zwyxTYeTQl+A#oH#KX4f!@|d^TK58D6ZYVi+52;
zE)y(Eiw
znjOIP+K>HKMNKxrW1x&B++(UPceuWaaW(AEi_oxzL)>nnjA9-&YhogEpJAxXPS?ut|Op
zg9}C~ITdJ9T|vW%_HYv8^H2N6S!t;SO0UvNXO(<~Ol-R-?D+NB9$YzaF;cHlJ)O1_
z=3V-ws(lHPiaush$xY9U-sl}C|B{(~scTvBzOi5A_`7`^S@-Xsv%BREG
z%!v-|poBKkeGUWF5X9qgn#;)ayHB
z@wi%LOeca`sAaZ8&&XbV7V^3E=_0RgP=-2Ek^_F9sShFQ9ZN-gt>Yc0QC%qs?|tIq
zc!78Oodcy~9pjf$_GgXyqn3rRbAbO-%X0m4#sUHTUk+LFH1=&4*>Ud#6gptwi#6Tw
z!{4{Y_Pmc?dphOZSI9R4Q;Ub}F1k?67SCW|t&r7G9`Cx>lKWhlC4n`95@|0K%UxiU
z?^5Sp9{(JvOW0}6GGd=G(Ssp!h23&;!ozOITKg*>}{QE
z$9c+!opbJzm6E~ZSGwQgbv&mYn0*7spLv_ZegZ-Ay*y&_Iqko(!qc7?Lr6Pa`0|Y1
zfeag#7~+W?L@g!U73PXT9i_HO_V@%RI*Bw5aqD0!ExW>HC)4?~P_k_dqq5u3XM-OS
zZay?l`5e5u(drZ~9g&Zk7gp?$dwN`3M7C2gahs3scWl2|4fln8fIFo0?Kha!aOk$N
zL@qzgq=u9UauCw%FG)=b2L8zSLS6lEBP9!6^D}Yr8Rt7i{YL^X)mP!#kZwktlDCV?
zZ2H0g(Dofign{_%d&VrwGIsPvetAAfT`(PvDD?~Qk-dw}?i(aCDx{F|`QmXpeK+*u
z<$)GK=-aT_DyXZoK^zN`#Z0%ym(739`BLiP>%GtHEZ#e
zb!mFpnepWU?p2F3Iucy{x>Wi{4M_MZ>2Rj&8*Gec4J*QQ1Y8#4=mts94xm&+7;}!-
zH0&QM*-sr+UDnK@x^GF+9S2F$VRg~I5=dGQA^~{Or?aQ_PocgG6;F~B6z$M1H)|!m
z)q&kMR7Iq4ZP2sHxbN^s36!I@kDjCM7a?3hs*8y{<>aT^WCgUHLscXNI(TTTl5aCMu>h2)V9+YOzNfWqi
z@HVtYaw64o{4*b#Foi*Kl6bIzoPQJnhPN{U26IGfM&e1GN@JBP57@VF
zAOVgP2>UPV;`ce|6?D|2#qfAJ-@1JnEBHc@_O2<-X!d9vyth`o;!{
zr7YZY%~=xloHt#s^0^b9O=
zk$X?|*;idP)=Gk~0z+SD2L_J*(MBlcJoQOUZg;%QGE?!5IztWGRs)Ue_e3P5L>LQhqRK
ztaqUOd?w$*5AYo`w8vka16|Q-^lDs&zYJ5P;1WTnr4jadpMmb<2#r!DjAqI#%T(R(ZKv_Gz03}WYc=CaAE36NNTE^(x!=_
z?fMi)c+r_~T+s5sU0H@#Pf?xO5Op*5rpX2h7^tmv2Z%9{TBuOiVhdTYRr)itVezRW
zJDX1A@yNd6sbD0@g1%+|eYkZQ2l|R)GN>b)*CMWuo2sXVGPWlzg4*squiFw%dqU7p
zt5qCH3>llcQ`cS`$T;UXe#FrFwwQE|DvB8XaBefT)r+`XuYV*&iyYHJJk(6yOHFXI
z%xf}2#OBg`{b3c>EMYwD&PFA13B{JcgGDI8cS81USAbq|MAXvQK$%gHkS15tZC_HO
zW$cV9C}X~!6
z#x#92xtz495R0?942!2QmPs*8&kZ(PGi&b8lxVc?*x`bsS-4q{9Fi9GjLaUq==YNP
zPurZ{d%liz!5@%GXSI2>4h7`)D6f52nJ-MFWSukTGt_)>vVekuiCz9d_}
z-2{LGwe&d9ab<)Y>t?&nri97#2`~~h*t=QcRT83
z-zBYs4DkptSN=AXI-e$`J!RIxa7d2(m7}b+&9#>F=J%@L28k4HUeqb#{JxBv;`Sbv
zP2}TzFiI)=O0*a0m(c^4NyI~SIp>MIa~?s=mpc|Al4y!Sj(m*>h!{q`;Mx;aKdh^?
zZ0CY9Dp%Il%pD=Qb`0Vb{AXBGScnzQ9yzcX$^sy5Qrm-2Us1v8d`ob5`-K%WKbNk&
zPq2V5jP?Q@$uDKk&vNEx*#iMV{wRAOEWegLtpAs?$N9yA!zw3+_cw;dO_PmMa_TR&
zH=_9Q6(WAn1$Cz6wI-3|%YGS^VxNXNhRgQ^2qc%R47j9)YtuY@{rpE!=-=+1Mw!r|TGVea^
zMQG%?n|k4`(=Z=3$BUun`Ilj$Xg>jQYqh247_(N0`K1a+8XGFfHAZc3V$f{iy(h!T
zba~}yI@Ru9M>0A7QD4B^HlNR#G_Ycqv%Z?%b%cq%*MQO50W9F4tCU;$1Ws>IxH`%(
zmHzofi4!dgjxEKgTI>cuFQzEDhlqIH1z9>7K!sn0IPchXnNq1i+q{I_TzAOHw!CG-
z>y6H3ce?_2&HTj%V{PtEO+CYUhjC$g>ex$Mq%@j-dFF1LG9)+~(Mlve2_#)_l4>^N
zjCb8*(vG?;h?oPJBvNRVMW}b3py8G)fu0@GXXG8wSc$EtT;iom6n-6EM{v5Le}`4!
z6(9rif|&?67#95%A-nRsE=K^r)$?JgwEho?44=#xPzrF|`EC$JS~4U78lO86U0H(z
zpf^9Vhec41PA?q3sQh?TL=+kfI{}{@bwbbhy73;IRo<&npruHJy)&C{?cEv1#%bv;
ze*$xGGqtSi`c$(spYlw2vV{}{VFFKZVT7FU+>GTTfkHMiwv1gkOr4agr6HKW)f)@d
z1HJ3u=`-}H0k_!#XYGtR#-l>K)y5HTLdYheY_$(rW7quEgXL^w);HwAXwR~z*DmYM
zQf^c%EE#2^w8=L69`*fdQZ2mBpI*C}(Y6Ydtod0rF>m;D0y1Q6J(wNS847W2s*h@1
z&vw&?uc^FD{;tLnqM6K7mzV5eKwsJq7*y~*M2TW~|o
zlI2w;8mJ#@;_MniNZ^n3Xp!a=9v?Tkkh(=a$(-JW`jcy5Od{TC5Ux
zze`uYr*)2yod-IsB(=`U!*fQj8ed|
z=>Ki*V@%}(kv{!Q+GbD>>@+c+@f6)`*u52s>Rpbdlc`t3)ke|g+?)cY4^ogunvKD0
zhl1_c10UGi!LvrN2dB&J=gplApXu+BV+vG;Yg4}ljUU0_N6_HnWc?#%{6TuWji%~u
zX983-G&2FpnHXCb3fsDoYyVg^v4bJx99$4x08rW1>G5tFIp~qg!NkUi{71Y|ek7YX
z+B!SDG;w?sqUd1zQpLnc8~AwXjU1?I;^y?&PTcm98T=df&Bz^M9fGCpbUc?%&`j7+G7`
zJO5^lpJ5UJ{1*g&Qp0d_qkJwm#+mQPgY(KyLF7AI}`v-mhDMUUdBV*^6CJxWVR20c2%xxW=9A7$E
z*g27NGK1OZ9`n%S-D)QbTN}~GtoB@#8v+7xfjB{|5HJf1E9CLJoUQRcf8yu=Jpj2m
zn3w`UaR2wjvpHP3l02Z6o03IxHuj|=3n_hoWJscS-F1U14GzajHCFDRA3lEb=|091a&TJoxtRLBq94KXDYD@kz^8tWTqU74o@Adi@
rT=w}7BfhuF5ILFG)BQ@({gH.conf .
 Instead of specifying the \-V or --view option every time,
-it's also possible to create a hard or softlink to the
+it is also possible to create a hard or softlink to the
 executable file to give it an additional name like 
 .I dnssec-zkt- .
 .TP
@@ -252,7 +252,7 @@ This will be useful in combination with wildcard arguments
 to prevent dnsssec-zkt to list all keys found in subdirectories. 
 For example "dnssec-zkt -d *" will print out a list of all keys only found in
 the current directory.
-Maybe it's easier to use "dnssec-zkt ." instead (without -r set).
+Maybe it is easier to use "dnssec-zkt ." instead (without -r set).
 The option works similar to the \-d option of
 .IR ls(1) .
 .TP
@@ -417,6 +417,7 @@ Depreciate the key with tag "12345" below the current directory,
 .TP
 .fam C
 .B "dnssec-zkt --view intern 
+.fam T
 Print out a list of all zone keys found below the directory where all
 the zones of view intern live.
 There should be a seperate dnssec config file
@@ -429,8 +430,11 @@ with a directory option to take affect of this.
 Same as above.
 The binary file
 .I dnssec-zkt
-have linked to
-.I dnssec-zkt-intern .
+has another link, named
+.I dnssec-zkt-intern
+made, and 
+.I dnssec-zkt
+examines argv[0] to find a view whose zones it proceeds to process.
 
 .SH ENVIRONMENT VARIABLES
 .TP
@@ -462,8 +466,8 @@ and the ksk rollover options
 insist on domain names ending with a dot.
 .PP
 
-.SH AUTHOR
-Holger Zuleger 
+.SH AUTHORS
+Holger Zuleger, Mans Nilsson
 
 .SH COPYRIGHT
 Copyright (c) 2005 \- 2008 by Holger Zuleger.
diff --git a/contrib/zkt/man/dnssec-zkt.8.html b/contrib/zkt/man/dnssec-zkt.8.html
index 9bab81f63a..3c53d04cff 100644
--- a/contrib/zkt/man/dnssec-zkt.8.html
+++ b/contrib/zkt/man/dnssec-zkt.8.html
@@ -1,5 +1,5 @@
-
-
+
+
 
 
@@ -8,16 +8,17 @@
 
 
 
 dnssec-zkt
 
 
 
 
-
    dnssec-zkt
    
+
    dnssec-zkt
    
 
 NAME
    
 SYNOPSYS
    
@@ -28,22 +29,24 @@
 ENVIRONMENT VARIABLES
    
 FILES
    
 BUGS
    
-AUTHOR
    
+AUTHORS
    
 COPYRIGHT
    
 SEE ALSO
    
 
 
    
 
 
+
    NAME
 
-
    NAME
    
+
 
 
 
    dnssec-zkt
 — Secure DNS zone key tool
    
 
+
    SYNOPSYS
 
-
    SYNOPSYS
    
+
 
 
 
@@ -135,8 +138,9 @@ dnssec-zkt −0 | −−ksk-roll-stat
 do.ma.in. [−V|--view view]
 [−c file]
    
 
+
    DESCRIPTION
 
-
    DESCRIPTION
    
+
 
 
 
    The
@@ -147,24 +151,25 @@ management.
    
 
    In the common
 usage the command prints out information about all dnssec
 (zone) keys found in the given (or predefined default)
-directory. It’s also possible to specify keyfiles
-(K*.key) as arguments. With option −r
-subdirectories will be searched recursively, and all dnssec
-keys found will be listed sorted by domain name, key type
-and generation time. In that mode the use of the
-−p option may be helpful to find the location
-of the keyfile in the directory tree.
    
+directory. It is also possible to specify keyfiles (K*.key)
+as arguments. With option −r subdirectories
+will be searched recursively, and all dnssec keys found will
+be listed sorted by domain name, key type and generation
+time. In that mode the use of the −p option may
+be helpful to find the location of the keyfile in the
+directory tree.
    
 
 
    Other forms of
 the command print out keys in a format suitable for a
 trusted-key section or as a DNSKEY resource record.
    
 
 
    The command is
-also useful in dns key management. It allows key livetime
-monitoring and status change.
    
+also useful in dns key management. It offers monitoring of
+key lifetime and modification of key status.
    
 
+
    GENERAL OPTIONS
 
-
    GENERAL OPTIONS
    
+
 
 
 
@@ -174,10 +179,9 @@ monitoring and status change.
    
 
    Try to read the default
 configuration out of a file named
 dnssec-<view>.conf . Instead of specifying the
-−V or --view option every time, it’s also
-possible to create a hard or softlink to the executable file
-to give it an additional name like
-dnssec-zkt-<view> .
    
+−V or --view option every time, it is also possible to
+create a hard or softlink to the executable file to give it
+an additional name like dnssec-zkt-<view> .
    
 
 
    −c file,
 −−config=file
    
@@ -209,7 +213,7 @@ will be useful in combination with wildcard arguments to
 prevent dnsssec-zkt to list all keys found in
 subdirectories. For example "dnssec-zkt -d *" will
 print out a list of all keys only found in the current
-directory. Maybe it’s easier to use "dnssec-zkt
+directory. Maybe it is easier to use "dnssec-zkt
 ." instead (without -r set). The option works similar
 to the −d option of ls(1).
    
 
@@ -281,25 +285,25 @@ time.
    
 Also settable in the dnssec.conf file (Parameter:
 PrintTime).
    
 
-
    
 
 

    
+
    −h
    
     
+
    No header or trusted-key section header and trailer in
+-T mode
    
 
    
 
 
 
 
-
-
    −h
         		
 
 
 
-
    No header or
-trusted-key section header and trailer in -T mode
    
 
    
 
+
    COMMAND OPTIONS
 
-
    COMMAND OPTIONS
    
+
 
 
 
@@ -398,8 +402,9 @@ in experimental status and is mainly for the use in an
 hierachical environment. Use --ksk-rollover for a little
 more detailed description.
    
 
+
    SAMPLE USAGE
 
-
    SAMPLE USAGE
    
+
 
 
 
    dnssec-zkt
@@ -447,11 +452,14 @@ affect of this.
    
 
    dnssec-zkt-intern
    
 
 
    Same as above. The binary file
-dnssec-zkt have linked to dnssec-zkt-intern
-.
    
+dnssec-zkt has another link, named
+dnssec-zkt-intern made, and dnssec-zkt
+examines argv[0] to find a view whose zones it proceeds to
+process.
    
 
+
    ENVIRONMENT VARIABLES
 
-
    ENVIRONMENT VARIABLES
    
+
 
 
 
@@ -460,8 +468,9 @@ affect of this.
    
 
    Specifies the name of the
 default global configuration files.
    
 
+
    FILES
 
-
    FILES
    
+
 
 
 
@@ -483,8 +492,9 @@ configuration file.
    
 
    Local configuration file (only
 used in −C mode).
    
 
+
    BUGS
 
-
    BUGS
    
+
 
 
 
    Some of the
@@ -493,15 +503,17 @@ modes. 
    
 The option −l and the ksk rollover options
 insist on domain names ending with a dot.
    
 
-
-
    AUTHOR
    
+
    AUTHORS
+
+
    
 
 
-
    Holger
-Zuleger
    
+
    Holger Zuleger,
+Mans Nilsson
    
 
+
    COPYRIGHT
 
-
    COPYRIGHT
    
+
 
 
 
    Copyright (c)
@@ -509,8 +521,9 @@ Zuleger
    
 Licences. There is NO warranty; not even for MERCHANTABILITY
 or FITNESS FOR A PARTICULAR PURPOSE.
    
 
+
    SEE ALSO
 
-
    SEE ALSO
    
+
 
 
 
diff --git a/contrib/zkt/man/dnssec-zkt.8.pdf b/contrib/zkt/man/dnssec-zkt.8.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..4e88297601fa3af80e11c2fb134df5f57cd6b01b
GIT binary patch
literal 12950
zcmch7WmsIxwk?vN0TSG4+-VvbcXxN!#vOtaJOp=0aQEPr;7)Lt5L|-0274s?>~prA
z``z#Txc#TQ$C_1ZtZ6lC)udDu6=wu7u^>_Q?MLSzu>qI?_QqC7yu3hJh@H8M1%Ukt
zQ3i@z+PFZR06=jYBNvD$#Khhd!q1Q7?BWD5vPE)FJJ30>Tj0dLKPp^li^XBnxI?GS
zVjN3{3$)>}Yyf@U&N~yS+7=~PIF)p&*>TY~jMezUb4W?MOYhWB6Nn0jK~58=O>wlj
z`ss=|>|BAS`&sZ-;X{k2g77)fUDNwJFzF>?i7(^Kw*A=`gJsFH4sR|;B7`_hsgZGS
zJ|kgcyzH9`3P}z~F-}di#`LXVOJ+{TW8s;voEd2Wh4|U?h+;!oLS$BkKxlpWfOzvs
z`*sv}>1WuWd_(ID`GBKn+2t8zd}CtiV6&i<@2lF6b<04b(c$aA7ME&d!{9Zw|Q;X1u~Oq8pE(E3+w`bfd1&&urzfO`X9g
zP2azs&3qBkeuh~;c-#@J^(R%s{RLORN}iU!)dpB^HJv6CM|+}q0bX?
z3W5gprJgEXvmX?Ku&ia@?3%#5KjkF5=mOKj`FOp5oH(Md+8#qR`F4aHeGk3`r-8^o
z=7iTH66A-63lEY|Dd;Ey#1(PQEuLX-H=-(Eq6K{w{6sHOZ`c%Krn(Y4PK@4{g#%co
z7^)#|JH+p{g(Gp;79X~Zl=NI&^Cj+_w<0c%19eWBq90~5->q|%;
zOEppN2L#?|sNJI_G^)}vAS|n#4CrQd9Nuu7IkaVy_HZVMDPKelLU-K
z$PD$kGd--1(nVZ3xk91((;}Dm8d#_9Db|R!ermyeffpd*`!>EAC>Ht_2}U{6{=wuN
zvGOxrh1o@2;JarxR*4It*F|JOCT;i2Uc`o7(CRSk7hW68cnxd|`c(N;uZisnhM-mK
z!NVuq9rI={+0)hpL<%0(f>qHcB_ji61mKzY{BBd*A(^nrMD6!-D{sBp8B6oB|xZ3Oq$#Ie)XHwh{h+BCl*zZU7?QabnM*cFqw!cfoZFJI
zf=~X7(9G-&es?fxT+##R-Sh+O7sChRrISW;{Xrv(JFiV}#1Fou%d>w8*58wZ%yXJ3
z8$VwZ$}zNjS(l4Iwa?i{psHtO8Z*dYp&>lG1q-`b-_NcVdYXRX_yK1xZy?La$&O!2
zo&M-*W$&FXZ8cg2QPnN`fg9U3)JaJ1{oVly@5Lu}$}
z^Ai|wdISUup{X((7i_MwCSI`*4DKWw&t)|Vf4JtVB<$udrc}`&#VwYwxb4*l15274
zt2(H4HIA_xnM6ofujgz@Oz&S-Ka0Hk2y|=e;7y24>aeo+7!x{P`geJ19g%qmVk|p@K
zD^7X6W!7>4oc~M$bheI(lOBm?dBt?m&-^Lf$R>1LKu&~4=k(#OW*2=^r>kvsgaS^U
z_A5nv)9M?9psbiW;Ioik5!{Mz>9>@_P!W4Cw!O=hisOwP5ix0oaPSBC$KNrBJf8c$
zvQ=Z%<7Cc4Lna90mHsUIJ<=R{tO-N;{>L9K`9RRKPcbWFZPEDk&c4dGWZ+ig~^+
zo55!0wh?>9l#2MF;4nSCX;m3xr)r{(G-3gKIG+7_v3*;y*MkoYyg_{PXSTcJBLS%&
z#ig^^G&b^{f{hS#7TweFV_qh*}DZ0}R-*&!DY85<$B7o+V>C1VL5qT_1Ss|zl
zO{sE12D$PzNfu=_7g6OVRAN(^w5&9Yeb(WO`HLEV#~77Yh5UJxmIIpeapavwL*5ty
zDuO+oFHBOaAMQ5Jd&YS*=CdSKI&Sxrw^^34kZp4~fXc{ufk*kY8Q+2*ngf%Skg4im
zvWM21lwZvGOrB(jgk5b?289-llM!NUPNtNk*7o2MEik_`lwEg;%tBEM?owB*m1lab
z1hdTXK}sQ?D}^tWTFk!^
z%7K3rkxLKQ6-j&q!$P;vpZIj(O1)FN4KS$N?MA&^9RD(&Y7QKyrzgDf?b|y%5L`ga
z8hK}B=2Db0U1asfWp*%wKN8pDAmP4f0Lg`6+2o^dA86ZnAI+@TvIH
zU1ojCrE7g=+65H!-)Iu|3UPb&a#mg8!M^l%(Ht>w?c@?Cco;9vE}!E8LQL+yG2fu&rQ==0izRjs=GfSOH{ZNvmCMUl=
z@KMaD^%?B89+j9?8p9c+Zh&25E4u<~X)D5yLM@JMuk3O0>vKM`lraYzgMD4pme=)g
zr|bd3V+j}}wj^1uF8XR$t%4qK&>Z=lgp88?D@413Ms}?f*xXBbmS&1F>PZ+`@ZYkZ
zk+Y1!2KW*BiHbGHy6SAX8_xtt!aRevJ1;$rU{Q2xRvCJ;Iq#3Z7lZ8dQ%9{0>p?@AZJik98N`|#
zfQcvqz9OwgLq&~pv_y%XFTlWvyio8vwpc+Hp_9UiUcI!QxGu#t_F_{y>)hT
zzMYa8Gl*43-+pW~fJA@jRo=$6H&U}2T_>4)eUl$|R6n_B7jyl6BbTwQC<=(5aG3hh
zFY^&5#oXrrVrTlVvh(TJ&r0cO#^>1}72>ib(WP7w0;=a|t@>#AB
zyrE1>fTM!a_fx$QiaqF#wdI=GARXWG=jq;`=pyZ-kSLwzxYoENnM8RB=*P39OfFR}
zX|YJMfLbh6$h3QqHXe|Sc&XwwIs;jlc+5%(K#Xc#=Ct;44-ChE0I
zj!0!tm^wG2TgsnB*c?{mRPT7T=(R1Q&BiwC$M!sGq#Crx5i*8Gl&xB;=!->H>}Mt{
zP~_8TaM=X;+D3~AxLiLgq@A~cCE(3=ESNayFps`gjEJs$|9LZdq5kH;6-B+I{>G|R
z2~I*m)wO=yWw~wxtfU;rwtlTB3rTuE*g6ACi|?(i=$~m@;Vz948!A@HC{z8jzI25?vi@jP8?<+XxKy6qw`+wB*~tPS8M#ErhJD3_F@L=XFP=K
zVk^5Z!$>pT0h{BN0Jomqwp3qP2~$U546{*m6{ECE^?1^E6fzbmw2({>j5raRZ$u)?J9|h*RPA9WHV{ttK!;>Q8X2*%(eq#-?$L$jcIgO{m1yRL_G+)##(M_ro8P<2t08
z4-+eBr9P!6PRb!LMGS)sI8pPiH8jPlCoxMZLt^-)duRt}&4oKIxCj;tdi1={7#TF%
zmqS11<__d07Wt~_;E>ieQs5wwmdjW$Z{dyBOC4kmHt)PC+h))V#ss4|^_5w>jY1vv
z2yXddfkMvsGT}DW=tWsxTFC5Xr-onbsUyKNJld7YTP_dBl)#!Yse5J^VmXGZ
zJvY+)noto1xzMXa1&)zViHAGh$!TVx4d=Fd^{csc6qiCrE{$?2%sW0&(Oo@DSRv#w
z+c+vxPtBhi%
zv*%-CAKkisB&!IhHigu%nvz{+Akx7v0rNO&g(6UjCe1^Jg_Re4`HMS9ukM`|)A|Kn
zr=Un)a&ID>a@jav_uO`3d7wZ%gjJGthyAAd-?(U1X^J#OTmsq?8HMH6j
z6pi5Ubv0(~JkA0YML+18ie24gbkK22Nugj)YqY+=!!}I-8Q=xbVInxG7H4SXW=hbr
z(vZGPu0CV-ka(WsoJZN{wn7G1$jSuM3LCd-S?jE?MU6yOoWRqby6v&p&~GZ@2>aaF
z)IcU2bLwj3-O=85Ar?U}Ekb1=vC9?C=~?IVdUTP-cfGU+JNIiU->R}eoq#tysemy5;M@)eX7dF8ZZiK
zOP=Ot%0|yxBe2_pZ9l-8K=phCB61&L?_()eW*qk{R1j!!O6w
zXB>%IenFaJ&D)nhhLkV;;7Hh@C8UAaj`?c;k=CYR47U@-*w^L@5vH^S>#IkibAivg
zKyievxGc^sB7Zo>G!G?hos;8`BD@NBZ~I
zKfH_h;I2-N!qeKT(mkuQmUcXg=LOM@S*IFZt85)cq#Wk^2)c*AyH(lC+U|s0;0Ct%
zt1ze>zivzO8&1{E^OW&gHpqZR?9b7a3yd>F+h~@ak
zDC{dv=`&7T+FD=%trfGRqAF!oAo=ds3Dfp(!L;xN{kq#s>#BMBL%su)eHdP~KjL0>
z!{rlS*>fau^F7~{toZ`D93FxS_2G8?eAMS@R;E*hU&u+CZqZKFpKRh(rcCIDOzcCG
zUPyL)dIo*;3JzRzb+Gf?W!M?YJs}iP&pm&Ar=YxkEW|}b^ApZ<0>yx7SJb$mbOmB)
zifKA%GHhA#;n|KNKKPvvo&}!wr>VXe$MgszAKx0(+iIZmJTw3u9ZE7jM_n?!2Ux21
zPKN}3*gOnIU*bXxu*|U}N8qDv^-ocgwb@Z31n``bn7_rjtms&1Fiq)RH|&f+{cgVm
zSj?7kq$Be_qoTR0TKpQyb#7z8DE=BoGttYTQ7(X;1fM&xL~5^RLjNJy7CO8Nx*O4h
z1ywPBAid-ED%*WClssj-%LKchK5p9>THcn!>s3
zn{Pdue4I>uE@#c}KQrRXeL0(mP=`*8``)oP4oVEX%0V~ZJRC8v5rQsJ>)*ld?6BHP
zYZ@cx)QY*;NEv+2aV41%p}%D%R5+XMnI@ZxwLs569&fU3HnT?8uszbo%Mzd=shDs1
zhRPi)8Hd9D6}OIQN11Qh#Bx1R?HGLSD{O$0;7#$BD1W)8tIPoTtB-Vrqjm@3cxQ*=
zI#@kit=fKs&u6y3c3q2O3Gl03RKh`=3f7iVG}6W-#l(C94zb6~lkl-!;)bMolcb;+
zFd_c-Ze{!U(`&x^b_nkXU)N~YsOCK8d@t0YF$&@%CmbR`Mr;kd)NMbBTDB>FKzw|F
z_qw2q`CFa*s{sC0D08rb|6M3^{Jl`-{NEJHb=pey-`LULTvY%rDXjs6F_^T{Xg-qh
z`i`^2F*5a>S*|1-i8g!9^tO~AiE!=_KV_~xy0cPcp9W7
zkj8jcVjDiZ+t76A^g%Zx{!82F>?2p8Pbq@>cL#hs%kXmg($u5`tQ|XK-P0|TT~rms
zM218MK$+XbQyi2ZRO?gsSfJ+*Fy2-((!4QnOj0IQsb1^!)?CKk81aT~!qT!I3Cen-
zbMh_|_W`$_(vmEY_f*lYVWR|)TG0QQ%xxfUINLI;gxq5uGqv1~SjvN_OwuzsKkl+K
zL$ppBPriK
zv+asfdhdNmA4?xFfUaq=^hK0Zvvx)1o$E-^p`4|7tE?qHEAc`!y%4!`OAlXh2)>h)
z$4lNZ~!tr|<&ia>s|#`QTOBE7IdCht6PDD#VdC5?UmJgHa<}o7~%SfSyB8
z9?0f!mbqbzrhBD88GA;|PVYqWD*)LhURnW?$bn_rE2@vFM5W3?eni?YLpx~{nLN9g
zQq)4*hfbL(380C<$24n;G@j
zN?wF|F9a~fsj2r2(T7J#{(iK+zzkZC0__^#Szqmo(N>D2nXKBbjs5=@+gisE)iM~vb$muCORF)
zGdk^&61N7qkG-U3=nmAWVboSO80}Aps|KgM;u?|aI9J`+NsGuKmKBkAddNxJXxXJ+
zhr)8;LUg<{(OZr!OXUumq>zVoN#ukwImua|Fm{m)#l;qsdu?%G-L!#=pPkg@+vZPY#%ABW4VWk&1W-@w=yRw@o
zXE5#c*~^=T%NG4`o`>NlhRBfBIZoUf>$r&VBs0B|)7%hs8d!X5X+upXXahV~wXts8
z*3St)Kjcf=&Xgr&7^_(i
zAFsH@AQ{YgxzPsmpdXzOG~szCSoR
z`Yy#($y2T$Gh0DT^tOPk^1hII{qnNDU%}DxU7Z&8g9O?DyB-&>Fd#PNY(6IQo-*K(
zEtui$A!AUlRCN$B(%B|vRB!t*7Y2~?byzOa-YS&Dr^h!ReP)9+1%kTP<
zIQjda!GgGDtp4w
z2Ajux$bVBciJyunAa7CA;r$F<_
z>jAt9Iv6HG`YhF3pS2OkSYSA$jSj-icgY
zj|m!+N|2ILPOKyognVoX%?26Zs&bQ@c96U~Q}PJ&Hg8K~rn7&*fIGHQ(J-*1TEM`U
zu<@Jct$TlQR3N$(9TU-npdLWvf*#p%Qa`vC2101o#U-ykMF!ErA6FXeIN9maQLNk>rJ9yo1ioaZ5IsIM9V14Vf>q
z?6mBQ7aCXDa5
z6(^zGd>uDEl_=K4HV&$JoZshyWIo;L*1vu69*1DBvm-)O#egoaF1Z^qn6?vL+$fAA8imR|nI;(~|XJzK|cvZ45?VLZEk%%I`iw=*=YT|9-
zj2?U5zBrf$R1pj@jveW@4rmUd5_WfLU5vVqa_^=hqHCv+P6=>QxgznJsmLih@+xm4
zHI~plHT0K(eIalK5Iglu&gRhwHPfslwIR3Cbd6D-^{RYUmY3hO#tPT?FaeTi;y^k439*Nks=4g>`5
zu8D4TCKsI3LaC)0+8#$J(an7fa1@G%?cInxtokW3;r95!kZDqBA#~_THpyVNj&lSI
z?qT#2&#B9@wYlhni)N9e3+Sgspps*wUYMRvp
zEvb!lJj&xNVL$fWaGAEwZ`Wzie)*HMI2}i{+^10UZD%zL43elNcC9=QgLd#NYZgLe
zwY^@KM`5E^-bF;C!@WZuz6)~;X9x^cH+C;fqH_Lw`1L6{mB4811aIL}vpFtiwa542
z$_H!f`f%{uvGRdoQWeJYO^l9nX;k;z7IAME#nP)g2-LEWF)j!&vx8w9p?8V|9Nc)~>xud+vDVM%QGQpq)77>}4_me3mo
ztxhk;8*fKb_!Yw@3N7_0#){$_XUM%74dVSM^1cl(uRVOF*cz4be5N!PJ{#&dVnoeT
z%w%!WxfI=Xt3AeV6PiN9t{Zd^lpT(=pikq@uX2o|5p`RIw=_NDdN(|M>IrI9M=pt=FDRT5XebO{&28
zFc1Q#jkU@Aj?juGGihH{m`gw7=gmJmZq{B*?t#tX%kq3ZfYvUFkxJ&97qpg_6zLm^
z$m91x>NG1%xFz(CfH1?_{6((QZa$Q?Azcc6k!$Gv%>h&k;Yij1A494XC#Mm`htj#`
z+6%^uX47@>aTjhVM#@|0{Vz8O_i~jqkwwO9?gRDgp7jkEM&WM*n-*YbsKs+y_-4O+
zW_mNWCX~#054F5l+p_dQUcqD`8Hg2e%u^cMnzDbmz>Ue~zAUgG5<;@Xf&_6#@KDIOGn4brUliEe3)yYllvu>!JMzvJi
zM4VN1G2>FCdyU?6YIwtk&lwhL+~e7MVyCTmE#5BGlwuVLtf3GFw{(4~c!N;k`NI!|
z|M~K3(r@R4qtyI?$F1gNrb_P`AJ+?-!2vQD89p3czOTO2ThW9Fku0xTJsJwc=J)3>
z?H(P}7Js#TMQouHZb1&918AFBIg@;Hf7#17O66~RyPXHqieWWAS-3__4PNor0mdmZ
zYFl-Uo_+6W}*+iZt*;$(hh|MAHS$Paz{ORKiPf!VYaFN;L{QM
z?im&STASW`?vonKLS*u<6v}{#Z?!(1S}$?;nvnPC6YzKkutXh_5zefyHKOANB5WPe
z!FPv83z*EEM8sg)ek5oCmf*Amhg9>bm!-n~>Z4*p;4e^mRNqS7m7~$I9kwU^o*`{^
z;>rm`elIXFde1QXUT#!;@+JR=`t>zZvlme9yWrbbU_$s;+L+!MtUPoG_CRNJUKoW%0zVuzNM-NcMm(<1tu{V#x
z@K{TLrk`H!@3a-tprfRnZPE{Fpe^1-tZGC6-h^AJ}Fx!HDiMm6d9#4&{#~!|IVLAf+P)ELpvXVhV=Bq+UJ9+C;
zgcvy8}BUmaISRbWTs70hY
zajz`!V-60Ee3a{Bl{~hd3?_(ye(sf)sqOH`U`(!w0XwX0n8SGRb5&hUq`7yJR8Bs1
zaQfQ^xR86^bqhD7vDYAI(Qq0N1^Jt)*8wc25O{i?@8updNfW)(##Yy!c
zkoZ?&vu-qu0*?OPb>WRx?yfFWs`F%Zp^7x}p5NOD*6wI0y?pu1o^WKw_8~1Jk|-Wet-vrxQy>Fh^Mx
zQ!-oc6x?2-8ijpil=G$+Bmrg3T#?|!9cZOVMwKmRFX}=3<#hFm?qhi{^rqe>SoI`a
zetf=2nrB9Up8F#J7=GB<@5D(k98wr)Y2j3I$l(v-#8>EDHE*w5cjP2u#CG6K?SdMS
zvoq0C3R|D)PSdF$jBwz+$B*3|_pyU@_b
z+96BxHowX4crmb><2m+CH{6tQnlkT!ExEMuO!_4i_sqp%hQJa%mN>M6Z|5AK**}8j${UK@F8z09_0yfE1-~WMmCi+WE-hdGAZcPZ
z0R3(K__Z$lTt7f;%>Q0LejZc*#GX1ZRXrRaKt&^S2v81UYH1{F?+(yme!9#KVgYb)
zvFITImF-=g`Y{2_Pf|`0I~TyuV{hdr7~*XI+Q|gs{4|N8lf8)w#6{=nm`5A{RE4;^
zJdG2#e-Z}$T&a|ip87a}B2WLH#ybOk_J96@p2+@U_H*g_Kce&Rd;f>duXFrA@%jC<
z|NlTeT)*q$4}5;UF8w1PmY??cztIoNZ^r$TxqcNJf8_I@zK17UKe-R!m;X2efHIb*
z&Hx>xUri85PyX}sF+jh1dy#%UgEEpH;ORMEKlugtr%U{9|35$8lZcUvk&V6i@ALkf
z)9>6co8%A82Q-ZTHE^ZnBFzvlZl#V5-;Swfr`h3#!j|C!^j=mY*Yj(@PtudMW6IQ|2j
zKUnGCY<^Ri)RQM!n*1}H-@4BK8=Jo-f&aqhmzw^dncvIxr`+)uD*s(Azj^R~Bk~7t
z_@C7Bi^xA3>ksMmDN&ogHi0TX`
zl<{dqxmlQ*xtKYb!7LzFRxs%4x}3e~KVRbK|5tFjJ3-8lm;o%DNX-BK0NB~sSlIw(
zfZs3>h=uFP);~W0yWcSu5ZjX#|BQj2z`tV5?BJ*H|C8L)pTEg5vv9CIMZ}-vKp-~u
zC-eLnV`2W8sQ!$BI60nj&R;MN)~D?97mOABH#uew&c9+$TsZ#9g_({0XAJ#iJ}~p&
zxG;0EJUPIhdzPpGuIz<<>F*yX#;V3DoOxA6-!UZlMex&iVypzBI0LS2LPq)%-".
 *****************************************************************/
 const	char	*getnameappendix (const char *progname, const char *basename)
 {
@@ -124,7 +120,6 @@ const	char	*getdefconfname (const char *view)
 	return buf;	
 }
 
-#if 1
 /*****************************************************************
 **	domain_canonicdup (s)
 **	returns NULL or a pointer to a dynamic string containing the
@@ -157,7 +152,7 @@ char	*domain_canonicdup (const char *s)
 
 	return new;
 }
-#else
+#if 0		/* replaced by domain_canonicdup */
 /*****************************************************************
 **	str_tolowerdup (s)
 *****************************************************************/
@@ -186,8 +181,8 @@ char	*str_delspace (char *s)
 	char	*start;
 	char	*p;
 
-	if ( !s )	/* is there a string ? */
-		return s;
+	if ( !s )	/* no string present ? */
+		return NULL;
 
 	start = s;
 	for ( p = s; *p; p++ )
@@ -312,14 +307,18 @@ void	parseurl (char *url, char **proto, char **host, char **port, char **para)
 }
 
 /*****************************************************************
-**	splitpath (path, size, filename)
+**	splitpath (path, pathsize, filename)
+**	if filename is build of "path/file" then copy filename to path
+**	and split of the filename part.
+**	return pointer to filename part in path or NULL if path is too
+**	small to hold "path+filename"
 *****************************************************************/
-const	char	*splitpath (char *path, size_t size, const char *filename)
+const	char	*splitpath (char *path, size_t psize, const char *filename)
 {
 	char 	*p;
 
 	if ( !path )
-		return filename;
+		return NULL;
 
 	*path = '\0';
 	if ( !filename )
@@ -327,11 +326,11 @@ const	char	*splitpath (char *path, size_t size, const char *filename)
 
 	if ( (p = strrchr (filename, '/')) )	/* file arg contains path ? */
 	{
-		if ( strlen (filename) > size )
+		if ( strlen (filename) + 1 > psize )
 			return filename;
 
-		strcpy (path, filename);
-		path[p-filename] = '\0';
+		strcpy (path, filename);	/* copy whole filename to path */
+		path[p-filename] = '\0';	/* split of the file part */
 		filename = ++p;
 	}
 	return filename;
@@ -433,11 +432,11 @@ int	is_keyfilename (const char *name)
 }
 
 /*****************************************************************
-**	is_dotfile (name)
+**	is_dotfilename (name)
 **	Check if the given pathname 'name' looks like "." or "..".
 **	Returns 0 | 1
 *****************************************************************/
-int	is_dotfile (const char *name)
+int	is_dotfilename (const char *name)
 {
 	if ( name && (
 	     (name[0] == '.' && name[1] == '\0') || 
@@ -792,22 +791,23 @@ time_t	timestr2time (const char *timestr)
 	t.tm_mon -= 1;
 	t.tm_isdst = 0;
 
-#if defined(HAS_TIMEGM) && HAS_TIMEGM
+#if defined(HAVE_TIMEGM) && HAVE_TIMEGM
 	sec = timegm (&t);
 #else
 	{
-	time_t ret;
-	char *tz;
+	char	tzstr[31+1];
+	char	*tz;
 
 	tz = getenv("TZ");
-	// setenv("TZ", "", 1);
-	setenv("TZ", "UTC", 1);
+	snprintf (tzstr, sizeof (tzstr), "TZ=%s", "UTC");
+	putenv (tzstr);
 	tzset();
 	sec = mktime(&t);
 	if (tz)
-		setenv("TZ", tz, 1);
+		snprintf (tzstr, sizeof (tzstr), "TZ=%s", tz);
 	else
-		unsetenv("TZ");
+		snprintf (tzstr, sizeof (tzstr), "TZ=%s", "");
+	putenv (tzstr);
 	tzset();
 	}
 #endif
@@ -986,215 +986,41 @@ time_t	stop_timer (time_t start)
 	return stop - start;
 }
 
+
 /****************************************************************
 **
-**	int	inc_serial (filename, use_unixtime)
+**	int	gensalt (saltstr, sizeofstalstr, bits)
 **
-**	This function depends on a special syntax formating the
-**	SOA record in the zone file!!
+**	generate a random hexstring of 'bits' salt and store it
+**	in saltstr. return 1 on success, otherwise 0.
 **
-**	To match the SOA record, the SOA RR must be formatted
-**	like this:
-**	@ [ttl]   IN  SOA   (
-**	      1234567890; serial number 
-**	      86400	 ; other values
-**				...
-**	The space from the first digit of the serial number to
-**	the first none white space char or to the end of the line
-**	must be at least 10 characters!
-**	So you have to left justify the serial number in a field
-**	of at least 10 characters like this:
-**	      1         ; Serial 
-**
-****************************************************************/
-int	inc_serial (const char *fname, int use_unixtime)
+*****************************************************************/
+int	gensalt (char *salt, size_t saltsize, int saltbits)
 {
-	FILE	*fp;
-	char	buf[4095+1];
-	int	error;
+	static	char	hexstr[] = "0123456789ABCDEF";
+	static	int	seed = 0;
+	int	saltlen = 0;	/* current length of salt in hex nibbles */
+	int	i;
+	int	hex;
 
-	/**
-	   since BIND 9.4, there is a dnssec-signzone option available for
-	   serial number increment.
-	   If the user request "unixtime" than use this mechanism 
-	**/
-#if defined(BIND_VERSION) && BIND_VERSION >= 940
-	if ( use_unixtime )
+	if ( seed == 0 )
+		srandom (seed = (unsigned int)time (NULL));
+
+	saltlen = saltbits / 4;
+	if ( saltlen+1 > saltsize )
 		return 0;
-#endif
-	if ( (fp = fopen (fname, "r+")) == NULL )
-		return -1;
 
-		/* read until the line matches the beginning of a soa record ... */
-	while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
-		;
-
-	if ( feof (fp) )
+	for ( i = 0; i < saltlen; i++ )
 	{
-		fclose (fp);
-		return -2;
+		hex = random () % 16;
+		assert ( hex >= 0 && hex < 16 );
+		salt[i] = hexstr[hex];
 	}
+	salt[i] = '\0';
 
-	error = inc_soa_serial (fp, use_unixtime);	/* .. inc soa serial no ... */
-
-	if ( fclose (fp) != 0 )
-		return -5;
-	return error;
+	return 1;
 }
 
-/*****************************************************************
-**	check if line is the beginning of a SOA RR record, thus
-**	containing the string "IN .* SOA" and ends with a '('
-**	returns 1 if true
-*****************************************************************/
-static	int	is_soa_rr (const char *line)
-{
-	const	char	*p;
-
-	assert ( line != NULL );
-
-	if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") )	/* line contains "IN" and "SOA" */
-	{
-		p = line + strlen (line) - 1;
-		while ( p > line && isspace (*p) )
-			p--;
-		if ( *p == '(' )	/* last character have to be a '(' to start a multi line record */
-			return 1;
-	}
-
-	return 0;
-}
-
-/*****************************************************************
-**	Find string 'search' in 'str' and ignore case in comparison.
-**	returns the position of 'search' in 'str' or NULL if not found.
-*****************************************************************/
-static	const	char	*strfindstr (const char *str, const char *search)
-{
-	const	char	*p;
-	int		c;
-
-	assert ( str != NULL );
-	assert ( search != NULL );
-
-	c = tolower (*search);
-	p = str;
-	do {
-		while ( *p && tolower (*p) != c )
-			p++;
-		if ( strncasecmp (p, search, strlen (search)) == 0 )
-			return p;
-		p++;
-	} while ( *p );
-
-	return NULL;
-}
-
-/*****************************************************************
-**	return the serial number of the current day in the form
-**	of YYYYmmdd00
-*****************************************************************/
-static	ulong	today_serialtime ()
-{
-	struct	tm	*t;
-	ulong	serialtime;
-	time_t	now;
-
-	now =  time (NULL);
-	t = gmtime (&now);
-	serialtime = (t->tm_year + 1900) * 10000;
-	serialtime += (t->tm_mon+1) * 100;
-	serialtime += t->tm_mday;
-	serialtime *= 100;
-
-	return serialtime;
-}
-
-/*****************************************************************
-**	inc_soa_serial (fp, use_unixtime)
-**	increment the soa serial number of the file 'fp'
-**	'fp' must be opened "r+"
-*****************************************************************/
-static	int	inc_soa_serial (FILE *fp, int use_unixtime)
-{
-	int	c;
-	long	pos,	eos;
-	ulong	serial;
-	int	digits;
-	ulong	today;
-
-	/* move forward until any non ws reached */
-	while ( (c = getc (fp)) != EOF && isspace (c) )
-		;
-	ungetc (c, fp);		/* push back the last char */
-
-	pos = ftell (fp);	/* mark position */
-
-	serial = 0L;	/* read in the current serial number */
-	/* be aware of the trailing space in the format string !! */
-	if ( fscanf (fp, "%lu ", &serial) != 1 )	/* try to get serial no */
-		return -3;
-	eos = ftell (fp);	/* mark first non digit/ws character pos */
-
-	digits = eos - pos;
-	if ( digits < 10 )	/* not enough space for serial no ? */
-		return -4;
-
-	if ( use_unixtime )
-		today = time (NULL);
-	else
-	{
-		today = today_serialtime ();	/* YYYYmmdd00 */
-		if ( serial > 1970010100L && serial < today )	
-			serial = today;			/* set to current time */
-		serial++;			/* increment anyway */
-	}
-
-	fseek (fp, pos, SEEK_SET);	/* go back to the beginning */
-	fprintf (fp, "%-*lu", digits, serial);	/* write as many chars as before */
-
-	return 1;	/* yep! */
-}
-
-/*****************************************************************
-**	return the error text of the inc_serial return coode
-*****************************************************************/
-const	char	*inc_errstr (int err)
-{
-	switch ( err )
-	{
-	case -1:	return "couldn't open zone file for modifying";
-	case -2:	return "unexpected end of file";
-	case -3:	return "no serial number found in zone file";
-	case -4:	return "not enough space left for serialno";
-	case -5:	return "error on closing zone file";
-	}
-	return "";
-}
-
-#ifdef SOA_TEST
-const char *progname;
-main (int argc, char *argv[])
-{
-	ulong	now;
-	int	err;
-	char	cmd[255];
-
-	progname = *argv;
-
-	now = today_serialtime ();
-	printf ("now = %lu\n", now);
-
-	if ( (err = inc_serial (argv[1], 0)) <= 0 )
-	{
-		error ("can't change serial errno=%d\n", err);
-		exit (1);
-	}
-
-	snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]);
-	system (cmd);
-}
-#endif
 
 #ifdef COPYZONE_TEST
 const char *progname;
diff --git a/contrib/zkt/misc.h b/contrib/zkt/misc.h
index c9c55171e1..11028d472d 100644
--- a/contrib/zkt/misc.h
+++ b/contrib/zkt/misc.h
@@ -79,10 +79,9 @@ extern	void    fatal (char *fmt, ...);
 extern	void    logmesg (char *fmt, ...);
 extern	void	verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...);
 extern	void	logflush (void);
-extern	int	inc_serial (const char *fname, int use_unixtime);
-extern	const	char	*inc_errstr (int err);
+extern	int	gensalt (char *salt, size_t saltsize, int saltbits);
 extern	char	*str_untaint (char *str);
 extern	char	*str_chop (char *str, char c);
-extern	int	is_dotfile (const char *name);
+extern	int	is_dotfilename (const char *name);
 extern	void	parseurl (char *url, char **proto, char **host, char **port, char **para);
 #endif
diff --git a/contrib/zkt/ncparse.c b/contrib/zkt/ncparse.c
index e67f4b0a7d..159e5ab8e9 100644
--- a/contrib/zkt/ncparse.c
+++ b/contrib/zkt/ncparse.c
@@ -186,14 +186,14 @@ static	int	gettok (FILE *fp, char *val, size_t valsize)
 
 /*****************************************************************
 **
-**	parse_namedconf (const char *filename, int (*func) ())
+**	parse_namedconf (const char *filename, chroot_dir, dir, dirsize, int (*func) ())
 **
 **	Very dumb named.conf parser.
 **	- In a zone declaration the _first_ keyword MUST be "type"
 **	- For every master zone "func (directory, zone, filename)" will be called
 **
 *****************************************************************/
-int	parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())
+int	parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())
 {
 	FILE	*fp;
 	int	tok;
@@ -234,7 +234,15 @@ int	parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func
 					snprintf (path, sizeof (path), "%s/%s", dir, strval);
 				else
 					snprintf (path, sizeof (path), "%s", strval);
-				snprintf (dir, dirsize, "%s", path);
+
+				/* prepend chroot directory (do it only once) */
+				if ( chroot_dir && *chroot_dir )
+				{
+					snprintf (dir, dirsize, "%s%s%s", chroot_dir, *path == '/' ? "": "/", path);
+					chroot_dir = NULL;
+				}
+				else
+					snprintf (dir, dirsize, "%s", path);
 				dbg_val ("parse_namedconf: new dir \"%s\" \n", dir);
 			}	
 		}	
@@ -246,7 +254,7 @@ int	parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func
 					snprintf (path, sizeof (path), "%s/%s", dir, strval);
 				else
 					snprintf (path, sizeof (path), "%s", strval);
-				if ( !parse_namedconf (path, dir, dirsize, func) )
+				if ( !parse_namedconf (path, chroot_dir, dir, dirsize, func) )
 					return 0;
 			}
 			else
@@ -310,8 +318,8 @@ main (int argc, char *argv[])
 
 	directory[0] = '\0';
 	if ( --argc == 0 )
-		parse_namedconf ("/var/named/named.conf", directory, sizeof (directory), printzone);
+		parse_namedconf ("/var/named/named.conf", NULL, directory, sizeof (directory), printzone);
 	else 
-		parse_namedconf (argv[1], directory, sizeof (directory), printzone);
+		parse_namedconf (argv[1], NULL, directory, sizeof (directory), printzone);
 }
 #endif
diff --git a/contrib/zkt/ncparse.h b/contrib/zkt/ncparse.h
index 4383c634f7..35d571ddc7 100644
--- a/contrib/zkt/ncparse.h
+++ b/contrib/zkt/ncparse.h
@@ -37,5 +37,5 @@
 
 #ifndef NCPARSE_H
 # define NCPARSE_H
-extern	int	parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ());
+extern	int	parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ());
 #endif
diff --git a/contrib/zkt/nscomm.c b/contrib/zkt/nscomm.c
new file mode 100644
index 0000000000..244035a3e8
--- /dev/null
+++ b/contrib/zkt/nscomm.c
@@ -0,0 +1,203 @@
+/*****************************************************************
+**
+**	@(#) nscomm.c  (c) 2005 - 2009  Holger Zuleger  hznet.de
+**
+**	Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include 
+
+#ifdef HAVE_CONFIG_H
+# include 
+#endif
+
+#include "config_zkt.h"
+#include "zconf.h"
+#define extern
+#include "nscomm.h"
+#undef extern
+
+
+/*****************************************************************
+**	dyn_update_freeze ()
+*****************************************************************/
+int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)
+{
+	char	cmdline[254+1];
+	char	str[254+1];
+	char	*action;
+	FILE	*fp;
+
+	assert (z != NULL);
+	if ( freeze )
+		action = "freeze";
+	else
+		action = "thaw";
+
+	if ( z->view )
+		snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
+	else
+		snprintf (str, sizeof (str), "\"%s\"", domain);
+
+	lg_mesg (LG_NOTICE, "%s: %s dynamic zone", str, action);
+	verbmesg (1, z, "\t%s dynamic zone %s\n", action, str);
+
+	if ( z->view )
+		snprintf (cmdline, sizeof (cmdline), "%s %s %s IN %s", RELOADCMD, action, domain, z->view);
+	else
+		snprintf (cmdline, sizeof (cmdline), "%s %s %s", RELOADCMD, action, domain);
+
+	verbmesg (2, z, "\t  Run cmd \"%s\"\n", cmdline);
+	*str = '\0';
+	if ( z->noexec == 0 )
+	{
+		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+			return -1;
+		pclose (fp);
+	}
+
+	verbmesg (2, z, "\t  rndc %s return: \"%s\"\n", action, str_chop (str, '\n'));
+
+	return 0;
+}
+
+/*****************************************************************
+**	distribute and reload a zone via "distribute_command"
+*****************************************************************/
+int	dist_and_reload (const zone_t *zp)
+{
+	char	path[MAX_PATHSIZE+1];
+	char	cmdline[254+1];
+	char	zone[254+1];
+	char	str[254+1];
+	FILE	*fp;
+
+	assert (zp != NULL);
+	assert (zp->conf->dist_cmd != NULL);
+
+	if ( !is_exec_ok (zp->conf->dist_cmd) )
+	{
+		char	*mesg;
+
+		if ( getuid () == 0 )
+			mesg = "\tDistribution command %s not run as root\n";
+		else
+			mesg = "\tDistribution command %s not run due to strange file mode settings\n";
+
+		verbmesg (1, zp->conf, mesg, zp->conf->dist_cmd);
+		lg_mesg (LG_ERROR, "exec of distribution command %s disabled due to security reasons", zp->conf->dist_cmd);
+
+		return -1;
+	}
+
+	if ( zp->conf->view )
+		snprintf (zone, sizeof (zone), "\"%s\" in view \"%s\"", zp->zone, zp->conf->view);
+	else
+		snprintf (zone, sizeof (zone), "\"%s\"", zp->zone);
+
+
+	pathname (path, sizeof (path), zp->dir, zp->sfile, NULL);
+
+	lg_mesg (LG_NOTICE, "%s: distribution triggered", zone);
+	verbmesg (1, zp->conf, "\tDistribute zone %s\n", zone);
+	if ( zp->conf->view )
+		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
+	else
+		snprintf (cmdline, sizeof (cmdline), "%s distribute %s %s", zp->conf->dist_cmd, zp->zone, path);
+
+	*str = '\0';
+	if ( zp->conf->noexec == 0 )
+	{
+		verbmesg (2, zp->conf, "\t  Run cmd \"%s\"\n", cmdline);
+		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+			return -2;
+		pclose (fp);
+		verbmesg (2, zp->conf, "\t  %s distribute return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+	}
+
+
+	lg_mesg (LG_NOTICE, "%s: reload triggered", zone);
+	verbmesg (1, zp->conf, "\tReload zone %s\n", zone);
+	if ( zp->conf->view )
+		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s %s", zp->conf->dist_cmd, zp->zone, path, zp->conf->view);
+	else
+		snprintf (cmdline, sizeof (cmdline), "%s reload %s %s", zp->conf->dist_cmd, zp->zone, path);
+
+	*str = '\0';
+	if ( zp->conf->noexec == 0 )
+	{
+		verbmesg (2, zp->conf, "\t  Run cmd \"%s\"\n", cmdline);
+		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+			return -2;
+		pclose (fp);
+		verbmesg (2, zp->conf, "\t  %s reload return: \"%s\"\n", zp->conf->dist_cmd, str_chop (str, '\n'));
+	}
+
+	return 0;
+}
+
+/*****************************************************************
+**	reload a zone via "rndc"
+*****************************************************************/
+int	reload_zone (const char *domain, const zconf_t *z)
+{
+	char	cmdline[254+1];
+	char	str[254+1];
+	FILE	*fp;
+
+	assert (z != NULL);
+	dbg_val3 ("reload_zone %d :%s: :%s:\n", z->verbosity, domain, z->view);
+	if ( z->view )
+		snprintf (str, sizeof (str), "\"%s\" in view \"%s\"", domain, z->view);
+	else
+		snprintf (str, sizeof (str), "\"%s\"", domain);
+
+	lg_mesg (LG_NOTICE, "%s: reload triggered", str);
+	verbmesg (1, z, "\tReload zone %s\n", str);
+
+	if ( z->view )
+		snprintf (cmdline, sizeof (cmdline), "%s reload %s IN %s", RELOADCMD, domain, z->view);
+	else
+		snprintf (cmdline, sizeof (cmdline), "%s reload %s", RELOADCMD, domain);
+
+	*str = '\0';
+	if ( z->noexec == 0 )
+	{
+		verbmesg (2, z, "\t  Run cmd \"%s\"\n", cmdline);
+		if ( (fp = popen (cmdline, "r")) == NULL || fgets (str, sizeof str, fp) == NULL )
+			return -1;
+		pclose (fp);
+		verbmesg (2, z, "\t  rndc reload return: \"%s\"\n", str_chop (str, '\n'));
+	}
+
+	return 0;
+}
diff --git a/contrib/zkt/nscomm.h b/contrib/zkt/nscomm.h
new file mode 100644
index 0000000000..c4621dcedd
--- /dev/null
+++ b/contrib/zkt/nscomm.h
@@ -0,0 +1,52 @@
+/*****************************************************************
+**
+**	@(#) nscomm.h  (c) 2005 - 2009  Holger Zuleger  hznet.de
+**
+**	Copyright (c) 2005 - 2009, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+#ifndef NSCOMM_H
+# include 
+# include 
+# include 
+
+# include "zconf.h"
+# include "zone.h"
+# include "log.h"
+# include "misc.h"
+# include "debug.h"
+# define NSCOMM_H
+
+extern	int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze);
+extern	int	reload_zone (const char *domain, const zconf_t *z);
+extern	int	dist_and_reload (const zone_t *zp);
+#endif
diff --git a/contrib/zkt/rollover.c b/contrib/zkt/rollover.c
index e2b754fb16..104ef45bb4 100644
--- a/contrib/zkt/rollover.c
+++ b/contrib/zkt/rollover.c
@@ -72,7 +72,24 @@ static	dki_t	*genkey (dki_t **listp, const char *dir, const char *domain, int ks
 	if ( ksk )
 		dkp = dki_new (dir, domain, DKI_KSK, conf->k_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
 	else
-		dkp = dki_new (dir, domain, DKI_ZSK, conf->z_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+		dkp = dki_new (dir, domain, DKI_ZSK, conf->k_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
+	dki_add (listp, dkp);
+	dki_setstatus (dkp, status);
+
+	return dkp;
+}
+
+static	dki_t	*genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)
+{
+	dki_t	*dkp;
+
+	if ( listp == NULL || domain == NULL )
+		return NULL;
+
+	if ( ksk )
+		dkp = dki_new (dir, domain, DKI_KSK, conf->k2_algo, conf->k_bits, conf->k_random, conf->k_life / DAYSEC);
+	else
+		dkp = dki_new (dir, domain, DKI_ZSK, conf->k2_algo, conf->z_bits, conf->z_random, conf->z_life / DAYSEC);
 	dki_add (listp, dkp);
 	dki_setstatus (dkp, status);
 
@@ -235,7 +252,7 @@ static	int	kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
 	/* check if we have to change the ksk ? */
 	if ( lifetime > 0 && age > lifetime && !fileexist (path) )	/* lifetime is over and no kskrollover in progress */
 	{
-		/* we are using hierachical mode and the parent directory contains a signed zone ? */
+		/* we are in hierachical mode and the parent directory contains a signed zone ? */
 		if ( z->keysetdir && strcmp (z->keysetdir, "..") == 0 && is_parentdirsigned (zonelist, zp) )
 		{
 			verbmesg (2, z, "\t\tkskrollover: create new key signing key\n");
@@ -249,7 +266,7 @@ static	int	kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)
 			lg_mesg (LG_INFO, "\"%s\": kskrollover phase1: New key %d generated", zp->zone, ksk->tag);
 
 			/* find the oldest active ksk to create the parent file */
-			if ( (ksk = (dki_t *)dki_find (zp->keys, 1, 'a', 1)) == NULL )
+			if ( (ksk = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, zp->conf->k_algo, 'a', 1)) == NULL )
 				lg_mesg (LG_ERROR, "kskrollover phase1: Couldn't find the old active key\n");
 			if ( !create_parent_file (path, 1, z->key_ttl, ksk) )
 				lg_mesg (LG_ERROR, "Couldn't create parentfile %s\n", path);
@@ -373,7 +390,8 @@ int	ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
 	{
 		exptime = get_exptime (dkp, z);
 		if ( dki_isrevoked (dkp) )
-			lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key with exptime of: %s", domain, time2str (exptime, 's'));
+			lg_mesg (LG_DEBUG, "zone \"%s\": found revoked key (id=%d exptime=%s); waiting for remove hold down time",
+							domain, dkp->tag, time2str (exptime, 's'));
 
 		/* revoked key is older than 30 days? */
 		if ( dki_isrevoked (dkp) && currtime > exptime + REMOVE_HOLD_DOWN )
@@ -408,7 +426,7 @@ int	ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
 	lg_mesg (LG_DEBUG, "Stb time: %s", time2str (dki_time (standbykey), 's'));
 	lg_mesg (LG_DEBUG, "Stb time+wait: %s", time2str (dki_time (standbykey) + min (DAYSEC * 30, z->key_ttl), 's'));
 #endif
-	/* At the time we first introduce a standby key, the lifetime of the current KSK should not be expired, */
+	/* At the first time we introduce a standby key, the lifetime of the current KSK shouldn't be expired, */
 	/* otherwise we run into an (nearly) immediate key rollover!	*/
 	if ( currtime > exptime && currtime > dki_time (standbykey) + min (ADD_HOLD_DOWN, z->key_ttl) )
 	{
@@ -423,7 +441,7 @@ int	ksk5011status (dki_t **listp, const char *dir, const char *domain, const zco
 			lg_mesg (LG_ERROR, "\%s\": can't generate new standby KSK", domain);
 		}
 		else
-			lg_mesg (LG_INFO, "\"%s\": generated new standby KSK %d", domain, dkp->tag);
+			lg_mesg (LG_NOTICE, "\"%s\": generated new standby KSK %d", domain, dkp->tag);
 
 		/* standby key gets active  */
 		verbmesg (2, z, "\t\t=>Activating old standby key %d \n", standbykey->tag);
@@ -462,7 +480,7 @@ int	kskstatus (zone_t *zonelist, zone_t *zp)
 
 	verbmesg (1, z, "\tCheck KSK status\n");
 	/* check if a key signing key exist ? */
-	akey = (dki_t *)dki_find (zp->keys, 1, 'a', 1);
+	akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k_algo, 'a', 1);
 	if ( akey == NULL )
 	{
 		verbmesg (1, z, "\tNo active KSK found: generate new one\n");
@@ -477,9 +495,31 @@ int	kskstatus (zone_t *zonelist, zone_t *zp)
 			lg_mesg (LG_INFO, "\"%s\": generated new KSK %d", zp->zone, akey->tag);
 		return akey != NULL;	/* return value of 1 forces a resigning of the zone */
 	}
-	else	/* try to start a full automatic ksk rollover */
+	else	/* try to start a full automated ksk rollover */
 		kskrollover (akey, zonelist, zp);
 
+	/* is a second algorithm requested ? (since 0.99) */
+	if ( z->k2_algo && z->k2_algo != z->k_algo )
+	{
+		/* check for ksk supporting the additional algorithm */
+		akey = (dki_t *)dki_findalgo (zp->keys, DKI_KSK, z->k2_algo, 'a', 1);
+		if ( akey == NULL )
+		{
+			verbmesg (1, z, "\tNo active KSK for second algorithm found: generate new one\n");
+			akey = genkey2 (&zp->keys, zp->dir, zp->zone, DKI_KSK, z, DKI_ACTIVE);
+			if ( !akey )
+			{
+				error ("\tcould not generate new KSK for 2nd algorithm\n");
+				lg_mesg (LG_ERROR, "\"%s\": can't generate new KSK for 2nd algorithm: \"%s\"",
+									zp->zone, dki_geterrstr());
+			}
+			else
+				lg_mesg (LG_INFO, "\"%s\": generated new KSK %d for 2nd algorithm",
+										zp->zone, akey->tag);
+			return 1;	/* return value of 1 forces a resigning of the zone */
+		}
+	}
+
 	return 0;
 }
 
@@ -540,7 +580,7 @@ int	zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
 	/* check status of active key */
 	dbg_msg("zskstatus check status of active key ");
 	lifetime = z->z_life;			/* global configured lifetime for zsk */
-	akey = (dki_t *)dki_find (*listp, 0, 'a', 1);
+	akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 1);
 	if ( akey == NULL && lifetime > 0 )	/* no active key found */
 	{
 		verbmesg (1, z, "\tNo active ZSK found: generate new one\n");
@@ -560,9 +600,9 @@ int	zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
 					lifetime, (OFFSET) , akey->tag, dki_age (akey, currtime) );
 
 			/* depreciate the key only if there is another active or published key */
-			if ( (nextkey = (dki_t *)dki_find (*listp, 0, 'a', 2)) == NULL ||
+			if ( (nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'a', 2)) == NULL ||
 			      nextkey == akey )
-				nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
+				nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1);
 
 			/* Is the published key sufficient long in the zone ? */
 			/* As mentioned by Olaf, this should be the ttl of the DNSKEY RR ! */
@@ -591,7 +631,7 @@ int	zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
 	 * time will be checked just before the active key will be removed.
 	 * See above).
 	 */
-	nextkey = (dki_t *)dki_find (*listp, 0, 'p', 1);
+	nextkey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k_algo, 'p', 1);
 	if ( nextkey == NULL && lifetime > 0 && (akey == NULL ||
 	     dki_age (akey, currtime + z->resign) > lifetime - (OFFSET)) )
 	{
@@ -611,6 +651,29 @@ int	zskstatus (dki_t **listp, const char *dir, const char *domain, const zconf_t
 								domain, dki_geterrstr());
 		}
 	}
+
+	/* is a second algorithm requested ? (since 0.99) */
+	if ( z->k2_algo && z->k2_algo != z->k_algo )
+	{
+		/* check for zsk supporting the additional algorithm */
+		akey = (dki_t *)dki_findalgo (*listp, DKI_ZSK, z->k2_algo, 'a', 1);
+		if ( akey == NULL )
+		{
+			verbmesg (1, z, "\tNo active ZSK for second algorithm found: generate new one\n");
+			akey = genkey2 (listp, dir, domain, DKI_ZSK, z, DKI_ACTIVE);
+			if ( !akey )
+			{
+				error ("\tcould not generate new ZSK for 2nd algorithm\n");
+				lg_mesg (LG_ERROR, "\"%s\": can't generate new ZSK for 2nd algorithm: \"%s\"",
+									domain, dki_geterrstr());
+			}
+			else
+				lg_mesg (LG_INFO, "\"%s\": generated new ZSK %d for 2nd algorithm",
+										domain, akey->tag);
+			return 1;	/* return value of 1 forces a resigning of the zone */
+		}
+	}
+
 	return keychange;
 }
 
diff --git a/contrib/zkt/soaserial.c b/contrib/zkt/soaserial.c
new file mode 100644
index 0000000000..0f6eb2196e
--- /dev/null
+++ b/contrib/zkt/soaserial.c
@@ -0,0 +1,269 @@
+/*****************************************************************
+**
+**	@(#) soaserial.c -- helper function for the dnssec zone key tools
+**
+**	Copyright (c) Jan 2005, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+# include 
+# include 
+# include 
+# include 
+# include 
+# include 
+# include 
+# include 
+# include 
+#ifdef HAVE_CONFIG_H
+# include 
+#endif
+# include "config_zkt.h"
+# include "zconf.h"
+# include "log.h"
+# include "debug.h"
+#define extern
+# include "soaserial.h"
+#undef extern
+
+static	int	inc_soa_serial (FILE *fp, int use_unixtime);
+static	int	is_soa_rr (const char *line);
+static	const	char	*strfindstr (const char *str, const char *search);
+
+
+/****************************************************************
+**
+**	int	inc_serial (filename, use_unixtime)
+**
+**	This function depends on a special syntax formating the
+**	SOA record in the zone file!!
+**
+**	To match the SOA record, the SOA RR must be formatted
+**	like this:
+**	@ [ttl]   IN  SOA   (
+**	      1234567890; serial number 
+**	      86400	 ; other values
+**				...
+**	The space from the first digit of the serial number to
+**	the first none white space char or to the end of the line
+**	must be at least 10 characters!
+**	So you have to left justify the serial number in a field
+**	of at least 10 characters like this:
+**	      1         ; Serial 
+**
+****************************************************************/
+int	inc_serial (const char *fname, int use_unixtime)
+{
+	FILE	*fp;
+	char	buf[4095+1];
+	int	error;
+
+	/**
+	   since BIND 9.4, there is a dnssec-signzone option available for
+	   serial number increment.
+	   If the user requests "unixtime"; then use this mechanism.
+	**/
+#if defined(BIND_VERSION) && BIND_VERSION >= 940
+	if ( use_unixtime )
+		return 0;
+#endif
+	if ( (fp = fopen (fname, "r+")) == NULL )
+		return -1;
+
+		/* read until the line matches the beginning of a soa record ... */
+	while ( fgets (buf, sizeof buf, fp) && !is_soa_rr (buf) )
+		;
+
+	if ( feof (fp) )
+	{
+		fclose (fp);
+		return -2;
+	}
+
+	error = inc_soa_serial (fp, use_unixtime);	/* .. inc soa serial no ... */
+
+	if ( fclose (fp) != 0 )
+		return -5;
+	return error;
+}
+
+/*****************************************************************
+**	check if line is the beginning of a SOA RR record, thus
+**	containing the string "IN .* SOA" and ends with a '('
+**	returns 1 if true
+*****************************************************************/
+static	int	is_soa_rr (const char *line)
+{
+	const	char	*p;
+
+	assert ( line != NULL );
+
+	if ( (p = strfindstr (line, "IN")) && strfindstr (p+2, "SOA") )	/* line contains "IN" and "SOA" */
+	{
+		p = line + strlen (line) - 1;
+		while ( p > line && isspace (*p) )
+			p--;
+		if ( *p == '(' )	/* last character have to be a '(' to start a multi line record */
+			return 1;
+	}
+
+	return 0;
+}
+
+/*****************************************************************
+**	Find string 'search' in 'str' and ignore case in comparison.
+**	returns the position of 'search' in 'str' or NULL if not found.
+*****************************************************************/
+static	const	char	*strfindstr (const char *str, const char *search)
+{
+	const	char	*p;
+	int		c;
+
+	assert ( str != NULL );
+	assert ( search != NULL );
+
+	c = tolower (*search);
+	p = str;
+	do {
+		while ( *p && tolower (*p) != c )
+			p++;
+		if ( strncasecmp (p, search, strlen (search)) == 0 )
+			return p;
+		p++;
+	} while ( *p );
+
+	return NULL;
+}
+
+/*****************************************************************
+**	return the serial number of the given time in the form
+**	of YYYYmmdd00 as ulong value
+*****************************************************************/
+static	ulong	serialtime (time_t sec)
+{
+	struct	tm	*t;
+	ulong	serialtime;
+
+	t = gmtime (&sec);
+	serialtime = (t->tm_year + 1900) * 10000;
+	serialtime += (t->tm_mon+1) * 100;
+	serialtime += t->tm_mday;
+	serialtime *= 100;
+
+	return serialtime;
+}
+
+/*****************************************************************
+**	inc_soa_serial (fp, use_unixtime)
+**	increment the soa serial number of the file 'fp'
+**	'fp' must be opened "r+"
+*****************************************************************/
+static	int	inc_soa_serial (FILE *fp, int use_unixtime)
+{
+	int	c;
+	long	pos,	eos;
+	ulong	serial;
+	int	digits;
+	ulong	today;
+
+	/* move forward until any non ws reached */
+	while ( (c = getc (fp)) != EOF && isspace (c) )
+		;
+	ungetc (c, fp);		/* push back the last char */
+
+	pos = ftell (fp);	/* mark position */
+
+	serial = 0L;	/* read in the current serial number */
+	/* be aware of the trailing space in the format string !! */
+	if ( fscanf (fp, "%lu ", &serial) != 1 )	/* try to get serial no */
+		return -3;
+	eos = ftell (fp);	/* mark first non digit/ws character pos */
+
+	digits = eos - pos;
+	if ( digits < 10 )	/* not enough space for serial no ? */
+		return -4;
+
+	today = time (NULL);
+	if ( !use_unixtime )
+	{
+		today = serialtime (today);	/* YYYYmmdd00 */
+		if ( serial > 1970010100L && serial < today )	
+			serial = today;			/* set to current time */
+		serial++;			/* increment anyway */
+	}
+
+	fseek (fp, pos, SEEK_SET);	/* go back to the beginning */
+	fprintf (fp, "%-*lu", digits, serial);	/* write as many chars as before */
+
+	return 1;	/* yep! */
+}
+
+/*****************************************************************
+**	return the error text of the inc_serial return coode
+*****************************************************************/
+const	char	*inc_errstr (int err)
+{
+	switch ( err )
+	{
+	case -1:	return "couldn't open zone file for modifying";
+	case -2:	return "unexpected end of file";
+	case -3:	return "no serial number found in zone file";
+	case -4:	return "not enough space left for serialno";
+	case -5:	return "error on closing zone file";
+	}
+	return "";
+}
+
+#ifdef SOA_TEST
+const char *progname;
+main (int argc, char *argv[])
+{
+	ulong	now;
+	int	err;
+	char	cmd[255];
+
+	progname = *argv;
+
+	now = time (NULL);
+	now = serialtime (now);
+	printf ("now = %lu\n", now);
+
+	if ( (err = inc_serial (argv[1], 0)) <= 0 )
+	{
+		error ("can't change serial errno=%d\n", err);
+		exit (1);
+	}
+
+	snprintf (cmd, sizeof(cmd), "head -15 %s", argv[1]);
+	system (cmd);
+}
+#endif
+
diff --git a/contrib/zkt/soaserial.h b/contrib/zkt/soaserial.h
new file mode 100644
index 0000000000..08e34eec4d
--- /dev/null
+++ b/contrib/zkt/soaserial.h
@@ -0,0 +1,41 @@
+/*****************************************************************
+**
+**	@(#) soserial.h  (c) 2005 - 2007  Holger Zuleger  hznet.de
+**
+**	Copyright (c) 2005 - 2007, Holger Zuleger HZnet. All rights reserved.
+**
+**	This software is open source.
+**
+**	Redistribution and use in source and binary forms, with or without
+**	modification, are permitted provided that the following conditions
+**	are met:
+**
+**	Redistributions of source code must retain the above copyright notice,
+**	this list of conditions and the following disclaimer.
+**
+**	Redistributions in binary form must reproduce the above copyright notice,
+**	this list of conditions and the following disclaimer in the documentation
+**	and/or other materials provided with the distribution.
+**
+**	Neither the name of Holger Zuleger HZnet nor the names of its contributors may
+**	be used to endorse or promote products derived from this software without
+**	specific prior written permission.
+**
+**	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+**	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+**	TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+**	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+**	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+**	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+**	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+**	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+**	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+**	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+**	POSSIBILITY OF SUCH DAMAGE.
+**
+*****************************************************************/
+#ifndef SOASERIAL_H
+# define SOASERIAL_H
+extern	int	inc_serial (const char *fname, int use_unixtime);
+extern	const	char	*inc_errstr (int err);
+#endif
diff --git a/contrib/zkt/tags b/contrib/zkt/tags
index 4fc5a23748..f64df2dba0 100644
--- a/contrib/zkt/tags
+++ b/contrib/zkt/tags
@@ -3,24 +3,24 @@
 !_TAG_PROGRAM_AUTHOR	Darren Hiebert	/dhiebert@users.sourceforge.net/
 !_TAG_PROGRAM_NAME	Exuberant Ctags	//
 !_TAG_PROGRAM_URL	http://ctags.sourceforge.net	/official site/
-!_TAG_PROGRAM_VERSION	5.5.4	//
-CONF_ALGO	zconf.c	/^	CONF_ALGO,$/;"	e	file:
-CONF_BOOL	zconf.c	/^	CONF_BOOL,$/;"	e	file:
-CONF_COMMENT	zconf.c	/^	CONF_COMMENT,$/;"	e	file:
-CONF_END	zconf.c	/^	CONF_END = 0,$/;"	e	file:
-CONF_FACILITY	zconf.c	/^	CONF_FACILITY,$/;"	e	file:
-CONF_INT	zconf.c	/^	CONF_INT,$/;"	e	file:
-CONF_LEVEL	zconf.c	/^	CONF_LEVEL,$/;"	e	file:
-CONF_SERIAL	zconf.c	/^	CONF_SERIAL,$/;"	e	file:
-CONF_STRING	zconf.c	/^	CONF_STRING,$/;"	e	file:
-CONF_TIMEINT	zconf.c	/^	CONF_TIMEINT,$/;"	e	file:
-ISCOMMENT	zconf.c	68;"	d	file:
-ISDELIM	zconf.c	70;"	d	file:
-ISTRUE	zconf.c	66;"	d	file:
-KEYSET_FILE_PFX	dnssec-signer.c	691;"	d	file:
+!_TAG_PROGRAM_VERSION	5.6	//
+CONF_ALGO	zconf.c	/^	CONF_ALGO,$/;"	e	enum:__anon2	file:
+CONF_BOOL	zconf.c	/^	CONF_BOOL,$/;"	e	enum:__anon2	file:
+CONF_COMMENT	zconf.c	/^	CONF_COMMENT,$/;"	e	enum:__anon2	file:
+CONF_END	zconf.c	/^	CONF_END = 0,$/;"	e	enum:__anon2	file:
+CONF_FACILITY	zconf.c	/^	CONF_FACILITY,$/;"	e	enum:__anon2	file:
+CONF_INT	zconf.c	/^	CONF_INT,$/;"	e	enum:__anon2	file:
+CONF_LEVEL	zconf.c	/^	CONF_LEVEL,$/;"	e	enum:__anon2	file:
+CONF_SERIAL	zconf.c	/^	CONF_SERIAL,$/;"	e	enum:__anon2	file:
+CONF_STRING	zconf.c	/^	CONF_STRING,$/;"	e	enum:__anon2	file:
+CONF_TIMEINT	zconf.c	/^	CONF_TIMEINT,$/;"	e	enum:__anon2	file:
+ISCOMMENT	zconf.c	67;"	d	file:
+ISDELIM	zconf.c	69;"	d	file:
+ISTRUE	zconf.c	65;"	d	file:
+KEYSET_FILE_PFX	dnssec-signer.c	709;"	d	file:
 KeyWords	ncparse.c	/^static struct KeyWords {$/;"	s	file:
 MAXFNAME	log.c	97;"	d	file:
-STRCONFIG_DELIMITER	zconf.c	513;"	d	file:
+STRCONFIG_DELIMITER	zconf.c	529;"	d	file:
 TAINTEDCHARS	misc.c	60;"	d	file:
 TOK_DELEGATION	ncparse.c	59;"	d	file:
 TOK_DIR	ncparse.c	49;"	d	file:
@@ -36,17 +36,17 @@ TOK_TYPE	ncparse.c	53;"	d	file:
 TOK_UNKNOWN	ncparse.c	64;"	d	file:
 TOK_VIEW	ncparse.c	60;"	d	file:
 TOK_ZONE	ncparse.c	52;"	d	file:
-a	domaincmp.c	/^         char    *a;$/;"	m	file:
+a	domaincmp.c	/^         char    *a;$/;"	m	struct:__anon1	file:
 add2zonelist	dnssec-signer.c	/^static	int	add2zonelist (const char *dir, const char *view, const char *zone, const char *file)$/;"	f	file:
 age2str	misc.c	/^char	*age2str (time_t sec)$/;"	f
 ageflag	dnssec-zkt.c	/^int	ageflag = 0;$/;"	v
-b	domaincmp.c	/^         char    *b;$/;"	m	file:
-bind94_dynzone	dnssec-signer.c	131;"	d	file:
-bind96_dynzone	dnssec-signer.c	132;"	d	file:
+b	domaincmp.c	/^         char    *b;$/;"	m	struct:__anon1	file:
+bind94_dynzone	dnssec-signer.c	130;"	d	file:
+bind96_dynzone	dnssec-signer.c	131;"	d	file:
 bool2str	zconf.c	/^static	const char	*bool2str (int val)$/;"	f	file:
 check_keydb_timestamp	dnssec-signer.c	/^static	int	check_keydb_timestamp (dki_t *keylist, time_t reftime)$/;"	f	file:
 checkconfig	zconf.c	/^int	checkconfig (const zconf_t *z)$/;"	f
-cmdline	zconf.c	/^	int	cmdline;	\/* is this a command line parameter ? *\/$/;"	m	file:
+cmdline	zconf.c	/^	int	cmdline;	\/* is this a command line parameter ? *\/$/;"	m	struct:__anon3	file:
 cmpfile	misc.c	/^int	cmpfile (const char *file1, const char *file2)$/;"	f
 config	dnssec-signer.c	/^static	zconf_t	*config;$/;"	v	file:
 config	zconf.c	/^static	zconf_t	*config;$/;"	v	file:
@@ -57,13 +57,14 @@ copyzonefile	misc.c	/^int	copyzonefile (const char *fromfile, const char *tofile
 create_parent_file	dnssec-zkt.c	/^static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;"	f	file:
 create_parent_file	rollover.c	/^static	int	create_parent_file (const char *fname, int phase, int ttl, const dki_t *dkp)$/;"	f	file:
 createkey	dnssec-zkt.c	/^static	void	createkey (const char *keyname, const dki_t *list, const zconf_t *conf)$/;"	f	file:
-ctype_t	zconf.c	/^} ctype_t;$/;"	t	file:
+ctype_t	zconf.c	/^} ctype_t;$/;"	t	typeref:enum:__anon2	file:
 def	zconf.c	/^static	zconf_t	def = {$/;"	v	file:
 dirflag	dnssec-zkt.c	/^static	int	dirflag = 0;$/;"	v	file:
-dirname	dnssec-signer.c	/^const	char	*dirname = NULL;$/;"	v
-dist_and_reload	dnssec-signer.c	/^static	int	dist_and_reload (const zone_t *zp)$/;"	f	file:
+dirname	dnssec-signer.c	/^static	const	char	*dirname = NULL;$/;"	v	file:
+dist_and_reload	nscomm.c	/^int	dist_and_reload (const zone_t *zp)$/;"	f
 dki_add	dki.c	/^dki_t	*dki_add (dki_t **list, dki_t *new)$/;"	f
 dki_age	dki.c	/^int	dki_age (const dki_t *dkp, time_t curr)$/;"	f
+dki_algo	dki.c	/^time_t	dki_algo (const dki_t *dkp)$/;"	f
 dki_algo2sstr	dki.c	/^char	*dki_algo2sstr (int algo)$/;"	f
 dki_algo2str	dki.c	/^char	*dki_algo2str (int algo)$/;"	f
 dki_allcmp	dki.c	/^int	dki_allcmp (const dki_t *a, const dki_t *b)$/;"	f
@@ -73,6 +74,7 @@ dki_destroy	dki.c	/^dki_t	*dki_destroy (dki_t *dkp)$/;"	f
 dki_estr	dki.c	/^static	char	dki_estr[255+1];$/;"	v	file:
 dki_exptime	dki.c	/^time_t	dki_exptime (const dki_t *dkp)$/;"	f
 dki_find	dki.c	/^const dki_t	*dki_find (const dki_t *list, int ksk, int status, int no)$/;"	f
+dki_findalgo	dki.c	/^const dki_t	*dki_findalgo (const dki_t *list, int ksk, int alg, int status, int no)$/;"	f
 dki_free	dki.c	/^void	dki_free (dki_t *dkp)$/;"	f
 dki_freelist	dki.c	/^void	dki_freelist (dki_t **listp)$/;"	f
 dki_gentime	dki.c	/^time_t	dki_gentime (const dki_t *dkp)$/;"	f
@@ -117,10 +119,10 @@ domain_canonicdup	misc.c	/^char	*domain_canonicdup (const char *s)$/;"	f
 domaincmp	domaincmp.c	/^int     domaincmp (const char *a, const char *b)$/;"	f
 dosigning	dnssec-signer.c	/^static	int	dosigning (zone_t *zonelist, zone_t *zp)$/;"	f	file:
 dupconfig	zconf.c	/^zconf_t	*dupconfig (const zconf_t *conf)$/;"	f
-dyn_update_freeze	dnssec-signer.c	/^static	int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;"	f	file:
+dyn_update_freeze	nscomm.c	/^int	dyn_update_freeze (const char *domain, const zconf_t *z, int freeze)$/;"	f
 dynamic_zone	dnssec-signer.c	/^static	int	dynamic_zone = 0;	\/* dynamic zone ? *\/$/;"	v	file:
 error	misc.c	/^void error (char *fmt, ...)$/;"	f
-ex	domaincmp.c	/^} ex[] = {$/;"	v	file:
+ex	domaincmp.c	/^} ex[] = {$/;"	v	typeref:struct:__anon1	file:
 exptimeflag	dnssec-zkt.c	/^int	exptimeflag = 0;$/;"	v
 extern	dki.c	59;"	d	file:
 extern	dki.c	61;"	d	file:
@@ -132,10 +134,14 @@ extern	misc.c	56;"	d	file:
 extern	misc.c	58;"	d	file:
 extern	ncparse.c	44;"	d	file:
 extern	ncparse.c	46;"	d	file:
+extern	nscomm.c	45;"	d	file:
+extern	nscomm.c	47;"	d	file:
 extern	rollover.c	57;"	d	file:
 extern	rollover.c	59;"	d	file:
-extern	zconf.c	61;"	d	file:
-extern	zconf.c	63;"	d	file:
+extern	soaserial.c	53;"	d	file:
+extern	soaserial.c	55;"	d	file:
+extern	zconf.c	60;"	d	file:
+extern	zconf.c	62;"	d	file:
 extern	zkt.c	47;"	d	file:
 extern	zkt.c	49;"	d	file:
 extern	zone.c	53;"	d	file:
@@ -147,6 +153,8 @@ fileexist	misc.c	/^int	fileexist (const char *name)$/;"	f
 filesize	misc.c	/^size_t	filesize (const char *name)$/;"	f
 force	dnssec-signer.c	/^static	int	force = 0;$/;"	v	file:
 genkey	rollover.c	/^static	dki_t	*genkey (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;"	f	file:
+genkey2	rollover.c	/^static	dki_t	*genkey2 (dki_t **listp, const char *dir, const char *domain, int ksk, const zconf_t *conf, int status)$/;"	f	file:
+gensalt	misc.c	/^int	gensalt (char *salt, size_t saltsize, int saltbits)$/;"	f
 get_exptime	rollover.c	/^static	time_t	get_exptime (dki_t *key, const zconf_t *z)$/;"	f	file:
 get_parent_phase	dnssec-zkt.c	/^static	int	get_parent_phase (const char *file)$/;"	f	file:
 get_parent_phase	rollover.c	/^static	int	get_parent_phase (const char *file)$/;"	f	file:
@@ -156,15 +164,15 @@ gettok	ncparse.c	/^static	int	gettok (FILE *fp, char *val, size_t valsize)$/;"	f
 goto_labelstart	domaincmp.c	47;"	d	file:
 headerflag	dnssec-zkt.c	/^int	headerflag = 1;$/;"	v
 in_strarr	misc.c	/^int	in_strarr (const char *str, char *const arr[], int cnt)$/;"	f
-inc_errstr	misc.c	/^const	char	*inc_errstr (int err)$/;"	f
-inc_serial	misc.c	/^int	inc_serial (const char *fname, int use_unixtime)$/;"	f
-inc_soa_serial	misc.c	/^static	int	inc_soa_serial (FILE *fp, int use_unixtime)$/;"	f	file:
+inc_errstr	soaserial.c	/^const	char	*inc_errstr (int err)$/;"	f
+inc_serial	soaserial.c	/^int	inc_serial (const char *fname, int use_unixtime)$/;"	f
+inc_soa_serial	soaserial.c	/^static	int	inc_soa_serial (FILE *fp, int use_unixtime)$/;"	f	file:
 is_directory	misc.c	/^int	is_directory (const char *name)$/;"	f
-is_dotfile	misc.c	/^int	is_dotfile (const char *name)$/;"	f
+is_dotfilename	misc.c	/^int	is_dotfilename (const char *name)$/;"	f
 is_exec_ok	misc.c	/^int	is_exec_ok (const char *prog)$/;"	f
 is_keyfilename	misc.c	/^int	is_keyfilename (const char *name)$/;"	f
 is_parentdirsigned	rollover.c	/^static	int	is_parentdirsigned (const zone_t *zonelist, const zone_t *zp)$/;"	f	file:
-is_soa_rr	misc.c	/^static	int	is_soa_rr (const char *line)$/;"	f	file:
+is_soa_rr	soaserial.c	/^static	int	is_soa_rr (const char *line)$/;"	f	file:
 isinlist	strlist.c	/^int	isinlist (const char *str, const char *list)$/;"	f
 ksk5011status	rollover.c	/^int	ksk5011status (dki_t **listp, const char *dir, const char *domain, const zconf_t *z)$/;"	f
 ksk_roll	dnssec-zkt.c	/^static	void	ksk_roll (const char *keyname, int phase, const dki_t *list, const zconf_t *conf)$/;"	f	file:
@@ -172,10 +180,10 @@ kskdomain	dnssec-zkt.c	/^static	char	*kskdomain = "";$/;"	v	file:
 kskflag	dnssec-zkt.c	/^int	kskflag = 1;$/;"	v
 kskrollover	rollover.c	/^static	int	kskrollover (dki_t *ksk, zone_t *zonelist, zone_t *zp)$/;"	f	file:
 kskstatus	rollover.c	/^int	kskstatus (zone_t *zonelist, zone_t *zp)$/;"	f
-kw	ncparse.c	/^} kw[] = {$/;"	v	file:
-label	zconf.c	/^	char	*label;		\/* the name of the paramter *\/$/;"	m	file:
+kw	ncparse.c	/^} kw[] = {$/;"	v	typeref:struct:KeyWords	file:
+label	zconf.c	/^	char	*label;		\/* the name of the paramter *\/$/;"	m	struct:__anon3	file:
 labellist	dnssec-zkt.c	/^char	*labellist = NULL;$/;"	v
-level	log.c	/^	lg_lvl_t	level;$/;"	m	file:
+level	log.c	/^	lg_lvl_t	level;$/;"	m	struct:__anon4	file:
 lg_args	log.c	/^void	lg_args (lg_lvl_t level, int argc, char * const argv[])$/;"	f
 lg_close	log.c	/^int	lg_close ()$/;"	f
 lg_errcnt	log.c	/^static	long	lg_errcnt;$/;"	v	file:
@@ -193,7 +201,7 @@ lg_reseterrcnt	log.c	/^long	lg_reseterrcnt ()$/;"	f
 lg_seterrcnt	log.c	/^long	lg_seterrcnt (long value)$/;"	f
 lg_str2lvl	log.c	/^lg_lvl_t	lg_str2lvl (const char *name)$/;"	f
 lg_str2syslog	log.c	/^int	lg_str2syslog (const char *facility)$/;"	f
-lg_symtbl_t	log.c	/^} lg_symtbl_t;$/;"	t	file:
+lg_symtbl_t	log.c	/^} lg_symtbl_t;$/;"	t	typeref:struct:__anon4	file:
 lg_syslogging	log.c	/^static	int	lg_syslogging;$/;"	v	file:
 lifetime	dnssec-zkt.c	/^int	lifetime = 0;$/;"	v
 lifetimeflag	dnssec-zkt.c	/^int	lifetimeflag = 0;$/;"	v
@@ -204,17 +212,17 @@ list_trustedkey	zkt.c	/^static	void	list_trustedkey (const dki_t **nodep, const
 ljustflag	dnssec-zkt.c	/^int	ljustflag = 0;$/;"	v
 loadconfig	zconf.c	/^zconf_t	*loadconfig (const char *filename, zconf_t *z)$/;"	f
 loadconfig_fromstr	zconf.c	/^zconf_t	*loadconfig_fromstr (const char *str, zconf_t *z)$/;"	f
-logfile	dnssec-signer.c	/^const	char	*logfile = NULL;$/;"	v
+logfile	dnssec-signer.c	/^static	const	char	*logfile = NULL;$/;"	v	file:
 logflush	misc.c	/^void logflush ()$/;"	f
 logmesg	misc.c	/^void logmesg (char *fmt, ...)$/;"	f
-long_options	dnssec-signer.c	/^static struct option long_options[] = {$/;"	v	file:
-long_options	dnssec-zkt.c	/^static struct option long_options[] = {$/;"	v	file:
-lopt_usage	dnssec-signer.c	323;"	d	file:
+long_options	dnssec-signer.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
+long_options	dnssec-zkt.c	/^static struct option long_options[] = {$/;"	v	typeref:struct:option	file:
 lopt_usage	dnssec-signer.c	326;"	d	file:
+lopt_usage	dnssec-signer.c	329;"	d	file:
 lopt_usage	dnssec-zkt.c	402;"	d	file:
 lopt_usage	dnssec-zkt.c	405;"	d	file:
-loptstr	dnssec-signer.c	324;"	d	file:
 loptstr	dnssec-signer.c	327;"	d	file:
+loptstr	dnssec-signer.c	330;"	d	file:
 loptstr	dnssec-zkt.c	403;"	d	file:
 loptstr	dnssec-zkt.c	406;"	d	file:
 main	dnssec-signer.c	/^int	main (int argc, char *const argv[])$/;"	f
@@ -223,15 +231,16 @@ main	domaincmp.c	/^main (int argc, char *argv[])$/;"	f
 main	log.c	/^int	main (int argc, char *argv[])$/;"	f
 main	misc.c	/^main (int argc, char *argv[])$/;"	f
 main	ncparse.c	/^main (int argc, char *argv[])$/;"	f
+main	soaserial.c	/^main (int argc, char *argv[])$/;"	f
 main	strlist.c	/^main (int argc, char *argv[])$/;"	f
 main	zconf.c	/^main (int argc, char *argv[])$/;"	f
 main	zkt-soaserial.c	/^int	main (int argc, char *argv[])$/;"	f
 name	ncparse.c	/^	char	*name;$/;"	m	struct:KeyWords	file:
-namedconf	dnssec-signer.c	/^const	char	*namedconf = NULL;$/;"	v
+namedconf	dnssec-signer.c	/^static	const	char	*namedconf = NULL;$/;"	v	file:
 new_keysetfiles	dnssec-signer.c	/^static	int	new_keysetfiles (const char *dir, time_t zone_signing_time)$/;"	f	file:
 noexec	dnssec-signer.c	/^static	int	noexec = 0;$/;"	v	file:
-origin	dnssec-signer.c	/^const	char	*origin = NULL;$/;"	v
-parse_namedconf	ncparse.c	/^int	parse_namedconf (const char *filename, char *dir, size_t dirsize, int (*func) ())$/;"	f
+origin	dnssec-signer.c	/^static	const	char	*origin = NULL;$/;"	v	file:
+parse_namedconf	ncparse.c	/^int	parse_namedconf (const char *filename, const char *chroot_dir, char *dir, size_t dirsize, int (*func) ())$/;"	f
 parseconfigline	zconf.c	/^static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)$/;"	f	file:
 parsedir	dnssec-signer.c	/^static	int	parsedir (const char *dir, zone_t **zp, const zconf_t *conf)$/;"	f	file:
 parsedirectory	dnssec-zkt.c	/^static	int	parsedirectory (const char *dir, dki_t **listp)$/;"	f	file:
@@ -252,41 +261,42 @@ progname	domaincmp.c	/^const char	*progname;$/;"	v
 progname	log.c	/^const char *progname;$/;"	v
 progname	misc.c	/^const char *progname;$/;"	v
 progname	ncparse.c	/^char	*progname;$/;"	v
+progname	soaserial.c	/^const char *progname;$/;"	v
 progname	zconf.c	/^const char *progname;$/;"	v
 progname	zkt-soaserial.c	/^static	const char *progname;$/;"	v	file:
 read_serial_fromfile	zkt-soaserial.c	/^static	int	read_serial_fromfile (const char *fname, unsigned long *serial)$/;"	f	file:
 recflag	dnssec-zkt.c	/^static	int	recflag = RECURSIVE;$/;"	v	file:
 register_key	dnssec-signer.c	/^static	void	register_key (dki_t *list, const zconf_t *z)$/;"	f	file:
-reload_zone	dnssec-signer.c	/^static	int	reload_zone (const char *domain, const zconf_t *z)$/;"	f	file:
+reload_zone	nscomm.c	/^int	reload_zone (const char *domain, const zconf_t *z)$/;"	f
 reloadflag	dnssec-signer.c	/^static	int	reloadflag = 0;$/;"	v	file:
-res	domaincmp.c	/^         int     res;$/;"	m	file:
+res	domaincmp.c	/^         int     res;$/;"	m	struct:__anon1	file:
 searchitem	zkt.c	/^static	int	searchitem;$/;"	v	file:
 searchkw	ncparse.c	/^static	int	searchkw (const char *keyword)$/;"	f	file:
 searchresult	zkt.c	/^static	const	dki_t	*searchresult;$/;"	v	file:
+serialtime	soaserial.c	/^static	ulong	serialtime (time_t sec)$/;"	f	file:
 set_all_varptr	zconf.c	/^static	void set_all_varptr (zconf_t *cp)$/;"	f	file:
-set_bind94_dynzone	dnssec-signer.c	129;"	d	file:
-set_bind96_dynzone	dnssec-signer.c	130;"	d	file:
+set_bind94_dynzone	dnssec-signer.c	128;"	d	file:
+set_bind96_dynzone	dnssec-signer.c	129;"	d	file:
 set_keylifetime	zkt.c	/^static	void	set_keylifetime (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
 set_varptr	zconf.c	/^static	int set_varptr (char *entry, void *ptr)$/;"	f	file:
 setconfigpar	zconf.c	/^int	setconfigpar (zconf_t *config, char *entry, const void *pval)$/;"	f
 setglobalflags	dnssec-zkt.c	/^static	void	setglobalflags (zconf_t *config)$/;"	f	file:
-short_options	dnssec-signer.c	66;"	d	file:
 short_options	dnssec-signer.c	68;"	d	file:
+short_options	dnssec-signer.c	70;"	d	file:
 short_options	dnssec-zkt.c	89;"	d	file:
 sign_zone	dnssec-signer.c	/^static	int	sign_zone (const char *dir, const char *domain, const char *file, const zconf_t *conf)$/;"	f	file:
-sopt_usage	dnssec-signer.c	321;"	d	file:
+sopt_usage	dnssec-signer.c	324;"	d	file:
 sopt_usage	dnssec-zkt.c	400;"	d	file:
-splitpath	misc.c	/^const	char	*splitpath (char *path, size_t size, const char *filename)$/;"	f
+splitpath	misc.c	/^const	char	*splitpath (char *path, size_t psize, const char *filename)$/;"	f
 start_timer	misc.c	/^time_t	start_timer ()$/;"	f
 stop_timer	misc.c	/^time_t	stop_timer (time_t start)$/;"	f
-str	log.c	/^	const	char	*str;$/;"	m	file:
+str	log.c	/^	const	char	*str;$/;"	m	struct:__anon4	file:
 str_chop	misc.c	/^char	*str_chop (char *str, char c)$/;"	f
 str_delspace	misc.c	/^char	*str_delspace (char *s)$/;"	f
-str_tolowerdup	misc.c	/^char	*str_tolowerdup (const char *s)$/;"	f
 str_untaint	misc.c	/^char	*str_untaint (char *str)$/;"	f
-strfindstr	misc.c	/^static	const	char	*strfindstr (const char *str, const char *search)$/;"	f	file:
+strfindstr	soaserial.c	/^static	const	char	*strfindstr (const char *str, const char *search)$/;"	f	file:
 symtbl	log.c	/^static	lg_symtbl_t	symtbl[] = {$/;"	v	file:
-syslog_level	log.c	/^	int		syslog_level;$/;"	m	file:
+syslog_level	log.c	/^	int		syslog_level;$/;"	m	struct:__anon4	file:
 tag_search	zkt.c	/^static	void	tag_search (const dki_t **nodep, const VISIT which, int depth)$/;"	f	file:
 time2isostr	misc.c	/^char	*time2isostr (time_t sec, int precision)$/;"	f
 time2str	misc.c	/^char	*time2str (time_t sec, int precision)$/;"	f
@@ -294,23 +304,22 @@ timeflag	dnssec-zkt.c	/^int	timeflag = 1;$/;"	v
 timeint2str	zconf.c	/^static	const char	*timeint2str (ulong val)$/;"	f	file:
 timestr	zkt-soaserial.c	/^static	char	*timestr (time_t sec)$/;"	f	file:
 timestr2time	misc.c	/^time_t	timestr2time (const char *timestr)$/;"	f
-today_serialtime	misc.c	/^static	ulong	today_serialtime ()$/;"	f	file:
 tok	ncparse.c	/^	int	tok;$/;"	m	struct:KeyWords	file:
 tok2str	ncparse.c	/^static	const char	*tok2str (int  tok)$/;"	f	file:
 touch	misc.c	/^int	touch (const char *fname, time_t sec)$/;"	f
 trustedkeyflag	dnssec-zkt.c	/^static	int	trustedkeyflag = 0;$/;"	v	file:
-type	zconf.c	/^	ctype_t	type;		\/* the parameter type *\/$/;"	m	file:
+type	zconf.c	/^	ctype_t	type;		\/* the parameter type *\/$/;"	m	struct:__anon3	file:
 unprepstrlist	strlist.c	/^char	*unprepstrlist (char *list, char delimc)$/;"	f
 usage	dnssec-signer.c	/^static	void	usage (char *mesg, zconf_t *conf)$/;"	f	file:
 usage	dnssec-zkt.c	/^static	void    usage (char *mesg, zconf_t *cp)$/;"	f	file:
 usage	zkt-soaserial.c	/^static	void	usage (const char *msg)$/;"	f	file:
-var	zconf.c	/^	void	*var;		\/* pointer to the parameter variable *\/$/;"	m	file:
+var	zconf.c	/^	void	*var;		\/* pointer to the parameter variable *\/$/;"	m	struct:__anon3	file:
 verbmesg	misc.c	/^void	verbmesg (int verblvl, const zconf_t *conf, char *fmt, ...)$/;"	f
 verbose	dnssec-signer.c	/^static	int	verbose = 0;$/;"	v	file:
 view	dnssec-zkt.c	/^static	const	char	*view = "";$/;"	v	file:
-viewname	dnssec-signer.c	/^const	char	*viewname = NULL;$/;"	v
+viewname	dnssec-signer.c	/^static	const	char	*viewname = NULL;$/;"	v	file:
 writekeyfile	dnssec-signer.c	/^static	int	writekeyfile (const char *fname, const dki_t *list, int key_ttl)$/;"	f	file:
-zconf_para_t	zconf.c	/^} zconf_para_t;$/;"	t	file:
+zconf_para_t	zconf.c	/^} zconf_para_t;$/;"	t	typeref:struct:__anon3	file:
 zkt_list_dnskeys	zkt.c	/^void	zkt_list_dnskeys (const dki_t *data)$/;"	f
 zkt_list_keys	zkt.c	/^void	zkt_list_keys (const dki_t *data)$/;"	f
 zkt_list_trustedkeys	zkt.c	/^void	zkt_list_trustedkeys (const dki_t *data)$/;"	f
diff --git a/contrib/zkt/zconf.c b/contrib/zkt/zconf.c
index 831d1815d8..5c7a66f88f 100644
--- a/contrib/zkt/zconf.c
+++ b/contrib/zkt/zconf.c
@@ -5,8 +5,7 @@
 **	Most of the code is from the SixXS Heartbeat Client
 **	written by Jeroen Massar 
 **
-**	New config types and some slightly code changes
-**	by Holger Zuleger
+**	New config types and some slightly code changes by Holger Zuleger
 **
 **	Copyright (c) Aug 2005, Jeroen Massar, Holger Zuleger.
 **	All rights reserved.
@@ -91,15 +90,18 @@ static	zconf_t	def = {
 	PRINTTIME, PRINTAGE, LJUST,
 	SIG_VALIDITY, MAX_TTL, KEY_TTL, PROPTIME, Incremental,
 	RESIGN_INT,
-	KSK_LIFETIME, KSK_ALGO, KSK_BITS, KSK_RANDOM,
-	ZSK_LIFETIME, ZSK_ALGO, ZSK_BITS, ZSK_RANDOM,
+	KEY_ALGO, ADDITIONAL_KEY_ALGO,
+	KSK_LIFETIME, KSK_BITS, KSK_RANDOM,
+	ZSK_LIFETIME, ZSK_BITS, ZSK_RANDOM,
 	SALTLEN,
-	NULL, /* viewname cmdline paramter */
+	NULL, /* viewname cmdline parameter */
+	0, /* noexec cmdline parameter */
 	LOGFILE, LOGLEVEL, SYSLOGFACILITY, SYSLOGLEVEL, VERBOSELOG, 0,
 	DNSKEYFILE, ZONEFILE, KEYSETDIR,
 	LOOKASIDEDOMAIN,
 	SIG_RANDOM, SIG_PSEUDO, SIG_GENDS, SIG_PARAM,
-	DIST_CMD	/* deafults to NULL which means to run "rndc reload" */
+	DIST_CMD,	/* defaults to NULL which means to run "rndc reload" */
+	NAMED_CHROOT
 };
 
 typedef	struct {
@@ -136,12 +138,15 @@ static	zconf_para_t	confpara[] = {
 
 	{ "",			0,	CONF_COMMENT,	NULL },
 	{ "",			0,	CONF_COMMENT,	"signing key parameters"},
+	{ "Key_algo",		0,	CONF_ALGO,	&def.k_algo },	/* now used as general KEY algoritjm (KSK & ZSK) */
+	{ "AddKey_algo",	0,	CONF_ALGO,	&def.k2_algo },		/* second key algorithm added (v0.99) */
 	{ "KSK_lifetime",	0,	CONF_TIMEINT,	&def.k_life },
-	{ "KSK_algo",		0,	CONF_ALGO,	&def.k_algo },
+	{ "KSK_algo",		1,	CONF_ALGO,	&def.k_algo },	/* old KSK value changed to key algorithm */
 	{ "KSK_bits",		0,	CONF_INT,	&def.k_bits },
 	{ "KSK_randfile",	0,	CONF_STRING,	&def.k_random },
 	{ "ZSK_lifetime",	0,	CONF_TIMEINT,	&def.z_life },
-	{ "ZSK_algo",		0,	CONF_ALGO,	&def.z_algo },
+	/* { "ZSK_algo",		1,	CONF_ALGO,	&def.z_algo },		ZSK algo removed (set to same as ksk) */
+	{ "ZSK_algo",		1,	CONF_ALGO,	&def.k2_algo },		/* if someone using it already, map the algo to the additional key algorithm */
 	{ "ZSK_bits",		0,	CONF_INT,	&def.z_bits },
 	{ "ZSK_randfile",	0,	CONF_STRING,	&def.z_random },
 	{ "SaltBits",		0,	CONF_INT,	&def.saltbits },
@@ -149,6 +154,7 @@ static	zconf_para_t	confpara[] = {
 	{ "",			0,	CONF_COMMENT,	NULL },
 	{ "",			0,	CONF_COMMENT,	"dnssec-signer options"},
 	{ "--view",		1,	CONF_STRING,	&def.view },
+	{ "--noexec",		1,	CONF_BOOL,	&def.noexec },
 	{ "LogFile",		0,	CONF_STRING,	&def.logfile },
 	{ "LogLevel",		0,	CONF_LEVEL,	&def.loglevel },
 	{ "SyslogFacility",	0,	CONF_FACILITY,	&def.syslogfacility },
@@ -161,9 +167,10 @@ static	zconf_para_t	confpara[] = {
 	{ "DLV_Domain",		0,	CONF_STRING,	&def.lookaside },
 	{ "Sig_Randfile",	0,	CONF_STRING,	&def.sig_random },
 	{ "Sig_Pseudorand",	0,	CONF_BOOL,	&def.sig_pseudo },
-	{ "Sig_GenerateDS",	1,	CONF_BOOL,	&def.sig_gends },
+	{ "Sig_GenerateDS",	0,	CONF_BOOL,	&def.sig_gends },
 	{ "Sig_Parameter",	0,	CONF_STRING,	&def.sig_param },
 	{ "Distribute_Cmd",	0,	CONF_STRING,	&def.dist_cmd },
+	{ "NamedChrootDir",	0,	CONF_STRING,	&def.chroot_dir },
 
 	{ NULL,			0,	CONF_END,	NULL},
 };
@@ -229,18 +236,22 @@ static	void set_all_varptr (zconf_t *cp)
 #endif
 	set_varptr ("serialformat", &cp->serialform);
 
+	set_varptr ("key_algo", &cp->k_algo);
+	set_varptr ("addkey_algo", &cp->k2_algo);
 	set_varptr ("ksk_lifetime", &cp->k_life);
-	set_varptr ("ksk_algo", &cp->k_algo);
+	set_varptr ("ksk_algo", &cp->k_algo);		/* to be removed in next release */
 	set_varptr ("ksk_bits", &cp->k_bits);
 	set_varptr ("ksk_randfile", &cp->k_random);
 
 	set_varptr ("zsk_lifetime", &cp->z_life);
-	set_varptr ("zsk_algo", &cp->z_algo);
+	// set_varptr ("zsk_algo", &cp->z_algo);
+	set_varptr ("zsk_algo", &cp->k2_algo);
 	set_varptr ("zsk_bits", &cp->z_bits);
 	set_varptr ("zsk_randfile", &cp->z_random);
 	set_varptr ("saltbits", &cp->saltbits);
 
 	set_varptr ("--view", &cp->view);
+	set_varptr ("--noexec", &cp->noexec);
 	set_varptr ("logfile", &cp->logfile);
 	set_varptr ("loglevel", &cp->loglevel);
 	set_varptr ("syslogfacility", &cp->syslogfacility);
@@ -256,6 +267,7 @@ static	void set_all_varptr (zconf_t *cp)
 	set_varptr ("sig_generateds", &cp->sig_gends);
 	set_varptr ("sig_parameter", &cp->sig_param);
 	set_varptr ("distribute_cmd", &cp->dist_cmd);
+	set_varptr ("namedchrootdir", &cp->chroot_dir);
 }
 
 static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
@@ -325,7 +337,7 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 		{
 			char	**str;
 			char	quantity;
-			int	ival;
+			long	lval;
 
 			found = 1;
 			switch ( c->type )
@@ -342,18 +354,18 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 				break;
 			case CONF_TIMEINT:
 				quantity = 'd';
-				sscanf (val, "%d%c", &ival, &quantity);
+				sscanf (val, "%ld%c", &lval, &quantity);
 				if  ( quantity == 'm' )
-					ival *= MINSEC;
+					lval *= MINSEC;
 				else if  ( quantity == 'h' )
-					ival *= HOURSEC;
+					lval *= HOURSEC;
 				else if  ( quantity == 'd' )
-					ival *= DAYSEC;
+					lval *= DAYSEC;
 				else if  ( quantity == 'w' )
-					ival *= WEEKSEC;
+					lval *= WEEKSEC;
 				else if  ( quantity == 'y' )
-					ival *= YEARSEC;
-				(*(int *)c->var) = ival;
+					lval *= YEARSEC;
+				(*(long *)c->var) = lval;
 				break;
 			case CONF_ALGO:
 				if ( strcasecmp (val, "rsa") == 0 || strcasecmp (val, "rsamd5") == 0 )
@@ -398,6 +410,7 @@ static	void	parseconfigline (char *buf, unsigned int line, zconf_t *z)
 static	void	printconfigline (FILE *fp, zconf_para_t *cp)
 {
 	int	i;
+	long	lval;
 
 	assert (fp != NULL);
 	assert (cp != NULL);
@@ -435,16 +448,19 @@ static	void	printconfigline (FILE *fp, zconf_para_t *cp)
 		fprintf (fp, "%s:\t%s\n", cp->label, bool2str ( *(int*)cp->var ));
 		break;
 	case CONF_TIMEINT:
-		i = *(ulong*)cp->var;
-		fprintf (fp, "%s:\t%s", cp->label, timeint2str (i));
-		if ( i )
-			fprintf (fp, "\t# (%d seconds)", i);
+		lval = *(ulong*)cp->var;	/* in that case it should be of type ulong */
+		fprintf (fp, "%s:\t%s", cp->label, timeint2str (lval));
+		if ( lval )
+			fprintf (fp, "\t# (%ld seconds)", lval);
 		putc ('\n', fp);
 		break;
 	case CONF_ALGO:
 		i = *(int*)cp->var;
-		fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
-		fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+		if ( i )
+		{
+			fprintf (fp, "%s:\t%s", cp->label, dki_algo2str (i));
+			fprintf (fp, "\t# (Algorithm ID %d)\n", i);
+		}
 		break;
 	case CONF_SERIAL:
 		fprintf (fp, "%s:\t", cp->label);
@@ -599,11 +615,12 @@ int	setconfigpar (zconf_t *config, char *entry, const void *pval)
 				/* fall through */
 			case CONF_ALGO:
 				/* fall through */
-			case CONF_TIMEINT:
-				/* fall through */
 			case CONF_INT:
 				*((int *)c->var) = *((int *)pval);
 				break;
+			case CONF_TIMEINT:
+				*((long *)c->var) = *((long *)pval);
+				break;
 			case CONF_SERIAL:
 				*((serial_form_t *)c->var) = *((serial_form_t *)pval);
 				break;
@@ -728,12 +745,12 @@ int	checkconfig (const zconf_t *z)
 	if ( z->resign < (z->max_ttl + z->proptime) )
 	{
 		fprintf (stderr, "Re-signing interval (%s) should be ", timeint2str (z->resign));
-		fprintf (stderr, "greater than max_ttl (%d) plus ", z->max_ttl);
-		fprintf (stderr, "propagation time (%d)\n", z->proptime);
+		fprintf (stderr, "greater than max_ttl (%ld) plus ", z->max_ttl);
+		fprintf (stderr, "propagation time (%ld)\n", z->proptime);
 	}
 
 	if ( z->max_ttl >= z->sigvalidity )
-		fprintf (stderr, "Max TTL (%d) should be less than signatur validity (%d)\n",
+		fprintf (stderr, "Max TTL (%ld) should be less than signature validity (%ld)\n",
 								z->max_ttl, z->sigvalidity);
 
 	if ( z->z_life > (12 * WEEKSEC) * (z->z_bits / 512.) )
diff --git a/contrib/zkt/zconf.h b/contrib/zkt/zconf.h
index 08adfd9b23..a0c919e33e 100644
--- a/contrib/zkt/zconf.h
+++ b/contrib/zkt/zconf.h
@@ -39,7 +39,7 @@
 # define ZCONF_H
 
 
-# define	MINSEC	60
+# define	MINSEC	60L
 # define	HOURSEC	(MINSEC * 60)
 # define	DAYSEC	(HOURSEC * 24)
 # define	WEEKSEC	(DAYSEC * 7)
@@ -64,13 +64,19 @@
 #if 0
 # define	ZSK_LIFETIME	((SIG_VALID_DAYS * 3) * DAYSEC)	/* set to three times the sig validity */
 #else
-# define	ZSK_LIFETIME	((MONTH * 3) * DAYSEC)	/* set fixed to 3 month */
+# if 0
+#  define	ZSK_LIFETIME	((MONTH * 3) * DAYSEC)	/* set fixed to 3 month */
+# else
+#  define	ZSK_LIFETIME	(12 * WEEKSEC)	/* set fixed to 3 month */
+# endif
 #endif
 
-# define	KSK_ALGO	(DK_ALGO_RSASHA1)
+/* # define	KSK_ALGO	(DK_ALGO_RSASHA1)	KSK_ALGO renamed to KEY_ALGO (v0.99) */
+# define	KEY_ALGO	(DK_ALGO_RSASHA1)	/* general KEY_ALGO used for both ksk and zsk */
+# define	ADDITIONAL_KEY_ALGO	0
 # define	KSK_BITS	(1300)
 # define	KSK_RANDOM	"/dev/urandom"	/* was NULL before v0.94 */
-# define	ZSK_ALGO	(DK_ALGO_RSASHA1)
+/* # define	ZSK_ALGO	(DK_ALGO_RSASHA1)	ZSK_ALGO has to be the same as KSK, so this is no longer used (v0.99) */
 # define	ZSK_BITS	(512)
 # define	ZSK_RANDOM	"/dev/urandom"
 # define	SALTLEN		24		/* salt length in bits (resolution is 4 bits)*/
@@ -94,6 +100,7 @@
 # define	SIG_GENDS	1
 # define	SIG_PARAM	""
 # define	DIST_CMD	NULL	/* default is to run "rndc reload" */
+# define	NAMED_CHROOT	NULL	/* default is none */
 
 #ifndef CONFIG_PATH
 # define	CONFIG_PATH	"/var/named/"
@@ -126,27 +133,29 @@ typedef	struct zconf	{
 	int	printtime;
 	int	printage;
 	int	ljust;
-	int	sigvalidity;	/* should be less than expire time */
-	int	max_ttl;	/* should be set to the maximum used ttl in the zone */
-	int	key_ttl;
-	int	proptime;	/* expected time offset for zone propagation */
+	long	sigvalidity;	/* should be less than expire time */
+	long	max_ttl;	/* should be set to the maximum used ttl in the zone */
+	long	key_ttl;
+	long	proptime;	/* expected time offset for zone propagation */
 #if defined (DEF_TTL)
-	int	def_ttl;	/* default ttl set in soa record  */
+	long	def_ttl;	/* default ttl set in soa record  */
 #endif
 	serial_form_t	serialform;	/* format of serial no */
-	int	resign;		/* resign interval */
+	long	resign;		/* resign interval */
 
-	int	k_life;
 	int	k_algo;
+	int	k2_algo;
+	long	k_life;
 	int	k_bits;
 	char	*k_random;
-	int	z_life;
-	int	z_algo;
+	long	z_life;
+	/* int	z_algo;		no longer used; renamed to k2_algo (v0.99) */
 	int	z_bits;
 	char	*z_random;
 	int	saltbits;
 
 	char	*view;
+	int	noexec;
 	// char	*errlog;
 	char	*logfile;
 	char	*loglevel;
@@ -163,6 +172,7 @@ typedef	struct zconf	{
 	int	sig_gends;
 	char	*sig_param;
 	char	*dist_cmd;	/* cmd to run instead of "rndc reload" */
+	char	*chroot_dir;	/* chroot directory of named */
 } zconf_t;
 
 extern	zconf_t	*loadconfig (const char *filename, zconf_t *z);

From 4d0e2cf9b9ffcf5941b347e6bea084a12455e388 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 23 Sep 2009 14:05:11 +0000
Subject: [PATCH 195/385] 2684.   [bug]           dnssec-signzone should clean
 the old NSEC chain when                         signing with NSEC3 and vica
 versa. [RT #20301]

---
 CHANGES                      |   3 +
 bin/dnssec/dnssec-signzone.c | 136 +++++++++++++++++++++++++++--------
 2 files changed, 109 insertions(+), 30 deletions(-)

diff --git a/CHANGES b/CHANGES
index 23b7222951..8d46092628 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2684.	[bug]		dnssec-signzone should clean the old NSEC chain when
+			signing with NSEC3 and vica versa. [RT #20301]
+
 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 
 2684.	[cleanup]	dig: formalize +ad and +cd as synonyms for
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 674423d0e6..cc4da17fbf 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.230 2009/09/23 04:30:16 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.231 2009/09/23 14:05:11 marka Exp $ */
 
 /*! \file */
 
@@ -1069,6 +1069,20 @@ active_node(dns_dbnode_t *node) {
 			type = rdataset.type;
 			covers = rdataset.covers;
 			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * Delete the NSEC chain if we are signing with
+			 * NSEC3.
+			 */
+			if (nsec_datatype == dns_rdatatype_nsec3 &&
+			    (type == dns_rdatatype_nsec ||
+			     covers == dns_rdatatype_nsec)) {
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion, type,
+							       covers);
+				check_result(result,
+					   "dns_db_deleterdataset(nsec/rrsig)");
+				continue;
+			}
 			if (type != dns_rdatatype_rrsig)
 				continue;
 			found = ISC_FALSE;
@@ -1098,32 +1112,6 @@ active_node(dns_dbnode_t *node) {
 			fatal("rdataset iteration failed: %s",
 			      isc_result_totext(result));
 		dns_rdatasetiter_destroy(&rdsiter2);
-
-#if 0
-		/*
-		 * Delete all NSEC records and RRSIG(NSEC) if we are in
-		 * NSEC3 mode and vica versa.
-		 */
-		for (result = dns_rdatasetiter_first(rdsiter2);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdatasetiter_next(rdsiter2)) {
-			dns_rdatasetiter_current(rdsiter, &rdataset);
-			type = rdataset.type;
-			covers = rdataset.covers;
-			if (type == dns_rdatatype_rrsig)
-				type = covers;
-			dns_rdataset_disassociate(&rdataset);
-			if (type == nsec_datatype ||
-			    (type != dns_rdatatype_nsec &&
-			     type != dns_rdatatype_nsec3))
-				continue;
-			if (covers != 0)
-				type = dns_rdatatype_rrsig;
-			result = dns_db_deleterdataset(gdb, node, gversion,
-						       type, covers);
-			check_result(result, "dns_db_deleterdataset()");
-		}
-#endif
 	}
 	dns_rdatasetiter_destroy(&rdsiter);
 
@@ -1948,7 +1936,7 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
 }
 
 /*%
- * Generate NSEC records for the zone.
+ * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records
  */
 static void
 nsecify(void) {
@@ -1956,10 +1944,14 @@ nsecify(void) {
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
 	dns_fixedname_t fname, fnextname, fzonecut;
 	dns_name_t *name, *nextname, *zonecut;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdatatype_t type, covers;
 	isc_boolean_t done = ISC_FALSE;
 	isc_result_t result;
 	isc_uint32_t nsttl = 0;
 
+	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
@@ -1967,12 +1959,67 @@ nsecify(void) {
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
+	/*
+	 * Remove any NSEC3 chains.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+	for (result = dns_dbiterator_first(dbiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter)) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		check_dns_dbiterator_current(result);
+		result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+		check_result(result, "dns_db_allrdatasets()");
+		for (result = dns_rdatasetiter_first(rdsiter);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter)) {
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			type = rdataset.type;
+			covers = rdataset.covers;
+			dns_rdataset_disassociate(&rdataset);
+			result = dns_db_deleterdataset(gdb, node, gversion, type,
+						       covers);
+			check_result(result,
+				     "dns_db_deleterdataset(nsec3param/rrsig)");
+		}
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+	
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 
+	result = dns_dbiterator_current(dbiter, &node, name);
+	check_dns_dbiterator_current(result);
+	/*
+	 * Delete any NSEC3PARAM records at the apex.
+	 */
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+		if (type == dns_rdatatype_nsec3param ||
+		    covers == dns_rdatatype_nsec3param) {
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result,
+				     "dns_db_deleterdataset(nsec3param/rrsig)");
+			continue;
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+	dns_db_detachnode(gdb, &node);
+
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
@@ -2255,13 +2302,17 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
 	dns_fixedname_t fname, fnextname, fzonecut;
 	dns_name_t *name, *nextname, *zonecut;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdatatype_t type, covers;
+	int order;
+	isc_boolean_t active;
 	isc_boolean_t done = ISC_FALSE;
 	isc_result_t result;
-	isc_boolean_t active;
 	isc_uint32_t nsttl = 0;
 	unsigned int count, nlabels;
-	int order;
 
+	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
@@ -2278,6 +2329,31 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 
+	result = dns_dbiterator_current(dbiter, &node, name);
+	check_dns_dbiterator_current(result);
+	/*
+	 * Delete any NSEC records at the apex.
+	 */
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		type = rdataset.type;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+		if (type == dns_rdatatype_nsec || covers == dns_rdatatype_nsec) {
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result,
+				     "dns_db_deleterdataset(nsec3param/rrsig)");
+			continue;
+		}
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+	dns_db_detachnode(gdb, &node);
+
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);

From 53c22b8e0da67ca756ca309d5f84db9c189cd0a2 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 23 Sep 2009 16:01:57 +0000
Subject: [PATCH 196/385] 2685.	[bug]		Fixed dnssec-signzone -S
 handling of revoked keys. 			Also, added warnings when
 revoking a ZSK, as this is 			not defined by protocol (but
 is legal).  [RT #19943]

---
 CHANGES                          |   4 +
 bin/dnssec/dnssec-keyfromlabel.c |  11 +-
 bin/dnssec/dnssec-keygen.c       |  15 +-
 bin/dnssec/dnssec-revoke.c       |   9 +-
 bin/dnssec/dnssec-settime.c      |   7 +-
 bin/dnssec/dnssec-signzone.c     | 233 +++++++++++++++++++------------
 lib/dns/dst_api.c                |  91 ++++++++++--
 lib/dns/include/dst/dst.h        |  27 +++-
 8 files changed, 291 insertions(+), 106 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8d46092628..288072e488 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2685.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
+			Also, added warnings when revoking a ZSK, as this is
+			not defined by protocol (but is legal).  [RT #19943]
+
 2684.	[bug]		dnssec-signzone should clean the old NSEC chain when
 			signing with NSEC3 and vica versa. [RT #20301]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 42cdce5819..8baa19870b 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.15 2009/09/23 16:01:56 each Exp $ */
 
 /*! \file */
 
@@ -406,8 +406,15 @@ main(int argc, char **argv) {
 		else if (!genonly)
 			dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
-		if (setrev)
+		if (setrev) {
+			if (kskflag == 0)
+				fprintf(stderr, "%s: warning: Key is "
+					"not flagged as a KSK, but -R "
+					"was used. Revoking a ZSK is "
+					"legal, but undefined.\n",
+					program);
 			dst_key_settime(key, DST_TIME_REVOKE, revoke);
+		}
 
 		if (setinact)
 			dst_key_settime(key, DST_TIME_INACTIVE, inactive);
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 12089c7aab..5cdf108e2b 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.96 2009/09/23 16:01:56 each Exp $ */
 
 /*! \file */
 
@@ -686,17 +686,24 @@ main(int argc, char **argv) {
 
 			if (setpub)
 				dst_key_settime(key, DST_TIME_PUBLISH, publish);
-			else if (!genonly)
+			else if (!genonly && !setact)
 				dst_key_settime(key, DST_TIME_PUBLISH, now);
 
 			if (setact)
 				dst_key_settime(key, DST_TIME_ACTIVATE,
 						activate);
-			else if (!genonly)
+			else if (!genonly && !setpub)
 				dst_key_settime(key, DST_TIME_ACTIVATE, now);
 
-			if (setrev)
+			if (setrev) {
+				if (kskflag == 0)
+					fprintf(stderr, "%s: warning: Key is "
+						"not flagged as a KSK, but -R "
+						"was used. Revoking a ZSK is "
+						"legal, but undefined.\n",
+						program);
 				dst_key_settime(key, DST_TIME_REVOKE, revoke);
+			}
 
 			if (setinact)
 				dst_key_settime(key, DST_TIME_INACTIVE,
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 4a86d74f9a..2b484ad9eb 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.12 2009/09/23 16:01:56 each Exp $ */
 
 /*! \file */
 
@@ -171,6 +171,13 @@ main(int argc, char **argv) {
 	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
 		isc_stdtime_t now;
 
+
+		if ((flags & DNS_KEYFLAG_KSK) == 0)
+			fprintf(stderr, "%s: warning: Key is not flagged "
+					"as a KSK. Revoking a ZSK is "
+					"legal, but undefined.\n",
+					program);
+
 		isc_stdtime_get(&now);
 		dst_key_settime(key, DST_TIME_REVOKE, now);
 
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index ba6eb3954a..848ac1550b 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.13 2009/09/23 16:01:56 each Exp $ */
 
 /*! \file */
 
@@ -365,6 +365,11 @@ main(int argc, char **argv) {
 					"revoked; changing the revocation date "
 					"will not affect this.\n",
 					program, keystr);
+		if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
+			fprintf(stderr, "%s: warning: Key %s is not flagged as "
+					"a KSK, but -R was used.  Revoking a "
+					"ZSK is legal, but undefined.\n",
+					program, keystr);
 		dst_key_settime(key, DST_TIME_REVOKE, rev);
 	} else if (unsetrev) {
 		if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index cc4da17fbf..db856de9de 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.231 2009/09/23 14:05:11 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.232 2009/09/23 16:01:56 each Exp $ */
 
 /*! \file */
 
@@ -271,13 +271,13 @@ static dns_dnsseckey_t *
 keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
 	dns_dnsseckey_t *key;
 
-	key = ISC_LIST_HEAD(keylist);
-	while (key != NULL) {
+	for (key = ISC_LIST_HEAD(keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
 		if (rrsig->keyid == dst_key_id(key->key) &&
 		    rrsig->algorithm == dst_key_alg(key->key) &&
 		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
 			return (key);
-		key = ISC_LIST_NEXT(key, link);
 	}
 	return (NULL);
 }
@@ -327,13 +327,11 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 	if (result == ISC_R_SUCCESS) {
 		dst_key_free(&pubkey);
 		dns_dnsseckey_create(mctx, &privkey, &key);
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_FALSE;
 	} else {
 		dns_dnsseckey_create(mctx, &pubkey, &key);
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_FALSE;
 	}
+	key->force_publish = ISC_TRUE;
+	key->force_sign = ISC_FALSE;
 	ISC_LIST_APPEND(keylist, key, link);
 
 	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
@@ -372,11 +370,11 @@ expecttofindkey(dns_name_t *name) {
 }
 
 static inline isc_boolean_t
-setverifies(dns_name_t *name, dns_rdataset_t *set, dns_dnsseckey_t *key,
+setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	    dns_rdata_t *rrsig)
 {
 	isc_result_t result;
-	result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
+	result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
 	if (result == ISC_R_SUCCESS) {
 		INCSTAT(nverified);
 		return (ISC_TRUE);
@@ -479,8 +477,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 			if (!expired)
 				keep = ISC_TRUE;
 		} else if (issigningkey(key)) {
-			if (!expired && setverifies(name, set, key, &sigrdata))
-			{
+			if (!expired && setverifies(name, set, key->key,
+						    &sigrdata)) {
 				vbprintf(2, "\trrsig by %s retained\n", sigstr);
 				keep = ISC_TRUE;
 				wassignedby[key->index] = ISC_TRUE;
@@ -494,8 +492,8 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 				resign = ISC_TRUE;
 			}
 		} else if (iszonekey(key)) {
-			if (!expired && setverifies(name, set, key, &sigrdata))
-			{
+			if (!expired && setverifies(name, set, key->key,
+						    &sigrdata)) {
 				vbprintf(2, "\trrsig by %s retained\n", sigstr);
 				keep = ISC_TRUE;
 				wassignedby[key->index] = ISC_TRUE;
@@ -1443,8 +1441,10 @@ verifyzone(void) {
 	isc_boolean_t goodksk = ISC_FALSE;
 	isc_boolean_t goodzsk = ISC_FALSE;
 	isc_result_t result;
-	unsigned char revoked[256];
-	unsigned char standby[256];
+	unsigned char revoked_ksk[256];
+	unsigned char revoked_zsk[256];
+	unsigned char standby_ksk[256];
+	unsigned char standby_zsk[256];
 	unsigned char ksk_algorithms[256];
 	unsigned char zsk_algorithms[256];
 	unsigned char bad_algorithms[256];
@@ -1473,8 +1473,10 @@ verifyzone(void) {
 	if (!dns_rdataset_isassociated(&sigrdataset))
 		fatal("cannot find DNSKEY RRSIGs\n");
 
-	memset(revoked, 0, sizeof(revoked));
-	memset(standby, 0, sizeof(revoked));
+	memset(revoked_ksk, 0, sizeof(revoked_ksk));
+	memset(revoked_zsk, 0, sizeof(revoked_zsk));
+	memset(standby_ksk, 0, sizeof(standby_ksk));
+	memset(standby_zsk, 0, sizeof(standby_zsk));
 	memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
 	memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
 	memset(bad_algorithms, 0, sizeof(bad_algorithms));
@@ -1514,8 +1516,11 @@ verifyzone(void) {
 				      (int)isc_buffer_usedlength(&buf), buffer);
 			}
 			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
-			     revoked[dnskey.algorithm] != 255)
-				revoked[dnskey.algorithm]++;
+			     revoked_ksk[dnskey.algorithm] != 255)
+				revoked_ksk[dnskey.algorithm]++;
+			else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
+				 revoked_zsk[dnskey.algorithm] != 255)
+				revoked_zsk[dnskey.algorithm]++;
 		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
 			if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
 					      &sigrdataset, ISC_FALSE, mctx)) {
@@ -1523,8 +1528,8 @@ verifyzone(void) {
 					ksk_algorithms[dnskey.algorithm]++;
 				goodksk = ISC_TRUE;
 			} else {
-				if (standby[dnskey.algorithm] != 255)
-					standby[dnskey.algorithm]++;
+				if (standby_ksk[dnskey.algorithm] != 255)
+					standby_ksk[dnskey.algorithm]++;
 			}
 		} else if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
 						&sigrdataset, ISC_FALSE,
@@ -1537,8 +1542,8 @@ verifyzone(void) {
 				zsk_algorithms[dnskey.algorithm]++;
 			goodzsk = ISC_TRUE;
 		} else {
-			if (zsk_algorithms[dnskey.algorithm] != 255)
-				zsk_algorithms[dnskey.algorithm]++;
+			if (standby_zsk[dnskey.algorithm] != 255)
+				standby_zsk[dnskey.algorithm]++;
 #ifdef ALLOW_KSKLESS_ZONES
 			allzsksigned = ISC_FALSE;
 #endif
@@ -1686,13 +1691,18 @@ verifyzone(void) {
 		for (i = 0; i < 256; i++) {
 			if ((zsk_algorithms[i] != 0) ||
 			    (ksk_algorithms[i] != 0) ||
-			    (revoked[i] != 0) || (standby[i] != 0)) {
+			    (standby_zsk[i] != 0) || (standby_ksk[i] != 0) ||
+			    (revoked_ksk[i] != 0) || (revoked_zsk[i] != 0)) {
 				alg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "Algorithm: %s: ZSKs: %u, "
-					"KSKs: %u active, %u revoked, %u "
-					"stand-by\n", algbuf,
-					zsk_algorithms[i], ksk_algorithms[i],
-					revoked[i], standby[i]);
+				fprintf(stderr, "Algorithm: %s: KSKs: "
+					"%u active, %u stand-by, %u revoked\n",
+					algbuf, ksk_algorithms[i],
+					standby_ksk[i], revoked_ksk[i]);
+				fprintf(stderr, "%*sZSKs: "
+				        "%u active, %u stand-by, %u revoked\n",
+					(int) strlen(algbuf) + 13, "",
+					zsk_algorithms[i],
+					standby_zsk[i], revoked_zsk[i]);
 			}
 		}
 	}
@@ -2623,8 +2633,10 @@ loadzonekeys(dns_db_t *db) {
 		dns_dnsseckey_t *key = NULL;
 
 		dns_dnsseckey_create(mctx, &keys[i], &key);
-		key->force_publish = ISC_TRUE;
-		key->force_sign = dst_key_isprivate(key->key);
+		if (key->legacy) {
+			key->force_publish = ISC_TRUE;
+			key->force_sign = dst_key_isprivate(key->key);
+		}
 		key->source = dns_keysource_zoneapex;
 		ISC_LIST_APPEND(keylist, key, link);
 	}
@@ -2680,8 +2692,8 @@ loadzonepubkeys(dns_db_t *db) {
 		}
 
 		dns_dnsseckey_create(mctx, &pubkey, &key);
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_FALSE;
+		if (key->legacy)
+			key->force_publish = ISC_TRUE;
 		ISC_LIST_APPEND(keylist, key, link);
  next:
 		result = dns_rdataset_next(&rdataset);
@@ -2748,18 +2760,20 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 	 * - If so, and if the metadata says it should be removed:
 	 *   remove it from keylist and from the DNSKEY set
 	 * - Otherwise, make sure keylist has up-to-date metadata
-	 *
-	 *   (XXXEACH: logic is needed to make sure revoked keys
-	 *   can be matched correctly with nonrevoked)
 	 */
 
 	key1 = ISC_LIST_HEAD(matchkeys);
 	while (key1 != NULL) {
+		isc_boolean_t key_revoked = ISC_FALSE;
 		for (key2 = ISC_LIST_HEAD(keylist);
 		     key2 != NULL;
 		     key2 = ISC_LIST_NEXT(key2, link)) {
-			if (dst_key_compare(key1->key, key2->key))
+			if (dst_key_pubcompare(key1->key, key2->key,
+					       ISC_TRUE)) {
+				key_revoked = ISC_TF(dst_key_flags(key1->key) !=
+						     dst_key_flags(key2->key));
 				break;
+			}
 		}
 
 		/*
@@ -2794,6 +2808,47 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 						      &dnskey, &tuple);
 			check_result(result, "dns_difftuple_create");
 			dns_diff_append(&del, &tuple);
+		} else if (key_revoked &&
+			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
+			dns_dnsseckey_t *next;
+
+			/*
+			 * A key in the DNSKEY set has been revoked in the
+			 * key repository.  We need to remove the old
+			 * version and pull in the new one.
+			 */
+			make_dnskey(key2->key, &dnskey);
+			alg_format(dst_key_alg(key2->key), alg, sizeof(alg));
+			fprintf(stderr, "Replacing revoked key %d/%s in "
+					"DNSKEY RRset.\n",
+					dst_key_id(key2->key), alg);
+
+			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
+						      gorigin, keyttl,
+						      &dnskey, &tuple);
+			check_result(result, "dns_difftuple_create");
+			dns_diff_append(&del, &tuple);
+
+			ISC_LIST_UNLINK(keylist, key2, link);
+			dns_dnsseckey_destroy(mctx, &key2);
+
+			next = ISC_LIST_NEXT(key1, link);
+			ISC_LIST_UNLINK(matchkeys, key1, link);
+			ISC_LIST_APPEND(keylist, key1, link);
+
+			/*
+			 * XXX: The revoke flag is only defined for trust
+			 * anchors.  Setting the flag on a non-KSK is legal,
+			 * but not defined in any RFC.  It seems reasonable
+			 * to treat it the same as a KSK: keep it in the
+			 * zone and sign the DNSKEY set with it, but not
+			 * sign other records with it.
+			 */
+			if (iszsk(key1))
+				key1->ksk = ISC_TRUE;
+
+			key1 = next;
+			continue;
 		} else {
 			key2->hint_publish = key1->hint_publish;
 			key2->hint_sign = key1->hint_sign;
@@ -3575,52 +3630,52 @@ main(int argc, char *argv[]) {
 	ISC_LIST_INIT(keylist);
 	isc_rwlock_init(&keylist_lock, 0, 0);
 
-	if (argc == 0) {
+	if (argc == 0)
 		loadzonekeys(gdb);
-	} else {
-		for (i = 0; i < argc; i++) {
-			dst_key_t *newkey = NULL;
 
-			result = dst_key_fromnamedfile(argv[i], directory,
-						       DST_TYPE_PUBLIC |
-						       DST_TYPE_PRIVATE,
-						       mctx, &newkey);
-			if (result != ISC_R_SUCCESS)
-				fatal("cannot load dnskey %s: %s", argv[i],
-				      isc_result_totext(result));
+	for (i = 0; i < argc; i++) {
+		dst_key_t *newkey = NULL;
 
-			if (!dns_name_equal(gorigin, dst_key_name(newkey)))
-				fatal("key %s not at origin\n", argv[i]);
+		result = dst_key_fromnamedfile(argv[i], directory,
+					       DST_TYPE_PUBLIC |
+					       DST_TYPE_PRIVATE,
+					       mctx, &newkey);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot load dnskey %s: %s", argv[i],
+			      isc_result_totext(result));
 
-			key = ISC_LIST_HEAD(keylist);
-			while (key != NULL) {
-				dst_key_t *dkey = key->key;
-				if (dst_key_id(dkey) == dst_key_id(newkey) &&
-				    dst_key_alg(dkey) == dst_key_alg(newkey) &&
-				    dns_name_equal(dst_key_name(dkey),
-						   dst_key_name(newkey)))
-				{
-					if (!dst_key_isprivate(dkey))
-						fatal("cannot sign zone with "
-						      "non-private dnskey %s",
-						      argv[i]);
-					break;
-				}
-				key = ISC_LIST_NEXT(key, link);
+		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+			fatal("key %s not at origin\n", argv[i]);
+
+		/* Skip any duplicates */
+		for (key = ISC_LIST_HEAD(keylist);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			dst_key_t *dkey = key->key;
+			if (dst_key_id(dkey) == dst_key_id(newkey) &&
+			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
+			    dns_name_equal(dst_key_name(dkey), gorigin)) {
+				if (!dst_key_isprivate(dkey))
+					fatal("cannot sign zone with "
+					      "non-private dnskey %s",
+					      argv[i]);
+				break;
 			}
-			if (key == NULL) {
-				dns_dnsseckey_create(mctx, &newkey, &key);
-				key->force_publish = ISC_TRUE;
-				key->force_sign = ISC_TRUE;
-				key->source = dns_keysource_user;
-				ISC_LIST_APPEND(keylist, key, link);
-			} else
-				dst_key_free(&newkey);
 		}
-
-		loadzonepubkeys(gdb);
+		if (key == NULL) {
+			/* We haven't seen this key before */
+			dns_dnsseckey_create(mctx, &newkey, &key);
+			key->force_publish = ISC_TRUE;
+			key->force_sign = ISC_TRUE;
+			key->source = dns_keysource_user;
+			ISC_LIST_APPEND(keylist, key, link);
+		} else
+			dst_key_free(&newkey);
 	}
 
+	if (argc != 0)
+		loadzonepubkeys(gdb);
+
 	for (i = 0; i < ndskeys; i++) {
 		dst_key_t *newkey = NULL;
 
@@ -3635,32 +3690,34 @@ main(int argc, char *argv[]) {
 		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
 			fatal("key %s not at origin\n", dskeyfile[i]);
 
-		key = ISC_LIST_HEAD(keylist);
-		while (key != NULL) {
+		/* Skip any duplicates */
+		for (key = ISC_LIST_HEAD(keylist);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
 			dst_key_t *dkey = key->key;
 			if (dst_key_id(dkey) == dst_key_id(newkey) &&
 			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
-			    dns_name_equal(dst_key_name(dkey),
-					   dst_key_name(newkey)))
-			{
-				/* Override key flags. */
+			    dns_name_equal(dst_key_name(dkey), gorigin)) {
+				/*
+				 * Key was already in keylist, but we
+				 * must make sure it has the right
+				 * dnsseckey flags.
+				 */
+				key->ksk = ISC_TRUE;
 				key->force_publish = ISC_TRUE;
 				key->force_sign = ISC_TRUE;
 				key->source = dns_keysource_user;
-				key->ksk = ISC_TRUE;
-				dst_key_free(&dkey);
-				key->key = newkey;
+				dst_key_free(&newkey);
 				break;
 			}
-			key = ISC_LIST_NEXT(key, link);
 		}
 		if (key == NULL) {
-			/* Override dnskey flags. */
+			/* We haven't seen this key before */
 			dns_dnsseckey_create(mctx, &newkey, &key);
+			key->ksk = ISC_TRUE;
 			key->force_publish = ISC_TRUE;
 			key->force_sign = ISC_TRUE;
 			key->source = dns_keysource_user;
-			key->ksk = ISC_TRUE;
 			ISC_LIST_APPEND(keylist, key, link);
 		}
 	}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index be3999d02f..22a95f8975 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.30 2009/09/14 18:45:45 each Exp $
+ * $Id: dst_api.c,v 1.31 2009/09/23 16:01:57 each Exp $
  */
 
 /*! \file */
@@ -825,25 +825,100 @@ dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
 	key->fmt_minor = minor;
 }
 
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+static isc_boolean_t
+comparekeys(const dst_key_t *key1, const dst_key_t *key2,
+	    isc_boolean_t match_revoked_key,
+	    isc_boolean_t (*compare)())
+{
 	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
 	REQUIRE(VALID_KEY(key2));
 
 	if (key1 == key2)
 		return (ISC_TRUE);
+
 	if (key1 == NULL || key2 == NULL)
 		return (ISC_FALSE);
-	if (key1->key_alg == key2->key_alg &&
-	    key1->key_id == key2->key_id &&
-	    key1->func->compare != NULL &&
-	    key1->func->compare(key1, key2) == ISC_TRUE)
-		return (ISC_TRUE);
+
+	if (key1->key_alg != key2->key_alg)
+		return (ISC_FALSE);
+
+	/*
+	 * For all algorithms except RSAMD5, revoking the key
+	 * changes the key ID, increasing it by 128.  If we want to
+	 * be able to find matching keys even if one of them is the
+	 * revoked version of the other one, then we need to check
+	 * for that possibility.
+	 */
+	if (key1->key_id != key2->key_id) {
+		if (!match_revoked_key)
+			return (ISC_FALSE);
+		if (key1->key_alg == DST_ALG_RSAMD5)
+			return (ISC_FALSE);
+		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
+		    (key2->key_flags & DNS_KEYFLAG_REVOKE))
+			return (ISC_FALSE);
+		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
+		    key1->key_id != ((key2->key_id + 128) & 0xffff))
+			return (ISC_FALSE);
+		if ((key2->key_flags & DNS_KEYFLAG_REVOKE) != 0 &&
+		    key2->key_id != ((key1->key_id + 128) & 0xffff))
+			return (ISC_FALSE);
+	}
+
+	if (compare != NULL)
+		return (compare(key1, key2));
 	else
 		return (ISC_FALSE);
 }
 
+
+/*
+ * Compares only the public portion of two keys, by converting them
+ * both to wire format and comparing the results.
+ */
+static isc_boolean_t
+pub_compare(dst_key_t *key1, dst_key_t *key2) {
+	isc_result_t result;
+	unsigned char txt1[DST_KEY_MAXSIZE], txt2[DST_KEY_MAXSIZE];
+	isc_buffer_t b1, b2;
+	isc_region_t r1, r2;
+	isc_uint16_t flags;
+
+	flags = key1->key_flags;
+	key1->key_flags = 0;
+	isc_buffer_init(&b1, txt1, sizeof(txt1));
+	result = dst_key_todns(key1, &b1);
+	key1->key_flags = flags;
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	flags = key2->key_flags;
+	key2->key_flags = 0;
+	isc_buffer_init(&b2, txt2, sizeof(txt2));
+	result = dst_key_todns(key2, &b2);
+	key2->key_flags = flags;
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+
+	isc_buffer_usedregion(&b1, &r1);
+	isc_buffer_usedregion(&b2, &r2);
+	return (ISC_TF(isc_region_compare(&r1, &r2) == 0));
+}
+
+isc_boolean_t
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	return (comparekeys(key1, key2, ISC_FALSE, key1->func->compare));
+}
+
+isc_boolean_t
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   isc_boolean_t match_revoked_key)
+{
+	return (comparekeys(key1, key2, match_revoked_key, pub_compare));
+}
+
+
 isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	REQUIRE(dst_initialized == ISC_TRUE);
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index fb0d73b8d3..4cdb4c0057 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.18 2009/09/14 18:45:45 each Exp $ */
+/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -494,7 +494,10 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 isc_boolean_t
 dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
 /*%<
- * Compares two DST keys.
+ * Compares two DST keys.  Returns true if they match, false otherwise.
+ *
+ * Keys ARE NOT considered to match if one of them is the revoked version
+ * of the other.
  *
  * Requires:
  *\li	"key1" is a valid key.
@@ -506,6 +509,26 @@ dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
  */
 
 isc_boolean_t
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   isc_boolean_t match_revoked_key);
+/*%<
+ * Compares only the public portions of two DST keys.  Returns true
+ * if they match, false otherwise.  This allows us, for example, to
+ * determine whether a public key found in a zone matches up with a
+ * key pair found on disk.
+ *
+ * If match_revoked_key is TRUE, then keys ARE considered to match if one
+ * of them is the revoked version of the other. Otherwise, they are not.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	ISC_TRUE
+ * \li	ISC_FALSE
+ */
+isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
 /*%<
  * Compares the parameters of two DST keys.  This is used to determine if

From b3c8f1e9e864c30d1bb68fdf1ba7eb242c24be6e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 23 Sep 2009 20:36:58 +0000
Subject: [PATCH 197/385] number

---
 CHANGES | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 288072e488..1ced4ed010 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,8 @@
-2685.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
+2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 			Also, added warnings when revoking a ZSK, as this is
 			not defined by protocol (but is legal).  [RT #19943]
 
-2684.	[bug]		dnssec-signzone should clean the old NSEC chain when
+2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
 			signing with NSEC3 and vica versa. [RT #20301]
 
 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]

From 91c6a86724e34827bdedfa3245986b31e0653ef2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 23 Sep 2009 21:27:39 +0000
Subject: [PATCH 198/385] spelling

---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 1ced4ed010..2aa5426ec1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,7 +3,7 @@
 			not defined by protocol (but is legal).  [RT #19943]
 
 2686.	[bug]		dnssec-signzone should clean the old NSEC chain when
-			signing with NSEC3 and vica versa. [RT #20301]
+			signing with NSEC3 and vice versa. [RT #20301]
 
 2685.	[contrib]	Update contrib/zkt to version 0.99c. [RT #20054]
 

From 3a2a2463f2ec42666dd225e7bcfb26c41bcac38e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 23 Sep 2009 22:15:24 +0000
Subject: [PATCH 199/385] new draft

---
 .../draft-ietf-dnsext-rfc3597-bis-00.txt      | 395 ++++++++++++++++++
 1 file changed, 395 insertions(+)
 create mode 100644 doc/draft/draft-ietf-dnsext-rfc3597-bis-00.txt

diff --git a/doc/draft/draft-ietf-dnsext-rfc3597-bis-00.txt b/doc/draft/draft-ietf-dnsext-rfc3597-bis-00.txt
new file mode 100644
index 0000000000..ee35cb91af
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-rfc3597-bis-00.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+INTERNET-DRAFT                                             A. Gustafsson
+                                          Araneus Information Systems Oy
+                                                      September 23, 2009
+
+Intended status: Draft Standard
+Obsoletes: RFC3597
+
+           Handling of Unknown DNS Resource Record (RR) Types
+                  draft-ietf-dnsext-rfc3597-bis-00.txt
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups. Note that other
+   groups may also distribute working documents as Internet-Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time. It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/1id-abstracts.html
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors. All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   Extending the Domain Name System (DNS) with new Resource Record (RR)
+   types should not requires changes to name server software.  This
+   document specifies how new RR types are transparently handled by DNS
+   software.
+
+
+
+
+Expires March 2010           Standards Track                    [Page 1]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+1.  Introduction
+
+   The DNS [RFC1034] is designed to be extensible to support new
+   services through the introduction of new resource record (RR) types.
+   Nevertheless, DNS implementations have historically required software
+   changes to support new RR types, not only at the authoritative DNS
+   server providing the new information and the client making use of it,
+   but also at all slave servers for the zone containing it, and in some
+   cases also at caching name servers and forwarders used by the client.
+   Because the deployment of new DNS software is slow and expensive,
+   this has been a significant impediment to supporting new services in
+   the DNS.
+
+   [RFC3597] defined DNS implementation behavior and procedures for
+   defining new RR types aimed at simplifying the deployment of new RR
+   types by allowing them to be treated transparently by existing
+   implementations.  Thanks to the widespread adoption of that
+   specification, much of the DNS is now capable of handling new record
+   types without software changes.
+
+   This document is a self-contained revised specification supplanting
+   and obsoleting [RFC3597].
+
+2.  Definitions
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+   An "RR of unknown type" is an RR whose RDATA format is not known to
+   the DNS implementation at hand, and whose type is not an assigned
+   QTYPE or Meta-TYPE as specified in [RFC5395] (section 3.1) nor within
+   the range reserved in that section for assignment only to QTYPEs and
+   Meta-TYPEs.  Such an RR cannot be converted to a type-specific text
+   format, compressed, or otherwise handled in a type-specific way.
+
+   In the case of a type whose RDATA format is class specific, an RR is
+   considered to be of unknown type when the RDATA format for that
+   combination of type and class is not known.
+
+3.  Transparency
+
+   To enable new RR types to be deployed without server changes, name
+   servers and resolvers MUST handle RRs of unknown type transparently.
+   That is, they must treat the RDATA section of such RRs as
+   unstructured binary data, storing and transmitting it without change
+   [RFC1123].
+
+
+
+
+Expires March 2010           Standards Track                    [Page 2]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+   To ensure the correct operation of equality comparison (section 6)
+   and of the DNSSEC canonical form (section 7) when an RR type is known
+   to some but not all of the servers involved, servers MUST also
+   exactly preserve the RDATA of RRs of known type, except for changes
+   due to compression or decompression where allowed by section 4 of
+   this document.  In particular, the character case of domain names
+   that are not subject to compression MUST be preserved.
+
+4.  Domain Name Compression
+
+   RRs containing compression pointers in the RDATA part cannot be
+   treated transparently, as the compression pointers are only
+   meaningful within the context of a DNS message.  Transparently
+   copying the RDATA into a new DNS message would cause the compression
+   pointers to point at the corresponding location in the new message,
+   which now contains unrelated data.  This would cause the compressed
+   name to be corrupted.
+
+   To avoid such corruption, servers MUST NOT compress domain names
+   embedded in the RDATA of types that are class-specific or not well-
+   known.  This requirement was stated in [RFC1123] without defining the
+   term "well-known"; it is hereby specified that only the RR types
+   defined in [RFC1035] are to be considered "well-known".
+
+   Receiving servers MUST decompress domain names in RRs of well-known
+   type, and SHOULD also decompress RRs of type RP, AFSDB, RT, SIG, PX,
+   NXT, NAPTR, and SRV to ensure interoperability with implementations
+   predating [RFC3597].
+
+   Specifications for new RR types that contain domain names within
+   their RDATA MUST NOT allow the use of name compression for those
+   names, and SHOULD explicitly state that the embedded domain names
+   MUST NOT be compressed.
+
+   As noted in [RFC1123], the owner name of an RR is always eligible for
+   compression.
+
+5.  Text Representation
+
+   In the "type" field of a master file line, an unknown RR type is
+   represented by the word "TYPE" immediately followed by the decimal RR
+   type number, with no intervening whitespace.  In the "class" field,
+   an unknown class is similarly represented as the word "CLASS"
+   immediately followed by the decimal class number.
+
+   This convention allows types and classes to be distinguished from
+   each other and from TTL values, allowing the "[] []
+    " and "[] []  " forms of
+
+
+
+Expires March 2010           Standards Track                    [Page 3]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+   [RFC1035] to both be unambiguously parsed.
+
+   The RDATA section of an RR of unknown type is represented as a
+   sequence of white space separated words as follows:
+
+      The special token \# (a backslash immediately followed by a hash
+      sign), which identifies the RDATA as having the generic encoding
+      defined herein rather than a traditional type-specific encoding.
+
+      An unsigned decimal integer specifying the RDATA length in octets.
+
+      Zero or more words of hexadecimal data encoding the actual RDATA
+      field, each containing an even number of hexadecimal digits.
+
+   If the RDATA is of zero length, the text representation contains only
+   the \# token and the single zero representing the length.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Expires March 2010           Standards Track                    [Page 4]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+   An implementation MAY also choose to represent some RRs of known type
+   using the above generic representations for the type, class and/or
+   RDATA, which carries the benefit of making the resulting master file
+   portable to servers where these types are unknown.  Using the generic
+   representation for the RDATA of an RR of known type can also be
+   useful in the case of an RR type where the text format varies
+   depending on a version, protocol, or similar field (or several)
+   embedded in the RDATA when such a field has a value for which no text
+   format is known, e.g., a LOC RR [RFC1876] with a VERSION other than
+   0.
+
+   Even though an RR of known type represented in the \# format is
+   effectively treated as an unknown type for the purpose of parsing the
+   RDATA text representation, all further processing by the server MUST
+   treat it as a known type and take into account any applicable type-
+   specific rules regarding compression, canonicalization, etc.
+
+   The following are examples of RRs represented in this manner,
+   illustrating various combinations of generic and type-specific
+   encodings for the different fields of the master file format:
+
+      a.example.   CLASS32     TYPE731         \# 6 abcd (
+                                               ef 01 23 45 )
+      b.example.   HS          TYPE62347       \# 0
+      e.example.   IN          A               \# 4 C0000201
+      e.example.   CLASS1      TYPE1           192.0.2.1
+
+6.  Equality Comparison
+
+   Certain DNS protocols, notably Dynamic Update [RFC2136], require RRs
+   to be compared for equality.  Two RRs of the same unknown type are
+   considered equal when their RDATA is bitwise equal.  To ensure that
+   the outcome of the comparison is identical whether the RR is known to
+   the server or not, specifications for new RR types MUST NOT specify
+   type-specific comparison rules.
+
+   This implies that embedded domain names, being included in the
+   overall bitwise comparison, are compared in a case-sensitive manner.
+
+   As a result, when a new RR type contains one or more embedded domain
+   names, it is possible to have multiple RRs owned by the same name
+   that differ only in the character case of the embedded domain
+   name(s).  This is similar to the existing possibility of multiple TXT
+   records differing only in character case, and not expected to cause
+   any problems in practice.
+
+
+
+
+
+
+Expires March 2010           Standards Track                    [Page 5]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+7.  DNSSEC Considerations
+
+   The rules for the DNSSEC canonical form and ordering were updated to
+   support transparent treatment of unknown types in [RFC3597].  Those
+   updates have subsequently been integrated into the base DNSSEC
+   specification, such that the DNSSEC canonical form and ordering are
+   now specified in [RFC4034] or its successors rather than in this
+   document.
+
+8.  Additional Section Processing
+
+   Unknown RR types cause no additional section processing.  Future RR
+   type specifications MAY specify type-specific additional section
+   processing rules, but any such processing MUST be optional as it can
+   only be performed by servers for which the RR type in case is known.
+
+9.  IANA Considerations
+
+   This document does not require any IANA actions.
+
+10.  Security Considerations
+
+   This specification is not believed to cause any new security
+   problems, nor to solve any existing ones.
+
+11.  Normative References
+
+   [RFC1034]   Mockapetris, P., "Domain Names - Concepts and
+               Facilities", STD 13, RFC 1034, November 1987.
+
+   [RFC1035]   Mockapetris, P., "Domain Names - Implementation and
+               Specifications", STD 13, RFC 1035, November 1987.
+
+   [RFC1123]   Braden, R., Ed., "Requirements for Internet Hosts --
+               Application and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
+               Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC5395]   Eastlake, D., "Domain Name System (DNS) IANA
+               Considerations", BCP 42, RFC 5395, November 2008.
+
+12.  Informative References
+
+   [RFC1876]   Davis, C., Vixie, P., Goodwin, T. and I. Dickinson, "A
+               Means for Expressing Location Information in the Domain
+               Name System", RFC 1876, January 1996.
+
+
+
+
+Expires March 2010           Standards Track                    [Page 6]
+
+draft-ietf-dnsext-rfc3597-bis-00.txt                           July 2009
+
+
+   [RFC2136]   Vixie, P., Ed., Thomson, S., Rekhter, Y. and J. Bound,
+               "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+               RFC 2136, April 1997.
+
+   [RFC3597]   Gustafsson, A., "Handling of Unknown DNS Resource Record
+               (RR) Types", RFC 3597, September 2003.
+
+   [RFC4034]   Arends, R., Austein, R., Larson, M., Massey, D., and S.
+               Rose, "Resource Records for the DNS Security Extensions",
+               RFC 4034, March 2005.
+
+14.  Author's Address
+
+   Andreas Gustafsson
+   Araneus Information Systems Oy
+   PL 110
+   02321 Espoo
+   Finland
+
+   Phone: +358 40 547 2099
+   EMail: gson@araneus.fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Expires March 2010           Standards Track                    [Page 7]
+

From 4344643693ed3a92000d7835effa788e9c5e33a6 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 23 Sep 2009 23:18:35 +0000
Subject: [PATCH 200/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 7c0d9689a9..5bae379cef 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -234,6 +234,7 @@ rt19875				new	each	// 2009-07-04 22:47 +0000
 rt19910				new	marka	// 2009-07-09 02:38 +0000
 rt19942				new	each	// 2009-08-27 23:01 +0000
 rt19943				new	each	// 2009-09-15 03:18 +0000
+rt19943a			new	each	// 2009-09-23 16:06 +0000
 rt20001				new	each	// 2009-08-05 15:54 +0000
 rt20023				new	fdupont	// 2009-07-31 15:08 +0000
 rt20037				new	marka	// 2009-08-11 07:46 +0000
@@ -243,6 +244,7 @@ rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
 rt20191				new	vjs	// 2009-09-20 01:55 +0000
 rt20225				new	fdupont	// 2009-09-18 11:50 +0000
+rt20229				new	fdupont	// 2009-09-23 22:33 +0000
 rt20230				new	fdupont	// 2009-09-19 22:45 +0000
 rt20236				new	fdupont	// 2009-09-19 22:34 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000

From d48690af7a64a064f6a3c8c507ad99e54105d1e1 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 23 Sep 2009 23:47:56 +0000
Subject: [PATCH 201/385] update copyright notice

---
 bin/dnssec/dnssec-signzone.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index db856de9de..2e77e5fb5c 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.232 2009/09/23 16:01:56 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.233 2009/09/23 23:47:56 tbox Exp $ */
 
 /*! \file */
 
@@ -1699,7 +1699,7 @@ verifyzone(void) {
 					algbuf, ksk_algorithms[i],
 					standby_ksk[i], revoked_ksk[i]);
 				fprintf(stderr, "%*sZSKs: "
-				        "%u active, %u stand-by, %u revoked\n",
+					"%u active, %u stand-by, %u revoked\n",
 					(int) strlen(algbuf) + 13, "",
 					zsk_algorithms[i],
 					standby_zsk[i], revoked_zsk[i]);
@@ -1997,7 +1997,7 @@ nsecify(void) {
 		dns_db_detachnode(gdb, &node);
 	}
 	dns_dbiterator_destroy(&dbiter);
-	
+
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 

From 8292deab031e7599cd7622aa7675fbe139ca6095 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 24 Sep 2009 03:04:33 +0000
Subject: [PATCH 202/385] OLD-PKCS11-NOTES

---
 util/copyrights | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/copyrights b/util/copyrights
index a1f7270645..fb42b52749 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -230,6 +230,7 @@
 ./bin/nsupdate/win32/nsupdate.dsw		X	2001
 ./bin/nsupdate/win32/nsupdate.mak		X	2001,2002,2004,2005,2006,2009
 ./bin/pkcs11/.cvsignore				X	2009
+./bin/pkcs11/OLD-PKCS11-NOTES			X	2009
 ./bin/pkcs11/pkcs11-destroy.c			X	2009
 ./bin/pkcs11/pkcs11-keygen.c			X	2009
 ./bin/pkcs11/pkcs11-list.c			X	2009

From 63a18001052c56b8ca0a8ca97066bc4e1ed6f7ee Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 24 Sep 2009 04:36:28 +0000
Subject: [PATCH 203/385] Fix several problems introduced by rt19943

---
 bin/dnssec/dnssec-signzone.c | 115 ++++++++++++++++++++---------------
 1 file changed, 67 insertions(+), 48 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 2e77e5fb5c..d7d170219f 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.233 2009/09/23 23:47:56 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.234 2009/09/24 04:36:28 each Exp $ */
 
 /*! \file */
 
@@ -163,6 +163,7 @@ static isc_boolean_t unknownalg = ISC_FALSE;
 static isc_boolean_t disable_zone_check = ISC_FALSE;
 static isc_boolean_t set_keyttl = ISC_FALSE;
 static dns_ttl_t keyttl;
+static isc_boolean_t smartsign = ISC_FALSE;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -1553,42 +1554,54 @@ verifyzone(void) {
 	}
 	dns_rdataset_disassociate(&sigrdataset);
 
-	if (!goodksk) {
 #ifdef ALLOW_KSKLESS_ZONES
-		if (!goodzsk)
-			fatal("no self signing keys found");
-		fprintf(stderr, "No self signing KSK found. Using self signed "
-			"ZSK's for active algorithm list.\n");
+	if (!goodksk) {
+		if (!ignore_kskflag)
+			fprintf(stderr, "No self signing KSK found. Using "
+					"self signed ZSK's for active "
+					"algorithm list.\n");
 		memcpy(ksk_algorithms, self_algorithms, sizeof(ksk_algorithms));
 		if (!allzsksigned)
 			fprintf(stderr, "warning: not all ZSK's are self "
 				"signed.\n");
-#else
-		fatal("no self signed KSK's found");
-#endif
 	}
+#else
+	if (!goodksk) {
+		fatal("no self signed KSK's found");
+	}
+#endif
 
 	fprintf(stderr, "Verifying the zone using the following algorithms:");
 	for (i = 0; i < 256; i++) {
-		if (ksk_algorithms[i] != 0) {
+#ifdef ALLOW_KSKLESS_ZONES
+		if (ksk_algorithms[i] != 0 || zsk_algorithms[i] != 0)
+#else
+		if (ksk_algorithms[i] != 0)
+#endif
+		{
 			alg_format(i, algbuf, sizeof(algbuf));
 			fprintf(stderr, " %s", algbuf);
 		}
 	}
 	fprintf(stderr, ".\n");
 
-	for (i = 0; i < 256; i++) {
-		/*
-		 * The counts should both be zero or both be non-zero.
-		 * Mark the algorithm as bad if this is not met.
-		 */
-		if ((ksk_algorithms[i] != 0) == (zsk_algorithms[i] != 0))
-			continue;
-		alg_format(i, algbuf, sizeof(algbuf));
-		fprintf(stderr, "Missing %s for algorithm %s\n",
-			(ksk_algorithms[i] != 0) ? "ZSK" : "self signing KSK",
-			algbuf);
-		bad_algorithms[i] = 1;
+	if (!ignore_kskflag) {
+		for (i = 0; i < 256; i++) {
+			/*
+			 * The counts should both be zero or both be non-zero.
+			 * Mark the algorithm as bad if this is not met.
+			 */
+			if ((ksk_algorithms[i] != 0) ==
+			    (zsk_algorithms[i] != 0))
+				continue;
+			alg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, "Missing %s for algorithm %s\n",
+				(ksk_algorithms[i] != 0)
+				   ? "ZSK"
+				   : "self signing KSK",
+				algbuf);
+			bad_algorithms[i] = 1;
+		}
 	}
 
 	/*
@@ -1683,7 +1696,7 @@ verifyzone(void) {
 		fatal("DNSSEC completeness test failed.");
 	}
 
-	if (goodksk) {
+	if (goodksk || ignore_kskflag) {
 		/*
 		 * Print the success summary.
 		 */
@@ -2633,7 +2646,7 @@ loadzonekeys(dns_db_t *db) {
 		dns_dnsseckey_t *key = NULL;
 
 		dns_dnsseckey_create(mctx, &keys[i], &key);
-		if (key->legacy) {
+		if (key->legacy || !smartsign) {
 			key->force_publish = ISC_TRUE;
 			key->force_sign = dst_key_isprivate(key->key);
 		}
@@ -2691,10 +2704,26 @@ loadzonepubkeys(dns_db_t *db) {
 			goto next;
 		}
 
-		dns_dnsseckey_create(mctx, &pubkey, &key);
-		if (key->legacy)
-			key->force_publish = ISC_TRUE;
-		ISC_LIST_APPEND(keylist, key, link);
+		/* Skip duplicates */
+		for (key = ISC_LIST_HEAD(keylist);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			dst_key_t *dkey = key->key;
+			if (dst_key_id(dkey) == dst_key_id(pubkey) &&
+			    dst_key_alg(dkey) == dst_key_alg(pubkey) &&
+			    dns_name_equal(dst_key_name(dkey), gorigin))
+				break;
+		}
+		if (key == NULL) {
+			dns_dnsseckey_create(mctx, &pubkey, &key);
+			if (key->legacy)
+				key->force_publish = ISC_TRUE;
+			key->force_sign = ISC_FALSE;
+			key->hint_sign = ISC_FALSE;
+			ISC_LIST_APPEND(keylist, key, link);
+		} else {
+			dst_key_free(&pubkey);
+		}
  next:
 		result = dns_rdataset_next(&rdataset);
 	}
@@ -3269,7 +3298,6 @@ main(int argc, char *argv[]) {
 	size_t salt_length = 0;
 	unsigned char saltbuf[255];
 	hashlist_t hashlist;
-	isc_boolean_t smartsign = ISC_FALSE;
 	isc_boolean_t make_keyset = ISC_FALSE;
 
 #define CMDLINE_FLAGS "3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tUv:z"
@@ -3694,32 +3722,23 @@ main(int argc, char *argv[]) {
 		for (key = ISC_LIST_HEAD(keylist);
 		     key != NULL;
 		     key = ISC_LIST_NEXT(key, link)) {
-			dst_key_t *dkey = key->key;
-			if (dst_key_id(dkey) == dst_key_id(newkey) &&
-			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
-			    dns_name_equal(dst_key_name(dkey), gorigin)) {
-				/*
-				 * Key was already in keylist, but we
-				 * must make sure it has the right
-				 * dnsseckey flags.
-				 */
-				key->ksk = ISC_TRUE;
-				key->force_publish = ISC_TRUE;
-				key->force_sign = ISC_TRUE;
-				key->source = dns_keysource_user;
-				dst_key_free(&newkey);
+			if (dst_key_id(key->key) == dst_key_id(newkey) &&
+			    dst_key_alg(key->key) == dst_key_alg(newkey) &&
+			    dns_name_equal(dst_key_name(key->key), gorigin))
 				break;
-			}
 		}
 		if (key == NULL) {
 			/* We haven't seen this key before */
 			dns_dnsseckey_create(mctx, &newkey, &key);
-			key->ksk = ISC_TRUE;
-			key->force_publish = ISC_TRUE;
-			key->force_sign = ISC_TRUE;
-			key->source = dns_keysource_user;
 			ISC_LIST_APPEND(keylist, key, link);
+		} else {
+			dst_key_free(&key->key);
+			key->key = newkey;
 		}
+		key->force_publish = ISC_TRUE;
+		key->force_sign = ISC_TRUE;
+		key->source = dns_keysource_user;
+		key->ksk = ISC_TRUE;
 	}
 
 	/*

From 69338455d91b46bef10a2d73beafa05df49ed2d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 24 Sep 2009 06:37:50 +0000
Subject: [PATCH 204/385] 2688.   [bug]           Use INTERFACE_F_POINTTOPOINT,
 not IFF_POINTOPOINT,                         to decide to fetch the
 destination address. [RT #20305]

---
 CHANGES                          | 3 +++
 lib/isc/unix/ifiter_getifaddrs.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2aa5426ec1..0ccb81cee4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
+			to decide to fetch the destination address. [RT #20305]
+
 2687.	[bug]		Fixed dnssec-signzone -S handling of revoked keys.
 			Also, added warnings when revoking a ZSK, as this is
 			not defined by protocol (but is legal).  [RT #19943]
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
index b576d4632f..7ca5cf258b 100644
--- a/lib/isc/unix/ifiter_getifaddrs.c
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_getifaddrs.c,v 1.11 2008/03/20 23:47:00 tbox Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.12 2009/09/24 06:37:50 marka Exp $ */
 
 /*! \file
  * \brief
@@ -181,7 +181,7 @@ internal_current(isc_interfaceiter_t *iter) {
 			 ifa->ifa_name);
 
 	if (ifa->ifa_dstaddr != NULL &&
-	    (iter->current.flags & IFF_POINTOPOINT) != 0)
+	    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
 		get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
 			 ifa->ifa_name);
 

From 78092514b3256664785e123562ecd0ef3faf1999 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 24 Sep 2009 13:03:39 +0000
Subject: [PATCH 205/385] trivial typo

---
 win32utils/win32-build.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index cf181c37a1..85023589c6 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: win32-build.txt,v 1.16 2009/09/02 08:41:06 fdupont Exp $
+$Id: win32-build.txt,v 1.17 2009/09/24 13:03:39 fdupont Exp $
 
        BIND 9.7 for Win32 Source Build Instructions.  02-Jul-2009
 
@@ -64,7 +64,7 @@ to see if the build instructions have changed:
   cd openssl-0.9.8k
   perl Configure VC-WIN32 --prefix=c:/openssl
   ms\do_masm
-  nmake /f ms\ntll.mak
+  nmake /f ms\ntdll.mak
 
 Step 2: Download and build libxml2
 

From c59a7b06297c27404695d61f8e4186e1d6fabb38 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Thu, 24 Sep 2009 14:39:17 +0000
Subject: [PATCH 206/385] missing updates in recent changes

---
 bin/dig/win32/dig.dsp      |  8 ++++----
 bin/dig/win32/dig.mak      | 10 ++++++----
 bin/dig/win32/dighost.dsp  |  4 ++--
 bin/dig/win32/host.dsp     |  8 ++++----
 bin/dig/win32/host.mak     | 10 ++++++----
 bin/dig/win32/nslookup.dsp |  8 ++++----
 bin/dig/win32/nslookup.mak | 10 ++++++----
 lib/dns/win32/libdns.def   |  1 +
 8 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/bin/dig/win32/dig.dsp b/bin/dig/win32/dig.dsp
index 67848cba12..db03dfbc52 100644
--- a/bin/dig/win32/dig.dsp
+++ b/bin/dig/win32/dig.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dig.exe"
 
 !ELSEIF  "$(CFG)" == "dig - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept
 
 !ENDIF 
 
diff --git a/bin/dig/win32/dig.mak b/bin/dig/win32/dig.mak
index a5818fba04..4e33508068 100644
--- a/bin/dig/win32/dig.mak
+++ b/bin/dig/win32/dig.mak
@@ -132,18 +132,19 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\dig.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe" 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dig.pdb" /machine:I386 /out:"../../../Build/Release/dig.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\dig.obj" \
 	"$(INTDIR)\dighost.obj" \
 	"..\..\..\lib\dns\win32\Release\libdns.lib" \
 	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
 
@@ -191,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\dig.bsc" 
 BSC32_SBRS= \
@@ -204,12 +205,13 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dig.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dig.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\dig.obj" \
 	"$(INTDIR)\dighost.obj" \
 	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
 	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
 
diff --git a/bin/dig/win32/dighost.dsp b/bin/dig/win32/dighost.dsp
index f865e14500..51a2b0f5b5 100644
--- a/bin/dig/win32/dighost.dsp
+++ b/bin/dig/win32/dighost.dsp
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fddighost
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fddighost
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
diff --git a/bin/dig/win32/host.dsp b/bin/dig/win32/host.dsp
index 30731a7d4d..aa0c600bc6 100644
--- a/bin/dig/win32/host.dsp
+++ b/bin/dig/win32/host.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/dighost.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/host.exe"
 
 !ELSEIF  "$(CFG)" == "host - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/dighost.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept
 
 !ENDIF 
 
diff --git a/bin/dig/win32/host.mak b/bin/dig/win32/host.mak
index fca3b16de2..ec02686109 100644
--- a/bin/dig/win32/host.mak
+++ b/bin/dig/win32/host.mak
@@ -132,18 +132,19 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\host.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe" 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\host.pdb" /machine:I386 /out:"../../../Build/Release/host.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\dighost.obj" \
 	"$(INTDIR)\host.obj" \
 	"..\..\..\lib\dns\win32\Release\libdns.lib" \
 	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
 
@@ -191,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\host.bsc" 
 BSC32_SBRS= \
@@ -204,12 +205,13 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\host.pdb" /debug /machine:I386 /out:"../../../Build/Debug/host.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\dighost.obj" \
 	"$(INTDIR)\host.obj" \
 	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
 	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
 
diff --git a/bin/dig/win32/nslookup.dsp b/bin/dig/win32/nslookup.dsp
index 2898bc503e..abd9cc53d2 100644
--- a/bin/dig/win32/nslookup.dsp
+++ b/bin/dig/win32/nslookup.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nslookup.exe"
 
 !ELSEIF  "$(CFG)" == "nslookup - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept
 
 !ENDIF 
 
diff --git a/bin/dig/win32/nslookup.mak b/bin/dig/win32/nslookup.mak
index a69f4dda62..e4604686e5 100644
--- a/bin/dig/win32/nslookup.mak
+++ b/bin/dig/win32/nslookup.mak
@@ -132,18 +132,19 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nslookup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe" 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/bind9/win32/Release/libbind9.lib  ../../../lib/lwres/win32/Release/liblwres.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nslookup.pdb" /machine:I386 /out:"../../../Build/Release/nslookup.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\dighost.obj" \
 	"$(INTDIR)\nslookup.obj" \
 	"..\..\..\lib\dns\win32\Release\libdns.lib" \
 	"..\..\..\lib\isc\win32\Release\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Release\liblwres.lib"
 
@@ -191,7 +192,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nslookup.bsc" 
 BSC32_SBRS= \
@@ -204,12 +205,13 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept 
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/bind9/win32/Debug/libbind9.lib  ../../../lib/lwres/win32/Debug/liblwres.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nslookup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nslookup.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\dighost.obj" \
 	"$(INTDIR)\nslookup.obj" \
 	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
 	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
+	"..\..\..\lib\isccfg\win32\Debug\libisccfg.lib" \
 	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
 	"..\..\..\lib\lwres\win32\Debug\liblwres.lib"
 
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index f934ad7dc4..a979447e62 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -875,6 +875,7 @@ dst_key_iszonekey
 dst_key_name
 dst_key_paramcompare
 dst_key_proto
+dst_key_pubcompare
 dst_key_secretsize
 dst_key_setbits
 dst_key_setflags

From 0f869e8d52fec87684c7551dcc0f315a7ed19da1 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 24 Sep 2009 22:19:08 +0000
Subject: [PATCH 207/385] 2689.   [bug]           Correctly handle snprintf
 result. [RT #20306]

---
 CHANGES           | 2 ++
 lib/dns/dst_api.c | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 0ccb81cee4..fc119fd13c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2689.	[bug]		Correctly handle snprintf result. [RT #20306]
+
 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
 			to decide to fetch the destination address. [RT #20305]
 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 22a95f8975..70c1fe323e 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.31 2009/09/23 16:01:57 each Exp $
+ * $Id: dst_api.c,v 1.32 2009/09/24 22:19:08 marka Exp $
  */
 
 /*! \file */
@@ -1508,6 +1508,8 @@ addsuffix(char *filename, unsigned int len, const char *odirname,
 		n = snprintf(filename, len, "%s/%.*s%s",
 			     odirname, olen, ofilename, suffix);
 	if (n < 0)
+		return (ISC_R_FAILURE);
+	if (n >= len)
 		return (ISC_R_NOSPACE);
 	return (ISC_R_SUCCESS);
 }

From 9e6a0b09c0b9537d5b3a0c2945eea1240f9d4556 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 24 Sep 2009 23:18:21 +0000
Subject: [PATCH 208/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 5bae379cef..d8533977db 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -250,6 +250,7 @@ rt20236				new	fdupont	// 2009-09-19 22:34 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000
 rt20257				new	fdupont	// 2009-09-18 16:53 +0000
+rt20304				new	each	// 2009-09-24 22:57 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 78d7186253dfed549ec0ce2d7c2b08a7978ede9c Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 24 Sep 2009 23:30:34 +0000
Subject: [PATCH 209/385] newcopyrights

---
 util/copyrights | 65 +++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 7 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index fb42b52749..e46adde2cf 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1323,20 +1323,28 @@
 ./contrib/zkt/Makefile.in			X	2008,2009
 ./contrib/zkt/README				X	2008,2009
 ./contrib/zkt/README.logging			X	2008,2009
-./contrib/zkt/TODO				X	2008
-./contrib/zkt/config.h.in			X	2008
+./contrib/zkt/TODO				X	2008,2009
+./contrib/zkt/config.h.in			X	2008,2009
 ./contrib/zkt/config_zkt.h			X	2008,2009
 ./contrib/zkt/configure				X	2008,2009
+./contrib/zkt/configure.ac			X	2009
 ./contrib/zkt/debug.h				X	2008
 ./contrib/zkt/dki.c				X	2008,2009
 ./contrib/zkt/dki.h				X	2008,2009
 ./contrib/zkt/dnssec-signer.c			X	2008,2009
 ./contrib/zkt/dnssec-zkt.c			X	2008,2009
+./contrib/zkt/doc/KeyRollover.ms		X	2009
+./contrib/zkt/doc/KeyRollover.ps		X	2009
+./contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt	X	2009
+./contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt	X	2009
+./contrib/zkt/doc/rfc4641.txt			X	2009
+./contrib/zkt/doc/rfc5011.txt			X	2009
 ./contrib/zkt/domaincmp.c			X	2008
 ./contrib/zkt/domaincmp.h			X	2008
 ./contrib/zkt/examples/dnssec-signer.sh		X	2008
 ./contrib/zkt/examples/dnssec-zkt.sh		X	2008
-./contrib/zkt/examples/flat/dist.sh		X	2008
+./contrib/zkt/examples/flat/dist.sh		X	2008,2009
+./contrib/zkt/examples/flat/dnssec-signer.sh	X	2009
 ./contrib/zkt/examples/flat/dnssec.conf		X	2008,2009
 ./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key	X	2009
 ./contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private	X	2009
@@ -1356,9 +1364,20 @@
 ./contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.key	X	2009
 ./contrib/zkt/examples/flat/example.net/Kexample.net.+005+04157.private	X	2009
 ./contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private	X	2009
 ./contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.published	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key	X	2009
+./contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private	X	2009
 ./contrib/zkt/examples/flat/example.net/dnskey.db	X	2009
 ./contrib/zkt/examples/flat/example.net/dsset-example.net.	X	2009
+./contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key	X	2009
+./contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private	X	2009
 ./contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key	X	2009
 ./contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private	X	2009
 ./contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key	X	2009
@@ -1373,15 +1392,21 @@
 ./contrib/zkt/examples/flat/keysets/keyset-dyn.example.net.	X	2008
 ./contrib/zkt/examples/flat/keysets/keyset-example.net.	X	2008,2009
 ./contrib/zkt/examples/flat/keysets/keyset-sub.example.net.	X	2008,2009
-./contrib/zkt/examples/flat/named.conf		X	2008
+./contrib/zkt/examples/flat/named.conf		X	2008,2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.key	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+04710.published	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.key	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+05823.private	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.depreciated	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+006+22440.key	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.key	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+18846.private	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key	X	2009
+./contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net.	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/dnskey.db	X	2009
 ./contrib/zkt/examples/flat/sub.example.net/dnssec.conf	X	2009
@@ -1399,6 +1424,8 @@
 ./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/dnskey.db	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de.	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key	X	2009
@@ -1411,16 +1438,30 @@
 ./contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+04031.published	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+39146.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.depreciated	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+59924.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+31785.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+56595.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf	X	2009
@@ -1428,8 +1469,12 @@
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key	X	2009
+./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db	X	2009
 ./contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed	X	2009
@@ -1482,14 +1527,20 @@
 ./contrib/zkt/log.h				X	2008
 ./contrib/zkt/man/dnssec-signer.8		X	2009
 ./contrib/zkt/man/dnssec-signer.8.html		X	2009
+./contrib/zkt/man/dnssec-signer.8.pdf		X	2009
 ./contrib/zkt/man/dnssec-zkt.8			X	2009
 ./contrib/zkt/man/dnssec-zkt.8.html		X	2009
+./contrib/zkt/man/dnssec-zkt.8.pdf		X	2009
 ./contrib/zkt/misc.c				X	2008,2009
 ./contrib/zkt/misc.h				X	2008,2009
-./contrib/zkt/ncparse.c				X	2008
-./contrib/zkt/ncparse.h				X	2008
+./contrib/zkt/ncparse.c				X	2008,2009
+./contrib/zkt/ncparse.h				X	2008,2009
+./contrib/zkt/nscomm.c				X	2009
+./contrib/zkt/nscomm.h				X	2009
 ./contrib/zkt/rollover.c			X	2008,2009
 ./contrib/zkt/rollover.h			X	2008,2009
+./contrib/zkt/soaserial.c			X	2009
+./contrib/zkt/soaserial.h			X	2009
 ./contrib/zkt/strlist.c				X	2008,2009
 ./contrib/zkt/strlist.h				X	2008
 ./contrib/zkt/tags				X	2008,2009
@@ -2247,7 +2298,7 @@
 ./lib/isc/unix/errno2result.h			C	2000,2001,2004,2005,2007
 ./lib/isc/unix/file.c				C	2000,2001,2002,2004,2005,2007,2009
 ./lib/isc/unix/fsaccess.c			C	2000,2001,2004,2005,2006,2007
-./lib/isc/unix/ifiter_getifaddrs.c		C	2003,2004,2005,2007,2008
+./lib/isc/unix/ifiter_getifaddrs.c		C	2003,2004,2005,2007,2008,2009
 ./lib/isc/unix/ifiter_ioctl.c			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/isc/unix/ifiter_sysctl.c			C	1999,2000,2001,2002,2003,2004,2005,2007
 ./lib/isc/unix/include/.cvsignore		X	1998,1999,2000,2001

From b4336342d10c8f925c1fa6565be90572848417f2 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 24 Sep 2009 23:48:13 +0000
Subject: [PATCH 210/385] update copyright notice

---
 lib/isc/unix/ifiter_getifaddrs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
index 7ca5cf258b..637450aaf4 100644
--- a/lib/isc/unix/ifiter_getifaddrs.c
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_getifaddrs.c,v 1.12 2009/09/24 06:37:50 marka Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.13 2009/09/24 23:48:13 tbox Exp $ */
 
 /*! \file
  * \brief

From b4cc584425beb0e920b67afab5faccdc1d31fb00 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 25 Sep 2009 01:07:36 +0000
Subject: [PATCH 211/385] new draft

---
 ...draft-ietf-dnsext-rfc2672bis-dname-17.txt} | 641 +++++++++---------
 1 file changed, 321 insertions(+), 320 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-rfc2672bis-dname-13.txt => draft-ietf-dnsext-rfc2672bis-dname-17.txt} (64%)

diff --git a/doc/draft/draft-ietf-dnsext-rfc2672bis-dname-13.txt b/doc/draft/draft-ietf-dnsext-rfc2672bis-dname-17.txt
similarity index 64%
rename from doc/draft/draft-ietf-dnsext-rfc2672bis-dname-13.txt
rename to doc/draft/draft-ietf-dnsext-rfc2672bis-dname-17.txt
index 13195bb4a2..9f0591e7c2 100644
--- a/doc/draft/draft-ietf-dnsext-rfc2672bis-dname-13.txt
+++ b/doc/draft/draft-ietf-dnsext-rfc2672bis-dname-17.txt
@@ -5,20 +5,28 @@ DNS Extensions Working Group                                     S. Rose
 Internet-Draft                                                      NIST
 Obsoletes: 2672 (if approved)                              W. Wijngaards
 Updates: 3363,4294                                            NLnet Labs
-(if approved)                                                May 2, 2008
+(if approved)                                         September 24, 2009
 Intended status: Standards Track
-Expires: November 3, 2008
+Expires: March 28, 2010
 
 
                  Update to DNAME Redirection in the DNS
-                 draft-ietf-dnsext-rfc2672bis-dname-13
+                 draft-ietf-dnsext-rfc2672bis-dname-17
 
 Status of This Memo
 
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.  This document may contain material
+   from IETF Documents or IETF Contributions published or made publicly
+   available before November 10, 2008.  The person(s) controlling the
+   copyright in some of this material may not have granted the IETF
+   Trust the right to allow modifications of such material outside the
+   IETF Standards Process.  Without obtaining an adequate license from
+   the person(s) controlling the copyright in such materials, this
+   document may not be modified outside the IETF Standards Process, and
+   derivative works of it may not be created outside the IETF Standards
+   Process, except to format it for publication as an RFC or to
+   translate it into languages other than English.
 
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that
@@ -36,81 +44,129 @@ Status of This Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on November 3, 2008.
+   This Internet-Draft will expire on March 28, 2010.
 
 Copyright Notice
 
-   Copyright (C) The IETF Trust (2008).
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 1]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
 
 Abstract
 
    The DNAME record provides redirection for a sub-tree of the domain
    name tree in the DNS system.  That is, all names that end with a
    particular suffix are redirected to another part of the DNS.  This is
-   an update of the original specification in RFC 2672, also aligning
+   a revision of the original specification in RFC 2672, also aligning
    RFC 3363 and RFC 4294 with this revision.
 
-
-
-Rose & Wijngaards       Expires November 3, 2008                [Page 1]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
 Requirements Language
 
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
    document are to be interpreted as described in RFC 2119 [RFC2119].
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 2]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
 Table of Contents
 
-   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
 
-   2.  The DNAME Resource Record  . . . . . . . . . . . . . . . . . .  3
-     2.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . .  3
-     2.2.  The DNAME Substitution . . . . . . . . . . . . . . . . . .  4
-     2.3.  DNAME Apex not Redirected itself . . . . . . . . . . . . .  5
-     2.4.  Names Next to and Below a DNAME Record . . . . . . . . . .  6
-     2.5.  Compression of the DNAME record. . . . . . . . . . . . . .  6
+   2.  The DNAME Resource Record  . . . . . . . . . . . . . . . . . .  4
+     2.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     2.2.  The DNAME Substitution . . . . . . . . . . . . . . . . . .  5
+     2.3.  DNAME Apex not Redirected itself . . . . . . . . . . . . .  6
+     2.4.  Names Next to and Below a DNAME Record . . . . . . . . . .  7
+     2.5.  Compression of the DNAME record. . . . . . . . . . . . . .  7
 
-   3.  Processing . . . . . . . . . . . . . . . . . . . . . . . . . .  7
-     3.1.  CNAME synthesis and UD bit . . . . . . . . . . . . . . . .  7
+   3.  Processing . . . . . . . . . . . . . . . . . . . . . . . . . .  8
+     3.1.  CNAME synthesis  . . . . . . . . . . . . . . . . . . . . .  8
      3.2.  Server algorithm . . . . . . . . . . . . . . . . . . . . .  8
-     3.3.  Wildcards  . . . . . . . . . . . . . . . . . . . . . . . .  9
+     3.3.  Wildcards  . . . . . . . . . . . . . . . . . . . . . . . . 10
      3.4.  Acceptance and Intermediate Storage  . . . . . . . . . . . 10
 
-   4.  DNAME Discussions in Other Documents . . . . . . . . . . . . . 10
+   4.  DNAME Discussions in Other Documents . . . . . . . . . . . . . 11
 
    5.  Other Issues with DNAME  . . . . . . . . . . . . . . . . . . . 12
      5.1.  Canonical hostnames cannot be below DNAME owners . . . . . 12
      5.2.  Dynamic Update and DNAME . . . . . . . . . . . . . . . . . 12
-     5.3.  DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 12
-       5.3.1.  DNAME bit in NSEC type map . . . . . . . . . . . . . . 12
-       5.3.2.  Validators Must Understand DNAME . . . . . . . . . . . 12
-         5.3.2.1.  DNAME in Bitmap Causes Invalid Name Error  . . . . 13
-         5.3.2.2.  Valid Name Error Response Involving DNAME in
-                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 13
-         5.3.2.3.  Response With Synthesized CNAME  . . . . . . . . . 13
+     5.3.  DNSSEC and DNAME . . . . . . . . . . . . . . . . . . . . . 13
+       5.3.1.  Signed DNAME, Unsigned Synthesized CNAME . . . . . . . 13
+       5.3.2.  DNAME Bit in NSEC Type Map . . . . . . . . . . . . . . 13
+       5.3.3.  DNAME Chains as Strong as the Weakest Link . . . . . . 13
+       5.3.4.  Validators Must Understand DNAME . . . . . . . . . . . 13
+         5.3.4.1.  DNAME in Bitmap Causes Invalid Name Error  . . . . 13
+         5.3.4.2.  Valid Name Error Response Involving DNAME in
+                   Bitmap . . . . . . . . . . . . . . . . . . . . . . 14
+         5.3.4.3.  Response With Synthesized CNAME  . . . . . . . . . 14
 
-   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 14
+   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
 
-   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
 
-   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
+   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 15
 
-   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
-     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 14
-     9.2.  Informative References . . . . . . . . . . . . . . . . . . 15
+   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 15
+     9.2.  Informative References . . . . . . . . . . . . . . . . . . 16
 
 
 
 
 
 
-Rose & Wijngaards       Expires November 3, 2008                [Page 2]
+
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 3]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
 1.  Introduction
@@ -135,7 +191,7 @@ Internet-Draft              DNAME Redirection                   May 2008
    "foo.example.net".  Had the query name been "www.foo.example.com" the
    new query name would be "www.foo.example.net".
 
-   This document is an update of the original specification of DNAME in
+   This document is a revision of the original specification of DNAME in
    RFC 2672 [RFC2672].  DNAME was conceived to help with the problem of
    maintaining address-to-name mappings in a context of network
    renumbering.  With a careful set-up, a renumbering event in the
@@ -143,17 +199,14 @@ Internet-Draft              DNAME Redirection                   May 2008
    address-to-name mappings.  Examples in practice are classless reverse
    address space delegations.
 
-   Another usage of DNAME lies in redirection of name spaces.  For
-   example, a zone administrator may want sub-trees of the DNS to
-   contain the same information.  Examples include punycode alternates
-   for domain spaces.  DNAME is also used for the redirection of ENUM
-   domains to another maintaining party.
+   Another usage of DNAME lies in aliasing of name spaces.  For example,
+   a zone administrator may want sub-trees of the DNS to contain the
+   same information.  Examples include punycode alternates for domain
+   spaces.
 
-   This update to DNAME does not change the wire format or the handling
-   of DNAME Resource Records by existing software.  A new UD (Understand
-   DNAME) bit in the EDNS flags field can be used to signal that CNAME
-   synthesis is not needed.  Discussion is added on problems that may be
-   encountered when using DNAME.
+   This revision to DNAME does not change the wire format or the
+   handling of DNAME Resource Records.  Discussion is added on problems
+   that may be encountered when using DNAME.
 
 2.  The DNAME Resource Record
 
@@ -164,9 +217,12 @@ Internet-Draft              DNAME Redirection                   May 2008
 
 
 
-Rose & Wijngaards       Expires November 3, 2008                [Page 3]
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 4]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
    Its RDATA is comprised of a single field, , which contains a
@@ -193,7 +249,7 @@ Internet-Draft              DNAME Redirection                   May 2008
    is found to own a DNAME resource record a DNAME substitution occurs.
    The name being sought may be the original query name or a name that
    is the result of a CNAME resource record being followed or a
-   previously encountered DNAME.  As is the case of finding a CNAME
+   previously encountered DNAME.  As in the case when finding a CNAME
    resource record or NS resource record set, the processing of a DNAME
    will happen prior to finding the desired domain name.
 
@@ -220,9 +276,9 @@ Internet-Draft              DNAME Redirection                   May 2008
 
 
 
-Rose & Wijngaards       Expires November 3, 2008                [Page 4]
+Rose & Wijngaards        Expires March 28, 2010                 [Page 5]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
    In the table below, the QNAME refers to the query name.  The owner is
@@ -231,8 +287,8 @@ Internet-Draft              DNAME Redirection                   May 2008
    the DNAME substitution on the query name. "no match" means that the
    query did not match the DNAME and thus no substitution is performed
    and a possible error message is returned (if no other result is
-   possible).  In the examples below, 'cyc' and 'shortloop' contain
-   loops.
+   possible).  Thus every line contains one example substitution.  In
+   the examples below, 'cyc' and 'shortloop' contain loops.
 
     QNAME            owner  DNAME   target         result
     ---------------- -------------- -------------- -----------------
@@ -262,46 +318,45 @@ Internet-Draft              DNAME Redirection                   May 2008
    The domain name can get too long during substitution.  For example,
    suppose the target name of the DNAME RR is 250 octets in length
    (multiple labels), if an incoming QNAME that has a first label over 5
-   octets in length, the result of the result would be a name over 255
-   octets.  If this occurs the server returns an RCODE of YXDOMAIN
-   [RFC2136].  The DNAME record and its signature (if the zone is
-   signed) are included in the answer as proof for the YXDOMAIN (value
-   6) RCODE.
+   octets in length, the result would be a name over 255 octets.  If
+   this occurs the server returns an RCODE of YXDOMAIN [RFC2136].  The
+   DNAME record and its signature (if the zone is signed) are included
+   in the answer as proof for the YXDOMAIN (value 6) RCODE.
 
 2.3.  DNAME Apex not Redirected itself
 
    Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its
    owner name; the owner name of a DNAME is not redirected itself.  The
    domain name that owns a DNAME record is allowed to have other
+   resource record types at that domain name, except DNAMEs, CNAMEs or
 
 
 
-Rose & Wijngaards       Expires November 3, 2008                [Page 5]
+Rose & Wijngaards        Expires March 28, 2010                 [Page 6]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
-   resource record types at that domain name, except DNAMEs or CNAMEs.
-   This means that DNAME RRs are not allowed at the parent side of a
-   delegation point but are allowed at a zone apex.
+   other types that have restrictions on what they can co-exist with.
+   DNAME RRs are not allowed at the parent side of a delegation point
+   but are allowed at a zone apex.
 
-   The reason for this decision was that one can have a DNAME at the
-   zone apex.  There still is a need to have the customary SOA and NS
-   resource records at the zone apex.  This means that DNAME does not
-   mirror a zone completely, as it does not mirror the zone apex.
+   There still is a need to have the customary SOA and NS resource
+   records at the zone apex.  This means that DNAME does not mirror a
+   zone completely, as it does not mirror the zone apex.
 
    These rules also allow DNAME records to be queried through RFC 1034
    [RFC1034] compliant, DNAME-unaware caches.
 
 2.4.  Names Next to and Below a DNAME Record
 
-   Resource records MUST NOT exist at any domain name subordinate to the
-   owner of a DNAME RR.  To get the contents for names subordinate to
-   that owner, the DNAME redirection must be invoked and the resulting
-   target queried.  A server MAY refuse to load a zone that has data at
-   a domain name subordinate to a domain name owning a DNAME RR.  If the
-   server does load the zone, those names below the DNAME RR will be
-   occluded, RFC 2136 [RFC2136], section 7.18.  Also a server SHOULD
+   Resource records MUST NOT exist at any sub-domain of the owner of a
+   DNAME RR.  To get the contents for names subordinate to that owner
+   name, the DNAME redirection must be invoked and the resulting target
+   queried.  A server MAY refuse to load a zone that has data at a sub-
+   domain of a domain name owning a DNAME RR.  If the server does load
+   the zone, those names below the DNAME RR will be occluded as
+   described in RFC 2136 [RFC2136], section 7.18.  Also a server SHOULD
    refuse to load a zone subordinate to the owner of a DNAME record in
    the ancestor zone.  See Section 5.2 for further discussion related to
    dynamic update.
@@ -321,82 +376,54 @@ Internet-Draft              DNAME Redirection                   May 2008
 
    Although the previous DNAME specification [RFC2672] (that is
    obsoleted by this specification) talked about signaling to allow
-   compression of the target name, such signaling is not specified.
+   compression of the target name, such signaling has never been
+   specified and this document also does not specify this signaling
+   behavior.
 
-   RFC 2672 stated that the EDNS version had a meaning for understanding
-   of DNAME and DNAME target name compression.  This document updates
-   RFC 2672, in that there is no EDNS version signaling for DNAME.
-   However, the flags section of EDNS(0) is updated with a Understand-
-   DNAME flag by this document (See Section 3.3).
+   RFC 2672 (obsoleted by this document) stated that the EDNS version
+   had a meaning for understanding of DNAME and DNAME target name
+   compression.  This document revises RFC 2672, in that there is no
+   EDNS version signaling for DNAME.
 
 
 
 
-Rose & Wijngaards       Expires November 3, 2008                [Page 6]
+Rose & Wijngaards        Expires March 28, 2010                 [Page 7]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
 3.  Processing
 
-   The DNAME RR causes type NS additional section processing.
+   The DNAME RR causes type NS additional section processing.  This
+   refers to action at step 6 of the server algorithm outlined in
+   section 3.2.
 
-3.1.  CNAME synthesis and UD bit
+3.1.  CNAME synthesis
 
-   When preparing an response, a server upon performing a DNAME
-   substitution will in all cases include the DNAME RR used in the
-   answer section.  A CNAME RR record with TTL equal to the
-   corresponding DNAME RR is synthesized and included in the answer
-   section for old resolvers.  The owner name of the CNAME is the QNAME
-   of the query.  DNSSEC [RFC4033], [RFC4034], [RFC4035] says that the
-   synthesized CNAME does not have to be signed.  The DNAME has an RRSIG
-   and a validating resolver can check the CNAME against the DNAME
-   record and validate the DNAME record.
+   When preparing a response, a server performing a DNAME substitution
+   will in all cases include the relevant DNAME RR in the answer
+   section.  A CNAME RR with TTL equal to the corresponding DNAME RR is
+   synthesized and included in the answer section.  The owner name of
+   the CNAME is the QNAME of the query.  The DNSSEC specification
+   [RFC4033], [RFC4034], [RFC4035] says that the synthesized CNAME does
+   not have to be signed.  The DNAME has an RRSIG and a validating
+   resolver can check the CNAME against the DNAME record and validate
+   the signature over the DNAME RR.
 
    Resolvers MUST be able to handle a synthesized CNAME TTL of zero or
    equal to the TTL of the corresponding DNAME record.  A TTL of zero
    means that the CNAME can be discarded immediately after processing
-   the answer.  DNAME aware resolvers can set the Understand-DNAME (UD
-   bit) to receive a response with only the DNAME RR and no synthesized
-   CNAMEs.
-
-   The UD bit is part of the EDNS [RFC2671] extended RCODE and Flags
-   field.  It is used to omit server processing, transmission and
-   resolver processing of unsigned synthesized CNAMEs.  Resolvers can
-   set this in a query to request omission of the synthesized CNAMEs.
-   Servers copy the UD bit to the response, and can omit synthesized
-   CNAMEs from the answer.  Older resolvers do not set the UD bit, and
-   older servers do not copy the UD bit to the answer, and will not omit
-   synthesized CNAMEs.
-
-   Updated EDNS extended RCODE and Flags field.
-
-               +0 (MSB)                +1 (LSB)
-      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   0: |   EXTENDED-RCODE      |       VERSION         |
-      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-   2: |DO|UD|                 Z                       |
-      +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+   the answer.
 
    Servers MUST be able to answer a query for a synthesized CNAME.  Like
    other query types this invokes the DNAME, and synthesizes the CNAME
    into the answer.
 
-
-
-
-
-
-
-Rose & Wijngaards       Expires November 3, 2008                [Page 7]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
 3.2.  Server algorithm
 
-   Below the server algorithm, which appeared in RFC 2672 Section 4.1,
-   is expanded to handle the UD (Understand DNAME) bit.
+   Below is the server algorithm, which appeared in RFC 2672 Section
+   4.1.
 
    1.  Set or clear the value of recursion available in the response
        depending on whether the name server is willing to provide
@@ -404,13 +431,24 @@ Internet-Draft              DNAME Redirection                   May 2008
        requested via the RD bit in the query, go to step 5, otherwise
        step 2.
 
+
    2.  Search the available zones for the zone which is the nearest
        ancestor to QNAME.  If such a zone is found, go to step 3,
        otherwise step 4.
 
+
    3.  Start matching down, label by label, in the zone.  The matching
        process can terminate several ways:
 
+
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 8]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
        A.  If the whole of QNAME is matched, we have found the node.
 
            If the data at the node is a CNAME, and QTYPE does not match
@@ -421,6 +459,7 @@ Internet-Draft              DNAME Redirection                   May 2008
            Otherwise, copy all RRs which match QTYPE into the answer
            section and go to step 6.
 
+
        B.  If a match would take us out of the authoritative data, we
            have a referral.  This happens when we encounter a node with
            NS RRs marking cuts along the bottom of a zone.
@@ -431,6 +470,7 @@ Internet-Draft              DNAME Redirection                   May 2008
            available from authoritative data or the cache.  Go to step
            4.
 
+
        C.  If at some label, a match is impossible (i.e., the
            corresponding label does not exist), look to see whether the
            last label matched has a DNAME record.
@@ -439,20 +479,9 @@ Internet-Draft              DNAME Redirection                   May 2008
            the answer section.  If substitution of its  for its
             in QNAME would overflow the legal size for a , set RCODE to YXDOMAIN [RFC2136] and exit; otherwise
-           perform the substitution and continue.  If the EDNS OPT
-           record is present in the query and the UD bit is set, the
-
-
-
-Rose & Wijngaards       Expires November 3, 2008                [Page 8]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
-           server MAY copy the UD bit to the answer EDNS OPT record, and
-           omit CNAME synthesis.  Else the server MUST synthesize a
-           CNAME record as described above and include it in the answer
-           section.  Go back to step 1.
+           perform the substitution and continue.  The server MUST
+           synthesize a CNAME record as described above and include it
+           in the answer section.  Go back to step 1.
 
            If there was no DNAME record, look to see if the "*" label
            exists.
@@ -468,10 +497,19 @@ Internet-Draft              DNAME Redirection                   May 2008
            set the owner of the RR to be QNAME, and not the node with
            the "*" label.  If the data at the node with the "*" label is
            a CNAME, and QTYPE doesn't match CNAME, copy the CNAME RR
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                 [Page 9]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
            into the answer section of the response changing the owner
            name to the QNAME, change QNAME to the canonical name in the
            CNAME RR, and go back to step 1.  Otherwise, Go to step 6.
 
+
    4.  Start matching down in the cache.  If QNAME is found in the
        cache, copy all RRs attached to it that match QTYPE into the
        answer section.  If QNAME is not found in the cache but a DNAME
@@ -480,10 +518,12 @@ Internet-Draft              DNAME Redirection                   May 2008
        authoritative data, look for the best one from the cache, and put
        it in the authority section.  Go to step 6.
 
+
    5.  Use the local resolver or a copy of its algorithm to answer the
        query.  Store the results, including any intermediate CNAMEs and
        DNAMEs, in the answer section of the response.
 
+
    6.  Using local data only, attempt to add other RRs which may be
        useful to the additional section of the query.  Exit.
 
@@ -497,14 +537,6 @@ Internet-Draft              DNAME Redirection                   May 2008
 
    The use of DNAME in conjunction with wildcards is discouraged
    [RFC4592].  Thus records of the form "*.example.com DNAME
-
-
-
-Rose & Wijngaards       Expires November 3, 2008                [Page 9]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
    example.net" SHOULD NOT be used.
 
    The interaction between the expansion of the wildcard and the
@@ -514,53 +546,40 @@ Internet-Draft              DNAME Redirection                   May 2008
 
    A server MAY give a warning that the behavior is unspecified if such
    a wildcarded DNAME is loaded.  The server MAY refuse it, refuse to
-   load or refuse dynamic update.
+   load the zone or refuse dynamic updates.
 
 3.4.  Acceptance and Intermediate Storage
 
-   DNS caches can encounter data at names below the owner name of a
-   DNAME RR, due to a change at the authoritative server where data from
-   before and after the change resides in the cache.  This conflict
-   situation is a transitional phase, that ends when the old data times
-   out.  The cache can opt to store both old and new data and treat each
-   as if the other did not exist, or drop the old data, or drop the
-   longer domain name.  In any approach, consistency returns after the
-   older data TTL times out.
+   Recursive caching name servers can encounter data at names below the
+   owner name of a DNAME RR, due to a change at the authoritative server
+   where data from before and after the change resides in the cache.
 
-   DNS caches MUST perform CNAME synthesis on behalf of DNAME-ignorant
-   clients.  A DNS cache that understands DNAMEs can send out queries on
-   behalf of clients with the UD bit set (See Section 3.1).  After
-   receiving the answers the DNS cache sends replies to DNAME ignorant
-   clients that include DNAMEs and synthesized CNAMEs.
+
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 10]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
+   This conflict situation is a transitional phase that ends when the
+   old data times out.  The caching name server can opt to store both
+   old and new data and treat each as if the other did not exist, or
+   drop the old data, or drop the longer domain name.  In any approach,
+   consistency returns after the older data TTL times out.
+
+   Recursive caching name servers MUST perform CNAME synthesis on behalf
+   of clients.
+
+   If a recursive caching name server encounters a DNAME RR which
+   contradicts information already in the cache (excluding CNAME
+   records), it SHOULD NOT cache the DNAME RR, but it MAY cache the
+   CNAME record received along with it, subject to the rules for CNAME.
 
 4.  DNAME Discussions in Other Documents
 
    In [RFC2181], in Section 10.3., the discussion on MX and NS records
    touches on redirection by CNAMEs, but this also holds for DNAMEs.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 10]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
    Excerpt from 10.3.  MX and NS records (in RFC 2181).
 
            The domain name used as the value of a NS resource record,
@@ -585,6 +604,19 @@ Internet-Draft              DNAME Redirection                   May 2008
    would greatly improve the manageability of the IPv6 reverse tree.
    These changes are made explicit below.
 
+
+
+
+
+
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 11]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
    In [RFC3363], the paragraph
 
      "The issues for DNAME in the reverse mapping tree appears to be
@@ -607,16 +639,6 @@ Internet-Draft              DNAME Redirection                   May 2008
      "Those nodes are NOT RECOMMENDED to support the experimental
      A6 Resource Record [RFC3363]."
 
-
-
-
-
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 11]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
 5.  Other Issues with DNAME
 
    There are several issues to be aware of about the use of DNAME.
@@ -643,68 +665,100 @@ Internet-Draft              DNAME Redirection                   May 2008
 
    DNAME records can be added, changed and removed in a zone using
    dynamic update transactions.  Adding a DNAME RR to a zone occludes
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 12]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
    any domain names that may exist under the added DNAME.
 
-   A server MUST ignore a dynamic update message that attempts to add a
+   A server MUST reject a dynamic update message that attempts to add a
    DNAME RR at a name that already has a CNAME RR or another DNAME RR
    associated with that name.
 
 5.3.  DNSSEC and DNAME
 
-5.3.1.  DNAME bit in NSEC type map
+   The following subsections specify the behavior of implementations
+   that understand both DNSSEC and DNAME (synthesis).
 
-   When a validator checks the NSEC RRs returned on a name error
-   response, it SHOULD check that the DNAME bit is not set.  If the
-   DNAME bit is set then the DNAME substitution should have been done,
-   but has not.
+5.3.1.  Signed DNAME, Unsigned Synthesized CNAME
 
-5.3.2.  Validators Must Understand DNAME
+   In any response, a signed DNAME RR indicates a non-terminal
+   redirection of the query.  There might or might not be a server
+   synthesized CNAME in the answer section; if there is, the CNAME will
+   never be signed.  For a DNSSEC validator, verification of the DNAME
+   RR and then checking that the CNAME was properly synthesized is
+   sufficient proof.
 
-   Examples of why DNSSEC validators MUST understand DNAME.
+5.3.2.  DNAME Bit in NSEC Type Map
+
+   In any negative response, the NSEC or NSEC3 [RFC5155] record type bit
+   map SHOULD be checked to see that there was no DNAME that could have
+   been applied.  If the DNAME bit in the type bit map is set and the
+   query name is a subdomain of the closest encloser that is asserted,
+   then DNAME substitution should have been done, but the substitution
+   has not been done as specified.
+
+5.3.3.  DNAME Chains as Strong as the Weakest Link
+
+   A response can contain a chain of DNAME and CNAME redirections.  That
+   chain can end in a positive answer or a negative (no name error or no
+   data error) reply.  Each step in that chain results in resource
+   records added to the answer or authority section of the response.
+   Only if all steps are secure can the AD bit be set for the response.
+   If one of the steps is bogus, the result is bogus.
+
+5.3.4.  Validators Must Understand DNAME
+
+   Below are examples of why DNSSEC validators MUST understand DNAME.
+   In the examples below, SOA records, wildcard denial NSECs and other
+   material not under discussion has been omitted.
+
+5.3.4.1.  DNAME in Bitmap Causes Invalid Name Error
 
 
 
 
 
 
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 12]
+Rose & Wijngaards        Expires March 28, 2010                [Page 13]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
-5.3.2.1.  DNAME in Bitmap Causes Invalid Name Error
-
    ;; Header: QR AA DO RCODE=3(NXDOMAIN)
    ;; Question
    foo.bar.example.com. IN A
-   ;; Answer
+   ;; Authority
    bar.example.com. NSEC dub.example.com. A DNAME
    bar.example.com. RRSIG NSEC [valid signature]
 
-   If this is the response, then only by understanding that the DNAME
-   bit means that foo.bar.example.com needed to have been redirected by
-   the DNAME, the validator can see that it is a BOGUS reply from an
-   attacker that collated existing records from the DNS to create a
-   confusing reply.
+   If this is the received response, then only by understanding that the
+   DNAME bit in the NSEC bitmap means that foo.bar.example.com needed to
+   have been redirected by the DNAME, the validator can see that it is a
+   BOGUS reply from an attacker that collated existing records from the
+   DNS to create a confusing reply.
 
    If the DNAME bit had not been set in the NSEC record above then the
    answer would have validated as a correct name error response.
 
-5.3.2.2.  Valid Name Error Response Involving DNAME in Bitmap
+5.3.4.2.  Valid Name Error Response Involving DNAME in Bitmap
 
    ;; Header: QR AA DO RCODE=3(NXDOMAIN)
    ;; Question
    cee.example.com. IN A
-   ;; Answer
+   ;; Authority
    bar.example.com. NSEC dub.example.com. A DNAME
    bar.example.com. RRSIG NSEC [valid signature]
 
-   This reply has the same NSEC records as the example above, but with
-   this query name (cee.example.com), the answer is validated, because
-   'cee' does not get redirected by the DNAME at 'bar'.
+   This response has the same NSEC records as the example above, but
+   with this query name (cee.example.com), the answer is validated,
+   because 'cee' does not get redirected by the DNAME at 'bar'.
 
-5.3.2.3.  Response With Synthesized CNAME
+5.3.4.3.  Response With Synthesized CNAME
 
    ;; Header: QR AA DO RCODE=0(NOERROR)
    ;; Question
@@ -714,37 +768,36 @@ Internet-Draft              DNAME Redirection                   May 2008
    bar.example.com. RRSIG DNAME [valid signature]
    foo.bar.example.com. CNAME foo.bar.example.net.
 
-   The answer shown above has the synthesized CNAME included.  However,
-   the CNAME has no signature, since the server does not sign online.
-   So it cannot be trusted.  It could be altered by an attacker to be
-   foo.bar.example.com CNAME bla.bla.example.  The DNAME record does
-   have its signature included, since it does not change for every query
-   name.  The validator must verify the DNAME signature and then
+   The response shown above has the synthesized CNAME included.
+   However, the CNAME has no signature, since the server does not sign
+   online.  So this response cannot be trusted.  It could be altered by
+   an attacker to be foo.bar.example.com CNAME bla.bla.example.  The
+   DNAME record does have its signature included, since it does not
+   change.  The validator must verify the DNAME signature and then
    recursively resolve further to query for the foo.bar.example.net A
-
-
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 13]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
    record.
 
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 14]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
 6.  IANA Considerations
 
    The DNAME Resource Record type code 39 (decimal) originally has been
    registered by [RFC2672].  IANA should update the DNS resource record
    registry to point to this document for RR type 39.
 
-   This draft requests the second highest bit in the EDNS flags field
-   for the Understand-DNAME (UD) flag.
-
 7.  Security Considerations
 
    DNAME redirects queries elsewhere, which may impact security based on
    policy and the security status of the zone with the DNAME and the
-   redirection zone's security status.
+   redirection zone's security status.  For validating resolvers, the
+   lowest security status of the links in the chain of CNAME and DNAME
+   redirections is applied to the result.
 
    If a validating resolver accepts wildcarded DNAMEs, this creates
    security issues.  Since the processing of a wildcarded DNAME is non-
@@ -754,7 +807,7 @@ Internet-Draft              DNAME Redirection                   May 2008
    of wildcarded DNAMEs is discouraged in any case [RFC4592].
 
    A validating resolver MUST understand DNAME, according to [RFC4034].
-   In Section 5.3.2 examples are given that illustrate this need.
+   The examples in Section 5.3.4 illustrate this need.
 
 8.  Acknowledgments
 
@@ -762,7 +815,8 @@ Internet-Draft              DNAME Redirection                   May 2008
    beginning this effort to address the issues related to the DNAME RR
    type.  The authors would also like to acknowledge Paul Vixie, Ed
    Lewis, Mark Andrews, Mike StJohns, Niall O'Reilly, Sam Weiler, Alfred
-   Hines and Kevin Darcy for their review and comments on this document.
+   Hoenes and Kevin Darcy for their review and comments on this
+   document.
 
 9.  References
 
@@ -777,24 +831,21 @@ Internet-Draft              DNAME Redirection                   May 2008
    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.
 
-
-
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 14]
-
-Internet-Draft              DNAME Redirection                   May 2008
-
-
    [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
               "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+
+
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 15]
+
+Internet-Draft              DNAME Redirection             September 2009
+
+
               RFC 2136, April 1997.
 
    [RFC2181]  Elz, R. and R. Bush, "Clarifications to the DNS
               Specification", RFC 2181, July 1997.
 
-   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
-              RFC 2671, August 1999.
-
    [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
               specifying the location of services (DNS SRV)", RFC 2782,
               February 2000.
@@ -817,6 +868,10 @@ Internet-Draft              DNAME Redirection                   May 2008
    [RFC4592]  Lewis, E., "The Role of Wildcards in the Domain Name
               System", RFC 4592, July 2006.
 
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
 9.2.  Informative References
 
    [RFC1912]  Barr, D., "Common DNS Operational and Configuration
@@ -836,9 +891,10 @@ Internet-Draft              DNAME Redirection                   May 2008
 
 
 
-Rose & Wijngaards       Expires November 3, 2008               [Page 15]
+
+Rose & Wijngaards        Expires March 28, 2010                [Page 16]
 
-Internet-Draft              DNAME Redirection                   May 2008
+Internet-Draft              DNAME Redirection             September 2009
 
 
 Authors' Addresses
@@ -856,8 +912,8 @@ Authors' Addresses
 
    Wouter Wijngaards
    NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098 VA
+   Science Park 140
+   Amsterdam  1098 XG
    The Netherlands
 
    Phone: +31-20-888-4551
@@ -892,61 +948,6 @@ Authors' Addresses
 
 
 
-Rose & Wijngaards       Expires November 3, 2008               [Page 16]
+Rose & Wijngaards        Expires March 28, 2010                [Page 17]
 
-Internet-Draft              DNAME Redirection                   May 2008
 
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2008).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-Acknowledgement
-
-   Funding for the RFC Editor function is provided by the IETF
-   Administrative Support Activity (IASA).
-
-
-
-
-
-
-
-Rose & Wijngaards       Expires November 3, 2008               [Page 17]
-

From 11144f86dc74531c401f511a331c8c18de53e140 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 25 Sep 2009 01:42:09 +0000
Subject: [PATCH 212/385] silence signed/unsigned comparision warning

---
 lib/dns/dst_api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 70c1fe323e..cdf8a7c09c 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.32 2009/09/24 22:19:08 marka Exp $
+ * $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $
  */
 
 /*! \file */
@@ -1509,7 +1509,7 @@ addsuffix(char *filename, unsigned int len, const char *odirname,
 			     odirname, olen, ofilename, suffix);
 	if (n < 0)
 		return (ISC_R_FAILURE);
-	if (n >= len)
+	if ((unsigned int)n >= len)
 		return (ISC_R_NOSPACE);
 	return (ISC_R_SUCCESS);
 }

From ef830a775010eba69f6d5332aff0bc9ed9d21c55 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 25 Sep 2009 02:44:06 +0000
Subject: [PATCH 213/385] use (char *) for {get,set}sockopt argument

---
 lib/isc/win32/socket.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 459e286f00..10c76ec315 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.78 2009/09/02 18:32:25 each Exp $ */
+/* $Id: socket.c,v 1.79 2009/09/25 02:44:06 marka Exp $ */
 
 /* This code uses functions which are only available on Server 2003 and
  * higher, and Windows XP and higher.
@@ -1689,7 +1689,7 @@ isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		/* 2292bis */
 		if ((pf == AF_INET6)
 		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
-				   (void *)&on, sizeof(on)) < 0)) {
+				   (char *)&on, sizeof(on)) < 0)) {
 			isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "setsockopt(%d, IPV6_RECVPKTINFO) "
@@ -1704,7 +1704,7 @@ isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		/* 2292 */
 		if ((pf == AF_INET6)
 		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
-				   (void *)&on, sizeof(on)) < 0)) {
+				   (char *)&on, sizeof(on)) < 0)) {
 			isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
@@ -1721,7 +1721,7 @@ isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 		if (pf == AF_INET6) {
 			(void)setsockopt(sock->fd, IPPROTO_IPV6,
 					 IPV6_USE_MIN_MTU,
-					 (void *)&on, sizeof(on));
+					 (char *)&on, sizeof(on));
 		}
 #endif
 #endif /* ISC_PLATFORM_HAVEIPV6 */
@@ -1730,11 +1730,11 @@ isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 #if defined(SO_RCVBUF)
 	       optlen = sizeof(size);
 	       if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
-			      (void *)&size, &optlen) >= 0 &&
+			      (char *)&size, &optlen) >= 0 &&
 		    size < RCVBUFSIZE) {
 		       size = RCVBUFSIZE;
 		       (void)setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
-					(void *)&size, sizeof(size));
+					(char *)&size, sizeof(size));
 	       }
 #endif
 
@@ -1990,7 +1990,7 @@ internal_accept(isc_socket_t *sock, IoCompletionInfo *lpo, int accept_errno) {
 	INSIST(result == ISC_R_SUCCESS);
 
 	INSIST(setsockopt(nsock->fd, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT,
-	       (char *)&sock->fd, sizeof(sock->fd)) == 0);
+	                  (char *)&sock->fd, sizeof(sock->fd)) == 0);
 
 	/*
 	 * Hook it up into the manager.
@@ -2096,7 +2096,8 @@ internal_connect(isc_socket_t *sock, IoCompletionInfo *lpo, int connect_errno) {
 					 strbuf);
 		}
 	} else {
-		INSIST(setsockopt(sock->fd, SOL_SOCKET, SO_UPDATE_CONNECT_CONTEXT, NULL, 0) == 0);
+		INSIST(setsockopt(sock->fd, SOL_SOCKET,
+				  SO_UPDATE_CONNECT_CONTEXT, NULL, 0) == 0);
 		cdev->result = ISC_R_SUCCESS;
 		sock->connected = 1;
 		socket_log(__LINE__, sock, &sock->address, IOEVENT,
@@ -3034,7 +3035,7 @@ isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
 	 */
 	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
 	    isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
-	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (char *)&on,
 		       sizeof(on)) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "setsockopt(%d) %s", sock->fd,
@@ -3620,7 +3621,7 @@ isc__socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
 #ifdef IPV6_V6ONLY
 	if (sock->pf == AF_INET6) {
 		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
-				 (void *)&onoff, sizeof(onoff));
+				 (char *)&onoff, sizeof(onoff));
 	}
 #endif
 }

From ff850b81c814787c72e96b162f47a208665814c4 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 25 Sep 2009 05:48:17 +0000
Subject: [PATCH 214/385] 2690.   [bug]           win32: fix
 isc_thread_key_getspecific() prototype.                         [RT #20315]

---
 CHANGES                            | 3 +++
 lib/isc/win32/include/isc/thread.h | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index fc119fd13c..7906b30071 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2690.	[bug]	 	win32: fix isc_thread_key_getspecific() prototype.
+			[RT #20315]
+
 2689.	[bug]		Correctly handle snprintf result. [RT #20306]
 
 2688.	[bug]		Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
index 78e663f457..a463686d51 100644
--- a/lib/isc/win32/include/isc/thread.h
+++ b/lib/isc/win32/include/isc/thread.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.22 2007/06/19 23:47:20 tbox Exp $ */
+/* $Id: thread.h,v 1.23 2009/09/25 05:48:17 marka Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
@@ -90,7 +90,7 @@ int
 isc_thread_key_delete(isc_thread_key_t key);
 
 void *
-isc_thread_key_getspecific(isc_thread_key);
+isc_thread_key_getspecific(isc_thread_key_t);
 
 int
 isc_thread_key_setspecific(isc_thread_key_t key, void *value);

From fb596cc9af28ab5bf71c6796ebd1809654307a08 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 25 Sep 2009 06:47:50 +0000
Subject: [PATCH 215/385] 2691.	[func]		dnssec-signzone: retain the
 existing NSEC or NSEC3 			chain when re-signing a
 previously-signed zone. 			Use -u to modify NSEC3
 parameters or switch 			between NSEC and NSEC3. [RT #20304]

---
 CHANGES                             |   5 +
 bin/dnssec/dnssec-signzone.c        | 175 +++++++++++++++++++++++-----
 bin/dnssec/dnssec-signzone.docbook  |  23 +++-
 bin/tests/system/dnssec/ns3/sign.sh |  12 +-
 4 files changed, 182 insertions(+), 33 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7906b30071..f3926a5c9f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2691.	[func]		dnssec-signzone: retain the existing NSEC or NSEC3
+			chain when re-signing a previously-signed zone.
+			Use -u to modify NSEC3 parameters or switch
+			between NSEC and NSEC3. [RT #20304]
+
 2690.	[bug]	 	win32: fix isc_thread_key_getspecific() prototype.
 			[RT #20315]
 
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d7d170219f..aed0b4b05e 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.234 2009/09/24 04:36:28 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.235 2009/09/25 06:47:50 each Exp $ */
 
 /*! \file */
 
@@ -147,6 +147,10 @@ static dns_dbiterator_t *gdbiter;	/* The database iterator */
 static dns_rdataclass_t gclass;		/* The class */
 static dns_name_t *gorigin;		/* The database origin */
 static int nsec3flags = 0;
+static dns_iterations_t nsec3iter = 100U;
+static unsigned char saltbuf[255];
+static unsigned char *salt = saltbuf;
+static size_t salt_length = 0;
 static isc_task_t *master = NULL;
 static unsigned int ntasks = 0;
 static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
@@ -161,6 +165,7 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
 static unsigned int hash_length = 0;
 static isc_boolean_t unknownalg = ISC_FALSE;
 static isc_boolean_t disable_zone_check = ISC_FALSE;
+static isc_boolean_t update_chain = ISC_FALSE;
 static isc_boolean_t set_keyttl = ISC_FALSE;
 static dns_ttl_t keyttl;
 static isc_boolean_t smartsign = ISC_FALSE;
@@ -2001,8 +2006,8 @@ nsecify(void) {
 			type = rdataset.type;
 			covers = rdataset.covers;
 			dns_rdataset_disassociate(&rdataset);
-			result = dns_db_deleterdataset(gdb, node, gversion, type,
-						       covers);
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
 			check_result(result,
 				     "dns_db_deleterdataset(nsec3param/rrsig)");
 		}
@@ -2019,6 +2024,7 @@ nsecify(void) {
 
 	result = dns_dbiterator_current(dbiter, &node, name);
 	check_dns_dbiterator_current(result);
+
 	/*
 	 * Delete any NSEC3PARAM records at the apex.
 	 */
@@ -2354,6 +2360,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 
 	result = dns_dbiterator_current(dbiter, &node, name);
 	check_dns_dbiterator_current(result);
+
 	/*
 	 * Delete any NSEC records at the apex.
 	 */
@@ -2366,7 +2373,12 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 		type = rdataset.type;
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
-		if (type == dns_rdatatype_nsec || covers == dns_rdatatype_nsec) {
+		if (type == dns_rdatatype_nsec ||
+		    covers == dns_rdatatype_nsec) {
+			if (!update_chain)
+				fatal("Zone contains NSEC records.  Use -u "
+				      "to update to NSEC3.");
+
 			result = dns_db_deleterdataset(gdb, node, gversion,
 						       type, covers);
 			check_result(result,
@@ -3012,6 +3024,100 @@ warnifallksk(dns_db_t *db) {
 	}
 }
 
+static void
+set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
+		isc_boolean_t set_optout, isc_boolean_t set_iter)
+{
+	isc_result_t result;
+	dns_dbversion_t *ver = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	dns_fixedname_t fname;
+	dns_name_t *hashname;
+	unsigned char orig_salt[256];
+	size_t orig_saltlen;
+	dns_hash_t orig_hash;
+	isc_uint16_t orig_iter;
+
+	dns_db_currentversion(gdb, &ver);
+
+	orig_saltlen = sizeof(orig_salt);
+	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL, 
+					   &orig_iter, orig_salt,
+					   &orig_saltlen);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	nsec_datatype = dns_rdatatype_nsec3;
+
+	if (!update_chain && set_salt) {
+		if (salt_length != orig_saltlen ||
+		    memcmp(saltbuf, orig_salt, salt_length) != 0)
+			fatal("An NSEC3 chain exists with a different salt. "
+			      "Use -u to update it.");
+	} else if (!set_salt) {
+		salt_length = orig_saltlen;
+		memcpy(saltbuf, orig_salt, orig_saltlen);
+		salt = saltbuf;
+	}
+
+	if (!update_chain && set_iter) {
+		if (nsec3iter != orig_iter)
+			fatal("An NSEC3 chain exists with different "
+			      "iterations. Use -u to update it.");
+	} else if (!set_iter)
+		nsec3iter = orig_iter;
+
+	/*
+	 * Find an NSEC3 record to get the current OPTOUT value.
+	 * (This assumes all NSEC3 records agree.)
+	 */
+
+	dns_fixedname_init(&fname);
+        hashname = dns_fixedname_name(&fname);
+	result = dns_nsec3_hashname(&fname, NULL, NULL,
+				    gorigin, gorigin, dns_hash_sha1,
+				    orig_iter, orig_salt, orig_saltlen);
+	check_result(result, "dns_nsec3_hashname");
+
+	result = dns_db_findnsec3node(gdb, hashname, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+                goto cleanup;
+
+	result = dns_rdataset_first(&rdataset);
+	check_result(result, "dns_rdataset_first");
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	check_result(result, "dns_rdata_tostruct");
+
+	if (!update_chain && set_optout) {
+		if (nsec3flags != nsec3.flags)
+			fatal("An NSEC3 chain exists with%s OPTOUT. "
+			      "Use -u -%s to %s it.",
+			      OPTOUT(nsec3.flags) ? "" : "out",
+			      OPTOUT(nsec3.flags) ? "AA" : "A",
+			      OPTOUT(nsec3.flags) ? "clear" : "set");
+	} else if (!set_optout)
+		nsec3flags = nsec3.flags;
+
+	dns_rdata_freestruct(&nsec3);
+
+ cleanup:
+        if (dns_rdataset_isassociated(&rdataset))
+                dns_rdataset_disassociate(&rdataset);
+        if (node != NULL)
+                dns_db_detachnode(gdb, &node);
+        dns_db_closeversion(gdb, &ver, ISC_FALSE);
+}
+
 static void
 writeset(const char *prefix, dns_rdatatype_t type) {
 	char *filename;
@@ -3177,9 +3283,9 @@ usage(void) {
 	fprintf(stderr, "Version: %s\n", VERSION);
 
 	fprintf(stderr, "Options: (default value in parenthesis) \n");
-	fprintf(stderr, "\t-S:\tsmart signing: automatically finds key\n"
-			"\t\tfiles for the zone and determines they are to\n"
-			"\t\tbe used\n");
+	fprintf(stderr, "\t-S:\tsmart signing: automatically finds key files\n"
+			"\t\tfor the zone and determines how they are to "
+			"be used\n");
 	fprintf(stderr, "\t-K directory:\n");
 	fprintf(stderr, "\t\tdirectory to find key files (.)\n");
 	fprintf(stderr, "\t-d directory:\n");
@@ -3221,6 +3327,8 @@ usage(void) {
 	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs");
 	fprintf(stderr, "\t-t:\t");
 	fprintf(stderr, "print statistics\n");
+	fprintf(stderr, "\t-u:\t");
+	fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
 	fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
 			"\t\twith older versions of dnssec-signzone -g\n");
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
@@ -3293,14 +3401,14 @@ main(int argc, char *argv[]) {
 	isc_task_t **tasks = NULL;
 	isc_buffer_t b;
 	int len;
-	unsigned int iterations = 100U;
-	const unsigned char *salt = NULL;
-	size_t salt_length = 0;
-	unsigned char saltbuf[255];
 	hashlist_t hashlist;
 	isc_boolean_t make_keyset = ISC_FALSE;
-
-#define CMDLINE_FLAGS "3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tUv:z"
+	isc_boolean_t set_salt = ISC_FALSE;
+	isc_boolean_t set_optout = ISC_FALSE;
+	isc_boolean_t set_iter = ISC_FALSE;
+  
+#define CMDLINE_FLAGS \
+	"3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3340,7 +3448,9 @@ main(int argc, char *argv[]) {
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case '3':
-			if (strcmp(isc_commandline_argument, "-")) {
+			set_salt = ISC_TRUE;
+			nsec_datatype = dns_rdatatype_nsec3;
+			if (strcmp(isc_commandline_argument, "-") != 0) {
 				isc_buffer_t target;
 				char *sarg;
 
@@ -3350,17 +3460,16 @@ main(int argc, char *argv[]) {
 				result = isc_hex_decodestring(sarg, &target);
 				check_result(result,
 					     "isc_hex_decodestring(salt)");
-				salt = saltbuf;
 				salt_length = isc_buffer_usedlength(&target);
-			} else {
-				salt = saltbuf;
-				salt_length = 0;
 			}
-			nsec_datatype = dns_rdatatype_nsec3;
 			break;
 
 		case 'A':
-			nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+			set_optout = ISC_TRUE;
+			if (OPTOUT(nsec3flags))
+				nsec3flags &= ~DNS_NSEC3FLAG_OPTOUT;
+			else
+				nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
 			break;
 
 		case 'a':
@@ -3398,11 +3507,11 @@ main(int argc, char *argv[]) {
 			break;
 
 		case 'H':
-			iterations = strtoul(isc_commandline_argument,
-					     &endp, 0);
+			set_iter = ISC_TRUE;
+			nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
 				fatal("iterations must be numeric");
-			if (iterations > 0xffffU)
+			if (nsec3iter  > 0xffffU)
 				fatal("iterations too big");
 			break;
 
@@ -3504,6 +3613,10 @@ main(int argc, char *argv[]) {
 			unknownalg = ISC_TRUE;
 			break;
 
+		case 'u':
+			update_chain = ISC_TRUE;
+			break;
+
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -3622,7 +3735,8 @@ main(int argc, char *argv[]) {
 		else if (strcasecmp(serialformatstr, "unixtime") == 0)
 			serialformat = SOA_SERIAL_UNIXTIME;
 		else
-			fatal("unknown soa serial format: %s\n", serialformatstr);
+			fatal("unknown soa serial format: %s\n",
+			      serialformatstr);
 	}
 
 	result = dns_master_stylecreate(&dsstyle,  DNS_STYLEFLAG_NO_TTL,
@@ -3639,6 +3753,15 @@ main(int argc, char *argv[]) {
 	if (!set_keyttl)
 		keyttl = soa_ttl;
 
+	/*
+	 * Check for any existing NSEC3 parameters in the zone,
+	 * and use them as defaults if -u was not specified.
+	 */
+	if (update_chain && !set_optout && !set_iter && !set_salt)
+		nsec_datatype = dns_rdatatype_nsec;
+	else
+		set_nsec3params(update_chain, set_salt, set_optout, set_iter);
+
 	if (IS_NSEC3) {
 		isc_boolean_t answer;
 		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
@@ -3769,7 +3892,7 @@ main(int argc, char *argv[]) {
 		unsigned int max;
 		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
 		check_result(result, "dns_nsec3_maxiterations()");
-		if (iterations > max)
+		if (nsec3iter > max)
 			fatal("NSEC3 iterations too big for weakest DNSKEY "
 			      "strength. Maximum iterations allowed %u.", max);
 	}
@@ -3794,7 +3917,7 @@ main(int argc, char *argv[]) {
 	}
 
 	if (IS_NSEC3)
-		nsec3ify(dns_hash_sha1, iterations, salt, salt_length,
+		nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
 			 &hashlist);
 	else
 		nsecify();
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index d6e5bb79a9..75ac03e7dc 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -80,6 +80,7 @@
       
       
       
+      
       
       
       
@@ -515,6 +516,20 @@
         
       
 
+      
+        -u
+        
+          
+            Update NSEC/NSEC3 chain when re-signing a previously signed
+            zone.  With this option, a zone signed with NSEC can be
+            switched to NSEC3, or a zone signed with NSEC3 can
+            be switch to NSEC or to NSEC3 with different parameters.
+            Without this option, dnssec-signzone will
+            retain the existing chain when re-signing.
+          
+        
+      
+
       
         -v level
         
@@ -562,6 +577,12 @@
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
           
+          
+	    Using this option twice (i.e., )
+	    turns the OPTOUT flag off for all records.  This is useful
+	    when using the  option to modify an NSEC3
+	    chain which previously had OPTOUT set.
+          
         
       
 
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 84ebd21c33..cc91ef6213 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.27 2009/06/04 02:56:47 tbox Exp $
+# $Id: sign.sh,v 1.28 2009/09/25 06:47:50 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -213,12 +213,12 @@ cat $infile $keyname.key >$zonefile
 
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -P -3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -P -3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -P -3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -P -3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null

From 1e3c9961bb12a68aad1f4739b5f1bbb644ff1f7c Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 25 Sep 2009 14:30:10 +0000
Subject: [PATCH 216/385] Move dns_rdataset_init() call earlier so "goto
 cleanup" won't trigger an assert in dns_rdataset_isassociated().  (This is
 trivial, I'm going to commit without review.)

---
 bin/dnssec/dnssec-signzone.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index aed0b4b05e..a31ebb502d 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.235 2009/09/25 06:47:50 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.236 2009/09/25 14:30:10 each Exp $ */
 
 /*! \file */
 
@@ -3042,6 +3042,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	isc_uint16_t orig_iter;
 
 	dns_db_currentversion(gdb, &ver);
+	dns_rdataset_init(&rdataset);
 
 	orig_saltlen = sizeof(orig_salt);
 	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL, 
@@ -3086,7 +3087,6 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3,
 				     0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS)

From 67cf78711676473e42d5af93ba036c6e972efb56 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 25 Sep 2009 23:18:21 +0000
Subject: [PATCH 217/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index d8533977db..3e8207276c 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -251,6 +251,7 @@ rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000
 rt20257				new	fdupont	// 2009-09-18 16:53 +0000
 rt20304				new	each	// 2009-09-24 22:57 +0000
+rt20310				new	each	// 2009-09-25 00:29 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 98215f712033f868cc65cc2e54894bf770517883 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 25 Sep 2009 23:30:33 +0000
Subject: [PATCH 218/385] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index e46adde2cf..38b5162af8 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2364,7 +2364,7 @@
 ./lib/isc/win32/include/isc/stdtime.h		C	1999,2000,2001,2004,2005,2007
 ./lib/isc/win32/include/isc/strerror.h		C	2001,2004,2007
 ./lib/isc/win32/include/isc/syslog.h		C	1999,2000,2001,2004,2007
-./lib/isc/win32/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007
+./lib/isc/win32/include/isc/thread.h		C	1998,1999,2000,2001,2004,2005,2007,2009
 ./lib/isc/win32/include/isc/time.h		C	1998,1999,2000,2001,2004,2006,2007,2008,2009
 ./lib/isc/win32/include/isc/win32os.h		C	2002,2004,2007,2009
 ./lib/isc/win32/interfaceiter.c			C	1999,2000,2001,2004,2007,2008,2009

From 627f3e0805e2ee948e1f8c42f2251084aac388e9 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 25 Sep 2009 23:48:13 +0000
Subject: [PATCH 219/385] update copyright notice

---
 bin/dnssec/dnssec-signzone.c       | 20 ++++++++++----------
 lib/isc/win32/include/isc/thread.h | 10 +++++-----
 lib/isc/win32/socket.c             |  4 ++--
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index a31ebb502d..3672947037 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.236 2009/09/25 14:30:10 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.237 2009/09/25 23:48:10 tbox Exp $ */
 
 /*! \file */
 
@@ -3045,7 +3045,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	dns_rdataset_init(&rdataset);
 
 	orig_saltlen = sizeof(orig_salt);
-	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL, 
+	result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL,
 					   &orig_iter, orig_salt,
 					   &orig_saltlen);
 	if (result != ISC_R_SUCCESS)
@@ -3077,7 +3077,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	 */
 
 	dns_fixedname_init(&fname);
-        hashname = dns_fixedname_name(&fname);
+	hashname = dns_fixedname_name(&fname);
 	result = dns_nsec3_hashname(&fname, NULL, NULL,
 				    gorigin, gorigin, dns_hash_sha1,
 				    orig_iter, orig_salt, orig_saltlen);
@@ -3090,7 +3090,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3,
 				     0, 0, &rdataset, NULL);
 	if (result != ISC_R_SUCCESS)
-                goto cleanup;
+		goto cleanup;
 
 	result = dns_rdataset_first(&rdataset);
 	check_result(result, "dns_rdataset_first");
@@ -3111,11 +3111,11 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
 	dns_rdata_freestruct(&nsec3);
 
  cleanup:
-        if (dns_rdataset_isassociated(&rdataset))
-                dns_rdataset_disassociate(&rdataset);
-        if (node != NULL)
-                dns_db_detachnode(gdb, &node);
-        dns_db_closeversion(gdb, &ver, ISC_FALSE);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(gdb, &node);
+	dns_db_closeversion(gdb, &ver, ISC_FALSE);
 }
 
 static void
@@ -3406,7 +3406,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_salt = ISC_FALSE;
 	isc_boolean_t set_optout = ISC_FALSE;
 	isc_boolean_t set_iter = ISC_FALSE;
-  
+
 #define CMDLINE_FLAGS \
 	"3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
 
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
index a463686d51..73759ee23c 100644
--- a/lib/isc/win32/include/isc/thread.h
+++ b/lib/isc/win32/include/isc/thread.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.23 2009/09/25 05:48:17 marka Exp $ */
+/* $Id: thread.h,v 1.24 2009/09/25 23:48:13 tbox Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
@@ -37,18 +37,18 @@ inline BOOL IsValidHandle( HANDLE hHandle) {
 /* validate wait return codes... */
 inline BOOL WaitSucceeded( DWORD dwWaitResult, DWORD dwHandleCount) {
     return ((dwWaitResult >= WAIT_OBJECT_0) &&
-            (dwWaitResult < WAIT_OBJECT_0 + dwHandleCount));
+	    (dwWaitResult < WAIT_OBJECT_0 + dwHandleCount));
 }
 
 inline BOOL WaitAbandoned( DWORD dwWaitResult, DWORD dwHandleCount) {
     return ((dwWaitResult >= WAIT_ABANDONED_0) &&
-            (dwWaitResult < WAIT_ABANDONED_0 + dwHandleCount));
+	    (dwWaitResult < WAIT_ABANDONED_0 + dwHandleCount));
 }
 
 inline BOOL WaitTimeout( DWORD dwWaitResult) {
     return (dwWaitResult == WAIT_TIMEOUT);
 }
-    
+
 inline BOOL WaitFailed( DWORD dwWaitResult) {
     return (dwWaitResult == WAIT_FAILED);
 }
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 10c76ec315..2cd69abfdf 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.79 2009/09/25 02:44:06 marka Exp $ */
+/* $Id: socket.c,v 1.80 2009/09/25 23:48:11 tbox Exp $ */
 
 /* This code uses functions which are only available on Server 2003 and
  * higher, and Windows XP and higher.
@@ -1990,7 +1990,7 @@ internal_accept(isc_socket_t *sock, IoCompletionInfo *lpo, int accept_errno) {
 	INSIST(result == ISC_R_SUCCESS);
 
 	INSIST(setsockopt(nsock->fd, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT,
-	                  (char *)&sock->fd, sizeof(sock->fd)) == 0);
+			  (char *)&sock->fd, sizeof(sock->fd)) == 0);
 
 	/*
 	 * Hook it up into the manager.

From f3d1a0ba5228251d902a6acf3c8b05cb6842f992 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 26 Sep 2009 01:14:51 +0000
Subject: [PATCH 220/385] regen

---
 bin/dnssec/dnssec-signzone.8     | 16 +++++++++++++--
 bin/dnssec/dnssec-signzone.html  | 35 ++++++++++++++++++++++++--------
 doc/arm/man.ddns-confgen.html    | 10 ++++-----
 doc/arm/man.dnssec-signzone.html | 35 ++++++++++++++++++++++++--------
 doc/arm/man.named-checkconf.html | 12 +++++------
 doc/arm/man.named-checkzone.html | 12 +++++------
 doc/arm/man.named.html           | 16 +++++++--------
 doc/arm/man.nsupdate.html        | 14 ++++++-------
 doc/arm/man.rndc-confgen.html    | 12 +++++------
 doc/arm/man.rndc.conf.html       | 12 +++++------
 doc/arm/man.rndc.html            | 12 +++++------
 11 files changed, 116 insertions(+), 70 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index f14bd18b68..b53cde649d 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.52 2009/09/03 01:14:41 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.53 2009/09/26 01:14:51 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -269,6 +269,13 @@ Specifies the TTL to be used for new DNSKEY records imported into the zone from
 Print statistics at completion.
 .RE
 .PP
+\-u
+.RS 4
+Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
+\fBdnssec\-signzone\fR
+will retain the existing chain when re\-signing.
+.RE
+.PP
 \-v \fIlevel\fR
 .RS 4
 Sets the debugging level.
@@ -292,6 +299,11 @@ When generating a NSEC3 chain use this many interations. The default is 100.
 \-A
 .RS 4
 When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.sp
+Using this option twice (i.e.,
+\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
+\fB\-u\fR
+option to modify an NSEC3 chain which previously had OPTOUT set.
 .RE
 .PP
 zonefile
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index c72b702650..18a90ec9dd 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
    
 
    
 
    Synopsis
    
-
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
+
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -304,6 +304,15 @@
 
    
             Print statistics at completion.
           
    
+
    -u
    
+
    
+            Update NSEC/NSEC3 chain when re-signing a previously signed
+            zone.  With this option, a zone signed with NSEC can be
+            switched to NSEC3, or a zone signed with NSEC3 can
+            be switch to NSEC or to NSEC3 with different parameters.
+            Without this option, dnssec-signzone will
+            retain the existing chain when re-signing.
+          
    
 
    -v level
    
 
    
             Sets the debugging level.
@@ -324,11 +333,19 @@
 	    default is 100.
           
    
 
    -A
    
-
    
+
    
+
    
 	    When generating a NSEC3 chain set the OPTOUT flag on all
 	    NSEC3 records and do not generate NSEC3 records for insecure
 	    delegations.
-          
    
+          
    
+
    
+	    Using this option twice (i.e., -AA)
+	    turns the OPTOUT flag off for all records.  This is useful
+	    when using the -u option to modify an NSEC3
+	    chain which previously had OPTOUT set.
+          
    
+
    zonefile

    The file containing the zone to be signed. @@ -344,7 +361,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -373,14 +390,14 @@ db.example.com.signed %

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index ee879410e6..474ff53e37 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -48,7 +48,7 @@

    ddns-confgen [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name | -z zone ] [-q] [name]

    -

    DESCRIPTION

    +

    DESCRIPTION

    ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -75,7 +75,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a algorithm

    @@ -142,7 +142,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    nsupdate(1), named.conf(5), named(8), @@ -150,7 +150,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 4752e5a0c3..7ee4c1a1ab 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -47,10 +47,10 @@

    Synopsis

    -

    dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

    +

    dnssec-signzone [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]

    -

    DESCRIPTION

    +

    DESCRIPTION

    dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a

    @@ -322,6 +322,15 @@

    Print statistics at completion.

    +
    -u
    +

    + Update NSEC/NSEC3 chain when re-signing a previously signed + zone. With this option, a zone signed with NSEC can be + switched to NSEC3, or a zone signed with NSEC3 can + be switch to NSEC or to NSEC3 with different parameters. + Without this option, dnssec-signzone will + retain the existing chain when re-signing. +

    -v level

    Sets the debugging level. @@ -342,11 +351,19 @@ default is 100.

    -A
    -

    +

    +

    When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. -

    +

    +

    + Using this option twice (i.e., -AA) + turns the OPTOUT flag off for all records. This is useful + when using the -u option to modify an NSEC3 + chain which previously had OPTOUT set. +

    +
    zonefile

    The file containing the zone to be signed. @@ -362,7 +379,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

    The following command signs the example.com zone with the DSA key generated by dnssec-keygen @@ -391,14 +408,14 @@ db.example.com.signed %

    -

    SEE ALSO

    +

    SEE ALSO

    dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 4033.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 62c38ef0c5..745faebe11 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,14 +50,14 @@

    named-checkconf [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkconf checks the syntax, but not the semantics, of a named configuration file.

    -

    OPTIONS

    +

    OPTIONS

    -h

    @@ -96,21 +96,21 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), named-checkzone(8), BIND 9 Administrator Reference Manual.

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index b90b4dee49..c520f33bca 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -51,7 +51,7 @@

    named-compilezone [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}

    -

    DESCRIPTION

    +

    DESCRIPTION

    named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -d

    @@ -257,14 +257,14 @@

    -

    RETURN VALUES

    +

    RETURN VALUES

    named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.

    -

    SEE ALSO

    +

    SEE ALSO

    named(8), named-checkconf(8), RFC 1035, @@ -272,7 +272,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index af7c350c64..5bb57709a9 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    named [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]

    -

    DESCRIPTION

    +

    DESCRIPTION

    named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -4

    @@ -238,7 +238,7 @@

    -

    SIGNALS

    +

    SIGNALS

    In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -259,7 +259,7 @@

    -

    CONFIGURATION

    +

    CONFIGURATION

    The named configuration file is too complex to describe in detail here. A complete description is provided @@ -276,7 +276,7 @@

    -

    FILES

    +

    FILES

    /etc/named.conf

    @@ -289,7 +289,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC 1033, RFC 1034, RFC 1035, @@ -302,7 +302,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 0e93dc5ec1..0ba9f0eab4 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    nsupdate [-d] [-D] [[-g] | [-o] | [-l] | [-y [hmac:]keyname:secret] | [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]

    -

    DESCRIPTION

    +

    DESCRIPTION

    nsupdate is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. @@ -205,7 +205,7 @@

    -

    INPUT FORMAT

    +

    INPUT FORMAT

    nsupdate reads input from filename @@ -469,7 +469,7 @@

    -

    EXAMPLES

    +

    EXAMPLES

    The examples below show how nsupdate @@ -523,7 +523,7 @@

    -

    FILES

    +

    FILES

    /etc/resolv.conf

    @@ -546,7 +546,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    RFC2136, RFC3007, RFC2104, @@ -560,7 +560,7 @@

    -

    BUGS

    +

    BUGS

    The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 11c394d911..4c29cdcaa6 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -a
    @@ -173,7 +173,7 @@
    -

    EXAMPLES

    +

    EXAMPLES

    To allow rndc to be used with no manual configuration, run @@ -190,7 +190,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc.conf(5), named(8), @@ -198,7 +198,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 5c767aee49..6df266ca9f 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    rndc.conf

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@

    -

    EXAMPLE

    +

    EXAMPLE

           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
    -

    NAME SERVER CONFIGURATION

    +

    NAME SERVER CONFIGURATION

    The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf @@ -219,7 +219,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc(8), rndc-confgen(8), mmencode(1), @@ -227,7 +227,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 93bcb263e5..41c61cf092 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -50,7 +50,7 @@

    rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}

    -

    DESCRIPTION

    +

    DESCRIPTION

    rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@

    -

    OPTIONS

    +

    OPTIONS

    -b source-address

    @@ -151,7 +151,7 @@

    -

    LIMITATIONS

    +

    LIMITATIONS

    rndc does not yet support all the commands of the BIND 8 ndc utility. @@ -165,7 +165,7 @@

    -

    SEE ALSO

    +

    SEE ALSO

    rndc.conf(5), rndc-confgen(8), named(8), @@ -175,7 +175,7 @@

    -

    AUTHOR

    +

    AUTHOR

    Internet Systems Consortium

    From a4720d523ebc3cae621517b538af5ac911f7cb20 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 26 Sep 2009 23:18:17 +0000 Subject: [PATCH 221/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 3e8207276c..1e61b3cb66 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -249,6 +249,7 @@ rt20230 new fdupont // 2009-09-19 22:45 +0000 rt20236 new fdupont // 2009-09-19 22:34 +0000 rt20247 new each // 2009-09-11 03:22 +0000 rt20253 new sar // 2009-09-11 22:17 +0000 +rt20256 new fdupont // 2009-09-26 11:02 +0000 rt20257 new fdupont // 2009-09-18 16:53 +0000 rt20304 new each // 2009-09-24 22:57 +0000 rt20310 new each // 2009-09-25 00:29 +0000 From 242ba12742b030f63f954c93244cb51bffbb7fb7 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Mon, 28 Sep 2009 23:18:51 +0000 Subject: [PATCH 222/385] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index 1e61b3cb66..a4984404d8 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -250,7 +250,9 @@ rt20236 new fdupont // 2009-09-19 22:34 +0000 rt20247 new each // 2009-09-11 03:22 +0000 rt20253 new sar // 2009-09-11 22:17 +0000 rt20256 new fdupont // 2009-09-26 11:02 +0000 +rt20256a new fdupont // 2009-09-28 10:50 +0000 rt20257 new fdupont // 2009-09-18 16:53 +0000 +rt20257a new fdupont // 2009-09-28 08:58 +0000 rt20304 new each // 2009-09-24 22:57 +0000 rt20310 new each // 2009-09-25 00:29 +0000 shane_dbbackend open From 1e733ffc1103667dd6cf0eae01f5dfd0c84c5108 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 29 Sep 2009 04:38:23 +0000 Subject: [PATCH 223/385] 2792. [port] win32: 32/64 bit cleanups. [RT #128244] --- CHANGES | 2 ++ bin/win32/BINDInstall/AccountInfo.cpp | 8 ++++---- bin/win32/BINDInstall/BINDInstall.cpp | 4 ++-- bin/win32/BINDInstall/BINDInstallDlg.cpp | 6 +++--- lib/isc/win32/include/isc/thread.h | 4 ++-- lib/isc/win32/ntgroups.c | 4 ++-- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index f3926a5c9f..62018c56dd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2792. [port] win32: 32/64 bit cleanups. [RT #128244] + 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 chain when re-signing a previously-signed zone. Use -u to modify NSEC3 parameters or switch diff --git a/bin/win32/BINDInstall/AccountInfo.cpp b/bin/win32/BINDInstall/AccountInfo.cpp index 5b28a2362d..7503e90d3b 100644 --- a/bin/win32/BINDInstall/AccountInfo.cpp +++ b/bin/win32/BINDInstall/AccountInfo.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: AccountInfo.cpp,v 1.8 2007/06/19 23:47:07 tbox Exp $ */ +/* $Id: AccountInfo.cpp,v 1.9 2009/09/29 04:37:08 marka Exp $ */ #ifndef UNICODE #define UNICODE @@ -183,8 +183,8 @@ CreateServiceAccount(char *name, char *password) { DWORD dwError = 0; NET_API_STATUS nStatus; - unsigned int namelen = strlen(name); - unsigned int passwdlen = strlen(password); + size_t namelen = strlen(name); + size_t passwdlen = strlen(password); wchar_t AccountName[MAX_NAME_LENGTH]; wchar_t AccountPassword[MAX_NAME_LENGTH]; @@ -251,7 +251,7 @@ AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) { void InitLsaString(PLSA_UNICODE_STRING LsaString, LPWSTR String){ - DWORD StringLength; + size_t StringLength; if (String == NULL) { LsaString->Buffer = NULL; diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp index f9dc5bcac1..3d430e1c3c 100644 --- a/bin/win32/BINDInstall/BINDInstall.cpp +++ b/bin/win32/BINDInstall/BINDInstall.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstall.cpp,v 1.7 2007/06/19 23:47:07 tbox Exp $ */ +/* $Id: BINDInstall.cpp,v 1.8 2009/09/29 04:37:08 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -88,7 +88,7 @@ BOOL CBINDInstallApp::InitInstance() CBINDInstallDlg dlg; m_pMainWnd = &dlg; - int nResponse = dlg.DoModal(); + INT_PTR nResponse = dlg.DoModal(); if (nResponse == IDOK) { // TODO: Place code here to handle when the dialog is diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index a09766418f..7fd50d6821 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstallDlg.cpp,v 1.44 2009/09/01 06:51:47 marka Exp $ */ +/* $Id: BINDInstallDlg.cpp,v 1.45 2009/09/29 04:37:08 marka Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation @@ -238,7 +238,7 @@ BOOL CBINDInstallDlg::OnInitDialog() { char *fptr = &filename[0]; GetModuleFileName(NULL, filename, MAX_PATH); char *dptr = strrchr(filename,'\\'); - int index = dptr - fptr; + size_t index = dptr - fptr; strncpy(dirname, filename, index); dirname[index] = '\0'; CString Dirname(dirname); @@ -970,7 +970,7 @@ void CBINDInstallDlg::RegisterMessages() { /* Add the Event-ID message-file name to the subkey. */ if (RegSetValueEx(hKey, "EventMessageFile", 0, REG_EXPAND_SZ, - (LPBYTE)pszMsgDLL, strlen(pszMsgDLL) + 1) != ERROR_SUCCESS) + (LPBYTE)pszMsgDLL, (DWORD)(strlen(pszMsgDLL) + 1)) != ERROR_SUCCESS) throw(Exception(IDS_ERR_SET_VALUE, GetErrMessage())); /* Set the supported types flags and addit to the subkey. */ diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h index 73759ee23c..2eb923b2e6 100644 --- a/lib/isc/win32/include/isc/thread.h +++ b/lib/isc/win32/include/isc/thread.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: thread.h,v 1.24 2009/09/25 23:48:13 tbox Exp $ */ +/* $Id: thread.h,v 1.25 2009/09/29 04:37:08 marka Exp $ */ #ifndef ISC_THREAD_H #define ISC_THREAD_H 1 @@ -65,7 +65,7 @@ inline DWORD WaitAbandonedIndex( DWORD dwWaitResult) { typedef HANDLE isc_thread_t; -typedef unsigned int isc_threadresult_t; +typedef DWORD isc_threadresult_t; typedef void * isc_threadarg_t; typedef isc_threadresult_t (WINAPI *isc_threadfunc_t)(isc_threadarg_t); typedef DWORD isc_thread_key_t; diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c index 351adc5e74..9c3d5acc15 100644 --- a/lib/isc/win32/ntgroups.c +++ b/lib/isc/win32/ntgroups.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ntgroups.c,v 1.10 2007/06/19 23:47:19 tbox Exp $ */ +/* $Id: ntgroups.c,v 1.11 2009/09/29 04:37:08 marka Exp $ */ /* * The NT Groups have two groups that are not well documented and are @@ -63,7 +63,7 @@ isc_ntsecurity_getaccountgroups(char *username, char **GroupList, DWORD dwTotalEntries = 0; NET_API_STATUS nStatus; DWORD dwTotalCount = 0; - int retlen; + size_t retlen; wchar_t user[MAX_NAME_LENGTH]; retlen = mbstowcs(user, username, MAX_NAME_LENGTH); From debd489a44363870f96f75818e89ec27d3cab736 Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Tue, 29 Sep 2009 15:06:07 +0000 Subject: [PATCH 224/385] noreturn RT #20257 --- CHANGES | 4 +++- bin/check/named-checkconf.c | 5 ++++- bin/check/named-checkzone.c | 5 ++++- bin/confgen/ddns-confgen.c | 5 ++++- bin/confgen/rndc-confgen.c | 5 ++++- bin/confgen/util.h | 8 +++++--- bin/dig/dig.c | 5 ++++- bin/dig/host.c | 5 ++++- bin/dig/include/dig/dig.h | 7 ++++--- bin/dnssec/dnssec-dsfromkey.c | 5 ++++- bin/dnssec/dnssec-keyfromlabel.c | 5 ++++- bin/dnssec/dnssec-keygen.c | 5 ++++- bin/dnssec/dnssec-revoke.c | 5 ++++- bin/dnssec/dnssec-settime.c | 5 ++++- bin/dnssec/dnssec-signzone.c | 5 ++++- bin/dnssec/dnssectool.h | 7 ++++--- bin/named/include/named/main.h | 7 ++++--- bin/named/main.c | 11 ++++++++--- bin/named/server.c | 6 +++--- bin/nsupdate/nsupdate.c | 8 +++++--- bin/rndc/rndc.c | 5 ++++- bin/rndc/util.h | 8 +++++--- bin/tools/nsec3hash.c | 5 ++++- configure.in | 16 +++++++++++++++- lib/dns/include/dns/rbt.h | 4 ++-- lib/export/samples/nsprobe.c | 7 +++++-- lib/export/samples/sample-async.c | 7 +++++-- lib/export/samples/sample-request.c | 7 +++++-- lib/export/samples/sample-update.c | 7 +++++-- lib/export/samples/sample.c | 7 +++++-- lib/isc/assertions.c | 23 +++++++++++++++-------- lib/isc/include/isc/assertions.h | 6 ++++-- lib/isc/include/isc/error.h | 7 ++++--- lib/isc/include/isc/platform.h.in | 8 +++++++- lib/isc/include/isc/refcount.h | 6 +++--- lib/isc/win32/include/isc/platform.h | 8 +++++++- lib/isc/win32/libisc.def | 2 +- 37 files changed, 180 insertions(+), 71 deletions(-) diff --git a/CHANGES b/CHANGES index 62018c56dd..44304cf062 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,6 @@ -2792. [port] win32: 32/64 bit cleanups. [RT #128244] +2793. [port] Add some noreturn attributes. [RT #20257] + +2792. [port] win32: 32/64 bit cleanups. [RT #20335] 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 chain when re-signing a previously-signed zone. diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index 51c40704e9..3ef766cc84 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkconf.c,v 1.49 2009/07/13 06:57:21 marka Exp $ */ +/* $Id: named-checkconf.c,v 1.50 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -59,6 +59,9 @@ isc_log_t *logc = NULL; } while (0) /*% usage */ +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] " diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c index 88f3347480..c36152b3e9 100644 --- a/bin/check/named-checkzone.c +++ b/bin/check/named-checkzone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named-checkzone.c,v 1.54 2009/05/29 02:14:31 marka Exp $ */ +/* $Id: named-checkzone.c,v 1.55 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -70,6 +70,9 @@ static enum { progmode_check, progmode_compile } progmode; } \ } while (0) +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c index c2ec61e1dc..44f9c27dfc 100644 --- a/bin/confgen/ddns-confgen.c +++ b/bin/confgen/ddns-confgen.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ddns-confgen.c,v 1.8 2009/07/29 17:52:00 each Exp $ */ +/* $Id: ddns-confgen.c,v 1.9 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -60,6 +60,9 @@ const char *progname; isc_boolean_t verbose = ISC_FALSE; +ISC_PLATFORM_NORETURN_PRE static void +usage(int status) ISC_PLATFORM_NORETURN_POST; + static void usage(int status) { diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index 33647eea1e..cea8cc7da7 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc-confgen.c,v 1.4 2009/06/15 23:47:59 tbox Exp $ */ +/* $Id: rndc-confgen.c,v 1.5 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -69,6 +69,9 @@ isc_boolean_t verbose = ISC_FALSE; const char *keyfile, *keydef; +ISC_PLATFORM_NORETURN_PRE static void +usage(int status) ISC_PLATFORM_NORETURN_POST; + static void usage(int status) { diff --git a/bin/confgen/util.h b/bin/confgen/util.h index 89a09d7ca7..f3b2ec9dee 100644 --- a/bin/confgen/util.h +++ b/bin/confgen/util.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */ +/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */ #ifndef RNDC_UTIL_H #define RNDC_UTIL_H 1 @@ -22,6 +22,7 @@ /*! \file */ #include +#include #include @@ -42,8 +43,9 @@ ISC_LANG_BEGINDECLS void notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2); -void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +ISC_PLATFORM_NORETURN_PRE void +fatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; ISC_LANG_ENDDECLS diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 66e76e4f98..884cc95388 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.231 2009/09/23 06:21:36 each Exp $ */ +/* $Id: dig.c,v 1.232 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -138,6 +138,9 @@ print_usage(FILE *fp) { " [ host [@local-server] {local-d-opt} [...]]\n", fp); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { print_usage(stderr); diff --git a/bin/dig/host.c b/bin/dig/host.c index a278a3df81..6a00cfce32 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: host.c,v 1.119 2009/09/08 23:23:22 marka Exp $ */ +/* $Id: host.c,v 1.120 2009/09/29 15:06:05 fdupont Exp $ */ /*! \file */ @@ -141,6 +141,9 @@ rcode_totext(dns_rcode_t rcode) return totext.deconsttext; } +ISC_PLATFORM_NORETURN_PRE static void +show_usage(void) ISC_PLATFORM_NORETURN_POST; + static void show_usage(void) { fputs( diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h index d463afb35f..5ac1d30e60 100644 --- a/bin/dig/include/dig/dig.h +++ b/bin/dig/include/dig/dig.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.h,v 1.110 2009/09/15 23:48:09 tbox Exp $ */ +/* $Id: dig.h,v 1.111 2009/09/29 15:06:06 fdupont Exp $ */ #ifndef DIG_H #define DIG_H @@ -292,8 +292,9 @@ isc_result_t get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int, isc_boolean_t strict); -void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +ISC_PLATFORM_NORETURN_PRE void +fatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; void debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 9b1b55a8b7..9a89b56965 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-dsfromkey.c,v 1.13 2009/09/01 00:22:24 jinmei Exp $ */ +/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -282,6 +282,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside, putchar('\n'); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 8baa19870b..370b02a5e9 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.15 2009/09/23 16:01:56 each Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.16 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -51,6 +51,9 @@ int verbose; static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" " NSEC3DSA | NSEC3RSASHA1"; +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 5cdf108e2b..86d8bbdee1 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.96 2009/09/23 16:01:56 each Exp $ */ +/* $Id: dnssec-keygen.c,v 1.97 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -73,6 +73,9 @@ dsa_size_ok(int size) { return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0)); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 2b484ad9eb..7f2f6d301c 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-revoke.c,v 1.12 2009/09/23 16:01:56 each Exp $ */ +/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -46,6 +46,9 @@ int verbose; static isc_mem_t *mctx = NULL; +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 848ac1550b..ff323c337d 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.13 2009/09/23 16:01:56 each Exp $ */ +/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -48,6 +48,9 @@ int verbose; static isc_mem_t *mctx = NULL; +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 3672947037..4e9ed94983 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.237 2009/09/25 23:48:10 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.238 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -3273,6 +3273,9 @@ print_version(FILE *fp) { fprintf(fp, "; dnssec_signzone version " VERSION "\n"); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void usage(void) { fprintf(stderr, "Usage:\n"); diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index df714e703b..40213bcfd8 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.h,v 1.25 2009/09/04 02:31:29 marka Exp $ */ +/* $Id: dnssectool.h,v 1.26 2009/09/29 15:06:06 fdupont Exp $ */ #ifndef DNSSECTOOL_H #define DNSSECTOOL_H 1 @@ -27,8 +27,9 @@ typedef void (fatalcallback_t)(void); -void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +ISC_PLATFORM_NORETURN_PRE void +fatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; void setfatalcallback(fatalcallback_t *callback); diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h index e834539467..d91dd39871 100644 --- a/bin/named/include/named/main.h +++ b/bin/named/include/named/main.h @@ -15,15 +15,16 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: main.h,v 1.16 2009/09/29 15:06:06 fdupont Exp $ */ #ifndef NAMED_MAIN_H #define NAMED_MAIN_H 1 /*! \file */ -void -ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +ISC_PLATFORM_NORETURN_PRE void +ns_main_earlyfatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; void ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); diff --git a/bin/named/main.c b/bin/named/main.c index b0f0514133..c6a640dd95 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.173 2009/09/01 18:40:25 jinmei Exp $ */ +/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -138,6 +138,10 @@ ns_main_earlyfatal(const char *format, ...) { exit(1); } +ISC_PLATFORM_NORETURN_PRE static void +assertion_failed(const char *file, int line, isc_assertiontype_t type, + const char *cond) ISC_PLATFORM_NORETURN_POST; + static void assertion_failed(const char *file, int line, isc_assertiontype_t type, const char *cond) @@ -207,9 +211,10 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type, exit(1); } -static void +ISC_PLATFORM_NORETURN_PRE static void library_fatal_error(const char *file, int line, const char *format, - va_list args) ISC_FORMAT_PRINTF(3, 0); + va_list args) +ISC_FORMAT_PRINTF(3, 0) ISC_PLATFORM_NORETURN_POST; static void library_fatal_error(const char *file, int line, const char *format, diff --git a/bin/named/server.c b/bin/named/server.c index 4258ee9dcc..4f81a99361 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.548 2009/09/10 01:49:29 each Exp $ */ +/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -243,8 +243,8 @@ static const struct { { NULL, ISC_FALSE } }; -static void -fatal(const char *msg, isc_result_t result); +ISC_PLATFORM_NORETURN_PRE static void +fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST; static void ns_server_reload(isc_task_t *task, isc_event_t *event); diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index c62a8418bf..a24590ad54 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsupdate.c,v 1.172 2009/09/01 00:22:25 jinmei Exp $ */ +/* $Id: nsupdate.c,v 1.173 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -181,8 +181,10 @@ typedef struct nsu_requestinfo { static void sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, dns_message_t *msg, dns_request_t **request); -static void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); + +ISC_PLATFORM_NORETURN_PRE static void +fatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; static void debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index 532ce901f7..6ea6355606 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rndc.c,v 1.125 2009/05/04 17:38:56 jreed Exp $ */ +/* $Id: rndc.c,v 1.126 2009/09/29 15:06:06 fdupont Exp $ */ /*! \file */ @@ -90,6 +90,9 @@ static isc_uint32_t serial; static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task); +ISC_PLATFORM_NORETURN_PRE static void +usage(int status) ISC_PLATFORM_NORETURN_POST; + static void usage(int status) { fprintf(stderr, "\ diff --git a/bin/rndc/util.h b/bin/rndc/util.h index 7adcaa5bfa..14b011ba52 100644 --- a/bin/rndc/util.h +++ b/bin/rndc/util.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.h,v 1.10 2007/06/19 23:46:59 tbox Exp $ */ +/* $Id: util.h,v 1.11 2009/09/29 15:06:06 fdupont Exp $ */ #ifndef RNDC_UTIL_H #define RNDC_UTIL_H 1 @@ -23,6 +23,7 @@ /*! \file */ #include +#include #include @@ -43,8 +44,9 @@ ISC_LANG_BEGINDECLS void notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2); -void -fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2); +ISC_PLATFORM_NORETURN_PRE void +fatal(const char *format, ...) +ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; ISC_LANG_ENDDECLS diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c index 65bddf6fec..13702674eb 100644 --- a/bin/tools/nsec3hash.c +++ b/bin/tools/nsec3hash.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3hash.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */ +/* $Id: nsec3hash.c,v 1.5 2009/09/29 15:06:06 fdupont Exp $ */ #include @@ -36,6 +36,9 @@ const char *program = "nsec3hash"; +ISC_PLATFORM_NORETURN_PRE static void +fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST; + static void fatal(const char *format, ...) { va_list args; diff --git a/configure.in b/configure.in index 6a2741ff3e..73c4477935 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.479 $) +AC_REVISION($Revision: 1.480 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -338,6 +338,20 @@ AC_TRY_COMPILE([],[long long i = 0; return (0);], ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"]) AC_SUBST(ISC_PLATFORM_HAVELONGLONG) +# +# check for GCC noreturn attribute +# +AC_MSG_CHECKING(for GCC noreturn attribute) +AC_TRY_COMPILE([],[void foo() __attribute__((noreturn));], + [AC_MSG_RESULT(yes) + ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" + ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))"], + [AC_MSG_RESULT(no) + ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" + ISC_PLATFORM_NORETURN="#define ISC_PLATFORM_NORETURN_POST"]) +AC_SUBST(ISC_PLATFORM_NORETURN_PRE) +AC_SUBST(ISC_PLATFORM_NORETURN_POST) + # # check if we have lifconf # diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h index bd11f40b13..a33bda4d34 100644 --- a/lib/dns/include/dns/rbt.h +++ b/lib/dns/include/dns/rbt.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbt.h,v 1.73 2009/01/17 23:47:43 tbox Exp $ */ +/* $Id: rbt.h,v 1.74 2009/09/29 15:06:06 fdupont Exp $ */ #ifndef DNS_RBT_H #define DNS_RBT_H 1 @@ -909,7 +909,7 @@ dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name); } while (0) #else /* DNS_RBT_USEISCREFCOUNT */ #define dns_rbtnode_refinit(node, n) ((node)->references = (n)) -#define dns_rbtnode_refdestroy(node) (REQUIRE((node)->references == 0)) +#define dns_rbtnode_refdestroy(node) REQUIRE((node)->references == 0) #define dns_rbtnode_refcurrent(node) ((node)->references) #define dns_rbtnode_refincrement0(node, refs) \ do { \ diff --git a/lib/export/samples/nsprobe.c b/lib/export/samples/nsprobe.c index e706e29023..1fc364c9d0 100644 --- a/lib/export/samples/nsprobe.c +++ b/lib/export/samples/nsprobe.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsprobe.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: nsprobe.c,v 1.5 2009/09/29 15:06:06 fdupont Exp $ */ #include @@ -1015,8 +1015,11 @@ probe_domain(struct probe_trans *trans) { return (result); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void -usage() { +usage(void) { fprintf(stderr, "usage: nsprobe [-d] [-v [-v...]] [-c cache_address] " "[input_file]\n"); diff --git a/lib/export/samples/sample-async.c b/lib/export/samples/sample-async.c index 014b6a65d0..e646e795e9 100644 --- a/lib/export/samples/sample-async.c +++ b/lib/export/samples/sample-async.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sample-async.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: sample-async.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ #include @@ -247,8 +247,11 @@ dispatch_query(struct query_trans *trans) { return (result); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void -usage() { +usage(void) { fprintf(stderr, "usage: sample-async [-s server_address] [-t RR type] " "input_file\n"); diff --git a/lib/export/samples/sample-request.c b/lib/export/samples/sample-request.c index 4d7d2fc9ef..d5d2312e30 100644 --- a/lib/export/samples/sample-request.c +++ b/lib/export/samples/sample-request.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sample-request.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: sample-request.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ #include @@ -57,8 +57,11 @@ static isc_mem_t *mctx; static dns_fixedname_t fixedqname; +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void -usage() { +usage(void) { fprintf(stderr, "sample-request [-t RRtype] server_address hostname\n"); exit(1); diff --git a/lib/export/samples/sample-update.c b/lib/export/samples/sample-update.c index c614e77c6e..7357106e7f 100644 --- a/lib/export/samples/sample-update.c +++ b/lib/export/samples/sample-update.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sample-update.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: sample-update.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ #include @@ -67,8 +67,11 @@ static void update_addordelete(isc_mem_t *mctx, char *cmdline, isc_boolean_t isdelete, dns_name_t *name); static void evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name); +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void -usage() { +usage(void) { fprintf(stderr, "sample-update " "[-a auth_server] " "[-k keyfile] " diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c index f547e893e9..7fc6a303ff 100644 --- a/lib/export/samples/sample.c +++ b/lib/export/samples/sample.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sample.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: sample.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */ #include @@ -78,8 +78,11 @@ printdata(dns_rdataset_t *rdataset, dns_name_t *owner) { return (ISC_R_SUCCESS); } +ISC_PLATFORM_NORETURN_PRE static void +usage(void) ISC_PLATFORM_NORETURN_POST; + static void -usage() { +usage(void) { fprintf(stderr, "sample [-t RRtype] " "[[-a algorithm] [-e] -k keyname -K keystring] " "[-s domain:serveraddr_for_domain ] " diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c index 368e90052c..31c4fe7c9f 100644 --- a/lib/isc/assertions.c +++ b/lib/isc/assertions.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: assertions.c,v 1.25 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: assertions.c,v 1.26 2009/09/29 15:06:07 fdupont Exp $ */ /*! \file */ @@ -39,24 +39,33 @@ /*% * Forward. */ -/* coverity[+kill] */ static void default_callback(const char *, int, isc_assertiontype_t, const char *); +static isc_assertioncallback_t isc_assertion_failed_cb = default_callback; + /*% * Public. */ -LIBISC_EXTERNAL_DATA isc_assertioncallback_t isc_assertion_failed = - default_callback; +/*% assertion failed handler */ +/* coverity[+kill] */ +void +isc_assertion_failed(const char *file, int line, isc_assertiontype_t type, + const char *cond) +{ + isc_assertion_failed_cb(file, line, type, cond); + abort(); + /* NOTREACHED */ +} /*% Set callback. */ void isc_assertion_setcallback(isc_assertioncallback_t cb) { if (cb == NULL) - isc_assertion_failed = default_callback; + isc_assertion_failed_cb = default_callback; else - isc_assertion_failed = cb; + isc_assertion_failed_cb = cb; } /*% Type to Text */ @@ -127,6 +136,4 @@ default_callback(const char *file, int line, isc_assertiontype_t type, } } fflush(stderr); - abort(); - /* NOTREACHED */ } diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h index b031152169..26d3fa1dbe 100644 --- a/lib/isc/include/isc/assertions.h +++ b/lib/isc/include/isc/assertions.h @@ -16,7 +16,7 @@ */ /* - * $Id: assertions.h,v 1.26 2008/10/15 23:47:31 tbox Exp $ + * $Id: assertions.h,v 1.27 2009/09/29 15:06:07 fdupont Exp $ */ /*! \file isc/assertions.h */ @@ -41,7 +41,9 @@ typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t, const char *); /* coverity[+kill] */ -LIBISC_EXTERNAL_DATA extern isc_assertioncallback_t isc_assertion_failed; +ISC_PLATFORM_NORETURN_PRE +void isc_assertion_failed(const char *, int, isc_assertiontype_t, + const char *) ISC_PLATFORM_NORETURN_POST; void isc_assertion_setcallback(isc_assertioncallback_t); diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h index efb9b5f3a1..160b549b1e 100644 --- a/lib/isc/include/isc/error.h +++ b/lib/isc/include/isc/error.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: error.h,v 1.20 2007/06/19 23:47:18 tbox Exp $ */ +/* $Id: error.h,v 1.21 2009/09/29 15:06:07 fdupont Exp $ */ #ifndef ISC_ERROR_H #define ISC_ERROR_H 1 @@ -26,6 +26,7 @@ #include #include +#include ISC_LANG_BEGINDECLS @@ -45,9 +46,9 @@ isc_error_unexpected(const char *, int, const char *, ...) ISC_FORMAT_PRINTF(3, 4); /*% fatal error */ -void +ISC_PLATFORM_NORETURN_PRE void isc_error_fatal(const char *, int, const char *, ...) - ISC_FORMAT_PRINTF(3, 4); +ISC_FORMAT_PRINTF(3, 4) ISC_PLATFORM_NORETURN_POST; /*% runtimecheck error */ void diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in index ef49d3298d..eb2ff0bfad 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h.in,v 1.52 2009/09/01 18:40:25 jinmei Exp $ */ +/* $Id: platform.h.in,v 1.53 2009/09/29 15:06:07 fdupont Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 @@ -294,6 +294,12 @@ */ @ISC_PLATFORM_OPENSSLHASH@ +/* + * Defines for the noreturn attribute. + */ +@ISC_PLATFORM_NORETURN_PRE@ +@ISC_PLATFORM_NORETURN_POST@ + /*** *** Windows dll support. ***/ diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h index 6ab14ae732..98086b71a8 100644 --- a/lib/isc/include/isc/refcount.h +++ b/lib/isc/include/isc/refcount.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: refcount.h,v 1.15 2007/06/19 23:47:18 tbox Exp $ */ +/* $Id: refcount.h,v 1.16 2009/09/29 15:06:07 fdupont Exp $ */ #ifndef ISC_REFCOUNT_H #define ISC_REFCOUNT_H 1 @@ -103,7 +103,7 @@ typedef struct isc_refcount { isc_int32_t refs; } isc_refcount_t; -#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0)) +#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0) #define isc_refcount_current(rp) ((unsigned int)((rp)->refs)) #define isc_refcount_increment0(rp, tp) \ @@ -192,7 +192,7 @@ typedef struct isc_refcount { int refs; } isc_refcount_t; -#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0)) +#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0) #define isc_refcount_current(rp) ((unsigned int)((rp)->refs)) #define isc_refcount_increment0(rp, tp) \ diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h index 3e23fe2b87..b9c0c26d50 100644 --- a/lib/isc/win32/include/isc/platform.h +++ b/lib/isc/win32/include/isc/platform.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h,v 1.17 2008/12/01 03:51:47 marka Exp $ */ +/* $Id: platform.h,v 1.18 2009/09/29 15:06:07 fdupont Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 @@ -63,6 +63,12 @@ */ #undef ISC_PLATFORM_HAVESYSUNH +/* + * Defines for the noreturn attribute. + */ +#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn) +#define ISC_PLATFORM_NORETURN_POST + /* * Set up a macro for importing and exporting from the DLL */ diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def index 4133c419c6..c1eebe4011 100644 --- a/lib/isc/win32/libisc.def +++ b/lib/isc/win32/libisc.def @@ -48,6 +48,7 @@ isc__app_run isc__app_shutdown isc__app_start isc__app_unblock +isc_assertion_failed isc_assertion_setcallback isc_assertion_typetotext isc_backtrace_getsymbol @@ -552,7 +553,6 @@ syslog EXPORTS -isc_assertion_failed DATA isc_commandline_argument DATA isc_commandline_errprint DATA isc_commandline_index DATA From c300f45d7bc762ed7fc0784751ad08a28a586807 Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Tue, 29 Sep 2009 15:08:12 +0000 Subject: [PATCH 225/385] 20257 configure --- configure | 115 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 87 insertions(+), 28 deletions(-) diff --git a/configure b/configure index 084d1e8677..b7aad8c498 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.465 2009/09/15 23:18:00 jinmei Exp $ +# $Id: configure,v 1.466 2009/09/29 15:08:12 fdupont Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.479 . +# From configure.in Revision: 1.480 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61. # @@ -883,6 +883,8 @@ ETAGS PERL ISC_SOCKADDR_LEN_T ISC_PLATFORM_HAVELONGLONG +ISC_PLATFORM_NORETURN_PRE +ISC_PLATFORM_NORETURN_POST ISC_PLATFORM_HAVELIFCONF ISC_PLATFORM_HAVEKQUEUE ISC_PLATFORM_HAVEEPOLL @@ -3955,7 +3957,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 3958 "configure"' > conftest.$ac_ext + echo '#line 3960 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6903,11 +6905,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6906: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6908: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6910: \$? = $ac_status" >&5 + echo "$as_me:6912: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7193,11 +7195,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7196: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7198: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7200: \$? = $ac_status" >&5 + echo "$as_me:7202: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -7297,11 +7299,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7300: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7302: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7304: \$? = $ac_status" >&5 + echo "$as_me:7306: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9661,7 +9663,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:12171: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:12173: \$? = $ac_status" >&5 + echo "$as_me:12175: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -12270,11 +12272,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:12273: $lt_compile\"" >&5) + (eval echo "\"\$as_me:12275: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:12277: \$? = $ac_status" >&5 + echo "$as_me:12279: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13853,11 +13855,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13856: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13858: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13860: \$? = $ac_status" >&5 + echo "$as_me:13862: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -13957,11 +13959,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13960: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13962: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13964: \$? = $ac_status" >&5 + echo "$as_me:13966: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -16168,11 +16170,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16171: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16173: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16175: \$? = $ac_status" >&5 + echo "$as_me:16177: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16458,11 +16460,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16461: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16463: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16465: \$? = $ac_status" >&5 + echo "$as_me:16467: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16562,11 +16564,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16565: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16567: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16569: \$? = $ac_status" >&5 + echo "$as_me:16571: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -21619,6 +21621,61 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# +# check for GCC noreturn attribute +# +{ echo "$as_me:$LINENO: checking for GCC noreturn attribute" >&5 +echo $ECHO_N "checking for GCC noreturn attribute... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +int +main () +{ +void foo() __attribute__((noreturn)); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + { echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6; } + ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" + ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + { echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6; } + ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" + ISC_PLATFORM_NORETURN="#define ISC_PLATFORM_NORETURN_POST" +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + + # # check if we have lifconf # @@ -34137,6 +34194,8 @@ ETAGS!$ETAGS$ac_delim PERL!$PERL$ac_delim ISC_SOCKADDR_LEN_T!$ISC_SOCKADDR_LEN_T$ac_delim ISC_PLATFORM_HAVELONGLONG!$ISC_PLATFORM_HAVELONGLONG$ac_delim +ISC_PLATFORM_NORETURN_PRE!$ISC_PLATFORM_NORETURN_PRE$ac_delim +ISC_PLATFORM_NORETURN_POST!$ISC_PLATFORM_NORETURN_POST$ac_delim ISC_PLATFORM_HAVELIFCONF!$ISC_PLATFORM_HAVELIFCONF$ac_delim ISC_PLATFORM_HAVEKQUEUE!$ISC_PLATFORM_HAVEKQUEUE$ac_delim ISC_PLATFORM_HAVEEPOLL!$ISC_PLATFORM_HAVEEPOLL$ac_delim @@ -34214,8 +34273,6 @@ ISC_LWRES_SETHOSTENTINT!$ISC_LWRES_SETHOSTENTINT$ac_delim ISC_LWRES_ENDHOSTENTINT!$ISC_LWRES_ENDHOSTENTINT$ac_delim ISC_LWRES_GETNETBYADDRINADDR!$ISC_LWRES_GETNETBYADDRINADDR$ac_delim ISC_LWRES_SETNETENTINT!$ISC_LWRES_SETNETENTINT$ac_delim -ISC_LWRES_ENDNETENTINT!$ISC_LWRES_ENDNETENTINT$ac_delim -ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim _ACEOF if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then @@ -34257,6 +34314,8 @@ _ACEOF ac_delim='%!_!# ' for ac_last_try in false false false false false :; do cat >conf$$subs.sed <<_ACEOF +ISC_LWRES_ENDNETENTINT!$ISC_LWRES_ENDNETENTINT$ac_delim +ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim ISC_LWRES_GETIPNODEPROTO!$ISC_LWRES_GETIPNODEPROTO$ac_delim ISC_LWRES_GETADDRINFOPROTO!$ISC_LWRES_GETADDRINFOPROTO$ac_delim @@ -34339,7 +34398,7 @@ LIBOBJS!$LIBOBJS$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 80; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 82; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 From a93a66f61872a92ef4a272ca998aaff954ab4fed Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 29 Sep 2009 22:17:34 +0000 Subject: [PATCH 226/385] 2794. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970] --- CHANGES | 3 +++ bin/dnssec/dnssec-signzone.c | 10 +++++----- bin/dnssec/dnssec-signzone.docbook | 10 +++++----- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 44304cf062..aefcc840ff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2794. [bug] Reduce default NSEC3 iterations from 100 to 10. + [RT #19970] + 2793. [port] Add some noreturn attributes. [RT #20257] 2792. [port] win32: 32/64 bit cleanups. [RT #20335] diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 4e9ed94983..cfa01f7811 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.238 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-signzone.c,v 1.239 2009/09/29 22:17:34 each Exp $ */ /*! \file */ @@ -147,7 +147,7 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */ static dns_rdataclass_t gclass; /* The class */ static dns_name_t *gorigin; /* The database origin */ static int nsec3flags = 0; -static dns_iterations_t nsec3iter = 100U; +static dns_iterations_t nsec3iter = 10U; static unsigned char saltbuf[255]; static unsigned char *salt = saltbuf; static size_t salt_length = 0; @@ -3337,9 +3337,9 @@ usage(void) { fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); fprintf(stderr, "\t-k key_signing_key\n"); fprintf(stderr, "\t-l lookasidezone\n"); - fprintf(stderr, "\t-3 salt (NSEC3 salt)\n"); - fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n"); - fprintf(stderr, "\t-A (NSEC3 optout)\n"); + fprintf(stderr, "\t-3 NSEC3 salt\n"); + fprintf(stderr, "\t-H NSEC3 iterations (10)\n"); + fprintf(stderr, "\t-A NSEC3 optout\n"); fprintf(stderr, "\t-z:\t"); fprintf(stderr, "ignore KSK flag in DNSKEYs"); diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 75ac03e7dc..9a3dc364ae 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -552,7 +552,7 @@ -3 salt - Generate a NSEC3 chain with the given hex encoded salt. + Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain. @@ -563,8 +563,8 @@ -H iterations - When generating a NSEC3 chain use this many interations. The - default is 100. + When generating an NSEC3 chain, use this many interations. The + default is 10. @@ -573,7 +573,7 @@ -A - When generating a NSEC3 chain set the OPTOUT flag on all + When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. From f5212c68d000367d6cff812b45acd3013365a589 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 29 Sep 2009 23:18:56 +0000 Subject: [PATCH 227/385] auto update --- doc/private/branches | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/private/branches b/doc/private/branches index a4984404d8..9329968a5d 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -251,10 +251,12 @@ rt20247 new each // 2009-09-11 03:22 +0000 rt20253 new sar // 2009-09-11 22:17 +0000 rt20256 new fdupont // 2009-09-26 11:02 +0000 rt20256a new fdupont // 2009-09-28 10:50 +0000 +rt20256b new fdupont // 2009-09-29 15:31 +0000 rt20257 new fdupont // 2009-09-18 16:53 +0000 rt20257a new fdupont // 2009-09-28 08:58 +0000 rt20304 new each // 2009-09-24 22:57 +0000 rt20310 new each // 2009-09-25 00:29 +0000 +rt20339 new vjs // 2009-09-29 20:44 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 7f79131f9a8e804b93c57f3c679065cce878b726 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 29 Sep 2009 23:30:36 +0000 Subject: [PATCH 228/385] newcopyrights --- util/copyrights | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/util/copyrights b/util/copyrights index 38b5162af8..8ba9d3ef01 100644 --- a/util/copyrights +++ b/util/copyrights @@ -163,7 +163,7 @@ ./bin/named/include/named/lwdclient.h C 2000,2001,2004,2005,2007,2009 ./bin/named/include/named/lwresd.h C 2000,2001,2004,2005,2006,2007 ./bin/named/include/named/lwsearch.h C 2000,2001,2004,2005,2007 -./bin/named/include/named/main.h C 1999,2000,2001,2002,2004,2005,2007 +./bin/named/include/named/main.h C 1999,2000,2001,2002,2004,2005,2007,2009 ./bin/named/include/named/notify.h C 1999,2000,2001,2004,2005,2007,2009 ./bin/named/include/named/ns_smf_globals.h C 2005,2007 ./bin/named/include/named/query.h C 1999,2000,2001,2002,2004,2005,2007 @@ -246,7 +246,7 @@ ./bin/rndc/rndc.docbook SGML 2000,2001,2004,2005,2007 ./bin/rndc/rndc.html HTML DOCBOOK ./bin/rndc/util.c C 2000,2001,2004,2005,2007 -./bin/rndc/util.h C 2000,2001,2004,2005,2007 +./bin/rndc/util.h C 2000,2001,2004,2005,2007,2009 ./bin/rndc/win32/rndc.dsp X 2001,2004,2005,2006,2009 ./bin/rndc/win32/rndc.dsw X 2001 ./bin/rndc/win32/rndc.mak X 2001,2002,2004,2005,2006,2009 @@ -956,9 +956,9 @@ ./bin/tools/nsec3hash.c C 2006,2008,2009 ./bin/tools/nsec3hash.docbook SGML 2009 ./bin/tools/nsec3hash.html HTML 2009 -./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007 +./bin/win32/BINDInstall/AccountInfo.cpp C.PORTION 2001,2002,2004,2007,2009 ./bin/win32/BINDInstall/AccountInfo.h C 2001,2004,2007 -./bin/win32/BINDInstall/BINDInstall.cpp C.PORTION 2001,2004,2007 +./bin/win32/BINDInstall/BINDInstall.cpp C.PORTION 2001,2004,2007,2009 ./bin/win32/BINDInstall/BINDInstall.dsp X 2001,2007,2009 ./bin/win32/BINDInstall/BINDInstall.dsw X 2001 ./bin/win32/BINDInstall/BINDInstall.h C.PORTION 2001,2004,2007 @@ -2117,7 +2117,7 @@ ./lib/isc/include/isc/.cvsignore X 1998,1999,2000,2001 ./lib/isc/include/isc/Makefile.in MAKE 1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009 ./lib/isc/include/isc/app.h C 1999,2000,2001,2004,2005,2006,2007,2009 -./lib/isc/include/isc/assertions.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008 +./lib/isc/include/isc/assertions.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009 ./lib/isc/include/isc/backtrace.h C 2009 ./lib/isc/include/isc/base32.h C 2008 ./lib/isc/include/isc/base64.h C 1999,2000,2001,2004,2005,2006,2007 @@ -2127,7 +2127,7 @@ ./lib/isc/include/isc/bufferlist.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/isc/include/isc/commandline.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/isc/include/isc/entropy.h C 2000,2001,2004,2005,2006,2007,2009 -./lib/isc/include/isc/error.h C 1998,1999,2000,2001,2004,2005,2006,2007 +./lib/isc/include/isc/error.h C 1998,1999,2000,2001,2004,2005,2006,2007,2009 ./lib/isc/include/isc/event.h C 1998,1999,2000,2001,2002,2004,2005,2006,2007 ./lib/isc/include/isc/eventclass.h C 1998,1999,2000,2001,2004,2005,2007 ./lib/isc/include/isc/file.h C 2000,2001,2004,2005,2006,2007,2009 @@ -2167,7 +2167,7 @@ ./lib/isc/include/isc/radix.h C 2007,2008 ./lib/isc/include/isc/random.h C 1999,2000,2001,2004,2005,2006,2007,2009 ./lib/isc/include/isc/ratelimiter.h C 1999,2000,2001,2002,2004,2005,2006,2007,2009 -./lib/isc/include/isc/refcount.h C 2001,2003,2004,2005,2006,2007 +./lib/isc/include/isc/refcount.h C 2001,2003,2004,2005,2006,2007,2009 ./lib/isc/include/isc/region.h C 1998,1999,2000,2001,2002,2004,2005,2006,2007 ./lib/isc/include/isc/resource.h C 2000,2001,2004,2005,2006,2007,2008 ./lib/isc/include/isc/result.h C 1998,1999,2000,2001,2003,2004,2005,2006,2007,2008,2009 @@ -2359,7 +2359,7 @@ ./lib/isc/win32/include/isc/ntpaths.h C 2000,2001,2004,2007,2009 ./lib/isc/win32/include/isc/offset.h C 2000,2001,2004,2007 ./lib/isc/win32/include/isc/once.h C 1999,2000,2001,2004,2007 -./lib/isc/win32/include/isc/platform.h C 2001,2004,2005,2007,2008 +./lib/isc/win32/include/isc/platform.h C 2001,2004,2005,2007,2008,2009 ./lib/isc/win32/include/isc/stat.h C 2000,2001,2003,2004,2007 ./lib/isc/win32/include/isc/stdtime.h C 1999,2000,2001,2004,2005,2007 ./lib/isc/win32/include/isc/strerror.h C 2001,2004,2007 @@ -2377,7 +2377,7 @@ ./lib/isc/win32/libisc.mak X 2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/isc/win32/net.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009 ./lib/isc/win32/netdb.h C 2000,2001,2004,2006,2007,2009 -./lib/isc/win32/ntgroups.c C 2001,2004,2006,2007 +./lib/isc/win32/ntgroups.c C 2001,2004,2006,2007,2009 ./lib/isc/win32/ntpaths.c C 2001,2004,2007,2009 ./lib/isc/win32/once.c C 1999,2000,2001,2004,2007 ./lib/isc/win32/os.c C 2000,2001,2002,2004,2007 From 61dd99bfae0ffa8ec193cf48fc86e4fa246a06e2 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 29 Sep 2009 23:48:04 +0000 Subject: [PATCH 229/385] update copyright notice --- bin/named/include/named/main.h | 4 +-- bin/rndc/util.h | 6 ++-- bin/win32/BINDInstall/AccountInfo.cpp | 20 ++++++------ bin/win32/BINDInstall/BINDInstall.cpp | 4 +-- lib/isc/include/isc/assertions.h | 4 +-- lib/isc/include/isc/error.h | 4 +-- lib/isc/include/isc/refcount.h | 8 ++--- lib/isc/win32/include/isc/platform.h | 4 +-- lib/isc/win32/ntgroups.c | 44 +++++++++++++-------------- 9 files changed, 49 insertions(+), 49 deletions(-) diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h index d91dd39871..44251fa825 100644 --- a/bin/named/include/named/main.h +++ b/bin/named/include/named/main.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.h,v 1.16 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp $ */ #ifndef NAMED_MAIN_H #define NAMED_MAIN_H 1 diff --git a/bin/rndc/util.h b/bin/rndc/util.h index 14b011ba52..d7277148ff 100644 --- a/bin/rndc/util.h +++ b/bin/rndc/util.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: util.h,v 1.11 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: util.h,v 1.12 2009/09/29 23:48:03 tbox Exp $ */ #ifndef RNDC_UTIL_H #define RNDC_UTIL_H 1 @@ -44,7 +44,7 @@ ISC_LANG_BEGINDECLS void notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2); -ISC_PLATFORM_NORETURN_PRE void +ISC_PLATFORM_NORETURN_PRE void fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST; diff --git a/bin/win32/BINDInstall/AccountInfo.cpp b/bin/win32/BINDInstall/AccountInfo.cpp index 7503e90d3b..ec3e106fa4 100644 --- a/bin/win32/BINDInstall/AccountInfo.cpp +++ b/bin/win32/BINDInstall/AccountInfo.cpp @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 2001, 2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: AccountInfo.cpp,v 1.9 2009/09/29 04:37:08 marka Exp $ */ +/* $Id: AccountInfo.cpp,v 1.10 2009/09/29 23:48:04 tbox Exp $ */ #ifndef UNICODE #define UNICODE @@ -108,7 +108,7 @@ DisplayWinError( int GetAccountPrivileges(char *name, wchar_t **PrivList, unsigned int *PrivCount, char **Accounts, unsigned int *totalAccounts, - int maxAccounts) + int maxAccounts) { LSA_HANDLE PolicyHandle; TCHAR AccountName[256]; /* static account name buffer */ @@ -153,8 +153,8 @@ GetAccountPrivileges(char *name, wchar_t **PrivList, unsigned int *PrivCount, /* Obtain the SID of the user/group. */ if (!GetAccountSid(NULL, AccountName, &pSid)) continue; /* Try the next one */ - /* Get the Privileges allocated to this SID */ - if ((Status = GetPrivilegesOnAccount(PolicyHandle, pSid, + /* Get the Privileges allocated to this SID */ + if ((Status = GetPrivilegesOnAccount(PolicyHandle, pSid, PrivList, PrivCount)) == STATUS_SUCCESS) { iRetVal=RTN_OK; @@ -193,7 +193,7 @@ CreateServiceAccount(char *name, char *password) { /* * Set up the USER_INFO_1 structure. - * USER_PRIV_USER: name is required here when creating an account + * USER_PRIV_USER: name is required here when creating an account * rather than an administrator or a guest. */ @@ -239,7 +239,7 @@ AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) { if (!GetAccountSid(NULL, AccountName, &pSid)) return (RTN_NOACCOUNT); - err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle, + err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle, pSid, PrivilegeName, TRUE)); LsaClose(PolicyHandle); @@ -327,7 +327,7 @@ GetAccountSid(LPTSTR SystemName, LPTSTR AccountName, PSID *Sid) { cbReferencedDomain)) == NULL) __leave; } - else + else __leave; } bSuccess = TRUE; @@ -370,7 +370,7 @@ SetPrivilegeOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid, NTSTATUS GetPrivilegesOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid, - wchar_t **PrivList, unsigned int *PrivCount) + wchar_t **PrivList, unsigned int *PrivCount) { NTSTATUS Status; LSA_UNICODE_STRING *UserRights; @@ -395,7 +395,7 @@ GetPrivilegesOnAccount(LSA_HANDLE PolicyHandle, PSID AccountSid, break; } if (found != 0) { - PrivList[*PrivCount] = + PrivList[*PrivCount] = (wchar_t *)malloc(UserRights[i].MaximumLength); if (PrivList[*PrivCount] == NULL) return (RTN_NOMEMORY); diff --git a/bin/win32/BINDInstall/BINDInstall.cpp b/bin/win32/BINDInstall/BINDInstall.cpp index 3d430e1c3c..608f4cf231 100644 --- a/bin/win32/BINDInstall/BINDInstall.cpp +++ b/bin/win32/BINDInstall/BINDInstall.cpp @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: BINDInstall.cpp,v 1.8 2009/09/29 04:37:08 marka Exp $ */ +/* $Id: BINDInstall.cpp,v 1.9 2009/09/29 23:48:04 tbox Exp $ */ /* * Copyright (c) 1999-2000 by Nortel Networks Corporation diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h index 26d3fa1dbe..2c81b1ae98 100644 --- a/lib/isc/include/isc/assertions.h +++ b/lib/isc/include/isc/assertions.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1997-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +16,7 @@ */ /* - * $Id: assertions.h,v 1.27 2009/09/29 15:06:07 fdupont Exp $ + * $Id: assertions.h,v 1.28 2009/09/29 23:48:04 tbox Exp $ */ /*! \file isc/assertions.h */ diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h index 160b549b1e..e0cdfa83e7 100644 --- a/lib/isc/include/isc/error.h +++ b/lib/isc/include/isc/error.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1998-2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: error.h,v 1.21 2009/09/29 15:06:07 fdupont Exp $ */ +/* $Id: error.h,v 1.22 2009/09/29 23:48:04 tbox Exp $ */ #ifndef ISC_ERROR_H #define ISC_ERROR_H 1 diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h index 98086b71a8..b72b1585be 100644 --- a/lib/isc/include/isc/refcount.h +++ b/lib/isc/include/isc/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: refcount.h,v 1.16 2009/09/29 15:06:07 fdupont Exp $ */ +/* $Id: refcount.h,v 1.17 2009/09/29 23:48:04 tbox Exp $ */ #ifndef ISC_REFCOUNT_H #define ISC_REFCOUNT_H 1 @@ -28,7 +28,7 @@ #include /*! \file isc/refcount.h - * \brief Implements a locked reference counter. + * \brief Implements a locked reference counter. * * These functions may actually be * implemented using macros, and implementations of these macros are below. @@ -42,7 +42,7 @@ ISC_LANG_BEGINDECLS * Function prototypes */ -/* +/* * isc_result_t * isc_refcount_init(isc_refcount_t *ref, unsigned int n); * diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h index b9c0c26d50..d632d3cf7e 100644 --- a/lib/isc/win32/include/isc/platform.h +++ b/lib/isc/win32/include/isc/platform.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: platform.h,v 1.18 2009/09/29 15:06:07 fdupont Exp $ */ +/* $Id: platform.h,v 1.19 2009/09/29 23:48:04 tbox Exp $ */ #ifndef ISC_PLATFORM_H #define ISC_PLATFORM_H 1 diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c index 9c3d5acc15..729cf07e74 100644 --- a/lib/isc/win32/ntgroups.c +++ b/lib/isc/win32/ntgroups.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2006, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2006, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2001 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ntgroups.c,v 1.11 2009/09/29 04:37:08 marka Exp $ */ +/* $Id: ntgroups.c,v 1.12 2009/09/29 23:48:04 tbox Exp $ */ /* * The NT Groups have two groups that are not well documented and are @@ -70,21 +70,21 @@ isc_ntsecurity_getaccountgroups(char *username, char **GroupList, *totalGroups = 0; /* - * Call the NetUserGetLocalGroups function + * Call the NetUserGetLocalGroups function * specifying information level 0. * - * The LG_INCLUDE_INDIRECT flag specifies that the - * function should also return the names of the local + * The LG_INCLUDE_INDIRECT flag specifies that the + * function should also return the names of the local * groups in which the user is indirectly a member. */ nStatus = NetUserGetLocalGroups(NULL, - user, - dwLevel, - dwFlags, - (LPBYTE *) &pBuf, - dwPrefMaxLen, - &dwEntriesRead, - &dwTotalEntries); + user, + dwLevel, + dwFlags, + (LPBYTE *) &pBuf, + dwPrefMaxLen, + &dwEntriesRead, + &dwTotalEntries); /* * See if the call succeeds, */ @@ -103,7 +103,7 @@ isc_ntsecurity_getaccountgroups(char *username, char **GroupList, /* * Loop through the entries */ - for (i = 0; + for (i = 0; (i < dwEntriesRead && *totalGroups < maxgroups); i++) { assert(pTmpLBuf != NULL); if (pTmpLBuf == NULL) @@ -127,17 +127,17 @@ isc_ntsecurity_getaccountgroups(char *username, char **GroupList, if (pBuf != NULL) NetApiBufferFree(pBuf); - + /* * Call the NetUserGetGroups function, specifying level 0. */ nStatus = NetUserGetGroups(NULL, - user, - dwLevel, - (LPBYTE*)&pgrpBuf, - dwPrefMaxLen, - &dwEntriesRead, - &dwTotalEntries); + user, + dwLevel, + (LPBYTE*)&pgrpBuf, + dwPrefMaxLen, + &dwEntriesRead, + &dwTotalEntries); /* * See if the call succeeds, */ @@ -149,13 +149,13 @@ isc_ntsecurity_getaccountgroups(char *username, char **GroupList, if (nStatus == NERR_UserNotFound) dwEntriesRead = 0; } - + if (pgrpBuf != NULL) { pTmpBuf = pgrpBuf; /* * Loop through the entries */ - for (i = 0; + for (i = 0; (i < dwEntriesRead && *totalGroups < maxgroups); i++) { assert(pTmpBuf != NULL); From 66fec05962ae85e63c4aa568d44a962db5bbc902 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 30 Sep 2009 01:14:47 +0000 Subject: [PATCH 230/385] regen --- bin/dnssec/dnssec-signzone.8 | 8 ++++---- bin/dnssec/dnssec-signzone.html | 10 +++++----- doc/arm/man.dnssec-signzone.html | 10 +++++----- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8 index b53cde649d..f4d483e20a 100644 --- a/bin/dnssec/dnssec-signzone.8 +++ b/bin/dnssec/dnssec-signzone.8 @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.53 2009/09/26 01:14:51 tbox Exp $ +.\" $Id: dnssec-signzone.8,v 1.54 2009/09/30 01:14:47 tbox Exp $ .\" .hy 0 .ad l @@ -288,17 +288,17 @@ Ignore KSK flag on key when determining what to sign. .PP \-3 \fIsalt\fR .RS 4 -Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain. +Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain. .RE .PP \-H \fIiterations\fR .RS 4 -When generating a NSEC3 chain use this many interations. The default is 100. +When generating an NSEC3 chain, use this many interations. The default is 10. .RE .PP \-A .RS 4 -When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. +When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations. .sp Using this option twice (i.e., \fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html index 18a90ec9dd..f1806b64b3 100644 --- a/bin/dnssec/dnssec-signzone.html +++ b/bin/dnssec/dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -323,19 +323,19 @@

    -3 salt

    - Generate a NSEC3 chain with the given hex encoded salt. + Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain.

    -H iterations

    - When generating a NSEC3 chain use this many interations. The - default is 100. + When generating an NSEC3 chain, use this many interations. The + default is 10.

    -A

    - When generating a NSEC3 chain set the OPTOUT flag on all + When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.

    diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 7ee4c1a1ab..7f8d7e8a8c 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -341,19 +341,19 @@

    -3 salt

    - Generate a NSEC3 chain with the given hex encoded salt. + Generate an NSEC3 chain with the given hex encoded salt. A dash (salt) can be used to indicate that no salt is to be used when generating the NSEC3 chain.

    -H iterations

    - When generating a NSEC3 chain use this many interations. The - default is 100. + When generating an NSEC3 chain, use this many interations. The + default is 10.

    -A

    - When generating a NSEC3 chain set the OPTOUT flag on all + When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.

    From 4977518a4c906da7c7cf2c5bba2cef2ccd1a409a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Sep 2009 02:17:50 +0000 Subject: [PATCH 231/385] fix CHANGES --- CHANGES | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index aefcc840ff..c23002338e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,9 +1,9 @@ -2794. [bug] Reduce default NSEC3 iterations from 100 to 10. +2694. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970] -2793. [port] Add some noreturn attributes. [RT #20257] +2693. [port] Add some noreturn attributes. [RT #20257] -2792. [port] win32: 32/64 bit cleanups. [RT #20335] +2692. [port] win32: 32/64 bit cleanups. [RT #20335] 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 chain when re-signing a previously-signed zone. From bafa76b324e2336d707a158cccdb309df30bca65 Mon Sep 17 00:00:00 2001 From: Shawn Routhier Date: Thu, 1 Oct 2009 01:30:01 +0000 Subject: [PATCH 232/385] Updates to fdwatch code to support DHCP/DDNS code, ticket rt20253. --- CHANGES | 7 ++++++ lib/isc/include/isc/msgs.h | 4 +-- lib/isc/include/isc/namespace.h | 5 ++-- lib/isc/include/isc/socket.h | 37 ++++++++++++++++++++++++++- lib/isc/include/isc/types.h | 4 +-- lib/isc/socket_api.c | 22 ++++++++++++++++- lib/isc/unix/socket.c | 44 ++++++++++++++++++++++++++++----- 7 files changed, 109 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index c23002338e..0e32dd900e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +2695. [func] DHCP/DDNS - update fdwatch code for use by + DHCP. Modify the api to isc_sockfdwatch_t (the + callback funciton for isc_socket_fdwatchcreate) + to include information about the direction (read + or write) and add isc_socket_fdwatchpoke. + [RT #20253] + 2694. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970] diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h index d8f2787a28..14d0967a1d 100644 --- a/lib/isc/include/isc/msgs.h +++ b/lib/isc/include/isc/msgs.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: msgs.h,v 1.17 2008/08/08 06:28:59 tbox Exp $ */ +/* $Id: msgs.h,v 1.18 2009/10/01 01:30:01 sar Exp $ */ #ifndef ISC_MSGS_H #define ISC_MSGS_H 1 @@ -156,7 +156,7 @@ #define ISC_MSG_FILTER 1421 /*%< setsockopt(SO_ACCEPTFILTER): %s */ #define ISC_MSG_TOOMANYHANDLES 1422 /*%< %s: too many open WSA event handles: %s */ - +#define ISC_MSG_POKED 1423 /*%< "poked flags: %d" */ #define ISC_MSG_AWAKE 1502 /*%< "awake" */ #define ISC_MSG_WORKING 1503 /*%< "working" */ diff --git a/lib/isc/include/isc/namespace.h b/lib/isc/include/isc/namespace.h index 33ec63a38f..4fa05ac4ef 100644 --- a/lib/isc/include/isc/namespace.h +++ b/lib/isc/include/isc/namespace.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namespace.h,v 1.4 2009/09/02 23:48:03 tbox Exp $ */ +/* $Id: namespace.h,v 1.5 2009/10/01 01:30:01 sar Exp $ */ #ifndef ISCAPI_NAMESPACE_H #define ISCAPI_NAMESPACE_H 1 @@ -109,7 +109,6 @@ #define isc_socket_listen isc__socket_listen #define isc_socket_accept isc__socket_accept #define isc_socket_connect isc__socket_connect -#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate #define isc_socket_getname isc__socket_getname #define isc_socket_gettag isc__socket_gettag #define isc_socket_getpeername isc__socket_getpeername @@ -123,6 +122,8 @@ #define isc_socketmgr_setstats isc__socketmgr_setstats #define isc_socketmgr_setreserved isc__socketmgr_setreserved #define isc__socketmgr_maxudp isc___socketmgr_maxudp +#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate +#define isc_socket_fdwatchpoke isc__socket_fdwatchpoke #define isc_task_create isc__task_create #define isc_task_attach isc__task_attach diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h index 376dcc09ad..c4ab0e2959 100644 --- a/lib/isc/include/isc/socket.h +++ b/lib/isc/include/isc/socket.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.h,v 1.93 2009/09/02 23:43:54 each Exp $ */ +/* $Id: socket.h,v 1.94 2009/10/01 01:30:01 sar Exp $ */ #ifndef ISC_SOCKET_H #define ISC_SOCKET_H 1 @@ -266,6 +266,11 @@ typedef struct isc_socketmgrmethods { isc_result_t (*socketcreate)(isc_socketmgr_t *manager, int pf, isc_sockettype_t type, isc_socket_t **socketp); + isc_result_t (*fdwatchcreate)(isc_socketmgr_t *manager, int fd, + int flags, + isc_sockfdwatch_t callback, + void *cbarg, isc_task_t *task, + isc_socket_t **socketp); } isc_socketmgrmethods_t; typedef struct isc_socketmethods { @@ -290,6 +295,7 @@ typedef struct isc_socketmethods { isc_sockaddr_t *addressp); isc_sockettype_t (*gettype)(isc_socket_t *sock); void (*ipv6only)(isc_socket_t *sock, isc_boolean_t yes); + isc_result_t (*fdwatchpoke)(isc_socket_t *sock, int flags); } isc_socketmethods_t; /*% @@ -379,6 +385,35 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, *\li #ISC_R_UNEXPECTED */ +isc_result_t +isc_socket_fdwatchpoke(isc_socket_t *sock, + int flags); +/*%< + * Poke a file descriptor watch socket informing the manager that it + * should restart watching the socket + * + * Note: + * + *\li 'sock' is the socket returned by isc_socket_fdwatchcreate + * + *\li 'flags' indicates what the manager should watch for on the socket + * in addition to what it may already be watching. It can be one or + * both of ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE. To + * temporarily disable watching on a socket the value indicating + * no more data should be returned from the call back routine. + * + *\li This function is not available on Windows. + * + * Requires: + * + *\li 'sock' is a valid isc socket + * + * + * Returns: + * + *\li #ISC_R_SUCCESS + */ + isc_result_t isc_socket_create(isc_socketmgr_t *manager, int pf, diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h index 03ada89a1c..906bad176f 100644 --- a/lib/isc/include/isc/types.h +++ b/lib/isc/include/isc/types.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: types.h,v 1.50 2009/09/01 18:40:25 jinmei Exp $ */ +/* $Id: types.h,v 1.51 2009/10/01 01:30:01 sar Exp $ */ #ifndef ISC_TYPES_H #define ISC_TYPES_H 1 @@ -98,7 +98,7 @@ typedef struct isc_timer isc_timer_t; /*%< Timer */ typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */ typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *); -typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *); +typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int); /* The following cannot be listed alphabetically due to forward reference */ typedef isc_result_t (isc_httpdaction_t)(const char *url, diff --git a/lib/isc/socket_api.c b/lib/isc/socket_api.c index 8ba206070c..95075f5a65 100644 --- a/lib/isc/socket_api.c +++ b/lib/isc/socket_api.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket_api.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: socket_api.c,v 1.5 2009/10/01 01:30:01 sar Exp $ */ #include @@ -194,3 +194,23 @@ isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) { UNUSED(name); UNUSED(tag); } + +isc_result_t +isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags, + isc_sockfdwatch_t callback, void *cbarg, + isc_task_t *task, isc_socket_t **socketp) +{ + REQUIRE(ISCAPI_SOCKETMGR_VALID(manager)); + + return (manager->methods->fdwatchcreate(manager, fd, flags, + callback, cbarg, task, + socketp)); +} + +isc_result_t +isc_socket_fdwatchpoke(isc_socket_t *sock, int flags) +{ + REQUIRE(ISCAPI_SOCKET_VALID(sock)); + + return(sock->methods->fdwatchpoke(sock, flags)); +} diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c index e2e06934ee..663a03ab10 100644 --- a/lib/isc/unix/socket.c +++ b/lib/isc/unix/socket.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: socket.c,v 1.324 2009/09/07 02:08:51 marka Exp $ */ +/* $Id: socket.c,v 1.325 2009/10/01 01:30:01 sar Exp $ */ /*! \file */ @@ -535,6 +535,13 @@ ISC_SOCKETFUNC_SCOPE void isc__socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer); #endif +ISC_SOCKETFUNC_SCOPE isc_result_t +isc__socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags, + isc_sockfdwatch_t callback, void *cbarg, + isc_task_t *task, isc_socket_t **socketp); +ISC_SOCKETFUNC_SCOPE isc_result_t +isc__socket_fdwatchpoke(isc_socket_t *sock, int flags); + static struct { isc_socketmethods_t methods; @@ -556,7 +563,8 @@ static struct { isc__socket_cancel, isc__socket_getsockname, isc__socket_gettype, - isc__socket_ipv6only + isc__socket_ipv6only, + isc__socket_fdwatchpoke } #ifndef BIND9 , @@ -571,7 +579,8 @@ static struct { static isc_socketmgrmethods_t socketmgrmethods = { isc__socketmgr_destroy, - isc__socket_create + isc__socket_create, + isc__socket_fdwatchcreate }; #define SELECT_POKE_SHUTDOWN (-1) @@ -2553,6 +2562,7 @@ isc__socket_open(isc_socket_t *sock0) { return (result); } +#endif /* BIND9 */ /* * Create a new 'type' socket managed by 'manager'. Events @@ -2617,7 +2627,29 @@ isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags, return (ISC_R_SUCCESS); } -#endif /* BIND9 */ + +/* Indicate to the manager that it should watch the socket again. + * This can be used to restart watching if the previous event handler + * didn't indicate there was more data to be processed. Primarily + * it is for writing but could be used for reading if desired */ + +ISC_SOCKETFUNC_SCOPE isc_result_t +isc__socket_fdwatchpoke(isc_socket_t *sock0, int flags) +{ + isc__socket_t *sock = (isc__socket_t *)sock0; + + REQUIRE(VALID_SOCKET(sock)); + + if (flags & ISC_SOCKFDWATCH_READ) + select_poke(sock->manager, sock->fd, SELECT_POKE_READ); + if (flags & ISC_SOCKFDWATCH_WRITE) + select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE); + + socket_log(sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET, + ISC_MSG_POKED, "fdwatch-poked flags: %d", flags); + + return (ISC_R_SUCCESS); +} /* * Attach to a socket. Caller must explicitly detach when it is done. @@ -3276,7 +3308,7 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) { UNLOCK(&sock->lock); more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock, - sock->fdwatcharg); + sock->fdwatcharg, ISC_SOCKFDWATCH_WRITE); LOCK(&sock->lock); sock->pending_send = 0; @@ -3317,7 +3349,7 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) { UNLOCK(&sock->lock); more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock, - sock->fdwatcharg); + sock->fdwatcharg, ISC_SOCKFDWATCH_READ); LOCK(&sock->lock); sock->pending_recv = 0; From eb95d2e917b3f71c33a8be53eac75eb191ee5a9d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 1 Oct 2009 04:06:37 +0000 Subject: [PATCH 233/385] 2696. [bug] named failed to successfully process some valid acl constructs. [RT #20308] --- CHANGES | 3 +++ lib/isccfg/aclconf.c | 23 +++++++++++++++++------ 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 0e32dd900e..f80a595c31 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2696. [bug] named failed to successfully process some valid + acl constructs. [RT #20308] + 2695. [func] DHCP/DDNS - update fdwatch code for use by DHCP. Modify the api to isc_sockfdwatch_t (the callback funciton for isc_socket_fdwatchcreate) diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c index 2b7719444f..e6a7dd6dfd 100644 --- a/lib/isccfg/aclconf.c +++ b/lib/isccfg/aclconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aclconf.c,v 1.25 2009/09/01 00:22:28 jinmei Exp $ */ +/* $Id: aclconf.c,v 1.26 2009/10/01 04:06:37 marka Exp $ */ #include @@ -168,26 +168,36 @@ convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx, * parent. */ static int -count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx) +count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx, + isc_boolean_t *has_negative) { const cfg_listelt_t *elt; const cfg_obj_t *cacl = NULL; isc_result_t result; int n = 0; + if (has_negative != NULL) + *has_negative = ISC_FALSE; + for (elt = cfg_list_first(caml); elt != NULL; elt = cfg_list_next(elt)) { const cfg_obj_t *ce = cfg_listelt_value(elt); /* negated element; just get the value. */ - if (cfg_obj_istuple(ce)) + if (cfg_obj_istuple(ce)) { ce = cfg_tuple_get(ce, "value"); + if (has_negative != NULL) + *has_negative = ISC_TRUE; + } if (cfg_obj_istype(ce, &cfg_type_keyref)) { n++; } else if (cfg_obj_islist(ce)) { - n += count_acl_elements(ce, cctx); + isc_boolean_t negative; + n += count_acl_elements(ce, cctx, &negative); + if (negative) + n++; } else if (cfg_obj_isstring(ce)) { const char *name = cfg_obj_asstring(ce); if (strcasecmp(name, "localhost") == 0 || @@ -197,7 +207,8 @@ count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx) strcasecmp(name, "none") != 0) { result = get_acl_def(cctx, name, &cacl); if (result == ISC_R_SUCCESS) - n += count_acl_elements(cacl, cctx) + 1; + n += count_acl_elements(cacl, cctx, + NULL) + 1; } } } @@ -246,7 +257,7 @@ cfg_acl_fromconfig(const cfg_obj_t *caml, int nelem; if (nest_level == 0) - nelem = count_acl_elements(caml, cctx); + nelem = count_acl_elements(caml, cctx, NULL); else nelem = cfg_list_length(caml, ISC_FALSE); From cf7432f74761107ac3cbafadc524b5d650919fed Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 1 Oct 2009 04:43:30 +0000 Subject: [PATCH 234/385] 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including . [RT #20309] --- CHANGES | 140 ++++++++++++++++--------------- lib/isc/win32/include/isc/stat.h | 15 +++- 2 files changed, 86 insertions(+), 69 deletions(-) diff --git a/CHANGES b/CHANGES index f80a595c31..e9f8d65d30 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and + S_IFREG are defined after including . + [RT #20309] + 2696. [bug] named failed to successfully process some valid acl constructs. [RT #20308] @@ -20,7 +24,7 @@ Use -u to modify NSEC3 parameters or switch between NSEC and NSEC3. [RT #20304] -2690. [bug] win32: fix isc_thread_key_getspecific() prototype. +2690. [bug] win32: fix isc_thread_key_getspecific() prototype. [RT #20315] 2689. [bug] Correctly handle snprintf result. [RT #20306] @@ -74,7 +78,7 @@ 2676. [bug] --with-export-installdir should have been --with-export-includedir. [RT #20252] -2675. [bug] dnssec-signzone could crash if the key directory +2675. [bug] dnssec-signzone could crash if the key directory did not exist. [RT #20232] --- 9.7.0a3 released --- @@ -120,14 +124,14 @@ 2665. [func] Clarify syntax for managed-keys {} statement, add ARM documentation about RFC 5011 support. [RT #19874] -2664. [bug] create_keydata() and minimal_update() in zone.c +2664. [bug] create_keydata() and minimal_update() in zone.c didn't properly check return values for some functions. [RT #19956] 2663. [func] win32: allow named to run as a service using "NT AUTHORITY\LocalService" as the account. [RT #19977] -2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() +2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr() returned a misleading error code when lwresd was down. [RT #20028] @@ -242,8 +246,8 @@ 2629. [port] Check for seteuid()/setegid(), use setresuid()/ setresgid() if not present. [RT #19932] - -2628. [port] linux: Allow /var/run/named/named.pid to be opened + +2628. [port] linux: Allow /var/run/named/named.pid to be opened at startup with reduced capabilities in operation. [RT #19884] @@ -261,7 +265,7 @@ 2623. [bug] Named started seaches for DS non-optimally. [RT #19915] 2622. [bug] Printing of named.conf grammar was broken. [RT #19919] - + 2621. [doc] Made copyright boilterplate consistent. [RT #19833] 2620. [bug] Delay thawing the zone until the reload of it has @@ -298,7 +302,7 @@ or with the -f KSK option, a 2048-bit RSASHA1 key-signing key. [RT #19300] -2611. [func] Add -l option to dnssec-dsfromkey to generate +2611. [func] Add -l option to dnssec-dsfromkey to generate DLV records instead of DS records. [RT #19300] 2610. [port] sunos: Change #2363 was not complete. [RT #19796] @@ -314,7 +318,7 @@ named process using the session key generated by named [RT #19284] - + 2608. [func] Perform post signing verification checks in dnssec-signzone. These can be disabled with -P. @@ -380,7 +384,7 @@ [RT #19542] 2589. [bug] dns_db_unregister() failed to clear '*dbimp'. - [RT #19626] + [RT #19626] 2588. [bug] SO_REUSEADDR could be set unconditionally after failure of bind(2) call. This should be rare and mostly @@ -455,7 +459,7 @@ [RT #19209] 2569. [func] Move journalprint, nsec3hash, and genrandom - commands from bin/tests into bin/tools; + commands from bin/tests into bin/tools; "make install" will put them in $sbindir. [RT #19301] 2568. [bug] Report when the write to indicate a otherwise @@ -505,7 +509,7 @@ 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the error checks in the correct order resulting in the wrong error code sometimes being returned. [RT #19249] - + 2555. [func] dig: when emitting a hex dump also display the corresponding characters. [RT #19258] @@ -582,8 +586,8 @@ 2529. [cleanup] Upgrade libtool to silence complaints from recent version of autoconf. [RT #18657] -2528. [cleanup] Silence spurious configure warning about - --datarootdir [RT #19096] +2528. [cleanup] Silence spurious configure warning about + --datarootdir [RT #19096] 2527. [placeholder] @@ -650,7 +654,7 @@ oldest query or refusing to recurse due to quota. [RT #19022] -2506. [port] solaris: Check at configure time if +2506. [port] solaris: Check at configure time if hack_shutup_pthreadonceinit is needed. [RT #19037] 2505. [port] Treat amd64 similarly to x86_64 when determining @@ -749,7 +753,7 @@ 2478. [bug] 'addresses' could be used uninitialized in configure_forward(). [RT #18800] - + 2477. [bug] dig: the global option to print the command line is +cmd not print_cmd. Update the output to reflect this. [RT #17008] @@ -765,7 +769,7 @@ 2473. [port] linux: raise the limit on open files to the possible maximum value before spawning threads; 'files' - specified in named.conf doesn't seem to work with + specified in named.conf doesn't seem to work with threads as expected. [RT #18784] 2472. [port] linux: check the number of available cpu's before @@ -794,7 +798,7 @@ 2464. [port] linux: check that a capability is present before trying to set it. [RT #18135] -2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket +2463. [port] linux: POSIX doesn't include the IPv6 Advanced Socket API and glibc hides parts of the IPv6 Advanced Socket API as a result. This is stupid as it breaks how the two halves (Basic and Advanced) of the IPv6 Socket API @@ -824,7 +828,7 @@ 2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any address, regardless of family. They now correctly distinguish IPv4 from IPv6. [RT #18559] - + 2455. [bug] Stop metadata being transferred via axfr/ixfr. [RT #18639] @@ -864,7 +868,7 @@ 2442. [bug] A lock could be destroyed twice. [RT# 18626] -2441. [bug] isc_radix_insert() could copy radix tree nodes +2441. [bug] isc_radix_insert() could copy radix tree nodes incompletely. [RT #18573] 2440. [bug] named-checkconf used an incorrect test to determine @@ -921,7 +925,7 @@ implementation. Allow the use of kqueue, epoll and /dev/poll to be selected at compile time. [RT #18277] - + 2423. [security] Randomize server selection on queries, so as to make forgery a little more difficult. Instead of always preferring the server with the lowest RTT, @@ -989,9 +993,9 @@ 2406. [placeholder] -2405. [cleanup] The default value for dnssec-validation was changed to - "yes" in 9.5.0-P1 and all subsequent releases; this - was inadvertently omitted from CHANGES at the time. +2405. [cleanup] The default value for dnssec-validation was changed to + "yes" in 9.5.0-P1 and all subsequent releases; this + was inadvertently omitted from CHANGES at the time. 2404. [port] hpux: files unlimited support. @@ -1067,7 +1071,7 @@ 2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET proofs which, in turn, caused validation failures for insecure zones immediately below a secure zone - the server was authoritative for. [RT #18112] + the server was authoritative for. [RT #18112] 2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant TLDs and supported RRs with TTLs [RT #17972] @@ -1115,7 +1119,7 @@ 2363. [port] sunos: pre-set "lt_cv_sys_max_cmd_len=4096;". [RT #17513] -2362. [cleanup] Make "rrset-order fixed" a compile-time option. +2362. [cleanup] Make "rrset-order fixed" a compile-time option. settable by "./configure --enable-fixed-rrset". Disabled by default. [RT #17977] @@ -1198,12 +1202,12 @@ interfaces if there are not listen-on-v6 clauses in named.conf. [RT #17581] -2335. [port] sunos: libbind and *printf() support for long long. +2335. [port] sunos: libbind and *printf() support for long long. [RT #17513] 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one bug in fromstruct_txt(). [RT #17609] - + 2333. [bug] Fix off by one error in isc_time_nowplusinterval(). [RT #17608] @@ -1248,7 +1252,7 @@ 2320. [func] Make statistics counters thread-safe for platforms that support certain atomic operations. [RT #17466] -2319. [bug] Silence Coverity warnings in +2319. [bug] Silence Coverity warnings in lib/dns/rdata/in_1/apl_42.c. [RT #17469] 2318. [port] sunos fixes for libbind. [RT #17514] @@ -1300,7 +1304,7 @@ 2301. [bug] Remove resource leak and fix error messages in bin/tests/system/lwresd/lwtest.c. [RT #17474] -2300. [bug] Fixed failure to close open file in +2300. [bug] Fixed failure to close open file in bin/tests/names/t_names.c. [RT #17473] 2299. [bug] Remove unnecessary NULL check in @@ -1423,7 +1427,7 @@ 2261. [bug] Fix memory leak with "any" and "none" ACLs [RT #17272] 2260. [bug] Reported wrong clients-per-query when increasing the - value. [RT #17236] + value. [RT #17236] 2259. [placeholder] @@ -1445,10 +1449,10 @@ intermediate values as timer->idle was reset by isc_timer_touch(). [RT #17243] -2253. [func] "max-cache-size" defaults to 32M. +2253. [func] "max-cache-size" defaults to 32M. "max-acache-size" defaults to 16M. -2252. [bug] Fixed errors in sortlist code [RT #17216] +2252. [bug] Fixed errors in sortlist code [RT #17216] 2251. [placeholder] @@ -1456,11 +1460,11 @@ memory statistics file should be written or not. Additionally named's -m option will cause the statistics file to be written. [RT #17113] - -2249. [bug] Only set Authentic Data bit if client requested - DNSSEC, per RFC 3655 [RT #17175] -2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] +2249. [bug] Only set Authentic Data bit if client requested + DNSSEC, per RFC 3655 [RT #17175] + +2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] 2247. [doc] Sort doc/misc/options. [RT #17067] @@ -1501,11 +1505,11 @@ 2235. [bug] was not being installed. [RT #17135] -2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] - -2233. [func] Add support for O(1) ACL processing, based on - radix tree code originally written by Kevin - Brintnall. [RT #16288] +2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] + +2233. [func] Add support for O(1) ACL processing, based on + radix tree code originally written by Kevin + Brintnall. [RT #16288] 2232. [bug] dns_adb_findaddrinfo() could fail and return ISC_R_SUCCESS. [RT #17137] @@ -1526,7 +1530,7 @@ 2226. [placeholder] 2225. [bug] More support for systems with no IPv4 addresses. - [RT #17111] + [RT #17111] 2224. [bug] Defer journal compaction if a xfrin is in progress. [RT #17119] @@ -1534,7 +1538,7 @@ 2223. [bug] Make a new journal when compacting. [RT #17119] 2222. [func] named-checkconf now checks server key references. - [RT #17097] + [RT #17097] 2221. [bug] Set the event result code to reflect the actual record turned to caller when a cache update is @@ -1543,7 +1547,7 @@ 2220. [bug] win32: Address a race condition in final shutdown of the Windows socket code. [RT #17028] - + 2219. [bug] Apply zone consistency checks to additions, not removals, when updating. [RT #17049] @@ -1553,7 +1557,7 @@ 2217. [func] Adjust update log levels. [RT #17092] 2216. [cleanup] Fix a number of errors reported by Coverity. - [RT #17094] + [RT #17094] 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] @@ -1599,7 +1603,7 @@ localhost;) is used. [RT #16987] - + 2205. [bug] libbind: change #2119 broke thread support. [RT #16982] 2204. [bug] "rndc flushanme name unknown-view" caused named @@ -1738,7 +1742,7 @@ allow-query-on, allow-recursion-on and allow-query-cache-on. [RT #16291] -2164. [bug] The code to determine how named-checkzone / +2164. [bug] The code to determine how named-checkzone / named-compilezone was called failed under windows. [RT #16764] @@ -1945,14 +1949,14 @@ 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and net_cidr_ntop_ipv6(). [RT #16388] - + 2094. [contrib] Update named-bootconf. [RT# 16404] 2093. [bug] named-checkzone -s was broken. 2092. [bug] win32: dig, host, nslookup. Use registry config if resolv.conf does not exist or no nameservers - listed. [RT #15877] + listed. [RT #15877] 2091. [port] dighost.c: race condition on cleanup. [RT #16417] @@ -2356,7 +2360,7 @@ 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] -1963. [port] Tru64 4.0E doesn't support send() and recv(). +1963. [port] Tru64 4.0E doesn't support send() and recv(). [RT #15586] 1962. [bug] Named failed to clear old update-policy when it @@ -2399,7 +2403,7 @@ 1951. [security] Drop queries from particular well known ports. Don't return FORMERR to queries from particular well known ports. [RT #15636] - + 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket. This prevents the source address being set for TCP connections. [RT #15628] @@ -2421,7 +2425,7 @@ 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. To generate a RSAMD5 key you must explicitly request RSAMD5. [RT #13780] - + 1944. [cleanup] isc_hash_create() does not need a read/write lock. [RT #15522] @@ -2533,7 +2537,7 @@ [RT #15034] 1905. [bug] Strings returned from cfg_obj_asstring() should be - treated as read-only. The prototype for + treated as read-only. The prototype for cfg_obj_asstring() has been updated to reflect this. [RT #15256] @@ -2665,10 +2669,10 @@ 1863. [bug] rrset-order "fixed" error messages not complete. 1862. [func] Add additional zone data constancy checks. - named-checkzone has extended checking of NS, MX and + named-checkzone has extended checking of NS, MX and SRV record and the hosts they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. + New zone options: check-mx and integrity-check. [RT #4940] 1861. [bug] dig could trigger a INSIST on certain malformed @@ -2711,9 +2715,9 @@ 1848. [bug] Improve SMF integration. [RT #13238] 1847. [bug] isc_ondestroy_init() is called too late in - dns_rbtdb_create()/dns_rbtdb64_create(). + dns_rbtdb_create()/dns_rbtdb64_create(). [RT #13661] - + 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer . @@ -3005,7 +3009,7 @@ [RT #12866] 1748. [func] dig now returns the byte count for axfr/ixfr. - + 1747. [bug] BIND 8 compatibility: named/named-checkconf failed to parse "host-statistics-max" in named.conf. @@ -3023,7 +3027,7 @@ requested number of worker threads then destruction of the manager would trigger an INSIST() failure. [RT #12790] - + 1742. [bug] Deleting all records at a node then adding a previously existing record, in a single UPDATE transaction, failed to leave / regenerate the @@ -3034,7 +3038,7 @@ 1740. [bug] Replace rbt's hash algorithm as it performed badly with certain zones. [RT #12729] - + NOTE: a hash context now needs to be established via isc_hash_create() if the application was not already doing this. @@ -3049,7 +3053,7 @@ 1736. [bug] dst_key_fromnamedfile() could fail to read a public key. [RT #12687] - + 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. [RE #12688] @@ -3226,7 +3230,7 @@ 1675. [bug] named would sometimes add extra NSEC records to the authority section. - + 1674. [port] linux: increase buffer size used to scan /proc/net/if_inet6. @@ -3300,7 +3304,7 @@ 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet - implemented). + implemented). 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. @@ -3330,7 +3334,7 @@ 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] - + 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if @@ -3424,21 +3428,21 @@ 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] -1606. [bug] DLV insecurity proof was failing. +1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initialized structure. - + 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] -1601. [bug] Silence spurious warning 'both "recursion no;" and +1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] diff --git a/lib/isc/win32/include/isc/stat.h b/lib/isc/win32/include/isc/stat.h index 2638a916dd..2966ebf0f5 100644 --- a/lib/isc/win32/include/isc/stat.h +++ b/lib/isc/win32/include/isc/stat.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: stat.h,v 1.7 2007/06/19 23:47:20 tbox Exp $ */ +/* $Id: stat.h,v 1.8 2009/10/01 04:43:30 marka Exp $ */ #ifndef ISC_STAT_H #define ISC_STAT_H 1 @@ -36,6 +36,19 @@ #define S_IROTH _S_IREAD /* Other read permission */ #define S_IWOTH _S_IWRITE /* Other write permission */ +#ifndef S_IFMT +# define S_IFMT _S_IFMT +#endif +#ifndef S_IFDIR +# define S_IFDIR _S_IFDIR +#endif +#ifndef S_IFCHR +# define S_IFCHR _S_IFCHR +#endif +#ifndef S_IFREG +# define S_IFREG _S_IFREG +#endif + #ifndef S_ISDIR # define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) #endif From 098097efb95046a4a5285b6dae95dea3e3b70853 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 1 Oct 2009 23:30:45 +0000 Subject: [PATCH 235/385] newcopyrights --- util/copyrights | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/copyrights b/util/copyrights index 8ba9d3ef01..b0ed8a6d67 100644 --- a/util/copyrights +++ b/util/copyrights @@ -2152,7 +2152,7 @@ ./lib/isc/include/isc/md5.h C 2000,2001,2004,2005,2006,2007,2009 ./lib/isc/include/isc/mem.h C 1997,1998,1999,2000,2001,2004,2005,2006,2007,2008,2009 ./lib/isc/include/isc/msgcat.h C 1999,2000,2001,2004,2005,2007 -./lib/isc/include/isc/msgs.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008 +./lib/isc/include/isc/msgs.h C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/isc/include/isc/mutexblock.h C 1999,2000,2001,2004,2005,2006,2007 ./lib/isc/include/isc/namespace.h C 2009 ./lib/isc/include/isc/netaddr.h C 1998,1999,2000,2001,2002,2004,2005,2006,2007,2009 @@ -2360,7 +2360,7 @@ ./lib/isc/win32/include/isc/offset.h C 2000,2001,2004,2007 ./lib/isc/win32/include/isc/once.h C 1999,2000,2001,2004,2007 ./lib/isc/win32/include/isc/platform.h C 2001,2004,2005,2007,2008,2009 -./lib/isc/win32/include/isc/stat.h C 2000,2001,2003,2004,2007 +./lib/isc/win32/include/isc/stat.h C 2000,2001,2003,2004,2007,2009 ./lib/isc/win32/include/isc/stdtime.h C 1999,2000,2001,2004,2005,2007 ./lib/isc/win32/include/isc/strerror.h C 2001,2004,2007 ./lib/isc/win32/include/isc/syslog.h C 1999,2000,2001,2004,2007 From edb08fdf7b0da58ef11f218088b582a45ebbe5fc Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 1 Oct 2009 23:48:08 +0000 Subject: [PATCH 236/385] update copyright notice --- lib/isc/include/isc/msgs.h | 4 ++-- lib/isc/win32/include/isc/stat.h | 6 +++--- lib/isccfg/aclconf.c | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h index 14d0967a1d..f780284691 100644 --- a/lib/isc/include/isc/msgs.h +++ b/lib/isc/include/isc/msgs.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: msgs.h,v 1.18 2009/10/01 01:30:01 sar Exp $ */ +/* $Id: msgs.h,v 1.19 2009/10/01 23:48:08 tbox Exp $ */ #ifndef ISC_MSGS_H #define ISC_MSGS_H 1 diff --git a/lib/isc/win32/include/isc/stat.h b/lib/isc/win32/include/isc/stat.h index 2966ebf0f5..2c822b9e7d 100644 --- a/lib/isc/win32/include/isc/stat.h +++ b/lib/isc/win32/include/isc/stat.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: stat.h,v 1.8 2009/10/01 04:43:30 marka Exp $ */ +/* $Id: stat.h,v 1.9 2009/10/01 23:48:08 tbox Exp $ */ #ifndef ISC_STAT_H #define ISC_STAT_H 1 @@ -24,7 +24,7 @@ /* open() under unix allows setting of read/write permissions * at the owner, group and other levels. These don't exist in NT - * We'll just map them all to the NT equivalent + * We'll just map them all to the NT equivalent */ #define S_IREAD _S_IREAD /* read permission, owner */ diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c index e6a7dd6dfd..0a240e987c 100644 --- a/lib/isccfg/aclconf.c +++ b/lib/isccfg/aclconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aclconf.c,v 1.26 2009/10/01 04:06:37 marka Exp $ */ +/* $Id: aclconf.c,v 1.27 2009/10/01 23:48:08 tbox Exp $ */ #include @@ -208,7 +208,7 @@ count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx, result = get_acl_def(cctx, name, &cacl); if (result == ISC_R_SUCCESS) n += count_acl_elements(cacl, cctx, - NULL) + 1; + NULL) + 1; } } } From 339c130823ff00cdfa70d1f0a8922199aa37f33c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 2 Oct 2009 06:28:27 +0000 Subject: [PATCH 237/385] ISC_PLATFORM_NORETURN_POST not ISC_PLATFORM_NORETURN --- configure | 6 +++--- configure.in | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/configure b/configure index b7aad8c498..97cb06f8f8 100755 --- a/configure +++ b/configure @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. # -# $Id: configure,v 1.466 2009/09/29 15:08:12 fdupont Exp $ +# $Id: configure,v 1.467 2009/10/02 06:28:27 marka Exp $ # # Portions Copyright (C) 1996-2001 Nominum, Inc. # @@ -29,7 +29,7 @@ # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# From configure.in Revision: 1.480 . +# From configure.in Revision: 1.481 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61. # @@ -21669,7 +21669,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 { echo "$as_me:$LINENO: result: no" >&5 echo "${ECHO_T}no" >&6; } ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" - ISC_PLATFORM_NORETURN="#define ISC_PLATFORM_NORETURN_POST" + ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext diff --git a/configure.in b/configure.in index 73c4477935..202eb39a61 100644 --- a/configure.in +++ b/configure.in @@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl esyscmd([sed "s/^/# /" COPYRIGHT])dnl AC_DIVERT_POP()dnl -AC_REVISION($Revision: 1.480 $) +AC_REVISION($Revision: 1.481 $) AC_INIT(lib/dns/name.c) AC_PREREQ(2.59) @@ -348,7 +348,7 @@ AC_TRY_COMPILE([],[void foo() __attribute__((noreturn));], ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST __attribute__((noreturn))"], [AC_MSG_RESULT(no) ISC_PLATFORM_NORETURN_PRE="#define ISC_PLATFORM_NORETURN_PRE" - ISC_PLATFORM_NORETURN="#define ISC_PLATFORM_NORETURN_POST"]) + ISC_PLATFORM_NORETURN_POST="#define ISC_PLATFORM_NORETURN_POST"]) AC_SUBST(ISC_PLATFORM_NORETURN_PRE) AC_SUBST(ISC_PLATFORM_NORETURN_POST) From 3d0d370eb9f72af473e9f0c4f3ee4c4ade3a0e52 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Fri, 2 Oct 2009 23:18:41 +0000 Subject: [PATCH 238/385] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 9329968a5d..5d07c9d103 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -235,6 +235,7 @@ rt19910 new marka // 2009-07-09 02:38 +0000 rt19942 new each // 2009-08-27 23:01 +0000 rt19943 new each // 2009-09-15 03:18 +0000 rt19943a new each // 2009-09-23 16:06 +0000 +rt19943b new each // 2009-10-02 05:42 +0000 rt20001 new each // 2009-08-05 15:54 +0000 rt20023 new fdupont // 2009-07-31 15:08 +0000 rt20037 new marka // 2009-08-11 07:46 +0000 From 4256ffffb9da267edf7925597714afaacabebf5a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 3 Oct 2009 16:24:51 +0000 Subject: [PATCH 239/385] add placeholder --- CHANGES | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES b/CHANGES index e9f8d65d30..bb99e55b68 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2698. [placeholder] + 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including . [RT #20309] From 121079934564d8cedaec267dbfb6597bb784303e Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 3 Oct 2009 18:03:54 +0000 Subject: [PATCH 240/385] Add /* NOTREACHED */ comments --- bin/dig/dig.c | 5 ++++- bin/dnssec/dnssec-keyfromlabel.c | 3 ++- bin/dnssec/dnssec-keygen.c | 3 ++- bin/dnssec/dnssec-signzone.c | 3 ++- bin/dnssec/dnssectool.c | 4 +++- lib/dns/rbtdb.c | 3 ++- 6 files changed, 15 insertions(+), 6 deletions(-) diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 884cc95388..9783024bc8 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.232 2009/09/29 15:06:05 fdupont Exp $ */ +/* $Id: dig.c,v 1.233 2009/10/03 18:03:53 each Exp $ */ /*! \file */ @@ -1155,6 +1155,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, have_ipv6 = ISC_FALSE; } else { fatal("can't find IPv4 networking"); + /* NOTREACHED */ return (ISC_FALSE); } break; @@ -1164,6 +1165,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, have_ipv4 = ISC_FALSE; } else { fatal("can't find IPv6 networking"); + /* NOTREACHED */ return (ISC_FALSE); } break; @@ -1387,6 +1389,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, fprintf(stderr, "Invalid option: -%s\n", option); usage(); } + /* NOTREACHED */ return (ISC_FALSE); } diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 370b02a5e9..f0e41d1101 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.16 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */ /*! \file */ @@ -384,6 +384,7 @@ main(int argc, char **argv) { alg_format(alg, algstr, sizeof(algstr)); fatal("failed to get key %s/%s: %s\n", namestr, algstr, isc_result_totext(ret)); + /* NOTREACHED */ exit(-1); } diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 86d8bbdee1..0c5d497fce 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.97 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */ /*! \file */ @@ -668,6 +668,7 @@ main(int argc, char **argv) { alg_format(alg, algstr, sizeof(algstr)); fatal("failed to generate key %s/%s: %s\n", namestr, algstr, isc_result_totext(ret)); + /* NOTREACHED */ exit(-1); } diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index cfa01f7811..5532e1a34e 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.239 2009/09/29 22:17:34 each Exp $ */ +/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */ /*! \file */ @@ -372,6 +372,7 @@ expecttofindkey(dns_name_t *name) { dns_name_format(name, namestr, sizeof(namestr)); fatal("failure looking for '%s DNSKEY' in database: %s", namestr, isc_result_totext(result)); + /* NOTREACHED */ return (ISC_FALSE); /* removes a warning */ } diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 62f3da33ba..22111ef529 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.c,v 1.53 2009/09/03 00:12:23 each Exp $ */ +/* $Id: dnssectool.c,v 1.54 2009/10/03 18:03:54 each Exp $ */ /*! \file */ @@ -282,6 +282,7 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) { default: fatal("time value %s is invalid", str); } + /* NOTREACHED */ break; case 'W': case 'w': return (offset * (7 * 24 * 3600)); @@ -294,6 +295,7 @@ time_units(isc_stdtime_t offset, char *suffix, const char *str) { default: fatal("time value %s is invalid", str); } + /* NOTREACHED */ return(0); /* silence compiler warning */ } diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 0bbf3d9c97..4d08629a8e 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.278 2009/09/01 00:22:26 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.279 2009/10/03 18:03:54 each Exp $ */ /*! \file */ @@ -3916,6 +3916,7 @@ zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options, FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!"); + /* NOTREACHED */ return (ISC_R_NOTIMPLEMENTED); } From c36ba263d6318740da965f5351fe09e74f1d8aa2 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 3 Oct 2009 22:39:27 +0000 Subject: [PATCH 241/385] 2699. [bug] Missing lock in rbtdb.c. [RT #20037] --- CHANGES | 2 ++ lib/dns/rbtdb.c | 76 +++++++++++++++++++++++-------------------------- 2 files changed, 38 insertions(+), 40 deletions(-) diff --git a/CHANGES b/CHANGES index bb99e55b68..2bdd290d02 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2699. [bug] Missing lock in rbtdb.c. [RT #20037] + 2698. [placeholder] 2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 4d08629a8e..0249ed8588 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.279 2009/10/03 18:03:54 each Exp $ */ +/* $Id: rbtdb.c,v 1.280 2009/10/03 22:39:27 each Exp $ */ /*! \file */ @@ -258,21 +258,8 @@ typedef struct rdatasetheader { dns_rbtnode_t *node; isc_stdtime_t last_used; - ISC_LINK(struct rdatasetheader) lru_link; - /*%< - * Used for LRU-based cache management. We should probably make - * these cache-DB specific. We might also make it a pointer and - * ensure only the top header has a valid link to save memory. - * The linked-list is locked by the rbtdb->lrulock. - */ + ISC_LINK(struct rdatasetheader) link; - /* - * It's possible this should not be here anymore, but instead - * referenced from the bucket's heap directly. - */ -#if 0 - isc_heap_t *heap; -#endif unsigned int heap_index; /*%< * Used for TTL-based cache cleaning. @@ -1229,7 +1216,7 @@ free_noqname(isc_mem_t *mctx, struct noqname **noqname) { static inline void init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) { - ISC_LINK_INIT(h, lru_link); + ISC_LINK_INIT(h, link); h->heap_index = 0; #if TRACE_HEADER @@ -1269,8 +1256,10 @@ free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset) } idx = rdataset->node->locknum; - if (ISC_LINK_LINKED(rdataset, lru_link)) - ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, lru_link); + if (ISC_LINK_LINKED(rdataset, link)) { + INSIST(IS_CACHE(rbtdb)); + ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, link); + } if (rdataset->heap_index != 0) isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index); rdataset->heap_index = 0; @@ -2296,17 +2285,18 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { for (header = HEAD(resigned_list); header != NULL; header = HEAD(resigned_list)) { - ISC_LIST_UNLINK(resigned_list, header, lru_link); - if (rollback) { - nodelock_t *lock; - lock = &rbtdb->node_locks[header->node->locknum].lock; - NODE_LOCK(lock, isc_rwlocktype_write); + nodelock_t *lock; + + ISC_LIST_UNLINK(resigned_list, header, link); + + lock = &rbtdb->node_locks[header->node->locknum].lock; + NODE_LOCK(lock, isc_rwlocktype_write); + if (rollback) resign_insert(rbtdb, header->node->locknum, header); - NODE_UNLOCK(lock, isc_rwlocktype_write); - } decrement_reference(rbtdb, header->node, least_serial, isc_rwlocktype_write, isc_rwlocktype_none, ISC_FALSE); + NODE_UNLOCK(lock, isc_rwlocktype_write); } if (!EMPTY(cleanup_list)) { @@ -5416,8 +5406,10 @@ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { isc_result_t result; + INSIST(!IS_CACHE(rbtdb)); INSIST(newheader->heap_index == 0); - INSIST(!ISC_LINK_LINKED(newheader, lru_link)); + INSIST(!ISC_LINK_LINKED(newheader, link)); + result = isc_heap_insert(rbtdb->heaps[idx], newheader); return (result); } @@ -5743,7 +5735,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { ISC_LIST_PREPEND(rbtdb->rdatasets[idx], - newheader, lru_link); + newheader, link); /* * XXXMLG We don't check the return value * here. If it fails, we will not do TTL @@ -5802,7 +5794,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { ISC_LIST_PREPEND(rbtdb->rdatasets[idx], - newheader, lru_link); + newheader, link); isc_heap_insert(rbtdb->heaps[idx], newheader); } else if (RESIGN(newheader)) { resign_insert(rbtdb, idx, newheader); @@ -6535,11 +6527,17 @@ static void delete_callback(void *data, void *arg) { dns_rbtdb_t *rbtdb = arg; rdatasetheader_t *current, *next; - - for (current = data; current != NULL; current = next) { + unsigned int locknum; + + current = data; + locknum = current->node->locknum; + NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); + while (current != NULL) { next = current->next; free_rdataset(rbtdb, rbtdb->common.mctx, current); + current = next; } + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); } static isc_boolean_t @@ -6777,7 +6775,7 @@ resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) header = rdataset->private3; header--; - RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); + RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); /* @@ -6787,11 +6785,11 @@ resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version) new_reference(rbtdb, node); isc_heap_delete(rbtdb->heaps[node->locknum], header->heap_index); header->heap_index = 0; - ISC_LIST_APPEND(rbtversion->resigned_list, header, lru_link); + ISC_LIST_APPEND(rbtversion->resigned_list, header, link); NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); - RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); + RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); } static dns_stats_t * @@ -8554,13 +8552,11 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, INSIST(IS_CACHE(rbtdb)); /* To be checked: can we really assume this? XXXMLG */ - INSIST(ISC_LINK_LINKED(header, lru_link)); + INSIST(ISC_LINK_LINKED(header, link)); - ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], - header, lru_link); + ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], header, link); header->last_used = now; - ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], - header, lru_link); + ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); } /*% @@ -8596,7 +8592,7 @@ overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); header != NULL && purgecount > 0; header = header_prev) { - header_prev = ISC_LIST_PREV(header, lru_link); + header_prev = ISC_LIST_PREV(header, link); /* * Unlink the entry at this point to avoid checking it * again even if it's currently used someone else and @@ -8605,7 +8601,7 @@ overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, * TTL was reset to 0. */ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, - lru_link); + link); expire_header(rbtdb, header, tree_locked); purgecount--; } From 1a0eecfe694275dfadccc6074aaa4340845cc85d Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sat, 3 Oct 2009 23:35:28 +0000 Subject: [PATCH 242/385] 2700. [doc] The match-mapped-addresses option is discouraged. [RT #12252] --- CHANGES | 3 +++ doc/arm/Bv9ARM-book.xml | 18 ++++++++++-------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 2bdd290d02..958313aa2a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2700. [doc] The match-mapped-addresses option is discouraged. + [RT #12252] + 2699. [bug] Missing lock in rbtdb.c. [RT #20037] 2698. [placeholder] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 1e55d84b1f..7cc9de752e 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -6176,13 +6176,15 @@ options { If yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. - Enabling this option is sometimes useful on IPv6-enabled - Linux - systems, to work around a kernel quirk that causes IPv4 - TCP connections such as zone transfers to be accepted - on an IPv6 socket using mapped addresses, causing - address match lists designed for IPv4 to fail to match. - The use of this option for any other purpose is discouraged. + + + This option was introduced to work around a kernel quirk + in some operating systems that causes IPv4 TCP + connections, such as zone transfers, to be accepted on an + IPv6 socket using mapped addresses. This caused address + match lists designed for IPv4 to fail to match. However, + named now solves this problem + internally. The use of this option is discouraged. From 4fa2649d5762e0dfb9efba146fb08debb564f21a Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sat, 3 Oct 2009 23:48:10 +0000 Subject: [PATCH 243/385] update copyright notice --- lib/dns/rbtdb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 0249ed8588..cf8a5e6a0a 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.280 2009/10/03 22:39:27 each Exp $ */ +/* $Id: rbtdb.c,v 1.281 2009/10/03 23:48:10 tbox Exp $ */ /*! \file */ @@ -2291,7 +2291,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { lock = &rbtdb->node_locks[header->node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_write); - if (rollback) + if (rollback) resign_insert(rbtdb, header->node->locknum, header); decrement_reference(rbtdb, header->node, least_serial, isc_rwlocktype_write, isc_rwlocktype_none, @@ -6528,7 +6528,7 @@ delete_callback(void *data, void *arg) { dns_rbtdb_t *rbtdb = arg; rdatasetheader_t *current, *next; unsigned int locknum; - + current = data; locknum = current->node->locknum; NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); From 04ecc85ca69027c4d56b4a11ce5bafb21ebf3966 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Sun, 4 Oct 2009 01:14:58 +0000 Subject: [PATCH 244/385] regen --- doc/arm/Bv9ARM.ch06.html | 114 +++++++++-------- doc/arm/Bv9ARM.ch07.html | 14 +-- doc/arm/Bv9ARM.ch08.html | 18 +-- doc/arm/Bv9ARM.ch09.html | 180 +++++++++++++-------------- doc/arm/Bv9ARM.html | 46 +++---- doc/arm/man.ddns-confgen.html | 10 +- doc/arm/man.dig.html | 20 +-- doc/arm/man.dnssec-dsfromkey.html | 16 +-- doc/arm/man.dnssec-keyfromlabel.html | 14 +-- doc/arm/man.dnssec-keygen.html | 16 +-- doc/arm/man.dnssec-revoke.html | 10 +- doc/arm/man.dnssec-settime.html | 14 +-- doc/arm/man.dnssec-signzone.html | 12 +- doc/arm/man.host.html | 10 +- doc/arm/man.named-checkconf.html | 12 +- doc/arm/man.named-checkzone.html | 12 +- doc/arm/man.named.html | 16 +-- doc/arm/man.nsupdate.html | 14 +-- doc/arm/man.rndc-confgen.html | 12 +- doc/arm/man.rndc.conf.html | 12 +- doc/arm/man.rndc.html | 12 +- 21 files changed, 294 insertions(+), 290 deletions(-) diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 68543607dd..00e0c62dd1 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -78,28 +78,28 @@
    server Statement Definition and Usage
    statistics-channels Statement Grammar
    -
    statistics-channels Statement Definition and +
    statistics-channels Statement Definition and Usage
    -
    trusted-keys Statement Grammar
    -
    trusted-keys Statement Definition +
    trusted-keys Statement Grammar
    +
    trusted-keys Statement Definition and Usage
    -
    managed-keys Statement Grammar
    -
    managed-keys Statement Definition +
    managed-keys Statement Grammar
    +
    managed-keys Statement Definition and Usage
    view Statement Grammar
    -
    view Statement Definition and Usage
    +
    view Statement Definition and Usage
    zone Statement Grammar
    -
    zone Statement Definition and Usage
    +
    zone Statement Definition and Usage
    -
    Zone File
    +
    Zone File
    Types of Resource Records and When to Use Them
    -
    Discussion of MX Records
    +
    Discussion of MX Records
    Setting TTLs
    -
    Inverse Mapping in IPv4
    -
    Other Zone File Directives
    -
    BIND Master File Extension: the $GENERATE Directive
    +
    Inverse Mapping in IPv4
    +
    Other Zone File Directives
    +
    BIND Master File Extension: the $GENERATE Directive
    Additional File Formats
    BIND9 Statistics
    @@ -3171,18 +3171,22 @@ options {

    match-mapped-addresses
    -

    +

    +

    If yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. - Enabling this option is sometimes useful on IPv6-enabled - Linux - systems, to work around a kernel quirk that causes IPv4 - TCP connections such as zone transfers to be accepted - on an IPv6 socket using mapped addresses, causing - address match lists designed for IPv4 to fail to match. - The use of this option for any other purpose is discouraged. -

    +

    +

    + This option was introduced to work around a kernel quirk + in some operating systems that causes IPv4 TCP + connections, such as zone transfers, to be accepted on an + IPv6 socket using mapped addresses. This caused address + match lists designed for IPv4 to fail to match. However, + named now solves this problem + internally. The use of this option is discouraged. +

    +
    ixfr-from-differences

    @@ -3362,7 +3366,7 @@ options {

    -Forwarding

    +Forwarding

    The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3406,7 +3410,7 @@ options {

    -Dual-stack Servers

    +Dual-stack Servers

    Dual-stack servers are used as servers of last resort to work around @@ -3603,7 +3607,7 @@ options {

    -Interfaces

    +Interfaces

    The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -4055,7 +4059,7 @@ avoid-v6-udp-ports {};

    -UDP Port Lists

    +UDP Port Lists

    use-v4-udp-ports, avoid-v4-udp-ports, @@ -4097,7 +4101,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

    -Operating System Resource Limits

    +Operating System Resource Limits

    The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -4259,7 +4263,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

    -Periodic Task Intervals

    +Periodic Task Intervals
    cleaning-interval

    @@ -5055,7 +5059,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

    -Content Filtering

    +Content Filtering

    BIND 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -5385,7 +5389,7 @@ deny-answer-aliases { "example.net"; };

    -statistics-channels Statement Definition and +statistics-channels Statement Definition and Usage

    The statistics-channels statement @@ -5436,7 +5440,7 @@ deny-answer-aliases { "example.net"; };

    -trusted-keys Statement Grammar

    +trusted-keys Statement Grammar
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5445,7 +5449,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5485,7 +5489,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5494,7 +5498,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5604,7 +5608,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5881,10 +5885,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    @@ -6095,7 +6099,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6117,7 +6121,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6747,7 +6751,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6760,7 +6764,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7497,7 +7501,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7700,7 +7704,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7956,7 +7960,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8017,7 +8021,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8032,7 +8036,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8043,7 +8047,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8072,7 +8076,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8108,7 +8112,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8127,7 +8131,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8551,7 +8555,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9108,7 +9112,7 @@ HOST-127.EXAMPLE. MX 0 .
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
 

 
 
    @@ -9262,7 +9266,7 @@ HOST-127.EXAMPLE. MX 0 .
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
 

 
 
    @@ -9645,7 +9649,7 @@ HOST-127.EXAMPLE. MX 0 .
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9800,7 +9804,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 531c63c15e..08b4038503 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index d15cd3dbdf..04e92412e2 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 81d1791e0e..e477a3587d 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 65c51472dc..2c518a1b6a 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 474ff53e37..c7bdacf3d3 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 807c025f70..2b01f9be06 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index b56ca82516..8ccf6fbe81 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 8b2d1cc474..af96c6f68a 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -154,7 +154,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -201,7 +201,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -240,7 +240,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -250,7 +250,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index d0b437cb8f..87b451a808 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -231,7 +231,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -278,7 +278,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -324,7 +324,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -345,7 +345,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -354,7 +354,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index d1ce5870db..bf611d8289 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -86,14 +86,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 4525a1326b..14f6a681e5 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -101,7 +101,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,7 +146,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -172,7 +172,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -180,7 +180,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 7f8d7e8a8c..54c67edab1 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -379,7 +379,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -408,14 +408,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index f8343f2cc4..14dd3d4c28 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 745faebe11..72bcccda6e 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index c520f33bca..15210c19a0 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 5bb57709a9..548473cdfb 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +259,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +276,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -289,7 +289,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +302,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 0ba9f0eab4..db8db679a9 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 4c29cdcaa6..18a331e3cb 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 6df266ca9f..3cbd8411f4 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 41c61cf092..b111bbbdea 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 58b81e715134c2304b9058c8476b9bf10a55daca Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sun, 4 Oct 2009 23:18:24 +0000
Subject: [PATCH 245/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 5d07c9d103..a79989d263 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -247,6 +247,7 @@ rt20191				new	vjs	// 2009-09-20 01:55 +0000
 rt20225				new	fdupont	// 2009-09-18 11:50 +0000
 rt20229				new	fdupont	// 2009-09-23 22:33 +0000
 rt20230				new	fdupont	// 2009-09-19 22:45 +0000
+rt20230a			new	fdupont	// 2009-10-04 14:49 +0000
 rt20236				new	fdupont	// 2009-09-19 22:34 +0000
 rt20247				new	each	// 2009-09-11 03:22 +0000
 rt20253				new	sar	// 2009-09-11 22:17 +0000

From 48b6d2f585d753ac89a11cb5bafb14f239e08430 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 01:49:59 +0000
Subject: [PATCH 246/385] 2701.	[doc]		Correction to ARM: hmac-md5 is
 no longer the only 			supported TSIG key algorithm. [RT
 #18046]

---
 CHANGES                 |  3 +++
 FAQ                     | 16 ++++++++--------
 FAQ.xml                 | 18 +++++++++---------
 doc/arm/Bv9ARM-book.xml | 23 ++++++++++-------------
 4 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/CHANGES b/CHANGES
index 958313aa2a..5e2513734d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
+			supported TSIG key algorithm. [RT #18046]
+
 2700.	[doc]		The match-mapped-addresses option is discouraged.
 			[RT #12252]
 
diff --git a/FAQ b/FAQ
index 4df1d764ce..a2d1686c4e 100644
--- a/FAQ
+++ b/FAQ
@@ -153,8 +153,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 
    Master 10.0.1.1:
            key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
            };
            view "internal" {
                    match-clients { !key external; // reject message ment for the
@@ -174,8 +174,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
 
    Slave 10.0.1.2:
            key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
            };
            view "internal" {
                    match-clients { !key external; 10.0.1/24; };
@@ -225,13 +225,13 @@ A: You choose one view to be master and the second a slave and transfer
 
    Master 10.0.1.1:
            key "external" {
-                   algorithm hmac-md5;
-                   secret "xxxxxxxx";
+                   algorithm hmac-sha256;
+                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
            };
 
            key "mykey" {
-                   algorithm hmac-md5;
-                   secret "yyyyyyyy";
+                   algorithm hmac-sha256;
+                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
            };
 
            view "internal" {
diff --git a/FAQ.xml b/FAQ.xml
index 7e7a4bab07..ea51916599 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
    
   Frequently Asked Questions about BIND 9
@@ -319,8 +319,8 @@ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
 	  
 Master 10.0.1.1:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};
 	view "internal" {
 		match-clients { !key external; // reject message ment for the
@@ -340,8 +340,8 @@ Master 10.0.1.1:
 
 Slave 10.0.1.2:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};
 	view "internal" {
 		match-clients { !key external; 10.0.1/24; };
@@ -429,13 +429,13 @@ named-checkzone example.com tmp
 	  
 Master 10.0.1.1:
 	key "external" {
-		algorithm hmac-md5;
-		secret "xxxxxxxx";
+		algorithm hmac-sha256;
+		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
 	};
 
 	key "mykey" {
-		algorithm hmac-md5;
-		secret "yyyyyyyy";
+		algorithm hmac-sha256;
+		secret "yyyyyyyyyyyyyyyyyyyyyyyy";
 	};
 
 	view "internal" {
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 7cc9de752e..ee4af5b9d3 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -2086,17 +2086,16 @@ nameserver 172.16.72.4
         
           Automatic Generation
           
-            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a
-            128-bit key.
+            are easier to read. Note that the maximum key length is the digest
+            length, here 256 bits.
           
           
-            dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
+            dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.
           
           
-            The key is in the file Khost1-host2.+157+00000.private.
+            The key is in the file Khost1-host2.+163+00000.private.
             Nothing directly uses this file, but the base-64 encoded string
             following "Key:"
             can be extracted from the file and used as a shared secret:
@@ -2138,18 +2137,16 @@ nameserver 172.16.72.4
 
 
 key host1-host2. {
-  algorithm hmac-md5;
+  algorithm hmac-sha256;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 
 
         
-          The algorithm, hmac-md5, is the only one supported by BIND.
           The secret is the one generated above. Since this is a secret, it
-          is recommended that either named.conf be non-world
-          readable, or the key directive be added to a non-world readable
-          file that is included by
-          named.conf.
+          is recommended that either named.conf be
+          non-world readable, or the key directive be added to a non-world
+          readable file that is included by named.conf.
         
         
           At this point, the key is recognized. This means that if the

From 78e0199a3920d7f9d7aa8b5cc0e14f6ecf9ee0fb Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 11:12:45 +0000
Subject: [PATCH 247/385] update OpenSSL PKCS#11 patch (19143)

---
 .../pkcs11/openssl-0.9.8k-patch               | 231 ++++++++++--------
 1 file changed, 123 insertions(+), 108 deletions(-)
 rename contrib/pkcs11-keygen/openssl-0.9.8i-patch => bin/pkcs11/openssl-0.9.8k-patch (98%)

diff --git a/contrib/pkcs11-keygen/openssl-0.9.8i-patch b/bin/pkcs11/openssl-0.9.8k-patch
similarity index 98%
rename from contrib/pkcs11-keygen/openssl-0.9.8i-patch
rename to bin/pkcs11/openssl-0.9.8k-patch
index 0ea5beeccc..79f3aa80a7 100644
--- a/contrib/pkcs11-keygen/openssl-0.9.8i-patch
+++ b/bin/pkcs11/openssl-0.9.8k-patch
@@ -1,17 +1,17 @@
 Index: openssl/Configure
-diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
---- openssl/Configure:1.1.2.1	Fri Sep 12 14:47:00 2008
-+++ openssl/Configure	Tue Dec 16 14:12:43 2008
-@@ -10,7 +10,7 @@
+diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
+--- openssl/Configure:1.1.3.1	Mon Feb 16 08:44:22 2009
++++ openssl/Configure	Fri Sep  4 10:43:21 2009
+@@ -12,7 +12,7 @@
  
  # see INSTALL for instructions.
  
--my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+-my $usage="Usage: Configure [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
  
  # Options:
  #
-@@ -19,6 +19,9 @@
+@@ -21,6 +21,9 @@
  # --prefix      prefix for the OpenSSL include, lib and bin directories
  #               (Default: the OPENSSLDIR directory)
  #
@@ -21,7 +21,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  # --install_prefix  Additional prefix for package builders (empty by
  #               default).  This needn't be set in advance, you can
  #               just as well use "make INSTALL_PREFIX=/whatever install".
-@@ -322,7 +325,7 @@
+@@ -329,7 +332,7 @@
  "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  #### IA-32 targets...
  "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -30,7 +30,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
  ####
  "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -573,6 +576,9 @@
+@@ -580,6 +583,9 @@
  my $idx_ranlib = $idx++;
  my $idx_arflags = $idx++;
  
@@ -40,7 +40,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  my $prefix="";
  my $openssldir="";
  my $exe_ext="";
-@@ -755,6 +761,10 @@
+@@ -812,6 +818,10 @@
  				{
  				$flags.=$_." ";
  				}
@@ -51,7 +51,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  			elsif (/^--prefix=(.*)$/)
  				{
  				$prefix=$1;
-@@ -878,6 +888,13 @@
+@@ -943,6 +953,13 @@
  	exit 0;
  }
  
@@ -65,7 +65,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  if ($target =~ m/^CygWin32(-.*)$/) {
  	$target = "Cygwin".$1;
  }
-@@ -1006,6 +1023,8 @@
+@@ -1103,6 +1120,8 @@
  if ($flags ne "")	{ $cflags="$flags$cflags"; }
  else			{ $no_user_cflags=1;       }
  
@@ -74,7 +74,7 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  # Kerberos settings.  The flavor must be provided from outside, either through
  # the script "config" or manually.
  if (!$no_krb5)
-@@ -1348,6 +1367,7 @@
+@@ -1456,6 +1475,7 @@
  	s/^VERSION=.*/VERSION=$version/;
  	s/^MAJOR=.*/MAJOR=$major/;
  	s/^MINOR=.*/MINOR=$minor/;
@@ -83,9 +83,9 @@ diff -u openssl/Configure:1.1.2.1 openssl/Configure:1.5
  	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
  	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
 Index: openssl/Makefile.org
-diff -u openssl/Makefile.org:1.1.2.1 openssl/Makefile.org:1.2
---- openssl/Makefile.org:1.1.2.1	Thu Apr  3 23:03:39 2008
-+++ openssl/Makefile.org	Fri Aug 29 16:19:02 2008
+diff -u openssl/Makefile.org:1.1.3.1 openssl/Makefile.org:1.3
+--- openssl/Makefile.org:1.1.3.1	Tue Mar  3 22:40:29 2009
++++ openssl/Makefile.org	Fri Sep  4 10:43:21 2009
 @@ -26,6 +26,9 @@
  INSTALL_PREFIX=
  INSTALLTOP=/usr/local/ssl
@@ -97,19 +97,19 @@ diff -u openssl/Makefile.org:1.1.2.1 openssl/Makefile.org:1.2
  OPENSSLDIR=/usr/local/ssl
  
 Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.4
---- /dev/null	Wed Sep  2 11:37:22 2009
-+++ openssl/README.pkcs11	Mon Dec 15 12:59:11 2008
-@@ -0,0 +1,218 @@
-+PKCS#11 engine support for OpenSSL 0.9.8i
+diff -u /dev/null openssl/README.pkcs11:1.5
+--- /dev/null	Mon Oct  5 11:08:12 2009
++++ openssl/README.pkcs11	Fri Sep  4 10:43:21 2009
+@@ -0,0 +1,230 @@
++PKCS#11 engine support for OpenSSL 0.9.8j
 +=========================================
 +
-+[December 2, 2008]
++[March 11, 2009]
 +
 +Contents:
 +
 +Overview
-+Revisions of patch for 0.9.8 branch
++Revisions of the patch for 0.9.8 branch
 +FAQs
 +Feedback
 +
@@ -118,19 +118,19 @@ diff -u /dev/null openssl/README.pkcs11:1.4
 +
 +This patch containing code available in OpenSolaris adds support for PKCS#11
 +engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
-+OpenSSL 0.9.8i source code distribution as shipped by OpenSSL.Org. Your system
++OpenSSL 0.9.8j source code distribution as shipped by OpenSSL.Org. Your system
 +must provide PKCS#11 backend otherwise the patch is useless. You provide the
 +PKCS#11 library name during the build configuration phase, see below.
 +
 +Patch can be applied like this:
 +
 +	# NOTE: use gtar if on Solaris
-+	tar xfzv openssl-0.9.8i.tar.gz
++	tar xfzv openssl-0.9.8j.tar.gz
 +	# now download the patch to the current directory
 +	# ...
-+	cd openssl-0.9.8i
-+	# NOTE: use gpatch if on Solaris	
-+	patch -p1 < ../pkcs11_engine-0.9.8i.patch.2008-12-02
++	cd openssl-0.9.8j
++	# NOTE: must use gpatch if on Solaris (is part of the system)
++	patch -p1 < path-to/pkcs11_engine-0.9.8j.patch.2009-03-11
 +
 +It is designed to support pure acceleration for RSA, DSA, DH and all the
 +symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
@@ -154,8 +154,8 @@ diff -u /dev/null openssl/README.pkcs11:1.4
 +| NOTE: this patch version does NOT contain experimental code for accessing    |
 +| RSA keys stored in PKCS#11 key stores by reference. Some problems were found |
 +| (thanks to all who wrote me!) and due to my ENOTIME problem I may address    |
-+| those issues in the next version of the patch that will have that code back, |
-+| hopefully fixed.                                                             |
++| those issues in a future version of the patch that will have that code back, |
++| hopefully fixed.                                                             | 
 ++------------------------------------------------------------------------------+
 +
 +You must provide the location of PKCS#11 library in your system to the
@@ -194,8 +194,20 @@ diff -u /dev/null openssl/README.pkcs11:1.4
 +Inc. and is released under the OpenSSL license (see LICENSE file for more
 +information).
 +
-+Revisions of patch for 0.9.8 branch
-+===================================
++Revisions of the patch for 0.9.8 branch
++=======================================
++
++2009-03-11
++- adjusted for OpenSSL version 0.9.8j 
++
++- README.pkcs11 moved out of the patch, and is shipped together with it in a
++  tarball instead so that it can be read before the patch is applied.
++
++- fixed bugs:
++
++	6804216 pkcs#11 engine should support a key length range for RC4
++	6734038 Apache SSL web server using the pkcs11 engine fails to start if
++		meta slot is disabled
 +
 +2008-12-02
 +- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
@@ -320,20 +332,20 @@ diff -u /dev/null openssl/README.pkcs11:1.4
 +Latest version should be always available on http://blogs.sun.com/janp.
 +
 Index: openssl/crypto/opensslconf.h
-diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
---- openssl/crypto/opensslconf.h:1.1.2.1	Mon Sep 15 15:27:21 2008
-+++ openssl/crypto/opensslconf.h	Mon Dec 15 13:00:52 2008
-@@ -36,6 +36,9 @@
- #endif
+diff -u openssl/crypto/opensslconf.h:1.1.3.1 openssl/crypto/opensslconf.h:1.5
+--- openssl/crypto/opensslconf.h:1.1.3.1	Wed Mar 25 13:11:43 2009
++++ openssl/crypto/opensslconf.h	Fri Sep  4 10:43:21 2009
+@@ -38,6 +38,9 @@
  
  #endif /* OPENSSL_DOING_MAKEDEPEND */
+ 
 +#ifndef OPENSSL_THREADS
 +# define OPENSSL_THREADS
 +#endif
  #ifndef OPENSSL_NO_DYNAMIC_ENGINE
  # define OPENSSL_NO_DYNAMIC_ENGINE
  #endif
-@@ -77,6 +80,8 @@
+@@ -79,6 +82,8 @@
  # endif
  #endif
  
@@ -341,8 +353,8 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
 +
  /* crypto/opensslconf.h.in */
  
- /* Generate 80386 code? */
-@@ -123,7 +128,7 @@
+ #ifdef OPENSSL_DOING_MAKEDEPEND
+@@ -140,7 +145,7 @@
   * This enables code handling data aligned at natural CPU word
   * boundary. See crypto/rc4/rc4_enc.c for further details.
   */
@@ -351,7 +363,7 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
  #endif
  #endif
  
-@@ -131,7 +136,7 @@
+@@ -148,7 +153,7 @@
  /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
   * %20 speed up (longs are 8 bytes, int's are 4). */
  #ifndef DES_LONG
@@ -360,7 +372,7 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
  #endif
  #endif
  
-@@ -145,9 +150,9 @@
+@@ -162,9 +167,9 @@
  /* The prime number generation stuff may not work when
   * EIGHT_BIT but I don't care since I've only used this mode
   * for debuging the bignum libraries */
@@ -372,7 +384,7 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
  #undef SIXTEEN_BIT
  #undef EIGHT_BIT
  #endif
-@@ -161,7 +166,7 @@
+@@ -178,7 +183,7 @@
  
  #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
  #define CONFIG_HEADER_BF_LOCL_H
@@ -381,7 +393,7 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
  #endif /* HEADER_BF_LOCL_H */
  
  #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-@@ -191,7 +196,7 @@
+@@ -208,7 +213,7 @@
  /* Unroll the inner loop, this sometimes helps, sometimes hinders.
   * Very mucy CPU dependant */
  #ifndef DES_UNROLL
@@ -391,9 +403,9 @@ diff -u openssl/crypto/opensslconf.h:1.1.2.1 openssl/crypto/opensslconf.h:1.4
  
  /* These default values were supplied by
 Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.1.2.1 openssl/crypto/engine/Makefile:1.3
---- openssl/crypto/engine/Makefile:1.1.2.1	Sun Sep 14 16:43:34 2008
-+++ openssl/crypto/engine/Makefile	Wed Oct 15 21:03:29 2008
+diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.4
+--- openssl/crypto/engine/Makefile:1.1.3.1	Wed Sep 17 17:10:59 2008
++++ openssl/crypto/engine/Makefile	Fri Sep  4 10:43:22 2009
 @@ -21,12 +21,14 @@
  	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
  	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
@@ -411,7 +423,7 @@ diff -u openssl/crypto/engine/Makefile:1.1.2.1 openssl/crypto/engine/Makefile:1.
  
  SRC= $(LIBSRC)
  
-@@ -279,6 +281,54 @@
+@@ -286,6 +288,54 @@
  eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
  eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
  eng_table.o: eng_table.c
@@ -468,7 +480,7 @@ diff -u openssl/crypto/engine/Makefile:1.1.2.1 openssl/crypto/engine/Makefile:1.
  tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 Index: openssl/crypto/engine/cryptoki.h
 diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
 @@ -0,0 +1,103 @@
 +/*
@@ -575,8 +587,8 @@ diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
 +
 +#endif	/* _CRYPTOKI_H */
 Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.1.2.1 openssl/crypto/engine/eng_all.c:1.2
---- openssl/crypto/engine/eng_all.c:1.1.2.1	Wed Jun  4 18:01:39 2008
+diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c:1.2
+--- openssl/crypto/engine/eng_all.c:1.1.3.1	Wed Jun  4 18:01:39 2008
 +++ openssl/crypto/engine/eng_all.c	Wed Oct 15 15:39:48 2008
 @@ -110,6 +110,9 @@
  #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
@@ -589,8 +601,8 @@ diff -u openssl/crypto/engine/eng_all.c:1.1.2.1 openssl/crypto/engine/eng_all.c:
  	}
  
 Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.1.2.1 openssl/crypto/engine/engine.h:1.2
---- openssl/crypto/engine/engine.h:1.1.2.1	Wed Jun  4 18:01:40 2008
+diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1.2
+--- openssl/crypto/engine/engine.h:1.1.3.1	Wed Jun  4 18:01:40 2008
 +++ openssl/crypto/engine/engine.h	Wed Oct 15 15:39:48 2008
 @@ -337,6 +337,7 @@
  void ENGINE_load_ubsec(void);
@@ -602,7 +614,7 @@ diff -u openssl/crypto/engine/engine.h:1.1.2.1 openssl/crypto/engine/engine.h:1.
  #ifndef OPENSSL_NO_CAPIENG
 Index: openssl/crypto/engine/hw_pk11-kp.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11-kp.c:1.20
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/hw_pk11-kp.c	Tue Sep  1 06:02:18 2009
 @@ -0,0 +1,1611 @@
 +/*
@@ -2217,10 +2229,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11-kp.c:1.20
 +#endif	/* OPENSSL_NO_HW_PK11 */
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
---- /dev/null	Wed Sep  2 11:37:23 2009
-+++ openssl/crypto/engine/hw_pk11.c	Fri Aug 28 06:31:09 2009
-@@ -0,0 +1,3916 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
+--- /dev/null	Mon Oct  5 11:08:14 2009
++++ openssl/crypto/engine/hw_pk11.c	Fri Sep  4 10:43:22 2009
+@@ -0,0 +1,3919 @@
 +/*
 + * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -2601,44 +2613,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
 +	enum pk11_cipher_id	id;
 +	int			nid;
 +	int			iv_len;
-+	int			key_len;
++	int			min_key_len;
++	int			max_key_len;
 +	CK_KEY_TYPE		key_type;
 +	CK_MECHANISM_TYPE	mech_type;
 +	} PK11_CIPHER;
 +
 +static PK11_CIPHER ciphers[] =
 +	{
-+	{ PK11_DES_CBC,		NID_des_cbc,		8,	8,
++	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
 +		CKK_DES,	CKM_DES_CBC, },
-+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,
++	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
 +		CKK_DES3,	CKM_DES3_CBC, },
-+	{ PK11_DES_ECB,		NID_des_ecb,		0,	8,
++	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
 +		CKK_DES,	CKM_DES_ECB, },
-+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,
++	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
 +		CKK_DES3,	CKM_DES3_ECB, },
-+	{ PK11_RC4,		NID_rc4,		0,	16,
++	{ PK11_RC4,		NID_rc4,		0,	16, 256,
 +		CKK_RC4,	CKM_RC4, },
-+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,
++	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
 +		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,
++	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
 +		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,
++	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
 +		CKK_AES,	CKM_AES_CBC, },
-+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,
++	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
 +		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,
++	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
 +		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,
++	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
 +		CKK_AES,	CKM_AES_ECB, },
-+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,
++	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
 +		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
 +#ifdef	SOLARIS_AES_CTR
 +	/* we don't know the correct NIDs until the engine is initialized */
-+	{ PK11_AES_128_CTR,	NID_undef,		16,	16,
++	{ PK11_AES_128_CTR,	NID_undef,		16,	16,  16,
 +		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_192_CTR,	NID_undef,		16,	24,
++	{ PK11_AES_192_CTR,	NID_undef,		16,	24,  24,
 +		CKK_AES,	CKM_AES_CTR, },
-+	{ PK11_AES_256_CTR,	NID_undef,		16,	32,
++	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
 +		CKK_AES,	CKM_AES_CTR, },
 +#endif	/* SOLARIS_AES_CTR */
 +	};
@@ -4681,9 +4694,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
 +	/*
 +	 * iv_len in the ctx->cipher structure is the maximum IV length for the
 +	 * current cipher and it must be less or equal to the IV length in our
-+	 * ciphers table. The key length must match precisely. Every application
-+	 * can define its own EVP functions so this code serves as a sanity
-+	 * check.
++	 * ciphers table. The key length must be in the allowed interval. From
++	 * all cipher modes that the PKCS#11 engine supports only RC4 allows a
++	 * key length to be in some range, all other NIDs have a precise key
++	 * length. Every application can define its own EVP functions so this
++	 * code serves as a sanity check.
 +	 *
 +	 * Note that the reason why the IV length in ctx->cipher might be
 +	 * greater than the actual length is that OpenSSL uses BLOCK_CIPHER_defs
@@ -4691,11 +4706,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
 +	 * modes. So, even ECB modes get 8 byte IV.
 +	 */
 +	if (ctx->cipher->iv_len < p_ciph_table_row->iv_len ||
-+	    ctx->key_len != p_ciph_table_row->key_len)
-+		{
++	    ctx->key_len < p_ciph_table_row->min_key_len ||
++	    ctx->key_len > p_ciph_table_row->max_key_len) {
 +		PK11err(PK11_F_CIPHER_INIT, PK11_R_KEY_OR_IV_LEN_PROBLEM);
 +		return (0);
-+		}
++	}
 +
 +	if ((sp = pk11_get_session(OP_CIPHER)) == NULL)
 +		return (0);
@@ -4706,7 +4721,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
 +	mech.ulParameterLen = 0;
 +
 +	/* The key object is destroyed here if it is not the current key. */
-+	(void) check_new_cipher_key(sp, key, p_ciph_table_row->key_len);
++	(void) check_new_cipher_key(sp, key, ctx->key_len);
 +
 +	/*
 +	 * If the key is the same and the encryption is also the same, then
@@ -6139,7 +6154,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.24
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_err.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/hw_pk11_err.c	Wed Dec 17 16:14:26 2008
 @@ -0,0 +1,259 @@
 +/*
@@ -6403,7 +6418,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
 +}
 Index: openssl/crypto/engine/hw_pk11_err.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/hw_pk11_err.h	Wed Dec 17 15:01:45 2008
 @@ -0,0 +1,402 @@
 +/*
@@ -6810,7 +6825,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
 +#endif /* HW_PK11_ERR_H */
 Index: openssl/crypto/engine/hw_pk11_pub-kp.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_pub-kp.c:1.21
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/hw_pk11_pub-kp.c	Tue Sep  1 06:02:18 2009
 @@ -0,0 +1,896 @@
 +/*
@@ -7711,7 +7726,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub-kp.c:1.21
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_pub.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/hw_pk11_pub.c	Fri Aug 28 06:31:09 2009
 @@ -0,0 +1,3137 @@
 +/*
@@ -10853,11 +10868,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/pkcs11.h
 diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/pkcs11.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
-+/* $Revision: 1.4 $ */
++/* $Revision: 1.1 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -11157,11 +11172,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11f.h
 diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/pkcs11f.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
-+/* $Revision: 1.4 $ */
++/* $Revision: 1.1 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -12074,11 +12089,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11t.h
 diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null	Wed Sep  2 11:37:23 2009
+--- /dev/null	Mon Oct  5 11:08:14 2009
 +++ openssl/crypto/engine/pkcs11t.h	Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */
-+/* $Revision: 1.4 $ */
++/* $Revision: 1.1 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -13963,19 +13978,19 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
 +
 +#endif
 Index: openssl/util/libeay.num
-diff -u openssl/util/libeay.num:1.1.2.1 openssl/util/libeay.num:1.4
---- openssl/util/libeay.num:1.1.2.1	Sun Jun 22 01:10:04 2008
-+++ openssl/util/libeay.num	Wed Dec 17 14:54:59 2008
-@@ -3700,3 +3700,4 @@
- FIPS_dsa_sig_encode                     4089	NOEXIST::FUNCTION:
- CRYPTO_dbg_remove_all_info              4090	NOEXIST::FUNCTION:
- OPENSSL_init                            4091	NOEXIST::FUNCTION:
-+ENGINE_load_pk11                        4092	EXIST::FUNCTION:ENGINE
+diff -u openssl/util/libeay.num:1.1.3.1 openssl/util/libeay.num:1.5
+--- openssl/util/libeay.num:1.1.3.1	Mon Feb  2 00:27:56 2009
++++ openssl/util/libeay.num	Fri Sep  4 10:43:22 2009
+@@ -3725,3 +3725,4 @@
+ JPAKE_STEP3A_init                       4111	EXIST::FUNCTION:JPAKE
+ ERR_load_JPAKE_strings                  4112	EXIST::FUNCTION:JPAKE
+ JPAKE_STEP2_init                        4113	EXIST::FUNCTION:JPAKE
++ENGINE_load_pk11                        4114	EXIST::FUNCTION:ENGINE
 Index: openssl/util/mk1mf.pl
-diff -u openssl/util/mk1mf.pl:1.1.2.1 openssl/util/mk1mf.pl:1.5
---- openssl/util/mk1mf.pl:1.1.2.1	Thu Jun  5 15:09:40 2008
-+++ openssl/util/mk1mf.pl	Wed Dec 17 16:56:20 2008
-@@ -299,6 +299,9 @@
+diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.6
+--- openssl/util/mk1mf.pl:1.1.3.1	Tue Dec  2 23:50:21 2008
++++ openssl/util/mk1mf.pl	Fri Sep  4 10:43:23 2009
+@@ -322,6 +322,9 @@
  	if ($key eq "ZLIB_INCLUDE")
  		{ $cflags .= " $val" if $val ne "";}
  
@@ -13986,11 +14001,11 @@ diff -u openssl/util/mk1mf.pl:1.1.2.1 openssl/util/mk1mf.pl:1.5
  		{ $zlib_lib = "$val" if $val ne "";}
  
 Index: openssl/util/pl/VC-32.pl
-diff -u openssl/util/pl/VC-32.pl:1.1.2.1 openssl/util/pl/VC-32.pl:1.4
---- openssl/util/pl/VC-32.pl:1.1.2.1	Fri Jun  6 20:48:57 2008
-+++ openssl/util/pl/VC-32.pl	Thu Jan  1 14:38:50 2009
-@@ -99,7 +99,7 @@
-     my $f = $shlib?' /MD':' /MT';
+diff -u openssl/util/pl/VC-32.pl:1.1.3.1 openssl/util/pl/VC-32.pl:1.5
+--- openssl/util/pl/VC-32.pl:1.1.3.1	Mon Mar  9 12:14:08 2009
++++ openssl/util/pl/VC-32.pl	Fri Sep  4 10:43:23 2009
+@@ -113,7 +113,7 @@
+     my $f = $shlib || $fips ?' /MD':' /MT';
      $lib_cflag='/Zl' if (!$shlib);	# remove /DEFAULTLIBs from static lib
      $opt_cflags=$f.' /Ox /O2 /Ob2';
 -    $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';

From a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 12:07:08 +0000
Subject: [PATCH 248/385] pkcs11 rt20225

---
 bin/Makefile.in                   |    5 +-
 bin/pkcs11/.cvsignore             |    1 +
 bin/pkcs11/Makefile.in            |   74 ++
 bin/pkcs11/include/pkcs11.h       |  299 +++++
 bin/pkcs11/include/pkcs11f.h      |  912 ++++++++++++++
 bin/pkcs11/include/pkcs11t.h      | 1885 +++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-destroy.c       |   59 +-
 bin/pkcs11/pkcs11-destroy.docbook |  147 +++
 bin/pkcs11/pkcs11-keygen.c        |   49 +-
 bin/pkcs11/pkcs11-keygen.docbook  |  160 +++
 bin/pkcs11/pkcs11-list.c          |   65 +-
 bin/pkcs11/pkcs11-list.docbook    |  151 +++
 bin/pkcs11/unix/cryptoki.h        |   48 +
 bin/pkcs11/unix/unix.c            |  318 +++++
 bin/pkcs11/win32/cryptoki.h       |   66 +
 bin/pkcs11/win32/win32.c          |  356 ++++++
 configure.in                      |   31 +-
 17 files changed, 4557 insertions(+), 69 deletions(-)
 create mode 100644 bin/pkcs11/Makefile.in
 create mode 100644 bin/pkcs11/include/pkcs11.h
 create mode 100644 bin/pkcs11/include/pkcs11f.h
 create mode 100644 bin/pkcs11/include/pkcs11t.h
 create mode 100644 bin/pkcs11/pkcs11-destroy.docbook
 create mode 100644 bin/pkcs11/pkcs11-keygen.docbook
 create mode 100644 bin/pkcs11/pkcs11-list.docbook
 create mode 100644 bin/pkcs11/unix/cryptoki.h
 create mode 100644 bin/pkcs11/unix/unix.c
 create mode 100644 bin/pkcs11/win32/cryptoki.h
 create mode 100644 bin/pkcs11/win32/win32.c

diff --git a/bin/Makefile.in b/bin/Makefile.in
index 2218ae3a72..e4805520e7 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -13,13 +13,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2009/06/10 00:27:21 each Exp $
+# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tests tools nsupdate check confgen
+SUBDIRS =	named rndc dig dnssec tests tools nsupdate \
+		check confgen @PKCS11_TOOLS@
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/bin/pkcs11/.cvsignore b/bin/pkcs11/.cvsignore
index 094f46543f..e26a12ef93 100644
--- a/bin/pkcs11/.cvsignore
+++ b/bin/pkcs11/.cvsignore
@@ -1,3 +1,4 @@
+Makefile
 pkcs11-destroy
 pkcs11-keygen
 pkcs11-list
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
new file mode 100644
index 0000000000..a5bf56657d
--- /dev/null
+++ b/bin/pkcs11/Makefile.in
@@ -0,0 +1,74 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/10/05 12:07:08 fdupont Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER =	@PKCS11_PROVIDER@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix
+
+CDEFINES =	-DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER}
+LIBS =		-ldl
+
+SUBDIRS =
+
+TARGETS =	pkcs11-keygen@EXEEXT@ pkcs11-list@EXEEXT@ \
+		pkcs11-destroy@EXEEXT@
+SRCS =		pkcs11-keygen.c pkcs11-list.c pkcs11-destroy.c
+
+MANPAGES =	pkcs11-keygen.8 pkcs11-list.8 pkcs11-destroy.8
+HTMLPAGES =	pkcs11-keygen.html pkcs11-list.html pkcs11-destroy.html
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.c
+	${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+	-o $@ @srcdir@/pkcs11-keygen.c ${LIBS}
+
+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.c
+	${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+	-o $@ @srcdir@/pkcs11-list.c ${LIBS}
+
+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.c
+	${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+	-o $@ @srcdir@/pkcs11-destroy.c ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+	${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/pkcs11/include/pkcs11.h b/bin/pkcs11/include/pkcs11.h
new file mode 100644
index 0000000000..9261e1e4c3
--- /dev/null
+++ b/bin/pkcs11/include/pkcs11.h
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set.  The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this.  You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/bin/pkcs11/include/pkcs11f.h b/bin/pkcs11/include/pkcs11f.h
new file mode 100644
index 0000000000..dec6315dd1
--- /dev/null
+++ b/bin/pkcs11/include/pkcs11f.h
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff --git a/bin/pkcs11/include/pkcs11t.h b/bin/pkcs11/include/pkcs11t.h
new file mode 100644
index 0000000000..add49e4830
--- /dev/null
+++ b/bin/pkcs11/include/pkcs11t.h
@@ -0,0 +1,1885 @@
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR 2
+#define CRYPTOKI_VERSION_MINOR 20
+#define CRYPTOKI_VERSION_AMENDMENT 3
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  /* manufacturerID and libraryDecription have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+/* The following notification is new for PKCS #11 v2.20 amendment 3 */
+#define CKN_OTP_CHANGED     1
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  /* slotDescription and manufacturerID have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  /* label, manufacturerID, and model have been changed from
+   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED       0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+   onwards. */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED          0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC   2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM         0x00000007
+
+/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
+#define CKO_OTP_KEY           0x00000008
+
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER  0x00000001
+#define CKH_CLOCK           0x00000002
+#define CKH_USER_INTERFACE  0x00000003
+#define CKH_VENDOR_DEFINED  0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA           0x00000003
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH        0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5           0x00000018
+#define CKK_CAST128         0x00000018
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+#define CKK_AES             0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH        0x00000020
+#define CKK_TWOFISH         0x00000021
+
+/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
+#define CKK_SECURID         0x00000022
+#define CKK_HOTP            0x00000023
+#define CKK_ACTI            0x00000024
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_CAMELLIA                   0x00000025
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_ARIA                       0x00000026
+
+
+#define CKK_VENDOR_DEFINED  0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509           0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS            0x00000002
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+   consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE    0x40000000
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+   and relates to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL      0
+#define CK_OTP_FORMAT_HEXADECIMAL  1
+#define CK_OTP_FORMAT_ALPHANUMERIC 2
+#define CK_OTP_FORMAT_BINARY       3
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+   and relates to the CKA_OTP_..._REQUIREMENT attributes */
+#define CK_OTP_PARAM_IGNORED       0
+#define CK_OTP_PARAM_OPTIONAL      1
+#define CK_OTP_PARAM_MANDATORY     2
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID          0x00000012
+
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED            0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY        0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
+#define CKA_URL                         0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
+#define CKA_CHECK_VALUE                 0x00000090
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUBPRIME_BITS      0x00000134
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+
+#define CKA_MODIFIABLE         0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_EC_PARAMS          0x00000180
+
+#define CKA_EC_POINT           0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH     0x00000200
+#define CKA_AUTH_PIN_FLAGS     0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
+#define CKA_OTP_FORMAT                0x00000220
+#define CKA_OTP_LENGTH                0x00000221
+#define CKA_OTP_TIME_INTERVAL         0x00000222
+#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
+#define CKA_OTP_TIME_REQUIREMENT      0x00000225
+#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226
+#define CKA_OTP_PIN_REQUIREMENT       0x00000227
+#define CKA_OTP_COUNTER               0x0000022E
+#define CKA_OTP_TIME                  0x0000022F
+#define CKA_OTP_USER_IDENTIFIER       0x0000022A
+#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022B
+#define CKA_OTP_SERVICE_LOGO          0x0000022C
+#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022D
+
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X                     0x00000400
+#define CKA_PIXEL_Y                     0x00000401
+#define CKA_RESOLUTION                  0x00000402
+#define CKA_CHAR_ROWS                   0x00000403
+#define CKA_CHAR_COLUMNS                0x00000404
+#define CKA_COLOR                       0x00000405
+#define CKA_BITS_PER_PIXEL              0x00000406
+#define CKA_CHAR_SETS                   0x00000480
+#define CKA_ENCODING_METHODS            0x00000481
+#define CKA_MIME_TYPES                  0x00000482
+#define CKA_MECHANISM_TYPE              0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+#define CKM_RSA_PKCS_PSS               0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS            0x00000040
+#define CKM_SHA384_RSA_PKCS            0x00000041
+#define CKM_SHA512_RSA_PKCS            0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+
+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_RSA_PKCS            0x00000046
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64                  0x00000150
+#define CKM_DES_OFB8                   0x00000151
+#define CKM_DES_CFB64                  0x00000152
+#define CKM_DES_CFB8                   0x00000153
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256                     0x00000250
+#define CKM_SHA256_HMAC                0x00000251
+#define CKM_SHA256_HMAC_GENERAL        0x00000252
+
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224                     0x00000255
+#define CKM_SHA224_HMAC                0x00000256
+#define CKM_SHA224_HMAC_GENERAL        0x00000257
+
+#define CKM_SHA384                     0x00000260
+#define CKM_SHA384_HMAC                0x00000261
+#define CKM_SHA384_HMAC_GENERAL        0x00000262
+#define CKM_SHA512                     0x00000270
+#define CKM_SHA512_HMAC                0x00000271
+#define CKM_SHA512_HMAC_GENERAL        0x00000272
+
+/* SecurID is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_SECURID_KEY_GEN            0x00000280
+#define CKM_SECURID                    0x00000282
+
+/* HOTP is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_HOTP_KEY_GEN    0x00000290
+#define CKM_HOTP            0x00000291
+
+/* ACTI is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_ACTI            0x000002A0
+#define CKM_ACTI_KEY_GEN    0x000002A1
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF                    0x00000378
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION      0x00000393
+#define CKM_SHA384_KEY_DERIVATION      0x00000394
+#define CKM_SHA512_KEY_DERIVATION      0x00000395
+
+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_KEY_DERIVATION      0x00000396
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
+#define CKM_WTLS_PRF                        0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG                    0x00000500
+
+/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
+#define CKM_KIP_DERIVE	               0x00000510
+#define CKM_KIP_WRAP	               0x00000511
+#define CKM_KIP_MAC	               0x00000512
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_CAMELLIA_KEY_GEN           0x00000550
+#define CKM_CAMELLIA_ECB               0x00000551
+#define CKM_CAMELLIA_CBC               0x00000552
+#define CKM_CAMELLIA_MAC               0x00000553
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554
+#define CKM_CAMELLIA_CBC_PAD           0x00000555
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557
+#define CKM_CAMELLIA_CTR               0x00000558
+
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_ARIA_KEY_GEN               0x00000560
+#define CKM_ARIA_ECB                   0x00000561
+#define CKM_ARIA_CBC                   0x00000562
+#define CKM_ARIA_MAC                   0x00000563
+#define CKM_ARIA_MAC_GENERAL           0x00000564
+#define CKM_ARIA_CBC_PAD               0x00000565
+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE               0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
+#define CKM_ECMQV_DERIVE               0x00001052
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+
+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_AES_CTR                    0x00001086
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN           0x00001090
+#define CKM_BLOWFISH_CBC               0x00001091
+#define CKM_TWOFISH_KEY_GEN            0x00001092
+#define CKM_TWOFISH_CBC                0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P             0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+/* The following return values are new for PKCS #11 v2.20 amendment 3 */
+#define CKR_NEW_PIN_MODE                      0x000001B0
+#define CKR_NEXT_OTP                          0x000001B1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED                 0x00000200
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1         0x00000001
+#define CKG_MGF1_SHA256       0x00000002
+#define CKG_MGF1_SHA384       0x00000003
+#define CKG_MGF1_SHA512       0x00000004
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKG_MGF1_SHA224       0x00000005
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001
+#define CKD_SHA1_KDF             0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+   (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1        0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */
+
+typedef struct CK_OTP_PARAM {
+    CK_OTP_PARAM_TYPE type;
+    CK_VOID_PTR pValue;
+    CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CK_OTP_VALUE          0
+#define CK_OTP_PIN            1
+#define CK_OTP_CHALLENGE      2
+#define CK_OTP_TIME           3
+#define CK_OTP_COUNTER        4
+#define CK_OTP_FLAGS          5
+#define CK_OTP_OUTPUT_LENGTH  6
+#define CK_OTP_OUTPUT_FORMAT  7
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CKF_NEXT_OTP          0x00000001
+#define CKF_EXCLUDE_TIME      0x00000002
+#define CKF_EXCLUDE_COUNTER   0x00000004
+#define CKF_EXCLUDE_CHALLENGE 0x00000008
+#define CKF_EXCLUDE_PIN       0x00000010
+#define CKF_USER_FRIENDLY_OTP 0x00000020
+
+/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */
+typedef struct CK_KIP_PARAMS {
+    CK_MECHANISM_PTR  pMechanism;
+    CK_OBJECT_HANDLE  hKey;
+    CK_BYTE_PTR       pSeed;
+    CK_ULONG          ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_AES_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE      iv[16];
+    CK_BYTE_PTR  pData;
+    CK_ULONG     length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#endif
diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index 9c58dabb66..21c322222f 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -1,13 +1,25 @@
-/* pkcs11-destroy [-s $slot] [-i $id | -l $label] [-p $pin] */
+/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
 #include 
-#include 
+#include "cryptoki.h"
+
+#ifdef WIN32
+#define sleep(x)	Sleep(x)
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)	getpass(x)
+#endif
 
 int
 main(int argc, char *argv[])
@@ -20,7 +32,7 @@ main(int argc, char *argv[])
     CK_OBJECT_HANDLE akey[50];
     char *label = NULL;
     int error = 0;
-    int id = 0, i = 0;
+    unsigned int id = 0, i = 0;
     int c, errflg = 0;
     CK_ULONG ulObjectCount;
     CK_ATTRIBUTE search_template[] = {
@@ -29,8 +41,11 @@ main(int argc, char *argv[])
     extern char *optarg;
     extern int optopt;
 
-    while ((c = getopt(argc, argv, ":s:i:l:p:")) != -1) {
+    while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
 	switch (c) {
+	case 'm':
+	    pk11_libname = optarg;
+	    break;
 	case 's':
 	    slot = atoi(optarg);
 	    break;
@@ -56,7 +71,8 @@ main(int argc, char *argv[])
     }
     if (errflg || ((!id) && (!label))) {
 	fprintf(stderr,
-		"usage: destroykey [-s slot] [-i id | -l label] [-p pin]\n");
+		"usage: pkcs11-destroy [-m module] [-s slot] "
+		"[-i id | -l label] [-p pin]\n");
 	exit(1);
     }
     if (id) {
@@ -73,7 +89,12 @@ main(int argc, char *argv[])
     /* Initialize the CRYPTOKI library */
     rv = C_Initialize(NULL_PTR);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	if (rv == 0xfe)
+	    fprintf(stderr,
+		    "Can't load or link module \"%s\"\n",
+		    pk11_libname);
+	else
+	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
 	exit(1);
     }
 
@@ -81,22 +102,18 @@ main(int argc, char *argv[])
     rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
 		       NULL_PTR, NULL_PTR, &hSession);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_program;
     }
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef HAVE_GETPASS
 	pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-	pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
     rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
     memset(pin, 0, strlen((char *)pin));
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_session;
     }
@@ -104,14 +121,14 @@ main(int argc, char *argv[])
     rv = C_FindObjectsInit(hSession, search_template,
 			   ((id != 0) || (label != NULL)) ? 1 : 0); 
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_session;
     }
     
     rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_search;
     }
@@ -125,22 +142,24 @@ main(int argc, char *argv[])
 	    {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
 	    {CKA_ID, idbuf, sizeof(idbuf)}
 	};
-	int j, len;
+	unsigned int j, len;
 
 	memset(labelbuf, 0, sizeof(labelbuf));
 	memset(idbuf, 0, sizeof(idbuf));
 
 	rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
 	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
+	    fprintf(stderr, "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, rv);
 	    error = 1;
 	    goto exit_search;
 	}
 	len = attr_template[2].ulValueLen;
-	printf("object[%d]: class %d label '%s' id[%u] ",
+	printf("object[%u]: class %lu label '%s' id[%lu] ",
 	       i, oclass, labelbuf, attr_template[2].ulValueLen);
 	if (len > 4)
 	    len = 4;
+	if (len > 0)
+	    printf("0x");
 	for (j = 0; j < len; j++)
 	    printf("%02x", idbuf[j]);
 	if (attr_template[2].ulValueLen > len)
@@ -156,7 +175,7 @@ main(int argc, char *argv[])
     for (i = 0; i < ulObjectCount; i++) {
 	rv = C_DestroyObject(hSession, akey[i]);
 	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_DestroyObject[%d]: rv = 0x%.8X\n", i, rv);
+	    fprintf(stderr, "C_DestroyObject[%u]: rv = 0x%.8lX\n", i, rv);
 	    error = 1;
 	}
     }
@@ -164,7 +183,7 @@ main(int argc, char *argv[])
  exit_search:
     rv = C_FindObjectsFinal(hSession);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
 	error = 1;
     }
 
diff --git a/bin/pkcs11/pkcs11-destroy.docbook b/bin/pkcs11/pkcs11-destroy.docbook
new file mode 100644
index 0000000000..b4c2048167
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.docbook
@@ -0,0 +1,147 @@
+]>
+
+
+
+
+  
+    Sep 18, 2009
+  
+
+  
+    pkcs11-destroy
+    8
+    BIND9
+  
+
+  
+    pkcs11-destroy
+    destroy PKCS#11 objects
+  
+
+  
+    
+      2009
+      Internet Systems Consortium, Inc. ("ISC")
+    
+  
+
+  
+    
+      pkcs11-destroy
+      
+      
+      
+        -i ID
+        -l label
+      
+      
+    
+  
+
+  
+    DESCRIPTION
+    
+      pkcs11-destroy destroys keys stored in a
+      PKCS#11 device, identified by their  or
+      .
+    
+    
+      Matching keys are displayed before being destroyed.  There is a
+      five second delay to allow the user to interrupt the process
+      before the destruction takes place.
+    
+  
+
+  
+    ARGUMENTS
+    
+      
+        -m module
+        
+          
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
+        
+      
+
+      
+        -s slot
+        
+          
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
+        
+      
+
+      
+        -i ID
+        
+          
+            Destroy keys with the given object ID.
+          
+        
+      
+
+      
+        -l label
+        
+          
+            Destroy keys with the given label.
+          
+        
+      
+
+      
+        -p PIN
+        
+          
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-destroy will prompt for it.
+          
+        
+      
+    
+  
+
+  
+    SEE ALSO
+    
+      
+        pkcs11-list3
+      ,
+      
+        pkcs11-keygen3
+      
+    
+  
+
+  
+    AUTHOR
+    Internet Systems Consortium
+    
+  
+
+
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 53ce2961f1..cd951e3fd6 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -6,18 +6,29 @@
  * it into a zone file.
  *
  * usage:
- * pkcs11-keygen [-P] [-s slot] -b keysize -l label [-p pin] 
+ * pkcs11-keygen [-P] [-m module] [-s slot] -b keysize -l label [-p pin] 
  *
  */
 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
 #include 
-#include 
+#include "cryptoki.h"
+
+#ifdef WIN32
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)	getpass(x)
+#endif
 
 /* Define static key template values */
 static CK_BBOOL truevalue = TRUE;
@@ -36,7 +47,6 @@ main(int argc, char *argv[])
     CK_OBJECT_HANDLE privatekey, publickey;
     CK_BYTE public_exponent[3];
     int error = 0;
-    int i = 0;
     int c, errflg = 0;
     int hide = 1;
     CK_ULONG ulObjectCount;
@@ -62,11 +72,14 @@ main(int argc, char *argv[])
     extern char *optarg;
     extern int optopt;
     
-    while ((c = getopt(argc, argv, ":Ps:b:i:l:p:")) != -1) {
+    while ((c = getopt(argc, argv, ":Pm:s:b:i:l:p:")) != -1) {
         switch (c) {
 	case 'P':
 	    hide = 0;
 	    break;
+	case 'm':
+	    pk11_libname = optarg;
+	    break;
 	case 's':
 	    slot = atoi(optarg);
 	    break;
@@ -91,7 +104,8 @@ main(int argc, char *argv[])
     }
     if ((errflg) || (!modulusbits) || (!label)) {
         fprintf(stderr,
-		"usage: genkey [-P] [-s slot] -b keysize -l label [-p pin]\n");
+		"usage: pkcs11-keygen [-P] [-m module] [-s slot] "
+		"-b keysize -l label [-p pin]\n");
         exit(2);
     }
     
@@ -116,7 +130,12 @@ main(int argc, char *argv[])
     rv = C_Initialize(NULL_PTR);
 
     if (rv != CKR_OK) {
-        fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	if (rv == 0xfe)
+	    fprintf(stderr,
+		    "Can't load or link module \"%s\"\n",
+		    pk11_libname);
+	else
+	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
 	exit(1);
     }
 
@@ -125,22 +144,18 @@ main(int argc, char *argv[])
 		       NULL_PTR, NULL_PTR, &hSession);
 
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_program;
     }
 
     /* Login to the Token (Keystore) */
     if (!pin)
-#ifndef HAVE_GETPASS
         pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-        pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
     rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
     memset(pin, 0, strlen((char *)pin));
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
         error = 1;
         goto exit_session;
     }
@@ -148,13 +163,13 @@ main(int argc, char *argv[])
     /* check if a key with the same id already exists */
     rv = C_FindObjectsInit(hSession, search_template, 1); 
     if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
         error = 1;
         goto exit_session;
     }
     rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
     if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+        fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
         error = 1;
         goto exit_search;
     }
@@ -180,14 +195,14 @@ main(int argc, char *argv[])
 			   &publickey, &privatekey);
         
     if (rv != CKR_OK) {
-        fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8X\n", rv);
+        fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
         error = 1;
     }
     
  exit_search:
     rv = C_FindObjectsFinal(hSession);
     if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
         error = 1;
     }
 
diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook
new file mode 100644
index 0000000000..8c62aba039
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.docbook
@@ -0,0 +1,160 @@
+]>
+
+
+
+
+  
+    Sep 18, 2009
+  
+
+  
+    pkcs11-keygen
+    8
+    BIND9
+  
+
+  
+    pkcs11-keygen
+    generate RSA keys on a PKCS#11 device
+  
+
+  
+    
+      2009
+      Internet Systems Consortium, Inc. ("ISC")
+    
+  
+
+  
+    
+      pkcs11-keygen
+      
+      
+      
+      -b keysize
+      -l label
+      
+    
+  
+
+  
+    DESCRIPTION
+    
+      pkcs11-keygen causes a PKCS#11 device to generate
+      a new RSA key pair with the specified  and
+      with  bits of modulus.
+    
+  
+
+  
+    ARGUMENTS
+    
+      
+        -P
+        
+          
+            Set the new private key to be non-sensitive and extractable.
+            The allows the private key data to be read from the PKCS#11
+            device.  The default is for private keys to be sensitive and
+            non-extractable.
+          
+        
+      
+
+      
+        -m module
+        
+          
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
+        
+      
+
+      
+        -s slot
+        
+          
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
+        
+      
+
+      
+        -b keysize
+        
+          
+            Create the key pair with  bits of
+            modulus.
+          
+        
+      
+
+      
+        -l label
+        
+          
+            Create key objects with the given label.
+          
+        
+      
+
+      
+        -p PIN
+        
+          
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-keygen will prompt for it.
+          
+        
+      
+    
+  
+
+  
+    SEE ALSO
+    
+      
+        pkcs11-list3
+      ,
+      
+        pkcs11-destroy3
+      
+    
+  
+
+  
+    CAVEAT
+    The public exponent is hard-wired to 65537.
+    The command should optionally set the object ID too.
+  
+
+  
+    AUTHOR
+    Internet Systems Consortium
+    
+  
+
+
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 79bfd328b9..094664e6c4 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,13 +1,24 @@
-/* pkcs11-list [-P] [-s slot] [-i $id | -l $label] [-p $pin] */
+/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
 #include 
-#include 
+#include "cryptoki.h"
+
+#ifdef WIN32
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)	getpass(x)
+#endif
 
 int
 main(int argc, char *argv[])
@@ -20,7 +31,7 @@ main(int argc, char *argv[])
     CK_OBJECT_HANDLE akey[50];
     char *label = NULL;
     int error = 0, public = 0, all = 0;
-    int i = 0, id = 0;
+    unsigned int i = 0, id = 0;
     int c, errflg = 0;
     CK_ULONG ulObjectCount;
     CK_ATTRIBUTE search_template[] = {
@@ -29,11 +40,14 @@ main(int argc, char *argv[])
     extern char *optarg;
     extern int optopt;
 
-    while ((c = getopt(argc, argv, ":s:i:l:p:P")) != -1) {
+    while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
 	switch (c) {
 	case 'P':
 	    public = 1;
 	    break;
+	case 'm':
+	    pk11_libname = optarg;
+	    break;
 	case 's':
 	    slot = atoi(optarg);
 	    break;
@@ -59,13 +73,14 @@ main(int argc, char *argv[])
     }
     if (errflg) {
 	fprintf(stderr,
-		"usage: listobjs [-P] [-s slot] [-p pin] -i id | $label\n");
+		"usage: pkcs11-list [-P] [-m module] [-s slot] "
+		"[-i id | -l label] [-p pin]\n");
 	exit(1);
     }
     if ((!id) && (!label))
 	all = 1;
     if (slot)
-	printf("slot %d\n", slot);
+	printf("slot %lu\n", slot);
     if (id) {
 	printf("id %i\n", id);
 	attr_id[0] = (id >> 8) & 0xff;
@@ -80,7 +95,12 @@ main(int argc, char *argv[])
     /* Initialize the CRYPTOKI library */
     rv = C_Initialize(NULL_PTR);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_Initialize: Error = 0x%.8X\n", rv);
+	if (rv == 0xfe)
+	    fprintf(stderr,
+		    "Can't load or link module \"%s\"\n",
+		    pk11_libname);
+	else
+	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
 	exit(1);
     }
 
@@ -88,7 +108,7 @@ main(int argc, char *argv[])
     rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
 		       NULL_PTR, NULL_PTR, &hSession);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_program;
     }
@@ -96,15 +116,11 @@ main(int argc, char *argv[])
     /* Login to the Token (Keystore) */
     if (!public) {
 	if (!pin)
-#ifndef HAVE_GETPASS
 	    pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-#else
-	    pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
-#endif
 	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
 	memset(pin, 0, strlen((char *)pin));
 	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_Login: Error = 0x%.8X\n", rv);
+	    fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
 	    error = 1;
 	    goto exit_session;
 	}
@@ -112,7 +128,7 @@ main(int argc, char *argv[])
 
     rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
 	error = 1;
 	goto exit_session;
     }
@@ -121,7 +137,7 @@ main(int argc, char *argv[])
     while (ulObjectCount) {
 	rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
 	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_FindObjects: Error = 0x%.8X\n", rv);
+	    fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
 	    error = 1;
 	    goto exit_search;
 	}
@@ -135,7 +151,7 @@ main(int argc, char *argv[])
 		{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
 		{CKA_ID, idbuf, sizeof(idbuf)}
 	    };
-	    int j, len;
+	    unsigned int j, len;
 
 	    memset(labelbuf, 0, sizeof(labelbuf));
 	    memset(idbuf, 0, sizeof(idbuf));
@@ -143,9 +159,9 @@ main(int argc, char *argv[])
 	    rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
 	    if (rv != CKR_OK) {
 		fprintf(stderr,
-			"C_GetAttributeValue[%d]: rv = 0x%.8X\n", i, rv);
-		if (rv = CKR_BUFFER_TOO_SMALL)
-		    fprintf(stderr, "%d too small: %u %u %u\n", i,
+			"C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, rv);
+		if (rv == CKR_BUFFER_TOO_SMALL)
+		    fprintf(stderr, "%u too small: %lu %lu %lu\n", i,
 			    attr_template[0].ulValueLen,
 			    attr_template[1].ulValueLen,
 			    attr_template[2].ulValueLen);
@@ -154,17 +170,20 @@ main(int argc, char *argv[])
 	    }
 
 	    len = attr_template[2].ulValueLen;
-	    printf("object[%d]: handle %u class %d label[%u] '%s' id[%u] ",
+	    printf("object[%u]: handle %lu class %lu "
+		   "label[%lu] '%s' id[%lu] ",
 		   i, akey[i], oclass,
 		   attr_template[1].ulValueLen, labelbuf,
 		   attr_template[2].ulValueLen);
 	    if (len == 2) {
 		id = (idbuf[0] << 8) & 0xff00;
 		id |= idbuf[1] & 0xff;
-		printf("%i\n", id);
+		printf("%u\n", id);
 	    } else {
 		if (len > 8)
 		    len = 8;
+		if (len > 0)
+		    printf("0x");
 		for (j = 0; j < len; j++)
 		    printf("%02x", idbuf[j]);
 		if (attr_template[2].ulValueLen > len)
@@ -178,7 +197,7 @@ main(int argc, char *argv[])
  exit_search:
     rv = C_FindObjectsFinal(hSession);
     if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8X\n", rv);
+	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
 	error = 1;
     }
 
diff --git a/bin/pkcs11/pkcs11-list.docbook b/bin/pkcs11/pkcs11-list.docbook
new file mode 100644
index 0000000000..db8a01e00f
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.docbook
@@ -0,0 +1,151 @@
+]>
+
+
+
+
+  
+    Sep 18, 2009
+  
+
+  
+    pkcs11-list
+    8
+    BIND9
+  
+
+  
+    pkcs11-list
+    list PKCS#11 objects
+  
+
+  
+    
+      2009
+      Internet Systems Consortium, Inc. ("ISC")
+    
+  
+
+  
+    
+      pkcs11-list
+      
+      
+      
+      -i ID
+      -l label
+      
+    
+  
+
+  
+    DESCRIPTION
+    
+      pkcs11-list
+      lists the PKCS#11 objects with  or
+       or by default all objects.
+    
+  
+
+  
+    ARGUMENTS
+    
+      
+        -P
+        
+          
+            List only the public objects. (Note that on some PKCS#11
+            devices, all objects are private.)
+          
+        
+      
+
+      
+        -m module
+        
+          
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
+        
+      
+
+      
+        -s slot
+        
+          
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
+        
+      
+
+      
+        -i ID
+        
+          
+            List only key objects with the given object ID.
+          
+        
+      
+
+      
+        -l label
+        
+          
+            List only key objects with the given label.
+          
+        
+      
+
+      
+        -p PIN
+        
+          
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-list will prompt for it.
+          
+        
+      
+    
+  
+
+  
+    SEE ALSO
+    
+      
+        pkcs11-keygen3
+      ,
+      
+        pkcs11-destroy3
+      
+    
+  
+
+  
+    AUTHOR
+    Internet Systems Consortium
+    
+  
+
+
diff --git a/bin/pkcs11/unix/cryptoki.h b/bin/pkcs11/unix/cryptoki.h
new file mode 100644
index 0000000000..7b63280e8f
--- /dev/null
+++ b/bin/pkcs11/unix/cryptoki.h
@@ -0,0 +1,48 @@
+/* cryptoki.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Unix Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+  returnType name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+  returnType name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+  returnType (* name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+  returnType (* name)
+
+/* NULL is in unistd.h */
+#include 
+#define NULL_PTR NULL
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+#include "pkcs11.h"
+
+#endif /* ___CRYPTOKI_H_INC___ */
diff --git a/bin/pkcs11/unix/unix.c b/bin/pkcs11/unix/unix.c
new file mode 100644
index 0000000000..026f5a748e
--- /dev/null
+++ b/bin/pkcs11/unix/unix.c
@@ -0,0 +1,318 @@
+/* dynamic loader (ifndef FORCE_STATIC_PROVIDER) */
+
+#include 
+
+/* load PKCS11 dynamic object */
+
+#ifndef PK11_LIB_LOCATION
+#error "PK11_LIB_LOCATION is not set"
+#endif
+
+const char *pk11_libname = PK11_LIB_LOCATION;
+
+void *hPK11 = NULL;
+
+#define C_Initialize isc_C_Initialize
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved);
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved)
+{
+	CK_C_Initialize sym;
+
+	hPK11 = dlopen(pk11_libname, RTLD_NOW);
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(pReserved);
+}
+
+#define C_Finalize isc_C_Finalize
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved)
+{
+	CK_C_Finalize sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(pReserved);
+}
+
+#define C_OpenSession isc_C_OpenSession
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+	      CK_FLAGS flags,
+	      CK_VOID_PTR pApplication,
+	      CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				CK_NOTIFICATION event,
+				CK_VOID_PTR pApplication),
+	      CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+	      CK_FLAGS flags,
+	      CK_VOID_PTR pApplication,
+	      CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				CK_NOTIFICATION event,
+				CK_VOID_PTR pApplication),
+	      CK_SESSION_HANDLE_PTR phSession)
+{
+	CK_C_OpenSession sym;
+
+	if (hPK11 == NULL)
+		hPK11 = dlopen(pk11_libname, RTLD_NOW);
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+#define C_CloseSession isc_C_CloseSession
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession)
+{
+	CK_C_CloseSession sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession);
+}
+
+#define C_Login isc_C_Login
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+	CK_USER_TYPE userType,
+	CK_CHAR_PTR pPin,
+	CK_ULONG usPinLen);
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+	CK_USER_TYPE userType,
+	CK_CHAR_PTR pPin,
+	CK_ULONG usPinLen)
+{
+	CK_C_Login sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+#define C_CreateObject isc_C_CreateObject
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+	       CK_ATTRIBUTE_PTR pTemplate,
+	       CK_ULONG usCount,
+	       CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+	       CK_ATTRIBUTE_PTR pTemplate,
+	       CK_ULONG usCount,
+	       CK_OBJECT_HANDLE_PTR phObject)
+{
+	CK_C_CreateObject sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+#define C_DestroyObject isc_C_DestroyObject
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+	CK_C_DestroyObject sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject);
+}
+
+#define C_GetAttributeValue isc_C_GetAttributeValue
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount);
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	CK_C_GetAttributeValue sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_GetAttributeValue");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_SetAttributeValue isc_C_SetAttributeValue
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount);
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	CK_C_SetAttributeValue sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_SetAttributeValue");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_FindObjectsInit isc_C_FindObjectsInit
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+		  CK_ATTRIBUTE_PTR pTemplate,
+		  CK_ULONG usCount);
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+		  CK_ATTRIBUTE_PTR pTemplate,
+		  CK_ULONG usCount)
+{
+	CK_C_FindObjectsInit sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, pTemplate, usCount);
+}
+
+#define C_FindObjects isc_C_FindObjects
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+	      CK_OBJECT_HANDLE_PTR phObject,
+	      CK_ULONG usMaxObjectCount,
+	      CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+	      CK_OBJECT_HANDLE_PTR phObject,
+	      CK_ULONG usMaxObjectCount,
+	      CK_ULONG_PTR pusObjectCount)
+{
+	CK_C_FindObjects sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+#define C_FindObjectsFinal isc_C_FindObjectsFinal
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+	CK_C_FindObjectsFinal sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession);
+}
+
+#define C_GenerateKeyPair isc_C_GenerateKeyPair
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		  CK_MECHANISM_PTR pMechanism,
+		  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		  CK_ULONG usPublicKeyAttributeCount,
+		  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		  CK_ULONG usPrivateKeyAttributeCount,
+		  CK_OBJECT_HANDLE_PTR phPrivateKey,
+		  CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		  CK_MECHANISM_PTR pMechanism,
+		  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		  CK_ULONG usPublicKeyAttributeCount,
+		  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		  CK_ULONG usPrivateKeyAttributeCount,
+		  CK_OBJECT_HANDLE_PTR phPrivateKey,
+		  CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+	CK_C_GenerateKeyPair sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession,
+		      pMechanism,
+		      pPublicKeyTemplate,
+		      usPublicKeyAttributeCount,
+		      pPrivateKeyTemplate,
+		      usPrivateKeyAttributeCount,
+		      phPrivateKey,
+		      phPublicKey);
+}
diff --git a/bin/pkcs11/win32/cryptoki.h b/bin/pkcs11/win32/cryptoki.h
new file mode 100644
index 0000000000..c1b18f8484
--- /dev/null
+++ b/bin/pkcs11/win32/cryptoki.h
@@ -0,0 +1,66 @@
+/* cryptoki.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Win32 Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#pragma pack(push, cryptoki, 1)
+
+/* Specifies that the function is a DLL entry point. */
+#define CK_IMPORT_SPEC __declspec(dllimport)
+
+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
+ * not define it in applications.
+ */
+#ifdef CRYPTOKI_EXPORTS
+/* Specified that the function is an exported DLL entry point. */
+#define CK_EXPORT_SPEC __declspec(dllexport) 
+#else
+#define CK_EXPORT_SPEC CK_IMPORT_SPEC 
+#endif
+
+/* Ensures the calling convention for Win32 builds */
+#define CK_CALL_SPEC __cdecl
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+  returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+  returnType (CK_CALL_SPEC CK_PTR name)
+
+#ifndef NULL_PTR
+#define NULL_PTR 0
+#endif
+
+#include "pkcs11.h"
+
+#pragma pack(pop, cryptoki)
+
+#endif /* ___CRYPTOKI_H_INC___ */
diff --git a/bin/pkcs11/win32/win32.c b/bin/pkcs11/win32/win32.c
new file mode 100644
index 0000000000..d93937c0e6
--- /dev/null
+++ b/bin/pkcs11/win32/win32.c
@@ -0,0 +1,356 @@
+/* missing code for WIN32 */
+
+#include 
+#include 
+
+#define HAVE_GETPASSPHRASE
+
+char *
+getpassphrase(const char *prompt)
+{
+	static char buf[128];
+	HANDLE h;
+	DWORD cc, mode;
+	int cnt;
+
+	h = GetStdHandle(STD_INPUT_HANDLE);
+	fputs(prompt, stderr);
+	fflush(stderr);
+	fflush(stdout);
+	FlushConsoleInputBuffer(h);
+	GetConsoleMode(h, &mode);
+	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
+	{
+		ReadFile(h, buf + cnt, 1, &cc, NULL);
+		if (buf[cnt] == '\r')
+			break;
+		fputc('*', stdout);
+		fflush(stderr);
+		fflush(stdout);
+	}
+
+	SetConsoleMode(h, mode);
+	buf[cnt] = '\0';
+	fputs("\n", stderr);
+	return buf;
+}
+
+/* From ISC isc_commandline_parse() */
+
+int optind = 1;		/* index into parent argv vector */
+int optopt;		/* character checked for validity */
+char *optarg;		/* argument associated with option */
+static char endopt = '\0';
+
+#define	BADOPT	(int)'?'
+#define	BADARG	(int)':'
+#define	ENDOPT	&endopt
+
+int
+getopt(int nargc, char * const nargv[], const char *ostr)
+{
+	static char *place = ENDOPT;		/* option letter processing */
+	char *option;				/* option letter list index */
+
+	if (*place == '\0') {			/* update scanning pointer */
+		place = nargv[optind];
+		if (optind >= nargc || *place++ != '-') {
+			/* index out of range or points to non-option */
+			place = ENDOPT;
+			return (-1);
+		}
+		optopt = *place++;
+		if (optopt == '-' && *place == '\0') {
+			/* "--" signals end of options */
+			++optind;
+			place = ENDOPT;
+			return (-1);
+		}
+	} else
+		optopt = *place++;
+
+	/* See if option letter is one the caller wanted... */
+	if (optopt == ':' || (option = strchr(ostr, optopt)) == NULL) {
+		if (*place == '\0')
+			++optind;
+		return (BADOPT);
+	}
+
+	if (*++option != ':') {
+		/* option doesn't take an argument */
+		optarg = NULL;
+		if (*place == '\0')
+			++optind;
+	} else {
+		/* option needs an argument */
+		if (*place != '\0')
+			/* -D1 style */
+			optarg = place;
+		else if (nargc > ++optind)
+			/* -D 1 style */
+			optarg = nargv[optind];
+		else {
+			/* needed but absent */
+			place = ENDOPT;
+			if (*ostr == ':')
+				return (BADARG);
+			return (BADOPT);
+		}
+		place = ENDOPT;
+		++optind;
+	}
+	return (optopt);
+}
+
+/* load PKCS11 DLL */
+
+#ifndef PK11_LIB_LOCATION
+#define PK11_LIB_LOCATION "bp201w32HSM"
+#endif
+
+const char pk11_libname[] = PK11_LIB_LOCATION ".dll";
+
+HINSTANCE hPK11 = NULL;
+
+#define C_Initialize isc_C_Initialize
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved)
+{
+	CK_C_Initialize sym;
+
+	hPK11 = LoadLibraryA(pk11_libname);
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(pReserved);
+}
+
+#define C_Finalize isc_C_Finalize
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved)
+{
+	CK_C_Finalize sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(pReserved);
+}
+
+#define C_OpenSession isc_C_OpenSession
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+	      CK_FLAGS flags,
+	      CK_VOID_PTR pApplication,
+	      CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				CK_NOTIFICATION event,
+				CK_VOID_PTR pApplication),
+	      CK_SESSION_HANDLE_PTR phSession)
+{
+	CK_C_OpenSession sym;
+
+	if (hPK11 == NULL)
+		hPK11 = LoadLibraryA(pk11_libname);
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+#define C_CloseSession isc_C_CloseSession
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession)
+{
+	CK_C_CloseSession sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_CloseSession)GetProcAddress(hPK11, "C_CloseSession");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession);
+}
+
+#define C_Login isc_C_Login
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+	CK_USER_TYPE userType,
+	CK_CHAR_PTR pPin,
+	CK_ULONG usPinLen)
+{
+	CK_C_Login sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+#define C_CreateObject isc_C_CreateObject
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+	       CK_ATTRIBUTE_PTR pTemplate,
+	       CK_ULONG usCount,
+	       CK_OBJECT_HANDLE_PTR phObject)
+{
+	CK_C_CreateObject sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_CreateObject)GetProcAddress(hPK11, "C_CreateObject");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+#define C_DestroyObject isc_C_DestroyObject
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+	CK_C_DestroyObject sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_DestroyObject)GetProcAddress(hPK11, "C_DestroyObject");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject);
+}
+
+#define C_GetAttributeValue isc_C_GetAttributeValue
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	CK_C_GetAttributeValue sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
+						     "C_GetAttributeValue");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_SetAttributeValue isc_C_SetAttributeValue
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	CK_C_SetAttributeValue sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
+						     "C_SetAttributeValue");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_FindObjectsInit isc_C_FindObjectsInit
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+		  CK_ATTRIBUTE_PTR pTemplate,
+		  CK_ULONG usCount)
+{
+	CK_C_FindObjectsInit sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
+						   "C_FindObjectsInit");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, pTemplate, usCount);
+}
+
+#define C_FindObjects isc_C_FindObjects
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+	      CK_OBJECT_HANDLE_PTR phObject,
+	      CK_ULONG usMaxObjectCount,
+	      CK_ULONG_PTR pusObjectCount)
+{
+	CK_C_FindObjects sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+#define C_FindObjectsFinal isc_C_FindObjectsFinal
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+	CK_C_FindObjectsFinal sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
+						    "C_FindObjectsFinal");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession);
+}
+
+#define C_GenerateKeyPair isc_C_GenerateKeyPair
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		  CK_MECHANISM_PTR pMechanism,
+		  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		  CK_ULONG usPublicKeyAttributeCount,
+		  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		  CK_ULONG usPrivateKeyAttributeCount,
+		  CK_OBJECT_HANDLE_PTR phPrivateKey,
+		  CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+	CK_C_GenerateKeyPair sym;
+
+	if (hPK11 == NULL)
+		return 0xfe;
+	sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
+						   "C_GenerateKeyPair");
+	if (sym == NULL)
+		return 0xff;
+	return (*sym)(hSession,
+		      pMechanism,
+		      pPublicKeyTemplate,
+		      usPublicKeyAttributeCount,
+		      pPrivateKeyTemplate,
+		      usPrivateKeyAttributeCount,
+		      phPrivateKey,
+		      phPublicKey);
+}
diff --git a/configure.in b/configure.in
index 202eb39a61..81ccd963df 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.481 $)
+AC_REVISION($Revision: 1.482 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -710,22 +710,38 @@ AC_SUBST(ISC_OPENSSL_INC)
 
 AC_MSG_CHECKING(for PKCS11 support)
 AC_ARG_WITH(pkcs11,
-[  --with-pkcs11           Build with PKCS11 support],
-   use_pkcs11="yes", use_pkcs11="no")
+[  --with-pkcs11[=PATH]      Build with PKCS11 support [yes|no|path]
+                          (PATH is for the PKCS11 provider)],
+   use_pkcs11="$withval", use_pkcs11="no")
 
 case "$use_pkcs11" in
-	no)
+	no|'')
 		AC_MSG_RESULT(disabled)
-		USE_PKCS11=""
+		USE_PKCS11=''
 		;;
-	yes)
+	yes|*)
 		AC_MSG_RESULT(using OpenSSL with PKCS11 support)
 		USE_PKCS11='-DUSE_PKCS11'
 		;;
 esac
-
 AC_SUBST(USE_PKCS11)
 
+AC_MSG_CHECKING(for PKCS11 tools)
+case "$use_pkcs11" in
+	no|yes|'')
+		AC_MSG_RESULT(disabled)
+		PKCS11_PROVIDER="undefined"
+		PKCS11_TOOLS=''
+		;;
+       *)
+		AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
+		PKCS11_PROVIDER="$use_pkcs11"
+		PKCS11_TOOLS=pkcs11
+		;;
+esac
+AC_SUBST(PKCS11_PROVIDER)
+AC_SUBST(PKCS11_TOOLS)
+
 AC_MSG_CHECKING(for GSSAPI library)
 AC_ARG_WITH(gssapi,
 [  --with-gssapi=PATH      Specify path for system-supplied GSSAPI],
@@ -3179,6 +3195,7 @@ AC_CONFIG_FILES([
 	bin/tests/headerdep_test.sh
 	bin/tools/Makefile
 	bin/dnssec/Makefile
+	bin/pkcs11/Makefile
 	doc/Makefile
 	doc/arm/Makefile
 	doc/misc/Makefile

From b091b4bb803b830d2d5a9e71b6648b669655d7dc Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 12:13:15 +0000
Subject: [PATCH 249/385] regen

---
 bin/pkcs11/pkcs11-destroy.8    | 82 +++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-destroy.html | 88 +++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-keygen.8     | 93 ++++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-keygen.html  | 96 ++++++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-list.8       | 86 ++++++++++++++++++++++++++++++
 bin/pkcs11/pkcs11-list.html    | 88 +++++++++++++++++++++++++++++++
 configure                      | 92 ++++++++++++++++++++------------
 7 files changed, 591 insertions(+), 34 deletions(-)
 create mode 100644 bin/pkcs11/pkcs11-destroy.8
 create mode 100644 bin/pkcs11/pkcs11-destroy.html
 create mode 100644 bin/pkcs11/pkcs11-keygen.8
 create mode 100644 bin/pkcs11/pkcs11-keygen.html
 create mode 100644 bin/pkcs11/pkcs11-list.8
 create mode 100644 bin/pkcs11/pkcs11-list.html

diff --git a/bin/pkcs11/pkcs11-destroy.8 b/bin/pkcs11/pkcs11-destroy.8
new file mode 100644
index 0000000000..c10de4ab4e
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.8
@@ -0,0 +1,82 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-destroy.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: pkcs11\-destroy
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 
+.\"      Date: Sep 18, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "PKCS11\-DESTROY" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-destroy \- destroy PKCS#11 objects
+.SH "SYNOPSIS"
+.HP 15
+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-destroy\fR
+destroys keys stored in a PKCS#11 device, identified by their
+\fBID\fR
+or
+\fBlabel\fR.
+.PP
+Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place.
+.SH "ARGUMENTS"
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-i \fIID\fR
+.RS 4
+Destroy keys with the given object ID.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Destroy keys with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-destroy\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-list\fR(3),
+\fBpkcs11\-keygen\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/pkcs11/pkcs11-destroy.html b/bin/pkcs11/pkcs11-destroy.html
new file mode 100644
index 0000000000..3f0adf4538
--- /dev/null
+++ b/bin/pkcs11/pkcs11-destroy.html
@@ -0,0 +1,88 @@
+
+
+
+
+
+pkcs11-destroy
+
+
+
    
+
    
+
    
+
    Name
    
+
    pkcs11-destroy — destroy PKCS#11 objects
    
+
    
+
    
+
    Synopsis
    
+
    pkcs11-destroy  [-m module] [-s slot] { -i ID  |   -l label } [-p PIN]
    
+
    
+
    
+
    DESCRIPTION
    
+
    
+      pkcs11-destroy destroys keys stored in a
+      PKCS#11 device, identified by their ID or
+      label.
+    
    
+
    
+      Matching keys are displayed before being destroyed.  There is a
+      five second delay to allow the user to interrupt the process
+      before the destruction takes place.
+    
    
+
    
+
    
+
    ARGUMENTS
    
+
    
+
    -m module
    
+
    
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
    
+
    -s slot
    
+
    
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
    
+
    -i ID
    
+
    
+            Destroy keys with the given object ID.
+          
    
+
    -l label
    
+
    
+            Destroy keys with the given label.
+          
    
+
    -p PIN
    
+
    
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-destroy will prompt for it.
+          
    
+
    
+
    
+
    
+
    SEE ALSO
    
+
    
+      pkcs11-list(3),
+      pkcs11-keygen(3)
+    
    
+
    
+
    
+
    AUTHOR
    
+
    Internet Systems Consortium
+    
    
+
    
+
    
+
diff --git a/bin/pkcs11/pkcs11-keygen.8 b/bin/pkcs11/pkcs11-keygen.8
new file mode 100644
index 0000000000..db761ad63b
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.8
@@ -0,0 +1,93 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-keygen.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: pkcs11\-keygen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 
+.\"      Date: Sep 18, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "PKCS11\-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
+.SH "SYNOPSIS"
+.HP 14
+\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-keygen\fR
+causes a PKCS#11 device to generate a new RSA key pair with the specified
+\fBlabel\fR
+and with
+\fBkeysize\fR
+bits of modulus.
+.SH "ARGUMENTS"
+.PP
+\-P
+.RS 4
+Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
+.RE
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Create the key pair with
+\fBkeysize\fR
+bits of modulus.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Create key objects with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-keygen\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-list\fR(3),
+\fBpkcs11\-destroy\fR(3)
+.SH "CAVEAT"
+.PP
+The public exponent is hard\-wired to 65537.
+.PP
+The command should optionally set the object ID too.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/pkcs11/pkcs11-keygen.html b/bin/pkcs11/pkcs11-keygen.html
new file mode 100644
index 0000000000..77410e8633
--- /dev/null
+++ b/bin/pkcs11/pkcs11-keygen.html
@@ -0,0 +1,96 @@
+
+
+
+
+
+pkcs11-keygen
+
+
+
    
+
    
+
    
+
    Name
    
+
    pkcs11-keygen — generate RSA keys on a PKCS#11 device
    
+
    
+
    
+
    Synopsis
    
+
    pkcs11-keygen  [-P] [-m module] [-s slot] {-b keysize} {-l label} [-p PIN]
    
+
    
+
    
+
    DESCRIPTION
    
+
    
+      pkcs11-keygen causes a PKCS#11 device to generate
+      a new RSA key pair with the specified label and
+      with keysize bits of modulus.
+    
    
+
    
+
    
+
    ARGUMENTS
    
+
    
+
    -P
    
+
    
+            Set the new private key to be non-sensitive and extractable.
+            The allows the private key data to be read from the PKCS#11
+            device.  The default is for private keys to be sensitive and
+            non-extractable.
+          
    
+
    -m module
    
+
    
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
    
+
    -s slot
    
+
    
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
    
+
    -b keysize
    
+
    
+            Create the key pair with keysize bits of
+            modulus.
+          
    
+
    -l label
    
+
    
+            Create key objects with the given label.
+          
    
+
    -p PIN
    
+
    
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-keygen will prompt for it.
+          
    
+
    
+
    
+
    
+
    SEE ALSO
    
+
    
+      pkcs11-list(3),
+      pkcs11-destroy(3)
+    
    
+
    
+
    
+
    CAVEAT
    
+
    The public exponent is hard-wired to 65537.
    
+
    The command should optionally set the object ID too.
    
+
    
+
    
+
    AUTHOR
    
+
    Internet Systems Consortium
+    
    
+
    
+
    
+
diff --git a/bin/pkcs11/pkcs11-list.8 b/bin/pkcs11/pkcs11-list.8
new file mode 100644
index 0000000000..dd3f21f8df
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.8
@@ -0,0 +1,86 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-list.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: pkcs11\-list
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 
+.\"      Date: Sep 18, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "PKCS11\-LIST" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-list \- list PKCS#11 objects
+.SH "SYNOPSIS"
+.HP 12
+\fBpkcs11\-list\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\-i\ \fIID\fR] [\-l\ \fIlabel\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-list\fR
+lists the PKCS#11 objects with
+\fBID\fR
+or
+\fBlabel\fR
+or by default all objects.
+.SH "ARGUMENTS"
+.PP
+\-P
+.RS 4
+List only the public objects. (Note that on some PKCS#11 devices, all objects are private.)
+.RE
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-i \fIID\fR
+.RS 4
+List only key objects with the given object ID.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+List only key objects with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-list\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-keygen\fR(3),
+\fBpkcs11\-destroy\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/pkcs11/pkcs11-list.html b/bin/pkcs11/pkcs11-list.html
new file mode 100644
index 0000000000..8e8c5ceb2c
--- /dev/null
+++ b/bin/pkcs11/pkcs11-list.html
@@ -0,0 +1,88 @@
+
+
+
+
+
+pkcs11-list
+
+
+
    
+
    
+
    
+
    Name
    
+
    pkcs11-list — list PKCS#11 objects
    
+
    
+
    
+
    Synopsis
    
+
    pkcs11-list  [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]
    
+
    
+
    
+
    DESCRIPTION
    
+
    
+      pkcs11-list
+      lists the PKCS#11 objects with ID or
+      label or by default all objects.
+    
    
+
    
+
    
+
    ARGUMENTS
    
+
    
+
    -P
    
+
    
+            List only the public objects. (Note that on some PKCS#11
+            devices, all objects are private.)
+          
    
+
    -m module
    
+
    
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          
    
+
    -s slot
    
+
    
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          
    
+
    -i ID
    
+
    
+            List only key objects with the given object ID.
+          
    
+
    -l label
    
+
    
+            List only key objects with the given label.
+          
    
+
    -p PIN
    
+
    
+            Specify the PIN for the device.  If no PIN is provided on the
+            command line, pkcs11-list will prompt for it.
+          
    
+
    
+
    
+
    
+
    SEE ALSO
    
+
    
+      pkcs11-keygen(3),
+      pkcs11-destroy(3)
+    
    
+
    
+
    
+
    AUTHOR
    
+
    Internet Systems Consortium
+    
    
+
    
+
    
+
diff --git a/configure b/configure
index 97cb06f8f8..96a47c54bc 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.467 2009/10/02 06:28:27 marka Exp $
+# $Id: configure,v 1.468 2009/10/05 12:09:35 fdupont Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.481 .
+# From configure.in Revision: 1.482 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -896,6 +896,8 @@ DST_OPENSSL_INC
 ISC_PLATFORM_OPENSSLHASH
 ISC_OPENSSL_INC
 USE_PKCS11
+PKCS11_PROVIDER
+PKCS11_TOOLS
 ISC_PLATFORM_HAVEGSSAPI
 ISC_PLATFORM_GSSAPIHEADER
 USE_GSSAPI
@@ -1679,7 +1681,8 @@ Optional Packages:
   --with-tags[=TAGS]      include additional configurations [automatic]
   --with-openssl=PATH     Build with OpenSSL yes|no|path.
 			  (Required for DNSSEC)
-  --with-pkcs11           Build with PKCS11 support
+  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
+                          (PATH is for the PKCS11 provider)
   --with-gssapi=PATH      Specify path for system-supplied GSSAPI
   --with-randomdev=PATH   Specify path for random device
   --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)
@@ -3957,7 +3960,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3960 "configure"' > conftest.$ac_ext
+  echo '#line 3963 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -6905,11 +6908,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6908: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6911: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6912: \$? = $ac_status" >&5
+   echo "$as_me:6915: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7195,11 +7198,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7198: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7201: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7202: \$? = $ac_status" >&5
+   echo "$as_me:7205: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7299,11 +7302,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7302: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7305: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7306: \$? = $ac_status" >&5
+   echo "$as_me:7309: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9663,7 +9666,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:12174: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12175: \$? = $ac_status" >&5
+   echo "$as_me:12178: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12272,11 +12275,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12275: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12278: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12279: \$? = $ac_status" >&5
+   echo "$as_me:12282: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13855,11 +13858,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13858: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13861: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13862: \$? = $ac_status" >&5
+   echo "$as_me:13865: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13959,11 +13962,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13962: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13965: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13966: \$? = $ac_status" >&5
+   echo "$as_me:13969: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16170,11 +16173,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16173: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16176: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16177: \$? = $ac_status" >&5
+   echo "$as_me:16180: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16460,11 +16463,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16463: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16466: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16467: \$? = $ac_status" >&5
+   echo "$as_me:16470: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16564,11 +16567,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16567: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16570: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16571: \$? = $ac_status" >&5
+   echo "$as_me:16574: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -22843,19 +22846,19 @@ echo $ECHO_N "checking for PKCS11 support... $ECHO_C" >&6; }
 
 # Check whether --with-pkcs11 was given.
 if test "${with_pkcs11+set}" = set; then
-  withval=$with_pkcs11; use_pkcs11="yes"
+  withval=$with_pkcs11; use_pkcs11="$withval"
 else
   use_pkcs11="no"
 fi
 
 
 case "$use_pkcs11" in
-	no)
+	no|'')
 		{ echo "$as_me:$LINENO: result: disabled" >&5
 echo "${ECHO_T}disabled" >&6; }
-		USE_PKCS11=""
+		USE_PKCS11=''
 		;;
-	yes)
+	yes|*)
 		{ echo "$as_me:$LINENO: result: using OpenSSL with PKCS11 support" >&5
 echo "${ECHO_T}using OpenSSL with PKCS11 support" >&6; }
 		USE_PKCS11='-DUSE_PKCS11'
@@ -22863,6 +22866,24 @@ echo "${ECHO_T}using OpenSSL with PKCS11 support" >&6; }
 esac
 
 
+{ echo "$as_me:$LINENO: checking for PKCS11 tools" >&5
+echo $ECHO_N "checking for PKCS11 tools... $ECHO_C" >&6; }
+case "$use_pkcs11" in
+	no|yes|'')
+		{ echo "$as_me:$LINENO: result: disabled" >&5
+echo "${ECHO_T}disabled" >&6; }
+		PKCS11_PROVIDER="undefined"
+		PKCS11_TOOLS=''
+		;;
+       *)
+		{ echo "$as_me:$LINENO: result: PKCS11 provider is \"$use_pkcs11\"" >&5
+echo "${ECHO_T}PKCS11 provider is \"$use_pkcs11\"" >&6; }
+		PKCS11_PROVIDER="$use_pkcs11"
+		PKCS11_TOOLS=pkcs11
+		;;
+esac
+
+
 
 { echo "$as_me:$LINENO: checking for GSSAPI library" >&5
 echo $ECHO_N "checking for GSSAPI library... $ECHO_C" >&6; }
@@ -33281,7 +33302,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/export/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
+ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/export/Makefile lib/export/isc/Makefile lib/export/isc/include/Makefile lib/export/isc/include/isc/Makefile lib/export/isc/unix/Makefile lib/export/isc/unix/include/Makefile lib/export/isc/unix/include/isc/Makefile lib/export/isc/nls/Makefile lib/export/isc/$thread_dir/Makefile lib/export/isc/$thread_dir/include/Makefile lib/export/isc/$thread_dir/include/isc/Makefile lib/export/dns/Makefile lib/export/dns/include/Makefile lib/export/dns/include/dns/Makefile lib/export/dns/include/dst/Makefile lib/export/irs/Makefile lib/export/irs/include/Makefile lib/export/irs/include/irs/Makefile lib/export/isccfg/Makefile lib/export/isccfg/include/Makefile lib/export/isccfg/include/isccfg/Makefile lib/export/samples/Makefile lib/export/samples/Makefile-postinstall lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile bin/pkcs11/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
 
 
 #
@@ -33949,6 +33970,7 @@ do
     "bin/tests/headerdep_test.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/headerdep_test.sh" ;;
     "bin/tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tools/Makefile" ;;
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
+    "bin/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;;
     "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
     "doc/arm/Makefile") CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
     "doc/misc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/misc/Makefile" ;;
@@ -34207,6 +34229,8 @@ DST_OPENSSL_INC!$DST_OPENSSL_INC$ac_delim
 ISC_PLATFORM_OPENSSLHASH!$ISC_PLATFORM_OPENSSLHASH$ac_delim
 ISC_OPENSSL_INC!$ISC_OPENSSL_INC$ac_delim
 USE_PKCS11!$USE_PKCS11$ac_delim
+PKCS11_PROVIDER!$PKCS11_PROVIDER$ac_delim
+PKCS11_TOOLS!$PKCS11_TOOLS$ac_delim
 ISC_PLATFORM_HAVEGSSAPI!$ISC_PLATFORM_HAVEGSSAPI$ac_delim
 ISC_PLATFORM_GSSAPIHEADER!$ISC_PLATFORM_GSSAPIHEADER$ac_delim
 USE_GSSAPI!$USE_GSSAPI$ac_delim
@@ -34271,8 +34295,6 @@ ISC_IRS_NEEDADDRINFO!$ISC_IRS_NEEDADDRINFO$ac_delim
 ISC_LWRES_NEEDRRSETINFO!$ISC_LWRES_NEEDRRSETINFO$ac_delim
 ISC_LWRES_SETHOSTENTINT!$ISC_LWRES_SETHOSTENTINT$ac_delim
 ISC_LWRES_ENDHOSTENTINT!$ISC_LWRES_ENDHOSTENTINT$ac_delim
-ISC_LWRES_GETNETBYADDRINADDR!$ISC_LWRES_GETNETBYADDRINADDR$ac_delim
-ISC_LWRES_SETNETENTINT!$ISC_LWRES_SETNETENTINT$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -34314,6 +34336,8 @@ _ACEOF
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+ISC_LWRES_GETNETBYADDRINADDR!$ISC_LWRES_GETNETBYADDRINADDR$ac_delim
+ISC_LWRES_SETNETENTINT!$ISC_LWRES_SETNETENTINT$ac_delim
 ISC_LWRES_ENDNETENTINT!$ISC_LWRES_ENDNETENTINT$ac_delim
 ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim
 ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim
@@ -34398,7 +34422,7 @@ LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 82; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 84; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

From f89a9bcf1c02b9b350b8d29e47b48fdc0d334d2a Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 12:23:11 +0000
Subject: [PATCH 250/385] pkcs11 rt20236

---
 bin/pkcs11/pkcs11-keygen.c       | 68 +++++++++++++++++++++++++-------
 bin/pkcs11/pkcs11-keygen.docbook | 34 +++++++++++++---
 2 files changed, 82 insertions(+), 20 deletions(-)

diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index cd951e3fd6..230ec1aef3 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -6,7 +6,8 @@
  * it into a zone file.
  *
  * usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] -b keysize -l label [-p pin] 
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+ *               -l label [-i id] [-p pin] 
  *
  */
 
@@ -45,10 +46,14 @@ main(int argc, char *argv[])
     CK_ULONG modulusbits = 0;
     CK_CHAR *label = NULL;
     CK_OBJECT_HANDLE privatekey, publickey;
-    CK_BYTE public_exponent[3];
+    CK_BYTE public_exponent[5];
+    CK_ULONG expsize = 3;
     int error = 0;
     int c, errflg = 0;
     int hide = 1;
+    int idlen = 0;
+    unsigned long id = 0;
+    CK_BYTE idbuf[4];
     CK_ULONG ulObjectCount;
     /* Set search template */
     CK_ATTRIBUTE search_template[] = {
@@ -59,20 +64,24 @@ main(int argc, char *argv[])
         {CKA_VERIFY, &truevalue, sizeof (truevalue)},
         {CKA_TOKEN, &truevalue, sizeof (truevalue)},
         {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
-        {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
+        {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+	{CKA_ID, &idbuf, idlen}
     };
+    CK_ULONG publickey_attrcnt = 6;
     CK_ATTRIBUTE privatekey_template[] = {
         {CKA_LABEL, NULL_PTR, 0},
         {CKA_SIGN, &truevalue, sizeof (truevalue)},
         {CKA_TOKEN, &truevalue, sizeof (truevalue)},
         {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
         {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
-        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
+        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)},
+	{CKA_ID, &idbuf, idlen}
     };
+    CK_ULONG privatekey_attrcnt = 7;
     extern char *optarg;
     extern int optopt;
     
-    while ((c = getopt(argc, argv, ":Pm:s:b:i:l:p:")) != -1) {
+    while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
         switch (c) {
 	case 'P':
 	    hide = 0;
@@ -83,12 +92,19 @@ main(int argc, char *argv[])
 	case 's':
 	    slot = atoi(optarg);
 	    break;
+	case 'e':
+	    expsize = 5;
+	    break;
         case 'b':
             modulusbits = atoi(optarg);
             break;
         case 'l':
             label = (CK_CHAR *)optarg;
             break;
+	case 'i':
+	    id = strtoul(optarg, NULL, 0);
+	    idlen = 4;
+	    break;
         case 'p':
             pin = (CK_UTF8CHAR *)optarg;
             break;
@@ -104,8 +120,10 @@ main(int argc, char *argv[])
     }
     if ((errflg) || (!modulusbits) || (!label)) {
         fprintf(stderr,
-		"usage: pkcs11-keygen [-P] [-m module] [-s slot] "
-		"-b keysize -l label [-p pin]\n");
+		"usage: pkcs11-keygen "
+		"[-P] [-m module] [-s slot] [-e] -b keysize\n"
+		"                     "
+		"-l label [-i id] [-p pin]\n");
         exit(2);
     }
     
@@ -116,16 +134,39 @@ main(int argc, char *argv[])
     privatekey_template[0].pValue = label;
     privatekey_template[0].ulValueLen = strlen((char *)label);
 
-    /* Set public exponent to 65537 */
+    /* Set public exponent to F4 or F5 */
     public_exponent[0] = 0x01;
     public_exponent[1] = 0x00;
-    public_exponent[2] = 0x01;
+    if (expsize == 3)
+	public_exponent[2] = 0x01;
+    else {
+	publickey_template[4].ulValueLen = expsize;
+	public_exponent[2] = 0x00;
+	public_exponent[3] = 0x00;
+	public_exponent[4] = 0x01;
+    }
 
     /* Set up mechanism for generating key pair */
     genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
     genmech.pParameter = NULL_PTR;
     genmech.ulParameterLen = 0;
 
+    if (idlen == 0) {
+        publickey_attrcnt--;
+        privatekey_attrcnt--;
+    } else if (id <= 0xffff) {
+	idlen = 2;
+	publickey_template[5].ulValueLen = idlen;
+	privatekey_template[6].ulValueLen = idlen;
+	idbuf[0] = id >> 8;
+	idbuf[1] = id & 0xff;
+    } else {
+        idbuf[0] = id >> 24;
+	idbuf[1] = (id >> 16) & 0xff;
+	idbuf[2] = (id >> 8) & 0xff;
+	idbuf[3] = id & 0xff;
+    }
+
     /* Initialize the CRYPTOKI library */
     rv = C_Initialize(NULL_PTR);
 
@@ -186,12 +227,9 @@ main(int argc, char *argv[])
     }
 
     /* Generate Key pair for signing/verifying */
-    rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
-			   (sizeof (publickey_template) /
-			    sizeof (CK_ATTRIBUTE)),
-			   privatekey_template,
-			   (sizeof (privatekey_template) /
-			    sizeof (CK_ATTRIBUTE)),
+    rv = C_GenerateKeyPair(hSession, &genmech,
+			   publickey_template, publickey_attrcnt,
+			   privatekey_template, privatekey_attrcnt,
 			   &publickey, &privatekey);
         
     if (rv != CKR_OK) {
diff --git a/bin/pkcs11/pkcs11-keygen.docbook b/bin/pkcs11/pkcs11-keygen.docbook
index 8c62aba039..7c4ba084c8 100644
--- a/bin/pkcs11/pkcs11-keygen.docbook
+++ b/bin/pkcs11/pkcs11-keygen.docbook
@@ -1,6 +1,6 @@
 ]>
+               []>
 
 
-
+
 
   
     Sep 18, 2009
@@ -47,8 +47,10 @@
       
       
       
+      
       -b keysize
       -l label
+      
       
     
   
@@ -98,6 +100,15 @@
         
       
 
+      
+        -e
+        
+          
+            Use a large exponent.
+          
+        
+      
+
       
         -b keysize
         
@@ -113,6 +124,17 @@
         
           
             Create key objects with the given label.
+            This name must be unique.
+          
+        
+      
+
+      
+        -i id
+        
+          
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
           
         
       
@@ -137,14 +159,16 @@
       ,
       
         pkcs11-destroy3
-      
+      ,
+      
+        dnssec-keyfromlabel3
+      ,
         
   
 
   
     CAVEAT
-    The public exponent is hard-wired to 65537.
-    The command should optionally set the object ID too.
+    Some PKCS#11 providers crash with big public exponent.
   
 
   

From 247806c82065fc5dcc3d25cfdb0de2725553f237 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 12:25:29 +0000
Subject: [PATCH 251/385] regen

---
 bin/pkcs11/pkcs11-keygen.8    | 23 ++++++++++++++++-------
 bin/pkcs11/pkcs11-keygen.html | 30 ++++++++++++++++++++----------
 2 files changed, 36 insertions(+), 17 deletions(-)

diff --git a/bin/pkcs11/pkcs11-keygen.8 b/bin/pkcs11/pkcs11-keygen.8
index db761ad63b..93ba99db29 100644
--- a/bin/pkcs11/pkcs11-keygen.8
+++ b/bin/pkcs11/pkcs11-keygen.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-keygen.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\" $Id: pkcs11-keygen.8,v 1.3 2009/10/05 12:25:29 fdupont Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
 .SH "SYNOPSIS"
 .HP 14
-\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBpkcs11\-keygen\fR
@@ -58,6 +58,11 @@ Specify the PKCS#11 provider module. This must be the full path to a shared libr
 Open the session with the given PKCS#11 slot. The default is slot 0.
 .RE
 .PP
+\-e
+.RS 4
+Use a large exponent.
+.RE
+.PP
 \-b \fIkeysize\fR
 .RS 4
 Create the key pair with
@@ -67,7 +72,12 @@ bits of modulus.
 .PP
 \-l \fIlabel\fR
 .RS 4
-Create key objects with the given label.
+Create key objects with the given label. This name must be unique.
+.RE
+.PP
+\-i \fIid\fR
+.RS 4
+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
 .RE
 .PP
 \-p \fIPIN\fR
@@ -79,12 +89,11 @@ will prompt for it.
 .SH "SEE ALSO"
 .PP
 \fBpkcs11\-list\fR(3),
-\fBpkcs11\-destroy\fR(3)
+\fBpkcs11\-destroy\fR(3),
+\fBdnssec\-keyfromlabel\fR(3),
 .SH "CAVEAT"
 .PP
-The public exponent is hard\-wired to 65537.
-.PP
-The command should optionally set the object ID too.
+Some PKCS#11 providers crash with big public exponent.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
diff --git a/bin/pkcs11/pkcs11-keygen.html b/bin/pkcs11/pkcs11-keygen.html
index 77410e8633..1292cf6508 100644
--- a/bin/pkcs11/pkcs11-keygen.html
+++ b/bin/pkcs11/pkcs11-keygen.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,10 +28,10 @@
 
    
 
    
 
    Synopsis
    
-
    pkcs11-keygen  [-P] [-m module] [-s slot] {-b keysize} {-l label} [-p PIN]
    
+
    pkcs11-keygen  [-P] [-m module] [-s slot] [-e] {-b keysize} {-l label} [-i id] [-p PIN]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    
       pkcs11-keygen causes a PKCS#11 device to generate
       a new RSA key pair with the specified label and
@@ -39,7 +39,7 @@
     
    
 
    
 
    
-
    ARGUMENTS
    
+
    ARGUMENTS
    
 
    
 
    -P
    
 
    
@@ -59,6 +59,10 @@
             Open the session with the given PKCS#11 slot.  The default is
             slot 0.
           
    
+
    -e
    
+
    
+            Use a large exponent.
+          
    
 
    -b keysize
    
 
    
             Create the key pair with keysize bits of
@@ -67,6 +71,12 @@
 
    -l label
    
 
    
             Create key objects with the given label.
+            This name must be unique.
+          
    
+
    -i id
    
+
    
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
           
    
 
    -p PIN
    
 
    
@@ -76,19 +86,19 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       pkcs11-list(3),
-      pkcs11-destroy(3)
+      pkcs11-destroy(3),
+      dnssec-keyfromlabel(3),
     
    
 
    
 
    
-
    CAVEAT
    
-
    The public exponent is hard-wired to 65537.
    
-
    The command should optionally set the object ID too.
    
+
    CAVEAT
    
+
    Some PKCS#11 providers crash with big public exponent.
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From d220cab39d70d95166746ef8c88013a3840cca9f Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 13:02:31 +0000
Subject: [PATCH 252/385] pkcs11 rt20229

---
 bin/pkcs11/pkcs11-keygen.c   |  12 +-
 bin/pkcs11/win32/destroy.dsp | 119 ++++++++++++++
 bin/pkcs11/win32/destroy.dsw |  29 ++++
 bin/pkcs11/win32/destroy.mak | 296 +++++++++++++++++++++++++++++++++++
 bin/pkcs11/win32/keygen.dsp  | 119 ++++++++++++++
 bin/pkcs11/win32/keygen.dsw  |  29 ++++
 bin/pkcs11/win32/keygen.mak  | 296 +++++++++++++++++++++++++++++++++++
 bin/pkcs11/win32/list.dsp    | 119 ++++++++++++++
 bin/pkcs11/win32/list.dsw    |  29 ++++
 bin/pkcs11/win32/list.mak    | 296 +++++++++++++++++++++++++++++++++++
 bin/pkcs11/win32/pkcs11.dsw  |  53 +++++++
 bin/pkcs11/win32/setprovider |  71 +++++++++
 bin/pkcs11/win32/win32.c     |  10 +-
 13 files changed, 1470 insertions(+), 8 deletions(-)
 create mode 100644 bin/pkcs11/win32/destroy.dsp
 create mode 100644 bin/pkcs11/win32/destroy.dsw
 create mode 100644 bin/pkcs11/win32/destroy.mak
 create mode 100644 bin/pkcs11/win32/keygen.dsp
 create mode 100644 bin/pkcs11/win32/keygen.dsw
 create mode 100644 bin/pkcs11/win32/keygen.mak
 create mode 100644 bin/pkcs11/win32/list.dsp
 create mode 100644 bin/pkcs11/win32/list.dsw
 create mode 100644 bin/pkcs11/win32/list.mak
 create mode 100644 bin/pkcs11/win32/pkcs11.dsw
 create mode 100644 bin/pkcs11/win32/setprovider

diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 230ec1aef3..df25556c4c 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -158,13 +158,13 @@ main(int argc, char *argv[])
 	idlen = 2;
 	publickey_template[5].ulValueLen = idlen;
 	privatekey_template[6].ulValueLen = idlen;
-	idbuf[0] = id >> 8;
-	idbuf[1] = id & 0xff;
+	idbuf[0] = (CK_BYTE) (id >> 8);
+	idbuf[1] = (CK_BYTE) id;
     } else {
-        idbuf[0] = id >> 24;
-	idbuf[1] = (id >> 16) & 0xff;
-	idbuf[2] = (id >> 8) & 0xff;
-	idbuf[3] = id & 0xff;
+        idbuf[0] = (CK_BYTE) (id >> 24);
+	idbuf[1] = (CK_BYTE) (id >> 16);
+	idbuf[2] = (CK_BYTE) (id >> 8);
+	idbuf[3] = (CK_BYTE) id;
     }
 
     /* Initialize the CRYPTOKI library */
diff --git a/bin/pkcs11/win32/destroy.dsp b/bin/pkcs11/win32/destroy.dsp
new file mode 100644
index 0000000000..a8d76c20c8
--- /dev/null
+++ b/bin/pkcs11/win32/destroy.dsp
@@ -0,0 +1,119 @@
+# Microsoft Developer Studio Project File - Name="destroy" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=destroy - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "destroy.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "destroy.mak" CFG="destroy - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "destroy - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "destroy - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-destroy.exe"
+
+!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-destroy.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "destroy - Win32 Release"
+# Name "destroy - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-destroy.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/destroy.dsw b/bin/pkcs11/win32/destroy.dsw
new file mode 100644
index 0000000000..d1379b2456
--- /dev/null
+++ b/bin/pkcs11/win32/destroy.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "destroy"=".\destroy.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/destroy.mak b/bin/pkcs11/win32/destroy.mak
new file mode 100644
index 0000000000..f84ac75603
--- /dev/null
+++ b/bin/pkcs11/win32/destroy.mak
@@ -0,0 +1,296 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on destroy.dsp
+!IF "$(CFG)" == ""
+CFG=destroy - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to destroy - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "destroy - Win32 Release" && "$(CFG)" != "destroy - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "destroy.mak" CFG="destroy - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "destroy - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "destroy - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "destroy - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : ".\Release\pkcs11-destroy.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-destroy.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase ".\Release\pkcs11-destroy.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\destroy.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /machine:I386 /out:"./Release/pkcs11-destroy.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
+
+".\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : ".\Debug\pkcs11-destroy.exe" "$(OUTDIR)\destroy.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-destroy.obj"
+	-@erase "$(INTDIR)\pkcs11-destroy.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-destroy.pdb"
+	-@erase "$(OUTDIR)\destroy.bsc"
+	-@erase ".\Debug\pkcs11-destroy.exe"
+	-@erase ".\Debug\pkcs11-destroy.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\destroy.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-destroy.sbr"
+
+"$(OUTDIR)\destroy.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-destroy.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
+
+".\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("destroy.dep")
+!INCLUDE "destroy.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "destroy.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "destroy - Win32 Release" || "$(CFG)" == "destroy - Win32 Debug"
+SOURCE="..\pkcs11-destroy.c"
+
+!IF  "$(CFG)" == "destroy - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-destroy.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-destroy.obj"	"$(INTDIR)\pkcs11-destroy.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/keygen.dsp b/bin/pkcs11/win32/keygen.dsp
new file mode 100644
index 0000000000..80df0c7bd5
--- /dev/null
+++ b/bin/pkcs11/win32/keygen.dsp
@@ -0,0 +1,119 @@
+# Microsoft Developer Studio Project File - Name="keygen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=keygen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-keygen.exe"
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-keygen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "keygen - Win32 Release"
+# Name "keygen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-keygen.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/keygen.dsw b/bin/pkcs11/win32/keygen.dsw
new file mode 100644
index 0000000000..bdd633e4e9
--- /dev/null
+++ b/bin/pkcs11/win32/keygen.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "keygen"=".\keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/keygen.mak b/bin/pkcs11/win32/keygen.mak
new file mode 100644
index 0000000000..6e13454fbf
--- /dev/null
+++ b/bin/pkcs11/win32/keygen.mak
@@ -0,0 +1,296 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on keygen.dsp
+!IF "$(CFG)" == ""
+CFG=keygen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to keygen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "keygen - Win32 Release" && "$(CFG)" != "keygen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : ".\Release\pkcs11-keygen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-keygen.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase ".\Release\pkcs11-keygen.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /machine:I386 /out:"./Release/pkcs11-keygen.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
+
+".\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : ".\Debug\pkcs11-keygen.exe" "$(OUTDIR)\keygen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-keygen.obj"
+	-@erase "$(INTDIR)\pkcs11-keygen.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-keygen.pdb"
+	-@erase "$(OUTDIR)\keygen.bsc"
+	-@erase ".\Debug\pkcs11-keygen.exe"
+	-@erase ".\Debug\pkcs11-keygen.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-keygen.sbr"
+
+"$(OUTDIR)\keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-keygen.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
+
+".\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("keygen.dep")
+!INCLUDE "keygen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "keygen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "keygen - Win32 Release" || "$(CFG)" == "keygen - Win32 Debug"
+SOURCE="..\pkcs11-keygen.c"
+
+!IF  "$(CFG)" == "keygen - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-keygen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-keygen.obj"	"$(INTDIR)\pkcs11-keygen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/list.dsp b/bin/pkcs11/win32/list.dsp
new file mode 100644
index 0000000000..514b516c50
--- /dev/null
+++ b/bin/pkcs11/win32/list.dsp
@@ -0,0 +1,119 @@
+# Microsoft Developer Studio Project File - Name="list" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=list - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "list.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "list.mak" CFG="list - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "list - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "list - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "list - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-list.exe"
+
+!ELSEIF  "$(CFG)" == "list - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-list.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "list - Win32 Release"
+# Name "list - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-list.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/list.dsw b/bin/pkcs11/win32/list.dsw
new file mode 100644
index 0000000000..6b4b781220
--- /dev/null
+++ b/bin/pkcs11/win32/list.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "list"=".\list.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/list.mak b/bin/pkcs11/win32/list.mak
new file mode 100644
index 0000000000..8fcc585b69
--- /dev/null
+++ b/bin/pkcs11/win32/list.mak
@@ -0,0 +1,296 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on list.dsp
+!IF "$(CFG)" == ""
+CFG=list - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to list - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "list - Win32 Release" && "$(CFG)" != "list - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "list.mak" CFG="list - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "list - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "list - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "list - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "list - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : ".\Release\pkcs11-list.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-list.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase ".\Release\pkcs11-list.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\list.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" /machine:I386 /out:"./Release/pkcs11-list.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
+
+".\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "list - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : ".\Debug\pkcs11-list.exe" "$(OUTDIR)\list.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-list.obj"
+	-@erase "$(INTDIR)\pkcs11-list.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-list.pdb"
+	-@erase "$(OUTDIR)\list.bsc"
+	-@erase ".\Debug\pkcs11-list.exe"
+	-@erase ".\Debug\pkcs11-list.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\list.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-list.sbr"
+
+"$(OUTDIR)\list.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-list.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
+
+".\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("list.dep")
+!INCLUDE "list.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "list.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "list - Win32 Release" || "$(CFG)" == "list - Win32 Debug"
+SOURCE="..\pkcs11-list.c"
+
+!IF  "$(CFG)" == "list - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-list.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "list - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-list.obj"	"$(INTDIR)\pkcs11-list.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/pkcs11.dsw b/bin/pkcs11/win32/pkcs11.dsw
new file mode 100644
index 0000000000..d335fe2f75
--- /dev/null
+++ b/bin/pkcs11/win32/pkcs11.dsw
@@ -0,0 +1,53 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "keygen"=".\keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "list"=".\list.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "destroy"=".\destroy.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/setprovider b/bin/pkcs11/win32/setprovider
new file mode 100644
index 0000000000..5b35b146ca
--- /dev/null
+++ b/bin/pkcs11/win32/setprovider
@@ -0,0 +1,71 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setprovider,v 1.2 2009/10/05 13:02:31 fdupont Exp $
+
+# setprovider
+# This script sets the provider name in the build scripts.
+#
+# for instance: setprovider bp201w32HSM
+#
+
+if ($#ARGV != 0) {
+	die "Usage: perl setprovider \n"
+}
+
+my $provider=$ARGV[0];
+
+$provider =~ s|\.[dD][lL][lL]$||;
+
+# List of files that need to be updated
+@filelist = ("./keygen.mak", "./keygen.dsp",
+	     "./list.mak", "./list.dsp",
+	     "./destroy.mak", "./destroy.dsp");
+
+# function to replace the provider define
+sub updatefile {
+        my($filename, $substr, $line);
+        my(@Lines);
+
+        $filename = $_[0];
+        $substr   = $_[1];
+
+        open (RFILE, $filename) || die "Can't open file $filename: $!";
+        @Lines = ;
+        close (RFILE);
+
+        # Replace the string
+        foreach $line (@Lines) {
+                $line =~ s/unknown_provider/$substr/gi;
+        }
+        #update the file
+        open (RFILE, ">$filename") || die "Can't open file $filename: $!";
+        foreach $line (@Lines) {
+               print RFILE $line;
+        }
+        close(RFILE);
+}
+
+#Update the list of files
+if ($provider ne 0) {
+   $ind = 0;
+   print "Provider is $provider\n";
+   foreach $file (@filelist) {
+        print "Updating file $file\n";
+	updatefile($file, $provider);
+	$ind++;
+   }
+}
diff --git a/bin/pkcs11/win32/win32.c b/bin/pkcs11/win32/win32.c
index d93937c0e6..5c39654128 100644
--- a/bin/pkcs11/win32/win32.c
+++ b/bin/pkcs11/win32/win32.c
@@ -107,10 +107,10 @@ getopt(int nargc, char * const nargv[], const char *ostr)
 /* load PKCS11 DLL */
 
 #ifndef PK11_LIB_LOCATION
-#define PK11_LIB_LOCATION "bp201w32HSM"
+#error "PK11_LIB_LOCATION is not defined"
 #endif
 
-const char pk11_libname[] = PK11_LIB_LOCATION ".dll";
+const char *pk11_libname = PK11_LIB_LOCATION ".dll";
 
 HINSTANCE hPK11 = NULL;
 
@@ -121,6 +121,12 @@ C_Initialize(CK_VOID_PTR pReserved)
 {
 	CK_C_Initialize sym;
 
+	if (pk11_libname == NULL)
+		return 0xfe;
+	/* Visual Studio convertion issue... */
+	if (*pk11_libname == ' ')
+		pk11_libname++;
+
 	hPK11 = LoadLibraryA(pk11_libname);
 
 	if (hPK11 == NULL)

From e8537284778a55355fc60565a5aa14e17d15db37 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 13:20:06 +0000
Subject: [PATCH 253/385] update OpenSSL PKCS#11 patch (rt19910)

---
 bin/pkcs11/openssl-0.9.8k-patch | 5453 ++++++++++++++++---------------
 1 file changed, 2875 insertions(+), 2578 deletions(-)

diff --git a/bin/pkcs11/openssl-0.9.8k-patch b/bin/pkcs11/openssl-0.9.8k-patch
index 79f3aa80a7..f97396a6a9 100644
--- a/bin/pkcs11/openssl-0.9.8k-patch
+++ b/bin/pkcs11/openssl-0.9.8k-patch
@@ -1,27 +1,30 @@
 Index: openssl/Configure
-diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
+diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7
 --- openssl/Configure:1.1.3.1	Mon Feb 16 08:44:22 2009
-+++ openssl/Configure	Fri Sep  4 10:43:21 2009
++++ openssl/Configure	Mon Oct  5 13:16:50 2009
 @@ -12,7 +12,7 @@
  
  # see INSTALL for instructions.
  
 -my $usage="Usage: Configure [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
-+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no- ...] [enable- ...] [experimental- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
  
  # Options:
  #
-@@ -21,6 +21,9 @@
+@@ -21,6 +21,12 @@
  # --prefix      prefix for the OpenSSL include, lib and bin directories
  #               (Default: the OPENSSLDIR directory)
  #
 +# --pk11-libname  PKCS#11 library name.
-+#               (Default: none)
++#               (No default)
++#
++# --pk11-flavor either crypto-accelerator or sign-only
++#               (No default)
 +#
  # --install_prefix  Additional prefix for package builders (empty by
  #               default).  This needn't be set in advance, you can
  #               just as well use "make INSTALL_PREFIX=/whatever install".
-@@ -329,7 +332,7 @@
+@@ -329,7 +335,7 @@
  "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
  #### IA-32 targets...
  "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -30,17 +33,27 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
  "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
  ####
  "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-@@ -580,6 +583,9 @@
+@@ -337,7 +343,7 @@
+ "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### SPARC Linux setups
+ # Ray Miller  has patiently
+ # assisted with debugging of following two configs.
+@@ -580,6 +586,10 @@
  my $idx_ranlib = $idx++;
  my $idx_arflags = $idx++;
  
 +# PKCS#11 engine patch
 +my $pk11_libname="";
++my $pk11_flavor="";
 +
  my $prefix="";
  my $openssldir="";
  my $exe_ext="";
-@@ -812,6 +818,10 @@
+@@ -812,6 +822,14 @@
  				{
  				$flags.=$_." ";
  				}
@@ -48,10 +61,14 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
 +                                {
 +                                $pk11_libname=$1;
 +                                }
++			elsif (/^--pk11-flavor=(.*)$/)
++				{
++				$pk11_flavor=$1;
++				}
  			elsif (/^--prefix=(.*)$/)
  				{
  				$prefix=$1;
-@@ -943,6 +953,13 @@
+@@ -943,6 +961,22 @@
  	exit 0;
  }
  
@@ -61,11 +78,46 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
 +        print STDERR "See README.pkcs11 for more information.\n";
 +        exit 1;
 +        }
++
++if (! $pk11_flavor
++    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
++	{
++	print STDERR "You must set --pk11-flavor.\n";
++	print STDERR "Choices are crypto-accelerator and sign-only.\n";
++	print STDERR "See README.pkcs11 for more information.\n";
++	exit 1;
++	}
 +
  if ($target =~ m/^CygWin32(-.*)$/) {
  	$target = "Cygwin".$1;
  }
-@@ -1103,6 +1120,8 @@
+@@ -1057,6 +1091,25 @@
+ 	print "\n";
+ 	}
+ 
++if ($pk11_flavor eq "crypto-accelerator")
++	{
++	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
++	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
++	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
++	$options .= " no-hw-pkcs11so";
++	print "    no-hw-pkcs11so  [pk11-flavor]";
++	print " OPENSSL_NO_HW_PKCS11SO\n";
++	}
++else
++	{
++	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
++	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
++	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
++	$options .= " no-hw-pkcs11ca";
++	print "    no-hw-pkcs11ca  [pk11-flavor]";
++	print " OPENSSL_NO_HW_PKCS11CA\n";
++}
++
+ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
+ 
+ $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
+@@ -1103,6 +1156,8 @@
  if ($flags ne "")	{ $cflags="$flags$cflags"; }
  else			{ $no_user_cflags=1;       }
  
@@ -74,7 +126,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.6
  # Kerberos settings.  The flavor must be provided from outside, either through
  # the script "config" or manually.
  if (!$no_krb5)
-@@ -1456,6 +1475,7 @@
+@@ -1456,6 +1511,7 @@
  	s/^VERSION=.*/VERSION=$version/;
  	s/^MAJOR=.*/MAJOR=$major/;
  	s/^MINOR=.*/MINOR=$minor/;
@@ -97,10 +149,27 @@ diff -u openssl/Makefile.org:1.1.3.1 openssl/Makefile.org:1.3
  OPENSSLDIR=/usr/local/ssl
  
 Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.5
---- /dev/null	Mon Oct  5 11:08:12 2009
-+++ openssl/README.pkcs11	Fri Sep  4 10:43:21 2009
-@@ -0,0 +1,230 @@
+diff -u /dev/null openssl/README.pkcs11:1.6
+--- /dev/null	Mon Oct  5 13:17:23 2009
++++ openssl/README.pkcs11	Mon Oct  5 13:16:50 2009
+@@ -0,0 +1,247 @@
++ISC modified
++============
++
++The PKCS#11 engine exists in two flavors, crypto-accelerator and
++sign-only. The first one is from the Solaris patch and uses the
++PKCS#11 device for all crypto operations it supports. The second
++is a stripped down version which provides only the useful
++function (i.e., signature with a RSA private key in the device
++protected key store and key loading).
++
++As a hint PKCS#11 boards should use the crypto-accelerator flavor,
++external PKCS#11 devices the sign-only. SCA 6000 is an example
++of the first, AEP Keyper of the second.
++
++Note it is mandatory to set a pk11-flavor (and only one) in
++config/Configure.
++
 +PKCS#11 engine support for OpenSSL 0.9.8j
 +=========================================
 +
@@ -403,27 +472,27 @@ diff -u openssl/crypto/opensslconf.h:1.1.3.1 openssl/crypto/opensslconf.h:1.5
  
  /* These default values were supplied by
 Index: openssl/crypto/engine/Makefile
-diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.4
+diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.5
 --- openssl/crypto/engine/Makefile:1.1.3.1	Wed Sep 17 17:10:59 2008
-+++ openssl/crypto/engine/Makefile	Fri Sep  4 10:43:22 2009
++++ openssl/crypto/engine/Makefile	Mon Oct  5 13:16:50 2009
 @@ -21,12 +21,14 @@
  	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
  	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
  	tb_cipher.c tb_digest.c \
 -	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
 +	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
-+	hw_pk11.c hw_pk11_pub.c
++	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
  LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
  	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
  	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
  	tb_cipher.o tb_digest.o \
 -	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
 +	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
-+	hw_pk11.o hw_pk11_pub.o
++	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
  
  SRC= $(LIBSRC)
  
-@@ -286,6 +288,54 @@
+@@ -286,6 +288,102 @@
  eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
  eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
  eng_table.o: eng_table.c
@@ -475,12 +544,60 @@ diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.
 +hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
 +hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
 +hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
++hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
++hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
  tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
  tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
  tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 Index: openssl/crypto/engine/cryptoki.h
 diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
 @@ -0,0 +1,103 @@
 +/*
@@ -587,1652 +704,62 @@ diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
 +
 +#endif	/* _CRYPTOKI_H */
 Index: openssl/crypto/engine/eng_all.c
-diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c:1.2
+diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c:1.3
 --- openssl/crypto/engine/eng_all.c:1.1.3.1	Wed Jun  4 18:01:39 2008
-+++ openssl/crypto/engine/eng_all.c	Wed Oct 15 15:39:48 2008
-@@ -110,6 +110,9 @@
++++ openssl/crypto/engine/eng_all.c	Mon Oct  5 13:16:50 2009
+@@ -110,6 +110,14 @@
  #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
  	ENGINE_load_capi();
  #endif
 +#ifndef OPENSSL_NO_HW_PKCS11
-+	ENGINE_load_pk11();
++#ifndef OPENSSL_NO_HW_PKCS11CA
++	ENGINE_load_pk11ca();
++#endif
++#ifndef OPENSSL_NO_HW_PKCS11SO
++	ENGINE_load_pk11so();
++#endif
 +#endif
  #endif
  	}
  
+Index: openssl/crypto/engine/eng_list.c
+diff -u openssl/crypto/engine/eng_list.c:1.1.3.1 openssl/crypto/engine/eng_list.c:1.2
+--- openssl/crypto/engine/eng_list.c:1.1.3.1	Sat Aug  6 10:34:35 2005
++++ openssl/crypto/engine/eng_list.c	Mon Oct  5 13:16:50 2009
+@@ -408,7 +408,11 @@
+ 				!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
+ 					load_dir, 0) ||
+ 				!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
++			{
++				if (iterator)
++					ENGINE_free(iterator);
+ 				goto notfound;
++			}
+ 		return iterator;
+ 		}
+ notfound:
 Index: openssl/crypto/engine/engine.h
-diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1.2
+diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1.3
 --- openssl/crypto/engine/engine.h:1.1.3.1	Wed Jun  4 18:01:40 2008
-+++ openssl/crypto/engine/engine.h	Wed Oct 15 15:39:48 2008
-@@ -337,6 +337,7 @@
++++ openssl/crypto/engine/engine.h	Mon Oct  5 13:16:50 2009
+@@ -337,6 +337,12 @@
  void ENGINE_load_ubsec(void);
  #endif
  void ENGINE_load_cryptodev(void);
-+void ENGINE_load_pk11(void);
++#ifndef OPENSSL_NO_HW_PKCS11CA
++void ENGINE_load_pk11ca(void);
++#endif
++#ifndef OPENSSL_NO_HW_PKCS11SO
++void ENGINE_load_pk11so(void);
++#endif
  void ENGINE_load_padlock(void);
  void ENGINE_load_builtin_engines(void);
  #ifndef OPENSSL_NO_CAPIENG
-Index: openssl/crypto/engine/hw_pk11-kp.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11-kp.c:1.20
---- /dev/null	Mon Oct  5 11:08:14 2009
-+++ openssl/crypto/engine/hw_pk11-kp.c	Tue Sep  1 06:02:18 2009
-@@ -0,0 +1,1611 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Modified to keep only RNG and RSA Sign */
-+
-+#ifdef OPENSSL_NO_RSA
-+#error RSA is disabled
-+#endif
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#ifdef OPENSSL_SYS_WIN32
-+typedef int pid_t;
-+#define getpid() GetCurrentProcessId()
-+#define NOPTHREADS
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include 
-+#include 
-+#include 
-+#endif
-+
-+#ifndef NOPTHREADS
-+#include 
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+/* label for debug messages printed on stderr */
-+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
-+/* prints a lot of debug messages on stderr about slot selection process */
-+#undef	DEBUG_SLOT_SELECTION
-+
-+#ifndef OPENSSL_NO_DSA
-+#define OPENSSL_NO_DSA
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#define OPENSSL_NO_DH
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11_err.c"
-+
-+/* PKCS#11 session caches and their locks for all operation types */
-+static PK11_CACHE session_cache[OP_MAX];
-+
-+/*
-+ * As stated in v2.20, 11.7 Object Management Function, in section for
-+ * C_FindObjectsInit(), at most one search operation may be active at a given
-+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
-+ * grouped together to form one atomic search operation. This is already
-+ * ensured by the property of unique PKCS#11 session handle used for each
-+ * PK11_SESSION object.
-+ *
-+ * This is however not the biggest concern - maintaining consistency of the
-+ * underlying object store is more important. The same section of the spec also
-+ * says that one thread can be in the middle of a search operation while another
-+ * thread destroys the object matching the search template which would result in
-+ * invalid handle returned from the search operation.
-+ *
-+ * Hence, the following locks are used for both protection of the object stores.
-+ * They are also used for active list protection.
-+ */
-+#ifndef NOPTHREADS
-+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
-+#endif
-+
-+/*
-+ * lists of asymmetric key handles which are active (referenced by at least one
-+ * PK11_SESSION structure, either held by a thread or present in free_session
-+ * list) for given algorithm type
-+ */
-+PK11_active *active_list[OP_MAX] = { NULL };
-+
-+/*
-+ * Create all secret key objects in a global session so that they are available
-+ * to use for other sessions. These other sessions may be opened or closed
-+ * without losing the secret key objects.
-+ */
-+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
-+
-+/* ENGINE level stuff */
-+static int pk11_init(ENGINE *e);
-+static int pk11_library_init(ENGINE *e);
-+static int pk11_finish(ENGINE *e);
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
-+static int pk11_destroy(ENGINE *e);
-+
-+/* RAND stuff */
-+static void pk11_rand_seed(const void *buf, int num);
-+static void pk11_rand_add(const void *buf, int num, double add_entropy);
-+static void pk11_rand_cleanup(void);
-+static int pk11_rand_bytes(unsigned char *buf, int num);
-+static int pk11_rand_status(void);
-+
-+/* These functions are also used in other files */
-+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
-+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+
-+/* active list manipulation functions used in this file */
-+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
-+extern void pk11_free_active_list(PK11_OPTYPE type);
-+
-+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
-+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
-+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
-+
-+/* Local helper functions */
-+static int pk11_free_all_sessions(void);
-+static int pk11_free_session_list(PK11_OPTYPE optype);
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
-+static int pk11_destroy_object(CK_SESSION_HANDLE session,
-+	CK_OBJECT_HANDLE oh);
-+static const char *get_PK11_LIBNAME(void);
-+static void free_PK11_LIBNAME(void);
-+static long set_PK11_LIBNAME(const char *name);
-+
-+static int pk11_choose_slots(int *any_slot_found);
-+
-+static int pk11_init_all_locks(void);
-+static void pk11_free_all_locks(void);
-+
-+#define	TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
-+		{							\
-+		retval = pk11_destroy_object(sess_hdl, obj_hdl);	\
-+		}							\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+#define	TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
-+	{								\
-+	if (uselock)							\
-+		LOCK_OBJSTORE(alg_type);				\
-+	(void) pk11_active_delete(obj_hdl, alg_type);			\
-+	if (uselock)							\
-+		UNLOCK_OBJSTORE(alg_type);				\
-+	}
-+
-+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
-+static CK_BBOOL pk11_have_random = CK_FALSE;
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * The definitions for control commands specific to this engine
-+ */
-+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
-+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
-+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
-+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
-+	{
-+		{
-+		PK11_CMD_SO_PATH,
-+		"SO_PATH",
-+		"Specifies the path to the 'pkcs#11' shared library",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_PIN,
-+		"PIN",
-+		"Specifies the pin code",
-+		ENGINE_CMD_FLAG_STRING
-+		},
-+		{
-+		PK11_CMD_SLOT,
-+		"SLOT",
-+		"Specifies the slot (default is auto select)",
-+		ENGINE_CMD_FLAG_NUMERIC,
-+		},
-+		{0, NULL, NULL, 0}
-+	};
-+
-+
-+static RAND_METHOD pk11_random =
-+	{
-+	pk11_rand_seed,
-+	pk11_rand_bytes,
-+	pk11_rand_cleanup,
-+	pk11_rand_add,
-+	pk11_rand_bytes,
-+	pk11_rand_status
-+	};
-+
-+
-+/* Constants used when creating the ENGINE */
-+static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name = "PKCS #11 engine support";
-+
-+CK_FUNCTION_LIST_PTR pFuncList = NULL;
-+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
-+
-+/*
-+ * These is the static string constant for the DSO file name and the function
-+ * symbol names to bind to.
-+ */
-+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
-+
-+static CK_SLOT_ID pubkey_SLOTID = 0;
-+static CK_SLOT_ID rand_SLOTID = 0;
-+static CK_SLOT_ID SLOTID = 0;
-+char *pk11_pin = NULL;
-+static CK_BBOOL pk11_library_initialized = FALSE;
-+static CK_BBOOL pk11_atfork_initialized = FALSE;
-+static int pk11_pid = 0;
-+
-+static DSO *pk11_dso = NULL;
-+
-+/* allocate and initialize all locks used by the engine itself */
-+static int pk11_init_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
-+	if (find_lock[OP_RSA] == NULL)
-+		goto malloc_err;
-+	(void) pthread_mutex_init(find_lock[OP_RSA], NULL);
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		session_cache[type].lock =
-+		    OPENSSL_malloc(sizeof (pthread_mutex_t));
-+		if (session_cache[type].lock == NULL)
-+			goto malloc_err;
-+		(void) pthread_mutex_init(session_cache[type].lock, NULL);
-+		}
-+
-+	return (1);
-+
-+malloc_err:
-+	pk11_free_all_locks();
-+	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
-+	return (0);
-+#else
-+	return (1);
-+#endif
-+	}
-+
-+static void pk11_free_all_locks(void)
-+	{
-+#ifndef NOPTHREADS
-+	int type;
-+
-+	if (find_lock[OP_RSA] != NULL)
-+		{
-+		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
-+		OPENSSL_free(find_lock[OP_RSA]);
-+		find_lock[OP_RSA] = NULL;
-+		}
-+
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (session_cache[type].lock != NULL)
-+			{
-+			(void) pthread_mutex_destroy(session_cache[type].lock);
-+			OPENSSL_free(session_cache[type].lock);
-+			session_cache[type].lock = NULL;
-+			}
-+		}
-+#endif
-+	}
-+
-+/*
-+ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
-+ */
-+static int bind_pk11(ENGINE *e)
-+	{
-+	if (!pk11_library_initialized)
-+		if (!pk11_library_init(e))
-+			return (0);
-+
-+	if (!ENGINE_set_id(e, engine_pk11_id) ||
-+	    !ENGINE_set_name(e, engine_pk11_name))
-+		return (0);
-+
-+	if (pk11_have_rsa == CK_TRUE)
-+		{
-+		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
-+		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
-+		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+
-+	if (pk11_have_random)
-+		{
-+		if (!ENGINE_set_RAND(e, &pk11_random))
-+			return (0);
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: registered random\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		}
-+	if (!ENGINE_set_init_function(e, pk11_init) ||
-+	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
-+	    !ENGINE_set_finish_function(e, pk11_finish) ||
-+	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
-+	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
-+		return (0);
-+
-+	/* Ensure the pk11 error handling is set up */
-+	ERR_load_pk11_strings();
-+
-+	return (1);
-+	}
-+
-+/* Dynamic engine support is disabled at a higher level for Solaris */
-+#ifdef	ENGINE_DYNAMIC_SUPPORT
-+static int bind_helper(ENGINE *e, const char *id)
-+	{
-+	if (id && (strcmp(id, engine_pk11_id) != 0))
-+		return (0);
-+
-+	if (!bind_pk11(e))
-+		return (0);
-+
-+	return (1);
-+	}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#else
-+static ENGINE *engine_pk11(void)
-+	{
-+	ENGINE *ret = ENGINE_new();
-+
-+	if (!ret)
-+		return (NULL);
-+
-+	if (!bind_pk11(ret))
-+		{
-+		ENGINE_free(ret);
-+		return (NULL);
-+		}
-+
-+	return (ret);
-+	}
-+
-+void
-+ENGINE_load_pk11(void)
-+	{
-+	ENGINE *e_pk11 = NULL;
-+
-+	/*
-+	 * Do not use dynamic PKCS#11 library on Solaris due to
-+	 * security reasons. We will link it in statically.
-+	 */
-+	/* Attempt to load PKCS#11 library */
-+	if (!pk11_dso)
-+		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
-+		return;
-+		}
-+
-+	e_pk11 = engine_pk11();
-+	if (!e_pk11)
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		return;
-+		}
-+
-+	/*
-+	 * At this point, the pk11 shared library is either dynamically
-+	 * loaded or statically linked in. So, initialize the pk11
-+	 * library before calling ENGINE_set_default since the latter
-+	 * needs cipher and digest algorithm information
-+	 */
-+	if (!pk11_library_init(e_pk11))
-+		{
-+		DSO_free(pk11_dso);
-+		pk11_dso = NULL;
-+		ENGINE_free(e_pk11);
-+		return;
-+		}
-+
-+	ENGINE_add(e_pk11);
-+
-+	ENGINE_free(e_pk11);
-+	ERR_clear_error();
-+	}
-+#endif	/* ENGINE_DYNAMIC_SUPPORT */
-+
-+/*
-+ * These are the static string constants for the DSO file name and
-+ * the function symbol names to bind to.
-+ */
-+static const char *PK11_LIBNAME = NULL;
-+
-+static const char *get_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		return (PK11_LIBNAME);
-+
-+	return (def_PK11_LIBNAME);
-+	}
-+
-+static void free_PK11_LIBNAME(void)
-+	{
-+	if (PK11_LIBNAME)
-+		OPENSSL_free((void*)PK11_LIBNAME);
-+
-+	PK11_LIBNAME = NULL;
-+	}
-+
-+static long set_PK11_LIBNAME(const char *name)
-+	{
-+	free_PK11_LIBNAME();
-+
-+	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
-+	}
-+
-+/* acquire all engine specific mutexes before fork */
-+static void pk11_fork_prepare(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	LOCK_OBJSTORE(OP_RSA);
-+	for (i = 0; i < OP_MAX; i++)
-+		{
-+		(void) pthread_mutex_lock(session_cache[i].lock);
-+		}
-+#endif
-+	}
-+
-+/* release all engine specific mutexes */
-+static void pk11_fork_parent(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		(void) pthread_mutex_unlock(session_cache[i].lock);
-+		}
-+	UNLOCK_OBJSTORE(OP_RSA);
-+#endif
-+	}
-+
-+/*
-+ * same situation as in parent - we need to unlock all locks to make them
-+ * accessible to all threads.
-+ */
-+static void pk11_fork_child(void)
-+	{
-+#ifndef NOPTHREADS
-+	int i;
-+
-+	if (!pk11_library_initialized)
-+		return;
-+
-+	for (i = OP_MAX - 1; i >= 0; i--)
-+		{
-+		(void) pthread_mutex_unlock(session_cache[i].lock);
-+		}
-+	UNLOCK_OBJSTORE(OP_RSA);
-+#endif
-+	}
-+
-+/* Initialization function for the pk11 engine */
-+static int pk11_init(ENGINE *e)
-+{
-+	return (pk11_library_init(e));
-+}
-+
-+/*
-+ * Initialization function. Sets up various PKCS#11 library components.
-+ * It selects a slot based on predefined critiera. In the process, it also
-+ * count how many ciphers and digests to support. Since the cipher and
-+ * digest information is needed when setting default engine, this function
-+ * needs to be called before calling ENGINE_set_default.
-+ */
-+/* ARGSUSED */
-+static int pk11_library_init(ENGINE *e)
-+	{
-+	CK_C_GetFunctionList p;
-+	CK_RV rv = CKR_OK;
-+	CK_INFO info;
-+	int any_slot_found;
-+	int i;
-+#ifndef OPENSSL_SYS_WIN32
-+	struct sigaction sigint_act, sigterm_act, sighup_act;
-+#endif
-+
-+	/*
-+	 * pk11_library_initialized is set to 0 in pk11_finish() which is called
-+	 * from ENGINE_finish(). However, if there is still at least one
-+	 * existing functional reference to the engine (see engine(3) for more
-+	 * information), pk11_finish() is skipped. For example, this can happen
-+	 * if an application forgets to clear one cipher context. In case of a
-+	 * fork() when the application is finishing the engine so that it can be
-+	 * reinitialized in the child, forgotten functional reference causes
-+	 * pk11_library_initialized to stay 1. In that case we need the PID
-+	 * check so that we properly initialize the engine again.
-+	 */
-+	if (pk11_library_initialized)
-+		{
-+		if (pk11_pid == getpid())
-+			{
-+			return (1);
-+			}
-+		else
-+			{
-+			global_session = CK_INVALID_HANDLE;
-+			/*
-+			 * free the locks first to prevent memory leak in case
-+			 * the application calls fork() without finishing the
-+			 * engine first.
-+			 */
-+			pk11_free_all_locks();
-+			}
-+		}
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the C_GetFunctionList function from the loaded library */
-+	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
-+		PK11_GET_FUNCTION_LIST);
-+	if (!p)
-+		{
-+		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+
-+	/* get the full function list from the loaded library */
-+	rv = p(&pFuncList);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
-+		goto err;
-+		}
-+
-+#ifndef OPENSSL_SYS_WIN32
-+	/* Not all PKCS#11 library are signal safe! */
-+
-+	(void) memset(&sigint_act, 0, sizeof(sigint_act));
-+	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
-+	(void) memset(&sighup_act, 0, sizeof(sighup_act));
-+	(void) sigaction(SIGINT, NULL, &sigint_act);
-+	(void) sigaction(SIGTERM, NULL, &sigterm_act);
-+	(void) sigaction(SIGHUP, NULL, &sighup_act);
-+#endif
-+	rv = pFuncList->C_Initialize(NULL_PTR);
-+#ifndef OPENSSL_SYS_WIN32
-+	(void) sigaction(SIGINT, &sigint_act, NULL);
-+	(void) sigaction(SIGTERM, &sigterm_act, NULL);
-+	(void) sigaction(SIGHUP, &sighup_act, NULL);
-+#endif
-+	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
-+		goto err;
-+		}
-+
-+	rv = pFuncList->C_GetInfo(&info);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
-+		goto err;
-+		}
-+
-+	if (pk11_choose_slots(&any_slot_found) == 0)
-+		goto err;
-+
-+	/*
-+	 * The library we use, set in def_PK11_LIBNAME, may not offer any
-+	 * slot(s). In that case, we must not proceed but we must not return an
-+	 * error. The reason is that applications that try to set up the PKCS#11
-+	 * engine don't exit on error during the engine initialization just
-+	 * because no slot was present.
-+	 */
-+	if (any_slot_found == 0)
-+		return (1);
-+
-+	if (global_session == CK_INVALID_HANDLE)
-+		{
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LIBRARY_INIT,
-+			    PK11_R_OPENSESSION, rv);
-+			goto err;
-+			}
-+		}
-+
-+	pk11_library_initialized = TRUE;
-+	pk11_pid = getpid();
-+	/*
-+	 * if initialization of the locks fails pk11_init_all_locks()
-+	 * will do the cleanup.
-+	 */
-+	if (!pk11_init_all_locks())
-+		goto err;
-+	for (i = 0; i < OP_MAX; i++)
-+		session_cache[i].head = NULL;
-+	/*
-+	 * initialize active lists. We only use active lists
-+	 * for asymmetric ciphers.
-+	 */
-+	for (i = 0; i < OP_MAX; i++)
-+		active_list[i] = NULL;
-+
-+#ifndef NOPTHREADS
-+	if (!pk11_atfork_initialized)
-+		{
-+		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
-+		    pk11_fork_child) != 0)
-+			{
-+			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
-+			goto err;
-+			}
-+		pk11_atfork_initialized = TRUE;
-+		}
-+#endif
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Destructor (complements the "ENGINE_pk11()" constructor) */
-+/* ARGSUSED */
-+static int pk11_destroy(ENGINE *e)
-+	{
-+	free_PK11_LIBNAME();
-+	ERR_unload_pk11_strings();
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+	return (1);
-+	}
-+
-+/*
-+ * Termination function to clean up the session, the token, and the pk11
-+ * library.
-+ */
-+/* ARGSUSED */
-+static int pk11_finish(ENGINE *e)
-+	{
-+	int i;
-+
-+	if (pk11_pin) {
-+		memset(pk11_pin, 0, strlen(pk11_pin));
-+		OPENSSL_free((void*)pk11_pin);
-+	}
-+	pk11_pin = NULL;
-+
-+	if (pk11_dso == NULL)
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
-+		goto err;
-+		}
-+
-+	OPENSSL_assert(pFuncList != NULL);
-+
-+	if (pk11_free_all_sessions() == 0)
-+		goto err;
-+
-+	/* free all active lists */
-+	for (i = 0; i < OP_MAX; i++)
-+		pk11_free_active_list(i);
-+
-+	pFuncList->C_CloseSession(global_session);
-+	global_session = CK_INVALID_HANDLE;
-+
-+	/*
-+	 * Since we are part of a library (libcrypto.so), calling this function
-+	 * may have side-effects.
-+	 */
-+#if 0
-+	pFuncList->C_Finalize(NULL);
-+#endif
-+
-+	if (!DSO_free(pk11_dso))
-+		{
-+		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
-+		goto err;
-+		}
-+	pk11_dso = NULL;
-+	pFuncList = NULL;
-+	pk11_library_initialized = FALSE;
-+	pk11_pid = 0;
-+	/*
-+	 * There is no way how to unregister atfork handlers (other than
-+	 * unloading the library) so we just free the locks. For this reason
-+	 * the atfork handlers check if the engine is initialized and bail out
-+	 * immediately if not. This is necessary in case a process finishes
-+	 * the engine before calling fork().
-+	 */
-+	pk11_free_all_locks();
-+
-+	return (1);
-+
-+err:
-+	return (0);
-+	}
-+
-+/* Standard engine interface function to set the dynamic library path */
-+/* ARGSUSED */
-+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
-+	{
-+	int initialized = ((pk11_dso == NULL) ? 0 : 1);
-+
-+	switch (cmd)
-+		{
-+	case PK11_CMD_SO_PATH:
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		if (initialized)
-+			{
-+			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
-+			return (0);
-+			}
-+
-+		return (set_PK11_LIBNAME((const char *)p));
-+	case PK11_CMD_PIN:
-+		if (pk11_pin) {
-+			memset(pk11_pin, 0, strlen(pk11_pin));
-+			OPENSSL_free((void*)pk11_pin);
-+		}
-+		pk11_pin = NULL;
-+
-+		if (p == NULL)
-+			{
-+			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-+			return (0);
-+			}
-+
-+		pk11_pin = BUF_strdup(p);
-+		if (pk11_pin == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
-+			return (0);
-+			}
-+		return (1);
-+	case PK11_CMD_SLOT:
-+		SLOTID = (CK_SLOT_ID)i;
-+#ifdef DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: slot set\n", PK11_DBG);
-+#endif
-+		return (1);
-+	default:
-+		break;
-+		}
-+
-+	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
-+
-+	return (0);
-+	}
-+
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static void pk11_rand_cleanup(void)
-+	{
-+	return;
-+	}
-+
-+/* ARGSUSED */
-+static void pk11_rand_add(const void *buf, int num, double add)
-+	{
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return;
-+
-+	/*
-+	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
-+	 * the calling functions do not care anyway
-+	 */
-+	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
-+	pk11_return_session(sp, OP_RAND);
-+
-+	return;
-+	}
-+
-+static void pk11_rand_seed(const void *buf, int num)
-+	{
-+	pk11_rand_add(buf, num, 0);
-+	}
-+
-+static int pk11_rand_bytes(unsigned char *buf, int num)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp;
-+
-+	if ((sp = pk11_get_session(OP_RAND)) == NULL)
-+		return (0);
-+
-+	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
-+		pk11_return_session(sp, OP_RAND);
-+		return (0);
-+		}
-+
-+	pk11_return_session(sp, OP_RAND);
-+	return (1);
-+	}
-+
-+/* Required function by the engine random interface. It does nothing here */
-+static int pk11_rand_status(void)
-+	{
-+	return (1);
-+	}
-+
-+/* Free all BIGNUM structures from PK11_SESSION. */
-+static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+			if (sp->opdata_rsa_n_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_n_num);
-+				sp->opdata_rsa_n_num = NULL;
-+				}
-+			if (sp->opdata_rsa_e_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_e_num);
-+				sp->opdata_rsa_e_num = NULL;
-+				}
-+			if (sp->opdata_rsa_d_num != NULL)
-+				{
-+				BN_free(sp->opdata_rsa_d_num);
-+				sp->opdata_rsa_d_num = NULL;
-+				}
-+			break;
-+		default:
-+			break;
-+		}
-+	}
-+
-+/*
-+ * Get new PK11_SESSION structure ready for use. Every process must have
-+ * its own freelist of PK11_SESSION structures so handle fork() here
-+ * by destroying the old and creating new freelist.
-+ * The returned PK11_SESSION structure is disconnected from the freelist.
-+ */
-+PK11_SESSION *
-+pk11_get_session(PK11_OPTYPE optype)
-+	{
-+	PK11_SESSION *sp = NULL, *sp1, *freelist;
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock = NULL;
-+#endif
-+	CK_RV rv;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return (NULL);
-+		}
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	freelist = session_cache[optype].head;
-+	sp = freelist;
-+
-+	/*
-+	 * If the free list is empty, allocate new unitialized (filled
-+	 * with zeroes) PK11_SESSION structure otherwise return first
-+	 * structure from the freelist.
-+	 */
-+	if (sp == NULL)
-+		{
-+		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
-+			{
-+			PK11err(PK11_F_GET_SESSION,
-+				PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		(void) memset(sp, 0, sizeof (PK11_SESSION));
-+		}
-+	else
-+		{
-+		freelist = sp->next;
-+		}
-+
-+	if (sp->pid != 0 && sp->pid != getpid())
-+		{
-+		/*
-+		 * We are a new process and thus need to free any inherited
-+		 * PK11_SESSION objects.
-+		 */
-+		while ((sp1 = freelist) != NULL)
-+			{
-+			freelist = sp1->next;
-+			/*
-+			 * NOTE: we do not want to call pk11_free_all_sessions()
-+			 * here because it would close underlying PKCS#11
-+			 * sessions and destroy all objects.
-+			 */
-+			pk11_free_nums(sp1, optype);
-+			OPENSSL_free(sp1);
-+			}
-+
-+		/* we have to free the active list as well. */
-+		pk11_free_active_list(optype);
-+
-+		/* Initialize the process */
-+		rv = pFuncList->C_Initialize(NULL_PTR);
-+		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/*
-+		 * Choose slot here since the slot table is different on this
-+		 * process. If we are here then we must have found at least one
-+		 * usable slot before so we don't need to check any_slot_found.
-+		 * See pk11_library_init()'s usage of this function for more
-+		 * information.
-+		 */
-+		if (pk11_choose_slots(NULL) == 0)
-+			goto err;
-+
-+		/* Open the global_session for the new process */
-+		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &global_session);
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
-+			    rv);
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			goto err;
-+			}
-+
-+		/* It is an inherited session and needs re-initialization. */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+	if (sp->pid == 0)
-+		{
-+		/* It is a new session and needs initialization. */
-+		if (pk11_setup_session(sp, optype) == 0)
-+			{
-+			OPENSSL_free(sp);
-+			sp = NULL;
-+			}
-+		}
-+
-+	/* set new head for the list of PK11_SESSION objects */
-+	session_cache[optype].head = freelist;
-+
-+err:
-+	if (sp != NULL)
-+		sp->next = NULL;
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	return (sp);
-+	}
-+
-+
-+void
-+pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock;
-+#endif
-+	PK11_SESSION *freelist;
-+
-+	if (sp == NULL || sp->pid != getpid())
-+		return;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_RETURN_SESSION,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return;
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	freelist = session_cache[optype].head;
-+	sp->next = freelist;
-+	session_cache[optype].head = sp;
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	}
-+
-+
-+/* Destroy all objects. This function is called when the engine is finished */
-+static int pk11_free_all_sessions()
-+	{
-+	int ret = 1;
-+	int type;
-+
-+	(void) pk11_destroy_rsa_key_objects(NULL);
-+
-+	/*
-+	 * We try to release as much as we can but any error means that we will
-+	 * return 0 on exit.
-+	 */
-+	for (type = 0; type < OP_MAX; type++)
-+		{
-+		if (pk11_free_session_list(type) == 0)
-+			ret = 0;
-+		}
-+
-+	return (ret);
-+	}
-+
-+/*
-+ * Destroy session structures from the linked list specified. Free as many
-+ * sessions as possible but any failure in C_CloseSession() means that we
-+ * return an error on return.
-+ */
-+static int pk11_free_session_list(PK11_OPTYPE optype)
-+	{
-+	CK_RV rv;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *freelist = NULL;
-+	pid_t mypid = getpid();
-+#ifndef NOPTHREADS
-+	pthread_mutex_t *freelist_lock;
-+#endif
-+	int ret = 1;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+		case OP_DSA:
-+		case OP_DH:
-+		case OP_RAND:
-+		case OP_DIGEST:
-+		case OP_CIPHER:
-+#ifndef NOPTHREADS
-+			freelist_lock = session_cache[optype].lock;
-+#endif
-+			break;
-+		default:
-+			PK11err(PK11_F_FREE_ALL_SESSIONS,
-+				PK11_R_INVALID_OPERATION_TYPE);
-+			return (0);
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_lock(freelist_lock);
-+#else
-+	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	freelist = session_cache[optype].head;
-+	while ((sp = freelist) != NULL)
-+		{
-+		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
-+			{
-+			rv = pFuncList->C_CloseSession(sp->session);
-+			if (rv != CKR_OK)
-+				{
-+				PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
-+					PK11_R_CLOSESESSION, rv);
-+				ret = 0;
-+				}
-+			}
-+		freelist = sp->next;
-+		pk11_free_nums(sp, optype);
-+		OPENSSL_free(sp);
-+		}
-+
-+#ifndef NOPTHREADS
-+	(void) pthread_mutex_unlock(freelist_lock);
-+#else
-+	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+	return (ret);
-+	}
-+
-+
-+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
-+	{
-+	CK_RV rv;
-+	CK_SLOT_ID myslot;
-+
-+	switch (optype)
-+		{
-+		case OP_RSA:
-+			myslot = pubkey_SLOTID;
-+			break;
-+		case OP_RAND:
-+			myslot = rand_SLOTID;
-+			break;
-+		default:
-+			PK11err(PK11_F_SETUP_SESSION,
-+			    PK11_R_INVALID_OPERATION_TYPE);
-+			return (0);
-+		}
-+
-+	sp->session = CK_INVALID_HANDLE;
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+		NULL_PTR, NULL_PTR, &sp->session);
-+	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
-+		{
-+		/*
-+		 * We are probably a child process so force the
-+		 * reinitialize of the session
-+		 */
-+		pk11_library_initialized = FALSE;
-+		if (!pk11_library_init(NULL))
-+			return (0);
-+		rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
-+			NULL_PTR, NULL_PTR, &sp->session);
-+		}
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
-+		return (0);
-+		}
-+
-+	sp->pid = getpid();
-+
-+	if (optype == OP_RSA)
-+		{
-+		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_pub = NULL;
-+		sp->opdata_rsa_n_num = NULL;
-+		sp->opdata_rsa_e_num = NULL;
-+		sp->opdata_rsa_priv = NULL;
-+		sp->opdata_rsa_d_num = NULL;
-+		}
-+
-+	return (1);
-+	}
-+
-+/* Destroy RSA public key from single session. */
-+int
-+pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
-+	{
-+	int ret = 0;
-+
-+	if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
-+		{
-+		TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
-+		    ret, uselock, OP_RSA);
-+		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_pub = NULL;
-+		if (sp->opdata_rsa_n_num != NULL)
-+			{
-+			BN_free(sp->opdata_rsa_n_num);
-+			sp->opdata_rsa_n_num = NULL;
-+			}
-+		if (sp->opdata_rsa_e_num != NULL)
-+			{
-+			BN_free(sp->opdata_rsa_e_num);
-+			sp->opdata_rsa_e_num = NULL;
-+			}
-+		}
-+
-+	return (ret);
-+	}
-+
-+/* Destroy RSA private key from single session. */
-+int
-+pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
-+	{
-+	int ret = 0;
-+
-+	if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
-+		{
-+		TRY_OBJ_DELETE(sp->session,
-+			       sp->opdata_rsa_priv_key,
-+			       ret, uselock, OP_RSA);
-+		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
-+		sp->opdata_rsa_priv = NULL;
-+		if (sp->opdata_rsa_d_num != NULL)
-+			{
-+			BN_free(sp->opdata_rsa_d_num);
-+			sp->opdata_rsa_d_num = NULL;
-+			}
-+		}
-+
-+	return (ret);
-+	}
-+
-+/*
-+ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
-+ * objects in the free list.
-+ */
-+int
-+pk11_destroy_rsa_key_objects(PK11_SESSION *session)
-+	{
-+	int ret = 1;
-+	PK11_SESSION *sp = NULL;
-+	PK11_SESSION *local_free_session;
-+	CK_BBOOL uselock = TRUE;
-+
-+	if (session != NULL)
-+		local_free_session = session;
-+	else
-+		{
-+#ifndef NOPTHREADS
-+		(void) pthread_mutex_lock(session_cache[OP_RSA].lock);
-+#else
-+		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+		local_free_session = session_cache[OP_RSA].head;
-+		uselock = FALSE;
-+		}
-+
-+	/*
-+	 * go through the list of sessions and delete key objects
-+	 */
-+	while ((sp = local_free_session) != NULL)
-+		{
-+		local_free_session = sp->next;
-+
-+		/*
-+		 * Do not terminate list traversal if one of the
-+		 * destroy operations fails.
-+		 */
-+		if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
-+			{
-+			ret = 0;
-+			continue;
-+			}
-+		if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
-+			{
-+			ret = 0;
-+			continue;
-+			}
-+		}
-+
-+#ifndef NOPTHREADS
-+	if (session == NULL)
-+		(void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
-+#else
-+	if (session == NULL)
-+		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
-+#endif
-+
-+	return (ret);
-+	}
-+
-+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
-+	{
-+	CK_RV rv;
-+	rv = pFuncList->C_DestroyObject(session, oh);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
-+		    rv);
-+		return (0);
-+		}
-+
-+	return (1);
-+	}
-+
-+
-+/*
-+ * Public key mechanisms optionally supported
-+ *
-+ * CKM_RSA_X_509
-+ * CKM_RSA_PKCS
-+ *
-+ * The first slot that supports at least one of those mechanisms is chosen as a
-+ * public key slot.
-+ *
-+ * The output of this function is a set of global variables indicating which
-+ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
-+ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
-+ * variables carry information about which slot was chosen for (a) public key
-+ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
-+ */
-+static int
-+pk11_choose_slots(int *any_slot_found)
-+	{
-+	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
-+	CK_ULONG ulSlotCount = 0;
-+	CK_MECHANISM_INFO mech_info;
-+	CK_TOKEN_INFO token_info;
-+	unsigned int i;
-+	CK_RV rv;
-+	CK_SLOT_ID best_slot_sofar = 0;
-+	CK_BBOOL found_candidate_slot = CK_FALSE;
-+	CK_SLOT_ID current_slot = 0;
-+
-+	/* let's initialize the output parameter */
-+	if (any_slot_found != NULL)
-+		*any_slot_found = 0;
-+
-+	/* Get slot list for memory allocation */
-+	rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
-+
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
-+		return (0);
-+		}
-+
-+	/* it's not an error if we didn't find any providers */
-+	if (ulSlotCount == 0)
-+		{
-+#ifdef	DEBUG_SLOT_SELECTION
-+		fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		return (1);
-+		}
-+
-+	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
-+
-+	if (pSlotList == NULL)
-+		{
-+		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
-+		return (0);
-+		}
-+
-+	/* Get the slot list for processing */
-+	rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
-+	if (rv != CKR_OK)
-+		{
-+		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
-+		OPENSSL_free(pSlotList);
-+		return (0);
-+		}
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
-+	fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
-+
-+	fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+	for (i = 0; i < ulSlotCount; i++)
-+		{
-+		current_slot = pSlotList[i];
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		/* Check if slot has random support. */
-+		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
-+		if (rv != CKR_OK)
-+			continue;
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+
-+		if (token_info.flags & CKF_RNG)
-+			{
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+			pk11_have_random = CK_TRUE;
-+			rand_SLOTID = current_slot;
-+			break;
-+			}
-+		}
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+
-+	pubkey_SLOTID = pSlotList[0];
-+	for (i = 0; i < ulSlotCount; i++)
-+		{
-+		CK_BBOOL slot_has_rsa = CK_FALSE;
-+		current_slot = pSlotList[i];
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
-+		if (rv != CKR_OK)
-+			continue;
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+
-+		/*
-+		 * Check if this slot is capable of signing with CKM_RSA_PKCS.
-+		 */
-+		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
-+			&mech_info);
-+
-+		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN)))
-+			{
-+			slot_has_rsa = CK_TRUE;
-+			}
-+
-+		if (!found_candidate_slot && slot_has_rsa)
-+			{
-+#ifdef	DEBUG_SLOT_SELECTION
-+			fprintf(stderr,
-+			    "%s: potential slot: %d\n", PK11_DBG, current_slot);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+			best_slot_sofar = current_slot;
-+			pk11_have_rsa = slot_has_rsa;
-+			found_candidate_slot = CK_TRUE;
-+#ifdef	DEBUG_SLOT_SELECTION
-+			fprintf(stderr,
-+			    "%s: setting found_candidate_slot to CK_TRUE\n",
-+			    PK11_DBG);
-+			fprintf(stderr,
-+			    "%s: best so far slot: %d\n", PK11_DBG,
-+			    best_slot_sofar);
-+			}
-+		else
-+			{
-+			fprintf(stderr,
-+			    "%s: no rsa\n", PK11_DBG);
-+			}
-+#else
-+			} /* if */
-+#endif	/* DEBUG_SLOT_SELECTION */
-+		} /* for */
-+
-+	if (found_candidate_slot)
-+		{
-+		pubkey_SLOTID = best_slot_sofar;
-+		}
-+
-+	/*SLOTID = pSlotList[0];*/
-+
-+#ifdef	DEBUG_SLOT_SELECTION
-+	fprintf(stderr,
-+	    "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
-+	fprintf(stderr,
-+	    "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
-+	fprintf(stderr,
-+	    "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
-+	fprintf(stderr,
-+	    "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
-+#endif	/* DEBUG_SLOT_SELECTION */
-+
-+	if (pSlotList != NULL)
-+		OPENSSL_free(pSlotList);
-+
-+	if (any_slot_found != NULL)
-+		*any_slot_found = 1;
-+	return (1);
-+	}
-+
-+#endif	/* OPENSSL_NO_HW_PK11 */
-+#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
---- /dev/null	Mon Oct  5 11:08:14 2009
-+++ openssl/crypto/engine/hw_pk11.c	Fri Sep  4 10:43:22 2009
-@@ -0,0 +1,3919 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11.c	Mon Oct  5 13:16:50 2009
+@@ -0,0 +1,3927 @@
 +/*
 + * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -2354,11 +881,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 +
 +#ifndef OPENSSL_NO_HW
 +#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11CA
 +
 +/* label for debug messages printed on stderr */
 +#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
 +/* prints a lot of debug messages on stderr about slot selection process */
-+#undef	DEBUG_SLOT_SELECTION
++/* #undef	DEBUG_SLOT_SELECTION */
 +/*
 + * Solaris specific code. See comment at check_hw_mechanisms() for more
 + * information.
@@ -2385,6 +913,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 +#include "cryptoki.h"
 +#include "pkcs11.h"
 +#endif
++#include "hw_pk11ca.h"
 +#include "hw_pk11_err.c"
 +
 +#ifdef	SOLARIS_AES_CTR
@@ -2392,9 +921,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 + * NIDs for AES counter mode that will be defined during the engine
 + * initialization.
 + */
-+int NID_aes_128_ctr = NID_undef;
-+int NID_aes_192_ctr = NID_undef;
-+int NID_aes_256_ctr = NID_undef;
++static int NID_aes_128_ctr = NID_undef;
++static int NID_aes_192_ctr = NID_undef;
++static int NID_aes_256_ctr = NID_undef;
 +#endif	/* SOLARIS_AES_CTR */
 +
 +#ifdef	SOLARIS_HW_SLOT_SELECTION
@@ -2402,8 +931,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 + * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
 + * library. See comment at check_hw_mechanisms() for more information.
 + */
-+int *hw_cnids;
-+int *hw_dnids;
++static int *hw_cnids;
++static int *hw_dnids;
 +#endif	/* SOLARIS_HW_SLOT_SELECTION */
 +
 +/* PKCS#11 session caches and their locks for all operation types */
@@ -3061,8 +1590,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 +
 +
 +/* Constants used when creating the ENGINE */
++#ifdef OPENSSL_NO_HW_PK11SO
++#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
++#endif
 +static const char *engine_pk11_id = "pkcs11";
-+static const char *engine_pk11_name = "PKCS #11 engine support";
++static const char *engine_pk11_name =
++	"PKCS #11 engine support (crypto accelerator)";
 +
 +CK_FUNCTION_LIST_PTR pFuncList = NULL;
 +static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
@@ -3261,6 +1794,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 +
 +/* Dynamic engine support is disabled at a higher level for Solaris */
 +#ifdef	ENGINE_DYNAMIC_SUPPORT
++#error  "dynamic engine not supported"
 +static int bind_helper(ENGINE *e, const char *id)
 +	{
 +	if (id && (strcmp(id, engine_pk11_id) != 0))
@@ -6150,11 +4684,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.25
 +	}
 +#endif	/* SOLARIS_HW_SLOT_SELECTION */
 +
++#endif	/* OPENSSL_NO_HW_PK11CA */
 +#endif	/* OPENSSL_NO_HW_PK11 */
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_err.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/hw_pk11_err.c	Wed Dec 17 16:14:26 2008
 @@ -0,0 +1,259 @@
 +/*
@@ -6418,7 +4953,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
 +}
 Index: openssl/crypto/engine/hw_pk11_err.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/hw_pk11_err.h	Wed Dec 17 15:01:45 2008
 @@ -0,0 +1,402 @@
 +/*
@@ -6823,912 +5358,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
 +extern CK_FUNCTION_LIST_PTR pFuncList;
 +
 +#endif /* HW_PK11_ERR_H */
-Index: openssl/crypto/engine/hw_pk11_pub-kp.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub-kp.c:1.21
---- /dev/null	Mon Oct  5 11:08:14 2009
-+++ openssl/crypto/engine/hw_pk11_pub-kp.c	Tue Sep  1 06:02:18 2009
-@@ -0,0 +1,896 @@
-+/*
-+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
-+ * Use is subject to license terms.
-+ */
-+
-+/* crypto/engine/hw_pk11_pub.c */
-+/*
-+ * This product includes software developed by the OpenSSL Project for
-+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
-+ *
-+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
-+ * Afchine Madjlessi.
-+ */
-+/*
-+ * ====================================================================
-+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+/* Modified to keep only RNG and RSA Sign */
-+
-+#ifdef OPENSSL_NO_RSA
-+#error RSA is disabled
-+#endif
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+#include 
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#define NOPTHREADS
-+typedef int pid_t;
-+#define HAVE_GETPASSPHRASE
-+static char *getpassphrase(const char *prompt);
-+#ifndef NULL_PTR
-+#define NULL_PTR NULL
-+#endif
-+#define CK_DEFINE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllexport) name
-+#define CK_DECLARE_FUNCTION(returnType, name) \
-+	returnType __declspec(dllimport) name
-+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
-+	returnType __declspec(dllimport) (* name)
-+#else
-+#include 
-+#endif
-+
-+#ifndef NOPTHREADS
-+#include 
-+#endif
-+
-+#ifndef OPENSSL_NO_HW
-+#ifndef OPENSSL_NO_HW_PK11
-+
-+#ifndef OPENSSL_NO_DSA
-+#define OPENSSL_NO_DSA
-+#endif
-+#ifndef OPENSSL_NO_DH
-+#define OPENSSL_NO_DH
-+#endif
-+
-+#ifdef OPENSSL_SYS_WIN32
-+#pragma pack(push, cryptoki, 1)
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#pragma pack(pop, cryptoki)
-+#else
-+#include "cryptoki.h"
-+#include "pkcs11.h"
-+#endif
-+#include "hw_pk11_err.h"
-+
-+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-+#define getpassphrase(x)	getpass(x)
-+#endif
-+
-+/* RSA stuff */
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+	unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
-+EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data);
-+EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data);
-+
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
-+	BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
-+
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
-+
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
-+
-+/* Read mode string to be used for fopen() */
-+#if SOLARIS_OPENSSL
-+static char *read_mode_flags = "rF";
-+#else
-+static char *read_mode_flags = "r";
-+#endif
-+
-+/*
-+ * increment/create reference for an asymmetric key handle via active list
-+ * manipulation. If active list operation fails, unlock (if locked), set error
-+ * variable and jump to the specified label.
-+ */
-+#define	KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label)	\
-+	{								\
-+	if (pk11_active_add(key_handle, alg_type) < 0)			\
-+		{							\
-+		var = TRUE;						\
-+		if (unlock)						\
-+			UNLOCK_OBJSTORE(alg_type);			\
-+		goto label;						\
-+		}							\
-+	}
-+
-+/*
-+ * Find active list entry according to object handle and return pointer to the
-+ * entry otherwise return NULL.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+	{
-+	PK11_active *entry;
-+
-+	for (entry = active_list[type]; entry != NULL; entry = entry->next)
-+		if (entry->h == h)
-+			return (entry);
-+
-+	return (NULL);
-+	}
-+
-+/*
-+ * Search for an entry in the active list using PKCS#11 object handle as a
-+ * search key and return refcnt of the found/created entry or -1 in case of
-+ * failure.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+int
-+pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+	{
-+	PK11_active *entry = NULL;
-+
-+	if (h == CK_INVALID_HANDLE)
-+		{
-+		PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
-+		return (-1);
-+		}
-+
-+	/* search for entry in the active list */
-+	if ((entry = pk11_active_find(h, type)) != NULL)
-+		entry->refcnt++;
-+	else
-+		{
-+		/* not found, create new entry and add it to the list */
-+		entry = OPENSSL_malloc(sizeof (PK11_active));
-+		if (entry == NULL)
-+			{
-+			PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
-+			return (-1);
-+			}
-+		entry->h = h;
-+		entry->refcnt = 1;
-+		entry->prev = NULL;
-+		entry->next = NULL;
-+		/* connect the newly created entry to the list */
-+		if (active_list[type] == NULL)
-+			active_list[type] = entry;
-+		else /* make the entry first in the list */
-+			{
-+			entry->next = active_list[type];
-+			active_list[type]->prev = entry;
-+			active_list[type] = entry;
-+			}
-+		}
-+
-+	return (entry->refcnt);
-+	}
-+
-+/*
-+ * Remove active list entry from the list and free it.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+void
-+pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
-+	{
-+	PK11_active *prev_entry;
-+
-+	/* remove the entry from the list and free it */
-+	if ((prev_entry = entry->prev) != NULL)
-+		{
-+		prev_entry->next = entry->next;
-+		if (entry->next != NULL)
-+			entry->next->prev = prev_entry;
-+		}
-+	else
-+		{
-+		active_list[type] = entry->next;
-+		/* we were the first but not the only one */
-+		if (entry->next != NULL)
-+			entry->next->prev = NULL;
-+		}
-+
-+	/* sanitization */
-+	entry->h = CK_INVALID_HANDLE;
-+	entry->prev = NULL;
-+	entry->next = NULL;
-+	OPENSSL_free(entry);
-+	}
-+
-+/* Free all entries from the active list. */
-+void
-+pk11_free_active_list(PK11_OPTYPE type)
-+	{
-+	PK11_active *entry;
-+
-+	/* only for asymmetric types since only they have C_Find* locks. */
-+	switch (type)
-+		{
-+		case OP_RSA:
-+			break;
-+		default:
-+			return;
-+		}
-+
-+	/* see find_lock array definition for more info on object locking */
-+	LOCK_OBJSTORE(type);
-+	while ((entry = active_list[type]) != NULL)
-+		pk11_active_remove(entry, type);
-+	UNLOCK_OBJSTORE(type);
-+	}
-+
-+/*
-+ * Search for active list entry associated with given PKCS#11 object handle,
-+ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
-+ *
-+ * Return 1 if the PKCS#11 object associated with the entry has no references,
-+ * return 0 if there is at least one reference, -1 on error.
-+ *
-+ * This function presumes it is called with lock protecting the active list
-+ * held.
-+ */
-+int
-+pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
-+	{
-+	PK11_active *entry = NULL;
-+
-+	if ((entry = pk11_active_find(h, type)) == NULL)
-+		{
-+		PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
-+		return (-1);
-+		}
-+
-+	OPENSSL_assert(entry->refcnt > 0);
-+	entry->refcnt--;
-+	if (entry->refcnt == 0)
-+		{
-+		pk11_active_remove(entry, type);
-+		return (1);
-+		}
-+
-+	return (0);
-+	}
-+
-+/* Our internal RSA_METHOD that we provide pointers to */
-+static RSA_METHOD pk11_rsa;
-+
-+RSA_METHOD *
-+PK11_RSA(void)
-+	{
-+	const RSA_METHOD *rsa;
-+
-+	if (pk11_rsa.name == NULL)
-+		{
-+		rsa = RSA_PKCS1_SSLeay();
-+		memcpy(&pk11_rsa, rsa, sizeof(*rsa));
-+		pk11_rsa.name = "PKCS#11 RSA method";
-+		pk11_rsa.rsa_sign = pk11_RSA_sign;
-+		}
-+	return (&pk11_rsa);
-+	}
-+
-+/* Size of an SSL signature: MD5+SHA1 */
-+#define	SSL_SIG_LENGTH		36
-+
-+/*
-+ * Standard engine interface function. Majority codes here are from
-+ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
-+ * See more details in rsa/rsa_sign.c
-+ */
-+static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
-+	unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
-+	{
-+	X509_SIG sig;
-+	ASN1_TYPE parameter;
-+	int i, j = 0;
-+	unsigned char *p, *s = NULL;
-+	X509_ALGOR algor;
-+	ASN1_OCTET_STRING digest;
-+	CK_RV rv;
-+	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
-+	CK_MECHANISM *p_mech = &mech_rsa;
-+	CK_OBJECT_HANDLE h_priv_key;
-+	PK11_SESSION *sp = NULL;
-+	int ret = 0;
-+	unsigned long ulsiglen;
-+
-+	/* Encode the digest */
-+	/* Special case: SSL signature, just check the length */
-+	if (type == NID_md5_sha1)
-+		{
-+		if (m_len != SSL_SIG_LENGTH)
-+			{
-+			PK11err(PK11_F_RSA_SIGN,
-+				PK11_R_INVALID_MESSAGE_LENGTH);
-+			goto err;
-+			}
-+		i = SSL_SIG_LENGTH;
-+		s = (unsigned char *)m;
-+		}
-+	else
-+		{
-+		sig.algor = &algor;
-+		sig.algor->algorithm = OBJ_nid2obj(type);
-+		if (sig.algor->algorithm == NULL)
-+			{
-+			PK11err(PK11_F_RSA_SIGN,
-+				PK11_R_UNKNOWN_ALGORITHM_TYPE);
-+			goto err;
-+			}
-+		if (sig.algor->algorithm->length == 0)
-+			{
-+			PK11err(PK11_F_RSA_SIGN,
-+				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
-+			goto err;
-+			}
-+		parameter.type = V_ASN1_NULL;
-+		parameter.value.ptr = NULL;
-+		sig.algor->parameter = ¶meter;
-+
-+		sig.digest = &digest;
-+		sig.digest->data = (unsigned char *)m;
-+		sig.digest->length = m_len;
-+
-+		i = i2d_X509_SIG(&sig, NULL);
-+		}
-+
-+	j = RSA_size(rsa);
-+	if ((i - RSA_PKCS1_PADDING) > j)
-+		{
-+		PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
-+		goto err;
-+		}
-+
-+	if (type != NID_md5_sha1)
-+		{
-+		s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
-+		if (s == NULL)
-+			{
-+			PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
-+			goto err;
-+			}
-+		p = s;
-+		(void) i2d_X509_SIG(&sig, &p);
-+		}
-+
-+	if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+		goto err;
-+
-+	(void) check_new_rsa_key_priv(sp, rsa);
-+
-+	h_priv_key = sp->opdata_rsa_priv_key;
-+	if (h_priv_key == CK_INVALID_HANDLE)
-+		h_priv_key = sp->opdata_rsa_priv_key =
-+			pk11_get_private_rsa_key((RSA *)rsa,
-+			    &sp->opdata_rsa_priv,
-+			    &sp->opdata_rsa_d_num, sp->session);
-+
-+	if (h_priv_key != CK_INVALID_HANDLE)
-+		{
-+		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
-+			goto err;
-+			}
-+
-+		ulsiglen = j;
-+		rv = pFuncList->C_Sign(sp->session, s, i, sigret,
-+			(CK_ULONG_PTR) &ulsiglen);
-+		*siglen = ulsiglen;
-+
-+		if (rv != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
-+			goto err;
-+			}
-+		ret = 1;
-+		}
-+
-+err:
-+	if ((type != NID_md5_sha1) && (s != NULL))
-+		{
-+		(void) memset(s, 0, (unsigned int)(j + 1));
-+		OPENSSL_free(s);
-+		}
-+
-+	pk11_return_session(sp, OP_RSA);
-+	return (ret);
-+	}
-+
-+static int hndidx_rsa = -1;
-+
-+/* load RSA private key from a file */
-+/* ARGSUSED */
-+EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
-+	UI_METHOD *ui_method, void *callback_data)
-+	{
-+	EVP_PKEY *pkey = NULL;
-+	FILE *privkey;
-+	RSA *rsa;
-+	PK11_SESSION *sp = NULL;
-+	/* everything else below needed for key by reference extension */
-+	CK_RV rv;
-+	CK_ULONG objcnt = 0;
-+	CK_BBOOL is_token = TRUE;
-+	CK_BYTE attr_data[2][1024];
-+	CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
-+	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
-+	extern char *pk11_pin;
-+
-+	/* we look for private keys only */
-+	CK_ATTRIBUTE search_templ[] =
-+		{
-+		{CKA_TOKEN, &is_token, sizeof(is_token)},
-+		{CKA_CLASS, &key_class, sizeof(key_class)},
-+		{CKA_LABEL, NULL, 0}
-+		};
-+
-+	/* these attributes are needed to initialize OpenSSL RSA structure */
-+	CK_ATTRIBUTE get_templ[] =
-+		{
-+		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
-+		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
-+		};
-+
-+	/*
-+	 * Use simple scheme "pkcs11:" for now.
-+	 */
-+	if (strstr(privkey_file, "pkcs11:") == privkey_file)
-+		{
-+		if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+			return (NULL);
-+
-+		search_templ[2].pValue = strstr(privkey_file, ":") + 1;
-+		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+		if (pk11_pin == NULL)
-+			{
-+			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
-+
-+			if (pk11_pin == NULL)
-+				{
-+				PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
-+				goto err;
-+				}
-+			}
-+		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+			{
-+			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+					 PK11_R_INVALID_PIN, rv);
-+			goto err;
-+			}
-+
-+		LOCK_OBJSTORE(OP_RSA);
-+		if ((rv = pFuncList->C_FindObjectsInit(sp->session,
-+		    search_templ, 3)) != CKR_OK)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+					 PK11_R_FINDOBJECTSINIT, rv);
-+			goto err;
-+			}
-+
-+		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+		if (rv != CKR_OK)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+					 PK11_R_FINDOBJECTS, rv);
-+			goto err;
-+			}
-+
-+		if (objcnt > 1)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
-+			goto err;
-+			}
-+
-+		if (objcnt != 1)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
-+			goto err;
-+			}
-+
-+		(void) pFuncList->C_FindObjectsFinal(sp->session);
-+		UNLOCK_OBJSTORE(OP_RSA);
-+
-+		if (hndidx_rsa == -1)
-+			hndidx_rsa = RSA_get_ex_new_index(0,
-+				        "pkcs11 RSA HSM key handle",
-+					NULL, NULL, NULL);
-+
-+		pkey = EVP_PKEY_new();
-+		if (pkey == NULL)
-+			goto err;
-+
-+		rsa = RSA_new_method(e);
-+		if (rsa == NULL) {
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			goto err;
-+		}
-+		EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+		    get_templ, 2)) != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
-+					 PK11_R_GETATTRIBUTVALUE, rv);
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			goto err;
-+			}
-+
-+		/* Note: these flags are critical! */
-+		rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
-+		RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
-+		(void) check_new_rsa_key_priv(sp, rsa);
-+		sp->opdata_rsa_priv = rsa;
-+		sp->opdata_rsa_priv_key = ks_key;
-+
-+		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+		}
-+	else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
-+		{
-+		pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
-+		(void) fclose(privkey);
-+		}
-+
-+err:
-+	if (sp != NULL)
-+		pk11_return_session(sp, OP_RSA);
-+	return (pkey);
-+	}
-+
-+/* load RSA public key from a file */
-+/* ARGSUSED */
-+EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
-+	UI_METHOD *ui_method, void *callback_data)
-+	{
-+	EVP_PKEY *pkey = NULL;
-+	FILE *pubkey;
-+	RSA *rsa;
-+	PK11_SESSION *sp = NULL;
-+	/* everything else below needed for key by reference extension */
-+	CK_RV rv;
-+	CK_ULONG objcnt = 0;
-+	CK_BBOOL is_token = TRUE;
-+	CK_BYTE attr_data[2][1024];
-+	CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
-+	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
-+	extern char *pk11_pin;
-+
-+	/* we look for public keys only */
-+	CK_ATTRIBUTE search_templ[] =
-+		{
-+		{CKA_TOKEN, &is_token, sizeof(is_token)},
-+		{CKA_CLASS, &key_class, sizeof(key_class)},
-+		{CKA_LABEL, NULL, 0}
-+		};
-+
-+	/* these attributes are needed to initialize OpenSSL RSA structure */
-+	CK_ATTRIBUTE get_templ[] =
-+		{
-+		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
-+		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
-+		};
-+
-+	/*
-+	 * Use simple scheme "pkcs11:" for now.
-+	 */
-+	if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
-+		{
-+		if ((sp = pk11_get_session(OP_RSA)) == NULL)
-+			return (NULL);
-+
-+		search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
-+		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
-+
-+#define ALLWAYS_LOGIN
-+#ifdef ALLWAYS_LOGIN
-+		if (pk11_pin == NULL)
-+			{
-+			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
-+
-+			if (pk11_pin == NULL)
-+				{
-+				PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
-+				goto err;
-+				}
-+			}
-+		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
-+		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
-+			{
-+			PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+					 PK11_R_INVALID_PIN, rv);
-+			goto err;
-+			}
-+#endif
-+
-+		LOCK_OBJSTORE(OP_RSA);
-+		if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+					 PK11_R_FINDOBJECTSINIT, rv);
-+			goto err;
-+			}
-+		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
-+		if (rv != CKR_OK)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+					 PK11_R_FINDOBJECTS, rv);
-+			goto err;
-+			}
-+
-+		if (objcnt > 1)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
-+			goto err;
-+			}
-+
-+		if (objcnt != 1)
-+			{
-+			UNLOCK_OBJSTORE(OP_RSA);
-+			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
-+			goto err;
-+			}
-+
-+		(void) pFuncList->C_FindObjectsFinal(sp->session);
-+		UNLOCK_OBJSTORE(OP_RSA);
-+
-+		sp->opdata_rsa_pub_key = ks_key;
-+		pkey = EVP_PKEY_new();
-+		if (pkey == NULL)
-+			goto err;
-+
-+		rsa = RSA_new_method(e);
-+		if (rsa == NULL) {
-+			EVP_PKEY_free(pkey);
-+			pkey = NULL;
-+			goto err;
-+		}
-+		EVP_PKEY_set1_RSA(pkey, rsa);
-+
-+		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
-+		    get_templ, 2) != CKR_OK)
-+			{
-+			PK11err_add_data(PK11_F_LOAD_PUBKEY,
-+					 PK11_R_GETATTRIBUTVALUE, rv);
-+			goto err;
-+			}
-+
-+		(void) check_new_rsa_key_pub(sp, rsa);
-+		sp->opdata_rsa_pub = rsa;
-+
-+		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
-+		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
-+		}
-+	else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
-+		{
-+		pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
-+		(void) fclose(pubkey);
-+		}
-+
-+err:
-+	if (sp != NULL)
-+		pk11_return_session(sp, OP_RSA);
-+	return (pkey);
-+	}
-+
-+/*
-+ * Create a private key object in the session from a given rsa structure.
-+ * The *rsa_d_num pointer is non-NULL for RSA private keys.
-+ */
-+static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
-+    RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
-+	{
-+	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
-+
-+	if ((rsa->flags & RSA_FLAG_EXT_PKEY) == 0) {
-+		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_INCONSISTENT_KEY);
-+		return (h_key);
-+	}
-+	
-+	h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
-+	(void) pk11_active_add(h_key, OP_RSA);
-+	if (key_ptr != NULL)
-+		*key_ptr = rsa;
-+	if (rsa_d_num != NULL)
-+		{
-+		if (rsa->d == NULL)
-+			*rsa_d_num = NULL;
-+		else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
-+			{
-+			PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
-+			return (h_key);
-+			}
-+		}
-+	return (h_key);
-+	}
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
-+	{
-+	/*
-+	 * Provide protection against RSA structure reuse by making the
-+	 * check for cache hit stronger. Only public components of RSA
-+	 * key matter here so it is sufficient to compare them with values
-+	 * cached in PK11_SESSION structure.
-+	 */
-+	if ((sp->opdata_rsa_pub != rsa) ||
-+	    (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
-+	    (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
-+		{
-+		/*
-+		 * We do not check the return value because even in case of
-+		 * failure the sp structure will have both key pointer
-+		 * and object handle cleaned and pk11_destroy_object()
-+		 * reports the failure to the OpenSSL error message buffer.
-+		 */
-+		(void) pk11_destroy_rsa_object_pub(sp, TRUE);
-+		return (0);
-+		}
-+	return (1);
-+	}
-+
-+/*
-+ * Check for cache miss and clean the object pointer and handle
-+ * in such case. Return 1 for cache hit, 0 for cache miss.
-+ */
-+static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
-+	{
-+	/*
-+	 * Provide protection against RSA structure reuse by making the
-+	 * check for cache hit stronger. Comparing private exponent of RSA
-+	 * key with value cached in PK11_SESSION structure should
-+	 * be sufficient.
-+	 */
-+	if ((sp->opdata_rsa_priv != rsa) ||
-+	    (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
-+	    ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
-+		{
-+		/*
-+		 * We do not check the return value because even in case of
-+		 * failure the sp structure will have both key pointer
-+		 * and object handle cleaned and pk11_destroy_object()
-+		 * reports the failure to the OpenSSL error message buffer.
-+		 */
-+		(void) pk11_destroy_rsa_object_priv(sp, TRUE);
-+		return (0);
-+		}
-+	return (1);
-+	}
-+
-+static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
-+	{
-+	if (attr->ulValueLen > 0)
-+		{
-+		*bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
-+		}
-+	}
-+
-+#ifdef	OPENSSL_SYS_WIN32
-+char *getpassphrase(const char *prompt)
-+	{
-+	static char buf[128];
-+	HANDLE h;
-+	DWORD cc, mode;
-+	int cnt;
-+
-+	h = GetStdHandle(STD_INPUT_HANDLE);
-+	fputs(prompt, stderr);
-+	fflush(stderr);
-+	fflush(stdout);
-+	FlushConsoleInputBuffer(h);
-+	GetConsoleMode(h, &mode);
-+	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
-+
-+	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
-+		{
-+		ReadFile(h, buf + cnt, 1, &cc, NULL);
-+		if (buf[cnt] == '\r')
-+			break;
-+		fputc('*', stdout);
-+		fflush(stderr);
-+		fflush(stdout);
-+		}
-+
-+	SetConsoleMode(h, mode);
-+	buf[cnt] = '\0';
-+	fputs("\n", stderr);
-+	return buf;
-+	}
-+#endif	/* OPENSSL_SYS_WIN32 */
-+#endif	/* OPENSSL_NO_HW_PK11 */
-+#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
---- /dev/null	Mon Oct  5 11:08:14 2009
-+++ openssl/crypto/engine/hw_pk11_pub.c	Fri Aug 28 06:31:09 2009
-@@ -0,0 +1,3137 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11_pub.c	Mon Oct  5 13:16:55 2009
+@@ -0,0 +1,3140 @@
 +/*
 + * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -7847,6 +5481,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +
 +#ifndef OPENSSL_NO_HW
 +#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11CA
 +
 +#ifdef OPENSSL_SYS_WIN32
 +#pragma pack(push, cryptoki, 1)
@@ -7857,6 +5492,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +#include "cryptoki.h"
 +#include "pkcs11.h"
 +#endif
++#include "hw_pk11ca.h"
 +#include "hw_pk11_err.h"
 +
 +#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
@@ -9094,7 +6730,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +			pkey = NULL;
 +			goto err;
 +		}
-+		EVP_PKEY_set1_RSA(pkey, rsa);
++		EVP_PKEY_assign_RSA(pkey, rsa);
 +
 +		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +		    get_templ, 2)) != CKR_OK)
@@ -9264,7 +6900,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +			pkey = NULL;
 +			goto err;
 +		}
-+		EVP_PKEY_set1_RSA(pkey, rsa);
++		EVP_PKEY_assign_RSA(pkey, rsa);
 +
 +		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +		    get_templ, 2) != CKR_OK)
@@ -10864,15 +8500,2609 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.31
 +	return buf;
 +	}
 +#endif	/* OPENSSL_SYS_WIN32 */
++#endif	/* OPENSSL_NO_HW_PK11CA */
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11ca.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11ca.h	Mon Oct  5 13:17:03 2009
+@@ -0,0 +1,28 @@
++/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
++
++#define find_lock			pk11ca_find_lock
++#define active_list			pk11ca_active_list
++#define ERR_pk11_error			ERR_pk11ca_error
++#define PK11err_add_data		PK11CAerr_add_data
++#define pk11_get_session		pk11ca_get_session
++#define pk11_return_session		pk11ca_return_session
++#define pk11_active_add			pk11ca_active_add
++#define pk11_active_delete		pk11ca_active_delete
++#define pk11_active_remove		pk11ca_active_remove
++#define pk11_free_active_list		pk11ca_free_active_list
++#define pk11_destroy_rsa_key_objects	pk11ca_destroy_rsa_key_objects
++#define pk11_destroy_rsa_object_pub	pk11ca_destroy_rsa_object_pub
++#define pk11_destroy_rsa_object_priv	pk11ca_destroy_rsa_object_priv
++#define pk11_load_privkey		pk11ca_load_privkey
++#define pk11_load_pubkey		pk11ca_load_pubkey
++#define PK11_RSA			PK11CA_RSA
++#define pk11_destroy_dsa_key_objects	pk11ca_destroy_dsa_key_objects
++#define pk11_destroy_dsa_object_pub	pk11ca_destroy_dsa_object_pub
++#define pk11_destroy_dsa_object_priv	pk11ca_destroy_dsa_object_priv
++#define PK11_DSA			PK11CA_DSA
++#define pk11_destroy_dh_key_objects	pk11ca_destroy_dh_key_objects
++#define pk11_destroy_dh_object		pk11ca_destroy_dh_object
++#define PK11_DH				PK11CA_DH
++#define pFuncList			pk11ca_pFuncList
++#define pk11_pin			pk11ca_pin
++#define ENGINE_load_pk11		ENGINE_load_pk11ca
+Index: openssl/crypto/engine/hw_pk11so.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.2
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so.c	Mon Oct  5 13:17:03 2009
+@@ -0,0 +1,1618 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++typedef int pid_t;
++#define getpid() GetCurrentProcessId()
++#define NOPTHREADS
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#include 
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11SO
++
++/* label for debug messages printed on stderr */
++#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
++/* prints a lot of debug messages on stderr about slot selection process */
++/*#undef	DEBUG_SLOT_SELECTION */
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11so.h"
++#include "hw_pk11_err.c"
++
++/* PKCS#11 session caches and their locks for all operation types */
++static PK11_CACHE session_cache[OP_MAX];
++
++/*
++ * As stated in v2.20, 11.7 Object Management Function, in section for
++ * C_FindObjectsInit(), at most one search operation may be active at a given
++ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
++ * grouped together to form one atomic search operation. This is already
++ * ensured by the property of unique PKCS#11 session handle used for each
++ * PK11_SESSION object.
++ *
++ * This is however not the biggest concern - maintaining consistency of the
++ * underlying object store is more important. The same section of the spec also
++ * says that one thread can be in the middle of a search operation while another
++ * thread destroys the object matching the search template which would result in
++ * invalid handle returned from the search operation.
++ *
++ * Hence, the following locks are used for both protection of the object stores.
++ * They are also used for active list protection.
++ */
++#ifndef NOPTHREADS
++pthread_mutex_t *find_lock[OP_MAX] = { NULL };
++#endif
++
++/*
++ * lists of asymmetric key handles which are active (referenced by at least one
++ * PK11_SESSION structure, either held by a thread or present in free_session
++ * list) for given algorithm type
++ */
++PK11_active *active_list[OP_MAX] = { NULL };
++
++/*
++ * Create all secret key objects in a global session so that they are available
++ * to use for other sessions. These other sessions may be opened or closed
++ * without losing the secret key objects.
++ */
++static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
++
++/* ENGINE level stuff */
++static int pk11_init(ENGINE *e);
++static int pk11_library_init(ENGINE *e);
++static int pk11_finish(ENGINE *e);
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
++static int pk11_destroy(ENGINE *e);
++
++/* RAND stuff */
++static void pk11_rand_seed(const void *buf, int num);
++static void pk11_rand_add(const void *buf, int num, double add_entropy);
++static void pk11_rand_cleanup(void);
++static int pk11_rand_bytes(unsigned char *buf, int num);
++static int pk11_rand_status(void);
++
++/* These functions are also used in other files */
++PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++/* active list manipulation functions used in this file */
++extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
++extern void pk11_free_active_list(PK11_OPTYPE type);
++
++int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++
++/* Local helper functions */
++static int pk11_free_all_sessions(void);
++static int pk11_free_session_list(PK11_OPTYPE optype);
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++static int pk11_destroy_object(CK_SESSION_HANDLE session,
++	CK_OBJECT_HANDLE oh);
++static const char *get_PK11_LIBNAME(void);
++static void free_PK11_LIBNAME(void);
++static long set_PK11_LIBNAME(const char *name);
++
++static int pk11_choose_slots(int *any_slot_found);
++
++static int pk11_init_all_locks(void);
++static void pk11_free_all_locks(void);
++
++#define	TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
++		{							\
++		retval = pk11_destroy_object(sess_hdl, obj_hdl);	\
++		}							\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++#define	TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type)	\
++	{								\
++	if (uselock)							\
++		LOCK_OBJSTORE(alg_type);				\
++	(void) pk11_active_delete(obj_hdl, alg_type);			\
++	if (uselock)							\
++		UNLOCK_OBJSTORE(alg_type);				\
++	}
++
++static CK_BBOOL pk11_have_rsa	= CK_FALSE;
++static CK_BBOOL pk11_have_random = CK_FALSE;
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * The definitions for control commands specific to this engine
++ */
++#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
++#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
++#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
++static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
++	{
++		{
++		PK11_CMD_SO_PATH,
++		"SO_PATH",
++		"Specifies the path to the 'pkcs#11' shared library",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_PIN,
++		"PIN",
++		"Specifies the pin code",
++		ENGINE_CMD_FLAG_STRING
++		},
++		{
++		PK11_CMD_SLOT,
++		"SLOT",
++		"Specifies the slot (default is auto select)",
++		ENGINE_CMD_FLAG_NUMERIC,
++		},
++		{0, NULL, NULL, 0}
++	};
++
++
++static RAND_METHOD pk11_random =
++	{
++	pk11_rand_seed,
++	pk11_rand_bytes,
++	pk11_rand_cleanup,
++	pk11_rand_add,
++	pk11_rand_bytes,
++	pk11_rand_status
++	};
++
++
++/* Constants used when creating the ENGINE */
++#ifdef OPENSSL_NO_HW_PK11CA
++#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
++#endif
++static const char *engine_pk11_id = "pkcs11";
++static const char *engine_pk11_name = "PKCS #11 engine support (sign only)";
++
++CK_FUNCTION_LIST_PTR pFuncList = NULL;
++static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
++
++/*
++ * These is the static string constant for the DSO file name and the function
++ * symbol names to bind to.
++ */
++static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
++
++static CK_SLOT_ID pubkey_SLOTID = 0;
++static CK_SLOT_ID rand_SLOTID = 0;
++static CK_SLOT_ID SLOTID = 0;
++char *pk11_pin = NULL;
++static CK_BBOOL pk11_library_initialized = FALSE;
++static CK_BBOOL pk11_atfork_initialized = FALSE;
++static int pk11_pid = 0;
++
++static DSO *pk11_dso = NULL;
++
++/* allocate and initialize all locks used by the engine itself */
++static int pk11_init_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++	if (find_lock[OP_RSA] == NULL)
++		goto malloc_err;
++	(void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		session_cache[type].lock =
++		    OPENSSL_malloc(sizeof (pthread_mutex_t));
++		if (session_cache[type].lock == NULL)
++			goto malloc_err;
++		(void) pthread_mutex_init(session_cache[type].lock, NULL);
++		}
++
++	return (1);
++
++malloc_err:
++	pk11_free_all_locks();
++	PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
++	return (0);
++#else
++	return (1);
++#endif
++	}
++
++static void pk11_free_all_locks(void)
++	{
++#ifndef NOPTHREADS
++	int type;
++
++	if (find_lock[OP_RSA] != NULL)
++		{
++		(void) pthread_mutex_destroy(find_lock[OP_RSA]);
++		OPENSSL_free(find_lock[OP_RSA]);
++		find_lock[OP_RSA] = NULL;
++		}
++
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (session_cache[type].lock != NULL)
++			{
++			(void) pthread_mutex_destroy(session_cache[type].lock);
++			OPENSSL_free(session_cache[type].lock);
++			session_cache[type].lock = NULL;
++			}
++		}
++#endif
++	}
++
++/*
++ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
++ */
++static int bind_pk11(ENGINE *e)
++	{
++	if (!pk11_library_initialized)
++		if (!pk11_library_init(e))
++			return (0);
++
++	if (!ENGINE_set_id(e, engine_pk11_id) ||
++	    !ENGINE_set_name(e, engine_pk11_name))
++		return (0);
++
++	if (pk11_have_rsa == CK_TRUE)
++		{
++		if (!ENGINE_set_RSA(e, PK11_RSA()) ||
++		    !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
++		    !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++
++	if (pk11_have_random)
++		{
++		if (!ENGINE_set_RAND(e, &pk11_random))
++			return (0);
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: registered random\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		}
++	if (!ENGINE_set_init_function(e, pk11_init) ||
++	    !ENGINE_set_destroy_function(e, pk11_destroy) ||
++	    !ENGINE_set_finish_function(e, pk11_finish) ||
++	    !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
++	    !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
++		return (0);
++
++	/* Ensure the pk11 error handling is set up */
++	ERR_load_pk11_strings();
++
++	return (1);
++	}
++
++/* Dynamic engine support is disabled at a higher level for Solaris */
++#ifdef	ENGINE_DYNAMIC_SUPPORT
++#error	"dynamic engine not supported"
++static int bind_helper(ENGINE *e, const char *id)
++	{
++	if (id && (strcmp(id, engine_pk11_id) != 0))
++		return (0);
++
++	if (!bind_pk11(e))
++		return (0);
++
++	return (1);
++	}
++
++IMPLEMENT_DYNAMIC_CHECK_FN()
++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
++
++#else
++static ENGINE *engine_pk11(void)
++	{
++	ENGINE *ret = ENGINE_new();
++
++	if (!ret)
++		return (NULL);
++
++	if (!bind_pk11(ret))
++		{
++		ENGINE_free(ret);
++		return (NULL);
++		}
++
++	return (ret);
++	}
++
++void
++ENGINE_load_pk11(void)
++	{
++	ENGINE *e_pk11 = NULL;
++
++	/*
++	 * Do not use dynamic PKCS#11 library on Solaris due to
++	 * security reasons. We will link it in statically.
++	 */
++	/* Attempt to load PKCS#11 library */
++	if (!pk11_dso)
++		pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
++		return;
++		}
++
++	e_pk11 = engine_pk11();
++	if (!e_pk11)
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		return;
++		}
++
++	/*
++	 * At this point, the pk11 shared library is either dynamically
++	 * loaded or statically linked in. So, initialize the pk11
++	 * library before calling ENGINE_set_default since the latter
++	 * needs cipher and digest algorithm information
++	 */
++	if (!pk11_library_init(e_pk11))
++		{
++		DSO_free(pk11_dso);
++		pk11_dso = NULL;
++		ENGINE_free(e_pk11);
++		return;
++		}
++
++	ENGINE_add(e_pk11);
++
++	ENGINE_free(e_pk11);
++	ERR_clear_error();
++	}
++#endif	/* ENGINE_DYNAMIC_SUPPORT */
++
++/*
++ * These are the static string constants for the DSO file name and
++ * the function symbol names to bind to.
++ */
++static const char *PK11_LIBNAME = NULL;
++
++static const char *get_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		return (PK11_LIBNAME);
++
++	return (def_PK11_LIBNAME);
++	}
++
++static void free_PK11_LIBNAME(void)
++	{
++	if (PK11_LIBNAME)
++		OPENSSL_free((void*)PK11_LIBNAME);
++
++	PK11_LIBNAME = NULL;
++	}
++
++static long set_PK11_LIBNAME(const char *name)
++	{
++	free_PK11_LIBNAME();
++
++	return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
++	}
++
++/* acquire all engine specific mutexes before fork */
++static void pk11_fork_prepare(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	LOCK_OBJSTORE(OP_RSA);
++	for (i = 0; i < OP_MAX; i++)
++		{
++		(void) pthread_mutex_lock(session_cache[i].lock);
++		}
++#endif
++	}
++
++/* release all engine specific mutexes */
++static void pk11_fork_parent(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/*
++ * same situation as in parent - we need to unlock all locks to make them
++ * accessible to all threads.
++ */
++static void pk11_fork_child(void)
++	{
++#ifndef NOPTHREADS
++	int i;
++
++	if (!pk11_library_initialized)
++		return;
++
++	for (i = OP_MAX - 1; i >= 0; i--)
++		{
++		(void) pthread_mutex_unlock(session_cache[i].lock);
++		}
++	UNLOCK_OBJSTORE(OP_RSA);
++#endif
++	}
++
++/* Initialization function for the pk11 engine */
++static int pk11_init(ENGINE *e)
++{
++	return (pk11_library_init(e));
++}
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * It selects a slot based on predefined critiera. In the process, it also
++ * count how many ciphers and digests to support. Since the cipher and
++ * digest information is needed when setting default engine, this function
++ * needs to be called before calling ENGINE_set_default.
++ */
++/* ARGSUSED */
++static int pk11_library_init(ENGINE *e)
++	{
++	CK_C_GetFunctionList p;
++	CK_RV rv = CKR_OK;
++	CK_INFO info;
++	int any_slot_found;
++	int i;
++#ifndef OPENSSL_SYS_WIN32
++	struct sigaction sigint_act, sigterm_act, sighup_act;
++#endif
++
++	/*
++	 * pk11_library_initialized is set to 0 in pk11_finish() which is called
++	 * from ENGINE_finish(). However, if there is still at least one
++	 * existing functional reference to the engine (see engine(3) for more
++	 * information), pk11_finish() is skipped. For example, this can happen
++	 * if an application forgets to clear one cipher context. In case of a
++	 * fork() when the application is finishing the engine so that it can be
++	 * reinitialized in the child, forgotten functional reference causes
++	 * pk11_library_initialized to stay 1. In that case we need the PID
++	 * check so that we properly initialize the engine again.
++	 */
++	if (pk11_library_initialized)
++		{
++		if (pk11_pid == getpid())
++			{
++			return (1);
++			}
++		else
++			{
++			global_session = CK_INVALID_HANDLE;
++			/*
++			 * free the locks first to prevent memory leak in case
++			 * the application calls fork() without finishing the
++			 * engine first.
++			 */
++			pk11_free_all_locks();
++			}
++		}
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the C_GetFunctionList function from the loaded library */
++	p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
++		PK11_GET_FUNCTION_LIST);
++	if (!p)
++		{
++		PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++
++	/* get the full function list from the loaded library */
++	rv = p(&pFuncList);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
++		goto err;
++		}
++
++#ifndef OPENSSL_SYS_WIN32
++	/* Not all PKCS#11 library are signal safe! */
++
++	(void) memset(&sigint_act, 0, sizeof(sigint_act));
++	(void) memset(&sigterm_act, 0, sizeof(sigterm_act));
++	(void) memset(&sighup_act, 0, sizeof(sighup_act));
++	(void) sigaction(SIGINT, NULL, &sigint_act);
++	(void) sigaction(SIGTERM, NULL, &sigterm_act);
++	(void) sigaction(SIGHUP, NULL, &sighup_act);
++#endif
++	rv = pFuncList->C_Initialize(NULL_PTR);
++#ifndef OPENSSL_SYS_WIN32
++	(void) sigaction(SIGINT, &sigint_act, NULL);
++	(void) sigaction(SIGTERM, &sigterm_act, NULL);
++	(void) sigaction(SIGHUP, &sighup_act, NULL);
++#endif
++	if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
++		goto err;
++		}
++
++	rv = pFuncList->C_GetInfo(&info);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
++		goto err;
++		}
++
++	if (pk11_choose_slots(&any_slot_found) == 0)
++		goto err;
++
++	/*
++	 * The library we use, set in def_PK11_LIBNAME, may not offer any
++	 * slot(s). In that case, we must not proceed but we must not return an
++	 * error. The reason is that applications that try to set up the PKCS#11
++	 * engine don't exit on error during the engine initialization just
++	 * because no slot was present.
++	 */
++	if (any_slot_found == 0)
++		return (1);
++
++	if (global_session == CK_INVALID_HANDLE)
++		{
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LIBRARY_INIT,
++			    PK11_R_OPENSESSION, rv);
++			goto err;
++			}
++		}
++
++	pk11_library_initialized = TRUE;
++	pk11_pid = getpid();
++	/*
++	 * if initialization of the locks fails pk11_init_all_locks()
++	 * will do the cleanup.
++	 */
++	if (!pk11_init_all_locks())
++		goto err;
++	for (i = 0; i < OP_MAX; i++)
++		session_cache[i].head = NULL;
++	/*
++	 * initialize active lists. We only use active lists
++	 * for asymmetric ciphers.
++	 */
++	for (i = 0; i < OP_MAX; i++)
++		active_list[i] = NULL;
++
++#ifndef NOPTHREADS
++	if (!pk11_atfork_initialized)
++		{
++		if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
++		    pk11_fork_child) != 0)
++			{
++			PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
++			goto err;
++			}
++		pk11_atfork_initialized = TRUE;
++		}
++#endif
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Destructor (complements the "ENGINE_pk11()" constructor) */
++/* ARGSUSED */
++static int pk11_destroy(ENGINE *e)
++	{
++	free_PK11_LIBNAME();
++	ERR_unload_pk11_strings();
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++	return (1);
++	}
++
++/*
++ * Termination function to clean up the session, the token, and the pk11
++ * library.
++ */
++/* ARGSUSED */
++static int pk11_finish(ENGINE *e)
++	{
++	int i;
++
++	if (pk11_pin) {
++		memset(pk11_pin, 0, strlen(pk11_pin));
++		OPENSSL_free((void*)pk11_pin);
++	}
++	pk11_pin = NULL;
++
++	if (pk11_dso == NULL)
++		{
++		PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
++		goto err;
++		}
++
++	OPENSSL_assert(pFuncList != NULL);
++
++	if (pk11_free_all_sessions() == 0)
++		goto err;
++
++	/* free all active lists */
++	for (i = 0; i < OP_MAX; i++)
++		pk11_free_active_list(i);
++
++	pFuncList->C_CloseSession(global_session);
++	global_session = CK_INVALID_HANDLE;
++
++	/*
++	 * Since we are part of a library (libcrypto.so), calling this function
++	 * may have side-effects.
++	 */
++#if 0
++	pFuncList->C_Finalize(NULL);
++#endif
++
++	if (!DSO_free(pk11_dso))
++		{
++		PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
++		goto err;
++		}
++	pk11_dso = NULL;
++	pFuncList = NULL;
++	pk11_library_initialized = FALSE;
++	pk11_pid = 0;
++	/*
++	 * There is no way how to unregister atfork handlers (other than
++	 * unloading the library) so we just free the locks. For this reason
++	 * the atfork handlers check if the engine is initialized and bail out
++	 * immediately if not. This is necessary in case a process finishes
++	 * the engine before calling fork().
++	 */
++	pk11_free_all_locks();
++
++	return (1);
++
++err:
++	return (0);
++	}
++
++/* Standard engine interface function to set the dynamic library path */
++/* ARGSUSED */
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
++	{
++	int initialized = ((pk11_dso == NULL) ? 0 : 1);
++
++	switch (cmd)
++		{
++	case PK11_CMD_SO_PATH:
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		if (initialized)
++			{
++			PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
++			return (0);
++			}
++
++		return (set_PK11_LIBNAME((const char *)p));
++	case PK11_CMD_PIN:
++		if (pk11_pin) {
++			memset(pk11_pin, 0, strlen(pk11_pin));
++			OPENSSL_free((void*)pk11_pin);
++		}
++		pk11_pin = NULL;
++
++		if (p == NULL)
++			{
++			PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++			return (0);
++			}
++
++		pk11_pin = BUF_strdup(p);
++		if (pk11_pin == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
++			return (0);
++			}
++		return (1);
++	case PK11_CMD_SLOT:
++		SLOTID = (CK_SLOT_ID)i;
++#ifdef DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: slot set\n", PK11_DBG);
++#endif
++		return (1);
++	default:
++		break;
++		}
++
++	PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
++
++	return (0);
++	}
++
++
++/* Required function by the engine random interface. It does nothing here */
++static void pk11_rand_cleanup(void)
++	{
++	return;
++	}
++
++/* ARGSUSED */
++static void pk11_rand_add(const void *buf, int num, double add)
++	{
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return;
++
++	/*
++	 * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
++	 * the calling functions do not care anyway
++	 */
++	pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
++	pk11_return_session(sp, OP_RAND);
++
++	return;
++	}
++
++static void pk11_rand_seed(const void *buf, int num)
++	{
++	pk11_rand_add(buf, num, 0);
++	}
++
++static int pk11_rand_bytes(unsigned char *buf, int num)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp;
++
++	if ((sp = pk11_get_session(OP_RAND)) == NULL)
++		return (0);
++
++	rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
++		pk11_return_session(sp, OP_RAND);
++		return (0);
++		}
++
++	pk11_return_session(sp, OP_RAND);
++	return (1);
++	}
++
++/* Required function by the engine random interface. It does nothing here */
++static int pk11_rand_status(void)
++	{
++	return (1);
++	}
++
++/* Free all BIGNUM structures from PK11_SESSION. */
++static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	switch (optype)
++		{
++		case OP_RSA:
++			if (sp->opdata_rsa_n_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_n_num);
++				sp->opdata_rsa_n_num = NULL;
++				}
++			if (sp->opdata_rsa_e_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_e_num);
++				sp->opdata_rsa_e_num = NULL;
++				}
++			if (sp->opdata_rsa_d_num != NULL)
++				{
++				BN_free(sp->opdata_rsa_d_num);
++				sp->opdata_rsa_d_num = NULL;
++				}
++			break;
++		default:
++			break;
++		}
++	}
++
++/*
++ * Get new PK11_SESSION structure ready for use. Every process must have
++ * its own freelist of PK11_SESSION structures so handle fork() here
++ * by destroying the old and creating new freelist.
++ * The returned PK11_SESSION structure is disconnected from the freelist.
++ */
++PK11_SESSION *
++pk11_get_session(PK11_OPTYPE optype)
++	{
++	PK11_SESSION *sp = NULL, *sp1, *freelist;
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock = NULL;
++#endif
++	CK_RV rv;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (NULL);
++		}
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp = freelist;
++
++	/*
++	 * If the free list is empty, allocate new unitialized (filled
++	 * with zeroes) PK11_SESSION structure otherwise return first
++	 * structure from the freelist.
++	 */
++	if (sp == NULL)
++		{
++		if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
++			{
++			PK11err(PK11_F_GET_SESSION,
++				PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		(void) memset(sp, 0, sizeof (PK11_SESSION));
++		}
++	else
++		{
++		freelist = sp->next;
++		}
++
++	if (sp->pid != 0 && sp->pid != getpid())
++		{
++		/*
++		 * We are a new process and thus need to free any inherited
++		 * PK11_SESSION objects.
++		 */
++		while ((sp1 = freelist) != NULL)
++			{
++			freelist = sp1->next;
++			/*
++			 * NOTE: we do not want to call pk11_free_all_sessions()
++			 * here because it would close underlying PKCS#11
++			 * sessions and destroy all objects.
++			 */
++			pk11_free_nums(sp1, optype);
++			OPENSSL_free(sp1);
++			}
++
++		/* we have to free the active list as well. */
++		pk11_free_active_list(optype);
++
++		/* Initialize the process */
++		rv = pFuncList->C_Initialize(NULL_PTR);
++		if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/*
++		 * Choose slot here since the slot table is different on this
++		 * process. If we are here then we must have found at least one
++		 * usable slot before so we don't need to check any_slot_found.
++		 * See pk11_library_init()'s usage of this function for more
++		 * information.
++		 */
++		if (pk11_choose_slots(NULL) == 0)
++			goto err;
++
++		/* Open the global_session for the new process */
++		rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &global_session);
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
++			    rv);
++			OPENSSL_free(sp);
++			sp = NULL;
++			goto err;
++			}
++
++		/* It is an inherited session and needs re-initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++	if (sp->pid == 0)
++		{
++		/* It is a new session and needs initialization. */
++		if (pk11_setup_session(sp, optype) == 0)
++			{
++			OPENSSL_free(sp);
++			sp = NULL;
++			}
++		}
++
++	/* set new head for the list of PK11_SESSION objects */
++	session_cache[optype].head = freelist;
++
++err:
++	if (sp != NULL)
++		sp->next = NULL;
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (sp);
++	}
++
++
++void
++pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	PK11_SESSION *freelist;
++
++	if (sp == NULL || sp->pid != getpid())
++		return;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_RETURN_SESSION,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return;
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	sp->next = freelist;
++	session_cache[optype].head = sp;
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	}
++
++
++/* Destroy all objects. This function is called when the engine is finished */
++static int pk11_free_all_sessions()
++	{
++	int ret = 1;
++	int type;
++
++	(void) pk11_destroy_rsa_key_objects(NULL);
++
++	/*
++	 * We try to release as much as we can but any error means that we will
++	 * return 0 on exit.
++	 */
++	for (type = 0; type < OP_MAX; type++)
++		{
++		if (pk11_free_session_list(type) == 0)
++			ret = 0;
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy session structures from the linked list specified. Free as many
++ * sessions as possible but any failure in C_CloseSession() means that we
++ * return an error on return.
++ */
++static int pk11_free_session_list(PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *freelist = NULL;
++	pid_t mypid = getpid();
++#ifndef NOPTHREADS
++	pthread_mutex_t *freelist_lock;
++#endif
++	int ret = 1;
++
++	switch (optype)
++		{
++		case OP_RSA:
++		case OP_DSA:
++		case OP_DH:
++		case OP_RAND:
++		case OP_DIGEST:
++		case OP_CIPHER:
++#ifndef NOPTHREADS
++			freelist_lock = session_cache[optype].lock;
++#endif
++			break;
++		default:
++			PK11err(PK11_F_FREE_ALL_SESSIONS,
++				PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_lock(freelist_lock);
++#else
++	CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	freelist = session_cache[optype].head;
++	while ((sp = freelist) != NULL)
++		{
++		if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
++			{
++			rv = pFuncList->C_CloseSession(sp->session);
++			if (rv != CKR_OK)
++				{
++				PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
++					PK11_R_CLOSESESSION, rv);
++				ret = 0;
++				}
++			}
++		freelist = sp->next;
++		pk11_free_nums(sp, optype);
++		OPENSSL_free(sp);
++		}
++
++#ifndef NOPTHREADS
++	(void) pthread_mutex_unlock(freelist_lock);
++#else
++	CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++	return (ret);
++	}
++
++
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++	{
++	CK_RV rv;
++	CK_SLOT_ID myslot;
++
++	switch (optype)
++		{
++		case OP_RSA:
++			myslot = pubkey_SLOTID;
++			break;
++		case OP_RAND:
++			myslot = rand_SLOTID;
++			break;
++		default:
++			PK11err(PK11_F_SETUP_SESSION,
++			    PK11_R_INVALID_OPERATION_TYPE);
++			return (0);
++		}
++
++	sp->session = CK_INVALID_HANDLE;
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
++#endif	/* DEBUG_SLOT_SELECTION */
++	rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++		NULL_PTR, NULL_PTR, &sp->session);
++	if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
++		{
++		/*
++		 * We are probably a child process so force the
++		 * reinitialize of the session
++		 */
++		pk11_library_initialized = FALSE;
++		if (!pk11_library_init(NULL))
++			return (0);
++		rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++			NULL_PTR, NULL_PTR, &sp->session);
++		}
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
++		return (0);
++		}
++
++	sp->pid = getpid();
++
++	if (optype == OP_RSA)
++		{
++		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_pub = NULL;
++		sp->opdata_rsa_n_num = NULL;
++		sp->opdata_rsa_e_num = NULL;
++		sp->opdata_rsa_priv = NULL;
++		sp->opdata_rsa_d_num = NULL;
++		}
++
++	return (1);
++	}
++
++/* Destroy RSA public key from single session. */
++int
++pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
++		    ret, uselock, OP_RSA);
++		sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_pub = NULL;
++		if (sp->opdata_rsa_n_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_n_num);
++			sp->opdata_rsa_n_num = NULL;
++			}
++		if (sp->opdata_rsa_e_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_e_num);
++			sp->opdata_rsa_e_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/* Destroy RSA private key from single session. */
++int
++pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++	{
++	int ret = 0;
++
++	if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
++		{
++		TRY_OBJ_DELETE(sp->session,
++			       sp->opdata_rsa_priv_key,
++			       ret, uselock, OP_RSA);
++		sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++		sp->opdata_rsa_priv = NULL;
++		if (sp->opdata_rsa_d_num != NULL)
++			{
++			BN_free(sp->opdata_rsa_d_num);
++			sp->opdata_rsa_d_num = NULL;
++			}
++		}
++
++	return (ret);
++	}
++
++/*
++ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_rsa_key_objects(PK11_SESSION *session)
++	{
++	int ret = 1;
++	PK11_SESSION *sp = NULL;
++	PK11_SESSION *local_free_session;
++	CK_BBOOL uselock = TRUE;
++
++	if (session != NULL)
++		local_free_session = session;
++	else
++		{
++#ifndef NOPTHREADS
++		(void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++#else
++		CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++		local_free_session = session_cache[OP_RSA].head;
++		uselock = FALSE;
++		}
++
++	/*
++	 * go through the list of sessions and delete key objects
++	 */
++	while ((sp = local_free_session) != NULL)
++		{
++		local_free_session = sp->next;
++
++		/*
++		 * Do not terminate list traversal if one of the
++		 * destroy operations fails.
++		 */
++		if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
++			{
++			ret = 0;
++			continue;
++			}
++		}
++
++#ifndef NOPTHREADS
++	if (session == NULL)
++		(void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++#else
++	if (session == NULL)
++		CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++	return (ret);
++	}
++
++static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
++	{
++	CK_RV rv;
++	rv = pFuncList->C_DestroyObject(session, oh);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
++		    rv);
++		return (0);
++		}
++
++	return (1);
++	}
++
++
++/*
++ * Public key mechanisms optionally supported
++ *
++ * CKM_RSA_X_509
++ * CKM_RSA_PKCS
++ *
++ * The first slot that supports at least one of those mechanisms is chosen as a
++ * public key slot.
++ *
++ * The output of this function is a set of global variables indicating which
++ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
++ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
++ * variables carry information about which slot was chosen for (a) public key
++ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
++ */
++static int
++pk11_choose_slots(int *any_slot_found)
++	{
++	CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++	CK_ULONG ulSlotCount = 0;
++	CK_MECHANISM_INFO mech_info;
++	CK_TOKEN_INFO token_info;
++	unsigned int i;
++	CK_RV rv;
++	CK_SLOT_ID best_slot_sofar = 0;
++	CK_BBOOL found_candidate_slot = CK_FALSE;
++	CK_SLOT_ID current_slot = 0;
++
++	/* let's initialize the output parameter */
++	if (any_slot_found != NULL)
++		*any_slot_found = 0;
++
++	/* Get slot list for memory allocation */
++	rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
++
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		return (0);
++		}
++
++	/* it's not an error if we didn't find any providers */
++	if (ulSlotCount == 0)
++		{
++#ifdef	DEBUG_SLOT_SELECTION
++		fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++		return (1);
++		}
++
++	pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++
++	if (pSlotList == NULL)
++		{
++		PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
++		return (0);
++		}
++
++	/* Get the slot list for processing */
++	rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
++	if (rv != CKR_OK)
++		{
++		PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++		OPENSSL_free(pSlotList);
++		return (0);
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
++	fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
++
++	fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		/* Check if slot has random support. */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		if (token_info.flags & CKF_RNG)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++			pk11_have_random = CK_TRUE;
++			rand_SLOTID = current_slot;
++			break;
++			}
++		}
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	pubkey_SLOTID = pSlotList[0];
++	for (i = 0; i < ulSlotCount; i++)
++		{
++		CK_BBOOL slot_has_rsa = CK_FALSE;
++		current_slot = pSlotList[i];
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif	/* DEBUG_SLOT_SELECTION */
++		rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++		if (rv != CKR_OK)
++			continue;
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++		/*
++		 * Check if this slot is capable of signing with CKM_RSA_PKCS.
++		 */
++		rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
++			&mech_info);
++
++		if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN)))
++			{
++			slot_has_rsa = CK_TRUE;
++			}
++
++		if (!found_candidate_slot && slot_has_rsa)
++			{
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: potential slot: %d\n", PK11_DBG, current_slot);
++#endif	/* DEBUG_SLOT_SELECTION */
++			best_slot_sofar = current_slot;
++			pk11_have_rsa = slot_has_rsa;
++			found_candidate_slot = CK_TRUE;
++#ifdef	DEBUG_SLOT_SELECTION
++			fprintf(stderr,
++			    "%s: setting found_candidate_slot to CK_TRUE\n",
++			    PK11_DBG);
++			fprintf(stderr,
++			    "%s: best so far slot: %d\n", PK11_DBG,
++			    best_slot_sofar);
++			}
++		else
++			{
++			fprintf(stderr,
++			    "%s: no rsa\n", PK11_DBG);
++			}
++#else
++			} /* if */
++#endif	/* DEBUG_SLOT_SELECTION */
++		} /* for */
++
++	if (found_candidate_slot)
++		{
++		pubkey_SLOTID = best_slot_sofar;
++		}
++
++	/*SLOTID = pSlotList[0];*/
++
++#ifdef	DEBUG_SLOT_SELECTION
++	fprintf(stderr,
++	    "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
++	fprintf(stderr,
++	    "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
++	fprintf(stderr,
++	    "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
++	fprintf(stderr,
++	    "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
++#endif	/* DEBUG_SLOT_SELECTION */
++
++	if (pSlotList != NULL)
++		OPENSSL_free(pSlotList);
++
++	if (any_slot_found != NULL)
++		*any_slot_found = 1;
++	return (1);
++	}
++
++#endif	/* OPENSSL_NO_HW_PK11SO */
++#endif	/* OPENSSL_NO_HW_PK11 */
++#endif	/* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11so.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so.h	Mon Oct  5 13:17:03 2009
+@@ -0,0 +1,28 @@
++/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
++
++#define find_lock			pk11so_find_lock
++#define active_list			pk11so_active_list
++#define ERR_pk11_error			ERR_pk11so_error
++#define PK11err_add_data		PK11SOerr_add_data
++#define pk11_get_session		pk11so_get_session
++#define pk11_return_session		pk11so_return_session
++#define pk11_active_add			pk11so_active_add
++#define pk11_active_delete		pk11so_active_delete
++#define pk11_active_remove		pk11so_active_remove
++#define pk11_free_active_list		pk11so_free_active_list
++#define pk11_destroy_rsa_key_objects	pk11so_destroy_rsa_key_objects
++#define pk11_destroy_rsa_object_pub	pk11so_destroy_rsa_object_pub
++#define pk11_destroy_rsa_object_priv	pk11so_destroy_rsa_object_priv
++#define pk11_load_privkey		pk11so_load_privkey
++#define pk11_load_pubkey		pk11so_load_pubkey
++#define PK11_RSA			PK11SO_RSA
++#define pk11_destroy_dsa_key_objects	pk11so_destroy_dsa_key_objects
++#define pk11_destroy_dsa_object_pub	pk11so_destroy_dsa_object_pub
++#define pk11_destroy_dsa_object_priv	pk11so_destroy_dsa_object_priv
++#define PK11_DSA			PK11SO_DSA
++#define pk11_destroy_dh_key_objects	pk11so_destroy_dh_key_objects
++#define pk11_destroy_dh_object		pk11so_destroy_dh_object
++#define PK11_DH				PK11SO_DH
++#define pFuncList			pk11so_pFuncList
++#define pk11_pin			pk11so_pin
++#define ENGINE_load_pk11		ENGINE_load_pk11so
+Index: openssl/crypto/engine/hw_pk11so_pub.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2
+--- /dev/null	Mon Oct  5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so_pub.c	Mon Oct  5 13:17:03 2009
+@@ -0,0 +1,899 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_pub.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#ifdef OPENSSL_SYS_WIN32
++#define NOPTHREADS
++typedef int pid_t;
++#define HAVE_GETPASSPHRASE
++static char *getpassphrase(const char *prompt);
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++	returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++	returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++	returnType __declspec(dllimport) (* name)
++#else
++#include 
++#endif
++
++#ifndef NOPTHREADS
++#include 
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11SO
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11so.h"
++#include "hw_pk11_err.h"
++
++#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
++#define getpassphrase(x)	getpass(x)
++#endif
++
++/* RSA stuff */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
++EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data);
++
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
++	BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
++
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
++
++/* Read mode string to be used for fopen() */
++#if SOLARIS_OPENSSL
++static char *read_mode_flags = "rF";
++#else
++static char *read_mode_flags = "r";
++#endif
++
++/*
++ * increment/create reference for an asymmetric key handle via active list
++ * manipulation. If active list operation fails, unlock (if locked), set error
++ * variable and jump to the specified label.
++ */
++#define	KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label)	\
++	{								\
++	if (pk11_active_add(key_handle, alg_type) < 0)			\
++		{							\
++		var = TRUE;						\
++		if (unlock)						\
++			UNLOCK_OBJSTORE(alg_type);			\
++		goto label;						\
++		}							\
++	}
++
++/*
++ * Find active list entry according to object handle and return pointer to the
++ * entry otherwise return NULL.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	for (entry = active_list[type]; entry != NULL; entry = entry->next)
++		if (entry->h == h)
++			return (entry);
++
++	return (NULL);
++	}
++
++/*
++ * Search for an entry in the active list using PKCS#11 object handle as a
++ * search key and return refcnt of the found/created entry or -1 in case of
++ * failure.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if (h == CK_INVALID_HANDLE)
++		{
++		PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	/* search for entry in the active list */
++	if ((entry = pk11_active_find(h, type)) != NULL)
++		entry->refcnt++;
++	else
++		{
++		/* not found, create new entry and add it to the list */
++		entry = OPENSSL_malloc(sizeof (PK11_active));
++		if (entry == NULL)
++			{
++			PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
++			return (-1);
++			}
++		entry->h = h;
++		entry->refcnt = 1;
++		entry->prev = NULL;
++		entry->next = NULL;
++		/* connect the newly created entry to the list */
++		if (active_list[type] == NULL)
++			active_list[type] = entry;
++		else /* make the entry first in the list */
++			{
++			entry->next = active_list[type];
++			active_list[type]->prev = entry;
++			active_list[type] = entry;
++			}
++		}
++
++	return (entry->refcnt);
++	}
++
++/*
++ * Remove active list entry from the list and free it.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++void
++pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
++	{
++	PK11_active *prev_entry;
++
++	/* remove the entry from the list and free it */
++	if ((prev_entry = entry->prev) != NULL)
++		{
++		prev_entry->next = entry->next;
++		if (entry->next != NULL)
++			entry->next->prev = prev_entry;
++		}
++	else
++		{
++		active_list[type] = entry->next;
++		/* we were the first but not the only one */
++		if (entry->next != NULL)
++			entry->next->prev = NULL;
++		}
++
++	/* sanitization */
++	entry->h = CK_INVALID_HANDLE;
++	entry->prev = NULL;
++	entry->next = NULL;
++	OPENSSL_free(entry);
++	}
++
++/* Free all entries from the active list. */
++void
++pk11_free_active_list(PK11_OPTYPE type)
++	{
++	PK11_active *entry;
++
++	/* only for asymmetric types since only they have C_Find* locks. */
++	switch (type)
++		{
++		case OP_RSA:
++			break;
++		default:
++			return;
++		}
++
++	/* see find_lock array definition for more info on object locking */
++	LOCK_OBJSTORE(type);
++	while ((entry = active_list[type]) != NULL)
++		pk11_active_remove(entry, type);
++	UNLOCK_OBJSTORE(type);
++	}
++
++/*
++ * Search for active list entry associated with given PKCS#11 object handle,
++ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
++ *
++ * Return 1 if the PKCS#11 object associated with the entry has no references,
++ * return 0 if there is at least one reference, -1 on error.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++	{
++	PK11_active *entry = NULL;
++
++	if ((entry = pk11_active_find(h, type)) == NULL)
++		{
++		PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
++		return (-1);
++		}
++
++	OPENSSL_assert(entry->refcnt > 0);
++	entry->refcnt--;
++	if (entry->refcnt == 0)
++		{
++		pk11_active_remove(entry, type);
++		return (1);
++		}
++
++	return (0);
++	}
++
++/* Our internal RSA_METHOD that we provide pointers to */
++static RSA_METHOD pk11_rsa;
++
++RSA_METHOD *
++PK11_RSA(void)
++	{
++	const RSA_METHOD *rsa;
++
++	if (pk11_rsa.name == NULL)
++		{
++		rsa = RSA_PKCS1_SSLeay();
++		memcpy(&pk11_rsa, rsa, sizeof(*rsa));
++		pk11_rsa.name = "PKCS#11 RSA method";
++		pk11_rsa.rsa_sign = pk11_RSA_sign;
++		}
++	return (&pk11_rsa);
++	}
++
++/* Size of an SSL signature: MD5+SHA1 */
++#define	SSL_SIG_LENGTH		36
++
++/*
++ * Standard engine interface function. Majority codes here are from
++ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
++ * See more details in rsa/rsa_sign.c
++ */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++	unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
++	{
++	X509_SIG sig;
++	ASN1_TYPE parameter;
++	int i, j = 0;
++	unsigned char *p, *s = NULL;
++	X509_ALGOR algor;
++	ASN1_OCTET_STRING digest;
++	CK_RV rv;
++	CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++	CK_MECHANISM *p_mech = &mech_rsa;
++	CK_OBJECT_HANDLE h_priv_key;
++	PK11_SESSION *sp = NULL;
++	int ret = 0;
++	unsigned long ulsiglen;
++
++	/* Encode the digest */
++	/* Special case: SSL signature, just check the length */
++	if (type == NID_md5_sha1)
++		{
++		if (m_len != SSL_SIG_LENGTH)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_INVALID_MESSAGE_LENGTH);
++			goto err;
++			}
++		i = SSL_SIG_LENGTH;
++		s = (unsigned char *)m;
++		}
++	else
++		{
++		sig.algor = &algor;
++		sig.algor->algorithm = OBJ_nid2obj(type);
++		if (sig.algor->algorithm == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ALGORITHM_TYPE);
++			goto err;
++			}
++		if (sig.algor->algorithm->length == 0)
++			{
++			PK11err(PK11_F_RSA_SIGN,
++				PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++			goto err;
++			}
++		parameter.type = V_ASN1_NULL;
++		parameter.value.ptr = NULL;
++		sig.algor->parameter = ¶meter;
++
++		sig.digest = &digest;
++		sig.digest->data = (unsigned char *)m;
++		sig.digest->length = m_len;
++
++		i = i2d_X509_SIG(&sig, NULL);
++		}
++
++	j = RSA_size(rsa);
++	if ((i - RSA_PKCS1_PADDING) > j)
++		{
++		PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
++		goto err;
++		}
++
++	if (type != NID_md5_sha1)
++		{
++		s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++		if (s == NULL)
++			{
++			PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
++			goto err;
++			}
++		p = s;
++		(void) i2d_X509_SIG(&sig, &p);
++		}
++
++	if ((sp = pk11_get_session(OP_RSA)) == NULL)
++		goto err;
++
++	(void) check_new_rsa_key_priv(sp, rsa);
++
++	h_priv_key = sp->opdata_rsa_priv_key;
++	if (h_priv_key == CK_INVALID_HANDLE)
++		h_priv_key = sp->opdata_rsa_priv_key =
++			pk11_get_private_rsa_key((RSA *)rsa,
++			    &sp->opdata_rsa_priv,
++			    &sp->opdata_rsa_d_num, sp->session);
++
++	if (h_priv_key != CK_INVALID_HANDLE)
++		{
++		rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
++			goto err;
++			}
++
++		ulsiglen = j;
++		rv = pFuncList->C_Sign(sp->session, s, i, sigret,
++			(CK_ULONG_PTR) &ulsiglen);
++		*siglen = ulsiglen;
++
++		if (rv != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
++			goto err;
++			}
++		ret = 1;
++		}
++
++err:
++	if ((type != NID_md5_sha1) && (s != NULL))
++		{
++		(void) memset(s, 0, (unsigned int)(j + 1));
++		OPENSSL_free(s);
++		}
++
++	pk11_return_session(sp, OP_RSA);
++	return (ret);
++	}
++
++static int hndidx_rsa = -1;
++
++/* load RSA private key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *privkey;
++	RSA *rsa;
++	PK11_SESSION *sp = NULL;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for private keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(privkey_file, "pkcs11:") == privkey_file)
++		{
++		if ((sp = pk11_get_session(OP_RSA)) == NULL)
++			return (NULL);
++
++		search_templ[2].pValue = strstr(privkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++
++		LOCK_OBJSTORE(OP_RSA);
++		if ((rv = pFuncList->C_FindObjectsInit(sp->session,
++		    search_templ, 3)) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		if (hndidx_rsa == -1)
++			hndidx_rsa = RSA_get_ex_new_index(0,
++				        "pkcs11 RSA HSM key handle",
++					NULL, NULL, NULL);
++
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_assign_RSA(pkey, rsa);
++
++		if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2)) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++			}
++
++		/* Note: these flags are critical! */
++		rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
++		RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
++		(void) check_new_rsa_key_priv(sp, rsa);
++		sp->opdata_rsa_priv = rsa;
++		sp->opdata_rsa_priv_key = ks_key;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
++		(void) fclose(privkey);
++		}
++
++err:
++	if (sp != NULL)
++		pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/* load RSA public key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++	UI_METHOD *ui_method, void *callback_data)
++	{
++	EVP_PKEY *pkey = NULL;
++	FILE *pubkey;
++	RSA *rsa;
++	PK11_SESSION *sp = NULL;
++	/* everything else below needed for key by reference extension */
++	CK_RV rv;
++	CK_ULONG objcnt = 0;
++	CK_BBOOL is_token = TRUE;
++	CK_BYTE attr_data[2][1024];
++	CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
++	CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE;	/* key in keystore */
++	extern char *pk11_pin;
++
++	/* we look for public keys only */
++	CK_ATTRIBUTE search_templ[] =
++		{
++		{CKA_TOKEN, &is_token, sizeof(is_token)},
++		{CKA_CLASS, &key_class, sizeof(key_class)},
++		{CKA_LABEL, NULL, 0}
++		};
++
++	/* these attributes are needed to initialize OpenSSL RSA structure */
++	CK_ATTRIBUTE get_templ[] =
++		{
++		{CKA_MODULUS, (void *)attr_data[0], 1024},	    /* n */
++		{CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024},  /* e */
++		};
++
++	/*
++	 * Use simple scheme "pkcs11:" for now.
++	 */
++	if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
++		{
++		if ((sp = pk11_get_session(OP_RSA)) == NULL)
++			return (NULL);
++
++		search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
++		search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++#define ALLWAYS_LOGIN
++#ifdef ALLWAYS_LOGIN
++		if (pk11_pin == NULL)
++			{
++			pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++			if (pk11_pin == NULL)
++				{
++				PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
++				goto err;
++				}
++			}
++		if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++		    strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_INVALID_PIN, rv);
++			goto err;
++			}
++#endif
++
++		LOCK_OBJSTORE(OP_RSA);
++		if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTSINIT, rv);
++			goto err;
++			}
++		rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++		if (rv != CKR_OK)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_FINDOBJECTS, rv);
++			goto err;
++			}
++
++		if (objcnt > 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
++			goto err;
++			}
++
++		if (objcnt != 1)
++			{
++			UNLOCK_OBJSTORE(OP_RSA);
++			PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
++			goto err;
++			}
++
++		(void) pFuncList->C_FindObjectsFinal(sp->session);
++		UNLOCK_OBJSTORE(OP_RSA);
++
++		sp->opdata_rsa_pub_key = ks_key;
++		pkey = EVP_PKEY_new();
++		if (pkey == NULL)
++			goto err;
++
++		rsa = RSA_new_method(e);
++		if (rsa == NULL) {
++			EVP_PKEY_free(pkey);
++			pkey = NULL;
++			goto err;
++		}
++		EVP_PKEY_assign_RSA(pkey, rsa);
++
++		if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
++		    get_templ, 2) != CKR_OK)
++			{
++			PK11err_add_data(PK11_F_LOAD_PUBKEY,
++					 PK11_R_GETATTRIBUTVALUE, rv);
++			goto err;
++			}
++
++		(void) check_new_rsa_key_pub(sp, rsa);
++		sp->opdata_rsa_pub = rsa;
++
++		attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++		attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++		}
++	else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
++		{
++		pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
++		(void) fclose(pubkey);
++		}
++
++err:
++	if (sp != NULL)
++		pk11_return_session(sp, OP_RSA);
++	return (pkey);
++	}
++
++/*
++ * Create a private key object in the session from a given rsa structure.
++ * The *rsa_d_num pointer is non-NULL for RSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
++    RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
++	{
++	CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++
++	if ((rsa->flags & RSA_FLAG_EXT_PKEY) == 0) {
++		PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_INCONSISTENT_KEY);
++		return (h_key);
++	}
++	
++	h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
++	(void) pk11_active_add(h_key, OP_RSA);
++	if (key_ptr != NULL)
++		*key_ptr = rsa;
++	if (rsa_d_num != NULL)
++		{
++		if (rsa->d == NULL)
++			*rsa_d_num = NULL;
++		else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
++			{
++			PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++			return (h_key);
++			}
++		}
++	return (h_key);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Only public components of RSA
++	 * key matter here so it is sufficient to compare them with values
++	 * cached in PK11_SESSION structure.
++	 */
++	if ((sp->opdata_rsa_pub != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
++	    (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_pub(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
++	{
++	/*
++	 * Provide protection against RSA structure reuse by making the
++	 * check for cache hit stronger. Comparing private exponent of RSA
++	 * key with value cached in PK11_SESSION structure should
++	 * be sufficient.
++	 */
++	if ((sp->opdata_rsa_priv != rsa) ||
++	    (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
++	    ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
++		{
++		/*
++		 * We do not check the return value because even in case of
++		 * failure the sp structure will have both key pointer
++		 * and object handle cleaned and pk11_destroy_object()
++		 * reports the failure to the OpenSSL error message buffer.
++		 */
++		(void) pk11_destroy_rsa_object_priv(sp, TRUE);
++		return (0);
++		}
++	return (1);
++	}
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
++	{
++	if (attr->ulValueLen > 0)
++		{
++		*bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
++		}
++	}
++
++#ifdef	OPENSSL_SYS_WIN32
++char *getpassphrase(const char *prompt)
++	{
++	static char buf[128];
++	HANDLE h;
++	DWORD cc, mode;
++	int cnt;
++
++	h = GetStdHandle(STD_INPUT_HANDLE);
++	fputs(prompt, stderr);
++	fflush(stderr);
++	fflush(stdout);
++	FlushConsoleInputBuffer(h);
++	GetConsoleMode(h, &mode);
++	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
++
++	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
++		{
++		ReadFile(h, buf + cnt, 1, &cc, NULL);
++		if (buf[cnt] == '\r')
++			break;
++		fputc('*', stdout);
++		fflush(stderr);
++		fflush(stdout);
++		}
++
++	SetConsoleMode(h, mode);
++	buf[cnt] = '\0';
++	fputs("\n", stderr);
++	return buf;
++	}
++#endif	/* OPENSSL_SYS_WIN32 */
++#endif	/* OPENSSL_NO_HW_PK11SO */
 +#endif	/* OPENSSL_NO_HW_PK11 */
 +#endif	/* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/pkcs11.h
 diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/pkcs11.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
-+/* $Revision: 1.1 $ */
++/* $Revision: 1.2 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -11172,11 +11402,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11f.h
 diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/pkcs11f.h	Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
-+/* $Revision: 1.1 $ */
++/* $Revision: 1.2 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -12089,11 +12319,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11t.h
 diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null	Mon Oct  5 11:08:14 2009
+--- /dev/null	Mon Oct  5 13:17:24 2009
 +++ openssl/crypto/engine/pkcs11t.h	Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */
-+/* $Revision: 1.1 $ */
++/* $Revision: 1.2 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
@@ -13978,19 +14208,38 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
 +
 +#endif
 Index: openssl/util/libeay.num
-diff -u openssl/util/libeay.num:1.1.3.1 openssl/util/libeay.num:1.5
+diff -u openssl/util/libeay.num:1.1.3.1 openssl/util/libeay.num:1.6
 --- openssl/util/libeay.num:1.1.3.1	Mon Feb  2 00:27:56 2009
-+++ openssl/util/libeay.num	Fri Sep  4 10:43:22 2009
-@@ -3725,3 +3725,4 @@
++++ openssl/util/libeay.num	Mon Oct  5 13:17:03 2009
+@@ -3725,3 +3725,5 @@
  JPAKE_STEP3A_init                       4111	EXIST::FUNCTION:JPAKE
  ERR_load_JPAKE_strings                  4112	EXIST::FUNCTION:JPAKE
  JPAKE_STEP2_init                        4113	EXIST::FUNCTION:JPAKE
-+ENGINE_load_pk11                        4114	EXIST::FUNCTION:ENGINE
++ENGINE_load_pk11ca                      4114	EXIST::FUNCTION:HW_PKCS11CA,ENGINE
++ENGINE_load_pk11so                      4114	EXIST::FUNCTION:HW_PKCS11SO,ENGINE
 Index: openssl/util/mk1mf.pl
-diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.6
+diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.7
 --- openssl/util/mk1mf.pl:1.1.3.1	Tue Dec  2 23:50:21 2008
-+++ openssl/util/mk1mf.pl	Fri Sep  4 10:43:23 2009
-@@ -322,6 +322,9 @@
++++ openssl/util/mk1mf.pl	Mon Oct  5 13:17:05 2009
+@@ -87,6 +87,8 @@
+ 	no-ecdh					- No ECDH
+ 	no-engine				- No engine
+ 	no-hw					- No hw
++	no-hw-pkcs11ca				- No hw PKCS#11 CA flavor
++	no-hw-pkcs11so				- No hw PKCS#11 SO flavor
+ 	nasm 					- Use NASM for x86 asm
+ 	nw-nasm					- Use NASM x86 asm for NetWare
+ 	nw-mwasm				- Use Metrowerks x86 asm for NetWare
+@@ -242,6 +244,8 @@
+ $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
+ $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
+ $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
++$cflags.=" -DOPENSSL_NO_HW_PKCS11CA"   if $no_hw_pkcs11ca;
++$cflags.=" -DOPENSSL_NO_HW_PKCS11SO"   if $no_hw_pkcs11so;
+ $cflags.=" -DOPENSSL_FIPS"    if $fips;
+ $cflags.= " -DZLIB" if $zlib_opt;
+ $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+@@ -322,6 +326,9 @@
  	if ($key eq "ZLIB_INCLUDE")
  		{ $cflags .= " $val" if $val ne "";}
  
@@ -14000,6 +14249,54 @@ diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.6
  	if ($key eq "LIBZLIB")
  		{ $zlib_lib = "$val" if $val ne "";}
  
+@@ -1300,6 +1307,8 @@
+ 		"no-ecdh" => \$no_ecdh,
+ 		"no-engine" => \$no_engine,
+ 		"no-hw" => \$no_hw,
++		"no-hw-pkcs11ca" => \$no_hw_pkcs11ca,
++		"no-hw-pkcs11so" => \$no_hw_pkcs11so,
+ 		"just-ssl" =>
+ 			[\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,
+ 			  \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh,
+Index: openssl/util/mkdef.pl
+diff -u openssl/util/mkdef.pl:1.1.3.1 openssl/util/mkdef.pl:1.5
+--- openssl/util/mkdef.pl:1.1.3.1	Mon Nov 24 16:14:15 2008
++++ openssl/util/mkdef.pl	Mon Oct  5 13:17:05 2009
+@@ -93,7 +93,7 @@
+ 			 # External "algorithms"
+ 			 "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM",
+ 			 # Engines
+-			 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
++			 "STATIC_ENGINE", "ENGINE", "HW", "GMP", "HW_PKCS11CA", "HW_PKCS11SO",
+ 			 # RFC3779 support 
+ 			 "RFC3779",
+ 			 # TLS extension support
+@@ -122,6 +122,7 @@
+ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
+ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
+ my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
++my $no_pkcs11ca; my $no_pkcs11so;
+ my $no_seed;
+ my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
+ my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng; my $no_jpake;
+@@ -214,6 +215,8 @@
+ 	elsif (/^no-cms$/)	{ $no_cms=1; }
+ 	elsif (/^no-capieng$/)	{ $no_capieng=1; }
+ 	elsif (/^no-jpake$/)	{ $no_jpake=1; }
++	elsif (/^no-hw-pkcs11ca$/) { $no_pkcs11ca=1; }
++	elsif (/^no-hw-pkcs11so$/) { $no_pkcs11so=1; }
+ 	}
+ 
+ 
+@@ -1138,6 +1141,8 @@
+ 			if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+ 			if ($keyword eq "ENGINE" && $no_engine) { return 0; }
+ 			if ($keyword eq "HW" && $no_hw) { return 0; }
++			if ($keyword eq "HW_PKCS11CA" && $no_pkcs11ca) { return 0; }
++			if ($keyword eq "HW_PKCS11SO" && $no_pkcs11so) { return 0; }
+ 			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
+ 			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
+ 			if ($keyword eq "GMP" && $no_gmp) { return 0; }
 Index: openssl/util/pl/VC-32.pl
 diff -u openssl/util/pl/VC-32.pl:1.1.3.1 openssl/util/pl/VC-32.pl:1.5
 --- openssl/util/pl/VC-32.pl:1.1.3.1	Mon Mar  9 12:14:08 2009

From b56f3f5c6663a40852866cbca469f680f7118e79 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 13:39:45 +0000
Subject: [PATCH 254/385] PKCS#11 20225 & all

---
 CHANGES       |  2 ++
 README.pkcs11 | 60 ++++++++++++++++++++++++++++-----------------------
 2 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5e2513734d..d2421b974e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
+
 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
 			supported TSIG key algorithm. [RT #18046]
 
diff --git a/README.pkcs11 b/README.pkcs11
index 81bd4176a9..5b6fac4fd9 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -9,9 +9,8 @@ and other cryptographic support devices.
 
 BIND 9 is known to work with two HSMs:  The Sun SCA 6000 cryptographic
 acceration board, tested under Solaris x86, and the AEP Keyper
-network-attached key storage device, tested with a Debian Linux system.
-(The Keyper has also been tested with Windows Server 2003 and found to
-work, but with some stability problems that have not yet been resolved.)
+network-attached key storage device, tested with a Debian Linux system,
+Solaris x86 and Windows Server 2003.
 
 PREREQUISITES
 
@@ -24,30 +23,37 @@ is available from the OpenSolaris project.  It has been modified by
 ISC to work with with BIND 9 and to provide new features such as
 PIN management and key by reference.
 
+The PKCS#11 engine supports two flavors:
+ - the crypto-accelerator which uses the PKCS#11 device for all crypto
+  operations it supports. This is the right choice for the SCA 6000.
+ - the sign-only which was stripped down and provides only the
+  useful features for a secure key store. The Keyper must use this
+  flavor.
+
 The modified OpenSSL depends on a "PKCS #11 provider".  This is a shared
 library object, providing a low-level PKCS #11 interface to the HSM
 hardware; it is dynamically loaded by OpenSSL at runtime.  The PKCS #11
 provider comes from the HSM vendor, and and is specific to the HSM to be
 controlled.
 
-The modified OpenSSL code is included in BIND 9.7.0a3 release in the form
-of a context diff against OpenSSL 0.9.8i.  Before building BIND 9 with
+The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
+of a context diff against OpenSSL 0.9.8k.  Before building BIND 9 with
 PKCS #11 support, it will be necessary to build OpenSSL with this patch
 in place and inform it of the path to the HSM-specific PKCS #11 provider
 library.
 
-Obtain OpenSSL 0.9.8i:
+Obtain OpenSSL 0.9.8k:
 
-    wget http://www.openssl.org/source/openssl-0.9.8i.tar.gz
+    wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz
 
 Extract the tarball:
 
-    tar zxf openssl-0.9.8i.tar.gz
+    tar zxf openssl-0.9.8k.tar.gz
 
 Apply the patch from the BIND 9 release:
 
-    patch -p1 -d openssl-0.9.8i \
-            < bind-9.7.0a3/contrib/pkcs11-keygen/openssl-0.9.8i-patch 
+    patch -p1 -d openssl-0.9.8k \
+            < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch 
 
 (Note that the patch file may not be compatible with the "patch" utility
 on all operating systems.  You may need to install GNU patch.)
@@ -63,17 +69,8 @@ We will use this location when we configure BIND 9.
     not provide hardware cryptographic acceleration.  It can carry out
     cryptographic operations, but it is probably slower than your
     system's CPU, so it is most efficient to use it only for operations
-    that require the secured private key.
-
-    The patched OpenSSL source tree includes two versions of the PKCS #11
-    engine; one uses the HSM for all cryptographic operations, and the
-    other only uses it for signing.  The signing-only engine is recommended
-    for the Keyper.  To build OpenSSL with the signing-only engine:
-
-        cp openssl-0.9.8i/crypto/engine/hw_pk11-kp.c \
-           openssl-0.9.8i/crypto/engine/hw_pk11.c
-        cp openssl-0.9.8i/crypto/engine/hw_pk11_pub-kp.c \
-           openssl-0.9.8i/crypto/engine/hw_pk11_pub.c
+    that require the secured private key. This is why the PKCS#11
+    engine flavor shall be 'sign-only'.
 
     The Keyper-specific PKCS #11 provider library is delivered with the
     Keyper software.  In this example, we place it /opt/pkcs11/usr/lib:
@@ -86,9 +83,10 @@ We will use this location when we configure BIND 9.
 
     Finally, the Keyper library requires threads, so we must specify -pthread.
     
-        cd openssl-0.9.8i
+        cd openssl-0.9.8k
         ./Configure linux-generic32 -m32 -pthread \
             --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --pk11-flavor=sign-only \
             --prefix=/opt/pkcs11/usr
 
     After configuring, run "make" and "make test".  If "make test" fails
@@ -98,13 +96,15 @@ We will use this location when we configure BIND 9.
     EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS:
 
     The SCA-6000 PKCS #11 provider is installed as a system library,
-    libpkcs11.
+    libpkcs11. It is a true crypto accelerator, up to 4 times faster
+    than any CPU, so the flavor shall be 'crypto-accelerator'.
 
     In this example, we are building on Solaris x86 on an AMD64 system.
 
-        cd openssl-0.9.8i
+        cd openssl-0.9.8k
         ./Configure solaris64-x86_64-cc \
             --pk11-libname=/usr/lib/64/libpkcs11.so \
+            --pk11-flavor=crypto-accelerator \
             --prefix=/opt/pkcs11/usr
 
     (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
@@ -117,6 +117,8 @@ line:
 
         (pkcs11) PKCS #11 engine support
 
+<<"apps/openssl engine -t" to see if initialization is correct (available)>>
+
 If the output is correct, run "make install".
 
 BUILDING BIND 9
@@ -133,7 +135,7 @@ library must be specified via configure.
     we are building on a 64-bit host, we must force a 32-bit build by
     adding "-m32" to the CC options on the "configure" command line.
 
-        cd ../bind-9.7.0a3
+        cd ../bind-9.7.0b1
         ./configure CC="gcc -m32" --enable-threads \
             --with-openssl=/opt/pkcs11/usr \
             --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so
@@ -143,10 +145,10 @@ library must be specified via configure.
     To link with the PKCS #11 provider, threads must be enabled in the
     BIND 9 build.
 
-        cd ../bind-9.7.0a3
+        cd ../bind-9.7.0b1
         ./configure CC="cc -xarch=amd64" --enable-threads \
             --with-openssl=/opt/pkcs11/usr \
-            -with-pkcs11=/usr/lib/64/libpkcs11.so
+            --with-pkcs11=/usr/lib/64/libpkcs11.so
 
     (For a 32-bit build, omit CC="cc -xarch=amd64".)
 
@@ -208,6 +210,10 @@ otherwise the PCKS #11 engine will look for the key on disk rather than
 in the HSM.  If you forget to do this, dnssec-keyfromlabel will return
 "not found".)
 
+<>
+<>
+
 The resulting K*.key and K*.private files can now be used to sign the
 zone.  Unlike normal K* files, which contain both public and private
 key data, these files will contain only the public key data, plus an

From 8b78c993cb475cc94e88560941b28c37684789d9 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 17:30:49 +0000
Subject: [PATCH 255/385] explicit engine rt20230a

---
 CHANGES                                |   4 +
 bin/dnssec/Makefile.in                 |   4 +-
 bin/dnssec/dnssec-dsfromkey.c          |   5 +-
 bin/dnssec/dnssec-keyfromlabel.c       |  37 ++--
 bin/dnssec/dnssec-keyfromlabel.docbook |  18 +-
 bin/dnssec/dnssec-keygen.c             |  24 ++-
 bin/dnssec/dnssec-keygen.docbook       |  15 +-
 bin/dnssec/dnssec-revoke.c             |  26 ++-
 bin/dnssec/dnssec-revoke.docbook       |  13 +-
 bin/dnssec/dnssec-settime.c            |  25 ++-
 bin/dnssec/dnssec-settime.docbook      |  13 +-
 bin/dnssec/dnssec-signzone.c           |  61 ++++---
 bin/dnssec/dnssec-signzone.docbook     |  15 +-
 bin/named/Makefile.in                  |   4 +-
 bin/named/include/named/globals.h      |   8 +-
 bin/named/main.c                       |  12 +-
 bin/named/named.docbook                |  17 +-
 bin/named/server.c                     |   5 +-
 lib/dns/Makefile.in                    |   4 +-
 lib/dns/dst_api.c                      |  16 +-
 lib/dns/dst_internal.h                 |   4 +-
 lib/dns/dst_openssl.h                  |   7 +-
 lib/dns/include/dst/dst.h              |   7 +-
 lib/dns/openssl_link.c                 | 234 +++++++------------------
 lib/dns/opensslrsa_link.c              |   4 +-
 lib/isc/task.c                         |  10 +-
 lib/isc/timer.c                        |  10 +-
 27 files changed, 348 insertions(+), 254 deletions(-)

diff --git a/CHANGES b/CHANGES
index d2421b974e..72125d4eb7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2703.	[func]		Introduce an OpenSSL "engine" argument with -E
+			for all binaries which can take benefit of
+			crypto hardware. [RT #20230]
+
 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 
 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 2af3838fa8..39471eedfe 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\" 
+CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 9a89b56965..3d062f1175 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -440,7 +440,8 @@ main(int argc, char **argv) {
 	result = dst_lib_init(mctx, ectx,
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	setup_logging(verbose, mctx, &log);
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index f0e41d1101..556082230a 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -63,20 +63,28 @@ usage(void) {
 	fprintf(stderr, "Required options:\n");
 	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "    -l label: label of the key pair\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "      (for instance \"pkcs11:foo\"\n");
+#else
+	fprintf(stderr, "    -E enginename\n");
+#endif
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -c  (default: IN)\n");
+	fprintf(stderr, "    -c class (default: IN)\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "    -E enginename (default: pkcs11)\n");
+#endif
 	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
 	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    -p : default: 3 [dnssec]\n");
-	fprintf(stderr, "    -t : "
+	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
+	fprintf(stderr, "    -t type: "
 		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 		"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -v \n");
+	fprintf(stderr, "    -v verbose level\n");
 	fprintf(stderr, "Date options:\n");
 	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
 	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
@@ -97,6 +105,11 @@ int
 main(int argc, char **argv) {
 	char		*algname = NULL, *nametype = NULL, *type = NULL;
 	const char	*directory = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = "pkcs11";
+#else
+	const char	*engine = NULL;
+#endif
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL, *oldkey = NULL;
@@ -116,7 +129,7 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	char		*label = NULL, *engine = NULL;
+	char		*label = NULL;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
@@ -140,7 +153,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+				"a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -152,6 +165,9 @@ main(int argc, char **argv) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'f':
 			if (toupper(isc_commandline_argument[0]) == 'K')
 				kskflag = DNS_KEYFLAG_KSK;
@@ -270,10 +286,11 @@ main(int argc, char **argv) {
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init(mctx, ectx,
-			   ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	ret = dst_lib_init2(mctx, ectx, engine,
+			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(ret));
 
 	setup_logging(verbose, mctx, &log);
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 6d2f70e6ee..b80e0b1cae 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -50,6 +50,7 @@
       
       
       
+      
       
       
       
@@ -102,12 +103,23 @@
         
       
 
+      
+        -E engine
+        
+          
+            Specifies the name of the crypto hardware (OpenSSL engine).
+            When compiled with PKCS#11 support it defaults to pcks11.
+          
+        
+      
+
       
         -l label
         
           
-            Specifies the label of keys in the crypto hardware
-            (PKCS#11 device).
+            Specifies the label of keys in the crypto hardware (OpenSSL
+            engine). An example for the pkcs11 engine is pkcs11:foo
+            (note the string pkcs11 is in both E and l options.)
           
         
       
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 0c5d497fce..d1a4efa345 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -115,6 +115,11 @@ usage(void) {
 	fprintf(stderr, "	 (DNSKEY generation defaults to ZONE)\n");
 	fprintf(stderr, "    -c : (default: IN)\n");
 	fprintf(stderr, "    -d  (0 => max, default)\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "    -E  (default \"pkcs11\")\n");
+#else
+	fprintf(stderr, "    -E \n");
+#endif
 	fprintf(stderr, "    -e: use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f : KSK | REVOKE\n");
 	fprintf(stderr, "    -g : use specified generator "
@@ -173,6 +178,11 @@ main(int argc, char **argv) {
 	isc_buffer_t	buf;
 	isc_log_t	*log = NULL;
 	isc_entropy_t	*ectx = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = "pkcs11";
+#else
+	const char	*engine = NULL;
+#endif
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
@@ -198,7 +208,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -247,6 +257,9 @@ main(int argc, char **argv) {
 			if (*endp != '\0' || dbits < 0)
 				fatal("-d requires a non-negative number");
 			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'e':
 			rsa_exp = 1;
 			break;
@@ -400,10 +413,11 @@ main(int argc, char **argv) {
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init(mctx, ectx,
-			   ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	ret = dst_lib_init2(mctx, ectx, engine,
+			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(ret));
 
 	setup_logging(verbose, mctx, &log);
 
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index c0d8ba2898..1daa979788 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -64,6 +64,7 @@
       
       
       
+      
       
       
       
@@ -206,6 +207,18 @@
         
       
 
+      
+        -E engine
+        
+          
+            Uses a crypto hardware (OpenSSL engine) for random number
+            and, when supported, key generation. When compiled with PKCS#11
+            support it defaults to pcks11, the empty name resets it to
+            no engine.
+          
+        
+      
+
       
         -e
         
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 7f2f6d301c..40168c4f80 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -54,6 +54,13 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "    -f:	   force overwrite\n");
 	fprintf(stderr, "    -K directory: use directory for key files\n");
 	fprintf(stderr, "    -h:	   help\n");
@@ -70,6 +77,11 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	char *filename = NULL, *dir = NULL;
 	char newname[1024], oldname[1024];
 	char keystr[KEY_FORMATSIZE];
@@ -93,8 +105,11 @@ main(int argc, char **argv) {
 
 	isc_commandline_errprint = ISC_FALSE;
 
-	while ((ch = isc_commandline_parse(argc, argv, "fK:rhv:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
 		switch (ch) {
+		    case 'E':
+			engine = isc_commandline_argument;
+			break;
 		    case 'f':
 			force = ISC_TRUE;
 			break;
@@ -150,10 +165,11 @@ main(int argc, char **argv) {
 	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
 	if (result != ISC_R_SUCCESS)
 		fatal("Could not initialize hash");
-	result = dst_lib_init(mctx, ectx,
-			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	result = dst_lib_init2(mctx, ectx, engine,
+			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst");
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	result = dst_key_fromnamedfile(filename, dir,
diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook
index 3143928559..e010fcbb9d 100644
--- a/bin/dnssec/dnssec-revoke.docbook
+++ b/bin/dnssec/dnssec-revoke.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 1, 2009
@@ -47,6 +47,7 @@
       
       
       
+      
       
       keyfile
     
@@ -102,6 +103,16 @@
         
       
 
+      
+        -E engine
+        
+          
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
+        
+      
+
       
         -f
         
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index ff323c337d..471403e398 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -57,6 +57,12 @@ usage(void) {
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "    -f:                 force update of old-style "
 						 "keys\n");
 	fprintf(stderr, "    -K directory:       set key file location\n");
@@ -112,6 +118,11 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	char *filename = NULL, *directory = NULL;
 	char newname[1024];
 	char keystr[KEY_FORMATSIZE];
@@ -150,8 +161,11 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "fK:uhp:v:P:A:R:I:D:")) != -1) {
+					   "EfK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'f':
 			forceupdate = ISC_TRUE;
 			break;
@@ -313,10 +327,11 @@ main(int argc, char **argv) {
 	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
 	if (result != ISC_R_SUCCESS)
 		fatal("Could not initialize hash");
-	result = dst_lib_init(mctx, ectx,
-			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	result = dst_lib_init2(mctx, ectx, engine,
+			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst");
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	result = dst_key_fromnamedfile(filename, directory,
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 43d7c732fe..54e49b76b6 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     July 15, 2009
@@ -53,6 +53,7 @@
       
       
       
+      
       keyfile
     
   
@@ -127,6 +128,16 @@
           
         
       
+
+      
+        -E engine
+        
+          
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
+        
+      
     
   
 
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 5532e1a34e..7de39d05e6 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -3324,6 +3324,13 @@ usage(void) {
 	fprintf(stderr, "\t-a:\t");
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-c class (IN)\n");
+	fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "\t-p:\t");
 	fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
 	fprintf(stderr, "\t-P:\t");
@@ -3398,6 +3405,11 @@ main(int argc, char *argv[]) {
 	isc_result_t result;
 	isc_log_t *log = NULL;
 	isc_boolean_t pseudorandom = ISC_FALSE;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	unsigned int eflags;
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen;
@@ -3412,7 +3424,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+	"3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3494,8 +3506,8 @@ main(int argc, char *argv[]) {
 				fatal("DS directory must be non-empty string");
 			break;
 
-		case 'K':
-			directory = isc_commandline_argument;
+		case 'E':
+			engine = isc_commandline_argument;
 			break;
 
 		case 'e':
@@ -3523,6 +3535,10 @@ main(int argc, char *argv[]) {
 			usage();
 			break;
 
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -3531,10 +3547,6 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;
 
-		case 'I':
-			inputformatstr = isc_commandline_argument;
-			break;
-
 		case 'j':
 			endp = NULL;
 			jitter = strtol(isc_commandline_argument, &endp, 0);
@@ -3542,6 +3554,10 @@ main(int argc, char *argv[]) {
 				fatal("jitter must be numeric and positive");
 			break;
 
+		case 'K':
+			directory = isc_commandline_argument;
+			break;
+
 		case 'k':
 			if (ndskeys == MAXDSKEYS)
 				fatal("too many key-signing keys specified");
@@ -3563,6 +3579,10 @@ main(int argc, char *argv[]) {
 		case 'm':
 			break;
 
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
 		case 'n':
 			endp = NULL;
 			ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -3570,39 +3590,35 @@ main(int argc, char *argv[]) {
 				fatal("number of cpus must be numeric");
 			break;
 
-		case 'N':
-			serialformatstr = isc_commandline_argument;
+		case 'O':
+			outputformatstr = isc_commandline_argument;
 			break;
 
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
 
-		case 'O':
-			outputformatstr = isc_commandline_argument;
+		case 'P':
+			disable_zone_check = ISC_TRUE;
 			break;
 
 		case 'p':
 			pseudorandom = ISC_TRUE;
 			break;
 
-		case 'P':
-			disable_zone_check = ISC_TRUE;
-			break;
-
 		case 'r':
 			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 
-		case 's':
-			startstr = isc_commandline_argument;
-			break;
-
 		case 'S':
 			smartsign = ISC_TRUE;
 			generateds = ISC_TRUE;
 			break;
 
+		case 's':
+			startstr = isc_commandline_argument;
+			break;
+
 		case 'T':
 			endp = NULL;
 			set_keyttl = ISC_TRUE;
@@ -3659,9 +3675,10 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("could not create hash context");
 
-	result = dst_lib_init(mctx, ectx, eflags);
+	result = dst_lib_init2(mctx, ectx, engine, eflags);
 	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
 
 	isc_stdtime_get(&now);
 
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 9a3dc364ae..aa3d506220 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -60,6 +60,7 @@
       
       
       
+      
       
       
       
@@ -149,6 +150,18 @@
         
       
 
+      
+        -E engine
+        
+          
+            Uses a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
+        
+      
+
       
         -g
         
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index a5cbc1e4d6..8898a24797 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.107 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -45,7 +45,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
 
-CDEFINES =      -DBIND9 @USE_DLZ@
+CDEFINES =      -DBIND9 @USE_DLZ@ @USE_PKCS11@
 
 CWARNINGS =
 
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 3e81642272..26297c8744 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.85 2009/07/14 23:47:53 tbox Exp $ */
+/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -139,6 +139,12 @@ EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
 
 EXTERN const char *		ns_g_username		INIT(NULL);
 
+#ifdef USE_PKCS11
+EXTERN const char *		ns_g_engine		INIT("pkcs11");
+#else
+EXTERN const char *		ns_g_engine		INIT(NULL);
+#endif
+
 EXTERN int			ns_g_listen		INIT(3);
 EXTERN isc_time_t		ns_g_boottime;
 EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
diff --git a/bin/named/main.c b/bin/named/main.c
index c6a640dd95..15b39268d0 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -298,8 +298,9 @@ usage(void) {
 	}
 	fprintf(stderr,
 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
-		"[-f|-g] [-n number_of_cpus]\n"
-		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
+		"[-E engine] [-f|-g]\n"
+		"             [-n number_of_cpus] [-p port] [-s] "
+		"[-t chrootdir] [-u username]\n"
 		"             [-m {usage|trace|record|size|mctx}]\n");
 }
 
@@ -408,7 +409,7 @@ parse_command_line(int argc, char *argv[]) {
 
 	isc_commandline_errprint = ISC_FALSE;
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:fFgi:lm:n:N:p:P:"
+					   "46c:C:d:E:fFgi:lm:n:N:p:P:"
 					   "sS:t:T:u:vVx:")) != -1) {
 		switch (ch) {
 		case '4':
@@ -444,6 +445,9 @@ parse_command_line(int argc, char *argv[]) {
 			ns_g_debuglevel = parse_int(isc_commandline_argument,
 						    "debug level");
 			break;
+		case 'E':
+			ns_g_engine = isc_commandline_argument;
+			break;
 		case 'f':
 			ns_g_foreground = ISC_TRUE;
 			break;
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 1bbef3e709..c748911e24 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     May 21, 2009
@@ -60,6 +60,7 @@
       
       
       
+      
       
       
       
@@ -116,6 +117,7 @@
           
         
       
+
       
         -c config-file
         
@@ -144,6 +146,19 @@
         
       
 
+      
+        -E engine-name
+        
+          
+            Use a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance re-signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            engine-name
+            defaults to pkcs11, the empty name resets it to no engine.
+          
+        
+      
+
       
         -f
         
diff --git a/bin/named/server.c b/bin/named/server.c
index 4f81a99361..87870f99ff 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -4650,7 +4650,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 		   ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "allocating reload event");
 
-	CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
+	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+				 ns_g_engine, ISC_ENTROPY_GOODONLY),
 		   "initializing DST");
 
 	server->tkeyctx = NULL;
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index eef55f1e27..d1acc2b35a 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $
+# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -34,7 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
 		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =	-DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+CDEFINES =	-DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ \
 		${USE_ISC_SPNEGO}
 
 CWARNINGS =
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index cdf8a7c09c..9c4427dfe4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $
+ * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
  */
 
 /*! \file */
@@ -146,6 +146,12 @@ default_memfree(void *arg, void *ptr) {
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+	return (dst_lib_init2(mctx, ectx, NULL, eflags));
+}
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags) {
 	isc_result_t result;
 
 	REQUIRE(mctx != NULL);
@@ -173,7 +179,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_mem_setname(dst__memory_pool, "dst", NULL);
+#ifndef OPENSSL_LEAKS
 	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
+#endif
 #else
 	isc_mem_attach(mctx, &dst__memory_pool);
 #endif
@@ -192,7 +200,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 #ifdef OPENSSL
-	RETERR(dst__openssl_init());
+	RETERR(dst__openssl_init(engine));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
@@ -209,6 +217,8 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	return (ISC_R_SUCCESS);
 
  out:
+	/* avoid immediate crash! */
+	dst_initialized = ISC_TRUE;
 	dst_lib_destroy();
 	return (result);
 }
@@ -1520,6 +1530,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 	unsigned int flags = dst_entropy_flags;
 	if (pseudo)
 		flags &= ~ISC_ENTROPY_GOODONLY;
+	else
+		flags |= ISC_ENTROPY_BLOCKING;
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
 #else
 	UNUSED(buf);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 69ea338310..7d2935c8bc 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -187,7 +187,7 @@ struct dst_func {
 /*%
  * Initializers
  */
-isc_result_t dst__openssl_init(void);
+isc_result_t dst__openssl_init(const char *engine);
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 80eef93496..cb19044a26 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1
@@ -29,10 +29,7 @@ isc_result_t
 dst__openssl_toresult(isc_result_t fallback);
 
 ENGINE *
-dst__openssl_getengine(const char *name);
-
-isc_result_t
-dst__openssl_setdefault(const char *name);
+dst__openssl_getengine(const char *engine);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 4cdb4c0057..dab99f0009 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */
+/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -94,6 +94,10 @@ typedef struct dst_context 	dst_context_t;
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags);
 /*%<
  * Initializes the DST subsystem.
  *
@@ -104,6 +108,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
  * Returns:
  * \li	ISC_R_SUCCESS
  * \li	ISC_R_NOMEMORY
+ * \li	DST_R_NOENGINE
  *
  * Ensures:
  * \li	DST is properly initialized.
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index cb223ae58a..04999b0b5c 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
+ * $Id: openssl_link.c,v 1.27 2009/10/05 17:30:49 fdupont Exp $
  */
 #ifdef OPENSSL
 
@@ -45,6 +45,8 @@
 #include 
 #include 
 
+#include 
+
 #include "dst_internal.h"
 #include "dst_openssl.h"
 
@@ -60,12 +62,6 @@
 
 #ifdef USE_ENGINE
 #include 
-
-#ifdef ENGINE_ID
-const char *engine_id = ENGINE_ID;
-#else
-const char *engine_id;
-#endif
 #endif
 
 static RAND_METHOD *rm = NULL;
@@ -74,15 +70,7 @@ static isc_mutex_t *locks = NULL;
 static int nlocks;
 
 #ifdef USE_ENGINE
-static ENGINE *e;
-static ENGINE *he;
-#endif
-
-#ifdef USE_PKCS11
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
-			 const char **pre_cmds, int pre_num,
-			 const char **post_cmds, int post_num);
+static ENGINE *e = NULL;
 #endif
 
 static int
@@ -135,8 +123,16 @@ id_callback(void) {
 
 static void *
 mem_alloc(size_t size) {
+#ifdef OPENSSL_LEAKS
+	void *ptr;
+
+	INSIST(dst__memory_pool != NULL);
+	ptr = isc_mem_allocate(dst__memory_pool, size);
+	return (ptr);
+#else
 	INSIST(dst__memory_pool != NULL);
 	return (isc_mem_allocate(dst__memory_pool, size));
+#endif
 }
 
 static void
@@ -148,16 +144,26 @@ mem_free(void *ptr) {
 
 static void *
 mem_realloc(void *ptr, size_t size) {
+#ifdef OPENSSL_LEAKS
+	void *rptr;
+
+	INSIST(dst__memory_pool != NULL);
+	rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
+	return (rptr);
+#else
 	INSIST(dst__memory_pool != NULL);
 	return (isc_mem_reallocate(dst__memory_pool, ptr, size));
+#endif
 }
 
 isc_result_t
-dst__openssl_init() {
+dst__openssl_init(const char *engine) {
 	isc_result_t result;
 #ifdef USE_ENGINE
-	/* const char  *name; */
 	ENGINE *re;
+#else
+
+	UNUSED(engine);
 #endif
 
 #ifdef  DNS_CRYPTO_LEAKS
@@ -187,73 +193,26 @@ dst__openssl_init() {
 	rm->add = entropy_add;
 	rm->pseudorand = entropy_getpseudo;
 	rm->status = entropy_status;
+
 #ifdef USE_ENGINE
 	OPENSSL_config(NULL);
-#ifdef USE_PKCS11
-#ifndef PKCS11_SO_PATH
-#define PKCS11_SO_PATH		"/usr/local/lib/engines/engine_pkcs11.so"
-#endif
-#ifndef PKCS11_MODULE_PATH
-#define PKCS11_MODULE_PATH	"/usr/lib/libpkcs11.so"
-#endif
-	{
-		/*
-		 * to use this to config the PIN, add in openssl.cnf:
-		 *  - at the beginning: "openssl_conf = openssl_def"
-		 *  - at any place these sections:
-		 * [ openssl_def ]
-		 * engines = engine_section
-		 * [ engine_section ]
-		 * pkcs11 = pkcs11_section
-		 * [ pkcs11_section ]
-		 * PIN = my___pin
-		 */
 
-		const char *pre_cmds[] = {
-			"SO_PATH", PKCS11_SO_PATH,
-			"LOAD", NULL,
-			"MODULE_PATH", PKCS11_MODULE_PATH
-		};
-		const char *post_cmds[] = {
-			/* "PIN", "my___pin" */
-		};
-		result = dst__openssl_load_engine("pkcs11", "pkcs11",
-						  pre_cmds, 0,
-						  post_cmds, /*1*/ 0);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_rm;
-	}
-#else /* USE_PKCS11 */
-	if (engine_id != NULL) {
-		e = ENGINE_by_id(engine_id);
+	if (engine != NULL && *engine == '\0')
+		engine = NULL;
+
+	if (engine != NULL) {
+		e = ENGINE_by_id(engine);
 		if (e == NULL) {
-			result = ISC_R_NOTFOUND;
+			result = DST_R_NOENGINE;
 			goto cleanup_rm;
 		}
-		if (!ENGINE_init(e)) {
-			result = ISC_R_FAILURE;
-			ENGINE_free(e);
+		/* This will init the engine. */
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+			result = DST_R_NOENGINE;
 			goto cleanup_rm;
 		}
-		ENGINE_set_default(e, ENGINE_METHOD_ALL);
-		ENGINE_free(e);
-		if (he == NULL)
-			he = e;
-	} else {
-		ENGINE_register_all_complete();
-		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-
-			/*
-			 * Something weird here. If we call ENGINE_finish()
-			 * ENGINE_get_default_RAND() will fail.
-			 */
-			if (ENGINE_init(e)) {
-				if (he == NULL)
-					he = e;
-			}
-		}
 	}
-#endif /* USE_PKCS11 */
+
 	re = ENGINE_get_default_RAND();
 	if (re == NULL) {
 		re = ENGINE_new();
@@ -266,7 +225,6 @@ dst__openssl_init() {
 		ENGINE_free(re);
 	} else
 		ENGINE_finish(re);
-
 #else
 	RAND_set_rand_method(rm);
 #endif /* USE_ENGINE */
@@ -274,13 +232,18 @@ dst__openssl_init() {
 
 #ifdef USE_ENGINE
  cleanup_rm:
+	if (e != NULL)
+		ENGINE_free(e);
+	e = NULL;
 	mem_free(rm);
+	rm = NULL;
 #endif
  cleanup_mutexinit:
 	CRYPTO_set_locking_callback(NULL);
 	DESTROYMUTEXBLOCK(locks, nlocks);
  cleanup_mutexalloc:
 	mem_free(locks);
+	locks = NULL;
 	return (result);
 }
 
@@ -290,16 +253,22 @@ dst__openssl_destroy() {
 	/*
 	 * Sequence taken from apps_shutdown() in .
 	 */
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-	CONF_modules_unload(1);
+	if (rm != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		RAND_cleanup();
 #endif
+		mem_free(rm);
+		rm = NULL;
+	}
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CONF_modules_free();
+#endif
+	OBJ_cleanup();
 	EVP_cleanup();
 #if defined(USE_ENGINE)
-	if (he != NULL)
-		ENGINE_finish(he);
-	else if (e != NULL)
-		ENGINE_finish(e);
-	he = e = NULL;
+	if (e != NULL)
+		ENGINE_free(e);
+	e = NULL;
 #if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 	ENGINE_cleanup();
 #endif
@@ -308,23 +277,18 @@ dst__openssl_destroy() {
 	CRYPTO_cleanup_all_ex_data();
 #endif
 	ERR_clear_error();
-	ERR_free_strings();
 	ERR_remove_state(0);
+	ERR_free_strings();
 
 #ifdef  DNS_CRYPTO_LEAKS
 	CRYPTO_mem_leaks_fp(stderr);
 #endif
 
-	if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-		RAND_cleanup();
-#endif
-		mem_free(rm);
-	}
 	if (locks != NULL) {
 		CRYPTO_set_locking_callback(NULL);
 		DESTROYMUTEXBLOCK(locks, nlocks);
 		mem_free(locks);
+		locks = NULL;
 	}
 }
 
@@ -345,90 +309,18 @@ dst__openssl_toresult(isc_result_t fallback) {
 }
 
 ENGINE *
-dst__openssl_getengine(const char *name) {
-
-	UNUSED(name);
+dst__openssl_getengine(const char *engine) {
 
+	if (engine == NULL)
+		return (NULL);
 #if defined(USE_ENGINE)
-	return (he);
-#else
-	return (NULL);
-#endif
-}
-
-isc_result_t
-dst__openssl_setdefault(const char *name) {
-
-	UNUSED(name);
-
-#if defined(USE_ENGINE)
-	ENGINE_set_default(e, ENGINE_METHOD_ALL);
-#endif
-	/*
-	 * XXXMPA If the engine does not have a default RAND method
-	 * restore our method.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef USE_PKCS11
-/*
- * 'name' is the name the engine is known by to the dst library.
- * This may or may not match the name the engine is known by to
- * openssl.  It is the name that is stored in the private key file.
- *
- * 'engine_id' is the openssl engine name.
- *
- * pre_cmds and post_cmds a sequence if command argument pairs
- * pre_num and post_num are a count of those pairs.
- *
- * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
- * "LOAD", NULL
- * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
- */
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
-			 const char **pre_cmds, int pre_num,
-			 const char **post_cmds, int post_num)
-{
-	ENGINE *e;
-
-	UNUSED(name);
-
-	if (!strcasecmp(engine_id, "dynamic"))
-		ENGINE_load_dynamic();
-	e = ENGINE_by_id(engine_id);
 	if (e == NULL)
-		return (ISC_R_NOTFOUND);
-	while (pre_num--) {
-		if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
-			ENGINE_free(e);
-			return (ISC_R_FAILURE);
-		}
-		pre_cmds += 2;
-	}
-	if (!ENGINE_init(e)) {
-		ENGINE_free(e);
-		return (ISC_R_FAILURE);
-	}
-	/*
-	 * ENGINE_init() returned a functional reference, so free the
-	 * structural reference from ENGINE_by_id().
-	 */
-	ENGINE_free(e);
-	while (post_num--) {
-		if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
-			ENGINE_free(e);
-			return (ISC_R_FAILURE);
-		}
-		post_cmds += 2;
-	}
-	if (he != NULL)
-		ENGINE_finish(he);
-	he = e;
-	return (ISC_R_SUCCESS);
+		return (NULL);
+	if (strcmp(engine, ENGINE_get_id(e)) == 0)
+		return (e);
+#endif
+	return (NULL);
 }
-#endif /* USE_PKCS11 */
 
 #else /* OPENSSL */
 
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 13f6b944be..e81b4b9ab4 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -968,6 +968,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 
 	UNUSED(pin);
 
+	if (engine == NULL)
+		DST_RET(DST_R_NOENGINE);
 	e = dst__openssl_getengine(engine);
 	if (e == NULL)
 		DST_RET(DST_R_NOENGINE);
diff --git a/lib/isc/task.c b/lib/isc/task.c
index ddd4a53478..f70ea490fc 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: task.c,v 1.111 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -40,6 +40,10 @@
 #include 
 #include 
 
+#ifdef OPENSSL_LEAKS
+#include 
+#endif
+
 /*%
  * For BIND9 internal applications:
  * when built with threads we use multiple worker threads shared by the whole
@@ -1156,6 +1160,10 @@ run(void *uap) {
 	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				    ISC_MSG_EXITING, "exiting"));
 
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
 	return ((isc_threadresult_t)0);
 }
 #endif /* USE_WORKER_THREADS */
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index f9c4bf8653..891eb69aac 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */
+/* $Id: timer.c,v 1.95 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -34,6 +34,10 @@
 #include 
 #include 
 
+#ifdef OPENSSL_LEAKS
+#include 
+#endif
+
 /* See task.c about the following definition: */
 #ifdef BIND9
 #ifdef ISC_PLATFORM_USETHREADS
@@ -828,6 +832,10 @@ run(void *uap) {
 	}
 	UNLOCK(&manager->lock);
 
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
 	return ((isc_threadresult_t)0);
 }
 #endif /* USE_TIMER_THREAD */

From 3c52c4e44c52491c6ff883f7407f7cc8359f2f99 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Mon, 5 Oct 2009 17:39:36 +0000
Subject: [PATCH 256/385] 20230 update

---
 lib/dns/win32/libdns.def | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index a979447e62..23d4f56285 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -889,6 +889,7 @@ dst_key_tofile
 dst_key_unsettime
 dst_lib_destroy
 dst_lib_init
+dst_lib_init2
 dst_lib_initmsgcat
 dst_region_computeid
 dst_result_register

From 3ff75c89eb7b8c4f8c7dd375beec2981d147c791 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 19:39:20 +0000
Subject: [PATCH 257/385] 2704.	[bug]		Serial of dynamic and stub
 zones could be inconsistent 			with their SOA serial.  [RT
 #19387]

---
 CHANGES                    |   3 ++
 bin/named/statschannel.c   |  10 ++--
 lib/dns/include/dns/zone.h |  15 +++++-
 lib/dns/win32/libdns.def   |   1 +
 lib/dns/zone.c             | 102 ++++++++++++++++++++++++-------------
 5 files changed, 91 insertions(+), 40 deletions(-)

diff --git a/CHANGES b/CHANGES
index 72125d4eb7..5082e2b1e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
+			with their SOA serial.  [RT #19387]
+
 2703.	[func]		Introduce an OpenSSL "engine" argument with -E
 			for all binaries which can take benefit of
 			crypto hardware. [RT #20230]
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 0540e4e84f..1547c41613 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: statschannel.c,v 1.22 2009/02/17 03:40:28 marka Exp $ */
+/* $Id: statschannel.c,v 1.23 2009/10/05 19:39:20 each Exp $ */
 
 /*! \file */
 
@@ -678,9 +678,11 @@ zone_xmlrender(dns_zone_t *zone, void *arg) {
 	xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
 	xmlTextWriterEndElement(writer);
 
-	serial = dns_zone_getserial(zone);
 	xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial");
-	xmlTextWriterWriteFormatString(writer, "%u", serial);
+	if (dns_zone_getserial2(zone, &serial) == ISC_R_SUCCESS)
+		xmlTextWriterWriteFormatString(writer, "%u", serial);
+	else
+		xmlTextWriterWriteString(writer, ISC_XMLCHAR "-");
 	xmlTextWriterEndElement(writer);
 
 	zonestats = dns_zone_getrequeststats(zone);
@@ -729,7 +731,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "2.1"));
+					 ISC_XMLCHAR "2.2"));
 
 	/* Set common fields for statistics dump */
 	dumparg.type = statsformat_xml;
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 5b781d5e33..9be1aabb0f 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.166 2009/07/02 07:39:03 marka Exp $ */
+/* $Id: zone.h,v 1.167 2009/10/05 19:39:20 each Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -150,13 +150,24 @@ dns_zone_getclass(dns_zone_t *zone);
  *\li	'zone' to be a valid zone.
  */
 
+isc_result_t
+dns_zone_getserial2(dns_zone_t *zone, isc_uint32_t *serialp);
+
 isc_uint32_t
 dns_zone_getserial(dns_zone_t *zone);
 /*%<
- *	Returns the current serial number of the zone.
+ *	Returns the current serial number of the zone.  On success, the SOA
+ *	serial of the zone will be copied into '*serialp'.
+ *	dns_zone_getserial() cannot catch failure cases and is deprecated by
+ *	dns_zone_getserial2().
  *
  * Requires:
  *\li	'zone' to be a valid zone.
+ *\li	'serialp' to be non NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NOTLOADED	zone DB is not loaded
  */
 
 void
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 23d4f56285..723a15a32f 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -731,6 +731,7 @@ dns_zone_getprivatetype
 dns_zone_getqueryacl
 dns_zone_getrequeststats
 dns_zone_getserial
+dns_zone_getserial2
 dns_zone_getsigresigninginterval
 dns_zone_getsigvalidityinterval
 dns_zone_getssutable
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3f5fbdd217..c4580e32b4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.507 2009/09/22 08:38:14 fdupont Exp $ */
+/* $Id: zone.c,v 1.508 2009/10/05 19:39:20 each Exp $ */
 
 /*! \file */
 
@@ -207,7 +207,6 @@ struct dns_zone {
 	isc_time_t		nsec3chaintime;
 	isc_time_t		refreshkeytime;		/* Used by key zones */
 	isc_uint32_t		refreshkeycount;
-	isc_uint32_t		serial;
 	isc_uint32_t		refresh;
 	isc_uint32_t		retry;
 	isc_uint32_t		expire;
@@ -748,7 +747,6 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	isc_time_settoepoch(&zone->nsec3chaintime);
 	isc_time_settoepoch(&zone->refreshkeytime);
 	zone->refreshkeycount = 0;
-	zone->serial = 0;
 	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
 	zone->retry = DNS_ZONE_DEFAULTRETRY;
 	zone->expire = 0;
@@ -997,16 +995,35 @@ dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
 	UNLOCK_ZONE(zone);
 }
 
-isc_uint32_t
-dns_zone_getserial(dns_zone_t *zone) {
-	isc_uint32_t serial;
+isc_result_t
+dns_zone_getserial2(dns_zone_t *zone, isc_uint32_t *serialp) {
+	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(serialp != NULL);
 
 	LOCK_ZONE(zone);
-	serial = zone->serial;
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		result = zone_get_from_db(zone, zone->db, NULL, NULL, serialp,
+					  NULL, NULL, NULL, NULL, NULL);
+	} else
+		result = DNS_R_NOTLOADED;
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
 	UNLOCK_ZONE(zone);
 
+	return (result);
+}
+
+isc_uint32_t
+dns_zone_getserial(dns_zone_t *zone) {
+	isc_result_t result;
+	isc_uint32_t serial;
+
+	result = dns_zone_getserial2(zone, &serial);
+	if (result != ISC_R_SUCCESS)
+		serial = 0; /* XXX: not really correct, but no other choice */
+
 	return (serial);
 }
 
@@ -3086,7 +3103,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	unsigned int soacount = 0;
 	unsigned int nscount = 0;
 	unsigned int errors = 0;
-	isc_uint32_t serial, refresh, retry, expire, minimum;
+	isc_uint32_t serial, oldserial, refresh, retry, expire, minimum;
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
 	isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
@@ -3238,14 +3255,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 			 * This is checked in zone_replacedb() for slave zones
 			 * as they don't reload from disk.
 			 */
+			result = zone_get_from_db(zone, zone->db, NULL, NULL,
+						  &oldserial, NULL, NULL, NULL,
+						  NULL, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
-			    !isc_serial_gt(serial, zone->serial)) {
+			    !isc_serial_gt(serial, oldserial)) {
 				isc_uint32_t serialmin, serialmax;
 
 				INSIST(zone->type == dns_zone_master);
 
-				serialmin = (zone->serial + 1) & 0xffffffffU;
-				serialmax = (zone->serial + 0x7fffffffU) &
+				serialmin = (oldserial + 1) & 0xffffffffU;
+				serialmax = (oldserial + 0x7fffffffU) &
 					     0xffffffffU;
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "ixfr-from-differences: "
@@ -3254,11 +3275,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     serialmax);
 				result = DNS_R_BADZONE;
 				goto cleanup;
-			} else if (!isc_serial_ge(serial, zone->serial))
+ 			} else if (!isc_serial_ge(serial, oldserial))
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "zone serial (%u/%u) has gone "
-					     "backwards", serial, zone->serial);
-			else if (serial == zone->serial && !hasinclude)
+					     "backwards", serial, oldserial);
+ 			else if (serial == oldserial && !hasinclude)
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "zone serial (%u) unchanged. "
 					     "zone may fail to transfer "
@@ -3275,7 +3296,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 				     "3 * refresh.");
 		}
 
-		zone->serial = serial;
 		zone->refresh = RANGE(refresh,
 				      zone->minrefresh, zone->maxrefresh);
 		zone->retry = RANGE(retry,
@@ -3311,7 +3331,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		break;
 
 	case dns_zone_key:
-		zone->serial = serial;
 		result = sync_keyzone(zone, db);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
@@ -3374,9 +3393,8 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	}
 
 	if (! dns_db_ispersistent(db))
-		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s",
-			     zone->serial,
-			     dns_db_issecure(db) ? " (signed)" : "");
+		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial,
+			     dns_db_issecure(db) ? " (DNSSEC signed)" : "");
 
 	return (result);
 
@@ -8766,7 +8784,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_soa_t soa;
 	isc_result_t result;
-	isc_uint32_t serial;
+	isc_uint32_t serial, oldserial;
 	unsigned int j;
 
 	zone = revent->ev_arg;
@@ -8989,12 +9007,17 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	serial = soa.serial;
-
-	zone_debuglog(zone, me, 1, "serial: new %u, old %u",
-		      serial, zone->serial);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		result = dns_zone_getserial2(zone, &oldserial);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		zone_debuglog(zone, me, 1, "serial: new %u, old %u",
+			      serial, oldserial);
+	} else
+		zone_debuglog(zone, me, 1, "serial: new %u, old not loaded",
+			      serial);
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
 	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
-	    isc_serial_gt(serial, zone->serial)) {
+	    isc_serial_gt(serial, oldserial)) {
 		if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
 					    &zone->sourceaddr, &now)) {
 			dns_zone_log(zone, ISC_LOG_INFO,
@@ -9018,7 +9041,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 		}
 		if (msg != NULL)
 			dns_message_destroy(&msg);
-	} else if (isc_serial_eq(soa.serial, zone->serial)) {
+	} else if (isc_serial_eq(soa.serial, oldserial)) {
 		if (zone->masterfile != NULL) {
 			result = ISC_R_FAILURE;
 			if (zone->journal != NULL)
@@ -9051,7 +9074,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
 			dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
 				     "received from master %s < ours (%u)",
-				     soa.serial, master, zone->serial);
+				     soa.serial, master, oldserial);
 		else
 			zone_debuglog(zone, me, 1, "ahead");
 		zone->mastersok[zone->curmaster] = ISC_TRUE;
@@ -10186,13 +10209,21 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		if (result == ISC_R_SUCCESS)
 			result = dns_rdataset_first(rdataset);
 		if (result == ISC_R_SUCCESS) {
-			isc_uint32_t serial = 0;
+			isc_uint32_t serial = 0, oldserial;
 
 			dns_rdataset_current(rdataset, &rdata);
 			result = dns_rdata_tostruct(&rdata, &soa, NULL);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			serial = soa.serial;
-			if (isc_serial_le(serial, zone->serial)) {
+			/*
+			 * The following should safely be performed without DB
+			 * lock and succeed in this context.
+			 */
+			result = zone_get_from_db(zone, zone->db, NULL, NULL,
+						  &oldserial, NULL, NULL, NULL,
+						  NULL, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (isc_serial_le(serial, oldserial)) {
 			  dns_zone_log(zone, ISC_LOG_INFO,
 					     "notify from %s: "
 					     "zone is up to date",
@@ -10870,7 +10901,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	if (zone->db != NULL && zone->journal != NULL &&
 	    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
 	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
-		isc_uint32_t serial;
+		isc_uint32_t serial, oldserial;
 
 		dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
 
@@ -10885,11 +10916,15 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 		/*
 		 * This is checked in zone_postload() for master zones.
 		 */
+		result = zone_get_from_db(zone, zone->db, NULL, NULL,
+					  &oldserial, NULL, NULL, NULL, NULL,
+					  NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (zone->type == dns_zone_slave &&
-		    !isc_serial_gt(serial, zone->serial)) {
+		    !isc_serial_gt(serial, oldserial)) {
 			isc_uint32_t serialmin, serialmax;
-			serialmin = (zone->serial + 1) & 0xffffffffU;
-			serialmax = (zone->serial + 0x7fffffffU) & 0xffffffffU;
+			serialmin = (oldserial + 1) & 0xffffffffU;
+			serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "ixfr-from-differences: failed: "
 				     "new serial (%u) out of range [%u - %u]",
@@ -11082,7 +11117,6 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 				zone_unload(zone);
 				goto next_master;
 			}
-			zone->serial = serial;
 			zone->refresh = RANGE(refresh, zone->minrefresh,
 					      zone->maxrefresh);
 			zone->retry = RANGE(retry, zone->minretry,
@@ -11120,7 +11154,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 				buf[0] = '\0';
 			dns_zone_log(zone, ISC_LOG_INFO,
 				     "transferred serial %u%s",
-				     zone->serial, buf);
+				     serial, buf);
 		}
 
 		/*

From ff71474ede45c496b303af7be7cd0e2f3403bda6 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 21:56:19 +0000
Subject: [PATCH 258/385] add placeholder

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 5082e2b1e6..a931a5b9a0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2705.	[placeholder]
+
 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
 			with their SOA serial.  [RT #19387]
 

From ea845a6b721dd29307bbc6b991294e0da5d7a2cd Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 22:01:26 +0000
Subject: [PATCH 259/385] Rebase all of the API files to interface=60, as this
 is the first beta of a new major release.

---
 lib/bind9/api  | 4 ++--
 lib/dns/api    | 4 ++--
 lib/irs/api    | 4 ++--
 lib/isc/api    | 4 ++--
 lib/isccc/api  | 2 +-
 lib/isccfg/api | 2 +-
 lib/lwres/api  | 2 +-
 7 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/bind9/api b/lib/bind9/api
index 2240cdda3a..3252b3bfa0 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
-LIBREVISION = 1
+LIBINTERFACE = 60
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/dns/api b/lib/dns/api
index fbbf923b53..3252b3bfa0 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
-LIBREVISION = 3
+LIBINTERFACE = 60
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/irs/api b/lib/irs/api
index 2240cdda3a..3252b3bfa0 100644
--- a/lib/irs/api
+++ b/lib/irs/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
-LIBREVISION = 1
+LIBINTERFACE = 60
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index 2240cdda3a..3252b3bfa0 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
-LIBREVISION = 1
+LIBINTERFACE = 60
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccc/api b/lib/isccc/api
index 8459d4239f..3252b3bfa0 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
+LIBINTERFACE = 60
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 8459d4239f..3252b3bfa0 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
+LIBINTERFACE = 60
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/lwres/api b/lib/lwres/api
index 8459d4239f..3252b3bfa0 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 50
+LIBINTERFACE = 60
 LIBREVISION = 0
 LIBAGE = 0

From a88f8c2dd19a6483ccaacaaf57b2ceac44737483 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 22:02:44 +0000
Subject: [PATCH 260/385] update README for 9.7.0b1 release

---
 README | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/README b/README
index 048d5abab3..21ce41ce27 100644
--- a/README
+++ b/README
@@ -47,12 +47,9 @@ BIND 9.7.0
 	BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
 	releases.  Most are intended to simplify DNSSEC configuration.
 
-	Please note that configuration syntax and APIs for new features
-	are still experimental and are subject to change before the final
-	release.
-
 	New features include:
 
+	- Fully automatic signing of zones by "named"
 	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
 	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
 	  command line tool or the "local" update-policy option.  (As a side
@@ -73,13 +70,8 @@ BIND 9.7.0
           a stack backtrace on assertion failure, to aid in debugging.
         - A "tools only" installation mode on Windows, which only installs
           dig, host, nslookup and nsupdate.
-        - Improved PKCS#11 support, including Keyper support (see
-          README.pkcs11 for additional details).
-
-	Planned but not complete in this alpha:
-
-	- Fully automatic signing of zones by "named"
-        - Additional PKCS#11 support, including multiple OpenSSL engines
+        - Improved PKCS#11 support, including Keyper support and explicit
+          OpenSSL engine selection (see README.pkcs11 for additional details).
 
 BIND 9.6.0
 

From fa78dfd2473442dfd57e8fea22875a47d3f2c72c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tatuya=20JINMEI=20=E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89?=
 
Date: Mon, 5 Oct 2009 22:39:09 +0000
Subject: [PATCH 261/385] removed duplicate copyright notice [RT #20356]

---
 util/mksymtbl.pl | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)

diff --git a/util/mksymtbl.pl b/util/mksymtbl.pl
index 8ebc795c04..5a432ab0ea 100755
--- a/util/mksymtbl.pl
+++ b/util/mksymtbl.pl
@@ -14,27 +14,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: mksymtbl.pl,v 1.3 2009/09/02 23:48:03 tbox Exp $
+# $Id: mksymtbl.pl,v 1.4 2009/10/05 22:39:09 jinmei Exp $
 
 use strict;
 use diagnostics;
 $^W = 1;
 
-my $rev = '$Id: mksymtbl.pl,v 1.3 2009/09/02 23:48:03 tbox Exp $';
+my $rev = '$Id: mksymtbl.pl,v 1.4 2009/10/05 22:39:09 jinmei Exp $';
 $rev =~ s/\$//g;
 $rev =~ s/,v//g;
 $rev =~ s/Id: //;

From b10528a3a54bebf07cd9e46b2de806f2de3eac12 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 5 Oct 2009 22:48:07 +0000
Subject: [PATCH 262/385] version -> 9.7.0b1

---
 version | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/version b/version
index 05fab79b9e..1f74f775b8 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.47 2009/09/02 06:41:31 each Exp $
+# $Id: version,v 1.48 2009/10/05 22:48:07 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=7
 PATCHVER=0
-RELEASETYPE=a
-RELEASEVER=3
+RELEASETYPE=b
+RELEASEVER=1

From 464f9144fe4069596758c59aaa27b65e716c3740 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 5 Oct 2009 23:48:27 +0000
Subject: [PATCH 263/385] update copyright notice

---
 lib/dns/zone.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c4580e32b4..402f866790 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.508 2009/10/05 19:39:20 each Exp $ */
+/* $Id: zone.c,v 1.509 2009/10/05 23:48:27 tbox Exp $ */
 
 /*! \file */
 
@@ -3275,11 +3275,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     serialmax);
 				result = DNS_R_BADZONE;
 				goto cleanup;
- 			} else if (!isc_serial_ge(serial, oldserial))
+			} else if (!isc_serial_ge(serial, oldserial))
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "zone serial (%u/%u) has gone "
 					     "backwards", serial, oldserial);
- 			else if (serial == oldserial && !hasinclude)
+			else if (serial == oldserial && !hasinclude)
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "zone serial (%u) unchanged. "
 					     "zone may fail to transfer "

From 8ec3c085233cedb22b05da36e2773c8f357a7e45 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 6 Oct 2009 01:14:42 +0000
Subject: [PATCH 264/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     |  11 +-
 bin/dnssec/dnssec-keyfromlabel.html  |  26 ++--
 bin/dnssec/dnssec-keygen.8           |   9 +-
 bin/dnssec/dnssec-keygen.html        |  25 ++--
 bin/dnssec/dnssec-revoke.8           |   9 +-
 bin/dnssec/dnssec-revoke.html        |  17 ++-
 bin/dnssec/dnssec-settime.8          |   9 +-
 bin/dnssec/dnssec-settime.html       |  21 ++--
 bin/dnssec/dnssec-signzone.8         |   9 +-
 bin/dnssec/dnssec-signzone.html      |  21 ++--
 bin/named/named.8                    |  11 +-
 bin/named/named.html                 |  26 ++--
 doc/arm/Bv9ARM.ch04.html             |  67 +++++-----
 doc/arm/Bv9ARM.ch05.html             |   6 +-
 doc/arm/Bv9ARM.ch06.html             | 160 ++++++++++++------------
 doc/arm/Bv9ARM.ch07.html             |  14 +--
 doc/arm/Bv9ARM.ch08.html             |  18 +--
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  98 +++++++--------
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +--
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  26 ++--
 doc/arm/man.dnssec-keygen.html       |  25 ++--
 doc/arm/man.dnssec-revoke.html       |  17 ++-
 doc/arm/man.dnssec-settime.html      |  21 ++--
 doc/arm/man.dnssec-signzone.html     |  21 ++--
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  26 ++--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 35 files changed, 554 insertions(+), 449 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 21a73f270c..f964242238 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.11 2009/09/15 01:14:41 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.12 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
@@ -54,9 +54,14 @@ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA
 Note 2: DH automatically sets the \-k flag.
 .RE
 .PP
+\-E \fIengine\fR
+.RS 4
+Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to pcks11.
+.RE
+.PP
 \-l \fIlabel\fR
 .RS 4
-Specifies the label of keys in the crypto hardware (PKCS#11 device).
+Specifies the label of keys in the crypto hardware (OpenSSL engine). An example for the pkcs11 engine is pkcs11:foo (note the string pkcs11 is in both E and l options.)
 .RE
 .PP
 \-n \fInametype\fR
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 5c91d6e5c1..bcc07c970e 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,10 +28,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,7 +44,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -62,10 +62,16 @@
             Note 2: DH automatically sets the -k flag.
           
    
 
    
+
    -E engine
    
+
    
+            Specifies the name of the crypto hardware (OpenSSL engine).
+            When compiled with PKCS#11 support it defaults to pcks11.
+          
    
 
    -l label
    
 
    
-            Specifies the label of keys in the crypto hardware
-            (PKCS#11 device).
+            Specifies the label of keys in the crypto hardware (OpenSSL
+            engine). An example for the pkcs11 engine is pkcs11:foo
+            (note the string pkcs11 is in both E and l options.)
           
    
 
    -n nametype
    
 
    
@@ -135,7 +141,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -182,7 +188,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -221,7 +227,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -231,7 +237,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index aa861af026..0fec92dd93 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.48 2009/09/15 01:14:41 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.49 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 14
-\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -96,6 +96,11 @@ option suppresses them.
 Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
 .RE
 .PP
+\-E \fIengine\fR
+.RS 4
+Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pcks11, the empty name resets it to no engine.
+.RE
+.PP
 \-e
 .RS 4
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 0cf59b3af0..5a16af80b7 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
+
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -46,7 +46,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -125,6 +125,13 @@
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
           
    
+
    -E engine
    
+
    
+            Uses a crypto hardware (OpenSSL engine) for random number
+            and, when supported, key generation. When compiled with PKCS#11
+            support it defaults to pcks11, the empty name resets it to
+            no engine.
+          
    
 
    -e
    
 
    
             If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -213,7 +220,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -260,7 +267,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -306,7 +313,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -327,7 +334,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -336,7 +343,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-revoke.8 b/bin/dnssec/dnssec-revoke.8
index e82a412099..34e14592f3 100644
--- a/bin/dnssec/dnssec-revoke.8
+++ b/bin/dnssec/dnssec-revoke.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-revoke.8,v 1.6 2009/07/21 01:13:24 tbox Exp $
+.\" $Id: dnssec-revoke.8,v 1.7 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
 .SH "SYNOPSIS"
 .HP 14
-\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-f\fR] {keyfile}
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-revoke\fR
@@ -59,6 +59,11 @@ After writing the new keyset files remove the original keyset files.
 Sets the debugging level.
 .RE
 .PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pcks11, the empty name resets it to no engine.
+.RE
+.PP
 \-f
 .RS 4
 Force overwrite: Causes
diff --git a/bin/dnssec/dnssec-revoke.html b/bin/dnssec/dnssec-revoke.html
index ebc250d994..22edeadee5 100644
--- a/bin/dnssec/dnssec-revoke.html
+++ b/bin/dnssec/dnssec-revoke.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}
    
+
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -40,7 +40,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -59,6 +59,11 @@
 
    
             Sets the debugging level.
           
    
+
    -E engine
    
+
    
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    -f
    
 
    
             Force overwrite: Causes dnssec-revoke to
@@ -68,14 +73,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index ab32b8f531..3d690fcc46 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-settime.8,v 1.6 2009/09/15 01:14:41 tbox Exp $
+.\" $Id: dnssec-settime.8,v 1.7 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-settime \- Set the key timing metadata for a DNSSEC key
 .SH "SYNOPSIS"
 .HP 15
-\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {keyfile}
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-settime\fR
@@ -76,6 +76,11 @@ Emit usage message and exit.
 .RS 4
 Sets the debugging level.
 .RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pcks11, the empty name resets it to no engine.
+.RE
 .SH "TIMING OPTIONS"
 .PP
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index 338dd240df..d4d97ab1e2 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
+
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -57,7 +57,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -80,10 +80,15 @@
 
    
             Sets the debugging level.
           
    
+
    -E engine
    
+
    
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -128,7 +133,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -154,7 +159,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -162,7 +167,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index f4d483e20a..abad0f11ac 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.54 2009/09/30 01:14:47 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.55 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -72,6 +72,11 @@ files in
 \fBdirectory\fR.
 .RE
 .PP
+\-E \fIengine\fR
+.RS 4
+Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pcks11, the empty name resets it to no engine.
+.RE
+.PP
 \-g
 .RS 4
 Generate DS records for child zones from
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index f1806b64b3..c994ccff25 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
+
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -67,6 +67,13 @@
             Look for dsset- or
             keyset- files in directory.
           
    
+
    -E engine
    
+
    
+            Uses a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    -g
    
 
    
             Generate DS records for child zones from
@@ -361,7 +368,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -390,14 +397,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/named/named.8 b/bin/named/named.8
index 90bdc4feac..378efb722d 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.40 2009/07/11 01:12:45 tbox Exp $
+.\" $Id: named.8,v 1.41 2009/10/06 01:14:41 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 named \- Internet domain name server
 .SH "SYNOPSIS"
 .HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\fR
@@ -83,6 +83,13 @@ Set the daemon's debug level to
 become more verbose as the debug level increases.
 .RE
 .PP
+\-E \fIengine\-name\fR
+.RS 4
+Use a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance re\-signing with private keys from a secure key store. When compiled with PKCS#11 support
+\fIengine\-name\fR
+defaults to pkcs11, the empty name resets it to no engine.
+.RE
+.PP
 \-f
 .RS 4
 Run the server in the foreground (i.e. do not daemonize).
diff --git a/bin/named/named.html b/bin/named/named.html
index 4bd34a0933..b638e3593c 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
 
    
 
    Synopsis
    
-
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
+
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -79,6 +79,14 @@
             Debugging traces from named become
             more verbose as the debug level increases.
           
    
+
    -E engine-name
    
+
    
+            Use a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance re-signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            engine-name
+            defaults to pkcs11, the empty name resets it to no engine.
+          
    
 
    -f
    
 
    
             Run the server in the foreground (i.e. do not daemonize).
@@ -220,7 +228,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -241,7 +249,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -258,7 +266,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -271,7 +279,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -284,7 +292,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index c58535f3c2..8bfc4cf8f9 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -56,22 +56,22 @@
 
    Generate Shared Keys for Each Pair of Hosts
    
 
    Copying the Shared Secret to Both Machines
    
 
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
@@ -516,17 +516,16 @@ nameserver 172.16.72.4
 
    
 Automatic Generation
    
 
    
-            The following command will generate a 128-bit (16 byte) HMAC-MD5
+            The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
-            are easier to read. Note that the maximum key length is 512 bits;
-            keys longer than that will be digested with MD5 to produce a
-            128-bit key.
+            are easier to read. Note that the maximum key length is the digest
+            length, here 256 bits.
           
    
 
    
-            dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
+            dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.
           
    
 
    
-            The key is in the file Khost1-host2.+157+00000.private.
+            The key is in the file Khost1-host2.+163+00000.private.
             Nothing directly uses this file, but the base-64 encoded string
             following "Key:"
             can be extracted from the file and used as a shared secret:
@@ -570,17 +569,15 @@ nameserver 172.16.72.4
         
    
 
     key host1-host2. {
-  algorithm hmac-md5;
+  algorithm hmac-sha256;
   secret "La/E5CjG9O+os1jq0a2jdA==";
 };
 
    
 
    
-          The algorithm, hmac-md5, is the only one supported by BIND.
           The secret is the one generated above. Since this is a secret, it
-          is recommended that either named.conf be non-world
-          readable, or the key directive be added to a non-world readable
-          file that is included by
-          named.conf.
+          is recommended that either named.conf be
+          non-world readable, or the key directive be added to a non-world
+          readable file that is included by named.conf.
         
    
 
    
           At this point, the key is recognized. This means that if the
@@ -591,7 +588,7 @@ key host1-host2. {
 
 
    
 
    
-Instructing the Server to Use the Key
    
+Instructing the Server to Use the Key
    
 
    
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -623,7 +620,7 @@ server 10.1.2.3 {
 
 
    
 
    
-TSIG Key Based Access Control
    
+TSIG Key Based Access Control
    
 
    
           BIND allows IP addresses and ranges
           to be specified in ACL
@@ -650,7 +647,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Errors
    
+Errors
    
 
    
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -676,7 +673,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-TKEY
    
+TKEY
    
 
    TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -712,7 +709,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-SIG(0)
    
+SIG(0)
    
 
    
         BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -773,7 +770,7 @@ allow-update { key host1-host2. ;};
       
    
 
    
 
    
-Generating Keys
    
+Generating Keys
    
 
    
           The dnssec-keygen program is used to
           generate keys.
@@ -829,7 +826,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Signing the Zone
    
+Signing the Zone
    
 
    
           The dnssec-signzone program is used
           to sign a zone.
@@ -871,7 +868,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Configuring Servers
    
+Configuring Servers
    
 
    
           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients,
@@ -1017,7 +1014,7 @@ options {
 
 
    
 
    
-IPv6 Support in BIND 9
    
+IPv6 Support in BIND 9
    
 
    
         BIND 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -1055,7 +1052,7 @@ options {
       
    
 
    
 
    
-Address Lookups Using AAAA Records
    
+Address Lookups Using AAAA Records
    
 
    
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -1074,7 +1071,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 
    
 
    
-Address to Name Lookups Using Nibble Format
    
+Address to Name Lookups Using Nibble Format
    
 
    
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index c5ceb50dbf..23817c79e5 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 
    
 
    Table of Contents
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    
 
    
 
    
-The Lightweight Resolver Library
    
+The Lightweight Resolver Library
    
 
    
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 00e0c62dd1..8ae53c7513 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,58 +48,58 @@
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and
+
    include Statement Grammar
    
+
    include Statement Definition and
           Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and
           Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    masters Statement Grammar
    
-
    masters Statement Definition and
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    masters Statement Grammar
    
+
    masters Statement Definition and
           Usage
    
-
    options Statement Grammar
    
+
    options Statement Grammar
    
 
    options Statement Definition and
           Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -477,7 +477,7 @@
 Address Match Lists
 
    
 
    
-Syntax
    
+Syntax
    
 
    address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -486,7 +486,7 @@
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -570,7 +570,7 @@
 
 
    
 
    
-Comment Syntax
    
+Comment Syntax
    
 
    
           The BIND 9 comment syntax allows for
           comments to appear
@@ -580,7 +580,7 @@
         
    
 
    
 
    
-Syntax
    
+Syntax
    
 
    
             
    
 
    /* This is a BIND comment as in C */
    
@@ -596,7 +596,7 @@
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -848,7 +848,7 @@
       
    
 
    
 
    
-acl Statement Grammar
    
+acl Statement Grammar
    
 
    acl acl-name {
     address_match_list
 };
@@ -930,7 +930,7 @@
 
 
    
 
    
-controls Statement Grammar
    
+controls Statement Grammar
    
 
    controls {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow {  address_match_list  }
@@ -1054,12 +1054,12 @@
 
 
    
 
    
-include Statement Grammar
    
+include Statement Grammar
    
 
    include filename;
    
 
 
    
 
    
-include Statement Definition and
+include Statement Definition and
           Usage
    
 
    
           The include statement inserts the
@@ -1074,7 +1074,7 @@
 
    
 
    
 
    
-key Statement Grammar
    
+key Statement Grammar
    
 
    key key_id {
     algorithm string;
     secret string;
@@ -1083,7 +1083,7 @@
 
 
    
 
    
-key Statement Definition and Usage
    
+key Statement Definition and Usage
    
 
    
           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1130,7 +1130,7 @@
 
 
    
 
    
-logging Statement Grammar
    
+logging Statement Grammar
    
 
    logging {
    [ channel channel_name {
      ( file path_name
@@ -1154,7 +1154,7 @@
 
 
    
 
    
-logging Statement Definition and
+logging Statement Definition and
           Usage
    
 
    
           The logging statement configures a
@@ -1188,7 +1188,7 @@
         
    
 
    
 
    
-The channel Phrase
    
+The channel Phrase
    
 
    
             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1752,7 +1752,7 @@ category notify { null; };
 
 
    
 
    
-The query-errors Category
    
+The query-errors Category
    
 
    
             The query-errors category is
             specifically intended for debugging purposes: To identify
@@ -1980,7 +1980,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-lwres Statement Grammar
    
+lwres Statement Grammar
    
 
    
            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1996,7 +1996,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-lwres Statement Definition and Usage
    
+lwres Statement Definition and Usage
    
 
    
           The lwres statement configures the
           name
@@ -2047,7 +2047,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-masters Statement Grammar
    
+masters Statement Grammar
    
 
     masters name [port ip_port] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2055,7 +2055,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-masters Statement Definition and
+masters Statement Definition and
           Usage
    
 
    masters
           lists allow for a common set of masters to be easily used by
@@ -2064,7 +2064,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
    
 
    
 
    
-options Statement Grammar
    
+options Statement Grammar
    
 
    
           This is the grammar of the options
           statement in the named.conf file:
@@ -3366,7 +3366,7 @@ options {
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3410,7 +3410,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3607,7 +3607,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4059,7 +4059,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4101,7 +4101,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4263,7 +4263,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5059,7 +5059,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5389,7 +5389,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5440,7 +5440,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5449,7 +5449,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5489,7 +5489,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5498,7 +5498,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5608,7 +5608,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5885,10 +5885,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    @@ -6099,7 +6099,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6121,7 +6121,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6751,7 +6751,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6764,7 +6764,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7501,7 +7501,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7704,7 +7704,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7960,7 +7960,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8021,7 +8021,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8036,7 +8036,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8047,7 +8047,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8076,7 +8076,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8112,7 +8112,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8131,7 +8131,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8555,7 +8555,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9112,7 +9112,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9266,7 +9266,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9649,7 +9649,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9804,7 +9804,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 08b4038503..5e719c0886 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 04e92412e2..1f3f85ffed 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index e477a3587d..3ba778a4a3 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 2c518a1b6a..8d5311ba67 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -99,27 +99,27 @@
 
    Generate Shared Keys for Each Pair of Hosts
    
 
    Copying the Shared Secret to Both Machines
    
 
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
    5. The BIND 9 Lightweight Resolver
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    6. BIND 9 Configuration Reference
    
@@ -127,58 +127,58 @@
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and
+
    include Statement Grammar
    
+
    include Statement Definition and
           Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and
           Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    masters Statement Grammar
    
-
    masters Statement Definition and
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    masters Statement Grammar
    
+
    masters Statement Definition and
           Usage
    
-
    options Statement Grammar
    
+
    options Statement Grammar
    
 
    options Statement Definition and
           Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index c7bdacf3d3..64a7374cf0 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 2b01f9be06..4aa62eef0f 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 8ccf6fbe81..ca0f60a13c 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index af96c6f68a..920367f1d5 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -81,10 +81,16 @@
             Note 2: DH automatically sets the -k flag.
           
    
 
    
+
    -E engine
    
+
    
+            Specifies the name of the crypto hardware (OpenSSL engine).
+            When compiled with PKCS#11 support it defaults to pcks11.
+          
    
 
    -l label
    
 
    
-            Specifies the label of keys in the crypto hardware
-            (PKCS#11 device).
+            Specifies the label of keys in the crypto hardware (OpenSSL
+            engine). An example for the pkcs11 engine is pkcs11:foo
+            (note the string pkcs11 is in both E and l options.)
           
    
 
    -n nametype
    
 
    
@@ -154,7 +160,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -201,7 +207,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -240,7 +246,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -250,7 +256,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 87b451a808..0ab8a868b3 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
+
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -143,6 +143,13 @@
             Indicates that the DNS record containing the key should have
             the specified class.  If not specified, class IN is used.
           
    
+
    -E engine
    
+
    
+            Uses a crypto hardware (OpenSSL engine) for random number
+            and, when supported, key generation. When compiled with PKCS#11
+            support it defaults to pcks11, the empty name resets it to
+            no engine.
+          
    
 
    -e
    
 
    
             If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -231,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -278,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -324,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -345,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -354,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index bf611d8289..91b3b04f9f 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-revoke  [-hr] [-v level] [-K directory] [-f] {keyfile}
    
+
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -77,6 +77,11 @@
 
    
             Sets the debugging level.
           
    
+
    -E engine
    
+
    
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    -f
    
 
    
             Force overwrite: Causes dnssec-revoke to
@@ -86,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 14f6a681e5..43c7752c56 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] {keyfile}
    
+
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -98,10 +98,15 @@
 
    
             Sets the debugging level.
           
    
+
    -E engine
    
+
    
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -146,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -172,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -180,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 54c67edab1..401e43e702 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-signzone  [-a] [-c class] [-d directory] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
+
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -85,6 +85,13 @@
             Look for dsset- or
             keyset- files in directory.
           
    
+
    -E engine
    
+
    
+            Uses a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          
    
 
    -g
    
 
    
             Generate DS records for child zones from
@@ -379,7 +386,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -408,14 +415,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 14dd3d4c28..e0cbb658d7 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 72bcccda6e..db8f7e54b8 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 15210c19a0..441766efdd 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 548473cdfb..b5a1573440 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    named  [-4] [-6] [-c config-file] [-d debug-level] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
+
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -97,6 +97,14 @@
             Debugging traces from named become
             more verbose as the debug level increases.
           
    
+
    -E engine-name
    
+
    
+            Use a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance re-signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            engine-name
+            defaults to pkcs11, the empty name resets it to no engine.
+          
    
 
    -f
    
 
    
             Run the server in the foreground (i.e. do not daemonize).
@@ -238,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -259,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -276,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -289,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -302,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index db8db679a9..721a3a0488 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 18a331e3cb..b06f84631a 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 3cbd8411f4..1dbc627b7b 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index b111bbbdea..33947f6bd5 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 699487d8026a2b931bdce8ce3ae6bc1025d639fb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Oct 2009 04:14:58 +0000
Subject: [PATCH 265/385] bin/pkcs11/openssl-0.9.8k-patch

---
 util/copyrights | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/copyrights b/util/copyrights
index b0ed8a6d67..66585f844d 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -231,6 +231,7 @@
 ./bin/nsupdate/win32/nsupdate.mak		X	2001,2002,2004,2005,2006,2009
 ./bin/pkcs11/.cvsignore				X	2009
 ./bin/pkcs11/OLD-PKCS11-NOTES			X	2009
+./bin/pkcs11/openssl-0.9.8k-patch		X	2009
 ./bin/pkcs11/pkcs11-destroy.c			X	2009
 ./bin/pkcs11/pkcs11-keygen.c			X	2009
 ./bin/pkcs11/pkcs11-list.c			X	2009

From 807ffe7aba4095b2f25c75ac1459f9efcd017eeb Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 6 Oct 2009 04:16:38 +0000
Subject: [PATCH 266/385] bin/pkcs11/win32/setprovider

---
 util/copyrights | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/copyrights b/util/copyrights
index 66585f844d..1339d4066c 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -235,6 +235,7 @@
 ./bin/pkcs11/pkcs11-destroy.c			X	2009
 ./bin/pkcs11/pkcs11-keygen.c			X	2009
 ./bin/pkcs11/pkcs11-list.c			X	2009
+./bin/pkcs11/win32/setprovider			PERL	2009
 ./bin/rndc/.cvsignore				X	2000,2001
 ./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009
 ./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009

From 7d12a6b412fe47e6d6582923fd6954ab8cd0baeb Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 6 Oct 2009 04:36:32 +0000
Subject: [PATCH 267/385] newcopyrights

---
 util/copyrights | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 1339d4066c..51d43a7ffe 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -230,12 +230,39 @@
 ./bin/nsupdate/win32/nsupdate.dsw		X	2001
 ./bin/nsupdate/win32/nsupdate.mak		X	2001,2002,2004,2005,2006,2009
 ./bin/pkcs11/.cvsignore				X	2009
+./bin/pkcs11/Makefile.in			MAKE	2009
 ./bin/pkcs11/OLD-PKCS11-NOTES			X	2009
+./bin/pkcs11/include/pkcs11.h			C	2009
+./bin/pkcs11/include/pkcs11f.h			C	2009
+./bin/pkcs11/include/pkcs11t.h			C	2009
 ./bin/pkcs11/openssl-0.9.8k-patch		X	2009
+./bin/pkcs11/pkcs11-destroy.8			MAN	2009
 ./bin/pkcs11/pkcs11-destroy.c			X	2009
+./bin/pkcs11/pkcs11-destroy.docbook		SGML	2009
+./bin/pkcs11/pkcs11-destroy.html		HTML	2009
+./bin/pkcs11/pkcs11-keygen.8			MAN	2009
 ./bin/pkcs11/pkcs11-keygen.c			X	2009
+./bin/pkcs11/pkcs11-keygen.docbook		SGML	2009
+./bin/pkcs11/pkcs11-keygen.html			HTML	2009
+./bin/pkcs11/pkcs11-list.8			MAN	2009
 ./bin/pkcs11/pkcs11-list.c			X	2009
+./bin/pkcs11/pkcs11-list.docbook		SGML	2009
+./bin/pkcs11/pkcs11-list.html			HTML	2009
+./bin/pkcs11/unix/cryptoki.h			C	2009
+./bin/pkcs11/unix/unix.c			C	2009
+./bin/pkcs11/win32/cryptoki.h			C	2009
+./bin/pkcs11/win32/destroy.dsp			X	2009
+./bin/pkcs11/win32/destroy.dsw			X	2009
+./bin/pkcs11/win32/destroy.mak			X	2009
+./bin/pkcs11/win32/keygen.dsp			X	2009
+./bin/pkcs11/win32/keygen.dsw			X	2009
+./bin/pkcs11/win32/keygen.mak			X	2009
+./bin/pkcs11/win32/list.dsp			X	2009
+./bin/pkcs11/win32/list.dsw			X	2009
+./bin/pkcs11/win32/list.mak			X	2009
+./bin/pkcs11/win32/pkcs11.dsw			X	2009
 ./bin/pkcs11/win32/setprovider			PERL	2009
+./bin/pkcs11/win32/win32.c			C	2009
 ./bin/rndc/.cvsignore				X	2000,2001
 ./bin/rndc/Makefile.in				MAKE	2000,2001,2002,2004,2007,2009
 ./bin/rndc/include/rndc/os.h			C	2001,2004,2005,2007,2009
@@ -1675,7 +1702,7 @@
 ./lib/Makefile.in				MAKE	1998,1999,2000,2001,2003,2004,2007
 ./lib/bind9/.cvsignore				X	2001
 ./lib/bind9/Makefile.in				MAKE	2001,2004,2007,2009
-./lib/bind9/api					X	2001,2006,2008
+./lib/bind9/api					X	2001,2006,2008,2009
 ./lib/bind9/check.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/bind9/getaddresses.c			C	2001,2002,2004,2005,2007
 ./lib/bind9/include/.cvsignore			X	2001
@@ -1714,7 +1741,7 @@
 ./lib/dns/dst_api.c				C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_internal.h			C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_lib.c				C	1999,2000,2001,2004,2005,2007
-./lib/dns/dst_openssl.h				C	2002,2004,2005,2007,2008
+./lib/dns/dst_openssl.h				C	2002,2004,2005,2007,2008,2009
 ./lib/dns/dst_parse.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_parse.h				C.NAI	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/dst_result.c				C	1999,2000,2001,2004,2005,2007,2008
@@ -2086,7 +2113,7 @@
 ./lib/isc/alpha/include/isc/.cvsignore		X	2007
 ./lib/isc/alpha/include/isc/Makefile.in		MAKE	2007
 ./lib/isc/alpha/include/isc/atomic.h		C	2005,2007,2009
-./lib/isc/api					X	1999,2000,2001,2006,2008
+./lib/isc/api					X	1999,2000,2001,2006,2008,2009
 ./lib/isc/app_api.c				C	2009
 ./lib/isc/assertions.c				C	1997,1998,1999,2000,2001,2004,2005,2007,2008,2009
 ./lib/isc/backtrace-emptytbl.c			C	2009
@@ -2412,7 +2439,7 @@
 ./lib/isccc/.cvsignore				X	2001
 ./lib/isccc/Makefile.in				MAKE	2001,2003,2004,2007,2009
 ./lib/isccc/alist.c				C.NOM	2001,2004,2005,2007
-./lib/isccc/api					X	2001,2006,2008
+./lib/isccc/api					X	2001,2006,2008,2009
 ./lib/isccc/base64.c				C.NOM	2001,2004,2005,2007
 ./lib/isccc/cc.c				C.NOM	2001,2002,2003,2004,2005,2006,2007
 ./lib/isccc/ccmsg.c				C.NOM	2001,2004,2005,2007
@@ -2447,7 +2474,7 @@
 ./lib/isccfg/.cvsignore				X	2001
 ./lib/isccfg/Makefile.in			MAKE	2001,2002,2003,2004,2005,2007,2009
 ./lib/isccfg/aclconf.c				C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
-./lib/isccfg/api				X	2001,2006,2008
+./lib/isccfg/api				X	2001,2006,2008,2009
 ./lib/isccfg/dnsconf.c				C	2009
 ./lib/isccfg/include/.cvsignore			X	2001
 ./lib/isccfg/include/Makefile.in		MAKE	2001,2004,2007
@@ -2472,7 +2499,7 @@
 ./lib/isccfg/win32/version.c			C	1998,1999,2000,2001,2004,2007
 ./lib/lwres/.cvsignore				X	2000,2001
 ./lib/lwres/Makefile.in				MAKE	2000,2001,2004,2005,2007
-./lib/lwres/api					X	2000,2001,2006,2008
+./lib/lwres/api					X	2000,2001,2006,2008,2009
 ./lib/lwres/assert_p.h				C	2000,2001,2004,2005,2007
 ./lib/lwres/context.c				C	2000,2001,2003,2004,2005,2007,2008,2009
 ./lib/lwres/context_p.h				C	2000,2001,2004,2005,2007,2008

From e74245134d71795065fe4940eea5307b1bb9c488 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 6 Oct 2009 04:40:14 +0000
Subject: [PATCH 268/385] update copyright notice

---
 bin/pkcs11/pkcs11-destroy.8    | 10 +++++-----
 bin/pkcs11/pkcs11-destroy.html | 11 ++++++-----
 bin/pkcs11/pkcs11-keygen.8     | 10 +++++-----
 bin/pkcs11/pkcs11-keygen.html  | 11 ++++++-----
 bin/pkcs11/pkcs11-list.8       | 10 +++++-----
 bin/pkcs11/pkcs11-list.html    | 11 ++++++-----
 lib/dns/dst_openssl.h          |  4 ++--
 7 files changed, 35 insertions(+), 32 deletions(-)

diff --git a/bin/pkcs11/pkcs11-destroy.8 b/bin/pkcs11/pkcs11-destroy.8
index c10de4ab4e..aff35b3924 100644
--- a/bin/pkcs11/pkcs11-destroy.8
+++ b/bin/pkcs11/pkcs11-destroy.8
@@ -1,18 +1,18 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-destroy.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\" $Id: pkcs11-destroy.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/pkcs11/pkcs11-destroy.html b/bin/pkcs11/pkcs11-destroy.html
index 3f0adf4538..afc6e3624a 100644
--- a/bin/pkcs11/pkcs11-destroy.html
+++ b/bin/pkcs11/pkcs11-destroy.html
@@ -1,19 +1,20 @@
 
-
+
+
 
 
 
diff --git a/bin/pkcs11/pkcs11-keygen.8 b/bin/pkcs11/pkcs11-keygen.8
index 93ba99db29..568e86286b 100644
--- a/bin/pkcs11/pkcs11-keygen.8
+++ b/bin/pkcs11/pkcs11-keygen.8
@@ -1,18 +1,18 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-keygen.8,v 1.3 2009/10/05 12:25:29 fdupont Exp $
+.\" $Id: pkcs11-keygen.8,v 1.4 2009/10/06 04:40:14 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/pkcs11/pkcs11-keygen.html b/bin/pkcs11/pkcs11-keygen.html
index 1292cf6508..41378fceac 100644
--- a/bin/pkcs11/pkcs11-keygen.html
+++ b/bin/pkcs11/pkcs11-keygen.html
@@ -1,19 +1,20 @@
 
-
+
+
 
 
 
diff --git a/bin/pkcs11/pkcs11-list.8 b/bin/pkcs11/pkcs11-list.8
index dd3f21f8df..c10183692e 100644
--- a/bin/pkcs11/pkcs11-list.8
+++ b/bin/pkcs11/pkcs11-list.8
@@ -1,18 +1,18 @@
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\" 
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\" 
+.\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-list.8,v 1.2 2009/10/05 12:11:53 fdupont Exp $
+.\" $Id: pkcs11-list.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/pkcs11/pkcs11-list.html b/bin/pkcs11/pkcs11-list.html
index 8e8c5ceb2c..c51c5165a0 100644
--- a/bin/pkcs11/pkcs11-list.html
+++ b/bin/pkcs11/pkcs11-list.html
@@ -1,19 +1,20 @@
 
-
+
+
 
 
 
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index cb19044a26..895c43f593 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dst_openssl.h,v 1.9 2009/10/06 04:40:14 tbox Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1

From 95b41985f7dfac76f2dccd90f5ef4d820d409e60 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 20:27:55 +0000
Subject: [PATCH 269/385] - build pkcs11 tools when compiling --with-pkcs11=yes
 - add PKCS11_PROVIDER environment variable as a method for specifying   the
 provider.

---
 bin/pkcs11/pkcs11-destroy.c | 5 +++++
 bin/pkcs11/pkcs11-keygen.c  | 5 +++++
 bin/pkcs11/pkcs11-list.c    | 5 +++++
 configure.in                | 8 ++++----
 4 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index 21c322222f..cbc4d9692a 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -40,6 +40,11 @@ main(int argc, char *argv[])
     };
     extern char *optarg;
     extern int optopt;
+    char *pk11_provider;
+
+    pk11_provider = getenv("PKCS11_PROVIDER");
+    if (pk11_provider != NULL)
+        pk11_libname = pk11_provider;
 
     while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
 	switch (c) {
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index df25556c4c..13c4669d9b 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -80,6 +80,11 @@ main(int argc, char *argv[])
     CK_ULONG privatekey_attrcnt = 7;
     extern char *optarg;
     extern int optopt;
+    char *pk11_provider;
+
+    pk11_provider = getenv("PKCS11_PROVIDER");
+    if (pk11_provider != NULL)
+        pk11_libname = pk11_provider;
     
     while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
         switch (c) {
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 094664e6c4..50c6cbdaca 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -39,6 +39,11 @@ main(int argc, char *argv[])
     };
     extern char *optarg;
     extern int optopt;
+    char *pk11_provider;
+
+    pk11_provider = getenv("PKCS11_PROVIDER");
+    if (pk11_provider != NULL)
+        pk11_libname = pk11_provider;
 
     while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
 	switch (c) {
diff --git a/configure.in b/configure.in
index 81ccd963df..27e0d87524 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.482 $)
+AC_REVISION($Revision: 1.483 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -718,29 +718,29 @@ case "$use_pkcs11" in
 	no|'')
 		AC_MSG_RESULT(disabled)
 		USE_PKCS11=''
+		PKCS11_TOOLS=''
 		;;
 	yes|*)
 		AC_MSG_RESULT(using OpenSSL with PKCS11 support)
 		USE_PKCS11='-DUSE_PKCS11'
+		PKCS11_TOOLS=pkcs11
 		;;
 esac
 AC_SUBST(USE_PKCS11)
+AC_SUBST(PKCS11_TOOLS)
 
 AC_MSG_CHECKING(for PKCS11 tools)
 case "$use_pkcs11" in
 	no|yes|'')
 		AC_MSG_RESULT(disabled)
 		PKCS11_PROVIDER="undefined"
-		PKCS11_TOOLS=''
 		;;
        *)
 		AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
 		PKCS11_PROVIDER="$use_pkcs11"
-		PKCS11_TOOLS=pkcs11
 		;;
 esac
 AC_SUBST(PKCS11_PROVIDER)
-AC_SUBST(PKCS11_TOOLS)
 
 AC_MSG_CHECKING(for GSSAPI library)
 AC_ARG_WITH(gssapi,

From f6e719d1454e1115cbc6e837882ab41555cb238c Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 20:31:10 +0000
Subject: [PATCH 270/385] regen

---
 configure | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/configure b/configure
index 96a47c54bc..8f64c0648f 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.468 2009/10/05 12:09:35 fdupont Exp $
+# $Id: configure,v 1.469 2009/10/06 20:31:10 each Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.482 .
+# From configure.in Revision: 1.483 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -896,8 +896,8 @@ DST_OPENSSL_INC
 ISC_PLATFORM_OPENSSLHASH
 ISC_OPENSSL_INC
 USE_PKCS11
-PKCS11_PROVIDER
 PKCS11_TOOLS
+PKCS11_PROVIDER
 ISC_PLATFORM_HAVEGSSAPI
 ISC_PLATFORM_GSSAPIHEADER
 USE_GSSAPI
@@ -22857,15 +22857,18 @@ case "$use_pkcs11" in
 		{ echo "$as_me:$LINENO: result: disabled" >&5
 echo "${ECHO_T}disabled" >&6; }
 		USE_PKCS11=''
+		PKCS11_TOOLS=''
 		;;
 	yes|*)
 		{ echo "$as_me:$LINENO: result: using OpenSSL with PKCS11 support" >&5
 echo "${ECHO_T}using OpenSSL with PKCS11 support" >&6; }
 		USE_PKCS11='-DUSE_PKCS11'
+		PKCS11_TOOLS=pkcs11
 		;;
 esac
 
 
+
 { echo "$as_me:$LINENO: checking for PKCS11 tools" >&5
 echo $ECHO_N "checking for PKCS11 tools... $ECHO_C" >&6; }
 case "$use_pkcs11" in
@@ -22873,18 +22876,15 @@ case "$use_pkcs11" in
 		{ echo "$as_me:$LINENO: result: disabled" >&5
 echo "${ECHO_T}disabled" >&6; }
 		PKCS11_PROVIDER="undefined"
-		PKCS11_TOOLS=''
 		;;
        *)
 		{ echo "$as_me:$LINENO: result: PKCS11 provider is \"$use_pkcs11\"" >&5
 echo "${ECHO_T}PKCS11 provider is \"$use_pkcs11\"" >&6; }
 		PKCS11_PROVIDER="$use_pkcs11"
-		PKCS11_TOOLS=pkcs11
 		;;
 esac
 
 
-
 { echo "$as_me:$LINENO: checking for GSSAPI library" >&5
 echo $ECHO_N "checking for GSSAPI library... $ECHO_C" >&6; }
 
@@ -34229,8 +34229,8 @@ DST_OPENSSL_INC!$DST_OPENSSL_INC$ac_delim
 ISC_PLATFORM_OPENSSLHASH!$ISC_PLATFORM_OPENSSLHASH$ac_delim
 ISC_OPENSSL_INC!$ISC_OPENSSL_INC$ac_delim
 USE_PKCS11!$USE_PKCS11$ac_delim
-PKCS11_PROVIDER!$PKCS11_PROVIDER$ac_delim
 PKCS11_TOOLS!$PKCS11_TOOLS$ac_delim
+PKCS11_PROVIDER!$PKCS11_PROVIDER$ac_delim
 ISC_PLATFORM_HAVEGSSAPI!$ISC_PLATFORM_HAVEGSSAPI$ac_delim
 ISC_PLATFORM_GSSAPIHEADER!$ISC_PLATFORM_GSSAPIHEADER$ac_delim
 USE_GSSAPI!$USE_GSSAPI$ac_delim

From 246c504f90f42e5633dfd5e85bd57b01064961fe Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 21:20:45 +0000
Subject: [PATCH 271/385] 2706.	[bug]		Loading a zone with a very
 large NSEC3 salt could 			trigger an assert. [RT #20368]

---
 CHANGES                     |  3 +++
 bin/tools/nsec3hash.c       |  7 ++++---
 lib/dns/include/dns/nsec3.h |  4 +++-
 lib/dns/rbtdb.c             | 10 ++++------
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index a931a5b9a0..086a6ad0b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2706.	[bug]		Loading a zone with a very large NSEC3 salt could
+			trigger an assert. [RT #20368]
+
 2705.	[placeholder]
 
 2704.	[bug]		Serial of dynamic and stub zones could be inconsistent
diff --git a/bin/tools/nsec3hash.c b/bin/tools/nsec3hash.c
index 13702674eb..f8ad799b19 100644
--- a/bin/tools/nsec3hash.c
+++ b/bin/tools/nsec3hash.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3hash.c,v 1.5 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: nsec3hash.c,v 1.6 2009/10/06 21:20:44 each Exp $ */
 
 #include 
 
@@ -32,6 +32,7 @@
 
 #include 
 #include 
+#include 
 #include 
 
 const char *program = "nsec3hash";
@@ -70,7 +71,7 @@ main(int argc, char **argv) {
 	isc_region_t region;
 	isc_result_t result;
 	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
-	unsigned char salt[255];
+	unsigned char salt[DNS_NSEC3_SALTSIZE];
 	unsigned char text[1024];
 	unsigned int hash_alg;
 	unsigned int length;
@@ -88,7 +89,7 @@ main(int argc, char **argv) {
 		result = isc_hex_decodestring(argv[1], &buffer);
 		check_result(result, "isc_hex_decodestring(salt)");
 		salt_length = isc_buffer_usedlength(&buffer);
-		if (salt_length > 255U)
+		if (salt_length > DNS_NSEC3_SALTSIZE)
 			fatal("salt too long");
 	}
 	hash_alg = atoi(argv[2]);
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index 6eaa6d2f4f..9b5ee9ebf1 100644
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.7 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: nsec3.h,v 1.8 2009/10/06 21:20:45 each Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@@ -28,6 +28,8 @@
 #include 
 #include 
 
+#define DNS_NSEC3_SALTSIZE 255
+
 /*
  * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
  * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index cf8a5e6a0a..fa1d921e32 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.281 2009/10/03 23:48:10 tbox Exp $ */
+/* $Id: rbtdb.c,v 1.282 2009/10/06 21:20:45 each Exp $ */
 
 /*! \file */
 
@@ -383,7 +383,7 @@ typedef struct rbtdb_version {
 	isc_uint8_t			flags;
 	isc_uint16_t			iterations;
 	isc_uint8_t			salt_length;
-	unsigned char			salt[NSEC3_MAX_HASH_LENGTH];
+	unsigned char			salt[DNS_NSEC3_SALTSIZE];
 } rbtdb_version_t;
 
 typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
@@ -2075,8 +2075,6 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 					continue;
 #endif
 
-				INSIST(nsec3param.salt_length <=
-				       sizeof(version->salt));
 				memcpy(version->salt, nsec3param.salt,
 				       nsec3param.salt_length);
 				version->hash = nsec3param.hash;
@@ -6656,8 +6654,8 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
 	if (rbtversion->havensec3) {
 		if (hash != NULL)
 			*hash = rbtversion->hash;
-		if (salt != NULL && salt_length != 0) {
-			REQUIRE(*salt_length > rbtversion->salt_length);
+		if (salt != NULL && salt_length != NULL) {
+			REQUIRE(*salt_length >= rbtversion->salt_length);
 			memcpy(salt, rbtversion->salt, rbtversion->salt_length);
 		}
 		if (salt_length != NULL)

From cd3e5ca69a53b7fe16bd4908f890a21b2418725b Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 21:44:18 +0000
Subject: [PATCH 272/385] updated for 9.7.0b1 release

---
 README.pkcs11 | 120 +++++++++++++++++++++++++++++++-------------------
 1 file changed, 74 insertions(+), 46 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index 5b6fac4fd9..9a096f45ee 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -20,22 +20,32 @@ initializing, testing and troubleshooting the HSM.
 BIND 9 uses OpenSSL for cryptography, but stock OpenSSL does not
 yet fully support PKCS #11.  However, a PKCS #11 engine for OpenSSL
 is available from the OpenSolaris project.  It has been modified by
-ISC to work with with BIND 9 and to provide new features such as
+ISC to work with with BIND 9, and to provide new features such as
 PIN management and key by reference.
 
-The PKCS#11 engine supports two flavors:
- - the crypto-accelerator which uses the PKCS#11 device for all crypto
-  operations it supports. This is the right choice for the SCA 6000.
- - the sign-only which was stripped down and provides only the
-  useful features for a secure key store. The Keyper must use this
-  flavor.
-
-The modified OpenSSL depends on a "PKCS #11 provider".  This is a shared
+The patched OpenSSL depends on a "PKCS #11 provider".  This is a shared
 library object, providing a low-level PKCS #11 interface to the HSM
-hardware; it is dynamically loaded by OpenSSL at runtime.  The PKCS #11
+hardware.  It is dynamically loaded by OpenSSL at runtime.  The PKCS #11
 provider comes from the HSM vendor, and and is specific to the HSM to be
 controlled.
 
+There are two "flavors" of PKCS #11 support provided by the patched
+OpenSSL, one of which must be chosen at configuration time.  The correct
+choice depends on the HSM hardware:
+
+ - Use 'crypto-accelerator' with HSMs that have hardware cryptographic
+   acceleration features, such as the SCA 6000 board.  This causes OpenSSL
+   to run all supported cryptographic operations in the HSM.
+
+ - Use 'sign-only' with HSMs that are designed to function primarily as
+   secure key storage devices, but lack hardware acceleration.  These
+   devices are highly secure, but are not necessarily any faster at
+   cryptography than the system CPU--often, they are slower.  It is
+   therefore most efficient to use them only for those operation
+   functions that require access to the secured private key, such as
+   zone signing, and to use the system CPU for all other computationally-
+   intensive operations.  The AEP Keyper is an example of such a device.
+
 The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
 of a context diff against OpenSSL 0.9.8k.  Before building BIND 9 with
 PKCS #11 support, it will be necessary to build OpenSSL with this patch
@@ -65,12 +75,11 @@ We will use this location when we configure BIND 9.
 
     EXAMPLE 1--BUILDING OPENSSL FOR THE AEP KEYPER ON LINUX:
 
-    The AEP Keyper is a highly-secured key storage device, but it does
+    The AEP Keyper is a highly secure key storage device, but does
     not provide hardware cryptographic acceleration.  It can carry out
     cryptographic operations, but it is probably slower than your
-    system's CPU, so it is most efficient to use it only for operations
-    that require the secured private key. This is why the PKCS#11
-    engine flavor shall be 'sign-only'.
+    system's CPU.  Therefore, we choose the 'sign-only' flavor when
+    building OpenSSL.
 
     The Keyper-specific PKCS #11 provider library is delivered with the
     Keyper software.  In this example, we place it /opt/pkcs11/usr/lib:
@@ -111,13 +120,19 @@ We will use this location when we configure BIND 9.
 
     After configuring, run "make" and "make test".
 
-Once you have built OpenSSL, run "apps/openssl engine" to confirm that
-PKCS #11 support was compiled in correctly.  The output should include the
-line:
+Once you have built OpenSSL, run "apps/openssl engine pkcs11" to confirm
+that PKCS #11 support was compiled in correctly.  The output should be
+one of the following lines, depending on the flavor selected:
 
-        (pkcs11) PKCS #11 engine support
+        (pkcs11) PKCS #11 engine support (sign only)
 
-<<"apps/openssl engine -t" to see if initialization is correct (available)>>
+Or:
+
+        (pkcs11) PKCS #11 engine support (crypto accelerator)
+
+Next, run "apps/openssl engine pkcs11 -t".  This will attempt to initialize
+the PKCS #11 engine.  If it is able to do so successfully, it will report
+"[ available ]".
 
 If the output is correct, run "make install".
 
@@ -131,9 +146,10 @@ library must be specified via configure.
     To link with the PKCS #11 provider, threads must be enabled in the
     BIND 9 build.
 
-    The PKCS #11 library is only available as a 32-bit binary.  If
-    we are building on a 64-bit host, we must force a 32-bit build by
-    adding "-m32" to the CC options on the "configure" command line.
+    The PKCS #11 library for the AEP Keyper is currently only available as
+    a 32-bit binary.  If we are building on a 64-bit host, we must force a
+    32-bit build by adding "-m32" to the CC options on the "configure"
+    command line.
 
         cd ../bind-9.7.0b1
         ./configure CC="gcc -m32" --enable-threads \
@@ -159,14 +175,17 @@ Configure).
 
 After configuring, run "make", "make test" and "make install".
 
-PKCS #11 TOOLS
+BIND 9 includes a minimal set of tools to operate the HSM, including
+"pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
+to list objects currently available, and "pkcs11-destroy" to remove
+objects.
 
-The bin/pkcs11 directory contains a set of tools to operate an HSM for
-the benefit of BIND 9, including "pkcs11-keygen" to generate a new key
-pair within the HSM, "pkcs11-list" to list objects currently available
-and "pkcs11-destroy" to remove objects.
-
-<<>>
+These tools are built if BIND 9 is configured with the --with-pkcs11
+option.  (NOTE: If --with-pkcs11 is set to "yes", rather than to the
+path of the PKCS #11 provider, then the tools will be built but the
+provider will be left undefined.  Use the -m option or the
+PKCS11_PROVIDER environment variable to specify the path to the
+provider.)
 
 USING THE HSM
 
@@ -203,16 +222,7 @@ key files.  The "dnssec-keyfromlabel" utility does this.  In this case,
 we will be using the HSM key "sample-ksk" as the key-signing key for
 "example.net":
 
-    dnssec-keyfromlabel -a NSEC3RSASHA1 -l pkcs11:sample-ksk -f KSK example.net
-
-(Note:  It is necessary to specify "pkcs11:" before the key's label;
-otherwise the PCKS #11 engine will look for the key on disk rather than
-in the HSM.  If you forget to do this, dnssec-keyfromlabel will return
-"not found".)
-
-<>
-<>
+    dnssec-keyfromlabel -l sample-ksk -f KSK example.net
 
 The resulting K*.key and K*.private files can now be used to sign the
 zone.  Unlike normal K* files, which contain both public and private
@@ -226,18 +236,19 @@ smaller key size, and omitting "-f KSK" from the dnssec-keyfromlabel
 arguments:
 
     pkcs11-keygen -b 1024 -l sample-zsk
-    dnssec-keyfromlabel -a NSEC3RSASHA1 -l pkcs11:sample-zsk example.net
+    dnssec-keyfromlabel -l sample-zsk example.net
 
 Alternatively, you may prefer to generate a conventional on-disk key, using
 dnssec-keygen:
 
-    dnssec-keygen -a NSEC3RSASHA1 -b 1024 example.net
+    dnssec-keygen example.net
 
-This provides less security than an HSM key, but since HSMs are often
-slower at signing than your system's CPU, it may be more efficient to
-reserve HSM keys for the less-frequent key-signing operation.  The
-zone-signing key can be rolled more frequently, if you wish, to
-compensate for a reduction in key security.
+This provides less security than an HSM key, but since HSMs can be
+slow or cumbersome to use for security reasons, it may be more
+efficient to reserve HSM keys for use in the less frequent
+key-signing operation.  The zone-signing key can be rolled more
+frequently, if you wish, to compensate for a reduction in key
+security.
 
 Now you can sign the zone.  (Note: If not using the -S option to
 dnssec-signzone, it will be necessary to add the contents of both
@@ -250,6 +261,23 @@ K*.key files to the zone master file before signing it.)
     Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
     example.net.signed
 
+SPECIFYING THE ENGINE ON THE COMMAND LINE
+
+The OpenSSL engine can be specified in named and all of the dnssec-*
+tools by using the "-E " command line option.  If BIND 9 is built
+with the --with-pkcs11 option, this option defaults to "pkcs11".
+Specifying the engine will generally not be necessary unless for
+some reason you wish to use a different OpenSSL engine.
+
+If you wish to disable use of the "pkcs11" engine--for troubleshooting
+purposes, or because the HSM is unavailable--set the engine to the empty
+string.  For example:
+
+    dnssec-signzone -E '' -S example.net
+
+This causes dnssec-signzone to run as if it were compiled without the
+--with-pkcs11 option.
+
 RUNNING NAMED WITH AUTOMATIC ZONE RE-SIGNING
 
 If you want named to dynamically re-sign zones using HSM keys, and/or to

From ca60f7ba750a7ab5548fc1d32f78158927b0e272 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 22:14:13 +0000
Subject: [PATCH 273/385] Add pkcs11 tools to standard windows BIND 9 build.

---
 .../win32/{destroy.dsp => pk11destroy.dsp}    | 238 +++----
 .../win32/{list.dsw => pk11destroy.dsw}       |  58 +-
 .../win32/{destroy.mak => pk11destroy.mak}    | 592 +++++++++---------
 .../win32/{keygen.dsp => pk11keygen.dsp}      | 238 +++----
 .../win32/{destroy.dsw => pk11keygen.dsw}     |  58 +-
 .../win32/{keygen.mak => pk11keygen.mak}      | 592 +++++++++---------
 bin/pkcs11/win32/{list.dsp => pk11list.dsp}   | 238 +++----
 bin/pkcs11/win32/{keygen.dsw => pk11list.dsw} |  58 +-
 bin/pkcs11/win32/{list.mak => pk11list.mak}   | 592 +++++++++---------
 bin/pkcs11/win32/pkcs11.dsw                   |  53 --
 .../setpk11provider.pl                        |  19 +-
 11 files changed, 1343 insertions(+), 1393 deletions(-)
 rename bin/pkcs11/win32/{destroy.dsp => pk11destroy.dsp} (81%)
 rename bin/pkcs11/win32/{list.dsw => pk11destroy.dsw} (83%)
 rename bin/pkcs11/win32/{destroy.mak => pk11destroy.mak} (73%)
 rename bin/pkcs11/win32/{keygen.dsp => pk11keygen.dsp} (81%)
 rename bin/pkcs11/win32/{destroy.dsw => pk11keygen.dsw} (83%)
 rename bin/pkcs11/win32/{keygen.mak => pk11keygen.mak} (73%)
 rename bin/pkcs11/win32/{list.dsp => pk11list.dsp} (82%)
 rename bin/pkcs11/win32/{keygen.dsw => pk11list.dsw} (84%)
 rename bin/pkcs11/win32/{list.mak => pk11list.mak} (73%)
 delete mode 100644 bin/pkcs11/win32/pkcs11.dsw
 rename bin/pkcs11/win32/setprovider => win32utils/setpk11provider.pl (76%)

diff --git a/bin/pkcs11/win32/destroy.dsp b/bin/pkcs11/win32/pk11destroy.dsp
similarity index 81%
rename from bin/pkcs11/win32/destroy.dsp
rename to bin/pkcs11/win32/pk11destroy.dsp
index a8d76c20c8..e08de5e7e1 100644
--- a/bin/pkcs11/win32/destroy.dsp
+++ b/bin/pkcs11/win32/pk11destroy.dsp
@@ -1,119 +1,119 @@
-# Microsoft Developer Studio Project File - Name="destroy" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Console Application" 0x0103
-
-CFG=destroy - Win32 Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE 
-!MESSAGE NMAKE /f "destroy.mak".
-!MESSAGE 
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "destroy.mak" CFG="destroy - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "destroy - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-RSC=rc.exe
-
-!IF  "$(CFG)" == "destroy - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-destroy.exe"
-
-!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
-# SUBTRACT CPP /X /YX
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-destroy.exe" /pdbtype:sept
-
-!ENDIF 
-
-# Begin Target
-
-# Name "destroy - Win32 Release"
-# Name "destroy - Win32 Debug"
-# Begin Group "Source Files"
-
-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
-# Begin Source File
-
-SOURCE="..\pkcs11-destroy.c"
-# End Source File
-# End Group
-# Begin Group "Header Files"
-
-# PROP Default_Filter "h;hpp;hxx;hm;inl"
-# Begin Source File
-
-SOURCE=".\cryptoki.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11t.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11f.h"
-# End Source File
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# End Group
-# End Target
-# End Project
+# Microsoft Developer Studio Project File - Name="pk11destroy" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=pk11destroy - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11destroy.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11destroy.mak" CFG="pk11destroy - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11destroy - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "pk11destroy - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-destroy.exe"
+
+!ELSEIF  "$(CFG)" == "pk11destroy - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "pk11destroy - Win32 Release"
+# Name "pk11destroy - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-destroy.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/list.dsw b/bin/pkcs11/win32/pk11destroy.dsw
similarity index 83%
rename from bin/pkcs11/win32/list.dsw
rename to bin/pkcs11/win32/pk11destroy.dsw
index 6b4b781220..cd467834d4 100644
--- a/bin/pkcs11/win32/list.dsw
+++ b/bin/pkcs11/win32/pk11destroy.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "list"=".\list.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "pk11destroy"=".\pk11destroy.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/destroy.mak b/bin/pkcs11/win32/pk11destroy.mak
similarity index 73%
rename from bin/pkcs11/win32/destroy.mak
rename to bin/pkcs11/win32/pk11destroy.mak
index f84ac75603..660bc64ab4 100644
--- a/bin/pkcs11/win32/destroy.mak
+++ b/bin/pkcs11/win32/pk11destroy.mak
@@ -1,296 +1,296 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on destroy.dsp
-!IF "$(CFG)" == ""
-CFG=destroy - Win32 Debug
-!MESSAGE No configuration specified. Defaulting to destroy - Win32 Debug.
-!ENDIF 
-
-!IF "$(CFG)" != "destroy - Win32 Release" && "$(CFG)" != "destroy - Win32 Debug"
-!MESSAGE Invalid configuration "$(CFG)" specified.
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "destroy.mak" CFG="destroy - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "destroy - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-!ERROR An invalid configuration is specified.
-!ENDIF 
-
-!IF "$(OS)" == "Windows_NT"
-NULL=
-!ELSE 
-NULL=nul
-!ENDIF 
-
-!IF  "$(CFG)" == "destroy - Win32 Release"
-_VC_MANIFEST_INC=0
-_VC_MANIFEST_BASENAME=__VC80
-!ELSE
-_VC_MANIFEST_INC=1
-_VC_MANIFEST_BASENAME=__VC80.Debug
-!ENDIF
-
-####################################################
-# Specifying name of temporary resource file used only in incremental builds:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
-!else
-_VC_MANIFEST_AUTO_RES=
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
-
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
-
-!endif
-####################################################
-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
-    $(_VC_MANIFEST_BASENAME).auto.rc \
-    $(_VC_MANIFEST_BASENAME).auto.manifest
-
-!else
-
-_VC_MANIFEST_CLEAN=
-
-!endif
-
-!IF  "$(CFG)" == "destroy - Win32 Release"
-
-OUTDIR=.\Release
-INTDIR=.\Release
-
-ALL : ".\Release\pkcs11-destroy.exe"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-destroy.obj"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase ".\Release\pkcs11-destroy.exe"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\destroy.bsc" 
-BSC32_SBRS= \
-	
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /machine:I386 /out:"./Release/pkcs11-destroy.exe" 
-LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
-
-".\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
-
-OUTDIR=.\Debug
-INTDIR=.\Debug
-# Begin Custom Macros
-OutDir=.\Debug
-# End Custom Macros
-
-ALL : ".\Debug\pkcs11-destroy.exe" "$(OUTDIR)\destroy.bsc"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-destroy.obj"
-	-@erase "$(INTDIR)\pkcs11-destroy.sbr"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "$(INTDIR)\vc60.pdb"
-	-@erase "$(OUTDIR)\pkcs11-destroy.pdb"
-	-@erase "$(OUTDIR)\destroy.bsc"
-	-@erase ".\Debug\pkcs11-destroy.exe"
-	-@erase ".\Debug\pkcs11-destroy.ilk"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\destroy.bsc" 
-BSC32_SBRS= "$(INTDIR)\pkcs11-destroy.sbr"
-
-"$(OUTDIR)\destroy.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
-    $(BSC32) @<<
-  $(BSC32_FLAGS) $(BSC32_SBRS)
-<<
-
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-destroy.exe" /pdbtype:sept 
-LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
-
-".\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ENDIF 
-
-
-!IF "$(NO_EXTERNAL_DEPS)" != "1"
-!IF EXISTS("destroy.dep")
-!INCLUDE "destroy.dep"
-!ELSE 
-!MESSAGE Warning: cannot find "destroy.dep"
-!ENDIF 
-!ENDIF 
-
-
-!IF "$(CFG)" == "destroy - Win32 Release" || "$(CFG)" == "destroy - Win32 Debug"
-SOURCE="..\pkcs11-destroy.c"
-
-!IF  "$(CFG)" == "destroy - Win32 Release"
-
-
-"$(INTDIR)\pkcs11-destroy.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "destroy - Win32 Debug"
-
-
-"$(INTDIR)\pkcs11-destroy.obj"	"$(INTDIR)\pkcs11-destroy.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-!ENDIF 
-
-####################################################
-# Commands to generate initial empty manifest file and the RC file
-# that references it, and for generating the .res file:
-
-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
-
-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
-    type <<$@
-#include 
-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
-<< KEEP
-
-$(_VC_MANIFEST_BASENAME).auto.manifest :
-    type <<$@
-
-
-
-<< KEEP
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11destroy.dsp
+!IF "$(CFG)" == ""
+CFG=pk11destroy - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to pk11destroy - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "pk11destroy - Win32 Release" && "$(CFG)" != "pk11destroy - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11destroy.mak" CFG="pk11destroy - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11destroy - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11destroy - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "pk11destroy - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "pk11destroy - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\pkcs11-destroy.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-destroy.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\pkcs11-destroy.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11destroy.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-destroy.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
+
+"..\..\..\Build\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "pk11destroy - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\pkcs11-destroy.exe" "$(OUTDIR)\pk11destroy.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-destroy.obj"
+	-@erase "$(INTDIR)\pkcs11-destroy.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-destroy.pdb"
+	-@erase "$(OUTDIR)\pk11destroy.bsc"
+	-@erase "..\..\..\Build\Debug\pkcs11-destroy.exe"
+	-@erase "..\..\..\Build\Debug\pkcs11-destroy.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11destroy.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-destroy.sbr"
+
+"$(OUTDIR)\pk11destroy.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"
+
+"..\..\..\Build\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("pk11destroy.dep")
+!INCLUDE "pk11destroy.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "pk11destroy.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "pk11destroy - Win32 Release" || "$(CFG)" == "pk11destroy - Win32 Debug"
+SOURCE="..\pkcs11-destroy.c"
+
+!IF  "$(CFG)" == "pk11destroy - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-destroy.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "pk11destroy - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-destroy.obj"	"$(INTDIR)\pkcs11-destroy.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/keygen.dsp b/bin/pkcs11/win32/pk11keygen.dsp
similarity index 81%
rename from bin/pkcs11/win32/keygen.dsp
rename to bin/pkcs11/win32/pk11keygen.dsp
index 80df0c7bd5..cd24823faf 100644
--- a/bin/pkcs11/win32/keygen.dsp
+++ b/bin/pkcs11/win32/pk11keygen.dsp
@@ -1,119 +1,119 @@
-# Microsoft Developer Studio Project File - Name="keygen" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Console Application" 0x0103
-
-CFG=keygen - Win32 Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE 
-!MESSAGE NMAKE /f "keygen.mak".
-!MESSAGE 
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-RSC=rc.exe
-
-!IF  "$(CFG)" == "keygen - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-keygen.exe"
-
-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
-# SUBTRACT CPP /X /YX
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-keygen.exe" /pdbtype:sept
-
-!ENDIF 
-
-# Begin Target
-
-# Name "keygen - Win32 Release"
-# Name "keygen - Win32 Debug"
-# Begin Group "Source Files"
-
-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
-# Begin Source File
-
-SOURCE="..\pkcs11-keygen.c"
-# End Source File
-# End Group
-# Begin Group "Header Files"
-
-# PROP Default_Filter "h;hpp;hxx;hm;inl"
-# Begin Source File
-
-SOURCE=".\cryptoki.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11t.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11f.h"
-# End Source File
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# End Group
-# End Target
-# End Project
+# Microsoft Developer Studio Project File - Name="pk11keygen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=pk11keygen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11keygen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11keygen.mak" CFG="pk11keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "pk11keygen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-keygen.exe"
+
+!ELSEIF  "$(CFG)" == "pk11keygen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "pk11keygen - Win32 Release"
+# Name "pk11keygen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-keygen.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/destroy.dsw b/bin/pkcs11/win32/pk11keygen.dsw
similarity index 83%
rename from bin/pkcs11/win32/destroy.dsw
rename to bin/pkcs11/win32/pk11keygen.dsw
index d1379b2456..5c52ce05d7 100644
--- a/bin/pkcs11/win32/destroy.dsw
+++ b/bin/pkcs11/win32/pk11keygen.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "destroy"=".\destroy.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "pk11keygen"=".\pk11keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/keygen.mak b/bin/pkcs11/win32/pk11keygen.mak
similarity index 73%
rename from bin/pkcs11/win32/keygen.mak
rename to bin/pkcs11/win32/pk11keygen.mak
index 6e13454fbf..63c875e255 100644
--- a/bin/pkcs11/win32/keygen.mak
+++ b/bin/pkcs11/win32/pk11keygen.mak
@@ -1,296 +1,296 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on keygen.dsp
-!IF "$(CFG)" == ""
-CFG=keygen - Win32 Debug
-!MESSAGE No configuration specified. Defaulting to keygen - Win32 Debug.
-!ENDIF 
-
-!IF "$(CFG)" != "keygen - Win32 Release" && "$(CFG)" != "keygen - Win32 Debug"
-!MESSAGE Invalid configuration "$(CFG)" specified.
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "keygen.mak" CFG="keygen - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "keygen - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-!ERROR An invalid configuration is specified.
-!ENDIF 
-
-!IF "$(OS)" == "Windows_NT"
-NULL=
-!ELSE 
-NULL=nul
-!ENDIF 
-
-!IF  "$(CFG)" == "keygen - Win32 Release"
-_VC_MANIFEST_INC=0
-_VC_MANIFEST_BASENAME=__VC80
-!ELSE
-_VC_MANIFEST_INC=1
-_VC_MANIFEST_BASENAME=__VC80.Debug
-!ENDIF
-
-####################################################
-# Specifying name of temporary resource file used only in incremental builds:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
-!else
-_VC_MANIFEST_AUTO_RES=
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
-
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
-
-!endif
-####################################################
-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
-    $(_VC_MANIFEST_BASENAME).auto.rc \
-    $(_VC_MANIFEST_BASENAME).auto.manifest
-
-!else
-
-_VC_MANIFEST_CLEAN=
-
-!endif
-
-!IF  "$(CFG)" == "keygen - Win32 Release"
-
-OUTDIR=.\Release
-INTDIR=.\Release
-
-ALL : ".\Release\pkcs11-keygen.exe"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-keygen.obj"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase ".\Release\pkcs11-keygen.exe"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
-BSC32_SBRS= \
-	
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /machine:I386 /out:"./Release/pkcs11-keygen.exe" 
-LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
-
-".\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
-
-OUTDIR=.\Debug
-INTDIR=.\Debug
-# Begin Custom Macros
-OutDir=.\Debug
-# End Custom Macros
-
-ALL : ".\Debug\pkcs11-keygen.exe" "$(OUTDIR)\keygen.bsc"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-keygen.obj"
-	-@erase "$(INTDIR)\pkcs11-keygen.sbr"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "$(INTDIR)\vc60.pdb"
-	-@erase "$(OUTDIR)\pkcs11-keygen.pdb"
-	-@erase "$(OUTDIR)\keygen.bsc"
-	-@erase ".\Debug\pkcs11-keygen.exe"
-	-@erase ".\Debug\pkcs11-keygen.ilk"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\keygen.bsc" 
-BSC32_SBRS= "$(INTDIR)\pkcs11-keygen.sbr"
-
-"$(OUTDIR)\keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
-    $(BSC32) @<<
-  $(BSC32_FLAGS) $(BSC32_SBRS)
-<<
-
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-keygen.exe" /pdbtype:sept 
-LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
-
-".\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ENDIF 
-
-
-!IF "$(NO_EXTERNAL_DEPS)" != "1"
-!IF EXISTS("keygen.dep")
-!INCLUDE "keygen.dep"
-!ELSE 
-!MESSAGE Warning: cannot find "keygen.dep"
-!ENDIF 
-!ENDIF 
-
-
-!IF "$(CFG)" == "keygen - Win32 Release" || "$(CFG)" == "keygen - Win32 Debug"
-SOURCE="..\pkcs11-keygen.c"
-
-!IF  "$(CFG)" == "keygen - Win32 Release"
-
-
-"$(INTDIR)\pkcs11-keygen.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "keygen - Win32 Debug"
-
-
-"$(INTDIR)\pkcs11-keygen.obj"	"$(INTDIR)\pkcs11-keygen.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-!ENDIF 
-
-####################################################
-# Commands to generate initial empty manifest file and the RC file
-# that references it, and for generating the .res file:
-
-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
-
-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
-    type <<$@
-#include 
-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
-<< KEEP
-
-$(_VC_MANIFEST_BASENAME).auto.manifest :
-    type <<$@
-
-
-
-<< KEEP
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11keygen.dsp
+!IF "$(CFG)" == ""
+CFG=pk11keygen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to pk11keygen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "pk11keygen - Win32 Release" && "$(CFG)" != "pk11keygen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11keygen.mak" CFG="pk11keygen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11keygen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11keygen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "pk11keygen - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "pk11keygen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\pkcs11-keygen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-keygen.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\pkcs11-keygen.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11keygen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-keygen.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
+
+"..\..\..\Build\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "pk11keygen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\pkcs11-keygen.exe" "$(OUTDIR)\pk11keygen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-keygen.obj"
+	-@erase "$(INTDIR)\pkcs11-keygen.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-keygen.pdb"
+	-@erase "$(OUTDIR)\pk11keygen.bsc"
+	-@erase "..\..\..\Build\Debug\pkcs11-keygen.exe"
+	-@erase "..\..\..\Build\Debug\pkcs11-keygen.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11keygen.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-keygen.sbr"
+
+"$(OUTDIR)\pk11keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"
+
+"..\..\..\Build\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("pk11keygen.dep")
+!INCLUDE "pk11keygen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "pk11keygen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "pk11keygen - Win32 Release" || "$(CFG)" == "pk11keygen - Win32 Debug"
+SOURCE="..\pkcs11-keygen.c"
+
+!IF  "$(CFG)" == "pk11keygen - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-keygen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "pk11keygen - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-keygen.obj"	"$(INTDIR)\pkcs11-keygen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/list.dsp b/bin/pkcs11/win32/pk11list.dsp
similarity index 82%
rename from bin/pkcs11/win32/list.dsp
rename to bin/pkcs11/win32/pk11list.dsp
index 514b516c50..64010c9aa9 100644
--- a/bin/pkcs11/win32/list.dsp
+++ b/bin/pkcs11/win32/pk11list.dsp
@@ -1,119 +1,119 @@
-# Microsoft Developer Studio Project File - Name="list" - Package Owner=<4>
-# Microsoft Developer Studio Generated Build File, Format Version 6.00
-# ** DO NOT EDIT **
-
-# TARGTYPE "Win32 (x86) Console Application" 0x0103
-
-CFG=list - Win32 Debug
-!MESSAGE This is not a valid makefile. To build this project using NMAKE,
-!MESSAGE use the Export Makefile command and run
-!MESSAGE 
-!MESSAGE NMAKE /f "list.mak".
-!MESSAGE 
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "list.mak" CFG="list - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "list - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "list - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-
-# Begin Project
-# PROP AllowPerConfigDependencies 0
-# PROP Scc_ProjName ""
-# PROP Scc_LocalPath ""
-CPP=cl.exe
-RSC=rc.exe
-
-!IF  "$(CFG)" == "list - Win32 Release"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 0
-# PROP BASE Output_Dir "Release"
-# PROP BASE Intermediate_Dir "Release"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 0
-# PROP Output_Dir "Release"
-# PROP Intermediate_Dir "Release"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
-# ADD BASE RSC /l 0x409 /d "NDEBUG"
-# ADD RSC /l 0x409 /d "NDEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"./Release/pkcs11-list.exe"
-
-!ELSEIF  "$(CFG)" == "list - Win32 Debug"
-
-# PROP BASE Use_MFC 0
-# PROP BASE Use_Debug_Libraries 1
-# PROP BASE Output_Dir "Debug"
-# PROP BASE Intermediate_Dir "Debug"
-# PROP BASE Target_Dir ""
-# PROP Use_MFC 0
-# PROP Use_Debug_Libraries 1
-# PROP Output_Dir "Debug"
-# PROP Intermediate_Dir "Debug"
-# PROP Ignore_Export_Lib 0
-# PROP Target_Dir ""
-# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
-# SUBTRACT CPP /X /YX
-# ADD BASE RSC /l 0x409 /d "_DEBUG"
-# ADD RSC /l 0x409 /d "_DEBUG"
-BSC32=bscmake.exe
-# ADD BASE BSC32 /nologo
-# ADD BSC32 /nologo
-LINK32=link.exe
-# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"./Debug/pkcs11-list.exe" /pdbtype:sept
-
-!ENDIF 
-
-# Begin Target
-
-# Name "list - Win32 Release"
-# Name "list - Win32 Debug"
-# Begin Group "Source Files"
-
-# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
-# Begin Source File
-
-SOURCE="..\pkcs11-list.c"
-# End Source File
-# End Group
-# Begin Group "Header Files"
-
-# PROP Default_Filter "h;hpp;hxx;hm;inl"
-# Begin Source File
-
-SOURCE=".\cryptoki.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11t.h"
-# End Source File
-# Begin Source File
-
-SOURCE="..\include\pkcs11f.h"
-# End Source File
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# End Group
-# End Target
-# End Project
+# Microsoft Developer Studio Project File - Name="pk11list" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=pk11list - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11list.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11list.mak" CFG="pk11list - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11list - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11list - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "pk11list - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-list.exe"
+
+!ELSEIF  "$(CFG)" == "pk11list - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "pk11list - Win32 Release"
+# Name "pk11list - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\pkcs11-list.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=".\cryptoki.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11t.h"
+# End Source File
+# Begin Source File
+
+SOURCE="..\include\pkcs11f.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/pkcs11/win32/keygen.dsw b/bin/pkcs11/win32/pk11list.dsw
similarity index 84%
rename from bin/pkcs11/win32/keygen.dsw
rename to bin/pkcs11/win32/pk11list.dsw
index bdd633e4e9..352a03cd0e 100644
--- a/bin/pkcs11/win32/keygen.dsw
+++ b/bin/pkcs11/win32/pk11list.dsw
@@ -1,29 +1,29 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "keygen"=".\keygen.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "pk11list"=".\pk11list.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/pkcs11/win32/list.mak b/bin/pkcs11/win32/pk11list.mak
similarity index 73%
rename from bin/pkcs11/win32/list.mak
rename to bin/pkcs11/win32/pk11list.mak
index 8fcc585b69..7d717f1086 100644
--- a/bin/pkcs11/win32/list.mak
+++ b/bin/pkcs11/win32/pk11list.mak
@@ -1,296 +1,296 @@
-# Microsoft Developer Studio Generated NMAKE File, Based on list.dsp
-!IF "$(CFG)" == ""
-CFG=list - Win32 Debug
-!MESSAGE No configuration specified. Defaulting to list - Win32 Debug.
-!ENDIF 
-
-!IF "$(CFG)" != "list - Win32 Release" && "$(CFG)" != "list - Win32 Debug"
-!MESSAGE Invalid configuration "$(CFG)" specified.
-!MESSAGE You can specify a configuration when running NMAKE
-!MESSAGE by defining the macro CFG on the command line. For example:
-!MESSAGE 
-!MESSAGE NMAKE /f "list.mak" CFG="list - Win32 Debug"
-!MESSAGE 
-!MESSAGE Possible choices for configuration are:
-!MESSAGE 
-!MESSAGE "list - Win32 Release" (based on "Win32 (x86) Console Application")
-!MESSAGE "list - Win32 Debug" (based on "Win32 (x86) Console Application")
-!MESSAGE 
-!ERROR An invalid configuration is specified.
-!ENDIF 
-
-!IF "$(OS)" == "Windows_NT"
-NULL=
-!ELSE 
-NULL=nul
-!ENDIF 
-
-!IF  "$(CFG)" == "list - Win32 Release"
-_VC_MANIFEST_INC=0
-_VC_MANIFEST_BASENAME=__VC80
-!ELSE
-_VC_MANIFEST_INC=1
-_VC_MANIFEST_BASENAME=__VC80.Debug
-!ENDIF
-
-####################################################
-# Specifying name of temporary resource file used only in incremental builds:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
-!else
-_VC_MANIFEST_AUTO_RES=
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
-
-!endif
-
-####################################################
-# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-#MT_SPECIAL_RETURN=1090650113
-#MT_SPECIAL_SWITCH=-notify_resource_update
-MT_SPECIAL_RETURN=0
-MT_SPECIAL_SWITCH=
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
-if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
-rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
-link $** /out:$@ $(LFLAGS)
-
-!else
-
-_VC_MANIFEST_EMBED_EXE= \
-if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
-
-!endif
-####################################################
-# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
-
-!if "$(_VC_MANIFEST_INC)" == "1"
-
-_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
-    $(_VC_MANIFEST_BASENAME).auto.rc \
-    $(_VC_MANIFEST_BASENAME).auto.manifest
-
-!else
-
-_VC_MANIFEST_CLEAN=
-
-!endif
-
-!IF  "$(CFG)" == "list - Win32 Release"
-
-OUTDIR=.\Release
-INTDIR=.\Release
-
-ALL : ".\Release\pkcs11-list.exe"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-list.obj"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase ".\Release\pkcs11-list.exe"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\list.bsc" 
-BSC32_SBRS= \
-	
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" /machine:I386 /out:"./Release/pkcs11-list.exe" 
-LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
-
-".\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ELSEIF  "$(CFG)" == "list - Win32 Debug"
-
-OUTDIR=.\Debug
-INTDIR=.\Debug
-# Begin Custom Macros
-OutDir=.\Debug
-# End Custom Macros
-
-ALL : ".\Debug\pkcs11-list.exe" "$(OUTDIR)\list.bsc"
-
-
-CLEAN :
-	-@erase "$(INTDIR)\pkcs11-list.obj"
-	-@erase "$(INTDIR)\pkcs11-list.sbr"
-	-@erase "$(INTDIR)\vc60.idb"
-	-@erase "$(INTDIR)\vc60.pdb"
-	-@erase "$(OUTDIR)\pkcs11-list.pdb"
-	-@erase "$(OUTDIR)\list.bsc"
-	-@erase ".\Debug\pkcs11-list.exe"
-	-@erase ".\Debug\pkcs11-list.ilk"
-	-@$(_VC_MANIFEST_CLEAN)
-
-"$(OUTDIR)" :
-    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-
-CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
-
-.c{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.obj::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.c{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cpp{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-.cxx{$(INTDIR)}.sbr::
-   $(CPP) @<<
-   $(CPP_PROJ) $< 
-<<
-
-RSC=rc.exe
-BSC32=bscmake.exe
-BSC32_FLAGS=/nologo /o"$(OUTDIR)\list.bsc" 
-BSC32_SBRS= "$(INTDIR)\pkcs11-list.sbr"
-
-"$(OUTDIR)\list.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
-    $(BSC32) @<<
-  $(BSC32_FLAGS) $(BSC32_SBRS)
-<<
-
-LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug /machine:I386 /out:"./Debug/pkcs11-list.exe" /pdbtype:sept 
-LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
-
-".\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-    $(LINK32) @<<
-  $(LINK32_FLAGS) $(LINK32_OBJS)
-<<
-    $(_VC_MANIFEST_EMBED_EXE)
-
-!ENDIF 
-
-
-!IF "$(NO_EXTERNAL_DEPS)" != "1"
-!IF EXISTS("list.dep")
-!INCLUDE "list.dep"
-!ELSE 
-!MESSAGE Warning: cannot find "list.dep"
-!ENDIF 
-!ENDIF 
-
-
-!IF "$(CFG)" == "list - Win32 Release" || "$(CFG)" == "list - Win32 Debug"
-SOURCE="..\pkcs11-list.c"
-
-!IF  "$(CFG)" == "list - Win32 Release"
-
-
-"$(INTDIR)\pkcs11-list.obj" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ELSEIF  "$(CFG)" == "list - Win32 Debug"
-
-
-"$(INTDIR)\pkcs11-list.obj"	"$(INTDIR)\pkcs11-list.sbr" : $(SOURCE) "$(INTDIR)"
-	$(CPP) $(CPP_PROJ) $(SOURCE)
-
-
-!ENDIF 
-
-!ENDIF 
-
-####################################################
-# Commands to generate initial empty manifest file and the RC file
-# that references it, and for generating the .res file:
-
-$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
-
-$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
-    type <<$@
-#include 
-1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
-<< KEEP
-
-$(_VC_MANIFEST_BASENAME).auto.manifest :
-    type <<$@
-
-
-
-<< KEEP
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11list.dsp
+!IF "$(CFG)" == ""
+CFG=pk11list - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to pk11list - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "pk11list - Win32 Release" && "$(CFG)" != "pk11list - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "pk11list.mak" CFG="pk11list - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "pk11list - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "pk11list - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "pk11list - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "pk11list - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\pkcs11-list.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-list.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\pkcs11-list.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11list.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-list.exe" 
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
+
+"..\..\..\Build\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "pk11list - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\pkcs11-list.exe" "$(OUTDIR)\pk11list.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\pkcs11-list.obj"
+	-@erase "$(INTDIR)\pkcs11-list.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\pkcs11-list.pdb"
+	-@erase "$(OUTDIR)\pk11list.bsc"
+	-@erase "..\..\..\Build\Debug\pkcs11-list.exe"
+	-@erase "..\..\..\Build\Debug\pkcs11-list.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11list.bsc" 
+BSC32_SBRS= "$(INTDIR)\pkcs11-list.sbr"
+
+"$(OUTDIR)\pk11list.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept 
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"
+
+"..\..\..\Build\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("pk11list.dep")
+!INCLUDE "pk11list.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "pk11list.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "pk11list - Win32 Release" || "$(CFG)" == "pk11list - Win32 Debug"
+SOURCE="..\pkcs11-list.c"
+
+!IF  "$(CFG)" == "pk11list - Win32 Release"
+
+
+"$(INTDIR)\pkcs11-list.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "pk11list - Win32 Debug"
+
+
+"$(INTDIR)\pkcs11-list.obj"	"$(INTDIR)\pkcs11-list.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include 
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+
+
+
+<< KEEP
diff --git a/bin/pkcs11/win32/pkcs11.dsw b/bin/pkcs11/win32/pkcs11.dsw
deleted file mode 100644
index d335fe2f75..0000000000
--- a/bin/pkcs11/win32/pkcs11.dsw
+++ /dev/null
@@ -1,53 +0,0 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "keygen"=".\keygen.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "list"=".\list.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "destroy"=".\destroy.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
diff --git a/bin/pkcs11/win32/setprovider b/win32utils/setpk11provider.pl
similarity index 76%
rename from bin/pkcs11/win32/setprovider
rename to win32utils/setpk11provider.pl
index 5b35b146ca..8df4bb40e7 100644
--- a/bin/pkcs11/win32/setprovider
+++ b/win32utils/setpk11provider.pl
@@ -14,16 +14,16 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setprovider,v 1.2 2009/10/05 13:02:31 fdupont Exp $
+# $Id: setpk11provider.pl,v 1.1 2009/10/06 22:14:13 each Exp $
 
-# setprovider
-# This script sets the provider name in the build scripts.
+# setpk11provider
+# This script sets the PKCS#11 provider name in the build scripts.
 #
-# for instance: setprovider bp201w32HSM
+# for instance: perl setpk11provider bp201w32HSM
 #
 
 if ($#ARGV != 0) {
-	die "Usage: perl setprovider \n"
+	die "Usage: perl setpk11provider \n"
 }
 
 my $provider=$ARGV[0];
@@ -31,9 +31,12 @@ my $provider=$ARGV[0];
 $provider =~ s|\.[dD][lL][lL]$||;
 
 # List of files that need to be updated
-@filelist = ("./keygen.mak", "./keygen.dsp",
-	     "./list.mak", "./list.dsp",
-	     "./destroy.mak", "./destroy.dsp");
+@filelist = ("../bin/pkcs11/win32/pk11keygen.mak",
+             "../bin/pkcs11/win32/pk11keygen.dsp",
+	     "../bin/pkcs11/win32/pk11list.mak",
+             "../bin/pkcs11/win32/pk11list.dsp",
+	     "../bin/pkcs11/win32/pk11destroy.mak",
+             "../bin/pkcs11/win32/pk11destroy.dsp");
 
 # function to replace the provider define
 sub updatefile {

From d1f39121a69b6afa6c0c9e44eceb60910d1d7f81 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 22:58:45 +0000
Subject: [PATCH 274/385] 2707.	[func]		dnssec-keyfromlabel no longer
 require engine name 			to be specified in the label if there
 is a default 			engine or the -E option has been used.  Also,
 it 			now uses default algorithms as dnssec-keygen does 
 		(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). 	
 	[RT #20371]

---
 CHANGES                                |  7 ++++
 bin/dnssec/dnssec-keyfromlabel.c       | 54 ++++++++++++++++++++------
 bin/dnssec/dnssec-keyfromlabel.docbook | 30 +++++++++++---
 bin/dnssec/dnssec-keygen.c             |  4 +-
 4 files changed, 75 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index 086a6ad0b1..cf41bef0b9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+2707.	[func]		dnssec-keyfromlabel no longer require engine name
+			to be specified in the label if there is a default
+			engine or the -E option has been used.  Also, it
+			now uses default algorithms as dnssec-keygen does
+			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
+			[RT #20371]
+
 2706.	[bug]		Loading a zone with a very large NSEC3 salt could
 			trigger an assert. [RT #20368]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 556082230a..a08aacc6f4 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.19 2009/10/06 22:58:45 each Exp $ */
 
 /*! \file */
 
@@ -48,6 +48,9 @@
 const char *program = "dnssec-keyfromlabel";
 int verbose;
 
+#define DEFAULT_ALGORITHM "RSASHA1"
+#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
+
 static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
 			  " NSEC3DSA | NSEC3RSASHA1";
 
@@ -57,22 +60,22 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s -a alg -l label [options] name\n\n",
+	fprintf(stderr, "    %s -l label [options] name\n\n",
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "    -l label: label of the key pair\n");
-#ifdef USE_PKCS11
-	fprintf(stderr, "      (for instance \"pkcs11:foo\"\n");
-#else
-	fprintf(stderr, "    -E enginename\n");
-#endif
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "    -a algorithm: %s\n", algs);
+	fprintf(stderr, "       (default: RSASHA1, or "
+			       "NSEC3RSASHA1 if using -3)\n");
+	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 #ifdef USE_PKCS11
 	fprintf(stderr, "    -E enginename (default: pkcs11)\n");
+#else
+	fprintf(stderr, "    -E enginename\n");
 #endif
 	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
@@ -140,6 +143,7 @@ main(int argc, char **argv) {
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
 	isc_boolean_t	genonly = ISC_FALSE;
+	isc_boolean_t	use_nsec3 = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -153,9 +157,12 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+				"3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
+		case '3':
+			use_nsec3 = ISC_TRUE;
+			break;
 		case 'a':
 			algname = isc_commandline_argument;
 			break;
@@ -301,8 +308,27 @@ main(int argc, char **argv) {
 	if (argc > isc_commandline_index + 1)
 		fatal("extraneous arguments");
 
-	if (algname == NULL)
-		fatal("no algorithm was specified");
+	if (strchr(label, ':') == NULL &&
+	    engine != NULL && strlen(engine) != 0) {
+		char *l;
+		int len;
+
+		len = strlen(label) + strlen(engine) + 2;
+		l = isc_mem_get(mctx, len);
+		snprintf(l, len, "%s:%s", engine, label);
+		label = l;
+	}
+
+	if (algname == NULL) {
+		if (use_nsec3)
+			algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+		else
+			algname = strdup(DEFAULT_ALGORITHM);
+		if (verbose > 0)
+			fprintf(stderr, "no algorithm specified; "
+				"defaulting to %s\n", algname);
+	}
+
 	if (strcasecmp(algname, "RSA") == 0) {
 		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
 				"If you still wish to use RSA (RSAMD5) please "
@@ -318,6 +344,12 @@ main(int argc, char **argv) {
 			options |= DST_TYPE_KEY;
 	}
 
+	if (use_nsec3 &&
+	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
+		fatal("%s is incompatible with NSEC3; "
+		      "do not use the -3 option", algname);
+	}
+
 	if (type != NULL && (options & DST_TYPE_KEY) != 0) {
 		if (strcasecmp(type, "NOAUTH") == 0)
 			flags |= DNS_KEYTYPE_NOAUTH;
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index b80e0b1cae..1b576acad1 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -45,8 +45,9 @@
   
     
       dnssec-keyfromlabel
-      -a algorithm
       -l label
+      
+      
       
       
       
@@ -93,6 +94,11 @@
 	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  
+          
+            If no algorithm is specified, then RSASHA1 will be used by
+            default, unless the  option is specified,
+            in which case NSEC3RSASHA1 will be used instead.
+          
           
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.
@@ -103,12 +109,24 @@
         
       
 
+      
+        -3
+        
+          
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+            If this option is used and no algorithm is explicitly
+            set on the command line, NSEC3RSASHA1 will be used by
+            default.
+          
+        
+      
+
       
         -E engine
         
           
             Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to pcks11.
+            When compiled with PKCS#11 support it defaults to "pcks11".
           
         
       
@@ -117,9 +135,9 @@
         -l label
         
           
-            Specifies the label of keys in the crypto hardware (OpenSSL
-            engine). An example for the pkcs11 engine is pkcs11:foo
-            (note the string pkcs11 is in both E and l options.)
+            Specifies the label of the key pair in the crypto hardware.
+            The label may be preceded by an optional OpenSSL engine name,
+            separated by a colon, as in "pkcs11:keylabel".
           
         
       
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index d1a4efa345..da7f99c238 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-keygen.c,v 1.100 2009/10/06 22:58:45 each Exp $ */
 
 /*! \file */
 
@@ -66,8 +66,6 @@ int verbose;
 #define DEFAULT_ALGORITHM "RSASHA1"
 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
 
-#define DEFAULT_ALGORITHM "RSASHA1"
-
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));

From 552cbf3900765839883aec69c0e84f112aaea1b8 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 6 Oct 2009 23:18:42 +0000
Subject: [PATCH 275/385] auto update

---
 doc/private/branches | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index a79989d263..d11fb0590f 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -259,6 +259,9 @@ rt20257a			new	fdupont	// 2009-09-28 08:58 +0000
 rt20304				new	each	// 2009-09-24 22:57 +0000
 rt20310				new	each	// 2009-09-25 00:29 +0000
 rt20339				new	vjs	// 2009-09-29 20:44 +0000
+rt20369				new	fdupont	// 2009-10-06 08:41 +0000
+rt20369a			new	fdupont	// 2009-10-06 14:25 +0000
+rt20372				new	each	// 2009-10-06 22:08 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 22b23fb59dcedebdb735ec1406d0557225b649ab Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 6 Oct 2009 23:22:51 +0000
Subject: [PATCH 276/385] tbox wants an #include ...

---
 bin/dnssec/dnssec-keyfromlabel.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index a08aacc6f4..9f090c9584 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.19 2009/10/06 22:58:45 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.20 2009/10/06 23:22:51 each Exp $ */
 
 /*! \file */
 
@@ -28,6 +28,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 

From e8fc8c884b44371784805e1e0d3100da403dd3f1 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 6 Oct 2009 23:30:29 +0000
Subject: [PATCH 277/385] newcopyrights

---
 util/copyrights | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/util/copyrights b/util/copyrights
index 51d43a7ffe..22c0fbbcca 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -260,6 +260,15 @@
 ./bin/pkcs11/win32/list.dsp			X	2009
 ./bin/pkcs11/win32/list.dsw			X	2009
 ./bin/pkcs11/win32/list.mak			X	2009
+./bin/pkcs11/win32/pk11destroy.dsp		X	2009
+./bin/pkcs11/win32/pk11destroy.dsw		X	2009
+./bin/pkcs11/win32/pk11destroy.mak		X	2009
+./bin/pkcs11/win32/pk11keygen.dsp		X	2009
+./bin/pkcs11/win32/pk11keygen.dsw		X	2009
+./bin/pkcs11/win32/pk11keygen.mak		X	2009
+./bin/pkcs11/win32/pk11list.dsp			X	2009
+./bin/pkcs11/win32/pk11list.dsw			X	2009
+./bin/pkcs11/win32/pk11list.mak			X	2009
 ./bin/pkcs11/win32/pkcs11.dsw			X	2009
 ./bin/pkcs11/win32/setprovider			PERL	2009
 ./bin/pkcs11/win32/win32.c			C	2009
@@ -2683,6 +2692,7 @@
 ./win32utils/makedefs.pl			PERL	2001,2004,2007,2009
 ./win32utils/makeversion.pl			PERL	2001,2004,2007
 ./win32utils/readme1st.txt			TXT.BRIEF	2001,2003,2004,2005,2007,2008,2009
+./win32utils/setpk11provider.pl			PERL	2009
 ./win32utils/updatelibxml2.pl			PERL	2009
 ./win32utils/updateopenssl.pl			PERL	2006,2007,2009
 ./win32utils/win32-build.txt			TXT.BRIEF	2001,2002,2004,2005,2008,2009

From 2a6d4c9948b3f4f31311bd799d114585a30419a9 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 7 Oct 2009 01:14:42 +0000
Subject: [PATCH 278/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     | 17 +++++++++----
 bin/dnssec/dnssec-keyfromlabel.html  | 36 ++++++++++++++++++----------
 doc/arm/man.ddns-confgen.html        | 10 ++++----
 doc/arm/man.dnssec-keyfromlabel.html | 36 ++++++++++++++++++----------
 doc/arm/man.dnssec-keygen.html       | 16 ++++++-------
 doc/arm/man.dnssec-revoke.html       | 10 ++++----
 doc/arm/man.dnssec-settime.html      | 14 +++++------
 doc/arm/man.dnssec-signzone.html     | 12 +++++-----
 doc/arm/man.named-checkconf.html     | 12 +++++-----
 doc/arm/man.named-checkzone.html     | 12 +++++-----
 doc/arm/man.named.html               | 16 ++++++-------
 doc/arm/man.nsupdate.html            | 14 +++++------
 doc/arm/man.rndc-confgen.html        | 12 +++++-----
 doc/arm/man.rndc.conf.html           | 12 +++++-----
 doc/arm/man.rndc.html                | 12 +++++-----
 15 files changed, 137 insertions(+), 104 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index f964242238..37719b1ace 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.12 2009/10/06 01:14:41 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.13 2009/10/07 01:14:42 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 dnssec\-keyfromlabel \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keyfromlabel\fR
@@ -49,19 +49,28 @@ Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
 must be one of RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
 .sp
+If no algorithm is specified, then RSASHA1 will be used by default, unless the
+\fB\-3\fR
+option is specified, in which case NSEC3RSASHA1 will be used instead.
+.sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
 .sp
 Note 2: DH automatically sets the \-k flag.
 .RE
 .PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
+.RE
+.PP
 \-E \fIengine\fR
 .RS 4
-Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to pcks11.
+Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pcks11".
 .RE
 .PP
 \-l \fIlabel\fR
 .RS 4
-Specifies the label of keys in the crypto hardware (OpenSSL engine). An example for the pkcs11 engine is pkcs11:foo (note the string pkcs11 is in both E and l options.)
+Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
 .RE
 .PP
 \-n \fInametype\fR
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index bcc07c970e..4121f82eab 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -28,10 +28,10 @@
 
    
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -44,7 +44,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -54,6 +54,11 @@
 	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  
    
+
    
+            If no algorithm is specified, then RSASHA1 will be used by
+            default, unless the -3 option is specified,
+            in which case NSEC3RSASHA1 will be used instead.
+          
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.
@@ -62,16 +67,23 @@
             Note 2: DH automatically sets the -k flag.
           
    
 
    
+
    -3
    
+
    
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+            If this option is used and no algorithm is explicitly
+            set on the command line, NSEC3RSASHA1 will be used by
+            default.
+          
    
 
    -E engine
    
 
    
             Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to pcks11.
+            When compiled with PKCS#11 support it defaults to "pcks11".
           
    
 
    -l label
    
 
    
-            Specifies the label of keys in the crypto hardware (OpenSSL
-            engine). An example for the pkcs11 engine is pkcs11:foo
-            (note the string pkcs11 is in both E and l options.)
+            Specifies the label of the key pair in the crypto hardware.
+            The label may be preceded by an optional OpenSSL engine name,
+            separated by a colon, as in "pkcs11:keylabel".
           
    
 
    -n nametype
    
 
    
@@ -141,7 +153,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -188,7 +200,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -227,7 +239,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -237,7 +249,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 64a7374cf0..52c8f186f4 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 920367f1d5..d338bb79c5 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-keyfromlabel  {-a algorithm} {-l label} [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
+
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -73,6 +73,11 @@
 	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 	    These values are case insensitive.
 	  
    
+
    
+            If no algorithm is specified, then RSASHA1 will be used by
+            default, unless the -3 option is specified,
+            in which case NSEC3RSASHA1 will be used instead.
+          
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
             algorithm, and DSA is recommended.
@@ -81,16 +86,23 @@
             Note 2: DH automatically sets the -k flag.
           
    
 
    
+
    -3
    
+
    
+	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
+            If this option is used and no algorithm is explicitly
+            set on the command line, NSEC3RSASHA1 will be used by
+            default.
+          
    
 
    -E engine
    
 
    
             Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to pcks11.
+            When compiled with PKCS#11 support it defaults to "pcks11".
           
    
 
    -l label
    
 
    
-            Specifies the label of keys in the crypto hardware (OpenSSL
-            engine). An example for the pkcs11 engine is pkcs11:foo
-            (note the string pkcs11 is in both E and l options.)
+            Specifies the label of the key pair in the crypto hardware.
+            The label may be preceded by an optional OpenSSL engine name,
+            separated by a colon, as in "pkcs11:keylabel".
           
    
 
    -n nametype
    
 
    
@@ -160,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -207,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -246,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -256,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 0ab8a868b3..fc1c5e691e 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 91b3b04f9f..5d4c23bba0 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 43c7752c56..a13a6c4a97 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 401e43e702..4f8cb5e589 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -386,7 +386,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -415,14 +415,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index db8f7e54b8..8ed6506f46 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 441766efdd..a97c9e0427 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index b5a1573440..eb774223a1 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 721a3a0488..6e1ceb4760 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index b06f84631a..a30cd46592 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 1dbc627b7b..a2085610d6 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 33947f6bd5..6ff7d82b05 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 169b90030306de3abf0680e1ff13c2964e571317 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 7 Oct 2009 04:55:15 +0000
Subject: [PATCH 279/385] new draft

---
 ...ft-ietf-dnsext-dns-tcp-requirements-00.txt | 448 ++++++++++++++++++
 1 file changed, 448 insertions(+)
 create mode 100644 doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt

diff --git a/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt
new file mode 100644
index 0000000000..c1dc5fbcd8
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt
@@ -0,0 +1,448 @@
+
+
+
+DNSEXT                                                         R. Bellis
+Internet-Draft                                                Nominet UK
+Updates: 1123, 1035                                      October 6, 2009
+(if approved)
+Intended status: Standards Track
+Expires: April 9, 2010
+
+
+                         DNS Transport over TCP
+               draft-ietf-dnsext-dns-tcp-requirements-00
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on April 9, 2010.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document updates the requirements for the support of the TCP
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 1]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+   protocol for the transport of DNS traffic.
+
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
+
+   2.  Terminology used in this document . . . . . . . . . . . . . . . 3
+
+   3.  Discussion  . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+
+   4.  Transport Protocol Selection  . . . . . . . . . . . . . . . . . 4
+
+   5.  Dormant Connection Handling . . . . . . . . . . . . . . . . . . 5
+
+   6.  Response re-ordering  . . . . . . . . . . . . . . . . . . . . . 6
+
+   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
+
+   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+
+   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
+     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
+
+   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . . . 7
+
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 7
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 2]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+1.  Introduction
+
+   Most DNS [RFC1035] transactions take place over the UDP [RFC0792]
+   protocol.  The TCP [RFC0793] protocol is used for zone transfers and
+   is supported by some implementations for the transfer of other
+   packets which exceed the protocol's original 512 byte packet-size
+   limit.
+
+   Section 6.1.3.2 of [RFC1123] states:
+
+      DNS resolvers and recursive servers MUST support UDP, and SHOULD
+      support TCP, for sending (non-zone-transfer) queries.
+
+   This document normatively updates the core DNS protocol
+   specifications such that (except in very limited circumstances)
+   support for the TCP protocol is henceforth REQUIRED.
+
+
+2.  Terminology used in this document
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+3.  Discussion
+
+   Some implementors have taken the [RFC1123] text quoted above to mean
+   that TCP support is truly optional for typical DNS operation.
+
+   However, whilst RFC 1123 predates the current RFC 2119 terminology
+   document it uses exactly the same text:
+
+      SHOULD - This word, or the adjective "RECOMMENDED", mean that
+      there may exist valid reasons in particular circumstances to
+      ignore a particular item, but the full implications must be
+      understood and carefully weighed before choosing a different
+      course.
+
+   In the absence of EDNS0 (see below) the normal behaviour of any DNS
+   server needing to send a UDP response that exceeds that 512 limit is
+   for the server to truncate the response at the 512 byte limit and set
+   the TC flag in the response header.  When the client receives such a
+   response it takes the TC flag as notice that it should retry over TCP
+   instead.
+
+   RFC 1123 also says:
+
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 3]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+
+      ... it is also clear that some new DNS record types defined in the
+      future will contain information exceeding the 512 byte limit that
+      applies to UDP, and hence will require TCP.  Thus, resolvers and
+      name servers should implement TCP services as a backup to UDP
+      today, with the knowledge that they will require the TCP service
+      in the future.
+
+   Existing deployments of DNSSEC [RFC4033] have shown that truncation
+   at the 512 byte boundary is now commonplace.  For example an NXDOMAIN
+   (RCODE == 3) response from a DNSSEC signed zone using NSEC3 [RFC5155]
+   is almost invariably longer than 512 bytes.
+
+   Since the original core specifications for DNS were written the
+   Extension Mechanisms for DNS EDNS0 [RFC2671] have been introduced.
+   These extensions can be used to indicate that the client is prepared
+   to receive UDP responses longer than 512 bytes.  An EDNS0 compatible
+   server receiving a request from an EDNS0 compatible client may send
+   UDP packets up to that client's announced buffer size without
+   truncation.
+
+   However, transport of UDP packets which exceed the size of the path
+   MTU has been found to be unreliable in some circumstances because of
+   IP packet fragmentation.  Many firewalls routinely block fragmented
+   IP packets, and some implementations lack the software logic
+   necessary to reassemble a fragmented datagram.  Worse still, some
+   devices deliberately refuse to handle DNS packets containing EDNS0
+   options.  Other issues relating to UDP transport and packet size are
+   discussed in [RFC5625].
+
+   The MTU most commonly found in the core of the Internet is around
+   1500 bytes, and even that limit is routinely exceeded by DNSSEC
+   signed responses.
+
+   The future that was anticipated in RFC 1123 is now here, and the only
+   standardised mechanism which may have resolved the packet size issue
+   has been found inadequate.
+
+
+4.  Transport Protocol Selection
+
+   On a case by case basis, authoritative DNS server operators MAY elect
+   to disable DNS transport over TCP if all of the conditions below are
+   satisfied:
+
+   o  the server is authoritative
+
+
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 4]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+   o  the server does not support AXFR
+   o  the server does not support DNSSEC
+   o  all requests and responses are guaranteed to be <= 512 bytes
+
+   A general purpose stub resolver implementation (e.g. an operating
+   system's DNS resolution library) MUST support TCP since to do
+   otherwise would limit its interoperability with its own clients and
+   with upstream servers.
+
+   A proprietary stub resolver implementation MAY omit support for TCP
+   if it is operating in an environment where truncation will not occur,
+   or if it is prepared to accept a DNS lookup failure should truncation
+   occur.
+
+   A recursive resolver or forwarder MUST support TCP so that it does
+   not prevent long responses from a TCP-capable server from reaching
+   its TCP-capable clients.
+
+   Otherwise, all DNS implementations MUST support TCP transport.
+
+   Regarding the choice of when to use UDP or TCP, RFC 1123 says:
+
+      ... a DNS resolver or server that is sending a non-zone-transfer
+      query MUST send a UDP query first.
+
+   This requirement is no longer mandatory.  A resolver SHOULD send a
+   UDP query first, but MAY elect to send a TCP query instead if it has
+   good reason to expect the response would be truncated if it were sent
+   over UDP, or other operational considerations suggest otherwise.
+
+
+5.  Dormant Connection Handling
+
+   Section 4.2.2 of [RFC1035] says:
+
+      If the server needs to close a dormant connection to reclaim
+      resources, it should wait until the connection has been idle for a
+      period on the order of two minutes.
+
+   Other more modern protocols (e.g.  HTTP [RFC2616]) have support for
+   persistent TCP connections and operational experience has shown that
+   long timeouts can easily cause resource exhaustion and poor response
+   under heavy load.  Intentionally opening many connections and leaving
+   them dormant can trivially create a "denial of service" attack.
+
+   This document therefore RECOMMENDS that the idle period should be of
+   the order of TBD seconds.  With modern high performance networks 2 to
+   4 seconds should be sufficient to allow significant numbers (i.e.
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 5]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+   thousands) of concurrent dormant connections without impacting
+   service performance.
+
+   Servers MAY allow idle connections to remain open for longer periods,
+   but for the avoidance of doubt persistent DNS connections should
+   generally be considered to be as much for the server's benefit as for
+   the client's.  Therefore if the server needs to unilaterally close a
+   dormant TCP connection it MUST be free to do so whenever required.
+
+
+6.  Response re-ordering
+
+   [Potential text to be added regarding whether TCP responses can come
+   back in a different order to requests.  I'm not aware whether this is
+   specified anywhere]
+
+
+7.  Security Considerations
+
+   Some DNS server operators have expressed concern that wider use of
+   DNS over TCP will expose them to a higher risk of "denial of service"
+   attacks.
+
+   Many large authoritative DNS operators including all but one of the
+   root servers and the vast majority of TLDs already support TCP and
+   attacks against them are infrequent and very rarely successful.
+
+   Operators of recursive servers should ensure that they only accept
+   connections from expected clients, and do not accept them from
+   unknown sources.  In the case of UDP traffic this will protect
+   against reflector attacks [RFC5358] and in the case of TCP traffic it
+   will prevent an unknown client from exhausting the server's limits on
+   the number of concurrent connections.
+
+
+8.  IANA Considerations
+
+   This document requests no IANA actions.
+
+
+9.  References
+
+9.1.  Normative References
+
+   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
+              RFC 792, September 1981.
+
+   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 6]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+              RFC 793, September 1981.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
+              and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+              RFC 2671, August 1999.
+
+9.2.  Informative References
+
+   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
+              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
+   [RFC5358]  Damas, J. and F. Neves, "Preventing Use of Recursive
+              Nameservers in Reflector Attacks", BCP 140, RFC 5358,
+              October 2008.
+
+   [RFC5625]  Bellis, R., "DNS Proxy Implementation Guidelines",
+              BCP 152, RFC 5625, August 2009.
+
+
+Appendix A.  Change Log
+
+   NB: to be removed by the RFC Editor before publication.
+
+   draft-ietf-dnsext-dns-tcp-requirements-00
+      Initial draft
+
+
+
+
+
+
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 7]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+Author's Address
+
+   Ray Bellis
+   Nominet UK
+   Edmund Halley Road
+   Oxford  OX4 4DQ
+   United Kingdom
+
+   Phone: +44 1865 332211
+   Email: ray.bellis@nominet.org.uk
+   URI:   http://www.nominet.org.uk/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bellis                    Expires April 9, 2010                 [Page 8]
+

From 28479307225582ad0b2e11441d85fcf5169551d0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 8 Oct 2009 23:13:07 +0000
Subject: [PATCH 280/385] 2708.   [func]          Insecure to secure and NSEC3
 parameter changes via                         update are now fully supported
 and no longer require                         defines to enable.  We now no
 longer overload the                         NSEC3PARAM flag field, nor the
 NSEC OPT bit at the                         apex.  Secure to insecure changes
 are controlled by                         by the named.conf option
 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.
---
 CHANGES                         |  13 +
 NSEC3-NOTES                     |  42 +-
 README                          |   5 +
 bin/named/config.c              |   3 +-
 bin/named/named.conf.docbook    |   5 +-
 bin/named/update.c              | 442 +++++++++++--------
 bin/named/zoneconf.c            |   8 +-
 doc/arm/Bv9ARM-book.xml         |  25 +-
 lib/bind9/check.c               |  15 +-
 lib/dns/Makefile.in             |   4 +-
 lib/dns/db.c                    |   6 +-
 lib/dns/include/dns/Makefile.in |  18 +-
 lib/dns/include/dns/nsec3.h     |  50 ++-
 lib/dns/include/dns/rdata.h     |  20 +-
 lib/dns/include/dns/zone.h      |   3 +-
 lib/dns/nsec3.c                 | 301 +++++++++++--
 lib/dns/rbtdb.c                 |  38 +-
 lib/dns/rdata.c                 |  19 +-
 lib/dns/sdb.c                   |   4 +-
 lib/dns/win32/libdns.def        |  12 +-
 lib/dns/win32/libdns.dsp        |   8 +
 lib/dns/win32/libdns.mak        |  25 ++
 lib/dns/zone.c                  | 759 ++++++++++++++++++++------------
 lib/isccfg/namedconf.c          |   3 +-
 24 files changed, 1248 insertions(+), 580 deletions(-)

diff --git a/CHANGES b/CHANGES
index cf41bef0b9..6b350d3b3f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,16 @@
+2708.	[func]		Insecure to secure and NSEC3 parameter changes via
+			update are now fully supported and no longer require
+			defines to enable.  We now no longer overload the
+			NSEC3PARAM flag field, nor the NSEC OPT bit at the
+			apex.  Secure to insecure changes are controlled by
+			by the named.conf option 'secure-to-insecure'.
+
+			Warning: If you had previously enabled support by
+			adding defines at compile time to BIND 9.6 you should
+			ensure that all changes that are in progress have
+			completed prior to upgrading to BIND 9.7.  BIND 9.7
+			is not backwards compatible.
+
 2707.	[func]		dnssec-keyfromlabel no longer require engine name
 			to be specified in the label if there is a default
 			engine or the -E option has been used.  Also, it
diff --git a/NSEC3-NOTES b/NSEC3-NOTES
index 98f25be292..e35ff4a5d7 100644
--- a/NSEC3-NOTES
+++ b/NSEC3-NOTES
@@ -32,18 +32,36 @@ generated as part of the initial signing process.
 
 While the update request will complete almost immediately the zone
 will not be completely signed until named has had time to walk the
-zone and generate the NSEC and RRSIG records.  Initially the NSEC
-record at the zone apex will have the OPT bit set.  When the NSEC
-chain is complete the OPT bit will be cleared.  Additionally when
-the zone is fully signed the private type (default TYPE65534) records
-will have a non zero value for the final octet. 
+zone and generate the NSEC and RRSIG records.  The NSEC record at the
+apex will be added last to signal that there is a complete NSEC chain.
+Additionally when the zone is fully signed the private type (default
+TYPE65534) records will have a non zero value for the final octet for
+those record with a none zero initial octet.
+
+The private type record format:
+If the first octet is non-zero then the record indicates that the zone needs
+to be signed with the key matching the record or that all signatures that
+match the record should be removed.
 
-The private type record has 5 octets.
 	algorithm (octet 1)
 	key id in network order (octet 2 and 3)
 	removal flag (octet 4)
 	complete flag (octet 5)
 
+Only records with the complete flag set can be removed via nsupdate.
+Attempts to remove other private type records will be silently ignored.
+
+If the first octet is zero (this is a reserved algorithm number
+that should never appear in a DNSKEY record) then the record indicates
+changes to the NSEC3 chains are in progress.  The rest of the record
+contains a NSEC3PARAM record.  The flag field tells what operation
+to perform based on the flag bits.
+
+	0x01 OPTOUT
+	0x80 CREATE
+	0x40 REMOVE
+	0x20 NONSEC
+
 If you wish to go straight to a secure zone using NSEC3 you should
 also add a NSECPARAM record to the update request with the flags
 field set to indicate whether the NSEC3 chain will have the OPTOUT
@@ -56,10 +74,11 @@ bit set or not.
 	> update add example.net NSEC3PARAM 1 1 100 1234567890
 	> send
 
-Again the update request will complete almost immediately however the
-NSEC3PARAM record will have additional flag bits set indicating that the
-NSEC3 chain is under construction.  When the NSEC3 chain is complete the
-flags field will be set to zero. 
+Again the update request will complete almost immediately however
+the record won't show up or be deleted until named has had a chance
+to build/remove the relevent chain.  A private type record will be
+created to record the operatation and will be removed once the
+operation completes.
 
 While the initial signing and NSEC/NSEC3 chain generation is happening
 other updates are possible.
@@ -109,7 +128,8 @@ NSEC chain will be generated before the NSEC3 chain is removed.
 
 To do this remove all the DNSKEY records.  Any NSEC or NSEC3 chains
 will be removed as well as associated NSEC3PARAM records.  This will
-take place after the update requests completes.
+take place after the update requests completes.  This requires
+secure-to-insecure to be set in named.conf.
 
 		Periodic re-signing.
 
diff --git a/README b/README
index 21ce41ce27..526f1df317 100644
--- a/README
+++ b/README
@@ -73,6 +73,11 @@ BIND 9.7.0
         - Improved PKCS#11 support, including Keyper support and explicit
           OpenSSL engine selection (see README.pkcs11 for additional details).
 
+	Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+	ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
+	you should ensure that all changes that are in progress have completed
+	prior to upgrading to BIND 9.7.  BIND 9.7 is not backwards compatible.
+
 BIND 9.6.0
 
         BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
diff --git a/bin/named/config.c b/bin/named/config.c
index 3d72c5573d..5b8abd6d9d 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.101 2009/09/01 07:14:25 each Exp $ */
+/* $Id: config.c,v 1.102 2009/10/08 23:13:05 marka Exp $ */
 
 /*! \file */
 
@@ -185,6 +185,7 @@ options {\n\
 	max-refresh-time 2419200; /* 4 weeks */\n\
 	min-refresh-time 300;\n\
 	multi-master no;\n\
+	secure-to-insecure no;\n\
 	sig-validity-interval 30; /* days */\n\
 	sig-signing-nodes 100;\n\
 	sig-signing-signatures 10;\n\
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index a4a8044d04..ddf3ee4996 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -340,6 +340,7 @@ options {
 	try-tcp-refresh boolean;
 	zero-no-soa-ttl boolean;
 	zero-no-soa-ttl-cache boolean;
+	secure-to-insecure boolean;
 
 	nsec3-test-zone boolean;  // testing only
 
@@ -499,6 +500,7 @@ view string optional_class
 	key-directory quoted_string;
 	zero-no-soa-ttl boolean;
 	zero-no-soa-ttl-cache boolean;
+	secure-to-insecure boolean;
 
 	allow-v6-synthesis { address_match_element; ... }; // obsolete
 	fetch-glue boolean; // obsolete
@@ -533,6 +535,7 @@ zone string optional_class
 	ixfr-from-differences boolean;
 	journal quoted_string;
 	zero-no-soa-ttl boolean;
+	secure-to-insecure boolean;
 
 	allow-query { address_match_element; ... };
 	allow-query-on { address_match_element; ... };
diff --git a/bin/named/update.c b/bin/named/update.c
index ea61500e5c..b6b288e4f9 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.159 2009/08/17 07:18:41 marka Exp $ */
+/* $Id: update.c,v 1.160 2009/10/08 23:13:05 marka Exp $ */
 
 #include 
 
@@ -38,6 +38,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -1211,8 +1212,8 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		 * Replace records added in this UPDATE request.
 		 */
 		if (db_rr->data[0] == update_rr->data[0] &&
-		    db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
-		    update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+		    (db_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
+		    (update_rr->data[1] & DNS_NSEC3FLAG_UPDATE) != 0 &&
 		    memcmp(db_rr->data+2, update_rr->data+2,
 			   update_rr->length - 2) == 0)
 			return (ISC_TRUE);
@@ -1717,35 +1718,6 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
-static isc_boolean_t
-has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdataset_t rdataset;
-	isc_boolean_t has_bit = ISC_FALSE;
-
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
-				  dns_rdatatype_none, 0, &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-	has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	return (has_bit);
-}
-
-static void
-set_bit(unsigned char *array, unsigned int index) {
-	unsigned int shift, bit;
-
-	shift = 7 - (index % 8);
-	bit = 1 << shift;
-
-	array[index / 8] |= bit;
-}
-
 /*%
  * Add a NSEC record for "name", recording the change in "diff".
  * The existing NSEC is removed.
@@ -1777,24 +1749,6 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
 	dns_rdata_init(&rdata);
 	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
-	/*
-	 * Preserve the status of the OPT bit in the origin's NSEC record.
-	 */
-	if (dns_name_equal(dns_db_origin(db), name) &&
-	    has_opt_bit(db, ver, node))
-	{
-			isc_region_t region;
-			dns_name_t next;
-
-			dns_name_init(&next, NULL);
-			dns_rdata_toregion(&rdata, ®ion);
-			dns_name_fromregion(&next, ®ion);
-			isc_region_consume(®ion, next.length);
-			INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
-			       region.base[0] == 0 &&
-			       region.base[1] > dns_rdatatype_opt / 8);
-			set_bit(region.base + 2, dns_rdatatype_opt);
-	}
 	dns_db_detachnode(db, &node);
 
 	/*
@@ -2129,7 +2083,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_diff_t sig_diff;
 	dns_diff_t nsec_diff;
 	dns_diff_t nsec_mindiff;
-	isc_boolean_t flag;
+	isc_boolean_t flag, build_nsec, build_nsec3;
 	dst_key_t *zone_keys[MAXZONEKEYS];
 	unsigned int nkeys = 0;
 	unsigned int i;
@@ -2142,6 +2096,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	isc_boolean_t check_ksk;
 	isc_boolean_t unsecure;
 	isc_boolean_t cut;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
@@ -2288,12 +2243,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		   "removed any orphaned NSEC records");
 
 	/*
-	 * If we don't have a NSEC record at the origin then we need to
-	 * update the NSEC3 records.
+	 * See if we need to build NSEC or NSEC3 chains.
 	 */
-	CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
-			   0, &flag));
-	if (!flag)
+	CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec)
 		goto update_nsec3;
 
 	update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
@@ -2397,13 +2351,18 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					dns_rdatatype_any, 0, NULL, diff));
 		} else {
 			/*
-			 * This name is not obscured.  It should have a NSEC.
+			 * This name is not obscured.  It should have a NSEC
+			 * unless it is the at the origin, in which case it
+			 * should already exist.
 			 */
-			CHECK(rrset_exists(db, newver, name,
-					   dns_rdatatype_nsec, 0, &flag));
-			if (! flag)
-				CHECK(add_placeholder_nsec(db, newver, name,
-							   diff));
+			if (!dns_name_equal(name, dns_db_origin(db))) {
+				CHECK(dns_private_chains(db, newver,
+							 privatetype, &flag,
+							 NULL));
+				if (flag)
+					CHECK(add_placeholder_nsec(db, newver,
+								   name, diff));
+			}
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
 					       inception, expire, check_ksk));
@@ -2490,13 +2449,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
 	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
 
-	/*
-	 * Check if we have any active NSEC3 chains by looking for a
-	 * NSEC3PARAM RRset.
-	 */
-	CHECK(rrset_exists(db, newver, dns_db_origin(db),
-			   dns_rdatatype_nsec3param, 0, &flag));
-	if (!flag) {
+	if (!build_nsec3) {
 		update_log(client, zone, ISC_LOG_DEBUG(3),
 			   "no NSEC3 chains to rebuild");
 		goto failure;
@@ -2520,6 +2473,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 		isc_boolean_t ns_existed, dname_existed;
 		isc_boolean_t ns_exists, dname_exists;
+		isc_boolean_t exists, existed;
 
 		if (t->rdata.type == dns_rdatatype_nsec ||
 		    t->rdata.type == dns_rdatatype_rrsig) {
@@ -2538,7 +2492,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
 				   &dname_exists));
 
-		if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+		exists = ns_exists || dname_exists;
+		existed = ns_existed || dname_existed;
+		if (exists == existed)
 			goto nextname;
 		/*
 		 * There was a delegation change.  Mark all subdomains
@@ -2562,14 +2518,15 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (!flag) {
 			CHECK(delete_if(rrsig_p, db, newver, name,
 					dns_rdatatype_any, 0, NULL, diff));
-			CHECK(dns_nsec3_delnsec3s(db, newver, name,
-						  &nsec_diff));
+			CHECK(dns_nsec3_delnsec3sx(db, newver, name,
+						   privatetype, &nsec_diff));
 		} else {
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
 					       inception, expire, check_ksk));
-			CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
-						  unsecure, &nsec_diff));
+			CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
+						   unsecure, privatetype,
+						   &nsec_diff));
 		}
 	}
 
@@ -2960,7 +2917,9 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 static isc_result_t
-get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
+	       unsigned int *iterationsp)
+{
 	dns_dbnode_t *node = NULL;
 	dns_rdata_nsec3param_t nsec3param;
 	dns_rdataset_t rdataset;
@@ -2974,9 +2933,8 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
 		return (result);
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, (isc_stdtime_t) 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
 	if (result == ISC_R_NOTFOUND)
-		goto success;
+		goto try_private;
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
@@ -2994,11 +2952,46 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
 	if (result != ISC_R_NOMORE)
 		goto failure;
 
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+
+	result = dns_db_findrdataset(db, node, ver, privatetype,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (nsec3param.iterations > iterations)
+			iterations = nsec3param.iterations;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
  success:
 	*iterationsp = iterations;
 	result = ISC_R_SUCCESS;
 
  failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	return (result);
@@ -3018,18 +3011,19 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	isc_boolean_t flag;
 	isc_result_t result;
 	unsigned int iterations = 0, max;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
 	dns_diff_init(diff->mctx, &temp_diff);
 
 	CHECK(dns_nsec_nseconly(db, ver, &flag));
 
 	if (flag)
-		CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
+		CHECK(dns_nsec3_activex(db, ver, ISC_FALSE, privatetype, &flag));
 	if (flag) {
 		update_log(client, zone, ISC_LOG_WARNING,
 			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
 	} else {
-		CHECK(get_iterations(db, ver, &iterations));
+		CHECK(get_iterations(db, ver, privatetype, &iterations));
 		CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
 		if (iterations > max) {
 			flag = ISC_TRUE;
@@ -3068,21 +3062,22 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
-#ifdef ALLOW_NSEC3PARAM_UPDATE
 /*
  * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
  */
 static isc_result_t
 add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
-		       dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
+		       dns_dbversion_t *ver, dns_diff_t *diff)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_difftuple_t *tuple, *newtuple = NULL, *next;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
 	dns_diff_t temp_diff;
 	dns_diffop_t op;
 	isc_boolean_t flag;
+	dns_name_t *name = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);;
 
 	update_log(client, zone, ISC_LOG_DEBUG(3),
 		    "checking for NSEC3PARAM changes");
@@ -3140,12 +3135,10 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			/*
 			 * See if we already have a CREATE request in progress.
 			 */
-			dns_rdata_clone(&tuple->rdata, &rdata);
-			INSIST(rdata.length <= sizeof(buf));
-			memcpy(buf, rdata.data, rdata.length);
-			buf[1] |= DNS_NSEC3FLAG_CREATE;
-			buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
-			rdata.data = buf;
+			dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+						 privatetype, buf, sizeof(buf));
+			buf[2] |= DNS_NSEC3FLAG_CREATE;
+			buf[2] &= ~DNS_NSEC3FLAG_UPDATE;
 
 			CHECK(rr_exists(db, ver, name, &rdata, &flag));
 
@@ -3157,6 +3150,7 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 							   &newtuple));
 				CHECK(do_one_tuple(&newtuple, db, ver, diff));
 			}
+
 			/*
 			 * Remove the temporary add record.
 			 */
@@ -3199,11 +3193,9 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		/*
 		 * See if we already have a REMOVE request in progress.
 		 */
-		dns_rdata_clone(&tuple->rdata, &rdata);
-		INSIST(rdata.length <= sizeof(buf));
-		memcpy(buf, rdata.data, rdata.length);
-		buf[1] |= DNS_NSEC3FLAG_REMOVE;
-		rdata.data = buf;
+		dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+					 privatetype, buf, sizeof(buf));
+		buf[2] |= DNS_NSEC3FLAG_REMOVE;
 
 		CHECK(rr_exists(db, ver, name, &rdata, &flag));
 
@@ -3227,15 +3219,74 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_diff_clear(&temp_diff);
 	return (result);
 }
-#endif
+
+static isc_result_t
+rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
+		 dns_dbversion_t *ver, dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_name_t *name = dns_db_origin(db);
+	isc_mem_t *mctx = diff->mctx;
+	isc_result_t result;
+
+	if (privatetype == 0)
+		return (ISC_R_SUCCESS);
+
+	dns_diff_init(mctx, &temp_diff);
+
+	/*
+	 * Extract the changes to be rolled back.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = next) {
+
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != privatetype ||
+		    !dns_name_equal(name, &tuple->name))
+			continue;
+
+		/*
+		 * Allow records which indicate that a zone has been
+		 * signed with a DNSKEY to be be removed.
+		 */
+		if (tuple->op == DNS_DIFFOP_DEL &&
+		    tuple->rdata.length == 5 &&
+		    tuple->rdata.data[0] != 0 &&
+		    tuple->rdata.data[4] != 0)
+			continue;
+
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
+	}
+
+	/*
+	 * Rollback the changes.
+	 */
+	while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
+		op = (tuple->op == DNS_DIFFOP_DEL) ?
+		      DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+		CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
+					   &tuple->rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+	}
+	result = ISC_R_SUCCESS;
+
+ failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
 
 /*
  * Add records to cause the delayed signing of the zone by added DNSKEY
  * to remove the RRSIG records generated by a deleted DNSKEY.
  */
 static isc_result_t
-add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
-		    dns_rdatatype_t privatetype, dns_diff_t *diff)
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+		    dns_dbversion_t *ver, dns_diff_t *diff)
 {
 	dns_difftuple_t *tuple, *newtuple = NULL;
 	dns_rdata_dnskey_t dnskey;
@@ -3245,6 +3296,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_uint16_t keyid;
 	unsigned char buf[5];
+	dns_name_t *name = dns_db_origin(db);
 
 	for (tuple = ISC_LIST_HEAD(diff->tuples);
 	     tuple != NULL;
@@ -3259,6 +3311,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 			continue;
 
 		dns_rdata_toregion(&tuple->rdata, &r);
+
 		keyid = dst_region_computeid(&r, dnskey.algorithm);
 
 		buf[0] = dnskey.algorithm;
@@ -3295,13 +3348,12 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 	return (result);
 }
 
-#ifdef ALLOW_NSEC3PARAM_UPDATE
 /*
  * Mark all NSEC3 chains for deletion without creating a NSEC chain as
  * a side effect of deleting the last chain.
  */
 static isc_result_t
-delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_zone_t *zone,
 	      dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL;
@@ -3311,7 +3363,9 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_rdataset_t rdataset;
 	isc_boolean_t flag;
 	isc_result_t result = ISC_R_SUCCESS;
-	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
 	dns_name_init(&next, NULL);
 	dns_rdataset_init(&rdataset);
@@ -3325,6 +3379,47 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	 */
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		dns_nsec3param_toprivate(&rdata, &private, privatetype,
+					 buf, sizeof(buf));
+		buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+
+		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &rdata, &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND)
 		goto success;
 	if (result != ISC_R_SUCCESS)
@@ -3337,18 +3432,18 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 		INSIST(rdata.length <= sizeof(buf));
 		memcpy(buf, rdata.data, rdata.length);
 
-		if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
+		if (buf[0] != 0 ||
+		    buf[2] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
 			dns_rdata_reset(&rdata);
 			continue;
 		}
 
-		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
-					   origin, 0, &rdata, &tuple));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   0, &rdata, &tuple));
 		CHECK(do_one_tuple(&tuple, db, ver, diff));
 		INSIST(tuple == NULL);
 
-		buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
-		rdata.data = buf;
+		buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
 
 		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
 
@@ -3371,7 +3466,20 @@ delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
 	dns_db_detachnode(db, &node);
 	return (result);
 }
-#endif
+
+static isc_boolean_t
+isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
+	isc_result_t result;
+	isc_boolean_t build_nsec, build_nsec3;
+
+	if (dns_db_issecure(db))
+		return (ISC_TRUE);
+	
+	result = dns_private_chains(db, ver, privatetype,
+				    &build_nsec, &build_nsec3);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	return (build_nsec || build_nsec3);
+}
 
 static void
 update_action(isc_task_t *task, isc_event_t *event) {
@@ -3398,12 +3506,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t deleted_zsk;
 	dns_difftuple_t *tuple;
 	dns_rdata_dnskey_t dnskey;
-#ifdef ALLOW_NSEC3PARAM_UPDATE
 	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-#endif
-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
 	isc_boolean_t had_dnskey;
-#endif
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
@@ -3600,27 +3705,26 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				   update_class);
 			FAIL(DNS_R_FORMERR);
 		}
+
 		/*
 		 * draft-ietf-dnsind-simple-secure-update-01 says
 		 * "Unlike traditional dynamic update, the client
 		 * is forbidden from updating NSEC records."
 		 */
-		if (dns_db_issecure(db)) {
-			if (rdata.type == dns_rdatatype_nsec3) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit NSEC3 updates are not allowed "
-				      "in secure zones");
-			} else if (rdata.type == dns_rdatatype_nsec) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit NSEC updates are not allowed "
-				      "in secure zones");
-			} else if (rdata.type == dns_rdatatype_rrsig &&
-				   !dns_name_equal(name, zonename)) {
-				FAILC(DNS_R_REFUSED,
-				      "explicit RRSIG updates are currently "
-				      "not supported in secure zones except "
-				      "at the apex");
-			}
+		if (rdata.type == dns_rdatatype_nsec3) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit NSEC3 updates are not allowed "
+			      "in secure zones");
+		} else if (rdata.type == dns_rdatatype_nsec) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit NSEC updates are not allowed "
+			      "in secure zones");
+		} else if (rdata.type == dns_rdatatype_rrsig &&
+			   !dns_name_equal(name, zonename)) {
+			FAILC(DNS_R_REFUSED,
+			      "explicit RRSIG updates are currently "
+			      "not supported in secure zones except "
+			      "at the apex");
 		}
 
 		if (ssutable != NULL) {
@@ -3755,7 +3859,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				soa_serial_changed = ISC_TRUE;
 			}
 
-#ifdef ALLOW_NSEC3PARAM_UPDATE
+			if (rdata.type == privatetype) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add a private type "
+					   "(%u) record rejected internal "
+					   "use only", privatetype);
+				continue;
+			}
+
 			if (rdata.type == dns_rdatatype_nsec3param) {
 				/*
 				 * Ignore attempts to add NSEC3PARAM records
@@ -3771,7 +3882,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}
 
 				/*
-				 * Set the NSEC3CHAIN creation flag.
+				 * NSEC3CHAIN creation flag.
 				 */
 				INSIST(rdata.length <= sizeof(buf));
 				memcpy(buf, rdata.data, rdata.length);
@@ -3782,14 +3893,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				 */
 				ttl = 0;
 			}
-#else
-			if (rdata.type == dns_rdatatype_nsec3param) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to add NSEC3PARAM "
-					   "record ignored");
-				continue;
-			};
-#endif
 
 			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
 			    dns_name_internalwildcard(name)) {
@@ -3866,13 +3969,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 							dns_rdatatype_any, 0,
 							&rdata, &diff));
 				}
-#ifndef ALLOW_NSEC3PARAM_UPDATE
-			} else if (rdata.type == dns_rdatatype_nsec3param) {
-				update_log(client, zone, LOGLEVEL_PROTOCOL,
-					   "attempt to delete a NSEC3PARAM "
-					   "records ignored");
-				continue;
-#endif
 			} else if (dns_name_equal(name, zonename) &&
 				   (rdata.type == dns_rdatatype_soa ||
 				    rdata.type == dns_rdatatype_ns)) {
@@ -3976,37 +4072,28 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
 				   0, &has_dnskey));
 
-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
-		CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
-				   0, &had_dnskey));
+#define ALLOW_SECURE_TO_INSECURE(zone) \
+	((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
 
-#ifndef ALLOW_SECURE_TO_INSECURE
-		if (had_dnskey && !has_dnskey) {
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "update rejected: all DNSKEY records "
-				   "removed");
-			result = DNS_R_REFUSED;
-			goto failure;
+		if (!ALLOW_SECURE_TO_INSECURE(zone)) {
+			CHECK(rrset_exists(db, oldver, zonename,
+					   dns_rdatatype_dnskey, 0,
+					   &had_dnskey));
+			if (had_dnskey && !has_dnskey) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "update rejected: all DNSKEY records "
+					   "removed and 'secure-to-insecure' "
+					   "not set");
+				result = DNS_R_REFUSED;
+				goto failure;
+			}
 		}
-#endif
-#ifndef ALLOW_INSECURE_TO_SECURE
-		if (!had_dnskey && has_dnskey) {
-			update_log(client, zone, LOGLEVEL_PROTOCOL,
-				   "update rejected: DNSKEY record added");
-			result = DNS_R_REFUSED;
-			goto failure;
-		}
-#endif
-#endif
 
-		CHECK(add_signing_records(db, zonename, ver,
-					  dns_zone_getprivatetype(zone),
-					  &diff));
+		CHECK(rollback_private(db, privatetype, ver, &diff));
 
-#ifdef ALLOW_NSEC3PARAM_UPDATE
-		CHECK(add_nsec3param_records(client, zone, db, zonename,
-					     ver, &diff));
-#endif
+		CHECK(add_signing_records(db, privatetype, ver, &diff));
+
+		CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
 
 		if (!has_dnskey) {
 			/*
@@ -4015,10 +4102,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			 * the last signature for the DNSKEY records are
 			 * remove any NSEC chain present will also be removed.
 			 */
-#ifdef ALLOW_NSEC3PARAM_UPDATE
-			 CHECK(delete_chains(db, ver, zonename, &diff));
-#endif
-		} else if (has_dnskey && dns_db_isdnssec(db)) {
+			 CHECK(delete_chains(db, ver, zone, &diff));
+		} else if (has_dnskey && isdnssec(db, ver, privatetype)) {
 			isc_uint32_t interval;
 			interval = dns_zone_getsigvalidityinterval(zone);
 			result = update_signatures(client, zone, db, oldver,
@@ -4109,7 +4194,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			}
 		}
 
-#ifdef ALLOW_NSEC3PARAM_UPDATE
 		/*
 		 * Cause the zone to add/delete NSEC3 chains for the
 		 * deferred NSEC3PARAM changes.
@@ -4119,13 +4203,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		for (tuple = ISC_LIST_HEAD(diff.tuples);
 		     tuple != NULL;
 		     tuple = ISC_LIST_NEXT(tuple, link)) {
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t rdata = DNS_RDATA_INIT;
 			dns_rdata_nsec3param_t nsec3param;
 
-			if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+			if (tuple->rdata.type != privatetype ||
 			    tuple->op != DNS_DIFFOP_ADD)
 				continue;
 
-			dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
+			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+						   buf, sizeof(buf)))
+				continue;
+			dns_rdata_tostruct(&rdata, &nsec3param, NULL);
 			if (nsec3param.flags == 0)
 				continue;
 
@@ -4136,7 +4225,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   dns_result_totext(result));
 			}
 		}
-#endif
 	} else {
 		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
 		dns_db_closeversion(db, &ver, ISC_TRUE);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index f56da44899..0e58d0ad6f 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.154 2009/09/01 00:22:25 jinmei Exp $ */
+/* $Id: zoneconf.c,v 1.155 2009/10/08 23:13:06 marka Exp $ */
 
 /*% */
 
@@ -929,6 +929,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+		obj = NULL;
+		result = ns_config_get(maps, "secure-to-insecure", &obj);
+		INSIST(obj != NULL);
+		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
+				   cfg_obj_asboolean(obj));
 	}
 
 	/*
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index ee4af5b9d3..7ab3bf1496 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4891,6 +4891,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
      allow-update { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     secure-to-insecure yes_or_no ;
      try-tcp-refresh yes_or_no; 
      allow-v6-synthesis { address_match_list }; 
      blackhole { address_match_list }; 
@@ -6442,6 +6443,17 @@ options {
 	      
 	    
 
+	    
+	      secure-to-insecure
+	      
+	        
+		  Allow a zone to transition from secure to insecure by
+		  deleting all DNSKEY records.  The default is
+		  no.
+		
+	      
+	    
+
           
 
         
@@ -9347,6 +9359,7 @@ zone zone_name class allow-transfer { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     secure-to-insecure yes_or_no ; 
      try-tcp-refresh yes_or_no; 
      also-notify { ip_addr port ip_port ;
                    ip_addr port ip_port ; ...  }; 
@@ -10259,6 +10272,16 @@ zone zone_name class
 	      
 
+              
+                secure-to-insecure
+                
+                  
+                    See the description of
+                    secure-to-insecure in .
+                  
+                
+              
+
             
 
           
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index cb28c9f850..c808adc2b7 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.108 2009/09/02 16:10:03 each Exp $ */
+/* $Id: check.c,v 1.109 2009/10/08 23:13:06 marka Exp $ */
 
 /*! \file */
 
@@ -23,6 +23,7 @@
 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -1100,6 +1101,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "min-retry-time", SLAVEZONE | STUBZONE },
 	{ "max-refresh-time", SLAVEZONE | STUBZONE },
 	{ "min-refresh-time", SLAVEZONE | STUBZONE },
+	{ "secure-to-insecure", MASTERZONE },
 	{ "sig-validity-interval", MASTERZONE },
 	{ "sig-re-signing-interval", MASTERZONE },
 	{ "sig-signing-nodes", MASTERZONE },
@@ -1404,6 +1406,9 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 	const char *algorithm;
 	int i;
 	size_t len = 0;
+	isc_result_t result;
+	isc_buffer_t buf;
+	unsigned char secretbuf[1024];
 	static const algorithmtable algorithms[] = {
 		{ "hmac-md5", 128 },
 		{ "hmac-md5.sig-alg.reg.int", 0 },
@@ -1426,6 +1431,14 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 		return (ISC_R_FAILURE);
 	}
 
+	isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
+	result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
+			    "bad secret '%s'", isc_result_totext(result));
+		return (result);
+	}
+
 	algorithm = cfg_obj_asstring(algobj);
 	for (i = 0; algorithms[i].name != NULL; i++) {
 		len = strlen(algorithms[i].name);
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index d1acc2b35a..548b32ed87 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
+# $Id: Makefile.in,v 1.168 2009/10/08 23:13:06 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -61,7 +61,7 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 		keydata.@O@ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
 		master.@O@ masterdump.@O@ message.@O@ \
 		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
-		portlist.@O@ \
+		portlist.@O@ private.@O@ \
 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
 		rdatalist.@O@ \
 		rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
diff --git a/lib/dns/db.c b/lib/dns/db.c
index bc64bd85c7..f1ac004301 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.94 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: db.c,v 1.95 2009/10/08 23:13:06 marka Exp $ */
 
 /*! \file */
 
@@ -938,9 +938,9 @@ dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
 }
 
 void
-dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version)
 {
 	if (db->methods->resigned != NULL)
 		(db->methods->resigned)(db, rdataset, version);
 }
-
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index e9e049e298..49a9aeb1b8 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $
+# $Id: Makefile.in,v 1.56 2009/10/08 23:13:07 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,19 +21,17 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h \
-		cert.h compress.h \
+HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
 		db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
-		dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
-		keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
-		message.h name.h ncache.h \
-		nsec.h peer.h portlist.h rbt.h rcode.h \
+		dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
+		keyflags.h keytable.h keyvalues.h lib.h log.h \
+		master.h masterdump.h message.h name.h ncache.h nsec.h \
+		peer.h portlist.h private.h rbt.h rcode.h \
 		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
 		rdataslab.h rdatatype.h request.h resolver.h result.h \
 		rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
-		tcpmsg.h time.h tkey.h \
-		tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
-		zone.h zonekey.h zt.h
+		tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
+		validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
 
 GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
 
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index 9b5ee9ebf1..905f6c1dd7 100644
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.8 2009/10/06 21:20:45 each Exp $ */
+/* $Id: nsec3.h,v 1.9 2009/10/08 23:13:07 marka Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@@ -110,6 +110,12 @@ isc_result_t
 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 		    dns_name_t *name, dns_ttl_t nsecttl,
 		    isc_boolean_t unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     isc_boolean_t unsecure, dns_rdatatype_t private,
+		     dns_diff_t *diff);
 /*%<
  * Add NSEC3 records for 'name', recording the change in 'diff'.
  * Adjust previous NSEC3 records, if any, to reflect the addition.
@@ -130,6 +136,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
  * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
  * record in the chain.
  *
+ * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
  * Requires:
  *	'db' to be valid.
  *	'version' to be valid or NULL.
@@ -145,6 +155,10 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		    dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t private, dns_diff_t *diff);
 /*%<
  * Remove NSEC3 records for 'name', recording the change in 'diff'.
  * Adjust previous NSEC3 records, if any, to reflect the removal.
@@ -156,6 +170,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
  * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
  * records have the OPTOUT flag preserved.
  *
+ * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
  * Requires:
  *	'db' to be valid.
  *	'version' to be valid or NULL.
@@ -167,10 +185,19 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		 isc_boolean_t complete, isc_boolean_t *answer);
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t complete, dns_rdatatype_t private,
+		  isc_boolean_t *answer);
 /*%<
  * Check if there are any complete/to be built NSEC3 chains.
  * If 'complete' is ISC_TRUE only complete chains will be recognized.
  *
+ * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
  * Requires:
  *	'db' to be valid.
  *	'version' to be valid or NULL.
@@ -191,6 +218,27 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
  *	'iterationsp' to be non NULL.
  */
 
+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+                           unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a private rdata to a nsec3param rdata.
+ *
+ * Return ISC_TRUE if 'src' could be successfully converted.
+ *
+ * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
+ */
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+                         dns_rdatatype_t privatetype,
+                         unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a nsec3param rdata to a private rdata.
+ *
+ * 'buf' should be at least src->length + 1 in size.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NSEC3_H */
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index 6051752cb0..d06846b9e9 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.74 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: rdata.h,v 1.75 2009/10/08 23:13:07 marka Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -125,9 +125,27 @@ struct dns_rdata {
 
 #define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
 
+#define DNS_RDATA_CHECKINITIALIZED
+#ifdef DNS_RDATA_CHECKINITIALIZED
+#define DNS_RDATA_INITIALIZED(rdata) \
+        ((rdata)->data == NULL && (rdata)->length == 0 && \
+         (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+         !ISC_LINK_LINKED((rdata), link))
+#else   
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) \
+        (!ISC_LINK_LINKED((rdata), link))
+#else
+#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
+#endif
+#endif
+
 #define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
 #define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
 
+#define DNS_RDATA_VALIDFLAGS(rdata) \
+        (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
 /*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 9be1aabb0f..6a1f8b0f33 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.167 2009/10/05 19:39:20 each Exp $ */
+/* $Id: zone.h,v 1.168 2009/10/08 23:13:07 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -71,6 +71,7 @@ typedef enum {
 #define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
 #define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
 #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
 
 #ifndef NOMINUM_PUBLIC
 /*
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d3209b1017..b087cf0857 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.8 2009/06/04 02:56:47 tbox Exp $ */
+/* $Id: nsec3.c,v 1.9 2009/10/08 23:13:06 marka Exp $ */
 
 #include 
 
@@ -28,6 +28,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -457,7 +458,6 @@ delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	return (result);
 }
 
-#ifndef RFC5155_STRICT
 static isc_boolean_t
 better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	dns_rdataset_t rdataset;
@@ -472,7 +472,17 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdata_t rdata =  DNS_RDATA_INIT;
-		dns_rdataset_current(&rdataset, &rdata);
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		if (rdataset.type != dns_rdatatype_nsec3param) {
+			dns_rdata_t tmprdata =  DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &tmprdata);
+			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
+							buf, sizeof(buf)))
+				continue;
+		} else
+			dns_rdataset_current(&rdataset, &rdata);
+		
 		if (rdata.length != param->length)
 			continue;
 		if (rdata.data[0] != param->data[0] ||
@@ -490,7 +500,6 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 	dns_rdataset_disassociate(&rdataset);
 	return (ISC_FALSE);
 }
-#endif
 
 static isc_result_t
 find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
@@ -913,18 +922,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 
 		dns_rdataset_current(&rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
 
-#ifdef RFC5155_STRICT
 		if (nsec3param.flags != 0)
 			continue;
-#else
-		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
-			continue;
-		if (better_param(&rdataset, &rdata))
-			continue;
-#endif
-
 		/*
 		 * We have a active chain.  Update it.
 		 */
@@ -943,6 +944,158 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
 	return (result);
 }
 
+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen)
+{
+        dns_decompress_t dctx;
+        isc_result_t result;
+	isc_buffer_t buf1;
+	isc_buffer_t buf2;
+
+	/*
+	 * Algorithm 0 (reserved by RFC 4034) is used to identify
+	 * NSEC3PARAM records from DNSKEY pointers.
+	 */
+	if (src->length < 1 || src->data[0] != 0)
+		return (ISC_FALSE);
+
+	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
+	isc_buffer_add(&buf1, src->length - 1);
+        isc_buffer_setactive(&buf1, src->length - 1);
+	isc_buffer_init(&buf2, buf, buflen);
+        dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+        result = dns_rdata_fromwire(target, src->rdclass,
+				    dns_rdatatype_nsec3param,
+				    &buf1, &dctx, 0, &buf2);
+        dns_decompress_invalidate(&dctx);
+
+        return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype, 
+			 unsigned char *buf, size_t buflen)
+{
+	REQUIRE(buflen >= src->length + 1);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	memcpy(buf + 1, src->data, src->length);
+	buf[0] = 0;
+	target->data = buf;
+	target->length = src->length + 1;
+	target->type = privatetype;
+	target->rdclass = src->rdclass;
+	target->flags = 0;
+	ISC_LINK_INIT(target, link);
+}
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     isc_boolean_t unsecure, dns_rdatatype_t type,
+		     dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t prdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &prdataset, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0)
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (!dns_rdataset_isassociated(&prdataset))
+		goto success;
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&prdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&prdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&prdataset, &rdata2))
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE)
+ success:
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
 /*%
  * Determine whether any NSEC3 records that were associated with
  * 'name' should be deleted or if they should continue to exist.
@@ -1241,6 +1394,13 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		    dns_diff_t *diff)
+{
+	return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
+}
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t type, dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL;
 	dns_rdata_nsec3param_t nsec3param;
@@ -1259,11 +1419,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	result = dns_db_findrdataset(db, node, version,
 				     dns_rdatatype_nsec3param, 0, 0,
 				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);
 	if (result == ISC_R_NOTFOUND)
-		return (ISC_R_SUCCESS);
+		goto try_private;
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto failure;
 
 	/*
 	 * Update each active NSEC3 chain.
@@ -1274,17 +1433,46 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 
 		dns_rdataset_current(&rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
 
-#ifdef RFC5155_STRICT
 		if (nsec3param.flags != 0)
 			continue;
-#else
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+
+ try_private:
+	if (type == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each NSEC3 chain being built.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1,  &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
 		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
 			continue;
-		if (better_param(&rdataset, &rdata))
+		if (better_param(&rdataset, &rdata2))
 			continue;
-#endif
 
 		/*
 		 * We have a active chain.  Update it.
@@ -1292,6 +1480,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
 	}
 	if (result == ISC_R_NOMORE)
+ success:
 		result = ISC_R_SUCCESS;
 
  failure:
@@ -1306,6 +1495,14 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 isc_result_t
 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		 isc_boolean_t complete, isc_boolean_t *answer)
+{
+	return (dns_nsec3_activex(db, version, complete, 0, answer));
+}
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t complete, dns_rdatatype_t type,
+		  isc_boolean_t *answer)
 {
 	dns_dbnode_t *node = NULL;
 	dns_rdataset_t rdataset;
@@ -1323,14 +1520,14 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 	result = dns_db_findrdataset(db, node, version,
 				     dns_rdatatype_nsec3param, 0, 0,
 				     &rdataset, NULL);
-	dns_db_detachnode(db, &node);
 
-	if (result == ISC_R_NOTFOUND) {
-		*answer = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
 		return (result);
+	}
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
@@ -1340,17 +1537,61 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
-		if ((nsec3param.flags) == 0 ||
-		    (!complete && CREATE(nsec3param.flags)))
+		if (nsec3param.flags == 0)
 			break;
 	}
 	dns_rdataset_disassociate(&rdataset);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
 		*answer = ISC_TRUE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == ISC_R_NOMORE)
+		*answer = ISC_FALSE;
+
+ try_private:
+	if (type == 0 || complete) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &rdataset, NULL);
+
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!complete && CREATE(nsec3param.flags))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*answer = ISC_TRUE;
+		result = ISC_R_SUCCESS;
+	}
 	if (result == ISC_R_NOMORE) {
 		*answer = ISC_FALSE;
 		result = ISC_R_SUCCESS;
 	}
+
 	return (result);
 }
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index fa1d921e32..0fbbac2f6b 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.282 2009/10/06 21:20:45 each Exp $ */
+/* $Id: rbtdb.c,v 1.283 2009/10/08 23:13:06 marka Exp $ */
 
 /*! \file */
 
@@ -613,8 +613,7 @@ static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
 		       isc_event_t *event);
 static void overmem(dns_db_t *db, isc_boolean_t overmem);
 #ifdef BIND9
-static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
-			       isc_boolean_t *nsec3createflag);
+static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
 #endif
 
 /*%
@@ -1925,11 +1924,8 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 #else
 	dns_rdataset_t keyset;
 	dns_rdataset_t nsecset, signsecset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t haszonekey = ISC_FALSE;
 	isc_boolean_t hasnsec = ISC_FALSE;
-	isc_boolean_t hasoptbit = ISC_FALSE;
-	isc_boolean_t nsec3createflag = ISC_FALSE;
 	isc_result_t result;
 
 	dns_rdataset_init(&keyset);
@@ -1961,29 +1957,18 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 	if (result == ISC_R_SUCCESS) {
 		if (dns_rdataset_isassociated(&signsecset)) {
 			hasnsec = ISC_TRUE;
-			result = dns_rdataset_first(&nsecset);
-			if (result == ISC_R_SUCCESS) {
-				dns_rdataset_current(&nsecset, &rdata);
-				hasoptbit = dns_nsec_typepresent(&rdata,
-							     dns_rdatatype_opt);
-			}
 			dns_rdataset_disassociate(&signsecset);
 		}
 		dns_rdataset_disassociate(&nsecset);
 	}
 
-	setnsec3parameters(db, version, &nsec3createflag);
+	setnsec3parameters(db, version);
 
 	/*
 	 * Do we have a valid NSEC/NSEC3 chain?
 	 */
-	if (version->havensec3 || (hasnsec && !hasoptbit))
+	if (version->havensec3 || hasnsec)
 		version->secure = dns_db_secure;
-	/*
-	 * Do we have a NSEC/NSEC3 chain under creation?
-	 */
-	else if (hasoptbit || nsec3createflag)
-		version->secure = dns_db_partial;
 	else
 		version->secure = dns_db_insecure;
 #endif
@@ -1995,9 +1980,7 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
  */
 #ifdef BIND9
 static void
-setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
-		   isc_boolean_t *nsec3createflag)
-{
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
 	dns_rbtnode_t *node;
 	dns_rdata_nsec3param_t nsec3param;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -2028,7 +2011,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 		} while (header != NULL);
 
 		if (header != NULL &&
-		    header->type == dns_rdatatype_nsec3param) {
+		    (header->type == dns_rdatatype_nsec3param)) {
 			/*
 			 * Find A NSEC3PARAM with a supported algorithm.
 			 */
@@ -2063,17 +2046,8 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
 				    !dns_nsec3_supportedhash(nsec3param.hash))
 					continue;
 
-#ifdef RFC5155_STRICT
 				if (nsec3param.flags != 0)
 					continue;
-#else
-				if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE)
-				    != 0)
-					*nsec3createflag = ISC_TRUE;
-				if ((nsec3param.flags & ~DNS_NSEC3FLAG_OPTOUT)
-				    != 0)
-					continue;
-#endif
 
 				memcpy(version->salt, nsec3param.salt,
 				       nsec3param.salt_length);
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 5e4e471a39..325980021b 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.202 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: rdata.c,v 1.203 2009/10/08 23:13:07 marka Exp $ */
 
 /*! \file */
 
@@ -276,23 +276,6 @@ dns_rdata_init(dns_rdata_t *rdata) {
 	/* ISC_LIST_INIT(rdata->list); */
 }
 
-#if 1
-#define DNS_RDATA_INITIALIZED(rdata) \
-	((rdata)->data == NULL && (rdata)->length == 0 && \
-	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
-	 !ISC_LINK_LINKED((rdata), link))
-#else
-#ifdef ISC_LIST_CHECKINIT
-#define DNS_RDATA_INITIALIZED(rdata) \
-	(!ISC_LINK_LINKED((rdata), link))
-#else
-#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
-#endif
-#endif
-
-#define DNS_RDATA_VALIDFLAGS(rdata) \
-	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
-
 void
 dns_rdata_reset(dns_rdata_t *rdata) {
 
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 34c3455d06..52c51d9c63 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.70 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: sdb.c,v 1.71 2009/10/08 23:13:07 marka Exp $ */
 
 /*! \file */
 
@@ -1260,7 +1260,7 @@ static dns_dbmethods_t sdb_methods = {
 	NULL,
 	NULL,
 	NULL,
-	NULL
+	NULL,
 };
 
 static isc_result_t
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 723a15a32f..803e4db443 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -189,9 +189,9 @@ dns_dlzfindzone
 dns_dlzregister
 dns_dlzstrtoargv
 dns_dlzunregister
+dns_dnssec_findmatchingkeys
 dns_dnssec_findzonekeys
 dns_dnssec_findzonekeys2
-dns_dnssec_findmatchingkeys
 dns_dnssec_keyfromrdata
 dns_dnssec_selfsigns
 dns_dnssec_sign
@@ -343,8 +343,8 @@ dns_name_equal
 dns_name_format
 dns_name_free
 dns_name_fromregion
-dns_name_fromtext
 dns_name_fromstring
+dns_name_fromtext
 dns_name_fromwire
 dns_name_fullcompare
 dns_name_getlabel
@@ -373,16 +373,21 @@ dns_ncache_add
 dns_ncache_getrdataset
 dns_ncache_towire
 dns_nsec3_active
+dns_nsec3_activex
 dns_nsec3_addnsec3
 dns_nsec3_addnsec3s
+dns_nsec3_addnsec3sx
 dns_nsec3_buildrdata
 dns_nsec3_delnsec3
 dns_nsec3_delnsec3s
+dns_nsec3_delnsec3sx
 dns_nsec3_hashlength
 dns_nsec3_hashname
 dns_nsec3_maxiterations
 dns_nsec3_supportedhash
 dns_nsec3_typepresent
+dns_nsec3param_fromprivate
+dns_nsec3param_toprivate
 dns_nsec_build
 dns_nsec_buildrdata
 dns_nsec_nseconly
@@ -431,6 +436,7 @@ dns_peerlist_peerbyaddr
 dns_portlist_add
 dns_portlist_create
 dns_portlist_detach
+dns_private_chains
 dns_rbt_addname
 dns_rbt_addnode
 dns_rbt_create
@@ -574,8 +580,8 @@ dns_result_torcode
 dns_result_totext
 dns_rootns_create
 dns_rriterator_current
-dns_rriterator_first
 dns_rriterator_destroy
+dns_rriterator_first
 dns_rriterator_init
 dns_rriterator_next
 dns_rriterator_nextrrset
diff --git a/lib/dns/win32/libdns.dsp b/lib/dns/win32/libdns.dsp
index c1912fcf9c..f736b897c1 100644
--- a/lib/dns/win32/libdns.dsp
+++ b/lib/dns/win32/libdns.dsp
@@ -266,6 +266,10 @@ SOURCE=..\include\dns\portlist.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\dns\private.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\dns\rbt.h
 # End Source File
 # Begin Source File
@@ -562,6 +566,10 @@ SOURCE=..\portlist.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\private.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\rbt.c
 # End Source File
 # Begin Source File
diff --git a/lib/dns/win32/libdns.mak b/lib/dns/win32/libdns.mak
index c18009b02e..2ae1c7cb3f 100644
--- a/lib/dns/win32/libdns.mak
+++ b/lib/dns/win32/libdns.mak
@@ -166,6 +166,7 @@ CLEAN :
 	-@erase "$(INTDIR)\order.obj"
 	-@erase "$(INTDIR)\peer.obj"
 	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\private.obj"
 	-@erase "$(INTDIR)\rbt.obj"
 	-@erase "$(INTDIR)\rbtdb.obj"
 	-@erase "$(INTDIR)\rbtdb64.obj"
@@ -285,6 +286,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\order.obj" \
 	"$(INTDIR)\peer.obj" \
 	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
 	"$(INTDIR)\rbt.obj" \
 	"$(INTDIR)\rbtdb.obj" \
 	"$(INTDIR)\rbtdb64.obj" \
@@ -455,6 +457,8 @@ CLEAN :
 	-@erase "$(INTDIR)\peer.sbr"
 	-@erase "$(INTDIR)\portlist.obj"
 	-@erase "$(INTDIR)\portlist.sbr"
+	-@erase "$(INTDIR)\private.obj"
+	-@erase "$(INTDIR)\private.sbr"
 	-@erase "$(INTDIR)\rbt.obj"
 	-@erase "$(INTDIR)\rbt.sbr"
 	-@erase "$(INTDIR)\rbtdb.obj"
@@ -606,6 +610,7 @@ BSC32_SBRS= \
 	"$(INTDIR)\order.sbr" \
 	"$(INTDIR)\peer.sbr" \
 	"$(INTDIR)\portlist.sbr" \
+	"$(INTDIR)\private.sbr" \
 	"$(INTDIR)\rbt.sbr" \
 	"$(INTDIR)\rbtdb.sbr" \
 	"$(INTDIR)\rbtdb64.sbr" \
@@ -696,6 +701,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\order.obj" \
 	"$(INTDIR)\peer.obj" \
 	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
 	"$(INTDIR)\rbt.obj" \
 	"$(INTDIR)\rbtdb.obj" \
 	"$(INTDIR)\rbtdb64.obj" \
@@ -1375,6 +1381,25 @@ SOURCE=..\portlist.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)
 
 
+!ENDIF 
+
+
+SOURCE=..\private.c
+
+!IF  "$(CFG)" == "libdns - Win32 Release"
+
+
+"$(INTDIR)\private.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - Win32 Debug"
+
+
+"$(INTDIR)\private.obj"	"$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 
 
 SOURCE=..\rbt.c
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 402f866790..c7a431b680 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.509 2009/10/05 23:48:27 tbox Exp $ */
+/* $Id: zone.c,v 1.510 2009/10/08 23:13:07 marka Exp $ */
 
 /*! \file */
 
@@ -58,6 +58,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -637,6 +638,9 @@ static isc_boolean_t dns_zonemgr_unreachable(dns_zonemgr_t *zmgr,
 					     isc_time_t *now);
 static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
 				     isc_uint16_t keyid, isc_boolean_t delete);
+static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
+				dns_dbnode_t *node, dns_name_t *name,
+				dns_diff_t *diff);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
 
@@ -1763,11 +1767,12 @@ zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
 	dns_name_format(name, namebuf, sizeof namebuf);
 	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
 	    result == DNS_R_EMPTYNAME) {
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+			level = ISC_LOG_WARNING;
 		dns_zone_log(zone, level,
 			     "%s/MX '%s' has no address records (A or AAAA)",
 			     ownerbuf, namebuf);
-		/* XXX950 make fatal for 9.5.0. */
-		return (ISC_TRUE);
+		return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
 	}
 
 	if (result == DNS_R_CNAME) {
@@ -2212,15 +2217,18 @@ resume_signingwithkey(dns_zone_t *zone) {
 				     zone->privatetype,
 				     dns_rdatatype_none, 0,
 				     &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto cleanup;
+	}
 
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset))
 	{
 		dns_rdataset_current(&rdataset, &rdata);
-		if (rdata.length != 5 || rdata.data[4] != 0) {
+		if (rdata.length != 5 ||
+		    rdata.data[0] == 0 || rdata.data[4] != 0) {
 			dns_rdata_reset(&rdata);
 			continue;
 		}
@@ -2242,7 +2250,6 @@ resume_signingwithkey(dns_zone_t *zone) {
 		dns_db_detachnode(zone->db, &node);
 	if (version != NULL)
 		dns_db_closeversion(zone->db, &version, ISC_FALSE);
-
 }
 
 static isc_result_t
@@ -2251,6 +2258,9 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	isc_result_t result;
 	isc_time_t now;
 	unsigned int options = 0;
+	char saltbuf[255*2+1];
+	char flags[sizeof("REMOVE|CREATE|NONSEC|OPTOUT")];
+	int i;
 
 	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
 	if (nsec3chain == NULL)
@@ -2272,6 +2282,40 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	nsec3chain->delete_nsec = ISC_FALSE;
 	nsec3chain->save_delete_nsec = ISC_FALSE;
 
+	if (nsec3param->flags == 0)
+		strlcpy(flags, "NONE", sizeof(flags));
+	else {
+		flags[0] = '\0';
+		if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
+			strlcat(flags, "REMOVE", sizeof(flags));
+		if (nsec3param->flags & DNS_NSEC3FLAG_CREATE) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "CREATE", sizeof(flags));
+			else
+				strlcat(flags, "|CREATE", sizeof(flags));
+		}
+		if (nsec3param->flags & DNS_NSEC3FLAG_NONSEC) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "NONSEC", sizeof(flags));
+			else
+				strlcat(flags, "|NONSEC", sizeof(flags));
+		}
+		if (nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "OPTOUT", sizeof(flags));
+			else
+				strlcat(flags, "|OPTOUT", sizeof(flags));
+		}
+	}
+	if (nsec3param->salt_length == 0)
+		strlcpy(saltbuf, "-", sizeof(saltbuf));
+	else 
+		for (i = 0; i < nsec3param->salt_length; i++)
+			sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
+	dns_zone_log(zone, ISC_LOG_INFO,
+		     "zone_addnsec3chain(%u,%s,%u,%s)\n",
+		      nsec3param->hash, flags, nsec3param->iterations,
+		      saltbuf);
 	for (current = ISC_LIST_HEAD(zone->nsec3chain);
 	     current != NULL;
 	     current = ISC_LIST_NEXT(current, link)) {
@@ -2321,11 +2365,13 @@ static void
 resume_addnsec3chain(dns_zone_t *zone) {
 	dns_dbnode_t *node = NULL;
 	dns_dbversion_t *version = NULL;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	isc_result_t result;
 	dns_rdata_nsec3param_t nsec3param;
 
+	if (zone->privatetype == 0)
+		return;
+
 	result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
@@ -2333,17 +2379,25 @@ resume_addnsec3chain(dns_zone_t *zone) {
 	dns_db_currentversion(zone->db, &version);
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(zone->db, node, version,
-				     dns_rdatatype_nsec3param,
-				     dns_rdatatype_none, 0,
-				     &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
+				     zone->privatetype, dns_rdatatype_none,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto cleanup;
+	}
 
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset))
 	{
-		dns_rdataset_current(&rdataset, &rdata);
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+			continue;
 		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 ||
@@ -2355,10 +2409,8 @@ resume_addnsec3chain(dns_zone_t *zone) {
 					     dns_result_totext(result));
 			}
 		}
-		dns_rdata_reset(&rdata);
 	}
 	dns_rdataset_disassociate(&rdataset);
-
  cleanup:
 	if (node != NULL)
 		dns_db_detachnode(zone->db, &node);
@@ -2417,10 +2469,12 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
 				     dns_rdatatype_nsec3param,
 				     dns_rdatatype_none, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		result = ISC_R_SUCCESS;
 		goto cleanup;
 	}
 	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "nsec3param lookup failure: %s",
 			     dns_result_totext(result));
@@ -3509,10 +3563,14 @@ zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
 				     dns_rdatatype_none, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto success;
-	if (result != ISC_R_SUCCESS)
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto invalidate_rdataset;
+	}
 
 	result = dns_rdataset_first(&rdataset);
 	while (result == ISC_R_SUCCESS) {
@@ -3563,6 +3621,7 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
 				     dns_rdatatype_none, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		if (soacount != NULL)
 			*soacount = 0;
 		if (serial != NULL)
@@ -3578,8 +3637,10 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		result = ISC_R_SUCCESS;
 		goto invalidate_rdataset;
 	}
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto invalidate_rdataset;
+	}
 
 	count = 0;
 	result = dns_rdataset_first(&rdataset);
@@ -4339,10 +4400,14 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				     (isc_stdtime_t) 0, &rdataset, NULL);
 	dns_db_detachnode(db, &node);
 
-	if (result == ISC_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto failure;
+	}
 
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
@@ -4451,10 +4516,14 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	result = dns_db_findrdataset(db, node, ver, type, 0,
 				     (isc_stdtime_t) 0, &rdataset, NULL);
 	dns_db_detachnode(db, &node);
-	if (result == ISC_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto failure;
+	}
 
 	for (i = 0; i < nkeys; i++) {
 		if (check_ksk && type != dns_rdatatype_dnskey &&
@@ -4714,16 +4783,6 @@ next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
 	return (result);
 }
 
-static void
-set_bit(unsigned char *array, unsigned int index) {
-	unsigned int shift, mask;
-
-	shift = 7 - (index % 8);
-	mask = 1 << shift;
-
-	array[index / 8] |= mask;
-}
-
 static isc_boolean_t
 signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		dns_rdatatype_t type, dst_key_t *key)
@@ -4736,8 +4795,10 @@ signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
 				     type, 0, &rdataset, NULL);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		return (ISC_FALSE);
+	}
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
@@ -4772,21 +4833,6 @@ add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	CHECK(next_active(db, version, name, next, bottom));
 	CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
 				  &rdata));
-	if (dns_name_equal(dns_db_origin(db), name)) {
-		/*
-		 * Set the OPT bit to indicate that this is a
-		 * partially secure zone.
-		 */
-		isc_region_t region;
-
-		dns_rdata_toregion(&rdata, ®ion);
-		dns_name_fromregion(next, ®ion);
-		isc_region_consume(®ion, next->length);
-		INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
-		       region.base[0] == 0 &&
-		       region.base[1] > dns_rdatatype_opt / 8);
-		set_bit(region.base + 2, dns_rdatatype_opt);
-	}
 	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
 			    &rdata));
  failure:
@@ -4838,7 +4884,8 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 			seen_nsec = ISC_TRUE;
 		else if (rdataset.type == dns_rdatatype_nsec3)
 			seen_nsec3 = ISC_TRUE;
-		seen_rr = ISC_TRUE;
+		if (rdataset.type != dns_rdatatype_rrsig)
+			seen_rr = ISC_TRUE;
 		dns_rdataset_disassociate(&rdataset);
 	}
 	if (result != ISC_R_NOMORE)
@@ -4862,9 +4909,15 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 	if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
 		/* Build and add NSEC. */
 		bottom = (seen_ns && !seen_soa) || seen_dname;
-		CHECK(add_nsec(db, version, name, node, minimum, bottom, diff));
-		/* Count a NSEC generation as a signature generation. */
-		(*signatures)--;
+		/*
+		 * Build a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db))) {
+			CHECK(add_nsec(db, version, name, node, minimum,
+				       bottom, diff));
+			/* Count a NSEC generation as a signature generation. */
+			(*signatures)--;
+		}
 	}
 	result = dns_rdatasetiter_first(iterator);
 	while (result == ISC_R_SUCCESS) {
@@ -4905,63 +4958,49 @@ failure:
 	return (result);
 }
 
+/*
+ * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
+ */
 static isc_result_t
 updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	     dns_ttl_t minimum, isc_boolean_t *secureupdated, dns_diff_t *diff)
+	     dns_ttl_t minimum, isc_boolean_t update_only,
+	     isc_boolean_t *secureupdated, dns_diff_t *diff)
 {
 	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
 	dns_rdataset_t rdataset;
-	dns_rdata_nsec_t nsec;
 	dns_dbnode_t *node = NULL;
 
-	/*
-	 * Check to see if the OPT bit has already been cleared.
-	 */
 	CHECK(dns_db_getoriginnode(db, &node));
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
-				  dns_rdatatype_none, 0, &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-
-	/*
-	 * Find the NEXT name for building the new record.
-	 */
-	CHECK(dns_rdata_tostruct(&rdata, &nsec, NULL));
-
-	/*
-	 * Delete the old NSEC record.
-	 */
-	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_DEL, name, minimum,
-			    &rdata));
-	dns_rdata_reset(&rdata);
-
-	/*
-	 * Add the new NSEC record.
-	 */
-	CHECK(dns_nsec_buildrdata(db, version, node, &nsec.next, nsecbuffer,
-				  &rdata));
-	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, minimum,
-			    &rdata));
-	dns_rdata_reset(&rdata);
-
+	if (update_only) {
+		dns_rdataset_init(&rdataset);
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec,
+					     dns_rdatatype_none,
+					     0, &rdataset, NULL);
+		if (dns_rdataset_isassociated(&rdataset))
+			dns_rdataset_disassociate(&rdataset);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			goto done;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	CHECK(delete_nsec(db, version, node, name, diff));
+	CHECK(add_nsec(db, version, name, node, minimum, ISC_FALSE, diff));
+ done:
 	if (secureupdated != NULL)
 		*secureupdated = ISC_TRUE;
 
  failure:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
 	return (result);
 }
 
 static isc_result_t
-updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
-		  dns_name_t *name, dns_rdatatype_t privatetype,
-		  dns_diff_t *diff)
+updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
+		  dns_dbversion_t *version, dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -4975,14 +5014,18 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
-	result = dns_db_findrdataset(signing->db, node, version, privatetype,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
+	result = dns_db_findrdataset(signing->db, node, version, 
+				     zone->privatetype, dns_rdatatype_none,
+				     0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		result = ISC_R_SUCCESS;
 		goto failure;
 	}
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
 		goto failure;
+	}
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
@@ -4998,7 +5041,7 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
 			seen_done = ISC_TRUE;
 		else
 			CHECK(update_one_rr(signing->db, version, diff,
-					    DNS_DIFFOP_DEL, name,
+					    DNS_DIFFOP_DEL, &zone->origin,
 					    rdataset.ttl, &rdata));
 		dns_rdata_reset(&rdata);
 	}
@@ -5013,10 +5056,10 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
 		data[4] = 1;
 		rdata.length = sizeof(data);
 		rdata.data = data;
-		rdata.type = privatetype;
+		rdata.type = zone->privatetype;
 		rdata.rdclass = dns_db_class(signing->db);
 		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
-				    name, rdataset.ttl, &rdata));
+				    &zone->origin, rdataset.ttl, &rdata));
 	}
  failure:
 	if (dns_rdataset_isassociated(&rdataset))
@@ -5026,9 +5069,15 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
 	return (result);
 }
 
+/*
+ * If 'active' is set then we are not done with the chain yet so only
+ * delete the nsec3param record which indicates a full chain exists
+ * (flags == 0).
+ */ 
 static isc_result_t
 fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
-		 isc_boolean_t active, dns_diff_t *diff)
+		 isc_boolean_t active, dns_rdatatype_t privatetype,
+		 dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL;
 	dns_name_t *name = dns_db_origin(db);
@@ -5047,7 +5096,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND)
-		goto add;
+		goto try_private;
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
@@ -5083,6 +5132,50 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	if (result != ISC_R_NOMORE)
 		goto failure;
 
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+
+	if (active)
+		goto add;
+	/*
+	 * Delete all private records which match that in nsec3chain.
+	 */
+	result = dns_db_findrdataset(db, node, ver, privatetype,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto add;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t private = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.hash != chain->nsec3param.hash ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+				    name, rdataset.ttl, &private));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
   add:
 	if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
 		result = ISC_R_SUCCESS;
@@ -5123,7 +5216,7 @@ delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 				     0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND)
 		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) 
 		return (result);
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
@@ -5183,7 +5276,7 @@ deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 static isc_result_t
 need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
 		const dns_rdata_nsec3param_t *param,
-		isc_boolean_t *answer, isc_boolean_t *updatensec)
+		isc_boolean_t *answer)
 {
 	dns_dbnode_t *node = NULL;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -5197,29 +5290,19 @@ need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	dns_rdataset_init(&rdataset);
+
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
 				     0, 0, &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto check_nsec3param;
-
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-
-	CHECK(dns_rdataset_first(&rdataset));
-	dns_rdataset_current(&rdataset, &rdata);
-
-	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_opt)) {
-		/*
-		 * We have a complete NSEC chain.  Signal to update
-		 * the apex NSEC record.
-		 */
-		*updatensec = ISC_TRUE;
-		goto failure;
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		dns_db_detachnode(db, &node);
+		return (result);
 	}
-	dns_rdataset_disassociate(&rdataset);
-	dns_rdata_reset(&rdata);
 
- check_nsec3param:
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
 				     0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
@@ -5268,6 +5351,53 @@ need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
+static isc_result_t
+update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+	    dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
+	    isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
+	    isc_boolean_t check_ksk, dns_diff_t *sig_diff)
+{
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_HEAD(diff->tuples)) {
+		result = del_sigs(zone, db, version, &tuple->name,
+				  tuple->rdata.type, sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "update_sigs:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			return (result);
+		}
+		result = add_sigs(db, version, &tuple->name,
+				  tuple->rdata.type, sig_diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "update_sigs:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			return (result);
+		}
+
+		do {
+			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
+			while (next != NULL &&
+			       (tuple->rdata.type != next->rdata.type ||
+			        !dns_name_equal(&tuple->name, &next->name)))
+				next = ISC_LIST_NEXT(next, link);
+			ISC_LIST_UNLINK(diff->tuples, tuple, link);
+			dns_diff_appendminimal(sig_diff, &tuple);
+			INSIST(tuple == NULL);
+			tuple = next;
+		} while (tuple != NULL);
+	}
+	return (ISC_R_SUCCESS);
+}
+
 /*
  * Incrementally build and sign a new NSEC3 chain using the parameters
  * requested.
@@ -5302,9 +5432,9 @@ zone_nsec3chain(dns_zone_t *zone) {
 	isc_boolean_t seen_soa, seen_ns, seen_dname, seen_ds;
 	isc_boolean_t seen_nsec, seen_nsec3, seen_rr;
 	dns_rdatasetiter_t *iterator = NULL;
-	dns_difftuple_t *tuple;
 	isc_boolean_t buildnsecchain;
 	isc_boolean_t updatensec = ISC_FALSE;
+	dns_rdatatype_t privatetype = zone->privatetype;
 
 	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fixed);
@@ -5486,9 +5616,17 @@ zone_nsec3chain(dns_zone_t *zone) {
 		 * Process one node.
 		 */
 		dns_dbiterator_pause(nsec3chain->dbiterator);
-		CHECK(dns_nsec3_addnsec3(db, version, name,
-					 &nsec3chain->nsec3param,
-					 zone->minimum, unsecure, &nsec3_diff));
+		result = dns_nsec3_addnsec3(db, version, name,
+					    &nsec3chain->nsec3param,
+					    zone->minimum, unsecure,
+					    &nsec3_diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "dns_nsec3_addnsec3 -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
 		/*
 		 * Treat each call to dns_nsec3_addnsec3() as if it's cost is
 		 * two signatures.  Additionally there will, in general, be
@@ -5510,7 +5648,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 			if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
 				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_FALSE, ¶m_diff));
+						       ISC_FALSE, privatetype,
+						       ¶m_diff));
 				LOCK_ZONE(zone);
 				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
 						link);
@@ -5524,12 +5663,14 @@ zone_nsec3chain(dns_zone_t *zone) {
 					CHECK(fixup_nsec3param(db, version,
 							       nsec3chain,
 							       ISC_TRUE,
+							       privatetype,
 							       ¶m_diff));
 					nsec3chain->delete_nsec = ISC_TRUE;
 					goto same_addchain;
 				}
 				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_FALSE, ¶m_diff));
+						       ISC_FALSE, privatetype,
+						       ¶m_diff));
 				LOCK_ZONE(zone);
 				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
 						link);
@@ -5590,10 +5731,22 @@ zone_nsec3chain(dns_zone_t *zone) {
 		 * of removing this NSEC3 chain.
 		 */
 		if (first && !updatensec &&
-		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
-			CHECK(need_nsec_chain(db, version,
-					      &nsec3chain->nsec3param,
-					      &buildnsecchain, &updatensec));
+		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0) {
+			result = need_nsec_chain(db, version,
+					         &nsec3chain->nsec3param,
+					         &buildnsecchain);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "need_nsec_chain -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}	
+
+		if (first)
+			dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
+				     "buildnsecchain = %u\n", buildnsecchain);
 
 		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
 		delegation = ISC_FALSE;
@@ -5602,16 +5755,33 @@ zone_nsec3chain(dns_zone_t *zone) {
 			/*
 			 * Delete the NSECPARAM record that matches this chain.
 			 */
-			if (first)
-				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_TRUE, ¶m_diff));
+			if (first) {
+				result = fixup_nsec3param(db, version,
+							  nsec3chain,
+						          ISC_TRUE, privatetype,
+						          ¶m_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "zone_nsec3chain:"
+						     "fixup_nsec3param -> %s\n",
+						     dns_result_totext(result));
+					goto failure;
+				}
+			}
 
 			/*
 			 *  Delete the NSEC3 records.
 			 */
-			CHECK(deletematchingnsec3(db, version, node, name,
-						  &nsec3chain->nsec3param,
-						  &nsec3_diff));
+			result = deletematchingnsec3(db, version, node, name,
+						     &nsec3chain->nsec3param,
+						     &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "deletematchingnsec3 -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			}
 			goto next_removenode;
 		}
 
@@ -5662,7 +5832,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 				seen_nsec = ISC_TRUE;
 			else if (rdataset.type == dns_rdatatype_nsec3)
 				seen_nsec3 = ISC_TRUE;
-			seen_rr = ISC_TRUE;
+			if (rdataset.type != dns_rdatatype_rrsig)
+				seen_rr = ISC_TRUE;
 			dns_rdataset_disassociate(&rdataset);
 		}
 		dns_rdatasetiter_destroy(&iterator);
@@ -5672,8 +5843,12 @@ zone_nsec3chain(dns_zone_t *zone) {
 		if ((seen_ns && !seen_soa) || seen_dname)
 			delegation = ISC_TRUE;
 
-		CHECK(add_nsec(db, version, name, node, zone->minimum,
-			       delegation, &nsec_diff));
+		/*
+		 * Add a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db)))
+			CHECK(add_nsec(db, version, name, node, zone->minimum,
+				       delegation, &nsec_diff));
 
  next_removenode:
 		first = ISC_FALSE;
@@ -5695,8 +5870,17 @@ zone_nsec3chain(dns_zone_t *zone) {
 				UNLOCK_ZONE(zone);
 				ISC_LIST_APPEND(cleanup, nsec3chain, link);
 				dns_dbiterator_pause(nsec3chain->dbiterator);
-				CHECK(fixup_nsec3param(db, version, nsec3chain,
-						       ISC_FALSE, ¶m_diff));
+				result = fixup_nsec3param(db, version,
+							  nsec3chain, ISC_FALSE,
+							  privatetype,
+						          ¶m_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "zone_nsec3chain:"
+						     "fixup_nsec3param -> %s\n",
+						     dns_result_totext(result));
+					goto failure;
+				}
 				goto next_removechain;
 			} else if (result != ISC_R_SUCCESS) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5727,108 +5911,98 @@ zone_nsec3chain(dns_zone_t *zone) {
 		first = ISC_TRUE;
 	}
 
+	/*
+	 * We may need to update the NSEC/NSEC3 records for the zone apex.
+	 */
+	if (!ISC_LIST_EMPTY(param_diff.tuples)) {
+		isc_boolean_t rebuild_nsec = ISC_FALSE,
+			      rebuild_nsec3 = ISC_FALSE;
+		result = dns_db_getoriginnode(db, &node);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_nsec)
+				rebuild_nsec = ISC_TRUE;
+			if (rdataset.type == dns_rdatatype_nsec3param)
+				rebuild_nsec3 = ISC_TRUE;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		dns_db_detachnode(db, &node);
+		if (rebuild_nsec) {
+			result = updatesecure(db, version, &zone->origin,
+					      zone->minimum, ISC_TRUE, NULL,
+					      &nsec_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "updatesecure -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}
+		if (rebuild_nsec3) {
+			result = dns_nsec3_addnsec3s(db, version,
+						     dns_db_origin(db),
+						     zone->minimum, ISC_FALSE,
+						     &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_nsec3_addnsec3s -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}
+	}
+
 	/*
 	 * Add / update signatures for the NSEC3 records.
 	 */
-	for (tuple = ISC_LIST_HEAD(nsec3_diff.tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_HEAD(nsec3_diff.tuples)) {
-		/*
-		 * We have changed the NSEC3 RRset above so we need to update
-		 * the signatures.
-		 */
-		result = del_sigs(zone, db, version, &tuple->name,
-				  dns_rdatatype_nsec3, &sig_diff,
-				  zone_keys, nkeys, now);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:del_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, version, &tuple->name,
-				  dns_rdatatype_nsec3, &sig_diff, zone_keys,
-				  nkeys, zone->mctx, inception, expire,
-				  check_ksk);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:add_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-
-		do {
-			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
-			while (next != NULL &&
-			       !dns_name_equal(&tuple->name, &next->name))
-				next = ISC_LIST_NEXT(next, link);
-			ISC_LIST_UNLINK(nsec3_diff.tuples, tuple, link);
-			dns_diff_appendminimal(&sig_diff, &tuple);
-			INSIST(tuple == NULL);
-			tuple = next;
-		} while (tuple != NULL);
+	result = update_sigs(&nsec3_diff, db, version, zone_keys,
+			     nkeys, zone, inception, expire, now,
+			     check_ksk, &sig_diff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "update_sigs -> %s\n", dns_result_totext(result));
+		goto failure;
 	}
 
-	for (tuple = ISC_LIST_HEAD(param_diff.tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_HEAD(param_diff.tuples)) {
-		/*
-		 * We have changed the NSEC3PARAM RRset above so we need to
-		 * update the signatures.
-		 */
-		result = del_sigs(zone, db, version, &tuple->name,
-				  dns_rdatatype_nsec3param, &sig_diff,
-				  zone_keys, nkeys, now);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:del_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, version, &tuple->name,
-				  dns_rdatatype_nsec3param, &sig_diff,
-				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:add_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		ISC_LIST_UNLINK(param_diff.tuples, tuple, link);
-		dns_diff_appendminimal(&sig_diff, &tuple);
-		INSIST(tuple == NULL);
+	/*
+	 * We have changed the NSEC3PARAM or private RRsets
+	 * above so we need to update the signatures.
+	 */
+	result = update_sigs(¶m_diff, db, version, zone_keys,
+			     nkeys, zone, inception, expire, now,
+			     check_ksk, &sig_diff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "update_sigs -> %s\n", dns_result_totext(result));
+		goto failure;
 	}
 
-	if (updatensec)
-		CHECK(updatesecure(db, version, &zone->origin, zone->minimum,
-				   NULL, &nsec_diff));
+	if (updatensec) {
+		result = updatesecure(db, version, &zone->origin,
+				      zone->minimum, ISC_FALSE, NULL,
+				      &nsec_diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "updatesecure -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
 
-	for (tuple = ISC_LIST_HEAD(nsec_diff.tuples);
-	     tuple != NULL;
-	     tuple = ISC_LIST_HEAD(nsec_diff.tuples)) {
-		result = del_sigs(zone, db, version, &tuple->name,
-				  dns_rdatatype_nsec, &sig_diff,
-				  zone_keys, nkeys, now);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:del_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, version, &tuple->name,
-				  dns_rdatatype_nsec, &sig_diff,
-				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_nsec3chain:add_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		ISC_LIST_UNLINK(nsec_diff.tuples, tuple, link);
-		dns_diff_appendminimal(&sig_diff, &tuple);
-		INSIST(tuple == NULL);
+	result = update_sigs(&nsec_diff, db, version, zone_keys,
+			     nkeys, zone, inception, expire, now,
+			     check_ksk, &sig_diff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "update_sigs -> %s\n", dns_result_totext(result));
+		goto failure;
 	}
 
 	/*
@@ -5901,6 +6075,9 @@ zone_nsec3chain(dns_zone_t *zone) {
 	set_resigntime(zone);
 
  failure:
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s\n",
+			     dns_result_totext(result));
 	/*
 	 * On error roll back the current nsec3chain.
 	 */
@@ -5957,6 +6134,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 	for (i = 0; i < nkeys; i++)
 		dst_key_free(&zone_keys[i]);
 
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
 	if (version != NULL) {
 		dns_db_closeversion(db, &version, ISC_FALSE);
 		dns_db_detach(&db);
@@ -6066,14 +6245,18 @@ zone_sign(dns_zone_t *zone) {
 	isc_boolean_t delegation;
 	isc_boolean_t finishedakey = ISC_FALSE;
 	isc_boolean_t secureupdated = ISC_FALSE;
-	isc_boolean_t build_nsec3 = ISC_FALSE, build_nsec = ISC_FALSE;
+	isc_boolean_t build_nsec = ISC_FALSE;
+	isc_boolean_t build_nsec3 = ISC_FALSE;
 	isc_boolean_t first;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire, stop;
 	isc_uint32_t jitter;
-	unsigned int i;
+	unsigned int i, j;
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
+	isc_boolean_t was_ksk;
+	isc_boolean_t have_ksk;
+	isc_boolean_t have_nonksk;
 
 	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fixed);
@@ -6126,10 +6309,6 @@ zone_sign(dns_zone_t *zone) {
 	expire = soaexpire - jitter % 3600;
 	stop = now + 5;
 
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	if (check_ksk)
-		check_ksk = ksk_sanity(db, version);
-
 	/*
 	 * We keep pulling nodes off each iterator in turn until
 	 * we have no more nodes to pull off or we reach the limits
@@ -6139,39 +6318,14 @@ zone_sign(dns_zone_t *zone) {
 	signatures = zone->signatures;
 	signing = ISC_LIST_HEAD(zone->signing);
 	first = ISC_TRUE;
+
 	/*
-	 * See if we have a NSEC chain.
+	 * If we have already determined that we are building a NSEC chain
+	 * continue to do so otherwise workout which type of chain we need
+	 * to be building if any.
 	 */
-	result = dns_db_getoriginnode(db, &node);
-	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
-				     dns_rdatatype_none, 0, &rdataset, NULL);
-	dns_db_detachnode(db, &node);
-	if (result == ISC_R_SUCCESS) {
-		build_nsec = ISC_TRUE;
-		dns_rdataset_disassociate(&rdataset);
-	} else if (result != ISC_R_NOTFOUND) {
-		goto failure;
-	} else {
-		/*
-		 * No NSEC chain present.
-		 * See if we need to build a NSEC3 chain?
-		 */
-		result = dns_nsec3_active(db, version, ISC_TRUE, &build_nsec3);
-		if (result == ISC_R_SUCCESS) {
-			if (build_nsec3)
-				build_nsec3 = ISC_FALSE;
-			else  {
-				result = dns_nsec3_active(db, version,
-							  ISC_FALSE,
-							  &build_nsec3);
-				if (build_nsec3)
-					secureupdated = ISC_TRUE;
-				else
-					build_nsec = ISC_TRUE;
-			}
-		}
-	}
+	CHECK(dns_private_chains(db, version, zone->privatetype,
+				 &build_nsec, &build_nsec3));
 
 	while (signing != NULL && nodes-- > 0 && signatures > 0) {
 		nextsigning = ISC_LIST_NEXT(signing, link);
@@ -6193,9 +6347,42 @@ zone_sign(dns_zone_t *zone) {
 		if (signing->db != db)
 			goto next_signing;
 
-		is_ksk = ISC_FALSE;
 		delegation = ISC_FALSE;
 
+		/*
+		 * ksk_sanity() accounting for the key to be removed.
+		 */
+
+		was_ksk = ISC_FALSE;
+		have_ksk = ISC_FALSE;
+		have_nonksk = ISC_FALSE;
+
+		for (i = 0, j = 0; i < nkeys; i++) {
+			/*
+			 * Find the key we want to remove.
+			 */
+			if (signing->delete &&
+			    dst_key_alg(zone_keys[i]) == signing->algorithm &&
+			    dst_key_id(zone_keys[i]) == signing->keyid) {
+				if ((dst_key_flags(zone_keys[j]) &
+				     DNS_KEYFLAG_KSK) != 0)
+					was_ksk = ISC_TRUE;
+				dst_key_free(&zone_keys[i]);
+			}
+			zone_keys[j] = zone_keys[i];
+			if ((dst_key_flags(zone_keys[j]) &
+			     DNS_KEYFLAG_KSK) != 0)
+				have_ksk = ISC_TRUE;
+			else
+				have_nonksk = ISC_TRUE;
+			j++;
+		}
+
+		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+		if (check_ksk && (!have_nonksk || !have_ksk))
+			check_ksk = ISC_FALSE;
+		nkeys = j;
+
 		dns_dbiterator_current(signing->dbiterator, &node, name);
 
 		if (signing->delete) {
@@ -6203,7 +6390,6 @@ zone_sign(dns_zone_t *zone) {
 			CHECK(del_sig(db, version, name, node, nkeys,
 				      signing->algorithm, signing->keyid,
 				      &sig_diff));
-			goto next_node;
 		}
 		/*
 		 * On the first pass we need to check if the current node
@@ -6237,15 +6423,18 @@ zone_sign(dns_zone_t *zone) {
 		dns_dbiterator_pause(signing->dbiterator);
 		for (i = 0; i < nkeys; i++) {
 			/*
-			 * Find the key we want to sign with.
+			 * Find the keys we want to sign with.
 			 */
-			if (dst_key_alg(zone_keys[i]) != signing->algorithm ||
-			    dst_key_id(zone_keys[i]) != signing->keyid ||
-			    !dst_key_isprivate(zone_keys[i]))
+			if (!dst_key_isprivate(zone_keys[i]))
+				continue;
+			if ((!signing->delete || was_ksk || check_ksk) &&
+			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+			     dst_key_id(zone_keys[i]) != signing->keyid))
 				continue;
 			/*
 			 * Do we do KSK processing?
 			 */
+			is_ksk = ISC_FALSE;
 			if (check_ksk &&
 			    (dst_key_flags(zone_keys[i]) & DNS_KEYFLAG_KSK) != 0)
 				is_ksk = ISC_TRUE;
@@ -6282,6 +6471,7 @@ zone_sign(dns_zone_t *zone) {
 					result = updatesecure(db, version,
 							      &zone->origin,
 							      zone->minimum,
+							      ISC_FALSE,
 							      &secureupdated,
 							      &sig_diff);
 					if (result != ISC_R_SUCCESS) {
@@ -6292,10 +6482,8 @@ zone_sign(dns_zone_t *zone) {
 						goto failure;
 					}
 				}
-				result = updatesignwithkey(signing, version,
-							   &zone->origin,
-							   zone->privatetype,
-							   &sig_diff);
+				result = updatesignwithkey(zone, signing,
+							   version, &sig_diff);
 				if (result != ISC_R_SUCCESS) {
 					dns_zone_log(zone, ISC_LOG_ERROR,
 						     "updatesignwithkey "
@@ -6303,6 +6491,7 @@ zone_sign(dns_zone_t *zone) {
 						     dns_result_totext(result));
 					goto failure;
 				}
+				build_nsec = ISC_FALSE;
 				goto next_signing;
 			} else if (result != ISC_R_SUCCESS) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -6381,8 +6570,10 @@ zone_sign(dns_zone_t *zone) {
 	/*
 	 * Have we changed anything?
 	 */
-	if (ISC_LIST_HEAD(sig_diff.tuples) == NULL)
+	if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) {
+		result = ISC_R_SUCCESS;
 		goto pauseall;
+	}
 
 	commit = ISC_TRUE;
 
@@ -6468,7 +6659,7 @@ zone_sign(dns_zone_t *zone) {
 	signing = ISC_LIST_HEAD(cleanup);
 	while (signing != NULL) {
 		ISC_LIST_UNLINK(cleanup, signing, link);
-		ISC_LIST_APPEND(zone->signing, signing, link);
+		ISC_LIST_PREPEND(zone->signing, signing, link);
 		dns_dbiterator_first(signing->dbiterator);
 		dns_dbiterator_pause(signing->dbiterator);
 		signing = ISC_LIST_HEAD(cleanup);
@@ -6484,6 +6675,8 @@ zone_sign(dns_zone_t *zone) {
 	for (i = 0; i < nkeys; i++)
 		dst_key_free(&zone_keys[i]);
 
+	INSIST(node == NULL);
+
 	if (version != NULL) {
 		dns_db_closeversion(db, &version, ISC_FALSE);
 		dns_db_detach(&db);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index c2f899833b..87d707c40c 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.105 2009/09/02 16:10:03 each Exp $ */
+/* $Id: namedconf.c,v 1.106 2009/10/08 23:13:07 marka Exp $ */
 
 /*! \file */
 
@@ -1135,6 +1135,7 @@ zone_clauses[] = {
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "notify-to-soa", &cfg_type_boolean, 0 },
 	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
+	{ "secure-to-insecure", &cfg_type_boolean, 0 },
 	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
 	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
 	{ "sig-signing-type", &cfg_type_uint32, 0 },

From 70f5a54bf2676b136aa838d1ee9688e00b5dd8b9 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 8 Oct 2009 23:30:37 +0000
Subject: [PATCH 281/385] newcopyrights

---
 util/copyrights | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 22c0fbbcca..fd45ec0d88 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -195,7 +195,7 @@
 ./bin/named/main.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/named.8				MAN	DOCBOOK
 ./bin/named/named.conf.5			MAN	DOCBOOK
-./bin/named/named.conf.docbook			SGML	2004,2005,2006,2007,2008
+./bin/named/named.conf.docbook			SGML	2004,2005,2006,2007,2008,2009
 ./bin/named/named.conf.html			HTML	DOCBOOK
 ./bin/named/named.docbook			SGML	2000,2001,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/named.html				HTML	DOCBOOK
@@ -1765,7 +1765,7 @@
 ./lib/dns/include/.cvsignore			X	1998,1999,2000,2001
 ./lib/dns/include/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007
 ./lib/dns/include/dns/.cvsignore		X	1998,1999,2000,2001
-./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004,2007,2008
+./lib/dns/include/dns/Makefile.in		MAKE	1998,1999,2000,2001,2002,2003,2004,2007,2008,2009
 ./lib/dns/include/dns/acache.h			C	2004,2006,2007
 ./lib/dns/include/dns/acl.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/adb.h			C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008

From 15bbb8a1298a61e401ba16c944dc06049abb81bf Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 8 Oct 2009 23:48:10 +0000
Subject: [PATCH 282/385] update copyright notice

---
 bin/named/named.conf.docbook    |  5 +++--
 bin/named/update.c              |  4 ++--
 lib/dns/include/dns/Makefile.in |  4 ++--
 lib/dns/include/dns/nsec3.h     |  8 ++++----
 lib/dns/include/dns/rdata.h     | 14 +++++++-------
 lib/dns/nsec3.c                 | 20 ++++++++++----------
 lib/dns/zone.c                  | 24 ++++++++++++------------
 7 files changed, 40 insertions(+), 39 deletions(-)

diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index ddf3ee4996..87ba9b192b 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       []>
 
 
-
+
 
   
     Aug 13, 2004
@@ -41,6 +41,7 @@
       2006
       2007
       2008
+      2009
       Internet Systems Consortium, Inc. ("ISC")
     
   
diff --git a/bin/named/update.c b/bin/named/update.c
index b6b288e4f9..406043d1c6 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.160 2009/10/08 23:13:05 marka Exp $ */
+/* $Id: update.c,v 1.161 2009/10/08 23:48:09 tbox Exp $ */
 
 #include 
 
@@ -3474,7 +3474,7 @@ isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
 
 	if (dns_db_issecure(db))
 		return (ISC_TRUE);
-	
+
 	result = dns_private_chains(db, ver, privatetype,
 				    &build_nsec, &build_nsec3);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index 49a9aeb1b8..6b6f2b3dc2 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.56 2009/10/08 23:13:07 marka Exp $
+# $Id: Makefile.in,v 1.57 2009/10/08 23:48:10 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index 905f6c1dd7..85c56b80e6 100644
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.9 2009/10/08 23:13:07 marka Exp $ */
+/* $Id: nsec3.h,v 1.10 2009/10/08 23:48:10 tbox Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@@ -220,7 +220,7 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
 
 isc_boolean_t
 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
-                           unsigned char *buf, size_t buflen);
+			   unsigned char *buf, size_t buflen);
 /*%<
  * Convert a private rdata to a nsec3param rdata.
  *
@@ -231,8 +231,8 @@ dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
 
 void
 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
-                         dns_rdatatype_t privatetype,
-                         unsigned char *buf, size_t buflen);
+			 dns_rdatatype_t privatetype,
+			 unsigned char *buf, size_t buflen);
 /*%<
  * Convert a nsec3param rdata to a private rdata.
  *
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index d06846b9e9..328ad5ea54 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.75 2009/10/08 23:13:07 marka Exp $ */
+/* $Id: rdata.h,v 1.76 2009/10/08 23:48:10 tbox Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -128,13 +128,13 @@ struct dns_rdata {
 #define DNS_RDATA_CHECKINITIALIZED
 #ifdef DNS_RDATA_CHECKINITIALIZED
 #define DNS_RDATA_INITIALIZED(rdata) \
-        ((rdata)->data == NULL && (rdata)->length == 0 && \
-         (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
-         !ISC_LINK_LINKED((rdata), link))
-#else   
+	((rdata)->data == NULL && (rdata)->length == 0 && \
+	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+	 !ISC_LINK_LINKED((rdata), link))
+#else
 #ifdef ISC_LIST_CHECKINIT
 #define DNS_RDATA_INITIALIZED(rdata) \
-        (!ISC_LINK_LINKED((rdata), link))
+	(!ISC_LINK_LINKED((rdata), link))
 #else
 #define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
 #endif
@@ -144,7 +144,7 @@ struct dns_rdata {
 #define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
 
 #define DNS_RDATA_VALIDFLAGS(rdata) \
-        (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
 
 /*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index b087cf0857..81de97f4f4 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.9 2009/10/08 23:13:06 marka Exp $ */
+/* $Id: nsec3.c,v 1.10 2009/10/08 23:48:10 tbox Exp $ */
 
 #include 
 
@@ -482,7 +482,7 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
 				continue;
 		} else
 			dns_rdataset_current(&rdataset, &rdata);
-		
+
 		if (rdata.length != param->length)
 			continue;
 		if (rdata.data[0] != param->data[0] ||
@@ -948,8 +948,8 @@ isc_boolean_t
 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
 			   unsigned char *buf, size_t buflen)
 {
-        dns_decompress_t dctx;
-        isc_result_t result;
+	dns_decompress_t dctx;
+	isc_result_t result;
 	isc_buffer_t buf1;
 	isc_buffer_t buf2;
 
@@ -962,20 +962,20 @@ dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
 
 	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
 	isc_buffer_add(&buf1, src->length - 1);
-        isc_buffer_setactive(&buf1, src->length - 1);
+	isc_buffer_setactive(&buf1, src->length - 1);
 	isc_buffer_init(&buf2, buf, buflen);
-        dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
-        result = dns_rdata_fromwire(target, src->rdclass,
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	result = dns_rdata_fromwire(target, src->rdclass,
 				    dns_rdatatype_nsec3param,
 				    &buf1, &dctx, 0, &buf2);
-        dns_decompress_invalidate(&dctx);
+	dns_decompress_invalidate(&dctx);
 
-        return (ISC_TF(result == ISC_R_SUCCESS));
+	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
 void
 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
-			 dns_rdatatype_t privatetype, 
+			 dns_rdatatype_t privatetype,
 			 unsigned char *buf, size_t buflen)
 {
 	REQUIRE(buflen >= src->length + 1);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c7a431b680..1dc5a5fb2c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.510 2009/10/08 23:13:07 marka Exp $ */
+/* $Id: zone.c,v 1.511 2009/10/08 23:48:10 tbox Exp $ */
 
 /*! \file */
 
@@ -2309,7 +2309,7 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	}
 	if (nsec3param->salt_length == 0)
 		strlcpy(saltbuf, "-", sizeof(saltbuf));
-	else 
+	else
 		for (i = 0; i < nsec3param->salt_length; i++)
 			sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
 	dns_zone_log(zone, ISC_LOG_INFO,
@@ -5014,7 +5014,7 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
-	result = dns_db_findrdataset(signing->db, node, version, 
+	result = dns_db_findrdataset(signing->db, node, version,
 				     zone->privatetype, dns_rdatatype_none,
 				     0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
@@ -5073,7 +5073,7 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
  * If 'active' is set then we are not done with the chain yet so only
  * delete the nsec3param record which indicates a full chain exists
  * (flags == 0).
- */ 
+ */
 static isc_result_t
 fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 		 isc_boolean_t active, dns_rdatatype_t privatetype,
@@ -5216,7 +5216,7 @@ delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
 				     0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND)
 		return (ISC_R_SUCCESS);
-	if (result != ISC_R_SUCCESS) 
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
@@ -5387,7 +5387,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
 			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
 			while (next != NULL &&
 			       (tuple->rdata.type != next->rdata.type ||
-			        !dns_name_equal(&tuple->name, &next->name)))
+				!dns_name_equal(&tuple->name, &next->name)))
 				next = ISC_LIST_NEXT(next, link);
 			ISC_LIST_UNLINK(diff->tuples, tuple, link);
 			dns_diff_appendminimal(sig_diff, &tuple);
@@ -5733,8 +5733,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 		if (first && !updatensec &&
 		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0) {
 			result = need_nsec_chain(db, version,
-					         &nsec3chain->nsec3param,
-					         &buildnsecchain);
+						 &nsec3chain->nsec3param,
+						 &buildnsecchain);
 			if (result != ISC_R_SUCCESS) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
 					     "zone_nsec3chain:"
@@ -5742,7 +5742,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 					     dns_result_totext(result));
 				goto failure;
 			}
-		}	
+		}
 
 		if (first)
 			dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
@@ -5758,8 +5758,8 @@ zone_nsec3chain(dns_zone_t *zone) {
 			if (first) {
 				result = fixup_nsec3param(db, version,
 							  nsec3chain,
-						          ISC_TRUE, privatetype,
-						          ¶m_diff);
+							  ISC_TRUE, privatetype,
+							  ¶m_diff);
 				if (result != ISC_R_SUCCESS) {
 					dns_zone_log(zone, ISC_LOG_ERROR,
 						     "zone_nsec3chain:"
@@ -5873,7 +5873,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 				result = fixup_nsec3param(db, version,
 							  nsec3chain, ISC_FALSE,
 							  privatetype,
-						          ¶m_diff);
+							  ¶m_diff);
 				if (result != ISC_R_SUCCESS) {
 					dns_zone_log(zone, ISC_LOG_ERROR,
 						     "zone_nsec3chain:"

From 0838b3c02f79e1a3f1bf7b12e49c0f9fdf41bf56 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 8 Oct 2009 23:55:57 +0000
Subject: [PATCH 283/385] Recompute check_ksk as it may have changed

---
 lib/dns/zone.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1dc5a5fb2c..2511d319b3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.511 2009/10/08 23:48:10 tbox Exp $ */
+/* $Id: zone.c,v 1.512 2009/10/08 23:55:57 marka Exp $ */
 
 /*! \file */
 
@@ -6515,6 +6515,13 @@ zone_sign(dns_zone_t *zone) {
 		first = ISC_TRUE;
 	}
 
+	/*
+	 * Recompute check_ksk as it may have changed.
+	 */
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, version);
+
 	if (secureupdated) {
 		/*
 		 * We have changed the NSEC RRset above so we need to update

From bb4e0bd8e8155a7ecb2fc975540fb526ee63e1bf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 8 Oct 2009 23:58:14 +0000
Subject: [PATCH 284/385] silence ininitialised

---
 lib/dns/zone.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2511d319b3..5f03a7db77 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.512 2009/10/08 23:55:57 marka Exp $ */
+/* $Id: zone.c,v 1.513 2009/10/08 23:58:14 marka Exp $ */
 
 /*! \file */
 
@@ -6458,8 +6458,7 @@ zone_sign(dns_zone_t *zone) {
 				ISC_LIST_APPEND(cleanup, signing, link);
 				dns_dbiterator_pause(signing->dbiterator);
 				finishedakey = ISC_TRUE;
-				if (!is_ksk && !secureupdated && nkeys != 0 &&
-				    build_nsec) {
+				if (!secureupdated && nkeys != 0 && build_nsec) {
 					/*
 					 * We have finished regenerating the
 					 * zone with a zone signing key.

From d1bcaec0d6c3a2f6afe004c1a087314015cb77c0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 9 Oct 2009 00:33:39 +0000
Subject: [PATCH 285/385] 2708.   [func]          Insecure to secure and NSEC3
 parameter changes via                         update are now fully supported
 and no longer require                         defines to enable.  We now no
 longer overload the                         NSEC3PARAM flag field, nor the
 NSEC OPT bit at the                         apex.  Secure to insecure changes
 are controlled by                         by the named.conf option
 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.
---
 lib/dns/include/dns/private.h |  55 +++++++
 lib/dns/private.c             | 293 ++++++++++++++++++++++++++++++++++
 2 files changed, 348 insertions(+)
 create mode 100644 lib/dns/include/dns/private.h
 create mode 100644 lib/dns/private.c

diff --git a/lib/dns/include/dns/private.h b/lib/dns/include/dns/private.h
new file mode 100644
index 0000000000..f9685c2400
--- /dev/null
+++ b/lib/dns/include/dns/private.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: private.h,v 1.2 2009/10/09 00:33:39 marka Exp $ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+#ifndef DNS_PRIVATE_H
+#define DNS_PRIVATE_H
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+                   dns_rdatatype_t privatetype,
+                   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3);
+/*%<
+ * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
+ * database to determine which of NSEC or NSEC3 chains we are currently
+ * maintaining.  In normal operations only one of NSEC or NSEC3 is being
+ * maintained but when we are transitiong between NSEC and NSEC3 we need
+ * to update both sets of chains.  If 'privatetype' is zero then the 
+ * privatetype RRset will not be examined.
+ *
+ * Requires:
+ * \li	'db' is valid.
+ * \li	'version' is valid or NULL.
+ * \li	'build_nsec' is a pointer to a isc_boolean_t or NULL.
+ * \li	'build_nsec3' is a pointer to a isc_boolean_t or NULL.
+ *
+ * Returns:
+ * \li 	ISC_R_SUCCESS, 'build_nsec' and 'build_nsec3' will be valid.
+ * \li	other on error
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/lib/dns/private.c b/lib/dns/private.c
new file mode 100644
index 0000000000..d2da122419
--- /dev/null
+++ b/lib/dns/private.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "config.h"
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+/*
+ * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
+ * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
+ *
+ * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
+ * if all the NSEC3PARAM records (and associated chains) are slated for
+ * destruction and we have not been told to NOT build the NSEC chain.
+ *
+ * If the NSEC set exist then check to see if there is a request to create
+ * a NSEC3 chain.
+ *
+ * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
+ * type exists then we need to examine it to determine if NSEC3 chain has
+ * been requested to be built otherwise a NSEC chain needs to be built.
+ */
+
+#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
+
+#define CHECK(x) do {					\
+			 result = (x);			\
+			 if (result != ISC_R_SUCCESS)	\
+				goto failure;		\
+		 } while (0)
+
+/*
+ * Work out if 'param' should be ignored or not (i.e. it is in the process
+ * of being removed).
+ *
+ * Note: we 'belt-and-braces' here by also checking for a CREATE private
+ * record and keep the param record in this case.
+ */
+
+static isc_boolean_t
+ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
+	isc_result_t result;
+		
+	for (result = dns_rdataset_first(privateset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(privateset)) {
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		/*
+		 * We are going to create a new NSEC3 chain so it 
+		 * doesn't matter if we are removing this one.
+		 */
+		if (CREATE(rdata.data[1]))
+			return (ISC_FALSE);
+		if (rdata.data[0] != param->data[0] ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], ¶m->data[5], param->data[4]))
+			continue;
+		/*
+		 * The removal of this NSEC3 chain does NOT cause a
+		 * NSEC chain to be created so we don't need to tell
+		 * the caller that it will be removed.
+		 */
+		if (NONSEC(rdata.data[1]))
+			return (ISC_FALSE);
+		return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_rdatatype_t privatetype,
+		   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3)
+{
+	dns_dbnode_t *node;
+	dns_rdataset_t nsecset, nsec3paramset, privateset;
+	isc_boolean_t nsec3chain;
+	isc_boolean_t signing;
+	isc_result_t result;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned int count;
+
+	node = NULL;
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&nsec3paramset);
+	dns_rdataset_init(&privateset);
+
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, (isc_stdtime_t) 0, &nsecset, NULL);
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, (isc_stdtime_t) 0, &nsec3paramset,
+				     NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	if (dns_rdataset_isassociated(&nsecset) &&
+	    dns_rdataset_isassociated(&nsec3paramset)) {
+		if (build_nsec != NULL)
+			*build_nsec = ISC_TRUE;
+		if (build_nsec3 != NULL)
+			*build_nsec3 = ISC_TRUE;
+		goto success;
+	}
+
+	if (privatetype != (dns_rdatatype_t)0) {
+		result = dns_db_findrdataset(db, node, ver, privatetype,
+					     0, (isc_stdtime_t) 0,
+					     &privateset, NULL);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+			goto failure;
+	}
+
+	/*
+	 * Look to see if we also need to be creating a NSEC3 chains.
+	 */
+	if (dns_rdataset_isassociated(&nsecset)) {
+		if (build_nsec != NULL)
+			*build_nsec = ISC_TRUE;
+		if (build_nsec3 != NULL)
+			*build_nsec3 = ISC_FALSE;
+		if (!dns_rdataset_isassociated(&privateset))
+			goto success;
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset)) {
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata,
+						        buf, sizeof(buf)))
+				continue;
+			if (REMOVE(rdata.data[1]))
+				continue;
+			if (build_nsec3 != NULL)
+				*build_nsec3 = ISC_TRUE;
+			break;
+		}
+		goto success;
+	}
+	
+	if (dns_rdataset_isassociated(&nsec3paramset)) {
+		if (build_nsec3 != NULL)
+			*build_nsec3 = ISC_TRUE;
+		if (build_nsec != NULL)
+			*build_nsec = ISC_FALSE;
+		if (!dns_rdataset_isassociated(&privateset))
+			goto success;
+		/*
+		 * If we are in the process of building a new NSEC3 chain
+		 * then we don't need to build a NSEC chain.
+		 */
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset)) {
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata,
+							buf, sizeof(buf)))
+				continue;
+			if (CREATE(rdata.data[1]))
+				goto success;
+		}
+		 
+		/*
+		 * Check to see if there will be a active NSEC3CHAIN once
+		 * the changes queued complete.
+		 */
+		count = 0;
+		for (result = dns_rdataset_first(&nsec3paramset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&nsec3paramset)) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			/*
+			 * If there is more that one NSEC3 chain present then
+			 * we don't need to construct a NSEC chain.
+			 */
+			if (++count > 1)
+				goto success;
+			dns_rdataset_current(&nsec3paramset, &rdata);
+			if (ignore(&rdata, &privateset))
+				continue; 
+			/*
+			 * We still have a good NSEC3 chain or we are
+			 * not creating a NSEC chain as NONSEC is set.
+			 */
+			goto success;
+		}
+
+		/*
+		 * The last NSEC3 chain is being removed and does not have
+		 * have NONSEC set.
+		 */
+		if (build_nsec != NULL)
+			*build_nsec = ISC_TRUE;
+		goto success;
+	}
+
+	if (build_nsec != NULL)
+		*build_nsec = ISC_FALSE;
+	if (build_nsec3 != NULL)
+		*build_nsec3 = ISC_FALSE;
+	if (!dns_rdataset_isassociated(&privateset))
+		goto success;
+
+	signing = ISC_FALSE;
+	nsec3chain = ISC_FALSE;
+
+	for (result = dns_rdataset_first(&privateset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&privateset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf))) {
+			/*
+			 * Look for record that says we are signing the
+			 * zone with a key.
+			 */
+			if (private.length == 5 && private.data[0] != 0 &&
+			    private.data[3] == 0 && private.data[4] == 0)
+				signing = ISC_TRUE;
+		} else {
+			if (CREATE(rdata.data[1]))
+				nsec3chain = ISC_TRUE;
+		}
+	}
+
+	if (signing) {
+		if (nsec3chain) {
+			if (build_nsec3 != NULL)
+				*build_nsec3 = ISC_TRUE;
+		} else {
+			if (build_nsec != NULL)
+				*build_nsec = ISC_TRUE;
+		}
+	}
+
+ success:
+	result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&nsecset))
+		dns_rdataset_disassociate(&nsecset);
+	if (dns_rdataset_isassociated(&nsec3paramset))
+		dns_rdataset_disassociate(&nsec3paramset);
+	if (dns_rdataset_isassociated(&privateset))
+		dns_rdataset_disassociate(&privateset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}

From b05106c7e68077d805893fbae006fae125494fd6 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 9 Oct 2009 01:14:47 +0000
Subject: [PATCH 286/385] regen

---
 bin/named/named.conf.5               |   9 +-
 bin/named/named.conf.html            |  35 +++---
 doc/arm/Bv9ARM.ch06.html             | 105 +++++++++-------
 doc/arm/Bv9ARM.ch07.html             |  14 +--
 doc/arm/Bv9ARM.ch08.html             |  18 +--
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  46 +++----
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +--
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  14 +--
 doc/arm/man.dnssec-keygen.html       |  16 +--
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  14 +--
 doc/arm/man.dnssec-signzone.html     |  12 +-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  16 +--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 doc/misc/options                     |   4 +
 24 files changed, 323 insertions(+), 300 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index f1bec3a92f..eb3fcb8e62 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.37 2009/07/11 01:12:45 tbox Exp $
+.\" $Id: named.conf.5,v 1.38 2009/10/09 01:14:46 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -302,6 +302,7 @@ options {
 	try\-tcp\-refresh \fIboolean\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+	secure\-to\-insecure \fIboolean\fR;
 	nsec3\-test\-zone \fIboolean\fR;  // testing only
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	deallocate\-on\-exit \fIboolean\fR; // obsolete
@@ -445,6 +446,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	key\-directory \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+	secure\-to\-insecure \fIboolean\fR;
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	fetch\-glue \fIboolean\fR; // obsolete
 	maintain\-ixfr\-base \fIboolean\fR; // obsolete
@@ -476,6 +478,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 	ixfr\-from\-differences \fIboolean\fR;
 	journal \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
+	secure\-to\-insecure \fIboolean\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
 	allow\-query\-on { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
@@ -544,5 +547,5 @@ zone \fIstring\fR \fIoptional_class\fR {
 \fBrndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index c6ae20ae82..11564aff43 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -1,5 +1,5 @@
 
-
+
 
 
 
@@ -31,7 +31,7 @@
 
    named.conf 
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named.conf is the configuration file
       for
       named.  Statements are enclosed
@@ -50,14 +50,14 @@
     
    
 
    
 
    
-
    ACL
    
+
    ACL
    
 

    
 acl string { address_match_element; ... };
    
 
    
 
    
 
    
 
    
-
    KEY
    
+
    KEY
    
 

    
 key domain_name {
    
 	algorithm string;
    
@@ -66,7 +66,7 @@ key
 
    
 
    
 
    
-
    MASTERS
    
+
    MASTERS
    
 

    
 masters string [ port integer ] {
    masters | ipv4_address [port integer] |
    
@@ -75,7 +75,7 @@ masters
 
    
 
    
 
    
-
    SERVER
    
+
    SERVER
    
 

    
 server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
    
 	bogus boolean;
    
@@ -97,7 +97,7 @@ server
 
    
 
    
 
    
-
    TRUSTED-KEYS
    
+
    TRUSTED-KEYS
    
 

    
 trusted-keys {
    
 	domain_name flags protocol algorithm key; ... 
    
@@ -105,7 +105,7 @@ trusted-keys
 
    
 
    
 
    
-
    CONTROLS
    
+
    CONTROLS
    
 

    
 controls {
    
 	inet ( ipv4_address | ipv6_address | * )
    
@@ -117,7 +117,7 @@ controls
 
    
 
    
 
    
-
    LOGGING
    
+
    LOGGING
    
 

    
 logging {
    
 	channel string {
    
@@ -135,7 +135,7 @@ logging
 
    
 
    
 
    
-
    LWRES
    
+
    LWRES
    
 

    
 lwres {
    
 	listen-on [ port integer ] {
    
@@ -148,7 +148,7 @@ lwres
 
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 

    
 options {
    
 	avoid-v4-udp-ports { port; ... };
    
@@ -310,6 +310,7 @@ options
 	try-tcp-refresh boolean;
    
 	zero-no-soa-ttl boolean;
    
 	zero-no-soa-ttl-cache boolean;
    
+	secure-to-insecure boolean;
    
 
    
 	nsec3-test-zone boolean;  // testing only
    
 
    
@@ -329,7 +330,7 @@ options
 
    
 
    
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -468,6 +469,7 @@ view
 	key-directory quoted_string;
    
 	zero-no-soa-ttl boolean;
    
 	zero-no-soa-ttl-cache boolean;
    
+	secure-to-insecure boolean;
    
 
    
 	allow-v6-synthesis { address_match_element; ... }; // obsolete
    
 	fetch-glue boolean; // obsolete
    
@@ -477,7 +479,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -501,6 +503,7 @@ zone
 	ixfr-from-differences boolean;
    
 	journal quoted_string;
    
 	zero-no-soa-ttl boolean;
    
+	secure-to-insecure boolean;
    
 
    
 	allow-query { address_match_element; ... };
    
 	allow-query-on { address_match_element; ... };
    
@@ -569,12 +572,12 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/named.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       rndc(8),
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 8ae53c7513..876435cfb9 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2137,6 +2137,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ secure-to-insecure yes_or_no ;]
     [ try-tcp-refresh yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
     [ blackhole { address_match_list }; ]
@@ -3362,11 +3363,17 @@ options {
                   For BIND 8 compatibility, the default is
                   yes.
                 
    
+
    secure-to-insecure
    
+
    
+                  Allow a zone to transition from secure to insecure by
+                  deleting all DNSKEY records.  The default is
+                  no.
+                
    
 
    
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3410,7 +3417,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3607,7 +3614,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4059,7 +4066,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4101,7 +4108,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4263,7 +4270,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5059,7 +5066,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5389,7 +5396,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5440,7 +5447,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5449,7 +5456,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5489,7 +5496,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5498,7 +5505,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5608,7 +5615,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5785,6 +5792,7 @@ zone zone_name [ allow-transfer { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ secure-to-insecure yes_or_no ; ]
     [ try-tcp-refresh yes_or_no; ]
     [ also-notify { ip_addr [port ip_port] ;
                   [ ip_addr [port ip_port] ; ... ] }; ]
@@ -5885,10 +5893,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6099,7 +6107,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6121,7 +6129,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6448,6 +6456,11 @@ zone zone_name [masterfile-format
                     in the section called “Tuning”.
                   
    
+
    secure-to-insecure
    
+
    
+                    See the description of
+                    secure-to-insecure in the section called “Boolean Options”.
+                  
    
 
    
 
 
    
@@ -6751,7 +6764,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6764,7 +6777,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7501,7 +7514,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7704,7 +7717,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7960,7 +7973,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8021,7 +8034,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8036,7 +8049,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8047,7 +8060,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8076,7 +8089,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8112,7 +8125,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8131,7 +8144,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8555,7 +8568,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9112,7 +9125,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9266,7 +9279,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9649,7 +9662,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9804,7 +9817,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 5e719c0886..863896700d 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 1f3f85ffed..e18a809e57 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 3ba778a4a3..067d089015 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 8d5311ba67..3a4d8bc8f6 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 52c8f186f4..a7198dc745 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4aa62eef0f..64ca98daa9 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index ca0f60a13c..1665b3bb3f 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index d338bb79c5..001d717287 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index fc1c5e691e..81ca3f3fac 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 5d4c23bba0..1908293e49 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index a13a6c4a97..356ebe610d 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 4f8cb5e589..5939150e6e 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -386,7 +386,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -415,14 +415,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index e0cbb658d7..ba5c51730a 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 8ed6506f46..de644190f7 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index a97c9e0427..e120d16d71 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index eb774223a1..8d07ff5671 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 6e1ceb4760..0f28e63fab 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index a30cd46592..1d9bcbff5a 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index a2085610d6..8c981256db 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 6ff7d82b05..37332ae00e 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/misc/options b/doc/misc/options
index 999b41af54..42fefab89a 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -181,6 +181,7 @@ options {
         root-delegation-only [ exclude { ; ... } ];
         rrset-order { [ class  ] [ type  ] [ name
              ]  ; ... };
+        secure-to-insecure ;
         serial-queries ; // obsolete
         serial-query-rate ;
         server-id (  | none |;
@@ -361,6 +362,7 @@ view   {
         root-delegation-only [ exclude { ; ... } ];
         rrset-order { [ class  ] [ type  ] [ name
              ]  ; ... };
+        secure-to-insecure ;
         server  {
                 bogus ;
                 edns ;
@@ -459,6 +461,7 @@ view   {
                 nsec3-test-zone ; // test only
                 pubkey   
                     ; // obsolete
+                secure-to-insecure ;
                 sig-signing-nodes ;
                 sig-signing-signatures ;
                 sig-signing-type ;
@@ -537,6 +540,7 @@ zone   {
         notify-to-soa ;
         nsec3-test-zone ; // test only
         pubkey    ; // obsolete
+        secure-to-insecure ;
         sig-signing-nodes ;
         sig-signing-signatures ;
         sig-signing-type ;

From 315a1514a58dbb1ca563445313d67c1cf664d248 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 9 Oct 2009 06:09:21 +0000
Subject: [PATCH 287/385] 2709.	[func]		Added some data fields,
 currently unused, to the 			private key file format, to
 allow implementation 			of explicit key rollover in a future
 release 			without impairing backward or forward
 compatibility. 			[RT #20310]

---
 CHANGES                      |  6 +++
 bin/dnssec/dnssec-revoke.c   |  4 +-
 bin/dnssec/dnssec-settime.c  |  4 +-
 bin/dnssec/dnssec-signzone.c |  4 +-
 lib/dns/dst_api.c            | 35 +++++++++++++--
 lib/dns/dst_internal.h       |  8 ++--
 lib/dns/dst_parse.c          | 85 ++++++++++++++++++++++++++----------
 lib/dns/hmac_link.c          |  5 ++-
 lib/dns/include/dst/dst.h    | 43 +++++++++++++++++-
 9 files changed, 156 insertions(+), 38 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6b350d3b3f..9b333880c7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+2709.	[func]		Added some data fields, currently unused, to the
+			private key file format, to allow implementation
+			of explicit key rollover in a future release
+			without impairing backward or forward compatibility.
+			[RT #20310]
+
 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 			update are now fully supported and no longer require
 			defines to enable.  We now no longer overload the
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 40168c4f80..6796c8eb40 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-revoke.c,v 1.15 2009/10/09 06:09:21 each Exp $ */
 
 /*! \file */
 
@@ -105,7 +105,7 @@ main(int argc, char **argv) {
 
 	isc_commandline_errprint = ISC_FALSE;
 
-	while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
 		switch (ch) {
 		    case 'E':
 			engine = isc_commandline_argument;
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 471403e398..374e0297e6 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-settime.c,v 1.16 2009/10/09 06:09:21 each Exp $ */
 
 /*! \file */
 
@@ -161,7 +161,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "EfK:uhp:v:P:A:R:I:D:")) != -1) {
+					   "E:fK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
 		case 'E':
 			engine = isc_commandline_argument;
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 7de39d05e6..1059d0b99e 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-signzone.c,v 1.242 2009/10/09 06:09:21 each Exp $ */
 
 /*! \file */
 
@@ -3424,7 +3424,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
 
 	/*
 	 * Process memory debugging argument first.
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 9c4427dfe4..1ea844e06e 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
+ * $Id: dst_api.c,v 1.35 2009/10/09 06:09:21 each Exp $
  */
 
 /*! \file */
@@ -109,7 +109,7 @@ static isc_result_t	frombuffer(dns_name_t *name,
 
 static isc_result_t	algorithm_status(unsigned int alg);
 
-static isc_result_t	addsuffix(char *filename, unsigned int len,
+static isc_result_t	addsuffix(char *filename, int len,
 				  const char *dirname, const char *ofilename,
 				  const char *suffix);
 
@@ -792,6 +792,35 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(valuep != NULL);
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	if (!key->numset[type])
+		return (ISC_R_NOTFOUND);
+	*valuep = key->nums[type];
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->nums[type] = value;
+	key->numset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsetnum(dst_key_t *key, int type)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->numset[type] = ISC_FALSE;
+}
+
 isc_result_t
 dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
 	REQUIRE(VALID_KEY(key));
@@ -1499,7 +1528,7 @@ algorithm_status(unsigned int alg) {
 }
 
 static isc_result_t
-addsuffix(char *filename, unsigned int len, const char *odirname,
+addsuffix(char *filename, int len, const char *odirname,
 	  const char *ofilename, const char *suffix)
 {
 	int olen = strlen(ofilename);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 7d2935c8bc..c363d33b27 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -116,8 +116,10 @@ struct dst_key {
 
 	} keydata;			/*%< pointer to key in crypto pkg fmt */
 
-	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< key timing metadata */
-	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< metadata set? */
+	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< timing metadata */
+	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< data set? */
+	isc_stdtime_t	nums[DST_MAX_NUMERIC + 1];   /*%< numeric metadata */
+	isc_boolean_t	numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
 
 	int		fmt_major;     /*%< private key format, major version */
 	int		fmt_minor;     /*%< private key format, minor version */
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 807fc0562c..66d0f17c43 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $
+ * $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
  */
 
 #include 
@@ -56,14 +56,23 @@
 #define PRIVATE_KEY_STR "Private-key-format:"
 #define ALGORITHM_STR "Algorithm:"
 
-#define METADATA_NTAGS 6
-static const char *metatags[METADATA_NTAGS] = {
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timetags[TIMING_NTAGS] = {
 	"Created:",
 	"Publish:",
 	"Activate:",
 	"Revoke:",
 	"Unpublish:",
-	"Delete:"
+	"Delete:",
+	"DSPublish:"
+};
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+	"Predecessor:",
+	"Successor:",
+	"MaxTTL:",
+	"RollPeriod:"
 };
 
 struct parse_map {
@@ -128,18 +137,6 @@ find_value(const char *s, const unsigned int alg) {
 	return (-1);
 }
 
-static int
-find_metadata(const char *s) {
-	int i;
-
-	for (i = 0; i < METADATA_NTAGS; i++) {
-		if (strcasecmp(s, metatags[i]) == 0)
-			return (i);
-	}
-
-	return (-1);
-}
-
 static const char *
 find_tag(const int value) {
 	int i;
@@ -152,6 +149,28 @@ find_tag(const int value) {
 	}
 }
 
+static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+	int i;
+
+	for (i = 0; i < ntags; i++) {
+		if (strcasecmp(s, tags[i]) == 0)
+			return (i);
+	}
+
+	return (-1);
+}
+
+static int
+find_timedata(const char *s) {
+	return (find_metadata(s, timetags, TIMING_NTAGS));
+}
+
+static int
+find_numericdata(const char *s) {
+	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
 static int
 check_rsa(const dst_private_t *priv) {
 	int i, j;
@@ -420,10 +439,25 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 			goto fail;
 		}
 
-		/* Key timing metadata */
-		tag = find_metadata(DST_AS_STR(token));
+		/* Numeric metadata */
+		tag = find_numericdata(DST_AS_STR(token));
 		if (tag >= 0) {
-			INSIST(tag < METADATA_NTAGS);
+			INSIST(tag < NUMERIC_NTAGS);
+
+			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+			if (token.type != isc_tokentype_number) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			dst_key_setnum(key, tag, token.value.as_ulong);
+			goto next;
+		}
+
+		/* Timing metadata */
+		tag = find_timedata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < TIMING_NTAGS);
 
 			NEXTTOKEN(lex, opt, &token);
 			if (token.type != isc_tokentype_string) {
@@ -490,6 +524,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	char buffer[MAXFIELDSIZE * 2];
 	isc_fsaccess_t access;
 	isc_stdtime_t when;
+	isc_uint32_t value;
 	isc_buffer_t b;
 	isc_region_t r;
 	int major, minor;
@@ -587,9 +622,15 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 		fprintf(fp, "\n");
 	}
 
-	/* Add the timing metadata tags */
+	/* Add the metadata tags */
 	if (major > 1 || (major == 1 && minor >= 3)) {
-		for (i = 0; i < METADATA_NTAGS; i++) {
+		for (i = 0; i < NUMERIC_NTAGS; i++) {
+			result = dst_key_getnum(key, i, &value);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			fprintf(fp, "%s %u\n", numerictags[i], value);
+		}
+		for (i = 0; i < TIMING_NTAGS; i++) {
 			result = dst_key_gettime(key, i, &when);
 			if (result != ISC_R_SUCCESS)
 				continue;
@@ -601,7 +642,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 
 			isc_buffer_usedregion(&b, &r);
 
-			fprintf(fp, "%s ", metatags[i]);
+			fprintf(fp, "%s ", timetags[i]);
 			fwrite(r.base, 1, r.length, fp);
 			fprintf(fp, "\n");
 		}
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 1fe5db6407..24d836538c 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.13 2009/09/03 23:48:12 tbox Exp $
+ * $Id: hmac_link.c,v 1.14 2009/10/09 06:09:21 each Exp $
  */
 
 #include 
@@ -277,7 +277,8 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	UNUSED(pub);
 	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
+				       &priv);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index dab99f0009..1eb5aa54de 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dst.h,v 1.21 2009/10/09 06:09:21 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -86,7 +86,15 @@ typedef struct dst_context 	dst_context_t;
 #define DST_TIME_REVOKE 	3
 #define DST_TIME_INACTIVE	4
 #define DST_TIME_DELETE 	5
-#define DST_MAX_TIMES		5
+#define DST_TIME_DSPUBLISH 	6
+#define DST_MAX_TIMES		6
+
+/* Numeric metadata definitions */
+#define DST_NUM_PREDECESSOR	0
+#define DST_NUM_SUCCESSOR	1
+#define DST_NUM_MAXTTL		2
+#define DST_NUM_ROLLPERIOD	3
+#define DST_MAX_NUMERIC		3
 
 /***
  *** Functions
@@ -690,6 +698,37 @@ dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
  *	"key" is a valid key.
  */
 
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep);
+/*%<
+ * Get a member of the numeric metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ *	"timep" is not null.
+ */
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value);
+/*%<
+ * Set a member of the numeric metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+void
+dst_key_unsetnum(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the numeric metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
 isc_result_t
 dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
 /*%<

From c356aac15118b68b81120e4e4c7b5b10183749d8 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 9 Oct 2009 23:18:54 +0000
Subject: [PATCH 288/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index d11fb0590f..de34249793 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -258,7 +258,9 @@ rt20257				new	fdupont	// 2009-09-18 16:53 +0000
 rt20257a			new	fdupont	// 2009-09-28 08:58 +0000
 rt20304				new	each	// 2009-09-24 22:57 +0000
 rt20310				new	each	// 2009-09-25 00:29 +0000
+rt20310a			new	each	// 2009-10-09 04:31 +0000
 rt20339				new	vjs	// 2009-09-29 20:44 +0000
+rt20340				new	marka	// 2009-10-09 06:29 +0000
 rt20369				new	fdupont	// 2009-10-06 08:41 +0000
 rt20369a			new	fdupont	// 2009-10-06 14:25 +0000
 rt20372				new	each	// 2009-10-06 22:08 +0000

From 3f802a977eb8ac127c1d6d0d76b8e38d032403da Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 9 Oct 2009 23:30:39 +0000
Subject: [PATCH 289/385] newcopyrights

---
 util/copyrights | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/copyrights b/util/copyrights
index fd45ec0d88..5e7dceba18 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1808,6 +1808,7 @@
 ./lib/dns/include/dns/order.h			C	2002,2004,2005,2006,2007
 ./lib/dns/include/dns/peer.h			C	2000,2001,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/dns/portlist.h		C	2003,2004,2005,2006,2007
+./lib/dns/include/dns/private.h			C	2009
 ./lib/dns/include/dns/rbt.h			C	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/dns/rcode.h			C	1999,2000,2001,2004,2005,2006,2007,2008
 ./lib/dns/include/dns/rdata.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
@@ -1872,6 +1873,7 @@
 ./lib/dns/order.c				C	2002,2004,2005,2007
 ./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/portlist.c				C	2003,2004,2005,2006,2007
+./lib/dns/private.c				C	2009
 ./lib/dns/rbt.c					C	1999,2000,2001,2002,2003,2004,2005,2007,2008,2009
 ./lib/dns/rbtdb.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/rbtdb.h				C	1999,2000,2001,2004,2005,2007

From 8a07de2f032b0137d89ae8af14faa1a915aaf9fa Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 9 Oct 2009 23:48:09 +0000
Subject: [PATCH 290/385] update copyright notice

---
 lib/dns/include/dns/private.h |  8 ++++----
 lib/dns/private.c             | 14 ++++++++------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/lib/dns/include/dns/private.h b/lib/dns/include/dns/private.h
index f9685c2400..0df13d89aa 100644
--- a/lib/dns/include/dns/private.h
+++ b/lib/dns/include/dns/private.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: private.h,v 1.2 2009/10/09 00:33:39 marka Exp $ */
+/* $Id: private.h,v 1.3 2009/10/09 23:48:09 tbox Exp $ */
 
 #include 
 #include 
@@ -29,14 +29,14 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
-                   dns_rdatatype_t privatetype,
-                   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3);
+		   dns_rdatatype_t privatetype,
+		   isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3);
 /*%<
  * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
  * database to determine which of NSEC or NSEC3 chains we are currently
  * maintaining.  In normal operations only one of NSEC or NSEC3 is being
  * maintained but when we are transitiong between NSEC and NSEC3 we need
- * to update both sets of chains.  If 'privatetype' is zero then the 
+ * to update both sets of chains.  If 'privatetype' is zero then the
  * privatetype RRset will not be examined.
  *
  * Requires:
diff --git a/lib/dns/private.c b/lib/dns/private.c
index d2da122419..1f7c32c304 100644
--- a/lib/dns/private.c
+++ b/lib/dns/private.c
@@ -14,6 +14,8 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* $Id: private.c,v 1.3 2009/10/09 23:48:09 tbox Exp $ */
+
 #include "config.h"
 
 #include 
@@ -61,7 +63,7 @@
 static isc_boolean_t
 ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
 	isc_result_t result;
-		
+
 	for (result = dns_rdataset_first(privateset);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(privateset)) {
@@ -74,7 +76,7 @@ ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
 						buf, sizeof(buf)))
 			continue;
 		/*
-		 * We are going to create a new NSEC3 chain so it 
+		 * We are going to create a new NSEC3 chain so it
 		 * doesn't matter if we are removing this one.
 		 */
 		if (CREATE(rdata.data[1]))
@@ -165,7 +167,7 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
 
 			dns_rdataset_current(&privateset, &private);
 			if (!dns_nsec3param_fromprivate(&private, &rdata,
-						        buf, sizeof(buf)))
+							buf, sizeof(buf)))
 				continue;
 			if (REMOVE(rdata.data[1]))
 				continue;
@@ -175,7 +177,7 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
 		}
 		goto success;
 	}
-	
+
 	if (dns_rdataset_isassociated(&nsec3paramset)) {
 		if (build_nsec3 != NULL)
 			*build_nsec3 = ISC_TRUE;
@@ -200,7 +202,7 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
 			if (CREATE(rdata.data[1]))
 				goto success;
 		}
-		 
+
 		/*
 		 * Check to see if there will be a active NSEC3CHAIN once
 		 * the changes queued complete.
@@ -219,7 +221,7 @@ dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
 				goto success;
 			dns_rdataset_current(&nsec3paramset, &rdata);
 			if (ignore(&rdata, &privateset))
-				continue; 
+				continue;
 			/*
 			 * We still have a good NSEC3 chain or we are
 			 * not creating a NSEC chain as NONSEC is set.

From 0d9fb986c5e0824a2e0497970c09d68d55b0c341 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 10 Oct 2009 01:13:39 +0000
Subject: [PATCH 291/385] silence comiler warning

---
 lib/dns/dst_api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 1ea844e06e..fd39b1ccf7 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.35 2009/10/09 06:09:21 each Exp $
+ * $Id: dst_api.c,v 1.36 2009/10/10 01:13:39 marka Exp $
  */
 
 /*! \file */
@@ -1548,7 +1548,7 @@ addsuffix(char *filename, int len, const char *odirname,
 			     odirname, olen, ofilename, suffix);
 	if (n < 0)
 		return (ISC_R_FAILURE);
-	if ((unsigned int)n >= len)
+	if (n >= len)
 		return (ISC_R_NOSPACE);
 	return (ISC_R_SUCCESS);
 }

From 3727725bb7d63605b68a644060857013d563b67f Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Sat, 10 Oct 2009 01:48:00 +0000
Subject: [PATCH 292/385] 2710.	[func]		New 'dnssec-signzone -x' flag
 and 'dnskey-ksk-only' 			zone option cause a zone to be signed
 with only KSKs 			signing the DNSKEY RRset, not ZSKs. 
 This reduces 			the size of a DNSKEY answer.  [RT #20340]

---
 CHANGES                            |   5 +
 bin/dnssec/dnssec-signzone.c       | 105 ++++++++----
 bin/dnssec/dnssec-signzone.docbook |  17 +-
 bin/named/config.c                 |   3 +-
 bin/named/named.conf.docbook       |   5 +-
 bin/named/update.c                 | 141 +++++++---------
 bin/named/zoneconf.c               |   7 +-
 doc/arm/Bv9ARM-book.xml            |  34 +++-
 lib/bind9/check.c                  |   3 +-
 lib/dns/include/dns/zone.h         |   3 +-
 lib/dns/zone.c                     | 249 ++++++++++++++++-------------
 lib/isccfg/namedconf.c             |   3 +-
 12 files changed, 341 insertions(+), 234 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9b333880c7..3472b24680 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
+			zone option cause a zone to be signed with only KSKs
+			signing the DNSKEY RRset, not ZSKs.  This reduces
+			the size of a DNSKEY answer.  [RT #20340]
+
 2709.	[func]		Added some data fields, currently unused, to the
 			private key file format, to allow implementation
 			of explicit key rollover in a future release
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 1059d0b99e..5d1634cf3f 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.242 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.243 2009/10/10 01:47:59 each Exp $ */
 
 /*! \file */
 
@@ -101,6 +101,8 @@ static int nsec_datatype = dns_rdatatype_nsec;
 #define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
 #define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
 
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+
 #define BUFSIZE 2048
 #define MAXDSKEYS 8
 
@@ -158,6 +160,7 @@ static isc_boolean_t nokeys = ISC_FALSE;
 static isc_boolean_t removefile = ISC_FALSE;
 static isc_boolean_t generateds = ISC_FALSE;
 static isc_boolean_t ignore_kskflag = ISC_FALSE;
+static isc_boolean_t keyset_kskonly = ISC_FALSE;
 static dns_name_t *dlv = NULL;
 static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
@@ -579,9 +582,27 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 		if (!issigningkey(key))
 			continue;
 
-		if (iszsk(key) ||
-		    (isksk(key) && set->type == dns_rdatatype_dnskey &&
-		     dns_name_equal(name, gorigin))) {
+		if (set->type == dns_rdatatype_dnskey &&
+		     dns_name_equal(name, gorigin)) {
+			isc_boolean_t have_ksk = isksk(key);;
+			dns_dnsseckey_t *tmpkey;
+
+			for (tmpkey = ISC_LIST_HEAD(keylist);
+			     tmpkey != NULL;
+			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
+				if (dst_key_alg(key->key) !=
+				    dst_key_alg(tmpkey->key))
+					continue;
+				if (REVOKE(tmpkey->key))
+					continue;
+				if (isksk(tmpkey))
+					have_ksk = ISC_TRUE;
+			}
+			if (isksk(key) || !have_ksk ||
+			    (iszsk(key) && !keyset_kskonly))
+				signwithkey(name, set, key->key, ttl, add,
+					    "signing with dnskey");
+		} else if (iszsk(key)) {
 			signwithkey(name, set, key->key, ttl, add,
 				    "signing with dnskey");
 		}
@@ -1422,8 +1443,8 @@ verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
 /*%
  * Verify that certain things are sane:
  *
- *   The apex has a DNSKEY record with at least one KSK and at least
- *   one ZSK.
+ *   The apex has a DNSKEY record with at least one KSK, and at least
+ *   one ZSK if the -x flag was not used.
  *
  *   The DNSKEY record was signed with at least one of the KSKs in this
  *   set.
@@ -1492,8 +1513,9 @@ verifyzone(void) {
 #endif
 
 	/*
-	 * Check that the DNSKEY RR has at least one self signing KSK and
-	 * one ZSK per algorithm in it.
+	 * Check that the DNSKEY RR has at least one self signing KSK
+	 * and one ZSK per algorithm in it (or, if -x was used, one
+	 * self-signing KSK).
 	 */
 	for (result = dns_rdataset_first(&rdataset);
 	     result == ISC_R_SUCCESS;
@@ -1591,7 +1613,7 @@ verifyzone(void) {
 	}
 	fprintf(stderr, ".\n");
 
-	if (!ignore_kskflag) {
+	if (!ignore_kskflag && !keyset_kskonly) {
 		for (i = 0; i < 256; i++) {
 			/*
 			 * The counts should both be zero or both be non-zero.
@@ -1708,20 +1730,24 @@ verifyzone(void) {
 		 */
 		fprintf(stderr, "Zone signing complete:\n");
 		for (i = 0; i < 256; i++) {
-			if ((zsk_algorithms[i] != 0) ||
-			    (ksk_algorithms[i] != 0) ||
-			    (standby_zsk[i] != 0) || (standby_ksk[i] != 0) ||
-			    (revoked_ksk[i] != 0) || (revoked_zsk[i] != 0)) {
+			if ((ksk_algorithms[i] != 0) ||
+			    (standby_ksk[i] != 0) ||
+			    (revoked_zsk[i] != 0) ||
+			    (zsk_algorithms[i] != 0) ||
+			    (standby_zsk[i] != 0) ||
+			    (revoked_zsk[i] != 0)) {
 				alg_format(i, algbuf, sizeof(algbuf));
 				fprintf(stderr, "Algorithm: %s: KSKs: "
 					"%u active, %u stand-by, %u revoked\n",
 					algbuf, ksk_algorithms[i],
 					standby_ksk[i], revoked_ksk[i]);
 				fprintf(stderr, "%*sZSKs: "
-					"%u active, %u stand-by, %u revoked\n",
+					"%u active, %u %s, %u revoked\n",
 					(int) strlen(algbuf) + 13, "",
 					zsk_algorithms[i],
-					standby_zsk[i], revoked_zsk[i]);
+					standby_zsk[i],
+					keyset_kskonly ? "present" : "stand-by",
+					revoked_zsk[i]);
 			}
 		}
 	}
@@ -3136,7 +3162,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 	isc_buffer_t namebuf;
 	isc_region_t r;
 	isc_result_t result;
-	dns_dnsseckey_t *key;
+	dns_dnsseckey_t *key, *tmpkey;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 	unsigned char keybuf[DST_KEY_MAXSIZE];
 	unsigned int filenamelen;
@@ -3162,22 +3188,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 
 	dns_diff_init(mctx, &diff);
 
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link))
-		if (!isksk(key)) {
-			have_non_ksk = ISC_TRUE;
-			break;
-		}
-
-	for (key = ISC_LIST_HEAD(keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link))
-		if (isksk(key)) {
-			have_ksk = ISC_TRUE;
-			break;
-		}
-
 	if (type == dns_rdatatype_dlv) {
 		dns_name_t tname;
 		unsigned int labels;
@@ -3196,6 +3206,27 @@ writeset(const char *prefix, dns_rdatatype_t type) {
 	     key != NULL;
 	     key = ISC_LIST_NEXT(key, link))
 	{
+		if (REVOKE(key->key))
+			continue;
+		if (isksk(key)) {
+			have_ksk = ISC_TRUE;
+			have_non_ksk = ISC_FALSE;
+		} else {
+			have_ksk = ISC_FALSE;
+			have_non_ksk = ISC_TRUE;
+		}
+		for (tmpkey = ISC_LIST_HEAD(keylist);
+		     tmpkey != NULL;
+		     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
+			if (dst_key_alg(key->key) != dst_key_alg(tmpkey->key))
+				continue;
+			if (REVOKE(tmpkey->key))
+				continue;
+			if (isksk(tmpkey))
+				have_ksk = ISC_TRUE;
+			else
+				have_non_ksk = ISC_TRUE;
+		}
 		if (have_ksk && have_non_ksk && !isksk(key))
 			continue;
 		dns_rdata_init(&rdata);
@@ -3340,6 +3371,8 @@ usage(void) {
 	fprintf(stderr, "print statistics\n");
 	fprintf(stderr, "\t-u:\t");
 	fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
+	fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
+	fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
 	fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
 			"\t\twith older versions of dnssec-signzone -g\n");
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
@@ -3348,8 +3381,6 @@ usage(void) {
 	fprintf(stderr, "\t-3 NSEC3 salt\n");
 	fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
 	fprintf(stderr, "\t-A NSEC3 optout\n");
-	fprintf(stderr, "\t-z:\t");
-	fprintf(stderr, "ignore KSK flag in DNSKEYs");
 
 	fprintf(stderr, "\n");
 
@@ -3424,7 +3455,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3644,6 +3675,10 @@ main(int argc, char *argv[]) {
 				fatal("verbose level must be numeric");
 			break;
 
+		case 'x':
+			keyset_kskonly = ISC_TRUE;
+			break;
+
 		case 'z':
 			ignore_kskflag = ISC_TRUE;
 			break;
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index aa3d506220..20c926ca98 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -83,6 +83,7 @@
       
       
       
+      
       
       
       
@@ -552,11 +553,23 @@
         
       
 
+      
+        -x
+        
+          
+            Only sign the DNSKEY RRset with key-signing keys, and omit
+            signatures from zone-signing keys.
+          
+        
+      
+
       
         -z
         
           
-            Ignore KSK flag on key when determining what to sign.
+            Ignore KSK flag on key when determining what to sign.  This
+            causes KSK-flagged keys to sign all records, not just the
+            DNSKEY RRset.
           
         
       
diff --git a/bin/named/config.c b/bin/named/config.c
index 5b8abd6d9d..39a8ba7ac6 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.102 2009/10/08 23:13:05 marka Exp $ */
+/* $Id: config.c,v 1.103 2009/10/10 01:47:59 each Exp $ */
 
 /*! \file */
 
@@ -200,6 +200,7 @@ options {\n\
 	check-srv-cname warn;\n\
 	zero-no-soa-ttl yes;\n\
 	update-check-ksk yes;\n\
+	dnskey-ksk-only no;\n\
 	try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 87ba9b192b..a570654e15 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -292,6 +292,7 @@ options {
 	allow-update { address_match_element; ... };
 	allow-update-forwarding { address_match_element; ... };
 	update-check-ksk boolean;
+	dnskey-ksk-only boolean;
 
 	masterfile-format ( text | raw );
 	notify notifytype;
@@ -457,6 +458,7 @@ view string optional_class
 	allow-update { address_match_element; ... };
 	allow-update-forwarding { address_match_element; ... };
 	update-check-ksk boolean;
+	dnskey-ksk-only boolean;
 
 	masterfile-format ( text | raw );
 	notify notifytype;
@@ -551,6 +553,7 @@ zone string optional_class
 		rrtypelist; ...
 	};
 	update-check-ksk boolean;
+	dnskey-ksk-only boolean;
 
 	masterfile-format ( text | raw );
 	notify notifytype;
diff --git a/bin/named/update.c b/bin/named/update.c
index 406043d1c6..59fc045872 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.161 2009/10/08 23:48:09 tbox Exp $ */
+/* $Id: update.c,v 1.162 2009/10/10 01:47:59 each Exp $ */
 
 #include 
 
@@ -1810,44 +1810,6 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
-static isc_boolean_t
-ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
-	isc_boolean_t ret = ISC_FALSE;
-	isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_dnskey_t dnskey;
-
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
-				   &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
-		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
-				 == DNS_KEYOWNER_ZONE) {
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
-				have_ksk = ISC_TRUE;
-			else
-				have_nonksk = ISC_TRUE;
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&rdataset);
-	}
-	if (have_ksk && have_nonksk)
-		ret = ISC_TRUE;
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (ret);
-}
-
 /*%
  * Add RRSIG records for an RRset, recording the change in "diff".
  */
@@ -1856,7 +1818,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
 	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
 	 isc_stdtime_t inception, isc_stdtime_t expire,
-	 isc_boolean_t check_ksk)
+	 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -1864,7 +1826,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
 	isc_buffer_t buffer;
 	unsigned char data[1024]; /* XXX */
-	unsigned int i;
+	unsigned int i, j;
 	isc_boolean_t added_sig = ISC_FALSE;
 	isc_mem_t *mctx = client->mctx;
 
@@ -1880,15 +1842,54 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				  (isc_stdtime_t) 0, &rdataset, NULL));
 	dns_db_detachnode(db, &node);
 
-	for (i = 0; i < nkeys; i++) {
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define ALG(x) dst_key_alg(x)
 
-		if (check_ksk && type != dns_rdatatype_dnskey &&
-		    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
-			continue;
+	/*
+	 * If we are honoring KSK flags then we need to check that we
+	 * have both KSK and non-KSK keys that are not revoked per
+	 * algorithm.
+	 */
+	for (i = 0; i < nkeys; i++) {
+		isc_boolean_t both = ISC_FALSE;
 
 		if (!dst_key_isprivate(keys[i]))
 			continue;
 
+		if (check_ksk && !REVOKE(keys[i])) { 
+			isc_boolean_t have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = ISC_TRUE;
+				have_nonksk = ISC_FALSE;
+			} else {
+				have_ksk = ISC_FALSE;
+				have_nonksk = ISC_TRUE;
+			}
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j])) 
+					continue;
+				if (REVOKE(keys[j]))
+					continue;
+				if (KSK(keys[j]))
+					have_ksk = ISC_TRUE;
+				else
+					have_nonksk = ISC_TRUE;
+		 		both = have_ksk && have_nonksk;
+				if (both)
+					break;
+			}
+		}
+
+		if (both) {
+			if (type == dns_rdatatype_dnskey) {
+				if (!KSK(keys[i]) && keyset_kskonly)
+					continue;
+			} else if (!KSK(keys[i]))
+				continue;
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+			continue;
+
 		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
 				      &inception, &expire,
@@ -1997,7 +1998,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
 		 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
 		 isc_stdtime_t inception, isc_stdtime_t expire,
-		 isc_boolean_t check_ksk)
+		 isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
 {
 	isc_result_t result;
 	dns_dbnode_t *node;
@@ -2043,7 +2044,8 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (flag)
 			continue;;
 		result = add_sigs(client, zone, db, ver, name, type, diff,
-				  keys, nkeys, inception, expire, check_ksk);
+					  keys, nkeys, inception, expire,
+					  check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_iterator;
 	}
@@ -2073,8 +2075,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 static isc_result_t
 update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		  dns_dbversion_t *oldver, dns_dbversion_t *newver,
-		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
-		  isc_boolean_t *deleted_zsk)
+		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
 {
 	isc_result_t result;
 	dns_difftuple_t *t;
@@ -2093,7 +2094,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	dns_dbnode_t *node = NULL;
-	isc_boolean_t check_ksk;
+	isc_boolean_t check_ksk, keyset_kskonly;
 	isc_boolean_t unsecure;
 	isc_boolean_t cut;
 	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
@@ -2126,27 +2127,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	 */
 	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
 			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
-	/*
-	 * If we are not checking the ZSK flag then all DNSKEY's are
-	 * already signing all RRsets so we don't need to trigger special
-	 * changes.
-	 */
-	if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
-		*deleted_zsk = ISC_FALSE;
-
-	if (check_ksk) {
-		check_ksk = ksk_sanity(db, newver);
-		if (!check_ksk && ksk_sanity(db, oldver))
-			update_log(client, zone, ISC_LOG_WARNING,
-				   "disabling update-check-ksk");
-	}
-
-	/*
-	 * If we have deleted a ZSK and we we still have some ZSK's
-	 * we don't need to convert the KSK's to a ZSK's.
-	 */
-	if (*deleted_zsk && check_ksk)
-		*deleted_zsk = ISC_FALSE;
+	keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
+			        DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
 
 	/*
 	 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
@@ -2213,7 +2195,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				CHECK(add_sigs(client, zone, db, newver, name,
 					       type, &sig_diff, zone_keys,
 					       nkeys, inception, expire,
-					       check_ksk));
+					       check_ksk, keyset_kskonly));
 			}
 		skip:
 			/* Skip any other updates to the same RRset. */
@@ -2365,7 +2347,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			}
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
-					       inception, expire, check_ksk));
+					       inception, expire, check_ksk,
+					       keyset_kskonly));
 		}
 	}
 
@@ -2427,7 +2410,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			CHECK(add_sigs(client, zone, db, newver, &t->name,
 				       dns_rdatatype_nsec, &sig_diff,
 				       zone_keys, nkeys, inception, expire,
-				       check_ksk));
+				       check_ksk, keyset_kskonly));
 		} else {
 			INSIST(0);
 		}
@@ -2523,7 +2506,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		} else {
 			CHECK(add_exposed_sigs(client, zone, db, newver, name,
 					       cut, diff, zone_keys, nkeys,
-					       inception, expire, check_ksk));
+					       inception, expire, check_ksk,
+					       keyset_kskonly));
 			CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
 						   unsecure, privatetype,
 						   &nsec_diff));
@@ -2557,7 +2541,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			CHECK(add_sigs(client, zone, db, newver, &t->name,
 				       dns_rdatatype_nsec3,
 				       &sig_diff, zone_keys, nkeys,
-				       inception, expire, check_ksk));
+				       inception, expire, check_ksk,
+				       keyset_kskonly));
 		} else {
 			INSIST(0);
 		}
@@ -3503,7 +3488,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
 	unsigned int options;
-	isc_boolean_t deleted_zsk;
 	dns_difftuple_t *tuple;
 	dns_rdata_dnskey_t dnskey;
 	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -4107,8 +4091,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			isc_uint32_t interval;
 			interval = dns_zone_getsigvalidityinterval(zone);
 			result = update_signatures(client, zone, db, oldver,
-						   ver, &diff, interval,
-						   &deleted_zsk);
+						   ver, &diff, interval);
 			if (result != ISC_R_SUCCESS) {
 				update_log(client, zone,
 					   ISC_LOG_ERROR,
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 0e58d0ad6f..2529bacb5a 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.155 2009/10/08 23:13:06 marka Exp $ */
+/* $Id: zoneconf.c,v 1.156 2009/10/10 01:47:59 each Exp $ */
 
 /*% */
 
@@ -859,6 +859,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
 				   cfg_obj_asboolean(obj));
 
+		obj = NULL;
+		result = ns_config_get(maps, "dnskey-ksk-only", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
+				   cfg_obj_asboolean(obj));
 	} else if (ztype == dns_zone_slave) {
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  allow_update_forwarding, ac, zone,
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 7ab3bf1496..1867f687ff 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -4891,6 +4891,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
      allow-update { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     dnskey-ksk-only yes_or_no; 
      secure-to-insecure yes_or_no ;
      try-tcp-refresh yes_or_no; 
      allow-v6-synthesis { address_match_list }; 
@@ -6425,13 +6426,29 @@ options {
 		  request to a secure zone, check the KSK flag on
 		  the DNSKEY RR to determine if this key should be
 		  used to generate the RRSIG.  This flag is ignored
-		  if there are not DNSKEY RRs both with and without
-		  a KSK.
+		  if there are not non-revoked DNSKEY RRs both with
+		  and without a KSK for the algorithm.
 		  The default is yes.
 		
 	      
 	    
 
+	    
+	      dnskey-ksk-only
+	      
+	        
+		  When regenerating the RRSIGs following a UPDATE
+		  request to a secure zone and
+		  update-check-ksk is true then
+		  only generate signatures DNSKEY RRSIG using DNSKEY's
+		  with the KSK bit set.  This flag is ignored if there
+		  are not non-revoked DNSKEY RRs both with and without
+		  a KSK for the algorithm.
+		  The default is no.
+		
+	      
+	    
+
 	    
 	      try-tcp-refresh
 	      
@@ -9359,6 +9376,7 @@ zone zone_name class allow-transfer { address_match_list }; 
      allow-update-forwarding { address_match_list }; 
      update-check-ksk yes_or_no; 
+     dnskey-ksk-only yes_or_no; 
      secure-to-insecure yes_or_no ; 
      try-tcp-refresh yes_or_no; 
      also-notify { ip_addr port ip_port ;
@@ -9871,6 +9889,16 @@ zone zone_name class
               
 
+	      
+	        dnskey-ksk-only
+                
+                  
+                    See the description of
+                    dnskey-ksk-only in .
+                  
+                
+              
+
 	      
 	        try-tcp-refresh
                 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index c808adc2b7..026dbb1911 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.109 2009/10/08 23:13:06 marka Exp $ */
+/* $Id: check.c,v 1.110 2009/10/10 01:48:00 each Exp $ */
 
 /*! \file */
 
@@ -1126,6 +1126,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
+	{ "dnskey-ksk-only", MASTERZONE },
 	{ "try-tcp-refresh", SLAVEZONE },
 	};
 
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 6a1f8b0f33..15f16f3a07 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.168 2009/10/08 23:13:07 marka Exp $ */
+/* $Id: zone.h,v 1.169 2009/10/10 01:48:00 each Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -72,6 +72,7 @@ typedef enum {
 #define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
 #define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
 #define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< secure-to-insecure */
+#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U	/*%< dnskey-ksk-only */
 
 #ifndef NOMINUM_PUBLIC
 /*
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 5f03a7db77..a04a248ee3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.513 2009/10/08 23:58:14 marka Exp $ */
+/* $Id: zone.c,v 1.514 2009/10/10 01:48:00 each Exp $ */
 
 /*! \file */
 
@@ -4265,44 +4265,6 @@ was_dumping(dns_zone_t *zone) {
 
 #define MAXZONEKEYS 10
 
-static isc_boolean_t
-ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
-	isc_boolean_t ret = ISC_FALSE;
-	isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_dnskey_t dnskey;
-
-	dns_rdataset_init(&rdataset);
-	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
-	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
-				   &rdataset, NULL));
-	CHECK(dns_rdataset_first(&rdataset));
-	while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
-		dns_rdataset_current(&rdataset, &rdata);
-		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
-		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
-				 == DNS_KEYOWNER_ZONE) {
-			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
-				have_ksk = ISC_TRUE;
-			else
-				have_nonksk = ISC_TRUE;
-		}
-		dns_rdata_reset(&rdata);
-		result = dns_rdataset_next(&rdataset);
-	}
-	if (have_ksk && have_nonksk)
-		ret = ISC_TRUE;
- failure:
-	if (dns_rdataset_isassociated(&rdataset))
-		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	return (ret);
-}
-
 static isc_result_t
 find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	       isc_mem_t *mctx, unsigned int maxkeys,
@@ -4492,7 +4454,8 @@ static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
 	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire, isc_boolean_t check_ksk)
+	 isc_stdtime_t expire, isc_boolean_t check_ksk, 
+	 isc_boolean_t keyset_kskonly)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -4500,7 +4463,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
 	unsigned char data[1024]; /* XXX */
 	isc_buffer_t buffer;
-	unsigned int i;
+	unsigned int i, j;
 
 	dns_rdataset_init(&rdataset);
 	isc_buffer_init(&buffer, data, sizeof(data));
@@ -4525,12 +4488,48 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		goto failure;
 	}
 
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) == 1)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) == 1)
+#define ALG(x) dst_key_alg(x)
+
 	for (i = 0; i < nkeys; i++) {
-		if (check_ksk && type != dns_rdatatype_dnskey &&
-		    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
-			continue;
+		isc_boolean_t both = ISC_FALSE;
+		
 		if (!dst_key_isprivate(keys[i]))
 			continue;
+
+		if (check_ksk && !REVOKE(keys[i])) {
+			isc_boolean_t have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = ISC_TRUE;
+				have_nonksk = ISC_FALSE;
+			} else {
+				have_ksk = ISC_FALSE;
+				have_nonksk = ISC_TRUE;
+			}
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j])) 
+					continue;
+				if (REVOKE(keys[j]))
+					continue;
+				if (KSK(keys[j]))
+					have_ksk = ISC_TRUE;
+				else
+					have_nonksk = ISC_TRUE;
+				both = have_ksk && have_nonksk;
+				if (both)
+					break;
+			}
+		}
+		if (both) {
+			if (type == dns_rdatatype_dnskey) {
+				if (!KSK(keys[i]) && keyset_kskonly)
+					continue;
+			} else if (!KSK(keys[i]))
+				continue;
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+				continue;
+
 		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
 				      &inception, &expire,
@@ -4560,7 +4559,7 @@ zone_resigninc(dns_zone_t *zone) {
 	dns_rdataset_t rdataset;
 	dns_rdatatype_t covers;
 	dst_key_t *zone_keys[MAXZONEKEYS];
-	isc_boolean_t check_ksk;
+	isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire, stop;
 	isc_uint32_t jitter;
@@ -4615,8 +4614,7 @@ zone_resigninc(dns_zone_t *zone) {
 	stop = now + 5;
 
 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	if (check_ksk)
-		check_ksk = ksk_sanity(db, version);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
 
 	name = dns_fixedname_name(&fixed);
 	result = dns_db_getsigningtime(db, &rdataset, name);
@@ -4660,7 +4658,7 @@ zone_resigninc(dns_zone_t *zone) {
 		}
 		result = add_sigs(db, version, name, covers, &sig_diff,
 				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk);
+				  expire, check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "zone_resigninc:add_sigs -> %s\n",
@@ -4705,7 +4703,7 @@ zone_resigninc(dns_zone_t *zone) {
 	 */
 	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
 			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
-			  soaexpire, check_ksk);
+			  soaexpire, check_ksk, keyset_kskonly);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "zone_resigninc:add_sigs -> %s\n",
@@ -4845,8 +4843,8 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 	    isc_boolean_t build_nsec, dst_key_t *key,
 	    isc_stdtime_t inception, isc_stdtime_t expire,
 	    unsigned int minimum, isc_boolean_t is_ksk,
-	    isc_boolean_t *delegation, dns_diff_t *diff,
-	    isc_int32_t *signatures, isc_mem_t *mctx)
+	    isc_boolean_t keyset_kskonly, isc_boolean_t *delegation, 
+	    dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
 {
 	isc_result_t result;
 	dns_rdatasetiter_t *iterator = NULL;
@@ -4925,7 +4923,10 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 		if (rdataset.type == dns_rdatatype_soa ||
 		    rdataset.type == dns_rdatatype_rrsig)
 			goto next_rdataset;
-		if (is_ksk && rdataset.type != dns_rdatatype_dnskey)
+		if (rdataset.type == dns_rdatatype_dnskey) {
+			if (!is_ksk && keyset_kskonly)
+				goto next_rdataset;
+		} else if (is_ksk)
 			goto next_rdataset;
 		if (*delegation &&
 		    rdataset.type != dns_rdatatype_ds &&
@@ -5355,7 +5356,8 @@ static isc_result_t
 update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
 	    dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
 	    isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
-	    isc_boolean_t check_ksk, dns_diff_t *sig_diff)
+	    isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
+	    dns_diff_t *sig_diff)
 {
 	dns_difftuple_t *tuple;
 	isc_result_t result;
@@ -5375,7 +5377,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
 		result = add_sigs(db, version, &tuple->name,
 				  tuple->rdata.type, sig_diff,
 				  zone_keys, nkeys, zone->mctx, inception,
-				  expire, check_ksk);
+				  expire, check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "update_sigs:add_sigs -> %s\n",
@@ -5419,7 +5421,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	dns_nsec3chainlist_t cleanup;
 	dst_key_t *zone_keys[MAXZONEKEYS];
 	isc_int32_t signatures;
-	isc_boolean_t check_ksk, is_ksk;
+	isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
 	isc_boolean_t delegation;
 	isc_boolean_t first;
 	isc_result_t result;
@@ -5491,8 +5493,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	stop = now + 5;
 
 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	if (check_ksk)
-		check_ksk = ksk_sanity(db, version);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
 
 	/*
 	 * We keep pulling nodes off each iterator in turn until
@@ -5964,7 +5965,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	 */
 	result = update_sigs(&nsec3_diff, db, version, zone_keys,
 			     nkeys, zone, inception, expire, now,
-			     check_ksk, &sig_diff);
+			     check_ksk, keyset_kskonly, &sig_diff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
 			     "update_sigs -> %s\n", dns_result_totext(result));
@@ -5977,7 +5978,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	 */
 	result = update_sigs(¶m_diff, db, version, zone_keys,
 			     nkeys, zone, inception, expire, now,
-			     check_ksk, &sig_diff);
+			     check_ksk, keyset_kskonly, &sig_diff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
 			     "update_sigs -> %s\n", dns_result_totext(result));
@@ -5998,7 +5999,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 	result = update_sigs(&nsec_diff, db, version, zone_keys,
 			     nkeys, zone, inception, expire, now,
-			     check_ksk, &sig_diff);
+			     check_ksk, keyset_kskonly, &sig_diff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
 			     "update_sigs -> %s\n", dns_result_totext(result));
@@ -6030,7 +6031,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
 			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
-			  soaexpire, check_ksk);
+			  soaexpire, check_ksk, keyset_kskonly);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
 			     "add_sigs -> %s\n", dns_result_totext(result));
@@ -6240,7 +6241,7 @@ zone_sign(dns_zone_t *zone) {
 	dns_signinglist_t cleanup;
 	dst_key_t *zone_keys[MAXZONEKEYS];
 	isc_int32_t signatures;
-	isc_boolean_t check_ksk, is_ksk;
+	isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
 	isc_boolean_t commit = ISC_FALSE;
 	isc_boolean_t delegation;
 	isc_boolean_t finishedakey = ISC_FALSE;
@@ -6255,8 +6256,6 @@ zone_sign(dns_zone_t *zone) {
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
 	isc_boolean_t was_ksk;
-	isc_boolean_t have_ksk;
-	isc_boolean_t have_nonksk;
 
 	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fixed);
@@ -6319,6 +6318,9 @@ zone_sign(dns_zone_t *zone) {
 	signing = ISC_LIST_HEAD(zone->signing);
 	first = ISC_TRUE;
 
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
 	/*
 	 * If we have already determined that we are building a NSEC chain
 	 * continue to do so otherwise workout which type of chain we need
@@ -6349,40 +6351,28 @@ zone_sign(dns_zone_t *zone) {
 
 		delegation = ISC_FALSE;
 
-		/*
-		 * ksk_sanity() accounting for the key to be removed.
-		 */
-
 		was_ksk = ISC_FALSE;
-		have_ksk = ISC_FALSE;
-		have_nonksk = ISC_FALSE;
 
-		for (i = 0, j = 0; i < nkeys; i++) {
+		if (first && signing->delete) {
 			/*
-			 * Find the key we want to remove.
+			 * Remove the key we are deleting from consideration.
 			 */
-			if (signing->delete &&
-			    dst_key_alg(zone_keys[i]) == signing->algorithm &&
-			    dst_key_id(zone_keys[i]) == signing->keyid) {
-				if ((dst_key_flags(zone_keys[j]) &
-				     DNS_KEYFLAG_KSK) != 0)
-					was_ksk = ISC_TRUE;
-				dst_key_free(&zone_keys[i]);
+			for (i = 0, j = 0; i < nkeys; i++) {
+				/*
+				 * Find the key we want to remove.
+				 */
+				if (ALG(zone_keys[i]) == signing->algorithm &&
+				    dst_key_id(zone_keys[i]) == signing->keyid) {
+					if (KSK(zone_keys[i]))
+						dst_key_free(&zone_keys[i]);
+					continue;
+				}
+				zone_keys[j] = zone_keys[i];
+				j++;
 			}
-			zone_keys[j] = zone_keys[i];
-			if ((dst_key_flags(zone_keys[j]) &
-			     DNS_KEYFLAG_KSK) != 0)
-				have_ksk = ISC_TRUE;
-			else
-				have_nonksk = ISC_TRUE;
-			j++;
+			nkeys = j;
 		}
 
-		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-		if (check_ksk && (!have_nonksk || !have_ksk))
-			check_ksk = ISC_FALSE;
-		nkeys = j;
-
 		dns_dbiterator_current(signing->dbiterator, &node, name);
 
 		if (signing->delete) {
@@ -6391,6 +6381,7 @@ zone_sign(dns_zone_t *zone) {
 				      signing->algorithm, signing->keyid,
 				      &sig_diff));
 		}
+
 		/*
 		 * On the first pass we need to check if the current node
 		 * has not been obscured.
@@ -6422,29 +6413,76 @@ zone_sign(dns_zone_t *zone) {
 		 */
 		dns_dbiterator_pause(signing->dbiterator);
 		for (i = 0; i < nkeys; i++) {
+			isc_boolean_t both = ISC_FALSE;
+
 			/*
 			 * Find the keys we want to sign with.
 			 */
 			if (!dst_key_isprivate(zone_keys[i]))
 				continue;
-			if ((!signing->delete || was_ksk || check_ksk) &&
+
+			/*
+			 * When adding look for the specific key.
+			 */
+			if (!signing->delete &&
 			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
 			     dst_key_id(zone_keys[i]) != signing->keyid))
 				continue;
+
+			/*
+			 * When deleting make sure we are properly signed
+			 * with the algorithm that was being removed.
+			 */
+			if (signing->delete &&
+			    ALG(zone_keys[i]) != signing->algorithm)
+				continue;
+
 			/*
 			 * Do we do KSK processing?
 			 */
-			is_ksk = ISC_FALSE;
-			if (check_ksk &&
-			    (dst_key_flags(zone_keys[i]) & DNS_KEYFLAG_KSK) != 0)
-				is_ksk = ISC_TRUE;
+			if (check_ksk && !REVOKE(zone_keys[i])) {
+				isc_boolean_t have_ksk, have_nonksk;
+				if (KSK(zone_keys[i])) {
+					have_ksk = ISC_TRUE;
+					have_nonksk = ISC_FALSE;
+				} else {
+					have_ksk = ISC_FALSE;
+					have_nonksk = ISC_TRUE;
+				}
+				for (j = 0; j < nkeys; j++) {
+					if (j == i ||
+					    ALG(zone_keys[i]) !=
+					    ALG(zone_keys[j])) 
+						continue;
+					if (REVOKE(zone_keys[j]))
+						continue;
+					if (KSK(zone_keys[j]))
+						have_ksk = ISC_TRUE;
+					else
+						have_nonksk = ISC_TRUE;
+					both = have_ksk && have_nonksk;
+					if (both)
+						break;
+				}
+			}
+			if (both)
+				is_ksk = KSK(zone_keys[i]);
+			else
+				is_ksk = ISC_FALSE;
 			CHECK(sign_a_node(db, name, node, version, build_nsec3,
 					  build_nsec, zone_keys[i], inception,
 					  expire, zone->minimum, is_ksk,
-					  &delegation, &sig_diff, &signatures,
-					  zone->mctx));
-			break;
+					  ISC_TF(both && keyset_kskonly),
+					  &delegation, &sig_diff,
+					  &signatures, zone->mctx));
+			/*
+			 * If we are adding we are done.  Look for other keys
+			 * of the same algorithm if deleting.
+			 */
+			if (!signing->delete)
+				break;
 		}
+
 		/*
 		 * Go onto next node.
 		 */
@@ -6514,13 +6552,6 @@ zone_sign(dns_zone_t *zone) {
 		first = ISC_TRUE;
 	}
 
-	/*
-	 * Recompute check_ksk as it may have changed.
-	 */
-	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
-	if (check_ksk)
-		check_ksk = ksk_sanity(db, version);
-
 	if (secureupdated) {
 		/*
 		 * We have changed the NSEC RRset above so we need to update
@@ -6538,7 +6569,7 @@ zone_sign(dns_zone_t *zone) {
 		result = add_sigs(db, version, &zone->origin,
 				  dns_rdatatype_nsec, &sig_diff, zone_keys,
 				  nkeys, zone->mctx, inception, soaexpire,
-				  check_ksk);
+				  check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "zone_sign:add_sigs -> %s\n",
@@ -6564,7 +6595,7 @@ zone_sign(dns_zone_t *zone) {
 		result = add_sigs(db, version, &zone->origin,
 				  zone->privatetype, &sig_diff,
 				  zone_keys, nkeys, zone->mctx, inception,
-				  soaexpire, check_ksk);
+				  soaexpire, check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "zone_sign:add_sigs -> %s\n",
@@ -6606,7 +6637,7 @@ zone_sign(dns_zone_t *zone) {
 	 */
 	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
 			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
-			  soaexpire, check_ksk);
+			  soaexpire, check_ksk, keyset_kskonly);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "zone_sign:add_sigs -> %s\n",
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 87d707c40c..6d906d0318 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.106 2009/10/08 23:13:07 marka Exp $ */
+/* $Id: namedconf.c,v 1.107 2009/10/10 01:48:00 each Exp $ */
 
 /*! \file */
 
@@ -1113,6 +1113,7 @@ zone_clauses[] = {
 	{ "check-srv-cname", &cfg_type_checkmode, 0 },
 	{ "check-wildcard", &cfg_type_boolean, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
+	{ "dnskey-ksk-only", &cfg_type_boolean, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
 	{ "key-directory", &cfg_type_qstring, 0 },

From 8667770ad2ef351a1c77630d0e2fed0255b57efb Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 10 Oct 2009 23:47:58 +0000
Subject: [PATCH 293/385] update copyright notice

---
 bin/named/update.c | 10 +++++-----
 lib/dns/zone.c     | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/bin/named/update.c b/bin/named/update.c
index 59fc045872..132481fb4f 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.162 2009/10/10 01:47:59 each Exp $ */
+/* $Id: update.c,v 1.163 2009/10/10 23:47:58 tbox Exp $ */
 
 #include 
 
@@ -1857,7 +1857,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		if (!dst_key_isprivate(keys[i]))
 			continue;
 
-		if (check_ksk && !REVOKE(keys[i])) { 
+		if (check_ksk && !REVOKE(keys[i])) {
 			isc_boolean_t have_ksk, have_nonksk;
 			if (KSK(keys[i])) {
 				have_ksk = ISC_TRUE;
@@ -1867,7 +1867,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 				have_nonksk = ISC_TRUE;
 			}
 			for (j = 0; j < nkeys; j++) {
-				if (j == i || ALG(keys[i]) != ALG(keys[j])) 
+				if (j == i || ALG(keys[i]) != ALG(keys[j]))
 					continue;
 				if (REVOKE(keys[j]))
 					continue;
@@ -1875,7 +1875,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					have_ksk = ISC_TRUE;
 				else
 					have_nonksk = ISC_TRUE;
-		 		both = have_ksk && have_nonksk;
+				both = have_ksk && have_nonksk;
 				if (both)
 					break;
 			}
@@ -2128,7 +2128,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
 			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
 	keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
-			        DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
+				DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
 
 	/*
 	 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a04a248ee3..49956f5e09 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.514 2009/10/10 01:48:00 each Exp $ */
+/* $Id: zone.c,v 1.515 2009/10/10 23:47:58 tbox Exp $ */
 
 /*! \file */
 
@@ -4454,7 +4454,7 @@ static isc_result_t
 add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
 	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire, isc_boolean_t check_ksk, 
+	 isc_stdtime_t expire, isc_boolean_t check_ksk,
 	 isc_boolean_t keyset_kskonly)
 {
 	isc_result_t result;
@@ -4494,7 +4494,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 
 	for (i = 0; i < nkeys; i++) {
 		isc_boolean_t both = ISC_FALSE;
-		
+
 		if (!dst_key_isprivate(keys[i]))
 			continue;
 
@@ -4508,7 +4508,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				have_nonksk = ISC_TRUE;
 			}
 			for (j = 0; j < nkeys; j++) {
-				if (j == i || ALG(keys[i]) != ALG(keys[j])) 
+				if (j == i || ALG(keys[i]) != ALG(keys[j]))
 					continue;
 				if (REVOKE(keys[j]))
 					continue;
@@ -4843,7 +4843,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 	    isc_boolean_t build_nsec, dst_key_t *key,
 	    isc_stdtime_t inception, isc_stdtime_t expire,
 	    unsigned int minimum, isc_boolean_t is_ksk,
-	    isc_boolean_t keyset_kskonly, isc_boolean_t *delegation, 
+	    isc_boolean_t keyset_kskonly, isc_boolean_t *delegation,
 	    dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
 {
 	isc_result_t result;
@@ -6452,7 +6452,7 @@ zone_sign(dns_zone_t *zone) {
 				for (j = 0; j < nkeys; j++) {
 					if (j == i ||
 					    ALG(zone_keys[i]) !=
-					    ALG(zone_keys[j])) 
+					    ALG(zone_keys[j]))
 						continue;
 					if (REVOKE(zone_keys[j]))
 						continue;

From 8de0d8a6905e397ed0a26054815420685f9b435e Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sun, 11 Oct 2009 01:14:49 +0000
Subject: [PATCH 294/385] regen

---
 bin/dnssec/dnssec-signzone.8         |  11 +-
 bin/dnssec/dnssec-signzone.html      |  23 ++--
 bin/named/named.conf.5               |   5 +-
 bin/named/named.conf.html            |  13 +-
 doc/arm/Bv9ARM.ch06.html             | 114 ++++++++++-------
 doc/arm/Bv9ARM.ch07.html             |  14 +--
 doc/arm/Bv9ARM.ch08.html             |  18 +--
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  46 +++----
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +--
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  14 +--
 doc/arm/man.dnssec-keygen.html       |  16 +--
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  14 +--
 doc/arm/man.dnssec-signzone.html     |  23 ++--
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  16 +--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 doc/misc/options                     |   4 +
 26 files changed, 349 insertions(+), 302 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index abad0f11ac..3348843469 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.55 2009/10/06 01:14:41 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.56 2009/10/11 01:14:48 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -286,9 +286,14 @@ will retain the existing chain when re\-signing.
 Sets the debugging level.
 .RE
 .PP
+\-x
+.RS 4
+Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys.
+.RE
+.PP
 \-z
 .RS 4
-Ignore KSK flag on key when determining what to sign.
+Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
 .RE
 .PP
 \-3 \fIsalt\fR
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index c994ccff25..d740f3dd67 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -29,10 +29,10 @@
 
    
 
    
 
    Synopsis
    
-
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
+
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -324,9 +324,16 @@
 
    
             Sets the debugging level.
           
    
+
    -x
    
+
    
+            Only sign the DNSKEY RRset with key-signing keys, and omit
+            signatures from zone-signing keys.
+          
    
 
    -z
    
 
    
-            Ignore KSK flag on key when determining what to sign.
+            Ignore KSK flag on key when determining what to sign.  This
+            causes KSK-flagged keys to sign all records, not just the
+            DNSKEY RRset.
           
    
 
    -3 salt
    
 
    
@@ -368,7 +375,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -397,14 +404,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index eb3fcb8e62..69fabf6c73 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.38 2009/10/09 01:14:46 tbox Exp $
+.\" $Id: named.conf.5,v 1.39 2009/10/11 01:14:48 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -260,6 +260,7 @@ options {
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
 	update\-check\-ksk \fIboolean\fR;
+	dnskey\-ksk\-only \fIboolean\fR;
 	masterfile\-format ( text | raw );
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -408,6 +409,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
 	update\-check\-ksk \fIboolean\fR;
+	dnskey\-ksk\-only \fIboolean\fR;
 	masterfile\-format ( text | raw );
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -492,6 +494,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 		\fIrrtypelist\fR; ...
 	};
 	update\-check\-ksk \fIboolean\fR;
+	dnskey\-ksk\-only \fIboolean\fR;
 	masterfile\-format ( text | raw );
 	notify \fInotifytype\fR;
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 11564aff43..3d53d8f7fb 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -261,6 +261,7 @@ options
 	allow-update { address_match_element; ... };
    
 	allow-update-forwarding { address_match_element; ... };
    
 	update-check-ksk boolean;
    
+	dnskey-ksk-only boolean;
    
 
    
 	masterfile-format ( text | raw );
    
 	notify notifytype;
    
@@ -330,7 +331,7 @@ options
 
    
 
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -425,6 +426,7 @@ view
 	allow-update { address_match_element; ... };
    
 	allow-update-forwarding { address_match_element; ... };
    
 	update-check-ksk boolean;
    
+	dnskey-ksk-only boolean;
    
 
    
 	masterfile-format ( text | raw );
    
 	notify notifytype;
    
@@ -479,7 +481,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -518,6 +520,7 @@ zone
 		rrtypelist; ...
    
 	};
    
 	update-check-ksk boolean;
    
+	dnskey-ksk-only boolean;
    
 
    
 	masterfile-format ( text | raw );
    
 	notify notifytype;
    
@@ -572,12 +575,12 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/named.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       rndc(8),
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 876435cfb9..4fcdfee9f7 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2137,6 +2137,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ allow-update { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ dnskey-ksk-only yes_or_no; ]
     [ secure-to-insecure yes_or_no ;]
     [ try-tcp-refresh yes_or_no; ]
     [ allow-v6-synthesis { address_match_list }; ]
@@ -3353,10 +3354,21 @@ options {
                   request to a secure zone, check the KSK flag on
                   the DNSKEY RR to determine if this key should be
                   used to generate the RRSIG.  This flag is ignored
-                  if there are not DNSKEY RRs both with and without
-                  a KSK.
+                  if there are not non-revoked DNSKEY RRs both with
+                  and without a KSK for the algorithm.
                   The default is yes.
                 
    
+
    dnskey-ksk-only
    
+
    
+                  When regenerating the RRSIGs following a UPDATE
+                  request to a secure zone and
+                  update-check-ksk is true then
+                  only generate signatures DNSKEY RRSIG using DNSKEY's
+                  with the KSK bit set.  This flag is ignored if there
+                  are not non-revoked DNSKEY RRs both with and without
+                  a KSK for the algorithm.
+                  The default is no.
+                
    
 
    try-tcp-refresh
    
 
    
                   Try to refresh the zone using TCP if UDP queries fail.
@@ -3373,7 +3385,7 @@ options {
 
    
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3417,7 +3429,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3614,7 +3626,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4066,7 +4078,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4108,7 +4120,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4270,7 +4282,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5066,7 +5078,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5396,7 +5408,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5447,7 +5459,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5456,7 +5468,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5496,7 +5508,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5505,7 +5517,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5615,7 +5627,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5792,6 +5804,7 @@ zone zone_name [ allow-transfer { address_match_list }; ]
     [ allow-update-forwarding { address_match_list }; ]
     [ update-check-ksk yes_or_no; ]
+    [ dnskey-ksk-only yes_or_no; ]
     [ secure-to-insecure yes_or_no ; ]
     [ try-tcp-refresh yes_or_no; ]
     [ also-notify { ip_addr [port ip_port] ;
@@ -5893,10 +5906,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6107,7 +6120,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6129,7 +6142,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6226,6 +6239,11 @@ zone zone_name [update-check-ksk in the section called “Boolean Options”.
                   
    
+
    dnskey-ksk-only
    
+
    
+                    See the description of
+                    dnskey-ksk-only in the section called “Boolean Options”.
+                  
    
 
    try-tcp-refresh
    
 
    
                     See the description of
@@ -6764,7 +6782,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6777,7 +6795,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7514,7 +7532,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7717,7 +7735,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7973,7 +7991,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8034,7 +8052,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8049,7 +8067,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8060,7 +8078,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8089,7 +8107,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8125,7 +8143,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8144,7 +8162,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8568,7 +8586,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9125,7 +9143,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9279,7 +9297,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9662,7 +9680,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9817,7 +9835,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 863896700d..6739a9ac6d 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index e18a809e57..0f5c7a7431 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 067d089015..b340f29cdd 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 3a4d8bc8f6..87db514dcd 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index a7198dc745..d8dc98918a 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 64ca98daa9..3aeab90a00 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 1665b3bb3f..4942b6fb6e 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 001d717287..ec611eac71 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 81ca3f3fac..f52dcf85cf 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index 1908293e49..ed74bb2d9e 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 356ebe610d..deec0ad4dc 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 5939150e6e..972a3d70d9 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -47,10 +47,10 @@
 
 
    
 
    Synopsis
    
-
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
+
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -342,9 +342,16 @@
 
    
             Sets the debugging level.
           
    
+
    -x
    
+
    
+            Only sign the DNSKEY RRset with key-signing keys, and omit
+            signatures from zone-signing keys.
+          
    
 
    -z
    
 
    
-            Ignore KSK flag on key when determining what to sign.
+            Ignore KSK flag on key when determining what to sign.  This
+            causes KSK-flagged keys to sign all records, not just the
+            DNSKEY RRset.
           
    
 
    -3 salt
    
 
    
@@ -386,7 +393,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -415,14 +422,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index ba5c51730a..d4bbef19bf 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index de644190f7..932c9540d0 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index e120d16d71..027eb2e40c 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 8d07ff5671..391d97e9ee 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 0f28e63fab..ed53407f4b 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 1d9bcbff5a..17883adbf5 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 8c981256db..8ca3438fd6 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 37332ae00e..1ea7ed220d 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/misc/options b/doc/misc/options
index 42fefab89a..c6c773f8f2 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -98,6 +98,7 @@ options {
         directory ;
         disable-algorithms  { ; ... };
         disable-empty-zone ;
+        dnskey-ksk-only ;
         dnssec-accept-expired ;
         dnssec-enable ;
         dnssec-lookaside  trust-anchor ;
@@ -294,6 +295,7 @@ view   {
         dlz  {
                 database ;
         };
+        dnskey-ksk-only ;
         dnssec-accept-expired ;
         dnssec-enable ;
         dnssec-lookaside  trust-anchor ;
@@ -426,6 +428,7 @@ view   {
                 database ;
                 delegation-only ;
                 dialup ;
+                dnskey-ksk-only ;
                 file ;
                 forward ( first | only );
                 forwarders [ port  ] { (  |
@@ -508,6 +511,7 @@ zone   {
         database ;
         delegation-only ;
         dialup ;
+        dnskey-ksk-only ;
         file ;
         forward ( first | only );
         forwarders [ port  ] { (  |  )

From af20baa9600965efaa6ad1abdba53b0902e84b8d Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 12 Oct 2009 05:50:52 +0000
Subject: [PATCH 295/385] silence compiler warning/enforce const [RT #20390]

---
 lib/dns/dst_api.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index fd39b1ccf7..b79ed3fa63 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.36 2009/10/10 01:13:39 marka Exp $
+ * $Id: dst_api.c,v 1.37 2009/10/12 05:50:52 marka Exp $
  */
 
 /*! \file */
@@ -867,7 +867,8 @@ dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
 static isc_boolean_t
 comparekeys(const dst_key_t *key1, const dst_key_t *key2,
 	    isc_boolean_t match_revoked_key,
-	    isc_boolean_t (*compare)())
+	    isc_boolean_t (*compare)(const dst_key_t *key1,
+				     const dst_key_t *key2))
 {
 	REQUIRE(dst_initialized == ISC_TRUE);
 	REQUIRE(VALID_KEY(key1));
@@ -917,28 +918,25 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2,
  * both to wire format and comparing the results.
  */
 static isc_boolean_t
-pub_compare(dst_key_t *key1, dst_key_t *key2) {
+pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	isc_result_t result;
-	unsigned char txt1[DST_KEY_MAXSIZE], txt2[DST_KEY_MAXSIZE];
+	unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
 	isc_buffer_t b1, b2;
 	isc_region_t r1, r2;
-	isc_uint16_t flags;
 
-	flags = key1->key_flags;
-	key1->key_flags = 0;
-	isc_buffer_init(&b1, txt1, sizeof(txt1));
+	isc_buffer_init(&b1, buf1, sizeof(buf1));
 	result = dst_key_todns(key1, &b1);
-	key1->key_flags = flags;
 	if (result != ISC_R_SUCCESS)
 		return (ISC_FALSE);
+	/* Zero out flags. */
+	buf1[0] = buf1[1] = 0;
 
-	flags = key2->key_flags;
-	key2->key_flags = 0;
-	isc_buffer_init(&b2, txt2, sizeof(txt2));
+	isc_buffer_init(&b2, buf2, sizeof(buf2));
 	result = dst_key_todns(key2, &b2);
-	key2->key_flags = flags;
 	if (result != ISC_R_SUCCESS)
 		return (ISC_FALSE);
+	/* Zero out flags. */
+	buf2[0] = buf2[1] = 0;
 
 	isc_buffer_usedregion(&b1, &r1);
 	isc_buffer_usedregion(&b2, &r2);

From 515053881bc3997d165072809d98072b80ef0ad2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 12 Oct 2009 06:05:29 +0000
Subject: [PATCH 296/385] remove extended flags before comparing if set

---
 lib/dns/dst_api.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index b79ed3fa63..5eb43fec80 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.37 2009/10/12 05:50:52 marka Exp $
+ * $Id: dst_api.c,v 1.38 2009/10/12 06:05:29 marka Exp $
  */
 
 /*! \file */
@@ -930,6 +930,8 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf1[0] = buf1[1] = 0;
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b1, 2);
 
 	isc_buffer_init(&b2, buf2, sizeof(buf2));
 	result = dst_key_todns(key2, &b2);
@@ -937,6 +939,8 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf2[0] = buf2[1] = 0;
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b2, 2);
 
 	isc_buffer_usedregion(&b1, &r1);
 	isc_buffer_usedregion(&b2, &r2);

From 11804ca08fda7bea94b571b4ce16a166b2e38a86 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 12 Oct 2009 08:57:38 +0000
Subject: [PATCH 297/385] zero extended flags

---
 lib/dns/dst_api.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 5eb43fec80..16629c53c2 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.38 2009/10/12 06:05:29 marka Exp $
+ * $Id: dst_api.c,v 1.39 2009/10/12 08:57:38 marka Exp $
  */
 
 /*! \file */
@@ -931,7 +931,7 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	/* Zero out flags. */
 	buf1[0] = buf1[1] = 0;
 	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		isc_buffer_subtract(&b1, 2);
+		buf1[4] = buf1[5] = 0;
 
 	isc_buffer_init(&b2, buf2, sizeof(buf2));
 	result = dst_key_todns(key2, &b2);
@@ -940,7 +940,7 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	/* Zero out flags. */
 	buf2[0] = buf2[1] = 0;
 	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		isc_buffer_subtract(&b2, 2);
+		buf2[4] = buf2[5] = 0;
 
 	isc_buffer_usedregion(&b1, &r1);
 	isc_buffer_usedregion(&b2, &r2);

From 30bb4870da5fdfc061fbd8423c7c54c5f8400444 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 12 Oct 2009 09:03:06 +0000
Subject: [PATCH 298/385] remove, not zero, extended flags

---
 lib/dns/dst_api.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 16629c53c2..d9a99e0966 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.39 2009/10/12 08:57:38 marka Exp $
+ * $Id: dst_api.c,v 1.40 2009/10/12 09:03:06 marka Exp $
  */
 
 /*! \file */
@@ -930,8 +930,6 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf1[0] = buf1[1] = 0;
-	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		buf1[4] = buf1[5] = 0;
 
 	isc_buffer_init(&b2, buf2, sizeof(buf2));
 	result = dst_key_todns(key2, &b2);
@@ -939,11 +937,20 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf2[0] = buf2[1] = 0;
-	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
-		buf2[4] = buf2[5] = 0;
 
 	isc_buffer_usedregion(&b1, &r1);
+	/* Remove extended flags. */
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf1[4], &buf1[6], r1.length - 6);
+		r1.length -= 2;
+	}
+
 	isc_buffer_usedregion(&b2, &r2);
+	/* Remove extended flags. */
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf2[4], &buf2[6], r2.length - 6);
+		r2.length -= 2;
+	}
 	return (ISC_TF(isc_region_compare(&r1, &r2) == 0));
 }
 

From 6a90baa0d5ac5ad6bf5a5e29b6e8b26a931e844e Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 12 Oct 2009 16:41:13 +0000
Subject: [PATCH 299/385] 2711.	[port]		win32: Add the bin/pkcs11
 tools into the full 			build. [RT #20372]

---
 CHANGES                       |    3 +
 README.pkcs11                 |   33 +-
 config.h.win32                |    8 +-
 win32utils/BINDBuild.dsw      | 1180 +++++++++++++++++----------------
 win32utils/BuildAll.bat       |    6 +
 win32utils/BuildSetup.bat     |    3 +
 win32utils/setpk11provider.pl |   51 +-
 win32utils/win32-build.txt    |   13 +-
 8 files changed, 697 insertions(+), 600 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3472b24680..534aa12836 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2711.	[port]		win32: Add the bin/pkcs11 tools into the full
+			build. [RT #20372]
+
 2710.	[func]		New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
 			zone option cause a zone to be signed with only KSKs
 			signing the DNSKEY RRset, not ZSKs.  This reduces
diff --git a/README.pkcs11 b/README.pkcs11
index 9a096f45ee..4abb34ee0a 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -41,16 +41,16 @@ choice depends on the HSM hardware:
    secure key storage devices, but lack hardware acceleration.  These
    devices are highly secure, but are not necessarily any faster at
    cryptography than the system CPU--often, they are slower.  It is
-   therefore most efficient to use them only for those operation
+   therefore most efficient to use them only for those cryptographic
    functions that require access to the secured private key, such as
    zone signing, and to use the system CPU for all other computationally-
    intensive operations.  The AEP Keyper is an example of such a device.
 
-The modified OpenSSL code is included in BIND 9.7.0b1 release in the form
-of a context diff against OpenSSL 0.9.8k.  Before building BIND 9 with
-PKCS #11 support, it will be necessary to build OpenSSL with this patch
-in place and inform it of the path to the HSM-specific PKCS #11 provider
-library.
+The modified OpenSSL code is included in the BIND 9.7.0b1 release, in the
+form of a context diff against OpenSSL 0.9.8k.  Before building BIND 9
+with PKCS #11 support, it will be necessary to build OpenSSL with this
+patch in place and inform it of the path to the HSM-specific PKCS #11
+provider library.
 
 Obtain OpenSSL 0.9.8k:
 
@@ -65,8 +65,8 @@ Apply the patch from the BIND 9 release:
     patch -p1 -d openssl-0.9.8k \
             < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch 
 
-(Note that the patch file may not be compatible with the "patch" utility
-on all operating systems.  You may need to install GNU patch.)
+(Note that the patch file may not be compatible with the "patch"
+utility on all operating systems.  You may need to install GNU patch.)
 
 When building OpenSSL, place it in a non-standard location so that it
 does not interfere with OpenSSL libraries elsewhere on the system.
@@ -175,17 +175,18 @@ Configure).
 
 After configuring, run "make", "make test" and "make install".
 
+PKCS #11 TOOLS
+
 BIND 9 includes a minimal set of tools to operate the HSM, including
 "pkcs11-keygen" to generate a new key pair within the HSM, "pkcs11-list"
 to list objects currently available, and "pkcs11-destroy" to remove
 objects.
 
-These tools are built if BIND 9 is configured with the --with-pkcs11
-option.  (NOTE: If --with-pkcs11 is set to "yes", rather than to the
-path of the PKCS #11 provider, then the tools will be built but the
-provider will be left undefined.  Use the -m option or the
-PKCS11_PROVIDER environment variable to specify the path to the
-provider.)
+In UNIX/Linux builds, these tools are built only if BIND 9 is configured
+with the --with-pkcs11 option.  (NOTE: If --with-pkcs11 is set to "yes",
+rather than to the path of the PKCS #11 provider, then the tools will be
+built but the provider will be left undefined.  Use the -m option or the
+PKCS11_PROVIDER environment variable to specify the path to the provider.)
 
 USING THE HSM
 
@@ -238,8 +239,8 @@ arguments:
     pkcs11-keygen -b 1024 -l sample-zsk
     dnssec-keyfromlabel -l sample-zsk example.net
 
-Alternatively, you may prefer to generate a conventional on-disk key, using
-dnssec-keygen:
+Alternatively, you may prefer to generate a conventional on-disk key,
+using dnssec-keygen:
 
     dnssec-keygen example.net
 
diff --git a/config.h.win32 b/config.h.win32
index 301d2871f4..92dbf1f507 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.win32,v 1.22 2009/09/02 23:43:54 each Exp $ */
+/* $Id: config.h.win32,v 1.23 2009/10/12 16:41:12 each Exp $ */
 
 /*
  * win32 configuration file
@@ -248,3 +248,9 @@ typedef long off_t;
  * of libisc, libdns, etc, this must be removed.
  */
 #define BIND9 1
+
+/*
+ * Define if PKCS11 is to be used.
+ */
+/* #undef USE_PKCS11 */
+
diff --git a/win32utils/BINDBuild.dsw b/win32utils/BINDBuild.dsw
index eb1e4279e0..6cda568174 100644
--- a/win32utils/BINDBuild.dsw
+++ b/win32utils/BINDBuild.dsw
@@ -1,572 +1,608 @@
-Microsoft Developer Studio Workspace File, Format Version 6.00
-# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
-
-###############################################################################
-
-Project: "BINDInstall"="..\bin\win32\BINDInstall\BINDInstall.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "bindevt"="..\lib\win32\bindevt\bindevt.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "dig"="..\bin\dig\win32\dig.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name liblwres
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dighost
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "dighost"="..\bin\dig\win32\dighost.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "host"="..\bin\dig\win32\host.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name liblwres
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dighost
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "dsfromkey"="..\bin\dnssec\win32\dsfromkey.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "revoke"="..\bin\dnssec\win32\revoke.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "settime"="..\bin\dnssec\win32\settime.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "keygen"="..\bin\dnssec\win32\keygen.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "libbind9"="..\lib\bind9\win32\libbind9.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccfg
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "libdns"="..\lib\dns\win32\libdns.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "libisc"="..\lib\isc\win32\libisc.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "libisccc"="..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "libisccfg"="..\lib\isccfg\win32\libisccfg.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "liblwres"="..\lib\lwres\win32\liblwres.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "named"="..\bin\named\win32\named.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccfg
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name liblwres
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "namedcheckconf"="..\bin\check\win32\namedcheckconf.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccfg
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name checktool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "namedcheckzone"="..\bin\check\win32\namedcheckzone.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name checktool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "nslookup"="..\bin\dig\win32\nslookup.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name liblwres
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dighost
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "nsupdate"="..\bin\nsupdate\win32\nsupdate.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "rndc"="..\bin\rndc\win32\rndc.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccfg
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name rndcutil
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "rndcconfgen"="..\bin\confgen\win32\rndcconfgen.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisccfg
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libbind9
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name confgentool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "ddnsconfgen"="..\bin\confgen\win32\ddnsconfgen.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name confgentool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "signzone"="..\bin\dnssec\win32\signzone.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "keyfromlabel"="..\bin\dnssec\win32\keyfromlabel.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-    Begin Project Dependency
-    Project_Dep_Name libdns
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name libisc
-    End Project Dependency
-    Begin Project Dependency
-    Project_Dep_Name dnssectool
-    End Project Dependency
-}}}
-
-###############################################################################
-
-Project: "dnssectool"="..\bin\dnssec\win32\dnssectool.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "rndcutil"="..\bin\rndc\win32\rndcutil.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "confgentool"="..\bin\confgen\win32\confgentool.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Project: "checktool"="..\bin\check\win32\checktool.dsp" - Package Owner=<4>
-
-Package=<5>
-{{{
-}}}
-
-Package=<4>
-{{{
-}}}
-
-###############################################################################
-
-Global:
-
-Package=<5>
-{{{
-}}}
-
-Package=<3>
-{{{
-}}}
-
-###############################################################################
-
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "BINDInstall"="..\bin\win32\BINDInstall\BINDInstall.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "bindevt"="..\lib\win32\bindevt\bindevt.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "dig"="..\bin\dig\win32\dig.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name liblwres
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dighost
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "dighost"="..\bin\dig\win32\dighost.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "host"="..\bin\dig\win32\host.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name liblwres
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dighost
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "dsfromkey"="..\bin\dnssec\win32\dsfromkey.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "revoke"="..\bin\dnssec\win32\revoke.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "settime"="..\bin\dnssec\win32\settime.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "keygen"="..\bin\dnssec\win32\keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libbind9"="..\lib\bind9\win32\libbind9.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libdns"="..\lib\dns\win32\libdns.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libisc"="..\lib\isc\win32\libisc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "libisccc"="..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "libisccfg"="..\lib\isccfg\win32\libisccfg.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "liblwres"="..\lib\lwres\win32\liblwres.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "named"="..\bin\named\win32\named.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name liblwres
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "namedcheckconf"="..\bin\check\win32\namedcheckconf.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name checktool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "namedcheckzone"="..\bin\check\win32\namedcheckzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name checktool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "nslookup"="..\bin\dig\win32\nslookup.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name liblwres
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dighost
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "nsupdate"="..\bin\nsupdate\win32\nsupdate.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "rndc"="..\bin\rndc\win32\rndc.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name rndcutil
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "rndcconfgen"="..\bin\confgen\win32\rndcconfgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name confgentool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "ddnsconfgen"="..\bin\confgen\win32\ddnsconfgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name confgentool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "signzone"="..\bin\dnssec\win32\signzone.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "keyfromlabel"="..\bin\dnssec\win32\keyfromlabel.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name dnssectool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "dnssectool"="..\bin\dnssec\win32\dnssectool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "rndcutil"="..\bin\rndc\win32\rndcutil.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "confgentool"="..\bin\confgen\win32\confgentool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "checktool"="..\bin\check\win32\checktool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "pk11keygen"="..\bin\pkcs11\win32\pk11keygen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "pk11list"="..\bin\pkcs11\win32\pk11list.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Project: "pk11destroy"="..\bin\pkcs11\win32\pk11destroy.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat
index 62b55d0a22..9b7ec6667c 100644
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -113,6 +113,12 @@ nmake /nologo -f revoke.mak CFG="revoke - Win32 Release"  NO_EXTERNAL_DEPS="1"
 nmake /nologo -f settime.mak CFG="settime - Win32 Release"  NO_EXTERNAL_DEPS="1"
 cd ..\..
 
+cd pkcs11\win32
+nmake /nologo -f pk11keygen.mak CFG="pk11keygen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11list.mak CFG="pk11list - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11destroy.mak CFG="pk11destroy - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+
 rem This is the BIND 9 Installer
 
 cd win32\BINDInstall
diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat
index cb98d8e998..9186fbd737 100644
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -64,6 +64,9 @@ copy ..\bin\dnssec\dnssec-keygen.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-signzone.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-dsfromkey.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-keyfromlabel.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release
 
 echo Copying the migration notes.
 
diff --git a/win32utils/setpk11provider.pl b/win32utils/setpk11provider.pl
index 8df4bb40e7..9892ccfbad 100644
--- a/win32utils/setpk11provider.pl
+++ b/win32utils/setpk11provider.pl
@@ -14,16 +14,16 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setpk11provider.pl,v 1.1 2009/10/06 22:14:13 each Exp $
+# $Id: setpk11provider.pl,v 1.2 2009/10/12 16:41:13 each Exp $
 
-# setpk11provider
+# setpk11provider.pl
 # This script sets the PKCS#11 provider name in the build scripts.
 #
-# for instance: perl setpk11provider bp201w32HSM
+# for instance: setpk11provider.pl bp201w32HSM
 #
 
 if ($#ARGV != 0) {
-	die "Usage: perl setpk11provider \n"
+	die "Usage: perl setpk11provider.pl \n"
 }
 
 my $provider=$ARGV[0];
@@ -31,12 +31,12 @@ my $provider=$ARGV[0];
 $provider =~ s|\.[dD][lL][lL]$||;
 
 # List of files that need to be updated
-@filelist = ("../bin/pkcs11/win32/pk11keygen.mak",
-             "../bin/pkcs11/win32/pk11keygen.dsp",
-	     "../bin/pkcs11/win32/pk11list.mak",
-             "../bin/pkcs11/win32/pk11list.dsp",
-	     "../bin/pkcs11/win32/pk11destroy.mak",
-             "../bin/pkcs11/win32/pk11destroy.dsp");
+@filelist = ("../bin/pkcs11/win32//pk11keygen.mak",
+             "../bin/pkcs11/win32//pk11keygen.dsp",
+	     "../bin/pkcs11/win32//pk11list.mak",
+             "../bin/pkcs11/win32//pk11list.dsp",
+	     "../bin/pkcs11/win32//pk11destroy.mak",
+             "../bin/pkcs11/win32//pk11destroy.dsp");
 
 # function to replace the provider define
 sub updatefile {
@@ -62,6 +62,33 @@ sub updatefile {
         close(RFILE);
 }
 
+# update config.h to define or undefine USE_PKCS11
+sub updateconfig {
+   my($havexml, $substr, $line);
+   my(@Lines);
+
+   $havexml = $_[0];
+
+   open (RFILE, "../config.h") || die "Can't open config.h";
+   @Lines = ;
+   close (RFILE);
+
+   foreach $line (@Lines) {
+      if ($havexml) {
+         $line =~ s/^.*#undef USE_PKCS11.*$/define USE_PKCS11 1/;
+      } else {
+         $line =~ s/^#define USE_PKCS11 .*$/\/\* #undef USE_PKCS11 \*\//;
+      }
+   }
+
+   open (RFILE, ">../config.h") || die "Can't open config.h";
+   print "Updating file ../config.h\n";
+   foreach $line (@Lines) {
+      print RFILE $line;
+   }
+   close(RFILE);
+}
+
 #Update the list of files
 if ($provider ne 0) {
    $ind = 0;
@@ -71,4 +98,8 @@ if ($provider ne 0) {
 	updatefile($file, $provider);
 	$ind++;
    }
+   updateconfig(1);
+} else {
+   updateconfig(0);
 }
+
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index 85023589c6..5f005b1de9 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: win32-build.txt,v 1.17 2009/09/24 13:03:39 fdupont Exp $
+$Id: win32-build.txt,v 1.18 2009/10/12 16:41:13 each Exp $
 
        BIND 9.7 for Win32 Source Build Instructions.  02-Jul-2009
 
@@ -66,6 +66,12 @@ to see if the build instructions have changed:
   ms\do_masm
   nmake /f ms\ntdll.mak
 
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, please see bind9\README.pkcs11.  You will need to apply the patch
+in bind9\bin\pkcs11\openssl-0.9.8k-patch (this can be done using the Cygwin
+'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
+command above.
+
 Step 2: Download and build libxml2
 
 Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
@@ -88,6 +94,11 @@ From the command prompt cd to the win32utils directory under
 the BIND9 root:
 
   cd bind-9.7.0\win32utils
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, set the path to the PKCS #11 provider library:
+
+  perl setpk11provider.pl 
   
 If using VC++ 6.0, run the BuildAll.bat file:
 

From 77b8f88f144928eddcca144c348d6ef53e7d5c43 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 12 Oct 2009 20:48:12 +0000
Subject: [PATCH 300/385] 2712.	[func]		New 'auto-dnssec' zone option
 allows zone signing 			to be fully automated in zones
 configured for 			dynamic DNS.  'auto-dnssec allow;'
 permits a zone 			to be signed by creating keys for it
 in the 			key-directory and using 'rndc sign '. 
 		'auto-dnssec maintain;' allows that too, plus it 	
 	also keeps the zone's DNSSEC keys up to date 		
 according to their timing metadata. [RT #19943]

---
 CHANGES                            |   9 +
 bin/dnssec/dnssec-dsfromkey.c      |  10 +-
 bin/dnssec/dnssec-keyfromlabel.c   |  10 +-
 bin/dnssec/dnssec-keygen.c         |  10 +-
 bin/dnssec/dnssec-revoke.c         |  12 +-
 bin/dnssec/dnssec-settime.c        |   8 +-
 bin/dnssec/dnssec-signzone.c       | 436 ++++++-----------------------
 bin/dnssec/dnssec-signzone.docbook |  11 +-
 bin/dnssec/dnssectool.c            |  27 +-
 bin/dnssec/dnssectool.h            |  12 +-
 bin/named/control.c                |   4 +-
 bin/named/include/named/control.h  |   3 +-
 bin/named/include/named/server.h   |   9 +-
 bin/named/server.c                 |  36 ++-
 bin/named/zoneconf.c               |  28 +-
 doc/arm/Bv9ARM-book.xml            |  62 +++-
 lib/bind9/check.c                  |  29 +-
 lib/dns/dnssec.c                   | 389 ++++++++++++++++++++++++-
 lib/dns/dst_api.c                  |  37 ++-
 lib/dns/include/dns/dnssec.h       |  50 +++-
 lib/dns/include/dns/result.h       |   5 +-
 lib/dns/include/dns/secalg.h       |   9 +-
 lib/dns/include/dns/zone.h         |  34 ++-
 lib/dns/include/dst/dst.h          |  14 +-
 lib/dns/rcode.c                    |  17 +-
 lib/dns/result.c                   |   3 +-
 lib/dns/zone.c                     | 257 ++++++++++++++++-
 lib/isccfg/namedconf.c             |  10 +-
 28 files changed, 1093 insertions(+), 448 deletions(-)

diff --git a/CHANGES b/CHANGES
index 534aa12836..557b6dc5fe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+2712.	[func]		New 'auto-dnssec' zone option allows zone signing
+			to be fully automated in zones configured for
+			dynamic DNS.  'auto-dnssec allow;' permits a zone
+			to be signed by creating keys for it in the
+			key-directory and using 'rndc sign '.
+			'auto-dnssec maintain;' allows that too, plus it
+			also keeps the zone's DNSSEC keys up to date
+			according to their timing metadata. [RT #19943]
+			
 2711.	[port]		win32: Add the bin/pkcs11 tools into the full
 			build. [RT #20372]
 
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 3d062f1175..f2408a8d60 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.16 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -164,9 +164,9 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
 		      filename, isc_result_totext(result));
 
 	if (verbose > 2) {
-		char keystr[KEY_FORMATSIZE];
+		char keystr[DST_KEY_FORMATSIZE];
 
-		key_format(key, keystr, sizeof(keystr));
+		dst_key_format(key, keystr, sizeof(keystr));
 		fprintf(stderr, "%s: %s\n", program, keystr);
 	}
 
@@ -195,7 +195,7 @@ logkey(dns_rdata_t *rdata)
 	isc_result_t result;
 	dst_key_t    *key = NULL;
 	isc_buffer_t buf;
-	char	     keystr[KEY_FORMATSIZE];
+	char	     keystr[DST_KEY_FORMATSIZE];
 
 	isc_buffer_init(&buf, rdata->data, rdata->length);
 	isc_buffer_add(&buf, rdata->length);
@@ -203,7 +203,7 @@ logkey(dns_rdata_t *rdata)
 	if (result != ISC_R_SUCCESS)
 		return;
 
-	key_format(key, keystr, sizeof(keystr));
+	dst_key_format(key, keystr, sizeof(keystr));
 	fprintf(stderr, "%s: %s\n", program, keystr);
 
 	dst_key_free(&key);
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 9f090c9584..eaf93e60c1 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.20 2009/10/06 23:22:51 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.21 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -429,9 +429,9 @@ main(int argc, char **argv) {
 
 	if (ret != ISC_R_SUCCESS) {
 		char namestr[DNS_NAME_FORMATSIZE];
-		char algstr[ALG_FORMATSIZE];
+		char algstr[DNS_SECALG_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof(namestr));
-		alg_format(alg, algstr, sizeof(algstr));
+		dns_secalg_format(alg, algstr, sizeof(algstr));
 		fatal("failed to get key %s/%s: %s\n",
 		      namestr, algstr, isc_result_totext(ret));
 		/* NOTREACHED */
@@ -503,8 +503,8 @@ main(int argc, char **argv) {
 
 	ret = dst_key_tofile(key, options, directory);
 	if (ret != ISC_R_SUCCESS) {
-		char keystr[KEY_FORMATSIZE];
-		key_format(key, keystr, sizeof(keystr));
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("failed to write key %s: %s\n", keystr,
 		      isc_result_totext(ret));
 	}
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index da7f99c238..d4dabbc9ef 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.100 2009/10/06 22:58:45 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -675,9 +675,9 @@ main(int argc, char **argv) {
 
 		if (ret != ISC_R_SUCCESS) {
 			char namestr[DNS_NAME_FORMATSIZE];
-			char algstr[ALG_FORMATSIZE];
+			char algstr[DNS_SECALG_FORMATSIZE];
 			dns_name_format(name, namestr, sizeof(namestr));
-			alg_format(alg, algstr, sizeof(algstr));
+			dns_secalg_format(alg, algstr, sizeof(algstr));
 			fatal("failed to generate key %s/%s: %s\n",
 			      namestr, algstr, isc_result_totext(ret));
 			/* NOTREACHED */
@@ -777,8 +777,8 @@ main(int argc, char **argv) {
 
 	ret = dst_key_tofile(key, options, directory);
 	if (ret != ISC_R_SUCCESS) {
-		char keystr[KEY_FORMATSIZE];
-		key_format(key, keystr, sizeof(keystr));
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("failed to write key %s: %s\n", keystr,
 		      isc_result_totext(ret));
 	}
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 6796c8eb40..34798f8b98 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.15 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.16 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -84,7 +84,7 @@ main(int argc, char **argv) {
 #endif
 	char *filename = NULL, *dir = NULL;
 	char newname[1024], oldname[1024];
-	char keystr[KEY_FORMATSIZE];
+	char keystr[DST_KEY_FORMATSIZE];
 	char *endp;
 	int ch;
 	isc_entropy_t *ectx = NULL;
@@ -180,9 +180,9 @@ main(int argc, char **argv) {
 		      filename, isc_result_totext(result));
 
 	if (verbose > 2) {
-		char keystr[KEY_FORMATSIZE];
+		char keystr[DST_KEY_FORMATSIZE];
 
-		key_format(key, keystr, sizeof(keystr));
+		dst_key_format(key, keystr, sizeof(keystr));
 		fprintf(stderr, "%s: %s\n", program, keystr);
 	}
 
@@ -213,7 +213,7 @@ main(int argc, char **argv) {
 		result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
 					dir);
 		if (result != ISC_R_SUCCESS) {
-			key_format(key, keystr, sizeof(keystr));
+			dst_key_format(key, keystr, sizeof(keystr));
 			fatal("Failed to write key %s: %s", keystr,
 			      isc_result_totext(result));
 		}
@@ -242,7 +242,7 @@ main(int argc, char **argv) {
 				unlink(oldname);
 		}
 	} else {
-		key_format(key, keystr, sizeof(keystr));
+		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("Key %s is already revoked", keystr);
 	}
 
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 374e0297e6..7371955a25 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.16 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.17 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -125,7 +125,7 @@ main(int argc, char **argv) {
 #endif
 	char *filename = NULL, *directory = NULL;
 	char newname[1024];
-	char keystr[KEY_FORMATSIZE];
+	char keystr[DST_KEY_FORMATSIZE];
 	char *endp, *p;
 	int ch;
 	isc_entropy_t *ectx = NULL;
@@ -344,7 +344,7 @@ main(int argc, char **argv) {
 	if (!dst_key_isprivate(key))
 		fatal("%s is not a private key", filename);
 
-	key_format(key, keystr, sizeof(keystr));
+	dst_key_format(key, keystr, sizeof(keystr));
 
 	/* Is this an old-style key? */
 	dst_key_getprivateformat(key, &major, &minor);
@@ -441,7 +441,7 @@ main(int argc, char **argv) {
 		result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
 					directory);
 		if (result != ISC_R_SUCCESS) {
-			key_format(key, keystr, sizeof(keystr));
+			dst_key_format(key, keystr, sizeof(keystr));
 			fatal("Failed to write key %s: %s", keystr,
 			      isc_result_totext(result));
 		}
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 5d1634cf3f..bfb7ced513 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.243 2009/10/10 01:47:59 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.244 2009/10/12 20:48:10 each Exp $ */
 
 /*! \file */
 
@@ -171,7 +171,6 @@ static isc_boolean_t disable_zone_check = ISC_FALSE;
 static isc_boolean_t update_chain = ISC_FALSE;
 static isc_boolean_t set_keyttl = ISC_FALSE;
 static dns_ttl_t keyttl;
-static isc_boolean_t smartsign = ISC_FALSE;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -208,13 +207,13 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
 {
 	isc_result_t result;
 	isc_stdtime_t jendtime;
-	char keystr[KEY_FORMATSIZE];
+	char keystr[DST_KEY_FORMATSIZE];
 	dns_rdata_t trdata = DNS_RDATA_INIT;
 	unsigned char array[BUFSIZE];
 	isc_buffer_t b;
 	dns_difftuple_t *tuple;
 
-	key_format(key, keystr, sizeof(keystr));
+	dst_key_format(key, keystr, sizeof(keystr));
 	vbprintf(1, "\t%s %s\n", logmsg, keystr);
 
 	jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
@@ -223,8 +222,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
 				 mctx, &b, &trdata);
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
-		char keystr[KEY_FORMATSIZE];
-		key_format(key, keystr, sizeof(keystr));
+		char keystr[DST_KEY_FORMATSIZE];
+		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("dnskey '%s' failed to sign data: %s",
 		      keystr, isc_result_totext(result));
 	}
@@ -1400,7 +1399,7 @@ verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node,
 		for (i = 0; i < 256; i++)
 			if ((ksk_algorithms[i] != 0) &&
 			    (set_algorithms[i] == 0)) {
-				alg_format(i, algbuf, sizeof(algbuf));
+				dns_secalg_format(i, algbuf, sizeof(algbuf));
 				fprintf(stderr, "Missing %s signature for "
 					"%s %s\n", algbuf, namebuf, typebuf);
 				bad_algorithms[i] = 1;
@@ -1607,7 +1606,7 @@ verifyzone(void) {
 		if (ksk_algorithms[i] != 0)
 #endif
 		{
-			alg_format(i, algbuf, sizeof(algbuf));
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
 			fprintf(stderr, " %s", algbuf);
 		}
 	}
@@ -1622,7 +1621,7 @@ verifyzone(void) {
 			if ((ksk_algorithms[i] != 0) ==
 			    (zsk_algorithms[i] != 0))
 				continue;
-			alg_format(i, algbuf, sizeof(algbuf));
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
 			fprintf(stderr, "Missing %s for algorithm %s\n",
 				(ksk_algorithms[i] != 0)
 				   ? "ZSK"
@@ -1714,7 +1713,7 @@ verifyzone(void) {
 			if (first)
 				fprintf(stderr, "The zone is not fully signed "
 					"for the following algorithms:");
-			alg_format(i, algbuf, sizeof(algbuf));
+			dns_secalg_format(i, algbuf, sizeof(algbuf));
 			fprintf(stderr, " %s", algbuf);
 			first = ISC_FALSE;
 		}
@@ -1736,7 +1735,7 @@ verifyzone(void) {
 			    (zsk_algorithms[i] != 0) ||
 			    (standby_zsk[i] != 0) ||
 			    (revoked_zsk[i] != 0)) {
-				alg_format(i, algbuf, sizeof(algbuf));
+ 				dns_secalg_format(i, algbuf, sizeof(algbuf));
 				fprintf(stderr, "Algorithm: %s: KSKs: "
 					"%u active, %u stand-by, %u revoked\n",
 					algbuf, ksk_algorithms[i],
@@ -2632,166 +2631,61 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
  * private keys from disk.
  */
 static void
-loadzonekeys(dns_db_t *db) {
+loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
 	dns_dbnode_t *node;
 	dns_dbversion_t *currentversion;
 	isc_result_t result;
-	dst_key_t *keys[20];
-	unsigned int nkeys, i;
 	dns_rdataset_t rdataset;
 
 	currentversion = NULL;
-	dns_db_currentversion(db, ¤tversion);
+	dns_db_currentversion(gdb, ¤tversion);
 
 	node = NULL;
-	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+	result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to find the zone's origin: %s",
 		      isc_result_totext(result));
 
 	/* Preserve the TTL of the DNSKEY RRset, if any */
 	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, currentversion,
+	result = dns_db_findrdataset(gdb, node, currentversion,
 				     dns_rdatatype_dnskey, 0, 0,
 				     &rdataset, NULL);
 
-	if (result == ISC_R_SUCCESS) {
-		if (set_keyttl && keyttl != rdataset.ttl) {
-			fprintf(stderr, "User-specified TTL (%d) conflicts "
-					"with existing DNSKEY RRset TTL.\n",
-					keyttl);
-			fprintf(stderr, "Imported keys will use the RRSet "
-					"TTL (%d) instead.\n",
-					rdataset.ttl);
-		}
-		keyttl = rdataset.ttl;
-		if (dns_rdataset_isassociated(&rdataset))
-			dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (set_keyttl && keyttl != rdataset.ttl) {
+		fprintf(stderr, "User-specified TTL (%d) conflicts "
+				"with existing DNSKEY RRset TTL.\n",
+				keyttl);
+		fprintf(stderr, "Imported keys will use the RRSet "
+				"TTL (%d) instead.\n",
+				rdataset.ttl);
 	}
+	keyttl = rdataset.ttl;
 
 	/* Load keys corresponding to the existing DNSKEY RRset */
-	result = dns_dnssec_findzonekeys2(db, currentversion, node, gorigin,
-					  directory, mctx, 20, keys, &nkeys);
-	if (result == ISC_R_NOTFOUND) {
-		result = ISC_R_SUCCESS;
-		goto cleanup;
-	}
-
+	result = dns_dnssec_keylistfromrdataset(gorigin, directory, mctx,
+						&rdataset, NULL, preserve_keys,
+						load_public, &keylist);
 	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone keys: %s",
+		fatal("failed to load the zone keys: %s",
 		      isc_result_totext(result));
 
-	for (i = 0; i < nkeys; i++) {
-		dns_dnsseckey_t *key = NULL;
-
-		dns_dnsseckey_create(mctx, &keys[i], &key);
-		if (key->legacy || !smartsign) {
-			key->force_publish = ISC_TRUE;
-			key->force_sign = dst_key_isprivate(key->key);
-		}
-		key->source = dns_keysource_zoneapex;
-		ISC_LIST_APPEND(keylist, key, link);
-	}
-
-  cleanup:
-	dns_db_detachnode(db, &node);
-	dns_db_closeversion(db, ¤tversion, ISC_FALSE);
-}
-
-/*%
- * Finds all public zone keys in the zone.
- */
-static void
-loadzonepubkeys(dns_db_t *db) {
-	dns_dbversion_t *currentversion = NULL;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *pubkey;
-	isc_result_t result;
-
-	dns_db_currentversion(db, ¤tversion);
-
-	result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS)
-		fatal("failed to find the zone's origin: %s",
-		      isc_result_totext(result));
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, currentversion,
-				     dns_rdatatype_dnskey, 0, 0, &rdataset,
-				     NULL);
-	if (result != ISC_R_SUCCESS) {
-		vbprintf(2, "failed to find keys at the zone apex: %s",
-			 isc_result_totext(result));
-		goto cleanup;
-	}
-
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first");
-	while (result == ISC_R_SUCCESS) {
-		dns_dnsseckey_t *key = NULL;
-		pubkey = NULL;
-		dns_rdata_reset(&rdata);
-		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
-						 &pubkey);
-		if (result != ISC_R_SUCCESS)
-			goto next;
-		if (!dst_key_iszonekey(pubkey)) {
-			dst_key_free(&pubkey);
-			goto next;
-		}
-
-		/* Skip duplicates */
-		for (key = ISC_LIST_HEAD(keylist);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			dst_key_t *dkey = key->key;
-			if (dst_key_id(dkey) == dst_key_id(pubkey) &&
-			    dst_key_alg(dkey) == dst_key_alg(pubkey) &&
-			    dns_name_equal(dst_key_name(dkey), gorigin))
-				break;
-		}
-		if (key == NULL) {
-			dns_dnsseckey_create(mctx, &pubkey, &key);
-			if (key->legacy)
-				key->force_publish = ISC_TRUE;
-			key->force_sign = ISC_FALSE;
-			key->hint_sign = ISC_FALSE;
-			ISC_LIST_APPEND(keylist, key, link);
-		} else {
-			dst_key_free(&pubkey);
-		}
- next:
-		result = dns_rdataset_next(&rdataset);
-	}
-
  cleanup:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
-	if (node != NULL)
-		dns_db_detachnode(db, &node);
-	if (currentversion != NULL)
-		dns_db_closeversion(db, ¤tversion, ISC_FALSE);
+	dns_db_detachnode(gdb, &node);
+	dns_db_closeversion(gdb, ¤tversion, ISC_FALSE);
 }
 
-static isc_result_t
-make_dnskey(dst_key_t *key, dns_rdata_t *target) {
-	isc_result_t result;
-	unsigned char data[DST_KEY_MAXSIZE];
-	isc_buffer_t b;
-	isc_region_t r;
-
-	isc_buffer_init(&b, data, sizeof(data));
-	result = dst_key_todns(key, &b);
-	check_result(result, "dst_key_todns");
-
-	dns_rdata_reset(target);
-	isc_buffer_usedregion(&b, &r);
-	dns_rdata_fromregion(target, dst_key_class(key),
-			     dns_rdatatype_dnskey, &r);
-	return (ISC_R_SUCCESS);
+static void
+report(const char *format, ...) {
+	va_list args;
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
 }
 
 static void
@@ -2799,15 +2693,12 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 	isc_result_t result;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t del, add;
-	dns_difftuple_t *tuple = NULL;
-	dns_rdata_t dnskey = DNS_RDATA_INIT;
 	dns_dnsseckeylist_t matchkeys;
-	dns_dnsseckey_t *key1, *key2;
 	char name[DNS_NAME_FORMATSIZE];
-	char alg[80];
-
-	dns_name_format(gorigin, name, sizeof(name));
 
+	/*
+	 * Find keys that match this zone in the key repository.
+	 */
 	ISC_LIST_INIT(matchkeys);
 	result = dns_dnssec_findmatchingkeys(gorigin, directory,
 					     mctx, &matchkeys);
@@ -2822,166 +2713,12 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 	dns_diff_init(mctx, &add);
 
 	/*
-	 * For each key in matchkeys, see if it has a match in keylist.
-	 * - If not, and if the metadata says it should be published:
-	 *   add it to keylist and to the DNSKEY set
-	 * - If so, and if the metadata says it should be removed:
-	 *   remove it from keylist and from the DNSKEY set
-	 * - Otherwise, make sure keylist has up-to-date metadata
+	 * Update keylist with information from from the key repository.
 	 */
+	dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
+			      &add, &del, ignore_kskflag, mctx, report);
 
-	key1 = ISC_LIST_HEAD(matchkeys);
-	while (key1 != NULL) {
-		isc_boolean_t key_revoked = ISC_FALSE;
-		for (key2 = ISC_LIST_HEAD(keylist);
-		     key2 != NULL;
-		     key2 = ISC_LIST_NEXT(key2, link)) {
-			if (dst_key_pubcompare(key1->key, key2->key,
-					       ISC_TRUE)) {
-				key_revoked = ISC_TF(dst_key_flags(key1->key) !=
-						     dst_key_flags(key2->key));
-				break;
-			}
-		}
-
-		/*
-		 * No matching key found in keylist, so move the key
-		 * we found into keylist
-		 */
-		if (key2 == NULL) {
-			dns_dnsseckey_t *next;
-
-			/* move key from matchkeys to keylist */
-			next = ISC_LIST_NEXT(key1, link);
-			ISC_LIST_UNLINK(matchkeys, key1, link);
-			ISC_LIST_APPEND(keylist, key1, link);
-
-			key1 = next;
-			continue;
-		}
-
-		/* Match found: remove it or update it as needed */
-		if (key1->hint_remove) {
-			ISC_LIST_UNLINK(keylist, key2, link);
-			dns_dnsseckey_destroy(mctx, &key2);
-
-			make_dnskey(key1->key, &dnskey);
-			alg_format(dst_key_alg(key1->key), alg, sizeof(alg));
-			fprintf(stderr, "Removing expired key %d/%s from "
-					"DNSKEY RRset.\n",
-					dst_key_id(key1->key), alg);
-
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
-						      gorigin, keyttl,
-						      &dnskey, &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(&del, &tuple);
-		} else if (key_revoked &&
-			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
-			dns_dnsseckey_t *next;
-
-			/*
-			 * A key in the DNSKEY set has been revoked in the
-			 * key repository.  We need to remove the old
-			 * version and pull in the new one.
-			 */
-			make_dnskey(key2->key, &dnskey);
-			alg_format(dst_key_alg(key2->key), alg, sizeof(alg));
-			fprintf(stderr, "Replacing revoked key %d/%s in "
-					"DNSKEY RRset.\n",
-					dst_key_id(key2->key), alg);
-
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
-						      gorigin, keyttl,
-						      &dnskey, &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(&del, &tuple);
-
-			ISC_LIST_UNLINK(keylist, key2, link);
-			dns_dnsseckey_destroy(mctx, &key2);
-
-			next = ISC_LIST_NEXT(key1, link);
-			ISC_LIST_UNLINK(matchkeys, key1, link);
-			ISC_LIST_APPEND(keylist, key1, link);
-
-			/*
-			 * XXX: The revoke flag is only defined for trust
-			 * anchors.  Setting the flag on a non-KSK is legal,
-			 * but not defined in any RFC.  It seems reasonable
-			 * to treat it the same as a KSK: keep it in the
-			 * zone and sign the DNSKEY set with it, but not
-			 * sign other records with it.
-			 */
-			if (iszsk(key1))
-				key1->ksk = ISC_TRUE;
-
-			key1 = next;
-			continue;
-		} else {
-			key2->hint_publish = key1->hint_publish;
-			key2->hint_sign = key1->hint_sign;
-		}
-
-		key1 = ISC_LIST_NEXT(key1, link);
-	}
-
-	/*
-	 * If a key was not in the zone already and needs to be published,
-	 * add it now.
-	 */
-	for (key1 = ISC_LIST_HEAD(keylist);
-	     key1 != NULL;
-	     key1 = ISC_LIST_NEXT(key1, link)) {
-		if (key1->source == dns_keysource_zoneapex)
-			continue;
-
-		if (key1->hint_publish || key1->force_publish) {
-			make_dnskey(key1->key, &dnskey);
-
-			alg_format(dst_key_alg(key1->key), alg, sizeof(alg));
-			fprintf(stderr, "Fetching %s %d/%s from key %s\n",
-					isksk(key1) ?
-					    (iszsk(key1) ?  "KSK/ZSK" : "KSK") :
-					    "ZSK",
-					dst_key_id(key1->key), alg,
-					key1->source == dns_keysource_user ?
-						"file" :
-						"repository");
-
-			if (key1->prepublish && keyttl > key1->prepublish) {
-				char keystr[KEY_FORMATSIZE];
-				key_format(key1->key, keystr, sizeof(keystr));
-				fatal("Key %s is scheduled to\n"
-				      "become active in %d seconds.  "
-				      "This is less than the DNSKEY TTL\n"
-				      "value of %d seconds.  Reduce "
-				      "the TTL, or change the activation\n"
-				      "date of the key using "
-				      "'dnssec-settime -A'.",
-				      keystr, key1->prepublish, keyttl);
-			}
-
-			/* add key to the zone */
-			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-						      gorigin, keyttl,
-						      &dnskey, &tuple);
-			check_result(result, "dns_difftuple_create");
-			dns_diff_append(&add, &tuple);
-		} else {
-			vbprintf(1, "%s %d/%s: not published.\n",
-				 isksk(key1) ?
-				     (iszsk(key1) ?  "KSK/ZSK" : "KSK") :
-				     "ZSK",
-				 dst_key_id(key1->key), alg);
-		}
-	}
-
-	/* free matchkeys */
-	while (!ISC_LIST_EMPTY(matchkeys)) {
-		key1 = ISC_LIST_HEAD(matchkeys);
-		ISC_LIST_UNLINK(matchkeys, key1, link);
-		dns_dnsseckey_destroy(mctx, &key1);
-	}
+	dns_name_format(gorigin, name, sizeof(name));
 
 	result = dns_diff_applysilently(&del, db, ver);
 	if (result != ISC_R_SUCCESS)
@@ -3449,6 +3186,7 @@ main(int argc, char *argv[]) {
 	isc_buffer_t b;
 	int len;
 	hashlist_t hashlist;
+	isc_boolean_t smartsign = ISC_FALSE;
 	isc_boolean_t make_keyset = ISC_FALSE;
 	isc_boolean_t set_salt = ISC_FALSE;
 	isc_boolean_t set_optout = ISC_FALSE;
@@ -3837,8 +3575,45 @@ main(int argc, char *argv[]) {
 	ISC_LIST_INIT(keylist);
 	isc_rwlock_init(&keylist_lock, 0, 0);
 
-	if (argc == 0)
-		loadzonekeys(gdb);
+	loadzonekeys(!smartsign, ISC_FALSE);
+
+	for (i = 0; i < ndskeys; i++) {
+		dst_key_t *newkey = NULL;
+
+		result = dst_key_fromnamedfile(dskeyfile[i], directory,
+					       DST_TYPE_PUBLIC |
+					       DST_TYPE_PRIVATE,
+					       mctx, &newkey);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot load dnskey %s: %s", dskeyfile[i],
+			      isc_result_totext(result));
+
+		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+			fatal("key %s not at origin\n", dskeyfile[i]);
+
+		/* Skip any duplicates */
+		for (key = ISC_LIST_HEAD(keylist);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			if (dst_key_id(key->key) == dst_key_id(newkey) &&
+			    dst_key_alg(key->key) == dst_key_alg(newkey) &&
+			    dns_name_equal(dst_key_name(key->key), gorigin))
+				break;
+		}
+
+		if (key == NULL) {
+			/* We haven't seen this key before */
+			dns_dnsseckey_create(mctx, &newkey, &key);
+			ISC_LIST_APPEND(keylist, key, link);
+			key->source = dns_keysource_user;
+		} else {
+			dst_key_free(&key->key);
+			key->key = newkey;
+		}
+		key->force_publish = ISC_TRUE;
+		key->force_sign = ISC_TRUE;
+		key->ksk = ISC_TRUE;
+	}
 
 	for (i = 0; i < argc; i++) {
 		dst_key_t *newkey = NULL;
@@ -3869,6 +3644,7 @@ main(int argc, char *argv[]) {
 				break;
 			}
 		}
+
 		if (key == NULL) {
 			/* We haven't seen this key before */
 			dns_dnsseckey_create(mctx, &newkey, &key);
@@ -3876,49 +3652,13 @@ main(int argc, char *argv[]) {
 			key->force_sign = ISC_TRUE;
 			key->source = dns_keysource_user;
 			ISC_LIST_APPEND(keylist, key, link);
-		} else
+		} else {
 			dst_key_free(&newkey);
+		}
 	}
 
 	if (argc != 0)
-		loadzonepubkeys(gdb);
-
-	for (i = 0; i < ndskeys; i++) {
-		dst_key_t *newkey = NULL;
-
-		result = dst_key_fromnamedfile(dskeyfile[i], directory,
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &newkey);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot load dnskey %s: %s", dskeyfile[i],
-			      isc_result_totext(result));
-
-		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
-			fatal("key %s not at origin\n", dskeyfile[i]);
-
-		/* Skip any duplicates */
-		for (key = ISC_LIST_HEAD(keylist);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			if (dst_key_id(key->key) == dst_key_id(newkey) &&
-			    dst_key_alg(key->key) == dst_key_alg(newkey) &&
-			    dns_name_equal(dst_key_name(key->key), gorigin))
-				break;
-		}
-		if (key == NULL) {
-			/* We haven't seen this key before */
-			dns_dnsseckey_create(mctx, &newkey, &key);
-			ISC_LIST_APPEND(keylist, key, link);
-		} else {
-			dst_key_free(&key->key);
-			key->key = newkey;
-		}
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_TRUE;
-		key->source = dns_keysource_user;
-		key->ksk = ISC_TRUE;
-	}
+		loadzonekeys(!smartsign, ISC_TRUE);
 
 	/*
 	 * If we're doing smart signing, look in the key repository for
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 20c926ca98..3d9ef761a3 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -642,10 +642,11 @@
     
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
-      (Kexample.com.+003+17247).  The zone's keys must be in the master
-      file (db.example.com).  This invocation looks
-      for keyset files, in the current directory,
-      so that DS records can be generated from them (-g).
+      (Kexample.com.+003+17247).  Because the -S option
+      is not being used, the zone's keys must be in the master file
+      (db.example.com).  This invocation looks
+      for dsset files, in the current directory,
+      so that DS records can be imported from them (-g).
     
 % dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 22111ef529..38ab8c2006 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.54 2009/10/03 18:03:54 each Exp $ */
+/* $Id: dnssectool.c,v 1.55 2009/10/12 20:48:11 each Exp $ */
 
 /*! \file */
 
@@ -110,39 +110,16 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
 	r.base[r.length] = 0;
 }
 
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
-	isc_buffer_t b;
-	isc_region_t r;
-	isc_result_t result;
-
-	isc_buffer_init(&b, cp, size - 1);
-	result = dns_secalg_totext(alg, &b);
-	check_result(result, "dns_secalg_totext()");
-	isc_buffer_usedregion(&b, &r);
-	r.base[r.length] = 0;
-}
-
 void
 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
 	char namestr[DNS_NAME_FORMATSIZE];
 	char algstr[DNS_NAME_FORMATSIZE];
 
 	dns_name_format(&sig->signer, namestr, sizeof(namestr));
-	alg_format(sig->algorithm, algstr, sizeof(algstr));
+	dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
 	snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
 }
 
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size) {
-	char namestr[DNS_NAME_FORMATSIZE];
-	char algstr[DNS_NAME_FORMATSIZE];
-
-	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
-	alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
-	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
-}
-
 void
 setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
 	isc_result_t result;
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 40213bcfd8..82e1d62fef 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.26 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssectool.h,v 1.27 2009/10/12 20:48:11 each Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -44,17 +44,9 @@ void
 type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
 #define TYPE_FORMATSIZE 20
 
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
-#define ALG_FORMATSIZE 20
-
 void
 sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
-#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size);
-#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
+#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
 
 void
 setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
diff --git a/bin/named/control.c b/bin/named/control.c
index 13cedafba1..1c83bdcd14 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.35 2009/07/02 23:47:26 tbox Exp $ */
+/* $Id: control.c,v 1.36 2009/10/12 20:48:11 each Exp $ */
 
 /*! \file */
 
@@ -187,6 +187,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_notifycommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
 		result = ns_server_validation(ns_g_server, command);
+	} else if (command_compare(command, NS_COMMAND_SIGN)) {
+		result = ns_server_sign(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index d382ffe61d..0e68e397a6 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.25 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: control.h,v 1.26 2009/10/12 20:48:11 each Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -57,6 +57,7 @@
 #define NS_COMMAND_NULL		"null"
 #define NS_COMMAND_NOTIFY	"notify"
 #define NS_COMMAND_VALIDATION	"validation"
+#define NS_COMMAND_SIGN 	"sign"
 
 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index cb1ba28499..83ba09afc2 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.101 2009/07/14 22:54:56 each Exp $ */
+/* $Id: server.h,v 1.102 2009/10/12 20:48:11 each Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -289,6 +289,13 @@ isc_result_t
 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 		 isc_buffer_t *text);
 
+/*%
+ * Update a zone's DNSKEY set from the key repository, and re-sign the
+ * zone if there were any changes.
+ */
+isc_result_t
+ns_server_sign(ns_server_t *server, char *args);
+
 /*%
  * Dump the current recursive queries.
  */
diff --git a/bin/named/server.c b/bin/named/server.c
index 87870f99ff..8b7ab9951a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: server.c,v 1.551 2009/10/12 20:48:11 each Exp $ */
 
 /*! \file */
 
@@ -6245,6 +6245,38 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Act on a "sign" command from the command channel.
+ */
+isc_result_t
+ns_server_sign(ns_server_t *server, char *args) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_zonetype_t type;
+	isc_uint16_t keyopts;
+
+	result = zone_from_args(server, args, &zone);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL)
+		return (ISC_R_UNEXPECTEDEND);   /* XXX: or do all zones? */
+
+	type = dns_zone_gettype(zone);
+	if (type != dns_zone_master) {
+		dns_zone_detach(&zone);
+		return (DNS_R_NOTMASTER);
+	}
+
+	keyopts = dns_zone_getkeyopts(zone);
+	if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
+		result = dns_zone_rekey(zone);
+	else
+		result = ISC_R_NOPERM;
+
+	dns_zone_detach(&zone);
+	return (result);
+}
+
 /*
  * Act on a "freeze" or "thaw" command from the command channel.
  */
@@ -6289,7 +6321,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 	type = dns_zone_gettype(zone);
 	if (type != dns_zone_master) {
 		dns_zone_detach(&zone);
-		return (ISC_R_NOTFOUND);
+		return (DNS_R_NOTMASTER);
 	}
 
 	frozen = dns_zone_getupdatedisabled(zone);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 2529bacb5a..b493a3b7dd 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.156 2009/10/10 01:47:59 each Exp $ */
+/* $Id: zoneconf.c,v 1.157 2009/10/12 20:48:11 each Exp $ */
 
 /*% */
 
@@ -172,7 +172,8 @@ parse_acl:
  */
 static isc_result_t
 configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
-			const char *zname) {
+			const char *zname)
+{
 	const cfg_obj_t *updatepolicy = NULL;
 	const cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
@@ -871,11 +872,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 					  dns_zone_clearforwardacl));
 	}
 
-
 	/*%
 	 * Primary master functionality.
 	 */
 	if (ztype == dns_zone_master) {
+		isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+		isc_boolean_t create = ISC_FALSE;
+
 		obj = NULL;
 		result = ns_config_get(maps, "check-wildcard", &obj);
 		if (result == ISC_R_SUCCESS)
@@ -940,6 +943,25 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		INSIST(obj != NULL);
 		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
 				   cfg_obj_asboolean(obj));
+
+ 		obj = NULL;
+ 		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+ 		if (result == ISC_R_SUCCESS) {
+ 			const char *arg = cfg_obj_asstring(obj);
+ 			if (strcasecmp(arg, "allow") == 0)
+ 				allow = ISC_TRUE;
+ 			else if (strcasecmp(arg, "maintain") == 0)
+ 				allow = maint = ISC_TRUE;
+ 			else if (strcasecmp(arg, "create") == 0)
+ 				allow = maint = create = ISC_TRUE;
+ 			else if (strcasecmp(arg, "off") == 0)
+ 				;
+ 			else
+ 				INSIST(0);
+ 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+ 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+ 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, create);
+ 		}
 	}
 
 	/*
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 1867f687ff..4821b6ae36 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -1170,7 +1170,33 @@ zone "eng.example.com" {
                   
 
                   
+                    sign zone
+                        class
+           view
+                    
+                      
+                        Fetch all DNSSEC keys for the given zone
+                        from the key directory (see
+                        key-directory in
+                        ), and merge them
+                        into the zone's DNSKEY RRset.  If the DNSKEY RRset
+                        is changed as a result of this, then the zone is
+                        automatically re-signed with the new key set.
+                      
+                      
+                        This command requires that the
+                        auto-dnssec zone option to be set
+                        to allow,
+                        maintain, or
+                        create,  and also requires
+                        the zone to be configured to allow dynamic DNS.
+                        See  for
+                        more details.
+                      
+                    
+                  
 
+                  
                     freeze
                         zone
        class
@@ -9365,6 +9391,7 @@ view "external" {
      min-retry-time number ; 
      max-retry-time number ; 
      key-directory path_name; 
+     auto-dnssec allow|maintain|create|off; 
      zero-no-soa-ttl yes_or_no ; 
 };
 
@@ -10280,6 +10307,39 @@ zone zone_name class
               
 
+              
+                auto-dnssec
+                
+                  
+                    Zones configured for dynamic DNS may also use this
+                    option to allow varying levels of autonatic DNSSEC key
+                    management. There are four possible settings:
+                  
+                  
+                    auto-dnssec allow; permits
+                    keys to be updated and the zone re-signed whenever the
+                    user issues the command rndc sign.
+                  
+                  
+                    auto-dnssec maintain; includes the
+                    above, but also automatically adjusts the zone's DNSSEC
+                    keys on schedule, according to the keys' timing metadata
+                    (see  and
+                    ).
+                  
+                  
+                    auto-dnssec create; includes the
+                    above, but also allows named
+                    to create new keys in the key repository when needed.
+                    (NOTE: This option is not yet implemented; the syntax is
+                    being reserved for future use.)
+                  
+                  
+                    The default setting is auto-dnssec off.
+                  
+                
+              
+
               
                 multi-master
                 
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 026dbb1911..457e710ad9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.110 2009/10/10 01:48:00 each Exp $ */
+/* $Id: check.c,v 1.111 2009/10/12 20:48:11 each Exp $ */
 
 /*! \file */
 
@@ -1127,6 +1127,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
 	{ "dnskey-ksk-only", MASTERZONE },
+ 	{ "auto-dnssec", MASTERZONE },
 	{ "try-tcp-refresh", SLAVEZONE },
 	};
 
@@ -1284,7 +1285,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	 * Master zones can't have both "allow-update" and "update-policy".
 	 */
 	if (ztype == MASTERZONE) {
-		isc_result_t res1, res2;
+		isc_result_t res1, res2, res3;
+		const char *arg;
+		isc_boolean_t ddns;
+
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "allow-update", &obj);
 		obj = NULL;
@@ -1298,6 +1302,27 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		} else if (res2 == ISC_R_SUCCESS &&
 			   check_update_policy(obj, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
+		ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
+
+		obj = NULL;
+		arg = "off";
+		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (res3 == ISC_R_SUCCESS)
+			arg = cfg_obj_asstring(obj);
+		if (strcasecmp(arg, "off") != 0 && !ddns) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'auto-dnssec %s;' requires "
+				    "dynamic DNS to be configured in the zone",
+				    arg);
+			result = ISC_R_FAILURE;
+		}
+		if (strcasecmp(arg, "create") == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'auto-dnssec create;' is not "
+				    "yet implemented");
+			result = ISC_R_FAILURE;
+		}
+
 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
 		if (res1 == ISC_R_SUCCESS) {
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 91ebc2c817..1a2c0e903d 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.102 2009/09/14 18:45:45 each Exp $
+ * $Id: dnssec.c,v 1.103 2009/10/12 20:48:11 each Exp $
  */
 
 /*! \file */
@@ -33,6 +33,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -973,6 +974,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 	dk->hint_publish = ISC_FALSE;
 	dk->hint_sign = ISC_FALSE;
 	dk->hint_remove = ISC_FALSE;
+	dk->first_sign = ISC_FALSE;
+	dk->is_active = ISC_FALSE;
 	dk->prepublish = 0;
 	dk->source = dns_keysource_unknown;
 	dk->index = 0;
@@ -1168,3 +1171,387 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 		dst_key_free(&dstkey);
 	return (result);
 }
+
+/*%
+ * Add 'newkey' to 'keylist' if it's not already there.
+ *
+ * If 'savekeys' is ISC_TRUE, then we need to preserve all
+ * the keys in the keyset, regardless of whether they have
+ * metadata indicating they should be deactivated or removed.
+ */
+static void
+addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
+       isc_boolean_t savekeys, isc_mem_t *mctx)
+{
+	dns_dnsseckey_t *key;
+
+	/* Skip duplicates */
+	for (key = ISC_LIST_HEAD(*keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		if (dst_key_id(key->key) == dst_key_id(*newkey) &&
+		    dst_key_alg(key->key) == dst_key_alg(*newkey) &&
+		    dns_name_equal(dst_key_name(key->key),
+		    		   dst_key_name(*newkey)))
+			break;
+	}
+
+	if (key != NULL) {
+		/*
+		 * Found a match.  If the old key was only public and the
+		 * new key is private, replace the old one; otherwise
+		 * we're done.
+		 */
+		if (dst_key_isprivate(key->key)) {
+			dst_key_free(newkey);
+		} else if (dst_key_isprivate(*newkey)) {
+			dst_key_free(&key->key);
+			key->key = *newkey;
+		}
+
+		return;
+	}
+
+	dns_dnsseckey_create(mctx, newkey, &key);
+	if (key->legacy || savekeys) {
+		key->force_publish = ISC_TRUE;
+		key->force_sign = dst_key_isprivate(key->key);
+	}
+	key->source = dns_keysource_zoneapex;
+	ISC_LIST_APPEND(*keylist, key, link);
+	*newkey = NULL;
+}
+
+/*%
+ * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ */
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+			       const char *directory, isc_mem_t *mctx,
+			       dns_rdataset_t *keyset, dns_rdataset_t *sigset,
+			       isc_boolean_t savekeys, isc_boolean_t public,
+			       dns_dnsseckeylist_t *keylist)
+{
+	dns_rdataset_t keys, sigs;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *pubkey, *privkey;
+	dns_dnsseckey_t *key;
+	isc_result_t result;
+
+	dns_rdataset_init(&keys);
+	dns_rdataset_init(&sigs);
+
+	REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
+	dns_rdataset_clone(keyset, &keys);
+
+	for (result = dns_rdataset_first(&keys);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keys)) {
+		pubkey = NULL;
+		privkey = NULL;
+
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&keys, &rdata);
+		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+
+		if (!is_zone_key(pubkey) ||
+		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			continue;
+
+		/* Corrupted .key file? */
+		if (!dns_name_equal(origin, dst_key_name(pubkey)))
+			continue;
+
+		if (public) {
+			addkey(keylist, &pubkey, savekeys, mctx);
+			continue;
+		}
+
+		result = dst_key_fromfile(dst_key_name(pubkey),
+					  dst_key_id(pubkey),
+					  dst_key_alg(pubkey),
+					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+					  directory, mctx, &privkey);
+		if (result == ISC_R_FILENOTFOUND) {
+			addkey(keylist, &pubkey, savekeys, mctx);
+			continue;
+		}
+		RETERR(result);
+
+		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
+			/* We should never get here. */
+			dst_key_free(&pubkey);
+			dst_key_free(&privkey);
+			continue;
+		}
+
+		addkey(keylist, &privkey, savekeys, mctx);
+
+		dst_key_free(&pubkey);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	else if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	if (sigset == NULL || !dns_rdataset_isassociated(sigset))
+		goto success;
+
+	dns_rdataset_clone(sigset, &sigs);
+
+	/*
+	 * Mark all keys which signed the DNSKEY set, for future reference.
+	 */
+	for (key = ISC_LIST_HEAD(*keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		isc_uint16_t keyid, sigid;
+		isc_uint8_t keyalg, sigalg;
+		keyid = dst_key_id(key->key);
+		keyalg = dst_key_alg(key->key);
+
+		for (result = dns_rdataset_first(&sigs);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&sigs)) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&sigs, &rdata);
+			sigalg = rdata.data[2];
+			sigid = (rdata.data[16] << 8) | rdata.data[17];
+			if (keyid == sigid && keyalg == sigalg) {
+				key->is_active = ISC_TRUE;
+				break;
+			}
+		}
+	}
+
+	if (result == ISC_R_NOMORE)
+ success:
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&keys))
+		dns_rdataset_disassociate(&keys);
+	if (dns_rdataset_isassociated(&sigs))
+		dns_rdataset_disassociate(&sigs);
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
+	if (privkey != NULL)
+		dst_key_free(&privkey);
+	return (result);
+}
+
+
+static isc_result_t
+make_dnskey(dst_key_t *key, dns_rdata_t *target) {
+	isc_result_t result;
+	unsigned char data[DST_KEY_MAXSIZE];
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dst_key_todns(key, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdata_reset(target);
+	isc_buffer_usedregion(&b, &r);
+	dns_rdata_fromregion(target, dst_key_class(key),
+			     dns_rdatatype_dnskey, &r);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+publish_key(dns_diff_t *add, dns_dnsseckey_t *key, dns_name_t *origin,
+	    dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
+	    void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+	char alg[80];
+
+	dns_rdata_reset(&dnskey);
+	RETERR(make_dnskey(key->key, &dnskey));
+
+	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+	report("Fetching %s %d/%s from key %s\n",
+	       key->ksk ?  (allzsk ?  "KSK/ZSK" : "KSK") : "ZSK",
+	       dst_key_id(key->key), alg,
+	       key->source == dns_keysource_user ?  "file" : "repository");
+
+	if (key->prepublish && ttl > key->prepublish) {
+		char keystr[DST_KEY_FORMATSIZE];
+		isc_stdtime_t now;
+
+		dst_key_format(key->key, keystr, sizeof(keystr));
+		report("Key %s: Delaying activation to match the DNSKEY TTL.",
+		       keystr, ttl);
+
+		isc_stdtime_get(&now);
+		dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
+	}
+
+	/* publish key */
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
+				    &dnskey, &tuple));
+	dns_diff_append(add, &tuple);
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+static isc_result_t
+remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
+	  dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
+	  void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+	char alg[80];
+
+	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+	report("Removing %s key %d/%s from DNSKEY RRset.\n",
+	       reason, dst_key_id(key->key), alg);
+
+	RETERR(make_dnskey(key->key, &dnskey));
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
+				    &tuple));
+	dns_diff_append(del, &tuple);
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+/*
+ * Update 'keys' with information from 'newkeys'.
+ *
+ * If 'removed' is not NULL, any keys that are being removed from
+ * the zone will be added to the list for post-removal processing.
+ */
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, 
+		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
+		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
+		      isc_boolean_t allzsk, isc_mem_t *mctx,
+		      void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_dnsseckey_t *key1, *key2;
+
+	key1 = ISC_LIST_HEAD(*newkeys);
+	while (key1 != NULL) {
+		isc_boolean_t key_revoked = ISC_FALSE;
+		for (key2 = ISC_LIST_HEAD(*keys);
+		     key2 != NULL;
+		     key2 = ISC_LIST_NEXT(key2, link)) {
+			if (dst_key_pubcompare(key1->key, key2->key,
+					       ISC_TRUE)) {
+				int r1, r2;
+				r1 = dst_key_flags(key1->key) &
+					DNS_KEYFLAG_REVOKE;
+				r2 = dst_key_flags(key2->key) &
+					DNS_KEYFLAG_REVOKE;
+				key_revoked = ISC_TF(r1 != r2);
+				break;
+			}
+		}
+
+		/* No match found in keys; add the new key. */
+		if (key2 == NULL) {
+			dns_dnsseckey_t *next;
+
+			next = ISC_LIST_NEXT(key1, link);
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			if (key1->source != dns_keysource_zoneapex &&
+			    (key1->hint_publish || key1->force_publish)) {
+				RETERR(publish_key(add, key1, origin, ttl,
+						   mctx, allzsk, report));
+				if (key1->hint_sign || key1->force_sign)
+					key1->first_sign = ISC_TRUE;
+			}
+
+			key1 = next;
+			continue;
+		}
+
+		/* Match found: remove or update it as needed */
+		if (key1->hint_remove) {
+			RETERR(remove_key(del, key2, origin, ttl, mctx,
+					  "expired", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+			if (removed != NULL)
+				ISC_LIST_APPEND(*removed, key2, link);
+			else
+				dns_dnsseckey_destroy(mctx, &key2);
+		} else if (key_revoked &&
+			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
+			dns_dnsseckey_t *next;
+
+			/*
+			 * A previously valid key has been revoked.
+			 * We need to remove the old version and pull
+			 * in the new one.
+			 */
+			RETERR(remove_key(del, key2, origin, ttl, mctx,
+					  "revoked", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+			if (removed != NULL)
+				ISC_LIST_APPEND(*removed, key2, link);
+			else
+				dns_dnsseckey_destroy(mctx, &key2);
+
+			RETERR(publish_key(add, key1, origin, ttl,
+					   mctx, allzsk, report));
+			next = ISC_LIST_NEXT(key1, link);
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			/*
+			 * XXX: The revoke flag is only defined for trust
+			 * anchors.  Setting the flag on a non-KSK is legal,
+			 * but not defined in any RFC.  It seems reasonable
+			 * to treat it the same as a KSK: keep it in the
+			 * zone, sign the DNSKEY set with it, but not
+			 * sign other records with it.
+			 */
+			key1->ksk = ISC_TRUE;
+			key1 = next;
+			continue;
+		} else {
+			if (!key2->is_active &&
+			    (key1->hint_sign || key1->force_sign))
+				key2->first_sign = ISC_TRUE;
+			key2->hint_sign = key1->hint_sign;
+
+			/*
+			 * If a key was specified on the command line,
+			 * not in the zone, it can be imported into the
+			 * zone now.
+			 */
+			key2->hint_publish = key1->hint_publish;
+			if (key2->source == dns_keysource_user && 
+			    (key2->hint_publish || key2->force_publish))
+				RETERR(publish_key(add, key2, origin, ttl,
+					           mctx, allzsk, report));
+		}
+
+		key1 = ISC_LIST_NEXT(key1, link);
+	}
+
+	/* Free any leftover keys in newkeys */
+	while (!ISC_LIST_EMPTY(*newkeys)) {
+		key1 = ISC_LIST_HEAD(*newkeys);
+		ISC_LIST_UNLINK(*newkeys, key1, link);
+		dns_dnsseckey_destroy(mctx, &key1);
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index d9a99e0966..b0dabb5be4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.40 2009/10/12 09:03:06 marka Exp $
+ * $Id: dst_api.c,v 1.41 2009/10/12 20:48:12 each Exp $
  */
 
 /*! \file */
@@ -930,6 +930,8 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf1[0] = buf1[1] = 0;
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b1, 2);
 
 	isc_buffer_init(&b2, buf2, sizeof(buf2));
 	result = dst_key_todns(key2, &b2);
@@ -937,6 +939,8 @@ pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 	/* Zero out flags. */
 	buf2[0] = buf2[1] = 0;
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b2, 2);
 
 	isc_buffer_usedregion(&b1, &r1);
 	/* Remove extended flags. */
@@ -1088,6 +1092,27 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Set the flags on a key, then recompute the key ID
+ */
+isc_result_t
+dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {
+	REQUIRE(VALID_KEY(key));
+	key->key_flags = flags;
+	return (computeid(key));
+}
+
+void
+dst_key_format(dst_key_t *key, char *cp, unsigned int size) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char algstr[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+	dns_secalg_format((dns_secalg_t) dst_key_alg(key), algstr,
+			  sizeof(algstr));
+	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
+}
+
 /***
  *** Static methods
  ***/
@@ -1265,16 +1290,6 @@ dst_key_read_public(const char *filename, int type,
 	return (ret);
 }
 
-/*%
- * Set the flags on a key, then recompute the key ID
- */
-isc_result_t
-dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {
-	REQUIRE(VALID_KEY(key));
-	key->key_flags = flags;
-	return (computeid(key));
-}
-
 static isc_boolean_t
 issymmetric(const dst_key_t *key) {
 	REQUIRE(dst_initialized == ISC_TRUE);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 9064a73752..83f5b54e1d 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.36 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dnssec.h,v 1.37 2009/10/12 20:48:12 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -25,6 +25,7 @@
 #include 
 #include 
 
+#include 
 #include 
 
 #include 
@@ -52,6 +53,8 @@ struct dns_dnsseckey {
 	isc_boolean_t hint_sign;     /*% metadata says to sign with this key */
 	isc_boolean_t force_sign;    /*% sign with key regardless of metadata */
 	isc_boolean_t hint_remove;   /*% metadata says *don't* publish */
+	isc_boolean_t is_active;     /*% key is already active */
+	isc_boolean_t first_sign;    /*% key is newly becoming active */
 	unsigned int prepublish;     /*% how long until active? */
 	dns_keysource_t source;      /*% how the key was found */
 	isc_boolean_t ksk;           /*% this is a key-signing key */
@@ -265,6 +268,51 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
  *\li		On error, keylist is unchanged
  */
 
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+			       const char *directory, isc_mem_t *mctx,
+			       dns_rdataset_t *keyset, dns_rdataset_t *sigset,
+			       isc_boolean_t savekeys, isc_boolean_t public,
+			       dns_dnsseckeylist_t *keylist);
+/*%<
+ * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ * Omit duplicates.  If 'public' is ISC_FALSE, search 'directory' for
+ * matching key files, and load the private keys that go with
+ * the public ones.  If 'savekeys' is ISC_TRUE, mark the keys so
+ * they will not be deleted or inactivated regardless of metadata.
+ */
+
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, 
+		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
+		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
+		      isc_boolean_t allzsk, isc_mem_t *mctx,
+		      void (*report)(const char *, ...));
+/*%<
+ * Update the list of keys in 'keys' with new key information in 'newkeys'.
+ *
+ * For each key in 'newkeys', see if it has a match in 'keys'.
+ * - If not, and if the metadata says the key should be published:
+ *   add it to 'keys', and place a dns_difftuple into 'add' so
+ *   the key can be added to the DNSKEY set.  If the metadata says it
+ *   should be active, set the first_sign flag.
+ * - If so, and if the metadata says it should be removed:
+ *   remove it from 'keys', and place a dns_difftuple into 'del' so
+ *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
+ *   copy the key into that list; otherwise destroy it.
+ * - Otherwise, make sure keys has current metadata.
+ *
+ * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
+ * ZSKs.
+ *
+ * 'ttl' is the TTL of the DNSKEY RRset; if it is longer than the
+ * time until a new key will be activated, then we have to delay the
+ * key's activation.
+ *
+ * 'report' points to a function for reporting status.
+ *
+ * On completion, any remaining keys in 'newkeys' are freed.
+ */
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index ed29bcd5d3..87a6af33c3 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.116 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: result.h,v 1.117 2009/10/12 20:48:12 each Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
@@ -148,8 +148,9 @@
 #define DNS_R_MXISADDRESS		(ISC_RESULTCLASS_DNS + 102)
 #define DNS_R_DUPLICATE			(ISC_RESULTCLASS_DNS + 103)
 #define DNS_R_INVALIDNSEC3		(ISC_RESULTCLASS_DNS + 104)
+#define DNS_R_NOTMASTER 		(ISC_RESULTCLASS_DNS + 105)
 
-#define DNS_R_NRESULTS			105	/*%< Number of results */
+#define DNS_R_NRESULTS			106	/*%< Number of results */
 
 /*
  * DNS wire format rcodes.
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 2e4fe3ee0c..38550e8757 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: secalg.h,v 1.20 2009/10/12 20:48:12 each Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
@@ -66,6 +66,13 @@ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
  *\li	ISC_R_NOSPACE			target buffer is too small
  */
 
+#define DNS_SECALG_FORMATSIZE 20
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_secalg_totext(), writing text into 'cp'
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_SECALG_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 15f16f3a07..9dae4d7e42 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.169 2009/10/10 01:48:00 each Exp $ */
+/* $Id: zone.h,v 1.170 2009/10/12 20:48:12 each Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -81,6 +81,13 @@ typedef enum {
 #define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U	/* forward notify to master */
 #endif /* NOMINUM_PUBLIC */
 
+/*
+ * Zone key maintenance options
+ */
+#define DNS_ZONEKEY_ALLOW	0x00000001U	/*%< fetch keys on command */
+#define DNS_ZONEKEY_MAINTAIN	0x00000002U	/*%< publish/sign on schedule */
+#define DNS_ZONEKEY_CREATE	0x00000004U	/*%< make keys when needed */
+
 #ifndef DNS_ZONE_MINREFRESH
 #define DNS_ZONE_MINREFRESH		    300	/*%< 5 minutes */
 #endif
@@ -570,6 +577,25 @@ dns_zone_getoptions(dns_zone_t *zone);
  *\li	'zone' to be a valid zone.
  */
 
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
+/*%<
+ *	Set key options on ('value' == ISC_TRUE) or off ('value' ==
+ *	#ISC_FALSE).
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone key options.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
 void
 dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
 /*%<
@@ -1750,6 +1776,12 @@ dns_zone_getprivatetype(dns_zone_t *zone);
  * will not be permanent.
  */
 
+isc_result_t
+dns_zone_rekey(dns_zone_t *zone);
+/*%<
+ * Update the zone's DNSKEY set from the key repository.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 1eb5aa54de..b9697d2b95 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.21 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -26,6 +26,8 @@
 #include 
 
 #include 
+#include 
+#include 
 
 #include 
 
@@ -541,6 +543,7 @@ dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
  *\li 	ISC_TRUE
  * \li	ISC_FALSE
  */
+
 isc_boolean_t
 dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
 /*%<
@@ -783,6 +786,15 @@ dst_key_setprivateformat(dst_key_t *key, int major, int minor);
  *	"key" is a valid key.
  */
 
+#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)
+
+void
+dst_key_format(dst_key_t *key, char *cp, unsigned int size);
+/*%<
+ * Write the uniquely identifying information about the key (name,
+ * algorithm, key ID) into a string 'cp' of size 'size'.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_H */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index faa1d528ca..fb981bd627 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.9 2008/12/16 05:04:47 marka Exp $ */
+/* $Id: rcode.c,v 1.10 2009/10/12 20:48:12 each Exp $ */
 
 #include 
 #include 
@@ -316,6 +316,21 @@ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
 	return (dns_mnemonic_totext(secalg, target, secalgs));
 }
 
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(cp != NULL && size > 0);
+	isc_buffer_init(&b, cp, size - 1);
+	result = dns_secalg_totext(alg, &b);
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	if (result != ISC_R_SUCCESS)
+		r.base[0] = 0;
+}
+
 isc_result_t
 dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
 	unsigned int value;
diff --git a/lib/dns/result.c b/lib/dns/result.c
index c5ab30092f..0e857ac7d7 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.127 2009/03/01 23:47:25 tbox Exp $ */
+/* $Id: result.c,v 1.128 2009/10/12 20:48:12 each Exp $ */
 
 /*! \file */
 
@@ -157,6 +157,7 @@ static const char *text[DNS_R_NRESULTS] = {
 	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
 	"duplicate query",		       /*%< 103 DNS_R_DUPLICATE */
 	"invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */
+	"not master",			       /*%< 105 DNS_R_NOTMASTER */
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 49956f5e09..058f85cb54 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.515 2009/10/10 23:47:58 tbox Exp $ */
+/* $Id: zone.c,v 1.516 2009/10/12 20:48:12 each Exp $ */
 
 /*! \file */
 
@@ -206,7 +206,7 @@ struct dns_zone {
 	isc_time_t		keywarntime;
 	isc_time_t		signingtime;
 	isc_time_t		nsec3chaintime;
-	isc_time_t		refreshkeytime;		/* Used by key zones */
+	isc_time_t		refreshkeytime;
 	isc_uint32_t		refreshkeycount;
 	isc_uint32_t		refresh;
 	isc_uint32_t		retry;
@@ -312,6 +312,11 @@ struct dns_zone {
 	isc_uint32_t		signatures;
 	isc_uint32_t		nodes;
 	dns_rdatatype_t		privatetype;
+
+	/*%
+	 * Autosigning/key-maintenance options
+	 */
+	isc_uint32_t		keyopts;
 };
 
 #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@@ -362,6 +367,7 @@ struct dns_zone {
 #define DNS_ZONEFLG_THAW	0x08000000U
 
 #define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
+#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
 
 /* Flags for zone_load() */
 #define DNS_ZONELOADFLAG_NOSTAT	0x00000001U	/* Do not stat() master files */
@@ -641,6 +647,7 @@ static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
 static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
 				dns_dbnode_t *node, dns_name_t *name,
 				dns_diff_t *diff);
+static isc_result_t zone_rekey(dns_zone_t *zone);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
 
@@ -738,6 +745,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->type = dns_zone_none;
 	zone->flags = 0;
 	zone->options = 0;
+	zone->keyopts = 0;
 	zone->db_argc = 0;
 	zone->db_argv = NULL;
 	isc_time_settoepoch(&zone->expiretime);
@@ -2196,7 +2204,6 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 		dns_db_detachnode(db, &node);
 	if (version != NULL)
 		dns_db_closeversion(db, &version, ISC_FALSE);
-
 }
 
 static void
@@ -3403,6 +3410,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	if (zone->type == dns_zone_master)
 		zone_check_dnskeys(zone, db);
 
+	/*
+	 * Schedule DNSSEC key refresh.
+	 */
+	if (zone->type == dns_zone_master &&
+	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+		zone->refreshkeytime = now;
+
 #if 0
 	/* destroy notification example. */
 	{
@@ -3894,6 +3908,27 @@ dns_zone_getoptions(dns_zone_t *zone) {
 	return (zone->options);
 }
 
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, isc_boolean_t value)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (value)
+		zone->keyopts |= keyopt;
+	else
+		zone->keyopts &= ~keyopt;
+	UNLOCK_ZONE(zone);
+}
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keyopts);
+}
+
 isc_result_t
 dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -7605,6 +7640,11 @@ zone_maintenance(dns_zone_t *zone) {
 		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING))
 			zone_refreshkeys(zone);
 		break;
+	case dns_zone_master:
+		if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN) &&
+		    !isc_time_isepoch(&zone->refreshkeytime) &&
+		    isc_time_compare(&now, &zone->refreshkeytime) >= 0)
+			dns_zone_rekey(zone);
 	default:
 		break;
 	}
@@ -10055,6 +10095,13 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 			    isc_time_compare(&zone->dumptime, &next) < 0)
 				next = zone->dumptime;
 		}
+		if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+			if (isc_time_isepoch(&next) ||
+			    (!isc_time_isepoch(&zone->refreshkeytime) &&
+			    isc_time_compare(&zone->refreshkeytime, &next) < 0))
+				next = zone->refreshkeytime;
+		}
 		if (!isc_time_isepoch(&zone->resigntime)) {
 			if (isc_time_isepoch(&next) ||
 			    isc_time_compare(&zone->resigntime, &next) < 0)
@@ -13184,3 +13231,207 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
 	}
 	return (result);
 }
+
+static void
+logmsg(const char *format, ...) {
+	va_list args;
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+		       ISC_LOG_DEBUG(1), format, args);
+	va_end(args);
+}
+
+static void
+clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
+	dns_dnsseckey_t *key;
+	while (!ISC_LIST_EMPTY(*list)) {
+		key = ISC_LIST_HEAD(*list);
+		ISC_LIST_UNLINK(*list, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+}
+
+static isc_result_t
+next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
+	isc_result_t result;
+	isc_stdtime_t now, then = 0, event;
+	int i;
+
+	isc_stdtime_get(&now);
+
+	for (i = 0; i <= DST_MAX_TIMES; i++) {
+		result = dst_key_gettime(key, i, &event);
+		if (result == ISC_R_SUCCESS && event > now &&
+		    (then == 0 || event < then))
+			then = event;
+	}
+
+	if (then != 0) {
+		*timep = then;
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+zone_rekey(dns_zone_t *zone) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_rdataset_t soaset, keyset, sigset;
+	dns_dnsseckeylist_t dnskeys, keys, oldkeys;
+	dns_dnsseckey_t *key;
+	dns_diff_t add, del;
+	isc_boolean_t commit = ISC_FALSE;
+	dns_ttl_t ttl = 3600;
+	const char *dir;
+	isc_mem_t *mctx;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ISC_LIST_INIT(dnskeys);
+	ISC_LIST_INIT(keys);
+	ISC_LIST_INIT(oldkeys);
+	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&keyset);
+	dns_rdataset_init(&sigset);
+	dir = dns_zone_getkeydirectory(zone);
+	mctx = zone->mctx;
+	dns_diff_init(mctx, &add);
+	dns_diff_init(mctx, &del);
+	isc_stdtime_get(&now);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	CHECK(dns_db_newversion(db, &ver));
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	/* Get the SOA record's TTL */
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
+				  dns_rdatatype_none, 0, &soaset, NULL));
+	ttl = soaset.ttl;
+	dns_rdataset_disassociate(&soaset);
+
+	/* Get the DNSKEY rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &keyset, &sigset);
+	if (result == ISC_R_SUCCESS) {
+		ttl = keyset.ttl;
+		CHECK(dns_dnssec_keylistfromrdataset(&zone->origin, dir,
+						     mctx, &keyset, &sigset,
+						     ISC_FALSE, ISC_FALSE,
+						     &dnskeys));
+	} else if (result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_dnssec_findmatchingkeys(&zone->origin, dir, mctx, &keys);
+	if (result == ISC_R_SUCCESS) {
+		isc_boolean_t check_ksk;
+		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+
+		CHECK(dns_dnssec_updatekeys(&dnskeys, &keys, &oldkeys,
+					    &zone->origin, ttl, &add, &del,
+					    ISC_TF(!check_ksk), mctx, logmsg));
+		if (!ISC_LIST_EMPTY(del.tuples)) {
+			commit = ISC_TRUE;
+			dns_diff_apply(&del, db, ver);
+			result = increment_soa_serial(db, ver, &del, mctx);
+			if (result == ISC_R_SUCCESS)
+				zone_journal(zone, &del, "zone_rekey");
+		}
+		if (!ISC_LIST_EMPTY(add.tuples)) {
+			commit = ISC_TRUE;
+			dns_diff_apply(&add, db, ver);
+			result = increment_soa_serial(db, ver, &add, mctx);
+			if (result == ISC_R_SUCCESS)
+				zone_journal(zone, &add, "zone_rekey");
+
+		}
+	}
+
+	dns_db_closeversion(db, &ver, commit);
+
+	if (commit) {
+		for (key = ISC_LIST_HEAD(oldkeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			zone_signwithkey(zone, dst_key_alg(key->key),
+					 dst_key_id(key->key), ISC_TRUE);
+		}
+
+		for (key = ISC_LIST_HEAD(dnskeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			if (key->first_sign) {
+				zone_signwithkey(zone, dst_key_alg(key->key),
+						 dst_key_id(key->key),
+						 ISC_FALSE);
+				key->is_active = ISC_TRUE;
+				key->first_sign = ISC_FALSE;
+			}
+		}
+	}
+
+	isc_time_settoepoch(&zone->refreshkeytime);
+	for (key = ISC_LIST_HEAD(dnskeys);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		isc_stdtime_t then;
+		isc_time_t timenow, timethen;
+
+		/*
+		 * If we are doing automatic key maintenace and the
+		 * key metadata indicates there is a key change event
+		 * scheduled in the future, set the key refresh timer.
+		 */
+		if (!DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+			break;
+
+		result = next_keyevent(key->key, &then);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		isc_time_set(&timethen, then, 0);
+		if (isc_time_isepoch(&zone->refreshkeytime) ||
+		    isc_time_compare(&timethen, &zone->refreshkeytime) < 0) {
+			zone->refreshkeytime = timethen;
+			zone_settimer(zone, &timenow);
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+ 	dns_diff_clear(&add);
+ 	dns_diff_clear(&del);
+
+	clear_keylist(&dnskeys, mctx);
+	clear_keylist(&keys, mctx);
+	clear_keylist(&oldkeys, mctx);
+
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, ISC_FALSE);
+	if (dns_rdataset_isassociated(&keyset))
+		dns_rdataset_disassociate(&keyset);
+	if (dns_rdataset_isassociated(&sigset))
+		dns_rdataset_disassociate(&sigset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
+isc_result_t
+dns_zone_rekey(dns_zone_t *zone) {
+	isc_result_t result;
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
+	result = zone_rekey(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 6d906d0318..b26798927a 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.107 2009/10/10 01:48:00 each Exp $ */
+/* $Id: namedconf.c,v 1.108 2009/10/12 20:48:12 each Exp $ */
 
 /*! \file */
 
@@ -530,6 +530,13 @@ static cfg_type_t cfg_type_bracketed_sockaddrlist = {
 	&cfg_rep_list, &cfg_type_sockaddr
 };
 
+static const char *autodnssec_enums[] = { "allow", "maintain", "create", 
+					  "off", NULL };
+static cfg_type_t cfg_type_autodnssec = {
+	"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &autodnssec_enums
+};
+
 static cfg_type_t cfg_type_rrsetorder = {
 	"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
 	&cfg_rep_list, &cfg_type_rrsetorderingelement
@@ -1174,6 +1181,7 @@ zone_only_clauses[] = {
 	 */
 	{ "check-names", &cfg_type_checkmode, 0 },
 	{ "ixfr-from-differences", &cfg_type_boolean, 0 },
+	{ "auto-dnssec", &cfg_type_autodnssec, 0 },
 	{ NULL, NULL, 0 }
 };
 

From 69677f863f38f10943af2959633f831604b0b679 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 12 Oct 2009 22:54:54 +0000
Subject: [PATCH 301/385] improve doc on update-ksk-check and dnskey-ksk-only

---
 doc/arm/Bv9ARM-book.xml | 46 +++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4821b6ae36..a6564ccbe9 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -6448,13 +6448,26 @@ options {
 	      update-check-ksk
 	      
 	        
-		  When regenerating the RRSIGs following a UPDATE
-		  request to a secure zone, check the KSK flag on
-		  the DNSKEY RR to determine if this key should be
-		  used to generate the RRSIG.  This flag is ignored
-		  if there are not non-revoked DNSKEY RRs both with
-		  and without a KSK for the algorithm.
-		  The default is yes.
+                  When set to the default value of yes,
+                  check the KSK bit in each key to determine how the key
+                  should be used when generating RRSIGs for a secure zone.
+		
+		
+                  Ordinarily, zone-signing keys (that is, keys without the
+                  KSK bit set) are used to sign the entire zone, while
+                  key-signing keys (keys with the KSK bit set) are only
+                  used to sign the DNSKEY RRset at the zone apex.
+                  However, if this option is set to no,
+                  then the KSK bit is ignored; KSKs are treated as if they
+                  were ZSKs and are used to sign the entire zone.
+		
+		
+                  When this option is set to yes, there
+                  must be at least two active keys for every algorithm
+                  represented in the DNSKEY RRset: at least one KSK and one
+                  ZSK per algorithm.  If there is any algorithm for which
+                  this requirement is not met, this option will be ignored
+                  for that algorithm.
 		
 	      
 	    
@@ -6463,14 +6476,15 @@ options {
 	      dnskey-ksk-only
 	      
 	        
-		  When regenerating the RRSIGs following a UPDATE
-		  request to a secure zone and
-		  update-check-ksk is true then
-		  only generate signatures DNSKEY RRSIG using DNSKEY's
-		  with the KSK bit set.  This flag is ignored if there
-		  are not non-revoked DNSKEY RRs both with and without
-		  a KSK for the algorithm.
-		  The default is no.
+                  When this option and update-check-ksk
+                  are both set to yes, only key-signing
+                  keys (that is, keys with the KSK bit set) will be used
+                  to sign the DNSKEY RRset at the zone apex.  Zone-signing
+                  keys (keys without the KSK bit set) will be used to sign
+                  the remainder of the zone, but not the DNSKEY RRset.
+		  The default is no.  If
+                  update-check-ksk is set to
+                  no, this option is ignored.
 		
 	      
 	    

From c00929ed9f5234a0f2d79bd338fa931de85f4bb2 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 12 Oct 2009 23:02:32 +0000
Subject: [PATCH 302/385] additional doc improvement

---
 bin/dnssec/dnssec-signzone.docbook | 10 +++++++---
 doc/arm/Bv9ARM-book.xml            | 10 ++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 3d9ef761a3..e36559a2a9 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 05, 2009
@@ -558,7 +558,9 @@
         
           
             Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.
+            signatures from zone-signing keys.  (This is similar to the
+            dnskey-ksk-only yes; zone option in
+            named.)
           
         
       
@@ -569,7 +571,9 @@
           
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.
+            DNSKEY RRset.  (This is similar to the
+            update-check-ksk no; zone option in
+            named.)
           
         
       
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a6564ccbe9..4ce37a3b73 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -6459,7 +6459,9 @@ options {
                   used to sign the DNSKEY RRset at the zone apex.
                   However, if this option is set to no,
                   then the KSK bit is ignored; KSKs are treated as if they
-                  were ZSKs and are used to sign the entire zone.
+                  were ZSKs and are used to sign the entire zone.  This is
+                  similar to the dnssec-signzone -z
+                  command line option.
 		
 		
                   When this option is set to yes, there
@@ -6482,6 +6484,10 @@ options {
                   to sign the DNSKEY RRset at the zone apex.  Zone-signing
                   keys (keys without the KSK bit set) will be used to sign
                   the remainder of the zone, but not the DNSKEY RRset.
+                  This is similar to the
+                  dnssec-signzone -x command line option.
+		
+		
 		  The default is no.  If
                   update-check-ksk is set to
                   no, this option is ignored.

From d2a3eaf162184f8cb64f9fa2db44a711f5646292 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 12 Oct 2009 23:05:07 +0000
Subject: [PATCH 303/385] prepare release of 9.7.0b1

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 557b6dc5fe..6a79aa4735 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+	--- 9.7.0b1 released ---
+
 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 			to be fully automated in zones configured for
 			dynamic DNS.  'auto-dnssec allow;' permits a zone

From 3b2c6af63e0367c6eabe0a21ca23841ca87cd22f Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 12 Oct 2009 23:16:15 +0000
Subject: [PATCH 304/385] regen

---
 bin/dnssec/dnssec-signzone.8         |    20 +-
 bin/dnssec/dnssec-signzone.html      |    25 +-
 doc/arm/Bv9ARM.ch03.html             |    32 +-
 doc/arm/Bv9ARM.ch04.html             |    70 +-
 doc/arm/Bv9ARM.ch05.html             |     6 +-
 doc/arm/Bv9ARM.ch06.html             |   253 +-
 doc/arm/Bv9ARM.ch07.html             |    14 +-
 doc/arm/Bv9ARM.ch08.html             |    18 +-
 doc/arm/Bv9ARM.ch09.html             |   180 +-
 doc/arm/Bv9ARM.html                  |   110 +-
 doc/arm/Bv9ARM.pdf                   | 13392 +++++++++++++------------
 doc/arm/man.ddns-confgen.html        |    10 +-
 doc/arm/man.dig.html                 |    20 +-
 doc/arm/man.dnssec-dsfromkey.html    |    16 +-
 doc/arm/man.dnssec-keyfromlabel.html |    14 +-
 doc/arm/man.dnssec-keygen.html       |    16 +-
 doc/arm/man.dnssec-revoke.html       |    10 +-
 doc/arm/man.dnssec-settime.html      |    14 +-
 doc/arm/man.dnssec-signzone.html     |    29 +-
 doc/arm/man.host.html                |    10 +-
 doc/arm/man.named-checkconf.html     |    12 +-
 doc/arm/man.named-checkzone.html     |    12 +-
 doc/arm/man.named.html               |    16 +-
 doc/arm/man.nsupdate.html            |    14 +-
 doc/arm/man.rndc-confgen.html        |    12 +-
 doc/arm/man.rndc.conf.html           |    12 +-
 doc/arm/man.rndc.html                |    12 +-
 doc/misc/options                     |     2 +
 28 files changed, 7272 insertions(+), 7079 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 3348843469..e6e38e51b7 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.56 2009/10/11 01:14:48 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.57 2009/10/12 23:15:22 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -288,12 +288,18 @@ Sets the debugging level.
 .PP
 \-x
 .RS 4
-Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys.
+Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
+\fBdnskey\-ksk\-only yes;\fR
+zone option in
+\fBnamed\fR.)
 .RE
 .PP
 \-z
 .RS 4
-Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
+Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
+\fBupdate\-check\-ksk no;\fR
+zone option in
+\fBnamed\fR.)
 .RE
 .PP
 \-3 \fIsalt\fR
@@ -331,9 +337,11 @@ The following command signs the
 \fBexample.com\fR
 zone with the DSA key generated by
 \fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIkeyset\fR
-files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
+(Kexample.com.+003+17247). Because the
+\fB\-S\fR
+option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
+\fIdsset\fR
+files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
 .sp
 .RS 4
 .nf
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index d740f3dd67..1279515842 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -327,13 +327,17 @@
 
    -x
    
 
    
             Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.
+            signatures from zone-signing keys.  (This is similar to the
+            dnskey-ksk-only yes; zone option in
+            named.)
           
    
 
    -z
    
 
    
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.
+            DNSKEY RRset.  (This is similar to the
+            update-check-ksk no; zone option in
+            named.)
           
    
 
    -3 salt
    
 
    
@@ -375,14 +379,15 @@
 
    
 
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
-      (Kexample.com.+003+17247).  The zone's keys must be in the master
-      file (db.example.com).  This invocation looks
-      for keyset files, in the current directory,
-      so that DS records can be generated from them (-g).
+      (Kexample.com.+003+17247).  Because the -S option
+      is not being used, the zone's keys must be in the master file
+      (db.example.com).  This invocation looks
+      for dsset files, in the current directory,
+      so that DS records can be imported from them (-g).
     
    
 
    % dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
@@ -404,14 +409,14 @@ db.example.com.signed
 %
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index f9674cb30b..f8fdfd8ea1 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -54,7 +54,7 @@
 
    Name Server Operations
    
 
    
 
    Tools for Use With the Name Server Daemon
    
-
    Signals
    
+
    Signals
    
 
    
 
 
@@ -472,6 +472,32 @@ zone "eng.example.com" {
 
    
                         Retransfer the given zone from the master.
                       
    
+
    sign zone
+                        [class
+           [view]]
    
+
    
+
    
+                        Fetch all DNSSEC keys for the given zone
+                        from the key directory (see
+                        key-directory in
+                        the section called “options Statement Definition and
+          Usage”), and merge them
+                        into the zone's DNSKEY RRset.  If the DNSKEY RRset
+                        is changed as a result of this, then the zone is
+                        automatically re-signed with the new key set.
+                      
    
+
    
+                        This command requires that the
+                        auto-dnssec zone option to be set
+                        to allow,
+                        maintain, or
+                        create,  and also requires
+                        the zone to be configured to allow dynamic DNS.
+                        See the section called “Dynamic Update Policies” for
+                        more details.
+                      
    
+
    
 
    freeze
                         [zone
        [class
@@ -760,7 +786,7 @@ controls {
 
 
    
 
    
-Signals
    
+Signals
    
 
    
           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 8bfc4cf8f9..f49bff7b43 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -49,29 +49,29 @@
 
    Dynamic Update
    
 
    The journal file
    
 
    Incremental Zone Transfers (IXFR)
    
-
    Split DNS
    
-
    Example split DNS setup
    
+
    Split DNS
    
+
    Example split DNS setup
    
 
    TSIG
    
 
    
-
    Generate Shared Keys for Each Pair of Hosts
    
-
    Copying the Shared Secret to Both Machines
    
-
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Generate Shared Keys for Each Pair of Hosts
    
+
    Copying the Shared Secret to Both Machines
    
+
    Informing the Servers of the Key's Existence
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
    
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
@@ -219,7 +219,7 @@
 
 
    
 
    
-Split DNS
    
+Split DNS
    
 
    
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -249,7 +249,7 @@
       
    
 
    
 
    
-Example split DNS setup
    
+Example split DNS setup
    
 
    
         Let's say a company named Example, Inc.
         (example.com)
@@ -506,7 +506,7 @@ nameserver 172.16.72.4
       
    
 
    
 
    
-Generate Shared Keys for Each Pair of Hosts
    
+Generate Shared Keys for Each Pair of Hosts
    
 
    
           A shared secret is generated to be shared between host1 and host2.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -514,7 +514,7 @@ nameserver 172.16.72.4
         
    
 
    
 
    
-Automatic Generation
    
+Automatic Generation
    
 
    
             The following command will generate a 128-bit (16 byte) HMAC-SHA256
             key as described above. Longer keys are better, but shorter keys
@@ -538,7 +538,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Manual Generation
    
+Manual Generation
    
 
    
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -553,7 +553,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Copying the Shared Secret to Both Machines
    
+Copying the Shared Secret to Both Machines
    
 
    
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -561,7 +561,7 @@ nameserver 172.16.72.4
 
 
    
 
    
-Informing the Servers of the Key's Existence
    
+Informing the Servers of the Key's Existence
    
 
    
           Imagine host1 and host 2
           are
@@ -588,7 +588,7 @@ key host1-host2. {
 
 
    
 
    
-Instructing the Server to Use the Key
    
+Instructing the Server to Use the Key
    
 
    
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the named.conf file
@@ -620,7 +620,7 @@ server 10.1.2.3 {
 
 
    
 
    
-TSIG Key Based Access Control
    
+TSIG Key Based Access Control
    
 
    
           BIND allows IP addresses and ranges
           to be specified in ACL
@@ -647,7 +647,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Errors
    
+Errors
    
 
    
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -673,7 +673,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-TKEY
    
+TKEY
    
 
    TKEY
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -709,7 +709,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-SIG(0)
    
+SIG(0)
    
 
    
         BIND 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -770,7 +770,7 @@ allow-update { key host1-host2. ;};
       
    
 
    
 
    
-Generating Keys
    
+Generating Keys
    
 
    
           The dnssec-keygen program is used to
           generate keys.
@@ -826,7 +826,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Signing the Zone
    
+Signing the Zone
    
 
    
           The dnssec-signzone program is used
           to sign a zone.
@@ -868,7 +868,7 @@ allow-update { key host1-host2. ;};
 
 
    
 
    
-Configuring Servers
    
+Configuring Servers
    
 
    
           To enable named to respond appropriately
           to DNS requests from DNSSEC aware clients,
@@ -1014,7 +1014,7 @@ options {
 
 
    
 
    
-IPv6 Support in BIND 9
    
+IPv6 Support in BIND 9
    
 
    
         BIND 9 fully supports all currently
         defined forms of IPv6 name to address and address to name
@@ -1052,7 +1052,7 @@ options {
       
    
 
    
 
    
-Address Lookups Using AAAA Records
    
+Address Lookups Using AAAA Records
    
 
    
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -1071,7 +1071,7 @@ host            3600    IN      AAAA    2001:db8::1
 
 
    
 
    
-Address to Name Lookups Using Nibble Format
    
+Address to Name Lookups Using Nibble Format
    
 
    
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 23817c79e5..cc6bc909f9 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,13 +45,13 @@
 
    
 
    Table of Contents
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    
 
    
 
    
-The Lightweight Resolver Library
    
+The Lightweight Resolver Library
    
 
    
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 4fcdfee9f7..330bebcb93 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,58 +48,58 @@
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and
+
    include Statement Grammar
    
+
    include Statement Definition and
           Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and
           Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    masters Statement Grammar
    
-
    masters Statement Definition and
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    masters Statement Grammar
    
+
    masters Statement Definition and
           Usage
    
-
    options Statement Grammar
    
+
    options Statement Grammar
    
 
    options Statement Definition and
           Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -477,7 +477,7 @@
 Address Match Lists
 
    
 
    
-Syntax
    
+Syntax
    
 
    address_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
 address_match_list_element = [ ! ] (ip_address [/length] |
@@ -486,7 +486,7 @@
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -570,7 +570,7 @@
 
 
    
 
    
-Comment Syntax
    
+Comment Syntax
    
 
    
           The BIND 9 comment syntax allows for
           comments to appear
@@ -580,7 +580,7 @@
         
    
 
    
 
    
-Syntax
    
+Syntax
    
 
    
             
    
 
    /* This is a BIND comment as in C */
    
@@ -596,7 +596,7 @@
 
 
    
 
    
-Definition and Usage
    
+Definition and Usage
    
 
    
             Comments may appear anywhere that whitespace may appear in
             a BIND configuration file.
@@ -848,7 +848,7 @@
       
    
 
    
 
    
-acl Statement Grammar
    
+acl Statement Grammar
    
 
    acl acl-name {
     address_match_list
 };
@@ -930,7 +930,7 @@
 
 
    
 
    
-controls Statement Grammar
    
+controls Statement Grammar
    
 
    controls {
    [ inet ( ip_addr | * ) [ port ip_port ]
                 allow {  address_match_list  }
@@ -1054,12 +1054,12 @@
 
 
    
 
    
-include Statement Grammar
    
+include Statement Grammar
    
 
    include filename;
    
 
 
    
 
    
-include Statement Definition and
+include Statement Definition and
           Usage
    
 
    
           The include statement inserts the
@@ -1074,7 +1074,7 @@
 
    
 
    
 
    
-key Statement Grammar
    
+key Statement Grammar
    
 
    key key_id {
     algorithm string;
     secret string;
@@ -1083,7 +1083,7 @@
 
 
    
 
    
-key Statement Definition and Usage
    
+key Statement Definition and Usage
    
 
    
           The key statement defines a shared
           secret key for use with TSIG (see the section called “TSIG”)
@@ -1130,7 +1130,7 @@
 
 
    
 
    
-logging Statement Grammar
    
+logging Statement Grammar
    
 
    logging {
    [ channel channel_name {
      ( file path_name
@@ -1154,7 +1154,7 @@
 
 
    
 
    
-logging Statement Definition and
+logging Statement Definition and
           Usage
    
 
    
           The logging statement configures a
@@ -1188,7 +1188,7 @@
         
    
 
    
 
    
-The channel Phrase
    
+The channel Phrase
    
 
    
             All log output goes to one or more channels;
             you can make as many of them as you want.
@@ -1752,7 +1752,7 @@ category notify { null; };
 
 
    
 
    
-The query-errors Category
    
+The query-errors Category
    
 
    
             The query-errors category is
             specifically intended for debugging purposes: To identify
@@ -1980,7 +1980,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-lwres Statement Grammar
    
+lwres Statement Grammar
    
 
    
            This is the grammar of the lwres
           statement in the named.conf file:
@@ -1996,7 +1996,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-lwres Statement Definition and Usage
    
+lwres Statement Definition and Usage
    
 
    
           The lwres statement configures the
           name
@@ -2047,7 +2047,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-masters Statement Grammar
    
+masters Statement Grammar
    
 
     masters name [port ip_port] { ( masters_list | 
       ip_addr [port ip_port] [key key] ) ; [...] };
@@ -2055,7 +2055,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
 
    
 
    
-masters Statement Definition and
+masters Statement Definition and
           Usage
    
 
    masters
           lists allow for a common set of masters to be easily used by
@@ -2064,7 +2064,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
    
 
    
 
    
-options Statement Grammar
    
+options Statement Grammar
    
 
    
           This is the grammar of the options
           statement in the named.conf file:
@@ -3349,26 +3349,50 @@ options {
                   The default is no.
                 
    
 
    update-check-ksk
    
-
    
-                  When regenerating the RRSIGs following a UPDATE
-                  request to a secure zone, check the KSK flag on
-                  the DNSKEY RR to determine if this key should be
-                  used to generate the RRSIG.  This flag is ignored
-                  if there are not non-revoked DNSKEY RRs both with
-                  and without a KSK for the algorithm.
-                  The default is yes.
-                
    
+
    
+
    
+                  When set to the default value of yes,
+                  check the KSK bit in each key to determine how the key
+                  should be used when generating RRSIGs for a secure zone.
+                
    
+
    
+                  Ordinarily, zone-signing keys (that is, keys without the
+                  KSK bit set) are used to sign the entire zone, while
+                  key-signing keys (keys with the KSK bit set) are only
+                  used to sign the DNSKEY RRset at the zone apex.
+                  However, if this option is set to no,
+                  then the KSK bit is ignored; KSKs are treated as if they
+                  were ZSKs and are used to sign the entire zone.  This is
+                  similar to the dnssec-signzone -z
+                  command line option.
+                
    
+
    
+                  When this option is set to yes, there
+                  must be at least two active keys for every algorithm
+                  represented in the DNSKEY RRset: at least one KSK and one
+                  ZSK per algorithm.  If there is any algorithm for which
+                  this requirement is not met, this option will be ignored
+                  for that algorithm.
+                
    
+
    
 
    dnskey-ksk-only
    
-
    
-                  When regenerating the RRSIGs following a UPDATE
-                  request to a secure zone and
-                  update-check-ksk is true then
-                  only generate signatures DNSKEY RRSIG using DNSKEY's
-                  with the KSK bit set.  This flag is ignored if there
-                  are not non-revoked DNSKEY RRs both with and without
-                  a KSK for the algorithm.
-                  The default is no.
-                
    
+
    
+
    
+                  When this option and update-check-ksk
+                  are both set to yes, only key-signing
+                  keys (that is, keys with the KSK bit set) will be used
+                  to sign the DNSKEY RRset at the zone apex.  Zone-signing
+                  keys (keys without the KSK bit set) will be used to sign
+                  the remainder of the zone, but not the DNSKEY RRset.
+                  This is similar to the
+                  dnssec-signzone -x command line option.
+                
    
+
    
+                  The default is no.  If
+                  update-check-ksk is set to
+                  no, this option is ignored.
+                
    
+
    
 
    try-tcp-refresh
    
 
    
                   Try to refresh the zone using TCP if UDP queries fail.
@@ -3385,7 +3409,7 @@ options {
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3429,7 +3453,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3626,7 +3650,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4078,7 +4102,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4120,7 +4144,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4282,7 +4306,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5078,7 +5102,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5408,7 +5432,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5459,7 +5483,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5468,7 +5492,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5508,7 +5532,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5517,7 +5541,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5627,7 +5651,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5793,6 +5817,7 @@ view "external" {
     [ min-retry-time number ; ]
     [ max-retry-time number ; ]
     [ key-directory path_name; ]
+    [ auto-dnssec allow|maintain|create|off; ]
     [ zero-no-soa-ttl yes_or_no ; ]
 };
 
@@ -5906,10 +5931,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6120,7 +6145,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6142,7 +6167,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6464,6 +6489,36 @@ zone zone_name [the section called “options Statement Definition and
           Usage”.
                   
    
+
    auto-dnssec
    
+
    
+
    
+                    Zones configured for dynamic DNS may also use this
+                    option to allow varying levels of autonatic DNSSEC key
+                    management. There are four possible settings:
+                  
    
+
    
+                    auto-dnssec allow; permits
+                    keys to be updated and the zone re-signed whenever the
+                    user issues the command rndc sign.
+                  
    
+
    
+                    auto-dnssec maintain; includes the
+                    above, but also automatically adjusts the zone's DNSSEC
+                    keys on schedule, according to the keys' timing metadata
+                    (see dnssec-keygen(8) and
+                    dnssec-settime(8)).
+                  
    
+
    
+                    auto-dnssec create; includes the
+                    above, but also allows named
+                    to create new keys in the key repository when needed.
+                    (NOTE: This option is not yet implemented; the syntax is
+                    being reserved for future use.)
+                  
    
+
    
+                    The default setting is auto-dnssec off.
+                  
    
+
    
 
    multi-master
    
 
    
                     See the description of multi-master in
@@ -6782,7 +6837,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6795,7 +6850,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7532,7 +7587,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7735,7 +7790,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7991,7 +8046,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8052,7 +8107,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8067,7 +8122,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8078,7 +8133,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8107,7 +8162,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8143,7 +8198,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8162,7 +8217,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8586,7 +8641,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9143,7 +9198,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9297,7 +9352,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9680,7 +9735,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9835,7 +9890,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 6739a9ac6d..4e5e07c2a7 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 0f5c7a7431..c765f3793c 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b340f29cdd..61d2fe62e9 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 87db514dcd..2800761c52 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -83,7 +83,7 @@
 
    Name Server Operations
    
 
    
 
    Tools for Use With the Name Server Daemon
    
-
    Signals
    
+
    Signals
    
 
    
 
 
    4. Advanced DNS Features
    
@@ -92,34 +92,34 @@
 
    Dynamic Update
    
 
    The journal file
    
 
    Incremental Zone Transfers (IXFR)
    
-
    Split DNS
    
-
    Example split DNS setup
    
+
    Split DNS
    
+
    Example split DNS setup
    
 
    TSIG
    
 
    
-
    Generate Shared Keys for Each Pair of Hosts
    
-
    Copying the Shared Secret to Both Machines
    
-
    Informing the Servers of the Key's Existence
    
-
    Instructing the Server to Use the Key
    
-
    TSIG Key Based Access Control
    
-
    Errors
    
+
    Generate Shared Keys for Each Pair of Hosts
    
+
    Copying the Shared Secret to Both Machines
    
+
    Informing the Servers of the Key's Existence
    
+
    Instructing the Server to Use the Key
    
+
    TSIG Key Based Access Control
    
+
    Errors
    
 
    
-
    TKEY
    
-
    SIG(0)
    
+
    TKEY
    
+
    SIG(0)
    
 
    DNSSEC
    
 
    
-
    Generating Keys
    
-
    Signing the Zone
    
-
    Configuring Servers
    
+
    Generating Keys
    
+
    Signing the Zone
    
+
    Configuring Servers
    
 
    
-
    IPv6 Support in BIND 9
    
+
    IPv6 Support in BIND 9
    
 
    
-
    Address Lookups Using AAAA Records
    
-
    Address to Name Lookups Using Nibble Format
    
+
    Address Lookups Using AAAA Records
    
+
    Address to Name Lookups Using Nibble Format
    
 
    
 
 
    5. The BIND 9 Lightweight Resolver
    
 
    
-
    The Lightweight Resolver Library
    
+
    The Lightweight Resolver Library
    
 
    Running a Resolver Daemon
    
 
    
 
    6. BIND 9 Configuration Reference
    
@@ -127,58 +127,58 @@
 
    Configuration File Elements
    
 
    
 
    Address Match Lists
    
-
    Comment Syntax
    
+
    Comment Syntax
    
 
    
 
    Configuration File Grammar
    
 
    
-
    acl Statement Grammar
    
+
    acl Statement Grammar
    
 
    acl Statement Definition and
           Usage
    
-
    controls Statement Grammar
    
+
    controls Statement Grammar
    
 
    controls Statement Definition and
           Usage
    
-
    include Statement Grammar
    
-
    include Statement Definition and
+
    include Statement Grammar
    
+
    include Statement Definition and
           Usage
    
-
    key Statement Grammar
    
-
    key Statement Definition and Usage
    
-
    logging Statement Grammar
    
-
    logging Statement Definition and
+
    key Statement Grammar
    
+
    key Statement Definition and Usage
    
+
    logging Statement Grammar
    
+
    logging Statement Definition and
           Usage
    
-
    lwres Statement Grammar
    
-
    lwres Statement Definition and Usage
    
-
    masters Statement Grammar
    
-
    masters Statement Definition and
+
    lwres Statement Grammar
    
+
    lwres Statement Definition and Usage
    
+
    masters Statement Grammar
    
+
    masters Statement Definition and
           Usage
    
-
    options Statement Grammar
    
+
    options Statement Grammar
    
 
    options Statement Definition and
           Usage
    
 
    server Statement Grammar
    
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
    
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 45eda4cbe1..468e155d89 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -1711,7 +1711,7 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 823 0 obj <<
-/Length 3172      
+/Length 3171      
 /Filter /FlateDecode
 >>
 stream
@@ -1726,8 +1726,8 @@ x
 bx¿?Æê=ô·JÔF‡ÂÂï×ß¾Y‹EQ¯qloïà2š0ÄpŠa¸$âÀpA½‡içDq*K]W¼û;6‚k©ô꣊ɼ=¦7)·í1ç›bSvÓ˜H—áöØÇœgó1ž ¦bø€TO¨÷À“?\:qâÓþRf{zÃP›Úlj:; ÆÌn2˜ë–é,‘:6Bœˆ½ÈLªåfUÍ×	n„#”	¾gRÖ=Éah˜ã\v !OOC„žT>¸÷Àõs_îº
 &ŒŸ{L¡¸rr™Í	0Ä8Z	;ÌI"ŒÔ{àÄÈú숉ڋÉl9™ß\–)J41Ží›ìXÆjž2œ
Og‡±ôÃÐÙ
#sÀѾ&iÝÍiôC‘³|ùÑûùßùb˜ÊlD€!Æ”J_ö”Š£õ0Q”:)³“/åmjêëK³bÏà"„=®úÆœgó1ž ¦O‰80žPï'a‰ Ý¨c§ý#Ž¢O¯“
 ©Í¦¦³Ã ÂaÌì!ƒ¹Äpωa2n/2ój:­¯$K*ã‡<§ö­ç(yPWÆg£1v „<‰80zPï&ýáNwKô¡ø¹ÇDçÿs•Õwk¸C.³9†'P+I‡9IÄq‚z»L’r©q€”z?Ò¶—-ïB£©ïªe˜õN®Šå²L­úùAN*¥Ûã>\­ŠµgA~X³šÞlx€!”ƒ'ê=Â#œ‡Å€vª>A<~ ™V«ÔLGR¢­¹¤ö *TLo.<Ч'Ÿäƒð¤â@àÁ½wðK˜”°FÕ·§Þž?oÊÕí¸\­ªUjñOYâ¤
‹/i^"þh©ä$d2›`ˆq•’Ã××¥âÀ8A½·3ß«Æ8¨Oûw5çßVeŠ	îç1qPšs¥x<¦;%`ˆ¡å”×ԤâÀPB½””$Ô2Þ¡Ä¥ý3bÉܪR!­ÙÈC(†L"Ô{@FrB¥S2ûw4ÅzS&kRÝGI§÷öáú°f9!ÇÙüCŒ¨¡¾$'Æê=ð#ê9ì®äCñsŸ>Ü=æ><æ2›`ˆqµÂ8IÄq‚zœ0CœÕ 4íßÒ¬®k©×é)ë]îÝÒd‡5µ	9Îæbü@
1~q`ü Þ?T§$¨Sú¡ø¹ÏƦ|Ôõ(ä2›`ˆqµ’Ãë©80NPï±ëæNǹ¤„õ¾çU5/‹VÔ÷-c%ÜïJÆtåÂ
zr¨á%˜T¸÷ëG;"Öï^W«oEó$žíã	$åÇÛOî°²—Í0ÄØ€ê¨á+ñRq`l Þ;6´#VÁÖG‡å¹—7Å|¼Þ“/wž'~¾[Û~È R•
0Ä@€R` $âÀ@@½w (C,7½Š!žM&ñ–ùõ…˜õxQÍë¢q¼?¾K\6ÀÃ
-ƒa‘ˆÃõÞa!1N3ˆ…j°x»ô
ìç³q6Ö”osMã˜0Äð€©áyf*Ô{‡‡Äè^GBtƒÇ¯õÎMûà?øà
aÌ‘Š˜·l*€!FÔ£"Fê½£‚3bD¿û0
ÍÓŠk(.Î=]Ëõçí¤BvÄ"&.`ˆaÑføW©80,PïÔCY¯–Ø‹ß^~h¨øŸ@Û>‘GÉãpÑe.›`ˆqÑSføqM©80.Pï‘æÑÚIÈ…k¸xÝ{:þùízS.ºÇçÝlËÊ$>wq1«‘±R=®5˘€\y¡!"o?ÁÃò¦â@äŽwòZE´¯ú½µ(ê'±§Ü'¨aú‰71GÙCŒ€žÃ×v¤âÀ@½wA4í7Œ5|(W³êr6‰“~Z¬Û‡m‡ñµ˜×ŸéŸa}òaIÊFbôDÞ`OÅ!€zïÐŒ(#{c<ã
[Ñ«ëj^M}Ã`„9>'MHÈa6!À#¤§BH"ŒÔ{GˆtDIÞ/¢%äW
-®ýÌqî猩.I(gnw§KXu·“Çäf£1tzâ
âÀÐA½wèCT¿¯`²!çãÇuÙ6ï›}Ž2¼åx7^L\6”exá2†æº#‚+"M¿¥`*–zzÓ>Ž[쳓ò@	ùÌ&b¨ôô¾W<ê½£…	"åE7´<¿™Í7ãð:œ5èWfËÏÛ×WÄ+$þ]-ëµpcÜ£¼r&f![c`ˆiÜËòðšd*LcÔ{§1eD2ݓؤ$~µ¸ÞÜv¯V«77~¢%¨‡mAÚeÐÙaúÌð=L‰ 0õ1×Q|눰RôÄ·øÏ./·9ó°Ë=é>Ñ/ŠÉÕ¶N8­ŸŽÌ!¹2;Df˜k3¼Äœ‘ue6†ÅûŸq×È\ï[Ç‹Û^ûÏ{;
Bðü/$,ûÕUöæ* ‡¾è)öÞ*Ìux€"‚ƒv`ÿs=Úºžh©§Hゥž›§¶}"’Çá¢Ë\6À㢧ÌðãšRq`\ Þ#Ì¢µ“×pñþº÷tüóÛõ¦\tϻٖ•I|îâbV#c¥z\k–1¹òBCDÞ~‚‡wöSq òâÞ;y­"ÚWýÞZõØSîÔ0ýÄ›ˆ˜£l€!F@O„€D¨÷Ž#ˆ¦ý&‚±†€åjV]Î&qRÀO‹u»â°í0¾óú3ý3¬O>,!IÙCžÃì©80PïšedoŒg¼A`+zu]Í«©oŒ0Çá¤		9Ì&b„ô4ÞÚJÅ‚zï‘Ž(ÉûeB´„ÜãJÁµŸ9Îýœ1µÓ%	åÌíît	«ãvò˜Ült€!†NO<D:¨÷aˆê÷L6ä|ü¸.Û†â}³ÏQ†w¡ïÆ‹‰Ë¦¢³Ã €²¯g'‚ÀÀ\wDpE¤é·LÅrCOoÚÇqëƒ}vR(!ŸÙ¤C•ž^Ëܩ80XPï-L)ït(º¡åùÍl¾‡×á¬A¿2[~Þ¾¾"^!ñïjY¯…ãå•31ÙCLc˜e3¼&™ŠÓõÞiL‘L÷$6)‰_-®7·Ý«ÕêÍŸh	êa[6GÙtv˜þ@LþÝ 0õ1×Q|눰RôÄ·øÏ./·9ó°Ë=é>Ñ/ŠÉÕ¶N8­ŸŽÌ!¹2;Df˜k3|©K"DfÔu”Ù"ïÆ]#s½o/n{í?ïí4PqÀó¿°ìWWuvØ›«€	‰ °÷Va®Ã´ûŸëÑÖõDëH=EzïMõÜ<åãðûY¶yÎ;K0CßÍ54Èû#v"ØA'¾ÍwÌ—<ùJÿ#N)þ¿¿<¸{DZ¬o²`qK‰«ßË%üU´÷f"7½l‘ÿzIendstream
 endobj
 822 0 obj <<
 /Type /Page
@@ -2055,7 +2055,7 @@ endobj
 873 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 196.5138 511.2325 205.4701]
+/Rect [499.2773 196.5138 511.2325 205.6195]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.9) >>
 >> endobj
@@ -2118,7 +2118,7 @@ endobj
 882 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 88.3283 511.2325 97.3344]
+/Rect [499.2773 88.3283 511.2325 97.185]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.18) >>
 >> endobj
@@ -2144,22 +2144,25 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 887 0 obj <<
-/Length 3480      
+/Length 3478      
 /Filter /FlateDecode
 >>
 stream
-xÚíßSGÇßù+ôªƒ&óûÇÝÃ
Ø!•`àÊÕ%y¥5l­ˆ$ÀÎ_³ÚÙšm1—8` )ÔÛ­þ~¶§gfwaêÿg«NŒ“DQ¦£Éœùß½Þbí{vÛvá»^žn}ûJ˜#Ns=8ýŽe	µ–
NÇ?oï½9:=8:=Ùùõôû­ƒÓxPè˜QQñ·­Ÿ¥ƒ±÷ÿý%ÂY5¸ñßPÂœãƒÉ–T‚()DøÉÅÖÉÖ¿ãÁo—¦©¢„%Êr“ø$\€OÂ8'ÖrDÿ»ú£hÂ	³õñogàí‚k©ô>ê·Í‹Ùu1kß*|ÜZëöm'‹á¢˜Õbg—+º½_üB)¯ÊE9­šŸ«qóâÝ|xVììZG·Éή¢÷òE:—epKnÅ-Ñœ².£kúÌÎÍ‹c¨X°Û…†ëŠ­¿Î±kqRq`¼ Þ;^¤!ÊHÀ‹ÛÌ‹¡œ/ÊÑ|wt>¬ªâbž€ÇŸ/RY—†çõl8™g^%nî‘‘\Tz	YÌfbŒ@•Œìg$Æê½cD(¢˜îáô¯`dsQî‘èe!d+›`ˆ±Õ0ªŸ…D¨÷Ž.jÉl#‹ÙÕ|QŒw?ŸS(K·zC¡°’Þ¡ø?‡–MÄ„œf1b f1‰80bPï1ŒI) †Qb6—
®ÄWÖ‚„f1@ D ‰80@Pïí´¬\ld2¬¼”½€hK„ª;k´¤h)]-‰ÉÌE"¨¬ˆet/*©8Tpï*ÖnA·ÊåEåsjzõˆIËFbH@Q0$q`H Þ;$Œò#
-lNÕF$®Ëâ&—þµ¡jxXL#ògV”;ÂÒ
0Ä`‚rb0%âÀ`B½w0iA˜†Ý­þ"0m®+Úé¯^hBZ³¡†4P6cú¡IÄAƒzï QŒ0æyˆÐ˜Ðü>­Š44Ô8³©Yû˜KÏ&˜Bº³a†LPNcûaJÄÁ„zï`ŽPÅLö‹À´¹ÅÑ°Òš

0Ä ²YÚM"Ô;S’cÜÀOœ“Â|oêÅüoÍÆRÖÓG·?_sŸ+ùÀ[˜{¨*!…Ù€C(H"Ô{“Ä	½oÙ»Î=‚ò¯	‰/ÎÉ&\BB³q†.P0ËûqIÄá‚zïp¡~42vq»ž¼¹¬ÇŽþ\F¢n!sÙ\CŒ¨ÆE"ŒÔ{äB9J,§+\Ȇ‹ýÏÕpRŽÚârì›æõÛéE9*ëQG*õXe‰É•"²¯$Þö/Цâ@dǽ;ÿÒ
-1PÆ£cKê£+•àUyQoÆ)÷Õ ¹…2d31Ơ̶Šcõç=JkbhlaEÝ¿2NWÚÖšµé‡æëq1Ÿ^Ív˜Ýá'£éòãù­	ÍOçE;ÇYLÃ'4ÅçÅÄOuŒxx˶1#ÙzCLo˜qLïD˜Þ¨÷n(ñ/´Ô@ï¥âb³´V°§ØYÄ„eã1  ‰80Pï’{qà-¾ðíâÓâjxÑÐP|º\ÂPÌçqñ"–…ãå\F?ÚA ä)›`ˆQu°®Ÿ‚D¨÷n”ø*RÀÛA`¿œ®rÿøŸD÷*ÿ}¯µÇf1B F®!#Fê½#„ù‡á!¢%ä¤X,Êê¬ÕOXr ŸûË|~B†³ù†?PAŒŸD?¨÷Žª‰d²ãG¶üV×Å,t…?//#Le[sß^û7s+ž§"1‹ÙŒCŒ¨’cýŒ$âÀA½GF¤“D(Ý1¢ZFÞ,΋YÃíÉïrK¥lÚ’Ñ¢¼®§+B²'<Å,æ2
FVTBIÅ0‚{ýª´œðú¦ÈHœ¾ø)ebÇNSB™›qÿJl×ùW‚‡7üB.vçåYå_²zu…=M1ëÙLCŒ)¨*ÆT"Œ)Ô{Ç”¡„K
-™âL}óæøðõáQ‚,iˆðÕ­}ßJ™ÚÙu¬?ùZȘÐl\€!†Ã%†ê½ÃEYÂ,‡¸ˆ\ö~x·º¼ZªE/\<¾±*¤2`ˆ¥rý»6©80PPï(RÆ%Eæ€âgS©«K4±Òõ@bîg«çÞâ˜âl€€!”(ê½kˆ…ô4ĺmˆ_í‡Ó|zã®#>ø´(ªzÕæï¾ft{‘ÄíAUáRÉo^¿¨WýNSÕIB©iðô_´öÓBHU6ÀJˆõÞà_P
-º^Ó‚ðb<^^I–h;^Mg“áÂφ´ÑÏç˜Àl<€!†Èõß'šŠÃõö‰%õ/Tì_e»O\	×Àpo
-õ‰âÏ[§ñlœ€!†TÃ)†ê=ö-Â_vbƒë+ÔÊ{¨®ð8ËŸâô8&,hˆà°"ˆë¿
-%‚î=>Â*b…Ô‡p…Àmö¦W•oFê­bêžxéE%$3`ˆ¡ÅÂPIÄ¡‚zï*‡ñ­‰Ñ•X9Ž†“P:š§ž$ËH‡äö«Ö9d"[g`ˆé3霈ÓõÞé¬1ÌBÊY·@ÿã°ôZVÃjTlÛ—™‡¾¦?r¶ À¦Ôõß—ŠõÞ	*Ñ~ઠ‹;œ°VóGT¦C>²Õ†˜Ú0ß®ÿ¢ŸT˜Ú¨÷Nmaˆ¦ª¦N¦£E{«Òá·o6‰®ÿâ­þ/¤vÈG¶ÚÀSæÛõßÙ–ŠSõÞ©ÍQöoËU±rré¥}_^”‹Ï¶7åâ¼Yün¥4D:ý±\€J¬M"âov
ñкÂ^ Bʲ†PˆDkÞYâ¡{‚
-¼žÍ}–õbÁÊŠbX2(FW³HÅÞ´š—ãb6ln=éÍ[8´ànùë¯w™¯þ«ãàá°<­yM-«pÇU²ÍÓ²‘­—U^ŒFÅ<Âj±\¶ëo?ø2¹ü|^cÉ>ëbÂsÏ:hˆœu+‚"¥â@h½GšŒ%Îé@SêQL~Âí˜dmùÜ;ŸM§‹ÔÃ!%¡’‡·ÕÛ'–öÊć«‹«rœ:”%UÛ¾í‰ßD’C¬ ZXÓ‰zWb[»]h˜"ööñky|îG6†,ê>®üp­‰«ãh™íî
Iî')H õòë'‹†‡}¤ƒêºÙIšVÍMòB‹§S{Á
-™Ïb`AeQ°``¡î;°|oj-íÀ
-×›¿›ÇË?Ó{–Fû#0 ÛWØh}/LèD_]U£æyÒ<…ᶗªölª€!F”¥*Fê>Ž°ÒÓÅC_o—ì½A¶ëpÒÏËÕibBN³‰†1P3”˜D 1kîS3!Îë'€S¦«Ë™Ðécl{6½zQÌÏýVW¤Þü„#lšðļƒÔ„çöq›¼ô?œËÇšÛäD-‚·ùˆ3ž½édnzÛŒÕ>7“ùyã×wR…4gŸTÀ;© Œ(<‰@0ˆP÷qpgNûOFŠb×x¸ø[;o®¦íãÍtöÑŸ_ÿh¾;ŸÞ4/FÃpïGó¥~dÒYskj[¼§WáçÃxØ›¶‘<û§¯éÌ> ‘7æ$WrhˆH¾’sLòT ˆä¸ûP7˜•„3çmÝ8¬FducûºxwøÞù°:[i÷Âö`.g:ºš¼¯w„v ©iʆb@P` î#ÆÏ•
„öë§úÖî¼Ý»uf¿›
ß—þ´•òy¹K!ÛÙ,CŒ%¨&ÊR"Œ¥5÷©ÆŒIG×néý…/æœo¿¸¼,ªq9*æýI	fwíÆ Ò­„ã©îO8–„5·ÉªÞÞѶMB=ŠãÓ0úXMo.ŠñY]Uë}Wîž{°üó'$7ûü†ØùÅC‘I‚¡ƒºïz0®ˆf4²SÓãꓨ)¶/geÑÞÉÿ]9_LgŸWoïƒñþÑÉ­Q»Ù(Ò”="B²²Y†P”…D ¨ûXF˜ Jñ€oÊÈë¢*f¡ÍŠ*ÚÑ:^´sX}X^I¾\>Óî‰ìHåBî²É†PFû¯úI‚‘ºïªeD:ÑUâðíµnOûñ8<ò%<ª¾Cö…ÿ¯¹=Vó„/2†r*B‘úXõE®‰oÞ"ÿ4ð¶endstream
+xÚíßSGÇßù+ôªƒ&óûÇÝÃ
Ø!•`àÊÕ%y¥5l­ˆ$À¾¿þfµ;³-4Ûb’8` )—e{{»ÕßÏöôÌì.l@ýÿl`¡ÂÉq’(ÊÔ`4Ù¢ƒ3ÿo¯·X{Ìn8hõòtëÛWÂqšëÁép.K¨µlp:þy{ïÍÑéÁÑéÉί§ßoœÆ“BÇŒŠúŒ¿mýü+Œ½ÿï·(ΪÁÿ%Ì9>˜lI%ˆ’B„¿¹Ø:ÙúwWò·0÷PUB
+³† P"D ¨÷&‰zÞ²w1œ{$å__œ“M¸„„fã1\ `–÷ã’ˆÃõÞáBýhdì
+.âv=ysY5:ü¹ŒDÝBæ²¹†P+ú¹HÄqz\(G‰åt…Ùp±ÿ¹NÊQÛA\Ž}³Ñ|~;½(Ge=êH¥«ì11¹²CCDö•ÄÛþ%–Tˆì¸wç?Z!ÊXbtlI}!`t¥¼*/êÍ8å¾úä!·°Q†lÆ€!Æ”ÙöÏ{Rq`Œ¡Þã¼GiM-¬¨ûWÆéJÛZ³6ýÐü~\̧W³f·GEø›Ñtùãù­	ÍOçE;ÇYLÃ'4ÅçÅÄOuŒxx˶1#ÙzCLo˜qLïD˜Þ¨÷n(ñ´Ô@ï¥âb³´V°§ØYÄ„eã1  ‰80Pï’{qà-¾ðíâÓâjxÑÐP|º\ÂPÌçqñ"–…ãå\F?ÚA ä)›`ˆQup´Ÿ‚D¨÷n”ø_*RÀÛA`¿œ®rÿøŸD÷*ÿ}¯µÇf1B F®!#Fê½#„ù‡á!¢%ä¤X,Êê¬ÕOXr ŸûË|~B†³ù†?PAŒŸD?¨÷Žª‰d²ãG¶üV×Å,t…?//#Le[sß^ûƒ¹ÏS‘˜ÅlF€!ÆTÉõ¯~¥âÀA½GF¤“D(Ý1¢ZFÞ,΋YÃíÉïrK¥lÚ’Ñ¢¼®§+B²'<Å,æ2
FVTBIÅ0‚{ýª´œðú¡ÈHœ¾ø)ebÇNSB™›qÿJl×ùO‚‡~¡Š»óò¬òY½ºÂžÇ¦˜õl¦€!ÆTc*Æê½cÊPÂ%…Lñ¦¾ys|øúð(A–4DøêÖ·R¦vvÝëO¾2&4`ˆáÃpIÄá‚zïpQ–0Ë!."—ã½Þí¤n¯V„jÑÇo¬
+©Ìb @©\ÿ®M*Ô{ŠÔ„q	A‘9 øÙTêîM¬t=˜ûÙê¹·†8¦8 `ˆ%ÄJÄ„zïb!}A
±nâ—‡GûaÆ4_„Þ¸ëˆ>-Šª^µù»ï†Ý^$qcF{PU¸Uò›×GÇ/êU¿ÓTuÒ‚P*d<ý­ýô‚R•
0Ä@€R` $âÀ@@½w ø”‚®×´ ¼—w’…%ÚWÓÙd¸ð³!môóÄ9&0`ˆárýϦâÀð@½‡}bIýûWÙî×EÂ50œÄ‡B}¢øó–ðÆ)d<'`ˆáÅpJÄá„z}‹pÆ—Øàú
+µ2Ç^#ª+<Îò§8=Ž	ËÅ"8¬âúïBIÅà€{ƒ°ŠX!uÄ!Ü!p›½éU囑z«˜º'^@zQ	ÉÌFb¨@±0Tq`¨ Þ»Êa|kb4@%VŽ£á$”Žæ­'É2Ò!$¹ýªu™ÈÖb:ÃLc:'âÀtF½w:kF³Pç°bÖ-Ðÿ8,½–Õ°›Äöe桯iůœ-(0Ä…)uýR¥âÀE½w‚JG´ŸÃA¸+èâ¬Õü•élµ!¦6Ì·ë¿é'¦6ê½S[¢)‡j‡…©“éècÑ>ªtøí›M¢ë¿x«ÿ©ò‘­60ÄÔ†ùv®_íD˜Ú¨÷Nm®ˆ’°[n¬Š¥“K/íûò¢\|n´½)çÍâp+Ý !ÒÑðêåTbmÒ|³k°ˆ‡ÖöR–
0Ä€€’`@$âÀ€XóÎ/ÝTæõlž³¬VVÃ’A1ºšE*ö¦Õ¼³aóèÉZÞÑšîÔ>4_íñ»Ð`=âõóÖ!3Úó
+<–¨5·©uî¡J¶‰Zv²õºÊ‹Ñ¨˜ÇJX-–ë Óvî_'—ÿ&ŸYî~Ùµ2Ç„ßõ²AÃÔewûü›0J‚à„»8KœÓ§Ô˘ü”Û1ÉÚºw>›N©×CJB%‡Õ·Û'÷ÊÄ׫‹«rœ:•%žUÛöÄ#ù=ÈQ³‘†²Fû÷ºS`È¢îãÚך¸:Ž–Ùîé䎒ò×´ºQ/¿~ºhxØI:¨®›½¤iÕ<&/´x:%±¬ùl°€!T+ê¾Ëw§ÖÒ¬pÇù»y¼4½ki´?cñº}…ÖOÄ^ôÕU5jÞ¸ ÍSo{©
+iϦ
+bTAYQª`T¡îã+=]5â¼~8µaºœî0ƶgÓ«÷ÅüÜauEêÍO8Ã]§<Йò¬Dæ1îÏ8–5·É+ˆZ"oó§<{ÓÉ$<ô¶«}n&óò*ǯï¢
+i!vQAQx`¡îãàÎœö
žŒÅ®ñpñ·vâ\MÛEÆ›é죿¾þÑüé|zÓ|
ÃÓÍoõK“Κ‡SÛâ=½
+g8ÆÓÞ´äÙ?}Mgö¼1'¹’CCDò•œc’§A$Ç݇ºÁ¬$œé 8oëÆa5j$«ûØ×ÅçÃ÷·ÕÙJ»6ËpCÓÑÕä}½÷ ´{M}LS6ÀƒÊ€Bƒu!0~~¨l€ ´_?Õït×íÞ­+ûuØnø®¸¸ô—­”ÏcÈX
+ÙÎf	b,A5Q–`,­¹O5fL:b¸vKï/|1ç|ûÅåeQËQÑ¿ÍîÚA¤[	‡ÑþíYx>,	kn“T½Á£m›„z5Ƨaô±šÞ\㳺ªÖ;¯Ü=÷`ù×OHnöõ±ëŠ‡"“Cußõ`\Íhd§¦ÇÕQSl_ÎÊ¢}–ÿ»r¾˜Î>¯>àãý£“[£v³U¤){D,„de³1 (‰@0P÷±Œ0A”âÞ”‘×EUÌB›U>.>´£u¼mç°ú°¼—|¹|¦ÝÓÚ’Š¹Ë&bd@mí¿$F꾫”édD#T‰Ã·×º½ìÇãðÒ—ð*¨úÙþ¿æY-̾!<Èò˜	0Ä0:¡˜$Á0A݇b‘´Œˆ¦|¼,ß_”Ó³Ùðòüs‡E$N®ÎΊúGÉ„²2û‰^CŒàüi6o¹Ltf@Œ‡õ0ÇÝ2D˜P0D(ÇÅoW^ïFm?^„Û#&m9~µ7o(°‚?F³MX.B£`=ì§!ŽÁ»÷‰à,RÀÛa£¾Ó«
+úýÙðC­½süy*rPÚœæ‚Ò™! ½C^k¼Â(ñ§§îrG¬Mî;ø_Œ8ßüñÖÚýHÙúm
+ÖòôÔùÈ©EêsÕ_´É¢=Dþ¡Oñjendstream
 endobj
 886 0 obj <<
 /Type /Page
@@ -2172,14 +2175,14 @@ endobj
 889 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 758.4766 539.579 767.4329]
+/Rect [527.6238 758.5763 539.579 767.5824]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.18) >>
 >> endobj
 890 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.5183 539.579 755.5244]
+/Rect [527.6238 746.4186 539.579 755.3749]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.19) >>
 >> endobj
@@ -2221,7 +2224,7 @@ endobj
 896 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.0707 539.579 683.027]
+/Rect [527.6238 674.1704 539.579 683.027]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.25) >>
 >> endobj
@@ -2242,14 +2245,14 @@ endobj
 899 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 637.8967 539.579 646.853]
+/Rect [527.6238 637.8967 539.579 647.0025]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.28) >>
 >> endobj
 900 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 625.8387 539.579 634.795]
+/Rect [527.6238 625.8387 539.579 634.9445]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.28.1) >>
 >> endobj
@@ -2305,42 +2308,42 @@ endobj
 908 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 529.3748 539.579 538.3311]
+/Rect [527.6238 529.3748 539.579 538.4806]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.2) >>
 >> endobj
 909 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 517.3168 539.579 526.2731]
+/Rect [527.6238 517.3168 539.579 526.4226]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.3) >>
 >> endobj
 910 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 505.2588 539.579 514.3646]
+/Rect [527.6238 505.2588 539.579 514.2151]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.4) >>
 >> endobj
 911 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 493.2008 539.579 502.3066]
+/Rect [527.6238 493.2008 539.579 502.1571]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.5) >>
 >> endobj
 912 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 481.1428 539.579 490.2486]
+/Rect [527.6238 481.1428 539.579 490.0991]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.5.1) >>
 >> endobj
 913 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 469.0848 539.579 478.1906]
+/Rect [527.6238 469.0848 539.579 478.0411]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.5.2) >>
 >> endobj
@@ -2368,14 +2371,14 @@ endobj
 917 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 420.8529 539.579 429.9586]
+/Rect [527.6238 420.8529 539.579 429.8092]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.7) >>
 >> endobj
 918 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 408.7949 539.579 417.9006]
+/Rect [527.6238 408.7949 539.579 417.7512]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.4) >>
 >> endobj
@@ -2431,14 +2434,14 @@ endobj
 929 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 301.9372 539.579 310.6693]
+/Rect [522.6425 301.9372 539.579 310.7938]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.7) >>
 >> endobj
 930 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 289.899 539.579 298.8553]
+/Rect [522.6425 289.899 539.579 299.0048]
 /Subtype /Link
 /A << /S /GoTo /D (section.7.1) >>
 >> endobj
@@ -2557,7 +2560,7 @@ endobj
 947 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 64.1653 539.579 73.2711]
+/Rect [522.6425 64.265 539.579 73.2711]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.3.2) >>
 >> endobj
@@ -2569,17 +2572,17 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 950 0 obj <<
-/Length 1163      
+/Length 1161      
 /Filter /FlateDecode
 >>
 stream
-xÚíÚKoÛFà»~Ò›}ï1n’¢ê nAŠDˆ-*µäí¯ïò±ëQHNC[I‹‚0ˇ3œùD/%BÆÃdÚ0ã…ϬWLsÐÙz7ãÙ6<÷ãÚmò¸QŽ·ºXÎ^¼‘6óÌa²åU¦´fB×;sŒ;ÙróaþûËåëËåûÅÇåÛÙëeÚ+Î\V»ümöá#Ï6¡€·3Τw:û#üÂx/²ÝLiÉ´’2þånö~öKÚ!z¶í=àLH#zEHt(Õ“2«=32qãÀœò­6ÙžÛÊáXç›ÃÕýÜ|¿»-þ\äÒ¹	Ó“µ}è1Ž2„¦à†	u« Q¹# ãâ†	nãe"®ð½žÞ–üöoK¦!Œ&†)bxÈ ‰•wO!12}$¦½ª>[U‘˜h‰>oVÇ¢z+\M¼¾!¯4€±¼p ÁëdÀ ‡P}…¼èô‰—¡›>Ò“
¯ûr³ÀM¯|woq"£½¡@Êž8¨á%W_!”72}òf9“JÄ+?¨Ï¦/Þ(ü)·̇ÂB‚j£Š"«×ñõ–'{5À¬1¶Ýr2zV‡qR£¢@Ê!–jxåÖWåLŸjǤ3ñã>Ðç½¼ÂV¿á.ANç¸ó¢Šm
-R¨ðXA
¯Õú
-¡P‘é*e˜’éí0
ªÍ¦<<¢rÆNšÎ¤)ö{´&HiÂó5|CB_!Mé6ÅÚ•÷ÎöÝ”¾ùêÄgßùxû¦²A¯ý‡+\¨ÆJŸIͪ}U;|¨íF¨ò¿Ñ6šendstream
+xÚíÚKoÛFà»~Ò›}ï1n’¢ê nAŠDˆ-*µäí¯ïò±ëQHNC[I‹‚0ˇ3œùHó!Èxø‚Lf¼ð™õŠi:[ïf<Û†÷~œA»LÊñRËÙ‹7Òfžy#L¶¼Ê”ÖLèzeŽqç [n>Ìxw¹|}¹|¿ø¸|;{½LkÅ™Ëj•¿Í>|äÙ&ðvÆ™ôNg„_8ïE¶›)-™VRÆ¿ÜÍÞÏ~I+DïÖ¡½[œ	iDϦ‰6¥zSCfµgF†wª
yÉ$“‹Ü1w¼.î¹Ð|þj¿~ØåñÐüúòÓþáؼ¼øéòÕ"ds~pþïÿPÞ?-_ŒQù0tZ”zÕéûý6k^üŠ&‘ârØDwýÕ,DÇSm_!„Nz@é“Ri™¥ëì‹ÜI9ÿyU>¬îša^m‹ÃpobtÈñu=AÝ¢ºëmz"‡{‚ÖGõ¢“ÂBh”	½š…®5“¸`ö	éç››mxáÿ;Úÿ?»Ü?íyq£÷<HíyxÞ¤²žB(mdú¤
$s\A«M4Ú®÷‡p˜Õvâöý¹ÅŒæ†)nxàn˜[O!72}âÆ9å[m²=¶•‡C±Î7‡«û¸ù~w[ü¹È¥s¦'+jû<ÑceM&Ô­‚D厀ŒóÌyéZAêDPp	Ý­>áäÁq?±ùz6©»cÝà@ÎÉô@ŸeöBСÓ';Ö²°iíè/íl‹2ôWéé?Ú™4Å~Ö„)Mxž Ô°¦žB(Mdú¤Éhæl¯Y˜9ÑT…Šß÷·Å"7&Qg{>Z
+¤Dᙂ°Ã¢z
+¡D‘é“(­.^ùÙQ‡âx¼ÙÓꜜbÃGsB'¯—>
 >> endobj
 953 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 736.6834 511.2325 745.3956]
+/Rect [494.296 736.539 511.2325 745.3956]
 /Subtype /Link
 /A << /S /GoTo /D (appendix.B) >>
 >> endobj
 954 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 724.7033 511.2325 733.7094]
+/Rect [494.296 724.6037 511.2325 733.7094]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.1) >>
 >> endobj
@@ -2627,7 +2630,7 @@ endobj
 957 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 688.7382 511.2325 697.8439]
+/Rect [494.296 688.8378 511.2325 697.8439]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.4) >>
 >> endobj
@@ -2655,7 +2658,7 @@ endobj
 961 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 641.0171 511.2325 650.0232]
+/Rect [494.296 640.9175 511.2325 650.0232]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.8) >>
 >> endobj
@@ -2697,14 +2700,14 @@ endobj
 970 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 569.2861 511.2325 578.2922]
+/Rect [494.296 569.1865 511.2325 578.2922]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.14) >>
 >> endobj
 971 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 557.331 511.2325 566.3371]
+/Rect [494.296 557.2313 511.2325 566.3371]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.15) >>
 >> endobj
@@ -3243,26 +3246,22 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 1066 0 obj <<
-/Length 3185      
+/Length 3186      
 /Filter /FlateDecode
 >>
 stream
-xÚå[K“Ûƾï¯à-Ü*q¿ÎøüæÕ›×ï®Îùü»¿>ÿñ&P\æñÝ›×/_ýðó‘Ïõ‡›¿]½¸‰oÑS‚™y…ß®ÞÀ³^øoW±\‰Ù#\`DòœÎ6W\0$8caf}õîê§È°w×>šÒ	ÁÅlÁ8R°~ŠŠH”3)`œb‘ÜDQˆIFYT>%=å+‚Dž‹Y¤2Êÿ¹-îô™"€@‘l–ñÉ,#O©ÇŠē"*#R]lt¹XÞëå§eS¯®ãùûÅLJ/¸3óR°/"	h™+Àp)«^vÍîàHË
-Ž$ÄS®)ž¼$
,WÕZáA~E±ŒOJPFˆœeFk#Žh=¢s#FõD'
-ûÒÔgÖ$L–Ÿ\=/?PÎd6XÿæÞ«d )É‘YîU’ñ„µâ`>Œ²Ý]5oîvÅÆí^ûhëÆ…ûÙm§wnü+Æt­ÝxÕøÉöPwÅgÿL]zFMÝVð`½<\BæhÌû%€åê)Þßg1¾!#ÕÅ
)•DÔ˜ÿ	"õXŒoÈH•²ß„åÇß¾[r™Ü>€íÂ[t¹.Ú6±uhŽ”Š~ù5	~LBŠÀ°ÙwÛ}—à8$›!éïÇŒÅc‚) ¹Á}°×‚”Aÿ]îŸ.Šü+¸º«›ßR„÷Q‰ Åã–ú˜`Flfî	‹]àBÊM8üJ.«¢ZƒTdÌÔêô%ë?àKžûó/IG¡
-eXñà(ä?òº_)hbÿzïuGÜž`“Š¢åY&¿6ˆf—‚¨db ¾EûTãa4Rõp®ÙlAÆd$åӈȦEˆT	Ú…MsHzB¼«6Õº0Œ‰y×$+c2XŸ¥"«ˆz½Ì´Ì+ûËçÅú±8´n®Üo¶­›îîµ›s˜o¦ tBÜì¢lîqwÙnõ²2QX—F„Ù‚bŽ¨Äd‚ý8mü¼;l«e±^ÜTU"|Y­L°Ò6pK»¿):ãÖhÌI„ÊæŒN;IŸjÜI"•y]].OÍ2HuD>½h J,:0E„gl¸èµ…¢s§‡MÓùk»“`DæeÓµ›5vrùÓÚMM§R4xCÌã¯v"ÅÈ¡˜8žÃ
&ÀŠÍcë¤é‚ÀíR­@PnªR¯]ÑÙ
¦¬¥$î\N	ÎzÃVo}ˆl¶¸Tæ…æófå~÷ã´Â0›·z÷Δ‡<£°½ê¥vTß¾zý½åˆ>Kf°°‘%Ô±ÇÈÑî·Ûf×µ^žõÚ
¬>ÌÐe©hëÄrÇÛG™TJ ð	Že€Ò´<N(Â,î»}W­«Îì2Ð…þ¼ÔÛ.±€„Z”±¼ÇßÒ·]±ëKA,Ê%QÚdØÉ2@äTž²ÜéQ¦
-PQ}>3î€ç÷Õ5À=üèñÀ]ëÖxQÆæuÓytéæ«zÄù•Iª§”	IµÈcìúSëØ/ÖkÇ|Ó”œ‹×¿Z9Ÿ5ùŸ”BMphö¾v×j¾O‰Ä 
-¦J\ð7
-CÄ~¬ºûfß…ÇÃh³5{ÃWK•¿ûXot°Ún×Åaµ{[w¸ºJ·Ç‹¢
˜k·÷ŸÇJÁ8â«'”&}ãÕR¤ºX-	PW`†'ˆÔc1^-Eªh¶‰¢H0”å*ø·épTw©"F"Î;M#ۋɲ‡¼$GJ9=帽ÈÑl¥Tâ7H™#¿ÃE~Ÿtª"
-‹\~u:ê‘4•GB9Mròµé#›k{2„ЇÜ2Å!›ÈLžoÀdþÕ=‘ÁÂCÌ£4¼iå· ËÃÌ`å~]”›³ªïζgðdˆà)§Ý½OåÜ]%Ü=RYw×ë¦(Ï2e’!.!XO®©Î¢°Ù_\òáÊoÝÊ¡©c2Ë»}È
-N{B±ýc²Ùª‰SÄLH›VSjBMj¨&pE1ZÏõj,5V8¿Op±ê´¨Ñ]8Ê&싇J?¦dnû³2BÃàåÓºŒTçÊF;“cäŠµÙ7}ÜwÕƒ®F·1àˆÌ(¿`ãÕ„•³ñ
-Òšû”‘•í”‘Ï
-éQóü—­æÈsÇImFªsužX9™ €ôùªÚrv𗛢2uha3ùAÃ÷wûSå
-_ð…>Õ¸/D*çPæÔí*D⤀P£w€Ê!§'©Î5:tPPnÚb•¾=ªtÒØÞ'\9¹9¡õg¶ ó	UŠ]ð‰Õ„O*ÛúÚiýEO›þX(‘€	lH>­ÔHu®Õ¡_@î¥!ªõݾÝjÞãóý¶,:ݺÓ]`®Ee~ÊC]lª¥»p°°’š²ÍNÕÍñ–Už‘mn-|CÖæLäç}-]šj5gÆÛl'F¸UŽgëçbñ
-­^—¦?A8ä6ÛS¼×Nàµõ¾ðœtYu~ÚuOÄüV»[›¢Ôý;®9§bFµi™v›y|Ò#°º3Š½=˜_b”•·×\;"#­„‚·sÄ®7£e±o­úÍÊä;wAlgÏLúVžlö»ºX»‹ªÊγºõ„í€ÞKÀßx*ß ÂÃÆP<¤!磡E{kš‹˜ÂØê(oýuè³=XØ•Ÿ¯ýcÑ‹Ì…Ó†{¶è:½ÙZÛÐXmS|Âsúñb=ÞWk2DD«#œ…ÀÃÚ]â,‚dðBÛ§ǯHåÄ*ÇÑkˆ(OJdÿWÀ+䨓=f²g*Mg²¾¨‹[ë„R±‹ÊÜy$Lîòhw7}ôB¸é±ŒIi±Ìܯ›ã-7SyÆË”1…¸Â'ç”U˲ˆeYÀ²l(\GlËúØfúõæÝ,²·dS#̾Qœ…¶…›l¡cæSý>qÀ³¬æá²j?=KÁ‚…(©=Ë…Í@%½¸ÇÅÊ‚	bæœ8ft_xæÈh­;ûª‚Šùóðµ¡~|HÚʳ6›É*™qƒ)‹ÜóA'Ïš~×
 ­Ï‹nuh3F¼Ç
-,%Y~+zTX¨¬èMW­ÿWõî¤.{(qªÌ”èkó­nuh`¼~sóêå?Úv¬š¬}HÆx«š¶}ŸjÜö‘ÊÕ>Ç®æ )få_X9R/=l
-™>°ùÒp°vì0N0e¢;“1üÃØe
-08>\ƒ3ØE7†,g§r^6žªñ¨‚ký¹j»ª¾;òè¯ÚúsnÎépÓkWÌäù¼2Xž+ó7s_Og VÅÈ	.?¶[é Û¿¤Þ"ñ|;|Y3ª9žËøe¥?>Nó„4æLs*“šœò¯ÑœÈMU”ŒÆ>·¤Î|QŸØ 8>ùÃýãÿ3˜“8¥F¾Õ¡™©Ÿ€‰ÊNäù'IÜGÒ„èÿt3Ùºendstream
+xÚå]sÛ¸ñÝ¿Bo•g"ñE}ËÝ9×\§ÉÕöµs“Ë-Q6‰Ô‰T|ίï@¤R¹º3í¤ã‚àb±Øï]Èt–ÀÉ”¤šéY¦‘	•³åö"™Ý÷.¨ƒYx EêÛÛ‹o^ñl¦‰NY:»]wp)’(Eg·«wsN8¹ÉüÍË¿]].˜Læ7W×—RÎÿûþö§«ë——™˜ß¾~ûæær‘%ZÌ¿ûËËŸn=Äyß½}óêõ?ñ\¾¿ýñâê6œ¢{Ršps„ß.Þ½Of+8ð	áZÉÙ#¼$„jÍfÛ!9‘‚s?³¹¸¹ø{@Øùj—Æ8'dB¤r¶à‚(Ø?ES¢y*aC‘ÝT1HMRÎx`>£æ+J¤Ör ónòûbÀP4›e"#i–ÑçÔAaIQ’<”!©Ê·Åj±|(–—uµ¾\¤I2·øðéó{?n
Åß¼’¼ƒ‹¦¸,`°¬Ê}±lëý‚ö¶•‚¤LRé±ÆpfpHæQ®ËMaˆ‹`úKÒ€ñ”¡”d”¦³ŒJ’q©ã6ä€]¨¡ƒ–z¨ž}®«@)WÀh)¦	P
+z\ ÖYšõI¸}pŒéQK5¡i¦c"džàV„ȽhvûKªæõý>ߢ
Û¥
Žs|ló¦-ö8þ5IئÀñºv“ÍSÕæ¿»5ÕÊ!ª«¦„…Õòé’R:'c6j8£Ðê6ÐE1n–ê¬Y¦ŠðQÙsHê 7Ë“3ÅÕ‡ß>}s5"ððÒIt¹É›&b@L¥‚ž|u—à'¥GXÚÝ¡`ìƒMºŽ>è÷‹ÇRðçÆûƒ¼”-%ûw±(EÆÀ¼ªePß¾~ó=Ž4a/¢,2gô{ Ö'!r4‡Ý®Þ·£g³Á净wÙB*Ú yžîðùH“Š¤4Iê]iœž… Œ$\÷íîЖ›²5V¼(~_»6²A
+)纃ßÂ7m¾o#[A,Ò©ðQÚdØÑ2@j–ž¢Ü£HxEéùù¨C2|(/)Ô¸øÑù|Ë7Ñ¢ŒÏ«ºu£ŠΗՈò+“TO1’j©CìúSƒè—yUD¾­W(­½F5ù_šÊ´/‚§ú€îk©æ‡Ija¦ä}c0äžìDz}¨­¯qœ­wÆ6\µTº¯¥ÑFt«Ín“?õ\íÁÖXWÍñ%o¼Ïµæýç±ÒDB*Cµ|N£‹b¼Z
+Pg«%	û2ñ‚‚ñJÉÁM”CÒÔTÊk¶ép”÷±ò%%‚s~š@6gÓdçì¢ìãî,FcD±”¯—,|Ogñ},bÅ…$Xêô‹QçCc¤"Œjú¥¹è"›e;0BÈû˜£å¢3š™fUJ¿¸ÒÛ¸ïý2Âó'-ñafk|b|
fYV÷ÃôZ,RA8eÙ´ªw¡PÙUDÙ”U÷bSç«AŽL3"RÓ“û¨áÆ}ÿÞNHçkÜÙ·sLNyðùÀi7(4~LÛQ6qFx6Òä>²©5Á&Õg¨¢­ä:Õ•+™ßE°X…ŽõXÔ¨Ž¢ñvñ©,c´ôÍ~P 1ˆ_	hù4/Ô™ý8g²­hŸ›]Ñ#¸/?ÕQÈã2N •åØߟqjBÆ
+e¼†„æ!&ä^M;%äA	=*žÿ²”$ P®Ns3@
Ùy"e¨}3H•zü¼zvuðü9¸¿m^š
+4·9|¯Õû‡u§Š¥é´.t¡Æu!@¡.@S5k‰{H%„ºÐý*ÔjÍ N24@
9ÚW`6
±K¯,¶Ó	,$·'°î¶À–‚c:‰’™>£¨	ðP63+ï«ÿ{Îý«P&¡X§é4'Ô•'•uBÁtŸ—¯ŠÖÖI†å5KÔüû777Wßá$ä˜
΢s€Aµ£U{•¡SXÓQþPT8³*±àí{È`ÐÄ€ƒƒÖmSŒ$€Zdê˜/NîzGO¡T€¸çÓÀjeieº¼ÙŒ3aêk›>áÇýý×Ý|ËÃ/º"ùÖ¯uÇ@'æV*›C-©ì@òR.Ò´GÐPòêCl¾÷dú:sIP³ÅV€­VáD·Å
+Û[òâ„)#o[ÂÃ4æ¯W¿àøúº)ZÓbÌ”ðaÊY
+ˆàšõåì—›N]n†Òæë¶ËóW÷¦û`&ó¦Óœ’®…×6m·w%aDzÓqj7¯z!ß„5S¸ =´õr^×=5ŸõÂx¿¹é؃$ý·X¡Û*»¹55ÌðKlaãê»3ðËW/ö÷üíà,Ä´¹9žJ=#O­Ahpï¡Î1gY¬ª¦)b™¥±žŸ´›`—ÃmXãó®ÀmQ$ø!RqRBUÞÛÙÎe¬ÕÒó½/"ˆ &,69ÉC¯‰f/P³„i3u¢Yu¬€§œ0CË}‘·±+ô¾“e‚„
+M…kß'3£ 3ð‹G±i¯n0pL6SnÍ{?Ö[váªÅ'íÔê©Ê·å_À^ŽnŠA¿Fh(ò4‡àÎGPzÆ—yðE~èCX'[¸R˜xöúÊÇÒ¸99ÈÀóJHá2j<^J2~´¼õ@‹TìH–Ò,à²d>¥ÝÖ¡ËizvèÖf¼~eà)•gÊü.Ôxî ,=û¢ø\ô)óuU8‘ÇèÕÓL
PC®ž3ØOrÖgëÍ¡ÙÖ4¹˜v+°è_¬-áÅšyíˆWÒ,dŠ‘ÊLUõñŽJ‡È^É-|3åÕé5
+Þ×Ù˜Ê]ÔaJº¼J!ÎÆÍe„—‰/V&jRábƒYq¼’à«Cî0«²uÓ—¥õ(æÓ6_Ý/x¥¨ÂÅ#Œ*ságÂ\$’!ïl¸Kæw6RÃ4ðmŽoðŽ@†Ú”Î_·ì"Œ–ù¡±ì7c»\WV8éâp2ÿPöU¾Áßf2­Cuç›'(RU˜‹X(—Vœœ!ü’‰ù~ówh¬³§y	­-[~ä{÷·ƒŸ¬`ÌÎ/7nYÐ"ó‚ÜÀµyÛÛ•
w,9Á¹þ8²ÊÍÉ!h?¥8–b¾éòëÏE5꿨¹Ö†DkÚu¡ÆýW€B²òÇqïÕ÷(ÏjÂý¯8/ß_›äè±7`i¼×ãéU•ßY%LÕÑw±T£FÂdŽ¯G¹ãôQá£óeBk.ŸýÃýãÿ3˜›8¥ØÈ©3ド#ÊzØ‘4!Œ§,Bú¿J)Éendstream
 endobj
 1065 0 obj <<
 /Type /Page
@@ -3270,6 +3269,28 @@ endobj
 /Resources 1064 0 R
 /MediaBox [0 0 595.2756 841.8898]
 /Parent 1044 0 R
+/Annots [ 1071 0 R 1072 0 R 1073 0 R ]
+>> endobj
+1071 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [197.7714 320.787 259.3428 332.8466]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
+>> endobj
+1072 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [491.4967 264.9355 511.2325 276.9951]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1073 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [102.5211 255.6303 156.7673 265.0399]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
 1067 0 obj <<
 /D [1065 0 R /XYZ 56.6929 794.5015 null]
@@ -3278,94 +3299,95 @@ endobj
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F14 765 0 R /F48 985 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1073 0 obj <<
-/Length 3817      
+1078 0 obj <<
+/Length 3524      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Ùrã6òÝ_¡·•«F\¼vŸ&s$NÕ:ÙïQ•Ì-Òw(Ò©q¼•ßn4ñ€$§’ššŽºÑè´Xpø'iĸÊô"É4‹¸ˆëÝ_l`îÛ+aaVh5„úæîêõ•,2–Å2^Ü=öJOS±¸+~Z¾ýîÍwï?^¯dÄ—Š]¯¢˜/oßüý=|‚©(ZþËA¼ýáöÃÍ·ÿüøæ:ÑË»›n¯W	Ï4¬¼¼ö‡ß×}ºþ|÷ýÕû;ŠáIWx„_®~úÌøû+ÎT–F‹'èp&²L.vW:R,ÒJ¹‘úêÓÕ?ü†ƒY³4Ä9˜f±H+€•±PA Á5ðP'À_-˜Ô\zþêtÀ_Á¡­ã…‡Bþ‡Ýcq½Š9_þ´Êëú·Õ:_oËßVÿk›ò³@f¼þEÃÝâ„©Dj ÷ùZ•OÌ#ðr°TòØBžrW)Á„ˆÄ…Nê¡æ'•j€L©˜ñ,ÉÆG}G½^‰Œ/ûmI®Ü-÷ #zù—Ž†Ìémûgñ¢|ÈuMAƒyS¼n÷ÔFux–ÅJÂ-H¥ñ>Ë¢ˆÄ·oI¶Fl†lý̹¬íèn8‚ëËu… eAÈàdX	¾¼y ±¦=ÎQ«êfË_Ñ\í`#;¶¿ér@YY°éÍxéŠA-3L=/ƒC°Ó2è¡I]ß>:	|œ‰†ˆK´VpPsF¢!â”%2šPðÉP xJ€
+ À@%Õr—©®Å²Ùà|¶ìŽy7ÏÔ ÁuÙôÔ_oófƒò„]^”l›-
ÏM¾«ÖÔ9<yo!A2Œ|H§Æx‘HßüçÃG”Ääx•ØÁ‹ßw=vâe—EÂq”Fó»µ€»¼ëËýqQM’Ÿ,ÛZì!‰$»{E™I”EÒv1ಌ3–¤YbÕ}õH0ã›P,ƒ[³ •E<”{Z3Ü7â cpg´8æ¡FêÏYWk¡þbw~$Ž¯Ë®sÕ(ñ˜¥œfA*Žì…ö‡}ƒÊ±Š#µ¼ÛºIPªö©£yCcå¯ÀÒ&¯itˆÕà XQØ®jJ~Ú–MàÀŠGL$B_:±f±Ôκns{†u»{¬Ëž– ù„[Éâ±…Bå{¬šÍÅWUF^RüØÅwPDhÝ¿DñÏpTü)'H)¾õ&Ë+¥÷	8Xí€ß~ý|-„X¢ýåbùÑ*8‚‚ƒaè¨O:N;t¼Ž#§ã8ÑZtFOk»×q%"°ý=5¬~cÓÈ–ÐÖˆÁ€Óol[ýFk¦Äòþ`—?Uè°uoÕuívçôD¨Úþ v©Cößö`åþˆÍâ@áöÀx@>>™çy’‘Kœ%íú|ßÍS`Ž‚Ʋ4âçmf‰Sƒˆ.˜7¨™šx`jpç‘ÒãYШÌÏæ
-Œ
-9£‚€9Ø®eCmoXŒ„ˆL2­åD›Ç˜1 °!ÂÀÜ`÷„¹R`séЊéT«¡µÁ=ÖÆtQ¹ÏÚ•(ŽY$dtÁ®ÁNÛe¢®}¾.gxÁú¥`/àuPs¼‰© ¾#Ä7Íš®vGöaÑïÜuÜ6›
-ƒ	ìÖå×Ò†g÷Ïô.öëÀ>pE—X7;Ã:5bÝ$ÜW¨ŒÐ½SꒈŤHç©sPsêÆN9‹SžŽÉûTö]¯>†?Ï]§è¬ñ·üõ±®Ö•½«¯y}8ÇupÆ©€Äô×`g¸î Œ¦µa‘#a”¸€ÙAÍ19Å,I¸£þ³8ÊOóMÕkHÃ/ðmvšo
-‰¨Ýö¤¢ŸÇë}†7¬è#ÄqùÆ™tòk4ÄwÒ^bÍìk”g
Zð€2ƒ È4†Ñ33΄¥;O ƒš8æa†³ñ„Â07Õ×Ò*§!ŒòcqüQ~c$Ä—|Îì¿ÅÑyèfˆ5ªšˆ. vPsÄ
æÀËtŒù]Õ=Ö9º
.¦Iœä.´årÓšäM/oÛÞNõÛ¼w-;Ôv÷&(ƒ-h+i¦Y5ëúP¸ž_U5Ç(ešÌè
´rw_5Åë·ßctr%"rg¾‹i]…Ê4¬'e`ñ,Röúæ6€Q‚ síŸmå¼÷eõà1«&®àbÂñÓž…ä·íºnŒ@7¶˜p¦ü¢ˆ÷}ÉùÁNK®‡ÂÓîËõaß¡m?•€Çí°îp6BþÎ×ÃüUÖUgùÔZžÿr(÷Ú¦+OY–féïŠXÝÁ±‰íM_?îÉóÃbg.EK4l—<ÛìÌ¥8(SOÍë
-Īml‚Ü6¿µç
-²2b‘ÌÔŸS•iÆd¢¢óGôPó#ŽÕr4él|Æ÷M~_ÛJ¬«¨Uw|wûéÓû·Ô>2ÄØ.N¶+ $nÊ	DÑt]¹^•„)di" Lf“²m^w6¬iʲ˜¤R÷Þûô~bÎ_|ÄÐÂÙºg/½«£éÖtÿò…ñ¡\÷à]å·™»	etL2"èU8S©„H[¤Le’Žö6J‡†Ç
-™J…IÚ¯ÅÙ]SåJRür¨¬‘zu
~J-AEÖ%A˜â2.pwhªµßRͪßR‹*åü6:$ù¦›—šÂ€™•£j¡¨6U…©À§U›\ž­à˜rÎfiØh7Œ#I8šS·ÛÚŠJa·*möÖcÍ\ÅÖ͘
F_S‡é'ã}a ·6
ÿZv…£H
ÐLkövd7¡êq…×óË“ÊU\L…J/ïŒ1U‘÷‹f]Ý®ým”vE™‰"qôÖ
-ç¾)Ö!	–,屋$téã;‡2EÕyý&M˜Š|4úºìׯƒÝ(Syaìëɺ–$êI)×Ô¸¤Î¼OÎk›˜˜†ì0‘cCÃ÷Á'˜°÷-ϱqÕÛè³·©«u¸¥5wFº}´Í¿êØÍ'Á#f=;u6	>`à¡=4Å«Àe"÷!‡ìe¤I§nÜe"‘¶BÈ…5‹ØªÛöµª&À‰D³(ñìJ¿”Ï¡…¨–'Îdã£J&nþjS¢©˜£ˆ!bSÚIM÷Ü¡¸Õ>°,!ìŒ\ùï)ïhó¢D^6ÆÚ\¦H	-û$–ßÜܾ³õX.X‰d*`U²¶
-w•é<¢Ã‡C¸`
¡ñ]Pj b±öÁÉ>AôLM<Ÿ¬ XKÈ7eSîɀⰩ%Áïþ:]šÆ†x³šäµÇú)â_!/7&
ƒÕ«<@Ü°Úi!YÚ­÷Õ½pHËd”M^XšY<%\&äâ\שI#ir¿YPãã0²rð«á‚@È9Û—*ë£ÖC&Ìt¨’¥b.Fô+Yê³ÝL"B,Šù¼m¦ŒñÆ÷°Ð;ô*¦̼¹É¹('Ç,
rWÕù~øüä\$Ž´Á<‹"-Ä0®>e£Õ+õyç°ï°}
ØÉ£°·
ºd:âÁ=p‚iT"ž泦šŠ2NN8+È-2.FVµ¿“)¨ŒÀ‹$.Wk¡€Ô”'ÉK7±±Nðé@f™ÃP#Ì2yoa3îÐ^1è™vWpäzr¨-pþ8‡}=ø&Ÿ(JVÞuí¾ìÇ
pès‹ñÇ
ÆQ¥ñ8¦Id\G3& Jcšªà0j*¶¶ÕzKúLƒGÚ ³+óÆnï6½wè}‡†Vd6úÈ–ž­L€€&ŸÄC&…%Ӱ˧ôbš@B„žyбÂ//Êâè²P&L*Éž6ÌrÔrkLkæ_Ë’ºë:?te÷× AO˜ˆ¥O(\Äý?/ÐàúÄd¿>J²²ü1àú„pƒß9ÛíúØîûжš%©v$°€ðƇn7kY2Éâdúšz’Ò¼’»à¥Ï¿˜´žœ~¶­©O@Ë(…¤\)
-›‰¸5¦»9ØÅ“T@ƒ-¼•FáÊu˜`¹WQá¥p[÷ìrŸ¯ÉëC×Tªº6`ØWît#^¬º¡jÆÓ‘ü¢BhwFÃ4§ ‚ˆ\k>AØÙj]¾À>jM%6ÅÏÛù2	óÊS9¹žH;œ‘¯G¶€Dyt¿Ë‚}{€ª·k‡×dS
-	¢œÆ±œTÌÃl4±k"-øÍC’	WÞaœp*S:™Ù€³4ø¡ÒêMÂ"é?…9f4öÄ2h˜å4ÔÒ/YäÀ]!©øŠÄ/d µï¶=Ô–S ¬
`Ô1¢šDVTñ•œk4‘NKÜ Ú:x$pÜ kòÇÄY8û…]årÁ j®=~ë±·ìãÛBg	±±Ät'ü{|I2 ¹Õï*/…usú!1‡9Jk(à<†É$Êk€T¥/¸ÚL8ù£¬É ?p¨vš*_Á™ÉP¸ô*ñ²ï¸L•-oz{Øî¬Þ¯.Ñ@FêIžÑQ^
ÖÉe¾Lö#~"„\”óX\º’„óÀ•l¡|Ô0KüÄñЙ°=Ù &Ps„û‹_Ý…‰‡”ˆKÿïxôÐâG'ôÅå8š{¤ÔGÂ_¹„8HÇÆÑEq2]îÆIJ[N‘æSü1u\jí.7êP´µ­•¹O¦²¥y?P,ÃÚVk‡ÀãòÚ”öX¶$À†Aë-ÞùߨÖo&PÊÑÑõ{SX\W_‚Ÿ%ý,¥•ÎY–
-5Ñ’é´V‘^@v§¤xÉ·âöLÓð—â+¿ßê¸aàAC*+!'·@gÄQùÑœrTOÊ©ë®JÓõØ2UØ’eh¸/Z2ŽUè¹%ç¢jiä\„[ÅÚÇy½i÷`iv¤:ŒÏ«ÓÉ,KE>-Äd¦ùRƒiò¨™Èo+W³%ôG
-²|üþ[ûÃPpü;E	÷)Í£MKÛdï´ù µd[WYÚZònöÐ3RÖËvŠ‚`ijÈç=ÿÄ"6Œ«D/l¢™áÂ,Öû¾Ø·ïn„‡Y UêÛ»›—ï”]$,‰d´¸ÛôöŠc±¸Ë~Y¾þþÕOwo?Þ®¤áKÅnW&â˯þþ–f>Á'c–ÿ¯üðîýwÿøøêÖêåÝû?Ü®,O4¬¼¾öÇŸÞžÖ}ºý|÷ÃÍÛ»îý“
+®ð¿ßüò™/28ð7œ©$6‹'øÁ™H¹Øßh£˜ÑJ…™òæÓÍÏ݆½¯néçà3‹D¼X)Í⶘\µþš„EJªŽ¿:îñWpëhÑA!ùº®6Åv|\a,³Qdý=§¨Ô5{¨#É,3@ý1/ë4Þ«hÙîr5¿r.·ÇCÚuE“8Sz€´òKN‹«ü‰ÿ­«¼yãdyli2«=Tí'·"^öpç_Š¦-ªíi>Ö9ÀYk	G,1Fºä9R˜$Ëbƒc<Ç3ÍìÒÇœæÖ»´ÚæÈŸ6ÑònW4~MCß7iÓæšk–fSšØË)†ŠC¥’Lã˜û[tÇ!¸>ã•`ÖDìiè:‰
„,”ÒÏ2u·9ÍVÇý=/ë
ñCFšI‘Œâ.€´é>_§Ç&§EKÓǺÈ<]9ª<ÏüTMó/龨òܾÎ
+¼“uüXìÂz3‚ï㯒M¤<¨Žå†)ƒ+
+Ö» `
+YÒ´iÛLðª„ÅJ%Wð¨)Þ¡vi°®`€ø_hÊEë¹Ñä‡Gw‰8šPæ×ÍïëÆÄ¿óì‹,XGiÍöõÁγ¯ƒÂSü~ÌÏe}Þ>]FÝÙ§	êYû4@}w›Èe½Ý¢åQÂ)8i°èR„\þ<ù@Ö¨Ë8›–MMS÷9ÍäUz_¢Ø»I¿8ÿòPë¢-Ÿi>+HG×­ßÒÙ—k0¶N¢c]á4@i ¥Í·59µ6b‘F6ÂÉ,Hgðˆ˜8H´kU^ÎY€ãÝŽEE;ÎÓ.-±Iç¼^ÎrN'‘	d? Cš3{rM8G6s–sFKý5œwn­	L¾`$ÀkÖ¡º`±eÇýCv»Š8_þ²JËòÕ:]ïò?Vhø?ûD´1e·`%»>> 0c̳£Z[¸bØ÷y|F.Vˆ(ºtÆf|Æá=ÁEñÄ&ýC¾CÞ®Dâm3‚!ëþMCSîÜ~ü+7<Ë7é±la(h‚¦—(×8&·HNœ£’h1”щ7È'?@ãM}{
Ô	þYN,_¾÷Oß|pÐL–¿ðáÄ>§ü\·xÊ0²:'wÆÆ&ÙèŠäõÁÎË^En½~²÷0
+)ð'Z]! @M	y§˜YiF|r(NNÁ
¼h€d!Ì^îÓߊ[±tÞƒ'Ë昇ÐiõLïeòª¥ß°6ôcŸfy@ãëãvGÙ3‡bM?ŽYÚzH²`y\úÒwKïÿýî#J¢=]%þÀ‹?4-þˆ–
ÏÍ£4º¿;¸÷árXT’ä[ââ’Hòû8±gÄJ”Å©Ù“³8	¶wõ0cï„b	ÜZ0Ïq_î§fÚpÐ1›ôÍ霑æ,IT@þßù8¾Î›†@Ø
`ÑPc$"íR‘ñÚ•K;"£|ÚA©ê§†¸æò/ÀÒ*-i¶ÕMà X–Eæ8íÒ‰éD¡Â
+}íÄÂìê.õgX×û‡2oi	šN¸•dt^T¾U|!™4:¹¦ø=°Š ˆÐ²ýÅ¿HÀIñÇœQü>¤øÔ›,¯”§à&‹=ð»Á‡0š%Ú_. Û&GRp0
ý&§{:ŽŽ#š ãø¡öèœ:Ÿ×öNÇ•0”‚ãÀë7l	íLýƱ×o´fJPJÓO:ÝûEDuY†]Á9=ꌶßÄÞ#
ÈþS½ÜŸ°y.WÀx@>ÂÀsëSy,)dO‡Öižs4klÈØ¿lk4³JôL
"ºbjÜ€U_ej¢ž©ÁJgA£2=[gTðh¾–@Á¨ `
+¶kYѸ3,NBD"™Ör¤ÍC̽t´gnðçs#¤À æÚ¡Ó±V}kƒ{ž¬û‰Ê}Ñ®h
1š–×
+q}°óv¥ƒrQ×!]çgë—ñvu‚	Þù:ÁñûjMW»'û0ˆèœŒ7á:î>»ÅŸeþ˜ûðÌ¥J˜NTjZ%×J=¨Œó@¾¢|e@LÈŽˆØ1i·IôeÒЄ´!oc΢˜ÇÚ>åm3ËÑ.z¿Ì× iêbT ðAqZ/ð[ņ)m¯¹À>ØyŽwPNÇêya󔸂9@M1j"H‚¸¢þq”_à›1Œs~-[íƒ]à[€Bâ7å±ÙUñËx;ŸàWñâwˆ8ÿ
+ƹDòk$ÄlF]Óá>ØÖ¨Ž5h»g4AÆq?€ž˜p&´QWPS‡|úôö5Oq¶‹“íš‘ˆR6"«š&_¯¨94kiP&“QÁ–ÚK¡•:J¢î;ïÓv¦üÅ'ºk<çͼÕѧDk¼¾AaÜ`wá15ßv`îF”ùó¹¡æLÅâlì2%t²W°O̧T,\¶~+–®;?]y+:ñûÑ÷ΰ”¬…Z‚†¬s‚pUe\ÉßþXënSÈ1‹vG#*TpÛ8¤Gø\µ¸ÔUÌ­œ)dŶh±Â ¸´b[ÇóeœSÁ—ÁWÿ0á™æ©»%]O~6;_JÉüV¹OÛÚƒ‡j`óÐÙøë
+ïðùÉ9_˜hý„Ï¿‹Ì¯©úR»½ÙÕð¼Tð!R‘:Ó¦k(¯×Ë;züa:·èÖ•u×è‡_›Ð–;ÓS’Ú†çU¶ž`Éb…@r†.Ý{i⪩ÓÂMl™2]0ú2o×/Û¹Y¬ +Œ‚^½ Q×2‚@tT¡÷*:é\rZºÐÄ…<0Ýc‡+š¾Ÿí½À:9qlXîvêÜ™ÔÕz¾¥u×Ç¥c¿ã7ÅLøÚ±S'£Ø&6õ±Ê^̵³¥{îÄ“!‡ÎÝ*xK+‘¾4ÈEhºÃ¨¬ëßhTT3œ°š™¨ëž®ô·|®[y¾å6Xl춡dâæO 69šŠ)Š6¥ƒÔ4Ï
Š¶÷g›ÑÖšP÷{JÚ<Ë‘—•³6—«NÂÈ7ÄòÛ÷Þ„·J趄*æý±(Q6ÐVá®2žtØ1ÄwJßÍJnGº‹M.ð	‚`ªíøäÁ[jD¾Í«ü@§]	þnã屪æûí6èSáñ¯—[—…ÁêU:÷ÂA÷ßÐá‘¥ÍúPÜw«X"ÍHèHbáSq!f,½Ü£‡í‚ûU€_õÌDœ“}©àÑk×C"Ìô\KE\è™-c9¨kTLvë:û‹UÌ®]|rÑÎxcã,ôý†Š(s£ðqêÁ*Å©u¥ÁCî|~Öë;‰3³ VcFñç_,`c!‘¾±Û—€úÈšúU.À@—Nâ‚>ŒÂ’qØÕeôbúg’UËνbV Éj¶¼ÿ=×þòçÓÃoHßTŸiK(îîË¢ð8ÂŽ)7*f&–v†ôÿ|Übsendstream
 endobj
-1072 0 obj <<
+1077 0 obj <<
 /Type /Page
-/Contents 1073 0 R
-/Resources 1071 0 R
+/Contents 1078 0 R
+/Resources 1076 0 R
 /MediaBox [0 0 595.2756 841.8898]
 /Parent 1044 0 R
-/Annots [ 1075 0 R ]
+/Annots [ 1080 0 R ]
 >> endobj
-1075 0 obj <<
+1080 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 238.8931 176.3563 248.1085]
+/Rect [120.1376 118.4229 176.3563 127.6382]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1074 0 obj <<
-/D [1072 0 R /XYZ 85.0394 794.5015 null]
+1079 0 obj <<
+/D [1077 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1071 0 obj <<
-/Font << /F37 827 0 R /F48 985 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
+1076 0 obj <<
+/Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1079 0 obj <<
-/Length 2236      
+1084 0 obj <<
+/Length 3047      
 /Filter /FlateDecode
 >>
 stream
-xÚÝY[oã¸~ϯ0}°‡Q$»O™ “Í›™&žig/(I±…‘%×’Ç
Šýï=¼É’Mg‚mÐ…DRäá¹|ç&“	†™ð%Šª‰P1â˜ðI¶:Ó¼»:#nOä7EÃ]oçgoÞ11QH%4™Ì´$ÂR’É<ÿyÊC3 €§7ç?^Î"ÊñôîòvÆùô<Ìüý‡ËÛ󙈧óë÷7w³H`O/¾?ÿ0÷;¾MãâýÍ»ë«{:³_ç?œ]Î{)†’Ì´?ûùW<ÉAàÎ0bJòÉ&¥èdus†x̘_©ÎîÎþܼ5Gƒš#Q–Ѐê(¨NÄ•âÁJ¼ÒªËšúŒéb»I»²©AÎ8™®ÓM[lìxWV•¥YV¬;7®í í6e½Ðc>M[»Ö-·k3#rºØ®ŠÚë÷¦Z4›²[®^빘fÛÙ+G¹©ý¨§ç.¥ƒä!HqN¿Pëõ7ïb99FJ’6ë=ËUšE«œÛ}#ÕÄIŠ·Ñ3_‘``å…ÁªHkà ÂžÎ
g°Ü™å¿³óÒŸ³û´-¢Ä-ê¬É‹Üôúӛݡv]d¥¶ŠßTÖöyûîÂA•Ç=Dœ"‰ÁöD Ũ4h¶¬d $‘0Œ•ül|¬ª‡Œûm]ÚÎ~L³Ø6Y	KšUªŒ|°ü¥x´ó¼Ð|׆qX߶V8važGD(ænÓtŽ9Æ¥C9ÚŠF¼8ÁÀCµ‘0sF²\îc¦<€•ˆ&óÒ#‹<­'¦N¨ç\œQ2}hªªÙiùõìþÑ>Sý85mgêtUØ0d·ä¹EPÛê8DÙ)+Bà“T‰o™‘a$ÇJÓ—\ëA·kì «Òm[´ÝH¢˧m¤†±GMZçBQŠbì¹ëfÓ°9QÞæ ‘D’À&ÇO²G!~Òžœg›‘©ñ·Ö®™€£ÎL‚M›‡Ñ+f!oV»pïÎåÜ®ì–EmײfµÚÖe1VûƒyipkIxŒ/'Zh)Ç
-ÚãùµE.,„]*àQÂãò„z)A+u M4K]°¹wVs_3ˆO{&Ì`pÓ=I‰ÚcSçYˆªcNÖe³­ÜŸê"ëÆ4õÁÝCŸ7š¤B θòqQÂçnwºZWî䪬ËUZõ—$CXÔ+~wÖÝÓz»÷šx(7$(¦”Bõ°ŒŒþÖÏþiØõGvïS¤Ýùʧ¯Wß… N@…ÑÿÄ/ÂØ«ŒÝ>ÞS^__}ÚÞ³OuzñvuÏ®ŸïÞvŸÿ/>ןðõYþtõqñÓJ=^_].rªô»?¹+Á‘Œßü[Ÿf­5Ø>!¥å+/ÒmÕE΂f;¡aø‘ eÂæœx RÇeP›–ËØØh¾ôöµ6wþV>ø,Q´ª¼7¤mÀêc¤0öÞ÷¦è²7š=Ðzp Jdâã’»p·‡ªñuvL „@	 Lø÷¤;Ž”ÉÐ--<‹ªIó§‘;0*4ŒC
->ðR˜øÅÞŒvjâƒ)ÎìÀF2}ÞÅ}zé6öê‘ÇƸ͕šW­4È
ÆJšæS§O/©šœ?€2p¶eY;ï
-{mfrº­ë¾lsHú •Îl*_Ùù4üœaŽ›£{²…êA
->»ϱÇÒ]ÈÈá¢,Ió0:Ð¥Éwvþ›}€Cµ£}{7³Ûœ»	Èéá˜ð´·õi¬ì|±íAï"o™ƒ¦ÊÌGgëðC-z­oBž(¡+¢”$ža·Fe¢«9a-p’¨çôk©$¤è`·õ£!IÓŠ˜£R!Fd²¿ù‰ÊÊ9²¯„lŒ£%œˆ±;Þö°TâDuÀ%h…Å­D:4- R9¾
-b*¤ß¼¶X^lÒ•½Áµ†*ÑPýZÔ¥ïÞàk‡ÀPvG20åÁ™SqkÁ{¶û”ië››ík]ð+‡,}iÕ6V_Œ%(¦D$Ÿ²]W©æ˜Pa\/Ú®›:w
çaUC@²¯jzO
”ázmê¦Ì•igïæíR]˜üK&ÒÁ
-4ýB@‡Ð‚×{˜ë°—ŸT¢‚ê›Ë}M­õw^uŦ†zçk¶#„@²*ëÇTÄc϶ŒëDCPãà4„4s.J,
-ȇ¸·s_pú¶z»ömõ±&thLú’Ö€)ìPÜšvˆ¥ae]7îÂU“ëJ÷ø6	~«(ŽÚŠh’ô­Q×gvÔ+­×°n’0Ôæ1è	NúO\tA}§wå¢NƒhÓ!6F*&±9tQlºÔ~< Ó7×µ£Ö‡	íS/¬»
-Ãw§f«OžúucOtéÿÖ¨Èì<ÍLÑ÷Úî³E2‚­Í6å½­›ÈÔóÓß6Êššü}U PN†öÏw)-KÛçÿâd·D¥qïÈ_tD6£œõ¦«¿Ða:Ø
®˜PpIÍÇs²	3
-ùA>ù}§<xäNr`Ïa å†^Ï	ÍËQ XA.è?-µ¨(RH¨8 ‡´šî®¯¾ÿøáPID@J8›	þ{<ö$LŽ­˜ ¢]cÈå…ùìn'G=§Ëgy(×Æâwpöåì+y
-þ¶ÅÚb¨oQ/¨G¦X€÷›ÿ«ø¥/‰_(†E6z¿P?3F˜ðüòöÇÓ|1±FðÏgC8«
-)ûDêXü£ìNcìÅ$ýÿÆl`Š|b$¶´ƒØõÍü4Âö_`‡<†ñ5dò?€¯—’ó^¬Iô‡HŒÿ¸;úºT$”iÔ¡tˆ%	ý͇'ßìsÿTÜÿ×
-53“’†Ñ­0ÃèêPMKcÈ£¿<ý¿n×€õG]>Cendstream
+xÚÝZ[oÛF~÷¯‚}p:÷Ëö)
×-šd'ÝÞ° %Z"B‘^‘Šk,úß÷ÌU¤<²4‹],ôÀápxæ̹~çPd†áGfB"i¨™)ÑÀDÌ›<[Á³³ÖqQ1^õÍÅÉW/™šd$•³‹«-°Ödv±üeÎC§@Ï_=ûáÅiAž¿{ñöTˆù¸¸û×o^¼}vªøüâüõ«w§…†ϟûìÍE\ñ0ç¯_½¬“d
+v†súuýPÕ¦j–aóuÙûÁ°Þž=¯*»hÊ]_õÍíK"’ê@pY]•»f(újû©Úfö—IŽUXþ4CQ A9 ÷±ºÍ	EE"V0Ìçe»ÌP¥í©^wÛ!G–#¥yde¨I¤%7ÔìºYÁER=+AFê}LÔ e¤¤†òceU@ؼô—u×~Ô–«BçÝ6,Y.½šúøŽ»]í‚FíÃ
üÂë°ž‡W†uåC·Á°.Ãû7uÓøÑeX·èÚ¡\U [_î:8>SO7‘E‘³KÂ7XOì׺0Ÿ×–SðiÏ{÷©^º½á‰_!Â`bÑm6þÄ0ÛÔm•ÓÑQ©èã,L@TÐô@=°UØSDµÀ¨»òJk	úûp€zïŽÕôÔ[
SÖÒF/)%Ý›J¿bL[wn¸½¼õ×2g™ q¦¢å±‚qu'ä„Å
â„éGúB‚²¸w]-jËwNáE÷ºŸêüõf]/Ö9]YVæä¶].r>
+…8÷]w»&H
+Œµ­a3gªpõ¦
+žÊ4’XXg`r‡7<<_ÕŸªÖ»p
ÚÇc‹ÃÎâºm Ö—Y;ä+]ÿh„`fdŠìSmá€ãP^W…ƒ@|oŽàF>dœJžIš%3ìýmé/ÞÎaà”©C¤€+¤+M­Áf¸S¥B?B·†D¼Y;MØÍw ƒv¨åP·+?wSy#RÓäÖa—y9“¬Çf~>„Ãö·ö~†£¬ ùÔW­µ0*_z¶{KœPìôÕˆÆcIR‰Â8£·[›	»à‡Fa1>/O¸Ê¹,WBmˆ³Ç<0tÓ¹`Æõ4ÔHmî5”€èEd%ÊèªkšîÆZ‡Ýņ3;[¦Mý½e<„G†58ÁANõA£ TÏ7;—%©ñÆ3¥¿|*›zé‡ËnS:„UžtA™ÍuÝnµöÓõà—¶U^j»0)oW6Íít—u]m}4_¬­Î¿¶4m¤ÛõŽ<‹|ôÃÖ›)¼ÜÔ-€P&çù•Rž3GFvà%cK€k3“6a±¨j‡°E¢XŒI:|:aÂô~ç{ÌØ…§h-î¬å&EÙÒßF…q¯$äM!ÏŒßÆ3l(ÉÄ3ØÀÃ]Îo:?sÐR’'(P6«nñf“Ù”+ÄHrª<µ‰MÄXµØV¹”J%J÷þi¥ñãºn*Ïp+à!J\äž%ðz²W»m—óërÛ;¤ã€ï`T.ÕõÆí­$³åƒ˜ó¹Ï®š¢Mû¨O¢p¬p5_ì¶x¶C(wm%za³ÏôŒõ¦\›¥ÈëCS|`z ö¤^lª²FV禭zÿÈ ô—˲¯
+ˆVí¢ïåg‡—ö¸h9	o_>e­à:¤w1}Tr×0äú!4A퉌C0Ëbß-j˜ê}¤*ý´Ïðp?Æ¡0¿ëýáرôFÀgeØý.ª‘6‚å9r)}ÌK8TóVI˜%y.ïIV…ʘ7S9Žº pHÊƉ‹’qâ¢!qÁÕ&.ŠC©f'|M`Gº%ûRÍö,(;
+Ñ@4%Õû@¡V{È;°™³k;pqÍî-àaáTy
£sqoD+8PÖ]4×91£°&59"0X¹¯Ž Èp4‘ó‡…ƒƒ‘8g;%óX‡Ø9pì ¨I1WºPëf:?qÞñ ÖÎx,jçl°kuÝz’uï}YÚCë|c>±h¹¯12õJµÛñêbؘy¸z¥Áæ2Ln÷ëFñéêö Ðí4ñ ´xÃSsîÔg®|ŠõÙˆ;EÖØç}Ñ£ ÒdÂĸ¨ágau¹¹n››º­7Š‡Í’!LÚ™¸:…õpõÞ½f±±ëmh­L2ËBbì$ðt÷/Çn\8Ñû?¸•Obúzòu.îñÁ,NOÂØ“{{{IE{~öawÉ>´åóo6—ì|õÓ»o†Ÿ~ä«ŸÚøüŒ¬>{¿úycnÏÏ^¬–ÔØg߇-Á‘æŒLwþ#ËOì/?%ɵÝrÛ1„²‘,åq;PÁH¤Ë¬4=—fw £‹uÔ¯×yð7×pY¢hÓDo(ûŒÖ	†§6âWÕ°øʲw¬ºÒ*$I÷ýIKùfoþ¥µ¯|G!gt…m-ÅÔîÿ’Iw*ÀÔZpnéͳjº2Wüá…	ЈݙI%N&5öt —‡öT»0!þŒ{@¡m£Ôx÷¹Òòj…¹!önÊûÞv>=Þ¤élž±2p¶ujÖÜT~;·=Õó]Û&ØH
+ém„ú–d‘]LÃ	îu÷êÞ‡"Pð
+|žãŽ!c¿XL;†Þ¢U ;BÈÄIÏ	pƲzw=é–O$aC£LÖÓ‘/6àÖ$uÆð.…$ßÔ³ð°[Z¤{w7­lÛèQTIÝ·çË!eöýç”$a[$aÀæ
+W0¨	–és8=-_àù»zÕ–Yk³!–#Ã	w/=¯¶ƒïh
+2ÿêüï~Ô‡÷í7¥”za> ’¾X‘}ò$hƒºo\áilT,ü}¹p ï©_çA2ÀÖ/¶õ¥ÇMdùI»M²¦%ÙøÏr‡9Ê¿X¥ŒŽ)Yú”bâhµDÀJyrä6¢e‹QÁR…ð:L'û¡ÀU3Â8âÊðÇdæþT òÉç½ùÀû w”ÿZaå|Ðâ™
+%š |ßæöY)RZé¡Òš¬OðïÎϾ}ÿæN/ZA’‚ÍÆÿ“‰d†Ë©;ë6Ÿ»ÆG¾ œT!£-sQ˜0\}F8ˆ!ghXY–àe_ݱ7‡óÉC
++äþ¯)ÿU¦_Ò‚	,TNï·`ФŠF¾xñö‡ã&<"ùÅLø›yóùh^4UŒ•)•F¬~¯‡ã6öÅNúmc0‘æƒÏ1ÑÄÎ_]µ°Á/e`wxÌÛטÉÿ¼}}±sþ¯˜mcE¤mEÂ`ú7¿;÷ƒ:)cKuÀ{A®Â³
ö±AÜÿ3Ó~‰Ôšæ­Š?GŒÎ‰òðí–è;ŒÿU«F¬ÿ@OXendstream
 endobj
-1078 0 obj <<
+1083 0 obj <<
 /Type /Page
-/Contents 1079 0 R
-/Resources 1077 0 R
+/Contents 1084 0 R
+/Resources 1082 0 R
 /MediaBox [0 0 595.2756 841.8898]
 /Parent 1044 0 R
 >> endobj
-1080 0 obj <<
-/D [1078 0 R /XYZ 56.6929 794.5015 null]
+1085 0 obj <<
+/D [1083 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 126 0 obj <<
-/D [1078 0 R /XYZ 56.6929 317.229 null]
+/D [1083 0 R /XYZ 56.6929 203.6549 null]
 >> endobj
-1081 0 obj <<
-/D [1078 0 R /XYZ 56.6929 289.9246 null]
->> endobj
-1082 0 obj <<
-/D [1078 0 R /XYZ 56.6929 260.4072 null]
->> endobj
-1083 0 obj <<
-/D [1078 0 R /XYZ 56.6929 248.452 null]
->> endobj
-1077 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F21 738 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
+1086 0 obj <<
+/D [1083 0 R /XYZ 56.6929 176.3505 null]
 >> endobj
 1087 0 obj <<
+/D [1083 0 R /XYZ 56.6929 146.8331 null]
+>> endobj
+1088 0 obj <<
+/D [1083 0 R /XYZ 56.6929 134.8779 null]
+>> endobj
+1082 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1092 0 obj <<
 /Length 2477      
 /Filter /FlateDecode
 >>
@@ -3379,29 +3401,29 @@ c
 ÄŸ½¢SSñ0»F‹Çx‰òÐM?ÄMÝ¡WÐ
 w9U^?„ÿÓCÐiÍ\‚ÙI“/Å)HÉĘ3Ç“’)¯”ªûü'ä–‚ºÁ°â+"ûæizŽŸ3Jä}.›¼ÚQH¯¥!(ê6œž¢`Àz	@S©YæéÙ­%sàe§ú[>A[Ì©îó>ºeœòo«ùûú¡Åßèùû"•‹ž^ýï.YGTbA;ø*1<þ1½Apt(&BbN>þ1f‘ÿíΧ6f¡˜6Ï¥çà™Ú!¦`6û Õø˜^V4ìo;|súÄ×e=Ë)qÌ‚ýæ	—5àL€é’&)×ÊâCx6ý²‹g²dAŒ~©qÉ,q8cèc»5‡;žIA¬§ƒû0AÜ@c´´¿>VíÅ4~òøRä¿õGàŽü³×*4±tA1RgƒÕ`3jy8˜Ÿ1)!Ø„‰ºî¡
œg[‹µS8®Yø$èiÃ"TpÏ>E_÷ZWôµendstream
 endobj
-1086 0 obj <<
+1091 0 obj <<
 /Type /Page
-/Contents 1087 0 R
-/Resources 1085 0 R
+/Contents 1092 0 R
+/Resources 1090 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
-/Annots [ 1091 0 R 1092 0 R 1100 0 R ]
+/Parent 1107 0 R
+/Annots [ 1096 0 R 1097 0 R 1105 0 R ]
 >> endobj
-1084 0 obj <<
+1089 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 1103 0 R 
+/PTEX.InfoDict 1108 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 27.00000000 27.00000000]
 /Resources <<
 /ProcSet [ /PDF ]
 /ExtGState <<
-/R4 1104 0 R
+/R4 1109 0 R
 >>>>
-/Length 1105 0 R
+/Length 1110 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -3414,12 +3436,12 @@ q
 n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãêʱ„£~Ï“a³tŒºìZDß!#Z¶ÚÂk! e'jÝ=§ _tsÙ¬ûÍ&­Nå@‚i¬ˆ3t%kÐE„\H–YZxÿ/U¥Ç™åë—Φ@±¯iWH
 þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr±ñœÓ4N.4Žæ&F°ÑTÆG%V½ Î'ÌØR5¬BÔ‹`qUžv-UÍ=ëÆåQv2ë_ ”¿­qq‚~èr¯Ú5ÌJ¼ð˜°h»P¡õ‹kÜàéÚýªå>Ò¸D°o»Îi¸CrT]¿MJ¥ ÆÖ¹’°;¿ö‹ûóZ¼¬å[Ç-œÁ¤ŸBx¿ýpü|üÈÂendstream
 endobj
-1103 0 obj
+1108 0 obj
 <<
 /Producer (AFPL Ghostscript 6.50)
 >>
 endobj
-1104 0 obj
+1109 0 obj
 <<
 /Type /ExtGState
 /Name /R4
@@ -3429,63 +3451,63 @@ endobj
 /SA true
 >>
 endobj
-1105 0 obj
+1110 0 obj
 1049
 endobj
-1091 0 obj <<
+1096 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [470.3398 484.6246 539.579 496.6843]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1092 0 obj <<
+1097 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [316.7164 472.6695 385.3363 484.7291]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1100 0 obj <<
+1105 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [304.6433 205.7899 373.3153 217.8495]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1088 0 obj <<
-/D [1086 0 R /XYZ 85.0394 794.5015 null]
+1093 0 obj <<
+/D [1091 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 130 0 obj <<
-/D [1086 0 R /XYZ 85.0394 769.5949 null]
+/D [1091 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1089 0 obj <<
-/D [1086 0 R /XYZ 85.0394 582.6901 null]
+1094 0 obj <<
+/D [1091 0 R /XYZ 85.0394 582.6901 null]
 >> endobj
 134 0 obj <<
-/D [1086 0 R /XYZ 85.0394 582.6901 null]
+/D [1091 0 R /XYZ 85.0394 582.6901 null]
 >> endobj
-1090 0 obj <<
-/D [1086 0 R /XYZ 85.0394 544.5476 null]
+1095 0 obj <<
+/D [1091 0 R /XYZ 85.0394 544.5476 null]
 >> endobj
 138 0 obj <<
-/D [1086 0 R /XYZ 85.0394 327.6392 null]
+/D [1091 0 R /XYZ 85.0394 327.6392 null]
 >> endobj
-1099 0 obj <<
-/D [1086 0 R /XYZ 85.0394 295.6795 null]
+1104 0 obj <<
+/D [1091 0 R /XYZ 85.0394 295.6795 null]
 >> endobj
 142 0 obj <<
-/D [1086 0 R /XYZ 85.0394 119.5277 null]
+/D [1091 0 R /XYZ 85.0394 119.5277 null]
 >> endobj
-1101 0 obj <<
-/D [1086 0 R /XYZ 85.0394 92.1076 null]
+1106 0 obj <<
+/D [1091 0 R /XYZ 85.0394 92.1076 null]
 >> endobj
-1085 0 obj <<
-/Font << /F21 738 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F48 985 0 R /F41 969 0 R >>
-/XObject << /Im2 1084 0 R >>
+1090 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F62 1100 0 R /F63 1103 0 R /F48 985 0 R /F41 969 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1111 0 obj <<
+1115 0 obj <<
 /Length 3448      
 /Filter /FlateDecode
 >>
@@ -3507,54 +3529,54 @@ JNvE@
 fGK»dªNÒ)h*ói ¦ÅbZDß-’bË0¬?׆:d$|Â^ઈ	¹KqÅgƒ¿Sð|0@.ÄmA
[ƒy~~ýš~ v™âPf©k†¸‘*U–œr5hßf^i}k+8F5ÛìXþ0¿« A­
 üн ·ºü8Ól)øŒòU"»LY2Z
ËÉ ™ð°{Þ£Oº‚;{¤Þd‹¶ãj¥°^(€Åô&ÎíÏ*´Ðçºr&éñ…º²qvèÛ(øJa1	fÁ´WƒùFhr¹. —Æ,õ•Ŷ£¬Xó+¾7`èãšìÓóÚ=_‡*¯nO‚·@!ºêHC½˜§
}«fsLð+?€„7Œ]ß”‹¨xÕ²é`ž:!£H‘æEê!£P„Œ.¡N§‹vV»@Ã⎺.i¶ìCßþ6DCžiA°	ë‡-cÛ£¦`ÃÕ¶n˯þÚ7RÜõP©f´/wD§83Æ:ô:±øàô^2d~ôbÂ%–]qÀÈ­]<Çý—ÀŒœ^†@„qÈ°Ø×óàkŠ'9ýÂmÚÓ_LÜÏÁ‡ÁýfâjÙN
ö÷áºYúçȢώu™~«sÅxOø“4©ÓKÝml‚'TKHf85cN¯	zÝïîç·´iËW’Fæ\hø©¿³o°Gc“MÏú
ì“¢ôñÊ…ä*À°Î]A“C3Ë{á©•”S©VEU_ŠX»´ž#MXP¬?%§B­„šéÅÄòÖ¸»¹Ü;ÞÏŠ¸h¨©®ž;g¢ÖðrT…CT.ÓÓGϤK=¹&u^êqK­cÁg¥„°lšâð‡\Ôʹ 6	Ámƒ¾^LÑøzÚaoúú‹;Œßð:µdßÿü+=Ú¿ò5`pøo05­h2Íÿû¿mæÿI’:Y–,Ç…2"ÌJ<‰Î8wÿ–sÎú¹<ÒÐendstream
 endobj
-1110 0 obj <<
-/Type /Page
-/Contents 1111 0 R
-/Resources 1109 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
-/Annots [ 1114 0 R 1115 0 R ]
->> endobj
 1114 0 obj <<
+/Type /Page
+/Contents 1115 0 R
+/Resources 1113 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1107 0 R
+/Annots [ 1118 0 R 1119 0 R ]
+>> endobj
+1118 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [464.1993 465.6151 511.2325 477.6747]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1115 0 obj <<
+1119 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 454.6761 105.4 465.7196]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1112 0 obj <<
-/D [1110 0 R /XYZ 56.6929 794.5015 null]
+1116 0 obj <<
+/D [1114 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 146 0 obj <<
-/D [1110 0 R /XYZ 56.6929 531.1808 null]
->> endobj
-1113 0 obj <<
-/D [1110 0 R /XYZ 56.6929 497.8268 null]
->> endobj
-150 0 obj <<
-/D [1110 0 R /XYZ 56.6929 342.6181 null]
->> endobj
-1116 0 obj <<
-/D [1110 0 R /XYZ 56.6929 307.0547 null]
->> endobj
-154 0 obj <<
-/D [1110 0 R /XYZ 56.6929 119.358 null]
+/D [1114 0 R /XYZ 56.6929 531.1808 null]
 >> endobj
 1117 0 obj <<
-/D [1110 0 R /XYZ 56.6929 92.1345 null]
+/D [1114 0 R /XYZ 56.6929 497.8268 null]
 >> endobj
-1109 0 obj <<
+150 0 obj <<
+/D [1114 0 R /XYZ 56.6929 342.6181 null]
+>> endobj
+1120 0 obj <<
+/D [1114 0 R /XYZ 56.6929 307.0547 null]
+>> endobj
+154 0 obj <<
+/D [1114 0 R /XYZ 56.6929 119.358 null]
+>> endobj
+1121 0 obj <<
+/D [1114 0 R /XYZ 56.6929 92.1345 null]
+>> endobj
+1113 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F55 1070 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1121 0 obj <<
+1125 0 obj <<
 /Length 3046      
 /Filter /FlateDecode
 >>
@@ -3574,29 +3596,29 @@ H8
 ~'sd_èc\Ñgbe8ÓÚ¤ã*;O£
 ~Èø­ÁD0cJ‹Õ–Z~>¶ôú/×ÌÀ8SÿóÏeò¥›ÌqÒ0OþûK¯S¾%8@ïƒê½k,,ª]»xß,6å¾<Ž2¡f‡àÇ©RL3ü!å„TàÏ)üïþ½fﶨN9‘¤(É	ºMGÞBiTøaç1éÿÆv–endstream
 endobj
-1120 0 obj <<
+1124 0 obj <<
 /Type /Page
-/Contents 1121 0 R
-/Resources 1119 0 R
+/Contents 1125 0 R
+/Resources 1123 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
-/Annots [ 1123 0 R ]
+/Parent 1107 0 R
+/Annots [ 1127 0 R ]
 >> endobj
-1123 0 obj <<
+1127 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [417.8476 169.1947 466.5943 181.2543]
 /Subtype /Link
 /A << /S /GoTo /D (sample_configuration) >>
 >> endobj
-1122 0 obj <<
-/D [1120 0 R /XYZ 85.0394 794.5015 null]
+1126 0 obj <<
+/D [1124 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1119 0 obj <<
+1123 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1126 0 obj <<
+1130 0 obj <<
 /Length 776       
 /Filter /FlateDecode
 >>
@@ -3605,21 +3627,21 @@ xÚ½WMs
 f[¦¿#ž¯³ÔZ_së2³®(£˜õÂ\â{žêâ)Ô<Ú\'T®£$Éî­œE)_Q&ÏΡÓLQ@ÅéÜé®>ÉŸT\›Êåó Œòœ­ã\înn){¬pÅ1å¼?lôŠ¹N%í|Ú.ï‚€0ß2.×a—¶&C ôAÿ!ɪ¦N_MÕ㾚n„XTAþˆJè’(ÏK‹=¾Î)ô¡ôâl³×”£ØBš?^·bi³\­ ½Ý
2¨‹e¦„Ä6ª“„åë;ZW,Knóº…j·×òVƒöI¸ÛUû_ÂCÿêžYÚR¼”é•O"Å]WX§
 üVU”¡´i7DÁín-ñRcí¡	Èâ›¶Ú++ŒÞáÕò¾î4°ò¹s÷¢¾î­#L?¬—vï]‰Åo"V׸¯úxE¥þWÖäÃJbŠÙm;Ö‰PDL‡Ž…›y=_ÃjñÚ¯¦#yp•ñ¼|ß·‡Z9‡Éuœ¥çâËO2Xk†|,Š-B@;U‚((}€š‡23Ý(M\PÌ¿šÁÖ2ÛyÌÞþÃp&€ø>®'èÕxâÇN*Pw«y¼ý/ÙTbendstream
 endobj
-1125 0 obj <<
+1129 0 obj <<
 /Type /Page
-/Contents 1126 0 R
-/Resources 1124 0 R
+/Contents 1130 0 R
+/Resources 1128 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
+/Parent 1107 0 R
 >> endobj
-1127 0 obj <<
-/D [1125 0 R /XYZ 56.6929 794.5015 null]
+1131 0 obj <<
+/D [1129 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1124 0 obj <<
+1128 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1130 0 obj <<
+1134 0 obj <<
 /Length 1487      
 /Filter /FlateDecode
 >>
@@ -3633,90 +3655,93 @@ Yj
 Ö,ûdÒ$œfÅ¡.JHÙìƒé¦çëÕ±òSÛÍ`¬ÅƒñH-‡oS#PâhÃTŠÃŠv+¹†KÇ(dMˆŒ9È0×Qtø¡ÃìÊ’
¿ŸÂÃMCó3¸cTƒ¬;c¯DÙW¸ŠYf1@“¹•Ø¼:4˜] Ó>àd›Ó}ü‘¦lÌ–Þ²júª°àšºÃ‚·0N¿-͹OR{î“l§^s(.hL2P	!ƒ$õ²¯ß{6azƒ5dVPèE©ìX«ÞoÝNr	§BgPÝh‡M×,[¾Y!·ØÖŽìdãa¿‡] çnÀó§)ƒª£ä­u¯ßˆV6¦Ú
œÄÀ¯—½»›$Hõ·ÞMÊéñ½F$õ³Ä
 ZTàÔzkÑžìCh÷’#á~;0P›e©oÕz_–™¾½ýѲ>•Ž7%qnÕ5¼;à›>¼jF·“m+¬dm{ìö£ÑLìEÖ;ìžâ°	wÎ@Ã;„øŒF!´a—§1‰i[rêKž3úóÛñÝM·/Û_þÊßý¬&P"©¿ý€?€Ðë‚ÒÀýàùöç€ÇÐÿ¾Jendstream
 endobj
-1129 0 obj <<
+1133 0 obj <<
 /Type /Page
-/Contents 1130 0 R
-/Resources 1128 0 R
+/Contents 1134 0 R
+/Resources 1132 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
+/Parent 1107 0 R
 >> endobj
-1131 0 obj <<
-/D [1129 0 R /XYZ 85.0394 794.5015 null]
+1135 0 obj <<
+/D [1133 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 158 0 obj <<
-/D [1129 0 R /XYZ 85.0394 263.5848 null]
+/D [1133 0 R /XYZ 85.0394 263.5848 null]
+>> endobj
+1136 0 obj <<
+/D [1133 0 R /XYZ 85.0394 220.0831 null]
 >> endobj
 1132 0 obj <<
-/D [1129 0 R /XYZ 85.0394 220.0831 null]
->> endobj
-1128 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1135 0 obj <<
-/Length 2338      
+1139 0 obj <<
+/Length 2256      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Y[wÛ6~÷¯ÐéK©“%^ÀäôAqœÄm¦µÚ—¦KLxqÊŽwÏþ÷`)Ó±·k?ppÌ|sƒø$„>IR–æQ>Éò˜%!O&«ê$œl`ìí	§93?iÖŸõjqòÑMr–§Q:Y\õö’,”’Oë¿XÀ¦°C,.ÏßNgò08}7ÿ°8ûšISpÂüõŸSÎy0zö‡^¿¿DâÍÙ|šÅÁâßÏ.§/~:9[tüõïÀCa™ûrò×ßád
Wùé$d"—Éä!ãyMª“8,‰…ð=åÉåÉo݆½Q·tT&¿¬*„ÄVÁHã¬3R—£§™g€X”Šú(|nvª"üö³¥¬‡hx$¢'Ó’$†Z«VL²WuØ\0[eg‹ÞO›ë»Îût&߯;.Ac^[>þ¿êòÏ(AŠZ›§Ø®¨L¨6ÇÒwÃ!ôáÑÐiV͵Æ>‡YøBÝÇppŽ¢}I»xÊ­Y›kHÕ°§Ò€áº0-Ø6ûríOÅ>‹cjyÖ±–@KóÒn^ï°«}³ø0…"Ö¥Ö7š-Q­.õõ¶©5µu»zªné漆J¯ÑŽÞÝ möê½nbÓ÷ÓI5â×R:ëãÕÐy¥6 Ë‘KH¨Vcùx±¦yòÍjCÙövB6Gk6KÚ•ˆ'4(€
-ã¸Â:ÊW
-Ÿ¬»ìÆcYwE4n5Að½‰ÂQÂY&^¶v[³US_ðžBÄNS/LQFŒ*S™C& ôeÊH6ëzþí`è4£*7Ͳöj˜:¿|È[³¶¿{(£ø—ÎFOûÏËqHõïAéµ<°ö|D©dYw ðÿýÝãŒÉ(ÌhâsÔ9f¿™OÔ¥iŽÒ8fö×Ö98ÝCÿ’Æ_¿ÍpFÇé Bårl{"z!v $0Àn–E~Y¸TC¤1åì–ò_e?Iït{;¨îl5u˜—P]i«m];,ãvŠ¦i1V¾Çà€A&û$ðBÒ
-ÿX²$žë¦žÝ6»’Îô®ZbÉ‘óZbaLO%PzDÑ‚UMq£‡iÀˆ¡RßcÃ6ûlܯÕ®÷ ƒrßí½¼•-èDöI%9˲Î#òTA!T¨GÉŠc$õåZi@SÔ­>}‚az¢(™dÂ7uñ/±„ŠX‰tøp¦¿,¬½ò=´«wm–¦
5Èœ*¿•1jãW›¥”¡¹X÷µýó±˜è ƘuYŽ.®îFlaP-…Vˆ!‹;¿úÖ$ìr†`‡ö«0|µwÉ¢?Æ*_¯gÈÛàzÈjs¼]ÓÒË{,Ú‡·ßyô²ñh@»€IéÐþ@Hâý£ï‡öÇ_t½—	ýs•¥ÔA‚ùð•6”Ý+­k´·
îeIçPQÝ€>á$;XY0íþKm›’N¸Ýúí`©m<+øõɤd‹í¨žàéýãø©‚GÓ¤âŸóÃSüHºÄ™ÈxþXº4x’¦4±8NçÎ?t#¿û'KðG"zô1|¨yÑñÐVèL¼xè'ˆ öw‘@ÂÎþïŸ[¿/A°RF‡_RWÈ$‹í“1e/‚O'Îýï2÷Yÿ/`záendstream
+xÚ¥Y[wÛ6~÷¯ÐéK©“%^ÓÓÕqb·Mš­Ô}iúIÄ”G ìx÷ìß‘{»ö×Ì|sÄ&!ü³I’i“¬ˆƒ$dÉdU_„“-Œ½½`fŽo'ùýY?..¾{óIi”N›Þ^yæ9›,Öx° ˜Â¡·˜ß¼ú‹ŠÐ»¼ž}X\ýÍ$„)4aöúŸSƘ7{yõš†^¿Ÿñæj6ÍboñûoWó韋Ÿ.®N¾þXÈQ¸ÏüNÖp”Ÿ.€y2¹‡F°¢ˆ&õEœð ‰9·=ÕÅüânÃÞ¨^:ªO£¥DlÂXP$I4ÐJR)¸Ó
+›ú,Cï­lä^t’:߉½\ý³|PDmÚ=Wbµ#êƒ(M_»¡ïu«:…ÊxÏ.ᆃ$ã…æ=›úœÇžFS–{ÈL·åŠÚ¶¯TÔ¿5â™i]Kߥ¤i§Û,ew/eCbÇ£QTœ‡ȃbì@Z6"mEX˜I¢Yí„VKóÞFÑØFÎœÛ4Ƹ7kHL±_–Ý^ì¨ù—4D#j9<ÿ
+ö—Í+dz,Ò d1¸Y˜0þ1Šb}_Ë`øq ß»jH¤êƒêˆZšžÎÎVnRÛ˜)mg˜FÛ/⻫äòÓÛâ×­bŸ>‡"ú´žýðÃs‘w¢æGôšDA”s«±ÿ'‹y§ÑÓª>××1C<ª±±Ôà³"	2¨kÆRDdRÄ;ÑDõ7óCij¡L<”8®=ûËúV{ô	úì#CzÙç@Þlª«蟅‘-îûôëˆóŒÇ`Þ
ï]«ÓÙüòæÆl¬mªc¡q'ªr=]~ÈóázLbB©CM0áÎêÁpì,Uïœ9äüª+o«ÁÙrÏìO~‚ý
©'7‚éÎhýn¯Ììþ)˜F†T;)ï›fpJŠ6C±ÖШL	ãJÂcÖí¹Ð¬R-Š‘1}è4óþjÚû†HçV@ 4øw0}ÝŽâÊa»Á3Ë#`XØ°®	#X'3示ŒN3+±¬„é»%†Û½¨-}Ö!‰ÉÁµrH'ùYtâè’½‹–k)øb˜;_´žxÙÞ>¸èã\¾5˜ƒÅ¬µ´œðýÑ•ˆïà–P6R=Çw5@󔀚'`Œ‡Vãúˆ5tªU{+©Oc¾p5hpF¢ƒƒ$.Æ2M4êê(ê©%`¸)UmìÚCµ¶\©qŒ©–eN´
+M3/uózÌF¼öÍâÃ©„”²5Q'+y»kiÚ²[=×6ÜØæ¦ËX=b¹¿#ßì]ÉÜ(ä¦o§Iâ™ñ«/¥êtŒ{ÒB7µØ‚-G®A<‡eœ?}Ÿ
+Ó"ùê…ŠÁÍöv2EãØ~ —ÔÝâD¿Æ<ÞQ)ãôtR¯”¶X»êÆbYº{.m5õ¡DÿVdá(aA&V
x½Z«¶ÙŒÈžBÆNS«*QFŒ.y}L¥ ^ «Ñ³jV÷ü[ÃÐ"hFQmÛ}Ùíê³êùûÇb1z6Îýæ±¢âZê2üÏ÷ã¨êŘ$>	ý±±	·È!¢÷€MsíòyļyIéºMÝ;Ð7¦¯ÏHû\°O8šZºÅ`¾¶\èÒ„”ÎÅ¡ÒÏÒ,y|7yXmã}Œ%^Ó6þ}»Ç`ÃYê®rbIõ;ÜÍ0àLºÂÁºµAÏñ2PÞ™1»­Á7vé["vQsÀ00¤	¶Œ&žúÉ(Vc¨½:¸½—#Ú9‰Œ_ÕNRYæ<‰’»o;‡9^%uÖ†ìÙ–
YÖVIj=LrI2gãmSþKzQÚúäši
k7¶Çìj#ÒfC	:7…ÝJ)±µ+ÊmCˆÊPK'¢£”øîør,• JyS±‚°.7D
+€@¢3	ó?7›¯M¢.mH:¬V ðæ k,Ë/׈<–·¡õVuº‹9&ÒË3ñIi$ÞØÓ?7Æ.B-w´?’	‡ñüw%Ï3âÓo•&°ð0·O0a¯ðåa1|„Aûþ¨Ý}K„~3#R×Ödn@·
+ʬ¦§9ÜiF»¶2îwvûGDêZ+
+}mM•Ìb7jƒççEólpzÃg”)ÿ»9ðøȸƒë¥sÎ9D=ùÌ;¨o¬êXˆÛ€¿zìÇHæ|ìi?tðÿpüå$ΞçÑñ7‚Á²<ˆñ%Á…¡‡äö‡sÑÿ¿“¾endstream
 endobj
-1134 0 obj <<
-/Type /Page
-/Contents 1135 0 R
-/Resources 1133 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1102 0 R
->> endobj
-1136 0 obj <<
-/D [1134 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-162 0 obj <<
-/D [1134 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1137 0 obj <<
-/D [1134 0 R /XYZ 56.6929 749.2418 null]
->> endobj
-166 0 obj <<
-/D [1134 0 R /XYZ 56.6929 703.0989 null]
->> endobj
 1138 0 obj <<
-/D [1134 0 R /XYZ 56.6929 680.1552 null]
->> endobj
-170 0 obj <<
-/D [1134 0 R /XYZ 56.6929 533.6481 null]
->> endobj
-1139 0 obj <<
-/D [1134 0 R /XYZ 56.6929 510.7044 null]
->> endobj
-174 0 obj <<
-/D [1134 0 R /XYZ 56.6929 421.9372 null]
+/Type /Page
+/Contents 1139 0 R
+/Resources 1137 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1107 0 R
 >> endobj
 1140 0 obj <<
-/D [1134 0 R /XYZ 56.6929 391.3503 null]
+/D [1138 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-178 0 obj <<
-/D [1134 0 R /XYZ 56.6929 345.2074 null]
+162 0 obj <<
+/D [1138 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1141 0 obj <<
-/D [1134 0 R /XYZ 56.6929 317.2705 null]
+/D [1138 0 R /XYZ 56.6929 749.2418 null]
 >> endobj
-182 0 obj <<
-/D [1134 0 R /XYZ 56.6929 120.3964 null]
+166 0 obj <<
+/D [1138 0 R /XYZ 56.6929 703.0989 null]
 >> endobj
 1142 0 obj <<
-/D [1134 0 R /XYZ 56.6929 92.4595 null]
+/D [1138 0 R /XYZ 56.6929 680.1552 null]
 >> endobj
-1133 0 obj <<
+170 0 obj <<
+/D [1138 0 R /XYZ 56.6929 533.6481 null]
+>> endobj
+1143 0 obj <<
+/D [1138 0 R /XYZ 56.6929 510.7044 null]
+>> endobj
+174 0 obj <<
+/D [1138 0 R /XYZ 56.6929 421.9372 null]
+>> endobj
+1144 0 obj <<
+/D [1138 0 R /XYZ 56.6929 391.3503 null]
+>> endobj
+178 0 obj <<
+/D [1138 0 R /XYZ 56.6929 345.2074 null]
+>> endobj
+1145 0 obj <<
+/D [1138 0 R /XYZ 56.6929 317.2705 null]
+>> endobj
+182 0 obj <<
+/D [1138 0 R /XYZ 56.6929 120.3964 null]
+>> endobj
+1146 0 obj <<
+/D [1138 0 R /XYZ 56.6929 92.4595 null]
+>> endobj
+1137 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1145 0 obj <<
+1149 0 obj <<
 /Length 3003      
 /Filter /FlateDecode
 >>
@@ -3733,47 +3758,47 @@ M1
 ²y¨®· èÌQq ¸€
äÄ‚Þâ8Á২Xt+S¾*a.ŠB»îæP“õ„yà@%Ѥ<¦áǨ	§Ëã¼Î¢OÔqy9xz’ÒX3{C·w"®ghÅïahâÞ²Ÿâ?­ÑÜ^ü²~Â%¯Ø­¡™>€DM_mà*8Û(ÒÁ×ÁØH´‚yCYG8!¾	Oã'AgÀ`Ùé¹ìIöë]ˆÌØ5:v<ðÙló¦êvLåè pþæC¾Û²)ÑKR¼„,âзùÈÇÙÑKmˆú{ÎG¡³¿o™ŠÁ=e°JcT6QFñŠâ(ŠïÃN¦§cvpFåÀ“¡r̤øÒ!Åx+€S«á=AÔf$ÿzóÀ-&ÏV-Ë2Iu2yÿ†R°"LP =È;ºîçšbŠ-/5À“É˜Ñb,ÜñÉÊp’¦oo±Jñ›H–NmN¸ÀG¨Ð½7Áf«åkHî4¿Ú—«·e]ïè:†M Kùuâ¶"¶ô,Jï‚XÇCzH«AVFåŸeíœ	ó" ƒÊ×£=ÑRº^yÝoÛÃ-JgÑWlǹ!t8Pò­´src7Ém9ÜÀrúBÃ(Æ·ü0Å?á`øJ“·[oçò#«“ÈeCÆóôUõøjÀL£$…W’°ÓÒ÷&"!ôJQ MÁ‰…¶öQB|^‚¿á6ãä}‘ÒJl5ìÑJe²“Èú‰›g -O”ÑÏîÝ©ÄOÌ”¤'Ù‰‘IOŒLn*ÔØ»ùšeøS”0µ2xx06ø¬®²xz…¦ïÃǯk
 Nï/Ëâb÷ìöb†óg)齦;ù"qž~ƒk)ʺìÉ1䇆ïb!yÏÅç„OaÛ\xE‘?Wí¡O=ƒ¡’'mlÇ~úac^¥Š>¶?gPåÝœF[Ïö’J|3f{‰MJb¡¹©+º|X'Sê³cØ؉ÖäžFcäTün‹Rÿ•üvòÀLóâ•€,±>ÈŠž?VòEôiäãøÄQåw²ý»}E€`ÐâÉÇ+Ù½åì’)3ËÕ8ä¥Ç…cv·òZó}õP}eÀ*B4ƒŽÀ:zÛÃÞª— ÛðË MÀ±˜0‡p59~•eñfc‘ÉÄ“·@C]à|d¤U*_" WàP)§¸a/¾VÓcJ¼¼¸éɈ)L#Én@-ø°ü€rÍ>Þå{ˆjª»œ<,²²¾²oÔªá|{âG	ÖGøK‚™‡:5¼_ýß?X8þBÃ%‘MS3ÿâž'JM–¡^ãO%~ÙðXôÿ5eÉ}endstream
 endobj
-1144 0 obj <<
-/Type /Page
-/Contents 1145 0 R
-/Resources 1143 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1151 0 R
-/Annots [ 1148 0 R ]
->> endobj
 1148 0 obj <<
+/Type /Page
+/Contents 1149 0 R
+/Resources 1147 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1155 0 R
+/Annots [ 1152 0 R ]
+>> endobj
+1152 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [101.3082 428.2743 169.9802 440.1745]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1146 0 obj <<
-/D [1144 0 R /XYZ 85.0394 794.5015 null]
+1150 0 obj <<
+/D [1148 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 186 0 obj <<
-/D [1144 0 R /XYZ 85.0394 599.3467 null]
+/D [1148 0 R /XYZ 85.0394 599.3467 null]
 >> endobj
-1147 0 obj <<
-/D [1144 0 R /XYZ 85.0394 570.7212 null]
+1151 0 obj <<
+/D [1148 0 R /XYZ 85.0394 570.7212 null]
 >> endobj
 190 0 obj <<
-/D [1144 0 R /XYZ 85.0394 411.9765 null]
+/D [1148 0 R /XYZ 85.0394 411.9765 null]
 >> endobj
-1149 0 obj <<
-/D [1144 0 R /XYZ 85.0394 386.1565 null]
+1153 0 obj <<
+/D [1148 0 R /XYZ 85.0394 386.1565 null]
 >> endobj
 194 0 obj <<
-/D [1144 0 R /XYZ 85.0394 219.8396 null]
+/D [1148 0 R /XYZ 85.0394 219.8396 null]
 >> endobj
-1150 0 obj <<
-/D [1144 0 R /XYZ 85.0394 186.413 null]
+1154 0 obj <<
+/D [1148 0 R /XYZ 85.0394 186.413 null]
 >> endobj
-1143 0 obj <<
+1147 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F39 927 0 R /F21 738 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1154 0 obj <<
+1158 0 obj <<
 /Length 3066      
 /Filter /FlateDecode
 >>
@@ -3798,39 +3823,39 @@ O
 H³*è7Èîˆkúí˜ÀÜÎçÝh"g4ó“"ô2cb’V9+CwpyV„¦ÃMµqä:¾”‡-˜1ŸLE”CCÆù8•ë{!ô÷2V‰Žðç?FE©IãÑ¥kÙ‹°ÃÝmL•VeêõQ$h “ÿí­æuôÙOÚa÷tMb’±5€­—¡uÙ,P™$S Bñøé×—…HÁ>žQæ—ËðÑÙ	L€ŠËÑò<‘&‹²D$þ>ôeÏÓ‚¾dy£ð}-JÚÓÖ\5á~-ýŽ€ž¦ŸŒ0ßÅÜT“ž^÷)‡K|"¦:=ëí'ƒŽ/bfà>j¾ÙPd&BÎ)7[”žè×üüíÂgcú¨#­Ó3ƒŒ/efl¥,ÕèûR¹·ÎøÊI\щ‘¯³ûÁ]óá,šf}€|9œ.P¡¤ï¦÷vÔ½Žwd,pe‰¿êlÁ˱&ô@ƒl¸š+ž0EF/}ÖW:Âoñ3áEè&þïOþÇ¿uH²HÏÍ}¢ÄÀ",”ûþ˜žIîÿ6à\ôÿRw²Hendstream
 endobj
-1153 0 obj <<
+1157 0 obj <<
 /Type /Page
-/Contents 1154 0 R
-/Resources 1152 0 R
+/Contents 1158 0 R
+/Resources 1156 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1151 0 R
+/Parent 1155 0 R
 >> endobj
-1155 0 obj <<
-/D [1153 0 R /XYZ 56.6929 794.5015 null]
+1159 0 obj <<
+/D [1157 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 198 0 obj <<
-/D [1153 0 R /XYZ 56.6929 714.3337 null]
+/D [1157 0 R /XYZ 56.6929 714.3337 null]
 >> endobj
-1156 0 obj <<
-/D [1153 0 R /XYZ 56.6929 679.6003 null]
+1160 0 obj <<
+/D [1157 0 R /XYZ 56.6929 679.6003 null]
 >> endobj
 202 0 obj <<
-/D [1153 0 R /XYZ 56.6929 548.3115 null]
+/D [1157 0 R /XYZ 56.6929 548.3115 null]
 >> endobj
-1157 0 obj <<
-/D [1153 0 R /XYZ 56.6929 514.8119 null]
+1161 0 obj <<
+/D [1157 0 R /XYZ 56.6929 514.8119 null]
 >> endobj
 206 0 obj <<
-/D [1153 0 R /XYZ 56.6929 311.7264 null]
+/D [1157 0 R /XYZ 56.6929 311.7264 null]
 >> endobj
-1158 0 obj <<
-/D [1153 0 R /XYZ 56.6929 283.0279 null]
+1162 0 obj <<
+/D [1157 0 R /XYZ 56.6929 283.0279 null]
 >> endobj
-1152 0 obj <<
+1156 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1161 0 obj <<
+1165 0 obj <<
 /Length 3191      
 /Filter /FlateDecode
 >>
@@ -3847,33 +3872,33 @@ xÚ¥
 »}~ú¿ÿ_có/*à
 <ó¿bp|³sD ™Â+:Á6çí?vì²þ_§*¸endstream
 endobj
-1160 0 obj <<
+1164 0 obj <<
 /Type /Page
-/Contents 1161 0 R
-/Resources 1159 0 R
+/Contents 1165 0 R
+/Resources 1163 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1151 0 R
+/Parent 1155 0 R
 >> endobj
-1162 0 obj <<
-/D [1160 0 R /XYZ 85.0394 794.5015 null]
+1166 0 obj <<
+/D [1164 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 210 0 obj <<
-/D [1160 0 R /XYZ 85.0394 701.5077 null]
+/D [1164 0 R /XYZ 85.0394 701.5077 null]
 >> endobj
-1163 0 obj <<
-/D [1160 0 R /XYZ 85.0394 671.1418 null]
+1167 0 obj <<
+/D [1164 0 R /XYZ 85.0394 671.1418 null]
 >> endobj
 214 0 obj <<
-/D [1160 0 R /XYZ 85.0394 474.6626 null]
+/D [1164 0 R /XYZ 85.0394 474.6626 null]
 >> endobj
-1164 0 obj <<
-/D [1160 0 R /XYZ 85.0394 446.9467 null]
+1168 0 obj <<
+/D [1164 0 R /XYZ 85.0394 446.9467 null]
 >> endobj
-1159 0 obj <<
+1163 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1167 0 obj <<
+1171 0 obj <<
 /Length 1997      
 /Filter /FlateDecode
 >>
@@ -3888,22 +3913,22 @@ m
 °F:J”år¸IŸR9qsÆG²þKǪtÉ÷Ò9‹­zÁ]Ü‹Ç®`PfÃ	[2¢ÜÒ©‚H9-,Ú„1OÊÝ€ñ÷½xPN<óèSšŽÙ¿~…aÂXOpr9ª€JÔþ“ÓoÁ2‡$Y*åE@þ|]¥LdÖçÄþçªþ©TéÜ.#é¹Rþèt¾äežå…k§FÒã£'¥Ÿvúžå>Yw°Ø‹dÝ›¨%ÚìȯÀ,å”i†Áß@Î1[´­t·0Êw‹j3vúô†gœ³çûÏk[ÛLîž®w">Ó€yØ0·»âËË	˜OZ(´Yå(Ø{:HÄŒ<»žé2rcx>£’=ó,عoªÄ€RŠYMŽQÀÞgô3‘òü-ýþkt_í±Ø)aúž$Ÿm˜ÎûKð©ïiÏðI|yg\‘£“³F9wtùz:;¥Ë%²CJåãt†2|Æd€˜ºH£’1=œ¦´¼ÀÉzqL_²ED? öÞÓþQñ»/Èüç.h¶ZÑ>$yâ3o¼P6Ò)¤#_JÜóOI+Ì‚æùì”f¬‘ÜWYî(¡ÌØs:í\,ë/Ï2i³H½	3˜nx ÃOEŒà®û¥:('œíã<
 i²ÇãsíÛå˜Et¯Ó3Ý<¿Oµà%y~b½W«ý¼Ò\ã”—ÌÚ¶ƒïÕÌýÑ…ŠéxŒqÑOàqsýé>»½î±$¡â®CÛ.ÇKÔH*›º¥Ÿß¡øú¿rŒYendstream
 endobj
-1166 0 obj <<
+1170 0 obj <<
 /Type /Page
-/Contents 1167 0 R
-/Resources 1165 0 R
+/Contents 1171 0 R
+/Resources 1169 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1151 0 R
+/Parent 1155 0 R
 >> endobj
-1168 0 obj <<
-/D [1166 0 R /XYZ 56.6929 794.5015 null]
+1172 0 obj <<
+/D [1170 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1165 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F62 1095 0 R >>
-/XObject << /Im2 1084 0 R >>
+1169 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F62 1100 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1171 0 obj <<
+1175 0 obj <<
 /Length 2836      
 /Filter /FlateDecode
 >>
@@ -3920,48 +3945,48 @@ MH
 ÷ÛVƒÄ¤IG¾€b
!‰¬¹èQ‹8Ƹ»—ízS›ÁPjÒÇ©	¥VepóñDžÁìl{­$úOÑX*2*6›»G§bX!_UœHïöeKSj´Ø6`¥~péØ+€½`’NàÞ÷á^?ÖnsähMákNÊ=u[Ž'Ä"ìaÛ5(=Ep4”ÑlgÓSÇÈÂèf	¶Zì¡ZnëÂ;ºÂHðôò·]r1@9
”±¢ŒM05vU†%nK–JjQþžÊšÇénT/ÀV½oeº ›Wéž*³s³•KºfÌ·d{Ä%jpqìQ– _«çó¯tA§î¬1Ç·J3–B¦âê½ý.G›ÝƒûVu|ñáÿÑ-H|/è¢n¡œU¾§:g’½|@ÆÌ<èCò/¿Lz¬àâ%5䂹Ü'„–RšóÜ~íäBŽí:0I
û9¨”ZXàþßT’hò¹ß—>êͺqßJ¦›wÍ8uðÌ•Ú[ sÈ>®ÉÓGU”ÖìÓLÒ76°¹+:ˆ]Ú°`;^é¿Zm¬x2Ž&©Úƒ¶M]}5DâãZC¬&oÐë7fYa ™~*UŒ®ŽŸàBžôãÃ÷‘kBPó¾
?dS«àû¨3ÿ-0aŸ’AbqhO=’ƒüëÓÍåOøU>áã1é~òuòØâ÷—Tª|¸+æôM§Þp
PÄYyŸ‰i§yøŒ½R±
m¥È€‹ªYjpg
µÂ>ù>zôàRÕÓAÊu°àÕ³^(¥ýaBÙ¯r–
$ŽòßqíNC#¹n·arÖšÞ{dôàWKCè#`*_{‹¢ÆNý‹oxœ0—	<ÚÇNåìlÿÎDù$ÉXìÒÊ‘~ñOâÌ*ú£lÈ4 ¤’,Ö©x™ äT‚ðoÎ+z<¼‘2®lKê~D¢œÿ9ƒ¾ôCj³½±%…“í†ÆÂmD.Tn£qw"`qÒW$Ïí{i©&Ñ_ôAŸÇî[”edê©.æÁŠ÷Òô14Ô"WG7›P˜OÈ„Gôæ€ïþÍuÿÝ0N™Ê2ùJëÄ–É<õLY½øEX«ŒéL¦¬ÿ«ÂÓÎendstream
 endobj
-1170 0 obj <<
+1174 0 obj <<
 /Type /Page
-/Contents 1171 0 R
-/Resources 1169 0 R
+/Contents 1175 0 R
+/Resources 1173 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1151 0 R
-/Annots [ 1177 0 R ]
+/Parent 1155 0 R
+/Annots [ 1181 0 R ]
 >> endobj
-1177 0 obj <<
+1181 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [377.8384 347.6929 436.8266 358.4773]
 /Subtype /Link
 /A << /S /GoTo /D (ipv6addresses) >>
 >> endobj
-1172 0 obj <<
-/D [1170 0 R /XYZ 85.0394 794.5015 null]
+1176 0 obj <<
+/D [1174 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 218 0 obj <<
-/D [1170 0 R /XYZ 85.0394 558.7948 null]
+/D [1174 0 R /XYZ 85.0394 558.7948 null]
 >> endobj
-1176 0 obj <<
-/D [1170 0 R /XYZ 85.0394 526.9277 null]
+1180 0 obj <<
+/D [1174 0 R /XYZ 85.0394 526.9277 null]
 >> endobj
 222 0 obj <<
-/D [1170 0 R /XYZ 85.0394 332.8718 null]
+/D [1174 0 R /XYZ 85.0394 332.8718 null]
 >> endobj
-1178 0 obj <<
-/D [1170 0 R /XYZ 85.0394 303.8962 null]
+1182 0 obj <<
+/D [1174 0 R /XYZ 85.0394 303.8962 null]
 >> endobj
 226 0 obj <<
-/D [1170 0 R /XYZ 85.0394 175.3419 null]
->> endobj
-1179 0 obj <<
-/D [1170 0 R /XYZ 85.0394 146.3662 null]
->> endobj
-1169 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F65 1175 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1174 0 R /XYZ 85.0394 175.3419 null]
 >> endobj
 1183 0 obj <<
+/D [1174 0 R /XYZ 85.0394 146.3662 null]
+>> endobj
+1173 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F65 1179 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1187 0 obj <<
 /Length 317       
 /Filter /FlateDecode
 >>
@@ -3971,21 +3996,21 @@ xÚ¥
 Ŭ­êN*-"y9,º£²n7ã"O2-Â|VÔÉ*LYÎ$}ZBuÀxgËòM„ž2åá_ñ€@ÞKÞ0m­Ô©²c5{8önO¯¦GRYy%>M½ødFàœ‰îŒ«¤:æ÷ºÿø„í÷Só¶ÛÂzßÄ,¢xDCÑ)KW¼ÄIà‘ÿ'ÿý:åœ> endobj
-1184 0 obj <<
-/D [1182 0 R /XYZ 56.6929 794.5015 null]
+1188 0 obj <<
+/D [1186 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1181 0 obj <<
+1185 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1187 0 obj <<
+1191 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -3999,59 +4024,59 @@ M&P
 ïp,'èñ+)jä‘jåQúk ©ï¯‘ÙYºÝÕ¡Eâ¦Á§âÛð´â·I-§Ñ;ÀÍÍ$b®»Ö¬Ý‰ÜQµ㩺›{JýÐà4;,ÿ‰f`¨º
‡W$‚7€Úù«1[Ë/¥nÆÏX	 «EšQS£»»·ž;šWïP{“øÄDN)ój=u”ö¬ÊùßC;»òÕ]Û Ñ_;Œ`ÝÄF
 q…7ÉGb†N0bèKNôJ…$ȳÈBÏ"g¥OØêåýµ	G’^—=Ys{}ñJE½Ó6l`‘“TÈ‹«Ã}%­JüŠÆ‹ŸêIÙmS:_Óß	Р*çóýÃì(š´ªŠúºWy÷ËÓü-1~!EŠß×¾6F‘íE†>5.NF¸áb‚Ý®6¸|»ÜÿÏ“vendstream
 endobj
-1186 0 obj <<
+1190 0 obj <<
 /Type /Page
-/Contents 1187 0 R
-/Resources 1185 0 R
+/Contents 1191 0 R
+/Resources 1189 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1192 0 R
+/Parent 1196 0 R
 >> endobj
-1188 0 obj <<
-/D [1186 0 R /XYZ 85.0394 794.5015 null]
+1192 0 obj <<
+/D [1190 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 230 0 obj <<
-/D [1186 0 R /XYZ 85.0394 769.5949 null]
+/D [1190 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1189 0 obj <<
-/D [1186 0 R /XYZ 85.0394 576.7004 null]
+1193 0 obj <<
+/D [1190 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 234 0 obj <<
-/D [1186 0 R /XYZ 85.0394 576.7004 null]
+/D [1190 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1190 0 obj <<
-/D [1186 0 R /XYZ 85.0394 544.8207 null]
+1194 0 obj <<
+/D [1190 0 R /XYZ 85.0394 544.8207 null]
 >> endobj
 238 0 obj <<
-/D [1186 0 R /XYZ 85.0394 403.9445 null]
+/D [1190 0 R /XYZ 85.0394 403.9445 null]
 >> endobj
-1191 0 obj <<
-/D [1186 0 R /XYZ 85.0394 368.2811 null]
+1195 0 obj <<
+/D [1190 0 R /XYZ 85.0394 368.2811 null]
 >> endobj
-1185 0 obj <<
+1189 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1195 0 obj <<
+1199 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1194 0 obj <<
+1198 0 obj <<
 /Type /Page
-/Contents 1195 0 R
-/Resources 1193 0 R
+/Contents 1199 0 R
+/Resources 1197 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1192 0 R
+/Parent 1196 0 R
 >> endobj
-1196 0 obj <<
-/D [1194 0 R /XYZ 56.6929 794.5015 null]
+1200 0 obj <<
+/D [1198 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1193 0 obj <<
+1197 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1199 0 obj <<
+1203 0 obj <<
 /Length 3198      
 /Filter /FlateDecode
 >>
@@ -4072,47 +4097,47 @@ C
 Ceß—óeÈà=ܯPÆ[ËŒQi«¯©x.x:‰W×ÊHÉCÄßm þ‡õ‹d}>9d0‰Ã•røS~fƒ›Îì¿÷CÛ§r&8o¼¬Ûp0ÕI°ÓŽÆK…Ï£¥ª¨X™¥©··WÏåK¼FñáàîÙ>P +V5eºÎØTö–Ú‡tmÎgC£,㕉˹=SAèk»3N@±$Ä™Ó!
ÓØ«¡„p6˜!O@‹ç“còΦAÐ/†SŸw¹ô]X¼^§ú4uWx.bnÆè€ð2£˜˜Æ+‡_ÀèÁPöpç°Îd¶J+&¹–7cs@x™M¥-|þe\ƺáZ‰>RïWîoiÁ¤´­‘i•ÿ‹Â,ý·Ï¯ñ¯
 ùS~Y»=‹@ÈR',¤ÿ3ìQ¥éþÈ|OÂendstream
 endobj
-1198 0 obj <<
+1202 0 obj <<
 /Type /Page
-/Contents 1199 0 R
-/Resources 1197 0 R
+/Contents 1203 0 R
+/Resources 1201 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1192 0 R
-/Annots [ 1205 0 R ]
+/Parent 1196 0 R
+/Annots [ 1209 0 R ]
 >> endobj
-1205 0 obj <<
+1209 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [356.2946 363.7923 412.5133 376.6291]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1200 0 obj <<
-/D [1198 0 R /XYZ 85.0394 794.5015 null]
+1204 0 obj <<
+/D [1202 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 242 0 obj <<
-/D [1198 0 R /XYZ 85.0394 769.5949 null]
+/D [1202 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1201 0 obj <<
-/D [1198 0 R /XYZ 85.0394 576.7004 null]
+1205 0 obj <<
+/D [1202 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 246 0 obj <<
-/D [1198 0 R /XYZ 85.0394 479.565 null]
+/D [1202 0 R /XYZ 85.0394 479.565 null]
 >> endobj
-1202 0 obj <<
-/D [1198 0 R /XYZ 85.0394 441.8891 null]
+1206 0 obj <<
+/D [1202 0 R /XYZ 85.0394 441.8891 null]
 >> endobj
-1203 0 obj <<
-/D [1198 0 R /XYZ 85.0394 424.9629 null]
+1207 0 obj <<
+/D [1202 0 R /XYZ 85.0394 424.9629 null]
 >> endobj
-1204 0 obj <<
-/D [1198 0 R /XYZ 85.0394 413.0077 null]
+1208 0 obj <<
+/D [1202 0 R /XYZ 85.0394 413.0077 null]
 >> endobj
-1197 0 obj <<
+1201 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1209 0 obj <<
+1213 0 obj <<
 /Length 4061      
 /Filter /FlateDecode
 >>
@@ -4137,33 +4162,33 @@ S
 žèͶKê-‰?˜^À¡E×°NžÄô;,)ÒJ”¯0¬•;ªåëÉ3½&„–˺/ÐñÐè›»ç“_A½Îì±ê%”ÔTÚêÏk]ß­ëËAt•Û…e›(Cµ|LÌœÜnè?cX/J•–±È[Mì©ÂëJka5ó\Sî€[²Ä%ØùØê ŸÆkú2|¼uÀ(ƒovY	m‰S»f?PÛûŠŒºüQ[·¨>Õ¡Ëãiß×onBË—Z1ycr®ÒíÇ™'¿ö„g5;_{þgOå,- 
k€±3Á1kΆ_‰î}-ÊÅüuò<ÎÛ.β¶>¸eR°øý$~pË@œ)¥Ó···ëXîN§ßÆbsh~Ó`.g¿¸ŸâˉTmIeb?U…—þì‹Û•˜™ùC¸ìßþ¹^ÔKˆvÂýß{ŸV9’üOQø}@	Ÿb
 jLŒ˜æxqºñ¿IýÅã=þ\%öúoõ꾈CþuèÃcUJ‡w7žæU¿ú£äí'ÛÒagÐ;ð-JZœòEȽ™3[BóÂÔÿ
ƃh> endobj
-1210 0 obj <<
-/D [1208 0 R /XYZ 56.6929 794.5015 null]
+1214 0 obj <<
+/D [1212 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 250 0 obj <<
-/D [1208 0 R /XYZ 56.6929 165.9801 null]
+/D [1212 0 R /XYZ 56.6929 165.9801 null]
 >> endobj
-1206 0 obj <<
-/D [1208 0 R /XYZ 56.6929 136.242 null]
+1210 0 obj <<
+/D [1212 0 R /XYZ 56.6929 136.242 null]
 >> endobj
 254 0 obj <<
-/D [1208 0 R /XYZ 56.6929 136.242 null]
+/D [1212 0 R /XYZ 56.6929 136.242 null]
+>> endobj
+1215 0 obj <<
+/D [1212 0 R /XYZ 56.6929 106.2766 null]
 >> endobj
 1211 0 obj <<
-/D [1208 0 R /XYZ 56.6929 106.2766 null]
->> endobj
-1207 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1214 0 obj <<
+1218 0 obj <<
 /Length 3065      
 /Filter /FlateDecode
 >>
@@ -4179,39 +4204,39 @@ xÚ¥Z
 ¬_²Õº°n–Ô§X;‘LjÉRÓaXΓçB}ƒY™š~E•qùÍX|ë$Œ¤Ï\tc©ÕƒZN‰11+,¥wØÿñ6à˜%„ Èy/5+îª±¢¦ \tÁ	y\üƒQEUÝoÖD¤€{z¹ÀÊÅ¡ `dêBÃD7þÒŒg!=¾¨Ë=ÔC‰§Ç¥—P.ÕÀUZÍï°{Ãjò$8Îgá³bÆètÇÏÓE^6ª>¡Ù¾¦¾Ì„œ¶c<~°Îp¹]þ†_ÎU*ºÐáôEµê“¢øÂõåØWçxðêÄÿLê_©:qÐhH=,…œèÝ7cÏÝß ¾QØÌs€Ë=òâÖàJmm³¦÷éûiW€:ô‰êCmŽ_«"q·©ÃÓobœ‹ø">½>Mñúqn‚‚F:­¡ôŽsWg°¦º!¢‹78 ðÜ÷9d÷gôÕ·]ºW
 覷=èv/P>ÂQl­'æ^r) \œùòåË3ŠKU=ú”¸´Eq¾¶u÷”ú„ËÍïe‚€=éýƒqï!C§Pü°Sœ;bH›4†.¦•¤ÿ(|í:‚bƒŽkw_á(B™QAû‚µÎŸ\oà.©¼ ÁÒ¡ÈÁÁÝ9½2ú¹ÿˆ¥L†ÜSçç$÷ëõòå¡=2fø—‘.Qg¡üWšþ‹ yiÌO¾â©©J¡	d¼«y÷Ÿ›}Õÿ~ý\Iendstream
 endobj
-1213 0 obj <<
+1217 0 obj <<
 /Type /Page
-/Contents 1214 0 R
-/Resources 1212 0 R
+/Contents 1218 0 R
+/Resources 1216 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1192 0 R
+/Parent 1196 0 R
 >> endobj
-1215 0 obj <<
-/D [1213 0 R /XYZ 85.0394 794.5015 null]
+1219 0 obj <<
+/D [1217 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 258 0 obj <<
-/D [1213 0 R /XYZ 85.0394 730.0812 null]
+/D [1217 0 R /XYZ 85.0394 730.0812 null]
 >> endobj
-1216 0 obj <<
-/D [1213 0 R /XYZ 85.0394 700.9798 null]
+1220 0 obj <<
+/D [1217 0 R /XYZ 85.0394 700.9798 null]
 >> endobj
 262 0 obj <<
-/D [1213 0 R /XYZ 85.0394 216.5924 null]
+/D [1217 0 R /XYZ 85.0394 216.5924 null]
 >> endobj
-1217 0 obj <<
-/D [1213 0 R /XYZ 85.0394 187.7778 null]
+1221 0 obj <<
+/D [1217 0 R /XYZ 85.0394 187.7778 null]
 >> endobj
 266 0 obj <<
-/D [1213 0 R /XYZ 85.0394 127.6814 null]
+/D [1217 0 R /XYZ 85.0394 127.6814 null]
 >> endobj
-1218 0 obj <<
-/D [1213 0 R /XYZ 85.0394 101.3894 null]
+1222 0 obj <<
+/D [1217 0 R /XYZ 85.0394 101.3894 null]
 >> endobj
-1212 0 obj <<
+1216 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F14 765 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1222 0 obj <<
+1226 0 obj <<
 /Length 2311      
 /Filter /FlateDecode
 >>
@@ -4224,14 +4249,14 @@ pR
 ÜͺË8yÜ¡~KdëNøf;Ðp(yó.›qí.»Y†ÿmñ»—þìš.D->\]>.+¯cl¶•(ž€¬"–D‰ûýOžUý—þÚ×gAÒJ¤_ˆy',H‰
 âBV©è ät?Z(ôÿÑQNendstream
 endobj
-1221 0 obj <<
+1225 0 obj <<
 /Type /Page
-/Contents 1222 0 R
-/Resources 1220 0 R
+/Contents 1226 0 R
+/Resources 1224 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1192 0 R
+/Parent 1196 0 R
 >> endobj
-1219 0 obj <<
+1223 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
@@ -4251,33 +4276,33 @@ x
 6\>RgÈbÏWÖ¹j[†›
 WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
 endobj
-1223 0 obj <<
-/D [1221 0 R /XYZ 56.6929 794.5015 null]
+1227 0 obj <<
+/D [1225 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 270 0 obj <<
-/D [1221 0 R /XYZ 56.6929 730.9277 null]
+/D [1225 0 R /XYZ 56.6929 730.9277 null]
 >> endobj
-1224 0 obj <<
-/D [1221 0 R /XYZ 56.6929 704.9004 null]
+1228 0 obj <<
+/D [1225 0 R /XYZ 56.6929 704.9004 null]
 >> endobj
 274 0 obj <<
-/D [1221 0 R /XYZ 56.6929 236.9993 null]
+/D [1225 0 R /XYZ 56.6929 236.9993 null]
 >> endobj
-1225 0 obj <<
-/D [1221 0 R /XYZ 56.6929 205.1553 null]
->> endobj
-1226 0 obj <<
-/D [1221 0 R /XYZ 56.6929 146.386 null]
->> endobj
-1227 0 obj <<
-/D [1221 0 R /XYZ 56.6929 134.4308 null]
->> endobj
-1220 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F62 1095 0 R >>
-/XObject << /Im3 1219 0 R >>
-/ProcSet [ /PDF /Text ]
+1229 0 obj <<
+/D [1225 0 R /XYZ 56.6929 205.1553 null]
 >> endobj
 1230 0 obj <<
+/D [1225 0 R /XYZ 56.6929 146.386 null]
+>> endobj
+1231 0 obj <<
+/D [1225 0 R /XYZ 56.6929 134.4308 null]
+>> endobj
+1224 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F62 1100 0 R >>
+/XObject << /Im3 1223 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1234 0 obj <<
 /Length 2383      
 /Filter /FlateDecode
 >>
@@ -4292,45 +4317,45 @@ w
 αú.ˆß»V øæµJ—Ë4ÂNÝ?/GLÁ¼¤àÀ !ND!ÔûO´mÔÛ·³ÚõÇeÚLCùJøG“©„ÿ㇡ƒ<'‰(
$è%ݼ|‚©4Ưø`4`±G'ÝíJµ®„»P~¢ücÓãëÔ²uÏסVÆOý°¼©Š|J=Ò*¶BÖÃieü‚*	g†õÉ8è”ÆP±ªdîÆq«9•ÐÊÛƆ÷-•|Ë-AîV9xÁu r&K)ͤ“nÛ¬ÕmTë–LÁµI&Ã)ñB	>>‹7¼Ùn*N"¼‰!¾Ýœ½xSwï.!}C]«¤
_V”õ„'E¥’  ¤l	ƒQCaþɤ¤.×uäq)mÌžù>oCxÜ:(µ»@¿ÃpZÝÆ€›Ë]zÏÄò¸ñ´•ž$HPñ3¢@Áu¯ ?àˆ—U¼?œÅõ=#ÑÛiímä¥ÍEÝÓ*vŠ¢ºÏfƒú¾^ÄI·Î"Ô]4Ò«›u^4“¼üþq‚B3k­)Ž)È“Ò‘ZûÜt4´ª„DÄCM$`­õžÂD@BÒc¹ŸhÒòaÀk¼bJ˜6½EîŒVij¨êÁ÷”â_˜¯ÅŠ%	Œ±v:¨£Oé€·	9x9¼ö(­¬ž¦³ž0ÇÒÙ˵Ng@õêÎ,€E<Ó´ÀÓ?CoVÅß[¬_üòY‰r(‘’HÚ„ÜvaH
0‰¼eÖÜW«OÔÁ‚ku›NÃo7qA9T§5mà© ü^î±\O%_[Ÿµ–¼á$·Ï`Ù®Øm9-ãz»†t+¸Ý˜®Ìšúé¦^‡À
|žHƒhˆFȨadE_²)ŽuöBòm;~¿È1—â„`¤‘i†¬·Àßw¤P^„ÜØÑñ»*@˜ALjš6«ˆXV
5î)|wÉgqEJŸû€¢¡ÑÀ`\7Ë`›e^>ú™@ô\JêÈ4dú߉Rd%0™7‹šúÁ‰‘Ž ftzhm9}@]b|QÒX½ðG’”@˜¦uöÝà“že	€É®,ÙmêI7wƒuÅòðº‹ÓÊÍ(û6`ËÂO®@ûg@AÙ>
Á^‰Õ©tª/뎈¢9`è¤F{nmï:|ÝÛÜÚçÔ¹Çs»‘ÁK(û>¡ÌÖ@Á/E?.ôŠŸöÿ„rÌaºHÅ(ü~C¿Ý<·°ƒy|	ÚpÙÔs-Ürº÷4nXC­ðk+Ñî>ï
 ÿ¡ 6k„ÌjE¥Õ_ã1í
 è§Õq—»jÕt¼7[غã˶§˜ÉùP	JE.z—Œëñ„¸{P¢öe°t^¼_GŒ±þ²¡ÿ+’]ÓSÙc_ᣃØë©ÿs²ù‡ÐrnÇÛJçœQ(<“²_\eðHã¤ýfÐmŒendstream
 endobj
-1229 0 obj <<
-/Type /Page
-/Contents 1230 0 R
-/Resources 1228 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
->> endobj
-1231 0 obj <<
-/D [1229 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-278 0 obj <<
-/D [1229 0 R /XYZ 85.0394 513.3136 null]
->> endobj
-1232 0 obj <<
-/D [1229 0 R /XYZ 85.0394 488.974 null]
->> endobj
-282 0 obj <<
-/D [1229 0 R /XYZ 85.0394 420.2055 null]
->> endobj
 1233 0 obj <<
-/D [1229 0 R /XYZ 85.0394 390.0916 null]
->> endobj
-1234 0 obj <<
-/D [1229 0 R /XYZ 85.0394 312.7536 null]
+/Type /Page
+/Contents 1234 0 R
+/Resources 1232 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1241 0 R
 >> endobj
 1235 0 obj <<
-/D [1229 0 R /XYZ 85.0394 300.7984 null]
+/D [1233 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-286 0 obj <<
-/D [1229 0 R /XYZ 85.0394 159.3 null]
+278 0 obj <<
+/D [1233 0 R /XYZ 85.0394 513.3136 null]
 >> endobj
 1236 0 obj <<
-/D [1229 0 R /XYZ 85.0394 131.3824 null]
+/D [1233 0 R /XYZ 85.0394 488.974 null]
 >> endobj
-1228 0 obj <<
+282 0 obj <<
+/D [1233 0 R /XYZ 85.0394 420.2055 null]
+>> endobj
+1237 0 obj <<
+/D [1233 0 R /XYZ 85.0394 390.0916 null]
+>> endobj
+1238 0 obj <<
+/D [1233 0 R /XYZ 85.0394 312.7536 null]
+>> endobj
+1239 0 obj <<
+/D [1233 0 R /XYZ 85.0394 300.7984 null]
+>> endobj
+286 0 obj <<
+/D [1233 0 R /XYZ 85.0394 159.3 null]
+>> endobj
+1240 0 obj <<
+/D [1233 0 R /XYZ 85.0394 131.3824 null]
+>> endobj
+1232 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1240 0 obj <<
+1244 0 obj <<
 /Length 4330      
 /Filter /FlateDecode
 >>
@@ -4362,48 +4387,48 @@ epc	.ѯs
 ô­Leí]¬Í䧆³ÆL>žÚeIðëÅ¡¼vc
«OÔær‚0ŠB’¾
 i5¤QŽm‹ÎÁ…ÿÆÅòS±ª]Þõ.¬±ia×¼ï7ëƒÌg(-×
@†ÍæDéSÝ,+Ê¥öI¥ ÕJ¼ÈDÃÅ¥‰‰Bê51¯=pwO‡êñnö–~©br#ò=ú[+ ¹íèµ;%8jï.Äí;ú%	á—5€´$++3ƒy¡#Ç>>-ÖŸ¼›ç1¶O-/4x%ƒÉ“6à(I©"èY×÷k?ºº§+êq&WÚñ‰õµeºÌçó8‡¹÷#C©^¢™ïj§’òv÷~Úp˜ØôèÑ:Þ×ÔtMM€
„ú¾ënÒ¥ðj„¿Såæ6iÝmÁëv¿YQ#šþh祉3&Šˆ,³"úÍgà½æê†J0!4Âe¨à=籑Ê>T:îÝÆp%G†]—pÚºzȨ«ù}G¾Èë–àKÃuSûkÎy&ä¼…µû%ãâ}ÌeU¦Ôá?P†¬,&|ælqþ^—Š?$Ø®è†POp&ñ×Ê̼©(CWÄù'ÐùIÆ-€?Í„—gŽ¡îaE­EŸÙy‹•j!»ÿÞÀWÏѪ¼
ß:Ÿ˜¤B¡ 'º7¦âêÖ¥¿ª4ÊËëp•n.í|ÛãÚ_ÏLö¯¸=JWWB”ÃVuçYO3D—øB@ô*rîÐ/†«)Ü"0“¤ódw¼p)s¯Rú…‰ Ü&iru’¦¿pŸýaWdØû×)uÁ±|þ'ÌBj‘+]Y"“Êï-þGŒöÿHd³_UɈùnW‚´SaíÁÿ½D"ˆ«îêM…ÖçõÉô²Îð? ‰I™ÿâ´²ÓOÈ¢'2­¦È h)\,Ž8ÿ‘uÌúÿ=<”¼endstream
 endobj
-1239 0 obj <<
+1243 0 obj <<
 /Type /Page
-/Contents 1240 0 R
-/Resources 1238 0 R
+/Contents 1244 0 R
+/Resources 1242 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
-/Annots [ 1242 0 R 1243 0 R ]
+/Parent 1241 0 R
+/Annots [ 1246 0 R 1247 0 R ]
 >> endobj
-1242 0 obj <<
+1246 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 387.5149 256.3816 399.5745]
 /Subtype /Link
 /A << /S /GoTo /D (rndc) >>
 >> endobj
-1243 0 obj <<
+1247 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [268.5158 387.5149 332.4306 399.5745]
 /Subtype /Link
 /A << /S /GoTo /D (admin_tools) >>
 >> endobj
-1241 0 obj <<
-/D [1239 0 R /XYZ 56.6929 794.5015 null]
+1245 0 obj <<
+/D [1243 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 290 0 obj <<
-/D [1239 0 R /XYZ 56.6929 692.9565 null]
+/D [1243 0 R /XYZ 56.6929 692.9565 null]
 >> endobj
-1076 0 obj <<
-/D [1239 0 R /XYZ 56.6929 660.5438 null]
+1081 0 obj <<
+/D [1243 0 R /XYZ 56.6929 660.5438 null]
 >> endobj
 294 0 obj <<
-/D [1239 0 R /XYZ 56.6929 112.3379 null]
+/D [1243 0 R /XYZ 56.6929 112.3379 null]
 >> endobj
-1244 0 obj <<
-/D [1239 0 R /XYZ 56.6929 85.6994 null]
+1248 0 obj <<
+/D [1243 0 R /XYZ 56.6929 85.6994 null]
 >> endobj
-1238 0 obj <<
+1242 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1248 0 obj <<
+1252 0 obj <<
 /Length 2372      
 /Filter /FlateDecode
 >>
@@ -4424,67 +4449,67 @@ U
 û1ú†Á`ð¶¿ïài')"=æ…G_'í
 wíÃùs¡¶h $48ÚÓê<ÖÂàg[y™»;ð¸¡/s©ßÓoò›	9n¸3˜•ËŸÚìPåþê{Ó»¹ÈÐíj3³ÙÌñõG'_Qìå¸òÁæ1¶kw{E¥¶÷œ&ÅHIpj=VÛK²©zCèN¯a§é¦ìÙ>ÐŒdÉ«Çz´-3[OÈså;¨Ëê®?O‡"5>>n$è<¦
lF_õâîŒ7N¶ª¾8}÷Hi¬¸7SbSJmÞ¹Ã)*óõçxËÝNy"6ýÈ£Ë:ºNy'÷–nÇ6èÏý?)à™*fÛ§´—ñÝÿ]îÿØ…òQhÍç‚FP\ƪcÊr.âCÎû?9§¬ÿl!‰ãendstream
 endobj
-1247 0 obj <<
+1251 0 obj <<
 /Type /Page
-/Contents 1248 0 R
-/Resources 1246 0 R
+/Contents 1252 0 R
+/Resources 1250 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
-/Annots [ 1253 0 R 1254 0 R 1255 0 R ]
+/Parent 1241 0 R
+/Annots [ 1257 0 R 1258 0 R 1259 0 R ]
 >> endobj
-1253 0 obj <<
+1257 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [406.6264 524.1437 456.8481 536.2033]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1254 0 obj <<
+1258 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [140.5805 512.856 196.7992 524.2481]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1255 0 obj <<
+1259 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [103.6195 470.0794 159.8382 482.1391]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1249 0 obj <<
-/D [1247 0 R /XYZ 85.0394 794.5015 null]
+1253 0 obj <<
+/D [1251 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 298 0 obj <<
-/D [1247 0 R /XYZ 85.0394 769.5949 null]
+/D [1251 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1250 0 obj <<
-/D [1247 0 R /XYZ 85.0394 749.3189 null]
+1254 0 obj <<
+/D [1251 0 R /XYZ 85.0394 749.3189 null]
 >> endobj
 302 0 obj <<
-/D [1247 0 R /XYZ 85.0394 679.8163 null]
+/D [1251 0 R /XYZ 85.0394 679.8163 null]
 >> endobj
-1251 0 obj <<
-/D [1247 0 R /XYZ 85.0394 652.1211 null]
+1255 0 obj <<
+/D [1251 0 R /XYZ 85.0394 652.1211 null]
 >> endobj
 306 0 obj <<
-/D [1247 0 R /XYZ 85.0394 573.4726 null]
->> endobj
-1252 0 obj <<
-/D [1247 0 R /XYZ 85.0394 542.9681 null]
->> endobj
-310 0 obj <<
-/D [1247 0 R /XYZ 85.0394 335.1831 null]
+/D [1251 0 R /XYZ 85.0394 573.4726 null]
 >> endobj
 1256 0 obj <<
-/D [1247 0 R /XYZ 85.0394 307.4879 null]
+/D [1251 0 R /XYZ 85.0394 542.9681 null]
 >> endobj
-1246 0 obj <<
+310 0 obj <<
+/D [1251 0 R /XYZ 85.0394 335.1831 null]
+>> endobj
+1260 0 obj <<
+/D [1251 0 R /XYZ 85.0394 307.4879 null]
+>> endobj
+1250 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1259 0 obj <<
+1263 0 obj <<
 /Length 3489      
 /Filter /FlateDecode
 >>
@@ -4509,33 +4534,33 @@ vk^)
 ü“Ål7·5Ú'}Á¯"´ú‚HcÀÀž¢í¶dÚ¼Œ~?Ú×í°¤jç=U}ô#Í›ªs—QqÏùw2Eš<\{ðõl$a@Z)ĉ+&9¹b’ók$0L’Óë#Ép2
 kî²Úc¯0¹¿C8_Pø;v! ¹(Éï3S|µŒ@x"BÉ_–
IJ,Ç÷xc$†âÖ•Æ'Ëýн.ô'
&O¾ÐjJæù‹ÛÔ.þÔvLå›p÷ûåôÈ|»4N* wվߦÇÕ×üÎ"‘"ü™vn»é‚£j3y.—¦¬wñ  ƒ¸'™xÿÛ”¨c9\"ós…)ùO	s¶J'7Wæ	8Qv.ŸÝCÔ¾*ù¨BK%@¤3‹bñÂBV¤É$Bhï·‡Ãú!ÆE&6×ù§¸xаÞG7<§æ\Qp¯ ä½ízÈCŸËi;<œ²s*Îe²ëÖå.VBKpA›ÊÿŠøßù˜)ù™äQŸ‰þLz™Ï$ñÁo²á¾ê$Ñ6ÜÝ:VÙ"-¥Ux·]ñ¿$bÿÝT&Á?\Fþi™†¯úÿ÷ÿ:Ç?½ê,Qy.Ç¿lÎäÏòDçÀ„…B-túLrÿÐç¢ÿy@Òendstream
 endobj
-1258 0 obj <<
+1262 0 obj <<
 /Type /Page
-/Contents 1259 0 R
-/Resources 1257 0 R
+/Contents 1263 0 R
+/Resources 1261 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
+/Parent 1241 0 R
 >> endobj
-1260 0 obj <<
-/D [1258 0 R /XYZ 56.6929 794.5015 null]
+1264 0 obj <<
+/D [1262 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 314 0 obj <<
-/D [1258 0 R /XYZ 56.6929 769.5949 null]
+/D [1262 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1261 0 obj <<
-/D [1258 0 R /XYZ 56.6929 749.2381 null]
+1265 0 obj <<
+/D [1262 0 R /XYZ 56.6929 749.2381 null]
 >> endobj
 318 0 obj <<
-/D [1258 0 R /XYZ 56.6929 540.3599 null]
+/D [1262 0 R /XYZ 56.6929 540.3599 null]
 >> endobj
-1262 0 obj <<
-/D [1258 0 R /XYZ 56.6929 517.4049 null]
+1266 0 obj <<
+/D [1262 0 R /XYZ 56.6929 517.4049 null]
 >> endobj
-1257 0 obj <<
+1261 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1265 0 obj <<
+1269 0 obj <<
 /Length 3318      
 /Filter /FlateDecode
 >>
@@ -4557,29 +4582,29 @@ FB
 C)²¬/é>3‚u~ÜuD:ÙÒÐúCÑñƒ4”\æïWðV>ÎÁaJh{yÓî¿c
Ÿ'ˆÝ]ÂÅïTŠÅšŽfÚ5R÷…ž&›ÍŒw£OúýúÅø…§ŸôŸî‹þT,ýÕ—t?jPRèK’ .#•ôä·ýªWyºU^W1”èè…‚õøÇÛ×J…¯¿æ:£@”ÂæonÄm€æᶥ®Ýá•£cé÷!¬ðÇÒ—†)üñ‡ÇÝE»kå~W†Á»•qQƒ¯^3¾ñ¬ÜF•Ðˆ
¯´‹©ÜœÛ	@
OOoy~}v¾åN-08NE.eéù\wˆFNJt‰K;³jȧè,ÈDrî`€u%`OÐW¼jý’Fz:}1>Ê]OùÓèiòΛÅú
Ÿ~˜ÞP†«Ó´÷/	 ·(„Å‘ÞH—Ǧq¿[¹(i)íxÕ^¸ôz½þuïk†4VÕ—ZR{á‚ý•}è‡R&øë¦ôÀ?Ÿðÿˆjø…Y”
 c­c$Âê,õD!g‘º¤¼ÿµÕSÒÿ|Æ)¯endstream
 endobj
-1264 0 obj <<
+1268 0 obj <<
 /Type /Page
-/Contents 1265 0 R
-/Resources 1263 0 R
+/Contents 1269 0 R
+/Resources 1267 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
-/Annots [ 1267 0 R ]
+/Parent 1241 0 R
+/Annots [ 1271 0 R ]
 >> endobj
-1267 0 obj <<
+1271 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [173.6261 273.4719 242.2981 282.8815]
 /Subtype /Link
 /A << /S /GoTo /D (the_category_phrase) >>
 >> endobj
-1266 0 obj <<
-/D [1264 0 R /XYZ 85.0394 794.5015 null]
+1270 0 obj <<
+/D [1268 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1263 0 obj <<
+1267 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1271 0 obj <<
+1275 0 obj <<
 /Length 2400      
 /Filter /FlateDecode
 >>
@@ -4593,33 +4618,33 @@ E*<
 B6	moê:Ýæ9+¦äã¶LÅ“û*•`âE8FB¨ÉFˆÕ2@šÉÞW:í?ì~O넉ËYÃËc`µnLŠ®!ÀQ›%ËÁ½¬M„uÚDxJ°.Ðö@UAìøEÄê1°:
 ìM™çå}‡˜NG±Ë}šuý$6%ÿ˜ÈàÞ81ö²â|Ò‘¦hûTk0æÛ1ÐÖp†½dB9ÇpQ…1¦T87¦ûCn¬. Í2Í«š6êôH˜¬èЀÈäš|Ë"w#‚!¼Š†É8Ô”>©Pðm6gŽ®HóšñÝeáüwc|­z
¼èԃǩÔ@„éG~îéÿ½HTïW\Öúø&çÎæOÚ/z8¿îŸœ*>6hœ=‹‰ã
¶Wé›áqóökNÝCc¯ëÍ÷¯ò½ª†§.;ÁÁ‰O	ðôÜ=4­µª›zºfKeÎ“Þ bœ£æ45LzÇD/µˆü~šÃŒ‡ìB×æçæ)Ïù#á!±'2ÄŸS-±<
S½]’À©AÆ4 ²b=Eáé4r9ÈŠ^Ð×vü 0Bèç4ËÓ».†ŒºÄ°m(,åÚÔ«*³½*c•›aèÃs²Ge0®s«K§Ž|{Y4iVˆ)w¼.;&º­}zt…f½6ë±mÚÁ° ‡/Ía†6µxððã%ЀyÉL†¡ð5´ö/xúº%"/:yiüÿN9F°„Zjý8tÎZ¼t'N_ŸœPKé{"H‚à±÷'œ!#˜ÏÁßé?Ó#$ˆtàbͶ§õE3ðÝoQ÷[ÓgCG¾L ´tΆØ]MvFegC9rü¾ïûÜ Äà"°MxûŠ•~mÛŠ8ÎOMÆSíûÐqÐY aþªøË̆ÝcÜgâ—“¤þžà…BÇÏ9‚‚	DiJ|ô‘¿ÌdbÓËj·„|/°É•ók;eHûPÖ®iÍϸä¼eHK OëÚ
£!0ƒ•ñå”gôÓËh°æ´3¬?ÆíµžÒØqž°m¯´/³Ã©iý¯iÚX‰0ò£§M›ÄŠ¥¦O›ônzˆ›öº+Ù¾Ö.‘Bü@IÁèE í0µëuÐçC؇ÓØÒT½äâÎÝq:Ò9ã‹Öø¡uøòQ7£ŠñWY˜X¥«nÚ–7ò@}_ËÈN —“t'5rä‰HÆúi#G0ÀI¬ë*Ÿ3òùŸü?§ù‰צÈЖú®œþÑšº©Wê€Ý/Ó@à%ƶ<ªXOþçΛ=«ñ—þŸ°ÿ'j	?ŽU¯ñQKÅ q \!-Td üÓýC‘±¬ÿ
”|‹Hendstream
 endobj
-1270 0 obj <<
+1274 0 obj <<
 /Type /Page
-/Contents 1271 0 R
-/Resources 1269 0 R
+/Contents 1275 0 R
+/Resources 1273 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1237 0 R
+/Parent 1241 0 R
 >> endobj
-1272 0 obj <<
-/D [1270 0 R /XYZ 56.6929 794.5015 null]
+1276 0 obj <<
+/D [1274 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 322 0 obj <<
-/D [1270 0 R /XYZ 56.6929 520.4669 null]
+/D [1274 0 R /XYZ 56.6929 520.4669 null]
 >> endobj
-1268 0 obj <<
-/D [1270 0 R /XYZ 56.6929 495.6849 null]
+1272 0 obj <<
+/D [1274 0 R /XYZ 56.6929 495.6849 null]
+>> endobj
+1277 0 obj <<
+/D [1274 0 R /XYZ 56.6929 178.7136 null]
+>> endobj
+1278 0 obj <<
+/D [1274 0 R /XYZ 56.6929 166.7584 null]
 >> endobj
 1273 0 obj <<
-/D [1270 0 R /XYZ 56.6929 178.7136 null]
->> endobj
-1274 0 obj <<
-/D [1270 0 R /XYZ 56.6929 166.7584 null]
->> endobj
-1269 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1277 0 obj <<
+1281 0 obj <<
 /Length 3171      
 /Filter /FlateDecode
 >>
@@ -4632,21 +4657,21 @@ x
 ”LK
 {÷	Óh&„°$ÌŽ>ÿ+DÞSõâ…›ëó÷¯s®Ÿ÷úÖÝó[Ý¥YlôçíˆÝ¬•šŒÙ*¥Úhϳ@׌ÔwÜVýìß®”N‚Âט	SgÒm".™.òzÞEÈ`8è@ÅÒ/}[XãiðFÏ«G·Eh‰ð)$,é™k	pÓJªÜõ—Ø×+*Éᇪî=vžAØÚ¦Ÿû¯{”¦#/“ðWU	VÓ&Ñè}à$Á¶ºÂÝ{qΪ²æO6ý1nPS?ˆÒ`Û“éÏÕ}M-[‡gUëð ö>:ªùØÈ×0‚˜SÊT¡lzñï“ËGçþGvJÐÍ´¸Îv<)}SBÁÒíyuPßögx'³ˆo´6Ù¶
Jǹg#E¼
vó²÷˜Ž*ÀÎ*<ÅÕÍú–jnžð2!]¹ÝÚý[i¨`·“ÏrBaÄî‡Ïˆ.ÆTÆ‚ER“Usà1fY#ÆÍšŽ¹é¨7­úqݪЂúA­§~Ø»¢¾>´B²HóÐ×ÿp+ÙzÐΑÃO Y8À~hUáDm¨OANI$œÊÓ6ƒI§{6Õwè²Ä‡ž×äÖ…‡ž^S€A„53´,òÔë¥0BXøH‹§ô¹¦:­Ü¬We˜ÍLÏ.¯¯§WøK'©H‹eí"•%¢?O‰u²k€LÎST4÷	xS{³ƒÅÊŠûCÅO¬,o=µ=SmëÄàÃ{®ËøØTUâNfç<¦a>R”Ý=éxi;mˆ–»wçâÓ²‰[}2bû0´¢2رeåcâÖ¸ù2»&îÒ¬*¿Äplà9âì(Ú;Ì쳪TÈ6aeAoô1OKªÐ›ÖnC“×f¥@‹•T%ÄÝNX׃¹®]¸ˆ¨ì‰ê„Þ¤‚IÔabB^ÃSK0¿¤ê@
ªäVÕçnxþØNFÔ$„Ómf«I6@yË»¯Ÿ8"$ÚðÇ@Íz³}Úvóªõ’׸éíÑL€mÍŒ‚•L½œ-á\÷èú®£$³õÎã†ß,Q¯—s¿)ºÙ²ªóÆÿªªŸø–VЕ8²´™uZCé^|¦·2}ÚÚ^®WÃÈ\k‘„Çg0Mµ¤ZC[L›ð<ÁTÓŠ›ÐÓÿš“j­Q¦¯6
Gæ×»%éT‚.A­ôxǘ®RÑ$ÃySŸ&G€ÊûÛô5‡‹ÑPÕçÝ Sð0¾ÚÞh¦»2³ŠOÏPFEÀÈ>§šß=Úã{ÛÞ:¬ãLTKCIÇŽˆ³XÒ±¡ŽÊ‚W8`–ÞÉ¡W¾˜
é5,êK‹m,´Ç´È³?ÂwxùÇníkOH܆I‚Û€Ú]µÚ«ÙÝ1ü\¬µ×ÃÁøÖÇí‹Å;åËPÐXm5;ö3\c¹}ñ3ÜÿoÔf#Z²HÄþw¹ÖPPóò×»|2š.ø«¿Þþ:²LÅq燅=À
‹eb–â\(ÚH½”Š†=ëXnzu¶þ?<”{endstream
 endobj
-1276 0 obj <<
+1280 0 obj <<
 /Type /Page
-/Contents 1277 0 R
-/Resources 1275 0 R
+/Contents 1281 0 R
+/Resources 1279 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1279 0 R
+/Parent 1283 0 R
 >> endobj
-1278 0 obj <<
-/D [1276 0 R /XYZ 85.0394 794.5015 null]
+1282 0 obj <<
+/D [1280 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1275 0 obj <<
+1279 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1282 0 obj <<
+1286 0 obj <<
 /Length 2934      
 /Filter /FlateDecode
 >>
@@ -4662,33 +4687,33 @@ xÚµZKs
 š¶G(î •ãÏ5	5A4Žhxåw)V6Ö‡c۔馲é.ë±ÁúVâ%½Ó&±¥séB凉HÆNžJÁ¸·x¤§ùªÀ°>4õ-Ç_tRÙaæÛ°§#FsCbØVôÄ›ÙÝÖIž:@ü¼œüÓÜA€ÔåÒJ²¨³ÓEj&ÜÄÜ‹·¯1ž¥/»àU¸íÞéxêSÌ0ÙÌL÷ƒê‘ú³â1$?Óž"ü0­ž	cŒÇøý¾0ÓåïË,JHÞY¶ráéªØü_C¤–@I%µŒ¨Ã0g•óé»Õ]ÙZý7©l©ª@½§àm¢ï}@
ÅÊP=e› Z%_`œ1 @§à‘÷±tE~‚E¾JŽn„7ævNJ@—.´È|¥;9ÌžÍ{oëŽùè‚‹:±þ™È·I°8¼Ðè)&Ú³¢¯àØsýæïÔ:ž
 ˆÃ/ŒðºÑͤžð“ÌÓ4ÀæÁ]q$™¹›úáü³+û៙ô¿Á‘‘/â¸W#œØ¬Qžˆ”G?‚aÏ…âŽk°ô¿É#%endstream
 endobj
-1281 0 obj <<
+1285 0 obj <<
 /Type /Page
-/Contents 1282 0 R
-/Resources 1280 0 R
+/Contents 1286 0 R
+/Resources 1284 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1279 0 R
+/Parent 1283 0 R
 >> endobj
-1283 0 obj <<
-/D [1281 0 R /XYZ 56.6929 794.5015 null]
+1287 0 obj <<
+/D [1285 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 326 0 obj <<
-/D [1281 0 R /XYZ 56.6929 744.4469 null]
+/D [1285 0 R /XYZ 56.6929 744.4469 null]
+>> endobj
+1288 0 obj <<
+/D [1285 0 R /XYZ 56.6929 716.8556 null]
+>> endobj
+1289 0 obj <<
+/D [1285 0 R /XYZ 56.6929 352.0635 null]
+>> endobj
+1290 0 obj <<
+/D [1285 0 R /XYZ 56.6929 340.1083 null]
 >> endobj
 1284 0 obj <<
-/D [1281 0 R /XYZ 56.6929 716.8556 null]
->> endobj
-1285 0 obj <<
-/D [1281 0 R /XYZ 56.6929 352.0635 null]
->> endobj
-1286 0 obj <<
-/D [1281 0 R /XYZ 56.6929 340.1083 null]
->> endobj
-1280 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1289 0 obj <<
+1293 0 obj <<
 /Length 2722      
 /Filter /FlateDecode
 >>
@@ -4704,48 +4729,48 @@ lVUm
 (©gZ`$áWë¼iÌRlrš#å!/Š!&£:çò³än„•DJ›Ÿy¤ø_ƒ­c÷àn®Î‘Ó¨0‚r"åÝåeZS—Ž{Cà=µ(tlÀ!¦Âë|iÃDŠ3¼\
Ð
O븕íRgW7ÔÁ‹¡vR”ÁЛdžáÙ©ÈÃKB‡6…‰r…É^=GL` о ;ËI¦n¶ÓÈÛY´­èm¤Z&[ Ao”¥Ù§²åE‹4àvXé´ âï-nj3_Ñc¦Á/3'Kscqa}U·¾ª‡¾ª«Í½Ë†t·—Ø}žfv—	5t‘`¯ZØUÊxì5Ïe·UŽ Û¤µ¶ªÇ|&L]Žs'q¶6FŠ‰êaue‹ü6“KáŽ÷haG±«ì´-,ý¡ÁNŠûO<Û_7_¶ò{G~+÷EXk,nÞiÓ|‹ÖvOT> endobj
-1293 0 obj <<
+1297 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 255.0679 539.579 267.1276]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1294 0 obj <<
+1298 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 243.1128 117.8035 255.1724]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1290 0 obj <<
-/D [1288 0 R /XYZ 85.0394 794.5015 null]
+1294 0 obj <<
+/D [1292 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 330 0 obj <<
-/D [1288 0 R /XYZ 85.0394 467.3023 null]
+/D [1292 0 R /XYZ 85.0394 467.3023 null]
 >> endobj
-1291 0 obj <<
-/D [1288 0 R /XYZ 85.0394 442.1291 null]
+1295 0 obj <<
+/D [1292 0 R /XYZ 85.0394 442.1291 null]
 >> endobj
 334 0 obj <<
-/D [1288 0 R /XYZ 85.0394 305.1414 null]
+/D [1292 0 R /XYZ 85.0394 305.1414 null]
 >> endobj
-1292 0 obj <<
-/D [1288 0 R /XYZ 85.0394 274.1939 null]
+1296 0 obj <<
+/D [1292 0 R /XYZ 85.0394 274.1939 null]
 >> endobj
-1287 0 obj <<
+1291 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1297 0 obj <<
+1301 0 obj <<
 /Length 1218      
 /Filter /FlateDecode
 >>
@@ -4757,2713 +4782,2763 @@ xÚ¥XKs
 dsæÎ+tPÙš'6Ú^X3õ¼§ŠŸiAÅÓ3Á«SÛªX-—gÊ¿º¾;À[ø£­\rÝ=¼§ˆ§L_®‰Êà@”€­¹¤÷sÍÛªÛŸ›ä;`ÿŒ>2À´l›:NŸ1©Rö2oÙé ³¼mV`sukË›U+Sñ|ƒ+ªä)Hr®ÒÏÔéþÔ#€¢tmSk[,X=$yÉšƒš5•º3Ù9qlL Ñ'ÿ+J!yvx¶OçMÃÖUÎ.{“æ§\˜¿wq†Ÿë,q=ùR1|ºyꉩîgP	‘ŸA®Šm©~_g5XІ®c#šÕ¢P—u¦n[V&[7é²å8å†ÝÞÔæá«ëŽ!™¡l–VÒE~d+þDsžRy–׬Š\ˆGõÞOÙa¦Ò§èÖgÇPöÍéfWY·*Üh™¬DÝ},ì²,p¨ñ¼B«\¨‹@OöZëQ‹íª¸Ó•ö‘íê’7ôûÿvøª¼‰"w_«wßïn¨Ê‰H)± ´Ù~ð
 ù¶ò
ý_ÿP¤Áendstream
 endobj
-1296 0 obj <<
+1300 0 obj <<
 /Type /Page
-/Contents 1297 0 R
-/Resources 1295 0 R
+/Contents 1301 0 R
+/Resources 1299 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1279 0 R
+/Parent 1283 0 R
 >> endobj
-1298 0 obj <<
-/D [1296 0 R /XYZ 56.6929 794.5015 null]
+1302 0 obj <<
+/D [1300 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 338 0 obj <<
-/D [1296 0 R /XYZ 56.6929 769.5949 null]
+/D [1300 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1299 0 obj <<
-/D [1296 0 R /XYZ 56.6929 752.2028 null]
+1303 0 obj <<
+/D [1300 0 R /XYZ 56.6929 752.2028 null]
 >> endobj
 342 0 obj <<
-/D [1296 0 R /XYZ 56.6929 681.9672 null]
+/D [1300 0 R /XYZ 56.6929 681.9672 null]
 >> endobj
-1300 0 obj <<
-/D [1296 0 R /XYZ 56.6929 651.209 null]
+1304 0 obj <<
+/D [1300 0 R /XYZ 56.6929 651.209 null]
 >> endobj
 346 0 obj <<
-/D [1296 0 R /XYZ 56.6929 616.9944 null]
+/D [1300 0 R /XYZ 56.6929 616.9944 null]
 >> endobj
-1301 0 obj <<
-/D [1296 0 R /XYZ 56.6929 589.1412 null]
+1305 0 obj <<
+/D [1300 0 R /XYZ 56.6929 589.1412 null]
 >> endobj
-1295 0 obj <<
+1299 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1304 0 obj <<
-/Length 1125      
-/Filter /FlateDecode
->>
-stream
-xÚ½X[sâ6~çWø:#Õ²,_¦OÙ”¤Ùéf[JŸÒãØ"hâ+³Ùÿ^ùŠ
&ØÁËð€uûÎw>IGBŠ*H±T±­+¦­C¢"¢¸Á@UžeÛíå}@Ñ	T{}š~½Á¦bCÛÐe:¯`YPµ,¤L½‡áõWMÇ“Ј:4àC~º»ÿ=«±³¿ë¯÷7w·ÿN®F¦>œÞ}½Ïª'ã›ñd|=d$Çk9‘7wŽ³¯ÛÉÕ—/W“Ñãôó`<-}©ú‹Tœ8òmðð¨*žtûó@…ضˆ²‘"ÛÖ”` ‰ŽqQãþü]VZÓ¡MúlAbifƒ€:ªˆTÚºm*&±¡5œ*ø0†ª½PêÇué2ôuÉ8õ²¦-³ˆÏÂè·¬ü˜x-M„ MˆV…™G|ãð|à*Q³¯(ô·Ù×[Þq—½P{dÊEVþžýå­l9s<çuˈÇe}RxÌJ¹aa/ýûÑlÕôY9>±ã¾Aùº¤qÔÖ÷LÃÐN¡æÑN/
-ÎB' 'àÞR¸¥×Î÷DæB…
-ìaeÞ–ÒÔ5~äÒ¸*UI|ûó8"¦¼6óÂwÖ´VéXF¡ ž-¤“ÁÖCÊa~­‚=‡§G‚lß#tèQðºïΙ6ÕwäÛ0ßsË•ÓeÉeãYÓgÎâm+€Fo»‹Ã‹ø,øúò6Ù“ÏÂçî*9¾m@Ål¾­í@ÉÚ£BÌ'v3ŸûÚœ2Ðo+Ê
-&ˆÂs`Ñ1XבbþÂ)ò™´Àcî„b^ìD½©Á©»â‚õN·Äí_‰ÕÒsbÚ³(Èèryõ@:GÎÖî‹xé¾=Æ2ªbw)5K‹.üµÄ6ŒT0Ñ›wO¾Ì'‘ßßZZ	
-Ö:XyKœýuªIM×ù]GÌ;ñ¡Ñ^ÎÐèÏç¤7Ý-½‡P-¯ª¥=L]iV:sYËÙÖ+¢wŽâÝ[ê•<3ÏGMbÍ$š:ÖSÔ_j©j¥¡Lí2LˆMMoÔçbÕxÅó"–W#SÞp2Ûä˜m²³]Õí-g¢H4»9³ÍEm¥6¡nézw6
݆:¶F¤ÍdT©^Þ£†Ž…N·ÍÑcjf›P3T­ƒf#yÍƲԣXãTôt˜ºÓStAÚFÏÁYFPBFnÞ‘ßý|¯¯žá*x¢¼Å†¿‘\¥øÚñO£ÔˆÎk™g‚˜T
­âŽÎÔ0˜çŸK#…hE£žvÉ”Ëõ
;φ\3É‹'w÷…¶®Õ‡§¹óš¶7_/3Çϯ#¼Ì•[Ó¯ŒgT|@µ<+Úux1i2—‰Àá+²ÃfïE&pÂm^/NݨQ“9‘†Ò>BU¼[MO«˜Àä=´á!T-7ª³Ÿ]woÒºLT,K+_T5\yQŪ-Í6R‰º¹Ï¼|Ÿ=¤þ?¾ Aendstream
-endobj
-1303 0 obj <<
-/Type /Page
-/Contents 1304 0 R
-/Resources 1302 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1279 0 R
->> endobj
-1305 0 obj <<
-/D [1303 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1302 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
 1308 0 obj <<
-/Length 1171      
+/Length 1136      
 /Filter /FlateDecode
 >>
 stream
-xÚµX[sâ6~çWø:#ՒlJÒìtIKéSÊ0Š-@­±½’Ȇ^þ{%ƒ
k›n˜Œ-Yçów®:2LõC†ãB7Àá6tLäáf`+õìa€ök@¹TW}˜
¾¿·<#€‹]c¶¬`ùÐô}dÌ¢ç¡1)sx÷4¹|ømz;òìáìñi2Ø1‡÷?‹»‡éí§O·Ó@¾ƒ†w?Þþ<O‹GîãÃãä‡b&(.ï€NÇ÷ãéxr7ÍgãÙA—ª¾È´´"ŸÏsÓˆ”Ú&´ß1¾¨	Q`c3°:¶e•3ñà×Á/ÀÊÓ\´Ñ~È„ØrqƒmT1 oB×TPž@×ÂVnÀçpMs(9IÄ’r2ÊA"ŠÙd»y¡ü¦̵²ê!8n"Ýò“¿›ŽÉ2{A¢ˆ3ÿäÈ …=G!A϶œè»ü‘ÏsʼA…ðs–rYܲl¡óbT㧽-%Ô†'xu«TÝsª±2ÚžªýU»UlZÊq^PREUª$– “Y+hßÀ¬Ø FŽÓhÖ®_5-Æ"ÏtÛÓÍyxôLß=¡Ñ24ìÚVà6Ú{+(x×æ;*)_$i‹\HRÉ–;јìŠAÃ4‰D¥‹­rÉõ åaû½u®
-PäYвƒæ­±üz&Óò[$}€ ö±wÉœ2U\ɉ?[û„Ä"R1ñ÷ÕQÕl5²oA××uºÁšmqò„°dœ_þ­[ãä=5=6ä
°·%qº‚ýE;Vz-ÿ‡ryB⊸¾[ˆŒ†Í5MÔÓÉÖžˆˆ$×È/YLEáy!Iøç5ocJ–¬K$å¯$îhÿ5%\¾P";ÔM‹-‰JÙž”	$’…¢/‚L³T…_=‘tôS!"Ãõ"VoØÇöüæ’?Tn×v…ª±â\P	RQ^CËgÎü|ñéi†õ}1ÙP eW‡êŒLB®[
-Ÿ¥s_YÁV@9ŸELîCao¨b0oŸcLW¦Už%IQqŽÙ’]‰¢¯Dnùÿ%wmRwKOSÙµµÖ}‰.Ø}7®Œ§¯,jÄhÁšÓÏ[*d{é“v[ª"€ÈÈY7ÕZ‰Üxt©¸’mzz@Åz&’ﮀÈyt…¨©rÖ´é`"•¨,Õ÷’§@¶rÝ»:ÁÊKH°zŒ‘$R}ee„dD®	)­Ó©]³;ç;Ø,£Øo#eÑè’6™Š3ʹYÅÛJ_ÜÝ–q1Rµ‰ÉÓd|A-XÓ(`e}û¹ö¢u¿©j¦?sèŠèXiïj{#}ãmDk»©vjeG®íŽ-èªjÄwªwè¸ä%Ö_z«”3¹Þì«°¤ÞE”KnN¿´š>Ök/ôå§õ”*¢—&š_ï¼,@z4™g•’\ŸMaÌh"‹#¥Üq—k]ÓAšå@}úÕpì¥þ÷o¼úíxi+ù>>œŸa«r~†=Ú¾Ù“ÒšÚþóò4îœú}ƒ|Äendstream
+xÚÕX]s£6}÷¯à1îŒT	Ó§lê¤Ùéf·®û”f<äXc>¼Øñlö¿WXƒ³°&™éøÁHHçž{t%®.ÖüaÍ!®©Ù®		ÂDó£Òžä»›.Æ€Ý Põa2øõÚ°5º–ni“YËÈq°6	î/®þ¸ü2‡@'è‚C@,tñáöîwÕ㪿«Ïw×·7ÿŒ/‡¶y1¹ý|§ºÇ£ëÑxtw5ì,çë‰	×·ŽÔÓÍøòÓ§Ëñðaòq0š”¾TýÅÈÈù:¸@Z Ýþ8@Ðp¢­eA캺
Lb@bÆ®'ü=ø«¬¼ÝNmÒ$Žn7h⊀9Ð5][³‰-C7¶
+Þ…ÐEA}àù>]¦€>/§zµ¡bšðiœü¦Ú¹×Ò4Àº„èU˜YÂ×/&þ‹ROInÔÓK1Žq‘–£p{dÊ…jSÅ[¶œzAÀ‹¾eÂÓ²?o<¨VaB¸³·ýûÞl×ôɼˆÔó@P¾*iœ´õm¦ÐÍ¡æÑ^— ‰<Oc/¢?€{ÙÂíPjpí|ÏeÞ©C,åm)M]ÐèG!?§R•Üq¸î‘'RÊk+/BoEk=œŠeZáÙB:q=¤<Ö:ØSœpz"È=ÂÇEχîœi½"ßš…_îœ.[NÍgqJŸ8K7­½þ>ßÅgÁWïo“=†,~ê®’†ÉÄIÊf›Ú	”ï=*Ä4òR>
Ùî\ûÞ‚“ýšQþ&˜ ‰Ïŧ`}OŠù&„·ÈgÒnO¹‹Ùî$êM
NýŒÖ;Ý·%²eॴg((>Ñåöêt¬öîB,º2±YÐM>ì³._ä‹AAšÈ3V=`_Õ×H¤2´S)v&¥˜w÷Bé¼²€ØÄéœ
+&z[ÂÇP&5ó$ìoCg‚‚•	²`	ò¤N5ï鹫„ç"â#†Vï{DÌGÓýþ¿ßÕ’»ZÛC0”f¥3on¹æ°:ÿE’qÿ(Ø?±¥YIv‹¤Øv¡¡ÛDÂBÛ4Èõ—Z¾\yQæ—[64lÝl¤³w±j¼âù.!—÷3[^³”mó”mso»ªÛKÁD'èns2ZˆÚJ	Ʀcš”¨¦ÄØt¡i¸V‚t ptKiM­:eÜ6Gu¬™kCÝBz‡TŒä]ß­Æ5{±NDÞ*z¬ÿAôtÝNm£çè[° œŒ<¼“°ûç¹>¿úˆ³è‘òîù}Ž¯¼ðÇ(5g"ï¹LvAÊ"*:9†H²ô„íhà×!ºÓÈS.?d4î¼rÏäUž@ž*þ‚¶™ŽëÓ·	üŠþ¤yiœyaq'âeÂþ3óíJ>W­È$@ÖÕv¹hò: ãR rÀú ,yñ¦èÍ×ú¦:«A`^m¨Š¢òÀ8»»/P›2ap½,¯êF¥¼j :ºkïHå’˜ö!ó²X{Lý?Žxendstream
 endobj
 1307 0 obj <<
 /Type /Page
 /Contents 1308 0 R
 /Resources 1306 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1279 0 R
+/Parent 1283 0 R
 >> endobj
 1309 0 obj <<
-/D [1307 0 R /XYZ 56.6929 794.5015 null]
+/D [1307 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1306 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1312 0 obj <<
-/Length 2511      
+/Length 1161      
 /Filter /FlateDecode
 >>
 stream
-xÚ½YQ“Û6~ß_áéK½3•BR¢$6O»é&—Î5¹ÛnïÒL†¶éXSYrD9›Í]ÿû)K¶v7Ignü A>€4Ÿ1øñY!c–¨t–«4–ŒËÙr{ÆfïáÛ‹3îe¢ 
¥.oΞuÿmõ-Ðü‹õ™í®»‹¬i?#j½5
ç§Ã—MÝée÷eã'¦ÿÜÔÆF¦Ö‹Ê½3ö]Ó¾«›/Ö´*-‰Ô»¯ZÓgÓ6QÝD¶ÑQ×UßjБšh©—›o_©ï"]Û[½ZµÆZcéÓèá¹ï $–›wUiývüIàïOK³ë¢uÛlG£ÑA'cÞ>}ÈM#“ªR4©ò¯˜‰$V˜÷#ýù?>y.ø¬g¯Ñä4EÂs'„ØÃ3"úš]W6µ%¨ùµÓÙBbÒëOæwÆD]¢qt½"â7«ß?W2H|˜J0ñ”ì¹Ù˜Þ :8(•0ÊN•%`G"½œ—$sk:KÔ~GÏ÷U³ÐчeÁK×à3/Œ`ÍŠ¨Å=Æc"o6¥v4áV{a½ÛÝúyêê.PKC;#%šÍÇ;S‚“,›k|äs	ôíû}«É»ø
9•;2©æ/×Äì6€E¼˜ˆÆ!Òe±YJñÇ=›ÉòcÏþº•„]¦¹z'â„‹ªYþAämÙmHÂ@d‰†­¡Ïèxd”õA˲¸ªçÐʬõ¾òAw[VQn»à‰ÛŸ”?3	•Yrȃ"+¦Ë½Š†R®ZÜJi/…FéP|ãêhržBÌxöðì½ÔÄôÃÍà©Œ“T¨ñüUÕÜ¢ï‹l¾ï”;,øö±4áƒs0<íF÷ARP!·¬ß‡Ap‘\éN/¡ ÐrsE{èµÑn‚Üíœã4·õP‘ÛÍìV™:ÚL¯¤9%>ýc€	5_ì;b—kzoa@nôGÏì6ž°®|!Õ@÷àÒ³»¦*—~Fhˆ¨{yr‘mª½‹Õ‰CøÆh•à=°WpÌÁæœÏqM‚åÁ<«‰7ØäkÏÅ
€‘~ ßp„n}ÈÙšmƒmNfä° kËEåÙåvç&i>z…/ȬQe	
úÆeÖ]È,0ÈŽ`O†Š÷Ú*
-ßÀÝçÐâe,õ`rœ7GÁ.‹8a2!Ì«ák‚Å»²
±cwfYâ"nDzž²#åqžŠÂëvÑ|j”'.ŽÏb`ráPõßnJ—0÷ÒŲ›´£'¸¿mËVxèB:ˆ4QdãðUéÔ\¡â\_èµ<.8 ÄÐk´CQ‘Ç2gꞒɸîBÛ´L#ôëBdr–&,¾¿ì\!`⢘>UD½Æh¨Ò¡àظLÄ‚Cdôbh¤KÞ‰MÌbÖoô!:0‚TØÎpÜ÷ÀZø÷>aWX÷U>ÿ÷ÆÔ‡áSMx2h¸XoØjª²&1çH¿:™Œ`H
-CÀun@(“)1òHâßžÊIeÞ©¬q"Ê®8ÞáíHåZëç£Ú‚T³î嬙j©q=.9ÿĘÌEµczúŽ²01ë}:ê&, gu7¿v;ƒ›#ºòÞYùoùþ×¹é#SgýëÚî÷vë:"–L´{Œ6
ŸÃâ
¯X¼YÚlàÜ6ûjEäÂŒÇjìz’ˆP>bPžúã©*rÓ*xƒælåΖââbd}7¨,“é$S(*ýüÓÞM¾ïï‹WØ{Š_6FëvQv­n½¥¼E!¡,ˆd£uãÚohZúZŒÎÙ¡÷ ®-¾!ƒ÷°/‚š1àØý‚úb 1bÝ'·e¢o)††[†
-ékˆ
-à\cºÀsæZ¢»fj+Ig§Ýy$—8´l‰¤7	&]VÈùóÆ6Ÿ4dâHŠ½Èºß›	¯zøÒmèÍ¿†Eyñ=/ýÓ5öG£¡Ê<Ó¬P©7ƒ«ÚZ³ŒôÒÝ£šO»²ìÍ•Še!¿V-˜X®t8`©,à¬(ü€Ê(ˆÇÙ8qÜ âîRýToç,–¤èM¡,õçTW?¨/ƒs˾F©³åç©B—1œâöõ·Ãç\hô’"L}ü„jØ)‚êП)°‰q«ýªé\k‘†>îGRŸÒÀ_xFhè€5‚‘?
-[â½õ!¿Ö{K‰"Ôÿà swÒúÀ1«ä£ûŒç£‰Ä\•kؽxßÃ÷fa¿>ìâSêâåá–ïÐÂGi.|ãÌCã–À`g¸SK00žlEWþþÃ=ÆÑÕ;R®‘e´8ˆîû“2‘1þ³8qKÊúnã/ÿyøwz¶¤(Äôuk‚wÐpâFá.¤êØòþŸÎSÓÿ*Ûendstream
+xÚµX[sâ6~çWø:#ՒlJÒìtIKéSÊ0Š-@­o+‰4ôòß+Ù†Ø`ˆ1³a2¶%Ïß¹é¦ú!Ãq¡àÀð:&rŒ0˜ÆJÍ=PµìúªO³Á÷÷–g0p±kÌ–5,š¾ŒYôMF;æðþñ§qy÷0½ýòåv:ÈwÐðîÇÛŸgãi9åVŸ'?”#Ay9:ߧãÉÝx4Ÿ}Œg{]êú"ÓÒŠ|<ÏM#Rj˜Ð
+|ÇøK=˜6’íXб-k7~ü²¬Í¢­öC&Ä–‹[h£š}º¦‚òœº¶
+>€kšCÉI*–”ÀRe!¬†ÒMòBùM9?ךª×„`à8¸]6ÛÈr¨‡lN9HÅÇâ¨MˆlÃCZþn:&Ëí‰"^Žü[@ /€ö…=Ûr
+ ïŠ)žçµq‚Jáç<ã•Z,_è‡yùÔৣ
+ZJ謚OðêÖ©ºÇTbå¬oC›–
+/h¥Jb	.2k
Ms²Opµûr
 FŽÓêþ®šc‘gºÝM[ðð<虾{`²Ž¡aж·ÕÞAÁI›o©Xd|‘fr!Í$[nADc²-G
³4-”Ú“±Bè”K®-Û§¬è\—Kž-;>fùq&½§å7ˆN ˆ}ìsˆÌWràÏÎ>!±È@‰Tü³gõ®ê¶Ù· ëëúЂß§¸@wŒ‹ËMk¼§aŒ„¼ö¶ä ÎV@°¿é……BËÿ¡\ž’¸&®ï"§a„0ã´Eòœ'DD’åï_²˜Š¾ÂB’ðÏk؇1%)KWª¾KÊ_I|¡ý×”pùB‰ìPˆ-‰JÙîèÀ’	ÉBÑ—‚ÌòL…_3‘tôS!	‘áz«7T±=¿9ç•ïk/…jèŹ d<¢¼VŒ;ùùììa†¾'êi]b’P eÜ##Ó„ëŽÂGÛÁ²MÛ³PÎg“ÛÖP¨U>Ì»çÓ;ӪȒ4‹¨8Æì¦5}%rûC$$·9í’°ð,“—¶Öº/Ñvß•óì•E­¤9ýº¡Bv—>ø,ÐUÈ@ä䨛ºÌxt©¸’%== b½:f"ùöZWAõ˜«]‘I–é½äYÈF®{wCXÅÒL5ܑˆè+ÛEHNäz‘’u.ÚÈ®é
ŠŠ’ç4UÙm—¤M®âŒr®@Vñ¦Ö—w·»Æ¸|RÉÓd¼At§Q*À&Êûös=Eõn¦?sèŠèXYoµ‘¾…ñ&¢jªZ«ÈêØAUµñ­êúÆZÄy‰õ—Þ*ãL®“ʹ*‰>q©w»%7‡_Zm_ûµgúòCˆfz–ÑKSͯw^– ›Ì¶33Ëú «å„KýW¯¼ú<íý°ÑV6ñ}¼?*ÃVí¨{>´}R‘ÒªÚþóÝÁÛ1õÿÒewMendstream
 endobj
 1311 0 obj <<
 /Type /Page
 /Contents 1312 0 R
 /Resources 1310 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1315 0 R
+/Parent 1283 0 R
 >> endobj
 1313 0 obj <<
-/D [1311 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-350 0 obj <<
-/D [1311 0 R /XYZ 85.0394 612.8238 null]
->> endobj
-1314 0 obj <<
-/D [1311 0 R /XYZ 85.0394 582.6371 null]
+/D [1311 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1310 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1316 0 obj <<
+/Length 2392      
+/Filter /FlateDecode
+>>
+stream
+xÚ½Y_sÛ6÷§Ðô¥òLˆ€ AÍ“íÚ¹t®Éë¶iÆIÅ)E*$å?¹ëw¿],@‘íØéÌ°\.‹Åâ·»T8áð'™d©o½¥^›NŸWe«çíó懇ó¿T¥iSêYá¦>˜æºª¯ËêÙ–,ò§;ÄGêúE{úbê*(« ©tжÅ
+ŸPØXüæÝ™ò!ÐesÁ£‹Ú4ièÕhpÜk‰ùêºÈwÑàý}?7›6XÖÕz0t0çÓ›g›Täzß Q•ÇŒ@DL!
¼ý×|ùúB„“ÎÈ%š8D™Œ@&€ŠôU›6¯Ê†pï—V·f
“4p.Ê%ˆ£Ë¿6úƸµ¢
+ÁRB²4lÇ¥®V¦3¨U`ŒR	£Œ·àPY”EÒÉ5=ã¢hÚ˜¶!j»¡ñ¦¨fº z·-xh+ãé̸	Y5{ s
+#òj•»i{®µ֛ѵ[§,<57t2R¢Ùá0Nrð`”$SC:@ßÞlkMÞÅwÈ)Ø‘H5}·$f»,
+³©¡‰h²áºŒ86ÉX¦TøuϦ@òtß³¯@·’pÊ´VçD\pVTó?‰¼ËÛI¸ÆÄ#Y¢áhè5:yÛ¸ å	ˤʆQ»0K½-\ÐÝåEA”=.ñ¸ØA.æŒK(â,eaÈãñÚÃ	})›:nóy½“B£t(¾r@µ·xCÂNÂäéÕ;©‘åû‡Æ’E±PÃõOŠ¢ºCßgÉt
ÞÉ7˜ðé67þ…u0ŒÍJwA’Q!7/oü$¸H.t«g€Ph)Ì9§3tŠ‰Zi»@jOÎrª»²¯Èžfv«D
Ýké.Žîˆ1À„šÎ¶-±ó%½
Â“ß +}ë˜íÊM_HUP=Ø냷›ªÈçnE(ˆ(;yrQS[«#ÙŠðÓ.Á{`¯ñVÇá÷$xêÍ#±’x½@¾v\<˜é&º3@I(a÷‡œµYWXÙédF
+jš|V8v¾ÞØEª[§ð©
Ñi˜%Š °Ì¡àBßØ›õàoHdK°'}F`¶ŒÅJȧàêÍ¢–Þ›½`—‹¸Œë*Eøaò.šŠXˆÈÁ"5ÇMX܆y9fG²4™Óm£ùÐHO¡Ø¾3¥QÿÝ*·—k^ËvÑ–Fp]çÌð(Ðúë â˜e"K†'à²Ò¡¹B±TfÏôZʲ¢ï5:¡0C¦\=rP2æ]è!¼–qdƒæAˆDNb.à âô9MŽ`*˲ñ'è4}•‡Æ%‚‰"£C#íå9Ä„ñî wÑì¡BÀqúºX3÷Ü]Øæ}•N_™r7}¬hî+‚‹w†-Æ2kz)ßJ Ú]ʧ[Köx0
+:
+%%Ù²îF‚ýÛ
€ƒ½ÒíNF’ÂÂp­ÊdLAŒ<’ƒøoe‰¤4oÕ{Öð"J®8ßâí@åêÆ­G¹©jÙÉ5f„q.Yÿ0¼ÜFµe:ºŠr¿0ï|:¨&@Ïâ¡?iO'V{
+tá¼³pvÞrõ¯uÓ(F~(-háy¯×¶"âÑH¹ÇéÐpì'oxÄäÍã.aç®Ú"gf8Wc•Ð‘DøôùÕ%zé©[‘e‘«.9PÂëgÛ[ö“Š‘åC/³Œ^'Ã-Wñ·àŸvÆhºº¿K^þì)~ùÔ­ëYÞÖºv–bð:…«iADó<)+[~CÑÒåbt–Hvµ½´e¹p<ûsTŒ§ÙΨ.#Ö¾²G&º’¢¯¡d¨Þú¨À…7¦õTéÅ#qC«”½ º	“8Ù¯n@»Ù3»-ð›•EP9ÅVß7ô‚”8ƒ;àr‰fW4iW†@-ÅðØ]{tÜÅÿ´‹á§D7PÅqšîÊ)û	⻓ïüw
+\л°Þë×$Be%R»ù¶¹@Â6HØȳ»æbï\sut5úì±ê=‹OŸ²8üªÅ5ºÜq[÷êäûæQ›Åa¬xϽyÁ6Âýmœý?/žtüÞ÷¦þ%Fãç·c)§¾±S`Ÿn‰êO€I|Þæ]ˆ’­×±¬0oØ»üó‡x9›¾ËH×#‘l“7-®>ÖØB)‚JEèê. ]ñùÃê)Á £ó8'1ÿ3@´hÆ1/ÁÿHöÕˆ6ɲ¤ËôóÂèvä%œÁm×õU¦)‹“L}M¥ÿ2¸(›ÆÌ=·ßQÍý&¯Gks¥˜ÌäKÕ‚‰ùBû{OeÆ¡¹Éä*ƒX ïu…ö?û~T?Ô›@ŸÅ£ø	½1¤¥®Ï@uå“úèÛxò}½¿‹Fôeºø}Ý×á‘>
+½(óKïÿŸ0¢A
+¯š=ö'\$þs6òáw	ìoÿA·û÷Ê€(ËÄø¼?kBéBÃcµoy÷OÞ¡éÿ?Ê‹°endstream
+endobj
+1315 0 obj <<
+/Type /Page
+/Contents 1316 0 R
+/Resources 1314 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1318 0 R
+>> endobj
+1317 0 obj <<
+/D [1315 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+350 0 obj <<
+/D [1315 0 R /XYZ 85.0394 587.7171 null]
+>> endobj
+1074 0 obj <<
+/D [1315 0 R /XYZ 85.0394 556.781 null]
+>> endobj
+1314 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1318 0 obj <<
-/Length 3862      
+1321 0 obj <<
+/Length 3820      
 /Filter /FlateDecode
 >>
 stream
-xÚ½]sã¶ñÝ¿Âo¡§Œ‚¦O—;ßÅMsIïÜét’Ì”’(›s©);î¯ï.€H‰”Óf¦ã\,°Àb¿qÉáO\êŒeVÚËܦLs¡/›~ù}.„Ç™¤YëÛû‹›÷*¿´Ìf2»¼_õæ2Œ#.ï—?'“ì
-fàÉÛ?¾¿ûð÷Oo®ò4¹¿ûñãÕLjž¼¿ûë-µ>|zóÃo>]Í„Ñ"yûÝ›Ÿîo?QWæçøöîã;‚Xú™˜ôÓíûÛO·ßÞ^ýzÿ—‹Ûû¸—þ~W¸‘¯?ÿÊ/—°í¿\p¦¬Ñ—ÏðÁ™°V^n.R­˜N•
-õÅç‹¿Å	{½nè(ÿgRer„RõhÓÖêË\[–)èB>»+a’e¹k¯fÊò¤{,:l‰dQÔre·ßùïeµBȪ¤Žº#pQ·Ï~‘¬š]˜¯¤F[l|ëë¾l»ª©¯¯f©Ì’ö±ØUõÃ:Íæ	6¥Ÿ¶n:ä9l|&³ZK·‹Mñ†ITʺõM\þ.šýzIÍò©¬©5÷H@{³Ú¯ARΓ»¡"©®DÒR³Xnªºj»]Ñá„ ß:‰í¶©Ûj^­qX÷B]]ãIÖížÐÂjê_8—{˜x0¶›cþ.p÷(wUM¿#€à§ª|ö˜Ë†~‘_®±(öŽ/nt»»2É~ëè;ÐsÕ=R« <7÷2_<–ìDÜË…È.s®™äy>!ž„4ëc‘tŠ1õXĉ]¹¾¿S¶9ËRcÎSH#”ûz!¸}àrHúÞ	¢ÔÉs³ûBâ	° Ç–EGërÐfE¿]Ó–»'8´,*MÞÔµnêY1o›õ¾ó¸Û¢{¬A7PÂeêÎx0×±À8 BÖ¥ž™Œ+ž
eè¹Z¯5M¤«T%èHM ¢¥_ÚËæ}
-H
õt•Ç9ì·+„p[U$!F¹*öëŽ&X7‹°Lè"+MÓvÔr¬¹BÕqŸÍ¾Ûî}mª
š—ìÁÉÜÍû´/*Q]È ó–l·¯	up¶`>Á_H‚˜0§y†cÁÝá/í[£ûTF&w+B(Æð“‘²A£Ý–‹
-wS.¯IëÝibW”¦Ñ¹@À7ŽŸ-œÜ0BeŠeœç~{lŒÌæyæ¾¹&‰I¥b*ÏôPdHâRq¼,•Êdå ͆ž«Å#5ý DžúIÀÀLvÅ®ƒÃ‰1:HÌÑg™Ÿï‘Ì6vÎý8ç /*ЈñDuš4TÀfriΪ>Ö´¡ŠXHõKù2›4VBäLçéyêi„úÀXIÉ´ÖjHþNµO¶å”nC‹ÛdùêQ-¨s¿]Îì@ÛÙ,@hËEôOÿwS—í5Ù":\ÁO@ÏeÓDÔí~¾ôŠzéŽã™¡ÞnwÕ-GÉäÝÇÏŸoßR˜IƒAPâ Ð1÷£V;FSZ%ÕŠ`Ñ9^ÿìèЦ-?ì}ˆs°önª1Û§3'É£ŽûHŸÕP®e.“;í¨Ë… ÁEá÷Á- ”äx¦rãLádž:”Ð%/•4Á—ô±ðÀº!@éù±ðt¢·IÊ‘òcÐ`l,„‹šº+ &rVÌÅõ,~ÃñyÌv¿aE;b¾„±`†ŒðÖi^ÕKæ¿fǯG&K™5By„]½\àTc3A$-Dêi»ÇëÌd: ´eÛs'¦Ë4ËÁÁì<Ì„ñƒ¥V‰óƧ5m|"Vt€³ß0<¶<ÜÀ´`UÎÒŽX§Ä•ðÜ…€j@ýžBe¢*•'†B]vå˜o²–IHY<ïî:AΦ€€uI Á/ågØgàÂøuZ¶zñ@RîØT×,Ì”¥µÉÛƒã\ûÁMM-“|_îæ4-õiúé­•ü•ð²†}OEµ.æk¿Œúk²Ç,¸)’½ª=$±©=^t@ÈQ/ª-2<›±‡¨¤6²™²^Ÿ‹¯û*fñ).ŠæÝ?ÙS`ü†:\Tƒ@r¦×Áyî6Åzýr.Í¡3º)»ÅÍ—Ý\£'êŠù˜AÕðFß'•É<ù(@””…ÄZ=^àg»¸Ð!¢ÝÔC‚
~‘2õë47nXš§Á÷.ëöfd7rXÁN¹Ì–Í"‰‘ä9˹	Ö	»Ý˜äþÊʤ¡•aEÃÉ´2à…Uz”¾1®©a™ÎƒmuÖbr-àì2.Ãö|ü†B±n}•e-^7iêR	[¯tÞÔõ±¦M]ÄYü0ñH™áé+Ä#Öõ}–åF‘§¤Ü‚_‚kÛ-Dße½t\{竃oFWä+Ð$‰ËŸkô‹OøMö[e]¢»\Òg0OWAŽ¤,Yïý÷·ÿ9VØ„€ô)ê
-Îïó(ÜA,Ä£Dy±®\¾ lÖ·°Îæjy´¢\°TsûÊ‚,ãy’ùò·¤+ÎNpPOOoS¼P£Ù¹pÕlÄ`»½ûÈÀ.µUäªÃwŽqV4Wv@F[åÓi…+ xëë°{_Iœ3-s=´Ã¾ˆ›{Ør‡¿±kpÈÖø¤Ïæ¡r­y9œCÄ-RT7œEƹßx…3â'DVÝ›ð95:ðùO#4 eUþûŒÃ0þ¿šåZ$?Â.wÏU[z.©’#ìX½E…“ÀˆÕqIe‡®—Á§ÆYà´&¸¹*°oŠÅdËcù5–ÕÆ€#âLeVŸåh†ýß8¤3ë"c\¼¯ÂÎEKuO„è3•BÚ!`ªaÒí;Ž—`çEØI›¤±þÀ[$Çþ–@Á¤!¸¦Ø‡.%î€Ö„ã¦ȮËß*ðü®0ˆí~~˜Ê&ëê‹w\ayí	n¶oÉÁ‰"J•å€œÿ7K2bHÖFï•faÂYÆS›oat™aÄ
-çíÍÈŸ‡322ˆÆÙÃÑàO0^8y¬¹’+øÓ—fï]mŒ½àcßÆÒÃÁÅû ,D€OÅ®ò±$||vðÔË£°K“þd’¥ékþº5í¯#ÖA[}9a$[…vÄ!®N³õ#êÎ]K0®ï¨LæJS³ïÊõzãÄ9XbD¡AséÂè%[òíΙ ƒ$›‡ªÍÃeàñn5:VÛË0•dLñPá'VnX“¥ÓA‰†t$£Îé,5ÿ]\€×Ì¡Êí¨‘Tém‰H¼ÄÅÛ?™¬›bé!aŠP u\’ƒÀPE¨g´bÙœ­Ò(OæLm.Ü5¼Ù‹÷
šOÜq ÂùadŽ)õ!s<˜ÖKïƒ1í©UÄ<6¦zŒsã“z'b\ØWªd}¬i½‹X.RÀ+ÌÙáâlph™½NôH#Ľ§Äth@ý>š¦ðë¢.Ç4¼
Gä’èÞɼ;¾È¥œæ–LóԾ»ÖÞ,gÆ÷›íëL‹ôâk„úyK±’5 ¡~E/;–ü
-]<´¡ï¦·Ò[O­ÿ¢Ba†7>J©ê¶sWæJ=zHËÆ“ƒÆS’ø6c³tèé±Lí5Vµœ0Rg²—¦ôücŠ£Ǿ&êÕhÍŠ°y¿Ðx|ÊŠ#¾—b0Zó‡8ã¬?¥“ˆá§€iRk”ƒ@²Q†¥‚™T‰þ•è¨ªθÒúUéaQ•€åêå¦íŠ¿jÑNéŒÊ˜Â˜øì*"ÖÈ2:[V*͇ëð.‹÷tÆ=ŠYõ/¤
:ÓŠž›²«:ç^ 
›£›-ƒ†¨xnâ†ý<þíKãÛ@4ܹ6”J"(<ä™a¨À•
ãÉ3W k¶/ÎÌŸÊX¶V:3=
›ƒ!x¼³ÓÇš˜ˆåªõÕrBLŒe ?ê<é€4BzȃýÉl6$}?~SBv5?\¤ìjïvå`Tó(#ó÷7¾j¼([¸{®s0Ìéiv8;æ朻ÊøÜá•	Ý.ÜrÌJceà&¼uÀËÝÕ@~p³Û×7N:è?ƒƒK†1z6i¿¨
-ù+q?¹Må=B «¥æ<Ü`Ahìé]ÍxÿÞúžw	“þ ¤-k?¾­êbÝÆnú¥–¤Ñ‰óXµ¿§5i¸™1GÏ“R‘&Ÿ©d„¨#as–B¯ƒ†ôäÕMéîhæ
?!Ž^V-Ç-
ñKLz“f´7KÚUîßB)&ˆy yÚK„ÎÃõ”û)ò£û)Õν´ÒÇß®ñB¥.—¸ûDÒˆº¤†ŸÝúX~)’Þ4OîyKªtâ¯è­¤3¹cÔ)Ks9Á8©ûåf-âé"pˆèÝ‹MT.}pÀ žøj"ÄG`v‡ƒ<Úʪé'Ù!J!FY/ÖMÞÆ—ˆÍ>fÙ_÷À€vÒ€‚¡’J¨óö³‡4m>’¡ðV
3Ç)W+rÆ9Ø»sä#Ò)ýaåøfr=XùY­û~V{Ö(êX§vWT@ëÞ}“±é ÿëÞ=d©ÊØáž@«WÑý‡,îNk/¡ž=r!mx‘ã*xY8Šsßm†JÕÇDœ+8dÏif{ï0?žÓx…Pçý
-áÿ'ÆeçÖGœeÊLF¡²£¾Î*~8û‡^Èã“c&\¼Ì
¸˜Ä/
-®ù©:ú×â§Kÿ~óä›endstream
+xÚ¥]sܶñ]¿Bo¡¦>
+	˜>9¶ì(iœÔV§ÓI2SIIß‘ç#)YýõÝÅ.x$Å;¹ÍhF.X`±ß€<ð'Ïu&VÙóÔÆ¡RŸçÛ3q~}ïÏ$ã¬<ÒjŒõýÍÙå»(=·¡MTr~s;šË„Ây~Sü$¡
+/`¼ùåûë÷ÿøøú"ƒ›ë_>\¬”Á»ë¿]QëýÇ×?ÿüúãÅJ-ƒ7?¼þõæê#u%<Ç÷×ÞÄÒÏ‘I?^½»úxõáÍÕÅ7?ž]Ý{ïWŠ7òåì·?ÄyÛþñL„‘5úü>D(­UçÛ³XG¡Ž£ÈC6gŸÎþ>L8êuCù'E¨¢D-0PE#jkõyªm˜DÐ…üÐtåÅ*‚íu÷Y‡-
­r!MÀÛì‰àk4ÁvÙ>Û–]¹oç“ð¨8ȳ¾åySßömÕÔ„RÝúA%SÈÆt«ðÛªíÊšç¼möÈqØöJÊÐj­Ü
+˜†Ýòª¶ˆƒ‡ª|l©ÉË‚V{ Ÿþè ­ê»
ƒò,¿/A âTïš=˯Ùv·)_ÁvwÓ–mùŒXQþ.„ª¹ãÈâÚ²côæ–Ö€›ŒÕÒiÑñÙ
+¿!+a¹5hþ®ßó÷aguûÈÓHG“ç+©ÑÂqRëK_¶œì9V‰cpi†N³1Á¦äi릛u›}†aÊ•²n¹‰+Àß¼é75ˇ²¦Öš‘€öö¶ßà©\w•Au!ƒ–šY±­j•}Öá„ =ß:‰í¥i]mpX÷D]]Ã$ë¶÷rA«©ñïz˜åõ¤.ÇÝ£u¨jú]8³¤8Œ†~‘_®ÁºB£Ûý…	ú£ï@UwO­Œ~a.üp'ºs£$ÃTÊä±µ¸ÏȨàú–²%¼Éd¤lÐhwe^ánÊâi½;Mì¤iq.0äãgKgG÷ߌˆ’(L„Hy{áB›¦	#|÷Š$&VQ¥‰žŠI\,çËŠbÜ:H³%„Çû*¿§&R^ä©ŸÌd—í;8£½Ä,c–ñ|÷d¶±sÍãœC‚¾AŒ'ªÓQCQJæ,=m¨ÆXÇ
Õ€…T?—O«£ÆJÊ4Ôi|šºGZ >1VJ…ZëhJþŸ÷Nµ¥vå”nKKØ xõ¨rêìwEæÌ´)8°pnùàŸþŸ¦.ÛWd‹èp¥xv`z…r0Í€ºë×O/«8df'µ¯h9‘
+Þ~øôéê
µ?» 
ƒɃ@@ÇšGÝ6}*éˆB'€
ÎñÂûg @„6µoñ°÷)ÎÁÚ»©–lŸNœ$/„!Ïô9šÊµ‚ÀoÛ·u¹ ¸(ü>¸„’Cpjœ)¤hÑ(@Co¼¢ ñ¾ ÷ë†%ó#gº‘mRäHñ˜#qðp.hê.ƒ˜ÈY1cÔ+|ø
ÇǘmŸû°¢]0_ÒX0CF²uZWuºÁ/ÙñW“Å¡52b„}]ä8ÕÒLïH3"mw¾.šD{”¶l1±82]¢Ã¼·ÀÎÃ3>8j	¢rÚøŒ°N58ÀÕWç–G˜MÏ)ÚÖsâ‘ðÜ…€jBý†B…ÈREi0ÀP¨![òMhÁ ±dÞ]w4‚œLkA Á/eÑØgàÂøuZvûÄ@Rîtˆ¬¦¸é*ÖêFš3eélÝ ”pRɹ=s>òòVT\ˆú®]xm†ìßãD’nÂw[bžÛ-­HÆi’ß²"
Ù¹Õ–QG!*ÎLÀo]–EYü— ‚ªcèm_çxpÙ¦rÉË0Àë¾Útª;^33O»äóhŒµQ‰8Ã4Š_ðÇc¬ã*1`¹Xò]Ûf»j•ïa×uWe›gê¡Å6Ö§×1`-,dâšæ¼Üd%.葘ÿ¢£uƯœÓ+^˜ƒQæZ`IŸÓx
+°\›}!¶³P`–ÜùR„–Cæîòí’]±!„ÑTt×xî’½¸‚1ï?}ZÝ|º~O`¨®ÉÌ”•µÁ›ƒãÜðদ–	~*÷kŠš–ú4ýŒÖJþJ²¬aßCVm²õ†W€±ÃxMvβ7Uµ‡$6¶óe@„u^íáˆÀlÆ¢ÛÍ”õr~œå_újÈâc\ÍÛßÍÇÙS'`ü–:\Tƒ@r¦¯¼óÜo³Íæéå4ç²ìòËÏûµFOÔeë%ƒª!á|œT¢Òàƒ§QRâ;hxŸìâB‡ˆvS»êÑ–@¿+ó:ÍÄ›DÞûÞ¢n/v)‡•âàT‘ËaÑl!’XØIš†©0Þ#a·Ü\X4´2¬h8™ŽŒF…›¥À^†_-×Ø„‰N½muÖâèZI–òÛãø
…bÓr•e=X¼î¨©‹°‚ƒ?=iêÆXÇMÝ€µ°øiâ‡FÄ/°¨Oì›´ajôŒ<%uàx	®ív}—uá<¸f竽oFWÄh’Ä¥ÀÏ
ÆÅ'ü&{†­»².Ñ]4ÂÌç‡AŽYá³Þ›Ÿ®þµp¬*
¥2]Áù9ÂxÉBAœ%Êù¦rù‚´ÉØÂ:›«iälE©c-첡HŸÌ—_sHWžLÏ¿±Ñì‰ÜpÕlÁv³ûHÀ.µÕÀU‡ï5âÜÒ\Ém§;ÊJWAðŽë°{®$H!B­ÒÅJ‚M™¶Ü!ÃïÐ59dk8鳩¯\Ak].çqËØzÕõg‘Á¯pFü„Ȫ[`³>ÇF{>ÿe´l”~›q˜Æÿ«TËà¼Æx¬Ú’¹¥ti§ãT±:.EÉ¡kÂ%@àÔ8ñ\‚Ö.E¡¼
+ìÁ›bñÙr_~¥FQÝa¸À!ÉTbõIfØÿC:±.2ÆÅs]v–g-Õtz$D_E±c	SM«åŽ°ãáqv^úø°IËl‘à?Vø[y“†xHàÅ>t±`(q´Æ7}b>\~õ·KˆØöëÃT6ØTŸÙqùåM“mv³cKfH¦y¡eb¾åúOAB¹ÚâåßÊÏ·MøÜâ[œ@^è‘üa³mXpòp@Fy¹8y2œ	ËE#WogúÔôìg‡À>úv¨;ü;G`>ü{Èö’ðupØÞMûk´â¸³èAÒ—œõ넳öXU¹çZÂBªþíkxô…<ìÞ°NðÎc93ÞowGX'…µŒ_ >`-PŸ2/	c,cMÈßøXh\ÎKž‡J¼BLàí¬¯S€ƒ[igãŠ’é¬å/ª&x½Á!JU·»/Ï)ï!
“ðƒ–ó™ÐØd·`š5VU¬—£¥5ÊQFþqŠÙmãX'ňj±fEÚt\eœŸr$_Ês,ø¥V©?~3®ÆS:‰˜^pJ˜&¶ö@Ùd¸È°X†&Žäø>tIUd)€R/TâÇXÇUeÀrÅrÛvY±_•·Çt&JÂâ“«°–1ÑØr„µÆÉ:Øe‰‘θ1·ãÛh#åÈÍÙWs/ІÍѵ–AC”Ýù7Æy~øÒðK…;÷¼†òHùW<+#Ї‰bü9yèš‹sȧ²”ê“ÌHÃŽ	ŒÒ‹P˜|B`FX'Æc¹R}UcCПè4i´@zǃýIl2%}³|MBv5=Ü¢ìêèjå`TÓAFÜMMÇ—7\2ÎË–×oý]¦€)½«ÀgÇÜœ“sq wxbBWK×SÒ¡,pé:`‚eg5\îûúÒIýá –2á(…„&WT!y%ÎAãW·©ô Gt…ÔTøë+ha=£{ÆáÇvÐ÷˜ÑSDÒ„´eÍãÛê®Î6íÐÍñ /íyMA8Uó%­‰ýµŒ™½MŠe|¢z¢.„Í	¤~È81—W7事i78üDú8º¨ZŽ[ÂKŒzf4›%íÊöw\Åï¡ÄÔ“|ÞKÕ„®ýÝ”û)ÓÙÉ£¨vî	 U»ÆÕ¹\ÖΉ¤uI
žÝr¬¿Io›÷¶%Ž4¿vÅ>w¦Œ:ã4òŒ<Â8PÐQ­ÙE‹¸@úü‘žr:Šc€ñ„Kˆ0¼À³
+8Èg…:Ú
+?-§Qêb”u¾iZÿpx†ØôC–ý¥´á±gËeà[ã&Îý‚þô“æÃ{o¼:5F-[C•Ð˜„…ŒÐâ¹éç·ÏÏ—þ_»Z¤Dendstream
 endobj
-1317 0 obj <<
+1320 0 obj <<
 /Type /Page
-/Contents 1318 0 R
-/Resources 1316 0 R
+/Contents 1321 0 R
+/Resources 1319 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1315 0 R
+/Parent 1318 0 R
+>> endobj
+1322 0 obj <<
+/D [1320 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1319 0 obj <<
-/D [1317 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1316 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F39 927 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1322 0 obj <<
-/Length 3700      
+1325 0 obj <<
+/Length 3755      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ6òÝ¿Bo•g*š$œ{r'—^ãôl÷æ:m(¶8¡H•¤ìø~ýíbIQro.žÅX,ö
->ü%=_¤Ñ"I#Oú\äÛñc/ÆYY¤Õ뇇‹«"Y¤^‡ñâáq°–ò|¥‚ÅCñÛòÝ߯~¸¹»\…Ò_ÆÞåJÆþò‡O·ï	’ÒçÝ—ÛŸ>þrw}™DˇO_n	|wóáæîæöÝÍå*P2€ù!¯pb‡O?ÝPëãÝõçÏ×w—<üxqóàÎ2ëË®/ónõ»ï‡•žž;ˆBÏ÷e¸.~D‚Ú¡Ah¢ØKU,ÇD¥H‹}?Qt¤Cë
:ŽW#!š,¶
-‰yI‚pÞt°Î˜‹…;®Ëºøª_Oé	¦ç	pX3Œ‡3)¢pL‚1a’G˜Ä$GÍè㤆P¿Ö€@·eÁÓIà`x½/«~…
-`ÀÆ8tÆ8`OKx;#ìÍ3¬ÀcëWú’¢¡ºú ƒõDp
-¥Â±
-e—ï»ÎIlh$6#É*ZÔ]§óUÕ4_³q¬ÓpµÒOìP3«>}VVRøÆæ ÔØlŒmÎHÍamœ±9	´kF®tŸ_¡x†o3‚«8tVð„Çqà©(–çxˆuZ€–ñ}Ú0}äa‚‹–ê<	k††±'àÌ“`Lù¾ ú>èßX‹
çû ]ÖÆMAëeSæÆ´ ¶ì/£ÏÃý§ÔâSŽM']ë6#]äcñ ¾»+#ä37
-RŸxq$Žm<,-CÐ%MÙ=¢Ôc•Ø=ºý®Èzž°ªf¶Æ©Œn4ˆÉJÁn¦NܨUw:¸Q˜P^ËyOŠÂf–Åú9k¯Ú}}e˜pÅ,EŸ¡0Ò‹‚$“ø»/}´
Sqóa"{1Ä©ˆƒ7ü–E_
ñgÄnºêÈk‰‚ãPyÑ=I67Q#‚ŽÅßb½EÇÑjHÞˆH—Y†{M»¬…Èm_e-ÁéÊ``h,qÀ(
-ÀÙÄND
--R’„–ÿ$Q«]S•ùÜuÅÀ
-eÃ2–ôœï¬T¨¡ì	@¬ìUMžÍI¨žŸúVtšaºñ"M=Ja5%›émCá”
r(Lr."[7ûÞÚg=ê¬ßÓ4D,8ePe
-úoDC¬ÓÕaMª±dSyŠ1‘³8¬
-FòC²%ñ˜ŠRAÖ
¤Û#ÄX!l·¡A>PÈT"È™J»‡´QÄ^3ecÇ&Ʀ'8tðš© ¶ù=##2+Hó V'a8yD<é%Ú?_¾á‡XgîÑbMî1«žŽ½"™‚"ŸÝßaÍ0¶&i0¦À\cˆ%ì߀CÛl±KWˆ`s…0WˆÞΠ+Ä1w…\¡òýå¿.!ʪ² Ôç¬Ú뎷´š‡Í6ËWÝ&à^#)©Ï±d~bêê®ÌX5å&‡26ÄA„šâÈ DCæ[SÐȶX¸IèpœüŒ„WÁ˱DkˆJÑ\ÌÈØÈ;)c8ôP¼!b¤Óf‘þ·ÈëÜþ‡À눀ٸkH…]¡†]Ð#obS_¸°+”6ì‚–
» I È…]Êès¶ Ã1 RØ ŠŠBÉQ4æ#/‘z¾/ä4,"/¢bOªhb9fƒ¥Ø‹…ˆÉŒ(¨ÈºXhŒ\l"ˆ)Œ0ãb1t8ø¸¿àb“Ô9ä7}l’úòm+Ódìb
½Ä`8ÀÁ™šãQD‹k¼(•)Tê	_&Çü}k…žÀ<í¼Â°ÎhŒÅBvMÛŒÂS–³»:¬™mÇ¢ò„%ã}¹6§–¿¼ÿùêáÝÏÔ1Ô@òÝývMå7k| q¨Éaþ¬;B¥ûWŠtùŒE5"«g¦Ö…ƒ¾¿½§©œo÷MÞT¼W›="4G¿¬"Wj
-À‘ÄÁøÙkµ$µC³	)Q‰ ¶°mVÖÕ+Ãê(¤êSbãµÄQzÝõp„¿A/Lb‚@ÅDæQâ'Ž5ÀD^³ßdµ¥sl¿IÍ_ʪš¤ïkmãC[63A|óf»Ý×en2*¼€WdøOU³ÎxI`ýI§ T*ç…|ˆuZÈ–©›‚4ÛU¡ŸË|Æ'/D|~{‡5³ÿØ+@ø˜Fé˜#íAê/»†´=ç>Ú@ü‚©"Qܽù‹ß5#‚¸±nM$Bóàfº
-~wm¹ÍÚ²bp­uaW5‡
¸ û›wŠ@ü©t,ͳzæî{Îþ÷ÆiAô“uô}øÇͯÔuª»Ì$…&Fµ)Ì—9u\Nîû\Ÿ‡s•Oµfäÿ4µÆâR$SV*ƒ¹ã…
:Æ-«96ÁbÖXê6€åQ㯌	ìc€±Å¦ÿH¬ÜRÏFF"¶:YA½áEr\(}.›íK&Ä~3Knk¢-ÀâáîË–LØdŸ™Œu8‹§D-z €ˆÅÖ%…pho²ŽF×÷i‹ª¿m2SªD‹–ÐA›LCrTÙK¤]=ØFÀ3¡05g‹|"B}QÖ+_Áý\‘ÞÎy{ˆ
"›Póí‘ÄÒK£hòn‚¬ƒýgt¯a”Zn@‹œ€ÑO#£Ø¨Aì¨eìçKÙi䃟ZŸ0±>aˆ¾.´”ÙÉ1ß“®Îä<ìÖg_Q`±©;zÔyOýbOB`ÐÜdý³Mâµ².ûÒÞ¼©ñ–žöí ߯šŒß;ì[ÉÁŸøEµý~ÇÖ¼ÜZ'Pã§ÐSŽ„xÀ.ßí×ðÞ<æ`ŸpÓî¤Sˆä°qÖ	±N;‡e"V?ê¶ÕÅê	%ñÈøø
-£Îïï°f˜Öç”Á˜£;jZ9S«J,«’Ÿ­Ýij¡„_‚	t
ÿX˜Êêð5/¤·eïVZëÇCÝá`†žH+h^'Tx %+ŠÒ椠U ýcñB1²ÒÕ
Ÿ«ì{[F€öu(Ý,›æ§‚‡SïãÄƬ¬VF³š—fn™×=éß~¹½Aöœ3ðç*
-ß(V
±Îˆ™Å2:ß4=h|¥ŸŒž­ñŽ* Ê“I¢ÎSá°fÈ	›‚LE¦Á˜Ž‡KŒZÌCi¤P`ÎÁ¶×,¹Én|®ÂKn€%/òðÓûŽÐ‘Å}³#p¥ŸuÅÓŒi;öžÊV`9«¦'yJ„Ó‡ññÓ 2³2µŠ›þ–Wû‚ïuÆsN³ZJ1ÞßSÍå¯ÔüZïª0ØÑß@Þè×<ºÍ
-=áØå€ÁÍ‹v¦ÏŒ¼òC¿c$ÿ耸	-Ê@yÏ¡ÓÈ™ð…ìm’Ž´§#;vzEøa1]fË8s…lÓÖË ~CߣKG §F9VŒ¿IÒ%£m9HÑÅ€ïp»Ãò3‘Éí¿ßù|ýéöØ tC
wo ;òîöúóÍ	ó€µ|{z¡¬Ÿä!C„¥™9™¡K˜-EŒo1öí-ÆRË%¥˜”Uæ‡Ú
¼)«‚ð³Ëž¿ð¯4`Rõ’½ò».Á¤^Ø3Òhˆëu»-k=›Äm4y!éþÍ׈«iCâf8ÍCˆ‹=b4†‡Ç>Ë´ˆ|k'“øË£Ÿ¹Ü¹&&Þ¡ˆY’é&3‚ÂÙ<Ùª¢ãyNð$¹;ýÀ–´äÄ,ÚÒbèo³è4R
½¡dÈ=H÷hÑ,\J<¿q#1–û¥7PÌ9çz\‰KàwrHç-s¡i™+Âåݽ.ȹÓãäÓOŠ-ý-CááõúÆÖ±|´Õóâ1]Ç&gØ^¿¨TLåÌ9Yê!z¦dË诩±(û^
r¿ï7Xš%LX`‡r&ߪ@‡@xßØI¼XùH£
-ÖîÖÑhdê\[$¼u³Î†AVaÌZ³ÅîAz¦¶¾«œ®ŒoJFrym–ë,®Ù>)LZÍÓ©¬Èå@¸¡¢špzØNY&‡éxY.ï«¡‘æågnꌑæüç=ôK[óÉLôI	IÇ°|£ó¯žÜõ®ÒÄ&ž]Yá›yÿ:Ž&áÖ9«]zvѦrsze)a­±V{èAÖšUŽMv1ö
-ÿ«Ü–UÖãE–lÅ`ƒ%Qƒ­-6²¶´XƒKƒžÞîŒxGøÔWØySÕ
µôج×Ó—„,¢'Hµ\Ö£áQ2Ã6™#¦pN|Âg"ì#÷{}û+W;Nü¼UH“:æ¦êÿþéëáwÁQB¿‡šÿ¡›{*LKrã¸ò.Dß*LfHÿ/RÕ6
-endstream
+xÚµZ_sã¶÷§ð[䙈&‚§OÎïzmΗÚN§$”Yœ“H…¤ìs?}w±ˆ¤(9™NÏsC`±Àû—!ü‰K­‚PfñešÅ
+…º\n/ÂË'hûx!˜gî˜æ}®/®?Èô2²$J.W½±tj-.‹_fïþzóÓãíýÕï¾Ü}øôñçû›«4ž=~úrGäûÛ·÷·wïn¯æB+ý#áD‡Ÿ~¼¥ÒÇû›ÏŸoî¯~{üÛÅí£_K½"”¸ß/~ù-¼,`Ù»™iuù•0Y]n/b%Ké(›‹‡‹ø{­¶ëÔþÅJ*Š“˹ŒÀ“»¡‚]›§*I¿Ë‘˜ÚeÇ…»Ü˜å¾iËêiþkF3^¶ˆU ÐûHÏ5!‚ì‰ ,VŽDx\Üy5Ûåݺʷ\«Wôí®ÄÌq°ŒDwÄÖ4Ϧ¡r±ßîÚQûï{Á4¥ñ
yG¥¼¹zÆl°T­ºÍ+‘¨ÎD¤—µ©pàl`)ZÃÚE)Ù¥”UÛ5Wz¶_v¦ 8u5}þ¶ü})»54:$¦ˆ“öÕOU,‰ßwêok¢•Â¶RºáìÓŠ:VuÇ3ï̲Ä4Å÷,mgVù~Ã|eKSŤ
+‘iž©ÎɤᄸåN¦ñub̦"
R!ßvë°ÎØvyW¶]¹lO";
+ÂkB†²ã$Èt¢†BXhË0îAkm2D‘àpeOt¸FÎ|·3UÑrƒ_÷¨ék±iÙG8ì3ümkbÝ÷ί¿©s™aª!À	2!!Ú‰sAÑ'$& |‰ØÅ"Ñö Qf/š<e"O vZ„bˆÄSÒ$Y ÓT2oYÑ$<›ô[¦à»–Úzj€%*Y
tuóz%„pËÂõš JB p[EökU7Ûœ¯T½]¸ƒ"³÷/a»lÊ…Se5Fl¤`øPd°*è0ÊŠÔØ<]Rᾇ]Ï?ïw8Æîñ¸(ÿ¬¸¬+gã¬ØX")d„¡Htt‡<×rvVu€z	´ÌÎkŽÓiÅá˜pºEY_Ík{Þfgg÷LÇÓOXÃh0?YÃ4í[Ã4!5§Ç4Y´ Ü”w'¨Aób_nº9Bß’­ZhÉ×iEê¹FªÔj²1žÀZ‡	(‘³x®		xJFqšE / “¤Ý°À®@FžÛ$1’H÷Ù®Uá©ïï¨+GÚ]½¬7½$À¦&#õÜ‹[SÎé•'JìJ¥@ØìhÛ¼¬(Á­Q	€„”qJ×–ö2ê ši;XÂ_ –›~1ì]r×i{.›+ÔÛyažËå„Y29?½çš˜hÀ‰Ìâl(€E»ÈðÍnû’ë¨ñªŠ ¸{%î/~Ìp/˜â8ü˜4Fõáv<¿»¦ÜæM¹areLáFµˆÃÐÃí;vHÀ‹Ä%àQï0¶0·ßs`oø@yKßÇ¿ßþ›Jpª6·¡¡õT]`Mºôå’*>2CÎÉúʧÊ0óêÊ`Z)V_*˹ã-;z/ó)@[—¹„³ÀÓÛ˜µöÊ*á¬.¶õmå–j>="9=³Öɪõ’½CrâÝN_² î›;pZës…½-îOñû¾lH…æ™ðÄø§p°`”¨DಸŒd/ù
åuÞRëé«ù¶Îm’5ZJAnR
éQN/uÏ}À{ÐÀgb*N¦÷$x¿1¾¾rRÎçšî픵ß va5Ÿ!V¨ ‹ãÑ[	nÌ{FçÅ™Û
(‘0`!ºï‰b1Š…
+`G%«?_ÊÖà>„™³	#íEhë"'Ù‘Þ-#
å³MÞBÀl]þÕ¾‘BÑXs´2ËŽêÅž@`Ùü»Äþà³%ã7в+â]ÖžÒÓ¾éEý›:ç7÷>r°'!zQM·ß±6/·ÎTÅð¹î){BÜà†o÷‹öÞ>àØ—SË„“¶'@”D³7<>×i#๬§Ó˜•iSÌŸ‰GV Ä—}~~Ï5!À8K§µC	ìÝÑãüa”¹©ålSòƒ°u¯;C%Dø
1XÇH7ðÁT¾î@_ð@f[v~¤…Y²?8;ÐôD·ˆö]BGYò¢(]d
+·
+nÿ^#‡®¶ÿDåÞØrúš×>Úh6ç^†ˆó7ø²®FóŠ‡æݲ/z*¼ûrw‹ÛsfQh8Ê7`Öã:3Çeï|]wpã7æÉÞ³y.ÞQT*Mõy)<ׄ°iˆTT&†r<^¡×Ð`¢éFJ
êt{Å`XÚ‰èÖæj<„¡à–Xò ?¾o‰·¸«wDÞ˜g³áî5ú´-[OírЃŒUÝžR$bœé°6~ìDæS»>ÜÌ·åf_ðyã	¼ÄT°Ní€ï(u†,
?ÑûdVÌ7¸ŠGónÝæ…¶°ór`ïæÅxÝg[^ùußï$ÿÒ€¶JÞ—ò}§ƒþ)Ü4\Ÿ–H‡Î@¥c_„ß³Y5׸oÆ™ä¯é{têHäØh‰ékpÒì É`Zö2´1`<üì0ü„kr÷¯÷_>ß|º;ÖmÿŠûçσ"ywwóùö„~Àä>»öÍPÞ‘ž&ÂÜÌ$hè'vN™ˆá1&¡;Æ„\R*ù°òý9‡£¶½ÁÀ¯ËMA|‡ÞeÇß–Zø·Ðió’¿ò»NÁ_X³p´Âu¦Ù–•™ãÖ†Õ¼TûµxµeÝì–Cñàäbö
+ýÅcÁ%ßÒšQ'^¤ã
+èÇ-_nˆ†¡w$† àÀpabÏ“¶*Zîç‘'!ÌÝ™oDv¢¥'zÑlC}›w §…5Ôú $6þe´¦;ÔiŽnˆ%™ž‡v#µªë¥ë×»™w"猉á{grèÝæBÑm®Œf÷÷ôÊ ¦VO?)#Kæ[ŽàáñºÚe˜±\¹|}ùãÂ3,/^{Rj–râDõà?S¸e/°Í²h÷n
¸ßwkLÑ¿§w-°BQSè®P‹@zW»N> endobj
 1324 0 obj <<
+/Type /Page
+/Contents 1325 0 R
+/Resources 1323 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1318 0 R
+/Annots [ 1327 0 R 1328 0 R ]
+>> endobj
+1327 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 734.5663 314.5963 743.9759]
+/Rect [250.9056 692.6472 314.5963 702.0568]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-1325 0 obj <<
+1328 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [108.9497 634.1305 178.334 646.1901]
+/Rect [108.9497 594.2039 178.334 606.2636]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1323 0 obj <<
-/D [1321 0 R /XYZ 85.0394 794.5015 null]
+1326 0 obj <<
+/D [1324 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1320 0 obj <<
+1323 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1329 0 obj <<
-/Length 3401      
+1332 0 obj <<
+/Length 3388      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZÝsܶ×_¡ÉK¨C 6OŠ%§Jc©•ä¦™$Ԥ㘗#O²ÚéÿÞ]ì‚_Ç;ÛÓñŒ–‹Åb?~»”8
àŸ8•¯Ò0=MRéLjO—åIpúk?ž¦Y8¢Åê‡û“ïÞEÉiê§*T§÷^Ú´§÷«ß<å‡þp¼·7×ï®~üp{~–HïþêæúlÆ÷îêçKýx{þþýùíÙBèXxoÿzþ÷ûË[ZRÌ㇫ëšIéçÓÛËw—·—×o/Ïþ¸ÿéäò¾;Ëð¼"ˆð žüöGpº‚cÿtøQªãÓx|‘¦áiy"ãÈe¹™âäîäÃÁª}uV"ðÃH…3
-£µðã4O“8õUK¨Àëº5p(™xM]òèþç‹GÊ˶gB{<]Õ-
V¦0OY›×=×UñJ£ßƒ80þ¨3
-Rï÷0”—øÿ^†áÏgièý³›ÔvòÃþÏ{V«žúý‡»Ëïq¬ó½_ç
‘yÃ2¹.4³ÂOã8´Ç4ŸÖÙ®iógããòwï¤hˆ#ágTõÏUxÿ±ìdâë0HÆL·uÝ.ze,Hø’ù´,v+ã8ØŸoVæ›ïyXaÖßlN­«'—#m,ÆI&牢'òÚØI	ƒÞçg•}sùÐD¢¼»¼Z¢õ$1›ÌõÜñ‰œÖKk]0c>mr2)U:§tKúÀœêg³Ýæ«•a^xzב³Êr“9)ÐóW,ÆëœnŠl™;Å°:*ó2Ñ„SMgɺ0ÁoˆÒÊYÑC^­|`3ˆ ‚ú/bʃøDÆ!ˆv|Ÿ©ã“Žjà%FÙ³€ñn»R ÀŠÍq1:ª9F EAQ—$ñX;L†¨ê0ñÖ¹Ù\°¡É—u¾\Ó°$€‘5ò2®]ɘw
-{4‡/Cüž*lBÎ
-8pqsEšu5
’&ÄáÂÔ£p#Uè.þÕÌ]¹Hü4
-“AîÕ	Eýè&~Çi‘!ïsŒÀˆ´pAŽ#`®ca”-—fƒ
-I0²4/fÛÐæ(ü…ýi§$ í•†i¢Üì¡Ã òCéðcUÏš·h»i4tЗ:Ú‡®6‰é€µãÌÒÅ8¿a<ƒù5,Q ƒA^LÁ§I­Ý K«:*D
µ:Ï*àÒEoXd°ÙU+³>Ù̵C¡˜8]µ[›ñ‡ˆöÓP;èG©aZ§	_«ØŘ2«²§Ãü”ö£8Š¦'Yþà÷i$ã¯Ê±q8™YWÃjm9hlŒ¶‚ZT§’F $•ô]3¬F¡šÀH¨ëÂd®o¸ùq ²F2𵈎ÖÑá¸êˆì¥îÚõ¢úÄ&1
§!Ô[!øë±½;¢ýÍÇŸðeg¸ûÈ”D2ý‚Ȥ{'BÁNŠ¦Ïh}Z±›khÊV+¬p¦O½¶zldu/3í*‘G[‰Ø–”ÝÇš¦QјpVÆZUF A‰¨xhþ|#‹(ŽÑ?"^Ò¡³?œ¥æJÌÍ•ªÚq÷´niÁ½Íhü‘„¿¶à;€žò
-|Þö[€¦%ö
›ŸpĪ„×À©—l™­rË”`•Uµs½DÃ4K¼ˆHH¬ÑØYI˜²Lø%íÚ™×
¨,àüuµ„=¶Ü%Üú¿‡¾…ÄHM-˜hjGkûý0Êù×Ö¶'ͧCúºÛi¢–ÉyED¢3
C_(H¦&AÁá/²zµ!™&lÜ$]ívku:ÉÉÑÆ´<Ž ¿c|‡œÊ…p›*̱%Q¶†gûíx錌‘
+V¦‚µsµ™sfašÆ)Ëý“ÞÕš†ý×ñ@·=¢¶”Ý´£dÉ7¦ñ”ñŒûþòÆ´6EœÙåà¶6i¿4Íò@É+¢ÐÕ7S/¾×ŸIêgéƒ|^ÚÄÙXɯòk©ßr”
+XL™Mi`Öw
ç|°A©&¤û¾(»EÁo¹Yg\é;8Þ0ѵõ‰©gˆÊž1ÉÓýŽéÍÀZL* éˆåTÈ/d`ÖØl@mê ­#ÆAFßs
od²‘〽ÁÏ'Ý7ËË¿€$’Š—z…ª“D¬C0¶§Žod‘0_YÕ‚ói[>«¡³˜ êPï™Róhv»"Ï
ÓÂ4}GHN%«mQ¸UÄ@³Ï™ç©bJÎm²UáÃâ¨ÍÓ$ŠÃRý¶ËŠ&¹·TAéØiÑ}Qç>™Ë† „Ê9`Ì£ÉI¨ ú§Ág2à1ÖñädÀYD….öÞ,îw/3(M# ó:Ö“%†r8I¢)#w	×(j•x›Âì(\ØÒàÓ¦Xm¬È²J®(ÜÚ™ŒIPe7°[sÉ¥ržï¡¶žFqH@À9ÍœÊ3kjZùirn8wꉻ	cåþÙ̹Lü4PÉ(ðꄼÇKï¥,á\šEŠü’bJ¤¥srì aá" lµ2[H‚ž¥}2»–&0@áÖw¨ƒw/4ŒAàåf7­Dà«Ð%u3·iÜËMÛE‡,C‹}£­ÓÁ^§}}© Ü˜Xï>‰9Éo9™Áòì¦È‘PÔU°Y“HHáŸVo¤U!BC¡ÎãÓj
+¨Þ&YAGdú:7»¹¨˜Í;T‰‰“U·³ánqÌh?UÚå}‹4éë8r>¦Êêìá8½XûA‡åYú`÷iF_c#‘8žYVãRm5êjL–‚BD')@˜ð¦ÁÐoÄRJ	JúCÓ”&cw}Ã#ž5à„ý™²oŒuܳXö\ûn³¨?±VzTõ–“}uùkfýiÍ'ýP€Û™0pÄ?%A˜~Ò{S
”dSEà„ý°~„‚,Lœ:?Ÿ£«!¼Ô½K‰‡Â©„<“a›oáb
×I×ÿº¸y~u=N<Û-«i™AóèŠ3—ssþŠ%ïr†a5®6¤¯}Ðý¢ ÙתëÁ}<ó%64Àe¤™âv0?Jñ4¯p v	$ÑQüå.ò{'m›ƒÂ"î™ÑcµÉêCK8Ãír€´e4¶…¾?7=Ó¼¼ô-ùH ôˆ½W’O
+š
+=uµM™<÷]šu÷”
™Ñ*ØÉž].u˜Îïsþn˜˜‘6Îõ}‰ºÍ T,|‘¨ÏdPc¬ãv>`Yg0άÀO.šza>ÝËúó4|‡k†‰iÑöõ”Þr8Ä$ßå‘´5À4‹Ý_ªhBAín45÷#avµ1«Cr‘¼¾¬CšYv¼ÃTúNN–ÍuÀˆúºZLºNŽLS>L!†Â’bdöÊBØ[
+šÀV±kiÈ–W•W8²½>Ö³ºwõÈÚÖ#öƒE÷Ö‘¦a4œÜX-£ú$bn‘EE¨†1_ÒÊéŽR‹%âK5­Ø?l:špßc?ŸÀâQø¿ü表Áæm×pFWÐø…O±(ÁG…Ã1pèÂ)ÛCFbyaɃ¬°ên®kcg…™/Vjl¬ÄÙ^&ÇBÜHGOì÷âérHiìzcš<ùÙß<Žµç¡lîåŸtW€B&_pA¬§çÁG/ž•;z×·÷3Ú5½`ïõp:²7(ÛÞmg+RFž·L]‘=&1Ô®ó”µ¾ ê|ï)_ß,¯ÞýJ0Ùߟ=^Õ†qý2eöÈfzàe±MÊ6Ä?W‰C1øì=WUa£!–ۘϖBl£höŒpÝW÷Õ¦êDÎzÉñ×–3‘•ýM3ùø˜’&‹	.¼h{ì×_AäãO¶fR1øÿýË°ýÏæBHɵVóIŒJÀ5a¦PÒ‘z™­ñOÈ^²þ?UWendstream
 endobj
-1328 0 obj <<
+1331 0 obj <<
 /Type /Page
-/Contents 1329 0 R
-/Resources 1327 0 R
+/Contents 1332 0 R
+/Resources 1330 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1315 0 R
+/Parent 1318 0 R
 >> endobj
-1330 0 obj <<
-/D [1328 0 R /XYZ 56.6929 794.5015 null]
+1333 0 obj <<
+/D [1331 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 354 0 obj <<
-/D [1328 0 R /XYZ 56.6929 396.2024 null]
+/D [1331 0 R /XYZ 56.6929 369.0592 null]
 >> endobj
-1106 0 obj <<
-/D [1328 0 R /XYZ 56.6929 369.4308 null]
+1111 0 obj <<
+/D [1331 0 R /XYZ 56.6929 342.9234 null]
 >> endobj
-1327 0 obj <<
+1330 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1333 0 obj <<
-/Length 3397      
+1336 0 obj <<
+/Length 3417      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZQsÛ6~÷¯Ð[å™%€ÓÔɹsqZÇ›^¯´DY¼Ê¤*Rv|¿þv±Š•k3sGK`,»Øo—ä³þøL+#g™‘LÅ\ÍñìúÞ]pÇy¦(äúîîâÛ·"›fÒ$Ý­‚¹4‹µæ³»å¯ó7{ýãÝÕíe”¨xž²ËH¥ñü»ë›ï©ÅÐÏ›7o¯ßý|ûú2“ó»ë7Ô|{õöêöêæÍÕeĵâ0>q3œðöúïWD½»}ýþýëÛËßî~¸¸ºëöî—Ç7òÇů¿Å³%lû‡‹˜	£ÕìbÆIfR	¦¤¾esññâ§n ×ÓŸš)d#
-LD @-ÓY¦Kt¡¯W°¡4™·ë‚ˆÿÔ•£Ê†~süáóf“?¹žzG¿M»¿?Œz…¤Â™ª£9›b÷T¸1Ïåfã&Üo·»K®çEÓ
 æ‡ý&w£þ•$ò Ù~ëøkú]æmŽ7V1Máù€’"ΙQ*±;^¹5×ÀÇqD6ÿc_ìÊ¢¡‡¼ZQW›¢¶ÅnUïé„tÔ³Û©mÃ¥@áÚ€éôÉz&{°E»XG›}1<×F¦zráŽi¸rïT…Ÿ6KßÑÙ¥úpvXÆñmît@Õ0€LšÊÒ£ÕÈ:¥¾zìð@|>Â-Öí˜E¾o¬íÀ®è–U:íJJzž·mñ¸mÃ:“¦]•)͘¦_2 Y£]®ÔÔ{K,z­‹ÚþbþeK¿ËrY}ãè5Ur¥6 uÕ´»K=ß/œ½¿ |aÌÞi8[ÞæD5pMÑÀCUOcæyOÌ-L]°~͇ÇØ»Ÿ‰@yÊeAS¸k0w·aîž¡??”,1¨QºPÙžv•X±ô¼¯\Îâ¹(;‹Å¾YGXnm¢ºŠšõ¾]ÖÏÕ±$	åD&fZ”ŽkD–Þí2ƾ0ÿ°ç.„pÅ0 4,¼©bGñ©lêZîjsV”OÖD°ïãõ»»«Û÷¯ˆÁm’ºj7Ó²v+`€¹¬©/ÓGõÔ¼zqÓÕ^탫Tõ¼+Û¢Aÿæ1X‘kuÉogQØi룺ŒyâLŽ¯H]R#ù_¤ãngB­Hd¤ROÛXÈuÚÆ:.[›Ëa›e´Ø”EÕàGf
-L
-ÐqHÐÛ¬‚ÔDÞ\Zdiw3#ýœ»Æò’Ï+¸¢œ%µ¶ÚŒíÛMñBÛJ76¸‘äÐHaÜ–±{‘`YüœUÝÝØp‹¼7`-©Öó»K¦I¶'3sÄã=Û£Šû¡$j	,vVËÂX‹¢Ñ3\|#Æ0^Ê Α‰¥.}.ƒÔzÄÄÜ‹âA('óf[,0[ï‹Ü>×¾¼Íwyëšé\F½CbÝ•{ûÍ÷í:ª>-ëǼó°Îbsäºãb'1“Içw]Õ·¿¼XšùXº[-ëSu9éÔ¯|¹„øVäËÓNÊšŸqÊ€kÂ)=—=÷ºi£¦„Ö´åbè”3üTNÐqHÐwJ8Š4Ëú"X¤x-V܃` øºù{QlݵË)ªÃo°Ë´²ï+qèÁ^ q³ýdȽo±±BŒ›Êc" ík„|A>™@ϳ£·%e»v·ýO“zW†m¨àäi'©0™¦Ó§r>íŽ%E_iá?*?Q-;ºÏ›!@W7©œÃ3
ÅdÞŒJu$‡‡Vò€¦6qÈ_F­f*‹MÃ"‘ðùuKãí=Ž„ù8¥›Úk,ZÃÂZx\Â:»Ç’B·DÈ	±£‡œ~Ú]^5`pow¢nj÷Æ•CJ‰#‹°’H¦jq4Pd@\WŠh²Bã?	<È#@<ÇW F&í!®¸
«¡”n¡œ~¼¬$(4  –@0íÐ&Tûë£ÖíÍ¿cÛ7£oÑSCQÛ½dÛÕO€§ÉlGÞÈn
-ßìž?üøIx8”JÀžpMxžç²žWVåc¾‰v.ãÞ´HAyZ„ŽkD†~ N™F<Øâz5¢<˜S§ŸÖuÖUæ?ùPÊçi@=€í|IB¥½«!wߪà–Uþû᾿€6ÈêˆfŽÀG†L—ïÝ»|#!ìÞí’)·ë@9ÎPŸò1Áû‰£H|â(¸Ojw6ZøIH,jö_U”‡ŒPÐ7){°>†7ͦx°•kúB[á³ÍvEÒ×¾"cc>yHJó—.ÔPáî©«ô>?±Ÿ°äÕÂ{êêˆÃ‚»gΦ+=ÃIÀ¾Îüë9V7É´Û…\§Ý®ã²n[(!G›A#ÇwÅjZ€ŽkD‚ÞfÓ”‰Lè¾îÄLPÉš"„I}¬‚¦Òu¹«(M,ÖÖá1ßllIúqè×r9ü­žßWRT§â|sóúý9dI2Ál*´±¡Ã%‚¤K’ùSYS=š­E%þ+.h rc‚߉Ÿånëă^¸uÜÕsÞ[(ß<ç/ŸcWR†=Eµª]M©9Zõ°¥øx/z¾ïã}Ý®ûpì1àíJ0p'kW´Y¾€fË…‹V[üì¬9mÈ1gp›ž©S‡\†ì¹úo<{öË–q%¦×í¸Fî;kÆR­·òhЀ¨1ÀLF„3Å•ÞÿS9'í.¼å°6£32¡‚ϹÒÞgSÐÓݸØÕ¸ Š.gË@
„5¢õ”éb
6–~º=º‚©Êm˜Jä–³ÀMÄb¾Xç•ý¶.J_CܬK9 S
Ö-¸­yQßîaFÄmx,ž=
-øGNåxVê£/l¢`’ñA™ßýk£CQ†U:Ï4-À`.½eª)\ ÁQÅApÄ.wT1nìn×]žKCHßl‘8J·µŽõ7»5•Xî)äÌ)Ž®4Š?-,Bú¢ìüéCQbõ¶jK¼¬H‚R‰ÞÐ^ñÞ^>–´6Ko؈K*7Þn~mõð°\CÝæVBã£*u¾iêèä÷€"2Ù…h
-@ìÔÌB1üêxÄTâÙÙ×ÌŸûqóáËo™1¡õ‰X*b°‰É¼P(¾ƒWÄþ+è¡èÿå17:endstream
+xÚÍ]sã¶ñÝ¿Bo‘gŽñE—‹ïêLÏ×øœé¤Ih‰¶ØH¤"Rö¹¿¾»X€"EŠº¦×éÇ£%°ûýø,†?>3šÅÒªYjÓ1׳Åæ"ž=Bß»îq¢€u±¾»»øö­Lg–ÙD$³»‡Î\†ÅÆðÙÝò—ù›¿¼þÛÝÕíe$t^üØNØéuCÇø§¥aÚˆt„BvÈc€U2Kµe‰„.dà͇»ë·?ÿkNËÖëê¹(é«YåÔëìɃME¿Où®xxXÙÞ¿ªÒCÏ«bͲ¨Ê2_4EUÒwQûE¡í)ÞKÏïÚ5ó†€ê!4ì`Ѻ%˜ˆ8gVkᶫ.V„@;ë/T祟s‘yî´5»KnæÕz/}ß®lä]6ZÎdXW,«Ù@x]vKh’h–•Ëѹ˜Ô©
+8뺊NΧ,Z¥—¹ÝGÂÂ*ÊàBʬÆu^#Ãá€@Žð›áoå
+-ÕŽ~ëfõ
+A3•Gs’4~.Ök?á~»ulÌëúh5?î×™õ«ê@Ù~ëñ+ú]fMŽ7Ö1MõåNçÀƒ_så59IçìAAóš>ý¨ÊõAÛ|÷Pí6ôDzèÙïÔµˆLpÁ|x9¬òl×ÜçYeÉÖ#¢3ŠÅqЄüÓ¶ðÔÒ:…_/[.o¸zE¿ ²K´G/î
\ô•¾«é43ì½njÖrÊéFêß%JM
+ÛUy߀F…”h˜«"Bsp­/ô»¯=Aß¾U¦«ÍiÊD¢Î[†…‘q×dqbB¸ëšÀ°;„7 UÙc^¿]ÎHç[wuR–Hš„¥V&}¾m³º†sgÌÖ4Ró#
+UÜÒ¥ø.htQS6‡Ý1†ÐéÌ;KP¾lM„Ô*1!xÛ+ŒaZ› R;ŠÃ†9±s¿#n‡4b[ 
áiØH#ªŒq¾Ûܮ݌ģ“ƒ[ÃÄ27„ÆÍM*tnVÿ'浃zgDÇð^y¿åsµfÆXëWœPŤ”i_IpÚîkïe–Eݯsï}[vÚá6öÙÊŽ£.`7±ä³D&̤`П_ÈÔ2õíÇnT ¤ãtOR@ãb˜ËƒaDª¨ÝT”Å,OOE/Â0‘Â<	:V$Óe‘­ãîmª%š–QzšÓ2æ’)BM:ÅS™°GZW.p"3)à€ïîà¿ã
+ò_qˆþ'Œl•FóQFsp6ÊXœŽX‡(—@½Ì²ýº!'¬„ÑóT~k3DFé§g`‡²/Ë@þEôÆq*Î10†pÜJŠÉCBÀž‚º–E®ùaãÜêñ«œÄ,Ö瘥­€¬Ä$Ó¡CŸ_#Ê5ů!_3» ŠŠmbÎñËÄ,1R	Î*Ø„5v)ùŠ­Q'âIžžcXbX*Œ<ãÕO0ìsN¯.!_³‚iɸIô9~iˆSÉ»ÑôŸgÛ¤]vúR|;ÔKþ·)›aÊ(Õ-Ü
+8’CjŠiˆdÁúdýFÇ$)|îW5m•å¥¢Ÿnnxµw+# `? ÒC¾h&« R$HƒƒÀ}6ÔlJSÓ­Zô
+f1œÈ†ÏTª!ÖÐéxÐ#E]¬¡æ†â[‹å
+ÙïyT`Ê1Û¸4Œ'6^¼ÅY½kÞ_ý“yˆ‚|EÒ¨¹ÁÔÃ*–ã<ôU[ŸôCo^bº°¤ŽºØì×YC¢2ÚR«º¯«uîäÍßß|$€6é0š—­ï½þñ§«ÛKe¾äœƒzôè¹õ	²dh‰½$±Ì©¾ƒyLr˜Î|TQóDVåiÙâäRíiB²É	6o«èq½Ï‡ra$¸­©…[¤áÊ=©J°5ÕÙ.}G²KÌAvXÆ	m^:XÎL$©4{–dF«u*#Cõ¢³;ˆ6ãÑ#äöRcqØYdûÚé¬á‹ni§Jg|IÉ̳¦É7Û¦[g2´¢¯2%)3ÒöµhÖøT©®öXôZ•ûÅü‹†~—ŲüÆÃ+ª8äKm-ª²nv—f¾_x}·a„˜;Óp¶¬ÉªÛj2|¸2±µó¬Gæ¦ÎÙX­Ø‹±w>·ÅàºXæ4…?3fþú³CÁƒ‹‡Q*š“¦"SÂMù´­t±NK‹EÉY,÷õ*ÂrkUeT¯öͲz.)à”…vš”k„–Þé'LbŸ˜¿;¹K)}1LBšmò ªØ‘*ššº–ûœÚ¼†åÅ“Sìûxýîîêöý+B𛤮ÊÏ´¬ü
+èàºXNÕ-Зš£zjV¾x‡ék¯ÇW»¢Éëãë
+Ÿû¶5RíÇú(—ªM˜'dr|Ú„¯m9>X”Ÿýúa,~©ö!L
Zwø‹+ÿþbßåc’÷G)Bâ(yHkj÷”Î[„Iˆ,j¯*ŠCF(éMJÎáI³Î]%Ä©¾Ô`Vøí²])ú¼Â26öå”n²—ÖÕPáîéø=•Â’•‹¼ÿRêðn‹„àÏ™³éJOq؃Œµú9„¹øŒíŒÕ&ŒÎ#9›úpÃÑÂ¥C7Ç™´BO®Þ"
—ïí3I˜L¥é­ïee;5<€É7Ø$x)h*|—?ä2„â´>Ý«;Ò{–\ 5à‡Šny@˜on^¿¿"3üH	Ì£ºf245!‰:!æOEE•Zõ°¥#Kqå¢6f¼¯šU?Ûdrûâ¤Ú¢EmË5Ëàl±ð~j‹Îê“*Œ¹{šœ©ÌtN«p@ê_tö4—–r-'m‘†«ö-4e‰M’Þ²£Ž‚ÇÎ};é)h?צsåO%œ¤=PðdÃzŒIIa¤î<áJzO¥ §=e±‹^g"D²C Š/¢õ´mý6aº=9:v©²m™J=tÕ¡XΫ¬tïÉàpD—5Œ•d	‡ˆ4ÑbQä1uígÜve°£úˆHŽæDŠ>†J&R¥ÔådŒ¯’L‡ŽaU.àL®~<“´UbÈ9 !ÅWˆ]^H1…ØØݬÚ.ÿ>?Ö¬¹’`~_-&Šó?»S’XΦO«¥føzdÿñììeéç>»>¼IW)&²bœ•2†(LØ4…¬ÔrpÏÞgIÿ7maendstream
 endobj
-1332 0 obj <<
+1335 0 obj <<
 /Type /Page
-/Contents 1333 0 R
-/Resources 1331 0 R
+/Contents 1336 0 R
+/Resources 1334 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1315 0 R
-/Annots [ 1337 0 R ]
+/Parent 1318 0 R
+/Annots [ 1340 0 R ]
 >> endobj
-1337 0 obj <<
+1340 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 85.4256 231.8861 97.4853]
+/Rect [182.6146 61.5153 231.8861 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (notify) >>
 >> endobj
+1337 0 obj <<
+/D [1335 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1338 0 obj <<
+/D [1335 0 R /XYZ 85.0394 649.2264 null]
+>> endobj
+1339 0 obj <<
+/D [1335 0 R /XYZ 85.0394 637.2712 null]
+>> endobj
 1334 0 obj <<
-/D [1332 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1335 0 obj <<
-/D [1332 0 R /XYZ 85.0394 679.1143 null]
->> endobj
-1336 0 obj <<
-/D [1332 0 R /XYZ 85.0394 667.1591 null]
->> endobj
-1331 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1340 0 obj <<
-/Length 3687      
+1343 0 obj <<
+/Length 3690      
 /Filter /FlateDecode
 >>
 stream
-xÚ­koÛ8ò{~…¿Ô,ߤpŸº}]×ô.Í{ØÝŠ-'Bm˵äzs¿þf8”,Y²b‡ÆÙáp^¤˜pøc™Me:q©f†3™­®øä¾}¼fÚM»P?Ý_½þ Ü$e©•vr¿èàòŒ{/&÷ó_Ë$»}zsw=Þˆäí?Þüûþý}²ÇO7·ïh&¥æÒ»÷Þß½¿}ûþú÷û^½¿oyéò+¸BF¾]ýú;ŸÌí^q¦Ro&{p&ÒTNVWÚ(f´RÍÌòêËÕZ„¯á§£òœIe別êÐfÒÔLœI™Uð	x³@^о™2ïœì±Êª:ßNËõò™@{H­aÎ(a_]O•J“uY¿q.ó
-ÆR&ÙöZø$ÇH¢0]åëšæå–¦h1šü_¹Î+Ü©ÇÉ(eb¦Åó?6ËbVÔ#TjǼäî¨lh“-½"©KD=™*áP€“©,5F¤U¾ýžo+R†ü%Ž—°5§þ®*Ö‘FÑåFq¥kD™-«rŠ$.ÆÄ®S&
ƒ`AHJðBÒÌim#äºAÖ°ÑJÉÈؤ„ãVJ8@)1Šä–9BI™²: ºÊG•œY)tKÑ	•0."X¹©‹r
|¦”ä™:(#ê=äÔV›|FäÎqÂ$EüM=JŠõ•®¥5n„i˜Qª‘OUgu¾ÆAPZÉv…ýS1{¢î,«"=EMm	º±-æAÕNR3•Z1®­èk±Žâ÷éiqYÇZÝiIÅÐÒ&75ýx_î–sê’VKïƒèæ|–WU¶}¦a]Òçz·]ÇŸ,pçñóS)jv‹øµˆβ]ô¾UËì{^µÈƒÒÑ=ngÛ¬zbÃ*@¹„.AB^2„4íB‘#Ž¤…:¨á´.§U™¯.ày®Õùå[¨‘õûÇ-eÎ×'`ôðzOÚgÞˆrrƹM#Ìw{d‡:³§|ö»iP:ú˜­òƒ¹‚	Tal[ˆÛ/ÔÞÝUyM¿Î³b]ÕG€_>¿¡Î§Û7ŸÞ³øër»Ê–ä.@–¥ZYË Á¶Þ~¾¿ùð_ê¯Pûså‚–øh}…”Šfˆè
Ð	4P÷7nx;ÿùîæãÍ-L	gyQ÷«v›MIúŠøKZoVÂÊ"É‚p}:» ðÈE"(TPÏIh‰@å’ݲ.Vp"i:º8(Ðls“|)W9äZ^ðKOå>ÿNq&£_†DÝ@2 ^@Zô-0œ–¶Q6Ðidƒ¿]ðS1Ÿçë>/²ãòÊydíéãn›5fÈÁBë9}ÈjDVÓ'2~8÷\/J2=8ÊÂVºF\OB0Ý]>ì@Tu±\Ò¨BÄÕgŒR¦è³êè˲€'ž¢ë…#OxëB‡cñ‹“6ʤ
-4^Ùó6ªuÚFµPÈÔ6Ÿí¶Û£•Sp¹\ºó+7@#+÷¬×LzÝ_ùD”h<7gJ©’¾wqu'•A­S‘¼b…ñ·]¼t)È€‰ª®Šf¢"&ؘ5ÁÓ¥2†aô“=©®Tƒ?ÜÔ4´&ç±%­À
’}¹ýJÆË`Tî|_¹â
-ê 7\Z®€½j(À9²“:²&„ÀC/ÓІ=¶A8Ûðéàoa@Bãꀲåúó2¨:|Ž†~°$ÔÙü™¾|]—û#ª"©ÑЕPð|lÚ¢¥ÔÆÆYwz!NÖ¬6`0rF›uOöÚ'ó|‘Á§AQöŽ)ãÄtËuB``ò¶¬ã*Ñ I0y]‡Üq㛨iÛÙéÇCeÙµ„E±ËÆßBgCœGwEÉ‚1LH£Ž¢œeÁ˜šd~S®hôÉ…MæYEËiZ-€=ü[E¿™eàôÿ²šÀb¸½qùu¾?¿ØCé1„{NàY5fy³à]¨CÐÞ|Vw½¢‰œÓÜ·ø…|[„4Oq›¼ô´@†0;íG,3Ø#š%_gâ‚öhAsðÇ"R˜€ƒYe…Q¹ÉɹEw[í 9YômÔ‚.e>ºÞ8²üºÛT1%û’çë©ÊÑ¢#/\äõìiú¸Ü¥!Ú3-[š=@JqÚqɼö—\PêŒj ÂY̤â~Z?or1“ãªóË·P#ë÷ηѧÎö	øÒœÅ]LBB¯1#R_{ÁCAøœú´‘?Y:D2—f•œ´³Q¤¸`h)Áz1l£E/C;¯è§Ù²lˆÞõS±£(
Áú¿%"¤eB»´ÌBÅ$D0ù#èî÷FÍ‚Eo´ï¾	\&ÚQ“k )m®ñ‚:Á@ùšú’#)ÈôÕ/åC1ÏW¿àü9Á,·æ4.ú\±Ûü¢jÚP7UÞ2ã@±;Z×J|‚cZʉÖ⟔NþmGÆjA3ª=¹Ÿ¯§V$÷ð_&ƒ² ¬˜¢@4çÌ°&°ôäÛ¼NSE@~àõ ƒ0ñúf%'ïJàhÒe*"žv1¦¬ì%Ŭ‚ÌTsÇ{®ÚLªœA‡MäÝ›wq®Cà¨AÑœôZ
-6ȈKÅ.Ô™}i šºÞ‹bܳj°7à¼î<-Ô}¿eÀ]©>'('óG¨&»OM'Ù1m²£!c_.)
-B†ëìÀDòRŒ	©ù¡‚;áÀúÉn½¤¨Ñ4uÕY(ì„9L‚‘@\1W	N´óà¯{ÁS(ÞÚôa!þbJ®aæ!«‚7·*yx¦©°êâùD½Ü€vNvj·Ý=FݘW´5ß"Ò5^’…=tJ˜‹õaÈXÄqñNp–¬¶äˆ‘³Öã’ãŽÂé”ûAG<ÁB/Ä	ÇÅcX9Ä1B'=áÀ˜ÊèÐ	ÅsŠ0Ã
-p¨œÃìÉ{
-§ÁW™F&Ûõ|vÀ?¦ÃàH¹µ¢{ùÂÛj9ü.]@ÀóÕ†°!+±–ˆy+vP—±ßl°ö’~:Z^˜Ò»¸iÅ2xGÒ>ð³Ö¤}9ˆí{6â
!$h˜jì8}Û>F¯~×5.
ø´?b[Ž±RH<;X{Ë@Úlšã͂Ѐ«ƒ~`áZ óDpFƒ½–V2°`þ¼QïB6ê-Tëlÿ/s\ƒ@Ï@žtváh¸pÏϦo~Dar³Ê®>°ßÎv³) ]7kS
-AÊs*–"‚uÔÙÑ¶ó¢Ê‚¾Ãàæ—wýÏ5›lJ¼[f[BÇ^$1aa¸a°XíÄË+לmSÕ†`ÃneŠõ‹ú=+;µÑ‘Š8,ò¹Ù–ß‹ùa¯Ž–Ãr£9ºæ‹å×c-†lY
¢?´‘çU>íÂèó1Ö‘C%™ðÇÔ(°û`×Lœ¦µP¨b{©©QÖ3£ù‹ÅÒÂ_¢h€w ÍÔ †AqA*-Ô†ØΑ2n´¾`l:PgŒM5¦Äý²eçúìê-ÔÈò}ßÚh!í­ß*@}Hé«Ù¶è—r1rSǸÔ?tí!0:>~à}À
š£çÎ_å!Þ—ž@-˜pݽ=
Ô2†ØÎꚀÕ)°gu­uZ×Z(ªC‡{q]ãÃ
-%ϯÞB,ß×5Íž®Þú®sq¬k`í€ÌÓºæ<xÑcôœ®5ðXâ}©®)|Cd.ì{uŒ!¶óºŠr±`Ñ:£i—«·yVOg”ˆeÕ´Úd³|˜C«Rq–†hHDOß”fFrÓ£"V-´88èï³8èx3±0=OM¸yƒv•}ÍãLÐ\Í2NƱš†³l»-èÁý›-cü›”šT²Å®§·Çyû€iä(@f
-ç¯9	c›˜w¦Á€ëÄ×	H×S¶ÍfÓx{ä-ãÇ÷5ÝV;{¸@¯èõLíí	]ÏÐU=
isC7”ŽáK=Ä£°d}¸
-ôñ™|[d³bYÔñrÞ&Ë2›Çë G—:0IY<ö(…ŠK‡ÍDR¨ùùöæ—Hî3$m«±;–xm9ó>o_šÁè1_ã%
éB¬]ÀtÛÛ{jkоûü…:«p£Dw>¹‰à
-Ù$}EíC‰UyìE*¡wjÿ…£bç÷=öZâã¶tÖ‰ìÌ~^GÌ)2œ€H¤?¨…}NºZøñks”D¬óý²X>$ìÕg³|;ýª¹Ò˜¹£±êfñ¸.ãuüI+êS&•Pç­hè´m€ÂMÜ|^ =ÙrºØ–«i¶«Ÿ^µ—ƒ½Oáötàéx$§üYòZ !}ýT&È]ôlJ@©><%T¡N¸&“Xbù%OðËCþ”}/BƘ†w¡ÍÖ±Ë-š¼v¢¤ÑKˆ˜0Ò>‰Å'ˆXïÁ§ZŠxEL~ÀÒq:AP¡*„ݧðÖ)ü •"}Á
-&¦¯V…ãÞÅΓE¹\–ûû[zöDëÎÇλø0
-¶Ì`±®Ø©GÝÊ0|‰=²=¼­Èýé߇×ðÚ1åý™0F{@‰BNŒ*~|>$ýÿ7fy/endstream
+xÚ­]oÛ8ò=¿Âoç5—Ÿ¢ˆ{ê¶i/‡kz—f=ìîƒ"ˉPÛòZr½¹_3R–,ÙN±‹!Eæ‹Ãù¢Å„ߘ˜„%Nº‰uš.Ì$_]ñɼûx%Ì,ͺP?>\ýðAÙ‰c.‘ÉäaÑÁ•2ž¦bò0ÿeš0É®Ÿ¾û|÷áöãO÷o¯­ž>Ü~¾»žIçnÿuC³÷o?}z{=©Ówÿxû{z•?ÞÞ½§GÃ	¤÷7nîoîÞÝ\ÿöðÏ«›‡V–®¼‚+ä÷«_~ã“9ˆýÏ+ΔKÍdœ	çädu¥bF+W–W_®þÓ"ì¼õŸŽêOp&U"G(UG©`Æ93±Æ±DÁ+Tà¯Üðâ¼Ø4×3¥ô´y.h²Êê¦ØÒ¼.¶ß⼜ë¦ü•sYÌÃÊúèÓ/ŸßÒäÓÝÛO74õ,ç@N¼c¦Ù:|ßT4fë—.¹š–%ð1B	4ò‰Ž||2‚9c¤—,[ÖÕl]5åâ%w•a³Úøa«MSVk†p¨Oz†Â@£dh·B¢ÓÇRkmÀA
+›Uëå½Ä0k”°¨å¦ÈWÊ*å4Û^‹tŠZ”bêùå4Nk‹jKKíîÀâÿªuQ£K=Φ@kLÁ‰xñÇfYæe3Â¥¶,•Ü~—‘7Ùò+pC½"•°hhými7Rd¿Äç¸Ù8ßÕåúid›…â JUy~›µcÒ€2”¤?¡$
»®“¹®FE1Zí ›ƃ–ð¹Õ> –‚uIž0+dߺF
Zr–H¡[–NȨ€qÑ3eÔ%`%/4A%Ñì± ±Þùá;Cg^ŒŸ-ö+mËšÜ'Ò0£TTPÝdM±ÉASZÉ–Âþ¹ÌŸišguà§lh¬À8¶àcêsṲ̈VŒëDôM‹DGý§î´ºËZãiYËÐ2™Þ6ôñ¾Ú-ç4%³–iêUç1yQ×Ùö…Ñ}áëf·]‡O¸õ‹ðú¹ÅAà2¼-Á<ÛÕÞðá]½Ì¾u‹Ü[
1Ý“6ßfõ3D p^B$“4¤á“ñ€A0³…1o#ÐÁgM5««ì˜´€#”r­ÎÒn†ÄûGÍ1›Û£>znáiÿô6b–œqž¸3Çýâ)ÊB“ü¹È¿âÔQó/³UqðT°€Æ‹cq÷…Æûûºhèëì)+×usè£!N|4dáëj»Ê–)@	sZ9Ê Á­Þ}~¸ýð_š¯Ðîž
+zðf#Éц	)™$¬0!`"2N1ò·ëŸïo?ÞÞat¦ç, /›>±z·ÙTd©ˆ¿"zy”Å4óJBútj™¼*T‚'ÄÄ ²Óݲ)Wpi9D7ȹÐcs3ýR­
+(jtº’ž«}ñ ÂJF_ú³CSÏ2 ^–ÀZ+ðè%;N‚n`uƒß®	ø¹œCºÓ—Ev¢=@ÙÅGOú´ÛfÑYKù
¾öÈ,ZDÖÐ+r{¸öRíh²¯€Kr:ø”ù­´ÑŒlOC°Ü%ïw ê¦\.i	L!`
+æ3&SWMc™GÏ!võÂQö²u¡ý±ÀÅIïdÍ¿à:@§½SB‰¶E¾ÛÖècÈ:Ç—ö,Ù3$ÛóK\3™êÙ©¡I¹9ë– ;rJ¦d‹Ë`5NzƒvbúÞ+žß>âÀ”2X¨›š h%H0Á–¬	ž6ÇÉ6ÇOöd,H©ˆù?.{;€ÅyÉðED²¯¶_C¢Œ%‹Mû‡<2WÒ¥á”ãK®@¼zï9à:zHDBàq—Îg±þEO,BàO5¼:ÄX®ƒÒ¸: l%…ù¼òF¯ƒË‡–„:›¿Ð›¯ëjÄU`5¸¡¦”1£ G™nCÏYwyiMÖ¬7à*
+F›õ@ž:΋EGÊz4›·L+^a[¶“÷‚wU¨W$ÁiM3žgC¹ÈM3¥mgd:žˆÅ¶e,¨]ÆH“
Iþ
UÆ0!:Êl–%@x7j¦ÿMµ¢§§À.<$ÓyÖdc@ÁgšÖ
+`ÿVÓ7yáþï!	k,¤x0ë0ȯ‹ýybEàÇî9gõXÌ|\1`Þz‹¼éÆC$§µßwŠmék;Å“é;@O´Ò§ö8‰^±ä°G´JQ΂ÉAsˆ~Ç*RX	@hY{c…§jSPX¶ÞAò>r²Ú|ƒÉ|l=†ŽªúºÛÔ¡ûR1èÔÕhÑyQ*£	.Š&ž=-wc¥‡N™Ñ—fPFœ>N2eSw>út¡N‡ŸÊŸ‘E.OgÍ˦ÃìØ2.už|5B¿w¾%¨ÞÙ¤ÏÀ—x:·¡ðð³jÄ@³É…‰³K]Ô?y:Dè«•H¥ ël{DDД†à£ŽÁ£W~œ×ôi¶¬"Óû²yî!¶¡›`ýoÉ™0¡­ëÛ¢o“øÜ¥xÛýÍÌ{ôh}1e9¸\LhF]®jD´UÆ+šã‹Í7­8Òξ¦5¨RßéLÇ[ƒpþ,Tþ<1§qÑwp…iü¢j¹‡œ²ÄB	ß±ºV³,0ŸÊ‰F3ÕŽZˆwm@^$(ObFµ'÷óõ,Óø/§ƒži
+‡Ü‚‘)+™Æ7M'¿OpŠ€:s/ëA~á‡Û•œ¼¯@¢IW¨€xÖÅì…Jdï()–(¨H•…Eãª
+	ø˵äÓ"<”«ÍÒ÷Š£Ü>tŽaæ[¯9£K']åþ¹ýR°‰ãà&}á?gMw±4Ń$Á1XaÏ{G¥3\wŽõ	cVÎg›ªZ<#‡¼[3é :Æ4 ­\ïÂf¢]ÚÔ‚Óݶ`è¤ÓÚc]-‹f,¨€Æ´IŽº‡ƒK‚l¹Ï^ê¶|ªr¨ÒÂcLÚazû>¬uÒü€ÔËÉ€	"6/mIêÌžD¨ØÆ›a*º2¯þ?MÀÎ2ÐBpÐY†¥x̺œ¨8”ß[;Å’Þ™NcÚ:GC™¾\R„ QjŸçÀBÈ旅4†ÒÇPƒp`Ód·^RBƒhb5÷Ý¿†€÷ˆ+”)>XÁa¶iš5-±+šøzȶð‹™ï°ú•Ç¬ö…ˆ~ßõ.~Öý`Ä»ðRBœ~Â@ál˜ã]‚Ѐ¬K`àåZ¨|±¦ƒÑkC	Æ„ºT‹t¡N»öª·@¬9n…A¦g P:K8
	÷‚­KðºGô	S°…\êpóvít°u’)Ñ
¶‰³¾¤RN}RD°.¼Q[ºwÁq^ÖÙ£·zx¸ýùÃ}ÿuFÃ&Û‚)ï–Ù–ÂáÓP±À£¿W°ÐèÄ+—›mlhC°áGW1åzýüƒ©U¶èHgÅ@"äÜl«oåü°WÇÌb»ÑÝí…Îë±!ƒÅi£'Râu/…á3'+‚Ϻð#}Œuä\IxsÌïÞÍôØXZu‹!¶×:•¤Ìhþjµ´ð—8à(*óA- ƒ<â‚VZ¨<±u6Â)¦•¾ÐvïBv6-Ô˜÷ûà˜S8×g©·P#äû¬1¯Ú£ß@s¨éë|[vŽKµ9ˆªX©¿ë(&‡ôèøøA‚`hz‚ž;þ‚ÈC¼¯=Z0a»{5z#Ô6†ØÎÛZ"¡ƒTâ¼­u ÎØZ„¢F´¿ø·5E¬€û,õj„|ßÖ4þBÃôéÿ5¶v,ű­·6OÛšM =AÏÙZ„¿ òïkmMá/‡Ì…}o¡.°1ÄvÞÖœeÒ¶Ö:ck
+)6Û"kf9UdY=«7Y^«diçÙh¡FøèÒÌHnúŒ„†‡æû,,†ßŽèp+¡I³”ã*ûZ„o¿šªe\÷b
=æÙv[Ò/´è_pÁ3ÿBè!†Ê±¯!øqÞþviä@@•
+§0ž‡±ß5±Ôšˆé„Ÿ' _ÏÙ6Ëgá)M?\CRJÖÐuµM7è5ýü–öþò„ni讞iýÔwáM“=†‹#O²9ܦáwðn‘åå²lÂí|2]VÙ<Ü
+YºÛEªèqFåT í7Y¡á§»ÛŸ»/PÀ­Æ®ZÂíÔÏû¢ý•<=k¼«![}XÎÂx÷@£
Æ÷Ÿ¿Ðdå/–è*2ÞðhBÉÔ½¡ñ±Âæ<Η0;µÿÂRÏó•û¿û¡dÉmÃÓ	âÌ£­«p+úwc 1y!j`ÎüjŒ`ümÜ|^"3Ùr¶ØV«Y¶kžß´„½Wþuì¨mžžã­…0ׯe¼ÊE—»ØrúðûAå»…kr†6a\øm¾y,ž³o¥¯ÿ!‚³uAºj‹ÎïNü>\H¡Ô¨(|ÍáOÿxüðËzm™:ݲ€ ¯S@¹Bµ=´ð3óæÿ¼¿‹Àendstream
 endobj
-1339 0 obj <<
-/Type /Page
-/Contents 1340 0 R
-/Resources 1338 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1315 0 R
-/Annots [ 1342 0 R 1343 0 R 1344 0 R 1345 0 R 1346 0 R ]
->> endobj
 1342 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [180.4479 292.4725 244.1386 301.902]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-1343 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 246.568 326.6578 258.6276]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-1344 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 246.568 416.2908 258.6276]
-/Subtype /Link
-/A << /S /GoTo /D (incremental_zone_transfers) >>
+/Type /Page
+/Contents 1343 0 R
+/Resources 1341 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1318 0 R
+/Annots [ 1345 0 R 1346 0 R 1347 0 R 1348 0 R 1349 0 R ]
 >> endobj
 1345 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 215.2488 342.1692 227.3084]
+/Rect [180.4479 265.7126 244.1386 275.1421]
 /Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+/A << /S /GoTo /D (statsfile) >>
 >> endobj
 1346 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 183.9296 338.8219 195.9892]
+/Rect [265.4578 220.378 326.6578 232.4376]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1341 0 obj <<
-/D [1339 0 R /XYZ 56.6929 794.5015 null]
+1347 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [367.5441 220.378 416.2908 232.4376]
+/Subtype /Link
+/A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-1338 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F21 738 0 R /F62 1095 0 R /F39 927 0 R /F14 765 0 R >>
-/XObject << /Im2 1084 0 R >>
+1348 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [280.9692 189.6287 342.1692 201.6883]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1349 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [277.6219 158.8794 338.8219 170.939]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1344 0 obj <<
+/D [1342 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1341 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F62 1100 0 R /F39 927 0 R /F14 765 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1350 0 obj <<
-/Length 3869      
+1353 0 obj <<
+/Length 3932      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Ërã6òî¯ðm媈!>ÎÄÎ:µ™ÌÎx*[•ä@KÅ5E*"ióõÛ/€¤D{6û  Ñ~ƒê2„u™ÅAhòè2Í£ U|¹Ú]„—0öÃ…œ¥CZŽ±¾»¿øöÖ¤—y':¹¼ßŒÖÊ‚0ËÔåýú×Å»^¸¿ùxµÔq¸H‚«eœ„‹ïîÞÏœÞýüþöî‡Ï¯¯Òhq÷ó{¼¹½ùxóþÝÍÕRe±‚ùZVxeÂíÝ¿n¸õÃÇëŸ~ºþxõûý7÷þ,ãóªÐàAþ¸øõ÷ðr
Çþñ"LžÅ—Gè„Ês}¹»ˆbÄ‘1R]|ºø·_p4JSçø›,ˆ3Î0P›Uí(¹Lãˆ"eȼ4ZA}b1WبšGˆC,5ÐÙù+íœ#ûô3¢,ÈTâ2‚Aä—›C³[RŒ…‘®~å2T¨D9óX¬ š¬86ÖcœBƒ9i‰­G#“Ý:AªÝr¬—‘è%È1«&'Iäi6å"ë«IsÍS¿GŠ!LCqA(‹¶8bÅAÄäœÀ!s¤Äé/fª`“ƒšR*C¥¬Þ·Âú‰4ûä‰ðV‹&×ný9šÓBŽ]DÐ(L"íq¼sJ»¤f‚…Œ_O¡˜Äèúmog­§¶ähØóÔÅN\Š'RIüO¨^
-U¨yÏ–N Šëãûh!³dMôk…ó`­ìç\Úƒ­š£÷~BÓÞ~áW¬_Fԭ瘎Æ­¢ÉÈzŽâìy[Ž4CÌ¿·ôûcáƒò¡7öp(*
-ŸªÈHà(K‹CkÙÖç2Ø!‰ãNG7¼"åw3‡’¤Ò€3£è›{q*uÇ}ZÅùMl¸Ìšx	(ûQºøTBw‚éTN‹HkæG‚9Ƙó‚!uXÕã­åIÎàÀ$
-¢!‡Á6Ûiã̉‰EZ((sÁq~G±¦GSŠD†ãܨ¥ƒ,‡ö›VÕ¼fU—~þäö¶Æ‚Ô
Ìù9ÎA1›4˜âCÚY¬1.L”™/S¸ô£Ý7ìU2ɼr—ÇÄ¥i2³Û2ÂÇ›ÛÏŸn¾Ζ&n]b–‰ƹ8Æ9cV¿L’5¸‡Ø™–
-›Þy¡ç=™¥±Á“âý`n)Öj'&Ï'šýPì’V`(ƒ³z#D¼q¦.#•A.éùúª -ÇX\T3õUÅ©E·Ú.wÅ~o×KÌi€
-ΕÇdè0’Ìî›tx¬B¦ùHy"Ä5Jî6såE¬.&o!ÈN‡¤Ód”[kÍØÄéâîÃs$çä$<4Iå gÌÁB¢Oщ#ÈY³,Ÿ
-_U¶hB…ÆŽeÜ„Zü	‚Ý.Ðd‹ŽªQ¤4À8ƒFd`-‰75Øɹ
-bB\ÇqwÌæº+wŽÐœM_ÍY<Ô”öN–7!ȿʺÿÂÍö,À®¥’RÂê
Ðcsxâë
gùÔçŸ'{¨mÅmTÁ_-RéÖqëþÝnêš‹)ílMÌ‹â”~]z{À™n$1Òb‘””u`Âje÷\Kƒ+«’¨D‰ô༶Y=Q¢PWañNYÔhÒpU–8ó¹yr—s§pò‘¤$K-71º{¬Iœ¡ÇyX’:	ù*ÊJ  ¤5ѧ‚½¾gGšJ
vÆ©"„ìÙbMöbÀQçâÓž?ì·Î|9BôUÓ qX¿jñŒNfæm‹7ÆzÝây,ܼüÂnžâºÜ`ÄÀ‚83|
-vŠt˜¾MŽÇš¡gbª€ (ÔSz~ñÎ|bùtŽ¾Ø|í]%ÊÏ¢èå$Nņ€¥òQ	«¦ ˆ"¦"Bj{ä>Fr|·±Üü€´+@­e	VJ/;Y˜Ä&Ai=ó,a9bà¤?qe3ñxË#0yÐÈ(‘çbWGÇ‘ñâ/,ŒüÁËóV;0ÂûÁ¸œPœ1À,ëw,oè*º¨u¾n9tÒó1éò У±ã·õ-	9RíGȪ¨V}UtÎP~“ƒ>³#_bÌ1õŠêüq‹nϣȚCq'gÇ9£²UóøÈ/^RÀ‹\/Š‰ÿhø_Pl®]AÇÝ	¶ÅG±3îÃ
-Ñbµ-êG+K¬
-ÙàAÖ§ËÙ•]ç( [
¿kÈ&ÚŽé/v²ŠDË‹v>teú‘˜–ÏÆ"1›~‡1%ÊbÙÛrè¯êM­•nÿ2xÍS6h«ÜF^¿@T®Гÿx†:%6Û­pf?€4-çq,×”@†fÁ¡ˆqñ‡žVLÈ,ýÙ
-"Aï>|–jì쮡Ä
ÚàžÛ~ç\Çù>‘30\܈’œ^ƒž«Pö½Nª«Ð¯)úQRs&-¯.aò/év·oÅ¡tE'T±YA®:²„§l÷L'ú@e(¾W)1ñÚ´º`&›>Qö¯†
'¾9ÏÈ´]ÁXjÄy*ae;³a±ŽÿæCzq¾°1É“däôgjÍ<èÔ½ø°“œ	’@‡þ]ˆlržº—î”Êí“ÇþtT!†NeŸm%íã¶ä÷øÔìçD-ñ=QCozû™±i¥Zˆv·ïÞb‡ìdœ~,w§Ña¤ÊßÐëüÖA®·¡{­›²[YG_cw<~epÏþCQ`yU%•Rh
-wÝ´*Ú0{äÔ¢òÍ«±´Š@´”Jߎ¥ÇX¯ÇÒ‹˜»–Ëu“Ð92A’eÙÛ»{¬™í§¯rY¤¡šî/å °<¾”hùzB‰µ…†|­—¦gœ­|¡øûÊõè,íäMŽ“ÕÄçŽÞÐ
¯|'9ƒ|õHPyºÅWH¦DSãDÙ/†ß«-kúh#Wó5ü\.N¢ÿ£H2¼ÌÏXŸÀ(ÿÔ„õÖõ¼íIc}ò dr,Må±(MËSgOR|Ž;”…›Ðïˆ/Ðn¦ˆCÎmº_\˜ŸMÞ+–
-,f§'¡ôéÆùùt&Ñ¿¾½qÀ(‹ÜWýÁ]‡sDÛ¢ͼw5=Ñ>¯§3U,°´!$Ho>0ÊåUU£¥úJVÎŒ'ñÖf2;ã©lU’-Aw(RI+Î×o¿’åÙT샀Fh4ú
ªëþÕu¡É£ë4‚8Tñõjw^?ÁØ÷WJp–i9ÆúîáêÛw&½Îƒ<ÑÉõÃf´V„Y¦®Ö¿,ÞüpûááîãÍRÇá"	n–q.¾»ÿ–!9ÿ¼ùéý»ûï?¼½I£ÅÃýOïüñîÝÝÇ»÷oîn–*‹Ìײ…	ïîÿuÇ­ï?ÞþøãíÇ›ßþyu÷àÏ2>¯
+
ä÷«_~¯×pì^…ɳøú0Py®¯wWQl‚82ÆAª«OWÿöŽFiêÿb“q¦Ój3b 
+¡%×iœ‰!d`kÏöp³Œt¸8nm-µ(êöheýÄ¿÷б­Ã*W[nn‹g+Öë²+›º¨xd]tÅ7ÐLÌ¢9Y=\lšªjŽ~õ7ïo¼sû®‘¥p®¥RAÇšˆ|ËÈøÕ¶(ë6ðX a–ÖÏ´QzñØt[n5þí¶¶µØT‹f„¶/7*[Xî´¶ì×ÿö]”Ù—†6!²w{~Ò„ÇZ¡ä‚ók‡°3/º¶›¢¯:€)ÙË
&¹üÂRÈ{´Ä%ÆÆ+!jeÚ†zÍNÆû%1e©r 0ŒØm›CÙ]‰÷¥£œî‡Š4ü³©­p¹©
CýÔû
q¼¬14N‡B‹žé›“‘±Dà€ìHsV8À`¼ ò<ðŽûê…áDz’íœh ™UEæH!þf‹¾%¾!HöàÀ/„ƒˆ Üã@ÑOù“3+Z­eññüLðªXm-Ø(Ž÷5ÃÚf'£mÙõ…O+[¡µž‡
Z_¯m[ŠÇÊGMhmê¦s¸bšiD“Bg`Æ^Zãõ­ìApšg>§q$ãø§­:8¦¬J7Ák
+Lˆhd‰Rå{è*f.¨­ÈHèd`j’-vÅÃeÄ….1qØ®Y—x¿Vú/ŒÐ×Ýá/¹s#ÀU¢@V؇ì\ŠI’ÅmÕ6(`Ê‹ç¦\³h$î
+”H¶Ähèoà¸3G‘»ËôT¸3å„FD^Öî-‘À~Ï¿ÎØâp³·/¸dÇ¿L 웶-AlÿØÛº•!ºª32´·Ó3rå4—/ªmªgÑ·ã–vÆVÓWkÑJ¬cÙZ¯zô»g
x.ù®RÖcµ‡Æ©Ú‹²Ïìw(UàôàpÅnO¯CPŒ
B34‹8(f›Eû¥åÖ¦¹Q™]ÔüûãøWD»qkmÜVÛ¦íĸ«±Ý6&H³<ýiš@ˆ
+V ñç†>š˜Lð…r’\Ü…ØûžÓ‚´÷OlÀ¼q®>>±mZG3´FAž©HvÆC'a¸P!ÿò¤×¶›!]QBâhÇ]ˆ~½¨›Ã®¨*âvèAw*bÓ2`z*¢#¹•	|¾pqìð°'juÊz
~5unuB¿0'NˆYô”9ógƒµÂáZDUÄ¿'2ªð{´U…l€(A_êæXÌ>“Í(øŠþ	
…"‹ú"Ëx;ºé¸Qú922* MØ5|²]‡¶‰í2UbŽbt¢‡(FCˆåâ=ækª“s˜u3'	Q #e]¶èvZÞ@Œ¬þh!Î+É$ÚYg7õeÀµó)¬É‡tl^5+#LŒˆMÈϲ$HôÀg‡ÅØK)6Œ£¤–;ÎaÏŸ‰E„Ð"Bƒdt¶&QÁѾõãøM"0LvɇÇ!ñ”èGcö£å‰fzøYfñ\Úã(Êþ¶ëìnßáuÌf]'º`kw~è\(T©1¯K…	²Ô˜c‰/«àJeý]•›‘×™] é¬éÁ®úCË!,2»iœ)\üTqyU³qK¾v€y)1 |ª¯‚ÌQ¤™—žăúÄb®°Q5OXjŽ ³óW<ÙYaúô7¢,ÈTâr‚Aæ—›C³[R”…±®¾p*
T¢œ},VOVë±ÊFN
¡Á,‹´D×£‘Én Õn9VÌH™u“ÓŠ$òôDYaM‚¬k¾ô{Ô¡5”„²¼`‹cVDLÎjŒ‘9KJœcÚ
V119è)%C0TÊê}+@ ŸHa³Oo¶hríÖŸ‹ŽæÔ£‘4
+”†X{ñœÓ.­™`!ãדT(æ#±º~ÛÛW’[ò4ìzêb'>Å©$ T/…*T½gK'Å÷ñ}´Y²&:¶Â¹°Vös>íÑBòîݟд·p‹Ž+Ö/#êf³z´ÞhMFæÛèp€`Ïsì r`þÅÀ¥ß… ½±‡CQQüPEVGYZZÓȶ>›ÁIÌw:ºá)Û9”¤•¼…ÜÜ‹W©;îÓ*ÎqbÃåþÐÄK@ÙÒŧò¸L§rZDZ3?Ì2ƼÀ˜°ÃÊà¨zo.Oô§€I,DCƒm6ÔÆ™)
+µPPî‚-â>üŽ‚/L)Ž¦ˆǹQ5JYíW­ª¹dU—~þäö¶
Æ‚Ô
Ì9:ÎB1Ÿ4˜äCâY¬10L”D™/T¸ü£Ý7ìV2ɽr—ÉÄÔxf·e„wï>º{0œ-MܺÔ,=ŒsñŒ3"Ȫ7¤kp;±3-6'¼2CÏ{2Kcƒ';ÄßûÁÜR°ÕNLžO5û¡Ü#$­ÀPgÅSyãL]GaÄ`:æ‹Å‚´cq­SÍ‹=çÝj»Üû½]/1©*8[“¡aJ’Eùëtx¬B¦	I‰"6Jî73Fâ0zµ¼±@nô8ëäP‡\CÆn~ï?ÚÚbU¢èä0ö¦b'D8ˆê¶sºË'F‹üð想ÙuÍEJ"r%v„LËÈœ‘Ÿ8€×ÜH‘‹ç£$Nf¬VvOu3„6bDN°Õ6«/˜ÉtÜ•‚ª¡¼äjÎð—DÅ·(‹]øf|è5·'beB/{8†b%S0¦{ªyR¾Ø=äœÃÜñ)d㊿›¢¬xÌAhM!ã‡æhŸ9®üfΛäiDÆÙè‚׳^ÃáM½¦xÍ+–Õ¼À»ànd†]Ѭ‘¢8G)…®Q!&¤b™]Ùm"ÝRƒp±#䫦?@j²¾hR
¦}:Ó¯›Ô1Öe“ê±ðèåG°×]—ì€øYð3g–UÁN‘Ó×ÉñX3ôLl!…zJÏÏ>Z˜˜V£³7_{º‰rãÓ4zœ‰S	{@õ}ØÀª)(d‰©J‰Ú¹¡"ÝB)Îv˜YBT6¿K ¼ìdaBóšY¤õÌˇå„Ë
+‰+ÌÙ’ÄG
+`ò ?P"Ï!Å®T#ãÅ_&X˜Z@Á[íÀÈSp	ãr"@qFˆÕMŽÅC0:Ä¢.,ž/¶[Î
„ô|Lº¨½É4Ö2_ßò#
+YÕª¯ŠÎÁÊÏ~Ðgvä‹AŒ9h_‘5‹Ó˜uôŠ¬9”röÌ3auÕ<=ñ£š”#W"Œbbã?Zþ›«cÐqw‚m	%£Øy•a…ßHë'+K¬
+ÙàQÖ§ËÙ•]ç( G¿kHWZö“¶ØÉ>(-O,ÚùhÓµ‘˜èÆ"1ëÁ¿ÃˆeÑ¿
cï|U/hz$h­tþ}”av88Åùl£¯_ÀÆ—+F£w)¦ŒŸCr¶5C¸³Aš–sŒ8–kÊPCCo9øËÂ	
ÿzÆŠÅ,4ÃÙ
+ñ‹fñæÃgY¡ÈÎîÊ¡
‘@Û™}"g`¸z%9=H"½ˆ¡ì{T)Ö¹ç^ŠØiV$ýËÙäIôï{¯0Ê"wÀUp×áѶhO“_Ñ>¯§3ßá¥
!Azõ	SŽÀ(U9Mà¥z]“GH—Ù!‘ôÕ µ«%[ÏsEέ²èÕ½=Òùæ“SÆ~3šNv¿«ÿÑÐÛ÷Ÿ>ݽ‘oú=Dò‘Q9WRó
	u®¿v«aç&ñ¼]Fa²ø\‹Le..Ë.|F™€cŽsó÷,Íò¯Ë_j÷y½Z÷µ•ü–ò%U)$¯‡Z(ßæèÍ$F˜	RÊ\¸óW9~g>øøX\úàØÄ~%<#L¡W†¿ý1òð¥v”&»T˜1aÖÄRˆBÂãø”rÿÕò9éÿ€5oendstream
 endobj
-1349 0 obj <<
+1352 0 obj <<
 /Type /Page
-/Contents 1350 0 R
-/Resources 1348 0 R
+/Contents 1353 0 R
+/Resources 1351 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1352 0 R
+/Parent 1355 0 R
+>> endobj
+1354 0 obj <<
+/D [1352 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1351 0 obj <<
-/D [1349 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1348 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1355 0 obj <<
-/Length 3498      
+1358 0 obj <<
+/Length 3403      
 /Filter /FlateDecode
 >>
 stream
-xÚÅZ_sã6ϧȣ3³fER¤¤G7›ÝKÛÍæœô®7m´¶œhâH9KN6ýô þØ´s{íÌmfÖ øP’§üÉSc…ÍTvšd±0‘4§‹Ç“èôú>žHæ™z¦éëûÛ“ï>èä4™Uöôv5˜+QšÊÓÛå¯+”8ƒ¢Éùç«—žÏÎ’xr{ùùêlªL4ùpùÓµ>ÎgŸ>ÍægS™99ÿÛìúöbN]–çøþòê=Q2ú90éüâÃÅüâêüâì÷ÛN.n»µ×+#ù÷ɯ¿G§KXö'‘ÐYjN_à!2ËÔéãIl´0±Öž²>¹9ù{7á ×

Ù/6©0*¶§S‹䇭,E"%0%&V+ÝYYÉ•=ZyY5M±˜>çër™·e]í®[j+2;7œ|O…Ž+ ƒè c)²H¥c%.ªü˺8›jLÞ_ÝÜ\œS{ •{.v;ËBÑV'(‚sUùc±d¶¡d‰,Ô¢"‘“«º-Sj-T’ÄÌË&*HÉý™m"L7q¾njR¶*ŠeCÍ–I_xMÑvn¾8Ì7Õ*I›=•`-c”›ùµhÂU$b¥½ª(QŒ‚ð·XÉt²*mù\ÀšµŒ&·÷ܹ,VùvÝÒCÙ4‘*ô“‡‰È@áή»nÃØL¤iÉ7<à:`Ï5Ø|±(žÚiñõ©ÜÐþ@CU’¦ÇÕè¸zŒ–l¥PzGŠÌœ¸¯râÔ@Óƒ*@ˆ&MyWåí–h
1½Üõ>›rõZVwÔÑ»€Üˆ°…ç¶{»-ćàBäÖFÖc‰t­êÐN2Ø:A´ÜmëC´÷ õê'òJGeÐý¦TÁ"¬‹ü¹ÃÌÈeÁÐIAô
—Õ"NcÏõ¼]WņÅP,™æi¿ÒsÞ¶ùâ¡9ˆD›`OqÀt‡ž	µû÷¶Ø¼®ë»]©Y"¬I³£R=ϾÔÑöDJØ8R#±7OÅ +#T{_làAg¤ÑA­;ÚC 7÷õv½¤&Ö曶Xv³„¬Š!(f‘|{Ïtùá&FÔêÈN.W¡P›ŠØZº¡w&ñÚtqÆá”­ê–—†˜â0Ÿy££ðYþEªX¾óH.ª®E
o034EF—m±y,+g'Œ±¯;<±“Õ‚)õj‡e4ñ"o‹»d¬bHuÖQµ2}Á܉Ñê­èkµ’‰7@?à:‚zÏ…÷ÅâaŠ`höb®4À§ÞÞq¤Ð¤;âo]@ÒqÖ$Í;†´mãÂ/Ç
-¤ðµ›rÑr¥Ðµ¸Ï7ù¢E÷A:Ñ@Ï«%5š×ªÍ¿R/n¬TlÚ¼d±Ëú‘ÚÐA!m*†%ê*ŽÇø1oH¤¶èš‹b¿«¹Îj°úOuÕx>"-
-8ß—DY9RýHO´>hTEûRo\:œúÄOù–ƒ)°XÔn¦%ŸK–³Ø·‘cm›üá@è%mrtøDM>ÀûØN"¨¬aȲ‚ȆôçUÔ*†BÈ™’Áá‡Ô2tΤ©P±ñ!k•—ëбgDœÉAb¨aî°ê
-¼-K»¬÷m­F€ £æú¯Dâ=ÑD|ÁÄ‘aûé¡Á‡M´
µÊjYbö²ôÌyËþ—g͇¡Êix‚u]?lŸXÂjÄë‹ž0ÖìèÀ:ócÁ[-9]+9¿»¼šÎÞ¿Ÿ‹Ùüú,SjŽ|mwIÎÓ¹ëòêãÒÁ„*†S±q<¡rN¨:®Þå¿îÕ¸%$ýG{¦€àq%C]F’ÏQ2Z@
-	£}T&WÄß1~ˆ0-òMÃ#ê!㪛ˆÉ9ý\^óãrÉyó™ù
-=<4çẻ3'Ì&Y”©o=0AÚg·T:%¡ÓiŸ£ºžê¦)»²ó9_oƘì󒊸»99”y$ŽAÏ„q"pªÂ	fý?tAØjLÞ@mÏt´ÌÔcö¥\/ùfÿîEYCÝxL¶çÙ—=²¦þ)†Â©P:îï$ íiT(ÍèÊ‚aM:Û¡QÕÕ”Š;wÄ…Óç(fXÒ¤,qul<—£q&’
-צº¹]1¶žcþ°
'Ùú%…Øßð£g¡vòxvªøîØ!nÛtÅˇßm”åîPRÞ»¡1\1QóvqOÕªS
jÕ²½$˜1Dc阂'Þ_û-ÂK#X—ið˜w—“¸´,ë‹!ètis7CA}<€‡i¨Ò‰°‰:~g‹,ÖÙ8…)½¢ÎXYÖaš+Ø·³×Ð5ŠO1•°Òd㘌îRÚfËá$§X`ꃎ«- HÆæ¸ç¹»nÇÕûnYµÅìîë¾óBy™ãò=S@þØ}#¡R«Ç
-\°­CU„¡Öá2ž:_
‘@­^KÇâTo¨Ëù=üza¿‡îG	àèGIŸ¸ÕmðË~!»d\86µi°xêÓ(¼ƒyZ+¾ø—Ã3ŽÞ5©Ê—.ù%(âÈàì”k¯8¶îÖÛ‚FìÉNQ|-JÖX“`qÓÒ}Þ®7wŽÖ¡Ú2µd®4as¡ÏmºŸ`G]­_©»¬¦¼§@ÖR8a³ Ïm•‹ßЃ[yùõ¶Ö«nšd0M óÝ6¡#NßHÊxxŸ9uݬûA#uo®Ì hôÿ˜­É	^Ó¨(°wØÉë‡n¿\ ~)ÖõQÛú‰WDàÅA«7J$FžÞ(8p`Û,™ÔÙ~®ìÓDîNJvHQ-¸dìÜÚ‡ìÈPÌŸ3äÛo¦Æ—HRÄ©ü/‚ü›/¦T&E„Î}4²¹GÖŽk˜ÉO®<Ù{­ªDœÁŽÊï¸
-ŒCk" ™Ç/Ü3aTäÅ@ôß™
m’ѵ;øŸ»U©ñ÷è@ÂŒã9„˾ÉOÙ_]ÞÚy¶áøaÑ‚£rjFDʵ/ϯfŸ.nø6_ÿ¦&Õc”„’u€”‰UúÛ*ˆC ‚C«øD{ÈuTž«ß°fó|UÇå{¦€ü¦ôX˜Òqú-‚]”CHÙ”!e3) yH%ÚC
-ˆt—Ž!Ãú:÷qDÆU×M¸B‰5‘÷peänÞþÿÆUd„Á!Çq5à:‚+Ï5À”¹˜ðï½ÉI…Œ”:.¾ã
-È¿ÉÑ¢à¼)ðOÚõØNž(!¤Â#NFY_ÌIAóŽúøžZ>U»øD¿GæCÈ.¢ÌÐ@íw˜ƒ‡å­é·ÔwOÍĘ7vrÈux';.—¯›zZÕӦΧm»ÞOè•0±ÑÇ踌÷2ãÄ&cx/¥OAÛ-7Pú¹j¾mï±–Ìñ«$ᆻîIî¾çB’óQüáóŒþ¨£Rð@¶{žðöö'¢¸tJú—@À(«7"S‰<–Õ¿0ÀUøõr÷å±_gM
~q³û}ÄtÃZ{¶£ÀºÊ¤	î´Äï â7p7à:‚;ÏÀÝt‘/î÷Ï'L O9ªFÇÐcüæΈ$†df¤¡OB‚*8÷—™»AZ4|Øp³°‡ÙÜÎ_ Í
n÷±ÓÍQxô`«!#£­Fºßj‡?üŒ#–r\«÷?Vv™ì¡ow ¥ßÚý4JK}|óL‡÷Þ3¹úêi	Õ#åüÓ‡æa?+LÂfÇÅwLûòÇ0‡äÅDc8à(ÿ‚ÿ®À/…ø»%íݺçó›Ë
WõŠ/¾ßÊÜEP¾æ÷)Ã	a÷ÝÅ„foîùÁÓ÷l™«ÚÞ
oé½S„/Õvî•I«ÌL~¼ù‘çߢHçwDtÑ#3=×û«›/þEŒó9wÖôÛ}›BÝåÊu™	´ŠWêê>ÿâž™/IqDiž’mXìhá,(BU¶¿ˆ5ý2´xZŸ®-¹cEíàÅ<öµ.~³@_÷ÖÄùœ§üR·÷Ôz)©e¹¤eÄL%ØYP‹¯rŸ?8C¾*¦5&øú›7#ðƒßü£îë»?ý]qÿÑuŒo3Rv$•¤PBÃ$¬*nì~àˆÀͬ
-¨þ“(Mèendstream
+xÚÅZ_sÛ6÷§ð£<¡Ä_’®ãäÜ^œœí»v¦í#Q6'2銔÷Óß.vA‘$5×Î\<‹%v±øíb„—«jñZÕ÷Ô±q¹õ"Â"œ_Bìí—¢K‘W8—¸€%r¸º‰­$3ô‚h¹-»Î+† é@†o5O䕞ʠûU)Á",Ëâ¹ÇÌÈeÁÐiAôˆËja2¸ž×˺\Q Š%Ó<-‹Wz.º®˜}i÷#a¤­=‚Ä×$.Tð÷u¹z]6÷Û‚óT8›å‡¦ˆàÑ%J8›#É·Oåó7	ª{(Wð sÒ‰è Ù=­$ÐÛ‡f½œS‡HëŠUWÎûQbÁVy"¯œÎ’8üÀˆ]¸ÉÕ"p3aœÐrk`¯mm<AÙºéx
+`ˆ)¾A€ou¢ÆÀ¯~MUÎß<—uߢF0˜Œâ#Í®\=Vµ·FÚ×­žØUËzÆ”f±Å2xVtå}2#VqVdºî¨ZÁ`îÔju4K#´Öêò\¸Pâì¡œ}™"ÚÈ+­ÐFÞsE¤àÛ†…‹¿óaI›¼KšWiëÖaŽHáêVÕ¬ãP¡köP¬ŠY‡îƒtÚ¨^Ôsj´¯uW|¥^\XÿR¹êŠŠÅΛGjCY„´©–°µ+cƨ|,Z©Ýº¤-¡Øïî€]¬þSS·H³vù9QžÔ<ÒÍuÙ½4«/>)ÎÂ>â†ûˆƒ¬ËÃŒ˜Í?Òœw'Ç9¬Ûh
+붸Gx§€I›>U“w0À.¶Óêg²l€(²!		ÉÕMŠ¡r¦t°"µŠí6Y™¦
!kQTËØæg…Éå =Ô0v\uÞ–§µ]Â&KÌ,¤.û5)VuLDd£"š{!Eݾ”«–Áç œÈíVb9Ƥ
xFq‹Áû}b“ØÖ®”°¸‘‘:+Æi,”ûº'-Nn‰‹æ§#aí&>B¦Ô¬¢K‘C¬ÈÓax<…AS®ƒ@ÑŠ(É¡…;FÉ&kï‡ÊéÉ›ÈËò¾Xí¡i;vpìñé0O¢PÀC°WpDr²6<¬
|7ï.ˆëÄoÖÌÈ]z’)ÉByðÇf^MÇn)Ù¬¸Ý·*Rv"fMÆ6ÙŠîÛÕ¸°ÞÅÓÓ’‚TÕ>Þ¦š£š—Ú‡9 …ЈÔýž¿¡®søGŠº@úð3ª’0¥p™œ\uÄŵ¾¸QC³Æ«á—>¨<²TˆÛ*µA9l{­Ü¼¥üïœH~ƒ‡ßëÛ7Ô¸ýxέ?sƒûnάü‡vç£3ëçãßñóQ©ÃùœÉ	M	Ÿ}î{\«Hœþt‡#fG4_0qd˜š0<4xá°‰¶¡VUÏ+Ì^æ¹è¸#üò¨ÅP"Ô:-°lš/ë'–°ñç¢'Œ5[ºD¦ÆüXöÖsN×*Îï®®§çoßÞˆó›Og¹òPóäOn›ä=»®®ï0.íM¨ŒÓÂJ›N¨†\ûªžkãr_wJ‰\d6ÉLÁãRÂ@]F’/P2Z@
+	«CT&WÄß1~ˆ0-‹UËo4CÆE?“ú¹úÄó9ç5ÞdÎ)ôpÐœ‡ëþädœ0ÛDäI®¾uÃiýTi—„ZLgÛ9ÚSÓ¶U_|>ËuÉ‘=²CRaúó“}™G*`L'"»*ì`6ÕÿÃF…­’BIØ7ÃvÀu¶kÛ—j9Ÿ«ÝCå„Òñ øÀ?2š–°F@ɧB@i³9Ÿ€v Q! 4c(3;4i‡‡FÝÔS*ñüFžÏ&D'†ÁIƒ²ÄÅ¡÷¹(5¹H3(_GÈêÇvÅW¸›=BÄ6ìgË—âv€–ý°ãÀ³W%t»uÖO~×5ä!Pœû­I‡ÆpÆDy,ºÙÕ¬^5¨X«îá‘`xƤ"“e¢
…P<Ë•Z‚H0.Öà±è*qjy¾)‰ Ó'Ïý%1l¢<ìIF•N…KÕáóK#r£óq
+CE½±ò¼Ç
+4=V°ok­¡k„•h*á¤ÝJ7Èè>±m×T
+úÁ°¦Þë¾ÚZ‘$É‘]gȵß}{®ûVuWÞÃê¾îú/é‰=,?0Eäý7*sz¬À§r¶õ¨J0àzfAŸ_*¿¡-¶ò›u7mý0é`˜HA´nc5ìÁ‰”fxª9õý¨»A#ó_±ì hôÃVIäkTY;ìäùCw˜.?—Ëæ…¨]óÄŒ"ðä µ1J"FžQðÅQ?ù"eç«&‡)”ßsE‡ÖT˜47c
¢Çî¹°*	éb$úoŒ†¶éèðüÏŸ‘ªÌ†Ót aÆñ†Âçàä§ì¯>{í=ÛrüpñHÁQ9³£2"ã
+È×ç.oùL?g6Óc”ï…RøŒ”©SúÛêˆ} Ò?Dɶ‡\@¸6Ö®ž¢ê°üÀ‘Á”+°SÚdß)XE9„”ËR.R€Tª¤€H§rÙRðÚf‚Î]\‘qÕw®PbCä\Y¹·ÿŸq%s%”‚xpWC®ý¸ê¹¸‚bþï9™‰R‡Å÷\ùãï9Z$ì#~¢U7nòD	!&e}†“‚ö
õñi´BªnúøÄ0OæMÈ>¢Ì0@ݬ(0G7í ”“Ù·ÔûWÒI‘eÉ‘»C®+¸|¾V®šiÝLÛ¦˜vÝr7¡W«+ÐsE4¯e
+Û‰KÇ*ðZÊ‚vk(n ôó+ÔbÝ=`-Yà
$ág†ûþIníB’÷Q¼›ðñœá˨§Rð@¶ðîîŸDñé”Ÿ€€#PVoE®Ry(«Þ6ÀY„cõjûr˜gM-Þ¾Ù¾+ñ³6ßží(H±”ÍþÜIHÒìÈMˆ!×Ü®bö°»?ÙD¤ò”ƒjô\=Æßï¬H
$3#E}òTÁ»¿ÌýÁÒ6@ç!Ј
{˜ÝÃ
é|GilØð«lžÂo–Zå|wéa©=þ`Q¥‘[ø‹®.œì3Ù}÷x ¥­~š
+Èl¦
+™É×WOs¨)çŸ~i¿ìf%I¸ü°øžiWþæ¼Ød¬ÀO|«Ê„[v–+o¾‚›áçnKG¹Do8¡1£š*þÔ:ù'nÁ…=?dAÂûW!ˆþñöGj|®X~Åê–€Pj})_ÇŠ÷—NøD	#­I¶>ã>øêqˆü8>…Û>ƒ«|jùªÕ~%Þ°ÚÜ÷º¹¹½zÏùÌ"|)ú°¶9T´t4#ö]šÕVàM×ÈZ'ýµ³¿|¡vsÛØà~¶ç‰J3¨µJ¡í¬Ûõ’D(íTDõÿ€(	Qendstream
 endobj
-1354 0 obj <<
+1357 0 obj <<
 /Type /Page
-/Contents 1355 0 R
-/Resources 1353 0 R
+/Contents 1358 0 R
+/Resources 1356 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1352 0 R
->> endobj
-1356 0 obj <<
-/D [1354 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1353 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
+/Parent 1355 0 R
 >> endobj
 1359 0 obj <<
-/Length 3135      
+/D [1357 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1356 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1362 0 obj <<
+/Length 3243      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKsã6¾ûWèªjÈ/>Ž“OÖ©ÍdÖ㶒h‰²YC‘ŽHÙÑþúíF7 ¾domÊU&ØhF?¾%V1ü‰Uf¢Xåz•æ:2±0«Íþ*^=@ßW‚yBǹ~¸»úþ“JWy”'2YÝíseQœebu·ý-øð÷_î®oס4qDëÐ$qðÃÍçDÉéñá—ÏŸn~üõöý:ÕÁÝÍ/Ÿ‰|{ýéúöúó‡ëu(2#`¼ä.øtóÏkjýxûþçŸßß®ÿ¸ûéêúÎïe¸_+ÜÈŸW¿ý¯¶°íŸ®âHå™Y½ÀK‰<—«ý•6*2Z)G©¯¾^ýËO8èµC—ô§M©“Uhd”ÅrYÉqPZ˜j%y~V²KJv\¨äþp
-ûÍSx(w‡²{œnZNÁY
§ž	à¹$P	„1‘Ip·ÎãàpZ‡
-Ž©oñ	ïk‘ ’}€XÔùXRã?mSß±«š"Þ}øBjG}¿~dŸÇòP•½ìŠªKH„>µ¢‘Qᘌ›vÿTôÕ}UWýi-„ÞAGšX@Ex0‘Jrغˆrc¤ÝɶÜǺ'+ª:dœV‘IZCþSéxFJÒQ®UÆ<ÑÂ,a¦"™€¶•Œ¤Öä-hàþ½ÇqŒ{{)[ÔÎ|‰xJ\Eh:«×8	vvê|Kj
èkCZ°›¢!ò=9vå–(ö腭虣 îš&~`jWõeøRmKêÝ'DË+,SùÂ#ÊÃsyèð Dβ=nXP8šC±Câïq,7öâññ´0XuÔU󭣦•ZåAùW_š¢&jSìKjñª;Ò<¸é‰Jj€FQw-µîy(d-‚í`vËV·/Ô<#:Ñê¼
-z,x™-oZ&<ÏåxktøÛŠô±A>™ÅfSvµ­2cïÂMƒ[-{Ô¤N‚ûcO/•u4?$
ê¶ýF­ãñX5UÖo€ŠjâUŠæôR« ®´dpµ›ÍñÀ#Ú¦>ѤpâÇÕ?¶ JëK^gø²ÃÕ±ñòXm©i÷†
R¤÷@û´ÚÃFq„9UžýÌüE³¥Æ¶-§ìVÙã鋦{ñÓ7üìy µáh–688'qÜè×#øër÷\¨'rÚí,rK™Tä¯/ì¹V%™DÆ@®-}÷ˆ:V¹Ú§¾²Ž›‹ÀÓ耲/‹l`w¬©ÇFèÜt ¹ÐêªëÇ’¡Ü?õÞÖRe‚÷D.ê#ÏØî(îé¡þT‚»Í9´îª¬0Ž2²Ìs—ht	øc€(©–‹¡˜e¢Á 
- U$¼GlxÓL(Íá
û4á›êiÓPXz‘2¥YoB)&)˜	í¹ù®w|l¶Ãu`ííÝR@!®Ìœ¥Î4ˆº&*t7Ô¢½ä—ÔI
¿,ô‚—”õŽ’Np³t8R˜(•^ïÖz'‰Rhf².ŽR>•›
-•TnñrõÖÈ6±j€x}8e·Ç,µŒtªÕø˜ÇgsÑ×
à›Ø¼ÖL—=Ý1
bêëJGp½¶®ã™¯;òsÆPn´ðW¯]T·ó[	^vó…ÅvËP­ó<-±Ü—ôN@[d(¹˜À
´
¥	ŒàÀ3šâ0Z™B€¥Q ÀÖﱉ^W™C>NëÓ“Ó,#EäN>ÊcÀh¡H£•e&3)
lÀ–Ý,vµ
êëáÈ0…¨­ã§ÇSInÛ}Qq×}ÑUq¤bÐàW#­Iç^Ðx¨Û{,Ü;“brÇ£Ú¥kåM”…F‡j»µ^
ÌŠô‚Ϥ_«nèkwD„t°Qó¿×qD'µcWöDy*}µ9"´ï´áŽ¸(*‹›¨·²0nGÚ)›žøÆ®g-`ÅuÎqí¯àä>›rš§QjbX\RµÃ1X|ïBð<$e2J4Tw1«„A„Õå;˜ ‹Á^W8„R×ï)§^®’ëE¹ÒYIå¸0uVÔ¸x¼ç‡æ>?Ÿ×:=€I›Ò©ú†J#
-yu–Žš—°Žë
1æ³]¬çTµX)®€>‹:ìúbóöð•1ö›åÐp R\x`ŽèèN®¤®ƒÝ€xu$Ö…3@á8Ùzê¡Ä/íáÛpþöØléý	׶¤ûºÜó*è¡øäbkóXÜ»2
&ÛY<—Ï&~Q{­XoF{;>=Y™F»¬`nß|yÖc{JâúQÚLRÈñ¹y]ϵ Ä(u¦€’8K1ÊJÖ^®z¢-¨à9É£Èe-ºX<à†ú}©§¹Ç’®¥^Çf§¶æöÔl¦Kdd„Î&e×`š÷$O¬…*Íl=%0ÊÏå1-4*º"eá@=ô9ä…ýû£Ý5Pm”Œ™(Vê4÷žQ?»ŽGæuëåö¾Üá޸€ÖÌÎÅx3ˆî îàçc›Óqj7‡†‹Ò©™ù;z¢)aKÖždÆK·þÄ.ÁþBd.5,[ä4›~Úh× ?ô,9•mx/ǦÆó·
-‰Mu”ÙB¬ƒ¶œhøu [ñ2Û}Y6.uvxRÛ~¾i÷{_Cפ8h!+£‡¥à-³sr6(©€³hE9u}¹G@fýuŽt¦#­rå­‰DªÅèÁó‡Ãi{6ï=€h`”‘˜Êc ŽàõpúYðõ\oHá2€Ä«Qpâ؈˾¨ênlÃx#7ô	[DîN.·±£ŒÃy×_®ü·DJ½‘ÌL—s™c²Œ•@ðÅ›&1ð@L¯/í™æk¯žÁY’l¼ø¸ú“Âß»Ii“S=*Bº˜Ê®áÉò[†ÞÞ!•]ˆÑ2Þ$GWCèc’uéîý±ðNóà¢âIâYUÖê(&‘‘RO²æšÌ¥hð§hí¢¹¢~r&yåþbbz&q¤„2̼/N4;_gœá9¸³ ‚…t,Û\-ÖÚ};°r/\˜HϹbÔ;öKúø±¹€Äú‚H™æ"+¬²i[º
-Ñâxí!	/Š	 (Mr·}_‚â˜7JI’NEG’ºyO%¹­ÑåbÊ×v=zXC¢&*ÍÍ·#Ödvû"Å\È1€˜\,
SßôkÏ(–<`?çoü‰Z<”ݹºdØMƒö£2×9,&Š¾r1	(žLšš×#Ðërò\g³§ËY›Ï„~}qϵ°ú8á§5ù£åÇQèlÃ'|B7óQèç(”Ê´ÄîZw]RÐå_|üü•ºÜÕèb0ÀD$ê&z™lÆ@) 9ŒÒEò:(òXˆ±ÙYÇ<ŠH°¡žË1"“0—Îß”fÃ!³Ø/àÔ›j
-´zOϼÿ.Ë#ÀàR@cÓh€#^×&{!æ±€u¦ÐŽ'Wð7»É-Ëÿë»ü±nþáiìžö*™KÝ9 1l1†m•ió¿ü\m!βlùç€KS%xù}q.Ã\Üt#ÆS…Nº²U
-N9ôD¯S8?a¢DjpE‘GÂ0ªþ<8/“ àÎ82Jºƒþ¿¯wð_×3ÍÀ¤Jšl•B˜‘ô“†ÕŸ+Ù-Ï1
Úv¯gXÂ÷7{¹úØÂŽVÃM¹‰ÃÁÌvWÉøG°Áêtð–Zá¼x- ®¶‰õBp
-7Åf

gÚàÆWËéÎlð*Ö†&¡¾ñæ
-Ÿg„‰õ´+,d iÆßÃa®™aé<•à—8tÏÄÙ$韈ò÷Lõ|‡î	!ö–ö·Isþ™‘NÁÛ²7~»”yºR€’•w&½X˜0×@ôÿ†”-=endstream
+xÚµ]sÛFîÝ¿Bo'Ï„,÷‹wOiâ¤n¯iÎqç¦iû@‹”Í1E*"eÕýõ,°KR¢œÞÜÜxƱØ]‹Ï¥Ä"‚?±HM©L/’L‡&f±Ú\D‹{{!˜&pDÁ˜êÛÛ‹oÞ©d‘…Y,ãÅíz´VFi*·Å¯Ë7ß½þx{usH-ãð20q´üöúÃ[ÂdôxóÓ‡w×ï¾y}™èåíõO}sõîêæêÛ«Ë@¤FÀ|É+œ™ðîúŸW½¿yýã¯o.¿ýþâêÖË2–WD
+ùrñëïÑ¢±¿¿ˆB•¥fq€—(Y&›mTh´RS_|ºø—_p4j§ÎéϨ44©Lf(ÕH"XÇ‹Äda¬`øÓîR¤Ë¢jò]U?_
+!–¯.•dË?Û¦ºê¾©š{Àµ|,Ÿ;‚~‹LÔ?ä=½U’ŽUÿÐîy¼(	øáÓÜU<Ô•=¬%è%·¼0í¾+žÞ2-ðr´`ÙôO‚“uB„™1ÒʆgRgËÃCU—“ƒXŒèB±†7” »V¬xðÅ€/mú´‰bjÉ|`ÿK±lèůþöç®~!øæVž*·ûYÂJI¨|[þ¬¢dù]{(ŸÊš¯ÕÒÚÍ«:‚Úm_µ
-âp¸©E§°ù7ï´Y&4™FËCV¦™Z™åÕ‘ØÍ%2Ë1Û‘S¥pªŒ˜àå¾iI‘Å?ˆw å±‘†AzÉ{P/j*2o'
+Vc8W%¤#Ï„9”~9À¦]Ÿ7¡†íËÇ=F&‹´˜^dd‘vOÇž‰YÞ’æ‘“ÎÍßT5ì1Y—"µŽU¯´
+e*bÖkÑt]¹²vÌç+ÎœGàgNÌhÕn6$&X`]Ù%Œ³‰ÐžŒÂ,R4ãßö•1lBÊhoBˆ%œ!ÂÁY°¤‰a9žËnΆ’0S2lH¥Ör†ø —›}×Ó†w%=sÞ·.s7ÔZ[õÕÏtQÊ,×`g@_y¦Ñ¼¾owàù¡-·˜€P«³TMuI4½
Y©^V
=)Pà\aëÚ‡DÓòœ<hŠ–Øsš}vCÛrÇ4Žm0¶DÈåõÚsെŒunÉçipaW„Gk°úAÂçêÁE+k½Ñº_ölïŸAÓ2bSö¯ŽgûèƒËWuMÐÛá(±Bi¡‘ÈÇi8
+#B¬ 
«,™/;˜(SQÖ3e‡§b÷Ã4òØ=6Ìí/bÐié—ðT3L¼!Ž!o‹dÊ»c$;äÝ1ÖhNȈ¢PF±ÏûmÑ3X=”«G”fÆS&©rqgHÑ°Ý]‹	!òùèLÚþuìÝù¯º¼0œBqƒIÒƬ[ŸTÒ„
+Ïqì’C‚éÇ(RkŸê¥OîÒe$é2’tIŽ“»tFŠã<Áåu*QìJãU‡¤.9©[бæé\—CO—Ÿ±›sÔQc¼TfRÀè¡Ã!ÞÈ81SÅ4^LÃb/¦f1s´*Ç€¼j
+IHÝ®h|=/ï[#fªšNîÕ‡õ:ª5#"—LGÑfH¦%Ú¡¶šñ‚T†i,ÏæR˜ü1ç`¤Iæ|á/¤Ð@&Q˜jL¾ãTzë¤+Êu¾¯‡°yÊj,¡¶×æ+@ŠIX?ÿgäÖa¢uü_9¿ŒÍ¼¦ËÞkùÔÛÔˆÒ+÷…QŽjij©ÁŸòΆ{£¡ý°Å‹á~Lu>Ü{*k»ç _mƒ]¹Þ•ÝÃI¸7Ð)hV_dÀSÍp0QŽx=Ü„ƒÛË®-Q7D.¯¹üxàAê\_€tûŽ[8±¼}ó‘,†qìç·Œø²/wUÙÑË:¯j0¤
+‰wT#	îªqNJ°ÿmÞWwU]õ£ÎÑW°‹@ƒ$q6\_7y¨WÁcâ—Ó…†”¨Roóg,BgÐêf™xÙ"ÆTç-ÂSÙø[®ö»2èÛ j>­’P'™y™O5ÃÄ4=JÈ¡Q:åâu]·Ô$t*ø0.‹‚" ! ¢`e‘ѤG¼øðï2€ú(B“?ä»…<Ý»¢,T‘ÎTczÈÝeÊ=u|ë|EÎa)VyCè;žÂW€±$¾£¥÷œ†kZøž±pœep¨Š’FWùÊ1Ñò9óTxF¹ƒÇ^ÓˆŒÏ§Ø¯˜Qk$kDþEr5—Û'Ûhh›è;-×*[–ôå®ÉkÂ6ù¦$ˆwÅ;µ$[^÷„%5àuEݵÝñPÈ¥X£Õ-™5r‡…“žiwÞ…'Ñ¥@O·MùÓì-QÁýË
+é$4ÿ«UÙu[dÊA×
ŠjÛåÊ$8T6þú)ɲnÛG‚ö[¢±jªl8,ª‰wfìSE]iÉ82& jWà<ƒcXN|¦<„º¯cÇò:;ßЕ.­ïì)϶pùÖ„n+§>Ú¢\íS´å1¹UötyC¿¼Ëî=O´6|6ŒƒªÃ8þJ⎕D[œn)B“ˆìÅ]=Ñ鶓€$ãÐ¥&ûR骲Q¿–Ñ
œÅÑÑfSæXã¯÷5Ø”¹ˆQÈ!\]Ù{„Ñ‚ä€(7ÛÞ[Y¢Ìò5áŸòzÏ+¶ë¹‚.FY3Žªëj×õ3q‚bšz*ð-“Q%¥a”hyäzô±Œ5Øø?ÚCì®	ðFS݃O4éç#ºc] £2K/R&‘ÝÆTÑ"9¡%7ëìxØ»ÃC{5ïvH•šëT»†*5î 
+8J™ša®ß¯kú®¬×p\Zh_ÒŸ\É&ÒëÝÝFN…<©ã‘Ëm¹ªPIeG©¯	ÀWÚ RïžÞ©ÝÑP¦$úè~lz6g½\&xÈ—Ý|LuÞÏ=ÕÈÑÑ.Ž}]é0._ÜÚÍl=ñuþtïO^Ǩtç½|íú#!ò¢à
+¾ó4-‘Ø޹ϛK&ŽÊ
´¥¹š‚‰C5Å`²3‹£p^4¼ïšJ7¾ô$Ï>:ÓÑæxwàÚ](Ë£ø¨Û=NfR* "!+,µ
êë~?ÜÿIc+KO-ÝjE‹W¼@ÞÑEâ¢ÁïFZ“Îɸ¯Û;,Xxô„?ŠÌÏjçêËo¬li´«ŠÂúvLw¿ˆÏéñ”CúµêŽùJî±,Âfê—KŒ»{“ZbÍ-6`¶ù®¯V{ºØ€w¸#*
+ˆö[V¶Œ[ó¯½õ‘ÚpµâŽOë"¾æä~²äLÇ–„‰‰\xqy•zy߸@ïéƒñ„S§?]×:=“þ›H=GAvD%†NB§ú
+§«m€„èDå: 9î€w@o÷yt}¾z$>qýÕvhÜ+ßÿ@%’w#r¢5ÖYYÓ§å.»v×Ó5 fyhwãõÛ½ýbï[ÜÛ¢îêrûد3Êõ©Pyæw®MƒÅŠ=³ç²Ú‘ß×^+Ö›ÑÞöÛ­åiRb—•ýöbáëOzjÏ€‰‡ÊP»»ï&À[Õœ¯‹E¤Â,3ÙËsLu>cz*[˜ùcºáèg¯7^äa¸Þ8ebözcÂÅ$w*mX3Øx¹î	¶¡‚çQE*kA0Äzä	tõã¾ÕÓÜ‚cKG5C‡f—¶æƒöÔÎßfØ»4îqÓW8üÌG?©@þ¹=¤-ÐúyÖË•ö0æê/ç/€µ}2`ò»šé,×Iæ=£~rLëöËì5 ¸Ã=½qŸ‘dçì܃5tü|ÈQ8%V8ÄpÑ(š™¾£'šBjií‰KÍÈÃòÌ=Ø?TQ©¿¤ŸµÈãlbBi„»ÿá4ňž%§²˲oj<úŒ¤âP¤ÖTÇI-düMãX?¶ãíÜ'̲q©³Ã“*Îøù™ïXˆ•áý\ð–iÆ	„y¾ƒ£åéžQ‡øéÎ}ëóeÚÜ–”	ñWF3>ùÛúÿùÇLÃ/½ `Piz¦VQ¦2KSȼ9I þWO§¬ÿ·4endstream
 endobj
-1358 0 obj <<
+1361 0 obj <<
 /Type /Page
-/Contents 1359 0 R
-/Resources 1357 0 R
+/Contents 1362 0 R
+/Resources 1360 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1352 0 R
-/Annots [ 1362 0 R 1365 0 R ]
->> endobj
-1362 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 483.6075 428.747 495.5077]
-/Subtype /Link
-/A << /S /GoTo /D (zone_statement_grammar) >>
+/Parent 1355 0 R
+/Annots [ 1365 0 R ]
 >> endobj
 1365 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 291.3684 539.579 303.428]
+/Rect [367.5469 217.5222 428.747 229.4224]
+/Subtype /Link
+/A << /S /GoTo /D (zone_statement_grammar) >>
+>> endobj
+1363 0 obj <<
+/D [1361 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+358 0 obj <<
+/D [1361 0 R /XYZ 85.0394 465.4138 null]
+>> endobj
+1364 0 obj <<
+/D [1361 0 R /XYZ 85.0394 433.6381 null]
+>> endobj
+362 0 obj <<
+/D [1361 0 R /XYZ 85.0394 196.3675 null]
+>> endobj
+1366 0 obj <<
+/D [1361 0 R /XYZ 85.0394 169.5333 null]
+>> endobj
+1360 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1370 0 obj <<
+/Length 2601      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝsÛ6÷_Á·“g"ßÓ§4qrî\ží{jûÀH´Í‰L%¢Ÿï¯¿],@‘%û.éÌÍ53%,‹Åâ÷Û…,
+ÿDa,³A†ÂÍ¦XÜŸðâÆÞŸˆ$3ÏBó¾ÔO×'?¼S®,Xi‹ë›ž.ϸ÷¢¸^þ6³L²SÐÀgo>\¼;ÿËקNÏ®Ï?\œÎ¥á³wç;£ÖûË׿üòúòt.¼³7}ýëõÙ%
Ù¤ã§ó‹·Ôèq@éåÙ»³Ë³‹7g§\ÿ|rvÝ­¥¿^Á.äËÉoðb	Ëþù„3¼)á…3‚,îO´QÌh¥rÏêäêäïÂÞhütÒ‚3©¬œp S4Y%Uç@a™·pÎg¯‹ªmÓâ×Ív³^áA“êiâÅ\Â&h¢Žî#-gÛ5>Ål{WQG[m¾Vj/ʆF?¦ÁÍ©ð³ªÝnêŶZRßDz¥¦˜­›¤4+;ÿ•Êå2}š¦]ß$EÒüå”×Ím2å©ÝV÷°×Š»ÙUUwOƒ‡xôÌx«Ñ4¸¹-¨qÙs|'?ï@Žï»k_/zíªZlë¼BË{Ñ”7¶¯þØöµ¢Û~Û/d4âf½¡Í^VÛ²^¥VÁónýH¸«ðl?W‹úæ‰^âfÀs¸бªÛmËöWÃœ¶°ÞÁü–B"óÌá0N2¸ŠrµZ?ΛõmM+„bBswlÞNfoâ¾…ðLHÙŸø
+ýñ;ç²Â¥K1{¼«wØ”à<ðõ–äêÆƇ‘èXx&Û£Àö®Nߥ³Øó
+;ܬ$‰vU~­RWŒ|ý׺I,îÊæ6T7iÖ岎áî)æÊ2#¥Æ•³`ÅÚ¢¼§3„
R‰­ûNΆöt´€ÆÁðãÔFŒ¬¶ôR·CùOÃzG4]ðCûzKŠÞD«ÔCÝ'È¡Úü—$J!Šgå0òò9`¾g°§'u}²Ô.ìl6ð¡©t8>y'51û‚ãÀg0ý…v1,}èPY‡BпC!ÿ
+øo’ÃãÆ«á9Å㜎YÅÿ‹ƒM£&ÚWçS::›«UΦÒ9J4VÛð’R~?#C6곚Ÿi]ô]©™¿ªšgëæ:pæ7ýsØ9¢É1é ÎLJk¢£/zf¬q«93
+˜–6쬘]Ãÿål¯xð™T†LãÔÅ—Bµ… H¨×ŽkÝù vüp~/‹·kXQÑ_TR<ïkŽ‹²p‘
+òˆJƒhlèÎð©03ŠI,fOóE¹8…Fn`†ÞAX±dˆ1ä<_TB/”Ễ<Î÷Kx)s=Ñ uHÊh‚®½ÈÒöÂ_ô÷îÛÂAaª ›ïê¯oÖ¹Ì{H˜æŠ	îQ2›(|&î¤F ;§|oÀGƒ¬ëkÞç£,5aÀ d â–‹¡C>R;>‚æj½(”ë×
Y
+DE!ðyKíA‘¨è‘uvvM©³ÂŒõSVZ'=Ÿ×íœpÒÀ¾YnGéLýq…Iµ¦åk°aSô÷ ÊŠ‘8
+Hˆµpƒ@èT`+R½S½HT/Ô!z•pš!Ý}†ëp0SdŸë&±#{Ñ‘½HdÏ>Ù‹ƒdï Ø2bœöa86Ò¸a$¾ÄoÎY{ È£ƒ½øÓ“€|gÐÑÿ~´L¥ÊÌ|íÿh !£‚iå3i€Ò‚y®Õ÷Ldîqt‰ø}Ó€¾æ#i€âÄ `þŽiÀŸÌüi»ÔÿóK ÷`áôeþNjŒä¬1ùkΤî}5ÉýIh‚A˜h(õ8h`€ú•ê.Ä°™JQlv¥h|É¥¨R3Øy[mÓhÓ>V›ôÝ®ÒÀ7º¨‚F\,Þá…@·Á0…»¼W—Îó…;'†@Ü9qLži®}/¶•¡ë’Øh«Ô›	k¬Ã[z?0fS-6m=
÷'„Ñtt”°UßtóÆ<<3oëv’‹”qæ¥5º7\½djl¨ÙC³Â¼?-¤1@G\ëaî²[7ðáS÷†ÎUGÕÑ
+¥9¡¯î´íb
ºòÕÝø²
+ƒìÇÒ‚©Éà˜r×þd¸dt®
=çÆŠB˜¾£Mìý>yS	m¯²ö˜
C–Õþ_EïxN¦ã¥ì®aAÕ)™ÐB
+ÊÑ-~ðFLø´Ø£PÔ—:EÔ$M•"@ý"HÜŠNjÂŒY@]l;°cXŠp×åsP,äR„ï—"0J¥ŒÝÖxEŠ]awïÒ†ˆ¤ ;C‘–r.¤œ9åjž§G•ÈœˆNÉÉš§½œìÕÔõ”sÿ~Á¨%ó®;Ke³œ
+ö€@3ˆuŒí)mœÝ]Wà¡ex&\{RGÂ5KÀàaÑÄî´9n@'5aÁ°hÆ[:32aÈœv÷C43sÚÞ%n|é˜ÓR¾„O¬|©E¢qM_S×®ZÅ/î(†nïrG†v¿<áoÖLÓ*ú\«¦Ê—gûî—Ê
E:&.‘	öâOÄ91Áå‡ø2_i‚Í—sQb1ì!•Î'PH&„â/¾äæÚº»ëöœîº“Ax”w¤s¸V;D:*P`‡	Ò‰?×#h–•Òé£ÑQz$Hy†]zB‡Okšˆ¯)fÑp„×G
è„ö-湎…ÜÀ„áa•­(ÙÑ
+öŽhG#­Ä±tÃ…ãƒ*]>¨˜ÔjN¿ÈÉÄ$8<¬Þ1ûH—œVHNù(“})“Œ,ùÖ*?oŸ2ÿˆebxWNóßÊìþ¶l\´÷H8Wc
+–ŒB÷ðo/öMÿ7@»iendstream
+endobj
+1369 0 obj <<
+/Type /Page
+/Contents 1370 0 R
+/Resources 1368 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1355 0 R
+/Annots [ 1373 0 R ]
+>> endobj
+1373 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [455.0966 727.7808 511.2325 739.8404]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1360 0 obj <<
-/D [1358 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-358 0 obj <<
-/D [1358 0 R /XYZ 85.0394 712.783 null]
->> endobj
-1361 0 obj <<
-/D [1358 0 R /XYZ 85.0394 687.8416 null]
->> endobj
-362 0 obj <<
-/D [1358 0 R /XYZ 85.0394 470.2923 null]
->> endobj
-1363 0 obj <<
-/D [1358 0 R /XYZ 85.0394 447.8217 null]
+1371 0 obj <<
+/D [1369 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 366 0 obj <<
-/D [1358 0 R /XYZ 85.0394 335.2388 null]
->> endobj
-1364 0 obj <<
-/D [1358 0 R /XYZ 85.0394 312.9276 null]
->> endobj
-1357 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F63 1098 0 R /F62 1095 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1369 0 obj <<
-/Length 3203      
-/Filter /FlateDecode
->>
-stream
-xÚµZKs7¾ëWðªÊœà5x”ON,'Jm”¬¬=%9ŒÈ‘8erFáV´[ûß·
€ó"å”k­*ÓÓ¯_ðƒ?>Ëu¦p3ãT–3žÏ–Û6{„w?\ðÀ³ˆL‹.×wwß~fæ2§…žÝ=tƲ³–ÏîV¿Íu&²KÍ¿ÿåæÃõÿº}wiÔüîú—›Ë…ÈÙüÃõ?®¨õÃí»Ÿ~w{¹à6çóï|÷ëÝÕ-½ÒaŒï®oÞÅÑωAo¯>\Ý^Ý|uùÇÝOWwi-Ýõr&q!^üö›­`Ù?]°L:›ÏžáeÜ91Û^¨\f¹’2R6/þ™ì¼õ]§ô§r›åBiФ̴¦iÇZæ™á˜Œb™U\$->¥åÈ…Z.6›æyñç¡Ü½,šz¸h.t挵³îÈ£ùׄ²#—ÚŒ÷%øøT.«ße[ íüy]-×ÔÜ4ËbƒM3/V«Ý%·ó²m#㲨©Q,—åÓžÚçZUu±{!Êû›4¬²ÝWMÝ&$Óó»uFÚŸâ Uç©i¨P/lf ^âç9IÝV÷›ò
Œèy€9RAߺÝõ2Ò÷
’阚¨è
-§Âзÿ­êý%Ÿ—»ºØ,ŠeU?&z¹Bä¿?쩱ªÚΘûu¹íXþµ§ÑüX”œì*΀hoê²}CÍçj¿np|¨K˜´-vÕæ…Ÿêæ9õ‚	©á¬ýùNûçf÷é›–{–¡$<¢\63ŽóHÀLjLqÝ{[ d\A·¶¡Ö}I¿mÔŠ„K/÷X.x¦¥áaàƒN&&23‚E&Øæ}¹-ë=*Oð0ƒJÐ…æ²hƒ<QðÛ|.w»jå'¤1:ƒÊÃDÍ“,Q‚ë‘"7}$~‰ÞŒÑz(zFƒÆ·a/<ÏõCØÑ&à¡£Ò7¬Ê‡â°	|UØ{D¾Ç¡›	ù„»ôþXºnÈò,w.Ÿi™g"‡U}ó•ÖÇ;í|{¶]iuz,êÇ`¬ÐŒ=úC-¢tgÀI3Ýó~i§fÖdÂX1ÓBdLÚ½›Î†åZq–åR¨°a¿\.4ŸßÁÿb>ŠJ=¯S³Ü˜맞ý9ãSÎIbê´ýZ:ð„o¯·bö¾ͺ‹
-/º#ûEéžK»ÐRÉYnUf$/y>'XBXfó—ŲX^B#¢ÔtÆ:…"¬Ø£ÈØù¡õ-'øõ8|x¡ôúmÛg XŒ
Kh‚#0)í2au·ëë akµƒè¼8Æò¯ÃçB8кÌI¨Ìh«Ïþ\ÚLI°Þ³?q
Ý)kû!HÕé5úÓ„=˜(0\	
-ê‰Ð‹üRòè>±¹nÚ} äŠ°’ÜË}x[·Ïå.ô{ðýš-=yd`Ã/³Â\¢£»`H
2‰»ÌFŠ
-~äŒá}?œ”8Œ°b¦lÛ2äZ±Ñ–¡ÖÒhƒ‰³í	³+—‡][M{{°CëÜ`:2%lUi^Ÿ¦€†`æÝsÕN†#ðE27ùXSC²js&¿djlÈù¡Þ §…,†eŒ)ÕWñqÝÀƒßNH¡ØUŠÔ^
-à¥9¡QùÎ:a
H>T…p¤F=ÖLMfÊȹv'Ã%£rµë(׿!Âô)l"õw–³)åKh[G÷É0$Yí[èå$=£L	Âáâ¾Áœ:U!—P\„ ÔË
Qð‘ÃŒ^F÷³Â¼Rƒt¹N»¢Ä5銦*‘<?)ìy)ׄ=¤Á눶=9ú•3)ƒZ!V"l\‰À[ªDàÝcõ¹$RrEH>º"|EA
-ÈÑ	§)ç‚—”sÁË^ÎE©ƒF
-‘¿ˆ‘Ÿ:““Õ/£œìÍ:Tsàþí`T"³&ÙRQ¯¦ÀîÐÑô°ŽØžeNéhà§á
-¶ÉEî^k‡ë\#×	ܯ™!°•Ÿ qMHЯ™eÆò| B?rêT3c3FNh#'>¤È©)_Â_,|©E¬~MŸéX¬b5aø𸎄*¼jË”6xŽXÖ:Ÿ«¨s9×TõòJ@cV™^nȃ™˜Lr*~¢Ÿã±üT¼†ÌÔÌóÅ\”¢R(€
-cÎPH&¸dâK(SùÙ©)ÜÑ2ÆûÎ;„¦|:§kµSA‡C
-Ña"è`¯³AÇ‹¥E/èt½ÑÙð"a£!7%¼t¹NÛk⚀ØTpQ`dܪó2$®	!úɮɜs¦/EßdE
-.R¤à‚ÔApÁ·>¸øwᘉCs&š+¦¶Šùx‚Œ”hŠA<ñ9H8˜ÍBŠÊùì—Æ“$_[ë'8@x1ڼ⾻\g๎p8<­Šý¸æáÒNHýÏΞ¸&¦—ƒ“%géÏ?È2ŽçóƒïFjòÝþ!úndò{Äöp¿õgKÐ~ÿRÛjItà	TZdÌAð”©Û¢Ý—¡§]mÈ@î" ÀJ¬øOÀ²ZrMð¼*}Ò”ã”@î¤=&È~•åÇ7;$ê~]ìcê*¡¢
-Â’§bÄÞÜ¿} /@á¬F—YÈ›ûÎ,.ŸœŒ‚`\yç¤,)	(OåFÚbÂÆâæw—NÌâ)ëâ~øÒÔÊt#¿!æxf9¡'T.ú¹á$¸ñ<Ðó²ç Z(Ù¢fß¾ªZôÅ	¿/ô±I²ùçbs s¸?†#¶uQOˆŽG¼ÔßÛbƒ'žq¹°MãŠLë”ì—75*(²ìîŒÄTóú|¡‡esÀ/UOŽV‡e<Èã y¬¨ÉröÇ`†ÄÀȪz‰{ë¢eBÌxj궺¯6Õþ…È;CBÓ5´—ྡL!!6Dk×Ía³¢vxO£à÷¸ÁÌ)pcÇTsQ© ré+×1Ú…–è/Èe¿¼QƘdY2B<|‰4ñØʦµa»ö@+‹ý!U@ ³:È`h òZžVàÛþkžŸö¯§¦-#‘–{dn§Â8Ͷyé|Ô‡q¢@0Ì@‰Ó
-|wJšº³]Ýôw¿/–ŸÚÓÉ4Ýs¨¦,U
-grƒÈ¾èò#ÑhÔ/Éd«¹Ö}YÆ7
"×+"(Á2–k×—!eÛ¦«ï×ò<®³ê•4¡Ãt:KˆLG?úY/Ú—€ÛRŒê×{€&ÌYÓX‚~µ§3EaW‚p±Àäáû-µŸOÔø٠ٖq–]|ѯQ<ž)s9ƒðeuþŠ
t¸ÎAä:ZÎC¹R‚'±> endobj
-1371 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 305.3272 233.4785 316.1115]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+/D [1369 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1372 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 182.7836 418.5625 194.8432]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
+/D [1369 0 R /XYZ 56.6929 751.4533 null]
 >> endobj
-1370 0 obj <<
-/D [1368 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1367 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F63 1098 0 R /F62 1095 0 R /F48 985 0 R >>
-/XObject << /Im2 1084 0 R >>
+1368 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F63 1103 0 R /F62 1100 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1376 0 obj <<
-/Length 2656      
+/Length 3259      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6òÝ¿B÷tòMˆà“ “'7±{î4nâúææ¦í-Ñ‘Æ鈲]ÏÍý÷ÛÅ.(’¢gÒñƒÀÅb±Xì7¬&þÔ$sBšÜN|n…“ÊMfë#9ùs?)ÆI"RÒÅúáêèõ™ñ“\ä©N'W7Z™Y¦&Wóߦïþyòñêôò8ÑNNSqœ¸TN8¿xOœ~Þýrqvþã¿.OŽ½^ÿrAàËÓ³ÓËÓ‹w§Ç‰Êœ‚õš)Xpvþó)~¼<ùðáäòø«ŸŽN¯Ú³tÏ«¤Áƒ|9úí9™Ã±:’Âä™›<‡*Ïõd}dÎ!«£_>µ;³aé˜ü¬Ë„Ó6$ÆŠ,£R–B:Zâ].R£M+e­Æ¤±PÊ׫bv»¨Wåð¼Jç°£štiîí‘Fv6roõ`ë_ïÊÙòw)uÙ'FëiA?«e³¥Q}ÃóùæXeÓ²i"îvQl㨤ASnÊ
—«ªšñŠÙ¬¼ãñ—ûr³Œ¤nízÍ{2…û&5ÓmMæ ^=”‘]Ù$Ñp¶<WJäÎép6ÜàéX)5µ3JN?ÅQÅv;â÷Âáà ¢“à(œ׌ͨwu5/çL«æý®Œ4/oŠû¯\6Èóë3›unÇ/¬—®Y¯êª$¬Þj#rÔ{BŒÑÕ¯Äd`f™GmÍA§]3šžJ…K”RNÏ«m¹¹)fe3²‰qz‘æ)-¥CäjºÜ-‚o}5§‰»z³mhH³Û¸,jŽYŽaqó¡­"àGçZm]<8ˆM«¯¼ù}³¬>ÇÍˉXe„rN±ÐP±Ë*©«‘“'-nOê»í²®Æ¤
—¦u/ mÈŒ‰˜Ûâ6(¾MAôK›h0Ö‘Æùy‹Hj£zFíá^MÊtQuAm‡n(
-oT6IÓLß¾Èqj‘gY6î6“–bÒ%œN?c3á5¨u‹†l®‹íl±Ç¤Ï…– t“‘âטÌÀ8r¸õ“Á2AÛš`ârO6‚—Ôº?³ûƒ)ßsE7\Àdp]F+!Ót s=cC§´ZÕÑÁ\?µNkÏe€$†¸9û£óF§R2vI}ïÖ1³WCdg†N1úBp×ó`&èCD%ÉiÄp~˻ըyJ£ü%&¤E泈Ùl‹m¹.«m	 '->ö†—kàâÕˆ!%$À#ßzÀN’‚Ûü/ý8‘
-/²·ôõ¿·í‰;÷7XIÒÑÒÆö¨ýMo6Â29øz­Òí}ÿl”ð©!=åk€Dª¬ŠëJÀV
VÅšA­#(ò…0¾U€„[ÈMÍ(-…ó4ÓW2\Br@ñ9‡ƒQÚtf„a2¢:@“Ûèˇb]³Å²â[^V¬µ%k&È.FqH³YÚ£jí£ªGUƒúåö›õ42°oQ­õ¶Ó3ªè4p\W‡Œ0ÎqÙùÇÅ]6IÁg{÷Uüj4h†LíÞi“‡täÀ.)d—ŒLX°,}“Ç@LäÄqóÄÀ 	+û^ÏDj1s
ËG‡ßÇÅòXMƒ»ëÒj¥
-«Xª¶#U€¢ªÁxÐdﳨjŠ=ð¬^SnÂüÒMp;Ñãµ øt U$á/ʱÐ=ÀboPTOÑöÇM¿«¯A¼Ò’"™Mžh3¢Þβ;ióçs-¡RpkÆ]£¿;G‚I—â~0ö…ô&ßm|0cÐ
-3—ÿ•›'ךƋ‚é”U}ÿ™ù:ùxΘ÷wÁ—öBŒê\4>D&§¿K'[›«}"ŒÀþn	oVW°zÝ4ˆ —g âw4667Ýp¦ßÄ8«a'…YKÇ®à0EËH#ZJÁ2¡ºË2x¼ùŒr¢ùX í\DØ/§à×­4XWáÌ%¹â¡Ñ?B6µet’-LDÙhOš|–äf¨“æÒîy].Š×2,Ë8‚drwĆòÍØÁv¡ÿ&¦}¨@£ñþóöסõ:ú¿]ÎîWņ¾I®ˆ1ì‚Àä,”p0(VMMX˜#¤ôö!gÁZh,´>t9”â.ŠêtQ˜»pãÁ¸UÄëXª<`¡]Q°‰öó‘½âU·µñ™µhÕ5§I‹8Þ²™yÙ,i%&Åèäb¬ «R¼ÑXúí…ÄAÏéU‹Lž“¹×¹_Õ¼¼’Ƚ€2ë«ZŸnúß	øÏíÂçj	-¥z3¿ÎÞ¼ymôÛñ^RNéÚrÂH.Hå‚ZhPK€qÛ ˜Ÿ"$h€°-ÁÜЖ`=íãr»`bŽéù5š
zŽŽMàÔ1!®FJ{û±Ç_5ü®­0ö€	 q¦ e19&	ìÊ]œHȯ™Ph=»æG„±>´íö§ÜíÿÞA(ç»þhF&ºÓq	Æ©¤WßÒÄmU?pcs?kZSÐ'ÔÑ
—)ƻ֚¶íÁÈ,.©)»@(‡–f´ŸƒºèÖ¼¥¤©ï7³±·”¤Eï§M½±”+)“º¾1âð¥5:FÍ}Hô`’{ ð©ó”K Âî±Ck±k7À8u6`bŸq–‘“¸x—îkÈÞÓËfÜûÅžˆì=„+5Uk¡º7û=…¡-ya3ÕqBû”rá­‹/%ÿcMHë"gD°ÃͲ¹
Ñ
-Vñ7x¹üz¹Ý’—&qád?—@´ÐêL‡mIà.cîO¦ørs~qòþýÞ£µ“¹p™òØwÑ>UßÝ¥h	&ŠûOÍNiá ܵû†’çâ?c-
-
–oýN¤Šc“Bk7èŒ=Óø{¬7NàûÈÓµœDüî‡üÝ9XH¿³L?‚¸°Lç>2…ÇqùÞa(Ó~„õÿ{f™endstream
+xÚ­Ërã6òî¯ÐžV®1ăQ99;ñÖf2ñxkI”D[¬H¤G¤ìh·öß·Ý¢ìI%3å"Øh4~SbÃ1Ë’(VVÏŒÕQ‹d¶Ú]ijG˜ûîB0ÎÂ#-úXßÜ_|u£ÌÌF6•éìþ¡G+‹â,³ûõÏó÷ß_}¼¿¾»\È$ž§Ñå"Iãù7·¾%ˆ¥Çû?ÜÜ~÷¯»«K£ç÷·?~ ðÝõÍõÝõ‡÷×—‘%ÖK¦pfÁÍí?¯iôÝÝÕ?\Ý]þzÿ‹ëûp–þyE¬ð Ÿ/~þ5ž­áØÿ¸ˆ#e³dö/q$¬•³Ý…NT”h¥Â¡9€<ô²ªhó¢õaÅÊ¡HFašÑWŽ¶|.Þ᥃‘•Õ
+ïÖzËàhñTWM¹,·e{$ò‹€4€ùjEÆ+pÜbÞ[‚5›ú°]Ó˜	·Då¥l7£CÈÆ…Åþ™ì“Y­ê¶CŸˆsÎ_³vS6JŒÊÜE_ºJ–¥¼Š“r€b;ìφ㡶3¬ÈÛƒwyÀ`…Ïœ‘×r>ïò#oûûSÝHÇí›áÁÈh·-i2Æ%ûœ ¸çIÌ÷	ÎùKPoªÞu%œé RÛæ«ßšói²Ì²Û4:ÃÔþõ´ à/úNCÑ)Ý/I4¤ªV€µö‰Ÿ&Ýë
´Î"C?à!¤»º/ò·’øƒ,ú­¿u>MX7}Nͱõm(R
Ò|GRÛ7xXLÒ|“DRÅÉ‹û
%Éɼ~â+‚ñKî€)¨h|’S@˜$A€ìÍ®®3@àÂ`éI¥ƒä:™_Á?Æ«’Ò3¯Ö£Î¦Àt¦GÑñ)uU.)ÄÁ’m¾,¶
Béh›ù²¬òý±ƒ±2³óï!Ë鼓Ì:G
+˜K>Kʼ¥ž·)‚4~)‚Jáö›¢"üuA.½XSZ¿›r{íÆçóá`L€†¼mj¯¨}Z.é‡Ñk‚ª~aÀcÅjÎnƒÝ5zƒzWø]öUðJ;ð*ùcñŠ%H4?kß°„Ö+–à±:KpŠóPìO‹]I™½¾½GšØ~XêêHÆ ödÊZ&>«Ã!gÊZ¦]¦Œð)ãê>ù~Šò™±0Çe>Óê¬ÂMn«š'}á©$‰RìÕôÓ1NÀíf)d*CÝê‰tì§
¦\–I¹ð&•õê#—f³	ÂY ¬èÉa|Ä£
+*åÓd'€ÓÝÉ!©iA£wEÕº„T„|r
ÃUÞ¸»%H
‚Ú—kWBœçÆd‘Ähij°Æµ'>($…æˆÏBõ;>€·Êolž=!¾ã@½	ñ'T+‡0Ž<2¨S 
¸[qÆv5	ÅÉë¶ÛÇ:o»¾ÜBž±©·§=*‰ùÆÎibçÙb“MËÑÖ³URºÛSTÕ<Ñ¥S—I7*hò=)¹Ü‘»CGò®'>ûÒ“êlÙíÉ.K”TÜ"€9¨·Ï…g—
+'8›Mõ0gÄ
Ž—Bˆ9«ÔO~G¼ë^L%UjŠ“¼ÑãráØ×Æ%cw…ÂÚG‰¶æýîÏéçiI¤Ààb|MT7ylÏúïÔX!2§ì
6U3pt`^ˆŠb‘FÉåBÄPaÝb¡ôC<±IŒõ46='7®0A¹B…:L<Õ{×!íVúzFÀ1ËÑ-n^<4(¾ô®ÅCG/¹:zR˜84|ÝæSîKCù'P%Hh¨ØEµ¨«‰“/îÀ…‘Ç›&<£N¾€´VQ¦”ÇlóßœâkL‹èI›äh0:q"õóë€Hj3ðÍÀH•¯‹Qu±®×)ó%²™/•
+в/èïËÈBÚ?ÝÝ_Š‹>IçtüAU	³"e1i̤ì#NÕ_Ȥ§ø“‡…[0é<à9Ô½6‹å¶^RWî¦ÞýÁˆƒï¹¢ƘCaSŠ(NS1ô]cóAÌ;˜åqÿNJ]’°â棚Ӄ”l˜ùžµr¢ÆNÑûBp×ëÉÞÃàüʧí¤y‚Èej¿Ä„ 5!Û
+é‚P¿eiñ±o|ÑZüžï€‹w†´ÈT”@òݱãSÜ©‚22Q6hÆ+’ÑJ’Ž ·Ójà›U¤™¼}%Ò×}1¶´"ü&åšœtí†~¥ñÝ$VùŽAÁ”êJå/ îRïo Ppí˜ê.!1 ~ëË»)Útd„a.¼:C“ëÓö–`DZڔUá;?¬´+&ˆÎÛE~N±YØ“ZÚeœz*Aû¬þÃjêx%y
3°)ï3ú½®Sô3!ƒ½ýø¬½x¼‰BÀü’Ù?óýtÊoÁ%é“Ó.žÓ©Öl
+NSéAyÀeW	ê»iθ}AôpdàÆ—%}§§¼N€øTCóÑá	Î¥˜;oק¤Š5÷ý{Rèõ¦ñËn”3*ûÊjUïB]ÿ¹Ÿ96àu¼Ã øtR«þŒS‡3Âú¢&øhMÉ_{‡9~Bæ‰
v6òBm_OðkXÑV¤PìkP…?Œ=ÁEŸâi,ö£Ø(Ûm|6aà&‰ý+yôßbRƒÿÕ™2y.aH LO37™7g’UÑP+ñņ)±:‘² nx3µX×þ÷ä´DÛ©¼Úø%Oùž0Ÿ‘m¤¥5›zõ›s»*c›'žS£!s¶@£`Ñô:ô÷Š5UnHUÆ‚"bš‰=ð†&W?À(™ ¼6G׎ƛœéU}xd¾®>Þ2æáÉùÒ‰ÃÐúCdñü—8‰ƒ­èƒb8~ðÙÞª®ðcbCP'€ÞÝ€ˆßÓXi«úáÒM¿'ˆJ´„&-Ž]Áar,2– ‘F4´”‚¥õ¡ºÏ2x¼õŠ?Û¼ñ{·Ÿ¥àˆ‰ Mƒ¿¿pg(Éþ’©–ÑI¶0áeë iòY6£¾±éö\›üÄUºeG,îŽØP> ¼™îûÐ>U Mzæ+LC«Cjuô¿-W‡m¾§w’+bŒ› 0¹r¨í‡X˜#dô•4.gÁîÊÑz×ä‚›(¢×DaîÜ;ýV¯g©#=Ú›è09)!Þõ;¬EÛP[Ôœ&½l
+ú‚> endobj
+1378 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.0783 733.1915 261.825 743.9759]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1379 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [398.1622 609.0825 446.9089 621.1421]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
 1377 0 obj <<
 /D [1375 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 370 0 obj <<
-/D [1375 0 R /XYZ 85.0394 725.2846 null]
+/D [1375 0 R /XYZ 85.0394 436.6824 null]
 >> endobj
-1378 0 obj <<
-/D [1375 0 R /XYZ 85.0394 700.2184 null]
->> endobj
-374 0 obj <<
-/D [1375 0 R /XYZ 85.0394 148.5316 null]
->> endobj
-1379 0 obj <<
-/D [1375 0 R /XYZ 85.0394 118.3446 null]
+1380 0 obj <<
+/D [1375 0 R /XYZ 85.0394 411.9605 null]
 >> endobj
 1374 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1382 0 obj <<
-/Length 2996      
+1384 0 obj <<
+/Length 3174      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZmsÛ¸þî_¡o¥;¯|i>å'õÍ]’¦ÎLgîî%Q6'Ɉ”´ÓÿÞ]ì‚"eÊv’NfBX,‹ÝgV3	ÿÔÌÅ"Ît6K2+œTn¶ÜžÉÙ5Œ½9S,3Bó¡ÔÏWg?½6É,Y¬ãÙÕz +2MÕìjõ{-ÎAƒŒ^¾{ûúòÍÇ/Î]]¾{{>×NF¯/½ Ö›/~ûíŇó¹JŠ^þýÅû«‹4³ŽŸ/ß¾¢žŒ'”~¸x}ñáâíË‹ó?¯~9»¸ê÷2ܯ’7òùì÷?ålÛþåL
-“¥nv?¤PY¦gÛ3ëŒp֘г9ûçÙ?z…ƒQ?uÒJ
-mb=á@m¦è2B^®q ©’0nÓ´£DSï:–jÓJ$¨„ÊvB
Ø%³8ˆüuBI»JÔ;ðn–¢.xfQ½-»®X=;Ÿ¥¢œwyµª·$Ðœ«ó?ªývQ°†õî\¥Qã™ï,æ˺úCJ}½§ß+½×Åxý¦\~¢á4Ú7¬«âŽ»r³¡®E›Ím*2ãâÙ\)‘9§ýžömа¦í%Q‘/o¨ëó¾Ø}=W°9ˆ?8éèê†Mhx[	Ùõ‡t²…ÿÔÐÀ$ênòŽzÚ¦X–¸«°ZY‘bâ`tâ„IcËŽ#ç·v¾_5s\¸8¨T
-k¬á	hÏ:×åû[lK¼ƒî/;!g†ëÅsv›–"ÍŽÝö€)àg©­;6Åh…¦ÄdŠÑ:ª›®¬«ãÇdQñe¹Ù¯ÊêšÑ1~ŽwpK#7â º1HO¸Ñi`–ä·u¹zÌ™„Ôêý8í,pˆŒ³d¬¶w$U¦þRû’Li’¬w
-¥n»+o‹MFZ‰çÍU&”(Æé¡0sU¬óý¦kéW½¦ç´ŸR+§Bšû¨Ÿ·õ~·,&ÌWdú ƒÀ ã;¡ü4…204;€ìÍÉ£Iv¸È\[%UÝØ#ë籫ծh½çgJÃR:30G$N©¾YïÁ@@Ö™ÎDš&ÙÄ,'²$‰‡“žÓé¨ÄˆCèIOÜ7Ïa±Px}ö”uö!ëì	ëìÁº#÷ƒÿ”ЩNfäPÓì¡ÊãTª¾	— Hd"Z´Ð*ÉÆØótlSí«:<›Â¸xˆ©U¾-VÊ©‰C|sõË›bù	›qT®©ËC6ê¦Øå‡.o¿¶]±¥!*j5ƒ8Y¸ônË•8ã°cìë]¾Ý"ÂXYuÔÝ:ÇÈÆž®¦'%I·+a¸¸
ƒ7ÜðæÀÈö/¼CÏxÅiô‹EsSl¡\C]ßP?
ÏÃ,††·³Ýc©ô†W~‡rðh2Û« ù£J@ø6/7ùbSLSšÄîñcJtjÇÇK@øÐt8г¬wEëŠêŽ÷‡"½CpÀ×›çxzITƒ–Ý]ÙÇ©ŒJ–™X¯¤P…ýC:i³±'ê»jŒËS&ÇPv/½<^ü‡̇°© ÜR+vθçÔþïóñ‰¨éôúGG!Ç°ñ¶î¯6ÄÑ6ÿ„q%:ü•rhÊôPÛ¡½à¾v¿FQÌãeYT=ß¿¡ZpÍ)RQ¾Xîwewài©^Ф¦ÄC…Ëa¬)ª¯]Wô¼Íwe½çÎ&ŸOÅ4ädQí+´UÑb1üåÁ  ÁÍÆnÚ÷²ÞnOMA¢ä@t»ÜAøá™"nŠ¼åq›ÔR“Ï
-P)î^”Ô›Q‡QpaGó‰–À­ÄþLx™M[SË“Ó‰¡ÄQÆ4ž9CŒCÿÝMQQ'Si…çþ•¬ª«kêh·¹Ïè#~ª{\€®f¿kjJ6m˜Ê«žF£ž`ÛÀ^,Fä«úe'nyƒ“¼Nf—›âD‘°F=Ž>J'Ã*wçp
©*@DÝ[k£ª¸c‘`¶‡Í
ýÈ÷]½…
-²ä¸ÑÏÍ›fS¬.ªÉë°é¾ÏhÏM¯ŠUà•ÒH>5öÞeÇŒ»¥gQ-Çä׉ûZÏ£ÛÛT½´Èt¢¿‰DÄq?NÊo0OWZ|7/KBØFËÛ¡Ø£Ö½‰
-ü”gP>$ã|šÂ3,<óL×GûòùÞÖ`O,+Â.ÐEƒÛ4S|šËvb›sZÖâK¯ˆ!¶Ì=í}æ
-CzÏy^þ‰ó€aê8¼ï¦Î;\äT¤±PP&[$6ÐCJ²–´ûÔÇó¥›rØŠ=ä)©@{ƒ×ôlë-÷F÷è5¢v_òmÃ̺AË#ÿñíå¿0Å5cdK?˜@«ª;j@>×w“œ7…½÷÷ÌRVË8í½"
-ã×ënê}X‰䈰|³+oç|Œ¢bŽb7‘ç²Í
ÞA|B¾¢’_A”g|~ÃÈøˆçÀEÐ85vVh´;ıÑÀü*¼ÜV8¾µÛRîø^o}‘£—HW;¸þ«ðâhgÑÑž)vЋßå-ÀW
-ÖôOpÀ£iyçØ0‡;*t®žto}FoX”DR£%³ª7{J„0“!±¥žÀ_VÅ&MH‹êX°9„ó@¢Ê-n5¯XÚã/<ñwH¸ö®¾f’ÐñxÓ\t–9S×K›¯‹F`)«#üHõçÆx3Ä?\Ý–­P£nxþo3žôÖ'…¦ÑßðN£éód­O­‘¼ã×Û æ~Lóõ)û†â§|:‚û¬á.³.þB"gÀ“fŽ¹Ú/‰™œ:
-|Ÿ¡à1¨Ê>çÐ"0«ÞL¿“i÷ä6^£&SÚ}Ãï_¡3§>¯Ìwøà€'ÝMq¬%
½4ØÔPqÖ{œž$}î.
-}U}ǃÈôÂók^Ëœà†è”÷-!¶ŒÄÚ|Ë2‚¡Yò,‡MÉÀ¨aŒ*ô,Xf’^à
-x-òëû
-û
-7™ç]dØ$hH‡¿ãhº°Xâ~ø^qp&‡CuM=®e{`‡(âEè×¢ïQjâ{T:ÂÃõÖà4õ ½Ð}Ì?2'ÆL¸¢¼ô5…óú8OûÅõ’pýxØ1©<¤ú8éÝr¨
-#ç8-¬ÎœôNš0cä—	:¶ãGý#c‘e©yÄ?©ü¤&ü³oVyWø7„·ùý(Êàrà  =hN/5aÏè[¨„òf¥ô½ŽâÍ©Ä
-›ÙäI‘Üb2g§?"$CÑ­ÉNë¢ytq3Ì«:|¬‡:š:™Òã>À¡&ƒD¯Aþ¶¹h	}#vÀ•ÜÞPÑü¯£{×A'Ä`Ë$Búº>û\X¬& êõÓ»¦–ÆêÊת”>3`·;Ž×À;blNØ@š7w(˜ã&¿òX릨+¾O÷—(ÿRÄ·/¾
ë¤튺ûÜKS‹%#ÍÒ%Bòã©…Iìðï%æ‡?öøáÄw@«U6YdŸ°?üg*XÀ¯Æiz¢ €G…MA‰quù¿à‘÷+ÿ=K
LÿÐo@Xendstream
+xÚµZÝsã¶÷_¡>Eîœ|òãîÉIîRg'q™v’Ú¯ãˆRW®î©µ)ûÕ½«¦$_©ž Y†1àÏ™²~ÌÍy¡æ-yÙ¦|ï¨åÕÇF8[lûMbƒn"µ[~úSÅY΋Ë¿"ɾstï&n2hdžw¦mÜgÜßK8Je$¼ÆcÇk*•dÂðÎÉ’§£+•óàvÛ×~×07ž¿2`¦­[ÕxƮ­Å„!ƒ¡M.…/-A4ØÒ°-AF¶4ƒ-Qt°%uí›5¶Ow¦¥Ir‘±²‹Ø~¾ÒÂB{ã=ø‹²0fÒRN½æñÞ51ƒfI¡MiN‡*²²6‰²6­¬UNóоwÆ£ñÜN§OM¢³âÙMÉ"Jq4õxS Èñ\bêg6Éd–¿Hý”G1@Â*áq€ c‰G@„ž’^Ëzônw[®<úAÏò#29„µ\Mýºr·å~Ý'‘} @Ë­¢µ„ÛP!Àm~Ú»»é\¨Ã:r#eiR;¸‘ G !¨W­ëš/zêxß´Gc˦{¤± lé’þý}ï:t$Äê€“'a£ÒT_iaBž…ÃΠG³‚†°¬ÕàÞ~¦E×îw+Ùðb>¹è‡«ƒ‡’¦¼«ÔN{(Ð@ƒÆÔ±Œ4º=b6v¢BµÕ©ÍæïÂóh×ðT-™dxaÐ^`HSMÂËB¢7d¼Ë±mâ讑fÙý:‚¨«lQóðòÉk¦³ÄärB§3If¬åŽ©–cƒfDKðÃ]ݽ÷Ñn¡R=GÛâÓ£\
+~S÷=¡4™;§\‡]þH=SÜ®ƒ?‘›0õòêâ›o®É*ìx#Þ*™	AðtU%Ežçq²ºf\Œ§ôLtz&9 €üaeÔòâê£BhL“¬*9X`½
+Ì=
Òà2,Ýä«dJ5L@’ا&Á»OD#™dÈ£Ÿ¹*ÒD‘ÏÞ]d2Üb¼EN·¢(F·â¿й·n74`{(„¾ÿ4ûÍÒñ·þz„aü&“¾Åªm@îöôEƒ`Þ;7][É«H¶ßò\
ØÄ Z:>Š‚-Ä¡ÉIâxh{³D˜Jظ.ä8ó›{VaËÛÊH/¼ß»Ï `Æ”%“ˆê‡4aˆ‹ò›è<
ŽJ.Ìb_m¸pr‘môÈ«oÃqþ™ [æ
a
+nœÕãõÒ›M‰$/Òi0}N°³PÆ«¢•ôPLªh¥‘æj]Ì݇Õz_A®B7àoàŽ„GÄDz3†Ñ3ZäyФ|hëêSv,€å™ÁŽqcADZdÓisS€.G×ì9{“I¥&¡"p†QØv_?¸u¸Œ´¿7‹›ƒ0Ýé8á¸=¤(§œË¬”/ü)àŠÈŸ5,m3™ïÉ`iìdp6DxI€~':Uvj€‰ö”À¢éLI³ªÐð„ImÀ7Ç5êÈ:SE’çYyË&E©ÓHNeˆ…Ìtr|Ž-qªžÑ‰ÁÉÿW»c*'ˆ¹ÊNRÁXä±2—Ÿ…KpIG$r[T¢ä¦0ö¼|N¶9pÇf’OF0.cê“ÙŠ†ô-Í'Ù
+N¿ºw«÷ØLçõ-‰([…F»uÀ=ta÷Õ†º(¨µ`dH3Ž¯ÅC]y€ÓÖ3QêíÝ®ÜlµõéTŸñÄ'ð$'éw5t»‡ÐyÏ
¯ôl¾àEø]€W|þ#¤††ÛÞ»
’eH¼HâOÃW 
¥7 '“sT¼‰ÕR†
Œ‘:*H[ʇ²^cu,vLxh–ÚOS¦r3=&X‹%~
:¬Ú]@Ѷ¡ø‚ýÃ!ÁÁ ØáãÍ<½ŒR¨ÇºsǹðùŽ‰¬WÓU…ýƒ;jaŽò¢ö±™âòëO×tNÜk\×a>äë˜n©•Z«í³õÐ÷ús>_Aºj{Àk 
)—Æ´Èà¢y—ÈC94?Ävh/YÖíoq(úñª†tný‘äkŠw<#WFa¼[íwuài¹™_P¸ºÄ.bapýOú¶®©xm*Àæó‡rW·{nËEÌ‚à“nµÐFΗ{¼À_ñ"hT°4X£Ú(¦}¯ÚÍÆyj
+#j~ˆn_z"ÿx¦ké‰dªsCM>+€„J²xY“´ ½`0ÂŽíG$Z˜rŠÔŸ	/³îZjyrñYr`Aàyä#ÐÈ8È}eË™JK<÷Ô¹ä©ú¶%A·ñu”?•H=.€h»ßm[r6¥™ÊËFËô ÛH^,Eäk†e#·ºÇ—üœÔ®×î‰ a´ü4úH5.Èá”»sHCšÑC
ÚšyãyHPÛC\Í5ýSîûvdÅ÷†.ùÝr»]×­Ÿ(#ûö)×sÝ–UÈ?Fèœï¨‚yÙ3ãîèéšð˜ò.0q‹ày”½Å⽆iU¦>‹D¤i–~š”g0/ŸÔ}3¯jBØFÇÛ¡»G­“„D~J†Ó(ŸÊ²©?ÅðÌ8à}
+¨&”wÌÿË®ÅIübÝvùR
+FÙôø+DÐ3”¸àÀ³puЯˆWlUzÚÄ>w0¤œGbòOœ[“àpð%•úQø8Ü"÷ O	aâS×V!‰
ôœ¬£Ù½ëcƒùÒ}½¬{’}=!…oéÙµ–Fù•Qè>”›-3 lÊH%ìôH¾ºü;º¸bŒìèfТÐn£œ7‡½yæ3.«DšMöÞ…ñëõ÷í>¬D2DX~»«çüDEE1‘ìç°Í5ë|.]6ÔBà#ˆ¤ïB¸ad|Äs ÔVž~ô®a÷X+`~
&÷„–³öðYGy½ñAŽŠHW{H]
+ø­¯§.> endobj
 1383 0 obj <<
-/D [1381 0 R /XYZ 56.6929 794.5015 null]
+/Type /Page
+/Contents 1384 0 R
+/Resources 1382 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1355 0 R
 >> endobj
-1380 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
+1385 0 obj <<
+/D [1383 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+374 0 obj <<
+/D [1383 0 R /XYZ 56.6929 587.9841 null]
 >> endobj
 1386 0 obj <<
-/Length 2840      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝoÛ8Ï_á·•5—ŸõØmÓž·I/õáp·»Š-ÇBeɵää²ýÍpHYrd·E°È!g8üÍ)‹	‡?1±†q•êI’jf¸0“åöŠO ïÝ•ð<³À4ësý¼¸úé­J&)KcOëÞ\–qkÅd±ú-zý·Wï×wÓ™4<ŠÙtfbý<¿yC-)=^ßÞ¼¿ûçÝ«i¢£Åüö†šï®ß^ß]ß¼¾žÎ„5ÆK?Ùoç¿&êÝÝ«_}u7ýcñËÕõ¢[K½‚+\ȧ«ßþà“,û—+ÎTjÍä	^8i*'Û+m3Z©ÐR^}¸úG7a¯×
³_Çš1Åø"±B²45z\,‡ÍˆYœ€åÏÎEã8ÌåÉ0b8Õq{ãT2#•í¶Wª‰,5Fâþ¦œ%¶51ö<¦ý½A;Δ™Xdœ%AsÇq;Å"ZÀ]ŸîÌ©ªr¬’(yòi"×iªˆ§G»¥Mà~šoåäM
šôÖæõ&vKŠe±B&Œ'ÄKÅ’4±Náu™íq&*šéLYY˜ 2«VD䞧,ò=µ¬êÜóWuKDsØíjèÖ<
--yÛÕ¼$iÔnrßZöKOg«Õ>oüLë©âQí,^¿GûáæwÛú6õr*yôÿåm3¥Ø©uš°XÅjÒßãoƒ
Ô¤q:™¡ÿÍ Æ
—@ý5" TÍJýˆsbRÅ´ê3Àœ…¾ïè 1OX¢­úþÒŸù‚‹€]XÂeJ.’Xeb£¬ljZ`¬z£´€ªØ/°ÝgU³ž
-€çA:C¸#§±}‰	ÄH‡±èo/ç)S6ñ,àmÅúùò¤1`…+ãGœwþh¾¿{qÈìj1’‡
¤®f¸dL"f	Ä,ÎyôŸºÊ)Q.¦BˆÈíP¾oz`
Ó‘Wj0‘›ˆr·Šãh“5Dlóå&«Šfëß‹Šž»2sA
ȶÆg­³e14۬ͩéO§Šcê´p¯j€˜IDYl‹Ö÷Ö^ÅPdßÖ‡Ê3Ök? ÎV$¥ÝdíXðìÉDkx•‘Døthž›6ßB¢É‹Ðº®Ë²~r!ÝÚµE]ùٲݮ|ö³Ôôü³3|'ù-‡Ý…8¢­Ä
¯É<ϬÇt
-Éy¸ìŒ|æT°PšÉT_–Ü1½=pQ•2™˜¡ì7ùïœËÊåI	ÑIôPÖ÷YIMeÑ´D¹=„Þù{Ïyq*l¹1Œ,U¶Í©¥É÷ é÷œÆÒHÿ‚1Ë14yånnó·ÿ&z²‡Üù`BD§ë£æi“Wù£KüPŒâ2 ‚¯½zj]Ö»g¢"@•wçTa@5_ýˆyÞzÿq•@h¢7r¡Þ,ǵÂÚ-_G?÷ƒ—tóaèTÆ‘êËÚ=WIHF@îô3&ÚäåΓNxæUsèÌŠídm `åEî¹ÝÚ]¯gC]|ßSQ–D}:Ëè*4¼BÓÂÌ~Œ3:ö=LrÎÒD«®†ÎuâPÄÖ„¼ß4‰p1µÈ+/žb~JÒ:às0(óp5’ÅbõÀaÉITÔ{$-nXE^ì|¾Îe`]S#¤°8O£ùš:`ØKCˆØ2)Mü¥†H$ž—|g.ùP<æ^·¢¢¦lD&¤^HêA¤óª—²¤†HÙmPƒ‰g~ÿ#M[xÉ„El©Uûb•“=•0$cà.h°$L
-Ê’.(-zæ€ì7f(Ç”òTK<îZýkƒæPššÁ¦L'¢o'ó¼õc°a…éÙ+Myˆ¶“
-õ P]
6",T`Áà+`R×5?‰ëdt
+0
Aìš3áóÆKÕLÊ KÉ/ƒ¢d*‘$âÜ>6E‡9 îX²´tYè£WâÛÚÙœ²™gÆíÔ©¥âÛ:×¢9®Ï™B3êØòí®õE…w ~‡
­|‰Ò)Ò¸lŒgËŒIüâlÝ•Kb®/}®ó•GÇ…ªo³ÿÎBÙƒ[>k‹m>+ªuHbY*c}Y“ŽkD•­‚â÷]æÕ=Ô‹î0¯ƒÓÕ¯A­‚¼h£CUщºËºz ó¾öñ“(º)ÀŒR=ÓÈmQÚÜ7{4YÊ4nH¾ß3Úçô‹…ns^¹:-6ñÙPí€O!9È€IäNF
íøp:Øb{ØÒËcVòáÌÒz±ÙsoVÍÕ‰ÄËh’ŠIé2šz\иFÑT¬Êq4ÅL8‰]Ô¤ãQeˆ&ÁÅÊ¡.G4‰Mbˆ&èøHH˜Ñé¹sº×ÇR[)ÖuȲ„qF‡ Mà]%<¸Ä	¸@ÝTÊaþúrpÅç°%ŽØú¿AK&);â2´ú\ç¡ÕqTõ¡}-È‚:†òà¢*׈.ClAÞÓ€Á2·‡ÖƒKBýîxè]ᵪ¤;RH(Z9nªöUø!„)GuÛ/¾ê>ˆê*…¤ÄÓ¿h´’
-·ŸÉ}}®
-\ç£Õ(¤ l‚|pY•ŽkD—!¤ðö69Qæ)ŤçƒxÅÅ1^qAñ
-ž#ñ
-ºxŶh¬‹W\ãðBÊÅ+îàåLâY¢Ø0bÁ$˜%ðÞ$ö2Àú\çÖq¹:>ßY9ûtÈ÷ϳ=^¯+æL¦±¹¬BÇ5¢ÃX±a2ÞÊì­¦äñzBª.¤@óÔ¬WÅÒÎ]ŸÓ˜:·YÓº€¥D¼¤S.<ÝõÑŠÐw\c±¦Iv‘yÕa{ïo6'3c˜R§¥Ö†t¶i„÷˜eZÆÑ5ù]{sTPȃ»‡B*£m¿oò·‘ÒÒ5¶Ñ1§+;‰´Êé,ÑÑ~¶*oŸêýGz¹ÏªÕS±j7lìÚf1Me„¦¤ï.G‘ô—-ØÖi´Ó‹„0#ñÂ*ðÞIJ>ËOÚ›²9™ÓA‹f÷âž6xh\ú	ÑBîúDZ„"|iè@+Ã	¹ÉÍF®pœº\ž9j˘™’?ý¼&p8ÎqÝBD.1‚¨¢jsÌ—°¾Çy>÷wnÈr< ‹8‚ºÇÕsáOŠØ¼|M¾¬«•³‚vV “WÌ/È£±Mòó‘E(&´ˆ?Yz\"Kà:1oAGôAXÑ	ãÃÊ%ù׈ƒ°¡3µVúÌq‡d*mdq‡”:—nÎÏè"4ÖLj­Ø î
-å åˆhíÐû»<ì	÷nûÝ4>ÑŸèÔæ½`D.íæSÊ‘¤„üÈàîw¡ÇÝÀÂÓ¥OxB lZðjÊÕÈÝR¥`ÕݧaV²x«”˜ð)úSzø/Ø@Ñ¥°û¨âÄn¼¼°jì‡U9o_#r}o€ÂEs<ñ—‹_„ºxˆ”ØÜ„r†¾¬èõÐtß•ÎÝ8ZfÀ$_؃œù™Œ2·2âмûðýÍ?¡9~ׄ¡¬=óAIñ˜Y	çm¯”ûª)N57
-,be2¢úÿ§‡Õendstream
-endobj
-1385 0 obj <<
-/Type /Page
-/Contents 1386 0 R
-/Resources 1384 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1388 0 R
+/D [1383 0 R /XYZ 56.6929 560.3469 null]
 >> endobj
-1387 0 obj <<
-/D [1385 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-378 0 obj <<
-/D [1385 0 R /XYZ 85.0394 568.882 null]
->> endobj
-1107 0 obj <<
-/D [1385 0 R /XYZ 85.0394 545.0538 null]
->> endobj
-1384 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F21 738 0 R >>
-/XObject << /Im2 1084 0 R >>
+1382 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1391 0 obj <<
-/Length 3373      
-/Filter /FlateDecode
->>
-stream
-xÚÅZëo7ÿî¿BßN"–ïÇÇ4qz9\Ó\êâ€kûa-­âE¥]U+Ùuÿú›á«]i%;Hæk–çñãPbÂáOLŒe6È0qA3Ã…™Ì×W|òƾ»‰f–‰f}ªoo¯¾y§Ü$°`¥Ü.{syƽ“ÛÅÏSË$»†øôÍÞ½ÿî§O¯¯žÞ¾ÿáÃõL>}÷þŸ7TûîÓëï¿ýéz&¼Ó7ýñöæ
Ù4Ç·ï?¼¥ž@Å™I?ݼ»ùtóáÍÍõ¯·ÿ¸º¹íöÒ߯à
-7òûÕÏ¿òɶý+ÎTðfò
ÎDr²¾ÒF1£•Ê=««¯þÕMØŸŽÉOÏŒÔv2SšyX\Ê‚9!€È™À¬’ª“²cRÎT(åݶ¨Ûe¹½~:[6Ûu±;Þ¹>FûÓŸ0ÑQp¡z\Å™u°¥ÿiêŽ/˜Ž¡–šó¢¦Ê]oËzGµ}[ÕŸÓG
UÕw’6Ô‘ÒÆÚW¸µ#©Hå˜÷Œ3`à& Ú>ï”X˜LZÔ‹‘ù„gžÃAͺ¨ŸÒ|íÈ„Ö0o JÄ)àÐ¥eÏ\Œ‘qìö¾[,0©;†ÎœåÑšN0c½ÎûÝ쪦FÝ÷ÓªÅÒ`Ëõ䑬+ë¢ÝÁ‘¬-·T‚†ÊE	ÃëªNä÷Õüž¨?´P*á,-Ù—x(¾w&I4Ü£ª›¡lΞ—‚¶JÓÀ¶`ƒ*n«ÄŠ›¾ýð#õ¬Ë¶->§Þ
î
-{I‰Úf+ó²ß;ob¹ O²èil1¶'	öüëjF`Z“ˆ7Åü·Ä{ÑÒŠø=	EYɸÒ2…Üç)ïR¸#Þ[ê,R¹iÚ¶º[%ÒªŽ‡ŠãT$±Q=”üöKµ¼¼P!Wiõ51•V/£ÿ¹œW`Ư WªéÝ~—˜K5õê‰jí~³i¶»rAB‘–ƒ1Ô”; V‚'1¬Š]õP⊇i]>Ò`»*ÊT*~c¦¤†%P™±?|CQ{B¤1¹Æ<û#תÆ4ÌPgS?é4 TiΘº
-|…ö}§ó§‘0fcâW‚l§Z]rIR…²Xµxô\õ¤P~X&5ŠþÛßWóØÕ´Í2uýûÚСEóØÒTu
-Dò„Ê ãF#í¢\ûÕ‰‘ÝÃq:ôó»ÏíÞ1î¸ë»Üã8ÉŒ_ìSu¢ãî‰ÀÄ]Ie›ÞV‹EY§v**6iúƒC…O‹–Ü1'¡C™âVw£*"Áß)óa¥éFDxÄÚ¬í®Ø•k8Jvy®°à¹¼•ú2øèSU_¸í¬ªOP‡Ø†Ê|qõŽjdùêšxÌpý¨€hÙëâj½_S£Þ¯ïb€z³¤²ªïš}´chüIñj=°›÷hIX‹°+w‰r{í§ûºŽ'	šz¾ßf”>H1E¬ªdv Û’Úug+Š›éC±Ú—TÍf£ÅP/½ÒYÙQ†,ZŸ7 ëõzïS]0 L5|³?Åí óp[Ñ——ï¨FÖêI`Î7d Zá`AØȤ%‡†}À`2!l‘	a­gBHN&„Ñ„°r—(û&„¤gLˆ,Ç3áìQô§KF<ÃìÕc‹¦ø}_¶»6+•ås=éü—Çç_­	ÈòécµZ
]>͹D(Í(ÐßæïÑÉ‚ã¢c¬à–ÈC‡¬^dÂg´ÐÀe2ˆçî}ªóZØQ
µ0G²º=½Dz¦µ—¹è¨FØ^"ÓpóòAü ŒØÈÊ(wÅ3üàαAºˆµž.Ææ=£¤‹Øu—(Otoðý69Í(V/¡Ù’°ò@ñ hMUšvÝìJj#r¢Z
-éà¡ÑQ˶úJJÎ(•Ô`óVd÷-Ç|6ÎÙ^TPüEQ¤N¢ÂP-Ž±“† çý;áVctHÆÌ™ñîHŠ1f€ÅSÌr$fÀhŒ0ØzqˆÒ¥˜ÕŽè(:`Å)èF‡Þ’"E$Âè0ঈ8@‡Yéâ©ù0Z½TˆbM#ë^úðj@±¿IeAÃÇ4~J4VŸˆ,Pì:@5\k”UÇ
-0°VÌê)7÷[.ò¶¤ÕÆ—€Û®gNeþ2¨«AÕ¸	ö²ìS÷‘ÕÉ=oåóòÔEj¸y¸g˜è¨žáBÈ€*ñ".Ž•	„æ|F]J½"xœÓQ¤Ä´X,RÆ!“QHTÉgb™\.PÇÌz”šj·o>R¬¸.瘔jŠËA1†vqÈQåÔÓ²ÜQ®É“…§Ñab&åŸ:÷oBº^õr\'« á”®ÊÈÑe2ø¶ŸovÚ ,ÓPLC]vÙD ´)#W¬bPvšÛMzû‘zðFþj˜ª‹ùµ½Í$­zO€r¶±mkÂÇ9‘ç[<Ǫæ4¾ß,ÀrðÞ®$ljI$u³ÛI[Rº&åùdw¿o©LFçƒagªÃáï(8®V‘èËÁªYõ°Jêµ}»OÂ’äðâ÷©2ÔKIîSI»ûk“MP¯j8Îe1Oßü"¥ž¯šv6Ü)€D”LÐ ÖÓrØ9ðú0PÖÿÈâö>ºS °„Dë}ž³ØlÊbK½UÖ¹Os
çV8÷ßFs%Â2#là œæqÖYþH:Î1ÍåqBW@JX!ÌRÃ&!+•”BùSŽ:w ß¡ñ¡V(;­–DÐ}Ð!^aÊ03×Ihq,»nút,
Œ‡	Åáê,ÍXç’Û“¼CÚdO°@A~LfÜ@q€•GéEBéÕÎ0t0¶ÓxAÍ€*JBÁ–òHÊ9ÀHÌX}""@(«ý‚‚3t£JaC~©DãÒêãè™u0‡öG‰·Çjw_Õ—²TÚ1gxsÜñéÊä¬t™Ûf;–shmMf.ÊgtîBƱw°~ÞðºÛ¸T½Ïûm‘_DxÌ?¯Ê´à&4Ì 
-ïââÛ¦'ã68iÏÏEßq˜+Uóéf™»™ôŽIëqº.'8ê ®*ÙãðŠèCOˆÆ­%
ð[uâ‡ë™Ó[ø/§'¯¤Þ½p¨âàƒœ‰¯š“ß' G:D´Çõ¸×ƒbÇ7ï×rò¶Mú›JÏú3ÇMöQàJ¥è»íôºøc³B¯*b–d˜Jf˜ *¥ç¡R&šU10ô,š2Ñc¨‹JˆÃ}T'õ”»™4ÈYc/Ù­Ÿœ=4–×r’_=
-œ„¢ˆùµäÓßð::`êDµ
LâYÿ”¿NqÌd/x’þ:µ†›óñæ&
ãV¨Ë¸ZZ°iîÌe\ÝQqd³{­•Çç4;é¯p
-­3Õ#ƒì\^TpCFºôNK·u_‰FîÈ–4ÿ"7Úû.‹ûêšÚ¤$ÒŸ'‰­”³*º'5zfÀŒrqòœ(Õž½(gÎúg®D}ªG—©˜ìf/¹)ðDøæ{‘‘Žj„“áÙi¦ƒôCV^c8vY*·u–³½4!Þ¡8K²y §
=«ªOf‘ª»(°4ëü—Fc«ò'Ë¢Zµ‰éÑß!h@˜ÖíÞ¾g(ïüf¦™J§žEIÊÕ¼E¥/wg£¤ß­xª¿"Jz̨ðÎ.q.J
-€ŠN™ðL”N1¡ÿÚ(‰wt.þQ²?ó…()4>Å;z
{ŸWøô	ÃN³§Æ³a\¤Èñ^WI¬¥ÇNVƒz0M¦ƒƒ FøôÝÆxMfé¢"R4TÞ¥6^e1+Çíƒö¾Ù¯©^¦×W«Î§Ì²®“>#°> endobj
-1392 0 obj <<
-/D [1390 0 R /XYZ 56.6929 794.5015 null]
->> endobj
 1389 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1395 0 obj <<
-/Length 3308      
+/Length 2542      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[sÛ¶~÷¯Ð[噈ÅÀÉSš:9î´NŽã>œiû@K´Í‰Dª"eÕíœÿ~v±/"e'“dÆÁåb±X|û-(>cðŸÏ¬N˜tj–:•hÆõl¹9c³{xöþŒ™EZô¥~¸9ûþLg.qF˜ÙÍ]O—M˜µ|v³úmþößo>Þ\\Ÿ/„fs“œ/´aó.¯~¤G—·®Þ]¾ÿõúÍyªæ7—®¨ûúâÝÅõÅÕÛ‹ó·šÃû"h8ñ»˟/¨õþúÍ/¿¼¹>ÿã槳‹›v.ýùr&q"žýö›­`Ú?±D:«g¸a	wNÌ6gJËD+)cÏúìÓÙZ…½§þÕ)ÿ)m-”™-´HœUé´—YÂ4xm‘*žhnlëeÁ§¼¥ÐËû:_dëfÑì²²¾ËwçÜÎuµß-ócpkcR9ë32¦•š°Fö¬áŽ'FY34ç×:‡U°vÞ<ø†›ƒqù®ÌšØíôÑP´x™×ô¸
-ʪõVBÏ/ïèÉc‘ê Ò¿ÖÛ|YüΘÈWô´y(‚²U~—í×Mx«©Ð!G>]Xž¤ÚΧµð³(£è`Â7<'¡DóÛ
-?[ˆ¹¢¡koD¸›b/I…ÓAÑÌ|b¬4QRE™ß™fwÞ3º¿ƒ,]–Õf›5Åm±.š'åÉ(ôC|çå˜{>ûR§ƒ°•"5ÅÝÓ©°S:‘Fèç‡o¥^ŸkØnJÚ8ò§‘‰Ô†®rÉMQbÐI¦æ‡‡bù€M=_WËlM½]lÒ£lµ¢¸«ëWЭ¬\‘hµmŠªÌÖë'ºÿõÇôζÚ5AøP¬ƒâ[o!L#AKcÇ
ZÅðñ×:÷ã˜t~õáæòÝ©wvd÷y
ÛÄ9¿ñQzvÉ}Ý„GÛm›Ç·‹’túê‡Yg±™ïq‹Â~WOÄ°4.áB¨àÏMVƒC§âX"üIäþ®Ê0uÅR}´í–ël;JJå¯ÞL)Á×v€ÊpÔƒÿ«Ã‚BaÂí’4•qOÑX>§ðè<®n©6yÙ„Û¼	ÐM›°9ñaiƒô]œcæ#è \¢dlXÒÔgèÈ!ºN»EJ9aÅvÅj•—áþœÏC3£Ë6d¿$³>AŒÅžt~›ÕEááí]‹r¹Þ¯Šò>*»C¤€‘Z™/ws,®HÏõ¨ÿP—dÍ´óÁ!i"”æÃ
£ìh0¡–ºhÌ|b5ybŽ‹é1©Çˆ4}€ñ9ä€2 þC¹Ä¼t¿ßeÔ‰=ë|ÑœÁà8#X"˜²_BO¤õlËNÓ	2y
-VŸÔEï1Кñ¡ªE´n|'ÑRˆ>%hƒ¨Á9Àr3‰K!¡®z^ÔFqÊ‚¨'ºú`ìBø+æ#×€R)´i#«˜gZ³?g°ó”s’¤zm?Ûξãû˘ýXÁœfýiEÍ‹¾j?/#9‡ãÆ ¾-3Òý©Z#–r='äus‘è„S“R4ò ³.òõ¬ª<ÈÃþ F½ßnq/*ˆžÐ“7ßjx šèÒ2´æÄ»ùݹd!¦qáûøpóö#m¨ºZž6ÿŒÖÀ¨Q*¸,a‚ý…þ¶Ø‘T:D­Ž'[d/„Kðá·´“Ï°XXî 4Xú<™i¥F¨µx4£x„D"ÄJ_÷˜ÏD©	LÏdZn‡6ü\|žB<dµM/¢+xVÈÈy^üø¬‚
 ’Qõ×;};òº«	—{²—Á5¤ª#HG&€šž
¹ ɯò&aMÇM4–3ƈ4¡¾@š¨õsQ7uj¡Á¡ÎµUÏ£ZìWÛR¬)ê‘…6ÖµÓ›{ÙØÈM²ÇªX½¤BY)®¾T§·Ò|••!	<&¢Ýª#{Ÿ×nò8sž¯”üòJã9\ÖrC!õ¼º£XWø†Ñ‰sL
Ó«G6!láÂÊAÙá›ÍCÖP‹ˆ/Êyª=Dq±å	\=¢H÷(Šú4%zcÜÅ×[z¤X29ÿ”ª•BÐqàJÙ„+ãŽîîC¸îWðQ~Ña¼Çz}ŽÈ—!õƒq!ÞG€¢‘%[‘LJ+õ‚!Ó”4ž<,Úm7þCu8â)ÙcV¬³Ûu¸Æ'm¡íkÛP5­Ð»œÍßÅ’4ÿ+Ûl×y€$nG#ÜUH͉:N#¸ªë°Ý% xàp´‘ãºì²ò>§¦©±Ô4ðæ5µÿ÷z*1Nì ¾Z˜Ä^†Ð؆èIÐGKÑÎÂÐÙˆ¯
-Eëa)¸ßuØE›	{:ÜÅ~Â]ì¿ókQm¦x+¤^a=ýñ‰!Ûä«©b3‰R¡…1p[â¾Ô‚{_ô#þ6tëˆýÞ-õ¿€·h}b¾p…çÒÁ¿W&ŸJ+>t2æE/Qüy¬Ñäê#9¿ÀSÙ—6×ú+€
-Ie£k¦ñ”ÚTš¯Ä_PórÁ8á ìy{¶´áqÕÇ8 ºËÿ§–ª*Ö‚~6~œåCUÕ´a4±Ð[øý° +Š0ÌԺ¥à±"4¦&e{!@ËW’põÅ’Ÿ²
-e%t>¡FßBL ù|EŒ}b•°ƒáÆÚƒ7{ªý!]°éÎÒÃMý:¼w×3ÜÍÿÜ继!Nvh*H‘¾$W&@vetœÙ‰OÚ9û›§Þ[æh¯úd…ÊúàkhªýzE/QÑ}÷yÓ×jº7IÚVÔb4áÁo¤í¸Ðý@§C:lo¸’Ǽ\vŸ%žDq5¿ªš0As,‚竼.È¢ - *6ý¶ÀF¶®+¿
è•°)
-ãëU¹#û¥˜Þì¾€/BÅ`DËÄNP0Ü&ýzç{üRðSÇ
-JQ!†83µÍazŠGÕtY“Þ6mãMpû¾\e>Ž¡Ë=
{À·uþ:,ïCþ4ÔC®Á.{tXIKS=«|S} ·Ùòó4¬&ª>¢ú¶ªëâv×ðŠ¶"iéĶ-ÚÃÚÚ'ÒÁDÑáBÑña›#	‰ÌäÓSÝä›ð	*å6•"›br‰*“›‡@r‡g¨÷f÷á©gÛÀf7YùäãÐÐ?ø8Ý”@ ‰ô">†lw™­#{~ÌÖûøZÇâð38I¹ùá!Cm€Ž˜€Àc{p»}jòÉ"X2•ÅÄ2•a'ŒRi’‚ÕÁ(ZÝÚ§k(Ùºwé¶ö\†²
-zhÇ@c“ýUlöºéó}¼ÝTû²™2Y<m?C…[ÓÌÒY«;\¬ÆN£¾,´Y+â·R‰6òˆr ¢DÆåÅlâVó³xbÑd»¦­U°¾)i¹+¶ÝÉìdÁƒDËö¸·.þU”RK †Pôóéžü¢OËø5øäùV«qÑW9>¾’ÚÀú¤ÝÀ±ÊŸ:¶‰Â1šy|0üÜ°t0‹gêâV~ÂÆAhŒôëbÿÛ>ªÒñdŸ+7°füu=J½`ÃXÚ„ ƒ­ÏS(UÁ¸”ƒÒnÛ<+èëPìí²ܶPí1tâ›q„5š8&q1!D6ô†\Ù€Ž7ÔüSå:&¨™ƒÜÀ«Êï¾,§Î
õ×^¶<ÃÕg&”ó0g#›³=àO™ž(ƒ‚½ÿ†Š-°H̨¨@I…#ÞPíi©ž¢®÷Ù±Ýo"íË`x¤\ðLØü˜&N~HM€	Ûç?ƒ÷¥NŸ·R>[U»|
-!¸à€kâ…‘[©‰¡RüÝÉÑØ7×:¨÷êï¼E7b\‘‹
Žvö›mÊ›	í£_LJ4fÖšÓƒ‚4¢Ú“è“ëdY¤†¿ð™Nè™_È!oVÖdÓ‹‚vŽŸ¶;\’4aŽëÁÀäIÇ{+7”m©í×Ä1obÍ7ÖTØnâû-x]á)}¼VRtãt+7“+†_S—~ýŠÁ@ñ'rL"I­G'Ä(¤¡`lÉ¿ë4=îõ›—êM\MÆ1Uøõ‹Lbð0—pf{®ªƒT¬ñwMx¥¯»cç-ýÇ3oO;ÍkêWcR''²k?€~ó/ʺŸÛó“Öž8á•Ò>žÌ£|Y#Ož*Mÿ?ÞáìŒendstream
+xÚÍkoÛÈñ»…¾•¢½}“D?å'õ¡g§ŽE{wh‰²ˆð¡ˆ”}ίïÌÎ’"%JNk·(˜Ãåì¼vž+1áð'&‘a\ÅzÆš.ÌdQ\ðÉ=|ûx!<άEšõ±~œ_üðA…“˜ÅVÚÉ|Õ£1Eb2_þ¼ûËÛOóËÛéLX6˃¯®ßÓJLw7×®>þrûvê`~usMË·—.o/¯ß]Ng"2öKOáĆW½$èãíÛŸ~{;ý}þÓÅå¼Ó¥¯¯à
+ùzñëï|²µºàLÅ‘™<Âg"Žå¤¸ÐF1£•jWò‹Ïëö¾º­cö3*b&’ሥ3 ‰™Uð	
جSÐH‹ N
+m§"
+Ò¤®Ê7¸ ƒ¬¡YMÏû´L·Iž?ùÛQ•÷´ÂƒeV/ªÝ6¹O—„ÒTu“.²•ß—Ðc“l›l±Ë“-mÞT[ÏoUmýv,
úˆž>*’Ì	F@E¾îÒíÓ¬¶‹¹¯¼Ì
+k=2>¦7ÓNÍFv2‚ÅHúðìÁŽÐ
œQGzÓdUYÿ™üÄ™ŸÅ&ÏYã,dœ…’»<­é€]íjEÏmR.«"ûæi:ãTt[³#䌈ŽP„LH£ÆCÎ#ÍúXä1bÌcZ,Tdœ9› ,³MUå‡"ˆPÁ>°ãY:¬!úÖ!Ä;„ÆPŠù:óÆ#ƒ{3·kwu•§MzÒ:pÊÌ„Êœ·Në´u:¬Î[:Ë̪ìÂ(Vç¥è°FÄØäCn‡r¼Ô>Æ2.EøŒ}zXgìÓbØg·Y&Mš•Mº}HŽIJÌgpâgÅé°FäéJʘérÀ@ ÿÔP­rÀœ‡*¾'ÕÉâØèñTÏÁ°ŠY­âÓ´hZlwIíKªÑœi%¡Õ%·Õ$xÜ‚³HëÈY亗âŒÕÂ9gFIísÜÍtfE0‡ÿ2¸<´ÐÔD3Öq!ëÉ׉`\ÇàÍ©;]÷6p?\rò¾&=¥Z³>e§”•ýx!œˆ00„Œü1CfÕRÉr¹Më_Õ£ß8—˜_ñkVÒ³«8vjJCT´/9Ð:ð€ÊÃTò ­=‰lȤÒzP <;/äT/Àjª8–'÷rW5k‚~yÿ‰0¡ ðz.X­Á°XÍßžŒt+›	2(2ðÀRÙà…Üa	‰Œ/;€¼q¡Ñz²båj|«JW³½¢'.ò€æIYuB¢œ?"b‚J>yXóP#ÞjBva„Í\¤÷]¹ñ4²<¥–;
ŽUÇ!t;pŒýPxYta›ØÆ“Ù¾+{qìKÃäk
+-³!¸Þ÷+Úî8•F´
+a³Ï¤Ã!(¥_3hHÖ6!^=ô)ŸI#ÚFÌZ_Ÿ+ק¢ÿûªˆà
+Lˆ±é€Ôã@mieY¥¿¬êݦwn%mš¬¼‡—0¦àt«ÔÒ‡6yáK—*ðƒnE$o]-0â¿à¿´ñQz*Bú§ü2Çù¿˜ì¿•
+h‡>!JÅLA3ðL„(°u¿n„(˜­ùoDHŸò™Q–3´4¥Œœäu5RBµýT;,50ßÔ+Lñ©+Ÿçë(ÌYJw3œ¯„‡%Ž!
+=
+ÄL›ÏgpM3í8ý~™Ï¼~pôÝ0ͨ…<Ý‘+.»Ö©Œ·*ìd8þY•~O…;!4Gæ^“8V#!ºvQÖë¤& Hë¤Ìê¿c{…ÏMž¸” vʆÁ*YdS)³€–¾9QR'…{¥DdLò¬ÈÿµòL(ƒ"zQíJˆƒµÛP%KâÒ¬“f,uöxºÉ›DvCAy0¶×Ou“Øþ€'ÏÛÕU•çÕ£KèûñÂSÃË_¸¶
+žß:ÃwœOŽgÐNâ#Îg}¬ÓÎÐa¹ ‚¨QØM­€'cýók„û°•Ž™Íû÷)6㥫•2ÂPÉ0¸Ï«;ÝRžÕ
Aî$áëÕ'µÑÝ\Õu»¿E)ÝÝ®Ô0g’Iò´—vúÌ\¡NKp}3¿úð‚àܧµïÃ!-H½¾ï<®Ó2}pÅßr§¤ñ•oM«‹jóDù¤h–wŽOs(~BwM—o°ÖG>Š\7Ñ,oH=*{]áí–.	£Ý?à÷'ÏéúóX0è‹Ê=—à˜P‘ŒŸ•1Á:Í7trÀ3-ë]gV\'kš»‰a§»ñ³(‹ÿö˜å9A_wÙâm/Ñ´@ùÞïq&€'¨˜ä82¹RŸ
7.Ý&æ8wÏièBRw:(’'îRzæE\xÌBi²X\*Jh‰ãP«¶h
ãë (ŒÈ´Å¿çÐÄ‚nQ5º¥gïooµ¯t^êÖ?›ï®FbI‡ÇÛª0q¦îÖ5Â+iѳ“OWÉ.oQW´MXœÇÁÕŠ>À¶cCh£¥4ö{
€ëq)æ‘2Ý@ÃÁg©—-+i)á	J{ËÒEÕ1/¼À1ÝÕX~
+ˆû7D6óœÉq¥¯ÚfKZ!ãâ1¬£Ö"dRðpxQ¦Ã»ðÎPÇ,=™2BJ‰¿WD2øûÍ¡45C3Š¾ÏÓÖ·`~dÚ…EÚMÕ—®÷G¸jhyU׉ð‹Ô¢¼¡ÛJ@ÔåuÍò:]ƒFàLàviM´ðuãX43¨Sòû\Q2Ê'"mŸ›¢€;ÇV¶UVºªð>*ñÍý´AÂ&ŽSǵ¸Öždõ^?gH]Ìpèf¾—›Æ·>pú
´ôF[Nݯ 6æ³E²¿ûÄ]€/Nvšì0RÏt}¬ÓÝG‡…¢É³¶ùÁ#Ÿ5Y‘βòøèr¥Õç%é°FD^ +Âh(ËUy]£èu4õ;ÑHA]Ä+©’¦vøœWå=ÍüÚçO‚è¶+JùD;‹¬Ü5©_öÞQ¥q[Òm‘ÍèœCÏŠhxÌ%Dåò°åÜççÞ¶œ€Žeë’À5ÌG5øœGVì
+zyHò]:¤,#Ï6yêQÕ\p<ëM!dÅÐ>ãL=¤3?Sy¤QWÊ–ù¸+Y&cçÄèŽå:’€¼É {?‰¡	ô‹/äCk9=7ô³êý¾	ÀUÊrO‰Î§„qæ†ôLn%ºJx·nÒÆR“è÷»•=åUbïUÿ{§j'\ÃðWó‘Ãäݵ̋œï݆s9îŠ[Ih¹¼Pn臒w¿â‹þ/o/üHendstream
 endobj
-1394 0 obj <<
+1388 0 obj <<
 /Type /Page
-/Contents 1395 0 R
-/Resources 1393 0 R
+/Contents 1389 0 R
+/Resources 1387 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1388 0 R
-/Annots [ 1398 0 R 1400 0 R ]
+/Parent 1391 0 R
+>> endobj
+1390 0 obj <<
+/D [1388 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+378 0 obj <<
+/D [1388 0 R /XYZ 85.0394 317.2404 null]
+>> endobj
+1112 0 obj <<
+/D [1388 0 R /XYZ 85.0394 294.9454 null]
+>> endobj
+1387 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F62 1100 0 R /F63 1103 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1394 0 obj <<
+/Length 3374      
+/Filter /FlateDecode
+>>
+stream
+xÚÅËrã6òî¯ð-rÕ‹'ÇÉŒgÖ©ÍdvâÔVm’%Qk$R);Î×o7ºÁ—(ÙS»U[: 4F£ßº–ðS×.QªÓë8µÂIå®—»+yýs¯ãÌÒ¼õýýÕß>˜ø:i¤£ëûuo­DÈ$Q×÷«_g‘ÐâV³w?}úp÷ñ—/oob;»¿ûéÓÍ\;9ûp÷[‚>~yûão¿ÜÌUâÔìÝßß~¾¿ýBS¯ñýݧ÷4’RsfÑ/·n¿Ü~zw{óûýW·÷íYúçUÒàAþ¸úõwy½‚cÿp%…Iwý)TšêëÝ•uF8kLÙ^ý|õÏvÁÞ¬ÿtŠÖ%Âi'‘Ä2žæ²±R€'"#“–ËZMq9`!—wÙŸóæ•õ:?ܨd6oŠ]>¯ŽÍøü
+>W*U×ýMNHi±&h1=ZT¤€‹Ò
‰ùéØ,ªc¹‚«ˆÔ쯪Ì	
+ÖÔ=Ü$³cYåõ·7jV•pÂÞde€
+þd—•Ïå±Éyø©Øn	Z„­òî˜ãáQhAf%H¯R"uN{ˬÉW TFÉÙý&'©Yåëì¸m¨ã÷„ViI@·%t~“Nj7ÕñPC_—ƒK)vÇu³í1®¬Þ6{î­j¥íHk™¥%JbÒËÕC:/PiRžŠÕöŒ<alz™Žé”4v#‡”tÂdd&#e_˜pb—}õ‚„pYQ»÷¤W¾Éëš>,Jš%©¢oQª<¿Aéá,„9Åü`ÑŠDl”Š,òjáŠÎÉ–êdëÿ'Z&‰ŒÕ²Õú \9Tç‡"ÛÎÿ8æ‡çù˜u"Uùy™Æ™Ø S&©QfHÀÏÛì9f4ÒòH&É´††÷@bµ*–ÙvûLsžZšÜeuãÍ÷¾×³¦¢ö7)µ·€€Jã‹5
°A¤½—ÇÝ×ñrå(‚J†rµ!š“t¶Óøà%Ìêhv›-74^ˆðX{¹(£†®ž‡v [H_Š²¦±fÓõ¶Ý‘Ny3'û¯VæÍSuøJEV®žŠU³ñÂÄ”»ïoR=CÖ(;Û»7TŽ7‚±–
+€=ж+.œbõ@­B8ioÉz´¦+Z·{Ú ÛK^9TxÎ 
+™êÔyÙkuš°¾6©Øàht)ž\©ý¾0=’~	—¢Äž•ú‘¸Æ±Ð‘ãª}ST%žZ©™w†°QQ69úH¸	žñ:ï
ZN(qA®#Û]*\Þ¼:_VåÊóÀzx¡„pI$Îé¤YÓò¬Qq`$ðö²Qéc7*-Öˆ½x¶±EQ‰ˆ^Øq&6XmDdÁ¢v¿ÃëÑiN̼cÎHFä„D
—ghmY¡­µÁ 
뼡ýèúa¤»~m¯&üõÃ\îòx ‘÷wï—aSDß°S±'vȯgLÒ‰‘1`I¶Ûê)_ÑÚAl½×„l`Ý€B“‹Fì†&ÈóðP<æ%ÍaèŠá~옛8ŸR³ªh? ²j
ŠßvÃû…Sã<œzÂ$
("­gœØoÈ(ÊŠC‰ÎÖœÞ,$/B¦Î|ÃÕ*	`ÿjÙüÜ•àg2²{ ùÍØÜÙ`î܉¹³hîÀÖùkÔ6…Ô%in‚‰î¸ÐéL!tØ6àp¢ïÛð¢±{¬‰žáF©°äÛl`lãdÄ3æÄ& 2Ž.›“>ÖysÒbyîô£ßuuØe§±¯†¤'…Ôï"-ÖÃHEŠ(¶ÑŒû`A¥®ðbw‰ÏÓ]!Ä—â?zªXAô'ᵨt°úÍ”ï2±HR¼Ð1ž`Ó+s.ÙTÔ˜)½€øÒgÉ	FùÌëM*…WÓ*ì…Yt_Šï§Å.{Ùtæ.Çr§„‹’ëvk±Bh$Ì°%]Hh!Xòµ«Ü§¤%£“rzl¦‡6âîrU‹‰s…—’ôî„Y#u74rgï‚bÕZ†"Dã…ˆzÿégÙAÞ”=ð¨p”Í $',óþè’ŒäŠ>	¬§¹ÕÔ™4èÐo_)©°Ê{²Ï–_™ö¬¦}6ç™b"
NÖê¡ÀœÒ®U<¢½¦ÁŒÛ}U×Åb˨UÉ@âø£ªôy@õq¿¯²/ˆ$HS#ŸþL	&í´ÍpÇ[Ÿc ÿD“œx²ØÝhËyŽûK!‘Ôã´®æñ'#û¬^ÉÞœ©p4X•Oß&:dL«ºI!±s6鳘ïŸfÒ)¥˜b?dˆ2iE«ÕKºkj³mW/M«~ù‡-‹QRÿX,©QWkú×s C«ê©¦¥ÊˆøÙ¹=n\§‡ëŒ£Ô¾|zýÒéc!±4Ù3¹c?)\œ~³Mµ©R-uÏ+,8¾¨àЇbµÊKîs›Q³çå;ƒ
+ŸfuÈ2ϯB4Ø;ãdÚ!ÓfQ
+µéćM¾óÉà™àÃÄßéË¡G‡s>ð`œ>[ëyQžÄ¼^ä…}[œ“±†‚ÃÀI{;{¡Cmnóì´‘´¦ÔÛ¢9èpE ~E»ääCŒÙ¯üz„ABvGAZ‹)€Ñ]úi´ˆL|&ù42äèªbÕPcƒ€+9!aí siö]I:œg^Î&ô‚i¢‘b„‡J Ei/z&Šë}î“'{l9¶Ç`Ï#iÂC^.yÐ_~ÈF@¼
+o’Ó;ÏŠ†S¹ÔA Gdƒæ+Š¬MEwܼS*l«l5TÔÞÔÒgO˜4‡›8t&ܴĘȌ`‚`‹µä4`î7b.Ò¶¦Ý¦·€Ü5~”ïÿÏ[•@"âxÙFö±ÎÛÈë$kÀ|yúö§-äñD´X/P¡tŠ"ñ**ÆÂL‹“/¶ÿÔ'Û
+Žéb£fÙjÕ½6{4~Qd›‰-›\À¦çB°(Ÿ-A÷ï>Z\æK,Añ“ >N(Œ‘ö·©PhZç
U–Òpž–a¸ÚÔš—r2Õ«h
Œ¬1sq*ÄŒÉ'ƒoûÕèóa›ƒÞLÕå©Úî"®¿ñó+ôyíxöËûÏ4‚ù÷›aaÎWÓøQAx×

öJÞQ·'|ja½Õ3X¬bIóÇý
+4³t£áPkBÁ—ˆ‰—Á:§âWõt›Í×Ôó¦½ñÁ†¢f‚áòrŽÛ­'Æ‚30ˆ‚$^ë#3K“Áó{lÊ¥Öü„æåFùÒÀø´xXgKþæ7­ír[Õó©ÓAˆ\€*ÄC˜·ÃÁÕ‡‰Ü¿&:/ªÞœ΀$DÚÚÙ~Ÿgõ×Ð&¬=ò(0k7YøÜ©(¸aÿ>Õý§e¢ø+õ¸ü‹; L±6"U`®"KL6¦÷°¿È©"ÏÀß¡òùwÁˆÿ`fíG¾¬àò—ø(f––™æç‚é hêK¯ŒFBÒ¬ÝTÉæ’ÙÓ²´IŸ`ƒ,ü3‚ãbH¬!°‹FF‰£	~£€{ Œ}žÏ¨ðcA%G@8B˜ájÌÇŒà3!A„²=ò#g“BnC+G”:²cïdb›Œ¢²§¢Ù奚”Eìd`³?ñéÎàä"·ÿ8LU˜!´Ž\ Îógr§!Ž]€Ãú:ÌðÚlLŠÞÃñ…÷é«ÍÛ\œû/¥qÿ9á¦e›”ý×ÿ³ìþ„
+œƒ@ùLeKÇ:%°åÿ‚ªOã‰õ/=Aú·øÆendstream
+endobj
+1393 0 obj <<
+/Type /Page
+/Contents 1394 0 R
+/Resources 1392 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1391 0 R
+>> endobj
+1395 0 obj <<
+/D [1393 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1392 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1398 0 obj <<
+/Length 2490      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZKoÛH¾ûWè¶0ìéw7‘“'±³d¯£3s %Ê&"‰ŠHÙã]ìߪ~P¤DÉ	’Á> ,v«««¿zµÌFþ±‘U„ŠLŽL&‰¢L¦Ë3:º‡¹·g,ð¤‘)írý49ûñR˜QF2Íõh2ïȲ„ZËF“Ù¯Éë¿žßL.nÇ)W4Ñdœ*M“Ÿ®®ßø‘Ì?^¿¿¾¼zûñö|ld2¹zí‡o/./n/®__ŒSfƒïypäƒË«wžz{{þË/ç·ãß'?Ÿ]LÚ½t÷˨À|>ûõw:šÁ¶>£DdVžà…–e|´<“J%…ˆ#‹³gkvfݧCö“Ü-´fDPždYaíð²CmÀòGeùï(È
+dü¢/*eÎPêQª3N¶=^.FŒ‘L)Žç˘"šK32JÁ¡kÀ×hbÇš¥%sœ”(Á%ˆGŽ÷ãT³dÿóäbÿ@P¨àÊŽ¬dǵGŸGŒP™eÂ3uh·ÙÜÀWK>zSÁ–FÝ]EÁiG²Û•æÐ2´Ö炘ÌX§ò‡j‘ot*)ëq*t–€eód¾šy¢<‹²Øø‘YUþUÕx¢Þ®×LKšÄ‘¢iÊÕ½iŠ0Zm7Ó@ç³Ù¦¨ƒ¤ùXÐ$€áðØÛ5'¯oíÆÂÇÓ1§É'ü¯hê1(Eö--3ƒ(£î1r„‘¸QºCÿ·á:åÁIôÅy6(¡x°ZƒZpÖâ•
„£–-ÖlòU=‡ãb6I½ÉÓG}JøÄhÖ]á@–k@Ñ…˜aÄH±§É#U/•×Á—ºÛPš0ž±àKúwü/~£
Õóƒ—^ü1-Ö§ÿQ­ÂšQ`Tp’ÃܺØ̫Ͳ˜ù×míP‹äÕÍ£>˜?0šW¡ìÔÙ¡Í:\'/ráFòE“1@ÿô`û€“zD¦=úgÇ!v@ðé)r¾×4*6«¼A·5zw8n•C-SÃ{9÷OïñÀîÎGeÝ ‘×jœŸiˆM_@ñ“y^.ê 4„¯Ã%$O–1doë"Ek» “ÂA›	Õ>_¨Ä£¢Ü2ÀBà|bR%\1ù]’¤DK‘}E¨‹_K’Š¢õR’TÆÊÙ÷M’ðx¶aB–ìŠ>‘&Öz7¸BDSš÷îêȲ¤³dë'¢šH;c!1+ÖÅ*n×ÕÊ;`»TPÛƒê>ÖXä«ø¬Ñ~Oanì.Õ{C3º§K@@üF)ßÔÙs(=üËç­?ÔŒy¼¤è:Å·ùÙ¸¤@h«Ùé¬ÔrÈJCe……œéQw‘ÃĘTé%&‹%™}]Î
+h71áë.1á[71qÃ\br\Ý@ÄÄ„ôpb¢–0@çñÄÌ°§½•D2ÉûÉÉ)>œœ Tj:ÉÉû…„ l¹‘}w>Q&ì«í˜‹™/%§X¶HaTž®mº\'P¹cÐéú^ãÑŸR¦åЦ¤ð&­î«ó±FØ%lÖƒŽï e³¤j?]…	l£™rÉgËâ©"ÛbÆëu1-19ÀYìŒÊ lVÌóí¢	_Aü:DH
+^c(Ð=$¬ªCgÐù³ˆ¥
+ö·*Þ2ÔÇ^‘Qèy¦‚ ç¢ZË(ü#ÏoTѹ³ŒêÞXÿ˜VËuÞ”wå¢lž•!ԣĨ1N‚°Ëu„-—·WSΟÁN‚·h®N/ßr½°>SÉ%Ô§§ØolJÇfhV$—åÊõÜT&OåÔ•Ð’WÓ|áG{u8LasípW×X=0z`­ÖMY­òæn|ÿøæÆ|˜ŸÊE|W„ìŒHPÊö‹
+wMà.>ëÂ_˜äúýäêòï~t	zä÷E
n¢µ€¶Ðß8Ø®žs[7aj½vwH—+/3\$À2‹ü1’Åæ]ÔÈä/C½¥Ð4—m
ºÌ!Üo†p,,ÞÄxíºÇ€![KµçvÓE¾EBº@€O§¦X§êjHÍt¬¤‹ê)õPÐEe€}ʯånY4,W7©–Ū	¯x)â(4Ó€3K(Ÿ3
ñ0„ÙöVq¹Ch .(Ù¦y¨æÀXK‹~5wª±
+NlSÎfE(è°bŒµ¬CvM¼	Ѷ3ƒ1G”~µ‹¢X>ûg¹š.¶³]á8”Ö
ÄH%õ—›ƒf4žHÇô(ÿ©„@¾òÚ™G*ÖGQDÙÞb\j²¨š¿Û?MhQtÛs:cÊÑÜD¥ï `|
+9`¢~¼ ™V+ÌK÷ÛMŽáÁâÈ¢8ÚÄ
+&0›ÿÒ›^.4{µåPË3,°¬ü®M,t2x× þ„&¶+úDË5Þ§Pöÿ×Û=èÿé»^H“ú¥j¦å:[CídN!nue4‘k@…^©§!fZfû:¼+?ƒzÄ´ùãÅð
+¦å‚õos]Zq7¶ë5`rW©ºgHžŽŽFlnVMŸïrƒ¨]ÅõÈ@¤fš®ð&+j¢Jø³ÓêXF)õUÊ»ªÉSï ‘¬#ª¹!‚ÑÝÕË£L·³uŠ5ÖPía †Ö6k·?ÐB¸·±8É«rö’LÀ²„ôKe:-õWi	!6;ÒÍb³rOßÓÒ-Ô<IϵJîx…vE<°UGJ%ÕÜÀ¹ÊPphE²Œî·ÉÚ8·<'C^G6yã)_ù"Ÿ«U`Ä׸H¹
+ž."Ën*‚z×ÀÑYc?oèTÅ‚ŠäCqÐŽH cP0Á‰ö™ÖÏmîC¸íþÙÓÿ¡Hu¢˜†Äš°D…a¹éêsLZ¦ÓZÄpÆ8%š^wUôù‡êi¯FÉór‘ß-â/7Á¶û¿è´Ó
ËhrÛÑâ|¹^!º`Ѷ·Â¼Â²¼ýh¿(r˜•¬É*Q:}(Õ+þé›|u_xRp£­'µ‚PóÊÓÿz5”œ§+VB8¢¯–P8–èpø%†þZ@(‚?ñœ(m˦oþK‚ÝŸYHÖòal
+‘–g&*å°8ŠÆCÕÿ
	lyendstream
+endobj
+1397 0 obj <<
+/Type /Page
+/Contents 1398 0 R
+/Resources 1396 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1391 0 R
+/Annots [ 1401 0 R ]
+>> endobj
+1401 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [471.1233 444.3406 539.579 456.4002]
+/Rect [471.1233 128.8813 539.579 140.941]
 /Subtype /Link
 /A << /S /GoTo /D (query_address) >>
 >> endobj
+1399 0 obj <<
+/D [1397 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+382 0 obj <<
+/D [1397 0 R /XYZ 85.0394 188.6884 null]
+>> endobj
 1400 0 obj <<
+/D [1397 0 R /XYZ 85.0394 164.0083 null]
+>> endobj
+1396 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F63 1103 0 R /F41 969 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1404 0 obj <<
+/Length 3525      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZK“Û6¾Ï¯Ð-šªˆK<	nNNb{Jì¬gR{Èæ@IÔשˆÔŒ•_Ÿntƒ%J³N<å"4Ñ
 ûë$&)ü‰‰±‰Íe>Ér˜T˜Ébs“N`ìí`šY šÅTßÞßüãÊ&y’[i'÷«h.—¤Î‰ÉýòשMdr3¤Óï>¼óîí/_ÝfzzÿîÃûÛ™4éôÍ»_SëíÇW?ýôêãíL8#¦ßýëÕÏ÷¯?Òå9¾}÷þ{êÉéqaү߼þøúýw¯o»ÿáæõ}¿–x½"U¸ßo~ý-,aÙ?ܤ‰Ê™<ÃKšˆ<—“Í6*1Z©Ð³¾¹»ùw?a4ê?Ý?‘&RY9²Rm É«`7ð—ï¾)™N·Í®k±)¦ÍŠºÞýüd©gS¶mñP¶Ôß–uGý«Ý­pÓfƒûÜDÄMdp6.× #ò©‹M¹d²X(å¬bªçj½&ó’8T5½7u9®{äŽU³^7ÏUý@ý»¢Aÿy;ÓpÊJfÖY×иÊáß×(Éd&açtf²ÉLˆ$7Fz!tš¦‚?§¦|»¨—¬5çtÖe’‘ÝH…K„Ѥ¶ÅSS-gOz¶_ng´óç[ãòDk¶ÙŽì²K\f’ÆÓÚ/˜vQÀËTø
—©œîÛrI=~Qгõ‡\>á©ŸKç‰4.é˜U»e˜ªWÏgñØ4­??äV´Ô[u-uÀ.IÃ&3¥Ò$•ùɵÍÞO¸À%èÜ«2µ
+|¸¨£{,¸Uµôœ¯›Å'¿d œ¨ó€3úÖÓTÒúŸÔMìkvD]œ²;Ÿw3šºÅ幋ív]-Š®jêöþn	žOß—»ƒ_z–L
+ôL&¨Í´Ùû†Ûé©« G¼-H@râH¿fÿrˆ¾²'W6gcC¢º}Fñ±ýÜì×Kú¨nx懲‹gµÇ/O7’f[©«”½6r[îž<_#{¾ÐýX<17oxÒŽyºâ¡¨j@v+ôô}Ó•€	FH–Æ—e[‘D<›‡jz³ÀF±n"Ÿó}ÂFP>oê5söG1Ñê@7^„€4±²7®qh6@€Ÿô:dY¢m?)ž°Ò|"GqÂDËÄIhÆ83fæ°<-ÂÔÍÖ«6Í[ІÑoû¾^^¡Ë=ô’
aìm[~ÃÇûX†ó€–2°
:šæ©Z–ŒÔ+o±Ð˜‹OÏ4-šÍ,p^­«îpðÕ·MÛVó5·ÕÌvÅo^›ˆÈ£lËE…êN¦}Á":=D1Â&t@Éé‡m¹ƒO="Â|w‡¶+7y”hÕæùcµ©F8Å­I¤µ4ÿ½RºÞŒ šùª¥®=:vj¢k•2ŸnŠúÀô5´Yá{PáïÉ@cγ¬Q¨r	†§R5½[k0òT¬÷á³^üzp¢Ê§Ï%Ïè7ruÀ‡SyŸ$î-0×ÖNßà¹+p&åç­üz̃ÂA#Cœ"ÞŽl§ÀP&¸Lä5gžòتjد‚_`;GØ¥2QY,I¤à½µpR°Eå–i°&p0-ï
+½Ѫi©>>Bî5K÷P=óCWŽé!èÄêT-h_ó!Ž¥³$©Y(:ÝÖ»ke¢oéµ-1nRŽ¼&ôÅ@cS|®6û
½OEµ.æk+6;îÆD–V$ÎêJ,ËU±_wã‘eîœ9âb{Ÿ7ú
+n=LxD!‡†˜Úª“%D`ˆ¬³1SóÃ~RììŠÛ†Ã.Ë“À%-v•‡MêÕ!HŒÊÂÒÚêò4Q`þàrb2dÜÃÿ‘ŠHÜ07žˆÌúgñ””eÄÂ)é#!ÔëɼŒ ´#g$e¢S4œ¶|°À(´,ƒwj|ŒR¡ž~DÈnœÍ‹üïÊÅqçm"N¥Ñ)DÛÖé4géXOõ‚糡	kؾȌ¦
„ãJÅ9¾öŽV‚'oË.ôݼöXísìÄ/	;‡5ºÀ“‚1âÀª
½ìlÁ´ñõô®	tGFà›ÄÁàÀA(ÖÔ_!~9ˆôö[T¡¿õsaË#9<½kB:s.„s.Bþ,5Ó5O°_@Üo¶÷G\$”Ûé‘D0Q
+¬
+ÙÝ‚÷¡•`º‹Ç¡3€¦L¹ëçS]>žÊKVtÅ…ÉÐÍ\eˆFŸœI¦A1Œi3s
+¼£¥¶?–<õ"2i¹i0Âv¾ïÍßÏÅ£ Ût)yäs<4x=4±W–gæ‹
)`ä
«ŸP3—Iæ¬"_‹\±ûó£ó‡¦G|x×¥£…Š‘'d¬ïVÔÇ›AK³½…­j™ªá@kHø“xîŠy—ŸAYžž¯ë9½è˜¶¥YÃä¾rË`†­VžÚA˜R!b/œe	 ß︵.}Ví;ÃôÇeZ€:ŽÓ ¡' =xŒ
½|ÿþîøUµ Èó0ï±‚VÏ¡†‰*OiÕèÈÙ«Q;ôí8oð™¶õ¡÷j¨m•¯a_Aç‚i¼§°ì ímðHΓ†#bKb0‡£=PóBÁ‚·	Ò+ôæÓùžãJŠ4-§KÐÀÉJjr‘Hñvõ®¨Zôon"onƒ½B‹!6nmÜZrDî6
Óo¨¨…òhŒÐ;s‹ú>²ÌC³ÇÚäjU‹úªEżç‹]^y ¯Ç˜”sLèë u}É1'!âO‡
+éÿÞï“Œ„Æ9ÄR*HP7[‹Çr ÷´Á®ùK5Ö\ëýíÊÅ~×VOåŒ1ÇA"/Œj÷b]•õhj® ÿ3NŸ–H¼c£ìñ¢OR ­UÊ\÷I1ÕeŸÔS¡X¬X—í)ß"þ„¿Ê7ð=©di§ì/dzYœ
+fÓz¿™Sx™‘ºÀ3Hè_ºðÙ1ÍРϤš ÿxë³2h-šN £î<„S¯âæ(ÄÑ_Á˸¿ÊT¢m_n¿–&ôl}•ýò‘jHå¤~!ì‹©®i òHÔ‹O£qF–Xð™×9¢ÎꤘaäzÖãÑ_Qüç…dÚ€—rh:_Š¢¿<<Ä‹—÷WÂÃÓš‰@0XZ«á‰”‹xw‘ì£j§d>¼árQYUæ”ía#$ož¢¦¾.ÌpR÷î>¼å’ö‚iÁVZÁÙ÷Êp«­c
W¢!õE%
WuWîjð(zŸÆœÇèé‚k{màwZLi†Qr~
+o¢”ίULuÙ¨zªàNªÏt{5[7³1¢VZ_£§‘c`bÊ%Z€â¡ÐWåê$å$aß¼mÖe‡µsmµ=âáb±(·tko¾ðÃus¼ɹ€
ºGGâ9c)ä^e½W„ísâ4gYÏMJ‰D¥2vÚÿ{Mºè¶^Ã|¶ƒ¤²{X¬R«}•v*~F×ýuIÊ,}ÁçÆT—u©§º´ÊS5JÍ¢N•(ç5”à®ôx¡Sºú‹ð_(”Äé4ÊÂS Å‚ÓùæÐ6i[ž—#µK¤èƒÕ\«ãúv>ï Ž‡iÄåóJžJ¤6æúîöT/Hq>U ·3ãÒé|y¥áëÐñ¤xRŠÄj“Ÿä°[.´a0‹Šž…0ý…“£±Îãe§¸‚†ÞéÆŸ5ëeÙvܹ+ê¶X„`4£û¸y/1¾pz	­9û®Ù(,<þ_¼¯Ù4O}ýûü·H3„Áü/D^Ì*áú8‚nvý­`ïB|R dK™êì§B÷ˆmÕ^Æ
ú`ÒüOLu3.æ±i»M]ÕÂF·30Ø3Ø€H,ˬ».DO5"Å8´I2ãÄPŒw¸=Öü´ÙÔ¡¶e2ÒÄ–HH{ qŒmá[Ná‰k£Ñãi"ö]Ef”gZ¾m„ç'pe	åäLÈêD`X6P?¼µ-7|]ÿÅ^ ø3¥—¼@DuåDÕ0›Œ2Æ¡ßèᮉÐSÈ0t6­ÒC!Ævq<¤8`‡áuWÔe³o‰Š¬šÁ•ï¦ù´ß¶ƒNïÃ=È´¸nä@ÁÁƒÆ*§žß¼|,Ö(×þ%à*ïÖæRÅËp1œ¸…GÁ”ËEéûØí”Jr‘ê¨ê˜Êé·å¢ "LN[Ñ>ø(µ—Ž†ùúZ
®ŠjGóª‹WÕ]1¬ò îúŽT¸‘€:AáÛÒÿNFàc·LéýSµnð"¸õ?ù0ỌîåyŠÕµ_‡ÁhjÏJ!—ËY‘šþ"„Xy F^ü#AE$ì™óû²\оTƒÃEñV@–™’2ò‚HtÕßÄ«67¹ôëMeüÉ刡ÁÞø¿ýËÎãÏ^u¶ëä¸ÅJuµƒIX(ŸjêsœâŸ€ž‹þ'Mtï“endstream
+endobj
+1403 0 obj <<
+/Type /Page
+/Contents 1404 0 R
+/Resources 1402 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1391 0 R
+/Annots [ 1407 0 R 1409 0 R ]
+>> endobj
+1407 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.4645 175.6376 438.2112 187.6973]
+/Rect [361.118 570.951 409.8647 583.0107]
 /Subtype /Link
 /A << /S /GoTo /D (configuration_file_elements) >>
 >> endobj
-1396 0 obj <<
-/D [1394 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-382 0 obj <<
-/D [1394 0 R /XYZ 85.0394 500.6173 null]
->> endobj
-1397 0 obj <<
-/D [1394 0 R /XYZ 85.0394 478.0377 null]
->> endobj
-386 0 obj <<
-/D [1394 0 R /XYZ 85.0394 255.8247 null]
->> endobj
-1399 0 obj <<
-/D [1394 0 R /XYZ 85.0394 230.7743 null]
->> endobj
-1393 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F62 1095 0 R /F41 969 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1403 0 obj <<
-/Length 3440      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿BoGÏT<€Ipî)Iž;iÚsÜéC¯Y¼P¤*RqÔ_»Ø?dJnï&ãp,€ö{!¹ðO.â$L²([¤™c!ãE±»‹'ûîF2ÎÒ#-ÇXooþþ^¥‹,Ì’(Y>?ô®NgS§*SÄP€4Ð9Ò–t)UjºË¿.‹¼ØÚ¥»ÂkW
-ú«dÆèy½žYSš0ÓZ1ÎÁÇC[~±Kw3KeThd¬¦‚PT¥­»vfG…*6šW#oÉ@•5ð4_‡/ì“S)“EbD˜.ØBZŽ±ÈœÈ{Üc!ÿ"ªl{¾oƒ]â¯îë‘fö˜1j£’龎Í*E>•»ãŽõq·r†`'.ðõºFç§õ&É-áØ[2]8yok‚Š¦®‘ݨ;°RÊÀ‰x<Á’O’y§Ç—§Rêü1ïX;i·ë6ƒ—ç…æ2KujëWX:ºÂRå,Q—Ÿ½ÐwÎR¸P«;{¤™Ç‡”"
-)âéÖt¡ ÏW¡Ñ€Wáëˆd\obÁüÅqÏ_·‚@ÎI1l4pµh–sJ„FĆùá'¼ä›–¡ÑJŽùvvÝK
!N’t?qH‡˜F&?@¨"„>h°ms<Líš9ÓV6JBˆsÔp*Ê‚Mžý™ÜVd›c­í¨hU¨©¯ó+ø‹;ú7žHÊtrpÁ¸ +íqç¯[%ç=ØóÒ&¶f·]8çÃeÝÙC
åDm°æ3>r–»àÚ¶†ýê3A;?œéœßE¥Š‰YªÌu¥c]VªË»“òëÆzY5OË9“
-Œ„Òú:=ÖS&ÔwBÈ#EH™"¤Œ#$ì[µMe;ûÛ¥N´=ÆÃyQØ}瘆­zÍÃO5‡a<‚ìu؈c¨£hv{`Ǫ¬Ê®·¥@›YçáúŒÄàvÌy¦õ¥J)*ö@_@’.ºmjÒÛaŽ<Ù‹æ,# UÎ"µ9ÖÆÎÏÒw”8\”%
y‹7q]–ÆX—e©ÇºtÊs1ñ+x¤Î…H€óšRðÉ:{¡Ý•á§·×Ø P!’lŽ©BL85È7{8­}q¥M(#¸”14xxZð0:WÿÊÁ^®Kcf#Eíò9=Z¨0Òq|ýv{¬W¨x¹U ¡ü²µL
Yä7Hñd$ÃDÇÙ4âÎ÷{§›
³(詃h÷¶(q
Fcðãe£‚¶Ù1–sºãiMµ¶mLJ¼nó£Ðã”dŒÞSŒ
Î-Zñp~ìš…ÂÙÿ»O¶e×|±ë¿î¿¥HÑfÿCäÅ[•íY‘WmCЪwH>>©'¦dOiêò¦fÌUÞ–íe›¡àã+6c„uÅfx,<̶i»%M]ÙÂE·KPØfC‹0Msˆk†Š‰áÐq˜ÆFNɸÇëIŒ·ŸI”¶4IbK($=±`2ŠðNá‹g£Ñá€4û¡¤SÊ3¡sÅë~WRnþ±éH…‚ÇŒ§âWîö•ÝÁZNIþª"ŒÉ^áèë
-G=Ö4›eŒS7¾Ñ …»FB5CÃÔ$!\•ž1°ËI〆«.¯msl	‹´šAHUÓ|>îÛI''Ñ[R-.
-Å…i‘΄+»Í+$ÃH"ì*ßðL0ÃŒÍ	àΛ•…&“>Ç€}Æ’D*̤Ѓ%Ñ"
-ÞÚ"§",N¡Ñ=¸(µ§Ž†aFKPNƒ›¼°ÊqÓ_ŒLd1ÒL}ùtŽˆ5Þ²’dð±;Ôþ\VÍêÔÙËlX¢yið%¯Ž~‰
uÍWW¤Á`T$/J!—Ëi
-‘Z”MÊ´•3ĸ%ìØ…Ê=+n¯mA÷šSÅW%p%êLÉш´^ƺ-Ë#»ŠqžI1ëmWUÅ*V×µ}ŒuYÛ{,Ç©bQÏ!†HDÌW7ï±fvŸ&æ&LLO·ô¥ÜAÏ¡Ñë9ÀN±j;Õsèé…àÇw?qgS׶²¾Ô8”ÓIÙx¨HS2/S|xQþ³±A)Óñ Ë3b(Ó0ƒ¤õµrL”aÅ>ºÎøÒe¾{$Òw	ëeÛŸí¼Ïâ«›3Ê˽ϭ{¦¤šlî.B§žÏZŸ±Ï‡îC0XÊ}×Zêà
-#¦¹L‡P$døßP³íÖeƒpœ¶+ÀR‘pÌ嶶vÍ ª8~W––\•OlôãP©sÓfëæø„j¬5y~É'Év9! —aw2}®±ÉÛÎZ²(̲ÔÛ¥:ßÍÆ’˜¤GÒ'¦D%Ö‰:,ßÔß̬«ýIï2Îôý}Ÿ_JñËÏøD[Ó—³¾ˆ¶%9._$’_y#ÿ*‹¡nSû¸ßq)npRìÝ/XpÐËKQzöë¾ôÅjlïYr/Óç5
-’ùšÈ%	©¦÷Whxø™€Gƒß;ä}:Ñ•à·2 8(ö片Y˜FŠn±a$ûµIu‘HoÍÛ$fC_1]À¥Û9>íG1h¾Ík´Ù³5wWÂ×òå­açP××pUý‹À“º¡‹*ÞÍŽ°YΤç.‚MíŠþ=³$9¼ò@<>~à­Ƹژ
-ÞÀ-¸Ò?ŽòhÒg{zf:ÙÊšécÉø„W+B)èæ-^SKål:I&G½>Ê(%Ã.-W¾Œ~¬Ûò©¦"¹tQÆ“=ð‚h£ÅW2w×ÿC;ŽS”úŸd'Z¨öµOûDL9c2¾ž@›ï[[l»ßDÀWÐÇ¥_sýb[§kÛú¥ržÑ÷ûæÀ]Ó‡ño3©ˆ¾+zu2T$p3¼µÂ¥ö9þøc™
-œž­ìJJ]>.(5{E„x[~xK]`€úŠ”0ê³7©ú¶ãuš~•zîyÝœšÞê`eØ‹ÉP¹¯<‰¥}¦Z\úH¯ì+·X®Â¸ÏÑdTþ¥³9{èòsTsá@¸ñ-ÇkåS÷]*¤äQš¼R!]v¨ÉǺ /!¦<μgˆÐ@ØruûéåþÓD'¦×Ü1ìN3Ó	&R–ÊÝÒ¾Û:wgÜþêœëuOaô¦âÅNÅsï7w›:Ô¶"˜U§¥©½/u‰á9Œkú.F=áß7tNò°E½*ûÌõ	;hˆÕ¯‚4¼#]ñضy&`—×'‚\ÄÏØCÒNKæLùY„œBC÷·¦¾²¾ôÃ9`þÚm†£ðÇjñÿ¨nøÅ¡N!v6’`ˆcñ—&ÊåÞæõK]à_ß½$ý¿é©IVendstream
-endobj
-1402 0 obj <<
-/Type /Page
-/Contents 1403 0 R
-/Resources 1401 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1388 0 R
-/Annots [ 1406 0 R ]
->> endobj
-1406 0 obj <<
+1409 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 495.0249 404.2417 507.0845]
+/Rect [347.1258 193.4648 404.2417 205.5244]
 /Subtype /Link
 /A << /S /GoTo /D (journal) >>
 >> endobj
-1404 0 obj <<
-/D [1402 0 R /XYZ 56.6929 794.5015 null]
+1405 0 obj <<
+/D [1403 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+386 0 obj <<
+/D [1403 0 R /XYZ 56.6929 651.2334 null]
+>> endobj
+1406 0 obj <<
+/D [1403 0 R /XYZ 56.6929 626.1263 null]
 >> endobj
 390 0 obj <<
-/D [1402 0 R /XYZ 56.6929 628.3918 null]
+/D [1403 0 R /XYZ 56.6929 322.0105 null]
 >> endobj
-1405 0 obj <<
-/D [1402 0 R /XYZ 56.6929 604.1707 null]
->> endobj
-1401 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1409 0 obj <<
-/Length 2836      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZÝsÛ6÷_¡{:y&bðÉÉ“Û:=ß\Ýžë»—¶°ÙœP¤"Òv|ûßo» H‰R:Ó›LB`±X,€ß~A‘3ä,·‰Ð…™e…I¬v¶Ü\ˆÙ#Œ}!™g™C®oî/ÞÔÙ¬HŠT¥³ûõ@Vžˆ<—³ûÕ/óoÿvõÓýõÝåBY1O“Ë…MÅü››ÛïˆRÐçÛo?Þ|ÿ¯»«ËÌÌïo~¼%òÝõÇë»ëÛo¯/2·æ+–pbÂÇ›\Sëû»«~¸º»üíþï×÷ý^†û•BãF>_üò›˜­`Û¿‰.r;{…ŽHdQ¨ÙæÂXX£u¤T?_ü³8
S§ÎÏê<±¹Ê&PéÁJm“Î2[$©†!<ÀO~Wû
-6%å¼Ýº¥§æ«+»²~¤ÎºÙ1C³áñ•ë¶ÔüÁã°Ìç<òàûy[׶~Eí®¡¯[.ý¶ƒcVE6ÿ÷e¡æ®zö-
V¾åV÷äjjiV¨¬ª¸ +SV¾îª7¼8ˆ…”Ia­
-»Ú¹VNpAa¡LRˆ4-´NŒyàÇ›—i"% A1ÿÉïÊfU.é²ï/%jÞ~¢îMÝùÝ‹«Ú£Û‰°Ì4ËešF;3-†\tYrí=ª¹¬¼«áx%«p¨L ×çUè¹&t&Í“éX‰û§.IçjÞkA=¦ú5¢aí—]ùâáz±yh›Êw—rîáî3‘Î"м”Ís\xÂï.FZ¸{O“ZîwÔ~mž«5iâ¦ya6ÿe[m°°°ÚLz‰ÀÑ6Ï¡8׶`ê’¼j‰¸½fC=RK·ŒMz½M Kf6QÆpÎ'ïëàs™“Jž±)ëçηpF©ÎØ‘á‚}êæ•W»Gß[W \ÈñÖ7pX»7â-á
-jj:Õ›¯¶9˜øî·+—®CÓåµêp
0ìj&®Z=ºáY†rSŽ/Ÿo{›
-:óÑD±oce’±U“³ÿyë—åúübˆ­fÛ•¸ Q=Éø% ?9æ­úîqÊ2öó©á!à¯<÷Á?9@ìÃBrÒüAg#Ó¯XÿžéŒñ3nþÉ»]÷à]wÆøÓDç:?«@Ït¬ÁÈô3™èÔÊ‘
-÷x2FäýÉ‘±cF*\0ù†ÈÿijfÞ8T¸võÒÓPž´¥±Y梜×mãvŸƒHv턵i%Â"ÛΪ„P²0±ð$™Í‹±Y¼>ùÚ“ƒÉr“Ί¡[úÞ»«,,­üÚ=WuâìTP`É0ç붩ÝCÅS_8êaÛõöÓa¤NC_Iä•›Œs¿
-÷ÆÀ’*³qI Ê]cFª†!÷¥Ü¿Zw~w 	õ¥µZ„.ÞëöàK^	aáëŔס°­-,6>?CpþLŠü@¤ Ú¿VÜ\•í²yñ1]´O-õñj¶”‚½”+â2¨9ËØûKìTUó%=0GG;yÉQJÞ h;1"ïhãW‚hyG)äEc'ÕvÍ–Z´RŸ¶ÄDc¸oòz®‹¹Ê»¿Gò¸Â«£,ù¤Ï3®g¹Ñç}Þë´Ïë¹pÛmÛÅœ°=ëô„N¿¢DÏ5¡Å¡Û2;PãÖaõ©ùGh÷Êa?æ#8òÀÜUóø"òÓ‰{a¡ÀVÑaØñDêžj{ääL®9Iû$<ž†]Û è!¥ˆ^Â6tbØFèðŒ¶áËaÛŠQØFã°
²CØÙ-ƒ­ã|X¼çÇÃ#ûµ ƒ=Âc|g0PjCe“ý‘W´7‘çùô+øÈGS,ÛOÊ¢ydq“fØQ‹¨”*ÉÑ= Øß
- BÚ$U&› *-ƒØÔHzWI¬V†að#$|r~ÿªùõÑÑ€P­ .j¶(²€ÿÙçÖ€E¡‰kлݟB ¼¿Ù¨Ùw
ìi6ÜV”¼ŠûJÕè„" Af3ûÛ&äpùüíRAeÄr³­üÆס„š¾üÀ­âèöM‘%©Nõlx¾îÊ “MÒBèÙbÿ
-öç5F±éW
-1-³$ÏØÅÇ"ÅEô<Ôl°‡·	7!°,Oa‹0ý*”:8#TªÐTX|Ô-‘ù
Éþó³«ðUÄJΈÙg_†qùÔ4­gŽ>up˜8ºç¤—8¤aÌ~#ÒþÁ£Ÿ­8/Š®‰äMä$½Å£ó"ÿ–«pA‚æ—	1(Ž™ËÈCÇX.!®¿ÑвÂuqœù»ÖWk,®LŸP†{¨±E|‹éN_1pËÏ0ÏëA’ç>yÖÎÕë8!LEów+J™FƒŽÒÀÕŸ8'¦Á¨  îåE.ÿÀ˜ñYx‰‹¡Èc|K©°º·û•C$sÝòéHI#’4êÿ¨d”ø5%
ÔJi!ÇJxß%j¦U|N£ç*Q®ÅˆìZ¦uq¿ixƒn‹¯L¡ú‡Î>éZØLίL8-*È&*šKÆ‚¾ŠðAѼ”kÛò±ö¬/¹p‡¥0½u-²4Ô(›ÖmS/jÿÈqJFñ(<õ#ºj$;êG‘D|pmœrròÿrG¤mÓ–TXà@8%ÙH%­hÑ:'}Ê­Dd‘d™»"'4ËvÊ[Ö9Ïñ ò®#z$ñXÞk‘ŠÿS³EÎHÊ`ëš_c4æ€Ý«÷5±”¼
-£b°ûÇð¢mçWDß½.ú“LÓTµ7¸oÕ/3Hç:¼«Ñ›ópÆX1ðu˜¾1ÇþN
-Þ/%oغâÁ™(ˆnµâ—,ææmÀ‰…õHøúTâ9óÐõóŽ‚×1u¬ŠÞbN9€q,‰ø–}XGEl8Æ"8Áý_‘ü‡	Ì;òFŽC²%F:Ž
‹âùïaÓJ'þ„7ºW)Þç¦Îä/#&ú½2“£¿“`ày/ÓÔÑ()´þûßî§V¤ÁãŒb¨~¬ßå æRŸ#3½Ç…ºˆûÇ èHA_~PóM,_ÖM,®‘‹kü>ÃY‰pPlRËÝÐg0EY›à_àÀ¢dê´ÆÄ=ר”±°ÙIehø/ø›"½‘':$GE
=IàÐ@¢	ŠjjŽÕƨfP5Öù¸:cæ”,{æáBå]|Ãd8û_9·ÙýCUi¢lwÇ Þã'H³“Пªü
-çàûoGˆœúa[Ûž(îE_<ýé½÷ÿ#Àd	$ò'~žÔ"MrUdQ©›ÛCÍû_ÇUÿÅ\/~endstream
-endobj
 1408 0 obj <<
-/Type /Page
-/Contents 1409 0 R
-/Resources 1407 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1388 0 R
+/D [1403 0 R /XYZ 56.6929 299.3741 null]
 >> endobj
-1410 0 obj <<
-/D [1408 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-394 0 obj <<
-/D [1408 0 R /XYZ 85.0394 732.1335 null]
->> endobj
-1411 0 obj <<
-/D [1408 0 R /XYZ 85.0394 707.0477 null]
->> endobj
-398 0 obj <<
-/D [1408 0 R /XYZ 85.0394 332.0911 null]
+1402 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1412 0 obj <<
-/D [1408 0 R /XYZ 85.0394 308.176 null]
->> endobj
-1407 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F62 1095 0 R /F41 969 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1415 0 obj <<
-/Length 2942      
+/Length 3325      
 /Filter /FlateDecode
 >>
 stream
-xÚÅ]sÛ6òÝ¿BoGÏD4>Ipò”&NêNë´Žoî¡í-Q6'©TO§ÿýv±R”í^œp‡3÷Hóë‡ë“³÷2eq–ˆdv½
-h™˜Ãg×Ëߣ$ñ)P`ÑÛ—ï/>üûêÍiª¢ë‹—§s¡Yôþâçs‚>\½ùå—7W§sn4Þþøæ×ëó+ZJ..ßÑLFâWçïϯÎ/ßžŸþyýÓÉùu—ð¾œI¼È—“ßÿd³%\û§ËÌèÙ=|°˜g™˜mN”–±VRú™õɧ“ßz‚ÁªÝ:%¿g®L,8Ðxα\ÄY¦Õô±”ÁãD.¦iÑ>´èwIíÕ›¤*Nfzõ
-9ã<δ¨ßDÄ2åÉ,•2f8ê½D[Ä,Ö‰âˆÇY¬¥Æ-ÆÇÓy£kø_Dê’,é,1&θ=xöeÆc¦²LNÛ›î%`'Î.6bö®†ûÌ‚+yºó€°½Q"ƒ;$8=Óq–¦t£ë»‚î”È•(µ»RWoëu}ûàðB’JÅFrXo»²®À$S•-Uݹ‰Ív]lŠª+–nÂa:#(‹ÇSI“™Y¨«ïS?šÎÐÿÞ„¿Ï8‡%!÷Å'F¢X,Û;žÄ\‚`ŒY}Ø7ÝÖM·.ÛŽ¾>uyg¥ §C¨8S\õ©¢æ”›¨h·uÕÚ	š¤•œ>ß]~¢ï/»¢y p“?Ðâ¶Ññ0[¯hr³[w%èqp@½³Àb0»¨í¸liãL³««NX«ºÙ”Õ-­æÿ„¯Ü¿T¸r[ Ÿ™òÇNT)éä‹U¾qP[4_‹†àûr½vëÀR¾^?ÐÛ횊¾;"£# ïwvwåpUEötýZ^ÑÆò”GÕ²è
-¼9¨“fݽ€ÁÅÈ:ð>7;¤ÇRຠ óovh^<6ZK÷›ø˜×#<2
ȹÇm{ã²äïÑ3__¦g:ã±TÆ8-6·Î9] ÇŸ‡¼Ý³qHÙùT,œfüûP<ðb$q‹z¬§89 æÄV$²ÄY0´X—½¤¼Á®Éšpµ^:¼ö®Þ­—!^Þ4yuèÐhN¨ù¹àëx—äÖò(ßn-•zÛ” ­W8›•¼£õ²µSi´kéYážêÁË¥cµ-=òÓÜñÀº^äk«ÂuHtt±*h¬nõ'H¨4Gì$$*?Ö÷JÀWSÏ—b„2QnŸ"¡`[šZØgÀUp^º¥ºqÛi›Ã¯ç9:û¤íTõcâ–üK±DöXýç®p¤s¢Ü«X¹8£«Ç2½ÀtþÄÞÏñæ¸@/Ž'nM2itSи-ôŠ6>š”„oGˤ£SÀ&oòÖ#׎VLwøWK_VÐ+
-Œ3eë·Zùo¦_v¥Ãu”z©‘ÂS¬Kð[Ī5I^¤_H¿t>Ê›mÜI!ñf˜šܤ&I¢|ºÕGÉC'!yç&9ôqÂ,:VëOñã¦X×÷.4e ¼ü3ÞWòjŠib連Œ²¹Nù'!…˜i¡!áPÙs
H3Œ1GÒŒžâ<$y˜gHº2…\nònq7æQ‚gUF™—㱧øÔ¨R™™<¢I0
-™Hîå]-I9%ä’sMSXÙ‘ÁßT4³©½WÀ¯v[,J4ç…ôäx
ÜEI3|žàZñM%üH¸E#PY:™#¸WP>.&b-Ð^Öö™A±€yw¤ŒlˆË8U<wþ<Ü0wÇt‡qóqWÚµÍA^1wÖSœPâ®T*:ÏÁlI
õ–€5(wMBI³|Tc\e}µò¸ëàRyÄÍ®õô»¶X¯ÈjjL%C«A_.Sas>¨£âÛv].Ên‚DÅ
-P÷"Šm ZÑÊÇ}ïí)ÎC’‡/”k(qSîO>êF¸I¡Ä4îŘôŸb2c±­
˜<æFTÉ}@ÀìtUW)óœèîk
-ªX1f&©¦Ñ4h’_Ñìþ®\8Ò¶šBàÆí$»ÑůdE\ÈÄÕЈ‚h
TB`·é·ÙÑy=äãÛåÍÛŸ	 r!{/s $/Z,Â-Rleè'›„b81Àª2YœBóAÃQœ‡$§‚†Ž¡ÄÞ|<°ÓÍdj^GOñ)Ug"I†L³HËTgNÞ”X…­h,¬óCÈ:?œó³ ”Ö
-á³9wÅâ3i˜fP_±,•·yYùÆB·ï7e7æj{#¤	Ûwø®€»ª+]j—Ó@j±`é¬ê]µœÌô>ÚŠB*WŽ ²#•²ƒVFáÇ"ßå馰i@–Ÿb‰%Ò|¸Y8ùª>¸X‚”>!îPpîx›5ãVté½sx pI¼ä žE·Ã²Ar,«ÊMÙ•_úÜ;Î\e‡ÓŽsúèéäÃùH>œ“Aâ®í÷Ö4BƒHï9º¿šJìIù"7—DFÅ Œ›úëh¦ßtSÜ–UEe„ 3¬‡Dmq&£‹1NòÙ=Ž9
®c¿w\xgþŠÚJU}ŽôdS	4nEgBÕ'Yu®¬ïHÀ©&T}äzÊ=îtF™zª˜|ª’€ ÇL	ðAiò…„#8(NÕ26)PñXÔ,*¡_ŒÃžàãb@à’ˇNj­Àߨ1S´ú™
-ƒ,f\Ègeöj€qf¼á>sµvaœFÎ…\³ÄôʨI§Ù¦ó›uæm[ÞV¶ÒOȿ°„[æÔˆÁÉj¹Ï|ifྑZE£ÃàãK”
6eUnv›©3KGß»?½>î34<ÿ©€2|þqâµfŒ{h¬ê5”î–¢4)dÛ9þ•á¶8$µ¿#CiKú¾É±(J˵%Bµ
}õ»l€	uÑØÎ]m2@®V°0õ˜º-º)_Þ¼¥¾ð¾çæú.ØIõñ°}Ü7™ÜĊƾ#mûTk·
-.­ço†-ïÜcóÙ6… Øº,¾u„·±÷@”€êš¾׆Ëù”â‡Ì2ù¦®k~šˆgXeš˜Ÿ	EKŽ#tÒ–ï®u2Œù+G¤qbô-§46ºÜ^#±òç`ËGiÿ_'ŽNŒÇÜ#Vñ”=ÖÏPÊw
-Žÿ‚“Ç'Ÿœx†ÅÉ$8yLpü™‚/dq±ÝUå´m(§Ë»Þ·û™–Ô1þnj¢¡Îú_&}÷O¸ö?WÁ~¸1âHg>…Ðh€ˆcÊþX%9àœ³XÈDL°þ_):˜æendstream
+xÚ¥Û’â¶ò}¾‚·ÃT-Ž®¶ü8ÙÌæL*ÙÝ3!'Ip­±	6Ë’¯O·Zò›ªÔTZ­V«Õê›dø„ÁŸ1™ªI’ªH3®'ËÝ›l`ìûîifhÖ§úvþðÍ;™LÒ(E<™¯{¼LÄŒá“ùê·éÛÿ>}œ?¿>΄fÓ8zœé˜M¿}yÿaRjÞ~xÿîåû_^Ÿ5¿|xOè×çwϯÏïß>?θÑæÏáÆ„w/?>ôýëÓO?=½>þ1ÿááyÞ_Î$näχßþ`“lû‡ÉÔèÉ	:,âi*&»¥e¤•”S<üüð¿–aoÔMÓŸÒ&ÒBÅ“™‘ab\É,b”6Kâ4í”,ø˜’*¹YîgË"·eS_n˜K|E2é³½Z¼¥Y]öVç2å/VŸo-è<§»ìK¾;î¨Sw{ ¸ZS[ÃpÑd¥­Ž5aHj‚ço?zdU–vÙäUé©šmÖÈ­•Lk{øØŸò¢ ([.í¾‰P	“™HÐasVv,ÔÉÚ¾y§úšŽE¤Ò  œÈ#š¡>’(• 6¢‰®¬ÍŸ)¨*2:V÷¾Ouûà[*\ñ`V³ºZ~²#§³ô¢ïKÐRˆ0Øm¬#‘$f(ƒS©âº=qÅéÄ÷;c¢ðã+[/ù¾©5!ÜLýhÚº:ÐÚéô
uëf•Wëdj›%ÃÀ`¶¹çTZ»ò`SQ»°Är‘oÈ´Ž¤äö`Ëê¸Ù‚(åf
+%ÁüȲåÌ€ÖšaÜY3àò²±‡u¶´ÞzÇňÒtE¦Qf;ØãµI)Á…§*òº±Îè}U¾á«â(Ž!p±1Ç¿`®ÒH)DÈ<ß“uÞ	Ú¸šîÝTŸó•%êW;R äà‚ñ A
+ðîÈ„„#?6›*/7Ô#gàÏ£=䶦NV®ÈËeµk‰ÿªJKPsÈÊzm5±tGì:ÅÙcþ
+äà!\ùíj.n:¬iÑÝ" ‘`ÐùœG‡OÆ×›I!¡£ÄТ¸0#ë
+HF„c#5¨ÎT?tªne¥ÇWæ<’XnÿdÅÂÖuX2+Û5CØpýß™f³Ÿá?hqò/ªöô3/;¹ñ®r^Œˆ¼ìvç,d—t¨©õ±9Ò\
+Ø†}<¥¸âV‡ðÜ®ð6óÈ"ošÂs»F6kÈ~‚'þõQƒ
+ËUuªoÇf¦"ÁÁ˜ïÇæÕبP~Pïl™-·vVçÙ«ÈuK¡~º»~K5"ÀÀ¬¡Â`‰æC	œ]Ke:ë’*f»êˆ)0”98¾Ã™Æ1 îXûÙÎÃÝHà’/Ô^ÿ©	åv
+Z&Ò?âçÆ¢#Çàc¿nmÙqqV¡L!ž"H'bAÚUÖd9Ë‚–ü·,dJØG‰99‚¡"ßåÍ„u7µ­ ö„cèöÝ1\V®]yV.VBk¿ìs" þÞ{Alº8·FÝ‹–‹¬v^vIFª¦Î¡ÿãë/´4
+òÞ!kìæLuEX_é°Üi”¼rbå‰ì—%¤G»Âh'Ôô‰ÈBAIÖÔ²!ƒzo—yV Þ4¸½ÍJ؃MÑ™‘y9}ˆ5=‡ºØá±t
+Má:ÁR8¤T
+“z#•)ï¹`½Þï¼PRÌxzË:ß”N5@%ÆÆhà ¯£‘œêh€¤ˆj· &/àfVŒÆ¥C–ט’¯oxP:G)‹c¸`@ñçŸÑðå‹Çç3Î Ú}„KUµÊ—äŠóGŽ‚ן¨û‚Suõ-•FE	„ý»Ú#ºí e\T"Ìr¿þõk\ ™‘w×o‰®zh)“Æ	æÞvÅ´zÛ%/È®¤dµ¨«â7ŸR*‰§ÉZ>çÕ±*Ô­‡ð	±+>UÇbE`wò¶õȪM¸ZÉøÂ(‡TT-]8IGj)@öj%"¡VЂ\籉DGpÉO}2zX:6Ûfñ‹¢ê¶øîff–<…#Uú+žß£ºãúÊÕŒ6;4›5wœ?Ž¤‘æ¾-ÕˆÃwÉXó¡ôɺªb!ç Ž¿#4½9!z—¡ÌeV.-
5Ik£I†ÉÐ3Áy5ávÙá“{¹t6ö(eIÙÞ
Vpù8îG
Šr%Ú¤C£ÂËŽ¥0“˜˜“´ÜßÅ盩Ï¡®ø€N˜3ê÷üæ¼Ú¬®ÊlQø©m¥pwƒé°§¢–z•¦9¼²p¥ðf™è°¤brEƒ³hjÀ’î,ÑTmJêÃ:ƒ¬“âïØÕQHèŠs$q¯´F»Þ??&ñÀFvCe9bí]ÑÛ‚¾@‡].÷=Qh‰Ñð+ErŸê¶'¶T(cû*}Çesu_„@4"Â0
›H§Zeð‡´÷ÆÒi°KzóHC@ƒìa¸"Êv4†å6A·r›Ò*ìŽ
+®“×æ*·IIÅ;½x',’:¾x·l½Š§î)ÚµèUØvœTŽN¼ÿiŒCQéÍ»?Í„zæÝã^g7š7Ž8óFÍÙ;ó†ðäòi«IAÅ_?âø`CÇcRÿÚ"Ò`ÆI/Ñ™u>Þ*6G¸pRŠƒ)áƒ8ß…¶¨2z~RÂLŸÖî2à„rá}—±.˜.Þʶ°›Ü¯äï‚c~JÉ[jÿt	@ûBJEù”Ú%~>:\å5}ÿ	w|©ûz\¦÷­dE\ArÏ£‹—Ø)Šê8-<…¿·]¦c D3zð5hV•£#Ð6~q$þȽ¸Oƒ U7Õ>¼¥ãJmñÊþ¾)êeM¨X>ûð·¡Ø‰+œ2ª•oÆ<,Aµ_©>úT·c^K…Û®Ø.V†õÝ Çdü!Zª).ÃãÉ…ï镬W8¸ûíFžº¨6ôÊÌíò=Õ‘LÛ/W7v> endobj
-1418 0 obj <<
+1413 0 obj <<
+/D [1411 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+394 0 obj <<
+/D [1411 0 R /XYZ 85.0394 439.4679 null]
+>> endobj
+1414 0 obj <<
+/D [1411 0 R /XYZ 85.0394 414.5066 null]
+>> endobj
+1410 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F62 1100 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1417 0 obj <<
+/Length 3432      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]oÛFòÝ¿B÷t41ûEr‰<¹©ÓúÐ:­ãÃ=´} %Ú&"‘ŽHÅ1Šûï7³3K.)ÊÎ!ap?fggggçSr!àO.’4Ns•/²ÜĉÉbµ=‹;˜ûéD2ÌÒ-C¨®O^¿ÓÙ"óT¥‹ëÛ—…µrq½þ#JcŸ½}ùîâ§_f&º¾xyºT‰ˆÞ]ürN­Ÿ®Î~ýõìêt)m"£·?Ÿýv}~ES)ãøáâòGÉéséÕù»ó«óË·ç§]ÿëäüº?Kx^)4äÓɉŎý¯ëÜ&‹GèˆXæ¹ZlOL¢ãÄhíG6'N~ï³né,ÿ¤ˆ•NÕ•œc`’Ç©Vºg Lc©€/BˆèúTJ5ͦ¹{Âã ‹¥JcaDê–Ÿm6§Kƒ+ºûr‡Mu÷U}×ÒðM	m.?í‹Í+h÷ïËÚ—Ù–»ÏÃê¾iÚ’Qô©‹mI³¤Œº†Æ>íËÝ
ÝîN¥šm°ZE›ªí˜Ð[qøà|x")ã° ýÉ`ü±ÚlhðfV÷­úm`øRm÷[
ï*´ïhŘ0Ps·=Äp'9ŸWDuC}G+2Îxd0X¬×´¦eh>L± å$› Íîñ¾B> AÇmñ{»ß‘Ã(ôšZEýD:c ÷‚-èW~xÙ:†0DÆ(€CZ‚çÒð²òK±}Ø”¯HK9¶ÆÒ¢.Û…e
+–üowf¥ã=‘ÑÉ¥xmßÌÉô?$¸úµ2oæö7!˜×2}C˜\ë¿´f9»#Múõt‰ÊÊÀØRŸM2v”Ó8XËhv©#}ˆ Ô¶qïMYÈf³iâ找÷ð,F`„ˆíŸ"0»-Ú´D%IŒÿsröé8	0&@kt¤‘(“Àa»{š&’¡Q~Y•¤ÈU{B¡é§ŒÆª©9&=™ŽT$ÔïÎ’k*Æ=ðœë9ñØ”…wGJòf÷ î2	ôÚÖåm±ßðªABùÕŠô >ÇÛ}6
øUÈ7AŽßŽäqÎ;7™ŒÌ¿Î=ãžç‰™·ýphÀ•*r¹çqÑ:¸¸éWL܈>Òygyf/B/zɺ]¤pß™L!4°±´9™×àu%)ð='Zö ÞS$x÷Kð7Â@)2•-Œ'*qgY|Z€ßerà’ƒ	Úî¤ÜÀë‹­ZüØÀyÁ‘<Þe€Ø‚•áÆ!ž Ø]ÉXJ£zùqgJG^4u2ëP‚lµô€VTüÖMǨ[Qí:
ÉÁ ´òxÊ0“æ1è»ïêÛ®-ÉS¸ÿ!Ôû6áK”Îsý|\¡PÆ…ÚÇ…þ=·à´VïCa¼*m"¶ÝMݺ
+„p¦ î—¨ÏQ6·ÅM®`m£NÁà4L÷8Ú Ù»Æj4ºjÜwÝÒBT™WW­Sâê¶Ùm]ÈŠ³Åÿƒo6–D:sã·);Üì»åLü€IŠl±å#[l³9Äy ‰"Hì±ï¿ßÕÔ'û‘'à÷+1ÍšÈíNM?çœXXAXX¯KpEáäp4ÊçrfžçføeIn6t…Û$ñzh·:–ÍŽOD&±‚pê0|EôU=}†
+ÔJšæÉBÃCHMêž!MîîX9]™’~.ð:6°Ax‘œåŠõã߇9 É&q.€á9›ê%J°1ûQŠTž²A«MÕsÊ솤	g›5ÃAԱ߬C¸b·+ê»à]ʼnü9ºN€v™D¨!`{ Ï¡yØUp[è`d)çBp¾jÝPí[zV¸Æy¿Øù’ñ‘žöž4œY§f]z¤8ŠøuAˆ[Ü02væ§[¡‡
¡ÈÏàrTòjîù’€`¥pO!c[Z¹g5nꔊ§œË}„ãàö°V{Òn¨þSu·g×Éyô—$ssņí|=[=”ífÂp𕧩@-ŽgÞ6ÈfºïC¹C­H4¥”M½¯Mv™äxçÆÕÓþÙR/¸ÔŠ
+íLÕú¥Ž?Ö‹é§}Å°Œ©çq ÜååäEs]ïÄú­ôa’ÙN\Û±g2Nîä 1Œ×r½‘nØ@éæ:³ß‘Fñ%Ážå*MÇD“Hë,ñEDò@Ü…ÝÒ·¤ê´œòÆ/!aãI'…	çóỺ/W9©Â+‘OtTqWTµÏ+tCº!ˆºÑUsÿa"²_á“ÐÜ×]Åž]A®}Œrþ;^Ï9z難a|1	!5Ú¨I%ÂPuy´‚©Aàû‚n¨’c¸ÈT®]eóñbÅì5½mq$#tÁîo¼½ó™q)jx¨RhÅ.<ÖŠU·w¥B‰AUµ­ºêsIÝAHákܲ§œ:=ž¤œðGJ’Ü·ýÚ†¾`ÂÀÐûmŽ®¯çNEw¯òij	ëK
}·ÍçÉH¿è¦¼«êš‚ER>š‘ºÐL»êÕ&´ø\ÆRT…ÂçËBäL…×å¯(©ÔQÌǨg¢³¶„w¬³áÕp¥¾õTî“™g&Ä|¤y¡UxØy‡õÌýR 6=#ðQã,{.úÕc\†(ç	ÛÐô`ÏDà.•|?"{Œ/‰FAj©ÇD$£,3Ü•°ñ–æl¡ˆ…Tú«Üû©{ÕWéÝW'NÅÀn¤bH?kô±ìÄü÷Ò¦RVžàzb-è3T„Ý +„¥>¥“Nux*ØAö:@'ï8¾`m«šªÐ‡{VŒ_½ß½9®91RsVe¬Å^šõu|hPÙÑ!Ô6Š¸K£4eÀ
+ÍCåÂú>ϱ*+G´C2TÓ­V9+n6I¤!²,•Q‹ã×æÒ9´°t>áðà-¥†ƒZ!1“É“Tfû<óÜÒ·OJ»TÕ†gA¯Õ`Ü}å}ÙÔå… àº,¿t·uç@Ú¥ÒmØáŸ0‰éO—Bb…|^—óŸ6’9Fš6–¯•¡)¦5µLY¬°¸í(Ëj}Ú`ËŠSÂ)UR1JÎ3ºŸj¼Â’ðÏ÷+	=ŸÅñö¾y¬©ü€Äýè®e
+*´ù$:ú½L€Ÿ¦d‡½‚>,aš¦£½cFÜ> endobj
+1421 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 587.5427 286.8984 599.6023]
+/Rect [213.6732 308.8411 286.8984 320.9007]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1419 0 obj <<
+1422 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 509.8341 283.4678 521.8937]
+/Rect [209.702 230.3842 283.4678 242.4439]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-1416 0 obj <<
-/D [1414 0 R /XYZ 56.6929 794.5015 null]
+1418 0 obj <<
+/D [1416 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+398 0 obj <<
+/D [1416 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1419 0 obj <<
+/D [1416 0 R /XYZ 56.6929 749.6227 null]
 >> endobj
 402 0 obj <<
-/D [1414 0 R /XYZ 56.6929 654.332 null]
+/D [1416 0 R /XYZ 56.6929 377.478 null]
 >> endobj
-1417 0 obj <<
-/D [1414 0 R /XYZ 56.6929 633.0122 null]
+1420 0 obj <<
+/D [1416 0 R /XYZ 56.6929 355.0589 null]
 >> endobj
-1413 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F62 1095 0 R /F63 1098 0 R /F21 738 0 R /F41 969 0 R >>
-/XObject << /Im2 1084 0 R >>
+1415 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1100 0 R /F63 1103 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1422 0 obj <<
-/Length 2657      
+1425 0 obj <<
+/Length 2102      
 /Filter /FlateDecode
 >>
 stream
-xÚÅZÝsܶ×_qã§S'ã“ì'Å‘\e¹•Õét?Pw”Ä	¼)Ë—Lÿ÷îâƒyHjÍ­E·öš»µ‡®Ì=F.‘œHàåt/ÞSjã†Ý„¢õ³¶†.7›d­ëi²u>à
-ÊK:\Cø*O,OP *ZRd‚VU·®q»'úP¾"n›€c´M‘°,p©pàô‰"©r(„Çë!hÔ·Ñ;èÔ<Š&-ˬiÜDj0QB Œf~¢Žj`1É!Œý¤ÖÔ¿Übã"fi-6ŽÙã@öÛp
OÛ	‹ùXÖ)òÙYæS»ÛäZ¬±„?	D±Ò‘±ãOSºãø„Òœ§$‘¼@ëžx¨µ‚¦ýjU¯³¢ÚCðR£Œùóï8>¡¸ÀF›=Å_MinˆÖ©jÞÚ²hÄØ0A Ô£{šá:ÇXXA„‹‘«Ò~¯Ø®â˜Í}÷s»4_}=ÚŸë8`•ßdpêø!Í$|Aò–¤aÛŸ\ük#ƒïÇÎ	§½p^ï@¤MÞÍe?”ÍIJé²¥‚HÞiÉ–<.›õÎh"08—B³dÄÅ
‡­B/.¾tüvØ”àLkÝí‘¿Lˆ-A3ˆPeãRE³¦?i~…6óçc‚*Ò©”F•ùmæ#÷/YyŸw ½NC¢/”xÚ)áLM\ù@õÍT‹”H…ˆ	À Lòœ½+¤&)ÝÃÝûß
-rо¶pP7Ž/ß#ƇEÐi!Œ!R«ôÀñ*ÑD€©àÔà©‹ÿѾº¼dQÈKlpè,z9È$rÉƹ|¶á¤.	$qÔîúw{Œ†'8q¡óßë*Ÿ
-èqT™“½(LCr•$|›æeæÆ……„@÷ó?Ÿeqx1.T=±‚ÂÀùÌR¸o³jå*ß°€*¶{Ìw¨h—4õ:и‰FI*ç˜=Òçe6êÍ.SÈ^è·¬dqØìÂÀfÎÝfO
„E̸Pp·,‹åÿÌì>
ó³ôÄõ}µZ¸Öu Ý_Œñö8÷‰¡¯¥aÖk·1§Ú>'~(Ú»Q*‰°¿In+“›òú#sÒMHXù$‡#Hî®zJR/†¶Î÷À¥á+ÓÌŠ™b.ºˆBÇ»,%âÀ›_Á_>?xJ†’¥àë©
„f¿Í¡Òáh¢¶Õ´·€íx}¾æ³jÐg©ø."ÆV%8Ëâ*]Š5'ÔÞ)3N¥spfÈ+`¡1°ÀÖ6/óÁ	_ðœÆ§‹?°eÀ£¤4}}8¶(¤(‰é|ø†8?>æ´/`$SlÝ%×Q}ç[Õ¹Ì:+6šûÍó×cc„•cˆòU6ØxÅ$°3¼ù°¼f~âí\’p䃉8B¤3g…çì&Æ/Ý݉ñ×#fŽáò,à ‡¿&Š£à¥-Öù¾6˜¹Ùù„y/eŠ:7Ã"Ò}Ø¥ÚÝêÁÓídhà§>xÌ{JlínŸá¥4ÀµÛ’L
-È‹îö{ùŽÄ½¯øÌ7IOâ^•Ñ$™*ÞÓÙ“	àsÿ7¢G‰…}è:"TB.Ó±e»¢ðT‘èÿõÄ^‡endstream
+xÚÅY_sÛ6קÐô‰¾©`ü%ÁæÉÍÙ©;­sUtsÓIóÀX”Í)Eª"Çíô»ßP EIn™Ž,‹Ý»ŠM)üØT+BE*§I*‰¢LMo×:½ƒ¹7æxfžir}»˜œ_‰dš’4æñt±
+diBµfÓÅò}ôú»‹ÿ,.çg3®h“³™ŠiôíõÍ¿‘’bóúíÍÕõ›ÿÎ/Î-®ßÞ y~yu9¿¼y}y6cZ1XÏ„®®¸ÄÞ›ùÅ?^ÌÏ>,¾Ÿ\.:[B{Æß&ï?ÐéÌþ~B‰Hµš>€–¦|ºžH%ˆ’BxJ9y7ù©ÌÚ¥cø)¡‰Ò<‹1UJbSÀ*oëí¯g3¡’è±(Kìm¶gLGù*ßâ¸nï}7[.q²iòÆtTW8ÕÞg-özbÛÚOçØa)',Ö„Ÿsé„VËþ”pSÚ‹jˆ,ž1FR¥¸Uÿ§‡|[ i„jÝæŧ|‰kW–T¯q>Câ}Ý´H@½µW,ív—nw`Ù`QCqÚCh@)ŸÖ3u`ŽX3€Ö8šQÑ´°¤ØbwY8C[³¡ÜÖUCcµö;¿’,p³cBRîbvlêm[˜Òè«$5ÎÛSíüY®¯°µx˜NYßf%v-°#fùµ‹ï.o°·*¶~ÏUá:ÆÒžäU]–õcQÝá¬júÒ1üèa4x!ûŠ„¬FÜ«Ãöúcfp̯Žlºò«>IìHî·FäL&Dsš‡Ús[fMƒÝ×ýØ߇ÆaHØ×NÈÖø`,ÆNl`Ü„¬ì9Üâ¨ì8~8>ŽîˆWœòÇCÜâ‡òBàØßNNœŽ?ÃãÄ_NŽ=8þ…<ŽÈ­jˆÓf‹y#]Öv±í(ýå¾þª§ÿˆ_z+F'Õ Q,LTæqFe3Ì?gëMéæ0ù™Þä`ìa®ÊšºÊ>z¾ù}ö©0 ¡D×iý.§˜.&kÓ³%‚'5صÙÚAJÊ.%ŽàºK3ÁutmvPqTØœ›DM±.Êl‹DS¼ØÖ*§zÊè^
¦ƒŽ“bQnQ!Åקq$IJ>;-æy³©+—øaY^µ}
~󵎑ÕU6#æa­"R£éº¢GtŠ€ê(ûdË fÕvŒ=¦ídô¡5” Ú0ÃL•Ä¡fÍ°kl;3Ì (Ðœ#ÎëŠO®EwöšãÙ)ÃfàÀVEÀЕifà<¸ÂâÌŠÔ`@¸»¯†Òdë¼'Œ—´†0	&7*µàH©×Épu‹9¶Æ‡òåÑzN¬çbE%䩪iXF“CuT/T6™ö^%‰@óc1aEóy“;$Þn—DÑHÅá"I&­ÿÝç6*¨hýP¶Eœœ{Ô¶]6È’!5äh¶•õ˜.*{{Õ<Ú³3s..­³'$|tb ®J¤Ù»-øâ/”ò»‡p?ïTätÊ]´1Å,¾? úÈ‘lÊìÖj-hm·•ÒI’siëœ&Þ€¯šˆ¾"L0ÁFƒ|#v»…˜Õüä%*á©ãmÚ¬Í׶`ËM¾]ö²‚";û³¶°÷	8¬ÐvZv8`zu{,cPÀëArNUMážN67À¨/'¤í@b4z—;þ¬lêî%6†›Nà¡.•ÇÂßÃ}Є$”ó!f_?%%Iœ¨)—p ©ÖæMsÛ»)væÁGÏ>ù÷¿ìI5J¼ƒ(Yø‡¦¿ƒb¨ä1ð°íi´÷1¢ã:¡È¾4£	¾ñgÂÒbÙmÕî±ù¨‘88;G
gÜðÀ=áPýˆ8fÏù,Ã	è¤Ç?ÊÌ:‰³P$ÙSŽ§pÖr·±=òM~;âœI•¿w…Ë	ËÜ\›Ê¿ì3GÆ"¬ùÆÅ[€2¥´Þcñn7R½b¢bÊÜFW1É	Õ1ªˆB¼1/qŠ´ˆõ”c6ÈÝƶ\3Ùv1WË¢!™÷íÓ&±Â‹¹÷ÏÍ!‰Ä&v|1£;‰'Œæ@µ¬×YQíEðÒT¥é—3¼“xÂp!@Œ1{†5fyJ´NÒ¾å»Ô9b='\ë8Œ
ã„	õÆ=Óþº^á÷ºªÆ/zî9lHÅ‹\×ÜçÂÜÒ|	/_¡cÿ­Ð¨µÊ ë¸%Íhø‚Ç[œøkqóóxhˆSé}— 8TN;å ¼~•6y·—<¨[ê¦è–"y—ÒŽé×Ízg°éRh÷3v_]Ÿl] tꚎ¿À
Sœjð”îŽükDm	–A…ŠV
+¤ŠfM~Òü
+}æòc¿©Húî±ðº•ù]æ*÷OYùwAz;¢œÖ A‰ÓN	90I»âʪßì…j‘© bš+eªžsy…Ô$ª»}ÿÞ*¯Ý}\8¨®£ ËuýŠa¶ðFòp?pŽçW)ˆ†*P€¢Êý%düç3¾ûˆÂ»Äº":ï½$
Þ’
ß0mËIé]XªéO{‚ú
¤Ðè÷ºÊÇ
+z³ªÌÉ^¦áqÇ|"ó2´Í¹Âƒ@ïö¾H¿âðR(7´ÆGy2D£ûÃÑqªÿ߇'¢endstream
 endobj
-1421 0 obj <<
-/Type /Page
-/Contents 1422 0 R
-/Resources 1420 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1427 0 R
-/Annots [ 1424 0 R ]
->> endobj
 1424 0 obj <<
+/Type /Page
+/Contents 1425 0 R
+/Resources 1423 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1430 0 R
+/Annots [ 1427 0 R ]
+>> endobj
+1427 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 518.4396 427.332 530.4992]
+/Rect [353.6787 237.4931 427.332 249.5528]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1423 0 obj <<
-/D [1421 0 R /XYZ 85.0394 794.5015 null]
+1426 0 obj <<
+/D [1424 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 406 0 obj <<
-/D [1421 0 R /XYZ 85.0394 589.0297 null]
+/D [1424 0 R /XYZ 85.0394 308.0833 null]
 >> endobj
 1053 0 obj <<
-/D [1421 0 R /XYZ 85.0394 561.4384 null]
+/D [1424 0 R /XYZ 85.0394 280.4919 null]
 >> endobj
-1425 0 obj <<
-/D [1421 0 R /XYZ 85.0394 435.7497 null]
+1428 0 obj <<
+/D [1424 0 R /XYZ 85.0394 154.8032 null]
 >> endobj
-1426 0 obj <<
-/D [1421 0 R /XYZ 85.0394 423.7945 null]
+1429 0 obj <<
+/D [1424 0 R /XYZ 85.0394 142.848 null]
 >> endobj
-1420 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R >>
+1423 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1430 0 obj <<
-/Length 3273      
+1433 0 obj <<
+/Length 2594      
 /Filter /FlateDecode
 >>
 stream
-xÚ½]sÛ6òÝ¿Bo'Ï”>IâÑMœž{­sg«7sÓö– ‹‰tHÊŽûë»À.ø!Qrï2sñL¸ØÅb¿)>cðÇg:‰#Ì,5*ÖŒëÙrwÁf0÷Ã'œ( EC¬ïï>Êtfb“ˆd¶XöÊb–e|¶Xý:Ob_ÂlþþÓíÇ›~¹»ºLÕ|qóéö2šÍ?ÞütÐwW?ÿ|uwñLóùû¿_ýsq}‡S	íñýÍí1ø8±éÝõÇë»ëÛ÷×—¿/~¼¸^tgž—3éòåâ×ßÙlÇþñ‚ÅÒdzö/,æƈÙîBik%eÙ^Ü_ü«Ûp0ë—NʳXÈDLPð)j'RÈN€<‰¹¹0Ææ‹K.Ì|_åãÑáxœržÌR!b‘êì3ˆ
±Îð°/Û|g£¶Ý6"fÆdç	¤	Âr@ؤ <œ	ßÛ¶›UbÞn¬ä¼ÜïlƒÕŸ]VåªA„¶ÂÁe¾Ä5bžãŒ;FXP?‡MŠrU,ó¶¨JP6ɲ9ÃñUÑä[K»ºÝœèùœ°~cš-6±OÍ,e0äàsûiAHÃsGŠiP!5‹8ÖÂãÖ—<›Ã©v;[®ì*jèrÐ(Ðõ•]çûm‹/¾ÒçRÅ&jH?al‚¾`±RŽ;g¸ç®(÷­m´ÈËmàa—-vû¾<çÛ½=ÇNšÆÂÈÀϦùIbÅø€yÌN|Ê’Œ•›ô¼±N[@‡åƒF¥×¨);àB‚òJ}ž~‡5ÁÀP\€MT6æ`qi@áAB“v¬öK'n¡æ¥m_ªú3N¶u¾vó¿1&–8sE¹ÄµycqäÉÖëªÞååÒ~çF].LuF;4m…œ+í#˜Ì3aæeóbë&ž°HÁ}&ZŽÕûXœ2H²8áVz+r¾oì
-!oäðll‹@Ž|ö
-	cÈqkKgÜ´®ð. 85
mlCct|)Ên>Ð
-ò“*xrw¯È5#!lÚì± –ðÞOüá-x/œc[ƒ@’©4X›65)b¥L Û;QàÕ‚›j_÷VwÀy&bÔøß8_æeYµHÅ~]Z¹§$¯ü•¸qúë,!"2'Ø‘6½Û-úˆò?M±…[ß¾’»ª/3ˆœàämp`>Sr¥D	ך6°í3ÇÇ#™Oë!8½Óþˆ+àWŠ7üÑëŒ?
-XAÒ§ÝHɘDž'ßaMл#uš&c(2ë$ƒdt04FCàeS,7£5ãæé“.tˆngU”yýŠ#N5Ÿª¦hÆÏ6„§¤÷B‘™7;¯3
-2´4;P™>xf
-Ý<«ÒÍôüÅÚÏ8䈥:%A3ˆ—ó+
AÏ-_ãê?¬ç¹ÂÑ]þŠÀ2ß7„™ûƒê—½­Kä[ZAnk_—ø~Ù0ˆêß]®{uóÓw¸öÁâŽîlìr'RfómÕ´2(ÑGqÖ€-ÞÙUÚŒ3ww¿V»“7{wa7§ÑÛ{|úˆâ&ýñÝÐü{w…pH_ðò(…@šˆàÀ
PT©¶{ï¤G‡Á«zBi.mÓœ´3­RÈt’7âþë´uXÞΊ2ª«ªmŽlŒ1X	Ös–t‡5A{dc•¦câ92ÇE°,Ó'À¯Ò=QDèK
UƒSí&oòj®ƒÈ¿ìJ#p–Ì4CO×cÙ¦=@ ã5#ªÙÕ
-QÈ…Š¥:4Â|¹´Oà“ã¿”Ùf#y%q¦ÓŒ‰˜5")NÆcm ôi¦b%±&y« ”™¯o³é‚´6…MS#Nï…ëìE`X1Þ*
-ÜE
-Bt¦“d¨5!úBBfb¦Ó
-ËŒ0tY—WŽ;¤SŸ.ÁåCB%b~T)g \)ÐD–råHϾÌxÌ”1‘°?k/?ðîf'f*8Ñlx(Ú8îìò0ÜH(‚•„
-[9qc5|ëµ,%Þ=m-EÊÝ@‰OjdŽn[%&Ô Cy~ÛI}bXvßø6Š„‰³,5ÞX„+ÉÎ:3ŲÞpf–ÏðŠÇâU±*Ú×È{x;rlp;Jñt6$pìØÖ#Ǧ…+/Ç|Ü?ÙeáÊùÒ¤iïÛ`Ðû¶´KaX®pŒ@r±‡8é=¾¿ll‰(nïï¯ßã(¼Ìbƒóù¾­vPÃDè RC¥¬Çj	ÚEo(÷mikJ áÕÅCÿÄíŒN‹‘_†çêµÌwÅ_öO+Ø€ºðz(z:•Á3i0lã•
-'ëG2¯»Á%tøÑpÁñ%ï‹Ü’ê"`4î)UÌ=bæHÒíEÅ=Gê”ùd¿>QX‚  Lâ‚Bw¿Œb˜“;ñ]=¹3ä´KŠ8 y:Ñzœy­ÛºÜ…ñ:°ª¤ØT/l«ò¡»®/îÝóúŠ0FY„húPé6Ï©ÖØÚ¼ii¬±Px½‚‰Cñ„ýó®R	ÝE¸ÿt…#½ËÇwäjû°S¨%P¤^Ÿ8çžB½4’(U(lzœpáÛÐ’vÛæ!äù^Qu~yÐÑ~Îë¢ÚS7È]k}Ðû^uâùÉ¢n&6Œ½Q”±NçqV¸F²è¨¬Vö¸8•hÊTœg¡ÃšàaìndÌ8$³#&|·v‚à!ãCÁÙÀþþùÅE>h­ý
-¹RéMF½³õ×è›F0òeŸ—mØ›=@p’ $.á±â™9ô¹£Þhé½íf4UÚ yüÇõ.9÷Ÿ{ÜÈñÙE@qj¸èš¯“.Ê|)²Såi§BLÆ©RÉ*4À:£BëP…‚OÐ#º~­8ÏG‡5ÁÈèÌý1'½¹	ô	cC‰Ë¦ÚÒ—‹N—öºäšï‡i½_ê=“鎳5(–ïrùO}C	u£'ìTŒt	jp)¾ÊµáSiŸï4‡ÈúÿÔ°ÔIâŠMiñý††q°eo›C¬ÓÖajXûúd}T\J‰ótX,ŒN+5”8íxèuË(̈Ü~ñŒª/w𾳊CžW„œ2ý¼Ó×'€èú¢Ü™r+5ÿl‰Ú ãR‡íP—V)Ùw¨µ«÷õÛz[À-+ž„(
¥ŽÔSßS©«0Шv!À3¥Ç	Ä#Æ©ε‹tP"¢?VÁ°<0žò:ßYLµyhu€=œ{W=ã&”As¼xŒªw˜výCŒÏÜuã—6´C,¤ÞmÒ´›1%*î
-O+<ã1Ïý†Â°Î(|ÀêZÅv
nt¹Äá»îùä°Çnë×cÜ0xTƒj',QçÐaMœaT’'	
-¤P£C,ðc(7ŒJë_ ƒnÑmnqÀG|„/8`A£l_dîw‡Ý޻ɟŸ¢I9÷·,Ã7Úuð÷h2¿çƒ\©Ä/1º/&¯„¥(ã<Ì&XB¹÷ØýhÁª‡„Ún1äåy±õŠ	p[çe³¦¯GLÏiö>õå‚ô*8•Ã#YcÅ!¦Lh”àA¡d¼Cq…;Ä€‡}‹cákôÁž£k}xí!°ƒd.î‚öíKB3o¶ù3áuŸÝÜÖ«hªTußK[ÕM¨TÚ6dÓ#}ðÕÊsÈ”™¢î± FšH‘É€Àk»ßPMè1ëØ7ÿT«ÿÔÖ2ËN|çi«6!¦¼SÍŽÝý¦ë˜õ?ŸH´Âendstream
+xÚ­YÝsÛ6÷_¡é“4S¢ø">®Onj÷Üi;Gw/mh	Ž9•HE¤â¸ûßoR”D¹ùh2	@`],v»‰	‡¿b’f¼ôë5˹È'‹õŸ¼…¹.D¢É:¢lHõÝüâ›ke'žy#Ídþ0ØË1̗¿L
“l;ðé«×·×7?üçîrfõt~óúv–ÉœO¯o~º¢Þw—?ÿ|y7Ë„ËÅôÕ?/ÿ5¿º£)“öøîæö{ñÔœÙôîêúêîêöÕÕì·ùWóþ,Ãó
+®ð ï.~ùO–pì/8SÞå“'øàLx/'ë+–k¥º‘ÕÅ›‹÷fãÒ1ýi.˜¹j¦¤x-±àÀ6uµeNr{Ä5Ü3ÿÁ–(—ýH1¸!r¦ØÜ3£¤Šw²x^¬Êª¨Õ€ÚäÌç9òG²»°¨·3á¦Ë†´Zį@ÔowÛ*,i¤¬5‰Ëž¸ÞUËŒz÷mb¶xEæ™$Jqó”ZuW½ÅÑrº¨«_9—ow$Ê’fŸÊö‘zíc Î¯RjøgBUܯB†‹>eÛ„爪޴e]ÑÖE;&Ê¢^oÊnªø´-gbº_ã—F^U\¥u”mY¬h´?gY½¥éúáˆþîÄ¡±§rµ¢ÁuÑ.e!¿¢e¨Á*ušMX”x¶ãûèIÿèi‘lرwèÜ2-<˜ËÀ¨¾ÌP•vLL²½ƒü•ÇáËí‘Ç}ÞªNanìô!*æèŒØ»
+£Éãî¤$좒p§ö±hiä±xŸ¶ŠÎz;ÒK°€iÂÁcŽÓçÌh¡Ó‚„)x´$DAM³{@i#!pX1mkR)hˆq!í¡N‹ÕSñœÐ÷þ/—nrX3%À:¢òq a;Üíó€~ˆðg€|`äÈr½[µ%¨2©q¨x
AÍh—Ô8ôŠS•çšÏmÓmX‡ªíN°Ù„"Êòu‚Ï#‡«ê6¥^CPêN7hÀ,ª=B\`²*CÃÎ%¹;âÆ}T–!$ó>×ãèªt
+LLùO@änÅ"÷ÙœVŽ#ýÚzãƒd :E{Æ­É£žo7‘ƒÉǃ³\ÉÎø_^ˆéþ—Ó“ôöäŒ\ͼ–1LÞMãÚ{EDƒ~<ë^qà››µœ|_É&ƒCugÃã¡Œú)„i?èÆk­É0ÁœµÈáª1³ÀÞ6¬Bð„¨±¥{lJkm#ªÃ
Shθ4¾·â,!KžI>í­ù@°\3+´9¶fâ·¬C,š+všÝfƒÐ¨ÁBi$&9,3H ²ƒ6ðAHu-P"K‚vXH‰ñÓ{ï™úËð€ûà«ZL¯Ë´3Œ¬_UÚ(P‹ùî¹êûA"m¹§Älæá7	LÃŒŽ8dƒ³dvÒÍŠZòeèàÔ>{{Jl
 J+À¼»Ó4	r	é¼›=èËœÝ?÷`4Ÿ&½‡~.
ûh…БiŽ)ŒÎûªM&r¸aÑ>Œîªt`'Àr&¸ ±BŽW‰(R—¥§BYVÌdm»:fAš{¸„wD#Œâ·…ŠrÂÆoB›*¾’¨vëû9a0&ðÐ6=«9±æ¨SmR,hŒ±fV1'£Û÷Ý&eµ,èfÜM9/Ëk•´+ÓDõ+Ïùü±+„ =¥
+WUg‚”Û×ó‘ 
+ø‘ƒeéClèr‚5@Ð2,p”AÌ»hø€Øòf$‰
+€ØÉ.‰‚r„?”ʧ.o‚S	ž²„²Úµ¡!Ö1ØVË£ˆ¼.>”ë]ÊwÞ«]xIk™ôªŠ›Qyƒb} Ž:‡õ¥‚µåª< £BAà Y-jÌ„T`¼*™O5"ÀAô’‡bv Á|æÁà±$Í“u,w‹X·êiÚ§zû;M¶Û¢Oq4O'1P,hm­8²	[Hðq±Ž–¾«†ó½“ÀM[§Ò€æªð\æ}¢,ªæ)l);Ò&dL|xš÷©:ŸAÕEo•ÑˤšB½²¤^trh©^‡NArî
ÆRÚAœ^pE:èQY#ãE“ÆÒ9裬úùŽW§nRwÈCÙvÖI}(“ÃÚÞaO•”+&ö8ñ1Êñ¹{åœúšgÆiÛyw5%äP}þÞƒ(Ⱥõn»÷º#ÉÄ?®åçIÙJJþ-Tê‹@©¿Ú¤¯TwÙh¿T¢ADä¨ØkJ%í @k µ©ÚU*7ÚíÌAäh>Ц
+cÙWxeªÈ®”éEímrŸ¶+Þ"èÅ#‰7k);9GCªóxÔSuš>G %ï!#~‘}O5ÂÿŽ@ÕÖšCRdÎMÌ0ä£Á09tžËÅãÁšÆà|ºFÓ‡n覢¶¬Ší3 inꦌ¯ïCžÌ…2%]t»h3P(ëÄ¡SÓ/ÐRUéòéS¿Ó2³ÔE#!7€TQÅ7í‚. Õza¥ÑuñLE<(¾Û…mû6­ØWûôýæênªúï5ÖÒ—7?}Mkïí8òJŠ’(és³Rž4ÚÐ(Íâë(Xñ:,K°fš‰ïŸ‰
+OÞìð¶H£·o¨'ÞÆããÐ%üùæ’úGO){‰<‰ ¤¨R¯v¤G³!m.BÓœõ3á0Ê8û²Ÿ
©ÎûYOý¬¬²m]·Í‰Å\¼çEÖ=ÕïƒÐk¨Š˜§ÈáPŠÎ³ü>Îé*±%–úäT
M¥G7èE3Ï;•¿Û•ûG{˜MnêéöT¡i’óú®îˆkM$÷É	¥fJ»#Ü.‹°Lf•Ùº}ærÛ=SɱÇ)-"81' ÖƒÐ'´dÒzÿQoâ.þ¨æξYØÔzñ	¥(­8©;é2Ë™åÜyrO['¡=¾Ø˜¿ãyìÏ[¨F”"7ÛëP·o6ØøôqSd£4È.ðy;=xE³`Àøü‹o2!=”éU!ý0=þ¥` Ë/»z7ž«Oú=åEÛA÷ðÜ`i¢™>éØÿb:x˜°D;Sˆô?Á¨œÁ^é×dw
+ÂœI(Û{²ðÿnsc>endstream
 endobj
-1429 0 obj <<
+1432 0 obj <<
 /Type /Page
-/Contents 1430 0 R
-/Resources 1428 0 R
+/Contents 1433 0 R
+/Resources 1431 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1427 0 R
-/Annots [ 1433 0 R ]
+/Parent 1430 0 R
 >> endobj
-1433 0 obj <<
+1434 0 obj <<
+/D [1432 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+410 0 obj <<
+/D [1432 0 R /XYZ 56.6929 415.868 null]
+>> endobj
+1435 0 obj <<
+/D [1432 0 R /XYZ 56.6929 390.8599 null]
+>> endobj
+1431 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1100 0 R /F63 1103 0 R /F48 985 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1438 0 obj <<
+/Length 3814      
+/Filter /FlateDecode
+>>
+stream
+xÚ½koãÆñ»…¾U"÷Á×ÇËÅ—^Ú\RÛ)P$ù@I”ÍE*"iŸòë;¯åK”\ @aÀ;»;»;;3;/J-|øS‹8ð|“ØE”X/ðU°ØìoüÅÌ}£gåVC¬ooÞ}4Ñ"ñ’P‡‹ÇÝ`¯ØóãX-·¿.?üõýÏw÷·+øËл]¡¿üöÓçïx$áæÃOŸ?~úþ—û÷·‘]>~úé3ßß}¼»¿ûüáîv¥â@Áz-;\XðñÓßïúþþý?¾¿¿ýýñ‡›»Çî.Ãû*ßàEþ¸ùõw±…kÿpã{&‰ƒÅ+t|O%‰^ìol`¼ÀãFŠ›‡›tfiéÿl{¶ábh/#5ÏeßóàÚ*²Êµ—µšã²ÃB.×ùÓê%-òmÞœVyÙdGèMﮢÀ‹âX/†œ‘ÑaÍÐat( 7
+“`LÈÃ!Ûä¿ù¾ÎjC.›çhY¶ûuväÁjÇcÛô$h@sÅc² \îÚ¦=Þªx)ý×ç¬d”ï>?<Ü}àQ¸y™:ÄšçÓ¶©öi“¯pß‹µ	àjÊK‚@¡›´(N€îÇ˧¬ÌŽi“m¹›ÖÒr#;·EÃ}¢Úí©L÷ù†;íaÈÂßüÀŸòÞ¨ÐΪE¤/Œ@€©>gˆa>w¬Ò«^#•Õu¶©Ê-ËTÃK
+ ª’3Añ
+£ñèK¾yf°j%æU[Ë(ÈU¶LK‘‘3û¬´àÓ½³Râ´kÍõ`nˆu9˜ë°œåI¯Êj›Õg\z&6áu:¬Fö&Rž	m2&‚¹2B¹˜L
M„Dt“üéåE­AÖ²<û
+!SIÏÈà’$ÑOãÈmZ6n{‰÷™!±\¨<«âdâ%Éö¡¹ù“_;@¯yó<š*³W †üÛÝ¿n•RKGŽô¶õjΊk?ô¥Ý»Sþ¬‡×kt$8—ÕÈÄ`=Ã7r‚!Ö5rXS5r†uF—bHª’8ºNG‡5CÈèΉòt<¦£×$4:|‰]ž+2=0ÔiÀ¤MÚž÷´”l“veGÐ+x­Ü=Ђj“Õ5«F0j˜¨RjoìX“XùPqžéèëÿSÁ")´Ñ‚Íé—Ðý†~ÙD§Á‹\Õ¯!Öeýê°¦ú՜ٙf	$Ì~x‚k†„ÑmCHØ#=&¡W­ÄrLdAøùktî¿ãþ{ÏCD*Ch ’€âeì·5Y&€DúIô,Ñ•]~Éä´AÌeÅ!m8œØR`esÙðf ƒ[Œƒà7uÀ0u¡óÒë˜`F åŠã(jäkàà}¸"¦¹Ox˜²8©=¤‰lŒ­{V9ŒCzL÷ÇÚ0±OOÔ»ö¾záM$„V,
+hF00«c¶ú¼ÂÀáxÄÙaÂnŽ§s\7x–”Ç@AÖóê:¬™;Œ’òÒcõø ’˜Áƒ“ܺæ„Ð
Í‚Èã#PC°†
+è/î붦
+Ñ0à]gÏéKN!š1K’2´,سöüb`<åF©±”.üÑb¨p<	–•ˆð8š`ùÞSVKq:jºÅ˜§yAŠ	psLËz—q^çË_j<
+ˆPËJiâ\Âʧ'É )J„6Hˆ88‚¹@ƒ„)!³‚	<8‚uÛðXÃr˜î9J´8‡Ñõ©[ÄÀbr	ˆDöíSÃdYé‹à9ÙÑÖÛÙèi^wšêX»Œ¥i\P=RÊZ^\ÀÄäÇr¥z’·Œ4΄¦×8ˆ6]…ã\ÖÀ±í€™«¸%f÷‘Q£ªŽºð;Õ› vúÂãîANù“ådVìùÍÔ
+åŒ/ÚÚnè%çÔ†VJ«—OEµ¦¤T¢ãÇŽ!¸aÇìô²‡eq²žà‹¸”­ÀuÓ®y‰ªåx™†×R¤ûÃܵº|HÒ4ÿœ[£¬hÀ-—8¹ªšdXãº
+¥\¨à
¶Ñ±$Áñïë²Áî°HtÛ²^µÛ)ž'2gÛëÇwX3ç‚ðð
+T~LÀCÖP=Ó•H·ð€šœ
èßA”ÈÐ/ßýÌÀºÝ!³w¤u>ˆ©§ò®ˆq’R³Ô# ?Ôá‰ýr.\ƒ§›/ðšÔ²æ¾/Yþ‚J²ðÖbYa’~ÿ\ôÒz»å‡Ý…	åkËS-­Ÿ„ŒˆV¾_icÛÔùVJàÐ<¯pÅ㈣hk0ëeÃÅû8úï¬á–‹KÏqœ
s}Œåè­Úᡱ"*1ró]IÆÚº¥2E¬Eîó»LŇ3Õ,ŒÛ®
+›²*Wýu`€¯C »€[ò”	ënRÖ¯™«Öi­ÕÄ" ¡5>hG]3$9ZÕ>=óÀšû_06Æ>>ræÊ+¹nW˜+[îŽéÓ„Æua_TPV€‘yGæ~¼†ˆ?C¦ígZ¯`qÆUb2N©dsÒR:¹ÚÎDhÿUB¼–1^d:i‰–FDE±N©¤‡åéŠG[IDaˆ)À*²ñœè!«µ;
+ž‚@2°sr­sé;—%N±RÈêí¸”—•›ª™KɯÎùœêÎ×®dÈ‘D2Õ(¤×Dˇ}ZH­Pì%@¬Û´ùŸns‘@£vTtìË“s^þ+Õ
+^DÚ:i?ü|«tr9ÉÖ~ì%ÊèëNlˆuÙ‰uXŸAÊpÙ‡…ž
âèúéÖÌñc¦<;9=˜‰Å½0%bbq”}–¢ðƒbƒšd­›Vд¯¬¼Ÿ‹¯ÌzQÜÕÙäîšQ‡Æˆ)”'½Š|5tVˆ/>GÒíÙ(
+.Œé…˜0ðÓŠChèÁ°ßy0B'†ÃâÁªCΛ­÷`õŽÉà\gò±#&A>&Ÿ5ãÔx8†àЃaŸ<W<˜Ž¼8Š]sªSf½ ÆöwO¹y0pב”[·„ì¬S¸‰x°ù*þ`€LM¨§QîÀƒa¨3ô`Ú·ç‘¤‚èòmÀ¡ÕSÂIçÁFk¬é̹ß~5Ù‘Ïš
Ø/y0à–óº+%É÷mv€W’M?8uú(íb|Šå€a$øÝï&:b|ßKàAý·QÖñœßì?	¢:{J‡ÑØý>ˆj
+éù$ëp_Ùª×A®á*³…$­ìð*OÝÕÝÃÞ¾ó¾Ç”±¹à ­’Ì2ð‹.A)ã)«Âë.aˆuÙ%tXü1ûG
+‹loxÏÑø‘ñBmâëDtX3TŒK¯±ú ˆ#2F¿ô1Jê F˜W,ôL¿4€–ë$=fí:_gçe1¬žF¡ÝåÚ/gþ·:ßwôˤ(ô šÒ&8ºÎÛë
*ÎwëŸÅ*PÖòxà
+TÜÛÎ?3P¾ñ€·Îg_›¹Ò±OïAúFR?áØ›¸ŸÒXN6°eiS	bXŸ¥)8ŽŽuiÓA2°F)ò/ÛåÇœ¥û–ÜV\oAu§æcÈž_Ô@2c"¾qÓÈë²°ÞÑ#©§C.¿ÃnöU¾
™ ôÂxZ³ïêå‘í"{ÊJ#;ú÷‚6ÿÙÂlk¢Qô³ÚTûðƒ^ÇÌ7{°ŽCßZÍ›åçªÉ\ðÏi@÷ý"âÏ^0 ¥IpGó1Ò6ÅôeãòE¬iØäìcüž3—d,Iüè
Ñ£q?ˆáç0è髦笳gâÀ¼7ÂÃůE.l9ñ¶Õ>Õý¤Çvî•Ís¶ù"tˆâO+,"þµ¬>dGä„Ó
+÷c°­¾éèü7! e¬Ôtä9ÍpÐ÷b¥â79hT÷k–Õ£å'Ùý‚£ß´E*Eãs¶&Ö3½Á ¬ÈÑÍypÎË$CÜšÏÙV|+Na =¨Pc]½ÄêWUZaUÂ=‰cú:wU߃„pî¦]ø­¯	<üö»¨ÿóï€ûI[06øudÞë@Þk¬2Qôi/™RŽßσXG3¤ÿ);‘_endstream
+endobj
+1437 0 obj <<
+/Type /Page
+/Contents 1438 0 R
+/Resources 1436 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1430 0 R
+/Annots [ 1440 0 R 1441 0 R ]
+>> endobj
+1440 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [286.8324 392.4739 335.1613 404.5335]
+/Rect [315.1789 725.8736 363.5077 737.9332]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update) >>
 >> endobj
-1431 0 obj <<
-/D [1429 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-410 0 obj <<
-/D [1429 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1432 0 obj <<
-/D [1429 0 R /XYZ 56.6929 749.8269 null]
->> endobj
-1428 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F62 1095 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1436 0 obj <<
-/Length 3991      
-/Filter /FlateDecode
->>
-stream
-xÚ¥:Û’Û¸±ïó󨩲¸¸¼Ô9uª¼^{ãTâÝØ“ó’ä!
cŠÔŠäŒg¿>ÝèDR”œTÊSVhFßAy/àŸ¼ÏL$tߧy!Íýöp'î÷0öódœµGZ±~|¼ûáƒNïó(OTrÿ¸­•E"Ëäýcù·Õ»?¼ýõñý燵2b•Dk“ˆÕ?ýD=9ý¼ûåÓ‡?ÿõóÛ‡4^=~üåu~ÿáýç÷ŸÞ½XËÌH˜¯x…+>|üÓ{‚~þüöÏ~ûùá¼{ÿÎ2>¯òÛÝßþ!îK8öïD¤óÌÜ¿@CD2ÏÕýá.6:2±Ö¾§¾ûr÷—°àhÔM]âŸÑYd2•.0Pé¥8NîS“G‰†!dàã“íìÃZ'zÕûªm:lÄ«¢®ÛêïŸ,÷•‡ª©ºþTôí‰ÇZúílÏ8ÔFÄÃpྦäÞâ›ïÕ«ÓƒÌVvG?ÝÓ•ºûÓ+õ÷ÕÁ"³áÄk)£ÜåÈ·P´¨X¯ŽÖMZÿÞ6ö
vÅ¡ë¹²/¹Z¹n³jÝµÚ×íúú ¥\ÁÕk‘y†à‚!Ø(ˆ"j<uU¸kyû®.žyØ7èúaC]HTÇÛó°^mëâp\:–c9ÊÙ—_ÞpÁ-줅¨ã6‘[ƒ-ÿú»£ÝVBYžgl]ˆ²ˆ„-K…‰“$˪ËHë1Iž\R]å®®lºõP×]õ»ï.ãÛS_uŽ7Ð~ÿÓ§/ýõ§_	Ø;döÎI€kGêÝHÕ0ÆkoýÂ-ýnÛ¦wwÔÖ³ÏÓÛ-x,¶_A›äª£6ÝíÖV϶t·t¿ŽãH0Ž™ùp–K‘òµ"œŒd¤P1AD]ºŠEžâß…ç‰éªú®*ybÿTq÷©hö–f¼TuMFëªÚ6}ýJ­¢üçÐõ¶„•%h˜Ê
j•vWu?¢wªdâݦ™tTÂ
-1°„V€¾¡Šš@:bѵ
µI/ÓÔWÍ—ž‰¥LW§EœIQ’Dyš3²ã¬^ÐOÓ6ëóq ƒŽã@?eo‡d
-iº{êèr•Ê#£”œY4´Z€ttAýIÔ°¢Ž
µ¿Ú†Ú¨äÄ•0raVÑ3zÝn¿¸;û\Š=m‚"È3ÀÈüàÌýtŽ#þÙ-¿`ÐÎgÏwÕ;rÆ©h2Rà”(Z¸4\8‹¤$Mqª//Kë(Õá¶XJS³Ú+6B¥	]	ôJˆë"
- Ï«1ôU;êªzú¥„‚Ú=U·e\´Á >ŒÇIíqŦB¯œôBÛ‰z ,Pœ)0(CN8ü±&ÌmZ\Þä ‚tÛ`¥Õ%u’3ÈW¶Ù¶ܹ¥fWÑ>#”oÜõd«Ó¹w$QH¯NW_…ã. °½ˆdÛ-þ»_œo vc¤-Ðv¦“öZôò߶¶ëªg–Ÿ¡cÀñ~ßýú U¾ºêÄx "£ÛNlŒu݉,¤"š>,‰b“¥·wXÛO}˜ŒâÙîäÁtÆî]ƒ)Á‹¢,hÓ 
-),tîî±1²uãÂi”1ëÏU-‹£4Sr¢enUëâ84~@LC «4øj9vVˆÏ>‡ì_¦¢8MÍÔ‚Ñ Ó?cö`=¶ƒsè΃a7{0™j€6Œvö`õN¤ÓSäóò£¨)žø¬… åºN€¢Ð	zÃoSÚ#h	Ð<µe!PŸÄ¢!Æwq o0ŽDp¢¿ #ZHûÒôßr T~“džGøq”uôãRÉkè`o„GÙ‡£—¦^E}¶ï´î©pgFÁØ^IpÐVCæaò~Õ%ÄY†4¾íFHׂG"
SqBòj»>P84q‰Ž¥³›¤K&N!É¢D€:iø2<§;f[Í0ç`”=üÅ$uŒÙù†½ðo²*SÔø 4vÚßðyt¤€~ûH«’˜mQˆœ$‚ hNXZ”Ûô&WÒm.Ö:«ÂÚÈØïldþ¡ìeÆÑÚ≭:®zëk¿õÚ§t”cáˆÞpº§’„©ñ|yª¶øÇ”`à/ݳ+;€É#óUòlGŽ&ö©Ò‘ƒ0°@2—Å«Ý;®ÛÐoK5Ij:Úƽ˃jH`t
-ð퓦QȼÎÎI}=V[W•qMûmÍÈ$Q’©djxAÖÉ胮ûhÞe¢ÐÞÛÆž
-Æ€žÑž–"	¡u¬ÓIij޶‡#ðÃéÅår°ˆcÚÖ.‚׫Omo}ÀO¡?„OΫ¥†’†˜•
;¼Zbo5E*«Ißô>GÌ"“dz<À«´Jõµ»åÊs‘~çj€Ñl8çß°bÝ¥-ß,°.6‘ÎŒþ^¬Z+SB•WZ¶=TÌ¡®=XîÛùC0W¶Ovû•é`ÁwÚrÂK†Q„$"JÕ¬j‚|)Ws‡Õiƒ"ʤ̾ËA+F÷âê‹éê#¯~,À¹o‡ºpnj‰­yé³Áp,X;ç¶äµ%x,q;Ú§léT”$BGq<ºâLìk$±ºrT©$V"¼JœŠ—¥£Š’À¥“º ‡T7…£è<ŸªîÁ®¸
-µ‹”W	è÷0%‡ú‘ÂDYçß#26ÂL¨¤EÛÓæÞnl5 ùRõO„À†^uÅ!ÇhkûlkB,:O°ße\t%Yt®e"Œ$yúŠ…B‹iòäûjK$¡mpÛ=dûä@qybn¨wW\á¯ÑÛ¤±+éw·È‘™ùfâJä3£.9ÉH\¸`îbÁY™|30%Û‚	ßX–'¡W6sˆ-D|§ª,™ÕéÊVgN¶àgü:À§éˆ{$p#›¢sLAç4 «j¶õPR¨ë]¸“Fï©ÿŒ!œá¯k|°)Ê^ÅÇX¾„5ØéHÄ©œªÖ‡¥âH¤A‚È.ÎoU‚6¯òŽ%‹ë$*8>ŸR¹¬fŒ_ÊŸAþ®Dæ@ã‘ôíÐ|Œu=6XNê
-XÛ­ý…ÿ6ØÓë¢	SçÅñ9•Eàm2ÖÓ(H;Ã=!Ô¿A‰„Ö”ð¥CA¥CªŠ¤ûÚ=?»a¬JãôB£áé
ÍpØØà‚$Ùfçµ/Ôm‡Wß4ôómÖæ
“NP4¯ìajC qÔçlUN”3ÓPxúßéK£4μÙù
íà›ß h„ÿ·5Wf‹f`l“ üßµ5ÓQÖKD²×9³O©¥;¸ËaÉ"Åàa &žÛ­=:†Ä"g|<_•Të89}ÎfYo`k´h{!D;ÛÞ¾À$!ó÷7ìÔƒ•9öã’o«wõCc}=–2ú윹gþÕ1ï‡U´ðl! i’f–¥„,c}-`¿Ç‡,®‹pïùí$¼Hr)`üp ÅìÝS
-q.¯^Ø©É$Ð
`÷Ô.V˜VC¤! ®'W¤¨*NrBq¥Â¾4`ʼ³rðK¢.é~¼ Øsd ª0Ä;÷ÅWËäºËôumýl—߇)²n#ÇLµú¸£.6¾Ò«ù¨¼$GG2ÒÕÕ)Α£âcÙR@Šº™eÁîߊ@òYQwÝÖïVðeW|Ši*mQ³JÈ|	r¸ e`/5º°‰µÂÚ%sìØ6ÞT%«³¯'‰Ñὺ¼RÿDùt¸z$%ÄZÍ7s÷iºzîw÷;îèygªƒ¼ú›¥»Å= VfJc! ¦­Ü79›!ì³ÈXO7)Ò¸¼OlcÃcuûr~—îÀÔg2¸‡!ìÄ'0‡ÄÔ=aëˆsKŠªáØvvœ¡!3Q.**0v!ñ‰”PÞ¶]uÊ—ÔÈÆ“4Åì>f+Y7-Ó:·o˜-8àjÞÔè°@ÃóêŠòTjÏ3'èYÌz¦G>ÑÐg(ðþÏøoDh'ÚYÆ:›=ûŽÔU,Ó Yÿ	{%„œÀªÑ›Á¿Ëc)âzÄãXeÄãXÑ÷Ø1âqœ*/z*ó›~¦¥ùÃÑ1
-»6í€üA«O4¿hµ:[WwȯK‘±”’š9¤“fü¡—‚o³ÜÇñWãTXóGÅ1Öõ85`ñ{nµ{]—¶.^/ñör}{÷€µ°ýäBcåN÷'¯œâH~…ê’q*žbT
-}éµ/ý‹µa¨á4	à *é$|6êã‡H~8'o
-Ýý ñvõ´|L ªp†t^õ2¸=A.å"Iè9äÄÍÀ¯ÿdk+ÄêÇ¡ªûµÏhBØç²JçBBã²ÖAm„LU	™ý²óbø*JeØö¹*-¿åR¡'[wCMˆeUì›Ìû–'TÐðøƒú6û½yÂ.WéÏðíÈ[D¿Cµ›¿p>IÃçþcg‡²]÷íqíjë²Eë¿TšÑ*JLê-ù¦jÊåB°J¥×6G’N¯•@À5èÔ‡ïþðö—/+¢ðg!šwI·Áù¯uÎŒÉ|(?ãñŠSOã°9b´¨X€ÃW^GÂ7ox¼D~çqäü
ìýR]çkNžF”Ì+si3t”ÇBiY0Œt›„‹µF	“ÌIÍáw”‰M#ñi K¾s€•ÉPwô_X–¢zLÂàš\”iÇŠ¾Šl4Æv>2ÐàâŽ'f]#Q‰,ŠAly÷Ÿ–!˜Š4ö2û?acþJ“=4*áDèsSo´²(Õ2²ÁÊäÙèëShtƒcAžbqqÉ¥Ë(S!)vï^õâ°³×Õ‡óŒëÃøúpž2+sç¸;Þàwxø°ú^Û€u5Ð<óSÓUCvñNeÕ›z²òÝËŽß>/ˆ«¸÷¶é¿þÄú¬{qé,SWÞ%E,ÎSO”sùœòð-ö%éÿhͽendstream
-endobj
-1435 0 obj <<
-/Type /Page
-/Contents 1436 0 R
-/Resources 1434 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1427 0 R
-/Annots [ 1438 0 R 1443 0 R ]
->> endobj
-1438 0 obj <<
+1441 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.2799 485.9484 410.176 498.008]
+/Rect [353.2799 109.336 410.176 121.3956]
 /Subtype /Link
 /A << /S /GoTo /D (zonefile_format) >>
 >> endobj
-1443 0 obj <<
+1439 0 obj <<
+/D [1437 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1436 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1445 0 obj <<
+/Length 3589      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z_oã6ϧðÛ9ÀZå?‰$z8`»›mS´Ù»$w8\ÛÙ–c¡²äµä¤î§¿I˲œ´¸Ã+rH
‡Ã™gFæÿø$Í’Ì
+;ÑV%)ãéd±¹b“'ûöŠû9³0iÖŸõÍãÕWŸ¤žØÄf"›<®z¼LÂŒá“ÇåOÓ,É5p`ÓŸï>Ý~ûÏû÷×ZMo?ß]ÏDʦŸn¸¡Ö·÷ïüñýýõŒ›”O?|÷þï7÷4”yßÜÞ}$Š¥Ç¦÷7Ÿnîoî>Ü\ÿòøýÕÍcÜK¿œIÜÈ—«Ÿ~a“%lûû+–HkÒÉtX­“Í•Je’*)¥ºz¸úGdØu¯Žê³DÈLŒ(PÈž
ORkÓ‰Nm’IBnŠ¼nqWršãCLoê‚?3&*ß.kzvë7ýÕ'Å{¬9K“)!Ó]þB“NÖ,Q)KýœU³Ûä1ÝìÛŽŸû垊ºØå]±¤îKÙ­i®ïHm¾ñ­ÅºXüJͪx.*š˜·Aà°J»-%î	¸‚t“Y"yª Å›¦Â	ævªz;ý
+ÈÔj¿‰„XŽlUÊDñÔøY‹¦ÆeŸö°£²ñìI¹`x’™éãºl‰Üv°ëMQw¾[tíkâp#ÉdXi“·]±#Ö3¯áséÀËôñ h…¼ª¨оÃv:ï½$‹Ü>/H{R¤à‡Ù©òšçb·+—Ë'K=u»•ÆÙ<¶Åîš›éÌÛNØŽ<—ÅÌóÖ)ç"•õ¢Ú/Ëú)09ŸT':N!vÀ‚õöEÛ+ý6Æa&%@’Ò<è‚°ÉmrÄ
T´Íüb°ÿ‘SåàM`—4Å©d”O&tp§yÕ0ïª,¸
+±? û"O4çÙ`v¢ÄÄ¡I³þ,>‚Øq–s†ªÕ¶³pà_öÅîðŽdÚä¿ÍFLJR
+ie2þº˜qÖˆœ§šT‰Ê´:ôq]´¨@–¡b#õ*JY—]™WD}Ϋ½§ÿÌR¶ÁÍ~MNãy½¤QØŽP§ÞoæÅÎ#Q&àĵ8Ó
+­ÎN"ŠÅ~×–Ï‘ZàSuy]4û–(‹k>%ÕQŸÜy} Æ¼]S“”êš(1Y?ñ#0éTó`^1@heŠ|A(|÷¥;láÿE•·íSx›¥Ò¿ò··xz
‚Ä]+h ØÖ[¾”]J
+.	'xâ‰ùbQlÝ-XR fP¡Ø·Ó¥ë4Û-Á
+ÌÈ—ËýÄ/ô½E&£ð&Τ}û:H3¶å¤¥•:vÖ±-ªµº}í…ìè~Z°5|Û™Œ.ÖyýT´¤×,ǃ;1¥°&ó7,›VÍÓS±Äû‡3´u¢.‹U†E·VKíü¨36åÌI$0§Ø!„W‰IÁ™È‡œÜ<‹rC³]7ûjImâ
+X$‹EG¤uóB
Y.´Ð\K'	OÍ6ž‘:x’©C#§G0thÖùp26Ê8äWîò_/®;Œ(_ÛTÏEÜ_O­!¸àn!§L1½]Éã/žî4ÕøÁã– Sü¶((Ôáñ¨½úßÝqà›ÆDè-±‚¬ŽCdÔî7EX-÷‡]ú”^¦e‘WÞ%xŒ¿ݹ`eZ$o±?«›zæ5¶mê€VÙôxÝ“ÅÉ‹¤à€D?q>ÞÅI©VúƒwŸ(<’tô2ž®V\uÙÐÕaÐs7v¶¸†´ÖKªƒ°¶D®Htg‹´¢;‚xÔ©!GêÓû<ü‹5͘û±ªy¡«-ÐRq@0êÃ}²ïÐTX®ü$/Ýã\'œc±ÉËÚ‡·ƒíìk‚‰å¨£‚bÏíÌ&‚‰Ä^º—Ïc©Æ“5)ƒb8ÞáwbÓ¸›?õjÁh¡FFµ¯*7¥gÕßðs¢Ÿ)ïg2ˆMÄm
÷f=„angÚÆX~ª½ž»²0–u¦^yY½¶YPUŒT_‰}:æLaÆ×Ó±†t¬„v:FBOÇJ‹`zÂôuŒÝÀ nèýýÖ)
+IófúÁfãÞòïç5M-7Û¦-üŒùa,8æ<…I.¤]ˆg¦ǂˆp
v1TUV'VË×#ÕÞ¤Ëj˜DXÖ•«ÃlYTùYøɹ€T\ãµ¥ã¤óµOÎ’k´ ›î/N÷±ptËsΧè(ÆçáCRˆê—.K3
+ì°{)Š8Tû	øZÎ#`˜6F´MѶù“³kîQ çô@ØFà5¶/P Sú˜C¦ ¹¤‚ÁúÆâ&H$Ë2xCf‰àÇZÏàïzñ›~³/«n²™ï¹‡R¹˜Ì¸ŒuÄ‚À
!Ç.ª¨ViŽÌ¤áÓ-‰ù\.Æ⨋0°µ.ªíj_ÑÄe™?Õ
àú‚O¤@B·&Vû§5½‘=à’ð6›ÃÉï&€¿ù¬à,Ö@¡àÒÚ¶Å~Ù̺f;sõŽÙ²AØ+ËH‘d©>/ë±8AèDh»¦U.”?àN!ýðÝûÏ#!·&Fñ.À@Ï©Ø2æñŒÜîò]G-§*ª`·§1èQ‡1i‹âR).IpÃÌ ÷ÑØîiBû±"dþ¹·žqÅ>@ìJ¦È­³b‘ž#F
+ó¥9g2ü¬7¤8çÖK—@çêðìåa'§y±Ô&{ãa–á"T!^ÖåbMl)¦ÇËÅ8tLWdüóa¶ít|u'ˆo]Q09yŒèönì¼Ð*”z¾Ž“9…4!Rd>
†	OU3ÏCº˜šDK®O=-BÅ;¶¥N»w*°«‹c:OŒ0ÁÝò
+B»‹w8¬,Yœ»lhgjäÛmu µH•Ö]Û­o:ï§RÁ¸ h‡fOUአôñ¨)¿@’_iY¶ù¼:áìK?Jײ𲑙™î+xa#*IbÅ°€m_[1uө‡ô5ìà½èÒ#ç7œŒyjxÂÒ˜Y{P@ÎZt‰¹¥¨ÝuˆtŒ[ðYü¶­Ê…¢¡ÞK	s€rÉ,á:Imì šy	9·ZÉÜ‹uL­C4Ù/4Œ:àÜrc^tú³.‡:q–Ó[¡XS×µX°cY?gdÕ¾lš(	±Íɪ>¦0qy×é5z!¶CÉÚäÕÛf×ù·Ëœþb{hRÈÓãéÊç÷$f³©Œµ—'¹p_jüÈ¿cøÔW9lÇ®L•&RÚ€Rÿ~C2hÊÀ‘²Qˆ¨!UáRáE/ÞBtd"^ÌÚYáƒ"hD¤ÆNÙÒ³£¤ö¼¢^<2ìÄøÚÎÜ{ƒ?G­pA
iø~‡YÐ'G®&±¤Ñƒ£ðëŒÔ” ‚‘ŸôçÌGyx}U#Ôbz…òXl¸à€pÊ	·©}Ýû³.;`œ…²®!¬¶y60¥²ì•ã¬‘¥åà+Uz°6¹a–…p½.£f½Òàú‰ÂùaF¥˜,‹~M§è>ÏK~hx¢tÊ©A KŽèJ
§nˆ‹Œ»!×àO&•§Vò‡üÞM/S |ÁäŸv=`IåQ,ø^Kt¼£Ý“ò•þÑ ™rˆ8œÂu²X—uo.Ýwý)áí¬—û¤>Œ™Ì[fðtE©¿Pš¾¿©€£ÊÕÝ‚H~ûÈf¬öµ‹…]½.¤ðÂvWnrgØÙï°j@o8Û¢­”éÕZ”¦XSQM!ˆ¨}þ
+Ô”Ÿ“¤ÉWþñ[Ä|>1ÛR×­Éܧ‘Eî>=³ðA—cTq3ÝîçC˜ß¾€l? ׎ZÇ*¥°oØ–0"Ø8ñA„ûzìÊ‘‰NM€÷ˆlÃZ™0Å1ìÿï8¦(«xןuïâ¬^„5®ryvd#@LþêêaÒÈêr’Cv²:Y¥ÑÓÛôì!b¶Ö™Ö´;Wl‰#‹¢|&5ªžÀãŽNZ=®·Î~ݯ<èîáö£w"£=r†¢õÉg*¾³DØáuçá–[ª1pëÏ	àñ3åAo?&7÷ÿº¹KVR8Äì4äAÆ—B	YiŒÊÿÄ"»‹ÑFÿc›!Y>’ØGH]Ü#R‘¶3•5üÔရ	‚jxq	{—°éÀž9=zHt2;‰cÿ<"ÍH„]B"l‘Heo Íz½O¬èËp¤ ëb|Gî!ð ‚B‚IÝ“R§âu)cŠçˆAÇ…¼#öä¾²È÷í…A&CŠÿ?°)À lØY‚U>=¶2ìVõoo ç-QýýŠ$—­Ú[9~¿º—Ž÷«V,Äî*Æî#÷¡Y5ªÀ‘ŒUAöo{ŸF´¤OR~ øñoôç. C™~ÿŒ8.ãj´¬G‹Á7›mw æÞ*ýjÇïÎáL¦’>™Iü(Eu^ õj‹Ð+ˆ;N	UJ÷k¸”=|~Ot÷Õ©wôô÷Õœ–~¦®xvpZ™`±ú‰_bÉ:®î>XjNJº‡F‚›ËÏœ@Ôá¾EÙÌCCø ˆ”ªY„iáÇ(@
±“í_·½ßf¡udÞÒÏ¢¬ÿBnÃOb€p[wÅ®.º¿x>„Ç4Ä%EŸI/Õk±T0úE…M‚SþÏ?«<–{Áö¤1—~¤1.&^(TºfçÑ’ÿýå¹èÿ6¬þ°endstream
+endobj
+1444 0 obj <<
+/Type /Page
+/Contents 1445 0 R
+/Resources 1443 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1430 0 R
+/Annots [ 1451 0 R ]
+>> endobj
+1451 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 73.4705 144.9365 85.5301]
+/Rect [55.6967 395.7911 116.59 407.8508]
 /Subtype /Link
 /A << /S /GoTo /D (view_statement_grammar) >>
 >> endobj
-1437 0 obj <<
-/D [1435 0 R /XYZ 85.0394 794.5015 null]
+1446 0 obj <<
+/D [1444 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 414 0 obj <<
-/D [1435 0 R /XYZ 85.0394 144.3392 null]
->> endobj
-1442 0 obj <<
-/D [1435 0 R /XYZ 85.0394 119.1174 null]
->> endobj
-1434 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F11 1441 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1448 0 obj <<
-/Length 2834      
-/Filter /FlateDecode
->>
-stream
-xÚ½]sÛ¸ñÝ¿Bo•g"”øâGûäÄÎU7’Új禗{ %:æ„&u"GýõÝÅ$(S¤3×éd2‹ýÂîb2ŸðÏtÈÂD$³(QL\Ï6OÁì¬ýtÁ-ÎÂ!-|¬·ë‹?¿—Ñ,aI(ÂÙúÁ£³ Žùl½ýu2Á.B0÷qõ~ùÓ?o¯.#5_/?®.Bó÷Ë¿ßÐè§Û«®n/<Ö|þîoWŸÖ7·´Zo—«k‚$ô9CôöæýÍíÍêÝÍåoëŸ/nÖ­.¾¾<¨Èï¿þ̶ öÏ“I¬gÏ0	O1{ºPZ2­¤tââîâ-AoÕl´˜¡0 CÔ	%,¡ÿS•Yýær!Ãx~¨3(5oí Ú5yUÖ8Ñóû¬¨ž/17èѼÚü1ßžî»?äE³ÈK´HÁ=)„P,’<Ù‘?œÃÇ;‹æ«8tY¬oyöl)‰é6û¢ÌË/OKúfßwE¾Éš¹}z^=dS¤u= ÖB„šEqÎœ³Dk1.œO¤¯yLòŒ§´ÙtºËØ-Û×p€§|“€)=ÁÖâpõíh¦d$û\×è"Š[öfÒ8híaÁŽ«C±¥ñþ’ÇólWí»;Oi`?¿²ý‘†xš=šeú”Ñ1©ž³E‚i)CçF$»ÏËíÀ¡F=¶ÈÏyóh¹wÙ€Ë(ͤ„ˆ%ôõ/ë’†ÒQ|ƒ³…`+uâhçü¢%Ô‘˜ˆ±PÄ.Z ›\t8Øfé¡hh’×ômÜ*™=-hÖNÊÃÓ=žŽM™}Ž‚=GÈŒÀ0’áün—mò‡#ÆäKEd YG'Gaù@Ð
-“ØÏšŠrþ6¯ÓûÂÙÎÈ_m²º6ÉaÆ=àKît<;€a°‡j<}¬óØb¡¬UÝ8ßôó €áçk€uÏËж*:áMa†fÖ8p‡8vqy½‡°FqûqqCchŸæ¹8Œ9SQè’¾è\ ÆpÛ…ý0D&Ãa¸1ÄS¬e? ^°WŸ
=	ÆüáÐ’k
-’8t±W¼©ì×_ì
‚MŒuË®“Íc^z¸tßù(nwwžMkÊ5qÌT¬ú–y¨%µŠÌm*”Ë£ø’5N¤Ïà?'Œ‡C¹ÁZë[°a·ÏŸRã89ìwUÑ㬛G‚Ø($pn¿h\„"¢l {ôù1w»€ªô“ú"Èñ…¢ÿ°£©á	ß´Ø+Á™æ§õö™ê\H*n£rˆnÀšŸE¡h_l°YŒ.±¼
æoÝS¹¸nžvÍ‘†ÿÆ—‰¾àÝ6Q[™\H-çÆþZÍëÊœ€Úg3ˈ6¢˜W‚â1Ü}¼"xZZb«;úÚ[ 2ß­eP•ÅOÎ*æ¬jË0%|š<˜’>7z)0RÒ-Ô+m¬WVû'[š@ÍqŸÑ—ƒ!¿%HQmš&Éê*§$ôê­Ä«ða\VMŸx
9ŽF¦Kl}‰€eÙdû2kþdéPplFì¥zí@­YöàոɱÏRzE™T­ÌßTt£Jf¦–„!ÆK½K7™Ý@vhû’ÖW¿\üpµ\ÑŒVë]UÖ´A’ZRù4»T%jÂ.Ý7ùf1t.‡"5Ý.ÞݱhIEº:rvƒ	:Z@«NCò„§Û­˜¤Ðù‰f·ïßѸËb»Çœv·¦çRB»B}œÂÑ¢uE[órS¶ÙZ$±'KÞ“ÖIb€/?}	d\€ž´†Õ¹(bÀÅñ¥Ì¶:hC¶”ø¼È˯c4Í#%ni.ùÜIìRíC¾wŸn¾Ú׸ž€0FôËfKF‡òkY=—/v²–GPÀý$$„´WŽÒ¦Á„Cã~ðÝfLO¦£ÃiŽu»P¦°~ºÂf
Kª°o4Û#²ïy-%ŽÍ¡ -;‡r"ÿf7âoº´!èNò˜Â©>SÚÚ.0±
ÑÃi{ŽmEÝ>Å;˸¾I­`D¹A­Mæpé›u)ߪ#wt/«PEeƒÖ_»ÓÛöÄ¢´[Š¼nú
Ò	/ëyý—sùßß"(¥G¸ð±L«wžWTqÊУ…RàÊ´ÕüÓAÍ{L…†²/L^¯}¨Y̧~¨ó±F´wX“Ú1í´?e:¬½ÏT0üQM¼^{…i2©½‡5¢½ÃšÔ~Œi§ý)Óaí}¦š{ÿÿ«­ B¦£I+xX#VpX“VcÚYá”é°|¦ûcÿ–ŸÂi‹!\–“ó°F,æ°&-6Æ´³Ø)Óa‹ùLùÿÁb<Ž˜”\[ÌÇ:o±kÊb£L[‹½`:h±Óköµ}æa„Ï«Sš{X#š;¬IÍǘvšŸ2ÖÜg³›Ñ]Å,H&u÷°FtwX“º1ít?e:¬»Ï4ù1ÝEÌT4©»‡5¢»ÃšÔ}Œi§û)ÓaÝ}¦W?¦{³Xs9¡»‡5¢»ÃšÔ}Œi§û)ÓaÝ}¦oÏêŽ×4KüÁÖt(Ý=iqÝö\u/E¯³¦Á—Vš™Ž‡ÛGCÐ_±à¨€ö¼°L«0Ó´ÑÆÝŽ†ŠN»µ¶x´Doñ´\1\ÓKï–0²‰u+ñÀ‚AjèÛ³}ÞJЬ{°Øþ5.™ÞWš“ÖîìkeEÀm'@x°àÄhoÍæçËÛ˜Qº:3JkFóð£çk<=Ë[å}¾|Äj	:-[LOV×e¾¡ñ±:¸V¶ìáž¼Bx/l½žØuÂ-¢UÅ@…,z¦Áf÷{ú´+²ó½-ö	ƒáÿíéþá?`ëÂ[Á…Çb8ÐD„?T+Z<
-^þ|iÿÒí¥èÿM» endstream
-endobj
-1447 0 obj <<
-/Type /Page
-/Contents 1448 0 R
-/Resources 1446 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1427 0 R
->> endobj
-1449 0 obj <<
-/D [1447 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-418 0 obj <<
-/D [1447 0 R /XYZ 56.6929 502.1235 null]
+/D [1444 0 R /XYZ 56.6929 468.5048 null]
 >> endobj
 1450 0 obj <<
-/D [1447 0 R /XYZ 56.6929 472.2328 null]
+/D [1444 0 R /XYZ 56.6929 442.1853 null]
 >> endobj
-1446 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F14 765 0 R >>
+418 0 obj <<
+/D [1444 0 R /XYZ 56.6929 122.2539 null]
+>> endobj
+1452 0 obj <<
+/D [1444 0 R /XYZ 56.6929 93.4835 null]
+>> endobj
+1443 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F11 1449 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1453 0 obj <<
-/Length 3264      
+1456 0 obj <<
+/Length 2497      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZÝsÛ6÷_¡éËQ3%IÌ=¥ÓúæšÜ9¾éCÛš¢,ÎI¤"’vÔ¿þv±~È´“^'3°X‹Å~ü´\	ø'W™‰„²z•Z!ͪ8\‰ÕŒýx%™'ôLá”ëû»«ïÞ©te#›ÄÉên;Y+‹D–ÉÕÝæ×à‡ŸÞüëîúvÆFI´M"‚ïoÞ¿%Š¥Ÿ>¼wóãn߬SÜÝ|xOäÛëw×·×ï¸^‡23æǼÂÞÝüóšZ?Þ¾ùùç7·ëßïþqu}7œez^)äÓÕ¯¿‹ÕŽý+)›™ÕtD$­W‡+mTd´Rž²¿úxõïaÁɨ›º¤?£²Èdqº @-'
-”&‰ÒT€t:’4%
nª6¿ß—ay8vçð¦.×a"DðMôÍßñxß½‹Õd‘0•Qª`×h:ÍÜ7[ЊM‚sÓS#?­e”Ôé×2h«úzÝŽÉùfC\mK„S^?”Ü.šÇ’F7DØq÷Ûu¨D:îÔîš~Ï<ùžxòÍ	&Øå¼
Àš-ð Ó½fòÁ±Aµ¡”‘5&vGœH‹ó”Ñ$6ú¶»IbÜÔD9žò¢«Š’zÝ®â)ùñXæ'ît
ýÖMG{ÇoHEH(ò–[OU·£Ö!¯ÏÔúÔƒØ^˜ûÒ€86åtóüLtõU½=åmwZgA_týpg)ÜWyBeQgÛœ¨Q燒iUM¿°tëçá¢ó¢lA*UÁdžè$ñtÒ´ã§çÜjóâTý&D\Tù~Aˆ§r*_]–g¸F³ta¨LôÔMyÜ7gÇ=Ôþ»¼®Ë=wÌ‹=Ssßä<%Ê™¶u4‡‹Y/©†øÑKq"1"2±üº@!ãÈZ£—œ>ƒP‘êøåµhž€µ¸égÌ—²Itr9㎷++¢TB NTÅVX§÷÷“ a@yà”*ÉÇðÜ¡Ç×—š5µÑŒU,‹[¯>­d$´µŠ˜&mwÖQŽðÝÍ!^½màD«É¡üÂátew¨$žÉ8ê$u‹Ì’§Ü¹»N³àT’qÚà˜ŸÊº#*\3†¥àq›€-6¶k ‘ëØÑO²àµ4‡œì#p¹`¼ŽÁü˜7ßï©áÂ31ùù4Ð×›òDÍÜ|43Ó¹ÅØìL½ù)9ÑÁ»á <Ç5XØjšni	P,ò-¥‘ÉÿÒÙ2ˆ](D_í»Ðò§HÜ’@ž~G+ƒžªA]õ\ õ[¿ItUðÒ öwaå	¼~ßÎù7eyôŠ®êQáÔ8•å ßÔœµ…T«µšºÒ_óNŒÆ‚ý†#&øk±#Ô‘Í …±Šl*âe”&"a2„öO3=¹€Ò.¼!Â/5$µŽ2©“ÕtÝg»\ÛOá‰Ô6J­±óý?Ë¢ÚbÚT6xr)[,kcjãqgDØ¢lMm¼rü¥Ü
-ó`C5æ¤|üðf:T4î—]Å›66AÄ	
-M;T6Ê ºÍ-¼&Å\ÓrbÁa¶,7ß騾HL¸þßx[ì$Ðò)ðËæyŠâû6BX4úF1ázÅ(<×hESwˆžY…âøKÛ\ûϬÂè(—V1ˆ¬Ž—È‘Ym@fµez0lû€ÅQQ_˜9³‡F³ÀA‚V08D<=˜…–z00ÿ8QzØÿœYüÇ:Âÿþ/3Ð&ƒâ!6¯›Á”ëe3¸F3pg1jïËg¶BèZ¿.ÃÀµ ÄÌ2e™IçR\ÓÎNîJ9ReÄ(ÐkË_û—»/¾?{¸¹Íû}7jŸéùÒ9_QvœEY¬Ó/({ÂõŠ²=×ÅÞ3e›(Ö"y]†kAˆ¹²8¨´s)ÞŠUXlªÇjÓ;0}¯_húšô´‰~•ñôQ¿ÈDlÜ\å‚ŠƒæØAR55u‹¼¦	÷œÂÄMÍEô8]ߨŽÞ2ºêP¿¸üÍŠ”¤T¤d¦ÜjøÈ “HfëP
-¨³ßl6Uål_Ë¢#ñá"/vX×=¯ÃÅpñU#@UÚ`:,§´†ÇËá`˹
-:AdÙ6ÄR€mÃÑž@f:’q¦·çnú‚,1ä¬4µÌÆë»’ªi—ªîÊ‹Å’Ѐ+RTŽT_=òQ:ÏÁ…÷±©[$¶¥8ÒÅÅRGB’ŸÝTžEI ¹Á'ŠlxŠEë°YðEHCÝy·‘‰Q}8£àÛp#ÈÙR“Ý™îdúñ™CøS#1ç5Gµ¸ívÍ©‹¾[Âñ‰Æ)çhLïÒàDXÄ4F°:”f Q‚Äœ×íSÉÔÛۈô›äÝ‚I€wDà æK&¡Àȵ̘͹
-̲M
’Œj…¡C‰¥yÕ‰|±éô^ÝešÙCܼÞÌ3¢{\ÁÑ>ï.Ÿ¸ôöýG~Jx~èk§á±é,ž„š:²JíÄ󦦣à–7{µ2=ýàø¿¨MvŸÚK»G‚õÀ@ݽbÿ7aDù¹(ÝÅÔÛÛ¶ìxüÆ¥ØpúËo]£]©!†¸˜‹VVù¾Ü7O tipßw4ÀaõÂ¥q„t­.])äÒÞcar‹öPÓ›P^wûóZJéjRa‚Þ‹"»Á"·«Š~ŸŸ€oáLPÜÁŽ[<Écé!_Éèíh–KÓ¢kìùbµæ~ßV]î×1£…Àð€çr®^¹ÖÖþ¥+ÃWI^›Æ€´)÷åCŽJæ!zïÃ!Ç´
ö=Û-Üõ¢AºÇÈT÷O]o‘|ßå³°Ý HŸ«C ÎìJ0¹ÏÙ ÇW1ìÍòOjÈvà"ÉŒw0-p´ëÆü&çùmÙ$Ãí©9„/Å)t”hås=
^¦µ8J¤õ±©n––1‘1Ù4|)k€Ão\¼×Ê=m;ýX¯Fà,ú1;%Yç	{§³œcp7Û¥«á›~1À*¨‡…OÍQ¬q…*Ȉ‰x;Ç2C‚!¨Ë4¿!í„Tµ³‚‘ðÂ;è,~ú××¼Ëó·Ìð±jú–:Ü6àìùƒ^R’T"²:V_‘…b%âiR‰÷DhUüKwõ©¯8,õл\‰­fD—˜¢ ¦òwå?kàšcnƒž“lÇtÊDE2½¼œ»]ß"zQa„N„ÿð,ÀÐÜ;“!­ŸV€·Ö9¿O85⨗‰PÚ7eByÓ1¹Ã»5†Ã»	û*@Œß."”áf·•DÆÊø+.+1’¹FàÞ×
-—îùÁÍ#|êÝóËèËáD²Ï´1©7/dI’H­^"2Ò‰0¯FA˯‘ƒÞð›1½YZÆáH96m[Ý/–
Ÿix¥˜¼ðB
-´øÍï€úãÑC•}u¨.œ|°[sqïΧ}Õ›O¼÷þì_–µ¥iùç5ÛV,é5UP”štÐê$“Xõ2œš€Êö#BƒÖ ò™UQö…þ¡ªÉ?õ$ÿÓ­4 Cˆ‰hsÀäPï;à—9D2^:'¿¬
„ün.!‘¦ï
4JS•}]©•
¥Öó…ŸËÄç¿â\ì«bi,2pf›"a)ÀïfB=c
-4¡1Køb
-{qWz*÷û9…æãC;×!nÐ…(l0Ê:kr‡7VÚ‹°ƒ¸	U«à§æ	?óâw{W$¹mjHfjH0‚Hó³‹þÆ°\Xƒ€£»ãqæ©íÆ5K®
#Gàñfü«ßtrÑZÉ퇣‘Q©ãQGlUÐÒc¥}fÁVû"ÔÒWfüý¯«°å¬×ï‹¢,]
ì§MÓNËí^\6{þ~¯)ÎŒòè!ûÑ/¢¼Ó	¦„ÍiCŸ	.lVgPS ßÍÁ4èáC&3W2¥G&þã;Pü‡6¤Þó,Šd,J©`73¤xx'©|ÅI|“ØtZ¦ÞœçÖ†ýÑë|d;ög™Ç—˜3ýCSû–{®ê–z9ý´‡œ<*
êþpOćXÐ3;ˆìU)	¿ü'¸vNÍ€ƒÝ×mº/ý.\ýMÚU€,™þ˜a†/]Ëc˜Yáî1½¼»E8yç—Ü6{¨J‡õü3@θ¶?rŸ}^lŽ¾ðzá™`!ñÁÞBªôÏ…ëÿ@™ÿÆgá¥UßÛÿòŸŸõ¡ÄPY/?Ù*‘DY…‚§òRòáoŽž‹þ?­¿šendstream
+xÚ½Z_oÛ8ϧ0öåd fEQ”¨»§´Iz^lÓ^šØîƒjËPEr-¹Ù짿)Q²,µWà´
‡œù
‡fd¾ðá/”d¾HÂEœ„Lú\.6þâ3´½¹àFfe…V®Ô«û‹—7"^$,‰‚hq¿sÆRÌWŠ/î·¿{¯ÿyùþþún¹
+¤ïEl¹’‘ï½Zß^'¡Çëw·7ë7ÿ¾»\Æ¡w¿~wKì»ë›ë»ëÛ××ËW’CÿÀŒp¦ÃÍú·k¢ÞÜ]¾}{y·üãþ׋ëû‹‹—û|½øý±Ø¿^øL$J.žàÅgfõ>Ýd¦Ã̚㡤öÛÿ\½{{¹¾¥7j­÷UYS«¢ŽÎ˜_Ù!Ïj˜
á‡Þº$}zhòÍ
+ÈWœ³DÊ@Ã8éçêHª *–­Ñ@—21F‹_#oW™évk&kµÓŒê‘Þîn^Sžpeú”Û^›ô„>BQ‘wÿ=±¢®¨k^nŠã6ƒE‹``±à=‹¡,þúý·ˆXEµ¡	å.jûèK_·ÏF¢®óÏe¶…Ž>Q;÷Š¼ü25fV›.Í’{Öb×j?˜4Z¼ŸÒÍZN}‘¡y3PÇòKY=•'=Y«âÛµŠ[pŽï)/
+¢Ò¦É÷
½èèƒç6k²Ãc^fôšïðz)½~:æE³ÊKzû«²biAÚÓí31²?󺩉Ös‚c™÷tÓäßLGœ
+MìnLüôÜS
+“ú”jíª*aªF"Ä‘ÉËÏä“m¶å6yUâ|R\)½#òÐÙ •pÆB«?ú<*å~ÂxZk+uª¶·sè0ê«õÙúvuyuuÇ.ïÞ/“À»<‹\8d<ƒÜ‘š@n¥æ‘OiuÕŽ#wÕò þ~ì\°8ásØ©	ìVjû”VûPí8vWm á¢%ß_âÅBÅ3ø]©óø[©Yü“Z;ü'jGñ÷Ô¯=Á÷ãᆣÄ~Gj¿•šÇ?¥ÕÁ?T;ŽßUHÉÜß툛nÂ3~p¤&ü`¥æý0¥ÕñÃPí¸\µ>û¹¿õûhÞgB2Ë9Ÿ9R>³Ró>›Òêøl¨vÜg®Zþÿð—,ŽùœÏ©	ŸY©yŸMiu|6T;î3Wí»A¼ß…=L"Ø›ãì®Ôyì­Ô,öI­öµ£Ø{j»þôqÄd$æÐ;Rè­Ô<ú)­ú¡Úqô®ÚäÇÐËîØI2ƒÞ‘š@o¥æÑOiuÐÕŽ£wÕ^þz3!åzGj½•šG?¥ÕA?T;ŽÞUûê,úÅ*€qý(ê%.×&á²MF8de”ÿΚ&ýT˜7	ñÐd«Àø–gODµf‚O'sÔq¿'2¤DÔt­ÜŽš «
k}ˈ¸ÊkÔ¿%‰lÄbÙZ<’7„„|î!;ä	rx§¾Õ³ÈšštN,t¥u°;¿@[YsÛ™\k4Xó€[ï³MŽ¥'«[»QØB
0Œ…q£®Iï§ÏèÁú«'Ü©ž`’Ù¢Í=[múù‚èçêhSܲ';(NÏl:ÝåÊ6Cn
 45T½Á,øÏôq_d:é}yr'°cÎbApaM“hŒYi÷®HmäûÞ/ì—нµ±êANZ£’È@MÜéL¤w¬©ª|€½b
0iù93t¿¦+/pîâNMýP#Ó¯¢€Ú‡ô›QÖ/|%]üX]=ûF}PÂ2$8bÝbB—‘³?`‘«jøÖ<䦬Ó,=˜\©øÔõ$>iy·ÈÀŠQOyó@ÔcZ>eª›¶¯F@ÛÌÕ ÏaÊËÝ!­›ÃRyÇMsl',æNí^LÓT‰Ôåx¶%Rè³_r¸¸¾bá}¨ˆO»vàÛ=5Tn¹S@ñ”¹ö•Y¶Õ¡cT£UÁÌV±öEõlW¥Þq!>¤e™ƒe…5Õ£¢JM—ô)54‚ëeÀDè¥ùÈ×ÁV
+gˆ.´žÜÛÃ)WmwÜÓ{»•Qß»·‡	‹!]éëÿ€7Ä›"ñžô‘ƒ”1HÓx´™vDHÑiM4N9>él¢û>‰gr>¼»t›6}O!ž>C‘0¡¤¾ƒà§bˆ ¸?é;ï‹ö8*Žÿ7Óðõ?ÜØ#î/ÛÓ#ÊÌ7÷SBŠ™ p¤&‚ÂJuA±©Êo'Q‘° ˜SßJèïE…Yà
h£÷ Š
+Üp¬EšmÜlã6¶a´Ý°Ì®Â›tXtM]X`#]­T—yiÃ"„„̆„‰ðgÂâc9*þ÷?…A$aûâÓAÐÉœ#Ó€F»ÂýºÈN¢ Žàz†SÚ[™õ½Pœ)%cWÿuÙ¥`6sêåe©õÐð«"ž‹pF¼z¶WÌ]z,šÎ㆟ºWAB¸={’á4F úíë§âVܘP*÷–ð#¦ð°2F¡·b>´¼ýÁÈ©éÿÿbtendstream
 endobj
-1452 0 obj <<
+1455 0 obj <<
 /Type /Page
-/Contents 1453 0 R
-/Resources 1451 0 R
+/Contents 1456 0 R
+/Resources 1454 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1427 0 R
->> endobj
-1454 0 obj <<
-/D [1452 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-422 0 obj <<
-/D [1452 0 R /XYZ 85.0394 398.7344 null]
->> endobj
-1030 0 obj <<
-/D [1452 0 R /XYZ 85.0394 373.8645 null]
->> endobj
-1451 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F62 1095 0 R /F21 738 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
+/Parent 1430 0 R
 >> endobj
 1457 0 obj <<
-/Length 3454      
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[wÛ6~÷¯ÐéKås"„¸$›½7u²î&i×qwÚ>ÐmsC‘ªHYv÷ìßÌ€%*Î6±p!.ƒÁ\¾HN"ø—“Ø
-›©l’dFÄ‘Œ'óåI4¹…o¯O$™ùA³pÔ·W'Ï_éd’‰Ì*;¹º	ÖJE”¦rrµøyj…§°B4}ùûW¯º<;MÌôêâ‡w§3GÓWoΩöúòìíÛ³ËÓ™Lc9}ù·³¯Î/é“å5¾½x÷õdTYôòüÕùåù»—秿^}r~ÕŸ%<¯Œ4ä·“Ÿ&8ö÷'‘ÐYO¶Ðˆ„Ì25Yž˜X‹Øhí{ª“÷'ÿè¾º©cü3q*be,pR‹TgÉ8—¥H¤„A‰‰„µ2í¹¬ä—ý(är>ÏçwŬ¨óëªØ?³T@›2r.|°}?jdì/U,t›!7¸ë©™6¶°<Žx,Z2X͈Ìè”Ç<£ÛË‹²+›:¯¨ÝslROZÖ·Ô([*éà-£éÕ]AÝ‹â&ßT5îójSôÓ©UVŠTšŒi©›1r¥€šæ!â@ºø
-“(‰¶ê‰{F}äžý¨àžçU‘×À„YYwÅvpå6:NÔÇ)éG28u¢„Ö ÜZˆË*ƒëYßkªo˪¢ÚúT¦ÓbÙÜûQ]^aUÓroQwë²hñⵞ^çm± ̹|sùMÆäÕm³.»»å3<ÿd–E@]
-v
-®)‹c"³ÚG¯[¤‘‰ù*?ÆØP"UÒÏ\–õ¦+Z=•eÌiÑ“	‰)tÚˆÚÃ9 ;îk[ð𮡎Ù¢Š¢k¯ŠuÙ,Ê9ò´ÒÙ¥ÎP4ýÙÉøòm€Ä7óùf6ò¨ÌÚT1"“x\fÃQÇe¶å”?̘½mùûˆu™Réô£F(\Ž6¤tw+:ÒHK¹Ü,©‘/›MÝQ½¹á ± .®^ÖT^?Â]QoËMËÞ4kþâ·ðÚ¼þšgÑéá¶Í¦ÿº+êÝwwऌÌPn=u*6Ž:,y—S­¬©ìÈÔÞƒê¤zØný¨’kU¹,;gfãÝÜ^¡îEÆ|Qxâ–ä­no©Ù¶å}Q=ò"ß+ïv´áù¢¡P:p„dó­@À¹£x˜Å‚
¹™^ÔÔS±£SÝõ.AÍÊ•³-к/‹­3'0†(Ã-óÕª*‰/¸à*_çŸA‘âA?qÇU…—08
›Àþv>ÍÔô£NÈ{#E‚ë•Š-Š´oÇÌN"2­ÒÐõìißL‚ÌK’h+â4S=“°«(ÈÔ€m«™žWe†Ž­ÈÞŽpR0’ÆƉ[‡°—Ë“Q±rRÐÜ—§P'%€OùuY•Ý#5œÒ@ùK)ÜÆ6›Žº¿{÷ž*,T«¦niÁdzC[,iJñ³*Ì#±às8]^:»èæÌ‹5¶Ç®®{\9AH,)X’xƒ§`P’(À§¼n·Nøë	ÞtšM߯Šy‰‡›çHܦ2)XŽÆÏs^Žøo˜Î‹.^•hÀ/Q1M¼ÙüA·¤4|N
-¹àYåͱðÎÆ4Y¼ ©éÅ÷†jnGê±Tès¬‚®eÞ9‰¼~Aåì@="Øà´D+©p5<éžÐ22µvk%"›ÙOAåJdišŽcòY¿â,\Òy‹}  B&q¼Û™žpŸH“"Ú•_H¿âSD‚óµ\ڀȪl»pž)í±‰k¾¨Qd£Þê,ŠúqÆB7>ãËEí@{"L*“¡B5+Ö
-fæECFepñ©ý$)ÌLâép—p®õŽ5;ˆ;”ËŒ˜é…1᪛ݬŒìd„Ò½,¢ é“á6»kj—Úk,ö²HA­×Hl0’1Äh&¶ªhú5óO)8f,÷Î|Žô:ã`“r›)9z£H3
Ç
رCGØ‚X°#J§oÊŶl‹g4§ÜŸëTÙAÍk•óŠ;Ùíï}8ë!CFÃï QH„5GLŠQ"ÖÖü!“¢n^€QäÄú8ÁŠ|õ„B0üZ<äKˆ˜¾-©ìØßÑ̸1§bÞ,ÙWXfŒˆ(~ÀÕÇ ¶NœS
¯þÿ8/hÈm/¶‡º6óCfR²ÂCÑo·‚ωù°QïÇ°úðð00ŠëiÉØ-I·ÞmÖµ;3ל‡ã”[ϸ×\bÎdQk¸æÀÇ+‚è%)8ˆíL|Ä"ƒKmŸ<‚%˜,+£3)L¢>ß&÷+ÎÂ%m2f#2 p·óQÜñŽø‚4ò‚O‘h5„nQ:$ñ˜Û°BÇñ5†W³ $ü#¨Q‚Ç‹#›ô¸¡2è©«Ç9ˆö$‰7'åꕃÝP2ý‚"Яøu®6ÒüuñÒSüÍëÅX ZÊôèQ
ð¨/)íýŠOŸ/Œ´{G]­‹›òaä°€µŒ¼iËñB4‘ˆ4¾1„VsIyÌ›MõÂÛ1YHŒ°ê™ø¡x> endobj
+1454 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F14 765 0 R /F41 969 0 R /F62 1100 0 R /F21 738 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1460 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 268.4593 65.4379 278.099]
-/Subtype/Link/A<>
->> endobj
-1458 0 obj <<
-/D [1456 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-426 0 obj <<
-/D [1456 0 R /XYZ 56.6929 601.2567 null]
->> endobj
-1459 0 obj <<
-/D [1456 0 R /XYZ 56.6929 572.3004 null]
->> endobj
-1455 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F11 1441 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1463 0 obj <<
-/Length 2628      
+/Length 3719      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sÛ6òÝ¿BôM…ÁÉSšØ=w®NÏqŸO†"!‰ŠTù!Ù½ë¿]ì‚¢dº±/ÓÑÅb±ßÀ®¼™?o+áÊ$˜EI ”ë©Y¶9sg+XûéÌcœ¹Eš±~¼={s)£Y"’Ðg·Ë­X¸qìÍnó;çý?ßýz{qs>÷•ë„â|®B×ùñêúAú¼ÿx}yõÓo7ïΣÀ¹½úxMà›‹Ë‹›‹ë÷çs/Vì÷™Â3.¯þuA£ŸnÞýòË»›óûÛŸÏ.nYÆòz®DA~?»»wg9ˆýó™+d«Ù&®ð’ÄŸmÎ%…
-¤´òìÓÙ¿‚£U³uJJÆBÅ~4¡@_N)P%"”°„
-,:ȗξ(K-4}Ó,ÓÛNç8ó¶¨2^èÖ<¨÷•nhX¥~öý`¿ßŸ'¾#ôCºÙ–ZTºC0!lÒ.[ëö@tœz#N¥¯„ÉäCõr2_6õ†‘Çb©P*T·Ô]u? ùØ0ƒLÌqßl.cODì2÷<‘(å›-#…Ása=‘'C³~]wš¬Þ­STWÀ¨h	f¾©êŽÍ¹;:-ËGZH+‚§]—f_i\W–Sþpý‰ [£Q€´|Qz®sŸË43b>4ò„…uQ­¸7µ™âîšéZvH5nª´4Ʊ’4CV•]_eœç›t»E×@­ÎcÝ74BzE5¢mð®~¥Õ4ωû¶%@ÝB^oÒ¢"˜=Z9KdÃŒ¬™£1\ßÖpZÒwWhrÀóyÎU7%ܦX­Ñda®Þõl°0¡è–Þ¹	€%¥y©WEW€CÛ}³­[VŠ¤ÓöÙšé·´÷ÇN®ýj¶B‡Êy×2A²žÀò Æ»
-?’ˆ’á	ÃÀÂE²ZÃAV7¤û¬#ŠaX1L'”`j|
-ÖÉ­‚µÅ¢Ô¼­!h^›HFƒÕLq“~åÃZ]µŒ>bðu7½_kãÈc¥ƒ~Sñ™`Ï	ѸÑA%Ò
ÃÛçƹ`Ýð‡€}QBÀx“ Ñ-(w®E•Ã9ìÉ€cCÑ6}Ë„·
ÛèF8]0¶
-Ê
f™Çä”ȵ*ð«,²´+Lšˆ†¼£¾%}°‰u]’U\ãž°R¦æè•&h[täšÊY×{½Ù=d»» ÓG,˜|^,‘Èg×õ³þˆv'‹ºcñøps‘Æà1®:‘=åX¬áž1Q!Á/âé%äˆDvýÃȱ˜Oƒ¶®(°cb¾k]ni!
-"Ù(­xä`ÃYZ@W»‚³)Þ-oQ¼56aLŠ”qÅ9Åh±Í =¦+ŠL«>øöME£‚KF÷¾*M†D¤VvAf˜€™|Ûáö:Ý1¨âãjqž“­ë"³WåtèÁÉÅŸ“P‘“®;{3ñœ/ÃáÚ¡ËÁì™~ò¾}eíºî˜ƆmÓ¦+²üÛè $Š†à¯æKZ€Á>5ùD±ÒáÛ·LÈ^ã ˜-‡Œ™io|SiƳÙÇž	obsW˜<Úi?¡#S¤^슺oéÍðôÅ 
àöí;ZߤcžR€)¾Ú—ÿµôè(;£×G`,Tù팮˜×î„´µyí©Ä¾û`DºMì­§ìÃ'ËŽj’¡sY‚j#ˆðU›oÞëà}0l³ÆKŽ_†	¸‰}âVËË‚ÝsÒ³-ë>j¨îwžpÈ\+/‚2ÂuñåÖìì+îSц.4,štwQÆO^ Þ¤T+L#zÅö
-x÷fÛèeñPêêžþc„ð¥H¼Ó7ía,êUßÒðQ·_êæ&œ¾¥Ïý”xó¶1it^<,›WÐðÆ4ý{¯Ûîµ4ŽøÐyÕ~ÏÞyŸoçmñ‡&PÕoVµ/`“>¼šÀ]“VíR7íwížCRÚ`VEàgW¹4ª+=„½¥ø_ËtõÈðvØâúWBÕ­õ1ói;
-×»çW„÷죾^Ò®ŠL$-¶	+!’ð¢DHxÉ%’‚æfI‰$‚°Á²ßm릢
-'÷üa7@HØô>ç»pÌjø”Õ$~hôo`Õw¥ðe”LšÞ¼Åòñe
-
#!#?`.Õ)—j6‚¿^¡‘2H’I…qùmulówX>ñ„oz)ŒB*kŽµÉÈ£¹{Žƒ“÷˜{ß÷à¢pÃ	îí“ì[ö‚D2	'­}ðˆ…˜èI׌7aiKtÒÔ÷§Ž—ßSÁ755XôõÊ’	vÑ‚g•å½JYþ÷+ëåö:QÜí^û“vƒ×èÜ(Ÿoëº<¹í^<÷Ïqttß¼ž„y~îÒòY*szxÇ2ýùö™ç’’Âõýøð\Š¿ý\ú ±ð«
-û4w¹PÁo-ÔRÝÀ“wÔídÑ‹ECºã·ÖSZ~"Â(ñ-Úˆ7*:âͼæ]¬¦Ò&ÍðUÛBiÂ@ó&v¹noÚ¶uV¤ÔTu©˜àúÐëtC
G×·ÏkXa&¡`Çb?‘ÎÕòh'Õ½†§Ú…7Ô}+8ÁX+ˆ…TI4QËI ¾ÕY{uŽ¥†TX¢Ê¥o¸õL#†Øf3»O-¡YRY½ãædn:*ó‘
-péqu	ƒMM“£“3"3x’*SªÔ$÷D4ŸAôWTAå\&Ãæ¿è™®+á[gƒ2îé;Ü4‰Â„mŽúÏË©Æ3Ô¬‘²¨‚“$ŒHŸ•´Ï¸a‚Mýà[n(±÷ynI®l°#—e¦Â†aÊkCׯ«·)õN—Œ¿%äÝÏПË8±\=ÏŸ¹yª=Ù’ÒTØÞѦú?7å}Âv+âH½Äx~à=9¾ýK_Š
…­ÈºåãÑ×-´&ûpLR¥Bì[=2R½“…ù-£Dì¼k“±¤+ýŒÑbUÕ‡¨
"×XÀ ®€l‚Gãä 6Ä€rlB?QÉ3V/ÐO˜Äþ”~¤‘lxÈ‘l§gy<Úÿÿ=kBwr·üßdH '5A®—i_vÓ,£Â@Q'
-¦hÒΨ«+ƒÐèãìs›qlÚÛð];jyÃØôMpÿ"Íù€´KQsa%`óuÀ,:ú¦L…û8¤?þpÄWÈÎD’]öiNäT|,P:Ʀ_Í	µã¿¬nmÆeõнÍÄËÉÂÿ1݈íCüü”õÿIH8endstream
+xÚ­ZKsÛF¾ëWè¶P•9;oµ'Å‘¥b;++•C’DB6 Á då×o÷t(Ù›•˜÷ôL¿¾î¡:•ð¯N>×ùiš[á¤r§Ëõ‰<½ƒ¾ïNYÄA‹ñ¨o®OþùΤ§¹È½ö§×·£µ2!³L^¯~M¼ÐâVÉÛÞ]~÷óÕùYj“ëËÎÚÉäÝåTúîêüýûó«³…ÊœJÞ~þÓõÅuy^ã›ËßRKNŸ#‹^]¼»¸ºøðöâì÷ëN.®û³ŒÏ«¤ÁƒüyòëïòtÇþáD
+“gîô*R¨<קëëŒpÖ˜ØRŸ|:ùw¿à¨7L»?ë2á´õp“ZdRÏ_²©R0&µ
+ḣKÖjî’ã(¼äUÕ7u¹(×ÛîiñW³)Ï­¬YnÕéxõg4ô£fˆ0#"›¥ÎN©ø–¨•T›UõP­öEMõ@‘¾j¤M¾á¶Uy[ìëî
Ö\²Á„öbw¦²„+|ÌU˜k’ëûªÅ4Ûî¶l6T]špîN#…N°R"wNrÛm¹¬~“R—+š5PmàÖUk¤æp`¡­È¥N-ŒT¶—så…Ê@|¥”ÉùjUu@Q8?,÷©\vD Jm±¼¯6w¼øøf%-oyÕë{ ÆX—£åŒµI—ÃÎ%,WÂÕŸ%EÝ64dYÔpW3PȾÎ,l†{aú-:&§ãõñÊAÚ¥ÚtåŽÉbJ¨£k¨©Zo›>JGkÛm³i¹k[în›Ð¼ Æie…”^O9·.6KäRš'Í-|³Þ0@KŽÒ‘gÉ/÷å†úðî@4]7)º‘í  î5‘‰WVE‘ê‡3m£C%õB׺\Þ›ª]_LA‡”™ò50ÓM¬üúÖÑ°%|7MG¢ºè¢‡ëÄï=+ò·>Qa È¡ìÂ=Aùv¿	7,zöuFg¨±"àì ycÑ1ÀåUS¶Ô¨ýpè»’Ê$÷P8{ X4ðë¿I'ËÏËrÛL½ºjËŽ7!EY•;"€•§wÄ»CA›È•émH°¹(e%5ß”uó¨Ð‘&7ûŽ:ج¨4öÐ]›C•ÆR騱0¹E
»ÛË+võÓ™R*	6Ý%—¼Yv°Å®«–ûºØÁ¸É™HdÊ[ÜñOˆÉlòÈŠï¢A[N
Ųk©¡h¹eÃõ}:ZuE\Ç
ݤh8Žúþ"•YR¨Ðv_ðÚpØ'jZ•uyWà%s×cÕÝSW4s »zÏr¼>È4Œ¸²gþS5Ø[l¾éŠŠ‡°Ü IŸ«õ~M•	K°aÄÏ5É 4ÞRÏ™øŸÔ‘ì#I\T+±·ëÿ¦¦þm|ÚaÙÅí®Y/ŽÙ%­ðÖälxà¬3nM¯òh›6ÍÜ2N8—Í—Éí²YÃáWÁÞ[ÀmE÷“Çk„‘ËýŽ‡Kʃ&ÔáÎ
+¶	0´pÆÀZà ÏÓW
¬âRÆ%wÁ¢Ë	È@x©ÝTµD'Òâ„´cRm‚
ÇÛOn[]1k-?pó †U³o©‚ÀmõÊ^ÜÅî¹KRFôÑæ¼6£G^–dM„RÅ_âÕŸûŠÍµ®÷ÁWb©Ð%º(¨?Qé{X”	ù6¨ÊV|¸þ.Ê¡Ò9šAܾEô ¢Bíùr{æ kª¾w+.ºh®uAï=»Fìôc#8”vˆ›„Ò“ßƒÂáÃýáð} Æ7³¥ç„[^¸\é/`–wŠG
0PRÆ<×MI
áSíæ‰z›È>³ù”ˆ·Z¼VZó¢QÂzé^´"óhW¤ Áq¥„8[¶MÛVA-À<F·OÜÈ\`.\v(@ûí6B•ºZWJÞË­;à{Ðé†'#í½áÑûvþV5„wΙV|^ðͶÕ_s÷š!Kû¡³@ ã|n¦Þë|„·ôð
šèY
y_¨¯«
é§ùꢕzDâ1QÛ0”Áûöøe
+‘\¤ŽÁÉ/gL~w¿˜sÜ;›P‘¦&ûÚPëùB€Ï•þoù´¬«åÜ:˜h01²#™“
€ïf¦ &X Ã…‰Ã—cØ‹¼ÒcY×Óš¯d‡„Î`¢°À(ë©_“ã¼L‰,WzÀMxõÚ$ß7%¢1€"!$ð¾m,Hn,HЃHós°þ.
+9×ÇÀãaæ®í†5KŽ#GšXÙF› ‘‹Y“)ÏÇ8…ŒBˆ:tn’¶X—Ôt@sncš[2¡ðý#D
X
+Òëï—˲1pœ6v;-oLmw”qYÕeÛò¦·zloŽcï«(o·ƒ)‹f‡’ø\fm1eÊ0Ñ¢A‰å'
+nTJ1ŽBÇÄZûìëµÞð,²$,Ƙä~">Øá¢ð'1'±´J£8O¥
ëƒ:ਧ-Ëq<ËäøèWë ò@þ&–0 ÞR­ O».H£Òd³_ßñ¡%ô<DÖª”ˆ…/Åaí¢-y$Šò—l­Ë¸GãÅï+@3’Œ{ ÆCÕŠf¸GC™·åý,œ¼ŽKÞ65D¥ýz1
P0®Ý¯×EôÑ/6ÛxIÌ8>Ø[*“~¹Ï’ÌœÊ56‡Â+éÞÑ ãÙÞ8häLò¼Z
+p¼êŽûAÏ7Ÿàí;ÙýrNßs¡¼‹pá	X=š0«iFÉÄWã“Iº&2œsr‚œL/œ>¦ÊCÑÇÐU;ÇeÞFÙük0Þ1+¼É—Y<õ㨓—u	pys·áì¿}*yé—)éGÍ29uª…1™›ÒB·¬ó!#¢û짎!Ìš’A8ª+è`ˆ¡bä]|ë{FcE”ØäÌ)|¼ú™&Æõ†û5…'‹\
+Up
üÓ,»E&í4µ9±Ïd@Ã%¨8|ʾ:g¥Á¢ž ˆ)4zIõéœË[ê%À€Ž£¡‰×¢-Šb¨ܯš ¼0*ÒÊ1¦ÉQ4§ggn Õ[.÷ÁÏ•Y
QÔ.{YfÇ£ŽËl?êHœ05M`Etö
+ý¨
+&Ì1V¤2? `ƒ4£„TŠu³(“+5C´eòq •O¹MCÙ4øî[^²‰ÙôÚwýžE§n[ŸóDœxçŒPJÚƒS‡À‘|—
9*U›	¤´£@.Â8¬÷è¶âRß
+íçIï9B)ÈGÜêîŽb‘BýÄ‹4q¯¢h›A}¬ªØ|ëèýU‚Ùírņ܆œ&6ôèÔ1e
+­ã÷9•g¢üû9³Ãøgäz_ •³àqå‘'ÈœŸ ßöOEøÌ^Õ²W)mŽÀ6§OÌW« *‹¸àãMUS<Çæ¿6Õ” Ây{†î!‘ˆ…IôAM£l3ö}îÇóH,xÃXzü€9Ërß3¬|!õ¤`i,%¨_…4^ÐR?Žÿ³<ù_Œ	Ðã³Ex40¦>&´bêñ?”—HÛ^T%€þœiâÍÎá‘7͈YiÂÒ<«º= úiàlN¯xEJêäò§K¥°#µx*èWMЃÄ˨_P¸;°™lpZB:!®†'=ðF9¡2ïæBÊT}ÉÏ/´È3Œç~|±èW\Œ—ÞbBˆP©sÃÎä°:Ši&DBç½RÿG"㊯	Î×[pi"ëªíæB'rm"6	bÍŒšE@^öVgUnž,äøÒÎÌšEí@{*l¦Ò©e§Ð
+ý˜™ù¯àá-MÅÄ]&§Zõ·Îß_P‘Ôðu¡oz.ñøÏü$‚ø6
+@©¨«¢Å5m(A[£VU¢üfßOmæŽiPÏýkÏþ¦íªnO1£—ÉŸû2™¾ßÒ«db
ÏÏžOÄzL¹zöÏ1ﳎ*’w€Vûw"Üæˆ8)¬2j,^€_÷óc€72ËþÜB äû=ú,‡ÉDš¦9bËe˜IëŒ,×@,æ5@Ž–ŠäK ÀœÁ"]¯1„¨C'}€'«fMœôŒDßM9nH‡{˜j\„“™Ýî¡ú[™!®4à«
þÖÁÿmõïW\Œ—|®þcÎ> endobj
-1464 0 obj <<
-/D [1462 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-430 0 obj <<
-/D [1462 0 R /XYZ 85.0394 554.5721 null]
->> endobj
-1465 0 obj <<
-/D [1462 0 R /XYZ 85.0394 527.6165 null]
->> endobj
-434 0 obj <<
-/D [1462 0 R /XYZ 85.0394 225.7428 null]
->> endobj
-1347 0 obj <<
-/D [1462 0 R /XYZ 85.0394 193.0129 null]
+/Parent 1430 0 R
 >> endobj
 1461 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
+/D [1459 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+422 0 obj <<
+/D [1459 0 R /XYZ 56.6929 712.5662 null]
+>> endobj
+1030 0 obj <<
+/D [1459 0 R /XYZ 56.6929 687.7843 null]
+>> endobj
+426 0 obj <<
+/D [1459 0 R /XYZ 56.6929 215.6322 null]
+>> endobj
+1462 0 obj <<
+/D [1459 0 R /XYZ 56.6929 188.2003 null]
+>> endobj
+1458 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1469 0 obj <<
-/Length 4034      
+1465 0 obj <<
+/Length 3015      
 /Filter /FlateDecode
 >>
 stream
-xÚÅÙrã¸ñÝ_áG95b€8XyšìÎLœÊN63ÎU›­-Z¢mf$R+Rö8Ç¿§ÝQ>’‡”6€F7Ð7`qžÂŸ8×&1¹ÌÏmž%:ú|µ=KÏo¡ïÙà1Ë0h9õ뫳_¾Wö’VÀ^±ý΄J`wÕÄ6yº@¬X†¡åe~£#,Ê0|†fÅ /Ã$¥/—ÖË¿¼ÇhBe;j@Özhï[úèº×ÜM;ã»]³çÞ1‹ÀŠC×l‹®éܲ“ÌWÅ¿þ¤
žôσ脹dÇQô t:cÇ’´®Ú‚†ºpzЈV™\^”yh•dÈœâ€G]7Î!Œ–o“ì@Ã[_	œT[^¬áÞ(yðQ‘ÿ‹›†±”_‹-ÆŽÆŠ)"Œ›žøUé¥|`P®··lIj6-«}ÑÞ•íØJ­šýþÂ-»Ž;ÖEǶ‡Ù‡oÎÄ`½Î…ºL[\®ë9ñ—Yb³(1ªnä:•°ƒ:)héb)ls Š®+·»Ž§5ôË‹ØÅ»o?~æhlÕl·‡Œžw¼ä áqzâ(Üljaäá»÷‚¨³e\…‘½õ 
žÙ>c“TŠìavÐ(:Èi
-yŠ{ ?~û=B´¾En	;«– Ŷª«¼SÄïëÇ9rá$”ÑA¨êb[®gèT(U1 㣜`œöœæÅŒˆAC§&Fd”\‰||˜ºÈ!®ÙTkê÷QJK™NÁ^Îwh!	Jâ—/ ò2¹~ìH¾óÅßRQ4‡®ÛLÝ]Å`ÌnÈBŽh‰Õb<ôžˆõß`¸Ö€Y$c+"X$<Ö,íR‘)F(ÉÍaC0ÞB€>6jCv=4æš›SÚ†{h4kP²¥
.Á~oZåæøH!†wQqêr	ÊÙX&ÚJÝ2áë-­i"…òä=‚áö¥J„s.«m¾±ò±²`èŠ21ŸS¤‘c꣰nj9$Nª£å¨™©¹@ĸ$‹Yd†--í3[Xg‰yšÄÉäaäåÊ„—YÄMû3ÇÂRä
-Ìß$·zžÈ0˜/òn›¨5™„´?P Vh3º2âCGƒiäµ×s€ &ÖôÔg\äƒïC½:º¦Y3ü‘à|Kœñ÷—|eú0|Wt«»PcF²ùÕ#° ŠùþNlA$™hy“g‹¿¢1õŽ:VÞ÷B£Ý•«êæ‘>8uöer¯/Ôö~܆ÞÅb£`$A/ÌÝ©rŽá)ŸEÔRØû%àÝ‚]šI¨ã¬ûdLÙY\ΦëXÅK_·˜•Iꤺ%_aA/äwŤ\ûxv‚Q—c~ñ?¬ÙWx"ÍË‹ó¬”Ù,‘YT¼ ¨º‰$ÍsñÂTVhöëKùx¢Þ Sst‹˜AÚ³Q =j	RÌiªJ²žVXdz7+S8×tA£wÛ¼àvV&¹snþnv1.‡(éâuÌ?˜pgL¿²W–¹€JÀ€þ˜Ö%r]{Ó‘±éÈNUÁµ8¥'0ÝämÓ‘Ù@È—b~ÞxRcl‘¯À¥Qpðæçú ¯dŒÝ#_û@LŸæ}LO&ô«Ï—ÞLOŹÄ@f‰Dš8”'ØAêÛßžSãÓà®;_Ç_uaE>—ngÁ©ê))B™Ä£G´ݶÇQÏpŒ÷Aœ¸;³èŠ
Åìög®ã°1*v83¶_V¦‹?3"ëyœÁ÷LŠïæhjÝ=½
-^šw^ù“up°‚ýq²ƒu>YScZy[Ý!V[t,ýi0ø½-ër2¸¦ÏCKÛ C5&¡‘#@Ÿ.á—·|c·ƒÜ3ê£ʼK—FÙÅÛ¹úËøªÎh«Ûª.ºhmîæuÆ‘§kÝ_øWëíøu,KÜÖ¡ïú1¬áþ`ÝdRx ÏývñßáB¹,e"±q»/¶[È
ýzÞÐ;çêrbmž±Ý:IÅÑ5+b…\µyh©í6¶‡MWí6<qb²¥†åp^÷Iv£L†R½õòþb»âª‚0Yb˜„™ƒ°bûÈÙçkkçû¹ˆS§Õ\ñrP%s÷Üm±€;ƒwyofPCD-ŒµG7™î“™…›a€^~Ÿˆ25lÄ/BÆx³c¼>)œËu48“øêeG¾Œ³FvÅglRòÂïÀªù*“\|†¨oSìåP®§¤YÐ|ÎLNî÷åä¥Î=Á–Ô”h©_-q
-T$lÆøyO¤Û>Q§øQ9HêÜäúìŠjÓ¾	Ƴœ˜×uÙ®öU¨¾étþzW(ˆ×ðùÝk•ÔêìY%ÕVýJ*…
-¨é	Ã0ðP¶@YyŽOf`«ž‰âðå`üqr„uѳG	Ö#±SzðâÛ€YÒsÅAOSq„kX(Äë0©Ü‹í®PñX¦íôa	^ËÊç-nÌÍFçњĤ“wŽ/²µ:ØZsÒÖêÚZßBk@F×ÚÄ¥™žæ¬Ñbc‰²
Ú(§Îâû·ùgo^o)§–_R’^ÛŒLLenO"
&Éæ'-­Õ‰Ìã“…gY%i,m®ÂËN8¹'{ƒ©±}錽^?áÎÎíÉ›dž{ÊÞB$û¦_'o:^Ó¯)³¬ð““¤J¼ôzY™XCöׯOªSž¦æIu„:‹™ëáI^5j“
-5_Î4ñp<¹å7ØG§â§´Éj“âç+ØqÍ‘‹ó”ë¹ÈEÏIE§6dPÊ>5yè«Ì@0{9¥@Ú°áºA5AeO 
¡Š>ª¼´‹VòùSÕfìÊq±ë2Ôà ŒN]>yþôÿS ‰ö×ê—K˜†s5/U¿Z”ŒàRØL|3;žHð¦ñD~±)fd„mW­ÚåꮨërÃYÙç¾ ëÿõ€.¿L6)µÂ6ç¹ÉcEæ¡•þéÏÕZÉÉ[ãhDUcm[XkaØî'¯þã_„B¨DÛô¾Qü‚»ˆùA•+p6¯BO§wÿñ#«$‚ZN_eòTŸ
-n`hJZ
-úÓ¯H~¢Wƒ¾ãߌöWôsÿg'ƒÿ1Ÿ¤‘ÿù0úPÉl¢œ“ó‘Ž´_&«@²n³#ÊÃ?k“þ±H)endstream
+xÚ­ksÛ6ò»…¦_JÏD4Á7Û{Œ›Ú­{­ÛK|÷%Éd(’p¦H•˾›ûï·‹]P$E'¹&ã–ÀbßÈbáÀŸXÄíx‰¿ˆß,²Ý™³ØÀ·ÎïYšMËá®ïîÎ.®½h‘ØI膋»õWl;q,wùëå—¿Ý]½:_ºc…öù2ë»›Ûï	’Ððò×Ûë›þñêò<ò­»›_o	üêêúêÕÕíË«ó¥ˆç]ÆðÌ뛟¯höëË_~¹|uþî«»ž—!¿Âñ‘ßÏÞ¼s9°ýÓ™c{I,°pl‘$îbwæžøžg ÅÙ볿÷_õÑ9ù^l±ÍÐs;ô\Oðp8Øò1ÝíigÕøàÿöò—+š>>>Ž7Ë×púˆØY,E«0Ô(ës[²íêRæ$­ÕiIã[×õ8qIY?ÈšæU|\òñ,“ûV暆㭾õqûÕn%‘8âÝì8ôb8„{Ó<¯eÓLµ'‚Àö|ëÙ!êâÔçÚIÇóÊ[„Ë!ÆSň ¶=Ï#‘»´Í¶'$Ʊƒ±~A
Æ™;v"oLd¡švÆ"ÜÐö‚ÀgqWë‰j܉jü0ðxo.˧eZ6©Íhɪ’ÍÌ-ÂÃwÂÈ\³oUU¾À»B«*‹§;…ÄQdSû©|}×µƒðŠ× üˆt}7°pä±t‘ùg¥c.óFEb{BÄÏ3{6
+âË1Ê?ÆhÚQ8µõ}-×êq†UmžpBÃ*…íþKßw žÁ…BØI°ÓÈ´TåfÝßš3gÄÉ$1fp/ŸNü,Šm&`í€=þl73—Œ3^ÂÛß«µ—Ï¿oû~`|,UȲ-8òªMY‘ð8z‚Ô0L?œDQpU/VJiöUÙH‚ìÀÓ
/T3Üö/™µñ’w¼¥­xÜ2à­ã¸E+kиª/üã' W±†Ÿ¿+WMFv›ËªÝV]K‹•Ì}‚˜F–f[™¿0fÁ©)¥á5ÔA`ýóþåÍÏ•µ¾¨z6#¦:äW[Þ’
+øšMYw[ÍT8
+èƒk©²•%1²0aÜÓ½€˜ÏCýþö5¡+Uæ=º´mÓì¾yA™V_PÒxØ*È2ú\Z7CüQ¼@¡&ýî‰=ô$Áá9‘ÿÞÉÐsbkBôœD[¬ój—j¬*Ó$(™îjÏ7‘¡YU¶¤Œ¢A¢\o ü†N§Œïæ7^cøÔ7ô
….­§ª«iV²=Tõ=C
½å˜3ª;ÓB¥
*Øgê]°ƒ¡„¡=‚ˆe‰3‡Õƒ9-W[Ÿ‡†*!Ÿí/°š¬Vû–`YÕ9Ah|ƒ.Ÿh¨£’+°º²7¥E‘AUOçBTº~™EuÐ&ä:쥮ÍC¯´½Ã¸‘-íÃ"
å=ü¨‰€oHB]¦AË*g”º@pz¡¤¨²~›ÑŠÆ¸Mù-€òë–à+Æ$[.æØ„«1 ŠÄa2ѱpUwõA5´ãÂúµ”ôAs“}ºG–õчTéªà/HŽÛ¶Ýsq±¯ê6-ì4ÛÙq7™jS,Mìl½û«Êÿ,<@=dë1‰)¸1©¨Öö§izJ\;Â(t|è…¨+ o÷3ûÛi§`Ž-çt
+Ý=Á÷ÿe¶ø²]¯O¡k#w•‰à¸Êe²j8Ô®tEGL&'E˜BÅ8J^kÔ^bqÇ <ˆŒk‚‚ÍЄü̧kapŽ>šÓtØ{€iqïá›”@ùƽzƒð€»;,I58å;n~{`Lž1¨?Ι¡ƒôlçÂõ9(?µÙ²š½ÌÔúi"±uutKb«+dóÍL•3I7ƒÒzPVë&ï?4	û–@ÿ¥A>bëµ\×Õntâ«(¿2G¾czt;FÏÉÝÏc:í6]X¹"ê+í†%:h‘sš`…«B¶
ÃiÐ1'£˜‹ÅèÈôa
+I8í-àϺý˜²
f"p˜j4¿a¾µ'mñ‹9QN¼I†£_³›é:ङ6ébX³Œ* qjGH¡î¥1>õ)fÈ™yP¸˜øÐ+!Óy:
+¹$€	7…zÞ@©‰°Æ±õZ•™œì¦
+1mSZ¢¼é»®¬Ì™Q¸Ê	öÖ	œiOß|Ô쌨=—ÍäZí³èø’QþX@4Îëä´=©ì'rüÕìFl40ѹ§¡µ…˜‡—zN‡ÛÆUlF;oè:Ž)
…ܨV@øè lÂ9ªkÜÛ#ÌѶ‡ÃyâMþµŽÆLÐŒÜNÂàTRc~°D?y/dJ?jðÃÇ3 ~ÞÖÝO°uŒøPѲva¦µ£yò•=6tüÀzò0í‘P=S‰Âì#âõŽÖkp¾Ëxn`»Qÿf6̧¡íã3ï-äz4-7î3.•dؤّçx“
+ôHá¬ßVmŒt	è'GÑ#@ʪjÊ=ü`^)DѼ*
9ŒœÙ›°©BO8üº˜Xë4k{7•ÃRg@¶7Ë9‘^âiS%BÉ[´rf‹VÝA„×½VDÅ.®wé~Oq&ào¦„Æâ3žÈ}ìÓ½|÷F5¸¡oÌ"¿¿:°ÖÄÈŽ	Ù2ÔsÂ÷}¥t/ŠˆÖ4>(IˆAÚ·nÚ9æL¹B·–µ+,LÈÊɃÒM0BHˆ¡î$q=Š>x¢«÷U£ËÄȳšÛ[¿¡c|ßVÝfºB‡uÙ0BÒÞÀ²˜ Ä•ùªš¹ÎpB0 _¿ÔpI‡³OK;ȇ©Ýv£„â,µMÁw2kcÒ‡>V4¯´'£Â*ƸKïù²FRH |¸_¶ýÕ‡­ä|p¤Ð£g¾ôù\
â9ÑQ$Ø4ëäêŒ3®+nµ5}vâ=*°&›fw[~@ýg°%Ããʸm×5Œx_õµ*žh¹b<¬•–ž¨føÑ1%2I!°U¨L÷mæ‹Ùõÿp7‘Ž jW"ª«àKAUIÐFµdšµ­òa ÷õM@úD“£Ï!=¬"²î¶':CöørH`Go1sGÙÐSöÅ
+òŒö
+©8z¤Òž(SÈ«&†‘evž:­~Ž'_ªhÜÊbO³9ê½´äƒ5eºŒ€,GSÌ-ø¼U˜š*ä7„~Å1%¢§Cé†<ÓˆF*†a¦X°¤t×êÊ‚^3F=šFÏ3,ôΚnïwoÓ•|©À"d»R™±8]òÀ¥G$ŽÃiñž&3ñº5-cÝw™&
T?›o_™€µ­éž`Yiݪ¬û¦Gf|¯»§—(Aåd`¤“CªãIÀB‡±k‘Iã‚Á¡9-†™Jò¾ãC›°„A™±ÎÕ>f¶fœbòý*aQ­TÕ5T3œ&Ðô+ÖJ?bø˜~KÞ9q$C|‰¯³Ú~
>ºÊ¬¨úðµ+×þ ÅÀ¢O»3ÞÛTôî˜ô/	Ë61Y/0…O2äÅä…Öµ::3là·™ÄôɤCjˆï°PôÇŒò’qE¡‰€LÜËZVlž³–mHŸ±Q] ö{uíAêzô»3þ|/"è«gÜü¾n!í(¡áo÷uºƒ1_ÞCù™$,`FżڿGþÞ\Ð/U…,ß™×äÁõìDLKÚ7´cUm:~êx’Íûª~q—üÊñnN»|x_ë(ºTëúÿÀ1" –¿w²i?‡ÌË?Ìž]vù~Ù¨K•ÝneDû	·ïÒÇÏCÐÖiÙ¬eÝ|øôÜ¿r€…áÿ_Ìüã…ÓÛâgÿ›Çñ`üÈöâøøãéø×P'´c7‰QÈaäM)ïÿä”ôÿ¨ï:endstream
 endobj
-1468 0 obj <<
+1464 0 obj <<
 /Type /Page
-/Contents 1469 0 R
-/Resources 1467 0 R
+/Contents 1465 0 R
+/Resources 1463 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1466 0 R
-/Annots [ 1471 0 R 1472 0 R ]
->> endobj
-1471 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 337.0934 137.7628 349.153]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-1472 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.941 229.4213 439.613 241.481]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1470 0 obj <<
-/D [1468 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-438 0 obj <<
-/D [1468 0 R /XYZ 56.6929 131.3818 null]
->> endobj
-1473 0 obj <<
-/D [1468 0 R /XYZ 56.6929 106.9867 null]
+/Parent 1469 0 R
+/Annots [ 1467 0 R ]
 >> endobj
 1467 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [91.7919 602.6942 93.7844 612.334]
+/Subtype/Link/A<>
+>> endobj
+1466 0 obj <<
+/D [1464 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+430 0 obj <<
+/D [1464 0 R /XYZ 85.0394 191.1478 null]
+>> endobj
+1468 0 obj <<
+/D [1464 0 R /XYZ 85.0394 166.7586 null]
+>> endobj
+1463 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F11 1449 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1472 0 obj <<
+/Length 3460      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sã¶ñÝ¿ÂrçÄ_0yº$¾ô:Í%½8v.77´DYìI¤"Rö9mþ{w±~È”íK&£`±»ØO€â<…Ÿ87Y’yéϭ׉I…9_lÏÒóûöLðœyœ4Îúêêì‹WÊžûÄg2;¿Z
p¹$uNœ_-ßͲD&€!}ýý›W¯¿ýéíË«gW¯¿s1—&½zý÷Kj}ûöåwß½|{1ΈÙ×}ùÃÕå[ÊÇW¯ß|CO'¾½|uùöòÍ×—ï¯þvvyÕñ2äW¤
+ùåìÝûô|	lÿí,M”wæü:i"¼—çÛ3mTb´R²9ûñìÂÁhX:)?‘&RerB€ZèÒ$K•5>É”TA€ï.æYšÎÚ}^5«b?_ÕûmÞðçÔ¤Ôª«bîŠ=õÿGÛ¼ºgxÓ-Ôú’þÞ¿G¡s!oŒîú±¸çuÿ¥¿¦Ý—ÕÍÁ»Ó#I’úÐþm¼é#{vœ6õa¿(zNËþ/—‡ˆBXŸ(i
`J¬V: úK2‰·6;À{Þßíê=Ë°Ü}ÀÎû	úP‹"â:ç·ÙÔì!©Þ&ΗI5'H5¿T™*Ð1ë'EZÕm¹ºž@3›(+õ)*Í¢RX•(íŸAåÓâìÏæÏ8y/é¤<ù_Å~,M@‹¦96NØè˜z)E"lšMˆ9JfRΑ<í­|6)ÇžÃ	=˜(ÀsY-N’ Np¬x>‘ÂèIR†’êNôó…¥<:k=qÔ#Jõó„%þaÉç	KÚDh''…uhŠyn>ßÕõ†à÷Eó¡Þ¨êg8Ïñú9¶XÂÕa{]ì§QˆGP”U[ìoóÍI,s©/Ò#øíKüâ•€ ÂÁŽÚ%Yfûä@8ø)ØÃÆïÛ¼-¶EÕR÷›âç4•UÙ–uE¼ZRã§&¿)x+5ˆ¥°“4I¦uvºZ=ý$´80Â4Ìaâ’Ž-D~ž6 -³%ÑV4Ô]¬ó}¾‘•M[.ØÖô]ÐÞ4õ¢4Kêß•íšGèo!ܬØÖmX gU¾å¥L$d;I¯f¯W£•;ZŠ4}¢µ›âB̪Ø!œÈ_oǧU"¡
+°ïŠE‰k‹å„˜Y».PäJ†
`
+D½›‚šõŠWššQ-j¤iY¥*Õ³ï«Í=Rjlë¦=ÚyAh:m@T›lƒÚùn·)Þƒðßäá¹	ÞaúM»‚ÎÔ4?*[YÑ™r1Hë¼Í<Ÿ9Ê™,êj5¡­A\ŒSv:à0¬‘“ˆDaSC¹£~J
¦˜VL¨¡U³E^Q£^,{jæg{ B6<¡fôeÕ”KÆœO°¥„I„QŽ	¾-‹»)ãÒ‰3îW¨3Ö“vŸÀ?WÎ'.µGžçô>6ÈCé‹<·9ðƒ=‡É4§Ø’ÆLžNgÍsOjñ`ûÍÌxØ2Øìծ놷G]К@¬ÃŽ¸¤Yä
+4îyR½›Ó	s.c'üØêà±T
+Z¼-oªº·ZmÓpaM¸-Á›àÖØéņ3ªzJ>Ö‚ó„ÂèiùdÞÉ)ù(a‰7ÜdÄÛñ^BCÒ¦åïÝkBàw–nHš
+<8P1Vºe±Ê›¶I:Ç3°ú Bmf÷õ˲!÷zí
Ué,ÈCïýè±îÿoÊÛPna»>ðúë|ÉämŽ’Ë<”€ûÝ̲¥ÿœ±\×7nÞ•›
µ8„Üë@´«Ãôn?•v`²@î)))8Ô`½"
î.@X<Ôdâ=ñjÒ¤\bÀ®ù|ˆÆÉSI𬲙Àq[tþ§SO5R™ZêÈw{˜àBQNQ?â»ešhÝ©÷n_ß‚Oœ—ŸVSŠg€±ÌÄÝbXC?·,ZŒ–³mIv	 »u¤:Áî•u³M½À\a}*G­AÜwÐIÃ`8a˜¿Í›v0IÄs†)tÌͶ­Ñ‡„MC&T$(°Sâ8_¨¬¤ $ž4›ýü&¶biŒ=ƒŒT_óÐÞ);ôG\)áÉñ|“ß’)¯ÝkÈh3R9m-»+DÓòžS^I¹bvÙ`O©†N<”
<‡w>fœ\8X+呇텀Á’Ä.­¤$ dfA_–<UÜÆ»ºiÊëM‘ÐA¾æ8C<“ŒIe“¦úù:ÐçÎ"Ù
wëQz Ç©i g{̤b&!q­«9W	P…	™ÙG	Q
+âÕY¼ 0tzV!E/Íš§·ÓÙ•5‰]~ö”‰B¸2*Ús½ã°—U¿Q@!Øqžÿ7›ú­!ÀÂÒ†:×`¶
ƒBdáúI'óGiLÎN5yУø¢Ï*µS1ÊíÉ\N²mßëD—p;Iž‰Ý’t¢wK8ȲÑ-!ldÀÒ÷n	ç®8—Z:•ÇÉ¡yÓªI«ƒcÕ©7c©‘’6ë±™­ÈÚ¶p(ׇ››û£¾Å>oֱĈ^jQï÷nvص<€µ˜}h±pŽÖd‰v2„:-¢/.–UsâbAwúØ%õᆩXÄö½pœ4fôë
+=hsžŽµoõé®åe5ýó&vvùÍ›yåÙ¯3¶ÛCN/^Šj*søÞK·FQФãûÆÓ5Ýdù…oI©ú3ÒìX9 2ä>«“Iâ!ÍËݼ)º’<ˆè(b*rÌP3Å2Åv²ÐOßüÀ³mhqÙŽ±¶!H¾Qµ%]@ÿú~Š\8	•7¼YœªnQ«º„Œp†Ûy®òºœH†ŽNe×£ÚJøñaüóÂC^³)—4²”†*þŒ%õó3ȼ2‚\ß·¤ß>¼ QÔ‡–nq°]—æd²’#šHb¹ãc bùŸ8®%>¨$SwºW„U§ýQ*?‹00’ÕaC0!@ù¡Œ-N͆³DJ÷¡·!-º!
+øŸç…­ñÑ‹lóOÚ7`qdß©ö-Òx
!úS¹=l©iÊÆŽãEž—h}¿á¸â–‰ÐÆ>mÏ©í¬žõ>PU…›VçÆƘFcäKGprN—ˆÝÁJI&*%?6€L!l¢š(u&Šƒ¤¹Ž<ä\Zòë@zEèØD'ÁFÐÇŠDòÃüG£ÄqVS€>°²ïU}w¬jŸ¯Ñ¿_MÙÈbñ8qüP†*ÓÝ9Ÿ<þ4ñ^eã(§Ò,QÚN¼A]Ù߬¨>CvPÝÕæ+7§†Wn˜îA¢Q/ÁÈæ6†lÙ4ÊMñ‘Bß]d¾'šÈeb¬4ý’á>£¡]:šÈ 9ÑŽ ³ã›dpð*VL…,üb‹+LJ¾?Ü!¬ÿþ¦{®˜ð2|#ÒyŽÁÇPžΠ«* 2lhëPÙfô)Õ˜ÇI1Œ}˜¾ËÛÅ:^Š1ã—=Ø…î#ðBëü'œØ‚L21 ó™×³£3
Âã(6Â+óêž:\:‡[ò`/ÔqÜÆ!Äb#g$Ñ.ß—»S×9⤧|•‚ìã—|'¾PTËÜ©ï	Óî‹Š?üõbÿi§¶‰rNv&ŽKëð.QE¢«P?s|Húÿ8Ä
+[endstream
+endobj
+1471 0 obj <<
+/Type /Page
+/Contents 1472 0 R
+/Resources 1470 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1469 0 R
+>> endobj
+1473 0 obj <<
+/D [1471 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+434 0 obj <<
+/D [1471 0 R /XYZ 56.6929 575.952 null]
+>> endobj
+1350 0 obj <<
+/D [1471 0 R /XYZ 56.6929 545.1349 null]
+>> endobj
+1470 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1476 0 obj <<
-/Length 3193      
+/Length 3592      
 /Filter /FlateDecode
 >>
 stream
-xÚµËrÛ8òî¯Ðmä-CÓ!¤Q³Ø(<œ¥Û³`¶†±×gœpi1Äz~{öë+Ï3‘ˆf·wZšZóÙíêýüÅoÏÞÝ^^Ÿ/DÌ#v¾£`þüêÍKì1øyñöÍ««×^?;Õüöêíì¾¾|uy}ùæÅåù‚ëÃ|ANLxuõK„^_?ûãg×ço?»¼íö2Ü/¤ÝÈç³÷ƒÙ
-¶ýûYÀ¤ÑáìãƈÙöL…’…JJßSœÝœý³#8uS§äJÍB-â	*> 3±à³84,’B:	¾?_DA0ÏˬEˆ1ö¡v{³™‘–<çÌ„¡pÓþûÔþú
-ÈuÝwÀÏ"™Ñ±vHV "é@­i“6oÚçzž5Ø“VÛí¾ÌÓy—œÏû­Z„¶Âï2Ãï¾ÉVˆ·|Äžæ±5NVÛ¼&ëdA'„°K-ÆGÑV5IÒ’·ßuF²LÒ4kûc;/ïªz›ôâ®îhˆÑe²%¨Éêû¬¶—‚9Ž¬à楞[Š<ÊÉ6ó²ÍÊ9.x<_žóy† ·Ì¾äË"¢™ýnWÕDd»/Ú|çQm»vî$ª¶J«¢ñÁ
­t·o÷x`Ð!àö-Ž¤Ø¿ð»Êg”mG$âp^•úíööB ÎéKüg+0*R‡ó+»V½Ïû¼Ó‹Ýn’!2_üXm±_Øõ./¬ÆØÖCÞn*òå—m!àÖ
-­Ýnµ_ñ`«?ªV7N[Góú•«¡$Jß¡#”€Ž¡;/
-ì²ÚµŽwÈî³’Pï°'}h	lph¹Ïê²{­öDzaßuR?žs¸?ö@MH
-cIùˆØtFÄBÓx‚ž±»$/H¸£ÑÙ“ÂoV£¢¸ÏÊ)Ó×VDš„åLí±@Á>ͽDÓªlq!˧0þ(lC£ˆ 3Áæí‹wØnªô“»ûp¾Y™—kÄI¨¥Í.KskjáPŽY*WâÕ%ßz:ÇL†JÏÂX2˜ïquà~´ÖÓŽnÑ\(:'6âKj ¬ÀŒ{,Ëž3Çœ&2´g(¾_1LÖ\€Ò‚…BÉ¿LÁ¯@AŒrÉGHV«ú„$§-Ø"åüa“§RxuàÙS§é`HœÙÑfîÛWïîö€òûž!Ç€³f
X;%Â!‚½‹Xž”ª€ðGvqpuRÿ´X;Š‹!Éc¹ŠP3Ʀ_ùk‚•Ìõ‡éPÆч+°æ„Å
-ìªEüÛTˆ‹ñl€õ!ƒîn7Ÿæ(a´ŠÆyÓ]FöÄßô¶ßaù³ÒÖÒ­RSVtžýY=EEŠ—j¬œÔzX½8c¦»çâr{hÕ¥sŒ8êl¯ë¸Ã¯cËÝüÒ 2éèô,eV"
a÷¹ó
-ÇÑ–á,\e@µì÷:òä¼?M\æ­9`y?V×È0ǧ 3Ü€
#ÛóûYmí(.†$µ•G0
-ö©_ùëÚÂC[…Š=Ê“'Sþ‰TQE¤Â°Ð@~â<` œ¯(‚,)ä¤0ΛtlïÅ!ŽƸ$[èÎÈ©ä#cñÀ…þxžt°õA5±kÉ%SØP¼¤êä%…œ&Ž£ÙËQD€ŠX_fS,+–áŒë˜ŸT,ð¼,Šb5áfJ»æÏ*VGq1$y¬Xa YF¢_ù+–ƒñâæ@%”Ì:èaf¡ïIZ¸ý».ÍpÅw>J±øå(ÐS']å¶ÎS4„ÐgÓ(ûECè¨[–‡ú´‘>,KŠ¢z˜º=1‹ã.p†”×j[ æ/†Ò-[õË;aHÈÍAìrlYGÛ3š¶pmÊ*±±ËêmÞâ
$N	ꌸˆº¦#~,Ê+™µ
6ü=Œã ü”Ò
-òcÈ-:óC’‘œPL†÷+[6!ÅðdÄd*ý2é)~‹IˆT¶sĤuGS×A1ðB¦»J´…pH`'T4P	ñ-
ÔLq­Gˆà®§x ìb*–¦æm:¿šXÂ6ˆ@•9ˆÑÇ»…ø &À6Ýh½ÃŒeKc.³À0àÀ*G^¦âM`|)8hÂc·f›ä´ l±ÉÛüÞM
Ùëí])c"ç^µ€or7ùCÚäëKëFfm!+WÞûòÉÐêÔIš
-«i6.¤Œ„Ö‘ø¼*´z²£òÅ®Î!“.0§=Î.ŽuâÂ0gêÇê[ Ýa§Y͸çEó
å2‚Å]’qJ·$8Z­|ÜOÙ·Û-f½€Ä½ØÆEž‘·Ÿ(>‚åU,Œ´Í¥$>"î‹œŠm½‡À`µø”=NW_×Év›ÔÁÂA‘qLÉ–KÿãŽË¦¶ô;R=«.ÖÅY´r¿]fõ×á!þÓ©šÔûc¼§ë>ïc©Ò{ÀûVzÅ÷
-ùÿXâUQìÕyÄÆDLg€cNU°‚ù
-9tÅ9h¾|sssùá&K÷uÞ>b¯mÕº´7à#̼ñÄš´Î—˜¬Ù‚ëQ-!॔vU—Ⱥ%pF8X¯g\*þþb8½×¨FwD×nõ¦³EÀŒbú8øÉ(3bæøѾÁÁ-ïAMžyyú$‡Y¨¶ä°±…q ïÎÊ…€Áüaã,‰ô®€Ý~Yä) 
`2@‚Ÿ²*ɾÝT°^Bºÿ]•öë}*«çF¤¯7Bg—¼¤©NSœíƒ>q‰«¥õkø`Ëš¸½ýzƒ Je9l¥Fx™¥èÿm#wOXr–¾ÒMsèEf[¸UÓäˆÎ.ñEïÃy~¥=¸áuikÛžö­óîÒÞkû!¡ÛöÆV*lÏ2sù×sw±m	RÙWÆ$rYv–N³¤“\¹Ù"ø	›dåù±%6î“"_
&—„DNÚ¯'Ž³?îÃd”hUØÇ´w}ÜÌÀ´vÿã-¤w™îh-X‰¡d¿\U[Щf€$þõ¦»Lao¹&jØn)ÏÉ€ËkRÎFC#­jÚÑ®*W”»ÅNI*XÉk64#Ÿ,šÅ&Ž¾Ó\k@6¾BÑgH@}•e[¿f`ñ<ûbct"êšêB¾@?& 1Œ„0jþ0„€ÂfonŸçÖðÍ›ÄGjšùM¾Í‹¤vq$Œ¢…Ï(@tTtB:´B·p ×é+Ýž°f.U-ÝËT©Pôì_¯üž v¿ü—""3–Ëõu“µ‡ªß‹ô¯ì¤¾Á‰xpXI™zk<áþƒ°Ë¿¾Cd<šxÚÒP
\êA7Hh‘#1vouž¹Š¢’¤›nncCp¼†ôÍ?@ 'ÀÅk‹Ý6†¾@AÇ1Ó±Çr¶ï¥ÉÚ®'U8z÷¤®¤X['¶Ùº¶"û%¼{ày^7RØÀDùþùÆ\w8-¹õ±ÿ–æovIšy~ÚdéÁ2{(rwWìLËÅ„¯H“ržõÈR¶ûÚ›°^Y­[—Uç%††¯KÁðPÈ8^ø´ì©÷8;‹éæ@óš]á“ÄýÎ/ç³À*@Ëí’Mhd0®‹~[%!üöÕdHÑ;|ñº(zÊS^‘ £­vÙ½«’8]æ…:ˆƒh˜­1ÇÝ7;ŸØ¡)ÓîAÔIÝòŸû<{°µzºú.G…uaÓ}œnæËʽ­BÏ® r›Ùddf”ÑÌÌÀ|Ù¿H¬\5à‰5À½‘£ PI™ð"^d¢™SÎK¹r²Ñ‹–PAÈv×Ȳ¤(€ëÚ³@‘áä£5%î‰;Ò—“;ñ;}NH?û8ñ$	y¾”S|Ð%u?ý_¥þ\*frTR•‚ˆižœ˜²ŒÃ£$Äÿ©é˜õÿ3N½$endstream
+xÚÅZK“Û6¾Ï¯Ðm5[—xñÉqìdRÇkOjI*Å‘83,K¤"Rvfwóß·
P EÍcíª-DâÑ@7º¿~€l–ÃͬÊráäÌ8™©œ©Ùrs–Ïn ïÛ3Æ,â E:êë˳¿½fæ2§¹ž]^'´l–[Ëf—«Ÿç/¿{ñöòÕ»óWù\gç¥óù×o¾¡G/|óúâÛŸÞ½87r~yñãj~÷êõ«w¯Þ¼|u¾`V1˜Ï…^_üý=}ûîÅ?¼xwþëå÷g¯.{^R~Y.‘ßÏ~þ5Ÿ­€íïÏòL8«fŸà%Ϙs|¶9“JdJ
+[ÖgïÏþÑLzýÔ)ù)a3e¹™ ST.ÓºP€Í¶«šØ–ÖÎ/®‘!˜Æ’iReŽçÖÂñÝ®¨ÛërwÎì|qÝì6Eæ¤KG-4§jÏ"wóºéàåóv[.«_òœ—«gÐÂå¼»-'–¶SŸ±r²máêŽv0½ž™È¥“I4íÄ"ÂÀið(’¶+ºrSÖ-ñ©Z¯qÎl!œš6v¶`,sJq?üª$Ú·å*›ØDÃáÍX=`{j’gJp›ˆ™"ŒOlÞ5Ô²®6UGȸ¨÷›+¦×\SÛ²©—û—°gÛªúªÙ×+zùWS—t¿-ßqí'5›Ñ"ùã´¶Ü}„UÁª@åŒ •›-"+QÕÍ„|˜È·r¤'Ä#Dų\ ’½•+"¶ÐÖÕAféè24Ëeã^UõM˜×æï™ó<3nlCíbÔyRˌ̸ì
/*i–bYîªÊåôÚ,ŠGy}(ï¦ÖâšD%¤›W+P’QK-Å”¥ŠLö
+‹Œ‘‘°)ùL;•-Íc°‘gÎZ;Œ‹žâ"%I°7à_€UÁ+{cYMHñÌŽiU"×µ‡ þ§OXÛÌ
+5ÀXÈ9b“ÃB ^ƒü:AðdÆø`–FÅ)–¨ÔЖ`¯ ¦l~GŠ*Š«ìè—\å—ï/¾}6>ÆtæœÖ°}‘ÙÜyÏA»›=¼K\M?~‘N8v5Çtqï˸ukæ pG»Ñ*cL6säíâ ‡v0¦äÀhõO·¥ß‡žwÅúƒ·blög€ÿˆø@X¸iº’FðËð|þÏ@È€Y$3~ß—mG
Þûù©uwï*pŠq!“,ôŒNÖÂÁ¡‡‹k*7ZÚê¦.º} M–Ü’ïô
+ÿ7e]î@WôºoIÊ…Á$Ôc"8p¤Ðp[ˆ$Ô¡¹ØnËz¡b6’n¾)Û¶¸)A|Z˜ùÏ\¹¢ nÀ‚j³«n*`¨GÛÄݤ˜ž¶âÄ}rüû¾¢‡ÕÇ£—FIÆ>DZ/Cù0ÆæYφ‡c‚˜ëî¶ÙßÜBl•‡MâÃÍ®ØlŠ½ ç½S®Îb)ývC\Ç´a7R-ÖëæSKÏDða³_wÕv† M )@œ5×úÛjv£N$Cé½õùâsÕ’ž2-3c™iV¬ƒÛývÛ캅7íË`ãœOE„m³ß-Ë)7
+n‚»ˆº¨©“t`Öiº‹z‚´…(ã»Tò¨R‘Á\#«R…Ö‹·%5y‹	M:LiÈ`—e²Z‘ÌÚ@Óë&t\jÞCиJÁäPèä7rÂ6‘«k¾ýSÕ݆vožÐ4<èHq"g {]õ±\Gý_Hpa¯iAÜ5â[†tå1ݦ^ßMœŒ€¬E+«Ÿtä‹~Ö-—¸-΃á?A5Gs>Qߺض0&Œäˆãi¾‰g-ÄázÈÎ=ÁWöÅÕ“5N€‰Da<‚Ÿ×´už%à5Å2:áÖ@>«²+ªuû,‚g9‚×UÙ.wÕ–|¸ÇåëIЂx
“ߧ©QòA#UFüFÊ™ˆ¤«zuxeÜ
+3S;2Îø1P?~‘N8Ž@Žéb *X@ÎÌÑ–4„O¢¶t	õ£ÚÈ5ÜHÌ$,(ö1™„G_)Üé#Õ|—áãnŸ¡
(N¦Ñ™Î:⪈¸ú$âªG"®BL è5L©Æ™kG{TOKomȬeÈÎÅCüÄo†ÆÄ[}dÝ@ÊL
Üž$	æžÂ[£2l<öE†¼ðˆ’y€!s5]ø¡Ë'PW…€ÅgÛÁZ¹ŽósL'Pâ)›zš¾)f€›F‡)+dO`Ϲ{\f.t‘	âÝÝýæäò\ßkN@PÉ>M	žäΈ޷öÖ$bå5Xè¼›<ús“‡ˆúèTü”ÄšüÔš<™†:®Â€$~±~ç#…¡øEhÏIåw&LÌ£ ÙÓC'ŒïÂæ”)§ø€EèÈ 0'ˆÆ€EXà ˜ìQòáSUzèÐq±«2VÅ ˜Îí(˜þ?Gü5êñ¦à\5{¬ýøåzÀ@.i*L{%¶J€÷›î|ÁrLB:HÛ®Z¶‹åmQ×å:$gïuY_²y—_FŽ*®ÜdNjÓfŽjXéßþP=ªTþL#ªK„ø„%—жýÍ[‚ù‘`"SFb5#3RPq⯡‹Î9頪Ϋ`ÚÔÓ>¼ül	òAŘܠÏ#704'3ýmStËÛßÖ&ݾãÏ@öyJ~”ªñeÙóáv¼¸Ìp7>Ÿ:íï2åïO™çO<åo¨hW‚,òûððzá	íßÞû+tR»ïf"òW`¤™¸&`‚iÀÛ€MÔ²l6›}]-‹P$K>°Š<ÞÁ¿ÇOøBG×|ÞÞµ°=«MUÃ&wÅ"œD®2«¬ž`×ìÚaéã&)sS$”t8e•š®bÒœ`˜5ÔÅæeN¤ü¾¬Ât**|­ê®¬W¡Ïo„‚x‡ãåÕÕºLûu,/ÐË¡æo#AcÓ–
+J]³lÖm\5ôŒÀŠ×ûXQCäpûŽz–Ô¾8]Ì
+e£YýÓw——oé©4Jwi^Ü;<ÅH%¤Ó—1vDo¿€„&¸ÍI»`¤ò¤‘*à
rýd”§H;€
Ä›Éô¡Ã–ËÁ¡YÃN*øßLk#g’g&ÅçÃ`Oq‘’´I ¤ølÒW[&,Bâm˜ë-b!• 8„Cšü(N€Êþbü¤ÚL2{ôAœq!Aë?Kšˆh€ë£zÌì§>£‚Èc9׌ü¦wó~!–„ô,:ô&ßw`ŸÏÇð!9¨àQÕþò:ÉRáah4á®_³+ª° °ØVXÆWNš·ïôU‰”žGÕ‚}3þH𶺹Ÿ8Ðf±Ü>ŠI+))êŒJ&ƒ{©¤¦2Zò	P	«ÛPÉØî*ȩדŸ§è±{*ô¢É§U»@Á•µ)}"ôËñÌô©Æ)õàn­ŒÑÈÆÓ/{ÐÄxì.JnXòøüq`Hˆ©«×¼c>ûïÃ×ïÒWkOÜáŠ\g4n
+97GÐõ_‚oý¿P—Òendstream
 endobj
 1475 0 obj <<
 /Type /Page
 /Contents 1476 0 R
 /Resources 1474 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1466 0 R
-/Annots [ 1481 0 R ]
+/Parent 1469 0 R
+/Annots [ 1478 0 R 1479 0 R ]
 >> endobj
-1481 0 obj <<
+1478 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 242.8671 510.2452 254.9267]
+/Rect [116.0003 680.0038 166.1092 692.0635]
 /Subtype /Link
-/A << /S /GoTo /D (DNSSEC) >>
+/A << /S /GoTo /D (tsig) >>
+>> endobj
+1479 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [399.2874 568.3155 467.9594 580.3752]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1477 0 obj <<
 /D [1475 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-442 0 obj <<
-/D [1475 0 R /XYZ 85.0394 714.2819 null]
->> endobj
-1478 0 obj <<
-/D [1475 0 R /XYZ 85.0394 680.2498 null]
->> endobj
-446 0 obj <<
-/D [1475 0 R /XYZ 85.0394 416.0284 null]
->> endobj
-1479 0 obj <<
-/D [1475 0 R /XYZ 85.0394 384.8057 null]
->> endobj
-450 0 obj <<
-/D [1475 0 R /XYZ 85.0394 298.1249 null]
+438 0 obj <<
+/D [1475 0 R /XYZ 85.0394 461.551 null]
 >> endobj
 1480 0 obj <<
-/D [1475 0 R /XYZ 85.0394 264.0928 null]
+/D [1475 0 R /XYZ 85.0394 434.206 null]
+>> endobj
+442 0 obj <<
+/D [1475 0 R /XYZ 85.0394 334.6837 null]
+>> endobj
+1481 0 obj <<
+/D [1475 0 R /XYZ 85.0394 301.5645 null]
 >> endobj
 1474 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1484 0 obj <<
-/Length 3341      
+/Length 2869      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZYsãÆ~ׯà[¨ª%<0ÀdŸä]É‘c¯INUj½å‚HB	h”,§òßÓ=݃‹Ðš^§ø€á===}|Ý€\øÉEdc•]Ä6"!£Åzs"÷0ö͉ä9+?i5œõõÍÉW:^ØÀe7wZI ’D.n²K¨à(ˆå»>\\~óãÕÙi.o.øpºR‘X^\~wN­o®Î¾ÿþìêt%“H.ßýíì7çW4d˜Æ×—ÞS¥Ç+D¯Î/ίÎ?¼;?ýtóíÉùMw–áy¥Ðx_N>~‹Žý퉴M¢Å3ü´V-6'a¤ƒ(ÔÚ÷”'×'ÿìFÝÒYùI(mÔŒ•\HØ(R#	F60ZéN‚JƒT„ËMZ¥÷y¶zÌ_:êu›¶ù&¯Zâ.ÝlÒžû«‹P®G,`B ÉŽ) ý\´P:°R„‹UÇLnÚ]QÝÓ´¢*Ú"-q!uTûÍm¾û|{Hà­ÛGŒwøx8ïÿ°‘{|‚àÓ'·éjr:ÒÑÿ¾%q/ãÀ†‰í¯!<öÞç?	¡ðuE=i•QãÇ–ò†úõû¹yÈ;®úIÒaÁ܃+<$h’À„pVÁWÈ¾6³,‹Ç¹
LhI^ÔîöMûú ¯¡Ž-OfÂ=GÁÄvùþÃõõù;j7ùz¿+Úü—,w§2YÖuÛ€qk»»iYq‡Cw¹›‘WëœL²}HÛÖW
-n/	“‰îþ¾”t„öë&¯S¾®Ûœžù–¯t¿¥g[Ó3yòÕîÛz“¶Å:-Ë—S)¥<íC½çõEÕæ»'¸€N%îH¦ûÀäèÔM]>¡RcO½Íwi[ïÐɤȞmp–à–L츿Þo·u“Ã–w°`¥aIþkºÙ–¾ÛIÏõ§ôø­®òS¹üKCAN«¦¸¯œq5žSž²®7[æ½hòŒ	;
Çaw’Ž²kÕÏUÎÜ<¤~Z=çèôOõ#®5S…
lËtÍ#´
4A”:‰Ä.Ï°WMĈóžŠõ5‰‰!‘ºÌzj®QTÌÁŒ®iqFGÚ‰
’(4SKd®ê½ßú6§ËÕ„µr,™}•Þ–È­–N	ñù”–)¢ë}@ÁKZiõB²®îóÝ[”½Z-uúÍ¡éåËÓQw™=®!GÑò_¨…g—ß
W5ÛºjxÃuåxäŽÚgtÝä{×5DµgÕßßòxspÿÜU’¢$²~ùáµ)
þßZ}äµ%vxmÞ¶'œVù³w^!)èX„ÀO²±&ŽÞåz	¥–õsŽg±rQ”_#¶žÙÒ¿²hè¤ÐF5Å眚J#kstÀ¢ÓéáyÝ6°ešõò¶3¼²±csMúåø˲£ e·d¢ä?)ÂÎU¶º}Á6,Ñ–lÎùê„w…ÞZNðL³§BF0'ŽXƒüã˜OX¥›<›‘(	؈—›’nPéøb"Yz†{f}%~è&™
ֻ⾨Ҳ_H¢&ˆb¡Æ¦âܯ2áÀEÂuÌ„p(Û©ígiTd&‡ê.òÁ“œ
¶œÐ
\õ.­i ¿Ù@ô~@‡ÑÏbï
2ý3ĬåeK݃=Ó²©‡g[×~Ëy[÷‹ g«B5ÖòàÊ°W1{pè!/=·9Š»F²§k8ÀÀÐ:O&µo(úÁR—ÐÉdcr¾Ð1p¾
-é4`¤
SÝzÝ¿1㹌6lÿM#í4ò(“@Û{%"©ƒŽäœÍ´Žì‘.ð&"àÃÈe„óÝ)øú—Ò]µê;zÒÑcœç:	BYød.PvIÚP;±ïe±UT€ge¡ö¹ýnZ9½HDð‹Ü*ÂE¯±æý±+í̺âƬøðä¼ô/£	H(!ÂÝá9]o±Á€§é!, ‰Ê™Å³Ž£›paF〈æ¶~Iƒ0n×æÙœ–ü$"áp˜HHÂÂrZŒ=6ˆS$
ÍL"Ñ‹Ã,kæþ£ Ž´Ï!à”aù°ô7yZ1/ó7†Ê„áÑñÇê(žQ6 ¿Ù;½‚MYí¨;õ}Û—N&„¡D›$cÊ–5¸g¡Ø3ôRáPÎûvßiJäS‰~¢¡žMúB
€þN߈RªÀšM5Üjˆ˜À׎):ÝhÞÐ@^‚©@u<—â½
-›ÙÔ@¹Nf¼Â;k¿ìIã8Ré0žEq(­ŽvR%s÷§à¢¶Û<Ý5ô§S•énèN“y£@ÂB}a>Š§ê³IvÆ	!{•x§œ,·2]®Iêë$™ø28¿PĘÑÖ.~@':…¼tNô‡µ”öì—$¨Ï#²ãx(ôe_hš|n4—FcÑ0‹Ï<”6“c±§†.FšKŒ„N&ñ×á.«æ¯‡Õúè,I÷~iqgIðt–d!ÓÙ&Ë=ƒ`è÷‰ƒuÐô…9êl×útpS?ÑÙg߇—€ÐqÆAÀÏÝ<Óq%•°1‹dâd §ƒxÚÄšI%ªÃõãYxÎÉ5ŒȯŽw«aÚ¹4ÆRMž°06;ўʥ¿ø¯.´á˜(öȱf“™l*áxVùI%3£@Š±›w¥@ïNÉ=óÕ¦9w°dQ§,öâÖŸœþôð9Äš¬Æz
-H-½uoTŽy즰ëêâ5"!åtmR,äT)U¥ ƒÚ:oš	KºBÞJZÕƒüƒ aæbA"côïawÈ'…ñÂu÷…aé`’ÎÝ£‘dõs
ÐfdçžÃƒÊÍx¤X‰‰¾Ì”Ý•"õ»¼]?äÌgë¥òþÃõßÏÿMí««&gH§UH©íØ>2okÂJ&ÖÐŒO¡Ái¡Á¸“ÿú†`Ý9ôyàÞÐ_§s&ñ¨DˆîÍ6_ÎÅ3gŸæ5à£Ã89ÚD#­JµE 'ºôbƒ1r.ÿq5g–¤Ó`'Iª;r…Úºd-ÆŸÃÛ¬÷\‘,&kö]Ò‘6Sò³î|)&ÔAæ)–}­Ü[⬹\tª•è²/0³º¨¸YWèg!}ƌڕNæ€8 Ù3^µ$в¤Ã7lIL½àíšÖ~³šž›Ô•B‘FIdˆ¥z3¶纰–H®¡]As亨
-ÚД´d ½øJ¤K˜C5Ƭ8Deå¾tªÆ¦#Y[ᙌϯ‘Ò65\4ˆeÇT‹áY”˜Q!¾±–ñô…ZhŒ÷—\¹•ú•û’F‘Ð )I„÷µsSÕ-5ÈBÜf5=U©}UË®!¹Bì%ÁËNÎxˆý–Ðت/¼Ë€Í¼9ݾL²‹PÞ{ƒëêV™1YûÇ5îãÖgªü×–+5óAÍ $úˆ‚”VA
é¦w­K°É{j=øª˜å\Q2=\ÂÀL TÇÃ0¶D¯(S(‚Pmü	¾ý5soäŒígëšK+5x©]ØBæA+î´ž‹²¤Öm>xÑÖAßØûX^â¤+–$¸÷{üšû	%AƒQRì£elÙÕˆô@	úc3F^ñ5zA1~ýÖ .Èôe2r3s…Þ‰ª~Æû÷wG³Ç<¶|‰R=uÉ)T'©q²ä%…Ö®
‚¬Ã<[a²òÊËW-U×_–íΠÉÀØxš¼“N…"	b)ãñU¼²“<­d¯äÞÑTNøëê@ÇA%³­ùõi	›_ñÔwsp3x‡_†6|Ôƒ4ÞÑ10y*™ÎôïeÐå$2š¾—ÁË|õ
½÷eYÕ4ùzUÖõ#À¡l.J$¾Té”lËLA ŸNhnÇšžøÞ#Ý·`=56çnV
-TÝä÷]ªM¤g–n0~aMÌtaž§`¾j‡ŠÎh‹œiA"*•ž)²i¯8T­×ˬ|
-ŠfÔ»ûcJÆD¿Ò„;œhè#âÀŒc5èý­öc€S¹Ý˜ú-&ÈEÙÒ?XUÏ} E‰š2÷Úm‰ÀÚî]Ý›Ižzðe¸óݮȲ|ú5Á†(Z¯„·E•¡¥¯3•sJ	0IÔI}æó(®Œf¥#d<î?“‰ø3goê+%¢`˜ÖÏ.ì£æÁ–“N2üë2mšOx2…tµ.à¤ûêÉ=Ò,ÛÁ-ÿìfüL/1°Ÿ¾
šû„XÀï¾f>øœþôçeý·waŒõHÕ96rÐq`ˆ0SxÖØpî¿C;dý–‘~„endstream
+xÚµZYsÛ8~÷¯ÐÛÒUïÍ““ØYÏ‘ìÚž­ÚÊäa‰’²ÆÙÚÿ¾Ý艞hkfËh€@£Ñh|}ÈÞBÀŸ·#7JeºˆÓÀ
….Öå…XlàÛûç,í¤åxÖ›‡‹ïnüx‘ºi$£ÅÃãˆWâŠ$ñÙ''r¥{	„óö㇛Û÷?ß]]ÆópûñÃåR†Â¹¹ýñš¨÷wW?ýtuw¹ô’ÐsÞþíêï×wô)bon?¼£‘”š˜Þ]ß\ß]x{}ùùáû‹ë‡þ,ãózÂǃüzñé³Xdpìï/„ë§I¸8@G¸^šÊEy„¾¾oGŠ‹û‹ôG_ÍÒYýy•~$g(½…ç¹iʉÃÔ|é÷”hEát;ít¶ü¢Ÿ[:ê}§:]êªc%6ª,Uƒçþî&ðF×#K¹A"RÃvÊ)ÞÿÆE黩'‚Ų—&·]“WšVíË•n~ŸÏmØ
+ËÌâÓé¼ÿ¯i>¹®ûù³Ùc9+û^“2¦ªyBᆱ7R²â)_<ê½^³âA˜ÀMN¤I„›
+N¤9y”ý¬oÉpÂ
e0ÚΕUé’0+EM½×·ïõú¦žÑ0´öºPþp[]чìÄ»ýªÈ×DƒAñX7D(jªºZª}·­a?ÕåO¼ök]ibl÷ûRÕ‡êÒ¡³Ú³0kUUV°/5Æ‚"ëâyúŽéqÕ«NåFnß‹@Z:Þ~³¥°¦WDéŽÒ½Òkµo5uòÛЈF;ErW'ëìNûªÍ7 »;w°Õ§ãÓƆ•Žý­jid¥ñ–ph]WxVUÆyž¢n×\&ŽyÑÔG†žç9¨ ˜õÒ᪎x©nÊ&<Ò»`«2+Ï¥çHžó¤Š<-®xÒŽ´ù¤«9X®ÛE	ƒS×h´­‹'¼Eyήc„ìqhÞ»Ç$‹¢ŸLÌRDå<§Ý¯²º›b¾õ#¯åÏx…x
7˜¸i"s–+³›;ã@ý"BAH
uÝð¡vu•·‚Ãh'-Lô¨[ätcHð`vèÆi	Ú	LNcžÌ&JÜ3
øÍ;u5µú7ØžHšº¡%Y¡[>“Q´‡­â™#Ë'¯BБÆþÔÀÍ9aA9­"KÄ;©sŸ—y¡šâ™¾ÈA×+¨^;@Ïk'†XP&g+'I’”'ו•
Ÿ÷tëAwÐçÏRÍAkíßr`,ï‡ëÙh!‚p!J§Oàî®Õݱõ*ý‹µw¶`3ÈCní›`ˆ¯GùŽŒ4þý8@„az¾Ö¼(š‰ü1‰!
+‘šFË}Ñå»BSÝIŠÇkrÝ¢_IÔzÛ¯má¢ù‰¤lr©uN†ƒÑÌ¥ÇKÕ*õ+Òu»IŒÎvl‚€™¾Úà~~Zdêêu]ð*6èʶ¥éŒbÒ:	 Þ(ð½Q@º£¿j8
c~C™'+	Ïeh0Óþ~§ÖÚÊÓ©•%+}(ró\p%J1ã1ÖªirþFxÙídƒ½"Úmªº÷cøë¬ÅÑ¥0D¾bð«&
~g„¶¥zž_»+r¶ÇýÎn×1¯‘)@ϜұÈ#³ý¶IB.Ù$I  ! ¥„A¬ÀtõŽˆB?é‚H¸¹ÓdÆ“€+±°V––¹ ŽÇi"íƒÄ³°ÒÛØ•Ñ:ÊAÍS®—©tøõß>ÒpÎÒšài,>-OUÝmidW°™Ãlõ3#M`bõtj0#“ŽÊ²#¶¿"8''¡aà³Ê¤U™´*“ƒÊä”s^Aà•3LKgõÌŒ
+žŒ§&‘}ŽxaÉg–¤2Z|²§OØ=_0N°dõ{VlŸÃ
̧l~âF^$‡”Íç”­T<½?–'l­cNÇy±ÿr^œc>¨Š¥y¹B¢,_J”ÿ„^ÈœýémŸ9ç^Ãÿ3sÃpFRÌàQ ‚c‡‰O ÁæËÜQìB–âé’A^?¶þ›Sò8f GQmœLRr?9
+i„þðéQs0²Ö´ g–抾”p{FÕE¾­%?ĺ;·jêT¾èÝ‘O±…£.¼Ú}Ñ@—¯kú\Ç>þzßõ¾H7&ñH(¼Ýi
+Rï4x>@ô8 È€džÅž¸«ûýn!ä+LÚC
+h}X¢S%¸>&ÂqEÉ=#ì‚ž–˜0šgÄDOY×%G1eHÇŒ)jÏ{XΆ‚4\³4”Çá´zèôOõ\‰øm¸ÁQz mÄm\&)+|ê©qÞa›c¨‡$	1fRÙÀÍÛF‚[óEàÆAž]ÂJÂ`&t5RÕ{»õJÓåúf2©wäT*µÂÆÇzIMíþ›Ñ­ÉªûRRªz&¢¨«n^£î%%Õ0h7·Ð/OGÛeÔÜ_ß]†¡óϴ«ÛÇ«0µlyÃuaV†¼h+í3MB¼žW{›?@§8ÿ9˜ž¹Jz \°ËO¯Mú€ÿiêŸq¤€h3¿í#I+#ŒJüVe*QœNëí#¢„”ζ>h<¨•Gˆ£ÚŠPÝÇÐëóQ,(UÔΙ©y>úÑÙCˆ`®Òj¶-U6HÈÛÎÈÊÉ5Ù—‘/ËF‚‚V$dqâåJR°s•-WÏH¥nT0H†”ÌÖüRÇfc*{Rà2ÜÙ,Ýw½4ŽÇÑôŒÀH|Lâh?dÝvõPÉèóÂıÂZ'xìøaÜV;G!ëÛä•*†…¤Aà‰ÅD5~eŒ 2{5çÂ=W¦IôíCF2ŒŽ	Ü烖À)£ô®ºQ ³ÿ‚ñ¶ï½5Õ‹~£?ô¢`ŒÏ೜ێ†G{ª¢­Çg[×à¾jÞ–Ýýb™ðŽ9…Å>Ó%—±My#FyáfŸ;³ît£!Ù^kÕ2«}KÞ–²»2iªZáÀ|MºÜÂ#m™k	Ñk™e6}>CØPrüw…Cz0J|'Žö(e¶ƒ‘z¶ìr5÷<×÷û¢Ë· âÍ /U=W$l­¥¥ž¢¦0•<¤L)"âÓ AѲª©]ñ–u—Ä`
µQ[dQ©¼‚x¦´•Üo…¡•±‹D¸1~Su¬b¸h
2î“=Œ|úgÃÆpc6|h9ïûËhUÇœ0ÂmLÅGóÒ”‘φ°¾-ê¹ÙÒ|-5Ä…}‡ˆØÖÜì’ø¦Ó³ÓÔvQ"!
‹”.Æ‘Ô]AU]ü·3‰ x#ˆ\¬gY3÷ºqèÛ
JBëÖ©UŲÌ;Ü82Îö?©Æ3Æü˽±+Ø´/ñá°²c»ç^'C‰Ði’Ì€…G×BÕ¾pŠRàáPÏ7ûn?”³,8ˆ-p
+¬0öFŒø+¥
+lYá±eá³<&ýhd8Û0…
+ø @‘Ju½”&Ä{1lþuŸzs¼ð~èâ¯ù3¿Š>	þÃÿ40üGEie’ÈùŸ!·ƒ¼˜°Pxž8:‘ÜþwÁ©èÿ&ãˆendstream
 endobj
 1483 0 obj <<
 /Type /Page
 /Contents 1484 0 R
 /Resources 1482 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1466 0 R
+/Parent 1469 0 R
+/Annots [ 1488 0 R ]
+>> endobj
+1488 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [432.8521 616.4281 481.8988 628.4877]
+/Subtype /Link
+/A << /S /GoTo /D (DNSSEC) >>
 >> endobj
 1485 0 obj <<
 /D [1483 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-454 0 obj <<
+446 0 obj <<
 /D [1483 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1486 0 obj <<
-/D [1483 0 R /XYZ 56.6929 749.3199 null]
+/D [1483 0 R /XYZ 56.6929 748.9522 null]
 >> endobj
-458 0 obj <<
-/D [1483 0 R /XYZ 56.6929 670.678 null]
+450 0 obj <<
+/D [1483 0 R /XYZ 56.6929 667.6879 null]
 >> endobj
 1487 0 obj <<
-/D [1483 0 R /XYZ 56.6929 640.1762 null]
+/D [1483 0 R /XYZ 56.6929 636.0345 null]
 >> endobj
-462 0 obj <<
-/D [1483 0 R /XYZ 56.6929 132.0998 null]
+454 0 obj <<
+/D [1483 0 R /XYZ 56.6929 425.9376 null]
 >> endobj
-1445 0 obj <<
-/D [1483 0 R /XYZ 56.6929 107.213 null]
+1489 0 obj <<
+/D [1483 0 R /XYZ 56.6929 394.4436 null]
 >> endobj
-1482 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R /F39 927 0 R >>
-/ProcSet [ /PDF /Text ]
+458 0 obj <<
+/D [1483 0 R /XYZ 56.6929 313.1793 null]
 >> endobj
 1490 0 obj <<
-/Length 2947      
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsÛF~ׯ`ùe¡*s<®õ“œÈ‰R±’µ•ÝªMR.ˆš(SC€R´[ûß·{ºšÊnŠè9ÐÓÓóõ5 šIø©Yir;Ks+b©âÙâîLÎ>ÁØ7gŠçÌäùpÖ››³WoM:ËEžèdv³ðÊ„Ì25»Yþ}õíÅ7—ïÏç:–Q"Îçq"£7W×_SON¯~¸~{õÍOï/ÎSÝ\ýpMÝï/ß^¾¿¼þêò|®²XÁûš9yáíÕ÷—D}óþâÝ»‹÷ç¿Þ|wvyÓíe¸_%
nä·³Ÿ•³%lû»3)LžÅ³hH¡ò\ÏîÎllDl	=›³gëFý«Sú‹M&âL§
-´j @¥¥È¥Ígiœ‹Ähã5xW´‹õ|隶¬Š¶¬«æ|žHý›År¹sMóÑOû¸)›–úÿó÷Ì•yë³[ìwMyïæuµy¤ù®ùXï>V55'ßþ™ÆîK÷ð±Þ¢,¯©Gñëø5|á_uå>6mѺ;Wµ‡ïÌM,²$ŽÇk‘ü¯Þj5ëºWÈßf"7MB@èÐ!Y,:üa)j~í~‘RW%
-L=Eµ$⧦øäx!38
-XGÇ"Mà¸ÎÍÚuÒÎ+ZçxÌ8Ç/ÿ”“¶"ɲŒ'5CÉ’¨lèYÐc[?¸Ýj¿ÁV­\Ñž«h¿;WY䨯^ÑÌ`A	YPµë‚yn\;æZwüvãv÷nǃUóÐÑôøúú¿íÝî‘Èe¹ÂåWÎK1§³Fä*ÍÇg
›B,é4‹–nëªeY}¢¦×:<Ö5~Ûð,šÏ0	LÚä&ºjǃÛb×–‹ý¦Ø¶ûÆ‘r€^Õ;ž~·ÝxvË5ÛMɼhGØçÚý–?”íºÞ·S_÷Ä ÑÖôÜÃÊŒ›»ý¦-a=j‘:ÑqÊ„Íuì9]‹õd
&O &Úª	Ä¥AµË®Á¦Â“Ã^‚>Rh±¾Ã«{ͶXp?©‡r³¡)·<Ö8Wuû8Z§Ùß‚&Ç+-6%HZ˜Û<Ž.!èÀ’|¬]š	ºËRrD¸l þ²vp÷6rEceË“šš,7€í«ùep€ÞBš†Þ±nƒåŽ<-ƒPÚXÖ1ûÐÃ`a2°]i’8o‘Æ*}N¸Ð"÷æ>,æÇùåÓH`²TŶýÊó>"d
-ÑöO²ãxBH«•	òHH&@ˆ4Uùõª?O €ÿÒLDÂ4‘Á(|1Ä´qœgSk&$0B$Xl
-p'ˆàŒ¢kH¢-u ØüÔ!Ø°£6Ž€
Íânå£`3¤FÏâTŠ4O’?lÌq>d9¶D˜d°ð°–ˆÌ¦éŸ'cÇñ„Œbm†§7òÖRÀo—ÉOeÁ#fDZ–HÕ`œÏÅÚ('{*@Wå™Ó×8®P&c¢ªn‰h¶nQ¢gwË—ÐÛè¶n§ˆ2
-ó	5ò8èHs“<
РOÄ$8È®GOl-ÇWTί,ݪ€ÀH;Á°‰Oσ)¥xI,¬F,Xl|ª“ÍÊa$1&‰®ªn¬ËÜrŽÊyF·ø̱:§XpÈgj«ÓòþgjÏk¤þ¢ö˜ÖÆñÑ^†¯èÎa£›†7ן§òMH“Ùh`£Äë³{lŽ$ž±
ð{X—`Ïp6ÚzÕ÷å
"1
-€wn±.ª²¹£¦O±pœ,zBGÚŸ36nã¡/LôùH®#8Ê궚ÊY
-2
-KÒž‘ºea–ÀS¦rvwºº™@/”
]Fþ“Â$èG§
-ÔPT
‘œU§2¢B	û`¼Ä°²æ¦åW¤ã;ælÁ³
-xóC”|u“Ëz»aQG»(×ÈØ×&smâ¨ök.}RÍ=ÛÉÚjôFOÖ.è›цø–ülÊO•?08Ô–º~Ñ:EÊúÌ:ºÌ貨ƒUÔ­NiêÍ=‚À/Võ›ñŒuÕºßÛn«^[Ò	#å}Ð;¯£».bŒB ¨Ùtžÿ•œNƒÊBÁ%£’Ÿœ
-P9%.µJ«‚Ö>s×Òv‰	¤Z½R±Ýz#Ìó`Ž@=¬½Ò€ê] Å
èÂ[™Ò»œ	{A*V	}ƒÀ`ã4úGÇ/õ„y`ÜYlöŽÈ’™ûÃ{9¸H8œWMáôÈùBág;ÿÂñ¦BO9®Ü²X6œdîszÒƒPÜ·ÕÑ@à%ÅF2WœÒƒ3çô‰uqïF,¨á·ÊsGùˆ—†ßÞî<6PïÞ|<+¢/HýŽ\O:Yd¶jŸ3zjËŠ[ºjÁ}5ßû!×:p
Ž`z'Fc5gõ³Sª'iÇA“)Ì4ìØüý<† î}}ݧÄd¡h¸¿ß2,œpÀ#z<·äg¯Vv8|u=žû;·d¾×uË«‡ —puâ«æáõû^軽Ï`P
-HFŠC£P!>¡ŠÁï°EH²+oÊþ|Èðaxâê:ønÚr)˜XÔwÛrã–óp„=|y±é[I¯¾/ÿ\«¬ê‡1PíDilàŒå3<£µùT¾|IÔàP ´†Gû‰ZHrÓ¤5=Ü•î®÷»¬úú«>|‰"“ê³M\5îÛf—8ÕGBf–aåvO,H :˜»ÊIl•«pØuu-ˆ¸¨'S5+ ey4¡,¨-ó§ßx‰‘×Áå늼ö"9N£÷
ׇu
ÔÍ[ýoûüëÄå0ìÚ™Ùƒm“³ÃϤ/B²ÿ"|öEeM~2}õŠ¦ÜxãCªY×ûÍ’h®ÙÄ/)ž¼©U¹ö¡Þ}„Ž'w+]!1ø­¤ð¿WÙëÃOÏ?J3’îÇ_=ac×_¤xyÝî¾\p£­„œ*0É…ÁTLc^
!ò>Ô—´à…j„Jëú/á¼æŠ…^óCSÀS¢„5(C¥m.6{úh:ø®ïš1ÿñ‰A.×NWÏ÷Å@’Ó«q/
,õzJøU¹9`>r‰åí‹×'?ëyð8[•íómá]zŸÏ=‹¿‚ïìñ±Ü>öÇù…ÓÛîÜ}Yï›
âØ?N@Jü›ÈÄÿCd÷‡ÿûß(ý_ul*L–éîkÊ8^JHÙ5(
-·”¦‡’w[y*úd]Œendstream
-endobj
-1489 0 obj <<
-/Type /Page
-/Contents 1490 0 R
-/Resources 1488 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1466 0 R
+/D [1483 0 R /XYZ 56.6929 281.526 null]
 >> endobj
-1491 0 obj <<
-/D [1489 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-466 0 obj <<
-/D [1489 0 R /XYZ 85.0394 683.3585 null]
->> endobj
-1492 0 obj <<
-/D [1489 0 R /XYZ 85.0394 652.4223 null]
->> endobj
-1488 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
+1482 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1495 0 obj <<
-/Length 1237      
-/Filter /FlateDecode
->>
-stream
-xÚ­X[oÛ6~÷¯ò” £ûyJ3'K±¦ë=y†ÁHTÂUU’¶ãÖûï£DÊ–c%‘ÝÀ0DR<ß¹Ñ2Lù³χ~dGF¹Ð3-ψói<Èw7KïÍ&ÐÞõa<8¿v#‚‘oûÆ8ma…ÐCË'“SÚðL"˜§WŸï®ooþ]žîéøöóÝ°=óôúöÏ¡ÝŒ.?}º+ô¬Ó«?.¿Œ‡#õÊ×nï~W+‘z¼:^Gû«áÙtüq0otiëk™N¥È÷Ádj‰TûãÀ„NzÆRNLhE‘mä×s ç:N³’
¾þÚ¶ÞÖ¤ö³Lh;¾Ýa@×j0²¡ç…®xôÛ©
˜#?‚8#¸üø¦yúS=P±ºP£ÿ.*=%3`;0²L·¦ÖÚ‡<Å쥗‰ôÖ»*8PR™*Ú°›²°Þá£öÎÔÞ›7‘<N1§  ‚¤»ž$å¬ÒDc–”‰Íz5ÑTŒ„ôêÖv¨Ô§~Hщ;¯ñ‰qü
TQ¯+ö?¦g.+Ö)"Ùš<”a¹fí0|Í2
-1:®CÀ%É’1]zW˜Ï(›UE¼'=)~`D¬žôÖ*!(›—íñŒ–bsžôd[4«s¤©ô=UY©ÈAJ™Ì­e…,»k†–9è_:ßž™Ëò4=àäG£Íx‰ã>f l¹qd¥CuÖ­S¸8HƒÙn§ñþéÓ­yJ¸Gü8—ÖÔ)£9HH*Ë+.â&ÿÞˆmkFä%ø…Ø"uçžéÓ+Aö"£ÉèC+4Šy~ß=4ªPš3D†<‹¾Hö‹H‚äÇ#µ«ü3»¬›~¯”§	;‹*mÁ¶•ë¡¾bœ¡UÓöÊÞ0á
-œ¢Ã«¥l7¿áÕ¾™^¿n]úqYAšV¾*¤t[麮,?€N`»®ãÕ0¿Õ¯<o´Ö·•ã­\×G¢8Ðñ^³ ’,ü¶˜þ¾˜¡É]‹é¾ ¦{¤˜‘íÐ:­úUÀeÛ+{%ócO6NÀe$‘§c}N²Es8´==Q“iïH¬på¿ú¨‘RÒÔ·“¯R=‘˜³þPÖKPÛ¦ý@ydóˆŽ.û¹,´§RǺ$]"éDÈO†·!º.%äç[u“Ðq…`n>Ý~ùÂb{›#¿ÿœ0´7w¶Óú ³ƒº¡ÑBUjážäÍÍƾèÿrcÎ9endstream
-endobj
-1494 0 obj <<
-/Type /Page
-/Contents 1495 0 R
-/Resources 1493 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1466 0 R
->> endobj
-1496 0 obj <<
-/D [1494 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-470 0 obj <<
-/D [1494 0 R /XYZ 56.6929 600.6754 null]
->> endobj
-1366 0 obj <<
-/D [1494 0 R /XYZ 56.6929 573.3325 null]
->> endobj
 1493 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1499 0 obj <<
-/Length 1169      
+/Length 3642      
 /Filter /FlateDecode
 >>
 stream
-xÚµXßs£6~÷_ÁcÜ©H„&O¹Ô¹æ¦—k]÷)õxˆD
É—8çûß+~ÙØÁ1عñx‚ýôíjwµ,2LýC†kC“0Ë Ì‚¶‰lßLã^?û8@Õ; ~	4ßú0üzE¨Á s°cL–M×EÆ$¸=»üýâÏÉh<Ø6Ï8¶cž}¸¾ù­œaååòËÍÕõÇÆCjM®¿Ü”ÓãÑÕh<º¹
rm¤åq…°GàêúQ9ú8¾øüùb<œN>
F“µ.M}‘IrE¾n§¦hµ?
LH˜kOúÆ„ˆ1lÌ–M mRÏDƒ¿­OÑ6ûÙÄ…¶‹i‹-Ô0 2]È,F
j3èL
-Þcšgsïd\eK Äœ—sñb~dzr|^^¦¹ÆzY€d¶›|	‘q_%Ù²œJ=õ0‹½9ï þ³Ä	‰”ŠÊÉ%—³$›ÅI€	d¹•+´Ò#~œ×k”­bö%‰+¥òQA©¼½õ#OÊiyó½m…UË´’‘÷Ÿ¿¡ˆEÉ“ÖD‰pYã–‚ ãRÎæžòf‘ªœÿÑÁ:%è×ÏNÂD{0A¿3U•y±k÷y7ØExŠƒ0Éž¼,ñý»Y£Bö¸ÿåãŽv`XDŸê8
-5‹‡þ^$“6Çé,׬òØ4ÉÔz>¿™ÖÁ‘#»:®ƒ[UìŠS\ „5ã‚u¶ô(m˜™,'þ5mSïW¼
-=­Ä}œd\ϡι%^´H›ãY’*Q{m‡í
ET°ÊÖ~Óaé¹'ÏrñÜë´gmTRüY­2ï©—*ÿ%‹,ö¢®\Ðn–®ä/µBz4“)÷;¬^ÎF‡$Ž–«PdRõÒ¢Âá™ÜòÔ÷w´vCˆç0wžاE%XŒfy86Aõâ1qñ¹ß²/ù×-ÊSú<¾<¶šÐ_BÞÑÕÕ\×3Õ'P¯fzÝèÒÂ䤦Æq}‘mU‘ <Ý“›#¸µ9Bú6GÚš]DWh„´µ¦ô¿ZüäFئKhé,àºxÝã¤Ñã"¦]ÌhM*W²]æëŽÙkêÿbïendstream
+xÚ­Zmsܶþ®_¡o=ÍäXâ•`óÉIäTm㤎2Öñx¨;žÅ1E^Ž<)N§ÿ½»ØŽ<á,ÕÍh4·À°Ø—gç9ü‰sg²\•ú¼(ufraÎWwgùù{èûöLð˜e´œŽúêúì/Uq^f¥•öüz3áå²Ü9q~½~³øúÏ/~¸¾|}±”&_Øìbil¾øêêÕ7ÔRÒÏ×ß¿zyõíO¯_\zq}õý+j~}ùòòõ嫯//–ÂïKæpâ…—W»$êÛ×/¾ûîÅë‹·×9»¼Ž{™îWä
+7òËÙ›·ùù¶ý—³úyoÞÝÑ»Ÿc¨×ä"
˜û¯#Q'‚šEqO5…Ê£ †|«ÍXï˜ä9	Q^”¼¤e®H‘‰\™ÂÀÄ ”q
ÓØbN(“Î3?Ûø¦j6aüÒT;Yõ;Zæ2`E^ê‘.l!ó €UÄ€ÔCÓ¶DÝpËúåtcEˆu@´ pA€
+Z€Ët†£(´J‚QR¢eQ²«€´ù…ÍŒœ6Òõ¤mkÖÝ›ú8Å C!Á«§w3YâTŽTõÞÿpv„€1ûñ‹‡N*Nõ@Ö-§PQRód)H
+­]YYól‰ÉJÛ|H‚!3#JûyÙnMf¶,Ž“wÒ)»¬¢˜ʼn™$ài)JMàD8®:ªcH=ö[>eØ-¿¿IÁM“Câ­?m"øèyjDÂÁÑ10¹o™ÎÌØÅ¢ËqÂÌ•åÊçø§‚½¡|Ùº†zµlûþÀ¡u*r"Ës•l;6}GøX’³ÐüŒ=ýþ,¥®ö#XOdêdEŽªëžv©¥a±äp`¦36«ª%Ï'až‡`¾ZN#h‹œiA"*`ÎLjTþøˆµÌ„.ƒ^®Ûû¬VY¿{ÿœ‡WLÀ–¼"Â=NDX>Pfìë¹gºÅàoUÀøHÌ™ävsî7˜ 7íHOðVŸ8¤¥ÈHÔ¤ƒš“§•ge©ì\cžºªº¹­;ßíšõ:`÷y=ãC”ÒeP›¦[£¥/3µ)¥„æ`¢ÔËxÊ(ŽÆ:ˆOp/´‹õTi Ës¶7¿¸§U‡|ñí®º»«v	ÝÏ-
<Ƴ#–y½óa5OÌI2ü7«¶†·4þß©PJ¿º]®ÚV2„qþ§Z¯wpÊïüˆwX‡¡öÿ|™Ä¥žÏºƦ«Ð¢?ÙtQ»zµß
Í}½$·Šã?Öû~÷$>&ß~3y—/©%˲·©µóh›ï"9~g™0­ÿX€¿¬šKsÐû”|S£ò¡EöÝ‘¦ÿ4€ËI(eT
ñg²âÈY°æúéñLƒßw.U³œûZŠòNÀYÅbSWè—÷±²mXÆ‘á
+ÂÒ„HÅBÐç\¿¬ ïî	õXNf!©'pÄî#‘óÂnèàëEqT/!èA(®Þּ襎hñ¶'¢a´W
`VJµ¸çÛjQcßV»ÀÜ,	§å=ùœ—hœnض
ó¢a[=î·C­ãm¿Súz[ÝC);àÜeߎͶÅ™®Ä]V«ÛTH‡<º4OhŒÉ¤‰*@6­×eÊT…Ç‹ÐJª”¿5€
+8B’°Õ`ØV+nç(&dˆÕ0ä†ûÎ¥Ïü&óûB“™ØÃùŒÙ,^°†à=҉Ⱦ Gä‹b®ðúçÜâ㜷axÀûš‘
=Y‚‡øð|õ¿nTzsÆ:"«yÑÝ@‰êÙ‡߶4ÌlQò´BÔ³îÛ$À 4÷ÔmÛ2r\NYú«´Ùú”+2SJ}˜9:ïãEjк¼pâ÷[däøÄ"5åÜÂ!Ïé#PB©-àg4¿ßNǨÀÒEêÂæ‡Ò&†/V1˜Õ˜Ò¥tlHT|X„ïýàÕÝqÕH8Ò5$&Ñ–PÙüЩ²aCT6|8¡l°PgâÌ'•MeªPò\
+8—‹ßAÙ˜ãrÊ2¥l6Sv2ñ'tÍfNÅï·ÆÈñ‰5‚?ÌžÞl‘§t­ýq™üT¸p⤮…tË>C×hú&K¦Œ¢ŒÙ%)Þÿ›’ò>J{jVVÄÄÝèÅM?Þ&áµ@*h`ØÅQ÷á'7r\¨é2ÝêÇÚú~{”×RÍí»ªó•Å¥ÌKq½y –’Mw˜Plm3a´­‡ô}™So³‰7Qƒ¨âÚ¥Š×:Ãq©¥PZ/1>áL`³‹5€m|Š>t`샗'RÌOµÚn½–ñ{( èë .¿ç*}U¦ñîGúoodÊÑØ6	Ú‹DfþÖ‹,c€]qcÕÒ—oüüúÃûbRH8×ú0UÌS*õiËxÿ÷G«‡/zuNÊô÷¨*‘~yQ(õ¢8^yüºõñÒÿß²s¹endstream
 endobj
-1498 0 obj <<
+1492 0 obj <<
 /Type /Page
-/Contents 1499 0 R
-/Resources 1497 0 R
+/Contents 1493 0 R
+/Resources 1491 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1501 0 R
+/Parent 1469 0 R
+>> endobj
+1494 0 obj <<
+/D [1492 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+462 0 obj <<
+/D [1492 0 R /XYZ 85.0394 479.6298 null]
+>> endobj
+1453 0 obj <<
+/D [1492 0 R /XYZ 85.0394 454.1046 null]
+>> endobj
+466 0 obj <<
+/D [1492 0 R /XYZ 85.0394 323.2236 null]
+>> endobj
+1495 0 obj <<
+/D [1492 0 R /XYZ 85.0394 292.0835 null]
+>> endobj
+1491 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1498 0 obj <<
+/Length 1735      
+/Filter /FlateDecode
+>>
+stream
+xÚ­XÉrÛ8½ë+T>IU!€ûøä$vâÔDÉ8š¹8.LB6+Ép‘­™äߧA)ÁkR:K³—ׯÉÃŒ]y!
Ç~è w­Fx|
{ïFDÉXZÈêK½žOm¢Ð£Þx¾ìé
+2žÇQ4
xòæÓìôìÝßçÇSß™ÌÏ>ͦuñäôìÏ9zw~üñãñùÔ"K&oÞžŸœË-Oéx}6{+WBù¸GéùÉéÉùÉìÍÉôrþat2ïbéÇK°-ù>º¸ÄãÂþ0ÂÈw|ŒHÒñjä¸6rÛÖ+éèËè¯Nao·}ÕˆÁˆÚ5Hm€nˆ<¶€õ
A€(é‰ùŽ‚~!“u’g•’ë«´}D%UÕ¬æ+žÕ€QèL’J>›ŠÇrÄÔ
+“˜/Y“Ö½ãÐÉqZ實–ÝÉ¿yÆ¥ˆ6ÜN"–ÉÁ
[ó
+9Y³´áJ¶*x”|ŘjÛ‰z×®(‡Äk‚B×¥m@ë„ßb¦ò¨ïîF}$©*.‡â}«ó$’‹ÊåJI³oJ¸(§$˜ðˆÇ<‹ÔZ¾æ¥Öšk­m$Ò!›
+¢8ôñÌy(ÀÄß	ѱeÔv(6ì­Ô?S×@PÂyÈ“.ËI”²J­oCFtwr¶”Y¾'›¨çu²æ䟧¿}6ŠÁF³â±Ò;Ëke½¾a‚Ø›°4ÕÆ2K¿¾Þ:½jªZy‘g54EÀx˜y&!¾IZ2ÃHPò•VÉ6?YºÙ&£œ©¡cZ˜DùªHR[:…[ú*cê¼éÁÞÂçRa¤C:Ø~Øh÷ÉàÙc¬¹ð'Ü%B%õJW‰
+ÔDj¯åLS‰•¨Ñ~TTU˜Z[±:ºáÊË6r?JÙ;„U½ÙÔ9H'du#™Èq\2ÌW$¡×¡ÜI(Ý&!ÑiKg3$ÇÙÆÔñ°ƒ¨kk°ÚdËFN°„æA×æóLn´èµƒ¼;)_óT®åËé nJ&ªWîJ¤å¸Ë¼’®’X1#– ê#°€T‹êðäŠËgÁÊZŽ„âYß´À}fú¡Ì!˜iÈX¬ÅG‡O¡…O:;p†Ótß&mÈE[eÂ`¾5Üss
+ä’sí©8S0–…#TdJ¿+Ò$JjÓ@q¹
}
yÁ 
+½W™]c¯`[uÑ¢¸Á™ëb?B@a?ôî1¬š›hMQÔ”úÀü0Y´1rÜ<ÞL¡ê“»ºc…­Ô{ÞG Ñ°¨¶ÇïتHu]ªMÕH7…¨vÕj![*ž·³/j×M¡ô
+-—ö‡…zóµ!P
+7FÇõ_çRÖnOpuÜa£–ÍÎæ@3çeÆÒ9ÿ¯ËvQà¹î°,¥È¼->1ªnò&å¸í•r˜‹„ŠÖ-g¯oóò[ïèèÑ·}Ý’­µÒ®´¸3¶¿ÃàH.ü<Ò
+ ¶ÚáÀ»Ïe¾,j'%rUÉZM+^®“HMDœ4x¥•ü‡)2ÆÊšh„BnëOíû=eÊP.¨R«ÅmšùZ§oÔ–¢&‚L®hò†*ÃŒÒ&´“öâ¸äUÅ«¡þaÆà.WWÆP·zzž<Ä!	(T
×|©ÀÔ‘Iù2Iw”[Ú/_©z6qô§y“ô7wˆÓ«~÷x-‰ñqËúö>·G–,¯{õÁU±\m¶é| {EÉ×IÞT[6“qíÀyrOÑ©xΗMõŒšÑ@
~JMdù³KhZ—ITkì~gQ¨›uWòžÜBß\Á¬g,Š X’+ÍKSa§
Qø;á^Z:½ÂØÑO*Œ~Õ´gQ·¼ÆÙػԇ«î GÙ—ÞuH|»(Ùj׊ý£H¤ÜEØñí Äh‘±•š^´WáËbŠ*ÏAL†}ÑÕf~k}ox¹և삋¶‚iRÕ]µ´ÏKSöuZšÞ¿Mm]²¬ZòòWÔhŠ˜éÃå7ø*ÕYE¥¢€MóH·…;Rv!ee£™|º|Ü©P¢œ1úÁžçúÓä¾ëÿvzË5endstream
+endobj
+1497 0 obj <<
+/Type /Page
+/Contents 1498 0 R
+/Resources 1496 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1469 0 R
+>> endobj
+1499 0 obj <<
+/D [1497 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+470 0 obj <<
+/D [1497 0 R /XYZ 56.6929 241.8725 null]
+>> endobj
+1367 0 obj <<
+/D [1497 0 R /XYZ 56.6929 214.6175 null]
+>> endobj
+1496 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1502 0 obj <<
+/Length 1115      
+/Filter /FlateDecode
+>>
+stream
+xÚÝXKoã6¾ûWè +Roì)›:iÝl뺧Ô0‰rØH¢–¤“8uÿ{©—-?’HvEa$Gš3Ô<‰Sÿá;дÛð:&rŒ0˜Æ\?» úмÚo}ž~¼´<#€‹]c·°|hú>2&ÑíÙÅÏç¿NFã!ÀŽyæÂ!p\óìóõÍO%¨†‹o7—×WŒÏ‡ž}6¹þvS‘Ç£ËÑxts1ä;Hóãá†Ëë_FÕìj|þõëùx8|Œ&k]Úú"Ó*ù>¸šF¤Õþ20¡øŽñ¤&DA€t`;tlËj(Éà÷ÁokÀÖÓ’õÐù9–{ÐF­D¦;ðÏ	 ka«<ÁÛ!pMó,¼§á`™¢sÁÔ²".©œq1ËxµüT
ÓBk½5@ŽƒÛ0#É"oÏg#Q$jZÎ…ZÓ‹Åtka³_9üÓa{öpGäqŸ´äŽOAÄâ˜
+š…Tî˜fW!Tšƒ>¶µó=µgè?Øѧ“ƒ ]Ë(A>o™F¶Hï¨èe_JLêC,Ò&Ïêt$ÅÒ^H[še\±øpàXU}Î2µE¬ÜæÝYèj+Ñ„ÔL’†<‹d_Å䤓Eméš/îèrÿ˜^›÷4·Z:©#HH7!€åvË]W%r=hyXgO=ÛrJ˜ÊG<Ï1ZôMäxÏ×+éò,hÙAð¾”àÑmêîªs£¥÷¯µwu½¿ ‚¸Ì¾ÖÏ(Š(&å±¹M²9x$	‹t~,3¥xlÒCû[ßV‹i/\ýÏ´…€ŒGM„ëé~m”b$j!ºC½*ZæÇ…¨ˆ(rtàOu¨4Ö
+Ü—AéèÐv:H)‰Ë^h_Ž¾[Rè`£S  ¡â¢;9Q÷³Œ¤´;Yè@eRGÉš$üiÕdµU((QtÅ㸃:/Tpm§EàJ%ï{ÀŠjxK4]=Ô{4jᪧ-õ«½*Lˆ”Ó¦ˆ)XÂnìU&ä‘~zëTŠCí´UGEè¢RÎt
ÞÏ5Þ,xÐ>è÷'aâW0ASIl“ü?ø¹e%^”Ÿkßÿ±käªayýëAí	…CiÞVÙÑ'ýk?ÒÁµ¨XVÍÍ)eTó&Nõ×…$’²á®•}ì[Ðõ]|¸ÿ¸ììƒ÷ûÏÂß妎Ц“­bÂ’•ÎF\Ð^ÏQ­(:¶Åÿ¡VÜŠâÿG+ŠNjEñ)­è¡[!ËÅUÎ;ý¯·<ùÆhsfëÎÀ÷ñú2[­Ë Ët¡¯ªPÕv%__-í‹þ/NY9endstream
+endobj
+1501 0 obj <<
+/Type /Page
+/Contents 1502 0 R
+/Resources 1500 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1504 0 R
+>> endobj
+1503 0 obj <<
+/D [1501 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1500 0 obj <<
-/D [1498 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1497 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1504 0 obj <<
-/Length 1062      
+1507 0 obj <<
+/Length 1100      
 /Filter /FlateDecode
 >>
 stream
-xÚÍXÛrÛ6}×WðQêa\€?9Žì:Ó8­¢¼ÄÑhh	’9¡H…€â¸‘ÿ½ Añ"SÑ%í¤ã¸œ={°äî9Ðü!‡2À Qg²è@gnÖ®;¨Øãn6¹õ]¯†³+ÂÃÌÎjX>€¾œáô®Ë=ƒ»—ïn¯n®?.zÜëoÞÝö\La÷êæ¾].Þ¾½ô\äSÔ½üýâÏa`—Xñêæöµögè Õôo/û½ÑðM§?,}©û‹ ÉùÒ¹AgjÜ~Ó€Ÿ:æ$v@=B63Qç}篰¶šmÕA€	Ã-z¨& ƒŠSÁ$P?-eÏevÂXŸgT! (Åù–Y[”NÃxnÇ­[ïìÚTFrè0‰Ý$Žžìä“Tã$ÇÉæ|þ3j :ÌäAN>»q°ÊN|‚>i¼ža´çq’J3‡¶óŸ³3û{›h;¸Y,#¹±–Su1A¯éÂsé˜]¶2ýÄ…Ùhœq²w“(Pª°ù=?Ú
-[é¬ôêþGâQ”<º_V2}Ú Úùé4•Jž<Œ£P~= d
ÓÜÈÏÀâã‚~9a­–õñ8YftpÐœ{
"»‚~ïÁE ´L³ãî,Iª•2Z~Óë4xܧHÃbV(™WëY˜*}”²ŽLUãú‹Õp9Ρ˜[&©.糇QÃ ñª=,‹Úcà{åfãX-.×M™ED)ðÇ[úµiã÷YAb£Ò~SØ;ãr«³î¶í-§¿¹:
b5“©NMH„E ǫŽL‚Ç5-W÷¥¿õ£»ÆGÉQ%«t"«Û—^-ÀÖöÚ¸sj÷ˆ—ý–/Q 8gNm¾º’}ѹ¹Ÿbµê¹ÅÓýÊêTÙKª‚l’gA•î J+ª9·>Û’ê@þ˜ŠÙ‘#´{”ÖS#pñßh¡Ø¼	;rÏ®{õÆÄ!;RoŸæ3|šÞkWJº;%/sËïqV<¸J›ô¤t8Q§&§i ƒû@˜ ÂØMåÌ$ý‡üSròé&ÚÔ$§Cä<Ž…hº²ŠtèÚD³ÿB~QÑXdïóý	þ”Bý
-…£ë·_t#[<Ï[¹ —³+Œœk–Q3ÄU#‹}Ӝ‚œí4ß›oEÞ´ØÇצš†8mEœÍñÔ>¨`.K;U×—)àá!¯f ÂÒÇÒÒ°'ŒÎKSÉoõ´>ŒqdzZàCÁêiM¶¡‚¶·´9î™/­çÂkkja©ÔO·ÐÕÿ<ˆïã²;6-p¥æ>ð|‚b
-:bÃŇ/üM¯]ìªQÿHèOZendstream
+xÚíX]sÚ8}çWøvFŠ>lËš>¥Y’¥³M·,ûÄ2ŒƒñÔØÔMÈ&ÿ½²­€Mh÷©Ã0þutîѽWWÂÒ?l9.t9áã6tv¬É¼…¬™n»iaó
xý”¿z?h]\SfqÈ]âZƒi	˃Èó°5†mØѨ}õéöºwóOÿ²Ãìö ÷鶈ƒÚ×½?»ÅÝMÿòãÇË~`ÏÁí«?.ÿtûE“k0Þ÷n/Þðâ²´ß½îö»·WÝÎhð¡Õ¬m)Û‹ÍùÚŽh³?´¤Üs¬ý€ æœXó–íPèØ”¾¾‰Z·>¯K­y×Zý0‚„º¤F@—ôt‘†b‡.%4pØ.Bíðqš5_€i‰â•TiÏŠûwÅe”Ù«Cî8¤Œ0÷ÃXé?È¡î|i`VBŽ“t'G I%RY<IªÇÅ8{Oÿ—‘ƒ*ÝÆQ(M‡çu??Ò|Dì8ÐÆŒ¼\xQÝ uü¾ˆUñ•¾­ÇLjBÓöR1l½eôc¡\”Ì€ŸŒzñr~'Ò}Òám•ú±œŠ„A$@7"û’¥:I…óc(áý@§RŠNWµîi\F<.¢pVý¨p0ÄÑêÈ¡@ "ßt’b’Äll¶AP	‰¿Å¹Åòníµe™vÝõë	‘É2ˆML†»ˆ:£`|ŒCJ˜£‘ ³©ý–793æZ¥÷›ÀÚ™¶ÂËs ÕjUÜâ	¾¹eªî[ªœA¢³¥¡êì êœF• ª36ãµ’ú‘GÉZBû)\9$:u5åzPZB0Ä¹Í½ çÁdÈs'î:×°9´)wkmXJvj~L¨™Hm	.ƒ”{—Îy‘À(¤6çûòIÓ8ØÕOð-Ì1$aµr>%±RùJ¯çáDžZM¾ò7ÕÈáôV]st=“Ši*ä}¾äœ¼ž’3Qéê(ü–DZUËH… XO'‘& Η3 Tt
+9ÎsqÉ(]\™1Šæ"V2§Ù¸Ï8ö_
N"_Êuí˜'¢:XµZ˜÷ºž}WgÇ®yŠHÌ´#'q©zh¤\e'÷bòd6ÉMÔ>øiü<õÃè9œÅI*Þ¤Ææ‹‹âz›˜ÀìÍ‘˜‹X‰ÖêLju¦çêL¶t–jy·O€ÛœNÚºd÷<²>[#´t¶F˜mOƒR™azÃüõ¤î-õï6Ðv„endstream
 endobj
-1503 0 obj <<
-/Type /Page
-/Contents 1504 0 R
-/Resources 1502 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1501 0 R
->> endobj
-1505 0 obj <<
-/D [1503 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1503 0 R /XYZ 56.6929 146.6885 null]
->> endobj
 1506 0 obj <<
-/D [1503 0 R /XYZ 56.6929 116.5746 null]
->> endobj
-478 0 obj <<
-/D [1503 0 R /XYZ 56.6929 116.5746 null]
->> endobj
-1507 0 obj <<
-/D [1503 0 R /XYZ 56.6929 92.1632 null]
+/Type /Page
+/Contents 1507 0 R
+/Resources 1505 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1504 0 R
 >> endobj
 1508 0 obj <<
-/D [1503 0 R /XYZ 56.6929 92.1632 null]
+/D [1506 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1505 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1511 0 obj <<
+/Length 2059      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÛvÛ6òÝ_ÁGjOˆàÂëñ““Ú©{6në¨/us| 	²¸¥H-AYQ/ÿÞ (™NœÍ=p0˜æ±€ÂyB¨(â +b’P–óõ
`ïÝs4‘'Š†To¦g¯¯D¤HyL—Y9¡y΂éâ.|ûýÅOÓËÛIĦd%)
ß\ß|‡˜?o¼¹º~÷ËíÅ$‹Ãéõ7ˆ¾½¼º¼½¼y{9‰Xž0àçNÂ3W×ÿ¾DèÝíÅû÷·“ÓÎ.§ý]†÷eT˜‹ü÷ìî#
píÎ(Ež;XPŠ‚ë³8$‰…ð˜êìÃÙϽÀÁ®e³_"r’ä<1`Ìd4'E\dA–$\XÞM¢”ÒPV]Ôµ²ÖKÕFºÙ¶s…¿Ñ„–›ø^.-bþ2·8„‹¬"F²X$VØ¿ìVBŠ,Kƒ„0d¾Û4m‡`¹¹7‹¸:ÇÏG+!â´ œ%	Hg¤Hþ]£Çt¨núT]ÎËhúru­¹ ižò5^vxÙð
+[­¢gM¾Wú¾iïëæHµÅM­"ÝÉ®Ô]9×'FÔ³œIíÐ][ÖŸc>ºÌº¬£V-[¥WQW®z»ž©öŬå§ÿƒ«I×î¿J{ªÇ׊8Öb[ue´–ºóLŸsHÄ)Eý}îÀmLVãíƒßïké5¼›WRk†bĉíöDZlÚlçŸ1…#9$VSWû¿–e«»CB¿ÀNŽjµ×uîSè¬_J-Bˆ?Ï~þ~Il«J=@‚4ud.ðõa£‰¿Õ#ìÄ#'zž1:^_qôè¥Q
*;å(Øt3žCk£N9ì\ V¨µª;\~§~£”×¥91²^ ð‹–ª?çÐGŒbè$,œC˜;é×þ¤é¤;o”>í’ŒQB™HQP’Æ¢xQŸ„~“Éq›üŸ˜¼ƒÜzö|ä£ ÊžãXTÔ_)iJ2Ðx†žÀó<DVËLkW*ÐÔb@žÅ$cEg²éÊXŒªUûhJ‹W²ŠçE(qíËŽçÍfP³D¢Î‹0!ÈNú=,F¦@íʪBh¦Æ*†œUÎë]ƒßM;ayØ<–·!·ÝªiKÓª=ªÖ;[Ìõ ìÈiÄ$ÌÆ‚¡m¿Í_&0X‘BZÁ”ÐW…€ãx6XÂ`h£Ï†dŒ8D’‘âÄ¡+ù¨Æ¦Áœÿ/ŒS2GkAï©<,5b$~¬ñÕ¦*ç÷1úý>Jœ¨ª1ç6ž&¼Ʋ8‹È«G´ɸ׶‚‰Ä)¼Qó2rå,Î`(ÊOꙩAÊÆAºú*·ˆX7x\]ÿ„»¶g´Ö=çÒ1ø˦Š#èV²ó;Äps(¼c±ÝÉyçØàNÃíòDZ•¸™úlëIý)½‰… á{g=KàlPûMQö¢dhYéf¬µAFLkúFÐj¿pjkÀ¼÷”Å›³4(
+ßì·PK	ÃÊ+ô¾Fƒôf6`jL‘%¦ùÔÍXˆÝ›g§)Œdžké¹Fôóâ9eØzYóf
Ufauç’±¬çž°Ão³´Æ3<àµÐˆîCÕÀF£í‰pD¬ªÊu9Z@k¨•®É›öa
‚+aDîLp"h+'Ì@ì®\t+䌆7§ð5Ü@\a¥zp˜ÕzÜ2	-Á}EHTµF”M^À¬¶µË²…ßY:ÚU³Õ ›ÆÐa‹Ù¨ÑHµ±ì‹ùÉ”Xó¨épc<°f
+Ûp	ÌÍÿˆ¸îvMTAÈVˆ…òo«›ÙÒó•Z;j7Kñ~î.(l¿ ˜’WH$BõiÔmr½©Ô«Ãp	åº=h<.÷U>wçÚáxöÉ(‡—ƒÔ'{°™&Òœ$IÎýÔQ>¬:‘ÆW¢7‡ cï®ìøÞÿÙÚ@‚ê„ÀÜ°í±»j‰Û¹Ö6ÿ†l.€2¡CÌ ·iô¾ñÂwè=6a©÷Ík=Q3µ’~ö‡àÙ#¤«fW9¸\âwßlÝ3bë²Ý<.)E½åªúÒ#Tñ¯‘Eé
+_×ÀqJñî¼/†ƒû·=bó"Æ¿Y
+ÊÒ±¿niÿzÿæ?Šÿ¢Ã€
³ïÇ:MI΋ÄÈ2^ÉŸšÃÿ£ì¨ªÿès	Ñendstream
+endobj
+1510 0 obj <<
+/Type /Page
+/Contents 1511 0 R
+/Resources 1509 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1504 0 R
+>> endobj
+1512 0 obj <<
+/D [1510 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+474 0 obj <<
+/D [1510 0 R /XYZ 85.0394 457.5229 null]
+>> endobj
+1513 0 obj <<
+/D [1510 0 R /XYZ 85.0394 427.409 null]
+>> endobj
+478 0 obj <<
+/D [1510 0 R /XYZ 85.0394 427.409 null]
+>> endobj
+1514 0 obj <<
+/D [1510 0 R /XYZ 85.0394 402.9976 null]
+>> endobj
+1515 0 obj <<
+/D [1510 0 R /XYZ 85.0394 402.9976 null]
+>> endobj
+1516 0 obj <<
+/D [1510 0 R /XYZ 85.0394 391.0424 null]
 >> endobj
 1509 0 obj <<
-/D [1503 0 R /XYZ 56.6929 80.2081 null]
->> endobj
-1502 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1512 0 obj <<
-/Length 3461      
+1519 0 obj <<
+/Length 3497      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ6òÝ¿BôŒÅ ’Ó§4s¾¹¸=Ç}jû@K”Å+Eª"eEýõ·_€(™î´“d<\.€%°ß»ž)ø¯gy«¤°³¬°qªt:[l®ÔìÆ>]i™3÷“æãYß?^½»M²YθÙãjD+UžëÙãò—èÿÞÿôøñáznR¹øzž:}wÿc
-~|øñþöîÓÏï¯3=ÞýxÏ臷>Þøx=×yªa½
-o,¸½ûÏG†>=¼ÿüùýÃõoÿ¾úøÎ2>¯V	ä«_~S³%ûßW*NŠ<àEź(ÌlseÓ$Nm’xLsõåê¿àh”–NñÏš5ëÌÐñs»»ÖyÔ½ÔK(÷úÛÕC9Ô/Õö‡j×óï€zˆ/5.ÕÀ6=óöÛä…Š¡æht
-PòOHÊŠ7U 5*N}o©X`–¹Yf²8IKì›ò¥šÒg‰xRÉd.^TyT÷Œ)ùAܯ¶M½(yœ5 Œ5"à¬1¤b¼‰ñ–*âÌfV¶Ákû‰Ý&ÊG¦5u?Ȇ·Õ¢ž“ÞÌÍbër{®?¿*e*R„,â#¥°å#6Ÿ†ßî~âÑr¹dt߇•+YàÓØVd°.ÉG<3·èÚù”råbðH»]´ß‚ɲš7·°ç¿Xœ$*ú,Ü£	Â#˜Q5Õ¦j©²etÙôÝùž8$€Î`m[nðôâGé	_Ý!˜I¿ÕÃ&@BÑ÷GÆ-«U¹o†–þ°‹\…¥g{B
-³œ´üÛù¶›éhÛíð<™‰Ò„1]ËOf"ïP5à“kR\Àó‘aå“L\¬Ëö¹Zò{JrD0í$XÀ>§öFz·:Öí3œÁZÔýĦ²ID´ûÍñ
-°OÕ*èŽÑ†q€e„(â0`P‰ÞX‡‰c¥¥¹-Ï-§¤·­hÝ<8òÔFOeO¬°\
+dEíϾ‰
-²|Ž4,}¨‰Û¸¬»X~
-1—L"¾'Ú±ªDÊ¥A;Ès¨‡5C—[GÜã—»Oý^q[©*¢»•eZháPÃsâ“äC¦¿¼™4<8Ìôç@à̯÷”È„CO2åAf;O€>
-PØ.†T|ŒñGØ«"T÷SâÍD‰ë”ƒd¢Œì­éÀRs2|“=ö0)
-먟×eÛ”‹ÊÇJò
-Hºl
-ëÏä-–~‚ûÀñßê–@%?‚EâTˆ1`Á»·&V™IÃîßýõrJðœL?¬+‰/¯)'[{"§ÁåÅd¹ÓÆ8sÿ¶j`T`¸ë‚ìŸÐôKÞ,1 5ŒSš·JŒŠKøxªA9”?”

û§i+Ë ù•IÆsr^þ€£H‚càæÑãÒ0±>á²"9•&²GR€>/ªíÀ3Ä}#½'ŽB:‡‰k€æ8å¿Ùg›"ºÿ‚Ï<„5z’³†AòȆm^}9€(q€­[À–Ëó>&T!”u˜ØX}>^*·ø…!s6àòÛN"kÉï=Û%Ïȹ-)kVþ”÷£€øáþËwud܈z ºªÊa?ƇÜj1™Yu>˜ŠœºI5:4,E(Œ§¤@¶ØóL*y¤‘<º–Œ!_ÊZ*œ½³žAQÏÍ^È°¤í…¤§E]gœq:ä*-iFÿ²ÙR0¼ª¯Û
-aÛË;©ƒÆ¢œüqqJfÙ<á‰føÝdÂ	Rš³{‚ÅÕ õ튟èXý¯&ê[ŒZSAɹ8‡*[‰-!µ«	[O¡ŽÏÒB¦RAš@Í_}Èlž}QëËqu¬;WRé$É.³JF²h«°TÅçýŽ”Šj¥TÚK8ÎÚ‡PÁ~¿Å*m2ˆP
-•;ö‘às–NŽÛ¦h3€;”âö¡ð…½ÞÉTù"@ö]Ž¹™.¼,wV;©¬…~P¬Éœ‰´Í8ïhŒCG³höÄijÅ€zï<Žªj˜"ÞS“u݈Z´Œ!%r…÷«Î»ª	³eAc~º©J²ŠŒÓiÊM5³P}·‘ÌxQra‹™+˜óN–/º}³dð¹’„¶DFJjEš7ÝP]àŒ!s|*S:jÏX–/Bu˃ÒCp§®ð6xéøÆŒŽL0‡÷Ä
-á—Úé趹0D̦þŠ&ˆàÐÁ‰×\ùN)⥟Šž8ˆŽðÐÀëª:mÑ!V(:Q^O›#NZ«òÝ
-Š±†'ŽyøPÁÀ2Ãn†™Zpƨ(â³å›ì³°~*{:W:²y.¤¨âL¤£¼0aÏT:êéž…9žy¶GrSyÝ&“Ê“"˸/}J@CìëÅÿª ˆˆä3¥*œ)U¯ÎôWÑQå!:ª\¢#Òeˆâ¤Ê}œÄ1™\òƒ-JåRì瑈|ÁáHùtEù4¨ïš=÷€dÕT4B_—EÏõzK]sçÄ%ÄQÙi9–â3”z±§´ß)†áÜÍ;ïîó椵Ýrœw¾¼áf™d0Jæp|D(è¾Ð9
{eX²ÝÕ/’ZÀ’
-*œÝïü²ïçSrbúÎE·t¡s~…]™€iÀ‘IdνÒÆŠãs!?p.¨€cçô:|_02üºã&âr·-'bx‘ĵ}íËXXâ
-_Ï’€‰RñV»¶lx–°ÔúãT÷<ªjÿ±sz}“3ê²nrN­Ö±·îuÆÕÌ7–H§ºKCM*—ÿ¢aÉ›u—†tH©Ü¾Uwñ™êK[ç¸=Þíån9u³“Å™Êݩˆ~5Æò)‰:„ü†1Ÿh™Vœ¾“éÂóB79¢IZ8´Ÿ@¨Ý)Sñ.Ë{êSS €]¿¾,Ê@e¬?Ö©
tÞÊHâì4	
-¢*Žqbøq;u|ƒt7‘µoó7Éc—…îß.h
-KƒœÅEå}È‘ÍI.ârýåUfâ¬H/š-ol3g¼êU¾
-xçÀÙ÷èNÓæç百^KÁZÒüÛn$ïZ×ô?Öù¦8@åvKY2:׎Qì«]]I~¯u
-l‚òÿüDàɈGÊß”A<	J Bø@ðéÈÃ2/ÜIªìÔ1rt@¨nê~Ü@Šßþ;<Ðqžñ¼p\Û$IÏUw#õ_"·‰ÜLW½îúbjÒò³Úl‡#ƒr÷£ÍÉ{›óâKƒÓ¿µqØZ
-í;ú1ò&4dÌ%¼œ¶±ÓIqqåvảÍF§eÃ啬Qr¥%!ÞNÞÁ:Pœ{b2¢³$¯tÿ‰#oäíQÊ–ÓÎ8Pùs*|^3°Èc“;ßøì¶TNY³‹‹Àç ù˜»râ½ÿØŠ?ÆíC‡î‘2öF"%«>XžÉ´½ì0ÕÆÈÿÐýB·:e‚çÙ$ßóI¼»À.g탠_ÒÍgì¹vOŠ',ödÓK…šâG+£ŠÀ·à ll³ââv]î­¡Æ­De‹—˜”[û:ìà¨4Œ9òàâ¡£é‰(*Ñ›Zˆ…q¾¥ÑÑKMM{X…©B9yã÷´ä‘TÍF|r†£ïÚ8ÉÛ	
-I:u»X	…ç¹
{â+Àz  §ÑgØ9LFA¹N~%N’¥Ï|FúÿVº3N"¾13Á_EéLAfR¨8ÍR;õÛ)øó/µN?c³Yœäù©}®
-{RE†Á
i!÷ò×MwÑin¬ÑÖÿ¶Æendstream
+xÚ¥ÙrãÆñ]_Á·@Uâì\¸*OòZZË•Õ:Z¥’*Û	Š°I€&@i™¯O_‚$ä#[*Õ4z®žîž¾†f¢áÏLâD%¹Í'iîU¬M<™­/ôäú>\3
ƒ¦ÃQß<^¼»ué$Wyb“Éãb°V¦t–™ÉãüÇ(QV]Â
+:zÿéþöîÿ®/S=Þ}º¿œÚXG·wÿ¸aèÃÃõÇ×—S“Å&zÿÝõ7Ü•ÈßÜݢœ›7}¸¹½y¸¹sùóã÷7ýY†ç5ÚáA~»øñg=™Ã±¿¿ÐÊåY\pÃ7JóÇVD>cw¤C¸¢CÔ6«Ú×~ÖuÚº4z®^Ђ 8oÐÍ!œ—·COèÙ—bƒJ5ÛQ؇ßäÃp’FãvݲÙV4¼”a	sô¶Ý²ŸOÀóo CðqˆÀa 
+:%ŒaÿˆP¯øAç´l•aÊf[½HhSÊîµÙþÊ»v:.àúI=ܾ7¹Éøcàve†{î$‘A{ªŒ×ôñA’ô*°q:wß'D­ªzŠD¨b»)F|xîxm#>œB«$c9𓀜øl!)·u±âQÂRXšˆ’3)Ùý‡ÍŽšcYÓmé/.|ðÅuðI±Ž©ÓÌÌg^e‰K&Ã|æ+s$¯Hb ÙÈ\“ì/,ÚOy+ñr©S>ã$r$ñ"6¹xâs›L–¿€¯Åv>"Ë4U©†Q}îå}ýd­ç)’" õ;øý8¶x;½
+ü¦ëí‰~2r°&i6âðõåѦ‹lX3ƒ™°&ŽžŠ¶‚‹=µà·®å\C>“œÇ"+}~vëTzIQGYo@Q
„×Ý~SŽ­ŸbÈëdîÛüu™JÒ,ä¶dƒqu`O'gAóq¾>ÄÉö 1»S‰ˆS«Òí¹[Æ¥½gNÉÒ¦$ÑÝBPÍ 6P1róÏðÀ¨,íÅO<ÂIbå‹…³–ÐÑÅÁv#6^:lDþÓšÛr½éö®ªV-F…g0`OþáVå6ùW †yÕ „æÉx0%.?>Òéev>Hœü”G×N—ÈQìb½¸}Lz¯8€‡Û1ƒ=,&ãÀCK;ëZî9+B–»—Ôå@{JÉÏ9óLÙ,ñ•fC)âØmNTÞó¹×|Œ‹“ââ]ØlÁ›í›¯'el­xKV}¸y65þ´ÊT‰+#û3µ>—d=„üÈr¶,ê磘†?•hVÁ†É}Èù¼Î7OàŽGnÐäãS…ãG®´ÕyÏ·Þ@yåÓüôLZo!ûŠµxfIæwÖûs·ƒ½èE¶mÇž'w

w¢¨´ÞØDLÞ°C'Fú¥š•<Ã…âjL“žv×VXn‘Ù2‰D9&	•›Dbw‚ú@z²Âó
+¹
4éØ0†Ô©>
¶aã0ꩬ¶ØŸ‰“d¢Ÿþ¿ò#‰¯ŒN!OjÀ©þ•(J&¼îhè÷¹ûƒ:3\@±OJ,¯Ñýaù‘Xg°èPuñ>¸4ûË’hÁJ¡Œ†x—¶/yRΈ‡ð¸PÁTI¢¾BP5šÆý›Üä"fúRÂ]õ)‚wTssI\²Îž$'…
·H8U
+MÎԞΡÓÜ—ž*Ì^h¨.Þ0Ô›’hÝ´CRq’RU"!.&ÅÓ!Ô§tS§ìϱ¿á6~¬0Žüa÷‹í±¤¬•”zf«¢•Aw÷WðpZ8)ÀÂbˢřÍzS­Êù”œ
 æå¢Ø­F)’ìÈHvdƯAN¤YTpâŒÞ{¤Žó9˜Ëu ÁœÖÝÝË,*3 ¦n¸}ÚU«nÊ%ÜS
+©âtdÇ7
ÇàN~Õ-?˜@oþÊŠaÆ[†ÃêDÛ,SÚ;Há0½Ìt*zÿéãwÝß<â³åÿ>=|@¤¸ïº/‡¤1„øÞsÀØ"½õQ8˜õÉÿžñ-Ä…28ëÐб×;¦¼ â¼É-¹i“»èþ?ß~úx}w¯Í’EhÞ”2„žhg3¢”±ˆCD¨Çâ¨òñÞðjcF`Éel¼rüFÀ“xtÜ¥:­®Êbò}«œcþ¤RÃ0±n‘j­ŽÂÄ"îpF·ã $2þ ÌÄÃ:4N:Îaæ§)ìQÔrV×,C•l[Œ´¡¡‚K†Êû	Ħ*É=½sçöyÂÀÃॼ?N «qŸ­‹TmÁjOGØ<¤ÒåµÍŽ(:{±ïGÐqvŸ­ÆioÙë)ü:ãz°×‡ßüá`NœÇÇ¿cø¿&2€•™Äb¢Õ•!/ÏxjÓ‚\ç@“Òμ!Ûð
ã!w±ÀÛð3¹!Üh
æœïÈ
Ò¨B ÏI~ˆ,MÎwôo-àDµ\8ÏÄœ€¿ŸdÀ¢Y­šW¶Pš*ØÜPxBvESøsÚÅ`ve›¥‡ñ~+£Ïídâ*·&Ôw œñƒNe>
ù!úšñÒ²IU®mx¾£p9š{,§éô° áÄlêÁ5ùÜÆÇF-$Çp‚>6cÒ¤{w¬ûþY³³Ô†Å”¼­ô­‹_Ä­fz€sa‹¿!™zg$å̯åþuð3ŽßùîóØ
+áãlPG#}”·ˆ}ÝÔûõ‰Ê±.¨·~æ¨nhÆü‹¿ú‡c‡_ÕÁ•sYfÇ=Lo5UxÊÌžÑn´²,ññÿü#Xendstream
 endobj
-1511 0 obj <<
-/Type /Page
-/Contents 1512 0 R
-/Resources 1510 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1501 0 R
->> endobj
-1513 0 obj <<
-/D [1511 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1510 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1516 0 obj <<
-/Length 3204      
-/Filter /FlateDecode
->>
-stream
-xÚµZYsã6~÷¯Ð[誂“Ç£3ñLœÊØS{$y %Êb"‘
-IÙñþúíF)RÔd'[.[@èãC£qˆ‡?13!™Ì¢D3Ã…™-¶|öuï/„ã™{¦y—뛇‹¯ß©h–°$”áìaÕé+f<ŽÅìaùs2É.¡¼½»}wóþ§û«ËH7w·—sixðîæ‡k¢Þß_}øpu9±ÁÛï®>>\ßSUèúøææö[*Iès¢Óûëw×÷×·o¯/}øþâú¡Õ¥«¯à
-ùãâç_ùl	jÁ™Jb3{œ‰$‘³í…6Š­”/Ù\|ºø±í°Sk›ŽÙO˘™0
-,#•ˆNKCpÖ‘‘`‘GƒÎcÁÂ0"LÀÀa·Ñ¢ã!9K ›Yd*©¬KÖyÑ ]¾~æ0f‘–882=¬30¥A^äMžnèG5D”+üÊ ºqP–®´H·™g¬ž³ªv]¸o½Ëù/œËlIû:/ž¨£”J~‘R[ùì¯ÿ”E†%ÅÁæB°Äi%üÇ:+-	’5q£:ºI«¦&z¿{„4AÞ¸‚:«Úv5I¬¼¡ªÛë\Lì/ÜÝ¿^Á¨îªx¥â´¨_,Ò¹WC¥¹ëÝOàü†°CáKÞ¬Ëý(Ü-8udî6ùƒ”Ò÷ŠJóm·ô`Wë¾ÖnÈîaœ*o^©¼Îž96*~ÌÆ"AC’§
--˜»5~UpûÏoï>\ÝÜ2*&Ï"µ,3ÇRàì´mv;t’èe¬³Âa…âÊþ´¶ÔÛX{m–4çlïHæ&fI’è#ÏtECŒ¦˜Ø…ð9­òÒ¦7È׺ɶ5Õ,Ó&}DC6$õ~±vÍHSQ-žHýγ瑱åz¦M´©Kú–¨¨•p»>(ù={}¡iy~
ýîÓØÐLkãý×â‘>õkQ¯Û#ÈJsß¾‡¨«Â%õ­ÑqHhXŸ³M¹ÛÒ†	jìhð}»NËæNhÈBR*ýáê–ÚíÈLM¹(7Tµèæ?¶§‚Xi6@Á6_B¸ˆ8FgÁ¿iï5è"b&…b·ÝÄnÓb,Ûò©L·˜*fáÐþîMûö»«»1(ÓQv'ˇza}.`‘ˆã0„õU¢¦U7°+Øš ÑÉõà`v0b¢
-aÉUÆ’Ó¼Ëuz¥i¹lŽŒ!þÏWƒôA@¸¢ãäè-×Èð=䊘	)û÷¹U—Y½¨ò›È‡æM"Æ¥ö¾:Vâhd*Ö~Î·ÖsÜ(v˜JÜ<ÿ‡ý’Ê‹ƒrˆiÕ s3hyÆñ-×A†½fn-Ø”f
-]5
¶×Ø<×ÁOì³jk’q¥“éÁ[®‘ÑûX|ˆPõ‡ÿ;ÁÖ*qŒ5H(T›yŒaM1Š¨§ç$Öÿ‡ý~>ÖtÂ"-ä´é[®3‚{›Æì%´ÔêÖ:\Xó\Gn‚½Ñn2dIÇÓã·\#ôÓR˜_!}	þv¸9=Ž$‹¢0<‰8ðl _êê0¸–ÿŒÒÃ~?qQ‚;Ã3Öo¹Î	2èmq2ÒÌ@ œF\—ë4âZ®ƒ§š*-êUV
Ç!fzü–kD€â0»%ø;×ÕãøJ´uq°ñŒNzªN!ÎóŸQzØïç#.Œ˜VIë·\çô68­!> endobj
 1518 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [251.8681 599.6322 347.399 612.3694]
-/Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
+/Type /Page
+/Contents 1519 0 R
+/Resources 1517 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1504 0 R
+/Annots [ 1521 0 R ]
 >> endobj
 1521 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 360.3945 352.9489 372.4541]
+/Rect [251.8681 205.1117 347.399 217.8489]
 /Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1522 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 330.5066 350.7374 342.5662]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1523 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [311.9531 300.6187 380.6251 312.6783]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1524 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 270.7307 368.4306 282.7904]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1525 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0084 240.8428 360.6804 252.9024]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1526 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 210.9549 399.4641 223.0145]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1527 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 181.067 470.2682 193.1266]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1517 0 obj <<
-/D [1515 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-482 0 obj <<
-/D [1515 0 R /XYZ 56.6929 560.3013 null]
->> endobj
-1519 0 obj <<
-/D [1515 0 R /XYZ 56.6929 535.1807 null]
->> endobj
-486 0 obj <<
-/D [1515 0 R /XYZ 56.6929 416.2201 null]
+/A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
 1520 0 obj <<
-/D [1515 0 R /XYZ 56.6929 391.5178 null]
+/D [1518 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1514 0 obj <<
+482 0 obj <<
+/D [1518 0 R /XYZ 56.6929 162.5022 null]
+>> endobj
+1522 0 obj <<
+/D [1518 0 R /XYZ 56.6929 137.1661 null]
+>> endobj
+1517 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1531 0 obj <<
-/Length 3163      
+1526 0 obj <<
+/Length 2817      
 /Filter /FlateDecode
 >>
 stream
-xÚ­[Ûrã6}÷W¨ò¹*Äâò8Io»ÂÃúb(˜Ž%u0=~ëÊÒÏícÒb7OÅæ9Ùÿ1Œ‰„ù$.9 fDC)ÂBò¡ìOEagÐ,³~ØíæXº²©mC³›[jR¤›¸¾#±,CœIÏ«²I¤ÐS"FÚÎããÊ>ÜõÌ
øs§ãZs7gôËÃá±JüŽÀŠÆç= ™ŽfyeôÆ‚ã8Ëú¨Ë,¨ó½”Õv“·®e	&²¸ü€šQ`èDÊ¡oɵ¾#áB{!)/2Ž28mXJ¦FðFOÇýlƱ”#	›8>ûµ Èt´8ã2ãúüZaœGW
-¼nñx,»×)å(âØQjFƒ!å¤>ØåP…·¤ÜÀ1ç0„<$Â9* ü€À oDŒs¿`õtÜ¿À9†8">ýµ Èt´8ç Üà"[òr=T„su^ª¶|¨ÊúqÂ8ÆcpFÅÔŒü!ã0øs¥†
-ü=Æ©ãzfŒdsŠ¤Rê2߈ÉÐÒß<~Áæ鸟ªªBâsïAKjŒÇŠ’-S° „-8¸>ê2ÙÊċűIê&i›<éºjêàRX%,ã
-ÔŒCºeH
-Š‡*¼
ÝfN"ÊhÄ¿ÐIª©QÿæðFOÇý|Sà“%‹Ï~@-)2-N9	¶àßú¨åÍ9:
-¡H\€šÑ`ìè(|
ÞÆÏÍØ1ös‰H¶J)Ý Ðë›õs¿`ótÜ¿àç TpF'? –™Œg\
-é½ „;ƒ"|s -Cþ·Å´ Âà„œ>&6€¦r,#
-IŽÉ@ð§C±)w¯×:çs…/ªLqÐ6ÅÌß  íolëƒCZ]–ÒOº,e m×u$×\ýúõ€ºü*Óõ½ÛvçWvMU5/ƒ¦\O0<ãŒøZžLæؽP8ÓR×Ð˵֞[ŒÓ!ñ9LOa*nf­s×™Û?UÙvöÉÌ^žÊ®hù¦H¶EUîK÷ªX{)­¶˜g1tüœ¦äèÇé²-ê®LlQÐë=¨	ê—uÍ’(áœ<œÊ4ÃB~ã¥j×[ۖׯö¡==´Åo'c-ÎÚoòÖ¬±éOº,éÕhâê¸î³6°
-ÃçxÖµ(3ÈퟗüÕ>´š¸z6ÎK6coy–œùr·*Q™Ýf)Ãçb¯þዽpv÷<%•ú:îLJê*ì2Øõ•úo0²úò¯[û\ç]ù»_ÖɾØ7ÇWûÓÎÂ6y¨r:ûÓkê,CzaXPšñ&kXSx9¾¶lÊÕ:ÏëO{—?»I,èìl}„é5œ­Ï«“©˜Sz¦Šî84­Nã
-ÛUîlk¾Ý–Úµç•mï;¶Þa"Žn´']¯7ÍEQÛ6È
-ŸÍn‚VàIc[Ãbë¶8Âûúóù¤ƒ×Ÿšý,ÇÚ\ÒC¼Ð³í…'ݦ:m=_ÊîiL®Rûª‡Óù°‚gûP7ÒÐçôë?Ø
õ.ž9T(xXrz ËgŽ7YÂ
-&'fàR‰
-
 ©ÔÁ‰îYêïX}±oל•ŸäëˆòXõ§ˆA„ß·/V|÷𸥓Q??˜!áLÅç;€âZLÆŠF2”I$Ó,[ Uá•G™µ)ªâ1צ'M]ÍTA9RàFå{ÐŒüøþJ™Ž°>]q}BÒüQ?gk£Ši͇ª´'wG·ßÊД‘Ӄ}rŸÉÆÄúvçz‡‡¦g¡=3ì¿¾íÜ'Mˆs	’o‘r®ù¥ž~›—Xøæ&¦±279$5NVP±jšg8u¬Þíô×`~F˜b<Ü€ùN_œHˆ¾Xp|5	
Ømn‘NŒÓÖAçcÑuᕺ±yݾØ`GG—‚ëÄ£šŸô—3|²13澉Ÿ…—æT9ù¹NÂœN¶¥nŽ{Ãé&?ƶƶyoDA©äl˜šAÐTl/o}™„Q±°z¨Èð¨ÞÐó;Þ“°RQÑ4#zxߪw@_ö6oÂ.ûun êœÜ@ú¯1¡†¨Â–o°b†ºÅæ«úIÚÍ]ý³õõ"ýÃ̶î­ó}a›4z]ðpw•»@Xc«æÑöüœfé¯Íé)!Ö¶àaBAî]2÷„±a´
P‚)¹>mºñÖ~Ýd¶Ñ¹¯…ç­Ó&ùÓ‡¢vćŸ?Â\<‰uq‚x¦p¸Dæö•k8Ù_ëj1Ø4bæ'Λ‡]ÚqÖ’Ë[†
-$„XøÔGE6G
vM·?$n:'ß¼õÝJ² D@Íh1˜6–!ˆ%Gj„íc½s"õ¶Ùœú—ôš^Rë“þóuU©88]ß"n/AÕå™NÊïèõQ‘™ö(Ã"GÜI}B|Æx\p@ÍHú&ŠÉÔPô;uH¿$é•çdØT_¶ö§åã-`
¥¥‰EÌ_wàn‹ZçpiæD‰‡£š3G¿î{5Ý/É0E!ë„À¡Ôp^ÚÆÔb¡ù
-S¢pÊ&Õ:
-}NÖ¸²_?sÓyí&ðõ-Ÿ˜ó"&çlù^/Aê|Þk/83–Bà}éÒ=Ûœ4ý¼§£R’3§/,]/´JiÅ%k®úOUÿ?q‘Žendstream
+xÚµ[[sÛ6~÷¯Ð£<³Bp%€G7µ³î´v×Qv›>0s"‰ªHÇõþú= @ˆ$(À™j'“1~<7|88$2ÃðÌ”@˜i>“š#‰˜­¶xöž}¸ ³è@‹>ê‡åÅ»&géŒf³åcO–BX)2[®Ÿ¿ÿçÕ¯Ëë‡Ëxž¡Ë…Èðü‡Û»m¶ÞßßÝÜ~øíáêRòùòöþÎv?\ß\?\ß½¿¾\%¼O„/ÜÜþ|m[®~ùåêáòåO×KïKß_‚™qäÏ‹ßÿÀ³5¸ýÓFL+1{­él{ÁC‚3Öõl.>^üËì=m_ŠŸ`
+	EåD)›
+ Ð(cðÈðjW5OżRbþËíÒ4ø|]|+6Õ~[ìû¤¬íß÷OyUïŠæðQ³yn{¾º³ïí—DÍ«¦ZUûhÕöyS¬¤…‚VÛ±-×¢%®!öœðùª{²Î›Ü‚+gaéìYå;{À‚¤… ­7Ÿ;<õ¾X•Ÿ0¦­Vèx)›'Û2záÍw7œôb£!ÌX8Gªû4 £ˆI•9Ôj“×`³…õe-H©,›-˜FsiÃ.ª²aŒ;7Á¢û}SV»:àFXͳL!²sÇ}”z21ôeÊ7›êeã_>¾Ž•NW2¡Ý£&Ô÷Gx†x¦Fú?ÅqHÚƺ¨W‡²
‡í¨'â«%”k7c/Fª…Bšf.wcGa(#:8j¾Ìlã¡ç²Ç'\åZ—WGç!&0	•jˆ½G¥	¤CÐI¶1]Jlë¡"lëPÇqúó¹8L
²›"<®Ü£&´É&Ë ÔŸ“lÞ‰1×$RŸæL<
+r”kŸð8”ûv®I³˜Ê,zJH‹s
Ȉ\%¸ÖCE¸Ö¡Fô¨‚a Baňê÷¨	tË€–’ýÀ‚¿G7ÒÍù1R.)’2§	šj¡®Æ×áN‡rßÌ8Ž%ÒR°xô=*aH(-Ê8!M9%kiušqu©æïêG¨¦‚§¥*®¾M¨ðMpD±fCýçä[ß‹‘ò,C™Ý'ùF5Ô½„
<ñ­Ã'œå¾=Ãi¤Â‰à{TÊ@Zœo0OÁ‰Õ´Šð­CGêy%r²
2— :®Ý£&Ôùùq:ÔN¾½³"…Aói¶pÃe›Ã'\å~Gí+ ,ñØ{TÊ@Zœm†4ζ*¶e4ÚZì«M¹š¨Þ"”ò¸zšÐ?¤3;g94à£ßÏÕ6þ¹ýó	$~,·û#!ŒÑ³ÝpÚÏ¿µ†”ýì< „@¡¾Â-‘Çc+:aPóõ-ѪÃ'\åNÒ
+öˆá¢I3ØHFcìQ	CBiQZq¨ê‰E³:M+Oÿlñ_òúÜ}ÛA1Ä
¶qC•2$'!ÏLÀ+i!a‡²cVW§A”Zš'”{Ô„öÁ3¨ï¤©¿ßm^!ìTÏ·E¾²<>oìçrŠoàŒ^WðŸ<õ€rIÙíZÛÃ;˜Ã +lÛž¨A£yêÿ·Ú&+b6_>9X]4¶ì·V櫧rWÔÝ˹{þRnœÝ6ÿ®
+¯*Ÿ8o£™@0ðÝÚþã]{Þ!„Œ$1žêÝÝ/ooþ=u §¾;Ûu)ŒÎ?Ó°þ1¬ZÿlŸí1ά]ÏóÞþ5nln¼±¯;Ħ¬Û3LÓÞå[×[‡oÅÁ)ø„v§©öÕ|7²?”ÛÜž˜*ÀZï|µÚÛÔ@78u~@ÃÊà¬sºö›çÚ¶òÝ«mÜþê:Ök;u]Ôö½Á™¨Á´g¢!Å(”]TdÇœ6˜Á,,ïŽ<Ìé¹’ó+g^uhlk›;ó>#[.É̱á€0@Ñ%†conMt`Þ„¹0™˜¤âMÖ
+
+[ú¬³¶#«¡©ºAÝ­]8ÕÍ4Ë˳ÁKÊT$í[§±9wLP!,/ùó¦ƒ>Ú§PûL'k…2s50LÂS‚$¼Ÿ ³Ü6¹>Ûl`Λç϶ehV»"iy\ÕæC'Õ/™Åvß¼Ú¦™-'s9Ë`Õä©]Qu:—{T{$ÿT¬¾.Ìì¬Ã*•¡Lé„ršÐ>Nøð-?”Þ€Õªj%µ%••U
/l
+u	RB8_÷fEË2=¿©SKÂkƒn±¾O¬3¢ºcvf8­Õ þhµlG|¢R¤æ~¯[«ór3Uª¨I/ž6J$íÐz“›ÚBC¥¯©Ïç°jÚ©“HÊåtdùíQl«ËäG=†4&zȽv#gî»[»ÇéAƒò	Ó®t†j¤™²¶ð}¯O&#ª5âLòx2ê£N'#:&£í_A&‚
ÖÅ5{Ô„êaU	ûes)9Ð}žíL߃ñº/PÆÕéƒgª¤	‰8Ù¾x|ÂÝPî©í	¶õ°ºJ¢Y<î•0$”ݾ@Õu-&	–õP–u¨ãAõ½^Áf3¼êàPH×ïQ³“†C©¡çäZßðªƒh¥"Wfÿ+q߇èU‡Ã'œå¾™q›s-ãÑ÷¨„!¡´8ã˜0¯&.×ú¨ã:Ôq¤ ë_enšabdÊø¨5aÁrÊ|WE
M8'厌9GÁ4Â9&a…A߉ç:|ÂëPîwpŽ£ŒJ¿G%	¥Å9pjÊ8çz¨ç:Ôq¨êòófâ|°ýv	7K`L½GMè2Ž I}hÀy¾>¸1¾ð`Hi­#æÒ‰=^x8|ÂçPîÛWU‘¹èƾ¥ÌËŠ’ÀŠÀÍ÷£dë£N“Í£Úz±8˜õ¢®òEÓl‡a”ˆŠàQé&’ŒM8Ý&N!Æ#×¹l¢J\æ7‡O8Êý¾™›`ÅãÑ÷¨”!´8å æ{‚qÊõPÊu¨Þ›Í_ë¯ç2`	ÉxÔ„	ÎIxªåȆó,ªSžŒ¿‡
+[ÅLF¾’g eß¼Ôý›Ã'Üå¾}U…ݘ™ŽÇߣ†„Òâ¬ÃaÂ÷o}T„uÊh\ïê¯Å«¥Ee®!ÒÁÞ<ÃøïÿöO(Ž¿/á1uêz–™í5…íµ3Ê®ØØrÿ[‹Ðôÿªœendstream
 endobj
-1530 0 obj <<
+1525 0 obj <<
 /Type /Page
-/Contents 1531 0 R
-/Resources 1529 0 R
+/Contents 1526 0 R
+/Resources 1524 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1501 0 R
-/Annots [ 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R ]
+/Parent 1504 0 R
+/Annots [ 1529 0 R 1530 0 R 1531 0 R 1532 0 R 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R 1543 0 R ]
+>> endobj
+1529 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [312.6233 664.9538 381.2953 677.0134]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1530 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [310.4119 633.2165 379.0839 645.2761]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1531 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [340.2996 601.4792 408.9716 613.5388]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1532 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [328.1051 569.7418 396.7771 581.8015]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1533 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [286.0435 713.6209 354.7155 725.6806]
+/Rect [320.3548 538.0045 389.0268 550.0642]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1534 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [339.144 683.3704 407.816 695.4301]
+/Rect [359.1386 506.2672 427.8106 518.3268]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
 1535 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [336.952 653.1199 405.624 665.1795]
+/Rect [429.9426 474.5299 498.6146 486.5895]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (access_control) >>
 >> endobj
 1536 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [322.5463 622.8694 391.2183 634.929]
+/Rect [286.0435 295.6317 354.7155 307.6914]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1537 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [331.4327 592.6189 400.1047 604.6785]
+/Rect [339.144 263.8944 407.816 275.954]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1538 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.2812 562.3684 429.9532 574.428]
+/Rect [336.952 232.1571 405.624 244.2167]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1539 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.3165 532.1179 398.9885 544.1775]
+/Rect [322.5463 200.4198 391.2183 212.4794]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1540 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 375.2504 328.1555 387.31]
+/Rect [331.4327 168.6824 400.1047 180.7421]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1541 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [172.152 314.9088 267.6829 326.7094]
+/Rect [361.2812 136.9451 429.9532 149.0047]
 /Subtype /Link
-/A << /S /GoTo /D (root_delegation_only) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1542 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.4539 61.5153 426.1073 73.5749]
+/Rect [353.5699 105.2078 422.2419 117.2674]
 /Subtype /Link
-/A << /S /GoTo /D (server_resource_limits) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1532 0 obj <<
-/D [1530 0 R /XYZ 85.0394 794.5015 null]
+1543 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.3165 73.4705 398.9885 85.5301]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1529 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F41 969 0 R >>
+1527 0 obj <<
+/D [1525 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+486 0 obj <<
+/D [1525 0 R /XYZ 85.0394 725.3455 null]
+>> endobj
+1528 0 obj <<
+/D [1525 0 R /XYZ 85.0394 697.9265 null]
+>> endobj
+1524 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1545 0 obj <<
-/Length 2705      
+1546 0 obj <<
+/Length 2986      
 /Filter /FlateDecode
 >>
 stream
-xÚµ[Msã6½ûWèhW
|'ϬSgãñž’8ía,y%Ùç×oC$!‚ rE®ÔÄùØx~l4 ˆÍ(üÇfJí¸›'‰¢LÍægtv÷>±St ¢úñöì‡ÂÌqšëÙí]Ï–%ÔZ6»]ü~®	'`žøõúãÕ§ÿÞ¼¿0òüöê×ë‹‚+zþñêß—MëÓÍû_~ysQ0«Øù‡½ÿÏíåMsK·6~¼ºþ©¹âš?Fo.?^Þ\^¸¼øóöç³ËÛàKß_F…wäg¿ÿIgpûç3J„³jö>Pœ㳇3©QRˆîÊòìóÙoÁ`ïîþѱñ“ÊÅ¥†‘äÄJ!ÇG™Ã€ŒdD+¿n”9ååGù¡ü«ØmÊÕö®Ú\0{^ìꇪ¨WC÷™¢DÙY¿‡„G‹¡!z4˜RDi&bŸ«ª	ÀîkÛXTÛù¦~ÜÕëUsa}çI
œr†P.-Èy3 á4ƘöÁÔa¡!jŠÅ.777÷³¦qÓs>à3î§v÷çG½ò™&fHIrM¬`B@eˆ¤Ö<’è¾ünMF=¢À5³z±U 4Ä2ªp&5B%V!'Æù0ô¹¼‘
-{
U(ˆ¦–O«PI¢7‘Ó˜
-;|ÆýÔî+TÈwœãq¨‘ÔªBm¡á\&öQÓ*¨é̱~Ú¥‰PÆéÔ—H†šÁlrȼe2l]ò Œ8¦Ý´
ÄIÐØmLˆ>3©Ýã…(qÔeDP"©5\ˆÐÈ%Ãaƒ™N£DH‡’˜„Eœ-‚F4þ™øšÇÅç´-©XÁ`±ž»è<Ü€Q¿_!9Uƒ]§G>`PCK¸Ø I:Isrë¡Áu(ßãj½«ï^†ÝZI„¶ï¶tÛ÷Ó:"”½ûÝžFbòÃèB…¥µšÔç¦xÃûÔI|Æ×Ôî”°XB	V’Z‡y@åˆ$ÖPy)Ç	eLàò꣦åP‡‹jY&"cŒ[¼÷€é>JdÌ…lÜÿiæÑ¡ƒ®}
-uTO«
ÞfŒŒÅÔÖá3.§v'Õ¦Ò²RAíu':ø•a’ZÃå¦h\m"¶Ô‹Òn]l×e*6I,•í;€ÒÎc©9b¬2Qï'UÚÁ‡A×°tÔ”3Dj0©ô@•ÖÂq‡«Gg5/ÿ†#ƒÞBp;¸º`b…ÅÎÈ«‡BôÕ¡|O_¾UIsŒ-¼×3Òé`CBùž¨Ó+?ÂFvÛWвïà¯e ´zÛ\Yw"ƒö÷²½X¯vÕjQ-ü'u~·Þ4—·Õ$V¯î›Ïeó|[Öó¦ý÷zU5Oyw÷—ÂãÏÕ¦þƒR>/]‚®÷èm}¿*?>~ÓŽ°þ"N©&d»§}%Xy†Ü3lþþtýùó処ímì9ó†GýþµjÁðz½4­²1Ö|X®ËE÷ÜÝþÆú¡ù´¨·ßÈE+Œná¢kï­»àÅkÞÁ»—™ò@Ú;F;šÍ’Nÿ¾û¦U®Ú<»>¸ÛOM¸&õ+
Ì'ć귚Öo@y²~<‹í"·ÝÕóm’"9%V3ƒ¨Q’äÊïWÆ®Úù®'{¢¹èàK3ÎCc°2¼Ã¼óÑ4íx:}¾­6µ¦ý½^.›Ö·ªzlïw.—í­zz~èyC£}§ åkß‘ñÕó¯ÍÕyÙ>ñ¥í{ñôðºÛk²–R6Ðüúý4ûC½(m(T±)ü;¶¬ÆŠ
G¤
-O,*lÞ¯¹Õ@jah‚ì¶ÓºšH¨)2ºë¡Ýu¨½[õ}ñ\.ëE½{)|ZÚÀ§±Í=)½ú05Âc¸¹'áJÄã4‹ŽIoÒ=.`)0½±'`Ù*é{‚nìµøŒë©Ýã«B	/­)t Ä:iK
-(—Ëy"½ÔÅÊ'q˜íŠÕzQ¥9OXB…áhÿ”ˆ4'Ô¾VENSŽú1\gCØ…Döï„"TkÖw“[ÇN¬¾Blð„áÚ¡c@8Ä*6a ÒÒ.³›ÒGMË- †qꊇÑ)˜Îç8€!o s˜…Ž™œ^w±?Éî± F!{Ç°°rZD£{Ç->ã{j÷ò“ðˆ2B@e˜¤Öp\KšÙpé£v¨aÄv/Ušð |“’ãj„Bvxû-W*æpzíužº7¾S†¤<¨Uµ…Š¬ï&»Ÿq;µûŠljÔᨓÄ.;¿¥ÍXFu"º´/qû»üÛõÓfžÊŽK¢ŒÁPJ!^Y8xÕb
-§‘Ü„#CÕQ"ŒB
-;jý·¬ï+&ºŽ{X=ú+‹}’ä°dÀÆ>€2,†¶P¹q Ë2;1}Ô´àj"Pų+î$S5BdXÞ	Èë‘7Ó]ëΰƓ„3!ÑÏrÁ"3EÞŸñ=µ{üf”E¹ÂƒP"©5\€ «xfší£v(ßc¹ÜǤ=©Š1…	¨&±%Ô¶ÜÆTN³ªEjPAr`ů–˜´‘Ϩ[|ÆûÔî+4(!†Ràa¨‘Ô®A®‰ã¹í¼>
-Ñ`‡BB6–›£
-çP#dFŽؘ͛Êp<6§xæÔ@Ÿè1¨Í
@j÷µÇ‰€ÊI­¡JdPNd¦ã>jZ‰å{|ÚVűÑ‹‡ÃØ¡dj„M¼öÉRX#GtN3)gœJÀ’0f5²ÑÀ<9Ž.[|fR»Ç‹Q‚|˜ÀCÑ24[¸5µ–™o€û(D‰ª÷ýé„ö s½w ‘ÞãE?ˆ»?å±–i­iN,Ó—¹`NØÈQì[àŸñ9µ{üD9‰JàcP"©5\m¨šmFm=¢¶•jtB¡@84B ÙjJÄÞ@pãs­ßjQÌà[-ÎÙÈ×ÜV‹ÇgÜNí¯9k`vtþ€ÊI¬áš£†pªTFs=¢¹µ?VY¯ŠMu·©¶_÷Çyß5ƒàO[Ž]Þ£w›—Û]L«&F4¼T¸5âC\+i¢¬1±{Ù2×ÊÖ7"Ùú©Ä¤?)­™ˆ!øÅÔn$1Ofr7ÏÕà¾fÀãÝ¡2LRkø2dtf7¯B~ŽÑ‚öïö_Íù‰ân³~(õÿõOµš}•Á	5°¸PJ&^W@RRJGlöJ‚»QŠÐ2VŠ¿3šàüqvuøö5çSº²€¥&v°N²¾Û袅ãXtè]:få®[æ…„!€p‰­Fƒ…VòüªèõzBRŒn€ù3ÿ5NÿÌÌÁˆÏ‡Ÿ°Ê{(·;¨ÅGŽüŠÁŸ±jב«Åˆ%æ"‡cæÛeùȶm÷4õ–!³±,È-¿žÉ†¬Ê‚œªq0Òb }5é'ï¤Þ†Nzë¸×ðdýkZ\ŒÆØ*fáTÕu¾-2·”ÜlºßçM^•iáæ»%YïÏàˆ³çö1ýÕOo³¬tsE^~²§	f'•›õ+Y×ÙÞ7IÄf²~_sÆÖéñT„¡WÛ³º]qÙ>çÍÇ!¸r«¶c‘›±”6ÄXº˜Þz,{è¡Q¶ó)EP	[Àx<ït©æóNKe#e›xŠUP$à<*6Mˆíž
I‡ƒ"=±ï³lèϬÞóÓÕSÇá^K„i¢÷UùLçT@.Ç>ªí£@@>=ÝâùiåS[ú[Ç|±»«Y¦œ"‘‘JPs)BUÜç-Õ’"#nF‘Yxq¨ pB“8¼ºTóðj©ìeEö”ë7UY¼僆H$tA–jBƒ^}Ô
Tpá]“,YúdÆ|m•±³ééTä.‡
+ŸÄúcî2"9S@erÙº‘©`LO¹¾?øÕÌÓ‡qÚIÀ…/Y=Y5Ä5k˜ÈÇ£ôª3\ed=çEá(j¯¹Ï«&ß#¬Õ ^ðY$mskêcŸ‰Ñöׇ°<ÄDÇøš}‡Ú¦V72ÊM¦öÀï ´§M݆Á!"(°1Q'¨ï	a'³¥ßt_£sÌ×hu®ªf³€QÊ‚ú“ö4Ì@5¡G?B¹Å¦	(
+/ô]ªÈÁTF"TéÏéy?j7¢”ó¸Ü@4!·ø¢X¨¾Üw4Œñõ1KK(î—Âçôƒ›÷·Bå@í¦R÷ã”·•ª/[ŒÛÌŸØ?N€7$±Å[ØêÑþ@Ü”ÄÙ
+ÇÉÜ¥ÐâxY­ŠEU}‚äô®Üâ!Íw)¤>ÂéŸÁôИŠJ87çÛÞPIüù–xdœYtQŸ²¦i_)+7™–õ³+}L­)…iCŠi$”bÞºÐzLxÁöÂÁÏÕ¥ðòSÓ’yÜLY¦¢3SÁÖ¶ÊÍ…€D%EX‰¤_ðC	•ígÑŸHƒ E—jý-UýÆ¿Ãøƒ¡ªÁî¨ì–jBx/¦ƒ­‰‚3Гþƒë£ˆï†`§+¨BÏÐîùÙ~àL32
¦!|*ª­õ6Ìõ‚Lü×.!Ábî_´HL`'Ú®)è`KQ HÝ£O/­L×AN€‰q$Ôƒ¤P†Å˜¹ ¢Ml®¥P%ƒ>¤ô¹¦c™{'#íÛâÚ^4ôjÈ߯…w¹¬µž3¥¥-3§Ê~ç&îî3æq	-át¡ïREp¨l¥úÛÁj³™¹
+bœé¸ô@4!}xA‹öÅÿ÷VS[¨.ÜщEˆ™q-¬)·`àkëp…d¬ÇÍj™37eÔY‚ÁbVê«bC[TOnåæøçêr†.†$LbZx®v×Íäþä;¯ì	ºIi ì€‚Wö´…÷ÿ{ý€ÜзäÂÝEÂDþTº[Š”E@Œ›lYíCPQ©õe×_pÆ›){Œ®KdíÍstÁ4³`›A#àtÊJ|xü@iâ‹Ê.€J‘à:œ?ΕŸí¬ŸËb±â´b¦/R¼1®)›;rÎ’Ù3à 
+ˆ‡ñ3Ó¥š?3-UïÌ4ÇÓÆ»sÔÁ*áJ´TZôƒº@ŠŠíÙqáÇG‘r_íìeJ(¸«N‡.®wâÊ\è¼¾o¸Ÿ#Õóž†RW,äÌ+MÄËŽÆâÇCvxM ‘2eBDb IìUŠP›Kt%¾ò…†
+GÑÎýœjOÑ—µ{tï
+´ÃÊ–ö×gØ}VšÎ
sß*Òçj³Œy=¬|ÏÉ°·B.ä@E,µ\ÎÎœ[þH©>™P…jóqcx2]d0™ÉÂÄßûuû5ÓÍîÒm¸à
+íè ’Hˆ$èpLkS‘NÞ¢èk‚7ao‚—†|#ƒ¦ua.î&ìá’Yèè9øb¨Ó5[p‡*á@åìümãQ³©óßÇQ‚1„ù‚hBþU„B˜_z|ž[¯);â¥BŠ39{ÿÅ`C_²gk¤ËnéÌó½ÿÂ# t‘"áqÿ·TKšŒ¸Eûl*Àc‚Ê8èºTó k©ÂfÙjçù,•³ÍĽt§\Åõð4jô Ç9â‚°¾ŸzsÖc:¢RF (0"œôMŽA0Ð/˜?æ;A9TÉô$Šß…–jA‘1·8¡MÒqv¨"T“{–ï‹IBVPó¸&-Õ„*}R8vfººüM(ìX4D!C+:B½éZCa _0Ì÷O  ª)ïCKµ È˜[…˜#ŒñBgÛ¥Š 0PÍGŽêÒŒ!$¢I\•–jB—1ŸÍy_™¿3z“&úmM„ž¢„}b¸ovˆ~Ác¾ˆúC¬@ÑR-(2æ"‘Pg	½ðEªK5Ä–j>xL‘!–èUZª	]úñP!Æð@™¿D‡Ó@ÔæKT[¯O¥eN#=££YÙ‘/X?âú'@H¡Ž´Dw¡¥ZÐcÌ-ÂÄ\à+¶ÂU„Ê]t6æ¾lØN'櫵Š‹
Db»–*Ó—aÒûyàvU~¸ËPy	ùêN%’œÞU=öÕ=Ð/Ø:æû'¾º'(ÁJÇ}ÞR-)2â‡Öˆb¹ðq¯KW ºîù°™Ž?¹Š¸¦*.½¥šß¿“ˆË„ôåžü:´b ÚTÅ<Úà¤)“ž¡1´ú“Ç|gÑÆÇå&‡žêѨó[ªMÆÜ¢p“Q).`;D‘¿\õD]jªM]¥c°™¯î	‹Ên‰ÆÂûPÓH*.{Ò?+Ò®6DCK)0%¨) €´Ò1 Š4O7xÄõG58»1§{’¸>Óè
+Wm™?¢žÿý­è_þ[íë²CÊ”š;¢R¡D¯”Q\%ãs¡4tBõÿ/ˆ
üendstream
 endobj
-1544 0 obj <<
+1545 0 obj <<
 /Type /Page
-/Contents 1545 0 R
-/Resources 1543 0 R
+/Contents 1546 0 R
+/Resources 1544 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1501 0 R
-/Annots [ 1547 0 R 1548 0 R 1549 0 R 1550 0 R 1551 0 R 1552 0 R 1553 0 R 1554 0 R 1555 0 R 1556 0 R 1557 0 R 1558 0 R 1559 0 R 1560 0 R 1561 0 R 1562 0 R 1563 0 R 1564 0 R 1565 0 R 1566 0 R ]
->> endobj
-1547 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1555 737.8524 427.8275 749.912]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Parent 1504 0 R
+/Annots [ 1548 0 R 1549 0 R 1550 0 R 1551 0 R 1552 0 R 1553 0 R 1554 0 R 1555 0 R 1556 0 R 1557 0 R ]
 >> endobj
 1548 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6164 707.9231 422.2884 719.9827]
+/Rect [231.137 624.1678 299.809 636.2275]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1549 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.2338 677.9937 438.9058 690.0533]
+/Rect [143.8055 560.4651 239.3365 572.2657]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
 1550 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6948 648.0643 433.3668 660.124]
+/Rect [324.1075 296.9881 397.7608 309.0477]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (server_resource_limits) >>
 >> endobj
 1551 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [226.7331 618.135 295.4051 630.1946]
+/Rect [359.1555 265.057 427.8275 277.1166]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1552 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [283.1811 588.2056 356.8344 600.2653]
+/Rect [353.6164 233.1259 422.2884 245.1855]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1553 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [287.6042 558.2763 356.2762 570.3359]
+/Rect [370.2338 201.1948 438.9058 213.2544]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1554 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 432.6227 426.5323 444.6824]
+/Rect [364.6948 169.2637 433.3668 181.3234]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1555 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.0699 402.6934 407.7232 414.753]
+/Rect [226.7331 137.3326 295.4051 149.3923]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1556 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [373.9 372.764 447.5533 384.8236]
+/Rect [283.1811 105.4015 356.8344 117.4612]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
 1557 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.6839 342.8347 393.3372 354.8943]
+/Rect [287.6042 73.4705 356.2762 85.5301]
 /Subtype /Link
-/A << /S /GoTo /D (tuning) >>
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1558 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 312.9053 375.8228 324.9649]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1547 0 obj <<
+/D [1545 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1559 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 282.9759 403.4988 295.0356]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+1544 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 1560 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [337.0185 253.0466 405.6905 265.1062]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1561 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6945 223.1172 433.3665 235.1769]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/Length 3134      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[Ksã6¾ûWø¹*Dð˜œ&OvRg×ã½l’G¢lîH¢W¤=Ñþúm‘	z*NM¹ýøØhP=äÃ?r©Â,ç—*çH`".×û|y×~¼ “yPÖG}wñÍ;¦.s”K*/ï¶=Ya­ÉåÝæ×ÕÛ¿½ùÇÝõíUF^It•	‰Wß¿¿ùÁÎäöãí/7ïÞÿø¯Û7WŠ¯îÞÿrc§o¯ß]ß^ß¼½¾Êˆî§NÂÌ
ïÞÿýÚŽ~¼}óóÏon¯~¿ûéâú.ØÒ·—`fùïů¿ãË
˜ýÓF,×âò3|Áˆä9½Ü_pÁàŒù™ÝŇ‹½«Ý­SþãB#A¹¼ÌGZ‚ŒI/c„x-S"G’Q¼LÉ”—=Êxùñéã§ò46–¸
ƒR}‰Ñº5±0ë-L((¯s=\ùýü
1p!…‘þ>5YµUcgêǶªîsá&«C[6åÆ|«m}´ÓÍc¹®¶§êpo¿öÜUk;þ_}(í]Ææn*Üþ\«ß0¦ëâ¼d½µè¦º?™qÍQΙ6Ö£\ÚÙÒ>¯ˆ^•FCj4´Ÿ?Ü|øpýÖŽŒNgjõpÐÏ¥·N0*¬0ûeW߶»Pïí·MÕ|R3L¼a2w×j¿À¡níÀ¸=•)ÎJÃðТÎð4˜åí¨8¸Ü[ŸÍ…	ÐÜl¸Pôè8~*, 	ÈŸA	
+;ÑÔ83kZ[ÓVë&¢2ÏÅš&W xù‘<û:ƒõßo͒߼㺇žS 	î'ëâ±0…rF=ækHå\™ËUS!`vü¹ÚíìèSY>ºëÞàÂ]ª@å½'/LXfÃÀ=N02®êÒÀ»jý`g×…»ã£[{ó´ÊutWiŒÉˆîõ9ðÖ°~¨B\Ká;G&3×®œp¤.›ÒíÃbèv±,¸&0®™¥œ”1¡Ir®š']@ufU÷Ùs±«6U{ÊLF:·ˆ{J ¥VI5jBa@_%}E>”åÈ?›²Y+Ÿ9“¶QÊ”{úÍš3Ò!gˆ²ÜG
+B3²˜iŠ(%j`±½x¼¿´ƒÛží¿`{,×Ú¾>[i¶x"cÌFîé(Ô‚&±4£É<C„è%öP	z”˜Iã°ße‡zSƉOJÄ4“ijB‡a¶"ˆIž•øsäË{ä‹L­¯Áë,Ü1A<ˆ'thmŠx¿`w,÷ˆÇ pŠñtjA“XZšx˜BqFóâõP	âyÔ8Z¾Ž˜`Ÿ·äZ¥õ¨	EìË	‚­r Çë%¾ikÆ*`†Ô|âãp™r:´7Á¿€_°<–ûüSP«b&Ò1¨%M"iIþ	E‘„#Kš}Ô<ÿj±öôXF̃j‚äPœ%5¨	a—Pò):Táõ©ç
­®$’œ$²Ô­˜Ê¡­©¬çñVÇr¿€uÃ-Š§ýPšÄÒÒ¬ãq…—X×C%XçQ]É{,ͶìÎ=YS?×ăç‚ò%jB‹áYÎXŒÔxæÍ3&FL³äcñBßù<~ÁòXîùÔT&Š¥#àAjD²ÒÄ#P 
+¾D¼*A<š‰Uö,§Š=%é‚5¡È¸ØSœ4ù˸çìW|QÂô3™Ù‡ú¶$+>‡_0>–ûrú1Œ4Ü‚-¨ÉJÒÃù¸“f_4O>2Ë»6{Iâ“
+i¡“JxL¬ÄxÊüœ
´xÞ%lO †A‡yâÁ‘IÖ·7É;O›IýÖ1„9VIÿPZ‹HVšu‚ =órø̺3(Á:JDj*ëi‚d.“zxL¬ÇðÝ
+TZ
+²}_‘¿”xÓI/‡ª”«÷rëé¹À=O[I}9÷$F
+žíd(­E$+Í=
+q¢¦¹w%¸ç@f¹§¦Ì^šõe¤qZB“ŠUŸo%×r Ëë¼\Y°(:årónA&Ϲ¹Êó¾ÕÇÜž¶?’úrB•*E/ŠÓG\ZÐb,+I@1ƒ¿4{ yzYîP·Õö4G9[“¤"¹vÅ‹ÏPÞ›²ú«¿NÆ‹l--a“'áב‰$îg
+³¾™©$çáiƒ#©/æÓ6Å\'Ý@ZŒe¥9&	œAÄÉz¨Ë<*
+ÑÔÎ*ÌbX¤5¨	¢—(šè¡Ù¦7UóE~‹Â%»ôÅàÌŽå¾<­:íÿ€ZP$––f=r±˜Úz¨ë<ʬ¸¯Ù±ÜËæ!k«½ù-Ò8a_ü19Ý¡Ûã)ÆúÉøI
Õij†qY”3N‡Ft´%¹£­hk&&¶MXR˜˜û+¦öM_P1–; ˜QföE€zK(8q$PšÄÒÒÃؼbXâX•à˜Gu÷¶K"Ûë}¶©¶æÔ=åa=õ+FœÂNŸT' &ô"â˜õé褰ta’éb®Lf9‚	‚Z„ø¬µdV|À„§¶“à{&%O¿àƒXî€Æ\OÈø,“¤%ƒPŠÄÒ,3)øê7,ðM݆È­
ÍtCCÆèLLÂïwA¼ $Þ…´¢."û¢i¡ÇÀBz˜iº‰%‘0á”ØìŠç©2‹Q¨wB)¿~¨«µïØ9wÁÛ!dfŸ‹jW|ܹù¢mÏ®}Êt•ÏåÉÜóMMçšZèWëæŸn2F|*Oàè#°©>ž¦ªãœbž\;€âÅÇÕqŽ¡fè¯þ:Kdø:f6¢Õ15ý5´of²:vð´Á‘Ô™R%ÞqÍ릒N Ʋ’;¥Ý“²À°3(Á0긧¶Î6‡¦)׿àÑTXéäÊ/=àgHêœÖþ·md ÖõÁ4AÝ»½íZºÌ`s:{ÓÕh¾üpóÁ䔓)vMmGpú·ÛfF¾§²›­ý
»ú³>GÛCi$î®ÈÊ<êýjÙm*›QéÐxîP´]¯%Ð%ô>ÂØv[vÕÛ¡¸/÷å¡5‹¯îÊ~*ä¥-”ôvôX7MòRS¶-hØ|;ñ¨™.F¨Ä:ŠfFsgèwS/}ÄCû§î±<±÷€önÔõ½Á§m”ï>nŠ¶ëS3¢à,7vm|¡ãFÖ²,´æ¶÷³t]~½{ fnªjš'מ™y‡x>­ëý>ì@:!4´£È„8lû—Ghj7$ÊažæyWS±®-ü}7ùšÉ¼`!çòd½{ÚØŽU⌢À†õsW÷SµúøÔÚ«–ÛÝV4
kêÉݱùÏSÓå._¹ÉsK.¶µM½^ç]rî¥tÕ¬ÊÍÓΫR¬×¶ÿuc{ÑÖƒ%i'ú+7Wín_¶P¦°ßLÒ”ñ!²ŸäŠ‰€½
+²ÄR†÷ø¬ÃDzävÝ–]È2Pø¾<ôÔ¶Þ5ÿ:M·2Ô‚&œ)D•"CM‡­{²#%/uEÀ/)Éí¹¢Ë/ûrÖ
++¥¸Hû" T‰¥U̺“‡}ZSÓs?ÿð¹ZKÈL3‰ŽpBâ'HG_¢zOsO\uO^7‚,ÚLZLs$öYö¨r3U˜BJâ¡0mk¯r—!‹Öép(?Û.ÿi[ûzÚfì½°O¸.}ª8¹¥Ëª+¹2ªµï»×9¬SnÊ
ìGœ
+{0øåîú[‹º³­Ó€
+ÿfíœv…3\<•­»²ÜuÛ[¹ùÎöY[UáRs‚løG_@ûˆÍ0åêMkóÆ^4›ý 1ß&¥í“ïÛ·yv‹Pˆ·¿»sº-žví`ÿtÝÕSaÌ9D‘yŽÉe‹\sÒ™ª]sX<×ýÝc²7Q FŽþgL¢/Ñbºó˜WeçSÕð``Š-HK‰u&ZxX¶A
+U˜ôW~ŸiÆúKà‘ÁdþPaÇpÇYùÔ†áÀISGgû¿â‡ØôGÏ;;`ÒŒ$MSÊ¿‚š„Mþü.üéÿ²uþÿl\!fZö§Çrt®¼RFq¿~ƒ“‚ÐTM¨þ€ŽÆËendstream
+endobj
+1559 0 obj <<
+/Type /Page
+/Contents 1560 0 R
+/Resources 1558 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1579 0 R
+/Annots [ 1562 0 R 1563 0 R 1564 0 R 1565 0 R 1566 0 R 1567 0 R 1568 0 R 1569 0 R 1570 0 R 1571 0 R 1572 0 R 1573 0 R 1574 0 R 1575 0 R 1576 0 R 1577 0 R 1578 0 R ]
 >> endobj
 1562 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 193.1879 443.3092 205.2475]
+/Rect [381.2254 659.5291 454.8788 671.5888]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1563 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 163.2585 360.6996 175.3182]
+/Rect [362.4163 629.3132 436.0696 641.3728]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1564 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 133.3292 388.3756 145.3888]
+/Rect [402.2465 599.0972 475.8998 611.1568]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1565 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 103.3998 533.2211 115.4595]
+/Rect [348.0303 568.8812 421.6837 580.9409]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
 1566 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [368.9978 73.4705 438.8121 85.5301]
+/Rect [335.4973 538.6652 404.1693 550.7249]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1546 0 obj <<
-/D [1544 0 R /XYZ 56.6929 794.5015 null]
+1567 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [363.1733 508.4493 431.8453 520.5089]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1543 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
+1568 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [365.365 478.2333 434.037 490.2929]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1569 0 obj <<
-/Length 3375      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñݿ“—Ê3 	ì½Ô¹ø.—»Ôv¦ÓIò@‹´ÄE*"eÇiûß»‹]€¤DÉ—I's!°X,ö»Õ¹„ÿÔ¹ÑB†itž¤‘ÐRéóÅúLž/aíÝ™bœ¹Cš±¾¼;{õ6LÎS‘ÆA|~÷0 e„4Fßå?ÍÞ|}õÃÝõÍÅ<Ðr‹‹¹ŽåìË÷¾"HJŸ7?¼}ÿîÇ›«‹$šÝ½ÿøÀ7×o¯o®?¼¹¾˜+£ì˜Â‘
oßwM£w7WßusñËÝ7g×w^–¡¼J†(ȯg?ý"Ïsû›3)ÂÔèó'˜H¡Ò48_ŸE::
-C©ÎnÏþî	VíÖ)ýEÚDñùM˜&ÓZ–BjÐÚ<‰¤ˆce¼–5¥e‡…ZþT<Ïór[,ºfû¼/³Š´H9Ø2u¼Çš8?œ¯´©„Õ·EAzïV<È‹v±-7]ÙÔh±=iÒDÈ 2À¤{gÇ¡•0vYïKˆLŒ$¥Åíòœ7™=þ2Ò%™½tèš*>`È(§%'Uï±^b〲!|œ)‘©HBàú´·
°Nx›ÃÂ×»ª+çë¬íŠí¡³…"6Æœ>ÝcM?r¶Èˆ8‘j|þŸs¶”Ýg_Š}_SBER÷5Yv8åjŒþ‚ÀT8šP‡®‰Dú´â=ÖK|P;éjqb„Q2>íjC¬ã®æ±¬‘¬y~–2¨ŠùC³]gÝÇAVˆƒÐœfÂcMp1ò¸ zÔñô>CQ
-­_2€Çz‘CjÞóö”;#(GTWVmRª8ÏÀˆj)åì«ç:[—’áÇMžulÁšª\”E;ay>bÅš2,—+QlËø´»Í¦Ùv-Îô¬{jœU`Þ:ëÊÇ‚ë¢[5yKpû]n³º+/Ô¬^`Q•EÝ19¶årÕ1¬¡ƒ6Ž†€¹—&;+W;DvP2”E)‘jMÚù½©‹KRÀ¢©Ñ—»í…2³"'èýsïé‡:{€HçÑYU5Os:}*‡ÂÈȹrVçSS¾1‘šoÐ6“€Òc76þX’¢Ý Ï>Õó…RŠü¬‰…WªSÐ…i"µÝ~7-"&<ý™Ú‚$däE•íZ0_(“ÙS³ýÔÒКm¶v«Ù3
2Æ0‡o<Ûe³ã•ÇbÛ‚§­Ë¶õo	¾»AÔdõóPÝ‹Æ~sŸÇHµ•Ge½—@Ñ…÷Pk•è”U -Çþ|7‘±Ù·”ïdPH
kbžW0êbj,k„Aˆt§©Ѐ9hóÓ
-²·…ùà³ô‡$íaE†
-ÒpvEÛ‚÷¡¶ð»½0³]Uô&JB°‘‰Jä8Õ³vy£X”Èk‘_’Ï<­
-w(âÙb…£ÈfpÙ­,ï°à\á
Ãò¢.†õŽÐÒâav]Äz"íÍ4¬óèžÏ'-åS9ɦœ$aâ8@â‰h	,ve\¢ç§Áìý-OÁ Ï‰0ñ^„ˆÌ¯»¢íhØl³¥#ÜÒ·-—Öò¸ãg©egML˜dL4+ ^T»¼à^·°q/ë’ýînß¿ãÙÒx„„ÿ©©€Bøå^È°žÇÁæ—-ûL~‘q¼Ýûz¥C£ÖèAwcn½¤÷`œ`:eoC@Lq'Ç®BàEÉç‡i)w?üNöâ}^O”½6öƒÛ´®ž	¼.²º¬—»Šæ䫸@¥½EGÚÖmb5ûǪ¨)Ö–P›æÃ	ÑbìDþÀ=•†ÚÝSmÈk0:QLþf—ì[X¸¤ )÷02šö7uÆõ‹-e¦-MIlsÌ2´ŒR¦égßk
-ÌiömdÃA÷i1„Ê=1ÁX‰ÙPí$Óy]Hƒ~ŽÃ¤I:ÁW8—HÂYñ[†®ÞœÓCØ"?,£)çƒ×åýŽ†Š£EAhYž³\-!”|FÝtìRA(R|&e8ÚTªc¾ñÞm$Û_’ý¥Sæ ñŶa£aÏÍme»»§	¨ê5þûzú]+”"…,ä;m~	:v[ck\:­ÛáKÀ¼š8A‡Ð¦í#¸ÎÛÃ7„A7ÖŽ_¬p«¦í.ÝCBÞ÷6­·Úši¶‡¦ì/O¶ëàHA~‰5ü(ò?rïfsEí˜l±UvÜ[öšO<*?½±íP×x3Øò?ô¶ŽÍMÝ Žú^gè—Ýó¦ ÙO=F¿ŒàˆØº…àšžâx }÷OØkqCåŸb|¨*˪XRW¥Íìc½à­}ú¶®2Þ×îX€nú7ÀË\IÙïeVl茋Œl
-ßÅ	—ûÙ®\C€IÖ`R…jV×.¥$KNcò2Ô
}v[v
-cúçÂíËôÔõøÀÁ~EÐA5r%oRð	;P;â‚9u½ÉDN£6ñº§ŽÈßl;ô
-„pÍ#q:‹’!¿žøuãØfPf—k32.¬ñ•¶O…œs@‰Yᬲo#®¼F=‡Ãpf_¶‘=zŠ˜zRì‰1“OtXå»ÁªS[§Ìe¦Ò?‰ã*¶Ö6Žô¨ÖTÐCù‡ân±™·Eõ0••ÿ«õ4­Ú1íP⮉ŽKD€í%a®š§â‘„à‚ù…¾¸Î3÷0ÛË…OÉŒ²†‚Ä&O\}Eî2Qw¿¹Þ!a¨â±ñ åGi¶Ü®í6<ùhuÊ0wS¾]Óœ€}9#¤Þ“m€$£)T$ùÂë—ð7¸Š*¸¤}|¯#ãpò°·ÄÝÛàüÑß±¢,¨Þrá-ˆlQyf!ôÓAê¯O®OL<\ì‹–]˸hûöúŸ4*~s¥ÎlÆ#î±Î³›”Üç¾®?Ý‘L¶]e}` £#v—G£<Œ†>€3ûF$ûåÙhH–··¼xö{¨[ƒQÖî‘{á4R|äÅŽ¨ü°¤v€{$øp—ÕèDvvúµ³âN)¡Þm›QÌêbÙt¥»È0íï„4&®ptÏÍ÷»ÛÛ9úwÒî}†àЖ-çÍ`–1ÁaÐ…¤7êéÃ#—¦åM¥zöm±½§§¨¦%Üôõ¢ÜdMéWÝï –	™“öz_8s½½ýŠ“ˆ8õ?~Ânÿ†õžÈ›uVÖ_LõôZÑ4=ðìòŽ‘ÃŒAoºîÔ«ã:à%qä}®QöÇ–>×ðÃT$"%{O)ô*º—hÝ‹“ﺨ¦ûAkʶ
¿úp;M*/ÛduËoâ)ìç-\>k7“¸.Àå©
-Šý)öÏ^6uø›Ê„wßMêÊhûWØÊÕR„J(w|iàol™»Ë3úØòpþë.«F7>9Iߪ‰cÞjký‰¿C€l»?ý§ýßEFpMsìOid,L&Ž)T…9ø#
-¡ML°þ?w±nendstream
-endobj
-1568 0 obj <<
-/Type /Page
-/Contents 1569 0 R
-/Resources 1567 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
-/Annots [ 1571 0 R 1572 0 R 1573 0 R ]
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [393.041 448.0173 461.713 460.077]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
+>> endobj
+1570 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [402.9837 417.8013 471.6557 429.861]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1571 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [321.49 736.8562 382.69 748.9158]
+/Rect [320.374 387.5854 389.046 399.645]
 /Subtype /Link
-/A << /S /GoTo /D (options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1572 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [317.0267 705.9305 385.6987 717.9902]
+/Rect [348.05 357.3694 416.722 369.429]
 /Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
 1573 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.8967 675.005 430.5501 687.0646]
+/Rect [488.512 327.1534 561.5676 339.2131]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1570 0 obj <<
-/D [1568 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-490 0 obj <<
-/D [1568 0 R /XYZ 85.0394 658.3825 null]
->> endobj
-1108 0 obj <<
-/D [1568 0 R /XYZ 85.0394 632.0762 null]
->> endobj
-1567 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1577 0 obj <<
-/Length 2950      
-/Filter /FlateDecode
->>
-stream
-xÚÍZmsÛ6þî_¡òM„âÀ}s'çÎÕÉ9¾¹¹iû–è˜ITM*ŽûëoP¤E½¤vf:ž1Á¸ì.$FþÄÈXf½ô£Ìkf¸0£éâ„>AÝ»ÛLR£I·Õ×'?¼UÙÈ3o¥]ßvt9Æ£ëÙ/cË$;
|üúýåÛ‹wÿ¾:;ÍôøúâýåéD>~{ñÏs*½»:ûù糫ӉpFŒ_ÿãìÃõùUÙ¨ãÇ‹Ë7$ñôØ¡ôêüíùÕùåëóÓß®:9¿nçÒ¯à
-'òûÉ/¿ñÑ¦ýÓ	gÊ;3z€΄÷r´8ÑF1£•J’ùÉÇ“µ
-;µáÓAû	Τ²rÀ€R
ÐxfT¡¯ï
-œÄoM·©pÌd{À6Ë|Q4«Ø°§S{–	ecÃ_9—Å|&ö||—×TŠž_òùº¨ÿNZ´èhqšI©L§»®¤bmJ^
¨ÁÉ«4èz}3«y¹PF­ê¡œÏ¦ùýlhþs’gGª˜ßþ-0½¡áætÛî(E8¹çOìóý™ì˜ÝakOt&™–™M„`Þš.ê]*™§wBõF·N1ë`©¶G[&Xvüàšéjç4X„Ž&ÛTúØE<–/g:¥fJ¹´§ÿ¨–Å1`cO¹PpÏüe
-ú6þ(6TÚ±ŒgOØðÏ}•ÂG“Ä;G@ßqЋ鋾ªI;©I%§}Kµ=
-a˜vÙ(“ºàn¯eœy©öοæÓf²È›éÝéDe
-öè"_6å´†3Ê:„]ÖTsêÆëyA/á‹"Ö<ÜK,éqsëSçhî»)Êå'BÃz5Ë›bF/ØIxÎ
-ì=ŸÓkSÅ'êÅ´Z6Ð"¶®n7ÕÛ§Š„Ž¥ÕîÏ[¦Û£'ž([àÒ&cZx°ðfž·²ˆ!~Åw‹u†y€Ø.à	çÀ¡ó«B„§¦E¾´ˆÀB–âÊ	2(µ]ˆqR›Ó#Œh2¢0Ì€H-Õýü¼z€„×OKó’ê.ÍK!('Ç«L_ìF—Liö#Èf9nû™{?üß?ø’„u¹(çù=¾ˆ°ÿƒ0¡–Ó9.¾N‹UCuÍ]ÞPë2J ©ÊÈHUP `*£˜§ÔOôÖb„gNÍn	¯#ü¤Õ‰¶èwO6
-8dÌ2®“èÉ®…­`ÂÉD]4”ɪš—ÓÇ[Ëœ·é´­h¼S_ùjUä÷Èçw‰ÏA^Ý|)i{M„ g^ômZ°©Œ›XI°U"ieÂõ~£0ù Š¦ÅʇrZÀâ)僄Å2¿™S­ž.غƫ
mUxæô€I.gáƳû0mÖî܃ö3ÌH`õ-ûaOkà¹XÏ›r5Ã	hÖÓ
-vU¦ûKýP6wÕº!~YT³©aš7eµdCýO¤Lt:
;»9"Á"³W{iKxð•ùŸ ­~GÕ¢l`ìá²Iú~8`dáô¾0~èX;l–Sx»YN¬¡åÄR0-ÖÓb¡(.'
-ÛåDyOÖÞxUJj:¥ÞAOÖ3ðÌS”I[3ÄÊF€÷åÕSÏjb”ܱñçbăO¨í}ã-ãøËOË*€
‰–(Þk`ÐÜCðÍ:ìM8Œ€éió0#>S(„•´ ”×ôÜAÛš3Xvs”a4Zþ©a¬ÑÃôãv@ðûÓBp®×!Å“´H›Žƒ}!Ɖ3UÝΣÛõ¼ÏàÄÏçÕCälÓR9 û\<’dUÜa*ÒˆÓD}.yd@nZ,ÓÅ6w±@j¡uHöªâJ8ÕÑÝm4@R1jQvÜ€kXQñ&ŠÖ+…ÆWÜîÊn
-ɸã±ig<¦B‡ÐOì³^ÓàJ„¨IPm¯·‡[\H–ie‚¾¿
.¹ñŒ¾§mI2,øh..!Šïò/•n
-òü ¨-ʾ”9®_ BˆÌ±Ñ-æÓPXÜáúõqØmA¬V”თÛPS-觪««ºhêþ—7ƒ!éVqëú†ø¥¸¯±“¤ØÍÝRCå¹}Aî–/ÉÝÂb6€ëCäcs–«$oá8Ë`q^œ¼»Šw“7N-“ZúϤïî²üÅùÛ½(?Èïñãa=SàM .‘˜Æ€½G£$Ÿîï\Œ—=1퇜1_ž’m(/¾®æå´lpgá{')…ó"å†x÷G¼û#.¢áúÝ´Y_]}¼x÷ŠÊ—cáãû³Vtþ:*
-n>|"5x»v}êù8vã<ŒGîcÄ	‚~Z
+©M†×)ó^ÓùšD¬ù6ÙÙåñÜpÐ÷›™B
ͤÍfíLA§âb–DêÕ'ÅÎ¥8+%ži$£äd
-	g˜¶‹ÙÉ˪‰u1­ã5­,Iò¦)a`*f¨@¸ÈgéÓŠ$³b^$u4=F¦”<ŸÕ±¶®«iæ]–Í]¬Ùõ{V¸æC??å£d‹gÿØuóK`
ŽŸsrxó·$‘F…‹àìÖØég±jhðÿ©ž–endstream
-endobj
-1576 0 obj <<
-/Type /Page
-/Contents 1577 0 R
-/Resources 1575 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
->> endobj
-1578 0 obj <<
-/D [1576 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1579 0 obj <<
-/D [1576 0 R /XYZ 56.6929 746.113 null]
->> endobj
-1580 0 obj <<
-/D [1576 0 R /XYZ 56.6929 734.1579 null]
+1574 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [397.3443 296.9374 467.1586 308.9971]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
 1575 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R /F21 738 0 R /F62 1095 0 R >>
-/XObject << /Im2 1084 0 R >>
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [321.49 254.7663 382.69 266.8259]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
+>> endobj
+1576 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [357.6499 152.1632 436.0651 164.2228]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-keygen) >>
+>> endobj
+1577 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [455.3558 152.1632 533.7708 164.2228]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-settime) >>
+>> endobj
+1578 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [317.0267 61.5153 385.6987 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1561 0 obj <<
+/D [1559 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1558 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1583 0 obj <<
-/Length 2937      
+1584 0 obj <<
+/Length 3506      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sÛ6òÝ¿BôLÄÃIðÞ[nÜKœ¬ÎÍ]ÛŠ‚lN)R'RvÜ_»X€¢d}¤çxšdÆ`±_Ø]ˆüç…L¦j¤*ŒùâŒ
îaì‡3îp†iØÇz?9ûÛµLi˜Æ"Læ½µtÈ´æƒÉì—àòÃÅçÉh|>âð|Å,xs{E”>—Ÿn¯o~øy|qž¨`róé–ÀãÑõh<º½¹T‘€¤[â?ŸnG„t}óqtþÛädzѤ#¹,Î$Òûß³_~cƒœîÇ3ÊTGƒ'è°§©,ÎT$ÃHIé!åÙÝÙ?»{£vê>6ER‡‘É>	¹OQƆOU¶0ïè@탡Æê\ëÒ4ÔËVç\n(0ùïfFy½¢†Éò×úR4mQÝû…pf^Û¯›Ô>/Mˆ|êø€«PªX yl0T,±Ô–0`9pŸ1`y]¹Ý¯‹Òl¦ò0"?U²0Nx꧆ÜMžœ§,€-Ýa깓°iêõ*7¾4Îüy+Gé¿Låh®éûsã&LÌÂÒç0Ð!T˜*®,“‡Ö”‘“·E]£¥Žƒ’XzoÊgNƒi½²ú	Y‹æÔ_Ðøøú’À SÊ-23M¾*¦Æí`…‡¸y]åfÙ‹ÀŒºtj\9wØãžtãW±ñþr7˜çÄ“¿ÉºÌ—e™îÍEðd%¹tŠ€°Â­3ÓQiÜ•Ý D-LX®§e‘gȱ׎
d\|4«¬$xežh‰ñØmõ=ºå§ÆTÌLÕ¿2&ÌÎA„=H'ìb±,ͽrÕŽU\ÝÞ…ô½"lGV6µŸœ—ëžÜkë–’HÐOî•UÖN]÷ëåIM»€Ó2b½Ènl£ac+é󠡱̡Ô3ƒ²Ñ2‘àZÙ6zcZZÐÊtö-•hQ_Xd^ßêGáW_dÏÔ˜:l³X¶Ïçœó Ü'Ÿ‰UÅÝæа›ÃwÏæŠõ7'´¬iê¼È¬X±ÿT´n„>ËlÕùmÒöß eUÖÌëŲnü~ÿÆÀLX—z „xA'‘â=ã¬Ìà.,u,LòBƒÄF–Ê™çuJDÀ·ª )î++Ì<«È*±E2f¶ƒN|Nƒ¥ã—Y=ZØcúìp¦ÀÚ8ºj¬ØTÇᲫ=ý`«}Cv¢#eä|à’ÀY€>€§ƒUñÖÅˇ'AS¯Ü½Ñ›¹X—mvIPË+áx‚€¥Y-Š–,ºt!q˶X8-°˜ëŠ°q›u˜æK†vÿnßI¼Óo–&/æÏÞd­3vúôÕû•ÉVS‡Lì¤öÔ™t»*¼‡A!®š6$iܳMH%BódÃHc•à½Nƒ«û5ƽ@ Ãö'¼^®‹ç½£;ÊGLˆr¹K“â2ÔB¨-š^„$Ö	JìnšoSâ.­me÷;‹¾–þ)^¬{j—¦ˆ%¡„ëæ8+:¬”¼\
)!§8TB„"å44	S)’s´Qz¨
-¼üN”“õƒï&»‹¥”¹kìï»Gä2	U”€´u¬Ó¯‰h¥ÒaÂ’ˆöÿ›å	éÙæA
-hƒµ\ÓÏØ^jØ
-n>¦ÐÝ/®@‰¥Œ*V3
-˜ë§ÊÛ49N¡!¶éDá¯àÞ8´žÐ[n….¦»¥h|D½®(hØR~ˆÜ“¢ä>½¯ãr®_P(Úv4Uy±¤Ÿq˜­1d¶b«fÛxo1úù0†©Á²/Så‹ †¦QÀãá´hià1+׆šÎ‚uÓ>È¡!c—Fký!ÊЙ–t[o]»†³Ñ‘T¯cëFR*ŸÊþŒðýŒÃ’wÂ1u/¾•#z‘Åi(cÈ“‹LjHz™«¯¨l‡.°Ä+—/j±/=è,k30Fø6˜”0RÛ¦eš»ú„›@-›ˆÁ—nla­Ä×G\ƒ®Ñ]îVŨ´Òå6‘;"½[¾•ô6•Ä¿"ãx¢¤®NÆ«#«úߪ>aE|gB²”»lÖsÂëæËæ
-rÕoX®Úgt‹Õ¬pi+«FÂÇì—ž„/"F¢Ÿëʈo0m-õèe¢·Àõ@êÛýÅTWÌìŸXIL‚†e|]6m–£/K‘>„hYé@}åT1)'|I9¡!4ðã°rö¤þ:MzÓÀJpr•œrÌBè0Ö©sÌ×wWïÁº…fÁÇڿΈHºËN!0>šfô¢|ýù+ø–hÃò#ê¶ë#8W‡ÅÐ;ß÷ìcÌ“‰¶`*L’ÔùØÏ%F‘äÁŶe³- HYt•ä]¾oü0$è]±äâ›{ô+Wülæ:
Á0£l†“@Xé2¿ËÑørú‰Í Xð¡.»—`Ÿß­w²¹Yµîù¥5'n9`·ç®ÀGúƒÜí“ý×õx….åSÜÕX+¦§øËÛ‹ŸFÀ¥XA· CÖÖ•†Àu×U‘[&ÜNW±ˆuíX*‹Ìú­¶Ø(…CA>è]Žlý~ÇÉ2‡\HA"uJQ×äÓ¯>\Þ\Š³T7À~ØÉÕº ã¡1Þ1æÏ6YB€{»Å&,ñ™ZyY||´3Übý‡V;ZÊ¡íB”õWF‹*/tXx=®|Ç%ײGÕ)ÙI2¥é"¸rFÒͲÌrª0%A.†jÙÉæåÚ΀ µ)‹Ï@àØ›³¯¸;3 ´;(6ûšœŠ ¬kû+ ™Ê`½|gc…ÀØsŽaâ#ý´0­ÁZm²½Šæ ’uA"À›õ´¥¾!¦î©svgeÒSÎ üXf¶VÀUæŽÆÐËd5sx@Oéw¢ãYCc´ƒwSÈ1ÒÙ÷¸?ßy×qnŠîW#§´[ÄîÔîžÚ|Ç•×8…(2:å˜àL²I§Ûwÿý„-Sܵ®bPöÇø¡	Qûwã×ûþœ^ofá%<³aþQWo3<¬è'“G2ƒ^ÇWÅX˜ˆ³VŠHè}Ìlà5ñÕ?6ÜüàtGêCmW”ƒ«Ö"ÐÉ‹çqÿ³DÖ#þ(QÏ7endstream
+xÚ­]sã¶ñÝ¿B“—Ê3 Hì½Ô¹ø.ÎÇ]j;Óé$y IZb"‘²ã´ýïÝÅ.@R¢leÒ¹9‹ÝÅ~SbæÃ?1‹b/N‚d¦’Ћ|Ͳõ™?[ÂÚ‡3Á0´B}ywöæ½T³ÄKâ žÝ=piÏ×ZÌîòŸæ±xç€ÁŸ¿ûôñýõ‡o.ÏU8¿»þôñ|DþüýõwW4úpsùý÷—7ç¡#1÷õåwW7´3Ž/¯?~E3	=Ž ½¹zusõñÝÕù/wßœ]Ý9^†ü
+_"#¿žýô‹?ËíoÎ|O&:š=Á‹ï‰$	fë³0’^Jigª³Û³¿;„ƒU³uJ~a¤½(cdài?˜²ð”£B4&½1%d…B^§mWlöý *ÍvvûŒyRálˆþ€5A…P!Bß"­Æd܉¿[ñ /Úl[nº²©i¢y@ÂöxJ”ç¡^`f-<_E‚÷”õ>¿2Hà^âhÄ/-n—3Ü8wð¯p~ˆ—8ÏzQåEì‰hŸ¦Ð^à+ùò8¨W(9Ć”xÏz<ƒ—•oõ‚òY(<±-²Ý¶XtÍ¢¬i|¨{‰'ÀD^$ÁM0Ö<0\ø3¦áÿ£yÓœì+^è%Ò×ÇO*0
•Œ¸}Iñ,ü+Œâ=ªx‡z'fõÊ8¨W9ÄæônOºÍ!\p	·6	öBpô¾ïÏ¿z®Óu™?nò´ã+ü¡©Ê¬,Ú‰Kðg‹î!¡ÁÈa!ŒMX€G»Ûlšm×â[4ïžšN+ð,uÚ•M¬‹nÕä-½€†˜çr›Ö]y.æõ’&²ª,ꎡHÃ`°-—«Žç:hSlÑaÑdîø‚—á«‚9Èò‚L¢(0¼üÞÔÅ	 kjtƒËÝö\èy‘Óìýs¯ê‡2>(@ìô3­ªæiA§OÈ1ÆxZ/šÖùÆÄ“„‚!T‹
ÞÍóÆÈ‹¤Ýdvˆ‹vƒ*ûXTÏçBÒ¸M£:$(W Ìî»iOÉèDþ¤'•œUé®…Û“¾š?5ÛÏ-
Íâ M×v5}¦AÊ0`çðŒçbâ±lv¼òXl[à‘ßP‡ð‰éÑ𺣧Q+[‚jZå2bÐ`&~,Çá|¨×ºl[gïFà¹MZ?¥5æ™;8ª
Ç8*ë=Šzè9}ýV´ÇAtº–ø±Þ¿H¯èBÑNÀ3¬‰x^AS¨‹ˆ±¬Ñp,¤30ME
\m~ZAÞ`æœíüC”æ°"‡‹
+9¿¤mÁûPZøÜžëù®*ú+RèÿGWT"ÅI4o7à6Š¬DZ‹ü‚tæiUØC¦H³ŽB‹˜§Ëneh‡«*8ßð\^ÔeÁs½"´´ø@P]4c'zâ,Þ7ã0ÊS÷|>I)ŸrIÆã(ÅÈq€È•"‡ÙHìʨDÍO‚ùõ-NÁ w‰ðâ´š_wEÛÑ"Ù¦K‹¸¥g[.ÍÍ㎟ýÈïÌúÎK;QgÕ./x£“-lÜsº’în¯?°‰lé	x„Ä”AáüŞɰžÇÆæ–
ùŒ>KÙÞî]¾Òá¥Ö¨#£Ó†À£€‹ V½ãzSÖ6œˆÉŽcu,:	†ªÓÍ’K~§ûä½[WÂD} ˜ÖÕ3M¯‹´.ëåî¢wÒU\0‰>#n£6±˜ÿcUÔdkBiˆO‘>ô‡¬Anªü?¦Å6ñëx
—‡J“¾ie}d$åDJ¯} N9ƒÉbKžiK¯Ä¶>v3TT¾Ÿ$'Ç5Çbš|cÙpÐ}AR”®Qcð†b#™öëPº¾‹ §(L¢’	ºT`UBÉyñ[ŠªÞÒ<»Ù?Ð\J¯ìÞ’•÷;ʲ‚ÀÒA›4vdÝ¡1Àº,@
)6õ‡rˆ€œÈ9Pü¹xf0ãa°©ÒÌÒÝMÒO½Î|eà…PF¥IØ"Á9ž ‡ÀSö`D‡Gƒê3AaãŽàLn!…4QóËgšÎ‹‡tWÏ=4Gã’EŽDAA « oÓí›í®~cdü†…ã!i‡òQä…B¼÷¢§ÔÈ"” {rì¨RØ\U
+C–™ùtÕ¨Ý"ÏëßhÞ”ÙÑ#I«e³sXÓ«Åôõ÷—ï·__QŒI[ÏïwÃaj>¦Õ®à.Ø!úÿ¿¯Š©ŠMðhÙ&ϤëC.€j¾	¡¼"¹ä!J¨µ˜@iä8Ñ×ð½¬æ”‚œ Ö)¯7AÊÚ#µ ¦S¶JtÆã“sqµDcã"êšœˆŠÈ‰À“£CD.‰†í3äk“$ÚŒfùV`”nȇ7›mÉYé(Í6;!¥Ïöl¤?Íí‰)Óä¬qÚcLqc)›È>ÉŒÃÈõ0ÒÈ46HãÄÜäÉ&[ò¶
(šù_ÚýmÀ¹n3~*«ŠF÷ŒÔT;ó­£	[0: 0[¥õ’ jÒèJÎ#fp¤Ò4VuÙ¶»5]è‚ýܨ^méyè\VnAœÛ Ö(ÁœI—L)ý×	W·—Œcá"†bñßô0
{bèÝd¶»{zQ½¥ÑßikAš µ+´¹t,Xc«­7­Ûa#`QMI¨Òuä¸ÎÛàkÇÃÛªi»ÛGÈûÒ¦u—¶fœíáMö±“¯uÐà^âÈÆBÿÄ¥›!Ìæ¦`2¹VÙqlÈk>ó¨ü\ôjpäj¨!YÅS00\åèUß6ƒ8êK=|Cµìž7½ýÔOÒè—Ñ<¶vá¸0aWÔ-ˆã÷qÜw°ÔâzÊubìS•eU,©¨ŠôüSñÖ”}…
[W)ïkwYP¬Qùp©Í(û½LŠ)íå"!›Â@±âìaß”kHÐÇštB¬PÊj«¥„xÉiLZƒº¡çÃnËJ¡uß!Ø>KOl™ýBú%Í’é„y=à&Ÿ°5#Η[šLðC;ßµŽP[0m
+ô
+ûA¸æ€Ø›…jˆÄ­+·®-š6&Ó̺ڔ.Ö8¢íc!å`bRØ«ì$g®¼F=…Csf]6–=êDLu{dLÄd§ãcƒ
++\1(!95iÌYÏTº†8®bemì(¥šJ(×'î²Í¢-ª‡)Ÿ(<×±žÄ@5Y¸k£Ȕ`uI«æ©x$&8Gz¡,®óÔöe{¾°“Ì kÈGŒóÄÕ7ôà"e÷›-”'%~¶*$$£Ü“æ›ÛµÝà_ìYM_Œ„£=ÝN†ª©JÀºœP¯ÉÆÀa&¥WHHòÌÉÂgñãoÅ
+.h‡u$cl.£Cö–¸xœ?êïM˜5U_Aò–Ó£ ’EÙ™™¡/‰Ÿ8„Ot<à\LCˬ¥œ³}{õO¿ÙL
+ߌÆ#î1Í3›„¿O<3N?í‘Œ¶]¥½a ¡vG­\†CÀ7ó	#ôûåÚpˆ–··¼hv{¨XƒQÚî¡{å4|èØ)ý0¨v{3b|¸ËHtâ­|FÅ,ø€]JIHwÛfTóºX6]iZ£ùJHc¢
+G÷\{¸½] ~q!mÛ30
€z°lÙoó”N’ܨ¤—G‚¦¡M$ÑüÛb{O¨¦¥ˆôuVnÒŠ^é£EÔï Š	‰óMx_ÑtjK{=úˆ£¼8q¿f·Ã|ÏË›uZÖ_L•ô>T¢I<êï¬ò–CBi(mqêÄqˆàTZ@çk„ùÖÒûîK…^¨C5ÖrnÑî9Mqq²­‹bºÿT¦Ü¯mhò«·Ó¨bвMZ·ÜO`?oáôa˜»ie‹0˜/OYPìNY类ÜXÐá'•	µ¸›”-¤Ñ"vMØ„ùžâ@¸ã ŸØRËSz˜ôpñë.­FŸ”¤¯Ô8¯Ç6€2×A˜?Bºö"å‹A×Î$
Óz!d|¨>9QIOjÛL:ô‚ÀåG#Ø0ÆŸŠ:-á¸ÓùÒ5ãw÷,‡ÉòK%údT¬hSËPy:ðÕÉDMg+ÄZøG°`);AŽðtèàNB„ÌýyÆ>o¹Ø«Ò^„*ðÂ@Åc—±n¡<…ÏAר{A!4Ôã:NŇ„½€M	ONÜ)ñ)—0ÀôbB¼w	®o0ÑX!›Õñàkã)Êvðƒ7áƒÿƒ?(Ž$–É)¿ñ”¡öþ–nò7žø³ÍPhˆ0±á·ÿ‰ŸOÁÖ ?ý“Òþ÷¶pRë`úwXÒîd0“ÆRR]þþÏ÷÷`âÿµ¬O^endstream
 endobj
-1582 0 obj <<
+1583 0 obj <<
 /Type /Page
-/Contents 1583 0 R
-/Resources 1581 0 R
+/Contents 1584 0 R
+/Resources 1582 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
-/Annots [ 1587 0 R 1588 0 R ]
+/Parent 1579 0 R
+/Annots [ 1586 0 R 1587 0 R ]
+>> endobj
+1586 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [328.5503 737.8938 402.2036 749.9535]
+/Subtype /Link
+/A << /S /GoTo /D (tuning) >>
 >> endobj
 1587 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 530.1591 414.8187 542.2187]
+/Rect [336.2616 708.0059 404.9336 720.0656]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1585 0 obj <<
+/D [1583 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+490 0 obj <<
+/D [1583 0 R /XYZ 56.6929 693.8168 null]
+>> endobj
+1075 0 obj <<
+/D [1583 0 R /XYZ 56.6929 669.0349 null]
+>> endobj
+1588 0 obj <<
+/D [1583 0 R /XYZ 56.6929 84.3175 null]
+>> endobj
+1589 0 obj <<
+/D [1583 0 R /XYZ 56.6929 72.3624 null]
+>> endobj
+1582 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1592 0 obj <<
+/Length 2811      
+/Filter /FlateDecode
+>>
+stream
+xÚåZ[oÛ:~ϯ𣽈YÞE>æ4i7{Ü®›ÅbqÎyPl¥ÑÖ¶ÜHÎeýÎp(Y¶åØÙ¤@E€Þ9ß|œ!%zþDÏƕ׽Äkf¸0½Éü„÷¾BÙÇëëJÃv­_®NÞ}PIÏ3o¥í]Ý´úrŒ;'zWÓßûïÿzöùêb<JÃû–
†Æòþ/—£s’xJÞ}¸üøñÙ Ñý«ËO#/>\Œ/Fï/Cጀö2ö°§Á‡Ë¿]Pîãøì·ßÎƃ?¯~=¹¸jÖÒ^¯à
+òýä÷?yo
+Ëþõ„3åé=À΄÷²7?ÑF1£•ª%³“/'o:l•†¦]û§¹`BÕ*Íœ…>ŽViÇžì–÷†R1/¸ÞßµãÐWÌRµÕÕP¨„i“ ~•a‰¾Ñ¯-ý
+­˜SÊô#˜´ {Tð"g¸Ëï>HÕªœpæ¥Âá±ÒÅc:©†ó´šÜ†*Qý2›§‹*Ÿ” Oëxÿê6/©änàú«YF?B‹,–<ÜfÌé~uËëÁq?„`ÞÆ»ÎòÅWÂj9M«lJ?pN3=ÑϪˆ)ö‹™I±¨ F¬]ܬ‹ÃJM{¥Rành—ºg?¤eƒXçÎe6›²mtj€gb­ìµñ:å"ŒXcõ¦x¥;!ì!¼È„)£tX{¹ºžó4_
aB‚Ý7˜À
&ðasQw‚r
+D¢_w›Rf4ì‚Q˜f„ÀiÌÜíAÐé+ $0¦–úM!ÔÒÍ[AÈ)f•/è²n±BV:äF}B\1­UXúŠE:;?N‹?ø£–ù<Ÿ¥wøC N#d?{œdˊʪ۴¢Úy”ÔPì€N$+##YA†€	†€ÀP¿Ò¯›X)Ð ¤)%kk	?Fؤé÷bsx:vC‡œ™Êur
=ÙÞaG““IÜ2šÊpYÌòÉSÇ[Ëœ·5NË
+*Ïä4Vº\fé2zÂ]Íè /®ïs2¯¡móċͽ‚^°ªŒF¬$ìU6D’fBú´Ì¶*…ÅQÜZ,|È'(O)ßO±l‘^ÏhŒf¶¶*Ñpµ!S…4¥¹˜L„ëO;ö/I˜M¤9vÿ3RûÝýÑ×@:_ͪ|9‹Ó	h»Ö ÈQ¸&ËVH›P3í"Ãût–GÈ5ß=–C¦½Ôýxl+úuàù¡g«á~úóx4Бó‚×2›Ýy²­*¼]+KH¡˜›‹å¤.E…¢°Q(Ê7zØCÔkÇJIM'¢Ô{Êzîymä³U]Ä
×^m;WC£äˤk§ÕAËÊïXÌ7óÏ¿.Š7äZbyMö¼áëU°N8€ìÉ|
l#¦u<„…dKKJ÷0·æÌgŽÚ;¿½1ÖèõÆlàJ{ˆ¬“æŒëÆmƒ{º¡[ÜÆxÐkѯYc^”IàHºYÍ6üøÙ¬xˆu² ÿdß²'’,³».LE"qšÈÏÕNа+E:Šunc†º…Ú·a»ÛEQNµúnWê ©¸(Û¯À;,({E«%È‚¥Àæ+n÷ RɸãîÅ‹ØÚ2Sa@'ŽY.³Ið&BनvõíÁ'äÉ
t‚ýý¥SåÆ3n4º/œÌ’ exé8-«ì./¿LDaÇU™¤eö3·(ï­<…8s0kÕ¡¨œ+&y„ZÒña´^ï×Â&ìA! ½C¡†yž7`ôê¼­	¤“d&aïMð‡.n:FÂáþ¿”/hO&
rfe¼Ã¹Î6î}öC¥­ƒŸøŽâLð•8X&½vÍ&¢'s$Vo{fîXpÓ\Ô!ŠoÓûŒr×9Y„ðe÷yJ™«÷Ÿ)âs¬tƒ·j(‰×˜Ýãým„ã`oF,—tÏ?nBI1§_äÖƒ—/ò*‡¸®vù™Òt:¥ƒ½,I/Â]ðº-Ô
»Në³óó1;xÙ?‹$´ˆQÆågÛ.Ò>œíå2dñ‹Wá±G}qÉ£©í^j?W)4Æ•¶§¹‚³Ý‹cž$Ø0¡Øû̼b5I\R·Ø‚i3=€©eFºuœ¨k
+Ö
+A-8ª§œÇ“ˆü„Q Æ„ÑàŪæÚôx¥¢ÿeÿbgs SqOiˆÄ¸Bï{/øýÁñçù°Üõ6Á»Ë¹ì°¨^{]uÏÃv×a]À-2–%^h¨&}˜ôe…Z*P®!W¾¸ËÂÍ2"-‹²Ì¯’÷‘ŸQ‚Å´\ÄŽÛP^ÂuVâÈÚ0SÈ!ð-Âôw¹N9æ´„8µ¥›WêÅ}¯ŸÆ^‡F™€†¸‡53Nú7àÎLÈÂÓjy€•{M¶*ô‹øXÕo
+X¡5‰–Äkè½?ÆJÕ	Acó$Bùë'*KO$¨ÁDÛ‹l‚—‰]8[Ó-ld}sãëi€h‘UÅÝ7#Ë£pO«IqÉxY,¦1ˆs@¦÷š*¤ÓÎWš†ÂYœ{t€uôy«g‹iˆb,…x˜¦´XoºP^w =ývAEãq™UåfËëÎø
“úqçA‘¦xŸÝ•5Å“$ÛÏâ08h^™Ÿ•Å…K˜‚ò‹ÃjY¢”|S—hÊÓKú³x»ëgX\BÜbð2þgdñ¨ýÇâÇO²ûûŠ×}•NS‰Ä=~ ÛŸƒì|¢h°þ„vlâEÛ”v¿«R‚EI
+ñ.›Àw¶¾)Ÿ}®±%äÿúZ3_•ñ‘)ÜÝ<Å	Pr³¤¿¯ÒÙúÆÄõãeíßÒ‹ÔЙD:aR[ºz¾ÄËx.ú‹‚R¼Dâ…0­¯ßPž=.gù$¯Ð²ðwëš
+×/D}[ÄÛ_ðö—\ÄÛ¦¹Æñxüåòã)åG_bæ˧³Ftñ>v¼~h"Õùäv5ð¼‡qæ3÷1ÁæE±p¼	›ÌVt*bÉ`dg£aÜpPûõJ¡„V
+Òj=…f¥ ŽKq1 «Eê´ë‹šT.Ò
+f‰É躲Ž§x‘ï+GEËâÔŽ_o„§Z’¤U•ÍÃÄT¼²á<ÖM’L³YVwGË!adB×éÓ2––e1Éã·8d^ÝÆ’}Á§;gwÀPŒÜÖPD£»Í&ßj¬ßÔ߆diÛeyY5Ÿ"mN0Ž:aû¾RSžî¶Ùƒ7gí«?a[ߧáÔpNuÓPCWõ¬p¿\²=wÔgð‹‚ŽÉÿæK¡¾endstream
+endobj
+1591 0 obj <<
+/Type /Page
+/Contents 1592 0 R
+/Resources 1590 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1579 0 R
+>> endobj
+1593 0 obj <<
+/D [1591 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1590 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F53 1062 0 R /F21 738 0 R /F62 1100 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1596 0 obj <<
+/Length 3030      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝsÛ6÷_¡Gz&âá‹$xoŽí4î¥NNVçæ®íEQ6§©);î_»X€e}¤gšdÆøívâ#ÿù(ŠÃ8é(IU1òåÝCßgÜòŒÓØçz;=ûÛ;™ŒÒ0E<š.¼¹tÈ´æ£éü— ex3°à?o¯ÏÇ"bÁ»›ÐâRE"¸|ñiz=¡ŽØ²¾½¹½"JJË·ïn~øyrqž¨`zóñ–È“ëwדëÛËëóߦ?ž]Oû%ûÛâLâzÿ{öËol4‡ÝýxÆB™êhô/,äi*FË3É0RR:JuvwöÏ~B¯×Ýg¡±Øƒ“à#®B© Ó*JC¡á€L šº°@•U[£	x˜F‘™€Æ’…qÂu1·ƒ§ç)žWEK34‹TÑ6›u^¸·¼YÏ-KVÏ©ñ¯‡¢¦V×ÐóçÖ˜>K»éIÖ!T˜*®Ì:¦%Ì)£4€q<È»²©ßAÇA•­Ï¹î‹ê™8fÍÚPš§bŽ,è}Iý“w—Dñ);ɼhóu9+Zêé
+âÍ›:/VQqÇHÌè•6Ž3ç–Ûl	ö»¿²ˆM&ð—Û€l7×C›+>¯ª¬¬ñÛ\O+ÉePdùÑJÛ·i‹9(²J“஬ÍgJ«…«Í¬*óÁ¡³bxÒ–¡á¶,4ùX¬³ŠèuñDSL&öSÙ£~V¸•ó¢îÊ_ÅÎFÈ"{y—ËUU,¹p'þ+ö«Û»°W§$I÷RµœW›9îÜ)ì@O$¨(÷|ï5v¿jžT¶Ø-!6Ë×í:[",ñ1h©/³,ͼ@Ùh\“à,‘ZÙ½-:šÐÈ´÷Jµ¬Íz™9}¨¥›}™=Scf¹‹åª{>çœá>E›EQÜ~æãðÜóqÅü[Ö¶M^fF¬øþTv¶‡«lÝ•ùmÒ¼[Ü eTæÌ›åªiÝîûm#a^z%Dw
HâŠ÷lÄZY_a©…0µÊ
Y*gë”Ϻ±„¶¼¯0ó¬¶$£Ä†©(æ;ì„s¬,^ÅúÑðÀ7fÏ–×j
+z*è]·FlªG¸òh[?˜ÅzŸA!œèK9¼dA@°¤÷àé`V<À`bÁ“ m@õýpärSu%Ø%Q
VÂb‚„U±^–Y,¼.pqØ߬ºrYþaµÀpnÖ(ÂÖ~¬ç,>gh÷oöIÌùývUäåâÙyƒ¬³ÆN_}ð½.²õÌ2œÔžY“îÖ¥ó0(ÄuÛ…$»¢Ø=¸Á…šÃr¢Zš#”:×÷#jL¼3·çûèÌõÇËyq¿wEn3Á‡yrùbM:
+U–ôâðwL§Ö¡hÇñpöÈñ?ªX‚ö})ŽýÄç_ÌzõbA‰S­ôqz®Sy1®„üáX	Š”CÀÉ-8·~—hœS
~'ÆÉüPÇyÈþL±'¾w‚ý}w‹œ¥pH±t)&:I¾$n”J‡	KvâÆÿo”[ˆg–W@ãÌe›nÄpªq¿©q$t¨¥8 ÎAu2Š¤Oɵ5Oµ³fr™BCTÓK¾^?´žÐOnC„>š˜Ø(¿´r[4›šÂ…žE	~â-÷ë @°áà¥2Læ/¦t#£Ê (Bœ@U°PÅ2%7ñùù8Vq\ ziuAêg<ÏÊŽ:³jSPÓ:b`0þÙE7ÔåxÌÔÈc¬Âï"™Œ‰iI@
α]³¡ÎtŽÊCàëPÝ
+J%¡,ùSº…ë僤lŸ T‡Q$cr9Ó §(eV倳\c8'y0®ÊGK4X'ë$U‰B)’Œ¸ª9‘1£W)¬ÀTB<~oŒùê}â¢ÃzS—ÆJŠNñÙ‚´ê¹9ò•Kì€\Z¶Õº\fëS0|ݘ[3K„?D2‰Îž ¶ŠƒbHó Ž.¨I!¡TÂâ$!6¼ä
_š'l° jL›è”&qóÖÔ˜í.Ígç.ÒX4¾Ë)mÀÒ>4›j>ŒFæe›g62=¢Ô¾¶|~Sï£0¯Jù	ï£ð´‘‚¼O^A‚j-•²î'õÝöÜOºu?ºw?éNv…}uPÄÝtMÞTDYdKÔ·ƒ>§Y»ì±í²ÚyžÝŸöˆÄ<(^Ë
ƒzU‰1,ú0}Bbêj!È
M®¨î….°°+›%j±/)ê<ë20Å„E[NJ©m’1ÍmU –I¿àIG	¶°Bâª"{]QÛ,tŒö`7F•>›0éÛáy¨¼–𶥺¿"†ãqÊ„Ž·Æk
+)"
njê!«„ÆÍ-=E½¡ºKGUV ÒS™
+¼º(Âü´çh¿‰Úc¿WölÞ©š‚$6’è°íú˜¼–í~ƒôGrju*ý‘ü*aÓŸøþVq€>ÆÖªbÃ:ÆIø´ŽÀç­ëµò—Ž£?3¥q>GÃÓŠ©€Jlšs€Å4ÿ0vÜÈxjdµ©ñA¹	Kà;“9›ì9³Y`ž4Ÿ·§-wÃtõa(ëyiÓ[G„©†™'Ý3W5Œ„Ÿâʈo9ìÚ:z£«o‚Áê‘€«ïv«§¶ªHœþnJ	$xÚ$ÚT(¯?¯
+ñ!8Ë*KòUSŤšð$Õ„†Ð€ÇAÕôdþujôMc`ÉÅñ	Õ±c¦­O~wwõ,BŽàCã.c`"{Ê)ä F³Œ.?”+#º‚¿H[À(Û®àU‚·½ïؽ
+Å¡u*½JAcï.>AnÉ6.†fÍÚO”ªìëÆ»°o]0¤å½0øÙc({Ë-/ü-PЊbye)ÂDÙ|ïòzr‰üÔ$,xßTýͯˈïËÎ9ؼXwö®¥+Nœo€¶”T×[õw\Ê,
+Á)žÀVØÚ°Áööâ§k)V¼
³bÈÕúrxí¦.sƒ1Ðm©4±E: ¯Žõ ªÌŒsÑj€:°”–õyk!‹:¨yûûŽd	”Ñ	1ð4†(!w~õþòæêSkÜøð![Ý‚,‡®¾x_·X<›		ö–›0Å'jåUYà5£a'ó¯TÍ@¼R=èà»>¦AIa¨Æ‹Îåuk¬ñkÖX¹„”ñÔÀ´„4öÊZP?)VU–SM)	:p/T»N¶
жÖ­m|NºéÆœ¹®Ý!ÝA©™kãTUÓünî‹SlVoL”&´\`xøH¿aNc­F™Ì[McPÇúàèífÖÑ{A&,L),ÜSØì÷ʤ[9ƒÀc•™ê×™ÝC“YÖÌòÁz*Ç8(àSÖR}Áù( äãì‰C]Úß_ãXŸGù¿ýyÈ)å1Èü°roµæuK­¯ë— ³SÇQÈUlýÒíÝ?®ÿ
Ò–)î:[£F	(ó³|ÐϨý{a¯Ñ}ƒV±·£ð'mø
+ÿhê­·ÖôŽˆÉ#)Âë"¯z”ëÂLu"Lâàq…Œ­#ºÃlUD9ñÔZO#üqеÐ&ð™‡!’ŒMßàÈPV„ý¨¨!¶Q„Å5ë×ÈÎå;N$&2åÇE—àï"
+Â~øôñÒéìÝàbÔ÷Z÷U3s1îªiKÌøÜÏP6+ü¹â†þBÉÚᇗ‡áôúu{WBJÈO±ø¸Æ|ßO+Øè$Ö_úcÖízÁJ­ÜÙš´Ä¤çB¬µ~ñS[÷«WËå-ý«óR`endstream
+endobj
+1595 0 obj <<
+/Type /Page
+/Contents 1596 0 R
+/Resources 1594 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1579 0 R
+/Annots [ 1600 0 R 1601 0 R ]
+>> endobj
+1600 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [312.8189 570.0778 386.4723 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1588 0 obj <<
+1601 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 530.1591 508.3275 542.2187]
+/Rect [406.3277 570.0778 479.981 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1584 0 obj <<
-/D [1582 0 R /XYZ 85.0394 794.5015 null]
+1597 0 obj <<
+/D [1595 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 494 0 obj <<
-/D [1582 0 R /XYZ 85.0394 740.4694 null]
+/D [1595 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1585 0 obj <<
-/D [1582 0 R /XYZ 85.0394 708.3638 null]
+1598 0 obj <<
+/D [1595 0 R /XYZ 56.6929 748.2826 null]
 >> endobj
 498 0 obj <<
-/D [1582 0 R /XYZ 85.0394 708.3638 null]
+/D [1595 0 R /XYZ 56.6929 748.2826 null]
 >> endobj
 999 0 obj <<
-/D [1582 0 R /XYZ 85.0394 678.508 null]
+/D [1595 0 R /XYZ 56.6929 718.4268 null]
 >> endobj
 502 0 obj <<
-/D [1582 0 R /XYZ 85.0394 621.8501 null]
->> endobj
-1586 0 obj <<
-/D [1582 0 R /XYZ 85.0394 599.5389 null]
->> endobj
-1589 0 obj <<
-/D [1582 0 R /XYZ 85.0394 513.2226 null]
->> endobj
-1590 0 obj <<
-/D [1582 0 R /XYZ 85.0394 501.2674 null]
->> endobj
-1591 0 obj <<
-/D [1582 0 R /XYZ 85.0394 321.1429 null]
->> endobj
-1592 0 obj <<
-/D [1582 0 R /XYZ 85.0394 309.1877 null]
->> endobj
-1581 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1595 0 obj <<
-/Length 2791      
-/Filter /FlateDecode
->>
-stream
-xÚíZ[OëH~çWäÑHƒ·ïíÃåsl‘ÎîÌ<˜ÄkBœÅóë·ª«í8s¬v…„Ëåv§»._}Ým>`ðÇÚ¤Æ?°^¥šq=˜Üî±Á
<û´Çc›ƒ¦ÑA·Õ÷—{;•vàSo„\^wúr)sŽ.§¿&&•é>ôÀ’]œŸìÍ’Ó³ŸAâRi‘ýp8¼<Ñ›~v~LO—£‹óÓ³OŸG‡ûV%—g礜žŒNÎNö¿üqïä²rwZœIï¿÷~ý
¦0»÷X*½ÓƒG¸a)÷^n÷”–©VR6šùÞxïm‡§áÕç̤O¹ÐÆRÅùö_¥_`ð«Q2õ8Îõ=à̧þå•J™g+ËÙ±<ç:Uάö©‘ð-<Þ?0Bèd\—wûÜ%yF÷*©g9
-:™eÕŒ¤òš®µXÞ_Í‹	©þȟ⳪*'EVçSjôXÔ³Î[:©Š›=ÔÉñù}2°*õZ˜
-'Gög¹ÈÁÓ’³ä8¯&wž†-ѱ§G$(&Uºé]¥-Ø×Ã|;Vy¥¥r©„ ]
ôå]6olwž)—Zö8OêÔ
->
/À}Ê)“Œ—ù¤ø1þC›ÿ¡p3/¯²9É˲*ê¢\D»Žï—ù>Oîª|ÚØöꉮ?_í°hg¨¯›þÊ¢Éß2˜K!´{
-ÝXc\0ègç§`QîDr6ÍõʤÜF“‚p4üLB¶@³AÖ Pq_C‚	O2º•U
VÞ¯E3<	Ñ
1š·&ÌSïðÇj¢oàïàãT*¹²»ýa¼O6*Lûl8>9úéäŸ`!+U2U>SB©ŠnózVFP¹#¤D+7ts6¬òVµê[@ª»ÓïЗÒç|AŪÄ_u­ð¶ÎRoê,Õ‰©42V§^²ËÙø*®fÚ&£|‹	äP†ˆ„DÙ4M6Æ–U^A‚p.\ròu	^¹Åwçî8?Øž»¹“;Ò™é[9’Õý-	Ù¼±Ý!X•„Îw;D‹ Â«„ıµâ.eH¼4åPÁóNÇ{ªà·°ja‘Ýæ‹éäsÕ4ëoÍÈÇ›bŠõÙýwº¡á-çÙ$¸4@©!uÞyõª¨¾Ã{—\Ý×áWÙFXÔż€XÞÊž…˜€Yˆ“U†¸?ñ¹ql)œMn³å’,Þ]åõcž/è†Ì‚‚:háKª‹ºõc³­žéMnvu'ýÏ*w)3²§æ	¬‡)ZbŒ†Á7"9[.ÞF)¬HšëxlÊ<ÜD[/AQP}%íYØfg׊Ξ…µ´eŽïíHœÕçK°n÷9f×
-8‘8~l¥EÖA{ã•&gÆgŸ 
-Ü%Gå¢&ú¥ï²?åDø¶(«ï›2ˆªiVgx„ÌÖw‘ðq±íêȻ×àÝÉ|à³c®]
-¨Ñ³çN§Ö©¸øØ—6¹Ä$qå}Ô3±û›Y<¡En¨‚4Íž	'‰ÄÄPBF„×ÀˆB«Œ6±Q^ÄW€mÏ•iA~ ‘’Èé¦9I‘÷ CS-Ýðhãó×$æ*óœ]}\°AÇ^“Ž]›¿ÕÙÄ{„†@*xO:rXzxîha’Q;ï;ÉhqQ¹:Ê™ˆª&Q&2iãf€:Ü’Éí¥¬!˜’o~. 9L|ÁUÑðõ¯¤äq£Äï°Mø>à™ˆGÕÿ¥ºÞøÀx,‡÷p!ÎUÊ´$ç/q ±q€jùª|Vu`¨¡
-_Ó5£&´.Z{Ð…qÎÃñ—]?&°ðx}Å—u™~`3Œ÷ð½)Aôg<<Å–ÝVÌ%õ>OÐ(óÅ4,‡A–óbòDòé,"Â2úž %P¨ƒB¶Ýè7ÅC³%_¯èÓK6Çá'v}óÛZäuFÆZa|ÁÚÆ=÷M7ôo¾ôòÕWôʦҹ-ÇoÂ:ð)t±‹}¡MûË÷휥PVEÓª3ôÿùnendstream
-endobj
-1594 0 obj <<
-/Type /Page
-/Contents 1595 0 R
-/Resources 1593 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
->> endobj
-1596 0 obj <<
-/D [1594 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1593 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R >>
-/ProcSet [ /PDF /Text ]
+/D [1595 0 R /XYZ 56.6929 661.7689 null]
 >> endobj
 1599 0 obj <<
-/Length 3301      
-/Filter /FlateDecode
->>
-stream
-xÚÕZÝ“Û6ß¿ÂoÕÎÄ:ñC¼{J“Ýfû‘æ6¾kçÚ>ȶÖV#K®)­³ýë @YöÊÙÜu;77™‰HA~ WL"ø'&YFÊèIjtG"ž,6Ñdc_]ž3õ“¦ÃY_Î.þr­Ò‰	M"“ÉìnÀ+£,“Ùò§àÕ›—ïfW·—SGA^Nã$
-¾¼yûš(†>¯¾{}óÕ?n_^¦:˜Ý|ÿ–È·W×W·Wo_]]N…Ò±ŠYüëû·W4éúæÛ«Ë_f__\Íz‘‡Ç‘By»øé—h²„Ó}}…Êdñd(ÆÈÉæBÇ*ŒµRžR]¼¿ø{Ïp0ê–Ž©IG"2V“i…Zˆó»ÒìÊM©Bƒro
-‡NC§¨y­ÃÈDÍK5мÐ*Ì”Š'ilÂDÁªþýíeÿD}%:¸©ïšÝ&o˦¾œª$
òyÓµØÌ‚}QUÔúP7ûššuÑî›ÝêØbw_.
-K½Ÿ£8Ú]Š,(¶UŽTPÿ$Õ¡‰c”Z`C:~øæ=L!™êua»r^,©[ÖlæëWÔi&ÃS[j0fš$r2ÔÁÓ«ÒY¨ÀE'S?á9M%afɧL¥àXR2Õû7×ï.§Zg2xç4ÛÜ—KT·Ìâ ÇOìóê·
l±èÈl»yUÚ5
çD;ÌâUkgmúP<|a‰úsÉz:fHºÇ«b·Ý•u–TâiKjÇŸ°ä@EÏeIïuŸÏÒ¯8oÉ(¥|òΟLˆÄ©iöãï›ÁìÒÈ øØ’>È‹Æ}—ö3µþ”âý±ÿ©×!Ét¨„NŸÐbbL˜Å‰öQ´(Suµbû¨…Íýº\¬±™pC"0lögøö⼋ÛÙ¡ÞsKß÷ßÍÞ]
-i‚Ôo×9Û3§Ï²ÙäÞj¶Ûn›]ëmû¦´m³+yuÞ‚CÝn‹]¹A>¤Õñ¤óäµ™ú„Q§}.£PÃS0פQzCþ»U^‘˜P¥`´©LÃ(=†/`ŒŠ’0“&»+¸…ãv÷+`°;Å¿uA:¾kªªÙ—õ
-õ@ÑV&ÊL¦a;\²¨r41Í;ÚAšP*„æ¡¿B©m(©-ŠÑË·´Ï{Ð,HݺuéH÷yUž8Iëðúíû¿žúH%bŒVJüÏ,ý)ù.ÎÒ0K“§îylD¨IÈå z¢âä`ù›º-vp•Ïß°á>Ï•¹ QfIüŸ$C¿â¼:bF"ÊžRGj (JS.w ê_¯ÖycA˜9Réò`îo_bešBbÓ6‹¦"Ê‚œ3o]ØB|ÞÒÀw73"8¹(46år*LÙð|R»ÍQ¨ ³Ž¿pCwD*[KuŸ²¨¿ívÛÆxsÌ»H&†#Œ°¬û‚Šè8"Ï»²j§}¦„\\ìü½$x$üÞÔ˜¥]»Wá
-ZuŸ‚]!¤P`^–‡ó²^ŽD‘T„©<÷N9°öó ?×)E
-¨FŸrJh$Z’ößšJxЛµDåf:ÈQáivb´¯õ¨³,Ù:[Cwþ@_pJW9@“ë•_‹E{Þ
_‚ÓÖ9Öî2n°ì”2(±œ”Þ'‘‚•
RìºÝnâQí
-ã¾v…±û|W6s²v:æm±á”°ÌÛ|žÛÞŃ>fçGWt¶në	®‚q^Rsö°
}ÁÏ;ØÀrÏå`ÿŸ¸BgY˜$Ù¸BÃ%‡"y€+D!@÷:°Yç&’#Áà][ÔLÚl«rQbüU*v98 ¯ϓЫ¢¸Ž'¢W;ŒØÛæ»Ö3÷Ëy×ÛÛ×
s.>æ°mÁ{nòúaÌIn¼‚¹ÊwŽUçÕòÚ	G­–îBAó\´ê:§B*|˜Ý¢å:ßöxýš—vÞæØb/âbMÅ̼½e&pj`yGºY:,®…v9I€U‘S¬ÔxáW:UZ"€tH)&äîĉçy‘"P<š‚¡%ŸW'礀F~w…»}M/—øßK–ç¨^Ä£µöbÖEᑪ·ýØ8ʤUd¾È	{ñÒÐ(™
îH³)r²„Jcrá”	 =¢ |Eµ¤Ž»N©{wr³Ë
O¯ÊMÙÑEbø®›=5´%¤ Ý±¿ÈyîœÙ|(¶Ì¥¬vZä‹uþ±NàÅ ]G|mÙ¸ÉT€c:†p‰·[¼?Hs¹I]»Tƒ¥ç}AC˜¨E0êøx¶ZËcÌ<¯,³BM,‰ù¼FG‚pŽÎýƤ]oÃ;6åšÍ ‚mƒ¡ÉËŽ9â`ÄÅh'Ö¿à—3O#»6ÞakËU턪“Äè|	q®„A«G\z´µö+9ýØ(¯7 BWe
`Õ•æpW~X—Õh@° |¼™@©-µœK`c^ЗÑd&øqS(ð¦ü½ð¨?]ŒXtQáó;‰ÛôÛPƒAöºœÄ}ć£`KA5Ø–Ït7¾¾œ;Û¶Ø9`R/¨Ønµ*,#ºýÔ*,Ï@²ÉÈ€ZÊ]’“K<0²ãp	DJÂðØY7¶
é	ì†×æôh_¯Fc]XiX*Ôw»ÅÚs›Îüf†=‘N—Ý‚ÀAìD²Æy6,Ì`Ð<{e݇òÅ‘–ÝŽ³7™rÄBÄ÷Å	\C0êË_wYÿ\4Ïx£ºÒGn4¶/\îóª{ôÖqÃió“øœÞI’ˆ¯¶¨¼óéGI…H@6áô„sÎs¹:¡€…„E¾Û•TF2¬MèÅÇšÍ/.s=¤îx›ëÖÌ©ì„Uˆ$l8¦ñþ`ø6ꦼÉplü­<Êt½%<"ÿYJ½mxcûØ:
!;îÏ?ç„\+I^©Pþµ_¡¼œŠ(Š@óB|Ãï\EŒéÇí®°¶/V}ÚF<®<¹„bЕâÎNFTþíðDêNo(5á„Þ0FzLh$zo1ˆ®Š–wpry…ãÓüáÃÞåÈÃ#ŽåêlÇXô¼NŒX—«µ[š˜®+ Æ%uX~È{º‚@Ã7
-Ô/™žÓ‡1k:x6jÃ_“*{Òo›75-á»d<2·ÔÛ~b;Ù”ÞˆS÷Ó‹~11zF¼Û‡ªà&D©*ßQǯ¨þ‘OmHs`¾›¢ÏGàåäÂÎ>çFÂ6§ë†¹ ßJ`ÙûMY$•y™›KðDðž$N?´ }¯¡rÛ=üÄÁ¦±îå'cfà)ðÁýkjº{!Èv8Q¤*ˆT•5½$©‘u«5
 ¬eÝùËpª¥æ`#0[Wo^ñ¶¥ˆ‹¹ÙÅDkÏ#b™(°A÷DqìSÞM”Û[2XX´'£\{Ž®tÅ 6nx$'>ž£‚¼ˆ‰YîËv=˜ƒU^@õ€q8;Ù¹d€ø:D£cбñÕÂI´t—¡õP¡<ª@ø¶ßÓë
-E9þÿK”–šÞV§‘KqαU·ôA
-°¾ÂÉ—ù¼Üõàbí¨å®éï6994H)pé1ŽüèUéØp* ”L¢2绸‡4WO2Ï»“•TäCãÕaR¿™Q«³ÅÉÂM]lšº\Ø1-÷{{Ÿ£çͽ»‰Æ‰‡±IÔ§õœs¯{  w@ß5½Þ‡èdÃ×vx-(4bÞ?7½!r~ß”^*@
-«Ms„Oà²Y†Ð袸ÍH¡c(핋̓J\÷à/ÐY–öWLñÈVe¾T8ÅGw»J›Ð©±A§l†½˜tˆÜª½CÎØÁÜŸ3DšƒÌß3RŸ=¸/™ÇÁ'®@lÛßÊ>)úÌ4†[ê¡$מ¼€Œ»3çdê±Ç zè©9›êLjS§æ¨çÕné{87t0tò£¡‰?ÌWÅrUœaÕW-ýn<ž©N4†ÇUǵŸzx¦ÃÞž×m´p,¤ŒzÄ•R_<×s1êkóUbG~?¡NM†oä)¸Ùg=Ü&Q˜$2‚…lji€±&”†~÷?}z&OþXø¹wø[@†*ËÎü•SÿÖ«ây¡ú3sªŽXeaœÉ~Ö@ôBxLendstream
-endobj
-1598 0 obj <<
-/Type /Page
-/Contents 1599 0 R
-/Resources 1597 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
->> endobj
-1600 0 obj <<
-/D [1598 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1601 0 obj <<
-/D [1598 0 R /XYZ 85.0394 612.1852 null]
+/D [1595 0 R /XYZ 56.6929 639.4577 null]
 >> endobj
 1602 0 obj <<
-/D [1598 0 R /XYZ 85.0394 600.23 null]
->> endobj
-506 0 obj <<
-/D [1598 0 R /XYZ 85.0394 297.3236 null]
+/D [1595 0 R /XYZ 56.6929 553.1414 null]
 >> endobj
 1603 0 obj <<
-/D [1598 0 R /XYZ 85.0394 272.6213 null]
+/D [1595 0 R /XYZ 56.6929 541.1862 null]
 >> endobj
 1604 0 obj <<
-/D [1598 0 R /XYZ 85.0394 87.0771 null]
+/D [1595 0 R /XYZ 56.6929 361.0617 null]
 >> endobj
 1605 0 obj <<
-/D [1598 0 R /XYZ 85.0394 75.1219 null]
+/D [1595 0 R /XYZ 56.6929 349.1065 null]
 >> endobj
-1597 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
+1594 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1608 0 obj <<
-/Length 2864      
+/Length 2817      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZ_sÛ8ϧð£3ÓðøŸâ½eÛt7;Û´—fo:·ÝÅVbÍÚ–Ï’›æÛ@@²ìÈM¶MoÚÌT	à RV#	jä¼ðQÇQˆV8©Üh²8’£[ûùH1ÍIKtÒ§úéêè¯ME½ö£«›¯LÈ,S£«éc/Œ8rüŸ·gÇ'ÚÉñëóß ¥Œuzüò—ÓwWg—4à™ô§ó‹WÔéñòíÅëóŸ¿<=v|uþö‚º/Ï^Ÿ]ž]¼<;þóê×£³«Nåþ²”4¨ïþøSŽ¦°º_¤01s£;x‘BŨG‹#ëŒpÖ˜¶g~ôþè_ÃÞhš:“•„!NÆŠä?E¬ñRx¯Ý°X9:QJDç¾À‹æIàÅÍvÆ.«ÀA(K8	6‚êÌhUÏŒJF0r´£à”ÐLŒv<.Î^ýò&“ã7ŽO‚	z¬$ôH9þ÷ÙÅÙå©èÈöb½…ƒõeÛz9íí÷AÈ8´ŠÃi-E=,ÆDa$A„Brú¡ä0=IÏŠ‡zV<´Áûì1ÑAglÂc×#`Ãð›SÀ("F:Q€Jú02=™?°§E¦”ÌS”C!:!ÓB÷zÜ\|Œ"sÀüï€	ÖrŽþÞ8ѲŠTt8ˆJ_Þ»g|D”Ê<â>*a³w=£Ýæ0=öÏÂ6·}]Öú¶\§l!}B‘a7É>H¶M¶„3pµÚnqÖf (ñV…ê«YN§MŠÙFÛñåeM³üåKzEEþwJCu1iÊjI/w³r2#ÒIµ¬ËºaVÕ
3¢AåO®Ë†º–›Åu±¦öM5ŸWwÅ”¨®ï{“ÌxZ-ò’Yæ‹"åÕ~UЭË¡|:]«l\Ô5×G—ÜØÔ-	=ê&_NóD<¥žówxÜTëEÞP»©è	m’^=–FÓú°].›b½,š,·úƒóöô¿®>q³øœ/Vs~©gÕkS—Ÿ»¥½ Ö]ÙÌX½»joÝ­âE>a´J¢‘N,¢Ûô¾¦YÒô}¹(çùz~Ï’yò¢¼± º(þ¹¿e¡ö’¢Cö´
¿jƒÅÿS1Ù®	Êõ `ÜŠýNH¬]AXŒä°>ˆß^¾oί¸¤Ô1¸ñù•M°É¼S)àŸµC`€ÐОìo
ñ™³ã ç„Cm¤+ŒÉÎE¡2ªœ^þÒGB·@a¯¶Z†¤'í™ ù;YáùVÁ¦É¾"+8È JKûå¬à°ËB‡ÊúËѧ0½Vlã$Ze
~’ä€çýŽb™>óšÉ_Š^s§å
jqS2KB“yΡ¸«ÎÀÀ†”íë„R2t‡t
'r	îõª¬'›ºNù­/SeŠ­Å¤ZOëÝ!¾€7G«È‹O1z=žõd]^§ç
ùXóm£.ö×ÅúS±æ9uSÑ’h¬\R¢¤ã9ÓåÝܲஔv¡íSmRcRÐ(õNˆû´Nz(¸?›²úN²¥ûN}ht£’à±Ê×M9Ù@jà÷²@ØLðÁsg	iêuµA{Ùr¹-?<Ø¥#hc:¢ÖGé$—‰%+±©7ùr’‚PcÜøšXÃäŠùü.¿‡õÔ¢‚Ò§ª  ÌظF‚þºÄ½PcéQ¸P7ÖØÑÌÊå_Ô•ÀSºexyI¯¨'¾çí“'Þ¯’O@Ï*/×ÔI, ðÉ›£³–¼ó%H°ˆN@Q5fNT”¥’ùçŧ<íkQÐf¨Y%ß”:;÷ãw.1p¤JÆ€„€­™ÏñݤåÐÈ®©¡#•Mðœó³¹¯›bQ³
-TK‹rÉÓïfE;V6à‚—|[ÖF«þ¢Ë–Tå‚ì9?uæÝFK®”L­d^C¥^¢¨æ40-æà§ë{zKö‚gÆ™ãí3ì9H
-F¤V½“ò£”º•Œ‰’Zò]õ˜¨Õ’«uY­Ë†…'{Ñ耭;‡±kç”>I;èëñ²¾¿ÎšÆ›–J;¼OßþЕVOÍê”æõ[%Çï:Â)d§šÈ§ÕÐê(CP£s¦Öœøžºò뺚oš‚ÞE¾„5ÍG­uƒ¦-yìÅ5®–s&lAÄCk+4-©€ßšš)¿w¬zA±¸aùɬ@ÇÛkÈ_y³iÍ›ÍÙíft¶ÞÐbŸÀfÚ)Îò~phÝÉ,ÅÄÔ[ѳÝs»„iï¹ÖØغnÅÒn¤XÎ:7T»˜Ø«]L´BÚÐ^‹MÝT8PÞÀiÆ3߀˜œpŸÈ„t>Ûs麮&eÞÓGìýÀ‡}˜ëO¹[Óóþa‚fò	ü8rqúæl7%ŸañºI"†IY<ÈTþ½Nú9ñQQ„Ýcøh#Œ÷ê>ºÀÚe³ÕúöèôäþÀèHP·m?¼Û€
TZôuäáþê»å²t?Ÿ%ŸJW‡ê0D$ÜþØ©èºß†X	ë\ÖA´·‰ é}#}£¾ôçÂèéw‰ß#kà–Ë$d-¼K´óŸp—ˆ–õP,Åޯ>í¨¤zC%Ö½¡Öª- ?ð쎆ôJI{ÿÑ)¡$ä9¸*ÕdDÙVª\òìsBßã©aŠß63µE2–¨©:ÁU,yÝa+Õ|TኾàRJïV$%ß0.‹’#;ßiªöÛU½™LŠt„NwŸ[\<›o0*öaÛÐ!Ô´PüCö+BÇÅ\úœÄ¶:p¹êÞÞÚt¹êÜönÕðÝêû¢ièPÌ®®~;t‹ê„2Áö?ŽùqS.Š“¦:™Ó!z¢ÐVrž/†|ªö‹ù”^èH@59¼n?Óùô™î–÷\N®ødRp™¨ˆÁfY6u_²Ç¡p4§qm=߉ôxd^äë’>—º\8/¦Š´wc;ç;„t
KÓ|¡5É'tÀÆs€Í&èT©Ñ^;3§YuGy•à
Rèš’ø²¨ë¢'hÚöÝTÛ3'ñæyVmæÍ¡Ÿ¡;àoÇ~4&G¦§þDmû3=¨PM–éápÕ…5V
--|PÂ#Úx= úÿæoendstream
+xÚíZÝS#¹ç¯ð[ÆUgEßÒTž8ö¸ 6›lrwƒ=à©5Ç3À’¿>Ýj=öa[@Šª¤¨B­I–úã§VK¢ÇáOô¼a\¥ºçRÍ¦7¾=à½øöñ@Ä6ƒ¦Ñ Ýêû˃?Ÿ(×KYj¥í]^·ÆòŒ{/z—“_“£/.‡ý4<±¬?0–'ߟž} NJÅÑùÙÉéÇOÃþÓÉåéù±‡Ç'ÇÃã³£ãþ@(m$ âÿ²"†…âÐ4A¤òB€C6³aÓê™q@n´Ö÷Z€vÌKþ-C6=vªA§
+­®3³Q’i¯EÔÂ1Hª¾‰ÉuX(Wa3Uë’J8ßÑ62{l:LŠ1b»iV5Æ®ñPT¶/Þ˜£Šµl6
»N9ã|YgÄ“«V"	¸vGvÌ8JY‘-ªz{¼'ö¤—s\„±®#ÑZÔhm@
‡TÖ‹pLÂ0–¤BüÖ‘–Ájih*ä›Ó ­P†ˆ£Ûgl†€üz··LãeÖ¶6`8%[o¿eȦÇnæ)à¯éŠdÁ\™µJ¯,XJÕÿ¼	‹÷aÂrmÂZ®Lli¥* 'Å5Ž}/+b\S¶î–jg°a2I—Ë£R'–q‚÷0Áj;C¸“Ïïnó%ô9cz	y˜D°!y¹Z=pÇåíâŽÒQÙ,˜‰ÃX}‘Ï+ÜŸž}ôrUS	SΉÕl_H“^¤h¾òd<+HÆ™ÅaP\Œ´œ_Syjµ+(0ÂìÙÌÚNö2Ç}Ó˜BÁ|µ2]9yÍ9K“k,¸è§29þñ…µ
&؈	vlÄ,sLþ*舭ˆY+Eý0-ÆÓÝg­hî¨8Öó®\,Tîáð“]ÍbçÓOÏ„ýýºnñµ“2çLú
CR¿G×Ò0k îÞ¯kåãÖR¶ÿìóeÈ`¨¨aí)%¡}£aâ¡H±Ü„|jÝÀbhGèT€|$ò‘ú?ä?òeªÈ×ZFÝ 3XnªÚI]ஓºPÙJê'¤ ¤05óÄO¯\ú™^ƒiÙ=^Ó2Ç—™øÛ"$ÌA`×å5Â18Ó©„$±*Å3­Òz•
+4èv°†¹È–5Qxš|¢ÉL!MVTµb¢?U/º‡Ù{$k/þßcJ€,¯Ò_0å9er.0Oºu)½Kn³Å¼,Ö®òú!ÏçT!±á¥$‚.€øÌ`“Œ¼Íû³šéôa÷Ü‘µýŽ/-AÄ,•¾kÓ‘6eÚq:l/‚ndr:`¼w•Òɤ)Ñ–a«‡J”õíñÀ¤ì…k¼N¶²ÎQêûíqœõeçsÀnÿ…f[ïÙ‘gÒ¥-m˜¡üÝp8:ý» ]rTÎkŠÀ´íP{™TÅÍ<«ïšmY“¬Îð*™o¦“ðÅr×‚Ùý‡ñöZÞñ²Àç=FvÆ¥Ìê”ÀkØW.¹D'ñ`å]ê)áØÝÍ4ÞÔbpbe›\ž
‘Š!…!–!$
+­2J
b£¼ˆ]!Ûí+“‚;ÆHJaP7ɉŠ†hº•Ü
Ÿ¶ÞøÆ1מçÝú•ÁV<öwlýµ®(ÞÂ6Œg°¡t¹£ÀeyMšîh|š¶ÜÑáá6FëHoù"²_DšÂI“âU8¹{/kBL%¶ß
(A!&~‰p¬ÒˆÍgJ‰˜0€ñ¡¶	ž°xgý_z5ÐVÇ;~5 aë2
Lá	PFç‡xÌØغIub½VuˆQÃ>|MeFMèh´ñau%&„×`nóÊÀÆcù‚wv­¥¾ãHδµ]1–qî)]œ «¶kîÌ­¡BåóI8}QΊñ#Ñ'K8%D˜åô¸`E!#x
Ùn¹ß÷yô˜|}u¼Ž¡ž“+‡ŸØ£º–PÞqDä-3¦óJSpÉxJ/pFþ1Éßðhõf«,®Êp˜ÙZå¾Ìqw
äj‡lò`Å894D¸´V»µ÷÷ŸF	QççånEµ$ðžGJL×Ðy1oôÃ	^=c˜¹}Ïê \O²Gª‡œ!06\ø%¼×«¦ô9#ÞºUì5
ªÆO_òÇ?UÄE”ï9€ÜäËÅò×Ü;ýMîKR¶ô2™c.ØI‹jtL
+™>õœ÷:Ÿ<÷Ùúúé¾vp~÷;n^·ÌK&cé­¥O·Åa”gÆËU«ÖÔÿ$g0endstream
 endobj
 1607 0 obj <<
 /Type /Page
 /Contents 1608 0 R
 /Resources 1606 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1574 0 R
+/Parent 1579 0 R
 >> endobj
 1609 0 obj <<
-/D [1607 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1610 0 obj <<
-/D [1607 0 R /XYZ 56.6929 591.8614 null]
->> endobj
-1611 0 obj <<
-/D [1607 0 R /XYZ 56.6929 579.9063 null]
->> endobj
-510 0 obj <<
-/D [1607 0 R /XYZ 56.6929 492.1929 null]
->> endobj
-1612 0 obj <<
-/D [1607 0 R /XYZ 56.6929 467.8533 null]
->> endobj
-1613 0 obj <<
-/D [1607 0 R /XYZ 56.6929 267.9987 null]
->> endobj
-1614 0 obj <<
-/D [1607 0 R /XYZ 56.6929 256.0435 null]
->> endobj
-514 0 obj <<
-/D [1607 0 R /XYZ 56.6929 119.6628 null]
->> endobj
-1615 0 obj <<
-/D [1607 0 R /XYZ 56.6929 92.1624 null]
+/D [1607 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1606 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1612 0 obj <<
+/Length 3339      
+/Filter /FlateDecode
+>>
+stream
+xÚÕZ_sÛ6÷§Ð[é™G$HÜ=¥‰Ó¸Òž£^3×ö’h‰
EªiÇýô·‹]P”LÅíÅëMfB`,»‹ÝßBŽf!ü‹f‰ÚH3KM,’0JfËíY8[ÃØgϹð“.Ƴ>ŸŸýí•JgF-õl~3╉0Ë¢Ù|õc …çÀ!þýí›Ëó™„Á««¯¡©8‘Á‹×Ï¿›_^Ӏ機_½yICŸß¾yuõÅ÷×ÏÏÓ8˜_}û†È×—¯.¯/ß¼¸<ÿyþåÙå|y|¬(T(ï¯g?þÎVpº/ÏB¡L–Ìî ŠÈ9۞ʼnI¬”§TgoÏþ90º¥SjŠÃHD2Q³•‰8I²ÓÛÒ!lËÍ(&IŽw½ˆB#"øTG
+ã$T/ÕHõQ”ˆ8Kgib„V0„ªŸ¿›£:UÌÏŠi­=² X6 s…ÁËÂ.ÛrQ¬hRY³Š_½ ¨1ÇzDÜx/Þ§YÅ™Pà>³©„ù¨ñ°ô+NkQI©$~D‹q*tš’ÿðÕ[ТLUpUß4í6ïʦFJ䋦ï¨y·)—lêந*"¾¯›;žZÝ]Ó¾§¶hoËeaŸ¡:a7ÒÃ…Wîj{d‡zÏ-}ß~3ÿî<’&xFýn“³=sú¬šmî­fûÝ®i;oÛץ횶\æÕG,8Rͧ©ûØ‚ñ“Z0Ì„”É#6©Ö™Så;™€Ú³$
®‹ù¾-êŽí¨247ô}'p*¶sa'_­x™-P£ih‚Ë»¢-·È‡t:mÆG/U”©˜dÖ§²È>|=qM¦Gñð¿[剴
+Œž‘Š0=Œ£â©L!Œf
+Tª³P¤q6mtëµ–"‹Ž}›‚4|ÓTUsWÖkÔ2$,3Z©!9˜,†ÝpɲÊÑÀ4ï`i„T`š‡Þ²£¶é]cYLW¾¡D¥Î²o©[wÕ=‘nóª…ÐÄu<Í»n1þao—·gî—ó®×ׂ¯æ\|ÈaÛ‚÷Üæõý”+’Üx)¢+e‰Û·­óÊEiDá¨ÕÑM(hž‹´@ÝävC² _v=c¢¯ßðÒÑλ|邺QìÃ@\n¨€™××ÌN
,o¨S7+‡Àã(v98Š$ÀJÈ)VÆð¯tª´DÚ2èx0á§0”çQðÁ…èoŠ|årLú)LÂî~çdŽEnÏç_ÃhDó¸Äå%o¶ljY
ðõI/0!ÇB‘$ô¼H(!MÁØ’/ªÉ£’kà¥Gá®_Òãþ÷œå9(ñt=B—uQxêqí06
p)#™¯nÄ ^*Œ’éèÊ€4Û"'c¨4!/NÙ'Ú#
+ÊWT+긣9Ï.·<½*·eGDŠá»iîx¬¡](³ MýeÎsÌæ}±c.e}°Ó2_n
+p1
øi¾ñbЮ6X5…›o:†pw;¼BHsÉI}·Pƒ5çmAC˜¨E0èø8·ZÇcÌ<¯,³BM¬ˆ	¼&#‚E8ºð“v½
oØ”6CìŒN^vôȉÃ;Ñ°ð¿œ{ÙÍ°©ð[[®k'P$&ÞóÈWêà@$táÊp€À¥QëÃ%çß=åõ$P躬«ºšîÊ›òø¢PÀ³ |¼Y„R[j9—ÀÆ¢ /ƒÉŒÌ†_x[þVøKÔŸÃ.Æ-º¨ðùÄm†m¨Á{S.á>àñ1bKA!Ø•Ït7¾¾–™EëI½d¤bûõº°MèöS«°<]ÈòäMÓWŒ||Ùeý;Ñ"_¾çiëJ¹Ñؾn¹Í«þÁ3Ça§Íâs6z"Ñ!_)lQuç3"’
+‘, lêšsÎséZSÀBÂ2oÛ’ªHƵš*q¬Ù.ðâ2—hà‚Ôöž·éP±~aÍœ†7NX…`Š)ã'Q7}â9†cã¯ýè=¦,á!ùORÆ»†7¶­Ó¸óèþôKŽàÚp\H‚ðJAe5úÁ$òê­0ÍGQ„O÷½+ˆ±ý°kk‡ZÕ§m4ÁØK¨†0Q%îìdäHСöèmÔÞPjÂ	ƒaŒô°ÐHõÞb`-ßïàä2r?
+ǧùãw¼Ë¡‡=&:”«·=ÃÑÓB:1&Ȧ\oÜRm¸®WÔaù!7ÞÑ>9P¨ ~Éôœ>[ÓÑ«Pþz˜TáÜåPé^Õ´„ï’ñàÜR•p[®Ž7¥ÇáÔýâ?›:FÏ‚ww_Ü„(Uå-u\ð
+‡àúÔ†46à»Í!Šñ|^N.ìÜåÜ(@ØæþxÝ8[E˜Gîü¦,„J„¼ÌÍ%
ø‚"~×Ú釔“Ï5To»wŸ$Ø6Ö=üdìÁ‘y
+|pÿššî^Dd;(RDªÊš’T€Èúõ†PÖ²î}H‚e8ÕRs´˜­«·¨xÛÞRÄÅÜ?êb¢µ‹¸
+,GÐ]+Ž}Ê»‰r;cKk‹öh”ËÏÉ•®ÄÆäÄÇsT11Ë»²ÛŒ¦Á`•×ïQ=`ÎN'v.™ ¾ÑèÔsGã«…£ hé.Bë¾ByPðm¿¥çŠr‚Ÿ£´Ôô¶:Žì\sŽ­ú•êT€
N¾Ê%à®{k'-÷jŸ^ñn““Cƒ”—ã˜Áßþˆ^•§JyÆ$*#q¾‹{Hsõ$ó¼9ZIu>4^ì'
‘µz[-ÜÖŶ©Ë¥¬\
+¼÷õ£Í­»ÚGcía¬‡´žsîuoähã›fÐû=lØâÚÏG1ï›Þ9¿mJ/ …u¦9À'pÙ,ChtQÜfÂé*öÊÅæ^%®»÷è¬Jû¦xd«2_*Ï⣻‚]¥ûMèÔØ S6Ã^B:DnÕCÎØÁ«0æàó𷌽ÔSáßcH2‚\*Øn¸”}¶R™i
+·8ÔCI®;z+Û'‡¼xê1¨zÆœM㇈3#Θ£žW7.¸¦ïþÜÐÁÐÉ|Œ†&þ_«uq‚ÕPµì~ðƒñ„=†p2hu"Ž´*çªàŽ×m´p,¤ŒzÀ•R_2×#s1êkóõb'~:x©”šERŠ$Ž£ßõv«C¡µLþàÛíäª?ç§C>°E’žv³	HBŸXDi’Їo¯ÄåËïñÑGeaðÍ»ó‹T¥ðPƒÿëòÍåõs1L;~^×
+NA£noó?(‚âÀÿ™Lh¥²iýHŠÌh8J(t¨hx¨çïuœÔÆh£¿®62-tšéG¼Å |ÙÁýþb J
*HfÂHžTËhÇ¿®ZÒX¤‚q’4Š2íp~ØŽŸœ>þˆó“?zÊãk)R©G¼BC¥žÄôûæÁd7ö	t"Ó“:m÷i'ˆC-Ò0ŽÝÏaJ%jêÏÃÙ£ó{ÿ(rÿ‡¡1ì—erúµáw7•ä…
+3áƒ?ÙDE)=̉þ{lEendstream
+endobj
+1611 0 obj <<
+/Type /Page
+/Contents 1612 0 R
+/Resources 1610 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1579 0 R
+>> endobj
+1613 0 obj <<
+/D [1611 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1614 0 obj <<
+/D [1611 0 R /XYZ 56.6929 660.0058 null]
+>> endobj
+1615 0 obj <<
+/D [1611 0 R /XYZ 56.6929 648.0507 null]
+>> endobj
+506 0 obj <<
+/D [1611 0 R /XYZ 56.6929 345.1443 null]
+>> endobj
+1616 0 obj <<
+/D [1611 0 R /XYZ 56.6929 320.442 null]
+>> endobj
+1617 0 obj <<
+/D [1611 0 R /XYZ 56.6929 134.8978 null]
+>> endobj
+1618 0 obj <<
+/D [1611 0 R /XYZ 56.6929 122.9426 null]
+>> endobj
+1610 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1621 0 obj <<
+/Length 2988      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛ6òÝ¿BòL…Ã’÷æ&NÏÆé9îLæš>ÐmqJ‘:’Šãûõ·‹]”L9NâÎ4ž	@`ö{R3	j–X!MÍâ4V*;[nNäìæ~:Q³@‹1Ô×'ÿxcâY*R§Ýìúv´W"d’¨Ùõê÷ù«ýz}~uºÐVÎ8]X'ç?^\¾¦‘”šWï.ß\üôÛÕÙiͯ/Þ]ÒðÕù›ó«óËWç§e"«aÃ[üçÝå9½¹øåüôëŸOίû#¯¥¤Áóþ÷ä÷?äl·ûùD
+“&vvR¨4Õ³ÍId°‘1a¤¡a½Üè°sáRÐ*áÒ#fN#Œµsì]bœ§ã‡â—WïÅÛ‹kqþú7ð Èv~>ÄI‰Zæ¬#(þEÑcèÀv‚
¡þ^˜’	ü+è£
Xl•ñV#Ç€@`õ@#"öÁcR¨ù@)¿!Ód„î…ˆò5~áå¥VÅ©H¾Á/X¤ˆ‹’§ý‚ð²:XÒ¢}Úþô&fdÔòÁR"W5 ÖB`°œ}‚ß?˜.qŠÁ8f¿Øꮊ[<ÅmN‡©Ø-ËŒ-ì®zÃö0mE¢0ä±B)I†
£4
!›éz]´Ë]Ûz7ƈ¾Ò×|Y7«vâè`_t$ÒH‘Ÿ¡#tz¾ÊÛeSÜxçYy¸—I³‹ãmÞ|Ê^Óv5݈把Üy]˜Ï.ë×9y¿cÌžzç;ËœfitI»¯ZÅô¯&·>ámÙ÷!Ïòl€f›5]±Üoàï"G„Øõäƒvï
+~éM½Cvv¹+>å<Ùû#è£?¢ÞGi%Ç~K>Ä®Ýe%8%–ÆØù
m
‹kîdå}ö÷Ý»’öWB"*ˆ}ê¶
+¬L”Æ$Áx[ *´»€U†]hƒèÖEõ'
yâ)6¼º¢O<'~g¡å…[/0²ÍŠ†iˆ|².Cæè$€÷²³DìEÀAÞ‰¢Â2qUb™ʼªD"Úmj‘…˜oEƒ½øñ7Ç8S{f@,@ÜÌJü6þ:4³Ïjðq´ë¼Üò6m—oZ>BáÒ¦¨xùý:ë€"xÅÉY0VãKMFX>Ì8~ÌzEó¢ä		=Ï^C±ž‡¨KšXå%Èió@_ž_ÐæÀœ3=kXr˜H½v‹@D³±,òGþ¿7ƒ#UuƒªB—ø†šƒ#¿¥A/4,|ðé‘B{S{/éâ°O8˜K_±U}‡Z/‚€9éèQ¨ñQÈFãwÞMo°|ã72í„j²¥€¨…Û⮪щ@æ/*pÛ™7âR«‘C”ʉMö$†Èꤼ>•ƒéÅþvä&ý)*^åÃê{¤‚cÛË/ª‰«Þ<„"H>’ ÁÕÙ nœ=ªg¤†AÚ:3˜i&C=§V«Sac]b8½êQ9C}®î‘£‰‰Ì‘r†4"’ÊÌŒ²²p*'2¡Ä²Þ ‰1¹a-Ãh	Â
+YÕü(yºˆ%›,±·ì€ÆV;8oÍÆçù¾+"1Ulô9zªérô8UGjslÈ9
’ÏY2:L¢”‹°ÐaòOý<úŒ1ÿé“€µ…ÈçôÑ©VI{„>zLQÌn+êæî	êŒð¾,u^RçtlIòÓ1Xk©¸ðXƒ +Öê/T¾Š¨ŽÓh„ýo,ABeÜ—häbIŽîit F@ë'ˆ¤i„þ¥ˆôü²â_á=@¡D"#ûµeEmœ°Æ¹§ËŠA=J¿)<Ðz”j­B°ã>X€¶O铼÷!¯­Jº(DªŠ0µ‚%V†¨•ÃŸÃ]S ‚MG›ê/ìŠ2—èDóŒW}¨‚רø†}æŒa뜷pø…y°HœRû±IÁåÆ*/87Ù{µ©ÃKV»[.sŸOû:è@X+ÐÍ8 •Ñm°¡SdÓBÙ(Й™e9²óK̬#…V§°’kB¥Õõ•VÕÖ÷y×QŠ»]_ÿòŒš*¿•¹yWlòEW/JJé`„h‡ Îq™ÈùØ?/WôA	Eèð9¼Ú9ÿjwGwYn9OÉ9¢ôP´Á®*ºvŒÙá»($êô.¢û¥Ãz“5½žÅTj:œŽê·%W|Q–ÒÒ`è-!MÌ©{uÕ¢ˆ&U©ŠÐ¼Óº¾§NY{8C9-i_Fu“­ÂØm=d@fîIˆuèu½+{˜©ÜxU´K~xõY…Qrx¥·à^$Þ(±ÀØîë]e±?
VÿwMxO•T×£·Ù½„ÿÕUN©ËüQ,¡ˆŸ#Ð÷XXmž÷z™Bj có•ï@“«Fá~†L˯qB´"~ô:.µ°) ÔG¬¹Ò
+3cgd‚)àGàwà5#°$oѼÌ|‘"³‘®&u4ÒÐRÍÅèÂU~—quÆ’¨±xž§ÌA±çP QÜœ%YÛS)rkûzt‡Zèf°n¶×'èVõ¬ìz1<Ž[oæ/?¼~÷öìâ2Ô"ì¨N‡¯aJ}K§Ý¨=Ô»§É°É>›C£©^ØØ9ä’cr
C
(dÓ³¦ŽÃ8G&B;§g#qø>	‹ 9ÖÚ%Þ|k—º© ÉÙÅçþÜiøÉÈ$‰ž–è>ŽŸ„{!ÕÓDZ1$$6Ñ=Ôèèÿ‹˜>¸endstream
+endobj
+1620 0 obj <<
+/Type /Page
+/Contents 1621 0 R
+/Resources 1619 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1631 0 R
+>> endobj
+1622 0 obj <<
+/D [1620 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1623 0 obj <<
+/D [1620 0 R /XYZ 85.0394 660.0058 null]
+>> endobj
+1624 0 obj <<
+/D [1620 0 R /XYZ 85.0394 648.0507 null]
+>> endobj
+510 0 obj <<
+/D [1620 0 R /XYZ 85.0394 560.3373 null]
+>> endobj
+1625 0 obj <<
+/D [1620 0 R /XYZ 85.0394 535.9977 null]
+>> endobj
+1626 0 obj <<
+/D [1620 0 R /XYZ 85.0394 336.1431 null]
+>> endobj
+1627 0 obj <<
+/D [1620 0 R /XYZ 85.0394 324.188 null]
+>> endobj
+514 0 obj <<
+/D [1620 0 R /XYZ 85.0394 188.6539 null]
+>> endobj
+1628 0 obj <<
+/D [1620 0 R /XYZ 85.0394 161.3494 null]
+>> endobj
+1629 0 obj <<
+/D [1620 0 R /XYZ 85.0394 119.8769 null]
+>> endobj
+1630 0 obj <<
+/D [1620 0 R /XYZ 85.0394 107.9217 null]
+>> endobj
+1619 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1618 0 obj <<
-/Length 2779      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝoÛ8Ï_á‡}P€Šå‡¨Åá°Ù6éyÑMz©{Ø^‹‰È’kÉMsýÍpHYrä¤{-°‡=‡Ã烌˜qø'f©f\eÑ,É"¦¹Ð³åú„Ïî ï͉p<¡g
-‡\?/N^^¨d–±,–ñlq;•2ž¦b¶(>¯þqönq~}J̓˜†:æÁÏóË×DÉèóêêòbþæ·ë³Ó$
-ó«K"_Ÿ_œ_Ÿ_¾:?
…Š´ʉøãêòœ˜.æoÏO?.~99_ô*—%¸B}?|øÈg¬î—ÎT–êÙ=üàLd™œ­O"­˜Ž”ò”êäýÉ?{ƒ^;tÊLZ¥L§2™°“TSvÒ‹t¡Š²]æÛS‘…)`Jð`±2´ÄÛ¦ªšû²¾£ŸÝÊ2×Û=lLKÍæ–¾‹Å[jHǸÜmégÝUDÚµ¦ VY»ôùOS»Qÿæ\V†šXˆˆe:eD‹b°ØWYeŠ%<90òÿ6Ê+Âga”°Tòä¸4Žƒ,×ô#Æ¢Â~QaœÅ,ŽÒ#[(¤`J)=KTã±ÝÃ÷Wg§! Eø‹‚*o;l)kFSôƒŒÁN"Ø¡H)["t^Bmîò®üìø–ùråp p—1-V~ܲ©;»ÉMÕRߪ¹Ç½›Å–¦í"±!­ÊUCÂtÐÀŒ[j¶fûÙlíð8¸/«ŠÈ8·¡fÝ„ín¹
-‹fÓZ4,Pó˽¾úõl~	mAT\»iê@Šzp¯9ˆ[ÒvM`{hvlÌEzöGa)×;ÇÝ•ëþ„l©14š‹;Óò@ÑgÕ춭‡¸æj…J?‚¹æ)“q,gC@|ÈÎ
-ä,”ŠeOº§G"ýˆã¸M$KT*ŸÁmœÂ²’,³ÆýÁº‹H¦Šì¬dêhJ&à™h—dVìÌ;úvÄ]³!
-: KðrÈ`‹üu£Áony§‘08„¤ÞÁ¤­›õ8Œs›ïªîÀùõ 0gçð®](º/;@7òyíÆ,KTsy ¨5ÝÀXüÛvñÑwF”“ô9`ÄS€ukVo,0ž”$QÁ9œ(hJMÝBMUn´rúýðwK_rj=ø©‚Ú{Ç?Êú€óúú6À­J?³sI8÷ÞÛ:@»ïìøÞÙñ¡³ãn-ÎqøðêåS  ëfßûT㯫",M$°ïŒ'ãœçQî£xëÏ ÷‰IšgOç>1W,.G<ÃíT™ ï‘I4ykˆDÐCbaNEàŽ¹ejˆcW—c¡ñÂÁ«}N
}Q³»[0Úkuã¦2_6U¹,mn„ôÞ˜ÂJŠÉ¡`—ù’¯7•yxxy‰Á
-—X)¾&¶‘!dÆÒðÂ-s˜V¹±·`xÇ*Í„pI¦ÀäÃœó`^#t<Í7›}¬s8ž¿ûMÌJJp‘ˆèœ'GeAsª*Í|ìnª]W65õ¢çîV6GI6†óºÍë¶ÊôìÃ:Žš¿#j^NhKv¡'uN?£HmÙ!zƒjQoˆº60‘hÃéŒÚUªìøV”uh燃åÛM>aÈòE¦¥ÛŸÝ¨4	rtW*ƒw‹kj¸¨H1¬h!K$ÎÁ!•6bÁ »Ðf	*ØîÑ<}H„Žu^˜±¤Ê@BvM¸n ±D—zGYU[ÞÕÊòƒ\
-‡ÃUvvtªyš,/ˆ£2·–WÙmAʶ¼[×#žø¨ôõ9*ŠÞlš¶ì‘÷ÙN/Ëq«à> 
-¢¿T'z_·@ÿ®Ýå•­Xpô¶ì©±35³YhºC\*N‘!có@—Qè'²õöžòžÒá;¸H&™ršWÐáb^ÖÏxا¼GDô£—õýDKR0§€ú‚ÇQÉ>íO½$íÊiT§Ps"Xðâo´w¶±4Ô=†4qÞ¯šÖuy—qP̤.¯N| *CõhêÏçaî?Ø‹O¦âˆ(t%v×…DUÁœ¹©ÜZ4N"Ë[ú’Vа“Añó­rǹîÓPâ'T€ž׃ÐRqpaSÊa°ŠÁñœB¤Ï>8n¶lÖ‰DgþÇ£UuUµqúVÕ~)_ŸÒøG“ÐHI¦c÷ÉÁ(töIh„Uu”’¸ºž¿™_ž†Z(ŒDïÇ'“²ál߶‚}Ræáû="9‹y¬Ÿ3
-Dl‘):9à‰ÒÌv‰ÁÏÙ³€Û¦a´ÏX‡³~/ãüßd¬ ŠŸÎX%Ø5É ÿ¸v¼¶ûšKB!Y–éèè™IKãôÏÀÃ80jç*SÐÓ]nù|z$fœ%˜G+
áIÈŽËAj£c€âˆ3­däR›+@$×ð¿Ýž‚ÌH€j
-±"#kÇÙ§™`<Ê2ELƒ¶]ëÞ–ðr¾–³×
¬h6X”%ÛE ‡ÇŠ#°ÁÝ
éÂçxñ(M´ðËò¾‚ø†2Á¦Rh⫠긲¬÷)¤m˜S8Wt‚K¾u]·ØE56ÛæTèàsIQIXŽÒðnÞnÓ7,Y¹Ž¦¶5ˆ€t[Ê„Z(òKG/úÖMçf	Y¤M!èTúáP¤)ˆ¡v¡Âë‚Ëò*jïÚüÎàr0ÎEtõ¼Ÿ½böâx"æA]A/I)ïƒo	iÐ2ï<ÕÖÔr¤M܈–¾[ƒÅçS¨/döc«²íì
6´·ø»²~äö¢,a±äÓ·Pô:‹³?ãöžöãC¯¤Üâ*CÏ'£¯Þu_jW^íï7þè/ò/Êʵ^—[ºÎkŸ¯
éæ5M¡¾So©íDA
-	ÑÚî(PïmF•â–—]éSv,0_¬í>Ù^z}ñŠ‚+M-[eaƒ’3`jw7­ù´óOÐucLM-ór~z.Áô÷jõTÖ/ad~	öŽ§5Õíø¾xYåmëËêÂlpÎÚßÒå8ŸÈA¿©LO¿ÞµNØ¿âôz·¹¿ç¶ºìoÈ–´‹œþzxyÛkµ¬v…鯎WÔ“XLyÓFЛJ¡ß‹	Q€ T(/h~ùêío¯Ï§*n8D‰ÜK"{ÕÅ„H@¥‚ZØË´¯Ö…Êb[Æ1‘LB­º?L¸Ñ? ü´¿òÏ»ëd{ïðì9ø}ea§¤3SîGùU~c*êÃ	l± äàvƒzlñ„kUþ¦Èy»1[:ÊVCDí d±jîÅþäeÉ }Xß4nFÚé+í¢ívƒ÷?Ñl{gyXšu‡ìòmwŸ‡…/üa¤þ–FŒ@§c&¹ô ûÛÄZÂ’¨ßx;Ù{—‰bQ–Bf$O_÷àž8…¤uÚ÷ÃÄÇɹLÀ§‰èçEmùûxþ¾—Vñ÷	ÄAŠ&Ñ­î4=üú'Ú÷†Ñmó²ê¯úŠ¦ë_®NÞ‘ÃÉÀ"ƒNF<8òðdô…Ö(D<2Þ?Ô]þåljù•Æv29Ó#w’0]»…{3Ž&!sŒ"–Ò ù‰÷(P­ï>ª…HyAý	¬ßý'üùìÙ
-ùkÿ¼`ùÑé±ç»þ–Ý)…ŠgâQ‰çÿá±êÿØÒµendstream
-endobj
-1617 0 obj <<
-/Type /Page
-/Contents 1618 0 R
-/Resources 1616 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1628 0 R
->> endobj
-1619 0 obj <<
-/D [1617 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1620 0 obj <<
-/D [1617 0 R /XYZ 85.0394 756.8229 null]
->> endobj
-1621 0 obj <<
-/D [1617 0 R /XYZ 85.0394 744.8677 null]
->> endobj
-518 0 obj <<
-/D [1617 0 R /XYZ 85.0394 576.1531 null]
->> endobj
-1622 0 obj <<
-/D [1617 0 R /XYZ 85.0394 546.1637 null]
->> endobj
-1623 0 obj <<
-/D [1617 0 R /XYZ 85.0394 456.8705 null]
->> endobj
-1624 0 obj <<
-/D [1617 0 R /XYZ 85.0394 444.9153 null]
->> endobj
-522 0 obj <<
-/D [1617 0 R /XYZ 85.0394 262.033 null]
->> endobj
-1625 0 obj <<
-/D [1617 0 R /XYZ 85.0394 239.2457 null]
->> endobj
-526 0 obj <<
-/D [1617 0 R /XYZ 85.0394 175.7981 null]
->> endobj
-1626 0 obj <<
-/D [1617 0 R /XYZ 85.0394 149.7409 null]
->> endobj
-530 0 obj <<
-/D [1617 0 R /XYZ 85.0394 105.3857 null]
->> endobj
-1627 0 obj <<
-/D [1617 0 R /XYZ 85.0394 82.1181 null]
->> endobj
-1616 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F62 1095 0 R /F63 1098 0 R /F11 1441 0 R /F53 1062 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1631 0 obj <<
-/Length 2336      
-/Filter /FlateDecode
->>
-stream
-xÚµYÝoÛ8Ï_¡‡<(ÀŠå—¾‡Ãe§—Eêô\ïöpÝ>(6­Ä’›fÿú›á¶d«i‚¢(PÉápf83ü
#ÿD',Ée¤¹f1q0[ñàæÞ	Çy¦¨ËõÛôèÍ…Jƒœå‰L‚é¢#+c<ËD0
-¦Ø	Hàáÿ®Ç£“HÆ<¼¸¼J(Ëðìߧ泥	M$Žõ·Ëñ9äô9»_\¾ýcrz’êpzy=¦áÉèb4ÏF'Ÿ§¿¦[•»f	®P߇£OŸy0ë~?âLåY<ÂÎDžË`y¤cÅb­”©Ž>ýg+°3k—ºIp&U"ü$ÅŸâœ%J*ë§ãëÉåÛË1ìªÃ®S¦¤NaäkLÛ ñ"lïózY”+¤e¸*–ÆO-QeUucˆ«¸¿7«¹™;Κ¾ÅꉈÍêaSTå_œKâ‘áúDd¡™Õö;oàœ”PáÇ;ãö-håßõÊm_:-QȺiÑ® ò¦DB°<Ž¥µˆDv£8$Cb´Ž&ÜpCßÂN'a¹¼¯ÊYÙ:uÝ+DÊ2­•sXϱBì9üïøþAºË‘²Tg™c°¶íÅ™Œ!¾âT)KÒT¼$Ò$Ë3”:gÑVbÔiƒ¨§šŒS&t"v;£Žöø-•Šå˜dÈ?œÖ³”
DaÌRUbø‹Ç|QWUýhܱÝ<¹c[eU®né×¼nU`´È$œÞ¹ÃœmÖt¶«ÁóK9ËÒT_O¥HóŒ¥Rdýx¢Pá½ ç.ȹÏÞÉ6÷fÖ	wú	äÐ0ËÁ‰ú®†aBzK
-kôíf‰vÓ6÷õ¿ê«Ú
7M]mZÂ3’*e\CtEŠ3.yÒÓ&J8Í×Å°Y½´"@“ž¯>~ügÃól|ú‹rô»ÓËqôa4ùêò¡Q¼¿Ÿ×ÙÑè]áö»_—€®–Ô›D°4®7r¿Þhíãª^ÍLO,D”HX ¤QÝ@º+œ3oŒqW¢‡kì[˜[ã±å´/ÝÀPç1† çŠI™<#‹ÖqåHZ‘ïãªm£Ò`_¶ƒæ*ØZ¿ÉT*ÀûÈ¥cë‘nÌÅ	T(NÎbÀ²Î¹×p]‰p
-ÿËð ™<…©a…[–Íd¤£-Ñ=2ÍÂź^eƒ		¦_ˆ,Ê2E»Y›ØÓMÚJ_´ã è$g2˳ “ª?–üXfâÆ£]ûþc¥©[OR»ü;½¾Ò¨YÚ¦úšN§W?–¢ðCà'áйGts³(6Uµm5°s’1©µx)*}%Œ„…p«Aê®hªR,¾È=dÂéH?¦'ø4°4þW.Úè+ôž¥°Wã±¥…
> šÍM]Ýë9ßã A‹—,µf«ãÊB)Üoz…!üOܺ¨ÊÎRÂõ|NÌUoÌ@f­‹Õ­‹I¡¡#‡+(u-*(¶Â‡—ÁΧë³ÝQËoµI]“:}/%4ˆšv{v.ÊÈË‹0ÐbwSbh'.°wxïŠÆV}ûöWzl1úÚšUÕäW|Lê Âã·£ñhrŠ.þÄF­·Ëa0'Þ¹ò|çlª»flI–qùÒäÎ0•DÉìµýZU4CÉœAG”wÓl¿!•3¯sûtï\¨á¼!ÿJúï´T9À°¼×¬_Ÿ$Kãí£Œ
pÛ.€(‹ªe΂m
ôi̺4n‘MTøgSo,añ38¬(\¼ªžˆšCÿ	,ûð{AíؒĘbvçVÊ@òÆ-µïœð-!q
-¸øñÝ{(÷#ouL|×Uš‰Dø#˜áf*I#$©óŽ Ïðk
-ÀGODßšêäxmÖâ0=L#e!	Lø	'iðaSÑÛ'…’|_ce%nnˆx#uw1ôXƒRÞžõsS™ÛqʶÈ5³uyóL‘©+Bg˜L=QÀÀÏÓóó	;¼Ggžzy~6üÆÕÛî{tú€&$ëÈ=|˜s'8uï`"’Dü‹>ãô¥§±ãíÛØ‹D	™y|ðÞvÌøp…íZôÚ¿îZtÀ¬ÏZõ
-AòYAâ9A×ß7Žo¨†ëF+%†þTÄïÿð¦v@_A²LvÛÎePà„Új…¦çò@wÿ'¬åÿ8Ëendstream
-endobj
-1630 0 obj <<
-/Type /Page
-/Contents 1631 0 R
-/Resources 1629 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1628 0 R
->> endobj
-1632 0 obj <<
-/D [1630 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-534 0 obj <<
-/D [1630 0 R /XYZ 56.6929 606.2532 null]
->> endobj
-1633 0 obj <<
-/D [1630 0 R /XYZ 56.6929 579.9813 null]
->> endobj
-538 0 obj <<
-/D [1630 0 R /XYZ 56.6929 357.4916 null]
->> endobj
 1634 0 obj <<
-/D [1630 0 R /XYZ 56.6929 335.0205 null]
->> endobj
-542 0 obj <<
-/D [1630 0 R /XYZ 56.6929 253.3724 null]
+/Length 2794      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝoÜ6÷_±÷ Y†¢(‡CÓÄî¹ÈÙ9g‹Mó ïj½´Òf¥ãþõ7Ã!µ’,Ûé%À
+TãápHçã7܈‡ÿÄL',±ÒÎŒ™æBÏ–Û>»…±ŸO„—™¡y_ê§ÅÉËsef–ÙD&³Åº§+e;?»>»|}vúqñËÉÙ¢ÛrÿX‚+Ü陸ùl§ûå„3eS=»ƒ?8ÖÊÙö$ÖŠéX©À)OÞŸü»SØuS§ÌKÅ©Œ³XˆÇW¥8¬êI˜iqŸÃEç)Cp4|3nùÑðRõo%³©™mY¢`íþ·Åâí)l)UÑb“ŸÎ•L=OI­Šý©H£|ÙŸý`ÖÒ·%iµõŽ8õÚ3‚ž?ëÊSp.K/ÿ×ü&_פy¤ìýÕ+Ľ…E¿*ÞÜ,ÑÌj-gs!ˆÀ¬òuv([ºi·s$P¿#òÏùþÞ»wŸ»¢ÝÔ?#£O³Ë—ns9RÔä-»MlÀ¨Â‚){öþ¶+TV1Ñ0›ïèS.Ÿö
+¥™‘Â:›Kà¤1*:Ë– ¥¦Aø.³ŠˆM†ÎTF2þÝÐ×Ý/M¾¬«Ñhí¼ôÕHòúúIt·)ÂÊwEYúµëªuT—SžA9eSßÑ1ʺº%ªýûp±{p†þ ³8bévdˆâ)èÙö{yÀ1w<—ŒpŽáf”Œþ»Ya#Â
+–p¸wÆÍ0‰=HfÒ¤,NX)hUxYÈ´‰‰™1ÆPM‡ªh½ÍÞ½š˜Ñ0Õ‡ÛÍHXÐ]㬿TþeWË¢-ï‰ßå‚|å4%”Mp(ÿ’mweþýáåy,z'äCçÅ·$60„´,Mq”b^ÌRÚŒêeæ“BpÓUÈÊ!ç<º¨Ðu½{þ+ÛíŠàà…÷ã‹wŸã‰Õa“2f6t×¹×£,ªl‹Tj#JÍM]Ú¢®hÓv»qÙ$
+²1Äë>«š2ór0²¦°ÜÒ¬‹wÄÍV+¯´¡w‰0€‹úŒÜ¢ñâËM[[÷枸ÛÖ"]8Ũ;¥²_EQÍÝú€	X¶ßev²-¬–þVVõ6+ÜyL”aºRi½[\áK"°UX’@t	©på
+&ÑäÄ×5ÇmÁ
Öéê!l³U>ÔTæYÓÎÛz¾­›Ö¥¼yØó 6ÅmEu,«°Â¥´ÑÜ­ŽI\žËV$Qæk'«Üµ g_Ün ëÍcnൠ—¾ÊgFT½ÛÕMÑæÄ>.äƒ./­¢»ìž8èøíyEîUwfÀñCsÈÊòÞÏÞíÜœÜæsvz@¿TœÊ:ºz¢i©îÛe{ïžrìžÒûH‘L2åÔW¯`À×<Û­þàUì Q<¢G?¸xé½¾[hp$òXk
+@¤l<ª”W¢Ó I›¨ÙøÝ×ï¸1œóâß!´ŽXæ4Ú(ó4P•‚ËQZB×Ç_Õì¸wðX¬¤
+¢5ý+-|˜12j÷v¢ ¥Ly,ú0º‡
(FF$³òD‹ÔyÇeÑèæ‚ ŒV2öˆæ
+¼05ü_F^A@'7ÒÌ@1\¬q.2û4ŒÇÖ*êÑî¬G8ÆË‹­œ½©áD³Þ¡‚ây_³;T"ûŸBçi`}ËO5¥€E@vÉ=ÃF´§
+i‚äú*ш’	É•PkªÜ6lTù³Õ•ë<€l)
Q¨P¥ç¯júVuë‰|	XÀÒöT„éÐäÈSP9ÝAEØ.[@SDšì6Çã`u‹¹3öq52Çã@ºi,u&%´ßÀÏ2k×uDyVÏ&~FCß}Ž}ÄçSè*F:»¹eÑ´Ø ]ûÃßÕì—X8+õ£éÛS¶‰ý+Yïéô1Œù˜ƒãw1?胜âp˜ÔÛAíÛÁ«ã«Æï^ðõ´(=õ¦ØÓ^óHGú¹²]ØDM¡«Sï‰öª¸ÚºîÃQ)^yѨc€(±r÷äFiêõùkb®4Q®·B‚ 5‡›&ÿtÈ«6h»ÉóŠ¨ü ýU¾bÔyþ¶Á]Mød‡¾º#¬ÑÁ½ì4y¹ötx
+*³¦	Íô*ßášUx,tïO@‚ÈÈ£&²WµšP)c¦ :‹·dpW(m–#I ™ª^<0á#blù#}ðõ"kçػ׆gãà·s;%)õ¥è~Uè,€(³›¼¤1\ÀµJöÞ4hĵLxVÞ75»|O \DÜ·Í£Úƒ.5÷Û›Ú¯H7½ó
¸h3ÚÝòà;Rç½
+ûó.YŽ;–WíØÛlß>âŸv9†Þõ_„`R÷6#NÙLrœîï/i†™¸»x·Ø(½ËnZø€+R®¾
+Ë!ªÐ:Š;ó¾Ê‡Ø\Æ)1‹N÷èúÞ‡G¥‡ÞVþ1átÒ¤²A/{]—e}ç+ÊîoU·èl"hðq‚Ãè©àãàèÚ¬A•x>8ÞßWmö凉õ¬.=•Qô £¦„¾·Íf,ž¤LÔõ²&´A?"LXº -ºüDƒ+‹UPôqÊ|‚w*¥†Éö‰ÌçqðÕ&wA¨EˆÑ=ñI-»ç`Pþ'
 ¨Hâ°ÌyÉš¾YuOÄ¡ú0Î?OÓŒ‡’J¨ÁP#Ía+|„
+¾ûðœŽ2ȽwBí¤Ñ.‰u/'ÈnèK¿¡$Q±¥÷ô©’#ÜA¬¦d;¸›DÉoÊ:†˜†îÑ&±Ì}s’
+ç=9BÈ0¤žMj”"3ý\0(©Ìà¹Ó)Dû¢)DStÃIHzP2&.ÏpÀF>‹æ1Ç–N¤£wx_úν‡÷ÊË1dxÿ§˜!ÆêŠËp‡©k$êyD3È?ôè|{Øv@¯XO×4×€¹3ܸŸGröØ?)€Lˆÿ`âðÙ³/J_ûÏ
Ž-(MùñÍÿH§Â¦ðÌV>ع«FÐF?Üú‹"Úendstream
+endobj
+1633 0 obj <<
+/Type /Page
+/Contents 1634 0 R
+/Resources 1632 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1631 0 R
 >> endobj
 1635 0 obj <<
-/D [1630 0 R /XYZ 56.6929 226.0165 null]
+/D [1633 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1629 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F41 969 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1638 0 obj <<
-/Length 2828      
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝoÛ8Ï_a,œÄ*¿$Š÷æmnmÚK}@qÝ>È–l'K^Knšþõ7ä²äÐŽ{í Dñc83œùqfd: ð£ƒ8Wb •BBÃÁ|}AK{}A휑›4êÎúuzñâ†Ë
-TÄ¢ÁtÑ¡$Žé`š~¾ümü~:¹¿±£àjFdøëíÝ+ìQøxùîîæöõ?ïÇWR§·ïî°û~r3¹ŸÜ½œ\(!Ü’ø×»»	Nº¹}3¹ú<ýýb2mYîŠE	×üþyñé3¤ Ýï$à*ðBª¬/DȃPpîzŠ‹ÿh	vFÍRŸšBa̤GO‚úôª âŒ=±€zgÜÞƯ^Ýãû÷c6" ž»ñÛ	6qžo&¨øQ¨0d†hx»)“gîæfÙïÅ
p¿¶a*ˆc©Ì6¯³2Û&MÇ$Ãa‚:kt#VìÛá2ÅÆÛøÜ^Ñx˜Í+óLkàÇÑð®rôšUæü­¶KòåÊR_µôê<µóºÇÉŸ; •âôºÙæåÒ짎²™Q㌇¼(|ºœeh…šÂfcèÁÛÃ*+±…lBÃ1MËœ^…ÌAË0Ï‘·šgu¥VÉ=ë9Pòå»ûÛ×·wx\“ã·ïßL¼‡~ùzr7¹OÝÉŽàl±ùÛ»ÓÑ%¶Çv4`ài—}:ô;èèSÔÏ_>ƒ_üöBe 8‹
e§‚ìÏ]þ%)²Òª«©üjÀµÒ¬5{Ó UÀˆÆ(
e­8Ô§ÿBǾãþèJvzKæÓ áÙ[òÓ[òóžÞ’ž‚T ÃždôTá`ç¯õqÓÅtJÐb b°H¨sP+H"Pý¿[åqxÄQç× e›nEŸÔ¨j$D«áZpwëš;e4àœ‡!ŠðÒØ&å2ó8–x€ÄÌš®ŒgEñpž”Ø0¨Ϫ4
‰hÍC…Eµ]×@“m3ª›jcWmñ¹ïQ7ÙFÃgć·ŽÔÊnò!l[7>SлÀ$¥Ðùá¹Ø»B”jš]¥7Ê6ýix@£©ðIawFÃ1À´é0陚IKÑŠÍ°#½ÞÕ–æ,óy¦ªó&ÿ’=1ÌÄ`tðÇÌB ‡
-°žŠp©¾ƒf»ä¨­14êÄ'GlMÀÍlñ‹U}¦¥qJ†iVÏ·ù,«Û£Äþêbì+“µë\Ì»¿®v¦1Ïpø "À©úüõsf'Íq„©¸Æ壞(àê-—…sž®ø!
„ÒŠté:†˜Î'üAB’VE‘lÝe	}Ô¾=®gUQãËCÞ¬òÛZÖ§{S®™¥í×9´8¡ƒ¡MPx|Áö¦Hæ•hMŒc¢‚õízö¨#ç¯RóF‡mÆÉ¡nâ]¦][ñáôJ±a…ýKäb§$(ʼiùzÔª]³ÙidZ=V;.3½$:°ÔÇ=O6Ù~ñSå4Þ“aV3»ÔæQ?fÉüßu‘Ô+\JEw)OŒœæKq0õ˜r;A#ŠPÃ,Xb,
-$eñ1zHLœ0²Þn:éÒD¦OIÁMª'
¶£–uòˆÚ¨6M^•IQØwãBð\€5Wú|Lï#`!hÿÖUšk|϶5*äa•ÏWº	~»2דéF×–Á,¿õûãÝ5.i§µ6ù VµäæÉŠÔn“§Í
-›Ê=p=Kjm¶È·ÀäîùT²ã**£mt77rÃíz,ñ/•ŒuƲðª\qu0¢È
RœmÁ%-DÀFùz¥9Vawý¬Î%Q`G=ÃáÃf‚ñ¡‚†§,B\gè8!©}PD÷iô´Ð³ÐÅ1wöÿéڜާk}DŸ?{(+Ø;
-/ÏðNäðÆ@(%ûš¬7Evía)‚‹·ØyT*q®Tp?_óëÔ*àü„½¨w3{ä,tTö¼“i´åÆñ|v<'vžùn‹¦­Ó'Ýa|H0Ù%˜z}°ÂÞ¶»Â.Hì„i6Ï×I/æú2c—û–!K£M’¦ß#²w[Qf羺©:\PHànù’äE2+2;Û\8ÍÄ£Øl]WÏi¹Ã½BâHSÎSÏiD‰%Û»+½ÆãàDUôÀ«ycÂåÑ-%X°rfTyvƒ«þŽV¨á
-¬w¯rÛAjÿŒœ…}õB­ƒox|œ’·~öÑkБ6¾[hÓRï6<ë9¸°…2n£j=^æ3sŠ'4¤£LµßÜwáª"jz¾w¾k=€p_{«/p]bѸuÁÄ0/ð=oðý¤Ahxàº/ÛàÊXƒÈÈ—ýtŤÃ.u &7ÁÞ,1ôõ¡†Ò|ix€±Äfv‰%•m¬õêAÀð¬Ð	9@ºYï
-w„ÝB×AËy±K³ú@ÿ†¢­™âVzs<pçÕz“4ù,/òƹÂÉ	ƒY²-r“ŒB·Võ/f R±jÁüÒOQ×D×ÈõuƒgÌD›».ËüFÖ!ªžy™æ.àƒÈ‡¨Hô噃&àÓvjõad«‘K§º¥áýy¼^Ñ-ü`ma_°øJcŒ(@ñè™jãt)†eñ¦)ž­V|Ø€mã3 d릑¯³QSŠü‹í1‹<ÂÍZÚï)¾z>X@PzkZÀOiwMÝ®x1<õž¯ûÆ—«l›7¤l~ÛÇ)“œYL§ozë’rî¾E\ÅÃ]‘ÕÁóYöÒe¬3(¨\Hes°Ã£8”îzð	ÜàBp‡ÆX ìˆH7n–ö<?6«¶sTy¶G¿¹ïÍègUçþc§’‚“çjsSÅ`Á©C:eï!sVÃízÓg½;Öµrè÷X9•®ÄÓmf®“f¾ÂNKŒ
¿é‚³±[ˆ¹ì̳éëøÍI³¥ÿofÛ5ˆŸe·N÷ç“t+ŽÛm¤ë¦!Æn)dà$¢¥7Ͼ0[­/žrŸÁÂë°òcâjŒþTé2
#ì9…[«ð[ˆ±G‰‰iyr>°]A÷5Jcgû:…PÍö¶Ÿ¿íÇëryB¡N–B÷¤ø_|ÃÓ$ü|05è<ºóŽ'ÿìà$
-b¦t6*$ì|¥ãžvÄ0=âÌ~ÉüC#Ù&+øM]W@¦_u‚CÎ]šæ„O: i£Ãýÿk²¯MVêÈÖŽ»?`8¢ÿolm«ZÄ5D)[ìªoø½ÐÆì…mëÒLÒØì(f•EŽÀ|CÁP{~b|¤•‹ð[FjH®+ÇË>„µ¶{Ñ´r¼|3þð¡—FÔÁ±?*êðxþºCÏâ¹ÚÿYJ˜
-ó[JkQ–)­%ÅŸ8 ûGÑSÖÿ›®õendstream
-endobj
-1637 0 obj <<
-/Type /Page
-/Contents 1638 0 R
-/Resources 1636 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1628 0 R
->> endobj
-1639 0 obj <<
-/D [1637 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1640 0 obj <<
-/D [1637 0 R /XYZ 85.0394 496.6186 null]
->> endobj
-1641 0 obj <<
-/D [1637 0 R /XYZ 85.0394 484.6634 null]
+518 0 obj <<
+/D [1633 0 R /XYZ 56.6929 647.5054 null]
 >> endobj
 1636 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F14 765 0 R >>
+/D [1633 0 R /XYZ 56.6929 617.516 null]
+>> endobj
+1637 0 obj <<
+/D [1633 0 R /XYZ 56.6929 528.2228 null]
+>> endobj
+1638 0 obj <<
+/D [1633 0 R /XYZ 56.6929 516.2676 null]
+>> endobj
+522 0 obj <<
+/D [1633 0 R /XYZ 56.6929 321.585 null]
+>> endobj
+1639 0 obj <<
+/D [1633 0 R /XYZ 56.6929 297.1352 null]
+>> endobj
+526 0 obj <<
+/D [1633 0 R /XYZ 56.6929 227.8928 null]
+>> endobj
+1640 0 obj <<
+/D [1633 0 R /XYZ 56.6929 200.1731 null]
+>> endobj
+530 0 obj <<
+/D [1633 0 R /XYZ 56.6929 151.1547 null]
+>> endobj
+1641 0 obj <<
+/D [1633 0 R /XYZ 56.6929 126.2246 null]
+>> endobj
+1632 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F62 1100 0 R /F63 1103 0 R /F11 1449 0 R /F53 1062 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1644 0 obj <<
-/Length 3175      
+/Length 2012      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZKsã6¾ûWhO+WE^Éã<Ýh$%ZžÉè05å’	4^ݯŸ0øã“P:É$JT2N›6y„²Ÿ.¸­3s•fýZo.~ü £I$ZèÉê×W°8擇åoS¨àz`Ó·×7ï“Ë™Ùôþá2RÓ7øïáúþáúÝýå,Ib1}÷¯7¿<\ÝQ-ÝkHÛüÝí͇ëŸþsg;¸½!òÝÕ‡«»«›wW—¿?ü|qõàèÉ™Dîÿ¸øíw6Y‚¬?_°@&q8y†x’ˆÉæB…2•”ŽR\Ü_üê;ì•š¦£Jã,R‹­	>á­³ÝpN1Ê|%B¦E”FØà·GG$¥x|,ˆe¢Ða:¯é›}Ú^rÔV¶´£Uô[.³2Û¥¾xEúÙ@–o„£ÂÀLj¬}`f.1^DÑQ$T¡ã¾L7Ùr¶¨6[p/fcya­…²- îüE@º¦™Ê0
cÖÙ¢Bg²wY37&]Ùïê ÉrLäÊ ˆ-°ý¼!’Q*Vo›
-4/Òeí@ŒÅC3èéVjú
-Y¾¢t³²66oÖv´z›-rÔ°kº”Z¾ KX$ÐÇGV5›´£¢	šuöz ÎX‚Å®MµE§Lrðy•##i4TƒYéZÂLñÈ¡«•‹ü2$ÜOf2†e,ñ;0{
xë$ÒUcf/t>ÙXé.-ë•£Wökø¦FÛm±÷6
¦êª´[p3Y}`á-U0C‚&˜r£1ÕÙ.¤ív•œwÄ´·BH—Y¶¬)	H%Âtµ4S»HQã2.	dv˜]m3›Ö¥Œ½²Õò„½#“
-B©¢¤e§³WËíb?¶z½€'"~™m&1—Ƕ	ô¦0Þ=…,²º&]Av¨¢Õëª-–”~D¹BMNòÖYGFBJѬ˜E †©ÏëA7dœ ¯£øHp‹“¹ÅêÖ)6dvÔÞá§9dN­HÝwÕÆSBÄÄj’Ëp¨I‹èÇ4/	¶3ÇAB<€ï›¢ÉרxþÂÚ¢E'’¿x€ë“‡ôÙÖYÝõneÖ/E»tuÍ4RkQµ%¬Ÿ
ñ*ç. õœù}Çñh&€¯Õè³éî;8„Ö°mѯ Z$2…¤ýñ[?Äý1ÎsœæÛƒxÀxÄJ«ˆ•ƒÅ‚Ò,%HôÁ@kvý#‘`O̽TÄéä0²g˜DpÁ掃‹™†º†Qëø›1Æù4þÍ@?–Žµø‰\‹— ÏcP´üèC}&„ wtZôþ­=“¸«³'ýA¾Žïû§ï°ßçœâí$ìâíDS¼
4+ƒ¡m©044ðBÍÄÒ˜Á¸1'~ù˜–‰´#ÆŒA‡:Á3ÆÊŸ¼aZÒ… aa”:bZxÑ1OkØSÎbÐ4^E*÷–Ù§E‘ºó8$àóJáåò?èò6¦ƒºÑЭ+v'µ1ÝòÃÇljá‹û<~ŒéœIx`YÛR:l„Ô6Ýg5â¶HÍ:²›iƒbTOIs×
EËê¹´õ+"Í3Ê=ÏÆtå”/	ßÐuº`S÷M¼’‚û³a ‰êæ¿ww÷W˜DÍc¢|žç|–ðï{8¦¤|åˆ_Ãpß,jÕâcf¼¯¼ýìE¹?Ò¹"ËÓÜ{ÇdÙçÇ‹rÒ,UùE
-ü­*ÒÉ£æ5ÉØ龕8ų	ÿm`QàÓ§ˆG8Ç¿ÞÈ£·bb‰¯Ôð¦P0=>aî)$µÁ|%t£Ž¯'Äæsã¸0m¶w;p ø8¦û·(Ì^ÃwQ…»fî†
{^ï„É­ëÃ=;ÖMCÂ=n`öâÝ4í
»Ní8¾4m›uµÃÇ#þó…ç=¨ŸH¹ÇÈƬ>u	q—Öî5]á
aãïPé69î›EtˆöÙX¯îÉÕÁ›?.pE¯3;ÀÁEUgCXšv¹×.¾Ê›5AEùÁs"7!0®ÝšUݾ·à*
-$OäÐð®mßuåc©y 1¸;èÑîñúï«MÞø—'+÷PÉw°ÌVi[4#K™W°r¥´‹{\¿R÷t™Ã·¢Fx®¨ïk)Õ¿Ò•öú«šë[Ù»¾í
-Ý[ÁÍ2†úJLoK[’×®;´k²-R¢qû°GÒE²}µ6ö”0¤È›;óo›¿ú™u÷ð§>ŽÅ¸×ðÞÅ2…³¨#ÎÝ{ìcÖÿ†§r?endstream
+xÚµ]sâ6ð_ÁCÌL­Ó·í>•&äJ'!WB{^ïÁ<8‡Íåòï»ÒJ`ß5™k‡´^­V»«ý’XŸÂõSE¨Èd?É$Q”©þ|Ó£ý{˜{Ûcž&Dq“êçYïÍ¥HúÉ4×ýÙ²Á+%4MY¶øÿ2|7M1W4Òd+M£ŸÇ“Äd8œßL.ÇoŸ‰Œfã›	¢§£ËÑt49
b&¤âÀ@xÝLFHt9¾
>Î~íf‘›j1*¬¼Ÿz>Òþ´ûµG‰ÈRÕ„JX–ñþ¦'• J
+0ëÞmï·ÃƬ[Úe&%R¢RžtØI².;É„è$A;ÝLÇoÇ ·¦42_òÍÃÚy¹!V5à3F2¥¸#~ÿþý (Ï'Ãkkàëáxߎ¦€¹aÑ›K.»AI"¨v,Š
+­g>í‹ÏùÚlkü®K\Û’ø°6	Û“ÑŸÃëwW#r~sMPh/ŠnKÒ&D±ž±3¤ÈjYÛVD€FV»ÙÊ TgãÉùÕïþÄ/Š™×ÅgÓ­&ׄÁ	8~·OÛ:ÿòcÇÆBÅ´„ÎüaG¨š—Ü.°U¾éÚZo0&<á‡Vå	Ê]q_l;ø€d©Vì#êÜÅ.#Œ«ÄÓ¯lì)žò“Œ¤R°?ëP1ŒPi•¥$I`;;95ùöi”oD»K£rnª
+gjw(üM)_›waà«JÊôE&ciTÈýÅ·.jü~4N¿m±¯÷ãÅ+¶à±r¹é¼“…gþPÂbÃGGãe‡cp& }qñ¯ÇDÁ€"ód}õ`æ…•t†–T’TeI;‚ëàÙa1Ù0¹SPE½êÕZš
+œ3$‘HÀõt•9F;Ž«Üc ìÍ— åL òÀ|¿Ã9¸[K¦N?‘¯•)(¿1éÅ"I4mû(&™†“q0º«^ ³–nfQnò@îÜÑAHóÙì<•³È‘OŠ©' Ÿ»Êý~»¢Ü.íÈ7šY:ó
žo¤~Unç¦Å<Ši’Bj{TÓ‘V¹7æ1[„PÏMÛU*ÕDSþ¢RÉ8É2%»K%dàLÎuöu^¸Ž/†mVÇÎCBPŠD±CE“´‡LÕ‰AÇ!3KÆ°L5}NiÈPÖ9)Q‚‡¬åŠE3øçÑI<%ѤTD¦TÚ­ûŸú6mf™@¢ìt=ÚÀ!ÞŒ7¼Q‚Fý†RqÜäì”Ò¼GÇ¡2»ÂøE.PaDʪÜ;ÀuÐÀà4OXîxõ±‹·ë'„p’¥ó}ø^â…lƒlL>_ùØfXðÎ/Í·889T~û Õûqк•IþÕT’0}èæv3¡56	:ñ6³k3;š¤'„ïÍÖÊäi]ÔZ4\+„\OS'v²“ˆü´/hí“@J~x(íÊqÜß!ð†Ëæb¸eU¾—
+Š´Z”…Y›ûÜ6*‡$WÍwÅÝ7’K|:·Á´ÆG
+˜þsxq1%Ãé;kÌaà6 ݯ\-·m¾ÈÁ]º	N|‡Osþgþ%ŒÅŸp˜Üâˆcg‡×±±‚‚g'/ng„vgئF¯}ók®µè2A‡Vì›Z½‚ÿ
+#ôö-F
Ó Ý¿)
SB¾zë†Òf_•;ž“é¡h÷ãu£çMˆHSÞ¼E7´l¥€†ÀeEÏÄsɯܧ¢ÿ"ŸÖ)endstream
 endobj
 1643 0 obj <<
 /Type /Page
 /Contents 1644 0 R
 /Resources 1642 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1628 0 R
+/Parent 1631 0 R
 >> endobj
 1645 0 obj <<
-/D [1643 0 R /XYZ 56.6929 794.5015 null]
+/D [1643 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-546 0 obj <<
-/D [1643 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1444 0 obj <<
-/D [1643 0 R /XYZ 56.6929 752.4085 null]
->> endobj
-550 0 obj <<
-/D [1643 0 R /XYZ 56.6929 542.1781 null]
+534 0 obj <<
+/D [1643 0 R /XYZ 85.0394 645.1438 null]
 >> endobj
 1646 0 obj <<
-/D [1643 0 R /XYZ 56.6929 510.0725 null]
+/D [1643 0 R /XYZ 85.0394 617.8288 null]
+>> endobj
+538 0 obj <<
+/D [1643 0 R /XYZ 85.0394 390.8337 null]
 >> endobj
 1647 0 obj <<
-/D [1643 0 R /XYZ 56.6929 447.7453 null]
+/D [1643 0 R /XYZ 85.0394 367.3195 null]
+>> endobj
+542 0 obj <<
+/D [1643 0 R /XYZ 85.0394 281.8762 null]
 >> endobj
 1648 0 obj <<
-/D [1643 0 R /XYZ 56.6929 435.7902 null]
+/D [1643 0 R /XYZ 85.0394 253.4771 null]
 >> endobj
 1642 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F62 1100 0 R /F63 1103 0 R >>
+/XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1651 0 obj <<
-/Length 2603      
+/Length 2813      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÏwÛ6¾û¯Ð‘z‰Pü @¢{J;un"+ݾmz $ÚfW"U‘’ãýëwR”-‹ŠíݧçÁÁ`0øfða@Kô8ü‰^¬W6ìE6dšÝ›ÌOxïú>ž¯3¨•m­÷£“ŸÎUÔ³Ìiz£ë–­˜ñ8½Ñôàô—wŸGgÃþ@jÖhÃ÷—HbéqúëåùÅǯÃwý(F¿^’xxv~6<»<=ë¬%Œ[üØ«ò#¯F§Wý?GŸNÎFÍÚ‹\¡÷Ÿüñ'ïMa­ŸN8S6Ö½;xáLX+{ó“P+¦C¥jÉìäêäKc°Õë†îM«˜éXF;P“jjÚ2£ Q›®æ‹t
-ë3qPø´Au›’àçræÛå"d( mŒïý(Ð`2ÑšLhÃ"a4¸ˆÓ”URee•MÊ7JCÚþ9·l=bRä¨y³ZÂÈ"§¹Š¶!2Êè`DnÚ –¤•ô\öE¤ó¢Jg÷¤”L&iYfcšº7Â0¥Mo ³ZK7é:K@;{È–Û$žÜ&yžÎ¨óî6ÍIü¡f–sûo¦Ü)Š ¹“ÎÓ¼¢yÜêЭ­X`GN9tôzÐÛ„¾qÍË4}2ø!…ÅL¢¾åMÃûµ¥¿'ój-\ÛU:ñ®¹ý*!ýz#ÂÉÐØ-wå£ÕáÅckè$ÄŽè
 %to “òlÔþ@pÎ}"3´óÞϳÎ!íBfC:cÍð*ý^QëºXÎß.Å­J­qz“å^z—U·ÔJè1ËòômÝüwúóŽµ"bVg oÞ¼Ù½ŒÍŒ
-æ0¯
m:µË|¼Y¦âQ¯æcܨØÆŒU<	mÕR·LKßéŸ	=ˆ|JzSõ5ϾÊê~æ-WÙ<­ù®¤æiR®È°‘x“e
-[cZ¿dùÄ[ø”ä«dyOÊâ­ã¾MÂF©‡›à¼˜ÍŠ»,¿PBˆß­‹™²|j¹½
-Ï„TÊÔk×ôÜŠ.(d9ľ®»
‹‘b²Éí¶½	0ÂM±Ìþãö>L|Ç4-'ËlìÄ8ï¸X§Œw–€•­Q6—í-øjIû¤"õËd^o’t¹v<½#Ó@{OQšºUoG-¿…Aª+ÁTI]^x¢Ã%z,U6A·J²œïÄ—"ÚŽ†3ºÊ+ç,t®“ÙÊë]»À;ŒAË ÍêÙq#¯’½P@ƒ]¹Ôc‹;ÆÀZ
-¦±‰Ó,I–¬“l–Œg^Å»Uú¡çµÚ˜r}U÷}!D€D£NF}–‚úm²NI– ^¡ñ‚ˆ{²L²¼¨HZÞw9ÉÜÑc¢ú|¸Ð‡$FgkT[ñ%žñÖèôć=)m]Q†¢¬¢a‘ß{(ºÃz€ÜÞÒhHR¥€²l
-Ü“M0hN· qU;³5ög¾e3¦mã2jÇêÑ¥4ÌNô;ðÔì^þ&eÔȨ˜ŽÑÚ#7~Bð¨9ÎêÃìá§uòvŽ)%qwB53¢¤ÂÜE¤•ÊÕ|ž qQ×V”U;YÝ@—¬(§e–Ûb
‘൦€*´ÕQ‹”îHŒIªö”üz»‹IGÑ¥×Õ¼(Ñ
îÍVóœz\î^«B¹8nv Ð3`0%yy?3RÎbËy#D½FÔt7XQhbZzu2Rú™šÄÆچΥ¼¶yÀ6´tỨʚûòØtSÄwÿ2}&É–%èñµ,2’Šë’ÆËìæÖ£ç´\f8ñõ&[§ÞÙàtI”æè)ª+Ý
Ç!tŽõ¢æÐŒ|ÁÚɬ,HR3Wä‹æ¶©­¥EbS/GÒí®ñªrS˜ÖÐÌëN‹É
-uïâpw{êôÇ)(gˆË®´›SWÒO|P”VÄا•;°M	L“q6¾ÇàaƒwÓi†ƒ—&еÛ{Ðœ'÷Ô $È&=[ÛiJ’ÌOO«Ã%?N#yðOwïqÆvÅjžM§55›ÛéwJCÖs—ºÛ“4AE©Žòê®ht8ìÖ¬"i64¨Ö\"å
-;:Ù¸>À‘÷©‘þt«éŽ]v¬"~Xƒûê'»öuÑb1ƒScìϲÇDþðÖ ¢=¬"jÓoûNd9ãqOIÍâ0
-úÂ*¹ýáYƒjZX=9?ã`Ê7ëÛ¦´à.Åb+åæƒmáiAmDOÁñF1U˜Wž\Mh¥‹£Y-WXA Vq{ê’C*ÓkÏý²Å jÜ€IH[f÷~zd²±qûj+váÃ5ÓæG|†éß+¸­C8Q"Ã/;Žrv¡ný‡‹Ï¤zšqJgÀK&)lÂ)Px\ÃüÜD:ödzD1hÃmÂ’Ú9à!íÁx븵gdO«
ÄËýËÆ#aöKÆ‚¡ÔV°ÌËüŸ‚%Ÿ¬¯¬×f©œ…	;‚¥#ñ&VgÓ¼äÝ61Ù¾UŸ}¸¼ÂŠ‚»:½h°'m9ûZTõꀆ’	#d ¡fpyÓûdŠ¨üæî¯p(>ÛU^®‹bYQ1K`SÛ²ùÞq à­Å-àŠ3É»ØVYÙ
£«‹ÏÙþ7.¾.ŠâõP1ƒuœ°R
-«H×è/àý<hùz´YÉ
“VGxrËâXª
¼(1³|̲éæ“È&Së0mÐ7À—ÙMžTþ£ñä[«:Vä…
™
-¹Þ¼°³p;máô3þÇ3Šƒa_ë_;£àÆ<,~$‘Û®+1ˆX2ëŽAÄšÙˆê¤w«êöËò~˜þ·8ÔÁðëåŽ*–Þ×é&óÖ
-ΰuºI\,ʲtõ¿ÒIµõÖŠŽ6‰#ÎBÅ;ª…ŒSW“õP	¨REkHŸgËÕ£…SÇpsî¢#azA5Âï×K¥ÑP
¿þ~>ìÆò_E^ÿKs™äåuýqã)zèDvãõѲCh˜½d5ã†Ê†¯‹iR¥”§F*$Ýà~¸Ï“y6ñU®³ñBt[®mÞªivTBÅLhQWø)?)	¨àê]^Â4ÈX¦yµ¸–SGœ”ÌpÛµã¥cF4ŒÜýk¹ÊñÿÌ$å¨o1Ýâ ÑÊ¿A´åíÑîtÁ™ÑaW ðW&@ñöÉ8ÿö~*耲åæ±&§™A­ýHrÉd¬ãMnx3xÉÍM`?€-玿ذ¨+AU)nL½©>Þã«ê~7.¾D vÊ°9SBìú	ïu|è.7?i#¨‘c¹û·d,‹¥zJ³Ðµú1þ—™^«åúBiGgendstream
+xÚåZÝÛ6ß¿Â(œX³üDñÞÜÔI·H6½(.̓lѶp²äZr¶›¿¾C)K^ÚÙkr¸‡ƒDñc8œ/þfd6¢ðc£8!‰âj$UDbÊâÑr{EGk{}ÅÜœ‰Ÿ4éÏúa~õý+!GŠ¨„'£ùªG+%4MÙhž'Dk @Çÿzw7»žð˜Ž_ݾQÌÇ/šþ2ŸÝã@â¦þp{÷#ö(|¼|w÷êöõ?ï§×2ÏoßÝa÷ýìÕì~v÷rvýqþóÕlÞ±Ü?£ÂðûûÕ‡t”Ãé~¾¢D¨4=À%L)>Ú^E± q$„ï)¯Þ_ý£#صKƒbb”p‘ð€œ"’S¬H"¸°rb\JÌÞœÜÞM¦?þxO¦÷¿LA"	ÜMßΰég†æ‚¾›ÑÑ„+’¦©Ýåµ®ô>k5ˆOÆãnM#×+옺á*ÇÆÛ_ñ¹¿féX/kûÌ`M¤Éø®öôÚöþÖ I˜:.Ö·Á¦#Ù¹›[4f~?¹§7í¾¨Öv›x<÷ÄíGþ¡(KshsLƈŠc´º…F1v;KÞ6ºÂr
+½cšŽ9³
+™ƒ–ež;{äz©›FçNÌz1Ke÷ñîþöõí*löëôí/ofdÈ(lj¯gw³ûéÜëvÚÅæOïÞÏ'/°=u£„ƒ7½øëtŒ"Íó;ŠOò]Øb˜$Jpi){èßŧ¬Ô•W[‡Å€kÑÜìÞŒt˜°OÃxwÒ_x¡gßs„]É/oÉŸ¿ðò–=fÅå-ÅÙ-Å_9%!ç91ñáH2y*p°ŒsÌ<]â¦iSfŒªQLSÂ$ÐzF¨JIåI¨ýk«<p“4‰ãóà:
+´\Ó¯’šø3M"	£Jvqœ÷¢¯Jå(Ràø4I¬÷YµÖ§’JšÚYóõª$/³
+6bÁ³®lCb0†Žö¡ÆƪÞo›¿C0ŒLdÌöí¤ië[µÇç±ÿû¦Õ;:1¾õ¤6n“ß(åû¦
™Ù&)…ŽÏ„¼ Ę!`ØUf#½NÃ[mO»Gq2žBˆ¶öDf¦aÒQtGŠ}í°'½=4ŽæB‡LvW7E[|ÒOŒ2’ yzë+ðëlÂXŸTqžBèŸO³[rÎÐx¢•L]6´D1<{¹ižif‚Ñq®›å¾Xè¦Ó#ö×€°¯Ê¶¾su2ïý¦>ØÆRãð	À©Fùæ¹p“–8 GdÓêÑLŒàέ֥÷œZb$’QâŽô"ph#²ŽQ„ð,ª¼ð€UI4<ÏÎ`Ÿ±S'D^xÑ
ïÏóÅŠ~à+ÇjÅ·/Šq{RÊ¥Z\ÿDRß6Ú¶üb­âý,Ûšž
I®ú`ÅVOÚzRŸ\…-=NY»Ï9¾¾SÅØÉ|¬'é¶Ìý–x'œ0Æ£Bÿ]¡¨6z_´>>¹Ôv¢!y‹˜ÏßÖeÕÒ¸NLJR7äR‚.º„L9ÑyPyíÒ¯SŸôKï2a}ÀåEÂ듽#CÇËVçCûÖàÂöN5&Ž"×Ç`¶ôž	}«²Ü·7tà ½\”ã þTÈô¢Š.™z̽Í·ÞöYïõmú6Τ/,ÃtW;…™Û¬]n°³…´ÛÓûl*Ícïx ö¢³Ïvø5¬ç8ÿ_vÛ·ˆoe·^öÏ'éWœµÛ4†d6¾üÕ‚¥)QÒ}|nw_þhaKµFX€š
+Ì`áqõùº³ýWÅ%‰/‹@e-zÈz’ДÚV ӫر2i-ìXÝcÐ\o÷µÛ}«®Ö¤Ùãó[Ióøo†ÿÅ7;¯ ÍxÇ„&|ð·Š'¯à2%Q
+l@šD§§1ø{…©ZE±p_Bt8º°Dv)
+~B7uù,T“{‹òÂEàaI/<:Lxü‹þ£Õ•Á³nÜÿÏ‘ˆù{A¶w­zu#9–XܪÏø‰Ð!õÒµMA&k]N”r¶*Ìw%pepä'ÅG^{\ß1Ò@J]{^ŽÀÕÙî	˜éÎñòÍôýûAòÐsÿÈxhþFøÿ}Ñ·Ÿûoã?–"[×ãaKé,Ê1e¤¤¢'œû¿õ> endobj
+1652 0 obj <<
+/D [1650 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1653 0 obj <<
+/D [1650 0 R /XYZ 56.6929 520.5289 null]
+>> endobj
+1654 0 obj <<
+/D [1650 0 R /XYZ 56.6929 508.5737 null]
+>> endobj
+1649 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F14 765 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1657 0 obj <<
+/Length 3177      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZKsã6¾ûWhO+WE^Éã<Ýh"%ZžÉè05¥R±Ñx5_7>bðã£4Ž˜ÌÔ(ÉT3f«6z„¼Ÿ.¸+3ñ…&ÝRo.~ü “QeZèÑâÓV±4壇ùoãwÿzóËÃÕÝåDÄl¬£ËI¬ÙøíõÍ{âdôyw{óáú§ÿܽ¹LÔøáúö†ØwW®î®nÞ]]N²,P_uZpuï°’«yÿpýîþò÷‡Ÿ/®ºƒäL¢ô\üö;Ía¬?_°Hfiµ[ìÛ݈ý";s•·ëu½iúmæÓ¢,Ú]¿GÛ…É]'õ†¾óíjÝ/÷g]¹fþϘ(*.èWàpD<®¡Ï
‘$iƒ`‘ñød±*R¼£"ÐmĔж²ÉŸô(xÄîŠP«ÔCÑÐw¶ÝÐ`ª¶Ü+Ê‹2Ÿâ$Ù¤+™;1óÎtîeu¢^4ŸÓgZTùf×-o1á Ÿà‰ð
+!›#Öôi@²¢z$ÀtïŸ
EÕšMÀÖS	–ú:õ½É©Ã祩zÒ0ÒXéî´
4-aªx’ºRèXݸÈ/áçx4‘),c)XX<0}-¸ç%òEk§/ö>Ùšé&¯š…ç×îkå¦Jëu¹F
¶ê‹l×àgLs`â	-U0C‚(˜ò½1µ7^ ­ñîy÷ˆt0C +cæ
‘U²!¤ë¹ÚYŽG”qI(sÝl—Xm=e
–Ũ–'ÀŽÙÍ¡TéÄÙ¬“Ç5±Z½^À‰þBãÌÐ'XЛҺ÷23MCº‚d_Äk–õ¶œýˆãŠ5y-H;oØE³bW¦¾˜-{ÍuÂxeœ¤Gw8™:<¡n½bcæzí¬ašcæÕŠÜݾØaJƒ˜øBMr÷5éý˜Áv"Ò4Jcˆ€{ð}S¶0òÇ%*ž¿°¸h¥™ä¯àûäaämnÓì[·DeÚçzó‘Ó]ëØ5Er6(‚¤…%žêbîÚ ho¶,Z–úÉܬM5ë§2ØÒeñXMhü)ÓBªþ¤®l%¡Ä¸©éÛ.sÇ)üMRIazµµ 
+ãG
+œ0åó×uÓS™RÍø °A†¢%×­·Ê­·Ê­·ð幜¢jŠ¹ñ2©x8ñÁo¹ÕõÀ`›øöX–ÖšköT­3Š_
ÂÀˆ—Ë…´Àð
¹6†ÅŠƒ€ßÅ`E¯!F3u„hÔÆ×ÐÉ*ÿhz²ìõÌi>û¸]»ñ,öòXF°sØðØ)ÀÜ¢q¦ ’ˆóX
…¡h?¦£v¶~`áÁÇ™wb³‚£
g'êµN-
+>+ˆw´p»#Å"¡eê6[ÊmµºÛJ¬ß@”ñÒö*t’ÑnÍ…ÕšÛý¬Hƒ›háß·¬í:
+¨Wä4ûÖ-¿¨hÂÈ
kg¬˜Bæ¹q­54gGm+¼Èg>“‚*m‘¾q<«IÁfëŸá2@LÈ|aU‚à+ëj=m7S“v·9ý‚”.ªY¹û²v(5«·¬Ÿ-É*3ï.€z6aãqÜ›
àë4RbÞpµ·2yæ½Ø–~t´;rÛšàøÝÞ’Jw§Ê4w8.šnt.$kæ:y:ßkg¨«Ð„Oõ¦øÓ·084—E]–õs¿  Çv(è:8Éât¤dÉŒëÏ;áQÂtÿpäoUòB AÁB}òt†ê1hÊ‘¾F¿©‰ÐDÁœ+‰Â¹Ko•‘”àeø.&$wç$ஂÊîÌ[ÓÐùJWcT•qžº=|Ì¡ÉW¤–
+öiÚ—šð“dãj»šZ˜&äÁ‘W쇩÷7÷”MØtã³Yè9ŒÅäÒ±ñí/ïnß_áB p¥±>£6*’%z4Ù°}˜”)¬”‰ˆ_Á$Q•Àä¯[³)ÌËìvp.Hž:@²+´…¤Ld€$Ò6¨€ï’˜úÃÈ&ìò…„…]Ž„õ;w”ÜîÖæe(žOßa6RɈ|— ³(cé+P”I)Ó1òí¶}¬?Š¾NäO
+í¡ØÚBQ1 ˆ4BÑ~Ⱦ{(b–…"ÇPŠ±ÐŠD5v÷‹¤sgK,
±÷‡­Èv¡j]ºcËhðÿv¡¤_é×>y*Ìóe&Æ'¬àlð;d¡£8Ë’W¬€ÅýeÊ
mqàO5öÃÑéël¾ù¤üÁ ºòw$…†´Á)ÇT>› ²ã§¥îFCÖàö)¸±€*'@y6%|c Tg%,¥,÷PÂ"•Èõÿ/œÊZ‡aª¼š™ÏGf§Ã³!óä 2»ƒè!S÷©=Ý	áR'á@EÓ®ÛL†ÐÙQG½ÆKÜ
+¹ÑÖ¸yóÒ	wsÏgSÝ÷j­a·¢_Á³ÈdI{â;¿.~.„»}œ+Ú8-·‡pOî.„•V+{犕]E€­ÝèÄ€X<°WQ	§ÃÂÄ[ǘ:+&>èmãoFçSø7üTF:ÕâFäk¼|ž‚ž•à¯?•ÆèD›Îû¼ëÎ!îsâ¢ÛÉ׉½GþiÁò»‚SœÅû8;ÓgÏ
ÁòÖ”Û¿@cž·
yopÈŸÀªlx0fZÓž(Öáœ
³Ð8o3«Ð«ÂkiÞÀ6æ‹Ù‹Gå_® a>ÍÊÜŸ¾!_3…WÉÿ «Ú”Žå#"´K4¬ÔŸË¦t©»…/ŽS:UGO6.—ŽZçp*ƒö»-s»iNœ"¥;ýAŽÕ;‘öf²>VõsåÊ×ÄšJ[=O†tå•/
¾¥ËsÁÆþ›—xã#æÞ¾@!ÔÍïîî¯DÍECCùŠÍÎù¬àûÝìp°W-å+'¢øö…'1-gõì£q§Û×?Þ~öjÜíé\åié½OrÒóãÕ8ë”*KÂjáùäOJûrdèDô	ßEœ@âÙÆþm Qà;§„'ÒGOø:ïÞ=J¦£Tdx-Ž·‚‚éáùòÏ9Kq¾2º=Ç—Bò©u[HÛslÆý®8a×t÷Æ„¹KaøÎê²ô×ÀÌߦaËKë›\û6üáœ4þ!s—ì¶j§Ûeîú	¹ù¶]Ö|è8à=_xʃúI”h€bLšS·Žpií_þÐU޶ᾔnŽÓ®UÄÑþ±ÐÎµêß×Q¼åãóƸ.¥ö6„¹ùþu ÚÅW@E»$&¨¨8x:ä'ëØm¦]ÓÝÛ
+®’Hòìà=Ûµk»©ýÌ,·!z÷^-º­]÷c½*ÚðÊdá%…æf‘oËv`á±óšÂ2£´y|»Rwt‰Ã‡¡zx®)ïf‰ê^ßJwU‹EíU­ì\Õî3ý»Þ-2ÆøJŒo+—S4¾}×µ¯².sâq÷ˆGÒ¥±{¡6ôl0¤È›;úIõþ‘9N}šŠ¼¼÷.N(œ…,>vÅîíõ±èïÛngendstream
+endobj
+1656 0 obj <<
+/Type /Page
+/Contents 1657 0 R
+/Resources 1655 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1631 0 R
+>> endobj
+1658 0 obj <<
+/D [1656 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+546 0 obj <<
+/D [1656 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1442 0 obj <<
+/D [1656 0 R /XYZ 85.0394 752.4085 null]
+>> endobj
+550 0 obj <<
+/D [1656 0 R /XYZ 85.0394 542.1781 null]
+>> endobj
+1659 0 obj <<
+/D [1656 0 R /XYZ 85.0394 510.0725 null]
+>> endobj
+1660 0 obj <<
+/D [1656 0 R /XYZ 85.0394 447.7453 null]
+>> endobj
+1661 0 obj <<
+/D [1656 0 R /XYZ 85.0394 435.7902 null]
+>> endobj
+1655 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1664 0 obj <<
+/Length 2603      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZMsÛ8½ûWèHU",>H€˜=%ŽqžDVv§v2J¢mÎJ¤F¤äx~ýv£AŠ²eQ±=[ªT…`£Ñh¼n<4h‰‡¢i¦­´=cCqõ&óÞ»¾'Âëj¥A[ëýèäçÊô,³ZêÞèºe+f<ŽEo4ý-Ð,d}°Àƒ÷—l #\ú&Þᣋ«ÑÅéU`m,ƒÓŸß}
IK·’Ä?ýåòüâãס7ðË%‰‡gçgóËÓ³þï£O'g£fíE
+®Ðû?O~û÷¦°ÖO'œ)G½;xáLX+{ó“0R,
+•ª%³“«“/ÁV¯º4Á™TZî@Mª]¨E–i]ˆÚt5_¤SX–ŽƒªÀ§
ªÛ”ß8—3ß.é$CiÛ`|ïG6À“‰Ödf3BGà"NSVI••U6)Þ(
Ùòݲژ9jÞ¬–0²Èi®bmˆ–ÒQ0"7mP€KRÈJz.û"ÒyQ¥³{RJ&“´,³1MÝH¡™Š4à'³Q$ݬë,õXî![~“xr›äy:£Î»Û4'ñ„³œÛÇx3åâˆ#MkL:OóŠæqËC·¶‚9uPèÐÑGðAoOPøÆ#^¦é“¬À),¦õ-ozÔîÜ°-ý=©WkáÚ®Ò‰wÍmA	ùÿÐ!‚á–;6@£ÕáÅckè$ÄŽè
 %7Qo ¢Å2°SûÁ9÷)ˆ<ÓÎx?Ïv¦8‡¼™
EèŒ5ëô{E­ëb9O|»|`÷*µÆéM–{é]VÝR+¡Ç,ËÓ·uó¿éO;Ö~ì‚%½)úšgßeu?ó–«lž‚Ö|WRó4)WdØH¼É2…­1­_²|â-|JòU²¼'eñÖ‘ß&a
Gîá:8/f³â.Ëo”âwëb¦¬ŸZn¯Â3!•2õÅ5=·¢
+Y±ïƒënÃbC¤˜lr»moŒpS,³¿ÜÞ‡‰ï˜¦åd™çë”Ñâΰ²µ"Êæ²½_-©bŸT¤~™ÌëM’.׎¨wdhïÉ#JS·
+ nÓò[h¤ºL•Ôåà…':\¢ÇRi3t«$Ë)pðN|)Ìv4œÑU^9g¡sÌV^ïÚÞaZîiVÏŽy•Ìè…²ìÊ¥æCXÜ9ÖR0MœfI²dd³d<ó*Þ­Ò=¯ÕÆ”ë묺ï!\¸:õY
+ê·É:%YB‚z…Ú"îÈ2Éò¢"iy[Üå$sG6õøp¡IŒÎ Ö¨¶âK3\- ^+\¯Ï?2š:ìWd˜áM´Î¦yÉ»c4l¢²}¿>ûpy…µw{Ò:dOBÚröµëo€4”Lh!; 
#f€Ók¤Þ'SÄå_î.ä³Ñ]ååj±(–¶7µàà-›oBÞZÌC®8“¼‹s <1V6GÄèêâãóav£È‹¯‹£xMEÌ`Ig­”‚ÅÊD5>€ÄØF?Z¾qfrͤL¢Ü²8–ªE/JÎ,_'³lºùH²ÉÖú“Lö
ôev“'•ÿŒ¼ûÖªŽ{aC¦BíÇ^XÃ,ÜXZ8ýŒ5q0ìGQ€¯qpc–?’ÌmW—D,™Š£ŽbAij†ª¦w«êöËò~˜þ÷’8Œ‚á׊;U,3¼®ÓM玮œfët“¼X¢eéj/î­q"ÎBÅ;*
+aBÆ…®+ŠI{		¸RUkPŸhËÕ#4Šá>ÝEZ‚‚ê…_¯—LAy6üúëù°ÍÿyýÇÎe’—×õg§H¢Û×GÌ¡fhv`9®©„øº˜&UJ¹ª¥xAÒ
ï‡û<™g_õ:/Ä·åúç®
+Y¤ÃŽŠB(hD¢®(ðC!~p*PÁÕ»¼<„h‡°Lójt-§Ž:)™æ¶kßK
æ´hP¹;Ùr•ãß¡HÌQßbÊÅA=¢•ƒ?‚iËÛ#Þï‚3…]5™7â”ÿpîý„ÐfËÍãMP3zû±ä’É8Š7ùyà]á	,7wƒý¶œ;^cÍLW2Z°¯¸nP9ôþú~/°ûqܸøRq=¡ÄŸC2%Ä®Šñ^'ćþ.só÷Ð@ÍËÝ¿8“Š”XÉžŠXè?ðZýŒúœ^«åúÿº€Oèendstream
+endobj
+1663 0 obj <<
+/Type /Page
+/Contents 1664 0 R
+/Resources 1662 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1631 0 R
+/Annots [ 1666 0 R ]
+>> endobj
+1666 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 732.5838 145.2431 743.9759]
+/Rect [55.6967 732.5838 116.8967 743.9759]
 /Subtype /Link
 /A << /S /GoTo /D (statschannels) >>
 >> endobj
-1652 0 obj <<
-/D [1650 0 R /XYZ 85.0394 794.5015 null]
+1665 0 obj <<
+/D [1663 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 554 0 obj <<
-/D [1650 0 R /XYZ 85.0394 718.3947 null]
+/D [1663 0 R /XYZ 56.6929 718.3947 null]
 >> endobj
-1326 0 obj <<
-/D [1650 0 R /XYZ 85.0394 695.4159 null]
+1329 0 obj <<
+/D [1663 0 R /XYZ 56.6929 695.4159 null]
 >> endobj
 558 0 obj <<
-/D [1650 0 R /XYZ 85.0394 492.5344 null]
+/D [1663 0 R /XYZ 56.6929 492.5344 null]
 >> endobj
-1654 0 obj <<
-/D [1650 0 R /XYZ 85.0394 467.9557 null]
+1667 0 obj <<
+/D [1663 0 R /XYZ 56.6929 467.9557 null]
 >> endobj
 562 0 obj <<
-/D [1650 0 R /XYZ 85.0394 360.5123 null]
+/D [1663 0 R /XYZ 56.6929 360.5123 null]
 >> endobj
-1655 0 obj <<
-/D [1650 0 R /XYZ 85.0394 338.2011 null]
+1668 0 obj <<
+/D [1663 0 R /XYZ 56.6929 338.2011 null]
 >> endobj
-1656 0 obj <<
-/D [1650 0 R /XYZ 85.0394 338.2011 null]
+1669 0 obj <<
+/D [1663 0 R /XYZ 56.6929 338.2011 null]
 >> endobj
-1657 0 obj <<
-/D [1650 0 R /XYZ 85.0394 326.2459 null]
+1670 0 obj <<
+/D [1663 0 R /XYZ 56.6929 326.2459 null]
 >> endobj
-1649 0 obj <<
+1662 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1660 0 obj <<
+1673 0 obj <<
 /Length 2927      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ[[sÚH~÷¯àQ®
-½}¿ì›Û³žš±ìÙšÚ™yAN4ˆHÂŽ÷×ïé‹DŒ!)Wª¢V_Oç~„IÃ?ÒICMOŽ&¢7œœàÞgûé„„9ýfR?žõþîä—Lõ2’ÊÞÝC´—FXkÒ»ý‘HÄÑ)쀓÷W×çæ´ONnïNOÎìwW·wWnOûÆhš|ø×ÙÇ»‹Ÿ%£…¾',ÿps}yõÓoƒ°Á͵ï\\^.®?\œþu÷óÉÅ]{ø’3Kýד?þ½Üõ猘Ѣ÷/chorÂC‚3ÖôŒOnO>µF£nihœkÀ
-é+Ž%[ŽõG`864¹Bšbµrj_¤³;R˜¨1mù@IÄ©á–Fõ”0H2Ê>•Ï·óá0«*‹¬`Ñ
-¢
Ðj8ãæγ2ϪÓ>3&)O‰N²j>®³ÑiŸcœäS?’úGå·}˜C÷´zÊJËàŸ:¹û’W~å$ƒA{>Ô'!¨;±þ’Y²ä+ýì›O_òáÛ¤†z^Âj7–úÇõÍÅ`p3ð/ÐY1­ÂfOyý%̯»NgiUÑB%Å4ó@=´e2 ßéo`[â\œ3
-užpnÌŠAˆ Üj#úíÌ@¥× a1ŸÖ–$+ãŃÎ<y1¯|ÏcVVy1­–çEºƒÖÔs¤Œ"½Xœ“PÎÂ’‰Î/ß²Y±QèJÅ™‡]4!²‘ù³yýålºÌ[¬–eÞöX™·Ïö+ʼNëü1]‘¼oDxAûah|O€¥‘ˆJ£·#,AZHÞ |]¤ã>å 4·×é1Ÿ‡!_êXÐS†ÌV?²¶e³b#ôŠ"&Ìá–Z!ƒIkÐÙCV–éx‹Îù
-ضÇYôv$lêz–Œ¹0¬1…0´j
-»ÌzáµÁ0*ĵÄróe°PLøÙ؇1x!3L ¸ë>[6+6ÊÀÂÃÛEFa›V[¿•e•Õû¨'U«ê	=N=á¹ðÀ‹i·•ÁCkZøç(­SÔ%,^²ˆY—,×ieÉ=;e	°–µNvºñšŒ!®Y•%»³•û\–%Û²d»úŽì>à5f/¹éWÛ‚‡	Æwu
¦w¹
-
*Z×p‘å$–¶†qÂÇLR¸™#·Ç~3èþc:…>wjÓéCB¼ª&¿·óÖåÖïüJ¹-ã{¬
-®&`þã7‰cùiaRbŸ-››—Ø›í¨	Îg†6r{>ŸóaZ[fS&’tì#·^µÅhúZ4Yµí´®³ÉÌ»;§ðÏ…´†5÷óÚ7FyÕ_–›¦‚1_’ Žþ™}Ë«:Ÿ~öo¶ŽtJ’gÿæ£PÛrÄÙF•NBëêcØh4
-Â[½ë’ØYQÖï€8ÆÛ*5ÉÕ¹ëƒD6Ãõó,ó£©U%;:§UúÆþ˜tôìÇî3G¶mz‘-ú]çÛªQ6“¦­H©.S_÷ìÖ2°úRJ9jùß¡f J®¥^voP°-†.ñé¨Ê‰õaŠ²Ð= Zò½Š²ÍŠMºÇŒ‚ÅxGàÆ5ìY#Ÿ—Ål²¼SÝ‚w±µ¦°Aï5àÌ¿mÖ}¨ÆxC£uЭZR »&ítÙ7+oþ8F“é|rï6aıÎö-4ξEŽÇ/"0îi„FÉUÅö
-)¨l4	ð I¶Ói’mMZê{
-7òoÕü¾Êàìi=~Ws;h¡€W'5OŸm47·m{sûŒv°‹›v6Õh_¡‹Zw0•¯pYãõ'¸Ê¬ù5:XdèeÕ°ÌgM’M%R땨ÁEW–¥÷ż^5K›€š‡ŒÄ0êÒ?X~îùÆ úFÓÎïÇÖ•w}ß­ˆ/‘¤!|µúŸ°ö±¨ÕAÈRõbm7K@	€(xdК_°NèëÜv 3°‘«ú²ÉDq‚ `øqÙC0±òp«ý]†¸¬íŽ€yÇ”¶‰¦-ŠÌËl·#¸æYS*E‡0)“·Ü3ÜÆB61Ì[`…‹`pCq–`¤$o¬ËÃFêúíÌåh¥ˆ“9˜þea°#a°ã~Â`{@úZè亨³µ”¥7ï4´QpB5'ù¨qw6?ûÑÖoÞ§Ãÿ>¥>#òCÃb2Këü>w†¡yýì³ro¥]~îs´Õú¡MÊš[Ú„	S¸L9IÇã°Cê“¢ñaöÍe\Ygø¹lœ„RÍ¥+ÿVÍ]­´êò¶N#I#HöÛ˜K[ÿî`+Pë&DìöÄ I•X(wƒ ‘€B)¹š¦6Ü"y*æcç÷qUøÎÉ÷åÓ:ôÕÞÀ	›XÔ€gGb¦¿s%±ækA‡ÕÜìj[)Â-U¶9-j߸ÏüÓEAðœ8ÌÁC$9$n­Ó´:tNý´Y™;ÙYçÃl‹Å‹lɱ,ÞñËÃ,”2œl·x¢x9´»öïå ûzn¿»¿ ôCWµuÉÿ¹õî»R™N«/þðjuvœÕ6¬Û„gLéÛ­ƒ#ÍÌ85AdÛAôÛl	uùô‚\ÂÏŽë¾à#XÅÆn…rAäÛý¦M¥@Z³•<*
â
-ó%(«Ù+±\|Û̈Î7Œ¦€ð“j¹M¡ Á¼yxÉ—}ô9†ì/zìæ´Ž¡öÛŠhDëFBh£ØŽ¯¸”´¤è/³›`îa)=eoü7+”a„‰ÞkSÆÄÜÄùZq¬^(~ao>¢íÞ»7%RÁ÷>},³2ûz†Þ\þ
[׊%¸ýåHˆ¥'•Wyk	Ï.D÷;¿ùÜù#RXÃ%]þ
é«5dP"m8¨€sÇØø<ª&¬U¨ÒˆkW™µ¿bCDÑü>–]éö‡»ÞŸö	Æ8ùOsý
-ÙGMÓé0tÜÚŸdUÆ®~hR’¦€(!ÿõˆù¢ßá2®ážŠí‡a÷ª†|DMj/Õ'¢[Nª¡Qœz	`…êÙ
-‹ÈÉA|û<¹/ Ãݢɹ/ÕásWŒ‡Ê‰±«gF·Eˆa­¿0ƒéMÒÖBA88*ßçÏ7óú‘wXê,x“Œ^}„IáÇun3åÆ TÙ´F›ÑsdÉ7žP6ßkD_ÁN¾;ùì"ªÞ0v`å¸r;v†€!§4‚îjzÔ…/YþØ´F´½ašóí*˜ÒøÀCDïeF¤@rL%ƒH]°íJ…ˆ &B°»l¶àÂvÿ©x#ˆ>˜ÚbDÞñÆHQ©mñûW&ß5po§ˆ¾ôOn„ÄXqM»?´!Äv/‹›‘kñ!Áˆ2I›Yéÿîr`endstream
+xÚÍ[[SãF~çWøQTŽ}¿ìÛd€,©&†l¥6Ƀ°ÅŒ²¶å‘dö×ïé›Ü¶eOŠâ¡[­¾œþÎýȆ?2Ðafø@Ž&b0žàÁGx÷Ã		s†qÒ0õýíÉ?.˜d$•ƒÛûd/°Ödp;ù={ÿ¯wnÏG§C*p&ÑéPHœ}yuæGŒoÞ__]\þðëèÝ©âÙíåõ•_œÎ¯ÞŸŸÑÖód‡°öæÖ.
++on/ßßœþyûãÉùmwô’3Kýç“ßÿă	ÜõÇŒ˜Ñbðcè`vÂC‚3G¦'7'¿t&oÝÒ>Ð8×€U€GŒ’=Çú#0º\!M±Ú8uh0à
+ûQ˜¦1í¸@I 	IJ$eŽ¿ÔO7Ëñ¸h‹
¬`É
+¢
P
+ø`?wYÔeÑœ™1Y}JtV4Ëi[LN‡㬜û7¹o¿íýr†çÍcQ[f§”ÐÙí§²ñ+g¼´çÃACB‚ºÛO…e%Ë>ÃÑO¾ûø©²]hh—5¬vïrß\]ŸF×#ÿ]Tó&löX¶ŸÂü¶ïÔi‘7--TVÍß	ÔC_f£òƒþ¶7®êÕ9“0ØV¡…[xpSvPÊ@
à6;¹0ìf*½þŒ«å¼µ$YQ¯î}»ðT<”Õ²ñ#EݔռYŸ—èÚT
+Á"œ‰A*N¯“Oζìp~þ–qÅ‘l($öЄÈ(ñï–í§wó—H¼Ej]â툕xÛæ°_U—mÞ–EJ¤}'¾+Ú_‡Å·ƒW„T½_iÒBòˆïU•„‡&d7Wù1ážW¯Ã=½Ô±€§™½dk˸bðŠ"&ÌÁ–Z!ƒIgÊGÅ}Q×ùô%¶œó
¨íˆ³åÝ›°©Y3ã°háÕ¦ì3è•gÓ“¨×RëÝ—aÀ@Ád˜øí-aÊ×±w%1L ¸ëK¶Œ+vH€Â¿ûFY›NS¿ÔuS´/QMª6UFœjB»ò¼«iÎó†•ÁõBo^ùv’·9ê/WÄlË•´’äÚ^Iäasï¼&p˜+A6%Éîl%Ķë’dG@’ìÐБ=$¼fÀê5÷üÕ¢¶bãëÄâ:
+Á>Ó‡œÕˆPÑ9…ˆõÁjüûâTˆìÝåO€„Æà.òrz4×`íáù_þ´çäÇõ¾äx@Š„†Tj?ÐD"¢pç.®G?ƒZ@¤|ÏA{Ž…oØ{¬	ÉÇõ­üh¾Uh¤b쬘#J‚6[SùÛÙõÏï.!%Wx~‰›%lÓÍ’àfáMÜùÇàR¡·WgúväJ=†P"†µììचåpê6á”rªÉßæRS&¼U—
+Ð"ÕC'4€¹^a㥃År‹²ltñ8ùå…¢’\'ù²ñòÂ|>l;MQ?¸tÔV¾]õ}UÏRY‹„ôˆ‹=f²ÊÍœ¸Í8ö›ÁðÓù$Œ¹Sã ñF ¨b>oçmK­ßù+¥¶Nï±)¶Œùß'¶‰HË?ƒ”/Ù2®è[n`gv 
+$8Gœ¥öl¹˜–ã¼µ¬¦Ld#x‰ÔBBÕ•f ë+7Љ’jûyÛ³…w*vNåÛ•¬†5wËÖw&e3\—šXû!˜¯=IFß_ʦ-çý“­’ìÉ?ùØÓöq¶Óä³Ð»ü6šL‚è6ßõÉ뢪Ûï€8Æ»š5Ù噃Ô6¯Û§EáßæV‘ìÛñ4oš06õÇä“'ÿî®pdÛ®ØjØw¾­Ð8iºú“êÓ8åñum¿ŽÅ—RªÀÈIÇÿ%uTÝÌNÉìÞ <>6aÎø:ŸŽªz‰X¿NMVšDKþ¢l\ѯyÌ(XŠl\s@žu‘ñY]- É•-x[ë`
+;ôÀôÛé\‡Š†:»€>èÔšúØ5y¯‹(¾XióÇ1šÍ—³;·	#Žqvl¥oö)q:~Ih„÷žFè‰ÜTk¯Ž‚ʨGr=²ƒNl'èÑÚØc¸‘j–wMgÏÛéSßÕ¼’;ØA—¼2	@(¶>Û‰7·}{sÛ&;ØÕMûN[†Ê³/ÐU];ÆW´,ž‹)Äg>ì^UªéN?	i®¤&jæ´„7ÃEÈO½…ê©(wëÖà·XöeÒ”D_<Ë¿Ÿ{ÄìÈP“ðjÑzÍç`ºþÀ7…5¾F{£“¢×å"&ÖT"%¬^­E.²¢°,¿«–í¦¹`üš:8d"†Q—6ø—õÇ¯1Ýüaº`[y·÷Ý‹xJ’]Á°Ñk$mŠ³zY3Æ[»YBJDÁƒ [€¶¼‚t2@ß涅ÜÔ—]&ŠáÂß—7+_o³¿¡À)pWûÝãŽ)íL[YÖÅa7p
¬³†TŠƒ0)³{·Ü³ÛÆBÆøæmÇ°ÂÅðrG1–`¤$¶å~'uÃnæz¤E3æXÌÁ𯋂}³ûÞÏcAìˆÂP]UmñO¸–²ô–½f6	LHæ#£xbõPN¢³³	ðôÉ¿í¼æ]>þïcîs!ÿj\Íy[Þ•ÓÞ´lŸ|6îm´ËË}v¶Y1´éX¼¥M•0…ËÔ³|:
;ä¾™UуÙ'—k½1àÇ:º¥â¥ÿÔ,]½¼éó¶:#I$ûÌ%¬õ°‚'Šuúú}1HR%VáÉÎÝ @$ NJn¦¹
õ…È«åÔy=ÀcÚT~ð@òcå¼
c­7oB¤ÆEðì›”éß¹BX¼ÀVÈauÇ]mo%E¸£ÊvçUë;w…o]íÌaÎ y(!Ùpk¦µapî§-ê|ÜËζ{ì]bKŽeïŽ]¦`Ÿ”ád¿½£¿3ÈÝ¥»¯GÅç3û}ýa/˜¹¦«EþÏ}”w_‘ê|ÞÜ{á‡G«±Ó¢µ!Ý.4SJßjÕ´if€©	â × _Hܦ‹Çgd~vZéuðÁ"F;¸È‘oõÛ5•iÍTï¨4×a¾d³øJ$W»^eBç›ÅR0åµ<€¥PH`Ö<8€ãó>ðœ=AÎWŽ=rËØÅ0ûíÅ3¡õÍâ	a³QìÀ×ZÊZSñçÙË(_`!=eoúW)”AKôøšÂ•$æ&•Æ¯Å晢—öfÁ#Úî|ÈYCÚ!½JÀû>Ÿ|¨‹ºøü½™ü«wî<Gp÷Û=G×T6eg
+V)Î$÷;V¿æ<øóPXÃ%]ÿuèW-ŠdP"m¨€s»Øˆ<©lU âDšÚÙÄþ6HˆqDüå+ü¸ò¯ì¯h!?ŒqöŸ.Îúò¶˜çóq¸±?¹j p
\}“
¦¦@œÃ¢F>붌k¸§b/ðU$QºK
	…ˆ–“•*A@”Ø@âcK*&‡ñÍÓ쮂¤”‹fg¾ÞÕ†o[kE#à’ é!¯#ÜBÄ°ÖߘÁô.q[aA8¸*Ó—÷O×Ëö÷ØÑ<& —`Røù_[Úì8š”¦˜·h7|Ž.ùÆÑ3„Âæ‡ÀÃ`ˆâàÉç€'¿¼„¬7:®„<ž!`Ì)M°»œ¿JîÂ׎¢|è		:âÞ0„
+MŠù•A$ä¾ç!˜Ðv\É1”BuÁ ("‚˜ÂþrÙ‚sÜýçá(új7Š	}¯ŒŠ0FŠJWöAÄþIÏ×<8(¤Ïý—šÕ?q–\ÓþÏ"]à‘†ÝËâfÔv”¨‘д›•þhjk(endstream
 endobj
-1659 0 obj <<
+1672 0 obj <<
 /Type /Page
-/Contents 1660 0 R
-/Resources 1658 0 R
+/Contents 1673 0 R
+/Resources 1671 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1628 0 R
-/Annots [ 1662 0 R ]
+/Parent 1679 0 R
+/Annots [ 1675 0 R ]
 >> endobj
-1662 0 obj <<
+1675 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.1296 409.1267 384.9596 421.1864]
+/Rect [333.4761 409.1267 413.3061 421.1864]
 /Subtype /Link
 /A << /S /GoTo /D (clients-per-query) >>
 >> endobj
-1661 0 obj <<
-/D [1659 0 R /XYZ 56.6929 794.5015 null]
+1674 0 obj <<
+/D [1672 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 566 0 obj <<
-/D [1659 0 R /XYZ 56.6929 172.7706 null]
+/D [1672 0 R /XYZ 85.0394 172.7706 null]
 >> endobj
-1663 0 obj <<
-/D [1659 0 R /XYZ 56.6929 147.65 null]
->> endobj
-1664 0 obj <<
-/D [1659 0 R /XYZ 56.6929 147.65 null]
->> endobj
-1665 0 obj <<
-/D [1659 0 R /XYZ 56.6929 135.6948 null]
->> endobj
-1658 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1669 0 obj <<
-/Length 3081      
-/Filter /FlateDecode
->>
-stream
-xÚÍ[Ksã6¾ûWè¶tm„àý8:3vÖ©ÄÎHÚTj“h‰³F"‘²3ÿ~»	R„dJ”b¥Jå*F÷‡F?
(ü±U„
-'ÆI¢(Sƒéâ‚>ûï/XÝfØ4†­¾›\|{#ÌÀ§¹LZ–PkÙ`2û-ú🫟'×£Ë!W4Òär¨4¾»½ûèkœ|¸¿»¹ýþ¿£«K#£Éíý¯]ß\®ï>\_³úË€BÝw<ÁNuÏñäöÃøòÉדµ¡Œ
-äþÏ‹ßþ ƒÈúÃ%ÂY5x…”0çø`q!• J
-ÑÔÌ/ÆŸÖƒ·U×.Ð$e„q%Ca‰TÊîÖAaغÈqJm:dÂ%ƒ¡4¡P\OgÁD0)ˆB
ŒrD.ª™ß_ݯʉè@t\Œ’FÁ†·?C#íý•/ü¹J–iRøE’•dc	 ­ù dí}â
-i‰EÁë§DPJBU}JC´1,DP‚ ~‚k猠à„	%ú g®æê×›Ñ(ùó(%Ä>¾´¼d6JÉ¢Lf{ðóŒÉsÇCKKy~\ Xv¿cTðxüÆÎ?j	ç½èXÆ´åo¨ßíÑðµ|1zÚiµ³=ðiçˆUZnÀwŒö
_ÈØiñc'ÅÏJ"˜ìóÀÚâ(óø×Çåx5&EÑàÿò,ñ°•Ë8+“å_‚“Ù^H^ÏY%
'B¹¾­"NjÖ@z§óâùäö‚py*0Û0²/.Å>†š­¸ôïõjaÚnf0äšYƳoâZA5±Ü˜/É	W|GÐÝš:ðÆ’WÓ€<#ârÈ(…ð>)òùK3ã2.Ó¢L§õD|ÈWY™,‹í™p²‹²Ž(ÇÍAÁ<¨Ž„©;
-³ÎN
ô„ÀË3T"Ma‚ÜÊ…ÚÈ)Ðye8YÇ£_ùü&Âñ*#²5’u½à’G“bºLŸË4϶‘TBXVzŽý>a5ªäéñÑŠh»KÛÖø€.sm}´ù	bî¯èÇ•Ò:ß¼Î>u
-†šDAS·=ÈÞ0wZÙ鄤ÕpÃ{T|…°€úhõñÌ­JFL/~R{°>Þ÷œgE‚%©6ÑhtŒzçäIaÕ4I_:|T‹fËéÙ‚	¾Æ2m{Љ$rM}šú½h¬žíâf†XÍLœœ)­Fï~ýxÿÓÕíø	!U4‚ßýp¶ŽÀ/àílÕ‘BPIµêÁbéDí}¯G¸çøËÍ¥RÑÕí ”ÊÊh´#Ý{C?è›—Øû@fÏP€	^³w-!Jï®oîG?]ÚÊJo®—Ë~ׇ/dí\׳„8ÏÈ=ðA­,÷Îú¾|J–€Y¾DMd,`ÕÍ×,+óåQæ1dõlµÑÀS²4 šﺯ?ÞéaK›þN¥ðµ‘Ï×6Ÿ\Õ¾gˆ-ƒ§ÂPA2gŽ:vhzìÀQ­UŸJjF Eöû§´XÄåô	Ò)ð×Wϸì¶7ìÛ6Ûz9„Ü5š<%þÌ…ïwûñ›·þUe“aú†¹Ÿ )Ò,Šg³ºS4„Šâlöm~‰´ªåSÝr‹vU·Mí9_–¾4Ë“­ñ½'Érlv#6_Ÿâºò5.|!ùë9™–^de#T9/6¼«A«¢.=TïL¤„ÿ/»„¯¨;Í’ß)åY2ß,zøê«QT?cálÈé­åõ„Uƒ¿V6ƒß(¯RPâ׈4&OiáÇZÄõ`ÇðŒ3ÿ"Ífé4Vlã–x=ª6Ù¯òÚj¡åþûÇ4ž>Õ[>ÏyZäYš}®”e²xÞ“Œ„šþ¾¥óÏY4èyZÏZ¤ŒX§½A›\2ð	ËU6A‡úWáäÒáJ³QÓã}AtËï¹úa5dn²'#€’“Ì۷㨘¡èl«r/ª¾Â6KæÉçÕ÷8.ÏI#¡«Ó=HCœÕ¼ÎíJt˜”cpì3|j}¬‡®l7ž“åc¾\ìÒ3yÖY‰Ðò5Ù“•­	Œµ¨\=t[ä×ÅاYæ³U³[ž7M^6†5ÏJ'Î÷ p~*t…‚4RC²é±]®‰‚Üc?¸JjT°¡8Χ_o‚а£èÐü3NjDÛ`‘bì0ý’”'‚û“Ñ}ufÕÓ|±È뮞^\øíÜmoþˆÑ?s…ž°Ä7Pÿ.-ü›Øÿøzô¤øbÍeÐ8K^ýoϪ¯Duéˆkå©gž.Ò2výĸc¾¶Š~·r=ÊÕNÜûá\¹LB.!úœ	³„3*[åšà¦@ºHòUy”,}Ÿ} ­½£œhmûÕ„7
-ÿý|•Ü$6㦩0BFãñ×â¨}þ*c@5mÃþ:uCº}L³—üË^‡0®Û
-\CL.z
-Ø"(e[ë£Ö'8dþ\5˜K èÙöâ–!¥ÛÖàÃÜÊ¡š»÷<»E5àølQ…ÇÒ¾tÒá¹ÙVÛƒQÕ'D5àøl„6¶/ßáÊ)¤Ï!©rÈx~å3è~P?ÞÇ×IH¢x}¤Að.ù|ˆFº
M„b}V%ã/‰¯M3Lƒf€õ°+Þî€@¸÷¡õª05„rÓç³%š	·1‡™Ö}JÜkHæNf€¦rÇŸ5]º!tŒ$í1ÌY¢•õþéÓòku8™dÙ™äúžZ6­öJETÆUÒ„yZæóEŸ•¯²YÝ©ºÙAዸk<ºÆ
¾¢>³@*žJ}kƒtet×18À·ÛÁ\âU©f§·[ Öu“â9™¦˜÷![ùuÁ¤ºËvqVeŸøþqT>ü„©è6óýê}jÜÇkÝÖ¿ï‰cHƒ’¾•?[`LmÈj$n€¡€i4X°ò›g¿µÝwȆkŠÃä[ýʃ‡¤ëfÈ!ëYÂp¬™†o:„Ô„Y)wËhñðFéÊØPì“ÑBvª¥Ú”‘÷Ë)	è!]Ò2P	«r—¸’ãF{Bq×{Ä•\.ÜwÑ!®Åë×fS\¿X¤FcºÚ§ÓoϾ…VÈÓ°¦Ø€b‚pÃù&išC»‘úó³!Fo8mžy#£lµxÀCmvÍÖ­/£áק¼HüûÐú—q³†?’ò5I².£&MZ³\‰W5A»4'Æ	~pkŠÃd¸†p†ÓÚ4CÑò§Ã?†ú·e%Yå:l7Å«¶ÍTt²é|U@¸T»gv³.
4DKÊv[£‰3ô@Qb÷íNjp‚Àb‡½1PVhÍëV»ÔOAÐÃx zò×Ñé|žÉnÝ
-*£›|éß­ý„šJ³éO‹øê™ö§—ø"/I–ÖÎ
-*^ëgs>Ûeç$̦6z·¡“¦P˜e&ÀžXîÞoèŠÃd‡¡ƒÄ9ÉÚ‘‘CÚièT+î£Ðµð”à-gêù±be},¬FflS•“¬:OVDÅS¾šÏ°,==¨ó+ü¹Ž4 qR7ˆ‹N|aݵN§_-!d0ÚÇ9¾5ÅaH²_[À¶#WŽäß]«réu@	žD2v0Å
„d‘ÄYm]Ñ&;¡»¬+8·µuåÊÔ‡î6¼êkëŠõ›Ö_®­+¾†°,žûzX€·ê'~ðv.¶¯N¼™Q6DK`v)BhÞïÓÖ‡!É›B1\Ëvä]N$èýý\lš]‰Pb¼3gi¡Ã¿;9ý'œiŒ~Á ‚„†ùëx;¿:áx™ÄQÿŠµþðg»ôn‘ú…wûÍ»4DàU—õ”‹)¯?†ˆúb¨3o'Ñâ=½¶YÀüÿëöendstream
-endobj
-1668 0 obj <<
-/Type /Page
-/Contents 1669 0 R
-/Resources 1667 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1674 0 R
->> endobj
-1670 0 obj <<
-/D [1668 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-570 0 obj <<
-/D [1668 0 R /XYZ 85.0394 627.067 null]
->> endobj
-1671 0 obj <<
-/D [1668 0 R /XYZ 85.0394 601.9463 null]
->> endobj
-1672 0 obj <<
-/D [1668 0 R /XYZ 85.0394 601.9463 null]
->> endobj
-1673 0 obj <<
-/D [1668 0 R /XYZ 85.0394 589.9912 null]
->> endobj
-1667 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
-/ProcSet [ /PDF /Text ]
+1676 0 obj <<
+/D [1672 0 R /XYZ 85.0394 147.65 null]
 >> endobj
 1677 0 obj <<
-/Length 2372      
+/D [1672 0 R /XYZ 85.0394 147.65 null]
+>> endobj
+1678 0 obj <<
+/D [1672 0 R /XYZ 85.0394 135.6948 null]
+>> endobj
+1671 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1683 0 obj <<
+/Length 3078      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZëoÛHÿž¿Â žÎû;кɮØ$M\à»ûA‘•F8ÇòZv²ýïó’G¶l'­“[ˆõà3ä)ÒÃðGzB"i¨é)ÑÀDôò‡Üû
-ï~:!f‰)ÕÇñÉûs¦zIeo|—ðÒkMzãÉo}‰8:¸ÿqtñÉœ¨Àý›ñ©âýößxt3
oNÆhÚþüáj|ví©d2Ð?	Ç—磟¾\—þñõÙùÙõÙÅðìôñ/'gãfé"	fvöžüöîM`­¿œ`ÄŒ½'¸ÁˆC{'\0$8cñÉôäæäsÃ0yë†v*`D™¤Z£¤Kk É(k´F?ŒA]Uþßbé9zt¸Ì–e½,ó:(¥ZÍ–Å¢¶‹,{Ê‘á„;æ‘1½¨vö>ìÜ]¶8%º_ø›Iñ;ÆtVLüí¼X	ßå·yQ¿ƒ™aÚº/óû6?ÇT
@#•´ê³süòéŠw¬„„	‰D¿cðýèê‘Ã5y×ÁW[fÄš­|	[¹‹í€Sº7 !¨:vO[!Å”Jøáþi+D'Ž\åK¸Êgqý2+ÿêâ
-H‘:U…¥PÍûŸª‡¬œyæjX?›M:¤‚”–Ãù§§l	æßÄRJñD’Pí…UóÂAÌ]¯–u9)üÍòÞá§7`#ð²Æ>àÔ³ˆþC5YM;a%ŒÊþhf_HÇÃQÜUÓiõTξ†çÙí4 “¤K"
-<|8LöŸ«cpõ6þÏÕY*—œ¢u(Å
âï-sÿS3§˜uæg›.Õ:\XäEµôï³éÔ¿\;³ÙÑÈŽ8|ýþºø+/æ˲š…¨”ÈÂýYµt…ËrÆÞ‡w“¢Î¥êØSL'h3˜l=©’’>+œ3®‘Âj#œߨ8¼ÖÑÎøqx…Ë8¢ÍjÐ,j ±2Éz‹5)< êp­zR	‹åãù·‡Û
-ì"¹¡ýO‰74ÇÁý91vôZÆÍÛjˆÁ^ÀaÈìÝ[·XÆ»UÁÁ§l,Šªh»dT…dˆ!ÞìuLõÇ䎹“Ë%Ħç…¬@Ù­'Û¬‹f$‰fà;«6ýê~	v0s›™}¶S‹.­º,Qƒ.KT]öíß]‰ÙŽ…®×ß–‚v]ð+ˆ2o‰®á´ª‹-°nn‡LöØ$Yì±ö‘W°‰0°Z{´ØoÌ,jÕ[Úäc9›|‡Ç[ÛX·¿·À"¤¯xíñ»,–ªâ¸#Gµ˜ÖÓpÎX½éÆ?¬f³4X,Š|ù›­•ñwv2%–â@²&”ARPþÖ6;h¯a°Jsp)j{,ëûxbéÈÚvZ,ÑűLÆ‚Ýï%Û_±Ûd›Ø«„THõ¦™Ð‡Üž"¿ÃÑãÎÑcýÌ1q~f—³¼zhîòÆÞþÞsøsf÷®¸™ü„äœp—>’¾ÏÏá>>÷ù9a>ƒŠÉ¼pÉ<ïN–ˆÈÉתî¢•,VºË.D~8ë€Íœµë&î¿Ó	X~€¯‹iÌá4È…!FfD½=¦âyÔÀT2•À´¶t…€.¹‡é6S®¨ÇjW®|âolíE
-[{oaë~wÀÖÖ´Ù[€6–r/l)ìâ¬)œ¶	ŽÛW8”rá¸ÉJ¹ðL¾i(¾)f“³Åâ n-
„ÐÊ™b®ÀÇo
-…öY
¼üœS™ƒ5`VjO§ðj}:U6Öz¶Eç´žW³IÝœH·WÂa­ÔÄ‚÷M÷:(¨ˆ¸ÞuéÅçlLb’DÀºæTgGAâF‰z7@SËë\û
-q•sŽ„0ð©(–ê
ñy]ä/Å'ÅŸ¶9ղᙇZ^”…Ù‚)5]MŠpW¬¹wàÔ§þ*àßVÝ׌ý_ôV¾°ß„ý"PÛàê4Uweãvéj䓶Ho¿…ú{¨¦†¿^…Ä6NÕß>Àn’}ÝSxI,¬ºîšþ?êöDÄ@e@ªݾÝjãR¥یڎkº¿‹Ë48§d&éâŠÐÅVs°ùm9-—Á:Oå2lu2m¤˜˜5äV„iù‰Fc„9ØØDCRÑnÿZÕ6:SÚê3J’¦‘}»¼ÏÝS{:–jÝ?r/ËY×T±
™M°#d20%¥ëõXvYKÔ´®ÂTWóyµpþ±S(Á ~Îè„š 4( ¾¯žf„ …Ø{TqÁ6Ú¿Ùmõ+¤V'6lØšêÏEÚÛê‰Å^Ùmµ
--µ
--b½`Ý»ÃÁ®aV5Âðù¼È[íµzcB›ßF@GˆìA6Œˆ2|Ç·žhRíq‚HåôùÓäúÝý¿ÕʃüPí—ìI:䶚¦ÎK
€n	ûµ3.S(ÃÝT\„º7{÷yU,ÊjüÛ­I›ãr}ÀoSª=šŒTN“£Ï›2]Y“ý2#Q‡ÌTÚB\¶%ó¸z¼õœg*Òöd$™PíQd¤rŠ¼œ/ëM©´D¨Þ/5uHmAûÂOKêU6»Fö\;aw؃´Ih¢^	LܪŠM±ykLv¾QHS«ô+’-CÛÄwQ‡!ói–o'°ÍføbŒt)÷ŸûEàúI{<ÔzGôÙ$kfå´¤·1¾ì˜üÿJ”Áendstream
+xÚÍ[[sâÆ~÷¯àíÈuÂdî—Ggmç8•µ³ÀI¥N’äµjArØÙº5@ ˆÙ*ÊUFŒzzº¿ééËÌÀzþXOi¢w=ã$Q”©ÞxvA{Ÿáݬ¢é×Dýê‡ÑÅ÷·ÂôqšëÞè)àe	µ–õF“ß#M$¹4úáîþÚ]ö¹¢Ñptidt…ÿFwÃÑ݇áeß9Ë£ÿ¹úet3ðT:èè[ªîîoï~üï bðpï›7·7ƒ›û7—Ž~º¸­•dT ô]üþ'íM@ן.(ΪÞ|¡„9Ç{³©QRˆºez1¼ø´b¼-»¶&)#Œ+ÑëK¤Rv÷°~
+ÃVŒ§Ôæ¨}Fað&T¢R™ÕDpLcŠHkzF9¢åD®–‹W‰à½è£¤Aðî òÓôpåþZ&ó4)ü—"Édb…HæpÌF²÷i+¤%ìô®N	 ”„:ª:”†hcX >@ýÉÎ@Á	Jt(1œ¹—«ßnƒä¯£Lûø§ù%³Q@‹d²>/—+‰`²#öjkˆ£ÌÇÞßžæÃåxœE'~ÿ˳ģ¶˜ÇYñ”Ì·0¬ÃrL&{
D=gƒ4œå:–³6Š8©YèmœNOç°Û‹e ä©°lÒÇ®|ûj6òÑÖ«„iG„˜^Ÿ; ³&Ìc·òYn µ‚ÃtIN¸â;Blkœ^!ùª
+`D\¤SHÔ“"Ÿ¾ÖS1\Ä‹´X¤ãj">äËl‘͙̋Ќ!tOYG”ãæ 4^
+"5?µÖNµô„+ Ö¨¯ä™Âu•Õª°@eDYe£_gùô&Ãñ²B²šU»à’G×I1ž§/‹4϶j"
+ëÄAjŽý>u7ª…ú&iE´Ýes+„À¢¹¶>Ýü9÷WåJi
oß&ŸZÜCk¢Nnÿ0î´²SBE«á†w@þN0aõÑêã!„;c+”ðÔ‰ T(¬O;ÁÕ½äY‘ UIªM4c„>LyEØ4NÒ×–hÕàÙHzÆpBܱLÛ<¸c*ä:žú8<õ{ñD=ã%Î±š™@9#By‰Íýoׯîî!b©¢|ï´ét‚lgl’’LªU‚ÛH'ªH|3À}È_o/•Š®î~ÃTVFƒùé”ØúAoÜÅÞG@{¾P@À:B·t†(a|è¾}|¼•Ý—¥MÞÞÌçÝH®:`(Úù®j	yŸ¥;´Š(Ë}à~X<'s@-Ÿ£52
‚°ìæLæ%„ùü(7ŠzÆi(¡’uàiÑÜø0~s}?¤‡-h$ýƒ*Jákò ¯M•¹¬¢ÐO…¢‚ÏuQ÷؉"£l«.³z(}ôþ˜³x1~£t
+b÷õòå€ðÝôâ†m…p³i›}¨i£ÑsâßÁlø~w×ßm3øWYe†EXä~ŠÆÈC°(žLªNò*Š³É÷—,Âå…‹çŠrƒwÙ¶Éí%Ÿ/üÓ$O6Æ÷%Ë‘2îZmx|{Ž«Æ·¸ðÉß/ÉxáUV6B£ójûjä±,ª§Çò‰”ðßóy›ò%wG£Iò¥žøù	+ßžVH;ƒO”—e)ñ«D£ç´ðcÍâj°RbøŒ3ÿ"Í&é8î—bãVD?*×Å/kÝr©åOþ3öãxü\m½äi‘giö¹"X,’ÙËžâ$´ô÷-žoéÕ #Tn«‘2böNmtÉ 2Ì—Ù8+ê^‡£K‡kÍFu÷¥Ô¼ç)„ÕPËÉŽ
+ENN2ïã~Žg`f†bÐ-Ÿ;qõ=¸I2M>ÇhÂÇ!HyÆX	îÀÒâ¬æUµ·ÀÀY‚9„`qÀîç&ÖzðÍÄK2Êç³½Pz!ϼJšC';ª¡5¡‚±—«ÇvÏÜ‚á
+´ûÔ‹}²¬wÓó:µÉµƒÍ³…ϧ{ð
$?¾BAa©ŽaY÷؉/×DA-²^%	5*Ølæã/‡%‰·AèQmþ3IªÈD›Ä‘b1þ’, g„@(£‡òTšÇùl–W]=¿¸ð›½›qý	“æž=ã_KFý»´ðobÿ5 ðíSñÅJÊ€8KÞüw/ªoDƒiÉpjó©LgšÎÒE„îê3éÊ7ú½l¨Hö˜W3qï3…oºz™„ÊBtf	gT6æ5‚t–äËÅQ~páûìƒ-茽åDkÛ@¨&¼6ú§Ëä6$7T…2¿G”õšjST¥ò­½dš½æ_ö–@øóÝj€drtÑXÀA)Û€X
±>)Ä¡ðçkÅxŽ
+•AÇv·œ)ݦ^µÞ½'ß
®ÄgŒ+d;–v@ÜÀ6L÷`\õ	q
$>c—iŽíª€¸²D
+éëÊ_˺2ž^ùººÖëûáðæƒí5ž¦“ ¨Šó½86ž±yJ•7ïÂQj"“k8>|y„»/
+5Ò
+C.ˆÛ{Ûz‹eÝc'†9Ë»¢“DñêâIá}òùtk0š*)Åö¬,Ñ_ßšfXRd€v¿-ÿ@¹÷áõM͘B¹éŠ^ŒÍ„[›‚Ã\ì>Cît¨p'óÀS¹ãÎØê.»@tœ%ípÌY¢•õ‘êÓükyL8eÙÕåêv[6.wRE´ˆËB
+k·Ì×¾V_f“ŠŠ«ê	ê…Â?âžòàR7ÿŠêL¹p»B
+²­+’â%§X¢XPùývÁ”¿ófÿqRV¤øþi
4?ü)	SÑ]æûU»Ø¸i
+!غýßÇ5ÝÖåÀ˜ZÓ!´I,D%ZfÀ8¥•‡ÜVãà¬m¿wÖ_qì‡,·íGp¬™lFF	YȆcõ4|×¢¤&ÌJ¹[G%ŒÆO¨cͱKG€æy]EÞ­"Ô'`
+„´)ËÀ$,ÊÚâY1ƒ.§Ó¶æØ¥­ÓxÐáÖÕµ¨kñƶYWׯ©Ñ›.÷™´Æk6†ï <ÛÚ€Çàq\™uÒ41†Ön#õ‡k}L(^†Z?(ò>„GÙröˆ§ÞÜz5l[Ý\Ã/oÏy‘ø÷¡/ô/ãz{¿<&‹·$ÉÚ|^u‰y7¸ŠXca-iÁLð€[qì‡,ÛÀ«£YQ¡€è÷Ó~
#’ÒuøX
+Z<7Å˹õ”|²ñtY@ÂTçy“64DKÊv¯@iý.S”Ø}»U‡.Àša?àØæmd3èË+ª]Ö§€Œñ@õäï-ÕgétšÉÂnæ
+*£[ŒL›¨	‚¦Ò¬GÓ"þ‚f¦ýÉ&~“×$K«P
oÕg}vÛææ$̦6z·%˜wÊÃr÷~K¬9öC–-–ˆ»D[‘¡„´ÕÏ©FÜKF¥+å)Á[ÑÔ_À†i\,ª#c­03c릜då)“°"*žóåt‚ÏÒóƒ6¿À_ª<ˆ“Š .Zñ•„71§
_‰"T,
+¼š1'À·âØY¶áÒòfä2Žü»mCE½J'!@Wpƒ)îl $³$Î*çŠ.|x›såÊ®œ+xïê@ކׂMí\±}ݹâË•sÅ×”ÅSßŸøc‚í¹Ø¼V±5åncÓ)äû Ê»çbű²Üž¨Rz²šhWDù!`×Ö´î> endobj
-1678 0 obj <<
-/D [1676 0 R /XYZ 56.6929 794.5015 null]
+1684 0 obj <<
+/D [1682 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-574 0 obj <<
-/D [1676 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1679 0 obj <<
-/D [1676 0 R /XYZ 56.6929 752.4444 null]
->> endobj
-1680 0 obj <<
-/D [1676 0 R /XYZ 56.6929 696.016 null]
->> endobj
-1681 0 obj <<
-/D [1676 0 R /XYZ 56.6929 684.0608 null]
->> endobj
-578 0 obj <<
-/D [1676 0 R /XYZ 56.6929 401.8966 null]
+570 0 obj <<
+/D [1682 0 R /XYZ 56.6929 627.067 null]
 >> endobj
 1685 0 obj <<
-/D [1676 0 R /XYZ 56.6929 374.3052 null]
+/D [1682 0 R /XYZ 56.6929 601.9463 null]
 >> endobj
-1675 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F39 927 0 R /F67 1684 0 R >>
+1686 0 obj <<
+/D [1682 0 R /XYZ 56.6929 601.9463 null]
+>> endobj
+1687 0 obj <<
+/D [1682 0 R /XYZ 56.6929 589.9912 null]
+>> endobj
+1681 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+1690 0 obj <<
+/Length 2375      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZmoÛ8þž_áP³|ÁhÝd×l’&.p‡Ýý ÈJ#œcy-;Ùþû¾É”-ÛIëäb‘Î3Ï‡‘†?ÒÓafxOŽ&¢—?œàÞWx÷Ó		4ƒH4H©>ŽOÞŸ3Õ3ÈH*{㻄—FXkÒO~ëþp5>»>Pû„Äý£‹O¾ÇøŸáåÅùè§/×NïG—¾ûúìüìúìbxv:0FSÏaìÍØ
+#oÆ£áÍéã_NÎÆÍÒEÌììÿ<ùíÜ›ÀZ9Áˆ-zOÐÀˆC{'\0$8c±gzrsò¹a˜¼uC»”&˜FBSÕ¡5Jº´&’Œ2§5»P‚øé€`+¬òÿK¿ÚÑûË°ìe¶,ëe™×A…Õj¶,µ]<ˆ`‰ÜPŽ'Ü1ìˆ	ììC°³í<²s­lqJt¿ðIñ;ÆtVL|s^,‹„ïòÛ¼¨ßÁÌ0í?Ý—ù}›Ÿcª
+ ‘JZõÙ9~ùtÅ;VB
„D¢ß±À@ø~tõÈᙼëà+€-3bÍV¾„­ÜÅvÀ‰@Œ)Ý‚ŒÔ
»§­bJ%üpÿ´¢ÀG®ò%\峸~™•uq¤HªÂÒ
¨æýOÕCVÎ<ó5¬ŸÍ&RAJËÀáüÓS¶óoâ)¥x"ɨöªyá æžW˺œ¾±¼wøé
ÃHܘÀœºqѨ&«ia'aƒQÙÍìéx8Š»j:­žÊÙ×ПÝN:Iº$¢ÀÓÁ‡ÃdÿÙ±j0×Qoãÿ\u°¡qÉY úW‡RF Ø(Ç{ËÜÿÔÅÌéfùÙ¦KµyQ-ýûl:õ/×ÎìFGgv4Y9«†8AÒB²6¬ïª…2#ND_ÿ‡.þÊ‹ù²¬f!*%²pV-Eᱜ…±÷áݤ¨óEé†úcŠémsÂâp#5CRÒg…sÆ5RXm„óï'‚×:Ú9?¯ðG´Y
šE
¤"V&Yo±&…8fLô¤(Êôo·FrCûŸEn¨ŽÃ^£@e½TÈMܪˆÁfÈaÈìÝ\·XÆ»uÁÁ©l0Šºhûd£É CÄÙëšê{\s§ƒ_Btêp_È”¡&ݬãIâxÏ*Ï‹º¾[M§ßNaãéƒçrÌúãû²öÁcýÐ2°˜9dž‡l>Ÿ–ç±¸í©¹seïZÕÚÅ:¶Š„¤ä9Qš3Wä£ÌNX%öú1¼.¬€Bk)ÁŠÄ©¦o
«sÈ¡e‰Va_€¨M¿ºƒ_‚ÎÜ~f;ÃŽjá¥u€—%jàe‰ÊÀÁÁ˾ý»Â+±Û±àõÜR0ÂÁHA”yKx
§U]¼ lys;d²Ç(Éjµ•¼‚Q„ÕÚãÅ£`fq«ÞÒ(ËÙä;|ÞÇú¼ý½!‡ÅkŸße²TÇ59ªÉ´F˜²˜€Ó†ÄêM7ÿa5›ý År`QäËm­¿³›)‰°‡26¡’‚ò·6ÚAƒ
ƒYšóKQÛ#aYßǃKGê¶Ód‰2Že3&ì€/ÙãˆÝ6ãpæÄøÐ~%¤BÒ¨7M‡>äö4ù®&w®&ëgŽ‰ó4Û]Îòê¡iåÁ}Ûsøsv÷θ™…p—C’¾ÏÒ¡û}–N˜O£bÆ/\ÆýÝ#ùú¦ªûr†JÕÓ}ýB4ðá‡S¯QÁYûþÄæ÷€:AË!ðuA9œ	ùÁ@Ä<õö >èQƒSÉT‚ÓÚvè&](rê6]®¨kWÓ®|úoníCŠ[Û¶¸u¿;pkï´Ù[À6–r/n)lä¬ÑÒÑq›âX¸}…³)×üÐÙ”òMƒñM1›œ-ki ˆVöº‘)æ®ú˜âÍ•¡í«—‚ãê"s¸ÐJã!^­©ÊF[϶è<—Öój6©›ƒéöJ8¬•šxõ}Ó½J'"jm}ãó¶¦
+1Iš<Þµ:k7¦Ð»ššþXÇÛWˆ¬œs$„9PE¶doÐë"|)@)öµuªæNú<Öò¢|,üËN©á1pãóéjR„V±æÞTŸÿ«àö~ÍØ¿ñ÷ßÊßñ7¿Ô6¼zͼ²‘»t×哶Ho¿…«øp±>þz’Û8Uß|€ý$ûºç&1ý±B躀úÿ¸Â'Ò ¦*ªVíJîVE—a‰45Êÿ€\Óý]¦Á;%3IAW„‚î°z˜ƒÍoËi¹Öy*—a³“iMÀĬ!·BLËO4„ÆÝU¬l®‰%“íºð¯UmÃ3¥­b0£$©Ù·Ëû,Ð=±¼c©Ö¥$÷²œuMÛ˜)Åþ˜ÉÀ””®×cÙe-QÓº
+S]ÍçÕÂùÇN¡Ç9£/j‚Р€ú¾zš5‚bRql£œÝVñ¦ÔêĆ
{·ús‘VĶÊc±lv[­Bu­A‹xi°.ãá`W;«aø|^d‹­J[½1¡ÍÏ$0„lMz#¢Áß‚¢AJµÇ	"•ÐçO“ëw7öÿVUOÀ¸Ø+¼¡êÞª¢J˜%Uº-~ì5À¸L
­5´¸·àЛ"š·Ež­êÎظËny^@”ÀxNª"L!HýlRÍÃ\m4¼tTû‘² ½ðèUwÕÂgI¨àÀ(°icó)[¸ëÂŽIJ gq[Îê®ÕBšn$yQÒ`ZNvbŽ*û9…dû1—RíÆ\Cå0÷áßçÛh#÷%æûÅ6Tr[hƒ Ê`KhùÀíD2vfîøV6å”­‚øúüg[ŸWÅ¢ŒÑ¡ö'ÁÝÊ´Ù.×8¥Ú£ÌHå”9ú¼¥J8Wq{´Û+´¡êÚþüT®•i‹=®*¯ÃõÎ3uiË4‹ºL¨öè2R9]^Ηõ60JÂföûÄ6Tr[Ú´µ·Ðf³‰$ñÏÕvÇ?È¢@ê%!ÁÄ«Ø›·öÄd#…¬µJ¿/Ù²µÍƒu2Ÿfùv>ÛìM1ÆH—Šqïàåøs¿\=i‹Zï"Mrgå´d6çÞ|UØ1ùÿ¦NÆ]endstream
+endobj
+1689 0 obj <<
+/Type /Page
+/Contents 1690 0 R
+/Resources 1688 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1679 0 R
+>> endobj
+1691 0 obj <<
+/D [1689 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+574 0 obj <<
+/D [1689 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1692 0 obj <<
+/D [1689 0 R /XYZ 85.0394 752.4444 null]
+>> endobj
+1693 0 obj <<
+/D [1689 0 R /XYZ 85.0394 696.016 null]
+>> endobj
+1694 0 obj <<
+/D [1689 0 R /XYZ 85.0394 684.0608 null]
+>> endobj
+578 0 obj <<
+/D [1689 0 R /XYZ 85.0394 401.8966 null]
+>> endobj
+1698 0 obj <<
+/D [1689 0 R /XYZ 85.0394 374.3052 null]
+>> endobj
 1688 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1449 0 R /F39 927 0 R /F67 1697 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1701 0 obj <<
+/Length 69        
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
+endobj
+1700 0 obj <<
+/Type /Page
+/Contents 1701 0 R
+/Resources 1699 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1679 0 R
+>> endobj
+1702 0 obj <<
+/D [1700 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1699 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1705 0 obj <<
 /Length 1238      
 /Filter /FlateDecode
 >>
@@ -7471,144 +7546,144 @@ stream
 xÚ•WKÛ6¾ï¯0öä"š¤ÞÝS²iÚ-‚¢h¶§¦®L[ÂÊ¢*QÙ8Eþ{9R¶lÁ­aR3ß¼‡[Póc‹,&4Ì£EšG$¦,^»ºØšg?Ý0ÇÅ!‰£04›™§Af$ÎxºŽAÞ=ݬ>p¶à”$	O›QW’¦Äe‹§õŸË‡R´Zvwé2½ûëé‹Hš¥ĨQ‘šç¹x÷øë{äÎqù$‹¡«ôwªé«µì„®5ⱈ„QÂ^b,I^JØ]À(¥Ë·E!û~„Ѫqó±êµ‡
 9Éž8¤Ð¸Gyd‘¼|&(Dz%`Àb2^~¦1}ûð±7+DzJ·Y¯që±vB%’õE—Bãá^
H¢A¢—îÑÐ"³hÖxÐTÅK#vNÕFuŽôplÃÐKð×¢x)U-g"ÃÈÙuy°DК©irWÜrèN4ýÆôñ¹ª0&KªlKI]Äó–1œ
 ôU³5œ‰éJÓ)HY+mk­p-ʼnÔgJyc'J–…‰#[ZÎÔ|J—¯¥“¶cuø€:vP½ì@:¬#I¸|­t©í`êA›a¶Oºc;;\CëÀÚ-¥@€‹T9l%R®ûT\ÃõhhÈžŒÚBú#!—U«ÀT…ùQª¸á3µUjíDÖRÌÕ#Yž2ljf–€Ä™ …iîÆOLÅd<‚5~v™"'89DÜ	ËÍ4ÝUÚ–0ž‡ç–~ÞcÑ™ÞdIĦù1i„«ÚŠNW>XY»$¶î/²ÑxзJÙÒsÙ´>±–M%êiÚÀ¦ª>ï1}¯>áu`Eµ6ët‹­¨š^Ÿ–ÎqHf²ý³ôã˜+åÜ_Å®­åÔ¦R½"a[jtQµ²«Ýå*ÚÖ“Ý°("vr'šàæ©5cµ2ù¢pGk$ `K`50H@‹­‘¼}VÛ¡o¤îoñ¯: ^«ºFê¹VÅË\—y•¿x`9ËpÓ·¢šš^íÜQ'm4×G¼oœ¾²‚«ȪŸ»½¶BívªàX/{V5T©-Xk&˜ÌÙ/
-ï¡nÿ±ÌQjæ6M§"”Øß*»GVv²ç§Ïs81ÿîç¼âfÆ£HèEÎt¤Ü´=bü~ÎÐÂ’Y’{w{ÌÙÿ}”ç!É
¯¬ÂÜ>à¦AqU ÛzL½.«Þב.ý™¼TE.0im¡»gÙæŽMsç­ð©³ËWb6èÓæ¾ÏRµø.{Tþñ„Y£ÎŽùÙ»Õ±•Þô‹&¾ý\pѨÃ+Ë1âØ	mòÁIpØlá+û7Õ8U·n&ÓÉ·Bhzß:¹èÍ?kЦò~ÜîVÇð÷×äC4û©Û—ü»ùñiü0óŸ[ð‚e>Þæ>Ý> endobj
-1689 0 obj <<
-/D [1687 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-582 0 obj <<
-/D [1687 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1690 0 obj <<
-/D [1687 0 R /XYZ 85.0394 574.0823 null]
->> endobj
-586 0 obj <<
-/D [1687 0 R /XYZ 85.0394 574.0823 null]
->> endobj
-1691 0 obj <<
-/D [1687 0 R /XYZ 85.0394 543.8373 null]
->> endobj
-1686 0 obj <<
-/Font << /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1694 0 obj <<
-/Length 3285      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZmoÛFþî_¡oGÖŠÜ]’Ëâp€›8W÷Š¤—ظ+Ú~ EÚâ…"¾ØQýÍìÌR¤D׊¢Ñr¸œ}›yæ™Yþa$¢D&‹8Ñ"ôƒp±Ù]ø‹Gx÷Ï‹€û¬\§Õ¸×÷·ëw*^$"‰d´¸}é2Â7&XÜf¿z±bùûíëwq0ê+}Jê±Ï›>~øpK½&µ:0’»]½;§)Ršû|º¾½»y;£*`RZEÃW?ß^\®dè×°FßûþF°’„~>]¿¹ûxsû=½ùðþÓÍÛëWËX{·7ð„ã\\ß;5ÞÍÀW¸M_.~ýÝ_d°©?^øB%&\<Ã/‚$‘‹Ý…•µRNR^|ºø÷ pôÖ~:{:;É™ãž9ž0‘‚W¸·Û¢]®T ¼´,ëgn7ËÀxù¦oÚâ)'Ñ—>oŠœß×ø«½nËoÛ¼yÊj?دë=
]ê¾k‹ŒúªÌÛóÁêŠDÛ”ßÝçyECí©ÛSQ÷ËÀkˉ³¢]á)ÀV¬‚@$a(íºÒû2ÏÄðƈ(ƾyW7tœ»šTÒSQ=ÔÍ.íìPà~·õ35ºš~û–?¹zóS;}E“¬»|Ó‘àP÷<ïXÎ¥°Ü!²×dtZJ"6‰³×«»OoÀ\ÃÐc?™­Ž…Iü€û¦ÙSÑÖÍÔ§ÝwôE0öš•ŠÀ
-â$v›“ØOÿ~jÑ‘Zñ"#Ó!¸™µ@zûyáZÿ:Z£û`5þ£¦Gèöß­×ð¯Hûv“7¨›Gh¯÷ýýšEk·ºõÕO+p[ß·I„ïk‘Uíéôµ·Š}9™ÿk.)EbŒ™wÈÕ ñ•‚ÓŠ L¦Ìêó†ð“³>ññ¡×ù¨“c=׆ÃþƒM&XZ(
Pa-Ðo@»¡2±Ãëå*ð}€»mS×lÇi•1"æ]_d3&^&Ñ¢
ù½Ç„ÞÝû›ÿb+bhÑúíI}°ß¾nÛ|–¤ÖŸ@Ú,
@ÉœAZ°îtÆmd<ò„Í–ß;'¥cFXm¼ß¤Ô4ÚÄã@r‡U73!‡œÔÅ걪ë=á!jxœY:‡Î_Vén~£}‘$Cì…hùÒ…P½I+o›—{j;ÆÒ'^\{h»|G/[ŒEw §ûõØ—éfز«‰çŸÒž‚ï
-˜J<
¸äŒü¾þŠM†èçm±Ùr³(Kj•Å®èŽÈmYºK]»®\Hy`ç™DzÅcS»uîŠö…€uUÕ0~¨mðyèq&:ðò´ë‡¦}rxAó{ˆpd›Ýà#8ö`¯‰’v‹Az_”v“­´¦ßÁ#ÇÃdi¾sŠSV“òs_í›â©(óG²ŒÓ@
â=A‡™1_	ˆ¤âЙoO]‰ùb0	?Yç6o‡Ñˆ”Dˆ+Q8µb_­£ŸóQëÜybX¦ŒÜŽ€õ²åÎd‹
-Âeäaq†Ò&B7m_d+Úˆ9wEd¢K7›º¯8\Ê
†Ô
-ÇビhuWñ28<Ý–¨Dž6eAÈ™–wE³©€-é’šÖ9,e9ì@ËòàôÁAÍ$¦ŸnþÕ,âÐ'â	42 fEHãŠò…S	eø*?V‰
	AÛ¥ÝxæUÝ8~¯h˜À`#vOcÑ6%ØÂÆÇï›”
-7Ò g±HŒoÈÂ
Úí3Iœ' 1JŒ÷CýœJ&ßçUF|ú[Êg†"J^aî”-ùÌÙ/)u¢sé.=PoÞGcÙå5´f#æ~0Ÿê±=õ‚i²!$pwåOë?ò¦ž£JÄÉPZœƒ´LU5à+h§Ä(ýš25VVÖ/Tr¤™‹Ë¾gˆ±&¾Ç:ónCô +vsnjº©r°B6¥DGƃp ®(p7¥³œØXþcÛï8™} üÜu3v#9eÜœ`œ»Tâ…Ñ·¸Tâ2‹Šx0Þ¼þ²	)€ÖC8œá "ßhß
¹R`i‚[Òf›V¹“[µrÀG[µ)“-®€pWgvÚ¸2$îœfëê°ƒ°…±Ò§‘¢ùÓÃÀ¡êUÕÏs§£¤Hd¤ÎÖÉ™ÃõÁ'‡Ó?ÒYg°žµ›Ñ#Šóà"ã*ǨÀÊvZI¥Þ(K]@9ê‡þMÑQ&4Wœ„ EßT`'àh³õ?0b€˜0ù3]ôº¸é¾8)%×*Ò7ÚŒ«ö#§j b0wHþÀ%#*Û¿`,Ø*”Õ ~x·ð¯ô®ÏªºRø±ŒLCâ=½ø²„¯“DQ§QÛ®ô¸V°¾ÙÉÅÛÖ³-É)^5ÛEòŒ\ØW‰a|
$À¨öü¾î,EÒŽŒBK($aÃŽ&°kh_Ï`2ð“>c$`í-ý‚­á€<(±÷¾"ÎϘëÛNDŽߊÑöÁú.©”Pð¬'Ô–NØÆ}δLJ¸£”:½­XJièQ1Ñiü…,/›J '‡~ÏôÐämÇ“Út9÷ÜÛôü¢¥g[ƒB
[Vn½U
]ÊÐ#.`ˆ[•˜åsjR¥Ž §GSýk¶^r0þãÍÖ_ó̱;Å"’ãk°IáÛõ<€£ðÇ8Åîí©Ø¬Üí³´Ë]雫ŽRü&eWîöþ«žÜƒI/súí=ë·÷fé†A×Þ¨më¾ÌÜ-}
-ç
G]r[ˆÄ³Z£Ú|¥YÆŽdùxk§YžÞÎUåaŽƒ=[²–(Îi´—Õü¼¥L
-¬ÝÆ@tŸ¶”)ÂöD»4Jy7?“ Í2â§-D	—r=µ·­)erƒ_ [bJ9îF;wÉÞÅ“,‹¡«¦:ÝCϬ”"úXGUBVºpí/)~%¹­´†æÅû€Xè8q\ËÞ¬®ø¨góScûƒËdžÓ?$ã*äb9Šwy·­3žË 1@ã®3ÁÍ!Ïs´½Ûšº¸Ó³ÀŽ5rAÖ2ÉÖYŒÛwoqwC,Ÿl>70ôò´-lÒõŒõh
л*Ûšw¼î†©¦NÅÃdò1âtÒ9c÷—j°†LáÅ“Q‰R´ð•“Y
ÝgòrÆ‘lµ„h²Ð˜î,¬•ãúiËô‰»·X­bÒƒÕ(°·¼Á+é–Ð|¦ÔŽ°‘ÖRðVcïÙTpœÒ.…\¬™3ü
´	fdN‹emN?AœvžmF/ïYÚ™`èÜígòœã GÞ™îG÷T–ávîÂÜ´çÂ0tæ*pü+™«_à‚ùIŽRcvgäü߉Ø	Èܤp!2žMÝýÙÉùÜÿN:'©endstream
-endobj
-1693 0 obj <<
-/Type /Page
-/Contents 1694 0 R
-/Resources 1692 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1674 0 R
-/Annots [ 1699 0 R ]
->> endobj
-1699 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 707.8911 452.088 718.0529]
-/Subtype/Link/A<>
->> endobj
-1695 0 obj <<
-/D [1693 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-590 0 obj <<
-/D [1693 0 R /XYZ 56.6929 690.9391 null]
->> endobj
-1700 0 obj <<
-/D [1693 0 R /XYZ 56.6929 656.5891 null]
->> endobj
-594 0 obj <<
-/D [1693 0 R /XYZ 56.6929 517.028 null]
->> endobj
-1701 0 obj <<
-/D [1693 0 R /XYZ 56.6929 489.6469 null]
->> endobj
-598 0 obj <<
-/D [1693 0 R /XYZ 56.6929 373.2709 null]
->> endobj
-1702 0 obj <<
-/D [1693 0 R /XYZ 56.6929 344.9674 null]
->> endobj
-602 0 obj <<
-/D [1693 0 R /XYZ 56.6929 184.6919 null]
->> endobj
-1373 0 obj <<
-/D [1693 0 R /XYZ 56.6929 151.8489 null]
->> endobj
-1692 0 obj <<
-/Font << /F37 827 0 R /F71 1698 0 R /F23 762 0 R /F39 927 0 R /F11 1441 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F48 985 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1705 0 obj <<
-/Length 846       
-/Filter /FlateDecode
->>
-stream
-xÚ¥UMÛ6½ëWè(KŠ¢,7k'u€n·kå$9Ðc‘DU¤ã¸¿¾C
½ënÝSaœ>ÎÇ›!Åb
-?—‚P.óx)s"(qÝG4ÞÃÞûˆLz¥×¨·UôË;¾Œ%‘EVÄÕ·+_%¡eÉâªùœÜÿz÷X­Ÿi&h²$‹T4y»yX¡Eâ²]ß|ÚTŸP»ÿýa»Y­ŸîË<©6 -Ò¼¤%œçÁÃêÓÃÝo›{Ä|\!týÊÛ×êC´®ž¹.–Qî«ø3úü•Æ
Ôü!¢„ËRÄ'P(aRfqå‚‘s~±tÑ6úãÙáÕî|ôy‚—D”Ùò{¿Åž¤à°åÙ{g¦EÊi‘¸ƒ¶Ú‹ËdZ°2ÑÊšÁ¾KF““FuóžöÝù[›¾×Csñ¤JDZQN[TvÁ{=Ggö“m­:tT$êLNG»£×j°žj¨7eŒH!²9yó
ÚQd‰› jךÁXbÛý Ü“³úB­¶›÷°2‚°jÎÔo¶¾Ò¬È=
>PÇ®¨c² y2ãBÖæ”bu}Mt‘ÉdÀf¼ä•%ö`Ž]ƒÁ»Ö†àfð$Ì	A~hû®Ï(–¨EÊ’iŠd0n&¦Q^dù?‰Ù<✪¦	Ø™0ù~ûuÐîd¦ï¨ŒˆúBiöS[`‡3šÜuNO@cûCC~Œ±ä
¢=GÁÇéYY.	-8õ#Méhº¶>ßbK±äÅk¶À}­‚°ñŽV7ëæ,‡!.`èÙ’HÓïOoM?CaR[‡I}0Ƴ3~@¯Ñ½D¡9ªÇ‰­mpcå_‡¡œB©ÐMPíqט^¡\ád£;½÷3‚±qÚ.øôÖD'¼ÄL¹œC€jõ¨&tÚ_fÐ/Iuh-"Oê¥Kù¥K`wfL;
M|9‹RmñÚaô©õ÷¯Ãc¡ZûXPR!Tð]â ùWƒ¸œ7
-;˜lçIï˜"aÔ—ß¡dõôCOö2g:üÜãQ#‚—1/Xò_/5Ä?¯7ÞUø‡¼ÿ÷+þò}ËáS–ÙíšÓœp.Ù%)Ï£ìuêÏïý¿sÿœ°à^endstream
+ï¡nÿ±ÌQjæ6M§"”Øß*»GVv²ç§Ïs81ÿîç¼âfÆ£HèEÎt¤Ü´=bü~ÎÐÂ’Y’{w{ÌÙÿ}”ç!É
¯¬ÂÜ>à¦AqU ÛzL½.«Þב.ý™¼TE.0im¡»gÙæŽMsç­ð©³ËWb6èÓæ¾ÏRµø.{Tþñ„Y£ÎŽùÙ»Õ±•Þô‹&¾ý\pѨÃ+Ë1âØ	mòÁIpØlá+û7Õ8U·n&ÓÉ·Bhzß:¹èÍ?kЦò~ÜîVÇð÷×äC4û©Û—ü»ùñiü0óŸ[ð‚e>Þæ>Ý> endobj
 1706 0 obj <<
 /D [1704 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
+582 0 obj <<
+/D [1704 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1707 0 obj <<
+/D [1704 0 R /XYZ 85.0394 574.0823 null]
+>> endobj
+586 0 obj <<
+/D [1704 0 R /XYZ 85.0394 574.0823 null]
+>> endobj
+1708 0 obj <<
+/D [1704 0 R /XYZ 85.0394 543.8373 null]
+>> endobj
 1703 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1711 0 obj <<
+/Length 3284      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZmoÛFþî_¡oGÅ}!¹,¸‰su¯Hz‰»¢íZ¤-^(Rá‹õ×ßÌÎ,EJt (-‡ËÙ·™gž™µXðŸX„‘%2YĉöÃ@„‹Íî"X<»^î³rVã^ßß^¬ß©x‘øI$£ÅíÃH—ñcÄâ6ûÕ‹}é/¿ýqý.£¾2ðC©@=öyóÃÇn©×D£6¾Fr·«÷oç4E¾TBsŸO×·w7ogT	“Ò*†¼úùöúãr%Ã渄5Þ÷70‚•$ôóéúÍÝÇ›Û_èé͇÷ŸnÞ^¼ZÆÚ»½'çâúvØ©ñnŠ@á6}¹øõ÷`‘Á¦þxø*1áâ_$‰\ì.t¨üP+å$åŧ‹
+Goí§³§#ØHÎìðÌñ„‰)x…ûp»-ÚåJ	å¥eY?s»Y
+ã图i‹§œD_ú¼)r~_?à¯öº-¿móæ)o¨ý`¿®wô4t©û®-2~è«2oÏ«+mS~wŸç
µ§nOEÝ/…×–gE»ÂS€­X	á'a(íºÒû2Ïüáñ#!}ó®nè8w5©¤§¢z¨›]ÚÙ9 Àýnëgjt5ýö-rõæ§vúŠ&Ywù¦#Á¡îy4Þ!°œK'`5¸Cd¯Éè´”~lg¯WwŸÞ€¹†¡Ç~29Zû&	÷M³§¢­›©O»ïè1öš•ŠÀ
+â$v›“ØOÿ~jÑ‘öµñ"#Ó!¸™µ@zûyáZÿ:Z£û`5þ£¦Gèöß­×ð¯Ÿöí&o:¿n¡½Þ÷÷k­ÝêÖW?­ÀmÜ&ñƒ@ûYÕžN_+p«8“ù¿æ’ÒOŒ1ó¹4¾²@pZ_„ÉtY}>ÃPøAr¶Ã'>>ô:ur¬çÚpذɈ…оÒÖ-`ñ´K?T&vx½\‰ ¸Û6uÍvœV#bÞõE6c‚àe-ÊÐÐ{Lèݽ¿ù/¶"v€­?Ñ^Ñ‘Ñûíë¶-ÀgIjý	¤ÍÒTŒÁ¤ëNgÜFŠØÇÓ!OØlÉ!Á#çæ¬"?Lb×9¯ž
+ê^íòª£1~ o‹ê‘'æ|UŽw]‘oôÎ6vãðKø_Ìk|	wè«
ÂŽíl½?Xà‚J|Hí "j»Ï7ÅÃÁÎIé˜Vï7)56±ÄXøBà°êf&䓺X=Vu½'L%ž†\rF~_Å&Côó¶Øl¹Y”%µÊbWtGä¶,Ý¥®]W.¤<°óL"½âÀ±©Ý:wEûBÀºªj?Ô6ø<ô8-¼‡<íú!†é€^м@ÀÞ"Â&E7xÆŽ=Ø«@b§¤Ý¢@Þ¥Ýd+­éwðÈñ0Yšïœâ”Õ¤üÜWû¦x*Êü‘,ã4PÂxOÐafÌW"©8tæÛS—pb¾LBçOVã¹
OÔƒ ¯ùÈ ï?ËD:Ðöy˧KK­È÷ñ[‡…ÌÆ+sÌ q–“»^í `$|KÇsGgï3X€¥L45žrg J$q½Ä.ó¯én_òK°ÅÅy|(‹ŠÅxòVR§üŽ}Ô¬'[—‚phõ
ëJÂÄ/;áåŒB­ü@Nßú)mÖ/á
®4±ë
+Þ¬Tä
ks+b[žµÐu
+j(!Rêä<Ú—b"À^è˜õŒø#[‰$s3m&ÜŒ¿›œäºo›uYoÒrÝÞ¯4@§°¿ ýžm’ žB¶Š}eÂhÈÔÇþ[‡l›	¸ÆÉÁqž€%ë€À
˜†–B¬ýe¸d-#E¬|Îd" ±RˆW-A
Ñö,l£vÜkî¹n>“„avŸ7˜:໢r3¡iÓ›¾Ly¦YÁ‰Ig©4vA„À¾s9Y
+ÌÄ$Ä‚³åGa¨§öó’Ÿ2&NF…–KÌ*(¦QTÂV•£1`ËZ7̼£FÏ!5å@x¶aö«mÊ­¢Ú”}–shÎ!pº-ÇU3Š«8b;’ʆwí½si ]¹[Ë„É ²¿!ª&	ÀÂÎŒÏÆ&=ù3‚óÜ3‚ìH|DÒÃØgÁãk
+Ï1D»±)¶Aã· «Zö+Ó¡ñ~ÁIáà{>PDG`?®é7Íþ×·ÝÉxOiÙçí0‘’q%
+§vAì«u´ãs>j;OË”‘Û°^¶Ü™lQA¸Œâ",ÎPÚÄWÇMÛÙŠ6bÎC?2Ñ	È¥›MÝW.åCj}ÇãÅI´º«x™@ž‹nKT"O›² d‰LË»¢ÙT@Š–tIMë–²ö eypúà f
ÓO„›5‹8úÄC<áƒFĬi\Q¾p*¡_åÇ
+2±!!h»´ϼªÇïà­xlÄîi,Ú¦[8Ããø}“RáFä,‰ñ
Y¸A»}&‰ó$F‰ñ~¨ŸóQÉÂÄ€âû¼ÊˆÏ@KùÌPä@	À+̲¥€9û%¥Nt. Ý¥êÍûh,»œ¡†ÁlÄÜæS=¶§^0Mv „q×Yþ´þ#oê9Š ü8J‹s£‘–鱪|…íbB€¥_S¦ÆÊÊúñ…JŽâ#sqÙ÷1ÖÄ÷XgÞmˆtÅnÎMB7•C6CÀ¦”/âÈ8bÄÀî¦t–Ëlû'³¯„Ÿ›¢nÆn$§Œ›Œs—JBaô-.•8Ç£Å"„âŒ7¯?†lBÊ# õÎg8¨(p ÚwC®$,MpKÚlÓê1wr‹ Vøh 6e²Åîê¬ÀNW†Ä=€Ól]v¶0Vú4R4ša8T=°ªúyît”ô©³õpbæp}ðÉáôtÖÙ¬gífôH â<¸È¸Ê1*°r„VRG©7ÊRPŽ…ú¡St”	ÍÕã'!ÈDÑ7äìDm¶þF&¦‹¾@7Ý'¥ÄáZER›qÕ~ä”@
TæɸdDeû÷£#€[…òC5$ˆ€…	ïþ•ÞõYUWúA,ã…ÓxC/¾,„è$QÔiÔ¶+=ovrñ¶†õ,FKrŠWcÍvQ€<#6ÀUb_	"ª=¿¯;K‘´#£ÐÂ
+IØ°£	ìÚ×3$˜üD`ÁgŒ¬½¥_°Uȃ{ÿ(âÌðŒ¹¾ítLø­m¬ï’J	ÏÚqBmé„mÜçL{ˆ;J©ÓÛŠ¥„†Æ_Èò²©rrè÷LMÞv<©M—sϽMOÀ/Zz¶5(Ô°eåÖ[ÐÐ¥=â†H±U‰Y>ס&Uê(²pz4Õ¿fûèe ã?Þlý5Ï»SìGr|
6)|»~€pâ§8½=€!‚•»}–v¹+}sÕñOŠß¤ìŠÁÝÞÕ“{0éeN¿½cýöÞ,Ý0èÚµmÝ—™»£Oá¼á¨Kîa‘xV+pT›o£t ËøÁ‘,oí”#ËÓÛ¹ª<Ìq°gKÖÅ9ö²šŸ·”IµÛˆîÓ–2 EØžh—F)ïæg¤YFü´å(áR®§ö¶5¥LîbðdKL)ÇÝhç.Ù»x’e1tÕT§{a處RÄBë¨j CÈJ—§Ùþ’â÷W’ÛJkh^¼ˆ}'ŽkÙ›Õõl~jÌ€bpùØpú‡d\…\,Gñ.ï¶uÆÓ`$hœÃu&¸9¤ñùqŽ¶w[S÷bz8âñF®"ÈZ&Ù:ë1ƒÑbûî-înˆå“Ígâf˜Vž¶…MbBº>€±­ÁzWe[óŽ×Ý0ÕÔ©x˜L>¦SœN:çaìþR
Ö)¼x2*Q¾”-|ådVC÷™¼†±E$[-¡š,4¦;kåø‚~Ú2}â®Ã­V«˜ô`5
+ì-oðJº%4Ÿ)µãl¤u€| ÕØ{6%ŽSÚ¥‹5s†¿¡‚6ÁŒÁi±¬Íé'ˆÓ®Ã³Íèå=KÛ!›‡jdš©™sYØU_R{àwj¸ZÑã5Ò+ºh™QÅ«áïm¡ ÄKÅÏ&ÃEÂKäuâÛTpêϧýLžsôÈ;ÓýèžÊ2ÜÎ]›öü@†ÎüAŽ‚å1sõ\ð/ÿ1É1BjÌÿ;{!¹€›n¡äÙÔÝŸœÏýÿN’'«endstream
+endobj
+1710 0 obj <<
+/Type /Page
+/Contents 1711 0 R
+/Resources 1709 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1679 0 R
+/Annots [ 1716 0 R ]
+>> endobj
+1716 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 707.8911 452.088 718.0529]
+/Subtype/Link/A<>
+>> endobj
+1712 0 obj <<
+/D [1710 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+590 0 obj <<
+/D [1710 0 R /XYZ 56.6929 690.9391 null]
+>> endobj
+1717 0 obj <<
+/D [1710 0 R /XYZ 56.6929 656.5891 null]
+>> endobj
+594 0 obj <<
+/D [1710 0 R /XYZ 56.6929 517.028 null]
+>> endobj
+1718 0 obj <<
+/D [1710 0 R /XYZ 56.6929 489.6469 null]
+>> endobj
+598 0 obj <<
+/D [1710 0 R /XYZ 56.6929 373.2709 null]
+>> endobj
+1719 0 obj <<
+/D [1710 0 R /XYZ 56.6929 344.9674 null]
+>> endobj
+602 0 obj <<
+/D [1710 0 R /XYZ 56.6929 184.6919 null]
+>> endobj
+1381 0 obj <<
+/D [1710 0 R /XYZ 56.6929 151.8489 null]
+>> endobj
+1709 0 obj <<
+/Font << /F37 827 0 R /F71 1715 0 R /F23 762 0 R /F39 927 0 R /F11 1449 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F48 985 0 R /F62 1100 0 R /F63 1103 0 R >>
+/XObject << /Im2 1089 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1722 0 obj <<
+/Length 847       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥UMÛ6½ëWè(KŠ¢,7k'u€n·kå$9Ðc‘DU¤ã¸¿¾C
½ënÝSaœ>ÎÇ›!Åb
+?—‚P.óx)s"(qÝG4ÞÃÞûˆLz¥×¨·UôË;¾Œ%‘EVÄÕ·+_%¡eÉâªùœÜÿz÷X­Ÿi&h²$‹T4y»yX¡Eâ²]ß|ÚTŸP»ÿýa»Y­ŸîË<©6 -Ò¼¤%œçÁÃêÓÃÝo›{Ä|\!týÊÛ×êC´®ž¹.–Qî«ø3úü•Æ
Ôü!¢„ËRÄ'P(aRfqå‚‘s~±tÑ6úãÙáÕî|ôy‚—D”Ùò{¿Åž¤à°åÙ{g¦EÊi‘¸ƒ¶Ú‹ËdZ°2ÑÊšÁ¾KF““FuóžöÝù[›¾×Csñ¤JDZQN[TvÁ{=Ggö“m­:tT$êLNG»£×j°žj¨7eŒH!²9yó
ÚQd‰› jךÁXbÛý Ü“³úB­¶›÷°2‚°jÎÔo¶¾Ò¬È=
>PÇ®¨c² y2ãBÖæ”bu}Mt‘ÉdÀf¼ä•%ö`Ž]ƒÁ»Ö†àfð$Ì	A~hû®Ï(–¨EÊ’iŠd0n&¦Q^dù?‰Ù<✪¦	Ø™0ù~ûuÐîd¦ï¨ŒˆúBiöS[`‡3šÜuNO@cûCC~Œ±ä
¢=GÁÇéYY.	-8õ#Méhº¶>ßbK±äÅk¶À}­‚°ñŽV7ëæ,‡!.`èÙ’HÓïOoM?CaR[‡I}0Ƴ3~@¯Ñ½D¡9ªÇ‰­mpcå_‡¡œB©ÐMPíqט^¡\ád£;½÷3‚±qÚ.øôÖD'¼ÄL¹œC€jõ¨&tÚ_fÐ/Iuh-"Oê¥Kù¥K`wfL;
M|9‹RmñÚaô©õ÷¯Ãc¡ZûXPR!Tð]â ùWƒ¸œ7
+;˜lçIï˜"aÔ—ß¡dõôCOö2g:üÜãQ#‚—1/Xò_/5Ä?¯7ÞUø‡¼ÿ÷+þò}ËáS–ÙíšÓœp.Ù%)Ï|E^§þüÞÿ;÷¿à`endstream
+endobj
+1721 0 obj <<
+/Type /Page
+/Contents 1722 0 R
+/Resources 1720 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1724 0 R
+>> endobj
+1723 0 obj <<
+/D [1721 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1720 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1709 0 obj <<
+1727 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1708 0 obj <<
+1726 0 obj <<
 /Type /Page
-/Contents 1709 0 R
-/Resources 1707 0 R
+/Contents 1727 0 R
+/Resources 1725 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1674 0 R
+/Parent 1724 0 R
 >> endobj
-1710 0 obj <<
-/D [1708 0 R /XYZ 56.6929 794.5015 null]
+1728 0 obj <<
+/D [1726 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1707 0 obj <<
+1725 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1713 0 obj <<
-/Length 1965      
+1731 0 obj <<
+/Length 1964      
 /Filter /FlateDecode
 >>
 stream
@@ -7620,86 +7695,86 @@ i	
 ­è×ØÚ:‰óÎÐÃBYn?z·XdÌqâd¾©Üä¤ÚNí:ørðï»QÕaáƒL·CÕMucVìâªV.Wª4 Û8Hü»Uoy)”@»Zìo+B)ˆ×­©ôD9ƒ©;B.ÊõTyåvÂ)Î6™îZds§¡ÁÓÏMí­µ°r=¶öä&vÓž®é^/yr€¡¶¯ÓP;«y Â1{9B€FãŸà{ËוÂM>p\×-ž‘7>å	èWˆÌ¨WKÐÆ
5m"û¿À¥–€ã6WUŸÔž9ZØוå,¶VHbžþ‹'¯´=Í\¦pÀŸ'8TÃ[WyÌ#‰6Éyè5µÒÇî:4	ßál 3,•ßbÏ[œ+ªë/WF".ƒ›ËÊ?@”€/jŒu“1Ô¢+l',{_¼2ãâ•sä®Ïñ۪ʿ&–Bú–åç!G˜
 ¥Ìrcø-Š¼ûãËü
 “¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoãã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy7G)JΑOü©5­¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+¾,}w¸ÉÀUßÄx³Q³Ô}\Wù¸·ö߶
-ߣ«ª]qöü´Þíâ³äZÄ^d{‘¡ÉeIGid!:Æ[wó罿ÿ*endstream
+ߣ«ª]qöü´Þíâ³äZÄ^d{‘¡ÉeIGid!EDòÖÝüÀyïï?*Zendstream
 endobj
-1712 0 obj <<
+1730 0 obj <<
 /Type /Page
-/Contents 1713 0 R
-/Resources 1711 0 R
+/Contents 1731 0 R
+/Resources 1729 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
-/Annots [ 1720 0 R 1721 0 R ]
+/Parent 1724 0 R
+/Annots [ 1738 0 R 1739 0 R ]
 >> endobj
-1720 0 obj <<
+1738 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<>
 >> endobj
-1721 0 obj <<
+1739 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<>
 >> endobj
-1714 0 obj <<
-/D [1712 0 R /XYZ 85.0394 794.5015 null]
+1732 0 obj <<
+/D [1730 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 606 0 obj <<
-/D [1712 0 R /XYZ 85.0394 769.5949 null]
+/D [1730 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1715 0 obj <<
-/D [1712 0 R /XYZ 85.0394 576.7004 null]
+1733 0 obj <<
+/D [1730 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 610 0 obj <<
-/D [1712 0 R /XYZ 85.0394 576.7004 null]
+/D [1730 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1716 0 obj <<
-/D [1712 0 R /XYZ 85.0394 548.3785 null]
+1734 0 obj <<
+/D [1730 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
 614 0 obj <<
-/D [1712 0 R /XYZ 85.0394 548.3785 null]
+/D [1730 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-1717 0 obj <<
-/D [1712 0 R /XYZ 85.0394 518.5228 null]
+1735 0 obj <<
+/D [1730 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
 618 0 obj <<
-/D [1712 0 R /XYZ 85.0394 460.6968 null]
+/D [1730 0 R /XYZ 85.0394 460.6968 null]
 >> endobj
-1718 0 obj <<
-/D [1712 0 R /XYZ 85.0394 425.0333 null]
+1736 0 obj <<
+/D [1730 0 R /XYZ 85.0394 425.0333 null]
 >> endobj
 622 0 obj <<
-/D [1712 0 R /XYZ 85.0394 260.2468 null]
+/D [1730 0 R /XYZ 85.0394 260.2468 null]
 >> endobj
-1719 0 obj <<
-/D [1712 0 R /XYZ 85.0394 224.698 null]
+1737 0 obj <<
+/D [1730 0 R /XYZ 85.0394 224.698 null]
 >> endobj
-1711 0 obj <<
-/Font << /F21 738 0 R /F23 762 0 R /F11 1441 0 R /F41 969 0 R >>
+1729 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F11 1449 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1725 0 obj <<
+1742 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1724 0 obj <<
+1741 0 obj <<
 /Type /Page
-/Contents 1725 0 R
-/Resources 1723 0 R
+/Contents 1742 0 R
+/Resources 1740 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
+/Parent 1724 0 R
 >> endobj
-1726 0 obj <<
-/D [1724 0 R /XYZ 56.6929 794.5015 null]
+1743 0 obj <<
+/D [1741 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1723 0 obj <<
+1740 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1729 0 obj <<
+1746 0 obj <<
 /Length 2544      
 /Filter /FlateDecode
 >>
@@ -7711,41 +7786,41 @@ FXЭ
 ¼
 –a“p¯GkଯëÃá5³îǪÿêÄ-	ÜȽ¬Í|µ/^ÄwxÒH‚
 D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4áRÊ}^º¦ÖÒRº#›Úv°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)ŽL½"Ÿûæ¢@ù<ñpJµÙ>~æÜpËLtGY­Fgá±[A
—(-̃ÅÙ¶Ä ˜Þ°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(dvP&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{
†rh®ÔÐq½ ‘®³«zß&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤ægH@Ä9³ZI(	Ž:ž()6Sq
-UŸiQc¢õFêƆEiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×y­P°M”`à· FAˆ½Ž¼m¥uGKÑ–‹;ÕAŸ^–,y§ž%­Þõ½1,ôUUD¼.µæ!u[È8ˆló#_÷'k®ÿ1,°Èq‘<Äa	U®ßù³{”ül>Â1¥ƒÏéD}ãX/Í›·ô(òÄ-O¿õÄ7‹›.f2ïeO˜ÅËŒ¶±|ïÛþjÄJ˜±Ò¶ë–BºfÓ„È^'Dö6!2‹Šµ>¹Õª?DZ…Ú™ðìÂ
DðFÍ\¥Pà1ª~)‰ÅïšVýØ^
.-㤎Í°·ÁqÏGß5p’³:ñLðÊçaAêð0xšnþ5cµN¼‡£*itUV`+c!ž¡z'[´Úzå},ÿdêUi‘دšèœ7³v«êœÈu{d¤ÌcIÀýj~ÅžXfQ‹gR`sdß׳=¥±iˆ%†zߊêÁïªÂ÷UY*»bI뎺,hùAØ7{pä‘Å?õ°–ˆV¸M¯jjK€ü­?%
ÊGË_¾(XàëÿšV@%Ÿ£J4ËÝh^ý]žÔ‹f6×níƒ+LÍìS2vDN?š`®…8ä9H3ð`3zø…$ÛVÂïå4ýˆÕÕHƒ®\Büu|-Fc˜¤ë\5¢œs²knTuü×tè«ÊeÁ?Mä' ÁÙX€p†h¨k.æÍâõñkMb q‘ÌB°ƒiû†sk(ß½üdÚÿÃlhßp²ÑoC;àÐn;Õ£ž»¿¨Î…?^Uè&ŠÌ(\¹'HðêÑáC5mWp}cŒ‡XÉ„?)â’éÀ9–ÜI[(‘î¾›¨Â^5ðù©‡m7ïÍlŠR͇蕽M|1x:
t´yãizaÁSBïHæ>Ëíé±³Oâ"HÓȃ…×UØNÉø©|hÑçòÅ™X]ÖÌ=Î÷¯»"L1œ¬ù‹Oï×WHÎÔšæÝǧá#¾û4á·óhö3¿cYŒ<ôú9¢wEYà6B=?y{Üð'ƒ¿Ÿ÷Á¢rendstream
+UŸiQc¢õFêƆEiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×y­P°M”`à· FAˆ½Ž¼m¥uGKÑ–‹;ÕAŸ^–,y§ž%­Þõ½1,ôUUD¼.µæ!u[È8ˆló#_÷'k®ÿ1,°Èq‘<Äa	U®ßù³{”ül>Â1¥ƒÏéD}ãX/Í›·ô(òÄ-O¿õÄ7‹›.f2ïeO˜ÅËŒ¶±|ïÛþjÄJ˜±Ò¶ë–BºfÓ„È^'Dö6!2‹Šµ>¹Õª?DZ…Ú™ðìÂ
DðFÍ\¥Pà1ª~)‰ÅïšVýØ^
.-㤎Í°·ÁqÏGß5p’³:ñLðÊçaAêð0xšnþ5cµN¼‡£*itUV`+c!ž¡z'[´Úzå},ÿdêUi‘دšèœ7³v«êœÈu{d¤ÌcIÀýj~ÅžXfQ‹gR`sdß׳=¥±iˆ%†zߊêÁïªÂ÷UY*»bI뎺,hùAØ7{pä‘Å?õ°–ˆV¸M¯jjK€ü­?%
ÊGË_¾(XàëÿšV@%Ÿ£J4ËÝh^ý]žÔ‹f6×níƒ+LÍìS2vDN?š`®…8ä9H3ð`3zø…$ÛVÂïå4ýˆÕÕHƒ®\Büu|-Fc˜¤ë\5¢œs²knTuü×tè«ÊeÁ?Mä' ÁÙX€p†h¨k.æÍâõñkMb q‘ÌB°ƒiû†sk(ß½üdÚÿÃlhßp²ÑoC;àÐn;Õ£ž»¿¨Î…?^Uè&ŠÌ(\¹'HðêÑáC5mWp}cŒ‡XÉ„?)â’éÀ9–ÜI[(‘î¾›¨Â^5ðù©‡m7ïÍlŠR͇蕽M|1x:
t´yãizaÁSBïHæ>Ëíé±³Oâ"HÓȃ…×UØNÉø©|hÑçòÅ™X]ÖÌ=Î÷¯»"L1œ¬ù‹Oï×WHÎÔšæÝǧá#¾û4á·óhö3¿cYŒ<ôú9¢wEYà6B=?}{Üð'ƒ¿Ÿ÷¢tendstream
 endobj
-1728 0 obj <<
+1745 0 obj <<
 /Type /Page
-/Contents 1729 0 R
-/Resources 1727 0 R
+/Contents 1746 0 R
+/Resources 1744 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
+/Parent 1724 0 R
 >> endobj
-1730 0 obj <<
-/D [1728 0 R /XYZ 85.0394 794.5015 null]
+1747 0 obj <<
+/D [1745 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 626 0 obj <<
-/D [1728 0 R /XYZ 85.0394 769.5949 null]
+/D [1745 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1731 0 obj <<
-/D [1728 0 R /XYZ 85.0394 573.5449 null]
+1748 0 obj <<
+/D [1745 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
 630 0 obj <<
-/D [1728 0 R /XYZ 85.0394 573.5449 null]
+/D [1745 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-1732 0 obj <<
-/D [1728 0 R /XYZ 85.0394 539.0037 null]
+1749 0 obj <<
+/D [1745 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
 634 0 obj <<
-/D [1728 0 R /XYZ 85.0394 539.0037 null]
+/D [1745 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
-1733 0 obj <<
-/D [1728 0 R /XYZ 85.0394 510.2426 null]
+1750 0 obj <<
+/D [1745 0 R /XYZ 85.0394 510.2426 null]
 >> endobj
-1727 0 obj <<
+1744 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1736 0 obj <<
+1753 0 obj <<
 /Length 2810      
 /Filter /FlateDecode
 >>
@@ -7757,66 +7832,66 @@ e
 çÑD”’-Ê:3–êv¢¡Pc^4ßL2…%æâVº³Ühò„ò4c­ô¤ˆRÊ]€Ñ–\ŠV7fžYæ¥ÇˆDJ;`XÌxäøñHÒˆ%,ëñ±ú¸ˆ0×kSìèÒØú7¥ŸMñ¬Â½³ ×j´.ÞT+(’m|ik»sPÛ` JÛ­âb¼Ý¦Õ{—BƒR)=UŽ“Ò‚hl˜gé>]aMƒ×,9DF]„e-+à¨îû–+8©¾rÑDcfÔÒh@Õ¿3zr‚ÞµRÐ4…‰HàÐNv&¦hñçTWâ †î.…}¦ÚYù°ÀÜG¶ƒˆ¤ud½˜.¦‰…ßeª5þ05…ÝÇz—Zj]4ƒ	“w1Š\0húÃ|[Júó‡åã”$¤QŒ<9m»ÀDX+вI‰Nɘƒ—q€/ÖSt¯ZÈ‘ûAÃîH³ÿm!o€~½×ßt…¤	º2{Ž«@ØL…‘ú·ã£D£ú{VÕPŸïr¹Ëè{††>PKŒÀiŒZ•ÓZzhk¬I²rÆTCgl‘$Ö·aTìö¥ÚYm›šJ£²Ýb^`”–5ýv¬àdЮ&œ'à·7En¡öØ\­S('iÒi¯é·RpÕuÚ¼žàk± ž_O…"èŠÌÖ'ãVnTFíŠÍ–KŠ²®¹{-‹/êªkåH½¢”¶öõ\W\å«øʃßä*u]Qã{µV±¸òVÒ›Hh‹ŽÎDÉ–Gaè‹ðµÆ8QF:¡ÕëÖÄÓ³2XÈܽ]†ÔÏ¡2bø;÷ßú‚ÞJtMël†xü–ÃgmÓgEhE••*>zˆÂƒ¶ÐéO¾m»Î´ë]4k~EŠÍÁ;4%¤NŠÂËëy
Œ³º4†xÑÿ}uõ'ºÒÐþ˜„„/?º£ET‚2e-L^ˆç­Œ›äN)–LÊ[3ªÅBc´ÇeefΊÃÇžøL*47ÂŒºš²êªÑcßü¾‡É/ïA¶¢Þ4é~ûÚÄŽ­§ÃUaYyTiò^/¾ý""»‘Gqʶ
 kûèõ¡Þa€<Ž@«£¿ïqäiìØ@:ļΖ"´ZtÀɶ¡?|F0·m
~B}×Eã„Ö]ÉÞ¡M7€éæ‚Fý+¬ïÁí
 ½5ºÂ5æaŸ6|šq˜ÐëA¤S‘ônhaЫg#ˆV˜ilÚqø…Ë·­(„á´ª[Óà2àdƒûÚ“9òŸóv¼LZ•Ï–\'NrÓQT&1À;Þ3Y¶÷j†+~Sm vRM“—ç	V¸_hvK%OÆ1e¼»YÞrîMlk‘ă,ómúOm?‹çŸ¸ÙÓ"Ñú„ôÂ@•ÒâwÖÞÊz…±rp3ûöû\p©z»|à;Ù^Mdûu»¿º¼|yyA8….•.‹ja¬t‰­¾qý`èúÂOàZ…¶þ
-Ä“N"\‹ä´_ùaEŒóŠÈ¶Å>þtâ¾%AlZv&>}ë å/3;ú±ÿîÑíX·˜ïþðàSÊ#uUßwÈk/ùó‘ÿ8ŽŽø;úÓaò4RÆ)5äé/SyW01bŒ‰®ôÒ=<žÚ
¢¡'ñfßµ8…¶ˆê½W¶-±O,Ý"x‹õbšé‰oi©í'ç´°OªC—íèýR­Fþ{¤²~¶¡éáÄBßñ}zÒqEðÇ^d7,†;Nè„®©ÚÞ‰T»vêfsÙ¬³ßñÜÈI\yÌÕ‘ïtX§¬ŒqJí-߉œÈ£áÏqz7!Ø$MÓ’3Ðo}ᔃŸ%'äp»Äü?ýì?s2Ž½é›^À
13…7þtâ¾%AlZv&>}ë å/3;ú±ÿîÑíX·˜ïþðàSÊ#uUßwÈk/ùó‘ÿ8ŽŽø;úÓaò4RÆ)5äé/SyW01bŒ‰®ôÒ=<žÚ
¢¡'ñfßµ8…¶ˆê½W¶-±O,Ý"x‹õbšé‰oi©í'ç´°OªC—íèýR­Fþ{¤²~¶¡éáÄBßñ}zÒqEðÇ^d7,†;Nè„®©ÚÞ‰T»vêfsÙ¬³ßñÜÈI\yÌÕ‘ïtX§¬ŒqJí-߉œÈ£áÏqz7!Ø$MÓ’3Ðo}ᔃŸ%'äp»Äü?ýì?s2Ž½é›^À
13…7>aÝ~'=åý¿z'ðJendstream
 endobj
-1735 0 obj <<
+1752 0 obj <<
 /Type /Page
-/Contents 1736 0 R
-/Resources 1734 0 R
+/Contents 1753 0 R
+/Resources 1751 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
-/Annots [ 1740 0 R 1741 0 R ]
+/Parent 1724 0 R
+/Annots [ 1757 0 R 1758 0 R ]
 >> endobj
-1740 0 obj <<
+1757 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [253.7995 149.3637 417.685 161.4234]
 /Subtype/Link/A<>
 >> endobj
-1741 0 obj <<
+1758 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 110.455 208.8999 120.6168]
 /Subtype/Link/A<>
 >> endobj
-1737 0 obj <<
-/D [1735 0 R /XYZ 56.6929 794.5015 null]
+1754 0 obj <<
+/D [1752 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 638 0 obj <<
-/D [1735 0 R /XYZ 56.6929 662.0717 null]
+/D [1752 0 R /XYZ 56.6929 662.0717 null]
 >> endobj
-1738 0 obj <<
-/D [1735 0 R /XYZ 56.6929 624.1661 null]
+1755 0 obj <<
+/D [1752 0 R /XYZ 56.6929 624.1661 null]
 >> endobj
 642 0 obj <<
-/D [1735 0 R /XYZ 56.6929 624.1661 null]
+/D [1752 0 R /XYZ 56.6929 624.1661 null]
 >> endobj
-1180 0 obj <<
-/D [1735 0 R /XYZ 56.6929 593.0972 null]
+1184 0 obj <<
+/D [1752 0 R /XYZ 56.6929 593.0972 null]
 >> endobj
 646 0 obj <<
-/D [1735 0 R /XYZ 56.6929 294.2701 null]
+/D [1752 0 R /XYZ 56.6929 294.2701 null]
 >> endobj
-1739 0 obj <<
-/D [1735 0 R /XYZ 56.6929 255.4568 null]
+1756 0 obj <<
+/D [1752 0 R /XYZ 56.6929 255.4568 null]
 >> endobj
 650 0 obj <<
-/D [1735 0 R /XYZ 56.6929 255.4568 null]
+/D [1752 0 R /XYZ 56.6929 255.4568 null]
 >> endobj
 1000 0 obj <<
-/D [1735 0 R /XYZ 56.6929 226.1045 null]
+/D [1752 0 R /XYZ 56.6929 226.1045 null]
 >> endobj
-1742 0 obj <<
-/D [1735 0 R /XYZ 56.6929 53.5688 null]
+1759 0 obj <<
+/D [1752 0 R /XYZ 56.6929 53.5688 null]
 >> endobj
-1743 0 obj <<
-/D [1735 0 R /XYZ 56.6929 53.5688 null]
+1760 0 obj <<
+/D [1752 0 R /XYZ 56.6929 53.5688 null]
 >> endobj
-1734 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F11 1441 0 R /F41 969 0 R >>
+1751 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F11 1449 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1746 0 obj <<
+1763 0 obj <<
 /Length 2825      
 /Filter /FlateDecode
 >>
@@ -7831,191 +7906,191 @@ xÚµZ]{
 ´¸ ¤ƒùÈ
 ’Tï*ÓªA<—Ǻ·ÃÐû"Âa‡˜%(ŒÏ´’–Û
 µ9Te>#ôá¶6Ø6Ay2¾b$´ÌHÜ)³|Þ‰zA4lY3ª#Óò`ï§6c¿ŒI0‚¶Æ¾[g;µú,{Ù•oúùFÿÍ+”Ÿë¯’ù
Ø.…‚1¦‘•ß‹WñÈÌvìï&}•/\u˜sê8˜$Ðk“3©-å¡ZKY\{h½ÐÙ}lÛ6ø´Üïå®+Ö›­ßÁä\²Z*)#ý&ÇÍ:±¦‚ñwù·á£s£˜cû‰†Íçƒb‘÷Ç}ªO]žkÓçÁj%¬¼SƒS5ø´‰3zÝÏÞs–äWœ¹Ïw;sâû}&ÁDÂ(ò[„%ä6-Ô~P‘xN|¸­9ô‡­ÁF^d‡\•<ÛkÒlIdu¾ª2!³ðôtÖÅ:Úsq\û½I$Ø‚?Sÿ[Bn…k¡6ãû>ûòá¶
-ï+ÜF6Þuþ}^=gÛô5Õ Œ@õµ®­ÑLKç„}RÛˆÈBFo_#y5Y«YÈ°ƒŽAóañEXûDó*å!¯¶yJIŒ/…—(™»¼Øg¹vB½fgÉ>ÜprªÅ'¸ª
LnÿË_úZ;‡1¢Iâ8L£Ð|Rʱ~)ñ+p÷_Ý||úîÿ‰bÅendstream
+ï+ÜF6Þuþ}^=gÛô5Õ Œ@õµ®­ÑLKç„}RÛˆÈBFo_#y5Y«YÈ°ƒŽAóañEXûDó*å!¯¶yJIŒ/…—(™»¼Øg¹vB½fgÉ>ÜprªÅ'¸ª
LnÿË_úZ;‡1¢Iâ8L£Ð|Rʱ~)ñ+pÀû¯n¾	>}÷ÿ‰_bÇendstream
 endobj
-1745 0 obj <<
-/Type /Page
-/Contents 1746 0 R
-/Resources 1744 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
->> endobj
-1747 0 obj <<
-/D [1745 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1748 0 obj <<
-/D [1745 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1749 0 obj <<
-/D [1745 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1750 0 obj <<
-/D [1745 0 R /XYZ 85.0394 752.3015 null]
->> endobj
-1751 0 obj <<
-/D [1745 0 R /XYZ 85.0394 746.3107 null]
->> endobj
-1752 0 obj <<
-/D [1745 0 R /XYZ 85.0394 731.5461 null]
->> endobj
-1753 0 obj <<
-/D [1745 0 R /XYZ 85.0394 728.1497 null]
->> endobj
-1754 0 obj <<
-/D [1745 0 R /XYZ 85.0394 713.3851 null]
->> endobj
-1755 0 obj <<
-/D [1745 0 R /XYZ 85.0394 709.9887 null]
->> endobj
-1756 0 obj <<
-/D [1745 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1118 0 obj <<
-/D [1745 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1757 0 obj <<
-/D [1745 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1758 0 obj <<
-/D [1745 0 R /XYZ 85.0394 648.8377 null]
->> endobj
-1759 0 obj <<
-/D [1745 0 R /XYZ 85.0394 634.0731 null]
->> endobj
-1760 0 obj <<
-/D [1745 0 R /XYZ 85.0394 630.6767 null]
->> endobj
-1761 0 obj <<
-/D [1745 0 R /XYZ 85.0394 615.9121 null]
->> endobj
 1762 0 obj <<
-/D [1745 0 R /XYZ 85.0394 612.5156 null]
->> endobj
-1763 0 obj <<
-/D [1745 0 R /XYZ 85.0394 585.7959 null]
+/Type /Page
+/Contents 1763 0 R
+/Resources 1761 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1820 0 R
 >> endobj
 1764 0 obj <<
-/D [1745 0 R /XYZ 85.0394 582.3994 null]
+/D [1762 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1765 0 obj <<
-/D [1745 0 R /XYZ 85.0394 567.6349 null]
+/D [1762 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1766 0 obj <<
-/D [1745 0 R /XYZ 85.0394 564.2384 null]
+/D [1762 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1767 0 obj <<
-/D [1745 0 R /XYZ 85.0394 549.5337 null]
+/D [1762 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1768 0 obj <<
-/D [1745 0 R /XYZ 85.0394 546.0774 null]
+/D [1762 0 R /XYZ 85.0394 746.3107 null]
 >> endobj
 1769 0 obj <<
-/D [1745 0 R /XYZ 85.0394 531.3128 null]
+/D [1762 0 R /XYZ 85.0394 731.5461 null]
 >> endobj
 1770 0 obj <<
-/D [1745 0 R /XYZ 85.0394 527.9163 null]
+/D [1762 0 R /XYZ 85.0394 728.1497 null]
 >> endobj
 1771 0 obj <<
-/D [1745 0 R /XYZ 85.0394 513.1518 null]
+/D [1762 0 R /XYZ 85.0394 713.3851 null]
 >> endobj
 1772 0 obj <<
-/D [1745 0 R /XYZ 85.0394 509.7553 null]
+/D [1762 0 R /XYZ 85.0394 709.9887 null]
 >> endobj
 1773 0 obj <<
-/D [1745 0 R /XYZ 85.0394 483.0356 null]
+/D [1762 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+1122 0 obj <<
+/D [1762 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1774 0 obj <<
-/D [1745 0 R /XYZ 85.0394 479.6391 null]
+/D [1762 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1775 0 obj <<
-/D [1745 0 R /XYZ 85.0394 464.8745 null]
+/D [1762 0 R /XYZ 85.0394 648.8377 null]
 >> endobj
 1776 0 obj <<
-/D [1745 0 R /XYZ 85.0394 461.4781 null]
+/D [1762 0 R /XYZ 85.0394 634.0731 null]
 >> endobj
 1777 0 obj <<
-/D [1745 0 R /XYZ 85.0394 446.7135 null]
+/D [1762 0 R /XYZ 85.0394 630.6767 null]
 >> endobj
 1778 0 obj <<
-/D [1745 0 R /XYZ 85.0394 443.3171 null]
+/D [1762 0 R /XYZ 85.0394 615.9121 null]
 >> endobj
 1779 0 obj <<
-/D [1745 0 R /XYZ 85.0394 428.5525 null]
+/D [1762 0 R /XYZ 85.0394 612.5156 null]
 >> endobj
 1780 0 obj <<
-/D [1745 0 R /XYZ 85.0394 425.156 null]
+/D [1762 0 R /XYZ 85.0394 585.7959 null]
 >> endobj
 1781 0 obj <<
-/D [1745 0 R /XYZ 85.0394 355.0758 null]
+/D [1762 0 R /XYZ 85.0394 582.3994 null]
 >> endobj
 1782 0 obj <<
-/D [1745 0 R /XYZ 85.0394 355.0758 null]
+/D [1762 0 R /XYZ 85.0394 567.6349 null]
 >> endobj
 1783 0 obj <<
-/D [1745 0 R /XYZ 85.0394 355.0758 null]
+/D [1762 0 R /XYZ 85.0394 564.2384 null]
 >> endobj
 1784 0 obj <<
-/D [1745 0 R /XYZ 85.0394 352.0499 null]
+/D [1762 0 R /XYZ 85.0394 549.5337 null]
 >> endobj
 1785 0 obj <<
-/D [1745 0 R /XYZ 85.0394 337.3452 null]
+/D [1762 0 R /XYZ 85.0394 546.0774 null]
 >> endobj
 1786 0 obj <<
-/D [1745 0 R /XYZ 85.0394 333.8889 null]
+/D [1762 0 R /XYZ 85.0394 531.3128 null]
 >> endobj
 1787 0 obj <<
-/D [1745 0 R /XYZ 85.0394 309.8192 null]
+/D [1762 0 R /XYZ 85.0394 527.9163 null]
 >> endobj
 1788 0 obj <<
-/D [1745 0 R /XYZ 85.0394 303.7727 null]
+/D [1762 0 R /XYZ 85.0394 513.1518 null]
 >> endobj
 1789 0 obj <<
-/D [1745 0 R /XYZ 85.0394 278.3282 null]
+/D [1762 0 R /XYZ 85.0394 509.7553 null]
 >> endobj
 1790 0 obj <<
-/D [1745 0 R /XYZ 85.0394 273.6565 null]
+/D [1762 0 R /XYZ 85.0394 483.0356 null]
 >> endobj
 1791 0 obj <<
-/D [1745 0 R /XYZ 85.0394 246.9367 null]
+/D [1762 0 R /XYZ 85.0394 479.6391 null]
 >> endobj
 1792 0 obj <<
-/D [1745 0 R /XYZ 85.0394 243.5403 null]
+/D [1762 0 R /XYZ 85.0394 464.8745 null]
 >> endobj
 1793 0 obj <<
-/D [1745 0 R /XYZ 85.0394 173.5556 null]
+/D [1762 0 R /XYZ 85.0394 461.4781 null]
 >> endobj
 1794 0 obj <<
-/D [1745 0 R /XYZ 85.0394 173.5556 null]
+/D [1762 0 R /XYZ 85.0394 446.7135 null]
 >> endobj
 1795 0 obj <<
-/D [1745 0 R /XYZ 85.0394 173.5556 null]
+/D [1762 0 R /XYZ 85.0394 443.3171 null]
 >> endobj
 1796 0 obj <<
-/D [1745 0 R /XYZ 85.0394 170.4341 null]
+/D [1762 0 R /XYZ 85.0394 428.5525 null]
 >> endobj
 1797 0 obj <<
-/D [1745 0 R /XYZ 85.0394 144.9896 null]
+/D [1762 0 R /XYZ 85.0394 425.156 null]
 >> endobj
 1798 0 obj <<
-/D [1745 0 R /XYZ 85.0394 140.3179 null]
+/D [1762 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1799 0 obj <<
-/D [1745 0 R /XYZ 85.0394 113.5982 null]
+/D [1762 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1800 0 obj <<
-/D [1745 0 R /XYZ 85.0394 110.2017 null]
+/D [1762 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1801 0 obj <<
-/D [1745 0 R /XYZ 85.0394 95.4372 null]
+/D [1762 0 R /XYZ 85.0394 352.0499 null]
 >> endobj
 1802 0 obj <<
-/D [1745 0 R /XYZ 85.0394 92.0407 null]
+/D [1762 0 R /XYZ 85.0394 337.3452 null]
 >> endobj
-1744 0 obj <<
+1803 0 obj <<
+/D [1762 0 R /XYZ 85.0394 333.8889 null]
+>> endobj
+1804 0 obj <<
+/D [1762 0 R /XYZ 85.0394 309.8192 null]
+>> endobj
+1805 0 obj <<
+/D [1762 0 R /XYZ 85.0394 303.7727 null]
+>> endobj
+1806 0 obj <<
+/D [1762 0 R /XYZ 85.0394 278.3282 null]
+>> endobj
+1807 0 obj <<
+/D [1762 0 R /XYZ 85.0394 273.6565 null]
+>> endobj
+1808 0 obj <<
+/D [1762 0 R /XYZ 85.0394 246.9367 null]
+>> endobj
+1809 0 obj <<
+/D [1762 0 R /XYZ 85.0394 243.5403 null]
+>> endobj
+1810 0 obj <<
+/D [1762 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1811 0 obj <<
+/D [1762 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1812 0 obj <<
+/D [1762 0 R /XYZ 85.0394 173.5556 null]
+>> endobj
+1813 0 obj <<
+/D [1762 0 R /XYZ 85.0394 170.4341 null]
+>> endobj
+1814 0 obj <<
+/D [1762 0 R /XYZ 85.0394 144.9896 null]
+>> endobj
+1815 0 obj <<
+/D [1762 0 R /XYZ 85.0394 140.3179 null]
+>> endobj
+1816 0 obj <<
+/D [1762 0 R /XYZ 85.0394 113.5982 null]
+>> endobj
+1817 0 obj <<
+/D [1762 0 R /XYZ 85.0394 110.2017 null]
+>> endobj
+1818 0 obj <<
+/D [1762 0 R /XYZ 85.0394 95.4372 null]
+>> endobj
+1819 0 obj <<
+/D [1762 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1761 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1805 0 obj <<
+1823 0 obj <<
 /Length 2889      
 /Filter /FlateDecode
 >>
@@ -8033,179 +8108,179 @@ id
 ¾šÈÖϺ`]Ë4OòJv‰šU
N«µƒiqLË2í«ÿa:L˜o©3†Ø°²0VVdK5Á*mPîj÷c6µ¯aÒ2ýœQ9ÛCþ’?ó®Ó<Ül|Oº\˵ËÞòFnu<0–Îwu,«ä©l2ÇÓíªg0­÷ .XÁ”ðƒ<
 ŒÛÏiueK×±ôƒƒæÏBŽãŒÄaÓj˜¹¶jÞLpð0s«tÃüD»—yK[ÏÇ"ß»ø+Vý,/MÓ­~‚é;üd'DÄñCK˜ýl~h½u Äë!ÍTò'/Ø‹PˆÇª¦•…’²j(ÙöK«´A©«ÝOÉÔ^³ïÇTìq{–«íPo‘Í#/þéºÐ湚»×,Ý…ô¦¬+#wŸ[<¹ÂùÅ!Ù±r¹
 …º#õ:ÓÊEYi(^ds›´¥«ÝÅÔOï7ÕḭD˜d™7žmôl‘‡ü€ºíÉÿ ãóa ±~ãcðÆÓÊ‚AYé´ŽbË®e•60tµû1˜Ú—YR–™>
-.Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ#‰å4i•6uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±DÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû¼¤é“ÖÓ?±N©áv3¥†f#¥æÒè¢.lå¹x	òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñÑ08¼2ڮ嗪+ñNxòÕÕ¾§ßý?˜Oaendstream
+.Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ#‰å4i•6uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±DÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû¼¤é“ÖÓ?±N©áv3¥†f#¥æÒè¢.lå¹x	òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñÑ08¼2ڮ嗪+ñØ9ùêêßÓïþ–ÎOZendstream
 endobj
-1804 0 obj <<
-/Type /Page
-/Contents 1805 0 R
-/Resources 1803 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1722 0 R
->> endobj
-1806 0 obj <<
-/D [1804 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1807 0 obj <<
-/D [1804 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1808 0 obj <<
-/D [1804 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1809 0 obj <<
-/D [1804 0 R /XYZ 56.6929 748.5056 null]
->> endobj
-1810 0 obj <<
-/D [1804 0 R /XYZ 56.6929 743.7078 null]
->> endobj
-1811 0 obj <<
-/D [1804 0 R /XYZ 56.6929 719.6381 null]
->> endobj
-1812 0 obj <<
-/D [1804 0 R /XYZ 56.6929 711.8197 null]
->> endobj
-1813 0 obj <<
-/D [1804 0 R /XYZ 56.6929 697.0552 null]
->> endobj
-1814 0 obj <<
-/D [1804 0 R /XYZ 56.6929 691.8868 null]
->> endobj
-1815 0 obj <<
-/D [1804 0 R /XYZ 56.6929 665.1671 null]
->> endobj
-1816 0 obj <<
-/D [1804 0 R /XYZ 56.6929 659.9987 null]
->> endobj
-1817 0 obj <<
-/D [1804 0 R /XYZ 56.6929 635.929 null]
->> endobj
-1818 0 obj <<
-/D [1804 0 R /XYZ 56.6929 628.1106 null]
->> endobj
-1819 0 obj <<
-/D [1804 0 R /XYZ 56.6929 601.3909 null]
->> endobj
-1820 0 obj <<
-/D [1804 0 R /XYZ 56.6929 596.2225 null]
->> endobj
-1821 0 obj <<
-/D [1804 0 R /XYZ 56.6929 569.5028 null]
->> endobj
 1822 0 obj <<
-/D [1804 0 R /XYZ 56.6929 564.3344 null]
->> endobj
-1823 0 obj <<
-/D [1804 0 R /XYZ 56.6929 549.6297 null]
+/Type /Page
+/Contents 1823 0 R
+/Resources 1821 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1820 0 R
 >> endobj
 1824 0 obj <<
-/D [1804 0 R /XYZ 56.6929 544.4015 null]
+/D [1822 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1825 0 obj <<
-/D [1804 0 R /XYZ 56.6929 529.6968 null]
+/D [1822 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1826 0 obj <<
-/D [1804 0 R /XYZ 56.6929 524.4686 null]
+/D [1822 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1827 0 obj <<
-/D [1804 0 R /XYZ 56.6929 500.3989 null]
+/D [1822 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1828 0 obj <<
-/D [1804 0 R /XYZ 56.6929 492.5805 null]
+/D [1822 0 R /XYZ 56.6929 743.7078 null]
 >> endobj
 1829 0 obj <<
-/D [1804 0 R /XYZ 56.6929 467.136 null]
+/D [1822 0 R /XYZ 56.6929 719.6381 null]
 >> endobj
 1830 0 obj <<
-/D [1804 0 R /XYZ 56.6929 460.6924 null]
+/D [1822 0 R /XYZ 56.6929 711.8197 null]
 >> endobj
 1831 0 obj <<
-/D [1804 0 R /XYZ 56.6929 436.6227 null]
+/D [1822 0 R /XYZ 56.6929 697.0552 null]
 >> endobj
 1832 0 obj <<
-/D [1804 0 R /XYZ 56.6929 428.8043 null]
+/D [1822 0 R /XYZ 56.6929 691.8868 null]
 >> endobj
 1833 0 obj <<
-/D [1804 0 R /XYZ 56.6929 414.0996 null]
+/D [1822 0 R /XYZ 56.6929 665.1671 null]
 >> endobj
 1834 0 obj <<
-/D [1804 0 R /XYZ 56.6929 408.8714 null]
+/D [1822 0 R /XYZ 56.6929 659.9987 null]
 >> endobj
 1835 0 obj <<
-/D [1804 0 R /XYZ 56.6929 382.1516 null]
+/D [1822 0 R /XYZ 56.6929 635.929 null]
 >> endobj
 1836 0 obj <<
-/D [1804 0 R /XYZ 56.6929 376.9833 null]
+/D [1822 0 R /XYZ 56.6929 628.1106 null]
 >> endobj
 1837 0 obj <<
-/D [1804 0 R /XYZ 56.6929 350.2636 null]
+/D [1822 0 R /XYZ 56.6929 601.3909 null]
 >> endobj
 1838 0 obj <<
-/D [1804 0 R /XYZ 56.6929 345.0952 null]
+/D [1822 0 R /XYZ 56.6929 596.2225 null]
 >> endobj
 1839 0 obj <<
-/D [1804 0 R /XYZ 56.6929 321.0255 null]
+/D [1822 0 R /XYZ 56.6929 569.5028 null]
 >> endobj
 1840 0 obj <<
-/D [1804 0 R /XYZ 56.6929 313.2071 null]
+/D [1822 0 R /XYZ 56.6929 564.3344 null]
 >> endobj
 1841 0 obj <<
-/D [1804 0 R /XYZ 56.6929 298.5024 null]
+/D [1822 0 R /XYZ 56.6929 549.6297 null]
 >> endobj
 1842 0 obj <<
-/D [1804 0 R /XYZ 56.6929 293.2742 null]
+/D [1822 0 R /XYZ 56.6929 544.4015 null]
 >> endobj
 1843 0 obj <<
-/D [1804 0 R /XYZ 56.6929 267.8297 null]
+/D [1822 0 R /XYZ 56.6929 529.6968 null]
 >> endobj
 1844 0 obj <<
-/D [1804 0 R /XYZ 56.6929 261.3861 null]
+/D [1822 0 R /XYZ 56.6929 524.4686 null]
 >> endobj
 1845 0 obj <<
-/D [1804 0 R /XYZ 56.6929 199.468 null]
+/D [1822 0 R /XYZ 56.6929 500.3989 null]
 >> endobj
 1846 0 obj <<
-/D [1804 0 R /XYZ 56.6929 199.468 null]
+/D [1822 0 R /XYZ 56.6929 492.5805 null]
 >> endobj
 1847 0 obj <<
-/D [1804 0 R /XYZ 56.6929 199.468 null]
+/D [1822 0 R /XYZ 56.6929 467.136 null]
 >> endobj
 1848 0 obj <<
-/D [1804 0 R /XYZ 56.6929 191.7053 null]
+/D [1822 0 R /XYZ 56.6929 460.6924 null]
 >> endobj
 1849 0 obj <<
-/D [1804 0 R /XYZ 56.6929 176.9408 null]
+/D [1822 0 R /XYZ 56.6929 436.6227 null]
 >> endobj
 1850 0 obj <<
-/D [1804 0 R /XYZ 56.6929 171.7724 null]
+/D [1822 0 R /XYZ 56.6929 428.8043 null]
 >> endobj
 1851 0 obj <<
-/D [1804 0 R /XYZ 56.6929 157.0677 null]
+/D [1822 0 R /XYZ 56.6929 414.0996 null]
 >> endobj
 1852 0 obj <<
-/D [1804 0 R /XYZ 56.6929 151.8395 null]
+/D [1822 0 R /XYZ 56.6929 408.8714 null]
 >> endobj
 1853 0 obj <<
-/D [1804 0 R /XYZ 56.6929 137.1348 null]
+/D [1822 0 R /XYZ 56.6929 382.1516 null]
 >> endobj
 1854 0 obj <<
-/D [1804 0 R /XYZ 56.6929 131.9066 null]
+/D [1822 0 R /XYZ 56.6929 376.9833 null]
 >> endobj
 1855 0 obj <<
-/D [1804 0 R /XYZ 56.6929 117.2018 null]
+/D [1822 0 R /XYZ 56.6929 350.2636 null]
 >> endobj
 1856 0 obj <<
-/D [1804 0 R /XYZ 56.6929 111.9736 null]
+/D [1822 0 R /XYZ 56.6929 345.0952 null]
 >> endobj
 1857 0 obj <<
-/D [1804 0 R /XYZ 56.6929 97.2091 null]
+/D [1822 0 R /XYZ 56.6929 321.0255 null]
 >> endobj
 1858 0 obj <<
-/D [1804 0 R /XYZ 56.6929 92.0407 null]
+/D [1822 0 R /XYZ 56.6929 313.2071 null]
 >> endobj
-1803 0 obj <<
+1859 0 obj <<
+/D [1822 0 R /XYZ 56.6929 298.5024 null]
+>> endobj
+1860 0 obj <<
+/D [1822 0 R /XYZ 56.6929 293.2742 null]
+>> endobj
+1861 0 obj <<
+/D [1822 0 R /XYZ 56.6929 267.8297 null]
+>> endobj
+1862 0 obj <<
+/D [1822 0 R /XYZ 56.6929 261.3861 null]
+>> endobj
+1863 0 obj <<
+/D [1822 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+1864 0 obj <<
+/D [1822 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+1865 0 obj <<
+/D [1822 0 R /XYZ 56.6929 199.468 null]
+>> endobj
+1866 0 obj <<
+/D [1822 0 R /XYZ 56.6929 191.7053 null]
+>> endobj
+1867 0 obj <<
+/D [1822 0 R /XYZ 56.6929 176.9408 null]
+>> endobj
+1868 0 obj <<
+/D [1822 0 R /XYZ 56.6929 171.7724 null]
+>> endobj
+1869 0 obj <<
+/D [1822 0 R /XYZ 56.6929 157.0677 null]
+>> endobj
+1870 0 obj <<
+/D [1822 0 R /XYZ 56.6929 151.8395 null]
+>> endobj
+1871 0 obj <<
+/D [1822 0 R /XYZ 56.6929 137.1348 null]
+>> endobj
+1872 0 obj <<
+/D [1822 0 R /XYZ 56.6929 131.9066 null]
+>> endobj
+1873 0 obj <<
+/D [1822 0 R /XYZ 56.6929 117.2018 null]
+>> endobj
+1874 0 obj <<
+/D [1822 0 R /XYZ 56.6929 111.9736 null]
+>> endobj
+1875 0 obj <<
+/D [1822 0 R /XYZ 56.6929 97.2091 null]
+>> endobj
+1876 0 obj <<
+/D [1822 0 R /XYZ 56.6929 92.0407 null]
+>> endobj
+1821 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1861 0 obj <<
+1879 0 obj <<
 /Length 2542      
 /Filter /FlateDecode
 >>
@@ -8215,173 +8290,173 @@ xÚ¥Z[w
 ÇÄ¡V"l·Jäë‘¢š7&vᨒ׷„°FœEÄmÊm™E]â'B‰™`µ¸÷ÕHëÖ&&s-?¦!}™fðŠÊS“}„Õ×iya] ½r°.…é$HÙ…kp>¶Pn ü@ÄHB;I ¡]Ktº8ól«ËGXáÝÄjù°P-Ã0MÀL(6ƒ‹º'wiÞ@‰Úh¢¾ÀG°5Ø|=¤E»KžùóHž5Ì\‡€¶¨–ç¥fºÙ¾i¾íU…ôN‰!¸›RÆ•”A9vPî‚68b[H7Á9£ÂÅØ|šÒ„»>»i*°µÇ×€%Á	/ŒxéÊÅÚØÏ÷Fâ(ßWæÃEtšDœ@Æ6}8@aÇ8¿Á¸¸WK8ßù¢W7é~§Åö5‚ð &ÐA]Ê榔p-eî(ƒÐágØã„÷ÀŸNÅm¹c<€Ó¨ó™^C‰U·„óó`Ê
 ‘gDDvXýZdüR±(’>¬Ž%PØ×q#êâ,«%7æ-y¨^ôB0WD¡õˈ…§JøŸrö³:û ¸ÊY'ˆŒ¨2”¨‚æËÓF@¨µ> ‡ÐÈ¿P˜R3RRº›‚ÐaF.hÃŒ†Ø32Á¿Ö­uˆ]Vçê(•:_ÝübU”¥ÜàÓ\ÄÞ¢zÉšªí‡Än¥
œ¼œKðˆ	zløÓô´Eé˜éÛ EðÂñ…v”r¡¤4$pt‘Nhƒˆ!¶…\g„P×üPÔnppSŽiñ£Gkñž½y#$¾Äæt‡$dúÉWþ-gd¦vÕ×îÁw~áì”ù«¼@?½Ü„þ¯~ùÑEy¹Ns˜-b+Ÿ~D½(¼”.L);ŸZªã“:ŠG'tÇçö8Ÿ=ð…ž¾³¢‹Þ)—’UÁÀùTõÇg9µcºrÖ(£úÿ¬·é¶ÝM¼ƒ¼tBZ¤.éQäèá\¸)`'òšA7FØÖ¨™-b¸"2ú]¨JÑŽ¼¡ Ý—àyõ`è×’5J%^ƒúû“¤¨sÆщ7àØN¡^€‚¥€)å JIi¦ 7;˜rAT
±-\™àKþåW²­›$œ.Nͨ¼ŒóÎÄ’ˆƒüH¹ùI4}çsñvõM42¼ùàç¼+KëFÞo·›u=êTt„)ºC(ù>Š»ïÚñ7ßµ„ž©«{ˆôíDB—-Ô…/{¦”ƒH%¥‰LËå\БCl‘&¸®éVOÅxê¨Ò¢îŠ¼³/÷üÓjžlü›òž:Gkêå©Òžª”«­ÞëÊÙ6ìØ¥0Xfâ{1Oý™øãK]æ¬a4°´Ã1gˆýªó½ý^1ã+êyˆ±Ø&GÁXܶ`JÙmAK]”#):¡;[8÷…¸°?œÞvC8k£'ü¿gå¾JoहXùì(0Cß‹)MÌá(žÞxâ»T|dy.wÚ/&>tËÛ·Sþ“«)ÿ”³¬)˜þîH°äö–RšŽ]Ydd¥£ð{ó˜ÿ¡…×ÐînJ9(VRºî	#G£ì„6(b[(6Á¯³B§­ÏéS=sv–iG{
-9±ôIŒ»©Òï¯bF²SÁà´?Õæ!±ò¡‘n!;J¨û$9úhnÇÁxœY8YŒ!à4¼ªÅœ7%ÿo6×°(£2ùP.ì÷ba¯¾ëÇÊ+à.kVœ¸¥7álE‘9ôˆAWܧ«»­Ì›òž[ݨϧÌøƧSþ3ŸŸxYAFméÿÿ ˘OF‰m3Ù…«‡j»#”]ÿtëüÙÿ“ƒ÷øendstream
+9±ôIŒ»©Òï¯bF²SÁà´?Õæ!±ò¡‘n!;J¨û$9úhnÇÁxœY8YŒ!à4¼ªÅœ7%ÿo6×°(£2ùP.ì÷ba¯¾ëÇÊ+à.kVœ¸¥7álE‘9ôˆAWܧ«»­Ì›òž[ݨϧÌøƧSþ3ŸŸxYAFméÿÿ ˘OF‰m3Ù…«‡j»#|ö{1ýÓ­ógÿ/’P÷ñendstream
 endobj
-1860 0 obj <<
-/Type /Page
-/Contents 1861 0 R
-/Resources 1859 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1913 0 R
->> endobj
-1862 0 obj <<
-/D [1860 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1863 0 obj <<
-/D [1860 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1864 0 obj <<
-/D [1860 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1865 0 obj <<
-/D [1860 0 R /XYZ 85.0394 748.4854 null]
->> endobj
-1866 0 obj <<
-/D [1860 0 R /XYZ 85.0394 743.3452 null]
->> endobj
-1867 0 obj <<
-/D [1860 0 R /XYZ 85.0394 728.6405 null]
->> endobj
-1868 0 obj <<
-/D [1860 0 R /XYZ 85.0394 723.1655 null]
->> endobj
-1869 0 obj <<
-/D [1860 0 R /XYZ 85.0394 708.4607 null]
->> endobj
-1870 0 obj <<
-/D [1860 0 R /XYZ 85.0394 702.9857 null]
->> endobj
-1871 0 obj <<
-/D [1860 0 R /XYZ 85.0394 688.2211 null]
->> endobj
-1872 0 obj <<
-/D [1860 0 R /XYZ 85.0394 682.8059 null]
->> endobj
-1873 0 obj <<
-/D [1860 0 R /XYZ 85.0394 668.0414 null]
->> endobj
-1874 0 obj <<
-/D [1860 0 R /XYZ 85.0394 662.6262 null]
->> endobj
-1875 0 obj <<
-/D [1860 0 R /XYZ 85.0394 599.7666 null]
->> endobj
-1876 0 obj <<
-/D [1860 0 R /XYZ 85.0394 599.7666 null]
->> endobj
-1877 0 obj <<
-/D [1860 0 R /XYZ 85.0394 599.7666 null]
->> endobj
 1878 0 obj <<
-/D [1860 0 R /XYZ 85.0394 591.7571 null]
->> endobj
-1879 0 obj <<
-/D [1860 0 R /XYZ 85.0394 565.0374 null]
+/Type /Page
+/Contents 1879 0 R
+/Resources 1877 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1820 0 R
 >> endobj
 1880 0 obj <<
-/D [1860 0 R /XYZ 85.0394 559.6222 null]
+/D [1878 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1881 0 obj <<
-/D [1860 0 R /XYZ 85.0394 534.1777 null]
+/D [1878 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1882 0 obj <<
-/D [1860 0 R /XYZ 85.0394 527.4872 null]
+/D [1878 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1883 0 obj <<
-/D [1860 0 R /XYZ 85.0394 502.0427 null]
+/D [1878 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1884 0 obj <<
-/D [1860 0 R /XYZ 85.0394 495.3523 null]
+/D [1878 0 R /XYZ 85.0394 743.3452 null]
 >> endobj
 1885 0 obj <<
-/D [1860 0 R /XYZ 85.0394 420.5376 null]
+/D [1878 0 R /XYZ 85.0394 728.6405 null]
 >> endobj
 1886 0 obj <<
-/D [1860 0 R /XYZ 85.0394 420.5376 null]
+/D [1878 0 R /XYZ 85.0394 723.1655 null]
 >> endobj
 1887 0 obj <<
-/D [1860 0 R /XYZ 85.0394 420.5376 null]
+/D [1878 0 R /XYZ 85.0394 708.4607 null]
 >> endobj
 1888 0 obj <<
-/D [1860 0 R /XYZ 85.0394 412.5281 null]
+/D [1878 0 R /XYZ 85.0394 702.9857 null]
 >> endobj
 1889 0 obj <<
-/D [1860 0 R /XYZ 85.0394 388.4584 null]
+/D [1878 0 R /XYZ 85.0394 688.2211 null]
 >> endobj
 1890 0 obj <<
-/D [1860 0 R /XYZ 85.0394 380.3932 null]
+/D [1878 0 R /XYZ 85.0394 682.8059 null]
 >> endobj
 1891 0 obj <<
-/D [1860 0 R /XYZ 85.0394 365.6884 null]
+/D [1878 0 R /XYZ 85.0394 668.0414 null]
 >> endobj
 1892 0 obj <<
-/D [1860 0 R /XYZ 85.0394 360.2134 null]
+/D [1878 0 R /XYZ 85.0394 662.6262 null]
 >> endobj
 1893 0 obj <<
-/D [1860 0 R /XYZ 85.0394 345.4488 null]
+/D [1878 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1894 0 obj <<
-/D [1860 0 R /XYZ 85.0394 340.0336 null]
+/D [1878 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1895 0 obj <<
-/D [1860 0 R /XYZ 85.0394 325.269 null]
+/D [1878 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1896 0 obj <<
-/D [1860 0 R /XYZ 85.0394 319.8539 null]
+/D [1878 0 R /XYZ 85.0394 591.7571 null]
 >> endobj
 1897 0 obj <<
-/D [1860 0 R /XYZ 85.0394 295.7842 null]
+/D [1878 0 R /XYZ 85.0394 565.0374 null]
 >> endobj
 1898 0 obj <<
-/D [1860 0 R /XYZ 85.0394 287.7189 null]
+/D [1878 0 R /XYZ 85.0394 559.6222 null]
 >> endobj
 1899 0 obj <<
-/D [1860 0 R /XYZ 85.0394 272.9543 null]
+/D [1878 0 R /XYZ 85.0394 534.1777 null]
 >> endobj
 1900 0 obj <<
-/D [1860 0 R /XYZ 85.0394 267.5392 null]
+/D [1878 0 R /XYZ 85.0394 527.4872 null]
 >> endobj
 1901 0 obj <<
-/D [1860 0 R /XYZ 85.0394 252.7746 null]
+/D [1878 0 R /XYZ 85.0394 502.0427 null]
 >> endobj
 1902 0 obj <<
-/D [1860 0 R /XYZ 85.0394 247.3594 null]
+/D [1878 0 R /XYZ 85.0394 495.3523 null]
 >> endobj
 1903 0 obj <<
-/D [1860 0 R /XYZ 85.0394 223.2897 null]
+/D [1878 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1904 0 obj <<
-/D [1860 0 R /XYZ 85.0394 215.2245 null]
+/D [1878 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1905 0 obj <<
-/D [1860 0 R /XYZ 85.0394 149.4956 null]
+/D [1878 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1906 0 obj <<
-/D [1860 0 R /XYZ 85.0394 149.4956 null]
+/D [1878 0 R /XYZ 85.0394 412.5281 null]
 >> endobj
 1907 0 obj <<
-/D [1860 0 R /XYZ 85.0394 149.4956 null]
+/D [1878 0 R /XYZ 85.0394 388.4584 null]
 >> endobj
 1908 0 obj <<
-/D [1860 0 R /XYZ 85.0394 144.3554 null]
+/D [1878 0 R /XYZ 85.0394 380.3932 null]
 >> endobj
 1909 0 obj <<
-/D [1860 0 R /XYZ 85.0394 120.2857 null]
+/D [1878 0 R /XYZ 85.0394 365.6884 null]
 >> endobj
 1910 0 obj <<
-/D [1860 0 R /XYZ 85.0394 112.2205 null]
+/D [1878 0 R /XYZ 85.0394 360.2134 null]
 >> endobj
 1911 0 obj <<
-/D [1860 0 R /XYZ 85.0394 97.4559 null]
+/D [1878 0 R /XYZ 85.0394 345.4488 null]
 >> endobj
 1912 0 obj <<
-/D [1860 0 R /XYZ 85.0394 92.0407 null]
+/D [1878 0 R /XYZ 85.0394 340.0336 null]
 >> endobj
-1859 0 obj <<
+1913 0 obj <<
+/D [1878 0 R /XYZ 85.0394 325.269 null]
+>> endobj
+1914 0 obj <<
+/D [1878 0 R /XYZ 85.0394 319.8539 null]
+>> endobj
+1915 0 obj <<
+/D [1878 0 R /XYZ 85.0394 295.7842 null]
+>> endobj
+1916 0 obj <<
+/D [1878 0 R /XYZ 85.0394 287.7189 null]
+>> endobj
+1917 0 obj <<
+/D [1878 0 R /XYZ 85.0394 272.9543 null]
+>> endobj
+1918 0 obj <<
+/D [1878 0 R /XYZ 85.0394 267.5392 null]
+>> endobj
+1919 0 obj <<
+/D [1878 0 R /XYZ 85.0394 252.7746 null]
+>> endobj
+1920 0 obj <<
+/D [1878 0 R /XYZ 85.0394 247.3594 null]
+>> endobj
+1921 0 obj <<
+/D [1878 0 R /XYZ 85.0394 223.2897 null]
+>> endobj
+1922 0 obj <<
+/D [1878 0 R /XYZ 85.0394 215.2245 null]
+>> endobj
+1923 0 obj <<
+/D [1878 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1924 0 obj <<
+/D [1878 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1925 0 obj <<
+/D [1878 0 R /XYZ 85.0394 149.4956 null]
+>> endobj
+1926 0 obj <<
+/D [1878 0 R /XYZ 85.0394 144.3554 null]
+>> endobj
+1927 0 obj <<
+/D [1878 0 R /XYZ 85.0394 120.2857 null]
+>> endobj
+1928 0 obj <<
+/D [1878 0 R /XYZ 85.0394 112.2205 null]
+>> endobj
+1929 0 obj <<
+/D [1878 0 R /XYZ 85.0394 97.4559 null]
+>> endobj
+1930 0 obj <<
+/D [1878 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1877 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1916 0 obj <<
+1933 0 obj <<
 /Length 2121      
 /Filter /FlateDecode
 >>
@@ -8394,119 +8469,119 @@ Z9
 aÜo汆ÆÙ3¨¢sõd¥Ë*^ÉÛXxùÎR~ȬتýÁŠüˆ9w›m&U¿Øé½cïU¢Àâ,pò¢2ª‹ö6°L@ÎU\¿²q8.€6býN}×I?âL¥°Ž	®üHU®‹}fFµVÕx•øý}_à»*ê¬cIj†\m­17ÂÞÔ©ÏpÐƺû<3ú$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê‰¸jHññBçç®:s%võrá‹(+$-K¢èp
 uüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­
/œ÷z‰?Ö)\6;6jVìÙ+†ÎRZ/ÙÉT[?뙉WÃ
 BRSOÄú1£ìô<(AD]­Xx©°óZìM¬¸¾{˜åºP¬ú\J"VßCÞäN¹Qï3;¡Ô»pý²©Î“	ì‚™8
-ÓÙ„õç‘A­Ç> endobj
-1917 0 obj <<
-/D [1915 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1918 0 obj <<
-/D [1915 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1919 0 obj <<
-/D [1915 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1920 0 obj <<
-/D [1915 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-1921 0 obj <<
-/D [1915 0 R /XYZ 56.6929 746.6461 null]
->> endobj
-1922 0 obj <<
-/D [1915 0 R /XYZ 56.6929 722.5763 null]
->> endobj
-1923 0 obj <<
-/D [1915 0 R /XYZ 56.6929 716.7581 null]
->> endobj
-1924 0 obj <<
-/D [1915 0 R /XYZ 56.6929 701.9936 null]
->> endobj
-1925 0 obj <<
-/D [1915 0 R /XYZ 56.6929 698.8254 null]
->> endobj
-1926 0 obj <<
-/D [1915 0 R /XYZ 56.6929 684.1207 null]
->> endobj
-1927 0 obj <<
-/D [1915 0 R /XYZ 56.6929 680.8926 null]
->> endobj
-1928 0 obj <<
-/D [1915 0 R /XYZ 56.6929 656.8229 null]
->> endobj
-1929 0 obj <<
-/D [1915 0 R /XYZ 56.6929 651.0047 null]
->> endobj
-1930 0 obj <<
-/D [1915 0 R /XYZ 56.6929 636.3 null]
->> endobj
-1931 0 obj <<
-/D [1915 0 R /XYZ 56.6929 633.072 null]
->> endobj
 1932 0 obj <<
-/D [1915 0 R /XYZ 56.6929 609.0023 null]
->> endobj
-1933 0 obj <<
-/D [1915 0 R /XYZ 56.6929 603.184 null]
+/Type /Page
+/Contents 1933 0 R
+/Resources 1931 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1820 0 R
 >> endobj
 1934 0 obj <<
-/D [1915 0 R /XYZ 56.6929 579.1143 null]
+/D [1932 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1935 0 obj <<
-/D [1915 0 R /XYZ 56.6929 573.2961 null]
+/D [1932 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1936 0 obj <<
-/D [1915 0 R /XYZ 56.6929 558.5914 null]
+/D [1932 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1937 0 obj <<
-/D [1915 0 R /XYZ 56.6929 555.3634 null]
+/D [1932 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1938 0 obj <<
-/D [1915 0 R /XYZ 56.6929 540.5988 null]
+/D [1932 0 R /XYZ 56.6929 746.6461 null]
 >> endobj
 1939 0 obj <<
-/D [1915 0 R /XYZ 56.6929 537.4306 null]
+/D [1932 0 R /XYZ 56.6929 722.5763 null]
 >> endobj
 1940 0 obj <<
-/D [1915 0 R /XYZ 56.6929 510.7109 null]
+/D [1932 0 R /XYZ 56.6929 716.7581 null]
 >> endobj
 1941 0 obj <<
-/D [1915 0 R /XYZ 56.6929 507.5427 null]
->> endobj
-654 0 obj <<
-/D [1915 0 R /XYZ 56.6929 477.5928 null]
+/D [1932 0 R /XYZ 56.6929 701.9936 null]
 >> endobj
 1942 0 obj <<
-/D [1915 0 R /XYZ 56.6929 453.2532 null]
->> endobj
-658 0 obj <<
-/D [1915 0 R /XYZ 56.6929 369.7201 null]
+/D [1932 0 R /XYZ 56.6929 698.8254 null]
 >> endobj
 1943 0 obj <<
-/D [1915 0 R /XYZ 56.6929 345.3805 null]
+/D [1932 0 R /XYZ 56.6929 684.1207 null]
 >> endobj
 1944 0 obj <<
-/D [1915 0 R /XYZ 56.6929 310.6805 null]
+/D [1932 0 R /XYZ 56.6929 680.8926 null]
 >> endobj
 1945 0 obj <<
-/D [1915 0 R /XYZ 56.6929 310.6805 null]
+/D [1932 0 R /XYZ 56.6929 656.8229 null]
 >> endobj
 1946 0 obj <<
-/D [1915 0 R /XYZ 56.6929 310.6805 null]
+/D [1932 0 R /XYZ 56.6929 651.0047 null]
 >> endobj
 1947 0 obj <<
-/D [1915 0 R /XYZ 56.6929 310.6805 null]
+/D [1932 0 R /XYZ 56.6929 636.3 null]
 >> endobj
-1914 0 obj <<
+1948 0 obj <<
+/D [1932 0 R /XYZ 56.6929 633.072 null]
+>> endobj
+1949 0 obj <<
+/D [1932 0 R /XYZ 56.6929 609.0023 null]
+>> endobj
+1950 0 obj <<
+/D [1932 0 R /XYZ 56.6929 603.184 null]
+>> endobj
+1951 0 obj <<
+/D [1932 0 R /XYZ 56.6929 579.1143 null]
+>> endobj
+1952 0 obj <<
+/D [1932 0 R /XYZ 56.6929 573.2961 null]
+>> endobj
+1953 0 obj <<
+/D [1932 0 R /XYZ 56.6929 558.5914 null]
+>> endobj
+1954 0 obj <<
+/D [1932 0 R /XYZ 56.6929 555.3634 null]
+>> endobj
+1955 0 obj <<
+/D [1932 0 R /XYZ 56.6929 540.5988 null]
+>> endobj
+1956 0 obj <<
+/D [1932 0 R /XYZ 56.6929 537.4306 null]
+>> endobj
+1957 0 obj <<
+/D [1932 0 R /XYZ 56.6929 510.7109 null]
+>> endobj
+1958 0 obj <<
+/D [1932 0 R /XYZ 56.6929 507.5427 null]
+>> endobj
+654 0 obj <<
+/D [1932 0 R /XYZ 56.6929 477.5928 null]
+>> endobj
+1959 0 obj <<
+/D [1932 0 R /XYZ 56.6929 453.2532 null]
+>> endobj
+658 0 obj <<
+/D [1932 0 R /XYZ 56.6929 369.7201 null]
+>> endobj
+1960 0 obj <<
+/D [1932 0 R /XYZ 56.6929 345.3805 null]
+>> endobj
+1961 0 obj <<
+/D [1932 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1962 0 obj <<
+/D [1932 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1963 0 obj <<
+/D [1932 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1964 0 obj <<
+/D [1932 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1931 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1950 0 obj <<
+1967 0 obj <<
 /Length 1945      
 /Filter /FlateDecode
 >>
@@ -8517,44 +8592,44 @@ O3i_
 ! ˆ(ñ7|Ùl‹²†B ù¼¬WÍn[ôeƒ•Ï×»‘Í›Öí€U¦ŽÖ
 š~ã\¹ŸåcåˆÜ7ME+€a{·#¤5€×kâ¤Zë>¦=‰ÒwÇnÅÓùmOT8åꈷy‡ŽºŒü™ê°*"ÖKH,£][‡@î7ŽÈEÝ=Ãq‘Zôa›—5ðиßïj·¤å©²=#-DZ q;2.ááȈ3t€Ò-Ae³OM×Ç‚ª–·•²ò˶¬Ë1ïú]Ñ7^x ï;7á l>Tœ.ݲ1Û÷
ö¤äîµÛ4
ŠnùQŒ––auÛÑÒ£[(…_nVô-û°½„
kþ,d`…â|Oáþöè¢gZ¥h«ìÁ|ƒ›ýwß·ûýGðùg¸›ÝËv=´C‡BDúnŠ'¶`WàG«}½À˜(ªá<¸ÍzÂà
 ³‰1éï\³\«XûXÌΚeyn@Çœ¥iJÿ¦ê7Í~½™8Jè8•ºvµ2eàÁÀUJÎkŒñª:àÌ›{Iôç²ßmÑl·`ý¤*kGkëýÖÕ}‡Wg$\.qU×צè‰æE¿Ûf ü=ãšR7€ÕB¹»ýB(bŠ%%}r¡h©ëCŽ8†(ÎŽ™JVÎç;C´Gˆ½
»=(½;Ф	DïÀxÆØ$õÔ$ä½	··¨X7$̉ˆnw˜‘ßêùóÆÕ4Âtò²È§9Âêp‘ÉfÚ«Lfc@¤OØð]—O®Fõšÿ³®ÊïŽè®ØU¥˜`úEÑÁiJÙMZ3{{÷ž8ò€ºm!øA÷âxR³šŒ	x‰¡¾X—Lj¢7ƒw6ÏdµDãÓ*züÛ}Õ—måN£»GòcX,»nïB”Ÿø…âÀ.7€Á
³áÆN‚lF)A‘ïK¥B1”phµ$Š?(¾°© J׺E‰N¸ y,{*Œ›TCV|i@ÉsïyÍ€^5繬ª XŠ2 —Ô«‚QÕ%jUvä–¨e=á‹Â&¤ˆêk×/^ê©žb*Ëàá$@º‘¿/šz5!÷¸Ñ‘82ÿ¿(Fd	¿éɵ1&ŒÎH>ÀŽc\|a“ŽIëë³É®Z_Èll}@
^ñ}Ûßè!0\E᥮þ#:ötM0!ßmzì)¢¡,<ƒyfÇ–ò}“ÍBà§ðëºÐ Õ;(P;ØZêG¨;ZZºUÖÑ:
-7Ñ[¤ʘÐ×ìbyíòTSþ*¤Ñ›þüïŸ?}øÏkx»Åb¦˜Í¬ü:5¿ßDU)ÇŸªŸ
µƒ8Èa€\Ô¢7…r$sÍ´gõȇ½á'®ƒ“¶…ü¹ŒYÍu\¼œcN‘‚³N¦{ß`Bɺ½£/uµ0x÷‘¾ô{ƒo™1§tDm ¦«¢¥I¨í0ê¯ÂõMK`•{rÑè•ý!`zfó%5YH§Î-œ1ñ³¼eL–ÅBç£ëMÓÙ+5´‚çžy1W±»M—ª¢T£ªÊ!Å¢´¼:Ë/
ðw¿F“™C]ôª^®×"‡¤aÉ~\”,†Ïpî‰4êHi0Fë)šP´ƒ4ʧۻ˜@`eè¡¡„*œžõÐÈøîcäwH¨©Ômá/„íàÍ]tì¦}²÷/açïðãó˜áϲ“íÀ’yèÙÑo#\Ó/U€·Äùqü/Ïû/Ð6ž‚endstream
+7Ñ[¤ʘÐ×ìbyíòTSþ*¤Ñ›þüïŸ?}øÏkx»Åb¦˜Í¬ü:5¿ßDU)ÇŸªŸ
µƒ8Èa€\Ô¢7…r$sÍ´gõȇ½á'®ƒ“¶…ü¹ŒYÍu\¼œcN‘‚³N¦{ß`Bɺ½£/uµ0x÷‘¾ô{ƒo™1§tDm ¦«¢¥I¨í0ê¯ÂõMK`•{rÑè•ý!`zfó%5YH§Î-œ1ñ³¼eL–ÅBç£ëMÓÙ+5´‚çžy1W±»M—ª¢T£ªÊ!Å¢´¼:Ë/
ðw¿F“™C]ôª^®×"‡¤aÉ~\”,†Ïpî‰4êHi0Fë)šP´ƒ4ʧۻ˜@`eè¡¡„*œžõÐÈøîcäwH¨©Ômá/„íàÍ]tì¦}²÷/açïðãó˜áϲ“íÀ’yèÙÑo#\Ó/UB7üÀûò¼ÿÐŽž„endstream
 endobj
-1949 0 obj <<
+1966 0 obj <<
 /Type /Page
-/Contents 1950 0 R
-/Resources 1948 0 R
+/Contents 1967 0 R
+/Resources 1965 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1913 0 R
+/Parent 1820 0 R
 >> endobj
-1951 0 obj <<
-/D [1949 0 R /XYZ 85.0394 794.5015 null]
+1968 0 obj <<
+/D [1966 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 662 0 obj <<
-/D [1949 0 R /XYZ 85.0394 769.5949 null]
+/D [1966 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1952 0 obj <<
-/D [1949 0 R /XYZ 85.0394 573.0107 null]
+1969 0 obj <<
+/D [1966 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
 666 0 obj <<
-/D [1949 0 R /XYZ 85.0394 573.0107 null]
+/D [1966 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-1953 0 obj <<
-/D [1949 0 R /XYZ 85.0394 538.4209 null]
+1970 0 obj <<
+/D [1966 0 R /XYZ 85.0394 538.4209 null]
 >> endobj
-1954 0 obj <<
-/D [1949 0 R /XYZ 85.0394 504.6118 null]
+1971 0 obj <<
+/D [1966 0 R /XYZ 85.0394 504.6118 null]
 >> endobj
-1955 0 obj <<
-/D [1949 0 R /XYZ 85.0394 432.7569 null]
+1972 0 obj <<
+/D [1966 0 R /XYZ 85.0394 432.7569 null]
 >> endobj
-1956 0 obj <<
-/D [1949 0 R /XYZ 85.0394 303.3232 null]
+1973 0 obj <<
+/D [1966 0 R /XYZ 85.0394 303.3232 null]
 >> endobj
-1948 0 obj <<
+1965 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1959 0 obj <<
+1976 0 obj <<
 /Length 3824      
 /Filter /FlateDecode
 >>
@@ -8574,65 +8649,68 @@ h
 £L¨¸Â›2Ž¤Šà˜ÊjŽŠåû]>ê|“(ÑÆô®³av½Ò»^q¬$C“¡Ç|qYðw)Ð÷þæ Wr–ÇëçbÙ–Ÿ‹ÿx…f&@Ã2Ô\ÙZ6Ýmž	_•˜¡áÁKa¸t…'z ù²ªr±ØðP> endobj
-1960 0 obj <<
-/D [1958 0 R /XYZ 56.6929 794.5015 null]
+1977 0 obj <<
+/D [1975 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1961 0 obj <<
-/D [1958 0 R /XYZ 56.6929 752.1413 null]
+1978 0 obj <<
+/D [1975 0 R /XYZ 56.6929 752.1413 null]
 >> endobj
-1962 0 obj <<
-/D [1958 0 R /XYZ 56.6929 501.191 null]
+1979 0 obj <<
+/D [1975 0 R /XYZ 56.6929 501.191 null]
 >> endobj
-1957 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R /F11 1441 0 R >>
+1974 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R /F11 1449 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1965 0 obj <<
+1982 0 obj <<
 /Length 3111      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZmoÛ8þž_áoç k•õÆöCÚtYì¶Ù‹ÛC›Š¥ÄBlÉkÉÉùßßgH½Xrw‡5E9ÃáÃg†däLÀ?9KBO(Ìbx¡álµ½³'hûùB²ÌÂ
--ºR–ïRñL{:ò£Ùò±3Vâ‰$‘³eöm~u{ûéóõÍŸ—?óÞå"bþÛÕç¯W¿RÝí¥öçW?ºƒÏ(>I‹ÄüúæçËûå/Ÿ–Θ®ÁR(´ä¯‹o÷b–Ý¿\Oé$œ½Â‡ð¤Öþl{„Ê¥lÍæâîâw7`§Õts@¨/Lüxľó@¨½HAzàczhŠª¼\(ÏëuuØdT~Èé·IŸsn~]ÛÒ¡.Ê'n_çè…÷?²£K&—$"QËâH2={$Ø#•d‘j×Úa·‡MS,u¾gûŽu“okúHëÖSxÎXˆæ«´ìÏᥨ‹‡
%Ú2[€·½D«JÒÓaè3Ìh~¬æÕ¡Ù,óÇý¥LæÕ–Zvõw^†ÿ$‹îIF6ßnŒzo6«éc]ÔMµ?’èw!üM@R‰˜ÿÃøeدX\Þ¼Œ,¬4Å*%aëkѬ٥]·+í{J|öiV<ù=ð4±Ì8 nm.ÓmN
-DìáX=ÿÀZ¼àrø!öIÑAa2/jªùëï‹<£2ϳšÚ›ŠªžËêÕöͩɬÖ¤%÷K7OÕæ·å¾¬E;-9y	zQEó›’Z?Ü|¾þÁ*)ê¾YUæ<ˆ$8§G„°£•~)2V!æéŽ+wû"mò¯K!Š ]z¾›eÿúéË0œÿ“ùr»¼ùòùndžàt@¨å9”ÆžôeÌf´ë’ã4% ’yyØ>¥´´q‹šÄÅ"¬6Ìu€<à`ämÃoÐòÀÒ)}¶­Œr^~Âl¾Ê³‰»Í¯‹'V‡¡edÿ¼$J,i¿Û·žŽcK
-œF¾ÖF2éZX“6‚‹dÉ>ŠÐPŽ•Jú^DA=ÉMFM8_26E[ç)B±bà	l9R­%TÀ2!ãŽdÓh•X"(«1®P@&¾e7l`ì2B¾6ó°-OK¢v¨5x5V˜5ñ¼¾ I¬ç?ã_$`œ”ý ’Ö´žàµùKº9 e)©ŒaXçH	+7ÅsNÕ”È`ÁâÛqwìa0'Ð1ºùH
ëôeØñ±ÚoÇÀ##/N´Í
-ÞÑ<²m#îL”%‘ï"€ULziŸp† ¼ GaÁ{—9òï'™²ðDYx†(Ba4µg¡EWÊ$¶A2’Ø:)3Ëoeu߬vCÅR”#ñ†f'uªz€¼6†èþŠ;AÁì¿e¸ääBUC5°ÜSiùñ–Ú8­†*ãZʬ±fb¦ž2 °E$4¯dùc
-1…drDû¿µPÄ@ŽÔRáëõ-C×Ã¥;”›¼¶+WÒïÕŸ?ýÁœÌÜ}ãj,g²Æ–~¡¡nY½à¡là€â*­™ÅSú1î0-UYRTéL©ÞŒ ©RúoÀ¨#uFVÊÁèeu‚"ø8ñÃóŠÔ©æŠ$ 
RòžjBQàP$ECQàP$,ŠÙC‘°(
-º(
-áб\F`6À0¥¡J#v,›ô_Tn˜mÃ^ú$p.pùgw£
C’ô|¡í	¯`Ò|é…R…S™wÎüÑâí!]=¿¦mà2 Ùîà8ôPlŠæx)¥DšRRÐæ@‰ï¾¼¬ð›@†PF6Bž9¤·0jV‡¢Á¶I¼±ïIçñÖ•šÆ›“rÞ„èQíó̅‹µŸœWî¤NµNß!äùì«¿AÍ6«€ý%²J{ô„33mfALb*8gØç›ä\à†‡ÝŸfÔNQ¶“˜qütŠ52cék\Eløp¤jf8¤i)¢3$u) _?‘ƒtÓMÓÌ|Ññ…p¬òÃ8|cI;Rg–ÔJ™%ͪmZ”?b>mO×½u…Á£DÄç-pR§&ô×lˆ x÷L¸Ã„NE6U€B“{U„iHmE*únR\ì~?X¼
—i^#áKHFu`Ï݉¬
 
-ù"nï"”t³ãd[½ËW.ó6
lU:r¶\(¥½Rž>½tmí¦/ˆtänL8Um
-“]Erü<@ÊžÔßçÍêý>¯«ÍËÔ©Zê`žÐN4á“"NÜC÷S ¯¿2²³2L‘+ÑDïÐÚ÷•l¯ãÂþåCâÁYÀÚûu¬Ö#f‚Y+žÜŠ¹ñ¼»¯žÀOåäžRqä~øÆžêJMï)'åh²Å(MžUÞÒä‰öqšì©7¡)É„fˆqš±†B3–øÌ¡{+Š
´¢Ø’åë’·‚χ£=¹ä,~Ñ4N¶Ø<
-[ˆéPíµ,C–Ïx£+?gHl!Ûæ@üQÖxä³g/÷\:tÒ;r çy÷öüo¢À4ÊTà…A½²ŽÔ”Y©eëêuiqàÅB½a€“:µ`pá¥àƒ°oÂ-Å-r¡­ë,k÷½Tzèlœ»Î4çIˆƒ]Ænn§¦],/òã7<Ü
-q09ÿÂêŽFÅà‹à¬j't¢»ïÚHzq(ãžòëÜ^K¤íI¥¡*¬a—Ö}×˪±™Êª+Þöå™Ïë:çËJ?†S=i}¾”÷ùÔ´ØkxSÎH
-gˆ¯nGªïÜëÃ]51ŸVÍ›%”^ÒM‘1aúô,‹’0ÂÁ%ŠX¿ZñÝ)…"´¨"Ñ“çÉï_0[”ÌwÕæ’ñÕ±;«¤{-ÌM€P°~?Jj*ÊOóÚv1·½]q è\Ž÷f=1Ù¤;Y0®3ߤõì[!ZR¿Ö¡ÐypÖ{ òËí_×_¾.©bŸ–Oø†(3[Áƒñlé‹'«ÝsÔíÒ=ë1^Ô’½…®U¯imGì,æÈTìmŠËJœ—&)ïM%û<Åt¥¦)ÆI9ŠY§˜³Ê[Š9Ñ>N1=õ†b`crª–Ø5M$S–ÈÛPøxM¿H1«u¾z¦­5YQã‰0ã?2€Ã2X0a²;Je@>±6õYÆOü¶—{ÈÇ¡ª3¬2Ì5éãúóÝݧ½åv'Äê±—XÒÅÐ$àdìo¥–¡i X¡›É{ÛsZÛkÛ¡Úñ[Û®ÞkzÄÊ×ù÷~é|üõêîÎÞ‘çeçeÔåíN¶ÏU“n…X¯ü7žUZ™i§²L{ÓÛÀbŸ¸r—D`Îhu2Cµƒ?NÑ°ý¢°«÷¿óérùëÿÉ£öäzø—X#sî#þç?øjÿœ-À¿¾I&^ð £”–Ö(t“”jhºûÓ°SÛÿ
Q¨¯[endstream
+xÚ­ZmoÛ8þž_áoç k•E½°Ò¦»Èb·Ín\ÜÚ|P,%bK^KNÎÿþf8CêÅ’s¸;¨)rÈ>3$#gþÉY¬=¡’`%§…Ô³ÕöBÌž íçÉ2+´èJ}X^¼ÿIE³ÄKB?œ-;cÅžˆc9[fßæW··Ÿ>_ßüy¹ðµ˜ð.ZˆùoWŸ¿^ýJu·—‰?¿úùÓ|†Zø $Q,ó뛟/ï—¿\|Z:cºK¡Ð’¿.¾Ý‹Yvÿr!<•Äzö
+“Iâ϶Vž”²5›‹»‹ßÝ€VÓuÌZÅžŽýhľó€N¼PAzàczhŠª¼\(ÍëuuØdT~Èé·IŸsn~]ÛÒ¡.Ê'n_çè…÷?²£KÆÇBƒ…¨eq$™ž=ì‘J²Hµkí°¿Ûæ)‡:ß³}Ǻɷ5}¤uk€)<çG,„óUZöçðRÔÅÆ?Šm™-ÀÛ^œ¨JÒK´öf4?RóêÐì
–ƒùãþRÆójK-»ú»/Ã’E÷$#›o7F½Î7›¿Õô±.ê¦ÚIô»þ& ©XÌÿaüŠ2ìW,.ï^FVšb•’‡°õµhÖìÒ®ÛUâ{Š}öiV<ù=ðb™pÀ¤µ¹L·99(‘‡cõükñ‚Ëákì“¢ƒtŠb ]¥=߇M„²¿ýôÇ¥Öó’!_n—7_>ßÌœîy¥‘'}±íºä8M	(ÁŸx^¶PU=R¢ðÈU†U¸Ë뺸”óÕšxÄ!óUCß„H¨zM¹³ÙÏX±.l§MU=vÖc÷Ú¦YÎÕÈ2¶#&s’«Íjæž\okeE½Û¤G4ÐØ]µÅþ*¦‰)Cu5WÕyÃm{jc¶F¥OT~(6TD3RÖ2Õº
+ÚÖ9Ì`	„ƒ»'óÚéÏò&ßo‹’?­? S
îc;;cÚÍå3èëWâ12†BvUÙäټوļ‚1öŒè®zødê€B±Í«C3èIŽhÌ´à³nö°?žŠ¼öœM ,ÔƦO)-mÔ¢&v±«
s@ 8yÛð´<°tJŸ°í_+£œ—Ÿ0›¯òl¢ÇnsàÁëâ‰ÕahÙ¿€/cKÚïÆö­—D‘%N#?I,Œdܵ°&mÉ(’}¡¡+•ô½8ƒþz’›Œ=_26E[ç)´‰¿X1𶩅Ö*`™qG2	Èi["(«1®P@&¾e7l`ì2B¾6ó°-OK¢v¨5x5V˜5ñ¼¾ I¬ç?ã_Ä`œ”ý ’Ö´žàµùKº9 e)©ŒaXçH	+7ÅsNÕ”È`ÁâÛqwìa0'H"tó‘ÖéË°ãcµßŽG†^'6+xGóÈ~4¶¸3V^‡¾‹V1é¥}‚ð‚H‚÷.säßO2eá	
Y¸ÖE(Œ¦ö,´èJ™Ä6ˆG['efù­¬î›Õn¨X*€r(ÞÐì¤NUÁÆÝ_q'(˜ý·—<€\¨j¨–{*-?ÞR§ÕPe\K™5öÁLÌÔS&¶EÂ+Yþ˜BL!™‡Qà>Æ/d-1#µTøz}ËÐÓáÒÊM^Û•+é÷êÏŸþ`Nfî¾q5–3YcK¿ÐP·¬^ðP6p@q•ÖÌâ)ýw˜–ª,)ªô¦To
+FÔ
+)ý7`Ô‘:#+å`ô²:A‘|ûú¼b'uªy€"	hƒ”¼§šP8	FQàP8	‹¢@öP$,Š‚.Š4:–kÂ,À¦4TiÄŽe“þ‹Ê
³­î¥ŸAç—v7Ú0$Iω=áLš/=-•žÊ¼säoéêù5m—ÉvÇ¡‡bS4ÇK)%Ò”’‚6J|÷ýàe…ÿÛ<2„z0²*öÍ!Ýð¸…Q³:
¶Mâ-ˆ|Oª 8·®Ô4Þœ”ó&DjŸŸ`N/Jüø¼r'uª}púÖ粯þ5Û¬Vö—pÈ*íÑÎÌ´™1‰©àœaœo’svšQ;EÙNbÆñWÐ)ÖÈ Œ¥Ÿà*bÇ#U3Ã!HK‘ ©cHùú±¤›n"˜fæ{ŒŽg($€c•¯#ýÆ’v¤Î,©•2KšUÛ´(Ä|Úž®{ë
+ƒ‡±ˆÎ[à¤NMè¯+ØBðî™p‡	
+mª…:'÷ «ÓÚŠTô<ܤ¸Øý~°x.Ó¼F—Œ&=Cv'>°6€(䋨½‹P‰ ›¿x$Ûê]¾r™·i`«Ò‘³åB©ÄÓòôé¥kkÿ0{A˜„îÆ„SÕ¦0ÙU(ÇÏÓ:
+Tö¤þ>oVï÷y]m^¦NÕ	¬
+æ	íDc>)âDÀ=t?úú+#;+ù‚Mô­}_Éö:N÷/bÎÖÞw¨cµ1Ì‚\ñäV̈0ˆçÝ}õ~*'÷”ŠB/ðõ{ª+5½§œ”£Év£4yVyK“'ÚÇi²§Þ„f¤$š!ÆQhÆ
+ÍXâ3GÒ[Ql Å–,GX—t>|>íÉ}$gaðˈ¦qú°ÅæQØBL‡²¶×²Y>ã®üœ!±	„l›ñGYã‘Ïž½hÜsv.è¤wä@Îó8îíùßDi”©ÀÓA¾²ŽÔ”Y©eëêuiQàEB½a€“:µ`pá•ÁºoÂ-Å-r¡­ë,k÷½Tzèlœ»Î4çIˆƒ]Ænn§¦],/ô£7<Ü
+q09ÿÂêŽFE
pŒDpVµ:ÑÝwm(½H˨§ü:·×i{Ri¨
+kØ¥uߵDz*Û6áÚ’~ßOºéñ8~¬ã|ƒ­Î{·+5í^'åt§iUnŽ“,yVyË’'ÚÇY²§²Žzpe‡Iuš¶Y¹»¦ìœ0.)¹Ÿr]úbõÆÖïJq•ê¸îq“>M»îœòŽë†Ú'\×UõÃ-L`’îf°â]!¨ÒJw¯öG
+§Ð8”ÉNíHqª•j­ËÎ;õœòŽS‡Ú'œÚUo²`™hâQ,ÅB7÷T2èÃÂÕ5ýbtsOpT•¥MJÏøõPð E9¢à…Ÿø|èƦÎ5I=èeŸØLeÕoûòÌçuóe¥Á©´>_ÊûüNjZì5¼)g$…3ÄW·#Õwîõá‹®ŠO«æÍJ/é¦È˜0}z–EIáàE¬_­øî”BZT‘èÉsä÷/-Šç»js	ÉøêØUÜΊ½æ&@(X¿%5e†§ym»˜ÛÞ®8t.Ç{³ž˜lÜ,×™oÜzö­ÇDR¿Ö¡ÐypN(ö@å—Û%¾®-¾|]RÅ>-Ÿð
9Pf¶‚ãÙÒO6qÏ9P·K÷¬Çx1‘ìE(t­zMk;bg1G¦boS\Vâ¼4I1xo*Øç)¦+5M1NÊQÌê<ÅœUÞR̉öqŠé©7“SµØ®i,™b°DÞ†ÂÇkúEŠY­óÕ3m
¨ÉŠO„ÿ‘Ô–Á‚	“ÝQz,ò‰e°©Ï2~ì·½ÜC>Ua•a®Iןïî>}ì-·;!V½Ä’.†&¡'c?x+µìMÁ
+µ8ØLÞÛžÓÚ^ÛÕŽßÚvõ^Ó#îT¾Îo¼÷ƒLçã¯WwwöŽ> endobj
-1966 0 obj <<
-/D [1964 0 R /XYZ 85.0394 794.5015 null]
+1983 0 obj <<
+/D [1981 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1967 0 obj <<
-/D [1964 0 R /XYZ 85.0394 679.319 null]
+1984 0 obj <<
+/D [1981 0 R /XYZ 85.0394 679.319 null]
 >> endobj
-1963 0 obj <<
+1980 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1970 0 obj <<
+1988 0 obj <<
 /Length 2837      
 /Filter /FlateDecode
 >>
@@ -8647,23 +8725,23 @@ lh
 @ãâ]0ƒ±î½±½&Óè‰wç<ÐE0…lõKžLQ–	¹ìÉ>ÊoÒ:`=È“wÓÜå»t¡Fà8^»ö|B­{ô]£¿%ÌêF¬¡e=Qz•A·QEÉÇÁ>×P44yy蚦{™<ÈÓ©lz;<Ú<ÓÀæ@d-­Ò8ƒÔÿÔ={A\¤ñŽi*OÈîÏÎwG§C+ôï1<—ý˜‰ì`†«£Èë•:”Vüž‘f$Û~R­û½§ò~¿?T3¯GP«cz³§š³ŽáÙ…lÂ{ôz¥0aCMŽ§ºLІn‚au_=(„”yßw‡ƒl78™¬;dz¬€®~xñs{*Q,ÇÇÙ)R¥þviÇ3ìhTjÑ®ÃZÙ¤´ô¶_+kFH=•0÷ÒiåñØÔªÔGE¶ÐUý£2¸-	á©êÐxo™ùˆ³:IŽ.$›jtŽÊƒœð4¬&›MÞc²™1_N6÷ãÍ?V“VÝRížLqþŒ%^½2ÒY¬]çÞZËÇãHÝFr÷c	éç°j	¦¶«y†·-R­[ÂSyK8§X-[7ÙeëŒÿrÙ	ðéI‡vpÀ/:ÿ‚óUéhuð†®ïLŸ	ïÐøxcÆʪ²Aµ7ºšS#G/3Ñùp/On‚ÒÍz6MÌœ½ÌŽ0K³œ.n“(gkÛ$žr&üÎÆÃ|º³m»=’«ÔaZãáis< Pœ||0½f>ÝT1-#´ýÎï†Ô‹iC„éU.À†×b“r:‚9dkÔ®–×-ä,-hÆãôØk»EHﻳæ¶wÈMc\Á cÕr¦Ñ±ïa:ábz=Žî[-ûšvÛ5O½9½HCª
OrTc"5±·_÷¤-ö'Mù¯xR(@XCGZ·5’£,ÑÔ­ìãå¿6Ùó
ƒN!ëö€Ê@ˆ_°G@µaG5æØrö«9f“÷˜cfÌ—sLÄݦcšûäMçäª=øºG½hµB#¨{ýƒyªUÔýPïû?«Ó¦BT?íä〓)A¡q(+ùZmFñH××?¥g°¾§ñ0N|l^&^Ü[swí&:î%T/µÛæþ‘”ÔCãÒWDE–2F.äÆjAžÊ#èûiÊ·ÈSN/°µ4s®“ª˜Bõ[àˆíͨ‘/•Õ’ŽÉ^]wëúr[zâš=8¡µÒ»¸ú{½>™û8æ¾qºFi–b¨ò·-1mÂvPLyÏZdÝâ=Ö)óå¸rwæPŠ6‡«Lü>E™Cq'áEÕo½Ü/f'Cuh(µ®¡i_ažÒÒúÂÚÚÂm‡ó©5…?+´Ó­+ÿu¹¯a³_¶Ê(´¯‚@™W t!Ó†TëpðTc™ßup$A·™{ª9÷Ih·$°m‹Ø¿ÓéÜCm¶½ÛØDZu	¹œ[{‹ñÇÓn”çë
Ö
 ”]H¹!Õ†aÕh{Ö;ßM0”Ò¬ÀÛü=Õ\€Ø6PfSX,ÁhælÃœmXdæOŠQ2Š¬_GóИ‡ó°%ó Ìš‡…æaÖ<Ìš‡E§ËÛæ`E1»°ë©6Ìã¨FóTU­VW6sûu×’mà©æÄöI)Íc	ógáÌ#"ódÎ<"	DÖï£}˜°öÆ>bÉ>…³í#¬}„µOæí£ƒ©(Ҍ擊hÃh¸ )b]@´n2G4Z¬iVç¶ØŽgsS¾ËGs!ãOÒÆW¶íYÚ¦’go¾"DËÇõ*
uF.\¼…T*rTæê°>È¿Ü®Ti›l]•6ãº\¥ElAC?.ï«ey§ÏáÝ\í@£4—íi·t%
 ®’ñÌÜß.äPŸøÛPðƒ®­ú8‘äF&+¶ˆ'	7øû·­Ö\ëy9-é° 0(Žd0‰ÝdYpØK¹SQ—°2»{›±=C¯Êì˜õâ3´ \פUìSnçö-Áu ?C]C-.Ô?7.¤ÊjµŽÊ^xײŸÃvôì-ÎkOY¯øvÈÛB×Ýt©†?†±×mzÔéè:ûÔª†Æç÷7¦áî‡"2ncúæÀ!œ¦Æ|éá¹%¨Û~e5‘Ï	üEpLÕ#X®ÎË\6ë9¿È×Ý‹Õöâ¶f^ßÁ¥ß|]¼”ßÏe—g?¥9¸šn¸À¬RÃ\Ý@µí6áfªsëÏÀôevÀ
¯b:ËR’‰Ûå€hã/H–Hú$€Þb;âyÊwÎ!c‹fê8ð¨Qh›3ìѬšyÚÍ”93ÁÓÐ1{L›¾%LCš±b[$+f…t+öæ”'$5Ç>ŸÕ¡OS[:uO@iÎ
-Óš8³tüÌÕÿoœ'xL:´Uœnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ³¹ã ”PH»sÙÿnuþ¤endstream
+Óš8³tüÌÕÿoœ'xL:´Uœnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ€þ¹ã ”PH»sÙÿnÍþ¦endstream
 endobj
-1969 0 obj <<
+1987 0 obj <<
 /Type /Page
-/Contents 1970 0 R
-/Resources 1968 0 R
+/Contents 1988 0 R
+/Resources 1986 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1913 0 R
+/Parent 1985 0 R
 >> endobj
-1971 0 obj <<
-/D [1969 0 R /XYZ 56.6929 794.5015 null]
+1989 0 obj <<
+/D [1987 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1968 0 obj <<
+1986 0 obj <<
 /Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1974 0 obj <<
+1992 0 obj <<
 /Length 3265      
 /Filter /FlateDecode
 >>
@@ -8686,26 +8764,26 @@ O
 üm„
wÓ’ÓïlEŽ3{ï¿Ÿ=÷¤«YqÐvÀFî³V„
wƒ¯íÝààp‡‡Hï·,Ɔ¶/ÜsÉÂmÞoÝ>«fÒ_o^MumûŸ3ž·Å‘Ž,«¼=Ö{ºi
 ßלãl›}µfl¹Wõþ”Ö#oz¬W¤wU³ ‹OÈ$¤û¹>ƒ&Äž/«­Yè_á&Ï™û
 >œ¹_¨ØE›­;¬`ÁÕ’Ôß·
íðh¼1Û¢Û6Ãl­ŽëÓ· °?Ûí¶¦Q¶¿ïz¸«‚^‘RÀôK;ƒÕý¶rëä…¤UT¡é:ÝoÛMOJø¢§{0#•äò$‹pÜù©_Š)¨ÒÕä‡Bä?þÙá7r2üò>™'€÷d
-?æ˜B±aŽY7S™Lðþ?ËÊÀuendstream
+?æ˜B±‘³n06¦2™àýÌ"Àwendstream
 endobj
-1973 0 obj <<
+1991 0 obj <<
 /Type /Page
-/Contents 1974 0 R
-/Resources 1972 0 R
+/Contents 1992 0 R
+/Resources 1990 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1977 0 R
+/Parent 1985 0 R
 >> endobj
-1975 0 obj <<
-/D [1973 0 R /XYZ 85.0394 794.5015 null]
+1993 0 obj <<
+/D [1991 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1976 0 obj <<
-/D [1973 0 R /XYZ 85.0394 179.5067 null]
+1994 0 obj <<
+/D [1991 0 R /XYZ 85.0394 179.5067 null]
 >> endobj
-1972 0 obj <<
+1990 0 obj <<
 /Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1980 0 obj <<
+1997 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -8717,47 +8795,47 @@ xڥX[sۺ~ׯ
  aWš½
 Ná¸Æ~<ö¹$ø¥?'q•è`á?í4Nû*mUx‡S`ÎH†o;¯ïæ³÷Ÿn†ÈÇ'TÊ–¤TùšcØʵ2üj@xM sŸSîû¼½<‹¹ÅÓanö†YÈó§ÌI—(u€B`b*©#¶mwB^Ëë£BÛòøÀ}5ãùK
 ÙF¬šDÞ¶¬ÏP- HeˆTËã8¶¹½û„ï»Óº½G¯WªI¯*Uëâ•À	_¶iÇ0ˆìŠ¿üû·ÏÜü犀U:d=Üx~sƒÞÏ>Í?_ä÷•®ôÌpè;ü£áŠÌ£ž0+ëZ¥Óïjÿ¢ÊÞ¤Ý@Ä}è¨Ád‡Ý—Ûð”õ‡J‚ˆ„~·n\*Á³·kìý×ó‹nAεgßeý£×gH÷új´ÆÎÚ¾‘νÍ:ûÀtØÇ^ÙÝ	ä¼›®m0ÁOx8ûvŽáásϩɸ‹
-nþó{×mEÑÖý¦¿mò"oöçÓ1›ïK½©á|ÑŽ`$Œà1FPQ@å1ðy€‘Ü7—Óð·0šÁ©ìi8å˜îË[ôæ¢yb>N“YQVõb÷úÔŠÒ¡BS˜'l/Ó´HêzðUB,-ÚEÂû…Â'Qà·	Xfº9«/Œ~¹¬p»~VƒÏÅ€p.Ù±Ææ¢Æf¿üú!H̨<Ö÷÷‹úvIÞœÕ':}ø ‹‡à­ Â0>N×»´,’—¡]$‘at‚‚ìzëaíbeX<ûnÞ™]™J»£ñS{ûd(M‘ñáÏe<ô	ü9h2NÂQ91½ýúvjûoò"4endstream
+nþó{×mEÑÖý¦¿mò"oöçÓ1›ïK½©á|ÑŽ`$Œà1FPQ@å1ðy€‘Ü7—Óð·0šÁ©ìi8å˜îË[ôæ¢yb>N“YQVõb÷úÔŠÒ¡BS˜'l/Ó´HêzðUB,-ÚEÂû…Â'Qà·	Xfº9«/Œ~¹¬p»~VƒÏÅ€p.Ù±Ææ¢Æf¿üú!H̨<Ö÷÷‹úvIÞœÕ':}ø ‹‡à­ Â0>N×»´,’—¡]$‘at‚‚ìzëaíbeX<ûnÞ™]™J»£ñS{ûd(M‘ñáÏe<ô	ü9h2NÂSéÄôöëÛ©íÿpJ"6endstream
 endobj
-1979 0 obj <<
+1996 0 obj <<
 /Type /Page
-/Contents 1980 0 R
-/Resources 1978 0 R
+/Contents 1997 0 R
+/Resources 1995 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1977 0 R
+/Parent 1985 0 R
 >> endobj
-1981 0 obj <<
-/D [1979 0 R /XYZ 56.6929 794.5015 null]
+1998 0 obj <<
+/D [1996 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1982 0 obj <<
-/D [1979 0 R /XYZ 56.6929 581.7741 null]
+1999 0 obj <<
+/D [1996 0 R /XYZ 56.6929 581.7741 null]
 >> endobj
-1983 0 obj <<
-/D [1979 0 R /XYZ 56.6929 460.6765 null]
+2000 0 obj <<
+/D [1996 0 R /XYZ 56.6929 460.6765 null]
 >> endobj
-1984 0 obj <<
-/D [1979 0 R /XYZ 56.6929 366.7195 null]
+2001 0 obj <<
+/D [1996 0 R /XYZ 56.6929 366.7195 null]
 >> endobj
-1985 0 obj <<
-/D [1979 0 R /XYZ 56.6929 293.4426 null]
+2002 0 obj <<
+/D [1996 0 R /XYZ 56.6929 293.4426 null]
 >> endobj
 670 0 obj <<
-/D [1979 0 R /XYZ 56.6929 247.3727 null]
+/D [1996 0 R /XYZ 56.6929 247.3727 null]
 >> endobj
-1986 0 obj <<
-/D [1979 0 R /XYZ 56.6929 211.2315 null]
+2003 0 obj <<
+/D [1996 0 R /XYZ 56.6929 211.2315 null]
 >> endobj
-1987 0 obj <<
-/D [1979 0 R /XYZ 56.6929 172.539 null]
+2004 0 obj <<
+/D [1996 0 R /XYZ 56.6929 172.539 null]
 >> endobj
-1988 0 obj <<
-/D [1979 0 R /XYZ 56.6929 96.3402 null]
+2005 0 obj <<
+/D [1996 0 R /XYZ 56.6929 96.3402 null]
 >> endobj
-1978 0 obj <<
+1995 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1991 0 obj <<
+2008 0 obj <<
 /Length 4192      
 /Filter /FlateDecode
 >>
@@ -8777,26 +8855,26 @@ VAC
 OˆøO´çföþþö§ïUA²$‹@d4Š†~¾õÕìáîG†þò‘N€ý£œ¡òÈþОˆ,Ü}²ŠÒvh#)*&[®J¦¯˜Mžè‚h@öaó‹R&MÌñÈlùYü>µ4uÉô•;>hØí+Hª˜…NÒ\ÓÒgo)¤\Š<•±½§‚aÙ¦CG¬ïµÔ2yÀy–bïè•÷Ó/ÔŽê<ꓯêB_1ç
 ì`WAŠ3õÕóõ41ÒžþÀ˜¯%Ì7ÏüÌÁ¶óMŒ‚® N“:ç“ÄÄÅU@¶]¹ç¸SøûUÉôõiôõ<‡LŒB²c™ˆ5ú	àlèAA]½Œ‡bá;pôå&œòo6Íëø»¾Þ‰ä ³
 ÓqŒ'\ò̵î9'Ýȇÿ’J§YnìÙãdªTèÔ—Xj¨}-½%Ð|¡’®œxãÄM5ghêŽ,Ó†Nì4&Ä„9<¯yšéü)S‰ÉÓxÀö÷3ç,¶?g™<^Ä[T…‰Ã¼žft†ìÏîA¦0D¬Y^|m'NX§gOür	N2ÿÆ[q#Q¤-›“«p’ž
-?B£ ‚Ø{Úè€äN-(_í/ËŠéêS¦!$ë¯U~˨dÊôlÃæÉ×Öj‚ fö&4(' úuùRõ™;‡i¿¦k~ŒðÉgêù.—Ögë¡Y¢Sm¿&%˜E%™µ£"}x•s(`Îß겉Ìss9ÛSâø®*îV¨6+*gS8`‚jÚ> endobj
-1992 0 obj <<
-/D [1990 0 R /XYZ 85.0394 794.5015 null]
+2009 0 obj <<
+/D [2007 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1993 0 obj <<
-/D [1990 0 R /XYZ 85.0394 751.6872 null]
+2010 0 obj <<
+/D [2007 0 R /XYZ 85.0394 751.6872 null]
 >> endobj
-1989 0 obj <<
+2006 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1996 0 obj <<
+2013 0 obj <<
 /Length 2016      
 /Filter /FlateDecode
 >>
@@ -8805,1347 +8883,1382 @@ xÚµ]
 9C«ÒìÓ­ùOòGù|XN‰˜¨êXä›Ê@¾¦õÞ~ e„JÄ™°"HrN1—óÇ)ç“ßn§q8™-¬'ÉUêúºO×{³L+óß}Fa*(¶æ?/ÊC’™uUŸžzÔ‹¬_CžÔ>yN‹Rq1ˆ)h–^ñ"‰âÖ>£„(¹3Ü:ÉCóªÔÆ^¦°bªzp»ƒ:Ú^?ÙYðF=v»4ß™íï³dgŒwE ,ŸŒœc”j]”¨Œ#qnÑ~ðP
 ÁS	³FŠXÜús’o<„@qŒÇŽR]&k%p!œêP:­ûlÇ“E„@¸Ã%C†Mô.nîŒR–Ÿî[yèƒ)‡6)p±õD§€˜Ââ"8ûrplFR¢Ý“Ä`c¥­
¾ötJ³ÚMXh @¿cŽÓ¼Vežèl‘d駀£MqHRKDÇ# sRŽÇ¢¬upÐp’ZêÆ¿9Y¯Õѵ	µ´:fÉ‹%Wä	LI4†lÓ‹ËÙòÃb˜19ë&) žÆH†ì-MQ„£6E%ÇcŠÅ±LH/†ÇºÈ!0ëÊîö	¸GÝD*lU¾.6Æéa×ĹGD³zRÛÂĺÙëT¨?µéˆ!L (ØkH3’6C@ž¬jh¢3º8€K~z]Ø«_„LvÔ£wlnÛ­¹öÁÒn=jj“ƒÅÚ#›ƒ—âôAÎÒ?TW$ø?•¹AmÙmª´~¦E6.Ó¦·ŽµµžFAE…V£ÔŠœTE>ÆܼÓ\U³ögDˆYS—D4ïA/@qˆ¨är*Tfù-ÝÕ%Rø{ ¥tI6…~P½cD¡Bž9koËÙûs³†á0¤ö**NÙòƒÊk£„ç<÷)Sº‚0\í­ò7ú´:o6ieNÁOôGݨU(FrhD¢¾c:Ný
 Ø‹¯{È5žì-
¡o§/ÁÛ*VNÅä”Wþt™…1ŽûéövñÑô|…òë;U¯ß•MÝEã[ܧ¼œÏÍýf—÷ogðMºÓÉ”è4iÛ
6(4°s«±0r1@ka†}˜íŠ渃›¼9>ã©mrÊêÁCEÑNûvü/êý%Ï|s†Qµ¦òšYèÚøè`]1€Ãj@_5À5–g\°ô Ë²g¸ø÷˜àUÅÐìǹ®ŸÒëêqHv\]ã½Ùª³äç²f½c F›
-hž¯‰Ö"]ÊÖoŒ"¤ß¦º²-!“­µ~`€4J‹ùYiì(-`‚™qE<'ÙÉ.‹­·&È iè»áåk*oŸB'ÇúÉŠSäg>Í¿óXê8‚-±ùVc—&RÁt7"ûe³ç-öã6l 3Åú‚εš+ZJÚGج‡’æ•Ê«´†¤‰^{Á†:«Ÿ=–Ãm2ýÛ¯Ûç‡ü0FLê÷ÐĬ­PZ'„ˆË€°ïà—²ÿ„ìß­endstream
+hž¯‰Ö"]ÊÖoŒ"¤ß¦º²-!“­µ~`€4J‹ùYiì(-`‚™qE<'ÙÉ.‹­·&È iè»áåk*oŸB'ÇúÉŠSäg>Í¿óXê8‚-±ùVc—&RÁt7"ûe³ç-öã6l 3Åú‚εš+ZJÚGج‡’æ•Ê«´†¤‰^{Á†:«Ÿ=–Ãm2ýÛ¯Ûç‡ü0FLê÷ÐĬ­PZ'„âË€°ïà—²ÿƒ¹ß¦endstream
 endobj
-1995 0 obj <<
+2012 0 obj <<
 /Type /Page
-/Contents 1996 0 R
-/Resources 1994 0 R
+/Contents 2013 0 R
+/Resources 2011 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1977 0 R
+/Parent 1985 0 R
 >> endobj
-1997 0 obj <<
-/D [1995 0 R /XYZ 56.6929 794.5015 null]
+2014 0 obj <<
+/D [2012 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1998 0 obj <<
-/D [1995 0 R /XYZ 56.6929 684.0716 null]
+2015 0 obj <<
+/D [2012 0 R /XYZ 56.6929 684.0716 null]
 >> endobj
-1999 0 obj <<
-/D [1995 0 R /XYZ 56.6929 572.8605 null]
+2016 0 obj <<
+/D [2012 0 R /XYZ 56.6929 572.8605 null]
 >> endobj
-2000 0 obj <<
-/D [1995 0 R /XYZ 56.6929 509.4701 null]
+2017 0 obj <<
+/D [2012 0 R /XYZ 56.6929 509.4701 null]
 >> endobj
 674 0 obj <<
-/D [1995 0 R /XYZ 56.6929 470.2699 null]
+/D [2012 0 R /XYZ 56.6929 470.2699 null]
 >> endobj
-2001 0 obj <<
-/D [1995 0 R /XYZ 56.6929 433.5878 null]
+2018 0 obj <<
+/D [2012 0 R /XYZ 56.6929 433.5878 null]
 >> endobj
-2002 0 obj <<
-/D [1995 0 R /XYZ 56.6929 401.47 null]
+2019 0 obj <<
+/D [2012 0 R /XYZ 56.6929 401.47 null]
 >> endobj
-2003 0 obj <<
-/D [1995 0 R /XYZ 56.6929 335.1577 null]
+2020 0 obj <<
+/D [2012 0 R /XYZ 56.6929 335.1577 null]
 >> endobj
-2004 0 obj <<
-/D [1995 0 R /XYZ 56.6929 244.1508 null]
+2021 0 obj <<
+/D [2012 0 R /XYZ 56.6929 244.1508 null]
 >> endobj
-2005 0 obj <<
-/D [1995 0 R /XYZ 56.6929 168.8052 null]
+2022 0 obj <<
+/D [2012 0 R /XYZ 56.6929 168.8052 null]
 >> endobj
-1994 0 obj <<
+2011 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2008 0 obj <<
-/Length 2161      
+2025 0 obj <<
+/Length 2160      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Y]{›8¾Ï¯ðÝâ§c„$$z‡§“Išvã´;;ÄÈ	O1dN&ûë÷è&Nf·½@Wç¼çC™`øO&’#Lc61C>YmNðäÞ}-BxÈ£hÒU{®•AG»:¹@TÈ>ºËªún=·®¶vð]=ÛÁªý„c,øÁ.äe+^«ÆŽ7U¦~°Çe]ÃH AÀAöÀö“™ìadQJ¥“s@5iunNŠ	¸wĘƒÝÁÅ@gê$Ñ—:Qú:RG¨à¥Ö#TˆQ$©G¿ÎuÀ"QV9Ž«•ÖcA<'@ø²_«R‰#îlnÇÚï§3ʈõ6,=éʽ­ÖöÙÜ›…H»µûu™n”æJ{¤Û)‘ÁÝn£ÊÆ®äõ`Hv%«6©W«÷êkM­ô4p0ÎÉH[Åœ‡æ\›´nðšbâNˆ(áÁÓ}¾º·ë«´Ôƒ0¸UvÁ`TifW×fZmFi5õâóƒÇ:ŸyÖÍÀ?_[]æØz`bÚ³ê5m½Ò
-ÕîU¤õcLÄßÁcìÁ´
-g…¼±º6éskc`
-©2b$ô¶%¡ÚäM£²ƒ)â±8’ǃ©+õr0µR&˜’¡Ê8‚º!Äq•^hDe/L0²÷Už—«b—i"Ò8øuyñÚŸŒñôèN•j›6yygç§Kû´”ZUæ™ÕH[Vÿšr€æ¾Ú5V¬¹ÏÝ–ÕC“W¥¾ª,ží²Îœ^§!°Þ§Ê¯Ë»¤§éq D’‹~x´‰û)/
-;ÒA Ÿ«ª|T[ð¬6•}šÁsp »˜–Núa›—†À-|­Õzç¶wGéÔKü}½ÙW’—9EB$	{S©#œòR†SÅh‚&!÷1å’Ò0ESPJ¡¤EÖJ@ëq6Bâ>¶–ZÚ>RšôÓKÝo}Óá¼	«y	YOç/=1	Ó!¬a
-Â:…4¸¹w{Öj•k'€Ó“°	шØažJ$(­˜¡³Vþð ÊL9H†L€¥ñš]z‡‘îBl¶Áó>aUjH@À>¥ì¾0°‡Ô¼ñK¶µcÝü¤už¹Wß´-Ó"ÏR{û¶Çy߆\_;}Ž÷™ªWÛüV
`\Ÿ9=ŒQò"™¹Ðu8|¥ÛèJ½LæVʹ>H!‚ž<<®Ò¨ìú9†Ž."Q_åÅ |oï
â›ÖWu›˜úæ¡+2h:h:Þu.ñ̓۫¯5=l]­ò—½ìgèÜK©#^òRÆK«±ëF!t).ˆVEZørć”Ç‘µR#Ðú)¼È0éc[¶	áE;[lm¨djîŠwίtè ;9^ºñ÷‘ÿ¡@p­Šˆé+ÞêHñ–—2ÞzóA”	ßPêQ‡ÞŠP( ë>Š¬•Ö÷A!úЖªz)S·»»;ÛŒÀÔ C.gë{…Ë«k¸ƒb¢¯T@sÙ»áâ—äÓ—ËÅH’Çh¾Ô
-ÞèühÜîòÂäÁÐã Áò§ž‘]µqI´Ó_›Uý­=²×hC󂙯*ê¯tóѺª6èt8ïBHEx(:Ç2Ž÷Ï=‡È>É´XNUÕ“³\ªÍÌ$¨l1ãÆïyžª]‘õ{¨¼®w*{?r 0 Üׄ Ö€YY×j5Ëêõ¶Ú˜ûw„q0íóíÇlÛ=øp¨éÓ\©¬6
-ÚÏ–+ùwõà]dSà/ÖÑnQk?ë§Åj†Ü­ØMÈ"9MD"Ø\žây"#Fsü!E’HžÌå|~ÎaS­¼–	ggæÜGÇ
ø"Áó˜‘÷Y}v~¹Xã´èØŽ’g¨»-†ÔÞõÿü®4µf·ÏöÙt>·h3ÊÆdÓ•í/ÆZ,=:óyÿ¢„è]š¦ïrýo4Tᘵqa2fW9dÚ¢5G˜’@Ù©)‰‡¤@RHÑÓoÙψ€T#dÿò·Ç†ô9ñImÑÈÿž“ºånI¾_ºuEÀE캚H[7¿Ó8Á+ù°ôûb¤ó“ìfÜÉ<ý+>G|ßý¿ùÇ¥aïR7[[‡
-àÊÎBöÆÆ<Ž6–ÇAÃý!Š<)Àª{o÷÷¶±Þ¯auÆEaØ É”„qðm‘è¼óz,%£-žÚZû»2oK³#T½6í÷0d=§VÞÕ®Ìô[·á£r[äÃ÷¯¼njô†T±\,ì'Éåòóëepœ¿š	”ù—:W膦óÚìKãétÕ¢Þƒóó«S½	bûH²M^Â! †lÈÃ]C­•½•+üŸÒrŸcu1ˆ‰(lÙz‚!	™Â	Ø«è¡—ãTÂL°¿½¾½ºÙ¢’ô¶³YŠ2$ûÅqÙ†!?Î/Ó£Eòõæ§ÏׯÓþ¼lÔ¶ôiiù—òËBª²®¶M¾Û¼ôWˆaý§‹‘6·ÿï¿ìÿÄ¢R†ãý&Å:ûÄă҇#$Bçp÷ç2#ØÿLSX3endstream
+xÚ¥Y[{›H}÷¯ÐÛ¢/£ž¾ÒMÞP,g‘G1YmNðäÞ}YܴȺè	fÖŸ'¿ý')âçŒX¤Ää	&‘(¢“Í		Θ_)N–'ÿl7ì¼5ŸŽYƒ…åádÂ!ÇѸÍ0Âl0“#â°µ%c6óRÚf³}ÐÏ„èH@&"Ø\K¤ù6[5Õöyh"( ÃIWí¸Vjëê1©úè.«ê»õܺÚÚÁ÷ìÙ~ǘYí'ƒ„äÁv!/[ñ:kìxS¥Ùö¸¼kJ$	8ÈØ~2³‚=Œœ#Ƙrr¨&­ÎÃÍG÷Žs°;¸èÌœ$:  ó²$@'Æ^£BGê¼”¡Âz„
+
+óè×y‘°€(‚UŽãj¥F€õX@çßCökUf`âP8›Û±vçûéŒqb½
KE²ro«µ}6÷f!Ôní~]&›Ls%Œ¼ˆ’픨àn·ÉÊÆ®äõ`Hv%­6‰W«÷êkM¬ô4p0ΪP[EBPs®MR7ðšaâNˆÁÓ}¾º·ë«¤ÔÜfvÁ`Ì’Ô®®Í´ÚŒÒkêEç
,t>ó¬›q€¾¶ºÌ±õÀÄ(´gÕkÚ6z¥ªÝ+$õcLäßÁcìÁµ
+g…¼±º6Éskc`©2ä„zÛ’Pmò¦ÉÒƒ)ñ(Tǃ©+õr0µR&˜â¡Ê(„º!åq•^hDe/L0²õUž—«b—j"²(øuyñÚŸŒñôè.+³mÒäåŸ.íÓRjU™gZ#mYük* šûj×X±æ>w[VM^•:| øª²x¶Ë:sz†ÀzxŸ¶e›^´³ÅÖ†Jš­“]1ðÎù•d'Ç‹A×#þ>ò?¡U‘{Å[©#ÞòRÆ[cÞ"ˆqéª"{ÌŠCo…ˆJèº"k¥F õ½EaÚ2k†^J³ÛÝÝmF`j!—³õ½ÂåÕ5\ƒA1ÑWH&¡9íÝpñKüéËåb$Éã	4߈Hfot~4
	nwyaò õ8H°ü)†ghWmA\íô×fUckê5Úм`î«ÊEöW²y€h]Uô:œwRJ€Î‘Š¢ýÅsÏ!²O2-V€SEõäl—ƒj3ó	*[ÄÅð‚á{ž§jW¤ý*¯ë]–¾9îkRkÀ´¬ël5Këõ¶Ú˜ûwˆq0£öùöã¶m‹|8
+Ôôi®TV›ÚÏ–+ù÷ì
À»È¦À_¬£Ý¢Ö~ÖO‹Õ…[±“E|ËXò¹:ÅóX…’†süRÇJÄs5ŸŸÒ9lÊ¡×*üÌœÛàè¸áƒXÄxñ1rã>«ÏÎ/Ëcœ–Û1Òãs·EÊìmQ/@ñÏïJSûavûlŸMçs;€6£lL6]Ùþb¬Å"УsŸ÷/Jø‡Þ%Iò.×ÿF@CŽx&cv•C¦-,Zs„)	2;5%ñ€’HI%{ú-û9‘j¤ê_þöØ>ç!>¥-úßs— Ü-É÷K·®¸(€@@Weë†àw'øa%–~_Œt~r‚Ý̃;™§ÅHì»ÿ7ÿ¸4ì]êf«cëP\Ù9åoüaÌãhcy4ÜÂГ¬º÷vO`ïývPX„QHi?‚>ÄSB£àÛ"ÖyÿæõXŠG[¼lkíïʼ
,ÍŽü1ëµi¿SÊ{N­¼«]™ê·nÃÇÌm‘»ËžÞ¿òº©ÑRÅr±°ŸÄ—Ëϯ—Áqþj&0î_ê\¡šÎk³/‹z¤ÓU‹yÎϯNõ&8ˆì#N7y	‡€²!wlÙ+Q¹rÁÿ))wñI1VC‰¸iËÖC)ÈNÀ^e@…§æ’ÿííôÍèÕíÐÈv•¤·ÍRŒ#I8í.p4fRqœÿ^¦G‹øëÍOŸ¯_§ýyÙdÛÒ§¥å3\Ê7.}¨ÊºÚ6ùnóÒ_A †õŸ.FÚDÜ"ü¿ÿB²ÿc—ˆ)EÇûM†uö‰ˆ¥G(Bp÷ŠÊìÿK X,endstream
 endobj
-2007 0 obj <<
+2024 0 obj <<
 /Type /Page
-/Contents 2008 0 R
-/Resources 2006 0 R
+/Contents 2025 0 R
+/Resources 2023 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1977 0 R
+/Parent 2032 0 R
 >> endobj
-2009 0 obj <<
-/D [2007 0 R /XYZ 85.0394 794.5015 null]
+2026 0 obj <<
+/D [2024 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2010 0 obj <<
-/D [2007 0 R /XYZ 85.0394 463.2352 null]
+2027 0 obj <<
+/D [2024 0 R /XYZ 85.0394 463.2352 null]
 >> endobj
-2011 0 obj <<
-/D [2007 0 R /XYZ 85.0394 318.8302 null]
+2028 0 obj <<
+/D [2024 0 R /XYZ 85.0394 318.8302 null]
 >> endobj
-2012 0 obj <<
-/D [2007 0 R /XYZ 85.0394 224.0131 null]
+2029 0 obj <<
+/D [2024 0 R /XYZ 85.0394 224.0131 null]
 >> endobj
-2013 0 obj <<
-/D [2007 0 R /XYZ 85.0394 159.9229 null]
+2030 0 obj <<
+/D [2024 0 R /XYZ 85.0394 159.9229 null]
 >> endobj
-2014 0 obj <<
-/D [2007 0 R /XYZ 85.0394 83.8775 null]
+2031 0 obj <<
+/D [2024 0 R /XYZ 85.0394 83.8775 null]
 >> endobj
-2006 0 obj <<
+2023 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2017 0 obj <<
-/Length 2308      
+2035 0 obj <<
+/Length 2602      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YÝoã8ï_à^R`£Õ‡å{ëL;;Ýδ½I¸½™yp%1êعØiÑýë—%Çr•ä€C,K4IQä¤ÂF~l$cg<%YD$er4ß\ÐÑ
-Ö~»`–fâˆ&}ª³‹_?‰d”‘,æñh¶ìñJ	MS6š-¾?ˆ\:¾¾ŸNo>Nînþüôíáë—«7_.'L¦i<¾z|¼¹¿¾ý÷å„K
-ŸÀ”Ž¿^Ýÿqõç/3>¾úífzùsöûÅͬS®¿F…Öì¿ßÒÑöñû%"Kåè^(aYÆG›‹H
-"#!ÜLy1½øWÇ°·j>
„QÂEÌálÄ"""Xì›Df„§	w&SØá¢j5Ÿ<«·å®Þ”ù“*õþ@ÈDH’óÁ}¾Qz¸‹ž½Šg$‘	ZºÏì’¥cÇÐØïç	Žðp´8X©Jíò¶¨+|o뺴a?ŒdRr+R$DÆQjDNߪzÛÍðP#I‹Q,ÀNŒÅ!#2Ø—`æ#&‰þpÒga±€ËuTCCtFˆÁÜ“÷$ûVd°¡("«?ÎËU½+ÚõI}iFen)'eˆ[B2ÁSKÒè€nKi©¾OæN\L;4ÒÌ˼iœÀÒ4É,ÕOÜç÷É2Àк,óUˆ_D¢$åC~ÏÝè.Ày""J¢H@În|”‰	e?\ï¡	2@œRS+Õ6—€hLŽ½BŒá¨]+¬ŠUé!7sÉÆ%¾9•Ëaï!¶£2ØçTö±êg2¤}åg!¦Nj×QÔóœ“C²õÔ›ªGŸC¡ézÌj—o×ŧ:%¡ä4ÏVŽ_òüooßêe(òX
-X³pâð”r`o)7û¦EñOV³ºrƒ%
-ü6½úz-Ñ%dÊ”gÂWí‡@¥ýTçtlž09ý|¥Qˆd|=½úçïÁ…E1Å) ð\Ƨ–p],µŸkGV8ûY•å&¯´\]¦Áج±‹`µ½j\	ÓW7ïÇË@ïEn’!Õèa¨6ÛRmTeùvi8&6:µm©Ž-0À=ÍëÍ$´eà¸P‹SÛÒ  ·ÅÐè
-öm½Blž—¥­Íƒž¦*[Û¯&ÏŒ¨ÈWäXø‹X!Ï…ŸêxøwT^éÓÿŒ0.“aåÓ×+ƒš–Æò´^Ž( —÷”R'Ŧ[5/Œ·MÖ«…MaõÛøØÜQ»ä¢Çï“‹Ëw§ÿ`ÌÁýK1WÇÎCp(êãäÌyô¨Nœ‡£2çQ…à˜@c¨›<4f1‰hšV®£
-hç£1ƒ®‰r_=ÿTâÔÚõ+ôz˜aÁ„“K*?CÚfŒ5NÇÒâ4,Äé>´N]ÍîW>FC	›	ác4°U¨cŠx
Rÿópƒ3Ú
ˆà%·€M¡£Ù îŠhdÿBÀÏl9¢§4#h2xh7r%P}~˜Î̈‚çÍýìvö'®t€…|ÀÚ†z^ä­)Càë.M’ãĺ6;=¨pí–BLo¾éÍòþÎQ*¡å1¤î(‹O‡lŸêxÈvT&dçá
-Š&‡=Ÿ‡¡1IN+戊ù
-ÈDâkv[- ý´Æ¢‘p	׌à0ô€w	çuÕæEUT«ÁWè0hÖõ¾´ÔëüEyt|Üthá8j;Øív‰sUm•2Ôx²®/t"6,”4'[›£IÍðöÞb¿}\wèÛâÎð´ô¨N¸£2n°fÒ8ñ Q÷œü$ÓÓj9¢€Z^«&¡~N™¯ÖT™bÈ6gzàŸJÂlí¡ÇógŸú°ˆ–*íWÛû”ÌCV¾KéSO„…{ýyeª"9ºUUüT	ËÐ	ƒ]ÅiìûÄÝôîÅïÜ%Ø´XY·…˜µ „
žVÐa)#4ƒvऋô©Ž»HGe\d=	ÑJ³äŒHGÙ?þ¡kóE>îŠÊ¹­B×õ®µÃýf“ïÞübª+ê­¾Fl-âòj¯ËlWšÕÛ@!Â9weäá¶a¥ª@Ò†Mf2u€yültrO"yælzT'ÎÆQ™³¹¡¸ Rº+9ïÌoƒ#ÞÇO+×Q´ó¯ŒP:<õ¦ï[Ð#ÇöA½ê÷Úâõ€¼»!î®K§©ºs4Ï'ûþ
-ÍS«ªã‡¡ûYyKûT'ÃQ™Ãx>(§DåÈ` ôEþ†÷ævçb’@Ì
è°4öÍ+ZBŸµ`šé2áL[×#:n?GdÌ·=ÛDô/JƒMÄ)Í=Ä;Õ‚-D_7tdÁ2{[È)èb.Q³d{½h
-SÜþáS…ž>ô’Ù{Ÿ0W]è•_«ýæIÙ›’'Õ¾*se	Ô’âaAm¥ï¯ú‰‡Ki
-jSgÐ7.ó}Ùâ‹)Fà)ôƒºÊúWùÂÚƒu#në¦)žJË©«ƒôd»v<ûÜŸ±_ëû®¢ÁŠ]kRá¯$a`¯+9ë¶8h
-‡5Í~>WÐììºW©ï¡CnB»ÛÎÿûŸ¼Ãÿ–QBDšò°ÃñDø8vJé½0NߟýÏï½îynøendstream
+xÚµMsÛºñî_¡™*ÏD>I"=9¶’ø9±]K™6Mr IÊæ˜"U‘²ë÷ëßP$EIi;otÀXì.vûÑIßóS£@	O*Gñò„Œ`íã	µ8‡4ic½ŸŸ¼ýÀƒ‘ò”ÏüÑ|Ñ¢z$éhž|¿÷„w
+Èøâz6›žO®¦ß>ÜÝ|ù|ö~úùtBeúã³ÛÛéõÅå?O'LØ9»þzöçnOŸ}œÎNÎ;™ÎáÚ „kÉþ}òý'%pŽßNˆÇU(G/ðA<ª-O„äžœ»™üdvò÷†`kÕlT%ã>У#*<.`±­©<Ì©Nà„IQUi‰ˆ‚Á-à;ÊÊuV?.è¦o1¢gD»"$Q¾-‹*­ÈúÒ$}²ñY°hà…î뤱4ì‰ó¨ª(3å…aØ'|ñçÈ;=J6-²"=j°†ââ(ÅE=[x"YŸÞǺ Ü=Ö§&\IK…³
µî÷Ô°½:ê~I¶Nãº\¿¹Ÿð|&iÿTÅQ-“ê×Õæ¸#AŸæíŸã"«£dWë².ã2ÿuQï¯I‚Š {M~Eæ'¬Ê¼Gµ¢…Îr=zÏGéåéó`XºÍÅ6Ýt‚ÿ„Qߣ¡Ý$p1ß]ÞÎ/o®›]Ý$.ìS±76ïf6( ü8S?¤uu
+,©ÎWzpŠPý˜"ð=§…™
âfÖåBüŠpˆ×¯«ºDø12ÉŽ–XT$Üo²<Ù²Gà!,O+d¶(×xWÔÿh§ÛD’Yo#›Žaš¾Á¯¨Â1I5‹"Mð3³iù‰SÚEÒ[jWFP(Ũ@Ýχ\
+ò0å"l]ëƒ0ßã¾Ã)ÀH¨y&|[FÀLVáX­Ò8Ó'0SWl·ã¸\.QtXÍ!‚CÍlj妪-Õñ#b6ûœBiZK¿—……´eÌÚËcŒ‘„„z…]#áÞvA”YCܧYñЩ‘ÒÄû…ÊèÆ܇ÝjÕ–5‚鸫üõOË—»µOƒ¥ù6Õˆl›˜@9¦äP5ÒŽ2
+E*DÃÒ5Xâuê*ðUpG¼YšC*2ÎbÂ^LJu´;áT#¤ñ‹Ðø.,Èñs”ŸÒñÆ~•‹¡˜N¯¸O‡«¯Ž Cä-¦s9fÇѺ’°^&Çw³³/Òæf¸:!ƒê»ãKú’–»ÔÕ{fŸÎðË_ÌÎDÆ×xwÑLn4îãÅ'Ü I_d=ÌåÂÕOižÃ]Òµ²¦•UÙEP×F*
»çBC« ˆ£*u¡¦J‹*«!˜ö‚ˆ4˜—Z>%Ž¨ÝS‡—8c®Œ­  OçKmpüF%ˆø’å9BFí0n*8ñþg’tmòÚÚ}-›z0ªqÈìL)—Ù'|ÀøЧIŸ;7)W¶ýiŽ@ñkmŸBBíGŽíùZa÷Šm[Û¢á¹M”ÁÑžÍP§Q2ǯËÚXWé;0¸¯@Q3òÀ¼£IKÝ°bc„ƒÑ©
ªN‹k¹ÊÓeZXºÍ%2›v4tVK “A|Ÿt
õ“ôà±tvÓÇ¢ý^ç¸M]BÈâ(Ïm|®LM`ZU»'O.Ë=xûB/SŠã#‘·…´?ð:¤­ƒµùùÂSŠ†ù9œ]~&Àü´Íï+ºÜ?ãsÝkG«è^Èg·±Ï ãÂèR™%¸ÛJ…™à䢃¥ÆO:óm3TŠs·d
+áfÛPÓx4lðy«Û3O(λ=M!2¡Œ¡-dÕø_7×SœÑ‹3øˆlIIÍŠíy1PÌõ²Ê¾=è)Mèjúí- Á #¦k5ëÓÍlŽh†ŒÓëùåü®neP˜õÛt£ª*ã̺·b6Ðj”'KsÒ­[ÞÅ×Ùô‹éÖÉ‘«Ï,W¿ÇÕo¸úÔaB¢^÷øá‚£x3ÿÔæ´U‹‡“®°i†4ãæ>l•®+ÝþV®­žhðÊêÑЗG®lëÀ•uXæÊžïT–ÐÚ.³tH,ÛÎ0Xa—å9d\(·ï³<«_1Ù.Ë$}‡¾+mAÙ4]æɤª_s›á]©“ ]ËMí¶8ªiAóÙœÿÞN7ÍÞîs"÷	¨’»kúkωúͺÁ°÷4‡U!§¬ç›$Å›Ä̳Ö_+œ‹Ñ[ì?dz&1å3nîís§Âé
+z+³9Áoûr¹Ý !ƒeÏ–œßVçî!JŒ.%1Úê®tndÜƱxææá­qx˜7	
+Æ—ÔÆãÓjs¥·û&5#m@6‹k-äÐRZÇîñøã+óF«QlW
+ÜýâtV54"„Ú‚Øo]2O]E_ÛüÎD]ŸÓuÚäk²ƒþ;ùòúâoÛÖa ôÙN€xávß
+„êþ[®
+ ÈDÕ‚+n{Ò¥·ïŸj.=ý÷òÀ¥%̓âÿý/öö?{x<÷ý,Ðl…Ò‡£Œí9û÷®ììDëóendstream
 endobj
-2016 0 obj <<
+2034 0 obj <<
 /Type /Page
-/Contents 2017 0 R
-/Resources 2015 0 R
+/Contents 2035 0 R
+/Resources 2033 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1977 0 R
+/Parent 2032 0 R
 >> endobj
-2018 0 obj <<
-/D [2016 0 R /XYZ 56.6929 794.5015 null]
+2036 0 obj <<
+/D [2034 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 678 0 obj <<
-/D [2016 0 R /XYZ 56.6929 769.5949 null]
+/D [2034 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-2019 0 obj <<
-/D [2016 0 R /XYZ 56.6929 744.3807 null]
+2037 0 obj <<
+/D [2034 0 R /XYZ 56.6929 744.6864 null]
 >> endobj
-2020 0 obj <<
-/D [2016 0 R /XYZ 56.6929 712.2038 null]
+2038 0 obj <<
+/D [2034 0 R /XYZ 56.6929 713.4673 null]
 >> endobj
-2021 0 obj <<
-/D [2016 0 R /XYZ 56.6929 645.6981 null]
+2039 0 obj <<
+/D [2034 0 R /XYZ 56.6929 650.1002 null]
 >> endobj
-2022 0 obj <<
-/D [2016 0 R /XYZ 56.6929 573.1238 null]
+2040 0 obj <<
+/D [2034 0 R /XYZ 56.6929 556.7542 null]
 >> endobj
-2023 0 obj <<
-/D [2016 0 R /XYZ 56.6929 497.5848 null]
+2041 0 obj <<
+/D [2034 0 R /XYZ 56.6929 454.3841 null]
 >> endobj
-2015 0 obj <<
+2033 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2026 0 obj <<
-/Length 2064      
-/Filter /FlateDecode
->>
-stream
-xÚ­YKsÛ8¾ûWè°ºf„Ä“GÅ–³ždäŒíÔîT&Z‚dÖH¤–¤œr~ý4€")HJfÇ>›Ý¯ø@‘†2Raš°‘Lâ˜ðÑ|sG+xöî‚8™±w¥Þ>^¼¹¡r” DÄbô¸ìèR+EF‹ÏÑäãÇéìúö¿—ã˜ãè-ºsŒ£_'³O“vîãeG“wÓ‡Ë1IO@ˆ1£ëÙÃÃôjü~úû»éìòËã/ÓÇÖ­®ëSãÓÿ.>Á£¬à—Œ(h}…ŒH’Ä£ÍãqF©ŸY_<\üÖ*ìÈyHŽXB)žô¬•
-¸ÖËyJPÌEßµ]W/âB?íV«,_ÙÛÆ3—ß±©C—8Kh`˜0ÌÌZÀ˜Ñ}lz?1Éñ8½¶* »ÙÁÍíh‚‡E%RY§þÉÐì”
-4	{ÄyUéù*pY›uúdñhN$¸K}}Í‹Ív­mKU»ù\WÕr·^Û26§x”Õöù¶Ìò™D©{¥.-20nJ®9,‹rh1ÅH1;'Þçð‡~JÓô§Ìü¼S~ãxçÅ RU
µ‘6%·°3Å®Þîj¨JJ0”qæbë¯iîî¦ÚþÀ8†ŠËŠÜ«+Û¨ÃRÆL«kæµµöš]a=§nb¥s]B/б݌+Š¦êôFÜ•jr™°nXa¨hG—ÁçLäA	a/1yÚj+uh¶ßÒ1Œ¡ÒzfM8ÃaâbžUÇÐÌÓ>• Ð¯Ï!µ:”:Ó	“˜6Ã(ulB¶‡0ÂÚ;R¾Ûè2›Û»³lí¥‚üídnS‰Ý7Óõª(³úysZF‘pÛŽÔ	p½ÔytOYíÀ;4Æ·köX+¡@B¤gópßtéëœcß–EQ7Ý&	
-ôæ14,h¦c%H&\ýX–Txò7·v4ŒIøÚô=éiÒ\E_!¼VÀ”PeEžR jÄvCÙôðä&š%è…µí.ÄÜb`¾DIy¤a#K¦( ‘ÄŒõÉ”ô\¢ÏÈÞ,Æb»{Zûl÷Äòg߸A†		CŽy	‹}1|êÐÂ88Ë3î¸÷{þ¸µÇ	p	%ˆ·lÞð$âLt Cœ8!iØÅ°èxgîRs‘æØdïja6kæ…ß
Í\ýœÖN‰ÙùÌàI[ P—M*˜YÈŠ¢£_DßÞmF]WLE,2g©ÎШ25bžÚ„ì(ù×íllá¢$a/S®>|ºž¶y­7ºS^
ÇíTRZH+,„/î­1iw£vMwáe¾inITmõÜÒû¸iëEe¯
-è\³t+ž^ ê²bW¹÷ô|W6Lܼå
-º*rS»TPLVí5zW…v³yQ[à$ø-¡5ôxÐsú¢»dcÝÝ RÇ„¶ºÜdU[D»bOZ™¥ÁS‰É‡‡»S•úx`²B™À™Z5Ë°«l•›4ê> endobj
-2027 0 obj <<
-/D [2025 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2028 0 obj <<
-/D [2025 0 R /XYZ 85.0394 634.7354 null]
->> endobj
-2029 0 obj <<
-/D [2025 0 R /XYZ 85.0394 399.1196 null]
->> endobj
-2030 0 obj <<
-/D [2025 0 R /XYZ 85.0394 318.1439 null]
->> endobj
-682 0 obj <<
-/D [2025 0 R /XYZ 85.0394 275.0317 null]
->> endobj
-2031 0 obj <<
-/D [2025 0 R /XYZ 85.0394 236.6315 null]
->> endobj
-2032 0 obj <<
-/D [2025 0 R /XYZ 85.0394 202.7957 null]
->> endobj
-2033 0 obj <<
-/D [2025 0 R /XYZ 85.0394 130.8533 null]
->> endobj
-2024 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F39 927 0 R /F53 1062 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2037 0 obj <<
-/Length 3049      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ËrÛ8òî¯Ðmè*‹ÁƒÏÙ“+±'')[›yh	¶YK‘“ŠÇùúíF7(P¢”­ÝÒ
°n4ú	HNüä$NÂ$Wù$Í£02ž,×gbòßÞIÆ™:¤©õzqöê­N'y˜'*™,î½µ²Pd™œ,V¿¯Ã8<‡Dpu;ŸÏÞLßϾ¾›ÝžOežÅypùéÓìöêæ_çS@T!‚—·_.ÿNcŸÎs\¾›ÍÏÿXür6[ôlù¬K¡‘§?Ï~ûCLV°ƒ_ÎD¨Âä:"”y®&ë³(ÖaiíFª³ùÙ?ú½¯vê¨(¤•NÔˆ,”œHæq¬ˆó0ÑJ[a\Íæo>ß|ZÜ|¼ÅÝØ9;ù‰	l8ÌR¡,òªn[³œþÛ¼<˜šÑµ‡žŠ0Nc˜…È€bžŠÎ´çSè&1tß<@â'øw‹¹YnŸÎe˜þ;Ëê<}e~BÕfEݲ¦öó[^IÅ:æõjï[$tšDypÓá@hÄó´°¾,pÑ4Šªmr»¡o&x30´mùÛsÙ=´˜ß¼#w·8ÏEðTÔm±ìʆ	Ìˇºè¶ç2 ·¸a¦ÝRëïº%Ϥ= ²(E"	/Ðh»;áöEš?Êjô{óB„±ƒ„±õc·d\K•köd²0NbKeñhH7"_•dª4ËY9êbmFH%a,•d¤æ%2è`A€Ø	(‘ÅDíÆ,KäÒ€W4f÷äÏZ6ëµUìTem@t¤ƒ·(.œáôI´F°‘‘ÁzÛvÝòqo}»ÃV§¢8Ls9Ô)B±}oj†¬î ðüXÚUìÑh¯(w>Ž;SÖ:e\…½Ízv§¡ÓP©˜Žã£5îC_%ÃTÊd’ˆ(T™HøBšúXεºÙéNbØð´@„ ÎEÕCóæ²Þgt€:É]5ž¯UÔ
-ÎyÈÞÜTfÙ¡l3ÍRÏ¢`ùô²éš‡§bGBßz&Am")Xm·W›L÷j×ÒÁ·¢Úò²¤{¡EŠøÆÞPÀJ:ã±êHŠ&’P'"šùRq@Š†’ˆ‚ÏóËWè,”´ùõ¥äÞÕüò‚oaSzøÑîæÛO€&IB£{eŽ”2àuHîHíö{ˆ-ÇØ^]S‹Žêª¼G—HÖmG¯MU%sLˆ¢(¸þpùfJ[ê»Ì·ßW*Ú‰“‹1–Üwá´5g£îø'ô àçZ6V»E¶ÓÂ…0ì,‡RÖ­©Û²+¿™1§ysO¾¨n¨%m8G7³¦‘CŸ·²ŽÊJš}!>—UEUh!F±¼{¡‘•¹/¶UÇmëÊ´L¦õâ:Ï’ç)kâT(«„,$ѽßp˜é· iSRaÈ0KT¶©Üþ¼Èã¹É\}ue4Ú·u™Ôò¾é:S¬ÆNà¶Áè®Òð	:̤–C—€FŒÄµà8†áV¯¨ÙÙb.8=Gˆ3·œ}m»gcý%t¬"@†„¹ŒALoŠð#‡¢Qr#zj‰Cѱ#©R”1q‰Dž0"GÙ+€1&xWvÁ‘…iWðÂY …Šv>"@­ùJ×JðTc{±É˜\1ƒCßÂ\ƽì=?¼ã:®Ú¨Ù5×±üx]1U*ãÔR/¥Ò`ÕØðcuÓ1`¬ÓÈ:_@ºãù^¥òžÚmK)6€¯Kñ‘ǼLPíÚÃ:à.#«øÆÔƒ-]£*‡Z(-[ØáÂÓ*c,~¿ÿÉUŒ’ORbÄ:X9wÆ™Zø=.lý|²+6Ñ–·‡‰A$Á=fÒeöSW	¹á)ÃòcyCæZ¹Ô·…y&˜ßuól¾·‚rÙŽèÀ´$ÕÕ¾ÿ°]+ohÍ_›ª\–†ìæS­ŽŸÆÓëP‹ûL…‰·s¢
-
_6íQMzª‰t˜`'O{ôø*ŠWü¸¸ö)íÄÒ «$ì+I$Ü;èpŃUV’£e€+/)o ÏÂÁØÆ@hù´ýÛ'bgp³t*—VqJôÓ'
ßÇ:nø=Ö®˜ôIBŠ‘ç2;MÒ!ôM"0…œr@òU‘Š	T1¶šœ.‹MqW¡¡Ò¨^™d©¼;a»áö¦+?gÖ2¥çÓÅ"@}qݘ+V•óð|)0àNö¶wuíJ»A胾­¨l¥Tï]4î®G¡ƒ×£ÿKa}÷â.­Ö×LâôaÃÇ:¡=ËjÏ›íIC%ttš¤C!9xÙP¡Ì¢lHòM³Þ€­Ü•UÙ½ÐߺY™Ÿ‡/|Åh5Ú¦ZMÛî¥2ýÅai–SBÒl;7Å®ª ¼ï
-(Ô,GD¼fbýåÍáÃNe(PFâ¿z¸±·0Iší¹y:p-ñÕaYmW†:\¶%ÈüO--ÉWü´#+z-‘üdáÏsû¡á¶khòŠúü€²››§ò/—ø"Ó6äy
Å6DYY¹]”6Ãâè-Ù…N‡yZF Ð>«óš¢ãf{VÅ›ÄA$„GAºìɱO¦[²·×"ÁÇ^œ/˜€z/_.Û~‚ Ÿñ‘}Á|VÆÊ8cíø®4ે,ºÙG¸JîõÍíÕßNå’JĘ~E.™|óÃdrçØÀõl7~ÝjÝ%)ÐYõÒ•ÊDë¸è±,ãËñ'	H¹]Წ Üï3–'a&Utš1‡4ÂØ@N6ëtÈÙM½B½²â‰´SŒÈ½LD6®  ú›@Û®è㲩»¢¤jn0‹’Zp+c?ßÌOíUF¸"ÊÁ*lFqƨ´Æżû[…×ÑÞc×àú–DjÁ›ÛáäÉ
-CBê™æÉB…uB
–Us,Ñ8I²O4IŽ%’7÷ÃüʽäîQÕÞh½„[?4¬x‡jJLð!¯GÞ"]šÈÓÒôŽÓ!í
-ý=“Ê¡æ×	[Ô}U<¨~–d'yr8‡<ùÒÎãª9àinoEÄñ€zkûÀ$tñ@mxò±w-¢ÂD°â‰öŠÓGÞÕ9Ôš'Fì”oŠðkSÛ+nï¡.¿¹¢À5•
-ø,FäÁã^£XÀî½xî®uö]–÷yöÏïg᱿¯è8ÄÿœŒŠèo;þ￶ìþÂ¥¡Î25~¾*Áêf¦PR©C%ç?Áòþá~éÞendstream
-endobj
-2036 0 obj <<
-/Type /Page
-/Contents 2037 0 R
-/Resources 2035 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2034 0 R
->> endobj
-2038 0 obj <<
-/D [2036 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2039 0 obj <<
-/D [2036 0 R /XYZ 56.6929 752.112 null]
->> endobj
-2040 0 obj <<
-/D [2036 0 R /XYZ 56.6929 634.5858 null]
->> endobj
-2035 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2043 0 obj <<
-/Length 2972      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[wã¶~÷¯ð›åvÅÅ… ÁÓ'gíÝuR_;§ÍIó@Ių©”ç×w€P DIM»ûƒonù9ƒÿü\«ˆÉ,>O³8RŒ«óéꌿÀÜ—3N4cO4©¾{>ûøY¦çY”%"9ž¼tÄ´æçϳ_FW7÷×·ÿºÅFßE—cÅØèîêþ§«¿ãØãe&FW_nž.Ç<Ó*"eÉ6º¾zºù4þáæç/7÷—¿>vó܉ŠÎ™´2ývö˯ì|'øþŒE¸¿Á‹x–‰óÕY¬d¤b)ýÈòìéìÃ`Ö-RE¬t¤Dœœ8N¹V‹˜ŒÓ˜ƒ(œS˜àC
-óTVaã{П•
-(9dœ‚dŽäÅ”¦ÎÛªÞU	Wp0<ÜvO8O4 œ·T*âI"ûÒÝÎ/ÇRÄ^„¢|Áï›ëb~Éõèߌ	ƒ#_Ír¹ÊKüøfÞ/9ç£ð‹Ñ¦!¢vQ4=¾p´4YHÀÆrY½™¼æË!⼶›Ac%*Z
ƒ–ìÍEBÀ)Æ ËL)áŽSV@,Y°­ûDi²Q³6ÓÂffE°æHð­¬ÞJì®ëbe°;wòT+\üãçO8,”Ì°÷V,—Ø›ÐPÁÉ‹9ñ«š¦˜,Íßà3e£ª]˜ú­hˆ¾Üq˜?ZÙÌÌóͲEƒ²ÒÛVD{&C¸Lt©Dèãà
©ƒ·£rà]ìn	ÆÇñ‰-=ÑÀ–!$³,Š…ÚÙò±.Ê–NœcÓ,ªštÑlV«¼~ÇjŽ­U"¬Û¢*ýb‹×q×ø²Y™Žq[¡Qö4 â %R²ÊYÙ4f:Œšˆ<”>Ià¾Àîúðݨ$bL¥'î& :r7žÊÝÍCŽ\žÊü	ŠÚLÁÞ÷ýŠ—˜$Dž먤ë{–4’©îK÷d:]ûÛqœ}£HíÛ·E1]ì[çâ:Ö`—¦	/Ót×èÚ	}¿ÕEÛšòð]ÀÔɉ»¨ŽÜ…§rwñí Ûrk'{[ÚI¸åµY“:óÖÌúêœç¯Öõ…62~Æb¯sÙu¤@(ñø¸ŽBªÃ:ꨜŽÖÃPgÊÂu]µÕ´Zîá5Ž£T©ø¸pÕ€t=¼‚§2Iûâ!`%ÏRØPàü?Šä¦\´Âɹ.!9`ÜG·€Íóa®ž0Ág¹YMLCÓ¾Sâ#2pl.J8GÆÒ~èÊFJ	I™ÛQDøpÑZik\ŠaZ=á܃
RØõá¿|´^v£½í…ž61¸bY4U+F‰­‹ª¶QUÑ:ëÇöÂ;”f3š¦©êæ0ˆc&s
-Ã[¢#&"‡àzÁY”hé£@
²W«™yÝG°Í3!½<&YG´/Zßß‚“gBõd{êR&Æ	–LŒšjã.ajpÂzÛ¢¬%hn=Næ‚Û•@¹Þæ„–Ñ;\ß
-§f•ß§¬Zœ&\¿3Zž£¶âP­Òf¡™ðÿTõуYGi¬uÿÒQÈèØg2õ±m€öÛ¦Œ:øY‹öÅÔØ\O*:—%{°Kz걘#ÑV=8^4YO*„õŒfÊõ¦†+U¤ÓCàØ9ä†à‹¤MãÃã7ý[ýÝÈQ™»,†ð>1e‡fºÈë|Ú:t¨¢¬±Å€JäUÙæEI—,½ÂÝÜ,o‰©
´¶Ðî”æÂHQ(òY_”ãY­uOÜ»'kÏöù?ÐÃîë’s)ÈHH—t³UB9$9÷+ÊYa#d—Œäm—^÷ˆÑî±Ë87ËY?¹°g>èpb¸>Ƹ<îqBªÃ.§£r>§Šš,’{§Ó´µ)_ÚžϑËxr\¸Žj@º~ÔÔKEÖoÇí0Pf¥r®ßIæF|ðdŒ€PÁ2NÃ\
-Ú(Ǧ–,–ðÁˆÌÕÐáʺ.ƒð©#.’¬Ñ馦Û%埋œÀSRº93öĥϺ֛¢¤é§`SãEò(ÖÙ	¸l‰Ž …ˆXž‡À"¢
-gï„êö}mö "e$OÉÕíÖ
-èUîJÖljè²&ð³NÛ=/ÜN«ÎÏ
-=r‚ãâ
-[zpÈ(ÙnµïKXÅÉžJöc½âV›¦EÖÚ˜&Ù>\·Í¬œøŽøbP!îÀk›~E&Éf2HÑàÃ¥SÐz¦"‹¡B²À¶£›Æ9kÛÍ;:À
-_*¨‚«ä±7ž)µÓœøLhëêÕÔu1›yþ®¨‚íÖiØÜWù·¢¥Úíéö‹Í'¦’~±Ž†k"Ñ]uNÖõ‹hÈ‹îË>žÞ]}ÿ…*Ú÷ú«eO…NE¨éÜ»,Á§€~™x²ötG1ÏNÔ‡!Õa»ì¨œa¶ƒ™#Êg0ƒVÉ­ËUñq¹:ªÁzv)ÀÑ+({z’ÝñQøê’p¼]Aäv†µ,.D$u¬wµ#‰H"ÎTÏ®„ @[WåÎÖW?=ýôpÿÙ>,À¡û‡½ANƒDá­'ðÇv«û¿Ö•<‰/–’°XJ¨XJzDÛ!ÛSä«æ¦&b7Ûz–ù¤Xí{6ßÀ|Ù:åÓÎnYá%§·+s›¤RÝ+É–wtSNë÷5å2–íaÄ3	LÀÇPA¼§rˆ=ùì½4¯f¿Ôpˆ|óQÉ:ªÑú±ˆGB%}цž¦ÌdóòÒ9''YÔ=vÀ<=†¹}“)œ%CŽÏ·w·÷äÅŸoîŸ`W(T”‰XáY]ªÈ'§˜_Ûó;=î4.ѶS.±H©Š±ð}+—ÌÂäÏðïîîúgœ§F¿~½»{zŠpÒVyv²ã³S´ÃÈÄ€*š!Ø‘«·«°¹øë…í$´'Œ/,†5Ç€“’
ÁLQBQBÇÂgˆ&s:]å~o˜7†oŸà{g÷ÚéDn‹•±u…NFŸ½(PÚ¼š²c0N$áÞäíL³™.Žï[4ñÏÿtM¬Õñ”ü8(&4›îç“ßÝ]ÃäxÏ‘Ó‘ˆG«
-»rtñÖõf]oá{îLvõªðC-fÜ;+Ix
-Nª‡vZ­ ´A¹SDŒ¾›¼&¡l¬Ýfµ'Ç{Ò#™(ìˆx¼°9›û˜åïS1ÜòK	AÜL,M¾ÆžÛÌn¢[Aݹ ¦ýÝÝP·;°]À
-rþo~û@Kïûvм*JЊ£Ã%HA¢Ú`þ]=bkÕ^*8Z,Ûþ/ÁØý1"¼Œàgœà2‚z¡d·œ~Ñâ	DVÆNüŒRvÔ•sÔ'Ÿe!‚˜ÕÜe×]«DŸ’¯£°ç®“4J’Lõ%$yÝêÌI„C.Ç˶¿ ÀdŽ#øûÎ(¦è˜QžãëÍdY4wÁt·É`ض…ôþjîTpÚ9]âCPÇúM]Ú¡Ò(RíºÏå²ÿ¨P”Óåf¶†C o±<ò¶<ÜËÛîE?hÀ‰u{Z<‹R­O¼–†TG å©´®NþBuY1T›\¯£¯¬ŠRÉûÒ›¿òoƒJ²lÏ"KªØ#«Gå°e;…__a;!‚Ü:û[(GOB&@~/ Í8ÓoËÈ!GÐ)ïCª î7Ïusÿ#LÒR®äD¦ùû"rùq#Œqñ߀DFiÀq"H³/[ :JSpy¡p„íª4óøÐèylëñRá-jz­Ò¨i{Ïþ»o^«o$)xí½Œß@s±Çž{h¶‰Ž4Tñ}@|’ùËK‡’&Œx^çn÷œÌŸvTÌöyüYàu•tdÿŠgànY—šÿß,´ý£¨{­Å0L$‹íã÷BYíBa½+º’:RZ¤²ÿ\®žendstream
-endobj
-2042 0 obj <<
-/Type /Page
-/Contents 2043 0 R
-/Resources 2041 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2034 0 R
->> endobj
 2044 0 obj <<
-/D [2042 0 R /XYZ 85.0394 794.5015 null]
+/Length 2826      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[wã(~ϯð[”³±Ðå1ݹt&ËvÒ»;gzdÛ:-K^KN&óë· #Y–{Îl÷> ¨úª(P‚ÿÁ(á>ai8ŠÓÐç$à£éê„ŒÐwshÌØ€Æ.êãËɇkR?h4z™;s%>I’`ô2ûÍ»xzºz¸¼ýÏÙ˜râ}ôÏÆœïþâáÛÅl{:K©wqsõ|6x’D
+%,"ÞåÃóóÕ§ñÝÕ¯×_ï¿\|¼úröûË/'W/V8waR²ÿžüö;Í`¿œŸ¥	½ÁâiJG«“3Ÿ‡Œ™–âäùäŸvB§W
íSHÈŸÓ0œò˜õ«ø„ƒÆqH`ÊZµÑ Om%Õ6žÊ~¸æÜAħ´OdZduÝUG@¹/µ8r×Ü“Ì¢zDcî‚T’ -Ûm9˧Y#j°_ȼf™5¦&°v“êm΂ÄÓJ•3ìœVe“åe^.:£~ˆw¬ÔËj[hô2{-õ굘æß	¡ÂÌ(5”a$ñnçØVVZ(…K=ÆTZ<”
+Àl·ƒ3#Q©ªzû€e®ok1ó÷è§m¥1(ˆ'ÃDpQ‡‰`QŠó"¤~”0Ãy‘-öh$~ĀărYT`-PæGн%Ù³h¤ÊC4Œ¬´תe œêÌËzש€ô,ðD¡VóBÀ`ø»M,°}3ïÅ «²xoãeþg[ª)ÀÖ¢$jS"Ãah÷»ç;¬|'œÜ)ŽÂç|¡),!â:ü‘•3¬|½ú×ãÝÕaÊp¦a¡Œƒ ŒA)ÊÜt—L#?â<^Ò€z–l‘@š¸½ä(ÅB‚ÖÒŸƒ ð´kM¶
Vf–è¢PYo'E^/µ»éF0­*kP4ÖÞòÆb¤·,n¼³Z7yU¶=6/§Õj5ù¤Ý)ÆOk/[
+øÏ	ÄaK9¨K”²ÔrÏR¡†á‘%
¨gI×Riꇔw–|ÚäeS·ìáv£•^oW«l£).P–x­ŽëŽâÐYÛ•°7­–h˜ú”ÒX‡­YY×b:’Ì7ÕªÈ&¢ÐƒZ{€ƒ*sÐB<¥~‘tØB.ê°…,JYè®ï}òÔì#߈iSÒº1˜SÈ ¢hX8‹ê‘®åv<öYœ´¥ƒ\wlâ`ÈS"i7Ðä_æÓeþÃÄ3Q»&Ö˜è¿Æ‡6yÓˆò°-¢Àƒ8:b5`ƒR¶øqÈ[—´Þ²¿dŸ·´–lÇ5uúÈJûôÑJÜRlŒ~3­tshõ;¬AH»X9\Ô€
JipÝÇæÀORn\l½©šjZ{lC?æ<΢z¤k±bAÌ¢¸-Ò™™\A®·VºÒ"©®×¬Ø
+¬Îå!QÎì‘#ïI¢hïNCÕ!{2,Êíj"ôlѼ	QbÑ0íd…rîL®R{IIÜN!fbžm™!T-–¤ß2‘À«Ì|ì{DöÈþuU×xfɵá{pÇÐØ,sÝä†_ì³Þ+»á`mTâ*ƒ¶¯×Ÿ°rÆõ,¥Á4˜‘övêít*êºÚfmsð r$vQ‡YkQŠµMo
+—s–4ïkÑ—“˜‡ÃrYT`ݘp lK2÷&DMT¥¼*`‹:Bw=Ä!¨ÚR´Ö€£ 	“Φ:’Ðî¹&÷_më'žè¥«²³ôÅ·—ÏŸ®å-û›÷ݨ@3ÌŽ!F–k‘ááÑŒõ%F1=Âx5ÀxƒRŒíÓn9Úò…xûAÈAc¸¨
JfQ=¢µoÿOyÔ­/å“íba/CJ2ß&€–8sXd®Ã?5›^nïonpìãÓËíãÃsíÁ„ vÄ®]j¯‹¹7UGm¢@ƒøÃ=Ä+õBãåSv¡ÌP@ºRÏÐù+ü»¿¿¼ÄuïpZ?¾¿~ö±S½.Äánžvô•-ªè¡úò!GaqúSY‰ôšÐ0>•N¼ÅÚ‡ ’v±ÑÛjpW0îÌôîÀå¡^=xŽ§Þª³w£+r“¯„:…"ïÚˆ2­ÊWQæàB‰'æ{à(X¯›÷n^Eõ¦d"o"½.ˆu¼‚¯ Å„†z«¦•‰éÊÖÐy
+ÑÓS:¢¡wºª°Ê¼Ó7[›ÙÚÒÔÔžäèUnšdøÀeôzq{V=”ò¹E*×ÃÞE¶ÑBÉã|&¤œ% zâ
Ú)ñXıBÃñ²ÚnðÇ,{¯•ŠÁÊ‹²Ú #AG!²5ÖÔb2WиUU6K=i{uÕd×#–s¦‚Lç‡YÞ‘DâM]s®ò´RŸ»©­|jrp›…ÉKú¿Ï8l­)›ö½Ó1ðy÷ªéùÒ;Æpn6p‘¬Ê„Hê§äju8P[”
+ÔOGj8Aćj®¶Ò
×õ£ä˜|Õ#`+\G±EÐÛ’PÇëÔèR¼šÐ¤LÒÝÍP&Ø‚÷B™šÑ–=‰~³Q–pºí"‚cËg9šzóFÝ‹T·
+ºZˆsùgÆèEUÚwݘ2Þö¢·¼($…©ôT¾ïÛ²žêOMœ£J=@1/fÎøøäL¶­ÍDj/Pê—'9µzo‚Ȇñß
V=×NW9æ9Æ7XÚ'*¨/ÑGñºÇ»&êbžÏ÷N\“f9®ñbbY½Éâ°#ÐX|äjî€Ü@ƒ”\}$r‚Ðgì ‰;Ÿ(¢§±fZšlj
ÓÝ>MghB׌
¡¦èrŠt0ÒYbIÍD1ÒÙ]LÑJKgèD:C£IjšÀò$hô•™¸+ÿU:C.é“„y(qQ‡	mQŠÑ_ûMH@†ÒÌÝ)û) ñÚ”Nü8†Ó¤%Ÿæt¢c‚¬hN'Õei8í¢y	ÑO¸%7'òóVñ,­~(bÇ¡
±ÁÍ‚`×0 {Ó†Ø	Ù;ñš²½oo,[,ÌyžÕn6a$̹m̾
+àÎs¤ãNF`C¥v
÷Ází,Î%p÷ÕA:Ë!úÉGäûv òiâÞ·ÿG4’mM÷„릮tšyÖèæiæA“b´æíPTS:s3¾Âr¢§Ñ—ý~­¾é¥ÜROM¥¨§W”!…Æ=ókêASÝØêφ×Cê~ÃÊ÷øh¿fýMRÉ2áGRUt˜T¤HuÙG*ù'ñÏ‘*IÓdP6Ú®K*Hfƒ–t:I¥æ#?Tt’*ooRg”Ú$ÕEaš
+•ÜŒ¯°Äç0
+GK!ð€f$°™(µµ WR·Â¤g^m_*5,‹ª\ˆeS
+ŽÔÎSÿB`ÒÁM^áL€[eïn\efàÞöÓ
"×U«o>Î'×%Ü·_AØ8ô|õúÀÏ0îË¿xé1+±ï7ûkvFÆà„ÉW'F 8±40BI•BêŠÎYâó„Æ=²ÿ¶	ÐJendstream
+endobj
+2043 0 obj <<
+/Type /Page
+/Contents 2044 0 R
+/Resources 2042 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2032 0 R
 >> endobj
 2045 0 obj <<
-/D [2042 0 R /XYZ 85.0394 259.0654 null]
+/D [2043 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2041 0 obj <<
+2046 0 obj <<
+/D [2043 0 R /XYZ 85.0394 373.7264 null]
+>> endobj
+2042 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2048 0 obj <<
-/Length 2246      
+2049 0 obj <<
+/Length 2078      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YM{Û¸¾ûWèЃüd…àƒÁíɱ•¬×±ÚJ»íf´Y|V"½"i¯úë;À)QRÚÚ’ÃÁÌ`æÅ|Pl@áŸ
¤"*áÉ N"")“ƒéꌞáݧ3æyFiÔæú09{ÿQă„$Š«ÁdÞ’¥	Õš
&³_‡ˆ"ç ¯îÇ—£‡ñßïoÆç#–$Q4¼øòe|wuýËùˆK
-ÌÀJéðöâîëÅg¤}9OøðâÓøñü·ÉÏgãIcVÛtF…µé³_£ƒìàç3JD¢åà
(e|°:‹¤ 2"P–ggk¶Þº¥}®ˆ¤&’G
-œÂ‰¦¼ß_ŒÄŒO1°1Ùú‹³>.ë¯ÑW»Ï÷¥lq20L& ÜrÌÒʼ/æóÒT».aBJ¥´ï™×põØ'ÚZ#J­â®¦*!2J«…ÁkÞ9^ßÙtÑኇ¿›
R²°¾Àë“_\ç/õÓ2+f8
-Ð1¯Ì:ˆI«­¶à6æ[ÙoÙr‰wya½ÁHˆÐ±Ý6#‰”ÜmbYäÏN2Ì©‡k–O—õÌÌÂ^QÜü»ÈZ»¢®<“¿®Ò
ެϙšUVïIACΗ¢Ìªb½9gŒ
ÉÂ=ŽÀ÷DK[›ë0Ø.¶«>°ÙãؤÑqó®ûº`cØâ®6ÁzPpîÁfIlöêÁf_z.~¶7Yéßøüäffi*4ÉuŠ°@s,4±=¹|8Mó®@è¨]"äèVÅ«C—ùã.Vö)ÀX{é–Ò‹ŽQDõðî~2þ¹o̦Döù‘œR§õéyµÜà;¿k|HëªX¥U6M—ËÍ_–ØcæN'¼ýF)7KÏ
-D»/6„¹½{bæÅ:€n­à"O—Hz©×°SâSšï.™×UÝìžgæÕ,‹—˜N¢æÆ—óÁˆG$¡š :DÅR;{>ïƶ^LÆW(èfüÏG/ 6Š"†0ûÇÂäš-OcR…£—¥™Ž FÏ
w[¦JH	Ï<-V/ÖÕvÇq2,ëéÔ”å¼O»hÚL¢cL ü³ÎòÊó¦H*+ =#©˜#
ë`4!ê, cÃ1÷FÜäðGÞ¥iú.³=FC©Ž8¸¸Œâ­‡ãˆkÂ¥P] —D1çYÔÕK]Ù¬Íèp‚²HhîŸgÐÌ"kêàÔf§mDìgÌl©—
-a0ëÔâ­ÔŠDà¡£MM‹É¥%ÀÄÖ?1T>¡¶’ìö¿QïjŒAÓü¨ÆÀ³§±C
yÐÖÚ¶FÇžàqà ÌÇ.øzßqyº2‡]¤ ¡¡ZœðQ‹ëˆ“×I/SºuÓ®Ò~?µ•ÔûüDäBrT^¯Ì:›vê2^J€k¨î¶W¦ËçbU‹Õa÷JJd,OôÕm®#î
\'Ý{LéÖ½»JûÝÛVz(‹ND¬ÕI$nÏh¾¾QI›"P•K„@d¤'dL¸†$4b1ÔW®¿+/Ç%Á¸)F6u©YˆhX½ÙÎ@HWð–¦´_Jh$«2ØãS"ËSZÚjg©®ùRuΆ®9€{g|`À¬Fú²´$¦œÈÒĺk T$aq·O€h–ïºÜuÒÓ­ûCÍñÕwß(fëáA“`g¯¶ïÚ7‹EŒáqS÷úÍñë;ö¬1¤»Q,LŸ•Pcy”ð¤ÅDÑ0.aX!&Tµ¬³O©½Äv.Ågèð!2-B…³4ßZ!®óƒ×ùhÖw Š–|å¼k›b?˼&ןYQö(Ø·}[!¹¾ó­eçWkÕEÁåç¯WãPMÁѶqjN‘kÛNº’$Yè_ŽD¤ré]÷B—ÜroÔJŽ£òÅL±ê#Ÿo-KÛ|CŸúÑíèÅÓkVÔ~9œé–oð•?µe‘»ª„ïTƒ¸`¬0~½mƒÃ }r­vzñEújÚ]IJýSßÕ¼˜õ*+KÈÿ;~ŒñÓFAêqdD´'05Zÿ‘„ˆ(Ú´ŸÇ#"e“á|/Är;ˆXm&|çz-{SnV+S¹hM>]o^°ìÙeM ½Lhf^º§üt{qéáióã2éºûöJúì}3õóâHÞjÆ„½ì¯Ûƒù£žå¡yv…ñ/·_>O;LئX0ôd{8‘Ì¥}ƒô/±Ò£'×£
-:¼z¼@*Z+Bc+ü(i)³Â}'À¸ëNÜ™=Š‘§ù3µ³‘¢oê$¶ã5òZ'Ûš¶ð¶Í‹å²xÃîT‚ˆzÞ½µï„ÿ${mf?öØ4âJÍÖ9ÝÚ;R”G)^á	¯à Oðœÿº¿ãÝñ-ö¤/óínà!ìFúaÊcdÂØkâì,Õ·åÓ~Ó2’¼£T¼ãŠ)zÚÞkW.dHX4
-Ûý¡§Å‰#héûþ‘3I¶µ·ÓÚ8†”°Ÿc 9R–„du`rS`,´VG“Tì„6ŸQ€ÉB$vfÞ~'	-MGù‘ÞC@â£*”¢þ/
S'<Ž}¹¼øüx:ø@”Ùsn˹-ÞÚÖWB‘´;gMtҌԮïü§ˆÄ+œ­²<D¦Uh|ÌÜø/5SÊÛ4¯¡(õ9&r¥Tsà÷
»uSÈ>^¢Dã“yTGÿZœŽäÿ..Ú 'ÅõX$’èˆí|ºø:ùéþátd¯¡c_çÆç‹ÇM	Í“ï^/¡Ù(ÖUV¯¶z¡¶Gª))	¤DÀ¿ÿê…dæ±²6¯Åï&ô
Ö4©õŠ†iØ@"ÚC\8Q80q{[ƒÑM&ßV<ÜžÂ÷’0½ú\ˆ?ÃlkéÁUHb
-é™ iãýÿû—íÅDhÍû¿
óXÚ<§‚QÖ=Ðgì.‡IO@tömÿ,¦}endstream
+xÚµYKsÛ6¾ëWèÐ5­X<	â¨ØŠ«&q\K™¶“æ@KÅ©Dª"åŒóë» Š¤ 3éÃ>p	»‹û„ðÁ?ò(Œ$‘C!YÈæÃån€†ðíf€íœ±›4nÎzµüøšŠ¡eD¢ábÝà‡(Žñp±ú¼
+y8(¸¾Ï§Wã7Óßo¦·£1–1—Áäînz{=ûm4&Ád˜ŠPðnrûaòÖŒÝ$	&7ÓùèÓâçÁtQ«ÕT#ªuúkðñ®`?PHAÂð3¼ KI†»ã4äŒR7²Ì¿Ô_«¥^(0
+	ˆ‚‡‡’sÒƒË0¢„V`ÀƧ÷½¡ÅôÚlà0ÄëÙ[³GàD¨¢á˜ˆ‚>šÃ¯•ÙI¸1‰H€–¡jÒ*+
+µÿ©ž×‡|·MÔÖÃX
+P–r»f™ïö[Uª´qP—KUëãvû<Â?Àx̃´4ß÷‡4+«¹2Hì’Æ
¯Í³Ü(C¬óÃÎèÀZzSÆà4J¼Éà/ü>I’ïSýçÑzL9èàj°aa™< Š2ÉVÉa„ã`eFòc¹?–``£`±I3ìžIfßW*+Ó?"ˤLó̱³{¶Ò@B/Û*ǹ4ÏMbU¦I©VáESF.{¼°1«²<Ì	ö5xi|þ@Xt…
+à‡cò²P7é\hëcr)y[¨>LÏ	’(dÛwðŸc™%;u¨")ÅË@5g]ªžÕÔ‹Bk Î„zj	{÷á„BFjÿ<*;îÔ!]š—ÊÐÕÞ<
+°à†íV¾Ø\™lóCZnv—á@MD{²AsÖðºY½ð¾$ôoW¨Þ¦ÐK¡„’Š8êµÄSHPçç¹(°Î󲊆0ˆCOlCÀ‚Щ#–í"òm1ZÐH¸mÎ71QšGAù¹Š{¤y|†Ã5´fÊCR¨6ÑPÆ8"·[aºZ™QîB_Àælc!.ìj‰ŽÑ›	cí ­½dæ¬NC`»iÖ=‹ýñaël]³q©
+Ü+ž˜°PâKZÂfŸE6˜qP˜ˆuìú–>vïDb8î·{±Q>-e(H
fx H$í$sÒÅPÔÐN¿%ú!t™eÞ«ÊBÆj–¹Ë†z¬Ü$¥e¢3Ÿ&”aÕ¡2=
+V‘7øGÁ—<³â›ªhX¥VR	5CÅJûˆþj²Áä»ÙíØÀÅÀ±cp–¥\½ýp=­y©vªá^º"ê‡Ì
+	ì*¢N¸Ìâ.¼7áe¨9.öji*3¯ŠÛU¡‹×˜¯«]Ãxþð”æG»œýËŸÍ'ëÈEžiŸ¥…I‹;§Â*Wv}–—0Q›W°Mò¤šEƶ™[íÕa—$†S˜jT¬+ƒì-Ír>µ'0y;ß[—žÂ( !Öç¥]t·‹ô1ÓÖÓø\±¥²éNºpðjv«ëd*i“Õ.ÍRˆOIY`ºWke6š-•z—dÇÄOq•|
+°0±“ÿúÊp$œJ?†CŒ#öíìbÆÿvƉ(f£`ˆR@ÂvœgøLaìæ´,bòañÓûû^S˜A9dÊV¿óçü×Ð+°÷üP¦ÇÝI*©n¬ò0&±k¡IDµmËE* ãAFâ-d9¿Z%Dž›¨Íã„C™æ´“ømÁ^WRežo_ô#hþœåûܹSè€2PnPhz æAOè+tN‡ãï>á˜1Ë&‹ó*ÈUhõ,Ïö#öãØÖ¼eHèàê
+Ï:îy‚,4Ì’	WA}r\<\)œlÄSТH¿øâ6¸@Ì(î²ÌzYêR§|Þ{y
+°*$º”Ž\'á–‡W4Ø:媺ÀÓ„KúšÖEé\×èU%Y·U¬~Kìò•ÒzV5HðšfæYÕvš€ôÍíŠlÕù%ƒ6!b2˜¹zÞ*ݲÓ”	Ù·È
å¶cÞìn³»¡ca¿Ùn¨Å|vc(½½ÅH"m×E²45þ0‡¢ZAØzÇVvažÍ
ÃkjWšM¡‹YÀˆA_çtYèæÓõj}yÕ¨®ÁÕ³\µô¶\l®îaì\SEA$EßÐÂ"bÙ¨üÝ6Çε««³ÛÆSQÝE$¨{ÁJIøPm¨¹d™ïv•!è—-¤L}ͨi5‹ºô4ü«KœˆÙ†PîŽEi©¤\n:ü«}ÑkÛ
@Ì“H¶3i}waú÷ÖEöçMZ±õß~ÙÃxPõ
xÿE6DýCŠ§†EuLø׿לn"™Žñ©nŸ¨à!,ŽœR
LØ™êî—sÝÿ—!£ªendstream
 endobj
-2047 0 obj <<
+2048 0 obj <<
 /Type /Page
-/Contents 2048 0 R
-/Resources 2046 0 R
+/Contents 2049 0 R
+/Resources 2047 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2034 0 R
->> endobj
-2049 0 obj <<
-/D [2047 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2032 0 R
 >> endobj
 2050 0 obj <<
-/D [2047 0 R /XYZ 56.6929 634.0466 null]
+/D [2048 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2051 0 obj <<
-/D [2047 0 R /XYZ 56.6929 389.2139 null]
+/D [2048 0 R /XYZ 56.6929 751.6284 null]
 >> endobj
 2052 0 obj <<
-/D [2047 0 R /XYZ 56.6929 245.821 null]
+/D [2048 0 R /XYZ 56.6929 518.1706 null]
 >> endobj
 2053 0 obj <<
-/D [2047 0 R /XYZ 56.6929 186.2038 null]
+/D [2048 0 R /XYZ 56.6929 438.1556 null]
 >> endobj
-686 0 obj <<
-/D [2047 0 R /XYZ 56.6929 149.7581 null]
+682 0 obj <<
+/D [2048 0 R /XYZ 56.6929 395.7108 null]
+>> endobj
+1580 0 obj <<
+/D [2048 0 R /XYZ 56.6929 357.6038 null]
 >> endobj
 2054 0 obj <<
-/D [2047 0 R /XYZ 56.6929 117.6525 null]
+/D [2048 0 R /XYZ 56.6929 324.0611 null]
 >> endobj
 2055 0 obj <<
-/D [2047 0 R /XYZ 56.6929 82.9956 null]
+/D [2048 0 R /XYZ 56.6929 253.0794 null]
 >> endobj
-2046 0 obj <<
+2056 0 obj <<
+/D [2048 0 R /XYZ 56.6929 140.1638 null]
+>> endobj
+2047 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F39 927 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2059 0 obj <<
+/Length 3033      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛ¸÷_¡™>=1Að£}rb%öåÎN#¥mîz”[œ£HÕ¤âóýõÝÅ.(R¢è™vüø»Xì'd9ð''‰ö…JÃIœ†¾ROVÛ1y„¹’1SšvQïo?¨x’úiD“ÅCg¯ÄI"'‹õ¯ÞÕçϳ»ëÛ]N-¼wþåTáý|u÷õê'û|™ÞÕÇÙür*ÓD§Ò‹„w}7ŸÏÞO?;}œÝ]þ¶øñb¶hÙê².…Bžþsñëob²†üx!|»MžáCø2MƒÉö"ÔÊסRn¤¸˜_ü½Ý°3k—‰B«Ä×IÈ")ýTë 'ú‘
+”ÆýçÅíýÝüä$ÂäËÔ¥
+‡/AÓ.ʸ‡BºÓI¾ý u)…'©†Ý’ÕSÞl¶ÇÌÉįp×¢ØS]¢:ô#Âíñ77…Y55èC¢¼fc°z«§—]S=>e»M¾¢¹–KPP
+ïCõDXÒýn^ê7е⽔÷=+ö¼mõ@»bSäGrHGGÐœT¦ŒÜîëA“i("_EBƒ0œÀü©
+íU¥ë<`z_æW?_käSÚùÍ•ä¯ëùÕßÁ¡TÒžÖÛ)@ú„$I@g1¿ýøv&s)¥ôx’tHȯp|ÊÃ9àÚrŒíõ
µÿZ\ç—2®xöÆÅ6+aÃлùùêý”ŽÔ~2ßÝï Gtô¦Ï‰ÎÍ«W «°g„ÖÍhÀñ(ÂbcjC“öˆ5õ³'d›'V™ƒäemÊ:oòïÆo)Ã
§‚„q‹w^YQËêp)=Ð;’×ÔÖ;³Ê­XÖÈcdE]bOºK%às^Ô³í¾6k._hdm²}ÑðFû²05“ÁûPÚ0öƒ4Y§j@[%x©H9½®vM^•Ý#H:”tXEÒO¢ é_Äá|VvÔ>ƒQnŽÛÕW†Ñ¹¡·dŸ›®¡1Ùúè
+ˆæ]Õ >N=ùW¸â(d
¬b‡,:é‚8˜^?á$G£Arzj‰‡i‡8|È)…	‡‘P¤‰8ʆ|Œ1XÀ§²lL§‚oœxRáaãÞ$v¨5d+ÞvQ!W5äll>&…Ì`ß¹0—º•}Ǹ„ö×Ćvw¡àœ‘Õ¹ HH¿°Cú±·®l†±²j¸c¬ß‡žu¿ZòúN¥üÚ}—ÔÍx_
+‘<ÖÉ•PŽ¡#Ô	w	yÜ€ïaH?Øô8Ô(P¶?m‡CuþXZ¶ðƒÄ«¬6jñËüÓ5¦D4I>:¤Åˆ:Ù9uÖ™Œmü	7¶Ž>òMiž²ÆðÞÏ €Ü ”¦&Ò¥÷ÓNRÝpO‡`û¡Ô!öS¹€à$@KÌ5ÁþnªgóÜUÚüR…taJ’±ŸVÞК?vE¾ÊŒ+øÝ¿xXoc§†3žJ4%RÇ“«kúlóÁÂrVF·I!Pt¬ÙTO‰Žê(vœˆ²ªƒÙ´"P?Æq_iZË9“¬i?Š´+\ :ÎÕÂP÷*‹“ÌélL
Uà‡ Êñ˜ÚE©-ʲZ¾SËlkš—ÝiP
Cƒ:g®E
p×”Œ
+bi½^P
¢„kèTÏ%ÆÔsGdŽŽP@ª ë&K\ÅHkTÌCÆ­žuEp\0
+?L¡Òí]+lkr«‹¶¿dª¿ÜßÍh͞ݽbû  A_ñÚÚ
+^rSA*YwaÈúÙ··ƒ͘‹6DÝÜϳ¤ Ý-nßhöÀLdGûfu]­rrDøͶŒ6û–…í8öu>ûB…IçäD¢QZª‘tH0’§#z4áv¼_Üt)ÄâÓ +%¡Û–’H¸õðÁVQXJN‡‚ˆ«/)k ·Â¡Ø@hù¶¡÷àªb‡úìéÇ2ia_'é+OF]Ôy«oQ‡b²K2׫’`œ¤
ìšDšø»tŸäWª"Š"PÃØjrºÊvÙ² ÌG»±À$Ë 
‹¼a[ÓÐAÏÐeL5>®ßPýŠcXèÆ\±8÷Î=>ðòáæálG?®²ëÅ=ø¶õ”­“ÊCÈ RºÚnÛ@Rä¥yó¿ÖK¦ÃÁì¼ö²$}E{:¨íq(«=ïO´Gû:LÓq’4@²„ðµ’AŸæûj»cYæE޼Ы߶Z|=€:Ù©?2Zƒ¶*ÖÓºy)LûtØ>›¥”ŽTûÆ-±»PÞ7êV#"õÞ1±öõ†"@/öÇÒ©‹–ë²®Íj
+´€©xa_a¢89rótáJjð9«b¿6ôÁE[„¼ÿPÓØŠ|UFúŒ#kk´øh;
×ME‹×ôMþµ³@{»§ü;ou%¦lÈë*ŠmY[±½“d6½âè-Ù…ŠûI„¿šÚgcu^QtÜí—`U|HDBxs!$ «™š2ÍŠ½½‘÷‰ê#•¸÷% ÞÊ—†óºÝ#£^—ñÏëY㌵á·2P8îRèdáê¸w·w×K$¡1÷rù™Ú`&™¿ú¡ëÙïv$ZPº¥³=ë#ÀåùIQÑE÷-Ê2¾þQòmWµ¬
+÷'Ie }©“dœ³5ÀZORJø2²ÏÛm¹FͲ
+•SÐý8ÚÈ‚ }
+´íš&WUÙd9s½U”Æ@§¿R0z“}7=\pTáŽ(	«²	E.£Ê7ë¼àøÓV(GpI¨¶{{×-0‘øPôD¯(B5¢eaöjaÊGˆ…§ovpeXŒ²Ö¢xëkBìÇX÷˜ûj­D	AYmÊ¿JÑІ’Âõs›â(ú¦û)çóŸh	qÏï‚“=ì<»¬¶jŸ…}„A*!½µu+Ž¡áVOq3¨Jt㱟(}”ytSGXžzÿ¤8Œ1ÅØå)Vì$±!¿âÀènõ{-m=º²
+FÍvg£0t±4¢;ã¶È_ç\v\rKâ;«—RC5Ž?Èêeu^/[”ÕKs.%Ù¦À§$‡RàÉÛ‡~æoˆ}•£–^ZßöÁnÎB6Ìk8‰$Ý|4m*
+%by>'^ ®^1ó.jDœux‚:2óò7åÜýC‘=žØ¸LüH)5ÎW‹`¬gãò#F}Îæöç
rŠžÿUöGP¡²Gš´T}˜´Àk•‚Ú7ø.øPŠÓw?~`NóK&ÎV¥ý
¦ƒ{,ó?û\Qn~΢$:z”êþŠÏ|¶cëcÃEÂÜ=;ZˆyኹûüeöûO³³*Ç~€¿ÿÛÂ4ò_²úòñÄü"?Ò:¥ç0§ôúdØ*îÑûØ) [ë92®åž·uë£xÀ&£5'yyÓÿ½_vÁ¼iºvá·›§¹±±\rúù螦Wþ¹ÿ’QÚÇm™hÿmåÿþšÃ
+…±¯’äÌC¨3¸ÈT:¦Pú¯³Þþ¯Í)ïÿ¥¥ôþendstream
+endobj
+2058 0 obj <<
+/Type /Page
+/Contents 2059 0 R
+/Resources 2057 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2032 0 R
+>> endobj
+2060 0 obj <<
+/D [2058 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2061 0 obj <<
+/D [2058 0 R /XYZ 85.0394 751.4437 null]
+>> endobj
+2057 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2064 0 obj <<
+/Length 3128      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKs㸾ûWøf9±0HðQ9yÇž±wcÏdí©dkw”DY¬‘H-IÙëüút£(QRR±f£ÑøúJKøWç&QªÓó8
…‘ÊœOWgòüæ>Ÿ)¦;¢±OõÃóÙ‡OA|žŠ4ÒÑùóÜã•™$êüyöëèaÄ%p£›Ç§§ÛãŸnù|ûx9VibÒÑõׯ·7÷ÿºk#H¥=\?~»þ;}½LõèúóíÓåïÏ?žÝ>wbù¢+ Lœýú»<ŸÁ~<“"€ÎßàA
+•¦ú|uš@˜0ÜÈòìéìCoÖ¾:¤ŠÐ$Âè0:¡H`ýa…)+D±IEè S˜VC
+sT¨°ñnôÃ'cÏ6Ë–l¥ÇV‹=£adÆÒˆ0ÒÉ	øzTGàë¨,|»KF‘i|bIG4°¤ÉX	';K~­‹²ågÔ4‹ªf]4›Õ*«ßé¡šS‹J¤u[T¥{‘c;ö_6«¼cÜVd–=
è0Hé˜írV6M>ÆMLîK›L
ØQ<›( Jp­GÏƧ:|6•=›Ÿ†\8=“ºu>#xß÷,¡FêãÂuTÒõ=K*dq¤'ÞSÞ)ÛÈc
œd"l—Ô¾-Šéb‡½‹í Å.óÆ?ͼ;GÛNøù­.Ú6/FŠ4͉Ã𨎆£²‡ñý¡]²3”ý%‡¥·äM¾fufm>ë«sž½¢ïódüL-Dlë³ëH…"JLxBGÕ9*«£õp,LR0b×uÕVÓj¹X‰P&éqá:ªéú€…œ"ü}ñ°J	ÆX`‰d§l¸¢É¹.>9G`ÜEG\Àæù0WŠOà±Ü¬&yMC“¼}Ëó’&$“g³10HEœÊ¸;´ÁP@âeWÔZyál86ÀËHJæ §Í}Á(E]¿èÉ…k퀃î±ç»Z„ß^^âò„V”¤¤ÖFVì@d5üoq'.Χ4›é4ošªnâ²Ta8ã8ö©㸣²8®p9UDãįV³üußñB®‡ñqá:ªéú86B™¨/ÝS—ã ¨¤bxJ=jª=ŒiNè°%iKP'œ~J
+·oåz›"£w8ÃMÍ*·NYµ4Íø~-füzFú
+}Í€R•jgø@Y¨‡IÒ?yr |b´É&pl
+Àª…!Z°/¦9&}á}ÙQ¶|¥§ÜÀœˆ¶ê¡ñ¢éÌ{R¼gïo¿éŸjèÎ&•™MWaˆÎ“rwh¦‹¬Î¦­u$@G`ÊšZ
+¬L^•mV”|ÈS¸›e-3Å€‹í„Wç|FŠ@‘Íú¢ì¥·ÊOoÑM)ç¦Ð¨q“Ù’ÈÓîëR)ƒ`׬K>…Ù€*
T~J9„å¬ÀHÙ%%YÛ¥Þ9R…sìRÏÍrÖO2pϽNõkª•¤OuØëtTÖë4CÑS
+™m±ië¼|iûÑ3‹Ý®£®çuD…}ñvÜŽt•(•
V2;₨”ÚšaÄØæRðB5]Д~ЄÉd¶„Ž2èTà…ÑD@uœö1:ÝÔ¼b»ä:æÙVNºØ”I(“4í;öm:>ÖiÀ¾0
¼”
lz­c«Ó*&8Žnë´±›ut€9Z¾TP-VWì¹7Ž)·ÓŒùLxéê5¯ëb6süm‘+âÒÎ|î*ƒþ[Ñr-÷tÿóKI©¥{9 ˆ}÷‹nËu¶²gx‰‡œè®4òîáúãø/\Ùðº7wÈžŸŠqÓ¹yw{Bwý²ñd-Äàëdp¢^ô©[gGe­³Ì!!£s™Ìi&èy“ô¸XŽh@,Íà¼c¼hí‰uïIíJqHÇéh5W“ÛyÔ°”Ö"HÂdgG;‚èH€3陕ÖmaéªÜYúúÛóÝÇ/Ÿð&ùŠ†¿ì
*d
+g„*R"’r'»züâÞµõOä*§È¯œ"®œ¢žb;„=îjž×Ll±†­c™MŠeѾ÷g³
Ì—­U>¯9
+(¾É‚1»è@YÔ]™ly{(ÏËiý¾æ„Ù†;&8Qù{DGÀÎDë¯'ïÀ—ùk¾Wô§±Hu¢Jåhö¥ê!-R™šžXCTùdóòÒ¹$+•èn
+;C–FB«µ‰Àhâø|ÿpÿȾëË×çû/Ox‡³)Â$¢{²6·Ø°'Ž)»ÆüO¾âilšS6­ˆ¹†Áx¼•Meaòø{x¸¹¡ë½Ñ»»‡‡§'A“XãádÇg§t‡‘Iªh†ðÆߢæâ¯؉xM_ xEa&f㙢„’„·E7Ȇ'3Þ]e?;Ì›œ_ÞÞÄ÷öî´Ó‰Ü««Š$}r¢@aóš—XAnEÒöjgšÍtq|Ý¢Žxî``4AsS1;*°Ž
+HLh6ÝW”?íYÃäÅûÅ¥"WŽ.V•U—Fo]oÖõ®g÷„o¯
+7ÔR œ‡AIü](V=´Ój…
É’`ô=Ïj
+#ì6§8x:§dD†::/0W³³ì½±*†S~)!t[C‚‰ež­©gÃpÍt+¨:Ì´¿ºêÖ“–óXAÆÿÝ-ïI‚ô®ÏQ`gS«¢­X0\†$¨mæßU#X©þóÒÀÖZ`Ùö?Px|µûMÂ?ïkŽw^µÐ@’[Î_j©ÄˆHºhŸê°î¨¬“þzòrBGþ¡šÛ­ìÖ”‚¡ŠË×Q
Øs×iãÊž€ì®S§Ú$µÑMìÒíg˜Ìh„>"$)çÐSÎ/`|½™,‹fa›îù7Ø5£Õ_Ïím
+M[ŸËB\yE¬[Ô¦&†\âÍŽ÷į†:ÖìçÁ!•ÓåfF ×ìâµssÚŠÀ/XàÅÇÃ^»ùÌ6cd÷mÖȬí86rÿÞÛp¨Wls¥“c¾#Çø3µ]*
}ª‰A"ä4à+'¶w×&W{wà;çoàËê
›Ãv(†&:aÕ;pTÖ®O~U;f‘€ä28.^G5 _ÏB	#¤	=ù3…qטư`O%0¡³ƒ•µìîýŠÚ	dèñðó`$‚¨Äp'&w·Â=Qœù{8ñ$KNbµs‹¿…{3ÞÒÄ™OìðîÏa¢FŽ°¢YÆ5ô,®C£	×@B¸F‹ë@¦ŽWL¸ö׳¸†¶Ã5L®a°ãÄH†##ÂñÎÿ×q, ï8áÞ=¢#ßñ™È‚úçaPK©ôƒjHWÃØ®#Ú—nÓ¡N’žxéÄ]&ÒA:!׎­ƒ´OEÀKø.0!ïÐœ0ó×ê»u>Ú:q>Ü­*½Ç[9P'rêD$:
úGÁ?È^^\@wW…}	2÷­»%Y.ûËž]x)Aç,Ù,üŸ6ìó`ïï•l%ȱ‡~v…§þÀHvuÏÿý“¬íOÏÂÜBrà‚q¼2ŒœP¨]¥£}“ÁËïHÈþvžušendstream
+endobj
+2063 0 obj <<
+/Type /Page
+/Contents 2064 0 R
+/Resources 2062 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2032 0 R
+>> endobj
+2065 0 obj <<
+/D [2063 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2066 0 obj <<
+/D [2063 0 R /XYZ 56.6929 281.7838 null]
+>> endobj
+2062 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2069 0 obj <<
+/Length 2171      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YM{Û6¾ûWè°úI‰Ä‰Þd[IÝÄNÖR¶Ýmz $ÊâS‰tEÊ®÷×ï>(R¢$ïnr ƒw^ÌÅþ³A"	åZb-ˆ¤Lfë:x„w/˜“	½PØ–ºš\¼ÿÀã&ZEj0Y´t%„&	Læ¿ï_G÷7·¿^†‘¤Á¹%¥ÁÝðþÛð³ûz©£`øq4¾™ÖB€B1Eƒ›ûñxt>ŒþñåÓèò÷ÉÏ£IcVÛtF9ÚôçÅo¿ÓÁNðó%\'rðPŠ£ÁúBHN¤àÜϬ.Æo¶Þš¥}P™	5A˜J™ôFáÆ‚!dܱ>À¼ÞâAß²%©‰J¸å(1Oëì}¹XTY½	S”ˆXñA{ãó©ûxkW¦$—q×ÀqVW—!ç,¨—™ E8¢AYØ™—e>[îIý‘½ÚAî×—vÑÔ	l.YdunŸs$äÁpQg+X/Óz·ã0”}ú_òÕÊŽªºÂ&øMÉX(0¢¥ŒÌ™òb¶Úγ¹ed^اьƒ—î†Ãé¶vBîi7ÃQQº©©[¶­¼F<)>«ü±ðËÉ¡k”Ö„‹äµÚRÇ©ÕHjÝôP‹áí‰ßB-A­“Óæ5R=öu©¥	„Ö5ÐR+Š¸ƒ–Z8BjEQä©Õ‘2®ÇAî×—öi\‹æÙ*«
¥8ežRVRÊï„NŽ’½ÎË0*œæUY<‚Ë)8PÑsÊF>Ï‚7pÍb4øN%½uZ§¯v`/Ã:õXɧ²ÊërózÉi—åKöÆÆ" °	³4Â4w`1#A4UÙ¸„I­Ì!>ŽîGCŒÐ“ÑUöiôϱSÐö(
’p&ìúe™Í6;©HƤòt+ª*›…p‚ÇFº­Hî„gåú	ˆŽuPmg³¬ªÛÕjwÖ$¶÷2¡ÁÓ&/j'›Ú©ª†¹G;U.윅&åfmMƒ9…±fΈOü#ïÒ4}—ã¿£!û‰Hj·ÀÔã>†+"JH$¹ê ªN‹yj<èˆRnë§mí˜1Yb£ûÝ3õt˜gE§4š¥u^ºÙæ¤0†ƒcŒaËÔi7d›Ô\”#ÙVj`GœD§…¶”¹üL´‚aÂ[ºï”Å1‡'•ˆOïÚHnÛq%£0†ÔÝÙýÙãÄHA½Ó=æ‡é:;U“X3uª–Ô	¨¼Ôy¨NíÚ‚jÛ~¨ÚÛéû‚Z"@Ul×Ù&Ÿu"”}T@ÜeÍ…l¯LWå&¯—ëãCÜUÎÎÜ’:°—:ð©][ïoÛp{Ûc…G„lj:ËÆ],ÈÜ•ÇŒâ¯ÿ¢,k1žØœ Q)d	a‰’oŠÑ1…EÚ7³¾MM˜æ\õ‹)òd€f­²Êmòi½´x…*+2MMÁ„³¶Ž¾¸“6œû·6¼‘¾p­8‰it$Z„êð “4ïÄäY	Í‹}¸Ÿ¶Ó•'4êkåYˆá=61̬ǃ=csh˜ˆ£¸Éýæ¸õ{ˆÍ58'QQÜõèd™õY	¹6ŠýfG‚°¨õ¹ÍºK*Õ²ÿJñcÿfÿ†šÁ,=f¥Ït8çªzT‚Y
¦# 0ÛX·Ã,0 léW¦v²£¶)Hú¹k"fõêÕªÂk€oóvJþv{ºÔ¬ ÍJöXpýùÛÍÈgUzµnV=ç¡…Icæ똭É>¼‚µá­ÐVOÙÌf+g.ÿj^aï”DÁsj˜/§Ïy¹uËá>oaù«}ånlUær*¬‰M‡æÔyæeæÖc£c‹ÁÞD±.`Ëô9kW«vìO]uó”mÖyUAôïÅñª'õ) ÀdòGc¢„ö! ÿJ‚G êª7yDÊ&º¹(Ä2°Õ‚«]ádß™šÕëzÕ&âŸY1Û¼>Ù¤‡ËG:PÔ.v7óÓÝðÚÑãÃʲ÷ÝtÑJü¦7(·ËqQéöµ?šQûçdV@{Ò×7ÐnÃ0úux÷õóè|ƒ0Á¦‹cèÍ
z—o$ôó0Èì|j±J©©U9
nÆC;k­å¾Àõ_pf^š~Éú=éøáUôÕJöWŠ=Ö¢¯û$–Meƒ û„„›-ÊÕª|±U6l	*ÖUüQnWs;?uâ@öm6ÿ±Ç¦0RŠ$ÌÈ»¡¢4Sû4˜‰©}@nÂIþëËýÈŽN±¹vª	_Æç»Óàwéš*Ç‘ÃN㠄ÞªïÈ{·ýSËHòŽRþ.RLÑóöÞšt!}À¢Â÷‡žò&PÒsööÖSë]îí”5fÇÌnèCÂaŒàH™öÁêÈÄ0üŒ¢>Ä ckÚ$ãf,¸ÆÞY²ý’¦³ù‰ÚƒCà£Ê§¢Þ›6B.XoŽG.]?¿œÎøeÓ9&ïó«s!×í¯Z	I´ôF]ÝÞ»OÚm8_çEŒLk_ô>d‹Ìú®˜9RޥŒRèЙ+¥šhrI“È>\[ÐÎë}²#zà¿V—ù¿«ûê€ôü¬º~sè”KÛ!~ømòÓ—‡óž½…‚}Sd.^Œ_+(ž\õz
ÅF¹©óíz·/äv¡|Jë‹ìç+¢ /PfŽ+›ì¹ü#óu˜F#m? ÞC3qÄ0M¨ŒX›r–F•m–¢(v¶z£›Hf‚pt›úï&¾wu±Ðþ\±Ë¥GÚV0eèiiƒþÿýcÆ®ÿ1áIë›H·µ„~•sèNœQà¾oºä	z2î±ý?öÊsendstream
+endobj
+2068 0 obj <<
+/Type /Page
+/Contents 2069 0 R
+/Resources 2067 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2077 0 R
+>> endobj
+2070 0 obj <<
+/D [2068 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2071 0 obj <<
+/D [2068 0 R /XYZ 85.0394 644.0913 null]
+>> endobj
+2072 0 obj <<
+/D [2068 0 R /XYZ 85.0394 395.8255 null]
+>> endobj
+2073 0 obj <<
+/D [2068 0 R /XYZ 85.0394 249.7608 null]
+>> endobj
+2074 0 obj <<
+/D [2068 0 R /XYZ 85.0394 188.487 null]
+>> endobj
+686 0 obj <<
+/D [2068 0 R /XYZ 85.0394 150.7575 null]
+>> endobj
+2075 0 obj <<
+/D [2068 0 R /XYZ 85.0394 118.2791 null]
+>> endobj
+2076 0 obj <<
+/D [2068 0 R /XYZ 85.0394 83.2494 null]
+>> endobj
+2067 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2058 0 obj <<
-/Length 1422      
+2080 0 obj <<
+/Length 1617      
 /Filter /FlateDecode
 >>
 stream
-xÚµX[sÚ8~çWøfÖªî¶ö$¤KÛ\6ÐIûà‚OÁîb'Ùüû=²dcƒ€i»LbÉùtîçè“Ã	b0S<ˆGÌ6=,áo{Äa¶QÓÞ›k
-)Ie0]´hÅÇ1	¦óÇþðþ~t{5þ{Rûh
-Œû7ÃÛÃöÝý@Ñþðíh2‰Š	Pd`÷¯n'“Ñe8M§ã›Ñàóô]o4mäjËN03BýÓ{üŒƒ9¨ð®‡S±^`ƒQŠ›	ÎXýfÝ›ôþl¶þ[õÙB°‰˜FcP‚”´c
¡d”UÖ˜¼fù·"-öU‘ ¢Ã~¥5KSÁaíõFX€ÍÃ6‰J,N|>ªQFªyVznõsþUB	zWÛÏõòÙˆûæZ°!Ââ’sCa­ŸõÚ¢:ì¨Bq)‡j¾÷dÅR§[=+óí«‡¨àHRAö‰.Üê«~]¤kmv}RÉP̱B1CÁdžÄÕhrù0¾ŸŽïn›S;vŽÅHayŒeám=d„SµÛ‰û:™ëЉy×öˆkŸ0¦ký›Ù°~¡Kw¤\i»xýu÷~te)|IKû6Ïö`Žé'ŽÀ\Ê™žÛmê<\_ZÄ0©¸Ò~’ÍFAX+6Æ]fN™R6sûÈô‹]|KÒ­]åû´ÂˆZ9wn–ge’fi¶´{+»¡”¿„–‰1î|GƒÒG>â®'ï*'N*…K¨)òQΠ6ªNìÃjP†o¸Úg	Ås~†e
ò°l‡”Rˆ›Ìï°mª=ÉÒp£‹ÝÆx³ZèÓµ	7‰ä“ì@',â@•AêíšåU(_†·#‚Bù•ò¤d
èP´N•ÈQÜmbS«w KuVžêU•&ð|Y¥³ÕÜÕ‰¥á°¹}ÚwE:×GÀ•@BQzÚmÔq4¨ÊÛƒ ¤ˆš«è$ËäaÙ	ÊQÂd—åpQjW^¶iéÉðºV€
¡ÆyÌh-¶ÉŸõÞÑ|›.Ó,Y=ÜÂPõ1ŽÙ·P',\£*?û¢œ Æ#¶3vBœJD#.OKÖ <¢u‚œD…ìŠæ‹rýåi¹l|RIvÜfÐ pÊù›µP'lV£*›-ŽFå)–»¨<`éÊ6Ëë¼
-ª™±&}­­‰Ný;ìcÙ¿Lž
-]xn~‚#Äã¦É9{óK¨Î„;tU€[ÅÉ.­'0uYol%…»:a^Éì*]Xtb·6Êí:Y×…;%¾¨ëMRÎVÆÍÕUN$6nËÎ]ÞE²^Bb•«ÍÞÑÔ¸ñU÷JoN~ßER=”)Øö¾¶ž™ŒFöìðÃäÎcR:û„Žá4/ÕA¦Ú¡G‡Øs¾¸ß:-”c7ß@ÿQ”Û*¾}õ Úª”Íœ†7Iö”¬=b#*AKÞ'h“ºØ^(š^ËCCó¦£=b?¨³±’ªÛð?Nÿ¸{8o¹q…9«æäµ(õÆÕ‡Ë<+òm™>mv|9”0Ù4X
-ÑØÑÙÆ4m¶óá2ÝTé`°0IÙ»M6Ú/£0©ÎðQÓ±ÒÈIZ‹|xù¼©e]&ó¤t
é¢ö©Û7í¶;~¾<;§ÅfŒ ?3¦í(œ˜ÒÈg'7ôlOU|Ç¥xªº??ªÁ@ð&_,Ìu|HV
-(ŠŒï“þ²²“¦W„ƳSˆþÇ_#öÕÿBVì“]œà»²|×ß±}d@tóÅÿ¸É¹ŸþX³û*Å¡Çã#m*ÃÜŒ²¤ÊhA¨Ø½ù¬s(û,Uöendstream
+xÚµXßoÛ6~÷_a`/0±ü!RäÞÒDéܦI»Û€¶ªMÛB-ɳ”dùïwIE²imWˆHúx÷ñ;òîH2ÄðG†\ ¡¨F*D>œe<\ÂooÄÊN(èJ½ž^]±h¨T§‹Ž.‰°”d8½F:
xty3™ÄÁ$žNÇïã³€(Ièèüî.¾¹ÿ}PŽAd1½?¿ùp~mÆîΈ½‰'gŸ§oñ´ÅÕÅN0«Aý3øøç°„·Œ˜’|øŒˆRt˜
BÎs#ëÁdðG«°ók3ÕËÁˆ2A=dP2$)Îi
®`”5lLžóbS¦åîRA‘l1Š”CŸiLSààB!`uT4°Bâ󑓪QÍó²Ô³`«‹¯ú,à€ÁjûÙ5k¸¯®Àö‹"2
¸Ñ°Özm¤zæ¨BRJ+Ôê{çÑÇ8’‚s+:O·zVÛgN"A9ÙUŸTªóeškƾX«qa[_õó"]Û‰}'æò¨æI¤”0„^Æ“‹ûñÝt|{ÓÎz1‡‡7„‘ò°oÄ»‹bL	‹n{FäH'óª¤þ{¶ÌÀ5OÓµþµî°Q©+;¥ZiÓ¸ÿ¼}_
_ÒÊŒùŽ˜ÕGF‰U0×µæ\ÏM7µî¯.Œ
+ÒX¥£$Ÿ×+nAK¬efSéÒõÄ|rýd›$ÝšV±0_†»ÅÙy³"¯’4Oó¥é쵦â)0Fjrç/:!#äó(î{ò¶qâ~豧G\ÎÉ®”‹ûG²•ªí«]“B ¬¢&ÇdwKEáH³fAe²´fº|éÔÞlúß´B9	Š—'8éHáÄI5œ¸¸Á»qB6W¾°ÑÅFhˆ0Çô8¸Vʃ®û ¬a‘¿obNXwûžfóLÍPsZàû´Jg«qÿæNŒ+[˜¯+Ó¹>ì‘¢û¡#uÄNªñÃvoo2ó@ÃQ“NÈc²î$ãˆôMž/*m#ÁÓ6­<Ý…àB‡FÃXV<ê©Å6…¼¬Î?Èp(!1!Ž3Ü•:Ìp+Õ0üèÛé±0
+w3n˜Š Dô80'äÖÛä*¬x™o“ë/Ëeë’ØaÊêKF'{:B˜jøŠý|IÕÔKýäß‹8D HÅÕ
+íë¦PÈ8é!ûPêºÒ†.¢¢Ñ2}Ô¹»Ýè|2¹6ê_ªØ试“™ÙŠ¹é=¥Õʨ¹{w1ù…3\>l6Ŷ2´2s½HÖµ»û…Ý̾–uzn²2d@šÍʦbo«³MeRždºxÚmàr†L¹ýºåÚPFsIىБ:²œT³‡‚ÓQ“mpÚ7éN=“WECʬf“D˜m¤ôoЗbt‘<”ºôÔG(”m
}²„\É;ÿ
ß`­±dšÆq˜Ú`#&¡@ÃRÐÒÍî«[éÂH'¦k‚i'kWfÚùðËÆãÐÎ’j¶ª{³…ˆ p‚Ú©WÙµ{(Y/!¾V«l§‚hSÝø²_àµ3¿­l u+,vêðI›¹çד[¥þJ-uþ	*	ÿÌY«®êL”…˜¹²ãõøÆ®BYsóªÑ²Ú&øÍн^h³¤|fWø>É’µmF…p%¿¬VÛLå
ëÊÛ£/$ˆ†íé
+.AJ¨>禿ßÞŸfnœC~Î]Þœ<—•Îl€¸(òbSú½Ø
!“	Wn‡p{•p¯¦0\º¬/ ÐTiÖ‡¦4ˆ	f°Ý$™ö#cp—¶*ÛÑcò:¥‘Eê ï×` Þæ´LWÉ<©ìõdá|jûíåËN?}«8õ 0Šÿ‘W€Ž†ÃNÈÇSÿ
+쿳÷ß¾ãÎ~wú!.‡¯ŠÅ¢®ÉöÕ
+!‘í]ÜÏÿµá®Ú{Ú€E…D†ýø÷]°Ç?öåÏQ»:ú<ÔŸômÏC±—gQW¡4êóümO:‡ß;"Ì©ÿ<ç
+·gù‡ß_Sâ”> endobj
-2059 0 obj <<
-/D [2057 0 R /XYZ 85.0394 794.5015 null]
+2081 0 obj <<
+/D [2079 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2060 0 obj <<
-/D [2057 0 R /XYZ 85.0394 748.1793 null]
+2082 0 obj <<
+/D [2079 0 R /XYZ 56.6929 748.8989 null]
 >> endobj
-2061 0 obj <<
-/D [2057 0 R /XYZ 85.0394 678.114 null]
+2083 0 obj <<
+/D [2079 0 R /XYZ 56.6929 686.2194 null]
 >> endobj
-2062 0 obj <<
-/D [2057 0 R /XYZ 85.0394 593.1286 null]
+2084 0 obj <<
+/D [2079 0 R /XYZ 56.6929 608.6199 null]
 >> endobj
-2063 0 obj <<
-/D [2057 0 R /XYZ 85.0394 365.8527 null]
+2085 0 obj <<
+/D [2079 0 R /XYZ 56.6929 351.8621 null]
 >> endobj
-2064 0 obj <<
-/D [2057 0 R /XYZ 85.0394 292.8225 null]
+2086 0 obj <<
+/D [2079 0 R /XYZ 56.6929 286.2178 null]
 >> endobj
 690 0 obj <<
-/D [2057 0 R /XYZ 85.0394 246.9241 null]
+/D [2079 0 R /XYZ 56.6929 245.4515 null]
 >> endobj
-2065 0 obj <<
-/D [2057 0 R /XYZ 85.0394 210.8582 null]
+1581 0 obj <<
+/D [2079 0 R /XYZ 56.6929 211.6394 null]
 >> endobj
-2066 0 obj <<
-/D [2057 0 R /XYZ 85.0394 172.241 null]
+2087 0 obj <<
+/D [2079 0 R /XYZ 56.6929 175.276 null]
 >> endobj
-2067 0 obj <<
-/D [2057 0 R /XYZ 85.0394 96.2889 null]
+2088 0 obj <<
+/D [2079 0 R /XYZ 56.6929 106.7098 null]
 >> endobj
-2056 0 obj <<
+2078 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2070 0 obj <<
-/Length 2782      
+2091 0 obj <<
+/Length 2859      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZOwã6¿çSøçMÄŠ¤(QÝSÚ¤Ót6™´q_w_·Ù–m½‘%×’“q?ý‚IQ¶ìLÿ$Q ‚øH™ŽBø§#“8eé(I#"B*F³õE8ZBßûjxËø\ßL.¾úŽ'£”¤1‹G“…'K’PJ:šÌCrÂñíãóóÝ·ÁóÝdrÿpwÐTR6¾yzº{¼½ÿÏUÀDÜÀ†ã‡›ÇŸoþ´§«ØÞß=_ý6ùáânâôòu§!WJý~ñëoáhKøá"$<•bô
-/!¡iÊFë‹Hp""Î-¥¼x¾øÑ	ôzõÐA[Ð0³c0:¢”¤B°ž5DJbθ¶ÆíÝó·?Ý?Mî?>ªÕè1ÃQÀÀtLJÍ<¯š&ŸMÞ¶Å:7üÜãO`a”À8ž½¢rœgóæ*àÐÊðVWíd¼Ù/Y›cǧ|ÿ…!+
1«æØ€I¯è؈jW‡c@¡¢Zb{·Ù+”èÜHœî;az)‘¿ôÀ®%p&„%O«¶¸êëa,O­Y‚›@ÆOÿ€ŒŸ¿@FÀÕN8ÆPVÚí4A¨–¥Þ´E]5jG±h<Ñ>éž»àm–UªÁ”[*$M
ã®Ñ®ƒ>pÝq°Âö%4v³Ù`-–Õu5­	IÃÐi·ÅYj˜x‹Ó¨±*ª`è(à’™Ä©
D“¦^´¯F:¢C[ãsž·ù‚Ò_õrT+Ç]Õ(šþÀ©±ÙMË¢Yåók'UÓƒZ|6«zWÎûÑNªµ¨
»]‰¯€²Š·3¢W©6|HB	½ºûЯR„XÇP@“ƒЭH/ÌSmWì­Ü$Ìêõw5PËBëÀ)G{•lqÁ㯞„ šœZ§6ÅzSîq.›ªmP	£ñ‚¦ € «YL˜÷ö~§Úˆ¥…7ãƦ­‘bl_w멬Ã)¥ãKGZø/,5qÁ|Sd\¥ÂRõÖE¼ÌVYµÄ0á|<…Fˆ£f„rœy0Ë&+¶vmó$&IH­>TðGÞeYö®PDIØùví¨a¡)¡‘èKFD4!q’Ⱦ¼Ymæ˜9LˆHc°*
-N=›©l/ó*ß‚˜9`R"’ñCE©orH¾ýá¾³Õ»r¶zb\A£ËlFP™›9n¶ÚÁ.pµNå´Øøʦen!¥™m½Ý êÇX?F-²dec°eSf³ÃU2×;ãdØê†]…Ý£^iÁ1ðeˆuÂG]O—G”$IDªH.g)ð¹l5s\Ú9.ƒ‡SÆœH)äù)-ÓÀ”=d‘DÆ	íOùÆÁLK‰²^šŒw›¹ö¾¢i'
ûཛྷÌë¬Åw400¼z穪‘â¹3•.! 0ÿr%äHFP»Ò‡qÉ×pÊ“ˆDª	„f§Å*ðú¬}
—ûKÈÄJ!8º_®km.ÆÇ—¯®5w­•mé5©ÑëÂ’ðX¯¦1ó%ýUPczxBaºÙ¡Í«0Ãöy¶5J©˵•¼vtÏ©â.•úÝnu)¤Î,ß,Z}Û¤»5d%®½;©>Ç
-HWŒGCGÿ~ª¨fån~òžäÚÞ™MmÜv2ªº=uÙeK*u×e/ÉNGƒC_"Þ8ƒú\g"Ërù·»gŠÛsµU!xV=Ç5 _/°¢¤pdí+ˆ‘Å…ÉKªaNeÐÒ·upì2‘ÕãÂã•B;¾ÆçÔ0d
-‚ÌmJiÂ
-QdçR$é€dspC™R°7drp× W1Dëû‹aBu¾Q{û\§ÃÄqùø‡a†”}IœE‰8¯ŸãPð0N"Ußõ44q"íÕ­mœHD õ´qâs¡7¥¹–hqåï©aÀ”õRÂ{7€)ÒB
"%¢ìH6µ‘"Ã.R$‘,=¸§€dzåÒ…Jã'M«J]÷GHó§ÑÊÅÚ±Œ¿}àÀT
-ñFôy\g¢ÏrùŸ~þHU¯©cýAª§ I±ùÔ§&ýAK§?xÚô×q%&¥°ãk|NÍà]åR r}ì`
-Åè[ÊH…oœ¨=¦Ó¡f™üÏ‚ýHSŸÇ“/‹4!  8§›c:V®g”WÒÓÎ`Kð›ŸÁ8ux©ði1ŽYâ44Æ©žߧ†až—9fBÁ¤Ã7-Bã›b1™0¢Gr™ýÚ	DW.ÜR~ô}ª~Ñq%¹þ”6€%·Õ!Ž‹ 
-åøñãäîkäþïdïn®€ŒPg»-Ò«¶ÜcŸY5¾d»¶†£~1ËÊrÿ¯Þ5ôšËl|)íý½â¾eÞ!5^´êO¥[XŒ»h«‡,víο}›«›’z£îÈ©q¨äÉkè®Vþö<º_²D	 ˆdÃÁg}ƒc«”²eññV6?9ÖýÿÞµendstream
+xÚµZQsã6~ϯðÌ=D™YQEé1ݤÛt›Ý½:ÞM¯²-Ûš•%×’7›þú’¦lÙI{½äA‚ ð)óQÿ|”JŠ,©,f2är4[_„£%ô½»à†gl™Æ>×·ß|'Ô(cY%£Ç…'+eašòÑãü×àæÓ§»·÷ÿºG2¾eWc†ÁÃ͇Ÿo~$Ú§«,
+nÞÝM®Æéž»àm–×؈Ð-5‘¦†q×j×A¸î©°QOÜl©å²þ£©¡ª×¡ÓnK³40ñ–¦Á±ˆ*:‹”³T%Ym³èžr‚9…Ž®¡ç¼èŠ-€ÒŸôr°•ÓCCeÛ85#6»iU¶«b~í$jzPGÏvÕìªy Ù	[‹Æ°Û•ø
+ UŒè¢›1½JØícI¢ôêî`5Z`CMZK"·½4OØ«¦·vˆ0kÖkÚÒ@­J­ƒà‚ü}ìÕH&LH‘xõdüI )¸uj[®7Õ3Í‘¦Ö”0Ú/h
+ru”°(•¼ïê=Nµ+یۮ!Š±}iÜ­§²çœƒ–þ…àe‘Ƭ#W…ßöˆƒ—Ù*¯—!‚)˜P5#ÐqzäÁ,›¼ÜÚd8´ÍUÂTÈ­Þ×ðÇÞäyþ¦Ä?†’v~»E„vÔpáã±ìK&Ä\±D©´ïoV›6f“Yb«âàá̳¾P{YÔÅÄÌ!&)©‚‡}(Ê|“Cæí÷ïèl|® ±OkFPU˜9nˆ¶ÚÁ.ÓjʽÕZ|åÓª°!¥mK½Ýˆ êc¬QYòª5±eSå³C€â†,ôÎ8	[Ý°«°{Ô«+ÌB±(KI󺘘ÕF!%”`2á,‰¤®ëÓØç²¥Ìq]ç¸tZN™E,Â:çì”–i`JX¬C êMùá`†ÆB õ2ì6sí}¤i'úཚ!0¯óŽÞÉÀÀðTꤺ!ŠçÎ,ux AUür%%äHFP·Ò‡q’¯©P1‹E¨^NÇW›¥¢Í§²ªÇ"y©[Òd8¤å]W¬A]Af6¤[« -'RU,óÙ3‘ö<¡×åk#F¯GÙõ…LÌž3ãu·ÕNRéÚK3³¥:½m¡»¬],öGÐWIPOعl
+Ҷ7t)¹ÑlËeYç‘ɳ@6>iÐå÷0èˆTQ!„\À~Ù›Ó”¶:‰(¨V‡´©¡èd‹]B¨Ä–´û…Qñ¾!©-ìv³ÉÁéìÔ63	€‡|v›ú\§·©ãÒÛô=
J5/lÃ1Gf–嶘Aˆ}>ÔËŽAIr^9Ç5 ]¿nŠz2ù‘^HG†©S˜BÉPmÊ
+S¾Q°G1ŸÞ¿üƒs"·»Í¦ÙvôRvÄ1/ù®B§éù¢nfŸ[ί©ä‹”ÇR%?dOCê|]ôb…ƒÝJ6–Ôæi—3P§£Ž¼©\£æñþáþÃ;ì•nV>¸º…|d“•®lTìòQñÕf:‰B—Ž—ûLiS*uþþno©GŸY=ê÷ß?^hþf}°ö~Ƈ¡HtAIVmj€kYÔ³Âå¤ûÝlu~Þ²Jÿ‹¦ªš'­;Oôõ$½@í‘ ëT{¹†„v§Åbûª}
—P¢ÚFQ\®jŠàòɵ段²-½&½.-‰®wp3Ÿê¯‚ÓsÚˆ;²9p•fØs‘oRxr¨'TUCŽ'?¥H$5¢xuó–^æùs«M^^ÖPÂé°
+U‘o¨¥'ã¤á[7u·2Bû³k’›/<1'ê©(>Ûé=M߶Á|‹Z—5X¥½îE‡
)æ*WIœö7@¾ƒ¯2LÏÞYÒs†WÁ!¢©õÉç{ÄÛsvµafÅJöÚÝTQão˜.Of0`a¡/Ô@>×éæ¸üûÜ3Õý¦YhK¦±$bIú’~Žk@Á^KK’Lö54É?³®I3{’>dû*4¥ûÌÖ ð^ÚÑ
=§Fˆ»]ìw»IðvšQÜ,:}í¨»uÌ6J\{W{vRÝ ®V‘CgFÿ¢²¬gÕn~òÂìÆ^žN-p÷2ê¦;uëi"^zÚTyZx÷¢’N9>×hY.ÿšÿÌ)ç²b&$OÏ«ç¸ôë#+cBÞWEˆ9AKi…-}mçoƒ¬³1¤Øñ
=§†!Çd®ÕÈ@$dçB¥|@²9Á“L‚,!UW²}¹³Ã‚\ß_„	OÀÇ*Sçaâs†‰ãò¿äÂ$yôœ¦|‘Ã0!¦õú(I™R÷zú”¤ö?
-JRŠ?ø´(ñ¹È—©ù$’½ÑÛS¨ 
+jRÒúÒ|¦Xˆ%*©5vB€JÌ£#ñÜB%
÷PIY
+¥|*äD¾\:¬´~Ú´`òº?
+5:\9°Ëø«ð‹"ü›¼?ëü,—ÿ°¿ò•¯A_Èb•ˆóê9®ýúø“,–Jõ4ø6J@Ã^"üÅâÏç2·œð‡=

šSË›»t¿”ÂP8šõmã|{Ûȃ¶sM‡EÉ$çª_ˆ¿H׉¯ü¿%@|¦RžG–ÇtX–ÉÿÜkø›õºì—fYzV7Çt¬Üaîƒâ‹÷´3EC¨aŠ*<¬èq‘+ª|.óÙLPY…=
=µ`м¨
+J|øQÑVNZ„®œÌL×ôñíX®ñ/´j#¹jêe±uI0ûï’„¦?žLˆÃ‹
sëüÙ„ëÜ<ý!ˆ87M[êûPlû¶endstream
 endobj
-2069 0 obj <<
+2090 0 obj <<
 /Type /Page
-/Contents 2070 0 R
-/Resources 2068 0 R
+/Contents 2091 0 R
+/Resources 2089 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2034 0 R
+/Parent 2077 0 R
 >> endobj
-2071 0 obj <<
-/D [2069 0 R /XYZ 56.6929 794.5015 null]
+2092 0 obj <<
+/D [2090 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2072 0 obj <<
-/D [2069 0 R /XYZ 56.6929 751.4229 null]
+2093 0 obj <<
+/D [2090 0 R /XYZ 85.0394 752.1018 null]
 >> endobj
-2073 0 obj <<
-/D [2069 0 R /XYZ 56.6929 581.4086 null]
+2094 0 obj <<
+/D [2090 0 R /XYZ 85.0394 591.9521 null]
 >> endobj
-2074 0 obj <<
-/D [2069 0 R /XYZ 56.6929 367.4495 null]
+2095 0 obj <<
+/D [2090 0 R /XYZ 85.0394 346.8082 null]
 >> endobj
-2068 0 obj <<
+2089 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2077 0 obj <<
-/Length 2232      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Y]sÛ¶}÷¯Ð£<ÂñA oŽíºêmd×’;wn’Z¤l6©+Rθ¿¾ H
-’œv2ÁÀjwq°Xœ]‘†d$9ÂT±Q¤â˜ðÑbu†GÏ°v{F¬Là„‚®ÔÇùÙÅÏ4)¤D(FóeG—DXJ2š'ŸÇ—÷÷7ÓëÉσãñGtpŒÇŸ.§—¿™¹ûsŽ/oof瑉@Hj1Ç×ÓÙìæ*˜Mn§ÿ»›Þœÿzv3oë:O0Õ^ýÿìóWˆŽˆ@}DéqtºR‡Ñi¥tÖ&l8ïHB¸JÅ©
›«‹û‹Ë‹‡‹Ç‹ë‹8χ.)××⨭”ÇÉ.žDÄ!Uô½t€†QO¡Wët‘}Á8\˜éN8ÂêkœoS³PnÌ'\³V.~£‚Cq8ž¿ØËĺø…p›$Ñ…Å!×wŸ¡0ÄÒŠ”ë:+k.~3–žÝ£€
-Ž„F9h³|eYæyù½¹FŠŒŸÞÌgYèÝ(lv+9NíòÒ|š‹ª°Õbî*Ìç ÒMe…Jó™I¶€k¾ñý%kBxZñ¦3Õû¾M?ypˆŽpèÂÇ“D2bNBß ÂG
-.CÄ<fS/Ì–c‹)ÌÀñ¥<D ŸwP÷^„²ã@£¯5µÞ>圓––HÁ^¬¦Ë7/êìõ]–BHH¡íáÇ-ø^Ëoï²&à­k÷õè±€3HpE†¼¼Û¢'wf›¡9ü¡y
-ˆPeÍ_{7Ë„{›íMRúž=}·	Ï5¯Øãtb3þ,š\žøо”¾Ü@œf»Ül´î»N9’®‘Eí;ßa	£bŠ	ÈQø«‘ÝÜ/.›Ýy4ûù¼½Ïiñs,á?b7âÈCö\üù¥³Üèð;ça*ånÔÇÉôÚ(QÖˆAVÕ›¸v'ñ.SqÅÂ"ù).¶±"$
-!v­zŸ®q/ÒÃÏWF#ð,âÑÇ
-'G¦’¡H…²ðåãü—»‡cȹI	µHmðÌÞª:]Ùgþª,ªrSgÛÕÎ."´z†“†)©~‹ñÞq4„)xÉ•y§±—äi×$Š$‰z¤Ð)jœúOòlÆ»u-ÝR»º,sfxŒoE¹®²jHh
-L˜m8>>@À}M›ðqBÓUÑpæ#4­”wûú~â¯n´°„§ÿl£Êà">ë»å@dä²R«1ñhìßñ$Û¤¸o¥xNØk«4=©4-’`ÇûûOp„dØ2•VçÒ£3 <\EQ?—Ûz½­ƒe–ûôu‰8eCýÏíè¥ýÇcSóa„ýsp¾GמwEêÛ$†êòÓX®bàïûûb­ÆÌ‹4…0íÑ›Lg’W—ßsŠ““ÞfEsvMIá£GEtÓ?Oªý3Ó4Ò‚ÖËö4NOj¬Êª×M燽%˜ Aö.]éEXÀ;¡È€S—›ìùGïî¤ßîvD8B–{q¶nG÷íhsð~¸×n~Iúzà~`
ÍÚQåƒ	žr$¤0·ªŽ7õ¡ŒÂŠ".‡†æ'¡ªk_h“)HµiØoõdMq¨›H!æý\ñ9¸´VõÓÖäfãd;„ÐW/Ñ	áJ`õßîë›ÙÕäé3½¿ÍÔ¡&
-ñNCæ2•ÔdH°¦Z´qWóoNÆ“ÚL#Õ ¤VpjH	,@´›©‡‡ÙäÖÌ"¹0EoâtA
-4^O—Év‘öÍjGR«í
-`SÀB¹40;¿{÷ÀVÑ
-¼>'ãÆqÆEÓh¦‹í&«aíÍNÔq½mªcÛ]€9]<Û3o–ÆÉ•Y¶6äÎÅÆ^ag5¯_âÚÌgÕ]»(ÒSøâÆÈ´n.^²<1sZCefcÛ °<²FÍ\û€Û¦|e­Û­ª\!ÁìÞuöš–D·>2è§ÕŽç;}ñSwréú¾Î
-C!<Ì»·[wk<…“D”—ít÷'OÛö™m©Å®£æ`±<÷@Uµ !éߎNÖ׌#P›ýÊå®]©Ã͸Vª)ã½V%E”B™{Ô¤ò˜ì½*€Q¼oò¦+OðòmP»šì*s{Ø•G(¤€ãql:RG°qR
6_£ÊRJø¶÷Ú“É—ò¸g­”ǵ^¡@¡¸a˜ô}›¹f¤kõ¶—ª-oþCžÞ¾8؉à©>Þß	éŠ[¡Í«½Hãˆ3¥ŽÚs2ûözaŒ8%aÏàU¹ZC:|Êò¬†H£B÷0“ô§óDÇ·6ÖÌ‚/Eè
-MÁå賂ÀóòBí/YËn5´…¿læ1Ò–.™hûºQßø‘$™é!QÑü0²ï–‘TÊ=ÞIuÀ©>8é”ËpïÛÅÀ=¸ð^Õï‚éà )êžU/y—y’Ú5û.îbsŸèž<÷Çíò4Vªëö_|?Ð*Ìÿsn“ô¿þñn÷3%”STÊд3H¢Š8§´ã$Œ†®·?óíûþ7ø’5endstream
-endobj
-2076 0 obj <<
-/Type /Page
-/Contents 2077 0 R
-/Resources 2075 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2087 0 R
->> endobj
-2078 0 obj <<
-/D [2076 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2079 0 obj <<
-/D [2076 0 R /XYZ 85.0394 752.3759 null]
->> endobj
-2080 0 obj <<
-/D [2076 0 R /XYZ 85.0394 596.2077 null]
->> endobj
-2081 0 obj <<
-/D [2076 0 R /XYZ 85.0394 535.8202 null]
->> endobj
-694 0 obj <<
-/D [2076 0 R /XYZ 85.0394 498.7066 null]
->> endobj
-2082 0 obj <<
-/D [2076 0 R /XYZ 85.0394 462.9408 null]
->> endobj
-2083 0 obj <<
-/D [2076 0 R /XYZ 85.0394 431.7394 null]
->> endobj
-2084 0 obj <<
-/D [2076 0 R /XYZ 85.0394 368.4301 null]
->> endobj
-2085 0 obj <<
-/D [2076 0 R /XYZ 85.0394 251.2316 null]
->> endobj
-2086 0 obj <<
-/D [2076 0 R /XYZ 85.0394 166.9338 null]
->> endobj
-2075 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2090 0 obj <<
-/Length 3421      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[wÛ6~÷¯Ð£|Z±Ä²Oiã¦i7[»»Ûmú@‰´ÍF"]‘ŠãþúÁ(’¢¤œ³öƒÀÁ3ß\@1‹á_ÌL%NºYêtdbaf«ÍE<»‡¾×‚yiÑçúööâ›ïU:s‘Kd2»½ëe£ØZ1»ÍŸÙèFˆç¯®on®¾[ܼy}ýߟ¯¯.¦"¿|ÿþêúÕ›ÿ\.¤‰˜ãxþîåõ¯/"ÚûK'ç/__Ý\þqûãÅÕm'X_x+”ꯋßÿˆg9¬áÇ‹8RΚÙ<Ä‘pNÎ6Ú¨Èh¥e}qsñÏnÀ^¯uj3´±‘‘:mÑ‘4"™Þ2¥ú©Ž#©ë¶LŠ©-\¸e‹úÍ÷Æô8…ˆ¬3 ™gÉËm±jëíóxK„”‘²‰™õç=®ãšOõ'•i¤’Ôåû©®?ÒÉÜÕ[U÷¼"uAÒ¦)Úq
ÆV6R&‘Ì69®91šY>ÏG†Ò:R
-T‘ø>ı\
IXVã*%±S{9ô´9( ŸrÛÈ	iΨBë„*.¯
-÷ã)êÎL˜&¦ì¯.#£âÑ”¯‹ªØfmq¹PÖÎ_ÝÐïöRØy±ªýoÞ 1õÇï{Wå:§æßuU4Ô¼óÌõfêdŠ#Ó³Jâ¢T:{RIT$•ç•ÄDiœš’ؤRϯ>—M[V÷´ªK¶ó§r½¦Ö²ÀIfiE$“l	ÔÕ#ýøôò¦þTäGµ&cJ¬î¤Öô¹ŽkMÇåµæ퀴w?t›Xž®ãšnˆ.Šø‹xo‹g0ÎØñ&=ÖM‰¢¼¢uó›ÇbUÞ1GF? .†Ù“Úí¼)2ß·z º×Il»¡6jœµtÉüÍ‘ªº¥Fƒó¡:ù×@”wÙnÝ6t¾:´./y5?;ÀKûPPcµÛ’ˆUK„¡ÈBˆãè‘ ËTžÑƒ×	=\^>žu$°3c±lþMœ–Šy&„ê¿-e Ôí¥‹ùä3Ø+%Eÿˆ€RùFÖðï€.çMy_‘Áö¹Xo;rV=úa
-•Ý£&©æ·%^?¶e]Q{“ñËâP8¯°¾XÚ¡¹o@_ÊÇ5+C[nŠæèq›BŸq}®ãÇÝqùã^O·‹Ø;œ­7yÄÍÇà-€êIÉ:®	Ñ6ƒlèµ²í½ŠL´7ëÄÌ_ý„‘Ý¿ˆ°MT˜ò¼¤sAª·8 ’ÅAß*ö|$c{õ´¿[å<ÅM7:ž»2xîõñnø~T¤eE•‡£–&Šã†g}`ûU¶áV}7êùã:¡À;iáÎèDë„N.¯Í@0‡¨LJÑ´Ù¶] Î:ƒ|&Ö'Åë¸&ä(†]¶¿Xœ½÷áp¡‘“ªÄŠOûÊ
w>=Õ€_ÍïY½˜÷—_ Ë æGâ~õS¶.sïCr¬²*°’*˜r„¼¾*%H€þF¢Êñﲩ×;/¾4óš{IŒuÖ–Ÿ
-¢àzP#c1YsÿUMç²ç¥–—O¢‘äå¥1iÍ@Y>óüôSí6Ë ZÉãÿïÞ½òÑœÝ`)¯~øáÝ»}À‚sÌÐôþ#æ2†?ˆ…Ö›!leL>Ò~¡_hó"týz’}Gm«ÀñÎÃ*TÜ>€ŸUJûa‹dwÄ5Ü%d§MÈ˘·Äò–X¿%Ý~XÞ;ÿêݺt 6¥z¯\ÓOêPåLë¢VÿD¡ƒÇžp~Šb
- Uõd²Áxì&md!‰Œbmf
B¯‹*M!–K“.Ex¯ µ)«gF‚~êÝ–Zˆ£Û²õº~Úçx4ìº^qÞ×|,žl1Çâw͉`W<IÚI„ësG¸ŽË#\1p)D9¼“€èÓøGç'N×qMH7vV­ÖCñ:|Žý6ß°åñÍ÷ùCÂáÛ€¿‡oøÈø&\|ˆoH,>?røé-ž¿äŽ'¬)UŽ%:ù%5’¥]"Á©•Ä8C
5ÒC"àG׌ì´Q°âˆåCɯ1\uÈ„´€Lhy n u?ägqºšy˜%àje\¼`NsŠvÏw¨ ‰AÅ14éš÷ ´¨¸à¶€Dq;Ð:ö‹rè»Îy\ú8V
ZrÕ£1‡ÖÆ™@|ýjÙ_¤Ò‚‰UýôÕuDm„8ì„8¡¦ÀvÂÜÆʹ²Ô¦‡p8ø0SŽ©˜zòì™yö;ˆbøÕúWi=Íï—_¿ƒ€D}S2RWát¤-Ĩƒ
á¼/š2’&!¿`q¤„ÙÕf×0/€A3‹m³©â”K²Ý^~)ÚsÕ)tZš3…Ê>×qèí¸<ôÞM&‰UIê]û¸kwåú|=d8wZ¼ŽkB¾ap™FdË¡€>ÔW"áCt¤!Á‹HDª
-¬·…ô€ÒIxnÃX˜{z½‚öß5ØbUø¢uºŸŽ5‰^ôÚˆ3ÖôL)Ƥ’ÁtW¢ŠZ!y†dy²Çʪ¡v«”•_,ù{\,îÌqÍQ:‚8“–ô¹NhNàòšópP×L¢Ø¥g¦LSêš"ŠÁý§|¿-«–#•ŒÃ˜‡zË›Ñì6›Ì×–¦Ò8*„—}F‚
I÷»MÑ
Ü2<v@j¨·/vV
ø†ž K'Î0Õ°eNŸµëXF©;}:=®§¸üé”ç
-	°•Å2§Ãˆ
-	åÔiÙ:®	áF-l”È8J÷ï.<Êèç‘üݧ²Þ5ëçE°Oìòì[%G@YÓ„ÞŒiÞ(СÇr:žòE!l,‹~ÔE3qˆ…Æ?aÓpöNj=±o£Å.”M"§Í¨jSÃL g'Ï«uH‡Âþ)cÎŒ‡ÕÉï¨Ø2ÊvŒpVP{2á¡f
-e5È0ðÙ첡ŒÆ	¹¸WÔ§¯}àŠr[pÜwä/mà kE·X<<ko™ÌoÓPãþ˜4äj?cÆþT6Å‘W`5M™ôfÎ3×ô»äY½”Þ1àSS×Õ×T»Îª|2Òb¡Ëƒ~8Àðu¶âÔÉ¿ê"eA7:& ¬ë\Šp2ìÒ÷ÇíŸb`µWó¿v?àââö¶Ý %©/·Z1}Y´OYYÕ=kwÄK¤‚²Ò˜.¤Åæ¾:Þ_Ìqï¨úVq!åÐ~Œ‰œú‹/­µ=sèœýÒL<Ì™…õ¢Àã\|„¦	‘jñå@ŸFJªàðC’×ð\ýínBõ3k¹à±Q&CûÙ«Rªla3á$hX#kTZ‡¬ˆñûJL ÃûE ¦‘!Žâ­>AEå¹…Ÿ
›·ø;ax6Îíï‚MÌðJE-?Sч‘¥Uº7É6{:6f$Ão0šO ÆUî¸ììÌÞÛ;3´Çm	¡i¹~f2˜¤¿¡ðO”þ'¤£ðL)/¶Èä¡‘?CŒ_®è!GØæ«zO®y8ÄnñˆùnóHo$ócc·ò&©S29M`¢±”\-ð è)h¶û	¾°{Ìü°Ó[)4–×	Œ\#þ<¸ÿY¶-9ÚÉÀ“’íoE›¼ÈFa»L’ýå­LRº
-dÍòvG	iP¹>û£çw{1ö¯Ë»Ý8BxêK×D~Þ:ô+Ð_6Í.ëuh|»˜„`7ñ*4u(º4œ–’ºqð
-ªRâ½pV>1é4ÕYŠ‘mÈ0á]^¿åj:PÊjÅ‘@‹zc‚ƒESð!'¬"ò·Ž¾•€÷ŽdCøî¡ùö*rŸíoÞ»‚6}C†â›ŒÉ&·—©žûK{=û­àáÆÁ2=dŸŠáÈK~&¶^ÑÛKÄbd˺“è!\ÒgÓ5ÎPUõw{Sùx
'•=°ŽÃªŠK»0´û^@ÈaN¦}ªtÊ·ŸÊ*ÇëlÂ"#J$øSÑÕ+…äZ$0à†êMùw^æÆÐ¼~ZƒßuÈcùÔþ&¨uÂMPÃ*“å¤Ê>n(ólÏŒŠpË%Ÿºg9U]
-5á·–PÏÂ!þߟtî?^Õl[{äS™B¢á ÍBáæ	i¯Î9!ûÿû•´#endstream
-endobj
-2089 0 obj <<
-/Type /Page
-/Contents 2090 0 R
-/Resources 2088 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2087 0 R
->> endobj
-2091 0 obj <<
-/D [2089 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2088 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2094 0 obj <<
-/Length 2932      
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[wÛ8~ϯðÛ8çÔ*/¢.óÖëœÎì¤Ý&=»g§ó Xr¢­-yL9mæ×/@€´dKÎìôäÁ4	‚ àÈ™€?9ËL$tÏÒ<ŽŒf¶Ü\ˆÙ¬ýt!™fá‰}ª—7Ïßêt–Gy¢’ÙͪÇ+‹D–ÉÙMùÛüŇo®^¿û÷åB1].Œó__\}zñšûp™«ù‹ŸÞ\_.d–ʈ2$KÄüõÕõõ›W‹ëw?]ýçýÕ›Ëßo~¾xsë/…F©þ¸øíw1+á?_ˆHç™™}…/"’y®f›‹ØèÈÄZû™õÅõÅ?ÃÞªÛ:¦£³Èd*цÒ=mHã8™¥&
K¨ëú®)ºýîRfó
-®çóu½ªºzÃßþ[w]µÃq6/Ö¶¥ÙŽ?mëéªo]Õt4¾­šê³ª³ôý¡X×eѵ;Ë|š’·W»‡jÇT·<¹%iŠ²nîhªÝ3çe±¼¯Pëpõ…”QnŒr÷¨¾më]ÑÕmó¨çuTÍ40ªW4³.ß;بy³ßÜÒÙ°Ö®hòãG0-Ï•móCGÓŽ»W,}v÷ÌÌ^bÍÁÜÊíh7¼e½¦iwö÷Ù~­här·9溲–F˶¹«,^—¾w÷è¶ÂŸ'†Ê‡ïMU•¼©¥OŒ¾¼ç½}nZÛ­ý	,„¿ªpWNž€ˆ„§–
-Å*ËÆß/-úTä±rìýz*TÆ¢Á#Ÿ¿5¦ïÛ2ÊrÏÄ‘4ËíÞ&Ue
-ÈÏJ¨FD<&
'Š#Ñ®·Õ²FÇGûêØÒt³³Ñ$ú-z?·D„öÀ…½E×5y<ùH+eµ*öë\['ðæzà@k>ÖvÅ®«J"Zµ|nU }qTV]µDôµ…‚›˜lèq¯>|š´l’èHâÝÏZ¶O5mÙ@å,{5fYŒ¤)Ö¶ÅbF]¬p­
øé‘ŒJˆ(MÀÎ
-¨F¤ìYqÓ8I†bÞ Qc‘ί߿ÀA2'‘hÒ[Ç,££A«ã\çw[ˆ¼h#\üL
-&O3H>­µõíºês°ô¥àXá”4Pç"7à"ñF¤L÷Y©øKUmñ“7õo§!Yä¿™ÏÂv3Êg#§Ä*ÊUû
Àµn–»jqâ“E:ÖðÊUæ‘6©îqÝ7õ7Œ-SLE”‹,ç
'n*E¤q:Kj8kô{ªEŸìÔQ}ÒTcŠZ±Iž8ÞS?3q	•äÃó_sànÚ¨Ëzu¨{ºˆÍîé¶{¦ñÅW@
ŸW\ŸlZqjÒg2$àÈ:yB&‘` »TD™Lã¡ïàx÷Œ6WþªÆÜxo	’ÀðãÛW4y¦8mîêî~ØiiÏ(7(›ì)åöÈÎ(×SM=¡nA&ΞÁSˆ0Ð.A
e¸®þozvôÛ•ßˆ§dFX2mµm—÷“™Êh€¼g3UŸj:S*—©Úq¢ãÈÚ]}W7'6Ð*¨Î‹¨Fd‚4RZ›¡p7^‘: àÔè„qxXÌß­Ž¢‡
°¥|vl‹ö¼%ºSî¸uÍãšmTX»ßMc/ׄýâ< Zyiô©¦í¨œýÞ?…4 âØî»	”!S‰°÷¬|žhD¾
3‰ïHt6Ô©B§’€cÊêÃ	Ico$„·Òà|rîÂN…=và˜aGëØq8ÕÒÖ3°#EØ
âvtPN¤o•ƒÝä8ê`ßÅ	Pµ¦ùa#0ß_§ÎH#)35‚™42RÊ'ü«GuÆ¿<•ó¯íñ‘P™ÇqüÄ‘žhäÈþíÀQbeŽŽüdÑvP3lmµ/ÛÅ´ˆµ§Îï]A‹_陼æÐÈ;ò˜½f=5¸ +'r.+€jUØŽ°„‰XËù­s>  Âi Ps3i¨2Å%NžHÏe»RDF°+ ^|•*'>Æ®4e¡T
-û–«_ Ø4p¡‚ZíÁý×ô•náÖø¥ß*¼»¥,™ðÓoô•>Lj º~ËgÚ–.¼d6µ–ðdžu½©¡âšvE¡#-Ò'RUŸêŒ+z*çŠ&]ñÜ‘W<9rÔûG¾®mq붵>Í€î¹%PãÕ²èu0*Ûlê9”:ëÄöõS i¾—›uÈ„¶ÔƒXÑA=Ün¶4í¶%O/y¥´]V»öM6æG×,^ÌÌðmÙ¡U}Fš´£«q‡ºH÷í~]«¼ódØQI%"5çÃNŸj:ì*v®§òüÙ#Cž?=r,ÏŽ¼Þ;ÔC–z\õ#X,ƒ¶Þ]BÒ\vv¬ã'òH+éݽl, Æ²p)âÔR)àÜDúŽŸ«&ñÌŠ¬â~µÈ2N°£¥@u×î‰Ê¥|¦²4b[Êžn^&ªè R“Ç?΄žÐ!}r3¨~ëf¹Þ—‡xã§'ëð[ΖcævWƒ‹FáÍðÑ¿©*÷¼•Ò¬øî¦Âßö“Mªq¿Ì)÷kI›ª+è%ãŠßV}+€Ä%hEïWñ„ÎÓô}û•ëh=¼E±?ñ]ðùÅÒC‡ÅØû
-=é
­ÚõºýÖ“AñÁ‘âMáÁ²ûå"rýP
™[ñÅ?sP(â†íChJù¯BŒÿq²¯É*É(˜ŠÌÅ™ñ–µò=#¹\¨.Â1®•‰î‘bf¥Ï`L÷Œ	ßîKƒÛŠ
-}h*ªõy;•8&”™&Ãy7¨™Ûv»®í½sŽ”ñ_Ÿ{2ö¦¡„à¨XjãìO¢\'fè
-ƒW1ÝU•qŽ½ÞïQÃ9ý{²`€¾·€†~ðž…ºé8`£™õÍÒ*üÊILØBUñìô°á®¾9¦ËÊ`el¾C…=çTèÉ‚
-}Bå:¨æHc
æ±×`ÎÁÉu:&uÌcºtîëul‡æ´0ƒ3˜šùô5ëØ•¢ÜqljŸyÏ	º„-lßIïE‰‡}­€†îPÿEkAJ„·)ÿ¾±zÎØÊSySIW>£„"x;ÎùZ68¼ð«NÍêÒŽÆN’+lœplqÂûºìõÏ<ðtÔÞt¼¥s‰pzNô*ïgcÆ“áçÊ¡I†ûØüû–
µ¤‰ðÿ}Fl'fÞµ¾ûߊÿ@§‘Î25îÑ`äÒ…Z‘*?=üÒ©ìÿj™E2endstream
-endobj
-2093 0 obj <<
-/Type /Page
-/Contents 2094 0 R
-/Resources 2092 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2087 0 R
->> endobj
-2095 0 obj <<
-/D [2093 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2092 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
 2098 0 obj <<
-/Length 2582      
+/Length 2259      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sâFòÝ¿‚—T ²LæCó¡GçÖÙsvãõ¤.wÙ<È Œ* q–°×ùõ×==#$8uW<¨ÕÓšîéïĈÃOŒ´a&•éȦ	Ó\èÑb{ÅG°öáJši$šv©~˜_}ÿ£²£”¥FšÑ|ÕÙË1îœÍ—¿`ŽM`>~7›Ýüm:»ýp÷ïÏw7“©pVØñõýýÍÝûÛ_'S©91ç㟯ï~¹þD¸ûI*Ç×nf“ßç?]ÝÌ[ÁºÂ®Pªÿ\ýö;-á?]q¦R§G/ð™HS9Ú^%Z1(1›«ÙÕ?Ú
;«þÓ!eÀ23ÂVf•$JXêì2¸L§©mª”YcZeJÕQ¦3L;gD¨ËÛÕdª@yѬ'bœ?ÑkÐÍ:G@ŒÿÈ_¿­	·/wû‡M±Èø ¨ÊðEør™oò¦€•¸°Ìš<|™=M„‡ë¼	ØrI˜¢QŽ— ²{/é…œ¶Ë¿†ôW„Ôø².kñŒù€<$É–Ý·„õN‹€wÚ7_ŠÍ† ‡°‹¯Ý„¼ÍšÈ„۞Ϣ`:•Øä,Ú¡ºE#•÷Í春QLI›^f‰XvÜ8¦xªú,ïŸ K}4Yƒv]e¿¨¶;,°UyV#ÚAG%Íe…tˆÎë#yu<AÂS¨nòçü¤¬¤–¥ÒÉ‹REšS©zyK–r(&]±fySÕíeþ°|¤ˆ€W/ÕyeiÉ,OÞÒV‡ê‚º"•×ן'î-\
-]ÞE–‘h€eÏ}´JôYÞ¶ù„Nþqö‘¨<*ê¨B,SNóA—QqMþ„'ªîe5§mÒy]JÎœƒã².;Tt©¼.Õïqf±µ ß«³ÍI¼¦ààW—åŠDrõ:S¥¬'ׇ¼ÌŸ ½…¹#Õãf|‰"ÌbaêD,–DBz?EÔcñœ—„[ç_	ÈËEµÄr€x&¨#GZ^fuØå×<(¥+¦Ä_BƒÖ×ÊÑa¤b)7D[‰ o¤}G¢þ1èˆ)Ê%vþ9ÕM%5“B™ãbݦŒnƒrP)©ûóÿ¡#?øã#©·uÇ6ƒŠ}>DŸõÈÄZ˜âÌÑÝ¥:ï‘-•÷È¿y$ŽŒ6hµh¼ìUY'gÚjwYº–j@¼^VTšimE_¾žUb6¬ÂÖ
-QÕÑPÛv¶Ú^©ÔöCÊ
Ml×Ä‚óó†IÀqœ~#Ut©.&RyÃ\Ÿ¤]'LÎYF¢–]e[ȶ‰4}–¤k%Óž®ñ=£GÐ5‚A×Òü5í|¾ŸcöþüËœÞcÚF¸
-_eØ8mzÚ#¡ŸªXVô¤Fø %…°cNÛ~øv\ã´ƒä*NÑEYç‹}·âàðÿ]äœé¹`š;û†é;TL©Pnl]qÆÚä'…@2clz™u$`Ý+–™˜ë6ÿЪ•MÖ©¦=öqÄòš/ϪNAÙ7Ϊ˪ëRW]K…ò‡A·ËÓBËù<#ÑÏ^Ø8ˆqÄÓ_¬0·ÓN‚,5A5‘›%Á^CðuÂPEòTtsƒ˜u BcŠÒÎâˆ*«ãÝSnÒÐ¥õÖòÛÚþ¶A\š_H.#Ѓ°Gq”Í ™òâª5~턦†â#·¡Eâ«ZÁ%˜Éð`<¡ƒQö¨ÝáD€_Uû2°Î"Ð+q·öE…y‹|ÞvOÅsLG£"jðh.l=²íǘeŽØ^‘¼k?9|«ÎéXxhÚ¬nXèkD{_Ž6•Ð>s†H :­óßüzýóý§›>N&!ñ;ÑbÙ´ÙT/¤£qæÚ’a
Ù×â±éŠÃu²VLrSô˜ØØ‚îÆ@g"mt°$´‹2^F!êýìšê܈‰|I”¯­J:Òà@áÒ4pX–5äì)lÈ3Uþ’8Iû7!Øm~위}¥é;aeb±{—´"%ýÁ‡Û'gAÚ‰¿†—í¾nˆä!újèâý. ¶YÝø[h€c6E‚CÃÛ»PRÊB‹ýîò]Ö·S€Œìt¾­ìEM=m"Áu’Dô½¾(Ÿ«E®Ä=ÞTÕ5虧‚¥
-º1õŽA“µâ*…šØV <0†¤JÒMï#è…—JÌpxá§xÅDŸf
Aïgô[¦ŒR}{ǃ·¦ÅÎ3Uý€ÂuðsQíëÍ+-]{8žPÆÚ¢Ewlƒ
²'8ä^šî’ØÔŠ¶ðd¡BƇÎ_Ž³ºÞo‡û¸Éý_º†¡<ÀÀb7ÒÑ톢}0/$“¿˜D¶ýù@òÁÐßÒ0ìãɽ8oû ÿû/ëßó	x¦sg†ai5ƒM
-ŠŸ/œIF:•ý¿ïŸá”endstream
+xÚ¥YßSã8~ç¯Èc¨É’eiß`Ùì펄«­™;àÇÎÅó×_ë—c;JÂÞÕTM„Ôén}jµ¾î†dqÄe(G±d(Â$-Vgxôk·gÄÊN(èJ}žŸ]üLã‘D’‡|4_vt	„… £yúeü	tðøz:›Ý\³ÉíôÏ»éÍy@DLâñåýýÍôzòÇyFÄAãñï—ÓÇËßÌÜý¹Ç—·7³óoó_Ïnæ­c]ç	¦Ê«Ÿ}ù†G)ìá×3Œ¨Ñè
þÀˆHŽVg,¢(b”º™âlvöÏVagUÕÁ(¤<ô ’!HFQ؃#’ˆÓj8î&Óùdzkvvw?ŸÜMõ¾ô·wXâ ̨Ð_K˺ÎA5M¾Ê¬<íÈs‰X(•“J|‘”Æ@RÔ•=eæs[g©5ve½ÉËÆN½X)°’—Ïf¼Êš$MšÄj¬ëj‘'Óò–7/vÅ||ÏÞÏ	!c´wZÅ„ðQŒàåtPЕràzBÍI©]Û¡IΖñ	“NÈc²‹pLŽÅÀä};8˜Ús‹þãÔ…u¶®¦eµY%ÍAtxêcJ£Ó•:ŒN+¥ÑY›°‰¢Ž$„«µasuqqyñpñxq}‘ÅÐE	BluÑ	y\ì¢I8…[«=œa¬£)ãz-ò¯‡3Ý	FX}MŠmfªù„+bÖªåÁoÔd(Çó{•X½î’`8¶ 8Üúî3†XX‘jÝäUiÍ%ïÆÒ“Ö=
+(à4ã Í
ð•eUÕ›¾D’ŒŸÞÍgUªÝHlv+1ÎìòÒ|šk*±Õbn*̲Mm…*ó™—i¾€ûj¾ñö’ë@„žR¼éLõ¾oÓÃOœ"¸¸
L‰˜…Vß ÂH„$c‘CÄ<fS1/Ì–‹)ÌÀñeŸ<Ä ŸwP÷^8ç¢ã€ÖךZoŸ
+ÎIK$EYM—‡LÅM%‹&ý¥1:Ðþþ¦|¯Õ÷YãðÒÅÌ*{ôXÀÄ#I†¼¼Û²gäÌê¡9ü¡y
+ù‡PiÍ_{7˸{›íM3úž=u·	ÏiØáTZ3þ,š\žøÔ¾“¾Ü@9œf»Üpl´î»N#$xäbµ¯|‡#ŒÆˆI)¤)ü¥eg77Æ‹ËßfwÍ~v/ïsV~Åð±qÔ!.@~é,k½~çªUÅÁ‡2÷hBÉQ¨.^>å*S½º´ë9Ó=w''ÝÍK}xº`ñÑ/¸¾tÔ¿Nªý+W4Õ‡l,lùb«qzRc]%Poò¤8ì-Áq"önuåÇ"I¤½ÚäÏçøîN:îîÇAˆcc±wtëvtߎ6oˆc+›¤„L³×7G{ÐÏÚQíƒ	¸âBõBº0ÕM²i%˜H¢.ÏÐÐü$TMã‹m#	©i¨®iGÛvôz2…ÙkV|ü=øO;úÑŽèÉS¨“¢ñ2ËnÞlõýâN¨±0ýwJSïú ê{0]Ú‘zAuŽ6óõBß¼|
+èðñ¨O®ofWÝÌúx/«Ã€†­–žæ!%¨8gº)À©vWÑüˆŒ'™⫶ŸYÁ©á>°1o¦f“[3gøêÂÔÖ©Óm)TjºJ·‹¬oV9’Ym¯Pg›²ª¥y'ß½Û`‹u1þ*2ÖγˆëþƒºCcÀc»ÉX{·MÒlkó=SõK]ê<ÛÖKãèÊ,·vZ7aÒ2?˜U¼¿yI3Ÿ×ŸT™DÆo/|qcdçÏâ%/Rë5h¨Ílb{–²vƒOoÀu*"Û¿€Ï²jT­aÛbµ«Ù T¡p-DÝýè–bæ²zWR8}ÉSwré¾&Cá.Ï@D«Æ§FˆFÜå=Õh*²¶Og{w‰kÝ9X,¥>Pp@Ï)LönH§Óëëú(‰zoŽÒä®Ôá®_+¥+Ôd¯'ª_6qܤò˜t¥¢=“ÿÒí_x—Û]ÒtWŒ@˜ÛÃ>Ø%8V­Âø6©#Ø8)ÍÂ×UÝ}
+„®c’#ABvÜ1'äqŒXI,aµçÙÌu=]G¹½PÖÙXÔžù[mpzÛï`'æäD÷}'t¤ùn…4–W{q«˜²£öœÌ¾½Þs""˜èÙ»ªVkÈ…Oy‘7f”«^išýtD”Œom ™_~P• ¤]žù!ð<¶Œ ÁZ–«-ýå9`ÇH[c¸L¢ì«Ÿ´iš›^åúç—}·Dˆ„”.k¥õ§úÌèÃNA²/]Et#’lÅ»ÝdKŸQõÆz™»*Ò̮هqšû|2"ðø¸]žæÀ9¤dÝ>ïg@@…ù•Àm†þ¿"Üý
+e"ôÇ,¼=AalRŽŠ÷/¥ý1qß÷ÿɾ,Áendstream
 endobj
 2097 0 obj <<
 /Type /Page
 /Contents 2098 0 R
 /Resources 2096 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2087 0 R
+/Parent 2077 0 R
 >> endobj
 2099 0 obj <<
 /D [2097 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2100 0 obj <<
-/D [2097 0 R /XYZ 56.6929 296.1579 null]
->> endobj
-2096 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2103 0 obj <<
-/Length 1561      
-/Filter /FlateDecode
->>
-stream
-xÚ­XßsÚ8~ç¯ð#ÌU¿m?RBÛôZ’rw3m\#‚[°s¶IKÿú[[’±A@;w“™Œ-Ò®¾ÝoW‚xþˆ„YÈ=?äH`"¼xÓÃÞ#|{Ó#3´ aõjÞ{ùšù^ˆBI¥7_¶Ö
-âÍŸú£ÛÛÉôêúïÁ
-Ü…CqÿÃhz?z¯Çn!íÞLfƒ!ñ%ã
-+˜ÄýéèÃäj8~;ÿ1¾™¾<Ìßõ&óƱ¶ó³Ê«zŸ°·€=¼ëaÄÂ@xßá#†ÔÛô¸`HpÆìȺ7ë}ll}­§ºÈ,@" ¾ƒ
J A_¥±ÒC¢t­n *¥4Ë»à(3€»×c½"øÄëq‚(Ä ‘AtèÒP2ô†,D
š‘ÑýüíÍÝeæ®ÓRå©*µ³]QªM¡_ÆYZdy™l7{»1.©Y‡säh&0H0älmÔb¯Tü-ÎÒe5·3‰$!´OâvaÈ&kÔáBµSŸ)õõSýY?ÂçÏÓÇ-„-ÉRƒ„‘µ	X±KËè‡W&é£~+³lí¢wéœíÒì©HŠCiIЃ$ç	SR °C*8<;‹FX@¶—¨e‰£h4('Cøÿ4\=اçæékóTêíŠ6󇈒ÚÇZNI®bÀNC;ŽŽ$mRÒ¬ºLÖªrÆÚxj¬ý|p'­d(àXX–uį&³ñÝõíüúfÚÌ:™¹Ž<;ȧ€"ŸBñÒ®ÖH“Ú媓/ôË—­‘Aš•‡8µ‰Ò2‰ÍL:F¿“‹nýZ/;ùvS“0;ªä&Y§(}~>£Ú([x3ªAUv‡«C“P¼9çLZÃd; aˆx¥„ŽÉÛççMZÃd'pŸÐ:&ÿZ©tO}sÈö<·o:kmˆšø5Ûæ©UÍý¤ljSQ§ÉäùŒŠd¶PgÈ´¨jgÚïÔ\œ:'
-—2ÈÌó¶”ÃxçdACHsF»Öç57ÌïëC>eÎhÑ´ÁÀñÁ¾6t ÌôØ;¡jU€V/ú×K=ªÏÞ+žTœTóÕ¢:ts€,Ô2Ú®ËÂ8à:å0ð^i¯)/U¿Ü7öê6J¡ V­ö1â„(C!Áüì-œCƒ%~÷:s7™ßßMuÞü9fû£÷÷“ÙÿµÑ‰\BÚ¶•î;©9ö”Q¹-ºÅˆtSü×ÊúA¯ÆfIHƒü{R(têÇ'Ç6æl¡¸!ò?ÿ0µÿ	ŽWm6 î$g¸”pãTÅ!aäÐõæ'¬cßÿ]í¼endstream
-endobj
-2102 0 obj <<
-/Type /Page
-/Contents 2103 0 R
-/Resources 2101 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2087 0 R
->> endobj
-2104 0 obj <<
-/D [2102 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2105 0 obj <<
-/D [2102 0 R /XYZ 85.0394 751.7846 null]
->> endobj
-2106 0 obj <<
-/D [2102 0 R /XYZ 85.0394 685.3283 null]
->> endobj
-698 0 obj <<
-/D [2102 0 R /XYZ 85.0394 643.9977 null]
->> endobj
-2107 0 obj <<
-/D [2102 0 R /XYZ 85.0394 609.9378 null]
->> endobj
-2108 0 obj <<
-/D [2102 0 R /XYZ 85.0394 573.3266 null]
->> endobj
-2109 0 obj <<
-/D [2102 0 R /XYZ 85.0394 503.9484 null]
->> endobj
-2110 0 obj <<
-/D [2102 0 R /XYZ 85.0394 440.4569 null]
->> endobj
-2111 0 obj <<
-/D [2102 0 R /XYZ 85.0394 374.0006 null]
->> endobj
-2112 0 obj <<
-/D [2102 0 R /XYZ 85.0394 84.369 null]
+/D [2097 0 R /XYZ 56.6929 752.3759 null]
 >> endobj
 2101 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
+/D [2097 0 R /XYZ 56.6929 596.2077 null]
+>> endobj
+2102 0 obj <<
+/D [2097 0 R /XYZ 56.6929 535.8202 null]
+>> endobj
+694 0 obj <<
+/D [2097 0 R /XYZ 56.6929 498.7066 null]
+>> endobj
+2103 0 obj <<
+/D [2097 0 R /XYZ 56.6929 462.9408 null]
+>> endobj
+2104 0 obj <<
+/D [2097 0 R /XYZ 56.6929 431.7394 null]
+>> endobj
+2105 0 obj <<
+/D [2097 0 R /XYZ 56.6929 368.4301 null]
+>> endobj
+2106 0 obj <<
+/D [2097 0 R /XYZ 56.6929 251.2316 null]
+>> endobj
+2107 0 obj <<
+/D [2097 0 R /XYZ 56.6929 166.9338 null]
+>> endobj
+2096 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2115 0 obj <<
-/Length 1960      
+2110 0 obj <<
+/Length 3468      
 /Filter /FlateDecode
 >>
 stream
-xÚíYKsã6¾ëWè(U…X¼I[IœÍØÎØ©líd´HÙœáÃ#Rv´¿~/Š)iœñníaËU4ûñu£Ñ
’)†?2IEÕ4T	LÄtYLðôÖ~œGx¢ KõýÝäo?°pª’TNïV^ÂQD¦wɇÙ÷ˆ`4xvuönqœÿ´8ÿû?¯¯󀄄’ÙÙÍÍâêâòó€
-ô@ŒñìÝÙÕog¿Ø¹›¹¢³³·ów?Ow­f]í	fZ­/“ñ4#~ž`ÄT$¦/ð€QŠN‹		ΘŸÉ'·“_[†Uóê(`e’ŽÀAÉ”¤„ =<„B’Qfð¸],¬Qg¿Ü^k{à-ÖOa1¢¸!/ã"MþÀGð|g_5“Áò1]~þWU¦eé?ÂbŒp`lÜqyua™(§FRdeV7븩Övê}ºJ×sÍÒr™Ú©wq¹‰óu‰Œ•R:öÈ‘ôp<Á@ >7¤g¿Ýýtýþ4—e“®Ë´±ŠÜnë&-jûp^•uµn²M±Ëã’:>œ B9oBã~úeM
ÚaÆ•¡¾’º)„EHwÞÙ1껧*ž²<5Ìô”†vԙØænüçY’5[ûd˜fåƒ}ò®YVås
-ûù¦ªò1ȱÇÚݶ¬žê¬Þß?Œ 0’l*°D‚2ﬧvÄÍ€BB$:,Ì^àd$5´T#èÍ	¾ù$ýè±}jG_ÚÑs;ZZD×SS)Â\`.ó¸®-YO1ðf…ÊQµW#ÐH
-áHWÕºˆ›Ž}²–ãoÇQ‡+„vˆ8„ú4°n·~²1,RûPTI:†„!bûz>©÷ëøßÆïó{÷Æú•o¬_uÚï%Ê6ÝôxòEË}žõÏ€…I‚©›¡êf›§_÷·ol}s’_’­Ó%=Û¦‚#IÙgúòŸ`zÑŽ~a/
-ãÙ¼wÁI
-¨úNêFÀXzæ‚".”ü†ôÜeq8=·TôÜ=Æöô_HË ‘øš´íûèü÷ú'Ë,
-¡¨”ážÓ_É:{ã­ù¿žØË7Öï
qøu‰XDH3í̯ÌÃÿÏ›mÞ4O}×ì·Ð.pY«Wó^,nÏß_ÞÜ]^_µo4l´VþGœ†m9©)MÂfÍ£)àù¬Þ–Mü§ŒËÄNfо<¬]YÏfÕÊ­ÛUß	0×	@óË %¾lìäSºÖib ÈࢧvzðY\ØÉX-õà;G¬8¥£Ô^ŽJªT3øìå1-í(¯âÄö‘5#²f€êœÐÙÝcVÛµ"þœŽ©DB¡¥¨«Ò)èCªüÙÔéj“[¹+ÓÁ Ó-d‡*Ì[T
÷©¦×}­{©*õúC`Ïf
-g3‡²ºÁf½k¶ÓÂŽÀ©•Å»–ÏŽêt
Ú<ä^¸v¢°CÛ•@”H¿ë,´ $+²<6¶èGÁn(W_1˜Œ©Ïº‘¢Ùý¦±ò²ÆŠŠó—xëtH6Å“ÚÀ„u¼iT›´l§ym§ï·ö7IWñ&o4?ª½aîIô‚AB¿¥Ññ÷
-Ýs Ú4OUF`OeynG÷©ý…ØNì(®Ýoé~—¾€1c‹²µÐ»/ýÛ÷Û‘ !Oˆ©€aè›ÙîB:{:ûÝlͺ07AùÖ>õ °~Éj}˜

·»$¢<"}G;œõÆñ8ëq±©Ý}OÜøÕØOÝ»;bë¹þ\óXÕ~CvU´›·ÝÎc(I…0	å)”âo—I6ëX\÷nçÀ¦úæPõ¬ksZ
o9]‰a/ô;DþJrXç{"-4Hö姰
-Ëó4Cy]”B(öè/oQÆ÷þÊ+Iï7`Ñ!›Iø`8,ŽÝ¥:luKeÌ~Teõp¹P±˜?•í#µ6ÛòcÖô‚ŠG­{¿˜zMo=šb¹‹dvî­òtÀ2¨ù/EE=Ëz½)WE>žöý›ooþ&¾È°*ê)ù™Þàü˸Ïv«–UÞï<7Ë_2Ñï'4Šõ¦}¦f•­™Hb‚u«i‡CUü¤ã:j‰-ö´ô˜Ž[A`òFð0žÏ)°€äô|çp¾¾fƒŸ²i:œïUQ¡šáiZ;yCOÚ¢%hŽú`SÒ4ì]>–«œšÿ©«¢¡f§.Ðò%ÚçPÒE©tî$JªH*'Σ$`yœêJ‚f¦Rϯ>•MKf«:±dʺZQë.Ø•‘Lb=ÔHúx],òãú"LäbwNaz\'4&py•y3…›àÙ;ï>%xþ$9-\Ç5!ÝЦ‘JíPº72v¼G›º)Q’¯hÝüfS,Ë{æÈèÒÒYx‰=É›fØWÂ.‰Nà
Šœ¨JG-]2}O¤ªn©Ñà|¨
EŽXÑW^0œøãÕi¤•nÀ…UIŠ‘c(±â¸÷4©ŽâX$§µ Ïu\:.¯ÎzOÄê±A9-WÇ5!Ø@„‹¬¶v(Ùí¥ ›!°KÑ?"FÖðs@—=×Õçb½íÈYõ<ê‡)Tö€Ú`¤šß>–=–Ó!•/aã®è^4GYhü6
gï¤Öû6ZìBYX­_Ô„úÔ0hÆÊórR¢0…˘3ã!@µñº‰
+.£ŒÇÍ1Æ !ÝtÒC-LÊj?aBÑýMȈ2'äãr\XŸŠNö±+Êm¾ïÉsÚÃA#,ÖŠn±xx–/Æ,Ç–6„ˆáþ˜4äk?bÖþT6Å‘O`5M™ôeÎ3×ô¼ãY½”Þ+à[S×Õ—TÃΪ|2¢d¡;„~`À•ðU¶äìÉšFÎ¥nïËxKN†@úþ¸ý[C¬öjþ×"	ÜA|A\ÃÞ¶´$uàåâ•¡§ßíSAVÖãFuÏÚîÎI%02d2]T‹Í})t|Ì7¾ âÞS®âbÊ¡ýH!Ôg…`àì™kuç>;&»¿ÈÇéøM}Ø¢Åç})Ù…M!Ïkx®þv7¡šµ\pJ™5m/¬J©º…Í„óx aˆ±Qiu fÄì(=0ïšF†8Š·ú•ç~6lò%æ‹òøYÑ]»!9„J'
+v@kšÐ£|W/l÷øÑý‚ð¢izñ·oÑ*ðΆ÷‚<>ÇOõn•Ÿ1Ö)§ŒYQìtzÚ)÷¹Ž;åŽË;å×çÂnïÆ°ùkR’aÜ@¤¬Üiù:®	Ž9‘Vp	oCHÍ"@[s¼möñ6G ØGމݭ¬‰õü}Ý4åݪ &¬áØy¯AV¥Ißß!ál‹O->'OÂÆ9#º;a3¾RaËObô¡…‹(¶J÷fÙfOÇ&p^X9çò“Q8ÏÅggöþÞ™y m¶%§åê™É`”þžÂ¿Q) !-…wJ±EFü¢ürI/!<Â6ßÙ{rÍÃ!Âp‹GÌwë
}‘Ì-‘í=%£Ó'ÊÕ‚Þ‚n`»Ÿ_á»MÎð‡ÞN¡qÇÃv‚çþšunY…ßï3ì5> endobj
-2116 0 obj <<
-/D [2114 0 R /XYZ 56.6929 794.5015 null]
+2111 0 obj <<
+/D [2109 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2117 0 obj <<
-/D [2114 0 R /XYZ 56.6929 752.2879 null]
->> endobj
-2118 0 obj <<
-/D [2114 0 R /XYZ 56.6929 690.9973 null]
->> endobj
-702 0 obj <<
-/D [2114 0 R /XYZ 56.6929 653.2561 null]
->> endobj
-2119 0 obj <<
-/D [2114 0 R /XYZ 56.6929 620.7725 null]
->> endobj
-2120 0 obj <<
-/D [2114 0 R /XYZ 56.6929 585.7377 null]
->> endobj
-2121 0 obj <<
-/D [2114 0 R /XYZ 56.6929 521.5252 null]
->> endobj
-2122 0 obj <<
-/D [2114 0 R /XYZ 56.6929 385.2336 null]
->> endobj
-2123 0 obj <<
-/D [2114 0 R /XYZ 56.6929 245.9771 null]
->> endobj
-2113 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2126 0 obj <<
-/Length 3124      
-/Filter /FlateDecode
->>
-stream
-xÚÝ[K“Û6¾Ï¯Ðaš*Á“Ž{œu6v¼ëÉnj“85bY'"å‰÷×oãɇ@JSöV¥Ös6›Æ×îLfþÈL	„™æ3©9˜ˆÙrw…gðì»+âihÑ¥úöîê›×LÎ4ÒÍfwë/…°Rdv·úe~óþýí»Wo~¾^Pçߢë…ÀxþöæÝO7?¸±÷ךÎo¾»ýp½ ’PDºÏßݼ½}µxù×Û—û÷ïn¯»ûþêö.JÖ•ž`fÄúýê—ßðl“øþ
-#¦•˜=A#¢5í®¸`HpÆÂÈöêÃÕß#ÃÎSûjJ\($(Ïf Öè#,@É1šD•Q’R™'2[”fšß¼¢C¨¡BkC±«VÅP„€Ò¥hY¥„ŠD§R±ÎÇe |&{b½/ëê°»^0ÎæUÝ,¶U¾rÝÿTû´ø¼Ü7Åál>»ËM±üX›ÅTzþ¾ªëò~ë)Í$jG•®‰šnÚ=ýP™!­µðÿ•R¾>n·æ×Swå¦Ð”-1xU¬óã¶&y‘`Ï9U³÷…‘²Ü?Œ|%#ДĿ”b»à4C„gVãHA#ÿmµÌÇÄg°GÄcŽ´"¼#®ewN^8Óþ¥|¿Jð%1!»Œ÷°¢cbR”µÄÈPÀ<…ÝdÀsâfüÖu¸ª€f!é勪yP·”˜7›¼qXzû³q8ZVöwUw×ÅÁÑ6•¾qÝêà»ð/ÅÄQ,ÝWÍÆQ”ûE@¼°uœŽÍ¢Z»'V'ÂL“°>6`9û|WÔ“`Œà15)Nˆªár-`™Ñ Ôj¿ýìÜkИi¿õnøDOfðiS.7ÝçVe¦kTf~ã¼M'N$ |§â2(XSF.€bÃå§*,?´>üãZˆù?]çT÷0`^­Üïû©ü°ÇÀ	Ç£ƒ h1‡Ãé
-)ÊÈŸQY Ð,S6y9€ÁP‘ÍWŶxÈ›²Ú»'ï>¸ßÄDEv™Ÿõæ§òçLÜX‹
-Óë(&s¨°œ1‰E0€r‚
®ÙüMãžåÛºr­hÐöv­‡íÑsÉW+'lí‰N­Ë}à`_£óVŒ]Þ¸§UÙ~*MYv…ðóp½G›eç`WnWgð-ä’<ßdßnÅ¿2´]·
-´nx^W»" ^#)! ì-­ûÈïÇÒ5Vî-·N¦UüQÖMýbȶŒâûN­8ÅáS;–ž0ï¨Þ5ÍtP\/k“ìŒMbŽå3ƒ"Ž¨âü\”A'Ï_hCßUYç6„¤ŒÍý‹¦CƒRkÑ£÷ÇÆ
†ÓŽ‚½‡§²ö/8冠\G‘ש¸Ž@T/%×}ÜŸw[à#Ô3°Ëݼ7ôÇbÙ”Ÿ
-0	–ê}±¢ˆsÌ/]wJ.Ä·Šô¥>1ü“6Ÿ	ÊÄ0Éô©K5ž?E*›@­“	T¦Xˆ­M"¶6L¡€‰PŠOK©¢õ’(БȴìËö–©\¥—Ç9™õàaëŽ~ŘnïPÛlªåàW`"Ÿ‚Œ‡ãžq7ÅÍ$ru:ŸòŸJÂ"_Èúþ!ûˆD1n:‘B×ÀZÓhéR£%RY´¼N Ì›qÉÎÀ…"*`]'E‹T	Ùúp‘\èáÂ÷Û´b.fÐÀÅŒù‡6
y<6nÐÆQšÂlÉ|D'LkG<Ž cD_† €>SdAöSI- LB³§K D#”¬¼†];aRi–yR³©®Ö_…Ð}ÀZ˜ò˜›{
»ïª
-Þo_y;^æǺFâ
¾Xµ®ÁS{êã~kC4»ƒûWÇÝc=ê–Õ¾)ö͸[å"CRð3nµK5a(ÊÊÇ´¡(-ØTaŠb¤¸˜–+%äꦤSÙ@°P™JÔK`º„v÷4»Æ`§A$aË$'åEæO¥Íý
¶Fº6åÖy¹=†HÃsügn$–¿€ÝTù‹#%U¯ü_‘|Á1ƒ‹²AxÒZ]Ü+R>좊¾ET»Çr[ŒØ„MÑ67©±AT¡U7Ã{Êûñ°"ÓÙ©·x¶Üg-¹S$œÜÉp$Ý(öÕa4.‚8Svv3#)LåíPMØh ²6ºKÙ(GYÆÕ¤2”žM©’õ­T!¡…î‹Öne˜˜ÄÆ„à¦C]õ§rT¬7ÕÑd2¦}_¸ìò~ÐÖra៖kÿ`Sø¯ÅØßvÚÔØ”,<ë™&0p¦é²:…2Øû›Ð¸½aªÕú2shqÁù¹r/û2Ó¹,T#Ï8?p³{+AÈ4À»TãTàoS•ái€s$)Ó‚Eª„d}€›
šžh/
*݆… 9Ø0?àÐ=­,³¶áÏB\yÚ¿Êæ/Í	rlºç'ìÂó“2•=‘l‘‚8U\ˆÈe±Vsú¹ÇC?Že"ôû¾—A”¨Ì‘Ò44;TÐTšû/Š&åŠñÑ©\Éø¨'X›s2f=ï5™[çkú¶\ÆX¢\Æht¾†àÞWF¢óµ•“ʾ‚boœó=)¼/â›È²à|{o¦
-10Oeë„L¡["ÍÅW.¾VP¤ŸáÙ…þÿŠ¨‚
K=m™]ªqËŒTÖ2«ó)>¬¨ÑÒ‰urŽ(–|Z¸H•®gŸÜ”@•ì‹÷¯kÉ燲1Ž‘P„g¸Må™
sìxw¶:ƒô »s|˜ƒ; ±ìcÎã¿Y'X°¡ùy–‚@²‡²Nñ?Nâv±HY¢2–[í6“}
-Úpuy3T7Å<îœ0Úñ¹³y¸¡.}ÜF!‹ËŒÿëeB;â©Ÿ§,'ËW˜<ÛäõYxsEƒsž†w‡jÞÊ*¶NÁ#Êâe‚ºù¼Mì<`Ær³IÉ"UB´~#Â1éËÖî=Jûr†Æ^;fËÝg¦üa·ôe¥ÛÒ'§þ"	lbnÓüjG9•M^K^|ÚÈc,tP›/%}c†‘ºqŠmnJó#2¾CÆR”/Üû$ý
îÎÖ˜š±}+”¡íŒ@ÁZû‘úX6î¸ÄӺƣUQµ„]ØŸ˜±üØTÀ©\æ[sªf†îýoî™ù!o<³zy(­J1ÿqï›  =`éŸú£oPÚ áÔ‘…“8§#7ÒΊ̃i滛ÅÁèæƼp#ù*Ìû“øÎkÍæX{rÈ´ú Ax^¬ÊÆ+‚øYc+©÷/éâàôó‚=òpH‡£·³ÅC©CñZ®x(U,J틇Ðèa ¡]úCñP‹’ÑŠ ÕLgö\Ù~ž+GQÜÉ‘¶·z±¸¹É?
k›»"ß»Ã8SËb„­lxÚQ˦¦˜<êBIÆ‘šM»Ð.Õ¸TÖ…~ø¢Ø}R®»ŸÊ•ŒÝ{‚…¤Røºüæô“ÌR2K ±;iû~Ì,E/³1·´™efj«_1³¤‚]žYJ/‚œ¦–FðñÔ’.þ7©¥YiJ噲^—jžÊ³9w%tUÀ1˜Ðæ$€…€.clZ¸H•®RÈ+4‡}©'ÞËÛPŒ
3¬Ó±*H¨,)ï0²4Qmœ™½òb˜ºk.Ð*÷ËíqU¸ÎÊ_­°‡ßµ'G¿oy:p}&†x8üí 3ÏÇ°î	uw‡ôw]@E€áá•Î¼îû»Ãµ·ìÚá:Œ¿‘Q—»r›Ú++AgáVˆÝ@F±%%D	Ù™‚Z‡hâ®±'²ÀzJ׋	>¬…)É"Ñ©h}XühÖm¹1KÁ0žõMÂI!L9íÀÉò´p2­~øaF,üÅN…½\cìòº)]"×þË›w/øéÕ­ë
 éÑNe´3> endobj
-2127 0 obj <<
-/D [2125 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2124 0 obj <<
+2108 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2131 0 obj <<
-/Length 1745      
+2114 0 obj <<
+/Length 3036      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XKoÛ8¾ûWèÅb–o‘Ç´I»)Z7»»´=¨m•¥T¦Ù_¿C‘’%›I
-,|ÐHÍ¿~3™bø‘©Hjª§‘æH`"¦ëýO·ðßÛ	ñ:óNi>Ôzµš¼|â©FZR9]m¶ÂJ‘é*ù<{…Ag`Ï®.Ïæ”i&g77W‹Ëëà^`ÐŒg.Ÿ.Þ»g7gšÎ.Þ^-Ͼ®ÞM®V}<Ø	f6˜“Ï_ñ4ÐßM0bZ‰é=Ü`D´¦Óý„†g¬{’M–“?{ƒƒÛWCp¡ \q¦Â@:ÓKvŠ’P–j~y¼N©ÚM‡ÆN\vJ—là2bˆj,Ç./›ýÃúß"7Nú‚1ͼœæó"O×qæn7E¹kÈ#x¶Ú¥•×ö×8»¼lòø[f’þ=»Ä#0h+`ü6¦<Þ›d¾.öwifÚ°Ü+ÃÅhŠ8¥Ê¿NêÃg!Â	¦Å3©h=‘ªN«MÕß.(!šD (Â]Pû"1Çqi‰XÄÉÓquJ¸†L‚[Þ™uºy€Ìh9»ß™zgJwSîºÞ™õw+Fm:ÚgÜymÊ}šÛ·¯¦Y²ŽË3¢fI‰Ž¸š-žÖrÜqâl_TµEa:'EB(ÒB8nè+…Ó„êg¡j²ÚÝwÝe§YÓyi_,ܵÉSVuœ'G‡aº'P½ë]šo½ál[”i½Û»Û/XàÛ7¯Ý
Ї–ÁV³›¢ªR(èvM¸[í3Þíßi±ó)‚¹/’/”òû¸Ìí5PæL@íÉNÂJÌ&\l@Þ,öÔ‰¬µ 'é6/Jó˜
BÙs»I
-àN,ØÓ»i¨õøn구G»Éí®?vØ#¢Ús¯p=Þ0
-©£±ïÕÎS]RìãŽîÚ`Z©­=¸ÖÚ'¿W@–íž2ÉãÈ‘	EžCn õr–«	ËÕ!ì´@ÐÈøÓ®;¥€ë1rd}÷ÈýZ.RÔk¿q6ÐY9¢4Ô9gHS?6Ü^­>Ý.Ü˪gï?¹Qà؆TÁ®‚QdÐ?lJéŠC—gÝöp[µnʼۼ¾
-̯´vJÝTã5ú
˜ú[S¶vŠÒ«Ý›ž¢lq™Ú¬ë®
:†{“–¥ïÓêxºpGð,¯®ÜËï—kbDYî8?$Î#µ.òÍàïÖÓÃàÐnˆÒ4ÇÌDÀ=hSÞ3PÈ ‡Ò#缺^\:{Ú¯*6“Vu׶IÙG·fã1Í×ÖqÞ@/:uO`(¢RÊ!¥à
-Ý"zìŧÕoŸGô:‡^˜_!ˇª6{Ÿû×E^e6ûƒ_È!—ÔÛá0‚)BûñøHû|t…ÙiS;…ßà§1Š —ÊCŽýn£4rÒ8Ì0ÉU¦üiÊFø¨èò⮂1ïˆlP˜’lJaá‚ÒÙ@ÿ×TØ„?I‚C-ñ	öZƒuK@ðóœí$ÙKk?¬*âä"_!¶þÓí|“fè‘[	“`]Óîí&»Ð²•„±Ð©&æ[³gæ§É~ß즗¶½´¸ö–œt¯o²xðA9â‘"Ç>ò€=(9Š“z<Ö¼Xß5UȲFJEúØòݳ ÜÁÞÙƒB;LF½½ª—–Ëc_ìã_óªXÅk‡¢H¨cûõóILK ï¢|åHRqoó¬Ñ¦êvÜqº¨<ÁôçW7C3iK‘q‚>Ïÿê5ÃÙä´«ôÿ±Bwü‡h“3q…£ŽÜAòjùúöúfuýqñ›:4‡B­rÜmI{šδc¿½\zê²rˇ­äx×ɶ].–n8¶<¯EÐœExvCåµÙ.n¯í¤b׬¤Ý%±Ý'ýÖÔiá½n\‡÷Þ®—¯‘“Þ´Ç(öÅaì‡dùÕŒr•æîìÜm{~42Á
-Î;Zö ÙV}·eç½ÈÏæ	ÛŒQ×@(FB*—ž¿w¦õ£!€ŸÅw×&Œê]ÑÔîwfÙ6{“×Õy ‹DDˆ©HÏé¡,2$"ÜÕœ½2gßa{×~½zæ4îhØŠÛ¦ì!R݉Ój%Fœõ”ñÒÔë—mTÈÒyhðÓHJ¦†S‰ý®C4ŸL‡ÑZ„º"ivŸA’¸ŽSAÙ˜üð¹£~4¦LM…ûŽÅì¥àˆŽû­÷¿¿q>âq›GEÃÃ>àP AöAY0ã§GŒ(ƒ‰æ4öÿjßlendstream
+xÚ¥]sÛ8î=¿ÂoëÌÔ¬Hê‹ûÖïéîmÛkÒ¹›Ûîƒlɱ®²äµä¤é¯?€iÉ–œÛ»ÉƒhAÄ#güÉY‹Ø(3KL(¢@F³Õö*˜ÝÁÜ»+É8‡´èc½¼½zþV'3#L¬âÙíºG+AšÊÙmþûü¥HÅ5Pæ¯?Üܼyµ¸yÿîÿ>~xs½i"“ù‹OŸÞ|xýþŸ×€ÈA0ÿíŇ//þF°O×FÍ_¼{ssýÇí/Won=c}æe ‘«?¯~ÿ#˜åp†_®¡MÍàG ¤1j¶½
+#-¢Pk©®n®þî	öfíÒQaÈ@(«i(Ý“F*EdL4K"#b
S(²½^hÌwYÛ9Žå«Ê<ëš}Ëtꜗ{à±–<‘€¬á`•­6£öeåkOn¥ªç¥@{Ó@¨\¤Ê,Ý;+15¯Û%í
sÍš€Ÿ?ƒÿaXÞÔ?ujOÛ€_kˆ`Íž@$9€­íŠfËKªŠÀö­_ß'k
qp8r’KVrU´l)«¦¾+Ú£¢Á˜yD§
Ü~ÁPøð».Ð¶í¢¦o; ôÕ†×vôÝ6mW=º˜	wÔžM
œ®‰”ñ,ŽµiN8IBZô±ÈGÊ‘ˆá±P‹šÜBõ0AZpç4»…zµƒ+uÂD0¿|‘1‡4ÂXßA4a”DCÎn(ŒØK„!ÛÑÔhÒ™yKHÖÕÀ8Œr&œ¿|¤™¼Xg‡ªCßÃe¨™ê‘-,yÛ¶Ëöä¬iÝð¾E†êÅQ^tÅ
+¬»R º(1C‹{õéË´fU øú'4Ûú Y‡e5ûaL³»VlÛdðeV-à\[°Óe¢D(Ss™I5Âå@ÍI"BÐçMŒ_‹0Hæ7_à žKtªÆ1Ê^ΑMû5ßΰa;'?@­ ö$…„¦iÛrYžPhéGv4'];AÝâW¥ÂoE±ÃïX4…ÅÀùHº_ƒ(`Sƒ¡|6²K¨ JCæxê lpšØ"‚X“z¢ç?§*ÐQ¢{TuùÝËQP¤¼àÌR°.™ªY”¤"N!ÒCZô±Î-ÕåikL¬”lÛÈË»{¬‘í&(q68Ùÿ5{îºñž:/קžÚÚ§uÙlŸv	Ù'¤ŠÓbAgLé²ØzXÄæ°&íe ;
.5ñe<ÖÙµ†I`†L¼ïgTAbv|h}föùí+H“*Ž›û²Ûl!yZµÓÂ…&	Ÿnë‚pÖÔµÊVA9’†—9ðX#,dK:H†<ÜY¢.	ñ+ú“ÍÚ-†„'wY2˜ã»fµ™Taš€Kõå@ÕÇšT˪f<Ñaâ+“}yWÖg:€¼ÁQz™55ÂÛ0IE
+Eò¹['È6Q°b´ÌØt8˜¿_ŸøŽcá”?;Õ…Ïõœ&ºs긴âqÉ:‚úõ°=Í3]ëi8¾¦ô%"’ò‰D£uAËêïãS‰PmO%àNàŽD—ôX#´i¼IéE«Eþq,)uL\µ
b“ÆN
ˆ·¥Ëʺ„ìÝ‚ü—tà˜“ŽæIÇq×––^H:Ì»}žttPNoedã9[Ïh–‘˜ãB ¾Ï¦öH„DG:‘ x“‘P±JŸ°°ÖsXÖÂv§[Æ1ºÉ'¶tH#[öOR’ôdË/-ꪆ][òfAAÆŸuM>lŠš`h6˜!˜¬ .

5˜ -(€µÎÚη™B-çKk|€A•)‫ænãPiŠS<Ÿªve "uš¹:öU¢,ûè½’„™R‰ö½DØf4°.&¡†ZÀú+úI§FjüÑïž½¥,šðëºR@5Pa¿ã=Û†¼b2e;VÃW嶄škÒuJÌÁª5mŠËšâ§)S¼¸¥7Åó-ÇLq°åë²Í–.$욶;¶­¸'Éú«U¯WÕmGiSÏ Ž*rˆ&ezÚ¦‡°SzCz4*ê¶×ï„…Üúƒ)ªŽ‡ªcƒM®»Ææq„[2¹CËû÷z6ø³dšŽbUdn_*Ôa®n걞‘¹o¾Ù@K¸;†ÙXy'Ð_o~%à·âñZJ…—OÅŸ1¨×Ž"X>Un9B[e¾éÔÛTò¦Lzt±œÞfÕدMË`…“ÝiƒŽìÿ˜/dý¾¥?(槌W§.|ù1sØ
§ýVîZ¿²-NÍi충‚³Lžpü}¬éÛæ±ìmÛ¤+·˜ƒ9¶¼¸?K+T d&—™óX#Ü
Ò
+	ÅCÀeÁЉá„M5×÷¿Øb÷ìâýz°0w¶ål=;z„±¥©¼qûØd§©·ÛÜ—9/ÏFÞt¼åÏAXÏ©Y×J$!Tþc±b¤¿©D
Ÿ“SC¸øóPÞg•-ÿ´4s _®
+ûrâzvj³Z2`MHGñp¯¹%8ܵeC†žó>߈±ÃjÛ¸IÇÌãä8C‘jÌ)ûWkøò¸hhÎßDúí£|V›lŸ­è]ðHŒ¹§¯Ï'óIR²öÁç8·¸	ß%ïί()k0Š,²ÒwòYîþʽ*%;ö´cH¢HF.ïc-äã$-¥³°²ÎKˆ…w#®>Ô#=È،۲´iU>¬mðÌÓ^G)¡#óDAÓǺàu–õ:7S1þâ–>ÆŸo9ã[Þl³=Ê!M\Nõ3h,ºÞ_CÀ\uíX¯/0B+éÌ=¯[ÈHÂFˆsM%PÅÒ0¾­%qÏ‚´bŸ,Ò”cL`´Š2-”]³$,î«¥ëFPðœQss·/ÁDÇñþAYª²×[)ÍB€ß6^*|8Ô–7}–Sö©Š¸„mÑet“qÆ-+¾g€bã³¢û³ø~°G87ø¢j7ëhÞßE¾¿x/xÿlå2‡ÅØý÷=ë­›ªjü¼52(<ØS¼ÉÜóU{X­À#—÷Å‘©eßÜ5bzñxöVê6´<>þç©žžHÁ@Æ.Y(LjýÌØt¼EŸÂÈÿ
+Ä"JsÜÇö1Ñ>­ôõÚ„qO›ðk“µ4XTÍ`Ò‡º¢BŸ—S}#9Ë”6ËLâ!ÜJ¦¶;,«²ÝXëH8ÿëbSÆBÍ8,smsx›óÇÂè8:ù¯þµ˜l©Ê]Äxó_Š¿GaJüéq/þ¾±€|~r†…’é×6 ‹“Yë:¥ÞS¸™3—°ƒ‚âÙùfÃU}eLù•I‚‹UËÿ]~=ÓâsH^z®ï ŒöÒä%ž±ðLè„gØ-ÙCǨVx&¤óW¥c„„¦ƒh°c3¾Ð`{QüòùÁÝPÒâ—°jGÌ–N‡»Y>7º¶cE|YQ¾°þûш.‚™»7ÿ÷9ÿŸ+L„NS5®V•DÇŽ)<¸Ôê<÷áÿ‡:çý?ìø{Øendstream
 endobj
-2130 0 obj <<
+2113 0 obj <<
 /Type /Page
-/Contents 2131 0 R
-/Resources 2129 0 R
+/Contents 2114 0 R
+/Resources 2112 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2128 0 R
+/Parent 2077 0 R
 >> endobj
-2132 0 obj <<
-/D [2130 0 R /XYZ 56.6929 794.5015 null]
+2115 0 obj <<
+/D [2113 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2133 0 obj <<
-/D [2130 0 R /XYZ 56.6929 565.1932 null]
+2112 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F55 1070 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-2134 0 obj <<
-/D [2130 0 R /XYZ 56.6929 492.4514 null]
+2118 0 obj <<
+/Length 3164      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã¶ñÝ¿Bo‘'‚$¦ONϹ^/ñ]cg’6É-Ñ2{éš”}ίï.I‘âM?æfNàb]ì.öÿÄ"ÓŒ+›,R›0Í…^¬÷g|±…¹·gÂã¬ÒªõííÙ7ß©ta™5Ò,nï{{eŒg™XÜn~]^~üxuýæÝ/ç+©ùò[v¾Òœ/¸¼þéò{‚}<·ryùöêæ|%²T¤€”!šáË7×77W^ݼ{{ý×Wç¿ßþõìê62Ög^p…\ýëì×ßùbgøëgÊfzñœ	kåb–hÅt¢T€ìÎnÎþ7ìͺ¥S€ifD¶XiÉ2¥³)¤„ÙLÀ.“"KH3ÌFiJÕ“¦°‹LÕ"¢¡8ß݃”¬]¶H$ù©xýª!ØӹȖÅs½ÎÛ²®hz“·Í–
Ašâ\,[çÕÆOzt·-󦽘è!õiv{:ìÃÝ®lŠ_˜ÕÜn?á*PìBf•Ñ  Á¬ÖÒ×G+¡ô`ÜÎ8p;Ãï¡	SmM¿M¹­Ž¶ù£®
+vlP‚ƒÌM’.Œµ,Í2ûß+·¿ÃŒr#ZP®‚ËP”Ȧ€£ºÏÚƒïÊŠ s„*'{T9,@­»~å¦Øƒ	4¿2'AÒŽMÑz(Ê!euDÔ[D"Ó“$z‡í7½þp{Z—ÑJHÈ䤮‹¾l‰ÿÍ®h¼ÚQLø›WÞjXíiì‹6‡³ç#gœq
®
+î³BN»?³ê!‘JÅ„÷Hxâ•“Æ7ßiÝ×½dàg$ì(m»Y¡Ð,‘ZÍ2‘Æ\
Mr–pclÝ<ëò7Î¥³£½BM²¼½ýÞCjÜôMJBȽ3.UÅAÀK¿¿ú;I9ëš”ÓB¹¬ŸZÚ@ƒe…Í=Yí´ëwwëý€/í
í
+îK7CÃ"¢uS¶õÓë¹b‰D+ºQJ,«º¥AŽ¾JiáiÀÔ¦¸Ï;çZñnv_Våþ°§žóÝÁ#ô8W½]ñhî²ÂøæÃ%
†RrF	Zõg¢¸yû@,¨eýHî\)¹0¸ ´Ø	&^œÇÅ)¼—òòh!¶‚^×^b¹‡¯ëý#F׺:-Í™L²/¤Cš‘‡Grâ8ŒÄ‘°$Iæéœ1½0,•!½Ÿ)‰TÚ,¯!ÿÿSø.×¹K`Ê{ ùëÐ9"@ÌiÊ_•ç²>4»W‚!žs€FYÙÊH»üù\C¬h©%w#r‡èŒ2EÛÒ2Ê;8Óò8ÇÂkLS>„e|†œš¤Ç‘ž»bžÔ„WðÌBîåÈbVÓo؆žŒ6à¿@Î÷Þy¡)#ø1Ê!*ž‰ˆ2ÆA»’˜‘Ž3E…¾M*—$óÔ‡…MÕ4ÅÚi;¨áȨRÈO“4šÙT„…¸¢ÍÄöŠ3µ£ÇbpPqÒ&¡”2xˆy›ìaÍØdÀr6ùÇI›œ#ÙÙäˆä¤MöI¾‹)(¥ÅïoÞã Ms•o})às|ª»a²Kû7è×±H©<î‹Ë‚qäB £}ùÆZW]¬s(íšHsE䶔'Îû»¨pe`.ßí¦Tôj²˜ƒbþj5Õ23Ë?ò¹½é%̆.fîÂöMfÂogê¸GÝí5¶;iÈYXoR—Ϭ º¯?¡ÅÓÒªž²uÁ9KÓD
=3±#KSÆŽÕ,K”‘Ã{û°z¥3–)þ«ïc¶úˆå¬^ME/@ÆJŒ5ù®·+,KT’³ŒE¬	Ά
¨K%×CÖÞUñDYhš-]þ¿!÷I»D ÞSÈ|:¶åságŠÏ´¢¨ÖõÆ™9@ñ\˜wÚdyIÓ›¼ñ» ýyÁ4•*8js$™£ãH)
öãÔê6]‡3¸èùr]ûtHƒ’8?*…ËjƒÝ¾"øöPŽT¡w†|‚Bˆ¡Àëúm]â´%ùÆ\ æ^Ä1ã:™ 8¬VêVÙڱʀå¬ò/SV‰
ÿQ–­ã½®š‘i‚
Y	v–»ˆ5ÁÞÀ4ÁX—tÀßÏ'…˜WÓ2¼ˆzªÚÇÞ%”ŸáPtÙ1mó}ª¾’ášžÒŒÌR«0óšécÖLÄrš¹EIƒjIçI¤	’C×+Ï줶UCa»Æ5Áƒ°J€RSdØ0ùáã-F¦?ÝÒD³8WûU¹ë7·rѽR`½&ŹŽMªNÁ¡ét&{¶1Þ€÷¡K^VPebÿÉÙÁ®Ø	5#”ZB±«Û/œha¶—¤!ô¥\;içã°æe»˜h
+™ë&DÐÕååT¬ÚPÖ
\#sxªšÀGAƒ¡ôyOúûøX»Ò^#1a’€Y`Þ’š·ˆ
+7ìþà—9_G-äDcH;jšóË QLšT¦$€=¤Ôχc/­†ÒüuÞ=Œ:|ÇM„=äÞ‡$Ií»Óž@h&¡Fù‚'èaÍx‚€ò"lªïŠqe·X@5K;bM&PBX¸CêÑ3z|{®ÂÎÂ8¢uËq`¤ÆÍIé	8º"™—^ë´ô"òï7†‘S'é<Í€4AsèH
äç™uo@ΉÆCJøqÔ<ԇ݆ÆNDðësãSncÂ[	‰<|8÷þ‚ ª>Þ½k¥ã&ƒW™†d¸pÃm=»Ô´&¾ðNCÝ%Òtx¡‹Ï9”CŽ]üˆ´]•¡¦<. ¸„*¼üàÀÓÅ©Çâ3Œ't0éÞ·×à÷õ¡ò¤ó0è?&ànñCù&;«Â_>‡ qô.„oÚâ)fäçÝ8Tgƒh­%Kµ‰í­;6o™b&‹è^¨.¯ˆ™SYõþ²¾wuý©é’”©¤I±$±OÞ`:Qù§©M"i<šë%rû¼IÝp{â†ãR÷´i}…Hrµ@‰«£öú››™ìsr”ວ[çb3<†8t2´¾ßvcżÚN)óÌt ‡ô.&™.èxôIÿó„uú–¤à*²M|QØ]öL!óB©cÖµÊàvCŠ<æýßž¢¸endstream
+endobj
+2117 0 obj <<
+/Type /Page
+/Contents 2118 0 R
+/Resources 2116 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2121 0 R
 >> endobj
-2135 0 obj <<
-/D [2130 0 R /XYZ 56.6929 419.7097 null]
+2119 0 obj <<
+/D [2117 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-706 0 obj <<
-/D [2130 0 R /XYZ 56.6929 374.0117 null]
+2120 0 obj <<
+/D [2117 0 R /XYZ 85.0394 119.0275 null]
 >> endobj
-2136 0 obj <<
-/D [2130 0 R /XYZ 56.6929 338.0338 null]
+2116 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-2137 0 obj <<
-/D [2130 0 R /XYZ 56.6929 299.5046 null]
+2124 0 obj <<
+/Length 1526      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XÛr›H}×Wð²UR%Læó¨Èrâ$–½¶RµU‰0B	´\”(_¿
3ƒg·\eÁÐôåt÷™ˆ…áX.G\PayÂA.&®nØZÁ³w¢dl-d·¥ÞÎo®™g	$8åÖ|ÙÒå#ìûÄš/¾ß"F gãÛé•=y?|œÜÍ®G6ñ8s†ãûûéìê毑M]â Œñðv<û<þ$×îG‚Ç念§ù‡ÁtÞ8Övž`VyõÏà˶ÇFLø®õn0"BPk;p\†\‡1½²<þl¶žÖ¯Á QÆ©
‡˜Ðp⌲?F6‡èIžG¡Ç«ägšDrÑ^©ßTþF?‚ín¡0ݪ·žÑÉÚWÂœ
+ðÍ&	×¥µ¡-Iô
+cöŠxÔñL¢]µ¨r*Zt‰rß\C(Ç(+qßsk‘›D¦¬XGÕÏé~D†êNÙy­µáâ; °ö©ЩaσROɇوøÃ((¢¼ã„1Ý(üp$ZÁYzf	u‘KS¯Aµ2B†óuœwÌÕ×ù:-7ùsí‚e3î!Lé¦@z¿ŒäoF©!VpòGÖJ­º€P·QRôåNã$®‹°à¾ò8	¶ÑbL–†è8E”sW‰ÊXtœ1­ÑÉ·¼ImuCUØÉ'û8-óÍA>RX××:B:ük¹¶ˆ–A¹)”‚ ƒŠ(Ëkèð@ÕÖ.‹÷Šû´aiQ.y^nûÅ-SP¤Âç¨iSHa™©ô(б¼‹4;Œ”2ÀßkEáÎÔÒºìLÝnpù"™¼Dmþ> > V³ZÇË< AÖtñöfv%Íem±“8/²’#—Úý%—nƒ¤6¦.ç~Õ\©7Ùwð‰¦‡ë‰Ôè`Æú‚¨ã’†4¸ÙT¸È^¾ñçùû»‡_ãv“@K$‘ªÌÇCì i’&yšq¹=šus¸N—C‘çóªÝöeuR󄮣ð›&‹:·.ò¸ëÕÂ39㚨Tù¦¥G²$¥ž¼ª«K“ŠqV%$-NŸ’"ø¡„+…q²RMš¦›—ã!Iw90VoŽ`ÜåÌbØG.H
û>©[%Ü< æZ*ÎÏ”¡ªM¿Øë'}µo®þn®
+®Ûžb(нÞÒâLqÓ)+¹â´)H¥uo¢Êmc×Xûùd.YÎï`ÞEùjú8y¸¹ŸßÜÍû|¯p
eÖ+'ʓ¤¦6úJ²¿ÇËÂx­¼T]¤E_.ÚI‡¹M—íõeµhî^íe‰»„Ó±Uá/ìÐËÕ–ª+Šš*ª‘ªìÚë¾Iï&µÁdgò"{~Ïä}'}¸Ë> endobj
-2138 0 obj <<
-/D [2130 0 R /XYZ 56.6929 223.841 null]
+2125 0 obj <<
+/D [2123 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2139 0 obj <<
-/D [2130 0 R /XYZ 56.6929 130.1538 null]
+2126 0 obj <<
+/D [2123 0 R /XYZ 56.6929 562.7154 null]
+>> endobj
+2127 0 obj <<
+/D [2123 0 R /XYZ 56.6929 499.03 null]
+>> endobj
+698 0 obj <<
+/D [2123 0 R /XYZ 56.6929 459.6249 null]
+>> endobj
+2128 0 obj <<
+/D [2123 0 R /XYZ 56.6929 426.4105 null]
 >> endobj
 2129 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R /F41 969 0 R /F53 1062 0 R >>
+/D [2123 0 R /XYZ 56.6929 390.6449 null]
+>> endobj
+2130 0 obj <<
+/D [2123 0 R /XYZ 56.6929 324.0377 null]
+>> endobj
+2131 0 obj <<
+/D [2123 0 R /XYZ 56.6929 263.3171 null]
+>> endobj
+2132 0 obj <<
+/D [2123 0 R /XYZ 56.6929 199.6317 null]
+>> endobj
+2122 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2142 0 obj <<
-/Length 3025      
+2135 0 obj <<
+/Length 1951      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZÝoÛF÷_!àŽ¢Í~/	p7pÑ8¾ÆÁhû@K”ÅEª"'ýëof?(’¢¤š¾\DËåpvv>~3³k6£ð?›ÅŠP‘È™I$Q”©Ùr{EgOðîÍó4‹@´èS½z¸zù½0³„$šëÙúÇ+&4ŽÙìaõKt}s÷úöçù‚+½"ó…¢4z{}÷áúG7w?Oxtýææ=<ŠDh bé4î®ßÞ¼žÿöðÃÕÍC'O_fF
-óûÕ/¿ÑÙ
-DÿኑÄjö”°$á³í•T‚()D˜)®Þ_ý«cØ{k?Ò1Q17Jàl'JñTB´àÂjáÝýÃí»»÷G;¡„*P”áœ0¥“ií{¢EŸ*,<¡ý@…ë.äxÉD!b~~É@4±¤è-	v,QÃ%?Ô™³ëíý'éFUY|q£ìSVºQ¾v¿ÍÆ“oªºq£mºÜ䥟Îk÷»Lwécá'«u·„&¸Ã—ß˾.¸R$‰
îç …‘ðL)UìIÒr5Á‡%D(#}™Í~ÎâÈK¹m›6-º­^mÊÈ)/Ð	#±Qç GtÚÑAê)8·^çGëM9@½¾ýõ_oùd͈JÄûˆÎØßY©—Nj¥úRSÂ@˜“zY•ëüi±ÎA¿#Ùp¢\Š³ÂuDÇÒ
T¥5¡T™xè.N¾>)§D›ØLË7b«gcÀ^oð‘(çW üøWJùS»O›¼*Ý[œ)27Î˺ÉÒ•£FÏ|¾ÊÖi[4/¦¼Œi"U¤|™5Ë—eºÍVÖ³…ÐœÄ1¤•E—üf&vÁI0™9^þb-£LÕ|!…Š²²nƒwás³IÉÈÍUºÊ˧ðÒSí'Ãîñc hò²Íjÿ¡_í¹ÚtéºÉö#®u¶ÿ&7 q»Ý°¿[—þ—›´|ÊP¹"‰ò¦väneŇUî6°lªý?Õfn€âôS÷³«ê:Þ04Š $¡T{EsÏøXåÊfT‚jçÝõ¿Î`pìD0éÔøbÂ}<†Èhvlú3~.eÀ¬zSµÅÊAÇ£”ÔcgúXWEÛøÙ]ÚlÐíNâŠJb”>,}ªÓÈÒQYhYMA¤‚DG^eíÓ¢Ü/Ž¡…Cà^’¯£šp.†h
¹h áûsJâ-‰ƒUšm«òïµBñÜÐɸP‚·Û”IÕ!›Þ×Ø”Š%ä!˜¥2Ñküäɺ½•hŸ.1êpÁµ€jëY
RƒÚ
-#BzÌ.&%C»™dì‡Û¢ª~‚˜~¬BúNëQ‚º‚¡×•ÍÏåÒ±Hë¬>í‚PasË.Ø£:ã‚ʺàú¨ºáÚ@7g—DKêC8z¸äOm9ÒL€C§Ñ˵Wñ“³q[ú þ•*šˆÚ…` ÜÊÍ–•/‚œŸæd@ÇNë*ï„ë5cŸêŒ^•ÕëÓDÕ'úÂ’hbÉQÝ3Zòé5
O°þ\x-ª…êê£òêÝe†ºYeûýTÐ)ÈNI‚·i€¤óFêS6RGe´Â_	8(¬‹ôÈ’2µfRŸ¬£šl€‹ãD%CÑ r¡Q»ÇL)Ed3¦”Ñ|Úæx˜këô)sÃÕ‘
-òªHŸj<&÷!×[RÿÎ=„j{¢~„¢Paä:-¸µ&Š®
-4@GG5•É5a²cc!û›øk¹@ARíWÝé"ŸÀád!)û\À„?=Ô#lØôÝ éÙ.›Ï_S®"ˆ=l²=`‹Î8õ®
-ÙT£¾}ÿÝØ7y,•
-CljüšÓ«ÿ©³EÇqÑgyìÇ<†îDH~XwööæíXD*T:þ†"v/ˆ( ¶•2#_ß¼úðægø/ä!.g×Ë}þ˜­:hr¥@á‚[ý#¯—/!PÉæŸ_QÙœ‚ϹͿ€Ú
f;@<ØbC‡¹u'>8½ñƒ²Ý>Úô/Ýnåw3;/YÙ¸	—øa°<Â~S8%z;p%ŽövífrÏ4÷«µ¥?}’Ò× †˜öwѹn½s+ÜÅ_–øR²_8Ý
-vwlz"ã»<”1¡)<ìvu2E¢¡AφcŸêt8vT6wÃqWí›ãh¤$†Já¬\hB®aýi“ë‘`?æuŽ±´ƒßÛlŸgu8”ôí³—oœkù!T—ÓàízTËkÜTÙã¥áY§]ÌŽ ï8iS€âD~Á¦=ª36
TÖ¦õDKebPÅÙ%ÑÄ’£–Êh¦‡Kþ{nd´ÏÉF(qìËD«Æ&mÀ¬ù²>S»c›®%?”îU;e8C‘£C7|!ûœ7G
-g>ƒ:XðåZšKé^Äö
-ìDÂä0xZ¡ÏÜ]¹ï(ðòÃðŨvÒüêp:P{ïZŠ1Ї$8Öj&w=Õ(
ŠtgÃJðâßÍšA9¿Ð<º9R
0\Å3n q&܆èì÷¬ “D8ªÞØîö ;ñòvËg¯+ØÓ¬¿­ÀyÑgm÷¥yßÜЪ%1	b˜d¾•|ظP2Ý©ŽÝœŽ¶iî/$ŒGdxWzgîÂøJÕD¯nï^»o7±Êæ‚FŸæ\á+ä¿Œo:
ðF‚/î#Ñ*þm5gÊ·f¢L|8/ÅÛóÂoê~ÖmÓî37Þgž¸ ×#‡•˜€¸Šw	öç½LÄ0ŸàáîáŠôÏÅÀÂ7MQ‰ òÜ­-3lÔ.ÜztTÅÞ_.·éçE]-?W‹ 8èžõ>NPjB¾áÑ$å±d(àuQTÏeèÅzÒ3ç}2–a'¡³jCûÕî†9Hm
-4.º>s¨…q¹Ï	׺;ª¬©O"$§s¦þ&ÉDB¤áòpÞî“S©)1x«y"´‚1Õ±ÏM	ýšá¡cº¶àø“ý÷ÎÂåm7æÑ›“ ‰°´ò I¿¤t@ÙŸMq4û¬Ï€&Ó‚é“°Í$>€&Œ»{[<ƒß¶,³eV×)6'í`vÈgqüy{ì0/µÀ
-OÛô?H¨•7ö3ÀÈ´F4µx¶TâaB÷b1±}XÔçöV‰÷np pRã°Ù¥#|ÌÜ›MjÃh»n7ó˜-SDHæoD¿~snSEëßw _Ùå>/¦D^fÈ@2ÏZBóUäÛ¼	Wsðw%™t½ÊœÆŠ/îzÞÖ_ ºÝ:‚ëû[âfoç,jÜUâ×ÙgÞ0~Å:küR˜'™ç
êIRí…€ÁÊñp•*NîÃæPðùñª¯vc§‰
ÌÞÛýÑÞ¤å^/½Sìšjï¿ö‡Sc:£@ŒaöíOÑ~l 9cçûªÜÚÆ)­ÀË¥ÍÂÏ¥›¶4L×ín‡N)iä?èÖhK\Ñ7tVˆõ”Œ€“(ÆGüðÒ;5”½Ñ]ÕX3@ÅPÔxÕÊâp‘sÞèðr‰9àÆÏùÖ-ë&ú2à³³5ÌWÞ›ÝßX>î§È›¦È¦lmÍš¡œÏÈÕvVöª1¨‚UÁA!Àé27‚Çâ¥d@#Æ'µ.AmëŽIëÌá‹‹ÝÚËáî®`\Ç}òW_œhc3rë_¶šêà
-+­¦%WãZïÈúNµ—Ê,—UØ7HTE™%IBµ>&*ÚeÁ?ý§t‡¿”†€h'º@¨ø Ižy#/4
j¬âîî{1?
N~˜ŸüôÛËóùôÝâÇÑ|ÑXÖ¶ž`¦Íú}ô槰ˆG±XŠñ-<`D☎×#.œ1ß“®F?7
+[oÍÐ!4¸HPŽÁa‚c†€AqŒ8	Iƒ%C˜y)Yðg¡1CŒI:n+;šÒ
LÉZS‚w‰Ewʵ]•ÛµõHbjUÕ¶•—Ij[åʉä¹m¬“ªV[Ûþ³,Te›«rW¸!Y¡Wóäo¯›ø„´™¾HÖ*E˲XYÙŽÁ"FQ$b'ŠŽ‚À!áQÎãÜÑ’ºÇ^ʸãÑ;
+#ÎïŸÒ
LÙqGˆB!¢î”¯oTq€>+Þw£q~‹1Í•}ÞN‰œ(ï¢úÆu(wÛ"q~Êœã2çRõGVÕÕ`†ìህ÷ƒÙ–ºÌFJ¯ÌÚ­ýÝŸšPñKâûçn¤&oÃJhaÎhwö…Á†E&àtKÚˆ†t@j#ßï¶I•…}ÛÀ
uiû®ý€µüá;
“³•í-ÊÚŠUµÌôx•~=ÜùDRµJvy]9Ê}Â8’Þ¤6øŸ¨zùÄn-<XH‘”@Xl¨XjÄîØH”¡˜`ÞÞHÆeÍа›D’D 8F3n$/ç‹W—ç6n~™²“ÙóWÀ×~üa<hˆ$
Ãö>w˜$)Š(а5Ér
aëh$)šhuq[ÕI½«ºdDº!®¶FO¹ub·ÊêµO©ªÕ²V©ŸÀ5°S	a°½Í*5ŒŽ7×Á#ŒÕWó¹<{~õr`C ¼ÅKøG¾³C[HÙÝݼ6úXÜm®‰žx?>=;?µJbgFºÎ
+ØÝ¿¥cæKµr K‡Ã‹¤Ø9›KB‰ÀÖðÞ0að bٓ٫Å//F଀#£PΣW{8AÖÎW'eQ•Û:Û­Ó†ç!uz8Ü@„Ó£/
+piÀø?³9°ÞpœS»)ÎçÛÆ0!ýÕŠºî)×›,WfÓý–Òè@É®¯EÌŸ’9îݾ(7UVõY4„{
£Ñ˜Ê	6|4X=:~îe÷¶
+C°|ˆÝ©ô¦A¾y¤ï|ë¦i}hZ¿7­OMki!ú‚ÀŒcâïË<©ª¡«EŒùëB£q5 ‘	$áðu¢ú”ÔC$Ük4>{<†Ë9‰gúbÙæò7A6„…¡rźLÕ¾oìþø Ý÷êc}}ëoÓwdß‹G¶¯xd}åÃ~ÏWœžN⨯³Ð°£`êÂ^Õ«zŸ«Ïû«GöNý ¾4ÛÂ	[n÷J!e
+© }¥·‡ÒÓ¦õz@}(P¼õhfóÞÕGäŠîvwm;é™qÉ&ûzn©¸‡ž½T‹žÛÇXŸ ¿‚–…Nå¤ø:Z>yäðügh>`2‚›Eõ¼þ…ª³G^ü¿Ùÿ»L,¤ÎÒÉ0±üŸ8ï$NóÔuM?¿ îBqؽôžÎ¯N.Ï.g/Ï¿(ùô)A?ùj¤QsŸÔ’&
a¾†Â'Õ¾¨“?l§Ëù$ƒüåýÖÝë™KC™­Îð&`.ÐuJ&gµíÜØJÛÑD¶ ];ø$©ÖɘD„RÞ®
¬.€Ä8*îqTZšä“[[d‚Ö¡È$í2¤]˜Î	,n²Ê¾['ÕI$‚  D¶MzzH¤ýi°«Ôj—ÛyW&1‚F+]‚™ªÐoQuk¸VZÞe÷z+Þöp¦pÞrN¢î¾ÝmÙÖZû2¥©ëªl®D¤kj)Ú4â­d¸vpbS_I=>cW+oWoÁ…i²u–'fõ¤©ÑÞ~•”ÇŸ2,SÏ:—•rr½«í|¦¤S%ùm²w6¤»õÆ5mhÂ{½ÉUkUÔ^ tãùµô°3˜˜Ã¦íDž+‚Ù2™O“u…Øô%ö±U0³ýöXÕÁE“Y
+uVIžï§„½,Fb³£d³É3FU½Í–¦>­_¨ì‹\}Rye»¯÷öוã´>ª½aJ%ú…ABÒèøÒB{eå®ÞhT]•éÒ¸néú þ…èNm+©Üoá~—µ®Á˜¶EY·hˆÝ™~ôõ~ $(°=0…x€†Ô™j:ÀÔU™µêµ)å{ûÔut4U1
³¡áöWˆ(—½sÑálÊ×gó©`ç¿'$þ»‚J|×µÛkIåë|Úsݾú¦¬ü–l›è¾24Õï”Âa…¡Ä—¼9Ž
+ÁMyÝõ%ŠéckðV›ó훿R>ÈÁ†II‡KàëRyL¼QzM„‰¾éŽ!!'9¶ý/Ä8Üqendstream
 endobj
-2141 0 obj <<
+2134 0 obj <<
 /Type /Page
-/Contents 2142 0 R
-/Resources 2140 0 R
+/Contents 2135 0 R
+/Resources 2133 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2128 0 R
+/Parent 2121 0 R
 >> endobj
-2143 0 obj <<
-/D [2141 0 R /XYZ 85.0394 794.5015 null]
+2136 0 obj <<
+/D [2134 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2144 0 obj <<
-/D [2141 0 R /XYZ 85.0394 752.2237 null]
+2137 0 obj <<
+/D [2134 0 R /XYZ 85.0394 618.8894 null]
+>> endobj
+2138 0 obj <<
+/D [2134 0 R /XYZ 85.0394 552.6593 null]
+>> endobj
+2139 0 obj <<
+/D [2134 0 R /XYZ 85.0394 486.4293 null]
+>> endobj
+702 0 obj <<
+/D [2134 0 R /XYZ 85.0394 445.2559 null]
 >> endobj
 2140 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R /F53 1062 0 R /F62 1095 0 R /F63 1098 0 R >>
-/XObject << /Im2 1084 0 R /Im3 1219 0 R >>
+/D [2134 0 R /XYZ 85.0394 411.2651 null]
+>> endobj
+2141 0 obj <<
+/D [2134 0 R /XYZ 85.0394 374.723 null]
+>> endobj
+2142 0 obj <<
+/D [2134 0 R /XYZ 85.0394 305.5711 null]
+>> endobj
+2143 0 obj <<
+/D [2134 0 R /XYZ 85.0394 163.3139 null]
+>> endobj
+2133 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+2146 0 obj <<
+/Length 2696      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZ[wÛ6~÷¯Ð£|N„âNàÑMnºkÇÝx·9Ûö–(‹­$:"7ûëwp£@¤ä4=ÛœS“àÌ|3øfD2ÁðL„DRS=É4G1™o.ðäž}A¼Ì,Íb©oï/¾yò‰FZR9¹_Fs)„•"“ûÅÏÓoÁè¦ÀÓÛ«›ëïf¯ÿvýúïÿyw{}9#¡dzuww}ûÝÛ—3*0ȃ0ÆÓ›«Û]ýÃÝ]j:½úþúýå¯÷?\\ß·šÅÚÌŒZ/~þO°‰.0bZ‰É3Ü`D´¦“Í	ÎXY_¼¿ø±0zj_MZ6D™¤	sP2!i!hÇB#É(³öxwwÿöÝm'e„ÈIF1ÒË•Ð,–
+'ü¤Ìº³Åñ’R"¬³K¡Ä’,Z2#gêhÉëmþ°.œÅÃþñ±Ü>¢¡K¥‘b8ßy,5¼óVÊî|5´óÑ%Û÷—Lí¼³äÝ®Ü6nãÍÊ[`_çþ²Þo6ùɷwQüQ6ÃÖ
+qÕ	ëDR#Ö	RÖ:­3¶äÁ:½%“Ö‰—üq_Þ:›jám2;Á]ÍÛGÕvýù’2¶Í$XŸ°N$5b e­ó©g	BŸX2%–ìX#ÁðÑ’)ì|*vuYm½9–‡§ ÜÑ6 
"n"ÛÙ¶ù¦XÌæ«bþû«mx!VBqHuŒxù§Ý%QÓêq—o^O¡¥É„ãö„†Í„¬õëYŸ!F3=º^é¯o[*¦gõ~ZÞÆë*_@²:rƒµ ½úcR›µX‘/Ž„«ö»m¾v7¥÷Y7³nêas€˜&§ìI4HY‹Î„è@Î38Åæë¼®#)Bù¸bA(¡ë,ÐÀ:š½*æåòó‘2=Ø·Þ²Àž¾õ϶•·omf3N*¯¼Ç(åooÍÿ½'ü´0ÿBdØŒ#
+Û:áŠHjÄAʺ¢L¸B#BEæ=a“ã‘ZpÊdTéqµ‚PB­ØÀ^2Ú:jÝ»eµƒàgœMŸªº™™Xp·ÿŒó)¤¨âqW6ŸÝ›_jÃÜ”žÞUu]ÚƒßHšMÔN*w‘’HZ4“HkÍýÆ—–ûõÚz«Ÿ±(\f:àõ,ð¢Xæûu—äUbzÎB¬wgŸ-!ÈV‘@ädòbjÚ§îoIŸŸ~]Íó!í³¡¶¤ºH+kk§;¥®F‚É¿e²vâlЈ‰,žyÒ“")²à°Q‘í¥Ù2@UpGwnL±v¤ÁQNÇB	ź¥l†(@ª«Yº”õÚײqgÁ§ÓC)u˜!Ô­ÃÅ”;· ãÛ¦ø£Ã-I×R‡P ½PƒÅa¾ËŸ‡ÖÈЗ)¨P
%Çào*±Ô0TZ)•7©®AŒ·Á8„†4j\µV*¡[-@ƒåZ´0Åý­X‹3hÐbÆüC[ƒ<í7:Qf<êz€À\q-ÞNZ;áaG@Œu€FL=„ »TA3àHc¨t{õóùP²aòŽìDP¨£Ù¡ ¦‡ÂÜGh8zUH}m—ižïë"‰÷bi̺„4í¥÷ÛuzX¡ý·ØožêÁ0¯¶M±iR®‘`òDN¥F%HÙ@ù=(J6Ò”8s­Nè„zušRâ™>Ò+4¥½€if@c]°3`b¢
óN´‘¶óÓu¾8R™Š7`VÐ|Æ!ÕüÙ59]{R¤R6„50Šn@T›§r]„„ñ=Ô¥í5`ZÅÙâ9ßm‡)…Ô²Ÿ,^¬÷Ù|ê £@r¤ˆP>n«Ý '‡);y–a	8>E{b©‘
R6D7©åHJ®ÇBT¿*7ªWJèÕ=Ç0#Í»ŠÎ1LLIcÈ·¹¡®o‡SÕ)Ö«jojsýP¸¬s?h»8F°ðOÍo)öÁªð«µ¬ßÞŠbÓ¬˜qÙ	L˜À¦«ç»éî	4­Dž§€).8{I÷bæåídóSÈ&’½”lÙ±Ô0²[)‹ì›²”bmY•D¶D,ƒzsT¯ ”Ðëø§)&ï*öÚÀÑý„a±g~Êp\Gš&šÉìÐyð¿~¸Žtûêkó5r¯Ç¿˜°3115S/Â#Á£D„eâL<‚÷(f|FñaÆÇq–`|_™¨(?õS],5‚Ì e‘¹ýS´hT¯–õõJÑ¢Ž^‡B“1›r/ÉÔf]so;dŒ%:dŒ¶Y×<øfH›um³¤ò‚…ošØ_°õY·×k9κ‹¸ze!ëvÞLõ^”H¶•q1tgHsñ8Å×âBúy]èÿ2”eˆfòÄ×‘ÐÈ'm^ÈFeuºªwõêz3‰õ¨f­P_µÎ™©8źýt™ñé®lLJg$tÜ>”îÌ2»ïÔ|D‘µ]¿xGëò)Ú6pÍoï‚š!úSˆ¡ùé)Á°é@Ê:5$pÒ³Tœ€Úv@c[Ûf³ÏÁ®	o†ê@˜·g&Œ€uüFîmÝm¤KOÕ(”mRkÑ-}6fŠ¦
+Ó¥cFMU˜|q°£¡ïN!‚ÍÇ¢	ôàöCÐ?ýMêáó[p9Sjà„ ™@ð²JÅ	“ý˜ô_¯öuÿµØendstream
+endobj
+2145 0 obj <<
+/Type /Page
+/Contents 2146 0 R
+/Resources 2144 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2121 0 R
+>> endobj
 2147 0 obj <<
-/Length 2389      
-/Filter /FlateDecode
->>
-stream
-xÚÅYÝsÛ6÷_Á·R3‚/âcúä\œœ;‰›Kœ»›iû@KÅF"]‘´ãÿ¾,H“¥´çtnܦÎÒ¥ó.[†+ƒn¾ÙT~ׇ0­¼züp¯߉·-Tà‰ï‹»uq1„Â0éêE~‡'œk/xØþ%€cÅ3`û·¼Ø„©à5ÉÐQŸçûœZY@ËùÈ=/2éc4À	‡`Çá.O"b—Ó§±§úÃAŸÆf"^/8án_{–iJ†;ÈÕMÈ5„)«‰ÔvO®®i‹àûür¢ûžŒ{¬¹"†Y½‡€À@înãD?èßí¢¹Å-«;‡PT‡8ÀÓº]¬q
-#‚HäšK#ðÅjñÙÁ@‰šuÞà²M^ZFî%°K•pò‘D¼«vM}3Áˆ€Ûÿ&(FD„ÉØ_p…~É1”>¸‚œ†ÁŒÂ$Å4èj
-)ÉïBôOú®è]=ŸN*É+€²nØ>züè
9Ÿ=	
-e¯õ'·¥Jß’1š¶_¾qudÔ`¯BuF]æ[0‚Ãè+2’eZ?™~¬C:åŸgœ¦ÁÔ³´t›ïf`F‘¢g~SlN ¿uÀ›¢Þú®aÖ/wÕ¶ Šc#ÄS4[öX>˜ƒ¨
ç€tçËÂÝ5ØG	•MŸdð£Õ$1¦!d‡I7E¹<…HtòááÀ9ÇÏX¶%Š~5›KÌHZ.±Q»¦[UÍcöj|°ÉÔØQÅ$<´v®®Úm)4xú¶ÿ‡
áÅá'ýT®¼ºýÚ2oÜ欀¦]$ Z2"¿xëò2rÅØ­ÉÌFOPs:³卵2äY•›Ç˜Ëh%©ŸîÁ[i…Šû쯓ÛôaíÊ	«`‘Ìʯ[­0ÜrϲË|Ï`r£{Œ“œpx*!ÌmrÒ³ H0–~|‚ðt²ó»xr8GÁ?G†X@æ7bMu
-O¥–QÁ°ï‹ª­‘xo¿8ºôæ”!Õóéd—a÷Ði`0/,ºqØß¹&/BV8;´:¾¾:àçÉNmMòÇó£A&&üßó#aà­¯ENæG=Uðªû}Å(ˆ4ÒªdÈì`ËŽhbË¡çhjtoËÎC>‚ÿB¾w»º—íöbÜò
÷¥hn±;ºÈ4Ñ™ýJEeHuB?UÐÏ¿ô³Š‰Ó[vD[Žôãã.Wã-ÿGýÜ´Å&61†*ÆŸ× ä’ Æ×,l@uBƒUÐà—©œ
)x÷ Ëk7_A8¨Jq@É¼ø¤x=Õ„|£ª”€+¬ø¶Ê£‚–y“ck…¤íDb6­´T“¢ïí§`;¥ºSexä
o5¬Žw¶Ú›[ºUÞn¢ÜîÁ×2æÉŒCÒdÕ7É“µ†4Íü•jQXq¼XÄYF4§ú+Y27ÀNñ÷‹¸PPQûbÑ󉼙K_,ÒƒZØbŸ¼øö6¤Ð¡=D×ËFþëËF¾ÚmàÄqªçâÓl­âL	€êÖüèËË«WزøY"äÏàÝÆ?ë©2ÆmÒm¬µ„N(gÁwç¶ý‘K¤ôùV,òò¶å.mºjƪmÚ]ÏdãòÚa~y´‡õ,ý0{dõ‚c·–«ï¢%ÓPDuË7Wço?Nê3Y@Q…EÆËrPŠ®Ú&²ÕÓÓ>±ëâ¶Ì}Ææ'û"$f…ÕmüÆj$Õ¨P+/Ü`ƒkú*ºÏ‚k·Xú!Ê:’jnº”yW.SÕ@?ˆ‘èI´C‰¼×Ë—GáËçd,Ö	ŽÃ×ê8|õTñBþùéýA}Hj;½mG4±í•('TCr4Ú÷5þà°ˆhq	k2›±Pïd¦ezTUÌMù‰ª×Ԁ踢:¢¨§Ë«kQ1í€ë‹ï^²ÖhyRŒžèPŽ‘æ2Ø
-q$Ⱥ ¹¬ÊÓê;’=™/QY"ᩃ²ª»îa¸SwíÊ%ÖÄB~õga›˜•=9ß½š–"´‹HÔ–}y™ûµRø_„Ä”ÆhXžýKæÓOµRÃ3Çði݃Öà±r× ”×êÐè(¤\€ƒ‡²ÿ¬þ:endstream
-endobj
-2146 0 obj <<
-/Type /Page
-/Contents 2147 0 R
-/Resources 2145 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2128 0 R
+/D [2145 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2148 0 obj <<
-/D [2146 0 R /XYZ 56.6929 794.5015 null]
+/D [2145 0 R /XYZ 56.6929 751.8354 null]
 >> endobj
-2149 0 obj <<
-/D [2146 0 R /XYZ 56.6929 166.8062 null]
->> endobj
-2145 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F53 1062 0 R /F62 1095 0 R /F41 969 0 R /F63 1098 0 R >>
-/XObject << /Im3 1219 0 R /Im2 1084 0 R >>
+2144 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+2151 0 obj <<
+/Length 2089      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YKsã6¾ëWè°ªj„àIG­É:5㙵ä$UI’²X¡H/qœ_¿EJ”äª-B
t£ûë¯4™cø#s)fŠÏ#Å‘ÀDÌ“ýÏŸá·gÄÉ,½Ðr(õq3ûá‹æ
+©†óÍv°—DXJ2ߤ¿7ß¾­îî],©ÀÁG´X
+Œƒ/7O7ŸíÜ·…¢ÁÍ«5¼2ÅB"DË…8x¸ù²º[ü±ùi¶Úôöm&˜icþ;ûí蟄HŒ(‡c#Ò´oEvìB"BÊùPç‰e½Ô„il¨‹8&cÛÖ/Y’oß BRí.ƒÂÎ3Wm~K»ýK–Úɪ҉ýŽ1-2.§*øV5M¾ Á÷b¸_c%ãzAdY—ŒœG#‚B!"ç“ß)åÛ®(ôÓIÏCD‹yY,pšmã®haHœ¦2Ðb$"”ÔY·ù_ÙEœ#1¿i	@

Á›@´‚šß6ÚGŒÉ@›íFU½[;ÎûÜW›iº¼—œ¬¼UIn,Ÿí\ܵì”'qQ¼Ù©ïî»Í²—¸Ž[·Y“ÔùK«³-Á×ÒN¶ÞÀ
+Fµ9	öG°Y½§}A¼0lÀ¬ìÌáTÄ
+é\`Íì®ÛÇåÒÎÄ©?#61-kw]cgš sðñþÀA–æ­sq§ÆÆR}ºF°±Ï~ç6û»E'ÄíØ1.€.SèPê<…öR†B×SJTÂSÀ¾J'#ÉÅe»¼Ð„]#þž•4<2ìVãIç5>ÕÏØ>Ö!‚Ÿí‹M„ĦˆÎÁÜÜ6«+ÓV£õ·ºD";6„jóÞôIÝšd*C„	òÜ6ÎÏ’)”>ѳé‡)ÚDT01Øí5®Ë3»±Ä¢sÜlŸäæ%‹ RŒ!¬µšü¹¬ês
aʆ=	OT‚Wà9ºO/eàÙNÀS!‰wBš×@UývQÁ
+hQ.×KMX7© Hq¨K#ónw¶ èfXi¤sùð`\ !ÃI{”ˆɨ?™¦&³é.vÛçeRtif_`#‹}]='D_úUN¨O÷Ï”°¼r¿Ú®ÂŽã¾¼ÀË Bf©%D@
â!—³¸ó]½@ËvüÝclM¾Ï‹¸.ÜlÒûÌ4;šu9‹-*ñH]ÆÖPê<¶z)ƒ­×)êÓ
òuly4\4®—š°nŒ-À 
ÇÖ%;`h‡øTA›+é{@WÊéTfO*=7!zÆ‚CG¥ÑpgØÇM›ÕC!;þ×ýÃí移•};¦ÃÐœéD¯Uý§&b‚¡ÃóÑ?l\q¬ŽÊêA‰>µVáz½I9á2Š!¸”(ç
+;Hí”× ‘P׈O¿ÓRö28RÀé¥8Oîp*´=üE•^hBåq.,«¼ƒÊzÏõM0òQv>µ~ŽËªÔíò°©9ƸxßÜ0µ6í×M^U$bŒ±aŒ–IµÉ‹ìLw©(â”Êk¡â 1y¥…JU/eBõËÀ–[(Ž"ŠÅeÃz©	ËÆM¶G¦õ—PÝô¾î2s91/¦'‚gâÚ,¹[ÌAx—çû¼Ô16Kó"MlHuq<\–²S‡Ú
+âÂ\Ð,!€¹òk\T$ÁüÝŸ@áá~}r1øLó§¹L	2PòŽž_Í'hF&äJ>
¤.ä“—Òušë¼?IF`\^ÖÜKM¨µ	‘ !ëÞôõ¥ÚÇžðŒ1ö2w|»;0å÷¬¿šœºÐÑpÌ€øÇ„.øÍ	Y@øª=Å4pÁW÷B§šy†FGª{¯½ËSþ‹–jŸ4pM±Ÿ„LðbÒ¦ÇÕæéñÁ.þy7ŸŸVëé/TBFIöþ/L1Ÿ6MÛ®.}â:dçî–„ÒvÍøŒdÜ
+gµmpk'öšõô¤•µÐ´ø"hÙ	Øm©ú5oθǛ;rÏzµ²‹o>¯¿NœqÊ)š=¤æƒÜzJ7DƒŸÍ~LZd¾7²Ü¨Ý€™˜úÊGå=ûLmÈ‘’ÄWü÷wv?åN•B‰É›®/•ëõåÞø´Lœ[¿ÄeuèT=	%´8áè+ã‰_™à þcož6ÿþúxÝ£÷%ÔÁ2sY¿A“¼w±¿­Ê¦ªÛ¼ÛôByHÝ>\!¬ˆmùõWüÅ’`ìâá«
+“ÀhZæÁå÷©EŒ"!ÂAŒ]¶QÙÑØÌi‚k²ú/ûýrêßP€ô7ÿ	úÀ½;ÿï-þwÅ‘IyæBΰæ+E¼QúØ„EǦí> endobj
 2152 0 obj <<
-/Length 2164      
-/Filter /FlateDecode
->>
-stream
-xÚ½YKoã8¾çWø¶
-0bó¥×ÜÜIº'ƒî$“8À`39(kÛ’<–”žöÇo‘EÊ’¬tìbáƒø(‹õøªH³…[Ä¡"‘‹(‘$ ,Xdå]<ÁÜç#fi|Gä©>®Ž>|Ñ"!IÈÃÅêqÀ+&4ŽÙb•ßyË««³‹Óóß}Pï#9öJ½¯Ë‹Ûå»:N¸·ü|v].EDŒkºz7·W§ËãHz«³ãûÕ¯Gg«^¬¡èŒ
--ÓŸGw÷t‘Ã	~=¢D$q°øJX’ðEy$A)„ÙÝýÖ3Ìš¥sªDL‚˜G3ºàlÁI‚€”$$\eœ\^|:ÿ|{½ÔG^_^è3ÁJ1Ð"]€V’À,Y­•%b"L“$bMS¥¥ÊgX	I(¹¥ÊêêJùS·KÛ¢®Ž}A…§G6J·¥W48ÖÖ56²ºÜnÔ_8ÛÚÁ\5Ù®xpk*7Ú¦ÅÛkµ;f±§À†2¢Þ)‘Y«†\¶{ApsémÍÚÚ×ÇÑê&>*=ê¹Èá´ÆuôîúÛ:%‰dpü  2dÂÿãùÅ)R'øYæeQMê¨w8t­­ìU¦pèkZuéfF¹,Œ	Ãв'3VùÁ”p€˜€%’›ÜNÞ¢=m£ÅàûÊá'’I'BW¦Í·9¾üÜ	©þ uVל3<°õ	=RÖ¹ÓžaïMSî%‚†ð¶©UY‹Ö‚™jðÁBïügpÛf²/“{/3*”‘H$á[žNI’!ÕOè<2`„:Vû¸„ɦËÖ°a,½TKÞ¿ênWÍ •ñ'è%«”‘.F÷×ÄëôYáHÖ5­Q´·jWM*t+ç
ÆCN&o[,âÔ§Y×ÝÆŠñ PŒFµ8 þÚnŠ¬h7/Ø7!hÀ8Cð$ !&Õ5.žÌ!á۴鮄ÖÈ,‘•Á[VDÆÒ9ôÈ/ËbúŒ†$Œâxá‹€Ä1•fÙ§ó/¦ØOÁ²aBNfgÓ–%ò‡Tªe<“¶z*½ëÕf̹àæãtIQñ†=Õ¡c(‰ÎcPçH„ÕÚBP®Óncíq€âz–¼¦¥ ŠMØZR½®¥žÊhé9Ý}ØujÊêk[äSA8u®”?–¤§:e¤.nü
-âz$˼ºNçù¶}PÆDê`äƒ7gg6g|¹¹œÉ4“œ}ýéäØg	õ ,3q!)	eÑjÂP—‚Y‚!;ù¿e¼ƒÏ)Ç÷³µÊ¾éxÐI$Ö™ápúïºRÓé]•gÓ±ÍwLM>ËŒ¸mœ9<”Ï4êËp‚fÿ·A)˜ØÝ.@½¯È”@½¡ì=Î#l¾€yŠÌv.n°1¤íÚbS´/sz¢“°z©êm•ß.B(ÏÄ7d*2Ï¡TÀ	$´jCjlÔzªñÉCPäŸß»ÖißzÂÆ¿ñã×ãîfܵªFÆ#Xãjó»u™f?ßSZ»êçFe;ÕÎÔL0å>8ÝßævH@ÑŽ?›¹ŠügŸ¢ïmáD¡rŽô…oX8ÝùíÜ6‚$úö…Ú¢Tu×¾ºë7²ŠìfXj	W\tùöu®p¹Šà†5åº{WÐð®PÍ«\ã)×ë7¹îÒ*¯Ë\=Ï1•$„jtÊôÙê\È-;³;m5í÷³°Ã¥®&'¨szvsr}~5¸^²×¡gˆÓ<×j)¥»Žh@bÔ‹Ì‹ðmº‡²h±½Gæз °ûg§šÖrLí7W:1WŽ½)dáéŠ3Ž÷Lñ£5c…P»g€ôH@ŽEP ®€7ÛsŒœ9ÝlêïzãPX‘¸è†IýhV›onHí-&,Qšã]š&·	®+ëg71¸6éøÑYé¿íZ;·.M2µ<ôT^´Eõ„,èa[*úB̯¯Ùê‡þÓÀò:ÄèlY™V}}	7ùꀬßààØp)ulì—¨8ånŽ?
-ß/i½uZ'ý™×çýXÀ
Û[©ÛMwº*_0ÍÜ9¤î賡168ð\¤s+1”ã¬Ïø?
-ˆ$I¨ÕvÏ?§¿œ\aË:'¶íeN·«ÚJÿ`×Wv®Ãæš³zð9dñ8'Z[¹õi3$^û;ƒ(2klír¶Vfs<¦]»:Ï€·Ôi›ŽÝàÁÎlê¦+ÞWå"Hf̽™´V…Öުб²bxˆºàÓsFõ=?|zÀuîYJâ8”ï218žË0xû7BÖø}°}óf„·-³48SÂY(ÆfÓa¬C—FPŽö!&ùþÐ\2pó¬ÃFåÒ½»À”fð»¦L¡fÜa{…š½B3…_æ9°-4|’æñÅÌXîÜûz±üz†MCg|	êÇ‘܉1<áÍåòAŸ9åä™3	…Dîéd.×îEQ¥ß\vÙ>$L¢ø]¦"Þ³V;ƒŸšwa÷ÈÕC÷d·«smÏ@&VázÐ^?õ“¥kHf0Ù<Ö»Ò=Çrpø“
-áÚº$/}ÄI{Í›om¬§C.Ó\M»]˜l7…Ck5U<»ç¡áà`¥ÍÂÁ8¿òZ•Š¾^Ïí´/mþë—üý?PU‰8æó	„H˜J땉h*zÿæ(ûh¦HØendstream
-endobj
-2151 0 obj <<
-/Type /Page
-/Contents 2152 0 R
-/Resources 2150 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2128 0 R
+/D [2150 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2153 0 obj <<
-/D [2151 0 R /XYZ 85.0394 794.5015 null]
+/D [2150 0 R /XYZ 85.0394 351.3738 null]
 >> endobj
 2154 0 obj <<
-/D [2151 0 R /XYZ 85.0394 752.3006 null]
+/D [2150 0 R /XYZ 85.0394 278.6168 null]
 >> endobj
 2155 0 obj <<
-/D [2151 0 R /XYZ 85.0394 637.1124 null]
+/D [2150 0 R /XYZ 85.0394 205.8598 null]
+>> endobj
+706 0 obj <<
+/D [2150 0 R /XYZ 85.0394 160.1512 null]
 >> endobj
 2156 0 obj <<
-/D [2151 0 R /XYZ 85.0394 533.8793 null]
+/D [2150 0 R /XYZ 85.0394 124.1686 null]
 >> endobj
 2157 0 obj <<
-/D [2151 0 R /XYZ 85.0394 460.7643 null]
+/D [2150 0 R /XYZ 85.0394 85.6348 null]
 >> endobj
-710 0 obj <<
-/D [2151 0 R /XYZ 85.0394 423.114 null]
->> endobj
-2158 0 obj <<
-/D [2151 0 R /XYZ 85.0394 387.2272 null]
->> endobj
-2159 0 obj <<
-/D [2151 0 R /XYZ 85.0394 355.6754 null]
+2149 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 2160 0 obj <<
-/D [2151 0 R /XYZ 85.0394 291.5937 null]
+/Length 2814      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZKoÛH¾ûWÈaeÀì°Ÿl‹Û	<“8ÞÈÙ “MQ2a‰Ôˆ¤ï¯ßêERM*ÀÎ^69°Õ,VUw×ã«jãYÿñŒ$bÏ¢˜!b>K·gál
ïÞŸaK8¢ Kõöþìõ;Íb"f÷«/‰B)ñì~ùuþaŒÎE8¿}óñúê< 4¦bþæîîúöêæwøÍC ’0œ|sûåÍ3ww“ù›÷׋óo÷¿œ]ß·útuÆ!UÊüyöõ[8[‚ê¿œ…ˆÆ’ϾÃá8&³íãqF©›Ùœ-ÎþÙ2ì¼ÕŸz÷‡ˆPA<›@ðÖsNz»Àc$(¡z/E¹«òj¸ŠQ$E” ƉW4†&”ÑEP«ÃB«Å°ïl•ÒªH¶Ùò<°ñ_öÍD;J•¾¯ßð'úpŽ#¯x¤e±Ê×Á*ßd†¸'VpqÊ,mËwéáK9’‚sKºÌšu°Éž³Íϳ½>É6+Öy‘já£lùíꛢTP8QÁfA{Ü@ö5X·”[`[àÔ2]m’µG2aˆE’%'ô*Ý5•aŒ¤Œâ!ÃÝI†»r_ûøQ+_ð«ÚÑÂù¿Ÿ¯¶É *Ó'Ÿ¾à,QÄå}ÚPò}–ÖåþÅÇ”!A8n™êSd`¿’páNÛSl<¢Ìª5U¶÷Ÿòh«ŸÛÑ¿ÚÑŒ˜#Á°“‘&éc6æMÃMÒýè"!:QˆVO¿º^\~¾¹»¿ùtÛ~uàÂgÂQu‚!ëm<)ãC0(óÄ<®Êm’f|«ÜK/UmÍø‡W·x`3Ûù;±ùLDá|—€íéWåÊ<ëGËèíÍí•Åæ±Ì«zŸ?4u^Z©«ý9–óÒJ»Y\"3zWîÍ`[jŠÌz³]MÏ™óbUî·‰aª’{jEÔVpaFUf§>¿»¬Ì<„^´Cf‡I±lç8ÒÒaÇÁæx~{Ì´œx.Ÿ2M/çßóú±ljó&Ñʯ›mVÔÕ…ç1•‘°ç3zŠë¢Ð™ë÷|³1üÍÞ$V´]ox•4«û?¬›}»Er®f¼æŠ£1ÚºÏë¬N_k­JÕ$dLA}_X…r28¨®¶j‡_Ì /ò:O6æÇ2©“álÀl2{¦+ejðg“íó¬B>‡
+ûŽôIûÐ1$±Y˜c	VÅ£éTÝ¥râ8U·TJnÀ†"CqŒå´HGäÙÔ0Œ(î‹üRYû¾¹{fÎ6v£!1Û]ÌWy,«ÚŒ¶Ì ÝZ:ë#i²K6v²\µ"òÅVÎQ,#ÂÍ.”ÇÊ‘Û¨¨NÚcŠ1¢+è‰ìZøß[û?²ÐZÂNXA‡jÂ
+•VÜÁrÞU\•'˜ûQyW=€ˆ¢xZ¿–Ê£`o¿h„‡Šª§¡2š
+¥”c…ÃÐ…ä'
+kÄܘ'"õÖ&"=Έó*=(j&ºŸÛ¤vá³5, /Çâ8i¹"€²¦¤ŸŽFZ5‘‚ÍïU][žŒr¨GªÆÙ˜ú]?&µ1›à6e²Ì‹µ{i©ŽV¯&ÝêÕÇ@PçE“UöC+í{¹2ɪäÕçjá˜?&•Y®[A,§I±V …R@,ueŠ»ÖUýX®` ¹™j23PêtŸ‰yìʪʼH‚ÐÅa(ü˜¿·å\Ù¶:(wÖ<”¢öi¬€zÐŒš4Ûxá1߀H‰ÂHà㣟°c‰c.rUç6‰Yk«×í“T9Ø–#¤Ž	± §‘:äc/²À°Ò³¸d¹uiªì&-ðè‡Ò¥ð¤$i·U
+›­2 :µðº² Øk€PE$O¤·.Õ„:*m€×'
pÐÆñà”~È–müôt‹UÊ9›ú{^¥¯ÁKÑã?F«ƒ“Ñʘt:Úu©Æ£]K¥£]q4·W…½p'‹™VÌyë‡;xË#Þ×ìÒÖµ/©ûoÌ¢ãËÌa!âÐ5ƒTŸA%>Š\v*îafz
+êEò”™™dùœµ	¨ðB÷‚à¹ä—ï6–èòîKeÿáÆh°¡ÞU»,ÍU[ [ú®](Vù°Õn¬˜€~Äè {`ï_ b×*úë
+L5©êl¿5Sf+5(šíƒNü̬FÑ*ýÍÌÎÒ¢6&å3UQ´¡¿)œ;·)Š…ã\‘¡½Y™™Ü2Í­´¦°]\Æ,Z8wbAöaÝ×®¢ÓÿU«p6ä@æs]bwî†MÿÈ]cÚ*‡Õ.ǽ‘Hýì”7v¨&¼ÑQioÜôFWÍôœ‘ Ëz9"^½kå|6èõaâö«ß9Rla°äàŠª‰wÍ@‡
ÕØbC½uRÃæi5×U‹K0r@ëêBÙb%@áÈœd?òýù`2õ7Sž•‡íêý§Y‡¿=cêv[Ž4
+IÄ|,œRj˜Êc+±Äu¬ûïâP-endstream
+endobj
+2159 0 obj <<
+/Type /Page
+/Contents 2160 0 R
+/Resources 2158 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2121 0 R
 >> endobj
 2161 0 obj <<
-/D [2151 0 R /XYZ 85.0394 209.4884 null]
->> endobj
-2150 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2164 0 obj <<
-/Length 4125      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿Âo§L#šì[š¯ËµMs3½»¶IÛœH¤*RNÝNÿûíbà‡ '77™À\,û
ˆËþÄ¥6‘Ée~™æI¤c¡/ËÝE|yï^_³vƒÖÓQß\_\½RéeåFšËë›	®,Š³L\^W?¯¾‰„ŒžŠxõöý‡w/ž=I“ÕõË'k)eVÏÞ½{ùöÅ›A_Ç0FÆñêûgo?<ûŽ`ïžärõìõË÷O~½þÇÅËkOÖ”t+¤é·‹Ÿ/+XÁ?.âH噾ü8y./w‰V‘N”ríÅû‹z„“·öÓ +DIed€R…x¡óÈ(x…¼¸¾«qW¯1*òH˜4ü8fý‚†Ì°‰$Jñn?4]KÜÙëž¿˜"5xbþ¢íûªêêV‘H‡úðDd«zßB_TUƒ“[êWõæx{Û´·ÔmÚ›î°+Fr†.¸@eIlÜ
-«Ð
-E”k-yH„#.×*1Q¬³ôr-Ò(Oã\Tq®Ýß…¹È’%M²úÔwÔ*,DÃʆú¶>0вåö¸«Û Ý
=ÿ¨í«Ž¡úø®¹½sßöõÐSkºmcÛ9BÇr”>ÛÖ÷õ4@i¹z³˜à)v3ÿ)±ØšPKÇ<\VÓóN5}±ÙÖ±2v,ÔÄÂ'y¼:m_”Ä•‹UßܶÅp$è	VürSÓóØ×µ`«í³8ÂÂÚ¡)Q¾èÍ7^<´Å®)¹óö=£°¢ØÃBS¥p7û÷Áõû7¯=ý“E2[âh°*-;û¬6<ìùmU÷å¡ÙÔü¢Á…¥jõã«ç2K4qíWwüÌÿK	þ‰ó“Q'ˆZiŨ‹¶òP™+1_ÙJ;½Q«×ï߯íÒm¯À½0r6€í,Æ.@™D;M’¯Üg’	Ý6v+a\Çãzôw$Õ]_—Ôèóá®ÜÈ’íµ¬@ÀócÛ}bÌNùg†h±s[¢$SVOË/p¬6ÐY²-	´îA/€™¨-q¶z~<ñíô	!V¨/I2~L„Û{´o5£¯ÛòðàLô‹ímws°£îÕiøŒ‹ «aðüû÷Ïž¯Ié³¥~ÿB[*²Õ§»¦DûûCƒäԿıl‰ŠÌn&>a3©!EœØÅå«Ú²&`7Y¦'“ññf‘ó2»†§DG±ßoA3A}qé=?5Û-lëº
-I(*½ÌràZô3fòùÞôõ¶.j÷3œ
fÚ“%Ûk),|ÂlìöôüT[:¯ƒxLiäiÝòW£"«Šô–á™ã‰J"ÓÕ+`FÀ¢4m?Àh`*ûc3 ùÄHhRlÇÚI ‡C®¡§þ'V¶aàF­žA3è!eáB’:/|UåŠ{•]{Е\Bx¡·ë;ÆM:“Uò)xHŒnfëvyBÆEßw%ív-2pâ(4ó=Ä·SÃ}Ë,‹™eã.c—œíñ›w<²ªØ´÷@?;	4‚Aky&’aŠ>B²J܆å[vCàyì­¨`“-&´¦‚Ôµ6Í–À~kM*´öÇÍÖº7h“Œ@Ú“îöPìïÈ1¢kŒc;‚§¤Çé$ˆŽí˜RdRë@sDšݱÈfmØøõCçm½µ`ÎÖÑãÛ—ÿ¦ñKßûG×N0Ú<œ±Õjf«O½ƒJ <–>lûœw‚V]ÍV¸íjñEP/ˆ%0E€øqƽϫYÔ•ù¨¶&žxgŒ³H°õm}Øp´ÆVŒ
-…ªØö!¬Ý³øì1>蛋¥Yeì$d±r•G	˜?„¢b‰$uÉ:.cki“:Þ¯?~;TKʼôæÿ¾©ê‘bûfŠÀ‹Y(ïѹw„-^ÝÖm} ˆFdUÀI”ooØò¯…L#
±ß\NÜHž¬í`‹
ÞÛ¦‰~;ÖýÐ[ß!ÀûÞÇí@ï)þÄ–
 &@?¤3÷ââVOÑ‘CgwŽÅvû2oõïåÌØ}½ˆð)Iú‰Üc"Ϩ¤âQÁH"e|JæÓ%@IAŒ´ÉÀÓ‰yób>ØíXE݇õ~¦ùõt~Ç‘ñéÚÝ®(¿P)ó(Ëœ†þ@£"%Rg`ÀH¢Â"V6ÀJ0Äe€¥™£Á-ÅYã5èV$r)1.?H.lš˜J¶‹Ð˜˜u™æÖEžRÆÊh§JDi€6•A6ÏHƒ´îxöMÑ×&¡‰!Ìí¬á‹©ÂáËQá#i¶úÐ3½´uFˆdÌOÓÏ‘Ic±¢TzŠ!Q-!‘+n9â„ô7ÒL鹸oê²°nSfÂ…ƒr¾x15øÞN‚ð#Æ
-4JrTiÍ>Ên·£tÞm›–'Ydýˆ­å¶uq ÐPÿŽLK Ôº¾s³íŠz»aT÷MßØh’±\9-	œFwöG.¿L”zûƒAA‚zpe®ÖÐè‡ÿ@̶µ+5í?ËèoxŒŸ(ÁWÿ=X¡x°„ðÓ­WT6‘ê¼÷1R?ê6À/§Ù¼°õ4'¨H§¹ü¢0A¦z^Î*ª~¤Ò6fb#ç1,¾Ÿð}úóòTc…6Q–$r´27Í6Hž€qJLŠX@àð@˜™LI96’g÷	ùÔ1}äØÖ®CdoÄ\ vÅÐÑ£´ra°ÀÓÞZQ€¶ƒòo¥‚KR¨,¡1ÆjEM:ÒqÖT"mªŽŒ2bdZH@òHƾ8êS­§\·ãÄÚ83T©ÂçÔß[¦ê°RÉ<“ZDu-b€Ò:[[iÛ<„(N#¡1UÕökdÌ Ü@Ф¿ž²?8r»!ùj_4 zb¾åÀ`ŠÛYƒpä7CÇaò×m®ï™=·ÕÂD*Kñßþ‰(ÿŠ¾`m¿úóö¯Ûýåê®ÂÖ]ó¹oŒÁÿšiÕ&X›Í¤¯ÿž™rÊû°NÌ\e:á%Ö|ÜÞç)%®2§ôÓ½Gph/1
-ÌsÏØL°kXä™í„H@gzÔÜ«ma·ªò˜ÑƒOøîL.ÖfX±	=´(]Í]ÕZ¿é÷uÙÜhg:Á«€|\¨iý*ñõ+W·UcùÀg+A왕l[UgÃM97ªJ),õy׶uÉY–Åß-æ±ÌàôPdîÔibýW÷ÉÁ+çã™òdzgÊù,ôfÿ/b¥âEQê´q±qõP˜ŽÕ<å³½Çm¯ˆs5«b!î/Þa#%#€¾¶‰@|Õ SG4O&œ„[lI»%;HC:†Tî:‚n9ôpzâî
ħ\E©Ê“åIÆè¹õ*æÉ™ó$€è[oIÀëçüŸÉH
-púr›9¨sñÄê©È}~Þ}©üø¼\æçoˆÈä^Eß[¥Ìdogüð+½MvQ'$Qy¶´»ìçlöÊaÆãª(Ö7`É6.Ååc¡1ÞCɪbƒeÌr$A{!I“dWTáÒÚÝâØö»íi`4VquþF{Ümꃿ`á2u.¸"@9õqÓ¡ÌV»fǧ赂8FhùûœÎâ*Á9nÄ2sùðz8S^ŒÍIeHÇå´»â÷fwÜ1´Ù1¸à/üŽ*³Ð3”nÔ’M­MÍ4÷j—¬ôªØØb«e†Ù£Ì„=~¬Y©8öìQ`5—çk°/UÏŒþÏx]D³íŸ
-4EéÓ½ã[9AtÇ!|µ#¼Y”JéÏŽáýˆãøävŒ=ìú™uÕÎNkæö`«M1]›9Üx‹Eæš9O9‡ƒzz*‡Þ±s5{ñ Ó‹/"gv3^¶Ž|ԊϲÛí>°Q×Í÷d^U[rÕ•Ôü46
©NUљⅷ%á©ûÿekòH¦Ò'Œ‡3—tlN..Åþv‘‹ýÍ„DRyÀ‘hÄœD|o‘™[Ö}*EבÄü:’¿U3µ<½WE?›SEãg®Òø;LRdÂ'¦÷3>*[ÿªÏ%]8J‡ªùEFB˜ü䦜$«=
-†On!aŸÄBò,-„VùSâ¡v‡8r18_¦D	ï¨Íç›ÐâTXÎÎÏ(ú@ž-Î4Cµ»4’þÀð
-–}E¤…"eÈ|D&Ƴ@ðÔ)î`ª@ep‰×Kî{SB*'wêä>™1ú–)0hd
-Á~Bl¼é
-î,í±Ú³‘[Ö•%xROæcÛ¹VÙ¤‰‹dn¶—*uŽÆ‡ŠKk)èQÞ‡¢´©
-¾%Ð+Ë'xúš*ŸÖT•[8½a¤ÖÌÃsÃs²ÞGÁÃlšàfF¥çuª¸°ÍMh‘›GØ¿cHwR#ÕXƒÅmetÚgcbß´•­õ4%î8Ïb#c,^ÓqZz¾I†à
SÉÑ,yçFï“pØç-|2«ùó\!òÅõ«0¨Ùo'Æ}rïÚ‚‘Ò I©ýêÍÛw®é“W?üøý3¼´q.3æxýòN$¤N'"ó̦÷J§æ+Õ‘öù+ž,œ9®„=ÊóDMÕï2
 {ã–¸Ymp¯^ÒM)ÔU†C˜ÀÉÁR×Ò³þTÁš~HgÉôÔÑŽ˜“ØEk3bég×R¯Þw»š <{O=Ÿ‘áa¾
q-´ÚJõZÍ{þn<ì»Þº3DÈÙ¸¤{_=_±ÉUÝÐ-:lûâ¦%cÍcè3·ÍAVðUànxì¥êÿ¾‰>Þ¸OÒHa¥8xÉ\‚`ÀÇÆ…\*;!ÝÝY?¥ý¿Å{ïendstream
-endobj
-2163 0 obj <<
-/Type /Page
-/Contents 2164 0 R
-/Resources 2162 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2128 0 R
->> endobj
-2165 0 obj <<
-/D [2163 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2166 0 obj <<
-/D [2163 0 R /XYZ 56.6929 95.0316 null]
+/D [2159 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2162 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R >>
+/D [2159 0 R /XYZ 56.6929 748.7291 null]
+>> endobj
+2163 0 obj <<
+/D [2159 0 R /XYZ 56.6929 660.3963 null]
+>> endobj
+2164 0 obj <<
+/D [2159 0 R /XYZ 56.6929 549.6423 null]
+>> endobj
+2158 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2169 0 obj <<
-/Length 3384      
-/Filter /FlateDecode
->>
-stream
-xÚ½Z[oÛ8~ϯÈÛ8@ÍåU"÷-ƒvìt»M»@§Š­4Úú’±ä¶™_¿çð%Ëv:"š<¢Ïå;I\rø—Ö0®œ¾,f†s¹X_ðË°öÓ…4óH4Ï©~¼½øÛ?Tyé˜+dqy{Ÿíe·V\Þ.ßϮ߾}õæåëÿ^Í¥á³ÙÕÜp>ûåúͯ×ÿ¤¹·WNήzu?¥V	‰tŸ½¹ùõíËë«RÏn_]}¸ýùâÕmb+g]p…<ý~ñþ¿\Â	~¾àL9k.¿À΄sòr}¡bF+gV7ÿNf«þÖ)Qe™±²œ…TS²0Ž
-–PÛÝÕ\	1{Ü]	;«éÿïû¦mºWølñP/>µDµÝе{ˆ‹ÛMWoº¸|?Zþc»©Al¤yûP·5-ç;¶u—vZ6]³Ý´qª$ÛuØnS­Ã‘m¼t‚˜Áœ1’NŒÈBÍè8ívï‹gu˜]lýuÙéoÜðwï`?šª8È.Œ¿6m×ÒýÛ0ׄ[«»d@k÷~ÓíšV¼ p¡À¶‚ p6?3þ^ïÛ°Í] X×]xÖ=-àŽ†ç7t, sj¶\V]GÖ~sø†k·¥k»_,êz‰ŠRnö«¿5|iV+Ý
vû_½èêeØî>l÷Hàî.Üïe•/N®dÒœœö¾jV,-”̹Òù…WŸë݈¶,Ò©UYO‹°}K:Äeoªpý£¾D»
;º®·Qžxó×a§j³$š?êÃ}ŠÁ>eà°QÖ)4q“Õjû¥Òl…tÔtÕÝÊ,nò•/*¯$èÏ.Çg'Mãc‹Ú¦‰æž‚áƒëEóç2’úÞpàCHZõGϪÉ5ð ÐëºiÛfóLÀÚÜ{àÙ"ŒH3»¦™»UµùDÃfó¸ïh¸j6áôfozax0 ¡ÈÐPJÉ”.
-àÙ6—*ÇL©™ÖN¢Åv½u„€­Õ¾õ®’s[-ûõ~EªñTt©w.uÁJgÜPÍÞ¼›Á5 
-Œª–®ÛMXzù8Ø,Â774Hã¡ÇÃDÜx4IéA;p g“ÞuàÖ몌¥YؽÙÑp]WÒ*$dÊŽs¿õ&ÿ÷ƒÊ7¨‰Ò‘G¢ šçTñÄDÄKT¤iàìð½0Þ?nw݇1KÂV*%Oó”¨&˜˜ç¬Ú¹º©7Þ‹¸A, Á2*$ÿ†q¦_&‡Š¼0¡Fá¼Þ¶Íж![ÐB'H²8ôHÊÒØ@Š¾XšÙƒÈ¦œ[SmzƒLI›$îÇœbM˜?=þÁ5ÓçfY/_Lx«Ð–iÌlˆMÄqÈ©6LI9¥øELxœ†Ñ>8üÑIp0XWm—˜Í÷Cºž°/€ ¥ `Š•˜à[Ä.]_rÅì—7׿¼Â¡™y¤]-iÞ§-΄ÜgðîZš½ù×5M±—c .f Bˆ÷Oq«ðÌx.œL.ó!BÊ&f™ÐW¦ ³@Èò÷©†‰lÀÀß#=Ûì×wä‡óÊÃÇAÊ®¸PÏ1Ï°]*(ý¡î'{ö²NáåØŸpæ£Ï»Œñ8Œ‰›Ô³×÷4µÙfG!ÍÛ’ñBÛ‘ù§ò žG×#H^Ö÷Õ~Õ`=Ê‹¶ó†W£†ÛC4Z²cˆjÀßEiíiDÍ©Ž#j¢Âƒ®¶‹jÐ}¹ÜÕm{MK‘ö4?‰j‚¡\ó¢,˜uZ9
-h*KNh*K‘i¿Ì¢e)ÆÚÇÕ‘”¡”Á9:äŠJ¨Ð
-+ƒíEL“`V+ÑC¨‚í=„úy«JÏñS+ça˜¸Á‚77±¤B
-uH­dZ¸gÁ¨(Ë!ŠÂcŠ
-•¡(Lá°ÚÐ:
-‚À6.,i@&4‹‡m[ohöî‰æBízÀZOáÐ\È’Wö8õù›gŽ{æ|¥ÆñD3w5]уhD!J°êSX;»J›a­Ï\ýþtIÞ¾ ßÈ"Æ‚Ây0Á©Í¶_
-3ÁÏqÜÄœÑb úHB’£qˆ>ñj››”K…	]îÔ¼89Õq˜HT1Òãq‘|
Æ°Bh}š‡D5ÁÄ
-VIË€‹›$7_t§¸µ5AEazÛÆ}öŠÄÛ¼>7`ËÁJŒ6@â;J@‚"cÝ‘‹bì‚%³’—`˜„
-„&övnpÙÖÓat"êó1‚ÐœÑvTœøðõê9p1²(Ÿ.ì9ežÁFáUÌ>ª†eŠë\sHÎãîƒ%£+Ü÷ɨN¸O¤ò൪b`õÃcdJ­Ns‘¨&Ø8p cŠ!Þ|zy4{ñü1êÙ½©Ê¤Á
-¥ ÔŒ¾@'<´}¥5ƒ”òù©T&·¦äêq8fØþõ›	¢ú£+ѽÂþ«VgtŸS×}¢òÝnVì’µz9j]êÓ$ª	†bKB*5à¡×{¬3qЋg›u˜öŽ×UóÙÏèPg¤â5ï¾fôwá~о!‰…Ém|ÖçjµŸ„Tp"]ÊjŽàžÁj[1v]¬êjwäT!õr>ÆÙ=¨ä¸É
-åði;ȨNØA¤Â‡~ªŸû7‹5Á‡@’*Os‰&8€dFØ+Ã8jyŒ£6¦Ü–gqÔæ] R6´»àz{óú§9æ'Õ}
-nyß¿*@LÚ2ú ™ ¸~ôbŸ0]Jíà±j²æ×\sǸå£\ëv²ƒ(E
-¤¨š‰§ÁvÎŽú‡!ƒrv‘4uÑ‚j“ŽXÊÚF87Ø/4?aô¹©ˆ=hxZížÈË|’]lw¦6Ïv7±
ÈÅ&†îù§ï@KÁY)Ë3¾œê„—D*¯Ó]½«Žòu¹]WMçS¡SJ9	‚Þ)¶Õ_Ã,›ärÈØ;|urŽ«¹pÑip„…^ÛíýlßòÁ9LWðê-ÇoöôÈãÛ*iº‡ðˆ”g=©(™)Žd4î´–ÊœÓ-x!+KÈÑOê6§:®ÛD5ÖíÓ·èV9nO³•¨&øëV•RëV‘nÅ­TkŸ)í’	âz¥ÒÛʇ*üHWoJz­íhÊgÆ©I³¿ÅyŠMÙu²–×±å”p
-­
ß„·H#lQÈ36Q°Huèß»][w‡&@(Ÿü}è>°”°Qò4³‰j‚Ûe” µ²;´¨ÿb¨T¡ë£ÄÔ‹ê4›5za.½ˆVô¾ö7ä!cªôtXúE`Žò80oæðÛ"z1ÕÑPC
-]ƒäéì=æøÕfŠ3“W¨o@ •ÅTeLìªxgù§ª‹íºZ4VPø+º]³²t“¾Ⱥ¯°ÿ~}¢+\Á°qÒ2¢ãî‰ñ»½ApÐç)NÑ!«c_à)x¥Þš÷¯({ÇÐ<:®W9Yîýlïx+ú®y_ÀÁ_Ð pgžåú¾ †hù—9ƒeRë˜Ì†ïGLHNùF!gžåÅ_áÍsíÎùFFuÂ9"Õ÷zÑU]ÅØã¬Z+s†óD5Áú@ÐP”hQŒx¿.|8dk.¢²7e¸%ØŒDYsZ³ºZ<àÈ„¯4½xĉcŸ¹d$}³¢ý›ÃuÈ Ü9-íÐÚ‡jG¯°‹Šß0_O¾ì³%`uBá?íŽ nnÏõ“¤cÖ¦Â
ìXaò4é‹Øxçé=È_¿µ&nÛ§‡cß5¾¶E!ø70ëèg*š }ÀÀæß½óŸ
-MȾÑàó£-™µ=L¸Â4˜£úkµèè}Ÿ­«­çÃ+bwb'TÃ/Ÿqç7†¬s>U…qâcó¹žÒ·Â¯`ð‹ïÌE3.½T{¾Â…8¢p…ó5ï7f$š«cÎk˜+8ã¼ ~`GP¿Ï¾ìz7ô£	×ÐÍöï7Ë*%‹¸T
=Ú%û&«Â÷_DE}ïl£‰lÔŽ³Ñ‚9
-aD 3ôýwáYüw}õË’ÉBçIÐψŽc~$Âgç_B-ëUƈßu«àÿ¾Gÿ÷þ?¼ÆV«f~ú‰èðg€@Ëã¥g½ÕøÏi´}¹?™_Hdjá|›mS—Lã‹-‡:ŸÌ3 0¤ö˜“L
-¥ÎåD¢8ôüF:OW”½´‚)üÜa=°=³
-ó»ÊØ?†å»ÙzûÙ7®ñíðm,Ëb^D¿JM}9®ÃϽ'Œ‰§¾ÚwUÞ=¯!O°VËJ4SʉÈJU(7f=}~Èûÿ÷âÓendstream
-endobj
-2168 0 obj <<
-/Type /Page
-/Contents 2169 0 R
-/Resources 2167 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2171 0 R
->> endobj
-2170 0 obj <<
-/D [2168 0 R /XYZ 85.0394 794.5015 null]
->> endobj
 2167 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2174 0 obj <<
-/Length 2303      
+/Length 2684      
 /Filter /FlateDecode
 >>
 stream
-xÚíYQoÛ8~ϯ0p/6¶fH‘’¨—¼MÚËnd/°‹n‰v„Ê’kÉIs¿þ†’‘dÙ	Ð×C€ˆŽf†3ß‡4›Pøc“0"Q$“8$¤,œd›3:YÃÜÇ3fyæŽiÞåúuyvþÇ“„$QM–«Ž,I¨”l²Ì¿L%, 3A§7wÞ^,f±˜./gó <š.no/o.®þ‚÷3pR:½^Üü¹ø„´ÛYL/ïf_—¿].½Y]ÓåÚ¦ïg_¾ÒI+ø팞Èpò/”°$	&›3r
-Î¥<»;ûÃìÌšOG]Á(	xŒø"à_HFÂ$	'q˜ˆÃ”öEÑà’Ò¦ÙoTŽ/ÅJ/ìüCØý¾J¨ S—•ðrõ”ð€ðXF–ËI¯êÍ~»-•ƒS9£ÓåƒÑ”Àz(
­Œ¶-Gô”ˆ€‹žb]Õ»“S•¿³ëªÜš,K]•Ïvª,ë'·ä|gY½Ù¦mq_”Eû—z*Ÿçfª‹Í#5íÁAÛ–fæ7ö·\ÚCù?4¤6xˆWH×¼*ûYhöдݩúnÙà¡Ì¾Ù7/=7¾
ã/°“1Äåû›Åõ¥…]½Q¡ûY”.OµÏ¾æE[˜
R2Õ{x[9tùs•CO׶ÃPÙ7÷E§$ûê¦;ôîKe?Ù@ü©²»tN©N:£IG"kË™õ¾-Ó+S“žð…µQL"_Be§àÊaÁ•ÓlZ±¾ÄL‘¾âÂ:jåhµýTý(šÖ*KÑ ÃHÈqUr°µÏŸ.e®—ºÝnöÖ¹H°qÑÓƒÒq–Ì.Pzˆ5'4éUfi…¶ëq]ÁÁŠ™“ŠM—tnñÐp­çM»ÞPGÖ´›oõvÌivk–ÄÓÏÞÃÁY ­Öä	èOMØì›ÖÒjËcü‰4]fÌg-šP›PÚ°.EæžEÏ+kOWh3Š¯ÆmǺ^™LC
…é’7Ó{eÂÀ™…—.ÜmÆ@½¸¹»»|cÓÉÀ$øŽm!Mòq{ñ…$cPÓŸ~HR>¾»úøÎKÿýòo+À´v@¼ñ
-HtÝ}CçûáêÓÈ-ª=•°Φ“§.].sˆräèâ¹´ÖsÕfç;¨"å#¤xµÀ€@ÒóÓx®CúWNaL8£¾
¶yî4`Eí\±zvGšUº/Û#mØ1 áU‡½0ð—e2îzLwç»}u®ÍÈÏó¼jÈ7õ|à5}éÇ⤞éÀŒ¾Ï’„€»âžj‡àž—–€Viëú*¸ÛzÙžéÊ:KËùËmð¦ÎÕ1·&lÁi·v˜Ž»Õ1éåüŽùÁD—$qìnÏí-|O ‰dî–ÐÀâP^%ºûÆõkRÈ/¡¿ŒŒHÁÙ[ÍÙA]Àöc 2^FaøšAÎâ1p<@%<ÏtŒþU+ã„ÑHô¢qŸ6j	w÷”Õ¹¿p'±ÿ\/Þϯ/ÂÆ2¬}¶"ëÛ—ÂU]èת2í©ïFǯv	ã¶Wnv=Óq”9¦ÿ£ìʶ»âÑöú=¤ñ€PŠ“ñðL\êÇ„²Hö"â‘Æ’.Òô[½ÂçÒô›Ašô¦	÷vâ­H³øOéßGFý^ýÓ?]¾üD+`ÿ“òX2Æ€ÆÆÖ(í!&èa’Ø9mÿN‘_hendstream
+xÚÅZmÛ6þ¾¿ÂÀ}¨ˆU¾SÄ}Ú\rÁé6×lïhûAkÓk%²äZRvóïo†CÙ²-{›ÛE€5_†ÃápøÌC*|ÂàŸd:eÒ©‰u*ÕŒëÉluÁ&÷Ð÷æ‚G™i/4J½¼½øþŸÒN\êŒ0“ÛÅ@W–²,ã“Ûù¯ÉÕ»w¯o^]ÿ÷r*4K^¦—SÍXòãÕÍ/Wo©íÝ¥ÉÕ›×ï¡*4 Ä9Ê–Ü\ýøúÕåï·?\¼¾ÝÚ3´™3‰Æüqñëïl2Ó¸`©t™ž<@…¥Ü91Y](-S­¤ì[Ê‹÷ÿÚ*ô†¡c>P"K4v6§’iþg¦•YðD6>-‡ÚÔsf	4Ž®XìGì«šrû ÌdjOµd|»EBNÀNk{ĹNPvbµ†3´I7èâ êRm’ôêQâ§Ë©áÉ-üÉëÃ
A¥Rèlba¦LŠ0ùä	O™rN’Ô V»óBhøþz%&¯jXÓd¸¬^ót¨:¬ËˆAèq
KÌX TšÁ‚Ñ·Ë¢Á³I½n‹º¢2µ™d•Uù9ö/b_ÕúoZªµ5ý¾¼¾yEc5Ìý¥dɧK¡_Ök¿‰ÓäÕœ
+«>Ó ;O¿ª/¹ŽãæèEŒÚÚˆz¢6Kf˼º÷sªýæô³èÚn㩼ñ¥ÏZÓÃ]QÎbÄÊÉ0$že2ƒvGnº;)Ï;SáRìœÂ¾q%Õ8þ°”a€I°Ë™ØÅ6Ÿ­:túžB[ëa´@(9-chÿm•?N›zö±9ŠkmRË™™'>²n+5bŸÎj88»}¯Ê²~ˆÇo¸ð‹Í¬‹6VùŠæ@§”©ÊT¿ŠW–t…5ýBya8V«TJð˘¦1"Æô¢(åÛæ(àz2R§Ê
+ýU’K‡ÊÔïvÈ)ŒTΤŒ=‘Fˆ”0WýŸ1Œ„ƒeÁEä—«€Ž?‡¿7/¯·e‘¼9‰špø!ö¹Š¨ÉRÇ•"¤–O ¦<‡šCÕgPS;‰QÓe;Ô„r³¬»rNåhðÛU•Ÿù¦Éµ"ÜAë¡/TÚe”
 —d…Ú*ÿ€[E†EF¥
Âi´©b
+ÌñÛŽ}Ȥ„㤔0š-¥Øš­3²‹Ì®H×=K\´¯]I-w~–‡S„ba
ØÚ¬ý¬ø1á£JZTÙÅþ-êã¨0Ýãtåg(U+.“²XmNvc®
+Û£€_Ï=y¬ü\T÷ÔÛ|nZ¿"«w×)µ^_ò¤¥"º$γñqcâŒoãT˜Gû°D?)f¢P˜“Ž¼+[j˜Õúã¾Û\rhöcº¯¡2yb	-»þ°>¦]nµ7³ë¶ÞÄјSG¬£M3†éw;yŽû‡
,°ÙŦ®V¾jI2Ät~¬B~¨¨Q››n½Æ T,‰¶sìo<ÈV8c·ºÃ-	F,Æö€Íøˆ0cP[¿©Û°
@ʦÆ•¼¥¶¸éÐ9k;\–Ÿ‹MK
C°N{
íuŒæ¼DzôÐOY´m9zˆÂ¶z´óµ¢JW}ÉSaÏ\ÑŸ:O-ýá	xiöR •)—Ögµ=\’
+*B@Ç<áÝ&ÚQ¯¢E}ayBtô¦‚Ù4S™=Ÿ_Nmá
+©VÛôœ«õäÆSØÔ=ų†i噩ê›-y–h)ËS¥3yžhm¥ÑjGˆ–K9߸‘óbãgà÷ÏG‰PY&
§=¦Y½Ôˆu{1¦dyHó{æýc	 ­Æ$Ì8#R2uRŽ™{00>¦ÐÓA2_P¬€Ú5Í‚I1€t˜*`¹ZÑ
*eQ…f8;aÌ}‡@Õ¼ÀK0Oîºhç_Ô¡?ê r>Gí!¼¹˜ÃÕ:"óÛtÞ߀X<1'ù›àé̪¯Âß\`¨îÎD?â{“!„~Š½íIaûí7foؼьö6T}†½I¼ß9g÷ØÛàÎëÌ€½ÙÈÞ,âYl)¢ˇ®šõÃlòP´K*a@ª½K
+€‰p[N»0‡]pœ÷ïdÔÄst”Ï–8˜ÛŠâ0¢!…I`-ëM8\T!¤Î¶ä}O8èØͼöMõ]K;‚„6óTiü¬pPl
+¬~WuGÃjþŽœŽõ^8Ìó˜"÷q€*³":€Öúƒ†?|Äa.Z±>ý…Ý´2žÚŠÞ0á–DbB·¡·½sVâîA‰ÜA´âOEéï}îsë,_Ó
+¥€Vm½Nô
+³äC^”§Sâð¬>ïøÿÅQ"úfÏgÄ(eöNÙ§¼ëÄK¦ôN×h2ŒBÓ¡ÔH.:Í„90ì½o»"}q"ŠÔÂy [˜4ãî0‚JHsëÒ·”ÿ ¾ÞÄh‹S"aɨ	0€Ä{¶¤.¸µÅ”Ç1âð2äÔÉðú€\³²D›qtYÀY­â$…1ìŒRÎíŸ×=‹ í?óœ!…U+ý*Ïܤ2Ó_Äû!§"× É”}*!
+-S¡úªO¾ΫÍÜ7xñh>“ü„„ÅCx“ɈßÊ$oº=¾¹„(\i²§î :ÕÚÎ@CªéNºÕÅ;‚/¿»„@Š2€¢ù]QRZúÊã{nѬ°JÏÊØ<ßÔk*šS!à*®€ˆÀ>Äß#ô†uÄëõ̯[ªÇ[«Kv6`k=’šà.–
+©úÜtWTós™IOv©œîÍáYöm›“	{êŒÞDZhTïi„}Ä펞]Ž£XâN=µ2Ù€; Êž'a-#’­L")ÏH
ö2Gl×Á‘,ÛöÀ%ÊM×/iå@N3&ÄÁ£Ý†àžjf¸5zÆ0mЃ]Qw
	Ì[ç˜Êp@(ÒÊžQõøаøèÃâ Ô7¾Í‹À®‚†ÍŽ£áð}'$Ò³\ Ìe}º?Í“†þÌ´ð%¤Úwž(E)zYŸ~:ô æ߉ÍØM‡RÇÈeifíÁ”?{ÌùñãHWþä7ÍöŽ\Å—5,ÇÏz|E{´‰´r0©wg¼ƒFï„N{§
+Îù÷‘s„
+d¦sóõ2ÇóíÑC92ìp¾ÿÓ3w]QÆ"`xÉøÓ¾3˜ôùy×ídÎ|û#™à¸Ç1úÍRô²fùl駋‚ÞD÷¿ügÂóxÆ°­Ì‘eû_ý @þXö¶Î£Oæy›SiAG«6nYj¬²£6ŸýNWTýÁÝsŽŽÛ´8è›û=ì‡/üþ¿ŒôÔ¾Ào|ãPÀ¶äóÙÿ1c÷?O”°;õeU2ü”éxo.žKwhº–l…°#¶ÿ…U6ýendstream
 endobj
-2173 0 obj <<
+2166 0 obj <<
 /Type /Page
-/Contents 2174 0 R
-/Resources 2172 0 R
+/Contents 2167 0 R
+/Resources 2165 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2171 0 R
+/Parent 2169 0 R
 >> endobj
-2175 0 obj <<
-/D [2173 0 R /XYZ 56.6929 794.5015 null]
+2168 0 obj <<
+/D [2166 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2176 0 obj <<
-/D [2173 0 R /XYZ 56.6929 524.4854 null]
->> endobj
-2177 0 obj <<
-/D [2173 0 R /XYZ 56.6929 188.0905 null]
+2165 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F55 1070 0 R /F53 1062 0 R /F63 1103 0 R /F41 969 0 R >>
+/XObject << /Im2 1089 0 R /Im3 1223 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
 2172 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F53 1062 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R /F14 765 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2180 0 obj <<
-/Length 2516      
+/Length 1809      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YÝoÛ8Ï_á·s€5ËO‰zL›l/‹mškÜÃmTI¶…Ê’×’›ÍC)S²Xˆø1‡3¿™¡ÙŒÂ›iE¨Hä,N$Q”©Y¶½¢³5̽¿bŽfá‰!ÕÛåÕ›ßEšóÀ*hŽÎ`–‰ÔŸ~Ç™ˆ~ƒ%”›ž 4>ö8£2èi©Ž=ÐG8§D0ÇÁ\¯N·Eþ•*ªáŸÌóº]dM½ZõÉ\ݶE¶0¢aûó‚´?Š—pqÇ(–ˆˆP®ìŠ·Ÿß?]TÂrSÀÖ`Ëk6ºØÌ4ؼlq`Íô¼ÈužÖ]å&Û®qãHTÖøí€Õsƒí¶Ø¥û´s›|¥”WL·`xR(ØÞï€_6O±
-j‹¿E8Þ¬p¢n»Ü1dóC[Ök·+œd 7tŒÛ§%ÚDU~ߧûì¬@rÛ(»Ùþe×5ë}ºÛ”5»D/A’ßp ­sllSÇ'Û¤õºp¬jÇûÐP/ØÇvU¤mÑ×&á"m’k¼iã—×FÁ÷užùC	°x¥ñjÀ°Î\m˜@KeW[¾rc˘$¶Úbÿ³pZmwV̦ÂCWVe÷rÙÈž^êf×ÂåÐ#àÇRs"¸’SÞÎ@r3E§ÑšóB#da‘@²	4ì©Ž'@ƒ_ßñ*T  '‡uÛöY±Hó|_´-’÷$Ò‘'ÿæ9gœá–t¤”#5n^®«²*&ØFŠÄJÈ1ÛÙ‚{žã)c¢9Ç<Û‹<9œr„Ëæ\²1ÇÝG0èÄ`èÚ5ûn‚1$1eÄø¿}ëeb‹¡ÎN3M˜¶2†8Sþ+‹“Dk=¶=ÇEÈÒZâ@4ÎÁ‰”Ž;Ë|âèlU‰hxô¬Ùn
ÂLøÜ‚IM¤‰¡ïÝÞ=½ûtÿ¸¼ÿøÐ/:‡óIFˆÁ9QÀûh®*ReAÕ6z,tÝ~Sü8T–3£XΉe9¿ïÜÄ8´E^œO…æ2ëñŠ™–®#24©ÓÔm÷œº}vx ŸenÃŒ”þ•x{ÿpkQ¦D)¸¹A8Ä-=¿_M¯(Ñ’{áÏi\¡½Â1è	égóÇÑç²ÛàpÝø`ˆ–a«²vÑ´ÙÙà„Ã6 Á7µÒ®Û¢îLÜØw¸`·/ëÎѧøi7Æ91T` 
»j$–„
­ÂÄÃÎ8w‘û0bålGѲ'O¦e•~¯
-_½ü#êÒ…¥ÁYÈ´ƒ5p±WUg`LôF¾Ýê2ƒ¶±r
-7-+©ˆ#gÐfȇIÓnúVŠŸå»G¤Ï©‹¬+!µijк¤1¬¬s›Ê£jìòìTwVˆÜ™žr ho
-rž—ë²KMtN@¦r]§>É°&)Åü¾FJÔ6Pe‡=RÔ΀ô­7ånxì\Gò¢
Ky…†˜xiB¼•Û4x‚ $Iz´¶yñ%èóL9°²d <ƒGÎq#"u4R_Z­›=¨p¬#a½Í|ÿýáæÝâíÉÙäÏðmpæÐŽ&ÅO»Iû×ö‹ûö
šo‘zEmI¥…H3€6
o#M
7ÉÄ%¿f*©v*‰]Bf¾h»—ʲÒcØ1›ÒŠ(öê#l˜Š
uÛ9~¦§wFŽÑŒÿ«
×·;“—ùá„7U5بª[Z4?ãî}ºÙ‚IŸëÂåœÛCë(¿{x;÷ØòÝeÜ)~¦"¿Ž!¡(`{4ÕýãÈï9.B–XüÂFBerÜÙE~µnž]iÐ5#„áòÔ‡LtÂí—`Îœ%ñ‰ÞWŠ`Œp¯lYej°õ¡æ0çª2K€Šy^tÅ~‹¡†7Í3Žã¼eÔ¥Yç7ŽÌW"¨.¸‡vÃ4Çö3†j3Ý{)º²;ÆГ}tÀÊÔnNƒ›æP¹Éƒ1Í‹%ËG›1=¼w¸zƒ3E”†úÕ¢$¤òϧEIOeöí+Â$#:Qâl%JÈ`÷ˆCq÷ªˆ=Õ„ŒÃ4J‘ˆr>òs[LdÝœBö©Wê¥kp¡•/BRô˜®Ü®7Ö™8a!º8J„²˜û%,ÀNÇ«Œɨ‚”ÖrhGUWbo»´ÎŠ6L7ÜÜΘק6ÞsÓªBW0¾Ûuøú`Àmå`ª±;ôñûÇŸr”ãÀP䘺°$G]¸×‚)e1.’üu
©ÎÛhOem4›²Q
-9 ;SÓ4bàePq¼*_O5!àÀ@#ðY
-f4pÚ@MMÍŸ)»|£hcX'sÏG¶q‘ìøpeÛÆjX±cî%â¸úÁÀ+WÏ”&š'úäê]3’-ŽILuÔßN4#ÎÄV
-T”ÄQ¸""$?$H·ç¥­'šy™ŸK“îqcz_·9¶,:Â7¬kÌH–„,öÉ`°•ÇŽ)§i—«ãäD08P1ûU_O˜ôЕ7…¤n:¯Ø
-‡âï²íÎ:œNŠ×ý- :ïnžÈz[{zot_Œ0¨8^•«':lè='1ÇɧÁaF-{_ÃÇŒÄWp‰Ï¡…É0ÒÛ‰ÕhMoÐv…™inÓ.ÛnQzJ
-q¼+¶®ÒMÜ/[°üUeê™J†÷=|¡€/4¦#§É¹f$Š/ÔÉ6ÅâèÅ1UæåÈ25o;f£þ}Aã¯-v
-Þª´5'ôP$Ÿ?éà9ÈŒšç óàÀüëŒm[äi÷šÊùßIŒr¤ÂðÅà×*WþÈÑg7ƒGœð‚¤èÌ[Ôÿæy’^*j"}\¾Ð |¡¤‚Ò€9÷Û¦PÄ<ªN8íë‡ü»çñw]iòb}&ÝTpä…2çe’Eï!=•ýÿeŸ‹}endstream
+xÚ½X[oÛ6~÷¯Ð£Ôï±'·¹ÔEëd±ƒ
hû Xt¢Õ–*Î/†#J9“áøææbz>ùÞaÄ8ü4žÞ?º¹›¡¦áøêb6ü:ÿ0¸˜ï`µ¡Ì,¦¿Ÿ¿â |`Ät$‚ïð‚Ñšë	ÎX3³Ì¿ï¶VëOû¨à4B’I£Q:~b[Õ„DýÛbàU¡ˆé—U¹Ï0¨òCÿAWÑ("Hh-‚‘”âö$(AZj
)DUZE‘Šdm¨?,¿µ¤FBrbᡨíVb<IÞÖÿ§ðŸ„“ݘ†W‡ö‰$Ò`›@ÂépkÁš¶Z¨=®¿ç¤ž8›¬YpžÃƒö1½âQ[s}LI[îH(Sv…	RR«úóÇ´Ž˜Pa¾)Ó½J"”7'õÜXÝj^¸{Ÿ°3ë<ñkV!È÷¶t¦YïÁ€…›ØSVºoÁ…)
+ðFd8Yº·mq°¯3&
ïŸû
+“m½˜–¯y:¤Íš>ós¹è>;îST‹GØ0âal‘D"ü+¯¶önÒc´	Q³035ºÈ¹¿~ŒŸŒ›Y@»W“c(áë´(€ÂæË~ƒQI‘ÆR¿n1E±:,´°Q]hFaJ7a~lVé"-mißëg˜pqæ¡Z I•ì¶ˆ¾h·R^QÆÛò ´:fQ).^³
+ƒ4ƇîøEOªEJAÞë¤ÌËÉÇž«›¯zŒ)D$æ§Kc[ª®GP0ŽKãNÊîzfÊÅY}.ysy\-B¸Å°“:FpP	b,ê"ØU³Ä,ã]);JâvÒùì‹ý^5~•¤–Ô	’©š¤§x{¶­2G”§k“&‡@(†¾[p}ÉNêJ·Å&YK?]-Ÿ¥É[Ç.Èë[
+ïºàìâ—Œ³ëžBÓTlåòûíå»áˆhÌXOXpŒ$—Q;Y(´?’0âÚêø«Nü„:°u>Z<šÅ7¶†D¶0/ÿ“gæpÙ^'çVß}—–ô*CÍ6­jDlÒçò ™ýoe¾ã6PÇmÆwó÷×·':<ï/{ßÏŒwÙÙ3\œÖ¾½|%ß–iµÞïËã²i.9\]1\w›_ÊÀ´ã0+ªM¥µùE€A§
ÞS‹Mß@Á]
+ߤ4\ÌÀ•ÎΟÁ>é¿Lg¾
nÉÂÕv•–Ï/ýÚPüχï8ýå_âö¿8r…àöÿÂUîÐ7À؃²''RŒ(αÿôúRendstream
 endobj
-2179 0 obj <<
+2171 0 obj <<
 /Type /Page
-/Contents 2180 0 R
-/Resources 2178 0 R
+/Contents 2172 0 R
+/Resources 2170 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2171 0 R
+/Parent 2169 0 R
 >> endobj
-2181 0 obj <<
-/D [2179 0 R /XYZ 85.0394 794.5015 null]
+2173 0 obj <<
+/D [2171 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2182 0 obj <<
-/D [2179 0 R /XYZ 85.0394 752.2803 null]
+2174 0 obj <<
+/D [2171 0 R /XYZ 56.6929 623.887 null]
 >> endobj
-2183 0 obj <<
-/D [2179 0 R /XYZ 85.0394 678.9572 null]
+2175 0 obj <<
+/D [2171 0 R /XYZ 56.6929 483.2189 null]
 >> endobj
-714 0 obj <<
-/D [2179 0 R /XYZ 85.0394 629.2071 null]
+2176 0 obj <<
+/D [2171 0 R /XYZ 56.6929 367.2053 null]
 >> endobj
-2184 0 obj <<
-/D [2179 0 R /XYZ 85.0394 596.6999 null]
->> endobj
-2185 0 obj <<
-/D [2179 0 R /XYZ 85.0394 561.6414 null]
->> endobj
-2186 0 obj <<
-/D [2179 0 R /XYZ 85.0394 497.3516 null]
->> endobj
-2187 0 obj <<
-/D [2179 0 R /XYZ 85.0394 426.9933 null]
->> endobj
-2188 0 obj <<
-/D [2179 0 R /XYZ 85.0394 245.5268 null]
+2177 0 obj <<
+/D [2171 0 R /XYZ 56.6929 263.1469 null]
 >> endobj
 2178 0 obj <<
+/D [2171 0 R /XYZ 56.6929 189.3485 null]
+>> endobj
+710 0 obj <<
+/D [2171 0 R /XYZ 56.6929 151.2234 null]
+>> endobj
+2179 0 obj <<
+/D [2171 0 R /XYZ 56.6929 115.128 null]
+>> endobj
+2180 0 obj <<
+/D [2171 0 R /XYZ 56.6929 83.3677 null]
+>> endobj
+2170 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R >>
+/XObject << /Im3 1223 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2183 0 obj <<
+/Length 3813      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÙrÜ6ò]_¡·Œ*š8H‚yS,Ûq;^K®=?p†”†år2$¥ÌfóïÛnð$kk­*ã Ðhôݧ!ü‰S¡Jõi’ê 
+EtºÞ„§7ðíõ‰à5K·h9^õãÕÉóW*9Mƒ4–ñéÕõ–	BcÄéUþyqþáÃË÷oþq¶”Q¸ø18[Fa¸xwþþÓù/4÷á,•‹ó×//a(µŠa‘¸.ï/?}¸8?KôâêåÙ—«ŸO^^õhQ¡Bœ~?ùü%<Íá?Ÿ„JMtzƒ0i*Ow':RA¤•r3Û“Ë“¿õG_íV)"e‚ÈÈÄC)N…Ò(’bDi+©,1.U½oÊf~•ðQ4Q"Ði˜úŽ@hiè{Ya$_ŽAX´´ð±È­B¬ª¦ÛçY[œ-c`ÍçeþÅõ.úÞ
uþCͲž·Óáï÷üU¤F'K™B	è♟7»lýׯűÊvÅM±>-m› ,Ñ(Œ
os'|õƸ…øºÜˆZF+^öœ.u:A	ï9ˆ8.[ß1*HQÜ@[k‹UÑŠ‰õ“XËÔy˜MvËØ °]ñU†ç‰m™ö(¤ˆÕ”m¨Æ¨ºa²ø8¨˜–Ã¥¥ :UKÓ–äØnøøŽ÷첦E	ÃþÄ"xk
+í'jÅ¢Ìl‰æÃ)ø‚Ò†_º\¼{þî%uí:+K° ¾ž !ãsùëù“•åÄî`W9E\æþTAáp
±BœP`²¯Î»Ox« Nó$Ö+eÐÅÁÚO„]òy±ênø¸:G~F:e‚ãäžÌÍ-œgÚC¶¶6À\ׇ]Æ8Kø•uvá†Åœ^qæÀ°æMooY׳±Þey1Soâcd¿-`®%y2˜y²ñNöÂÑÔÿ/Lqâ4lyác²´î2ÇdºÑL–=I¿Áhé@3êCÛ»¹söÕòû†|r4ãÛEßľáãb̬¥%‹	cLc’'RQ…©Öå/~*0=§"Ç Ô³n:ŽàfmqSpHC2tÓíÈÁŒµ‹$<{ Í›òfãö6Eëb'ÀlkGB°á¶mq[lm4#of<áé·y€¬iœNõ¢déÍË&[m‹¹µ!
+ž¥!ÆêM¶fÕKÁÒ–7UÖvì§hÎFEرVZŠ~±gí?´Y÷cº&Û²	ÅNÛÃyY¸g¢2³`Ï\]¾y=5¬r$¥_šè™•¥¹ö¸ç¯`€Ö‡rUðkÀe£k£#š´^4aNaÎÿ-ŒÂþâ­´Šƒ¶ö†geª„ïZöxk__^.íÕíÓËÉ)0mO‰íT–ò)´¼¼M2¢dÍp]Íë3jš
F‡··´c»’6„bJ°ýZÕwÙéþ<Ý»ÄÇ
‘N„µ“ì³va?tØÊÞwðfñ¢;òUø”/P]´6âvs·GóV0ø¢ZŽÎÀ8ÛÞÔ°;^×TaqŠbµøéÝù‹eŸaYÔ§aéEd±0‹»M¹Fóü¡Íf’ëÁÐæÐ3©)¶—K¿V67€Éº%«ÝM†7Š™îç;{‡g„G¶G·>õÅ«74yWn·´²*ŠÜ'¡63)P­éúA:éKSlf±“íá$ö‡’ü6ΈÆڻÂâpÝLé+ƒ4-*Þ5 2ªˆ_f	nÍHT´L¯êƒ/T+«¦Í€Ð@X6]Ù¢õDh:;¤Äa4$40	Û=CCã;VX¶b.PµßAJ±îC²çE»~Žâž¹\{t%•ÂõU—¦fؤ³p00˜ª† <‰ÕÌ	CÝEDªÉØc'kšzM\¡>…fÊCü:68¶Ä²PX¶3p‡äk'€ß|à•yΦ½¡	t³£•€#´ŠO"¦àÃ'«D
³\cÏ2Ú®¡ºl1¡7¤º²•i3÷v¯5©ÐÛw«­uoÐ'Ž5'õÍ!ÛoÈ1 +,k×=>’šû‡ 8¶cJ©>žI­CÍitv]ÃÓŠ_ÓÖ½­·ÌÙ:jÞ¾ü'­Ÿû6ÏZ®½8#Ì‹VÇlµšGÄó4T§˜]FO
+Su"\¥!¯¶Â¶„€B>Ë=ê±>	@:o«ÖAbeú XŽ¼³­4.]x[V¬¹
+S…*Û6>,Ý“÷[íBi–EÙgK³›«4Ð`\P|ôçB'ñPÂñ„Ö2ˆâÄÑÞÛƒâ²PI•%Å80¶_&¡ˆ­BøŽÎÈ}#há⦨\6
++¸àĪ÷¢4øzÍ–)dDûÍ
+¢s7’¦£j.l5:}晦“ÌÓúÞ÷:ë¶-}§ø{6\€˜ýPd\Ü‹_ˆZ

Gƒ]×R5Ô£ûÅë-˜±Û›iþÜ#×)<¯º©xT0t â>#ë³¥¾Š"m2ðldä4‡˜.vãzË(•†ÑgßÃJqŸ­Ù÷!–“Wž/¾Š@‰$žFïK\âI	T¤‰™<$…¸Oáá”SIbãÉ…ÍW+‚ÎȬË$µ.ò>Æ`¬âÈ©Òø%l‚›}x'¨Á‰-Z>}•5E¬é`skªÔ'ÓØ?
+‡IÌâSÃøÒÔB$C ~’|Cˆâd(;!Jd1ä©kH䲎8!ûM‚ĨhJÔUáê°Æ錜ÞĈ‰éÀïöœï0V U’£Jk6°Y×»¥ðm[V|È,éGhoØÙ¦Úâ$š†P‹«Œð}—éëŠAÝ–Mi£I†âQ羘Twí¾k}õ¦}ƒA‚  aüôà^+¸6
x€Ã?Ò€žH\­¨´o®œµ:Î
+Y@`	¾ú;ö`ÍBq¿9‹¢UM¤zØûÄ2zÔm€_NÌ´®õÌ'¨ JRù¤0A/—.&h,mg"6rÃâ÷ÝÇÛ˜–÷5VDq`´–¾Çæ)z“G`kG‚Ìh’øH~d“TP°ˆÜÕŒ9¶¥+…ÙÇbª0»¬m~ÀèQÒ“›Þ ߋE,Ü‹W¤P-|ïî¡Äq¨=5M_—T!ô15
+b‹h>IöµÑ>ÕzÆe;N¬c§s±à—I1ñ7±-SÕX¨dšÉHuÍb€µ{z4¨Œ“@(‡LžWÍI'y0!hRŽ^ÏظeHºØg%OP91]rcŠ[[ƒóHož„Ñ>.-Ú\¿'öÔV‹8PF;äßþ‰ ÿ
+¾`m¿ÿ“ÞíÿreWaË®éÔBù6Á˜x\µñ–fìË¿
9å­_§f®2Ñk>Ž÷iÂo·)¥w81æ=Nûx‰Q`šöf‚XÂ%`'DQÿ‚&ß¾sxÝ"¨ÊcF¶
+ðÝFÎÖfX±	½à·5h¹ê*øÕ
Úf_¬ËëãðÞ
+só,2uI©À¬l+FÁ®Øj­‚]ìƒ]Ìjaô¦b°î×á\£¬©L¼eªè]ðý#:2v;”ÔÙWj]ð< ÌÚÿóŽ¡Ðý¸§H#í¬‹›sa³èx®ä6£f[ƒX‚r¶´”k‹ðŸÀ¨ÇÉÕlìÅi> endobj
+2184 0 obj <<
+/D [2182 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2185 0 obj <<
+/D [2182 0 R /XYZ 85.0394 748.4221 null]
+>> endobj
+2186 0 obj <<
+/D [2182 0 R /XYZ 85.0394 656.9381 null]
+>> endobj
+2181 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2189 0 obj <<
+/Length 3278      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z_sÛ6÷§ÐÛÉ35CIÜ›{q;é\Ü\ìLo.í%R1/"©ŠTçÓß.v‚¥¤sã‚‹%°Ø?¿]¬,1ü‰…N£ÔH³ÈLéXèź¹Š`îç+Á<7Žé&äúññêÅO*[˜È¤2]Þ]ßH™¨tyûæÍÝýËWÿ†w3pÆñòõíý»Ûí͵‘ËÛŸï®ÿxüåêîÑ‹Š.b…2ýyõþxQÂ	~¹Š#er½ø/q$Œ‘‹æ*Ñ*Ò‰RŽ²½z¸ú—_0˜µŸÎªBÄ‘T©œÑ…TsºÐ&JLY]<ÑâtYV›â°~ÀÁw"ø.Aö·ÃÚþ°+‹¡bÆpƒm3úª§µß½|ƒƒl9tD諶$
+¯e©ûk‘/«?U?ôSþá©"B[4•[bÿ©Úó"í¶ê{ÏúLÔ‚Öcr×uKäžNÏßãXx¤ÅQQ¦L²¸"2ZK{˜ºEï0Ë*æÁ{ 3ãç§zýDÌ뢯ˆøøþìs½ÝÒhUh«OS±Z>>±r“Ð
+`á(&gíÞ|š1€HÀ¼ºÝPw,NS|kœÚ6àJ}—m•JÛNôá¶îÚ¶Zã¾iS×™<Ϧê||ª{
+¥¦x¦U…”
­ÜÌk•ÜC¨-OCÑÁ	éÂcÉ°¯«þ¯‡Ì`ȦÙÏ›Fë8=6M;Ó¤‚‘"ÑŠ˜:0ñF%‚MS£‰RŽ} *æ²V÷Ð*©Zvíö™wjy{Š~7Š0Éæ‚©Uåƒ&—JN
4½úЛ{ä}Kz¢À,2Jf̲svMYÍåEEB¤æXÕZ.û]µ®1ùÛZÓ»ƒ=红wrÉ»´PnØàÏH‡0Áœ;È\CÝ~à…žû¡jh\vn—¶h@Ù®ûT—¬:ƒ)­QÌB
+®à·;íÇÏgƒªÅ®9î4aêšêeë¶Àú{¬ã·oa="9µÚñ—šîSð}Ç´š?-V=e˜*1˜áF9E(;E 5<3¾7‡ž—Y1GS
¼×†&ªŽÍû×¾ü7j¬YŒ:ªYË
O‹Õðìëue1+QfùÎ~Ê,\ÞÀh5Yí¿p/³dX4㋾zÂîráä¼£áL ™nŠz;[ƒÞÁÍÂVeã¥IeÙôÔ8	Ë÷dCœ¶®
+ϯÕ5WuOìéÙøë~<'5¯dñy¾V§ë¤“u\Ë#;Í
§»ÈvÛ}îç\¹@(¥õ÷&{Pð¸èLŽ	«$†ñìòøìdiœàŠ­M„zCc™œä¢`±0†ðƒ“BÖ”ü^…~ÒíçìÚÔ}O5Ež‡Ñoä30p0`xK”Õ¶h?ÒÐ囜ÑÚŽ0š­ëñ2§ÙNJ©$M}°,K|S‰–^Üè¥-Öë¤j2åryÀ&¨\£Ìh3Uƒ»¯|G£å{[ÁMÊI0xù8X¯ùåþábhzùö7ÃùÖÉ™7c\*¥MS¸f§Âê5ß$›ªàJ<2ÇÙtÖåÿ~ÒEQ÷¨ˆe8?Óõ%¦›‹š¾b¦éë¹ÈÒÜ<õ‡•ñ[T‹$Ò,‚kIvY&Ï5#Ôô掗æS¡*ª (,qqP:;ã‹oß¡p>…ÕjG3”xaÀ™Òö"ìqO+0	UœNDâÀ«bæ	WŽÌ÷ù03½ü
“tå5ëÆlŠ\-
+÷§p;à
A‚¤’ŸÁM°œë‹$ìí»U«#%c')¥/ÂÂ4Œ.¿áËÀ2’â`Ðýà…
§JÏŒŒ}ŒÜ:Ø;—RMãÚAWâšn&]¾¾¿}}G´öt[µíî@Á¯ÿÖõá×["N¡—&]žN— BH›g·ïéÎ…D@ç}¼i4ã0GÀm»¹3ˆ™"bºK•
v'\8	úNËÊÓíL©X¨ïqÏ"J$Î;>?U#à{—#n&\ê“Ž¹^~°e—Ö†±n“	7;´uk²|צ4ÉÜ?h¬¹Æs\¸Ô)÷¨>ß2w}:­¦ËÓÍó ÊDE“Ë€rTÏ…ÝvkßU,Ë=uB΃)|ªÓ4¹,çšHƒN²l*£©ÌbBS™‰ÀúY,3ql}œå‚$s½  Ñ!gPT¢ þw§€`Qž(1B¨‚å£ßv`d½ÊïcI+o\S\\ÿ0Ç@*R¡¾	¤¹Œa¾FE–MQ¶a*@Q‘8…á°hiAõ_ï&JK#Ïú	n¹-QWÏDã«c½Ã9²ÝmÒi¸‡£±|³ÂÅV8{Ñçx&ʪ¢'µ«pD)UÙitšv×T5ÃÜX¸Úõéá£}Mï("æ‚ÔX0ARÛSLá8ÇqíJF{ˆ3ý¾$»®¾=m뮾þÐúRò,LˆLG9øæe˜¹ÎÄçr™¶Ç‘Cò	4HlÝå—EpL3"L€Fbå>‘áaÒ%M}Öƒ‹5EªGÏÆ—±tEæ.¼œkÛÔg\®{Ø´PÊÿÓH¨ˆãÌ¢\ÆYšSPjSÐÌÚ&‚L°ô|8èÄÿ^ë‹1˜\㤙ƕÍ-pWý²€Í…ôשËÍC£|ÙÉ
+³襬 Ziø:gÜÝÊLª.K`¯BžŽžÛa¼*¨ýœêó…K1<ñ:6¥ò4%õX@BÉÿÂõïgCGÆ‘\Žœ‘éBà0“E­má2ªž™™‹"x¦SN"'6r"„
œÍó¥šÅ
+Ç¿
+¿âeÖQ…R‘ÁpœïÔO0ãey:©$¿¿‚
+´V÷³BÀ-\k熯îç~¤dË»=f·7 …Ûw×JL~ôæZˆþ๵-lüEƒ®þ®öZ~÷7äãà'“êä÷)ÎåɘÒÛ30§Árr
+1øKú¶*ögŽÄe–»yrõ`ŠèÜ?»)á¨Íh?öþóÿ#Üø	ör9oH	©Î`ㆅBÙE"Oý–ÿeîTöÿà5d	endstream
+endobj
+2188 0 obj <<
+/Type /Page
+/Contents 2189 0 R
+/Resources 2187 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2169 0 R
+>> endobj
+2190 0 obj <<
+/D [2188 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2191 0 obj <<
+/D [2188 0 R /XYZ 56.6929 507.1706 null]
+>> endobj
+2187 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2194 0 obj <<
+/Length 2716      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZ[oÛ8~ϯ0°ëc¯õ²@ÍtŠlãèäA±•D¨-¹–œ4óë÷Þ¬m'íb"Š<"Ïõ;¤Ù„›hE¨Èä$Í$Q”©Éb}F'0öþŒ9š™'šu©~™Ÿýü«H'ÉžLæ÷¹4¡Z³É|ùyzq}}ùñÝÕŸç3®èôr>S”N¿øøÇÅÛw}žñéÅûËxåR$@Ä8Ò%túñæëwç©œÎ/Ïoç¿]Î[]ÖÈÓ׳Ϸt²„üvF‰È´š<Ã%,Ëød}&• J
+á{Vg7gÿvFͧ1QH¥‰â2™Ì„$:9¢£„*À,UIA`œÅæ©P`_Š+—*_¶Õ‹mÑ÷ÏTJ( »ÆˆOáDt8a	'Šé+7›bQþE)/`DÓiû˜·¶•¯V¶±Û,óÖçÛs¦§…#®íóνÏo®ÞÏšò¡*–îÓ¦¬üÄnïç_U—+®á:Õ°''ø^öbî†2Â9eî»M^nÑ„’‚
+iæ	3cŒdJqC4÷ô4Ä2Â’4Û3[
¦Ë´p4‹z½Î«¥U\ýTl·åÒˆ^óÊ©6è¸	ö_Tö‰1Þ|«²rÝOenY‘]v¹f`ÁÌó2‹²+‰+v$õ62
ÈE'JúY¾Äfq¢³$dä›ÎR–‚3Ÿð‘@sÄC,Ñæ¶Ø_‹|[Öë¼t2³í™±‘?œk’	­1hFõlR’qÊ»,}*¾îJkú i–yGÁVUÛ§®w¦±(º½‹Ú<—¶¯¾·Oc-f²—#/¾•Më–x.ÛG·„ÛðÐ{`)åt4Î`[‰"©ê”>•p}\£]ªÃ:
TC­¾¼E«"£ú8[*Â×P³"å¼ÏØP·Âêv,nœ©Ö¯”vJ’ÖöJÓ¿¨¢¹{	OcJrº*ò¦µ]uUØF̬ÄÀ¬~²q„ItÆS÷l~FkëÅ&´6`ƒ¶)¡AÕ	èP±O5öìí¶)Ú±	˜ŽÏ‹UÞ4·{†G–V‚g6PE¸íYFÊ!)JÕg·o\0Ÿ¡…^ϱzö½{¯Ç>oØ6:1ó¹ºi"âè"ƒ¨Ÿú`ìå12o’!L²D?Eæ™Iž†Ø¦k FÔ‘ùoщ›SÔxFHB¥â
H†4ŒN¯îc³J’J™ú„{”?ï¥KÁõºlÛ\¼]}´Ot»²j‹mU´hû¶×óïÖÅò°CÜPBŸHs]ª#á©ÆAñ‡‚QHØG™
Tn‡A"ôÙ?¢Ä$õi­ë’z÷Àñ¼KÖõŽ}ïÞ;ðSô3!Aê™z•GÈWxû?¹„&\Jc׻ƩßÄŠc‚¹(S¯räà 
+ø¡\eǤKuØAÕ:ˆ¥ËÛœã‡kP!a*9FºTG4è©,8·Ö×× ¸1^§]5PE–ík†ÌØ[÷Öm†—E=õA‡S_ˆû!b»'ªæ)_zsg‡ý˜Í¬š•9®ÁÇÝ*¯¾ì/¢‹šAÊËô‰r¿KuDÔžÊúyó\lG†à’è$=¾n Š,Ü6çè%ý…;ÞÒ·ãÇ_-ÆdÁ±!Ù‰“.ÕaY*ÏŠ»ÝÃX‚hÀGÇ—
T‘uûv§‰¦µ{ÏÏwî¶Uÿ¾Ò°óãà£$MÞ±j’Pë©Àhœï
+ ­‚Ù¤Ó1µ¦X—‹zågß—IîFì³ M‘p­¢Æ=È22³¾tùçÅï×.o"	‚âÅ	ɸTáÔÆ„B¨·×›•½øæ°5vÀDtÓéBûðJYr„>Vƒã¥%þ  ëE½[-íöFOwMázì];ÚÛÖöYÉ@#ÔH@+þDþéþ\ɬàc0Ó)”„|P:q…¡ħvt2ýX·¥
åÊ_‘˜–ë*«ÍÎeSôB—=Ä2-;¯}q駱o¹›g›hôÉÇ(p—åÐjêáâ¹¥~°[ÜmÌÖh?±ø›1wßD̬	38×Ã@ü­B¹°/]déSbÑbn+kÈhÅvü#í“ï
°¹#v¹ÈG3‡0¦R«¤œÏJ{&7Üô¿,‰gÛÞ|°]¯–uÓ’žºqàâ•“\m˜(žã3éDRê'5–r¨	ä¾þ"¬»ˆOÃc÷íJà¢2'd§ÆÇÈðåVº8Ý-ìÿ¨w/¬­d¢a…¥£©:+ñ1Ö†¡°PT8`cD²WסLqíì¯#«þýrÙ+ÿ¬qÏ«—™êÚfçbú½i»ÐÌ|™ãê¹ùüÃþŽÀ)Ïýh©¯‰_%ûì®þÞ*’¤hˆÖ?ü³®ýÏ×$„|}èNªy"$ÇŠ™I1d]	M”†¤8æý?G/•ãendstream
+endobj
+2193 0 obj <<
+/Type /Page
+/Contents 2194 0 R
+/Resources 2192 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2169 0 R
+>> endobj
+2195 0 obj <<
+/D [2193 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2196 0 obj <<
+/D [2193 0 R /XYZ 85.0394 216.5531 null]
+>> endobj
+2192 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2199 0 obj <<
+/Length 2074      
+/Filter /FlateDecode
+>>
+stream
+xÚí]oÛ8ò=¿ÂÀ½8Øšá§D½&i/»­·gwhû H´-D–\KNšC¥H²ì¸×C€ˆ3‡3Ãù Ù„›¨€&a$‰¢LM’ͬ`îãó4³†hÖ¥zvñA„“ˆD&÷Ë/M¨ÖlrŸ~¾'Ls`A§wóë«ó—:’ÓË/_næ×·ÿXQ 
+J§Ÿ/ç]~BÜ—óˆO/?Þ,οßÿ~vsߊÓ™Qaeùqöõ;¤ ùïg”ˆH«É3”°(â“Í™T‚()DƒÉÏgÿlvfÝÒQ0J¸øˆ$ÓI†¨ƒ¿Ï8]Qí·i\{ à:cŒDJqGòw$ÙîÌÎüðä?Órg…‡²ä±ˆ7†˜Ÿñf›’”›>#Öeäwrã8MOðp3:”âðj~ùù‡U¹1벪ïÙ¾2Ej§/>pÑQ	s€"8âû5ˆÅÃÎzÎôÔàÿû¬Êj7£¦IY¤Y•®L]á¨nÖÚS mevOÀ§Kü&k“<6+â	a-n…q(üBÄUåÞ
¿b“Ò}S/J¹ô|Š¿ÓËvÔ²ËÒJ§ô¨öÁï…Ó[ËLE=a…—ñ@p}ðð€nlkÇöLU#bgyåØ*ÏVÃʬò2 Þ`”–¦Á•~©ù™Uµß,FÐFÜO¥é4«ý·Â/8›IaI˜ºÁð}¯\Dx»Àèym¬5óÔ­°µ²iÝn™ÄÊnÇeñR‘%
׬^7;dŸ—ÅjVÕ1øV±³Ôît›5‹`“Â~Ãé݇+2‘(µELj@}ZÄf_ÕWz§OÄÅ•_f½Å"Jgj‡ë»—ßÈ:“›Í–^ž.ÓjÀA§6‚ãoTQwÓp‡ÎÁÖ°jäðÆ™A0ï^©¨·3`¯ç‹ÅÍŽ³'A7\	…HwùçyùŒ('PÕŸ^ÇO1ww‹ÛïZîÜüÇ3(RDÎÛ
7Àé˜4lҞ…¡ˆTôÃí§‘ôÁHÈX‘šéèH¸G¢Y—
+£½‰ö-•ÝõÂÔÉÅ¢HþW¼X`Š¸ôâ´-Õ¡½èÊTHSA_†}åiÔé¾YjŠ:[¾ ”še¼Ïkš @›`zLc‚AæÓâ
u¨Nh¬¡r{Šw»}qa%I/Ò´¨È£y9PœMøa(OÒRJÒW\¦tØ¥Â\£Úp;ÐÕ=ø,Ž¬€nà<µJ÷º.ð›—IœÏÊ"÷”›25G•KA
+û
åv¨N(·¡²'ú/
+“]B…a¼](G‚'I"Í„'pþqÈ„1*=Ñê-.ä7몿0’Œh)دŠ³ƒuÈ€\}(õ–@Äc.Æ©&ŒCŽ;iŽ–êÐ=ãPú2ȾAâỂ.aŠ¤tùÈA®¨€ï?>_^Í>_«§%}tÄCs‹ª2ÉW¦°¡_ÛIŽùšAÅéI_ëR÷µ–êÿ¾vÊ׶»ìÉ—þ=œP¡äi“´T‡6éû›	eî¥õ7uýÍB忯þf!çovÐó7‹xð'üm˜’gLC[ÅEÔOÍ‹›tÝËO‹?4
ŠÐˆcub+
&[-Pn!Aiø
+qð¤¥z…lõÖ™ƒz¥E‚yÈ¥žö(i3ÑÌæðî1›9ÔÁX-õ+z”*ïÿú¸x[
Ø;A_ìÓPÄ|p€«”a
+m–î‹4.êÜOVuéñHä2|ës6}.q\™m¼ÃÆ ¨¦9”Œ°ÔóÐLøbÞ.®iŒ 觲Háú%À»(m¿ë°û
+ÃœÝumÆzŠëŽϛÙÃ.Þ
ÓkÖdæd÷²­ËÕ.Þ®³ÄέÑ¡c¬Þ!‹H›sã&x®ãb5HÐË}½m¸¨×]nàÆT«I"dÐXMRÐP´p#(4¿»"MšC	I4õÑ~Þ´Ãj¢Å£»ÕN„oœ‡GÊ2¶x)Êm•Uà õO¨1aPA†‚ë±Ä@t¸;0>™3º,Ž?Ž´T¯G·ï_gx
+ÕÕ”$Œtmož˜´ƒPaW>ìv÷ЂŒ…äßÎÉç~·×<[Í–YnFØŠ„JÈ!ÛÇ7ÙÂý<ÆS†DsyVoò|-ÓE@8—lÈq;Âq&B®ú¡k[îêƘÅñ¿ÚÑËÈ}ô:Û
+
7¶Jø…·<yUëñ—¼YËqÖeéã–ÌŠ˜¥#GgЇ)ôž”›Mܾv
žÔDÚçÄÞ廾Y\ÝÝ~¹¿ýsÞ®:ç›`2ÌïªH(2Z‡m"
ŒTù–m8ôà¿1~|`¡íãY(§ÄFf9½­ýÄ8@i:œ¥æ <5ª—™iˆ¨q‚&Xy¦±ßî9öûà›`ùÝjŠ˜¬9Cîïoç×.ЂÀ”(Eùð§Ã!uiûv(¼¢P	òFøcDèFá˜÷ˆôT>6™Ô?4º(›|ˆ¾áyVø„Zn]~B´ËiðžÕ~͹M]‚
+|Þ‚P2µ§ñS­íõÄl½‡]\Ž´ì–¨‘P.hÐO«m#Fµ×»i¼œÕ a¶äñSœåñCnšÛÈ? Î|fê…{µ·wBŒvî´½Eÿó‹þë/cÁ€üH½BsÁØeµÅ¤> endobj
+2200 0 obj <<
+/D [2198 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2201 0 obj <<
+/D [2198 0 R /XYZ 56.6929 591.2744 null]
+>> endobj
+2202 0 obj <<
+/D [2198 0 R /XYZ 56.6929 428.8011 null]
+>> endobj
+2203 0 obj <<
+/D [2198 0 R /XYZ 56.6929 356.2997 null]
+>> endobj
+714 0 obj <<
+/D [2198 0 R /XYZ 56.6929 307.1205 null]
+>> endobj
+2204 0 obj <<
+/D [2198 0 R /XYZ 56.6929 274.8641 null]
+>> endobj
+2205 0 obj <<
+/D [2198 0 R /XYZ 56.6929 240.0563 null]
+>> endobj
+2206 0 obj <<
+/D [2198 0 R /XYZ 56.6929 176.5882 null]
+>> endobj
+2207 0 obj <<
+/D [2198 0 R /XYZ 56.6929 107.0516 null]
+>> endobj
+2197 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F14 765 0 R /F53 1062 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2210 0 obj <<
+/Length 3048      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[sÛ¶~÷¯Ð[å™ÁÀ£siêNs9±sæÌ´} %Êâ„"]‘Šëvq!AŠ’ÓIÇ3&¸X‹Åîâ[¬è‚À]h™nÄ"3"•„ÊÅjwA÷Ð÷î‚zž$0%1׫ۋ—?ólaR£˜ZÜn¢±tJ´¦‹ÛõïË«OŸÞ~xsý¿Ë„I²|•^&’åû«_®~s´O—†-¯Þ½½W¡&Ê‘O‘åço^_þyûëÅÛÛ^œXdJ8Êò×Åï’Å$ÿõ‚¤Üh¹x„’RcØbw!$O¥à° Ï[‚i&¥8/\Ï5#Ýhw…I3&cñNZ‚É›‘o2¨͈ÌDfÀX€ÏŒû“(ýñÄ~ë±Ãº<ÇÎl=•:ÕÌ裭÷@f"[–¥Ѫßy€Æð¢ŸÇ‹†âÌLY7™ŠgrÐOšAHGÄ3R€Ö¦AæÇñ¸¡Ãgð„óvíZ6:Â3Nl¢¢Äû=Œ¾pÊ£æÄv¹:g£òÈŒ~¯¯*BèZ7…¤nº š
+•M2‡âï²íN:œÐ"\Êósv¸žË:\ûlôõjšº§Ì+q^´žëX¶±q•Ršecᆙ§y˜¶è=®´ù¥	‰œ	 ZxªãstÞÛŽÍä›Þ íó3lîònµ-üGù1+œæ]±ó	¯A÷¶’¸mW ~*Íx×ÇaŸë!ìsí@É1F×4UÙ3é2€§Œ¾œ¹¼Þ¸AëÆMÔ_3Íf…Hƒ¼·*mê	oN¤€¢4‹Ò; VÕñÞ†K m›ëiæ3pKÄ<
+IÞµ@„¥Tð1Þö‘,`<$kU€Óã4¿Z@LmCzo_9pÈËF…(ž
.?ÍbH”Ū¢TCÕi`tþŒ?G\gü9pY~xöÅ›#o‹Ñ´Îʘfäù2ƒ’©‰`7E@¢Q|ŽP®½Ø²(Ø‹7̤0–š,bºk*$ÄéáèŒLâÕõ‡7®e~ò"xÓÒÕ»©fnpÚþs8õNn/À®L˜ç¶7â:³½Ënï§Sœç¹)ÓÌ”#€ÉÚŒ§|[çwÁÊÁ3ïšà‘UsÉÈI%ðÌEQq^	1×i%ô\V	Oó6·˜7sYC©€ƒ9c#¹~貦ñxÑ5^D¹>öAƒÝì¼âz®ÍOTÎÊäxÖ/vó”ÙØèqØÈÛ¤myZ›Œ^¤\þ{ÚìGœÑæÈÅdÖ:£Î#ŸJ£ÞÞ8·ÞMpÚèB{:‡XÊ©ÉN«†C	éƒø÷TÓøŒj¸2€¶ô?W¿……ß³ðWˆHBè¯T8Ò‘ä«^î
 r¦Aöñ]¬¿ž“ñ͸}u§ÝoÛ÷nïo8¤?ó¢8àX;X Ý]
6&±Z.w€ïò{?ã·¼*×ýq-ýI3V«Ïæ„3‹
+°èx³¹‘)UŒÞlÉ cæ:[pH·–(~t³û“xÈãÍ–pÖ)–Éaæ“›
 
x5•ãͱ¨xz(V%Z|±~1—$F9¦ž/ÐpÉ¡!‡Ý[PHðÄh¾ºÄÒ]·{¹Ž›_b#@>lãöãÓÁKBÈJFˆ_mícà%#Þ»ÂUÅ`De/œÅfÅ´€ãáòAcÍÂU„zÌ/ǘ_øôCú’JÑöÎN
:IîI‡²Ó¸~Ögó‰Ë¶± °ñ¹¿‘Q¹ªÀA¦d®’ƒ‚¦È¤–›#$"¾ƒ¤ã8½=Äu]^Ú	¡'®SaïàÇž!$QÐ7Ürݧð(Dã‡rЪ”“ÚÎ1:›“¡*Ì+–œ’åõÌ>ÌèÄÛ4ñe,¦ë¶±Í¿yÒ}QûÜOª]úŒåB\¸V…(Ó¶i_kUãªÊÏö+n$„½ºx¨
+;‚Àû‰Î‘íÖ!Z,Pã"%tÞ=Í¥:Tâ…æ?È_„¹‹‰l8É8ÂÕzWÖ%Äë¼ù\l¼2ë•ÿì}^@gN\ÂLzlŸAuûK°zf
EÚ_¾|Wº†çSsèâ;öû:ÂÄNÜ*mmÇ÷l‹êÁÝY2[Þ 
!œèq•ç·ë÷×·ö'ø¯¯øL–Cœ5:×zü-Rl–OE°eg}­`Zð9HœOÒ!=›)«Ô°¾Â7/*5ø›`?‡®¬Êîé’Rê""­Ñ”ëw·ê·ÁïðbѸ(
+Ïè7¶$ƒáù˜{Bç	Q	!˜AÏ(:13FðîB3Ã+™KsiaJuâñŽ^	®
Dã?ñüˆI<¤=õG²!„Üš3Ÿƒx¬Ï—€EZ±˜4vþÁ`üÅx/Væ†;’UUø}šT¤çJ©þáí[÷íÕo7gV=ã^¶Øñ‘DÂ?êÓwìH°¢:öé¨Ï"ÝYâìP0RÄlEâ&¶'Í “à!Ñ
„_É$iH4Ò£¢•KP*.Ú,!	2™±2¯¾ÜþòñóóZ¼®»b_‡ˆsóÔþñ»ú „Ÿò°;õk.ú|ö^‚ô"þð/½†_²	¬k6Ÿs‰-‡€æ…ÂÅQ!P}øMرìÿ-±®rendstream
+endobj
+2209 0 obj <<
+/Type /Page
+/Contents 2210 0 R
+/Resources 2208 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2216 0 R
+>> endobj
+2211 0 obj <<
+/D [2209 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2212 0 obj <<
+/D [2209 0 R /XYZ 85.0394 639.6376 null]
+>> endobj
+2213 0 obj <<
+/D [2209 0 R /XYZ 85.0394 238.9116 null]
+>> endobj
+2214 0 obj <<
+/D [2209 0 R /XYZ 85.0394 143.0423 null]
+>> endobj
+2215 0 obj <<
+/D [2209 0 R /XYZ 85.0394 83.0386 null]
+>> endobj
+2208 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F53 1062 0 R /F41 969 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2219 0 obj <<
+/Length 2930      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ËnãFò‡Ðɨ§ßlΞ<'qqfcä@K´MD"‘²cìÏoUW7_¢Æ,|P³ºX]]ï*Z,8ü‰…±Ìf2[¤™f†³XmOøâö¾;g‘–C¬÷7'o¿Ué"c™•vqs7 åwN,nÖ¿%ï™Ðìô›Þ~kÔY²à@¬Ÿ¯>œ³óŸ®¾%ÌY™¦,*¨gŸ>]\}¸üõt)
ò§KÃyòñìê—³	öé4“ÉÙw×Hìä⦻Èð²‚+¼Å_'¿ýÁk¸ó'œ©Ì™Å3ùOGp°ë_žàL*+g¤'Å„£4lÅg2f•TøH&Ú
‘µ`N§iÉ®Z¯Øª®îuLwq—ʵÔúW®òm‹°ùb)3&ÒY²j¬lé\TÊïR¦$||‡VðâïœËûý.o˺" B6EϦ`™1Äf¤¸T°ÎÓ½~©êǦl¦šT‚¥Îª…UŠY£íœä0+Áæøµ€Q	»XIx­Œä•Òaw>ºÀ‡‹ëóŸ/?Ý\þtuDÚ†i%ÅëòN™Ìx”7H´)’ö¡ÀÅŒ°q7Û#ÜÕ»ŽÛžª`'ŠÛÍœ-9Ó©
+8o€^jû“ß_^} ã2ThYл§b×1ØîN…Kê
mîÛrS¶/§BˆœØ
+™Ü<нø€s‘<ä˜#k 1.Ï´Y,;©[M¹-79&MÒÀQ.Ù¯Ú½?² h^­ÃöKÕæÓº­gô"4—±:\o´>ª˜Œ¥©qÑ2Éu›·Å¶¨Ú&=䣨V›º)<3:)+‚ÞîòUÑL8m‹Ý¶¬€Vx~.Û‡(ά”2J,(/ËPðÛr¹ª7uüh¥“óM¾oº„Ј'"–W!š·¸Ñqë6MÐ:ªáýŽ¹pÊM$¸oöù†Võ)¾Ú—Mä"‚·á]îëÐ}×í:&­%—:§Hâi½±ž¼ýš`_¿}á›of^yK°¶¦ßEŽ‹úŽ~7eUÌQû¥*ÿ>$÷¯/¤v†´_¸¢ŸHí’í~õ€«íÿqƒÎ†àö!¯fNËS®£ñϬZñ,è‹î‰g»hû@*
½U½£×óŠðêGQÍë
mF'{ÐÊŠ±yÇ€BÒ/Òc%žÓÏŸÅËÍi¯4ãÿp{e£ "¿‡RÒše\Š€7àHñÔG¼¼Ä{âŠì©;äè5NcÁjÆ5öº¸Ë÷›v$pÈŠ³,Õ&ÖStVîêͦ~ö‘žn_è—â8,ªP@ú“4c§¬}l…x°^“š›†hâ~ƒ~Bø—…NEâÙMµŒRÅ»uÓÒê¹ÜlhuÞ܇è{EèÖøËGôCzu¤z_>ÅòÊã³gû~4ûåÔ%&÷%)ï¦ÍEÊ”¹Tº‰Ñ<©ÚŒqiìT‰Ò…ûeC%Ô+QfA‰ˆÂÉ‚ViÅ‘; üù¡Ä1¤Y®A"%è”n>wŸL@}h#“ó‘‚I®³¡c,ɸ4”—©Áfbh\äŸKkmr‰Œ[‡ú><‚ Táª?»\Ïœµš1™ÖJ6K©üx*Á*×þ¦ô¥’„c©~Ef.JÄÆø•OæBr„Y¥€n…›ô5ñX®ÕTÏ@“˜u ç}<Æ–4	Û¼]=a‚Ž˜³Â…YV÷sš2ÙiäXQÐ{wÑàêZ(’çωhÇô@Æåxôd<Ùužì(5"$߃¬ÁÞV@š ${@‰
áâ«pNPBx"Ñ&E  (­K§©âB6ÅØ4=âšV`£¥'®‰¥ÇŒdRñÀ7¹
ÖŒ¬
ÖÄkOׯZ°Àš–$ªbá5½â’ÇtÝmÝRÁÍaD欆€æCó‰ExŸâG|
+Z°Å ŽÜÚõÓQF$š1½tîE¾;£K1Á·Ôûï}KʤƒáT]Øý"V{E¹A&ÜÇsÊÀcN;Þ¹æý3žF®Ïy’nΓ8ž”ò'aŒ"I;W‚•w%ø
®”WJy00&;p$gÐIMK‰z¿[KÌç˜Ëo p^‰è¨›±@•Æ,惑ûͲ|²sçÉ„5ãpˆå!XuHWPù&+_?‚B|Ù
¦hÀWª°¸üô¤i
+DÙ€^S¸
+ȃҦh‚;EÞFJXà¹Polb;S_žÝµ}Q>§“ŒT¼—ôéN÷Yå¹öL¬ßÄÚ;VݱDÖÖôXBß¹_¡ðÎCßÐîÐÞ=(
+[»®Áèèb¹FaÇ—ðá„Q1ˆ€0fX,gBšI“ž“—Ç*EÂÔ‡–Z¿3(¦áÀbÐdàãcÝ4åí&¼LçÝœ`–Ⱥ’d>/CîÎTW«½™+@˜s¼€R¸ºŸu¨9¤“ˆCîQÌy¡Q,Íœ”š2b’±®“ÃòÝIfø´uÚî±Ü–VQŒ£%i×ê ù†~sú¡6ÊŽô/øBOA…–Ѥæ&B)žáªÚoo½]"-pª7›	•ˆ\ ]‚ôxu8àònnn0Ûô
+ŸígŸ•´dÓ/%Ueø‹ƒ‰Mé£UÝa9<ˆ8®nRˆWH¯jÚ"^ⱈ÷§D†5*Æwß*¹È½ÚƧ‘Ê¡ošOœâ¥Qæ´"ˆÁü
YR¸ŸÒåî¾V¸s´PüËXݾšBœa™èDGc’XwöýEù‚+æL×Ôá¡r|¨º©ÉNÈIT
+éYº±“xM™˜j‡o²wa¤@šB3¤ì2?„삯³¢LlÄðGŽdv½”–Ÿï5$ã÷f‚jï^|‚@%,abÊA(\¡*@·…,…oêÅ"4bÃGw\´ÏulYjõÄ ãØäPXl9Í2ßÜ×;¸Ív~Ž.„êæh}ë‹ùE…P¤”Ä)íî%Ö¹°ÑõGæé)”L®ëŸŽ
 ¤÷H¾šS¾œù7Öu:YíwdU»y¡Íº¢•L¾ÿxv¾üøÁ„9Yf úR“10eoÛR»í¤Fß³ {„æôØ+â£%paÝÕ
+ÃAn„ŠˆåM±´š  Íz
+”\vˆÛ	÷«f.°u‡{Á¬pøzý±?ÒþBe벉sÙ8z÷Ð@n]ï}	ë¿öÐe5Ç|°ãcËÐ?¤Þp»Î†Ÿ4yÎ_šÐÕ¹/ªbGï°1êøFhä×w~êÖéÜ@'~|(C);áC gÙý.ßΘjĸ©ŽG4“ÅÀþ|§Ãy÷)—Ò”‚·A·!˜j’þöRðº'àBh½¥uÔïz¤j3í+è±Ïe #Þu…ø¹l­˜ó}ɤ㱈ˆ'œ>u Uý\öš¹3¹cZéHj[~æPÅ„ê}DlãPÈÝ–DgCÅе|¡r(Š.¥Y7¢wfo=ìßÑ·´/ågJû–Í\LZÃL—°?/K
ëØSÖTÊáP¬¥³›‡ò‘@”XpE&Š»Yà|ßÆ™³c<ë?gÉ>Žaê|ÊËMÞùhÛ¼ŠCþ(¨¶Mˆ×E1IÔ¿ž}üôãE@ÆtixóÐ? ÄO×a<?Ý4äj1öú×ßxìL‚FÂb{uˆr©}hXZΓÿûï…_ŒÕÜGmÞqòÿgCÿ?t²ÿ§…q«cp k#Sx¡íëñ yÿû_ç{endstream
+endobj
+2218 0 obj <<
+/Type /Page
+/Contents 2219 0 R
+/Resources 2217 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2216 0 R
+>> endobj
+2220 0 obj <<
+/D [2218 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+718 0 obj <<
+/D [2218 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+2221 0 obj <<
+/D [2218 0 R /XYZ 56.6929 748.5139 null]
+>> endobj
+2222 0 obj <<
+/D [2218 0 R /XYZ 56.6929 713.3233 null]
+>> endobj
+2223 0 obj <<
+/D [2218 0 R /XYZ 56.6929 648.7414 null]
+>> endobj
+2224 0 obj <<
+/D [2218 0 R /XYZ 56.6929 590.0462 null]
+>> endobj
+2225 0 obj <<
+/D [2218 0 R /XYZ 56.6929 95.4174 null]
+>> endobj
+2217 0 obj <<
+/Font << /F37 827 0 R /F53 1062 0 R /F21 738 0 R /F48 985 0 R /F41 969 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2228 0 obj <<
+/Length 1729      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X[sÓ8~ϯÈôeY,¬›e/ÃC ´…¶0—×VZï:v‰BÙå¿ï‘Žì:©¡e˜7éût:àGÇ‘$ÅXÅ‚È€ÊqºãX;Q§ã·J~_ëÉÙèá>Wã˜Ä!Çgóž­ˆQDÇgÙoúêÕÞÑîìÝÄg2ðž‰/ƒÀ;œ½™¾DÙ«I̼éÁÞ)L™P!(QA&ŸÎž?Ü—¼gŸÇ1QBš°Œå“£Ý§äéñѾQíuñös¢7Á~}øŒ3Híù( <Žäx
“€Ð8fãÅHHN¤à¼•£ÓÑëÎ`oÕ¾:T#É#"#¦Š$h/	ʉ€Ž•ŒIÈ·¹dzž¬ŠÆ¯õò‹^N|Ê HE•&ÅeU7L†àƧ”ÄR²WþÑן _'‹«BÃõ;í×¾wÆ'<€2ië7ì»Åé¿VЖu­¢»]Ó{ºntÝôçwùf½ÔyÞ*R’eK]׺ní
exU-ÝHrÉáðû¯gbC
+ûÕ¸3‹¤¸¨–ys¹˜øÂlùå"IýE&“©uºÔiàí„û‡ó¿?®¿‰âúœ‰ã™fùÁÞ·¸˜Ó¢x~ügñmç7rpUý•Âû&`·mç„?›E¯Â'/Öñûõ»õûþÅêõãÇ÷ˆúá>ëƒÏ%`JJP©VuVZO^s©aÀc/9¯¾h”é¯v‹8c}€y)J…#™e™¥€XÆÒ)­ó¢@»ç×èÊ…«Ú€‘€¤=ã6*§Õ;”Fü1aŠð£0¡¨•”Ù–-HàõBgÎA²ð]%RñfÝñ¤”zIJ‡÷´Z,ÀxmH˜yMåžÖ£ѼK–\ö ÅDû¯õ`ä­Ïfª¼õež^âÊb…¦)¨Ú9?wF2ý1Xisq^Þ8m矲Z—®ÿ-“òW×›2ÛAâºYÛµíàä?|lG»Þq' k¡;Ê£éáæ}ºw2[ù-<ìÜ|»ÍÞœLM5ÏfÇGà 6MPìŒÙ{–ÓÐ]ʜʎ=»3:w«7W¿ÝW-|à™¤©¾jP/#u$
BíÔÊuÚ÷ÐXZ]”ù7"tð{$õ•Nsã¼õš—Cw¼kc¶!’˜‡ñ}¸4©ºÅEœÅí
Á)oÃãˆ>¾A •ô:3ÍËÁp™2ºÈà³n¾6r`ÇÞ©Ö[qÔ½
+s{íµËC·cÿ>øendstream
+endobj
+2227 0 obj <<
+/Type /Page
+/Contents 2228 0 R
+/Resources 2226 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2216 0 R
+>> endobj
+2229 0 obj <<
+/D [2227 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2230 0 obj <<
+/D [2227 0 R /XYZ 85.0394 175.5261 null]
+>> endobj
+2231 0 obj <<
+/D [2227 0 R /XYZ 85.0394 84.5049 null]
+>> endobj
+2226 0 obj <<
+/Font << /F37 827 0 R /F53 1062 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2234 0 obj <<
+/Length 2511      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZYsÛF~ׯà#UNæ>jŸä#^¥6²×’«¶ÊñE‚"Ê$À å×oÏIJ¥üÀÑ ÙÓèã믇&ÿÈDH$
5e8˜ˆÉb{…'OðìÃ	2³(4ëJ½y¸úù¦&IåäaÕÑ¥ÖšL–_§oèTàéç»wogo?ÞýòáýÝõŒ®øôæÓ§÷wïnÿw=£ƒ0Hb<ýíæîËÍüÞ§kC§7Þß_{øõêýC2«k:ÁÌÚôÇÕ×ox²„7øõ
+#f´˜<Ãcèd{ÅC‚3w6W÷WÿM
+;OÝW³® Q&iÆ”LAFÚs†0H2Êœ3n¾<üûãgû" Î:®Ã“•H­œÜmÕûªh½î_š¶Ø6þ·uÕÔû¶Ê±õ;зÏè›1%J!eg){lpæÕ²ÞŽøêO)¡‡ê›‹æΗË}Ñ4¯÷@{Qåb½¯ëvYîsvŠ‰”.Iéá¢ÒCSäôQŽhG]¦êfŒP<‹;Ñwïïß~¾ýôpûñ.}i¨†¨2@ÉÅ4¦T@ƒÂ"™6SøÚïÓ§CBØ´;›(±ª÷gHa@oœLÈM1â*&´NÕô¶
'ÏÃi…ÿ.ýjŽž'UYTá›óf°÷Gøf[ûÏç}ÙήÎÓ\ös´¬ž@ÒÈi»Îe)ƒ"p­'½²nͼ€’â4æ³÷—×U`Âávõ~Mô´hvuµ´&dÜ	ž¢ÂÄLSÛ}½i2'3ƒ¸T1ííimiBèD2z@¼õ4-¤Ä<Üx›Ë*ã	gtTki9æI‘¢	N_¼Ö5˜‹||¸í—†›ÏSnŽ‘ݼ\B¦?Á79ØcCÏyH.|ÒÀÆþZOaï¹l×~7…·ï¡Ñ\«fóœ[0RLDÃë](
+Ðî’t7ŽÀÆaç7æW)&¤›Iù0wE‡‰ê}"Yý?êrlX‡×®Š"lÙò5ƒP„R=;‚ÿð½x¿>F¢	`Ã1ÚTÂÛhwB`p÷«RF‡©4oÚú©€ß_SEY%X#Î@YC?:ø¯ÁìÙF
E3ñ·yil)$Ž@ûüGB–I¬ûµól»àovÅ¢´î°%j7âƒçµ¥­võæöî]Ø‹å¦c‰ÿ³SÝx6-ƒ@ð{Ði!Õ}Ö€y§§x¤¤äBä)â$ÝH/wÅÚtA?W™£ûêðšPÊûö°Cý)äP.=¬/©”§ÓôX=ðòh332™
+óé²°U.Y±pÉêvWóæõ,êíÖ, GUÅÆ?I»Pc×d
+áƒ2‹<	¶ýˆe7›ú9ßÙLÞšq1›.×j‚e‡ÊYŸ@cT‰~×t}/“Ѓ9ç—"Ç݉œ›×á7õb¾ñËuÝLVUí?W‡½ƒh÷Ç	„8Û/e˜p/½åŸU•w°{,¨éx­;ñª|óVÀIíÔòÙ¥ñâ¾à¨Sã7òÉ®ÁÆ#§ÇKÌ°îÆ
+:Bú‹µG„³—®rëݬ¶ûJÞmæ‹D¹à‹¾‘wlUS¹,GXKÝú(õc"Qîü;;¨ˆ¢?ÅÔ–ÂSÑÄKƒAb–Mëù´½3
+6coóµX¥’_/1G€Ñ+åAT)kx/ƒnWöX?*H<ÝÖÞ¹~³ØÌk;ìø?OgØ =®Z¯%ÎHKÿàñ%W]FZÓºjÆ3T«˜;®§‚¨·ùCéKIcFÀ{ü9ßî6 ÿÐûÁd~`T‡û»²Êí§œý´	j?!AË–Aܸ­Ûßf\O_êƒhÖõa“„×ÎøÂÞÇÉåyT˜D'mÞÕ¯ÞÖ,o‡^ÆÎrv R¨g·ú€»×(Â	–´»'™4…7·äèZòš9êÔxRIòÓ’ä?ùç¡ö–!/‘hŒÎR ú lÎÚ®Ô8¥MRÎåñ^Mô]®M
+xçZ­k´àŒ°ó¶%©Œqý($Tõ­»Od˦;§ ìÂYäVõjðÚy¯—Û=×Ëí¢eÛØ›pà¿lçs›EülŸ‹"H’ Õ%,¡vÁœŠÁR§Ì†c0›³AŠù„»a'TF›hÈeäùhw¥Æ£¤\´¹hÛëv’¹ñìE†0%›œµ-IeŒëG›Yö7°îKh®Ýv•Ç˜ª˜J@;:êëDÌÒ¨ßivŽÉ¯^⬛RwGÑ!HÇo¦Ë²>h±^1q\«t_6|XPÉÄ…àw¤Î?J97­OæW‰°QŽŒB™#{½(Òƒ#?íËÀ€°ëáÖëk{Eí— æû€z5  >dÍð*ÂåÓ!Q+Ï|§”ªW6-Ä›±‹¡±÷xÀþ|h:RgB¥\h¾¿…ãY>kÛ…OË¢pϺ
+[2b$ã¯PÒõ=¿òqìÈÄ߬ä	0G
–™ ߸ÃM<Øü<"÷žûó»0ƒå²ÞÎËêhÊ‚°§P1¯†hœZa\Ói´r©ó*ˆ-UÀhÏfMGh-€ðKþ©íÿu…'endstream
+endobj
+2233 0 obj <<
+/Type /Page
+/Contents 2234 0 R
+/Resources 2232 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2216 0 R
+>> endobj
+2235 0 obj <<
+/D [2233 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2236 0 obj <<
+/D [2233 0 R /XYZ 56.6929 751.8794 null]
+>> endobj
+722 0 obj <<
+/D [2233 0 R /XYZ 56.6929 711.2251 null]
+>> endobj
+2237 0 obj <<
+/D [2233 0 R /XYZ 56.6929 673.9044 null]
+>> endobj
+2238 0 obj <<
+/D [2233 0 R /XYZ 56.6929 641.148 null]
+>> endobj
+2239 0 obj <<
+/D [2233 0 R /XYZ 56.6929 572.743 null]
+>> endobj
+2240 0 obj <<
+/D [2233 0 R /XYZ 56.6929 498.2696 null]
+>> endobj
+2241 0 obj <<
+/D [2233 0 R /XYZ 56.6929 396.921 null]
+>> endobj
+2232 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2191 0 obj <<
-/Length 2201      
+2244 0 obj <<
+/Length 2086      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6ò]¿BoGµ€IôÍuœž;‰ãFJçfš>Ð%qJ‘>’²OÿþvñA‘dO§™ÌDàb±Øï˜M)ücS‘Hq5• ’29]í'tº…½_&ÌâÌÒ¼õórrõ!Œ§Š¨ˆGÓå¦G+!4IØt¹þ#ø™0Af.½ú Ã2dF9\€X_îßß›Ï÷æ€,c³PYÔ뇇Ûû÷wÿ™Í¹¤@~6—”Ÿ®ï¿^4°‡™âÁõ/·$6¹]v‚ô…e4D)þ;ùãO:]ƒÌ¿N(	U"§/ðA	SŠO÷!C"E:H1YL~ëövõQŸò„Lˆä"5†„SûUÌ@FH±`„+™t*æ̧b‡…™?YýÊ&c$Q q£´§ªnÇÚPœ•DÓþg|9$_}kª˜ˆXøZdåÚXdUí÷i¹nÌW[™ßå̓Y8îF.¸"aF#FWƒ#	Ê,N^6m–Ú[«õ‘»û÷f¥þeYXg›ôP´Ž»²­g,	ªÂviYfʼn¹wö8Xð̧¬áà?B©àoX·‡õŠu–¶îïã+#ˆ‡ˆ…¯_éeŽ5ÅIE®NlLHïGâC°£”ouÚæUi€)2âÍAp=SñeÅ„aL(&ßM1ŽàŠs‘X±äo+fhZ#ö£s‰²z±šx<âo”é>[ÐKÞîNJêÓ9C'
-­Èˆ’Ò¤Î`žAZl«Žíí§©2h²•¶JÖÚﶆtbÖ9r EPiŒuV𦲋Q––Á>kštko|N‹|í,
-ߦÆÀ
‡Õ*ËÖÐ%„\w-+©C%	‹8¿lj\j£(!±„ÔóOmÝQœ÷Ižj0á	c§›/{.dК4kÓ‡åPùBh”š§l•£¿gëwö4æ…¾dtP—땯ä†DD¡‹‰—¼(m$[£sáGQUáŠ	g,¨Í:5›¨\½XéS®ÑðWÇ*"7YýœÕ–ï6m³}VZêXÛ{¸t€û˜i¯B@ÜÈ	…0n"
-‡>«½K‰ GÏPÚ3ô·#‡°ÞÕµ1à'ãÊM·a\Uaœ¤´«lB!§¥š\ۅ̵6ð ÓnVG̞н›Os-J„ŒDŠ‚ûªÅ³T9ŽhbÉè<®I„B›æúBØiv©‘wmvO¡l^vùjgö,¦£,•%eúBD< VÚ|¬‡Â¯=oͼdi3sƒãÑàÎvxÍ®:¶+„
{›ªcITw—>[Ð6+³:µÜ®µ¬Íïd9‹B¢ib$„ÅâÆÀéÂHja>èS"¶6JóTdš€¬M€ž°mOØ‹jmÂæãѾœIhã${#~)tën4xç.ÏFÌÙ¶@Ê®×û¼Ì!g§­“äK¶±Ú,Wöا´<€ÒŒB	7%lhT§¼zÞQz¤)¡,æo‰5ê†,RÕÁšÐøßö€¡0ò#&,r·³ËŠ'³²…tuaYUb§	”gh³"#ÈÇ»OwK=lâË»Ï÷4àÒ\
-ñ¶8.§®«¬ùå1sÎlüÀŠZ[û"ÄÍ@ÝöiJ|þÒAóíüÇÏ*S8Þ;ÿ9´y‘·Çc,pÞ©Vaµ²îo_ºÀƒë¹2i~W‡ÚzP[
H'aø}I- µ“r«ç|­‰¸l;ƒôÄÕ°Ó€o“›a‘Ä@j©HLeôZ“'P/0è@‰g¡øMž!8ïSÔuÀö‚ŠÅÉéâך<î	ùИ&éôužýØkƒ§XeÀÑ©q‘=Ÿrbf,çâÙÆOãü°K¹Î5‹ÌZ©žÅ"ðDØâöÖ½þ¸øìÚ[DÛ|£’JøÙÉ7æ¸9÷’Þžnu½@/) ÔC6ÏUªïL0°PJ]xô¬$£,
- qÐ)‹ŽÍ
 4èÎÐþd%$E$eu	FÔ/g_—ÿþüåm-Þ•mV—.Ý,Ž
t?Ö¨7Ѐ@îÉûÓ½89FÎv‚‘ˆ‰ÓÓŸ¶¤8‰ˆã^z׊öQœ;Ü9T.”äËýy£Šðdó‡XŠï=–ÕS‰nœMLOЉBb ‰ÞAH²Šë÷»WßRú$ÎÓ‡{Ké°.(üRø½¿]Ü|¹{ÀÊvAß¾àóé;†1‡:}ëYD2Û¼û”»®ELßçÕŠA›Boý÷ºN7›ðÄ딘VÝD1~"ÄÍaÕ›GêÿÎÈE{œ3h'-0µi•BzPb45ù>/ÒÚL©°3ZµW/ª‡h½}„¾üfÝV»0A!h"÷0vJe>Ã@å‹eÒe“¹e°pOc¯îó9ª¨tOraf6€>Öé*kFœB\§{{ý­_¬(Q›G—ÇTü>‡d]T%ð#BÜè±HO>ܼ(ææ"~ϳqš>ð£h*‹ÖQµç;æì-KGðÐt…$l¦ì||µÇÂqá.ñ`]ŸþS·Û+ 7¶‰CZ?™)åêûáÊ{àÇ=G®†mm÷Òîú½"/³KþÀ¦<}y…v©àÿiäôG#“0I.¼?óX89¦Pb&øù3Åî†{xÿ?{T†	endstream
+xÚ¥X]oÛ¸}ϯð£¬Y~K|L·iomš»Iº}P-9*‹©$7H±?þΈ¤,Ùt²ÀE€ˆ"ÇäpæÌ™±…?¶È¡ÂÈEj$Q”©ÅzwA÷°öî‚y™UZM¥^ß]¼z+Ò…!Fs½¸ÛLöÊÍ2¶¸+¾$—77W×oÞÿµ\qE“×d¹R”&/¯?_~ps7KÓËwW·Ë3Jqbå4MÞ¼¹¾]ýþéúí»«ëå×»?.®îFµ¦ª3*P§_¾ÒE7øã‚a2µx„J˜1|±»J%…3õÅíÅÇ
'«ÃOc¦*#ŠK½X)I2ÃtÜ`”PX¥ÂM
ÆYÌ`A
+
¶jñ¢¯Þ*5‘„õL(Ø%Ú¼)ìnSÕå±I(%M–-¦çžh7JEÔ“C™2Df”Íõ»}(×Õß”ò²[®„’IŽ•tvß.Y–¬K7m7îé´u2EÞçnvc[7¸/›²Íûª¹w"ýÖÿ>ß÷[ÛV¿`Í6ÍEòÞïé…TbÂÁàC”xEFJƒÂÝS×— ×<),jÍ5KÛ»©‡Akû³*J7‘;ûË©§ËÆ;àUQþ|åï5ÈÎ̦ATÓà,¼'îZþØW?óºlzw>lQ­ËßðÅ_zЯÜäûÚ‹L-Š‹hQ|º“›²ëÜ­Y¦IªŒ
+×vWáE•N¾—Oßl>lT¸™ªyØ÷$rËñÏÙf gäŽJ!Ó`n
+	<ÁÝM¾ó£Ayxæî±Þæm¾îK´c°†—lÝ7¬ýÜÚ6}^5Jðý`|¸4 33sŸ; ¡{‹Oš|+Ýû¾+7S5€‹¼pÓζ4x‚Oð„äÉ›¦îªyídÀŸû2bG.3ëÞEÌŽ”H¦3/X5EµÎûÑ~›÷îÔ#ÂÚàCwt«ÓL¡~k÷uáv¸;<ñîä„F=WiˆöŒ±ôyB›J'´Qj ´.BhŒ.FåEÑz8ÏèL¤„1ù¼jA(¢ÚŒÌ$'Ô(1×mFfœÿs–¼¿q¨ÚÕ&·¥›ðîœÑ„„JØÛ]Ñóº„e™öRu8lüî/âùk»ÛÈÝ,DKÓ”µ±0^#+†ß8ÛEâTn„!Ýëˆ>P˜
+/C<•rMæ¹)§¸0$x
+^ÓÛÁ ¶öá[¾þîÞæ„	ÆSx"ì<™"YjØXœH=ƒÅ 5`±&WÆUðÙzÛZÛU{F™Â/ :xV¹Q*¢Ý<·rb$Øw¦ÞgGNÆ$U¿u#´ê©c5üJd!~VyÄ«à8žêàzû€ˆñ[Z÷Èlóä^/
ðK圵îmëWžEvw
±«å¹Ø•$M{6vÁÊœ™ãØ¡$“®ìàö±Ê)nŽÎŸ³‚C½HÍ¿C>@ߎœàËö!R`*óÓ‹¦
+ºE°¸wv‚!€×ƒ.8D’×]¸å˜ŸO
+K|jæyÉ6õÓQ:TXé-"Á§(Œ¹{Ûæ>QU½Ó*—Šï}5\wµ
”b’ª5fOhI¡'Eå®þºüxóÚÛÓÛSø	ôÊÌgWl„­×¨®ícĤÒ¦0ì…|Î1…HîíièF¨0j¼”ûGÕPg ï÷íЂýæf=c;Te“CWªÊ| Š(çbÔp;mî‘5´þQ¼Óù¯‚%ÕПUØ3á0w.ß=ÔQFgDˆ¬ñäxû’ÉcX' ¥â`m[_´H´Ñy˜Ý^]¹s.?Ü~z1Öpó¿©¢ücAÁ€\P“…á®éasÚ¼»`™
+zýþúû©ñ:;è^»BÉz"ù³Üø²ªYûÈüè¢/âw
¥žeÝò4¤”y³8¿^~¾ûϧ?_´Çûzñ¦ô|x;|2ñä÷;4¶í«ý¡Á`Ú=z!‡c¸9az	…@/Š¦›úE¡WK9€E¯ñÛ@T/ÁH*3÷¹i¶‹cvÎSß…×Ãe„ÏI6P¾µõ¿ÏScºê¤ÕH·P¥V
·\aX<ÿ%ð°ÃPQÈè‡@/tzqdÎ/:Õ¼T`D³,[^ß[¨G·»H+¨ÂePô5ìºGß#ûC§‘ª±ƒC7£ßæì5˜ìxó6²¥€úI«øçÌc•&ÉŽwí^ÜõŒ–šÿ,l÷ÏH¿"»­„A²…ânF“¿lÝ,‹ß ÔüF¨Í×s°Aqüê!ûÜ>|ćpYv¦¶TbeA)¼“æXu%2u[Ñýƒ5ôendstream
 endobj
-2190 0 obj <<
+2243 0 obj <<
 /Type /Page
-/Contents 2191 0 R
-/Resources 2189 0 R
+/Contents 2244 0 R
+/Resources 2242 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2171 0 R
+/Parent 2216 0 R
 >> endobj
-2192 0 obj <<
-/D [2190 0 R /XYZ 56.6929 794.5015 null]
+2245 0 obj <<
+/D [2243 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2193 0 obj <<
-/D [2190 0 R /XYZ 56.6929 546.7712 null]
+2246 0 obj <<
+/D [2243 0 R /XYZ 85.0394 497.7321 null]
 >> endobj
-2194 0 obj <<
-/D [2190 0 R /XYZ 56.6929 448.103 null]
+2247 0 obj <<
+/D [2243 0 R /XYZ 85.0394 355.5987 null]
 >> endobj
-2195 0 obj <<
-/D [2190 0 R /XYZ 56.6929 386.1077 null]
->> endobj
-718 0 obj <<
-/D [2190 0 R /XYZ 56.6929 347.8768 null]
->> endobj
-2196 0 obj <<
-/D [2190 0 R /XYZ 56.6929 315.2212 null]
->> endobj
-2197 0 obj <<
-/D [2190 0 R /XYZ 56.6929 279.9283 null]
->> endobj
-2198 0 obj <<
-/D [2190 0 R /XYZ 56.6929 215.0111 null]
->> endobj
-2199 0 obj <<
-/D [2190 0 R /XYZ 56.6929 155.9807 null]
->> endobj
-2189 0 obj <<
-/Font << /F37 827 0 R /F53 1062 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R /F48 985 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2202 0 obj <<
-/Length 2681      
-/Filter /FlateDecode
->>
-stream
-xÚ­YÝsÛ¸÷_¡¹>=pø&˜<9‰suæòÑÆ7s3×{ %ÊbC‘:‘²ëtîï. (šŠsÓŽ.ÀÅb?‰‡Ÿ˜9øÊô,Í43\˜ÙbsÆg·0÷ã™kæqÑ|¸êåõÙoT:ËXf¥]¯¼ãΉÙõò×äâãÇË÷¯¯~9ŸKÓ—ì|n8OÞ]¼ÿùâ'¢}<Ïdrñãå'x•:µ°HhvþÛõÛÞ5௲Œ¥Ú XÈùï_¿b¯>¼ƒKÏ.¯{y‡g\¡°¿ŸýúŸ-áhoÏ8S™3³{xáLd™œmδQÌh¥"¥:ûtö÷žá`Ö:¥#£3N¦J’jJI&cVÁåçºü7)£íªâùù\	žü…H]CÏ¢^Ò Yѳ*ë‚Ô¤Å`>›Ç2aˆ÷®^.Ø¢©W´ôHc™LUÐgÙ[í’Í~±ÆQ–´åf[;"w뼞Ø-3L¹žGoŠåÉÝÀ|©qa)x‚âYr½.h³r.«‚öÚ·EKÔn½;.)ÂDÛå]±)ê®}NŸƒL~]³íʦnG«žÑdŽÂÌæR¦•cÁ 3Fz9ÚbwçÏèµ>¤×Hñ4Ívy‰çÄ7TÙ]fªµZÕNœÁjÆ5÷²Xåûª›
<ÅYŒ7–Ó´[$X5UÕÜKz»y g·ËÐH÷J¦5é¾½+)’|¹$3·-ÐÅý=<?DâÅM5º‘
-[†ÏÖMÛÑ辬*Ý„/Aöe˜[uàÛà“ñ'oÀqäz[ÞÅò@Êã»ûv,ˆVRä8$ÇÆœP·äL÷‘„gÓæ„!eÊ\*ÝÈŽèž¹ÚŒqiì؈҅óeC#ÕQfÁˆ@ˆÊÉ‚UYÅQ8 ý~]bÊò,— ‘tÌ7Ÿ:O&˜Hmrú R0Éu6Œ99—–[FfQËTy(>çÖÚä
-·íýxsH‚òÕaïr9±»‚`23È•ÊfÉÖÛ¿¹+Á+—þ¤@ljz’a[ooOZ4›Ï*HÆü

-JJhÙ´„R¤,å&}J=–k5¶3ð$aØy·)k"åôºÉ»Å:(lÄœîØeËúv*¡@¡—½EN¥•Î¸G
Ž®…-yùœˆ~L/ä\ŽÇHv!’]ÉŽJ#Rò=èüm¬‰Bº‡%1 !]|ö	Fo¤zXI(hÁ¤Ìºt\*¶²)Ǧé‰Ð´˺…æ¶ÙušI5VÄG±ÉmH°æ(ÁÚ`ML°6ñ|ý¨lhE¢.‘ÞÐ'Þ)ñ>5ḛ¦¬B˜Ã(¨Ì'X¯¡,Ó܇—)~"¦$­b‚:qz	0è¨"ÏX^úð¢Ø‚™¸¢/1!¶€tˆ-~ˆ-)“žvBRRôi÷›D=Ê
*á>îSsšñÁ5?X1€ñ!sÉ'#É´œŠ$Õ!’R>ˆ$ÌQä#iJ0ò¡ÏJi%x’ó€3ùÜ	„üYš“Ã&_·MÛ–7Uø(¸Îó© À*‘õdº.CíÎTÕžMͲy"¥pt!¿6€9”“¸†Â£˜ŠBèg¡I—¨)Ó¨&qÂw'¡§·N›=Âmiå8’u­A’oXá™ÓƒÚ({düó怃
--!6Š†‡F¨”ÏpTï77Þ/‘áÍvÄ%®!
”¾@úuMØàjÕÛ ,'›^¡·<ûM[°I6®ðR*Ãg»ßn«ÒgBÝqÁqæð$Jà8º	‹B¾B~uÛyxñ ÞïCÆhß}«ä2÷f;ÞL}ƒÐ|l”/%¨2ÿ\Ј(ë7T
(áyEÔ»ßFx¬ÖN)Óø—Ý>YBœTØ«´ÙM±D,Üû÷7Õ®˜3}ЇÆñ îGd&C6¡ Q)”g9BÎÞR&–Úá…ŽwÙU¸R K¡Ru^?„ê‚Ÿ«.ùˆá¢Žœ¨ìz)-¿ÞkHÆyæßQhŽ®yëo(p|_vk„ùÜ»	R¨1\=ø*abÉA*%¡)A?…"Ñ™æ©s”ˆÑ‘>»ã »ob›ÈR«G¯M+Á–SÑ-óê¶ÙÁi6SAÉY¨þíÐúb}Q!)%“¢^ì"Î…‰SÿºŠÎ|ty R€L®ïŸN]@J?,òhNy8óqNûyFÝU4ÙÔ4’ÉßÞ]¼š¿{mÂ=Yf})yœ©z[ÙŲ¿À£™´_qèYŠ=Rszm‹ÉѹO‰0î±Âð¢'bfy[Ì­&*h³Y ‘RÈ×öÊý¾=Nìdù¡-âå^p+¼|½ŽñxØÒ_üdã²÷²‹ªéƒ»ì–ÍÞCÿ¾‡.«=ƒ¤ŽÐ2^Rï¸}gCOšÜçmh¢Üu±£ÆwØõr#5Êã•¿u;\Ó¹Müõ¡Pf^^½M‹3"„Žìv—o&\5\ĸ«_ÑŒr#^ƒøÓ‡Šu“®y%S°mH¦š´€Ïƒ¼í‰¸ƒÚlhíûŒ^	m¦}s™c’÷]áfã}­˜Š}ɤãDÔöÉ«6Hø¹nîë ^;µ'wL+Ymʯlª˜Pý¦Ï‚Š`Üà?ð%ÕÙ€ú–)‡²¡êRºëÆå½ÛÛ ‡ùqC3ñPþNi»ïØÄÁ¤5ÌôûëºÔ0Ž=eCP/Å:Ú»]—["QaÁ¹(ÎfAò}ïœã™”£›¬¶ù]^Vy£1
lò:^ò? Ú´!|*ŠQ¡¾üåâÝÇŸ.Ãb,·‘‡0OÍñ÷×ñ¯›v´¸,vP_/²¿=ÆV-K)eÄ}'*tû#ßÙeÙÑ?
sËyò¯™È{º»HQHX_5‹¼Â6íÅ6^> endobj
-2203 0 obj <<
-/D [2201 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2204 0 obj <<
-/D [2201 0 R /XYZ 85.0394 368.0049 null]
->> endobj
-2200 0 obj <<
-/Font << /F37 827 0 R /F53 1062 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2207 0 obj <<
-/Length 1896      
-/Filter /FlateDecode
->>
-stream
-xÚ¥XKsÛ6¾ëWh|)5"Ä‹ ÛéA±Äm¬$¶Òé4É&a‹ŠTEªŠûøï]`AŠ’èÚ™Ž‹Åbß.HÇüèX†$ŒYzþ’«qLâ…ãùmOVD‚(¢ãyöÑ{A¨$xW³³Sÿôíìå«óÙħ±P›¾{w>;»øuâ33pw9}˜¾AÚ»I̼é«óëÉçùO£óy§V_up£Óƒq7øiGr¼…I@h³ñr$$'RpÞRŠÑõè}'°·j·š‚„ñ
ØBО-bF¤ŒÄX	EB¥Ð_ôýÄá~®›nò—¹Ø˜RK	rÛÙwÕ:oKä\,“Ô_fò»#hyQx­ÓµnÀf8O®øë‹è]øâçmüÛö×íŒÿòÛÏ›÷?þx‚{ýÁãþ±‹Ï_2Þ»‰Ï%‰B)a¬1-ëEiOòš…†½ä¦úC#MM–«B?sÂöÌE©Ýu™¥'2F"KÇ´Í‹åÞÜãQ™¾M6^ÕÛÔNÔ(µ^ÿ¡×N+ÇUTiR,ªºAò§<Ç	àGaB‘+)³YÖI†Û¹’¥ï¬È(‘*ˆ÷Íw7û(¥Ä3wœVË%¯a?c^S¹{
-£{Ú½»,¹Û/ÚßV[3£Š@oÏ|f¦ÊÛ.òt+Ë
Š¦Pµ;üÆ	Éô§ `¥½órwÈ`¡j¹ß™Û(å¥Ui$ÜmÖI“Wf»Š€t°w©ÓÆP!q‡Ô³ÑÉ÷ó
XWÕºÁÉ%o5E§ð6߀æÀ€vðŽHJÂMíسêÜÔ®
-§K
)â\‘àß"ªZâøП6oŽMDX6XÏF>Üüö®3hßV!Ô2¸„cþ9DÔÇwÄ„F`t§zô¹á3…LU€’•É·F»cö<+I(öŸé¢¥L•Ôq"’¦	0v!¾Át1ÇYÏðÈ™’uYÜ#¡5v†Œ=h4b0dÌ‚AAó¿…$oà¢(¶ê‹‡ÀM™%Ö9Y[>9aàóýŒ¬6ÍjcQ‹"æBéÌò€A(t*n3ÄaÔa¤D°.úȉ	—ªå1˜³®ŠzÈ®
- ·cì ´Æh»­ÖÂCA jSÍ€uöÛBFX¶¬h­6رêÀhµÎI\ÒpÊ¡9ú¶¤Ùè·dMHd)§žq
¯¸‡ˆIDYô_CãÓúíé­ÓE…}ÚÉ—²Ú–8^‰¹òקÆÌvàvm'8ùÿ”£]oˆy'öÌÙôòï}}~5ªüüÙ¹é³/^}¸škÎ/ÞÎHbhÕ9Ãânë,§¡+ÊœÊ=
»3ºq«»Òo=áªMøOÒT¯äÄâa¨¤¡S¨[™!O»…¥Õ]™ÿéÂLÁ†R¯tš›ÃÛSór¨Fº6æ0eBó0~
-'UGXÄYÜVNy«Çì3ê›´”^§b¦y9¨d¦Œž’d2†Ò'[ÍiD{×ZèQ÷,ÌmÙk—‡pˆÅ…z@|H¢Löû^3Ök<°lšGÝÅìG1þM³e^æu‰m²Á®ô­F¿—©Ûv™”›¤Øv3:ª[˜Sƒ[µ®Ï]fLß\¿}<øM˜gAdžÏ\uîÕÀõ6IíSéö÷m«L-c-(þ?K_†‘ÁÜ°‡«ø\Àû
Úè}à˜~˜¿~{õ¸Y.»Öe®×÷5¸ÚUŒS0èœòÍrw®€&(켡hØ}€7G…aå
-ú>…¬3ƒ>ƒŠÁT©ãîÄjó	Þ<;¯á¶]Á牉ͪ*ž€®×÷eµªóúð˃Ñ#
-¹éq¹bCß	 (ÇLšZ;üÁ¼‚!vŽ¿ tŸ7çøÖ¦T|ô“Ïíèo$÷"T•Au`Ú€ê1
-jÚõè:™é€Ìö{@'ò6/¾Aä¢}m´’]ÇÂË.ž"|õ¨¾¶Ù?–Ç8}Àå­äÁ›”ÉÄÁÇlå°âvt(¾~TÝ$ËÖº®ŸnæQ‘éb]UM–õ{ðþ¢²—NèæQ¡ð²’ÇÔNÜ_ð@”y:
¤JÐeçÿþº·ûŠip)Švi·ßr+I`sØ*e§B©Þ~<Öý_ŠRdlendstream
-endobj
-2206 0 obj <<
-/Type /Page
-/Contents 2207 0 R
-/Resources 2205 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2171 0 R
->> endobj
-2208 0 obj <<
-/D [2206 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2209 0 obj <<
-/D [2206 0 R /XYZ 56.6929 449.4646 null]
->> endobj
-2210 0 obj <<
-/D [2206 0 R /XYZ 56.6929 355.3738 null]
->> endobj
-2211 0 obj <<
-/D [2206 0 R /XYZ 56.6929 285.1933 null]
->> endobj
-722 0 obj <<
-/D [2206 0 R /XYZ 56.6929 241.275 null]
->> endobj
-2212 0 obj <<
-/D [2206 0 R /XYZ 56.6929 202.5209 null]
->> endobj
-2213 0 obj <<
-/D [2206 0 R /XYZ 56.6929 168.3311 null]
->> endobj
-2214 0 obj <<
-/D [2206 0 R /XYZ 56.6929 95.2288 null]
->> endobj
-2205 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R /F53 1062 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2217 0 obj <<
-/Length 3179      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKã6¾÷¯ðÑ
Ä>%{šd&A›™ÙLX ›ƒÚ’»…Ø’cÉÝéüúTñeI¦ì>ˆ¦Jd©ê«'Å~l¡¡ÂÈEn$Q”©ÅzwCpï‡æiVh5¤úöþæÝ÷"_b2ž-î7ƒµ4¡Z³Å}ùëòý—/?}¸ûïíŠ+ºü–Ü®¥ËŸÞúåý¿ÝÜ—[×ïøøõvÅŒÌ%1…t]þüéÃw«ï>úþ‡Ÿn»ÿñæã}dkÈ:£yúãæ×ß袄7øñ†a´Z¼ÀJ˜1|±»‘J%…3Û›¯7ÿ‰îÚGS¢PB¥yžgƈQŠ„¡ÉV>~ýîç»/÷wŸíÛØgNò£‹7„K–YâCS®Wë¶Ùc‘ê„«á–F!4¿¼e Jl9DLÁŒoùÁú?ð=ǾÝù¬ê“Ô9øÃËþ˜à|à…†±ý7¸±û§ºsÛ­[Á$sþ:IàQ*ˆ“]d9Už0éŽJFl¿«úuºy6À®¢Ö^€É—'àû¹:$V†@¬…
-Rè^;´‹²>$Ö_‰L
Ê;²Œ` ¦e·¯Ö5Êí'—'ˆÕvôíݧ~.Ü|8ÖÛ˜eîo¬Ú”gY{/x¿&úW{mÁžkž+BàìŠê9‘,z¾™ÀïJµF€”=sbNâkýk‚]úãž`(à¢>P–<ËÎÝdYoµ»«ÙÈf²ÈdtWT.Ë
-ÿ5­TY´ÚÙMqÜöîϺÝíœW‚5¬¦Úº;qŒì–-A}`g!g‚idÆn·íK:ÊHWµ4êª&5A]6îxÎŽ
nYy™@8ø"o'|Î\Ò¸ù`Ìe½Ž2_"ÁÀ²fGN—±àhê–Ã
-˜—¶}+n쎮Ébê]¸Ës±µÝ3–í®¨›$é‚]”¿¸šúâDÑ
-åš–Ã2auÉ¢³«°¡1úJ_j@t4žÈbf3{4µ)`0»†—»ÄT 9gJLz‘PܹÇkß—·ƒXˆ3(ÄñŽeÓŽ^°Ê´ù}¢)$o<×*^IŒˆÒª˜ªñ¬Ø|Û±›¯½{Av6®†Û¥*.A	£±Ð~ã±H.uèˆ@,¤í8“c@&sÐÝ,Œ8f,W—q4¤šR¤²H:$dH¦E´P\»Kf
-Â*ÿ"w‘*ÁÞR
-¢ˆ¦lÌßS
-;ãpQË®=Z½­+7mó@¸:nMYô…›uÚ‡¯þlq‹$¡¸,ø§öPÿz£¶þÄ{žHAX
-;Ý¢„œøšîP·sE^ÙZ¯™1(¼{7µwh{®ËÊM$;ýLÞ•Õó;ÿ^‰ð¤Yì­ÚªVÅ‚œ¥k¼Ãþ°D½®lí¿C JoZgW·sSu{k¦3ŒjR£vѧ?´.P{G]7ûcOo©ñØõÔÈ´ÛŸéJLÈ<¶pgCÒy$òq\Ρ€ËÖÜÊKÃSÜõtb}DÁÅ·@²åIøN
¸Ù‰9[ ¡m~™Q·à¿oÁLÝ.ŠÒM;Ù†„ÇêÇj‚¸"Ãū̧©¶K4 ÏcªÏÊ¥†Êr˜Â£Êt^²,v(šÒ6 =DO-’‰ážÕ¡ïÔ
u´ÔûVú±lñÝgÓ;W2Ý!Õ¼C‹TÖ¡uW‹œ¢,Ω"ç"k±È9g-YäŒx'S<蟳åÝ7¬¹ÓeOq)*2ˆwª¨ë}`¦u6Š¸ºëBÁþ§N9§ƒN9§ãxiŸ™—nÄ?‹—þ3#lz¾?›¶MÙíþ¡Xÿî‹„‘m©ÀaóX±³+XP]Àb ²Xì“Á’§ ³õÓ¡m{5#ä—&ƒÒò"s‘*ÁÝ8¶rb$ÈwÄž¯¹	5·1s57d{B«+:žgrZsÿ=\O5·q=]£í¯öàï\D¼ÂÓeÉ®#Þäñ“‰—z»uKÇï`’·8nmãm%ÁÍ¿÷·ŠÒv"˜+žT•5¾›óÊìcÿ:˜bæk
nSço;,•"š«g–u!EØÏbnÁ]Û^4üwÂÚ†h60bmýDÌp³‹DÎí÷YnPoaýÉ®›öhÝN½ž"!ÃCë‘ÑF³
-8ÕøÍñóªï¢ÄqµÊ«VW²ãѼý"‹óãÕ*bÜa®ÊºÄT¬²Î˜JVYC®¼ÕZEY«Íä|§,Ï»Ò)3œ™©ÕF…/d<¬í }il"…ÃÍdÿq+8dŠÔ¼
óúé)/ìk05TÝm/š+¢h¬Åƒ×·¨ •Ïf`ñbÛ…·œìûóXLî©›~Ûl_'ÑgøM==c=ÙÀ°ƒUùvØS8¨C;+ˆ6Ñ%¨ØC"øq[\4~NóyúTÚ^-OãTPI„°­#ËŠŠI5e=~DyÎûßÕ—lendstream
-endobj
-2216 0 obj <<
-/Type /Page
-/Contents 2217 0 R
-/Resources 2215 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2221 0 R
->> endobj
-2218 0 obj <<
-/D [2216 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-2219 0 obj <<
-/D [2216 0 R /XYZ 85.0394 751.0357 null]
->> endobj
-2220 0 obj <<
-/D [2216 0 R /XYZ 85.0394 641.026 null]
->> endobj
-2215 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-2224 0 obj <<
-/Length 2062      
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[oÛ¸~ϯð£Ô<¼‰¢Î[Ú¤Ý,Ú$§ñ´}P,9Ö®,¥–¼Ùì¯ß©HsÄ$5œÎå›!Ōߘ%†™Lf³4Ó,á"™­¶G|vß>	O³D‹1ÕûåÑ>ªt–±ÌH3[®G¼,ãÖŠÙ²ø6Ï„aÇÀ‚ÏOO/®./>~:»8^ˆ,Iäüäêêìâôü÷ã…L8%çó/'¿|¦µ«ãÈ>]ÿXþzt¶Ô«.¸B~}ûÁgœà×#ÎTf“Ù=L8Y&gÛ#(–h¥ÂJ}t}ô¿áè«Û5…àL*##¶b&ÃSMŒ‘dÌ(©œ1Î~?ùrõ™ŽÔÈx|§†2u”K «ßµu‘§2–¤°B„($Â
†Â$žæÏò!ÂhL’]Ÿ÷å¶lúŽtî½ÅnüaÈ™õͪfg%Ú0y]dVîú`ð6b^1̓ð&ߖųöÍX
-IàI_Á3&Ò,{!t‚½FÙ1£SÖRö\Ÿ‘œ“Ï×—¯'rÿÎnំÁÉèƒ;ìˆÚq‡HyFK&lbêýùÅ)mͼRŶjª®‡\jw´ôµ\—cÍʧæJ¿ˆãeҀψ=‹Ùc¡§t"õÔ.'¿-¹üúºAΛ¾Ü5eOš\?t[M>´M×îúj¿}”«™Ò&øAQað¤çêEÑtc:—%L
-K1wf}F±ŒIÍ£špqú|—2¥~£&ŒUIˆEó¾më·„ÏCÓÞuUwXq”`©5j¦R°U’ˆX…ÀÔ•	¦w¼|°TH·1W=&ÙŠÇ@õôìŸß~&“øà‚aCÆåõm»pßF²
-^¦ÓI?×Í0ú3Âß$,M¤[7ƒë¦!X•8d¾‹°„@°&	x·Pl·ë*Šë'ökGƒGU„~¢ràÿG¬\°T‡ï‹5Ê°ÖÁñŸ¶)±?Ãÿˆf¢Ô,㈰ã;=»þðõüjy~yÿƒlÛaÿ³æ”"e:n`¯%$Oåp=ð„ì}B‚r+8'èåUuIiBá_œ£q1,`Ü]¡µ˜b\Qb<7Õc´'ôàÜlˆ²Ñõë¢íË ôŒÜBÁöÉë஘1¸W}WÖkè¼	§€îaZÌé§nWî*
-C|E ‘w°õ‡‚¡Üm6â0© P²C4v[±^ú5f}Òj`‰A?gcq…0Éu¸ƒ‚Û¦~ð
ø€§ZM8€²…[úÆõ½VPa‡Kz;Xfeß´”8”HAb-^ÁpßÏ}Eƒâ¿Ri¤kcá6‚Ù`í¼ZG×Gi¤}[› ‡~"èàž#@ÖW؇:ŒÖTa·4ynÀÚÜü(ÏIÿ-Å)Dvç®+ì
}þ¥kÀž>,ù&DÁUƈ—;ù1UxzÚÉT®Ám{2AL¸\7éÚÇÊ	4¹åéËÚ
TõÔA
NÕ»
-!ºI¼Á£V´ÞÒ/¥
-‰8Þ±¼>ÿ„£ômé	âŸuþÊ+ˆØÚÓ®6mµ
-2sr+F%×óÍ6_-¶E‚Á¨M}Îh©§)Ómòp]w¤0÷¸>^IÌÁŠ²:4/ÅôK"$ê-ø|¹ñaV”ë|_û+rÕ=áÍž+ì×å+AõHó|HyP›Ca)Âùóæ>å6íÎ[¢ÛCiÛùû·kÇñÞŒÖÞ!uV&_ßîýûÝÔcð­3hJdúF´•î|ìŽ=ÃÝß|#âtüßOËOè:Eü‘qkK¸ïÃf”BÅ…6O#É?B?Õý_ìòendstream
-endobj
-2223 0 obj <<
-/Type /Page
-/Contents 2224 0 R
-/Resources 2222 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2221 0 R
->> endobj
-2225 0 obj <<
-/D [2223 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-2226 0 obj <<
-/D [2223 0 R /XYZ 56.6929 752.2293 null]
->> endobj
-2227 0 obj <<
-/D [2223 0 R /XYZ 56.6929 623.4383 null]
->> endobj
-2228 0 obj <<
-/D [2223 0 R /XYZ 56.6929 561.5469 null]
+2248 0 obj <<
+/D [2243 0 R /XYZ 85.0394 285.4875 null]
 >> endobj
 726 0 obj <<
-/D [2223 0 R /XYZ 56.6929 523.3883 null]
+/D [2243 0 R /XYZ 85.0394 241.6173 null]
 >> endobj
-2229 0 obj <<
-/D [2223 0 R /XYZ 56.6929 487.1636 null]
+2249 0 obj <<
+/D [2243 0 R /XYZ 85.0394 202.8843 null]
 >> endobj
-2230 0 obj <<
-/D [2223 0 R /XYZ 56.6929 455.5032 null]
+2250 0 obj <<
+/D [2243 0 R /XYZ 85.0394 168.7156 null]
 >> endobj
-2231 0 obj <<
-/D [2223 0 R /XYZ 56.6929 390.69 null]
+2251 0 obj <<
+/D [2243 0 R /XYZ 85.0394 95.6826 null]
 >> endobj
-2232 0 obj <<
-/D [2223 0 R /XYZ 56.6929 319.8083 null]
->> endobj
-2233 0 obj <<
-/D [2223 0 R /XYZ 56.6929 137.601 null]
->> endobj
-2222 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R /F14 765 0 R /F55 1070 0 R >>
+2242 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2236 0 obj <<
-/Length 1987      
+2254 0 obj <<
+/Length 3024      
 /Filter /FlateDecode
 >>
 stream
-xÚ½X[oÛÆ~÷¯Ð#
D›½“ìyr''E뤵
- í-®,¢©ˆTç×wfgW"iZnQàÀ€¹šîÎõ›Š‡?1Ëã*׳4×ÌpafËíŸÝÃÞûxæ‘iÞçz³¸xýN¥³œåVÚÙbÕ;+c<ËÄlQþ–\}út}óöÃÿ.çÒðä
»œΓŸ®n~½ú‘hŸ.s™\½¿¾½œ‹Ü	LÂ"ŸåÉÛ·7·óï?Þ¼{}sùÇ⇋ëÅQ¬¾è‚+”éóÅoðY	üpÁ™Ê33{€œ‰<—³í…6Š­T¤l.n/~>ØÛõ¯N™B›Œ©íln$˸œ¶gÜ€þóTfóüd/)¦ì¹Ð^ó?QÏ×ïŒéq
-Á²Ü€`žåO÷X[7¶‡PKÓ4›õo}"Û‘kB8Õ¿R+–š\¥»Ý¹eõ;çÒµ—s%tÒ­-@(\˜Ä‹æIÍjăÞ$¦âĺ«–EW5õé!DâCD%‹øVéVÅaÓѪ%óè¾!•ÈÁŸ:ö)˺ãižs •á,7ÂÆ™À­\Á(9ScúýÚU ænæ Å¥HÖnâv#0ÚM8sÞN\+4ËÓ<ú¯nöLjtHã)ß^<¥ÙÓlÈÖÒ²=z¨üPOÔá¡jÝ+4aÜÁû†sObJ¦Ë®™>: ²ttëvžè­›âÎmÈêJ§L“G«b¬šÍ¦yp%°•Ü=Ò“¤†E±¿YrØBüÅÇYŸ…Lƒê¦yâØ={5¡›ä)“Êæ#å˜ûZlwÇ–Í–M9Aa:ØB‹x'Å?,BüÃj{h» ($]®Ô(¼ÖÅGè%ÇŪÙo‹ŽÖ¨>z|)6UI˲ÙUMk¼î-—MÝVmWÕ÷Ã6®ëܾ
\eu_uñÇúq9І‹êpþÎí«¦lÙÄ
¸fSÃrmÅyðës=~G.öŸÇW¶k­_¸22M\Ùw]ž3-ÍèÊŸ•ß6¥ûsjÒ¾ª£êÍãÈK©‚%‚3zº¯»MQ]³¯º¯ñ¸==mqï"·¸3öÖ/›>×{G.oïýD±É™ÍT„³=E³]U›§åÆ€Õó,;/Ý‘kB¼AZpNÆÅP¾a¹1„(Æ$msð(°tD&ÐAZâ)‹® ê
-mŽ‹{W;"Ÿ ÈCûrÔì«o¾Aý±R%™ɪė©däÌ(º~J·mç@i%d)J-­€°èˆ´óR7_ªÒ¡˜]¨*¸ôºt_^½ž¢‘VË£³|lÁ©îó¡¸ð‰÷ÃÕÒ£„
J{ù"ü#Kߢ¸é±žtsíÚ–´™Å¶`„d•G‹‰q×@—D©êÝ¡cZfØkI13sª¶X…"Ú£í‡Þ²ÒàÅŸ%ä´Ér
ågÙ9Ÿy&X#pîé‰n
`´x
0j““ñ±{Ê¡Ö+
-44b‡é]ë£ß‡«Rªâ¢(‰L¶xâýã=§´¤’‚û^ÕbC<àÏÃT÷!uÆ`ßœzCô@9]£µ°±FWu‰ÝWÑníËŽåcž÷!é/¡µ·i¦FQ¿n›P;î\Ä7W>hãVçö< õ¹ž´#W¿ûvÏ
-ýÑB“­36™ç;rMH6À2		®¢ÝB@aˆ)m’uÓv´
-5g"j%€êApáE®tO••z56™Ž­Õ<|õÐF)hqë÷\`*jzv%õm°Þ5›jùHkBTM`B! ›2é(.N½hpK_@-™õ<ØÛ,Fˆ®NGœDRC”»ð›Ü]q[<µ¬V+ªËŠŠØvt¬7iÐÛ
t„Ãb]…N3Î.¾kŒÀcÜ[u“×°€jÜêæ&
sû`nzš¸dÞ|šz\g )rõECS
-“}í[SOBSªry^°#ׄdchJ!x‡¢ù{ÁÈòÔ‡ù[qŽ„‚6âoÁôÜŠáð"GHóq	„Ö¦¢¦gÄ#ÜŒx„ôÕq›ùô@é©Æxíÿƒ„LÓ!
-Ic_R–âËíá.$ª<%*¦¢Ì’§ÚðjÔ¤
ç4D"À9ÇORÆV̇HŽ2RN¥ /ÏF1õ_JÃ(9~»¸þãâWšûtžه˛ó¿n9»¼íÙ².¸Bž¾žýù_äp‚_Î8SibOpÙHS¹XŸi£˜ÑJ…™êìæì÷~ÁÁS÷ê¬(gRY9#)B0<ÕH&eVIå„ñîòæíç«O·W¯ñ4î½üøb)5KµÐŽ8Ïëv¹jêû‡¢öÔj@m
SVHx‰¦Øf]Ñ‚ÐexQÑßÅ3Ýß7[ìÚ‚Ý=Ïp DÂL¬­_´nw›Ù]k–ĉö„YÏ­–¢’°X¶.ò™•giªÂ–`Zˆèª#vÛr½©Ê/œK:™Š@ xû°ƒÓ–MMdÍ=]ógØ¥\á. Ë8q»Xöj
~4µ[*MQîêeWÖtŸÑ…„‡÷p:$Ñf{.’¨ùVæ=m÷XÌœ\rÉR)ÄOÈÑ0®Àx_c¢õHŽíbf9°:•ÄÆ“¶Ïu—}ŒfžÊªò(èZE^äž®!é)0E‘€{é‘7“ù€W–Ý+?¨WÕÎËn³š®Å÷47'!-Ø,L<’d–›¦*WÏóf> n; ^uLjK‘J&t¬a³T±!Õ˜ƒ’1*RIåÍ:+kšBéÑlÙÒL»)Vda9=h<)ªÖ
VÍzílŸVe]ÀÑ•†:š""åÄäÉËñb¶g vF‹3ý>Á‡sºEûÃCò±'à	ni¸Òû‰ŒÚc"O,óÊ€b&¥R#ŸŒy½GÁ
½n_Í)—@ÖðúÁ†¯Âîë™Í…Ä0i0ߧfWù³ÑÐ]æM4ÖþÌØDÉm-¨-«*gÕ6‰¾H©7çÂÀ6`Ÿ£AÇÒ{;¼TœlM§©øI‡äqéÞpyïÀÜ
+Î	|yVSÚ`C8BEã§hœ@!+ ™H^ =×¥HpGÂàA'çf½•9ŠÝ×MW„]ÏC!@PâÛ஘µ=¸—][T÷þÐYNÁÕošÑ¥j@‰4ÄäF^Á‰?•`ðTvs
+“
+%¢±{eYÍiMÀábÑǤÃ%-Â&sv>a’ë°=ânÜÔù÷Rƒx¬ÕX‰=('’òA\ÁƒÔLc(`W±%Hé Ç
+ÕÚhwP4O’°æ²ËL¡.û¼¶Ô;\jg‘ó\þxqrâ­ÞZê‘ÂŒ¿Á3<•­«;D¨%øP° îYÁCL}æ¨\5fæyÉhé¶Ød>û†Ið¢ò‘YC&,L:ÎÀjž\c\£Á]‰kžfœ
IH4xÜ8
+öÀ^ÍœMò[1éäpôžÍ)A	ðXr’Û°'Ù?¼ýÃh½k;P•@n¬&æõ˜}+&qucô8ù-«Jy¡"Å1nçÃÀY[¶]_L‡ª¢ëŠmë©òòéÉž7àSLÝÛ²ÉÛã°Ç
³BÀiÜP¾@åÌþ뱈trË>"n9‘F[þ¾+/ðu“»ü¢¶‹S^Š˜hµÊÑ•
¤Œ&´/6UVg]‚YW|ËùJj×fŨÙq\Þ*6,6'å=¤:.ïžÊÉ{;i ˆNúškFѬïËê0Ö@&(ø$w=Õ{S·JÙ1ãpcQŒ‰Ú†Ê½UAÓ„ÚsK4PRd4ë²L;uHâC»p‰ê þX©¨dBôêf^¦‘BŠ '¥3UX¡IðR—›ZfÑÑÔ¾XÐD6º	Tpéu^|{íÏ5“§©å!öPA+]}pá÷‡%J*ɬ	m9HHd(Q|è°®´s]´­ï˜%Õ3A2Jg-:Æ]CÓLYov›9e‚Ír)Ff|iJê¾ünGņ±Á+CkG|–ÓBágÕÎ󌗆§ÜÒ¬üÀhðêaÔF{ááU
+iØ8^‘¡¡]}c¹ïÁˆ¾Ã]Y\d9M“lž8ý8M`Å ¥¯à¹;*50Âÿn.û:‚¬Oi¼òù­÷M‡²Î1û
+&ÚI|ªC+H‡¾a”&ÌƉš–OÔjC0»+¾ùQ@Ãe¸/$ÎCªã€ÖS
³¯i™,U/¡¹¼9…ôEAúr’¯@4Ã×PÌ©a‰°bÌ×
XÚ—Ò&zlÚŽF>àà'+Ê#`îDç[[lŽêŸì&:äm|pqPÔS¸x¢­{Vx"ì¬á5´¹pìûënLpªMøxJ›N¬bÐ'¥ŒZ;’ɽÿ¥LŽÁ#
‘h×nóÐò†öñU¼ÒÞuÏ›?Aòw(¹®õ¹ï»éÜ·ó‘.ä¸T‰ò-±Îyq('׃¯Rq⛢t€,d†qÊ”HÆ’ë!Ï…=O:Ÿ´ª?=_eµ-ʃŽtŽç ÞF 1Âsµ_Ò£$N54sçïIß9M®³gšÍË{„‚ûÂÇ–A‹m¸¬ïªƒlüáAøL94=BåârÖp‚	tL3«n¶ô0[ýBÕ¤µIFUÓq`R`–éK™íê0ª!k'úw¡-?&©€LNóˆfø“ÅÏbÌ—Û$,÷Ù¯
+=+q
+Œ„ÿ5?…E|ÁŠá†ŒpF8çl&ÚÂÑAÙƒ>`„óþË„i€|v ×Tfòa2Èþ„Œã1Iì^’‡ºo»;ï¤rï¤è†» PÏúWÃIZ¿NC“™û¦
+°N_ÝIòVOŠ¾¦÷UF‡S1vº“‰=½Mþ¼©í$›ý¸lû߸ì´3¿i
+éh’Œ;ô7——ÄÂů7gÖŸüR"|€øÂ
ð_hï­Ÿ˜éœLhÒm¡Òábð’Ö7W×ïèÍÔ3–¯!Ãl»-Öˆ4õ¹@ŒÅ66Lý–Õ»lî¤qôY{ð…i((N°mDz¹øãö_?¿,”«æ:”Æ7®®ñÆð¶©ÛfÛ•»õ±ßÔÀ†øC˜°â=‹ÿóïmö¿+Ò1SIrä‹…„‚^¶)<œ0ü0ø_æòþ÷è> endobj
-2237 0 obj <<
-/D [2235 0 R /XYZ 85.0394 794.5015 null]
+2255 0 obj <<
+/D [2253 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2238 0 obj <<
-/D [2235 0 R /XYZ 85.0394 436.3514 null]
+2256 0 obj <<
+/D [2253 0 R /XYZ 56.6929 752.4085 null]
 >> endobj
-2239 0 obj <<
-/D [2235 0 R /XYZ 85.0394 376.2994 null]
+2257 0 obj <<
+/D [2253 0 R /XYZ 56.6929 572.8048 null]
 >> endobj
-2234 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F39 927 0 R >>
+2258 0 obj <<
+/D [2253 0 R /XYZ 56.6929 166.0529 null]
+>> endobj
+2259 0 obj <<
+/D [2253 0 R /XYZ 56.6929 106.0009 null]
+>> endobj
+2252 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1666 0 obj
+1680 0 obj
 [730 0 R /Fit]
 endobj
-1528 0 obj
+1523 0 obj
 [730 0 R /Fit]
 endobj
-1245 0 obj
+1249 0 obj
 [730 0 R /Fit]
 endobj
-2240 0 obj <<
+2260 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1697 0 obj <<
+1714 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -10155,7 +10268,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
 ¬‡¹rðpr‹t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññÃ…;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y{‚ÀN¿!v€ØÙââòø
€¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ	êõ'þÇëŸ ®.`¨
'&ïcNëcn[“ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ
-Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.Ym
e5¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
+Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.=Y%9U¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -10178,35 +10291,35 @@ $O
 t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç	Žð=Ï	añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGxd½DŽ…*~ÂJSÛ/
*ûÎÔF‹µëújQ‹jw	Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô.óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘	p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß	ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ
ñâSPÓKD³—dOjnÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“
_7T,Q1çTiHøBÕWL8­¡¾	 ,œ²£.±ßu2†)¶=–Oš ¹ÿêÚ´­Ùê²,
Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê	{>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM©	Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³	”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã
©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc	-@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜	…@ƒi/_	A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿZfõ‹endstream
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿÕ…õ–endstream
 endobj
-1698 0 obj <<
+1715 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 2241 0 R
-/BaseFont /BPMHKA+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1696 0 R
+/Widths 2261 0 R
+/BaseFont /USBGCJ+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1713 0 R
 >> endobj
-1696 0 obj <<
+1713 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /BPMHKA+URWPalladioL-Bold-Slant_167
+/FontName /USBGCJ+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1697 0 R
+/FontFile 1714 0 R
 >> endobj
-2241 0 obj
+2261 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1683 0 obj <<
+1696 0 obj <<
 /Length1 1630
 /Length2 6133
 /Length3 532
@@ -10218,7 +10331,7 @@ x
 Òy¦§aáèha
…«pJí•Ž HÀÈ(ã
 ±@Bá0Y$D¤±ÉB¬@¼¼ #Hîìå
 µµC‚XnxXÙÙ9þ²ürYzý‰ÜD" ¶0Ó̓;Äîì!o(þ×ZiÙ@! u
%5‹‚šHƒ¸Þ¡áf鵩@­ 0„dw9þqYÁaÖÐ_¥!¸n¸¤ Âb½	ƒxZAœA gˆ«¸yA [Wò¦H8
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`Ue-Eyö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
+³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`yCymuö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
 ÿóü{é!Oˆ`zn%lŸš‘†¬"Ïéé—5úÐÁƒÑâ\\£ý:ß¿Þî—¾(Rf~QÂU;(zÕä5¾í|¹ªÌ¶ÖÛAæÈÜžÙË£ò¡g}ŸO4ÏôNˆ}-lZŒŸöU/Ê{LeÓP[wm©_ó™iÑÅ=àà;>WìýSVz÷|R†g_«”·¯´ÖÞ"®*ØþÊ”°yzÂÜÕ÷±§»ýðîûUJöìW8Œbî˜øL‘þ.Ù”OuJåÊߪݎË;BbubÁï<_^Ë¿Å`i¢KÙÅy¨yc@–‰Ÿ'\;ø$·®Q;S-”âs/,
9D¦Ô#,9ƦïKv²±SÐúê¿»èçö‰%…÷²õ-âÁ]3ëãÝ“±Ñ][™CæºÊlëŠÑLü‹¦ëÀ¢€5‘ؽrô›ìç3üÜ°˜üDÑSjÛðôä)Wï8Ž*öÜŸèž“3@'}~+ÏÝ6‘žˆ•Ø\Žpµ<züuÚ>AbåPóبLbZ÷a3ÒYÍEœVÁ= ¾‹­{·^®2<¿}5aq€©ÿ_5¹Ûðòµ÷>›À¥´ê$C}ÀXŠ¹­œÕ÷ji—û­€G‡/§Œdû-!j¹;Ë6#ÔÜŠ.Oé­×ôÎc´¼$z¾I(ñØÇ/Wj®½"¹ßKÒÿ¾ð{Lš¿ÞH¥hԻí:iÓFRF<g]Û39}—ÞÞF™8|à0­‰å‚Ô"¦¯£G$¼	ºêÆIª˜Ê΃.–Šô‹µŸE·ÛCqüQmæoi\7yªàmûŠJ…0:næÅÊØê®óÆ	XeŒ`Ãé’_ÿî½jâì…”Êr‰ÇO„DŸÓÕ6xÍ·o¯lŠýP¦ÿÎ*5„$8d”#ÙiWtu¿÷¾žG=kŸoHÉ]˜Ÿ:ã3ùN»­g}„™?&ì
 b݇a›yKÜ£%t×TcaÖËF˨?B:äÐ	3ÚZP‚ÌÆŠ}
fñφôˆƒTU‡J鉽žj:»«Ï‹ºôN)/ÂÕ	äE½¬^gº‹ ^/«k¯&6Ö7%³"”-ήQËòÍ“ñÆ‘r¾“'#LwDEëЙ}`?—$-`¤¦ÍC5Õ‡9æ3ÖXïžÊºUFC:ׇ¸T<íàìe¸z&îÄŠù @Õ!˜-“Ú½¡…´cEҼŸýÍó2¦±h’—Y#ªªÇSÀìjzaT
€Õx…^ÉÊ9%î5Fõ¡ƒ…™y	×±ªälš2$g$?˜ß{v€¢è§à,¯ŽÀnD£ÍfGªªSH4‡S"€ÚóôöóãNƒ^œ¤ä½t!¢+ÏøÝ÷n©X#õg«uW
³}ceS÷ö¸ïcZ¦BF%×#
èS=ªbÁõËFñÁp%ˆ&ˆ÷Ñÿø‡@§{›Â§F$
 ñÀèHvo»Vüy½¼Òç³³”ÎjÁÕŸ,_Âh^§–p³/â#Ó„HÊÀç„»ûÄŒ[‡¤Ê»B8Ò¬’%PË ™#¹&}Ô7uo(à–îu•úµÒ95ÀŒ¾?ËêcÕ8—ÄñâθÑ,™ê:f”†.‡Ðà¡ÝõÁ41hÀ›3):«;Ícƒ·ú‘¶Þ,èðY½:Nç5u…QEð‰rŸ–²ÌûŠ!&.ÜYâü×Éú;á$¤`×yme~b©@{•3*¹‡ô÷¤”
¥Åêg`iDÕ˜|)1IŸ\°êjñ˜Î™+ Ä&j‰wé„™–£Á{÷…á«-G3µ«®ô*UÅmÖ­ïè, ï!¦ öOµìl•yóâúŽàäç?MµŽÇ¾Ä팼®sÞÀ±x»åÅ!¼´œ®“X>ÒIÙ»—X,×EAœ;¯è%Š]"N?v6ÁnÁ$W¥0O«W4¸»Æ—NQI…>Äóq†z#ÚQû3]º¹Ñ
@@ -10236,35 +10349,35 @@ d 
 ÕB¾ª\h~8©$‰¼¼·ý˜7!g;É¥ƒ\®cf>}7›ùâžÐÙZسãÁÖ–Ü^-Už&(
 ÖËÓ»ÜIFÙØS­˜õOV_ºhýÐn-®
 X{$¢½‰¼û£@–rlZ™âɞˊ1o(­¶¨mèö¡Ðé»÷ÝõäIŒ]Œ_-ô‹¸Þûò'zŸT¶n76Gت–·&úìIĆ‹7ÎÔ‰‰f¾uä3¾õˆ;)EO4,Źk&l‰#õŽ¾„˜¬Ù¶³	½höâiF]	‹œx'´ÅfÊb\ñê{Ý?¬¹¶=ê3¤XTÕW©*®§‰\Ee¶©x‘@†Dz:ƒ!¡X¾ÂK”G½èß>c{BŒÍCŒ±¹0šUÕ¼ƒ¿ªÝ•5xfœéÉU“Nhèòã»Z–$8û훎·òБÞåú¸;ß¾2~%~QÍ÷*|6οÀ.©ó¶H&l]ážçµÐ[èù%¥κƬ!ÙrOxÆ!.B˜“zuW,Ôêr‹9å™ÊT°CHÖ‘_e‘‰ÿð:û5r€û3.ñ4v—W”ò]ª[)ïó–äÙÀ—݈H¾ÌûùSŽ¸+¹ºfS4çHõ¿ÞzyàÂ*/ç%Šâ׻͠Ï8ôæãmº'7…\ì°Å÷K)8ÐÁ@£bÅî\ç±ÄÝÊ‚×[g“©»5é«ÅÖ¡’'¯ÔíÌ¥ºégˆ<‚â¢Ï8TŠqùœ_Uå=¢¦#fœÞ*ª6í¶²*æ›\oi›–•`ûlj[ÛW*ˆ»ºœ2Ž(ËtŒp{ˆ¥6Í]š†}„¯>{?'CÆà§5zíEëÝÚÓÞ&vø¾öŠ
÷dYcØL‰8àÇÉu°à•GËÝšÎñtûëV²­ˆ’eÓëû­&KÅàჃ‘oS*.m•»8ÕîŒWQì3ÊDÌûj	OpHY²ï®f>×¼ù‰_ôŸö‘Ƥ‰´»ø|EÀ’=PzêîXDƒ%½+C£ˆ1_ù¶‡=AýYœ:&Aaú;æ¬U¾öÝ*“ÍXJ·=à²ùˆ1¦¬ý<ð»©,|#
O'Cƒµë“M]í¼æf°ºÜS4‡AÇ÷Mj€“Ò·ÐökxõÊáž™ËG‡ÞÕéú,óÔ92‚¬
߸gp0o9)ÁM£«&ChVF=Vv¯ñõ­Åž¡üÜÈT·Žïvä(Ê´ãé¿7jzä­ ¾¹Â6]E³ÚŸÉÞeIGOIùç…&˜+ÊZ Sl©
-Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀ…Oy˜endstream
+Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀÉy·endstream
 endobj
-1684 0 obj <<
+1697 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 66
 /LastChar 78
-/Widths 2242 0 R
-/BaseFont /MJSGHF+URWPalladioL-BoldItal
-/FontDescriptor 1682 0 R
+/Widths 2262 0 R
+/BaseFont /FUZFTO+URWPalladioL-BoldItal
+/FontDescriptor 1695 0 R
 >> endobj
-1682 0 obj <<
+1695 0 obj <<
 /Ascent 728
 /CapHeight 669
 /Descent -256
-/FontName /MJSGHF+URWPalladioL-BoldItal
+/FontName /FUZFTO+URWPalladioL-BoldItal
 /ItalicAngle -9.9
 /StemV 114
 /XHeight 469
 /FontBBox [-170 -300 1073 935]
 /Flags 4
 /CharSet (/B/D/I/N)
-/FontFile 1683 0 R
+/FontFile 1696 0 R
 >> endobj
-2242 0 obj
+2262 0 obj
 [667 0 778 0 0 0 0 389 0 0 0 0 778 ]
 endobj
-1440 0 obj <<
+1448 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
@@ -10272,90 +10385,93 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚíRiTSבª¡¬2©¤j=,Œy5„„1M ƒÄÜrKr/½Ü@R*©Ê²ˆ.EE©°ªÔ¥–X…WÀ‰´Šð€å³HÕª8õ‚uu•þl½õÎùsö·¿³÷w¾³i‘2†Â6À¡J08LŽK¥g6›B£ã°’@04DIÀBÀ|ÀJ½p—6_È[&äñ)4Œ¥q$YC¯`ú‰D:GTJH•„Ö‘5TJ-a*&ŒL ÒjÁÚ‰i`-œãé0Ĥp8BTØ'#(…5¡I‚ª1ÀCúÔ·©tO#E¯I™t@Š„0Tk¬¦°Vcd7˜ÔòOÈšZ-(3d2–qƒË#[±—û>ý'¢Jã0JLŽiÐÛXžÂ°VQ¬70•ß–÷žÚV#®ì8jOO›o>¼¥íÜÖ“f?æPŸË5¼á9üÁ¯Î[?FŽ9G|Å‚Ô¼^ê)Q–%SÆÚÚílqt£—ï“Íx ŠOœv©´µå=Ýíw­R¼üèùôNú9ûÚU÷8ü
-êpÁôê›7^>ÎIÙØÞkuøò,¦$”ž^µVü÷Ná•ñûaX%f­º47~ßS×WVjËí®”[Žf©TjwÝìÿb›nP÷µS8ûSZcJ+e™ó}®)ÊÌÀæ}sL@Sc„ô—™ýtA¿‡ùÝ.I^vqx´$jdÞÑrUõ<­XÕ®kY׬@/äÔ­ÉsI©ëàúqRöÐÖ&½¤ýºhÇô'	ÏŸ÷<{m¢6?PezظŸíí»?0ÝË{ˆÞƦÚ_ýÌâ«Ô|q—†÷8¬0µêþØ—Õ4*1‚ë¹n7Ž|æiåRî	Çt{Ëþ%]çýu£ew¼Ø`#ˆ½ˆ~ØWñðç‹Í¦ýÜÄÐพ¤3ò›Þ—jêÏW†¸ÖäOO°4††V.jœ‰u÷Íõpï7ÛI? šÖ]†Âûš³Y.¼ñ±Ç„>º^ø
þPei>ì³ Ç~pó¼”Ìûò¥™¾¿Ø‹¨I2vøÖœ°|?gÉ^HžÅX³7åXuDõ6ñ‘`Öž£‚º‡»²¬³ODß©KñBPë±ñéRz+mýåšG„SaäóŠ$&x¦¹ÅÑãc™éÜ3­çùÅ'¿ê
-8¼ö`Uæ®Ý\¾`ûzŠÐ¡¯»_@MZœózËHw˜ÞÁYÜØgEï5ßþ¾ôo>{ÐYïéóÕâ€fjíùÿŒ®XÃà:«å™lm¬wmß8
jªÐÕ¸Ñ ·KAÊd/«»Eêú­ä‰;jiJ5m%h‡^ž¨,V°rºWœôñ VVQÙbÉ)íR›i·§>.vxŠo:p5œ__¶
-¼U¹n¤|ÜÿNç¸>×õòpAûO§—IÕÒ×q²=IsÕFCÇœŒÆÎ’yNe†`†×–Óe~Îý┩a“Í|µ$úÆVÓ¶íšë•p…£Ž³9Z`à>;Óžg÷nvÁJ*õÔ´¸vÔ°¯6¼d ÷ÈŽ‹Qïç[îx)ÜKÄůlcµƒm¶¥ñ‡¸B—UCi÷…Š"ÇÚ`¼Dž§j½•¸yå´¶þø.‡íœƒš¬¢ÎÙùM3æïØô£Û£%é²ò/לãç¥+Άòzg}ë¹°PC@‰Ù'ÅU’óž~÷ôŽ}ÈÈ¢ÇÑgÌùÏ4=§}ËŠ$C—;D7[vÓj:µU%ù»¥³«]Ö¿æt¨í²ðª“ÿ®¶¢6Þ'­cÔ%Ä‹Wq'—º}mL*ä„t™†5¯Ê€ÐÃÍXˆãêž—Ö@fn®¨$¨óúÎaMb}ûµÒÜŸÐ(Y=u¼µrß,NT.+ u¾P`7ãÞWb?ý&©Šß?z^Üœpµûó‘5;ø/¬	,zB!CI¬èâͱnx’y(¯’ZÓÇþ›‹òÿÿTZX‰˜N‰§P~FûŒ­endstream
+xÚíRkTSW‘ª¡¬òRIÕzX%2yj	@ÄX4¼_soÈ-ɽôrIˆø ’ª,‹Øè’§¨(Vú@©%Va
+ø"­"°©Z_sÁººJÎüš5çü9ûÛßÙû;ßÙ49Caa	†“#Á2™”Ãä™Í¦ÐhÁ8¬ 
Q°p°Z§Ü€ÍòVy|
+
céIUÀ+˜>Iâ‘Æ¥2¡†µd
¥Bä˜	ˆ4°~òFXgÀx&1)€%6©JaMj’¢*ðßÂ.ý]*Æ3HQÀkJ&"!Õ«(¬µÙ
&µü7dM/.Ñi4kÚÉòSNý%¯Ð"ÃïL›®#`È0ÆÑéÔø­8!:íô¬”Ph¥MÕÀ€ÁYÉd¯|‹#DC¡T•B“Oá0
+MWBú7¥ƒ$ŠIDÞ¿íT2B D¤!ì?ØS1ç˜4	Gô Íd³9$‘ÜïNIÓš‰Q%!h*àò|€Ç
+9DdÄF@PÖXO*f1QŒ ¯Ò™ ÂpÊä¿ú°KgdL¢o.`¥NÎéÞ$öקaz#c0¸<²{¥/àóØ9"*u8£ÄÔø½‹Ué)ëa%ÅzSúmýtßéí5¹âªÎcöôŒ…æ#[ÛÏo;eöc÷ú¹\ÇŠ„?úÍy›ó§Èq§’‘ðoXŠ×G=-ʶå¬m=ÎG7zÅ~ù¬‡ÊáÄä—ËÚZ?ÐÜqϺx0½ÑûáÏžÏîfž·¯[sŸÃ¯¤Žά¹uóÕ“Ü´M}V‡¯!Ï¡JRÙ™5{áèÞ-º:ñ «Â¬Õ—ç'îæúÚJm½ÓvÛÑ,0•Éìn˜ý_ÎaÓõªþ
+ç@Úbkl©`µ\8{¡Ïõèr3°ùÐßÃÐÜ.ûuö@]0àa~¿[šŸS#]p¬ÂEY³@ãZMµ…ë[ã[´èÅ‚Áúuù.iõ\ÿbNzã^Úú”ñW´ß–ìœù4éÅ‹ÞçoLÔ–‡J£‡û‰1Þ¾3½¼‡éílªýµ/,q
+õW÷Q`X¯Ã*S›öïýÙÍc2+¸‘çvóèžV.å¾p\»¯üo²xïo›,{ÅzAÜ%ôãþÊGÿºÔb:ÀM–'ô¦œ¼å}¹¶áBUˆkmÁÌ$K“DRµ¤i6Ö34ß#Àu¡ß\'Qâ`$Pï²^ìÖ=PŸËváMŒ/:.ô9ØýÒo角(KãÈŸE¹öC[¤íb>ˆ\nôýÕî|xmŠ¡Ó·ö¤åÇyËöA‘ÙŒuûҎׄ×l×æì=&¨ı+Ï>÷TÔôƒª/u^ᛞ-§·Ñ6\©}L8E¼¨Laâqg[ZQ<1nÌäžýdÏ/1õuwÀ‘õ‡ª»7=||kå¢(B‡þž5]üyIî›­£=¡:gqS{‚½wÌ|çÇ>D0°åÜ!g§ì7KZ¨uþ1¶jƒë¬Š4²5qÞ…¶ý4¨¹R[ëFƒÜ/)R½¬î™ë÷ҧ9Ý´]Bп:YUÍÊìYuÊǃX3V)DåK¥§5ËmfÜ™9ö¤Ä}ð¾ùàµ0~Cù.(ðvEDühÅ„ÿÝ®	]žë•‘ÂŽ_ά©doä{S櫲úÎyYM]¥œÊõÁ¯­g>1~Éýê´©q³Í<|­4úÎVݾýºëÕ°hG-gKŒ@Ï}~4¶#ßîýœÂÕTêg¨iiݘ~]Xé`ßÑ—²¢>,°ÜõŠv/—¼¶‹®j·-K<̺4*ëM{.V;~­	ÆK#ó•m·“·¬–Õ5œØí°ƒsH]Ü5· yÖ›v{¼,S^ñu|Ày~~fô9	¯/pÎ÷ž‹‹Ô”œsr¨H\}0õž¸',ûyà@ïÙ‡Œ.ysÖ\XðbPÝ{Æ·¼X:|¥St«u­¶KÓT]Z°G6·ÆeÃ{¡N‡Û¯¯9ùïn/nç}Ö6N]F¼|pj¹Û·†”"NH·éQhËš,=Ò‚…8®ímtidæå‰JƒºnìQ'7t\/Ëû’7P'ÚªöÏáDå±Úfá‹v³ît5îóïRªùcÄ-I×z¾]·“ÿҚĢ'1ĪnÞ<ëƧY‡ó«¨µýìÿpQþ_ࢀR+pÓ*ð4Ê¿™<Œuendstream
 endobj
-1441 0 obj <<
+1449 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2243 0 R
+/Encoding 2263 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 2244 0 R
-/BaseFont /UMVMTD+CMMI10
-/FontDescriptor 1439 0 R
+/Widths 2264 0 R
+/BaseFont /BAZAFA+CMMI10
+/FontDescriptor 1447 0 R
 >> endobj
-1439 0 obj <<
+1447 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /UMVMTD+CMMI10
+/FontName /BAZAFA+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1440 0 R
+/FontFile 1448 0 R
 >> endobj
-2244 0 obj
+2264 0 obj
 [778 0 778 ]
 endobj
-2243 0 obj <<
+2263 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
-1174 0 obj <<
+1178 0 obj <<
 /Length1 1199
 /Length2 2269
 /Length3 544
-/Length 3057      
+/Length 3059      
 /Filter /FlateDecode
 >>
 stream
-xÚíWi<”k2edÉ~YF3vÊ>H'ŒÆNeÌ<3†1Ã,ö-¢8ÙÊÒ&YrìE¨l‰E„P*J¢
Y¢Sï£Nõž^ßÞoïï}žÏ}_ÿëú_×õ¿¯ûã$Åi˜é> 5ÆÒ@#QF€=%À‡ÍÄái{4ö‚d¶-O @WRr¢°¨àš.hÉñ,
-†Á³ '_6`‡gZ(2Bé  5Jû»#a`”z8€Y ƒJ¡A†N`€4ŽH¥€Ä½ “Îf@¦@‚*\;3`IcPȾ,á¼×UUMMý§mhhø„}GȤi€2´©ôÀÕl…
HPáÄU_,	oE¤°VÛ¾,V ‘¦f 	B6$“„¤,MU¨X+Ñ’°JÀ„¯ê‡¡0@ÔX˜æZúÓè!´ˆ5!…FüÚ‘¨éL£±A[Ìß	þÓFY€.Jeˆ2À %øj®¦v
-¿‚èU3žFŒŠ¤$<•	FQH ôG0ñÁ Àb°Á¨ˆþ¹ƒ£Ñ‘B`> :’Ÿì$}ÛÛáYJ(à‰B¢PhµúþX탗H§QÃ~ºÛã@@ÓÆÊÕíwkµµúÿáiaA‡h5Ðú€†–€FC}êjÿÊúCïZ|µbñ”¿kEý¤´¥‘è€á·– -¿·2˜Ð¬ˆ¯£­
-ü“ߞ΢@ñsŒ¼Pº(h‚ zÍñú¾æýšÃšM¥~UñMÒ„	ìVU¡BgU
-á?¢ðjØq¿:º‚ß.Äßt¿ÂßØÍid*h µ¾)LkJ(HÄRXßo³ó]nâ×
-béLÊê‡BtÑ¿`N¾‚?
d2¡Cù
-4â/I­h:‘B#84¢xñ‡a&°H§¯'Å~ß“(P‰ 
-àCtÂŽC~5‡š–.šK‡h¼¸§Ý®ç¼ð…-§O¡r#¹Ûì%ýK¥uòç
²r1ØN_“*Ïõvë¹Ó¥­RôCü
-š‘…E„¹w%I½F^Úio´ùý&DÏª]*ã¨dNÞ+Ë°[»ÞÉ—/¸+™XÞÆ%ÒÅb¶.y¼œr€IË–Vò:L¨Š/ǽuØEv4‚=à´`P~q‡søv_«¿ÿQe·_ýëE‘Êfaïþüº1mଚ÷>Òî¥úF-w¯i-û–5’–/ruwkïQï¾äŠHy×b¡vRô"ûåkÉx·ƒå
-mEQeEo[Kçß­SUB¿P–}¸Òz¸•_x¨¹•G:Pƒ/•Ö¹IÚ¶'.YDatwš/[ä µp9Î{—<-û!'$kæ'ŸÛeݑ֡ȼâmsG\y+uÄô†ú™ÞgÓn[í6+Íó^sljN)è†lØL´‰-º~«B$-PÜ9ñeHÅ	ocGÖ˾t–ÄOT謩=ÙÚq*|V²ùÐg>‘¤iwT%¹ŸóB¼K[›‡ž;៥ӹ\·¿Þ¬w,+-ÆD|d³̦ázѲj‹¦/Ÿve®{¶f3¡¥?Ÿ˜£M˧o!ù"rºÀÅ`èý^ÐÓš†<äfFkpS0¯§÷›ýqs&g{1èY+—;'ç÷½8c»ï(Ö¾¤~,ãåÁùÇi¯ê†Î´y‡¥«ÍLòºõšÃî>2äœÛÐÔ%‰¹T½EBkçgo7·W¦—³‹Ìž£$otOZÏÜ>sgƒøD­uÅÝ­3ÔŒv\~a>W¸’ÊGœ_ßï%T`aÔÓ—!_•GÑÞÕöJÀxoÅ>ºá»#ãi"Õç·O8ìYåÕÂ/\e²çd[wý¸LÌ­acÉ“;9r¯lÚ„ëÏÄÁ(&]—ÄGyá1áãN¦&7Ûm{ù÷\móÕè±KG)曌ò»ÕñêB2¼„QŽÒfoC›Ö¡ušÃó5@EB'Ë%x)T»Ëm½OdÀ@K éíMËmSi–¶œÃUs¨¡ŠZìôµ\ѦzOŽƒ9ÙB¦ž\ÆIü/¥ÿÙ\ß&óRf×û:C±±d+Ý”…ì±x_ºô8²¥…+UŽ‡ü‰÷‰óþö“ŸêŽÙs-eÑïä„»Ï2Q2ÎBU?yÝʽ/fH¢®Z²õ{Äm±ã¤Ûmc”ÿ`)<-DZãSGWÖ¾wCj.íe÷P*"³=&ÌO
-K©LÌâ»Î?À±‚ဢ©¿îs¿îãªWb+¦†O¶s»aöz„òEÞ§³¿ÑùŸ^±¼i„ã‹"_ÔHÖ&íž8«l…¨šÌ·Qõ³
-œVAà£nwýóK°½êäåJ-·=iÖŵe‹ã¼M	!|î6zÁ®Ïáí‚RÏe|*ïÙj~åZZ½Wæuþb?vž(f~µ‡s*»f5/A;(ѯéb§Œ·ry|Aøþl"jŽüÒy9áXI’ó·ûMU´n£|ÏÓ’qÕÈ^KDtPSaITïAgŸN‚qK¨RvÍÇ'÷súé©¢Gå4Sm²’å‚ÉÚ¡%À_¸ÞHÊúBVúÝŸªœÓc”ÄÇ®<>'Ú_T÷AìKŽÖ»Ë4™nz©Oèùò=Œ¨W§Sûø={ñ9ø—Ñ!ewtô¦
eb¦’…Mb‰BÜÛs™¼;àBmÒFÄéDG©äß߿ɳäl•èŽï³iº:‰Û%°´©çÁµmþçbf­ù§Êóðァ»™óÉyâ\q˜UFdUvf¤Ý)‡ê„þ*uŽ%~–ãÛç
-b4rÍLiÒ™ïu
-IâB#ùz'FÏ`ÉNÕŠþù¢U[¢ŒTî…n"oɘJ3£d™&Ì :q{&Í+W
+$e(ئ‡™Z5#WKJ%J
+Ú'Ë¿Bžßâ„]ûv
¢gÝ.ŸyH.·ð¥uä
û7*•s^êfÖ·%	ILé¸
Þ/ÆCa
+J•%ÕÂÎãZ¦2‹ñSÎöôX,ì¯Å WdÛ•ú»4·y‹Ô¿š—ªn–ôë¸f%jw/	çÔ¾õWð:mŒm¹}Eo1 ¢‘²x–Rb¸MgÈ°N÷yDê›ø+ícëÏr_¼’KðÜW©ÚVSQ:ÕZþ°èv–:湆Òý¥Ö­¢’üæV!iè@M>P_á)çО´`cc¸ÅrÑ*©GÈ=sÊ÷”Üq¥÷¹…°P%‹@•‚.»Žô5ö%÷XÜEyiJþ ù5üÞ'“žתÏ
+_ñ"¬ŸP0
9°éX3L?üF•6)Ta]bYçØg¾¦+çH5Ê:–,JVí¬½p¬µ#oÏŒ\óþO"RÉ“^èjÑJ_·¹÷¶Ä×÷}¶À?)dxlzµÖèpvzœ™ÌðZ]®ájé²F ¢_]à•ƒj&µô‡“Š®µ)ãEŒ­äžGO»›ðßîXqeÚ)Dhfµ†5…	ûø½ÞÿÎìD¯ÍFv•n)¹GÎN;ì<„w*¯šùbßìÃô—uüü6¿Èíé‰ý¾7^ñØCÝùîa
M]ÊÑ6çÏIÈêmùäçiàùÒübN©Å3´Üµîq»é›ù·VÉŒ]°«º½A¨´,þpgÉäsÂQSÊpþ$"¿ÿ‘PlŠæŒ‘@—údIÚýB¹;+[Œlç½EŠn°;ù”«	·­Òý`}‚Ì5ÛËtîì tvX©¨÷N^:»I×L&\g]÷ROàê"Uù‰¥C©¾\’éK¨Nño«c®QŒ»Q.¹UîØžòK\›8ke~<ŒfÖÕqþ^BŒ/ÑFwϨ«¹Ùõv‡^Ñí—ÛGtûÂ3ÐjEf#¢žuÂÆ€¸¢0i„§¾ÖÏÀ×Ê_Ñ87‡š­ª;9îaú]ž+ý£ƒZBÌo®Yœk›H·vàݪy‡æW]ÀO^)XÆÜèÑîÁQ07GÜÜG`kòƒ ó6WÁ7*¾P´[g*ý´ÙÊ4á {¬Þž^xÝÒ"¦,Dû(üÇØ© §ñu‡æ±ÙÌ[¹{<Žd›©oÍFRÛs쪭W__¶nZs{ hµù˜çÍ­è ÁÓðô\—Ž]
}oøÚîíÎwКR3=fìªigÌ,ºNßÃñb«¼5o/¾)FŽ´
­ha%˜Ù½.úôÁöiZ~âÕ£\ÿÛÅ°YŠKNC‹T†c:•¨¾¡;åˆàÀ¬YÏ<`³)Ù.ºlGÏ4/ù±¨HVjkßñblXL¸]í’…º&ÞÞûþ©5nË®MOÕ”ROÛ¥)‡Û¬ÎØ¡Qµ­»¤BÐQyѸ
+‘«ÈÛ—ÎÃÝÏ%Œ=i9©A<¡Ô: ã2­àúñ©~¹î‰Œc™rÈ‘Í6òÌõ2ºJO4ŽJ«¼NÓx|Žpò3ÊÙkÞ×YÌ°T„çvæ±ã*_ä EßîG‚w]hòÊô¹ÝW:²L‚÷̧àíwy»¿	!ît±ÓO¬8ëÒÞE—A®ï¤Ræ ›Áˈ0A—ë'ï6ñV/”¥&«$îV32|ؽ{TëÒÞª	>âÑ&rA7ÌÉhŒT9/üx¦ñ÷§LÑÇ—¬¯c‰¯½á`iô+€ÍY£ßo›ã­S›•ê9¢soF•Å)yÐíe¼zv–ht.ew¥zËM†]Ù…ŠùQá¦Äpg/\°Q˜Ç3x»˜ü3Eÿ}Û7X^º’^ï›uU´,[hJ[^îáååÔ¾CÏÊ2¥÷Éö£Ü5ˆ¶îÏHÞIB¿£¾p[L<\žì6&èu]cبÒó¸|T+º×ÚTRÓ»ÏÍÿƒ«Xüú4·ö㻹}¬Œ´õ‡”Qi¸ìå0ª~DU9p/n4œº²„“qûÚÇ·Œ8u™¤§—žˆ_ß_Z÷^ús®Þ›‹Ånæii¡ˆS•Û;X1/§õ‰úôs‰/bÃ+nMˆ™*ÆM¤Hš;ï%‹n*`wo†‹·+`É“I.ò)¿¿}]h-(Ö*ÛЇkºðÿüOè ‘ÅaYAð(Ȇ~(—ÿÍàÿd@‹endstream
 endobj
-1175 0 obj <<
+1179 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 97
 /LastChar 110
-/Widths 2245 0 R
-/BaseFont /GEWXKF+NimbusSanL-ReguItal
-/FontDescriptor 1173 0 R
+/Widths 2265 0 R
+/BaseFont /BGVCGE+NimbusSanL-ReguItal
+/FontDescriptor 1177 0 R
 >> endobj
-1173 0 obj <<
+1177 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /GEWXKF+NimbusSanL-ReguItal
+/FontName /BGVCGE+NimbusSanL-ReguItal
 /ItalicAngle -12
 /StemV 88
 /XHeight 523
 /FontBBox [-178 -284 1108 953]
 /Flags 4
 /CharSet (/a/c/n)
-/FontFile 1174 0 R
+/FontFile 1178 0 R
 >> endobj
-2245 0 obj
+2265 0 obj
 [556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
 endobj
-1097 0 obj <<
+1102 0 obj <<
 /Length1 1608
 /Length2 7939
 /Length3 532
@@ -10366,7 +10482,7 @@ stream
 xÚívgPTݶ-HPPÉIhrM‘œirNlèZº›,Q@¢ 9G%#A2HÎ9ƒäŒd âC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZµY´tyd K¨"ÂÍäåЀÙ[:£tÁj<²8pk&`a‘CBÁhÂAŒ†>B!y¨@@%`È!Ý‘0[4€]_ǃ‹‹û_–ß!K÷xnw¢`6ÖÛ(áhu@ßBü7êB¡´-`
ƒCršZÆ 
%»’†>@	êE‚á-gK8Ì
  ³‚:  kÿk°B8@`¿KCñÞbÉ `Êj»Ýu³‚:þvq¡H{
 uû
€¡6H°ú¶hæ`w†ü&pk·Fü!äˆDÜFØßúnÁ´(4Ê
-	sDn³jÉ+þÅmFÿ΂ݺëÛHÂÊùwI|·0·^4怠¡nèß¹,¡å»ßæ¾sDÂþÐpFÁlþÅ€€„Ú€‘8…º…¹ÅþÝÕ	øoÕƒáîv#þDý“‚­y	€·9­Ð·¹m`|¿ä`ùÿ²Cœÿás"ÿ4ˆý÷ÌpÜ’CpwjMÀ§@ߦ°ÿÏTæýωüø?"ðDÞÿ¸×è¿âÿíyþ;´¢3®¶¿€¿.Àí
ƒ¨~ß1ÿW,Øwÿ7Ñ4„þÅð߀ÐàÛ6È8ØÜJÁÏËÿ—†R„¹A!Z0´•-À¿íÑ»¾Š„à·Zþi#€(,ü7Ÿž-ÌÊÎáwÓŸˆþqA g~+ÏÞ|Š*J†*º\¿MÿDiݪŽÖsw¼%ö_u¨# ÿ\üÆ•E¸jDâ~çðerÉö%e>w$ò¶J¨ˆ$k|X‰A\–³³Ëóõû9[GowWgó1Në:
Wz$>‹˜6!k˜¯S:”‰~‘g„e.0¦ãclKP«>»àÂÌ1yÕ’ ÀdÿS¡Õ¬çn9´éçï©|e>·'ëC‹›f§—ЛÙq€úYšµ«„8ë$fÚõSëÁ·RÞoÛ@*¾«ʹAÔguG…*|«eB‰;}ƒv©¢]ùßÖÒï6”‡yÛ}sx/Gj¢T«$Jñ£•H
âQ–®‹B~RlEÛ1w.ì*Çbr|¬½}$nÖ‡·Gs]> Ã?V1òx£+w¿³\õ9’e‡Ð†ŠØ¥ÍäÊv””7œœ¸äN­Ñ÷«/ùŠö.‹ú…&Ð)âá0äPùÝÚ…k¥èé¹éÛR§ö
 ^8³÷&sݱ­|&éŸî#6cÕ¯‡‹úœ‚œEë=öÚÊÔïƒ.Œ}(pÚéc8hXÔêëeM±¸ÄÈpefI­|š
 8xÏŽo‚¹
Lœ¸Uˆ–¤¹ŸjñÝq*½ºÏáÃ'äy•JâêA@"]1\j-L¢3wØ°¥`”µÇ,–>aZ¦¶où¿-Ž~æÚn‹åãQQNq—5%
zh±)è#*õò¸”l\ÌÕ/(YfÿY½wç½Jt½o­QêÅTHú{ò=Ó™5Ú
@@ -10402,35 +10518,35 @@ K
 8>ÔfN-öÓ¥]¥rÆp4’	w0N¼‚+à.ƒÅf4¢ÎfŒý˜¬ê/7r¦ÀCêOÝpñ%\ï‚©.úÌ•â{šÞ‚§mÝ’ó³éÁm÷µp7ßßçŽÆQ}⥜ñMÃècFn°ãH¶ÈH¿­D^{D
^HÒœð.xØ´Yæ^¥$ÃNèR¾äK'^é’²td?õ’¸I}²ß©fxaúÁ(‹Œ™K‹ŠÖâ€MÓÞ*ôSæ›iô‘ h	šŒ%–ýb¢¨¦—úˆ*äÝ*Wæò(#]V’Ü<ši#ÒY²•Š‚DÁ°¡ÃÕFFV鹕6ÁóÑÕ+3ÙøÛM~o£¼Wö¥Ø…Ú©5QÐ8ÿµ;¼³Óæ?¾z¤á½³0MñÇ€nZ_:¾ª"‰4Oñ÷
™Ë±NGÕÛØW,vÕxF™GM2Îzä}ézÚZç=¯‘ZO+Itš_¿Êk÷ïMjëgàÒk/^R\LsG‰
 ²©
 3ã½+ôÞÊ•÷aˆlª Ïn×–OBw:ëÌDöƒ^ቃ€¸Rn¹šd¢¯ÅÓò;SÓtd®ÌA~zM“èRVt}õÚ+'˜	†4~}µ÷°}³íÚš[T:áµ%|Å’Q"èXê³ÚÎÝ9"áòç0Tw³È‹d·¿Pô@åÉ@ÅìÓEâòxOæî¹Ã	åÏIXUb_4²üQ
¨:ù©^\õ47ãÇU¸µ&²ðc
óŒA«`á0Ôýµ˜—™žÌ‘¥ˆß·%¢y†.Sz¾M²hàž·ãý°óg
#$SÿçÅOÁëÏàBø[yã¦5åž Šq(OÜâƒL#‘'Þ/ãØ«*ûü©¯ð5X1œæ)ol×Ós[2L&³d´/øÿ—ÁÿøÀ
-#Ñ{0ÒŽàÿö)çendstream
+#Ñ{0ÒŽàÿ#)öendstream
 endobj
-1098 0 obj <<
+1103 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 2246 0 R
-/BaseFont /FJGWJS+NimbusSanL-Bold
-/FontDescriptor 1096 0 R
+/Widths 2266 0 R
+/BaseFont /JHLVOW+NimbusSanL-Bold
+/FontDescriptor 1101 0 R
 >> endobj
-1096 0 obj <<
+1101 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /FJGWJS+NimbusSanL-Bold
+/FontName /JHLVOW+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
 /FontBBox [-173 -307 1003 949]
 /Flags 4
 /CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
-/FontFile 1097 0 R
+/FontFile 1102 0 R
 >> endobj
-2246 0 obj
+2266 0 obj
 [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
 endobj
-1094 0 obj <<
+1099 0 obj <<
 /Length1 1166
 /Length2 8686
 /Length3 544
@@ -10441,7 +10557,7 @@ stream
 xÚízUX\[ÖmàÜ¡pww—à.…+ pªp‚— Á58„àN°àîî—‚ËåœþO÷íÓ}ŸîÛýîÞ{­1æsαæþê¥h)ÕµX%-ÌArNŽ®¬œlBU°ƒ¹TËÌQ™UdíxyÍPhiµÁ®ö ÿ _iÈÌìä(cæúÂkÛ¸TÌ .'‡‡€/çËšƒû¯@'ˆ@vpò¨ƒ\A{°ã%ãdáærtÕrsv¶ƒ,5AP'7ˆ*°z©ì?³¤œ½ `kWƒŽ¦#33Ë¿NAAA€¹×_@[;è^î {'ç?2½HȃA—¢-ÿˆU·2“µ»þÑ.€ÁÆÕÕYˆÝÙÊô‚±A­ØA®ìŒ/…Ê:ZJ;9ü!EùÃ30dñÒ”ûß}³stòpôùØ
 ìhùgK–nÎì:Ž`7Ð[™ÿ	~Pþ…Yƒ\¼\‚\äiaÃþGJm/gП$ç°™£¥¯³“3ÀÊÌ
 ò[^(>P3wÀâòõù߉ß¡pr,Á®sõË1üKýYýc¯bæ
-{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@vYu5]æ¿÷þÏ())§IVN~+—ïˤ¼(
+{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@v-}U})æ¿÷þÏ())§IVN~+—ïˤ¼(
 òrÿ]ñŸ^üåߨºøêäø—ä[G+'€à?Úyññ¯–ÜAèËlþcFÀ¿ë«:¹‚-@†Ž/ÇËÔ¼<8ÿëHýÿ_ëï9äÜìíÿt…áv^ü€”8boùp3°½×yáïz LÿÿAç­«™=ØBÒÑÚþŸ6¡r`O¥:ØÕÂæãò—Ë–~‡ u'(ø/ÀÊÉËù7NÛlaç‚B_ÎâO
 ähù·”²ŽN–`Gk€–ëËTšA,ÿ	üA[¸A /öüy@/ïþµ·¿y‚,Pçœ,„ƒmk‚[oª$IîÆø°Ü·M• BöºI@;xl¨Sã0¨
ûŸFTWIƒìg#YNßÙð~+\@O,¨­¦ñåiA7Th¡†QüÅö«a¿8ý ¥Ù¨ó³8Œ±g±ÂC…ì/¿õNìññáß$d×.†”Ó‘µ¡DÅ$!Œ˜%eÜ''¶¢
-ïË»6ä½ã¬#Q2Ï EèÈMmaYEÞêÆ´¼F_wKßûLãqq‡ÿeO-âùgk=þIh®.íéÖ9ûr‹ÕÑÅ)­µ–aJ_Ü’ÁæG&Sb÷~ã‡gŽÝoûé	·ÃAAWQLÆ|C¦Ä,hèÓ×Ê›'jý1ÃʱåwôF5ÿ낡ѼfbhœÕ¨V¤eÒoŸZoxLÓô$eàÿD ‡™3]@IâNHËæô-y©‹ñôÈ="²üL^ïçj‚»j:&ŠèenY?º9«ÿ—ÊÿøBÀÂdqur0ƒØ¡ø@@PW'ÈÿOCù_œÎvendstream
+ïË»6ä½ã¬#Q2Ï EèÈMmaYEÞêÆ´¼F_wKßûLãqq‡ÿeO-âùgk=þIh®.íéÖ9ûr‹ÕÑÅ)­µ–aJ_Ü’ÁæG&Sb÷~ã‡gŽÝoûé	·ÃAAWQLÆ|C¦Ä,hèÓ×Ê›'jý1ÃʱåwôF5ÿ낡ѼfbhœÕ¨V¤eÒoŸZoxLÓô$eàÿD ‡™3]@IâNHËæô-y©‹ñôÈ="²üL^ïçj‚»j:&ŠèenY?º9«ÿ—ÊÿøBÀÂdqur0ƒØ¡ø@@PW'ÈÿOCù_ÎŒÎ~endstream
 endobj
-1095 0 obj <<
+1100 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2247 0 R
-/BaseFont /EPMOHV+NimbusSanL-Regu
-/FontDescriptor 1093 0 R
+/Widths 2267 0 R
+/BaseFont /SXNXDB+NimbusSanL-Regu
+/FontDescriptor 1098 0 R
 >> endobj
-1093 0 obj <<
+1098 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /EPMOHV+NimbusSanL-Regu
+/FontName /SXNXDB+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
 /FontBBox [-174 -285 1001 953]
 /Flags 4
 /CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/H/I/L/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
-/FontFile 1094 0 R
+/FontFile 1099 0 R
 >> endobj
-2247 0 obj
+2267 0 obj
 [500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 0 722 278 0 0 556 0 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
 endobj
 1069 0 obj <<
 /Length1 1624
 /Length2 9819
 /Length3 532
-/Length 10682     
+/Length 10685     
 /Filter /FlateDecode
 >>
 stream
-xÚíweP\í–.Ü-84îîîÜ]h ±ÆÝ]ƒ‡	îîîÁ\ƒKà>äûî™3uîüš9¿nÝ®Ú]û]ÏZÏÒwUm
-5M	Kˆ9HâèÆÂÁÊ.P;˜»»*C•X$!ö–ªæö`À+ÀƒLC#åº!ŽÒ@7 @d	Y89È4)ˆ“·ØÚÆ
@¯­¡ËÀÄÄüOÉ€¹÷?WKW°µ#€öõÅdqr9º½Rü
5A €›
`¶¤TÕôåUäôr*Ú9#ÈhPsMÅ ¶9º‚V€ý߀ÄÑü'5WÖW.	Wà겿š¼,@N f€ÈÅìêúú»¬]€Žn¯5pƒÀŽöî–x•[Aþ
-ÈÉòªáðŠ½’©A\Ý\-\ÀNn€W¯jÒ²ÇéftûãÛü
- V¯š–÷?)ý…½Ò¼¢n@°£+À
äåöÇ—9`	vu²z¿ú~%srÿ†»+ØÑúŸ0\@Ö@K{«ë+Í+÷Ÿêü3OÀÉèädïý—5ä/­ÿŒìæ
-²·bEæà|õiáöêÛìˆÌögXä­ ö¿å–îNÿÀ<@.ˆþÏÌ0¼´„8Ú{,AVÈl*·W—úÿY—Yÿ}Mþ7´øßÒàK{ÿwÍý×ý—Kü¿½ÏÿJ-ëno¯tx€¿—àuË@J€?{ðgÑ8»ƒþ/ ØÞû¿±úWE]Ðß‘þ!ûWLÞ
øZ	Gë×–°pp²²ÿ-»Ê‚½@–j`7€ÐþµZɵ-A.ö`GÐkWÿ*è«;û¿`Z6`;Ç?åçù9Zþkì¯ú+r6i	
	m9¦ÿn·þ¥©ö:nZÞN Àÿq£«±üÏÃIIˆÀ—…—ÀÂÉÇàçfðóqøÿ7ÿ¢áøçYèæö²³²³s^ÿÿñüódü/42ŽË?3£ét´|³ÿü-Ü]\^»û×ÍMúç¿òY //@,„Âl3²3Ýjñ?OHö÷rÀ‡;•4h}.ª†ôfDm
-T˜=Ö„³6N	>·yÏ9=í*0îö¾µ§ëIøS1ôb­Óvð1í…°™” eëÆùžÎ)m¼1àe×ÙÛšP×0)~„'êàrA<½a¢ò(Â¥¾vB°H¯OÀëÄl„®ýttL›rpsM7862<Ôs×·KÌ”—€D#äñ66È9XÌ@»Â7šZTflÅ(EbŠrÕ- ÚCš|•[=ÿ
-ë[™}uZRÌ&‚(¦ÑUúîÑwÄ—PÔ›˜@ƒ y?©È¨Y÷càóîî™8íÝ;|ñøØõ†²Ó<†À4°	"wgÀ\Ÿ~ù¦lˆ¿¢CHÎã]#)ÐÎv¦~@t U
-ˆwÀcñÓ#:êe(f˜ùN!ù»E“N.ú—¤ºp=J/ŒÚ–÷³ÄCïrÏßåêœÀJr=	©”§=M‡¾¤êr–»i×ð¼ÌÛîÖàI»n;>ÅÜgÕÁ¶×ˆ#òPzsð‰™ðIk©
¯€Ge%ý³™ßÊVøô‚JyÅ(¿BËTsÙ.‹OE×wô¢ÅîëšÇãzpzéc†˜á¶®îãIZ©G½—V™“/ߘ&)‹•ïÿm¢`{ÒÈÇ×Ø^¹Z©©UØ‘ÅŠI²ßÜ€}CCF²¨§êÒ‹|m•	û4ÐH˜š_¶P&«²½×ñS×H
ý>nÿ+Lú÷A©qÙ¸µZfMë꬙Ï7Q¨SSÔþ©öŽ®jeƒ(ˆíùfw§xk”Ò|ÙÊ>–AY²ÅèáxW‘R®ì‡!ØN4Y´V)Xqûž–Ø>R#áe.ðKkŸH¢Œ(»qG5FÇckʇB·	{ŒÕÊË”ã
-Ú"­r:ï5a¶Á6?`.„8Þ¢{ÞÄ'ZeŽçTÐ¥´U‹¬,«mž©à~K*à½ÿÚψOžêK¶Òçà(’áè9ÏËÝÇW}d˜Ë¤ð¾½jþæâ^'b3½Û¨*õ]Àë3…¸€uIE_ž\0GR‰wÙPáÙäAµ]pt°Êy¾ø¯OþØ6ÿɨI©·H3Rߡ߀ÃÑ`¶ÆkÎz:º0¸žÓ/¥ªÍkSv™ãËZåÌ:;╾C]üŸ+a|ã„·+j*b¿7Xâ{LR FÑÙψžN&€ÙëxYS”üªNZ]—ën—hѦn¦ÝÖ‚¥¬¤ŸÐ¼ö¥¾5é â'©ÒÜ>¥”Δš8Q£TZrɻߥL:ô0Rª‹pf÷æJ5…£Ó]Ä”	ßÝ ØÃ4¿|p¬˜Šþ5Èa¯&I¤<­%MÊÊR*—zíó†0ùî–Ç$In-e/€qÀ(L壛:éPa9¾:Õ€Uj·†îòÒh?Js'ÁêVÙ“wË`½©eï'Œz¿G– àf§ÂØ$©Õ\úîïÜy“ º1ê¢ó_Ú‡æ$óIчÞSÿ…<üËO¨­˜ähNÔ"º–@XéÁ2Tó2ì	[@OlüEhØbzÊÑ—ãæbf\·zÅ«9à\>#¯ó“`ZG
-Þ¡HtX«ØÂùî´1ø/M€™•“÷iöå¹?{1L a=Ïè‹-&Á4bÌUêðÚïj£OVXòdƒ'ã}”=Â+uìO°ZVÛæŸYû1ÎyAÿ.Á,ó/ÚfƒÂPÐñâÍèÇþɬDsšY¹²Dðxã1=‹ähCchK)‚>»â$q´cr?ÿÖ‰¯-«Ð¶Ÿe‰r[}]-»®î+c|ÏQ‹¯Åpµ(‰ß"7Ï°r½/õœ!‘ah˜Ä¦¬ûz‡¯ç=6š®«dRÊ~E¾ìs(¯&?ªi«À©Ò3;ÇxPMx¼MÈ廇=8lÓ@‘+¿ï2ýIð°æ
,ùE*ªç+ÊÐíBñyù¿¬7èò"fPþÍðóYÊÀý!„>VòŽeÑ y-ƒCwÁPµˆ–õbòž5®­}	Š}½s=ˆƒÁ‚Z+*ߘ3jàáóÕ\	(¥êùÕüºüÐ&8ŒG&#ЊºiàgÁHÿ‹:lqmùíÕøFŒáÛ@⶛/Ú"²¤¿íŒ}¬ÂÛ­@Ž'RX§xBž#VpßOÇNËø‚íAX9g]q¼¹Äín"{#,ªq
-wóÛeÏl„ÚR¾oñâI9#ªÌxŽÇø;en ëõïFÒµSÂ>ïɧߌ·¼Œ²Åãsá}–€íº’A÷x/âéR³c¢4ã*L?ŽË‰`±Õí4Iy[nK‘û•øŒ]ˆ&³òíUªŠ=ï®”Ró^äÒ°ÝE…øDÐMècF&ŒÝ1“܃EÕÝ%+5¾é'ËG39éÅ»ßÓiÕàý¸vЋ.çÇô 8™±ÄH|XA€¤6íþ: r!(`1É=i;¦úåÓú‘Äsóü[·,žiá >»g¶¿âî°·ö¯=vé`²£x÷å2A>#¸ÕÕ¼…2oÌöÏmR¦N$Ò89-YÕ_â	o—iUf·®éCýKcÜ6$^4Ó£Uèö~=LõÑ*7ì±ÉÅžÓ!óyæwè‰Z‘ÕD¸ м3
Ö <Ö/6­~’L±µÆëðÌwkyš.¾•]©¦[¸fØÇOùøûÊè#V<®%–MŠoíÞý‚9öÛ9°
~ñ”0·ýê^Ëoñå^5ütýéˆu¨š¥ð—ImS†2nJòˆÖ?ZüCâÇ[~÷ŽÖÅNæë_w6“ãD1l‡T4 ¹mn¤Á>§)ߥfYZÀˆ¦˜«:B¿=2=Mx›E¡ö0Þä´Ž–(Ì:¢Š˜:qR<	4Û)¯í|ÕG¤ÒG]1ìŽÕ;˜çãÑ1‡%Ì×Cw¾@nßµ üb´qH$+—È|šâAÊöÑÆ¥MVÔ¼l×»‰QÜåFéš`f
Ú¯§±ü–Æê—GŠY­ô{ßЪ‹!Ðœ$¹|³7¥ük$®]Ö¸Hô×
E ŸCIOk›“iÐ맛e¤	ú¦¤^'¹|+Þ5F>3´¦éÏ.¥JW?xѹ’.×~`Éë.ñVai²¾t/h½8÷.˜kÃÂNÌñiˆ“‡®cUºyŽNÉO¯»
-Î$S*ýèëe¬PìL”è‡ý(²¶´ÊCÆfd<ÍJTÝ—Må\ðÅÙ\»…7‡4z{þÇœÍ][…°q¸äè°7+Õgƒ/±Ó¤l½Ðæ—KË°ÊCsûjÂêBu)ÜeÐÔïðD'\4#vŠ‰?
-ÉŠœH—¢R); Ù:­|Øë‹œÎÉCp¿1<ÁN‰òb¤!ˆåð_»øQ™-­„kžE"\_~›,,b+!‹deøl =Gõ3®~öÑftWºÊ*0{QwÂß)<ùWiзÉ>JhLr(å–"ƒfodS•¸YŸ*ú>
ì	OÀžCvïú´±"bNÐ	¿C7*ü~õ÷ͦÀozEw½Ä©¹ãÌbáÔs_4)‘Õªâ+ìð—<»ó AÝüÑ7}¥ÏX)ÖrëÉ¿Cy_ø±SñTC¢NGÞiøa¬•UUªk°41¸ùú[INOö€š0?žóÅïÃ#1Iv*$å/Þ˜•ž²n5|½ÑÆZ Œ£2=s†ŽòYX¢ÌaM#Ø^GÍ=(œ o†+Plmrzè–²sOcõ`à|ŸpÐÿa5µP˽˜ø>]LÀº]¦üûÑÀ*ƒÒ&|­í—ÎÄBì¯	®µtx(uœ40ó^·xœ¾Ê)\´Ë“×”…5Ûè1ù‚ôa>Ï1™™õO[R;YïõËäÑ>Ñà:p6zÇ*Š*±7¬ß
-îRécLOšF’Ãö³|~ÀŸRèé)Я
˜I·ÿ2ŸTë²àØÒ„–YB)	†Ý…[§8OÆëL€8U¢ÔÔ—5êŽc$Bemøÿfu!ŽgWaRSö±;9®í橵»mÀ¸3DYþq•h{'Õ`eöÀ±ÌÕ.ë™›‹þÉXqÛbCm(Žµ’ûw9ió\äÀ‘=='T«`X^£ø„“Ä°¸lº‘c2Z¬C,Í9åô5S–K$œf/—Ýᛟ³¸™/FX	nT™ðq.+Ð6üñ/pã’Ñå
Z⺂Z¸QAÎÚçÊc—YÜŠ3Èuåòü=Aâ³Æe¡~’™ƒËÑ!=!·l«
-e¾ŽíûÉWAM+„Ö_­ƒÿÕñ‹\-Z¦ ’•Ãò»Ô;˜g½‘¶Ù)¨½šIˆò§ûR“é|RÅûIÜ·Ü÷^'ã4ë]¿:
7úϺßÛ9HˆÔ¿yî¯TÏÞõà ±„Ëîq²ýœ9	Ÿ–à Àc½)­ÒG£Öüå®~–þ#~ŸÑÑHSŠ’Nsë¹7•ž-x²÷ôCÎ9D´.̽oóÁ7ï€|¤»ñ­Ø·Ư_•0{=ùóž4m38Zæ¼a˱²@Þ6ISìQ«ù‰&ª+Hy}k#ëBÊú&¦úâÆa*«Ë•³£KÿE<öþCuó	¨x†$¯ß03÷ááÑ!–ø©±lŠA¡ÍÛìÃ*ÁÖàrOò›%†š17ß+U|¢1pb
`ˆëªÕ
ÚNÐúKß¡æØ´«ˆ(S—Ôx0lt^©ºOk_$ßO¶ò.¬¯Ý©½œùH‹Cx8@Œf§BÀw÷ïrî@xŒgŠ¹¥¬Òööðßê¦Få>õ»?[ÆèePž¨âfËó€7‘9
-õÚüâŽÖü£cçòN∉ވ^	#"cbÌXìW¼Y™ìq[âÄ˶KÄò““62Öz@ƒßØ[­wâ¶tÆ8DðF+•¸?êì°”|‘Ò®Œ‹gM[úÏž³Ûr¡©Ì°0”Ò0KÐuRÁ¬¹8tûb†Ñ<›’Ée¨ÖŠ[þ²	o+iÎ^<ÏS#K™Y5ðEÕ…–?‡vI³t.M_7ßÁãÃ…ßóNM¢ mçÞwâù±IVjx8/¶:Ù´¨×Ö$*ñ “2ÒžøÕ¯|*§´é¯R&óLÚt
-;e÷Íïi&‘nƒ}ÄåÆ >¶}Eñ
-Ú_©³È),tИBPg—^ÄLþ4=2FVüDq^¾ñ4ôՅ퉓 ÊŸsJÿƒwwæñ1ÔÑCíj¦¤qÄG÷RV íþ^úºØ@õY2ÚS½œ”–õ3rc¥~Ž)íê³€TLO)Û_²Vƒ'Ÿùð4ò¾W*2Š~(ùÇQCâ©ÙŠÈaqVR„»jõ®¹êü’àó÷ýèíáù
-â*Àl?¶²Œ«î—ø#ï/ë8ÌÚDëÇ
-ðÕL)©zË˵Êôšbt?´6y¸‹[‘ª¼y'ê3 ¾µ;ø½ ]æ›ý¼p  X/.ý3%Õ Kp»Ÿ;Õ¦G0iäÖ©s5çíGÒ‹wÉ»üœåêU¨úðÊ™ov,ÆYãV¢hµ1™0‰3(ÛSBmõ(¼ªv’÷h¸Š‡ü€€–øGðÁ~=Ã:KñQ×Üô§YÝmPéö®.Ýû¨fþ6üš-Z„spÌ´\¡üa\ÅFW””‹e³Ó3Ǧ’ÌÖSüÁýÆøàûóÊl¥²ÖϤ§%o+2ßñ/¹és"­ßôq¥öÔÓKë±ñyn<íæ£
k@2y™=Rj#2û²›mÃ(¶úð&1ÉéÌ·YÍóÕru¶Ö=QWá¬bex„~34#ðl7®±;'Ò…
-V¹Œ™o£ýL¥—Á¾ÆwvûdÇêÇÞ\B…éõ€cì̳AØŽD¾/”j¥ž©òΞx>|×£«Qó­kJ#¡‡»n—UΊ¡èjê~“d<Ù\}ÛIÛi‰2ГÙ)4igÝZo
±aJüŠä87=ؼî«*Ešiå aTŸWEG¿HÚ»Ã"¼Áú"{ì¿o·9!,<·MÍ…‘•Ih‰s·4+¼d
=>ÏÒ9.b˜1$wg{â„Ž¾£‰Í¬¬8¥W"¼žh-h%‰Ú¦«Là†gߧ ÊhæSoÚ±¼¿œ’1¹]cÉS› ¡„Ýñíœ8»SÀ÷Ä첞ÛV¹&éé¼*)L<ç²p¡#í[è}Çjaší°3÷Ð"v?!¬F¾jØr­"Û¬èà9£ë	ëä3Í³à„–Ç~½–Ðc§I_Í°^’¸êfô”-Y:/4ŽTÙ£Ü"0ÀÇ™)Q/wqžVWºÑ{ÿ.£›ýÒÌþÖyKdG†çÓO½3*‰XRƒö³2UåG4(ÔGN<`âëÚÎM¨èTFoXžÚ¨®´‘L®m 8oÌ:LS]1‚4ÕýRyú>×͉±Ò/Öµ/ù”¿9E¡ñ¨ÎlM‘Ú&fïgE±ãÏÝ«dX¸j~¡âŸCò	3¨ÓE•~6Ȉ‘¬áÞNô-¨Å¹óU<lòvò”6f(ßKNñêkQn±/i,†­àóûÐØrsâ"¾ýÄ=ÇÀÿÉîrœ¡;vÜ)ÌHÖFˆ1Õý2Š^ô8Ñc{=CÂp¤’ÄÔV̇ºÃÛ!9­¿Vá¿åËÎÊŒClEˆ×ÃœØþËQõ®q¤1Dq{æTmQ¨c™wX¢åc‹@CiEy¬L¤.¾‰ Œ)娻ž)Wú©PáHŒ_,èÂ<#?ÜÉÒ6â2ËWË»èXfRa&2!c%éòŒ2,Á›^¨»/Ìs¿³¿DQx™”ҷƨEÀºhèzß’Ò´å|x²Š£O(îéŠÆõƒ¿ŸP74c]ø‹m«ÎÀoƒªiþO4…~4Ç“CCŠ6Æ5¿Ø3R²–¿àm	´ZÕ¨l]¥{$—«®\7ØÈ’QÔÕps¹l¿¥Ú|!8K„kÔn|¹þ˜ª½NŽ°XÒŠFïÈ×àÅvçVócT6mŒ¿í@DÎ/ÈÊËáKÈÂs(ð8éqxê¾d+-Þ¡/®„_‡ŸÓÖÖÜöž½¿LtUîuGéÎlžRf·xïÉò¼
ŸåíÍ¢ÜÁX¯4‹×ÉC—=-‡:õ«{¤÷š§TÚ_!e$Á¨N§o3œ¢é8¹¿ä/§¹²öÔf–zV²'ÞˆÍäF/e ¥KÝ°‰5¤‹Ûy bO'MŸ‹[tQ_KûLˆ3ÜýšöÈ2ºØ/«•à«Ìð|B ž•L¯òÉ9z”yùmH÷ñÒ?!bløçfžÒoy3y­•ŒœtñX3U|`DŽÝÜ­ù	T^›G,Þ“©‰ìæÚ¦	GÍüïm.åJ>³#b½lmó‹¹µÅZ“D˜Æe3ãb|ƒÛO~Œ
-J+öïóËë§Pþ¤Ä"¡æûH‰Œä-BÿY+­…Ó*þQLÉ*â‹ãÃøBÅ“:#gw§Q4#”òóÛõœ²ª6‹y¬pÆK§Q¡“«¡õ<Þ@½³Ö‡¨QnÓ+ÚlÖü€yNþ¨½)0œWuΛ+í4üš—Ì&Tãé#90âþëòuYíÚtK뗫‚½#k´qêžiw!™ŒûQê–’± ‘Å|î9>g²E«€SFãί\tE%ðÃ;ç›»V¶=¾ßF„Ü·G·-2’Šëp„¿!ǹ‰MíbAHVoÚצhU9¼YÖ¥Ø>=%ÔMcPSõ'*s$²BQ™WñÞ§«ŽÔi]G+ö°yŽšŸÈ8–ssfÃ܉èu‚Ÿ&¡OnLPQ„Ä
ëøGÇ‘*늯úê‹hi?j´ì„ZKd’I3fR}åË}â´ûò]Tï·LE¼JXVx [Õɾ&ëÕµTY¡o6rÛW½±ŸÕg9dS“Ÿ³X×KšÇ'Öƃ„Ž/­É÷C8Ç°ñ÷¿>Tû²6/}3éyÔqÕpñN.–(S¶Ëœï®„÷ó$tÀª0Åk‡_cEhE5¯Úæg_uκ{•Ò
¸ÑŸŠ_dÈ=˜\«DüÄŸ§Çú/xl;h<ÄÊq±m'N1®ÉkrnžˆÑGîrzJ÷ø»j«2Å-ø¥é9 ¹û¸Êæ#jÐMžç¼çÄw·(Hz`û墱ÛZ—KÙ-ÌÌäS0;Öõ\3_â‰þ•„kC°5o9q†âsð»7ŠUhù‡œåyTÑ|ÛÀÜJà‰Z)lÝh¶¾B©Ì(Åö½mØGÔA›Êú<øRß°¾_Áçøs)^[k¬çˆZ"(ĉNb¦{Ôæ}´½ÆÒï'òê"[X„Ýâ-SHœd¨ÀaOÒÀÉâÉ lϘ‰*±Ä—¼t»ûÚ5”5*Ó«„òû'ô—Û²oô©áï]Ǥïß,){Óœï>æ†å_-Î5DßÉïdLEÅÞNP —²#SíAW›çu¬ïΰ!Hk„~—…fsÁ	{Ënx:G»¡oëÌ›I#ÄÅg/0¨~¢$9îÁ«Ö¡âü™e]´é¦m4 žÛXá,ÿ	
-è4C•#͈_ÂvÇzBÕÌ^‹ÿ€ïܦ¯Û^;ÁÔº¡IÁ3@æ´'ÁÕò5øˆãJ¹¾%X¡øÁ»¿1ÿ¸§üf›8Ï3Õ&÷@UX̪/È=mlð¡Xðôû}ªÊã`ÍÖKŽhñwáýµEùëÔk’MõÇjÅð49äXH>ÛÆ°—“ÌËY{ÈP"ãÝøøQÅÚð!E»nQ‹‚ÚDôÚW~XÓð¥+†‰ïÄç×IφÒKj¬ìF”_Ð'Ü ð×=o:
ág`®m•žÔ@sék~â2xηøZÉwþõÐÓû
-þ÷÷o!QL“°ßMÀÏ°gø±•ô˜bÂb¾iE]¶[”2¸‰'cø/W×ØhÿôqÖ7
--$JåW¤¤íOVðªÜbë;,ÙA	Þ¸ÛuÿjB.€æžiK—O¨û‰I/èÖØOY/¾çñidàa˜ðæˆJ‘[›§™»òû©O?Oµ	N'‡Ä'=…|a†iÙEª³¤f5`ÉEï¬ÛÞ¤½{ê|·åE®§3m¸¡Ÿ¼!1-᛺I
-vbvÝ6HÇ™3`Ð6•SÛóxˆ4ÀÏ vÙs¢Ö“yx¹ŸÀ£5RhìŶ=3”\nc™¼.5~«šÑé¤ZåÄ…fµÞÝ=©ùÊ;8‹+ä?~u'FƒÆÒu	*¹¦Q¼QAñlÎÒ­-xò®vx¸TŠß’/
-šêìïû”÷—Š~ÞÄ`:5pFrnéš±Xe¤•ƒÚöz6Ç‚¹¼º@ƒ\Ÿ/HCc/5ÒÆÄÚ®ç!÷„ht1”^ÁËõêäÑ(p	Ëåó–ê­\	.ìùpl)Bo oÖ>`‚r¹C{—JÆÖûߣ„pߦ¡
-?¢YÈ)n˜<ÏÐÕñ Ÿxõ+î…µé@·“PJ³Ä6üE>ʲÂ_çËQÏGq½T¶0Ÿ61mp^
ºeÒ*дÒôDB—öÖ˜¯pƒÿT\…Ñ«N)4AY3Óû3¤ý#Ö\ŸXÛ(ad†³GÌJjonªðÔ‰¥'Ô³j[6m&qŒä$ÇN®¤@£û0^…-³˜þÃëøaÄ>‹YS¼9äÇŒ¿Ø Ò4£—röePÔQ´·ª²,Š˜¡æÏ»òJÌa¬l@†Ó
-T»>U8¬Oú²’\Ik/¬òËÅÃd_P$Õ„Ý*Ù»…ô¶’(ØÒjLþ±•%m¹NV%â°Î
“wÉ“(y*"é´èh&«Ž2&ÂÇñK’¶ ¶\ž©%=Rxž§××Jñ?|)¯PBé4_÷‚¨°üâ8Œ¶èAüiY³zÃ\KsÚ¨-"ÊÚ&^–Ë‹PâÎÔµê£Ý²e3;–È‘“©úCÕ¤šo¦FHß×1·íéùó‹ha¨Së0´•q.bð|ã#œƒ¾Iùþ4 oÄ1¾XŸ&¤˜ÜË!ŒiÉxËÓ‚Šj½|eQ
p‹“_ºŽùn•™åóôÝã†$2äÎÝJ \M%‡1¦Â'þÖ—õ¬$WÀ/‡–-*¤Ö:jî$`E´‡è‘€³’Á°nî'!nç$1Ï#h~™xU†|o’«Ø+k"÷›¢ÉB†%6ü¬-ê5 ½èÇÓRê–r€î|ÌÁ»!J.³ž>¼p‚®„*Üž0ªz©6£ãŠ,^±î†&ÒøB›cz­'5²“5(;¥÷Ê{kƵ)¼½z¤§S_
-šeã#z­h®×Ù㛌hŠïùÔÚ}Ñy©d"L펤wŽ×¥í+ÞVº§8½
ón±U9Ñiöõ¼å Ë`(mÚblwAÉxÑ<ª½'1ðØ2_ËÁ’âQ‰7áâ)ú|$÷’ôÈüc&K¶Y¥3d9¤ÓÄcâÀ®/p`¡ÚĶ›"ó^ÑÖ‰„A"¯’“;ÐTŽKàÈGÍÁ¨¨xð7Cc~EIUûû›sº÷ŠæKëb€YÁT¡Ûà—®€6%ô-‚Y¼Ù›~å…!#µcBŽÁSÿu#y¹6ÛðÎÙDDé©l)ÕЧ™µJŒˆsÁðò!7]ÇÑ>‡ß^în?GJmR¡ògÇOºíâòbñO<Ø¥Ÿ~Ú«:éªêÍ2ÈÎMy?øV𬅃¥…¿Á«¶±mbõG7ÌTR÷òX/3#`å
KîÖùö„„=«ë½7tÛÍÚz/Þ<ø>´à»[¯?o¸Õ
\ s6% >„®–{Ë"Lñ„k1ê{-^©c·òãÃÛA‰SÜÔ^S+ÿ›ôœs»Í¾ÅPË“£¬¦·ñKÁÊõ/´)ª¹N,nÊ~ÑÛÓN¥Bž›·«×2w!7èR !4'8®MHîJŒPèG"(îë×´ýgjÌgÙËgt¢HFÙ«XÌp\Eîa´îâs“ž.8rjÐeKTyAîÒ+vØ5ÓŸh0‘AMx”W{Õù…W4‡–ᄃt_ôcŠ:–ÌØð×ߟ¥¾wžî¦M̵ KòÑu³F‹H[èú›ö9¶³&£q	«Ñ†ª=1ŽÄã­–è×+5ó(ß˹o–Õ§WU»î`4­ÇO‚'¶b¡"@«þ/Óè†ÓÞ:s–þ,æÊÊBí¼Ü$\3ä±Û¶Z­æžM»bA
-¦FDÃöÖbŠX¨Þ‹­wýx‡áiUT_§ÞÙ÷dãÝ~JFŠjÔ–‚­ö‰Î8Üä_/Õ|m£…‘@ÔC̪aöçïUæEiݨnÅa'	Ð_oŠï¾ü²¹iÀ’¤VVÐYý3å‚\œš
-îöí˜:{Ñ„YÂdm…®ß¾«:Ùqèý¡“畧ÍÁÛöý×”×{ƒ§+*[÷^#å^®å5’Nxv‚dûJC"éIJÓ/
ßø÷9p²À–@‰ù¬ a½0á¯ú9•y+ˆ#Cé0i‘
ž6á˜}mu8£™xÁ¥<2¢Œ¶’';rÃd‚\-€m^8Ozåo­øûc[ck_\OÝE¥Bšƒ¼ÊÐ\ÑØAÊ
ùÖúÈõ·AòÀÛn¬»ÖÙT;¤õ
uóh«ÖVäÁ=î³
-B6~©t¦­Z¬‘†5Q
-qÔV9¨=Ò¬\ê(,7nB`.þ¸ªÑ‹
Bºô›äGNrLöéQú[¾‹îîê^M°7íÓÜB±”X¾èW´	ØIà›-ö7ãåsnñ
-cÖSñáq½ßo>Ê¿“•ùNhñNýاBAÖçƒÔU·° Ð^¸|P€£ì¶[S‡ïTq;¡¯tJZˆf[Bôf&‹ék#"¤|O6fhˆ‡ \ÉC¶®ñ‘×Ä/ïê>ï[80×ãFÞ…È}ž˾¼©_HVQkʈÆNcûP("¼²Z÷t›eÿ_þÿ?Áÿö  ‹Äèb‡ü„¶endstream
+xÚíweP\í–.Ü-84îîNÐàîÚ@5Ò¸»
Ü]ƒ X‚»,A‚ûï»gÎÔ¹ókæüºu»jwíw=k=KßUµé¨ÔµØÞXA,@r'(;§0@ìháî¦qRf“‚8X©Y8€/*´+Cœd€P0@dY¸¹\BBB¨tiˆ³·+ØÆ
+`ÔÑÔcbaaý§ä
+ÀÂûÈ‹¥ØÆ	@ÿòâr€8;‚œ /ÿcC-µ¬Á €´šº‚ª<€Q^U r¹êî/©X”Á– '7Àâ
+pøû°„8Yÿ¤æÆþÂõÆ
¸9ƒ,Á/f /Kóˆàru»¹½¼ÀnW ô¥Pìdéànõ'€¹5䯀œ]!/Ž/Ø™:Ä
êfé
+v†^¼ªËÈý'ÔýãÛ
ü Ö/šVK÷?)ý…½Ð¼ P ØÉ
yAÿø²¬ÀnÎ@ïß/dήà¿Âpw;Ùü3V€+Èèjårs{¡yáþSæ	ø/Ù¼ÿ²†ü¥õŸ1€¡n kvT.Ðß6`'TŽ?âàd
pqþ-·rwþærý«@Œf†é% ÄÉÁ`²FåP…@_\ÿg]fÿ÷5ùßÐâKƒÿ-íýß5÷_{ô_.ñÿö>ÿ+µœ»ƒƒ*Ðñeþ^2€—-(þìÀŸEãâú¿l€Ž`ïÿÆê_õ@Gú‡ì_1(ð¥oœl^ZÂÆÅÍÎù·ì&öY©ƒ¡–¶k ÃKµþ’ë8Y\ÀN —®þUÐ#NÎÁ´mÁ–öNÊÏ÷7r²ú×Ø_õWäÚêjº,ÿÝnýKSýe ÚÞÎ Àÿq£§±úÏÃ))ˆÀ—ŸÀÆ- äå
+pùÿ7ÿ¢áúçYu{Œ8Ù99¹/ÿÿxþy2ùY'KˆÕŸ™Ñ‚¬^Æì?`KwW×—îþuó_’þÇù¯¼@–¨‹sK‘0»ŒìLh-á‡/c2F}=\ð_ÂK´?UCº3¢6„*ÌjÂÙ'„ŸÚ¼gw™w‡{^;0t§ŽÈüi˜zqVé;XvC8LK02ôâ|Of”×_òsêînŽihš? ’Otð¸"Ÿ\3ÑxáÓ^9cX¦×'tb7ÂàÖ~<<¢OÙ¿¾bú2Ø}†Ð»CÊ’—€B'âñ
+ƒ>6È%TÂP§Â7šV\vdÍ8åÍõ²/F@´‡,å2¯Fþ%Î÷2
+‡ê´¤˜
<$qlã¯jŒ]ÃoI/`h7°†A³~Ò‘QÓîGÀ§SIúÛ·²„’ñ±«
e'yLi`Sd&Þ΀™^ƒò
¹%Ç"¼‡ÛF
+ K ½Ý4\}¿xª4	¿-ÖüÇLô‹Pì0‹íB
+Ê·ó¦<ŒÏIuáúÔ^Xµçlï¦Ißæž½ÍÕ=3„—âyQ--N{œ	|NÕ/ä.‡êÔð<ÏÚíÔ’ȸm¹<ÆÜeÕÁ·×ˆ#òÑPzr˜IXÉki.‡e%}o¦3;¾—-	è•òKP#ƒ•­æ±[$•œˆ ¬ïè&LjÝÓ³ˆÇ÷àö2À1Ço]Þ#²Öˆ0~'£:#^¾>IV«Ð÷ÛTÑ&÷¸Q@ ±½r%´RK»¹3"‹›l¯¹÷šŽ‚l^_7ÔµõÊ:þ±¿‘85)¾l®LNduŒt›î}r§ë§¡™º6êð+Læ÷~©½IŨzfMëò´¹Ïwq˜C33ô9Á‰öŽÏÕ*†Q»³Ü÷¯nOV¸¨e²U|¬‚²äŠ1Ã	.#¥Ý8BÞdà:ÓeÑ[§àÄuìyvXáúHw…—¹"f,¬|$‹2¦þ܈?¬9<:[›P>º™HÜm¢^^¦WÐþe™‡Øe·	»ý+®Å>p¡ ÄeøãÈ[(ð:>Ñ:s4§‚!]¨­Zl¥`Q}ãTÿ{RÿÝ·>fBÊäP_Š¥^G'±'ÏY~Þ^êC£\&ˆ0•÷ÍeówW÷:ñÛ˜ÉF5é5!¯OTþáB65¦½yòÁ\IidÞeƒ…§ãûÕöÁÑÁªgù’çü>ù#[‚Çæ¥ÞbÍ(½~ý^L?ă¹8¯È¸ëéºOî½”«6®ÈÌ8e.jU2ëìI—zô·.õ‡X
+ŒÞß,©«JTTü^g‹ï6MÆä<%½*8˜¦¯âåÌÐò«:éõ\¯º\ïaÅ›ºXôZóüPZµR¥oEe7#Z{‡‡ìâaß:éDaœÒ¢Tú§sÔ†Ò¡q ¥åˆ ¨×‘fV6¹þêp
Œ®ØEhØMáŠ]öGJÂæ`¸ªOÞ-Æï¯Ó4s,AåaZH”5ksuÂLnCü=,,–]sä†5h+q€ùHVr^>b‹ÚçúÖ”ý`ˆŸT¤jsû$Žr:KjâXriÉÿÞgU`Ò‡±r]„§7OªƒÞ<¶løÎ&Õ.¶EøŽ£pÅDÄ—_\êR$*“Ú2äìl¥ò©'Ñ>¯èãooøðL“äWRv˜WˆŒÃT?@5Èc(y5hú­S»4õ†ûК;‰–7˽[êͬz>bÕû=°½ï±;Gv#É­gÒw~ç@Κ„5LÐç]&BˆÔß·°&YŒ‹ß÷œøÏE^|DoŦÄp6¤ÃÒ³ÂËÔ—¡[”᎑ÙéºcãÏCÃæÓS¿5³âCëÉ”¬g€3ùÌü._Mƒé¨ø#}0á­cg»ÒF¿6ºeÏUߥ9”çþìÁ2……÷:^bËS”÷Qñ¯ÔµW:ÆiYn›}bïÃ:ûåû»„ °<Ì¿h‹BÅÀO0`ûc(³ÃyjéÒ
+ɳÿ•Çdö4Š“-‘µæô’ó›s”mã»Ù×ÎmY…v}lÔ[«êÙuuߘã»[|-¿T‹™ú­##ðò}Q©÷¥1&&1ê}!³-ëºÚè~‡Ëƒ¡ˆ!€ï&•”²W‘/÷ʯ%ˆnÖ*´@g¦üÄÉ5Torñö~×,PìÒoM¶/	Þ¢áþ• XEõlE¦}(!¿à×Õæ÷Ÿ½HY…T~3ý|’6t¿O'cŒ•ºe[E6l^ÉàÒ›3R+¢g?€˜¾ckk_‡â^m_
àa±¡×Š+4æzø|³PJ«y~³¸*?°
ã“MÆ
+´¦mêÿY0Ô÷¬_\[~s9ºUgtÈÑŸ¸õŘG•ò·›rˆUFz½hËõHïOÌwÈîýéÔi_°u//ï¢'I0“X‚¥ÓEâ€gŒC3Jåènq³èè™
z£þŠ\àý«y‚xrîˆ*‹¾£ÁŽyÙkØzƒÛ¡t”°O»
+é×£-ÏC”Ãñ„<ŸÞÀ¾”Åô¸W(äû¬nÏBmÎS˜~(—Àá¨Ûn’ö¶Ú’¦ô*ω˜?ß#›N¿iTh¯¨êWSrìì~{©œšwÿ,Ÿ†ë.." †iÊ34f"ìŽäÞ,®á.Uq ùÝ ÑD!šÅY?ÞýŽA»†àÇ•£~t¹ ¶Ññ”½0Vâý$µdç×>+Q›iîqÛÍ/ŸÖdžgß»äÌ
+8=³ý•v¾xëüÚå”	¦8Œw_,0FX^Λ+óÆnÿÔ&mæìH&ƒ—Ó’Uý5žøf‘^uzóŠq>Ôµ„9ºþæY+=Z•a÷×ýD/½JÃ.‡|ì*"‡gþšcwüàà’\¬Ò9‘Ö­Yø“&ñ‘A‘¨Yè£Ü@Š
AŸg–$´åq²øFn©šaîŠi09äÃïKã¬XɸJ´Xi~‚•;÷sÖdøïgpÀ6ÄùâÜöË;m¿u§–[DµðCÐÕÇCöÁFXN´Â3|}Œ
Yê¸	©CzÿhÉ÷‰nÝ;úÙç;Y¯†|Ý9L%pS1”>vø‘†{¼¦BךE!c6¸f`®ÚuüÖÐ ì$ñM•úýh“Ð&úMaÖ!MÄı³:àQ¨Ù^eeûƒ¸2úüQW¬þþ,—<Ÿ®¦³è9jûŽ%‘ÔWãõ9ùD~àãJ¶>}²’ÖE»þuŒÒ/òP_Ð+{Ð^=Õ÷4v¿|rìjåè¸{FÖŸ™-È’Ë7zBÑÊ¿EâàÛgŠE[Wú9–t7±·9›½|ªqXEšbnHéwR*´\a僰C{áš~ñíP«&ð|Ï{¡V2ä:ô/xÝ&Þ(.Œ×—î­ÇàßóŒaYÚK¢#?ró1t,Ë4Ï0(›èwU!˜fJ§b~»ˆÕJœŠ“ü°gFÕчõA»Ï؈Œ§Tªûº¡òž±8›g§ðú€N×ÿˆ»ùóf!|Ü>%f|ÇuÇRõéØÀúsìä:9GϬÅE`ãÂ"¼ÊàÌžº¨†H]
+o,mÁ[ññW­ˆíbÒ"rbÇ2£¥è4*ŽvÎKïw{%"'¾ää!¹_›c§Dy13ÆEsù¯œÿ(ÈÌ–QÆ·È¢­/¿I³ƒ‹C±6ú
6”™¡ùW?ý`;¼#Se˜=¯7æïžü«´/èûx/5,6%ŒJ[‘a³£7*Hš¥JÒ¼WsŽþ˜/`×1»guÒD	9'èLØ¡—~·üûzCè7£’»~â¾ôLˆIf±hê™/†´ØrUñ%nøsžýY°^þð«ÞÒ'œ›@y¦Õäß¡üÏ‚¸©j!Q'Ã?o5ý°VJƒª*Õ¾h²51Aý…}DL¬e
+'Ç»AMØÎã÷QX¤:“òç¯ÍKOØ7¾]ëàÌÇKИºÀFù,-Pç°§m­¢çîŽÑ†7#”ß+µ69¿tKÛ»§±{°q¿KØï{¿œZ¨í^Ìü‰˜.!dÓ.[¾vØÿŠÆ°tˆŽP{ë¹3±÷[‚[-CZQA7ܬ×
·¯J
+ýâøugá}ÍfL¾0c˜ÏSLæWfýã¦ôvÖ;ƒ2ŒtøŽÜÞ1FJâÊœ
«7Â;4X“ãf‘”ð}lŸî	'»»jfGÄÒ¾N!&Õº®¸6µ`eÐJ‚áwV©Î’	: Εh5õe
z£X‰0Yëþ¿Ù]Ic%9UYÔU|ìfŽj†»øjío°nÐ\æCúÛÂÞJ7X›ßs-ò´Ëyææb~4QÚ²\WÀLD`¯äý]NÞ<‡ÙÿLâ€ÃÈ
Ó*–×(9æü拤\º±S2F¬c,ÝõäK–k$‚VýÁ«ŸÓø™ÏÆ8	PšLDÍ8×%XˆfáèW„Ñ÷ɘòF†÷-qŸƒZxÑA.:g*#Y¼JS¨uå
+‚ÝA’Ó&T†e¡~R™‹Ñ!Ý!†7ËŠše¾Ní{É—AM|8j¬¨VªÐwcߥZŒ+ÿ=ì÷k¶ÏwÈÓyÊsW{)*Ö¬Ü)ÒSI×ë€ëê9RlšÀbm±h ¾'̺à~6ALŽ¥<º3JŠH¯½cÌÄ7œÙäJòñPd?¶VòõcÃyh.’ïuÏ’™æcÐ	»ŸêìBЧáÂ7+¼CSý¬+8'•€ÎTüå—>)W˜‚bTëz´¾õM4BÒD}ËÞ=v¥¯ªmxfœùÊlÉÒ3îÞ„³„nwMiÑüÎ+§L¶c…y X0¥E¨¶Ž§óù{øú,Û|õÈ¡`O÷Ñt×/
º„¤Ð®üäô™‡Çw¶{	rŽdøæ(ÐEì±,Wq‘¼= ©¯":åz€¡÷ÌƇ
7e@¡™ôpN4ÌE¡Ò±ì=wÉÃo”$9 ¦!",ª‹„ÑêŠÃߤæ$y7µW
ì4ÒÛž^@G<ÉõµFüe¥4ÞöÉý~<¿1&7¡h°_éMCêŠ÷Ï/Ñ&ÉÔWçmQ¢èvÑ…Áå£ÉGx©Šê-µÔ· 1ôM™‰Oßêuü¢T–-¨dç²Z“~÷¤?Ô6=³ûL7QùxWj:™B©x7²FøÍ}çul0I³µÙñ[¯Ó„2~Ò[›oç"#Ñøî¹·T=}Ô‡Á.·ËÍñsêì9|R‹T€ˆóªH¼ÊƒVë—»Æiúø=f'c-ij­Í§^üTFŽàñž“s,y—ñF„0(g¯àîÆ¢ïÞïÈwâ÷[qoÆL^¾*á4w»òg=éÚ¦ð´,øÃcå€ümšãf¸ÃÖ³cM4—òúÖfö¹”ûLll1Ìù¯Ì_h¬/TO÷-/üç	8û4,Æ`♒ȼ~ÃMÝ…‡#E‡X¦Æq(…6oq~Q
¶—{R^/0ÕŒ@}/ÙÔIFÀ‰5€AžËVX{a›¯½ÄZ#“nbâ,Ÿ¥Gƒá£óJ5|Z{#~r”ÆùÖ•ÚÓÏ2?H€Äjv.¬¼·Pò"b=Q=Ë/àô“··‡ÿ&Ò03îï`*÷©ßáúñÐ2Â(‹öH; 7]ž¼ŽÄÊQ$ª×”t²9Sp–DvLôFöJ‘`Åá¼äÏêïÈäŒÛ”$]´[ U·•µÑþ~ÀÝl½µ”D²c0Ù·ÌÀ#A4^ªÄÏøQg£ì‹’viRTrf:òc¿ú¥Å’t¶}U*ØGj¾åÉÚÄŸb–LFQoGêT4o8\—Æ++¢Ì¼¹l¡¾¢%g’nAµ¢óakÜÉ=fjÁó	°ÖÁŽÍcªÎÎ'þXËú¢ú.w8O|úÈ©É;>al%Íe.KñÊë{Á¸ý~§¨svï”è®VùØGR~$¦áCÛ74¯ ½¥:ËœÂBGÍ	$
öQ™yìä“C#ÅTgåëƒß\9¹‰¢ü¹'Þ{we‘ÂÞGÐ/gJ™D|p/eÒïí¦Ï­JôWŸ&cüèÐ5Ó_ÏIiY=¥4QîãšÐ©>
HÅö”¶û%*g=püI€@3o­R‰IXü£PÉw®2O­VdÞËÓ‚"üeë·ÍUgDŸÖö¢·¾ÌV~P
fûq”e\v=Çz]ÅcÕ!éX=RD¬ndIIÕ_\¬UaÔ’x¯÷¾µéÔƒÌ]Òj\õÕ[qŸ¡ÍñÀµ‚tÙï³¢A€‚bý¸ôOÔ4®Áí~î4Áä‘›'.ÕHÜ7È,Ü&ïtî¿á.׸?¯Bïp4@TÉ|µm9Ê·E¯ƒÍ‚MšAÝžj§O…äP³—úrƒÑˆ¯t ø¡ðˆ`‹ßÊíÕ3M`b°~ž™ü8­·*#ßÚÑcxÕ,ØFX³ItŽ™”/T8HB¨Xÿ%íj•Àêüĵ¡,»ù¿·>:ðî¬2[¹¬õùIÉë}££ŠÌ·‚Pb”Õë^žÔîzF}ÏÍã§/E;ù˜E_4!™ü¬)µ™½ÙÍvaÔ
›½„ãØ”[ìÈùH¹º›«‰žèˈýÖ±²|¢?¿™y¶›ÔØŸ‘èÁ«^Ä‚,¶0~
K
+§2Êâ^Œº@?Ú³ûñq&€Ðáz<˜;ól‘¶"Qï
+¥[i§ª¼³ÇžÞvëiÖ|¯ÅEÙÐLèæ­Ûa—·fjº™9‚_%™Œ7WßteÒwZ¡õwgvŠŒÛÛ´ÖÛ@lY¿¡8ÍL4¯úªI“gZ;j×çU10Γwào³‰®G°?ËùïÙoLÃAˆÏú%íRsáädZâœF­Ì/ØCβtŠ˜f‡Œ(À]Ùžx¡#…oéb3++N•‰¯ÆZZÉ¢¶*Óð…h9÷#h2š4š¶­în&dMoVØòÔÇhҨá·};ÇNo	=±?ÛÌl©^‘uw^–&žñXº2wJÌõ¼åµ4ËvÜž¹o‘¸U§\6j¹R•kVrôœR‰ƒ÷„wöùË7猑Çyµ’Ðm§ÉXÍ´Z’¸5~Ì–*éOG©ìViêàÎÀ~S/~–VWºÞs÷.c˜þÚÌùÞeSdOAxçÓG»=,…XRƒñ³2UõG,(ÔG^2`ìûÊöu¨øDFOXžÆ°žŒ±l®] 8oÄ&LKC)‚<ÕýRyò.êÌ\éëÖ›|"Øœ¢ØxXg¾¢Dk³û³¢ØéçÎe2Õý"ŠQü(Ñck5ëÑP;$‰¥­X}›¿C6rR1¥ÂÓ—“‡ÜŠ¯=¶õž«êmãPcˆÒÖÔ‰ú¼HÇ"ÿ:°DÛlj‘ð,†"Ò6‹úH…DCrI"[ÚIo5S**®ôc+ Â‰.˜°XØ•=xJy°eðdÌcž?ªžwޱȢ:ÄJbBÁNöÙ3ʨ„`rI|¬î®0ÏýÖáóUDáERJï
+³6û¼‘Û]KJÓ¦ËÁñ2ž²¤§ÏÁbBbIxüÐŒUѯvYìºý¿
«Že[ˆ<1tû0œ~Œ*ÙšÔüâÌHÉZüJ°A"ÔjIQ£ºy™î‘`R®¶tÕ`+GAUWÂÏå±ûžjû•è4¡Q§ñùêCªÎ*%Ò|I+)¢S^ƒÇ-´æ!θlÒ'~Ë‘„RP˜žË—˜o?QèaÜãàÄ}ÁNF²Ã@R™°Ž0§­	¬µå<}w‘è¦ÒãŽÖ•Ù<¡ÂiùΓ=äi15ÊÛ›M¥ƒ¹^yš “!{W}æW3îPÏ_©Œ¿bÊP‚qnïF8UÓQrßg¿¼ÖÒ
+Ø7R‡UúImÂt=6“³”‰ž!ix/À6Öˆ!nûž†3<}&nÞ
D{%ã3&ÉtwøkÒ#÷‹ˆñÝý^Y­TõHe†ç#é´Tz•OÎáÃÙçßF.Œ"F¾üÜÈ3Gù­€d® ½”‘³ž.o®FŒÈ±Ÿ¹±8†Ékóˆ%x´&7•ƒÃ^Ù0åªùAà¡Ã£R)`~HªŸ­cq>¡>_kš¨Ó¸(tjRLhxóÑYQyÉá]~ycýäüêŸÔ8d´‚a¨QQ³Å?i§µp[Ç?Hˆ XG|uºßf’œ«xÔ`æîê4Žf†Qyz½šSVÕf9‹çÎ|á<,r|9¸úLÀ¨¿dÞz5Ìk6gMŸÍž0Ë-µ;FðªÎyuɤ“FXóœ™Á‚®k2y(OFÞ{eS¾*§S›Îgeó|YX°{hƒ1JÛÝ!ƒç."&›q7L{ÏV2$6Ÿ¯Û5#àBüC®hpÂlÒùMˆ‡¡¨ñËöÙÆŽµ]·ï÷!÷­á-ËŒ¤â:<ѵ¯”b×ñ 1’]b,¹ãòuûÊ} —7Ûª4ÇÇǤ‚ºI,Zš¾D®DvZ‹*þ»tµ¡:í«(pÅ..¿ãaó#×bnÎt4œ„Q7øqöøÚm_DÒ¨Npx`¥²®ø²·¾ˆžþƒfËv¨Í›L
+æLšïùÜö_×ÄõËVÄ«†e…rTïi±_^I—úf£¶}ÓùY}
+™A5ãRd3ý¹?sµ utlc2@ìôÜßš‘|7ˆw$O÷ë}µ/{óÂwÓî]7MWïäâ7e*q™³]•ˆÞÁ`¾„8aU–J°£+,!‘í¨æe;câü à›îéçÀåtC^ÌÇâgYJÏÄ·*1?ɧÆÉ‘¾óÀC>»:‰r¼\»±¬+Êšœ‰¯Œ‘;Üž2ݾGnš¢j,qsþ$iúŽHÆî>nrùÈšãg9ï¸	Ý-’î9~ù£iî´ÖåRw‰²²øL|~ª™-ñÄüNƳ.ÜC°˜¸
+Gõ)øí+¥*ŒüŽ¹îò<šh-`~¥"ðX½”¾n8[ŸP±Tv˜jëÎ.ìú€me}b©oXï¯à3™¯Íöû3dm1´sÒDg	³]!Z‹‡^úHéÚ±‚†Øæ±Ä_¯¸DÛ'*tÁ×­ÜÿCªø\*É3f¬J"ñ9/Ýþ®vÅßm…Æì2¡|ÛáÑ#ý9Ç.ƒâ;c ajø»BWÔ£™[¥W*Þtg;¹aù—ó3
Ñ·
+ÛQ±7cT¨¥œ¨4»°ÕyË_v¦8d4ÃÖä`9 !xa¯9Nfè×
ì<‚ùab3éDxdf±5Ž•¥F=ø5Ã:T]>1¡­Š7]·
”"
+‚á+\>§hàä`™	K8în±Cišù1k	ï	]ÚôÚkÇXƒZ×µ¨øú)œãÞð´|>äºT©o	V,¾÷îkÌ?ê.¿Þ"
&ðLD·ÍÝ—E•°î
rO¸/>Y»KU}¨ÙÜeË/^Ý[™W¸J½r%ûÑ”Q¤^ŒH—C‰ƒâ³e1κ˜µ‹
+#6ÚEHU¬ƒR´šÖ!aÔ¹ôÙD,í_2J|+9»J~:˜^êâôSsi'¢üœ1ÑðM°îiÃy0àxe§L|ÿ¨šI_ñ“”%p¹!ÔN¾õ輻ÜSô¿»{
‰b‡_3?ÁŸÆV2bKˆJø¦}¶Û¤–ÅO<y/x±¼ÂAÿû§‹qh.ñÍaiEJÚÞDa¿ê
®ã‚-Œðµ»}ׯ&Làh扰pñˆp¿—˜ôŒiƒûؘõì1tD„‰n‰¡A+8<ÍÝUÞM|üy¢Ct2^8(9î)â÷…žS¬:KQzZžRüÖ¦íUÚÛÇÏ€5;~Ôz³†»Æñk2ÃáI‘±¤`WV·-Ãt¼C&£ayõmûHCÂZ§¡]gZ}™ûç‹ðé1zcÅÆ\»S#©Å6æñ«R“§°ª)Ý.@ªuN\hXÇøíí£ªˆ¯‚£‹¤bþÃ7wRX=× ’+:¥kU4Ïæ,½Ú‚GïjÇgˆkµ‘ä
å¼°™îÞž_@y_©ø§
,–C—–Ï#!–ËÌôò0[^O8p—竳9XÜ…Fú˜XÛÂÕü"ÔîÍÏL¥—ˆò=ºyt*B<¢òùü¥úK—Âs»><;ªÐkÈ«•÷8E€ \ÞО…’‘Õ¾w˜!¼×…)ƒF¢–òJë¦÷ÁSu|˜Ç^}J»amº°ídÔ2l±
?BQ³¬	WòŸ5òÑÜ.T,-&MÍ\–ƒn8µt­µ¼Q0e¼5g+ ˆ‹«°Zø5¨E&"¨kfáz~†´À™é•èæ¦"ŽìÖtñè–]JíÉM8¶òà†y’ @ÏàȦÏ$
€“€çØË—hvÄ«rd3¾?e=ˆØ7`3oŠ·€ü˜ò—@™döRÉ¡Š:Œ‚õâUS1„G“0’Çþy[^‰½ý'á<ƒÆÓn@/Í—¾¨,_ÒÚ¯ò|~?$I3á„Ò${·¡^W’[Y(<´²¥-ÖÉ©FÔA±ù‹$NáM\©}5Þ)[4·g‹¼·;Þ–®?pUKªùnfŒ²¶Š½åÀ(˜_ŒDG›Z‡¥£‚wCàáô]Ú÷§°!e#žÉùê$1ÕøŽDqLkLÆk¾tt›Å£(Ëj4Naá*fÍ:3ËçqÍãš,2äÁÝF(\]5‡9¦Â'þÆ—ý´$Wȇ ‡ž#*¤Ö&jݾ$`I¼›äˆ»’ɨnæ'1aû81CÀ#hv‘tY–rwœ§Ø+k,÷»’5ÙR†.â´ú ½è=×ËBê¦.j€9þ­BÌþÛAjóî^‚p¢Ï	UøÝaÄUõÒm†ÆëGYü¼
Mäñ…¶GŒÚºêÇ+0öÊïTvWLjSø{*ôɱN&¾4ËÆG÷XÓ]­rÆ7Óß	¨·ûbòÓÈõ#E˜ÚÊl­J7ÚV¼®tOq~æÝâ !®2t¬Ûìëy#ÐÏÁTÚ´ÉÜî>„–ñ¬uX{-Ifè±e±’ƒ#ͧoÊ#9ÈWôéPþ9éõ!Æ\Žc£JnÐjP·‰ÏÔ‘Ó@hßR­‰c'Eö
+²;9
+Ó›¼JnÞ@3yJ¡CuGã¢âßL„%Uíýœ¯ÎÞ)Yx,t®Jjä„SEºí‚Ÿ??Þà‚ÐB_#™Ç›?rTž1Ó:Õ!å>ö]5R–Ûëp|Ù£‹(=‘+e°ü8µR‰q&^>µÕó€sîuüíåý9Tj›
+“?=btÜe——KxìÁ)óøkØAÍÉØ PMšInfÂûÞ·B `%,#úQ­ý0h§/ºaª’¶‡ÏÚd‘	'ïK±ÔNowHØ“†þ;#èNÖæ;Éæ1pÿÚàœïN½Áh4¢Ñf``ŽÂÅŒˆô·Zþ5›(Õ#¾}Ä°ï•d¥®ýÒ÷¯Þœà§ö˜Yû_ocæœÙoô·Zf5½Ž_V©ï¦OQËufƒªø9FoM:—Špyn<Üt,_ÉÞ†\cJƒ„B=¦0œxR´ ¹K1"¡H`x?¬^Ñ÷9žª³žf/ž2ˆ? g¨b³¸ÇsS»ƒÓ¾ÏMz<çÊ©Á”+Qã¹Ë,ÙãÔL~¤ÃF5P_î>Tç^ÒX…0|5ˆ)NTìX±à"^­=I¯u
Ÿì¤Í´`J	0t±G‹ÉXêù›õ:µs'"¢óˆªÓ‡ª=2Åã­öW+µò¨ßɹo”Õ§WU»mc5­Æ
€Ç¶ca"@ËþÏ“˜çF“Þº3Vþl**"íü¼d|sÔ‘›¶Zíæî
ûba*–FfÙ(ûÓZ•EQZ:´8ìü8vÿÛuñí×_¶×
8RŒ¢*ŠºË¿ñ&\Q‹‚SSÁ]¾§÷bZpØì­°õ[·U!ÛŽr?tó|`òt¸øÛÖ~Âx½3|¼¤±sï1VéáY\!ëDäá&Hµ/5$’§4ýÒô—ƒ l	|3›$ª&ºïU?£:k
qb*ýB^dËg¯¯C<âP[Îl.Yp¡€Š,«£ìɉÚ0ž _àÁèÇGMé'D{Ï_+yÊùÐÖØÚ×]wÞF«á¢¬2²P2q”†b²Þغý6LîÆ‹3eÂ>jï²Ú¯I¤amÝÚŠ:°Ë{ZAÌ!'βY‹3Ô°"N%‰Þ*³A™–O†çÅOÌ%U3~¶EJ—y•üÀM‰Í99Ìx#¢kÙÕUÝ£¶ç¥œ™+––Èÿ†1¦;|µÉùj´|¯8b3׳výAáùE™ï˜6ÿÄ=4TH]u2Iq?ý¹kÁ{Eê.û
ÄNUè1c¥sÒ\4Ç¢²7+ELo	å3 åƒd²	SC<íRv-ئNÌGA‹ ¼üs×Yïܾñ¨>/êDþÓÌHöÅuµä\²ªz+PV> endobj
 1068 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /DARAUG+NimbusMonL-BoldObli
+/FontName /QYTPOV+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
@@ -10575,7 +10685,7 @@ endobj
 /CharSet (/numbersign/hyphen/period/slash/A/C/D/P/R/U/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
 /FontFile 1069 0 R
 >> endobj
-2248 0 obj
+2268 0 obj
 [600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 0 600 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
 endobj
 1061 0 obj <<
@@ -10591,72 +10701,55 @@ x
 www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^±kìo͵撹öGC©¦É"nî`
 ’q°‡°°³²	TÀv¦®.ÊöJ, KWUS[0à
àF¦¡‘t!`{) $Й¤@f;???2
@ÒÁÑÓliÐkkè2011ÿÓò—ÀÔóß‘·H°¥=€öíÅ
dëàh²‡¼Qü·5A Ä
 °Û‚’ªjåUdô²*ÚY=ÈhPs}kÅ 6Ù»€ÎÛföæà¿Zsa}ãw.Ž 3ð[ÈÃäøÄp9Û]\ÞÞ`€¥3Ðò6ˆlofëjþWov‡¿rtvxó°{ÃÞÈÔ\ .fÎ`Gà-«š”Ì?ê„X!åv¿Á‹7Os3׿Zú{£yC!@°½ò€ü•Ë0»8Ú=ßr¿‘9:ƒÿ.ÃÕloùÏ
-˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒÒG}}M¦ÿê†ýÛSím ZžŽ À¿¥ÑUv0ÿÃ_<ov'/€——ÀÇÎîû_dü›†ýŸge Äì0`cecc¼ýÿûóÏÓ§¡‘¶7s0ÿks4!@{ó·eûÃ_°™«³ó›ÆÿoMÿûùïµ<@fÈ¿æÌC¬3²3!ßòF¥zºØaBK뵊
-ª:ý3"6ø+LžkBYÆ^[=çŽ_vw‡ºðmé:Ó@§¤¾ïº±ViÛx™vƒ>•¢eëÆxŸÍ*­Ãêó°éìnŽªk•<Ó·q:#žÝ1¼w+À¥¾uD÷3K¯‹ÇkÇlx‡ýíËÑ1mòÁÝ-]ßðà@ç\÷	Sn< ,mt€S.‰¨¾v…w$Ó6tí.E\wRÛâTæ!5,0cök¾º¶Ö%_{®ÏgE^˜’Ôûˆ%F79ÖxmÙ„âWQ5^}[4ùÞ¤Ö¸çM¶¼Lb»ãåÊÒå/ˆ¢Ü0¾éT·–nr¡o^²_,¿BúÛ¶£?%nK•'<(ª»ŽóîƒqZ¹x³?]lÑXÍÑõ#è'Z
„ÔF[­Ñ]÷õ‘GïA;ì­éz~BÌE‰´-mÅžépLæß÷oóG~ÿZ ™þ\’ÒNyk¹$Ý=ѤtU]ðÞ'x™¤¬`ya*Ou(ݺæ%E-ÖVž£Ä²¡dþYÑÓy+q¦&5ogÙÅ}Ú˜†/„Ếb3XÅ,4Qá›6õ‚Û¹FPÛZ0Idm§'§(iÆ®D¦F½.å-ÃŽEwÂ÷c»¡x¬	#Xe»edMñ«%¤yf1‚,É8Ä黽C?mU¨cæ/S"5ta‰µÝžûË}(àYøí«ÂÝó…i$¸«^$œ	ž4:ŠÛuŸ‡¨{Cx™`ö„Öœ»±?ͤÖ"¦ŽˆtXüðN5úÜ—V<“KïÛ•ÃjäÄz˜NƒBè]8vê#&s<;‹ŒØÁZw¶Â¾s¸>dNË3ü”gò‹c楒¡Š-v¡”+Cx+ì]ØÚÅ؆%BfDkµñ9©U•;Ù{úau kD‰OE^àÞ5ÎôÝÓlj‡ox´¿ˆ!„IQ˜0Œ:+=¥\°gcæ¶$¹P8]IO|év¾ïL²¤›$'U	~t?ÆÚĪmUh1°¼_ÿeÈc“'Bó.%¬×½©öý¥ƒT‘‚ÚÌ’sÞO·#þ–]©Ãî#ävèõ0à2z
-N#ÌY¶|À¦ ïk¯ðUè`çÉ—ÃnþLJÔÙ°ªË¥%£÷Ü;6åï¾$bHè\™VÚïÅ£ô,>uiàÛ¾ÃÔ…Öô.–‘ŸÿR[š¾:	!ï9áttIëi@b`ݳ’ôš¯·;1òØRïóg¨†·ë6L˜	
m¦MaJÛ…>îÓ·£^Ñ“¤h§Öå1Ô|–‹O'¤/ñ£.Í
¿2Åàj¦boØë4{Oc©Ù’T¬‡Q|´	âQy®Î:3Ôœ2¡L°
Ù§Ž#÷n¥¤Ý9Moƒ`q°²~ò¯Gµ@¾êú®ŒÉÇe ¶¯D&»æ%ĶvùT
-‡Î°çJå~ÙÑϽʵ‚ƒyQ^…ꢧø¼Ñ‘Ì’¬Û‚„ÛQ±´Ebʫ_¢”ªk”ÏϤáÞÔ¸´¦ÈŽÑh¿?ÏÊÁöóî›RõÍðð4$H1~Õ=@†ÁßjÓîÊ2½,Ë
ISd²2aI:<;‡…]?…Š1N]ˆ)[dÙ™L—DXÿ4ˆ—mA3¦™›Ì|}Ië
-Ž®õiŠ{ÉÈÏeÿeâ’‹ñNe ä±)ÃÆÎú%˜MÕºt¾Ó=ÒXóª Úø]UK/H\¿Ó82@6&îZÓB8£hbcQÉ™…íªø ?îùŽ'$³6-|îö뜮ÈèÈ· —²Ûp8üzlÓ4k|›÷»¦š¬¢Õ\|A,ƒcùã’¥ë5²	ðó¢µlÖ$‹?1´Êõ”“ÌAòwuœz*iãÞþ"^ês3VJ	…2CÉØCƒ²»«Ÿ³Îžü7K-èÆk*m\&?	‹HKßÛì<ïÏ»h´û¤aOüT¥’ÍìjÆÔ³^§/SÖq0Ô¤Ñç`w†Z
˜%ý8‡å:JpסDp½«’Ù½TIm ÎµOJ@àÇ©Oœêäàü¢°ïûâuøS{Ù˜Ž‘øn/¹»ý#lï;6̓jó{ÄÝr©Lu~—õ”QÞC’_ˆ;ô¿š7yÆÐöHîtÃï;µNö˜d|
¸ƒÎRëPaD3¡‚iÓ.k{Ï$ÀÈ)¤¯ˆ®œ {"JLÔÆl,—
-ƒ=®›Ê16#ÕÍ}ìŠ …׃?øs‹”#_GVÝë«*ûs4Ê3ñx]ZÉÂíCúu:pä}³wàâ•F®¨D…U½¶9ÀO‘àÛ‚Œäh(YzΖfšP™Q¤T!L§`m3jNQÏ…+¥‡å³G€Ý9Õ6§{ÄÓ)‘+ÚÞ¾¡pï"¶ëËÈo”ù‘¯TI“¹âÃâê„
Câ(…1>¦õ66$Œ6u¢íîz’ðR7üI»•‡˜ëú¿÷~ük‡ÄI»±8Ù
7â M"ÎcÔv^Ç“D3©O«HhíeæV£ln߶
c+a×ÇÉOÜDU™Q8D@ÒŠ´¡¬@»G…Tk7:âèp­+»!Û2³*É|†·l%M·­Zqëw×W®¦¡XŠÁXÖŠúb¾²æ2a"ÿ^œý%$•ä
-Êv¹Â§µp½þ0¡Ñ‡ÆÔ?~¦:„Ö€ôR“÷Jn<òhh¬ÕU	­_)ÜÌÛÍs¿©ÈL
-­sTJßà:ÿ𵼎6C׉tãž%uº"D}ÙŠýã—ÔÁ
Ý×¥nà¤BhdÊ“zJòðáþXæA'ó>Ëá뺖·UE¯L
-R¢}hŒDW#uéƒí;aäôôY	Â@¥”"=zï”ôÙ¬röÉê…]‰ØŽ6Dü6O%í_o	‚4݆›©È%½7WWv¯8åYÞ­"ÉÝ“$ts¼¸C«zaü0áÅ»½¼â¹IŸ.0ÎÜú„»¼~CK–PÜó1O{“뫲ç1¯åƒÜ!éåGB¸¾‰³:}[
-^¢ƒY»€ìëë’ç°ôa¾\ÙNŸØÇ_«h`LD
Å|?w/36Ð'^’¤¬_ûÀ-éV„ùô¹Ý÷§¡¨Ì=Ì¥ßó:6FŠÄ	ºCoÙÈÙ\ìO3J­dCT¸ÌÕý¦¡W‰6¥)ù¯÷§v3^Ìq~’éÓøÜÊäðç	¤¸ý :‚‹³Žz¤¹ØÕ àÄsƒ?¶pøµ] Ýý
~ðÿ4=ê_$&5AŽ›O«C1@Í·K±§°èŽ;(óE¢Ö–ó¿<3åðÜ£Å9N§_Œ©/¡
-V`[x!ºó®U=­úQ6_ú<¾F2Û¢cMUJÍü¶ æážp¬?’£3pÞ	IÎþD@?œtxfªî
-âå76á='„álZ­—“L¤øY1¸•'á<§ß^pR¨Wü¶”æN/¸D[í•ÙìÛwÓöþª>‘w‡whh{™›¾05	~Š»Œ˜S+ƒn­¿¸D¦%½ûÜMS)FŒŽÞ—úÎøþã™Á9ÖEt‹ò¯Kâ%ë]†BVly¥bÁC¢Ô1¿úv"x‘F–í»~¸ý4ÈNšòTz÷nq~ÃW:=:Úݾ÷o_>/ê0ŽVña2D¿O¥›Ó™-ÁÅ&OJÿÝI/öÛ|ÿW1h£ê½Q ¶tƒÍš¶ÿ'i-„X=5]¨òé-VTSÇ•LʪâpÔä¸9
-=²à~‚z³
-ü
-Gôå{Tž
âÚoŸ3©Ð'7LåC‹ùƒÅW1™Úzž•od°ï)
-2º«2WÊ’K{ëMz{|y‹æ'$€*g\rïr2ÆÉ&+]Š_͸>žŒ”H¢æu¢Å©Â»Qo„ ,¿¶ŠþBø1æÑæU»?I.Ì=—:fˆ$LsÇ»ˆ°5òñG`E¥ú$	ÞdÉG—"	ÄKü•â’\¬ož¿j<Š†3J;æ‹Ï‚¦½¬?8$f½ß)døô“Öbº}ˆI¹¬2IŽ¡§“™úÚüW©Ùýr‘FÕŸàac›l,ÖÝï¢ûP×w2·Û梑Ù
-		úå[‡Sp‹S(n
-пFo©îéËGÛš˜9WH :L9R•P/Î[IÜû`þñ^¥nÖM–\2Ò–= l¤¨#\xXÖÇuKcüh°¶qK'|î-ŒÐé=+}D…u¢GRÂ}<Ì׶ }w	Þ·OœË!ê=YEJÁA x•C„jþÓ¥™¥ï“^iÍmßÛµ—d3,Ô ~êŒÒÓ¯B¸%{œ."¤)\¨ŠèÚô­`és]ûZ|ùKÀôk³­Ü‡Dá~&¬ôן[Ôö[̆äŠçIÜŸ	Y
8¸‚–ÙÈC’¯è1Y&âCß=èjÖ=Ny90€ïg¼kËÅØ#fK1V*Í£2rMÓ„§úºQº7ÓNÞ¿ú±8ª™Æ/Iª4ÍS¾-•fl2ìßôW‘@R»Û“¦ž®÷Ÿ›NW—§J™˜"âý>‹µÆˆ†e7敨’Šæ´ž³–¨©LlnS^Ž‡%Xb™.Yw·¤wçÁÄԩЭm·Šð*$VˆÑé6ýÁ²íTÙ ©î>v•n'0èWdóñáhþ¨ÄÝ»(AàÅõ}Ôç±þ;ɞHŸG¹ž)‘t¶ †‰eC[[çù.«žã•?a6ÞgÓ*ÞìJN{Œ?"wã͘êfI±V
ˆÚø„°ñô$#uš‰Þ}©,·LÜNÜç5µRl™Àô0ïQb¸ÿL/“ÇJ91UÀÞg>WŒPäϬÀ^¾”ƈÑ·£ùD¹ÚtäŽÌ[†Ù»`nc®7Z=l[a$¤–hÊÛW.Á܉ª¡™t#œ%ós|â_×ïÊF?^§£Ry¨tuÜvzºnlÇÚHžÕèQÅ“Ëñp«q|†átNÀzd$Yý;OB/nuÒ?NÜ+ùÇøb-Fô'ìœxô>ÔO	‘ðîV:™ZÿÒèdÊfy§ÔüÉ”»¤ÀïæGuí¨…„„Ò=ë8ÊðòªîjöŽþŸWÍΑB#È#=–·¿7síGbÏÀÊ Rsø†Â:{PW™Q‰J®åÕÜÍ5°”P¬<ä²õÏh7 ž
-pJXÓ¼²£0XTþÌÝGKŠΚDÅJˆb
-Èò¯3šx9|'ׯà³R*{xiÁ^5X~ØX¨òÃÑÿê‹ëâ†$NÞüy‚æk|ëæ-=ÛÑö¶WbÆæ_‚ÆÙWSf/B(“Š•Ù;¾`“öúšï†wªÖ5Z©Ãˈp)íâÜÏ><[
-ÔO’ùr~QQoı±õûKiÌŠŒ)ÑÖm½Hƒ5Ñ‚EY±ÛN/DÑ¥ñ$ßÜ5dTókñXXd™ÅU+yëß·“&×¹’¯`ÿ.Èj>ä—D1—J–©)TH‚Ïl#´„“#G„C9”\Œ#×Æå
-·Œ“1ŽD-Zü†'˜ñÿ ²oË“X2—õ¡.j.ÇiET²<…¤¤C:£S¢‹Þ‹‹ª‚žvWA£A|AaŠS¶ws¢éJÃËËÑ`sÛË0úÐeÅžÈß~U¼Ëuûœj2$À	›.$zTXD\út]°¥|ˆ*ÞoxHŸ^o‰5éÒýE˜)æ|ƒK¼™ñ[D\F¦3´Ÿ°êЯŽÙ¥»p¨`ø¡ ©ûô´:º/¼áCL•äz3ÌÜuj
-Çl´pÇìºýªM“ý›Ÿâð!¶‡…‘k„Ø$ïËŒ©:jT-ù¹±[­õÈù&¶®,埅ºÝ)ûºˆÑ?víjÿ,ú¬ZM,Ñ4¨avjF²…Ú?÷;|Ä;Òã__Äôg@cfwlÒu\EøæÔø%(w&ÇiÓ–.­Ç[½FÖ”´+ù›†ŽLf5´9Fþ
-Rƒ9mûÉ	0ÊZ²ä'Ò¦áÜJ’¦¬œ]ˆ×¼×ËT㩳$U«šïªö
¨‹WÌTŒÐë<';ûL·'	EÉ×Iv¬-2&íÃüå|îär”‰¶úA]¼èr”*b?(Q£q_5LYNJ 4–nq¿ž¢…&|Ñ`½Þ]¬É²ÐcL§VÞó©qz¨)\ß²ôÀWŽ¢–Ђ|¦IHz韟䯶ž¬Dê}ÎÎi„´ÏÐŒ4É ô°Y…3!û~¢µ,‹Ìì’ÐmM%¾G]áîÁß7u¹‘~…T˜ªkIžb:…8½W³X¼]p–¬ËÕn±Ð‘æî'NP6ú…|ûbCöLà,5!Ña™Ÿ€HS%<ÂQ’ OÖß}û´êâʳêÃÀë¾Wþ*\¥XÎy¸EáR˜ÊmÇNõn¹Ç\÷¬¿a=ªü[»÷ƒ½¿R òÝÇaœÐ¾h¦˜Å’[)
duÆKrÝ™^‹¢SToˆ\î÷p}™|_'ç‹´tøŽ™îÎ5§Ûæ%#±Œ-«\'Ç]Ibjæguõ¡Á³â˜hn“í"·Ymß|÷óárùd‰Ì#O›ýÙv$ªðZCVÙó‹ÞÎ9â‚jOèZ¯k‡AêW~Žs ÙŸ<$ ][mŠ¸Ÿf&.Ñlí#™¦
}¶ƒýBèã]<"œú|…äªÌ%w­Çªe®¨:ÆærIwXÕ;—hÉÄ9uŸýmêK/:ß*zB‘R·è–…á[7ƒì!M .ÁÁ§CþèHáÁÛ9¸ƒG
-Š|LàwMBq¬%£ä”•£¸rÙѬn?,ÂWMg÷ŸŽRê:l}ß>Afàúx§²ÜwªÆ6kÃè™<ÖÛ¹èQÑ¡¬•,Bä»ÿ¨jF;œQ”kÊD-c›iïú>½”Ï“_B?HÑßÓ¨åw˜çÕéÿ™4«Þ£·ØÌ£œÃ8M£}âg.î3{úB†ÃçßœI‡©ˆ¼Ôýî²âkØö5>}Ññ…8)´îíi×ìí
Éâž#E$HB5Úñà!þEÀFýÛš§—6×]~éËøÔu>
7Kê€Ò#8ßPN¾p{ˆës…QÙ®øºçõëóŒË#:GsžxÆ-‘L}×öv©†¨*-f ¦ £
-ô1qŠs*n·’ÓöTáÇÃeÉ#ìÊz"N÷ß?IRʲQÞíóÞmĪ¾|À¤Pÿ3e¢è0Ï¥~z*º“ÔňMLóšÑµîw°KªxË›ÅÁ•oWmÝ–™”0¦dèâÏW´ç—ˆa‘@ö§OZ{Uý8ž)Øð1cu³ÙzYFvHòëÄâr/â»qƇP]Ä^œY—˜•Â­¥nF#.pOé‹k¥ØÁÎõ–Å&gµ>N8t{I@Ò×û«ï¥½óC]P~øy¦ßN@„±0Fszù¹žÆÙúΟAå’½¸Ö9ÆÖåЂ‰÷Fð\"vrr=gqG·ŸúV<ì ô>ðËKŒ\yá…OƒÔ¦dÖÚwxS>´šw‘ÁÜFΡÎØ
-ìx†¶€…Pøiõî>»"8–µý$<;"ä
-SÃ	à.C¨êÌæ~-÷fjóL£Ê°°’ÐL ,Š…&F€p(€~E]zsCW _Ùhv{.W~®Ï²éѬL´AÆæ}ÎñPô»xã1Ž}„¾lêMNõ”ZßÿÌX‹NsÊŒQ*’–lÜÂ@ÚøsEÉ¿õé &¸"cWžøÞ¶Ý2¨‰uÁ³¿Hø©}ZÉ×ÖçboB÷¼h1d ±ôãSÇgyK{M’®ûjÝɱçªjêPÿ%ÁßE¬„(/ýdåì݇_‚&
^|ÖºÐY!%/R‰Ù…ј/~ì²ÐÉpØõ5\Œ4¸N±:IÆ©Å¡KË=¿H7šdÀÆj2 Ç%L”™K¤”ŽŸ1íâæ¥Éq¢ pX“§gn«E®óÂÈcååµsr3dÈ‘m—격éÒ‚¸ÈbýÃÍ$Ҩ޼xETH—3¥ìK˜aGù5ôÖïOðŽ”’€i¡rêš	¥£ŒEäÏ
-™TVÆØi.ÌYs2þäìT4a,/h¶5béL}#£»“ªu4w)“4¯²ð÷ÐÐÎV¢øyí8Z¬Ôý†iDÊiú^ø%Ž/%¯N“?åžÂyn5f¸ÙlM_^LWïô-ÄRW-ü‰e²hnÃŽ¼DcbúÏ8‹­G%Ya¹—9öÝ·!nÕ0á¨%î¦bQ¯P_sÕxýž¬¥¹¥ÑP¡ïá’*Í#s‘÷ô¼zgâzÈsŒ9^™Ð|Úß³ÌQØIJ’$ÛºD$S¾º¬ÌÚƒ·Â7ÉÍ%bå1¸f]èc¨*ºÄÿŽì÷I­\p_¦ÞÉÀh]*ä«ê0´!ÜS}-$Jï§~Ò’\s†ãZ$ºK™—ê#¼“ÕQ~t˜¶Zn¥¡ƒÂÏmzJ5á*gS\eu_:,û˜‚¸¦=ñvZµ7Ñà•*åC=©ÿ8Õæ¹Â•qž¤ðc±½ýµWGKÊšXÄ.~¦8
Ð:[¸Ø÷ɬî&¢“è9õÃý¬o‰×Ê>‚ð7…r(Y#:2‡tl9y¾úr¨Þ婤½Jš
-Û‡
-X¶Šè¦zU^Ï„Au¾wߺ>a%Çøo£ÇšúZW0¼„…Û_Ë'fÓS€WZ¶;oÔ:kH{Â7ÿ\Ŭ%vè´æxêJ^Ò!Tl‘ñe‹˜Ñ'‚ý¥ÊhmTŒêaœÎu	µˆiîiäà¿¦×è¬öôÈPKœÁÜvµgœä‚!O’‘4C£b„¹\SsÀHd”§>Pr"VÈ/•Š4%þŽ/ÓÕº—‹âZK{ß .µö€˜4-ê‘3¾˜g/„)KHlHÜ(K@A“b²Çægu‚5Ø_î‘ŠXõ˜ëáD-vÏrÐÅ#Îoõ~i^Ϧˆì)Ý(w§¶¯W¸Á‡Œ–}ÿ]!AP±ÜŒ¸cÅÿÒæÃŽ¢~¾C¹ÕQ«ÁeìyènÉ‘>õ„2m‘~ sù6¯°mË„¡Ã_°L3ivœüj¼ãSB}Ârå.ô.ñLzÊ ¬,7§Dœ×š*Ë[+ñµ±Â’¸¾ÛÐþö»z'©!(n7p>,œ€»—ÚàÌÓáÛ)¢Æoa«¶0“É)óZI]ùÞíµÚkOM(ƒló™à«'PÆá;½°L~Uà™oٰϨ#:êE"gߌÿ®Â©øÛÀ˜è'5Cb…‘|IË-WW)’|
ߧTóã9¦(£MÄŒ8A`-Ϭ‚³ 噥ÅQ蹉ñM±0Æ…»~Ç}SZ/Q`Ž¦yÈŒºWÅt‰„+FÝî
-ù8áÎ|aU'+› øY7‹0=c;³2ùO!·EÅœÙn¯±gÑŸ3ØP#BýÌCK©=¦\4‘ËïäSÑs©«Poî|Hs&¹(çå"IåÃ9¶”#–ÄÙ=¸±^炙Ý,¸è&%¦ý~3¨ÙžìùqŠ%3$Ö»…Ô(ÌöÌS
êì÷B¼Ì%3³VïÖac²IšZY¢Ï´¤+‘M&“¦h‡O9nKïØøiî@GŒ\$`—Ç$yë¨ÓhÛå‹~o³
-b똣å„ËÉg”dúsú`‡ÿ¤±XçðïÒTa¸ï b\I©ìzÎìšDmÒΪ6%&îU@p¯K¢õMyž0Ƨf^`77+ì»vŸË×Ýr鄧śiyjÆä±­[@äÂHÙÓWö0øJ¦„¾hŸÆµ‰Ó-Õ}æC­4Œ•Á…_z/õýÐ!è˜"¯QÌ÷ó‡êÃE½ÚÏOò°ýŠ$T•ã&¦Ö©Ò‡:åÄ_óŽë+WV÷íR´àŽµä«bØiÝʼnPiò§	F…TÏrIƒŒ÷|¡ôÓ31¦6í¢I}¹âñØØ–kΛÓÒëIÒ©ØŒ´/ûŽ±!ÌxøA[(ø/JÖe"ÄÐöÂÎåÏè‡þG¹ß¯öÊ&b^Ó|OŽSŒÃ\Pg…ŽzP(ùU‡¼·ÕÖ¾®ÓÔ¡èÖtÓoÞõÊ6mû'éÊsXSªbš^=3l|YA.hTÖ~L"yÔ]Ec!eÁø®¡$]Ürù"øF¹«VlgŒ(›ÐŒ9BM
r>Ðö7Ï/Ýä¼[Èab‹-º­Á%«nE) 2‚nˆ¹îÌaOƒÙ§­="3,uΡôS6„dÁàÒ9{ÎQ\ÓÁ'œ…™<n›[ü‰³°¥9\rŸÝ!c$Zh\Ø/÷8‘l'^T…Ja&~ZÌK€vM´Ö£w…Ð8²9ÍsÃÛ	¯Ðu£I–Ú5¶”Óè*r8¿×w,TðEÿŒ¸Û+¡Ö.¯ñ6ðŸòùñy…·)^^Ÿî²ç,àv…DlÀÙt7«<«"Ë Ž½vÂjg
1q©«ã±à½?wÅ$Q]×UŽ^nŸfP:ø6ú?Ð’7¡‹±KN³Ìm—›"ýžãÿùzûv/K–ßMùts®x!ñW¶°ØÑI¡–q/	ôåÅÐÔý¡!+¨"J't”Ù·©šX©5ÍhÒÝаý>÷ÅÑcÎÉÛ7û&ß½]Ù)·^`ö—Yr±cHó#
-AhŠºš’îb>ñúþ±]aúÁ(Éè\PW»ÚwYÏ!>ï½d±Q‘xÅ
PÖÌŸú’_£DΟ?êôo[-‚âÑöÌt÷Òì\³M{äs¶S ©+GòÝ¥Ó,—©4ÊWNEvÉʱ<Þ×ð$§\à	/66ï»Øþ‡?äÿOðÿ™-èq°:Û ÿ½
-Їendstream
+˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒ„¦Š²¶ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
+Œ»C]ø¶ti ÓRß÷Ý…X«´m¼L»AŒJÑ2uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ
6:À)—DT_»Â;’iºv—"®;)ˆmq*ó‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79Ð7/Ù/–_!ýmÛÑŸ	·¥Ê“žHÕ]Çy÷A8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿	!æ¢DÚ–¶bO„t8&óïû·ù#¿-L.Ii§¼µ\’îžhRºª®
xïNŒ¼LÒV°Î¼0È'È:”n]ó’¢k+ÏQbÙP2ÿ,ˆè鼕8S“š·³ìâ>mLÃÂÇp]_1Œƒ,Žbš¨ðM›zÁí\#¨m-˜$²¶Ó“S”4cW"Ó?£^—ò–aÇ¢;áû±ÝP<Ö‹„¬²Ý2²&‡øÕÒ<³A–dâôÝÞ¡Ÿ¶*Ô1ó—)‘º°ÄÚnÏýå>ð,üöUaƒîùÂ4ÜU/ÎÏ	ÅíºÏCÔ½!¼L0ûBkÎÝØŸfRkSGD:,þaX§}îK+žÉ¥÷ÆíÊa5òb=L§A!ô.
;õ“¹žEFìÎ`­;[aß9\²@§å~Ê3ùű
óRIáPE‚»PÊ•!¼ö.líblÃ!3¢µÚøœÔªÊì=ý°:5¢Ä§"/pïgúîéãÄÃ7<Ú_Ĥ(LF•žR.Ø31s[’\(œ‚®¤'¾t;ßw&YÒM’Žª?ºcmbU‹Š¶*´XÞ/‹ÿ2ä±I
€¡y—Öë^‚TûþÒAªHAmfŠÉ9ï§Û‘a_Ë®ÀÔa÷r;ôzp=§æ¬@[>`S÷µWøªNt°óäËa7&%êìXÕåÒÎ’Ñ{î›òwß1	$t®L+í÷âQzŸº4ðm_ÈaêBkzK‡H‚Ï©-M_„÷œp:º¤õ4 1°îNŒYIzÍWƒ‰Ûyì	©÷ù3TÃÛu&ÌÀ„†6Ó¦0¥ÇmŒBw‰éÛQ¯èIR´Së‚òj>ËŧÒ—‚øˆQ—Šæ†ßF™bp5S±7ìuŽ½§±ÔlI*ÖÃ(>Úñ¨$®ßi w­i!œQ4±±¨äÀÌÂ…vU|Ð÷üÇ’Y›¾wûuNWdtä[KÙm8~=¶iš5¾Íû]SMÖÑj.¾ ˆÁ±üqÉÒõƒÙøyÑ¿Z6k’ÅŸZåzÊIæ ù»:N=•´qo¯õ¹+¥„B™¡dì¡AÙÝÕÏYgOþ†¥tãµN•¶‚.“Ÿ„ŒE¤¥ïmvž÷ç]4Ú}Ò°'~ªRÉfv5cêÙ‰¯Ó‡)ë8jÒès°;C­L‡’~œ‹Ãò%¸ëP"¸ÞUÉì^ª¤6PçÚ'% ðãÔ'Nurp~Q
Ø÷}ñƒ:|Š©½lLÇŽH|·—ÜÝþ¶w›æAµù½	ân¹‡T¦:¿ËzÊ(ï!ɯÄú_͆vEÂëÁ|Ž¹Eʯ#«îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT	¢Âª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
+ª¦S0†¶5§(ƒç•ÒÃòÙ#ÀÀîœj›Ó=âéÈmoßÐ
+¸wÛõeä7ÊüÈ‚Wª¤I„ÜGñaquÂŒ†!q”ŠÂÓúF›ºNÑvw=É€ˆ
ø?©þ¤ÝÊCÌõýß{?~µCâ¤ÝXœì†q&ç1j;¯ãI¢™Ô§U$´ö2s«Q6·oÛ†±Œ•°ëãä'n¢ªÌ(" iÅÚPV Ý£BªÎµqt¸Ö•Ým™Y•d>Ã[¶‰’¿¦ÛV­¸‰õ»ë+WÓP¬Å`,kE}±_Ys™°‘/Îþ’Jre»\áÓZ¸^˜ÐèCcê?SBk@z©É{%7y44V‚ꪄ֯næíæ¹ßTd&…Ö9ª¥opøZ^G	ƒ¡ëƒDºqÏ’:]¢¾lÅþñKêà†îëÒ
7pR!42eƒI=%yøp¬?ó “yŸåðu]ËÛªˆ¢W¦@)Ñ>4F¢«À‘ºÎôÁö0òzú¬áN RJ‘½ÎwJúì‹
V9ûdõ®DlG"~›§’ö¯·AšnÃŽÍT
+ä’Þ›«+;Wœ‹ò,ïV‘äîIº9^Ü¡U½0~˜ðâÝ^^ñܤOgn}Â]^¿¡%K(îù˜§½ÉõUÙó˜×òÁîôò#!\ßÄY¾-¯GÑÁ¬]@öõuÉsXú‡°
_®l§Oìã¯U40&¢†b¾Ÿ»—è/IRÖ¯}à–ô
+Â|úÜ‚îûÓÎPTæŒæÒïy#Eâ݇¡·läl.ö§¥V²!*\æê~ÓP„«D‚Ò”ü×ûS»/æ8?Éôi|nerøóRÜ~PÁEˆYG=	Ò¿Ü@ìjpâ¹Á[8ü¿Ú.îþ?øšõ/“š Çͧա æÛ¥ØSXtÇ”ù"QkËy„_ž™rx
+îÑâ§Ó/ÆÔ€P	+°-¼ÝyתžVý(/}_#™mѱ¦€*¥f~[ópÏ8V†ÉÑ8ï„$gÿ" N:<3Uwñò›ðžÂp6­Ö‚ËI&Rü¬ÜŠÊ“‹pžÓo/8)Ô+~ÛJs§\¢­öÊlöí»i{UŸÈ»Ã»4´½ÌM_˜š?Å]FÌ©•A·Ö_\"Óƒ‚’Þ}#FGïK}g|ÿñÌàë":ŠEù×%ñ’õ.C!+6‹¼R±ˆà!Qê˜_};¼È#Ëö]¿?Ü~d'My*½{·8¿á+ínßû·/ŸuG«ø0¢ß§ÒÍéÌ–àb“'¥ÿî¤ûm>‚ÿ«?‚´Q	õÞ([ºÁfMÛÿŠƒ´–?Â…?¬Žžš.Tùô+ª©ãJ¦eUq8jrÜ…Yp?Á½Y~H…#úò=*Ïqí·Ï™‚T蓦ò¡E‡üA‚⫘Lm=ÏÊ72Ø÷]‹Õ™+eÉ¥½õ¦½=¾¼Eó@•3.¹w¹Gãd“•.Å/‹f\OFJ$Qó:ÑâTá…ݨ7BЖ_[E!üóèóªÝŸ$æžË	3D¦¹ã]DØùø#°¢R}’o²ä£K‘„Gâ%þJqI.Ö7Ï_5EÃ%óÅgAÓ^Ö³Þï2üúIk1Ý>Ĥ\V™$ÇÐÓÉL}mþ«Ôì~¹H£ŠêOð0Š1„M6kîwQ}¨ë;™[ŠmsÑ‚Èl…„
+ýò­Ã)8ȉÅ)7è_£Œ·ÆT÷ô壌mMÌœ+¤
+G¦©J¨ç­$î}0ÿx¯R7ë&K.iËP6RÔ.<,ë㺥1~4XÛ¸¥>÷Æ	ètž•>¢Â:Ñ#)á>æk[¾»ïÛ'Îåõž¬Ž"¥à P¼Ê!B5ÿi‹ÒÌÒ÷ÀI¯´æ6‰ïíÚK²j?uFéi‰W!Ü’½NÒ.TEtmúÖF°tŽ¹.†}-¾ü%`úµÙVîC¢p?VúŽÎëÏ-jû-fÃrÅó$î‹Ï„¬\AËÇlä¡NÉWô˜,ñ¡ït5맼À÷3Þµåb쑳¥+•æQ¹¦iÂSýÝ(Ý›Çi'o„ßFýØÕLã—$Ušfƒ)ß–J³6öoú«H ©ÝíISO×ûÏM§«ËS¥LLñ~ŸÅZcDòóJTIEsZÏYKÔT&6·)/ÇÃ,±L—,†»‡[Ò»sž£Ž‚gç¹9m˜½FVË",˜Ûx™£Ÿ¢Îúäç/û£ÜîdL3¨JÔ­Tú\±ÿHÉLÈïa…ºfNuöѯ&],rÁEÂÚ1DÚÇŠ
+Ÿ`bêTèÖ6çCÅx+Äèô@›þ`ÙvªlÐTw»J·ô+²ùøp4Tâî]” ðâú>êóXÿfßdO¤Ï£\Ï”H:[PC‹Ä²¡-‰­Çó|—ÕÏñÊŸ0ï³iov%§Ž=Æ‘»ñfLu³$ŒX«Dm|BØxz’‘:ÍDï¾T–[&n'îóšZ)	¶L`z˜÷Î(1ܦ—Éc¥œ˜*`ï3Ÿ+F(ò¿gVà/_JcÄh‡ÛÑ|¢Üm:rGæ-Ãì]07‰±?×›­‡¶­0RK4åÀí+—‚`îŽDÕÐLºÎ’ùˆ9>ñ¯ëwe£¯ÓÑ©<Ôº:n;=]7¶cm$Ïjô¨âÉåx¸Õ8>Ãp:'`=2’¬~'¡·:é'î•üc|±#úvN<z꧄ÇHxw+Ì­it2e³¼SjþdÊ]Ràwó£ºöÔBBBi‡žuexyUw5{GÿÏ«fçH¡ä‘Ë[‹ß›¹ö#±gàe©9H|CaÈ=¨«Ì¨D¥×òjî†æXJ(VrÙúg4€O8%¬i^ÙQ,*æî£%ÅgM¢b%D1dù×M¼	¾“ëÎWðY)•=¼´`¯¬¿l,TùáèõÅuqC'ïþDï7¼¤O¯·Äštéþ"Ìs¾Á%ÞÌø-".#S„ÚOXõNèWÇl„Ò]8T‹0üPÔ}zZÝ^„ð!¦Jr½fî:5…€c6Z¸ãGvÝ~Õ¦ÉþÍOqøÛÃÂÈ5Bl’÷eÆT5ª–ü€ÜØ­Özä€üÛW–ÎòÏÎBÝî”}]Äè»vµ}V­&–h	Ô0;5#ÙB탟{ˆ>â‚éñ¯/bú3 13„;6é:®ƒ"|sjü”;“ã´iK—‰Öcˆ­^#kJÚ•üMCG&³
Ú#©Áœ¶}äe-Yò
+iÓpn¥ISÖÎ.DŠkÞë‹eªñÔY’ªUÍwUûŠÔÅ+f*Fèuž“}¦ÛŠ„¢d„ë$;Ö	‚öaþr>wr9ÊDÛNý .Þt9J±”¨Ñ¸¯¦,'%PK·¸_OÑB¾h°^ï.ÖdYè1¦S+ïy‹Ô8=Ô®o	Yzàƒ+GQKè
AÈ>Ó$$½ôÏOòÇW[OV"õ>gç4BÚghFšdzج™}?щZ‹Å?fvÉè¶&Àߣ®Žp÷ào‹›ºÜH¿B*LÕ5ƒ$O1BœÞ«Y,Þ.8KÖåê
·XèHs÷'(ýB¾}±¡
+{&p–è°ÌO@¤)ˆ
+á(ÉÐ'k‚ï¾}ZuqåÙaÕa	àuß+•?®Ò,ç<Ü¢p)Lå¶c§z7ƒÜÇc®{Öß°Uþ­ÝûÁÞ_)Pùîã0Nh_4SÌbÉ-Œ”²:ã%¹îL¯EÑ)ƒªÇ7D.÷{¸>ÈL¾¯“G‰óEZ:|ÇL÷çÓmó’‹XÆ–U®“Ž€ã®$15ó³ºúP€àYqL4·ÉÎö‘Û¬¶o¾ûùp¹ü²D摧Íþl;Ux­!«l‹ùE‰og‚‹qAµ't­×µÃ u+¿@Ç9ÐìOH’÷ÏU„®‰­¶EÜO3—h¶ö‘LÓ†>ÛÎÁ~!ôñ.N}¾BrÕÇæ’ƒ»ÖcÕ2WTcs¹¤;¬êK´d✺Ïþ6õ¥o=¡H©[ôËÂð­›Aö&—ààÓ!ÿ@ôN¤ðàíÜÁ£E>&ð»&¡8Ö’QrÊÊQ\¹ìhV7᫦³ûOG)u¶¾oŸ 3pý¿@¼SÙGî;Uc›µaôLëí\
ô¨èPÖJ‚G!òÝÔ5£Î(Jµe¢–±Í´w}Ÿ^Êç
+ƒÉ/¡¤èïiÔò;ÌóêôÿLšUïÑ[læQÎaœ¦Ñ>ñ³G÷™=}!C‡áóoΤ…ÃTD^ê~÷Yñ5l{ž³×(᳓* ŠŸÏgé­?»ñ\²Àå'Ç…îñµþ@vǸŒ‡¨óÀ9šæ‚Ã?ŸŸ¾èxŠBœZ÷ö´köö†dqÏ‘"$!ˆ
íxðÿ"`£þmÍÓK›ë.¿ôe|ê:Ÿ†›%u@éœo('_
+¸=Äõ¹Â¨ìW|ÝóúõyÆ壹Œ	O<ã–H¦¾kû»TCT•3SQú˜8EŠ9·[Éi{ªðãá²Çäve=§ûïŸ$)e	Ù(ïöyï6bU_>`R¨ÿ™2Qt˜çR?=ÝIêbĉ&	¦yÍèZ÷;Ø%U¼å͇⌌àÊ·«6ŠnËLJ˜S2tqŠç+ÚóKÄ0H ûÓ'­½ª~Ï”aLø˜±ºÙ‰l½,£	;ˆ$ùubq¹ñÝ8cC¨.b/άKÌJáÖR7£¸§ôŵRì`çzËb“³Z'º½$ éëý€Õ÷ÒÞù¡À.(?ü<Óo' ÂX£¹
+½‚ü\Oãl}çÏ rÉ^ÜëcërhÁÄ{£x.;9¹ž³¸#ÛO}+öH‡Gzøå%
Æ®¼ð§AjS2kí;<)Ÿ@ZÍÆ»È`n#çPglvçxž–HhÑo°þ¦¯£mÉ،Ģo­»L£ÇQ“0íñÅùuâ#ø2†Nü®{Q[V¯Àj¿¢»þ?ƒNWô¨?ƒt›á%¦qGGö:¼®*x¼ÃÀÌžÙÍÙ^?£õgf‰•çûúpïîLÂTÅ7^\ý?0[ÅÃèQÄè$†À×}ÝŠIÃP±ªÇdYvgä‰e¦w©Þ$àŒ¢_™×¹Žéß™†Ø'DÂ9ËŒ?h2ó¸%¹ß̆Ó6UÖ¾—õ„¯m“±(ò¨øÈþ­ÉæD¥«‘÷§½ºwõ¦$MMó:2ž“ú©‘ƒ=‡3Ït]ÆF±°i\Çã“%N¥ŠaÿÝ£ÛEK¼ôÑ×îŒ6y.G­†(®AM†<ï¹Ö~Êyõ.‹ï—²À.õ8'_e#åBâ[7Q:¿žßämø"mƒbìSƒŽÆZáÂ
4¨YŒ•{t¿Op¡Æ¨à‹!|	‘õj—/™§ÐLve§eŸ(ú]<Žqž(Á¨ð칄…ÏÀßù¨;ïAJGZ0ý7ùˈ¾†[(-®P+Uìp¤ëñ|\—;ïùÝ27r¤v¨x©t¯½ <¢íæVþ–(ù’]”Û­®ÂãBB²ßâ	ïE›Üä ?•ïd
+ž¥̺”k®ÖPú-F3{^.|àƒM],¿Òck&Ïý"§^{9D_o·äË•ÄgDwŸÇ>B_6õ¦F§zJ­ïf¬E§9åGÆŠ(IK6na mü¹¢äßúta\‘±+O|oÛn™ÔĺàÙ_
$üÔ>­Šäkës±7¡{^´2ÐX
úñ©ã³¼€¥=Š&I×}µîäØsU5u¨ÿ’àï"VB”—~²rön‰Ã/A“¯>k]苬’)ŽÄìÂèÌ?vYèäF8ìúš®GFܧŠX$ã‡ÔbÐ¥åž_¤M2`c5ã&ÊÌ%RJÇϘáVqóÒä8Q8¬ÉÓ3·Õ"×ya䱈òòÚ9¹2äÈ6†KuÙÔtiA\d±þáf’wÃAé@To^¼¢*¤Ë€™Rö%̃°£üú‰Gë÷'xGJIÀ´‡P9	uÍ„ÒQÆ"òg…L*+cl4—æ…¬9rv*š0–4Û±Œt¦¾‘ÑÝIÕ:š»”IšWYøûèèNg+Qü¼v-Vê~Ã4"å4}/üÇ—’W'ŽÉŸŒrOá¿<·3Ül6¦//¦«Žwú–ƒNb©«þÄ2Y4·aG^¢11ýÎgœÅÖ¿£’,„0ˆÜËûîÛ·j˜pÔwS±¨W¨¯¹j¼~OÖÒÜÒh¨Ð÷pI•æ‘¹È{z^½3q½
ä9ƯLh>íïYæÇ(ì$%É†m]"’)_]VfíÁ[á›Æäæ1‰¿òŒ\³.ô1T•]âGö{ˆ¤V.¸/Sïd`´.òUuÚ‹î©>ŒÇ¥÷S?iI®9Ãq-Ý%áÌKõÞÉê(?:LÛ-·R†ÐAáç6=¥šp•3È)®²º/–}Ì?A\ÓžÎxŠ;­ŽZ›hðJ•ò¡žŠÔœjó\áÊ8ORø±ØÞþÚ‰«£%e
+M,b?Sœ†è‚-\	ì‰ûdVwÑIôœúá~Ö7ŽÄkeAø€›ÂG9”¬™C:¶œ<_}9TïrTÒ^%M…íŒC,[E
+tÓÎ@½*¯g :_‹»o]Ÿ°’cü‰·ÑcM
+}­+^ÂÂí¯e‚³é)À+-[‚fß7j5$‡=á›®bÖ;tZsa¹rz—xž,ÿ
°Â,ZAË°z˜wÃV‰”]AVrÉ|RMc:ù~pŽêˆ°Æ¸œÎõb².<„âÓ?øÕMÌlH~6ŽäÓl:Íx²_$j)ÊWA¼ëhEBuµ²¹ù%Gx	—iSÅÊ—Ž²ÅÄ© 2'BæȰ箦Q0h<´ó’ ÿž·§£Q-önµ‚q¡òS‡!»l˜ìÙŽSö£'ºN–³º,ÇTéW¦“ð¸Ç­gÈ‘²Ëê³ä‰#¡,Gd›äô‰ðýl$HÀûa—>7f»‚Z%ýÙS•²Ú@G÷Ø/RÝŠŠ¤`· ê²8f½ó¨ª»üqÄÎdX
Gû¤g¹Ë˜
»„_qvw3ƒ9T ÛáÏúmœ”@n¹aOJ‰
…yu†çêfÙ=Õú{ÝÓFÎLfN‹GäÔi"?þÖ}醊ÛUœ—_š›iN„z²ròÃõ3
+uÎÂüÕÏÍ{1T¨—t+jªNìpC4ç@ÖîÅfÙä:)0ýôðtòuwô›§`âèÃJ_Âåfò²¤p¡Éý@ ë¤åcùC¡î—rj¿ÁRµP“ÜüQ[öºC›¨˜2Jí¹~?„.ìpÞ»ÂVXz%˜©­^ŒºÎµ†×þ'R¹ÊxE˜•ú½Æ#´ÂETíö`…TÆ*‘Æ4d¹ÆÔÊô;é¯QÍ·ìe¿Éŵ§Ú-Œ™–¾~jͶœÅ`k(vï¯ûa¤æ ‰öឆ…ö*„þlØNÙçfr²ÇŠ1³|/0î4ÑÉÇýžjÈ¿>VùEƒ" OáZ¨zßû,q!¿å]3„*Øœì>ÀŽÅ­ˆ‘{+$v¤fx[VÿÁ§ðaXïòÞòÃݸ´îÖæ#¬OÆfe­Ž¨€Ägs·BÌgtíD·°¦1?éBmbvø¶—9¢¯'2S☟—øø/Ð]Å`œÎækâ$:DKØ$žr°[[/o•‡á‡¦„ô¨ÜëÏ~fwHý¥ÈC¸¯É½ßn	
+ê÷E6K¿­í‹zv
$àg¨¡Ñ8qx!]ü`b6#2•›PÖŠ>)ЦšôʈQІ)C(Õƒ}R~­­‡_¯˜>{š·u9;ƃn¡“íó'\	=…i{,Áe“b««=µÅ¹ÛˆÎÝ6ß®ãÑÜ€AŃšlôϺΛv6Úì	5ÕÍRjå8äò¬Úèpõh.	ÒÛþ1«,Sd¢Ïì^5
ö¢ ÚO舄iᔚ8Ž¨á§ˆCî¤M¾»ÙIrúdöÿÃß#58ƒ8øìꯦ‘c‡9<œÔ?Xé(õ£ƒÙFkcˆÊU#´gƒ–ŸA>fâÃ穬-mDñ{nÊ¢,B‘dKÝ*ÞFΑt0¸ß28°ê!Û™h—Ÿ"à}8Bò˜á"¥f]™M<"$‡[ÕënwYÅ—ÛuÌ6ÎG¹óê=¦™¨ˆG(fjwfÐÜÄÃú£Ù_Y×Òm¨õPø²—'MWußÛKjÓ\·EE}‚Sy识cÔPÞc
U»¿WÎ…{gÎV©)ûðqBÐPègõ‚ »€‘j´µJ¡!ýÌÇO^â®=ÓôÑF~÷H×¥[ñ²ÕÉ»yè¦<€]¯©RE›x†{r.¸õSz÷N®rÍcOdùñ6“ôíFƒZÅ»µp±êLÛll™ÞÔòÓž¾h¾s,ü×Ã"TqÂÝ^–Oãrç,ÙÅŸ¨ÅEò/*f’”Ž€˜›…#ê–úJ8Š\ÐTH6ÄÄëêVäùã§q_(7QÐNàQK¸7VÓ¯¾«v…!YԫΓ²QŠÚ—>÷m‚«“мNØY©ŽJÉèÀê5—I«^ê‘ËT3Ey+fèÏÛ¥ý¯Ô°€H7Û³k
‡9ùÔá?b&=eÖ–›ÆÓG"ÎkM•å­•ø‚ÚXaI\ßmhû]½“T†·8ŸNÀÝKmpæéðí”?Qã·°U[˜Éä”y­¤®|ïöZíµ§&”A¶ùLðÕ(ãðÎ^X&¿*HðÌ·lØgÔõ"‘‡³oÆÿ×aáTž'zûû¹®^u?%Àtc	¶èÁÁVuA†|£¸ÅÍ×”6>1Å'¨¥Ô2¼oòg ’o›Ê
KâúÂTðÝö3r
bBWnêPÑÕƒÕZì)dž¡ÌBT«Í´Añ5¾S5£æ̦¥ÐTU¢¯:Üê‹°¡À†zBnüm`Lô“š!±ÂH¾¤å–+Ž«I¾†ïSªùqS”Ñ&bFœ °–gVÁYòÌÒb‰‰(ôŽÜÄø¦XãÂ]¿ã>€)­—¨°ÇFÓ<äGFÝ«bºD•Š£nw…|œpg¾0ª“•MPü,‚›E˜ž±Y™ü§Û¢bÎl·×Ø‚³èÏl¨¡~æ!È¥ÔS.šÈåwò©‚h€9ƒÔU¨7w¾¤9“Ü‹”‰ór‘¤òá[ÊKâìÜX¯÷ÓÝn\t“Ó~¿ÔlOöü8Å’ëÝBj”Nf{橆uö{!^æ’™Y«‡w댰1Ù$M­,ÑgZÒƒŒÈ&“É‚FS´Ã§·…¥wlü4w ƒ#F.°Ëc’¼uÔi´íòE¿·Y±uÌÑrÂåäÎ3J2ý9}°ÃÒX¬søwéª0ÜwP1®¤Tv=gvM¢Ç6igU›÷* ¸WŽˆ%Ñú¦ó¡VÆÊ`Â/½Ù#»ÏÃâÒß¾!õÈŽb>"Ä*200œ7¬ÏT}èó fT÷¡·MEfº>³¼5qÖ€m®)½—ú~ètL‘×(æ{ŒùCõá¢^m„çÇ'y؈~
+EªÊqÓëTéCòâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<üÈ -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆüªCÞÛjHk_×iêPtkºé7ïze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±²àN|×P’.n¹||£ÜU+¶3F”MhÆœ¡¦9Ÿ?hHû›ç—nrÞ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹ÏîÀ1­ÇN4.ì—{œH¶/ªB¥0¿N­æ%@»&ZëÑ»BhÙœæ¹áí„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
+Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ̲Ð`endstream
 endobj
 1062 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 34
 /LastChar 122
-/Widths 2249 0 R
-/BaseFont /LYZVZS+NimbusMonL-ReguObli
+/Widths 2269 0 R
+/BaseFont /BSNMUV+NimbusMonL-ReguObli
 /FontDescriptor 1060 0 R
 >> endobj
 1060 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /LYZVZS+NimbusMonL-ReguObli
+/FontName /BSNMUV+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
@@ -10665,110 +10758,91 @@ endobj
 /CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
 /FontFile 1061 0 R
 >> endobj
-2249 0 obj
+2269 0 obj
 [600 600 0 0 0 0 600 600 0 600 0 600 600 600 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 984 0 obj <<
 /Length1 1606
 /Length2 17112
 /Length3 532
-/Length 18022     
+/Length 18024     
 /Filter /FlateDecode
 >>
 stream
-xÚ¬µct¦ÝÖ%ÛvîضY1+¶mÛ¶Y±mÛIŶm[õÕsNw¿=Î׿ºß×מsíµÉˆ”è„ŒíMÄìlé˜è¹r6†.N²v¶2tÂvÖÆ€¿J622Gg;[Qgn€š‰1@ÔÄÀÌ`âââ‚!ˆØÙ{8Z˜™;(U~ªQÑÐÐþ—怡Çÿ´ü=édaf ÿûãjbmgocbëüâÿú ’‰	ÀÙÜ`jam‘WДPŠË©ÄMlM
¬
-.†ÖF#['*€©#ÀúßÀÈÎÖØâŸÒœèÿb	9Nö&F™¸™Øÿc¢Ø›8ÚX89ýýX8Ì
lÿöÀÙ`akdíbüOõ¦vÿJÈÞÑÍ_Û_0;'g'#G{gÀߨ
-¢bÿÎÓÙÜÀùŸØNÍ;Ó¿žÆvF.ÿ”ô/Û_˜¿Vg['€³‰»ó?±MÆNöÖcÿ³w´øW.N¶fÿ•-ÀÑÄÌÀÑØÚÄÉé/Ì_ìºó_uþ·ê
ìí­=þuÚî_^ÿ+g'kSz&æ¿1œÿÆ6³°…aøgP$mMíLŒÿÖ»ØÿO›«‰ã¿DùÏÌPýMÂÀØÎÖÚ`lb
-à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;ÿ^0€¿Æ øgÇüÿ|
l,¬=þÞÿé¨fòïÿO ’ÎÛ dkö—
-FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ÃÏŸ*òòJ4ÿ¹Mÿå¥ð—ugeû¿‰ý:díŒÿ—ð†°°;À‹Ž•@ÇÌÁ	`çdpr0ùü¢ý†é¿dYgGw€Öß’™þUøÿøþKÒù˜¶FvÆÿL‰’³­ñßÁú_ŠÌF.ŽŽùü×]ÿ[ðÿ”ÿ5â&&î&F0kËvF<Á–é¿2œë0sG&Eµú˜@GBìK•‹
-ükìzýÒÃw¹*õ?kC蛦¹¿Û=–Îí¿¥¨Æú0¬)zSM®óñ|H¨ú·È;9hŽtKá3.Ô¢½nevÀ4ÙUö&ê–|BàOw²8BݼPù“¸ø£‘>Û#ø¥5Ä¡w!5¡Ôž_'¾}ÛkZÿôóüwÎá\àèe"°µî€”PX™/,3"@<ÔSÂ{4ÂÑ3#­¶«i7.øÙ[ÓZ‹
ô­·6åÇ7«¯uÇeHfÕŽvl9‰®Åà.¿ÚCpôמ¹ï
-ÕZŒ™ÓØANvŠ]Ïy–ãÅ{iGçý2ê-úA¢ÿ}ÛcÃ~~*æcd@Œ„8ÓÔÁ?W‘2,Åi|Z…È%sÒJ CÓº‰¼¬–‹C!ýñàÄ~0w‚—„L¨„‹¡=%¾,jl‘¡Þ‚Fø8;í¤JNDË·¯U7÷ôw¸àô‰¸gVáÆû)§ª!‘Neå~Žm­EGÂýqÊ¥ -â9þÝÌ_*nÿAv	ÙSáýÀ°v€<÷ÁÀÉŠÅÜä±ÌWáŠÞâÿ.±hMe”:X³Ï/=\“õ 8èOª~îTˆJ~^‡Ò¯(E>JA±Y|̼cæ¿çÑ°>Pã}õÒ¾Õ*"SßRØM}ñ7•KŸa:uÖKúÝý
HÒôD¹¿£„‹lű"ŒƒÎ¥Õ\ÏR°#_ñ1ò—ã.±¶•õ¦üã7JZ*|“P9	{Èñ\U-ã±°¶
-Ú¡QZ±¢›w¿‘•Üv7óŽ-ʇJѦ®!ÀçÜ…áÚó¬Ë9€FÿýÖì=|»KYg¨^BX³Ø€ÀþJk8»8—MzþòÎ&38S‡uìTÌoŽ	$àǘ^zE—w#ÊÀˆd8ë;ãg]¬M,ýt’Ž{ÒÈ%Ñq%%mw„­Ãî@Jeâ_õðßsÞg¯`¦RÈ5EB† nDŸ¬‹Ÿ"8ïnx³E4 V;þ6Qh\„§Þ=½X ’þ“Gþòüåŷ싔셭bŸ§ç\EÏñ Â—°w#¡<ª˜Ûa·÷‹~uÔ›š9>kÕ`•–ÚX´nz«að|ÏǾävœ«Œ+=L6¾Møf"Hó²†ÖÚü‰Œ6ßñž?
-,ÐmÍŒ%²Ž¬î|ø"Õ?YHå¦õÆ]½ô!P!1):X·œø~R¯µËöÛÀï/ìº×Ø,‡°ñ·¢WÅýí`ôÐõ
g¥°âtãÏ䱇sæ¼e³Î4MùGî>8¶»’d÷ºëFÛÆö¿®3 û°½i.ío±Ç|Í¥Z’2D3yˆPPjñÕfGüf0¾è<5éõ!S¾/!u¾ûµÀÓš
-Ø:|‚¬·.¶–ó_Mv“ôacæ~ϼr²]‹Ë±¬ˆóÄa©Öbß:g×¯ïëb¥-±÷#ƒP!»‚ŒCîîœbL	ÓÞ˘]÷]¯* dÏÕ	§„n˜"}x3<	`C X‰ì4áJrÛBHõ“ÁÊ„edÔI¿Ì|`Zþ©Å	9;LgÇp™or¬øæ•šÀTʪµiÇõo²G3iØD‰ùÑ®äB·ÌeãÿBÖ’ G«¨¾7”2À#?Mš*í£gm¥côG=èÞ[|T^Êh¸Õ>w~õO¿þÜДr_Ï68È·R©¡XVÏ-‚˜$JÁÏBG×2E"ÏÈš×å=Ú¤2߬	'¢Fö‘bP©¿)‹ÐÞ	dzÍ~Èo´‰¯Ëd˜ž¨D¹²|§ƒ#!vµ’oÑý$WG+³…Íö÷—¶vËx‘’ÁT:UYà‘’ˆ”y€—øÞ¨ôû³b›3¶¦~"î
³Íþ i
!ÝT=ŒªÐr/2çñÅÂâлHh:cA×ušÍ/[L€ˆ¸?´4~i-pL6‹¯¯g’^†æ
-v߶o…'siEI݇‚>TàM‚ó.¥t§>À)—
7J®ò¶M¶"Wv,ð ò{ Ò~|oÄ$ï!½Ü¦ |ñõï˨²ͦBÇÓX¹2á{dåÖÔÈåuîæÙÓÜŒ¢±
-åsõ´ÊåÐh?‘«åŒß¥éÂExÜ%8Û5µÃ³ÊóËoÁÒ¨§^RýÏjfrM¿Êí8ÅŽµxà„ˆ;“JÇÒéy.±\Gj×tP6;L`Ÿ6ìRØ#6C+9G÷`Xòñ/+?þ±ÔE²d
n`ëæ/F»Óy³¦s™N520üBoëÂ¥ÕTu¥X³W™ÓeBi¢±¡Ú€™nŒÆÕŠøÉ t¢Ë¨ûCØí¹Í^„<ß™&ñ2Ý5’­*}¤ô/Šd²FЛØêZÁ?˜M‡þøËá̤(	’ Óü€þUÒ³Ën¾ê|*0¢¤ô;‚·èb€ÜøÕO1ñ÷¯‡¸ÀdñëxÜ\6€¡A©¼!r“›ÎWL¨	³
•Ú	ªí⯣nT“Û¸	;¤ëÏDc¹B#e >ó—lê±õ2ô¦ÒPùi÷	ß±é1¢é¼½Y½ë—aÉu«Žœ.@’Ñé¬	ºá)ÒK“b§úb¨‹’E{xaüá;ŸýIÒ®õnjgôO¸·ï•×_ÝÁ¬Ÿ
-_Ë£Ý% }\RÖ:èJÞd­ÖX¶d–>/Ä,n’5¸r%£à²ºš–øŸmV$H‘Æql=ˆKZ»(‡ruP÷S™äR“Çчȵc;"+?Ócù†”•!kȼª6´ÊïÓ‡l¥ýá4Ç(A¦†K)-Ý’vÝéÏîÅ‘‚LÿJÊr
÷è½Úƒž	~g°Ç¿2c‘„$St[Ž¼ì“[É]ø³1Vz¶ÞZè±J=£YR]5Þç9ðš|[EyŠEšÂ:4ÿx©â+*©æ>ØyDUÇêhÌÒ>I
.­ö=ý1ý¥Òc@ßÇîìq㦒ÇRj¹z8¡v˜»7ÖEUß}-Hè2¸Â…÷ÇvV:¼:_ŠæDÙ¯ñ‚-§¡mé«VÎ#PÔü4QÖw×ï7`§¸o¢JžàFݪ<^ÌÓä9+²Ãóm%™¬vËYàQ¾`ƒáÁ¾uïÏi,gϽϱ«â_–ó®2 ¿^Ò–L€pi`J¶Ä	=C‡ç&zM,¸M,<Ôy
1H†æ'vÛÕbù“nx…óÚ·ýKK*›¥,/6y#?H¯[M¥UŽÜÙX	AçºF1~¯¡ŽÆŒÀç¾ÇýЗZ]aý\WÂ2ز»p׸ÌGáÜý¶žèuvßÀŽðucŒõʉ¬ËWÑeºwXSH±‡?Ï^–“\ŽÃï¥H×y0&ÓcÒIJVîÛÀ©×Ûê	ïžÚï‚ù1E—Ì3ß®jf²ˆD]õz
I퇹`ª¢Ö6pÛ1ÚaTm‡Û™úß—Žd±*{Æ",T–]BÞÐoæ²V4ÚX>}Á+GC¦2ží-L¤JËÄÂ~º0¸3y©*¥#fç^ø¢(¦þ˜QËŒ¥m0ò˜&C–òŠˆ\
‚ ·sTj‡¬A:&Ô¬XõDGi¬x~7ãJ/oìØ
Ò—48é®Ì¨¤ðbÍå8m{|gòG—b2m˜êVüoidmçÑñþËÒ6ài;è<ҤϹ‚%lYãÍ¢xÌî—jzÈÙÉuLƒÚu_­\êæ»´åe¿÷|2Du\Ô`ÐTãE»+‡U>|
-RÉ_‚!'zÍ”FøÔ”Vé†u#	Žežà	º°ÙOLSÀžeúíÖEx!#ãp Ê^0ˆ1üS¸à–lƒîÂC‰«„2í¸Ü}Ýóx(¿à
-ξ.¼ÙúáäãD¾[ÙvÄ›)LH”k€Å!C¼…eHêtrƒ÷I/K‚Ì'…&‡"Å‚u´ƒø.BˆJ½ÖÉ6Ï<ômJ®b2¢´Û}ArL®'îz“$ær,ýíæ%¾Ù£ÔYª„	G…&ûÖÙ9s_CÆKàöÐÊÝQ"K+‚M=2èy_*ê‘®VrÇbæ“–©|.()$Yám¥¥ÎWîw‚45…[
-Ý÷B#?ƒôúT×ϧxß:ÉÜápø»ß­Ó«§Òµî2Ó­óƒ׌Èð“-„Z°è–¿
-	cHì›R¤»°C\qbl
-pïswóH
-kç„¡ºØ-y*ÄmkYÙ>â2š¸’Ë»§
-À§i°~†Ò°ŸÝI}ƒÚi|ïóPãAùÖ	/—™¬\µpe<­8M#¯š"’%+ŸÃ~ÖÕ
-zAâ:Û—p¼!™^ŒúvAò£b<±¼«·ÏQždWŒøÍHŠãD*uK*½­:ÉíF~±1`gÇTÙŽÍ€2 úí¶­XšZeï§òA°´´oƒíÖü²™Í’h¯Ò3Î3{VslÆ.kîÛåÝÓU½jh•²	gÇ?³ü‚:©’-“ûò–8HMÌ™Bnñ&Bý@|Sn'‘–½%T7ÜÙç–ÑN„ ›¼ãd_ÛC3®wÇú»²ñp–tjºHgîUŽUP°}Ö7þ€ÜI±ìrLEm° m×Ei—¿ú„V½ïÖR¿ŒÊ¶fn<›¼X*Yµçç¡4ò; Öor>Óqí¤sÒµ"…ñù·j§t‹¹ÒØ"⺋Ñq§º(±ËóˆþŠ
-&
SºY e	H;Hÿ—q¤ðËêXæWiú@ã&kêoÄé"´%ËÚúWÅ;yfÅ
-v«šÌóvI]ô«;î÷÷¨¸F÷.Ù¢™ÁTÌï„`/¸˜˜­Ji‚>S,®#˜”‘Ž—õñMâ‘lL÷Š‹ïŒ®zöœçŸ¥z¯„Ú^Hì»8§jƒ9Ux,§}s'^­V‘Ÿ«¤ñ¾`<@\-ؘãûÄvžN‚ðüìAåqy|ª“™Ç>$’ïÒÍÇH¬ðù·ÆHÄUÇMXá–&£‰.BÍÓTøÐÙ̃DXÂ5ʼ$×Chë¹âG÷ MøÄ‚)¸ÕPk®GSJBc‰%»ÐXê›XÔò‚bcžëóBq3©‡É%øÂ8Ř½Ý·óÛV•‹,,n¨Àˆç“tQÌ¡úL;Ržˆ?úzGc£Wt›qØı7¦¦„öµij6Cì';*8ûAŒ,XíüZ—ø[]ÔóÍä#S*Mͤ˜8µÃï}I‚(/´Íd:Ç€¾•[ăLMbT¾ˆý±û9<­þá⼨d2ʦ¯·Cj=’£¸@ýŸzv<“QÛ;úbñ¤ŸºË¹çd)m§™_h(ÂêÙ`¿ØÁ4t„0¨
,ÀúR
æ.bÞXôCMj‡î×ZüzÙîæaò3“æPgpÁc!Nn<—,ï”b^ÆM¬3‚Ëpü}ƒp:}|ô»DØâˆ]%'ÁTå¹:#›AÝÍF‚Vã0b0‹4pÏ‘Ï)hµaA+Ûz¿C¡è%mÜgªą	ÉIßb{Á6‰wƒ´·T£Ò‡c–wºf
-{{~D'ÛûÔ	ð.$*>>¿¹1îmÌ›ÿ‰ó(¦Wýbš¥ìl6ÃÅ>-³øªd~R3ù
-|hD +i^Dí£.(€ù«483R£ÁIJ“@¢t)­ü„ÔIm1iM?!+øM{äa÷]¢°A4àƒš$–O}÷™'ä§îÞ¬Ò[{/T|F¸óC}¥Œ±°sH|=OKRe©y”‚«Ÿ>¼O¡ì%œG“)Ä6<¦—rÔ¢þS,ÂHǮڇ‚‰¾Ì&%@¡™~j5¢ÐW¼Žã	­ÑçÖû:èµ{"ˆvfT!Æ„ï·yµºqIzÚ*˜mÖvÉ?5{T×0DÓ£	b9h¡ óòyÂ3–½è"
-øvéç¡ŽŸQ-\~X^Y<.ê/ŠÀ­1F0îñ­ßÀñ¨<ØøùJ]Rî9˜¹t›V¢6[8ýÍÉô½T5é]ý¢âì;÷¨:ÒB¸ájÛÑO7õ\CÉeáÌq.ªš¡èËŠH–»ªÛ©]ïd”Ò+>,ܼ`LšoXGØçv-seSÞd¯W†éɇ۞	0§H[x— ô…Ì>„^¤ÁvJ•
ð@FƒÞ„–ôÿ憉’étŒBžÑ	”ýÕ&!¶¢ªH*Z"¼ñG¦?€Ââ‘Š¬g
-R}¼nÜÎè-xâû1-ÿ;„&YA½œ¥AçºxýˆK\ëS‡¾¨
b¥nGU/0´J·P›Ò(ïeߢ½œiñž¨Î»È’È g1ë{"ÀÜ|¨G3+a/Lò·Ù¹–ß2çÓŠ,›»Á¨©âà	½F9¿¿#úSŠoxûCw|g¯óu`¶ªu¤MÔm†²	D™×ô—|ë3Ž;Û•êú½W:Ùe¸Ìg-ö(ƒÀkЋ˜®5ü¥ìTlf²¤íiìØMO­3prN]ý
-AAé/«®|ô‡ïm?‡ïŸý±jj2q¾4(æ²Øèð‹zQcaœ–çTýr.š­5Ùðþ~йc¢{	¢HËœ…"$mæUËbJÑO£¸Œ
ÿ5ÙN…MÛ¡
-¾Ôáç†8˜¨±“EH•.¨ü‡ÐFM)ŽC‚†-‹QõYzö?·­l’KÂDŠ¶öŽ·­'÷!QiMùbƒìè÷ÌË¡k†ÜÛö
-ò7ðሳÇW°tò>*4HN˜zú½á0
Ð\ìiüp?ØJ³)Ó'žÐêd<×ê`YæV .-Y#ÈåÜò/¥Ë(ì…ÕqÞÎx6¿ATK,rOÈÝœn¨åá¶4)š³m0½¼ˆ.Ó3Ãe¹+Îvûçg¨[ù§r©Ñk]x2ÙèÏ,Rè\žmê,†J	ZFFx¾8ŸïÚu¶.!¥^R¿o}ø¶¶Ê—ºNy”ì1€XÑ0×	yⳘÄû%
-ý³[r]Ù'‡Ê’œÕV©_jÇÅqÛ4åÁŒ¢ð›ÚŠC.Xuÿ ûûÖÑ;exhhÞyvM¢*Š%`d#­˜~Ýi­4Y}ÏtRµ£åvíùÐèÂ0°îÁO.,ly9.<ÁøÙ+ÓƒÅÔgí+¨XÞ¿é^Côkë;“[QÎÀˆ2È7ü=„þ8ª§xuü¦HŽ(ßáèµÌ±mÈÇîçV»¼ös„-·ÝÅØUÑ7êIàÌiΘ”*9óÅ“ „Rä¨+üJ^ôny
-QhNÐúf.•“"©xÆbä!‹4ö|/8ôë©c©û¨Ö2_Uÿ9NF“¦‘˜8MæÕÁ
-E$Í] 02vL¿1ý©â&ÉwxÝîÆ;|JWF³¡¥Ü_†>)27ê`Ú>µ ½|	ëÔ©$@ôƒ
-¢Xo׸çœ÷åõ¥|_wùät
ø²jšç—¶:âlÁÕ*‚h#²°#Ò”‘g¿s$Hç’gñ&¥n!"ÖÝ3Ã
T¦x›iã×/°…æ÷¥hüiXðꪽ1[„n” ÅT²µÖ·@Q
Û’….nŒÈ‡0¶ÇfÆÑ8…	‰ŽÝÏsÓª°—yXæ[vlùðNðÏë­ûË$b71¹þy/pß-aÿEˆf¡¤b-~Kð’‘êçȃ¾>0°hü³OzyůƒÛ{´
-Ïg•¤ÔÒdkqQÛÓÑW_½æ·¦5ˆÞ°Ä-IL>Ä‹S¶?üD#èU‚¯ð&š¬\Ãàb‡âÂÐèrÖX[nþ¯L^•S¿Øš1'¢/n–ÂÌò$µën/&glÑiø‡ÖÅæaCÀ^@×é4¾nï¹nIãÊ<÷I‚ŒÕÙzßËž€¤˜Zh‚q‚rŒ±^ZgÇî=D`ÁË¥ƒ†·ílâ2A³õ5(q:Ú0D~¸ø/
-úÀžºéâ9Bõ$ÚÀ
+¢§0mA®ìR–¨öüBQÀ†9FJÐÔ ²õú ï™´Œ ¯¥µßªñ_['ˆ|zì·UÍcNiØ11žö¨É|Ú~iÔ(ÙRãÿJ T-~=ÝZÁBd´¹³õ(˜ßHK?ÄÍ‚™&Ð=¸LszŒ%:‘W^ßµwk-iéšRoº ÀSKd€{™W_Þm¹°Tk•3*TŒ5õ…ìÐh6¹qºÊœX+¿C²ç¸:ü€2–¿ýåX/ŸD»šÃu
Y·ñíwEAM·ôå¡9ÿ®ëŧv[ŒÑº.h¯l~gfíмiŒiºI&›“~l<´<},n_MWêznÏo{êt	¦™‰!ÞEâ37ÔC)jFC
;>	ªÖ“UL¾Û5Ã1.Š§r™v¦zß3¶îŒš8 î‰ük§{°pX2>}íRCçXñÒ@Þ4õT4_d„5wé´9¿
5ŽoB¹ÐPªúÏŽ“=^šT&[¢« ™
-Üò6éx3¯¡œ)ÐlXÞ:Ø#kõ«!1ÌÍÝÞîv¢[m4ðg¥¸ð«AA07–JîºywÓ½ßñzHM_PQ=#Ñ4hŸÝžÏ%Éôúz¹F˜'Ͼd|"óÖÊÃÃ?öÞ*Là¸4vô‘«ÁŸ‘dm±Ï@êcOò÷à&Tp0’“K}rÑ`fUx~kÍ[q€11Îâïc
-àà·ÜÊèëTwAU!¾Í†¦vÆIˆ:#·¿âŠŸ?ò—´ù}’A„rÇ܈ÉL{@½j»<ø!Ñ«ŸÑªjH¶Ëpá•ž¦oHä7oáDžGÀ{{«žT«îÅÒ[Éh‰{Ø]åO]Ø•ýÌ1ù"Õ\³¢Î}Ї)õ»XÎ3«Â4oâ#Ä£Œ´9Ûõ4‰taÊüÔšU­q7Æ6y·ŸXDºoœy§]C¨£zLyX_°ÂÃé¨2ÿhfåϼäo¬E7ƒnÇWvV)(¦Gè¬[ƒHlÊõIÖ§;Z‰‰¥Ë©¾7"M8ßTÏ~«·—.~¥òN^Ël­ÕÞӷ*
Iée„ìFòäoÄÍ´]P‹^m5YÀ IƒZ)·O„1™Î艕þC9ëü(+3®áИ7—Âgry#ïˆUƈYÀ¶5DP í´û¸Ñ?‹ZK	'¼Œ8±Ç!é‚ÃœiúдÞZí‡Ù€b¾4šÛÆó3ð•Îg£ÆÍNt³d#8g¢¸R&ürzmÔ?ú‰¶ZûX(ŸBßv"Ù­~ìDãÒú‹;71ÿw°—1dÒÒ~ikcFbY.Õh•/;§pÔÅ[˸ÛAp,-÷ƒ@b!4–mKß$iHR
-„ŠèÄŒ®[1õŠSG›X*£ Ç|ÌonçþÌÎ`mKý‰—5µ°D®Y‡`´W¼ÆÊ;×!søߘïÈöZ1¯È
O²­†‹òS6ÌbþÒìu¬í´‹à[,5a„y¬‹ÍæÝ÷§Bc/°½\ix½¿ñälñ`^¡œ"	Z$6²ˆ¯µ3îMܦLñ¬ªš%KtÇ$]ˆe#/…¯*µÀ}ÙB\g˜°àYëû
‡E)F^SZ¡ÁXRP€óæ7•q>Þ"û
-%þ4MG9uÄbÝ{2ŽÐÞá?Ó˜·ñÂO‰t8ÔyÕx…ÇØmÛ‰¸Î@
-»3ç{i›TÔç¿ë
bA!-¾9®œ¸¬Ër‡åÐÔu³a
Ç|†bÍ8R¨ÖþŒ¡Ô:¹‰¶´Àx‚kÄÈÒF{†Í_^±ò"&‹3y˜fˆgÞÜæ(h^¡V˜%U
-4½ÇZj,%·Þ,î§	ˆ¾O²àœ8[°mÍÑ	ó„r¹yðUýF]O“/ñúó°6;^dï¾ê'7zSí2¯N,Ó$œ’*ÆÐru>‹ÔJ#*»"¦;ˆwá1Ô2nœ@f'=/M`AÕ÷	9£fqLwËÛ”Û.„­¶gReЛJZ^§í'~êúºÃÓ(ømawÇÃ2•ƒà.„¦n‡@¢.÷DVäý»±–dgÑõþ.ëßH±²9•P´G‘è&D1ÊnÕb"£B³¦˜ë*c°#•l'xýù¬†R™àD—Ý-掟TôË]]܃|6±ÿÝHŒ`Ÿ™qÞ7ø5â2NËl«„V.”l"Së [5	óI»8®ª"‚éhþ¹v¦$-?ò«<*:ÿzªÏ
-ëÈ©ËèH§¦]1;ÿõˆVÜ}8gƒ³·*Õ€’`iíT¾Go!&Ó¯¨Š=Õ„¸eeWh×·I?¼‚!okuš‚6@ç0IhÁ¥¤*oNG‘Ü@‹“»aµ+2bü±À?MbŽJ‹Ÿ`û8”ÙpÁ`‚Ë(‹3]6ã‹]ËEÕ)pèŠ_È•Õ¸…DGª³w1¢ëbï:ÖS<]±×#
êP^Ö}?¯ÉDéè&wv™±jŠ2Ô’=C¿ã˜Åš{dŠ;aWPqæöqQôÄ×âÚ#¢.ò~]½¸]‹m·ÿãnP¼~gÀxáT‘úøî÷<ýÀžmúV1Ÿn…õïÌûOOa™’Sži3ÓÞæ.ºØÕ½\H›üS¦é=¯ÁFÔ ÂOÊu<yÞœ=	ÞðëƒóWZRw&.e™¨1àsÜðÊ1ÈX†Ã^99kà­£MÖKÿND4ßœ29V^[
uI[ÏèN«Ì¯·ƒíôñÛÅ¿§
U^~¸Lèk±±‚Ô—ÿÈ*Ž!UãÒR×õÚ‡ì‚îÎÇr^	D¿ÀÏs!ÙÅUŠ™ê€jlp0Âjžü#ª7&q¿ñ}æ6h´Â9èPå „˜ÊZíUßËþËtÊàÈvŠ«Îž÷Ž³ô)ã” ¨HÊPJ$šEù?#§«î
;ÌXHÖÝÔ£ìú¹ƒ¦Ûœà9QÀþĨ…Íc=?QUg•áN혈½›~Šô|
V3­—E¤¬×C)œ9öMêÆ5Ëo£æ;l
-;U–Vº'¿P@´ò~þ¢:Üi<8ô_¤;µ^D+
-SŠzªÛ'_P èc¦¹8*Mgí)ÿ®O"z¨¿™Œc),ó•S±:…ìÙ‚0U®f„,õMP	QOAQ5‰r*Dû-+±E-JñÛ^k	z¤î¼.xáeú¶¾£29ÆÀ•hÔ¿ãC\¯¥s‘úõÑ?õrãl×Ý^ŸÇ=s[í²«˜©áfoçô£?=Šß;ò4]·ÓóUµkÁ”^ÚÖfÊÜúìKZ=lÔíÓÅÙ¹¼f${¿ÊvR²ƒVõPhÜÊ¡Û'Í$4‹æb?Ý 0dLù#S&¬JokÒQjº‚õÚ#³½g™ÎÜlZtn›j‚zì(nÐG7€#ð,;YREj¹†D€}«ÿ9RÒ&ñJ4•À° €e͆¶µ…‚œò„ K
-\=c¹²E®¾98wyÖP—Vg••ÄÌÀ÷	æy©é“ÜŠÎf´ÜÄ0pѼ!€Ÿ„üú†z·®Jn%ËAÈÐ=Ð
-âÚ?ÆCÏz|þ±rèou¤¥J¡ð9`º ·	5àñ 
û˜ä9X´É™¶”'÷ºœš¿=ÞrŠ2}òzåÄ0Š„ Ñq9pÉ»ô2|Š¹ÐûöÆeNαðYÿð6ÒúátŒîîF̶*Dÿ{ÚF°€ÜÛ‹,T’«Mƒi½¢‰UÔ2÷•?Ã\~æ¿9«,¿>Ö~z×ÚÇ›?¼ø1èW?œ,ñQ
¾®Õìñ,¦íÚ_J=	鵬Ôvæi«®Æ ï3
-ßZbÔj­ÿ*»5ÊÁÝtŠc@u¤A®èÂY‰îLœ@º<·Â!SÍX¹gË[&IvU5+{˜¼šßéüš)ôK>Aq¡í†,¿èä¨û;©Fæjt‹nòúá¸ZðpÈ5—b»¬=æ„7Jq/kÔ÷d*ÏÒ“Ö¦k‚k¦$ƒ*@2ϳ’z¥ªëaµP…IV¦SWi«1a[C=Ë.D‚j/²¨•.
-¡ñÍæ1V|wØÒ½Ý$çþŠ‡J_ùÞ$Sç8e‹‘1wÜ;ËÌ]>-‰D\6©O²mF±÷[¼ü:_­ýúc´ã²&Ò•üC«Ý
W
-¼Oíäwx%2Äk¾ýÄS(GQœü|sª\ÏìTäG¡ùƒOJý®Å1‹ñpqw
^¿±›±DdOuüÒ¶?Ü©Àô„í˜;†d×xˆ<	ÂÓì‹ño½K­Ê%ÊLœX±[×ÚqA©Aw£-¬î2’5´ª2ŸÌœs°ÒvÔ©BòSºã†^i:?)Mµuß“U@t®~PÉ#£ÊݤHè…¶eCcacÔ¨›l=bßS,Š˜&©§ÇžgVŸøÅ#m.fXí“NÖ{
)tO^¶|àéÂj8”ñ@‘eX€IÑa.²~SfÈá ay_èŸNWú-¬Þ7ºÒu<õÃà”µ}™î¸IÁTðg	Ãg´œä¥~%>Ðoë÷°"«q96.9ÓNüÿcSd÷¾d&"µ7‰GâxœÝ´EþïñDµÔÝÒ–Ó~í4íLÅ…oÅßìx2bÊS:_…´Ý·¿‚] £Âih£uÄب‘³XKbâf¨üÚ½¼‚•X®O”­…ÿ5ÿ0¡Y8÷PÚ-ö¥¶÷ãtR×
-DãäÈ¥1™ÈO¬=1ô'¦9ö‚ã²½m.6Ëš	'{`ê¡8à^†ÎD(|s÷éz¡¹¯Gœ1nßNqø‰f*O‘[Ö\Lbî,‡–Íáó±up¹÷ž!º«hÆ8j"cÔóΨڢë¸Sô²—59Ø™
-*Ÿgj.[‹šœ²¶'iº`Ǿ‚+¤ª$›ì¨éƒ?Îy¤*ÓÌmx¾'˜|g'%ï\Äu,áºn–¿öÓfñQ‚[P0¶ãW~Ø0N(GC¦û|n•/—~ë:Æô¦c*»†eu¬:Õ@md•‡%óÍŒ“‡¾‹á7¥:å…Ù¹”£µº¹_ºÒˆJ)_"³
-3b\å}šzÓ
JÜ\P?­	±r
jx¦ª¿Ñ’=‚N&ýòOj¥ú“÷qxKž9iPŠ5­Ô¨×#é)y²k˜åñÀ…Ôi¾ëk'ƒØ™{Ξ`Î숉{é5züñ-à@¶–bo˜zP«uxÿâ/ëSôê„¢ k¸ÎCSx¤`ŠÇ]ÒdÛÎ’E[”kÏîéÉç[DÁ†8ºÒ’èû¸ŠÇ)á:{W†nî¿°¯ƒ†1eŒ“UÅw°l½ê{\A‡ZcÝZÝø™G!‹–¬Àü¤_›Ö†äW¡Ï*¯ÕŒã›hF	&6l‘Gà}8¶ˆÝ×}@Ž<Ç_øÅ%“ï¸:Z›“Œp·¬Ñ¯Ó)rÙÂÕxÊ=BF@èFŠ’|ð!íQT…â›Ë.u9õ±Ê~r]Á*=o´Ø.ؤ‚jP
-'|ã2žˆ»Y‘{‚vi6	pQó9$¦û,ß’ƒäܾpŒnÔóß¼ñúføBó¶:'OÙŸxRF¹²úSÐÊfH—ñÁjx¤Sân-~uGÚä3®»œàŽ‘?ö6õ–WËqMù.‘RÒ£Ú¢ÔÔI™/2U¶JC~b>ÑëZ/î°’ž„OAf?aÅH,Oþj¸nšfîÔ^
–QƒŽL èÀ°ãFp6
-áW©²`{£‹)HÌÊÀ!{eêHÀð™”™V³ü"­)A˜Wô‡ÄgÕÞ}Ï"yþS¯rîªîzZΨnq¦]¢5z>×˹1Eî¸"öˆ=ªæÝ”>ùÀ†·»“÷ á+Öë1ÎjŠÏñLC~Û>ª‚-)0Ö?~AµœŸ"M)@o¢NœCh›çý>^ 6H•ªW¤mE¾ÊÊ(ËôG•LdbHk‰ï»z¶µŒ‰&2Ay”;!LöHs§é GŸ@ËyåG·~Sïýè‘$›„5•¨ÃG¸¦y'¼k/j–Ð@pÓ·ØðÆ*Іì ùú…«Éó=à1þì×nLº?ÜåÒ‚©N‹:üâ
-JŽË‹&:ß’nd0‡}2·#^ÚÈíÞAW£Nb_̽Ø¥e»pw'Ö
-Þ¨H,Ò”ž<1ˆ2,ÀÚ1BÞãÍÐœ†‡S\œ‰>ý~Ô±BºÐñNºÊÕ[Îõ½àBh’SÒoëÚcŽôT“ÉÕS?^X1µ^Y1ªfg/'¦gL¹L‚¢TïhŒ£‰HöIùT²=Ï
¼²ÏÊR‡Ø.²-é|ç™LÐs¢íˤ^¯Ë¬d»"EÏ¢Â4¹Ñ®2iÁæþ}oMÄáxéh-¢©Á·˜
--|™Z¢Æënw(QîkÔ¨å ¯øh§HˆnïBºM}D«õÌVK`­ËÝ ±}]Ê}ë¼Â¤té\40PfÓ­³8<²ÀE	ŒºßÏÉV>ÔKsê—ã¹x‡¨Æ^ì‚j6‘e;–Ì3–Šû´^_GÒ5÷£íD;õ?eú5²ãmÑKklÒ§Hƒgn]èB—ïü׊‘ã6ôß.hun?Æö_õ´Yå]»æ°0¬|Îr”±X¬g,©õq€ð¿/(ñ²¸ŠÁ÷ËÏ~TxËò‚¶¢õ'V±¨½—(°§_û6çȼ®
ÕV/ùïñ©0R¦8«K#K¥¹©ÑN»b¼ H'ÎÙE³ÖúŽ=¨)Ø´=ð7Ã!eÈr%­mái¤]“ðj&#‘LñCwµ"íˆø?w-¢…8/
,d?œ3Ü9TpfR„
†\½Ò©GEÊÄàšz”õqMÌ_ö«6‰*›¬‹øŸ7sÇ$ÁG¡_îamï~¬)ÎÞÓÀÚ0¶»?­Z«Lf1v«|̉TÇ®27T0$È‘–-ç3¦’„y!=lpn2^÷'z½;í§§LTÞÔî,¦ý˜ê4ºöŸŠ\Ç_†+˜æñÖDˆ§ã58ÿàZT²<g—hòâ«”ÄMHAw!—pµÃã¾Æ3ã“ê©´.‹|ÜllRTÁx’”¢,\S:¼ãÇe¨˜¯â^sù¡1mñ'ˆÊIÄg퉯‰çåD’ç~µ¶„R¶N~òIsjýB®cî[¸êyr‹¥g@øðhÝéGÔz.Ó]8ß½¨DN¨÷9ÔPÙ;ÐLtl=«ä‡Ûä…^íH”K)cÞ˜ôª)骙Sg qWY¹›òÁ—n«ëlte¯Ë•K~Ǿֶ«uVÔél“µûÄ„:MW`à[‚_J/9„Ô Q$ùþ,ÍÈò0„²xã^È6>r“¨Eèôèë•·!9Ñb=’ïÇ)À^H¢Æ®R­úרµ‡Š¼.²:_C·ÒŸÜ¬!véÊ×M'–Ája–k>ä¶
-³úöèÓÒúáBå«òWw¯€3Z‘a–ΓÅ%#8ae\’M+!¯<Àê*÷A§ŒÐã]ËF„Híþ§Ž²[æ+ìpå#æ"”–Ý4#Yã͆²5~ô‚lÍ%K åo©†¯c=Ð/W9E׋f¤1`Yb¯ŽÑ¬ßìwré¬òîÙqxœuáHàÁm!°q8hE'ÖÔ£çÊÝï‰#·5z¨8©«ëD­ðžÕô{s’?ùú y‘s„aq¸Ùë6¬ˆá²Îïôò¸Õ3ëÛÊ¥=áØÕOx#U®Ù÷…ÅÉÊP|×ð1;Ò…\j1+‰zùkakÛŒ“|£ÃöËa?ªåå]íÉ
?çúåûÐlO3Ž6bØ°SøÐ0GGÄõB €bbƒèMˆáîÚì_âíÍ&u§,y´·n!\»ßßDg2¼ËªAሩ˜Ço1v(ÞÑŒZÍòË83šÕÍxAð3å<=]Í C}ÄõªPèÕ°…é<û,üH›Ïè¹S3‰ç¿ëßûù¶ZP+~®ÄQĩɺ3¿
’2ÈxmÚ4‘­ùÝ">¥‘xÄÕð¥b¼0ûºþºo¯Ïè¿»ÜüS²\εoñ
a瀸®+@G­ñ½8lçøFãqsëgCÝ`ª²	§ò–§&˜WÆòôÛp6Û
-cô|æ'`ÎÄS%Q
2ÃÜ&aÔð†Ó²YŒ½
ò…ûów‘Ž?£x…–Öê"WÛüy36h?¬‡jø^²iJkӮ߇ÕÆLgøÿ_;sþÏ„\ä^ž#g([Ž–Gæ1¹š£µ­ÜWåŠÍÇžÄcŽI³…ñœ³ÜÏ‘æX„ñœ†ž³
/rMåýï·÷yß?à»sÿâY#é»
NØ3íY¶À:U
®[‰‚‘¶BàkÝz™=iïÒA•áÓ>8â„ÒXò¨Dƒv–ŸxÃSê^c6GÑÃeï©z¬.£Yÿ¸O£Ø0^¬7“Seã¬ô ˆˆMî«>Ý…¸4g䯓Z}:ͬÈòjùÚqynýKs*)oŠ .¬Èøœ–ò%Õú°:L/D~
-»»yÇ&Ķ1òþ‡ókÄCÆ)aº„íájÏ1¼AøZ
-U¢´’™…ç"óWÇ¿NãÐhŸgÈ –6¢À¡yX¬{fÜL:’Õ ³kÔ6n›'±u	•Ÿ$E—Ò9ls+ª; ’†hNÍ2Ápƒoc&úFåÖÍ„Ì­‘P!
-aÏOB&Ã~€Y°R0ˆ3¦ë+*Z–ä:_7‘ßÛ¿	8ò~Bî¶Þúfë¾Ã2ˆ
1ý´óèhc4|yC¤1à”eP¥(¡†ûuF#õ`?wÜ<Œ•Ag ÏÙÔf
-“ü½óMìcFæ/.ˆ›'A!¯™•Û[QM£ð+hú#¾,¹¡.a£à#_°FÜÝ™rÍ”®Q‡lætD³ÁoF•}àº}l£Iâ¼Ò›Ëñ	UÝU>DM¦ž=:^颗fTAÅ–ú2iÁWÜ\£˜!@³ç°2‚ˆ™1ÈÝF‡ßjB™÷Ám(Dàkªl¶çõ‡OŽï½Æì±ËTgÏTOmÌÆ~DÞ½
ÇWÿM>Xuw·Ûuò¾–çrï½JbYëçœd¨è8lxK#Z	§Mé)>¦`eô_|
N+Zõíêñâ^ÆÖŦÐåþW§® ÉD¥ÝžkÇ^'Z\‹…­)ýþ‰Ú%…­I–ëlÆ!ú¡ª#K27¶¹žÑphÚùqq&¥â*xõ³ÛòÏ£|yìÏŽ‚œxÉPÔ4ç7lUðì,W`üm_p÷-¢1u¦Ó´5µY§J;¾÷QˆDŸÁ”H¦[uúÕŠ¡”I‚R–ÏVVÉ?¾§9Mö§­®sîa@0ö]Lo•£ör$ü?
"ÁPŽZ©7t>ªn¬Ú½CPŠM(
4
Xi«—3ayýåäµ¥iu@Áåc
-Õ¬²ãÎ]­¨€¢¦ b<Åwù.©D<ãçáĈ:Ïe]¿8%âÜY›>¸ØÚ¹8Èùß—’¿ï#6{†ç"L’îX¤¯ßî¹"V»³ãGZe
&¿3óu_9û_fû^nlê
-R‹Ï¡ev,;è+c$?  âÍ{µázÊ*¯ì>èD5É'_›oa9Iyî¨áÆFÜæk$Uj‚×À$ì‰áÉRJDµ=%¤¥Z¥³Í’fLãŽaíORŠ>’|„AÝŸ…®Å©Tï
Ⱥ៱
JòÊx€dUº|O¶ÖO±Ñ;~·”´ô¾Þ–]ÂÁQs\Íâ¤^Gš‡Rh÷8ú/‰ýü'¿ŸH|x¨Od°Ø?¶i÷Âendstream
+xÚ¬·ct¥ÝÖ&ÛvvlÛ¬˜Û¶m۬ضí¤bÛ¶­úê9§»ßçë_Ýï=Æ=±®‰k®¹Æ&#RP¢2¶34³³u¦c¢gäÈYغ8ÉÚÙÊÐ	ÛYþ*Ù`ÈÈDMœ-ìlE
œM¸j&ÆQ#33€‰‹‹† bgïáhafî Tù©FECCû_š\†ÿÓò÷¤“…™-€ü‰µ½‰­ó_ˆÿëƒJ&&gs€©…µ	@D^ACRN@).§7±5q4°(¸Z[d,ŒLlL¨¦vŽë#;[c‹Js¢ÿ‹%ä08Ù›Yü=fândbÿ‰`oâhcáäô÷`á0s4°uþÛg;€…­‘µ‹ñ?	üÕ›Úý+!{G»¿6mÁ윜Œ-ì£*ˆŠý;Ogsçb;Yü5ìLÿzÛ¹üSÒ¿laþZ
,lÎ&îÎÿÄ24[8Ù[xüýÌÞÑâ_i¸8YØšýW´G3Gck'§¿0±ÿéÎÕ	øߪ7°··öø×i»yý¯,œL¬Méa˜˜ÿÆ4rþÛ̆áŸA‘´5µ01þ[oìbÿ?m®&Žÿjå?3Cõ7	c;[k€±‰)ƒœóßÊÿ;–éÿûHþo ø¿…àÿzÿßÈýOŽþ·KüÿzŸÿZÌÅÚZÎÀæïü{Áþn;€àŸóÿó5°±°öø?xÿ§£šÉ¿3ü?H:ümƒ­Ù_*éÿ­´p³p71V°p62˜XÿíÑ¿ô*¶Æ&ŽÖ¶&¹üWtLŒŒÿaS6·0²²ý§élÿ6™ØÿgæéùWÞ2š"*4ÿ¹Mÿå¥ð—ugeû¿‰ý:díŒÿ—ð†°°;À‹Ž•@ÇÌÁ	`çdpr0ùü¢ý†é¿dYgGw€Öß’™þUøÿøý—¤ó0?lìŒÿ™%g[㿃õ¿ÿ˜\ÿòù¯»þ·àÿ)ÿkÄMLÜMŒ`Ö–íŒx‚-Óe8×aæŽLŠj
ô1Ž„Ø—6*ø×Øõú¥‡ïrUêÖ†Ð7Ms·{,ÛJQõaXSô¦š\çãùPõ o‘wrÐ2è–Âg\¨E{Ý,Êì€i²3ªíM*þÔ-ù„ÀŸîdq„ºy¡ò'q-ðG#}¶Gð5JkˆCïBjB©+<¿ O:}y¦ú=:2Ü{ÞˆK“MÆã
+Oåïƒ+ ©RéA½tœ9>i!xÁhÖ;"ÉùˆÁ¾ÎγU9âæsy*¯;j§8BäriåèØŸ4×ç3”عÐdJÞMt_Ýù…&žtã"u®‡·Î‚tÊçž—Žgº\7#é“ÝŸì3xòû[º$,1ÊÔx!÷••¬zf¯Bi&Ëÿ9o¨ˆtWãJŠäÑÓŸÁU•J[†Ê–…^çí¼tKdvŽœ1Wè½uפFŽ»@ïñ]Ò%®â6üô£ë(æIäg€õq#’¾oÏñ«áâèÏšC^ ©ÞyõQW-Tu“kP9uômIò¡R€¾Wm	XÒ5G`íªü¾¸*Û<mNJ-»ïÆ1/Åâí^Ð÷z=Sý5K»7=¶AëHG¡7ÿ	äw($Á¶šj¼Ïm®7ï#RÒ”éåä$ñ£’$ÊD<,ÔqŠs©øfI˜?EäEtŽ
+´e²ÜhE®…›T>ÇN|¹²ïwÿÄ’ùDF†ÇSÍHm™Üú5ºñœ»2Þ£R€;Ôgª°ÚLDýØ.
+¬€å­[Zµ
+ïµöäÒÐmV]ÓYúñ‰¡6ÎË'ˬY‚’¼o†í²÷·iFÉA€s5õc`ýnXÙˆÈÍÉ£5í’D,÷WúUÑGMX8“¶_zœìÊø)“bFlS âzˆpr m¤¦åÃŒø86
]¬2+½ÄgL~Ö—ÆGWØϦhM	Du¬0	XѵŒªPű1.<‡ÌÁ°²QÔÀcCTÎ7Ô•D±ôÊWà“!Þk8{e£û¢Ý¯Tƒ‚µÜhà· šEhSïiqÌVHXn´NxAMÿ19ýn%}ÃW(‰îªžµZL®ý;4AKó”ÕÑøð]Š•-þ¡M=^¤›±âY½æGb;é«Ä°à¼vCSR·e{ب[JNyòbÕªá¨H|ú¶/Ö´þéçùïœÃ¹ÀÑËD`kÝ)¡°2_XfD€x¨§„÷h„ÿ.¢gFZmWÓn\ð³·¦µè[omÊoV_9êŽË̪íØr]ŠÁ]~µ‡àè¯=sߪµ3§±ƒ
+œì!»žó,Ç‹÷ÒŽÎyòR+`üÜ-Ó%I¬-(7óKѲ¤Òë	›”A­6Ÿ‚öÞµÚ?‡Që_ʽ*ß}iÆóèYTÒæÀ	ì¾ó™š~r
ÂC{J4|#XÔØ"C½5Œ"ðqvÚH•œˆ–o^«nîéïpÁé1þpϬÂ;÷SNUC8"ÊÊýÛZ‹Ž„ûã”KA[Äsü»™¿TÜ4þƒì²§Âû-€aí+x
Š¹Éc™¯Â½-Äÿ]bÑšÊ(u°:fŸ_z ¸&ëApП>TüÜ©•ü¼¥_QŠ|”‚b³ø˜yÇÌ7~Ï£a} Æûê¥}«TD*¦¾¥°›úâo*—>Ãtþê&¬—ô»û¤éˆrG	Ù*ŠcEK«¹ž¥`%F¾$ âcþä;/Ç]bm*ëMùÇo”´Tø&¡röã7¸<&ªZÆcam2Z&´C£´bE7ï~#+¹ínæ[”•¢M]C€Ï¹	
+õçY—sþû
¬Ù{øv—²ÎP½„°f°ý•.Öp„wq.›ôüåœMfY?EpÞ=Üðf‹h@?¬vüm¢Ð
+¸3N½{z±@$ý'üåùË‹=nÙ)Ø[Å>OÏ
¸Šžã!@….aïFByT1·Ãnïýê¨75s|ÖªÁ*-µ±hÝôVÃàùž}Éí8W-Vz˜l|›<ðÍD$æe
­µùm¾
â=X* Û6šKdYÝùðEª²ÊM?
+ê»zé;C BbRJ1˜Ýˆ¤]ë?|ÓòÃå5ûÚBëßÅYçñ… ‘í#±pqž…°Ø D)U5¯34ùãîÎÌÝ–!…œ]¤ÞÍ¥ZQU–Î>mÆÆPRbÑ\—÷µã¢‚Tæ§MsЮg€žË'7
+
av£Jñ¢‘Ž•:ÑFH¨pˆKQ:¤ûëâMÖ:§,à”^~äD²ŽCÔG™œ4°3Á¿h©zòGßLÈd[ÔBäÏI’“þ¬öý`ðu'Þ¼yÇJã­1é$¨|z>н·ø¨¼”Ñp«}îü >êŸ~ý¹¡)從mp-n¥RC±¬(Ÿ[1I”‚Ÿ…Ž®eŠDž‘…4¯Ë{´Ie¾YNDì#Å R? ~S¡½Žg›ýßh-_—É0=QˆreùNGBìj'$ߣûI®ŽVf9
+›íï/mí–ñ"%ƒ©tª²À#%)ó/ñ¼Qé÷gÅ6glMýDÜf›ýAÓ2Bº©zU¡å^<dÎã‹…Å¡w‘ÐtÆ
+‚®ë4›_¶˜q!~8hiüÒZà˜l"__Ï$½Í>ì¾mß
+Oæ"ÒŠ’º}¨À›æ]JéN|€S.'n”\åm›lE
+®ìXà9@å÷@¤ý<ø"ÞˆI†_Cz¹MAùâëß—QešM;„Ž§±reÂ÷ÈÊ­©2)ÊëÜ-̳§¹EcÊçêi;”Ë¡Ñ~"WË7¿KÓ…ÿŠð¸Kp¶kj‡g•ç—ß‚¥QO½¤úŸÕÌäš~•Û=pŠ1kñÀ	w&•Ž¥Óó\b¹ŽÔ*®é (lv˜À*>$lØ¥°Gl†VrŽîÁ°äã_V~üc©‹dÉÜÀÖÍ_Œv?¦òfLç2j"d`2ø…ÞÖ…K«©êJ±f¯2§Ë„ÒþDcBµ3ÝŒ«ñ;“AèD—Q÷‡°!Ûr›½:y¾3Mâeºk$[UúHé_:Éd 7±Õµ‚~0›ýñ—ÙIQ$A¦ù!ý/ª¤-f—Ý|ÕùT`DI+èwoÑŹñ«Ÿbãï_+qÉâ×ñ¸¹lCƒRÿxCä&7¯˜Pf<*µTÛÅ9^
Fݨ&/6¶qv:Iן‰Ær…FÊ@}æ/ÙÔcëeèL¥ òÓî¾cÓcD!Òy{³zÖ/Â’ëV9?\€$£ÒY=tÃS¤—&Å:OõÄP%‹öðÂøÃw>û“¤]ëÝÔÎèžpoß+/&®¿º5‚ÝQeX?¾–G»!K@ú¸¤¬u*Е¼É8Z­°lÉ,}.0^ˆYÜ0$kpåJFÁeu5	,ñ?Û¬H"ãØz—´v!Påê î§>2ɤ&9¢‘kÇvDV~¦Ç&ò
)+CÖyUmh•ß§/ÙJúÃiŽQ‚L
—RZ.º%íºÓŸÝ#Šþ"™þ•”åîÐ{µ=%üÎ`eö÷­ $™¢ÛräeŸ¤ØJîŸ-ˆ±šÐ³õÖBˆUêÍêpêªñ>Í×äÛ*ÊS,ÒÖ¤ù§ÀK_QI
4÷ÁÎ#ª:VGc–öÁHjpiµïùèé/•ú>v`?ˆ0…,<–RËÕÃ	µÃܽ±.ªúîkAB—i<À.¼?¶³ÒáÕ‘øR4'Ê~¬h9
mK_µr6¢æ§‰²¾{¼~¿{8Å}Uò7êVåñbž&ÏY‘žh+Édµ[Îò¦ð­{Nc9{î}Ž]}ÿ²œw•‘ýõ’¶d„KSš°%Nè:<7ÁÐkbÁmbá¡Îk¨ˆA24?±›Ø6¨ËŸtÃ(œ×¾í_ZR	Ø,ey1°ÉùA*xÝj*­räΦÀJ:Ô5Šñ{
u4f>Gð=Ôê";èŸàº–Á–Ý…»Æe>
+àî·õD¯³3ø¶p„¯kd¬WNd]¾Š.ӽÚú@Š=üyö²œ¬àrFx/EºÎƒ1™“NR²rß6H½Þî`POx÷Ô~Ì)ºdžùvU3“E$êª×kˆH‚h?ÌSu°¶Û^ˆÑ£j;ŒØÎ|Ðïü¾dp$“ˆUÙ3)`¡²ì‚ð†|3—µ¢ÑÆòén\9Zø2åú~„Í“.ž~ÙE-)‚®’´Y9Ð.Å
CÝ'4“Jп„öÃ^µr©Ëëo®þ„-[v
R¦ë÷Þ¿f„ØU
èÍ뤘oVØ.à½8/é{÷æÄÖ[‰.èÖÈwdû^-kž+ˆH0KCÀg32p*lã'P!åðw!£Úú9}Û‰˜(£KÅ—úÓ|³þÀâ¶á±õÐe- »~4,”¿QGÎœ«ìv?Üyâ!™Èñ—1³ä‹„d¦/G“¿T§‘¤—YÔÜùì:“0ðW«ÎRçu¹Ço6ld“©ëÌ1ï"
ÞyÅú¸œ`Ñf/SMsŠ`m˜c¿4!‚ÈwÁ¹ùµ~oúÖ¸íD‚Ôcçg5¨$úR_äQ®	6åo‹ºKƒ˜¥0£nÆ/ò²{36ÿ®ð?Ò®
÷ísšú<¯{ª;¾oZä°ùã?©-ˆ€ ¾ô¸?ìN?ó7Gkƒ½?Á>‰rø–ì5©Miàå7¤ªÚpkPÚ-¤£ÖúNM¸ýù¾2ÏPR[õ”—Úý·gõçòX£9œÆB½6®æðìƶ¯(—m’M
+ò‘ñloa"UZ&öÓ…Á-à˜ÉKU)1ë<÷Â÷E1õÇŒZf,m{€‘Ç4²”WDäh¹£R;d
Ò1¡fŪ'º8*HcÅó»WzycÇn¾¤ÁÙHweŽ@%…k.ÇiÛã;“?º“iÃT·âK#k;Ž÷_–~€°OÛAç‘® }Î,aËoÅcv¿TÓCÎN®cÔ®ûjåR7ߥ-/û½çÓÙ°€ ªã¢ƒ¦/Ú]9¬òáS
+Lþ9ÐkF 4§¦´J7¬Ip,óOÐ…Í~bšö,Óo·.ÂчQð‚AŒáŸÂ·dtJ\å ”i'ÀåîëžÇCùWpþóðmtáÍnÔ''òÝʶ#nÜLaB¢\»,â-,CR§“¼OzY\`>)4¡8)¬£´ÀwBTêµN¶yæ¡oSr“¥åÑò”ñÛ‚ˆ'hM·aCo–…·s©´íxmŸ‰’f#
)$¶#ô®¸£¨’zóÛ6zÙ¬—øU@çKÐîS•"ûïB£ÉûêÄ­¤úp>/ã}d
n	ÏË­»ø¼ŒËV=L×øtä1hv©¡hê>ŸÊ¶YѱŒh§~3rÁ\ˆ¥@—°¦v–<@6Ý&‡H2Q–ÌïLNTñè•öw)O’`Ì7@J°nØ~v–®‘N—HÎó›HÏ#çɃH­n¾·#…½ƒöÙîšècr=qמ$1céo7/ñÍ¥ÎR%L8*´0Ù·Î>È!˜ûŠ(2^·‡VîŽYZ„lê‘AÏûRQtµ’;3Ÿ´LåsAI!©È
+o+-u¾r¿¤©q(ÜRp辧ù¤×8 º~>ÅûfÐI¾à‡ÃçØýn^=]®u—™nu˜§Dа¸fD¶€Ÿla Ô‚E·DøUHèCbGØ”"Ý…mâŠcS€{Ÿ»›GRX;'•xÐÅnÉS!n³ø[ËÊö—ÑDÀ•\Þµ8U>Mƒõ3,à¡’Ùèå߶’ÏAÚ¹-¯Cš¬™K÷£càUåBû›èî”ù6¥ìgøU¸FƒVˆÉaÌ°6›N4_@“ÃuÐæó
YçÊTσ3"=8\RezôÈ\îõ+4¢”½Dqì,Ìçõ
+2—f¤J\jàÊø5Ëaò‘†ýìÖHêÔNã{Ÿ‡ÊÇ°Nx¹Ìdઅ+ãiÅilyÕ‘,Yùö³®VÐ×Ù¾„ã
ÉôbÔ·’ãáˆå]í¼}ŽòD »bÄoFRÿ R©[RéµhÕI6h7ò‹;; Êvl”Ñ÷h·mÅÒÔ*{?•‚5 ¥}l·à—Íl–D{•žqžÙ³º˜c3vYsß.輦®êUC«”M8;þ™ÅàÔI•h™Üÿ·Äé@jbÎÊp‹7êâ›r;‰´ì-¡ºáÎ>·ˆv"Ýä…'ûÚšq½;þÐß½‡³¤SÓE:s/¨r¨‚‚í³ ´Ö¸ñäNŠ¥`—c*jƒi¸.J»üÕ'´*è}·–úeT¶5sãÙäźPɪ=?¥‘ß±~“ó™ŽÄh'“®)ŒÏ¿Uë8¥[̕Ɖ×]ŒŽ;ÕEˆ]æ˜ÿûCôWT0i˜Òͽ(K@ÚAú︌#…_VÇ
+4¿JÓ7YS#N§¡-YÖÖ¿*ÞÉ3+Vè´[}Ðdv˜·Kê¢_eØq¿¿GÅ­0ºwÉŽÍ¦b~'»xaÀÅÄlUJ›ô™bqÁ¤Œt¼¬odcºW\|gtí,гç<¯ø,Õ{%¬ÐöB’`ßÅ9ÅPÌ©Âc9훳8ñjµŠü\%÷ãâjÁÆß'¶3ðt„çg‡*ËãSÌ<ö!‘|—n>~Db…Ï¿5F"®:nÂ
+_°4Mtj6˜¦Â‡Îf$®Qæ%¹B[Ï?ºmÂ'LÁ­†*Xs=šRKä¨(Ù…ÆRßÄ¢–»ðXŸŠ›I=L.ÁÆ)Æìí¾7ضª\daqCF<Ÿ¤‹bÕgÚÙòDüÑ×;½¢ÛŒÃ&Ž½15%´¯MP³2`?‰ØéTÁÙŠddÁjïà׺Äßꢞo&™Ri¢h&ÅÄ©~ïKDy¡m&Ó9ô­Ü"dj£òEìÝÏáiõçE%“Q6}½RëÙÅêÿԳ㙌ÚÞÔ‹'ýÔ]Î='Ki;¥ÈüBCVÏûŦ¡Ã Ô€A•h`Ö—jx4wðÆ¢jR;t¿Öâ×Ëv6Û¨Ÿ™4‡:ƒ›qrã¹dy§;ð2nb\†ãï„Óéã£ß%ÂGì*9	¦*ÏuÐÙên6´‡ƒY¤ãxŽ|NA«
ÛzXÙÖû
+@/iã>P%.LHNúÛ~°I¼Ü ½¥•>³¼Ó5SØÛó#:ÙÞ§N€w!QññyüÍqocÞüOœG1½êÓ,eg³.öi™Å×P• ó“šÉïPàC#EXIó
+ juAÌ_¥Á™‘
&–… Kiå'¤Nj‹Iãhú	!XÁ‡èhÚ#»ï…
¢Ô$±|ê»ÏŒ8Á° ?u÷f•ÞÚ{¡òà3z'$Åê+•à`¬ˆÝ€Câëy2X’*KÍ£\ýôá}
+e/á<šL!¶á1ý¸”£õŸb†@:vÕ>Lôe6)
+ÍôP«-€Žˆ¸âu¬Oh>·Þ×A¯ÝA´3£
+1&|¿eÈ«ÕˆKÒÓVyÄlƒÐ°¶Kþ©Ù£º†!šMsèÈA{͘—Èž±ìEQÀ·K?ýsüŒjáòò@ˆðÊâ!pQg°xQn¥ˆ1‚q¿ˆoýŽGåÁÆÏWê’rÏ	ÄÌ¥ËØä°½°)ØÂéoN쥪Iïêgß¹GÕ‘Â
WÛŽˆ~º©ç2H.gŽsQÕE_VD²ÜUÝNíz'£”^ña™àæcÒ|Ã:Â>·k™+›ò&{½2LïL>ÜöL€9E
+ܻɠ/dö!ô"
¶Sªl€2ô&´¤ÿ77L”L§còŒN ì¯6	±UERáÐá?2ýé,Pd=SêãuãvFoÁëßiùß!4ÉZhêå,
:×Åë@\âZŸ:ôEm+u;ªz¡PÚ¸…Ú”Fy/ûí½àL‹÷DÕètÞE–D9[ˆÁXßææC=¢˜YÉ{a’¸Íεü–9ŸVdÙÜ
FMOè5ÊùýÑŸR|ÃÛºã;{˜¯³U­#m¢n3”M ʼ¦¿ä[¯˜qÜÙ®T¿Ðçè¸ÒÉ.Ãe>k±G^ƒ^Ät­á·(e b3“…$mOcÇnzjÓsêêW
+JY­på£?|oû9|ÿìUS“‰ó¥A!0—ÅF‡_|Ћã°<§ê—sÑl­É†÷÷ƒÎÝKEZæ,!i3¯ZSŠ~Åe|lø_¨Év*lÚUð¥?7ÄÁD,BªtAå?„6BhJép4„hYÔˆªGÈÒ³ÿ¹me“\²& P´µw¼m=ɸ9ˆJkÊd¿@¿gX]c0äÞî´T¿Gœ=¾‚¥“÷Q¡A@rÂÔÓï
‡i˜øð€æb—Hã€û™ÀVšM™>ñ„V'ë„à¹VË2·ypiÉA.ç¦,]Fa/”ШŽóvƳùø
¢Zb‘{BfèætC-·¥HÑœ…lƒéåE”p	œžÖ(Ë]™p¶Û?§8@ÝÊ?•Kõˆ^ëzÀ“ÉFf‘BçòlSg1TJhÔÒ02ÂóÅù|×®³u	)õ’ú}ë÷µ-8P¾ÔuÊ£dÄ‚ˆ†¹NÈ»ŸÅ$Þ/QÐèG˜Ý’ëÊ>9T.¼à¬¶JýR;.ŽÛ¦é,fä¹à•ÚDØqK4–1ÃMz¤ŽB¤lÔRÑsâYŽ õüŒ¼,¿;oTâ|Ièo$Ѩ«Ÿò¯@½j˜M’BR†ë8j‹Øש3F’šH 7ÛYŒ;{Ož¬À¢è¿ÙsÞó›êóûu4‹ÆŽYõ›rlЇvÜ”öÓ¸w§²ÊÇ%ëDÖ2×¥ÑéÓž©I£%µ¹²\øÑoÀæöŽ«N˜ªT%˜n; µ‹ßæp/È(­¡(~b½€±O¼ŸnéÇI¦¤¥i)Cf¯Ä—Å<¥ª™­æê€né€ó…¼dñ…ß”ÐVrÁªûÙß·ŽÞ¹(ÃCCóγkU)P,#lÅôëNk¥Éêãx “Ò¨-·ûhχ¾@†uxraaËËqá	ÆÏ~\™,¦>k_AÅòþMôŠ _[ßñ˜ÜòˆrF”A¾áïa ðÇQ=Å«ã7ErÔ@ùGG¨eŽÝˆhC>v?·Ú嵟#l¹í.ÞÀX¨Š¾QOgNsƤTÉ™/ž!”"G]áWrð¢ wËSˆBs‚Ö7s©œIÅ3#Y¤±°à{Á¡_OKÝGµ–ùªúÏq2š4ÄÄi2¯V("icúéO7I¾Ãƒèv7ÞáSÒxü¸2š
½(åþ2ôI‘¹QÓö©íåkLX§N%¢TÅz»^À=ç¼/¯À(åûºË'§kÀ—UÓ<¿Ä°Õg®VD‘ýC€‘¦,ˆ<û
8˜{$A:—<‹7)u±îžn 2Å#ØœH¿~-4¿/E£àOÂWWíÙ"t£-¦’­µ¾½Š²hØ–,tqcD>„±=6ë0ŽÆ)LHtè~&˜›V…½ÜÈÃú0ß²cˇw‚^oÝ_&»‰™È­ðÏ{ûn	û/B4%mkñ[‚ŒT?Gôõ©€EãŸ}ÒË+~ÜÞ£Ux>«$¥–&[‹‹ÚžŽ¾úê5¿5­Aô†%nIbò¡ ^œ²åø᧠A¿(¨|}„7Ñdåb;†F—³ÆÚróý`òªœúÅÖŒÉ8ý{q³f–'©]w{1™8c‹Nç8´.6öºN§ñu{ÏuK’Wæ¹Od¬ÎÖû^ö$ÅÔB쌫”cŒõÒ:;vïÉ º›öX.4¼mg—	š­¯A‰›Ðц!òÃíÀQÐöÔMÏj¬'ÑnX=…iâpe—°DµïäŠ6Ì1R‚¦¦•í¨×¥x¿È¤ey-­ýV­ˆ¿øÚ:AäÓc¿­jsJÃŽ‰ð´G5HæÓöK£FÉ–ÿWz¡jñðëéÖ
+"£Í­GÁüF:Xú!nFÌ4îÁešƒÐc,щ¼òú®½[kIãH×”zÓžZ"Ü˼úònË…¥Z«œQ¡b쨩/d‡F³yÈÓUæÄZù’=ÀÕá”±üè/Çzù$ÚÕ®kȺeˆ—h¿+
+jº¥ /Íù/p]/n<µÛbŒ^Ðuù@{eó;3#h‡.àMcLÓM2Ùœôcã¡åécq{øjºR×s{~ÛS§K0}DøËLö,Ÿù¸¡JPÛ0j ØñIxTµž¬
+dò݆¬ŽqQìÜÀ8•Ë´3Õûž±ugÔÄ!pOä_;݃…Ã’ñék—ú:ÇŠ—ò¦©§¢ù"#¬¹K§Íùýh ¨q|Ê…†RÕpœìñÒ¤2Ù]ɬ˜Pà^·IÇ›y
åLfÃòÖÁY«_
‰!`nþèöv·Ýj£?+Å…_m
+‚¹±Tr×Í»›îýŽ×Cjú‚ŠZèá ˆ¦É@ûìÎð|.I¦××cÈ5Â8yö%sà™°vPþ±÷Véd’Ç¥±£\
þŒ$k‹}R{’¿7¡‚ƒ‘ì˜\ê“‹3«Âô[kÞzœˆŒ‰q‡|ëP÷o¼åVþ@_§ºª
+ñmF04µ3NBÔ¹ýWüü‘¿¤ÕÈï“"”;æFLîdÚêUÛåñÀÙˆ^ýŒVU³@²]†¯d¸¨ð4}kD"¿y'ò<ÞÛ[õ¤Zu/–ÞJFKÜÃî*êÚÀ®ìgŽÉ¬æšuîƒþ;L©ßÅržyX¦y!e¤ÕÈÙ®¯ ‰H¤Sæ§Ö¬úk»ù0¶É»ýÄr ÒíxäÌ;íBÕcÊÃúÒ€NG•þE3£(æ%c-ºt;FÀ¸²³JA1=ú@g­ØDbS®O²>ÝÑJL,]Nõ½iÂù¦z|ö[½½tñ+•wòZfk=¨öœ¾UiHJ/#d7’'#n¦í‚Zôj«ÉMÔJ¹}"ŒÉtFO¬ôzÈi\ßàçi’­3ÐJQó»Yš{ÝGJ­ò¶r;bëGàÆ ¥À™t]ŠðøG)<Ã,vÇŠbF¦;OPY{Uþ›_Æ6]ƒa'ªÊ§¹°Ö‚Î×MÁN;zI¼¼¸½yú÷C¸· ÙõçútêÔ¹B•žã!Ù³ÖýÃæÁ…t)véGê0¯Óß-ÐgC8/'Sç•×D£¿Výçü[¬~`^}G»ä4¦É²Êù2£
+9«BÚæh•ÃII0»=bTÜ¡¸€òΞ®ÿòëæÚ,äÿ4ñšãÍÇN–Ï=yâ<3Y¨NG«À.GÒÍMåø¾ÛqäQ¥$¥÷²e²w¦€ÞÓVßàuàÇ)La‡ÛXÑ·QeHÌDËͬk(y`ÀiñÚ&ØÅ_¸"º€%ý*'fÔ|5Í Ð`i§mE_Œ
+}
+îýhN¹NyíÙä€ ˆ	ÉË:ÓÈjž$¡{m@¿»Iï1<¾Üæ?s»8«¼q“",·ÖßT	fYsÝ~2Õ7=³?TaÚ0Udêò¢àYï«”uÊÈy
x”Ý0(ðÅuUãÞ?W¨uŒQ%AWÁapyñÓ¥ùjÔߟ‚ÁÍ]©²ÞIåvð&èÒ«ðÕlýÝM~â{lä}ƒ:ƒ17¬§}B“I8÷˜®Ï)ˆ³]B~R—~‡‘ZìS“ãsòlÛr—A#`eínò	qÕLo¤•ª±ª&,êÊe‡ýŸ.˜j)D,Þf[U;6HÆ™Ÿ½e4ПO<œ±©Y ªFMÆ/\Ñ«+-²¼¬åÕËóÿªì-ÛÜÝÓÁ[™ðzˆÞõïýŽ¢'¡_–a½¯øý^“é<\š°—KQeQ@Iž/öʱ©=4V_þ­%a
y]+¶ÚF$;ÓŸkâêæùôèâ@¸Ï*xìT[•&ë­©ó&ÿN8|juÌ¿Zr›m¯ƒ-‹¢A(#15ûE“¹Ûºß—½À²“*4˜ûçV]³Bs%Ñ·X2šc®U]ñˆÞðƒÜ®Æ¹¹€ùÙú4]H€˜Gân®Ú»öóÚa‚‘(Д4ç#á»tI~ü«{wS2Ðc5ìϱ«o!±6Þm8ˆX˜+™ÀDÅÉIb­t†Óp7³´áo3 ŸZ³8§¯õ ªM(Pæ“s[MæŽòµVé~1”3}Ø®ÖNµ“ŸO]DžxvP1/¾ÿaóÖD2–¡bÌüé1—nœLgÆžµ:—dì÷ëjDžF7:†õ¼Ô08AG{ø±š¨Å­RÒ¾fHw¡ù4|ð«äNZµî„B|„ô˜’â,$¢ëÆ—þEˆ±«-5i‰^QÆôŠªà³.ðAY™q
‡Æ¼¹æ8C#ÈyG¬2F̶­Y ‚i§ÝÇþYÔZJ8áeĉ=IæL»Ð‡Ž öÔj?Ìöó¥ÑÜþ3žŸ¯tî<5nv¢›%ÁÑ8Å•2á—Ók£þYÐO´ÕÚÇBùzø.°ÉnõC`'b—Ö_ܹ‰ù¿ƒ„½Œ!“–öK[3Ú@Ër©vÀ@«xÙ9…‹ .ÞrXÆÝ‚ci¹¡±¼h[ú&ùHC’R TD'ftÝŠá¨Vœ8ÚÄR=æc~s;çðgvÓh[êO¼üh¬©…%rÍ:£½â5VÞ¹™ÃÿÆ|G®°×ŠyEn@x2m5\”Ÿ²á`ó—f¯cmo¤]ßb©	#Ìc]l6ï¾?{íåJÃëý'g‹ó
+åIÐ"é´‘E|­qoâ6eâˆgUÕ,Y¢;. éB,y)|U©îËâ:ÄÏZßo8d(ÒH1ò"hœÒ
+
Æ’‚œ7¿©ŒóñÙ—P(ñ§i:Ê©#.+èÞ“q„öÿ™Æ¼~J¤Ã¡Î«Æ+<ÆnÛNÄujTØ}p˜A8ßKÛ¤¢†8ÿ]Ïh
+hñÍqåÄe `]–{<,§(°€¦®›
kø8æû3kÆ‘Bõ°ögE ÖÉM´¥Æ\#FÞ6Ú3|lþòŠ•1YœÉÃ4C<óä6GA»ð
+µrÀ,©R 	è=ÖRc)¹õfq?ehL@ô}
+¬çÄÙ‚mkŽN˜'”Ëm̃G¨ê7êzzœ|‰ÿÓŸ‡µÙñ"{÷µ¸`P?¹	ÐËx˜j—yuZ`™&á”T1†–«óY¤VQÙ1ÝA¼¡–qãÂx0;éyiª¾OÈ]0‹cº[&ئÜv!lµ=“*8€ÞÄPÒò8m?ñS××ΘFÁo»;–©w!4u;,u¹'²"ïßµ$ë<‹®÷wYÿFŠ•Í©„¢8ŠD'0!ŠQv“¨Ûš5ÅtXWƒ©dû;ÁëÏg5”Ê'ºìn1wpü¤¢ï¤Xîêâ䳉ýïFb+ÆÍŒó¾Á¯—qZf[%´êt¡d1˜âXÝ‚¨I˜OÚÅqU|LGóϵ3%iù‘_åQÑù×S}VX@N]FG:5íŠ)Øù¯G´âîûÀ9œ½U©”ìKk§*ð=z1™~EmT„ìì©&Ä-+»B»¾Múáå0y[«Ó´r8‡iLB.%Uys:ŠäZœÜ
«]‘‹àþisTZüÛ×À¡Ì†XFYœé² ?XìBX.ªNCWüB®,¨Æ-$:¢P½‹5X{×A°žâ銽iP‡ºðò°îøyM&JGß0¹³ƒÌŒUS”¡ö¤èúÇ,ÖÜ#PÜ	»‚èˆ3·‹¢'¾Õu‘÷ëêÅí˜Xl»ýwƒâõ;ƧŠÔÇw¿çéölÓ·Šùt+¬gÞz
+Ë”œòL›)˜ö6wÑÅ®èåBÚäŸ2M‡ìy
æh4¢®~R®ãYÈóæìIðd€_œ¿Ò’¸3q)ËDŸóà†WŽAÆ2öÊÉYom²^úw"¢ùæ”ɱ‚ðÚj¨KÚzþ@w"Xe~½¥t8h§ß.þ=m¨ªðòÃeB_‹¤¾üGVq©—–º®×>dt×p>–óJ0 ú~žÉ.®RÌPà©:o&wÇšDöTcƒ› €VóäQ½1‰ûµˆï3·Aó ÎA‡z(} ÄTÖj¨úfXö_¦‹P_@¶S\uö¼wœ¥Oß E½@R΀âP"ÙÐ,Êÿ9]uo¸ØaÆB²î¦eÇЇÈ¬6ݾàωö'F-l‹è‰ø‰ª:«wjÇDìÝœðS¤çk°šiŸ,"e½Já̱oR4®Y~5ßaSØ©²´Ò=ù…¢•÷óÕ™àNãÁ¡ÿ"Ý©õ"ZQ˜R|ÐSÝ>ù‚E3ÍÅQi:kOù¯pý{bÑCýÍdKa™¯œŠÕ)dÏ„©’p5#d©§h‚Jˆzª:ˆªIì”S!êÐØoY‰-jQŠßöZKèÔ#uï¬àuÁ/óз
ð•É1®D£þâz-‹Ô¯þ©—g»îöú<î™Ûj—]åÀüH
7{;§ýéQüÞ‘§éºÍÀ˜ž¯ª]¦ôÒ¶6SîäÖg_Òêa£nŸ.~ÈÎå5#ÙûU¶“’´ª‡B»àVÝ>i&¡Y4ûé…!cÊo™ò0aUz[“ŽRӬיí¥8ËtæfÓ¢ƒpÛTÔcGqƒ>ºgÑØÉ’*RË% 0$ì[}üÏ¡’6‰W¢©†,k6´­-ä”'YRààêË•-rõÍÁ¹Óȳ†º4°:@8«¬$f¾Oà0ÏCHMŸDàVt6£å&†‹æ
ü$ä×7Ô»uUr+YÆ€B†6ÐèVŸÐþ0z¶Ðãcøð•›xD×€ x«#-U
+…ÏÓ¹MШ—iØÇ$ÏÁ¢Mδ¥<¹×åÔüíñ–S”±è“×C('†Q| ™ˆFˆËKÞ¥—áÓðPÌ…Þ·g0.srŽ…Ïú‡·‘Ö§ctw7b¶U!úßÓ6‚äÞ^d¡’\mLë­M¬¢–¹¯üæò3ÿÍYeùõ±öÓ»Ö>ÞüáÅA¿úád‰ˆjðu­fg1m×þRêIH¨e¥¶3O[u5}ŸQøÖ£VkýWÙ­Q¾î¦Sª#
rµ@ÎJtgÂà,Òåi¼™*hÆÊÅ8[Þª0I²«*¨YÙÃäÕüN¯”å×L¡_ò	ŠmÏ0dùEG G%ØßI5˜0ÏP£[t“×—ÀÕ‚‡C®¹Ûeí1— ¼QŠ‹x	X£¾'Sy–ž´6]\3%T’yž•Ô+U]«…*L²2ºJ[	Ûò0êYv!T{E­DpQý‹o6±â»ËÀ–îí&9÷W$8TúÊ÷&™:Ç)[ŒŒ¹ãÞYfîòi‘H$â²I}Úm3zŒ¥¸ÇØâå×ùŠhí×£¥xt—5‘ΨäZín¸Rà}j'¿Ã+y”!^óí'žBÁ8Šâäç›ÓPåzf§"?
+Í|Rêw5(ÖˆYŒ‡ëŒ»hðúÝìŒ%"{ªã—¶ýáN¦'lÄÜ1$»ÆCäI¨xžf_Œë]jU.QfzàÄŠÝš¸ÖŽJ
ºmau—‘¬¡U•ùdæœû3€•~´£N’ŸÒe7ôzLÓùIhª­ûž¬ê¢sõƒJUî&EB/´-«“£FÝô`ëûžb¹øSÄ4H==ŽÈ€ð<³ú¤À/)hp1ÃjŸt²ÞkH¡{ò°åOÿV3ÀiŒ ŒŠl,ÃLŠ>s‘õ›2³@	ËûBÿtºÒoaõ¾Ñ•®ã©§¬íËtÇMZ¦:€?K>£å$/õ+ñ~[(¸‡Ye¸ˆË±qÉY˜vâ·ø›"»÷%3©½I<:8Çãì¦-ò'ª¥î–¶œök§ig*†(|+þfÇ“[ÐPžÒù‚(¤í¾ýì-NC­#ÆFœµ€ÀZû7Ã@å×îå¬dÀr}¢l-ü¯ù‡	͹‡ÒnÑ °/}°½§“ºV 'G.ÉD~b}쉡?‘0ͱß<—õèms±YÖL8ÙSÅ÷2t&Bá›»O×Í}=âŒqûvŠÃO4TxŠÜ²æbsïd9´lŸŒ­ƒË½÷Ñ]E3ÆQ£žwFÕ]Ç¢—u¸ì¬ÉÁnÌTPùߪ 
+6Ä¡àЕ–DßÇUÂ5Í;á]{Q³„‚›¾}Äf€70V6dÍ×ÿ(‰íëRî[ç&¥ËHç¢2›nÅá‘.J`Ôý~N¶òq ^šS¿ÏÅ;D5¶ðbT³‰,Û±dž±Tاõú:’®¹m'Ú©¯ø)Ó¯‘o‹^Zc”>Eì8sëBºôxç¿VŒ·¡ÿvA«sû1¶ÿª§Í*ŸèÚ5‡…auàs–£ŒÅb=cI­»„ÿ}A‰—ÅU¾_X~&ð£Â[&´­'8±ŠEí½D=ýÚ·8Gæumð¬¶ZxÉO…‘2ÅY]q ˜X*=È}HˆvÚãÝA:qÎ.šµÖ'pìAMÁ¦í¿)Cn”+imO#íš„W3‰dŠGº«iGÄÿ¹k¡-Äyi`!ûáœáΡ‚3{"l0äêí”N=*R&×Ô£¬“hbþ²_µITÙd½XÄÿ¼™;&	®8
+ýr;h{÷cMé0pöžÖ†±ÝýiÕZe2‹±[åc6H¤:v•¹¡Z€!AŽ´li<Ÿ1•$Ìéaƒs“ñº?ÑÛèÝi?=e¢ò¦v×`1íÇT§ÔµÿTä:þ2\Á4·&B<¯ÁùТÂå8»D“_¥$nB‚亹„«÷5֘ɟTO¥uYäãfc“¢
+Æ“¤µ`ášÐá?.CÅ|÷šËïi‹?ATN">kO|M¬6f:ÃòüÿÚ™ó&à"÷ò9CÙrÄØ°<2É}Ô­m嘳rÅæcOâ1GŽ¤YŽÂxÎYîçHÉmÆs6zÎ6¼È5•÷G¼ßÞç}ÿ€ïý‹g\¤oìÖ;aÏ´eÚkU5¸nÅ
+FÚ
+¹€ytOèeÖ¤½K;M2˜OûàˆJeÉ£ÚX¾âõOi{
‰ØlE—½§ê1ºŒzfÝã>"Ã8±ÞN¥³ÒƒBN6©¯êt'aàÒœ‘ŸVtJiÔé4³<Ó«ùkûå¹Iô/M)äÜ)®¿º°"ãsjò—xTËê 00­ù)ôîæ=<›ÓÊÈýÆ;¬§†ê?´…©=ÇðMà?èÉ4‰’
+f&‹ÌC\/øîO.Î$—_¯~v[žGÈ­›í¿ý’ý8Êâš6iñeEwkšI²¡
¾«nmýK¼±¬bdŒ³µ­îuqýBÒ*i%eB!Ì8®Ô #ê±ð°žLÏŸv
zÞ5Æn<ЇˆhfNÊsÌí¶4~‘Tò‚µð.o3YîÓÄÝnÉ–´Œý£kéïykíò›ºØ¥œ¦f’´Ô	à|â"õ”×êóƒÈwyKÅâé?'„×z.ëúÆ*‰æÎÚôÁÅÖÎÅBÎÿ¾”ô}±Ù=<^o’xÇ"mý†t÷¹H°Úè_ò*k0é™ûÊ	ŒÔ¿øê0ËçrCcg Zh\6=£}ÙA_#Éø‘nÞ«	sÐSVye÷éD'²áHî<åÚ|3ËÁHÊsG
?6â6_-©R´&&b/HÇK–ÈPS!ªmñ(!-ÕJm–4ctkƒ|“õ‘”“@êþ,Ìp-V¥jo@¶ÀðŒmPœ[êèÀ[$©öÈwgiýµã{KIKïëmÙ%<5ÇÕ,Jìu¤[q¨v³ ÿ’ØÿÁ"ð
öÇEÂBpAbÿ²÷¦endstream
 endobj
 985 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 2250 0 R
-/BaseFont /RRUOOS+NimbusMonL-Bold
+/Widths 2270 0 R
+/BaseFont /LHZCHU+NimbusMonL-Bold
 /FontDescriptor 983 0 R
 >> endobj
 983 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /RRUOOS+NimbusMonL-Bold
+/FontName /LHZCHU+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
@@ -10777,7 +10851,7 @@ endobj
 /CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
 /FontFile 984 0 R
 >> endobj
-2250 0 obj
+2270 0 obj
 [600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 968 0 obj <<
@@ -10789,109 +10863,104 @@ endobj
 >>
 stream
 xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h˜™L\\\pd[;wsS3'¥š²

íYþ	ütÿŸž¿™Žæ¦6ò¿.@+[;k Ó_ˆÿëD àd˜˜["
-ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î "/%úCˆæ?ßÔE)þÕÞIÕÝî/±ÿÑŠœ­ñÿ:üƒ!,lëð¤û{é˜Y8ìr21yÿªý†é¿Îr†Næní¿-32ý«ñÿñû¯“îÀˆÙÙÿ³+*N†6Æ×ëþq9;8üUõ_7þoÃÿóü¯EÝ€Fp«¿mx‚,Ò2Ój±r‡'Eµû{™À‡ƒíJTøUÛöø¦…ípU¼×Ó7Ns¶¹/Ú}ìKSŒöbZQô¤/óñ½I¨ú
-P7É;8hôJÓÏ4¢<¯e·!´ØÕv'•”õŠß¡¾Ow°8À\=Qù‘¸ø¡“>Ú!ù¥ÖÇbt¢4‚|«-<=#O<~z¤ê¹ìÛǣɉ…%ãq@$ô³ÏÁÐR«ð§‚JoBÀ»i¿ú$ÔèöÔË##Å%°–}U4Í_³i—}O‚LoàM”slݯüy=?É+”8Í5—ûµîL&æˆÅÛ„?Ø;kI8“	]O0üvMÙïæYk]MýÚ‡”»02£ÔYRïÚµOÆH7î\‰$ÒjçH桳,,c|/ͳ‰M|\ÔøÉ×Ñ;gYs&kœ«ëP›‰­HÚz‚qÒÄ^hØx#:0%;Øt­%?!IRt¦äÞáséÒG_æóÈùC¾*íž¡±D­³EvAõ)i´»¨
¹Ío)([ŒÔ‡+!Œ4Ž	óçBÖx¨ö×éÀQ†Û–Í·´Š“çALb¸Ù…B ß%5Vy>©•õ_CäåwÍO?Xjb¸ËRˆ¢kŠìßFÆW‘¦³Âxýùb1£ôB:^‘átlØèöÇóžˆ}† -ß´Ç-_†‘À=DMá¢y;3pîÜÇ£àí	•"¢œÍ‰pGÄ/çk~ú’DÎv}û
Î|è8|ÔpVx{DžØæÁù¬(™è“‹¿ònc‚"©jȦފòJøˆÚfœƒ¡J÷ôy¼5Œ³4©aÆGD‰–îQHA²;§Oý|ÍJÑs{+ø}Ÿ£ù-0 
<¦L¾F{@ºK4@Ê84;/ 
y¥)ߢ•èöp9ãÁuaÔqLä
z?‚Dô°°Tÿ	½ÒHt<êƒÑ`4×Úú
-'ëZ;/€Ü
–^dŸ”¹\
ô0:ŸæëFVEò‘¥0\^ƒŽ	å³Ý1wé¡•>Rh’`ÛêüÁT~Ø	QaZ­d®ý:<_µ\Lä…5®£¿ºyÃRxy^Ù@I?ÂÄ0ï–~ÿà·à
-U~-UÙ1`¿ôB}èÿ[à|ýÛ¢˜‘èþà éz]n¡·†ätœÍOîø
-é+¦ÞâwªÉ"=ÖšTÂb.Ê;9§D¿KBr•ZDIé°É¬/$h-5…œë¼_àï_æE݈P`„‰ÆA/Xâ\¥$jœPSj9ìùîåIt·¹özîk^Çqô„êò´GËhžÖ=ëxõ\Se”ãÒx!÷©8aYf«qy·BýÞHÜö˜ãfM¯ocþÊù
-eŸCN[hÀÌ"¯5sß¡¶s«ÒVÛBfžáœD(˜Ü¤胢&BˆóáÛ§Œ—=Ü9bª©s ß¨nZîÉÄõn^’¡ïg^í*ªüdïfº×D°>M*|™vži­}ç`1;s~ŸNÀê~m©Ó±‡„æ\£"écã9D^ŸÍ1ÿ˜,F»9ÿÙªø¥só=Ê>çR³¿N§EUÝ£¾ÊPäý60|õ‘³9&x¿«é:d=ˆ“ºª¯’!êö9šu96¯¬|öu½nX—n/:s€fHë¸ã~_±›PªƒÍ®Hò£}&Eåæ«ëO¸éT\“Ö¤ÍoMç9œÇ!©Góò	eLOÉuA¬¡#_Ôáhr/Щ6ßïÜ:´ëÕÍ©Ï®$V‘ILJÓ]Mèž	µÎⲇ 
@¾áÓË9äøÇZ›¨6ŠŽ¯7Ï©"Öħ1Ê™‚b½ZôL’ADe2EV]¼¤X*Aþ8€?¸AÝÈ‚ªºØHüéuyHã”Âs*þ¶¤ÐÏW8=IŠ0Å
-
œÉò;Fª¥)Ò—³ö­nEäûÆÀ%g5HF¢´`Æ÷‘1ÌBTï7íVcUðíÏsÔ5#LðÆ}Ì Ó]Ô^žNkHp<¨‹7äÛ!”a¿Ö9âì-OhGô¢µÍæ<¶ªKt VèLUjŽÒ:Ø€ íÚ²"A9ƒýL§@•­ÕÜjF×/áóæX±a¤“á…sy鞆v_Íï[3‰Ó ‰°^¡Ê-à¬ßŒ!œÙl7¨¦ÍÌÊdnS;Ó>„|d¹—.Ú¬fnßY“ã|ø5ýòbõ"éM¬¢øBÍØ-P_éÀ'´
-S4DB~Öõ‚iJìÞóex1tk/•m›ÙƒlÐÈÍ#ÿ}7©ñ´¸jL¤NB¬O+ϸWEõ{ç$3W¨† ·°‰ñ6Szuß²]wTé‰2åº
-r€Ð5™'­§øÌ·¶YPNøÌHý ú†C¦ÝÖïLS]Ý(…3¹p¬Ï–z«ôtNzTD¨7KŒ:®žh[µg¥Ñ¤ë­‰ ¿ø˜¹Ô¹¶âÂõA?Â}ûŽ>uÝ'9*Ë25ÄÜ£ýR¹'«3Ir¿'ãƒz‡&ù#uf9¯*¡ì@Œ÷OÑĬyáw‚ÀÙÚÞœ«‚ó—o
-s%Ú¸üf„ŸËcɣ穜>V†	x*sžlKÍ?–‰N£“í³Þ;TÙ6qoam~gfÞÃá¹b:èÅ `Âî ƒ3öæùfÛVÓT”75"úzEÒ²4Yj©sÊNõ Ñ?±Šèqu""¸RϹ·ÖÏð­f†¼ÀA'bϧð!KI4@·Ã‡u&“w]!&$ià}ߊ½£ƒimói×Y
+RÀCÔÂÙ—ð¤ü‡Ö†8ó1…œ)ÛC0H Éª­ÀP[¹@SÝ~w0æOÍ‘àÝÔ´#Þ%ì8MÖ™E
-t.Û½«½DŒ/vÄ”õf&|aªŠ«-÷­c†ƒY¨}ÇEWùn¾ß¬úvtÿtšúgÓ±ÇFé…ÁI{>2›Ðø‡¨ÏÂØ#7nPe…cÄ\k¾Boq_„t˜V/|å|ªeE2óFm<Þƒòc):¥¢@y'¿v4œ¸}!™RkÃKnpÁÿ"}ÏHj/Æ*.@¶B™¡áì8³h¨ûÂò0:z$X(q»®%ù9ÞÃX*´ŒEŸ|ÆB¬-$MXÜ/ƒ°I,Ø iÀ~™3Ó	&"sÐöb“–ZÁéÃÝog„F#º¡séc¡Êöïpð{Ž‡Lã³EÔ]¥™PÙu`Jvqíªi‘0ñ}ÅóEëg2!­Œ:¾~¤ÛS¶ïgãÞ¨e}èGóíÜ+¶býÂW¦âEñ%,ðÑ„U|έR†÷Ó¸	‚“7|Y0¦¡ÐŒ`c”h"ï¥]$¯ÙDøy–¢U”÷³*Ëö;•»°žˆž½X€Vºi<„#ÑÅÒ8ù³‰·5òNéK#Û”îËÏNï‘r®[nXôf$AO"Ý–¸SVµ¼7ê^Y´]VsBe÷´g¬KI^¹A5Çr &&# zK½q*Ø"¥¸ÅSäVOlMš­åV:ìH™/*go¾|¿Û^B´÷£sä™Í/‚¬¨+“`‡™Dì	žº,Âe…9:Cf!3M¯ˆNïxnÀ>9ë·ÞxCaSB$È7{Od¤Ôt †ðˆÍŠcÅø»,Y™B‹áºoÛâUûà¸Í—¢§²Â‡W½`¢ñ"•oû›‹¶»í‹èoœSªÛ>¢UÍAÃo+«îÅ
—6/¿es^“Y?±Py2C™‹-ÆŒEöÏ´óŸ{.Ô&fÓAÄVUþDØ×™
-´ÂØ÷þÞŒ4à…÷r
Å› ‚$Œ¾£Q`ƒ-`¬×ðÇŽMéˆüyÀœJØ
ò`’…hQý)*¡ $ˆY
-5Ëñò­Àóv3.]”T'‘™×_ìÎ"ÀT'8±ìƒJÕ2,ί„q;§oék9ãñÙ^¼è½þ#±ª‘l VgÈDÝ/tHõÿ¨ÀQ—Œï±<=fYM[=€7
µ¡éPÅ°¯qdt³a³´Ÿ¸®‰ViÉ}Í~‰r¨È
ºC`%ÐÔÖòü¤‘ ¨ä=ìíÈ€°ø‚x.«å_dÃñð,öͲôpù‚­NŸÛ®}§ˆTÎÒ¶iÒà_/á	z¡±íRÒ*Ø Æ 3ýrI›½Z }z+§ðEU-8¬¿¢u6ìú xõ+ðsFúÐÎ3à"Áw}EýlMÚv…U=Iö1ä³Ò±çŠ:lú¡‰àâåŸm•ôònG&±O4 ŽÇ³rŽÏõ¬ß’Š@Î%R¿~W Ø)Ø×\„Ý=VÎáܨVbkcà6æŒ#°ÅóŽùI4MœÑb¸ï=pû{níÒË%ˆfcY¨¬×¿þécaöyqÌÝ1¯Æ ì—n7
-4?äÀYÜéV“yö2RS¨àÆ`{š,#JiHÂâ-ý»€ëbú@ùðsºÄÙÙÇ5NJ;Îið’s7?†™YJÂ’F4TïËý´äb„RêK,k"z’t&¼pwÛkßò1^šDFO²ÌÂ>1Ñk3V¾îÈNŽD{¶æDJ™¼oæà”1•±ææ¯\ÒeÖ/žôG};;’%Ú¨A{½Eì–6¿nn†  ê¢Î,%*îp5¤=¾š£Íi
-Yت^éιAÈ•Ë5í
-Ñaµ+Ë“º±\‹0ïdÅ C´Ð²(Ó©Öצpy§’éÛ …oû x#z–ÓŽú­iÅ6„_´'Æõœ¦?óØ&¢6ºT&V@t½E­B:3ç|¡7›Ãù)èq‘ y#釪sfWZâH«abzTÆcóY!ë>=ä€Ë„—ö†ÅŒÎF1-Ùòò}\Ò|3GŠXi
-TpndØtº7ù)åç«sç/4ƒ8ôÃNE#.VØjÑ6sÇþ·Šª,o¿¢N(Þ-Ú›:ŽoLªḻ9ö8èš?&f¾>©¾*æËäIâ~‹zÅ}HôäX|]ˆ…–5Ö‰¤õö3›‰ø/(‰[ï ˜Vîb6ðÀ—ˆ¨ÔÆ¿<—ªîïáõÑc{R‡vº±£¹ôRåpõ«ý—T6xÍtd=úÈKgû% º`I)„ê6…xVdLñK±¯“þO{e§Ré÷ù+Poõ šZyßÝb*óë6§ï½$¬ôG u\>Ì~ó²=]ÞkÃOáGùÀâ¼’þ4SËÅuÖ¦Ç5´ŒšÈN›Q;|8x
-ï‹i’6RNbl¨°›
(¾/`Á%àÁ¶åæõ‹¹ÙpbO$s™Ø¶€ŒÑ¾ÖÛw@‘ÖD“Õ˜‚ÍN"­K &.MæÊj©úŶžÔì¿(`\5ÛZ µ2kyD„¬Î[ï*¦à"þFp›aÿ
Xf˜¸ÎTb»}-»
ÎáÎB%½8ê 
U‘6J‡(ê¢ØÀµ–…Fíªãʜ؂¯ÀX-ô£-Ýñø>‚q'«o"ty’ЄP.Hòöf;¦—囦
-èýJÇF@´ø¢umŒ¯Æ8|‚…$³(ßUH§k‹ÖÐÓà	÷¹eeÕmÖGJ•#ðœ¶k%ââ];$ÖJt ‡Ÿû?`ö„i¶Iq~?•°©Âá/üªÄÕÎk‰ÎX¬Êù˜³SÜÛ¶‚ÜHvòÅ¿¯ö—Slöèeî‹*bN¿ÿe¾¢\h¦µð®ŽRöã
-oçë÷¤¸Ñ^u¯LÇåô¼ë‘¡—–‰È/º¸ïr£ìu_
-¹ÊGÜ.×÷ÂÌ?áw…_«DP×vÀÊîúðMEi‰Í;èÌjêL¾ÓÍç¸×l£ÖJáðœ4ݘ$í$©QøRdàdzFaÆ
-±aÆ°ö¤ûÐq#Ê õ;–>ußЂÑȲ¨ûÜ
î(x­Ô>|»zsÇöMïÜÚ
¡<£²€*¬R¶nè«jt¤g6ö!;¢nÖDJ®Jí¯/i·2»K’HŽc1äÄ¢):ÙØ^Ãô¢šù…Íí>ŒôkÏ\@¡fËyñ6“é‘úGÔPÐ艋ª£5nôXþ8…ZvOçkŠV7ûüÒ6'wÊÅrÒVrô‘àÔóµOoü@	”Ç}žìÃ3_k¥Wn~—	q°ê€Â¡NmHN¢ö.U¿_¤dNß9h‰¼¤‹8
@Qpù7Y^©Æž7RØ‘{ǵºÒ´±Î—ÄA¦WM¹	³xûû’×*îÞ¡Þxö\(ž§/2Ÿ@\ꩉãù>#ÞÐFÕ³«
iøMŒ”™?E¥´bC3%ê5îæ{ÓeR„Z)o
UE4´oÆ :[qt˜O¹èðuÙÎJ’ÔàW-º¤–yÃ*¸Ü,ºqï7ô/fÁC¬F¤œslÂïJc–R‰¬È3†›…ˆ¸î*\ª‘nu”Íooˆ[í)0"Ï„äÜòR‚zƒi"ÖbhÖ“
ÀI8ŠeC’µ¦½`ò6¬¬ÙÈØ—Éýüv¼ÏvB¡¹†5ÃÌé—|5˜,óë··'{Ÿ$ÿ0ØvYR~=2·NDá…Ü…´²ðAC£´ïK‰	t¾ú¤ÅÊ´Uäfsä)_©ËŸ÷º1Ó—ÃU»»bî¯41Ê„kÄßF(Ä
-AQé}lߧ‚>œ'Øoy=Û“õÀ!»šp£vSO`MÚ
-ÂEdqðÏVŽ<[^/à•‚³mQB(ÉJ4åïPÓ%›ù5`¦—¼<áN]´ÍrªuÓD…8#¯U…ÑxšŒŸžþØë$@Ñrˆ ¥åpT_ç6þ3$$mýñmmòkŠÊƒ!7gN?¥÷Ó
-4“R¥VU»4¦^¡ËþõúB–üLJ#£·nγsl€tŸh‹P¢ÀB¯B¡1ÔÏ’‡’ÀmA8onTƒ¯üàŸœŸ™@©5Ý£	m>è|Ìãé$Œè8L¢äë×RõC™u´„î0a\*;­A°0‰ì…ÀÏ?'ê=¤†CcÕ×ÇógEw{ñ§X<¬Ö«Î§¢¯‘Ö/¬+±]éÐf¾ë{Î"²Â.`W_‡—ú¸R2´
¬	ÑßèûnȨ÷„W:È%¯Qý#?‡uÓÌá†8p¶ÄÖKê"“`t@º^õÛ“TºXÔ+©eÝy,NÄ™‰âJcì³¾ýóiówh²i©1K½à#<í‹6uƵ(E
-¬Ç¿Ñ¦‚¤E(#ÍËŽâ~qõ¥]ïãDí
-zúÎ}™‹KŠcw|¤ªïhu•ëôSˆÆ¡ÐãË­„[ö:Ò-DqnFå†üô’êP>Âz^ʧÁÒÀ”¬Ì»›~–[T¸4عâXïîif%ŽE„óN˜¸þÒ:Í“dõ¡#d©ðº+†ðŠÊoFš{ÈY_5¡»$ž…Sr25Õ¼îà>Ó ë°+a“^r8Æz5³w
³„­JÚ%uàÏŠŒ²¥oŸP,ã¦8(+{(š\‚J)æ}kŒné?op¡Œ®_@U<º°4Êßo‰ÔYÞ<ìaÁ ŸMˆ§õcDÏSÆ)ÃêNiñZMEèG5­:—ÜüÂ.Ì{á¥Åu[R½Q0È›®iÔú#ÅU·@„ñ`lˆ-gb”Ŭ\ÏŽXIP'°(Gý³»`š˜º„€B@BÖ&íOrÒKn°ÉŽ‡{ûgÕ.V­„Óá™ÔëuVO¹©’›¦ic{b¨þÈí‹5D«Í÷‘(L˜žkVADõ½mÕTŸÃb|kÊ"¯=^sfÉ̇ ø.Íþ¦úzƒD?¼fd¥òCRØÇ”½²c+‡ò¼}ÌÉ?	Ž²69>jí™e›W"àùï
-.^7=º6Š2#0Ÿ“8uGzƒ)?&¯~Ó&Î^ma€ÐÎÝØ”ÉUk‚Ï]ûl ’4Já–‘—ªÖã¾ß‚•è‹ˆzN“Uæ§z¡Ø„ðcÃÀ4¼âeºsÂiŽ˜›ÈÈu"ÂXÐ MòÂàwB²Iê­Ã>¬qø´d†É¼•§Ç.m"£ûˆëDÊ!‘‰oRêS´½)™FÚêaÜ.¹½<ÙBý2ƶðÞ+ôBƒÐ­¡+-Õ›3ãò¡5ŠÚR" :zïEñ>©-Óæ°Îg‰lL8y$º›³Þ%µÙJÏX9?ænµ‡äFóà–®Œæ4GÕ'‡“ç@µ-–ýp5i~Ìoãø†Ž…·r–½Ý¢_«
-)׆þ®ì¸}Ÿð‘„¨ÍŽà”ÿâMµ3ëîDþþF·X#›Vx„¥Šš9—ÅÁ¨¢S@§¾Õ§+Öf.;™•óÛtÆçÕÍ&…¸eýÁˆQ³ý
Qi†•hOr{jY%ÙJw¯ÂT„—lFt{¸ö81÷(Â¥…ô¶äÃÊòûb2ÒJ8cá”ˈÒbÁÀm¼J&­Z‚A
-Õ!R3|´î|ܽ$uà×­GY‚œ	æ{Âx¡  ~.œú&[qæfôð†hZ³O D_‰Ã`z™7ÊMìòMA•WsÕ [ž„væsÅÜ!ƒØ^ZÉ»‘wïFÞVeGò‚\l¹ÑS\Ÿeæ"þÌDnÚ‘15Nôz{ƒ¸Yów0[°	ukz?¡Þì%¥
-Ü0†Ç/OLj[É|Z«×Ûž<Òí°4ûº·Dɇvk5A´oã	ÌtAÔ”	
-çHBžO+Ú‚ÄîóÎ"«g,Ç}õS?3Ù³”“´§+Ôö·V¥+ÂÜÖ/'Ên³÷^ö/€Õ…Óÿ곕µ°€ùÙ?"0ÁAÉÃ\(à-ŸÍ¹À/¾7mù±y}ýÔm“ýmùkìµ4#±$ß”
-¢0ÓžœÇ‹·z´RÒCfwMÎ-‡Ý
’օʹºwvE:…n6OAÆR	.
½Ã Kæÿ>©´‹™Ü¾hiÓn#Ç*ëÈÎ^ª‹{n„œƒ|Q‹évÝ	5¼ã›ènB	uv%ò9{d|ÞQP>CöŽŠß$qˆÒÊšÙ8”Ç­š¥«­u#Õ¸)«Û×¼¡ëSœiQ¡zJõÏA*tµÓ¦¤§	3;Ûtès-|b~0~B-Z)ñBšª©*·?ƒæ–+[L’0o!ìÆ»UÕ‹B"Œ¾ªÏ5jdÝi·©dVéc]Ð[æa÷Ú(i³ ¿=ב;†L íu߆+YÙÔ¯jÒðoAs-á÷!Þ;ýÈž8íöêš«Î~Ã0À„
-Œè†²}­°[^­ÄÊ"+4´Ÿê°»Ç[èë+SˆR·sQª‰’ŠYHX¿™ïC6ñé|W$­µÈ¹ê1±£×Kì¸ËG4ÄÓ:£å9d8—f‘%¬-Uo—@~<Í‚¿<ÀÂ/OY„рƈŸ²7	9ÿFL!Ë·$À#Í‘»%#“ÂÏ®À!¼d^ûÉßì#r8ç7Ôs¹ùáÃ@óî¤D((§vL¼ñgà³wKKf8Õ–u±M„ ,GìÀ±„#†áÎ7n$\*Âä2Þ
Ví/@3*Û¯¦"üÔHÏÄ»Tm’k7ìècƒÀ¶oÝ…æpxVåÓ{'ŸÀVÏQ@Lv¥ày«§ ç-{†Õ#c¾Ùy·Gö=…lL˜ÀL[×nЩ2oY4êðÌûÖË•÷>BX^M4UÓvŒ„l0gz
-ó½ýÙÍËF£jkN°3½WäfÜÁ)8+í':º/¨%²+žG%$Åw·í=¾tÀÜ~ÆéÁúäi*¨ÐuÙ>lû2{†X’GVM"¹ï§¿äØÞóŠ-I¦./q*#Ú-ÍÌûS­n®Þ~¿5f58O&Ó=ƒSµ@·ŒVÓÃܧçOPkÓÿhÙ)&ÒªîÏWfzv,Þ6ì,Ïp¸êÉã7­‡ixÔÆ­SÆ;Øc¹}¤ÛUŸV¼ðœxç.»wQ~ßÓJ3CÙNcYB»Ñƒ¤3Æ›õ?­ÔæuÅXŽÝʇÌ®þÈ}‹b×"¼ô)ÿÆ;Ñ€¤ˆÍ
-Ú‚+m.'ª®ãæáLVò ÊacL-À³…KË+@±ù~àI mªÎw3$‰/pKx÷ÛNìvþBͽ2ÛÏA‹É]`Kmâd¹êuW‡¶oŠ\ˆ©/QÙî„„!'Ìqzî¿æÞ`rŒjéÒÍd‹ß”¥
-¹•úÑÅ0vñ>R0Þ{W8ý34®H‘ó£îH±±­
-—0oj+tóH*ßj<šÊ¡ÁYzdÍ¿f1hJãg<+ïa??Â…VMQ·IŠ´Ö`ÁÖK)²jâ‚·8óK×…
-t‚i]ÕܹQ7•¬¶">ø'2cq’ÅuE}sÀ£e9L&„MrÐ`yOCÀ´ó'{›HPO˜ÒoÅø8ì»n·Šš¹Î1è˜(]zš¦ÊÜ÷ŒDÈQ–Í’>¸iŒYñvÃ×LT%ù+0&—¢1BµUkæÞê«–Ì«l
-¶Û2g§yö$®ö*Îæøe"'WèÖ£“C
N1.-ÖsÛòQí5rJ÷ÛYAQ&¢V1R7Œ¾'NI,Ÿ*˜å~Ƶ”›~÷Úrò9!ˆcV†aCPµO;;PÝÌå³(t>ƒ¯ì~0Óâ&ý¥tdW)T?&ÔzISÆ—µ Ñéô9óóŒl|—T¶·ô¤+NÓÄn“4üÑ«#éÜ‘ñÑÄüÁÉ֕aã_.›+A¯@™øêSÈ3•'üp‡IøÐÌySzùO‡´æìÍ®¼Ck;ë2O3Ô‰áy/sT²—»ŸŸhŸúĈäomg…Zˆ­‰fº9ðþÒnjĹ.&i&ß7AŸÀ’\aö(±V­J¸ãnÔœm>	ØŸ) þêy…ñålkMO¸éX8VEdàŸs][»NÆoñ3F_4å`}†v,ïˆnd ‚ì’تLÚB+;1‹h²QÀú·î´¢f)²kß8OÒ#õ:‰É°*NøG0Úðž{Ï·¸Gâ3]ÒB]ÝãŸeõÊUút–Zä¡ÛQ*He'3u}š&ºaVÙ0nÂ_å·	Ø5J泧Þ;R~&ôc5Æ¥:3…/ïì&Ó¢.AðáÁÎƸÃÄžR¿nÈ€¦ã~E2Kâèš”¾³klÌM"÷mkòù¶Bˆ)™öøï¿¿ÓIF{/õð·לuù[Š“‹ÜhV¥<õ!1QÏG)9ì(Å¥
ÒtM ËëqÌõþ¸]%tƒP]¦ûtàÆ&Ks:!lg‡€†)®7ì,èøÔ:Åaäæá·ãäQùÔò=•ÃýnÙ,×À­¼kZ^IºgàÁô.uQ³÷},Œz“¸»•dA@{â^@±ÝƒžÅ&ýþ°Æ¹rVL*ç‹jïRf§ž¦|ú¦ØhwFjPÜ{tnãðž¸Â1LM‰ðg6þ>¬€ä¨è!³ßO’N·3PsÞvz¤' W›Bb×÷d•ª;ì;Ъ"j7Ž”‹98ô©å,³ÑÕ4ÛÕ-뀌éÂçË+[ã®fΠ´=5"ëO_Z§ÝQýJå÷#	;~Æ×:¦ùOuP2Ãþû9¿™Úã†ß°q¸D’!ˆñÛü"Np G“óTI¹Düˆmuáê°q¤boówH/Xâ¼¹vbh™‚79}Øži•0!5mù'p¸ªŒÍ-ÖЗXéçQdrîá•fè÷ëåÞ1ŸdÅ˛Σã…ê(?ÞOCüUd;â±ñ.&-	ÆÍ á©UÃ&ÄlÈQ¶œFWüÊîG˜ç;!:XV†à
Ž«¦g.šÆÌ" ƒâÝ`”Âp¼](G¦•|ªf?„ËÄŒjݬ~h2w|¶A™¿îÇ숚ˆ‘u	#S0g0XÌŠo	æ<
~°fC1å¹TËI€I¯v8ì{0®BôÂPœŽì>@;QÐÃ'‡³
†êÉ2$¢b(ŸÜ~¦rŽ}žjÈê	6G\æ«ëVáÃðšOD©h#Œir~7úsaóÊÀ?Ô³©§²ÆÍ9Õܯ»
-%*RŠ
8$	²Bí¦®ä[D¥ªÝ«ÔGÆ;üÑh<®^‰¨´ÑE—@$|ûÈ89O\2¾ãw3ÆRæò…iŠR)ÇäN(˜$	âBd ±ÈÔ: ¤cCœšÒÅãE…É<¬)2@5ø.½’ë"¼ë'óMÂÛçœÌ„8
-БQöw>}N·>¢Z[@ßHÀ—ÞäN—÷“$wŽp»X0õ•Äƒ<±´Áí¼sÎ*`<Ñú¶øAF‹/©=J^®üݯ‰TÿýŠCX	k¯”¢vÈ´ªøƒßnÔ«Ó¨ÉŽ:ÁCò®E~$œ-b™¶ëþto©ýB5÷ªF¶¬ïϾ¦´]çnÿ¾ãçz£û-&úiý½®€Q“²sxGûÑû¦I`¾|R$I‘õ\‹àX.áçëÑMdù	ØGË7DÐÁ`lÈÒák‡)*¢mÁˆŠ‰£ä¾цëmhQ8ð™’¦;¦eP‰Ñ£EçòÎïZ¶úAI
-¦£Ò턳`à*ùê™>÷)›td¾ñlË•]“î×=í
-9l¿»YªjËŠÍa™°Tt÷W.™”Õ>/žú„	VݪdspÏ#¸îú§+^üƺ§h¥ÔS-b©\LÔåg›llª¦¢,#Un¥`ÙD2ïÑw^´îWƒ…jžÚòHƒ,ߣ4i´Ø$ƒšš4œ¤c„\œÐ9˜n³žK=F™•S'a&È6cS4	EV×#ž°Nšy’ QN¦]ˆ‚{4)gáŠÈZó±ñëÛ¢¸$¶§”tÖ©ç<
K·fÐ2o„mê„‘iª:Ï”)Ðö¬×ø,m/@=ÉFËi‚tÖ²$Q."]å+&•²jjÄD™Þ}Û­n38e(Ö²õ²·™s,ÒõáÙĽëÃîñ¦Öà#”
-,
kÉ÷´éhÏ·.rLgâ×hž„—pZ??ÎË;@·aQÞ¦fÍ‘Á£˜ÁüÒ,_g+õÇDê–[ÖË`lƒÿmjC“½
µ‰¹ñ•«ßyÁÙUe°M	©P21=ÑAC6R²ãxÖ¢Ó»ÌiI˜µnþ¡twÙW|$Ø©Ýv;Œ4âcƒäy.,üôFÖm@Ë1›ÚÜÒS½V%¥
òN)®#ò÷~H}ç†/œ¶CDÞË>K†·Õ04y\·ç¤Í¨ƒÎ¬VD©?qúÉ´K¿¸!˜Ù6t’m3ã˜B.
-ÂJY†Z†ûš|ý4-¼©‡ôÄÖ/äNø&vL‰¸y)û÷oæéÆ¡s¨Fâ²JJ–à!`²K-TîÍ$\\8fÇ®Ÿ™ºˆ¤]z‹9L9‘Ïÿö4ÆðÞ/Tþ&š¥ëÕŽÛîäHŒ7ýø1ô°’ë{ÇnŽrbÍ¤à„©7ëã!ÀÎ|#^ìñ›C§.Öçì1Ê"‰	>B÷‹=^Õäìb—bu/ÙÒXÄ‚™Oå§kY‚O)™:&Bç|i¿ôÚ¸rŽ:7q.8VJG±Ú–=
-¼œggÍMÛR9éà½Ù»T¿Ø6žft»@ã.‡±v¸g8ËÃ7ÖÇËñˆùƒs‡@JE¢ ÌL‡²¾ì§£é-ø?ÝÉ8݇uÊ I·ï*"3 Ò÷ËVA¬¢Õ-
¡Z"ÞÆmU{/)tŽÎ›ð?KŸä~_†ÜÙšÖ¶lâ’¡n˲aþq+—ôú¨¤ë1æo/+žQTËq&ÕHdn„Ô¾u
˜Ñ­-ëMåÇ‘sÿÉÅ™[tœ¼¨øµŸÀÄíÞ®ßPx|òúËüá‘æ/¨-epsƒÛ;ʽQÊeŽÍYszgÏLf²Ê%—â
-‡3¾•þ4¡´°Ç4s©Ó(œ#qp6ßïȈLÞè¹xÌ9ÿ*Ͻ-+\NÆ"ìÊלý4±ëè“B»5ýû/VQO‰Aüp
ÈÄ@ˆtö·­ã*EÕV0µ¬7Vn¸¨bÍ[u?¹CöuJ4,Òk|_Ë­|Ïë2•`k”äÅhÅEdÔ<üÉgÁÛ{Ôrä5ø‹›o{Ÿ¬cy¯£ÓJ¥Ò/âðÉÞ28Ê8®9!úzÕP“¤¨x÷6`1©ÖÝ`¯îOzó€Xú8jvƒXq¢™°£»kÌí²¶¡‰2D¾ß•‰”uaôBAwõúà‰¿
-€ÞŸ|æ`xFÎärãiwÍBÄt·Ñ9”kE‡-ñL¡•´]^`ƒ|ðv?B@ÕÚ,eç¼oì.9‚¿‡ú‚8ÛƒïûÝ
-2h°Ø‹­ˆÓçBJ6
	rD÷ öy@hÓ©A˜orÉbo»­]hdçb;é^ûxw^c»{$¯öw÷ª(:©]Bæ?0B¨Zt=qsŽ»_ý¾$UÎö×ÐíT!
vMIöM»ªéKk¦øy"Óî“hŸQ¨¿tHg½Å#v³Ë¢¹(^Ë×"F¸CáßÚï~µÍO[ŸåÇ•ÖZ²Æ~!íg‚dö¯hÙ¿¿«ðÉ×_j¼ºÞÑñ¯EAåƒß€MŽ›_ô?¸M¼½Ñ¹t~ŒÜ+ìSVáu¤T…r©¡l®¥Uƒ0P;Þ‡™OØ~uLáÑwöÞ5gL›É+Êj/1ˆwv_›Æª¥µ[þ±žœh…{eóåa"ë‡u™rÔc§®–㶭=üdxí†ã%û¡AUì÷È+×¼Ô4ÞΔEÞ°•ÏØ„ç“ø¡´ûèâPz?¢†Ú mê"ìvbîdU‘Ö¾”ñzñj3¹¢¸j&ÁÄ~¶§‹»‘LͱZ
-É5w½‚'☺²¡tg‚ÉGѺÐäQ`Æ9vÉlpúÿÖ§ÿ¢^ʆÁ.¸7%Ò` ã±¬Fœ}a<õŽÞµªž2Ȇ´h¶”RÒ`k‰ÉÓUúÞê¤/˜÷¢ú¹«É«¿ð\”)$q‘1)Ûÿ~3w¿,ᶉ:—ŠùÒ¬®ÊÊ€W6	Ù ƒé‡~ÕiЩ`’××»žÉv ˜rGK/ÊBˆTJRÌZ[¡}ÙAöˆóÛ¡Ýå熫"ø`™Þ[þö‘±U1²ѵÀÈyþ¸ëhBØ…ÏÃÌQ)¼é‰e‹@Ÿª"´±³ÿ2ŸJÙÒe5>	9UV„jTÔ׳4ašG}„Ç᧜5ÅHgQz>ÜØÕ"oÍ£i:,®Zƒ…[ªŸo[¿¢!cÝÛ)èu3oÁÜKÄÏ6W
Þ¯"Ó 
”ÚðUAtE©

¿#Ibz£±'»PæÜä
-	!˜s¥8cs;ªÄj­ÌÜfºô#·Ãÿg:‘s2$Œ©ˆ×6'?^1„4=Wk¯^éßÈsê&Ù¸e;ìðìÐégªA¬½Ù¢vXþ]ïz¿Y¬ÍrôÞ=
-Þ?”XÉÙTVà†Q¢›‚3=A(ÊŒ®?Ît??xnkà1›Ô›ÔÚäŸA`ã×0滬²tôŠ¡Œ»*!ÂFë¾ÈÕÁ(»L lô-eFf×Å
-§,Éù¾Nª„8’sŽ±©U WSi—³¶,keõ%ï"‚×cQ:Á`c„†3p›	Ò£ïטvv„_Y†)„A(@n`'7)$P²tJíòkÓp?
¨OÝï°¸>ózäö	o"DXÓº3Êlª‘ûÁ†êÙKß±6ÎÀš9ŒÌ9‘寧«Ÿ#Áâw©üljœ]rlXÀfñêjéÙÖ	ˆ¹œqwLLCÖŽ¯ËAŒÍƒ•è­0|¦·Ý¢fZ/Ç
-qH	{ÃŽÆ¡I<Ü“QvÏÍ‚TD†¶ßûu|s˜ÙöoÜœ¼ •ÁáÊË—1™­.·óüe|î÷œzzEݳÝ
U1d•1°Æ½™Ä<‚Ǩ‹Ç/œapbÑþ?íÌ÷?à3ÎÙdds_ël_ûÎÞ;33gwÈæì’³ÇÙ„ì2Î(ópvÄÙ+
-eËè2R¼ÄûÛûyŸ?à	·Cžtж‰ä€¢rªØt°W¨ÂÃ^Ã>\\hŠþ…¸­£éÝÓùÞ©e‚&
-ŒÙí?ÄSËÜ·7¦Mwv½	r#aCp	ÑÁ¤»Ê«Z²â™×?åYó›j‚foM¤Ž¾ïhWò÷%Ñq.4ƒ5ÍÞóŒ®:žªFï€uI|Òxóstóår}¤‘(º…íOëËD›ïö0C³Xò™Ï­mtý#¿#/OÙÉU5ƒ|¦ðžË%åOŸ8+‡!ðÕÈïÆÄ»Þpi¯ÏÊ*ÓK(’èÛ¾½ÙR„n9 ½i3Í“~i/]L‰ÙA•+®ƒ¬-ãÐúˆ¿”X£Ôëë"M3µ°hónf;ñˆYþÒ$qW½ÒG_¹jcR2š×»‹7¨Š}r¼áègJ?%Lë9bBú<–ŽÌ&f·´È’Mµ½>ºç|lÙQs-
-Ï7û1'»öoσAü¬¸²a«Í¡K-é¢äþ{." xÊDïùÐæI~˹G=Ö±?‚§>Èyüñ°“NÐ%îIß×µ¿è4É^)Oïä¥ç¾®ÁÉ’F°³¥1ŽžzÓ€SÚóJîi¸g_
~`ñ›1E!ûŽ±Ö]Óhcotí¿AàçUpö„ß*&"-š{~gò&ú{
…rO]ÉOœ…È”[‰„î£-•;J×VAЊü$JJX&Ê×"é 5
-¼ØñÆV¼_±  ’™c€AÆ
-€~g´¦™L#ZeöܬðrFVU
-¨ì¿öžÓpÇ£†äH¶Õ2Señϵt(å¶õOÖt†Ò[	\„¢73}ñƒça-ø{û9…Ô8‚Ãõa8K<ªä-™£UÍZˆjzìɲ¦Omuã–‹
-|BÖÝB|kæZÄ@ºÛt7B5úÿü¥/Òµ׃1šòò‚Æû±®¸—ÜQZÖ¿S^©Àþz?§â7*¬UÌ‘Ž´Á9a¸|ø2DyúQZg‰?D[á4m|‚B–*õ¹÷kîìDRºÚ0„¾ýç–É­wó~ýØÒPÇü>?
-»ë~÷aœ¿nïOÝp}ê#Æ)f’’¦„?BË`„ú~R(hà'Ùç¾óì
ØÉ»žOÛšù.»ûe<™“1êÌÇÒïÒÂfÔÕóÏ“¤òÞ!°(íTLÈÃÖ¥råúDÌ|–ÐÅ8Gä|}¥|è+ÏTPDpƒˆíJN5ª,»sa}èàÝ!/ÿhEî:±‰–ÂÖuL¥èmzÍŒÈ%áØß+pJ^‚…®Ù†V§óÕ7ƒ°	3¡‘
áâ9zU¯Ì…‰ò;é–Ÿ·(Nâ°­|&=×ÝÉEr4GîÇ4ê˽/Vñùén:,'劘ʕc(x^µ@$ÛL‰†¸æVìP¤ýÄJÍÏD{¤>pV$QJ¬©ô=˜Ð9Úp€Õâ«ùD¤å0ù_‡b>éRêVtÃÖ ÄMd~„Ýl{‚òsÉÞ!5õµPÓÎ!ÓêÕ±·ÍˆoÅï$ø4÷µ£e!Ó†R©û,ÞΦbŽ†lŠ\›»ÆÈì\Ùú$Rk=›‹Tö°
-Úð­,6äX€qÐ-}nJ®k^¨£ô@l€¼ÜI>Œ˜×TqÅOшتxín°úâ…õµ4JÌäÅVkw¨Š‘þI’€¥¤\°^0Vò˘íep«%"h*
êmQôB±Ýë“ÙÏXšEÿ¶Éµú0üöA•ÚªÏPbÑËöê6EL7‹:Æ6ÒpÑÁå»ý%Tñ4w bBY6Kn8¢slG›‡œ	.ôˆdŸ*‹îí¡ï8‚ìu)+¸"xJmKMÛ /û’oË3ÌkŒÐ‘ÜãƒÛ’ÍËïÌk‡;/°¿‚ë’àU¿n¦NÔí]…6sÍ£¹ÛÉi<9s„pÓ4ìЛ•E÷³¡{¨Î¸›Ñ(@£ìª–8¥C©·g{foU>Ñ™vù¨µ«IÈÜÞPœU›K)ʶZQýmk ·çƒe~cs3˨Œ°2è£ßÕ ¾ÄùNs´Añ,ù¡H¾…¼ÀÅt••å;:
-œ•F“þ/Eň¢M—íîÒX
=r‡K—+hö¦­y¢–éx>39+¥¸®¯k"½…Çl÷ÀJí„MÚÜ8ÁYËÜ&F¶”´Ñnýó'¶±_t¯…´²ÅÕÛ¥ ¼”žŸö8Gojü=ã6ÀçÞ}IP†C?äy¹l÷×MÜ8ºSJ§Y´%$<-ãw¼S9ðJU&tŽÞ[™#ÅÀ½5‘µc§O&QNðoMÂM/	…Ìþæ2¼`ÕE”n¼]QàѨPØÅA9TM;x¸á•3O‰­X»ãÞä»ÎúF_s„"oêoì9‘ö-Z%×/ÌÓÀ¨LÒ¬ŽÇçDrU‡¿¶Ï­š6ÞxÓÂï¯Å÷†½®w~¿Î~ÁX0nïýe´Ý&¤„’Wm»Š)Ôšë2ÒÄ`ÇŸ­B¢ž}dMÞ xì)㟂ñU‘dIÂçÍÊ>`O‹5ö7ÕKõ 5ñŽ£ÓÔ‹Á}äIZ-™óDZ´[ŠkA,è3úI—ãq­«E2·:±AÚJÇ‚p9lrEèp¢V —2JÙçï£)m×·ÇѾ&\!H !Wuy§|õ
¸ýkI±3ÓËôìünŠÐŠµ¼J§UÇ‘º;Ë÷Û\»#QÆ>‰E¼ßå
îÜôÕ7;w“«)½VM.òHfÜ7$fÒzVÒþ
®:ëÍ©Û"Ä%yF#u»¶b1:î£Î¦Ð¦ºwI§âtß±.bïö:Áô|š·!/ä‘×…lEŒ];\PâéƒÀJ-†ùfï\gX?ÚÝbÊâ¼q#°È™JZcvr›”)\MUŠÿ½žØ«R#óÞ*{OÙ¥òó£SØÊ3«uS¥Ò+¦Ë?:ô$±ó4£º‹Õ±™o	°Î³d
q‰ÿ|¡âWV¬I¾ßxo¦Ì=ˆ4Šž%,²——Tí–]x-«GU}¡:¼@šëäãÕô´:+VfÀiIÆx†‡Ë2Ë–„\ü_¢øð?¸ùº»Áý\}(þê…Þÿendstream
+ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î !§)¥%OóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶Fö¥©F{1­(zR€—ùøÞ$T}¨›ä4z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
+üÐIí|ŒRëc1:QA¾Õžž‘'?=RŽõÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà	h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦·ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
+쿵$
œÉ„®'~»¦ìw󬵮¦~íCÊ]™Qê,©wmÚ'c¤	w®Diµs$óÐY–1¾—f‡ÙÄ&>.jüäë賬9“5ÎÕu¨ÍÄV¤?m=Á8ib/4l¼˜’lºÖ’Ÿ$):Srïð¹ŒtéÇ#/sƒydŠü¡
_•vÏÐX¢ÖÙ"» ú”4Ú]Ô†Üf†·”-FêÕˆFG‚„ùs!kt>
+j8+¼="HOló‰à|V”LôIŽÅ_y·1A‘T5dSoEy%|Dm3N†Á‡P¥{ú¼ÞÆÙˆ
+šÔ0ã#¢DËFwˆ(¤ ÙÓ§~¾f%ž©Y·˜"<Ø™Él¶‹Ç¹ÿúä2Ý©²HˆîKöÿ¢Õê’2|Cu˜Äï4‡ÙbIYY`AýÝ«!ðc*	w¡)óÊ~#†!åÌDŠ¹p¼šÖ™(bðÆ%łߪÇ4òsœ.劎^Ëú0ª†'>
+dÇ$[ß4˜h3iï*#§†]Y·6_¡$l¥—\5Š´
+ÖƒGÒgÏt7êz \ÄØSÂèÑÝá	Kz¬Å~»šF£¦s>y{­)ÕCóaÑýû²Ú7×	Ý#ÓF¾o¯Q2v3äòÔן¼xÒ¾#x9s¬(ÃÇÊÒ÷öUX7Žqb‘ŠŒHö;QºÙö³ˆÊëí:²5p,sÍŠ˜VÚÜýXQý3j.jWô…¼¬[Ç2#oîä2’«²6¢£yé0O ÙÓËø8³)Kz¡l„ïzä^骟|‚gOH)àY	îó¸¢e¾,Ùê›Ì,ðŒ‚þ²Êsźy&Ê⥄ñϤì*“@bKiyäúk@WÁ»¾/ÿë÷îÆ5
Ï##êáù@¹‡ŽRƒ;ÇË6ÈV|¶å9{<)¼ç	QU+ó؉¬@"9ãå·¾9Ì-–†Æ¬»î³ØŽÈ³¼…„e†tY.ž±áWËÔÀ;žš¹„PfÙWÐBNûŠX÷a|nÓd5ÕR©¡Ûo÷¿]fǧ_$¿å0[^ž‚IpƒVzrEÄsÜó^Á¤ÑÏJó„½Ë®Ïô—qŠž€3«Çþt¿ipôøɼïÆ/ÑøµÑ7d™§©M’°{<1†/ß{€"Ãg'”Dnnë«J0VkÜ„},j6ä²6”ª’nå'Ž`gâ[ö
+õ	Ò””d³3þˆA*ú<ì;»ãçëȈÏÞr‘U¦Ξƒ	¸R64yEIÝ#ب[@“4ÂS»Ð¯«±÷è(pÖg/ä/ÄX»ÐÖ@­Å»b¾äcŠÅIî n¿¿„îçç3Ã"çU=^ó»\XºwV¯”¡ûB:Ï‘
+[—ÒØ$ ´zEø}:µ`s(éHô‚Å+X—³÷¶*5Â^ÁmøÆÊ$¶ïÉéGH
+>êò:Û†ç-àñwN‰
+3“7º]Ç }"}xt¿-i7Ÿè¹½‚•
+üƉ¾ÏÑüІž@S&_#‰= ]Œ% ešPŠ†¼RŽ”oQÈJt{¸œñàº0ê8&ò½A"zXXª‰„^i$º@õÁh0škm}…“u­@îK/²OÊ\®zOóu#«"ùÈR.¯AÇ„ŠòÙôÐJ©4I°muþ`*?섨0­V2×~„/ŽZ.&òÂ×Ñ_ݼÇa)¼<¯l ‹¤ab˜wK¿ð[p…*¿–ªì˜F°_z¡>ôÿ-p¾þmQÌHtðFЇt½®
·Ð[Cr:Îæ'w|…ôSoñ;ÕdȇkM*a1eˆƒS¢ß%!¹J-¢¤tXäÖ’´–šBÎuÞ/
+p‡÷/ó¢nD(0ÂDã ,q®R5Î@¨)µŠ
ö|÷ò¤ºÛ\{=÷5¯ãƒ8zBuyÚ£e4O랊u¼z.©2Êqi¼ûTœ°,³Õ¸¼[¡~o$n{Ìq³¦×·1åŠ|…²Ï!§-4`f‘ך¹ïPÛ¹Ui«í!3ÏpN"LnR‰ôAQ“!ÄùðíSÆŽËî1ÕÔ9PƒoHT7-÷dâz7/ÉÐ÷3¯vU~2‰áW3Ýk"XŸ&¾L;Ï´Ö¾s°˜9¿O'`u?‹¶Ôi„ØCBs®Q‘ô±…ñ"¯Ïæ˜L#ÈÝœÿìUüÒ¹ùeŸáS©Ù_§Ó¢ªîÑ
_e(ò~
¾áÚÈÙ¼ßÕt2ƒÄI]Õ×Éuûͺ›WV>{€º^7¬K·ƒ9@3¤uÜq¿¯ØŒM(ÕAfW$ùÑ>Ž¢róÕõ'Üt*®IkÒæ·&„óÎãÔ£yù„2¦§äº VБÇ/êÀp4¹‡èT›ïwnÚuŠêæÔgW«È$&¥é®&tÏ„ZgqÙÇCȇŒ† ßðéårüc­ŽMÔEÇ×çÔkâÓåLÁG1‹^­?z&É ¢2™"«….^R,• ÀÜ ndAU]l$þôº<¤qJá9	[Rèç+œ„$E˜b…†F΂dù#ÕÒéËYûV·"r†Š}cà’³$#QZ0	ãû‡H„f¡ª÷›v«±*øöç9ꞧÇ)$¥!€4%J)Æ«B¡(kèè^«£ Œ¢K"ôŒÖIQ§.¾É°UDBó€â¼HÛHzõV¢’éç5柑&xã>fé.j/O§Î5$8žÔÎÅòíÊ°¿_ëqv–'´#zÑÚfs
+[Õ%:P+t¦*5Gil@ÐvmY‘ ‚œÁ‰~¦S JÖjn5£ë—ðys¬Ø0ÒÉð¹¼tOC»¯‰æ÷­™ÄiÐDX¯ÐåpÖïÆÎl¶TS†ffe2·©iB>²ˆÜKmV3	·ï¬I‰Àq>ü€~y
±z‘ô&VQ|!æ쨯tàZ…)"¡	?ëzÁ4%vïù2<€ºµ—ÊŠ¶ÍìA6hä挑ÿ>„ŒÔxZÜ5&R'!Ö§•gÜ…«¢ú½s’+ÔCÐ[ØÄx›)½ºo
+Ù¿®;ªôŠD™r]9@èšÌˆ“ÖS|æ[Û,
('|f¤~}Ã!Ónëw¦©®n”Š\8ÖgK½Uz:'=*"Ô›%FWHO´­Ú³ÒèÒõÖDÐ_|ÌÎ\ê\Û
+qá‚ú a¾ýGŸºî“•e
+™âîÑ~)Ü“U‚™$¹ß“ñA=‡C“ü‘:³œW•Pv Æû§hbÖ¼ð»AàlmoÎUÁùË7…¹í\~3È
+ÂÏå±äÑs‰TNŸ	+Ã<ˆ•9O¶¥fÈËDˆF§‹ÑÉöY廙l›¸·°6¿33ïáð\1ôb°	a÷	Á{ó|³m«é*Ê›}½"é?Yš,µÔ¹‹e§úPh‹ŽŸXEô¸º\©çÜ[ëgøV3C^à ±çSø¥$š ƒÛáÃ:“É»®’´ð¾ˆïÅ^ƒÑÁ´‹¶ù´ë¬†)à!jáìKøGR~ŽCkCœùŒBΔí!$ÐdÕˆV`¨­\ ©n¿»Gó§æHðnêÚïvœ&ëÌŠ":—íÞÕ^"Æ;bÊz³N¾0UÅÕ–ûÖ1ÃÁ,Ծ㢫|7ßoV};º:Mý³éØc£ôÂà¤=™MhüCÔgaì‘7¨²Âˆ±b®5_¡·¸/ÂH:L«
>r>Õ²"™y£6o„Aù±RQ ¼“_;N\¾L©µá%7¸àÀ‘¾g$µc [ž Ü80›=~Øü.¥T¿†ñ¥™^šW`/ž$8¢%S>ô”æý XÞ$'ñ.ά¡¥„2Éÿoƒã;At«!Äò‚´žÖ&\Åžã™dn£˜kjÓ¥³< -YRç˜oiæUìÚÆ‘ÌY	Kî%?ê5TXrz¶ë[È/¨£=gU0‰Ü„€UShW´1ûºzcw™>ÔXê1§†S\»²3Š‘ÎBaʉ@,ŒëÂ?/ßu3u¤ð;…®MXÛ;Í0¾z“ƒE9–T¨ÕÖ[x,ÐÏsô1Æ÷Ìó–Q£×©VNcÌ…ËrÖs,¨ ³“eeµ‚l€N0j—;î~÷–ê2›ZoºäÆ
JR¸¬Ý.nìÿ¦ÏR(šF½qqIéì{7¸–lƒ%Jåíi6.’±ñNJ„µ­~d¢Jă÷^Oß«ÑÉs!¨kgw%¼¤ó_†©ëÂ
+??zÜ…¤Ÿ'PìE¶e6¹-Vƒú£ò>áÂPe†–½Í•Gèf5©{AuÔ¦JÑø^V¡ÌP
+:Ù‰4GÌCe*Z­:?ß"íÖŠS$`ë¾*~=QîFf†£¾d5 ?Užaú9v¢÷"“T!KÈ
õð;[ùÛCµÛ²Ñä$|É•ÿ#]±·,ÄgåÂc>t-ƒôÏ/c!Ö’&,î—AØ$l‹ˆ4`¿Ì™é„G‘9h{±IK­àôáî·3ÂF£Ýйô±Peûw
+
8ø=ÇC¦ñÙ"ê®ÒL¨ì:0%»¸vÕ´HƒŒ?˜ø¾âù¢õ3™VF_?Òí)Û÷³qoTŒ²>ô£‚ùvî[±~á+Ó
ñ¢øøhÂ…ª>çV©Ã{‰iÜÁɾ,ÓPhF°1J4‘÷Ò.’×l"üˆæ
¿D9TäÝ!°hjky~ÒHTòövd@X|A¼—Õò/²áxxûfÙ	z¸|ÁV§Om×¾SD*gi[‹4i	p¯—ðƒ½ÐØv	)ilPcΙŒ€~9¤Í^-P>½•Sø¢ªÖ_Ñ:v}¼ú‰ø9#}hçp‘à;‡¾¢~¶&í@»Âªž$ûòYéØsE6ýPÈ¿Dpñˆò϶J
úy·#“Ø'PG‡ãŒY9ÇçzÖïIE ç©_¿+Pììk.Âî+çpnT+±µÇ1*#Xd4-.¹.f(܌̠n{Sš©|ãPtw90¿Ì§­ã=tÜr•xÿ’Yñ©Õa…@.i¾™?#E¬4*872lºGÝ›ü”òóÕƒ¹óšAúa§¢+lµh›¹cÿ[ÅU‚·_Q'ï–íMÇ7&U6æØ‹{tÍ3_ŸÔ_óerˆ$q¿E½â>$zr,¾.ÄBËëDÒ‰ú@û‡ÍDü”Ä­wPL+w1xàKDTjã_žKU÷‡Š¿÷ðN€úè±=©C;]‹‰ØÑ\z©r¸úÕ~ÈK*¼Æf:²}䥳ý]°¤Bu›B<+2¦ø¥Ø×Iÿ§½²¿S©ôûü¨·zM­<ƒïˆn1•ùu›Ó÷^Vú#:.æ?¿yÙž®ïµá§ðƒ£|`q^Iš©åâ:kÓãZFMd§Í‡ˆ¨><…÷Å4I)'16TØ͆Nß°`‹ð`	[€r	óz‡ÅÜl8±§’¹Ll[@Æh_ëí; Hk¢ÉjLÁf'‘Ö%З&så@µTýb[Ojöß	0®šm-Z‡µ<"ÂVç­wSp#H¸Í°ÿ,3L\g*±Ý¾–Ýçpg¡’^uІªH%a€ÃuQlàÎZK‡B£vHÕqe·lAW`¬úÑ–îxüFÁŽ¸“Õ7º¼ÎIhB($y{³ÓËòMSô~¥ã# Z|Ѻ6Æ×c>ÁB’Y”ï‚*¤ÓµEkèið„ûܲ²ê6ë#¥ÊxNÛµqqŠ®k%:ЂÃÏý0{Â4Û¤8¿ŸJØTá‡ð~UâjçµDg,Vå|ÌÙ)îmÛÁÎn$;ùâßÎWûË)6{ô2÷Å1§ßÿ2_Q.4ÓZxWG)ûqŠ·óGŠõ{RÜh¯ºÎW¦ãrzÞõÈÐKËDä]Üw¹Qöº¯G…\å#n—ë{aæÆŸð»Â¯U"¨k;`aEw}øŽ¦¢´Äætf	µŒu	&ßéæsÜk¶Qk¥pxNšnL’v’Ô(|)²FðcˆÇY£0c…‚Ø0cX{Ò}hƒ¸eÐúƒKŸ:†ohÁhdYÔ}îw¼Vj¾]½¹cû¦wní†PžQY@V)[7ôU5:Ò³ûÑ
7k"%W¥v3<ú[j¬ån–E¿kƒœm»ŠìŸ×—´[™Ý%I¤@DZrbÑll¯azQ?ÍüŽÂævFúµg. P³e†¼x€ÉôHý‚€#j(hôÄEÕÑ7z,œB-»§óÎ…5E«›}~i›“;e€b9i«À9úHðêùÚ§7~ Êã>OöᙯµÒ+7¿Ë„8Xu@HáÐG§6¤'Q{—ªß/R2§o´D^ÒEœ (¸ü,¯TcÏ©ÆìȽã‚Z]iÚXçKâ Ó«¦ŒÜ„Y¼ý}ÉkwïPï	<{.ÏÓ™O .õÔ‚Äñ|Ÿoh£‹êÙÕ†4ü&Æ
ÊÌŸ¢RÚ±¡™Hõš‰wó½é2)B­…‹·†ª"Ú7cHЭŽ8º̧\tøºlg%Ijð«]R˼a\nÝ8†÷¿ú³à!V#RÎ96áw¥1K©DŠŒ?VäÃÍBD\w.UȇH·:Êæ·7Ä­‰ö‘gBrny)A½Á4k1H´?ëÉà$œNŲ!ÉZS†^0yVÖldlƒËä~~;Þ¿g;¡Ð\ÚaæôK¾L‚ùõÛÛ“½O’l»,©	¿™[§
+¢ðBîBZYø ¡QÚ÷¥Ä:_}ÒbeÚ*r³9ò”¯Ô¿åÏ{ݘéËáªÝ]1÷WšeÂ…5âo#”‰Nb… ¨ô>¶ïÓAÎì·¼žíÉzàá]M¸Q»„)ˆ'°&má"²‡8øg+Gž‹-¯ðJÁÙ¶(!‚d%šò÷F¨é’‹Íü0ÓK^žŒð§.Úf9Õºi"‚Bœ‘תÂh‚0æ£Þ·/Dž¿V™¹6j©Û̇‡o—
+_0ß9ø™Ü®Á³@3&i¯)BBD‚Òr8ª¯sÿ’¶þø¶6ù5EåÇÁ‡›3§ŸÒûišI©R«‹ª]S¯Ðeÿzý!KþãÑÑÛ7çÙ96@:áO´ˆE(Q`¡W¡ÐêgÉCIචœ7·@ªÁ×N~ðOÎÏL ÔšîÑ„6t>æ€ñtFt&QòŒõk©ú¡Ì:	ZBw˜0.•Ö 
+X˜DöBà矉uƒRá±êëŒãù³"‹‡»½øS,VëUgÈÓÑ×Hë‡
Ö•Ø®ôh3ßõ½@gYa°«¯ÃK}\)ÚÖ„èoô}7dÔ{Â+ä’רþ‘ǟúiæpC8[bk%u‘I0: ]¯úíŽI*]¬NꌕԲî<'âÌ€Dq¥1öYßþù4ˆù;4Ù´Ô˜¥^ðžöE›:ãZ”¢‡ÖãßhSÁÒ"”‘æeGq	¿¸ú‚Ò®ˆ÷ñ"‰v=}ç¾ÌÅ%ű;>RÕw´ºÊuú)DãPèñåVÂ-{
i¢87£rC~zIu(a=/åÓ`éÇ
+`JVæ€ÝM?Ë-*\šFì\q¬w÷4³Ç"Ây'LÜi
æI²úвTxÝCxEåÇ7#Í=䬯šÐ]ÏÂ)9™šj^wpŸiuØ•°I/9c½šÙ;ˆ†YÂV%íÇ’:ðgEFÙÒ·O(–qS”•=ŽM.A¥ó¾5Æ·ôŸ·¸PF×/ *ÝXåï·Dê,oö°`ÐO„&ÄÓú1¢ç)ã”au§4‚x­¦"ô£šVKnþ?af¿½ðÒâº-©Þ(äM×4jý€‘âª[ Âx06Ä–3±ÊbV®gG¬$¨ˆX”£þÙ]0ML]B@! !k“ö'9iH„%7ØdÇýý³ê«VÂiH€ð‹Lêõº«§ÜTÉMÓ´1=1TäöÅ¢ÕæûH&LÏ5« "ŒúÞ¶jªÏa1¾5e‘ׯŠ9³dfƒC|—fS}½Á¢^3²Ry€!©ìcÊ^Ù±•CyÞ>æäŸGY›µöLˆ²Í+ðüw…¯‰‡›]E™†ÏIœº#½Á”“W¿ig/€¶0@hçnlÊäª5Áç®ýF6PI¥pKˆÈKUëqßoÁÎJôƒED=§É*óS½PlBø±a`
+^ñ2Ý9á4GÌMdHä:a,h&y	að;!Ù$õÖaÖ8|Z2ÃdÞ‹J‰Óc—…6‘Ñ}Äu"åÈÄ7)õ)ÚÞ”L#mõ0n—Ü^žÇl¡~c[øïz¡AèÖЕ–êÍ™qùÐEm)PF½÷¢xŠÔ–ŒisØ€ç³D6
&œ<ÝÍYï’Úl¥ç¬œs·ÚCò£ypKWFsš£jƒ“ÃÉs ÈÚË~
+¸š4?æ·q|CÇÂ[9ËÞnÑŽ¯U…”kCWvܾOøHBÔfGpÊñ¦Ú™uw"£Û¬‘M+<ÂREÍœËâ`Ôщ) SßêÓk3—ÌŒÊy‰m:ãs‚êf“BܲþàĨÙþ†¨4ÃJ´§¹=µ¬l%Ž»Wa*ÂÎK6#º=\{œ˜{áÒBz[òaey}1i%œ1ˆpÊeDNi±`à6^¥
+“V-Á …ê©>Zw>î^’:ðëÖ£,AÎó=a¼PP?N}“­8s3zxC4-áÙ'Ð@¢¯Äa0½ÌåŠ&vù& Ê«¹jÐ-OB;ó¹bîAl/­äÝÈ»÷
#o«²#yÁ?.¶Üè©®Ï²
+sf"7íȘ'z½½Aܬù;˜-Ø„º5½ŸPoö’RnÃã—§cÄ­d>­Õ‚ëmOévXš}Ý…["äC»Îµš Ú·ñfº ?jÊ…Šs$!ϧmAb÷yg‘Õ3–ã¾ú©Ÿ™ì‰YÊIÚÓjû[«Òaîë—e·Ù{/ûÀjÂé‰õÙÊZXÀüì˜à äa.ð–Ïæ\àß›¶üؼ¾~
ê¶Éþ¶ü5öZ	š‘X’oJQ˜iOÎãÅ[=Z)é!³»&ç–ÃîIëBå\Ý;»"B7›§ c)Œ—†Þa%ó‡ŸTÚÅLn_´´i·‘c•udg/U†Å=7
+BÎA>ȨÅt»î„ÞñMt7¡Š:»ùœ=2>ï((Ÿ!{GÅo’8DiåGÍlœ
ÊãVÍÒUŒÖº‘jÜ”Õíë
+ÞÐõ)δ¨ŠP=¥ŠúçÇ ºÚiÓNRŠÓ€„™m:ô¹¾@1??¡–­”x!MÕT•ÛŸAsË•-&I˜·ö@ãݪƒêE!F_Õç5²î´ÛT²«ô±.è-ó°{m”´YÐßžëÈC&ÐöºoÕ¬ìêW5iø·Š ¹Ž–ðûï~dÏFœöN{uÍUg¿a`BFtCÙ¾VØ-¯Vâe*ï@ì	@uòQµ
ä8L°4§2Ir©¶Ð“†¤o§¿Ù	§¥ëÁIÆtPÕ'ÆiÎâsëŽÉÇTЃF`Þ™0Úu­5hJ»½
Ù‡,KíÜкÔP¡f|éO7§Hf|dÑr^kç
Žß¼¥'@>¢íð@‘…„—Ä”ÄÄJÄÞ¿Ý>3„Œµ¬èZˆ›Ù¡R^XÚ9ÈÍjÕy0”Nš¯s„gA‚îWˆ™[Uú	£™2õÞzבl‡KØ6`ñ
+î†Å×°æËùß'™+¹O?àªH‡q@…ÑQœÙ–l.vk	-3Ô+¸GçQ@CX<¢â*î>Ö‰?7ëÝSY±ƒ°±÷a~ü¨=j ºíd„¾‚þÔ‘"Ød±ÊUU;•ÞÆrÝJéŒ$AøZ©uëÎñ³‰W´Bšgûû±wæp'Øbû5莵Ë#—½ë
¿É¥M!¹q¼V@«ßÂ=¼8жœÃñ!r1†À`^6]ÈÊü«o†c\'7 V;:šb˜€™Sì
+…eȤ½øÛ ]Ûq};—¼¿ý%W[J¨÷¡¼–Þè	aÁþ[Ò-@^ŸFðGH¿	ìÏÈÜ°<·eÕ@wô¨‰Îy«(‘«xd;{”«‰U¸otÁªDÕL
+˜ªˆÍ|Îóp—aÜ^§9Lî÷‹¥¨`=1OþLˆq‡p–*ÃsqÇwŸÚOuØÝã-ôõ•)D©Û¹(ÕDIÅ,$¬ßÌ÷!›xŠt¾+’V‚Zä\õ‰ØÑk‡¥	vÜå#
âiÑò2œK³ÈÖ–ª·K ?žfÁ_ž`á—À§,‡h@cÄÏÙ›‰„œ#¦å[àŒ‘æÈÝŒ‘IágWà^2/Œýäoö9œóê¹ÜüŒða yƒ?wR"”S;¦ÇG^ˆø3ðÙ»¥%3œj˺Ø&B–#vàXÂÃÇpçŽ7†.arï«ö •íWÓ~
j¤gb‹]ª6ɵvô±A`	Û·ŽîB	s8<«ò齓O`«ç( &»Rð¼ÕSÐó–=Ãê‘1ßì¼Û#ûžB6&L`¦­k7èT™7„,uxæ}ëåÊ{!,¯&šª‚i»FB6˜3=…ÎÀùÞþì…æe£Qµ5'ØŒ™Þ+ò@3îàœ•öÝÔÙÏ£’â»Ûö_:`n?ãô`}ò4	T躉l¶}™=aC,I‚#«&‘Ü÷Ó_rlïyÅ–$S—‡—8•í–æ
æý©ŠV7Wo¿ßγœ'“éžÁ©Z [ÆN«éaîÓó'¨5ˆé´ìiU÷ç+3=;–ov
–ç8\	õäñ›V†Ã4¼@jãÖ)ãì±Ü>ÒíªO+^xN¼s—]Ž»(¿ïi¥™¡ì
§±,¡ÝèAÒãÍúŸŽVjóºb,ÇnåCæWä¾E	±k‘
+^ú”ãh@RÄfíÁ•6—U
+×qóp&+yPå°1¦àÙÂ¥å Xˆ|¿ð$6Uç»’ÄŽ¸%¼ûm'v»!†æ^™íç Åä.°¥6q2Œ\õº«CÛ7E.ÄÔ—¨lwBÂæ8=÷_so09Fµtéf²ÅoÊRaáÜJýèb;†xŸ)ォGœþW¤ÈùQw¤ØØV„K˜7µºy$•o5MåÐà,=²æ_³4¥ñ3ž•÷°Ÿ
+áB«¦¨Û$EZk°`ë¥Y
5qÁ[œù¥ëÂF…:ÁƒN„´®jîܨ€›JV[‘
+ü™±8Ébº¢¾9àѲœ&Â&9h°¼§!`Z„ù“½M$¨'Ìé·Ç	ˆ‰b|ö]·[EÍ\çtHL”.=MSeî{F"ä(ËfIÜ
+ˆ4ƬÆx»ák&ªˆü•“KѡڪƎ5soõUKæU6Û‹m™³Ó<{WûFgsü2‘“+tëÑɇ¡ˆ§Ç—–Fë¹mù¨ö9¥ûŒí¬ (	Q«¿˜?©Fߧ$‹OÌr?ãZJŠM¿{m9ùœÄ1+É°‡!¨Ú‚§¨næòY:ŸAÈ‹Wv¿˜iq“~ˆRŠ:²«ªj½¤©Gc„ËZÐètúœùyF6¾K*Û[HzÒ§ib·I	þhŠÕ‘¿tîÈøhbþàáDëÊ0Žñ/—Í• W L|õ)ä™Ê~¸Ã$|hæ¼)½ü'CZHsöfW^È¡µ
„u™§™êÄð‰¼—9*ÙËŒÝÏO´OýbDòÎ7Ž¶³B	­DÖD3]‰xécFb\“4“ï› O`É@®0{”X«V%Üq7j·6Ç„ŒìÏõ¼Âør¶µ¦§@Üt,«"2ðÏǹ.Š­Ý§ã7‹ø£¯šr°>C;–wD72ÐAvIlU&m¡•˜E4Ù(`ý[wZQ3‡Ùµoœ'é†zDŒdØ'ü#mø
Ͻç[Ü#ñ™‰.i¡®îñϲzåª}:K-òÐm(¤²“™º>ÍÝ0«l7á¯r†Ûì%óÙSï)?ú±ãR™Â—wv“iQ— øð`gcÜabO©_7d@Óq¿"	™%qtÍGJ߃Ù56榑û¶5ù|[!Ä”L{ü÷ß_é$£½—zø[HŠëNκü-ÅÉEn4«Ržú˜‹¨ç£”v”bRŒiº&åõ8æzÜ®ºˆA¨.Ó}:pc“%„9¶³C@Ã×vt|jâ0òFóðÛqò¨|jùŠƒÊá~·l–‡kàVÞ5-¯$Ý3ð`z—º¨Ùû…>F½IÜÝJ² ? =q/ ØîAÏb“~Xc„\9+&•óEµ‡w)³SOS>}Sl´;#5(î=:·qøO\ᦦDø3ÖF@rTôÙoÈ'É@'áÛ¨9o;=Ò«M!±ë{2‡JÕöhU5ŒGÊÇÅúÔr–Ùèjšíê–uÀ@Ætáóå•­qW3gPÚž‘õ§/-‰Óî¨~%ŒŽòû‘„¿Fãk	Óü§:(™aÿýœßL
+íqÃoØ8\"ÉÄø‰m~'8
£Éùª¤\"~Ķº…puX‚8R±·ù;¤‡,qÞ\;1´L	AÈ›œ>lϴʘƒš¶ü¸\UÆækèK¬ôó(29÷ðJ3ôûõrï˜O²âåMçÑñBu”蓼!þ*²‰ñØx“–ãfðÔƒªáFb6ä([N£+þe÷#Ìó,+CðÇUÓ3Mcf‘ÐAñn0Ja¸Þ.H”#ÓJ>U³ÂåbFµîV?4™;>
+Û Ì_÷cvDMÄȺ„‘)˜3,fÅ·„@sž?X³¡˜ò\ªå$@Š$ÈW;ö=W!za(NGv È(èᇓÃY†CõdQ1”On?S9Ç>Oµ
+dõ›#.
+óÕu«ðaxÍ'¢T´Æ49¿}
+„¹ƒ°yeàêÙÔSYãæœjî×]…)Å’ÀY¡vSWòÀ­¢ÒGÕîUê£	ãþh4×
¯DTÚè¢Ë ¾ŠŒ}dœœ'.ßñ»c)sùÂ4E©”€cr'L’q!2XdêFÒ±!NMi€âñ¢ÂdÖ |H—^ÉuÞõ“ù¦?aÈísNfBèÈ(û;Ÿ>§[Q-„- ï$àKor§ËûI’;G¸],˜úJâAžXÚ€àvÞ9g•0žh}[ü £Å‹—T€%/WHþî×Dªÿ~Å!¬„ŒµWJQ;dZUüÁˆo	7êU
‰iT†dGà!y×"?αLÛuº·Ô~¡šŒ{U#[Ö÷g_SÚ®s·ßñs=„Ñý}Ž´þ^W@ƒ¨IÙ9¼£ýè@‡}Ó$0_>)’¤Èz®Ep,—ðóõ覲üˆì£å"è`06déðµÃ•GѶ`DÅÄÑrß‹èGÃõ¶F´(øLIÓÓ2¨ÄhŒÑ¢syçw-[ý $SŠQévÂÙG0p•|õL	ŸûŒM:2ßx¶åÊ®I÷ëžvH…¶ß]„,U5‰eÅæ°LX*º{Œ+—LÊjŸO}«nU²9¸ç\wýÓ/~cÝS4ƒRꩱT.&êò³Í66USQ–‘*·R°l"È÷è;/Z÷«ÁB5OmùǤA–
+ÈïQš4Zl’€AÍMNÒ1B.NèL·YÏ¥£ÌÊ©“0d›±)š„¢«ëOØF'Í<I('Ó.DÁ=Œ”³‡pEd­ùØøõmQÜÛÓJ:ëÔs††¥[H3h™7Â6uaÂÈ4UgÊh
{V†k|–¶ žd£å4A:kY’(‰®rŒ“JY55b¢Lï¾íV·œ2kÙzÙÛÌ9éúŒðlâÞõa÷xSkðJ–†µä{Út´çŽ[9¦3ñÇk4OÂK8­Ÿçå Û°¨oS3æÈàQÌà~i–¯³•úc"uË-ëe0¶Áÿ6µ¡ÉÞ†ÚÄÜøÊUƒÆï¼à쌪2ئ„T(™˜ž‚è ¡)ÙqìÔn»Fñ±Aò¼Œ
+~z#ë6 å˜Mmné©^«ŠÒŽ†y§×ù{?¤¾ó
ÃN[„!H-Èâ–‘Ôyúê³Ból«nsªYòU4Mö¤
©0lÕÜ´~µÇê½æ`¾ü™ñd™ÿÍ%ºŒ(„ïñÃpY0çh^zÑl™dɄ˱½ú¸çðG0Q'[9R3…m4cA¸Ôá÷¹öîY+x‡}Ê)¹ÕV¹„çþìm‚›sÞi
+chô„,	3 ‹
ï‘“#•ÃùG	ÖÑŠ9$5à »l|ëQλM}ž¥’>‚ÈÔ!¦}™n¿°B=…_½' qŠ=ò¼²D½JQ:|4ù	"V&71¢‡»Ê´XGŽÌ˜Û6¸XÉLjðD^«Pìˆ,0ª°>«ÇŒzK„Uê• Á;ð#
zJí™ÛGÃLtåk
­' , 2ýòô™ÏªÍÑk|Õ[~>'}A–ž­h¦M$™O¤{É™™aý|Fo¾á¦›\basmç­‚‹ÝjM߃½€—RÚ·Ž¤`W 5YC¶]Þœ}ËA…	IñFÝi„—¤>4Å1 <ÏÜïQ»ÔäJ!¼@ïµ/g”ÆL…˦Xx2¹Z‰—L¤xó¨jZ‹¿•…<	ËÍ(癵uèKvÝ%'
¹ä†¡&$XôÕÝevþŒÂ…--kZ"»À¤Kõ.C!5—ÔÖ²
NɆ	ÅŸ;DrR,çÖ‚ŒQŸ¥Hâ-A(wYœÐ%
+ ±(ø'E5 Í0Á{'­WÈÐÐlûù
4·Oÿæþk¨ÕÏÙ€œ“æ¬)Tlý¼SM¢ÌºtÙö:ʇOI[|¹,™á
+¸}³i¼<nU·ƒÊ'D†7Òz;%s}S°l<•’y°46Ê–TZ¹eÛ]DÕ\Y¹ñ}˜en|(xèn)<¸ËŒ¢G/Çê‚«þf$'„ƒ":èuë	ìðx/’<€Â?‰CòSÁ064qcZŒz¸ÙÝü\! ;‰^¼·'PZÖ‰EvdŒ¢bòjGYþ=Ñh/«¹È´®ŸË	$8éÈ'kê¼²à
+%gsðùB§*÷Ä•TÝþô¶VÔ½~Þgÿ°s-Ãê¾ù¤‡I3ôÀâʨbŠÅ4ZŨǾdzçÏ—à	Áç‰÷ø׳ŠX]"ïe‰¥?ÂÛjš…<®ÛsÒfÔAgV+¢ÔŸ8ýdÚ¥_ÜÌl:ɶ™q
+L!
…a¥,C-CŒ}M¾~šÞƒÔCzâë—ò'|;¦DÜ‹	Ž‹¼”ýû·NsŠŠô
c‹Ð9T#qY%%ËGð	0Ù¥*÷f’®
+.³ã׋ÏLH]DÒ.½Å¦œÈçûNcxï*ÿÍRŒõjHGmwr$Æ›~üzXÉõ½c7G9±fRpÂÔ›õñ`ç¾/ŽFöøÍ¡Sësöe‘Ä¡ûůjrv±K±‚º‹—li¬@bÁ̧òÓµ¬FÁ§”L¡s¾´_úm\9G›8+¥£XmK‰^γ³æ&„m©œtðÞì]ª_l„Š@O3º] q—ÃX;Ü3œåá›
+kƒãåxÄüÁ‡¹C ¥"QPf¦CY_vŠÓÑô|‚ŸŽîdœîÃ:
eФÛw‘éûe« VÑê–†P-o‰ã¶*‚½—€:GçMøŸ¥ÀOr¿/CîlMk[6qÉŠP·eÙ0ÿ¸•Ëzý?TRÈõó·—Ï(ªå8“j$27BjߺÌèÖ–õ¦òãȹÿäâÌ-:N
^TüÚO`bŒvï	×o(<>yýeþðHó‚Tƒƒ2¸¹ÁíåÞ(å2Çæ¬9½³g¦F³Ùå’Ë?q…ÃNßJšPZØcš¹ÔiΑ88›ï…wäD&oô\<朕çÞ‡.'cve‰kÎþšØuôI¡]Èš‡þý+‡¨§Ä ~¸db D:{‹ÛÖq	•¢j+˜ZÖ+·?ÜT±æ­ºŸÀÜÀ!
+û:%é5¾¯åV¾çu™J°5Jòb´â"2jþä³àí=j¹òüÅÍ·½OÖ±¼×Ñi¥Réqødoeל}½j(áIaRFT¼‡{°˜Të‰n°‹W÷'½y@,}H5»A¬8ÑLØÑ]ƒ5ævYÛÐD"ßïŽÊDʺ°z¡Ž »z}ð…ˆÇÄ_@ïO>s0<#gr¹ñ´»f!bºÛèÊ5ƒ¢Ã–x¦ÐJÚ./°A>x»! jm–²sÞ7vÁßC}AœíÁ÷}Žn4XìÅVÄés¡%›†¹¢{Pû< ´éÔ Ì7¹d±·ÝÖ.´?²s1‹t¯}¼;¯±Ý½’×Gû»{UÔ.!ó!T-ºž¸9Çݯ~_’*gûkèŽvª»¦$û¦ÝU‰ô¥5Sü¼‘i÷I´Ï(Ô_:$³^‹â»Ù…eÑ\¯eÈk#Ü¡ðï…Šíw¿ÆÚæ'È­ÏòãJk-Yc¿ö3A2ûW´ìßßUøäë/5^]ïèø×¢ òÁoÀ&ÇÀÍ/úŸNÜ&ÞÞè\:?Fîö…)«pÈ:RªB¹TŠP¶×ÒªA
+¨ïÃÌ'l¿:¦ðè;{3¦Íäeµ—Ä;»¯McÕÒÚ-ÿXON´Â½²ùr0‘õC€ƒºÆ…L9ꉱSWËñÛÖþN2¼‹ÆvÃñ’ýÐ È*ö{ä•k^‡jogÊ"oØÊglÂóIüPÚ}tq(½Ÿ
+QCm6õv;1w²ª‡Hk_Êx½xµ™\Q\5“`b?ÛÓE„ÝH¦æX­Ž…äš»^ÁqL]ÙPºÀ³A‚ä£h]hò(0ã»d68ýÀëÓQ/eÃ`Ü›i0ÐñXV£ξ0žzGïZUOdCZ4[J)é?°µDäé*}ïuÒÌ{QýÜÕ‚äÕ_x®
+Ê’¸È˜”m€¿™»_–pÛD‹KÅ|iVWeeÀÀ«‰
„lÐÁôÿê4èT0Éëë]Ïd‹;PL¹£¥e!D*%)f­­Ð¾ì {ÄùíÐîòsÃÕ|0ŠLï-ûÈØÀªY‚èZ`ä<Üu´N!ìÆÂçaæ¨ÞôIJE OÕFÚØÙ‚™O¥ì鲟‹„œ*+aB5*êëˆYš0MŽŒ£>ÂãðSΚb¤³(=nìj‘·æÑ4W­ÁÂ-ÕÏ·­_ѱîíô‡Çº™·`î%âg›«ïW‘iІJmøª º¢Ô††ß‘$1½ÑØ“](snr…„L¹Rœ±¹UbµVfn3]ú‘ÛÀáˆÿ3È9ÆTÄk›“¯Bšž«µW¯ôoäˆ9u“lܲ‡vxvèô3Õ ÖÞlQ;,
ÿ®w½ß,Öf9z	ïï‹?ŽJ¬äl*+pË(ÑMÁ™ž eF×gº‡@‰<·5ð˜MêÍ	jmòÏ °ñksŒ]VY:zÅPÆ]•a£¿u_d„‰ê`”]&6ú‚–2#³ëb…S–ä|_'UBÉ9ÇØÔ*+‹©´ËY[–µ²zŽ’w
+Áë±(`°1BøÍéÑ÷kL»;B„/ˆ,à G70“›(Y:¥ö
+ùµi¸ŸÔ§îwX\Ÿy=rû„7"¬ˆiÝe6ÕÈý`Cõì¥oØ?g`ÍF朌‹ÀH‹†ò×ÓÕÏ‘`ñ»
‚ƒT~65Î.96,`³xõµôlë	Ä\θ;&¦!kÇ×å ÆæÁJôV>ÓÛnQ3­‹c…8¤„½aGãÐ$îÉ(»çf†A*"CÛï}„:¾¹Ìl{‹7nN^ÐÊ`„påƒå˘ÌV—Ûyþ2>÷{Ή	=½"ž;ôl`¦GS=)ÅhhR:êbÞ°ã}µ;íYÏHey~aN'¡¦o¦NQ»ð%`\ô?G°2™9×Á>ìSŠ¬7…¾»Ù6ò_qÛ§ÍȒΊŽ¤¦vغä.Ù#*Íõ¹²G-–à°Ã~3º½øÕNôdàÐH¬|ò€Ò>I6]ñs˜öüåÛ{ñ7cÌ	a8d?‡ÉNV¦æWíûê^ÙŸ\W’é†;ˆwÒ`–v0zA…füA©‰õ§$=›Ò¥˜ÖÒGVöašMŒs*(±Ó8üì¹äô¶^d•àŒ1÷·»s®ÛCºDdq
+I¢BŸîÙ¿¿²ÊXãÞLbÁcÔÅã‡Î0¸±hÿŸvæû
+‡ðgl2²¹¯u¶¯}gï™™³;dsvÉÙãlBvg”y8;âì…²et)Þ?âýíý¼Ïð„Û!O:hÛDr@Q9Ul:Ø«Táa¯a	..4EÿBÜÖÑôŽŒn†éü
+ïÔ2AÆìöâ©eîÛ›Ó¦;»ŠÞ¹‘°!¸„è`Ò]åU-YñÌëŸò¬ùM5ÁF³·&RGßw´+ùûè8šŒÁÈfïyFW
OU£wÀº$¾¿@i¼ù9ºùr¹>ÒHÝÂö§õÆe¢Íw{˜¡Ù
+,ùÌçÖ6ºþ‘ß‘—§ìä*ƒšA>SxÏå’ò§Oœ•Ãøjäwcâ]o¸‡´×ç?e•é%IômßÞl)·œ?Þ4‹™æI¿´—.¦Äì Ê×AÖŒqh}Ä_J¬Qêõu‘¦ZX´y7³xÄ,i’¸«^飯\µ1)Ík„ÝÅ	TÅ>¹Þðô3¥Ÿ¦õ1!}KGf³[ZdɦÚ^Ýs>¶ì¨¹…ç›ý˜“]û·çÁ ~V\Yƒ°ÕæÆÐ¥–tQrÿ=!ën¡¾5ó-b Ýmº¡ýŽþÒéÚŽëÁMyùAãýX	W	ÜKî(-ëß)¯Tà‰aß½ŸSñÖ*æHGÚàœ°\>|¢<ý(­³Ä¢­pš6>AÈ?!K•úÜû5wv")]mBßþsËäÖ»y¿ˆ~li¨c~Ÿ…Ýu¿û0Î_·÷§n¸>õã³@IIS¡å
0B}?)4ð“ìóßùöìä]ϧmÍ|—Ýý2žÌÉuf‹cHéwia3êêùçIRyïX”v*&äaëR¹r}"f>Kèbœ#òF¾¾R>ô•g*("¸AÄv%§U–ݹ°¾tðî—´"wXÈD	Kaë:¦Rô6½fFä’pìï8%/ÁB×lC«ÓùꉛAØ„‹ƒ™ÐȆpñ½ªWfÂDùtËÏÛƒ'qØV>“žÇëîä"9š#÷cõeŠÞ«øüt7–À“rELåÊ1<¯Z 
¡“gÌ^™7…fÖ¶†Î;xzÍ.—½°õ<µ@|˜¾÷º`ÜG¶ÁàÇ¡ÝQ‘ôÁö¥¿XmQ žh?ÝŠd„Zêà¸
w–_ã÷ëÛ“ÌWsƒÚHãØ´ðÕHPÎ#razoºÚ·¼§,ýÎ{=M¤LÅ;uD«&RVdz»Qò¿£Ài:ü:a‘Ѽr.<Ó!OÍÁãÏcL­ó*ó@ dbzâ2YÌóŒûäð<îº|¯t$âckÖvzÎÌfPW´ DSÄwÞqŸm¦DC\s+v¨Ò~b¥æg¢=R8+’(%ÖTúL茜m8ÀjñÕ|"Òr˜ü¯C1Ÿt)u+	ºakPâ&2?Ân6ˆ=Aù¹ä?úZ¨içiõêØÛfÄ·âw|šûÚѲiC©ÔŒ€}
+ogÓƒ1GC6E®Í]cdv®l}©µžÆÍE*û‚Xí
øVr,À8è–>7%×5/ÔQz 6@^î$Æ
+Ìkª¸â§hDlU¼v7X}ñÂúZ%fòb+†Î5ƒ;TÅHÿ$IÀÒR.X/+ùeÌö2¸Õ4•õ…6È(z¡ØîõÉìg,Í¢ÛäZ}~û JmÕg(±èe{u›"&Œ›Å?ci¸èàòÝþªxš»P1¡,›%7Ñ9¶£ÍCN„zD²O•EwŒöÐwAöº”\¼¥¶¥&†m—}É·åæ5FèHîñÁmÉæåwæµÃØ_ÁÆuIð*Š_7S§êö®B›¹æÑÜíä4žœ¹?B¸ivèÍÊ¢ûÙ‰Ð=ŠTgÜÍÎh QvUKœRŠ¡ÔÛ³=³·*ŸèÌ
»üÔÚÕ$dno(Î*ˆÍ¥e[­¨þ¶5ÐÛóÁ2¿±¹™eTFXôÑïŽj_â|§Ç9Ú ÆxŽüP$ßB^àâG:ƒÊÊòÎJ£Iÿ—¢baDѦËvwi¬†¹Ã¥Ë•4{ÓÖÓ/mJûW2S‡êrÚS–V¸&•ˆàúZ(^S'2×ä‹’L3:5¨V}JC9ÜÖË”2Jî(>9c·aïj<Ü(ÎQC…6Ç­ X)sSl„öϲژÑ߬n
+i¿5xÑ@>,Ïu> w?tiÓ¶0ûôIÏä#%(ù‰ö
+©«ˆ|LO†D¨Å÷¦gîÑå¼Þ8vÉC÷I~®O–ÙÍ>mŒáõÞ¢‰‘}‚
+^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô
~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
+Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
+‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
+oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿÄØßendstream
 endobj
 969 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 2251 0 R
-/BaseFont /SNIDXA+NimbusMonL-Regu
+/Widths 2271 0 R
+/BaseFont /GMYIZN+NimbusMonL-Regu
 /FontDescriptor 967 0 R
 >> endobj
 967 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /SNIDXA+NimbusMonL-Regu
+/FontName /GMYIZN+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
@@ -10900,7 +10969,7 @@ endobj
 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
 /FontFile 968 0 R
 >> endobj
-2251 0 obj
+2271 0 obj
 [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 926 0 obj <<
@@ -10911,7 +10980,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&IUEeU9ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&iQa5%%ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
 šþô­¯œtGLz¥ÈéQž7K²;P?8˜Õö¦””õJ>`ˆg:Yánžiü(\
 ü°¾<Ù£ø§6Äbw¡5aÔž_|M<}~¢î½…î?$¤Ë‰…§äuBþéçC(øC­B¼ªùÕi{Ju¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶VBjä+s^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©š}¾ŽÈïqM gÀÁõ@‰Î
@@ -10985,23 +11054,23 @@ K
 p÷†ÓºùáXk)iÇÝKqkùÈüÙ²ú´{Ô°!¢1µçsßÚ3‘à
æý“B òÐ2t¦£ƒ% ]–Aþu²"ÉÜß2åº.Ó
“ñx•s,õ)®k¾óÒ>hœýbyZÃ÷-ý$ËbÇ;¨´²*	#Œ6^ÿ´Œ‹Ä*jj¾}5™üÊ­tÿg ›­ûá=)ìGõ™;RVÛÚ½wV*îM\ˆšhßn`ÇPÙºzÇ'I~©VŽ;&븙i—wâc3:™S‹åa¥40ÏZ:	Moè¥Ø~ƒÐ#YcÑV„³IF^¸Övú¾&ÕÍBoªzôåÒ½¢šºˆ<è@ÕŽ!ÄVo£Cé·³s~íAãŸ)4°jsY™ÖÑÁ¤¤Òøɉ
cxg4Hc=‰‚­|(—æ3§‘»Ñô¯ðÑqr1¥~tÓ™²süçŸVý;Ë}I†õ„=*š½Â!³ ®8¸²ù	¢Ÿ{J½ÅhJ$‘¹Í2ÕtKcÇZ=P¶)»ûøÔÂwË,û«øƒˆcÌm#ãdxÐu!^	Ú9ûi7ŸÙJcÔŒ]+µ
jÆ»Ò_€[hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž×?3Ì›QOl
 s¹xŽ5WË–§zGϺß?ÁyËÇDóÛ8Þ6<,óyÊœ³%ɾŠaîjôër¤ôç ³L.¸!åeÖ&A—¯y!qíµ¸`Û®8&ƒûCá°ˆ×P·KÄMZQƒñˆR“!»V¸x3ËßÀÃ'£l{…x|#”ÄÒ,ò9r&tã|¼a¥ïéæ3sawÄø²Ã××ÿuåÝ™×Ãùv¦&R®É;Ƴo©5$rÇâ¯%ì»iÕav·4ËEìØÔ;E6'µ…¹ïh;ž7\oqkÙñ*¯u¾+ÍNcýàÿOÃõÿû‚ÿ
-¹ƒ%ÔÕÝÙêjýª	âendstream
+¹ƒ%ÔÕÝÙêjý°Ýáòendstream
 endobj
 927 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2252 0 R
-/BaseFont /GTPRTM+URWPalladioL-Ital
+/Widths 2272 0 R
+/BaseFont /JCAUQQ+URWPalladioL-Ital
 /FontDescriptor 925 0 R
 >> endobj
 925 0 obj <<
 /Ascent 722
 /CapHeight 693
 /Descent -261
-/FontName /GTPRTM+URWPalladioL-Ital
+/FontName /JCAUQQ+URWPalladioL-Ital
 /ItalicAngle -9.5
 /StemV 78
 /XHeight 482
@@ -11010,7 +11079,7 @@ endobj
 /CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
 /FontFile 926 0 R
 >> endobj
-2252 0 obj
+2272 0 obj
 [528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
 endobj
 826 0 obj <<
@@ -11024,7 +11093,7 @@ stream
 xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸yZ@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
  ùËAKOÏð_–\¦^ÿütYÚ¨þ>¸mí€ö®)þŸÕ€@€«`²Ä””ud¥4RŠ) =ÐÙÄ ìfj2ȃ̀ö.@Z€…ƒ3Àö߀™ƒ½9蟭¹0ýåq˜\f ¿a@O3 ã?Àèlrqùû¹,Mì]ÿöÀÕ²7³u3ÿ§€¿v‡äèìð×Ãî/ö—LÙÁÅÕÅÌäè
 ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.W §ë?¹Ls‹£­‰×ßÜÉAÿ*ÃÍdoù_0œ–&Îæ¶@—¿4¹ÿéÎíð¿íÞÄÑÑÖë_ÑÿòúÏ@®.@[&V¶¿9Í\ÿæ¶Ù#0ÿ3*2öV–ÛÍÝÿs:ÿ«A4ÿÌíß"LÌìm½æ@fE׿)4ÿo*3ýωü? ñÿˆÀÿ#òþÿ÷¿kô¿âÿ¿çù¿SKºÙÚ*šØÿø; øç’±ÿ?¼Mì@¶^ÿ7ÿÿî©üw‘ÿWW“¿­±·ü+ãW&–¯ÿ@.’ O ¹2ÈÕÌ
-`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYB\EW^™þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
+`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYQNM]^‘þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
 ™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖµ?ªª…¹{G.ž'Þ½µ$5õü^oDÌÒ’j8Á¬R/ë‰yÝ࣑<Ì`½^
 úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
 ¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
@@ -11086,23 +11155,23 @@ MI
 ¿n$rÝ	XðD˜t
ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
 c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
 cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë …x;³°çlqf—š
“d79˜R€2õ¨)iµ†–Gö»€ê&‚—ÜÞ¨CšùŸeVò]ÏÓ~„ð¡T}îY¸dë`XÕìéÎ<òeJË»1ÒXê¤QáÀ#÷gX¹;«ÜÉà{}¤*½lÈ»€~.ž©kÜõVÅÇ®þÒ€§ú‘7ã$o—#€àkص<Éâ{
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,ÊæÀ×f endstream
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,ÊæL_fªendstream
 endobj
 827 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 40
 /LastChar 90
-/Widths 2253 0 R
-/BaseFont /EDQZLP+URWPalladioL-Roma-Slant_167
+/Widths 2273 0 R
+/BaseFont /NKSTLN+URWPalladioL-Roma-Slant_167
 /FontDescriptor 825 0 R
 >> endobj
 825 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /EDQZLP+URWPalladioL-Roma-Slant_167
+/FontName /NKSTLN+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
@@ -11111,7 +11180,7 @@ endobj
 /CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
 /FontFile 826 0 R
 >> endobj
-2253 0 obj
+2273 0 obj
 [333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
 764 0 obj <<
@@ -11123,31 +11192,34 @@ endobj
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2@	Š&X4-wDP¤2$H20I0@¹,P ‚A…ÊE ÒJi½”‹ÁŠ‚§F„‚Ü4
+æ2M°hZHeH&$d`’`€
+,P ‚A…ÊE ÒJi½”‹ÁŠ‚§F„‚Ü4
 & X¹ê
-ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñð&ÐÙHìŒÅÒ'Wïƒ ‰dœ™™
-Cb"܉aÚÛƒ]€T€lG£iT;œà„„E¢¼`®°púdQdÐ0ÊcABÀsaÖƒño„ŃőD€Îç^‹+D€,‚јMÄ Àæ±Ä@ÌâH‹Ž˜BØ-ÃlIØ[*FE˜)À3ù	€Yd#B~$À†98’‚ícNþ¦V6w–ðùn`±ýRJá!ùFÂ$b\6Œ
-WJ}áes®0›'¬d™bˆÏcÑ…Á| €6D²5u™à‰œyR˜íÁ³¸â‹à%²WZÁâ[2BrÝïãCwµz3×%Òâ	Åû#Ã`€üN½Tƒïj,%”'üÉD2Ä„Øûö+`ÅfŸ	Y›'(T[BQ(‡ ¬¢Ñ À²a)K1Ç$¢cK,š€ƒ ¸Å±‚Ö‰ÅCY|˜µ85ñ"»LPR–9ü'ˆLÁ0bÁ|˜ógØú
¼<ôw¸-†Cè;ËX¡">$â.Á
ŽÁ@¤ÑŠ=@°·Å~m;;jÌ¿	Y……⥳‰Åÿ¶æð°‘Á°fáz»–CRH^urEìgçnÿIëE[¥ºW³Ù¯66ŸÇŽñ¦žõ4	—Ž+¯—ãCúŸ³Nꢗ
2ÜÒ¿œ.ѽp%­¨Ü/+žÚDìñÆG&¦ÉÖ¼²2eÊÃœ*øZiHkBžùfÛöÞémqm:gÙ*Æ¡ssƒÝÚ-½NXšn¶ë=¯9ðþ&|äÀãέ“µqy×w²&nÝsazàEÎiæ
-Ž£vÐ44ûÀ‰P(¬/‡Bjr÷<‰
-ÿ®~çœ>#†øEõ©ƒOKëåÚÝõz î®»½N™/
-µÜ:4Ò(®’+³²Zîñ1~xܦ£ûöÞÒ‡ñ‚÷t¾ýÊ3 —á9¿ÒÈh¦r—õÉ/áÞÏo”~/øãoC¥“áëó¯Þ”_•	­­ý7‹l©Š£&•×*¯In8˜ËHÊ[Ÿ„ÓYlÿÒ<ß?¨Ý#Y—Uªš{êæSEaÐ]EÕÇ´y”óÔy¼Âa²²ÔŸö©÷¾_ã¨bÎ	úó_N’^'v?רk••ù2ªR¦¦K´Z_oõÈjrÔ“ÍYY2(Õk$ûš	@šýî~Ã{8sç—Ú·¬÷U$FÛëx7:á,?ÔyòÓæݯ¸ùOiD§È‡‹øÄuþ÷T«TêSFa´{ò€Š1b]aÚù_Ýv*S’ç#¶ä]k¬Øu ÙìÝòÀî؆٦—‰ªo2«Ý;Îe£º­µìÝ-·FC†èWµ$Aü6ÍŸd‡š@Â!ß¼tÍ›
‰ˆINzÀxwÁv}ÃuÙF{I¾?>¬iÿ˜ú`v«ç íøT6žßt˜)P<Ž>gòÃ×QGT#þkÃGîkÑWÕÕ9ÕÙ•ìëb:×.M9­œÚ¸³½›p|W¶û#找Ï.§5úçäZ«“ÊcÙ!õ6hÜAIOL¶—F¯Œ[°6°7·‚óžù?|pÿoð?Ñ»º!TŒ 4÷/Çfþnendstream
+ºè±KîþÚ³3æ}žç{¿gž÷;ç³0óô!08H삈$Òg7Ÿ ‰dœ……3
+C>"ÚI`::8€C€T€L£SÈt*
g8#a‘(?˜'¬œ?YцFùlH¸A,Äz°!àƒ°ù°$’0À{a…ð†Å0sˆ88|¶‚ƒù"iÁKÄEÚÌ‘†½¥"`TŒ™¬0“Ÿ˜E"D˜‹#¹#Ø^0æä¿ajys©@à	Ú/¦ôò‘oˆ0L*QÀ
áÀ¨h¹Ô^2çsøRár–%|6C,€hG$ÛR—¾Ø…/ƒ9ž|	›p!^Äag¹,¾E#$wÆ^o/›7s]$=!¾H²72ÈïÔ‹5ø®ÆRBù2ÀŸL$“ALˆ½o¿–mö™ˆpø¢`€Bµ …"qØ	Â**
|–°sL"Š	¶À¢9
+p·0VÐ ±ù([³¦&Y`—*@
+Â2‡ÿ‘)†BlXsÿÛ¾—†þ·Çp}``;T,€Ä¼Eø¯Á1™ˆ,š@qöØ€ =@£Qþ›-EQX$Y<›Xüok.Ë`6®§a;&†äV%•Ç|vîö÷t^´Vhz´›üjbòøœ£>Ô³^fÁ’’‘"Õ•ã
+|¨Òðs¶ãI}ô²Qº{Ú—SÅú®¤–ùeÆQ‰Ý>øÈ„TùªW6–#,EøþSù_«ŒéèÃ3ßlÙÚ3µ%¶Uï,GÍ£+t<4ûŸÊ)Q‹	õcÏtpUÏæm»&>Ô½”ï=|rÛŠµ´åÛ꽜ÀûSUû6¼ÎØÿ¬i˜óQè?ôgü4/ÃsçiŽ©=佊K¸÷ódßÿøÛ`ÉDøÚ¼«7WDBËxKßÍB{ªòȃ	ÕµŠë£ÒúŽ–r’êe_üéLŽI®ï…4‘ìËj«G•
ݵsÉâù0讲òcúÊ}ê2Vî8QQâOÿÔgϯ±T	÷ãù/'I¯ºžkÕ¶ÈLJ}™•É“SÅ:-¯7{f¶
zÈgm¬™”ªUÒ=M ÕagŸñ¶]ÜÙó¿Ëš×Œù*¢ô¼ƒœqÖê=ùéNÓÎW¼¼§Ç´¢“C…L|Âÿ{êjÍ)“0ú=E@ù(±¶ õü¯î;
+TÉIs›ò¯5”ïØŸËjòi~@;¶n¦ñe‚•ú›ŒJOó•¦E½óÅsËP‘&¿ÿ’dki¿[¸!a„Îÿ´0¾¾=ܳ¶Sš]ŸŸí®¸EÎx\‚ùµØé•á‹º£/‰»ÖÁQ&­Õõ·ÿžât¤sÍô»pJ]|ÔU½"Z»×HÿN‡Kéˆ~Ë|
ggó­§AÆUi Uû§yùÁÆpÐ77M{Ún]b–0Ö•¿ÕÐxM–ÉnWàkœÃ?¦>˜Ùì5`?6™Egä5b	•ƒ£Ï™ýðuÔaõ°ÿêð‘Ÿ{›
Õµµ‡Out&ùƸšÏ¶É’O«&×ooë"ß‘åñˆu¢÷s¦ëi­¾Y…ÎÊIJN{H{@Ú}4Ë[«GÎË_Ø“SÎ}Oü>¸ÿ7øŸh€]Ý*A„ŠûYþaendstream
 endobj
 765 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2254 0 R
+/Encoding 2274 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 2255 0 R
-/BaseFont /MTUUAM+CMSY10
+/Widths 2275 0 R
+/BaseFont /FNATRQ+CMSY10
 /FontDescriptor 763 0 R
 >> endobj
 763 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /MTUUAM+CMSY10
+/FontName /FNATRQ+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
@@ -11156,10 +11228,10 @@ endobj
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
 /FontFile 764 0 R
 >> endobj
-2255 0 obj
+2275 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-2254 0 obj <<
+2274 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
@@ -11171,7 +11243,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNSDEL@”꟩ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
+xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNLQXTQ„꟩ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
 üPˆŸìá|ŒRbQ»š€ê
 ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
 Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ™C	½‰h1R^iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†ÅÄ ö¶‘ÛMüc,‚¨×]EI[™Y…	¸îˆ0^ÆMÏm}™×Ë 3ž@óɪ0öGƺ°>KÛyE‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c
³öB8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å+åýdä„P9Œ,U•äD¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W	WâãÆ[.¸N5ÈõëZS†
@@ -11265,23 +11337,23 @@ A
 ­u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn
ÐÅ—6¹s²R¯aÆ‹úr×€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ
(N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_¢£J¾:¤ íéJ$<ÂBÿˆSUÅöìMø›Yr¤˜¾ÃÈ×`Qíå?›Ù±VƒÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F¸¯xÀÁ¦ÿàB*·ÛvªR&¤N<•ê`¢µ+çN¼é¬
 g¤£Ê¾2f~mû„m}…i¶xÄãæužÙÆœ»‚ÙüÂx\Ôt{™CÀåò	›ËøýÈ·'5'	ªzqvipd×kµ»¶j©@ƒæ…:Íw¾?bøàôVs,%ãIP¡ÍSÃ…„A³ô‰ìDª`Ïûñ,{r˜¦fY—AÀ˜EÏ¡+LNä^õ,¸¬Y¼B™¡9ÛœÐç†dbTC4è¿JLWl©0Âkž ^¸ùT›Úò«¾¦ét«§^Þí§/‡3SÄ蚇dQœv(CÜ쇵È%#¾j0Æ7›5pEZ‡ì—,í¼éÀOÇéÃõ¤¯(CæýéZb4üÁP”™Γ{5Þ…k`åùÃJÙãpÔféAvs,µp̈Õ.¨±g¸Ño¡µ°±P9:Ý,'c|Ì1eÁh†M~‘fQÞúûdú9’LÈúôÖN0–"/Ó|8׃ҿ]‰/óûÚûس˜z$©Ôü³[<~q÷é#ƒä2
 'óP4I×¥ŸÐ?`b¬FH.÷R}ÿÀ#]«iÀAñ7FÌÐ5øùq6O‰Ç/êúWbõÑFåq-¢´ð
§]xžök%˜Ã–td˜¯‘ŒÎ¼r¿?qEµÀ¡Glq_åOÎ1ŠL$HülÓ‚|²ëÅ›:vÐ
Ø›¨†À<¬è2ëg8„7ë%j ÅL/ARWˆŠmõƒÑ±)Cðî&œ£Ò(q14ŒED;ÌjdWåqêÒÚ8ß'‡õt˜{r›`üz$¸~ЗV-ðr#QcªžÉ¹=H­EÍëCóIîÁÕŒ–aYÅuz8UG²þºÝ¡HJP+dGR]¤IؘNd'×DóN'é[ºqÆIÒĵF,·;Å—d•”©7•‘W­_ˆF®kô­é¢á£tΘ~­
yTjænUÀNöÂߥ6”éŸì¶\e>:3‚t{ù^÷p*kõ!1ñÖ3«/¥tŒëÖÈ|æeWç¯ÛQ#`IbýÍÃ$ŒPÍXÉSKUŽž¡’`ËAÅžþ›m­%N©ò’÷Y¥Ê¡K_º`ÕsYGõ¾ìŸö¨,4ƒ“³›¯HC'Ÿû89cá[ãÛ2?ÆN¼	ü±ù#°¥ª0ägã¶,Š¢œ¡. éj”¿ê?ÉxG# Ò+“Å.ă-†cå-Yo¢UÄVõñÈö15Ò»æ¾Ýc@@íéíAŸLüUÜêÏÉ…ÜÔ¿©ÿÌZÏ‚ñåÎSUn9“mbµf[‘€Š±ÑT8D1¿4г#hqÙך½E9É{Ь¶uîœb…M'­?/ÖGÐÿéε%¨˜Gš±Ñ3?hßó¤¸þa¶„çŽØyžÓ€’^`´ý×Þz\‹÷¶v«áP{ÑÑ•Ih~×`5»æ0ïfM…ÂÛ
-ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶û{ȹ5endstream
+ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶ûK¬¹-endstream
 endobj
 762 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2240 0 R
+/Encoding 2260 0 R
 /FirstChar 2
 /LastChar 216
-/Widths 2256 0 R
-/BaseFont /ZEUGAF+URWPalladioL-Roma
+/Widths 2276 0 R
+/BaseFont /GRDFRE+URWPalladioL-Roma
 /FontDescriptor 760 0 R
 >> endobj
 760 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /ZEUGAF+URWPalladioL-Roma
+/FontName /GRDFRE+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
@@ -11290,7 +11362,7 @@ endobj
 /CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/endash/emdash/Oslash)
 /FontFile 761 0 R
 >> endobj
-2256 0 obj
+2276 0 obj
 [605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
 endobj
 737 0 obj <<
@@ -11301,7 +11373,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:%I	eªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:9IiªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
 Šº%`¸3LŽ7)ü‰]üQHžíá|ÒâP»šê
 ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
 KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó> endobj
 736 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /SQJIAT+URWPalladioL-Bold
+/FontName /QOEJLQ+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
@@ -11426,195 +11498,195 @@ endobj
 /CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
 /FontFile 737 0 R
 >> endobj
-2257 0 obj
+2277 0 obj
 [611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
 739 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
+/Parent 2278 0 R
 /Kids [730 0 R 757 0 R 767 0 R 822 0 R 886 0 R 949 0 R]
 >> endobj
 986 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
+/Parent 2278 0 R
 /Kids [974 0 R 988 0 R 1002 0 R 1013 0 R 1020 0 R 1032 0 R]
 >> endobj
 1044 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
-/Kids [1037 0 R 1046 0 R 1055 0 R 1065 0 R 1072 0 R 1078 0 R]
+/Parent 2278 0 R
+/Kids [1037 0 R 1046 0 R 1055 0 R 1065 0 R 1077 0 R 1083 0 R]
 >> endobj
-1102 0 obj <<
+1107 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
-/Kids [1086 0 R 1110 0 R 1120 0 R 1125 0 R 1129 0 R 1134 0 R]
+/Parent 2278 0 R
+/Kids [1091 0 R 1114 0 R 1124 0 R 1129 0 R 1133 0 R 1138 0 R]
 >> endobj
-1151 0 obj <<
+1155 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
-/Kids [1144 0 R 1153 0 R 1160 0 R 1166 0 R 1170 0 R 1182 0 R]
+/Parent 2278 0 R
+/Kids [1148 0 R 1157 0 R 1164 0 R 1170 0 R 1174 0 R 1186 0 R]
 >> endobj
-1192 0 obj <<
+1196 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2258 0 R
-/Kids [1186 0 R 1194 0 R 1198 0 R 1208 0 R 1213 0 R 1221 0 R]
+/Parent 2278 0 R
+/Kids [1190 0 R 1198 0 R 1202 0 R 1212 0 R 1217 0 R 1225 0 R]
 >> endobj
-1237 0 obj <<
+1241 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1229 0 R 1239 0 R 1247 0 R 1258 0 R 1264 0 R 1270 0 R]
+/Parent 2279 0 R
+/Kids [1233 0 R 1243 0 R 1251 0 R 1262 0 R 1268 0 R 1274 0 R]
 >> endobj
-1279 0 obj <<
+1283 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1276 0 R 1281 0 R 1288 0 R 1296 0 R 1303 0 R 1307 0 R]
+/Parent 2279 0 R
+/Kids [1280 0 R 1285 0 R 1292 0 R 1300 0 R 1307 0 R 1311 0 R]
 >> endobj
-1315 0 obj <<
+1318 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1311 0 R 1317 0 R 1321 0 R 1328 0 R 1332 0 R 1339 0 R]
+/Parent 2279 0 R
+/Kids [1315 0 R 1320 0 R 1324 0 R 1331 0 R 1335 0 R 1342 0 R]
 >> endobj
-1352 0 obj <<
+1355 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1349 0 R 1354 0 R 1358 0 R 1368 0 R 1375 0 R 1381 0 R]
+/Parent 2279 0 R
+/Kids [1352 0 R 1357 0 R 1361 0 R 1369 0 R 1375 0 R 1383 0 R]
 >> endobj
-1388 0 obj <<
+1391 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1385 0 R 1390 0 R 1394 0 R 1402 0 R 1408 0 R 1414 0 R]
+/Parent 2279 0 R
+/Kids [1388 0 R 1393 0 R 1397 0 R 1403 0 R 1411 0 R 1416 0 R]
 >> endobj
-1427 0 obj <<
+1430 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2259 0 R
-/Kids [1421 0 R 1429 0 R 1435 0 R 1447 0 R 1452 0 R 1456 0 R]
+/Parent 2279 0 R
+/Kids [1424 0 R 1432 0 R 1437 0 R 1444 0 R 1455 0 R 1459 0 R]
 >> endobj
-1466 0 obj <<
+1469 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1462 0 R 1468 0 R 1475 0 R 1483 0 R 1489 0 R 1494 0 R]
+/Parent 2280 0 R
+/Kids [1464 0 R 1471 0 R 1475 0 R 1483 0 R 1492 0 R 1497 0 R]
 >> endobj
-1501 0 obj <<
+1504 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1498 0 R 1503 0 R 1511 0 R 1515 0 R 1530 0 R 1544 0 R]
+/Parent 2280 0 R
+/Kids [1501 0 R 1506 0 R 1510 0 R 1518 0 R 1525 0 R 1545 0 R]
 >> endobj
-1574 0 obj <<
+1579 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1568 0 R 1576 0 R 1582 0 R 1594 0 R 1598 0 R 1607 0 R]
+/Parent 2280 0 R
+/Kids [1559 0 R 1583 0 R 1591 0 R 1595 0 R 1607 0 R 1611 0 R]
 >> endobj
-1628 0 obj <<
+1631 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1617 0 R 1630 0 R 1637 0 R 1643 0 R 1650 0 R 1659 0 R]
+/Parent 2280 0 R
+/Kids [1620 0 R 1633 0 R 1643 0 R 1650 0 R 1656 0 R 1663 0 R]
 >> endobj
-1674 0 obj <<
+1679 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1668 0 R 1676 0 R 1687 0 R 1693 0 R 1704 0 R 1708 0 R]
+/Parent 2280 0 R
+/Kids [1672 0 R 1682 0 R 1689 0 R 1700 0 R 1704 0 R 1710 0 R]
 >> endobj
-1722 0 obj <<
+1724 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2260 0 R
-/Kids [1712 0 R 1724 0 R 1728 0 R 1735 0 R 1745 0 R 1804 0 R]
+/Parent 2280 0 R
+/Kids [1721 0 R 1726 0 R 1730 0 R 1741 0 R 1745 0 R 1752 0 R]
 >> endobj
-1913 0 obj <<
+1820 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [1860 0 R 1915 0 R 1949 0 R 1958 0 R 1964 0 R 1969 0 R]
+/Parent 2281 0 R
+/Kids [1762 0 R 1822 0 R 1878 0 R 1932 0 R 1966 0 R 1975 0 R]
 >> endobj
-1977 0 obj <<
+1985 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [1973 0 R 1979 0 R 1990 0 R 1995 0 R 2007 0 R 2016 0 R]
+/Parent 2281 0 R
+/Kids [1981 0 R 1987 0 R 1991 0 R 1996 0 R 2007 0 R 2012 0 R]
 >> endobj
-2034 0 obj <<
+2032 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [2025 0 R 2036 0 R 2042 0 R 2047 0 R 2057 0 R 2069 0 R]
+/Parent 2281 0 R
+/Kids [2024 0 R 2034 0 R 2043 0 R 2048 0 R 2058 0 R 2063 0 R]
 >> endobj
-2087 0 obj <<
+2077 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [2076 0 R 2089 0 R 2093 0 R 2097 0 R 2102 0 R 2114 0 R]
+/Parent 2281 0 R
+/Kids [2068 0 R 2079 0 R 2090 0 R 2097 0 R 2109 0 R 2113 0 R]
 >> endobj
-2128 0 obj <<
+2121 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [2125 0 R 2130 0 R 2141 0 R 2146 0 R 2151 0 R 2163 0 R]
+/Parent 2281 0 R
+/Kids [2117 0 R 2123 0 R 2134 0 R 2145 0 R 2150 0 R 2159 0 R]
 >> endobj
-2171 0 obj <<
+2169 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2261 0 R
-/Kids [2168 0 R 2173 0 R 2179 0 R 2190 0 R 2201 0 R 2206 0 R]
+/Parent 2281 0 R
+/Kids [2166 0 R 2171 0 R 2182 0 R 2188 0 R 2193 0 R 2198 0 R]
 >> endobj
-2221 0 obj <<
+2216 0 obj <<
 /Type /Pages
-/Count 3
-/Parent 2262 0 R
-/Kids [2216 0 R 2223 0 R 2235 0 R]
+/Count 6
+/Parent 2282 0 R
+/Kids [2209 0 R 2218 0 R 2227 0 R 2233 0 R 2243 0 R 2253 0 R]
 >> endobj
-2258 0 obj <<
+2278 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2263 0 R
-/Kids [739 0 R 986 0 R 1044 0 R 1102 0 R 1151 0 R 1192 0 R]
+/Parent 2283 0 R
+/Kids [739 0 R 986 0 R 1044 0 R 1107 0 R 1155 0 R 1196 0 R]
 >> endobj
-2259 0 obj <<
+2279 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2263 0 R
-/Kids [1237 0 R 1279 0 R 1315 0 R 1352 0 R 1388 0 R 1427 0 R]
+/Parent 2283 0 R
+/Kids [1241 0 R 1283 0 R 1318 0 R 1355 0 R 1391 0 R 1430 0 R]
 >> endobj
-2260 0 obj <<
+2280 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2263 0 R
-/Kids [1466 0 R 1501 0 R 1574 0 R 1628 0 R 1674 0 R 1722 0 R]
+/Parent 2283 0 R
+/Kids [1469 0 R 1504 0 R 1579 0 R 1631 0 R 1679 0 R 1724 0 R]
 >> endobj
-2261 0 obj <<
+2281 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 2263 0 R
-/Kids [1913 0 R 1977 0 R 2034 0 R 2087 0 R 2128 0 R 2171 0 R]
+/Parent 2283 0 R
+/Kids [1820 0 R 1985 0 R 2032 0 R 2077 0 R 2121 0 R 2169 0 R]
 >> endobj
-2262 0 obj <<
+2282 0 obj <<
 /Type /Pages
-/Count 3
-/Parent 2263 0 R
-/Kids [2221 0 R]
+/Count 6
+/Parent 2283 0 R
+/Kids [2216 0 R]
 >> endobj
-2263 0 obj <<
+2283 0 obj <<
 /Type /Pages
-/Count 147
-/Kids [2258 0 R 2259 0 R 2260 0 R 2261 0 R 2262 0 R]
+/Count 150
+/Kids [2278 0 R 2279 0 R 2280 0 R 2281 0 R 2282 0 R]
 >> endobj
-2264 0 obj <<
+2284 0 obj <<
 /Type /Outlines
 /First 7 0 R
 /Last 663 0 R
@@ -11733,7 +11805,7 @@ endobj
 663 0 obj <<
 /Title 664 0 R
 /A 661 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 627 0 R
 /First 667 0 R
 /Last 727 0 R
@@ -11799,7 +11871,7 @@ endobj
 627 0 obj <<
 /Title 628 0 R
 /A 625 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 607 0 R
 /Next 663 0 R
 /First 631 0 R
@@ -11836,7 +11908,7 @@ endobj
 607 0 obj <<
 /Title 608 0 R
 /A 605 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 583 0 R
 /Next 627 0 R
 /First 611 0 R
@@ -11880,7 +11952,7 @@ endobj
 583 0 obj <<
 /Title 584 0 R
 /A 581 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 243 0 R
 /Next 607 0 R
 /First 587 0 R
@@ -12488,7 +12560,7 @@ endobj
 243 0 obj <<
 /Title 244 0 R
 /A 241 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 231 0 R
 /Next 583 0 R
 /First 247 0 R
@@ -12510,7 +12582,7 @@ endobj
 231 0 obj <<
 /Title 232 0 R
 /A 229 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 131 0 R
 /Next 243 0 R
 /First 235 0 R
@@ -12692,7 +12764,7 @@ endobj
 131 0 obj <<
 /Title 132 0 R
 /A 129 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 91 0 R
 /Next 231 0 R
 /First 135 0 R
@@ -12766,7 +12838,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 67 0 R
 /Next 131 0 R
 /First 95 0 R
@@ -12809,7 +12881,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -12918,765 +12990,765 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 2264 0 R
+/Parent 2284 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-2265 0 obj <<
-/Names [(Access_Control_Lists) 1691 0 R (Bv9ARM.ch01) 977 0 R (Bv9ARM.ch02) 1023 0 R (Bv9ARM.ch03) 1040 0 R (Bv9ARM.ch04) 1089 0 R (Bv9ARM.ch05) 1189 0 R (Bv9ARM.ch06) 1201 0 R (Bv9ARM.ch07) 1690 0 R (Bv9ARM.ch08) 1715 0 R (Bv9ARM.ch09) 1731 0 R (Bv9ARM.ch10) 1952 0 R (Configuration_File_Grammar) 1225 0 R (DNSSEC) 1157 0 R (Doc-Start) 735 0 R (Setting_TTLs) 1615 0 R (acache) 1030 0 R (access_control) 1364 0 R (acl) 1233 0 R (address_match_lists) 1206 0 R (admin_tools) 1063 0 R (appendix.A) 626 0 R (appendix.B) 662 0 R (bibliography) 1739 0 R (boolean_options) 1106 0 R (builtin) 1442 0 R (chapter*.1) 770 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 582 0 R (chapter.8) 606 0 R (cite.RFC1033) 1866 0 R (cite.RFC1034) 1751 0 R (cite.RFC1035) 1753 0 R (cite.RFC1101) 1848 0 R (cite.RFC1123) 1850 0 R (cite.RFC1183) 1810 0 R (cite.RFC1464) 1888 0 R (cite.RFC1535) 1796 0 R (cite.RFC1536) 1798 0 R (cite.RFC1537) 1868 0 R (cite.RFC1591) 1852 0 R (cite.RFC1706) 1812 0 R (cite.RFC1712) 1908 0 R (cite.RFC1713) 1890 0 R (cite.RFC1794) 1892 0 R (cite.RFC1876) 1814 0 R (cite.RFC1912) 1870 0 R (cite.RFC1982) 1800 0 R (cite.RFC1995) 1758 0 R (cite.RFC1996) 1760 0 R (cite.RFC2010) 1872 0 R (cite.RFC2052) 1816 0 R (cite.RFC2065) 1921 0 R (cite.RFC2136) 1762 0 R (cite.RFC2137) 1923 0 R (cite.RFC2163) 1818 0 R (cite.RFC2168) 1820 0 R (cite.RFC2181) 1764 0 R (cite.RFC2219) 1874 0 R (cite.RFC2230) 1822 0 R (cite.RFC2240) 1894 0 R (cite.RFC2308) 1766 0 R (cite.RFC2317) 1854 0 R (cite.RFC2345) 1896 0 R (cite.RFC2352) 1898 0 R (cite.RFC2535) 1925 0 R (cite.RFC2536) 1824 0 R (cite.RFC2537) 1826 0 R (cite.RFC2538) 1828 0 R (cite.RFC2539) 1830 0 R (cite.RFC2540) 1832 0 R (cite.RFC2671) 1768 0 R (cite.RFC2672) 1770 0 R (cite.RFC2673) 1910 0 R (cite.RFC2782) 1834 0 R (cite.RFC2825) 1878 0 R (cite.RFC2826) 1856 0 R (cite.RFC2845) 1772 0 R (cite.RFC2874) 1912 0 R (cite.RFC2915) 1836 0 R (cite.RFC2929) 1858 0 R (cite.RFC2930) 1774 0 R (cite.RFC2931) 1776 0 R (cite.RFC3007) 1778 0 R (cite.RFC3008) 1927 0 R (cite.RFC3071) 1900 0 R (cite.RFC3090) 1929 0 R (cite.RFC3110) 1838 0 R (cite.RFC3123) 1840 0 R (cite.RFC3225) 1784 0 R (cite.RFC3258) 1902 0 R (cite.RFC3445) 1931 0 R (cite.RFC3490) 1880 0 R (cite.RFC3491) 1882 0 R (cite.RFC3492) 1884 0 R (cite.RFC3596) 1842 0 R (cite.RFC3597) 1844 0 R (cite.RFC3645) 1780 0 R (cite.RFC3655) 1933 0 R (cite.RFC3658) 1935 0 R (cite.RFC3755) 1937 0 R (cite.RFC3757) 1939 0 R (cite.RFC3833) 1786 0 R (cite.RFC3845) 1941 0 R (cite.RFC3901) 1904 0 R (cite.RFC4033) 1788 0 R (cite.RFC4034) 1790 0 R (cite.RFC4035) 1792 0 R (cite.RFC4074) 1802 0 R (cite.RFC974) 1755 0 R (cite.id2507217) 1946 0 R (clients-per-query) 1666 0 R (configuration_file_elements) 1202 0 R (controls_statement_definition_and_usage) 1076 0 R (diagnostic_tools) 1011 0 R (dynamic_update) 1099 0 R (dynamic_update_policies) 1108 0 R (dynamic_update_security) 1373 0 R (empty) 1450 0 R (historical_dns_information) 1733 0 R (id2466552) 978 0 R (id2466576) 979 0 R (id2467534) 980 0 R (id2467544) 981 0 R (id2467716) 993 0 R (id2467737) 994 0 R (id2467771) 995 0 R (id2467856) 998 0 R (id2467948) 991 0 R (id2470253) 1005 0 R (id2470277) 1008 0 R (id2470375) 1009 0 R (id2470396) 1010 0 R (id2470426) 1016 0 R (id2470530) 1017 0 R (id2470556) 1018 0 R (id2470590) 1024 0 R (id2470617) 1025 0 R (id2470630) 1026 0 R (id2470724) 1029 0 R (id2470734) 1035 0 R (id2470766) 1042 0 R (id2470782) 1043 0 R (id2470805) 1049 0 R (id2470822) 1050 0 R (id2471227) 1058 0 R (id2471233) 1059 0 R (id2473145) 1081 0 R (id2473157) 1082 0 R (id2473582) 1116 0 R (id2473601) 1117 0 R (id2474102) 1137 0 R (id2474119) 1138 0 R (id2474157) 1139 0 R (id2474176) 1140 0 R (id2474186) 1141 0 R (id2474229) 1142 0 R (id2474355) 1147 0 R (id2474404) 1149 0 R (id2474418) 1150 0 R (id2474603) 1156 0 R (id2474672) 1158 0 R (id2474819) 1163 0 R (id2474968) 1164 0 R (id2475287) 1176 0 R (id2475349) 1178 0 R (id2475370) 1179 0 R (id2475403) 1190 0 R (id2475550) 1203 0 R (id2476512) 1211 0 R (id2476539) 1216 0 R (id2476677) 1217 0 R (id2476692) 1218 0 R (id2476926) 1224 0 R (id2477001) 1226 0 R (id2477467) 1232 0 R (id2477510) 1234 0 R (id2477657) 1236 0 R (id2478085) 1244 0 R (id2478102) 1250 0 R (id2478125) 1251 0 R (id2478217) 1252 0 R (id2478308) 1256 0 R (id2478434) 1261 0 R (id2478486) 1262 0 R (id2479179) 1273 0 R (id2479777) 1284 0 R (id2479975) 1285 0 R (id2480364) 1291 0 R (id2480438) 1292 0 R (id2480502) 1299 0 R (id2480546) 1300 0 R (id2480561) 1301 0 R (id2483372) 1335 0 R (id2485278) 1361 0 R (id2485337) 1363 0 R (id2485774) 1378 0 R (id2486978) 1397 0 R (id2487037) 1399 0 R (id2487528) 1411 0 R (id2488167) 1425 0 R (id2489540) 1459 0 R (id2490497) 1478 0 R (id2490583) 1479 0 R (id2490634) 1480 0 R (id2490681) 1486 0 R (id2490801) 1487 0 R (id2491018) 1492 0 R (id2492631) 1506 0 R (id2492638) 1507 0 R (id2492644) 1508 0 R (id2493134) 1519 0 R (id2493168) 1520 0 R (id2494843) 1579 0 R (id2495334) 1585 0 R (id2495352) 1586 0 R (id2495372) 1589 0 R (id2495609) 1591 0 R (id2496848) 1601 0 R (id2496976) 1603 0 R (id2497133) 1604 0 R (id2497428) 1610 0 R (id2497564) 1612 0 R (id2497582) 1613 0 R (id2497987) 1620 0 R (id2498112) 1622 0 R (id2498126) 1623 0 R (id2498238) 1625 0 R (id2498261) 1626 0 R (id2498277) 1627 0 R (id2498338) 1633 0 R (id2498407) 1634 0 R (id2498512) 1635 0 R (id2498587) 1640 0 R (id2499098) 1647 0 R (id2499465) 1655 0 R (id2499470) 1656 0 R (id2501143) 1663 0 R (id2501149) 1664 0 R (id2501594) 1671 0 R (id2501600) 1672 0 R (id2502548) 1679 0 R (id2502580) 1680 0 R (id2503058) 1685 0 R (id2503232) 1700 0 R (id2503313) 1701 0 R (id2503372) 1702 0 R (id2503452) 1716 0 R (id2503458) 1717 0 R (id2503469) 1718 0 R (id2503555) 1719 0 R (id2503685) 1732 0 R (id2503925) 1738 0 R (id2504113) 1743 0 R (id2504115) 1749 0 R (id2504123) 1754 0 R (id2504147) 1750 0 R (id2504170) 1752 0 R (id2504206) 1763 0 R (id2504233) 1765 0 R (id2504259) 1757 0 R (id2504283) 1759 0 R (id2504375) 1761 0 R (id2504430) 1767 0 R (id2504457) 1769 0 R (id2504484) 1771 0 R (id2504614) 1773 0 R (id2504644) 1775 0 R (id2504674) 1777 0 R (id2504700) 1779 0 R (id2504775) 1782 0 R (id2504782) 1783 0 R (id2504809) 1785 0 R (id2504845) 1787 0 R (id2504910) 1789 0 R (id2504976) 1791 0 R (id2505041) 1794 0 R (id2505049) 1795 0 R (id2505075) 1797 0 R (id2505143) 1799 0 R (id2505178) 1801 0 R (id2505219) 1808 0 R (id2505224) 1809 0 R (id2505282) 1811 0 R (id2505319) 1819 0 R (id2505354) 1813 0 R (id2505409) 1815 0 R (id2505447) 1817 0 R (id2505473) 1821 0 R (id2505498) 1823 0 R (id2505525) 1825 0 R (id2505552) 1827 0 R (id2505591) 1829 0 R (id2505621) 1831 0 R (id2505651) 1833 0 R (id2505693) 1835 0 R (id2505726) 1837 0 R (id2505753) 1839 0 R (id2505777) 1841 0 R (id2505834) 1843 0 R (id2505859) 1846 0 R (id2505866) 1847 0 R (id2505892) 1849 0 R (id2505914) 1851 0 R (id2505938) 1853 0 R (id2505984) 1855 0 R (id2506007) 1857 0 R (id2506057) 1864 0 R (id2506065) 1865 0 R (id2506088) 1867 0 R (id2506115) 1869 0 R (id2506141) 1871 0 R (id2506178) 1873 0 R (id2506218) 1876 0 R (id2506224) 1877 0 R (id2506256) 1879 0 R (id2506301) 1881 0 R (id2506337) 1883 0 R (id2506363) 1886 0 R (id2506381) 1887 0 R (id2506404) 1889 0 R (id2506429) 1891 0 R (id2506455) 1893 0 R (id2506478) 1895 0 R (id2506524) 1897 0 R (id2506548) 1899 0 R (id2506574) 1901 0 R (id2506600) 1903 0 R (id2506637) 1906 0 R (id2506644) 1907 0 R (id2506701) 1909 0 R (id2506728) 1911 0 R (id2506833) 1919 0 R (id2506844) 1920 0 R (id2506884) 1922 0 R (id2506910) 1924 0 R (id2506940) 1926 0 R (id2506966) 1928 0 R (id2506993) 1930 0 R (id2507029) 1932 0 R (id2507065) 1934 0 R (id2507092) 1936 0 R (id2507118) 1938 0 R (id2507163) 1940 0 R (id2507205) 1943 0 R (id2507214) 1945 0 R (id2507217) 1947 0 R (incremental_zone_transfers) 1113 0 R (internet_drafts) 1942 0 R (ipv6addresses) 1180 0 R (journal) 1101 0 R (lwresd) 1191 0 R (man.ddns-confgen) 2229 0 R (man.dig) 1953 0 R (man.dnssec-dsfromkey) 2001 0 R (man.dnssec-keyfromlabel) 2019 0 R (man.dnssec-keygen) 2031 0 R (man.dnssec-revoke) 2054 0 R (man.dnssec-settime) 2065 0 R (man.dnssec-signzone) 2082 0 R (man.host) 1986 0 R (man.named) 2136 0 R (man.named-checkconf) 2107 0 R (man.named-checkzone) 2119 0 R (man.nsupdate) 2158 0 R (man.rndc) 2184 0 R (man.rndc-confgen) 2212 0 R (man.rndc.conf) 2196 0 R (notify) 1090 0 R (options) 1314 0 R (page.1) 734 0 R (page.10) 1015 0 R (page.100) 1695 0 R (page.101) 1706 0 R (page.102) 1710 0 R (page.103) 1714 0 R (page.104) 1726 0 R (page.105) 1730 0 R (page.106) 1737 0 R (page.107) 1747 0 R (page.108) 1806 0 R (page.109) 1862 0 R (page.11) 1022 0 R (page.110) 1917 0 R (page.111) 1951 0 R (page.112) 1960 0 R (page.113) 1966 0 R (page.114) 1971 0 R (page.115) 1975 0 R (page.116) 1981 0 R (page.117) 1992 0 R (page.118) 1997 0 R (page.119) 2009 0 R (page.12) 1034 0 R (page.120) 2018 0 R (page.121) 2027 0 R (page.122) 2038 0 R (page.123) 2044 0 R (page.124) 2049 0 R (page.125) 2059 0 R (page.126) 2071 0 R (page.127) 2078 0 R (page.128) 2091 0 R (page.129) 2095 0 R (page.13) 1039 0 R (page.130) 2099 0 R (page.131) 2104 0 R (page.132) 2116 0 R (page.133) 2127 0 R (page.134) 2132 0 R (page.135) 2143 0 R (page.136) 2148 0 R (page.137) 2153 0 R (page.138) 2165 0 R (page.139) 2170 0 R (page.14) 1048 0 R (page.140) 2175 0 R (page.141) 2181 0 R (page.142) 2192 0 R (page.143) 2203 0 R (page.144) 2208 0 R (page.145) 2218 0 R (page.146) 2225 0 R (page.147) 2237 0 R (page.15) 1057 0 R (page.16) 1067 0 R (page.17) 1074 0 R (page.18) 1080 0 R (page.19) 1088 0 R (page.2) 759 0 R (page.20) 1112 0 R (page.21) 1122 0 R (page.22) 1127 0 R (page.23) 1131 0 R (page.24) 1136 0 R (page.25) 1146 0 R (page.26) 1155 0 R (page.27) 1162 0 R (page.28) 1168 0 R (page.29) 1172 0 R (page.3) 769 0 R (page.30) 1184 0 R (page.31) 1188 0 R (page.32) 1196 0 R (page.33) 1200 0 R (page.34) 1210 0 R (page.35) 1215 0 R (page.36) 1223 0 R (page.37) 1231 0 R (page.38) 1241 0 R (page.39) 1249 0 R (page.4) 824 0 R (page.40) 1260 0 R (page.41) 1266 0 R (page.42) 1272 0 R (page.43) 1278 0 R (page.44) 1283 0 R (page.45) 1290 0 R (page.46) 1298 0 R (page.47) 1305 0 R (page.48) 1309 0 R (page.49) 1313 0 R (page.5) 888 0 R (page.50) 1319 0 R (page.51) 1323 0 R (page.52) 1330 0 R (page.53) 1334 0 R (page.54) 1341 0 R (page.55) 1351 0 R (page.56) 1356 0 R (page.57) 1360 0 R (page.58) 1370 0 R (page.59) 1377 0 R (page.6) 951 0 R (page.60) 1383 0 R (page.61) 1387 0 R (page.62) 1392 0 R (page.63) 1396 0 R (page.64) 1404 0 R (page.65) 1410 0 R (page.66) 1416 0 R (page.67) 1423 0 R (page.68) 1431 0 R (page.69) 1437 0 R (page.7) 976 0 R (page.70) 1449 0 R (page.71) 1454 0 R (page.72) 1458 0 R (page.73) 1464 0 R (page.74) 1470 0 R (page.75) 1477 0 R (page.76) 1485 0 R (page.77) 1491 0 R (page.78) 1496 0 R (page.79) 1500 0 R (page.8) 990 0 R (page.80) 1505 0 R (page.81) 1513 0 R (page.82) 1517 0 R (page.83) 1532 0 R (page.84) 1546 0 R (page.85) 1570 0 R (page.86) 1578 0 R (page.87) 1584 0 R (page.88) 1596 0 R (page.89) 1600 0 R (page.9) 1004 0 R (page.90) 1609 0 R (page.91) 1619 0 R (page.92) 1632 0 R (page.93) 1639 0 R (page.94) 1645 0 R (page.95) 1652 0 R (page.96) 1661 0 R (page.97) 1670 0 R (page.98) 1678 0 R (page.99) 1689 0 R (proposed_standards) 1118 0 R (query_address) 1379 0 R (rfcs) 1000 0 R (rndc) 1245 0 R (root_delegation_only) 1528 0 R (rrset_ordering) 1053 0 R (sample_configuration) 1041 0 R (section*.10) 1875 0 R (section*.100) 2157 0 R (section*.101) 2159 0 R (section*.102) 2160 0 R (section*.103) 2161 0 R (section*.104) 2166 0 R (section*.105) 2176 0 R (section*.106) 2177 0 R (section*.107) 2182 0 R (section*.108) 2183 0 R (section*.109) 2185 0 R (section*.11) 1885 0 R (section*.110) 2186 0 R (section*.111) 2187 0 R (section*.112) 2188 0 R (section*.113) 2193 0 R (section*.114) 2194 0 R (section*.115) 2195 0 R (section*.116) 2197 0 R (section*.117) 2198 0 R (section*.118) 2199 0 R (section*.119) 2204 0 R (section*.12) 1905 0 R (section*.120) 2209 0 R (section*.121) 2210 0 R (section*.122) 2211 0 R (section*.123) 2213 0 R (section*.124) 2214 0 R (section*.125) 2219 0 R (section*.126) 2220 0 R (section*.127) 2226 0 R (section*.128) 2227 0 R (section*.129) 2228 0 R (section*.13) 1918 0 R (section*.130) 2230 0 R (section*.131) 2231 0 R (section*.132) 2232 0 R (section*.133) 2233 0 R (section*.134) 2238 0 R (section*.135) 2239 0 R (section*.14) 1944 0 R (section*.15) 1954 0 R (section*.16) 1955 0 R (section*.17) 1956 0 R (section*.18) 1961 0 R (section*.19) 1962 0 R (section*.2) 1742 0 R (section*.20) 1967 0 R (section*.21) 1976 0 R (section*.22) 1982 0 R (section*.23) 1983 0 R (section*.24) 1984 0 R (section*.25) 1985 0 R (section*.26) 1987 0 R (section*.27) 1988 0 R (section*.28) 1993 0 R (section*.29) 1998 0 R (section*.3) 1748 0 R (section*.30) 1999 0 R (section*.31) 2000 0 R (section*.32) 2002 0 R (section*.33) 2003 0 R (section*.34) 2004 0 R (section*.35) 2005 0 R (section*.36) 2010 0 R (section*.37) 2011 0 R (section*.38) 2012 0 R (section*.39) 2013 0 R (section*.4) 1756 0 R (section*.40) 2014 0 R (section*.41) 2020 0 R (section*.42) 2021 0 R (section*.43) 2022 0 R (section*.44) 2023 0 R (section*.45) 2028 0 R (section*.46) 2029 0 R (section*.47) 2030 0 R (section*.48) 2032 0 R (section*.49) 2033 0 R (section*.5) 1781 0 R (section*.50) 2039 0 R (section*.51) 2040 0 R (section*.52) 2045 0 R (section*.53) 2050 0 R (section*.54) 2051 0 R (section*.55) 2052 0 R (section*.56) 2053 0 R (section*.57) 2055 0 R (section*.58) 2060 0 R (section*.59) 2061 0 R (section*.6) 1793 0 R (section*.60) 2062 0 R (section*.61) 2063 0 R (section*.62) 2064 0 R (section*.63) 2066 0 R (section*.64) 2067 0 R (section*.65) 2072 0 R (section*.66) 2073 0 R (section*.67) 2074 0 R (section*.68) 2079 0 R (section*.69) 2080 0 R (section*.7) 1807 0 R (section*.70) 2081 0 R (section*.71) 2083 0 R (section*.72) 2084 0 R (section*.73) 2085 0 R (section*.74) 2086 0 R (section*.75) 2100 0 R (section*.76) 2105 0 R (section*.77) 2106 0 R (section*.78) 2108 0 R (section*.79) 2109 0 R (section*.8) 1845 0 R (section*.80) 2110 0 R (section*.81) 2111 0 R (section*.82) 2112 0 R (section*.83) 2117 0 R (section*.84) 2118 0 R (section*.85) 2120 0 R (section*.86) 2121 0 R (section*.87) 2122 0 R (section*.88) 2123 0 R (section*.89) 2133 0 R (section*.9) 1863 0 R (section*.90) 2134 0 R (section*.91) 2135 0 R (section*.92) 2137 0 R (section*.93) 2138 0 R (section*.94) 2139 0 R (section*.95) 2144 0 R (section*.96) 2149 0 R (section*.97) 2154 0 R (section*.98) 2155 0 R (section*.99) 2156 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 494 0 R (section.6.4) 550 0 R (section.7.1) 586 0 R (section.7.2) 590 0 R (section.7.3) 602 0 R (section.8.1) 610 0 R (section.8.2) 618 0 R (section.8.3) 622 0 R (section.A.1) 630 0 R (section.A.2) 638 0 R (section.A.3) 646 0 R (section.B.1) 666 0 R (section.B.10) 702 0 R (section.B.11) 706 0 R (section.B.12) 710 0 R (section.B.13) 714 0 R (section.B.14) 718 0 R (section.B.15) 722 0 R (section.B.16) 726 0 R (section.B.2) 670 0 R (section.B.3) 674 0 R (section.B.4) 678 0 R (section.B.5) 682 0 R (section.B.6) 686 0 R (section.B.7) 690 0 R (section.B.8) 694 0 R (section.B.9) 698 0 R (server_resource_limits) 1405 0 R (server_statement_definition_and_usage) 1347 0 R (server_statement_grammar) 1465 0 R (statistics) 1646 0 R (statistics_counters) 1654 0 R (statschannels) 1473 0 R (statsfile) 1326 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.27) 470 0 R (subsection.6.2.28) 474 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 498 0 R (subsection.6.3.2) 510 0 R (subsection.6.3.3) 514 0 R (subsection.6.3.4) 518 0 R (subsection.6.3.5) 522 0 R (subsection.6.3.6) 542 0 R (subsection.6.3.7) 546 0 R (subsection.6.4.1) 558 0 R (subsection.7.2.1) 594 0 R (subsection.7.2.2) 598 0 R (subsection.8.1.1) 614 0 R (subsection.A.1.1) 634 0 R (subsection.A.2.1) 642 0 R (subsection.A.3.1) 650 0 R (subsection.A.3.2) 654 0 R (subsection.A.3.3) 658 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.28.1) 478 0 R (subsubsection.6.2.28.2) 482 0 R (subsubsection.6.2.28.3) 486 0 R (subsubsection.6.2.28.4) 490 0 R (subsubsection.6.3.1.1) 502 0 R (subsubsection.6.3.1.2) 506 0 R (subsubsection.6.3.5.1) 526 0 R (subsubsection.6.3.5.2) 530 0 R (subsubsection.6.3.5.3) 534 0 R (subsubsection.6.3.5.4) 538 0 R (subsubsection.6.4.0.1) 554 0 R (subsubsection.6.4.1.1) 562 0 R (subsubsection.6.4.1.2) 566 0 R (subsubsection.6.4.1.3) 570 0 R (subsubsection.6.4.1.4) 574 0 R (subsubsection.6.4.1.5) 578 0 R (table.1.1) 982 0 R (table.1.2) 992 0 R (table.3.1) 1051 0 R (table.3.2) 1083 0 R (table.6.1) 1204 0 R (table.6.10) 1590 0 R (table.6.11) 1592 0 R (table.6.12) 1602 0 R (table.6.13) 1605 0 R (table.6.14) 1611 0 R (table.6.15) 1614 0 R (table.6.16) 1621 0 R (table.6.17) 1624 0 R (table.6.18) 1641 0 R (table.6.19) 1648 0 R (table.6.2) 1227 0 R (table.6.20) 1657 0 R (table.6.21) 1665 0 R (table.6.22) 1673 0 R (table.6.23) 1681 0 R (table.6.3) 1235 0 R (table.6.4) 1274 0 R (table.6.5) 1286 0 R (table.6.6) 1336 0 R (table.6.7) 1426 0 R (table.6.8) 1509 0 R (table.6.9) 1580 0 R (the_category_phrase) 1268 0 R (the_sortlist_statement) 1417 0 R (topology) 1412 0 R (tsig) 1132 0 R (tuning) 1432 0 R (types_of_resource_records_and_when_to_use_them) 999 0 R (view_statement_grammar) 1445 0 R (zone_statement_grammar) 1366 0 R (zone_transfers) 1107 0 R (zonefile_format) 1444 0 R]
+2285 0 obj <<
+/Names [(Access_Control_Lists) 1708 0 R (Bv9ARM.ch01) 977 0 R (Bv9ARM.ch02) 1023 0 R (Bv9ARM.ch03) 1040 0 R (Bv9ARM.ch04) 1094 0 R (Bv9ARM.ch05) 1193 0 R (Bv9ARM.ch06) 1205 0 R (Bv9ARM.ch07) 1707 0 R (Bv9ARM.ch08) 1733 0 R (Bv9ARM.ch09) 1748 0 R (Bv9ARM.ch10) 1969 0 R (Configuration_File_Grammar) 1229 0 R (DNSSEC) 1161 0 R (Doc-Start) 735 0 R (Setting_TTLs) 1628 0 R (acache) 1030 0 R (access_control) 1372 0 R (acl) 1237 0 R (address_match_lists) 1210 0 R (admin_tools) 1063 0 R (appendix.A) 626 0 R (appendix.B) 662 0 R (bibliography) 1756 0 R (boolean_options) 1111 0 R (builtin) 1450 0 R (chapter*.1) 770 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 582 0 R (chapter.8) 606 0 R (cite.RFC1033) 1884 0 R (cite.RFC1034) 1768 0 R (cite.RFC1035) 1770 0 R (cite.RFC1101) 1866 0 R (cite.RFC1123) 1868 0 R (cite.RFC1183) 1828 0 R (cite.RFC1464) 1906 0 R (cite.RFC1535) 1813 0 R (cite.RFC1536) 1815 0 R (cite.RFC1537) 1886 0 R (cite.RFC1591) 1870 0 R (cite.RFC1706) 1830 0 R (cite.RFC1712) 1926 0 R (cite.RFC1713) 1908 0 R (cite.RFC1794) 1910 0 R (cite.RFC1876) 1832 0 R (cite.RFC1912) 1888 0 R (cite.RFC1982) 1817 0 R (cite.RFC1995) 1775 0 R (cite.RFC1996) 1777 0 R (cite.RFC2010) 1890 0 R (cite.RFC2052) 1834 0 R (cite.RFC2065) 1938 0 R (cite.RFC2136) 1779 0 R (cite.RFC2137) 1940 0 R (cite.RFC2163) 1836 0 R (cite.RFC2168) 1838 0 R (cite.RFC2181) 1781 0 R (cite.RFC2219) 1892 0 R (cite.RFC2230) 1840 0 R (cite.RFC2240) 1912 0 R (cite.RFC2308) 1783 0 R (cite.RFC2317) 1872 0 R (cite.RFC2345) 1914 0 R (cite.RFC2352) 1916 0 R (cite.RFC2535) 1942 0 R (cite.RFC2536) 1842 0 R (cite.RFC2537) 1844 0 R (cite.RFC2538) 1846 0 R (cite.RFC2539) 1848 0 R (cite.RFC2540) 1850 0 R (cite.RFC2671) 1785 0 R (cite.RFC2672) 1787 0 R (cite.RFC2673) 1928 0 R (cite.RFC2782) 1852 0 R (cite.RFC2825) 1896 0 R (cite.RFC2826) 1874 0 R (cite.RFC2845) 1789 0 R (cite.RFC2874) 1930 0 R (cite.RFC2915) 1854 0 R (cite.RFC2929) 1876 0 R (cite.RFC2930) 1791 0 R (cite.RFC2931) 1793 0 R (cite.RFC3007) 1795 0 R (cite.RFC3008) 1944 0 R (cite.RFC3071) 1918 0 R (cite.RFC3090) 1946 0 R (cite.RFC3110) 1856 0 R (cite.RFC3123) 1858 0 R (cite.RFC3225) 1801 0 R (cite.RFC3258) 1920 0 R (cite.RFC3445) 1948 0 R (cite.RFC3490) 1898 0 R (cite.RFC3491) 1900 0 R (cite.RFC3492) 1902 0 R (cite.RFC3596) 1860 0 R (cite.RFC3597) 1862 0 R (cite.RFC3645) 1797 0 R (cite.RFC3655) 1950 0 R (cite.RFC3658) 1952 0 R (cite.RFC3755) 1954 0 R (cite.RFC3757) 1956 0 R (cite.RFC3833) 1803 0 R (cite.RFC3845) 1958 0 R (cite.RFC3901) 1922 0 R (cite.RFC4033) 1805 0 R (cite.RFC4034) 1807 0 R (cite.RFC4035) 1809 0 R (cite.RFC4074) 1819 0 R (cite.RFC974) 1772 0 R (cite.id2507489) 1963 0 R (clients-per-query) 1680 0 R (configuration_file_elements) 1206 0 R (controls_statement_definition_and_usage) 1081 0 R (diagnostic_tools) 1011 0 R (dynamic_update) 1104 0 R (dynamic_update_policies) 1075 0 R (dynamic_update_security) 1381 0 R (empty) 1452 0 R (historical_dns_information) 1750 0 R (id2466552) 978 0 R (id2466576) 979 0 R (id2467534) 980 0 R (id2467544) 981 0 R (id2467716) 993 0 R (id2467737) 994 0 R (id2467771) 995 0 R (id2467856) 998 0 R (id2467948) 991 0 R (id2470253) 1005 0 R (id2470277) 1008 0 R (id2470375) 1009 0 R (id2470396) 1010 0 R (id2470426) 1016 0 R (id2470530) 1017 0 R (id2470556) 1018 0 R (id2470590) 1024 0 R (id2470617) 1025 0 R (id2470630) 1026 0 R (id2470724) 1029 0 R (id2470734) 1035 0 R (id2470766) 1042 0 R (id2470782) 1043 0 R (id2470805) 1049 0 R (id2470822) 1050 0 R (id2471227) 1058 0 R (id2471233) 1059 0 R (id2473198) 1086 0 R (id2473210) 1087 0 R (id2473636) 1120 0 R (id2473654) 1121 0 R (id2474087) 1141 0 R (id2474104) 1142 0 R (id2474142) 1143 0 R (id2474161) 1144 0 R (id2474171) 1145 0 R (id2474276) 1146 0 R (id2474333) 1151 0 R (id2474382) 1153 0 R (id2474533) 1154 0 R (id2474582) 1160 0 R (id2474718) 1162 0 R (id2474797) 1167 0 R (id2475015) 1168 0 R (id2475197) 1180 0 R (id2475328) 1182 0 R (id2475349) 1183 0 R (id2475382) 1194 0 R (id2475597) 1207 0 R (id2476558) 1215 0 R (id2476586) 1220 0 R (id2476792) 1221 0 R (id2476807) 1222 0 R (id2476837) 1228 0 R (id2477048) 1230 0 R (id2477514) 1236 0 R (id2477557) 1238 0 R (id2477704) 1240 0 R (id2478064) 1248 0 R (id2478149) 1254 0 R (id2478172) 1255 0 R (id2478196) 1256 0 R (id2478286) 1260 0 R (id2478412) 1265 0 R (id2478465) 1266 0 R (id2479158) 1277 0 R (id2479824) 1288 0 R (id2479954) 1289 0 R (id2480343) 1295 0 R (id2480417) 1296 0 R (id2480549) 1303 0 R (id2480593) 1304 0 R (id2480608) 1305 0 R (id2483432) 1338 0 R (id2485354) 1364 0 R (id2485413) 1366 0 R (id2485850) 1380 0 R (id2487122) 1400 0 R (id2487318) 1406 0 R (id2487604) 1414 0 R (id2488174) 1428 0 R (id2489684) 1462 0 R (id2490572) 1481 0 R (id2490727) 1486 0 R (id2490778) 1487 0 R (id2490825) 1489 0 R (id2490876) 1490 0 R (id2491230) 1495 0 R (id2492804) 1513 0 R (id2492811) 1514 0 R (id2492817) 1515 0 R (id2493307) 1522 0 R (id2493340) 1528 0 R (id2495252) 1588 0 R (id2495606) 1598 0 R (id2495761) 1599 0 R (id2495781) 1602 0 R (id2495949) 1604 0 R (id2497120) 1614 0 R (id2497248) 1616 0 R (id2497337) 1617 0 R (id2497632) 1623 0 R (id2497768) 1625 0 R (id2497786) 1626 0 R (id2498190) 1629 0 R (id2498384) 1636 0 R (id2498398) 1637 0 R (id2498510) 1639 0 R (id2498533) 1640 0 R (id2498549) 1641 0 R (id2498678) 1646 0 R (id2498816) 1647 0 R (id2498852) 1648 0 R (id2498928) 1653 0 R (id2499302) 1660 0 R (id2499805) 1668 0 R (id2499811) 1669 0 R (id2501483) 1676 0 R (id2501490) 1677 0 R (id2501866) 1685 0 R (id2501872) 1686 0 R (id2502888) 1692 0 R (id2502920) 1693 0 R (id2503261) 1698 0 R (id2503504) 1717 0 R (id2503585) 1718 0 R (id2503644) 1719 0 R (id2503861) 1734 0 R (id2503866) 1735 0 R (id2503878) 1736 0 R (id2503895) 1737 0 R (id2503957) 1749 0 R (id2504197) 1755 0 R (id2504453) 1760 0 R (id2504455) 1766 0 R (id2504464) 1771 0 R (id2504487) 1767 0 R (id2504579) 1769 0 R (id2504615) 1780 0 R (id2504642) 1782 0 R (id2504667) 1774 0 R (id2504692) 1776 0 R (id2504715) 1778 0 R (id2504771) 1784 0 R (id2504797) 1786 0 R (id2504824) 1788 0 R (id2504886) 1790 0 R (id2504916) 1792 0 R (id2504946) 1794 0 R (id2504972) 1796 0 R (id2505047) 1799 0 R (id2505054) 1800 0 R (id2505081) 1802 0 R (id2505117) 1804 0 R (id2505182) 1806 0 R (id2505248) 1808 0 R (id2505313) 1811 0 R (id2505321) 1812 0 R (id2505347) 1814 0 R (id2505415) 1816 0 R (id2505450) 1818 0 R (id2505491) 1826 0 R (id2505496) 1827 0 R (id2505554) 1829 0 R (id2505591) 1837 0 R (id2505626) 1831 0 R (id2505681) 1833 0 R (id2505719) 1835 0 R (id2505745) 1839 0 R (id2505770) 1841 0 R (id2505797) 1843 0 R (id2505824) 1845 0 R (id2505863) 1847 0 R (id2505893) 1849 0 R (id2505923) 1851 0 R (id2505965) 1853 0 R (id2505998) 1855 0 R (id2506025) 1857 0 R (id2506049) 1859 0 R (id2506106) 1861 0 R (id2506131) 1864 0 R (id2506138) 1865 0 R (id2506164) 1867 0 R (id2506186) 1869 0 R (id2506210) 1871 0 R (id2506256) 1873 0 R (id2506279) 1875 0 R (id2506329) 1882 0 R (id2506337) 1883 0 R (id2506360) 1885 0 R (id2506387) 1887 0 R (id2506413) 1889 0 R (id2506450) 1891 0 R (id2506490) 1894 0 R (id2506496) 1895 0 R (id2506528) 1897 0 R (id2506573) 1899 0 R (id2506609) 1901 0 R (id2506635) 1904 0 R (id2506653) 1905 0 R (id2506676) 1907 0 R (id2506701) 1909 0 R (id2506727) 1911 0 R (id2506750) 1913 0 R (id2506796) 1915 0 R (id2506888) 1917 0 R (id2506915) 1919 0 R (id2506940) 1921 0 R (id2506978) 1924 0 R (id2506984) 1925 0 R (id2507042) 1927 0 R (id2507068) 1929 0 R (id2507105) 1936 0 R (id2507116) 1937 0 R (id2507156) 1939 0 R (id2507182) 1941 0 R (id2507212) 1943 0 R (id2507238) 1945 0 R (id2507265) 1947 0 R (id2507301) 1949 0 R (id2507337) 1951 0 R (id2507364) 1953 0 R (id2507390) 1955 0 R (id2507435) 1957 0 R (id2507477) 1960 0 R (id2507486) 1962 0 R (id2507489) 1964 0 R (incremental_zone_transfers) 1117 0 R (internet_drafts) 1959 0 R (ipv6addresses) 1184 0 R (journal) 1106 0 R (lwresd) 1195 0 R (man.ddns-confgen) 2249 0 R (man.dig) 1970 0 R (man.dnssec-dsfromkey) 2018 0 R (man.dnssec-keyfromlabel) 2037 0 R (man.dnssec-keygen) 1580 0 R (man.dnssec-revoke) 2075 0 R (man.dnssec-settime) 1581 0 R (man.dnssec-signzone) 2103 0 R (man.host) 2003 0 R (man.named) 2156 0 R (man.named-checkconf) 2128 0 R (man.named-checkzone) 2140 0 R (man.nsupdate) 2179 0 R (man.rndc) 2204 0 R (man.rndc-confgen) 2237 0 R (man.rndc.conf) 2221 0 R (notify) 1095 0 R (options) 1074 0 R (page.1) 734 0 R (page.10) 1015 0 R (page.100) 1702 0 R (page.101) 1706 0 R (page.102) 1712 0 R (page.103) 1723 0 R (page.104) 1728 0 R (page.105) 1732 0 R (page.106) 1743 0 R (page.107) 1747 0 R (page.108) 1754 0 R (page.109) 1764 0 R (page.11) 1022 0 R (page.110) 1824 0 R (page.111) 1880 0 R (page.112) 1934 0 R (page.113) 1968 0 R (page.114) 1977 0 R (page.115) 1983 0 R (page.116) 1989 0 R (page.117) 1993 0 R (page.118) 1998 0 R (page.119) 2009 0 R (page.12) 1034 0 R (page.120) 2014 0 R (page.121) 2026 0 R (page.122) 2036 0 R (page.123) 2045 0 R (page.124) 2050 0 R (page.125) 2060 0 R (page.126) 2065 0 R (page.127) 2070 0 R (page.128) 2081 0 R (page.129) 2092 0 R (page.13) 1039 0 R (page.130) 2099 0 R (page.131) 2111 0 R (page.132) 2115 0 R (page.133) 2119 0 R (page.134) 2125 0 R (page.135) 2136 0 R (page.136) 2147 0 R (page.137) 2152 0 R (page.138) 2161 0 R (page.139) 2168 0 R (page.14) 1048 0 R (page.140) 2173 0 R (page.141) 2184 0 R (page.142) 2190 0 R (page.143) 2195 0 R (page.144) 2200 0 R (page.145) 2211 0 R (page.146) 2220 0 R (page.147) 2229 0 R (page.148) 2235 0 R (page.149) 2245 0 R (page.15) 1057 0 R (page.150) 2255 0 R (page.16) 1067 0 R (page.17) 1079 0 R (page.18) 1085 0 R (page.19) 1093 0 R (page.2) 759 0 R (page.20) 1116 0 R (page.21) 1126 0 R (page.22) 1131 0 R (page.23) 1135 0 R (page.24) 1140 0 R (page.25) 1150 0 R (page.26) 1159 0 R (page.27) 1166 0 R (page.28) 1172 0 R (page.29) 1176 0 R (page.3) 769 0 R (page.30) 1188 0 R (page.31) 1192 0 R (page.32) 1200 0 R (page.33) 1204 0 R (page.34) 1214 0 R (page.35) 1219 0 R (page.36) 1227 0 R (page.37) 1235 0 R (page.38) 1245 0 R (page.39) 1253 0 R (page.4) 824 0 R (page.40) 1264 0 R (page.41) 1270 0 R (page.42) 1276 0 R (page.43) 1282 0 R (page.44) 1287 0 R (page.45) 1294 0 R (page.46) 1302 0 R (page.47) 1309 0 R (page.48) 1313 0 R (page.49) 1317 0 R (page.5) 888 0 R (page.50) 1322 0 R (page.51) 1326 0 R (page.52) 1333 0 R (page.53) 1337 0 R (page.54) 1344 0 R (page.55) 1354 0 R (page.56) 1359 0 R (page.57) 1363 0 R (page.58) 1371 0 R (page.59) 1377 0 R (page.6) 951 0 R (page.60) 1385 0 R (page.61) 1390 0 R (page.62) 1395 0 R (page.63) 1399 0 R (page.64) 1405 0 R (page.65) 1413 0 R (page.66) 1418 0 R (page.67) 1426 0 R (page.68) 1434 0 R (page.69) 1439 0 R (page.7) 976 0 R (page.70) 1446 0 R (page.71) 1457 0 R (page.72) 1461 0 R (page.73) 1466 0 R (page.74) 1473 0 R (page.75) 1477 0 R (page.76) 1485 0 R (page.77) 1494 0 R (page.78) 1499 0 R (page.79) 1503 0 R (page.8) 990 0 R (page.80) 1508 0 R (page.81) 1512 0 R (page.82) 1520 0 R (page.83) 1527 0 R (page.84) 1547 0 R (page.85) 1561 0 R (page.86) 1585 0 R (page.87) 1593 0 R (page.88) 1597 0 R (page.89) 1609 0 R (page.9) 1004 0 R (page.90) 1613 0 R (page.91) 1622 0 R (page.92) 1635 0 R (page.93) 1645 0 R (page.94) 1652 0 R (page.95) 1658 0 R (page.96) 1665 0 R (page.97) 1674 0 R (page.98) 1684 0 R (page.99) 1691 0 R (proposed_standards) 1122 0 R (query_address) 1386 0 R (rfcs) 1000 0 R (rndc) 1249 0 R (root_delegation_only) 1523 0 R (rrset_ordering) 1053 0 R (sample_configuration) 1041 0 R (section*.10) 1893 0 R (section*.100) 2177 0 R (section*.101) 2178 0 R (section*.102) 2180 0 R (section*.103) 2185 0 R (section*.104) 2186 0 R (section*.105) 2191 0 R (section*.106) 2196 0 R (section*.107) 2201 0 R (section*.108) 2202 0 R (section*.109) 2203 0 R (section*.11) 1903 0 R (section*.110) 2205 0 R (section*.111) 2206 0 R (section*.112) 2207 0 R (section*.113) 2212 0 R (section*.114) 2213 0 R (section*.115) 2214 0 R (section*.116) 2215 0 R (section*.117) 2222 0 R (section*.118) 2223 0 R (section*.119) 2224 0 R (section*.12) 1923 0 R (section*.120) 2225 0 R (section*.121) 2230 0 R (section*.122) 2231 0 R (section*.123) 2236 0 R (section*.124) 2238 0 R (section*.125) 2239 0 R (section*.126) 2240 0 R (section*.127) 2241 0 R (section*.128) 2246 0 R (section*.129) 2247 0 R (section*.13) 1935 0 R (section*.130) 2248 0 R (section*.131) 2250 0 R (section*.132) 2251 0 R (section*.133) 2256 0 R (section*.134) 2257 0 R (section*.135) 2258 0 R (section*.136) 2259 0 R (section*.14) 1961 0 R (section*.15) 1971 0 R (section*.16) 1972 0 R (section*.17) 1973 0 R (section*.18) 1978 0 R (section*.19) 1979 0 R (section*.2) 1759 0 R (section*.20) 1984 0 R (section*.21) 1994 0 R (section*.22) 1999 0 R (section*.23) 2000 0 R (section*.24) 2001 0 R (section*.25) 2002 0 R (section*.26) 2004 0 R (section*.27) 2005 0 R (section*.28) 2010 0 R (section*.29) 2015 0 R (section*.3) 1765 0 R (section*.30) 2016 0 R (section*.31) 2017 0 R (section*.32) 2019 0 R (section*.33) 2020 0 R (section*.34) 2021 0 R (section*.35) 2022 0 R (section*.36) 2027 0 R (section*.37) 2028 0 R (section*.38) 2029 0 R (section*.39) 2030 0 R (section*.4) 1773 0 R (section*.40) 2031 0 R (section*.41) 2038 0 R (section*.42) 2039 0 R (section*.43) 2040 0 R (section*.44) 2041 0 R (section*.45) 2046 0 R (section*.46) 2051 0 R (section*.47) 2052 0 R (section*.48) 2053 0 R (section*.49) 2054 0 R (section*.5) 1798 0 R (section*.50) 2055 0 R (section*.51) 2056 0 R (section*.52) 2061 0 R (section*.53) 2066 0 R (section*.54) 2071 0 R (section*.55) 2072 0 R (section*.56) 2073 0 R (section*.57) 2074 0 R (section*.58) 2076 0 R (section*.59) 2082 0 R (section*.6) 1810 0 R (section*.60) 2083 0 R (section*.61) 2084 0 R (section*.62) 2085 0 R (section*.63) 2086 0 R (section*.64) 2087 0 R (section*.65) 2088 0 R (section*.66) 2093 0 R (section*.67) 2094 0 R (section*.68) 2095 0 R (section*.69) 2100 0 R (section*.7) 1825 0 R (section*.70) 2101 0 R (section*.71) 2102 0 R (section*.72) 2104 0 R (section*.73) 2105 0 R (section*.74) 2106 0 R (section*.75) 2107 0 R (section*.76) 2120 0 R (section*.77) 2126 0 R (section*.78) 2127 0 R (section*.79) 2129 0 R (section*.8) 1863 0 R (section*.80) 2130 0 R (section*.81) 2131 0 R (section*.82) 2132 0 R (section*.83) 2137 0 R (section*.84) 2138 0 R (section*.85) 2139 0 R (section*.86) 2141 0 R (section*.87) 2142 0 R (section*.88) 2143 0 R (section*.89) 2148 0 R (section*.9) 1881 0 R (section*.90) 2153 0 R (section*.91) 2154 0 R (section*.92) 2155 0 R (section*.93) 2157 0 R (section*.94) 2162 0 R (section*.95) 2163 0 R (section*.96) 2164 0 R (section*.97) 2174 0 R (section*.98) 2175 0 R (section*.99) 2176 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 494 0 R (section.6.4) 550 0 R (section.7.1) 586 0 R (section.7.2) 590 0 R (section.7.3) 602 0 R (section.8.1) 610 0 R (section.8.2) 618 0 R (section.8.3) 622 0 R (section.A.1) 630 0 R (section.A.2) 638 0 R (section.A.3) 646 0 R (section.B.1) 666 0 R (section.B.10) 702 0 R (section.B.11) 706 0 R (section.B.12) 710 0 R (section.B.13) 714 0 R (section.B.14) 718 0 R (section.B.15) 722 0 R (section.B.16) 726 0 R (section.B.2) 670 0 R (section.B.3) 674 0 R (section.B.4) 678 0 R (section.B.5) 682 0 R (section.B.6) 686 0 R (section.B.7) 690 0 R (section.B.8) 694 0 R (section.B.9) 698 0 R (server_resource_limits) 1408 0 R (server_statement_definition_and_usage) 1350 0 R (server_statement_grammar) 1468 0 R (statistics) 1659 0 R (statistics_counters) 1667 0 R (statschannels) 1480 0 R (statsfile) 1329 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.27) 470 0 R (subsection.6.2.28) 474 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 498 0 R (subsection.6.3.2) 510 0 R (subsection.6.3.3) 514 0 R (subsection.6.3.4) 518 0 R (subsection.6.3.5) 522 0 R (subsection.6.3.6) 542 0 R (subsection.6.3.7) 546 0 R (subsection.6.4.1) 558 0 R (subsection.7.2.1) 594 0 R (subsection.7.2.2) 598 0 R (subsection.8.1.1) 614 0 R (subsection.A.1.1) 634 0 R (subsection.A.2.1) 642 0 R (subsection.A.3.1) 650 0 R (subsection.A.3.2) 654 0 R (subsection.A.3.3) 658 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.28.1) 478 0 R (subsubsection.6.2.28.2) 482 0 R (subsubsection.6.2.28.3) 486 0 R (subsubsection.6.2.28.4) 490 0 R (subsubsection.6.3.1.1) 502 0 R (subsubsection.6.3.1.2) 506 0 R (subsubsection.6.3.5.1) 526 0 R (subsubsection.6.3.5.2) 530 0 R (subsubsection.6.3.5.3) 534 0 R (subsubsection.6.3.5.4) 538 0 R (subsubsection.6.4.0.1) 554 0 R (subsubsection.6.4.1.1) 562 0 R (subsubsection.6.4.1.2) 566 0 R (subsubsection.6.4.1.3) 570 0 R (subsubsection.6.4.1.4) 574 0 R (subsubsection.6.4.1.5) 578 0 R (table.1.1) 982 0 R (table.1.2) 992 0 R (table.3.1) 1051 0 R (table.3.2) 1088 0 R (table.6.1) 1208 0 R (table.6.10) 1603 0 R (table.6.11) 1605 0 R (table.6.12) 1615 0 R (table.6.13) 1618 0 R (table.6.14) 1624 0 R (table.6.15) 1627 0 R (table.6.16) 1630 0 R (table.6.17) 1638 0 R (table.6.18) 1654 0 R (table.6.19) 1661 0 R (table.6.2) 1231 0 R (table.6.20) 1670 0 R (table.6.21) 1678 0 R (table.6.22) 1687 0 R (table.6.23) 1694 0 R (table.6.3) 1239 0 R (table.6.4) 1278 0 R (table.6.5) 1290 0 R (table.6.6) 1339 0 R (table.6.7) 1429 0 R (table.6.8) 1516 0 R (table.6.9) 1589 0 R (the_category_phrase) 1272 0 R (the_sortlist_statement) 1420 0 R (topology) 1419 0 R (tsig) 1136 0 R (tuning) 1435 0 R (types_of_resource_records_and_when_to_use_them) 999 0 R (view_statement_grammar) 1453 0 R (zone_statement_grammar) 1367 0 R (zone_transfers) 1112 0 R (zonefile_format) 1442 0 R]
 /Limits [(Access_Control_Lists) (zonefile_format)]
 >> endobj
-2266 0 obj <<
-/Kids [2265 0 R]
+2286 0 obj <<
+/Kids [2285 0 R]
 >> endobj
-2267 0 obj <<
-/Dests 2266 0 R
+2287 0 obj <<
+/Dests 2286 0 R
 >> endobj
-2268 0 obj <<
+2288 0 obj <<
 /Type /Catalog
-/Pages 2263 0 R
-/Outlines 2264 0 R
-/Names 2267 0 R
+/Pages 2283 0 R
+/Outlines 2284 0 R
+/Names 2287 0 R
 /PageMode /UseOutlines 
 /OpenAction 729 0 R
 >> endobj
-2269 0 obj <<
+2289 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20090903011315Z)
+/CreationDate (D:20091012231359Z)
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 2270
+0 2290
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
 0000000004 00000 f 
 0000000000 00000 f 
 0000000009 00000 n 
-0000073723 00000 n 
-0000794710 00000 n 
+0000073718 00000 n 
+0000803820 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
-0000073847 00000 n 
-0000794638 00000 n 
+0000073842 00000 n 
+0000803748 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
-0000073972 00000 n 
-0000794552 00000 n 
+0000073967 00000 n 
+0000803662 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
-0000074097 00000 n 
-0000794466 00000 n 
+0000074092 00000 n 
+0000803576 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
-0000078422 00000 n 
-0000794356 00000 n 
+0000078417 00000 n 
+0000803466 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
-0000078546 00000 n 
-0000794282 00000 n 
+0000078541 00000 n 
+0000803392 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
-0000078671 00000 n 
-0000794195 00000 n 
+0000078666 00000 n 
+0000803305 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
-0000078795 00000 n 
-0000794108 00000 n 
+0000078790 00000 n 
+0000803218 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
-0000083084 00000 n 
-0000793984 00000 n 
+0000083079 00000 n 
+0000803094 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
-0000083212 00000 n 
-0000793910 00000 n 
+0000083207 00000 n 
+0000803020 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
-0000083340 00000 n 
-0000793823 00000 n 
+0000083335 00000 n 
+0000802933 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
-0000083468 00000 n 
-0000793749 00000 n 
+0000083463 00000 n 
+0000802859 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
-0000086450 00000 n 
-0000793625 00000 n 
+0000086445 00000 n 
+0000802735 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
-0000086578 00000 n 
-0000793564 00000 n 
+0000086573 00000 n 
+0000802674 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
-0000086706 00000 n 
-0000793490 00000 n 
+0000086701 00000 n 
+0000802600 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
-0000089648 00000 n 
-0000793365 00000 n 
+0000089643 00000 n 
+0000802475 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
-0000089776 00000 n 
-0000793291 00000 n 
+0000089771 00000 n 
+0000802401 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
-0000089904 00000 n 
-0000793204 00000 n 
+0000089899 00000 n 
+0000802314 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
-0000090032 00000 n 
-0000793117 00000 n 
+0000090027 00000 n 
+0000802227 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
-0000090159 00000 n 
-0000793030 00000 n 
+0000090154 00000 n 
+0000802140 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
-0000091236 00000 n 
-0000792956 00000 n 
+0000091231 00000 n 
+0000802066 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
-0000092895 00000 n 
-0000792828 00000 n 
+0000092890 00000 n 
+0000801938 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
-0000093022 00000 n 
-0000792715 00000 n 
+0000093017 00000 n 
+0000801825 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
-0000093150 00000 n 
-0000792639 00000 n 
+0000093145 00000 n 
+0000801749 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
-0000093278 00000 n 
-0000792562 00000 n 
+0000093273 00000 n 
+0000801672 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
-0000095724 00000 n 
-0000792471 00000 n 
+0000095719 00000 n 
+0000801581 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
-0000099062 00000 n 
-0000792354 00000 n 
+0000099057 00000 n 
+0000801464 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
-0000099190 00000 n 
-0000792236 00000 n 
+0000099185 00000 n 
+0000801346 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
-0000099318 00000 n 
-0000792157 00000 n 
+0000099313 00000 n 
+0000801267 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
-0000099447 00000 n 
-0000792078 00000 n 
+0000099442 00000 n 
+0000801188 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
-0000110269 00000 n 
-0000791999 00000 n 
+0000111318 00000 n 
+0000801109 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
-0000115577 00000 n 
-0000791867 00000 n 
+0000116628 00000 n 
+0000800977 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
-0000115706 00000 n 
-0000791788 00000 n 
+0000116757 00000 n 
+0000800898 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
-0000115835 00000 n 
-0000791656 00000 n 
+0000116886 00000 n 
+0000800766 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
-0000115964 00000 n 
-0000791591 00000 n 
+0000117015 00000 n 
+0000800701 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
-0000120339 00000 n 
-0000791498 00000 n 
+0000121390 00000 n 
+0000800608 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
-0000120468 00000 n 
-0000791366 00000 n 
+0000121519 00000 n 
+0000800476 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
-0000120597 00000 n 
-0000791301 00000 n 
+0000121648 00000 n 
+0000800411 00000 n 
 0000003632 00000 n 
 0000003681 00000 n 
-0000127414 00000 n 
-0000791169 00000 n 
+0000128465 00000 n 
+0000800279 00000 n 
 0000003730 00000 n 
 0000003758 00000 n 
-0000130265 00000 n 
-0000791051 00000 n 
+0000131234 00000 n 
+0000800161 00000 n 
 0000003812 00000 n 
 0000003881 00000 n 
-0000130394 00000 n 
-0000790972 00000 n 
+0000131363 00000 n 
+0000800082 00000 n 
 0000003940 00000 n 
 0000003988 00000 n 
-0000130523 00000 n 
-0000790893 00000 n 
+0000131492 00000 n 
+0000800003 00000 n 
 0000004047 00000 n 
 0000004092 00000 n 
-0000130652 00000 n 
-0000790800 00000 n 
+0000131621 00000 n 
+0000799910 00000 n 
 0000004146 00000 n 
 0000004214 00000 n 
-0000130781 00000 n 
-0000790707 00000 n 
+0000131750 00000 n 
+0000799817 00000 n 
 0000004268 00000 n 
 0000004338 00000 n 
-0000130910 00000 n 
-0000790614 00000 n 
+0000131879 00000 n 
+0000799724 00000 n 
 0000004392 00000 n 
 0000004455 00000 n 
-0000134643 00000 n 
-0000790521 00000 n 
+0000135612 00000 n 
+0000799631 00000 n 
 0000004509 00000 n 
 0000004564 00000 n 
-0000134772 00000 n 
-0000790442 00000 n 
+0000135741 00000 n 
+0000799552 00000 n 
 0000004618 00000 n 
 0000004650 00000 n 
-0000134901 00000 n 
-0000790349 00000 n 
+0000135870 00000 n 
+0000799459 00000 n 
 0000004699 00000 n 
 0000004727 00000 n 
-0000138505 00000 n 
-0000790256 00000 n 
+0000139474 00000 n 
+0000799366 00000 n 
 0000004776 00000 n 
 0000004808 00000 n 
-0000138634 00000 n 
-0000790124 00000 n 
+0000139603 00000 n 
+0000799234 00000 n 
 0000004857 00000 n 
 0000004887 00000 n 
-0000138763 00000 n 
-0000790045 00000 n 
+0000139732 00000 n 
+0000799155 00000 n 
 0000004941 00000 n 
 0000004982 00000 n 
-0000142493 00000 n 
-0000789952 00000 n 
+0000143462 00000 n 
+0000799062 00000 n 
 0000005036 00000 n 
 0000005078 00000 n 
-0000142622 00000 n 
-0000789873 00000 n 
+0000143591 00000 n 
+0000798983 00000 n 
 0000005132 00000 n 
 0000005177 00000 n 
-0000148577 00000 n 
-0000789755 00000 n 
+0000149546 00000 n 
+0000798865 00000 n 
 0000005226 00000 n 
 0000005272 00000 n 
-0000148706 00000 n 
-0000789676 00000 n 
+0000149675 00000 n 
+0000798786 00000 n 
 0000005326 00000 n 
 0000005386 00000 n 
-0000148835 00000 n 
-0000789597 00000 n 
+0000149804 00000 n 
+0000798707 00000 n 
 0000005440 00000 n 
 0000005509 00000 n 
-0000152019 00000 n 
-0000789464 00000 n 
+0000152988 00000 n 
+0000798574 00000 n 
 0000005556 00000 n 
 0000005609 00000 n 
-0000152148 00000 n 
-0000789385 00000 n 
+0000153117 00000 n 
+0000798495 00000 n 
 0000005658 00000 n 
 0000005714 00000 n 
-0000152277 00000 n 
-0000789306 00000 n 
+0000153246 00000 n 
+0000798416 00000 n 
 0000005763 00000 n 
 0000005812 00000 n 
-0000156546 00000 n 
-0000789173 00000 n 
+0000157515 00000 n 
+0000798283 00000 n 
 0000005859 00000 n 
 0000005911 00000 n 
-0000156675 00000 n 
-0000789055 00000 n 
+0000157644 00000 n 
+0000798165 00000 n 
 0000005960 00000 n 
 0000006011 00000 n 
-0000161365 00000 n 
-0000788937 00000 n 
+0000162334 00000 n 
+0000798047 00000 n 
 0000006065 00000 n 
 0000006110 00000 n 
-0000161493 00000 n 
-0000788858 00000 n 
+0000162462 00000 n 
+0000797968 00000 n 
 0000006169 00000 n 
 0000006203 00000 n 
-0000165083 00000 n 
-0000788779 00000 n 
+0000166052 00000 n 
+0000797889 00000 n 
 0000006262 00000 n 
 0000006310 00000 n 
-0000165212 00000 n 
-0000788661 00000 n 
+0000166181 00000 n 
+0000797771 00000 n 
 0000006364 00000 n 
 0000006404 00000 n 
-0000165341 00000 n 
-0000788582 00000 n 
+0000166310 00000 n 
+0000797692 00000 n 
 0000006463 00000 n 
 0000006497 00000 n 
-0000169117 00000 n 
-0000788503 00000 n 
+0000170086 00000 n 
+0000797613 00000 n 
 0000006556 00000 n 
 0000006604 00000 n 
-0000169246 00000 n 
-0000788370 00000 n 
+0000170215 00000 n 
+0000797480 00000 n 
 0000006653 00000 n 
 0000006703 00000 n 
-0000172314 00000 n 
-0000788291 00000 n 
+0000173283 00000 n 
+0000797401 00000 n 
 0000006757 00000 n 
 0000006804 00000 n 
-0000172442 00000 n 
-0000788198 00000 n 
+0000173411 00000 n 
+0000797308 00000 n 
 0000006858 00000 n 
 0000006918 00000 n 
-0000172701 00000 n 
-0000788105 00000 n 
+0000173670 00000 n 
+0000797215 00000 n 
 0000006972 00000 n 
 0000007024 00000 n 
-0000177881 00000 n 
-0000788012 00000 n 
+0000178850 00000 n 
+0000797122 00000 n 
 0000007078 00000 n 
 0000007143 00000 n 
-0000178010 00000 n 
-0000787919 00000 n 
+0000178979 00000 n 
+0000797029 00000 n 
 0000007197 00000 n 
 0000007248 00000 n 
-0000181484 00000 n 
-0000787826 00000 n 
+0000182453 00000 n 
+0000796936 00000 n 
 0000007302 00000 n 
 0000007366 00000 n 
-0000181613 00000 n 
-0000787733 00000 n 
+0000182582 00000 n 
+0000796843 00000 n 
 0000007420 00000 n 
 0000007467 00000 n 
-0000181742 00000 n 
-0000787640 00000 n 
+0000182711 00000 n 
+0000796750 00000 n 
 0000007521 00000 n 
 0000007581 00000 n 
-0000181871 00000 n 
-0000787547 00000 n 
+0000182840 00000 n 
+0000796657 00000 n 
 0000007635 00000 n 
 0000007686 00000 n 
-0000185887 00000 n 
-0000787415 00000 n 
+0000186856 00000 n 
+0000796525 00000 n 
 0000007741 00000 n 
 0000007806 00000 n 
-0000186016 00000 n 
-0000787336 00000 n 
+0000186985 00000 n 
+0000796446 00000 n 
 0000007866 00000 n 
 0000007913 00000 n 
-0000192832 00000 n 
-0000787243 00000 n 
+0000193801 00000 n 
+0000796353 00000 n 
 0000007973 00000 n 
 0000008021 00000 n 
-0000199964 00000 n 
-0000787164 00000 n 
+0000200933 00000 n 
+0000796274 00000 n 
 0000008081 00000 n 
 0000008135 00000 n 
-0000203665 00000 n 
-0000787071 00000 n 
+0000204634 00000 n 
+0000796181 00000 n 
 0000008190 00000 n 
 0000008240 00000 n 
-0000203794 00000 n 
-0000786978 00000 n 
+0000204763 00000 n 
+0000796088 00000 n 
 0000008295 00000 n 
 0000008358 00000 n 
-0000205525 00000 n 
-0000786885 00000 n 
+0000206494 00000 n 
+0000795995 00000 n 
 0000008413 00000 n 
 0000008465 00000 n 
-0000205654 00000 n 
-0000786792 00000 n 
+0000206623 00000 n 
+0000795902 00000 n 
 0000008520 00000 n 
 0000008585 00000 n 
-0000205782 00000 n 
-0000786699 00000 n 
+0000206751 00000 n 
+0000795809 00000 n 
 0000008640 00000 n 
 0000008692 00000 n 
-0000211844 00000 n 
-0000786566 00000 n 
+0000212695 00000 n 
+0000795676 00000 n 
 0000008747 00000 n 
 0000008812 00000 n 
-0000224498 00000 n 
-0000786487 00000 n 
+0000225348 00000 n 
+0000795597 00000 n 
 0000008872 00000 n 
 0000008916 00000 n 
-0000245848 00000 n 
-0000786394 00000 n 
+0000246636 00000 n 
+0000795504 00000 n 
 0000008976 00000 n 
 0000009015 00000 n 
-0000245976 00000 n 
-0000786301 00000 n 
+0000246765 00000 n 
+0000795411 00000 n 
 0000009075 00000 n 
 0000009122 00000 n 
-0000246105 00000 n 
-0000786208 00000 n 
+0000250067 00000 n 
+0000795318 00000 n 
 0000009182 00000 n 
 0000009225 00000 n 
-0000253347 00000 n 
-0000786115 00000 n 
+0000254254 00000 n 
+0000795225 00000 n 
 0000009285 00000 n 
 0000009324 00000 n 
-0000253476 00000 n 
-0000786022 00000 n 
+0000257954 00000 n 
+0000795132 00000 n 
 0000009384 00000 n 
 0000009426 00000 n 
-0000260279 00000 n 
-0000785929 00000 n 
+0000261009 00000 n 
+0000795039 00000 n 
 0000009486 00000 n 
 0000009529 00000 n 
-0000268322 00000 n 
-0000785836 00000 n 
+0000267994 00000 n 
+0000794946 00000 n 
 0000009589 00000 n 
 0000009632 00000 n 
-0000268451 00000 n 
-0000785743 00000 n 
+0000272447 00000 n 
+0000794853 00000 n 
 0000009692 00000 n 
 0000009753 00000 n 
-0000272623 00000 n 
-0000785650 00000 n 
+0000272576 00000 n 
+0000794760 00000 n 
 0000009814 00000 n 
 0000009866 00000 n 
-0000275985 00000 n 
-0000785557 00000 n 
+0000276414 00000 n 
+0000794667 00000 n 
 0000009927 00000 n 
 0000009980 00000 n 
-0000276114 00000 n 
-0000785464 00000 n 
+0000280762 00000 n 
+0000794574 00000 n 
 0000010041 00000 n 
 0000010079 00000 n 
-0000279958 00000 n 
-0000785371 00000 n 
+0000280891 00000 n 
+0000794481 00000 n 
 0000010140 00000 n 
 0000010192 00000 n 
-0000283374 00000 n 
-0000785278 00000 n 
+0000283752 00000 n 
+0000794388 00000 n 
 0000010253 00000 n 
 0000010297 00000 n 
-0000287544 00000 n 
-0000785185 00000 n 
+0000287002 00000 n 
+0000794295 00000 n 
 0000010358 00000 n 
 0000010394 00000 n 
-0000292462 00000 n 
-0000785092 00000 n 
+0000295912 00000 n 
+0000794202 00000 n 
 0000010455 00000 n 
 0000010518 00000 n 
-0000295823 00000 n 
-0000784999 00000 n 
+0000296041 00000 n 
+0000794109 00000 n 
 0000010579 00000 n 
 0000010629 00000 n 
-0000299613 00000 n 
-0000784906 00000 n 
+0000303223 00000 n 
+0000794016 00000 n 
 0000010690 00000 n 
 0000010746 00000 n 
-0000303794 00000 n 
-0000784827 00000 n 
+0000303352 00000 n 
+0000793937 00000 n 
 0000010807 00000 n 
 0000010854 00000 n 
-0000306949 00000 n 
-0000784734 00000 n 
+0000307051 00000 n 
+0000793844 00000 n 
 0000010909 00000 n 
 0000010960 00000 n 
-0000307078 00000 n 
-0000784641 00000 n 
+0000311038 00000 n 
+0000793751 00000 n 
 0000011015 00000 n 
 0000011079 00000 n 
-0000311964 00000 n 
-0000784548 00000 n 
+0000315486 00000 n 
+0000793658 00000 n 
 0000011134 00000 n 
 0000011198 00000 n 
-0000315845 00000 n 
-0000784455 00000 n 
+0000315613 00000 n 
+0000793565 00000 n 
 0000011253 00000 n 
 0000011330 00000 n 
-0000315974 00000 n 
-0000784362 00000 n 
+0000319170 00000 n 
+0000793472 00000 n 
 0000011385 00000 n 
 0000011442 00000 n 
-0000316103 00000 n 
-0000784269 00000 n 
+0000319299 00000 n 
+0000793379 00000 n 
 0000011497 00000 n 
 0000011567 00000 n 
-0000319957 00000 n 
-0000784176 00000 n 
+0000319428 00000 n 
+0000793286 00000 n 
 0000011622 00000 n 
 0000011679 00000 n 
-0000320086 00000 n 
-0000784083 00000 n 
+0000319557 00000 n 
+0000793193 00000 n 
 0000011734 00000 n 
 0000011804 00000 n 
-0000320214 00000 n 
-0000783990 00000 n 
+0000323711 00000 n 
+0000793100 00000 n 
 0000011859 00000 n 
 0000011908 00000 n 
-0000323686 00000 n 
-0000783897 00000 n 
+0000323840 00000 n 
+0000793007 00000 n 
 0000011963 00000 n 
 0000012025 00000 n 
-0000325436 00000 n 
-0000783804 00000 n 
+0000326101 00000 n 
+0000792914 00000 n 
 0000012080 00000 n 
 0000012129 00000 n 
-0000328551 00000 n 
-0000783686 00000 n 
+0000331630 00000 n 
+0000792796 00000 n 
 0000012184 00000 n 
 0000012246 00000 n 
-0000328680 00000 n 
-0000783607 00000 n 
+0000331758 00000 n 
+0000792717 00000 n 
 0000012306 00000 n 
 0000012345 00000 n 
-0000337762 00000 n 
-0000783514 00000 n 
+0000336085 00000 n 
+0000792624 00000 n 
 0000012405 00000 n 
 0000012439 00000 n 
-0000337891 00000 n 
-0000783421 00000 n 
+0000342002 00000 n 
+0000792531 00000 n 
 0000012499 00000 n 
 0000012540 00000 n 
-0000354043 00000 n 
-0000783342 00000 n 
+0000357856 00000 n 
+0000792452 00000 n 
 0000012600 00000 n 
 0000012652 00000 n 
-0000361402 00000 n 
-0000783210 00000 n 
+0000365167 00000 n 
+0000792320 00000 n 
 0000012701 00000 n 
 0000012734 00000 n 
-0000361531 00000 n 
-0000783092 00000 n 
+0000365296 00000 n 
+0000792202 00000 n 
 0000012788 00000 n 
 0000012860 00000 n 
-0000361658 00000 n 
-0000783013 00000 n 
+0000365424 00000 n 
+0000792123 00000 n 
 0000012919 00000 n 
 0000012963 00000 n 
-0000369009 00000 n 
-0000782934 00000 n 
+0000372841 00000 n 
+0000792044 00000 n 
 0000013022 00000 n 
 0000013075 00000 n 
-0000372657 00000 n 
-0000782841 00000 n 
+0000376614 00000 n 
+0000791951 00000 n 
 0000013129 00000 n 
 0000013179 00000 n 
-0000372916 00000 n 
-0000782748 00000 n 
+0000376872 00000 n 
+0000791858 00000 n 
 0000013233 00000 n 
 0000013271 00000 n 
-0000376350 00000 n 
-0000782655 00000 n 
+0000380322 00000 n 
+0000791765 00000 n 
 0000013325 00000 n 
 0000013374 00000 n 
-0000376609 00000 n 
-0000782523 00000 n 
+0000380580 00000 n 
+0000791633 00000 n 
 0000013428 00000 n 
 0000013480 00000 n 
-0000376737 00000 n 
-0000782444 00000 n 
+0000380708 00000 n 
+0000791554 00000 n 
 0000013539 00000 n 
 0000013584 00000 n 
-0000376866 00000 n 
-0000782351 00000 n 
+0000380837 00000 n 
+0000791461 00000 n 
 0000013643 00000 n 
 0000013695 00000 n 
-0000379812 00000 n 
-0000782258 00000 n 
+0000383460 00000 n 
+0000791368 00000 n 
 0000013754 00000 n 
 0000013807 00000 n 
-0000379941 00000 n 
-0000782179 00000 n 
+0000383589 00000 n 
+0000791289 00000 n 
 0000013866 00000 n 
 0000013915 00000 n 
-0000380070 00000 n 
-0000782086 00000 n 
+0000383718 00000 n 
+0000791196 00000 n 
 0000013969 00000 n 
 0000014049 00000 n 
-0000387198 00000 n 
-0000782007 00000 n 
+0000390819 00000 n 
+0000791117 00000 n 
 0000014103 00000 n 
 0000014152 00000 n 
-0000387327 00000 n 
-0000781889 00000 n 
+0000390948 00000 n 
+0000790999 00000 n 
 0000014201 00000 n 
 0000014241 00000 n 
-0000390767 00000 n 
-0000781810 00000 n 
+0000394388 00000 n 
+0000790920 00000 n 
 0000014300 00000 n 
 0000014347 00000 n 
-0000390896 00000 n 
-0000781692 00000 n 
+0000394517 00000 n 
+0000790802 00000 n 
 0000014401 00000 n 
 0000014446 00000 n 
-0000391025 00000 n 
-0000781613 00000 n 
+0000394646 00000 n 
+0000790723 00000 n 
 0000014505 00000 n 
 0000014564 00000 n 
-0000394781 00000 n 
-0000781520 00000 n 
+0000398402 00000 n 
+0000790630 00000 n 
 0000014623 00000 n 
 0000014687 00000 n 
-0000398501 00000 n 
-0000781427 00000 n 
+0000402119 00000 n 
+0000790537 00000 n 
 0000014746 00000 n 
 0000014802 00000 n 
-0000401515 00000 n 
-0000781334 00000 n 
+0000405136 00000 n 
+0000790444 00000 n 
 0000014861 00000 n 
 0000014919 00000 n 
-0000401773 00000 n 
-0000781255 00000 n 
+0000405394 00000 n 
+0000790365 00000 n 
 0000014978 00000 n 
 0000015040 00000 n 
-0000403552 00000 n 
-0000781122 00000 n 
+0000407556 00000 n 
+0000790232 00000 n 
 0000015087 00000 n 
 0000015139 00000 n 
-0000403681 00000 n 
-0000781043 00000 n 
+0000407685 00000 n 
+0000790153 00000 n 
 0000015188 00000 n 
 0000015232 00000 n 
-0000407716 00000 n 
-0000780911 00000 n 
+0000411719 00000 n 
+0000790021 00000 n 
 0000015281 00000 n 
 0000015322 00000 n 
-0000407845 00000 n 
-0000780832 00000 n 
+0000411848 00000 n 
+0000789942 00000 n 
 0000015376 00000 n 
 0000015424 00000 n 
-0000407973 00000 n 
-0000780753 00000 n 
+0000411976 00000 n 
+0000789863 00000 n 
 0000015478 00000 n 
 0000015529 00000 n 
-0000408102 00000 n 
-0000780674 00000 n 
+0000412105 00000 n 
+0000789784 00000 n 
 0000015578 00000 n 
 0000015625 00000 n 
-0000412696 00000 n 
-0000780541 00000 n 
+0000416699 00000 n 
+0000789651 00000 n 
 0000015672 00000 n 
 0000015709 00000 n 
-0000412825 00000 n 
-0000780423 00000 n 
+0000416828 00000 n 
+0000789533 00000 n 
 0000015758 00000 n 
 0000015797 00000 n 
-0000412954 00000 n 
-0000780358 00000 n 
+0000416957 00000 n 
+0000789468 00000 n 
 0000015851 00000 n 
 0000015929 00000 n 
-0000413083 00000 n 
-0000780265 00000 n 
+0000417086 00000 n 
+0000789375 00000 n 
 0000015978 00000 n 
 0000016045 00000 n 
-0000413212 00000 n 
-0000780186 00000 n 
+0000417215 00000 n 
+0000789296 00000 n 
 0000016094 00000 n 
 0000016139 00000 n 
-0000416652 00000 n 
-0000780053 00000 n 
+0000420655 00000 n 
+0000789163 00000 n 
 0000016187 00000 n 
 0000016219 00000 n 
-0000416781 00000 n 
-0000779935 00000 n 
+0000420784 00000 n 
+0000789045 00000 n 
 0000016268 00000 n 
 0000016307 00000 n 
-0000416910 00000 n 
-0000779870 00000 n 
+0000420913 00000 n 
+0000788980 00000 n 
 0000016361 00000 n 
 0000016422 00000 n 
-0000420591 00000 n 
-0000779738 00000 n 
+0000424594 00000 n 
+0000788848 00000 n 
 0000016471 00000 n 
 0000016528 00000 n 
-0000420720 00000 n 
-0000779673 00000 n 
+0000424723 00000 n 
+0000788783 00000 n 
 0000016582 00000 n 
 0000016631 00000 n 
-0000420849 00000 n 
-0000779555 00000 n 
+0000424852 00000 n 
+0000788665 00000 n 
 0000016680 00000 n 
 0000016742 00000 n 
-0000420978 00000 n 
-0000779476 00000 n 
+0000424981 00000 n 
+0000788586 00000 n 
 0000016796 00000 n 
 0000016851 00000 n 
-0000445001 00000 n 
-0000779383 00000 n 
+0000449004 00000 n 
+0000788493 00000 n 
 0000016905 00000 n 
 0000016946 00000 n 
-0000445130 00000 n 
-0000779304 00000 n 
+0000449133 00000 n 
+0000788414 00000 n 
 0000017000 00000 n 
 0000017052 00000 n 
-0000447861 00000 n 
-0000779184 00000 n 
+0000451864 00000 n 
+0000788294 00000 n 
 0000017100 00000 n 
 0000017134 00000 n 
-0000447990 00000 n 
-0000779105 00000 n 
+0000451993 00000 n 
+0000788215 00000 n 
 0000017183 00000 n 
 0000017210 00000 n 
-0000465812 00000 n 
-0000779012 00000 n 
+0000469815 00000 n 
+0000788122 00000 n 
 0000017259 00000 n 
 0000017287 00000 n 
-0000473346 00000 n 
-0000778919 00000 n 
+0000477349 00000 n 
+0000788029 00000 n 
 0000017336 00000 n 
 0000017376 00000 n 
-0000479375 00000 n 
-0000778826 00000 n 
+0000483671 00000 n 
+0000787936 00000 n 
 0000017425 00000 n 
 0000017468 00000 n 
-0000482435 00000 n 
-0000778733 00000 n 
+0000490034 00000 n 
+0000787843 00000 n 
 0000017517 00000 n 
 0000017554 00000 n 
-0000492648 00000 n 
-0000778640 00000 n 
+0000500299 00000 n 
+0000787750 00000 n 
 0000017603 00000 n 
 0000017640 00000 n 
-0000495024 00000 n 
-0000778547 00000 n 
+0000502871 00000 n 
+0000787657 00000 n 
 0000017689 00000 n 
 0000017727 00000 n 
-0000501508 00000 n 
-0000778454 00000 n 
+0000509460 00000 n 
+0000787564 00000 n 
 0000017776 00000 n 
 0000017815 00000 n 
-0000514234 00000 n 
-0000778361 00000 n 
+0000522882 00000 n 
+0000787471 00000 n 
 0000017864 00000 n 
 0000017903 00000 n 
-0000517201 00000 n 
-0000778268 00000 n 
+0000525842 00000 n 
+0000787378 00000 n 
 0000017953 00000 n 
 0000017993 00000 n 
-0000523477 00000 n 
-0000778175 00000 n 
+0000532019 00000 n 
+0000787285 00000 n 
 0000018043 00000 n 
 0000018073 00000 n 
-0000533159 00000 n 
-0000778082 00000 n 
+0000541344 00000 n 
+0000787192 00000 n 
 0000018123 00000 n 
 0000018156 00000 n 
-0000547778 00000 n 
-0000777989 00000 n 
+0000555519 00000 n 
+0000787099 00000 n 
 0000018206 00000 n 
 0000018235 00000 n 
-0000550974 00000 n 
-0000777896 00000 n 
+0000562929 00000 n 
+0000787006 00000 n 
 0000018285 00000 n 
 0000018319 00000 n 
-0000556971 00000 n 
-0000777803 00000 n 
+0000568586 00000 n 
+0000786913 00000 n 
 0000018369 00000 n 
 0000018406 00000 n 
-0000563615 00000 n 
-0000777724 00000 n 
+0000571665 00000 n 
+0000786834 00000 n 
 0000018456 00000 n 
 0000018493 00000 n 
 0000018862 00000 n 
@@ -13685,10 +13757,10 @@ xref
 0000018546 00000 n 
 0000026687 00000 n 
 0000026750 00000 n 
-0000772851 00000 n 
-0000746908 00000 n 
-0000772677 00000 n 
-0000773876 00000 n 
+0000781934 00000 n 
+0000755991 00000 n 
+0000781760 00000 n 
+0000782959 00000 n 
 0000021847 00000 n 
 0000022064 00000 n 
 0000022133 00000 n 
@@ -13709,12 +13781,12 @@ xref
 0000027992 00000 n 
 0000026913 00000 n 
 0000028114 00000 n 
-0000745687 00000 n 
-0000719166 00000 n 
-0000745513 00000 n 
-0000718481 00000 n 
-0000716337 00000 n 
-0000718317 00000 n 
+0000754770 00000 n 
+0000728249 00000 n 
+0000754596 00000 n 
+0000727564 00000 n 
+0000725420 00000 n 
+0000727400 00000 n 
 0000039881 00000 n 
 0000031232 00000 n 
 0000028262 00000 n 
@@ -13770,1462 +13842,1482 @@ xref
 0000039290 00000 n 
 0000039445 00000 n 
 0000039600 00000 n 
-0000053273 00000 n 
-0000043218 00000 n 
+0000053271 00000 n 
+0000043217 00000 n 
 0000039966 00000 n 
-0000053210 00000 n 
-0000715786 00000 n 
-0000698705 00000 n 
-0000715602 00000 n 
-0000043808 00000 n 
-0000043971 00000 n 
-0000044134 00000 n 
-0000044297 00000 n 
-0000044455 00000 n 
-0000044618 00000 n 
-0000044781 00000 n 
-0000044936 00000 n 
-0000045094 00000 n 
-0000045252 00000 n 
-0000045408 00000 n 
-0000045566 00000 n 
-0000045729 00000 n 
-0000045897 00000 n 
-0000046065 00000 n 
-0000046228 00000 n 
-0000046396 00000 n 
-0000046564 00000 n 
-0000046721 00000 n 
-0000046884 00000 n 
-0000047047 00000 n 
-0000047209 00000 n 
-0000047371 00000 n 
-0000047534 00000 n 
-0000047696 00000 n 
-0000047858 00000 n 
-0000048021 00000 n 
-0000048184 00000 n 
-0000048347 00000 n 
-0000048515 00000 n 
-0000048684 00000 n 
-0000048853 00000 n 
-0000049016 00000 n 
-0000049180 00000 n 
-0000049344 00000 n 
-0000049507 00000 n 
-0000049671 00000 n 
-0000049835 00000 n 
-0000050004 00000 n 
-0000050173 00000 n 
-0000050342 00000 n 
-0000050511 00000 n 
-0000050680 00000 n 
-0000050849 00000 n 
-0000051018 00000 n 
-0000051187 00000 n 
-0000051356 00000 n 
-0000051526 00000 n 
-0000051696 00000 n 
-0000051865 00000 n 
-0000052035 00000 n 
-0000052205 00000 n 
-0000052373 00000 n 
-0000052542 00000 n 
-0000052712 00000 n 
-0000052880 00000 n 
-0000053048 00000 n 
-0000066642 00000 n 
-0000056931 00000 n 
-0000053371 00000 n 
-0000066579 00000 n 
-0000057513 00000 n 
-0000057676 00000 n 
-0000057839 00000 n 
-0000058002 00000 n 
-0000058165 00000 n 
-0000058327 00000 n 
-0000058489 00000 n 
-0000058651 00000 n 
-0000058813 00000 n 
-0000058975 00000 n 
-0000059137 00000 n 
-0000059299 00000 n 
-0000059466 00000 n 
-0000059633 00000 n 
-0000059800 00000 n 
-0000059967 00000 n 
-0000060124 00000 n 
-0000060286 00000 n 
-0000060453 00000 n 
-0000060620 00000 n 
-0000060782 00000 n 
-0000060944 00000 n 
-0000061106 00000 n 
-0000061268 00000 n 
-0000061435 00000 n 
-0000061602 00000 n 
-0000061769 00000 n 
-0000061936 00000 n 
-0000062098 00000 n 
-0000062260 00000 n 
-0000062417 00000 n 
-0000062584 00000 n 
-0000062746 00000 n 
-0000062913 00000 n 
-0000063080 00000 n 
-0000063246 00000 n 
-0000697816 00000 n 
-0000676485 00000 n 
-0000697642 00000 n 
-0000063412 00000 n 
-0000063578 00000 n 
-0000063733 00000 n 
-0000063889 00000 n 
-0000064046 00000 n 
-0000064208 00000 n 
-0000064370 00000 n 
-0000064527 00000 n 
-0000064682 00000 n 
-0000064839 00000 n 
-0000065001 00000 n 
-0000065158 00000 n 
-0000065315 00000 n 
-0000065470 00000 n 
-0000065626 00000 n 
-0000065787 00000 n 
-0000065943 00000 n 
-0000066104 00000 n 
-0000066259 00000 n 
-0000066419 00000 n 
-0000071172 00000 n 
-0000067996 00000 n 
-0000066753 00000 n 
-0000071109 00000 n 
-0000068274 00000 n 
-0000068436 00000 n 
-0000068592 00000 n 
-0000068749 00000 n 
-0000068906 00000 n 
-0000069063 00000 n 
-0000069220 00000 n 
-0000069377 00000 n 
-0000069534 00000 n 
-0000069691 00000 n 
-0000069848 00000 n 
-0000070005 00000 n 
-0000070163 00000 n 
-0000070320 00000 n 
-0000070478 00000 n 
-0000675519 00000 n 
-0000655552 00000 n 
-0000675346 00000 n 
-0000070636 00000 n 
-0000070794 00000 n 
-0000070951 00000 n 
-0000074348 00000 n 
-0000073538 00000 n 
-0000071283 00000 n 
-0000073660 00000 n 
-0000073784 00000 n 
-0000073909 00000 n 
-0000074034 00000 n 
-0000074159 00000 n 
-0000074222 00000 n 
-0000074285 00000 n 
-0000654758 00000 n 
-0000636441 00000 n 
-0000654585 00000 n 
-0000773994 00000 n 
-0000078919 00000 n 
-0000077739 00000 n 
-0000074472 00000 n 
-0000078233 00000 n 
-0000078296 00000 n 
-0000078359 00000 n 
-0000078483 00000 n 
-0000078608 00000 n 
-0000078733 00000 n 
-0000077889 00000 n 
-0000078082 00000 n 
-0000078856 00000 n 
-0000361595 00000 n 
-0000421042 00000 n 
-0000083596 00000 n 
-0000082539 00000 n 
-0000079043 00000 n 
-0000083019 00000 n 
-0000083147 00000 n 
-0000082694 00000 n 
-0000082857 00000 n 
-0000083275 00000 n 
-0000083403 00000 n 
-0000083531 00000 n 
-0000099382 00000 n 
-0000086834 00000 n 
-0000086260 00000 n 
-0000083721 00000 n 
-0000086385 00000 n 
-0000086513 00000 n 
-0000086641 00000 n 
-0000086769 00000 n 
-0000090287 00000 n 
-0000089122 00000 n 
-0000086946 00000 n 
-0000089583 00000 n 
-0000089711 00000 n 
-0000089839 00000 n 
-0000089967 00000 n 
-0000090095 00000 n 
-0000089277 00000 n 
-0000089430 00000 n 
-0000090222 00000 n 
-0000299677 00000 n 
-0000091364 00000 n 
-0000091046 00000 n 
-0000090373 00000 n 
-0000091171 00000 n 
-0000091299 00000 n 
-0000093407 00000 n 
-0000092704 00000 n 
-0000091463 00000 n 
-0000092830 00000 n 
-0000092958 00000 n 
-0000093085 00000 n 
-0000093213 00000 n 
-0000093342 00000 n 
-0000774116 00000 n 
-0000095983 00000 n 
-0000095353 00000 n 
-0000093506 00000 n 
-0000095659 00000 n 
-0000095788 00000 n 
-0000095853 00000 n 
-0000095918 00000 n 
-0000095500 00000 n 
-0000283438 00000 n 
-0000099576 00000 n 
-0000098871 00000 n 
-0000096095 00000 n 
-0000098997 00000 n 
-0000099126 00000 n 
-0000099253 00000 n 
-0000635758 00000 n 
-0000623696 00000 n 
-0000635579 00000 n 
-0000099511 00000 n 
-0000103159 00000 n 
-0000102968 00000 n 
-0000099702 00000 n 
-0000103094 00000 n 
-0000623123 00000 n 
-0000612140 00000 n 
-0000622944 00000 n 
-0000107622 00000 n 
-0000107223 00000 n 
-0000103325 00000 n 
-0000107557 00000 n 
-0000107370 00000 n 
-0000177945 00000 n 
-0000110526 00000 n 
-0000110078 00000 n 
-0000107761 00000 n 
-0000110204 00000 n 
-0000110332 00000 n 
-0000110397 00000 n 
-0000110462 00000 n 
-0000113374 00000 n 
-0000116092 00000 n 
-0000113209 00000 n 
-0000110651 00000 n 
-0000115512 00000 n 
-0000115641 00000 n 
-0000115770 00000 n 
-0000115017 00000 n 
-0000115179 00000 n 
-0000611242 00000 n 
-0000601446 00000 n 
-0000611068 00000 n 
-0000600882 00000 n 
-0000591795 00000 n 
-0000600707 00000 n 
-0000115899 00000 n 
-0000115341 00000 n 
-0000116028 00000 n 
-0000774241 00000 n 
-0000114846 00000 n 
-0000114904 00000 n 
-0000114994 00000 n 
-0000224562 00000 n 
-0000260342 00000 n 
-0000354107 00000 n 
-0000120724 00000 n 
-0000119790 00000 n 
-0000116261 00000 n 
-0000120274 00000 n 
-0000120403 00000 n 
-0000119946 00000 n 
-0000120112 00000 n 
-0000120532 00000 n 
-0000120660 00000 n 
-0000425070 00000 n 
-0000124383 00000 n 
-0000124003 00000 n 
-0000120876 00000 n 
-0000124318 00000 n 
-0000124150 00000 n 
-0000125556 00000 n 
-0000125365 00000 n 
-0000124508 00000 n 
-0000125491 00000 n 
-0000127543 00000 n 
-0000127223 00000 n 
-0000125655 00000 n 
-0000127349 00000 n 
-0000127478 00000 n 
-0000131038 00000 n 
-0000130074 00000 n 
-0000127655 00000 n 
-0000130200 00000 n 
-0000130329 00000 n 
-0000130458 00000 n 
-0000130587 00000 n 
-0000130716 00000 n 
-0000130845 00000 n 
-0000130974 00000 n 
-0000135029 00000 n 
-0000134260 00000 n 
-0000131176 00000 n 
-0000134578 00000 n 
-0000134707 00000 n 
-0000134407 00000 n 
-0000134836 00000 n 
-0000134965 00000 n 
-0000774366 00000 n 
-0000138892 00000 n 
-0000138314 00000 n 
-0000135167 00000 n 
-0000138440 00000 n 
-0000138569 00000 n 
-0000138698 00000 n 
-0000138827 00000 n 
-0000142751 00000 n 
-0000142302 00000 n 
-0000139030 00000 n 
-0000142428 00000 n 
-0000142557 00000 n 
-0000142686 00000 n 
-0000145145 00000 n 
-0000144954 00000 n 
-0000142876 00000 n 
-0000145080 00000 n 
-0000148964 00000 n 
-0000148204 00000 n 
-0000145287 00000 n 
-0000148512 00000 n 
-0000591520 00000 n 
-0000588162 00000 n 
-0000591341 00000 n 
-0000148641 00000 n 
-0000148351 00000 n 
-0000148770 00000 n 
-0000148899 00000 n 
-0000420784 00000 n 
-0000149735 00000 n 
-0000149544 00000 n 
-0000149146 00000 n 
-0000149670 00000 n 
-0000152406 00000 n 
-0000151828 00000 n 
-0000149834 00000 n 
-0000151954 00000 n 
-0000152083 00000 n 
-0000152212 00000 n 
-0000152341 00000 n 
-0000774491 00000 n 
-0000152846 00000 n 
-0000152655 00000 n 
-0000152505 00000 n 
-0000152781 00000 n 
-0000156933 00000 n 
-0000156167 00000 n 
-0000152888 00000 n 
-0000156481 00000 n 
-0000156610 00000 n 
-0000156738 00000 n 
-0000156803 00000 n 
-0000156868 00000 n 
-0000156314 00000 n 
-0000161429 00000 n 
-0000161621 00000 n 
-0000161174 00000 n 
-0000157032 00000 n 
-0000161300 00000 n 
-0000161556 00000 n 
-0000165470 00000 n 
-0000164892 00000 n 
-0000161746 00000 n 
-0000165018 00000 n 
-0000165147 00000 n 
-0000165276 00000 n 
-0000165405 00000 n 
-0000168126 00000 n 
-0000169504 00000 n 
-0000168000 00000 n 
-0000165608 00000 n 
-0000169052 00000 n 
-0000169181 00000 n 
-0000169310 00000 n 
-0000169375 00000 n 
-0000169439 00000 n 
-0000172827 00000 n 
-0000172123 00000 n 
-0000169659 00000 n 
-0000172249 00000 n 
-0000172378 00000 n 
-0000172506 00000 n 
-0000172571 00000 n 
-0000172636 00000 n 
-0000172762 00000 n 
-0000774616 00000 n 
-0000178138 00000 n 
-0000177350 00000 n 
-0000172939 00000 n 
-0000177816 00000 n 
-0000177506 00000 n 
-0000177657 00000 n 
-0000178074 00000 n 
-0000566788 00000 n 
-0000182000 00000 n 
-0000180729 00000 n 
-0000178276 00000 n 
-0000181419 00000 n 
-0000181548 00000 n 
-0000181677 00000 n 
-0000181806 00000 n 
-0000180894 00000 n 
-0000181046 00000 n 
-0000181232 00000 n 
-0000181935 00000 n 
-0000186145 00000 n 
-0000185696 00000 n 
-0000182126 00000 n 
-0000185822 00000 n 
-0000185951 00000 n 
-0000186080 00000 n 
-0000190048 00000 n 
-0000189669 00000 n 
-0000186270 00000 n 
-0000189983 00000 n 
-0000189816 00000 n 
-0000192896 00000 n 
-0000193091 00000 n 
-0000192641 00000 n 
-0000190160 00000 n 
-0000192767 00000 n 
-0000192961 00000 n 
-0000193026 00000 n 
-0000196646 00000 n 
-0000196455 00000 n 
-0000193203 00000 n 
-0000196581 00000 n 
-0000774741 00000 n 
-0000200223 00000 n 
-0000199773 00000 n 
-0000196758 00000 n 
-0000199899 00000 n 
-0000200028 00000 n 
-0000200093 00000 n 
-0000200158 00000 n 
-0000203923 00000 n 
-0000203138 00000 n 
-0000200335 00000 n 
-0000203600 00000 n 
-0000203729 00000 n 
-0000203858 00000 n 
-0000203294 00000 n 
-0000203447 00000 n 
-0000205911 00000 n 
-0000205334 00000 n 
-0000204035 00000 n 
-0000205460 00000 n 
-0000205589 00000 n 
-0000205718 00000 n 
-0000205846 00000 n 
-0000207420 00000 n 
-0000207229 00000 n 
-0000206023 00000 n 
-0000207355 00000 n 
-0000208962 00000 n 
-0000208771 00000 n 
-0000207519 00000 n 
-0000208897 00000 n 
-0000211973 00000 n 
-0000211653 00000 n 
-0000209061 00000 n 
-0000211779 00000 n 
-0000211908 00000 n 
-0000774866 00000 n 
-0000216233 00000 n 
-0000216042 00000 n 
-0000212099 00000 n 
-0000216168 00000 n 
-0000220700 00000 n 
-0000220152 00000 n 
-0000216371 00000 n 
-0000220635 00000 n 
-0000220308 00000 n 
-0000220465 00000 n 
-0000390831 00000 n 
-0000224627 00000 n 
-0000224307 00000 n 
-0000220825 00000 n 
-0000224433 00000 n 
-0000228724 00000 n 
-0000228230 00000 n 
-0000224752 00000 n 
-0000228529 00000 n 
-0000228594 00000 n 
-0000228659 00000 n 
-0000228377 00000 n 
-0000233748 00000 n 
-0000232617 00000 n 
-0000228849 00000 n 
-0000233683 00000 n 
-0000232800 00000 n 
-0000232956 00000 n 
-0000233140 00000 n 
-0000233313 00000 n 
-0000233498 00000 n 
-0000307142 00000 n 
-0000238070 00000 n 
-0000237879 00000 n 
-0000233929 00000 n 
-0000238005 00000 n 
-0000774991 00000 n 
-0000241965 00000 n 
-0000241774 00000 n 
-0000238195 00000 n 
-0000241900 00000 n 
-0000246234 00000 n 
-0000245293 00000 n 
-0000242077 00000 n 
-0000245783 00000 n 
-0000245911 00000 n 
-0000245449 00000 n 
-0000246040 00000 n 
-0000246169 00000 n 
-0000245618 00000 n 
-0000325500 00000 n 
-0000250250 00000 n 
-0000249687 00000 n 
-0000246403 00000 n 
-0000250185 00000 n 
-0000249843 00000 n 
-0000250014 00000 n 
-0000408166 00000 n 
-0000253605 00000 n 
-0000253156 00000 n 
-0000250419 00000 n 
-0000253282 00000 n 
-0000253411 00000 n 
-0000253540 00000 n 
-0000256998 00000 n 
-0000256807 00000 n 
-0000253730 00000 n 
-0000256933 00000 n 
-0000260407 00000 n 
-0000260088 00000 n 
-0000257167 00000 n 
-0000260214 00000 n 
-0000775116 00000 n 
-0000264208 00000 n 
-0000264017 00000 n 
-0000260563 00000 n 
-0000264143 00000 n 
-0000268580 00000 n 
-0000267766 00000 n 
-0000264377 00000 n 
-0000268257 00000 n 
-0000268386 00000 n 
-0000267922 00000 n 
-0000268515 00000 n 
-0000268082 00000 n 
-0000272752 00000 n 
-0000272256 00000 n 
-0000268735 00000 n 
-0000272558 00000 n 
-0000272687 00000 n 
-0000272403 00000 n 
-0000276242 00000 n 
-0000275794 00000 n 
-0000272877 00000 n 
-0000275920 00000 n 
-0000276049 00000 n 
-0000276178 00000 n 
-0000280086 00000 n 
-0000279420 00000 n 
-0000276397 00000 n 
-0000279893 00000 n 
-0000280021 00000 n 
-0000279576 00000 n 
-0000279738 00000 n 
-0000283633 00000 n 
-0000282993 00000 n 
-0000280255 00000 n 
-0000283309 00000 n 
-0000283140 00000 n 
-0000283503 00000 n 
-0000283568 00000 n 
-0000775241 00000 n 
-0000287673 00000 n 
-0000287170 00000 n 
+0000053208 00000 n 
+0000724869 00000 n 
+0000707788 00000 n 
+0000724685 00000 n 
+0000043807 00000 n 
+0000043970 00000 n 
+0000044133 00000 n 
+0000044296 00000 n 
+0000044454 00000 n 
+0000044617 00000 n 
+0000044780 00000 n 
+0000044935 00000 n 
+0000045093 00000 n 
+0000045251 00000 n 
+0000045407 00000 n 
+0000045565 00000 n 
+0000045728 00000 n 
+0000045896 00000 n 
+0000046064 00000 n 
+0000046227 00000 n 
+0000046395 00000 n 
+0000046563 00000 n 
+0000046720 00000 n 
+0000046883 00000 n 
+0000047046 00000 n 
+0000047208 00000 n 
+0000047370 00000 n 
+0000047533 00000 n 
+0000047695 00000 n 
+0000047857 00000 n 
+0000048020 00000 n 
+0000048183 00000 n 
+0000048346 00000 n 
+0000048514 00000 n 
+0000048683 00000 n 
+0000048852 00000 n 
+0000049015 00000 n 
+0000049179 00000 n 
+0000049343 00000 n 
+0000049506 00000 n 
+0000049670 00000 n 
+0000049834 00000 n 
+0000050003 00000 n 
+0000050172 00000 n 
+0000050341 00000 n 
+0000050510 00000 n 
+0000050679 00000 n 
+0000050848 00000 n 
+0000051017 00000 n 
+0000051186 00000 n 
+0000051355 00000 n 
+0000051525 00000 n 
+0000051695 00000 n 
+0000051864 00000 n 
+0000052034 00000 n 
+0000052204 00000 n 
+0000052372 00000 n 
+0000052541 00000 n 
+0000052711 00000 n 
+0000052878 00000 n 
+0000053046 00000 n 
+0000066639 00000 n 
+0000056927 00000 n 
+0000053369 00000 n 
+0000066576 00000 n 
+0000057509 00000 n 
+0000057672 00000 n 
+0000057835 00000 n 
+0000057998 00000 n 
+0000058161 00000 n 
+0000058323 00000 n 
+0000058485 00000 n 
+0000058647 00000 n 
+0000058809 00000 n 
+0000058971 00000 n 
+0000059133 00000 n 
+0000059296 00000 n 
+0000059464 00000 n 
+0000059631 00000 n 
+0000059798 00000 n 
+0000059965 00000 n 
+0000060122 00000 n 
+0000060284 00000 n 
+0000060451 00000 n 
+0000060618 00000 n 
+0000060780 00000 n 
+0000060942 00000 n 
+0000061104 00000 n 
+0000061266 00000 n 
+0000061433 00000 n 
+0000061600 00000 n 
+0000061767 00000 n 
+0000061934 00000 n 
+0000062096 00000 n 
+0000062258 00000 n 
+0000062415 00000 n 
+0000062582 00000 n 
+0000062744 00000 n 
+0000062911 00000 n 
+0000063078 00000 n 
+0000063244 00000 n 
+0000706899 00000 n 
+0000685568 00000 n 
+0000706725 00000 n 
+0000063410 00000 n 
+0000063576 00000 n 
+0000063731 00000 n 
+0000063887 00000 n 
+0000064044 00000 n 
+0000064206 00000 n 
+0000064368 00000 n 
+0000064525 00000 n 
+0000064680 00000 n 
+0000064837 00000 n 
+0000064999 00000 n 
+0000065156 00000 n 
+0000065313 00000 n 
+0000065468 00000 n 
+0000065624 00000 n 
+0000065785 00000 n 
+0000065941 00000 n 
+0000066102 00000 n 
+0000066257 00000 n 
+0000066417 00000 n 
+0000071167 00000 n 
+0000067991 00000 n 
+0000066750 00000 n 
+0000071104 00000 n 
+0000068269 00000 n 
+0000068431 00000 n 
+0000068586 00000 n 
+0000068743 00000 n 
+0000068900 00000 n 
+0000069057 00000 n 
+0000069214 00000 n 
+0000069371 00000 n 
+0000069528 00000 n 
+0000069685 00000 n 
+0000069842 00000 n 
+0000069999 00000 n 
+0000070157 00000 n 
+0000070314 00000 n 
+0000070472 00000 n 
+0000684602 00000 n 
+0000664635 00000 n 
+0000684429 00000 n 
+0000070630 00000 n 
+0000070788 00000 n 
+0000070946 00000 n 
+0000074343 00000 n 
+0000073533 00000 n 
+0000071278 00000 n 
+0000073655 00000 n 
+0000073779 00000 n 
+0000073904 00000 n 
+0000074029 00000 n 
+0000074154 00000 n 
+0000074217 00000 n 
+0000074280 00000 n 
+0000663841 00000 n 
+0000645522 00000 n 
+0000663668 00000 n 
+0000783077 00000 n 
+0000078914 00000 n 
+0000077734 00000 n 
+0000074467 00000 n 
+0000078228 00000 n 
+0000078291 00000 n 
+0000078354 00000 n 
+0000078478 00000 n 
+0000078603 00000 n 
+0000078728 00000 n 
+0000077884 00000 n 
+0000078077 00000 n 
+0000078851 00000 n 
+0000365360 00000 n 
+0000425045 00000 n 
+0000083591 00000 n 
+0000082534 00000 n 
+0000079038 00000 n 
+0000083014 00000 n 
+0000083142 00000 n 
+0000082689 00000 n 
+0000082852 00000 n 
+0000083270 00000 n 
+0000083398 00000 n 
+0000083526 00000 n 
+0000099377 00000 n 
+0000086829 00000 n 
+0000086255 00000 n 
+0000083716 00000 n 
+0000086380 00000 n 
+0000086508 00000 n 
+0000086636 00000 n 
+0000086764 00000 n 
+0000090282 00000 n 
+0000089117 00000 n 
+0000086941 00000 n 
+0000089578 00000 n 
+0000089706 00000 n 
+0000089834 00000 n 
+0000089962 00000 n 
+0000090090 00000 n 
+0000089272 00000 n 
+0000089425 00000 n 
+0000090217 00000 n 
+0000303287 00000 n 
+0000091359 00000 n 
+0000091041 00000 n 
+0000090368 00000 n 
+0000091166 00000 n 
+0000091294 00000 n 
+0000093402 00000 n 
+0000092699 00000 n 
+0000091458 00000 n 
+0000092825 00000 n 
+0000092953 00000 n 
+0000093080 00000 n 
+0000093208 00000 n 
+0000093337 00000 n 
+0000783199 00000 n 
+0000095978 00000 n 
+0000095348 00000 n 
+0000093501 00000 n 
+0000095654 00000 n 
+0000095783 00000 n 
+0000095848 00000 n 
+0000095913 00000 n 
+0000095495 00000 n 
 0000283816 00000 n 
-0000287479 00000 n 
-0000287608 00000 n 
-0000287317 00000 n 
-0000292591 00000 n 
-0000291913 00000 n 
-0000287841 00000 n 
-0000292397 00000 n 
-0000292069 00000 n 
-0000587807 00000 n 
-0000585809 00000 n 
-0000587642 00000 n 
-0000292526 00000 n 
-0000292230 00000 n 
-0000387262 00000 n 
-0000320278 00000 n 
-0000295952 00000 n 
-0000295632 00000 n 
-0000292717 00000 n 
-0000295758 00000 n 
-0000295887 00000 n 
-0000299742 00000 n 
-0000299422 00000 n 
-0000296077 00000 n 
-0000299548 00000 n 
-0000303923 00000 n 
-0000303432 00000 n 
-0000299897 00000 n 
-0000303729 00000 n 
-0000303858 00000 n 
-0000303579 00000 n 
-0000307207 00000 n 
-0000306758 00000 n 
-0000304049 00000 n 
-0000306884 00000 n 
-0000307013 00000 n 
-0000775366 00000 n 
-0000312093 00000 n 
-0000311434 00000 n 
-0000307319 00000 n 
-0000311899 00000 n 
-0000311590 00000 n 
-0000311740 00000 n 
-0000312028 00000 n 
-0000316232 00000 n 
-0000315479 00000 n 
-0000312205 00000 n 
-0000315780 00000 n 
-0000315909 00000 n 
-0000316038 00000 n 
-0000316167 00000 n 
-0000315626 00000 n 
-0000320342 00000 n 
-0000319766 00000 n 
-0000316344 00000 n 
-0000319892 00000 n 
-0000320021 00000 n 
-0000320149 00000 n 
-0000323815 00000 n 
-0000323495 00000 n 
-0000320467 00000 n 
-0000323621 00000 n 
-0000323750 00000 n 
-0000325565 00000 n 
-0000325245 00000 n 
-0000323927 00000 n 
-0000325371 00000 n 
-0000327118 00000 n 
-0000326927 00000 n 
-0000325677 00000 n 
-0000327053 00000 n 
-0000775491 00000 n 
-0000328936 00000 n 
-0000328360 00000 n 
-0000327217 00000 n 
-0000328486 00000 n 
-0000328615 00000 n 
-0000328744 00000 n 
-0000328808 00000 n 
-0000328872 00000 n 
-0000332781 00000 n 
-0000332590 00000 n 
-0000329048 00000 n 
-0000332716 00000 n 
-0000338020 00000 n 
-0000336178 00000 n 
-0000332893 00000 n 
-0000337697 00000 n 
-0000336388 00000 n 
-0000337826 00000 n 
-0000337955 00000 n 
-0000336555 00000 n 
-0000336717 00000 n 
-0000336879 00000 n 
-0000337041 00000 n 
-0000337203 00000 n 
-0000337365 00000 n 
-0000337536 00000 n 
-0000566755 00000 n 
-0000343300 00000 n 
-0000341376 00000 n 
-0000338132 00000 n 
-0000343235 00000 n 
-0000341604 00000 n 
-0000341767 00000 n 
-0000341928 00000 n 
-0000342089 00000 n 
-0000342251 00000 n 
-0000342414 00000 n 
-0000342576 00000 n 
-0000342739 00000 n 
-0000342900 00000 n 
-0000343067 00000 n 
-0000349778 00000 n 
-0000346211 00000 n 
-0000343425 00000 n 
-0000349713 00000 n 
-0000346529 00000 n 
-0000346690 00000 n 
-0000346852 00000 n 
-0000347014 00000 n 
-0000347175 00000 n 
-0000347337 00000 n 
-0000347491 00000 n 
-0000347654 00000 n 
-0000347807 00000 n 
-0000347960 00000 n 
-0000348110 00000 n 
-0000348264 00000 n 
-0000348426 00000 n 
-0000348588 00000 n 
-0000348750 00000 n 
-0000348912 00000 n 
-0000349074 00000 n 
-0000349236 00000 n 
-0000349398 00000 n 
-0000349552 00000 n 
-0000354172 00000 n 
-0000353346 00000 n 
-0000349890 00000 n 
-0000353978 00000 n 
-0000353511 00000 n 
-0000353662 00000 n 
-0000353825 00000 n 
-0000775616 00000 n 
-0000357662 00000 n 
-0000357342 00000 n 
-0000354311 00000 n 
-0000357468 00000 n 
-0000357533 00000 n 
-0000357597 00000 n 
-0000362047 00000 n 
-0000360849 00000 n 
-0000357831 00000 n 
-0000361337 00000 n 
-0000361466 00000 n 
-0000361722 00000 n 
-0000361005 00000 n 
-0000361175 00000 n 
-0000361787 00000 n 
-0000361852 00000 n 
-0000361917 00000 n 
-0000361982 00000 n 
-0000365222 00000 n 
-0000365031 00000 n 
-0000362159 00000 n 
-0000365157 00000 n 
-0000369266 00000 n 
-0000368690 00000 n 
-0000365308 00000 n 
-0000368816 00000 n 
-0000368881 00000 n 
-0000368946 00000 n 
-0000369073 00000 n 
-0000369138 00000 n 
-0000369202 00000 n 
-0000373044 00000 n 
-0000372336 00000 n 
-0000369391 00000 n 
-0000372462 00000 n 
-0000372527 00000 n 
-0000372592 00000 n 
-0000372721 00000 n 
-0000372786 00000 n 
-0000372851 00000 n 
-0000372980 00000 n 
-0000376994 00000 n 
-0000376029 00000 n 
-0000373169 00000 n 
-0000376155 00000 n 
-0000376220 00000 n 
-0000376285 00000 n 
-0000376414 00000 n 
-0000376479 00000 n 
-0000376544 00000 n 
-0000376672 00000 n 
-0000376801 00000 n 
-0000376930 00000 n 
-0000775741 00000 n 
-0000380199 00000 n 
-0000379621 00000 n 
-0000377204 00000 n 
-0000379747 00000 n 
-0000379876 00000 n 
-0000380005 00000 n 
-0000380134 00000 n 
-0000383626 00000 n 
-0000383305 00000 n 
-0000380396 00000 n 
-0000383431 00000 n 
-0000383496 00000 n 
-0000383561 00000 n 
-0000387586 00000 n 
-0000387007 00000 n 
-0000383751 00000 n 
-0000387133 00000 n 
-0000387391 00000 n 
-0000387456 00000 n 
-0000387521 00000 n 
-0000391284 00000 n 
-0000390395 00000 n 
-0000387711 00000 n 
-0000390702 00000 n 
-0000390542 00000 n 
-0000390960 00000 n 
-0000391089 00000 n 
-0000391154 00000 n 
-0000391219 00000 n 
-0000395036 00000 n 
-0000394404 00000 n 
-0000391396 00000 n 
-0000394716 00000 n 
-0000394551 00000 n 
-0000394845 00000 n 
-0000394908 00000 n 
-0000394971 00000 n 
-0000566722 00000 n 
-0000398759 00000 n 
-0000398310 00000 n 
-0000395148 00000 n 
-0000398436 00000 n 
-0000398564 00000 n 
-0000398629 00000 n 
-0000398694 00000 n 
-0000775866 00000 n 
-0000401902 00000 n 
-0000401324 00000 n 
-0000398871 00000 n 
-0000401450 00000 n 
-0000401579 00000 n 
-0000401644 00000 n 
-0000401708 00000 n 
-0000585528 00000 n 
-0000578244 00000 n 
-0000585348 00000 n 
-0000401837 00000 n 
-0000403810 00000 n 
-0000403361 00000 n 
-0000402042 00000 n 
-0000403487 00000 n 
-0000403616 00000 n 
-0000403745 00000 n 
-0000408231 00000 n 
-0000407288 00000 n 
-0000403922 00000 n 
-0000407651 00000 n 
-0000577923 00000 n 
-0000568710 00000 n 
-0000577737 00000 n 
-0000407435 00000 n 
-0000407780 00000 n 
-0000407908 00000 n 
-0000408037 00000 n 
-0000409586 00000 n 
-0000409395 00000 n 
-0000408468 00000 n 
-0000409521 00000 n 
-0000410026 00000 n 
-0000409835 00000 n 
-0000409685 00000 n 
-0000409961 00000 n 
-0000413340 00000 n 
-0000412114 00000 n 
-0000410068 00000 n 
-0000412631 00000 n 
-0000412760 00000 n 
-0000412889 00000 n 
-0000413018 00000 n 
-0000413147 00000 n 
-0000413276 00000 n 
-0000412270 00000 n 
-0000412442 00000 n 
-0000775991 00000 n 
-0000413794 00000 n 
-0000413603 00000 n 
-0000413453 00000 n 
-0000413729 00000 n 
-0000417039 00000 n 
-0000416461 00000 n 
-0000413836 00000 n 
-0000416587 00000 n 
-0000416716 00000 n 
-0000416845 00000 n 
-0000416974 00000 n 
-0000421235 00000 n 
-0000420016 00000 n 
-0000417125 00000 n 
-0000420526 00000 n 
-0000420655 00000 n 
-0000420913 00000 n 
-0000420172 00000 n 
-0000420351 00000 n 
-0000421107 00000 n 
-0000421171 00000 n 
-0000428122 00000 n 
-0000424294 00000 n 
-0000421388 00000 n 
-0000424420 00000 n 
-0000424485 00000 n 
-0000424550 00000 n 
-0000424615 00000 n 
-0000424680 00000 n 
-0000424745 00000 n 
-0000424810 00000 n 
-0000424875 00000 n 
-0000424940 00000 n 
-0000425005 00000 n 
-0000425135 00000 n 
-0000425200 00000 n 
-0000425265 00000 n 
-0000425330 00000 n 
-0000425395 00000 n 
-0000425460 00000 n 
-0000425525 00000 n 
-0000425590 00000 n 
-0000425655 00000 n 
-0000425720 00000 n 
-0000425785 00000 n 
-0000425850 00000 n 
-0000425915 00000 n 
-0000425980 00000 n 
-0000426045 00000 n 
-0000426110 00000 n 
-0000426175 00000 n 
-0000426240 00000 n 
-0000426305 00000 n 
-0000426370 00000 n 
-0000426435 00000 n 
-0000426500 00000 n 
-0000426565 00000 n 
-0000426630 00000 n 
-0000426694 00000 n 
-0000426759 00000 n 
-0000426824 00000 n 
-0000426889 00000 n 
-0000426954 00000 n 
-0000427019 00000 n 
-0000427084 00000 n 
-0000427149 00000 n 
-0000427214 00000 n 
-0000427279 00000 n 
-0000427344 00000 n 
-0000427409 00000 n 
-0000427474 00000 n 
-0000427539 00000 n 
-0000427604 00000 n 
-0000427669 00000 n 
-0000427734 00000 n 
-0000427799 00000 n 
-0000427864 00000 n 
-0000427929 00000 n 
-0000427994 00000 n 
-0000428058 00000 n 
-0000434768 00000 n 
-0000431204 00000 n 
-0000428234 00000 n 
-0000431330 00000 n 
-0000431395 00000 n 
-0000431460 00000 n 
-0000431525 00000 n 
-0000431590 00000 n 
-0000431655 00000 n 
-0000431720 00000 n 
-0000431785 00000 n 
-0000431850 00000 n 
-0000431915 00000 n 
-0000431980 00000 n 
-0000432045 00000 n 
-0000432109 00000 n 
-0000432174 00000 n 
-0000432239 00000 n 
-0000432304 00000 n 
-0000432369 00000 n 
-0000432434 00000 n 
-0000432499 00000 n 
-0000432564 00000 n 
-0000432629 00000 n 
-0000432694 00000 n 
-0000432759 00000 n 
-0000432824 00000 n 
-0000432888 00000 n 
-0000432953 00000 n 
-0000433018 00000 n 
-0000433083 00000 n 
-0000433148 00000 n 
-0000433213 00000 n 
-0000433278 00000 n 
-0000433343 00000 n 
-0000433408 00000 n 
-0000433473 00000 n 
-0000433538 00000 n 
-0000433603 00000 n 
-0000433668 00000 n 
-0000433733 00000 n 
-0000433798 00000 n 
-0000433863 00000 n 
-0000433927 00000 n 
-0000433991 00000 n 
-0000434055 00000 n 
-0000434120 00000 n 
-0000434185 00000 n 
-0000434250 00000 n 
-0000434315 00000 n 
-0000434380 00000 n 
-0000434445 00000 n 
-0000434510 00000 n 
-0000434575 00000 n 
-0000434640 00000 n 
-0000434704 00000 n 
-0000440941 00000 n 
-0000437503 00000 n 
-0000434880 00000 n 
-0000437629 00000 n 
-0000437694 00000 n 
-0000437759 00000 n 
-0000437824 00000 n 
-0000437889 00000 n 
-0000437954 00000 n 
-0000438019 00000 n 
-0000438084 00000 n 
-0000438149 00000 n 
-0000438214 00000 n 
-0000438279 00000 n 
-0000438344 00000 n 
-0000438409 00000 n 
-0000438474 00000 n 
-0000438539 00000 n 
-0000438604 00000 n 
-0000438669 00000 n 
-0000438734 00000 n 
-0000438799 00000 n 
-0000438864 00000 n 
-0000438929 00000 n 
-0000438994 00000 n 
-0000439059 00000 n 
-0000439124 00000 n 
-0000439189 00000 n 
-0000439254 00000 n 
-0000439319 00000 n 
-0000439384 00000 n 
-0000439449 00000 n 
-0000439514 00000 n 
-0000439579 00000 n 
-0000439644 00000 n 
-0000439709 00000 n 
-0000439774 00000 n 
-0000439838 00000 n 
-0000439903 00000 n 
-0000439968 00000 n 
-0000440033 00000 n 
-0000440098 00000 n 
-0000440163 00000 n 
-0000440228 00000 n 
-0000440293 00000 n 
-0000440358 00000 n 
-0000440423 00000 n 
-0000440488 00000 n 
-0000440553 00000 n 
-0000440618 00000 n 
-0000440683 00000 n 
-0000440748 00000 n 
-0000440813 00000 n 
-0000440877 00000 n 
-0000776116 00000 n 
-0000445519 00000 n 
-0000443255 00000 n 
-0000441053 00000 n 
-0000443381 00000 n 
-0000443446 00000 n 
-0000443511 00000 n 
-0000443576 00000 n 
-0000443641 00000 n 
-0000443706 00000 n 
-0000443771 00000 n 
-0000443836 00000 n 
-0000443901 00000 n 
-0000443966 00000 n 
-0000444031 00000 n 
-0000444096 00000 n 
-0000444161 00000 n 
-0000444226 00000 n 
-0000444288 00000 n 
-0000444352 00000 n 
-0000444417 00000 n 
-0000444481 00000 n 
-0000444546 00000 n 
-0000444611 00000 n 
-0000444676 00000 n 
-0000444741 00000 n 
-0000444806 00000 n 
-0000444871 00000 n 
-0000444936 00000 n 
-0000445065 00000 n 
-0000445194 00000 n 
-0000445259 00000 n 
-0000445324 00000 n 
-0000445389 00000 n 
-0000445454 00000 n 
-0000448314 00000 n 
-0000447670 00000 n 
-0000445644 00000 n 
-0000447796 00000 n 
-0000447925 00000 n 
-0000448054 00000 n 
-0000448119 00000 n 
-0000448184 00000 n 
-0000448249 00000 n 
-0000452652 00000 n 
-0000452332 00000 n 
-0000448427 00000 n 
-0000452458 00000 n 
-0000452523 00000 n 
-0000452588 00000 n 
-0000456252 00000 n 
-0000455997 00000 n 
-0000452805 00000 n 
-0000456123 00000 n 
-0000456188 00000 n 
-0000459500 00000 n 
-0000459309 00000 n 
-0000456391 00000 n 
-0000459435 00000 n 
-0000463228 00000 n 
-0000462972 00000 n 
-0000459626 00000 n 
-0000463098 00000 n 
-0000463163 00000 n 
-0000776241 00000 n 
-0000466069 00000 n 
-0000465361 00000 n 
-0000463367 00000 n 
-0000465487 00000 n 
-0000465552 00000 n 
-0000465617 00000 n 
-0000465682 00000 n 
-0000465747 00000 n 
-0000465876 00000 n 
-0000465941 00000 n 
-0000466005 00000 n 
-0000470737 00000 n 
-0000470481 00000 n 
-0000466208 00000 n 
-0000470607 00000 n 
-0000470672 00000 n 
-0000473733 00000 n 
-0000472960 00000 n 
-0000470863 00000 n 
-0000473086 00000 n 
-0000473151 00000 n 
-0000473216 00000 n 
-0000473281 00000 n 
-0000473410 00000 n 
-0000473475 00000 n 
-0000473538 00000 n 
-0000473603 00000 n 
-0000473668 00000 n 
-0000476643 00000 n 
-0000476128 00000 n 
-0000473886 00000 n 
-0000476254 00000 n 
-0000476319 00000 n 
-0000476384 00000 n 
-0000476449 00000 n 
-0000476514 00000 n 
-0000476579 00000 n 
-0000479764 00000 n 
-0000479184 00000 n 
-0000476795 00000 n 
-0000479310 00000 n 
-0000479439 00000 n 
-0000479504 00000 n 
-0000479569 00000 n 
-0000479634 00000 n 
-0000479699 00000 n 
-0000482694 00000 n 
-0000482049 00000 n 
-0000479904 00000 n 
-0000482175 00000 n 
-0000482240 00000 n 
-0000482305 00000 n 
-0000482370 00000 n 
-0000482499 00000 n 
-0000482564 00000 n 
-0000482629 00000 n 
-0000776366 00000 n 
-0000486310 00000 n 
-0000485990 00000 n 
-0000482860 00000 n 
-0000486116 00000 n 
-0000486181 00000 n 
-0000486245 00000 n 
-0000489745 00000 n 
-0000489489 00000 n 
-0000486436 00000 n 
-0000489615 00000 n 
-0000489680 00000 n 
-0000492841 00000 n 
-0000492198 00000 n 
-0000489871 00000 n 
-0000492324 00000 n 
-0000492389 00000 n 
-0000492454 00000 n 
-0000492519 00000 n 
-0000492583 00000 n 
-0000492712 00000 n 
-0000492777 00000 n 
-0000495281 00000 n 
-0000494509 00000 n 
-0000493006 00000 n 
-0000494635 00000 n 
-0000494700 00000 n 
-0000494765 00000 n 
-0000494829 00000 n 
-0000494894 00000 n 
-0000494959 00000 n 
-0000495088 00000 n 
-0000495153 00000 n 
-0000495217 00000 n 
-0000498683 00000 n 
-0000498297 00000 n 
-0000495434 00000 n 
-0000498423 00000 n 
-0000498488 00000 n 
-0000498553 00000 n 
-0000498618 00000 n 
-0000501897 00000 n 
-0000501122 00000 n 
-0000498809 00000 n 
-0000501248 00000 n 
-0000501313 00000 n 
-0000501378 00000 n 
-0000501443 00000 n 
-0000501572 00000 n 
-0000501637 00000 n 
-0000501702 00000 n 
-0000501767 00000 n 
-0000501832 00000 n 
-0000776491 00000 n 
-0000505743 00000 n 
-0000505552 00000 n 
-0000502050 00000 n 
-0000505678 00000 n 
-0000509073 00000 n 
-0000508882 00000 n 
-0000505869 00000 n 
-0000509008 00000 n 
-0000512118 00000 n 
-0000511862 00000 n 
-0000509199 00000 n 
-0000511988 00000 n 
-0000512053 00000 n 
-0000514686 00000 n 
-0000513913 00000 n 
-0000512271 00000 n 
-0000514039 00000 n 
-0000514104 00000 n 
-0000514169 00000 n 
-0000514298 00000 n 
-0000514363 00000 n 
-0000514428 00000 n 
-0000514493 00000 n 
-0000514558 00000 n 
-0000514623 00000 n 
-0000517590 00000 n 
-0000516880 00000 n 
-0000514839 00000 n 
-0000517006 00000 n 
-0000517071 00000 n 
-0000517136 00000 n 
-0000517265 00000 n 
-0000517330 00000 n 
-0000517395 00000 n 
-0000517460 00000 n 
-0000517525 00000 n 
-0000521139 00000 n 
-0000520948 00000 n 
-0000517743 00000 n 
-0000521074 00000 n 
-0000776616 00000 n 
-0000523800 00000 n 
-0000523091 00000 n 
-0000521265 00000 n 
-0000523217 00000 n 
-0000523282 00000 n 
-0000523347 00000 n 
-0000523412 00000 n 
-0000523541 00000 n 
-0000523606 00000 n 
-0000523671 00000 n 
-0000523735 00000 n 
-0000527315 00000 n 
-0000527059 00000 n 
-0000523953 00000 n 
-0000527185 00000 n 
-0000527250 00000 n 
-0000530252 00000 n 
-0000529996 00000 n 
-0000527526 00000 n 
-0000530122 00000 n 
-0000530187 00000 n 
-0000533482 00000 n 
-0000532708 00000 n 
-0000530463 00000 n 
-0000532834 00000 n 
-0000532899 00000 n 
-0000532964 00000 n 
-0000533029 00000 n 
-0000533094 00000 n 
-0000533222 00000 n 
-0000533287 00000 n 
-0000533352 00000 n 
-0000533417 00000 n 
-0000538095 00000 n 
-0000537840 00000 n 
-0000533634 00000 n 
-0000537966 00000 n 
-0000538031 00000 n 
-0000541877 00000 n 
-0000541686 00000 n 
-0000538221 00000 n 
-0000541812 00000 n 
-0000776741 00000 n 
-0000544708 00000 n 
-0000544387 00000 n 
-0000542003 00000 n 
-0000544513 00000 n 
-0000544578 00000 n 
-0000544643 00000 n 
-0000548167 00000 n 
-0000547457 00000 n 
-0000544860 00000 n 
-0000547583 00000 n 
-0000547648 00000 n 
-0000547713 00000 n 
-0000547842 00000 n 
-0000547907 00000 n 
-0000547972 00000 n 
-0000548037 00000 n 
-0000548102 00000 n 
-0000551298 00000 n 
-0000550589 00000 n 
-0000548307 00000 n 
-0000550715 00000 n 
-0000550780 00000 n 
-0000550845 00000 n 
-0000550909 00000 n 
-0000551038 00000 n 
-0000551103 00000 n 
-0000551168 00000 n 
-0000551233 00000 n 
-0000554482 00000 n 
-0000554226 00000 n 
-0000551464 00000 n 
-0000554352 00000 n 
-0000554417 00000 n 
-0000557228 00000 n 
-0000556585 00000 n 
-0000554608 00000 n 
-0000556711 00000 n 
-0000556776 00000 n 
-0000556841 00000 n 
-0000556906 00000 n 
-0000557034 00000 n 
-0000557099 00000 n 
-0000557164 00000 n 
-0000560960 00000 n 
-0000560640 00000 n 
-0000557380 00000 n 
-0000560766 00000 n 
-0000560831 00000 n 
-0000560896 00000 n 
-0000776866 00000 n 
-0000564001 00000 n 
-0000563229 00000 n 
-0000561086 00000 n 
-0000563355 00000 n 
-0000563420 00000 n 
-0000563485 00000 n 
-0000563550 00000 n 
-0000563679 00000 n 
-0000563744 00000 n 
-0000563809 00000 n 
-0000563872 00000 n 
-0000563937 00000 n 
-0000566569 00000 n 
-0000566248 00000 n 
-0000564180 00000 n 
-0000566374 00000 n 
-0000566439 00000 n 
-0000566504 00000 n 
-0000566821 00000 n 
-0000578165 00000 n 
-0000585754 00000 n 
-0000588054 00000 n 
-0000588023 00000 n 
-0000591740 00000 n 
-0000601181 00000 n 
-0000611688 00000 n 
-0000623429 00000 n 
-0000636146 00000 n 
-0000655213 00000 n 
-0000676100 00000 n 
-0000698243 00000 n 
-0000716138 00000 n 
-0000718968 00000 n 
-0000718738 00000 n 
-0000746275 00000 n 
-0000773386 00000 n 
-0000776964 00000 n 
-0000777088 00000 n 
-0000777214 00000 n 
-0000777340 00000 n 
-0000777466 00000 n 
-0000777546 00000 n 
-0000777647 00000 n 
-0000794820 00000 n 
-0000815118 00000 n 
-0000815159 00000 n 
-0000815199 00000 n 
-0000815333 00000 n 
+0000099571 00000 n 
+0000098866 00000 n 
+0000096090 00000 n 
+0000098992 00000 n 
+0000099121 00000 n 
+0000099248 00000 n 
+0000644839 00000 n 
+0000632777 00000 n 
+0000644660 00000 n 
+0000099506 00000 n 
+0000103690 00000 n 
+0000102964 00000 n 
+0000099697 00000 n 
+0000103625 00000 n 
+0000632204 00000 n 
+0000621218 00000 n 
+0000632025 00000 n 
+0000103129 00000 n 
+0000103283 00000 n 
+0000103454 00000 n 
+0000212759 00000 n 
+0000357920 00000 n 
+0000107860 00000 n 
+0000107461 00000 n 
+0000103856 00000 n 
+0000107795 00000 n 
+0000107608 00000 n 
+0000178914 00000 n 
+0000111577 00000 n 
+0000111127 00000 n 
+0000107999 00000 n 
+0000111253 00000 n 
+0000111382 00000 n 
+0000111447 00000 n 
+0000111512 00000 n 
+0000114425 00000 n 
+0000117143 00000 n 
+0000114260 00000 n 
+0000111702 00000 n 
+0000116563 00000 n 
+0000116692 00000 n 
+0000116821 00000 n 
+0000116068 00000 n 
+0000116230 00000 n 
+0000620320 00000 n 
+0000610524 00000 n 
+0000620146 00000 n 
+0000609960 00000 n 
+0000600873 00000 n 
+0000609785 00000 n 
+0000116950 00000 n 
+0000116392 00000 n 
+0000117079 00000 n 
+0000783324 00000 n 
+0000115897 00000 n 
+0000115955 00000 n 
+0000116045 00000 n 
+0000225412 00000 n 
+0000261073 00000 n 
+0000121775 00000 n 
+0000120841 00000 n 
+0000117312 00000 n 
+0000121325 00000 n 
+0000121454 00000 n 
+0000120997 00000 n 
+0000121163 00000 n 
+0000121583 00000 n 
+0000121711 00000 n 
+0000429073 00000 n 
+0000125434 00000 n 
+0000125054 00000 n 
+0000121927 00000 n 
+0000125369 00000 n 
+0000125201 00000 n 
+0000126607 00000 n 
+0000126416 00000 n 
+0000125559 00000 n 
+0000126542 00000 n 
+0000128594 00000 n 
+0000128274 00000 n 
+0000126706 00000 n 
+0000128400 00000 n 
+0000128529 00000 n 
+0000132007 00000 n 
+0000131043 00000 n 
+0000128706 00000 n 
+0000131169 00000 n 
+0000131298 00000 n 
+0000131427 00000 n 
+0000131556 00000 n 
+0000131685 00000 n 
+0000131814 00000 n 
+0000131943 00000 n 
+0000135998 00000 n 
+0000135229 00000 n 
+0000132145 00000 n 
+0000135547 00000 n 
+0000135676 00000 n 
+0000135376 00000 n 
+0000135805 00000 n 
+0000135934 00000 n 
+0000783449 00000 n 
+0000139861 00000 n 
+0000139283 00000 n 
+0000136136 00000 n 
+0000139409 00000 n 
+0000139538 00000 n 
+0000139667 00000 n 
+0000139796 00000 n 
+0000143720 00000 n 
+0000143271 00000 n 
+0000139999 00000 n 
+0000143397 00000 n 
+0000143526 00000 n 
+0000143655 00000 n 
+0000146114 00000 n 
+0000145923 00000 n 
+0000143845 00000 n 
+0000146049 00000 n 
+0000149933 00000 n 
+0000149173 00000 n 
+0000146256 00000 n 
+0000149481 00000 n 
+0000600598 00000 n 
+0000597238 00000 n 
+0000600419 00000 n 
+0000149610 00000 n 
+0000149320 00000 n 
+0000149739 00000 n 
+0000149868 00000 n 
+0000424787 00000 n 
+0000150704 00000 n 
+0000150513 00000 n 
+0000150115 00000 n 
+0000150639 00000 n 
+0000153375 00000 n 
+0000152797 00000 n 
+0000150803 00000 n 
+0000152923 00000 n 
+0000153052 00000 n 
+0000153181 00000 n 
+0000153310 00000 n 
+0000783574 00000 n 
+0000153815 00000 n 
+0000153624 00000 n 
+0000153474 00000 n 
+0000153750 00000 n 
+0000157902 00000 n 
+0000157136 00000 n 
+0000153857 00000 n 
+0000157450 00000 n 
+0000157579 00000 n 
+0000157707 00000 n 
+0000157772 00000 n 
+0000157837 00000 n 
+0000157283 00000 n 
+0000162398 00000 n 
+0000162590 00000 n 
+0000162143 00000 n 
+0000158001 00000 n 
+0000162269 00000 n 
+0000162525 00000 n 
+0000166439 00000 n 
+0000165861 00000 n 
+0000162715 00000 n 
+0000165987 00000 n 
+0000166116 00000 n 
+0000166245 00000 n 
+0000166374 00000 n 
+0000169095 00000 n 
+0000170473 00000 n 
+0000168969 00000 n 
+0000166577 00000 n 
+0000170021 00000 n 
+0000170150 00000 n 
+0000170279 00000 n 
+0000170344 00000 n 
+0000170408 00000 n 
+0000173796 00000 n 
+0000173092 00000 n 
+0000170628 00000 n 
+0000173218 00000 n 
+0000173347 00000 n 
+0000173475 00000 n 
+0000173540 00000 n 
+0000173605 00000 n 
+0000173731 00000 n 
+0000783699 00000 n 
+0000179107 00000 n 
+0000178319 00000 n 
+0000173908 00000 n 
+0000178785 00000 n 
+0000178475 00000 n 
+0000178626 00000 n 
+0000179043 00000 n 
+0000575864 00000 n 
+0000182969 00000 n 
+0000181698 00000 n 
+0000179245 00000 n 
+0000182388 00000 n 
+0000182517 00000 n 
+0000182646 00000 n 
+0000182775 00000 n 
+0000181863 00000 n 
+0000182015 00000 n 
+0000182201 00000 n 
+0000182904 00000 n 
+0000187114 00000 n 
+0000186665 00000 n 
+0000183095 00000 n 
+0000186791 00000 n 
+0000186920 00000 n 
+0000187049 00000 n 
+0000191017 00000 n 
+0000190638 00000 n 
+0000187239 00000 n 
+0000190952 00000 n 
+0000190785 00000 n 
+0000193865 00000 n 
+0000194060 00000 n 
+0000193610 00000 n 
+0000191129 00000 n 
+0000193736 00000 n 
+0000193930 00000 n 
+0000193995 00000 n 
+0000197615 00000 n 
+0000197424 00000 n 
+0000194172 00000 n 
+0000197550 00000 n 
+0000783824 00000 n 
+0000201192 00000 n 
+0000200742 00000 n 
+0000197727 00000 n 
+0000200868 00000 n 
+0000200997 00000 n 
+0000201062 00000 n 
+0000201127 00000 n 
+0000204892 00000 n 
+0000204107 00000 n 
+0000201304 00000 n 
+0000204569 00000 n 
+0000204698 00000 n 
+0000204827 00000 n 
+0000204263 00000 n 
+0000204416 00000 n 
+0000206880 00000 n 
+0000206303 00000 n 
+0000205004 00000 n 
+0000206429 00000 n 
+0000206558 00000 n 
+0000206687 00000 n 
+0000206815 00000 n 
+0000208400 00000 n 
+0000208209 00000 n 
+0000206992 00000 n 
+0000208335 00000 n 
+0000209932 00000 n 
+0000209741 00000 n 
+0000208499 00000 n 
+0000209867 00000 n 
+0000212823 00000 n 
+0000212504 00000 n 
+0000210031 00000 n 
+0000212630 00000 n 
+0000783949 00000 n 
+0000217041 00000 n 
+0000216850 00000 n 
+0000212949 00000 n 
+0000216976 00000 n 
+0000221563 00000 n 
+0000221015 00000 n 
+0000217179 00000 n 
+0000221498 00000 n 
+0000221171 00000 n 
+0000221328 00000 n 
+0000394452 00000 n 
+0000225477 00000 n 
+0000225157 00000 n 
+0000221688 00000 n 
+0000225283 00000 n 
+0000229594 00000 n 
+0000229100 00000 n 
+0000225602 00000 n 
+0000229399 00000 n 
+0000229464 00000 n 
+0000229529 00000 n 
+0000229247 00000 n 
+0000234621 00000 n 
+0000233490 00000 n 
+0000229719 00000 n 
+0000234556 00000 n 
+0000233673 00000 n 
+0000233830 00000 n 
+0000234014 00000 n 
+0000234187 00000 n 
+0000234372 00000 n 
+0000311101 00000 n 
+0000239006 00000 n 
+0000238815 00000 n 
+0000234802 00000 n 
+0000238941 00000 n 
+0000784074 00000 n 
+0000242806 00000 n 
+0000242615 00000 n 
+0000239131 00000 n 
+0000242741 00000 n 
+0000246894 00000 n 
+0000246255 00000 n 
+0000242931 00000 n 
+0000246571 00000 n 
+0000246700 00000 n 
+0000246402 00000 n 
+0000246829 00000 n 
+0000326165 00000 n 
+0000250196 00000 n 
+0000249688 00000 n 
+0000247006 00000 n 
+0000250002 00000 n 
+0000250131 00000 n 
+0000249835 00000 n 
+0000254383 00000 n 
+0000253692 00000 n 
+0000250352 00000 n 
+0000254189 00000 n 
+0000253848 00000 n 
+0000254018 00000 n 
+0000254318 00000 n 
+0000412169 00000 n 
+0000258083 00000 n 
+0000257763 00000 n 
+0000254508 00000 n 
+0000257889 00000 n 
+0000258018 00000 n 
+0000261138 00000 n 
+0000260818 00000 n 
+0000258195 00000 n 
+0000260944 00000 n 
+0000784199 00000 n 
+0000264940 00000 n 
+0000264749 00000 n 
+0000261294 00000 n 
+0000264875 00000 n 
+0000268123 00000 n 
+0000267623 00000 n 
+0000265052 00000 n 
+0000267929 00000 n 
+0000268058 00000 n 
+0000267770 00000 n 
+0000272705 00000 n 
+0000271898 00000 n 
+0000268292 00000 n 
+0000272382 00000 n 
+0000272511 00000 n 
+0000272054 00000 n 
+0000272640 00000 n 
+0000272227 00000 n 
+0000276543 00000 n 
+0000276223 00000 n 
+0000272817 00000 n 
+0000276349 00000 n 
+0000276478 00000 n 
+0000281019 00000 n 
+0000280224 00000 n 
+0000276711 00000 n 
+0000280697 00000 n 
+0000280826 00000 n 
+0000280954 00000 n 
+0000280380 00000 n 
+0000280542 00000 n 
+0000284010 00000 n 
+0000283371 00000 n 
+0000281188 00000 n 
+0000283687 00000 n 
+0000283518 00000 n 
+0000283881 00000 n 
+0000283946 00000 n 
+0000784324 00000 n 
+0000287130 00000 n 
+0000286811 00000 n 
+0000284136 00000 n 
+0000286937 00000 n 
+0000287065 00000 n 
+0000291751 00000 n 
+0000291207 00000 n 
+0000287312 00000 n 
+0000291686 00000 n 
+0000291363 00000 n 
+0000291525 00000 n 
+0000390883 00000 n 
+0000296169 00000 n 
+0000295533 00000 n 
+0000291863 00000 n 
+0000295847 00000 n 
+0000596883 00000 n 
+0000594885 00000 n 
+0000596718 00000 n 
+0000295976 00000 n 
+0000295680 00000 n 
+0000296105 00000 n 
+0000323775 00000 n 
+0000299064 00000 n 
+0000298873 00000 n 
+0000296295 00000 n 
+0000298999 00000 n 
+0000303481 00000 n 
+0000303032 00000 n 
+0000299232 00000 n 
+0000303158 00000 n 
+0000303416 00000 n 
+0000307180 00000 n 
+0000306689 00000 n 
+0000303593 00000 n 
+0000306986 00000 n 
+0000306836 00000 n 
+0000307115 00000 n 
+0000784449 00000 n 
+0000311166 00000 n 
+0000310847 00000 n 
+0000307306 00000 n 
+0000310973 00000 n 
+0000315742 00000 n 
+0000314951 00000 n 
+0000311278 00000 n 
+0000315421 00000 n 
+0000315107 00000 n 
+0000315259 00000 n 
+0000315549 00000 n 
+0000315677 00000 n 
+0000319685 00000 n 
+0000318804 00000 n 
+0000315854 00000 n 
+0000319105 00000 n 
+0000319234 00000 n 
+0000319363 00000 n 
+0000318951 00000 n 
+0000319492 00000 n 
+0000319621 00000 n 
+0000323969 00000 n 
+0000323520 00000 n 
+0000319797 00000 n 
+0000323646 00000 n 
+0000323904 00000 n 
+0000326230 00000 n 
+0000325910 00000 n 
+0000324094 00000 n 
+0000326036 00000 n 
+0000327729 00000 n 
+0000327538 00000 n 
+0000326342 00000 n 
+0000327664 00000 n 
+0000784574 00000 n 
+0000329200 00000 n 
+0000329009 00000 n 
+0000327828 00000 n 
+0000329135 00000 n 
+0000332016 00000 n 
+0000331439 00000 n 
+0000329299 00000 n 
+0000331565 00000 n 
+0000331694 00000 n 
+0000331821 00000 n 
+0000331886 00000 n 
+0000331951 00000 n 
+0000336214 00000 n 
+0000335706 00000 n 
+0000332128 00000 n 
+0000336020 00000 n 
+0000335853 00000 n 
+0000336149 00000 n 
+0000575831 00000 n 
+0000342131 00000 n 
+0000339224 00000 n 
+0000336326 00000 n 
+0000341937 00000 n 
+0000342066 00000 n 
+0000339497 00000 n 
+0000339659 00000 n 
+0000339821 00000 n 
+0000339983 00000 n 
+0000340145 00000 n 
+0000340307 00000 n 
+0000340478 00000 n 
+0000340640 00000 n 
+0000340803 00000 n 
+0000340963 00000 n 
+0000341124 00000 n 
+0000341287 00000 n 
+0000341450 00000 n 
+0000341613 00000 n 
+0000341776 00000 n 
+0000347227 00000 n 
+0000345310 00000 n 
+0000342243 00000 n 
+0000347162 00000 n 
+0000345538 00000 n 
+0000345699 00000 n 
+0000345867 00000 n 
+0000346037 00000 n 
+0000346198 00000 n 
+0000346360 00000 n 
+0000346522 00000 n 
+0000346684 00000 n 
+0000346847 00000 n 
+0000347001 00000 n 
+0000353619 00000 n 
+0000350567 00000 n 
+0000347352 00000 n 
+0000353554 00000 n 
+0000350858 00000 n 
+0000351012 00000 n 
+0000351166 00000 n 
+0000351320 00000 n 
+0000351474 00000 n 
+0000351636 00000 n 
+0000351798 00000 n 
+0000351958 00000 n 
+0000352117 00000 n 
+0000352278 00000 n 
+0000352437 00000 n 
+0000352595 00000 n 
+0000352748 00000 n 
+0000352911 00000 n 
+0000353062 00000 n 
+0000353227 00000 n 
+0000353393 00000 n 
+0000784699 00000 n 
+0000490098 00000 n 
+0000502935 00000 n 
+0000358113 00000 n 
+0000357318 00000 n 
+0000353731 00000 n 
+0000357791 00000 n 
+0000357474 00000 n 
+0000357628 00000 n 
+0000357985 00000 n 
+0000358049 00000 n 
+0000361335 00000 n 
+0000361144 00000 n 
+0000358252 00000 n 
+0000361270 00000 n 
+0000365813 00000 n 
+0000364615 00000 n 
+0000361504 00000 n 
+0000365102 00000 n 
+0000365231 00000 n 
+0000365488 00000 n 
+0000364771 00000 n 
+0000364941 00000 n 
+0000365553 00000 n 
+0000365618 00000 n 
+0000365683 00000 n 
+0000365748 00000 n 
+0000369014 00000 n 
+0000368823 00000 n 
+0000365925 00000 n 
+0000368949 00000 n 
+0000373099 00000 n 
+0000372520 00000 n 
+0000369100 00000 n 
+0000372646 00000 n 
+0000372711 00000 n 
+0000372776 00000 n 
+0000372905 00000 n 
+0000372969 00000 n 
+0000373034 00000 n 
+0000377131 00000 n 
+0000376293 00000 n 
+0000373224 00000 n 
+0000376419 00000 n 
+0000376484 00000 n 
+0000376549 00000 n 
+0000376678 00000 n 
+0000376743 00000 n 
+0000376808 00000 n 
+0000376936 00000 n 
+0000377001 00000 n 
+0000377066 00000 n 
+0000784824 00000 n 
+0000380966 00000 n 
+0000380131 00000 n 
+0000377256 00000 n 
+0000380257 00000 n 
+0000380386 00000 n 
+0000380450 00000 n 
+0000380515 00000 n 
+0000380643 00000 n 
+0000380772 00000 n 
+0000380901 00000 n 
+0000383847 00000 n 
+0000383269 00000 n 
+0000381176 00000 n 
+0000383395 00000 n 
+0000383524 00000 n 
+0000383653 00000 n 
+0000383782 00000 n 
+0000387245 00000 n 
+0000386924 00000 n 
+0000384030 00000 n 
+0000387050 00000 n 
+0000387115 00000 n 
+0000387180 00000 n 
+0000391207 00000 n 
+0000390628 00000 n 
+0000387370 00000 n 
+0000390754 00000 n 
+0000391012 00000 n 
+0000391077 00000 n 
+0000391142 00000 n 
+0000394905 00000 n 
+0000394016 00000 n 
+0000391332 00000 n 
+0000394323 00000 n 
+0000394163 00000 n 
+0000394581 00000 n 
+0000394710 00000 n 
+0000394775 00000 n 
+0000394840 00000 n 
+0000398657 00000 n 
+0000398025 00000 n 
+0000395017 00000 n 
+0000398337 00000 n 
+0000398172 00000 n 
+0000398466 00000 n 
+0000398529 00000 n 
+0000398592 00000 n 
+0000784949 00000 n 
+0000575798 00000 n 
+0000402377 00000 n 
+0000401928 00000 n 
+0000398769 00000 n 
+0000402054 00000 n 
+0000402182 00000 n 
+0000402247 00000 n 
+0000402312 00000 n 
+0000405523 00000 n 
+0000404945 00000 n 
+0000402489 00000 n 
+0000405071 00000 n 
+0000405200 00000 n 
+0000405265 00000 n 
+0000405329 00000 n 
+0000594604 00000 n 
+0000587320 00000 n 
+0000594424 00000 n 
+0000405458 00000 n 
+0000406004 00000 n 
+0000405813 00000 n 
+0000405663 00000 n 
+0000405939 00000 n 
+0000407814 00000 n 
+0000407365 00000 n 
+0000406046 00000 n 
+0000407491 00000 n 
+0000407620 00000 n 
+0000407749 00000 n 
+0000412234 00000 n 
+0000411291 00000 n 
+0000407926 00000 n 
+0000411654 00000 n 
+0000586999 00000 n 
+0000577786 00000 n 
+0000586813 00000 n 
+0000411438 00000 n 
+0000411783 00000 n 
+0000411911 00000 n 
+0000412040 00000 n 
+0000413590 00000 n 
+0000413399 00000 n 
+0000412471 00000 n 
+0000413525 00000 n 
+0000785074 00000 n 
+0000414030 00000 n 
+0000413839 00000 n 
+0000413689 00000 n 
+0000413965 00000 n 
+0000417343 00000 n 
+0000416117 00000 n 
+0000414072 00000 n 
+0000416634 00000 n 
+0000416763 00000 n 
+0000416892 00000 n 
+0000417021 00000 n 
+0000417150 00000 n 
+0000417279 00000 n 
+0000416273 00000 n 
+0000416445 00000 n 
+0000417797 00000 n 
+0000417606 00000 n 
+0000417456 00000 n 
+0000417732 00000 n 
+0000421042 00000 n 
+0000420464 00000 n 
+0000417839 00000 n 
+0000420590 00000 n 
+0000420719 00000 n 
+0000420848 00000 n 
+0000420977 00000 n 
+0000425238 00000 n 
+0000424019 00000 n 
+0000421128 00000 n 
+0000424529 00000 n 
+0000424658 00000 n 
+0000424916 00000 n 
+0000424175 00000 n 
+0000424354 00000 n 
+0000425110 00000 n 
+0000425174 00000 n 
+0000432125 00000 n 
+0000428297 00000 n 
+0000425391 00000 n 
+0000428423 00000 n 
+0000428488 00000 n 
+0000428553 00000 n 
+0000428618 00000 n 
+0000428683 00000 n 
+0000428748 00000 n 
+0000428813 00000 n 
+0000428878 00000 n 
+0000428943 00000 n 
+0000429008 00000 n 
+0000429138 00000 n 
+0000429203 00000 n 
+0000429268 00000 n 
+0000429333 00000 n 
+0000429398 00000 n 
+0000429463 00000 n 
+0000429528 00000 n 
+0000429593 00000 n 
+0000429658 00000 n 
+0000429723 00000 n 
+0000429788 00000 n 
+0000429853 00000 n 
+0000429918 00000 n 
+0000429983 00000 n 
+0000430048 00000 n 
+0000430113 00000 n 
+0000430178 00000 n 
+0000430243 00000 n 
+0000430308 00000 n 
+0000430373 00000 n 
+0000430438 00000 n 
+0000430503 00000 n 
+0000430568 00000 n 
+0000430633 00000 n 
+0000430697 00000 n 
+0000430762 00000 n 
+0000430827 00000 n 
+0000430892 00000 n 
+0000430957 00000 n 
+0000431022 00000 n 
+0000431087 00000 n 
+0000431152 00000 n 
+0000431217 00000 n 
+0000431282 00000 n 
+0000431347 00000 n 
+0000431412 00000 n 
+0000431477 00000 n 
+0000431542 00000 n 
+0000431607 00000 n 
+0000431672 00000 n 
+0000431737 00000 n 
+0000431802 00000 n 
+0000431867 00000 n 
+0000431932 00000 n 
+0000431997 00000 n 
+0000432061 00000 n 
+0000785199 00000 n 
+0000438771 00000 n 
+0000435207 00000 n 
+0000432237 00000 n 
+0000435333 00000 n 
+0000435398 00000 n 
+0000435463 00000 n 
+0000435528 00000 n 
+0000435593 00000 n 
+0000435658 00000 n 
+0000435723 00000 n 
+0000435788 00000 n 
+0000435853 00000 n 
+0000435918 00000 n 
+0000435983 00000 n 
+0000436048 00000 n 
+0000436112 00000 n 
+0000436177 00000 n 
+0000436242 00000 n 
+0000436307 00000 n 
+0000436372 00000 n 
+0000436437 00000 n 
+0000436502 00000 n 
+0000436567 00000 n 
+0000436632 00000 n 
+0000436697 00000 n 
+0000436762 00000 n 
+0000436827 00000 n 
+0000436891 00000 n 
+0000436956 00000 n 
+0000437021 00000 n 
+0000437086 00000 n 
+0000437151 00000 n 
+0000437216 00000 n 
+0000437281 00000 n 
+0000437346 00000 n 
+0000437411 00000 n 
+0000437476 00000 n 
+0000437541 00000 n 
+0000437606 00000 n 
+0000437671 00000 n 
+0000437736 00000 n 
+0000437801 00000 n 
+0000437866 00000 n 
+0000437930 00000 n 
+0000437994 00000 n 
+0000438058 00000 n 
+0000438123 00000 n 
+0000438188 00000 n 
+0000438253 00000 n 
+0000438318 00000 n 
+0000438383 00000 n 
+0000438448 00000 n 
+0000438513 00000 n 
+0000438578 00000 n 
+0000438643 00000 n 
+0000438707 00000 n 
+0000444944 00000 n 
+0000441506 00000 n 
+0000438883 00000 n 
+0000441632 00000 n 
+0000441697 00000 n 
+0000441762 00000 n 
+0000441827 00000 n 
+0000441892 00000 n 
+0000441957 00000 n 
+0000442022 00000 n 
+0000442087 00000 n 
+0000442152 00000 n 
+0000442217 00000 n 
+0000442282 00000 n 
+0000442347 00000 n 
+0000442412 00000 n 
+0000442477 00000 n 
+0000442542 00000 n 
+0000442607 00000 n 
+0000442672 00000 n 
+0000442737 00000 n 
+0000442802 00000 n 
+0000442867 00000 n 
+0000442932 00000 n 
+0000442997 00000 n 
+0000443062 00000 n 
+0000443127 00000 n 
+0000443192 00000 n 
+0000443257 00000 n 
+0000443322 00000 n 
+0000443387 00000 n 
+0000443452 00000 n 
+0000443517 00000 n 
+0000443582 00000 n 
+0000443647 00000 n 
+0000443712 00000 n 
+0000443777 00000 n 
+0000443841 00000 n 
+0000443906 00000 n 
+0000443971 00000 n 
+0000444036 00000 n 
+0000444101 00000 n 
+0000444166 00000 n 
+0000444231 00000 n 
+0000444296 00000 n 
+0000444361 00000 n 
+0000444426 00000 n 
+0000444491 00000 n 
+0000444556 00000 n 
+0000444621 00000 n 
+0000444686 00000 n 
+0000444751 00000 n 
+0000444816 00000 n 
+0000444880 00000 n 
+0000449522 00000 n 
+0000447258 00000 n 
+0000445056 00000 n 
+0000447384 00000 n 
+0000447449 00000 n 
+0000447514 00000 n 
+0000447579 00000 n 
+0000447644 00000 n 
+0000447709 00000 n 
+0000447774 00000 n 
+0000447839 00000 n 
+0000447904 00000 n 
+0000447969 00000 n 
+0000448034 00000 n 
+0000448099 00000 n 
+0000448164 00000 n 
+0000448229 00000 n 
+0000448291 00000 n 
+0000448355 00000 n 
+0000448420 00000 n 
+0000448484 00000 n 
+0000448549 00000 n 
+0000448614 00000 n 
+0000448679 00000 n 
+0000448744 00000 n 
+0000448809 00000 n 
+0000448874 00000 n 
+0000448939 00000 n 
+0000449068 00000 n 
+0000449197 00000 n 
+0000449262 00000 n 
+0000449327 00000 n 
+0000449392 00000 n 
+0000449457 00000 n 
+0000452317 00000 n 
+0000451673 00000 n 
+0000449647 00000 n 
+0000451799 00000 n 
+0000451928 00000 n 
+0000452057 00000 n 
+0000452122 00000 n 
+0000452187 00000 n 
+0000452252 00000 n 
+0000456655 00000 n 
+0000456335 00000 n 
+0000452430 00000 n 
+0000456461 00000 n 
+0000456526 00000 n 
+0000456591 00000 n 
+0000460255 00000 n 
+0000460000 00000 n 
+0000456808 00000 n 
+0000460126 00000 n 
+0000460191 00000 n 
+0000785324 00000 n 
+0000463503 00000 n 
+0000463312 00000 n 
+0000460394 00000 n 
+0000463438 00000 n 
+0000467231 00000 n 
+0000466975 00000 n 
+0000463629 00000 n 
+0000467101 00000 n 
+0000467166 00000 n 
+0000470072 00000 n 
+0000469364 00000 n 
+0000467370 00000 n 
+0000469490 00000 n 
+0000469555 00000 n 
+0000469620 00000 n 
+0000469685 00000 n 
+0000469750 00000 n 
+0000469879 00000 n 
+0000469944 00000 n 
+0000470008 00000 n 
+0000474740 00000 n 
+0000474484 00000 n 
+0000470211 00000 n 
+0000474610 00000 n 
+0000474675 00000 n 
+0000477736 00000 n 
+0000476963 00000 n 
+0000474866 00000 n 
+0000477089 00000 n 
+0000477154 00000 n 
+0000477219 00000 n 
+0000477284 00000 n 
+0000477413 00000 n 
+0000477478 00000 n 
+0000477541 00000 n 
+0000477606 00000 n 
+0000477671 00000 n 
+0000480645 00000 n 
+0000480130 00000 n 
+0000477889 00000 n 
+0000480256 00000 n 
+0000480321 00000 n 
+0000480386 00000 n 
+0000480451 00000 n 
+0000480516 00000 n 
+0000480581 00000 n 
+0000785449 00000 n 
+0000484060 00000 n 
+0000483480 00000 n 
+0000480797 00000 n 
+0000483606 00000 n 
+0000483735 00000 n 
+0000483800 00000 n 
+0000483865 00000 n 
+0000483930 00000 n 
+0000483995 00000 n 
+0000487363 00000 n 
+0000487107 00000 n 
+0000484200 00000 n 
+0000487233 00000 n 
+0000487298 00000 n 
+0000490358 00000 n 
+0000489648 00000 n 
+0000487489 00000 n 
+0000489774 00000 n 
+0000489839 00000 n 
+0000489904 00000 n 
+0000489969 00000 n 
+0000490163 00000 n 
+0000490228 00000 n 
+0000490293 00000 n 
+0000493880 00000 n 
+0000493624 00000 n 
+0000490510 00000 n 
+0000493750 00000 n 
+0000493815 00000 n 
+0000497471 00000 n 
+0000497215 00000 n 
+0000494006 00000 n 
+0000497341 00000 n 
+0000497406 00000 n 
+0000500492 00000 n 
+0000499849 00000 n 
+0000497597 00000 n 
+0000499975 00000 n 
+0000500040 00000 n 
+0000500105 00000 n 
+0000500170 00000 n 
+0000500235 00000 n 
+0000500363 00000 n 
+0000500428 00000 n 
+0000785574 00000 n 
+0000503129 00000 n 
+0000502355 00000 n 
+0000500657 00000 n 
+0000502481 00000 n 
+0000502546 00000 n 
+0000502611 00000 n 
+0000502676 00000 n 
+0000502741 00000 n 
+0000502806 00000 n 
+0000503000 00000 n 
+0000503064 00000 n 
+0000506608 00000 n 
+0000506222 00000 n 
+0000503282 00000 n 
+0000506348 00000 n 
+0000506413 00000 n 
+0000506478 00000 n 
+0000506543 00000 n 
+0000509849 00000 n 
+0000509074 00000 n 
+0000506734 00000 n 
+0000509200 00000 n 
+0000509265 00000 n 
+0000509330 00000 n 
+0000509395 00000 n 
+0000509524 00000 n 
+0000509589 00000 n 
+0000509654 00000 n 
+0000509719 00000 n 
+0000509784 00000 n 
+0000513742 00000 n 
+0000513551 00000 n 
+0000510002 00000 n 
+0000513677 00000 n 
+0000517176 00000 n 
+0000516985 00000 n 
+0000513868 00000 n 
+0000517111 00000 n 
+0000520803 00000 n 
+0000520547 00000 n 
+0000517302 00000 n 
+0000520673 00000 n 
+0000520738 00000 n 
+0000785699 00000 n 
+0000523271 00000 n 
+0000522563 00000 n 
+0000520956 00000 n 
+0000522689 00000 n 
+0000522754 00000 n 
+0000522819 00000 n 
+0000522946 00000 n 
+0000523011 00000 n 
+0000523076 00000 n 
+0000523141 00000 n 
+0000523206 00000 n 
+0000526165 00000 n 
+0000525456 00000 n 
+0000523424 00000 n 
+0000525582 00000 n 
+0000525647 00000 n 
+0000525712 00000 n 
+0000525777 00000 n 
+0000525906 00000 n 
+0000525971 00000 n 
+0000526035 00000 n 
+0000526100 00000 n 
+0000529337 00000 n 
+0000529081 00000 n 
+0000526304 00000 n 
+0000529207 00000 n 
+0000529272 00000 n 
+0000532212 00000 n 
+0000531633 00000 n 
+0000529463 00000 n 
+0000531759 00000 n 
+0000531824 00000 n 
+0000531889 00000 n 
+0000531954 00000 n 
+0000532083 00000 n 
+0000532148 00000 n 
+0000535632 00000 n 
+0000535246 00000 n 
+0000532351 00000 n 
+0000535372 00000 n 
+0000535437 00000 n 
+0000535502 00000 n 
+0000535567 00000 n 
+0000538728 00000 n 
+0000538537 00000 n 
+0000535772 00000 n 
+0000538663 00000 n 
+0000785824 00000 n 
+0000541536 00000 n 
+0000540829 00000 n 
+0000538939 00000 n 
+0000540955 00000 n 
+0000541020 00000 n 
+0000541084 00000 n 
+0000541149 00000 n 
+0000541214 00000 n 
+0000541279 00000 n 
+0000541408 00000 n 
+0000541472 00000 n 
+0000545932 00000 n 
+0000545611 00000 n 
+0000541717 00000 n 
+0000545737 00000 n 
+0000545802 00000 n 
+0000545867 00000 n 
+0000549673 00000 n 
+0000549417 00000 n 
+0000546058 00000 n 
+0000549543 00000 n 
+0000549608 00000 n 
+0000552852 00000 n 
+0000552596 00000 n 
+0000549799 00000 n 
+0000552722 00000 n 
+0000552787 00000 n 
+0000555843 00000 n 
+0000555133 00000 n 
+0000552978 00000 n 
+0000555259 00000 n 
+0000555324 00000 n 
+0000555389 00000 n 
+0000555454 00000 n 
+0000555583 00000 n 
+0000555648 00000 n 
+0000555713 00000 n 
+0000555778 00000 n 
+0000559574 00000 n 
+0000559124 00000 n 
+0000555995 00000 n 
+0000559250 00000 n 
+0000559315 00000 n 
+0000559380 00000 n 
+0000559445 00000 n 
+0000559510 00000 n 
+0000785949 00000 n 
+0000563317 00000 n 
+0000562738 00000 n 
+0000559727 00000 n 
+0000562864 00000 n 
+0000562993 00000 n 
+0000563058 00000 n 
+0000563123 00000 n 
+0000563188 00000 n 
+0000563253 00000 n 
+0000565586 00000 n 
+0000565266 00000 n 
+0000563456 00000 n 
+0000565392 00000 n 
+0000565457 00000 n 
+0000565522 00000 n 
+0000568972 00000 n 
+0000568330 00000 n 
+0000565738 00000 n 
+0000568456 00000 n 
+0000568521 00000 n 
+0000568650 00000 n 
+0000568715 00000 n 
+0000568779 00000 n 
+0000568843 00000 n 
+0000568908 00000 n 
+0000571923 00000 n 
+0000571279 00000 n 
+0000569112 00000 n 
+0000571405 00000 n 
+0000571470 00000 n 
+0000571535 00000 n 
+0000571600 00000 n 
+0000571729 00000 n 
+0000571794 00000 n 
+0000571859 00000 n 
+0000575645 00000 n 
+0000575194 00000 n 
+0000572089 00000 n 
+0000575320 00000 n 
+0000575385 00000 n 
+0000575450 00000 n 
+0000575515 00000 n 
+0000575580 00000 n 
+0000575897 00000 n 
+0000587241 00000 n 
+0000594830 00000 n 
+0000597130 00000 n 
+0000597099 00000 n 
+0000600818 00000 n 
+0000610259 00000 n 
+0000620766 00000 n 
+0000632510 00000 n 
+0000645227 00000 n 
+0000664296 00000 n 
+0000685183 00000 n 
+0000707326 00000 n 
+0000725221 00000 n 
+0000728051 00000 n 
+0000727821 00000 n 
+0000755358 00000 n 
+0000782469 00000 n 
+0000786074 00000 n 
+0000786198 00000 n 
+0000786324 00000 n 
+0000786450 00000 n 
+0000786576 00000 n 
+0000786656 00000 n 
+0000786757 00000 n 
+0000803930 00000 n 
+0000824312 00000 n 
+0000824353 00000 n 
+0000824393 00000 n 
+0000824527 00000 n 
 trailer
 <<
-/Size 2270
-/Root 2268 0 R
-/Info 2269 0 R
-/ID [<9624E1A96827473083CB913E1B65D3B4> <9624E1A96827473083CB913E1B65D3B4>]
+/Size 2290
+/Root 2288 0 R
+/Info 2289 0 R
+/ID [ ]
 >>
 startxref
-815591
+824785
 %%EOF
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index d8dc98918a..99d8a2d545 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 3aeab90a00..7bda193218 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 4942b6fb6e..9eda2cfdfd 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index ec611eac71..72976c1a3f 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index f52dcf85cf..d9ff99efe6 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index ed74bb2d9e..cb77d251a0 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index deec0ad4dc..5e3dff458f 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 972a3d70d9..91d405c41a 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -345,13 +345,17 @@
 
    -x
    
 
    
             Only sign the DNSKEY RRset with key-signing keys, and omit
-            signatures from zone-signing keys.
+            signatures from zone-signing keys.  (This is similar to the
+            dnskey-ksk-only yes; zone option in
+            named.)
           
    
 
    -z
    
 
    
             Ignore KSK flag on key when determining what to sign.  This
             causes KSK-flagged keys to sign all records, not just the
-            DNSKEY RRset.
+            DNSKEY RRset.  (This is similar to the
+            update-check-ksk no; zone option in
+            named.)
           
    
 
    -3 salt
    
 
    
@@ -393,14 +397,15 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
-      (Kexample.com.+003+17247).  The zone's keys must be in the master
-      file (db.example.com).  This invocation looks
-      for keyset files, in the current directory,
-      so that DS records can be generated from them (-g).
+      (Kexample.com.+003+17247).  Because the -S option
+      is not being used, the zone's keys must be in the master file
+      (db.example.com).  This invocation looks
+      for dsset files, in the current directory,
+      so that DS records can be imported from them (-g).
     
    
 
    % dnssec-signzone -g -o example.com db.example.com \
 Kexample.com.+003+17247
@@ -422,14 +427,14 @@ db.example.com.signed
 %
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index d4bbef19bf..16e16e8ada 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 932c9540d0..00806259af 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 027eb2e40c..2cfff525a1 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 391d97e9ee..c8bc344cd9 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index ed53407f4b..ffd9a42662 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 17883adbf5..f61f201015 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 8ca3438fd6..4b17fbfbfe 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 1ea7ed220d..cd76adf372 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/misc/options b/doc/misc/options
index c6c773f8f2..3cf58ca88e 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -418,6 +418,7 @@ view   {
                      | * ) ];
                 alt-transfer-source-v6 (  | * ) [ port (
                      | * ) ];
+                auto-dnssec ( allow | maintain | create | off );
                 check-integrity ;
                 check-mx ( fail | warn | ignore );
                 check-mx-cname ( fail | warn | ignore );
@@ -501,6 +502,7 @@ zone   {
         alt-transfer-source (  | * ) [ port (  | * ) ];
         alt-transfer-source-v6 (  | * ) [ port (  |
             * ) ];
+        auto-dnssec ( allow | maintain | create | off );
         check-integrity ;
         check-mx ( fail | warn | ignore );
         check-mx-cname ( fail | warn | ignore );

From c243d779731a410f8dc2d2feeed20c15f299b6e3 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 12 Oct 2009 23:30:34 +0000
Subject: [PATCH 305/385] newcopyrights

---
 util/copyrights | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 5e7dceba18..8755d5517b 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -153,7 +153,7 @@
 ./bin/named/include/named/builtin.h		C	2001,2004,2005,2007
 ./bin/named/include/named/client.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/include/named/config.h		C	2001,2002,2004,2005,2006,2007,2009
-./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006,2007
+./bin/named/include/named/control.h		C	2001,2002,2003,2004,2005,2006,2007,2009
 ./bin/named/include/named/globals.h		C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./bin/named/include/named/interfacemgr.h	C	1999,2000,2001,2002,2004,2005,2007
 ./bin/named/include/named/listenlist.h		C	2000,2001,2004,2005,2007
@@ -1820,12 +1820,12 @@
 ./lib/dns/include/dns/rdatatype.h		C	1998,1999,2000,2001,2004,2005,2006,2007,2008
 ./lib/dns/include/dns/request.h			C	2000,2001,2002,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/resolver.h		C	1999,2000,2001,2003,2004,2005,2006,2007,2008,2009
-./lib/dns/include/dns/result.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
+./lib/dns/include/dns/result.h			C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/dns/rootns.h			C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/rriterator.h		C	2009
 ./lib/dns/include/dns/sdb.h			C	2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/sdlz.h			C.PORTION	1999,2000,2001,2005,2006,2007,2009
-./lib/dns/include/dns/secalg.h			C	1999,2000,2001,2004,2005,2006,2007
+./lib/dns/include/dns/secalg.h			C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/secproto.h		C	1999,2000,2001,2004,2005,2006,2007
 ./lib/dns/include/dns/soa.h			C	2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/include/dns/ssu.h			C	2000,2001,2003,2004,2005,2006,2007,2008
@@ -1879,7 +1879,7 @@
 ./lib/dns/rbtdb.h				C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rbtdb64.c				C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rbtdb64.h				C	1999,2000,2001,2004,2005,2007
-./lib/dns/rcode.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
+./lib/dns/rcode.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/rdata.c				C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009
 ./lib/dns/rdata/any_255/tsig_250.c		C	1999,2000,2001,2002,2003,2004,2005,2007
 ./lib/dns/rdata/any_255/tsig_250.h		C	1999,2000,2001,2004,2005,2007

From 97639003b0992b5f30ce82bdcc2fcd9d621ff09c Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 12 Oct 2009 23:48:02 +0000
Subject: [PATCH 306/385] update copyright notice

---
 bin/dnssec/dnssec-signzone.c      |  4 ++--
 bin/named/include/named/control.h |  4 ++--
 bin/named/zoneconf.c              | 38 +++++++++++++++----------------
 lib/bind9/check.c                 |  4 ++--
 lib/dns/dnssec.c                  | 10 ++++----
 lib/dns/include/dns/dnssec.h      |  4 ++--
 lib/dns/include/dns/result.h      |  4 ++--
 lib/dns/include/dns/secalg.h      |  4 ++--
 lib/dns/rcode.c                   |  4 ++--
 lib/dns/zone.c                    |  6 ++---
 lib/isccfg/namedconf.c            |  4 ++--
 11 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index bfb7ced513..3c4a67c6d1 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.244 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.245 2009/10/12 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -1735,7 +1735,7 @@ verifyzone(void) {
 			    (zsk_algorithms[i] != 0) ||
 			    (standby_zsk[i] != 0) ||
 			    (revoked_zsk[i] != 0)) {
- 				dns_secalg_format(i, algbuf, sizeof(algbuf));
+				dns_secalg_format(i, algbuf, sizeof(algbuf));
 				fprintf(stderr, "Algorithm: %s: KSKs: "
 					"%u active, %u stand-by, %u revoked\n",
 					algbuf, ksk_algorithms[i],
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 0e68e397a6..c6baddcb2a 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.26 2009/10/12 20:48:11 each Exp $ */
+/* $Id: control.h,v 1.27 2009/10/12 23:48:01 tbox Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index b493a3b7dd..b2a893cbc1 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.157 2009/10/12 20:48:11 each Exp $ */
+/* $Id: zoneconf.c,v 1.158 2009/10/12 23:48:01 tbox Exp $ */
 
 /*% */
 
@@ -944,24 +944,24 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
 				   cfg_obj_asboolean(obj));
 
- 		obj = NULL;
- 		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
- 		if (result == ISC_R_SUCCESS) {
- 			const char *arg = cfg_obj_asstring(obj);
- 			if (strcasecmp(arg, "allow") == 0)
- 				allow = ISC_TRUE;
- 			else if (strcasecmp(arg, "maintain") == 0)
- 				allow = maint = ISC_TRUE;
- 			else if (strcasecmp(arg, "create") == 0)
- 				allow = maint = create = ISC_TRUE;
- 			else if (strcasecmp(arg, "off") == 0)
- 				;
- 			else
- 				INSIST(0);
- 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
- 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
- 			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, create);
- 		}
+		obj = NULL;
+		result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (result == ISC_R_SUCCESS) {
+			const char *arg = cfg_obj_asstring(obj);
+			if (strcasecmp(arg, "allow") == 0)
+				allow = ISC_TRUE;
+			else if (strcasecmp(arg, "maintain") == 0)
+				allow = maint = ISC_TRUE;
+			else if (strcasecmp(arg, "create") == 0)
+				allow = maint = create = ISC_TRUE;
+			else if (strcasecmp(arg, "off") == 0)
+				;
+			else
+				INSIST(0);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+			dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, create);
+		}
 	}
 
 	/*
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 457e710ad9..db360e2b5d 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.111 2009/10/12 20:48:11 each Exp $ */
+/* $Id: check.c,v 1.112 2009/10/12 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -1127,7 +1127,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
 	{ "dnskey-ksk-only", MASTERZONE },
- 	{ "auto-dnssec", MASTERZONE },
+	{ "auto-dnssec", MASTERZONE },
 	{ "try-tcp-refresh", SLAVEZONE },
 	};
 
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 1a2c0e903d..1b52ba32ea 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.103 2009/10/12 20:48:11 each Exp $
+ * $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
  */
 
 /*! \file */
@@ -1192,7 +1192,7 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
 		if (dst_key_id(key->key) == dst_key_id(*newkey) &&
 		    dst_key_alg(key->key) == dst_key_alg(*newkey) &&
 		    dns_name_equal(dst_key_name(key->key),
-		    		   dst_key_name(*newkey)))
+				   dst_key_name(*newkey)))
 			break;
 	}
 
@@ -1432,7 +1432,7 @@ remove_key(dns_diff_t *del, dns_dnsseckey_t *key, dns_name_t *origin,
  * the zone will be added to the list for post-removal processing.
  */
 isc_result_t
-dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, 
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
 		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
 		      isc_boolean_t allzsk, isc_mem_t *mctx,
@@ -1534,10 +1534,10 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			 * zone now.
 			 */
 			key2->hint_publish = key1->hint_publish;
-			if (key2->source == dns_keysource_user && 
+			if (key2->source == dns_keysource_user &&
 			    (key2->hint_publish || key2->force_publish))
 				RETERR(publish_key(add, key2, origin, ttl,
-					           mctx, allzsk, report));
+						   mctx, allzsk, report));
 		}
 
 		key1 = ISC_LIST_NEXT(key1, link);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 83f5b54e1d..6e904ece25 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.37 2009/10/12 20:48:12 each Exp $ */
+/* $Id: dnssec.h,v 1.38 2009/10/12 23:48:02 tbox Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -283,7 +283,7 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
  */
 
 isc_result_t
-dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, 
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
 		      dns_ttl_t ttl, dns_diff_t *add, dns_diff_t *del,
 		      isc_boolean_t allzsk, isc_mem_t *mctx,
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index 87a6af33c3..0d172f687c 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.117 2009/10/12 20:48:12 each Exp $ */
+/* $Id: result.h,v 1.118 2009/10/12 23:48:02 tbox Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 38550e8757..43d9fb25e1 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.20 2009/10/12 20:48:12 each Exp $ */
+/* $Id: secalg.h,v 1.21 2009/10/12 23:48:02 tbox Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index fb981bd627..177b00be25 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.10 2009/10/12 20:48:12 each Exp $ */
+/* $Id: rcode.c,v 1.11 2009/10/12 23:48:01 tbox Exp $ */
 
 #include 
 #include 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 058f85cb54..f42cd99cca 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.516 2009/10/12 20:48:12 each Exp $ */
+/* $Id: zone.c,v 1.517 2009/10/12 23:48:01 tbox Exp $ */
 
 /*! \file */
 
@@ -13404,8 +13404,8 @@ zone_rekey(dns_zone_t *zone) {
 	result = ISC_R_SUCCESS;
 
  failure:
- 	dns_diff_clear(&add);
- 	dns_diff_clear(&del);
+	dns_diff_clear(&add);
+	dns_diff_clear(&del);
 
 	clear_keylist(&dnskeys, mctx);
 	clear_keylist(&keys, mctx);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index b26798927a..96fac89dba 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.108 2009/10/12 20:48:12 each Exp $ */
+/* $Id: namedconf.c,v 1.109 2009/10/12 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -530,7 +530,7 @@ static cfg_type_t cfg_type_bracketed_sockaddrlist = {
 	&cfg_rep_list, &cfg_type_sockaddr
 };
 
-static const char *autodnssec_enums[] = { "allow", "maintain", "create", 
+static const char *autodnssec_enums[] = { "allow", "maintain", "create",
 					  "off", NULL };
 static cfg_type_t cfg_type_autodnssec = {
 	"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,

From 19ac4707eeeab9e04d1de0efecf13e342a532cee Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 13 Oct 2009 00:55:51 +0000
Subject: [PATCH 307/385] changes needed for win32 build

---
 bin/dnssec/dnssec-signzone.c | 5 +++--
 lib/dns/win32/libdns.def     | 8 ++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 3c4a67c6d1..b8d19d2af4 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.245 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.246 2009/10/13 00:55:51 each Exp $ */
 
 /*! \file */
 
@@ -583,9 +583,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 
 		if (set->type == dns_rdatatype_dnskey &&
 		     dns_name_equal(name, gorigin)) {
-			isc_boolean_t have_ksk = isksk(key);;
+			isc_boolean_t have_ksk;
 			dns_dnsseckey_t *tmpkey;
 
+                        have_ksk = isksk(key);
 			for (tmpkey = ISC_LIST_HEAD(keylist);
 			     tmpkey != NULL;
 			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 803e4db443..657c72c662 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -193,9 +193,11 @@ dns_dnssec_findmatchingkeys
 dns_dnssec_findzonekeys
 dns_dnssec_findzonekeys2
 dns_dnssec_keyfromrdata
+dns_dnssec_keylistfromrdataset
 dns_dnssec_selfsigns
 dns_dnssec_sign
 dns_dnssec_signmessage
+dns_dnssec_updatekeys
 dns_dnssec_verify
 dns_dnssec_verify2
 dns_dnssec_verifymessage
@@ -597,6 +599,7 @@ dns_sdlz_putrr
 dns_sdlz_putsoa
 dns_sdlzregister
 dns_sdlzunregister
+dns_secalg_format
 dns_secalg_fromtext
 dns_secalg_totext
 dns_secproto_fromtext
@@ -694,6 +697,7 @@ dns_xfrin_attach
 dns_xfrin_create
 dns_xfrin_detach
 dns_xfrin_shutdown
+dns_zone_addnsec3chain
 dns_zone_attach
 dns_zone_checknames
 dns_zone_clearforwardacl
@@ -724,6 +728,7 @@ dns_zone_getidleout
 dns_zone_getjournal
 dns_zone_getjournalsize
 dns_zone_getkeydirectory
+dns_zone_getkeyopts
 dns_zone_getmaxxfrin
 dns_zone_getmaxxfrout
 dns_zone_getmctx
@@ -765,6 +770,7 @@ dns_zone_notify
 dns_zone_notifyreceive
 dns_zone_refresh
 dns_zone_replacedb
+dns_zone_rekey
 dns_zone_setacache
 dns_zone_setalsonotify
 dns_zone_setaltxfrsource4
@@ -786,6 +792,7 @@ dns_zone_setisself
 dns_zone_setjournal
 dns_zone_setjournalsize
 dns_zone_setkeydirectory
+dns_zone_setkeyopt
 dns_zone_setmasters
 dns_zone_setmasterswithkeys
 dns_zone_setmaxrefreshtime
@@ -865,6 +872,7 @@ dst_key_class
 dst_key_compare
 dst_key_computesecret
 dst_key_flags
+dst_key_format
 dst_key_free
 dst_key_frombuffer
 dst_key_fromdns

From 5c0fd37335a9f9b535bd2b40e462abd952a26501 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 13 Oct 2009 02:39:38 +0000
Subject: [PATCH 308/385] changes needed for win32 build

---
 bin/pkcs11/pkcs11-destroy.c      | 2 ++
 bin/pkcs11/pkcs11-keygen.c       | 2 ++
 bin/pkcs11/pkcs11-list.c         | 2 ++
 bin/pkcs11/win32/pk11destroy.dsp | 4 ++--
 bin/pkcs11/win32/pk11destroy.mak | 4 ++--
 bin/pkcs11/win32/pk11keygen.dsp  | 4 ++--
 bin/pkcs11/win32/pk11keygen.mak  | 4 ++--
 bin/pkcs11/win32/pk11list.dsp    | 4 ++--
 bin/pkcs11/win32/pk11list.mak    | 4 ++--
 9 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index cbc4d9692a..8b7eb74aac 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -1,5 +1,7 @@
 /* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
 
+#include 
+
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 13c4669d9b..79e5e7dfd5 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -11,6 +11,8 @@
  *
  */
 
+#include 
+
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 50c6cbdaca..1cfbd5d368 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,5 +1,7 @@
 /* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
 
+#include 
+
 #include 
 #include 
 #include 
diff --git a/bin/pkcs11/win32/pk11destroy.dsp b/bin/pkcs11/win32/pk11destroy.dsp
index e08de5e7e1..43c0950f4a 100644
--- a/bin/pkcs11/win32/pk11destroy.dsp
+++ b/bin/pkcs11/win32/pk11destroy.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
diff --git a/bin/pkcs11/win32/pk11destroy.mak b/bin/pkcs11/win32/pk11destroy.mak
index 660bc64ab4..75d310ee97 100644
--- a/bin/pkcs11/win32/pk11destroy.mak
+++ b/bin/pkcs11/win32/pk11destroy.mak
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
diff --git a/bin/pkcs11/win32/pk11keygen.dsp b/bin/pkcs11/win32/pk11keygen.dsp
index cd24823faf..b0eb1c13f7 100644
--- a/bin/pkcs11/win32/pk11keygen.dsp
+++ b/bin/pkcs11/win32/pk11keygen.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
diff --git a/bin/pkcs11/win32/pk11keygen.mak b/bin/pkcs11/win32/pk11keygen.mak
index 63c875e255..be76e8b747 100644
--- a/bin/pkcs11/win32/pk11keygen.mak
+++ b/bin/pkcs11/win32/pk11keygen.mak
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
diff --git a/bin/pkcs11/win32/pk11list.dsp b/bin/pkcs11/win32/pk11list.dsp
index 64010c9aa9..ad564e2dbd 100644
--- a/bin/pkcs11/win32/pk11list.dsp
+++ b/bin/pkcs11/win32/pk11list.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c
 # SUBTRACT CPP /X /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
diff --git a/bin/pkcs11/win32/pk11list.mak b/bin/pkcs11/win32/pk11list.mak
index 7d717f1086..dad24430b9 100644
--- a/bin/pkcs11/win32/pk11list.mak
+++ b/bin/pkcs11/win32/pk11list.mak
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<

From b043b56271060295bd32f61e7b7221dd40fb60dc Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 13 Oct 2009 03:03:05 +0000
Subject: [PATCH 309/385] support ESV version strings

---
 util/kit.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/kit.sh b/util/kit.sh
index 6f5bf6be44..78b76ae4cf 100644
--- a/util/kit.sh
+++ b/util/kit.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: kit.sh,v 1.39 2009/09/09 04:48:01 marka Exp $
+# $Id: kit.sh,v 1.40 2009/10/13 03:03:05 marka Exp $
 
 # Make a release kit
 #
@@ -80,7 +80,7 @@ then
     arg=-D
 fi
 
-version=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}
+version=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}
 
 echo "building release kit for BIND version $version, hold on..."
 

From ef9ee92543d06967beb4591805b4ffd4020dd659 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 13 Oct 2009 23:48:12 +0000
Subject: [PATCH 310/385] update copyright notice

---
 bin/dnssec/dnssec-signzone.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index b8d19d2af4..4739dfc290 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.246 2009/10/13 00:55:51 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.247 2009/10/13 23:48:12 tbox Exp $ */
 
 /*! \file */
 
@@ -586,7 +586,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 			isc_boolean_t have_ksk;
 			dns_dnsseckey_t *tmpkey;
 
-                        have_ksk = isksk(key);
+			have_ksk = isksk(key);
 			for (tmpkey = ISC_LIST_HEAD(keylist);
 			     tmpkey != NULL;
 			     tmpkey = ISC_LIST_NEXT(tmpkey, link)) {

From cbee6197d1fb31453ff51f9f1c705feed67c9c73 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 14 Oct 2009 03:54:23 +0000
Subject: [PATCH 311/385] 2713.   [bug]           powerpc: atomic operations
 missing asm("ics") /                         __isync() calls.

---
 CHANGES                              |  3 +++
 lib/isc/powerpc/include/isc/atomic.h | 37 +++++++++++++++++++++++++---
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6a79aa4735..612ac40df5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2713.	[bug]		powerpc: atomic operations missing asm("ics") /
+			__isync() calls.
+
 	--- 9.7.0b1 released ---
 
 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
diff --git a/lib/isc/powerpc/include/isc/atomic.h b/lib/isc/powerpc/include/isc/atomic.h
index 765cb6d72a..1e16a681b1 100644
--- a/lib/isc/powerpc/include/isc/atomic.h
+++ b/lib/isc/powerpc/include/isc/atomic.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.6 2007/06/18 23:47:47 tbox Exp $ */
+/* $Id: atomic.h,v 1.7 2009/10/14 03:54:23 marka Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -46,9 +46,33 @@
 
 #include 
 
-#define isc_atomic_xadd(p, v) fetch_and_add(p, v)
 #define isc_atomic_store(p, v) _clear_lock(p, v)
 
+#ifdef __GNUC__
+static inline isc_int32_t
+#else
+static isc_int32_t
+#endif
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+	int ret;
+
+#ifdef __GNUC__
+        asm("ics");
+#else
+         __isync();
+#endif
+
+	ret = fetch_and_add((atomic_p)p, (int)val);
+
+#ifdef __GNUC__
+        asm("ics");
+#else
+         __isync();
+#endif
+
+	 return (ret);
+}
+
 #ifdef __GNUC__
 static inline int
 #else
@@ -63,7 +87,14 @@ isc_atomic_cmpxchg(atomic_p p, int old, int new) {
          __isync();
 #endif
         if (compare_and_swap(p, &orig, new))
-		return (old);
+		orig = old;
+
+#ifdef __GNUC__
+        asm("ics");
+#else
+         __isync();
+#endif
+
         return (orig);
 }
 

From da2c52acae0ccc747f37ebb4209fdb2327700044 Mon Sep 17 00:00:00 2001
From: Jeremy Reed 
Date: Wed, 14 Oct 2009 12:49:11 +0000
Subject: [PATCH 312/385] Add a few missing docbook formatting tags. No content
 changed. No CHANGES entry added.

---
 doc/arm/Bv9ARM-book.xml | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 4ce37a3b73..f12dd94c4f 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -5327,9 +5327,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
             
               
                 The pathname of a file to override the built-in trusted
-		keys provided by named.  See the discussion of
-		dnssec-lookaside for details.
-                If not specified, the default is
+		keys provided by named.
+		See the discussion of dnssec-lookaside
+		for details.  If not specified, the default is
 		/etc/bind.keys.
               
             
@@ -5518,14 +5518,15 @@ options {
 	      
 	      
 		If dnssec-lookaside is set to
-		"auto", then built-in default values for
-		the domain and trust anchor will be used, along
-		with a built-in key for validation.
+		auto, then built-in default
+		values for the domain and trust anchor will be
+		used, along with a built-in key for validation.
 	      
 	      
 		NOTE: Since the built-in key may expire, it can be
-		overridden without recompiling named by placing a new key
-		in the file bind.keys.
+		overridden without recompiling named
+		by placing a new key in the file
+		bind.keys.
               
             
           
@@ -6294,7 +6295,9 @@ options {
                 
 		  Accept expired signatures when verifying DNSSEC signatures.
                   The default is no.
-		  Setting this option to "yes" leaves named vulnerable to replay attacks.
+		  Setting this option to yes
+		  leaves named vulnerable to
+		  replay attacks.
                 
               
             
@@ -9212,12 +9215,13 @@ deny-answer-aliases { "example.net"; };
             level of named.conf, not within a view.
 	  
 	  
-	    If the dnssec-lookaside option is set to
-            "auto", named will automatically initialize
-            a managed key for the zone dlv.isc.org.  The
-            key that is used to initialize the key maintenance process is
-            built into named, and can be overridden
-            from bindkeys-file.
+	    If the dnssec-lookaside option is
+	    set to auto, named
+	    will automatically initialize a managed key for the
+	    zone dlv.isc.org.  The key that is
+	    used to initialize the key maintenance process is built
+	    into named, and can be overridden
+	    from bindkeys-file.
 	  
 	
 

From 1ed01b339066bbf48d8f65e9ef36e782618f4fd6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 14 Oct 2009 22:07:13 +0000
Subject: [PATCH 313/385] silence compiler warning

---
 bin/dnssec/dnssec-keyfromlabel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index eaf93e60c1..c92763cbed 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.21 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */
 
 /*! \file */
 
@@ -310,7 +310,7 @@ main(int argc, char **argv) {
 		fatal("extraneous arguments");
 
 	if (strchr(label, ':') == NULL &&
-	    engine != NULL && strlen(engine) != 0) {
+	    engine != NULL && strlen(engine) != 0U) {
 		char *l;
 		int len;
 

From 0f819662426b47ba3e68f621f86e30dfc1a8b541 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 14 Oct 2009 23:18:20 +0000
Subject: [PATCH 314/385] auto update

---
 doc/private/branches | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index de34249793..d5b9956df0 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -256,6 +256,7 @@ rt20256a			new	fdupont	// 2009-09-28 10:50 +0000
 rt20256b			new	fdupont	// 2009-09-29 15:31 +0000
 rt20257				new	fdupont	// 2009-09-18 16:53 +0000
 rt20257a			new	fdupont	// 2009-09-28 08:58 +0000
+rt20284				new	fdupont	// 2009-10-14 21:19 +0000
 rt20304				new	each	// 2009-09-24 22:57 +0000
 rt20310				new	each	// 2009-09-25 00:29 +0000
 rt20310a			new	each	// 2009-10-09 04:31 +0000
@@ -264,6 +265,8 @@ rt20340				new	marka	// 2009-10-09 06:29 +0000
 rt20369				new	fdupont	// 2009-10-06 08:41 +0000
 rt20369a			new	fdupont	// 2009-10-06 14:25 +0000
 rt20372				new	each	// 2009-10-06 22:08 +0000
+rt20399				new	marka	// 2009-10-14 02:27 +0000
+rt20405				new	each	// 2009-10-14 05:15 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 3493b4e0ef537798b40223472f10158b5032ac70 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 14 Oct 2009 23:30:34 +0000
Subject: [PATCH 315/385] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 8755d5517b..1b37ef12f3 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2283,7 +2283,7 @@
 ./lib/isc/powerpc/include/Makefile.in		MAKE	2007
 ./lib/isc/powerpc/include/isc/.cvsignore	X	2007
 ./lib/isc/powerpc/include/isc/Makefile.in	MAKE	2007
-./lib/isc/powerpc/include/isc/atomic.h		C	2005,2007
+./lib/isc/powerpc/include/isc/atomic.h		C	2005,2007,2009
 ./lib/isc/print.c				C	1999,2000,2001,2003,2004,2005,2006,2007,2008
 ./lib/isc/pthreads/.cvsignore			X	1998,1999,2000,2001
 ./lib/isc/pthreads/Makefile.in			MAKE	1998,1999,2000,2001,2004,2007,2009

From f6cd5ef97a8c88adebd867ce84956d2d4537e622 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 14 Oct 2009 23:47:51 +0000
Subject: [PATCH 316/385] update copyright notice

---
 lib/isc/powerpc/include/isc/atomic.h | 30 ++++++++++++++--------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/isc/powerpc/include/isc/atomic.h b/lib/isc/powerpc/include/isc/atomic.h
index 1e16a681b1..6f54cc3b48 100644
--- a/lib/isc/powerpc/include/isc/atomic.h
+++ b/lib/isc/powerpc/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.7 2009/10/14 03:54:23 marka Exp $ */
+/* $Id: atomic.h,v 1.8 2009/10/14 23:47:51 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -57,17 +57,17 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 	int ret;
 
 #ifdef __GNUC__
-        asm("ics");
+	asm("ics");
 #else
-         __isync();
+	 __isync();
 #endif
 
 	ret = fetch_and_add((atomic_p)p, (int)val);
 
 #ifdef __GNUC__
-        asm("ics");
+	asm("ics");
 #else
-         __isync();
+	 __isync();
 #endif
 
 	 return (ret);
@@ -79,23 +79,23 @@ static inline int
 static int
 #endif
 isc_atomic_cmpxchg(atomic_p p, int old, int new) {
-        int orig = old;
+	int orig = old;
 
 #ifdef __GNUC__
-        asm("ics");
+	asm("ics");
 #else
-         __isync();
+	 __isync();
 #endif
-        if (compare_and_swap(p, &orig, new))
+	if (compare_and_swap(p, &orig, new))
 		orig = old;
 
 #ifdef __GNUC__
-        asm("ics");
+	asm("ics");
 #else
-         __isync();
+	 __isync();
 #endif
 
-        return (orig);
+	return (orig);
 }
 
 #elif defined(ISC_PLATFORM_USEGCCASM) || defined(ISC_PLATFORM_USEMACASM)
@@ -107,14 +107,14 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 #ifdef ISC_PLATFORM_USEMACASM
 		"1:"
 		"lwarx r6, 0, %1\n"
-	    	"mr %0, r6\n"
+		"mr %0, r6\n"
 		"add r6, r6, %2\n"
 		"stwcx. r6, 0, %1\n"
 		"bne- 1b"
 #else
 		"1:"
 		"lwarx 6, 0, %1\n"
-	    	"mr %0, 6\n"
+		"mr %0, 6\n"
 		"add 6, 6, %2\n"
 		"stwcx. 6, 0, %1\n"
 		"bne- 1b"

From 102ccdd2c0ade46f2d668c4b4d3fbbe668a44994 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 15 Oct 2009 01:15:23 +0000
Subject: [PATCH 317/385] regen

---
 doc/arm/Bv9ARM.ch06.html             | 124 +++++++++---------
 doc/arm/Bv9ARM.ch07.html             |  14 +--
 doc/arm/Bv9ARM.ch08.html             |  18 +--
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  46 +++----
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +--
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  14 +--
 doc/arm/man.dnssec-keygen.html       |  16 +--
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  14 +--
 doc/arm/man.dnssec-signzone.html     |  12 +-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  16 +--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 21 files changed, 299 insertions(+), 295 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 330bebcb93..88a0dbbbae 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2470,9 +2470,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 
    bindkeys-file
    
 
    
                 The pathname of a file to override the built-in trusted
-                keys provided by named.  See the discussion of
-                dnssec-lookaside for details.
-                If not specified, the default is
+                keys provided by named.
+                See the discussion of dnssec-lookaside
+                for details.  If not specified, the default is
                 /etc/bind.keys.
               
    
 
    session-keyfile
    
@@ -2614,14 +2614,15 @@ options {
               
    
 
    
                 If dnssec-lookaside is set to
-                "auto", then built-in default values for
-                the domain and trust anchor will be used, along
-                with a built-in key for validation.
+                auto, then built-in default
+                values for the domain and trust anchor will be
+                used, along with a built-in key for validation.
               
    
 
    
                 NOTE: Since the built-in key may expire, it can be
-                overridden without recompiling named by placing a new key
-                in the file bind.keys.
+                overridden without recompiling named
+                by placing a new key in the file
+                bind.keys.
               
    
 
 
    dnssec-must-be-secure
    
@@ -3249,7 +3250,9 @@ options {
 
    
                   Accept expired signatures when verifying DNSSEC signatures.
                   The default is no.
-                  Setting this option to "yes" leaves named vulnerable to replay attacks.
+                  Setting this option to yes
+                  leaves named vulnerable to
+                  replay attacks.
                 
    
 
    querylog
    
 
    
@@ -3409,7 +3412,7 @@ options {
 
    
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3453,7 +3456,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3650,7 +3653,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4102,7 +4105,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4144,7 +4147,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4306,7 +4309,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5102,7 +5105,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5432,7 +5435,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5483,7 +5486,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5492,7 +5495,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5532,7 +5535,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5541,7 +5544,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5628,11 +5631,12 @@ deny-answer-aliases { "example.net"; };
             level of named.conf, not within a view.
           
    
 
    
-            If the dnssec-lookaside option is set to
-            "auto", named will automatically initialize
-            a managed key for the zone dlv.isc.org.  The
-            key that is used to initialize the key maintenance process is
-            built into named, and can be overridden
+            If the dnssec-lookaside option is
+            set to auto, named
+            will automatically initialize a managed key for the
+            zone dlv.isc.org.  The key that is
+            used to initialize the key maintenance process is built
+            into named, and can be overridden
             from bindkeys-file.
           
    
 
    
@@ -5651,7 +5655,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5931,10 +5935,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6145,7 +6149,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6167,7 +6171,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6837,7 +6841,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6850,7 +6854,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7587,7 +7591,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7790,7 +7794,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8046,7 +8050,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8107,7 +8111,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8122,7 +8126,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8133,7 +8137,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8162,7 +8166,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8198,7 +8202,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8217,7 +8221,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8641,7 +8645,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9198,7 +9202,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9352,7 +9356,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9735,7 +9739,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9890,7 +9894,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 4e5e07c2a7..8738f75492 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index c765f3793c..61148b0f27 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 61d2fe62e9..ef52e25744 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 2800761c52..84ab031a8e 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 99d8a2d545..bb451a664e 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 7bda193218..23af9d9f26 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 9eda2cfdfd..ec716bc8f1 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 72976c1a3f..d8071ebe93 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index d9ff99efe6..3ca81ed1af 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index cb77d251a0..c8ecfb9e77 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 5e3dff458f..71a3db9f24 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 91d405c41a..e469e62e9f 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -397,7 +397,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -427,14 +427,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 16e16e8ada..da17b4d222 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 00806259af..fe667b424e 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 2cfff525a1..b1d01693a2 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index c8bc344cd9..8254f59254 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index ffd9a42662..87b6b34cbe 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -205,7 +205,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +469,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -523,7 +523,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,7 +546,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC2136,
       RFC3007,
       RFC2104,
@@ -560,7 +560,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index f61f201015..cc71f45bae 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 4b17fbfbfe..c401a23df0 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index cd76adf372..2b40f61e49 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 8f7de3db7ec299ddeded142905f5eb1f22076353 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 16 Oct 2009 02:59:41 +0000
Subject: [PATCH 318/385] Respinning to fix memory leak in dnssec-signzone. 
 (Also adopting doc changes.)

---
 CHANGES                       |  4 +--
 bin/named/bind.keys.h         |  4 +--
 bin/named/named.conf.docbook  | 31 +++++++++++++++++-----
 bin/nsupdate/nsupdate.docbook | 50 +++++++++++++++--------------------
 bind.keys                     |  2 +-
 doc/arm/Bv9ARM-book.xml       | 40 ++++++++++++++++++++--------
 lib/dns/dnssec.c              | 26 +++++++++---------
 7 files changed, 93 insertions(+), 64 deletions(-)

diff --git a/CHANGES b/CHANGES
index 612ac40df5..0fe450c0d2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,8 @@
+	--- 9.7.0b1 released ---
+
 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 			__isync() calls.
 
-	--- 9.7.0b1 released ---
-
 2712.	[func]		New 'auto-dnssec' zone option allows zone signing
 			to be fully automated in zones configured for
 			dynamic DNS.  'auto-dnssec allow;' permits a zone
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
index 1c8a4aba11..58a94f2011 100644
--- a/bin/named/bind.keys.h
+++ b/bin/named/bind.keys.h
@@ -1,6 +1,6 @@
 #define TRUSTED_KEYS "\
 trusted-keys {\n\
-        # NOTE: This key is current as of September 2009.\n\
+        # NOTE: This key is current as of October 2009.\n\
         # If it fails to initialize correctly, it may have expired;\n\
         # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
@@ -9,7 +9,7 @@ trusted-keys {\n\
 
 #define MANAGED_KEYS "\
 managed-keys {\n\
-        # NOTE: This key is current as of September 2009.\n\
+        # NOTE: This key is current as of October 2009.\n\
         # If it fails to initialize correctly, it may have expired;\n\
         # see https://www.isc.org/solutions/dlv for a replacement.\n\
 	dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index a570654e15..c81cab9838 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 13, 2004
@@ -132,6 +132,15 @@ trusted-keys {
 
   
 
+  
+    MANAGED-KEYS
+    
+managed-keys {
+	domain_name initial-key flags protocol algorithm key; ... 
+};
+
+  
+
   
     CONTROLS
     
@@ -273,6 +282,7 @@ options {
 	dnssec-enable boolean;
 	dnssec-validation boolean;
 	dnssec-lookaside string trust-anchor string;
+	dnssec-lookaside ( auto | domain trust-anchor domain );
 	dnssec-must-be-secure string boolean;
 	dnssec-accept-expired boolean;
 
@@ -339,10 +349,17 @@ options {
 
 	zone-statistics boolean;
 	key-directory quoted_string;
+	auto-dnssec allow|maintain|create|off;
 	try-tcp-refresh boolean;
 	zero-no-soa-ttl boolean;
 	zero-no-soa-ttl-cache boolean;
 	secure-to-insecure boolean;
+	deny-answer-addresses {
+		address_match_list
+	}  except-from { namelist } ;
+	deny-answer-aliases {
+		namelist
+	}  except-from { namelist } ;
 
 	nsec3-test-zone boolean;  // testing only
 
@@ -384,7 +401,8 @@ view string optional_class
 	};
 
 	trusted-keys {
-		string integer integer integer quoted_string; ...
+		string integer integer integer quoted_string;
+		...
 	};
 
 	allow-recursion { address_match_element; ... };
@@ -545,13 +563,14 @@ zone string optional_class
 	allow-transfer { address_match_element; ... };
 	allow-update { address_match_element; ... };
 	allow-update-forwarding { address_match_element; ... };
-	update-policy {
+	update-policy local |  {
 		( grant | deny ) string
 		( name | subdomain | wildcard | self | selfsub | selfwild |
                   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-		  tcp-self | 6to4-self ) string
-		rrtypelist; ...
-	};
+		  tcp-self | zonesub | 6to4-self ) string
+		rrtypelist;
+		...
+	};
 	update-check-ksk boolean;
 	dnskey-ksk-only boolean;
 
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index ab234b498b..31afb2811d 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     Aug 25, 2009
@@ -76,7 +76,7 @@
   
     DESCRIPTION
     nsupdate
-      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
       without manually editing the zone file.
@@ -118,8 +118,8 @@
     
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
-      in RFC2845 or the SIG(0) record described in RFC3535 and
-      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      in RFC 2845 or the SIG(0) record described in RFC 2535 and
+      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
       a shared secret that should only be known to
       nsupdate and the name server.  Currently,
       the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -136,7 +136,12 @@
       record in a zone served by the name server.
       nsupdate does not read
       /etc/named.conf.
-      GSS-TSIG uses Kerberos credentials.
+    
+    
+      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
+      is switched on with the  flag.  A
+      non-standards-compliant variant of GSS-TSIG used by Windows
+      2000 can be switched on with the  flag.
     
     nsupdate
       uses the  or  option
@@ -629,9 +634,9 @@
       If there are, the update request fails.
       If this name does not exist, a CNAME for it is added.
       This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC1034 that a name must not exist as any other
+      long-standing rule in RFC 1034 that a name must not exist as any other
       record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     
   
@@ -687,27 +692,14 @@
 
   
     SEE ALSO
-    
-        RFC2136
-      ,
-      
-        RFC3007
-      ,
-      
-        RFC2104
-      ,
-      
-        RFC2845
-      ,
-      
-        RFC1034
-      ,
-      
-        RFC2535
-      ,
-      
-        RFC2931
-      ,
+    
+      RFC 2136,
+      RFC 3007,
+      RFC 2104,
+      RFC 2845,
+      RFC 1034,
+      RFC 2535,
+      RFC 2931,
       
         named8
       ,
@@ -718,8 +710,8 @@
         dnssec-keygen8
       .
     
-
   
+
   
     BUGS
     
diff --git a/bind.keys b/bind.keys
index 511dff4f01..1b5cab17f5 100644
--- a/bind.keys
+++ b/bind.keys
@@ -1,5 +1,5 @@
 managed-keys {
-        # NOTE: This key is current as of September 2009.
+        # NOTE: This key is current as of October 2009.
         # If it fails to initialize correctly, it may have expired;
         # see https://www.isc.org/solutions/dlv for a replacement.
 	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index f12dd94c4f..c92446a270 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -5509,24 +5509,42 @@ options {
 		validator with an alternate method to validate DNSKEY
 		records at the top of a zone.  When a DNSKEY is at or
 		below a domain specified by the deepest
-		dnssec-lookaside, and the normal dnssec
+		dnssec-lookaside, and the normal DNSSEC
 		validation has left the key untrusted, the trust-anchor
-		will be append to the key name and a DLV record will be
+		will be appended to the key name and a DLV record will be
 		looked up to see if it can validate the key.  If the DLV
-		record validates a DNSKEY (similarly to the way a DS record
-		does) the DNSKEY RRset is deemed to be trusted.
+		record validates a DNSKEY (similarly to the way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
 	      
 	      
 		If dnssec-lookaside is set to
 		auto, then built-in default
-		values for the domain and trust anchor will be
+		values for the DLV domain and trust anchor will be
 		used, along with a built-in key for validation.
 	      
-	      
-		NOTE: Since the built-in key may expire, it can be
-		overridden without recompiling named
-		by placing a new key in the file
-		bind.keys.
+              
+                The default DLV key is stored in the file
+                bind.keys, which
+                named loads at startup if
+                dnssec-lookaside is set to
+                auto.  A copy of that file is
+                installed along with BIND 9, and is
+                current as of the release date.  If the DLV key expires, a
+                new copy of bind.keys can be downloaded
+                from https://www.isc.org/solutions/dlv.
+              
+              
+                (To prevent problems if bind.keys is
+                not found, the current key is also compiled in to
+                named.  Relying on this is not
+                recommended, however, as it requires named
+                to be recompiled with a new key when the DLV key expires.)
+              
+              
+                NOTE: Using bind.keys to store
+                locally-configured keys is possible, but not
+                recommended, as the file will be overwritten whenever
+                BIND 9 is re-installed or upgraded.
               
             
           
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 1b52ba32ea..d55d3ec378 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.104 2009/10/12 23:48:01 tbox Exp $
+ * $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
  */
 
 /*! \file */
@@ -1256,15 +1256,15 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			continue;
+			goto again;
 
 		/* Corrupted .key file? */
 		if (!dns_name_equal(origin, dst_key_name(pubkey)))
-			continue;
+			goto again;
 
 		if (public) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			continue;
+			goto again;
 		}
 
 		result = dst_key_fromfile(dst_key_name(pubkey),
@@ -1274,20 +1274,20 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 					  directory, mctx, &privkey);
 		if (result == ISC_R_FILENOTFOUND) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			continue;
+			goto again;
 		}
 		RETERR(result);
 
-		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0) {
-			/* We should never get here. */
-			dst_key_free(&pubkey);
-			dst_key_free(&privkey);
-			continue;
-		}
+		/* This should never happen. */
+		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			goto again;
 
 		addkey(keylist, &privkey, savekeys, mctx);
-
-		dst_key_free(&pubkey);
+ again:
+ 		if (pubkey != NULL)
+			dst_key_free(&pubkey);
+ 		if (privkey != NULL)
+			dst_key_free(&privkey);
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;

From 616560e3db487f548b383c7eecc6e855e8afe7d6 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 16 Oct 2009 04:10:06 +0000
Subject: [PATCH 319/385] 2713.   [port]          aix/powerpc: 'asm("ics");'
 needs non standard assembler                         flags.

---
 CHANGES      |  3 +++
 configure.in | 36 +++++++++++++++++++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0fe450c0d2..bf1fc69412 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2713.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
+			flags.
+
 	--- 9.7.0b1 released ---
 
 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
diff --git a/configure.in b/configure.in
index 27e0d87524..6d116c4eae 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.483 $)
+AC_REVISION($Revision: 1.484 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -2431,7 +2431,37 @@ AC_ARG_ENABLE(atomic,
 			enable_atomic="autodetect")
 case "$enable_atomic" in
 	yes|''|autodetect)
-		use_atomic=yes
+		case "$host" in
+		powerpc-ibm-aix*)
+			if test "X$GCC" = "Xyes"; then
+				AC_MSG_CHECKING([if asm("isc"); works])
+				AC_TRY_COMPILE(,[
+				main() { asm("ics"); exit(0); }
+				],
+				[AC_MSG_RESULT(yes)
+				 use_atomic=yes],
+				[
+				saved_cflags="$CFLAGS"
+				CFLAGS="$CFLAGS -Wa,-many"
+				AC_TRY_RUN([
+				main() { asm("ics"); exit(0); }
+				],
+				[AC_MSG_RESULT([yes, required -Wa,-many])
+				 use_atomic=yes],
+				[AC_MSG_RESULT([no, use_atomic disabled])
+				 CFLAGS="$saved_cflags"
+				 use_atomic=no],
+				[AC_MSG_RESULT([cross compile, assume yes])
+				 CFLAGS="$saved_cflags"
+				 use_atomic=yes])
+				]
+				)
+			fi
+			;;
+		*)
+			use_atomic=yes
+			;;
+		esac
 		;;
 	no)
 		use_atomic=no
@@ -2896,7 +2926,7 @@ AC_SUBST_FILE(BIND9_MAKE_RULES)
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
 . $srcdir/version
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}"
 AC_SUBST(BIND9_VERSION)
 
 if test -z "$ac_configure_args"; then

From 45eea1bda65a66106bb7d85eae5997deb013bf0c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 16 Oct 2009 04:16:17 +0000
Subject: [PATCH 320/385] 2715.   [bug]           Require OpenSSL support to be
 explicitly disabled.                         [RT #20288]

---
 CHANGES      |  5 ++++-
 configure.in | 12 ++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index bf1fc69412..6776039847 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
-2713.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
+2715.	[bug]		Require OpenSSL support to be explicitly disabled.
+			[RT #20288]
+
+2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 			flags.
 
 	--- 9.7.0b1 released ---
diff --git a/configure.in b/configure.in
index 6d116c4eae..b36570d86c 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.484 $)
+AC_REVISION($Revision: 1.485 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -525,7 +525,9 @@ case "$use_openssl" in
 	auto)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
-		AC_MSG_RESULT(not found)
+		AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl])
 		;;
 	*)
 		if test "$use_openssl" = "yes"
@@ -3246,6 +3248,12 @@ AC_CONFIG_FILES([
 
 AC_OUTPUT
 
+if test "X$USE_OPENSSL" = "X"; then
+cat << \EOF                                                             
+BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+EOF
+fi
+
 if test "X$OPENSSL_WARNING" != "X"; then
 cat << \EOF
 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

From 3e888c5b810c3d7a2b2afbc3d83d0e2ff8d2da6b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Fri, 16 Oct 2009 04:18:04 +0000
Subject: [PATCH 321/385] regen

---
 configure | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 128 insertions(+), 6 deletions(-)

diff --git a/configure b/configure
index 8f64c0648f..0ccc615360 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.469 2009/10/06 20:31:10 each Exp $
+# $Id: configure,v 1.470 2009/10/16 04:18:04 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.483 .
+# From configure.in Revision: 1.485 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -22462,8 +22462,11 @@ echo "${ECHO_T}no" >&6; }
 	auto)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
-		{ echo "$as_me:$LINENO: result: not found" >&5
-echo "${ECHO_T}not found" >&6; }
+		{ { echo "$as_me:$LINENO: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl" >&5
+echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl" >&2;}
+   { (exit 1); exit 1; }; }
 		;;
 	*)
 		if test "$use_openssl" = "yes"
@@ -31012,7 +31015,120 @@ fi
 
 case "$enable_atomic" in
 	yes|''|autodetect)
-		use_atomic=yes
+		case "$host" in
+		powerpc-ibm-aix*)
+			if test "X$GCC" = "Xyes"; then
+				{ echo "$as_me:$LINENO: checking if asm(\"isc\"); works" >&5
+echo $ECHO_N "checking if asm(\"isc\"); works... $ECHO_C" >&6; }
+				cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+int
+main ()
+{
+
+				main() { asm("ics"); exit(0); }
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+				 use_atomic=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+				saved_cflags="$CFLAGS"
+				CFLAGS="$CFLAGS -Wa,-many"
+				if test "$cross_compiling" = yes; then
+  { echo "$as_me:$LINENO: result: cross compile, assume yes" >&5
+echo "${ECHO_T}cross compile, assume yes" >&6; }
+				 CFLAGS="$saved_cflags"
+				 use_atomic=yes
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+				main() { asm("ics"); exit(0); }
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+  { echo "$as_me:$LINENO: result: yes, required -Wa,-many" >&5
+echo "${ECHO_T}yes, required -Wa,-many" >&6; }
+				 use_atomic=yes
+else
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+{ echo "$as_me:$LINENO: result: no, use_atomic disabled" >&5
+echo "${ECHO_T}no, use_atomic disabled" >&6; }
+				 CFLAGS="$saved_cflags"
+				 use_atomic=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+			fi
+			;;
+		*)
+			use_atomic=yes
+			;;
+		esac
 		;;
 	no)
 		use_atomic=no
@@ -32429,7 +32545,7 @@ BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
 . $srcdir/version
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}"
 
 
 if test -z "$ac_configure_args"; then
@@ -34859,6 +34975,12 @@ if test "$no_create" != yes; then
 fi
 
 
+if test "X$USE_OPENSSL" = "X"; then
+cat << \EOF
+BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+EOF
+fi
+
 if test "X$OPENSSL_WARNING" != "X"; then
 cat << \EOF
 WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

From abe20c2cca12abe0523fc314af31183626c87325 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Fri, 16 Oct 2009 04:19:48 +0000
Subject: [PATCH 322/385] bumping 9.7.0b1 release line

---
 CHANGES | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6776039847..d65f71d97c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,11 +1,11 @@
+	--- 9.7.0b1 released ---
+
 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
 			[RT #20288]
 
 2714.	[port]		aix/powerpc: 'asm("ics");' needs non standard assembler
 			flags.
 
-	--- 9.7.0b1 released ---
-
 2713.	[bug]		powerpc: atomic operations missing asm("ics") /
 			__isync() calls.
 

From d060d8669f5558690e7faf4a1c12fe5c02a7c60d Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 16 Oct 2009 04:20:49 +0000
Subject: [PATCH 323/385] regen

---
 bin/named/named.conf.5               |   33 +-
 bin/named/named.conf.html            |   46 +-
 bin/nsupdate/nsupdate.1              |   30 +-
 bin/nsupdate/nsupdate.html           |   44 +-
 doc/arm/Bv9ARM.ch06.html             |  128 +-
 doc/arm/Bv9ARM.ch07.html             |   14 +-
 doc/arm/Bv9ARM.ch08.html             |   18 +-
 doc/arm/Bv9ARM.ch09.html             |  180 +-
 doc/arm/Bv9ARM.html                  |   46 +-
 doc/arm/Bv9ARM.pdf                   | 7578 +++++++++++++-------------
 doc/arm/man.ddns-confgen.html        |   10 +-
 doc/arm/man.dig.html                 |   20 +-
 doc/arm/man.dnssec-dsfromkey.html    |   16 +-
 doc/arm/man.dnssec-keyfromlabel.html |   14 +-
 doc/arm/man.dnssec-keygen.html       |   16 +-
 doc/arm/man.dnssec-revoke.html       |   10 +-
 doc/arm/man.dnssec-settime.html      |   14 +-
 doc/arm/man.dnssec-signzone.html     |   12 +-
 doc/arm/man.host.html                |   10 +-
 doc/arm/man.named-checkconf.html     |   12 +-
 doc/arm/man.named-checkzone.html     |   12 +-
 doc/arm/man.named.html               |   16 +-
 doc/arm/man.nsupdate.html            |   46 +-
 doc/arm/man.rndc-confgen.html        |   12 +-
 doc/arm/man.rndc.conf.html           |   12 +-
 doc/arm/man.rndc.html                |   12 +-
 26 files changed, 4247 insertions(+), 4114 deletions(-)

diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 69fabf6c73..bf28810084 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.39 2009/10/11 01:14:48 tbox Exp $
+.\" $Id: named.conf.5,v 1.40 2009/10/16 04:20:32 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -102,6 +102,15 @@ trusted\-keys {
 };
 .fi
 .RE
+.SH "MANAGED\-KEYS"
+.sp
+.RS 4
+.nf
+managed\-keys {
+	\fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ... 
+};
+.fi
+.RE
 .SH "CONTROLS"
 .sp
 .RS 4
@@ -244,6 +253,7 @@ options {
 	dnssec\-enable \fIboolean\fR;
 	dnssec\-validation \fIboolean\fR;
 	dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
+	dnssec\-lookaside ( \fIauto\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
 	dnssec\-accept\-expired \fIboolean\fR;
 	empty\-server \fIstring\fR;
@@ -300,10 +310,17 @@ options {
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBcreate\fR|\fBoff\fR;
 	try\-tcp\-refresh \fIboolean\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	secure\-to\-insecure \fIboolean\fR;
+	deny\-answer\-addresses {
+		\fIaddress_match_list\fR
+	} [ except\-from { \fInamelist\fR } ];
+	deny\-answer\-aliases {
+		\fInamelist\fR
+	} [ except\-from { \fInamelist\fR } ];
 	nsec3\-test\-zone \fIboolean\fR;  // testing only
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	deallocate\-on\-exit \fIboolean\fR; // obsolete
@@ -339,7 +356,8 @@ view \fIstring\fR \fIoptional_class\fR {
 		...
 	};
 	trusted\-keys {
-		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
+		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
+		[...]
 	};
 	allow\-recursion { \fIaddress_match_element\fR; ... };
 	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
@@ -486,13 +504,14 @@ zone \fIstring\fR \fIoptional_class\fR {
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
-	update\-policy {
-		( grant | deny ) \fIstring\fR
+	update\-policy \fIlocal\fR | \fI {
+		( grant | deny ) \fR\fI\fIstring\fR\fR\fI
 		( name | subdomain | wildcard | self | selfsub | selfwild |
                   krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
-		  tcp\-self | 6to4\-self ) \fIstring\fR
-		\fIrrtypelist\fR; ...
-	};
+		  tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI
+		\fR\fI\fIrrtypelist\fR\fR\fI;
+		\fR\fI[...]\fR\fI
+	}\fR;
 	update\-check\-ksk \fIboolean\fR;
 	dnskey\-ksk\-only \fIboolean\fR;
 	masterfile\-format ( text | raw );
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 3d53d8f7fb..29161210d9 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -105,7 +105,15 @@ trusted-keys
 
    
 
 
    
-
    CONTROLS
    
+
    MANAGED-KEYS
    
+

    
+managed-keys {
    
+	domain_name initial-key flags protocol algorithm key; ... 
    
+};
    
+
    
+
    
+
    
+
    CONTROLS
    
 

    
 controls {
    
 	inet ( ipv4_address | ipv6_address | * )
    
@@ -117,7 +125,7 @@ controls
 
    
 
    
 
    
-
    LOGGING
    
+
    LOGGING
    
 

    
 logging {
    
 	channel string {
    
@@ -135,7 +143,7 @@ logging
 
    
 
    
 
    
-
    LWRES
    
+
    LWRES
    
 

    
 lwres {
    
 	listen-on [ port integer ] {
    
@@ -148,7 +156,7 @@ lwres
 
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 

    
 options {
    
 	avoid-v4-udp-ports { port; ... };
    
@@ -242,6 +250,7 @@ options
 	dnssec-enable boolean;
    
 	dnssec-validation boolean;
    
 	dnssec-lookaside string trust-anchor string;
    
+	dnssec-lookaside ( auto | domain trust-anchor domain );
    
 	dnssec-must-be-secure string boolean;
    
 	dnssec-accept-expired boolean;
    
 
    
@@ -308,10 +317,17 @@ options
 
    
 	zone-statistics boolean;
    
 	key-directory quoted_string;
    
+	auto-dnssec allow|maintain|create|off;
    
 	try-tcp-refresh boolean;
    
 	zero-no-soa-ttl boolean;
    
 	zero-no-soa-ttl-cache boolean;
    
 	secure-to-insecure boolean;
    
+	deny-answer-addresses {
    
+		address_match_list
    
+	} [ except-from { namelist } ];
    
+	deny-answer-aliases {
    
+		namelist
    
+	} [ except-from { namelist } ];
    
 
    
 	nsec3-test-zone boolean;  // testing only
    
 
    
@@ -331,7 +347,7 @@ options
 
    
 
    
 
    
-
    VIEW
    
+
    VIEW
    
 

    
 view string optional_class {
    
 	match-clients { address_match_element; ... };
    
@@ -352,7 +368,8 @@ view
 	};
    
 
    
 	trusted-keys {
    
-		string integer integer integer quoted_string; ...
    
+		string integer integer integer quoted_string;
    
+		[...]
    
 	};
    
 
    
 	allow-recursion { address_match_element; ... };
    
@@ -481,7 +498,7 @@ view
 
    
 
    
 
    
-
    ZONE
    
+
    ZONE
    
 

    
 zone string optional_class {
    
 	type ( master | slave | stub | hint |
    
@@ -512,13 +529,14 @@ zone
 	allow-transfer { address_match_element; ... };
    
 	allow-update { address_match_element; ... };
    
 	allow-update-forwarding { address_match_element; ... };
    
-	update-policy {
    
+	update-policy local |  {
    
 		( grant | deny ) string
    
 		( name | subdomain | wildcard | self | selfsub | selfwild |
    
                   krb5-self | ms-self | krb5-subdomain | ms-subdomain |
    
-		  tcp-self | 6to4-self ) string
    
-		rrtypelist; ...
    
-	};
    
+		  tcp-self | zonesub | 6to4-self ) string
    
+		rrtypelist;
    
+		[...]
    
+	}    ;
    
 	update-check-ksk boolean;
    
 	dnskey-ksk-only boolean;
    
 
    
@@ -575,12 +593,12 @@ zone
 
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/named.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       rndc(8),
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index e8645dd324..40000e113f 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.10 2009/08/27 01:14:39 tbox Exp $
+.\" $Id: nsupdate.1,v 1.11 2009/10/16 04:20:32 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -37,7 +37,7 @@ nsupdate \- Dynamic DNS update utility
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
+is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
 .PP
 Zones that are under dynamic control via
 \fBnsupdate\fR
@@ -64,7 +64,7 @@ The
 \fB\-L\fR
 option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
 .PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645. TSIG relies on a shared secret that should only be known to
 \fBnsupdate\fR
 and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
 \fBkey\fR
@@ -75,7 +75,13 @@ statements would be added to
 so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
 \fBnsupdate\fR
 does not read
-\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
+\fI/etc/named.conf\fR.
+.PP
+GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched on with the
+\fB\-g\fR
+flag. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
+\fB\-o\fR
+flag.
 .PP
 \fBnsupdate\fR
 uses the
@@ -367,7 +373,7 @@ with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86
 .sp
 .PP
 The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
+\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
 .SH "FILES"
 .PP
 \fB/etc/resolv.conf\fR
@@ -393,13 +399,13 @@ base\-64 encoding of HMAC\-MD5 key created by
 .RE
 .SH "SEE ALSO"
 .PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
-\fBRFC2931\fR(),
+RFC 2136,
+RFC 3007,
+RFC 2104,
+RFC 2845,
+RFC 1034,
+RFC 2535,
+RFC 2931,
 \fBnamed\fR(8),
 \fBddns\-confgen\fR(8),
 \fBdnssec\-keygen\fR(8).
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 2c4203bf93..4407b51528 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -34,7 +34,7 @@
 
    
 
    DESCRIPTION
    
 
    nsupdate
-      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
       without manually editing the zone file.
@@ -76,8 +76,8 @@
 
    
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
-      in RFC2845 or the SIG(0) record described in RFC3535 and
-      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      in RFC 2845 or the SIG(0) record described in RFC 2535 and
+      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
       a shared secret that should only be known to
       nsupdate and the name server.  Currently,
       the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -94,7 +94,12 @@
       record in a zone served by the name server.
       nsupdate does not read
       /etc/named.conf.
-      GSS-TSIG uses Kerberos credentials.
+    
    
+
    
+      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
+      is switched on with the -g flag.  A
+      non-standards-compliant variant of GSS-TSIG used by Windows
+      2000 can be switched on with the -o flag.
     
    
 
    nsupdate
       uses the -y or -k option
@@ -187,7 +192,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -451,7 +456,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -498,14 +503,14 @@
       If there are, the update request fails.
       If this name does not exist, a CNAME for it is added.
       This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC1034 that a name must not exist as any other
+      long-standing rule in RFC 1034 that a name must not exist as any other
       record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -528,21 +533,22 @@
 
    
 
    
 
    
-
    SEE ALSO
    
-
    RFC2136,
-      RFC3007,
-      RFC2104,
-      RFC2845,
-      RFC1034,
-      RFC2535,
-      RFC2931,
+
    SEE ALSO
    
+
    
+      RFC 2136,
+      RFC 3007,
+      RFC 2104,
+      RFC 2845,
+      RFC 1034,
+      RFC 2535,
+      RFC 2931,
       named(8),
       ddns-confgen(8),
       dnssec-keygen(8).
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 88a0dbbbae..b5a0dd3c9f 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2605,24 +2605,42 @@ options {
                 validator with an alternate method to validate DNSKEY
                 records at the top of a zone.  When a DNSKEY is at or
                 below a domain specified by the deepest
-                dnssec-lookaside, and the normal dnssec
+                dnssec-lookaside, and the normal DNSSEC
                 validation has left the key untrusted, the trust-anchor
-                will be append to the key name and a DLV record will be
+                will be appended to the key name and a DLV record will be
                 looked up to see if it can validate the key.  If the DLV
-                record validates a DNSKEY (similarly to the way a DS record
-                does) the DNSKEY RRset is deemed to be trusted.
+                record validates a DNSKEY (similarly to the way a DS
+                record does) the DNSKEY RRset is deemed to be trusted.
               
    
 
    
                 If dnssec-lookaside is set to
                 auto, then built-in default
-                values for the domain and trust anchor will be
+                values for the DLV domain and trust anchor will be
                 used, along with a built-in key for validation.
               
    
 
    
-                NOTE: Since the built-in key may expire, it can be
-                overridden without recompiling named
-                by placing a new key in the file
-                bind.keys.
+                The default DLV key is stored in the file
+                bind.keys, which
+                named loads at startup if
+                dnssec-lookaside is set to
+                auto.  A copy of that file is
+                installed along with BIND 9, and is
+                current as of the release date.  If the DLV key expires, a
+                new copy of bind.keys can be downloaded
+                from https://www.isc.org/solutions/dlv.
+              
    
+
    
+                (To prevent problems if bind.keys is
+                not found, the current key is also compiled in to
+                named.  Relying on this is not
+                recommended, however, as it requires named
+                to be recompiled with a new key when the DLV key expires.)
+              
    
+
    
+                NOTE: Using bind.keys to store
+                locally-configured keys is possible, but not
+                recommended, as the file will be overwritten whenever
+                BIND 9 is re-installed or upgraded.
               
    
 
 
    dnssec-must-be-secure
    
@@ -3412,7 +3430,7 @@ options {
 
    
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3456,7 +3474,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3653,7 +3671,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4105,7 +4123,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4147,7 +4165,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4309,7 +4327,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5105,7 +5123,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5435,7 +5453,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5486,7 +5504,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5495,7 +5513,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5535,7 +5553,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5544,7 +5562,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5655,7 +5673,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5935,10 +5953,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6149,7 +6167,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6171,7 +6189,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6841,7 +6859,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6854,7 +6872,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7591,7 +7609,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7794,7 +7812,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8050,7 +8068,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8111,7 +8129,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8126,7 +8144,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8137,7 +8155,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8166,7 +8184,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8202,7 +8220,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8221,7 +8239,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8645,7 +8663,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9202,7 +9220,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9356,7 +9374,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9739,7 +9757,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9894,7 +9912,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 8738f75492..836f16fb98 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 61148b0f27..d79c282d90 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index ef52e25744..2aca0934f4 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 84ab031a8e..0727e92cca 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 468e155d89..ec8380c0e7 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -4939,26 +4939,24 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 1325 0 obj <<
-/Length 3755      
+/Length 3767      
 /Filter /FlateDecode
 >>
 stream
-xÚµZ_sã¶÷§ð[䙈&‚§OÎïzmΗÚN§$”Yœ“H…¤ìs?}w±ˆ¤(9™NÏsC`±Àû—!ü‰K­‚PfñešÅ
-…º\n/ÂË'hûx!˜gî˜æ}®/®?Èô2²$J.W½±tj-.‹_fïþzóÓãíýÕï¾Ü}øôñçû›«4ž=~úrGäûÛ·÷·wïn¯æB+ý#áD‡Ÿ~¼¥ÒÇû›ÏŸoî¯~{üÛÅí£_K½"”¸ß/~ù-¼,`Ù»™iuù•0Y]n/b%Ké(›‹‡‹ø{­¶ëÔþÅJ*Š“˹ŒÀ“»¡‚]›§*I¿Ë‘˜ÚeÇ…»Ü˜å¾iËêiþkF3^¶ˆU ÐûHÏ5!‚ì‰ ,VŽDx\Üy5Ûåݺʷ\«Wôí®ÄÌq°ŒDwÄÖ4Ϧ¡r±ßîÚQûï{Á4¥ñ
yG¥¼¹zÆl°T­ºÍ+‘¨ÎD¤—µ©pàl`)ZÃÚE)Ù¥”UÛ5Wz¶_v¦ 8u5}þ¶ü})»54:$¦ˆ“öÕOU,‰ßwêok¢•Â¶RºáìÓŠ:VuÇ3ï̲Ä4Å÷,mgVù~Ã|eKSŤ
-‘iž©ÎɤᄸåN¦ñub̦"
R!ßvë°ÎØvyW¶]¹lO";
-ÂkB†²ã$Èt¢†BXhË0îAkm2D‘àpeOt¸FÎ|·3UÑrƒ_÷¨ék±iÙG8ì3ümkbÝ÷ί¿©s™aª!À	2!!Ú‰sAÑ'$& |‰ØÅ"Ñö Qf/š<e"O vZ„bˆÄSÒ$Y ÓT2oYÑ$<›ô[¦à»–Úzj€%*Y
tuóz%„pËÂõš JB p[EökU7Ûœ¯T½]¸ƒ"³÷/a»lÊ…Se5Fl¤`øPd°*è0ÊŠÔØ<]Rᾇ]Ï?ïw8Æîñ¸(ÿ¬¸¬+gã¬ØX")d„¡Htt‡<×rvVu€z	´ÌÎkŽÓiÅá˜pºEY_Ík{Þfgg÷LÇÓOXÃh0?YÃ4í[Ã4!5§Ç4Y´ Ü”w'¨Aób_nº9Bß’­ZhÉ×iEê¹FªÔj²1žÀZ‡	(‘³x®		xJFqšE / “¤Ý°À®@FžÛ$1’H÷Ù®Uá©ïï¨+GÚ]½¬7½$À¦&#õÜ‹[SÎé•'JìJ¥@ØìhÛ¼¬(Á­Q	€„”qJ×–ö2ê ši;XÂ_ –›~1ì]r×i{.›+ÔÛyažËå„Y29?½çš˜hÀ‰Ìâl(€E»ÈðÍnû’ë¨ñªŠ ¸{%î/~Ìp/˜â8ü˜4Fõáv<¿»¦ÜæM¹areLáFµˆÃÐÃí;vHÀ‹Ä%àQï0¶0·ßs`oø@yKßÇ¿ßþ›Jpª6·¡¡õT]`Mºôå’*>2CÎÉúʧÊ0óêÊ`Z)V_*˹ã-;z/ó)@[—¹„³ÀÓÛ˜µöÊ*á¬.¶õmå–j>="9=³Öɪõ’½CrâÝN_² î›;pZës…½-îOñû¾lH…æ™ðÄø§p°`”¨DಸŒd/ù
åuÞRëé«ù¶Îm’5ZJAnR
éQN/uÏ}À{ÐÀgb*N¦÷$x¿1¾¾rRÎçšî픵ß va5Ÿ!V¨ ‹ãÑ[	nÌ{FçÅ™Û
(‘0`!ºï‰b1Š…
-`G%«?_ÊÖà>„™³	#íEhë"'Ù‘Þ-#
å³MÞBÀl]þÕ¾‘BÑXs´2ËŽêÅž@`Ùü»Äþà³%ã7в+â]ÖžÒÓ¾éEý›:ç7÷>r°'!zQM·ß±6/·ÎTÅð¹î){BÜà†o÷‹öÞ>àØ—SË„“¶'@”D³7<>×i#๬§Ó˜•iSÌŸ‰GV Ä—}~~Ï5!À8K§µC	ìÝÑãüa”¹©ålSòƒ°u¯;C%Dø
1XÇH7ðÁT¾î@_ð@f[v~¤…Y²?8;ÐôD·ˆö]BGYò¢(]d
-·
-nÿ^#‡®¶ÿDåÞØrúš×>Úh6ç^†ˆó7ø²®FóŠ‡æݲ/z*¼ûrw‹ÛsfQh8Ê7`Öã:3Çeï|]wpã7æÉÞ³y.ÞQT*Mõy)<ׄ°iˆTT&†r<^¡×Ð`¢éFJ
êt{Å`XÚ‰èÖæj<„¡à–Xò ?¾o‰·¸«wDÞ˜g³áî5ú´-[OírЃŒUÝžR$bœé°6~ìDæS»>ÜÌ·åf_ðyã	¼ÄT°Ní€ï(u†,
?ÑûdVÌ7¸ŠGónÝæ…¶°ór`ïæÅxÝg[^ùußï$ÿÒ€¶JÞ—ò}§ƒþ)Ü4\Ÿ–H‡Î@¥c_„ß³Y5׸oÆ™ä¯é{têHäØh‰ékpÒì É`Zö2´1`<üì0ü„kr÷¯÷_>ß|º;ÖmÿŠûçσ"ywwóùö„~Àä>»öÍPÞ‘ž&ÂÜÌ$hè'vN™ˆá1&¡;Æ„\R*ù°òý9‡£¶½ÁÀ¯ËMA|‡ÞeÇß–Zø·Ðió’¿ò»NÁ_X³p´Âu¦Ù–•™ãÖ†Õ¼TûµxµeÝì–Cñàäbö
-ýÅcÁ%ßÒšQ'^¤ã
-èÇ-_nˆ†¡w$† àÀpabÏ“¶*Zîç‘'!ÌÝ™oDv¢¥'zÑlC}›w §…5Ôú $6þe´¦;ÔiŽnˆ%™ž‡v#µªë¥ë×»™w"猉á{grèÝæBÑm®Œf÷÷ôÊ ¦VO?)#Kæ[ŽàáñºÚe˜±\¹|}ùãÂ3,/^{Rj–râDõà?S¸e/°Í²h÷n
¸ßwkLÑ¿§w-°BQSè®P‹@zW»Nü‰K­<_&áeœ„žò…º\ï.üË'hûx!˜gi™–C®/®?Èø2ñ’(ˆ.7ƒ±´çk-.³_ïþzóÓãíýÕ2Pþ"ò®–*ò?|º{O”„>ï¾Ü}øôñçû›«8\<~úrGäûÛ·÷·wïn¯–B+ýáD‡Ÿ~¼¥ÒÇû›ÏŸoî¯~{üÛÅí£[Ëp½Â—¸ß/~ùÍ¿Ì`Ù»ð=™huùßI\î.B%=Ji)åÅÃÅ?Ü€ƒVÓunÿB¥=„ÑåR†žŽ`ŒÙ]ö=_Á®-c•x‘¤Ûå@Ìí²åÂ]nòõ¡i‹êiù«ïe>]¶•'0ûHÇ5#‚ˆ ,VNDxÜæ¸ój±O»m•î¸VoèÛ]‰…å`‰n‰mÞ<ç
•³ÃnßNÚ?ÀySä®!í¨”6WB/˜
öªUW¾‰ê¼ADzÙæîœ
,EkX»ð¥³”¢j»æJ/ë.ÏN]Mߌ¿-_Šn‹MIø±'Â(}5ÇSekâwņÛ)OÅ°­Ô€.…¿ø´¡ŽUÝñÌû|]àæÙ÷,m—oÒCÉ|EKS„#¹¤ò"‘hž)óÎɤá„#¸åV¦éubÌÆ"öb!ßö€ë°-ÎØviW´]±nO";ð|kF†²ÃÈKt¤ÆBhK?@kmé3D‘`qeG´¸FÎt¿Ï«¬å·4îQÓ×`Ó°Op8dÊøÛÖÄzœßpS—2öüÐWc€eDB´3ç‚¢z$F |‰ØÅ Ñô!Q&/še$O vZøbŒÄSÒD‰'ãX2oQÑ$<›t[¦à»–Új€%*X
tuóz%„°ËÂÃ5š ˆ| °[EökS7»”¯T½™\¸^‘™ûÆ—°]7ÅÊ*Ž¢š"6P0¼/X•ô´$Ejlž.©p?À®ã_;c÷x\”ÿV\Ô•µ¿¡Vl*‘Ò‹|_Œ$:ºCŽë
9ŽG;«:@½xZ&ç5Ç€é´â°L8ݪ¨²¯ùk{Þ&ggwLÇÓÏXÃ`4?YÃX­aL*©)U~€d,|k€rSdÜ¡³ã¬EÙ-ú†Ù¨…–Ì°áRy>óúFà¶ÕëŒ^ûðòÍ\;é{I2PþK©}Ô@4sqà΀ŽA€uLV´ëCÛ:ìÁÒÅPXÏUm›¯—e]M[Ü‚{äƒÛp9í¥ëÒ¢lÿ?63†²°Êç:ïÖ׈.ÏìùŒ„€~oYÌ(€½zÃ^ö6ÃéÉJŠ`h%¡f¬¤°¶
+ÎJB¹¨ŒAƒÒ˶Xo™Ó’š¢c¾”>Ÿ>R‰×JX0žò*oR2–PG>\WßÏ)è¨c/
+¥ƒÚtܽœ
+³s„‰DÚ^œª=ì³´ãËrf:Øt‘¨ë‰ˆ®’lp¡ëÄàÆ1o*4õ:à)ÏÛ\°^éõsÚ\7‡êÚlÂ5o)âzFB¡”Š8‹ø«¯|TS ùÐâ…‘ ŸDoX8˾òÏ€n:êȾɀâÃ@{á‘mÀÇ;”iCt:2h*Hl0è¬W§h¡8ìþ¢–ûº,ÖsÇÁVh«ßÑ­Êwà
+}gQ¡‡Ø“ÀZì•õ:C¨”žŸø:õÞl:«ÿÄÓ’37uê®îÃ3t‡È¡rf!]Õ‡ÎêdëCmò´;P7 &N)Q¥"”*:¯F‡\§©ãš¨R£É¦xKïG DÎ
+à¸f$á)…q4<ˆD’vû	EH1Z´ÛP »,¤*‘äT¥Œß0dK™°Š1Ìcclê-e"ÉÛ…i~
‚Ð@fI`P½úhâ
+€aGÆ“ÆP‰Ðñ©ì“;Ç×™s´\“sL˧c{B&x‘ÏÍï¸fkHˆãDŒ%0Ç
+pùʧÚv‡U:B$›#D‚9B¤t¶!¶¹#Dòàµï/þyWZ±>§åS$fJ{ó°²Ý¥ëe»Mœk¨Õ91¢œš:`…#3ZM»ÎŠ%v©§A€¶.°’éÉ2bßS.Ûä,ÌÖ¥_Íû*scŽ6ùº£zv 6÷f±?ølÑôý´è
+«x×u…§ôthQY§ü>bßVz{â£Õt‡=kóbg@•ŸZàž²'Ä
vøö°jaïÍãyu5L8i{ÒQài?yÃÓr6ŽËx:M¾É›&Ï–OˆÄ#+àã«>?¿ãš`š¥ÓZŠ±æîèiþ0Hì…ÔrQü˜lÝë>§"ü†Œc¤øÇ`*_w ¯x |Wtn¤U¾é³?8;ÐôD·ˆæMC½,i–62…[·/„‘EW;|Þ²ïs)}Íëí4[Χ^ƈõ7ø²n,FÓŠ‡æÝ2¯Ê¿ûrw‹Ûsfïi8Ê7`6à:3Ëeî|]wpãËüÉܳe.ÞQT{*Žõy)׌#°iˆTT"Ær<^¡×ÐTôZdâ
êt{Å`X›‰èÆæj<„±à†Xð ?¾o‰·¸«÷D.óç¼äî5ú´-[OmsЃŒUÝžbéEbšé06~êD¦Sû!ÜòoëòñyãñœÄT°ŽÍ€ï(u†,r~Þwɬäßà*=꯸u—fù¸…—ž¼›—Üé>ÓòÊ¿p;É¿R í„’óe „|`ß©rÆ!…'£ëÓ©ÿÑ
T:öEø=2Y¤–ËXsû–[3ƒü5}N‰­1Ý`Nœô’Œ¦e_ AÆÃÍÃϸ&wÿzÿåóͧ»cЯ¸{:íÉ»»›Ï·'ô&ðÉvh†Ònˆ4æffAC?¯0sÊHŒ1òí1Fä’RÉ…¥–•æ§ –Ú¼-ÊŒøúÞEÇß–ZøwЩ|I_y€}
§`‚/¬8ẼÙU>ÆmsVóRÌ×àÕ”!t3[ÅÞÉÅ톋Ç:ƒJ$¾¡5“N¼HËåÑc¾Ü
Cï@F% @ÀáÂÌ
+8ž'm•µÜÏ!OB˜»Ï¿ÙŠŸèE³Q`õ]ÚœÖP‚ØøWmИîP§YzN,Ñü<´±Q=X/l¿ÁÍœ¹)gàH\?8“> ·›E»¹2XÜßÓ+ƒš[=vîŸ~bF(–òo)‚‡Çëj›Q`Æbcóæåc:Ž
Ï°¼zH©YÊ™eÔƒÿLá–¹À&Ë¢í»5àþÐm1EÿJœÎµÀ
+EM¾½f@éô®¶x°bCs¬âïÇÉQËTëÜ2á©›q¶L²ÆŒ5«bØ¯vwh|R*T‹3\kyÍtÀÜ¥ éo5w§T°&›õá„š²ÂI?¶›$ãa9ͯ‡Zš‡ÿsZš# ÷P/lÖ'5þ'…$-ÓÖÛ|ýµuäÑó#“ÛÎåšXÇ“¢+J|;ï^ÇþäNñÊè¥gç/Øß‘N-§•„oÕÚC²ÊùʱÊμS?V–ÊÃ_ÏøjðŸgýŸÈÜÿÊb©õ‰_~H?òtÄV(\íqúXIp!uψþ_%+Ÿ§endstream
 endobj
 1324 0 obj <<
 /Type /Page
@@ -4990,21 +4988,28 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 1332 0 obj <<
-/Length 3388      
+/Length 3609      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sã¶ñݿ“—Ð3'¿ÀæÉ9ûR§9»µuM3Ih²8ÇE$ís;ýïÝÅ.(R¦|wÓñŒ¹–‹Åb¿!y*àOžF±§*=MÒЄŒNWÕ‰8}€¹O$ã,ÒbŒõÃòä»wAršúi¬âÓåzDKûBkyºÌób_ùg@Axoo®ß]ýøáöü,	½åÕÍõÙBEÂ{wõó%A?Þž¿~{¶:’ÞÛ¿žÿ}yyKS1Óøáêú‚FRz!z{ùîòöòúíåÙËŸN.—Ã^Æû•"ÀüyòÛâ4‡mÿt"ü ÕÑé¼_¦©:­NÂ(ð£0ÜHyrwòàhÖ~:+?)|ÄjF€*	PK?JÓè4‰R?`
-xWTE™íÊç³E†Þ:+[Cà¶i‹îLzÅ£iid•Õd»Âa­wgR{MEo¦Úv–RàÕMî¾û]D¢n¶èfÕØgÎYGÏncøã¬2ð•¤á¢žL‡^nJóuESã€Rúi)»¥¦ÆÝà9ý»©
AOSd‰ ðgovŒ×=oy°héY7ç׿žI)=XIûZÒ¾ë¦ÃïÂÄk›Š¡åÏH#ŒAJv¯4Lñnß™[€PLÆ]Dêý®Txq‰ÿßð4€?Ÿ¥Êûç0¨íà‡;üÏkÖùûý‡»ËïBY2ÝåÆîPÊ¢ežÜ29#Pói“õmŠ`¥ðÝ»PŽÔ
-á'ƒô·¸7 áýÇ’_+‘L‰îš¦[ì…± 9àGæÓªìsã(ØÇ7¹ùæ{ËÇìÛ¬úÖô•{ýï÷våÅÁÒtl49±[é'RƧ±LÁÜ¢ôˆÒbŒEf&güÔ€…KæE›Ý—f‘•Í®è6U{È‚•Æ"z‡k†‰±­KØxJ=å₸€ÃŽÙšTxíÖ¬Šß…P&§™‹ë»»Ë·49bØΡ©Ú§U4@¸7eóô9ŠhϨàxß÷eW,ètâÈ×!ð=QŒ-0hµl"Uû2÷(^ç¡¿Ó¾Š´û¤í²ÎT¦îØÂ÷Ö‰/%lÂäÈ¢ÞÍà@gQ5-;„ao+ö,EYtïˆm·eÄŽ(Y”ľ¢èu%cW²ËJ¥n[³Z”Mó1k‹Ü¼P± ô‘ê×9°fX˜¨Xa$•rÊÃ/ähcíµ¦{3saìCPr†åÃc~¬5ão)Ü<6¸à2¬tÚ{ÌÊ"Ï:ˆ,öõ	Ô‚ ŒÊ ô{%D´ÎìêÌzî8õ*Ómšœi5)ÖPÈ ¶*=UQ\C‘HÐVþvù+ÂñLlÛàIÁfKèÍš1èÁ
-0Ô‚…8š¯RÆ
ã8â諼©²‚	MrÆÅßÛäL"pnÌÖ´ÝÌƱ/PC¿øÈ×dœò6pE.PV¬›]••4HT	æså€x›¬¥‰Ò¬;b¡÷Ñð>úºÛi¢–ÉyED¢3
C_(H¦&AÁá/²zµ!™&lÜ$]ívku:ÉÉÑÆ´<Ž ¿c|‡œÊ…p›*̱%Q¶†gûíx錌‘
-V¦‚µsµ™sfašÆ)Ëý“ÞÕš†ý×ñ@·=¢¶”Ý´£dÉ7¦ñ”ñŒûþòÆ´6EœÙåà¶6i¿4Íò@É+¢ÐÕ7S/¾×ŸIêgéƒ|^ÚÄÙXɯòk©ßr”
-XL™Mi`Öw
ç|°A©&¤û¾(»EÁo¹Yg\é;8Þ0ѵõ‰©gˆÊž1ÉÓýŽéÍÀZL* éˆåTÈ/d`ÖØl@mê ­#ÆAFßs
od²‘〽ÁÏ'Ý7ËË¿€$’Š—z…ª“D¬C0¶§Žod‘0_YÕ‚ói[>«¡³˜ êPï™Róhv»"Ï
ÓÂ4}GHN%«mQ¸UÄ@³Ï™ç©bJÎm²UáÃâ¨ÍÓ$ŠÃRý¶ËŠ&¹·TAéØiÑ}Qç>™Ë† „Ê9`Ì£ÉI¨ ú§Ág2à1ÖñädÀYD….öÞ,îw/3(M# ó:Ö“%†r8I¢)#w	×(j•x›Âì(\ØÒàÓ¦Xm¬È²J®(ÜÚ™ŒIPe7°[sÉ¥ržï¡¶žFqH@À9ÍœÊ3kjZùirn8wꉻ	cåþÙ̹Lü4PÉ(ðꄼÇKï¥,á\šEŠü’bJ¤¥srì aá" lµ2[H‚ž¥}2»–&0@áÖw¨ƒw/4ŒAàåf7­Dà«Ð%u3·iÜËMÛE‡,C‹}£­ÓÁ^§}}© Ü˜Xï>‰9Éo9™Áòì¦È‘PÔU°Y“HHáŸVo¤U!BC¡ÎãÓj
-¨Þ&YAGdú:7»¹¨˜Í;T‰‰“U·³ánqÌh?UÚå}‹4éë8r>¦Êêìá8½XûA‡åYú`÷iF_c#‘8žYVãRm5êjL–‚BD')@˜ð¦ÁÐoÄRJ	JúCÓ”&cw}Ã#ž5à„ý™²oŒuܳXö\ûn³¨?±VzTõ–“}uùkfýiÍ'ýP€Û™0pÄ?%A˜~Ò{S
”dSEà„ý°~„‚,Lœ:?Ÿ£«!¼Ô½K‰‡Â©„<“a›oáb
×I×ÿº¸y~u=N<Û-«i™AóèŠ3—ssþŠ%ïr†a5®6¤¯}Ðý¢ ÙתëÁ}<ó%64Àe¤™âv0?Jñ4¯p v	$ÑQüå.ò{'m›ƒÂ"î™ÑcµÉêCK8Ãír€´e4¶…¾?7=Ó¼¼ô-ùH ôˆ½W’O
-š
-=uµM™<÷]šu÷”
™Ñ*ØÉž].u˜Îïsþn˜˜‘6Îõ}‰ºÍ T,|‘¨ÏdPc¬ãv>`Yg0άÀO.šza>ÝËúó4|‡k†‰iÑöõ”Þr8Ä$ßå‘´5À4‹Ý_ªhBAín45÷#avµ1«Cr‘¼¾¬CšYv¼ÃTúNN–ÍuÀˆúºZLºNŽLS>L!†Â’bdöÊBØ[
-šÀV±kiÈ–W•W8²½>Ö³ºwõÈÚÖ#öƒE÷Ö‘¦a4œÜX-£ú$bn‘EE¨†1_ÒÊéŽR‹%âK5­Ø?l:špßc?ŸÀâQø¿ü表Áæm×pFWÐø…O±(ÁG…Ã1pèÂ)ÛCFbyaɃ¬°ên®kcg…™/Vjl¬ÄÙ^&ÇBÜHGOì÷âérHiìzcš<ùÙß<Žµç¡lîåŸtW€B&_pA¬§çÁG/ž•;z×·÷3Ú5½`ïõp:²7(ÛÞmg+RFž·L]‘=&1Ô®ó”µ¾ ê|ï)_ß,¯ÞýJ0Ùߟ=^Õ†qý2eöÈfzàe±MÊ6Ä?W‰C1øì=WUa£!–ۘϖBl£höŒpÝW÷Õ¦êDÎzÉñ×–3‘•ýM3ùø˜’&‹	.¼h{ì×_AäãO¶fR1øÿýË°ýÏæBHɵVóIŒJÀ5a¦PÒ‘z™­ñOÈ^²þ?UWendstream
+xÚ¥]oã6ò=¿ÂèK Ò’%Qíá€t“ímÛÍÞ%Ùëm‹Ž…•%×’ãÍî¿ßg(KŽìÍâ QÃáp8ß´œ	ø“³8	’,Ìfi¦‚XÈx6_‰Ù|ûáL2Žïü!Ö÷wg¯ÞDé,²$Lfw‹-­åì®øÍK‚08
+Â{ýþúÍÛ>Ü\œ§Ê»{ûþúÜcá½yûóA?Ü\¼{wqsîKKïõß.þ~wuCŸ¦ñýÛëKÉèq„èÍÕ›«›«ë×WçÜýxvu×ïe¸_)"ÜÈŸg¿ý!flûÇ3D™Žg;x̲p¶:SqÄ*ŠÜHuv{öžàà«:)?)‚0JÂ	†Ñ@€Zq–ų4΂$‚O(ÀÛrUVù¦z:÷#¥¼E^µ†ÀuӖݹôÊGÓÒÈ<¯	È7¥ÃZlÎ¥öš½™Õº³”"¯n
+7ïw‹º!Ø¢›ycŸ#ä=»¥áÉùÊÀ,IÃe=ú¬¼ÂTæ!ïʦÆ)øRY‡vKM»ÁsúwS‚vKSd‰ ðçÖl¯{Zó`ÙÒ³n:.®=—RzA¿j_fºn:œ¦R¯mVÝý|‰$TB²[¥a¢À€uûÎÌ„R2Á¨b$2ï÷0T—WøÿþàÏçYèý³ÔvðÃ-þç5ëbýîÃíÕ‡w¡(™îÝÒnPª²ežÜ29!Oói™oÛôÀ
+áÕ%ZÈ‘„R,ü5î
&Bxÿ±äTèP¤c¢›¦éü½0|’N2ŸæÕ¶0Ž‚}|U˜¯¾c°zìÁmÛƒ«mk¶+÷úßïìÊþÁÒä3èãÈleJ™Ì’PI
+§;mf„ä±ÈÊä„›ê±pÉ¢lóûÊøyõÐlÊn¹jY*T"âÓ<ôXLM]ÂÆ•’zÌÅ%q‡°1…Iäµk3/"4}¹¼¾½½zMÛoh©öi
îMÕì>GÍõüî»mÕ•>NZߣÓYƒVËFR•I xGqBœ‡îNa¬Ý”¶Ë;³2uǾ·N|©`¦@¥ðÞ÷þ£÷«¦eÐïmÎŽ¥¬*‚î±õº*‘Ø%‹Sp¿i–œV²!Öq%뱬Tê¶5s¿jšy[晊E*HE¦OsÐcM°0R±¾fRŽyø…ü¬
+½ÖtßL¤ŠƒL!q”åÃc
+SwŒk
+7¥
.¸yUy‘žî@/Ê™£¼ê̦ÎÉgKoeºeS0‘fOƒ•Sj˱×*hv¡‘ütõ+ÁÏbZK‰UÀ@׬	hŒAR¨y¡pÒÛ®B¡‰MÉlèé,p?«hVyɄƶÓ|<ÛnñɬMÛMœd"Bõöô‚“K!RÊ$ã	±Rç8R±_±n6«¼"¸w=€ÀçI‘¾-ó–>TfÑÑPOã£y¢oÛºÛœk•)xED¢d ’XŽýÃ÷óz¾$™†½U‡lÕZµ©"ëKì”b ¦Ì…†h§Ðã’¢÷”ÊL/z(]·ävíÔˆÞ[ÃHå‚Ÿ¬˜¥Mœ0‹3(‘r*%Ë8å7¾ÒÒ{» aþžî¹Æ—C®ÓÑm	%çi¬¸cbÓÒL$ߌØH½]Î_ÜüÛc+B
+Õ˜Ö&‡Gõ¼ðÞr ]¿g4Îï@ÍW$YÁÝ;ð½M%} ¡‰ð$‚DF_`šy¦	ÈU”Åže3ʬ|(ÓÒƒ9àpu’9×™oÒˆpV½Ñ©ÈªiM+Üo˪óK~+Ì"‡xL/p[{Š°þ
é€ØëÎcƒ¨VÍ-*‹
BT5>ž½MENHá¬ÑÚˆÜÔÏ:rdô~øÆ–'ˆgöŽcêüÈ›‡—ýö{ì¹À³íHQc"Ô¢šÆ;G¬Ë[FÙ±Ô	¬,ù8î˺€úTºî*ÛÁÁEà»vËr¾œÐ·(	²P¦ŒŒ>§˜ 	‘\¥Ò9àªÉÞOÞ¹}囋Ýì”bë(HB‘Œ›N8‚bSg‘Ÿð)¥‡¤4‹!)(=ønRzôæÍ„Aéñä¾@çÁ“%‰ö.ˆè¼Y?„a×.³ÌyA>5[nRþr˜	‡fC¥"LF¹©Bß>ÎôÓóÔ˜§ùƒy6/­}@×ÿëTr¤Jë^eI7Ò”z@ì¯H70|Þ¡0fʈS`óHª%•Ë‰¡ Â*
Qʩ㔈Š(~Ùq‚{‰‡†*#êaà‚‹f[££ŽBçap¬ñ€NŠ_Üü¼jÆmVë’l¹­i´·í‘8#„Æ}ÎÕUeQ2–§
+±jLÆzucª§ÒÆ–4ñln™bºcƒ4¦F¨a€Ë@V+›ÿa|Ò¡·„zñÑl°-È#9O,GóþÜ:œÚ[%ª’áçö‘AI'›­}4‡ü±Dq2S›NÙ݀ɓ­	…“±ûécèD›l¶‚íÀ¹£\l ¸×ï﮾¥’úC‹"®“IHézF! Ý>0ÓkÕÌÁw?ùó¦Fßþ°ÝGmi™o	*ù¹nÚ¶»±ºŒÉQGã¬ébâð¯÷å!8H(×
+
+'9^¦“Ôg·)»ÎIeouʾ=kE»Ì•XòqÊRãiÛõÃýìÑîCÚ¤%ÔÓ'»C¬ã݇k¬°”º7>ÀÛÍóDœ19ÍF5ÁǨ‘¨ NÓxÌÈ-V¼ÔÓ0õ–¥ÙP«g`Kƒ”UYÙ%Èž<­$ñKÎ$È0ìÖ\÷(tõÍCmÏÞ©ðÀ•Fõ_­Îè0ÈR=vI®¤eûY ’Ðý“™²		ùT¦ƒ[§”ëOø8q¬_àj´té*+­®K
P>Ÿ›µuq˜õ´;³iéƒ-CµuµRš
„†YŒÓ›E±wˆSÉžUNÃMÛEûn‚ûn‚¶EÞe¸ÜU¨@†Yø¬»Ã}ù„»x¶ÇS‚†ââ°Á¡* b/•pS‰=5’´¢£6£ÐTˆàø¸E£öå~dØNbTû’ãÉ'Ž=…
+ÀɪÛØ¢Ö?æa5}íBh³™*s%T ±s«¼ÎŽÓƒàÅQtØý¦wX-&#Qs0©ã™e5ìÅÎ×£¥À½ƒè’4C'$Jdý}"öšÏ})@I¿oÈÁÙA¿ç«#ž,‚™úL_wˆuܳöX\õ,ýúkÅ¡G…G…`²'—ï±&Ö7ue ¸GüS
+Uãü“”´¡t½0nÌ=o‡Pµò¤‹‹)º:ˆ¹/ª;ê•®Uíò'†©¸„Åšš®ÿuùþÝÅÛëa{©]ñR•bfÍ£.•j y5J”ÂT\oQÐÐjàs~ƒ£ÄpE9i&$©)»=èI„Zó
+b—@R'/w‘ß9iÛBSj™¡Ç|™×†–ÜßæâÎAÒ–ÑÄ–žøþÔl™FïýàeÛ’Bx·Jòɤ¯B¼UÑ÷éøb¥Yt;&Ç>‚VÁë—œÓÎÚ6íö½®ÿ0!5¼×}wå%êz4ƒ’)Ä(È£OÛùë¸÷XÖߌ3sð“~SûæSÙ=¿ÁAž©Ó<ôXLŒ/	íe¢sÁÄè¢×19µåM,mŽ^fªšPP»MÍŽðu¾4ó¥ëêõݺ•Y5t/=ðµÝâµ+4ÊÎÞËIZˆ.Ä!y½]žüP7®äW2Ãýps^ôÎáµÙ[«Ãy–ñö¸>€Ï饟чÖ	}pX6œA=Q³l»rþü¾œ`¢²ìôò=ÖÄú#U!F Ñ¿`yÞ
+åÅÈž¬=,lVïy³ïîØ]×¾ÊÔAšƒ½è§©}Y&g92sw”BôɃ$•Èí¯„ý}ÀË`7ÖÒ-¬„+¬pdta¸h¬Ou“w•ÈÂV"vÂœâzëHÓ0JCMa¬~QeòS˜
+#:?ŠcTÀ˜)éÐiŽRËÛò¡Z¡·ËŽ>¸ù÷OôˆÂ¿¥À9=”5X»m¹ÎàÇe8ÃF&„X”à°ÙyÉ]ÿÉÞ#±¢´äA®+9Q2Æ™w-õ ¡Fc3%&¨-iŸ$];b.fÑmß_Âþ›zklø"Tª}ct?ó÷B" Ò€ë‡ò•öJùi¥½xfšÔ)©Ò›úÝaøcÁ	Ã}Vøÿ&qÿƒM•‘ÖGº3Jf
+å‡Ïýÿxñ9ëÿß“sendstream
 endobj
 1331 0 obj <<
 /Type /Page
@@ -5012,527 +5017,539 @@ endobj
 /Resources 1330 0 R
 /MediaBox [0 0 595.2756 841.8898]
 /Parent 1318 0 R
+/Annots [ 1337 0 R ]
+>> endobj
+1337 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [250.0538 432.0993 252.0463 444.1589]
+/Subtype/Link/A<>
 >> endobj
 1333 0 obj <<
 /D [1331 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 354 0 obj <<
-/D [1331 0 R /XYZ 56.6929 369.0592 null]
+/D [1331 0 R /XYZ 56.6929 279.7498 null]
 >> endobj
 1111 0 obj <<
-/D [1331 0 R /XYZ 56.6929 342.9234 null]
+/D [1331 0 R /XYZ 56.6929 254.6585 null]
 >> endobj
 1330 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R >>
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R /F11 1336 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1336 0 obj <<
-/Length 3417      
+1340 0 obj <<
+/Length 3365      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sã¶ñÝ¿Bo‘gŽñE—‹ïêLÏ×øœé¤Ih‰¶ØH¤"Rö¹¿¾»X€"EŠº¦×éÇ£%°ûýø,†?>3šÅÒªYjÓ1׳Åæ"ž=Bß»îq¢€u±¾»»øö­Lg–ÙD$³»‡Î\†ÅÆðÙÝò—ù›¿¼þÛÝÕíe$t^üØNØéuCÇø§¥aÚˆt„BvÈc€U2Kµe‰„.dà͇»ë·?ÿkNËÖëê¹(é«YåÔëìɃME¿Où®xxXÙÞ¿ªÒCÏ«bͲ¨Ê2_4EUÒwQûE¡í)ÞKÏïÚ5ó†€ê!4ì`Ѻ%˜ˆ8gVkᶫ.V„@;ë/T祟s‘yî´5»KnæÕz/}ß®lä]6ZÎdXW,«Ù@x]vKh’h–•Ëѹ˜Ô©
-8뺊NΧ,Z¥—¹ÝGÂÂ*ÊàBʬÆu^#Ãá€@Žð›áoå
--ÕŽ~ëfõ
-A3•Gs’4~.Ök?á~»ulÌëúh5?î×™õ«ê@Ù~ëñ+ú]fMŽ7Ö1MõåNçÀƒ_så59IçìAAóš>ý¨ÊõAÛ|÷Pí6ôDzèÙïÔµˆLpÁ|x9¬òl×ÜçYeÉÖ#¢3ŠÅqЄüÓ¶ðÔÒ:…_/[.o¸zE¿ ²K´G/î
\ô•¾«é43ì½njÖrÊéFêß%JM
-ÛUy߀F…”h˜«"Bsp­/ô»¯=Aß¾U¦«ÍiÊD¢Î[†…‘q×dqbB¸ëšÀ°;„7 UÙc^¿]ÎHç[wuR–Hš„¥V&}¾m³º†sgÌÖ4Ró#
-UÜÒ¥ø.htQS6‡Ý1†ÐéÌ;KP¾lM„Ô*1!xÛ+ŒaZ› R;ŠÃ†9±s¿#n‡4b[ 
áiØH#ªŒq¾Ûܮ݌ģ“ƒ[ÃÄ27„ÆÍM*tnVÿ'浃zgDÇð^y¿åsµfÆXëWœPŤ”i_IpÚîkïe–Eݯsï}[vÚá6öÙÊŽ£.`7±ä³D&̤`П_ÈÔ2õíÇnT ¤ãtOR@ãb˜ËƒaDª¨ÝT”Å,OOE/Â0‘Â<	:V$Óe‘­ãîmª%š–QzšÓ2æ’)BM:ÅS™°GZW.p"3)à€ïîà¿ã
-ò_qˆþ'Œl•FóQFsp6ÊXœŽX‡(—@½Ì²ýº!'¬„ÑóT~k3DFé§g`‡²/Ë@þEôÆq*Î10†pÜJŠÉCBÀž‚º–E®ùaãÜêñ«œÄ,Ö瘥­€¬Ä$Ó¡CŸ_#Ê5ů!_3» ŠŠmbÎñËÄ,1R	Î*Ø„5v)ùŠ­Q'âIžžcXbX*Œ<ãÕO0ìsN¯.!_³‚iɸIô9~iˆSÉ»ÑôŸgÛ¤]vúR|;ÔKþ·)›aÊ(Õ-Ü
-8’CjŠiˆdÁúdýFÇ$)|îW5m•å¥¢Ÿnnxµw+# `? ÒC¾h&« R$HƒƒÀ}6ÔlJSÓ­Zô
-f1œÈ†ÏTª!ÖÐéxÐ#E]¬¡æ†â[‹å
-ÙïyT`Ê1Û¸4Œ'6^¼ÅY½kÞ_ý“yˆ‚|EÒ¨¹ÁÔÃ*–ã<ôU[ŸôCo^bº°¤ŽºØì×YC¢2ÚR«º¯«uîäÍßß|$€6é0š—­ï½þñ§«ÛKe¾äœƒzôè¹õ	²dh‰½$±Ì©¾ƒyLr˜Î|TQóDVåiÙâäRíiB²É	6o«èq½Ï‡ra$¸­©…[¤áÊ=©J°5ÕÙ.}G²KÌAvXÆ	m^:XÎL$©4{–dF«u*#Cõ¢³;ˆ6ãÑ#äöRcqØYdûÚé¬á‹ni§Jg|IÉ̳¦É7Û¦[g2´¢¯2%)3ÒöµhÖøT©®öXôZ•ûÅü‹†~—ŲüÆÃ+ª8äKm-ª²nv—f¾_x}·a„˜;Óp¶¬ÉªÛj2|¸2±µó¬Gæ¦ÎÙX­Ø‹±w>·ÅàºXæ4…?3fþú³CÁƒ‹‡Q*š“¦"SÂMù´­t±NK‹EÉY,÷õ*ÂrkUeT¯öͲz.)à”…vš”k„–Þé'LbŸ˜¿;¹K)}1LBšmò ªØ‘*ššº–ûœÚ¼†åÅ“Sìûxýîîêöý+B𛤮ÊÏ´¬ü
-èàºXNÕ-Зš£zjV¾x‡ék¯ÇW»¢Éëãë
-Ÿû¶5RíÇú(—ªM˜'dr|Ú„¯m9>X”Ÿýúa,~©ö!L
Zwø‹+ÿþbßåc’÷G)Bâ(yHkj÷”Î[„Iˆ,j¯*ŠCF(éMJÎáI³Î]%Ä©¾Ô`Vøí²])ú¼Â26öå”n²—ÖÕPáîéø=•Â’•‹¼ÿRêðn‹„àÏ™³éJOq؃Œµú9„¹øŒíŒÕ&ŒÎ#9›úpÃÑÂ¥C7Ç™´BO®Þ"
—ïí3I˜L¥é­ïee;5<€É7Ø$x)h*|—?ä2„â´>Ý«;Ò{–\ 5à‡Šny@˜on^¿¿"3üH	Ì£ºf245!‰:!æOEE•Zõ°¥#Kqå¢6f¼¯šU?Ûdrûâ¤Ú¢EmË5Ëàl±ð~j‹Îê“*Œ¹{šœ©ÌtN«p@ê_tö4—–r-'m‘†«ö-4e‰M’Þ²£Ž‚ÇÎ};é)h?צsåO%œ¤=PðdÃzŒIIa¤î<áJzO¥ §=e±‹^g"D²C Š/¢õ´mý6aº=9:v©²m™J=tÕ¡XΫ¬tïÉàpD—5Œ•d	‡ˆ4ÑbQä1uígÜve°£úˆHŽæDŠ>†J&R¥ÔådŒ¯’L‡ŽaU.àL®~<“´UbÈ9 !ÅWˆ]^H1…ØØݬÚ.ÿ>?Ö¬¹’`~_-&Šó?»S’XΦO«¥føzdÿñììeéç>»>¼IW)&²bœ•2†(LØ4…¬ÔrpÏÞgIÿ7maendstream
+xÚÍ]sã¶ñÝ¿Bo•gŽ,ñE‚—Äwu¦¹$Ž34É-Q‰TDÊ>÷×w» @‰’œäfzãñp.Å~a? &	ü‰‰5q¢r=Ér›D˜Él}•LáÝû+Á8‘GŠB¬/î¯þþNe“<ÎS™NîÁ\6N¬“ûùÏÓ/ÿñö»û›»ëHšdšÆבI“é·¾¢‘œ_~ûáÝíûïÞ^gzzûí¾»ywswóáË›ëHX#à{É3œøàÝí?oz÷ö›oÞÞ]ÿzÿõÕÍ}¿—p¿"Q¸‘߯~þ5™ÌaÛ__%±Ê­™<Ã$y.'ë+mTl´R~duõÃÕ÷ý„Á[÷éÿŒ²±±2a TE°N'™ÉãTÁ+d`»l¶îIN«º+·OÅê
ýlêYIPùTn_p«0¡':ÖNÜT˲ØveÑE~&þ&$ªØ ‚>)ê9-±l6åb·Z½ÐÏùn[ÕwËÒÄÀ¬X­@PJ¤Ó[¦ÖÓ¶¡ín³Ù^;-Û¶l‘ˆI$@kd–)€Dœ#i÷ͺ$6zòjÉ´n¶k˜ÕÁÿ奓éºÀ½Õóð·Å—ú%IäÌ•LïýórQìVý¨Zb‡¶;dªâ,³ÌŽºáÑ+%¦íÈÌÄ™R }‘Ź’ֽąGÄâÖ6ç	æU±ÚmFÖQ2¶:7ŒÖlºª©òܦQ,y\v,†¡‡’ží¦œU¸÷rNUM¨Ý8)ÆÆ:U~‘§ª|¡D0kÝ”UV1ŽÐÈD`iâõ³íŠ®\—u×¾!9yZŸ—ÕlIäÏŠ–wVuôl@ùQÀ3Þ&°ôV^.8õ¶šƒ¢
èqÕ<ô&’žÁ™Î^!•Ú¡W«•E»E¨Ùuƒ™?|{ûî'‚Éß•-ãt
ãúyöˬŠ'¶ÔdÈÙ_“°(ÀÂRævdrô_»“¢-VŽÚ”å€s ØL…&p½[?xÔÙ²œýFÓ¡J¾v”ˆ¤_ižª¹óO8ŒŠâ0Áë€/=Øùbn€t8Ð<³‡T†sc
=ûÕÍOç{¼½?Õ]•³Ìšº.gl¾äxhQ{*}T[vCH"o{2F¶ã
¼ÀÃ…@=xÎYÁ4<ìi눅«•sønôlÉE¬²Döž±C6ŒX	›izÑW(“iN,:9ŸÎcizãôÞ6‡U´µÞÞ²ÞÞdê(X,9NÀ³À‡èå
+#Í–žm·{Ø…GnjØszD˜ÐMœpÐðãnUðW¿H©÷”«!ü†žsð‰ˆÁ¸ â4A4&÷¯¹dMN³)˜÷¶r¾~Ðq@S»“ M¹]ÀIJ?€H†žy§Ù‰ƒB
+køñ‡B'‰×„òã¦bjiŠ×+æóŠmWoè‰
í‘Åb%Çl˜T6pmmÜs*ÐwUí¼‹ÌC•ç4
+Ð(”BÃ\VcÍyô…ž»–	:D–Å2Õ—-#Õ>´`“ʼnI8á®[{Ç
ð´ªx,á˜["QÛp´:ŸÊ¦q–«tÈ·MѶàwÆlÍÄRõ‘§P'=]Zìé‚aO½qÊæ°‡áž{Iþ[ïÃ8$¤^‰	xl¯ðMlLoáSüìx#G;áŽD~L#ŽyÒ>"
ù°™Á7î¬À1·k7#ñèäǽaâ27„ÆÍMiL!úàïUæõ
ÄÞ>w¼S0טØÚÜG¥g”DÇJ©l¨$8ív-Ÿ2óª-V>÷#Îàà­ña'$ì&ÐÚ@î%lj^“Å©âQaòa÷ç¾ò„Î÷$ô]s1è¿Nõ›Š(µTBÈ%¦I0¾[‘åaŒJP3wA›6ç9­¡H‘"Ô¤X"SÙÖÞ¥…r+	>ÜÁ_ã
+ò_‹,æ?%£%„Y*÷Œ£ŒÆ¼+å~<Ô±ÞâaÜ%ÄÏ/¨ü6Üfˆ01â©ÆPöiøi5T%Å%þÉð³Ôqç¥lG˜ë8ÛÇt=‡öLãÏÆ™µ§âsæUb [4ö³I}>ròkD·Îò+ ä3¶N+˜<É.0bÐ8Ï3u!¸¨ag¬1¤ä3Ö0mE¬1—†%P-Å…SýÃ^ã½BB>g~¥9$‰ºÄ¯LʼnMó0šþól;g˜!AŸŠoûªôÿ#@9¸æbȸ	äÅñ£"¹pæYrÑ°P*ìù9hpl3Ÿù5]_cÙÇ(ûØ'Ìcö°.âåˆØ•Œå¬;[‘ ºX)„ãÜî‹ÈG­MâÄX	!ŽR'š0Œ…XÇzë=–+¿•Q…	ÇQÐ&”Ešgçï±FVFB‘1\ýSyˆ¸ëcõÔbâ‘k–ã<–)}5Þ–5&szÑVëݪèHT¾"‰XÍCÛ¬J'wþêÃÐ&F÷²á··ßÿxsw
ìO×BÀ€3Í9=V1Úá [ªKªî`Óø&˜êiL$×Ge«sLš^m€uF¶ËɶìfËèqµ+EWšÚók÷X#‹D«^¸jhP%Íî%ˆ¥?Æ2Â’fªH`˜­`@æ©­òŒ`ƒQš$'BHÈï•Q¾Ý0+v­Ó XƒoYP©³\V²Ó¢ëÊõ¦kM–VäJSšÅVåC Z°÷ÀyR³sÀl0:kÜka»b^Íë¿1¼¤ª#@\nÃGS·ÝöÚNw3ÖúÜï_sž
g+º‚=}E{"î
ÈÜÀÔeÖMï'pày9ü<Ç¡µÓûëT“tOgq"\³<Ô=ªºïË¢píýyÉEÖ²Ôè78¾eƒèSë>LΊ¥œ¾ÐA~=¢bÜL hIÝvìHîž_ÞÛ¢ãa’˨uh¬½
+¯¿Å®[FõÇyƒ—FÈ…ÃUÄI~`ºãdË$Ö²·»sí8–n3©a8%Ƙ%!Ðg­Qû¯$Wp¾•Åü¤QbÒ+sÁñ‡X§²ÇrroÚ.Â;UÛU³c£Ô`F6Õç	è±F(%ˆ"Ͳ!	.2"8](l„…¢ð—ÈßÊrÃnWpXLƒ=8¤…ëYâ§Oüˆ›¦D"¸:SЭ±‰v­„bÆ
òHË8‘";h,WÝ’½ýŸ,
\†¨b€ÓÒ†`Ï({Á‡Xg¤í±Rwþ£ê#•³£¼:r(t0õ<ÕçÉðHÇd@dz²9 Ã‡Vz!LcjŸÅŒD´66Y’÷gX¤¤àëTšü8çâ”<µç:¤Y´ÝTÐp*ƒ|×ÝCNPˆ-ý(èÑm‹º¿Ý“ºj¸ë*àxŠnh%Z€ªº8 ÒGnë¨.d…ÁSð€—D®±7+.€ŒL»=¹ÂÔœ^”¼PAO+
+H¨0˜æh~mÈôÁ¢xöÛÅXüÒì|˜êµØ_ðàæßÁØu;np´¿ApÔñÞ|Ÿm׎vÒÓ<‡â«›-^^)ImGºr7…ÝÝ×ÝGµ<\}÷ìŒåXg,Ïc9Ë«êj]¬¢-gÇž6
+áP>OB5BÃð Nc‹ñà€ˆÛÅórˆ9múŠcÝǺÉüµc|žÐ#èØÖ&L:ȱZBak/ë/iá|Æ «#à8s> endobj
-1340 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 61.5153 231.8861 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (notify) >>
+1341 0 obj <<
+/D [1339 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1337 0 obj <<
-/D [1335 0 R /XYZ 85.0394 794.5015 null]
+1342 0 obj <<
+/D [1339 0 R /XYZ 85.0394 565.5402 null]
+>> endobj
+1343 0 obj <<
+/D [1339 0 R /XYZ 85.0394 553.585 null]
 >> endobj
 1338 0 obj <<
-/D [1335 0 R /XYZ 85.0394 649.2264 null]
->> endobj
-1339 0 obj <<
-/D [1335 0 R /XYZ 85.0394 637.2712 null]
->> endobj
-1334 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1343 0 obj <<
-/Length 3690      
+1346 0 obj <<
+/Length 3634      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]oÛ8ò=¿Âoç5—Ÿ¢ˆ{ê¶i/‡kz—f=ìîƒ"ˉPÛòZr½¹_3R–,ÙN±‹!Eæ‹Ãù¢Å„ߘ˜„%Nº‰uš.Ì$_]ñɼûx%Ì,ͺP?>\ýðAÙ‰c.‘ÉäaÑÁ•2ž¦bò0ÿeš0É®Ÿ¾û|÷áöãO÷o¯­ž>Ü~¾»žIçnÿuC³÷o?}z{=©Ówÿxû{z•?ÞÞ½§GÃ	¤÷7nîoîÞÝ\ÿöðÏ«›‡V–®¼‚+ä÷«_~ã“9ˆýÏ+ΔKÍdœ	çädu¥bF+W–W_®þÓ"ì¼õŸŽêOp&U"G(UG©`Æ93±Æ±DÁ+Tà¯Üðâ¼Ø4×3¥ô´y.h²Êê¦ØÒ¼.¶ß⼜ë¦ü•sYÌÃÊúèÓ/ŸßÒäÓÝÛO74õ,ç@N¼c¦Ù:|ßT4fë—.¹š–%ð1B	4ò‰Ž||2‚9c¤—,[ÖÕl]5åâ%w•a³Úøa«MSVk†p¨Oz†Â@£dh·B¢ÓÇRkmÀA
-›Uëå½Ä0k”°¨å¦ÈWÊ*å4Û^‹tŠZ”bêùå4Nk‹jKKíîÀâÿªuQ£K=Φ@kLÁ‰xñÇfYæe3Â¥¶,•Ü~—‘7Ùò+pC½"•°hhými7Rd¿Äç¸Ù8ßÕåúid›…â JUy~›µcÒ€2”¤?¡$
»®“¹®FE1Zí ›ƃ–ð¹Õ> –‚uIž0+dߺF
Zr–H¡[–NȨ€qÑ3eÔ%`%/4A%Ñì± ±Þùá;Cg^ŒŸ-ö+mËšÜ'Ò0£TTPÝdM±ÉASZÉ–Âþ¹ÌŸišguà§lh¬À8¶àcêsṲ̈VŒëDôM‹DGý§î´ºËZãiYËÐ2™Þ6ôñ¾Ú-ç4%³–iêUç1yQ×Ùö…Ñ}áëf·]‡O¸õ‹ðú¹ÅAà2¼-Á<ÛÕÞðá]½Ì¾u‹Ü[
1Ý“6ßfõ3D p^B$“4¤á“ñ€A0³…1o#ÐÁgM5««ì˜´€#”r­ÎÒn†ÄûGÍ1›Û£>znáiÿô6b–œqž¸3Çýâ)ÊB“ü¹È¿âÔQó/³UqðT°€Æ‹cq÷…Æûûºhèëì)+×usè£!N|4dáëj»Ê–)@	sZ9Ê Á­Þ}~¸ýð_š¯Ðîž
-zðf#Éц	)™$¬0!`"2N1ò·ëŸïo?ÞÞat¦ç, /›>±z·ÙTd©ˆ¿"zy”Å4óJBútj™¼*T‚'ÄÄ ²Óݲ)Wpi9D7ȹÐcs3ýR­
-(jtº’ž«}ñ ÂJF_ú³CSÏ2 ^–ÀZ+ðè%;N‚n`uƒß®	ø¹œCºÓ—Ev¢=@ÙÅGOú´ÛfÑYKù
¾öÈ,ZDÖÐ+r{¸öRíh²¯€Kr:ø”ù­´ÑŒlOC°Ü%ïw ê¦\.i	L!`
-æ3&SWMc™GÏ!võÂQö²u¡ý±ÀÅIïdÍ¿à:@§½SB‰¶E¾ÛÖècÈ:Ç—ö,Ù3$ÛóK\3™êÙ©¡I¹9ë– ;rJ¦d‹Ë`5NzƒvbúÞ+žß>âÀ”2X¨›š h%H0Á–¬	ž6ÇÉ6ÇOöd,H©ˆù?.{;€ÅyÉðED²¯¶_C¢Œ%‹Mû‡<2WÒ¥á”ãK®@¼zï9à:zHDBàq—Îg±þEO,BàO5¼:ÄX®ƒÒ¸: l%…ù¼òF¯ƒË‡–„:›¿Ð›¯ëjÄU`5¸¡¦”1£ G™nCÏYwyiMÖ¬7à*
-F›õ@ž:΋EGÊz4›·L+^a[¶“÷‚wU¨W$ÁiM3žgC¹ÈM3¥mgd:žˆÅ¶e,¨]ÆH“
Iþ
UÆ0!:Êl–%@x7j¦ÿMµ¢§§À.<$ÓyÖdc@ÁgšÖ
-`ÿVÓ7yáþï!	k,¤x0ë0ȯ‹ýybEàÇî9gõXÌ|\1`Þz‹¼éÆC$§µßwŠmék;Å“é;@O´Ò§ö8‰^±ä°G´JQ΂ÉAsˆ~Ç*RX	@hY{c…§jSPX¶ÞAò>r²Ú|ƒÉ|l=†ŽªúºÛÔ¡ûR1èÔÕhÑyQ*£	.Š&ž=-wc¥‡N™Ñ—fPFœ>N2eSw>út¡N‡ŸÊŸ‘E.OgÍ˦ÃìØ2.už|5B¿w¾%¨ÞÙ¤ÏÀ—x:·¡ðð³jÄ@³É…‰³K]Ô?y:Dè«•H¥ ël{DDД†à£ŽÁ£W~œ×ôi¶¬"Óû²yî!¶¡›`ýoÉ™0¡­ëÛ¢o“øÜ¥xÛýÍÌ{ôh}1e9¸\LhF]®jD´UÆ+šã‹Í7­8Òξ¦5¨RßéLÇ[ƒpþ,Tþ<1§qÑwp…iü¢j¹‡œ²ÄB	ß±ºV³,0ŸÊ‰F3ÕŽZˆwm@^$(ObFµ'÷óõ,Óø/§ƒži
-‡Ü‚‘)+™Æ7M'¿OpŠ€:s/ëA~á‡Û•œ¼¯@¢IW¨€xÖÅì…Jdï()–(¨H•…Eãª
-	ø˵äÓ"<”«ÍÒ÷Š£Ü>tŽaæ[¯9£K']åþ¹ýR°‰ãà&}á?gMw±4Ń$Á1XaÏ{G¥3\wŽõ	cVÎg›ªZ<#‡¼[3é :Æ4 ­\ïÂf¢]ÚÔ‚Óݶ`è¤ÓÚc]-‹f,¨€Æ´IŽº‡ƒK‚l¹Ï^ê¶|ªr¨ÒÂcLÚazû>¬uÒü€ÔËÉ€	"6/mIêÌžD¨ØÆ›a*º2¯þ?MÀÎ2ÐBpÐY†¥x̺œ¨8”ß[;Å’Þ™NcÚ:GC™¾\R„ QjŸçÀBÈ旅4†ÒÇPƒp`Ód·^RBƒhb5÷Ý¿†€÷ˆ+”)>XÁa¶iš5-±+šøzȶð‹™ï°ú•Ç¬ö…ˆ~ßõ.~Öý`Ä»ðRBœ~Â@ál˜ã]‚Ѐ¬K`àåZ¨|±¦ƒÑkC	Æ„ºT‹t¡N»öª·@¬9n…A¦g P:K8
	÷‚­KðºGô	S°…\êpóvít°u’)Ñ
¶‰³¾¤RN}RD°.¼Q[ºwÁq^ÖÙ£·zx¸ýùÃ}ÿuFÃ&Û‚)ï–Ù–ÂáÓP±À£¿W°ÐèÄ+—›mlhC°áGW1åzýüƒ©U¶èHgÅ@"äÜl«oåü°WÇÌb»ÑÝí…Îë±!ƒÅi£'Râu/…á3'+‚Ϻð#}Œuä\IxsÌïÞÍôØXZu‹!¶×:•¤Ìhþjµ´ð—8à(*óA- ƒ<â‚VZ¨<±u6Â)¦•¾ÐvïBv6-Ô˜÷ûà˜S8×g©·P#äû¬1¯Ú£ß@s¨éë|[vŽKµ9ˆªX©¿ë(&‡ôèøøA‚`hz‚ž;þ‚ÈC¼¯=Z0a»{5z#Ô6†ØÎÛZ"¡ƒTâ¼­u ÎØZ„¢F´¿ø·5E¬€û,õj„|ßÖ4þBÃôéÿ5¶v,ű­·6OÛšM =AÏÙZ„¿ òïkmMá/‡Ì…}o¡.°1ÄvÞÖœeÒ¶Ö:ck
-)6Û"kf9UdY=«7Y^«diçÙh¡FøèÒÌHnúŒ„†‡æû,,†ßŽèp+¡I³”ã*ûZ„o¿šªe\÷b
=æÙv[Ò/´è_pÁ3ÿBè!†Ê±¯!øqÞþviä@@•
-§0ž‡±ß5±Ôšˆé„Ÿ' _ÏÙ6Ëgá)M?\CRJÖÐuµM7è5ýü–öþò„ni讞iýÔwáM“=†‹#O²9ܦáwðn‘åå²lÂí|2]VÙ<Ü
-YºÛEªèqFåT í7Y¡á§»ÛŸ»/PÀ­Æ®ZÂíÔÏû¢ý•<=k¼«![}XÎÂx÷@£
Æ÷Ÿ¿Ðdå/–è*2ÞðhBÉÔ½¡ñ±Âæ<Η0;µÿÂRÏó•û¿û¡dÉmÃÓ	âÌ£­«p+úwc 1y!j`ÎüjŒ`ümÜ|^"3Ùr¶ØV«Y¶kžß´„½Wþuì¨mžžã­…0ׯe¼ÊE—»ØrúðûAå»…kr†6a\øm¾y,ž³o¥¯ÿ!‚³uAºj‹ÎïNü>\H¡Ô¨(|ÍáOÿxüðËzm™:ݲ€ ¯S@¹Bµ=´ð3óæÿ¼¿‹Àendstream
+xÚ­koã6ò{~…¿UjU|‰îÓv_—â6{—ÍwhûA‘•XXÛòZòºî¯¿Iëe{=ˆ(r43Λf³þØL¥qšñl¦3«„©Y±¾If/°öþ†9˜¹šw¡~~¼ùéг,ÎRžÎŸ;¸LœÃf‹_£4æñ-`H¢×ïßݽÿ÷ë[-£Ç»÷·s®’èÝÝ?ÞÒèýë^=ÜΙQ,zý÷Wÿ||û@K©ÃñóÝýšÉèqéÃÛwoÞÞ¿~{ûûã/7oÃ^ºûe‰À|¹ùõ÷d¶€mÿr“Ä"3jv€—$fYÆgë©D¬¤~fuóéæ_agÕ~:%?©L¬¸Lgs!cô§¥ÌbÍi•Å©à"H™³)){(”òz¿j«íªœ›|]6Ã]3!âèw1è{ 	ú¢CŸ	8]®EŸÇeÕ€è3ÕÛ¶ª74>äv2öM¹ ©Ê-¹“„‘!¶¦×|µªnHE½Îé³4ÂíѬ‡_æ_ÝŒA¾¾õÁ¿Õ_ɵ-²8SŠ[Žw·ÌDeQÛçù䂸ã<úZÕ«Üí¦ëgšn—%M¼¹ÿD3M›o¹ÃJ*æ·«YÌ‚Í!ïÊW‡üØx»ªhWGZ)7ÏÄSQ6ª§-%ý˜h¿²ð üOu»¤‘Ý<×yÓ–;ÿ–$<€ó4XA²UA/ûí"oKØÎÐxœ†êDÆtàŠw .¨±‡Â}lê¶z>É‹Ô˜Ëd=ÐÙ®öš,àÁúdïž‘äOï¤éêys¥3ÀŽ G2ª6ÎbÅ”q0¿%*±g%ÀS-ÊçôæØ0c4éŒPYtÿññîÝ	ŒµÉ_ð8p…tÄahÊMK£Ã²Ü8šø³Þ8 ¢+M¹ûŠGŒ“•G·o—õ®jA“ÁF¬)ˆ=‘è«*h®ˆŠe¾fa¦e9r$JÅ<•rgK©S”2-î^f4xèú?ï~0áTFx‘¯OeA6ˆ¼¿rÃN¾·‹|¤ê
+clÈØ´L
ø·’ØèXÂ;KîÀ`„¾	—ÛeXÂÓièeU5.¢r»x´?8ìVa`nèªìI2žÄ™¯†:XþQ”[äDH‡Þà8è
+Œ«p]¡S°,áÌfð駯hðÁú;´¬^½•"Wb¿«é™oŽ]r
½„Í(‘qu=ÄÀÇ嫦žŸÄàðÐëH¥œ%RŠ÷wKs¶ŸÊóŸÅFkíP¼æõf5E.U±VB:X”€È¬÷²rÁ­ò®rpYDvÚ©	Ì‘ÝÁT8˜DÀHfzÆ1aêb w!âåÛUUTí—Rdž'ú;¸ô¼ñÀ/Ãó$×Á4Æûþ©„³Å¸áY±¡ÞýYÛ˜ÒT›—‰Sf"Qj/Ê˧,! *éý-†[–œ’„C‡d&qqe™ßF²¹©ýó$%(½”ð¥ä”‹')„;ÞS®ÇIusM9“£3[ÀÖSdØ'$4ëüH”žJz6Û²8ٰ˲paÚ²¨/×M&‚›Š•^>è´å6‚’‚
+‡eU,iXäã§jéYƒnìÀÃ4—¸™C<ÂÄ“õ5‹¶Žâ7Ùyq¥:ºXDŸÍÓ讥õ~µ !i57ÆŠÎb.ôè»#½Ú¬–Ûýnã>yÆ“vË”æâ´Os¸r«•#Xä.ß…µfùi[¥!¦Ýn©L*vy³<›p©”ƒV@x¼˜pu¡Î'\꤆ó¶ž7u>
+ö`D&dá"ù5A¿onY¬Ò}&×€x2v9óJâ$I}v¶ÀSKn‡Ų,>ã0sÙ3.beÜLØìžÂ&õð|xhÊ–¾Î_ ôhÚ ˆ8°1v_×»5/GwÆ)Dg>ð–9%ô>ıË'è¥r?í#Ä
+Ìý­bžŠîx€‹Ê8Äèæ?>ܽ¿»ÇMï¹C^µ}bÍ~»­I_MôŠ(³ˆ
+/.¼íž¢2é­«ÇDJ5’HƒBGX­Á"iÚ…8¨Òm•¤¢Oõº›mrˆKËúP~%7“Ó—Ö‚hhYÔ«
+Xs±^íÎN¤S'xÙà·^VHy¦ª¨P%iƒÛGú²ßåÞ
iíÊ%íTG£Fä--‘óùc½§Á¡.Éõà[nR{5Ò=	Át—¼=€hÚjµ¢)P‡É©ÏÔBrŠaªu±,·(”+ltë™Â Rû¢1@[³À¦
+šÅY%ˆ¥‘ê²êB÷QÊ·e±ß5èl”3¹XÂ]¤ì&(÷¼ÔƒÜÈ>å3Y¢2‰ºèœ QÊ7¼K{|§®s-xÿ²/mô!%0Ñ´
A¹ÔŸðc¨*6OG”ñÑã'R¤ÔB<ÄJ§©_ÂÉWâ"A±’C½ûìRfluM7L¾ì+ànÊö9Ô(ù¦9Xéý¤t[cŒ¡ÑóÌ&´v¡·-B`m–Nñ6‘Nh¾>™°S/j«ê°ì?|°"ÔùâH+Ÿ7¶›Ôåʱê
%ÏC×æäÈãÖ¥ðžw§Ÿ!ÅÉ{€ÍFÓa=’¿6¾!@/U3™ØëX(;A·t'†MÞ×­£â×Q¶ítÊmXœ(㳦]縙N•Ddsbç>ÞÂ`K;ÿŠáŠŠ(èWƒFC±ªÂ:S=Ûoê5½½8vá%y›O9Ï©‚ÀþÐÐ7EAÿo.!k	Ì¥{0ê0èÈoÊÃebO¥ãGîçÍ”çÍmtQ V{Ë¢íFEåvNs_öÊ]URÃ0^z¢6ÍÇ÷ýˆ¥€3¢YŠuÊLÕ)E$°*€³±Ê*°Q[Rpsá¶ÙC"?a¹‹!kÁ²X8]÷¤®?ï·+É>•¥=M=Y€@vd¸WÁç²-–ó—Õ~ª‘&–ÌûÒü	JŠ³!Hd<&»‚ºPçCP€²6ò\p‘˜y{Ü–lœ&ë8a©¸L>@MÐïÙ7Ñg:í3ðÉ[‡H´+B쨞p#)”¾é•…½#“yù“§C„¶rñTJÒÎÐ-"‚öIÉŽ¨G¥Çítü4_ÕžéC…MébíúJÖÿÖ··Ò˜IMt*mS¾PWÓµ±Ñ£{í{ô‰ËÉåªäŒËUP”°Pk|CŸ`¤|àMUÇ$$TuüÛ®”„±7dfúJ	ìO³8MRu}—.7ô_ôQÍ=wèºbÆ„éj],ÄCjÉgBÈXfv§÷Y¨T2×W"ØíÇÛyÊ¢GøÏ£ÑM›× b<®•í¹Î¾Ì ôÈ,ÓÛž`'~º[óÙ›¶3ëîÈáwÛ
¥¼gF"NT¥‚ª„Lž¶T»üxË“¨t/Õz»²}ƒrÝ»‹e£c—i	cff]Áþµ³pi4?Ý%þ5MÅÆ qÉÒËžÌ$Z\¹±	P(Qpój1ßÖõjäÈ­f]´c¿è¡ÆÔEÖ³B8PÜh¼»vóý2uš{jêUÙNE›Té “8º]·tTEÕ^‹Ñ«ÏÚax÷ÆÍuòü€(š³‹³r±kESê¹x(ßÓ›cC
+»ª_C0)Ó—Pôc–Š
ÚZ—ƒ3ÅS
+–ù½Å“¯ì3Õ)tT(t$Të«e@âwm¼?¦ï¦7᎙¶ÙN8°w²ß¬(£A4¾§ZئÝ9C	à/²}b£X´6&t0±Ešrº´ã¤[øÅÜ_Þñè)ol$OEôt¤)Kõùx¦W®$ø>Í;}Ûî[“!ŠÚ„…~oåøšnÇ‚ËЂ©«½a¨VØ°ñŠÍ&°¥T¦îÂv‚0’œÂòp´èïÂ3lòBŽ0le›Ã0õ„äk¡ÃÀ6Î(BÝ_Û5‡Ù³wZB¨
+·K»Í¢8áŸÒa	ðiʺ/Iè”Ãw.áX¬·ô²&›g1Ǥ»µ§q¸Bcî
+>l­3Á‰¥ýŒþ$–¹Ã;QòA˜MUÖw£¼¾çS ×Rrˆ˜™ìÚÕ°Ÿwà'|Ëkïb˜~Òž¸–/1Ë9¡ß
{ ËLŒpMf‚Þ_3˜4»òóˆ.Ôy§ B°ý¢Ì°Iž‚é"a4&Ü‹³YŠ·>¬O˜Â¬Ð§k‡¹óakÖ
³€Ñ6„I¨QŠ6¥UgM×/ø\TMþdõ^îþóî¡¿œÓc›ï@‰÷«|GÁìYäŠxµ·«Úÿ4ûÌ’1û«Bæ:Ú‚@ò«Ùw#þgŸô¬îôE'š*
+ò0·Ïí®þZ-Ng54-­F5¸âs­×¡C¥,•œ1߃¯»bT|Þ…ŸÐç!Ö	£â èCnø}ðkªÇÎHÓÔ.ÆؾÕÕˆÔÄJ&ß,–£Þ‘`d,F¥S1dW¤ ®ð0ÆvÙÙ@þ¬2%®8›Ôg㡦”¸ßò§lÀ®/RPäû±´1…â³G?(@{*ç›bWuÌ¥~ž0D¨÷.¿ËÓSb44?ˆ>Uo£—ìÏÃ_Ùòï·Z d1Óݳš´@u…1¶‹º¦±IiÍåŸý€.üêÏQÚ^xL+Z,ü"é4¦ÝW3k4¬.ñÿ–
·0Ô2ðsÀäy-Óëîò’’yðËûaýVø³!uù¸ÐeF¸¦õË÷\UŒ¿¿› —„à/ÿ`ûôkv©ca?/=i‰c
+WrlIÌ¡°™`ýQeÂendstream
 endobj
-1342 0 obj <<
+1345 0 obj <<
 /Type /Page
-/Contents 1343 0 R
-/Resources 1341 0 R
+/Contents 1346 0 R
+/Resources 1344 0 R
 /MediaBox [0 0 595.2756 841.8898]
 /Parent 1318 0 R
-/Annots [ 1345 0 R 1346 0 R 1347 0 R 1348 0 R 1349 0 R ]
->> endobj
-1345 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [180.4479 265.7126 244.1386 275.1421]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-1346 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 220.378 326.6578 232.4376]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-1347 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 220.378 416.2908 232.4376]
-/Subtype /Link
-/A << /S /GoTo /D (incremental_zone_transfers) >>
+/Annots [ 1348 0 R 1349 0 R 1350 0 R 1351 0 R 1352 0 R 1353 0 R ]
 >> endobj
 1348 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 189.6287 342.1692 201.6883]
+/Rect [154.2681 688.6419 203.5396 700.7015]
 /Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+/A << /S /GoTo /D (notify) >>
 >> endobj
 1349 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 158.8794 338.8219 170.939]
+/Rect [180.4479 182.0134 244.1386 191.4429]
+/Subtype /Link
+/A << /S /GoTo /D (statsfile) >>
+>> endobj
+1350 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [265.4578 136.1089 326.6578 148.1685]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1344 0 obj <<
-/D [1342 0 R /XYZ 56.6929 794.5015 null]
+1351 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [367.5441 136.1089 416.2908 148.1685]
+/Subtype /Link
+/A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-1341 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F62 1100 0 R /F39 927 0 R /F14 765 0 R >>
+1352 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [280.9692 104.7897 342.1692 116.8493]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1353 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [277.6219 73.4705 338.8219 85.5301]
+/Subtype /Link
+/A << /S /GoTo /D (server_statement_definition_and_usage) >>
+>> endobj
+1347 0 obj <<
+/D [1345 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1344 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F62 1100 0 R /F39 927 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1353 0 obj <<
-/Length 3932      
+1357 0 obj <<
+/Length 3982      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Ërã6òî¯ðm媈!>ÎŒ'ñÖf2;ã©lU’-Aw(RI+Î×o¿’åÙT샀Fh4ú
ªëþÕu¡É£ë4‚8Tñõjw^?ÁØ÷WJp–i9ÆúîáêÛw&½Îƒ<ÑÉõÃf´V„Y¦®Ö¿,ÞüpûááîãÍRÇá"	n–q.¾»ÿ–!9ÿ¼ùéý»ûï?¼½I£ÅÃýOïüñîÝÝÇ»÷oîn–*‹Ìײ…	ïîÿuÇ­ï?ÞþøãíÇ›ßþyu÷àÏ2>¯
-
ä÷«_~¯×pì^…ɳøú0Py®¯wWQl‚82ÆAª«OWÿöŽFiêÿb“q¦Ój3b 
-¡%×iœ‰!d`kÏöp³Œt¸8nm-µ(êöheýÄ¿÷б­Ã*W[nn‹g+Öë²+›º¨xd]tÅ7ÐLÌ¢9Y=\lšªjŽ~õ7ïo¼sû®‘¥p®¥RAÇšˆ|ËÈøÕ¶(ë6ðX a–ÖÏ´QzñØt[n5þí¶¶µØT‹f„¶/7*[Xî´¶ì×ÿö]”Ù—†6!²w{~Ò„ÇZ¡ä‚ók‡°3/º¶›¢¯:€)ÙË
&¹üÂRÈ{´Ä%ÆÆ+!jeÚ†zÍNÆû%1e©r 0ŒØm›CÙ]‰÷¥£œî‡Š4ü³©­p¹©
CýÔû
q¼¬14N‡B‹žé›“‘±Dà€ìHsV8À`¼ ò<ðŽûê…áDz’íœh ™UEæH!þf‹¾%¾!HöàÀ/„ƒˆ Üã@ÑOù“3+Z­eññüLðªXm-Ø(Ž÷5ÃÚf'£mÙõ…O+[¡µž‡
Z_¯m[ŠÇÊGMhmê¦s¸bšiD“Bg`Æ^Zãõ­ìApšg>§q$ãø§­:8¦¬J7Ák
-Lˆhd‰Rå{è*f.¨­ÈHèd`j’-vÅÃeÄ….1qØ®Y—x¿Vú/ŒÐ×Ýá/¹s#ÀU¢@V؇ì\ŠI’ÅmÕ6(`Ê‹ç¦\³h$î
-”H¶Ähèoà¸3G‘»ËôT¸3å„FD^Öî-‘À~Ï¿ÎØâp³·/¸dÇ¿L 웶-AlÿØÛº•!ºª32´·Ó3rå4—/ªmªgÑ·ã–vÆVÓWkÑJ¬cÙZ¯zô»g
x.ù®RÖcµ‡Æ©Ú‹²Ïìw(UàôàpÅnO¯CPŒ
B34‹8(f›Eû¥åÖ¦¹Q™]ÔüûãøWD»qkmÜVÛ¦íĸ«±Ý6&H³<ýiš@ˆ
-V ñç†>š˜Lð…r’\Ü…ØûžÓ‚´÷OlÀ¼q®>>±mZG3´FAž©HvÆC'a¸P!ÿò¤×¶›!]QBâhÇ]ˆ~½¨›Ã®¨*âvèAw*bÓ2`z*¢#¹•	|¾pqìð°'juÊz
~5unuB¿0'NˆYô”9ógƒµÂáZDUÄ¿'2ªð{´U…l€(A_êæXÌ>“Í(øŠþ	
…"‹ú"Ëx;ºé¸Qú922* MØ5|²]‡¶‰í2UbŽbt¢‡(FCˆåâ=ækª“s˜u3'	Q #e]¶èvZÞ@Œ¬þh!Î+É$ÚYg7õeÀµó)¬É‡tl^5+#LŒˆMÈϲ$HôÀg‡ÅØK)6Œ£¤–;ÎaÏŸ‰E„Ð"Bƒdt¶&QÁѾõãøM"0LvɇÇ!ñ”èGcö£å‰fzøYfñ\Úã(Êþ¶ëìnßáuÌf]'º`kw~è\(T©1¯K…	²Ô˜c‰/«àJeý]•›‘×™] é¬éÁ®úCË!,2»iœ)\üTqyU³qK¾v€y)1 |ª¯‚ÌQ¤™—žăúÄb®°Q5OXjŽ ³óW<ÙYaúô7¢,ÈTâr‚Aæ—›C³[R”…±®¾p*
T¢œ},VOVë±ÊFN
¡Á,‹´D×£‘Én Õn9VÌH™u“ÓŠ$òôDYaM‚¬k¾ô{Ô¡5”„²¼`‹cVDLÎjŒ‘9KJœcÚ
V119è)%C0TÊê}+@ ŸHa³Oo¶hríÖŸ‹ŽæÔ£‘4
-”†X{ñœÓ.­™`!ãדT(æ#±º~ÛÛW’[ò4ìzêb'>Å©$ T/…*T½gK'Å÷ñ}´Y²&:¶Â¹°Vös>íÑBòîݟд·p‹Ž+Ö/#êf³z´ÞhMFæÛèp€`Ïsì r`þÅÀ¥ß… ½±‡CQQüPEVGYZZÓȶ>›ÁIÌw:ºá)Û9”¤•¼…ÜÜ‹W©;îÓ*ÎqbÃåþÐÄK@ÙÒŧò¸L§rZDZ3?Ì2ƼÀ˜°ÃÊà¨zo.Oô§€I,DCƒm6ÔÆ™)
-µPPî‚-â>üŽ‚/L)Ž¦ˆǹQ5JYíW­ª¹dU—~þäö¶
Æ‚Ô
Ì9:ÎB1Ÿ4˜äCâY¬10L”D™/T¸ü£Ý7ìV2ɽr—ÉÄÔxf·e„wï>º{0œ-MܺÔ,=ŒsñŒ3"Ȫ7¤kp;±3-6'¼2CÏ{2Kcƒ';ÄßûÁÜR°ÕNLžO5û¡Ü#$­ÀPgÅSyãL]GaÄ`:æ‹Å‚´cq­SÍ‹=çÝj»Üû½]/1©*8[“¡aJ’Eùëtx¬B¦	I‰"6Jî73Fâ0zµ¼±@nô8ëäP‡\CÆn~ï?ÚÚbU¢èä0ö¦b'D8ˆê¶sºË'F‹üð想ÙuÍEJ"r%v„LËÈœ‘Ÿ8€×ÜH‘‹ç£$Nf¬VvOu3„6bDN°Õ6«/˜ÉtÜ•‚ª¡¼äjÎð—DÅ·(‹]øf|è5·'beB/{8†b%S0¦{ªyR¾Ø=äœÃÜñ)d㊿›¢¬xÌAhM!ã‡æhŸ9®üfΛäiDÆÙè‚׳^ÃáM½¦xÍ+–Õ¼À»ànd†]Ѭ‘¢8G)…®Q!&¤b™]Ùm"ÝRƒp±#䫦?@j²¾hR
¦}:Ó¯›Ô1Öe“ê±ðèåG°×]—ì€øYð3g–UÁN‘Ó×ÉñX3ôLl!…zJÏÏ>Z˜˜V£³7_{º‰rãÓ4zœ‰S	{@õ}ØÀª)(d‰©J‰Ú¹¡"ÝB)Îv˜YBT6¿K ¼ìdaBóšY¤õÌˇå„Ë
-‰+ÌÙ’ÄG
-`ò ?P"Ï!Å®T#ãÅ_&X˜Z@Á[íÀÈSp	ãr"@qFˆÕMŽÅC0:Ä¢.,ž/¶[Î
„ô|Lº¨½É4Ö2_ßò#
-YÕª¯ŠÎÁÊÏ~Ðgvä‹AŒ9h_‘5‹Ó˜uôŠ¬9”röÌ3auÕ<=ñ£š”#W"Œbbã?Zþ›«cÐqw‚m	%£Øy•a…ßHë'+K¬
-ÙàQÖ§ËÙ•]ç( G¿kHWZö“¶ØÉ>(-O,ÚùhÓµ‘˜èÆ"1ëÁ¿ÃˆeÑ¿
cï|U/hz$h­tþ}”av88Åùl£¯_ÀÆ—+F£w)¦ŒŸCr¶5C¸³Aš–sŒ8–kÊPCCo9øËÂ	
ÿzÆŠÅ,4ÃÙ
-ñ‹fñæÃgY¡ÈÎîÊ¡
‘@Û™}"g`¸z%9=H"½ˆ¡ì{T)Ö¹ç^ŠØiV$ýËÙäIôï{¯0Ê"wÀUp×áѶhO“_Ñ>¯§3ßá¥
!Azõ	SŽÀ(U9Mà¥z]“GH—Ù!‘ôÕ µ«%[ÏsEέ²èÕ½=Òùæ“SÆ~3šNv¿«ÿÑÐÛ÷Ÿ>ݽ‘oú=Dò‘Q9WRó
	u®¿v«aç&ñ¼]Fa²ø\‹Le..Ë.|F™€cŽsó÷,Íò¯Ë_j÷y½Z÷µ•ü–ò%U)$¯‡Z(ßæèÍ$F˜	RÊ\¸óW9~g>øøX\úàØÄ~%<#L¡W†¿ý1òð¥v”&»T˜1aÖÄRˆBÂãø”rÿÕò9éÿ€5oendstream
+xÚ­]sÛ6òÝ¿Âo§ÌD,	üxt§õÍ%Í%î´3mh
+²x¡H•¤¬º¿þö )SéÝÜÙ`±Øo(ºá?ºÎLê<¾Nó80ad®ËýUxýcß]E‚³vHë)Ö·÷Wß¼Óéuä‰J®ï·“µ² ̲èú~óËêÍ÷7ïo?½Z+®’àÕÚ$áêÛ»o’óçÍÞÝ}÷㧛Wi¼º¿ûáƒ?ݾ»ýtûáÍí«u”™æ+Yá„wwÿ¸åÖwŸnÞ¿¿ùôê·û¿_ÝÞû³LÏ…òûÕ/¿…×8ö߯Â@癹>A'¢<‰§D?jØ"”'êyèágéÕSeO“ wrø›RóÀGT†ÍºJ8t%ÀÎîýÐK¡ˆÂ8HµþºT`Þé
Ì©B—Õp¥²áÁ–ÕöYäuah:kÚÙòØõòÁ"‹›š,HáâçŠÈeAÌÆ-ùÚæ¥l€1Áô|EÊyéY@<ªÏ4…­ÛGˆG,º†£èìÁüv)óøü5fÄYE‰K	–NuÕ…ËˆÒ J"g‹ÂÉšƒc5ÕØØi!4˜c±’àz22Ûm¤Æ-Çz‹^‚³jrV‘˜ ?¯t±¾ê9×~9P…Äi(.eqÁ‡¬8ˆ˜œÔ#r’”8ýÅ:ÅDçR~Ä¡JV?öÂú‰5ûì‰Óã„ã^)8ZÒB^DÐ(N²ÓŠˆ·A/ci—ÕÌ°ñ›Y&4©Ž¾ZÒíåÔ–ü;ž†ŠQ<ÒIüOþ§YQ¨xO– Šçãëh!³dMíª|èÀzÙÏy´™»w~BÓÁþÁ-:7®ØôÖv]QsÙN+.@ã(‹Ck[ÙÖç2Ø!™âÎG·¼"åwÆY’J
¾Œ‚nħ4÷iç6±á2hâ% èÇéêsÕ”öÓiœ‰VÌsŒ)/0åC è°28©$Ú˳+ò	`b„‚xÌa°ÍfZ;k¢ãˆ-”¹`‹¸ßIèÅ€9Åñœb‘ÝxiSu¤‚,‡öWª¾dT×~þì¼;ŠM‡ u+BnŽsPÌ&5¦øvTýL"‰;2_¦pÙGhÙ©d’yå.ˆ¯¦ñLªl§Ûw?~¾}0\Þ]pâÎ%f™è¡ÉÅ/.ˆ «Þ˜¬Á=ìÅÌô,PØœñ~Ì=ï_T€ec‡øûq´¶jµÝ™Åó‰æq,öI%ØÉ‹U`
f/Ë⿨O±.W=gC¹[ï‹ÃÁnÖ˜Òœ+Ïj½a$Yœµ@È<1&BX3£än»P^„qã­–‹‹
+äZMsNtÈ5dìEà{÷ñ)–s" G@"(ÓL.CÊ™=n¡g†½@Ÿ Õ'Ò }JA>yž¼‚µsB:‡‚Q”¬°èBIk|À…çðEGÇ…XÞéÊøöÉ¥¡º%ÞæX²Àæ^+Om÷…ÑYÜ97Ç‘‚?_l×ØÚ)nÅØRi4¾ÒG[[¬Iƒ —g4!±@T·_Ò]>1Zäû7Ín.¡P
+‘GbGÈô÷ŒÌiù‰¼æVÒ\<¥p2CÞnÚÎ\ˆ9ÁVß–_0¸+åTMYÉÕR5^•Þâ̸è-ÌøÐnÏÄJ‡^öpÅJ¦`H÷Øð¤|µzÈ9‡¹ãSÈÆ¿Û¢ªyÌAhM!ãûödŸÜóé‚7ÉÓ ‰µ‹±Ño½†Ã›"(BóŠE5/ð.¶›˜aW2@¤(Ή¢ã\…˜ŽŠevE·1†tK-=¬A
+P¶Ç“ËkJ¹y˜~ݤN±.›T…G¯þà8‚½î¦ÚbÄÏ‚ŸyaY#Ø)V0ó«äx¬zf¶ŠC5§ç'-ÌL«ÊÑÙë¿z¸‰sí³4zš1©„= ú>ì ¾±÷.ÒØ÷1T¤;B(Åy#Ҿ跄¨¬™¾J ¼daBóšY¬ÎÊ_üÏ!	W–³‰!Ž<ÀäA$ DžC2®P#ÓÅž&X˜Z@Á[íÁÈSp©ÝoÅ!ùµ‹‡$`tˆE]X¼\j·œéù”tQ{h¬e¾cÏCBŽ<' ¤,êòXÓ/%ÎP~ôƒ>³#_bÌA{IÖ̤†uôŠ¬9rö̆²nùIM
+„±+ƆØø·žÿÅæÚtÜ`[BÉØøßcøb| m­,Q²Áƒ¬O—³¯†ÁQÀ¿Î‰WHWz÷œ½ìƒ"ÑóÄbñYÁg®ç"1/ÏMEb)¿ýEÿ.Œ½—‹z9S9ë¥Ûò÷A†å—I0Źl£ünžÁÄW%£Ñ£ÆRÚ?ΡJ9S‹Š!L€Ù Lë%>œª
%¨¡¦‡ü²lBÃ?ÝèPÞéC=ž­·¨Wo>þ(+4ÙÛ}K‰!´!è{!kaŸØÙ®ÄIN¯‘ˆAÏa(ú^%£‹Ü—ôNÅz‡
¯wØaŸ¤86Rþ‚•¸#J1µ¸à`ô¨)ô\Ûb£xpò jÔ¸õ\—i[*̸àéIÒË:‰ds®ìÁÅmÛY¼×WZŽöØDq";
…†ªÆE”n⸢ âo7\Lé‚Kaïøæî
œ$–Óï6£ò‹gj¬KÈüK½ÝÚ®è*WÓB+ùçbTÔd	›NÙµõæ<ôp÷ê‚Žs^»zÙ,ÄWs]ÿË áÌ3çY‰¼ËŒ¤§Ëöûeÿ¢Dj±ð#?è> endobj
-1354 0 obj <<
-/D [1352 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1351 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R /F21 738 0 R >>
-/ProcSet [ /PDF /Text ]
+/Parent 1359 0 R
 >> endobj
 1358 0 obj <<
-/Length 3403      
-/Filter /FlateDecode
->>
-stream
-xÚÅZ_sÛ6÷§ð£<¡Ä_’®ãäÜ^œœí»v¦í#Q6'2銔÷Óß.vA‘$5×Î\<‹%v±øíb„—«jñZÕ÷Ô±q¹õ"Â"œ_Bìí—¢K‘W8—¸€%r¸º‰­$3ô‚h¹-»Î+† é@†o5O䕞ʠûU)Á",Ëâ¹ÇÌÈeÁÐiAôˆËja2¸ž×˺\Q Š%Ó<-‹Wz.º®˜}i÷#a¤­=‚Ä×$.Tð÷u¹z]6÷Û‚óT8›å‡¦ˆàÑ%J8›#É·Oåó7	ª{(Wð sÒ‰è Ù=­$ÐÛ‡f½œS‡HëŠUWÎûQbÁVy"¯œÎ’8üÀˆ]¸ÉÕ"p3aœÐrk`¯mm<AÙºéx
-`ˆ)¾A€ou¢ÆÀ¯~MUÎß<—uߢF0˜Œâ#Í®\=Vµ·FÚ×­žØUËzÆ”f±Å2xVtå}2#VqVdºî¨ZÁ`îÔju4K#´Öêò\¸Pâì¡œ}™"ÚÈ+­ÐFÞsE¤àÛ†…‹¿óaI›¼KšWiëÖaŽHáêVÕ¬ãP¡köP¬ŠY‡îƒtÚ¨^Ôsj´¯uW|¥^\XÿR¹êŠŠÅΛGjCY„´©–°µ+cƨ|,Z©Ýº¤-¡Øïî€]¬þSS·H³vù9QžÔ<ÒÍuÙ½4«/>)ÎÂ>â†ûˆƒ¬ËÃŒ˜Í?Òœw'Ç9¬Ûh
-붸Gx§€I›>U“w0À.¶Óêg²l€(²!		ÉÕMŠ¡r¦t°"µŠí6Y™¦
!kQTËØæg…Éå =Ô0v\uÞ–§µ]Â&KÌ,¤.û5)VuLDd£"š{!Eݾ”«–Áç œÈíVb9Ƥ
xFq‹Áû}b“ØÖ®”°¸‘‘:+Æi,”ûº'-Nn‰‹æ§#aí&>B¦Ô¬¢K‘C¬ÈÓax<…AS®ƒ@ÑŠ(É¡…;FÉ&kï‡ÊéÉ›ÈËò¾Xí¡i;vpìñé0O¢PÀC°WpDr²6<¬
|7ï.ˆëÄoÖÌÈ]z’)ÉByðÇf^MÇn)Ù¬¸Ý·*Rv"fMÆ6ÙŠîÛÕ¸°ÞÅÓÓ’‚TÕ>Þ¦š£š—Ú‡9 …ЈÔýž¿¡®søGŠº@úð3ª’0¥p™œ\uÄŵ¾¸QC³Æ«á—>¨<²TˆÛ*µA9l{­Ü¼¥üïœH~ƒ‡ßëÛ7Ô¸ýxέ?sƒûnάü‡vç£3ëçãßñóQ©ÃùœÉ	M	Ÿ}î{\«Hœþt‡#fG4_0qd˜š0<4xá°‰¶¡VUÏ+Ì^æ¹è¸#üò¨ÅP"Ô:-°lš/ë'–°ñç¢'Œ5[ºD¦ÆüXöÖsN×*Îï®®§çoßÞˆó›Og¹òPóäOn›ä=»®®ï0.íM¨ŒÓÂJ›N¨†\ûªžkãr_wJ‰\d6ÉLÁãRÂ@]F’/P2Z@
-	«CT&WÄß1~ˆ0-‹UËo4CÆE?“ú¹úÄó9ç5ÞdÎ)ôpÐœ‡ëþädœ0ÛDäI®¾uÃiýTi—„ZLgÛ9ÚSÓ¶U_|>ËuÉ‘=²CRaúó“}™G*`L'"»*ì`6ÕÿÃF…­’BIØ7ÃvÀu¶kÛ—j9Ÿ«ÝCå„Òñ øÀ?2š–°F@ɧB@i³9Ÿ€v Q! 4c(3;4i‡‡FÝÔS*ñüFžÏ&D'†ÁIƒ²ÄÅ¡÷¹(5¹H3(_GÈêÇvÅW¸›=BÄ6ìgË—âv€–ý°ãÀ³W%t»uÖO~×5ä!Pœû­I‡ÆpÆDy,ºÙÕ¬^5¨X«îá‘`xƤ"“e¢
…P<Ë•Z‚H0.Öà±è*qjy¾)‰ Ó'Ïý%1l¢<ìIF•N…KÕáóK#r£óq
-CE½±ò¼Ç
-4=V°ok­¡k„•h*á¤ÝJ7Èè>±m×T
-úÁ°¦Þë¾ÚZ‘$É‘]gȵß}{®ûVuWÞÃê¾îú/é‰=,?0Eäý7*sz¬À§r¶õ¨J0àzfAŸ_*¿¡-¶ò›u7mý0é`˜HA´nc5ìÁ‰”fxª9õý¨»A#ó_±ì hôÃVIäkTY;ìäùCw˜.?—Ëæ…¨]óÄŒ"ðä µ1J"FžQðÅQ?ù"eç«&‡)”ßsE‡ÖT˜47c
¢Çî¹°*	éb$úoŒ†¶éèðüÏŸ‘ªÌ†Ót aÆñ†Âçàä§ì¯>{í=ÛrüpñHÁQ9³£2"ã
-È×ç.oùL?g6Óc”ï…RøŒ”©SúÛêˆ} Ò?Dɶ‡\@¸6Ö®ž¢ê°üÀ‘Á”+°SÚdß)XE9„”ËR.R€Tª¤€H§rÙRðÚf‚Î]\‘qÕw®PbCä\Y¹·ÿŸq%s%”‚xpWC®ý¸ê¹¸‚bþï9™‰R‡Å÷\ùãï9Z$ì#~¢U7nòD	!&e}†“‚ö
õñi´BªnúøÄ0OæMÈ>¢Ì0@ݬ(0G7í ”“Ù·ÔûWÒI‘eÉ‘»C®+¸|¾V®šiÝLÛ¦˜vÝr7¡W«+ÐsE4¯e
-Û‰KÇ*ðZÊ‚vk(n ôó+ÔbÝ=`-Yà
$ág†ûþIníB’÷Q¼›ðñœá˨§Rð@¶ðîîŸDñé”Ÿ€€#PVoE®Ry(«Þ6ÀY„cõjûr˜gM-Þ¾Ù¾+ñ³6ßží(H±”ÍþÜIHÒìÈMˆ!×Ü®bö°»?ÙD¤ò”ƒjô\=Æßï¬H
$3#E}òTÁ»¿ÌýÁÒ6@ç!Ј
{˜ÝÃ
é|GilØð«lžÂo–Zå|wéa©=þ`Q¥‘[ø‹®.œì3Ù}÷x ¥­~š
-Èl¦
-™É×WOs¨)çŸ~i¿ìf%I¸ü°øžiWþæ¼Ød¬ÀO|«Ê„[v–+o¾‚›áçnKG¹Do8¡1£š*þÔ:ù'nÁ…=?dAÂûW!ˆþñöGj|®X~Åê–€Pj})_ÇŠ÷—NøD	#­I¶>ã>øêqˆü8>…Û>ƒ«|jùªÕ~%Þ°ÚÜ÷º¹¹½zÏùÌ"|)ú°¶9T´t4#ö]šÕVàM×ÈZ'ýµ³¿|¡vsÛØà~¶ç‰J3¨µJ¡í¬Ûõ’D(íTDõÿ€(	Qendstream
-endobj
-1357 0 obj <<
-/Type /Page
-/Contents 1358 0 R
-/Resources 1356 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1355 0 R
+/D [1356 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1359 0 obj <<
-/D [1357 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1356 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
+1355 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F14 765 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 1362 0 obj <<
-/Length 3243      
+/Length 3504      
 /Filter /FlateDecode
 >>
 stream
-xÚµ]sÛFîÝ¿Bo'Ï„,÷‹wOiâ¤n¯iÎqç¦iû@‹”Í1E*"eÕýõ,°KR¢œÞÜÜxƱØ]‹Ï¥Ä"‚?±HM©L/’L‡&f±Ú\D‹{{!˜&pDÁ˜êÛÛ‹oÞ©d‘…Y,ãÅíz´VFi*·Å¯Ë7ß½þx{usH-ãð20q´üöúÃ[ÂdôxóÓ‡w×ï¾y}™èåíõO}sõîêæêÛ«Ë@¤FÀ|É+œ™ðîúŸW½¿yýã¯o.¿ýþâêÖË2–WD
-ùrñëïÑ¢±¿¿ˆB•¥fq€—(Y&›mTh´RS_|ºø—_p4j§ÎéϨ44©Lf(ÕH"XÇ‹Äda¬`øÓîR¤Ë¢jò]U?_
-!–¯.•dË?Û¦ºê¾©š{Àµ|,Ÿ;‚~‹LÔ?ä=½U’ŽUÿÐîy¼(	øáÓÜU<Ô•=¬%è%·¼0í¾+žÞ2-ðr´`ÙôO‚“uB„™1ÒʆgRgËÃCU—“ƒXŒèB±†7” »V¬xðÅ€/mú´‰bjÉ|`ÿK±lèůþöç®~!øæVž*·ûYÂJI¨|[þ¬¢dù]{(ŸÊš¯ÕÒÚÍ«:‚Úm_µ
-âp¸©E§°ù7ï´Y&4™FËCV¦™Z™åÕ‘ØÍ%2Ë1Û‘S¥pªŒ˜àå¾iI‘Å?ˆw å±‘†AzÉ{P/j*2o'
-Vc8W%¤#Ï„9”~9À¦]Ÿ7¡†íËÇ=F&‹´˜^dd‘vOÇž‰YÞ’æ‘“ÎÍßT5ì1Y—"µŽU¯´
-e*bÖkÑt]¹²vÌç+ÎœGàgNÌhÕn6$&X`]Ù%Œ³‰ÐžŒÂ,R4ãßö•1lBÊhoBˆ%œ!ÂÁY°¤‰a9žËnΆ’0S2lH¥Ör†ø —›}×Ó†w%=sÞ·.s7ÔZ[õÕÏtQÊ,×`g@_y¦Ñ¼¾owàù¡-·˜€P«³TMuI4½
Y©^V
=)Pà\aëÚ‡DÓòœ<hŠ–Øsš}vCÛrÇ4Žm0¶DÈåõÚsെŒunÉçipaW„Gk°úAÂçêÁE+k½Ñº_ölïŸAÓ2bSö¯ŽgûèƒËWuMÐÛá(±Bi¡‘ÈÇi8
-#B¬ 
«,™/;˜(SQÖ3e‡§b÷Ã4òØ=6Ìí/bÐié—ðT3L¼!Ž!o‹dÊ»c$;äÝ1ÖhNȈ¢PF±ÏûmÑ3X=”«G”fÆS&©rqgHÑ°Ý]‹	!òùèLÚþuìÝù¯º¼0œBqƒIÒƬ[ŸTÒ„
-Ïqì’C‚éÇ(RkŸê¥OîÒe$é2’tIŽ“»tFŠã<Áåu*QìJãU‡¤.9©[бæé\—CO—Ÿ±›sÔQc¼TfRÀè¡Ã!ÞÈ81SÅ4^LÃb/¦f1s´*Ç€¼j
-IHÝ®h|=/ï[#fªšNîÕ‡õ:ª5#"—LGÑfH¦%Ú¡¶šñ‚T†i,ÏæR˜ü1ç`¤Iæ|á/¤Ð@&Q˜jL¾ãTzë¤+Êu¾¯‡°yÊj,¡¶×æ+@ŠIX?ÿgäÖa¢uü_9¿ŒÍ¼¦ËÞkùÔÛÔˆÒ+÷…QŽjij©ÁŸòΆ{£¡ý°Å‹á~Lu>Ü{*k»ç _mƒ]¹Þ•ÝÃI¸7Ð)hV_dÀSÍp0QŽx=Ü„ƒÛË®-Q7D.¯¹üxàAê\_€tûŽ[8±¼}ó‘,†qìç·Œø²/wUÙÑË:¯j0¤
-‰wT#	îªqNJ°ÿmÞWwU]õ£ÎÑW°‹@ƒ$q6\_7y¨WÁcâ—Ó…†”¨Roóg,BgÐêf™xÙ"ÆTç-ÂSÙø[®ö»2èÛ j>­’P'™y™O5ÃÄ4=JÈ¡Q:åâu]·Ô$t*ø0.‹‚" ! ¢`e‘ѤG¼øðï2€ú(B“?ä»…<Ý»¢,T‘ÎTczÈÝeÊ=u|ë|EÎa)VyCè;žÂW€±$¾£¥÷œ†kZøž±pœep¨Š’FWùÊ1Ñò9óTxF¹ƒÇ^ÓˆŒÏ§Ø¯˜Qk$kDþEr5—Û'Ûhh›è;-×*[–ôå®ÉkÂ6ù¦$ˆwÅ;µ$[^÷„%5àuEݵÝñPÈ¥X£Õ-™5r‡…“žiwÞ…'Ñ¥@O·MùÓì-QÁýË
-é$4ÿ«UÙu[dÊA×
ŠjÛåÊ$8T6þú)ɲnÛG‚ö[¢±jªl8,ª‰wfìSE]iÉ82& jWà<ƒcXN|¦<„º¯cÇò:;ßЕ.­ïì)϶pùÖ„n+§>Ú¢\íS´å1¹UötyC¿¼Ëî=O´6|6ŒƒªÃ8þJ⎕D[œn)B“ˆìÅ]=Ñ鶓€$ãÐ¥&ûR骲Q¿–Ñ
œÅÑÑfSæXã¯÷5Ø”¹ˆQÈ!\]Ù{„Ñ‚ä€(7ÛÞ[Y¢Ìò5áŸòzÏ+¶ë¹‚.FY3Žªëj×õ3q‚bšz*ð-“Q%¥a”hyäzô±Œ5Øø?ÚCì®	ðFS݃O4éç#ºc] £2K/R&‘ÝÆTÑ"9¡%7ëìxØ»ÃC{5ïvH•šëT»†*5î 
-8J™ša®ß¯kú®¬×p\Zh_ÒŸ\É&ÒëÝÝFN…<©ã‘Ëm¹ªPIeG©¯	ÀWÚ RïžÞ©ÝÑP¦$úè~lz6g½\&xÈ—Ý|LuÞÏ=ÕÈÑÑ.Ž}]é0._ÜÚÍl=ñuþtïO^Ǩtç½|íú#!ò¢à
-¾ó4-‘Ø޹ϛK&ŽÊ
´¥¹š‚‰C5Å`²3‹£p^4¼ïšJ7¾ô$Ï>:ÓÑæxwàÚ](Ë£ø¨Û=NfR* "!+,µ
êë~?ÜÿIc+KO-ÝjE‹W¼@ÞÑEâ¢ÁïFZ“Îɸ¯Û;,Xxô„?ŠÌÏjçêËo¬li´«ŠÂúvLw¿ˆÏéñ”CúµêŽùJî±,Âfê—KŒ»{“ZbÍ-6`¶ù®¯V{ºØ€w¸#*
-ˆö[V¶Œ[ó¯½õ‘ÚpµâŽOë"¾æä~²äLÇ–„‰‰\xqy•zy߸@ïéƒñ„S§?]×:=“þ›H=GAvD%†NB§ú
-§«m€„èDå: 9î€w@o÷yt}¾z$>qýÕvhÜ+ßÿ@%’w#r¢5ÖYYÓ§å.»v×Ó5 fyhwãõÛ½ýbï[ÜÛ¢îêrûد3Êõ©Pyæw®MƒÅŠ=³ç²Ú‘ß×^+Ö›ÑÞöÛ­åiRb—•ýöbáëOzjÏ€‰‡ÊP»»ï&À[Õœ¯‹E¤Â,3ÙËsLu>cz*[˜ùcºáèg¯7^äa¸Þ8ebözcÂÅ$w*mX3Øx¹î	¶¡‚çQE*kA0Äzä	tõã¾ÕÓÜ‚cKG5C‡f—¶æƒöÔÎßfØ»4îqÓW8üÌG?©@þ¹=¤-ÐúyÖË•ö0æê/ç/€µ}2`ò»šé,×Iæ=£~rLëöËì5 ¸Ã=½qŸ‘dçì܃5tü|ÈQ8%V8ÄpÑ(š™¾£'šBjií‰KÍÈÃòÌ=Ø?TQ©¿¤ŸµÈãlbBi„»ÿá4ňž%§²˲oj<úŒ¤âP¤ÖTÇI-düMãX?¶ãíÜ'̲q©³Ã“*Îøù™ïXˆ•áý\ð–iÆ	„y¾ƒ£åéžQ‡øéÎ}ëóeÚÜ–”	ñWF3>ùÛúÿùÇLÃ/½ `Piz¦VQ¦2KSȼ9I þWO§¬ÿ·4endstream
+xÚÍZ_sÛ6÷§ð£<¡@à£ë8=w'g»wiûÀH”ʼnLª"eÇýô·‹]ðIIÛ‡‹gBp±Â.¿]ì”çüÉs“ˆ$SÙyšÅÂDҜϞ΢óGèûáL2ÏÔ3M‡\ß?œ}÷N§ç™È•œ?,cYY+Ïæ¿N¡ÄŒM®>ܾ»ùáç»Ë‹4ž<Ü|¸½˜*MÞÝütM­î.ß¿¿¼»˜Jkääê_—®ï¨+á1¾¿¹}K”Œ½»~w}w}{u}ñûÃg×Ý\†ó•‘ƉüqöëïÑù¦ýãY$tfÍù¼DBf™::‹&ÖÚSVg÷gÿîôºŸ†ì+ŒŠ“ó©Ž…ùa+K‘J	L©ÉD¢•î¬¬dÈÊž­ü´]µåô)oÚb³;e)бŠÏ‡ãîIï¸âõ@¼T0Që>’ÿ°,°|"'ͲޮæØV“OÓŠ–/Ë¢¢Ök½%žeþÌ\në•ssiˆiQoˆšÓãϺb¶¼bYíÒSæóÍ…´“¢i
+Ö‰ÞņYk4,†©ŠÝÜEfŒr3™—äFfüQ…š§)¨3[–UÑu&'7â»w±˜ao’쉽‚tÇ36_*2­RæyãõZvƒTùS1£µH
Pˆë¥\­Hͪf}Wõ#5ØäÐ"¥	,ǦÌý¶OŸœ] ]S^j»õÅÁ®ž-¯ÈÒ˜yjÇ–|Yæm`~
+\@%éé	Æ6öœm7~9V¯äáËÜ­…Œ{‘æÅ"ÑKÙVHªDDÚX/¼­›‚d±@ØKÓ(Ù¡xÙyrÏtÄ‘™É¡¯ÔΦE•GØudp=›Êì¨ìŽi_øØ°F«‘ôk;UVMÞÞÞß__Q»Ù®×õ¦¥—²
+,ª„U#l'V5Y¦ÓζÓ8J&?WŒ)”T°”¶,_b„1™þû–f§ág#å½ðSQŠUÌù	q‚ž¬ñ¼öè„`”°3Œ¼¢·%€”Œ,èå[pƒ¹m’|…%ì) '‰ÒßQ$¹C¹ã`ù9_•ó¼-ëjÏ:™ìU¡ã
+è0šnVŽ w¤„‡´Öiil´rïaTƒèä+À²‹j“ÊÉmÝ!X;=°öÜ}gä$¦8_55)[ż¡fˤOVy»åœ‡˜hÓÇÞgØë¯eõH½È"l!ëvKˆ½ÝâKp	¡I%c,ÙSUï!ˆ–û¢mb’–HhÕkòJG
8ƒfÜyÅ×`wU¸ðÈE2‘&ö›R‘çíª*6¼O’ŠîIf\¯rÎOò¶ÍgŸ›ƒ¨5)@NÙä8j‡\‡QÛq¡‚l‹Í+¦;‚³T$ÆfÇ{¦€àÑzFJ$q¤Æ’ï×ÅÀó#„ 䑘<êŒt":höH«ô®Xˆ9° ­Í7m1ïF©‚9$„Ñ,’§WNÛÈ£À
ì’FH:|?ÎVÄ°{0ÿÐ;ƒxmºÈäÊRòSCL9'1:Ú	¸åoQ¤Šùý¢êZÔð3CƒQ,å‰ù$sŽÊ¯;¬Ù­‹jÆ”z±Ã2x–·Åc
2V´ËêΙPµ2èt®(ÑêT¼6˜\%PâGþ€ëò=—«–ÅìóÁШOï¸Ò5ðŽxªuœu!LóŠ!mÛ¸€Í)¼Bí¦œµÜã‚/tÍ–ù&Ÿ¹Úé´©ÝU»Øh^«6ÿB½¸°îGŦÍK;¯Ÿ¨
dÒ¦–¾ñ•¾ÜÓ:™ @W´$(ö»š;`¡«¿®«ÆóiV@F0'Ê‘ê'z£ùA£*Ú—zóÙêX¿ç$Ã='ÍÁŒ˜Íj7Òœw²Äñ‘Ÿ6m›üѯ€I›>U“wõ&€í4&JC¶??ÙG6$,~ËÁÓ‡†„p©<Ø.‘Z†ök…Š»ºr‘—«ÐFiDœÉA*©aì°ê
+¼-K=k³Âs”ÀFh ‡ê¶¸Bó—|S…ADŽU@s'$¯š<Í!ð%V˜ÌìÄÄ1x0&õàÅ-½ü™(X*(­ÏÜ7ŒÓP(wçv>hÁprG\0—	ò´UÕ›àR@F§³tÏaЂk„E¢…‚\Z%Um.ìd»¢s,íÁ$4îh˺iÙÁ±‡ÏÃ4`¹\‰BÁ^Á=ÉÉÚxÆÖ[øîÞ]Ö‰éOÚ¸KO¬’,”ªçåtì–ŠÍŠÛÝx«¢a !%`'`Öhl“è¾[)A¥§\*­×+
+iLñ6Õ}€P¿T.Ì͇F¤.èyù†º.áQ(êéý/D`¨rH”"±rrÓ×iøÃ^
ÍjÄN
·ô^åññ#Çm•¯6=‰½ÖLîÞÒ‰7þwI$·ÁÃóöþ
5î?\rëý/Ü Eľ»c&ÿ¡—ýùhkÜ|ÜoÜ|ðàæs!'4%|w¹ïi­qúãìÇ{¢‰ø²,:˜Æ~xhðÂamC­²š—˜½Ì=sÞr‡ò¨ùP"ÔE
°ªëÏÛ5KXŒx½sÑÆš]Xg~,‘«9§k%çw7·ÓË·oïÄåÝÇ‹L9¨9òÇd—ä<»nn0.L¨´•Pˆe'J‰!×ᄪãê]îéË^)‘[Fö¸`Ï<.%b€ ËHòJFèA!a´ÊäŠøã‡hÓ"wWFs}¦GwrN›üÚ_¸*5ógz¸hÎÃuW Žf‰¬?ýê
¤}pS¥]j1mûg]7MÙŸÏùj[0Æ|dìßTÄÝYË¡Ì#°
z&Œ]v0“ê¿°ÑaIh¥'ŽÐ‡\G`ë¹zؾ”«ù,ßìبDÄP:ï™âGFÓÖH#ù|¦ãþ,ÚžF…€ÒŒA ÌìФU]M©Äs=Px>}ˆŽb'
ÊÇ~ÏEiœ‰Ôªëšnl`WŒp…»ÙAlÃ~¶zÉ_ahøճЃ‡|Þ*¾;v¸Ûva]ñôá¹­ âÜmMÊû84†3&ÊSÞâ5Ü£W
*Ö²]>‘ϘT¶é˜B(ÞÅúJ-ÂÃ&˜kðšw‡š8µ,ëK"ètÉs7BA}T€—ɨҩHRuü¬3ÆC­lœ†Â^Qg¬,ë°M‡ìÛYkèaÅ'šJ$Òì¤dt—Ø6[*9=0l©º¯J•Pú„÷˜;¯gê}·¬Úâ–öußy¡BÌQážg_øØu#¡l¢GÒ?°ªÃS„¡Ö!2ž:Ÿ/žné^EÇâôn¨Ëy<<»ëS%;ðàzq|ŽþWÒ'.@u{<Ù#d—¬‘óZ‘ØÄ‹§>ÂSÛÁ–§µâ«‚Ñ9¶—Ô¤*_ºä—@ˆ¿ŽNY±öŠcëqµ-è{2‚C_ʆJ`ÖX“`qÓÒyÞ®w.Ö¡ÚÒ&d.›²¹€Ðç¶@ÝO0£®Ü5²Å{Ÿ)¯)‡µØE+èsKå"7ô Å^~½m§õ¢&H·Mh‹†Ý7’rtë?uݨûẻ.3x‰˜Ål•HNð˜FEµÃNž?tûéñS±ª_ˆÚÖkf\'­Þ(‘zz£àFq°Í`ƒ”:ÛÏ•}úâ#ÈIBÉ)ª—Œ»@ûcŠù{†<}—5>D’"¶ò+ÂûÉ«,™i‘D鉣Ñ!×á¨Úq
3ùéÌ•'{±JÄLá¨üŽ+ À8²¦"N³x¬AðÀ=FE>Q„þ‘ÑÐø™ÉàØÝ&þ›ãÏÑ„¹Ær—}“Ÿ²¿º¼µólÃñ#	G
+ŽÊÖŒ
+˵/¯n/ß_ßói^[cw®üBitÇ5†”iÒßóuÄ!PA9bcs⣳!×Py®~ÁšÍóQT—ï™ò˜Òc`JÇö[ «(‡J¬ÿ`-ó’‡Tª=¤€Hçqv)øY¿Aç>®€È¸êºùã´Œpä=\ÙgìòÿW~æ©å	\
¸ŽàÊs
pe.¦ú{79VÈH©ãâ;®€üñMŽÆ^3Và¿´êq2YSBH%GœŽ²¾˜“‚æ
õñ9´|’wñˆ~>ŽÌ›]D™¡/+€Ú¯(07@'í·T‡¿eK…J“9`:ò-3¹d­ØÔÓªž6u>mÛÕ~*¯„‰>*½cÚ?^Æv’$ÉçU”>ùl·PÐ@¹çÖ¨ù¶]bý˜ã,H«…ÇîMîÞp!Éy'~»ðá’þ6ÔQ)l Û’|xø‰(.‘’þZ8åóFd*•c×Þ?ÖŠ³ðGéåîµ±ŸçK
~3ø–Â=ÿ¤³ÕúÛóÉ•ê>žükˆóç5Fà7Ó%ºEþö§Ùýwë1¥Ù{‹J-äo0+…Š›dßW ^Ô‰
+¨þ?bœ€endstream
 endobj
 1361 0 obj <<
 /Type /Page
 /Contents 1362 0 R
 /Resources 1360 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1355 0 R
-/Annots [ 1365 0 R ]
->> endobj
-1365 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 217.5222 428.747 229.4224]
-/Subtype /Link
-/A << /S /GoTo /D (zone_statement_grammar) >>
+/Parent 1359 0 R
 >> endobj
 1363 0 obj <<
-/D [1361 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-358 0 obj <<
-/D [1361 0 R /XYZ 85.0394 465.4138 null]
->> endobj
-1364 0 obj <<
-/D [1361 0 R /XYZ 85.0394 433.6381 null]
->> endobj
-362 0 obj <<
-/D [1361 0 R /XYZ 85.0394 196.3675 null]
->> endobj
-1366 0 obj <<
-/D [1361 0 R /XYZ 85.0394 169.5333 null]
+/D [1361 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1360 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1370 0 obj <<
-/Length 2601      
+1366 0 obj <<
+/Length 3207      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZÝsÛ6÷_Á·“g"ßÓ§4qrî\ží{jûÀH´Í‰L%¢Ÿï¯¿],@‘%û.éÌÍ53%,‹Åâ÷Û…,
-ÿDa,³A†ÂÍ¦XÜŸðâÆÞŸˆ$3ÏBó¾ÔO×'?¼S®,Xi‹ë›ž.ϸ÷¢¸^þ6³L²SÐÀgo>\¼;ÿËקNÏ®Ï?\œÎ¥á³wç;£ÖûË׿üòúòt.¼³7}ýëõÙ%
Ù¤ã§ó‹·Ôèq@éåÙ»³Ë³‹7g§\ÿ|rvÝ­¥¿^Á.äËÉoðb	Ëþù„3¼)á…3‚,îO´QÌh¥rÏêäêäïÂÞhütÒ‚3©¬œp S4Y%Uç@a™·pÎg¯‹ªmÓâ×Ív³^áA“êiâÅ\Â&h¢Žî#-gÛ5>Ål{WQG[m¾Vj/ʆF?¦ÁÍ©ð³ªÝnêŶZRßDz¥¦˜­›¤4+;ÿ•Êå2}š¦]ß$EÒüå”×Ím2å©ÝV÷°×Š»ÙUUwOƒ‡xôÌx«Ñ4¸¹-¨qÙs|'?ï@Žï»k_/zíªZlë¼BË{Ñ”7¶¯þØöµ¢Û~Û/d4âf½¡Í^VÛ²^¥VÁónýH¸«ðl?W‹úæ‰^âfÀs¸бªÛmËöWÃœ¶°ÞÁü–B"óÌá0N2¸ŠrµZ?ΛõmM+„bBswlÞNfoâ¾…ðLHÙŸø
-ýñ;ç²Â¥K1{¼«wØ”à<ðõ–äêÆƇ‘èXx&Û£Àö®Nߥ³Øó
-;ܬ$‰vU~­RWŒ|ý׺I,îÊæ6T7iÖ岎áî)æÊ2#¥Æ•³`ÅÚ¢¼§3„
R‰­ûNΆöt´€ÆÁðãÔFŒ¬¶ôR·CùOÃzG4]ðCûzKŠÞD«ÔCÝ'È¡Úü—$J!Šgå0òò9`¾g°§'u}²Ô.ìl6ð¡©t8>y'51û‚ãÀg0ý…v1,}èPY‡BпC!ÿ
-øo’ÃãÆ«á9Å㜎YÅÿ‹ƒM£&ÚWçS::›«UΦÒ9J4VÛð’R~?#C6곚Ÿi]ô]©™¿ªšgëæ:pæ7ýsØ9¢É1é ÎLJk¢£/zf¬q«93
-˜–6쬘]Ãÿål¯xð™T†LãÔÅ—Bµ… H¨×ŽkÝù vüp~/‹·kXQÑ_TR<ïkŽ‹²p‘
-òˆJƒhlèÎð©03ŠI,fOóE¹8…Fn`†ÞAX±dˆ1ä<_TB/”Ễ<Î÷Kx)s=Ñ uHÊh‚®½ÈÒöÂ_ô÷îÛÂAaª ›ïê¯oÖ¹Ì{H˜æŠ	îQ2›(|&î¤F ;§|oÀGƒ¬ëkÞç£,5aÀ d â–‹¡C>R;>‚æj½(”ë×
Y
-DE!ðyKíA‘¨è‘uvvM©³ÂŒõSVZ'=Ÿ×íœpÒÀ¾YnGéLýq…Iµ¦åk°aSô÷ ÊŠ‘8
-Hˆµpƒ@èT`+R½S½HT/Ô!z•pš!Ý}†ëp0SdŸë&±#{Ñ‘½HdÏ>Ù‹ƒdï Ø2bœöa86Ò¸a$¾ÄoÎY{ È£ƒ½øÓ“€|gÐÑÿ~´L¥ÊÌ|íÿh !£‚iå3i€Ò‚y®Õ÷Ldîqt‰ø}Ó€¾æ#i€âÄ `þŽiÀŸÌüi»ÔÿóK ÷`áôeþNjŒä¬1ùkΤî}5ÉýIh‚A˜h(õ8h`€ú•ê.Ä°™JQlv¥h|É¥¨R3Øy[mÓhÓ>V›ôÝ®ÒÀ7º¨‚F\,Þá…@·Á0…»¼W—Îó…;'†@Ü9qLži®}/¶•¡ë’Øh«Ô›	k¬Ã[z?0fS-6m=
÷'„Ñtt”°UßtóÆ<<3oëv’‹”qæ¥5º7\½djl¨ÙC³Â¼?-¤1@G\ëaî²[7ðáS÷†ÎUGÕÑ
-¥9¡¯î´íb
ºòÕÝø²
-ƒìÇÒ‚©Éà˜r×þd¸dt®
=çÆŠB˜¾£Mìý>yS	m¯²ö˜
C–Õþ_EïxN¦ã¥ì®aAÕ)™ÐB
-ÊÑ-~ðFLø´Ø£PÔ—:EÔ$M•"@ý"HÜŠNjÂŒY@]l;°cXŠp×åsP,äR„ï—"0J¥ŒÝÖxEŠ]awïÒ†ˆ¤ ;C‘–r.¤œ9åjž§G•ÈœˆNÉÉš§½œìÕÔõ”sÿ~Á¨%ó®;Ke³œ
-ö€@3ˆuŒí)mœÝ]Wà¡ex&\{RGÂ5KÀàaÑÄî´9n@'5aÁ°hÆ[:32aÈœv÷C43sÚÞ%n|é˜ÓR¾„O¬|©E¢qM_S×®ZÅ/î(†nïrG†v¿<áoÖLÓ*ú\«¦Ê—gûî—Ê
E:&.‘	öâOÄ91Áå‡ø2_i‚Í—sQb1ì!•Î'PH&„â/¾äæÚº»ëöœîº“Ax”w¤s¸V;D:*P`‡	Ò‰?×#h–•Òé£ÑQz$Hy†]zB‡Okšˆ¯)fÑp„×G
è„ö-湎…ÜÀ„áa•­(ÙÑ
-öŽhG#­Ä±tÃ…ãƒ*]>¨˜ÔjN¿ÈÉÄ$8<¬Þ1ûH—œVHNù(“})“Œ,ùÖ*?oŸ2ÿˆebxWNóßÊìþ¶l\´÷H8Wc
-–ŒB÷ðo/öMÿ7@»iendstream
+xÚµksÛFî»…¾<²ÜwŸÜÄIÝG’³Ý¹iÚ~ EÊæ˜"U‘²êþúØ)Qv:77©A,vÀâ­ˆYÿ‰YjÂHez–d:4‘0³Åê,šÝÃÚ‡3Á4#
+†TßÞž}ó^%³,ÌbÏn—ƒ³Ò0JS1»-~¿ýîâóíåõy M4ÃóÀÄÑüÛ«ï“ÑŸ·Ÿ>¾¿úðóõÅy¢ç·WŸ>úúòýåõåÇ·—çH€ý’O8±áýÕ—}¸¾ø駋ëóßo¿?»¼õ²å‘BAþ8ûõ÷hV€ØߟE¡ÊR3ÛÁGŠ,“³Õ™6*4Z)‡©ÏnÎþí¬Ú­SúÓ&
Ôñ,0:Ôñ)-Gad@kA¢Ò^ÇRLé˜hPÕ›6hÚ kó ïë`‘/ÊC¹E’¼&í?bÀÓq ˆTÃë&bÈÂÊž(Ós¼¼jîñCÍsÂ5å}ÞWO%}mÎE:/»uÛt%‘õ-­0ùͧÂÿ±-7Ï„ëÊž€þ7ÝÞþÈÞ
jÀ“[0™‰ùíßW”Ë|[÷¨,Z ¬"ÌŒ‘–ûªÃÅEga,T
+ŠAŠ¦eŠ‘"Db’ðÈÒø9ã,JôËo>¤:ýêž
+oÜ®‹¼/xìÅcðØ==ylÂTįpà©&XI›Da’%<ÐÃ+Å/¤”±ïûR¸°«Oy½e|»$¥ê¡¤B§abbÁZ}.»)Í'a¦dÂ4oà8cæVÌ‚»ú‡›¸«øþŠÙ-ÁN	z,ŸÇŒe_nVUS’ÉH™€ƒGrl3íŽâŒ½{ÝC»­‚ïxqÛ•ŒÙY!t_6å½Å»ë›«ÁËvC@Îg–‹-9}ÿÕ6¥µ8ÐXyh2I|}²TEÕ䛪~>BXý$™ÝtÕ}c/TF!ÇA¿E&êòž¾ªÎnI»ª©xÔ©R/`p– ÜqŒ¤»½eZàåàÀ²é+Þädè%ΤÎ@‹U]LîÅbDGŠµÿB¢7À
+€€/~xð£mêg‚ø1ñ –Ÿ§º?ófh°úîãÍ—¿|}2!Tn/ö»„•’Pùºü¢™Š’ùwí®|‚ÉÎjiéöUAíº¯Ú†q8땈èÛ	g“€åhñJ”^ÅÞפ–È,_ÄlGN•Â©2b€—û¦%Eÿ"Þ–×Qè‚Z1t½Ì»U9îU	i@ÅÈÂ3av¥?ð_èÀçMA¨ýu€ågÈ>#,“EZÌ2°H»@Žob ÃTŽ“Îí_Uu¾ÚS2>ˆèJ«PBÜe½M.ní˜ßNþšxÀï™Ñ¢]­HL°Àºj8NMLF
+ÝÆ°	)£½	!–p†»ÑÓ&$dšØ˜¯ˆ×é ^§ÖröñAÏWÛ®§ïJú›ó½u™»¥~×òÚ‚
+
+\wQÊPÔD}å™Vóú¾Ý€ç¯h…®\d`áC¥j¬K®PàémÈJ5eÔå4œk#l]ûŸP–BÄ´<§{ž´Ï‰EKì;–¾¸¥u¹aÇ6["äüjé9ðZCÆ:wäódpÙ?Ê*>1ýQ´ª8çйlÙÞW ?-8‚¦eĪìßîöѯêzœÿ1à€J;6ÕíE>QJ-CÅßË¥Ôêt)å©Øý0@Ø0TINãH¿Ì€§šà`ä
qBÐMÆ,°;FÒ¹#@Þ#aæ8Œˆ(
+eäË¥©’ðàöT…Iª\ÜÙ§h¸î®Å‰ù|t"mÿ:öîüµ./§P¼`”´ñ"ëÄÖ'•4¡JJô}‚éÇ(RkŸê¥OîÒe$é2’tI“»tFŠë¼Áåu*QìJÃS÷I]rR· cÍÓ¹4.÷i<Ál쨔ÓŒñR™Q£÷E.ñEƉiœ˜z(¦ñbÓx15‹i¼˜ƒS9äUS`HBêvy@ãë±x~çØÂ1ˆ|•ìÕg^à5#"—LÑfŸL1J´ûÚjÂR¦±<™Kacðç”/€‘&™ó…¯H¡„.(Õ6ùÚTJ¾{ë¤ó­rÌj,C“jówúJ«Ÿ«å”Ü:L´Žÿ–óËZ·Èõ½Ü\ô^ËÇÞ® F”^¹/ÔˆrP#žL
þ•÷	ád¸×Æ@|f^÷CªÓáÞSYkÜ<ýblÊå¦ìŽÂ½‰B¥Tò2žj‚ƒ‘r`‚ߘƒÛó®-Q7D./¹üxàEê\_ l3É-œ˜ß¾ýLøöó;Fàð¤*;úXæU
†C!ñžj$Á38Ü“ì
íè]UWý sô,
+ª8{öë&õ*xLürºÐý¸å´E oˆ×ægCª,ÂQÙø‹ýuômP5×I¨“̼̃§š`bœ%äÐ(sqQ×4Vˆ©ï7.‹‚" üÝäMW9‡‚š—¦^+ZÏ	Ü.{®Ü=Óߢ¬K7ƒ€ºš
+·x§c¶ËùkÑq(ÄH&t:¶†ÿo$<>$È2p*ˆhP‡qœ‘wá˜XÀÿΨ"4ù]¾)PÈã;"ê¡J²*Š±@Ýån˜rOß2_sXŠEÞúŽ·ðˆ#âQ’øŽ–¾sZ®éà{ÆÂs–Á®*JZ¥ù­]iù†œy*w¼£Ü@‡cÇ4"ã÷)¶fÔÉ‘¿E‘\LÕí“m4´Mt4ËæåŸ}¹iòš°M¾*	â[qŸdó«ž°¤WÔ]KÐo…œ‹y18Ý’Y#Gp£pÓ3Ýηð&JTðvÛ„ ð?MN‰
+î_H'¡ù_,Ê®#Øò Sª€¸jPTÛÎ(WÆ Á®²ñ×oIæuÛ>´]USeÃ)`QM|4c»œ"(êJK¶À1U»‡ä\áðâ“åSÛ±cynèJ—Ö7ö•'[¸|gB·Åƒy‹rµOÑ–‡äVÙãã!íüñ.»÷¼ÑÚðÉ0.¡ƒ™y%±©N‡qO…z"§-Žb·¡IDöòÅžjâæQT’qhŒRã«©€UÙ kËhgqôÀ€Y•9VúËmM+6qg.ÏbxÈ
WWvš08ÜåjÝ{[K”™_Þ
Úñò©A»ŠQÚŒcë²ÚtýDt”Y˜¦ž
+¼DËdPDi%ZNVXÆøƒD´ŠØ
ð¦SõƒùמÝ¡.‡1
™¥)‚Èzcª„蜉О›ôŽŽÍvxÜÝ᣽™Š•D•š=שvmUjÜ, 
+¸J~™šý^-mú®¬—ð\Zh_Ø
féõîf‡Cùªyär].*TRYàdê5x°
¨âõæyÏ;5=Š•DLÉÆosÒ×E–†I*å˾>¤:íëžjàëh‡î®t˜—/^íˆ&®9»€2|÷×qG¿6’ŠÁ×®>"/
+®ã;OÓ‰íÃá›ûðL°¹dâ è@Qšk*ظ¯©8Œn¦@`q.ÂBÃ÷.©€ãÑ'yöÁ›.Ç	‚kz¡8âx<>>LiR* R!+,.µ
êë~»ŸJcëKOÖ4ÛŠ|@ÞѸGqéào#­IçdÜ×í–-¼zÄEæŽwµS™Öò+[ mª¢°¾Óñ9ýyÊ!	[uÇ<$$},Ž°¥úåãî–𤖘#EÌ:ßôÕbKã
ø&;¢¢€h1ãÕÊsKžüÚ±l¬І[¨7´xª:âßœèÛ’01‘/.µRG!ãˆ'Æ2Œñg›ˆU
+Ì`Ä?^áþÍA}1…«?®ß¸ræ¨'SqŠÿö<zL%µýéš7÷3®>ïéƒá†c§?>×:=””~Ž-¤ž† ;¢Î’CÇÿÄQ½ÂÆñi'Û !:BMöAŠû wÛ¼º>ÇŸÉQ†®´_mŠ†•âö3EGßû)²ò]T"y7 'Zc‘5ý@¢Ü¨±k7=­Pbæ»vó8<¿ÝÚßMà{w[Ô]]®øúeßu«Pæw®YƒÃŠ-³ç²Ú_Ô^+Ö›ÑÞ¶ëµåiTh—•ýÆÂWŸŸôØž;9(—¡‚w¿žØ"3Qs–S&ÄO4a9‘Ÿ´ýÏÿliÿoºÀÍUšžHÐL†©ÌǪʙ½£3©L&Xÿ/]¢¡oendstream
 endobj
-1369 0 obj <<
+1365 0 obj <<
 /Type /Page
-/Contents 1370 0 R
-/Resources 1368 0 R
+/Contents 1366 0 R
+/Resources 1364 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1355 0 R
-/Annots [ 1373 0 R ]
+/Parent 1359 0 R
+/Annots [ 1369 0 R ]
 >> endobj
-1373 0 obj <<
+1369 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [455.0966 727.7808 511.2325 739.8404]
+/Rect [367.5469 139.6782 428.747 151.5784]
+/Subtype /Link
+/A << /S /GoTo /D (zone_statement_grammar) >>
+>> endobj
+1367 0 obj <<
+/D [1365 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+358 0 obj <<
+/D [1365 0 R /XYZ 85.0394 380.4002 null]
+>> endobj
+1368 0 obj <<
+/D [1365 0 R /XYZ 85.0394 350.5503 null]
+>> endobj
+362 0 obj <<
+/D [1365 0 R /XYZ 85.0394 121.5976 null]
+>> endobj
+1370 0 obj <<
+/D [1365 0 R /XYZ 85.0394 96.6891 null]
+>> endobj
+1364 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1374 0 obj <<
+/Length 2820      
+/Filter /FlateDecode
+>>
+stream
+xÚÕZßsÛ¸~÷_¡·Ê3¿Î=å'õMÏI÷éîh‰²8‘HŸ(ÅuÿúîbŠ¤(9mr3m2c‚ÀX,ß·HL8üc™Íd6q™f†3™o.øäÚÞ_ˆ(3KB³®ÔOw?¼Sn’±ÌJ;¹[vúòŒ{/&w‹_§–Iv	=ðé›7ï®ßÿãöõ¥ÓÓ»ë7—3iøôÝõß®¨ôþöõ/¿¼¾½œ	oÄôÍ__¼»º¥&ûøéúæ-Õdô8ÑéíÕ»«Û«›7W—¿ßý|qu×Î¥;_ÁNä‹_ç“LûçÎTæÍä	^8Y&'›m3Z©T³¾øtñ÷¶ÃNkøtÌ~Úxf¤¶`IÅ„âbÜÊ‚9!@ÈiÁ”ºµ²cVNRhåÅ>_Ïš]>ÿÌjïªÉï×Q.h
5qæõúKjXEÙ4ŽS^Šiõ@ouµ~¦ŠâœxšŒèO6€—Ó2>W9NNs&‡5a(,D3Gù†žèHXRÓàMaª2ãøUuøÆx%l:–)/A­Óþ8p#o˜4"}²Ê¿D]ªšžÅÍ´,æq.ûjëT)Ë„ÏtE“‡  ­ñ™Ç׎}àìB…û"LJ‹²Á•ZÐ[kÉ\P˜×›Mð,|Y“á ô7¼`lÌ&>cÖq'ˆK?ŸésÀ^r^%s@¿b¬Ó™P–(i&…1-Ì
+Ë`ÎùôuÇoêj·­×##‚Iô„}´iIÖÓÑű"¹8–çyE­÷±1úón[ÎwaŽPwŸ7TdK-]¤†PB@GRÄžÿØCç%î… Ês³+6àÖ
+ÜúSQ¡Nƒ…8B¤Õ†yëÜRãöaB…Û­Êù
+‹20B¬ÍÉVTTÞ-ÁÈðŒ3»U¿‹û¢DVé>D³ü‹Ua€ì¿ê*0_åÕCR¨¬â¨‹E\ÑBŒ!€Ç'~u‰¥M»hÛŒaÄo™Ë"
—c`CqP&
+oògê=_7qèû8^ÓÚuA8¤Û±BIƵN½GGø2ÚE! †¢Ú!?ƒÒq±8TŠö¸t™p}-wÁ"mËEBàuT<ª¦“ÌëDêG\ø͆#kTÇPÄA4õ(cg‰ÿ¶‹¼(\î×ø.hë‡ñ艊h´Ôß’ª@š¾pHØ7]é,Ò«ÿ-Še¾_Gú,$ûvC} Öù¡±_““÷PZÇú%}´éñ4êü—(J.Š{å$
+å˜ÅPô,
+u¥N£P+up{ žík*¼•½BŽqaUø>
+|bŠ…p›µ(õòj†Êæ3UÔAtQVùö™šÞÞ|¢&¢WpÜÑ(&ƒ0Ͷ‘ÝÀ.Crò’XÑE™Ð€vláBôÝ.Ä°Ì=ŒÀŠuðÇ/¡/½Ê „ô¼í?YŠ!hptv§ºXpZá9sR«!àçmöðï¢ÁãÆ«>L…`ž¶Y‡Ñÿ‹T£"êW¦]:Ø›ëuŠ$ÆB/˜É5,ÏÔWeÕèÜ{?žUCdê³ÚêÓ}ÑwúŠÅôE¿«YÒR6䶽` õBð&Ǥ?×ÖCøE!ñMg½ŒÕ"¬4gFÑÒz}|Ó;ø+§G§
Þ"‘ê‰'t2<ùc"€Ø²L‘L§fz°@¨øáz#'ok˜Ï¤;¥Øï¬Óq˜‘í!‹„°FKj@¨ÔØ.äÕÁ!1_˜>Ïæùü
+ɳ:»,ÃŽ´ÿƒAÆZQ'ô²§P?f¸øË
+ã¾b[åëÙ2Ÿ‡4Ö[¨Hò÷ûðáÐ'¸ø¦ßañÏõ6v‚“F  ©h"ŽãùW½ð]¸“òm™b¨ÏUýÔ~ÕB~P°Ê×é£ÝS½ýœ¢ªÞ‚1>ê¾ùçG‡ßfiÇ r•ã7ÓHXQ)œ‹ñ'/ªUÿ7)“^ÿendstream
+endobj
+1373 0 obj <<
+/Type /Page
+/Contents 1374 0 R
+/Resources 1372 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1359 0 R
+/Annots [ 1377 0 R ]
+>> endobj
+1377 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [455.0966 642.0614 511.2325 654.1211]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1371 0 obj <<
-/D [1369 0 R /XYZ 56.6929 794.5015 null]
+1375 0 obj <<
+/D [1373 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 366 0 obj <<
-/D [1369 0 R /XYZ 56.6929 769.5949 null]
+/D [1373 0 R /XYZ 56.6929 686.7418 null]
+>> endobj
+1376 0 obj <<
+/D [1373 0 R /XYZ 56.6929 663.9487 null]
 >> endobj
 1372 0 obj <<
-/D [1369 0 R /XYZ 56.6929 751.4533 null]
->> endobj
-1368 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F63 1103 0 R /F62 1100 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1376 0 obj <<
-/Length 3259      
-/Filter /FlateDecode
->>
-stream
-xÚ­Ërã6òî¯ÐžV®1ăQ99;ñÖf2ñxkI”D[¬H¤G¤ìh·öß·Ý¢ìI%3å"Øh4~SbÃ1Ë’(VVÏŒÕQ‹d¶Ú]ijG˜ûîB0ÎÂ#-úXßÜ_|u£ÌÌF6•éìþ¡G+‹â,³ûõÏó÷ß_}¼¿¾»\È$ž§Ñå"Iãù7·¾%ˆ¥Çû?ÜÜ~÷¯»«K£ç÷·?~ ðÝõÍõÝõ‡÷×—‘%ÖK¦pfÁÍí?¯iôÝÝÕ?\Ý]þzÿ‹ëûp–þyE¬ð Ÿ/~þ5ž­áØÿ¸ˆ#e³dö/q$¬•³Ý…NT”h¥Â¡9€<ô²ªhó¢õaÅÊ¡HFašÑWŽ¶|.Þ᥃‘•Õ
-ïÖzËàhñTWM¹,·e{$ò‹€4€ùjEÆ+pÜbÞ[‚5›ú°]Ó˜	·Då¥l7£CÈÆ…Åþ™ì“Y­ê¶CŸˆsÎ_³vS6JŒÊÜE_ºJ–¥¼Š“r€b;ìφ㡶3¬ÈÛƒwyÀ`…Ïœ‘×r>ïò#oûûSÝHÇí›áÁÈh·-i2Æ%ûœ ¸çIÌ÷	ÎùKPoªÞu%œé RÛæ«ßšói²Ì²Û4:ÃÔþõ´ à/úNCÑ)Ý/I4¤ªV€µö‰Ÿ&Ýë
´Î"C?à!¤»º/ò·’øƒ,ú­¿u>MX7}Nͱõm(R
Ò|GRÛ7xXLÒ|“DRÅÉ‹û
%Éɼ~â+‚ñKî€)¨h|’S@˜$A€ìÍ®®3@àÂ`éI¥ƒä:™_Á?Æ«’Ò3¯Ö£Î¦Àt¦GÑñ)uU.)ÄÁ’m¾,¶
Béh›ù²¬òý±ƒ±2³óï!Ë鼓Ì:G
-˜K>Kʼ¥ž·)‚4~)‚Jáö›¢"üuA.½XSZ¿›r{íÆçóá`L€†¼mj¯¨}Z.é‡Ñk‚ª~aÀcÅjÎnƒÝ5zƒzWø]öUðJ;ð*ùcñŠ%H4?kß°„Ö+–à±:KpŠóPìO‹]I™½¾½GšØ~XêêHÆ ödÊZ&>«Ã!gÊZ¦]¦Œð)ãê>ù~Šò™±0Çe>Óê¬ÂMn«š'}á©$‰RìÕôÓ1NÀíf)d*CÝê‰tì§
¦\–I¹ð&•õê#—f³	ÂY ¬èÉa|Ä£
-*åÓd'€ÓÝÉ!©iA£wEÕº„T„|r
ÃUÞ¸»%H
‚Ú—kWBœçÆd‘Ähij°Æµ'>($…æˆÏBõ;>€·Êolž=!¾ã@½	ñ'T+‡0Ž<2¨S 
¸[qÆv5	ÅÉë¶ÛÇ:o»¾ÜBž±©·§=*‰ùÆÎibçÙb“MËÑÖ³URºÛSTÕ<Ñ¥S—I7*hò=)¹Ü‘»CGò®'>ûÒ“êlÙíÉ.K”TÜ"€9¨·Ï…g—
-'8›Mõ0gÄ
Ž—Bˆ9«ÔO~G¼ë^L%UjŠ“¼ÑãráØ×Æ%cw…ÂÚG‰¶æýîÏéçiI¤Ààb|MT7ylÏúïÔX!2§ì
6U3pt`^ˆŠb‘FÉåBÄPaÝb¡ôC<±IŒõ46='7®0A¹B…:L<Õ{×!íVúzFÀ1ËÑ-n^<4(¾ô®ÅCG/¹:zR˜84|ÝæSîKCù'P%Hh¨ØEµ¨«‰“/îÀ…‘Ç›&<£N¾€´VQ¦”ÇlóßœâkL‹èI›äh0:q"õóë€Hj3ðÍÀH•¯‹Qu±®×)ó%²™/•
-в/èïËÈBÚ?ÝÝ_Š‹>IçtüAU	³"e1i̤ì#NÕ_Ȥ§ø“‡…[0é<à9Ô½6‹å¶^RWî¦ÞýÁˆƒï¹¢ƘCaSŠ(NS1ô]cóAÌ;˜åqÿNJ]’°â棚Ӄ”l˜ùžµr¢ÆNÑûBp×ëÉÞÃàüʧí¤y‚Èej¿Ä„ 5!Û
-é‚P¿eiñ±o|ÑZüžï€‹w†´ÈT”@òݱãSÜ©‚22Q6hÆ+’ÑJ’Ž ·Ójà›U¤™¼}%Ò×}1¶´"ü&åšœtí†~¥ñÝ$VùŽAÁ”êJå/ îRïo Ppí˜ê.!1 ~ëË»)Útd„a.¼:C“ëÓö–`DZڔUá;?¬´+&ˆÎÛE~N±YØ“ZÚeœz*Aû¬þÃjêx%y
3°)ï3ú½®Sô3!ƒ½ýø¬½x¼‰BÀü’Ù?óýtÊoÁ%é“Ó.žÓ©Öl
-NSéAyÀeW	ê»iθ}AôpdàÆ—%}§§¼N€øTCóÑá	Î¥˜;oק¤Š5÷ý{Rèõ¦ñËn”3*ûÊjUïB]ÿ¹Ÿ96àu¼Ã øtR«þŒS‡3Âú¢&øhMÉ_{‡9~Bæ‰
v6òBm_OðkXÑV¤PìkP…?Œ=ÁEŸâi,ö£Ø(Ûm|6aà&‰ý+yôßbRƒÿÕ™2y.aH LO37™7g’UÑP+ñņ)±:‘² nx3µX×þ÷ä´DÛ©¼Úø%Oùž0Ÿ‘m¤¥5›zõ›s»*c›'žS£!s¶@£`Ñô:ô÷Š5UnHUÆ‚"bš‰=ð†&W?À(™ ¼6G׎ƛœéU}xd¾®>Þ2æáÉùÒ‰ÃÐúCdñü—8‰ƒ­èƒb8~ðÙÞª®ðcbCP'€ÞÝ€ˆßÓXi«úáÒM¿'ˆJ´„&-Ž]Áar,2– ‘F4´”‚¥õ¡ºÏ2x¼õŠ?Û¼ñ{·Ÿ¥àˆ‰ Mƒ¿¿pg(Éþ’©–ÑI¶0áeë iòY6£¾±éö\›üÄUºeG,îŽØP> ¼™îûÐ>U Mzæ+LC«Cjuô¿-W‡m¾§w’+bŒ› 0¹r¨í‡X˜#dô•4.gÁîÊÑz×ä‚›(¢×DaîÜ;ýV¯g©#=Ú›è09)!Þõ;¬EÛP[Ôœ&½l
-ú‚> endobj
-1378 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.0783 733.1915 261.825 743.9759]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1379 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.1622 609.0825 446.9089 621.1421]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1377 0 obj <<
-/D [1375 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-370 0 obj <<
-/D [1375 0 R /XYZ 85.0394 436.6824 null]
->> endobj
 1380 0 obj <<
-/D [1375 0 R /XYZ 85.0394 411.9605 null]
->> endobj
-1374 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1384 0 obj <<
-/Length 3174      
+/Length 3291      
 /Filter /FlateDecode
 >>
 stream
-xÚµZÝsã¶÷_¡>Eîœ|òãîÉIîRg'q™v’Ú¯ãˆRW®î©µ)ûÕ½«¦$_©ž Y†1àÏ™²~ÌÍy¡æ-yÙ¦|ï¨åÕÇF8[lûMbƒn"µ[~úSÅY΋Ë¿"ɾstï&n2hdžw¦mÜgÜßK8Je$¼ÆcÇk*•dÂðÎÉ’§£+•óàvÛ×~×07ž¿2`¦­[ÕxƮ­Å„!ƒ¡M.…/-A4ØÒ°-AF¶4ƒ-Qt°%uí›5¶Ow¦¥Ir‘±²‹Ø~¾ÒÂB{ã=ø‹²0fÒRN½æñÞ51ƒfI¡MiN‡*²²6‰²6­¬UNóоwÆ£ñÜN§OM¢³âÙMÉ"Jq4õxS Èñ\bêg6Éd–¿Hý”G1@Â*áq€ c‰G@„ž’^Ëzônw[®<úAÏò#29„µ\Mýºr·å~Ý'‘} @Ë­¢µ„ÛP!Àm~Ú»»é\¨Ã:r#eiR;¸‘ G !¨W­ëš/zêxß´Gc˦{¤± lé’þý}ï:t$Äê€“'a£ÒT_iaBž…ÃΠG³‚†°¬ÕàÞ~¦E×îw+Ùðb>¹è‡«ƒ‡’¦¼«ÔN{(Ð@ƒÆÔ±Œ4º=b6v¢BµÕ©ÍæïÂóh×ðT-™dxaÐ^`HSMÂËB¢7d¼Ë±mâ讑fÙý:‚¨«lQóðòÉk¦³ÄärB§3If¬åŽ©–cƒfDKðÃ]ݽ÷Ñn¡R=GÛâÓ£\
-~S÷=¡4™;§\‡]þH=SÜ®ƒ?‘›0õòêâ›o®É*ìx#Þ*™	AðtU%Ežçq²ºf\Œ§ôLtz&9 €üaeÔòâê£BhL“¬*9X`½
-Ì=
Òà2,Ýä«dJ5L@’ا&Á»OD#™dÈ£Ÿ¹*ÒD‘ÏÞ]d2Üb¼EN·¢(F·â¿й·n74`{(„¾ÿ4ûÍÒñ·þz„aü&“¾Åªm@îöôEƒ`Þ;7][É«H¶ßò\
ØÄ Z:>Š‚-Ä¡ÉIâxh{³D˜Jظ.ä8ó›{VaËÛÊH/¼ß»Ï `Æ”%“ˆê‡4aˆ‹ò›è<
ŽJ.Ìb_m¸pr‘môÈ«oÃqþ™ [æ
a
-nœÕãõÒ›M‰$/Òi0}N°³PÆ«¢•ôPLªh¥‘æj]Ì݇Õz_A®B7àoàŽ„GÄDz3†Ñ3ZäyФ|hëêSv,€å™ÁŽqcADZdÓisS€.G×ì9{“I¥&¡"p†QØv_?¸u¸Œ´¿7‹›ƒ0Ýé8á¸=¤(§œË¬”/ü)àŠÈŸ5,m3™ïÉ`iìdp6DxI€~':Uvj€‰ö”À¢éLI³ªÐð„ImÀ7Ç5êÈ:SE’çYyË&E©ÓHNeˆ…Ìtr|Ž-qªžÑ‰ÁÉÿW»c*'ˆ¹ÊNRÁXä±2—Ÿ…KpIG$r[T¢ä¦0ö¼|N¶9pÇf’OF0.cê“ÙŠ†ô-Í'Ù
-N¿ºw«÷ØLçõ-‰([…F»uÀ=ta÷Õ†º(¨µ`dH3Ž¯ÅC]y€ÓÖ3QêíÝ®ÜlµõéTŸñÄ'ð$'éw5t»‡ÐyÏ
¯ôl¾àEø]€W|þ#¤††ÛÞ»
’eH¼HâOÃW 
¥7 '“sT¼‰ÕR†
Œ‘:*H[ʇ²^cu,vLxh–ÚOS¦r3=&X‹%~
:¬Ú]@Ѷ¡ø‚ýÃ!ÁÁ ØáãÍ<½ŒR¨ÇºsǹðùŽ‰¬WÓU…ýƒ;jaŽò¢ö±™âòëO×tNÜk\×a>äë˜n©•Z«í³õÐ÷ús>_Aºj{Àk 
)—Æ´Èà¢y—ÈC94?Ävh/YÖíoq(úñª†tný‘äkŠw<#WFa¼[íwuài¹™_P¸ºÄ.bapýOú¶®©xm*Àæó‡rW·{nËEÌ‚à“nµÐFΗ{¼À_ñ"hT°4X£Ú(¦}¯ÚÍÆyj
-#j~ˆn_z"ÿx¦ké‰dªsCM>+€„J²xY“´ ½`0ÂŽíG$Z˜rŠÔŸ	/³îZjyrñYr`Aàyä#ÐÈ8È}eË™JK<÷Ô¹ä©ú¶%A·ñu”?•H=.€h»ßm[r6¥™ÊËFËô ÛH^,Eäk†e#·ºÇ—üœÔ®×î‰ a´ü4úH5.Èá”»sHCšÑC
ÚšyãyHPÛC\Í5ýSîûvdÅ÷†.ùÝr»]×­Ÿ(#ûö)×sÝ–UÈ?Fèœï¨‚yÙ3ãîèéšð˜ò.0q‹ày”½Å⽆iU¦>‹D¤i–~š”g0/ŸÔ}3¯jBØFÇÛ¡»G­“„D~J†Ó(ŸÊ²©?ÅðÌ8à}
-¨&”wÌÿË®ÅIübÝvùR
-FÙôø+DÐ3”¸àÀ³puЯˆWlUzÚÄ>w0¤œGbòOœ[“àpð%•úQø8Ü"÷ O	aâS×V!‰
ôœ¬£Ù½ëcƒùÒ}½¬{’}=!…oéÙµ–Fù•Qè>”›-3 lÊH%ìôH¾ºü;º¸bŒìèfТÐn£œ7‡½yæ3.«DšMöÞ…ñëõ÷í>¬D2DX~»«çüDEE1‘ìç°Í5ë|.]6ÔBà#ˆ¤ïB¸ad|Äs ÔVž~ô®a÷X+`~
&÷„–³öðYGy½ñAŽŠHW{H]
-ø­¯§.Üòl^¶-2êùª¨©oµ*÷‘Émæ©Äîßå¡*[‹u•Ìn:ìnƒk€ˆç°:˜-´f*Iìö8ËÓT8ñ§Ö5øtÚÄæHK"I€uBx‹! 3gú¼
+‚˜ë2W„ã~]tåTÊd*òë«®‰å0HÁ¼¥Ãõ@Iæ 3·ÆDÔuD/VærLî€Ø—»ªÃöקºØU+døúýG¤â&[¤>6¤îŠ¶+©ýŸ¦vˆ¹ž?x8(;ËÄ%8èá`ð¾.ëRú%üèöÐì°d·KXTBû}Ó•Hí6E›çªþ„ô~FèZ­SЮŒ÷h@@…öÚÎn\ü?iÔÝ·±ÄïˆÍ°q¡&ð/âç¨9Ÿ×¡¦\u•7%Ãä™4:a™ÈÌ@š3ä®—d€^É­åÄ2 ‚\ìèŠj{Åv¥çŸ¼àÀc®+¶ë¹Æ¶»qž‹ÃÚe¬Œ¢®ÒÙuAׄ$e$)è ÞÖ¹kÌšÞŒ¡Ù›±}	f/h;²7ch÷fl_œC#²©hضx"{ÍA¾LŒÜ·³l{\4$óe‰ï¨8+×Ú	]È"}z ½“#²†Êó®'ŠÒšŒý#…	Í®$ÅþÿÞ.t’@ ª­5Ùæÿ&òȈ ôùÂ+œÞëÔ
+TuK¢§bMb“7w½¥°µêF˜œe\¤Cåøí£“QŒ+çœT†Jʾ<ÀL;›¤,d’Ïns1o§¬‹å–øÂÒÊÄŠ…™_!³‹»§)=åœñTx=]7ìÃó\©¶¨O^³_^T­_ÆæD±œ¤LæOÅöè2I9#6A×õ„è\æठ9ýSGll†ïå€cš˜W0­ÕhÚh{S³‚bx¢iHE[8¶GÐç	_Vͱ4ï1­+‡ä È„†àè ±RFVÕ+{¶¹·ÀÅŒ}S·Õ²ÚVÝ	Ð;C@mÊæ´Wà¾ù¼C!¶Hk7Íq»Æ6MÜá,ÏU·­·XžÐ>IT—çyöA´Ã]9.ÛueÇ׃!XTÑ°¤G8bpí$°d¿5Û‚heѽdz±ì³À‰Ði9
+mÀµwʼn–ýcß´¥'ân{ævj_¸Úç›qG
+¤ã	>«°}þÀR›::­8ûíºbõ[{97yÖ
+…]ª3‰x!5싈ÿ<Íú9‰‚d5ç`©ÑÔg¡00]@©
+([cBV°kbe¿”#¤`êÜÒõ!溜#®Þ>éE{ª¸-†¨a¡—0¡òd\B‹½”	™¤C)6˜#§ófOçíçÂ5€³ÎÈA:Q‘Ð@ƒ‡F»kç,ññ¯òSéAnÎ_Ã?âkˆ¢ñYÔëÑ,ù@èLÂâ/B¨ºZblƒ!ÛbYn[KÅwœÛÌ—U]N1
’Y>ÿÒ›Þ-‰¬÷ À¹¤½h’M{Ù¦&Äös e\½Z#ÿºÜSÙ	îÊÙ	¿Ðm|:Úx®mÔx.—퀫Õ½µ¯v«O5Áœùiëš]éW9ÔÁíÀŸŸ®Tº*Í 5âº%Ä\—-!põ–à€óXÎkÝœ	‘]_Þ3M,?¬tI.‡ëRd%RŸÎÙ&¥ÈJè>E¶ô"Û‹7û¤ó)݃%Øä–Xhw4Wo®sC\}´d×\2M™¶÷kqF¸ÜÌÝ÷°©tì£ÍµršÊ6!s7h¹üžÑuªŸ¿ÇWq
+1%}~ìp¾:0å†sbj;@ô®¬ÝU âaŸUCsU¸‹AÀîÒ€¢ÕÚÕ—¥16Q*ç,¬õ[ÔgËGÃÍŸQ_ÅïxÞ*½5’yï´.ßo^¹¾Š4âÀ]V\²Ý4Eä¶q]±]Ïe·¾ÜB†±i¶çWTÂ"ò…•=ÓÄʳ•ŠeJŒ–ÝT
+—¼Ác[µ¶šGê_VúÚ[%6B¦'ÕY¶E÷’"ºÕýÅ¡}émÙ­I3]~(°ªµ’ Ù>•^\¬˜`o¹VCèÙN·œó9Aê§øª2Š©%k>Ú(ú}€Æe߈Ú
+aí£D×Ðz—ðy^I0e_Õ—MÞ~“ðÅݹ±BdÖì
”9pÞ©I0C±ŸEìýþí‚'PZÝÙ
+é±€ìwbˆ­"…¡€RLn\Eb=Jä*èбoîšT­çÂ2< ¶Inpûì©ý
2¼DÇ⪠’—T
=)t[¾nñ)÷¥ î㶆¦ïìÒí|x8B7LxF•~ÆÔJ²LJÏÙ¿9à+›áq_TêTêû×a3ðÍ ×Òĺ¶¢W(ñɳ™äà*Rõ9ß´˳,›þ¢µ.¢ËHÕ3@í¹0LvÆH=-ÿ>	ý„/H˜]äpౄÎ÷]2>ݬätSf§/qµw|ÐBHÐ	×x¶6Ú`Àœ%ZÐ603¾¼kYžF‘לּEõâ';X|L| ¼†9ïÅ(Û3§rì½øF×
?€×«öÛI»L´òϱÁ2Ò¬'xýÄ…()‹výÎW«åŤx5aA‹L²"·›ÄqWQt7™#3,\¿K‘ÑHTžmAR§³ýƒƒS–LÑtðö××®ö`%	† Ýkâ)@ž®(¿@b]ìˆ<0P±¢”þPâÕø+- „Ü
+ô1f‡ ,>L¹qÏ–f³K)êsâ`uéFkW¬6U]úÛmIÀÝy»(.›´=…Ò>ÕœÀ©ôåêOÃÔ¯%k
ç20)ï2âë­s<ûÐz÷áIyíxÂBùoŒý‚#üa:×ÏÁ#©³Ý.žôÔe¬f²ÊA]@õ•G¼jS”jûJèñDįGbŸ'=¤P|Ž¡hëð„Êæ–ϳ‹ç
+ZµÅÝôGZê#ÞFÏ€lL6ö¿«f
+úÁ×í¼Ž÷w¯§@õo{qîo’á1|Ö­÷hLEy‡¹ýrL!¬l¾*¿ž*Øï_	DZn3!Åõ_Ä~ÂE<ãy ñYbdÞ/|1Wö·2iþwÊèg|IHÅYª29òRºBy®3R7}7’TðëZIþÙv©°Øõ-\“Xlx+X¬ÿ³t†@ZZÓ©=lü}q ßIدÇ9S‚§ÃoPm³úÍ9]™‘Iƒ/ð‚!s¦€­`Ðø:ôö’*
]DeFŠÂÉMöHnhºf_‚ hðÚž@];lo
+š§¬›ã'’ëõ‡;â<î+0þr¿‰(ll…_˜,‡“Ç>;ä[5µýzØ"Õ©¨÷ï@Åo°-U.ã`éºß E¦JØ_LÙœ%‡m×°™ÂÅŠŒôLˆˆ‡b¨Ì} ŽE‡·^чš©]FáÖË1ö…É`Š McváöTÔ«Ý´uKuÄŽº…¯[Gh“ö²Ý›~Íe¹)ž@]•–QÉ’~‹-f3@*Ú©ßwô?|¢°b—~Ý'Sf’7qŸÿIaù—ýÏ"•Á_ÙLêI4ËDn¼Pv?i>–<üDð\ôÿ‡+f	endstream
 endobj
-1383 0 obj <<
+1379 0 obj <<
 /Type /Page
-/Contents 1384 0 R
-/Resources 1382 0 R
+/Contents 1380 0 R
+/Resources 1378 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1355 0 R
->> endobj
-1385 0 obj <<
-/D [1383 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-374 0 obj <<
-/D [1383 0 R /XYZ 56.6929 587.9841 null]
->> endobj
-1386 0 obj <<
-/D [1383 0 R /XYZ 56.6929 560.3469 null]
+/Parent 1359 0 R
+/Annots [ 1382 0 R 1383 0 R ]
 >> endobj
 1382 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [213.0783 660.5919 261.825 671.3763]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1383 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [398.1622 538.8963 446.9089 550.9559]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_security) >>
+>> endobj
+1381 0 obj <<
+/D [1379 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+370 0 obj <<
+/D [1379 0 R /XYZ 85.0394 372.9462 null]
+>> endobj
+1384 0 obj <<
+/D [1379 0 R /XYZ 85.0394 349.997 null]
+>> endobj
+1378 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1389 0 obj <<
-/Length 2542      
+1388 0 obj <<
+/Length 3157      
 /Filter /FlateDecode
 >>
 stream
-xÚÍkoÛÈñ»…¾•¢½}“D?å'õ¡g§ŽE{wh‰²ˆð¡ˆ”}ίïÌÎ’"%JNk·(˜Ãåì¼vž+1áð'&‘a\ÅzÆš.ÌdQ\ðÉ=|ûx!<άEšõ±~œ_üðA…“˜ÅVÚÉ|Õ£1Eb2_þ¼ûËÛOóËÛéLX6˃¯®ßÓJLw7×®>þrûvê`~usMË·—.o/¯ß]Ng"2öKOáĆW½$èãíÛŸ~{;ý}þÓÅå¼Ó¥¯¯à
-ùzñëï|²µºàLÅ‘™<Âg"Žå¤¸ÐF1£•jWò‹Ïëö¾º­cö3*b&’ሥ3 ‰™Uð	
جSÐH‹ N
-m§"
-Ò¤®Ê7¸ ƒ¬¡YMÏû´L·Iž?ùÛQ•÷´ÂƒeV/ªÝ6¹O—„ÒTu“.²•ß—Ðc“l›l±Ë“-mÞT[ÏoUmýv,
úˆž>*’Ì	F@E¾îÒíÓ¬¶‹¹¯¼Ì
-k=2>¦7ÓNÍFv2‚ÅHúðìÁŽÐ
œQGzÓdUYÿ™üÄ™ŸÅ&ÏYã,dœ…’»<­é€]íjEÏmR.«"ûæi:ãTt[³#䌈ŽP„LH£ÆCÎ#ÍúXä1bÌcZ,Tdœ9› ,³MUå‡"ˆPÁ>°ãY:¬!úÖ!Ä;„ÆPŠù:óÆ#ƒ{3·kwu•§MzÒ:pÊÌ„Êœ·Në´u:¬Î[:Ë̪ìÂ(Vç¥è°FÄØäCn‡r¼Ô>Æ2.EøŒ}zXgìÓbØg·Y&Mš•Mº}HŽIJÌgpâgÅé°FäéJʘérÀ@ ÿÔP­rÀœ‡*¾'ÕÉâØèñTÏÁ°ŠY­âÓ´hZlwIíKªÑœi%¡Õ%·Õ$xÜ‚³HëÈY亗âŒÕÂ9gFIísÜÍtfE0‡ÿ2¸<´ÐÔD3Öq!ëÉ׉`\ÇàÍ©;]÷6p?\rò¾&=¥Z³>e§”•ýx!œˆ00„Œü1CfÕRÉr¹Më_Õ£ß8—˜_ñkVÒ³«8vjJCT´/9Ð:ð€ÊÃTò ­=‰lȤÒzP <;/äT/Àjª8–'÷rW5k‚~yÿ‰0¡ ðz.X­Á°XÍßžŒt+›	2(2ðÀRÙà…Üa	‰Œ/;€¼q¡Ñz²båj|«JW³½¢'.ò€æIYuB¢œ?"b‚J>yXóP#ÞjBva„Í\¤÷]¹ñ4²<¥–;
ŽUÇ!t;pŒýPxYta›ØÆ“Ù¾+{qìKÃäk
--³!¸Þ÷+Úî8•F´
-a³Ï¤Ã!(¥_3hHÖ6!^=ô)ŸI#ÚFÌZ_Ÿ+ק¢ÿûªˆà
-Lˆ±é€Ôã@mieY¥¿¬êݦwn%mš¬¼‡—0¦àt«ÔÒ‡6yáK—*ðƒnE$o]-0â¿à¿´ñQz*Bú§ü2Çù¿˜ì¿•
-h‡>!JÅLA3ðL„(°u¿n„(˜­ùoDHŸò™Q–3´4¥Œœäu5RBµýT;,50ßÔ+Lñ©+Ÿçë(ÌYJw3œ¯„‡%Ž!
-=
-ÄL›ÏgpM3í8ý~™Ï¼~pôÝ0ͨ…<Ý‘+.»Ö©Œ·*ìd8þY•~O…;!4Gæ^“8V#!ºvQÖë¤& Hë¤Ìê¿c{…ÏMž¸” vʆÁ*YdS)³€–¾9QR'…{¥DdLò¬ÈÿµòL(ƒ"zQíJˆƒµÛP%KâÒ¬“f,uöxºÉ›DvCAy0¶×Ou“Øþ€'ÏÛÕU•çÕ£KèûñÂSÃË_¸¶
-žß:ÃwœOŽgÐNâ#Îg}¬ÓÎÐa¹ ‚¨QØM­€'cýók„û°•Ž™Íû÷)6㥫•2ÂPÉ0¸Ï«;ÝRžÕ
Aî$áëÕ'µÑÝ\Õu»¿E)ÝÝ®Ô0g’Iò´—vúÌ\¡NKp}3¿úð‚àܧµïÃ!-H½¾ï<®Ó2}pÅßr§¤ñ•oM«‹jóDù¤h–wŽOs(~BwM—o°ÖG>Š\7Ñ,oH=*{]áí–.	£Ý?à÷'ÏéúóX0è‹Ê=—à˜P‘ŒŸ•1Á:Í7trÀ3-ë]gV\'kš»‰a§»ñ³(‹ÿö˜å9A_wÙâm/Ñ´@ùÞïq&€'¨˜ä82¹RŸ
7.Ý&æ8wÏièBRw:(’'îRzæE\xÌBi²X\*Jh‰ãP«¶h
ãë (ŒÈ´Å¿çÐÄ‚nQ5º¥gïooµ¯t^êÖ?›ï®FbI‡ÇÛª0q¦îÖ5Â+iѳ“OWÉ.oQW´MXœÇÁÕŠ>À¶cCh£¥4ö{
€ëq)æ‘2Ý@ÃÁg©—-+i)á	J{ËÒEÕ1/¼À1ÝÕX~
-ˆû7D6óœÉq¥¯ÚfKZ!ãâ1¬£Ö"dRðpxQ¦Ã»ðÎPÇ,=™2BJ‰¿WD2øûÍ¡45C3Š¾ÏÓÖ·`~dÚ…EÚMÕ—®÷G¸jhyU׉ð‹Ô¢¼¡ÛJ@ÔåuÍò:]ƒFàLàviM´ðuãX43¨Sòû\Q2Ê'"mŸ›¢€;ÇV¶UVºªð>*ñÍý´AÂ&ŽSǵ¸Öždõ^?gH]Ìpèf¾—›Æ·>pú
´ôF[Nݯ 6æ³E²¿ûÄ]€/Nvšì0RÏt}¬ÓÝG‡…¢É³¶ùÁ#Ÿ5Y‘βòøèr¥Õç%é°FD^ +Âh(ËUy]£èu4õ;ÑHA]Ä+©’¦vøœWå=ÍüÚçO‚è¶+JùD;‹¬Ü5©_öÞQ¥q[Òm‘ÍèœCÏŠhxÌ%Dåò°åÜççÞ¶œ€Žeë’À5ÌG5øœGVì
-zyHò]:¤,#Ï6yêQÕ\p<ëM!dÅÐ>ãL=¤3?Sy¤QWÊ–ù¸+Y&cçÄèŽå:’€¼É {?‰¡	ô‹/äCk9=7ô³êý¾	ÀUÊrO‰Î§„qæ†ôLn%ºJx·nÒÆR“è÷»•=åUbïUÿ{§j'\ÃðWó‘Ãäݵ̋œï݆s9îŠ[Ih¹¼Pn臒w¿â‹þ/o/üHendstream
+xÚ­ZÝsÛÆ×_Á>…ÊÈ}8ØOŠ-§ÊÔŠ£*3í$y€HHĘ­vú¿w÷v “,§=à¸÷µ··ûÛ“œ	ø“³$Ó\å³,7q"d2[lNÄìú~8‘<&òƒ¢á¨ï¯O¾{¯³Yç©Jg×·ƒµl,¬•³ëå¯ó4Vñ)¬ æoº|ñÃ/Wg§™™__üty©DÌß_üíœZ?\}øpvuI›ÈùÛ¿ž}¼>¿¢®”×øþâòQrú<±èÕùûó«ó˷秿_ÿxr~ÝŸex^)4ä“_³%ûÇëÜ&³ü±Ìs5Ûœ˜DljÑÚSÖ'?ù¹_pÐë¦å'E¬tªT:$À$S
](À³ÓHK5_Wm‡-9on‰²-v]µØ¯‹ý¾øxŸÒˆb¹ÜJ;/Û¶l©sQÔÔ(ÖmC£nJ¢´ÛrQý&„*—¯€¢²yÅc«j±òóÛ’¦u+?¯ÜÝ—»#weÝ2ƒ~+?8-º¯äIçI¢ÜáÚfñ©ìèÎn›5ÊwÅÖ€5"NöŠ(ôó®pßå:ˆŽRÂïaUǼ²ã˲­h&/|öñ‚Ïo÷Ûm³ë|ÿÍÃd…öN¼‰ûCå±F-ÀC}د»j»v†–ƒ6"†V3p I-jênŽOÔ!“ýàfÛUMÍܹët|1;û¶\Æ(o0¨^ŽŸ‹
°ñŠ–6C>¢žˆ²£–TÚŒû‹B¾^ÞØׯ¿ÓêMx‡‰(`?-c…†ûªõ+’yY7kTHaX3X&õ:
+T§–@#Ö’h¢8ÍCpA
¶%è›Útþ&q¨º b[Õwž`o¹`ä^§ç0Q¢‰½¨—=W#j2OX|27N£‘B¼akÂêVO¬˜R7žPÓ׉	{¶4íë3un†HÇÃâ”Þ–]Š÷qBD*™/¶6E·X4fÀzŒb	ÙÑõi®æ
éò¦øTN-ïÛîØ Md௻UläÂ8°ñB©›ºü
+ý½@p2¦0B©8ÉË1"UÊŽ0‚Öv@fÄÞ•Q,AÒKÚdR8d	¤^–†e	4’¥éeiFÞ†ºöµƒáÇ'ÓÒÄVdÌl:xÊ4O¡3È‘@E‰Œ€•À׌•
+°¾	4‹s
Ž›ÖDpXvÖ&VI’
v&Wxß|rÐ
+Nïíñò©‰u–?{(Cð’O–97­,ÞKˆý,7Ù±Ÿò(HØÅ_"nàhŒ€@qßSÐ4ëÐI +w·Å¡ô€'tW Œ…ʪ1p-ËÛÜ_8Ú@·–š>0” ½Ìæç}¹c3=…:*ÐÄŒà2…ÔG3Òô4Ä˦lëo:êøT7‡ÉØ¢n4ˆ
Í)èçû²ECB¬Î8y*
@fqJCÑRÙíô|´!)hˆµêÍÛ­µÍ~·(Žúáã°©W¼”4åS¥Éر‡
4øÒaÆ
+D#Çvï=èD†ªXÒ$£X0™G—5/Õ¸†
+ƒò"C<ИÊsâ'ÃÁÇ2Ô¥¡lÂ覑fÙýbº‚ ©‰‰æáÅ“jjj¬€Ðã•ò83IÂ#¾
±“xÎЉ`‡»ªýä¼]¤R=wq|Ê¥àà7U×J“¸°sKà°‹Ô3Æ] à.!ø)$.=¦^\ž½{w5͋༢€zÈ=d&ìK2#çÖÚp^õ+FÃ%)é݉ä?î첞Ë„
+®1ÍMz”ªdw@‚¥;qäÒEÉP#¨-„ë‚3ŸG2Î0e{FUÀ¥‰¼ãú¢óLz-F­È-iEž´Â¥vÔ¹³n64`{
+(„¶?êýæ¦änzøa<“ƒ¾hÑÔ wûcƒ`Ý»r¼ÿ¶‚ oI´ý–ת™À"ÒMÉWaÁÙ‚Ý!Žã‰Ž—ù$H¦¦éôüzÅ,lùXñ…úݲùôfò"eœ.âÚ)ƒqAk›zÃ&£{í—Û7ƒ±Xõ­¿.À?ãyËœ€‘B‹,ÑÃý҈ŦDlót€Ï±rÊ$SV´’Š‰­”ÏQt9áb½_B®Bä7`ŽpKÄI`"©À£bLÀ‘[ÏIqßTË/É1‡(Ïôr"Ò</Û‹Œ*t™¨Ùsò#“J“éQ
ÝU÷åÚ+#íÄóƙɱŽàÂIÍ!,'À¹,‘òeŽ?\öY!CIfë=é,“;GÕr/åëP¡9Ö©JÆqO	üћΤ‚­T®a¸IÖ¾¥.¾®A‡GÖ™Êck³<0+‰ó,K‡“¨ÉLÇS-˜Jâ1{FÇ«qn=ówæ9îÌÜ™#wÓPNæà­Ê|*hžó<‰´ò«p	”tàAÚ¢b%û4…±çåk:°µ;Ö£|2€qéSŸÌV4&v”­àò‹U¹ø„Ít^݉²Uh4ÛâF]ØO8ê"§Ö08€ãÄNÕâ¾Z:€Ó‰‹Dµ¯4w»b³!DÔ‰KwÀ¡ºŒ‡(.9€/I·« »¼÷+n8v gó
oÂÐÀs^qý"¤†F¹]•–!ñ"Š»
Wì6”ÞŸœ#ãu¨–Ògh ŒÌÐUAÚRÜÕ«c¡kÊÁB³4ùò5eÊšñ5ÁX,q{ÐåeÑì<Š65ùìï/	†ôÁçoÞàíe”Bª¶D8¶Âå[8&°_Eª
+çsÔÂäc‡Ùê1.¿þrMç‘y
ë:¹:&¸[j¥I¢“gë¡ÌëO¬ù|é²é¯!lH¹4¦EŠÒç]Âúr¨=úvhß0­ÝßâP´ãEéÜúèkòw¼"WFa|¹Øïªî§Yã^& kéh1¾ƒ«•¾o[ÖKÞ›
+°v~_ìªfÏÄm…$6Y‚V;mäüf:ñËA#ƒ5 ÁÙF2{Ñl6¥MaDÅ3 Ðí
+Â)Bçº,Zî—©¶†š|W8*É䛊¨99xèvl0ДS¤îNx÷È‚-œ
+¼d8ÒÂÀóÀF Ëã@w•-GäPZâ½?Pç
/Õ5
Ú«ã âS‰!°Ã m÷»mCƦ4‡ò²£ezämÀo–"òÕý¶‹[¬p’[ÓàRð„ÑòËè#Õ° ‡KîN!
©k@DÕskæuyà!žm! škúQì»fdÁzCoxn±Ý®«#×O”!úÉŸcÕsÝKŸFFèŒoRÁ¼è8âné[ÖˆcŠ;‰;_ßIöò÷€¹ÊÔWiš¥_ʧÌË-?ƒ˜¡
£åãîQëQB"}|J‚ÓB>•ec{
+á™{8â=,G!ï0þ/Ú“xbUv¹R—{ž~Y–ëb¼(BZ\ŽöEkô˜Ç ªÚàQ‹šG;ü…ï‡WÆ’ÃÝo9Èñè8õ–ìtC/úmq[z0:KUOð ÕÝãÍ/\w}OÿèÐÔuAàù?T3^Tõ±ÐÔê+j}ÑçÅ«>YÖýNbAà?vD_	øŸÿ?èøÏSXI²V…ÿõGe66a¦Ü™xĹÿG¢Ç¬ÿAUÊ.endstream
 endobj
-1388 0 obj <<
+1387 0 obj <<
 /Type /Page
-/Contents 1389 0 R
-/Resources 1387 0 R
+/Contents 1388 0 R
+/Resources 1386 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1391 0 R
+/Parent 1359 0 R
+>> endobj
+1389 0 obj <<
+/D [1387 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+374 0 obj <<
+/D [1387 0 R /XYZ 56.6929 529.2786 null]
 >> endobj
 1390 0 obj <<
-/D [1388 0 R /XYZ 85.0394 794.5015 null]
+/D [1387 0 R /XYZ 56.6929 499.7745 null]
+>> endobj
+1386 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1393 0 obj <<
+/Length 2466      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛÈíÝ¿Bo¥f¢Í~“ì=å;õMÏNÝtÚ»{ ¥•Å9ŠTDʧÓÿ^`±¤I™RÒÚϘ ˆ°X|®Ä„ߘ$†q•êIœjf¸0“ÅæŒOîàÛÇ3hf-ѬOõãüìí…Š')K­´“ùªÇ+aÞ¼ûùçw7Óßç?Ï»½ô÷+¸Â|9ûõw>Y¶:ãL¥‰™<Àg"Måds¦bF+ÕbŠ³Ïgëö¾ú¥cö3*a&‘ñˆµ3 I™URyf÷U¾œÝëÙ~¹m«]SOg–óè_ÿþ7fB°ÔÙ'·GÈß^Û'‰°X	ÆcN‡uU5îÏ`¿´;"žF)µ<ÊËf7IT-÷·$\³vq+B+&¬1 ïk7û²w»GÔÔªŠeRn§aIµmòª2*R¥Þo‘!3ÂyfQ­èYïkú¶ËÊeµ!¬·Å„“èvßxÛͤRL¥‡6lÖyì“ÜD-®¬ÂÇÛº*\ãèó­[d°Múä­äöu^Þ­äÉêlhÂá ˜ʶ›h“=Ò·²jshêý
+¥üƹ\ä®lŠ@X»Åžä3ûí2kT·»Ïž9’”X(:­NG5¢OßPR¦L'
+ý¯†j7g°VW!$KS£Ç{H̉bV«ô8/ZÇWÛCVO½šŽÓRš¾Eºäæ‹m,ð¸µ`‰²Tþ{ÎXhMÐÇ8Lê⮡™ÑþËèüÐ0ÀRÐL§1‹¹?ŠÉ—	´:_ö4=ØïôÉñör#'*ØϤ·¥–ï¬ÇØïÈÊ~0È-'FX jsdU-u”-—;W×ø¢¨aÝÄÜŠ_±þⳫ6vfJCIÓ^¹~”GT¦’GmÝ(dc&•ÖíŒô€|XMÇÒä_n«fMÐ/>%Ԃаp8.è7‡…jþèd¢[Ý Y,ã	´¨äËGÒ6@¼õ¡>ÛB¡òu	¾U¥¯WH^Æ낈CÐe(«Žè@œ‹$Ìp“AÖ»‘¦;ƒ8ÁF„GmóïûrxÞç…£æÐÝž)ºŠµ&ý0xYda›Ô¦“ÙS«ÿ⸗S¬^…Wl¡H‚ï}ÿNÛÇrˆN0œÎ!fÅ­~Í$¢ S‹Xª×Ï"}Î'ÒˆJS&T˜b?W¾I4¨„GàLˆÁéh Œv„YV.ÐûöšaÚÀó×4~PPqJÑé±ÔÏ’„6{áK—+ð£nd
+¬«†üøÏ5!L…Hÿ”_æ8ÿÿ!³€ê¿Ù©_¡†ˆ´)S"þF„(ðªX'¯ Óuί=Æ'ÂC½Á‰É‡‡s”³¢®F*(ôF©vNj`´©W˜á¯ž§Ë(ŒXJwã[(„‡Î ‰	Dšß¨Íà'\µ·ÇC£wº/ó—׌¾&,‰9Ý‹KÅA3C†iØ&aÃyôϪÓç|*„ˆüÁˆ9~c$1øÉ—é–HY­³š€[¬³2¯7á{+|n‹Ì§3±¥€¤­²E>.›¬q„úê5ñDþ•’,-	(òMÞ„¯UBÙÉ7Õ¾„8QûU¶$)Í:kÆÒfO¦¹Ie?
”ózýX7nƒ½øñ¼Å®ª¢¨èÖ§›+7ì¯Â€ï©àùµ³{'ùè\&,ÇCøÆÜÚ§:î•)ˆÙͳq:_™êoï¨F¤ûè”É؈ÿà°/}”	6€,£»¢º…©Ð£Š¼nò'	_/?b¨‹þʪ®Ûõ-Ié/µSÀIn$ÃÉÓZZ^0oy‚Ú•àêz~yñ‚7 !»suhÂ!)ÈôàÒðaíJwï¿õ—“
+rø*¨·&ì¢Ú>D>)Z‡åãÓŠŸÐ]Ýò
Öù$D‘ïr$ð©Çåi¯ð‚vsK¢h×äý)Hºú<ÖŠ“ê‹Ê?—à˜PŽLš•1ÑÚÛz=àéÊzß™ñdm€`ç~@ØïÝ„AÔ%|{È‹‚ /û|ñ-/Ñ´Àù.¬ñ&€'l1+p^ò/´}6Û×>ýÝ%¦8Áiè&Rw7:Ü·à¯Yá9ñ£8„\¶XÜ&JîkÕ–¬a|…z‘˜¶ò÷šDÐõ©F·âõ­u.hÝúç`QÜÕHfMíÑn9Ž`Ütþº5Á+	ÄÀÉ»U¶/ZÒ!ÂÌÇÓèrE`ÙÈP˜`ô²ßkˆ¦Û@K1œéê>¿wA7]®ÚßL¨¿PØ[‘>ªžË’Òew@5–Ÿ
Äýb›É䋈©À«vù’&VÈø†d<»N1A̤àñð†L‡—à9 >Žÿ¢Œ‡Zâ/`‰Œþ¾Fs(ÍGͤ&ß¾¼ÌãÖ·`þÌ"´
+‹tPšª/ÝëHÕÐ‘¨%yCW”€©Ïëšäu2ºNiŽ8±Ok¢å@¨ÏU38Íiù}®(™ŠåÀ‘wÈMÑ0À­+Ûª˜®jü•øæÓ e³@ŒÇ©Ó„ZÄuñ†/yý´?oH]Ìpèefp›mZ‹8ýZ†F£-§þçضÿÑ({ºôÄU@/Ž^v*ÃðGΑòÏ»yçÅ¿¥ö//¡¡OŽÜæ*nY"!Ÿ¥|C+5ï~t}®ú’zx‚endstream
+endobj
+1392 0 obj <<
+/Type /Page
+/Contents 1393 0 R
+/Resources 1391 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1395 0 R
+>> endobj
+1394 0 obj <<
+/D [1392 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 378 0 obj <<
-/D [1388 0 R /XYZ 85.0394 317.2404 null]
+/D [1392 0 R /XYZ 85.0394 245.9796 null]
 >> endobj
 1112 0 obj <<
-/D [1388 0 R /XYZ 85.0394 294.9454 null]
+/D [1392 0 R /XYZ 85.0394 222.9232 null]
 >> endobj
-1387 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F62 1100 0 R /F63 1103 0 R >>
+1391 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F62 1100 0 R /F63 1103 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1394 0 obj <<
-/Length 3374      
-/Filter /FlateDecode
->>
-stream
-xÚÅËrã6òî¯ð-rÕ‹'ÇÉŒgÖ©ÍdvâÔVm’%Qk$R);Î×o7ºÁ—(ÙS»U[: 4F£ßº–ðS×.QªÓë8µÂIå®—»+yýs¯ãÌÒ¼õýýÕß>˜ø:i¤£ëûuo­DÈ$Q×÷«_g‘ÐâV³w?}úp÷ñ—/oob;»¿ûéÓÍ\;9ûp÷[‚>~yûão¿ÜÌUâÔìÝßß~¾¿ýBS¯ñýݧ÷4’RsfÑ/·n¿Ü~zw{óûýW·÷íYúçUÒàAþ¸úõwy½‚cÿp%…Iwý)TšêëÝ•uF8kLÙ^ý|õÏvÁÞ¬ÿtŠÖ%Âi'‘Ä2žæ²±R€'"#“–ËZMq9`!—wÙŸóæ•õ:?ܨd6oŠ]>¯ŽÍøü
->W*U×ýMNHi±&h1=ZT¤€‹Ò
‰ùéØ,ªc¹‚«ˆÔ쯪Ì	
-ÖÔ=Ü$³cYåõ·7jV•pÂÞde€
-þd—•Ïå±Éyø©Øn	Z„­òî˜ãáQhAf%H¯R"uN{ˬÉW TFÉÙý&'©Yåëì¸m¨ã÷„ViI@·%t~“Nj7ÕñPC_—ƒK)vÇu³í1®¬Þ6{î­j¥íHk™¥%JbÒËÕC:/PiRžŠÕöŒ<alz™Žé”4v#‡”tÂdd&#e_˜pb—}õ‚„pYQ»÷¤W¾Éëš>,Jš%©¢oQª<¿Aéá,„9Åü`ÑŠDl”Š,òjáŠÎÉ–êdëÿ'Z&‰ŒÕ²Õú \9Tç‡"ÛÎÿ8æ‡çù˜u"Uùy™Æ™Ø S&©QfHÀÏÛì9f4ÒòH&É´††÷@bµ*–ÙvûLsžZšÜeuãÍ÷¾×³¦¢ö7)µ·€€Jã‹5
°A¤½—ÇÝ×ñrå(‚J†rµ!š“t¶Óøà%Ìêhv›-74^ˆðX{¹(£†®ž‡v [H_Š²¦±fÓõ¶Ý‘Ny3'û¯VæÍSuøJEV®žŠU³ñÂÄ”»ïoR=CÖ(;Û»7TŽ7‚±–
-€=ж+.œbõ@­B8ioÉz´¦+Z·{Ú ÛK^9TxÎ 
-™êÔyÙkuš°¾6©Øàht)ž\©ý¾0=’~	—¢Äž•ú‘¸Æ±Ð‘ãª}ST%žZ©™w†°QQ69úH¸	žñ:ï
ZN(qA®#Û]*\Þ¼:_VåÊóÀzx¡„pI$Îé¤YÓò¬Qq`$ðö²Qéc7*-Öˆ½x¶±EQ‰ˆ^Øq&6XmDdÁ¢v¿ÃëÑiN̼cÎHFä„D
—ghmY¡­µÁ 
뼡ýèúa¤»~m¯&üõÃ\îòx ‘÷wï—aSDß°S±'vȯgLÒ‰‘1`I¶Ûê)_ÑÚAl½×„l`Ý€B“‹Fì†&ÈóðP<æ%ÍaèŠá~옛8ŸR³ªh? ²j
ŠßvÃû…Sã<œzÂ$
("­gœØoÈ(ÊŠC‰ÎÖœÞ,$/B¦Î|ÃÕ*	`ÿjÙüÜ•àg2²{ ùÍØÜÙ`î܉¹³hîÀÖùkÔ6…Ô%in‚‰î¸ÐéL!tØ6àp¢ïÛð¢±{¬‰žáF©°äÛl`lãdÄ3æÄ& 2Ž.›“>ÖysÒbyîô£ßuuØe§±¯†¤'…Ôï"-ÖÃHEŠ(¶ÑŒû`A¥®ðbw‰ÏÓ]!Ä—â?zªXAô'ᵨt°úÍ”ï2±HR¼Ð1ž`Ó+s.ÙTÔ˜)½€øÒgÉ	FùÌëM*…WÓ*ì…Yt_Šï§Å.{Ùtæ.Çr§„‹’ëvk±Bh$Ì°%]Hh!Xòµ«Ü§¤%£“rzl¦‡6âîrU‹‰s…—’ôî„Y#u74rgï‚bÕZ†"Dã…ˆzÿégÙAÞ”=ð¨p”Í $',óþè’ŒäŠ>	¬§¹ÕÔ™4èÐo_)©°Ê{²Ï–_™ö¬¦}6ç™b"
NÖê¡ÀœÒ®U<¢½¦ÁŒÛ}U×Åb˨UÉ@âø£ªôy@õq¿¯²/ˆ$HS#ŸþL	&í´ÍpÇ[Ÿc ÿD“œx²ØÝhËyŽûK!‘Ôã´®æñ'#û¬^ÉÞœ©p4X•Oß&:dL«ºI!±s6鳘ïŸfÒ)¥˜b?dˆ2iE«ÕKºkj³mW/M«~ù‡-‹QRÿX,©QWkú×s C«ê©¦¥ÊˆøÙ¹=n\§‡ëŒ£Ô¾|zýÒéc!±4Ù3¹c?)\œ~³Mµ©R-uÏ+,8¾¨àЇbµÊKîs›Q³çå;ƒ
-ŸfuÈ2ϯB4Ø;ãdÚ!ÓfQ
-µéćM¾óÉà™àÃÄßéË¡G‡s>ð`œ>[ëyQžÄ¼^ä…}[œ“±†‚ÃÀI{;{¡Cmnóì´‘´¦ÔÛ¢9èpE ~E»ääCŒÙ¯üz„ABvGAZ‹)€Ñ]úi´ˆL|&ù42äèªbÕPcƒ€+9!aí siö]I:œg^Î&ô‚i¢‘b„‡J Ei/z&Šë}î“'{l9¶Ç`Ï#iÂC^.yÐ_~ÈF@¼
-o’Ó;ÏŠ†S¹ÔA Gdƒæ+Š¬MEwܼS*l«l5TÔÞÔÒgO˜4‡›8t&ܴĘȌ`‚`‹µä4`î7b.Ò¶¦Ý¦·€Ü5~”ïÿÏ[•@"âxÙFö±ÎÛÈë$kÀ|yúö§-äñD´X/P¡tŠ"ñ**ÆÂL‹“/¶ÿÔ'Û
-Žéb£fÙjÕ½6{4~Qd›‰-›\À¦çB°(Ÿ-A÷ï>Z\æK,Añ“ >N(Œ‘ö·©PhZç
U–Òpž–a¸ÚÔš—r2Õ«h
Œ¬1sq*ÄŒÉ'ƒoûÕèóa›ƒÞLÕå©Úî"®¿ñó+ôyíxöËûÏ4‚ù÷›aaÎWÓøQAx×

öJÞQ·'|ja½Õ3X¬bIóÇý
-4³t£áPkBÁ—ˆ‰—Á:§âWõt›Í×Ôó¦½ñÁ†¢f‚áòrŽÛ­'Æ‚30ˆ‚$^ë#3K“Áó{lÊ¥Öü„æåFùÒÀø´xXgKþæ7­ír[Õó©ÓAˆ\€*ÄC˜·ÃÁÕ‡‰Ü¿&:/ªÞœ΀$DÚÚÙ~Ÿgõ×Ð&¬=ò(0k7YøÜ©(¸aÿ>Õý§e¢ø+õ¸ü‹; L±6"U`®"KL6¦÷°¿È©"ÏÀß¡òùwÁˆÿ`fíG¾¬àò—ø(f––™æç‚é hêK¯ŒFBÒ¬ÝTÉæ’ÙÓ²´IŸ`ƒ,ü3‚ãbH¬!°‹FF‰£	~£€{ Œ}žÏ¨ðcA%G@8B˜ájÌÇŒà3!A„²=ò#g“BnC+G”:²cïdb›Œ¢²§¢Ù奚”Eìd`³?ñéÎàä"·ÿ8LU˜!´Ž\ Îógr§!Ž]€Ãú:ÌðÚlLŠÞÃñ…÷é«ÍÛ\œû/¥qÿ9á¦e›”ý×ÿ³ìþ„
-œƒ@ùLeKÇ:%°åÿ‚ªOã‰õ/=Aú·øÆendstream
-endobj
-1393 0 obj <<
-/Type /Page
-/Contents 1394 0 R
-/Resources 1392 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1391 0 R
->> endobj
-1395 0 obj <<
-/D [1393 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1392 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
 1398 0 obj <<
-/Length 2490      
+/Length 3560      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZKoÛH¾ûWè¶0ìéw7‘“'±³d¯£3s %Ê&"‰ŠHÙã]ìߪ~P¤DÉ	’Á> ,v«««¿zµÌFþ±‘U„ŠLŽL&‰¢L¦Ë3:º‡¹·g,ð¤‘)írý49ûñR˜QF2Íõh2ïȲ„ZËF“Ù¯Éë¿žßL.nÇ)W4Ñdœ*M“Ÿ®®ßø‘Ì?^¿¿¾¼zûñö|ld2¹zí‡o/./n/®__ŒSfƒïypäƒË«wžz{{þË/ç·ãß'?Ÿ]LÚ½t÷˨À|>ûõw:šÁ¶>£DdVžà…–e|´<“J%…ˆ#‹³gkvfݧCö“Ü-´fDPždYaíð²CmÀòGeùï(È
-dü¢/*eÎPêQª3N¶=^.FŒ‘L)Žç˘"šK32JÁ¡kÀ×hbÇš¥%sœ”(Á%ˆGŽ÷ãT³dÿóäbÿ@P¨àÊŽ¬dǵGŸGŒP™eÂ3uh·ÙÜÀWK>zSÁ–FÝ]EÁiG²Û•æÐ2´Ö炘ÌX§ò‡j‘ot*)ëq*t–€eód¾šy¢<‹²Øø‘YUþUÕx¢Þ®×LKšÄ‘¢iÊÕ½iŠ0Zm7Ó@ç³Ù¦¨ƒ¤ùXÐ$€áðØÛ5'¯oíÆÂÇÓ1§É'ü¯hê1(Eö--3ƒ(£î1r„‘¸QºCÿ·á:åÁIôÅy6(¡x°ZƒZpÖâ•
„£–-ÖlòU=‡ãb6I½ÉÓG}JøÄhÖ]á@–k@Ñ…˜aÄH±§É#U/•×Á—ºÛPš0ž±àKúwü/~£
Õóƒ—^ü1-Ö§ÿQ­ÂšQ`Tp’ÃܺØ̫Ͳ˜ù×míP‹äÕÍ£>˜?0šW¡ìÔÙ¡Í:\'/ráFòE“1@ÿô`û€“zD¦=úgÇ!v@ðé)r¾×4*6«¼A·5zw8n•C-SÃ{9÷OïñÀîÎGeÝ ‘×jœŸiˆM_@ñ“y^.ê 4„¯Ã%$O–1doë"Ek» “ÂA›	Õ>_¨Ä£¢Ü2ÀBà|bR%\1ù]’¤DK‘}E¨‹_K’Š¢õR’TÆÊÙ÷M’ðx¶aB–ìŠ>‘&Öz7¸BDSš÷îêȲ¤³dë'¢šH;c!1+ÖÅ*n×ÕÊ;`»TPÛƒê>ÖXä«ø¬Ñ~Oanì.Õ{C3º§K@@üF)ßÔÙs(=üËç­?ÔŒy¼¤è:Å·ùÙ¸¤@h«Ùé¬ÔrÈJCe……œéQw‘ÃĘTé%&‹%™}]Î
-h71áë.1á[71qÃ\br\Ý@ÄÄ„ôpb¢–0@çñÄÌ°§½•D2ÉûÉÉ)>œœ Tj:ÉÉû…„ l¹‘}w>Q&ì«í˜‹™/%§X¶HaTž®mº\'P¹cÐéú^ãÑŸR¦åЦ¤ð&­î«ó±FØ%lÖƒŽï e³¤j?]…	l£™rÉgËâ©"ÛbÆëu1-19ÀYìŒÊ lVÌóí¢	_Aü:DH
-^c(Ð=$¬ªCgÐù³ˆ¥
-ö·*Þ2ÔÇ^‘Qèy¦‚ ç¢ZË(ü#ÏoTѹ³ŒêÞXÿ˜VËuÞ”wå¢lž•!ԣĨ1N‚°Ëu„-—·WSΟÁN‚·h®N/ßr½°>SÉ%Ô§§ØolJÇfhV$—åÊõÜT&OåÔ•Ð’WÓ|áG{u8LasípW×X=0z`­ÖMY­òæn|ÿøæÆ|˜ŸÊE|W„ìŒHPÊö‹
-wMà.>ëÂ_˜äúýäêòï~t	zä÷E
n¢µ€¶Ðß8Ø®žs[7aj½vwH—+/3\$À2‹ü1’Åæ]ÔÈä/C½¥Ð4—m
ºÌ!Üo†p,,ÞÄxíºÇ€![KµçvÓE¾EBº@€O§¦X§êjHÍt¬¤‹ê)õPÐEe€}ʯånY4,W7©–Ū	¯x)â(4Ó€3K(Ÿ3
ñ0„ÙöVq¹Ch .(Ù¦y¨æÀXK‹~5wª±
-NlSÎfE(è°bŒµ¬CvM¼	Ѷ3ƒ1G”~µ‹¢X>ûg¹š.¶³]á8”Ö
ÄH%õ—›ƒf4žHÇô(ÿ©„@¾òÚ™G*ÖGQDÙÞb\j²¨š¿Û?MhQtÛs:cÊÑÜD¥ï `|
-9`¢~¼ ™V+ÌK÷ÛMŽáÁâÈ¢8ÚÄ
-&0›ÿÒ›^.4{µåPË3,°¬ü®M,t2x× þ„&¶+úDË5Þ§Pöÿ×Û=èÿé»^H“ú¥j¦å:[CídN!nue4‘k@…^©§!fZfû:¼+?ƒzÄ´ùãÅð
-¦å‚õos]Zq7¶ë5`rW©ºgHžŽŽFlnVMŸïrƒ¨]ÅõÈ@¤fš®ð&+j¢Jø³ÓêXF)õUÊ»ªÉSï ‘¬#ª¹!‚ÑÝÕË£L·³uŠ5ÖPía †Ö6k·?ÐB¸·±8É«rö’LÀ²„ôKe:-õWi	!6;ÒÍb³rOßÓÒ-Ô<IϵJîx…vE<°UGJ%ÕÜÀ¹ÊPphE²Œî·ÉÚ8·<'C^G6yã)_ù"Ÿ«U`Ä׸H¹
-ž."Ën*‚z×ÀÑYc?oèTÅ‚ŠäCqÐŽH cP0Á‰ö™ÖÏmîC¸íþÙÓÿ¡Hu¢˜†Äš°D…a¹éêsLZ¦ÓZÄpÆ8%š^wUôù‡êi¯FÉór‘ß-â/7Á¶û¿è´Ó
ËhrÛÑâ|¹^!º`Ѷ·Â¼Â²¼ýh¿(r˜•¬É*Q:}(Õ+þé›|u_xRp£­'µ‚PóÊÓÿz5”œ§+VB8¢¯–P8–èpø%†þZ@(‚?ñœ(m˦oþK‚ÝŸYHÖòal
-‘–g&*å°8ŠÆCÕÿ
	lyendstream
+xÚÝZÝoã6Ï_‘·:ÀšÇOI|Ün³½×íÞ6Å×öA¶•DX[r-9ÙÜ_3œ¡,ɲ“½;à€Â¢È9þæ“V—~êÒ%"ñÚ_¦Þ
+'•»\n.äå=Œ}¡˜f‰æ}ªoo/þòÞ¤—^øD'—·w½¹2!³L]Þ®~%B‹+˜AÎÞýôáýÍ÷¿|z{•ÚÙíÍO®æÚÉÙû›¿]SëûOoüñí§«¹Êœš½ûë۷ןh(á9¾½ùðõxzœ˜ôÓõûëO×Þ]_ý~ûÃÅõm·—þ~•4¸‘?.~ý]^®`Û?\Ha|æ.ŸàE
+å½¾Ü\Xg„³ÆÄžõÅÏï&ì†O§äg]&œ¶ÉåÜX‘ÁúÓRV"U
+ˆRçEb´é¤¬Õ””#Jy“™·»¼jîŠÝ•Êfó¶Üó²o_9)\vÙ_ሦ™`ÃôØPÎ	—(3äã¦ZÔûju57™ý«®
+jEÖ|5³ÝU6ÛWUYÝÓðº®îo"}È«Ø*jmò꙾ܔվ-¸û©\¯©µˆë»M9ÇMûxU)ìG	ïœüUy[¬KFÉÙíCA`Ywù~ÝÒ®‰O¥%5º%ñå7餦æC½ß5ð®ÆÓÁY”›ý†^óõ¾ά3^6îÍj¥­HsñË IU*T08¤Õ$EªI$•«õ$’l*2%ÝyN:ª	V†hÒ"õ*òr@“êФ†hRˆŽÏ„$hW5=·÷ú><Š†)ËŠ' d©YʡЯԌÁï.ÅàR#p)°Zÿ§àJNaK°õƒV’ZÀ…qç¡Õ§:
­Žê´‘ª÷í±•J„R^g¥£šàe€­KÌü´o\:Q.lõÀ…¯}S…ïk	[«@¬µJþ„0ZÝñÂ
+[‹¸TP«ôPêÏe­À?­­zR=ª3ŠT§­Õ$¤Œ0Ö¿ÀJG5ÁËÐ\eÂ9bæ)##¤Œ”{%ÕÁ^A;Ø+xNØ+ø0Ø+±Eß{%	[Wˆ!a{%	^á+	,)X±!À`’?‡Ír™©³Ùy€õ©N¬£B	5Å®Ì×ó?öÅîy¾aË <Ï3À4ë@eá
DT~^ç(1£‘—G2L¦3'нëU¹Ì×ëgÜÒà&oÚ`¬ »÷½žµ5=“R+¨7¡³¼£6‹´6ÈÚÕ~³Ày® 4÷À>Ï™Ÿ-Á@Þ„YÌ®óåõ7ûØŠÌBsß\A+§=wm@·¿åŽúÚlÖÝŠ´Ë«9äßðlUÑ>Õ»Ïô²È«ÕS¹j˜à€œß^y=CÑ€Ã_—›„h€‚¾Žh.0@ˆ3-ìbõšZÅth|oÊf4g€ÍÎË==” ÛKž%TÉ 	™ziŠªÑjŸ±¾5©Ø`k¤ì]©Ãº0š”õÀêF[Î;°?‚Œaöø@Ó¹rËÄ&¦*¤ìYᅣκzÊù40Ñ$cZÕ÷`+lÖ1Ÿ?ø)¥˜¿ñBf´:½Ä »¡g¾nðè¥éI5 üðÉ0êBêË%!šúŽ»þqå`hU?54U•€Hž½;Ђkbbb÷pœiâíË»×/í>2•ißäŽý¤p©ÿj›j½RwÏ+,8¾¨aÓ»rµ**~çgN-O0¨ðiÞÄ,cñüÊ Dƒ½3NúCò8m¥PI—~A|Ø›ž>À¶ˆÔ¿PÓí="Q_²ÍÔdžgynéŽèxíAÀ¡ ©0°Ýþâz¨Ó]/]<­)AÇgÙÝ#èîAït¸yj©l,˜rpa…ƒ´¬‚ä£I¨Ñ"1é‰ÔȘ©‡fT«†ˆÌŒ0Wrqî¨	sÉöMEš\ämÚ!‹4ÉH=â!Ž&Ð%߆ž‰ãf[„
+šû->9ÂÇÏ#éÃ}Q-¹3~ȦšxÁ0epA-'tÞáËH€lÖB]‘uª(v¦6~KÎq½Œ@_tfÐŒÐÃ&ÁZûfÏÂÒdðÂÜâRk¾Bór¥B™	Úx͸»Ë—üÍoZÛåºnæSçA"J&¨‘Û¼v¬>áfÑi¼]
æh,!ÑfçÌ·Û"ßQoøë†6qî‘G˜û›É*‰J„SItÃá®êð—‰B\*¬ÔãR0®€˜bl„W`®'îTŒé]ò/
+ªNàU Èw¨|áŽ0ῘY÷Q(q@¸üe‰Å>Š™¥e¡…±hºãŸ	ÚæÜ£‘:k7U¾9gö´ì"mÒ'X ÿ’ฒjì=D>G|_çÀÿüsCŒï<žÓktÀ%•`Gq$þwÑuŽ›ÏDÊzÏ÷ÐO‚܆þZ‰(!ubÇÞ3bb›¢²§²}(«sõ)›ŠÔÉ(æ°ãã•ÁÉ%:íþ°›ª6Ch¸È\Ïä<2õ1Ž]€Ãú<ÌðºlLBï~¿Ëã]ˆ•çu!NýÜ8ÿÛžpÓ²KÊþ뿇þ;’ƒ@ùÄšN!uÊ`f*üs^Ç9Ë`z‚õ7¨"aendstream
 endobj
 1397 0 obj <<
 /Type /Page
 /Contents 1398 0 R
 /Resources 1396 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1391 0 R
-/Annots [ 1401 0 R ]
+/Parent 1395 0 R
 >> endobj
+1399 0 obj <<
+/D [1397 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1396 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1402 0 obj <<
+/Length 2499      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝoÛHÏ_á·“Õì|Ï}ʶI/‹nšK݇Ãî>(¶œµ-×’“Íî?r>dÉ–íâp‡5Cq8$‡üq6¢ð¬"Tdrd2Iej4]žÑÑ=̽=c'Li—ë§ÉÙ—ÂŒ2’i®G“yG–%ÔZ6šÌ~M^ÿýüfrq;N¹¢‰&ãTišütuýÆdþñúýõåÕÛ·çc#“ÉÕûk?|{qyq{qýúbœ2«|σ„#\^½»ðÔÛÛó_~9¿ÿ>ùùìbÒ_FnäóÙ¯¿ÓÑ¶ýó%"³jô/”°,ã£å™T‚()DYœ}8ûG+°3ë>²Ÿä–h¡Í(°-¿dUaíðª|¡‰6`ø£²üwd2~Ñ•2
+.”z”jˈÒ2k½Ëň1’)ÅѽŒ)¢¹4##ÁˆÔpçßk´°cÍðcæ8)Q‚KïÇ©fÉþçÉž?P¨àÊŽ¥ÄÁpñÑç#Tf™ð\Úívg7ðãÕ’ÞT°§Qw[QrÚíö¥y'j™‚-Z
+0N¬°™SúCµÈ7u*)ë1¸-K8Q„y2_Íj¹ÐbÍ&_Õsp³IêMž>ꃰԚ
Òº+¨Ñr
("º!f1Rìi2AÇcªªóe ò:œ¦î6àÆ3NÓ€þ¿ÑŒGÕóƒ—^ü1-Ö§ÿ¬VaÍ(°*8Éan]læÕfYÌüë¶vQ‹äÕÍ£>0ï0W/ùmÖá:á¼È…ÉMzÄ}ïÁö!>Nê™ôèû³dŸž"ç+8šÆ BÅf•7xlÞ9ÇM¢r¨¥;Ôð^ÎýÓŸx`w>À‘EY7hdǵˆÎàœic¿* ê´ˆŸÌórQ¥!}.!9œd“ö¶.R´¶K:)8‚ØL¨~òùB- å–!Ì „O,D˜lÔw)“V-Åפºøű2)Þp«_*“J["%gßµL*H‹‚Ú¿¢LvEŸ(“vˆ`Ôoë
+CšÒäëNµõ/³
+Ÿ,T@x*ëOùÐÂ…$œœ„H‚ˆ),x,"GåŸwá¢tö’º¯AýPm³@·½îFå^áîCÕ€åA k$bh÷mˆ+Ól¾^oªu@
°«Å3}îϨ#Ë’jÌ’­Ÿˆj"팅ĬX«0¸]W+Û¥zjßG  _Ågö{
+»pcwy€î
Íèž®ñ¥|S7þeSÌ{<ø—Ï[ïÔŒyS„S¡¾ý ý—1…„„ŸQ*O—¥–ëDY˜Ú@î"‡•)0
¨Ò«L1™}]Î]ÐneÂ×]e·ne↹Ê主G@ÄÊ„ôpe¢–0ˆÎã•)˜aO{+‰d’÷«“S|¸:A®4Ôtª“?²²åFöÏÅ	œ°¯d?ê’æKÕ)â)(ážÆ6¦1˜Ðitƒ~×è÷š´L‡ªôb(ƒP“P˺º|¬Ñù6æ›õ‚	ÇwÁd³N0Õ~º
+Òæ1åÊÎ<–ÅSD¶8Æëu1-1	¹P³Ø•Aج˜çÛE¾‚Ìu)œC1àKÓªp7ƒ®ŸÅ(ª`¨Mì–wVTtxEF&=õÐZ°¾Œ<¿QEçÎ2ª{ÿaýcZ-×ySÞ•‹²yVv4ü0;*…àdüu¹Ž`ËåíÕ”óçc1-¿|zù–ë…õ™‚.!ÚN+°ßÓîP:öA³BrY®\»MeòôPNÈ€n¼šæ?Úƒà0…}µ‹»ºFÜÀlèåµZ7eµÊXµñýã›ÿ
4ïM`~*Að]ê2F‚‚"¶'Ü
/µø¬g`’ë÷“«ËúÑ%è‘ß5­t„þ²ÁvõœÛº	Sëµ»v@º\y™á–Yä‘,6xDLþ6ÔV
+A_ÙÂÏe‰~3ÇÂÅEÌÔ®q©ê´Tº¿õé"ßâ‰BºD€O§¦ˆPõ5¤f:b¨Å¢zJ}(è¢2/ž)¿–»dÑx°\Ý@¦Z«&¼â}ˆ£ÐL‡YrÎt4Ä„!d̶­Š{Ì]drÁ¥ J¶A‡ip˜a´è窻€Ã*ðئœÍŠå+FTçëPBÿnB¶íÌ`ŽÅ ¯vYñß³–«éb;ÛAÆ¡‚n G*©¿Ü4£Ñ#Ó£ü§ùÊk3l|0ˆ!\*Ö¢e{‹~£&‹ªù+±}o2buÛn:cÊÑÜD¥ï a|
+5`²~¼›™V+¬K÷ÛMŽéÁâÈ¢8Ú¿
+<J|Ç[^õoy9Tzˆ@õRûÊ¡ç—œ›ïÚ¾‚õTuó´¯]Ñ'ÚW®±‘‚²üËÛuôÿô-/§ŠXÅ_èÈZ®ƒ¬5Ô‡A!álÓ•}ˆg"×€
+=¤§!eZfû:¼+?ƒWyÄ´åãÅì
+¦å‚õïq]Uqwµë5Ä䨺g¨ŽŽø"v5«¦Ï‹·¸AÔp HÔL388x(p“Ö_„â/rL€±ŒRêAÊ»Ðä©wÐAÖ1ª¹&Lʬmyeº­S„XCÐÄÖ6k·?ÐB¶·›äU9{I&IJ„ÎóKe:-õWi	)6;ÒÆb³rOßÓÒ-@žŒÆšç:%ç^¡&€öèH©¤šûð«xC+’et¿?ÆÔƹÀ³à9òz8²yÈOyà‹|ªÀˆ‡¸H9O—
+‘e7•A½ûàè¬1Ÿ·
+t@± "ùPt#xáÁd
&ÞK»œï'7÷¡bÜvüi÷ƒÃs|(׉bJ?(âý ¡(Dɪew…ƒ„Òr½ HÌi É„õÅ*¿«âÁ¨žöpJþ˜—‹ün¸	ÞÿA§íšfh]F“ËØ’äËõ¢)ÛÞ
+ó
+¡yûÐ>0r+YÿŠ*‰?¤TCÂø—lòÕ}áIÁ¶žÔ
+òÍ+OÿûÕPe8A]±r}u°„Âá°D‡Ã/1ô×ñ¤ð? ïû”Ž"ÿæ?%Øý…4ê'A!ßòÌ´Z¹<,ŽFä€òÿ¸ÃŒendstream
+endobj
 1401 0 obj <<
+/Type /Page
+/Contents 1402 0 R
+/Resources 1400 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1395 0 R
+/Annots [ 1405 0 R ]
+>> endobj
+1405 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [471.1233 128.8813 539.579 140.941]
+/Rect [471.1233 128.088 539.579 140.1476]
 /Subtype /Link
 /A << /S /GoTo /D (query_address) >>
 >> endobj
-1399 0 obj <<
-/D [1397 0 R /XYZ 85.0394 794.5015 null]
+1403 0 obj <<
+/D [1401 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 382 0 obj <<
-/D [1397 0 R /XYZ 85.0394 188.6884 null]
+/D [1401 0 R /XYZ 85.0394 185.9364 null]
+>> endobj
+1404 0 obj <<
+/D [1401 0 R /XYZ 85.0394 162.4216 null]
 >> endobj
 1400 0 obj <<
-/D [1397 0 R /XYZ 85.0394 164.0083 null]
->> endobj
-1396 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F63 1103 0 R /F41 969 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1404 0 obj <<
+1408 0 obj <<
 /Length 3525      
 /Filter /FlateDecode
 >>
@@ -5549,48 +5566,48 @@ n=LxD!
 fÓz¿™Sx™‘ºÀ3Hè_ºðÙ1ÍРϤš ÿxë³2h-šN £î<„S¯âæ(ÄÑ_Á˸¿ÊT¢m_n¿–&ôl}•ýò‘jHå¤~!ì‹©®i òHÔ‹O£qF–Xð™×9¢ÎꤘaäzÖãÑ_Qüç…dÚ€—rh:_Š¢¿<<Ä‹—÷WÂÃÓš‰@0XZ«á‰”‹xw‘ì£j§d>¼árQYUæ”ía#$ož¢¦¾.ÌpR÷î>¼å’ö‚iÁVZÁÙ÷Êp«­c
W¢!õE%
WuWîjð(zŸÆœÇèé‚k{màwZLi†Qr~
 o¢”ίULuÙ¨zªàNªÏt{5[7³1¢VZ_£§‘c`bÊ%Z€â¡ÐWåê$å$aß¼mÖe‡µsmµ=âáb±(·tko¾ðÃus¼ɹ€
ºGGâ9c)ä^e½W„ísâ4gYÏMJ‰D¥2vÚÿ{Mºè¶^Ã|¶ƒ¤²{X¬R«}•v*~F×ýuIÊ,}ÁçÆT—u©§º´ÊS5JÍ¢N•(ç5”à®ôx¡Sºú‹ð_(”Äé4ÊÂS Å‚ÓùæÐ6i[ž—#µK¤èƒÕ\«ãúv>ï Ž‡iÄåóJžJ¤6æúîöT/Hq>U ·3ãÒé|y¥áëÐñ¤xRŠÄj“Ÿä°[.´a0‹Šž…0ý…“£±Îãe§¸‚†ÞéÆŸ5ëeÙvܹ+ê¶X„`4£û¸y/1¾pz	­9û®Ù(,<þ_¼¯Ù4O}ýûü·H3„Áü/D^Ì*áú8‚nvý­`ïB|R dK™êì§B÷ˆmÕ^Æ
ú`ÒüOLu3.æ±i»M]ÕÂF·30Ø3Ø€H,ˬ».DO5"Å8´I2ãÄPŒw¸=Öü´ÙÔ¡¶e2ÒÄ–HH{ qŒmá[Ná‰k£Ñãi"ö]Ef”gZ¾m„ç'pe	åäLÈêD`X6P?¼µ-7|]ÿÅ^ ø3¥—¼@DuåDÕ0›Œ2Æ¡ßèᮉÐSÈ0t6­ÒC!Ævq<¤8`‡áuWÔe³o‰Š¬šÁ•ï¦ù´ß¶ƒNïÃ=È´¸nä@ÁÁƒÆ*§žß¼|,Ö(×þ%à*ïÖæRÅËp1œ¸…GÁ”ËEéûØí”Jr‘ê¨ê˜Êé·å¢ "LN[Ñ>ø(µ—Ž†ùúZ
®ŠjGóª‹WÕ]1¬ò îúŽT¸‘€:AáÛÒÿNFàc·LéýSµnð"¸õ?ù0ỌîåyŠÕµ_‡ÁhjÏJ!—ËY‘šþ"„Xy F^ü#AE$ì™óû²\оTƒÃEñV@–™’2ò‚HtÕßÄ«67¹ôëMeüÉ刡ÁÞø¿ýËÎãÏ^u¶ëä¸ÅJuµƒIX(ŸjêsœâŸ€ž‹þ'Mtï“endstream
 endobj
-1403 0 obj <<
-/Type /Page
-/Contents 1404 0 R
-/Resources 1402 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1391 0 R
-/Annots [ 1407 0 R 1409 0 R ]
->> endobj
 1407 0 obj <<
+/Type /Page
+/Contents 1408 0 R
+/Resources 1406 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1395 0 R
+/Annots [ 1411 0 R 1413 0 R ]
+>> endobj
+1411 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [361.118 570.951 409.8647 583.0107]
 /Subtype /Link
 /A << /S /GoTo /D (configuration_file_elements) >>
 >> endobj
-1409 0 obj <<
+1413 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [347.1258 193.4648 404.2417 205.5244]
 /Subtype /Link
 /A << /S /GoTo /D (journal) >>
 >> endobj
-1405 0 obj <<
-/D [1403 0 R /XYZ 56.6929 794.5015 null]
+1409 0 obj <<
+/D [1407 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 386 0 obj <<
-/D [1403 0 R /XYZ 56.6929 651.2334 null]
+/D [1407 0 R /XYZ 56.6929 651.2334 null]
 >> endobj
-1406 0 obj <<
-/D [1403 0 R /XYZ 56.6929 626.1263 null]
+1410 0 obj <<
+/D [1407 0 R /XYZ 56.6929 626.1263 null]
 >> endobj
 390 0 obj <<
-/D [1403 0 R /XYZ 56.6929 322.0105 null]
+/D [1407 0 R /XYZ 56.6929 322.0105 null]
 >> endobj
-1408 0 obj <<
-/D [1403 0 R /XYZ 56.6929 299.3741 null]
+1412 0 obj <<
+/D [1407 0 R /XYZ 56.6929 299.3741 null]
 >> endobj
-1402 0 obj <<
+1406 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1412 0 obj <<
+1416 0 obj <<
 /Length 3325      
 /Filter /FlateDecode
 >>
@@ -5614,28 +5631,28 @@ HF
 H‹‰ŠRC¿™ü9Á{`šJ"êÁn¯â›—˜|WÁŽ&ýMƳg·«X¾cq5#"†¿˜q{r2 Ô> endobj
-1413 0 obj <<
-/D [1411 0 R /XYZ 85.0394 794.5015 null]
+1417 0 obj <<
+/D [1415 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 394 0 obj <<
-/D [1411 0 R /XYZ 85.0394 439.4679 null]
+/D [1415 0 R /XYZ 85.0394 439.4679 null]
+>> endobj
+1418 0 obj <<
+/D [1415 0 R /XYZ 85.0394 414.5066 null]
 >> endobj
 1414 0 obj <<
-/D [1411 0 R /XYZ 85.0394 414.5066 null]
->> endobj
-1410 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F62 1100 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1417 0 obj <<
+1421 0 obj <<
 /Length 3432      
 /Filter /FlateDecode
 >>
@@ -5651,49 +5668,49 @@ d
 ÍCåÂú>ϱ*+G´C2TÓ­V9+n6I¤!²,•Q‹ã×æÒ9´°t>áðà-¥†ƒZ!1“É“Tfû<óÜÒ·OJ»TÕ†gA¯Õ`Ü}å}ÙÔå… àº,¿t·uç@Ú¥ÒmØáŸ0‰éO—Bb…|^—óŸ6’9Fš6–¯•¡)¦5µLY¬°¸í(Ëj}Ú`ËŠSÂ)UR1JÎ3ºŸj¼Â’ðÏ÷+	=ŸÅñö¾y¬©ü€Äýè®e
 *´ù$:ú½L€Ÿ¦d‡½‚>,aš¦£½cFÜ> endobj
-1421 0 obj <<
+1425 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [213.6732 308.8411 286.8984 320.9007]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1422 0 obj <<
+1426 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [209.702 230.3842 283.4678 242.4439]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-1418 0 obj <<
-/D [1416 0 R /XYZ 56.6929 794.5015 null]
+1422 0 obj <<
+/D [1420 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 398 0 obj <<
-/D [1416 0 R /XYZ 56.6929 769.5949 null]
+/D [1420 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1419 0 obj <<
-/D [1416 0 R /XYZ 56.6929 749.6227 null]
+1423 0 obj <<
+/D [1420 0 R /XYZ 56.6929 749.6227 null]
 >> endobj
 402 0 obj <<
-/D [1416 0 R /XYZ 56.6929 377.478 null]
+/D [1420 0 R /XYZ 56.6929 377.478 null]
 >> endobj
-1420 0 obj <<
-/D [1416 0 R /XYZ 56.6929 355.0589 null]
+1424 0 obj <<
+/D [1420 0 R /XYZ 56.6929 355.0589 null]
 >> endobj
-1415 0 obj <<
+1419 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1100 0 R /F63 1103 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1425 0 obj <<
+1429 0 obj <<
 /Length 2102      
 /Filter /FlateDecode
 >>
@@ -5704,41 +5721,41 @@ diB
 }æòc¿©Húî±ðº•ù]æ*÷OYùwAz;¢œÖ A‰ÓN	90I»âʪßì…j‘© bš+eªžsy…Ô$ª»}ÿÞ*¯Ý}\8¨®£ ËuýŠa¶ðFòp?pŽçW)ˆ†*P€¢Êý%düç3¾ûˆÂ»Äº":ï½$
Þ’
ß0mËIé]XªéO{‚ú
¤Ðè÷ºÊÇ
 z³ªÌÉ^¦áqÇ|"ó2´Í¹Âƒ@ïö¾H¿âðR(7´ÆGy2D£ûÃÑqªÿ߇'¢endstream
 endobj
-1424 0 obj <<
+1428 0 obj <<
 /Type /Page
-/Contents 1425 0 R
-/Resources 1423 0 R
+/Contents 1429 0 R
+/Resources 1427 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
-/Annots [ 1427 0 R ]
+/Parent 1434 0 R
+/Annots [ 1431 0 R ]
 >> endobj
-1427 0 obj <<
+1431 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.6787 237.4931 427.332 249.5528]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1426 0 obj <<
-/D [1424 0 R /XYZ 85.0394 794.5015 null]
+1430 0 obj <<
+/D [1428 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 406 0 obj <<
-/D [1424 0 R /XYZ 85.0394 308.0833 null]
+/D [1428 0 R /XYZ 85.0394 308.0833 null]
 >> endobj
 1053 0 obj <<
-/D [1424 0 R /XYZ 85.0394 280.4919 null]
+/D [1428 0 R /XYZ 85.0394 280.4919 null]
 >> endobj
-1428 0 obj <<
-/D [1424 0 R /XYZ 85.0394 154.8032 null]
+1432 0 obj <<
+/D [1428 0 R /XYZ 85.0394 154.8032 null]
 >> endobj
-1429 0 obj <<
-/D [1424 0 R /XYZ 85.0394 142.848 null]
+1433 0 obj <<
+/D [1428 0 R /XYZ 85.0394 142.848 null]
 >> endobj
-1423 0 obj <<
+1427 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1433 0 obj <<
+1437 0 obj <<
 /Length 2594      
 /Filter /FlateDecode
 >>
@@ -5755,28 +5772,28 @@ c
 OÞìð¶H£·o¨'ÞÆããÐ%üùæ’úGO){‰<‰ ¤¨R¯v¤G³!m.BÓœõ3á0Ê8û²Ÿ
©ÎûYOý¬¬²m]·Í‰Å\¼çEÖ=ÕïƒÐk¨Š˜§ÈáPŠÎ³ü>Îé*±%–úäT
M¥G7èE3Ï;•¿Û•ûG{˜MnêéöT¡i’óú®îˆkM$÷É	¥fJ»#Ü.‹°Lf•Ùº}ærÛ=SɱÇ)-"81' ÖƒÐ'´dÒzÿQoâ.þ¨æξYØÔzñ	¥(­8©;é2Ë™åÜyrO['¡=¾Ø˜¿ãyìÏ[¨F”"7ÛëP·o6ØøôqSd£4È.ðy;=xE³`Àøü‹o2!=”éU!ý0=þ¥` Ë/»z7ž«Oú=åEÛA÷ðÜ`i¢™>éØÿb:x˜°D;Sˆô?Á¨œÁ^é×dw
 ÂœI(Û{²ðÿnsc>endstream
 endobj
-1432 0 obj <<
+1436 0 obj <<
 /Type /Page
-/Contents 1433 0 R
-/Resources 1431 0 R
+/Contents 1437 0 R
+/Resources 1435 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
+/Parent 1434 0 R
 >> endobj
-1434 0 obj <<
-/D [1432 0 R /XYZ 56.6929 794.5015 null]
+1438 0 obj <<
+/D [1436 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 410 0 obj <<
-/D [1432 0 R /XYZ 56.6929 415.868 null]
+/D [1436 0 R /XYZ 56.6929 415.868 null]
+>> endobj
+1439 0 obj <<
+/D [1436 0 R /XYZ 56.6929 390.8599 null]
 >> endobj
 1435 0 obj <<
-/D [1432 0 R /XYZ 56.6929 390.8599 null]
->> endobj
-1431 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F62 1100 0 R /F63 1103 0 R /F48 985 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1438 0 obj <<
+1442 0 obj <<
 /Length 3814      
 /Filter /FlateDecode
 >>
@@ -5804,36 +5821,36 @@ T~L
 TÜÛÎ?3P¾ñ€·Îg_›¹Ò±OïAúFR?áØ›¸ŸÒXN6°eiS	bXŸ¥)8ŽŽuiÓA2°F)ò/ÛåÇœ¥û–ÜV\oAu§æcÈž_Ô@2c"¾qÓÈë²°ÞÑ#©§C.¿ÃnöU¾
™ ôÂxZ³ïêå‘í"{ÊJ#;ú÷‚6ÿÙÂlk¢Qô³ÚTûðƒ^ÇÌ7{°ŽCßZÍ›åçªÉ\ðÏi@÷ý"âÏ^0 ¥IpGó1Ò6ÅôeãòE¬iØäìcüž3—d,Iüè
Ñ£q?ˆáç0è髦笳gâÀ¼7ÂÃůE.l9ñ¶Õ>Õý¤Çvî•Ís¶ù"tˆâO+,"þµ¬>dGä„Ó
 ÷c°­¾éèü7! e¬Ôtä9ÍpÐ÷b¥â79hT÷k–Õ£å'Ùý‚£ß´E*Eãs¶&Ö3½Á ¬ÈÑÍypÎË$CÜšÏÙV|+Na =¨Pc]½ÄêWUZaUÂ=‰cú:wU߃„pî¦]ø­¯	<üö»¨ÿóï€ûI[06øudÞë@Þk¬2Qôi/™RŽßσXG3¤ÿ);‘_endstream
 endobj
-1437 0 obj <<
+1441 0 obj <<
 /Type /Page
-/Contents 1438 0 R
-/Resources 1436 0 R
+/Contents 1442 0 R
+/Resources 1440 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
-/Annots [ 1440 0 R 1441 0 R ]
+/Parent 1434 0 R
+/Annots [ 1444 0 R 1445 0 R ]
 >> endobj
-1440 0 obj <<
+1444 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [315.1789 725.8736 363.5077 737.9332]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update) >>
 >> endobj
-1441 0 obj <<
+1445 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.2799 109.336 410.176 121.3956]
 /Subtype /Link
 /A << /S /GoTo /D (zonefile_format) >>
 >> endobj
-1439 0 obj <<
-/D [1437 0 R /XYZ 85.0394 794.5015 null]
+1443 0 obj <<
+/D [1441 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1436 0 obj <<
+1440 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1445 0 obj <<
+1449 0 obj <<
 /Length 3589      
 /Filter /FlateDecode
 >>
@@ -5853,41 +5870,41 @@ I
 B»‹w8¬,Yœ»lhgjäÛmu µH•Ö]Û­o:ï§RÁ¸ h‡fOUአôñ¨)¿@’_iY¶ù¼:áìK?Jײ𲑙™î+xa#*IbÅ°€m_[1uө‡ô5ìà½èÒ#ç7œŒyjxÂÒ˜Y{P@ÎZt‰¹¥¨ÝuˆtŒ[ðYü¶­Ê…¢¡ÞK	s€rÉ,á:Imì šy	9·ZÉÜ‹uL­C4Ù/4Œ:àÜrc^tú³.‡:q–Ó[¡XS×µX°cY?gdÕ¾lš(	±Íɪ>¦0qy×é5z!¶CÉÚäÕÛf×ù·Ëœþb{hRÈÓãéÊç÷$f³©Œµ—'¹p_jüÈ¿cøÔW9lÇ®L•&RÚ€Rÿ~C2hÊÀ‘²Qˆ¨!UáRáE/ÞBtd"^ÌÚYáƒ"hD¤ÆNÙÒ³£¤ö¼¢^<2ìÄøÚÎÜ{ƒ?G­pA
iø~‡YÐ'G®&±¤Ñƒ£ðëŒÔ” ‚‘ŸôçÌGyx}U#Ôbz…òXl¸à€pÊ	·©}Ýû³.;`œ…²®!¬¶y60¥²ì•ã¬‘¥åà+Uz°6¹a–…p½.£f½Òàú‰ÂùaF¥˜,‹~M§è>ÏK~hx¢tÊ©A KŽèJ
§nˆ‹Œ»!×àO&•§Vò‡üÞM/S |ÁäŸv=`IåQ,ø^Kt¼£Ý“ò•þÑ ™rˆ8œÂu²X—uo.Ýwý)áí¬—û¤>Œ™Ì[fðtE©¿Pš¾¿©€£ÊÕÝ‚H~ûÈf¬öµ‹…]½.¤ðÂvWnrgØÙï°j@o8Û¢­”éÕZ”¦XSQM!ˆ¨}þ
 Ô”Ÿ“¤ÉWþñ[Ä|>1ÛR×­Éܧ‘Eî>=³ðA—cTq3ÝîçC˜ß¾€l? ׎ZÇ*¥°oØ–0"Ø8ñA„ûzìÊ‘‰NM€÷ˆlÃZ™0Å1ìÿï8¦(«xןuïâ¬^„5®ryvd#@LþêêaÒÈêr’Cv²:Y¥ÑÓÛôì!b¶Ö™Ö´;Wl‰#‹¢|&5ªžÀãŽNZ=®·Î~ݯ<èîáö£w"£=r†¢õÉg*¾³DØáuçá–[ª1pëÏ	àñ3åAo?&7÷ÿº¹KVR8Äì4äAÆ—B	YiŒÊÿÄ"»‹ÑFÿc›!Y>’ØGH]Ü#R‘¶3•5üÔရ	‚jxq	{—°éÀž9=zHt2;‰cÿ<"ÍH„]B"l‘Heo Íz½O¬èËp¤ ëb|Gî!ð ‚B‚IÝ“R§âu)cŠçˆAÇ…¼#öä¾²È÷í…A&CŠÿ?°)À lØY‚U>=¶2ìVõoo ç-QýýŠ$—­Ú[9~¿º—Ž÷«V,Äî*Æî#÷¡Y5ªÀ‘ŒUAöo{ŸF´¤OR~ øñoôç. C™~ÿŒ8.ãj´¬G‹Á7›mw æÞ*ýjÇïÎáL¦’>™Iü(Eu^ õj‹Ð+ˆ;N	UJ÷k¸”=|~Ot÷Õ©wôô÷Õœ–~¦®xvpZ™`±ú‰_bÉ:®î>XjNJº‡F‚›ËÏœ@Ôá¾EÙÌCCø ˆ”ªY„iáÇ(@
±“í_·½ßf¡udÞÒÏ¢¬ÿBnÃOb€p[wÅ®.º¿x>„Ç4Ä%EŸI/Õk±T0úE…M‚SþÏ?«<–{Áö¤1—~¤1.&^(TºfçÑ’ÿýå¹èÿ6¬þ°endstream
 endobj
-1444 0 obj <<
+1448 0 obj <<
 /Type /Page
-/Contents 1445 0 R
-/Resources 1443 0 R
+/Contents 1449 0 R
+/Resources 1447 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
-/Annots [ 1451 0 R ]
+/Parent 1434 0 R
+/Annots [ 1452 0 R ]
 >> endobj
-1451 0 obj <<
+1452 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 395.7911 116.59 407.8508]
 /Subtype /Link
 /A << /S /GoTo /D (view_statement_grammar) >>
 >> endobj
-1446 0 obj <<
-/D [1444 0 R /XYZ 56.6929 794.5015 null]
+1450 0 obj <<
+/D [1448 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 414 0 obj <<
-/D [1444 0 R /XYZ 56.6929 468.5048 null]
+/D [1448 0 R /XYZ 56.6929 468.5048 null]
 >> endobj
-1450 0 obj <<
-/D [1444 0 R /XYZ 56.6929 442.1853 null]
+1451 0 obj <<
+/D [1448 0 R /XYZ 56.6929 442.1853 null]
 >> endobj
 418 0 obj <<
-/D [1444 0 R /XYZ 56.6929 122.2539 null]
+/D [1448 0 R /XYZ 56.6929 122.2539 null]
 >> endobj
-1452 0 obj <<
-/D [1444 0 R /XYZ 56.6929 93.4835 null]
+1453 0 obj <<
+/D [1448 0 R /XYZ 56.6929 93.4835 null]
 >> endobj
-1443 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F11 1449 0 R >>
+1447 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F11 1336 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1456 0 obj <<
+1457 0 obj <<
 /Length 2497      
 /Filter /FlateDecode
 >>
@@ -5906,22 +5923,22 @@ pQ
 gˆ.´žÜÛÃ)WmwÜÓ{»•Qß»·‡	‹!]éëÿ€7Ä›"ñžô‘ƒ”1HÓx´™vDHÑiM4N9>él¢û>‰gr>¼»t›6}O!ž>C‘0¡¤¾ƒà§bˆ ¸?é;ï‹ö8*Žÿ7Óðõ?ÜØ#î/ÛÓ#ÊÌ7÷SBŠ™ p¤&‚ÂJuA±©Êo'Q‘° ˜SßJèïE…Yà
h£÷ Š
 Üp¬EšmÜlã6¶a´Ý°Ì®Â›tXtM]X`#]­T—yiÃ"„„̆„‰ðgÂâc9*þ÷?…A$aûâÓAÐÉœ#Ó€F»ÂýºÈN¢ Žàz†SÚ[™õ½Pœ)%cWÿuÙ¥`6sêåe©õÐð«"ž‹pF¼z¶WÌ]z,šÎ㆟ºWAB¸={’á4F úíë§âVܘP*÷–ð#¦ð°2F¡·b>´¼ýÁÈ©éÿÿbtendstream
 endobj
-1455 0 obj <<
+1456 0 obj <<
 /Type /Page
-/Contents 1456 0 R
-/Resources 1454 0 R
+/Contents 1457 0 R
+/Resources 1455 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
+/Parent 1434 0 R
 >> endobj
-1457 0 obj <<
-/D [1455 0 R /XYZ 85.0394 794.5015 null]
+1458 0 obj <<
+/D [1456 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1454 0 obj <<
+1455 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F14 765 0 R /F41 969 0 R /F62 1100 0 R /F21 738 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1460 0 obj <<
+1461 0 obj <<
 /Length 3719      
 /Filter /FlateDecode
 >>
@@ -5945,33 +5962,33 @@ p
 pnòÓ*l î¹\¦`Äl/ìô‹‡ð<·“Úô²²x3&#lvßÔ®LÔXle‘RvÐH¬0’±tÑLlÈÁÁôøû1­á˜î0?],‘Þ`¬žOŸZMši9nÀ†a“©á…!K~¬þ(«Ì…sªÃ¹ÑxA‘-”¸†Q¯8¨È°ôá0¬‡=:˜±}ø$ÂÛ#&Åjጷÿ“IÑ}êlt`9$ñ1Nð„âŸþ…åøk'è-?øîÎô•!mƒÃuA?š™0æ"‚R,›5û
 Ï—c§¿þƒ\}j›TÀ9õTu¾â¼ yºJ{sì÷¨Æ	üéLD,O#_þöoU‡ò‚W7Yv$ï쟋0QHxªŸ§$*¤ž!ý¿‹q
endstream
 endobj
-1459 0 obj <<
+1460 0 obj <<
 /Type /Page
-/Contents 1460 0 R
-/Resources 1458 0 R
+/Contents 1461 0 R
+/Resources 1459 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1430 0 R
->> endobj
-1461 0 obj <<
-/D [1459 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-422 0 obj <<
-/D [1459 0 R /XYZ 56.6929 712.5662 null]
->> endobj
-1030 0 obj <<
-/D [1459 0 R /XYZ 56.6929 687.7843 null]
->> endobj
-426 0 obj <<
-/D [1459 0 R /XYZ 56.6929 215.6322 null]
+/Parent 1434 0 R
 >> endobj
 1462 0 obj <<
-/D [1459 0 R /XYZ 56.6929 188.2003 null]
+/D [1460 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1458 0 obj <<
+422 0 obj <<
+/D [1460 0 R /XYZ 56.6929 712.5662 null]
+>> endobj
+1030 0 obj <<
+/D [1460 0 R /XYZ 56.6929 687.7843 null]
+>> endobj
+426 0 obj <<
+/D [1460 0 R /XYZ 56.6929 215.6322 null]
+>> endobj
+1463 0 obj <<
+/D [1460 0 R /XYZ 56.6929 188.2003 null]
+>> endobj
+1459 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1465 0 obj <<
+1466 0 obj <<
 /Length 3015      
 /Filter /FlateDecode
 >>
@@ -5988,34 +6005,34 @@ I8
 òŒö
 ©8z¤Òž(SÈ«&†‘evž:­~Ž'_ªhÜÊbO³9ê½´äƒ5eºŒ€,GSÌ-ø¼U˜š*ä7„~Å1%¢§Cé†<ÓˆF*†a¦X°¤t×êÊ‚^3F=šFÏ3,ôΚnïwoÓ•|©À"d»R™±8]òÀ¥G$ŽÃiñž&3ñº5-cÝw™&
T?›o_™€µ­éž`Yiݪ¬û¦Gf|¯»§—(Aåd`¤“CªãIÀB‡±k‘Iã‚Á¡9-†™Jò¾ãC›°„A™±ÎÕ>f¶fœbòý*aQ­TÕ5T3œ&Ðô+ÖJ?bø˜~KÞ9q$C|‰¯³Ú~
>ºÊ¬¨úðµ+×þ ÅÀ¢O»3ÞÛTôî˜ô/	Ë61Y/0…O2äÅä…Öµ::3là·™ÄôɤCjˆï°PôÇŒò’qE¡‰€LÜËZVlž³–mHŸ±Q] ö{uíAêzô»3þ|/"è«gÜü¾n!í(¡áo÷uºƒ1_ÞCù™$,`FżڿGþÞ\Ð/U…,ß™×äÁõìDLKÚ7´cUm:~êx’Íûª~q—üÊñnN»|x_ë(ºTëúÿÀ1" –¿w²i?‡ÌË?Ìž]vù~Ù¨K•ÝneDû	·ïÒÇÏCÐÖiÙ¬eÝ|øôÜ¿r€…áÿ_Ìüã…ÓÛâgÿ›Çñ`üÈöâøøãéø×P'´c7‰QÈaäM)ïÿä”ôÿ¨ï:endstream
 endobj
-1464 0 obj <<
+1465 0 obj <<
 /Type /Page
-/Contents 1465 0 R
-/Resources 1463 0 R
+/Contents 1466 0 R
+/Resources 1464 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1469 0 R
-/Annots [ 1467 0 R ]
+/Parent 1470 0 R
+/Annots [ 1468 0 R ]
 >> endobj
-1467 0 obj <<
+1468 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [91.7919 602.6942 93.7844 612.334]
 /Subtype/Link/A<>
 >> endobj
-1466 0 obj <<
-/D [1464 0 R /XYZ 85.0394 794.5015 null]
+1467 0 obj <<
+/D [1465 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 430 0 obj <<
-/D [1464 0 R /XYZ 85.0394 191.1478 null]
+/D [1465 0 R /XYZ 85.0394 191.1478 null]
 >> endobj
-1468 0 obj <<
-/D [1464 0 R /XYZ 85.0394 166.7586 null]
+1469 0 obj <<
+/D [1465 0 R /XYZ 85.0394 166.7586 null]
 >> endobj
-1463 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F11 1449 0 R >>
+1464 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F11 1336 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1472 0 obj <<
+1473 0 obj <<
 /Length 3460      
 /Filter /FlateDecode
 >>
@@ -6033,27 +6050,27 @@ Z
 øŸç…­ñÑ‹lóOÚ7`qdß©ö-Òx
!úS¹=l©iÊÆŽãEž—h}¿á¸â–‰ÐÆ>mÏ©í¬žõ>PU…›VçÆƘFcäKGprN—ˆÝÁJI&*%?6€L!l¢š(u&Šƒ¤¹Ž<ä\Zòë@zEèØD'ÁFÐÇŠDòÃüG£ÄqVS€>°²ïU}w¬jŸ¯Ñ¿_MÙÈbñ8qüP†*ÓÝ9Ÿ<þ4ñ^eã(§Ò,QÚN¼A]Ù߬¨>CvPÝÕæ+7§†Wn˜îA¢Q/ÁÈæ6†lÙ4ÊMñ‘Bß]d¾'šÈeb¬4ý’á>£¡]:šÈ 9ÑŽ ³ã›dpð*VL…,üb‹+LJ¾?Ü!¬ÿþ¦{®˜ð2|#ÒyŽÁÇPžΠ«* 2lhëPÙfô)Õ˜ÇI1Œ}˜¾ËÛÅ:^Š1ã—=Ø…î#ðBëü'œØ‚L21 ó™×³£3
Âã(6Â+óêž:\:‡[ò`/ÔqÜÆ!Äb#g$Ñ.ß—»S×9⤧|•‚ìã—|'¾PTËÜ©ï	Óî‹Š?üõbÿi§¶‰rNv&ŽKëð.QE¢«P?s|Húÿ8Ä
 [endstream
 endobj
-1471 0 obj <<
+1472 0 obj <<
 /Type /Page
-/Contents 1472 0 R
-/Resources 1470 0 R
+/Contents 1473 0 R
+/Resources 1471 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1469 0 R
+/Parent 1470 0 R
 >> endobj
-1473 0 obj <<
-/D [1471 0 R /XYZ 56.6929 794.5015 null]
+1474 0 obj <<
+/D [1472 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 434 0 obj <<
-/D [1471 0 R /XYZ 56.6929 575.952 null]
+/D [1472 0 R /XYZ 56.6929 575.952 null]
 >> endobj
-1350 0 obj <<
-/D [1471 0 R /XYZ 56.6929 545.1349 null]
+1354 0 obj <<
+/D [1472 0 R /XYZ 56.6929 545.1349 null]
 >> endobj
-1470 0 obj <<
+1471 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1476 0 obj <<
+1477 0 obj <<
 /Length 3592      
 /Filter /FlateDecode
 >>
@@ -6071,48 +6088,48 @@ e
 ´Êpû7)>´I ¤ølÒW[&,Bâm˜ë-b!• 8„Cšü(N€Êþbü¤ÚL2{ôAœq!Aë?Kšˆh€ë£zÌì§>£‚Èc9׌ü¦wó~!–„ô,:ô&ßw`ŸÏÇð!9¨àQÕþò:ÉRáah4á®_³+ª° °ØVXÆWNš·ïôU‰”žGÕ‚}3þH𶺹Ÿ8Ðf±Ü>ŠI+))êŒJ&ƒ{©¤¦2Zò	P	«ÛPÉØî*ȩדŸ§è±{*ô¢É§U»@Á•µ)}"ôËñÌô©Æ)õàn­ŒÑÈÆÓ/{ÐÄxì.JnXòøüq`Hˆ©«×¼c>ûïÃ×ïÒWkOÜáŠ\g4n
 97GÐõ_‚oý¿P—Òendstream
 endobj
-1475 0 obj <<
+1476 0 obj <<
 /Type /Page
-/Contents 1476 0 R
-/Resources 1474 0 R
+/Contents 1477 0 R
+/Resources 1475 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1469 0 R
-/Annots [ 1478 0 R 1479 0 R ]
+/Parent 1470 0 R
+/Annots [ 1479 0 R 1480 0 R ]
 >> endobj
-1478 0 obj <<
+1479 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [116.0003 680.0038 166.1092 692.0635]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1479 0 obj <<
+1480 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [399.2874 568.3155 467.9594 580.3752]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1477 0 obj <<
-/D [1475 0 R /XYZ 85.0394 794.5015 null]
+1478 0 obj <<
+/D [1476 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 438 0 obj <<
-/D [1475 0 R /XYZ 85.0394 461.551 null]
->> endobj
-1480 0 obj <<
-/D [1475 0 R /XYZ 85.0394 434.206 null]
->> endobj
-442 0 obj <<
-/D [1475 0 R /XYZ 85.0394 334.6837 null]
+/D [1476 0 R /XYZ 85.0394 461.551 null]
 >> endobj
 1481 0 obj <<
-/D [1475 0 R /XYZ 85.0394 301.5645 null]
+/D [1476 0 R /XYZ 85.0394 434.206 null]
 >> endobj
-1474 0 obj <<
+442 0 obj <<
+/D [1476 0 R /XYZ 85.0394 334.6837 null]
+>> endobj
+1482 0 obj <<
+/D [1476 0 R /XYZ 85.0394 301.5645 null]
+>> endobj
+1475 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1484 0 obj <<
+1485 0 obj <<
 /Length 2869      
 /Filter /FlateDecode
 >>
@@ -6129,98 +6146,100 @@ h}X
 lYá±eá³<&ýhd8Û0…
 ø @‘Ju½”&Ä{1lþuŸzs¼ð~èâ¯ù3¿Š>	þÃÿ40üGEie’ÈùŸ!·ƒ¼˜°Pxž8:‘ÜþwÁ©èÿ&ãˆendstream
 endobj
-1483 0 obj <<
+1484 0 obj <<
 /Type /Page
-/Contents 1484 0 R
-/Resources 1482 0 R
+/Contents 1485 0 R
+/Resources 1483 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1469 0 R
-/Annots [ 1488 0 R ]
+/Parent 1470 0 R
+/Annots [ 1489 0 R ]
 >> endobj
-1488 0 obj <<
+1489 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [432.8521 616.4281 481.8988 628.4877]
 /Subtype /Link
 /A << /S /GoTo /D (DNSSEC) >>
 >> endobj
-1485 0 obj <<
-/D [1483 0 R /XYZ 56.6929 794.5015 null]
+1486 0 obj <<
+/D [1484 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 446 0 obj <<
-/D [1483 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1486 0 obj <<
-/D [1483 0 R /XYZ 56.6929 748.9522 null]
->> endobj
-450 0 obj <<
-/D [1483 0 R /XYZ 56.6929 667.6879 null]
+/D [1484 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1487 0 obj <<
-/D [1483 0 R /XYZ 56.6929 636.0345 null]
+/D [1484 0 R /XYZ 56.6929 748.9522 null]
+>> endobj
+450 0 obj <<
+/D [1484 0 R /XYZ 56.6929 667.6879 null]
+>> endobj
+1488 0 obj <<
+/D [1484 0 R /XYZ 56.6929 636.0345 null]
 >> endobj
 454 0 obj <<
-/D [1483 0 R /XYZ 56.6929 425.9376 null]
->> endobj
-1489 0 obj <<
-/D [1483 0 R /XYZ 56.6929 394.4436 null]
->> endobj
-458 0 obj <<
-/D [1483 0 R /XYZ 56.6929 313.1793 null]
+/D [1484 0 R /XYZ 56.6929 425.9376 null]
 >> endobj
 1490 0 obj <<
-/D [1483 0 R /XYZ 56.6929 281.526 null]
+/D [1484 0 R /XYZ 56.6929 394.4436 null]
 >> endobj
-1482 0 obj <<
+458 0 obj <<
+/D [1484 0 R /XYZ 56.6929 313.1793 null]
+>> endobj
+1491 0 obj <<
+/D [1484 0 R /XYZ 56.6929 281.526 null]
+>> endobj
+1483 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1493 0 obj <<
-/Length 3642      
+1494 0 obj <<
+/Length 3647      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Zmsܶþ®_¡o=ÍäXâ•`óÉIäTm㤎2Öñx¨;žÅ1E^Ž<)N§ÿ½»ØŽ<á,ÕÍh4·À°Ø—gç9ü‰sg²\•ú¼(ufraÎWwgùù{èûöLð˜e´œŽúêúì/Uq^f¥•öüz3áå²Ü9q~½~³øúÏ/~¸¾|}±”&_Øìbil¾øêêÕ7ÔRÒÏ×ß¿zyõíO¯_\zq}õý+j~}ùòòõ嫯//–ÂïKæpâ…—W»$êÛ×/¾ûîÅë‹·×9»¼Ž{™îWä
-7òËÙ›·ùù¶ý—³úyoÞÝÑ»Ÿc¨×ä"
˜û¯#Q'‚šEqO5…Ê£ †|«ÍXï˜ä9	Q^”¼¤e®H‘‰\™ÂÀÄ ”q
ÓØbN(“Î3?Ûø¦j6aüÒT;Yõ;Zæ2`E^ê‘.l!ó €UÄ€ÔCÓ¶DÝpËúåtcEˆu@´ pA€
-Z€Ët†£(´J‚QR¢eQ²«€´ù…ÍŒœ6Òõ¤mkÖÝ›ú8Å C!Á«§w3YâTŽTõÞÿpv„€1ûñ‹‡N*Nõ@Ö-§PQRód)H
-­]YYól‰ÉJÛ|H‚!3#JûyÙnMf¶,Ž“wÒ)»¬¢˜ʼn™$ài)JMàD8®:ªcH=ö[>eØ-¿¿IÁM“Câ­?m"øèyjDÂÁÑ10¹o™ÎÌØÅ¢ËqÂÌ•åÊçø§‚½¡|Ùº†zµlûþÀ¡u*r"Ës•l;6}GøX’³ÐüŒ=ýþ,¥®ö#XOdêdEŽªëžv©¥a±äp`¦36«ª%Ï'až‡`¾ZN#h‹œiA"*`ÎLjTþøˆµÌ„.ƒ^®Ûû¬VY¿{ÿœ‡WLÀ–¼"Â=NDX>Pfìë¹gºÅàoUÀøHÌ™ävsî7˜ 7íHOðVŸ8¤¥ÈHÔ¤ƒš“§•ge©ì\cžºªº¹­;ßíšõ:`÷y=ãC”ÒeP›¦[£¥/3µ)¥„æ`¢ÔËxÊ(ŽÆ:ˆOp/´‹õTi Ës¶7¿¸§U‡|ñí®º»«v	ÝÏ-
<Ƴ#–y½óa5OÌI2ü7«¶†·4þß©PJ¿º]®ÚV2„qþ§Z¯wpÊïüˆwX‡¡öÿ|™Ä¥žÏºƦ«Ð¢?ÙtQ»zµß
Í}½$·Šã?Öû~÷$>&ß~3y—/©%˲·©µóh›ï"9~g™0­ÿX€¿¬šKsÐû”|S£ò¡EöÝ‘¦ÿ4€ËI(eT
ñg²âÈY°æúéñLƒßw.U³œûZŠòNÀYÅbSWè—÷±²mXÆ‘á
-ÂÒ„HÅBÐç\¿¬ ïî	õXNf!©'pÄî#‘óÂnèàëEqT/!èA(®Þּ襎hñ¶'¢a´W
`VJµ¸çÛjQcßV»ÀÜ,	§å=ùœ—hœnض
ó¢a[=î·C­ãm¿Súz[ÝC);àÜeߎͶÅ™®Ä]V«ÛTH‡<º4OhŒÉ¤‰*@6­×eÊT…Ç‹ÐJª”¿5€
-8B’°Õ`ØV+nç(&dˆÕ0ä†ûÎ¥Ïü&óûB“™ØÃùŒÙ,^°†à=҉Ⱦ Gä‹b®ðúçÜâ㜷axÀûš‘
=Y‚‡øð|õ¿nTzsÆ:"«yÑÝ@‰êÙ‡߶4ÌlQò´BÔ³îÛ$À 4÷ÔmÛ2r\NYú«´Ùú”+2SJ}˜9:ïãEjк¼pâ÷[däøÄ"5åÜÂ!Ïé#PB©-àg4¿ßNǨÀÒEêÂæ‡Ò&†/V1˜Õ˜Ò¥tlHT|X„ïýàÕÝqÕH8Ò5$&Ñ–PÙüЩ²aCT6|8¡l°PgâÌ'•MeªPò\
-8—‹ßAÙ˜ãrÊ2¥l6Sv2ñ'tÍfNÅï·ÆÈñ‰5‚?ÌžÞl‘§t­ýq™üT¸p⤮…tË>C×hú&K¦Œ¢ŒÙ%)Þÿ›’ò>J{jVVÄÄÝèÅM?Þ&áµ@*h`ØÅQ÷á'7r\¨é2ÝêÇÚú~{”×RÍí»ªó•Å¥ÌKq½y –’Mw˜Plm3a´­‡ô}™So³‰7Qƒ¨âÚ¥Š×:Ãq©¥PZ/1>áL`³‹5€m|Š>t`샗'RÌOµÚn½–ñ{( èë .¿ç*}U¦ñîGúoodÊÑØ6	Ú‹DfþÖ‹,c€]qcÕÒ—oüüúÃûbRH8×ú0UÌS*õiËxÿ÷G«‡/zuNÊô÷¨*‘~yQ(õ¢8^yüºõñÒÿß²s¹endstream
+xÚ­]sã¶ñÝ¿Âo•g"–ø$Ø<]r¾ëµÍ%uœé´I憖¨3ç(R);—Nÿ{w±ˆ”á³{Íx<Áåb±ß»€8ÏáOœ;“åªÔçE©3“s¾ÚžåçïáÝë3Á0Ë´œB}u}öÇWª8/³ÒJ{~½™àrYîœ8¿^ÿ¸øúÏ/¾»¾¼ºXJ“/lv±46_|õæíKš)éçëoß¾zóú‡«…^\¿ùö-M_]¾º¼º|ûõåÅR8#à{ÉùàÕ›¿]ÒèõÕ‹o¾yquñóõ_Î.¯ã^¦û¹ÂüröãÏùù¶ý—³N€±™VEÉÀ¼«u³¹n±©÷M÷žVj:úokìöRu·ªïùRÁÂÊ9w¾"+‘e¿ø<|˜‹¡^õÝš&ÊsY·k\VÊÌUÓÑšÇOÜh¿ïýzkÚ‚žm¸,2é´ã=‚±©ZÜpŠá&+ŒÒz¬Z\‡…Ž÷›Ã­ùùf`ïoùU5œlËó×Oµ
2œx"­mrrÎd¦,eZ|e¦KÔägI¯Ìè>#ÿšîPrÔü½ñÏP]¸…ÇFónôxEÑîèÆÛþŽ>‹Ÿé·	!HYfR¥ëªm½Î€žMšè¢0n¢r9,Ì,aé5¿y-À–#è—-2g¬¼$×ÆÜwS_á7ÅWm2c´~¦YºLk]>4K¿Ê@¿}×"×Àk/Ä"|r9•)lMa_Ï&s²¨€í•2ý‰ÌlzïרxÕ¶÷ŒÁ]òLÃtÕ‡š§¼ì᣶¯˜5^OqÀ;§‡È[©Ñ–f®§ëj¬nª¡&g^uk?ö#
-‰W_Ó« Ñ¯T0Ø‚QuWysÂ	òýª†Ì¯ŸÃº¼­ oëíQ€ìÑ?쇑Æf['êd¬USÍK0WɬÌm`®—W7Þûf¼¥QE?‘E‚ÕÏ@›‘œ÷2~
*—ðH…Èœ5Ÿg
2×^¤ˆ}S«ÛšéW^¾ýþ¯—ÿ¤ñÕÕPl¢©Å›Ë°!zW#i«;Z±"	Âà·¾ãQµ«EB
+Å2‡¹;°IP¯`ðèu΢?!;""¹Ã`ØÕ«Æ»xFâí“A
+RI†…{¶‰y4QðèÊêÅ›
óbƒµâÄÿF­
œôì9é‡dá9mºe-š÷]¡Šõ¾cØ“oCÍfR
'6¦ È¬ˆ~ºú>ØJ4Ïœc
+Ž‚%&ÍåU¨’¸\5Òh×7ûý¬rÀºú‚X*q$´yÊ’@Ë\ÌoØ’{ÃË
u=jR¢.T&Á!>;GÊ”§’æ%Á>VÂb=ýnÁ2!l­¬
BgJ;×ﺔV캔f£Ç©™ë‰[ø¤j9X3èM*¯bC9â+/mP¶ 3ÓÀ7ë—Â=YKVç1mèíÐóÏ`œh¶»öcT†I<Äp$
+BÇü¦,9¿ÚæëÄÏï„zD^Âæ1«çGÏÒåÁ×6LM×4 ñ‹õôœ=UÝp_ï‡/q§ä
+q–/"Ÿq‡ecKbà@´ÓséÂbÁœn>ždŒPÁ7Œ}ôóÞ¼»“o?ÇP¯ÉE0÷_G=Ô,ˆ{2¨)¬P5Ä[mÆzÏC^ÐȳR‚—ô¬L¤+Rd☮LÓÀ
PÊHÃ4¶˜G”Iç™ÎŸmüK5›0~iCV;Yõ{"srE^ê.ì ò €UÄ€£û¦mitÃ3óÔ·(§+B¬ƒÁQ
+´FALg8ŠÂïÃÕ8ÀZŒbÝÞeÍ°ÊúýûçtDЯC¹È!²Œ>ÄÅú78.7ñÍt‹Ó¢“±¸ÓR°œ–‚óêú<á¡iCÍÝE)ά_åY¡Š§„”ge¡¾`k6ÓÊbž=ÅwUus;…P°ß7ëuÈûç½y¶¯Ñû¦éÖè%–˜oµ)…·¨ðÊD”QÒ´7“b[‘i]h‹½Xi Ìs¶UOÜ÷ÓŽE¾x½¯¶ÛjŸPðú@liãÑ˸Þù”¹¥Ö³'ÝWm5?ü¿Sa
+,`u»\µ
P28ÿS­×{ù;ñ{84ÿŸ/“9­Ç³®‡±é*ôŸ‡lJÔ¾^öCsW/É%#üÇzx×ïßapÅÇä×?NØCžéKšÉ²ìçíü께¾œ~³L2˜è?ÕÀ¯!ÏÍ¥9j€}J^Ö¨|hž}wÒÍùaÿ“Pʨ6æ®Én%dÝ‚5×/Ÿðµb†s©nše{·o,Ô¬ûo>Ü‹M
Nü@ìJÂ6”2_X:¾°ÑCY˜ã+ç¾»Ïû;ʘ,3À—o¿§ä û4œ7…C2€ñ£8éµPÚB`½«'¹¦ç:fš·=
Ϋá¡×-ÕâÍ8¹«öBmµhÁçsŠÐDp¨=Gãrîmíçêñ°BÂ;Þö‡1¥¯·Õ¡19ûõœ+®{íØìÚ˜½ ;Ó]¼Ëju›J /Íc2©E¢ÿ
+é°Öë2U¹>Žâ,©>Žü‰ƒ\lI,ÀTƒaW­xž;%BràF~7p•)}Õ8Yg8Üøìcº{8_m›ÅÖ<>²'BXäˆ|CÍ^ÿœ[ܶ“
ÃVÿø®hèÉ|ð„ç7ßñÇàé4f /g¨cV6OL‘	ã>ûÐÓ“:H+3›+{5^!êYguÊ4÷ÔIÝ2b\NQúc¸}Ê™)¥>®÷)‘´.‡Øøû1>A¤†J9· ä‘>%”ÚBî-‚æ÷›£tüøCºÁ]ØüØÅðÅ*«Sº”Ž
él8(€ð}¼º;î8	Gº†ƒI´¥	T6:U6œˆÊ†(êL\ùQeS™*”<—Äârñ;(c\NQ¦”ÍfÊNþ„®ÙÌi(N~7#Æ'h˜9”ÞŒÈÇt­ýq™üT8¬„Á£º™($®öºFËÏr²d¹)ÊX™’ÂáÝÈè±fT*´Õ¬%‰E¿Ñ‹›~¼Mö©æbFäãJou& ¦ª×­S1	9jæŸØZ‰ŸÄµ®7Õ¡åø¶¦R„ƒ)·¤ *À‹3c­|ň§yG³ª®ÂÞtñ]ÌÜBµURç»	§>œâImâoábåû$÷T¦U¼LæYkcþî9üDFOT…¶C<ÌL,åtr4°g5a ÔÏ|ïo°g<ÄUçö°WèŸñŶ^ÝV]3lé‘÷64î±ÑÈÇ^Îðr¨Ûzæà±q²´F@RàA9KADaIÚ³òíXÆ7kÎ#HJË°»D©tRÝ$´Ê7m6ðGØPùFr!BV]ÄÞÌñ‰"-1‚¬yùÃiÇTmÁ£Š%!¾
+ÝWš,ëí†IÉ{Â\•îV(³àK">©ÇÇ
ý¦ûR¥ËœTæÉÚEîç„·á_<ô¡Ž4õ“”Ž4õyÌ1óƒñ„Y4G†Ú
dè[ê@ãbÝq31^÷ sÚªç¤t™ÊsóÈg8PO´R€Í*zþOTr²,;¶•Ã!(§Ü,„`â¬óªà_½ÏÜñ”;$ò¸Á\»¹NߌÉ%ÈB=]l
+ku¢Ø´Ìç\eÎÉêü’+lB57¾´ÉÉ‹ãüQWs¶œ«¨«¹~¬í©ämºx‚\Ìc³2Ã+/fñÕGZƒt!àüŒö†t‚3”Í)ÜÛPÁ`ðå/¾êx$èÀÏNë9œE*ýa®{xjœ¯#|ïž°3ãò	&Þƒcà)ò’".º¿fén¢(­­°Æå~5Ø–Æ6⾫ZŸ44p
+ìâäõQŒ“Ó> endobj
-1494 0 obj <<
-/D [1492 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-462 0 obj <<
-/D [1492 0 R /XYZ 85.0394 479.6298 null]
->> endobj
-1453 0 obj <<
-/D [1492 0 R /XYZ 85.0394 454.1046 null]
->> endobj
-466 0 obj <<
-/D [1492 0 R /XYZ 85.0394 323.2236 null]
+/Parent 1470 0 R
 >> endobj
 1495 0 obj <<
-/D [1492 0 R /XYZ 85.0394 292.0835 null]
+/D [1493 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1491 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F39 927 0 R >>
+462 0 obj <<
+/D [1493 0 R /XYZ 85.0394 479.6298 null]
+>> endobj
+1454 0 obj <<
+/D [1493 0 R /XYZ 85.0394 454.1046 null]
+>> endobj
+466 0 obj <<
+/D [1493 0 R /XYZ 85.0394 323.2236 null]
+>> endobj
+1496 0 obj <<
+/D [1493 0 R /XYZ 85.0394 292.0835 null]
+>> endobj
+1492 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F39 927 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1498 0 obj <<
+1499 0 obj <<
 /Length 1735      
 /Filter /FlateDecode
 >>
@@ -6238,27 +6257,27 @@ xÚ­X
  ¶ÚáÀ»Ïe¾,j'%rUÉZM+^®“HMDœ4x¥•ü‡)2ÆÊšh„BnëOíû=eÊP.¨R«ÅmšùZ§oÔ–¢&‚L®hò†*ÃŒÒ&´“öâ¸äUÅ«¡þaÆà.WWÆP·zzž<Ä!	(T
×|©ÀÔ‘Iù2Iw”[Ú/_©z6qô§y“ô7wˆÓ«~÷x-‰ñqËúö>·G–,¯{õÁU±\m¶é| {EÉ×IÞT[6“qíÀyrOÑ©xΗMõŒšÑ@
~JMdù³KhZ—ITkì~gQ¨›uWòžÜBß\Á¬g,Š X’+ÍKSa§
Qø;á^Z:½ÂØÑO*Œ~Õ´gQ·¼ÆÙػԇ«î GÙ—ÞuH|»(Ùj׊ý£H¤ÜEØñí Äh‘±•š^´WáËbŠ*ÏAL†}ÑÕf~k}ox¹և삋¶‚iRÕ]µ´ÏKSöuZšÞ¿Mm]²¬ZòòWÔhŠ˜éÃå7ø*ÕYE¥¢€MóH·…;Rv!ee£™|º|Ü©P¢œ1úÁžçúÓä¾ëÿvzË5endstream
 endobj
-1497 0 obj <<
+1498 0 obj <<
 /Type /Page
-/Contents 1498 0 R
-/Resources 1496 0 R
+/Contents 1499 0 R
+/Resources 1497 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1469 0 R
+/Parent 1470 0 R
 >> endobj
-1499 0 obj <<
-/D [1497 0 R /XYZ 56.6929 794.5015 null]
+1500 0 obj <<
+/D [1498 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 470 0 obj <<
-/D [1497 0 R /XYZ 56.6929 241.8725 null]
+/D [1498 0 R /XYZ 56.6929 241.8725 null]
 >> endobj
-1367 0 obj <<
-/D [1497 0 R /XYZ 56.6929 214.6175 null]
+1371 0 obj <<
+/D [1498 0 R /XYZ 56.6929 214.6175 null]
 >> endobj
-1496 0 obj <<
+1497 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1502 0 obj <<
+1503 0 obj <<
 /Length 1115      
 /Filter /FlateDecode
 >>
@@ -6268,21 +6287,21 @@ x
 š…Tî˜fW!Tšƒ>¶µó=µgè?Øѧ“ƒ ]Ë(A>o™F¶Hï¨èe_JLêC,Ò&Ïêt$ÅÒ^H[še\±øpàXU}Î2µE¬ÜæÝYèj+Ñ„ÔL’†<‹d_Å䤓Eméš/îèrÿ˜^›÷4·Z:©#HH7!€åvË]W%r=hyXgO=ÛrJ˜ÊG<Ï1ZôMäxÏ×+éò,hÙAð¾”àÑmêîªs£¥÷¯µwu½¿ ‚¸Ì¾ÖÏ(Š(&å±¹M²9x$	‹t~,3¥xlÒCû[ßV‹i/\ýÏ´…€ŒGM„ëé~m”b$j!ºC½*ZæÇ…¨ˆ(rtàOu¨4Ö
 Ü—AéèÐv:H)‰Ë^h_Ž¾[Rè`£S  ¡â¢;9Q÷³Œ¤´;Yè@eRGÉš$üiÕdµU((QtÅ㸃:/Tpm§EàJ%ï{ÀŠjxK4]=Ô{4jᪧ-õ«½*Lˆ”Ó¦ˆ)XÂnìU&ä‘~zëTŠCí´UGEè¢RÎt
ÞÏ5Þ,xÐ>è÷'aâW0ASIl“ü?ø¹e%^”Ÿkßÿ±käªayýëAí	…CiÞVÙÑ'ýk?ÒÁµ¨XVÍÍ)eTó&Nõ×…$’²á®•}ì[Ðõ]|¸ÿ¸ììƒ÷ûÏÂß妎Ц“­bÂ’•ÎF\Ð^ÏQ­(:¶Åÿ¡VÜŠâÿG+ŠNjEñ)­è¡[!ËÅUÎ;ý¯·<ùÆhsfëÎÀ÷ñú2[­Ë Ët¡¯ªPÕv%__-í‹þ/NY9endstream
 endobj
-1501 0 obj <<
+1502 0 obj <<
 /Type /Page
-/Contents 1502 0 R
-/Resources 1500 0 R
+/Contents 1503 0 R
+/Resources 1501 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
+/Parent 1505 0 R
 >> endobj
-1503 0 obj <<
-/D [1501 0 R /XYZ 85.0394 794.5015 null]
+1504 0 obj <<
+/D [1502 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1500 0 obj <<
+1501 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1507 0 obj <<
+1508 0 obj <<
 /Length 1100      
 /Filter /FlateDecode
 >>
@@ -6290,21 +6309,21 @@ stream
 xÚíX]sÚ8}çWøvFŠ>lËš>¥Y’¥³M·,ûÄ2ŒƒñÔØÔMÈ&ÿ½²­€Mh÷©Ã0þutîѽWWÂÒ?l9.t9áã6tv¬É¼…¬™n»iaó
xý”¿z?h]\SfqÈ]âZƒi	˃Èó°5†mØѨ}õéöºwóOÿ²Ãìö ÷鶈ƒÚ×½?»ÅÝMÿòãÇË~`ÏÁí«?.ÿtûE“k0Þ÷n/Þðâ²´ß½îö»·WÝÎhð¡Õ¬m)Û‹ÍùÚŽh³?´¤Üs¬ý€ æœXó–íPèØ”¾¾‰Z·>¯K­y×Zý0‚„º¤F@—ôt‘†b‡.%4pØ.Bíðqš5_€i‰â•TiÏŠûwÅe”Ù«Cî8¤Œ0÷ÃXé?È¡î|i`VBŽ“t'G I%RY<IªÇÅ8{Oÿ—‘ƒ*ÝÆQ(M‡çu??Ò|Dì8ÐÆŒ¼\xQÝ uü¾ˆUñ•¾­ÇLjBÓöR1l½eôc¡\”Ì€ŸŒzñr~'Ò}Òám•ú±œŠ„A$@7"û’¥:I…óc(áý@§RŠNWµîi\F<.¢pVý¨p0ÄÑêÈ¡@ "ßt’b’Äll¶AP	‰¿Å¹Åòníµe™vÝõë	‘É2ˆML†»ˆ:£`|ŒCJ˜£‘ ³©ý–793æZ¥÷›ÀÚ™¶ÂËs ÕjUÜâ	¾¹eªî[ªœA¢³¥¡êì êœF• ª36ãµ’ú‘GÉZBû)\9$:u5åzPZB0Ä¹Í½ çÁdÈs'î:×°9´)wkmXJvj~L¨™Hm	.ƒ”{—Îy‘À(¤6çûòIÓ8ØÕOð-Ì1$aµr>%±RùJ¯çáDžZM¾ò7ÕÈáôV]st=“Ši*ä}¾äœ¼ž’3Qéê(ü–DZUËH… XO'‘& Η3 Tt
 9ÎsqÉ(]\™1Šæ"V2§Ù¸Ï8ö_
N"_Êuí˜'¢:XµZ˜÷ºž}WgÇ®yŠHÌ´#'q©zh¤\e'÷bòd6ÉMÔ>øiü<õÃè9œÅI*Þ¤Ææ‹‹âz›˜ÀìÍ‘˜‹X‰ÖêLju¦çêL¶t–jy·O€ÛœNÚºd÷<²>[#´t¶F˜mOƒR™azÃüõ¤î-õï6Ðv„endstream
 endobj
-1506 0 obj <<
+1507 0 obj <<
 /Type /Page
-/Contents 1507 0 R
-/Resources 1505 0 R
+/Contents 1508 0 R
+/Resources 1506 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
+/Parent 1505 0 R
 >> endobj
-1508 0 obj <<
-/D [1506 0 R /XYZ 56.6929 794.5015 null]
+1509 0 obj <<
+/D [1507 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1505 0 obj <<
+1506 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1511 0 obj <<
+1512 0 obj <<
 /Length 2059      
 /Filter /FlateDecode
 >>
@@ -6318,39 +6337,39 @@ xÚ­
 _×ÀqJñî¼/†ƒû·=bó"Æ¿Y
 ÊÒ±¿niÿzÿæ?Šÿ¢Ã€
³ïÇ:MI΋ÄÈ2^ÉŸšÃÿ£ì¨ªÿès	Ñendstream
 endobj
-1510 0 obj <<
+1511 0 obj <<
 /Type /Page
-/Contents 1511 0 R
-/Resources 1509 0 R
+/Contents 1512 0 R
+/Resources 1510 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
->> endobj
-1512 0 obj <<
-/D [1510 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1510 0 R /XYZ 85.0394 457.5229 null]
+/Parent 1505 0 R
 >> endobj
 1513 0 obj <<
-/D [1510 0 R /XYZ 85.0394 427.409 null]
+/D [1511 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-478 0 obj <<
-/D [1510 0 R /XYZ 85.0394 427.409 null]
+474 0 obj <<
+/D [1511 0 R /XYZ 85.0394 457.5229 null]
 >> endobj
 1514 0 obj <<
-/D [1510 0 R /XYZ 85.0394 402.9976 null]
+/D [1511 0 R /XYZ 85.0394 427.409 null]
+>> endobj
+478 0 obj <<
+/D [1511 0 R /XYZ 85.0394 427.409 null]
 >> endobj
 1515 0 obj <<
-/D [1510 0 R /XYZ 85.0394 402.9976 null]
+/D [1511 0 R /XYZ 85.0394 402.9976 null]
 >> endobj
 1516 0 obj <<
-/D [1510 0 R /XYZ 85.0394 391.0424 null]
+/D [1511 0 R /XYZ 85.0394 402.9976 null]
 >> endobj
-1509 0 obj <<
+1517 0 obj <<
+/D [1511 0 R /XYZ 85.0394 391.0424 null]
+>> endobj
+1510 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1519 0 obj <<
+1520 0 obj <<
 /Length 3497      
 /Filter /FlateDecode
 >>
@@ -6367,35 +6386,35 @@ P
 MÎԞΡÓÜ—ž*Ì^h¨.Þ0Ô›’hÝ´CRq’RU"!.&ÅÓ!Ô§tS§ìϱ¿á6~¬0Žüa÷‹í±¤¬•”zf«¢•Aw÷WðpZ8)ÀÂbˢřÍzS­Êù”œ
 æå¢Ø­F)’ìÈHvdƯAN¤YTpâŒÞ{¤Žó9˜Ëu ÁœÖÝÝË,*3 ¦n¸}ÚU«nÊ%ÜS
 ©âtdÇ7
ÇàN~Õ-?˜@oþÊŠaÆ[†ÃêDÛ,SÚ;Há0½Ìt*zÿéãwÝß<â³åÿ>=|@¤¸ïº/‡¤1„øÞsÀØ"½õQ8˜õÉÿžñ-Ä…28ëÐб×;¦¼ â¼É-¹i“»èþ?ß~úx}w¯Í’EhÞ”2„žhg3¢”±ˆCD¨Çâ¨òñÞðjcF`Éel¼rüFÀ“xtÜ¥:­®Êbò}«œcþ¤RÃ0±n‘j­ŽÂÄ"îpF·ã $2þ ÌÄÃ:4N:Îaæ§)ìQÔrV×,C•l[Œ´¡¡‚K†Êû	Ħ*É=½sçöyÂÀÃॼ?N «qŸ­‹TmÁjOGØ<¤ÒåµÍŽ(:{±ïGÐqvŸ­ÆioÙë)ü:ãz°×‡ßüá`NœÇÇ¿cø¿&2€•™Äb¢Õ•!/ÏxjÓ‚\ç@“Òμ!Ûð
ã!w±ÀÛð3¹!Üh
æœïÈ
Ò¨B ÏI~ˆ,MÎwôo-àDµ\8ÏÄœ€¿ŸdÀ¢Y­šW¶Pš*ØÜPxBvESøsÚÅ`ve›¥‡ñ~+£Ïídâ*·&Ôw œñƒNe>
ù!úšñÒ²IU®mx¾£p9š{,§éô° áÄlêÁ5ùÜÆÇF-$Çp‚>6cÒ¤{w¬ûþY³³Ô†Å”¼­ô­‹_Ä­fz€sa‹¿!™zg$å̯åþuð3ŽßùîóØ
+áãlPG#}”·ˆ}ÝÔûõ‰Ê±.¨·~æ¨nhÆü‹¿ú‡c‡_ÕÁ•sYfÇ=Lo5UxÊÌžÑn´²,ññÿü#Xendstream
 endobj
-1518 0 obj <<
+1519 0 obj <<
 /Type /Page
-/Contents 1519 0 R
-/Resources 1517 0 R
+/Contents 1520 0 R
+/Resources 1518 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
-/Annots [ 1521 0 R ]
+/Parent 1505 0 R
+/Annots [ 1522 0 R ]
 >> endobj
-1521 0 obj <<
+1522 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [251.8681 205.1117 347.399 217.8489]
 /Subtype /Link
 /A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
-1520 0 obj <<
-/D [1518 0 R /XYZ 56.6929 794.5015 null]
+1521 0 obj <<
+/D [1519 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 482 0 obj <<
-/D [1518 0 R /XYZ 56.6929 162.5022 null]
+/D [1519 0 R /XYZ 56.6929 162.5022 null]
 >> endobj
-1522 0 obj <<
-/D [1518 0 R /XYZ 56.6929 137.1661 null]
+1523 0 obj <<
+/D [1519 0 R /XYZ 56.6929 137.1661 null]
 >> endobj
-1517 0 obj <<
+1518 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1526 0 obj <<
+1527 0 obj <<
 /Length 2817      
 /Filter /FlateDecode
 >>
@@ -6412,133 +6431,133 @@ r
 u	RB8_÷fEË2=¿©SKÂkƒn±¾O¬3¢ºcvf8­Õ þhµlG|¢R¤æ~¯[«ór3Uª¨I/ž6J$íÐz“›ÚBC¥¯©Ïç°jÚ©“HÊåtdùíQl«ËäG=†4&zȽv#gî»[»ÇéAƒò	Ó®t†j¤™²¶ð}¯O&#ª5âLòx2ê£N'#:&£í_A&‚
ÖÅ5{Ô„êaU	ûes)9Ð}žíL߃ñº/PÆÕéƒgª¤	‰8Ù¾x|ÂÝPî©í	¶õ°ºJ¢Y<î•0$”ݾ@Õu-&	–õP–u¨ãAõ½^Áf3¼êàPH×ïQ³“†C©¡çäZßðªƒh¥"Wfÿ+q߇èU‡Ã'œå¾™q›s-ãÑ÷¨„!¡´8ã˜0¯&.×ú¨ã:Ôq¤ ë_enšabdÊø¨5aÁrÊ|WE
M8'厌9GÁ4Â9&a…A߉ç:|ÂëPîwpŽ£ŒJ¿G%	¥Å9pjÊ8çz¨ç:Ôq¨êòófâ|°ýv	7K`L½GMè2Ž I}hÀy¾>¸1¾ð`Hi­#æÒ‰=^x8|ÂçPîÛWU‘¹èƾ¥ÌËŠ’ÀŠÀÍ÷£dë£N“Í£Úz±8˜õ¢®òEÓl‡a”ˆŠàQé&’ŒM8Ý&N!Æ#×¹l¢J\æ7‡O8Êý¾™›`ÅãÑ÷¨”!´8å æ{‚qÊõPÊu¨Þ›Í_ë¯ç2`	ÉxÔ„	ÎIxªåȆó,ªSžŒ¿‡
 [ÅLF¾’g eß¼Ôý›Ã'Üå¾}U…ݘ™ŽÇߣ†„Òâ¬ÃaÂ÷o}T„uÊh\ïê¯Å«¥Ee®!ÒÁÞ<ÃøïÿöO(Ž¿/á1uêz–™í5…íµ3Ê®ØØrÿ[‹Ðôÿªœendstream
 endobj
-1525 0 obj <<
+1526 0 obj <<
 /Type /Page
-/Contents 1526 0 R
-/Resources 1524 0 R
+/Contents 1527 0 R
+/Resources 1525 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
-/Annots [ 1529 0 R 1530 0 R 1531 0 R 1532 0 R 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R 1543 0 R ]
+/Parent 1505 0 R
+/Annots [ 1530 0 R 1531 0 R 1532 0 R 1533 0 R 1534 0 R 1535 0 R 1536 0 R 1537 0 R 1538 0 R 1539 0 R 1540 0 R 1541 0 R 1542 0 R 1543 0 R 1544 0 R ]
 >> endobj
-1529 0 obj <<
+1530 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [312.6233 664.9538 381.2953 677.0134]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1530 0 obj <<
+1531 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [310.4119 633.2165 379.0839 645.2761]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1531 0 obj <<
+1532 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [340.2996 601.4792 408.9716 613.5388]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1532 0 obj <<
+1533 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [328.1051 569.7418 396.7771 581.8015]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1533 0 obj <<
+1534 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [320.3548 538.0045 389.0268 550.0642]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1534 0 obj <<
+1535 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [359.1386 506.2672 427.8106 518.3268]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1535 0 obj <<
+1536 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [429.9426 474.5299 498.6146 486.5895]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1536 0 obj <<
+1537 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [286.0435 295.6317 354.7155 307.6914]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1537 0 obj <<
+1538 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [339.144 263.8944 407.816 275.954]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1538 0 obj <<
+1539 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [336.952 232.1571 405.624 244.2167]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1539 0 obj <<
+1540 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [322.5463 200.4198 391.2183 212.4794]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1540 0 obj <<
+1541 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [331.4327 168.6824 400.1047 180.7421]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1541 0 obj <<
+1542 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [361.2812 136.9451 429.9532 149.0047]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1542 0 obj <<
+1543 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.5699 105.2078 422.2419 117.2674]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1543 0 obj <<
+1544 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [330.3165 73.4705 398.9885 85.5301]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1527 0 obj <<
-/D [1525 0 R /XYZ 85.0394 794.5015 null]
+1528 0 obj <<
+/D [1526 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 486 0 obj <<
-/D [1525 0 R /XYZ 85.0394 725.3455 null]
+/D [1526 0 R /XYZ 85.0394 725.3455 null]
 >> endobj
-1528 0 obj <<
-/D [1525 0 R /XYZ 85.0394 697.9265 null]
+1529 0 obj <<
+/D [1526 0 R /XYZ 85.0394 697.9265 null]
 >> endobj
-1524 0 obj <<
+1525 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1546 0 obj <<
+1547 0 obj <<
 /Length 2986      
 /Filter /FlateDecode
 >>
@@ -6555,92 +6574,92 @@ b
 íè ’Hˆ$èpLkS‘NÞ¢èk‚7ao‚—†|#ƒ¦ua.î&ìá’Yèè9øb¨Ó5[p‡*á@åìümãQ³©óßÇQ‚1„ù‚hBþU„B˜_z|ž[¯);â¥BŠ39{ÿÅ`C_²gk¤ËnéÌó½ÿÂ# t‘"áqÿ·TKšŒ¸Eûl*Àc‚Ê8èºTó k©ÂfÙjçù,•³ÍĽt§\Åõð4jô Ç9â‚°¾ŸzsÖc:¢RF (0"œôMŽA0Ð/˜?æ;A9TÉô$Šß…–jA‘1·8¡MÒqv¨"T“{–ï‹IBVPó¸&-Õ„*}R8vfººüM(ìX4D!C+:B½éZCa _0Ì÷O  ª)ïCKµ È˜[…˜#ŒñBgÛ¥Š 0PÍGŽêÒŒ!$¢I\•–jB—1ŸÍy_™¿3z“&úmM„ž¢„}b¸ovˆ~Ác¾ˆúC¬@ÑR-(2æ"‘Pg	½ðEªK5Ä–j>xL‘!–èUZª	]úñP!Æð@™¿D‡Ó@ÔæKT[¯O¥eN#=££YÙ‘/X?âú'@H¡Ž´Dw¡¥ZÐcÌ-ÂÄ\à+¶ÂU„Ê]t6æ¾lØN'櫵Š‹
Db»–*Ó—aÒûyàvU~¸ËPy	ùêN%’œÞU=öÕ=Ð/Ø:æû'¾º'(ÁJÇ}ÞR-)2â‡Öˆb¹ðq¯KW ºîù°™Ž?¹Š¸¦*.½¥šß¿“ˆË„ôåžü:´b ÚTÅ<Úà¤)“ž¡1´ú“Ç|gÑÆÇå&‡žêѨó[ªMÆÜ¢p“Q).`;D‘¿\õD]jªM]¥c°™¯î	‹Ên‰ÆÂûPÓH*.{Ò?+Ò®6DCK)0%¨) €´Ò1 Š4O7xÄõG58»1§{’¸>Óè
 Wm™?¢žÿý­è_þ[íë²CÊ”š;¢R¡D¯”Q\%ãs¡4tBõÿ/ˆ
üendstream
 endobj
-1545 0 obj <<
+1546 0 obj <<
 /Type /Page
-/Contents 1546 0 R
-/Resources 1544 0 R
+/Contents 1547 0 R
+/Resources 1545 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1504 0 R
-/Annots [ 1548 0 R 1549 0 R 1550 0 R 1551 0 R 1552 0 R 1553 0 R 1554 0 R 1555 0 R 1556 0 R 1557 0 R ]
+/Parent 1505 0 R
+/Annots [ 1549 0 R 1550 0 R 1551 0 R 1552 0 R 1553 0 R 1554 0 R 1555 0 R 1556 0 R 1557 0 R 1558 0 R ]
 >> endobj
-1548 0 obj <<
+1549 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [231.137 624.1678 299.809 636.2275]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1549 0 obj <<
+1550 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [143.8055 560.4651 239.3365 572.2657]
 /Subtype /Link
 /A << /S /GoTo /D (root_delegation_only) >>
 >> endobj
-1550 0 obj <<
+1551 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [324.1075 296.9881 397.7608 309.0477]
 /Subtype /Link
 /A << /S /GoTo /D (server_resource_limits) >>
 >> endobj
-1551 0 obj <<
+1552 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [359.1555 265.057 427.8275 277.1166]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1552 0 obj <<
+1553 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [353.6164 233.1259 422.2884 245.1855]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1553 0 obj <<
+1554 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [370.2338 201.1948 438.9058 213.2544]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1554 0 obj <<
+1555 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [364.6948 169.2637 433.3668 181.3234]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1555 0 obj <<
+1556 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [226.7331 137.3326 295.4051 149.3923]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1556 0 obj <<
+1557 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [283.1811 105.4015 356.8344 117.4612]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1557 0 obj <<
+1558 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [287.6042 73.4705 356.2762 85.5301]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1547 0 obj <<
-/D [1545 0 R /XYZ 56.6929 794.5015 null]
+1548 0 obj <<
+/D [1546 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1544 0 obj <<
+1545 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1560 0 obj <<
+1561 0 obj <<
 /Length 3134      
 /Filter /FlateDecode
 >>
@@ -6662,141 +6681,141 @@ q
 ÿfíœv…3\<•­»²ÜuÛ[¹ùÎöY[UáRs‚løG_@ûˆÍ0åêMkóÆ^4›ý 1ß&¥í“ïÛ·yv‹Pˆ·¿»sº-žví`ÿtÝÕSaÌ9D‘yŽÉe‹\sÒ™ª]sX<×ýÝc²7Q FŽþgL¢/Ñbºó˜WeçSÕð``Š-HK‰u&ZxX¶A
 U˜ôW~ŸiÆúKà‘ÁdþPaÇpÇYùÔ†áÀISGgû¿â‡ØôGÏ;;`ÒŒ$MSÊ¿‚š„Mþü.üéÿ²uþÿl\!fZö§Çrt®¼RFq¿~ƒ“‚ÐTM¨þ€ŽÆËendstream
 endobj
-1559 0 obj <<
+1560 0 obj <<
 /Type /Page
-/Contents 1560 0 R
-/Resources 1558 0 R
+/Contents 1561 0 R
+/Resources 1559 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
-/Annots [ 1562 0 R 1563 0 R 1564 0 R 1565 0 R 1566 0 R 1567 0 R 1568 0 R 1569 0 R 1570 0 R 1571 0 R 1572 0 R 1573 0 R 1574 0 R 1575 0 R 1576 0 R 1577 0 R 1578 0 R ]
+/Parent 1580 0 R
+/Annots [ 1563 0 R 1564 0 R 1565 0 R 1566 0 R 1567 0 R 1568 0 R 1569 0 R 1570 0 R 1571 0 R 1572 0 R 1573 0 R 1574 0 R 1575 0 R 1576 0 R 1577 0 R 1578 0 R 1579 0 R ]
 >> endobj
-1562 0 obj <<
+1563 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [381.2254 659.5291 454.8788 671.5888]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1563 0 obj <<
+1564 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [362.4163 629.3132 436.0696 641.3728]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1564 0 obj <<
+1565 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [402.2465 599.0972 475.8998 611.1568]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1565 0 obj <<
+1566 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [348.0303 568.8812 421.6837 580.9409]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1566 0 obj <<
+1567 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [335.4973 538.6652 404.1693 550.7249]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1567 0 obj <<
+1568 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [363.1733 508.4493 431.8453 520.5089]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1568 0 obj <<
+1569 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [365.365 478.2333 434.037 490.2929]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1569 0 obj <<
+1570 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [393.041 448.0173 461.713 460.077]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1570 0 obj <<
+1571 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [402.9837 417.8013 471.6557 429.861]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1571 0 obj <<
+1572 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [320.374 387.5854 389.046 399.645]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1572 0 obj <<
+1573 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [348.05 357.3694 416.722 369.429]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1573 0 obj <<
+1574 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [488.512 327.1534 561.5676 339.2131]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1574 0 obj <<
+1575 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [397.3443 296.9374 467.1586 308.9971]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1575 0 obj <<
+1576 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [321.49 254.7663 382.69 266.8259]
 /Subtype /Link
 /A << /S /GoTo /D (options) >>
 >> endobj
-1576 0 obj <<
+1577 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [357.6499 152.1632 436.0651 164.2228]
 /Subtype /Link
 /A << /S /GoTo /D (man.dnssec-keygen) >>
 >> endobj
-1577 0 obj <<
+1578 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [455.3558 152.1632 533.7708 164.2228]
 /Subtype /Link
 /A << /S /GoTo /D (man.dnssec-settime) >>
 >> endobj
-1578 0 obj <<
+1579 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [317.0267 61.5153 385.6987 73.5749]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1561 0 obj <<
-/D [1559 0 R /XYZ 85.0394 794.5015 null]
+1562 0 obj <<
+/D [1560 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1558 0 obj <<
+1559 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1584 0 obj <<
+1585 0 obj <<
 /Length 3506      
 /Filter /FlateDecode
 >>
@@ -6812,48 +6831,48 @@ C
 ߌÆ#î1Í3›„¿O<3N?í‘Œ¶]¥½a ¡vG­\†CÀ7ó	#ôûåÚpˆ–··¼hv{¨XƒQÚî¡{å4|èØ)ý0¨v{3b|¸ËHtâ­|FÅ,ø€]JIHwÛfTóºX6]iZ£ùJHc¢
 G÷\{¸½] ~q!mÛ30
€z°lÙoó”N’ܨ¤—G‚¦¡M$ÑüÛb{O¨¦¥ˆôuVnÒŠ^é£EÔï Š	‰óMx_ÑtjK{=úˆ£¼8q¿f·Ã|ÏË›uZÖ_L•ô>T¢I<êï¬ò–CBi(mqêÄqˆàTZ@çk„ùÖÒûîK…^¨C5ÖrnÑî9Mqq²­‹bºÿT¦Ü¯mhò«·Ó¨bвMZ·ÜO`?oáôa˜»ie‹0˜/OYPìNY类ÜXÐá'•	µ¸›”-¤Ñ"vMØ„ùžâ@¸ã ŸØRËSz˜ôpñë.­FŸ”¤¯Ô8¯Ç6€2×A˜?Bºö"å‹A×Î$
Óz!d|¨>9QIOjÛL:ô‚ÀåG#Ø0ÆŸŠ:-á¸ÓùÒ5ãw÷,‡ÉòK%údT¬hSËPy:ðÕÉDMg+ÄZøG°`);AŽðtèàNB„ÌýyÆ>o¹Ø«Ò^„*ðÂ@Åc—±n¡<…ÏAר{A!4Ôã:NŇ„½€M	ONÜ)ñ)—0ÀôbB¼w	®o0ÑX!›Õñàkã)Êvðƒ7áƒÿƒ?(Ž$–É)¿ñ”¡öþ–nò7žø³ÍPhˆ0±á·ÿ‰ŸOÁÖ ?ý“Òþ÷¶pRë`úwXÒîd0“ÆRR]þþÏ÷÷`âÿµ¬O^endstream
 endobj
-1583 0 obj <<
+1584 0 obj <<
 /Type /Page
-/Contents 1584 0 R
-/Resources 1582 0 R
+/Contents 1585 0 R
+/Resources 1583 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
-/Annots [ 1586 0 R 1587 0 R ]
+/Parent 1580 0 R
+/Annots [ 1587 0 R 1588 0 R ]
 >> endobj
-1586 0 obj <<
+1587 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [328.5503 737.8938 402.2036 749.9535]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1587 0 obj <<
+1588 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [336.2616 708.0059 404.9336 720.0656]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1585 0 obj <<
-/D [1583 0 R /XYZ 56.6929 794.5015 null]
+1586 0 obj <<
+/D [1584 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 490 0 obj <<
-/D [1583 0 R /XYZ 56.6929 693.8168 null]
+/D [1584 0 R /XYZ 56.6929 693.8168 null]
 >> endobj
 1075 0 obj <<
-/D [1583 0 R /XYZ 56.6929 669.0349 null]
->> endobj
-1588 0 obj <<
-/D [1583 0 R /XYZ 56.6929 84.3175 null]
+/D [1584 0 R /XYZ 56.6929 669.0349 null]
 >> endobj
 1589 0 obj <<
-/D [1583 0 R /XYZ 56.6929 72.3624 null]
+/D [1584 0 R /XYZ 56.6929 84.3175 null]
 >> endobj
-1582 0 obj <<
+1590 0 obj <<
+/D [1584 0 R /XYZ 56.6929 72.3624 null]
+>> endobj
+1583 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1592 0 obj <<
+1593 0 obj <<
 /Length 2811      
 /Filter /FlateDecode
 >>
@@ -6873,22 +6892,22 @@ A-8
 Òj=…f¥ ŽKq1 «Eê´ë‹šT.Ò
 f‰É躲Ž§x‘ï+GEËâÔŽ_o„§Z’¤U•ÍÃÄT¼²á<ÖM’L³YVwGË!adB×éÓ2––e1Éã·8d^ÝÆ’}Á§;gwÀPŒÜÖPD£»Í&ßj¬ßÔ߆diÛeyY5Ÿ"mN0Ž:aû¾RSžî¶Ùƒ7gí«?a[ߧáÔpNuÓPCWõ¬p¿\²=wÔgð‹‚ŽÉÿæK¡¾endstream
 endobj
-1591 0 obj <<
+1592 0 obj <<
 /Type /Page
-/Contents 1592 0 R
-/Resources 1590 0 R
+/Contents 1593 0 R
+/Resources 1591 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
+/Parent 1580 0 R
 >> endobj
-1593 0 obj <<
-/D [1591 0 R /XYZ 85.0394 794.5015 null]
+1594 0 obj <<
+/D [1592 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1590 0 obj <<
+1591 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F53 1062 0 R /F21 738 0 R /F62 1100 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1596 0 obj <<
+1597 0 obj <<
 /Length 3030      
 /Filter /FlateDecode
 >>
@@ -6906,66 +6925,66 @@ J%
 ÿhê­·ÖôŽˆÉ#)Âë"¯z”ëÂLu"Lâàq…Œ­#ºÃlUD9ñÔZO#üqеÐ&ð™‡!’ŒMßàÈPV„ý¨¨!¶Q„Å5ë×ÈÎå;N$&2åÇE—àï"
 Â~øôñÒéìÝàbÔ÷Z÷U3s1îªiKÌøÜÏP6+ü¹â†þBÉÚᇗ‡áôúu{WBJÈO±ø¸Æ|ßO+Øè$Ö_úcÖízÁJ­ÜÙš´Ä¤çB¬µ~ñS[÷«WËå-ý«óR`endstream
 endobj
-1595 0 obj <<
+1596 0 obj <<
 /Type /Page
-/Contents 1596 0 R
-/Resources 1594 0 R
+/Contents 1597 0 R
+/Resources 1595 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
-/Annots [ 1600 0 R 1601 0 R ]
+/Parent 1580 0 R
+/Annots [ 1601 0 R 1602 0 R ]
 >> endobj
-1600 0 obj <<
+1601 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [312.8189 570.0778 386.4723 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1601 0 obj <<
+1602 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [406.3277 570.0778 479.981 582.1375]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1597 0 obj <<
-/D [1595 0 R /XYZ 56.6929 794.5015 null]
+1598 0 obj <<
+/D [1596 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 494 0 obj <<
-/D [1595 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1598 0 obj <<
-/D [1595 0 R /XYZ 56.6929 748.2826 null]
->> endobj
-498 0 obj <<
-/D [1595 0 R /XYZ 56.6929 748.2826 null]
->> endobj
-999 0 obj <<
-/D [1595 0 R /XYZ 56.6929 718.4268 null]
->> endobj
-502 0 obj <<
-/D [1595 0 R /XYZ 56.6929 661.7689 null]
+/D [1596 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 1599 0 obj <<
-/D [1595 0 R /XYZ 56.6929 639.4577 null]
+/D [1596 0 R /XYZ 56.6929 748.2826 null]
 >> endobj
-1602 0 obj <<
-/D [1595 0 R /XYZ 56.6929 553.1414 null]
+498 0 obj <<
+/D [1596 0 R /XYZ 56.6929 748.2826 null]
+>> endobj
+999 0 obj <<
+/D [1596 0 R /XYZ 56.6929 718.4268 null]
+>> endobj
+502 0 obj <<
+/D [1596 0 R /XYZ 56.6929 661.7689 null]
+>> endobj
+1600 0 obj <<
+/D [1596 0 R /XYZ 56.6929 639.4577 null]
 >> endobj
 1603 0 obj <<
-/D [1595 0 R /XYZ 56.6929 541.1862 null]
+/D [1596 0 R /XYZ 56.6929 553.1414 null]
 >> endobj
 1604 0 obj <<
-/D [1595 0 R /XYZ 56.6929 361.0617 null]
+/D [1596 0 R /XYZ 56.6929 541.1862 null]
 >> endobj
 1605 0 obj <<
-/D [1595 0 R /XYZ 56.6929 349.1065 null]
+/D [1596 0 R /XYZ 56.6929 361.0617 null]
 >> endobj
-1594 0 obj <<
+1606 0 obj <<
+/D [1596 0 R /XYZ 56.6929 349.1065 null]
+>> endobj
+1595 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1608 0 obj <<
+1609 0 obj <<
 /Length 2817      
 /Filter /FlateDecode
 >>
@@ -6976,21 +6995,21 @@ x
 ­2J
b£¼ˆ]!Ûí+“‚;ÆHJaP7ɉŠ†hº•Ü
Ÿ¶ÞøÆ1מçÝú•ÁV<öwlýµ®(ÞÂ6Œg°¡t¹£ÀeyMšîh|š¶ÜÑáá6FëHoù"²_DšÂI“âU8¹{/kBL%¶ß
(A!&~‰p¬ÒˆÍgJ‰˜0€ñ¡¶	ž°xgý_z5ÐVÇ;~5 aë2
Lá	PFç‡xÌØغIub½VuˆQÃ>|MeFMèh´ñau%&„×`nóÊÀÆcù‚wv­¥¾ãHδµ]1–qî)]œ «¶kîÌ­¡BåóI8}QΊñ#Ñ'K8%D˜åô¸`E!#x
Ùn¹ß÷yô˜|}u¼Ž¡ž“+‡ŸØ£º–PÞqDä-3¦óJSpÉxJ/pFþ1Éßðhõf«,®Êp˜ÙZå¾Ìqw
äj‡lò`Å894D¸´V»µ÷÷ŸF	QççånEµ$ðžGJL×Ðy1oôÃ	^=c˜¹}Ïê \O²Gª‡œ!06\ø%¼×«¦ô9#ÞºUì5
ªÆO_òÇ?UÄE”ï9€ÜäËÅò×Ü;ýMîKR¶ô2™c.ØI‹jtL
 ™>õœ÷:Ÿ<÷Ùúúé¾vp~÷;n^·ÌK&cé­¥O·Åa”gÆËU«ÖÔÿ$g0endstream
 endobj
-1607 0 obj <<
+1608 0 obj <<
 /Type /Page
-/Contents 1608 0 R
-/Resources 1606 0 R
+/Contents 1609 0 R
+/Resources 1607 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
+/Parent 1580 0 R
 >> endobj
-1609 0 obj <<
-/D [1607 0 R /XYZ 85.0394 794.5015 null]
+1610 0 obj <<
+/D [1608 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1606 0 obj <<
+1607 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1612 0 obj <<
+1613 0 obj <<
 /Length 3339      
 /Filter /FlateDecode
 >>
@@ -7014,39 +7033,39 @@ p1
 NA£noó?(‚âÀÿ™Lh¥²iýHŠÌh8J(t¨hx¨çïuœÔÆh£¿®62-tšéG¼Å |ÙÁýþb J
*HfÂHžTËhÇ¿®ZÒX¤‚q’4Š2íp~ØŽŸœ>þˆó“?zÊãk)R©G¼BC¥žÄôûæÁd7ö	t"Ó“:m÷i'ˆC-Ò0ŽÝÏaJ%jêÏÃÙ£ó{ÿ(rÿ‡¡1ì—erúµáw7•ä…
 3áƒ?ÙDE)=̉þ{lEendstream
 endobj
-1611 0 obj <<
+1612 0 obj <<
 /Type /Page
-/Contents 1612 0 R
-/Resources 1610 0 R
+/Contents 1613 0 R
+/Resources 1611 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1579 0 R
->> endobj
-1613 0 obj <<
-/D [1611 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1580 0 R
 >> endobj
 1614 0 obj <<
-/D [1611 0 R /XYZ 56.6929 660.0058 null]
+/D [1612 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1615 0 obj <<
-/D [1611 0 R /XYZ 56.6929 648.0507 null]
->> endobj
-506 0 obj <<
-/D [1611 0 R /XYZ 56.6929 345.1443 null]
+/D [1612 0 R /XYZ 56.6929 660.0058 null]
 >> endobj
 1616 0 obj <<
-/D [1611 0 R /XYZ 56.6929 320.442 null]
+/D [1612 0 R /XYZ 56.6929 648.0507 null]
+>> endobj
+506 0 obj <<
+/D [1612 0 R /XYZ 56.6929 345.1443 null]
 >> endobj
 1617 0 obj <<
-/D [1611 0 R /XYZ 56.6929 134.8978 null]
+/D [1612 0 R /XYZ 56.6929 320.442 null]
 >> endobj
 1618 0 obj <<
-/D [1611 0 R /XYZ 56.6929 122.9426 null]
+/D [1612 0 R /XYZ 56.6929 134.8978 null]
 >> endobj
-1610 0 obj <<
+1619 0 obj <<
+/D [1612 0 R /XYZ 56.6929 122.9426 null]
+>> endobj
+1611 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1621 0 obj <<
+1622 0 obj <<
 /Length 2988      
 /Filter /FlateDecode
 >>
@@ -7060,51 +7079,51 @@ p
 YÕü(yºˆ%›,±·ì€ÆV;8oÍÆçù¾+"1Ulô9zªérô8UGjslÈ9
’ÏY2:L¢”‹°ÐaòOý<úŒ1ÿé“€µ…ÈçôÑ©VI{„>zLQÌn+êæî	êŒð¾,u^RçtlIòÓ1Xk©¸ðXƒ +Öê/T¾Š¨ŽÓh„ýo,ABeÜ—häbIŽîit F@ë'ˆ¤i„þ¥ˆôü²â_á=@¡D"#ûµeEmœ°Æ¹§ËŠA=J¿)<Ðz”j­B°ã>X€¶O铼÷!¯­Jº(DªŠ0µ‚%V†¨•ÃŸÃ]S ‚MG›ê/ìŠ2—èDóŒW}¨‚רø†}æŒa뜷pø…y°HœRû±IÁåÆ*/87Ù{µ©ÃKV»[.sŸOû:è@X+ÐÍ8 •Ñm°¡SdÓBÙ(Й™e9²óK̬#…V§°’kB¥Õõ•VÕÖ÷y×QŠ»]_ÿòŒš*¿•¹yWlòEW/JJé`„h‡ Îq™ÈùØ?/WôA	Eèð9¼Ú9ÿjwGwYn9OÉ9¢ôP´Á®*ºvŒÙá»($êô.¢û¥Ãz“5½žÅTj:œŽê·%W|Q–ÒÒ`è-!MÌ©{uÕ¢ˆ&U©ŠÐ¼Óº¾§NY{8C9-i_Fu“­ÂØm=d@fîIˆuèu½+{˜©ÜxU´K~xõY…Qrx¥·à^$Þ(±ÀØîë]e±?
VÿwMxO•T×£·Ù½„ÿÕUN©ËüQ,¡ˆŸ#Ð÷XXmž÷z™Bj có•ï@“«Fá~†L˯qB´"~ô:.µ°) ÔG¬¹Ò
 3cgd‚)àGàwà5#°$oѼÌ|‘"³‘®&u4ÒÐRÍÅèÂU~—quÆ’¨±xž§ÌA±çP QÜœ%YÛS)rkûzt‡Zèf°n¶×'èVõ¬ìz1<Ž[oæ/?¼~÷öìâ2Ô"ì¨N‡¯aJ}K§Ý¨=Ô»§É°É>›C£©^ØØ9ä’cr
C
(dÓ³¦ŽÃ8G&B;§g#qø>	‹ 9ÖÚ%Þ|k—º© ÉÙÅçþÜiøÉÈ$‰ž–è>ŽŸ„{!ÕÓDZ1$$6Ñ=Ôèèÿ‹˜>¸endstream
 endobj
-1620 0 obj <<
+1621 0 obj <<
 /Type /Page
-/Contents 1621 0 R
-/Resources 1619 0 R
+/Contents 1622 0 R
+/Resources 1620 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1631 0 R
->> endobj
-1622 0 obj <<
-/D [1620 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1632 0 R
 >> endobj
 1623 0 obj <<
-/D [1620 0 R /XYZ 85.0394 660.0058 null]
+/D [1621 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1624 0 obj <<
-/D [1620 0 R /XYZ 85.0394 648.0507 null]
->> endobj
-510 0 obj <<
-/D [1620 0 R /XYZ 85.0394 560.3373 null]
+/D [1621 0 R /XYZ 85.0394 660.0058 null]
 >> endobj
 1625 0 obj <<
-/D [1620 0 R /XYZ 85.0394 535.9977 null]
+/D [1621 0 R /XYZ 85.0394 648.0507 null]
+>> endobj
+510 0 obj <<
+/D [1621 0 R /XYZ 85.0394 560.3373 null]
 >> endobj
 1626 0 obj <<
-/D [1620 0 R /XYZ 85.0394 336.1431 null]
+/D [1621 0 R /XYZ 85.0394 535.9977 null]
 >> endobj
 1627 0 obj <<
-/D [1620 0 R /XYZ 85.0394 324.188 null]
->> endobj
-514 0 obj <<
-/D [1620 0 R /XYZ 85.0394 188.6539 null]
+/D [1621 0 R /XYZ 85.0394 336.1431 null]
 >> endobj
 1628 0 obj <<
-/D [1620 0 R /XYZ 85.0394 161.3494 null]
+/D [1621 0 R /XYZ 85.0394 324.188 null]
+>> endobj
+514 0 obj <<
+/D [1621 0 R /XYZ 85.0394 188.6539 null]
 >> endobj
 1629 0 obj <<
-/D [1620 0 R /XYZ 85.0394 119.8769 null]
+/D [1621 0 R /XYZ 85.0394 161.3494 null]
 >> endobj
 1630 0 obj <<
-/D [1620 0 R /XYZ 85.0394 107.9217 null]
+/D [1621 0 R /XYZ 85.0394 119.8769 null]
 >> endobj
-1619 0 obj <<
+1631 0 obj <<
+/D [1621 0 R /XYZ 85.0394 107.9217 null]
+>> endobj
+1620 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1634 0 obj <<
+1635 0 obj <<
 /Length 2794      
 /Filter /FlateDecode
 >>
@@ -7130,52 +7149,52 @@ aE
 ¾ûðœŽ2ȽwBí¤Ñ.‰u/'ÈnèK¿¡$Q±¥÷ô©’#ÜA¬¦d;¸›DÉoÊ:†˜†îÑ&±Ì}s’
 ç=9BÈ0¤žMj”"3ý\0(©Ìà¹Ó)Dû¢)DStÃIHzP2&.ÏpÀF>‹æ1Ç–N¤£wx_úν‡÷ÊË1dxÿ§˜!ÆêŠËp‡©k$êyD3È?ôè|{Øv@¯XO×4×€¹3ܸŸGröØ?)€Lˆÿ`âðÙ³/J_ûÏ
Ž-(MùñÍÿH§Â¦ðÌV>ع«FÐF?Üú‹"Úendstream
 endobj
-1633 0 obj <<
+1634 0 obj <<
 /Type /Page
-/Contents 1634 0 R
-/Resources 1632 0 R
+/Contents 1635 0 R
+/Resources 1633 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1631 0 R
->> endobj
-1635 0 obj <<
-/D [1633 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-518 0 obj <<
-/D [1633 0 R /XYZ 56.6929 647.5054 null]
+/Parent 1632 0 R
 >> endobj
 1636 0 obj <<
-/D [1633 0 R /XYZ 56.6929 617.516 null]
+/D [1634 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+518 0 obj <<
+/D [1634 0 R /XYZ 56.6929 647.5054 null]
 >> endobj
 1637 0 obj <<
-/D [1633 0 R /XYZ 56.6929 528.2228 null]
+/D [1634 0 R /XYZ 56.6929 617.516 null]
 >> endobj
 1638 0 obj <<
-/D [1633 0 R /XYZ 56.6929 516.2676 null]
->> endobj
-522 0 obj <<
-/D [1633 0 R /XYZ 56.6929 321.585 null]
+/D [1634 0 R /XYZ 56.6929 528.2228 null]
 >> endobj
 1639 0 obj <<
-/D [1633 0 R /XYZ 56.6929 297.1352 null]
+/D [1634 0 R /XYZ 56.6929 516.2676 null]
 >> endobj
-526 0 obj <<
-/D [1633 0 R /XYZ 56.6929 227.8928 null]
+522 0 obj <<
+/D [1634 0 R /XYZ 56.6929 321.585 null]
 >> endobj
 1640 0 obj <<
-/D [1633 0 R /XYZ 56.6929 200.1731 null]
+/D [1634 0 R /XYZ 56.6929 297.1352 null]
 >> endobj
-530 0 obj <<
-/D [1633 0 R /XYZ 56.6929 151.1547 null]
+526 0 obj <<
+/D [1634 0 R /XYZ 56.6929 227.8928 null]
 >> endobj
 1641 0 obj <<
-/D [1633 0 R /XYZ 56.6929 126.2246 null]
+/D [1634 0 R /XYZ 56.6929 200.1731 null]
 >> endobj
-1632 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F62 1100 0 R /F63 1103 0 R /F11 1449 0 R /F53 1062 0 R >>
+530 0 obj <<
+/D [1634 0 R /XYZ 56.6929 151.1547 null]
+>> endobj
+1642 0 obj <<
+/D [1634 0 R /XYZ 56.6929 126.2246 null]
+>> endobj
+1633 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F62 1100 0 R /F63 1103 0 R /F11 1336 0 R /F53 1062 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1644 0 obj <<
+1645 0 obj <<
 /Length 2012      
 /Filter /FlateDecode
 >>
@@ -7189,40 +7208,40 @@ gjw(
 ˜þsxq1%Ãé;kÌaà6 ݯ\-·m¾ÈÁ]º	N|‡Osþgþ%ŒÅŸp˜Üâˆcg‡×±±‚‚g'/ng„vgئF¯}ók®µè2A‡Vì›Z½‚ÿ
 #ôö-F
Ó Ý¿)
SB¾zë†Òf_•;ž“é¡h÷ãu£çMˆHSÞ¼E7´l¥€†ÀeEÏÄsɯܧ¢ÿ"ŸÖ)endstream
 endobj
-1643 0 obj <<
+1644 0 obj <<
 /Type /Page
-/Contents 1644 0 R
-/Resources 1642 0 R
+/Contents 1645 0 R
+/Resources 1643 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1631 0 R
->> endobj
-1645 0 obj <<
-/D [1643 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-534 0 obj <<
-/D [1643 0 R /XYZ 85.0394 645.1438 null]
+/Parent 1632 0 R
 >> endobj
 1646 0 obj <<
-/D [1643 0 R /XYZ 85.0394 617.8288 null]
+/D [1644 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-538 0 obj <<
-/D [1643 0 R /XYZ 85.0394 390.8337 null]
+534 0 obj <<
+/D [1644 0 R /XYZ 85.0394 645.1438 null]
 >> endobj
 1647 0 obj <<
-/D [1643 0 R /XYZ 85.0394 367.3195 null]
+/D [1644 0 R /XYZ 85.0394 617.8288 null]
 >> endobj
-542 0 obj <<
-/D [1643 0 R /XYZ 85.0394 281.8762 null]
+538 0 obj <<
+/D [1644 0 R /XYZ 85.0394 390.8337 null]
 >> endobj
 1648 0 obj <<
-/D [1643 0 R /XYZ 85.0394 253.4771 null]
+/D [1644 0 R /XYZ 85.0394 367.3195 null]
 >> endobj
-1642 0 obj <<
+542 0 obj <<
+/D [1644 0 R /XYZ 85.0394 281.8762 null]
+>> endobj
+1649 0 obj <<
+/D [1644 0 R /XYZ 85.0394 253.4771 null]
+>> endobj
+1643 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R /F62 1100 0 R /F63 1103 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1651 0 obj <<
+1652 0 obj <<
 /Length 2813      
 /Filter /FlateDecode
 >>
@@ -7240,27 +7259,27 @@ x
 l@šD§§1ø{…©ZE±p_Bt8º°Dv)
 ~B7uù,T“{‹òÂEàaI/<:Lxü‹þ£Õ•Á³nÜÿÏ‘ˆù{A¶w­zu#9–XܪÏø‰Ð!õÒµMA&k]N”r¶*Ìw%pepä'ÅG^{\ß1Ò@J]{^ŽÀÕÙî	˜éÎñòÍôýûAòÐsÿÈxhþFøÿ}Ñ·Ÿûoã?–"[×ãaKé,Ê1e¤¤¢'œû¿õ> endobj
-1652 0 obj <<
-/D [1650 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1632 0 R
 >> endobj
 1653 0 obj <<
-/D [1650 0 R /XYZ 56.6929 520.5289 null]
+/D [1651 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1654 0 obj <<
-/D [1650 0 R /XYZ 56.6929 508.5737 null]
+/D [1651 0 R /XYZ 56.6929 520.5289 null]
 >> endobj
-1649 0 obj <<
+1655 0 obj <<
+/D [1651 0 R /XYZ 56.6929 508.5737 null]
+>> endobj
+1650 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1657 0 obj <<
+1658 0 obj <<
 /Length 3177      
 /Filter /FlateDecode
 >>
@@ -7277,39 +7296,39 @@ iÕ¦#%
 ¹ÑÖ¸yóÒ	wsÏgSÝ÷j­a·¢_Á³ÈdI{â;¿.~.„»}œ+Ú8-·‡pOî.„•V+{犕]E€­ÝèÄ€X<°WQ	§ÃÂÄ[ǘ:+&>èmãoFçSø7üTF:ÕâFäk¼|ž‚ž•à¯?•ÆèD›Îû¼ëÎ!îsâ¢ÛÉ׉½GþiÁò»‚SœÅû8;ÓgÏ
ÁòÖ”Û¿@cž·
yopÈŸÀªlx0fZÓž(Öáœ
³Ð8o3«Ð«ÂkiÞÀ6æ‹Ù‹Gå_® a>ÍÊÜŸ¾!_3…WÉÿ «Ú”Žå#"´K4¬ÔŸË¦t©»…/ŽS:UGO6.—ŽZçp*ƒö»-s»iNœ"¥;ýAŽÕ;‘öf²>VõsåÊ×ÄšJ[=O†tå•/
¾¥ËsÁÆþ›—xã#æÞ¾@!ÔÍïîî¯DÍECCùŠÍÎù¬àûÝìp°W-å+'¢øö…'1-gõì£q§Û×?Þ~öjÜíé\åié½OrÒóãÕ8ë”*KÂjáùäOJûrdèDô	ßEœ@âÙÆþm Qà;§„'ÒGOø:ïÞ=J¦£Tdx-Ž·‚‚éáùòÏ9Kq¾2º=Ç—Bò©u[HÛslÆý®8a×t÷Æ„¹KaøÎê²ô×ÀÌߦaËKë›\û6üáœ4þ!s—ì¶j§Ûeîú	¹ù¶]Ö|è8à=_xʃúI”h€bLšS·Žpií_þÐU޶ᾔnŽÓ®UÄÑþ±ÐÎµêß×Q¼åãóƸ.¥ö6„¹ùþu ÚÅW@E»$&¨¨8x:ä'ëØm¦]ÓÝÛ
 ®’Hòìà=Ûµk»©ýÌ,·!z÷^-º­]÷c½*ÚðÊdá%…æf‘oËv`á±óšÂ2£´y|»Rwt‰Ã‡¡zx®)ïf‰ê^ßJwU‹EíU­ì\Õî3ý»Þ-2ÆøJŒo+—S4¾}×µ¯².sâq÷ˆGÒ¥±{¡6ôl0¤È›;úIõþ‘9N}šŠ¼¼÷.N(œ…,>vÅîíõ±èïÛngendstream
 endobj
-1656 0 obj <<
+1657 0 obj <<
 /Type /Page
-/Contents 1657 0 R
-/Resources 1655 0 R
+/Contents 1658 0 R
+/Resources 1656 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1631 0 R
->> endobj
-1658 0 obj <<
-/D [1656 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-546 0 obj <<
-/D [1656 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1442 0 obj <<
-/D [1656 0 R /XYZ 85.0394 752.4085 null]
->> endobj
-550 0 obj <<
-/D [1656 0 R /XYZ 85.0394 542.1781 null]
+/Parent 1632 0 R
 >> endobj
 1659 0 obj <<
-/D [1656 0 R /XYZ 85.0394 510.0725 null]
+/D [1657 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+546 0 obj <<
+/D [1657 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1446 0 obj <<
+/D [1657 0 R /XYZ 85.0394 752.4085 null]
+>> endobj
+550 0 obj <<
+/D [1657 0 R /XYZ 85.0394 542.1781 null]
 >> endobj
 1660 0 obj <<
-/D [1656 0 R /XYZ 85.0394 447.7453 null]
+/D [1657 0 R /XYZ 85.0394 510.0725 null]
 >> endobj
 1661 0 obj <<
-/D [1656 0 R /XYZ 85.0394 435.7902 null]
+/D [1657 0 R /XYZ 85.0394 447.7453 null]
 >> endobj
-1655 0 obj <<
+1662 0 obj <<
+/D [1657 0 R /XYZ 85.0394 435.7902 null]
+>> endobj
+1656 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1664 0 obj <<
+1665 0 obj <<
 /Length 2603      
 /Filter /FlateDecode
 >>
@@ -7325,53 +7344,53 @@ Y
 aBÆ…®+ŠI{		¸RUkPŸhËÕ#4Šá>ÝEZ‚‚ê…_¯—LAy6üúëù°ÍÿyýÇÎe’—×õg§H¢Û×GÌ¡fhv`9®©„øº˜&UJ¹ª¥xAÒ
ï‡û<™g_õ:/Ä·åúç®
 Y¤ÃŽŠB(hD¢®(ðC!~p*PÁÕ»¼<„h‡°Lójt-§Ž:)™æ¶kßK
æ´hP¹;Ùr•ãß¡HÌQßbÊÅA=¢•ƒ?‚iËÛ#Þï‚3…]5™7â”ÿpîý„ÐfËÍãMP3zû±ä’É8Š7ùyà]á	,7wƒý¶œ;^cÍLW2Z°¯¸nP9ôþú~/°ûqܸøRq=¡ÄŸC2%Ä®Šñ^'ćþ.só÷Ð@ÍËÝ¿8“Š”XÉžŠXè?ðZýŒúœ^«åúÿº€Oèendstream
 endobj
-1663 0 obj <<
+1664 0 obj <<
 /Type /Page
-/Contents 1664 0 R
-/Resources 1662 0 R
+/Contents 1665 0 R
+/Resources 1663 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1631 0 R
-/Annots [ 1666 0 R ]
+/Parent 1632 0 R
+/Annots [ 1667 0 R ]
 >> endobj
-1666 0 obj <<
+1667 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 732.5838 116.8967 743.9759]
 /Subtype /Link
 /A << /S /GoTo /D (statschannels) >>
 >> endobj
-1665 0 obj <<
-/D [1663 0 R /XYZ 56.6929 794.5015 null]
+1666 0 obj <<
+/D [1664 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 554 0 obj <<
-/D [1663 0 R /XYZ 56.6929 718.3947 null]
+/D [1664 0 R /XYZ 56.6929 718.3947 null]
 >> endobj
 1329 0 obj <<
-/D [1663 0 R /XYZ 56.6929 695.4159 null]
+/D [1664 0 R /XYZ 56.6929 695.4159 null]
 >> endobj
 558 0 obj <<
-/D [1663 0 R /XYZ 56.6929 492.5344 null]
->> endobj
-1667 0 obj <<
-/D [1663 0 R /XYZ 56.6929 467.9557 null]
->> endobj
-562 0 obj <<
-/D [1663 0 R /XYZ 56.6929 360.5123 null]
+/D [1664 0 R /XYZ 56.6929 492.5344 null]
 >> endobj
 1668 0 obj <<
-/D [1663 0 R /XYZ 56.6929 338.2011 null]
+/D [1664 0 R /XYZ 56.6929 467.9557 null]
+>> endobj
+562 0 obj <<
+/D [1664 0 R /XYZ 56.6929 360.5123 null]
 >> endobj
 1669 0 obj <<
-/D [1663 0 R /XYZ 56.6929 338.2011 null]
+/D [1664 0 R /XYZ 56.6929 338.2011 null]
 >> endobj
 1670 0 obj <<
-/D [1663 0 R /XYZ 56.6929 326.2459 null]
+/D [1664 0 R /XYZ 56.6929 338.2011 null]
 >> endobj
-1662 0 obj <<
+1671 0 obj <<
+/D [1664 0 R /XYZ 56.6929 326.2459 null]
+>> endobj
+1663 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1673 0 obj <<
+1674 0 obj <<
 /Length 2927      
 /Filter /FlateDecode
 >>
@@ -7389,41 +7408,41 @@ $8G
 V)Î$÷;V¿æ<øóPXÃ%]ÿuèW-ŠdP"m¨€s»Øˆ<©lU âDšÚÙÄþ6HˆqDüå+ü¸ò¯ì¯h!?ŒqöŸ.Îúò¶˜çóq¸±?¹j p
\}“
¦¦@œÃ¢F>붌k¸§b/ðU$QºK
	…ˆ–“•*A@”Ø@âcK*&‡ñÍÓ쮂¤”‹fg¾ÞÕ†o[kE#à’ é!¯#ÜBÄ°ÖߘÁô.q[aA8¸*Ó—÷O×Ëö÷ØÑ<& —`Røù_[Úì8š”¦˜·h7|Ž.ùÆÑ3„Âæ‡ÀÃ`ˆâàÉç€'¿¼„¬7:®„<ž!`Ì)M°»œ¿JîÂ׎¢|è		:âÞ0„
 MŠù•A$ä¾ç!˜Ðv\É1”BuÁ ("‚˜ÂþrÙ‚sÜýçá(új7Š	}¯ŒŠ0FŠJWöAÄþIÏ×<8(¤Ïý—šÕ?q–\ÓþÏ"]à‘†ÝËâfÔv”¨‘д›•þhjk(endstream
 endobj
-1672 0 obj <<
+1673 0 obj <<
 /Type /Page
-/Contents 1673 0 R
-/Resources 1671 0 R
+/Contents 1674 0 R
+/Resources 1672 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1679 0 R
-/Annots [ 1675 0 R ]
+/Parent 1680 0 R
+/Annots [ 1676 0 R ]
 >> endobj
-1675 0 obj <<
+1676 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [333.4761 409.1267 413.3061 421.1864]
 /Subtype /Link
 /A << /S /GoTo /D (clients-per-query) >>
 >> endobj
-1674 0 obj <<
-/D [1672 0 R /XYZ 85.0394 794.5015 null]
+1675 0 obj <<
+/D [1673 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 566 0 obj <<
-/D [1672 0 R /XYZ 85.0394 172.7706 null]
->> endobj
-1676 0 obj <<
-/D [1672 0 R /XYZ 85.0394 147.65 null]
+/D [1673 0 R /XYZ 85.0394 172.7706 null]
 >> endobj
 1677 0 obj <<
-/D [1672 0 R /XYZ 85.0394 147.65 null]
+/D [1673 0 R /XYZ 85.0394 147.65 null]
 >> endobj
 1678 0 obj <<
-/D [1672 0 R /XYZ 85.0394 135.6948 null]
+/D [1673 0 R /XYZ 85.0394 147.65 null]
 >> endobj
-1671 0 obj <<
+1679 0 obj <<
+/D [1673 0 R /XYZ 85.0394 135.6948 null]
+>> endobj
+1672 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1683 0 obj <<
+1684 0 obj <<
 /Length 3078      
 /Filter /FlateDecode
 >>
@@ -7449,33 +7468,33 @@ Z<7
 *£[ŒL›¨	‚¦Ò¬GÓ"þ‚f¦ýÉ&~“×$K«P
oÕg}vÛææ$̦6z·%˜wÊÃr÷~K¬9öC–-–ˆ»D[‘¡„´ÕÏ©FÜKF¥+å)Á[ÑÔ_À†i\,ª#c­03c릜då)“°"*žóåt‚ÏÒóƒ6¿À_ª<ˆ“Š .Zñ•„71§
_‰"T,
 ¼š1'À·âØY¶áÒòfä2Žü»mCE½J'!@Wpƒ)îl $³$Î*çŠ.|x›såÊ®œ+xïê@ކׂMí\±}ݹâË•sÅ×”ÅSßŸøc‚í¹Ø¼V±5åncÓ)äû Ê»çbű²Üž¨Rz²šhWDù!`×Ö´î> endobj
-1684 0 obj <<
-/D [1682 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-570 0 obj <<
-/D [1682 0 R /XYZ 56.6929 627.067 null]
+/Parent 1680 0 R
 >> endobj
 1685 0 obj <<
-/D [1682 0 R /XYZ 56.6929 601.9463 null]
+/D [1683 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+570 0 obj <<
+/D [1683 0 R /XYZ 56.6929 627.067 null]
 >> endobj
 1686 0 obj <<
-/D [1682 0 R /XYZ 56.6929 601.9463 null]
+/D [1683 0 R /XYZ 56.6929 601.9463 null]
 >> endobj
 1687 0 obj <<
-/D [1682 0 R /XYZ 56.6929 589.9912 null]
+/D [1683 0 R /XYZ 56.6929 601.9463 null]
 >> endobj
-1681 0 obj <<
+1688 0 obj <<
+/D [1683 0 R /XYZ 56.6929 589.9912 null]
+>> endobj
+1682 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1690 0 obj <<
+1691 0 obj <<
 /Length 2375      
 /Filter /FlateDecode
 >>
@@ -7486,59 +7505,59 @@ x
 1Iš<Þµ:k7¦Ð»ššþXÇÛWˆ¬œs$„9PE¶doÐë"|)@)öµuªæNú<Öò¢|,üËN©á1pãóéjR„V±æÞTŸÿ«àö~ÍØ¿ñ÷ßÊßñ7¿Ô6¼zͼ²‘»t×哶Ho¿…«øp±>þz’Û8Uß|€ý$ûºç&1ý±B躀úÿ¸Â'Ò ¦*ªVíJîVE—a‰45Êÿ€\Óý]¦Á;%3IAW„‚î°z˜ƒÍoËi¹Öy*—a³“iMÀĬ!·BLËO4„ÆÝU¬l®‰%“íºð¯UmÃ3¥­b0£$©Ù·Ëû,Ð=±¼c©Ö¥$÷²œuMÛ˜)Åþ˜ÉÀ””®×cÙe-QÓº
 S]ÍçÕÂùÇN¡Ç9£/j‚Р€ú¾zš5‚bRql£œÝVñ¦ÔêĆ
{·ús‘VĶÊc±lv[­Bu­A‹xi°.ãá`W;«aø|^d‹­J[½1¡ÍÏ$0„lMz#¢Áß‚¢AJµÇ	"•ÐçO“ëw7öÿVUOÀ¸Ø+¼¡êÞª¢J˜%Uº-~ì5À¸L
­5´¸·àЛ"š·Ež­êÎظËny^@”ÀxNª"L!HýlRÍÃ\m4¼tTû‘² ½ðèUwÕÂgI¨àÀ(°icó)[¸ëÂŽIJ gq[Îê®ÕBšn$yQÒ`ZNvbŽ*û9…dû1—RíÆ\Cå0÷áßçÛh#÷%æûÅ6Tr[hƒ Ê`KhùÀíD2vfîøV6å”­‚øúüg[ŸWÅ¢ŒÑ¡ö'ÁÝÊ´Ù.×8¥Ú£ÌHå”9ú¼¥J8Wq{´Û+´¡êÚþüT®•i‹=®*¯ÃõÎ3uiË4‹ºL¨öè2R9]^Ηõ60JÂföûÄ6Tr[Ú´µ·Ðf³‰$ñÏÕvÇ?È¢@ê%!ÁÄ«Ø›·öÄd#…¬µJ¿/Ù²µÍƒu2Ÿfùv>ÛìM1ÆH—Šqïàåøs¿\=i‹Zï"Mrgå´d6çÞ|UØ1ùÿ¦NÆ]endstream
 endobj
-1689 0 obj <<
+1690 0 obj <<
 /Type /Page
-/Contents 1690 0 R
-/Resources 1688 0 R
+/Contents 1691 0 R
+/Resources 1689 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1679 0 R
->> endobj
-1691 0 obj <<
-/D [1689 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-574 0 obj <<
-/D [1689 0 R /XYZ 85.0394 769.5949 null]
+/Parent 1680 0 R
 >> endobj
 1692 0 obj <<
-/D [1689 0 R /XYZ 85.0394 752.4444 null]
+/D [1690 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+574 0 obj <<
+/D [1690 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1693 0 obj <<
-/D [1689 0 R /XYZ 85.0394 696.016 null]
+/D [1690 0 R /XYZ 85.0394 752.4444 null]
 >> endobj
 1694 0 obj <<
-/D [1689 0 R /XYZ 85.0394 684.0608 null]
+/D [1690 0 R /XYZ 85.0394 696.016 null]
+>> endobj
+1695 0 obj <<
+/D [1690 0 R /XYZ 85.0394 684.0608 null]
 >> endobj
 578 0 obj <<
-/D [1689 0 R /XYZ 85.0394 401.8966 null]
+/D [1690 0 R /XYZ 85.0394 401.8966 null]
 >> endobj
-1698 0 obj <<
-/D [1689 0 R /XYZ 85.0394 374.3052 null]
+1699 0 obj <<
+/D [1690 0 R /XYZ 85.0394 374.3052 null]
 >> endobj
-1688 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1449 0 R /F39 927 0 R /F67 1697 0 R >>
+1689 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F11 1336 0 R /F39 927 0 R /F67 1698 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1701 0 obj <<
+1702 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1700 0 obj <<
+1701 0 obj <<
 /Type /Page
-/Contents 1701 0 R
-/Resources 1699 0 R
+/Contents 1702 0 R
+/Resources 1700 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1679 0 R
+/Parent 1680 0 R
 >> endobj
-1702 0 obj <<
-/D [1700 0 R /XYZ 56.6929 794.5015 null]
+1703 0 obj <<
+/D [1701 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1699 0 obj <<
+1700 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1705 0 obj <<
+1706 0 obj <<
 /Length 1238      
 /Filter /FlateDecode
 >>
@@ -7548,33 +7567,33 @@ xÚ•WK
 ôU³5œ‰éJÓ)HY+mk­p-ʼnÔgJyc'J–…‰#[ZÎÔ|J—¯¥“¶cuø€:vP½ì@:¬#I¸|­t©í`êA›a¶Oºc;;\CëÀÚ-¥@€‹T9l%R®ûT\ÃõhhÈžŒÚBú#!—U«ÀT…ùQª¸á3µUjíDÖRÌÕ#Yž2ljf–€Ä™ …iîÆOLÅd<‚5~v™"'89DÜ	ËÍ4ÝUÚ–0ž‡ç–~ÞcÑ™ÞdIĦù1i„«ÚŠNW>XY»$¶î/²ÑxзJÙÒsÙ´>±–M%êiÚÀ¦ª>ï1}¯>áu`Eµ6ët‹­¨š^Ÿ–ÎqHf²ý³ôã˜+åÜ_Å®­åÔ¦R½"a[jtQµ²«Ýå*ÚÖ“Ý°("vr'šàæ©5cµ2ù¢pGk$ `K`50H@‹­‘¼}VÛ¡o¤îoñ¯: ^«ºFê¹VÅË\—y•¿x`9ËpÓ·¢šš^íÜQ'm4×G¼oœ¾²‚«ȪŸ»½¶BívªàX/{V5T©-Xk&˜ÌÙ/
 ï¡nÿ±ÌQjæ6M§"”Øß*»GVv²ç§Ïs81ÿîç¼âfÆ£HèEÎt¤Ü´=bü~ÎÐÂ’Y’{w{ÌÙÿ}”ç!É
¯¬ÂÜ>à¦AqU ÛzL½.«Þב.ý™¼TE.0im¡»gÙæŽMsç­ð©³ËWb6èÓæ¾ÏRµø.{Tþñ„Y£ÎŽùÙ»Õ±•Þô‹&¾ý\pѨÃ+Ë1âØ	mòÁIpØlá+û7Õ8U·n&ÓÉ·Bhzß:¹èÍ?kЦò~ÜîVÇð÷×äC4û©Û—ü»ùñiü0óŸ[ð‚e>Þæ>Ý> endobj
-1706 0 obj <<
-/D [1704 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-582 0 obj <<
-/D [1704 0 R /XYZ 85.0394 769.5949 null]
+/Parent 1680 0 R
 >> endobj
 1707 0 obj <<
-/D [1704 0 R /XYZ 85.0394 574.0823 null]
+/D [1705 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-586 0 obj <<
-/D [1704 0 R /XYZ 85.0394 574.0823 null]
+582 0 obj <<
+/D [1705 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1708 0 obj <<
-/D [1704 0 R /XYZ 85.0394 543.8373 null]
+/D [1705 0 R /XYZ 85.0394 574.0823 null]
 >> endobj
-1703 0 obj <<
+586 0 obj <<
+/D [1705 0 R /XYZ 85.0394 574.0823 null]
+>> endobj
+1709 0 obj <<
+/D [1705 0 R /XYZ 85.0394 543.8373 null]
+>> endobj
+1704 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R /F39 927 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1711 0 obj <<
+1712 0 obj <<
 /Length 3284      
 /Filter /FlateDecode
 >>
@@ -7593,53 +7612,53 @@ j(!R
 IØ°£	ìÚ×3$˜üD`ÁgŒ¬½¥_°Uȃ{ÿ(âÌðŒ¹¾ítLø­m¬ï’J	ÏÚqBmé„mÜçL{ˆ;J©ÓÛŠ¥„†Æ_Èò²©rrè÷LMÞv<©M—sϽMOÀ/Zz¶5(Ô°eåÖ[ÐÐ¥=â†H±U‰Y>ס&Uê(²pz4Õ¿fûèe ã?Þlý5Ï»SìGr|
6)|»~€pâ§8½=€!‚•»}–v¹+}sÕñOŠß¤ìŠÁÝÞÕ“{0éeN¿½cýöÞ,Ý0èÚµmÝ—™»£Oá¼á¨Kîa‘xV+pT›o£t ËøÁ‘,oí”#ËÓÛ¹ª<Ìq°gKÖÅ9ö²šŸ·”IµÛˆîÓ–2 EØžh—F)ïæg¤YFü´å(áR®§ö¶5¥LîbðdKL)ÇÝhç.Ù»x’e1tÕT§{a處RÄBë¨j CÈJ—§Ùþ’â÷W’ÛJkh^¼ˆ}'ŽkÙ›Õõl~jÌ€bpùØpú‡d\…\,Gñ.ï¶uÆÓ`$hœÃu&¸9¤ñùqŽ¶w[S÷bz8âñF®"ÈZ&Ù:ë1ƒÑbûî-înˆå“Ígâf˜Vž¶…MbBº>€±­ÁzWe[óŽ×Ý0ÕÔ©x˜L>¦SœN:çaìþR
Ö)¼x2*Q¾”-|ådVC÷™¼†±E$[-¡š,4¦;kåø‚~Ú2}â®Ã­V«˜ô`5
 ì-oðJº%4Ÿ)µãl¤u€| ÕØ{6%ŽSÚ¥‹5s†¿¡‚6ÁŒÁi±¬Íé'ˆÓ®Ã³Íèå=KÛ!›‡jdš©™sYØU_R{àwj¸ZÑã5Ò+ºh™QÅ«áïm¡ ÄKÅÏ&ÃEÂKäuâÛTpêϧýLžsôÈ;ÓýèžÊ2ÜÎ]›öü@†ÎüAŽ‚å1sõ\ð/ÿ1É1BjÌÿ;{!¹€›n¡äÙÔÝŸœÏýÿN’'«endstream
 endobj
-1710 0 obj <<
+1711 0 obj <<
 /Type /Page
-/Contents 1711 0 R
-/Resources 1709 0 R
+/Contents 1712 0 R
+/Resources 1710 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1679 0 R
-/Annots [ 1716 0 R ]
+/Parent 1680 0 R
+/Annots [ 1717 0 R ]
 >> endobj
-1716 0 obj <<
+1717 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 707.8911 452.088 718.0529]
 /Subtype/Link/A<>
 >> endobj
-1712 0 obj <<
-/D [1710 0 R /XYZ 56.6929 794.5015 null]
+1713 0 obj <<
+/D [1711 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 590 0 obj <<
-/D [1710 0 R /XYZ 56.6929 690.9391 null]
->> endobj
-1717 0 obj <<
-/D [1710 0 R /XYZ 56.6929 656.5891 null]
->> endobj
-594 0 obj <<
-/D [1710 0 R /XYZ 56.6929 517.028 null]
+/D [1711 0 R /XYZ 56.6929 690.9391 null]
 >> endobj
 1718 0 obj <<
-/D [1710 0 R /XYZ 56.6929 489.6469 null]
+/D [1711 0 R /XYZ 56.6929 656.5891 null]
 >> endobj
-598 0 obj <<
-/D [1710 0 R /XYZ 56.6929 373.2709 null]
+594 0 obj <<
+/D [1711 0 R /XYZ 56.6929 517.028 null]
 >> endobj
 1719 0 obj <<
-/D [1710 0 R /XYZ 56.6929 344.9674 null]
+/D [1711 0 R /XYZ 56.6929 489.6469 null]
+>> endobj
+598 0 obj <<
+/D [1711 0 R /XYZ 56.6929 373.2709 null]
+>> endobj
+1720 0 obj <<
+/D [1711 0 R /XYZ 56.6929 344.9674 null]
 >> endobj
 602 0 obj <<
-/D [1710 0 R /XYZ 56.6929 184.6919 null]
+/D [1711 0 R /XYZ 56.6929 184.6919 null]
 >> endobj
-1381 0 obj <<
-/D [1710 0 R /XYZ 56.6929 151.8489 null]
+1385 0 obj <<
+/D [1711 0 R /XYZ 56.6929 151.8489 null]
 >> endobj
-1709 0 obj <<
-/Font << /F37 827 0 R /F71 1715 0 R /F23 762 0 R /F39 927 0 R /F11 1449 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F48 985 0 R /F62 1100 0 R /F63 1103 0 R >>
+1710 0 obj <<
+/Font << /F37 827 0 R /F71 1716 0 R /F23 762 0 R /F39 927 0 R /F11 1336 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F48 985 0 R /F62 1100 0 R /F63 1103 0 R >>
 /XObject << /Im2 1089 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1722 0 obj <<
+1723 0 obj <<
 /Length 847       
 /Filter /FlateDecode
 >>
@@ -7648,41 +7667,41 @@ xÚ¥UM
 ?—‚P.óx)s"(qÝG4ÞÃÞûˆLz¥×¨·UôË;¾Œ%‘EVÄÕ·+_%¡eÉâªùœÜÿz÷X­Ÿi&h²$‹T4y»yX¡Eâ²]ß|ÚTŸP»ÿýa»Y­ŸîË<©6 -Ò¼¤%œçÁÃêÓÃÝo›{Ä|\!týÊÛ×êC´®ž¹.–Qî«ø3úü•Æ
Ôü!¢„ËRÄ'P(aRfqå‚‘s~±tÑ6úãÙáÕî|ôy‚—D”Ùò{¿Åž¤à°åÙ{g¦EÊi‘¸ƒ¶Ú‹ËdZ°2ÑÊšÁ¾KF““FuóžöÝù[›¾×Csñ¤JDZQN[TvÁ{=Ggö“m­:tT$êLNG»£×j°žj¨7eŒH!²9yó
ÚQd‰› jךÁXbÛý Ü“³úB­¶›÷°2‚°jÎÔo¶¾Ò¬È=
>PÇ®¨c² y2ãBÖæ”bu}Mt‘ÉdÀf¼ä•%ö`Ž]ƒÁ»Ö†àfð$Ì	A~hû®Ï(–¨EÊ’iŠd0n&¦Q^dù?‰Ù<✪¦	Ø™0ù~ûuÐîd¦ï¨ŒˆúBiöS[`‡3šÜuNO@cûCC~Œ±ä
¢=GÁÇéYY.	-8õ#Méhº¶>ßbK±äÅk¶À}­‚°ñŽV7ëæ,‡!.`èÙ’HÓïOoM?CaR[‡I}0Ƴ3~@¯Ñ½D¡9ªÇ‰­mpcå_‡¡œB©ÐMPíqט^¡\ád£;½÷3‚±qÚ.øôÖD'¼ÄL¹œC€jõ¨&tÚ_fÐ/Iuh-"Oê¥Kù¥K`wfL;
M|9‹RmñÚaô©õ÷¯Ãc¡ZûXPR!Tð]â ùWƒ¸œ7
 ;˜lçIï˜"aÔ—ß¡dõôCOö2g:üÜãQ#‚—1/Xò_/5Ä?¯7ÞUø‡¼ÿ÷+þò}ËáS–ÙíšÓœp.Ù%)Ï|E^§þüÞÿ;÷¿à`endstream
 endobj
-1721 0 obj <<
+1722 0 obj <<
 /Type /Page
-/Contents 1722 0 R
-/Resources 1720 0 R
+/Contents 1723 0 R
+/Resources 1721 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
+/Parent 1725 0 R
 >> endobj
-1723 0 obj <<
-/D [1721 0 R /XYZ 85.0394 794.5015 null]
+1724 0 obj <<
+/D [1722 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1720 0 obj <<
+1721 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1727 0 obj <<
+1728 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1726 0 obj <<
+1727 0 obj <<
 /Type /Page
-/Contents 1727 0 R
-/Resources 1725 0 R
+/Contents 1728 0 R
+/Resources 1726 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
+/Parent 1725 0 R
 >> endobj
-1728 0 obj <<
-/D [1726 0 R /XYZ 56.6929 794.5015 null]
+1729 0 obj <<
+/D [1727 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1725 0 obj <<
+1726 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1731 0 obj <<
+1732 0 obj <<
 /Length 1964      
 /Filter /FlateDecode
 >>
@@ -7697,84 +7716,84 @@ i	
 “¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoãã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy7G)JΑOü©5­¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+¾,}w¸ÉÀUßÄx³Q³Ô}\Wù¸·ö߶
 ߣ«ª]qöü´Þíâ³äZÄ^d{‘¡ÉeIGid!EDòÖÝüÀyïï?*Zendstream
 endobj
-1730 0 obj <<
+1731 0 obj <<
 /Type /Page
-/Contents 1731 0 R
-/Resources 1729 0 R
+/Contents 1732 0 R
+/Resources 1730 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
-/Annots [ 1738 0 R 1739 0 R ]
+/Parent 1725 0 R
+/Annots [ 1739 0 R 1740 0 R ]
 >> endobj
-1738 0 obj <<
+1739 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<>
 >> endobj
-1739 0 obj <<
+1740 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<>
 >> endobj
-1732 0 obj <<
-/D [1730 0 R /XYZ 85.0394 794.5015 null]
+1733 0 obj <<
+/D [1731 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 606 0 obj <<
-/D [1730 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1733 0 obj <<
-/D [1730 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-610 0 obj <<
-/D [1730 0 R /XYZ 85.0394 576.7004 null]
+/D [1731 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1734 0 obj <<
-/D [1730 0 R /XYZ 85.0394 548.3785 null]
+/D [1731 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-614 0 obj <<
-/D [1730 0 R /XYZ 85.0394 548.3785 null]
+610 0 obj <<
+/D [1731 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 1735 0 obj <<
-/D [1730 0 R /XYZ 85.0394 518.5228 null]
+/D [1731 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-618 0 obj <<
-/D [1730 0 R /XYZ 85.0394 460.6968 null]
+614 0 obj <<
+/D [1731 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
 1736 0 obj <<
-/D [1730 0 R /XYZ 85.0394 425.0333 null]
+/D [1731 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
-622 0 obj <<
-/D [1730 0 R /XYZ 85.0394 260.2468 null]
+618 0 obj <<
+/D [1731 0 R /XYZ 85.0394 460.6968 null]
 >> endobj
 1737 0 obj <<
-/D [1730 0 R /XYZ 85.0394 224.698 null]
+/D [1731 0 R /XYZ 85.0394 425.0333 null]
 >> endobj
-1729 0 obj <<
-/Font << /F21 738 0 R /F23 762 0 R /F11 1449 0 R /F41 969 0 R >>
+622 0 obj <<
+/D [1731 0 R /XYZ 85.0394 260.2468 null]
+>> endobj
+1738 0 obj <<
+/D [1731 0 R /XYZ 85.0394 224.698 null]
+>> endobj
+1730 0 obj <<
+/Font << /F21 738 0 R /F23 762 0 R /F11 1336 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1742 0 obj <<
+1743 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0BCS3=3K#KsK=SCS…ä\.…t œ;—!T‰©±ž©‰±1ƒEV.­knj©g`fA‚!ÂVŒendstream
 endobj
-1741 0 obj <<
+1742 0 obj <<
 /Type /Page
-/Contents 1742 0 R
-/Resources 1740 0 R
+/Contents 1743 0 R
+/Resources 1741 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
+/Parent 1725 0 R
 >> endobj
-1743 0 obj <<
-/D [1741 0 R /XYZ 56.6929 794.5015 null]
+1744 0 obj <<
+/D [1742 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1740 0 obj <<
+1741 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1746 0 obj <<
+1747 0 obj <<
 /Length 2544      
 /Filter /FlateDecode
 >>
@@ -7788,39 +7807,39 @@ FXЭ
 D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4áRÊ}^º¦ÖÒRº#›Úv°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)ŽL½"Ÿûæ¢@ù<ñpJµÙ>~æÜpËLtGY­Fgá±[A
—(-̃ÅÙ¶Ä ˜Þ°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(dvP&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{
†rh®ÔÐq½ ‘®³«zß&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤ægH@Ä9³ZI(	Ž:ž()6Sq
 UŸiQc¢õFêƆEiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×y­P°M”`à· FAˆ½Ž¼m¥uGKÑ–‹;ÕAŸ^–,y§ž%­Þõ½1,ôUUD¼.µæ!u[È8ˆló#_÷'k®ÿ1,°Èq‘<Äa	U®ßù³{”ül>Â1¥ƒÏéD}ãX/Í›·ô(òÄ-O¿õÄ7‹›.f2ïeO˜ÅËŒ¶±|ïÛþjÄJ˜±Ò¶ë–BºfÓ„È^'Dö6!2‹Šµ>¹Õª?DZ…Ú™ðìÂ
DðFÍ\¥Pà1ª~)‰ÅïšVýØ^
.-㤎Í°·ÁqÏGß5p’³:ñLðÊçaAêð0xšnþ5cµN¼‡£*itUV`+c!ž¡z'[´Úzå},ÿdêUi‘دšèœ7³v«êœÈu{d¤ÌcIÀýj~ÅžXfQ‹gR`sdß׳=¥±iˆ%†zߊêÁïªÂ÷UY*»bI뎺,hùAØ7{pä‘Å?õ°–ˆV¸M¯jjK€ü­?%
ÊGË_¾(XàëÿšV@%Ÿ£J4ËÝh^ý]žÔ‹f6×níƒ+LÍìS2vDN?š`®…8ä9H3ð`3zø…$ÛVÂïå4ýˆÕÕHƒ®\Büu|-Fc˜¤ë\5¢œs²knTuü×tè«ÊeÁ?Mä' ÁÙX€p†h¨k.æÍâõñkMb q‘ÌB°ƒiû†sk(ß½üdÚÿÃlhßp²ÑoC;àÐn;Õ£ž»¿¨Î…?^Uè&ŠÌ(\¹'HðêÑáC5mWp}cŒ‡XÉ„?)â’éÀ9–ÜI[(‘î¾›¨Â^5ðù©‡m7ïÍlŠR͇蕽M|1x:
t´yãizaÁSBïHæ>Ëíé±³Oâ"HÓȃ…×UØNÉø©|hÑçòÅ™X]ÖÌ=Î÷¯»"L1œ¬ù‹Oï×WHÎÔšæÝǧá#¾û4á·óhö3¿cYŒ<ôú9¢wEYà6B=?}{Üð'ƒ¿Ÿ÷¢tendstream
 endobj
-1745 0 obj <<
+1746 0 obj <<
 /Type /Page
-/Contents 1746 0 R
-/Resources 1744 0 R
+/Contents 1747 0 R
+/Resources 1745 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
->> endobj
-1747 0 obj <<
-/D [1745 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-626 0 obj <<
-/D [1745 0 R /XYZ 85.0394 769.5949 null]
+/Parent 1725 0 R
 >> endobj
 1748 0 obj <<
-/D [1745 0 R /XYZ 85.0394 573.5449 null]
+/D [1746 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-630 0 obj <<
-/D [1745 0 R /XYZ 85.0394 573.5449 null]
+626 0 obj <<
+/D [1746 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1749 0 obj <<
-/D [1745 0 R /XYZ 85.0394 539.0037 null]
+/D [1746 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-634 0 obj <<
-/D [1745 0 R /XYZ 85.0394 539.0037 null]
+630 0 obj <<
+/D [1746 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
 1750 0 obj <<
-/D [1745 0 R /XYZ 85.0394 510.2426 null]
+/D [1746 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
-1744 0 obj <<
+634 0 obj <<
+/D [1746 0 R /XYZ 85.0394 539.0037 null]
+>> endobj
+1751 0 obj <<
+/D [1746 0 R /XYZ 85.0394 510.2426 null]
+>> endobj
+1745 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1753 0 obj <<
+1754 0 obj <<
 /Length 2810      
 /Filter /FlateDecode
 >>
@@ -7834,64 +7853,64 @@ k
 ½5ºÂ5æaŸ6|šq˜ÐëA¤S‘ônhaЫg#ˆV˜ilÚqø…Ë·­(„á´ª[Óà2àdƒûÚ“9òŸóv¼LZ•Ï–\'NrÓQT&1À;Þ3Y¶÷j†+~Sm vRM“—ç	V¸_hvK%OÆ1e¼»YÞrîMlk‘ă,ómúOm?‹çŸ¸ÙÓ"Ñú„ôÂ@•ÒâwÖÞÊz…±rp3ûöû\p©z»|à;Ù^Mdûu»¿º¼|yyA8….•.‹ja¬t‰­¾qý`èúÂOàZ…¶þ
 Ä“N"\‹ä´_ùaEŒóŠÈ¶Å>þtâ¾%AlZv&>}ë å/3;ú±ÿîÑíX·˜ïþðàSÊ#uUßwÈk/ùó‘ÿ8ŽŽø;úÓaò4RÆ)5äé/SyW01bŒ‰®ôÒ=<žÚ
¢¡'ñfßµ8…¶ˆê½W¶-±O,Ý"x‹õbšé‰oi©í'ç´°OªC—íèýR­Fþ{¤²~¶¡éáÄBßñ}zÒqEðÇ^d7,†;Nè„®©ÚÞ‰T»vêfsÙ¬³ßñÜÈI\yÌÕ‘ïtX§¬ŒqJí-߉œÈ£áÏqz7!Ø$MÓ’3Ðo}ᔃŸ%'äp»Äü?ýì?s2Ž½é›^À
13…7>aÝ~'=åý¿z'ðJendstream
 endobj
-1752 0 obj <<
+1753 0 obj <<
 /Type /Page
-/Contents 1753 0 R
-/Resources 1751 0 R
+/Contents 1754 0 R
+/Resources 1752 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1724 0 R
-/Annots [ 1757 0 R 1758 0 R ]
+/Parent 1725 0 R
+/Annots [ 1758 0 R 1759 0 R ]
 >> endobj
-1757 0 obj <<
+1758 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [253.7995 149.3637 417.685 161.4234]
 /Subtype/Link/A<>
 >> endobj
-1758 0 obj <<
+1759 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 110.455 208.8999 120.6168]
 /Subtype/Link/A<>
 >> endobj
-1754 0 obj <<
-/D [1752 0 R /XYZ 56.6929 794.5015 null]
+1755 0 obj <<
+/D [1753 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 638 0 obj <<
-/D [1752 0 R /XYZ 56.6929 662.0717 null]
->> endobj
-1755 0 obj <<
-/D [1752 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-642 0 obj <<
-/D [1752 0 R /XYZ 56.6929 624.1661 null]
->> endobj
-1184 0 obj <<
-/D [1752 0 R /XYZ 56.6929 593.0972 null]
->> endobj
-646 0 obj <<
-/D [1752 0 R /XYZ 56.6929 294.2701 null]
+/D [1753 0 R /XYZ 56.6929 662.0717 null]
 >> endobj
 1756 0 obj <<
-/D [1752 0 R /XYZ 56.6929 255.4568 null]
+/D [1753 0 R /XYZ 56.6929 624.1661 null]
+>> endobj
+642 0 obj <<
+/D [1753 0 R /XYZ 56.6929 624.1661 null]
+>> endobj
+1184 0 obj <<
+/D [1753 0 R /XYZ 56.6929 593.0972 null]
+>> endobj
+646 0 obj <<
+/D [1753 0 R /XYZ 56.6929 294.2701 null]
+>> endobj
+1757 0 obj <<
+/D [1753 0 R /XYZ 56.6929 255.4568 null]
 >> endobj
 650 0 obj <<
-/D [1752 0 R /XYZ 56.6929 255.4568 null]
+/D [1753 0 R /XYZ 56.6929 255.4568 null]
 >> endobj
 1000 0 obj <<
-/D [1752 0 R /XYZ 56.6929 226.1045 null]
->> endobj
-1759 0 obj <<
-/D [1752 0 R /XYZ 56.6929 53.5688 null]
+/D [1753 0 R /XYZ 56.6929 226.1045 null]
 >> endobj
 1760 0 obj <<
-/D [1752 0 R /XYZ 56.6929 53.5688 null]
+/D [1753 0 R /XYZ 56.6929 53.5688 null]
 >> endobj
-1751 0 obj <<
-/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F11 1449 0 R /F41 969 0 R >>
+1761 0 obj <<
+/D [1753 0 R /XYZ 56.6929 53.5688 null]
+>> endobj
+1752 0 obj <<
+/Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F11 1336 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1763 0 obj <<
+1764 0 obj <<
 /Length 2825      
 /Filter /FlateDecode
 >>
@@ -7908,189 +7927,189 @@ xÚµZ]{
 µ9Te>#ôá¶6Ø6Ay2¾b$´ÌHÜ)³|Þ‰zA4lY3ª#Óò`ï§6c¿ŒI0‚¶Æ¾[g;µú,{Ù•oúùFÿÍ+”Ÿë¯’ù
Ø.…‚1¦‘•ß‹WñÈÌvìï&}•/\u˜sê8˜$Ðk“3©-å¡ZKY\{h½ÐÙ}lÛ6ø´Üïå®+Ö›­ßÁä\²Z*)#ý&ÇÍ:±¦‚ñwù·á£s£˜cû‰†Íçƒb‘÷Ç}ªO]žkÓçÁj%¬¼SƒS5ø´‰3zÝÏÞs–äWœ¹Ïw;sâû}&ÁDÂ(ò[„%ä6-Ô~P‘xN|¸­9ô‡­ÁF^d‡\•<ÛkÒlIdu¾ª2!³ðôtÖÅ:Úsq\û½I$Ø‚?Sÿ[Bn…k¡6ãû>ûòá¶
 ï+ÜF6Þuþ}^=gÛô5Õ Œ@õµ®­ÑLKç„}RÛˆÈBFo_#y5Y«YÈ°ƒŽAóañEXûDó*å!¯¶yJIŒ/…—(™»¼Øg¹vB½fgÉ>ÜprªÅ'¸ª
LnÿË_úZ;‡1¢Iâ8L£Ð|Rʱ~)ñ+pÀû¯n¾	>}÷ÿ‰_bÇendstream
 endobj
-1762 0 obj <<
+1763 0 obj <<
 /Type /Page
-/Contents 1763 0 R
-/Resources 1761 0 R
+/Contents 1764 0 R
+/Resources 1762 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1820 0 R
->> endobj
-1764 0 obj <<
-/D [1762 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1821 0 R
 >> endobj
 1765 0 obj <<
-/D [1762 0 R /XYZ 85.0394 752.3015 null]
+/D [1763 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1766 0 obj <<
-/D [1762 0 R /XYZ 85.0394 752.3015 null]
+/D [1763 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1767 0 obj <<
-/D [1762 0 R /XYZ 85.0394 752.3015 null]
+/D [1763 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1768 0 obj <<
-/D [1762 0 R /XYZ 85.0394 746.3107 null]
+/D [1763 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
 1769 0 obj <<
-/D [1762 0 R /XYZ 85.0394 731.5461 null]
+/D [1763 0 R /XYZ 85.0394 746.3107 null]
 >> endobj
 1770 0 obj <<
-/D [1762 0 R /XYZ 85.0394 728.1497 null]
+/D [1763 0 R /XYZ 85.0394 731.5461 null]
 >> endobj
 1771 0 obj <<
-/D [1762 0 R /XYZ 85.0394 713.3851 null]
+/D [1763 0 R /XYZ 85.0394 728.1497 null]
 >> endobj
 1772 0 obj <<
-/D [1762 0 R /XYZ 85.0394 709.9887 null]
+/D [1763 0 R /XYZ 85.0394 713.3851 null]
 >> endobj
 1773 0 obj <<
-/D [1762 0 R /XYZ 85.0394 651.9592 null]
->> endobj
-1122 0 obj <<
-/D [1762 0 R /XYZ 85.0394 651.9592 null]
+/D [1763 0 R /XYZ 85.0394 709.9887 null]
 >> endobj
 1774 0 obj <<
-/D [1762 0 R /XYZ 85.0394 651.9592 null]
+/D [1763 0 R /XYZ 85.0394 651.9592 null]
+>> endobj
+1122 0 obj <<
+/D [1763 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1775 0 obj <<
-/D [1762 0 R /XYZ 85.0394 648.8377 null]
+/D [1763 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
 1776 0 obj <<
-/D [1762 0 R /XYZ 85.0394 634.0731 null]
+/D [1763 0 R /XYZ 85.0394 648.8377 null]
 >> endobj
 1777 0 obj <<
-/D [1762 0 R /XYZ 85.0394 630.6767 null]
+/D [1763 0 R /XYZ 85.0394 634.0731 null]
 >> endobj
 1778 0 obj <<
-/D [1762 0 R /XYZ 85.0394 615.9121 null]
+/D [1763 0 R /XYZ 85.0394 630.6767 null]
 >> endobj
 1779 0 obj <<
-/D [1762 0 R /XYZ 85.0394 612.5156 null]
+/D [1763 0 R /XYZ 85.0394 615.9121 null]
 >> endobj
 1780 0 obj <<
-/D [1762 0 R /XYZ 85.0394 585.7959 null]
+/D [1763 0 R /XYZ 85.0394 612.5156 null]
 >> endobj
 1781 0 obj <<
-/D [1762 0 R /XYZ 85.0394 582.3994 null]
+/D [1763 0 R /XYZ 85.0394 585.7959 null]
 >> endobj
 1782 0 obj <<
-/D [1762 0 R /XYZ 85.0394 567.6349 null]
+/D [1763 0 R /XYZ 85.0394 582.3994 null]
 >> endobj
 1783 0 obj <<
-/D [1762 0 R /XYZ 85.0394 564.2384 null]
+/D [1763 0 R /XYZ 85.0394 567.6349 null]
 >> endobj
 1784 0 obj <<
-/D [1762 0 R /XYZ 85.0394 549.5337 null]
+/D [1763 0 R /XYZ 85.0394 564.2384 null]
 >> endobj
 1785 0 obj <<
-/D [1762 0 R /XYZ 85.0394 546.0774 null]
+/D [1763 0 R /XYZ 85.0394 549.5337 null]
 >> endobj
 1786 0 obj <<
-/D [1762 0 R /XYZ 85.0394 531.3128 null]
+/D [1763 0 R /XYZ 85.0394 546.0774 null]
 >> endobj
 1787 0 obj <<
-/D [1762 0 R /XYZ 85.0394 527.9163 null]
+/D [1763 0 R /XYZ 85.0394 531.3128 null]
 >> endobj
 1788 0 obj <<
-/D [1762 0 R /XYZ 85.0394 513.1518 null]
+/D [1763 0 R /XYZ 85.0394 527.9163 null]
 >> endobj
 1789 0 obj <<
-/D [1762 0 R /XYZ 85.0394 509.7553 null]
+/D [1763 0 R /XYZ 85.0394 513.1518 null]
 >> endobj
 1790 0 obj <<
-/D [1762 0 R /XYZ 85.0394 483.0356 null]
+/D [1763 0 R /XYZ 85.0394 509.7553 null]
 >> endobj
 1791 0 obj <<
-/D [1762 0 R /XYZ 85.0394 479.6391 null]
+/D [1763 0 R /XYZ 85.0394 483.0356 null]
 >> endobj
 1792 0 obj <<
-/D [1762 0 R /XYZ 85.0394 464.8745 null]
+/D [1763 0 R /XYZ 85.0394 479.6391 null]
 >> endobj
 1793 0 obj <<
-/D [1762 0 R /XYZ 85.0394 461.4781 null]
+/D [1763 0 R /XYZ 85.0394 464.8745 null]
 >> endobj
 1794 0 obj <<
-/D [1762 0 R /XYZ 85.0394 446.7135 null]
+/D [1763 0 R /XYZ 85.0394 461.4781 null]
 >> endobj
 1795 0 obj <<
-/D [1762 0 R /XYZ 85.0394 443.3171 null]
+/D [1763 0 R /XYZ 85.0394 446.7135 null]
 >> endobj
 1796 0 obj <<
-/D [1762 0 R /XYZ 85.0394 428.5525 null]
+/D [1763 0 R /XYZ 85.0394 443.3171 null]
 >> endobj
 1797 0 obj <<
-/D [1762 0 R /XYZ 85.0394 425.156 null]
+/D [1763 0 R /XYZ 85.0394 428.5525 null]
 >> endobj
 1798 0 obj <<
-/D [1762 0 R /XYZ 85.0394 355.0758 null]
+/D [1763 0 R /XYZ 85.0394 425.156 null]
 >> endobj
 1799 0 obj <<
-/D [1762 0 R /XYZ 85.0394 355.0758 null]
+/D [1763 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1800 0 obj <<
-/D [1762 0 R /XYZ 85.0394 355.0758 null]
+/D [1763 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1801 0 obj <<
-/D [1762 0 R /XYZ 85.0394 352.0499 null]
+/D [1763 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
 1802 0 obj <<
-/D [1762 0 R /XYZ 85.0394 337.3452 null]
+/D [1763 0 R /XYZ 85.0394 352.0499 null]
 >> endobj
 1803 0 obj <<
-/D [1762 0 R /XYZ 85.0394 333.8889 null]
+/D [1763 0 R /XYZ 85.0394 337.3452 null]
 >> endobj
 1804 0 obj <<
-/D [1762 0 R /XYZ 85.0394 309.8192 null]
+/D [1763 0 R /XYZ 85.0394 333.8889 null]
 >> endobj
 1805 0 obj <<
-/D [1762 0 R /XYZ 85.0394 303.7727 null]
+/D [1763 0 R /XYZ 85.0394 309.8192 null]
 >> endobj
 1806 0 obj <<
-/D [1762 0 R /XYZ 85.0394 278.3282 null]
+/D [1763 0 R /XYZ 85.0394 303.7727 null]
 >> endobj
 1807 0 obj <<
-/D [1762 0 R /XYZ 85.0394 273.6565 null]
+/D [1763 0 R /XYZ 85.0394 278.3282 null]
 >> endobj
 1808 0 obj <<
-/D [1762 0 R /XYZ 85.0394 246.9367 null]
+/D [1763 0 R /XYZ 85.0394 273.6565 null]
 >> endobj
 1809 0 obj <<
-/D [1762 0 R /XYZ 85.0394 243.5403 null]
+/D [1763 0 R /XYZ 85.0394 246.9367 null]
 >> endobj
 1810 0 obj <<
-/D [1762 0 R /XYZ 85.0394 173.5556 null]
+/D [1763 0 R /XYZ 85.0394 243.5403 null]
 >> endobj
 1811 0 obj <<
-/D [1762 0 R /XYZ 85.0394 173.5556 null]
+/D [1763 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
 1812 0 obj <<
-/D [1762 0 R /XYZ 85.0394 173.5556 null]
+/D [1763 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
 1813 0 obj <<
-/D [1762 0 R /XYZ 85.0394 170.4341 null]
+/D [1763 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
 1814 0 obj <<
-/D [1762 0 R /XYZ 85.0394 144.9896 null]
+/D [1763 0 R /XYZ 85.0394 170.4341 null]
 >> endobj
 1815 0 obj <<
-/D [1762 0 R /XYZ 85.0394 140.3179 null]
+/D [1763 0 R /XYZ 85.0394 144.9896 null]
 >> endobj
 1816 0 obj <<
-/D [1762 0 R /XYZ 85.0394 113.5982 null]
+/D [1763 0 R /XYZ 85.0394 140.3179 null]
 >> endobj
 1817 0 obj <<
-/D [1762 0 R /XYZ 85.0394 110.2017 null]
+/D [1763 0 R /XYZ 85.0394 113.5982 null]
 >> endobj
 1818 0 obj <<
-/D [1762 0 R /XYZ 85.0394 95.4372 null]
+/D [1763 0 R /XYZ 85.0394 110.2017 null]
 >> endobj
 1819 0 obj <<
-/D [1762 0 R /XYZ 85.0394 92.0407 null]
+/D [1763 0 R /XYZ 85.0394 95.4372 null]
 >> endobj
-1761 0 obj <<
+1820 0 obj <<
+/D [1763 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1762 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1823 0 obj <<
+1824 0 obj <<
 /Length 2889      
 /Filter /FlateDecode
 >>
@@ -8110,177 +8129,177 @@ id
 …º#õ:ÓÊEYi(^ds›´¥«ÝÅÔOï7ÕḭD˜d™7žmôl‘‡ü€ºíÉÿ ãóa ±~ãcðÆÓÊ‚AYé´ŽbË®e•60tµû1˜Ú—YR–™>
 .Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ#‰å4i•6uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±DÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû¼¤é“ÖÓ?±N©áv3¥†f#¥æÒè¢.lå¹x	òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñÑ08¼2ڮ嗪+ñØ9ùêêßÓïþ–ÎOZendstream
 endobj
-1822 0 obj <<
+1823 0 obj <<
 /Type /Page
-/Contents 1823 0 R
-/Resources 1821 0 R
+/Contents 1824 0 R
+/Resources 1822 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1820 0 R
->> endobj
-1824 0 obj <<
-/D [1822 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1821 0 R
 >> endobj
 1825 0 obj <<
-/D [1822 0 R /XYZ 56.6929 748.5056 null]
+/D [1823 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1826 0 obj <<
-/D [1822 0 R /XYZ 56.6929 748.5056 null]
+/D [1823 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1827 0 obj <<
-/D [1822 0 R /XYZ 56.6929 748.5056 null]
+/D [1823 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1828 0 obj <<
-/D [1822 0 R /XYZ 56.6929 743.7078 null]
+/D [1823 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
 1829 0 obj <<
-/D [1822 0 R /XYZ 56.6929 719.6381 null]
+/D [1823 0 R /XYZ 56.6929 743.7078 null]
 >> endobj
 1830 0 obj <<
-/D [1822 0 R /XYZ 56.6929 711.8197 null]
+/D [1823 0 R /XYZ 56.6929 719.6381 null]
 >> endobj
 1831 0 obj <<
-/D [1822 0 R /XYZ 56.6929 697.0552 null]
+/D [1823 0 R /XYZ 56.6929 711.8197 null]
 >> endobj
 1832 0 obj <<
-/D [1822 0 R /XYZ 56.6929 691.8868 null]
+/D [1823 0 R /XYZ 56.6929 697.0552 null]
 >> endobj
 1833 0 obj <<
-/D [1822 0 R /XYZ 56.6929 665.1671 null]
+/D [1823 0 R /XYZ 56.6929 691.8868 null]
 >> endobj
 1834 0 obj <<
-/D [1822 0 R /XYZ 56.6929 659.9987 null]
+/D [1823 0 R /XYZ 56.6929 665.1671 null]
 >> endobj
 1835 0 obj <<
-/D [1822 0 R /XYZ 56.6929 635.929 null]
+/D [1823 0 R /XYZ 56.6929 659.9987 null]
 >> endobj
 1836 0 obj <<
-/D [1822 0 R /XYZ 56.6929 628.1106 null]
+/D [1823 0 R /XYZ 56.6929 635.929 null]
 >> endobj
 1837 0 obj <<
-/D [1822 0 R /XYZ 56.6929 601.3909 null]
+/D [1823 0 R /XYZ 56.6929 628.1106 null]
 >> endobj
 1838 0 obj <<
-/D [1822 0 R /XYZ 56.6929 596.2225 null]
+/D [1823 0 R /XYZ 56.6929 601.3909 null]
 >> endobj
 1839 0 obj <<
-/D [1822 0 R /XYZ 56.6929 569.5028 null]
+/D [1823 0 R /XYZ 56.6929 596.2225 null]
 >> endobj
 1840 0 obj <<
-/D [1822 0 R /XYZ 56.6929 564.3344 null]
+/D [1823 0 R /XYZ 56.6929 569.5028 null]
 >> endobj
 1841 0 obj <<
-/D [1822 0 R /XYZ 56.6929 549.6297 null]
+/D [1823 0 R /XYZ 56.6929 564.3344 null]
 >> endobj
 1842 0 obj <<
-/D [1822 0 R /XYZ 56.6929 544.4015 null]
+/D [1823 0 R /XYZ 56.6929 549.6297 null]
 >> endobj
 1843 0 obj <<
-/D [1822 0 R /XYZ 56.6929 529.6968 null]
+/D [1823 0 R /XYZ 56.6929 544.4015 null]
 >> endobj
 1844 0 obj <<
-/D [1822 0 R /XYZ 56.6929 524.4686 null]
+/D [1823 0 R /XYZ 56.6929 529.6968 null]
 >> endobj
 1845 0 obj <<
-/D [1822 0 R /XYZ 56.6929 500.3989 null]
+/D [1823 0 R /XYZ 56.6929 524.4686 null]
 >> endobj
 1846 0 obj <<
-/D [1822 0 R /XYZ 56.6929 492.5805 null]
+/D [1823 0 R /XYZ 56.6929 500.3989 null]
 >> endobj
 1847 0 obj <<
-/D [1822 0 R /XYZ 56.6929 467.136 null]
+/D [1823 0 R /XYZ 56.6929 492.5805 null]
 >> endobj
 1848 0 obj <<
-/D [1822 0 R /XYZ 56.6929 460.6924 null]
+/D [1823 0 R /XYZ 56.6929 467.136 null]
 >> endobj
 1849 0 obj <<
-/D [1822 0 R /XYZ 56.6929 436.6227 null]
+/D [1823 0 R /XYZ 56.6929 460.6924 null]
 >> endobj
 1850 0 obj <<
-/D [1822 0 R /XYZ 56.6929 428.8043 null]
+/D [1823 0 R /XYZ 56.6929 436.6227 null]
 >> endobj
 1851 0 obj <<
-/D [1822 0 R /XYZ 56.6929 414.0996 null]
+/D [1823 0 R /XYZ 56.6929 428.8043 null]
 >> endobj
 1852 0 obj <<
-/D [1822 0 R /XYZ 56.6929 408.8714 null]
+/D [1823 0 R /XYZ 56.6929 414.0996 null]
 >> endobj
 1853 0 obj <<
-/D [1822 0 R /XYZ 56.6929 382.1516 null]
+/D [1823 0 R /XYZ 56.6929 408.8714 null]
 >> endobj
 1854 0 obj <<
-/D [1822 0 R /XYZ 56.6929 376.9833 null]
+/D [1823 0 R /XYZ 56.6929 382.1516 null]
 >> endobj
 1855 0 obj <<
-/D [1822 0 R /XYZ 56.6929 350.2636 null]
+/D [1823 0 R /XYZ 56.6929 376.9833 null]
 >> endobj
 1856 0 obj <<
-/D [1822 0 R /XYZ 56.6929 345.0952 null]
+/D [1823 0 R /XYZ 56.6929 350.2636 null]
 >> endobj
 1857 0 obj <<
-/D [1822 0 R /XYZ 56.6929 321.0255 null]
+/D [1823 0 R /XYZ 56.6929 345.0952 null]
 >> endobj
 1858 0 obj <<
-/D [1822 0 R /XYZ 56.6929 313.2071 null]
+/D [1823 0 R /XYZ 56.6929 321.0255 null]
 >> endobj
 1859 0 obj <<
-/D [1822 0 R /XYZ 56.6929 298.5024 null]
+/D [1823 0 R /XYZ 56.6929 313.2071 null]
 >> endobj
 1860 0 obj <<
-/D [1822 0 R /XYZ 56.6929 293.2742 null]
+/D [1823 0 R /XYZ 56.6929 298.5024 null]
 >> endobj
 1861 0 obj <<
-/D [1822 0 R /XYZ 56.6929 267.8297 null]
+/D [1823 0 R /XYZ 56.6929 293.2742 null]
 >> endobj
 1862 0 obj <<
-/D [1822 0 R /XYZ 56.6929 261.3861 null]
+/D [1823 0 R /XYZ 56.6929 267.8297 null]
 >> endobj
 1863 0 obj <<
-/D [1822 0 R /XYZ 56.6929 199.468 null]
+/D [1823 0 R /XYZ 56.6929 261.3861 null]
 >> endobj
 1864 0 obj <<
-/D [1822 0 R /XYZ 56.6929 199.468 null]
+/D [1823 0 R /XYZ 56.6929 199.468 null]
 >> endobj
 1865 0 obj <<
-/D [1822 0 R /XYZ 56.6929 199.468 null]
+/D [1823 0 R /XYZ 56.6929 199.468 null]
 >> endobj
 1866 0 obj <<
-/D [1822 0 R /XYZ 56.6929 191.7053 null]
+/D [1823 0 R /XYZ 56.6929 199.468 null]
 >> endobj
 1867 0 obj <<
-/D [1822 0 R /XYZ 56.6929 176.9408 null]
+/D [1823 0 R /XYZ 56.6929 191.7053 null]
 >> endobj
 1868 0 obj <<
-/D [1822 0 R /XYZ 56.6929 171.7724 null]
+/D [1823 0 R /XYZ 56.6929 176.9408 null]
 >> endobj
 1869 0 obj <<
-/D [1822 0 R /XYZ 56.6929 157.0677 null]
+/D [1823 0 R /XYZ 56.6929 171.7724 null]
 >> endobj
 1870 0 obj <<
-/D [1822 0 R /XYZ 56.6929 151.8395 null]
+/D [1823 0 R /XYZ 56.6929 157.0677 null]
 >> endobj
 1871 0 obj <<
-/D [1822 0 R /XYZ 56.6929 137.1348 null]
+/D [1823 0 R /XYZ 56.6929 151.8395 null]
 >> endobj
 1872 0 obj <<
-/D [1822 0 R /XYZ 56.6929 131.9066 null]
+/D [1823 0 R /XYZ 56.6929 137.1348 null]
 >> endobj
 1873 0 obj <<
-/D [1822 0 R /XYZ 56.6929 117.2018 null]
+/D [1823 0 R /XYZ 56.6929 131.9066 null]
 >> endobj
 1874 0 obj <<
-/D [1822 0 R /XYZ 56.6929 111.9736 null]
+/D [1823 0 R /XYZ 56.6929 117.2018 null]
 >> endobj
 1875 0 obj <<
-/D [1822 0 R /XYZ 56.6929 97.2091 null]
+/D [1823 0 R /XYZ 56.6929 111.9736 null]
 >> endobj
 1876 0 obj <<
-/D [1822 0 R /XYZ 56.6929 92.0407 null]
+/D [1823 0 R /XYZ 56.6929 97.2091 null]
 >> endobj
-1821 0 obj <<
+1877 0 obj <<
+/D [1823 0 R /XYZ 56.6929 92.0407 null]
+>> endobj
+1822 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1879 0 obj <<
+1880 0 obj <<
 /Length 2542      
 /Filter /FlateDecode
 >>
@@ -8292,171 +8311,171 @@ xÚ¥Z[w
 ”vйQ`Å­cCÊ¡d%Õi9q¸ŠÚPóÛ¢g\ëss:˪¨ûs™îÔˆ€'+‹¾Ià…1Ì{žy'¤UVo•ÒÇ*˵Ʃ]ã~ì¡(¾0ê1¥WR]Ï8êX'´¡ñ!¶Eã&øBj–íÕdá:­³3;txª±ÍKQÎŽŽÓ>	zløÓô´Eé˜éÛ EðÂñ…v”r¡¤4$pt‘Nhƒˆ!¶…\g„P×üPÔnppSŽiñ£Gkñž½y#$¾Äæt‡$dúÉWþ-gd¦vÕ×îÁw~áì”ù«¼@?½Ü„þ¯~ùÑEy¹Ns˜-b+Ÿ~D½(¼”.L);ŸZªã“:ŠG'tÇçö8Ÿ=ð…ž¾³¢‹Þ)—’UÁÀùTõÇg9µcºrÖ(£úÿ¬·é¶ÝM¼ƒ¼tBZ¤.éQäèá\¸)`'òšA7FØÖ¨™-b¸"2ú]¨JÑŽ¼¡ Ý—àyõ`è×’5J%^ƒúû“¤¨sÆщ7àØN¡^€‚¥€)å JIi¦ 7;˜rAT
±-\™àKþåW²­›$œ.Nͨ¼ŒóÎÄ’ˆƒüH¹ùI4}çsñvõM42¼ùàç¼+KëFÞo·›u=êTt„)ºC(ù>Š»ïÚñ7ßµ„ž©«{ˆôíDB—-Ô…/{¦”ƒH%¥‰LËå\БCl‘&¸®éVOÅxê¨Ò¢îŠ¼³/÷üÓjžlü›òž:Gkêå©Òžª”«­ÞëÊÙ6ìØ¥0Xfâ{1Oý™øãK]æ¬a4°´Ã1gˆýªó½ý^1ã+êyˆ±Ø&GÁXܶ`JÙmAK]”#):¡;[8÷…¸°?œÞvC8k£'ü¿gå¾JoहXùì(0Cß‹)MÌá(žÞxâ»T|dy.wÚ/&>tËÛ·Sþ“«)ÿ”³¬)˜þîH°äö–RšŽ]Ydd¥£ð{ó˜ÿ¡…×ÐînJ9(VRºî	#G£ì„6(b[(6Á¯³B§­ÏéS=sv–iG{
 9±ôIŒ»©Òï¯bF²SÁà´?Õæ!±ò¡‘n!;J¨û$9úhnÇÁxœY8YŒ!à4¼ªÅœ7%ÿo6×°(£2ùP.ì÷ba¯¾ëÇÊ+à.kVœ¸¥7álE‘9ôˆAWܧ«»­Ì›òž[ݨϧÌøƧSþ3ŸŸxYAFméÿÿ ˘OF‰m3Ù…«‡j»#|ö{1ýÓ­ógÿ/’P÷ñendstream
 endobj
-1878 0 obj <<
+1879 0 obj <<
 /Type /Page
-/Contents 1879 0 R
-/Resources 1877 0 R
+/Contents 1880 0 R
+/Resources 1878 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1820 0 R
->> endobj
-1880 0 obj <<
-/D [1878 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1821 0 R
 >> endobj
 1881 0 obj <<
-/D [1878 0 R /XYZ 85.0394 748.4854 null]
+/D [1879 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 1882 0 obj <<
-/D [1878 0 R /XYZ 85.0394 748.4854 null]
+/D [1879 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1883 0 obj <<
-/D [1878 0 R /XYZ 85.0394 748.4854 null]
+/D [1879 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1884 0 obj <<
-/D [1878 0 R /XYZ 85.0394 743.3452 null]
+/D [1879 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
 1885 0 obj <<
-/D [1878 0 R /XYZ 85.0394 728.6405 null]
+/D [1879 0 R /XYZ 85.0394 743.3452 null]
 >> endobj
 1886 0 obj <<
-/D [1878 0 R /XYZ 85.0394 723.1655 null]
+/D [1879 0 R /XYZ 85.0394 728.6405 null]
 >> endobj
 1887 0 obj <<
-/D [1878 0 R /XYZ 85.0394 708.4607 null]
+/D [1879 0 R /XYZ 85.0394 723.1655 null]
 >> endobj
 1888 0 obj <<
-/D [1878 0 R /XYZ 85.0394 702.9857 null]
+/D [1879 0 R /XYZ 85.0394 708.4607 null]
 >> endobj
 1889 0 obj <<
-/D [1878 0 R /XYZ 85.0394 688.2211 null]
+/D [1879 0 R /XYZ 85.0394 702.9857 null]
 >> endobj
 1890 0 obj <<
-/D [1878 0 R /XYZ 85.0394 682.8059 null]
+/D [1879 0 R /XYZ 85.0394 688.2211 null]
 >> endobj
 1891 0 obj <<
-/D [1878 0 R /XYZ 85.0394 668.0414 null]
+/D [1879 0 R /XYZ 85.0394 682.8059 null]
 >> endobj
 1892 0 obj <<
-/D [1878 0 R /XYZ 85.0394 662.6262 null]
+/D [1879 0 R /XYZ 85.0394 668.0414 null]
 >> endobj
 1893 0 obj <<
-/D [1878 0 R /XYZ 85.0394 599.7666 null]
+/D [1879 0 R /XYZ 85.0394 662.6262 null]
 >> endobj
 1894 0 obj <<
-/D [1878 0 R /XYZ 85.0394 599.7666 null]
+/D [1879 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1895 0 obj <<
-/D [1878 0 R /XYZ 85.0394 599.7666 null]
+/D [1879 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1896 0 obj <<
-/D [1878 0 R /XYZ 85.0394 591.7571 null]
+/D [1879 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
 1897 0 obj <<
-/D [1878 0 R /XYZ 85.0394 565.0374 null]
+/D [1879 0 R /XYZ 85.0394 591.7571 null]
 >> endobj
 1898 0 obj <<
-/D [1878 0 R /XYZ 85.0394 559.6222 null]
+/D [1879 0 R /XYZ 85.0394 565.0374 null]
 >> endobj
 1899 0 obj <<
-/D [1878 0 R /XYZ 85.0394 534.1777 null]
+/D [1879 0 R /XYZ 85.0394 559.6222 null]
 >> endobj
 1900 0 obj <<
-/D [1878 0 R /XYZ 85.0394 527.4872 null]
+/D [1879 0 R /XYZ 85.0394 534.1777 null]
 >> endobj
 1901 0 obj <<
-/D [1878 0 R /XYZ 85.0394 502.0427 null]
+/D [1879 0 R /XYZ 85.0394 527.4872 null]
 >> endobj
 1902 0 obj <<
-/D [1878 0 R /XYZ 85.0394 495.3523 null]
+/D [1879 0 R /XYZ 85.0394 502.0427 null]
 >> endobj
 1903 0 obj <<
-/D [1878 0 R /XYZ 85.0394 420.5376 null]
+/D [1879 0 R /XYZ 85.0394 495.3523 null]
 >> endobj
 1904 0 obj <<
-/D [1878 0 R /XYZ 85.0394 420.5376 null]
+/D [1879 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1905 0 obj <<
-/D [1878 0 R /XYZ 85.0394 420.5376 null]
+/D [1879 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1906 0 obj <<
-/D [1878 0 R /XYZ 85.0394 412.5281 null]
+/D [1879 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
 1907 0 obj <<
-/D [1878 0 R /XYZ 85.0394 388.4584 null]
+/D [1879 0 R /XYZ 85.0394 412.5281 null]
 >> endobj
 1908 0 obj <<
-/D [1878 0 R /XYZ 85.0394 380.3932 null]
+/D [1879 0 R /XYZ 85.0394 388.4584 null]
 >> endobj
 1909 0 obj <<
-/D [1878 0 R /XYZ 85.0394 365.6884 null]
+/D [1879 0 R /XYZ 85.0394 380.3932 null]
 >> endobj
 1910 0 obj <<
-/D [1878 0 R /XYZ 85.0394 360.2134 null]
+/D [1879 0 R /XYZ 85.0394 365.6884 null]
 >> endobj
 1911 0 obj <<
-/D [1878 0 R /XYZ 85.0394 345.4488 null]
+/D [1879 0 R /XYZ 85.0394 360.2134 null]
 >> endobj
 1912 0 obj <<
-/D [1878 0 R /XYZ 85.0394 340.0336 null]
+/D [1879 0 R /XYZ 85.0394 345.4488 null]
 >> endobj
 1913 0 obj <<
-/D [1878 0 R /XYZ 85.0394 325.269 null]
+/D [1879 0 R /XYZ 85.0394 340.0336 null]
 >> endobj
 1914 0 obj <<
-/D [1878 0 R /XYZ 85.0394 319.8539 null]
+/D [1879 0 R /XYZ 85.0394 325.269 null]
 >> endobj
 1915 0 obj <<
-/D [1878 0 R /XYZ 85.0394 295.7842 null]
+/D [1879 0 R /XYZ 85.0394 319.8539 null]
 >> endobj
 1916 0 obj <<
-/D [1878 0 R /XYZ 85.0394 287.7189 null]
+/D [1879 0 R /XYZ 85.0394 295.7842 null]
 >> endobj
 1917 0 obj <<
-/D [1878 0 R /XYZ 85.0394 272.9543 null]
+/D [1879 0 R /XYZ 85.0394 287.7189 null]
 >> endobj
 1918 0 obj <<
-/D [1878 0 R /XYZ 85.0394 267.5392 null]
+/D [1879 0 R /XYZ 85.0394 272.9543 null]
 >> endobj
 1919 0 obj <<
-/D [1878 0 R /XYZ 85.0394 252.7746 null]
+/D [1879 0 R /XYZ 85.0394 267.5392 null]
 >> endobj
 1920 0 obj <<
-/D [1878 0 R /XYZ 85.0394 247.3594 null]
+/D [1879 0 R /XYZ 85.0394 252.7746 null]
 >> endobj
 1921 0 obj <<
-/D [1878 0 R /XYZ 85.0394 223.2897 null]
+/D [1879 0 R /XYZ 85.0394 247.3594 null]
 >> endobj
 1922 0 obj <<
-/D [1878 0 R /XYZ 85.0394 215.2245 null]
+/D [1879 0 R /XYZ 85.0394 223.2897 null]
 >> endobj
 1923 0 obj <<
-/D [1878 0 R /XYZ 85.0394 149.4956 null]
+/D [1879 0 R /XYZ 85.0394 215.2245 null]
 >> endobj
 1924 0 obj <<
-/D [1878 0 R /XYZ 85.0394 149.4956 null]
+/D [1879 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
 1925 0 obj <<
-/D [1878 0 R /XYZ 85.0394 149.4956 null]
+/D [1879 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
 1926 0 obj <<
-/D [1878 0 R /XYZ 85.0394 144.3554 null]
+/D [1879 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
 1927 0 obj <<
-/D [1878 0 R /XYZ 85.0394 120.2857 null]
+/D [1879 0 R /XYZ 85.0394 144.3554 null]
 >> endobj
 1928 0 obj <<
-/D [1878 0 R /XYZ 85.0394 112.2205 null]
+/D [1879 0 R /XYZ 85.0394 120.2857 null]
 >> endobj
 1929 0 obj <<
-/D [1878 0 R /XYZ 85.0394 97.4559 null]
+/D [1879 0 R /XYZ 85.0394 112.2205 null]
 >> endobj
 1930 0 obj <<
-/D [1878 0 R /XYZ 85.0394 92.0407 null]
+/D [1879 0 R /XYZ 85.0394 97.4559 null]
 >> endobj
-1877 0 obj <<
+1931 0 obj <<
+/D [1879 0 R /XYZ 85.0394 92.0407 null]
+>> endobj
+1878 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1933 0 obj <<
+1934 0 obj <<
 /Length 2121      
 /Filter /FlateDecode
 >>
@@ -8471,117 +8490,117 @@ a
 BRSOÄú1£ìô<(AD]­Xx©°óZìM¬¸¾{˜åºP¬ú\J"VßCÞäN¹Qï3;¡Ô»pý²©Î“	ì‚™8
 ÓÙ„õç‘A­Ç> endobj
-1934 0 obj <<
-/D [1932 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1821 0 R
 >> endobj
 1935 0 obj <<
-/D [1932 0 R /XYZ 56.6929 749.4437 null]
+/D [1933 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1936 0 obj <<
-/D [1932 0 R /XYZ 56.6929 749.4437 null]
+/D [1933 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1937 0 obj <<
-/D [1932 0 R /XYZ 56.6929 749.4437 null]
+/D [1933 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1938 0 obj <<
-/D [1932 0 R /XYZ 56.6929 746.6461 null]
+/D [1933 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
 1939 0 obj <<
-/D [1932 0 R /XYZ 56.6929 722.5763 null]
+/D [1933 0 R /XYZ 56.6929 746.6461 null]
 >> endobj
 1940 0 obj <<
-/D [1932 0 R /XYZ 56.6929 716.7581 null]
+/D [1933 0 R /XYZ 56.6929 722.5763 null]
 >> endobj
 1941 0 obj <<
-/D [1932 0 R /XYZ 56.6929 701.9936 null]
+/D [1933 0 R /XYZ 56.6929 716.7581 null]
 >> endobj
 1942 0 obj <<
-/D [1932 0 R /XYZ 56.6929 698.8254 null]
+/D [1933 0 R /XYZ 56.6929 701.9936 null]
 >> endobj
 1943 0 obj <<
-/D [1932 0 R /XYZ 56.6929 684.1207 null]
+/D [1933 0 R /XYZ 56.6929 698.8254 null]
 >> endobj
 1944 0 obj <<
-/D [1932 0 R /XYZ 56.6929 680.8926 null]
+/D [1933 0 R /XYZ 56.6929 684.1207 null]
 >> endobj
 1945 0 obj <<
-/D [1932 0 R /XYZ 56.6929 656.8229 null]
+/D [1933 0 R /XYZ 56.6929 680.8926 null]
 >> endobj
 1946 0 obj <<
-/D [1932 0 R /XYZ 56.6929 651.0047 null]
+/D [1933 0 R /XYZ 56.6929 656.8229 null]
 >> endobj
 1947 0 obj <<
-/D [1932 0 R /XYZ 56.6929 636.3 null]
+/D [1933 0 R /XYZ 56.6929 651.0047 null]
 >> endobj
 1948 0 obj <<
-/D [1932 0 R /XYZ 56.6929 633.072 null]
+/D [1933 0 R /XYZ 56.6929 636.3 null]
 >> endobj
 1949 0 obj <<
-/D [1932 0 R /XYZ 56.6929 609.0023 null]
+/D [1933 0 R /XYZ 56.6929 633.072 null]
 >> endobj
 1950 0 obj <<
-/D [1932 0 R /XYZ 56.6929 603.184 null]
+/D [1933 0 R /XYZ 56.6929 609.0023 null]
 >> endobj
 1951 0 obj <<
-/D [1932 0 R /XYZ 56.6929 579.1143 null]
+/D [1933 0 R /XYZ 56.6929 603.184 null]
 >> endobj
 1952 0 obj <<
-/D [1932 0 R /XYZ 56.6929 573.2961 null]
+/D [1933 0 R /XYZ 56.6929 579.1143 null]
 >> endobj
 1953 0 obj <<
-/D [1932 0 R /XYZ 56.6929 558.5914 null]
+/D [1933 0 R /XYZ 56.6929 573.2961 null]
 >> endobj
 1954 0 obj <<
-/D [1932 0 R /XYZ 56.6929 555.3634 null]
+/D [1933 0 R /XYZ 56.6929 558.5914 null]
 >> endobj
 1955 0 obj <<
-/D [1932 0 R /XYZ 56.6929 540.5988 null]
+/D [1933 0 R /XYZ 56.6929 555.3634 null]
 >> endobj
 1956 0 obj <<
-/D [1932 0 R /XYZ 56.6929 537.4306 null]
+/D [1933 0 R /XYZ 56.6929 540.5988 null]
 >> endobj
 1957 0 obj <<
-/D [1932 0 R /XYZ 56.6929 510.7109 null]
+/D [1933 0 R /XYZ 56.6929 537.4306 null]
 >> endobj
 1958 0 obj <<
-/D [1932 0 R /XYZ 56.6929 507.5427 null]
->> endobj
-654 0 obj <<
-/D [1932 0 R /XYZ 56.6929 477.5928 null]
+/D [1933 0 R /XYZ 56.6929 510.7109 null]
 >> endobj
 1959 0 obj <<
-/D [1932 0 R /XYZ 56.6929 453.2532 null]
+/D [1933 0 R /XYZ 56.6929 507.5427 null]
 >> endobj
-658 0 obj <<
-/D [1932 0 R /XYZ 56.6929 369.7201 null]
+654 0 obj <<
+/D [1933 0 R /XYZ 56.6929 477.5928 null]
 >> endobj
 1960 0 obj <<
-/D [1932 0 R /XYZ 56.6929 345.3805 null]
+/D [1933 0 R /XYZ 56.6929 453.2532 null]
+>> endobj
+658 0 obj <<
+/D [1933 0 R /XYZ 56.6929 369.7201 null]
 >> endobj
 1961 0 obj <<
-/D [1932 0 R /XYZ 56.6929 310.6805 null]
+/D [1933 0 R /XYZ 56.6929 345.3805 null]
 >> endobj
 1962 0 obj <<
-/D [1932 0 R /XYZ 56.6929 310.6805 null]
+/D [1933 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
 1963 0 obj <<
-/D [1932 0 R /XYZ 56.6929 310.6805 null]
+/D [1933 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
 1964 0 obj <<
-/D [1932 0 R /XYZ 56.6929 310.6805 null]
+/D [1933 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
-1931 0 obj <<
+1965 0 obj <<
+/D [1933 0 R /XYZ 56.6929 310.6805 null]
+>> endobj
+1932 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F14 765 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1967 0 obj <<
+1968 0 obj <<
 /Length 1945      
 /Filter /FlateDecode
 >>
@@ -8594,42 +8613,42 @@ O3i_
 ³‰1éï\³\«XûXÌΚeyn@Çœ¥iJÿ¦ê7Í~½™8Jè8•ºvµ2eàÁÀUJÎkŒñª:àÌ›{Iôç²ßmÑl·`ý¤*kGkëýÖÕ}‡Wg$\.qU×צè‰æE¿Ûf ü=ãšR7€ÕB¹»ýB(bŠ%%}r¡h©ëCŽ8†(ÎŽ™JVÎç;C´Gˆ½
»=(½;Ф	DïÀxÆØ$õÔ$ä½	··¨X7$̉ˆnw˜‘ßêùóÆÕ4Âtò²È§9Âêp‘ÉfÚ«Lfc@¤OØð]—O®Fõšÿ³®ÊïŽè®ØU¥˜`úEÑÁiJÙMZ3{{÷ž8ò€ºm!øA÷âxR³šŒ	x‰¡¾X—Lj¢7ƒw6ÏdµDãÓ*züÛ}Õ—måN£»GòcX,»nïB”Ÿø…âÀ.7€Á
³áÆN‚lF)A‘ïK¥B1”phµ$Š?(¾°© J׺E‰N¸ y,{*Œ›TCV|i@ÉsïyÍ€^5繬ª XŠ2 —Ô«‚QÕ%jUvä–¨e=á‹Â&¤ˆêk×/^ê©žb*Ëàá$@º‘¿/šz5!÷¸Ñ‘82ÿ¿(Fd	¿éɵ1&ŒÎH>ÀŽc\|a“ŽIëë³É®Z_Èll}@
^ñ}Ûßè!0\E᥮þ#:ötM0!ßmzì)¢¡,<ƒyfÇ–ò}“ÍBà§ðëºÐ Õ;(P;ØZêG¨;ZZºUÖÑ:
 7Ñ[¤ʘÐ×ìbyíòTSþ*¤Ñ›þüïŸ?}øÏkx»Åb¦˜Í¬ü:5¿ßDU)ÇŸªŸ
µƒ8Èa€\Ô¢7…r$sÍ´gõȇ½á'®ƒ“¶…ü¹ŒYÍu\¼œcN‘‚³N¦{ß`Bɺ½£/uµ0x÷‘¾ô{ƒo™1§tDm ¦«¢¥I¨í0ê¯ÂõMK`•{rÑè•ý!`zfó%5YH§Î-œ1ñ³¼eL–ÅBç£ëMÓÙ+5´‚çžy1W±»M—ª¢T£ªÊ!Å¢´¼:Ë/
ðw¿F“™C]ôª^®×"‡¤aÉ~\”,†Ïpî‰4êHi0Fë)šP´ƒ4ʧۻ˜@`eè¡¡„*œžõÐÈøîcäwH¨©Ômá/„íàÍ]tì¦}²÷/açïðãó˜áϲ“íÀ’yèÙÑo#\Ó/UB7üÀûò¼ÿÐŽž„endstream
 endobj
-1966 0 obj <<
+1967 0 obj <<
 /Type /Page
-/Contents 1967 0 R
-/Resources 1965 0 R
+/Contents 1968 0 R
+/Resources 1966 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1820 0 R
->> endobj
-1968 0 obj <<
-/D [1966 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-662 0 obj <<
-/D [1966 0 R /XYZ 85.0394 769.5949 null]
+/Parent 1821 0 R
 >> endobj
 1969 0 obj <<
-/D [1966 0 R /XYZ 85.0394 573.0107 null]
+/D [1967 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-666 0 obj <<
-/D [1966 0 R /XYZ 85.0394 573.0107 null]
+662 0 obj <<
+/D [1967 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
 1970 0 obj <<
-/D [1966 0 R /XYZ 85.0394 538.4209 null]
+/D [1967 0 R /XYZ 85.0394 573.0107 null]
+>> endobj
+666 0 obj <<
+/D [1967 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
 1971 0 obj <<
-/D [1966 0 R /XYZ 85.0394 504.6118 null]
+/D [1967 0 R /XYZ 85.0394 538.4209 null]
 >> endobj
 1972 0 obj <<
-/D [1966 0 R /XYZ 85.0394 432.7569 null]
+/D [1967 0 R /XYZ 85.0394 504.6118 null]
 >> endobj
 1973 0 obj <<
-/D [1966 0 R /XYZ 85.0394 303.3232 null]
+/D [1967 0 R /XYZ 85.0394 432.7569 null]
 >> endobj
-1965 0 obj <<
+1974 0 obj <<
+/D [1967 0 R /XYZ 85.0394 303.3232 null]
+>> endobj
+1966 0 obj <<
 /Font << /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1976 0 obj <<
+1977 0 obj <<
 /Length 3824      
 /Filter /FlateDecode
 >>
@@ -8651,27 +8670,27 @@ h
 Giß\_¾AQ?çM@#`£JU¤7ÏøJg]­T;Tˆ8I§r3À-KBnöq\‘¬ºIËlö‹;—­@‰-Úñ¦©‰ÔÙ†¿(êÓeÛ›["’¨Ò£±r™—¨\ë
›ã+‚òŸ^ŒÕPð«ÔP%z˜¸vé^àŽÿ6u±•øȱÞæËqè"™’ð)ˆYaÆw&®úâ›!=Çoß]¼œ¿{•ŒãX€Yf¡ˆ=Ô‘¥pè'> endobj
-1977 0 obj <<
-/D [1975 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1821 0 R
 >> endobj
 1978 0 obj <<
-/D [1975 0 R /XYZ 56.6929 752.1413 null]
+/D [1976 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 1979 0 obj <<
-/D [1975 0 R /XYZ 56.6929 501.191 null]
+/D [1976 0 R /XYZ 56.6929 752.1413 null]
 >> endobj
-1974 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R /F11 1449 0 R >>
+1980 0 obj <<
+/D [1976 0 R /XYZ 56.6929 501.191 null]
+>> endobj
+1975 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F53 1062 0 R /F11 1336 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1982 0 obj <<
+1983 0 obj <<
 /Length 3111      
 /Filter /FlateDecode
 >>
@@ -8693,24 +8712,24 @@ kإuߵDz*
 §Ð8”ÉNíHqª•j­ËÎ;õœòŽS‡Ú'œÚUo²`™hâQ,ÅB7÷T2èÃÂÕ5ýbtsOpT•¥MJÏøõPð E9¢à…Ÿø|èƦÎ5I=èeŸØLeÕoûòÌçuóe¥Á©´>_ÊûüNjZì5¼)g$…3ÄW·#Õwîõá‹®ŠO«æÍJ/é¦È˜0}z–EIáàE¬_­øî”BZT‘èÉsä÷/-Šç»js	ÉøêØUÜΊ½æ&@(X¿%5e†§ym»˜ÛÞ®8t.Ç{³ž˜lÜ,×™oÜzö­ÇDR¿Ö¡ÐypN(ö@å—Û%¾®-¾|]RÅ>-Ÿð
9Pf¶‚ãÙÒO6qÏ9P·K÷¬Çx1‘ìE(t­zMk;bg1G¦boS\Vâ¼4I1xo*Øç)¦+5M1NÊQÌê<ÅœUÞR̉öqŠé©7“SµØ®i,™b°DÞ†ÂÇkúEŠY­óÕ3m
¨ÉŠO„ÿ‘Ô–Á‚	“ÝQz,ò‰e°©Ï2~ì·½ÜC>Ua•a®Iןïî>}ì-·;!V½Ä’.†&¡'c?x+µìMÁ
 µ8ØLÞÛžÓÚ^ÛÕŽßÚvõ^Ó#îT¾Îo¼÷ƒLçã¯WwwöŽ> endobj
-1983 0 obj <<
-/D [1981 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1986 0 R
 >> endobj
 1984 0 obj <<
-/D [1981 0 R /XYZ 85.0394 679.319 null]
+/D [1982 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1980 0 obj <<
+1985 0 obj <<
+/D [1982 0 R /XYZ 85.0394 679.319 null]
+>> endobj
+1981 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F48 985 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1988 0 obj <<
+1989 0 obj <<
 /Length 2837      
 /Filter /FlateDecode
 >>
@@ -8727,21 +8746,21 @@ lh
 ®’ñÌÜß.äPŸøÛPðƒ®­ú8‘äF&+¶ˆ'	7øû·­Ö\ëy9-é° 0(Žd0‰ÝdYpØK¹SQ—°2»{›±=C¯Êì˜õâ3´ \פUìSnçö-Áu ?C]C-.Ô?7.¤ÊjµŽÊ^xײŸÃvôì-ÎkOY¯øvÈÛB×Ýt©†?†±×mzÔéè:ûÔª†Æç÷7¦áî‡"2ncúæÀ!œ¦Æ|éá¹%¨Û~e5‘Ï	üEpLÕ#X®ÎË\6ë9¿È×Ý‹Õöâ¶f^ßÁ¥ß|]¼”ßÏe—g?¥9¸šn¸À¬RÃ\Ý@µí6áfªsëÏÀôevÀ
¯b:ËR’‰Ûå€hã/H–Hú$€Þb;âyÊwÎ!c‹fê8ð¨Qh›3ìѬšyÚÍ”93ÁÓÐ1{L›¾%LCš±b[$+f…t+öæ”'$5Ç>ŸÕ¡OS[:uO@iÎ
 Óš8³tüÌÕÿoœ'xL:´Uœnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ€þ¹ã ”PH»sÙÿnÍþ¦endstream
 endobj
-1987 0 obj <<
+1988 0 obj <<
 /Type /Page
-/Contents 1988 0 R
-/Resources 1986 0 R
+/Contents 1989 0 R
+/Resources 1987 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1985 0 R
+/Parent 1986 0 R
 >> endobj
-1989 0 obj <<
-/D [1987 0 R /XYZ 56.6929 794.5015 null]
+1990 0 obj <<
+/D [1988 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1986 0 obj <<
+1987 0 obj <<
 /Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F21 738 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1992 0 obj <<
+1993 0 obj <<
 /Length 3265      
 /Filter /FlateDecode
 >>
@@ -8766,24 +8785,24 @@ O
 >œ¹_¨ØE›­;¬`ÁÕ’Ôß·
íðh¼1Û¢Û6Ãl­ŽëÓ· °?Ûí¶¦Q¶¿ïz¸«‚^‘RÀôK;ƒÕý¶rëä…¤UT¡é:ÝoÛMOJø¢§{0#•äò$‹pÜù©_Š)¨ÒÕä‡Bä?þÙá7r2üò>™'€÷d
 ?æ˜B±‘³n06¦2™àýÌ"Àwendstream
 endobj
-1991 0 obj <<
+1992 0 obj <<
 /Type /Page
-/Contents 1992 0 R
-/Resources 1990 0 R
+/Contents 1993 0 R
+/Resources 1991 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1985 0 R
->> endobj
-1993 0 obj <<
-/D [1991 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1986 0 R
 >> endobj
 1994 0 obj <<
-/D [1991 0 R /XYZ 85.0394 179.5067 null]
+/D [1992 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1990 0 obj <<
+1995 0 obj <<
+/D [1992 0 R /XYZ 85.0394 179.5067 null]
+>> endobj
+1991 0 obj <<
 /Font << /F37 827 0 R /F48 985 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R /F21 738 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1997 0 obj <<
+1998 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -8797,45 +8816,45 @@ xڥX[sۺ~ׯ
 ÙF¬šDÞ¶¬ÏP- HeˆTËã8¶¹½û„ï»Óº½G¯WªI¯*Uëâ•À	_¶iÇ0ˆìŠ¿üû·ÏÜü犀U:d=Üx~sƒÞÏ>Í?_ä÷•®ôÌpè;ü£áŠÌ£ž0+ëZ¥Óïjÿ¢ÊÞ¤Ý@Ä}è¨Ád‡Ý—Ûð”õ‡J‚ˆ„~·n\*Á³·kìý×ó‹nAεgßeý£×gH÷új´ÆÎÚ¾‘νÍ:ûÀtØÇ^ÙÝ	ä¼›®m0ÁOx8ûvŽáásϩɸ‹
 nþó{×mEÑÖý¦¿mò"oöçÓ1›ïK½©á|ÑŽ`$Œà1FPQ@å1ðy€‘Ü7—Óð·0šÁ©ìi8å˜îË[ôæ¢yb>N“YQVõb÷úÔŠÒ¡BS˜'l/Ó´HêzðUB,-ÚEÂû…Â'Qà·	Xfº9«/Œ~¹¬p»~VƒÏÅ€p.Ù±Ææ¢Æf¿üú!H̨<Ö÷÷‹úvIÞœÕ':}ø ‹‡à­ Â0>N×»´,’—¡]$‘at‚‚ìzëaíbeX<ûnÞ™]™J»£ñS{ûd(M‘ñáÏe<ô	ü9h2NÂSéÄôöëÛ©íÿpJ"6endstream
 endobj
-1996 0 obj <<
+1997 0 obj <<
 /Type /Page
-/Contents 1997 0 R
-/Resources 1995 0 R
+/Contents 1998 0 R
+/Resources 1996 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1985 0 R
->> endobj
-1998 0 obj <<
-/D [1996 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1986 0 R
 >> endobj
 1999 0 obj <<
-/D [1996 0 R /XYZ 56.6929 581.7741 null]
+/D [1997 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2000 0 obj <<
-/D [1996 0 R /XYZ 56.6929 460.6765 null]
+/D [1997 0 R /XYZ 56.6929 581.7741 null]
 >> endobj
 2001 0 obj <<
-/D [1996 0 R /XYZ 56.6929 366.7195 null]
+/D [1997 0 R /XYZ 56.6929 460.6765 null]
 >> endobj
 2002 0 obj <<
-/D [1996 0 R /XYZ 56.6929 293.4426 null]
->> endobj
-670 0 obj <<
-/D [1996 0 R /XYZ 56.6929 247.3727 null]
+/D [1997 0 R /XYZ 56.6929 366.7195 null]
 >> endobj
 2003 0 obj <<
-/D [1996 0 R /XYZ 56.6929 211.2315 null]
+/D [1997 0 R /XYZ 56.6929 293.4426 null]
+>> endobj
+670 0 obj <<
+/D [1997 0 R /XYZ 56.6929 247.3727 null]
 >> endobj
 2004 0 obj <<
-/D [1996 0 R /XYZ 56.6929 172.539 null]
+/D [1997 0 R /XYZ 56.6929 211.2315 null]
 >> endobj
 2005 0 obj <<
-/D [1996 0 R /XYZ 56.6929 96.3402 null]
+/D [1997 0 R /XYZ 56.6929 172.539 null]
 >> endobj
-1995 0 obj <<
+2006 0 obj <<
+/D [1997 0 R /XYZ 56.6929 96.3402 null]
+>> endobj
+1996 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F53 1062 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2008 0 obj <<
+2009 0 obj <<
 /Length 4192      
 /Filter /FlateDecode
 >>
@@ -8857,24 +8876,24 @@ O
 ÓqŒ'\ò̵î9'Ýȇÿ’J§YnìÙãdªTèÔ—Xj¨}-½%Ð|¡’®œxãÄM5ghêŽ,Ó†Nì4&Ä„9<¯yšéü)S‰ÉÓxÀö÷3ç,¶?g™<^Ä[T…‰Ã¼žft†ìÏîA¦0D¬Y^|m'NX§gOür	N2ÿÆ[q#Q¤-›“«p’ž
 ?B£ ‚Ø{Úè€äN-(_í/ËŠéêS¦!$ë¯U~˨dÊôlÃæÉ×Öj‚ fö&4(' úuùRõ™;‡i¿¦k~ŒðÉgêù.—Ögë¡Y¢Sm¿&%˜E%™µ£"}x•s(`Îß겉Ìss9ÛSâø®*îV¨6+*gS8`‚jÚ> endobj
-2009 0 obj <<
-/D [2007 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1986 0 R
 >> endobj
 2010 0 obj <<
-/D [2007 0 R /XYZ 85.0394 751.6872 null]
+/D [2008 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2006 0 obj <<
+2011 0 obj <<
+/D [2008 0 R /XYZ 85.0394 751.6872 null]
+>> endobj
+2007 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2013 0 obj <<
+2014 0 obj <<
 /Length 2016      
 /Filter /FlateDecode
 >>
@@ -8885,48 +8904,48 @@ xÚµ]
 Ø‹¯{È5žì-
¡o§/ÁÛ*VNÅä”Wþt™…1ŽûéövñÑô|…òë;U¯ß•MÝEã[ܧ¼œÏÍýf—÷ogðMºÓÉ”è4iÛ
6(4°s«±0r1@ka†}˜íŠ渃›¼9>ã©mrÊêÁCEÑNûvü/êý%Ï|s†Qµ¦òšYèÚøè`]1€Ãj@_5À5–g\°ô Ë²g¸ø÷˜àUÅÐìǹ®ŸÒëêqHv\]ã½Ùª³äç²f½c F›
 hž¯‰Ö"]ÊÖoŒ"¤ß¦º²-!“­µ~`€4J‹ùYiì(-`‚™qE<'ÙÉ.‹­·&È iè»áåk*oŸB'ÇúÉŠSäg>Í¿óXê8‚-±ùVc—&RÁt7"ûe³ç-öã6l 3Åú‚εš+ZJÚGج‡’æ•Ê«´†¤‰^{Á†:«Ÿ=–Ãm2ýÛ¯Ûç‡ü0FLê÷ÐĬ­PZ'„âË€°ïà—²ÿƒ¹ß¦endstream
 endobj
-2012 0 obj <<
+2013 0 obj <<
 /Type /Page
-/Contents 2013 0 R
-/Resources 2011 0 R
+/Contents 2014 0 R
+/Resources 2012 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1985 0 R
->> endobj
-2014 0 obj <<
-/D [2012 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1986 0 R
 >> endobj
 2015 0 obj <<
-/D [2012 0 R /XYZ 56.6929 684.0716 null]
+/D [2013 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2016 0 obj <<
-/D [2012 0 R /XYZ 56.6929 572.8605 null]
+/D [2013 0 R /XYZ 56.6929 684.0716 null]
 >> endobj
 2017 0 obj <<
-/D [2012 0 R /XYZ 56.6929 509.4701 null]
->> endobj
-674 0 obj <<
-/D [2012 0 R /XYZ 56.6929 470.2699 null]
+/D [2013 0 R /XYZ 56.6929 572.8605 null]
 >> endobj
 2018 0 obj <<
-/D [2012 0 R /XYZ 56.6929 433.5878 null]
+/D [2013 0 R /XYZ 56.6929 509.4701 null]
+>> endobj
+674 0 obj <<
+/D [2013 0 R /XYZ 56.6929 470.2699 null]
 >> endobj
 2019 0 obj <<
-/D [2012 0 R /XYZ 56.6929 401.47 null]
+/D [2013 0 R /XYZ 56.6929 433.5878 null]
 >> endobj
 2020 0 obj <<
-/D [2012 0 R /XYZ 56.6929 335.1577 null]
+/D [2013 0 R /XYZ 56.6929 401.47 null]
 >> endobj
 2021 0 obj <<
-/D [2012 0 R /XYZ 56.6929 244.1508 null]
+/D [2013 0 R /XYZ 56.6929 335.1577 null]
 >> endobj
 2022 0 obj <<
-/D [2012 0 R /XYZ 56.6929 168.8052 null]
+/D [2013 0 R /XYZ 56.6929 244.1508 null]
 >> endobj
-2011 0 obj <<
+2023 0 obj <<
+/D [2013 0 R /XYZ 56.6929 168.8052 null]
+>> endobj
+2012 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2025 0 obj <<
+2026 0 obj <<
 /Length 2160      
 /Filter /FlateDecode
 >>
@@ -8937,36 +8956,36 @@ xÚ¥Y[{
 g…¼±º6Éskc`©2ä„zÛ’Pmò¦ÉÒƒ)ñ(Tǃ©+õr0µR&˜â¡Ê(„º!åq•^hDe/L0²õUž—«b—j"²(øuyñÚŸŒñôè.+³mÒäåŸ.íÓRjU™gZ#mYük* šûj×X±æ>w[VM^•:| øª²x¶Ë:sz†ÀzxŸ¶e›^´³ÅÖ†Jš­“]1ðÎù•d'Ç‹A×#þ>ò?¡U‘{Å[©#ÞòRÆ[cÞ"ˆqéª"{ÌŠCo…ˆJèº"k¥F õ½EaÚ2k†^J³ÛÝÝmF`j!—³õ½ÂåÕ5\ƒA1ÑWH&¡9íÝpñKüéËåb$Éã	4߈Hfot~4
	nwyaò õ8H°ü)†ghWmA\íô×fUckê5Úм`î«ÊEöW²y€h]Uô:œwRJ€Î‘Š¢ýÅsÏ!²O2-V€SEõäl—ƒj3ó	*[ÄÅð‚á{ž§jW¤ý*¯ë]–¾9îkRkÀ´¬ël5Këõ¶Ú˜ûwˆq0£öùöã¶m‹|8
 Ôôi®TV›ÚÏ–+ù÷ì
À»È¦À_¬£Ý¢Ö~ÖO‹Õ…[±“E|ËXò¹:ÅóX…’†süRÇJÄs5ŸŸÒ9lÊ¡×*üÌœÛàè¸áƒXÄxñ1rã>«ÏÎ/Ëcœ–Û1Òãs·EÊìmQ/@ñÏïJSûavûlŸMçs;€6£lL6]Ùþb¬Å"УsŸ÷/Jø‡Þ%Iò.×ÿF@CŽx&cv•C¦-,Zs„)	2;5%ñ€’HI%{ú-û9‘j¤ê_þöØ>ç!>¥-úßs— Ü-É÷K·®¸(€@@Weë†àw'øa%–~_Œt~r‚Ý̃;™§ÅHì»ÿ7ÿ¸4ì]êf«cëP\Ù9åoüaÌãhcy4ÜÂГ¬º÷vO`ïývPX„QHi?‚>ÄSB£àÛ"ÖyÿæõXŠG[¼lkíïʼ
,ÍŽü1ëµi¿SÊ{N­¼«]™ê·nÃÇÌm‘»ËžÞ¿òº©ÑRÅr±°ŸÄ—Ëϯ—Áqþj&0î_ê\¡šÎk³/‹z¤ÓU‹yÎϯNõ&8ˆì#N7y	‡€²!wlÙ+Q¹rÁÿ))wñI1VC‰¸iËÖC)ÈNÀ^e@…§æ’ÿííôÍèÕíÐÈv•¤·ÍRŒ#I8í.p4fRqœÿ^¦G‹øëÍOŸ¯_§ýyÙdÛÒ§¥å3\Ê7.}¨ÊºÚ6ùnóÒ_A †õŸ.FÚDÜ"ü¿ÿB²ÿc—ˆ)EÇûM†uö‰ˆ¥G(Bp÷ŠÊìÿK X,endstream
 endobj
-2024 0 obj <<
+2025 0 obj <<
 /Type /Page
-/Contents 2025 0 R
-/Resources 2023 0 R
+/Contents 2026 0 R
+/Resources 2024 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2026 0 obj <<
-/D [2024 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2033 0 R
 >> endobj
 2027 0 obj <<
-/D [2024 0 R /XYZ 85.0394 463.2352 null]
+/D [2025 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2028 0 obj <<
-/D [2024 0 R /XYZ 85.0394 318.8302 null]
+/D [2025 0 R /XYZ 85.0394 463.2352 null]
 >> endobj
 2029 0 obj <<
-/D [2024 0 R /XYZ 85.0394 224.0131 null]
+/D [2025 0 R /XYZ 85.0394 318.8302 null]
 >> endobj
 2030 0 obj <<
-/D [2024 0 R /XYZ 85.0394 159.9229 null]
+/D [2025 0 R /XYZ 85.0394 224.0131 null]
 >> endobj
 2031 0 obj <<
-/D [2024 0 R /XYZ 85.0394 83.8775 null]
+/D [2025 0 R /XYZ 85.0394 159.9229 null]
 >> endobj
-2023 0 obj <<
+2032 0 obj <<
+/D [2025 0 R /XYZ 85.0394 83.8775 null]
+>> endobj
+2024 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2035 0 obj <<
+2036 0 obj <<
 /Length 2602      
 /Filter /FlateDecode
 >>
@@ -8985,39 +9004,39 @@ z+
 „êþ[®
  ÈDÕ‚+n{Ò¥·ïŸj.=ý÷òÀ¥%̓âÿý/öö?{x<÷ý,Ðl…Ò‡£Œí9û÷®ììDëóendstream
 endobj
-2034 0 obj <<
+2035 0 obj <<
 /Type /Page
-/Contents 2035 0 R
-/Resources 2033 0 R
+/Contents 2036 0 R
+/Resources 2034 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2036 0 obj <<
-/D [2034 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-678 0 obj <<
-/D [2034 0 R /XYZ 56.6929 769.5949 null]
+/Parent 2033 0 R
 >> endobj
 2037 0 obj <<
-/D [2034 0 R /XYZ 56.6929 744.6864 null]
+/D [2035 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+678 0 obj <<
+/D [2035 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
 2038 0 obj <<
-/D [2034 0 R /XYZ 56.6929 713.4673 null]
+/D [2035 0 R /XYZ 56.6929 744.6864 null]
 >> endobj
 2039 0 obj <<
-/D [2034 0 R /XYZ 56.6929 650.1002 null]
+/D [2035 0 R /XYZ 56.6929 713.4673 null]
 >> endobj
 2040 0 obj <<
-/D [2034 0 R /XYZ 56.6929 556.7542 null]
+/D [2035 0 R /XYZ 56.6929 650.1002 null]
 >> endobj
 2041 0 obj <<
-/D [2034 0 R /XYZ 56.6929 454.3841 null]
+/D [2035 0 R /XYZ 56.6929 556.7542 null]
 >> endobj
-2033 0 obj <<
+2042 0 obj <<
+/D [2035 0 R /XYZ 56.6929 454.3841 null]
+>> endobj
+2034 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2044 0 obj <<
+2045 0 obj <<
 /Length 2826      
 /Filter /FlateDecode
 >>
@@ -9037,24 +9056,24 @@ z
 GK!ð€f$°™(µµ WR·Â¤g^m_*5,‹ª\ˆeS
 ŽÔÎSÿB`ÒÁM^áL€[eïn\efàÞöÓ
"×U«o>Î'×%Ü·_AØ8ô|õúÀÏ0îË¿xé1+±ï7ûkvFÆà„ÉW'F 8±40BI•BêŠÎYâó„Æ=²ÿ¶	ÐJendstream
 endobj
-2043 0 obj <<
+2044 0 obj <<
 /Type /Page
-/Contents 2044 0 R
-/Resources 2042 0 R
+/Contents 2045 0 R
+/Resources 2043 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2045 0 obj <<
-/D [2043 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2033 0 R
 >> endobj
 2046 0 obj <<
-/D [2043 0 R /XYZ 85.0394 373.7264 null]
+/D [2044 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2042 0 obj <<
+2047 0 obj <<
+/D [2044 0 R /XYZ 85.0394 373.7264 null]
+>> endobj
+2043 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2049 0 obj <<
+2050 0 obj <<
 /Length 2078      
 /Filter /FlateDecode
 >>
@@ -9073,45 +9092,45 @@ V
 Ï:îy‚,4Ì’	WA}r\<\)œlÄSТH¿øâ6¸@Ì(î²ÌzYêR§|Þ{y
 °*$º”Ž\'á–‡W4Ø:媺ÀÓ„KúšÖEé\×èU%Y·U¬~Kìò•ÒzV5HðšfæYÕvš€ôÍíŠlÕù%ƒ6!b2˜¹zÞ*ݲÓ”	Ù·È
å¶cÞìn³»¡ca¿Ùn¨Å|vc(½½ÅH"m×E²45þ0‡¢ZAØzÇVvažÍ
ÃkjWšM¡‹YÀˆA_çtYèæÓõj}yÕ¨®ÁÕ³\µô¶\l®îaì\SEA$EßÐÂ"bÙ¨üÝ6Çε««³ÛÆSQÝE$¨{ÁJIøPm¨¹d™ïv•!è—-¤L}ͨi5‹ºô4ü«KœˆÙ†PîŽEi©¤\n:ü«}ÑkÛ
@Ì“H¶3i}waú÷ÖEöçMZ±õß~ÙÃxPõ
xÿE6DýCŠ§†EuLø׿לn"™Žñ©nŸ¨à!,ŽœR
LØ™êî—sÝÿ—!£ªendstream
 endobj
-2048 0 obj <<
+2049 0 obj <<
 /Type /Page
-/Contents 2049 0 R
-/Resources 2047 0 R
+/Contents 2050 0 R
+/Resources 2048 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2050 0 obj <<
-/D [2048 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2033 0 R
 >> endobj
 2051 0 obj <<
-/D [2048 0 R /XYZ 56.6929 751.6284 null]
+/D [2049 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2052 0 obj <<
-/D [2048 0 R /XYZ 56.6929 518.1706 null]
+/D [2049 0 R /XYZ 56.6929 751.6284 null]
 >> endobj
 2053 0 obj <<
-/D [2048 0 R /XYZ 56.6929 438.1556 null]
->> endobj
-682 0 obj <<
-/D [2048 0 R /XYZ 56.6929 395.7108 null]
->> endobj
-1580 0 obj <<
-/D [2048 0 R /XYZ 56.6929 357.6038 null]
+/D [2049 0 R /XYZ 56.6929 518.1706 null]
 >> endobj
 2054 0 obj <<
-/D [2048 0 R /XYZ 56.6929 324.0611 null]
+/D [2049 0 R /XYZ 56.6929 438.1556 null]
+>> endobj
+682 0 obj <<
+/D [2049 0 R /XYZ 56.6929 395.7108 null]
+>> endobj
+1581 0 obj <<
+/D [2049 0 R /XYZ 56.6929 357.6038 null]
 >> endobj
 2055 0 obj <<
-/D [2048 0 R /XYZ 56.6929 253.0794 null]
+/D [2049 0 R /XYZ 56.6929 324.0611 null]
 >> endobj
 2056 0 obj <<
-/D [2048 0 R /XYZ 56.6929 140.1638 null]
+/D [2049 0 R /XYZ 56.6929 253.0794 null]
 >> endobj
-2047 0 obj <<
+2057 0 obj <<
+/D [2049 0 R /XYZ 56.6929 140.1638 null]
+>> endobj
+2048 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2059 0 obj <<
+2060 0 obj <<
 /Length 3033      
 /Filter /FlateDecode
 >>
@@ -9134,24 +9153,24 @@ F
 %by>'^ ®^1ó.jDœux‚:2óò7åÜýC‘=žØ¸LüH)5ÎW‹`¬gãò#F}Îæöç
rŠžÿUöGP¡²Gš´T}˜´Àk•‚Ú7ø.øPŠÓw?~`NóK&ÎV¥ý
¦ƒ{,ó?û\Qn~΢$:z”êþŠÏ|¶cëcÃEÂÜ=;ZˆyኹûüeöûO³³*Ç~€¿ÿÛÂ4ò_²úòñÄü"?Ò:¥ç0§ôúdØ*îÑûØ) [ë92®åž·uë£xÀ&£5'yyÓÿ½_vÁ¼iºvá·›§¹±±\rúù螦Wþ¹ÿ’QÚÇm™hÿmåÿþšÃ
 …±¯’äÌC¨3¸ÈT:¦Pú¯³Þþ¯Í)ïÿ¥¥ôþendstream
 endobj
-2058 0 obj <<
+2059 0 obj <<
 /Type /Page
-/Contents 2059 0 R
-/Resources 2057 0 R
+/Contents 2060 0 R
+/Resources 2058 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2060 0 obj <<
-/D [2058 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2033 0 R
 >> endobj
 2061 0 obj <<
-/D [2058 0 R /XYZ 85.0394 751.4437 null]
+/D [2059 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2057 0 obj <<
+2062 0 obj <<
+/D [2059 0 R /XYZ 85.0394 751.4437 null]
+>> endobj
+2058 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2064 0 obj <<
+2065 0 obj <<
 /Length 3128      
 /Filter /FlateDecode
 >>
@@ -9174,66 +9193,66 @@ g
 #ì6§8x:§dD†::/0W³³ì½±*†S~)!t[C‚‰ež­©gÃpÍt+¨:Ì´¿ºêÖ“–óXAÆÿÝ-ïI‚ô®ÏQ`gS«¢­X0\†$¨mæßU#X©þóÒÀÖZ`Ùö?Px|µûMÂ?ïkŽw^µÐ@’[Î_j©ÄˆHºhŸê°î¨¬“þzòrBGþ¡šÛ­ìÖ”‚¡ŠË×Q
Øs×iãÊž€ì®S§Ú$µÑMìÒíg˜Ìh„>"$)çÐSÎ/`|½™,‹fa›îù7Ø5£Õ_Ïím
 M[ŸËB\yE¬[Ô¦&†\âÍŽ÷į†:ÖìçÁ!•ÓåfF ×ìâµssÚŠÀ/XàÅÇÃ^»ùÌ6cd÷mÖȬí86rÿÞÛp¨Wls¥“c¾#Çø3µ]*
}ª‰A"ä4à+'¶w×&W{wà;çoàËê
›Ãv(†&:aÕ;pTÖ®O~U;f‘€ä28.^G5 _ÏB	#¤	=ù3…qטư`O%0¡³ƒ•µìîýŠÚ	dèñðó`$‚¨Äp'&w·Â=Qœù{8ñ$KNbµs‹¿…{3ÞÒÄ™OìðîÏa¢FŽ°¢YÆ5ô,®C£	×@B¸F‹ë@¦ŽWL¸ö׳¸†¶Ã5L®a°ãÄH†##ÂñÎÿ×q, ï8áÞ=¢#ßñ™È‚úçaPK©ôƒjHWÃØ®#Ú—nÓ¡N’žxéÄ]&ÒA:!׎­ƒ´OEÀKø.0!ïÐœ0ó×ê»u>Ú:q>Ü­*½Ç[9P'rêD$:
úGÁ?È^^\@wW…}	2÷­»%Y.ûËž]x)Aç,Ù,üŸ6ìó`ïï•l%ȱ‡~v…§þÀHvuÏÿý“¬íOÏÂÜBrà‚q¼2ŒœP¨]¥£}“ÁËïHÈþvžušendstream
 endobj
-2063 0 obj <<
+2064 0 obj <<
 /Type /Page
-/Contents 2064 0 R
-/Resources 2062 0 R
+/Contents 2065 0 R
+/Resources 2063 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2032 0 R
->> endobj
-2065 0 obj <<
-/D [2063 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2033 0 R
 >> endobj
 2066 0 obj <<
-/D [2063 0 R /XYZ 56.6929 281.7838 null]
+/D [2064 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2062 0 obj <<
+2067 0 obj <<
+/D [2064 0 R /XYZ 56.6929 281.7838 null]
+>> endobj
+2063 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2069 0 obj <<
+2070 0 obj <<
 /Length 2171      
 /Filter /FlateDecode
 >>
 stream
 xÚ¥YM{Û6¾ûWè°úI‰Ä‰Þd[IÝÄNÖR¶Ýmz $ÊâS‰tEÊ®÷×ï>(R¢$ïnr ƒw^ÌÅþ³A"	åZb-ˆ¤Lfë:x„w/˜“	½PØ–ºš\¼ÿÀã&ZEj0Y´t%„&	Læ¿ï_G÷7·¿^†‘¤Á¹%¥ÁÝðþÛð³ûz©£`øq4¾™ÖB€B1Eƒ›ûñxt>ŒþñåÓèò÷ÉÏ£IcVÛtF9ÚôçÅo¿ÓÁNðó%\'rðPŠ£ÁúBHN¤àÜϬ.Æo¶Þš¥}P™	5A˜J™ôFáÆ‚!dܱ>À¼ÞâAß²%©‰J¸å(1Oëì}¹XTY½	S”ˆXñA{ãó©ûxkW¦$—q×ÀqVW—!ç,¨—™ E8¢AYØ™—e>[îIý‘½ÚAî×—vÑÔ	l.YdunŸs$äÁpQg+X/Óz·ã0”}ú_òÕÊŽªºÂ&øMÉX(0¢¥ŒÌ™òb¶Úγ¹ed^اьƒ—î†Ãé¶vBîi7ÃQQº©©[¶­¼F<)>«ü±ðËÉ¡k”Ö„‹äµÚRÇ©ÕHjÝôP‹áí‰ßB-A­“Óæ5R=öu©¥	„Ö5ÐR+Š¸ƒ–Z8BjEQä©Õ‘2®ÇAî×—öi\‹æÙ*«
¥8ežRVRÊï„NŽ’½ÎË0*œæUY<‚Ë)8PÑsÊF>Ï‚7pÍb4øN%½uZ§¯v`/Ã:õXɧ²ÊërózÉi—åKöÆÆ" °	³4Â4w`1#A4UÙ¸„I­Ì!>ŽîGCŒÐ“ÑUöiôϱSÐö(
’p&ìúe™Í6;©HƤòt+ª*›…p‚ÇFº­Hî„gåú	ˆŽuPmg³¬ªÛÕjwÖ$¶÷2¡ÁÓ&/j'›Ú©ª†¹G;U.윅&åfmMƒ9…±fΈOü#ïÒ4}—ã¿£!û‰Hj·ÀÔã>†+"JH$¹ê ªN‹yj<èˆRnë§mí˜1Yb£ûÝ3õt˜gE§4š¥u^ºÙæ¤0†ƒcŒaËÔi7d›Ô\”#ÙVj`GœD§…¶”¹üL´‚aÂ[ºï”Å1‡'•ˆOïÚHnÛq%£0†ÔÝÙýÙãÄHA½Ó=æ‡é:;U“X3uª–Ô	¨¼Ôy¨NíÚ‚jÛ~¨ÚÛéû‚Z"@Ul×Ù&Ÿu"”}T@ÜeÍ…l¯LWå&¯—ëãCÜUÎÎÜ’:°—:ð©][ïoÛp{Ûc…G„lj:ËÆ],ÈÜ•ÇŒâ¯ÿ¢,k1žØœ Q)d	a‰’oŠÑ1…EÚ7³¾MM˜æ\õ‹)òd€f­²Êmòi½´x…*+2MMÁ„³¶Ž¾¸“6œû·6¼‘¾p­8‰it$Z„êð “4ïÄäY	Í‹}¸Ÿ¶Ó•'4êkåYˆá=61̬ǃ=csh˜ˆ£¸Éýæ¸õ{ˆÍ58'QQÜõèd™õY	¹6ŠýfG‚°¨õ¹ÍºK*Õ²ÿJñcÿfÿ†šÁ,=f¥Ït8çªzT‚Y
¦# 0ÛX·Ã,0 léW¦v²£¶)Hú¹k"fõêÕªÂk€oóvJþv{ºÔ¬ ÍJöXpýùÛÍÈgUzµnV=ç¡…Icæ똭É>¼‚µá­ÐVOÙÌf+g.ÿj^aï”DÁsj˜/§Ïy¹uËá>oaù«}ånlUær*¬‰M‡æÔyæeæÖc£c‹ÁÞD±.`Ëô9kW«vìO]uó”mÖyUAôïÅñª'õ) ÀdòGc¢„ö! ÿJ‚G êª7yDÊ&º¹(Ä2°Õ‚«]ádß™šÕëzÕ&âŸY1Û¼>Ù¤‡ËG:PÔ.v7óÓÝðÚÑãÃʲ÷ÝtÑJü¦7(·ËqQéöµ?šQûçdV@{Ò×7ÐnÃ0úux÷õóè|ƒ0Á¦‹cèÍ
z—o$ôó0Èì|j±J©©U9
nÆC;k­å¾Àõ_pf^š~Éú=éøáUôÕJöWŠ=Ö¢¯û$–Meƒ û„„›-ÊÕª|±U6l	*ÖUüQnWs;?uâ@öm6ÿ±Ç¦0RŠ$ÌÈ»¡¢4Sû4˜‰©}@nÂIþëËýÈŽN±¹vª	_Æç»Óàwéš*Ç‘ÃN㠄ÞªïÈ{·ýSËHòŽRþ.RLÑóöÞšt!}À¢Â÷‡žò&PÒsööÖSë]îí”5fÇÌnèCÂaŒàH™öÁêÈÄ0üŒ¢>Ä ckÚ$ãf,¸ÆÞY²ý’¦³ù‰ÚƒCà£Ê§¢Þ›6B.XoŽG.]?¿œÎøeÓ9&ïó«s!×í¯Z	I´ôF]ÝÞ»OÚm8_çEŒLk_ô>d‹Ìú®˜9RޥŒRèЙ+¥šhrI“È>\[ÐÎë}²#zà¿V—ù¿«ûê€ôü¬º~sè”KÛ!~ømòÓ—‡óž½…‚}Sd.^Œ_+(ž\õz
ÅF¹©óíz·/äv¡|Jë‹ìç+¢ /PfŽ+›ì¹ü#óu˜F#m? ÞC3qÄ0M¨ŒX›r–F•m–¢(v¶z£›Hf‚pt›úï&¾wu±Ðþ\±Ë¥GÚV0eèiiƒþÿýcÆ®ÿ1áIë›H·µ„~•sèNœQà¾oºä	z2î±ý?öÊsendstream
 endobj
-2068 0 obj <<
+2069 0 obj <<
 /Type /Page
-/Contents 2069 0 R
-/Resources 2067 0 R
+/Contents 2070 0 R
+/Resources 2068 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2077 0 R
->> endobj
-2070 0 obj <<
-/D [2068 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2078 0 R
 >> endobj
 2071 0 obj <<
-/D [2068 0 R /XYZ 85.0394 644.0913 null]
+/D [2069 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2072 0 obj <<
-/D [2068 0 R /XYZ 85.0394 395.8255 null]
+/D [2069 0 R /XYZ 85.0394 644.0913 null]
 >> endobj
 2073 0 obj <<
-/D [2068 0 R /XYZ 85.0394 249.7608 null]
+/D [2069 0 R /XYZ 85.0394 395.8255 null]
 >> endobj
 2074 0 obj <<
-/D [2068 0 R /XYZ 85.0394 188.487 null]
->> endobj
-686 0 obj <<
-/D [2068 0 R /XYZ 85.0394 150.7575 null]
+/D [2069 0 R /XYZ 85.0394 249.7608 null]
 >> endobj
 2075 0 obj <<
-/D [2068 0 R /XYZ 85.0394 118.2791 null]
+/D [2069 0 R /XYZ 85.0394 188.487 null]
+>> endobj
+686 0 obj <<
+/D [2069 0 R /XYZ 85.0394 150.7575 null]
 >> endobj
 2076 0 obj <<
-/D [2068 0 R /XYZ 85.0394 83.2494 null]
+/D [2069 0 R /XYZ 85.0394 118.2791 null]
 >> endobj
-2067 0 obj <<
+2077 0 obj <<
+/D [2069 0 R /XYZ 85.0394 83.2494 null]
+>> endobj
+2068 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F14 765 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2080 0 obj <<
+2081 0 obj <<
 /Length 1617      
 /Filter /FlateDecode
 >>
@@ -9247,48 +9266,48 @@ w3n
 !‘í]ÜÏÿµá®Ú{Ú€E…D†ýø÷]°Ç?öåÏQ»:ú<ÔŸômÏC±—gQW¡4êóümO:‡ß;"Ì©ÿ<ç
 ·gù‡ß_Sâ”> endobj
-2081 0 obj <<
-/D [2079 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2078 0 R
 >> endobj
 2082 0 obj <<
-/D [2079 0 R /XYZ 56.6929 748.8989 null]
+/D [2080 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2083 0 obj <<
-/D [2079 0 R /XYZ 56.6929 686.2194 null]
+/D [2080 0 R /XYZ 56.6929 748.8989 null]
 >> endobj
 2084 0 obj <<
-/D [2079 0 R /XYZ 56.6929 608.6199 null]
+/D [2080 0 R /XYZ 56.6929 686.2194 null]
 >> endobj
 2085 0 obj <<
-/D [2079 0 R /XYZ 56.6929 351.8621 null]
+/D [2080 0 R /XYZ 56.6929 608.6199 null]
 >> endobj
 2086 0 obj <<
-/D [2079 0 R /XYZ 56.6929 286.2178 null]
->> endobj
-690 0 obj <<
-/D [2079 0 R /XYZ 56.6929 245.4515 null]
->> endobj
-1581 0 obj <<
-/D [2079 0 R /XYZ 56.6929 211.6394 null]
+/D [2080 0 R /XYZ 56.6929 351.8621 null]
 >> endobj
 2087 0 obj <<
-/D [2079 0 R /XYZ 56.6929 175.276 null]
+/D [2080 0 R /XYZ 56.6929 286.2178 null]
+>> endobj
+690 0 obj <<
+/D [2080 0 R /XYZ 56.6929 245.4515 null]
+>> endobj
+1582 0 obj <<
+/D [2080 0 R /XYZ 56.6929 211.6394 null]
 >> endobj
 2088 0 obj <<
-/D [2079 0 R /XYZ 56.6929 106.7098 null]
+/D [2080 0 R /XYZ 56.6929 175.276 null]
 >> endobj
-2078 0 obj <<
+2089 0 obj <<
+/D [2080 0 R /XYZ 56.6929 106.7098 null]
+>> endobj
+2079 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2091 0 obj <<
+2092 0 obj <<
 /Length 2859      
 /Filter /FlateDecode
 >>
@@ -9308,30 +9327,30 @@ jR
 5:\9°Ëø«ð‹"ü›¼?ëü,—ÿ°¿ò•¯A_Èb•ˆóê9®ýúø“,–Jõ4ø6J@Ã^"üÅâÏç2·œð‡=

šSË›»t¿”ÂP8šõmã|{Ûȃ¶sM‡EÉ$çª_ˆ¿H׉¯ü¿%@|¦RžG–ÇtX–ÉÿÜkø›õºì—fYzV7Çt¬Üaîƒâ‹÷´3EC¨aŠ*<¬èq‘+ª|.óÙLPY…=
=µ`м¨
 J|øQÑVNZ„®œÌL×ôñíX®ñ/´j#¹jêe±uI0ûï’„¦?žLˆÃ‹
sëüÙ„ëÜ<ý!ˆ87M[êûPlû¶endstream
 endobj
-2090 0 obj <<
+2091 0 obj <<
 /Type /Page
-/Contents 2091 0 R
-/Resources 2089 0 R
+/Contents 2092 0 R
+/Resources 2090 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2077 0 R
->> endobj
-2092 0 obj <<
-/D [2090 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2078 0 R
 >> endobj
 2093 0 obj <<
-/D [2090 0 R /XYZ 85.0394 752.1018 null]
+/D [2091 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2094 0 obj <<
-/D [2090 0 R /XYZ 85.0394 591.9521 null]
+/D [2091 0 R /XYZ 85.0394 752.1018 null]
 >> endobj
 2095 0 obj <<
-/D [2090 0 R /XYZ 85.0394 346.8082 null]
+/D [2091 0 R /XYZ 85.0394 591.9521 null]
 >> endobj
-2089 0 obj <<
+2096 0 obj <<
+/D [2091 0 R /XYZ 85.0394 346.8082 null]
+>> endobj
+2090 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2098 0 obj <<
+2099 0 obj <<
 /Length 2259      
 /Filter /FlateDecode
 >>
@@ -9343,48 +9362,48 @@ xÚ¥Y
 èðñ¨O®ofWÝÌúx/«Ã€†­–žæ!%¨8gº)À©vWÑüˆŒ'™⫶ŸYÁ©á>°1o¦f“[3gøêÂÔÖ©Óm)TjºJ·‹¬oV9’Ym¯Pg›²ª¥y'ß½Û`‹u1þ*2ÖγˆëþƒºCcÀc»ÉX{·MÒlkó=SõK]ê<ÛÖKãèÊ,·vZ7aÒ2?˜U¼¿yI3Ÿ×ŸT™DÆo/|qcdçÏâ%/Rë5h¨Ílb{–²vƒOoÀu*"Û¿€Ï²jT­aÛbµ«Ù T¡p-DÝýè–bæ²zWR8}ÉSwré¾&Cá.Ï@D«Æ§FˆFÜå=Õh*²¶Og{w‰kÝ9X,¥>Pp@Ï)LönH§Óëëú(‰zoŽÒä®Ôá®_+¥+Ôd¯'ª_6qܤò˜t¥¢=“ÿÒí_x—Û]ÒtWŒ@˜ÛÃ>Ø%8V­Âø6©#Ø8)ÍÂ×UÝ}
+„®c’#ABvÜ1'äqŒXI,aµçÙÌu=]G¹½PÖÙXÔžù[mpzÛï`'æäD÷}'t¤ùn…4–W{q«˜²£öœÌ¾½Þs""˜èÙ»ªVkÈ…Oy‘7f”«^išýtD”Œom ™_~P• ¤]žù!ð<¶Œ ÁZ–«-ýå9`ÇH[c¸L¢ì«Ÿ´iš›^åúç—}·Dˆ„”.k¥õ§úÌèÃNA²/]Et#’lÅ»ÝdKŸQõÆz™»*Ò̮هqšû|2"ðø¸]žæÀ9¤dÝ>ïg@@…ù•Àm†þ¿"Üý
 e"ôÇ,¼=AalRŽŠ÷/¥ý1qß÷ÿɾ,Áendstream
 endobj
-2097 0 obj <<
+2098 0 obj <<
 /Type /Page
-/Contents 2098 0 R
-/Resources 2096 0 R
+/Contents 2099 0 R
+/Resources 2097 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2077 0 R
->> endobj
-2099 0 obj <<
-/D [2097 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2078 0 R
 >> endobj
 2100 0 obj <<
-/D [2097 0 R /XYZ 56.6929 752.3759 null]
+/D [2098 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2101 0 obj <<
-/D [2097 0 R /XYZ 56.6929 596.2077 null]
+/D [2098 0 R /XYZ 56.6929 752.3759 null]
 >> endobj
 2102 0 obj <<
-/D [2097 0 R /XYZ 56.6929 535.8202 null]
->> endobj
-694 0 obj <<
-/D [2097 0 R /XYZ 56.6929 498.7066 null]
+/D [2098 0 R /XYZ 56.6929 596.2077 null]
 >> endobj
 2103 0 obj <<
-/D [2097 0 R /XYZ 56.6929 462.9408 null]
+/D [2098 0 R /XYZ 56.6929 535.8202 null]
+>> endobj
+694 0 obj <<
+/D [2098 0 R /XYZ 56.6929 498.7066 null]
 >> endobj
 2104 0 obj <<
-/D [2097 0 R /XYZ 56.6929 431.7394 null]
+/D [2098 0 R /XYZ 56.6929 462.9408 null]
 >> endobj
 2105 0 obj <<
-/D [2097 0 R /XYZ 56.6929 368.4301 null]
+/D [2098 0 R /XYZ 56.6929 431.7394 null]
 >> endobj
 2106 0 obj <<
-/D [2097 0 R /XYZ 56.6929 251.2316 null]
+/D [2098 0 R /XYZ 56.6929 368.4301 null]
 >> endobj
 2107 0 obj <<
-/D [2097 0 R /XYZ 56.6929 166.9338 null]
+/D [2098 0 R /XYZ 56.6929 251.2316 null]
 >> endobj
-2096 0 obj <<
+2108 0 obj <<
+/D [2098 0 R /XYZ 56.6929 166.9338 null]
+>> endobj
+2097 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2110 0 obj <<
+2111 0 obj <<
 /Length 3468      
 /Filter /FlateDecode
 >>
@@ -9404,21 +9423,21 @@ t
 v@kšÐ£|W/l÷øÑý‚ð¢izñ·oÑ*ðΆ÷‚<>ÇOõn•Ÿ1Ö)§ŒYQìtzÚ)÷¹Ž;åŽË;å×çÂnïÆ°ùkR’aÜ@¤¬Üiù:®	Ž9‘Vp	oCHÍ"@[s¼möñ6G ØGމݭ¬‰õü}Ý4åݪ &¬áØy¯AV¥Ißß!ál‹O->'OÂÆ9#º;a3¾RaËObô¡…‹(¶J÷fÙfOÇ&p^X9çò“Q8ÏÅggöþÞ™y m¶%§åê™É`”þžÂ¿Q) !-…wJ±EFü¢ürI/!<Â6ßÙ{rÍÃ!Âp‹GÌwë
}‘Ì-‘í=%£Ó'ÊÕ‚Þ‚n`»Ÿ_á»MÎð‡ÞN¡qÇÃv‚çþšunY…ßï3ì5> endobj
-2111 0 obj <<
-/D [2109 0 R /XYZ 85.0394 794.5015 null]
+2112 0 obj <<
+/D [2110 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2108 0 obj <<
+2109 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2114 0 obj <<
+2115 0 obj <<
 /Length 3036      
 /Filter /FlateDecode
 >>
@@ -9432,21 +9451,21 @@ E
 ûrâzvj³Z2`MHGñp¯¹%8ܵeC†žó>߈±ÃjÛ¸IÇÌãä8C‘jÌ)ûWkøò¸hhÎßDúí£|V›lŸ­è]ðHŒ¹§¯Ï'óIR²öÁç8·¸	ß%ïί()k0Š,²ÒwòYîþʽ*%;ö´cH¢HF.ïc-äã$-¥³°²ÎKˆ…w#®>Ô#=È،۲´iU>¬mðÌÓ^G)¡#óDAÓǺàu–õ:7S1þâ–>ÆŸo9ã[Þl³=Ê!M\Nõ3h,ºÞ_CÀ\uíX¯/0B+éÌ=¯[ÈHÂFˆsM%PÅÒ0¾­%qÏ‚´bŸ,Ò”cL`´Š2-”]³$,î«¥ëFPðœQss·/ÁDÇñþAYª²×[)ÍB€ß6^*|8Ô–7}–Sö©Š¸„mÑet“qÆ-+¾g€bã³¢û³ø~°G87ø¢j7ëhÞßE¾¿x/xÿlå2‡ÅØý÷=ë­›ªjü¼52(<ØS¼ÉÜóU{X­À#—÷Å‘©eßÜ5bzñxöVê6´<>þç©žžHÁ@Æ.Y(LjýÌØt¼EŸÂÈÿ
 Ä"JsÜÇö1Ñ>­ôõÚ„qO›ðk“µ4XTÍ`Ò‡º¢BŸ—S}#9Ë”6ËLâ!ÜJ¦¶;,«²ÝXëH8ÿëbSÆBÍ8,smsx›óÇÂè8:ù¯þµ˜l©Ê]Äxó_Š¿GaJüéq/þ¾±€|~r†…’é×6 ‹“Yë:¥ÞS¸™3—°ƒ‚âÙùfÃU}eLù•I‚‹UËÿ]~=ÓâsH^z®ï ŒöÒä%ž±ðLè„gØ-ÙCǨVx&¤óW¥c„„¦ƒh°c3¾Ð`{QüòùÁÝPÒâ—°jGÌ–N‡»Y>7º¶cE|YQ¾°þûш.‚™»7ÿ÷9ÿŸ+L„NS5®V•DÇŽ)<¸Ôê<÷áÿ‡:çý?ìø{Øendstream
 endobj
-2113 0 obj <<
+2114 0 obj <<
 /Type /Page
-/Contents 2114 0 R
-/Resources 2112 0 R
+/Contents 2115 0 R
+/Resources 2113 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2077 0 R
+/Parent 2078 0 R
 >> endobj
-2115 0 obj <<
-/D [2113 0 R /XYZ 56.6929 794.5015 null]
+2116 0 obj <<
+/D [2114 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2112 0 obj <<
+2113 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F41 969 0 R /F21 738 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2118 0 obj <<
+2119 0 obj <<
 /Length 3164      
 /Filter /FlateDecode
 >>
@@ -9463,24 +9482,24 @@ vlP
 [l‹j‚ŸpÃt–Øq³ç}ï$ìk—_‹T&)†Y¬é¥Y~[¸Z{«âD%,,¸)1ûä'™é2ëøô(ýÓ#üÒ3î
 ê55´l%áÁ¦ã甡‹£½«ûi¹ß·p&ÁÉ®ó>oÚâ)fäçÝ8Tgƒh­%Kµ‰í­;6o™b&‹è^¨.¯ˆ™SYõþ²¾wuý©é’”©¤I±$±OÞ`:Qù§©M"i<šë%rû¼IÝp{â†ãR÷´i}…Hrµ@‰«£öú››™ìsr”ວ[çb3<†8t2´¾ßvcżÚN)óÌt ‡ô.&™.èxôIÿó„uú–¤à*²M|QØ]öL!óB©cÖµÊàvCŠ<æýßž¢¸endstream
 endobj
-2117 0 obj <<
+2118 0 obj <<
 /Type /Page
-/Contents 2118 0 R
-/Resources 2116 0 R
+/Contents 2119 0 R
+/Resources 2117 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2121 0 R
->> endobj
-2119 0 obj <<
-/D [2117 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2120 0 obj <<
-/D [2117 0 R /XYZ 85.0394 119.0275 null]
+/D [2118 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2116 0 obj <<
+2121 0 obj <<
+/D [2118 0 R /XYZ 85.0394 119.0275 null]
+>> endobj
+2117 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2124 0 obj <<
+2125 0 obj <<
 /Length 1526      
 /Filter /FlateDecode
 >>
@@ -9491,45 +9510,45 @@ c
 ®Ûžb(нÞÒâLqÓ)+¹â´)H¥uo¢Êmc×Xûùd.YÎï`ÞEùjú8y¸¹ŸßÜÍû|¯p
eÖ+'ʓ¤¦6úJ²¿ÇËÂx­¼T]¤E_.ÚI‡¹M—íõeµhî^íe‰»„Ó±Uá/ìÐËÕ–ª+Šš*ª‘ªìÚë¾Iï&µÁdgò"{~Ïä}'}¸Ë> endobj
-2125 0 obj <<
-/D [2123 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2126 0 obj <<
-/D [2123 0 R /XYZ 56.6929 562.7154 null]
+/D [2124 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2127 0 obj <<
-/D [2123 0 R /XYZ 56.6929 499.03 null]
->> endobj
-698 0 obj <<
-/D [2123 0 R /XYZ 56.6929 459.6249 null]
+/D [2124 0 R /XYZ 56.6929 562.7154 null]
 >> endobj
 2128 0 obj <<
-/D [2123 0 R /XYZ 56.6929 426.4105 null]
+/D [2124 0 R /XYZ 56.6929 499.03 null]
+>> endobj
+698 0 obj <<
+/D [2124 0 R /XYZ 56.6929 459.6249 null]
 >> endobj
 2129 0 obj <<
-/D [2123 0 R /XYZ 56.6929 390.6449 null]
+/D [2124 0 R /XYZ 56.6929 426.4105 null]
 >> endobj
 2130 0 obj <<
-/D [2123 0 R /XYZ 56.6929 324.0377 null]
+/D [2124 0 R /XYZ 56.6929 390.6449 null]
 >> endobj
 2131 0 obj <<
-/D [2123 0 R /XYZ 56.6929 263.3171 null]
+/D [2124 0 R /XYZ 56.6929 324.0377 null]
 >> endobj
 2132 0 obj <<
-/D [2123 0 R /XYZ 56.6929 199.6317 null]
+/D [2124 0 R /XYZ 56.6929 263.3171 null]
 >> endobj
-2122 0 obj <<
+2133 0 obj <<
+/D [2124 0 R /XYZ 56.6929 199.6317 null]
+>> endobj
+2123 0 obj <<
 /Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2135 0 obj <<
+2136 0 obj <<
 /Length 1951      
 /Filter /FlateDecode
 >>
@@ -9544,45 +9563,45 @@ C
 uVIžï§„½,Fb³£d³É3FU½Í–¦>­_¨ì‹\}Rye»¯÷öוã´>ª½aJ%ú…ABÒèøÒB{eå®ÞhT]•éÒ¸néú þ…èNm+©Üoá~—µ®Á˜¶EY·hˆÝ™~ôõ~ $(°=0…x€†Ô™j:ÀÔU™µêµ)å{ûÔut4U1
³¡áöWˆ(—½sÑálÊ×gó©`ç¿'$þ»‚J|×µÛkIåë|Úsݾú¦¬ü–l›è¾24Õï”Âa…¡Ä—¼9Ž
 ÁMyÝõ%ŠéckðV›ó훿R>ÈÁ†II‡KàëRyL¼QzM„‰¾éŽ!!'9¶ý/Ä8Üqendstream
 endobj
-2134 0 obj <<
+2135 0 obj <<
 /Type /Page
-/Contents 2135 0 R
-/Resources 2133 0 R
+/Contents 2136 0 R
+/Resources 2134 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2121 0 R
->> endobj
-2136 0 obj <<
-/D [2134 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2137 0 obj <<
-/D [2134 0 R /XYZ 85.0394 618.8894 null]
+/D [2135 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2138 0 obj <<
-/D [2134 0 R /XYZ 85.0394 552.6593 null]
+/D [2135 0 R /XYZ 85.0394 618.8894 null]
 >> endobj
 2139 0 obj <<
-/D [2134 0 R /XYZ 85.0394 486.4293 null]
->> endobj
-702 0 obj <<
-/D [2134 0 R /XYZ 85.0394 445.2559 null]
+/D [2135 0 R /XYZ 85.0394 552.6593 null]
 >> endobj
 2140 0 obj <<
-/D [2134 0 R /XYZ 85.0394 411.2651 null]
+/D [2135 0 R /XYZ 85.0394 486.4293 null]
+>> endobj
+702 0 obj <<
+/D [2135 0 R /XYZ 85.0394 445.2559 null]
 >> endobj
 2141 0 obj <<
-/D [2134 0 R /XYZ 85.0394 374.723 null]
+/D [2135 0 R /XYZ 85.0394 411.2651 null]
 >> endobj
 2142 0 obj <<
-/D [2134 0 R /XYZ 85.0394 305.5711 null]
+/D [2135 0 R /XYZ 85.0394 374.723 null]
 >> endobj
 2143 0 obj <<
-/D [2134 0 R /XYZ 85.0394 163.3139 null]
+/D [2135 0 R /XYZ 85.0394 305.5711 null]
 >> endobj
-2133 0 obj <<
+2144 0 obj <<
+/D [2135 0 R /XYZ 85.0394 163.3139 null]
+>> endobj
+2134 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2146 0 obj <<
+2147 0 obj <<
 /Length 2696      
 /Filter /FlateDecode
 >>
@@ -9598,24 +9617,24 @@ x
 zÑÒæ‘éc6üecRˆIÌqöBNdˆ"ç§HQœ¼œ¾PÙ2ßEYûÖcSÿ¢¹¡Á¨ŒУûÆ
ŠiG!^‹ÝsYûœqÍ„`\'‘×)ZG'sÝuòé´9BÁ¿ø¥yèP×4å§"nˆß§¦äççú~&@oé:¥î…¿ãþõ£Ì\ðñú)–®ŸZ)[?-“õ“T,ô>L±v¤ÁQNÇB	ź¥l†(@ª«Yº”õÚײqgÁ§ÓC)u˜!Ô­ÃÅ”;· ãÛ¦ø£Ã-I×R‡P ½PƒÅa¾ËŸ‡ÖÈЗ)¨P
%Çào*±Ô0TZ)•7©®AŒ·Á8„†4j\µV*¡[-@ƒåZ´0Åý­X‹3hÐbÆüC[ƒ<í7:Qf<êz€À\q-ÞNZ;áaG@Œu€FL=„ »TA3àHc¨t{õóùP²aòŽìDP¨£Ù¡ ¦‡ÂÜGh8zUH}m—ižïë"‰÷bi̺„4í¥÷ÛuzX¡ý·ØožêÁ0¯¶M±iR®‘`òDN¥F%HÙ@ù=(J6Ò”8s­Nè„zušRâ™>Ò+4¥½€if@c]°3`b¢
óN´‘¶óÓu¾8R™Š7`VÐ|Æ!ÕüÙ59]{R¤R6„50Šn@T›§r]„„ñ=Ô¥í5`ZÅÙâ9ßm‡)…Ô²Ÿ,^¬÷Ù|ê £@r¤ˆP>n«Ý '‡);y–a	8>E{b©‘
R6D7©åHJ®ÇBT¿*7ªWJèÕ=Ç0#Í»ŠÎ1LLIcÈ·¹¡®o‡SÕ)Ö«jojsýP¸¬s?h»8F°ðOÍo)öÁªð«µ¬ßÞŠbÓ¬˜qÙ	L˜À¦«ç»éî	4­Dž§€).8{I÷bæåídóSÈ&’½”lÙ±Ô0²[)‹ì›²”bmY•D¶D,ƒzsT¯ ”Ðëø§)&ï*öÚÀÑý„a±g~Êp\Gš&šÉìÐyð¿~¸Žtûêkó5r¯Ç¿˜°3115S/Â#Á£D„eâL<‚÷(f|FñaÆÇq–`|_™¨(?õS],5‚Ì e‘¹ýS´hT¯–õõJÑ¢Ž^‡B“1›r/ÉÔf]so;dŒ%:dŒ¶Y×<øfH›um³¤ò‚…ošØ_°õY·×k9κ‹¸ze!ëvÞLõ^”H¶•q1tgHsñ8Å×âBúy]èÿ2”eˆfòÄ×‘ÐÈ'm^ÈFeuºªwõêz3‰õ¨f­P_µÎ™©8źýt™ñé®lLJg$tÜ>”îÌ2»ïÔ|D‘µ]¿xGëò)Ú6pÍoï‚š!úSˆ¡ùé)Á°é@Ê:5$pÒ³Tœ€Úv@c[Ûf³ÏÁ®	o†ê@˜·g&Œ€uüFîmÝm¤KOÕ(”mRkÑ-}6fŠ¦
 Ó¥cFMU˜|q°£¡ïN!‚ÍÇ¢	ôàöCÐ?ýMêáó[p9Sjà„ ™@ð²JÅ	“ý˜ô_¯öuÿµØendstream
 endobj
-2145 0 obj <<
+2146 0 obj <<
 /Type /Page
-/Contents 2146 0 R
-/Resources 2144 0 R
+/Contents 2147 0 R
+/Resources 2145 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2121 0 R
->> endobj
-2147 0 obj <<
-/D [2145 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2148 0 obj <<
-/D [2145 0 R /XYZ 56.6929 751.8354 null]
+/D [2146 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2144 0 obj <<
+2149 0 obj <<
+/D [2146 0 R /XYZ 56.6929 751.8354 null]
+>> endobj
+2145 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2151 0 obj <<
+2152 0 obj <<
 /Length 2089      
 /Filter /FlateDecode
 >>
@@ -9632,39 +9651,39 @@ hQ.
 gµmpk'öšõô¤•µÐ´ø"hÙ	Øm©ú5oθǛ;rÏzµ²‹o>¯¿NœqÊ)š=¤æƒÜzJ7DƒŸÍ~LZd¾7²Ü¨Ý€™˜úÊGå=ûLmÈ‘’ÄWü÷wv?åN•B‰É›®/•ëõåÞø´Lœ[¿ÄeuèT=	%´8áè+ã‰_™à þcož6ÿþúxÝ£÷%ÔÁ2sY¿A“¼w±¿­Ê¦ªÛ¼ÛôByHÝ>\!¬ˆmùõWüÅ’`ìâá«
 “ÀhZæÁå÷©EŒ"!ÂAŒ]¶QÙÑØÌi‚k²ú/ûýrêßP€ô7ÿ	úÀ½;ÿï-þwÅ‘IyæBΰæ+E¼QúØ„EǦí> endobj
-2152 0 obj <<
-/D [2150 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2153 0 obj <<
-/D [2150 0 R /XYZ 85.0394 351.3738 null]
+/D [2151 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2154 0 obj <<
-/D [2150 0 R /XYZ 85.0394 278.6168 null]
+/D [2151 0 R /XYZ 85.0394 351.3738 null]
 >> endobj
 2155 0 obj <<
-/D [2150 0 R /XYZ 85.0394 205.8598 null]
->> endobj
-706 0 obj <<
-/D [2150 0 R /XYZ 85.0394 160.1512 null]
+/D [2151 0 R /XYZ 85.0394 278.6168 null]
 >> endobj
 2156 0 obj <<
-/D [2150 0 R /XYZ 85.0394 124.1686 null]
+/D [2151 0 R /XYZ 85.0394 205.8598 null]
+>> endobj
+706 0 obj <<
+/D [2151 0 R /XYZ 85.0394 160.1512 null]
 >> endobj
 2157 0 obj <<
-/D [2150 0 R /XYZ 85.0394 85.6348 null]
+/D [2151 0 R /XYZ 85.0394 124.1686 null]
 >> endobj
-2149 0 obj <<
+2158 0 obj <<
+/D [2151 0 R /XYZ 85.0394 85.6348 null]
+>> endobj
+2150 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2160 0 obj <<
+2161 0 obj <<
 /Length 2814      
 /Filter /FlateDecode
 >>
@@ -9684,30 +9703,30 @@ Dp
 L5©êl¿5Sf+5(šíƒNü̬FÑ*ýÍÌÎÒ¢6&å3UQ´¡¿)œ;·)Š…ã\‘¡½Y™™Ü2Í­´¦°]\Æ,Z8wbAöaÝ×®¢ÓÿU«p6ä@æs]bwî†MÿÈ]cÚ*‡Õ.ǽ‘Hýì”7v¨&¼ÑQioÜôFWÍôœ‘ Ëz9"^½kå|6èõaâö«ß9Rla°äàŠª‰wÍ@‡
ÕØbC½uRÃæi5×U‹K0r@ëêBÙb%@áÈœd?òýù`2õ7Sž•‡íêý§Y‡¿=cêv[Ž4
 IÄ|,œRj˜Êc+±Äu¬ûïâP-endstream
 endobj
-2159 0 obj <<
+2160 0 obj <<
 /Type /Page
-/Contents 2160 0 R
-/Resources 2158 0 R
+/Contents 2161 0 R
+/Resources 2159 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2121 0 R
->> endobj
-2161 0 obj <<
-/D [2159 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2122 0 R
 >> endobj
 2162 0 obj <<
-/D [2159 0 R /XYZ 56.6929 748.7291 null]
+/D [2160 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2163 0 obj <<
-/D [2159 0 R /XYZ 56.6929 660.3963 null]
+/D [2160 0 R /XYZ 56.6929 748.7291 null]
 >> endobj
 2164 0 obj <<
-/D [2159 0 R /XYZ 56.6929 549.6423 null]
+/D [2160 0 R /XYZ 56.6929 660.3963 null]
 >> endobj
-2158 0 obj <<
+2165 0 obj <<
+/D [2160 0 R /XYZ 56.6929 549.6423 null]
+>> endobj
+2159 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2167 0 obj <<
+2168 0 obj <<
 /Length 2684      
 /Filter /FlateDecode
 >>
@@ -9728,22 +9747,22 @@ x
 Îù÷‘s„
 d¦sóõ2ÇóíÑC92ìp¾ÿÓ3w]QÆ"`xÉøÓ¾3˜ôùy×ídÎ|û#™à¸Ç1úÍRô²fùl駋‚ÞD÷¿ügÂóxÆ°­Ì‘eû_ý @þXö¶Î£Oæy›SiAG«6nYj¬²£6ŸýNWTýÁÝsŽŽÛ´8è›û=ì‡/üþ¿ŒôÔ¾Ào|ãPÀ¶äóÙÿ1c÷?O”°;õeU2ü”éxo.žKwhº–l…°#¶ÿ…U6ýendstream
 endobj
-2166 0 obj <<
+2167 0 obj <<
 /Type /Page
-/Contents 2167 0 R
-/Resources 2165 0 R
+/Contents 2168 0 R
+/Resources 2166 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
+/Parent 2170 0 R
 >> endobj
-2168 0 obj <<
-/D [2166 0 R /XYZ 85.0394 794.5015 null]
+2169 0 obj <<
+/D [2167 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2165 0 obj <<
+2166 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F55 1070 0 R /F53 1062 0 R /F63 1103 0 R /F41 969 0 R >>
 /XObject << /Im2 1089 0 R /Im3 1223 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2172 0 obj <<
+2173 0 obj <<
 /Length 1809      
 /Filter /FlateDecode
 >>
@@ -9757,92 +9776,89 @@ h(H
 ïºàìâ—Œ³ëžBÓTlåòûíå»áˆhÌXOXpŒ$—Q;Y(´?’0âÚêø«Nü„:°u>Z<šÅ7¶†D¶0/ÿ“gæpÙ^'çVß}—–ô*CÍ6­jDlÒçò ™ýoe¾ã6PÇmÆwó÷×·':<ï/{ßÏŒwÙÙ3\œÖ¾½|%ß–iµÞïËã²i.9\]1\w›_ÊÀ´ã0+ªM¥µùE€A§
ÞS‹Mß@Á]
 ߤ4\ÌÀ•ÎΟÁ>é¿Lg¾
nÉÂÕv•–Ï/ýÚPüχï8ýå_âö¿8r…àöÿÂUîÐ7À؃²''RŒ(αÿôúRendstream
 endobj
-2171 0 obj <<
+2172 0 obj <<
 /Type /Page
-/Contents 2172 0 R
-/Resources 2170 0 R
+/Contents 2173 0 R
+/Resources 2171 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
->> endobj
-2173 0 obj <<
-/D [2171 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2170 0 R
 >> endobj
 2174 0 obj <<
-/D [2171 0 R /XYZ 56.6929 623.887 null]
+/D [2172 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2175 0 obj <<
-/D [2171 0 R /XYZ 56.6929 483.2189 null]
+/D [2172 0 R /XYZ 56.6929 623.887 null]
 >> endobj
 2176 0 obj <<
-/D [2171 0 R /XYZ 56.6929 367.2053 null]
+/D [2172 0 R /XYZ 56.6929 483.2189 null]
 >> endobj
 2177 0 obj <<
-/D [2171 0 R /XYZ 56.6929 263.1469 null]
+/D [2172 0 R /XYZ 56.6929 367.2053 null]
 >> endobj
 2178 0 obj <<
-/D [2171 0 R /XYZ 56.6929 189.3485 null]
->> endobj
-710 0 obj <<
-/D [2171 0 R /XYZ 56.6929 151.2234 null]
+/D [2172 0 R /XYZ 56.6929 263.1469 null]
 >> endobj
 2179 0 obj <<
-/D [2171 0 R /XYZ 56.6929 115.128 null]
+/D [2172 0 R /XYZ 56.6929 189.3485 null]
+>> endobj
+710 0 obj <<
+/D [2172 0 R /XYZ 56.6929 151.2234 null]
 >> endobj
 2180 0 obj <<
-/D [2171 0 R /XYZ 56.6929 83.3677 null]
+/D [2172 0 R /XYZ 56.6929 115.128 null]
 >> endobj
-2170 0 obj <<
+2181 0 obj <<
+/D [2172 0 R /XYZ 56.6929 83.3677 null]
+>> endobj
+2171 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F62 1100 0 R /F21 738 0 R /F39 927 0 R /F41 969 0 R /F48 985 0 R >>
 /XObject << /Im3 1223 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2183 0 obj <<
-/Length 3813      
+2184 0 obj <<
+/Length 3963      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ÙrÜ6ò]_¡·Œ*š8H‚yS,Ûq;^K®=?p†”†år2$¥ÌfóïÛnð$kk­*ã Ðhôݧ!ü‰S¡Jõi’ê 
-EtºÞ„§7ðíõ‰à5K·h9^õãÕÉóW*9Mƒ4–ñéÕõ–	BcÄéUþyqþáÃË÷oþq¶”Q¸ø18[Fa¸xwþþÓù/4÷á,•‹ó×//a(µŠa‘¸.ï/?}¸8?KôâêåÙ—«ŸO^^õhQ¡Bœ~?ùü%<Íá?Ÿ„JMtzƒ0i*Ow':RA¤•r3Û“Ë“¿õG_íV)"e‚ÈÈÄC)N…Ò(’bDi+©,1.U½oÊf~•ðQ4Q"Ði˜úŽ@hiè{Ya$_ŽAX´´ð±È­B¬ª¦ÛçY[œ-c`ÍçeþÅõ.úÞ
uþCͲž·Óáï÷üU¤F'K™B	è♟7»lýׯűÊvÅM±>-m› ,Ñ(Œ
os'|õƸ…øºÜˆZF+^öœ.u:A	ï9ˆ8.[ß1*HQÜ@[k‹UÑŠ‰õ“XËÔy˜MvËØ °]ñU†ç‰m™ö(¤ˆÕ”m¨Æ¨ºa²ø8¨˜–Ã¥¥ :UKÓ–äØnøøŽ÷첦E	ÃþÄ"xk
-í'jÅ¢Ìl‰æÃ)ø‚Ò†_º\¼{þî%uí:+K° ¾ž !ãsùëù“•åÄî`W9E\æþTAáp
±BœP`²¯Î»Ox« Nó$Ö+eÐÅÁÚO„]òy±ênø¸:G~F:e‚ãäžÌÍ-œgÚC¶¶6À\ׇ]Æ8Kø•uvá†Åœ^qæÀ°æMooY׳±Þey1Soâcd¿-`®%y2˜y²ñNöÂÑÔÿ/Lqâ4lyác²´î2ÇdºÑL–=I¿Áhé@3êCÛ»¹söÕòû†|r4ãÛEßľáãb̬¥%‹	cLc’'RQ…©Öå/~*0=§"Ç Ô³n:ŽàfmqSpHC2tÓíÈÁŒµ‹$<{ Í›òfãö6Eëb'ÀlkGB°á¶mq[lm4#of<áé·y€¬iœNõ¢déÍË&[m‹¹µ!
-ž¥!ÆêM¶fÕKÁÒ–7UÖvì§hÎFEرVZŠ~±gí?´Y÷cº&Û²	ÅNÛÃyY¸g¢2³`Ï\]¾y=5¬r$¥_šè™•¥¹ö¸ç¯`€Ö‡rUðkÀe£k£#š´^4aNaÎÿ-ŒÂþâ­´Šƒ¶ö†geª„ïZöxk__^.íÕíÓËÉ)0mO‰íT–ò)´¼¼M2¢dÍp]Íë3jš
F‡··´c»’6„bJ°ýZÕwÙéþ<Ý»ÄÇ
‘N„µ“ì³va?tØÊÞwðfñ¢;òUø”/P]´6âvs·GóV0ø¢ZŽÎÀ8ÛÞÔ°;^×TaqŠbµøéÝù‹eŸaYÔ§aéEd±0‹»M¹Fóü¡Íf’ëÁÐæÐ3©)¶—K¿V67€Éº%«ÝM†7Š™îç;{‡g„G¶G·>õÅ«74yWn·´²*ŠÜ'¡63)P­éúA:éKSlf±“íá$ö‡’ü6ΈÆڻÂâpÝLé+ƒ4-*Þ5 2ªˆ_f	nÍHT´L¯êƒ/T+«¦Í€Ð@X6]Ù¢õDh:;¤Äa4$40	Û=CCã;VX¶b.PµßAJ±îC²çE»~Žâž¹\{t%•ÂõU—¦fؤ³p00˜ª† <‰ÕÌ	CÝEDªÉØc'kšzM\¡>…fÊCü:68¶Ä²PX¶3p‡äk'€ß|à•yΦ½¡	t³£•€#´ŠO"¦àÃ'«D
³\cÏ2Ú®¡ºl1¡7¤º²•i3÷v¯5©ÐÛw«­uoÐ'Ž5'õÍ!ÛoÈ1 +,k×=>’šû‡ 8¶cJ©>žI­CÍitv]ÃÓŠ_ÓÖ½­·ÌÙ:jÞ¾ü'­Ÿû6ÏZ®½8#Ì‹VÇlµšGÄó4T§˜]FO
-Su"\¥!¯¶Â¶„€B>Ë=ê±>	@:o«ÖAbeú XŽ¼³­4.]x[V¬¹
-S…*Û6>,Ý“÷[íBi–EÙgK³›«4Ð`\P|ôçB'ñPÂñ„Ö2ˆâÄÑÞÛƒâ²PI•%Å80¶_&¡ˆ­BøŽÎÈ}#há⦨\6
-+¸àĪ÷¢4øzÍ–)dDûÍ
-¢s7’¦£j.l5:}晦“ÌÓúÞ÷:ë¶-}§ø{6\€˜ýPd\Ü‹_ˆZ

Gƒ]×R5Ô£ûÅë-˜±Û›iþÜ#×)<¯º©xT0t â>#ë³¥¾Š"m2ðldä4‡˜.vãzË(•†ÑgßÃJqŸ­Ù÷!–“Wž/¾Š@‰$žFïK\âI	T¤‰™<$…¸Oáá”SIbãÉ…ÍW+‚ÎȬË$µ.ò>Æ`¬âÈ©Òø%l‚›}x'¨Á‰-Z>}•5E¬é`skªÔ'ÓØ?
-‡IÌâSÃøÒÔB$C ~’|Cˆâd(;!Jd1ä©kH䲎8!ûM‚ĨhJÔUáê°Æ錜ÞĈ‰éÀïöœï0V U’£Jk6°Y×»¥ðm[V|È,éGhoØÙ¦Úâ$š†P‹«Œð}—éëŠAÝ–Mi£I†âQ羘Twí¾k}õ¦}ƒA‚  aüôà^+¸6
x€Ã?Ò€žH\­¨´o®œµ:Î
-Y@`	¾ú;ö`ÍBq¿9‹¢UM¤zØûÄ2zÔm€_NÌ´®õÌ'¨ JRù¤0A/—.&h,mg"6rÃâ÷ÝÇÛ˜–÷5VDq`´–¾Çæ)z“G`kG‚Ìh’øH~d“TP°ˆÜÕŒ9¶¥+…ÙÇbª0»¬m~ÀèQÒ“›Þ ߋE,Ü‹W¤P-|ïî¡Äq¨=5M_—T!ô15
-b‹h>IöµÑ>ÕzÆe;N¬c§s±à—I1ñ7±-SÕX¨dšÉHuÍb€µ{z4¨Œ“@(‡LžWÍI'y0!hRŽ^ÏظeHºØg%OP91]rcŠ[[ƒóHož„Ñ>.-Ú\¿'öÔV‹8PF;äßþ‰ ÿ
-¾`m¿ÿ“ÞíÿreWaË®éÔBù6Á˜x\µñ–fìË¿
9å­_§f®2Ñk>Ž÷iÂo·)¥w81æ=Nûx‰Q`šöf‚XÂ%`'DQÿ‚&ß¾sxÝ"¨ÊcF¶
-ðÝFÎÖfX±	½à·5h¹ê*øÕ
Úf_¬ËëãðÞ
-só,2uI©À¬l+FÁ®Øj­‚]ìƒ]Ìjaô¦b°î×á\£¬©L¼eªè]ðý#:2v;”ÔÙWj]ð< ÌÚÿóŽ¡Ðý¸§H#í¬‹›sa³èx®ä6£f[ƒX‚r¶´”k‹ðŸÀ¨ÇÉÕlìÅi^üLcïÏr\üðê
+ºR«	‰ë’(xwõñýåÅYªƒëWgŸ¯ÿqòêÚ¡5F]D
+qúýäÓçè´„üã$
+UžÅ§÷ЉB‘çòt{¢cÆZ);²9¹:ù§8š5[}¤ˆUÆ™L=´âTˆ0c9!Fœ‡‰’ÊãêØ´»®îæWI@S¥C)í;Z¡e¬¡íeQF1|1aÐÒÂÇ"»
+±jºÃ®,úêl‘k>-Ê϶uéZ·Ôø/}í´»™vx¿¯c5:YÊ4:“€.žùi½-Vß}þR›b[}×U«}ÕÓ¶	ÂB	 r’ñ6{Âß	y˜ev!¾©7•¢a¦/ûŒN:ŠC¢„;"Ž‹ÞwŒ
+s7Ð×Ûª=ôž#ÜALȃ¤ŠÃ,‰c^z(wCiJA¤æP÷Ï
+Þ×U÷(ÔlõÃW¡î‹¦l·euçªÃ$ŠåèÓ\é”8Ë4'sñ	¹†"ñ™ N•j!u˜GI»Ð`Úrùêêå‡7ï¯ßüòÎí°ˆ`0WÀí&²N+Ç7Óq¨„N_PÒ¨dpèª[Yз4Ò–Ûº§±KßzE—ï®hô#«îÏDT¿ª®ïh¶`Èeõ[ɆÀ§AÝÐô‡×/i@
+•LO.¨‹äaTªý]µGó² ó&r|½6—IPl6í=·	±®=˜Æª®Zó-y©9¾K³(Š²4XÃ,íÛ¶wvâÆŒ´[>˜>¶
Ÿs_÷k”pÓÙÍP;R¯*ë¾nnùèu5ÚŠwŒ¦ƒ4ÜT!.Š‚ò(lÝ7mkÚ°=â
¬Š†mÓuó`YG#HüÂũז⵩¿%Âq¯_[øæÞÆ1Õ‡QKõÐÝ3eÌ‚ûaÇ€í©UØÓ°shÊjOÍrKº1cCwuáQ‘£‰•ÿ§EêÈZ¶–Ï,èsùãË÷Ôbá¤60{SR»iû%#Ž¯xry¤/PŽé°à«²8I§|kd†È‡:ËHsó„CÕ+f6Šµyáípª•P|^]ôÅT–<³i»Þˬk#µqîS27:V2d®Bkà*tWV$rÊs†ôžU>0W}ÈbAÈ’%úY,NdnÝ̺¸clŒ%€ï’ûÆhäy CÛDö=Ž0ÄPS¶¡£²FiðaP1-‡KK-@tšž†
Éñ»æ)ð
ïÙ]†í±)4àÉêá}EP—¶Fƒt”6œaè2xûîâí+jšuF–`A{3ACZ4&‰¬íÕ/ÏPêÔɉ'æÁ¦²Š¸(=ü¨‚Âzá†9¡À_¬‹Ÿð>Qa’§Ù³X¯T6€®öäËvÍg”ÕòpËǵ%ò3Ö¹u30¸#ssç‘~_¬È¦07í~[0Î~I®®Y|„ÖxÅYHöˆ5e]/Æfx[”ÕL½‰ÈnS[À\«j£L82x²ÉNòÂÆÝ̼ðs™,’ÔjØâÒÇdjí¢2ËdºÑ#L–	=K¿ÁhiA3Ú}ïÜ\‡Yûjø}kø‡Ý	ÿØ.ú.¨ Žžcf--	m`˜`.“>“Š*Ê­°.~öS€é9m´Œ›Nb¸Y_Ý‹‚ƒ†,·‡-#1V¾V$<º§Íëúvm÷v•‘Ih‘¼@cÓZB‡5·mª»jƒ6+–Á›ÙçØÍÜV"5Oò©^Ô,½eÝËMõˆµ9Ë#ŒØ»bź—ƒ©­o›¢?°£¢1aØyør-ãà[àb`MWdr¶¡Øbb옘A›…‹¦J!7»öÀõÕ›|–ÕãL£lffi¬?îx,Ðj_/+ž0,²A6x	™é˜†Œ3ŽkÞ
+XüÅQÿÄãG=}@ÈXñÆøLçr%|1­AEÇÁWWCèiÊ`t|¢ŽéD˜&¨0 0á`’sØÍ1£NfWöÃxAŸnͳ¤iÌÇM¿§yNÌJŽä Ý6&(õFP`äKÓÞ3dkæÙؘ£O[(F)«-n­¬VÖü>ôüYðò°'ä›ðB¨GZ›	q³ù°C»W1øªYíÖD@¿Øܶ{0[êÞ´maqˆ‚üøöâå‚“0F}rÕ·—±Á"î×õ
+í¸LÚœSAìšDD³ `C
+ˆÜðryðKc’l{27Ðth2¼Q0õ8ß!3w8'<ŠxÀÕ¨5^½£Áûz³¡•MU•>95ÁY–Õºƒ;13*t¤™®ÚT&þÎ8FÄF±ƒ“8FØíkrè8>"6v;úÞW,s#Ò:iZ5¼k0Ldm¿Â<³4#QÑ@¿n÷>KS7]_¡Ï1­Ì@HêÍ*r@Ó¡Ø`…Ž‡Lac_¡Ëè¨ÏêË–ÀFðÐôzN™%a¢]¬ö¢êW/PÜËRš®äb;W“éZ†M:ÅÖ¤iRò")xN¬uNîm/"Àv'€¢ëÚq	»8wš)qvl8°oˆe  ±Lcà2vÉ	O¿yÏ+Ë’M~GèG+G0h
ŸD2LQ‰OV‰¦ô€ò4Ô3pA®ÞÀK#AjS·~àÌÞŠ«$»ÃrcÜ´IF aÌI{»/vk2Eè‹Þ­1©’<<Á±SJ¹ y&µ4G¤ÐØ:N¥–lüº¾u¶ÞX0këèóÓ«Óú¹·ó¬¥zŽ3¼hy|ÄV«y¨<ÏOuŽigü¬øU§Â– ʶb+ljØ ä‹Ò£^càƒA4«’}]Í°@’¨l­ÚÁI¤58n	;‰ˆ„ìø§j¿äЮ£9Ö“™”ʃ+°>eáëFf]4^3œôhµ¦”%(Âu%ÄåU3R@žf‰²^vqûHü¬¥­wcE¥¸e4/vÓ6ÖóEQ¨ç„íF—é«vzZ4œjÜû¡câëxzÙˆƒOSw9Ò÷׳ãžÒÔ2q@FQ4«èÙ͘0Q`3–¡ä'$žaª]ø±h¿šžYÂ<”jp4ëeI<•‘¯Ø´«ÜwCáÏËÄ<Ô`å-ªG¹@è4*vžLJ†q’Z²,OA±EqZŒÿc33	0Mqp`Â<†vŽ EÁmÕØâ¬àú"hxÃì
ûó…i«tæßy>¤+¦ƒé
+6\¡!Ï'…ˆ©nŠÃ¦§yÊ6°e‚@ˆô0ºˆ3›åàQ«£ÎžAg{è©øíqZÕ«
8§»Ê›ÏýJA—¥^b˜çŽ ÀL°¸ä#ì„H vO_hòͳ–×-‚ªü‚àË£%ª|z‡ýŽB5|ðüº8rõÿ÷o¬‡ß’ë¬Q&‡ŸO«Ù/•”~2Rˆ¾ÐbŽºû5öCÜÿJ…‰endstream
 endobj
-2182 0 obj <<
+2183 0 obj <<
 /Type /Page
-/Contents 2183 0 R
-/Resources 2181 0 R
+/Contents 2184 0 R
+/Resources 2182 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
->> endobj
-2184 0 obj <<
-/D [2182 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2170 0 R
 >> endobj
 2185 0 obj <<
-/D [2182 0 R /XYZ 85.0394 748.4221 null]
+/D [2183 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2186 0 obj <<
-/D [2182 0 R /XYZ 85.0394 656.9381 null]
+/D [2183 0 R /XYZ 85.0394 749.2922 null]
 >> endobj
-2181 0 obj <<
+2187 0 obj <<
+/D [2183 0 R /XYZ 85.0394 666.7399 null]
+>> endobj
+2182 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2189 0 obj <<
+2190 0 obj <<
 /Length 3278      
 /Filter /FlateDecode
 >>
@@ -9866,24 +9882,24 @@ xÚ¥Z_s
 ´V÷³BÀ-\k熯îç~¤dË»=f·7 …Ûw×JL~ôæZˆþ๵-lüEƒ®þ®öZ~÷7äãà'“êä÷)ÎåɘÒÛ30§Árr
 1øKú¶*ögŽÄe–»yrõ`ŠèÜ?»)á¨Íh?öþóÿ#Üø	ör9oH	©Î`ㆅBÙE"Oý–ÿeîTöÿà5d	endstream
 endobj
-2188 0 obj <<
+2189 0 obj <<
 /Type /Page
-/Contents 2189 0 R
-/Resources 2187 0 R
+/Contents 2190 0 R
+/Resources 2188 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
->> endobj
-2190 0 obj <<
-/D [2188 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2170 0 R
 >> endobj
 2191 0 obj <<
-/D [2188 0 R /XYZ 56.6929 507.1706 null]
+/D [2189 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-2187 0 obj <<
+2192 0 obj <<
+/D [2189 0 R /XYZ 56.6929 507.1706 null]
+>> endobj
+2188 0 obj <<
 /Font << /F37 827 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2194 0 obj <<
+2195 0 obj <<
 /Length 2716      
 /Filter /FlateDecode
 >>
@@ -9897,368 +9913,387 @@ i
 brMÓq¥Cu$®xªa\É—ËAó2ɤ:Î~ Šð?„”IªtK4]‘ZȪxƆŠX=+-ì³ÇŠØ2	'j-°L‹ãvÃR’‰€X_søÀÿÛ•ÖxÒmNhA’DËã6×¥:lsÊÂèúyt±Ck¢9ºj Š,Û?©—DàEUoÝwe³Yå/èiâ°4»­5Šªµë¢iò‡ÝZðR€eeƒ)ŒÚ[ ÔÖ½‰Ôæ# ±¿:‚—þMv”Õ¢ØÏj“FÞ7‘UîËb>‡kP!a*9FºTG4è©,8·Ö×× ¸1^§]5PE–ík†ÌØ[÷Öm†—E=õA‡S_ˆû!b»'ªæ)_zsg‡ý˜Í¬š•9®ÁÇÝ*¯¾ì/¢‹šAÊËô‰r¿KuDÔžÊúyó\lG†à’è$=¾n Š,Ü6çè%ý…;ÞÒ·ãÇ_-ÆdÁ±!Ù‰“.ÕaY*ÏŠ»ÝÃX‚hÀGÇ—
T‘uûv§‰¦µ{ÏÏwî¶Uÿ¾Ò°óãà£$MÞ±j’Pë©Àhœï
  ­‚Ù¤Ó1µ¦X—‹zågß—IîFì³ M‘p­¢Æ=È22³¾tùçÅï×.o"	‚âÅ	ɸTáÔÆ„B¨·×›•½øæ°5vÀDtÓéBûðJYr„>Vƒã¥%þ  ëE½[-íöFOwMázì];ÚÛÖöYÉ@#ÔH@+þDþéþ\ɬàc0Ó)”„|P:q…¡ħvt2ýX·¥
åÊ_‘˜–ë*«ÍÎeSôB—=Ä2-;¯}q駱o¹›g›hôÉÇ(p—åÐjêáâ¹¥~°[ÜmÌÖh?±ø›1wßD̬	38×Ã@ü­B¹°/]déSbÑbn+kÈhÅvü#í“ï
°¹#v¹ÈG3‡0¦R«¤œÏJ{&7Üô¿,‰gÛÞ|°]¯–uÓ’žºqàâ•“\m˜(žã3éDRê'5–r¨	ä¾þ"¬»ˆOÃc÷íJà¢2'd§ÆÇÈðåVº8Ý-ìÿ¨w/¬­d¢a…¥£©:+ñ1Ö†¡°PT8`cD²WסLqíì¯#«þýrÙ+ÿ¬qÏ«—™êÚfçbú½i»ÐÌ|™ãê¹ùüÃþŽÀ)Ïýh©¯‰_%ûì®þÞ*’¤hˆÖ?ü³®ýÏ×$„|}èNªy"$ÇŠ™I1d]	M”†¤8æý?G/•ãendstream
 endobj
-2193 0 obj <<
+2194 0 obj <<
 /Type /Page
-/Contents 2194 0 R
-/Resources 2192 0 R
+/Contents 2195 0 R
+/Resources 2193 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
->> endobj
-2195 0 obj <<
-/D [2193 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2170 0 R
 >> endobj
 2196 0 obj <<
-/D [2193 0 R /XYZ 85.0394 216.5531 null]
+/D [2194 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-2192 0 obj <<
+2197 0 obj <<
+/D [2194 0 R /XYZ 85.0394 216.5531 null]
+>> endobj
+2193 0 obj <<
 /Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F53 1062 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2199 0 obj <<
-/Length 2074      
+2200 0 obj <<
+/Length 1849      
 /Filter /FlateDecode
 >>
 stream
-xÚí]oÛ8ò=¿ÂÀ½8Øšá§D½&i/»­·gwhû H´-D–\KNšC¥H²ì¸×C€ˆ3‡3Ãù Ù„›¨€&a$‰¢LM’ͬ`îãó4³†hÖ¥zvñA„“ˆD&÷Ë/M¨ÖlrŸ~¾'Ls`A§wóë«ó—:’ÓË/_næ×·ÿXQ 
-J§Ÿ/ç]~BÜ—óˆO/?Þ,οßÿ~vsߊÓ™Qaeùqöõ;¤ ùïg”ˆH«É3”°(â“Í™T‚()DƒÉÏgÿlvfÝÒQ0J¸øˆ$ÓI†¨ƒ¿Ï8]Qí·i\{ à:cŒDJqGòw$ÙîÌÎüðä?Órg…‡²ä±ˆ7†˜Ÿñf›’”›>#Öeäwrã8MOðp3:”âðj~ùù‡U¹1벪ïÙ¾2Ej§/>pÑQ	s€"8âû5ˆÅÃÎzÎôÔàÿû¬Êj7£¦IY¤Y•®L]á¨nÖÚS mevOÀ§Kü&k“<6+â	a-n…q(üBÄUåÞ
¿b“Ò}S/J¹ô|Š¿ÓËvÔ²ËÒJ§ô¨öÁï…Ó[ËLE=a…—ñ@p}ðð€nlkÇöLU#bgyåØ*ÏVÃʬò2 Þ`”–¦Á•~©ù™Uµß,FÐFÜO¥é4«ý·Â/8›IaI˜ºÁð}¯\Dx»Àèym¬5óÔ­°µ²iÝn™ÄÊnÇeñR‘%
׬^7;dŸ—ÅjVÕ1øV±³Ôît›5‹`“Â~Ãé݇+2‘(µELj@}ZÄf_ÕWz§OÄÅ•_f½Å"Jgj‡ë»—ßÈ:“›Í–^ž.ÓjÀA§6‚ãoTQwÓp‡ÎÁÖ°jäðÆ™A0ï^©¨·3`¯ç‹ÅÍŽ³'A7\	…HwùçyùŒ('PÕŸ^ÇO1ww‹ÛïZîÜüÇ3(RDÎÛ
7Àé˜4lҞ…¡ˆTôÃí§‘ôÁHÈX‘šéèH¸G¢Y—
-£½‰ö-•ÝõÂÔÉÅ¢HþW¼X`Š¸ôâ´-Õ¡½èÊTHSA_†}åiÔé¾YjŠ:[¾ ”še¼Ïkš @›`zLc‚AæÓâ
u¨Nh¬¡r{Šw»}qa%I/Ò´¨È£y9PœMøa(OÒRJÒW\¦tØ¥Â\£Úp;ÐÕ=ø,Ž¬€nà<µJ÷º.ð›—IœÏÊ"÷”›25G•KA
-û
åv¨N(·¡²'ú/
-“]B…a¼](G‚'I"Í„'pþqÈ„1*=Ñê-.ä7몿0’Œh)دŠ³ƒuÈ€\}(õ–@Äc.Æ©&ŒCŽ;iŽ–êÐ=ãPú2ȾAâỂ.aŠ¤tùÈA®¨€ï?>_^Í>_«§%}tÄCs‹ª2ÉW¦°¡_ÛIŽùšAÅéI_ëR÷µ–êÿ¾vÊ׶»ìÉ—þ=œP¡äi“´T‡6éû›	eî¥õ7uýÍB忯þf!çovÐó7‹xð'üm˜’gLC[ÅEÔOÍ‹›tÝËO‹?4
ŠÐˆcub+
&[-Pn!Aiø
-qð¤¥z…lõÖ™ƒz¥E‚yÈ¥žö(i3ÑÌæðî1›9ÔÁX-õ+z”*ïÿú¸x[
Ø;A_ìÓPÄ|p€«”a
-m–î‹4.êÜOVuéñHä2|ës6}.q\™m¼ÃÆ ¨¦9”Œ°ÔóÐLøbÞ.®iŒ 觲Háú%À»(m¿ë°û
-ÃœÝumÆzŠëŽϛÙÃ.Þ
ÓkÖdæd÷²­ËÕ.Þ®³ÄέÑ¡c¬Þ!‹H›sã&x®ãb5HÐË}½m¸¨×]nàÆT«I"dÐXMRÐP´p#(4¿»"MšC	I4õÑ~Þ´Ãj¢Å£»ÕN„oœ‡GÊ2¶x)Êm•Uà õO¨1aPA†‚ë±Ä@t¸;0>™3º,Ž?Ž´T¯G·ï_gx
-ÕÕ”$Œtmož˜´ƒPaW>ìv÷ЂŒ…äßÎÉç~·×<[Í–YnFØŠ„JÈ!ÛÇ7ÙÂý<ÆS†DsyVoò|-ÓE@8—lÈq;Âq&B®ú¡k[îêƘÅñ¿ÚÑËÈ}ô:Û
-
7¶Jø…·<yUëñ—¼YËqÖeéã–ÌŠ˜¥#GgЇ)ôž”›Mܾv
žÔDÚçÄÞ廾Y\ÝÝ~¹¿ýsÞ®:ç›`2ÌïªH(2Z‡m"
ŒTù–m8ôà¿1~|`¡íãY(§ÄFf9½­ýÄ8@i:œ¥æ <5ª—™iˆ¨q‚&Xy¦±ßî9öûà›`ùÝjŠ˜¬9Cîïoç×.ЂÀ”(Eùð§Ã!uiûv(¼¢P	òFøcDèFá˜÷ˆôT>6™Ô?4º(›|ˆ¾áyVø„Zn]~B´ËiðžÕ~͹M]‚
-|Þ‚P2µ§ñS­íõÄl½‡]\Ž´ì–¨‘P.hÐO«m#Fµ×»i¼œÕ a¶äñSœåñCnšÛÈ? Î|fê…{µ·wBŒvî´½Eÿó‹þë/cÁ€üH½BsÁØeµÅ¤˜Cjøãp8œ?dS
+?6•‰’0™Æ‰ ’29Í6:]Á·×æy‚–)ès½\L._ñxš$
+£ébÙÃR„*Ŧ‹üãì%aœ\}¸»¹¾B¡1»zÿþöîæÍ¿ /)0¥³wWw^½Å±÷I8»z};¿ø¼øur»èÄé‹Ì(·²||üL§9Hþë„ž(9ýJX’„ÓÍDHN¤à¼)'óÉ`ï«›:ªFIÈ£pD‚é@Ä$ŠcÔÁOA»«Ì~›§¶Ô€1’H:– Ëv§wú«gÿž×›´¨|¯È¾TéFý=ÝlKM²z3b} ¿’£Ó¸ynÏÖÒ­ö´ip`™¥q°ÒÃ*˜Y/ê
¨¼ÖíXí§êï…iüb)
+„Æ0bf¸+EgEã[ƒ-›Îa}Au;ªÁö½rqÀŸPßÖÚž³b~ƒª3Á#X+›RÝ’YZ¡ì–®«O”ò"kQ‹fÝ®¤¾¬«U`šl«ZÔît[Zî(šÙ{gÛ¯®‘W#ò²•bãµ
+Ôfoü'”§UÏn|ëlˆÚ¸#‡Fæ²&…Ò,}Û5¨Ø8å¤?QIñ¾¹p{#;_[ðn³{mÃRhd¹ípb/×Ët_6ØiÝmÝì)QN„õg4Öã:£±–Ëiì!Ý]îöÕ¥•$¿ÌóÊ/úñHq6ˆcq^ŽëX’¡â’„0©â¡(£ìñ®`ÁHYá]?µJ÷º®°-ë,-ƒº*=ç¦Îõ)劘’8‰ùyåö¹N+·ã²;ú
/
+}F’ÄqØÎÉ#ÃID1îœ}ƒ„œ$Œ
+Ï´z…ülMõç Áˆœý]qvà.0C9À ")Ÿ¨•xÌÄBªÁëœ=ŽŽëø<&BRÌh$†rŸDMBWYí"•ë¹tÚ_Þ]]ïnä¥eèÑcÛûö:WÆè,Æ•®l8PÖC’“¶Æ\æy[ëq±µ–ëÿ¶vÎÖ¶»âÁ{ƒœ™r)ÎIÇu|&C{ã1¡,RÃCéì%}{³=ko¶}²7Ûsöf‰½Ù{ÿጽ†ä€)(¸Bž´¡ÙÉ4¿½E˽z;ÿ§Ç š‰p˜œ%j÷))=àLcHý¼ª_ŒÀÙÈ(cÏÐÁqJã‚þH8%ä„s‰í”Îfÿ5\t—pö7àΘsygtn,L2°ÙVß Ýú¶.•$b4fÃÿ
Óí¾üóõ|¼~2YLÇ“p¶¸`3L ƒŽcO2N0&ØÙN„OaŸH¡quÕ81ëÒgˆMQÍãó66¬ê­Ã;ˆ.„Šø4VÆèh´` 8ÜN ÏF÷™÷-Ïô´mûô1¸ÇȾ–$‡GµÓ¾®d:€‚*!ãÃc	ÅI¤à ýs‹œ c­½äÅ*X¥$‰%‡°_ž……»y
+SÄD…4>Ä4Ïb>•Sˆ<"a(Ø!âvêbèÄ¡Þ¿m½kF€1Oâ‡Àÿì¨Ç‘%†:+¼TgËÕ4ŠˆÂ§ÓçÞbCÈ~”‰
:¼à	Сh!;ОÉ
+Wä#›föròh¸é¬ÞlR|©{V†ƒ²oÁ#W„v·ò~r~zRâJJÛbÈ‘ ½PvLˆãìÝ?NËþ)*»hendstream
 endobj
-2198 0 obj <<
+2199 0 obj <<
 /Type /Page
-/Contents 2199 0 R
-/Resources 2197 0 R
+/Contents 2200 0 R
+/Resources 2198 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2169 0 R
->> endobj
-2200 0 obj <<
-/D [2198 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2170 0 R
 >> endobj
 2201 0 obj <<
-/D [2198 0 R /XYZ 56.6929 591.2744 null]
+/D [2199 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2202 0 obj <<
-/D [2198 0 R /XYZ 56.6929 428.8011 null]
+/D [2199 0 R /XYZ 56.6929 567.7585 null]
 >> endobj
 2203 0 obj <<
-/D [2198 0 R /XYZ 56.6929 356.2997 null]
->> endobj
-714 0 obj <<
-/D [2198 0 R /XYZ 56.6929 307.1205 null]
+/D [2199 0 R /XYZ 56.6929 386.52 null]
 >> endobj
 2204 0 obj <<
-/D [2198 0 R /XYZ 56.6929 274.8641 null]
+/D [2199 0 R /XYZ 56.6929 302.4578 null]
+>> endobj
+714 0 obj <<
+/D [2199 0 R /XYZ 56.6929 245.2457 null]
 >> endobj
 2205 0 obj <<
-/D [2198 0 R /XYZ 56.6929 240.0563 null]
+/D [2199 0 R /XYZ 56.6929 209.4615 null]
 >> endobj
 2206 0 obj <<
-/D [2198 0 R /XYZ 56.6929 176.5882 null]
+/D [2199 0 R /XYZ 56.6929 171.126 null]
 >> endobj
 2207 0 obj <<
-/D [2198 0 R /XYZ 56.6929 107.0516 null]
+/D [2199 0 R /XYZ 56.6929 96.0972 null]
 >> endobj
-2197 0 obj <<
-/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F14 765 0 R /F53 1062 0 R >>
+2198 0 obj <<
+/Font << /F37 827 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F14 765 0 R /F39 927 0 R /F53 1062 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 2210 0 obj <<
-/Length 3048      
+/Length 3151      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Z[sÛ¶~÷¯Ð[å™ÁÀ£siêNs9±sæÌ´} %Êâ„"]‘Šëvq!AŠ’ÓIÇ3&¸X‹Åîâ[¬è‚À]h™nÄ"3"•„ÊÅjwA÷Ð÷î‚zž$0%1׫ۋ—?ólaR£˜ZÜn¢±tJ´¦‹ÛõïË«OŸÞ~xsý¿Ë„I²|•^&’åû«_®~s´O—†-¯Þ½½W¡&Ê‘O‘åço^_þyûëÅÛÛ^œXdJ8Êò×Åï’Å$ÿõ‚¤Üh¹x„’RcØbw!$O¥à° Ï[‚i&¥8/\Ï5#Ýhw…I3&cñNZ‚É›‘o2¨͈ÌDfÀX€ÏŒû“(ýñÄ~ë±Ãº<ÇÎl=•:ÕÌ裭÷@f"[–¥Ѫßy€Æð¢ŸÇ‹†âÌLY7™ŠgrÐOšAHGÄ3R€Ö¦AæÇñ¸¡Ãgð„óvíZ6:Â3Nl¢¢Äû=Œ¾pÊ£æÄv¹:g£òÈŒ~¯¯*BèZ7…¤nº š
-•M2‡âï²íN:œÐ"\Êósv¸žË:\ûlôõjšº§Ì+q^´žëX¶±q•Ršecᆙ§y˜¶è=®´ù¥	‰œ	 ZxªãstÞÛŽÍä›Þ íó3lîònµ-üGù1+œæ]±ó	¯A÷¶’¸mW ~*Íx×ÇaŸë!ìsí@É1F×4UÙ3é2€§Œ¾œ¹¼Þ¸AëÆMÔ_3Íf…Hƒ¼·*mê	oN¤€¢4‹Ò; VÕñÞ†K m›ëiæ3pKÄ<
-IÞµ@„¥Tð1Þö‘,`<$kU€Óã4¿Z@LmCzo_9pÈËF…(ž
.?ÍbH”Ū¢TCÕi`tþŒ?G\gü9pY~xöÅ›#o‹Ñ´Îʘfäù2ƒ’©‰`7E@¢Q|ŽP®½Ø²(Ø‹7̤0–š,bºk*$ÄéáèŒLâÕõ‡7®e~ò"xÓÒÕ»©fnpÚþs8õNn/À®L˜ç¶7â:³½Ënï§Sœç¹)ÓÌ”#€ÉÚŒ§|[çwÁÊÁ3ïšà‘UsÉÈI%ðÌEQq^	1×i%ô\V	Oó6·˜7sYC©€ƒ9c#¹~貦ñxÑ5^D¹>öAƒÝì¼âz®ÍOTÎÊäxÖ/vó”ÙØèqØÈÛ¤myZ›Œ^¤\þ{ÚìGœÑæÈÅdÖ:£Î#ŸJ£ÞÞ8·ÞMpÚèB{:‡XÊ©ÉN«†C	éƒø÷TÓøŒj¸2€¶ô?W¿……ß³ðWˆHBè¯T8Ò‘ä«^î
 r¦Aöñ]¬¿ž“ñ͸}u§ÝoÛ÷nïo8¤?ó¢8àX;X Ý]
6&±Z.w€ïò{?ã·¼*×ýq-ýI3V«Ïæ„3‹
-°èx³¹‘)UŒÞlÉ cæ:[pH·–(~t³û“xÈãÍ–pÖ)–Éaæ“›
 
x5•ãͱ¨xz(V%Z|±~1—$F9¦ž/ÐpÉ¡!‡Ý[PHðÄh¾ºÄÒ]·{¹Ž›_b#@>lãöãÓÁKBÈJFˆ_mícà%#Þ»ÂUÅ`De/œÅfÅ´€ãáòAcÍÂU„zÌ/ǘ_øôCú’JÑöÎN
:IîI‡²Ó¸~Ögó‰Ë¶± °ñ¹¿‘Q¹ªÀA¦d®’ƒ‚¦È¤–›#$"¾ƒ¤ã8½=Äu]^Ú	¡'®SaïàÇž!$QÐ7Ürݧð(Dã‡rЪ”“ÚÎ1:›“¡*Ì+–œ’åõÌ>ÌèÄÛ4ñe,¦ë¶±Í¿yÒ}QûÜOª]úŒåB\¸V…(Ó¶i_kUãªÊÏö+n$„½ºx¨
-;‚Àû‰Î‘íÖ!Z,Pã"%tÞ=Í¥:Tâ…æ?È_„¹‹‰l8É8ÂÕzWÖ%Äë¼ù\l¼2ë•ÿì}^@gN\ÂLzlŸAuûK°zf
EÚ_¾|Wº†çSsèâ;öû:ÂÄNÜ*mmÇ÷l‹êÁÝY2[Þ 
!œèq•ç·ë÷×·ö'ø¯¯øL–Cœ5:×zü-Rl–OE°eg}­`Zð9HœOÒ!=›)«Ô°¾Â7/*5ø›`?‡®¬Êîé’Rê""­Ñ”ëw·ê·ÁïðbѸ(
-Ïè7¶$ƒáù˜{Bç	Q	!˜AÏ(:13FðîB3Ã+™KsiaJuâñŽ^	®
Dã?ñüˆI<¤=õG²!„Üš3Ÿƒx¬Ï—€EZ±˜4vþÁ`üÅx/Væ†;’UUø}šT¤çJ©þáí[÷íÕo7gV=ã^¶Øñ‘DÂ?êÓwìH°¢:öé¨Ï"ÝYâìP0RÄlEâ&¶'Í “à!Ñ
„_É$iH4Ò£¢•KP*.Ú,!	2™±2¯¾ÜþòñóóZ¼®»b_‡ˆsóÔþñ»ú „Ÿò°;õk.ú|ö^‚ô"þð/½†_²	¬k6Ÿs‰-‡€æ…ÂÅQ!P}øMرìÿ-±®rendstream
+xÚ­]sÛ6òÝ¿Bo•g"ßÓ$í¹Ó¤¹Ú½¹™^h‰²8¡HW¤ìó¿¿]| EÉéµã\,Åb¿WlAá-Œ"TX¹È¬$Š2µXï¯èâæ~¸bg‘V)ÖwwWß~/²…%Vs½¸Û&kBa‹»ÍoË·Ÿ?øôþæß×+®èò;r½R”.?¾ýôëÛŸ<ìóµåË·?|¸…Wi¬$&OÓå/ŸÞ¿»þýîÇ«w=9)ÉŒ
+¤å«ß~§‹
Pþã%µx†J˜µ|±¿’J%…ˆêêöêŸý‚ɬûtŽJ¢ÏfxÀÙ‚1b•â#&(K´àÂ1áý‡Ûw¿Ü|¾»ùùžÆ}3ð.VÜ™	îõf°D‚Å9QLÀF¤uSw‡kf–MÕߨZv»ÂšÇâweS‡×­æþQçû€×‡§âp©%0›[µ¼éÂÄVh‹M‘¬|J5—Ø¥=ó43<fxœcWVe÷ÍÃvÏyØçÑè©Ü)ãªøîæÓ{Ü8f)QŠòŪg>òW(ª"o‹N%…YÞlgˆW”É#ñç8.ˆ0‘á%iôÔ|qôÔ>—Ý΃ëÆCÖÍ~Ÿ×¬Êºðàæ/$,Ñü3wÔ>÷Eݵo®W‚ÂòÿàñP0àùG»ka¶=Â.‡—°ÜÖs$“„ª#C¼úy©-ƒK}„ïåðèlý›§=zþ”—U~_…×þ	vy°ô,䌃~Á¸Äq8c¢—ñýþX—ë¼CI ¨žß8r„ŠLyFPg7núQîwï>{|PœºXwå5[650]Ò¾¬7eýà1θϰSÝ9"6Aò‘#Á‹’ —›ò¡ìòÊ«T[>Ôywôbé$RŠåMí1=³k}V/~”
+™1ÍQÐ[M¤ÑöåÕCsîai-œ²áóß¾[}|¯pGË–Ï»r½ó3Ƕ8¹´;/‚¸·{/Öþ½óïhñYäq‰¢v¨ÒYHx™‚A”‘¦†ÓÒ.ïv‘¢ÄFµî@t¬ow·7?¬Úî¥rK™)l‹@è,nh«/žì?ŽEÛ…5âL„^g½ÐgrùM›~ß>‚üH?œðmU6šîï õâ‡Úî–Ùƒõ.žTþelæ}´. çÑ´Ü¿“à_Š—©ç&#–i¶ç@¨eìk|8'Ö 5žóà«~ÅUº¤wÏ#}¯a©´ÃÎζÊ¿ÔÍsÞL½¥\ÎY7tNÄh¥¾ÊÊáQ,‹šë®+÷¦Ø{…~¤þ¥üáØ»r˜Cˆ·È<(–›¢+{ïh¼kž=ÜÏ»…º|Ýà. …(@‰^€;.º÷ãgï¨qºWR¯ÉácEŽ¾¯Ý
Ê *ྎU˜<¢dF.&ÁH¤„)nÜb?»ˆéö$¤„*/X7Î23³¤UŠãµÓ˜µÇÂ}W÷ž8¸ÎÄL2b¬Š¦´mŽ‡u±Ê7›CѶS
+ì®9µ—Iì±fhGQŠhÊù˜È_Û•©‘lQ"¥Vg©œ,
j#ŒÊ¢pNEçÊÝ÷(žëÂOàBÞºLoÊ3|ÂÛÖj&EB6€“2FŽéã±êÊÇ”uÛåõºhÓh#Ì=¢üw}d57¯*¯¨»]çü»3nÛ`¦ç±S¿ùü$'!€tX$á…CxQøˆgNFefˆÍ¨¼,£)Öyí±œŒ®çd”BÈÔ#lˇն¬ŠÕŒP.Åeúz¬Gª5¡ÄhDá¼€bJ AægIœ¬«3ÀÍd"ÌIbvÆF"0ÚH£Ô€eõ/xïÌŠáóM±ÍAÈÞøå(¸¢p3‹T~[tëoј¤wNÑFó€~^¤&:3âaH°.CÄrÂðåUƒöx^¤$™Rò2q=Öu£Û…¤0ƒ¸dLÞYI°™ä3ôM…dÊÌ&bÀyŒž¹ž ½{äb¸zœp*Ï£ûÀ…«gÊí9¹úÇLhË2’Q£û›‡È˜A¸ö	¤!93[)È/m¦Ó¼E„à‡d`'¹íy*€ëÖ°Hós‰á8
+žÁüíÆœu„gš× D§!Ëb0˜|á™Ç†Çåv˜œqF™ *c_«ë–Éhº6M©›.2…©³IâPü·l»³
+' Ü“™z%BH±Î+\å®}Õú6MÕM0 é¸LZuJÛX…„&ŒeÙ˜¸açi¢-{ó
ó8ƒBù
+…û{7±|ÓŒCz†Ã}Þ­wEø(?EoÞûïZ_çI—YYùk×À~¦ìøÖÇf_˜ÁìヒÓÝ00H¯dËÈD1èrF–Ü¢XàÁú*À\Rˆ0H{«ÒežðæIŠQ”IjBÅš–X¬al׸TÏð€; ¦Q
+ª œ09‘ÿ`ÉVC¹Z•ƒÂÇÀiãŒ*9é5$¡Ñ™‚Ÿ€ÌFŠWXIÙ òÓ,†&Y¦*É$ÑT×g!	•WhŠuAŸ#–ÓçÇW(6N´™cQ]¦+"ÍÐ5Òe$×Ân‹z¶b£\W×rQp oj!¸%"ëK7ÖøÖ4‘4ÚéÁu&"á
+¯nd¿	$Ñ‹Ôõõ虂nû&|^ïìõR†~Œ½r½	Ö…ëXîzÿ5ÝÒ‚á¤h8/m‘f¶ñf©±ã-?ÔCõ4ó¾‰Y5ŒœeׂIXî"R¬óLè±^æe\6o¦VØÇœñ]©VÓ¯xzˆ	iP=>D¹9ÕAKŒfü2ãz¬Î=ªÄ΀ïú«»<›,0èã°‘¶)	ܤê<79…x‘	õ÷q³_q†›#‡è$£pÖvžñDYãí­Wëý„§¦€Þ´“Y;ĉ`6;ÏI$¤òïcM¿â+¬0Ë„ùó¬	uP8ø}‹PAD†þZG—Ž Ð$Ðjpê"gÆòq¹
å9•ÆÝ«÷jTÞvïÝ!T8B×LIŒâcãÃåk58˜ØjµÜC|—?„ŸòªÜôîZOƒ]Áõº@ß¼܇E…°èô²…U„iÎÏ_6V²´0Ù‚+_!Ì_¾ì~ÅUºäée+ðušgjØùìeC¸"úQÈå¢>
+ÁÓc±.Qâ‹Í›¹#Z¹¯h1Ê!\òÑ®Ë\PHÑc4_|béËmÔÕÖñáòKÄÇxýøôá%eCÈJG¾ºÖÇ€KG¸÷…oŠÁ•½	mFÅ´ãéóA«B;T&1¿Çü2¤±ë[´ý„—SÛ·ˆ„òÐu·Ïúl~å³mì§Å؆Üߪ¤[5´bM«¹Fêúâzù©q92µ}ÓÚÄn»±ƒ0Û‡¸¡ËK·!̤m*œô8 Ä$
+æ†*'ÀC
+D4a)"âI“rÒÚ9ÎfƒÉ؈b€
KÁ¨ÿaÀ¤„;zò¶MZŒÅtÝ
vùS=uqÈÃƱۢ˱<ƒ‰‹eU°2mKúV+DzÔTùÞ}$cABºÊÅcU¸$–':v7€ä¬M[”0yÿ2—é0…õÌ?‘,¾‰{ÚBÜ ëo7û².Á\ç]<È/Å6ð²^‡Ï>æõXæ™ ìdfÎñD£ž9$k”õµ—¯ÊÖÐ=5Çn¦¡?J×Ú	3»¢z­AïJf»;`£Á‚S›<þ>ºùxsç~„ÿú†Ïÿû™ä<¡ˆ”JåKÑ~Ñ·
+¦íΑ~¤yñ$2³‰²&–÷
¾3?±ø)1ùic,¶E8ÖÒ1›H…ÿ.j–­·¡ðL~@àZñržÏytt°MÌŒl·ãÞ½aæXЙ)™+ñ¥Ò—<y-„øØÎRæoïÂz«aAçïGtaYµˆ»^
+íxŸ'ªÇ=¶>´âvàÕ©Ù`þâ@m±Ó‘Þßmñ4ØÂÂ_ZTå :m”ÀÞÔÆÒȺ*Â
í³¹Æ¡½˜¯EÐ^ÿòæ†Jì!>ŸO	
+)‘]D!˜T'ñ`üyÝ)íÿÖ´
endstream
 endobj
 2209 0 obj <<
 /Type /Page
 /Contents 2210 0 R
 /Resources 2208 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
+/Parent 2215 0 R
 >> endobj
 2211 0 obj <<
 /D [2209 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2212 0 obj <<
-/D [2209 0 R /XYZ 85.0394 639.6376 null]
+/D [2209 0 R /XYZ 85.0394 751.281 null]
 >> endobj
 2213 0 obj <<
-/D [2209 0 R /XYZ 85.0394 238.9116 null]
+/D [2209 0 R /XYZ 85.0394 555.2948 null]
 >> endobj
 2214 0 obj <<
-/D [2209 0 R /XYZ 85.0394 143.0423 null]
->> endobj
-2215 0 obj <<
-/D [2209 0 R /XYZ 85.0394 83.0386 null]
+/D [2209 0 R /XYZ 85.0394 126.1169 null]
 >> endobj
 2208 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F53 1062 0 R /F41 969 0 R /F39 927 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F53 1062 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2219 0 obj <<
-/Length 2930      
+2218 0 obj <<
+/Length 2725      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ËnãFò‡Ðɨ§ßlΞ<'qqfcä@K´MD"‘²cìÏoUW7_¢Æ,|P³ºX]]ï*Z,8ü‰…±Ìf2[¤™f†³XmOøâö¾;g‘–C¬÷7'o¿Ué"c™•vqs7 åwN,nÖ¿%ï™Ðìô›Þ~kÔY²à@¬Ÿ¯>œ³óŸ®¾%ÌY™¦,*¨gŸ>]\}¸üõt)
ò§KÃyòñìê—³	öé4“ÉÙw×Hìä⦻Èð²‚+¼Å_'¿ýÁk¸ó'œ©Ì™Å3ùOGp°ë_žàL*+g¤'Å„£4lÅg2f•TøH&Ú
‘µ`N§iÉ®Z¯Øª®îuLwq—ʵÔúW®òm‹°ùb)3&ÒY²j¬lé\TÊïR¦$||‡VðâïœËûý.o˺" B6EϦ`™1Äf¤¸T°ÎÓ½~©êǦl¦šT‚¥Îª…UŠY£íœä0+Áæøµ€Q	»XIx­Œä•Òaw>ºÀ‡‹ëóŸ/?Ý\þtuDÚ†i%ÅëòN™Ìx”7H´)’ö¡ÀÅŒ°q7Û#ÜÕ»ŽÛžª`'ŠÛÍœ-9Ó©
-8o€^jû“ß_^} ã2ThYл§b×1ØîN…Kê
mîÛrS¶/§BˆœØ
-™Ü<нø€s‘<ä˜#k 1.Ï´Y,;©[M¹-79&MÒÀQ.Ù¯Ú½?² h^­ÃöKÕæÓº­gô"4—±:\o´>ª˜Œ¥©qÑ2Éu›·Å¶¨Ú&=䣨V›º)<3:)+‚ÞîòUÑL8m‹Ý¶¬€Vx~.Û‡(ά”2J,(/ËPðÛr¹ª7uüh¥“óM¾oº„Ј'"–W!š·¸Ñqë6MÐ:ªáýŽ¹pÊM$¸oöù†Võ)¾Ú—Mä"‚·á]îëÐ}×í:&­%—:§Hâi½±ž¼ýš`_¿}á›of^yK°¶¦ßEŽ‹úŽ~7eUÌQû¥*ÿ>$÷¯/¤v†´_¸¢ŸHí’í~õ€«íÿqƒÎ†àö!¯fNËS®£ñϬZñ,è‹î‰g»hû@*
½U½£×óŠðêGQÍë
mF'{ÐÊŠ±yÇ€BÒ/Òc%žÓÏŸÅËÍi¯4ãÿp{e£ "¿‡RÒše\Š€7àHñÔG¼¼Ä{âŠì©;äè5NcÁjÆ5öº¸Ë÷›v$pÈŠ³,Õ&ÖStVîêͦ~ö‘žn_è—â8,ªP@ú“4c§¬}l…x°^“š›†hâ~ƒ~Bø—…NEâÙMµŒRÅ»uÓÒê¹ÜlhuÞ܇è{EèÖøËGôCzu¤z_>ÅòÊã³gû~4ûåÔ%&÷%)ï¦ÍEÊ”¹Tº‰Ñ<©ÚŒqiìT‰Ò…ûeC%Ô+QfA‰ˆÂÉ‚ViÅ‘; üù¡Ä1¤Y®A"%è”n>wŸL@}h#“ó‘‚I®³¡c,ɸ4”—©Áfbh\äŸKkmr‰Œ[‡ú><‚ Táª?»\Ïœµš1™ÖJ6K©üx*Á*×þ¦ô¥’„c©~Ef.JÄÆø•OæBr„Y¥€n…›ô5ñX®ÕTÏ@“˜u ç}<Æ–4	Û¼]=a‚Ž˜³Â…YV÷sš2ÙiäXQÐ{wÑàêZ(’çωhÇô@Æåxôd<Ùužì(5"$߃¬ÁÞV@š ${@‰
áâ«pNPBx"Ñ&E  (­K§©âB6ÅØ4=âšV`£¥'®‰¥ÇŒdRñÀ7¹
ÖŒ¬
ÖÄkOׯZ°Àš–$ªbá5½â’ÇtÝmÝRÁÍaD欆€æCó‰ExŸâG|
-Z°Å ŽÜÚõÓQF$š1½tîE¾;£K1Á·Ôûï}KʤƒáT]Øý"V{E¹A&ÜÇsÊÀcN;Þ¹æý3žF®Ïy’nΓ8ž”ò'aŒ"I;W‚•w%ø
®”WJy00&;p$gÐIMK‰z¿[KÌç˜Ëo p^‰è¨›±@•Æ,惑ûͲ|²sçÉ„5ãpˆå!XuHWPù&+_?‚B|Ù
¦hÀWª°¸üô¤i
-DÙ€^S¸
-ȃҦh‚;EÞFJXà¹Polb;S_žÝµ}Q>§“ŒT¼—ôéN÷Yå¹öL¬ßÄÚ;VݱDÖÖôXBß¹_¡ðÎCßÐîÐÞ=(
-[»®Áèèb¹FaÇ—ðá„Q1ˆ€0fX,gBšI“ž“—Ç*EÂÔ‡–Z¿3(¦áÀbÐdàãcÝ4åí&¼LçÝœ`–Ⱥ’d>/CîÎTW«½™+@˜s¼€R¸ºŸu¨9¤“ˆCîQÌy¡Q,Íœ”š2b’±®“ÃòÝIfø´uÚî±Ü–VQŒ£%i×ê ù†~sú¡6ÊŽô/øBOA…–Ѥæ&B)žáªÚoo½]"-pª7›	•ˆ\ ]‚ôxu8àònnn0Ûô
-ŸígŸ•´dÓ/%Ueø‹ƒ‰Mé£UÝa9<ˆ8®nRˆWH¯jÚ"^ⱈ÷§D†5*Æwß*¹È½ÚƧ‘Ê¡ošOœâ¥Qæ´"ˆÁü
YR¸ŸÒåî¾V¸s´PüËXݾšBœa™èDGc’XwöýEù‚+æL×Ôá¡r|¨º©ÉNÈIT
-éYº±“xM™˜j‡o²wa¤@šB3¤ì2?„삯³¢LlÄðGŽdv½”–Ÿï5$ã÷f‚jï^|‚@%,abÊA(\¡*@·…,…oêÅ"4bÃGw\´ÏulYjõÄ ãØäPXl9Í2ßÜ×;¸Ív~Ž.„êæh}ë‹ùE…P¤”Ä)íî%Ö¹°ÑõGæé)”L®ëŸŽ
 ¤÷H¾šS¾œù7Öu:YíwdU»y¡Íº¢•L¾ÿxv¾üøÁ„9Yf úR“10eoÛR»í¤Fß³ {„æôØ+â£%paÝÕ
-ÃAn„ŠˆåM±´š  Íz
-”\vˆÛ	÷«f.°u‡{Á¬pøzý±?ÒþBe벉sÙ8z÷Ð@n]ï}	ë¿öÐe5Ç|°ãcËÐ?¤Þp»Î†Ÿ4yÎ_šÐÕ¹/ªbGï°1êøFhä×w~êÖéÜ@'~|(C);áC gÙý.ßΘjĸ©ŽG4“ÅÀþ|§Ãy÷)—Ò”‚·A·!˜j’þöRðº'àBh½¥uÔïz¤j3í+è±Ïe #Þu…ø¹l­˜ó}ɤ㱈ˆ'œ>u Uý\öš¹3¹cZéHj[~æPÅ„ê}DlãPÈÝ–DgCÅе|¡r(Š.¥Y7¢wfo=ìßÑ·´/ågJû–Í\LZÃL—°?/K
ëØSÖTÊáP¬¥³›‡ò‘@”XpE&Š»Yà|ßÆ™³c<ë?gÉ>Žaê|ÊËMÞùhÛ¼ŠCþ(¨¶Mˆ×E1IÔ¿ž}üôãE@ÆtixóÐ? ÄO×a<?Ý4äj1öú×ßxìL‚FÂb{uˆr©}hXZΓÿûï…_ŒÕÜGmÞqòÿgCÿ?t²ÿ§…q«cp k#Sx¡íëñ yÿû_ç{endstream
+xÚ¥Y_oÜF÷§Xà*·Yeþk”{r§uÑ8¹xÐôAÞ•m¡ZÉ]IvýíÎh%­6Nq0àq(‡ääŒø‚Á_h›T¤‹$U±f\/ÖÛ¶¸ƒ¹ŸO¸çY¦åëíêäõ{™,Ò85Â,V·Y6fÖòÅjó{ô6æ*>ýcõëë÷Z˜0s&`äú|õî<>ÿxõž8GbE’Ä	—©g=ûôéâêÝåO—B3ºÔŒEή¾œýF´O§©ˆÎ~¾¸Fa'«~#ÃÍr&qüþ[l`Ï¿ž°X¦V/žàÅÇÁŒ¹qÖ›Û1ÜT‚º,ÉÌ ”fÖ,VI€#€X&f¿2Á—K‰€À'B“ï–AÁÖ!´.i²k‹²hŸO!(ƒKÃE´º§}±æ<ºÏ<1CÕÀbÒCªôbÙ›ÔjŠmQf¸˜Ðä†Su붣¤@Ô¬ÚøéçªÍþ¦q[Ïø…+¨1ÊoyŸÊæ“ÆI¢mŸM–ZêèºÍòyÕ6~顣ʺÉ2***¢Þì²uÞL4…4¹dù秢½V`±B+²3ÀYŠ†ß¬Ëº}”TÑy™u
JPÙpEär.DB3Ð'zmÝCÙÔž­—êßï•ó«¬‚À®ÁÔë˜Öõ%{½Úç2hÁÝ°‰/»‡È‘ùæM?)[qJ
+ç”Kœ¬7`΢×?íÇ׳/üôÓÌ+¯‰ÖÖô›£ÉqPßÒoYTùHéö¥*þ>”ö¯ïvˆÿ¡¢/e܃¡l´íÖ÷8J1üJÄ’Ûû¬šY-…Tc{ÿ,¨%K½{a±€N\ˇPÛ{ò¨ŸØÕz=«ˆ¯~ÀÕL¸^ÑdÀ8„ƒ’†OâÂç²¾‘³`ñŒ~þÌŸ'|ñ\hà–fà»—&*è{h%¥â”	îùI–¸„—¸O|B“=æ~†Àˆ ±ü˜
+FÅLíeoòÛ¬+Û¥·À¡*Öĉҡ¦hµÂkp[—eýä	<Ý<Ó/¥qT¾'€òÅu¬›Ø¾v©ÒÁfCnn"`ˆ»	úñÙ_`:å‘S7Q./
+2<ÌÞ×MK£§¢,itãßì|r„¹û¼òrküe#ù¾ºÀ8H½+Ù'eáÙ©}×y%¤~1…ä ¡~OEĽ)}Ä‘"‰m"ìÄž‡RM3¡ÍÔ‰Âúý¥C'Õ9Q¤Þ‰@ÆI½W,yÅþt_`ÊÊ,6`‘t*7›ÛOÊcžôÝóüFô°L¥C`,)¸t˜‰Æ£à0¸ŸKhÊ£KTÜXô÷áâá%÷k›™Õ%œ©tª‡­’I£ê>ˆÊÛ)]§d‚aYj`‘„…‹ê01cã“Z_›aVCÁá¬Étò’ySrêgIÊZðs–qý!OÂã6k×÷Þ˜à£ØnÇÆ,ª»¹„GjÑ{äX‘prÔö £ÁÖ—`%§Ÿå!Žé‚˲€dë‘l{$[*HÉ:°5ÄÛD…l,Ð.~ðëx'ø'2=pRòV€ÎØØ„qÛ<@ʦ›$G i8“ÕšØyÌX&QX°ÉŒO°z”`O°:$X9¹nÔBÖ4„"Qåë@¯é”,´Ø@ ínëÖ‹ò0‡‘7™K°ÎŠM"ÂaŠÁœ C‚:²{ÀKt:ªˆ$3”—^„-˜	}‰ñØÒ[l-!¢žvDS	Zôi÷»TÝ;Ê*aÖ)¼ŽÍ8pÍã+žf®o!Ik6‹$Æ’6@æ(Š‘¤‡Œ”à×C)ñPJ˜&—;p¤Aœ§pš¶u·[çK¬çXËgîIðÆ å蛳@—¬#øÍ/²|4sëhs£ÇéÛCˆj_® óÖ®	d¤¸¶(»qA‚ëTapùéQÑ5ˆD2ž½¦ãáÚ3Z›¼ñp
+ºœî¹¹Ðo”á;Ó_žÝ¶û¦|Î9
+o2þb^¶pL·j_Užj§ÄæUè½C×ZäaoM;»MîïÌŸÚÆ»#c+Û0z¹Ø®QÚq-¼_aÔ"Áß2,––Å\èÉ=#”‡.EŽÒô‡†ŽnfÐLÃ+tƒÁ!ê¦)nJÿ’7s À*‘ö-É|]†ÚʾW{5×€ÄÖrýBJ`ë\|6Ð?2('‡à‘Ï¡PË8I­´š"	f¡¯ÃöÝŠX³éÑiÛa»-Œ¤GCò®QÞ#HrVøÍ臎Qfä|Á]!ì%H$Œé¢f¨”ÏpTuÛ—(€Cýf3‘ø=¤ÒHÇWû.oÇ×þòcîÐËeÌLoöMKðI:­ðBPW†¿x/Q.ëP×ƙÑ(ãèÆ3ù|…òª¦Í3ÿà,šx·J€0ŒÑ1îô-£‹Ì¹m¼¹Î
\±	Ø(_
+0eögN#¢h¬ßP5 „»K  ÝÝ2Üõ
+žwΘšºÛKˆÕqÊ{“†ȱHì…ûøþ®zÁdlu
+¨½ÂCç¸
+Põ#r“&ŸHdåYLú¤ÿéÀ{jp¡ãBöÖ_)§0©º¯|uÁW†ÕY&1¢Ù?¨#G*;ƒ³”ß>kà·”ÔÞQ(†¡yçn(p쮡Íg.LBÃÛgW @Å[˜PrJÉGè
+ÐO¡Jþ~7±–ò	©á²;Ú§:ãĨI@‡k“CC`³eeˬ¼«w°›íü5:粿GÛ}±¾HŸŠ¤xI»{}.Lì…ºÇ#×é	´L¶??»<€”¾grÝœtíÌ¿±¯SѺÛùoYmùL“uE#ýòáì|ùáö÷d©†îKNn©z›ý=jG3Iϱ?³ Ï,HÍè±ÉפGKä>%¸ï†]8á;–5ùÒ(¢‚5ëo4‚ì·7îÍÜ}ðÐárχ^¾®÷Kº‹?ßÙÀ¸h½l¸ywT/nSw®…Àñ_œ²(Ææ>üBKŒ_kg¾(±þ#ÐÿýQxÿ¹\%±´Vì¿÷Žû·!&(…–âʨ>êþ?ù"-Ûendstream
 endobj
-2218 0 obj <<
+2217 0 obj <<
 /Type /Page
-/Contents 2219 0 R
-/Resources 2217 0 R
+/Contents 2218 0 R
+/Resources 2216 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
+/Parent 2215 0 R
+>> endobj
+2219 0 obj <<
+/D [2217 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2220 0 obj <<
-/D [2218 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-718 0 obj <<
-/D [2218 0 R /XYZ 56.6929 769.5949 null]
+/D [2217 0 R /XYZ 56.6929 752.2635 null]
 >> endobj
 2221 0 obj <<
-/D [2218 0 R /XYZ 56.6929 748.5139 null]
+/D [2217 0 R /XYZ 56.6929 690.7232 null]
+>> endobj
+718 0 obj <<
+/D [2217 0 R /XYZ 56.6929 652.8084 null]
 >> endobj
 2222 0 obj <<
-/D [2218 0 R /XYZ 56.6929 713.3233 null]
+/D [2217 0 R /XYZ 56.6929 620.2916 null]
 >> endobj
 2223 0 obj <<
-/D [2218 0 R /XYZ 56.6929 648.7414 null]
+/D [2217 0 R /XYZ 56.6929 585.1376 null]
 >> endobj
 2224 0 obj <<
-/D [2218 0 R /XYZ 56.6929 590.0462 null]
+/D [2217 0 R /XYZ 56.6929 520.6753 null]
 >> endobj
 2225 0 obj <<
-/D [2218 0 R /XYZ 56.6929 95.4174 null]
+/D [2217 0 R /XYZ 56.6929 462.0998 null]
 >> endobj
-2217 0 obj <<
-/Font << /F37 827 0 R /F53 1062 0 R /F21 738 0 R /F48 985 0 R /F41 969 0 R /F23 762 0 R >>
+2216 0 obj <<
+/Font << /F37 827 0 R /F53 1062 0 R /F21 738 0 R /F23 762 0 R /F39 927 0 R /F48 985 0 R /F41 969 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 2228 0 obj <<
-/Length 1729      
+/Length 1782      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥X[sÓ8~ϯÈôeY,¬›e/ÃC ´…¶0—×VZï:v‰BÙå¿ï‘Žì:©¡e˜7éût:àGÇ‘$ÅXÅ‚È€ÊqºãX;Q§ã·J~_ëÉÙèá>Wã˜Ä!Çgóž­ˆQDÇgÙoúêÕÞÑîìÝÄg2ðž‰/ƒÀ;œ½™¾DÙ«I̼éÁÞ)L™P!(QA&ŸÎž?Ü—¼gŸÇ1QBš°Œå“£Ý§äéñѾQíuñös¢7Á~}øŒ3Híù( <Žäx
“€Ð8fãÅHHN¤à¼•£ÓÑëÎ`oÕ¾:T#É#"#¦Š$h/	ʉ€Ž•ŒIÈ·¹dzž¬ŠÆ¯õò‹^N|Ê HE•&ÅeU7L†àƧ”ÄR²WþÑן _'‹«BÃõ;í×¾wÆ'<€2ië7ì»Åé¿VЖu­¢»]Ó{ºntÝôçwùf½ÔyÞ*R’eK]׺ní
exU-ÝHrÉáðû¯gbC
-ûÕ¸3‹¤¸¨–ys¹˜øÂlùå"IýE&“©uºÔiàí„û‡ó¿?®¿‰âúœ‰ã™fùÁÞ·¸˜Ó¢x~ügñmç7rpUý•Âû&`·mç„?›E¯Â'/Öñûõ»õûþÅêõãÇ÷ˆúá>ëƒÏ%`JJP©VuVZO^s©aÀc/9¯¾h”é¯v‹8c}€y)J…#™e™¥€XÆÒ)­ó¢@»ç×èÊ…«Ú€‘€¤=ã6*§Õ;”Fü1aŠð£0¡¨•”Ù–-HàõBgÎA²ð]%RñfÝñ¤”zIJ‡÷´Z,ÀxmH˜yMåžÖ£ѼK–\ö ÅDû¯õ`ä­Ïfª¼õež^âÊb…¦)¨Ú9?wF2ý1Xisq^Þ8m矲Z—®ÿ-“òW×›2ÛAâºYÛµíàä?|lG»Þq' k¡;Ê£éáæ}ºw2[ù-<ìÜ|»ÍÞœLM5ÏfÇGà 6MPìŒÙ{–ÓÐ]ʜʎ=»3:w«7W¿ÝW-|à™¤©¾jP/#u$
BíÔÊuÚ÷ÐXZ]”ù7"tð{$õ•Nsã¼õš—Cw¼kc¶!’˜‡ñ}¸4©ºÅEœÅí
Á)oÃãˆ>¾A •ô:3ÍËÁp™2ºÈà³n¾6r`ÇÞ©Ö[qÔ½
-s{íµËC·cÿ>øendstream
+xÚ¥XÝsÔ6¿¿â&/u¦XÕ§%µÃC€BI;Liœ³/çÖáìã-ÿ{WZÙç¦é܃¥Õj¿¤]ýöØœÂÍ"TX9×VE™š/ª_ÁÚ“a¨â„*ã(t‰ÅÐiÚ‡(>tð…ÖÓÀÞ_7é¯[_¢‹®ôNÁ°¨¯7™pŒ'Š(›|U,%ŒcÖä-J®›u·«âIÛ¢[ᯨ[µÁòM‡ª‘å¼–¥¢Å⓾O‹2½,sœºürß*­opÔÞ´]^µ‚Ñèu}Ö¸Áñ›£ÓóÇ9_tE/Ãg˜§¦Õu¯À%1\Gœ”E··˜ót±Ú…o8Ã%„#–	I¸TÞ^¯ç”ã@EL¢°»ÍX`škgèJ øþíÓ‹Þ»'Y¾L7e·ùú=”¤˜qà/›EZ®š¶ûÉo¤û‘췸̂â@{aŽüñ¤¦Oƒ0© wµ×›ŒÕÞiµW­ÍݪÙWªîò¶ÏïÒÍeØ4h¦û\i–­ó¶Í‡˜òðºY‡‘Jü„ÃOßî‰7)GãN/ÒòªYC2A>Kwä«*]ÄU¦&qEŽ–Òè y|ºüSŠ—íGYÞ\rùò$çÅ“ã¶\²²|öòûòãÁÿð!Dõ[•5ÔÔ¡!ÆJ5MB°¸âL§»<ÂÉZ•7Hèƒ!ã¨4:1xeÜ‚«‚î»…$ïò:ˆmÆâµë@>ö¯Yÿ|
+ÂáÌ÷3²Ùt¾Oð¨ÚÕ|¨Py7ˆÚo„1J´í3$Ô¨Û7ɇtpÕgBŽ%BéžÇÕœuS¶Sq…«vÆ¡„Ž°úçÂI¬Q}ª¹b}éØ蓤gº}ÙñÕÑ54[’4‚hö4Û/Ew&Í®€~KÖ$D£ïîÔ¤%†
}þdÆ0›éþÙË|±j§„ÖÑãß2u. Ø·Dn4ëQÛNþÁÏظ©¿€¹J3ñ‡
`äÿþ{h÷ÿ˜ÔDçÿùV@¡e½Q.LêÛ¦$}nû¿4w
?endstream
 endobj
 2227 0 obj <<
 /Type /Page
 /Contents 2228 0 R
 /Resources 2226 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
+/Parent 2215 0 R
 >> endobj
 2229 0 obj <<
 /D [2227 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2230 0 obj <<
-/D [2227 0 R /XYZ 85.0394 175.5261 null]
->> endobj
-2231 0 obj <<
-/D [2227 0 R /XYZ 85.0394 84.5049 null]
+/D [2227 0 R /XYZ 85.0394 668.3939 null]
 >> endobj
 2226 0 obj <<
-/Font << /F37 827 0 R /F53 1062 0 R /F41 969 0 R /F23 762 0 R /F21 738 0 R /F48 985 0 R /F39 927 0 R >>
+/Font << /F37 827 0 R /F53 1062 0 R /F23 762 0 R /F21 738 0 R /F41 969 0 R /F48 985 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
+2233 0 obj <<
+/Length 2487      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Y[oÛÆ~÷¯Ð£DÛ½_pžÜØÍqÑØ9¶sp€$2E[D%R)»î¯?³W‘ÒÊrQ×ËÑììÌì7ß,ÉÃ?2ICÍHŽ&bT¬Îðè	Þ}:#Af…¦}©ŸïÏ~ú…©‘AFR9ºìéÒkMF÷óoãŸh*ðøöúâãôãÍõ/Ÿ.¯'Sb¸âãó/_.¯/®þ7™RA$1>¿þzþ›Ÿû21t|þéònòãþ׳ËûdVßt‚™µé³o?ðh;øõ#f´½ÀcèhuÆC‚3g–gwgÿI
+{oÝO³® Q&iÆ”ŒAF:p†0H2Êœ3®Ï?_ú]Ý]ÞN`ûÿ…‡ûÛºåêÓ×Ûs»Ûû«›k»[ÐÉzþÅ#E˜3í”Ý/ÊÉ”9®g+7ã¶Ü<—?»Ú¶=„·ESǘ>m7¢ÇåÜ¿íÿœE¹î¼ä¦ž~~S—EW5uÄê¹—‰¿óÊŠæ©®þ
+u‹°âïå«Ÿi×eQÙÅãªUm7h·ä}æ“ÅþÐ훓޾‰D†IÂVÆÚ†À¬ÇŒ‡Àé†($ízËò,HÍxÛVõ“]›Eó˜Ý\çÌo–­Ÿi»YW®Êºóz+Ìü:,b??jAJ%QHnnÌø®,÷ìh{fã¦Þ½Î¬þRŒGnÖüÃŧ¤(UÑÇÔý¢·E›x°E÷tƸ3xu}áGÆ?Î竪®Ún3뚟º-K÷º?û<«·³¥?F¹yÙͪe‹‚uƒ¡g1bͺ»'ãü·»›ÓÉo³à;XÃäƒÿ¥›ÚH<•õþ»ì¸hæ¥'~Þ­ÁLß·J!¡`ì}ûÏß”mû~t'U‹MÓtój“³èHé’”nO*Ý]ȹ•JíÔeAŠP`Jzxø..ï>Þ^}é‘’ª¢‡dˆbS* Ai‘L›‰“¾Ø	[€M œ!…
í‰ÌÒ`P±^ɦj|Õ…•ga5K©ì\8÷£YXz–l|.ëÊ—Y;½´Àö>‡_ZúdŸ/›ª›:\ "¦¹樣-ÔÈ#|€Á!pœõ=äHqªäÈkvœŽH€±´oã«Z»nê¹5!ãNðÆœf"Ì .UL{»ZF›Ašº‘\5¼õ$"Óz›³dM‰3š¾‡¬I
+l)ÁÉë׺s‘·õÒp3ŒÏù.²Ë×	г±¥챡ç<$
>i`b3Ñãm˜{©º…ŸMáºEhD4WÁªé,çŒPDÛu8Üst«»uŒ&¶k?1˸Jid0!ýLʇAظï±l¯Þ'’ÕÿÜTó`Ã"l».Ë0åùá3À„Pj`Gð?> öG¢I%â˜ìÛTÂÛhwB`p÷»RF÷S1h^vÍS	ßØ/ÏóÖˆ3P0Ô³…Ÿ‡­n à3`)àú79J_*v¦‡$%Iíòª¿¤„·†è·—ŒB™%'†
+ÊÞ`É€>Û®YÁñ)2á€#©—'›!Fi¯!êà€c÷‹ªõË×b5‘°eL‘L>rKæ${×¹
+ÇêšïÚ¥ÃüSÙùÌUÀ/0û9[´¬h&"·¯­=‰/ûB}ˆ–XqìÅV0E`Ыۉøâea)¬ùÎÈÍÅ—ÛjÙÙÆÊÿÙ©îŽg\à÷ Ó«{6€‡§8¥¤äDä)â$ß‘º{ÅÚô@î8SdvîkÂ6áXoºíÙJ@Ý}K¦À€~*å!Z1í×zˆVGt^f­0ÛŽÓÚ%+.YÝìãl»ìüE³ZyPêU].ý›4glBÆ>8f‘3áp=ã—Ëæ%_åÎÈ8	M—+;Á²mm—,ƒO š1ªÄ^æUù€zÌ9?9†8pê^ä·˦ˆ·‹¦
øŠ.Œê&ÜXl7®ÝâlÜ”±—)aËMíz·ÛºÎû
¨>´iÕoU¾’+ ¨LÅdrQi½x¼‹þ.BÉv
FîþqÀÄë~°@¡c' ?PZ»DX{îïÈÖÓ*Øîòz9+ÿ‚†[Ÿ­j¬#±åk¹8Gy ‰ç7@$FEýp,¨ö,<•m¼AØËŒòϪí<¹Üzél+°J%¿ž¢‘€bp–C
+Q{¿döRèêÑ®ë‰Ç«Æ{×O–ËÙCc[ÿça瓵»QçµÄŽiî_<¼æ·×Z‡~Ššã)ªULWUAÔÛüǶ
+WË6&’Æ”€}ü9[­— ý½>çÑ^Ôêx÷#«Ü>ÝM3<Ý=6Ò…ÆÆÁ(k8áú0WÃÇÞCÛÿÜZ·3endstream
+endobj
+2232 0 obj <<
+/Type /Page
+/Contents 2233 0 R
+/Resources 2231 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2215 0 R
+>> endobj
 2234 0 obj <<
-/Length 2511      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÛF~ׯà#UNæ>jŸä#^¥6²×’«¶ÊñE‚"Ê$À å×oÏIJ¥üÀÑ ÙÓèã믇&ÿÈDH$
5e8˜ˆÉb{…'OðìÃ	2³(4ëJ½y¸úù¦&IåäaÕÑ¥ÖšL–_§oèTàéç»wogo?ÞýòáýÝõŒ®øôæÓ§÷wïnÿw=£ƒ0Hb<ýíæîËÍüÞ§kC§7Þß_{øõêýC2«k:ÁÌÚôÇÕ×ox²„7øõ
-#f´˜<Ãcèd{ÅC‚3w6W÷WÿM
-;OÝW³® Q&iÆ”LAFÚs†0H2Êœ3n¾<üûãgû" Î:®Ã“•H­œÜmÕûªh½î_š¶Ø6þ·uÕÔû¶Ê±õ;зÏè›1%J!eg){lpæÕ²ÞŽøêO)¡‡ê›‹æΗË}Ñ4¯÷@{Qåb½¯ëvYîsvŠ‰”.Iéá¢ÒCSäôQŽhG]¦êfŒP<‹;Ñwïïß~¾ýôpûñ.}i¨†¨2@ÉÅ4¦T@ƒÂ"™6SøÚïÓ§CBØ´;›(±ª÷gHa@oœLÈM1â*&´NÕô¶
'ÏÃi…ÿ.ýjŽž'UYTá›óf°÷Gøf[ûÏç}ÙήÎÓ\ös´¬ž@ÒÈi»Îe)ƒ"p­'½²nͼ€’â4æ³÷—×U`Âávõ~Mô´hvuµ´&dÜ	ž¢ÂÄLSÛ}½i2'3ƒ¸T1ííimiBèD2z@¼õ4-¤Ä<Üx›Ë*ã	gtTki9æI‘¢	N_¼Ö5˜‹||¸í—†›ÏSnŽ‘ݼ\B¦?Á79ØcCÏyH.|ÒÀÆþZOaï¹l×~7…·ï¡Ñ\«fóœ[0RLDÃë](
-Ðî’t7ŽÀÆaç7æW)&¤›Iù0wE‡‰ê}"Yý?êrlX‡×®Š"lÙò5ƒP„R=;‚ÿð½x¿>F¢	`Ã1ÚTÂÛhwB`p÷«RF‡©4oÚú©€ß_SEY%X#Î@YC?:ø¯ÁìÙF
E3ñ·yil)$Ž@ûüGB–I¬ûµól»àovÅ¢´î°%j7âƒçµ¥­võæöî]Ø‹å¦c‰ÿ³SÝx6-ƒ@ð{Ði!Õ}Ö€y§§x¤¤äBä)â$ÝH/wÅÚtA?W™£ûêðšPÊûö°Cý)äP.=¬/©”§ÓôX=ðòh332™
-óé²°U.Y±pÉêvWóæõ,êíÖ, GUÅÆ?I»Pc×d
-áƒ2‹<	¶ýˆe7›ú9ßÙLÞšq1›.×j‚e‡ÊYŸ@cT‰~×t}/“Ѓ9ç—"Ç݉œ›×á7õb¾ñËuÝLVUí?W‡½ƒh÷Ç	„8Û/e˜p/½åŸU•w°{,¨éx­;ñª|óVÀIíÔòÙ¥ñâ¾à¨Sã7òÉ®ÁÆ#§ÇKÌ°îÆ
-:Bú‹µG„³—®rëݬ¶ûJÞmæ‹D¹à‹¾‘wlUS¹,GXKÝú(õc"Qîü;;¨ˆ¢?ÅÔ–ÂSÑÄKƒAb–Mëù´½3
-6coóµX¥’_/1G€Ñ+åAT)kx/ƒnWöX?*H<ÝÖÞ¹~³ØÌk;ìø?OgØ =®Z¯%ÎHKÿàñ%W]FZÓºjÆ3T«˜;®§‚¨·ùCéKIcFÀ{ü9ßî6 ÿÐûÁd~`T‡û»²Êí§œý´	j?!AË–Aܸ­Ûßf\O_êƒhÖõa“„×ÎøÂÞÇÉåyT˜D'mÞÕ¯ÞÖ,o‡^ÆÎrv R¨g·ú€»×(Â	–´»'™4…7·äèZòš9êÔxRIòÓ’ä?ùç¡ö–!/‘hŒÎR ú lÎÚ®Ô8¥MRÎåñ^Mô]®M
-xçZ­k´àŒ°ó¶%©Œqý($Tõ­»Od˦;§ ìÂYäVõjðÚy¯—Û=×Ëí¢eÛØ›pà¿lçs›EülŸ‹"H’ Õ%,¡vÁœŠÁR§Ì†c0›³AŠù„»a'TF›hÈeäùhw¥Æ£¤\´¹hÛëv’¹ñìE†0%›œµ-IeŒëG›Yö7°îKh®Ýv•Ç˜ª˜J@;:êëDÌÒ¨ßivŽÉ¯^⬛RwGÑ!HÇo¦Ë²>h±^1q\«t_6|XPÉÄ…àw¤Î?J97­OæW‰°QŽŒB™#{½(Òƒ#?íËÀ€°ëáÖëk{Eí— æû€z5  >dÍð*ÂåÓ!Q+Ï|§”ªW6-Ä›±‹¡±÷xÀþ|h:RgB¥\h¾¿…ãY>kÛ…OË¢pϺ
-[2b$ã¯PÒõ=¿òqìÈÄ߬ä	0G
–™ ߸ÃM<Øü<"÷žûó»0ƒå²ÞÎËêhÊ‚°§P1¯†hœZa\Ói´r©ó*ˆ-UÀhÏfMGh-€ðKþ©íÿu…'endstream
-endobj
-2233 0 obj <<
-/Type /Page
-/Contents 2234 0 R
-/Resources 2232 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
+/D [2232 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2235 0 obj <<
-/D [2233 0 R /XYZ 56.6929 794.5015 null]
+/D [2232 0 R /XYZ 56.6929 752.3759 null]
 >> endobj
 2236 0 obj <<
-/D [2233 0 R /XYZ 56.6929 751.8794 null]
->> endobj
-722 0 obj <<
-/D [2233 0 R /XYZ 56.6929 711.2251 null]
+/D [2232 0 R /XYZ 56.6929 668.0781 null]
 >> endobj
 2237 0 obj <<
-/D [2233 0 R /XYZ 56.6929 673.9044 null]
+/D [2232 0 R /XYZ 56.6929 607.6906 null]
+>> endobj
+722 0 obj <<
+/D [2232 0 R /XYZ 56.6929 570.577 null]
 >> endobj
 2238 0 obj <<
-/D [2233 0 R /XYZ 56.6929 641.148 null]
+/D [2232 0 R /XYZ 56.6929 534.8112 null]
 >> endobj
 2239 0 obj <<
-/D [2233 0 R /XYZ 56.6929 572.743 null]
+/D [2232 0 R /XYZ 56.6929 503.6098 null]
 >> endobj
 2240 0 obj <<
-/D [2233 0 R /XYZ 56.6929 498.2696 null]
+/D [2232 0 R /XYZ 56.6929 440.3004 null]
 >> endobj
 2241 0 obj <<
-/D [2233 0 R /XYZ 56.6929 396.921 null]
+/D [2232 0 R /XYZ 56.6929 370.9227 null]
 >> endobj
-2232 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F53 1062 0 R /F55 1070 0 R >>
+2242 0 obj <<
+/D [2232 0 R /XYZ 56.6929 274.6697 null]
+>> endobj
+2231 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F41 969 0 R /F39 927 0 R /F53 1062 0 R /F55 1070 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-2244 0 obj <<
-/Length 2086      
+2245 0 obj <<
+/Length 2259      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥X]oÛ¸}ϯð£¬Y~K|L·iomš»Iº}P-9*‹©$7H±?þΈ¤,Ùt²ÀE€ˆ"ÇäpæÌ™±…?¶È¡ÂÈEj$Q”©ÅzwA÷°öî‚y™UZM¥^ß]¼z+Ò…!Fs½¸ÛLöÊÍ2¶¸+¾$—77W×oÞÿµ\qE“×d¹R”&/¯?_~ps7KÓËwW·Ë3Jqbå4MÞ¼¹¾]ýþéúí»«ëå×»?.®îFµ¦ª3*P§_¾ÒE7øã‚a2µx„J˜1|±»J%…3õÅíÅÇ
'«ÃOc¦*#ŠK½X)I2ÃtÜ`”PX¥ÂM
ÆYÌ`A
-
¶jñ¢¯Þ*5‘„õL(Ø%Ú¼)ìnSÕå±I(%M–-¦çžh7JEÔ“C™2Df”Íõ»}(×Õß”ò²[®„’IŽ•tvß.Y–¬K7m7îé´u2EÞçnvc[7¸/›²Íûª¹w"ýÖÿ>ß÷[ÛV¿`Í6ÍEòÞïé…TbÂÁàC”xEFJƒÂÝS×— ×<),jÍ5KÛ»©‡Akû³*J7‘;ûË©§ËÆ;àUQþ|åï5ÈÎ̦ATÓà,¼'îZþØW?óºlzw>lQ­ËßðÅ_zЯÜäûÚ‹L-Š‹hQ|º“›²ëÜ­Y¦IªŒ
-×vWáE•N¾—Oßl>lT¸™ªyØ÷$rËñÏÙf gäŽJ!Ó`n
-	<ÁÝM¾ó£Ayxæî±Þæm¾îK´c°†—lÝ7¬ýÜÚ6}^5Jðý`|¸4 33sŸ; ¡{‹Oš|+Ýû¾+7S5€‹¼pÓζ4x‚Oð„äÉ›¦îªyídÀŸû2bG.3ëÞEÌŽ”H¦3/X5EµÎûÑ~›÷îÔ#ÂÚàCwt«ÓL¡~k÷uáv¸;<ñîä„F=WiˆöŒ±ôyB›J'´Qj ´.BhŒ.FåEÑz8ÏèL¤„1ù¼jA(¢ÚŒÌ$'Ô(1×mFfœÿs–¼¿q¨ÚÕ&·¥›ðîœÑ„„JØÛ]Ñóº„e™öRu8lüî/âùk»ÛÈÝ,DKÓ”µ±0^#+†ß8ÛEâTn„!Ýëˆ>P˜
-/C<•rMæ¹)§¸0$x
-^ÓÛÁ ¶öá[¾þîÞæ„	ÆSx"ì<™"YjØXœH=ƒÅ 5`±&WÆUðÙzÛZÛU{F™Â/ :xV¹Q*¢Ý<·rb$Øw¦ÞgGNÆ$U¿u#´ê©c5üJd!~VyÄ«à8žêàzû€ˆñ[Z÷Èlóä^/
ðK圵îmëWžEvw
±«å¹Ø•$M{6vÁÊœ™ãØ¡$“®ìàö±Ê)nŽÎŸ³‚C½HÍ¿C>@ߎœàËö!R`*óÓ‹¦
-ºE°¸wv‚!€×ƒ.8D’×]¸å˜ŸO
-K|jæyÉ6õÓQ:TXé-"Á§(Œ¹{Ûæ>QU½Ó*—Šï}5\wµ
”b’ª5fOhI¡'Eå®þºüxóÚÛÓÛSø	ôÊÌgWl„­×¨®ícĤÒ¦0ì…|Î1…HîíièF¨0j¼”ûGÕPg ï÷íЂýæf=c;Te“CWªÊ| Š(çbÔp;mî‘5´þQ¼Óù¯‚%ÕПUØ3á0w.ß=ÔQFgDˆ¬ñäxû’ÉcX' ¥â`m[_´H´Ñy˜Ý^]¹s.?Ü~z1Öpó¿©¢ücAÁ€\P“…á®éasÚ¼»`™
-zýþúû©ñ:;è^»BÉz"ù³Üø²ªYûÈüè¢/âw
¥žeÝò4¤”y³8¿^~¾ûϧ?_´Çûzñ¦ô|x;|2ñä÷;4¶í«ý¡Á`Ú=z!‡c¸9az	…@/Š¦›úE¡WK9€E¯ñÛ@T/ÁH*3÷¹i¶‹cvÎSß…×Ãe„ÏI6P¾µõ¿ÏScºê¤ÕH·P¥V
·\aX<ÿ%ð°ÃPQÈè‡@/tzqdÎ/:Õ¼T`D³,[^ß[¨G·»H+¨ÂePô5ìºGß#ûC§‘ª±ƒC7£ßæì5˜ìxó6²¥€úI«øçÌc•&ÉŽwí^ÜõŒ–šÿ,l÷ÏH¿"»­„A²…ânF“¿lÝ,‹ß ÔüF¨Í×s°Aqüê!ûÜ>|ćpYv¦¶TbeA)¼“æXu%2u[Ñýƒ5ôendstream
+xÚ¥Y[oã¶~ϯð£Ô\ÞE>f»éž»ÙœM(ÐöA±äXXYr%yƒô×wx“%™¶{p ¢©19œù曚,0ü‘…3Í©æH`"«í^¼À»WÄË,ƒÐr,õþéêÝ/,]h¤%•‹§õh-…°Rdñ”ÿžÜ<<ÜÞ¸ûízINÞ£ë¥À8ù|sÿíæ“›{¸Ö4¹ùxûx½$Z
+BD9‰“î—?¹ÿåãíýõŸO¿^Ý>
jU'˜þºúýO¼Èá¿^aÄ´‹Wø€Ñš.¶W\0$8ca¦ºz¼úï°àè­ýjÌ\($(—‹%§„Åí…pþeÊ1J•:Ø‹’˜½‚”±×r3?'sNãÅŽ¶B‘-ÙhK­§b¶åC[Ö}眑¹G·iÚÞ÷ÛmÖ¾¹ÍÚ=ûMá'v}ÙÔáËuîí5QÉË~[÷9×Ì”kD)MáF‘¶ÎWËUS¯_ŠÚK•—àʨFGxðVO1|EiyÁ5#©3®	RÖ5ßRBŒ$	AJæ•ú^¼ÕÙ¶˜«F˜Bišªóº
RåÆv  '4™j÷¸+VåÓÂZ\I£”XÕìÈùq$cLïFÙ&ë¾\eƳ‡!`ó%£*yÚ”~í¾ëÝèÙ/”¹Ç¬*s7Ì›mVÖ
¬ãKÆ"Ì› ööOWy±Îö•‡ ìf
ÏÇ.’	ÅÅ:FÍcØð)Šå%ØH™"ÊÄØŒ¥NÃf²°Ù]„ÍÎDÛ3#s¾³z¡ˆ^ÄP63Å&ˆaÚ£ÁV
ļ	f¦E²Údu]TîÕÔŽ^7…ò"×#†ã¯çÏ0Ž4KƒTUv}Q{UÖMTÍWždŒ:k»k³lKð:æ|„‰È®`2>l
+ˆN¹²¸³¨ä˜"L	ŸÂrŽFû÷>V§Ò馑Ô0)¦6&¤bC$€ãšíº¬ŽYHÀBZ©óÚ
Rõ&˜K&Sý¦˜Üð"éš½õÛªpÓ†€ÌÓiëdò¬Ïܬó> -QýâDBͲÀRM[þmI
+œ()Kîüš^H@r
+_v¾ÕH0>cœî
P
+PI©,wJ’ÔMï¦vm?ʼpY„ŠQP1hï€wyñã?W$‰¨ÄÁYæœfÕâ¯}	”	¼ëö‡%ÊUñ“ùàmõ`"c‹š—–Òáév®‹®s§&Jšl!¦Ç”ùܸtí麬wûEN©LuDÉf gäŒB"ÆÓ`îdb:ÎG>{å´Ùª/Œu0¬5¼dëžfÁÊÏGôb,Jl2Œo’ª¦
‡w5©š1"T%ðÄ.{Áç}Wän¦¬Yî¦mCÙcýc=aò!§>kÁ{{Ô¬r2àÏ}±#å
+Á{q(Œbü(€©ˆT^°¬s“”DûMÖ»]g>„wÖ‡îüŠq™*6Cý¦ÙW¾X{ö)לý$¡	D}žÐÆR§	m²„ÖŲ#†,5X(ËóÖÃyZT¥ˆ~^µ QmZRí›|<ÑmZRÑàJ’»7aT³I°óç²"|‡9I/eE†ˆRržÍê–ÍþC‚6³C‚¶ÆùÒ~çt¾„ªQÍþ·|騔JDLô¯Š·iËP5Íî9[}÷­ÂÄ‚0AhŠOˆœÆ"a¨“Ïcq$u‹AÊb±&W¨ž‚ÏV›¶iú¼lÀU¦–Ð;žUnŠh7Í­iö¨÷Í‘“ÖÉkÙoܨßÄ&ÄL…øYf¯‚ãh*ƒë]ç—lÜÓ’ÙúÍ}0|©_Jç¬Uß´þÍYÄC€	'—¯S»×²ªÜÒíµJö^+°¼ÅqÓ–‚>\&7þU–/}KAD±)]&l_š³9Vf»·qÂdN³ЦJé(4P¼½0$͆põÊò.¥°äµ-ûk ë¢vŸ±*¨K~x	—„Œ"6VL¢Ÿ™^vƒ£}–”þ	[Âú³]×ÍÞÒƒ™z;dB€²ší–cG\)R”Jz‘»0Òš]ìµ87“ºÐk¥NGð e¡¾¿ØkAškOõZgõz­c½¢½ÖD1»Ö]6v%?»¥© gc¬L‰žÇî%žtE·4¯µ-§Ìp=ÛZÌ2
+õ"Öÿù}/8d°ƒ/Ûm¤2ÀTæÇMxèË÷N¯«à5Ä –dUN9äçÜ€0%>ÖSˆ7uõ6ËA‡êÑTz³—‡Hßfþjl“ùDU†«­`ZáRñ‹/£ìq=ÖPŠA»‹%$M¦žÔo»ùüðéö1rz_úž'sOÚx•ªªyØ”CÞdš\HèÔ$¡Ê}s\º‘G*Œj/5ÇÞ©°…†±â˾µ=ØOnÖS¶ƒ•mº”&“QÃ>
+¶?ºñ[JŒã€Çá[jb	†%4h¥išÌ0s.Ûîª(¥ÄØ×fçxÿ¢ø×v{'‚MÇÑúªe×@Yî:ÌyòÃö†+ðŽiRÚ¦êb¬	¨MiÈÅf“Èj0$rÔ4ÄxA#)Ò°N×CúX£sï-öìãœiBÃ|*ëD)1¥Ý¬¶Òì.ÀàMļÐ^sÌÇ	â¤}µ¡¸à‰‹È!WªõèDÂ
‡8óµüí­ÛçæÓã—ËÁfVÿ¬à	ȘbôÂv$mW¤Mû¢DÀÔû»ûþÉ+•o¡ízˆ¥ÆSÉ×bí«zåC󳿈ã¥i)å$ïу´ÁÀlb—›oOÿùòõ²AîjhÇëÂS⣽5ñü÷3ôMÛ—ûCA8b\?p†qŘùmç<
+‘žçu7v õ˜€úÁ×m÷þ"ýX/¨20IÝ…ÓdÇ픦¾ÉÃ/þ
+JM ý¦©Ný°ʘ_ƒ"µûÿètøq
z¦WsC^$(eŽN¸ž«.Àµ1ÓˆîÿWGÍíendstream
 endobj
-2243 0 obj <<
+2244 0 obj <<
 /Type /Page
-/Contents 2244 0 R
-/Resources 2242 0 R
+/Contents 2245 0 R
+/Resources 2243 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
->> endobj
-2245 0 obj <<
-/D [2243 0 R /XYZ 85.0394 794.5015 null]
+/Parent 2215 0 R
 >> endobj
 2246 0 obj <<
-/D [2243 0 R /XYZ 85.0394 497.7321 null]
+/D [2244 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 2247 0 obj <<
-/D [2243 0 R /XYZ 85.0394 355.5987 null]
+/D [2244 0 R /XYZ 85.0394 390.6346 null]
 >> endobj
 2248 0 obj <<
-/D [2243 0 R /XYZ 85.0394 285.4875 null]
->> endobj
-726 0 obj <<
-/D [2243 0 R /XYZ 85.0394 241.6173 null]
+/D [2244 0 R /XYZ 85.0394 257.7108 null]
 >> endobj
 2249 0 obj <<
-/D [2243 0 R /XYZ 85.0394 202.8843 null]
+/D [2244 0 R /XYZ 85.0394 193.2733 null]
+>> endobj
+726 0 obj <<
+/D [2244 0 R /XYZ 85.0394 153.3455 null]
 >> endobj
 2250 0 obj <<
-/D [2243 0 R /XYZ 85.0394 168.7156 null]
+/D [2244 0 R /XYZ 85.0394 116.3439 null]
 >> endobj
 2251 0 obj <<
-/D [2243 0 R /XYZ 85.0394 95.6826 null]
+/D [2244 0 R /XYZ 85.0394 83.9066 null]
 >> endobj
-2242 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F55 1070 0 R /F23 762 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R /F53 1062 0 R >>
+2243 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F48 985 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
 2254 0 obj <<
-/Length 3024      
+/Length 3141      
 /Filter /FlateDecode
 >>
 stream
-xÚ½ZÝoœH÷_1XÊtú¸{r'çÕ®“½ÒI›}À¶Ñ20˜8Î_U]Ý0Ì8§“N‘CÓÝÕõñ«F,8üc™MeºˆSÍf±ZŸñÅ<ûp&<Í2-‡TonÏ^¿Wñ"e©•vq{?X+a_JÃ(9~»¸þãâWšûtžه˛ó¿n9»¼íÙ².¸Bž¾žýù_äp‚_Î8SibOpÙHS¹XŸi£˜ÑJ…™êìæì÷~ÁÁS÷ê¬(gRY9#)B0<ÕH&eVIå„ñîòæíç«O·W¯ñ4î½üøb)5KµÐŽ8Ïëv¹jêû‡¢öÔj@m
SVHx‰¦Øf]Ñ‚ÐexQÑßÅ3Ýß7[ìÚ‚Ý=Ïp DÂL¬­_´nw›Ù]k–ĉö„YÏ­–¢’°X¶.ò™•giªÂ–`Zˆèª#vÛr½©Ê/œK:™Š@ xû°ƒÓ–MMdÍ=]ógØ¥\á. Ë8q»Xöj
~4µ[*MQîêeWÖtŸÑ…„‡÷p:$Ñf{.’¨ùVæ=m÷XÌœ\rÉR)ÄOÈÑ0®Àx_c¢õHŽíbf9°:•ÄÆ“¶Ïu—}ŒfžÊªò(èZE^äž®!é)0E‘€{é‘7“ù€W–Ý+?¨WÕÎËn³š®Å÷47'!-Ø,L<’d–›¦*WÏóf> n; ^uLjK‘J&t¬a³T±!Õ˜ƒ’1*RIåÍ:+kšBéÑlÙÒL»)Vda9=h<)ªÖ
VÍzílŸVe]ÀÑ•†:š""åÄäÉËñb¶g vF‹3ý>Á‡sºEûÃCò±'à	ni¸Òû‰ŒÚc"O,óÊ€b&¥R#ŸŒy½GÁ
½n_Í)—@ÖðúÁ†¯Âîë™Í…Ä0i0ߧfWù³ÑÐ]æM4ÖþÌØDÉm-¨-«*gÕ6‰¾H©7çÂÀ6`Ÿ£AÇÒ{;¼TœlM§©øI‡äqéÞpyïÀÜ
-Î	|yVSÚ`C8BEã§hœ@!+ ™H^ =×¥HpGÂàA'çf½•9ŠÝ×MW„]ÏC!@PâÛ஘µ=¸—][T÷þÐYNÁÕošÑ¥j@‰4ÄäF^Á‰?•`ðTvs
-“
-%¢±{eYÍiMÀábÑǤÃ%-Â&sv>a’ë°=ânÜÔù÷Rƒx¬ÕX‰=('’òA\ÁƒÔLc(`W±%Hé Ç
-ÕÚhwP4O’°æ²ËL¡.û¼¶Ô;\jg‘ó\þxqrâ­ÞZê‘ÂŒ¿Á3<•­«;D¨%øP° îYÁCL}æ¨\5fæyÉhé¶Ød>û†Ið¢ò‘YC&,L:ÎÀjž\c\£Á]‰kžfœ
IH4xÜ8
-öÀ^ÍœMò[1éäpôžÍ)A	ðXr’Û°'Ù?¼ýÃh½k;P•@n¬&æõ˜}+&qucô8ù-«Jy¡"Å1nçÃÀY[¶]_L‡ª¢ëŠmë©òòéÉž7àSLÝÛ²ÉÛã°Ç
³BÀiÜP¾@åÌþ뱈trË>"n9‘F[þ¾+/ðu“»ü¢¶‹S^Š˜hµÊÑ•
¤Œ&´/6UVg]‚YW|ËùJj×fŨÙq\Þ*6,6'å=¤:.ïžÊÉ{;i ˆNúškFѬïËê0Ö@&(ø$w=Õ{S·JÙ1ãpcQŒ‰Ú†Ê½UAÓ„ÚsK4PRd4ë²L;uHâC»p‰ê þX©¨dBôêf^¦‘BŠ '¥3UX¡IðR—›ZfÑÑÔ¾XÐD6º	Tpéu^|{íÏ5“§©å!öPA+]}pá÷‡%J*ɬ	m9HHd(Q|è°®´s]´­ï˜%Õ3A2Jg-:Æ]CÓLYov›9e‚Ír)Ff|iJê¾ünGņ±Á+CkG|–ÓBágÕÎ󌗆§ÜÒ¬üÀhðêaÔF{ááU
-iØ8^‘¡¡]}c¹ïÁˆ¾Ã]Y\d9M“lž8ý8M`Å ¥¯à¹;*50Âÿn.û:‚¬Oi¼òù­÷M‡²Î1û
-&ÚI|ªC+H‡¾a”&ÌƉš–OÔjC0»+¾ùQ@Ãe¸/$ÎCªã€ÖS
³¯i™,U/¡¹¼9…ôEAúr’¯@4Ã×PÌ©a‰°bÌ×
XÚ—Ò&zlÚŽF>àà'+Ê#`îDç[[lŽêŸì&:äm|pqPÔS¸x¢­{Vx"ì¬á5´¹pìûënLpªMøxJ›N¬bÐ'¥ŒZ;’ɽÿ¥LŽÁ#
‘h×nóÐò†öñU¼ÒÞuÏ›?Aòw(¹®õ¹ï»éÜ·ó‘.ä¸T‰ò-±Îyq('׃¯Rq⛢t€,d†qÊ”HÆ’ë!Ï…=O:Ÿ´ª?=_eµ-ʃŽtŽç ÞF 1Âsµ_Ò£$N54sçïIß9M®³gšÍË{„‚ûÂÇ–A‹m¸¬ïªƒlüáAøL94=BåârÖp‚	tL3«n¶ô0[ýBÕ¤µIFUÓq`R`–éK™íê0ª!k'úw¡-?&©€LNóˆfø“ÅÏbÌ—Û$,÷Ù¯
-=+q
-Œ„ÿ5?…E|ÁŠá†ŒpF8çl&ÚÂÑAÙƒ>`„óþË„i€|v ×Tfòa2Èþ„Œã1Iì^’‡ºo»;ï¤rï¤è†» PÏúWÃIZ¿NC“™û¦
-°N_ÝIòVOŠ¾¦÷UF‡S1vº“‰=½Mþ¼©í$›ý¸lû߸ì´3¿i
-éh’Œ;ô7——ÄÂů7gÖŸüR"|€øÂ
ð_hï­Ÿ˜éœLhÒm¡Òábð’Ö7W×ïèÍÔ3–¯!Ãl»-Öˆ4õ¹@ŒÅ66Lý–Õ»lî¤qôY{ð…i((N°mDz¹øãö_?¿,”«æ:”Æ7®®ñÆð¶©ÛfÛ•»õ±ßÔÀ†øC˜°â=‹ÿóïmö¿+Ò1SIrä‹…„‚^¶)<œ0ü0ø_æòþ÷è(–kK®%7›Åþñ7Ã!eI¦8©(j4g~ó!‹‡b–f¬´³Ôj–p‘Ì–›>{„g.„§Y¢ÅêÇ»‹7ïU:³Ìifw^ãY&fwÅçùLv	,øüÝ»›ÛÅOoÞ¸º¹\›$rþöÓ§«›w×ÿ¾\È„1Pr>ÿõíÍ¿ÞþBsŸ.-}¸º½üz÷óÅÕ]/ÖPtÁÊôíâóW>+`?_p¦l–Ìžà†3a­œm.t¢X¢•
+3ë‹Û‹ßz†ƒ§îÕ¨*gRÑ…3!îj¤ŒÄ2£¤rʸ}®›m[µÓ­(ÁǪ̀Yª4ãB›ØÒ-î„\,€XN,-bG¨Pª¢¨ÛŲ©Ëúra@ÿŸ9Šøæ=¬wxYpÁŒÈ,¬ˆ¯åëÇfWu«
‘Ž×QÌêÔxʯëªýáo–&Jû—þ(Ÿë|SF˜kÁ2­Ä”ù.ÂR%,3IâIwy]4›‡jã
+甦I6åÚ¾Èõ„”Ò²,ìþ&v‹¿"ÜÊ‚‰$lŠì‡篦Ž²Í¢µOÄüF(ÍWzol±LðbFðÄ1xwuûÓïןî®?Þô/ã3pA8ó4b(D=9?e`$Д»¼+[pãLÏs¼('ªî?¨—ë½×Üæ5]Ë?s8¹˜n„4`cÊHFÒÌbÛ¬«åsÜÌÔmÄ›²îI)¬dBÆ`¹Êî_ƒ5(™â9*iæByUÓ”C7aÁÍ´ÛrIVЃƓâɺÁ²Ùlœ	àÓuU—°s¥CGS¤O¤¼÷o€–i‚
៸ƒÆ‰«â ‡‚LdËŠí¹®<>‚7üÃ7:Ù7ë­Ìy±¸iº2¬
+r+ð_%/c»bÆôØ^um¹~ð›Îë°û€çˆ­~Ñœ.둆˜ÍÒÈpæ7%£XäÄ$ÚU.|VâHáÞãúp&1“•é»ã'P% Ü‚ÏïVÞÌŠò!߯;Ÿû´G¼ÙI³’’¥D>oVª3f¨œY­¦K‚¿p›¾°d Š,94•T6e“%?íªºó{Ͻû­š×J»‡0·{¦—™Ãµ
+l¶JíDãtî{Líü3JD§P®-$(2}%òJ–¨d„ã±£QDj
ußÙ£R>šžÊÍ1‡zÚ&ê¸îù;àÝê¼l=UD¸‘¿‹„iZI7rx%´Ï$aàB¬IÈVUX#
+ÈH”ïa²îª¥7ƒwû„+rœïÝoª6Rq+¨v„Õ£ØêSái”†Â1}¶¸"ƒæP´c9‰§€`厀¥ƒ|kmK쥞¡1V¦f6ísܺÙEØ@*%l0ÒІ8Ã…œ‚d«@¶–†ƒÚäŸ0£À{pOUëjê
+>T,¨;ªXˆ©±çœÔë Ü̽,9±nËmî3q˜/×>JkÈŠEbÇ©èC³^7O®¤I\ÏÁ]IjÝžfœ
IH5¸ÝÔÎKöÈ~ˆµixŠ}B;ÙÜ0Åg±CP¼Ö„üä.¬Iöoÿ0ÚìÛÎoTeÌ*51¯Uþ½œ „ÅMÞaУå÷|]yäÕ)Žq9œÔÚªíúº:0X—]WîZOUTT‡xö¼˜"ë¶ÜUMÑž?Ì5tπ߀êø*gößNÅ¥³KöqéxÉX\-ùÛ¾*½Â7MᲈÝ.Zy-bÒ=>¥€T^‰®„ ÃhB'c»Îë¼kBHëÊ?;_UíÛü±õ=Në[Ú„e™|!Ø©N뻧rúÞE‚
ÔY_²ãôRì|Vºž*"ÞÔ­„Rf,ß8Ü$„(I2o*ý–%Mh/-Ñ@y‘Ó¬Ë5q0lÚ!‰í¤«¹hñÇHE¡$D/ n¶áe
+-&餫(°Z“à¥.C5Ì¢£©C3°¤‰<º®¨¸ô¦(¿¿ñûŠd+@jxˆ=TÜJW«\8€ÄõEEå™IBK@ÒR j:ì€+­\—më›g™aéQ ¤¤Ö cÜ7ÐÍTõvß±È.3ü’#ÅÈÌ@ÎýIÝ—âí¨äHLðÊÐ&ß!ä4P-@øYv¥ó¼ÄkÃSîèŠ×~`´xõ0jæåæ•…LlÒ:q††JtUŽá¾#ú~w%r™4Mº
xâÎÇÖ
Zúºž»­R3C üï£_tuYŸÒø(â1ZU]`öL4´–øô 3ôÍ#›1ƒ=üIEm7³û2à[Yœ4‘Â@½hª3€¨†Ù×´^–JL?
å²¾(H_Îʈ"r
ÕŒø%ŒËuÖ„ö¥t2_5mG#pð{*å0w¦	®
6Jõ+{ˆ™ydõÔ)žh€Fëž•ž»lx
-/ûV»œê$|Ç …€§LübØ%?þ¦¦%“ÿ?|¡m‚‡
‘hßnóÐþ†ö"ñU¼ÒÞuÏÛ¿	Aòw(¹®ñ¹ï;ëÜ·ö‘.ä¸T‰Ë-±3Î#ŸÇ‚»o€zð*Í|ƒ”6‡Ì0µL‰lìO=Dã¾°ÿIû“Fõû£ç˼ö±EyБÎñÔ›9hŒð\Xz”Ä©†fîý=wA“›ü™f‹ê¡à¡ô±eÐn²õVÅ>BÜ­Bë#T..g
;˜@Ç4³ê¢¥—0€iÜèª&­û¯Æ´öI`0ÐÖ¾ÐqR¦žj(Ú™F^hÑ€I@* ³ór¢ˆ\#`2øéCŒår‹‚†å!ûU¡s%ΑPà¿É«°(_0bF¸ #\ÇÎ9›„‰¶ôDômPö`„á¼ÿJ!B _€H`À5U’áãi:F )ƒÝKòP÷yxïTœÝPb/êYÿjØIëù44™»Ï«0|úêN’·zRô…0}øÀ2þÕCŠ]ïlbO/@“ÿžoj#þÿ.Ûþ7.{ô‹	a-¤£Y6îÖß^]‘o¹ýá?ùÑDøñ…'\À¡!|°j|’LŸàdF“n	e‡[HÁ?THZ¼¾yGoZ/X±³ívX#ÒÔï%b,v²	´aê×¼Þç±MÆAÒgÌÉ.e(®†¿–Š€ïÕø?ÿ(ëðã32µ[~d
+8`aì…BÁE‘Øÿ|ëXöÿ³à»endstream
 endobj
 2253 0 obj <<
 /Type /Page
 /Contents 2254 0 R
 /Resources 2252 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 2216 0 R
+/Parent 2215 0 R
 >> endobj
 2255 0 obj <<
 /D [2253 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 2256 0 obj <<
-/D [2253 0 R /XYZ 56.6929 752.4085 null]
+/D [2253 0 R /XYZ 56.6929 749.2278 null]
 >> endobj
 2257 0 obj <<
-/D [2253 0 R /XYZ 56.6929 572.8048 null]
+/D [2253 0 R /XYZ 56.6929 677.9694 null]
 >> endobj
 2258 0 obj <<
-/D [2253 0 R /XYZ 56.6929 166.0529 null]
+/D [2253 0 R /XYZ 56.6929 495.229 null]
 >> endobj
 2259 0 obj <<
-/D [2253 0 R /XYZ 56.6929 106.0009 null]
+/D [2253 0 R /XYZ 56.6929 83.499 null]
 >> endobj
 2252 0 obj <<
-/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R /F55 1070 0 R /F41 969 0 R /F53 1062 0 R /F39 927 0 R >>
+/Font << /F37 827 0 R /F21 738 0 R /F41 969 0 R /F53 1062 0 R /F23 762 0 R /F55 1070 0 R /F39 927 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1680 0 obj
+2262 0 obj <<
+/Length 315       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥’AOÂ0Çïý=n‡=ßëk·ö8` D¸‘˜N‚ÆÄA„ã·wc2¦âÉôÔ¾›ßÿ—’Äj‘´–‘Ó`Œ|(ʧj6ô•	N¡ ›êåâjÈ‘tàBÊü±ó–´–d¾^zñl–¤ƒñ½(ƒ^üÀ z·qºˆoš³™ï”’ÌÈ£ª…u.Do0H³ ?M‡£$õWùD$y‹ÕE'äšéU,W(×Uƒ‰@`g|¯6䜒…ІÁhæÓÉ‹Èļ}°3=^½¤Â°cUtÁ…"Iuƒo2Œƒ72ùõô®.RŹ£e 48Mú˜oËÍ~»)AÙǡ܇fÓßm»}ùüVüåƒ
Ô%.ÐcøoWç?¡#`kÕYC·£fG'¨ºú‰ÞZýÍþ	±zgendstream
+endobj
+2261 0 obj <<
+/Type /Page
+/Contents 2262 0 R
+/Resources 2260 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2265 0 R
+>> endobj
+2263 0 obj <<
+/D [2261 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2264 0 obj <<
+/D [2261 0 R /XYZ 85.0394 752.4085 null]
+>> endobj
+2260 0 obj <<
+/Font << /F37 827 0 R /F21 738 0 R /F23 762 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1681 0 obj
 [730 0 R /Fit]
 endobj
-1523 0 obj
+1524 0 obj
 [730 0 R /Fit]
 endobj
 1249 0 obj
 [730 0 R /Fit]
 endobj
-2260 0 obj <<
+2266 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1714 0 obj <<
+1715 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -10268,7 +10303,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
 ¬‡¹rðpr‹t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññÃ…;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y{‚ÀN¿!v€ØÙââòø
€¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ	êõ'þÇëŸ ®.`¨
'&ïcNëcn[“ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ
-Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.=Y%9U¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
+Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.5%M#e}¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -10291,35 +10326,35 @@ $O
 t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç	Žð=Ï	añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGxd½DŽ…*~ÂJSÛ/
*ûÎÔF‹µëújQ‹jw	Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô.óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘	p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß	ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ
ñâSPÓKD³—dOjnÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“
_7T,Q1çTiHøBÕWL8­¡¾	 ,œ²£.±ßu2†)¶=–Oš ¹ÿêÚ´­Ùê²,
Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê	{>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM©	Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³	”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã
©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc	-@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜	…@ƒi/_	A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿÕ…õ–endstream
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿ¨Éõ«endstream
 endobj
-1715 0 obj <<
+1716 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 2261 0 R
-/BaseFont /USBGCJ+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1713 0 R
+/Widths 2267 0 R
+/BaseFont /KGNWHT+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1714 0 R
 >> endobj
-1713 0 obj <<
+1714 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /USBGCJ+URWPalladioL-Bold-Slant_167
+/FontName /KGNWHT+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1714 0 R
+/FontFile 1715 0 R
 >> endobj
-2261 0 obj
+2267 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1696 0 obj <<
+1697 0 obj <<
 /Length1 1630
 /Length2 6133
 /Length3 532
@@ -10331,7 +10366,7 @@ x
 Òy¦§aáèha
…«pJí•Ž HÀÈ(ã
 ±@Bá0Y$D¤±ÉB¬@¼¼ #Hîìå
 µµC‚XnxXÙÙ9þ²ürYzý‰ÜD" ¶0Ó̓;Äîì!o(þ×ZiÙ@! u
%5‹‚šHƒ¸Þ¡áf鵩@­ 0„dw9þqYÁaÖÐ_¥!¸n¸¤ Âb½	ƒxZAœA gˆ«¸yA [Wò¦H8
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`yCymuö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
+³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`i%])ö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
 ÿóü{é!Oˆ`zn%lŸš‘†¬"Ïéé—5úÐÁƒÑâ\\£ý:ß¿Þî—¾(Rf~QÂU;(zÕä5¾í|¹ªÌ¶ÖÛAæÈÜžÙË£ò¡g}ŸO4ÏôNˆ}-lZŒŸöU/Ê{LeÓP[wm©_ó™iÑÅ=àà;>WìýSVz÷|R†g_«”·¯´ÖÞ"®*ØþÊ”°yzÂÜÕ÷±§»ýðîûUJöìW8Œbî˜øL‘þ.Ù”OuJåÊߪݎË;BbubÁï<_^Ë¿Å`i¢KÙÅy¨yc@–‰Ÿ'\;ø$·®Q;S-”âs/,
9D¦Ô#,9ƦïKv²±SÐúê¿»èçö‰%…÷²õ-âÁ]3ëãÝ“±Ñ][™CæºÊlëŠÑLü‹¦ëÀ¢€5‘ؽrô›ìç3üÜ°˜üDÑSjÛðôä)Wï8Ž*öÜŸèž“3@'}~+ÏÝ6‘žˆ•Ø\Žpµ<züuÚ>AbåPóبLbZ÷a3ÒYÍEœVÁ= ¾‹­{·^®2<¿}5aq€©ÿ_5¹Ûðòµ÷>›À¥´ê$C}ÀXŠ¹­œÕ÷ji—û­€G‡/§Œdû-!j¹;Ë6#ÔÜŠ.Oé­×ôÎc´¼$z¾I(ñØÇ/Wj®½"¹ßKÒÿ¾ð{Lš¿ÞH¥hԻí:iÓFRF<g]Û39}—ÞÞF™8|à0­‰å‚Ô"¦¯£G$¼	ºêÆIª˜Ê΃.–Šô‹µŸE·ÛCqüQmæoi\7yªàmûŠJ…0:næÅÊØê®óÆ	XeŒ`Ãé’_ÿî½jâì…”Êr‰ÇO„DŸÓÕ6xÍ·o¯lŠýP¦ÿÎ*5„$8d”#ÙiWtu¿÷¾žG=kŸoHÉ]˜Ÿ:ã3ùN»­g}„™?&ì
 b݇a›yKÜ£%t×TcaÖËF˨?B:äÐ	3ÚZP‚ÌÆŠ}
fñφôˆƒTU‡J鉽žj:»«Ï‹ºôN)/ÂÕ	äE½¬^gº‹ ^/«k¯&6Ö7%³"”-ήQËòÍ“ñÆ‘r¾“'#LwDEëЙ}`?—$-`¤¦ÍC5Õ‡9æ3ÖXïžÊºUFC:ׇ¸T<íàìe¸z&îÄŠù @Õ!˜-“Ú½¡…´cEҼŸýÍó2¦±h’—Y#ªªÇSÀìjzaT
€Õx…^ÉÊ9%î5Fõ¡ƒ…™y	×±ªälš2$g$?˜ß{v€¢è§à,¯ŽÀnD£ÍfGªªSH4‡S"€ÚóôöóãNƒ^œ¤ä½t!¢+ÏøÝ÷n©X#õg«uW
³}ceS÷ö¸ïcZ¦BF%×#
èS=ªbÁõËFñÁp%ˆ&ˆ÷Ñÿø‡@§{›Â§F$
 ñÀèHvo»Vüy½¼Òç³³”ÎjÁÕŸ,_Âh^§–p³/â#Ó„HÊÀç„»ûÄŒ[‡¤Ê»B8Ò¬’%PË ™#¹&}Ô7uo(à–îu•úµÒ95ÀŒ¾?ËêcÕ8—ÄñâθÑ,™ê:f”†.‡Ðà¡ÝõÁ41hÀ›3):«;Ícƒ·ú‘¶Þ,èðY½:Nç5u…QEð‰rŸ–²ÌûŠ!&.ÜYâü×Éú;á$¤`×yme~b©@{•3*¹‡ô÷¤”
¥Åêg`iDÕ˜|)1IŸ\°êjñ˜Î™+ Ä&j‰wé„™–£Á{÷…á«-G3µ«®ô*UÅmÖ­ïè, ï!¦ öOµìl•yóâúŽàäç?MµŽÇ¾Ä팼®sÞÀ±x»åÅ!¼´œ®“X>ÒIÙ»—X,×EAœ;¯è%Š]"N?v6ÁnÁ$W¥0O«W4¸»Æ—NQI…>Äóq†z#ÚQû3]º¹Ñ
@@ -10349,77 +10384,82 @@ d 
 ÕB¾ª\h~8©$‰¼¼·ý˜7!g;É¥ƒ\®cf>}7›ùâžÐÙZسãÁÖ–Ü^-Už&(
 ÖËÓ»ÜIFÙØS­˜õOV_ºhýÐn-®
 X{$¢½‰¼û£@–rlZ™âɞˊ1o(­¶¨mèö¡Ðé»÷ÝõäIŒ]Œ_-ô‹¸Þûò'zŸT¶n76Gت–·&úìIĆ‹7ÎÔ‰‰f¾uä3¾õˆ;)EO4,Źk&l‰#õŽ¾„˜¬Ù¶³	½höâiF]	‹œx'´ÅfÊb\ñê{Ý?¬¹¶=ê3¤XTÕW©*®§‰\Ee¶©x‘@†Dz:ƒ!¡X¾ÂK”G½èß>c{BŒÍCŒ±¹0šUÕ¼ƒ¿ªÝ•5xfœéÉU“Nhèòã»Z–$8û훎·òБÞåú¸;ß¾2~%~QÍ÷*|6οÀ.©ó¶H&l]ážçµÐ[èù%¥κƬ!ÙrOxÆ!.B˜“zuW,Ôêr‹9å™ÊT°CHÖ‘_e‘‰ÿð:û5r€û3.ñ4v—W”ò]ª[)ïó–äÙÀ—݈H¾ÌûùSŽ¸+¹ºfS4çHõ¿ÞzyàÂ*/ç%Šâ׻͠Ï8ôæãmº'7…\ì°Å÷K)8ÐÁ@£bÅî\ç±ÄÝÊ‚×[g“©»5é«ÅÖ¡’'¯ÔíÌ¥ºégˆ<‚â¢Ï8TŠqùœ_Uå=¢¦#fœÞ*ª6í¶²*æ›\oi›–•`ûlj[ÛW*ˆ»ºœ2Ž(ËtŒp{ˆ¥6Í]š†}„¯>{?'CÆà§5zíEëÝÚÓÞ&vø¾öŠ
÷dYcØL‰8àÇÉu°à•GËÝšÎñtûëV²­ˆ’eÓëû­&KÅàჃ‘oS*.m•»8ÕîŒWQì3ÊDÌûj	OpHY²ï®f>×¼ù‰_ôŸö‘Ƥ‰´»ø|EÀ’=PzêîXDƒ%½+C£ˆ1_ù¶‡=AýYœ:&Aaú;æ¬U¾öÝ*“ÍXJ·=à²ùˆ1¦¬ý<ð»©,|#
O'Cƒµë“M]í¼æf°ºÜS4‡AÇ÷Mj€“Ò·ÐökxõÊáž™ËG‡ÞÕéú,óÔ92‚¬
߸gp0o9)ÁM£«&ChVF=Vv¯ñõ­Åž¡üÜÈT·Žïvä(Ê´ãé¿7jzä­ ¾¹Â6]E³ÚŸÉÞeIGOIùç…&˜+ÊZ Sl©
-Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀÉy·endstream
+Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀ„‰y…endstream
 endobj
-1697 0 obj <<
+1698 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 66
 /LastChar 78
-/Widths 2262 0 R
-/BaseFont /FUZFTO+URWPalladioL-BoldItal
-/FontDescriptor 1695 0 R
+/Widths 2268 0 R
+/BaseFont /CBIVGA+URWPalladioL-BoldItal
+/FontDescriptor 1696 0 R
 >> endobj
-1695 0 obj <<
+1696 0 obj <<
 /Ascent 728
 /CapHeight 669
 /Descent -256
-/FontName /FUZFTO+URWPalladioL-BoldItal
+/FontName /CBIVGA+URWPalladioL-BoldItal
 /ItalicAngle -9.9
 /StemV 114
 /XHeight 469
 /FontBBox [-170 -300 1073 935]
 /Flags 4
 /CharSet (/B/D/I/N)
-/FontFile 1696 0 R
+/FontFile 1697 0 R
 >> endobj
-2262 0 obj
+2268 0 obj
 [667 0 778 0 0 0 0 389 0 0 0 0 778 ]
 endobj
-1448 0 obj <<
+1335 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1712      
+/Length 1711      
 /Filter /FlateDecode
 >>
 stream
-xÚíRkTSW‘ª¡¬òRIÕzX%2yj	@ÄX4¼_soÈ-ɽôrIˆø ’ª,‹Øè’§¨(Vú@©%Va
-ø"­"°©Z_sÁººJÎüš5çü9ûÛßÙû;ßÙ49Caa	†“#Á2™”Ãä™Í¦ÐhÁ8¬ 
Q°p°Z§Ü€ÍòVy|
-
céIUÀ+˜>Iâ‘Æ¥2¡†µd
¥Bä˜	ˆ4°~òFXgÀx&1)€%6©JaMj’¢*ðßÂ.ý]*Æ3HQÀkJ&"!Õ«(¬µÙ
&µü7dM/.Ñi4kÚÉòSNý%¯Ð"ÃïL›®#`È0ÆÑéÔø­8!:íô¬”Ph¥MÕÀ€ÁYÉd¯|‹#DC¡T•B“Oá0
-MWBú7¥ƒ$ŠIDÞ¿íT2B D¤!ì?ØS1ç˜4	Gô Íd³9$‘ÜïNIÓš‰Q%!h*àò|€Ç
-9DdÄF@PÖXO*f1QŒ ¯Ò™ ÂpÊä¿ú°KgdL¢o.`¥NÎéÞ$öקaz#c0¸<²{¥/àóØ9"*u8£ÄÔø½‹Ué)ëa%ÅzSúmýtßéí5¹âªÎcöôŒ…æ#[ÛÏo;eöc÷ú¹\ÇŠ„?úÍy›ó§Èq§’‘ðoXŠ×G=-ʶå¬m=ÎG7zÅ~ù¬‡ÊáÄä—ËÚZ?ÐÜqϺx0½ÑûáÏžÏîfž·¯[sŸÃ¯¤Žά¹uóÕ“Ü´M}V‡¯!Ï¡JRÙ™5{áèÞ-º:ñ «Â¬Õ—ç'îæúÚJm½ÓvÛÑ,0•Éìn˜ý_ÎaÓõªþ
-ç@Úbkl©`µ\8{¡Ïõèr3°ùÐßÃÐÜ.ûuö@]0àa~¿[šŸS#]p¬ÂEY³@ãZMµ…ë[ã[´èÅ‚Áúuù.iõ\ÿbNzã^Úú”ñW´ß–ìœù4éÅ‹ÞçoLÔ–‡J£‡û‰1Þ¾3½¼‡éílªýµ/,q
-õW÷Q`X¯Ã*S›öïýÙÍc2+¸‘çvóèžV.å¾p\»¯üo²xïo›,{ÅzAÜ%ôãþÊGÿºÔb:ÀM–'ô¦œ¼å}¹¶áBUˆkmÁÌ$K“DRµ¤i6Ö34ß#Àu¡ß\'Qâ`$Pï²^ìÖ=PŸËváMŒ/:.ô9ØýÒo角(KãÈŸE¹öC[¤íb>ˆ\nôýÕî|xmŠ¡Ó·ö¤åÇyËöA‘ÙŒuûҎׄ×l×æì=&¨ı+Ï>÷TÔôƒª/u^ᛞ-§·Ñ6\©}L8E¼¨Laâqg[ZQ<1nÌäžýdÏ/1õuwÀ‘õ‡ª»7=||kå¢(B‡þž5]üyIî›­£=¡:gqS{‚½wÌ|çÇ>D0°åÜ!g§ì7KZ¨uþ1¶jƒë¬Š4²5qÞ…¶ý4¨¹R[ëFƒÜ/)R½¬î™ë÷ҧ9Ý´]Bп:YUÍÊìYuÊǃX3V)DåK¥§5ËmfÜ™9ö¤Ä}ð¾ùàµ0~Cù.(ðvEDühÅ„ÿÝ®	]žë•‘ÂŽ_ά©doä{S櫲úÎyYM]¥œÊõÁ¯­g>1~Éýê´©q³Í<|­4úÎVݾýºëÕ°hG-gKŒ@Ï}~4¶#ßîýœÂÕTêg¨iiݘ~]Xé`ßÑ—²¢>,°ÜõŠv/—¼¶‹®j·-K<̺4*ëM{.V;~­	ÆK#ó•m·“·¬–Õ5œØí°ƒsH]Ü5· yÖ›v{¼,S^ñu|Ày~~fô9	¯/pÎ÷ž‹‹Ô”œsr¨H\}0õž¸',ûyà@ïÙ‡Œ.ysÖ\XðbPÝ{Æ·¼X:|¥St«u­¶KÓT]Z°G6·ÆeÃ{¡N‡Û¯¯9ùïn/nç}Ö6N]F¼|pj¹Û·†”"NH·éQhËš,=Ò‚…8®ímtidæå‰JƒºnìQ'7t\/Ëû’7P'ÚªöÏáDå±Úfá‹v³ît5îóïRªùcÄ-I×z¾]·“ÿҚĢ'1ĪnÞ<ëƧY‡ó«¨µýìÿpQþ_ࢀR+pÓ*ð4Ê¿™<Œuendstream
+xÚíRiTSבª¡¬2©¤j=,Œy5„„1
£soÈ-ɽôrIˆ8PIU–EltÉ(*J…UE (µÄ*¼N¤U„GX>‹T­Š€S/XWWéÏö×[ïœ?gû;{ç;›æ)cˆ lŠ¡ƒÃäA°T*á°yf³)4Z0Ë	CCä,À¬Ôªw`ó…¼eBŸBÁXºGRUð
+¦Oø@¤qD!GTN¨`
YC!W¦@`BÏ"µ¬¸‘ÖÂ0ž	CL
+‡ DA€
p*‚RXš$¨ü70¤M›Ê„ñRðš”I¤HCÕzÁJ
+k5FvƒI-ÿ„¬©ÅCµjõj¹f¢ü¤SÉË5ˆZÿ;Ó¤k	R‚qt*5~#N
+CˆV35+!äjD!BSÕ0`p–3ÙËßàHF(¢ƒ¡H„P¨€R®Î€'q…¦*!ý›ÔÁŠ–DF‡H¼ÿÚÉd¤A‰(}:Ø°'cÎ1iŽè@›ÉfsH"¹ßž’¦4£
+BÐTÀåù9ŽËõrˆÈˆ€ ¬°ŽTÌb¢A^¤39@‰á”‰õa–ÎȘ@ß\ÀJ˜=Ò½	ì¯O
+ÂtÆ2.`pyd+ör_Àç±sþDThqF‰Éñ!
z+ÒSÖÁ
+Šå¦ðÛòñÞSÛjrÅUGíéóM‡·´ŸÛzÒäÇêõs¹†7þð«óVç‘cN%Ã_± %¯zJ”m6ÈX[{œÍŽnôŠ}²C‰ÉÓ.•µµ¾§9°ý®e¡5½ÑûÁžOïdž³¯[uï¤N¯¹yãåãÜ´}‡/!ÏÁJRÙéU{à˜ÿÞ)º2~?«Â,Õ—æ&î{êúÊBm½ÝvËÑ$0–Ií®›ü_ÌbÓuÊþ
+gÚBK\©`¥L8s¾Ïµ˜r°yßßÃÐÜ!ýeæ@]0àaz·[’ŸS+‰™w´ÂEQ3OíVMµ…ë[×µhÐÖú5ù.iõ\ÿbNzãÚÚ”±—´_í˜þ$éùóÞg¯Ô–
+ƒ‡ûñi±Þ¾û3½¼‡èílªýÕÏÌñrÕw	Q`x¯Ã
+c›æßýÙÍ£R'¸žçvãÈgž.åžpL³·ü_ÒuÞ_7™w'Šu6‚ø‹è‡ý•¾ØbÜÏM
NèM9uÓûRmÃùª×Ú‚éIæ¦ÐЪEM3±ž ¹®óýf;‰­Q@µÓr¡[Wt_u6Û…7>¶à˜Ðç@÷¿ÁJ¢ÍÇ}äÚnž—¶“y?j©Á÷»sµ)úNßÚæïç,ÙEe3ÖìM;VQ³M£$˜µç¨ þ!Ç®<ûìQÓwÊ2¼ÔyEl|º”ÞF[¹öáTù¼2…‰ÇžiiEqÔz|ÌÉ=óÑzž_bê«î€ÃkVvm|ðèæòÛ×S„ý=jºøÓ’Ü×[Fz´Îâ¦öz÷¨éö÷}ˆ``óÙƒÎZOÿ¸¯´PëÎÿgtÅ×Ye`«ã½mûÇiPs¥¦Ö¹Y/ÉS½,îf©ë·’'9ݸ-” zy¢ª$†•kíYqÒǃX5Z)De‹%§ÔKm¦Ýž>ú¸ÄÝúßtàj8¿¡|'x«"rÝHŸÿ®qmžëåáÂŽŸN/“*¥¯d{Ræ*³ôºÎ9YM]¥óœÊuÁ¯-§?2|Îýâ”±q“Í|µ$úÆVÕ¾íšë•ðG
gs¬@Ç}v$®#ßîݜ•Tê'¨qqݨn_]x©µïÈŽ‹YÑï˜ïxŸ—ŠK^ÙÆÇÔ
¶Û–%â
+]õÆÝ*‹?ŒQã¥QùŠ¶[É›WIëŽïrØÎ9¨Ê.îš]ÐY³ƒÿÂ’Ä¢'1äÄŠnÞˆ'Y‘‡ò«¨µý쿹(ÿ/ð?Q@¡†å8iäxå7ã5Œ endstream
 endobj
-1449 0 obj <<
+1336 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2263 0 R
+/Encoding 2269 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 2264 0 R
-/BaseFont /BAZAFA+CMMI10
-/FontDescriptor 1447 0 R
+/Widths 2270 0 R
+/BaseFont /UIPUDI+CMMI10
+/FontDescriptor 1334 0 R
 >> endobj
-1447 0 obj <<
+1334 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /BAZAFA+CMMI10
+/FontName /UIPUDI+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1448 0 R
+/FontFile 1335 0 R
 >> endobj
-2264 0 obj
+2270 0 obj
 [778 0 778 ]
 endobj
-2263 0 obj <<
+2269 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
@@ -10427,39 +10467,33 @@ endobj
 /Length1 1199
 /Length2 2269
 /Length3 544
-/Length 3059      
+/Length 3058      
 /Filter /FlateDecode
 >>
 stream
-xÚíWi<”k2e$[–ƒxÈ2Â,vSÙ:a4v*cæ™1Œf±d+¢8ÙÊR"Yrd«•-Ñb¢ˆÐPZ”D)Êzuª÷ôöíýöþÞçùðÜ÷õ¿®ÿu]ÿûº?<ê*x‚®%™éÚ1]œhÁþ\6ÈØ®»¤r8D:†D¸ºº+CéÖ,È¡16DäãÀ‰,@
`ÐX´	Ö
­Ñúß™,,€gÑ‚™{<ÈYt‚l˜$n0Èà¸!!tHÞ²™\	dc
-Tá¯3ÖÌHÀn;<´´µu~X0¦¦¦€ä7°Ù4*Ѐa ²œ
¢ÀN^öÅSˆ¶dg¹mÀá„`Q¨
-„lH6É9(-¨X[Ùš¼LÀ†/ëgCc$¨±HÔ¯4b0ÃQ¿„(4ùK{dnÊAå‚6@&øä†h=´)ÚC0‚€ZNí~1Ëf"ƒÂ(D:Œ¡Q@èbÃ@€Ãâ‚1QÿüsÇ`2ÄüA*t$?Ø!3Hùºw$rX´ÀD£1zùý¾Ú	.™É Gþpw"ƒÊ
-çn³ÕþUÿß=­¬˜­.ÆØÐÕ310¨OSCýŸY¿ëñM‹/V<‘öw­è”
-0ýڤ巶Â@šUñe´µ€ò;194 ~Œ‘/Ú
MôÁür¼þÿrÈ~ÎaÇ¥Ó¿(ƒø*	i¶˪С‹³¬ôQÄ`=òq?;z€_/Äßt?Ã_Ù-T:èbô¾il;ZHÆÓ8¤€¯³óMnò—
-â™lÚò‡B1?a®4Rd³¡CùòOIm$&™Æ 4¢Dù»a&qY,H§/'Å~ÛShP‰ ’àü&ióþÀÚýMg-ÂuŸßÑo7r›ûÌU6€§ÒF‘‚mNrA§ŠfM²lðf5>+W
-$e(ئ‡™Z5#WKJ%J
-Ú'Ë¿Bžßâ„]ûv
¢gÝ.ŸyH.·ð¥uä
û7*•s^êfÖ·%	ILé¸
Þ/ÆCa
-J•%ÕÂÎãZ¦2‹ñSÎöôX,ì¯Å WdÛ•ú»4·y‹Ô¿š—ªn–ôë¸f%jw/	çÔ¾õWð:mŒm¹}Eo1 ¢‘²x–Rb¸MgÈ°N÷yDê›ø+ícëÏr_¼’KðÜW©ÚVSQ:ÕZþ°èv–:湆Òý¥Ö­¢’üæV!iè@M>P_á)çО´`cc¸ÅrÑ*©GÈ=sÊ÷”Üq¥÷¹…°P%‹@•‚.»Žô5ö%÷XÜEyiJþ ù5üÞ'“žתÏ
-_ñ"¬ŸP0
9°éX3L?üF•6)Ta]bYçØg¾¦+çH5Ê:–,JVí¬½p¬µ#oÏŒ\óþO"RÉ“^èjÑJ_·¹÷¶Ä×÷}¶À?)dxlzµÖèpvzœ™ÌðZ]®ájé²F ¢_]à•ƒj&µô‡“Š®µ)ãEŒ­äžGO»›ðßîXqeÚ)Dhfµ†5…	ûø½ÞÿÎìD¯ÍFv•n)¹GÎN;ì<„w*¯šùbßìÃô—uüü6¿Èíé‰ý¾7^ñØCÝùîa
M]ÊÑ6çÏIÈêmùäçiàùÒübN©Å3´Üµîq»é›ù·VÉŒ]°«º½A¨´,þpgÉäsÂQSÊpþ$"¿ÿ‘PlŠæŒ‘@—údIÚýB¹;+[Œlç½EŠn°;ù”«	·­Òý`}‚Ì5ÛËtîì tvX©¨÷N^:»I×L&\g]÷ROàê"Uù‰¥C©¾\’éK¨Nño«c®QŒ»Q.¹UîØžòK\›8ke~<ŒfÖÕqþ^BŒ/ÑFwϨ«¹Ùõv‡^Ñí—ÛGtûÂ3ÐjEf#¢žuÂÆ€¸¢0i„§¾ÖÏÀ×Ê_Ñ87‡š­ª;9îaú]ž+ý£ƒZBÌo®Yœk›H·vàݪy‡æW]ÀO^)XÆÜèÑîÁQ07GÜÜG`kòƒ ó6WÁ7*¾P´[g*ý´ÙÊ4á {¬Þž^xÝÒ"¦,Dû(üÇØ© §ñu‡æ±ÙÌ[¹{<Žd›©oÍFRÛs쪭W__¶nZs{ hµù˜çÍ­è ÁÓðô\—Ž]
}oøÚîíÎwКR3=fìªigÌ,ºNßÃñb«¼5o/¾)FŽ´
­ha%˜Ù½.úôÁöiZ~âÕ£\ÿÛÅ°YŠKNC‹T†c:•¨¾¡;åˆàÀ¬YÏ<`³)Ù.ºlGÏ4/ù±¨HVjkßñblXL¸]í’…º&ÞÞûþ©5nË®MOÕ”ROÛ¥)‡Û¬ÎØ¡Qµ­»¤BÐQyѸ
-‘«ÈÛ—ÎÃÝÏ%Œ=i9©A<¡Ô: ã2­àúñ©~¹î‰Œc™rÈ‘Í6òÌõ2ºJO4ŽJ«¼NÓx|Žpò3ÊÙkÞ×YÌ°T„çvæ±ã*_ä EßîG‚w]hòÊô¹ÝW:²L‚÷̧àíwy»¿	!ît±ÓO¬8ëÒÞE—A®ï¤Ræ ›Áˈ0A—ë'ï6ñV/”¥&«$îV32|ؽ{TëÒÞª	>âÑ&rA7ÌÉhŒT9/üx¦ñ÷§LÑÇ—¬¯c‰¯½á`iô+€ÍY£ßo›ã­S›•ê9¢soF•Å)yÐíe¼zv–ht.ew¥zËM†]Ù…ŠùQá¦Äpg/\°Q˜Ç3x»˜ü3Eÿ}Û7X^º’^ï›uU´,[hJ[^îáååÔ¾CÏÊ2¥÷Éö£Ü5ˆ¶îÏHÞIB¿£¾p[L<\žì6&èu]cبÒó¸|T+º×ÚTRÓ»ÏÍÿƒ«Xüú4·ö㻹}¬Œ´õ‡”Qi¸ìå0ª~DU9p/n4œº²„“qûÚÇ·Œ8u™¤§—žˆ_ß_Z÷^ús®Þ›‹Ånæii¡ˆS•Û;X1/§õ‰úôs‰/bÃ+nMˆ™*ÆM¤Hš;ï%‹n*`wo†‹·+`É“I.ò)¿¿}]h-(Ö*ÛЇkºðÿüOè ‘ÅaYAð(Ȇ~(—ÿÍàÿd@‹endstream
+xÚíWiž øƒ[v¼þ/;d¿æ°áÒé_•A}“€5aÛ%UèðÅYR"ÿG)¢G,÷«£;øíBüM÷+üÝœA£ƒ€6Nç›bÛ@á …qÈþßfç»Ü”¯$0ÙÐÒ‡Côq¿`.þ9²Ùð¡|…@å—¤Ö2“1h‘(‰EùaX‚É\ÖéëIÁ±ß÷T.ÃA2rh€IÞ¼/ n_óüs¹0íg·u;\g¿põ©t¾14»£Là)9½¢£ì+ÂM“ï•+ù’2ä¬S
Ã-ZЫÅ%Åùí’e_¡Ïnqį}·Õ3…íÍ<(“[øÒ2âšÝ[¥ÊYOUË[âÄ$¦dì†y¯ç/Bœr
+•%Õ‚N/4Œ¥âß8ÙÑcœñˆ»¼V+l@üþ\¡m—ï|Tßæ%ÔøjN¢ºEÜ·àŠ…°~ìÝ$[$§îŸœç)C|ë­K:þMÔ…3¼àýmº;ƒG´ºÏº£RßÆ·Zh]†ûü•L‚ÇÞJåöÒèŠÒ7måŠn5h¨âž©)Ü[lÛß&,>ÔÒ& 	¨Ñ—ª+ïc{ŽHY|#{ÀôŠV~ïãI
kUg/y×O(¸‹9ˆ©{\?òZ•&9Dn]bÙÍñ/Cê.$[šAÖðÙýˆdaŠòͺú£my{¦eZö}’HžôÄVWú¹Î&¸µ'¾¾ç½ùY.ƒÏ}Ó«µ‡²ÓcM¤FÖj#l/^.@׈aü…t«É|¾wæApúˆ¡üv߈Í©‰}>×^ñØÃ݆ÜB.6w)FY­“ÖÙòÙ×CÏã¥é¹œR³§X™+Ý/l¦®çßX%5^oSukƒ@iYü¡$΢ѵ‚ö‘o‘C“¨¼¡}bRÔ§
øºT'KÒîÊÜ^Ùj`=çÕ$T‘niÏ»;\ó;TUO˜¼T°þ´©ÁÃ݃c`nŽ¨©7ßÖäûg3þl©Bn”.o÷®ÁXòÉEtÓTˆƒî±xwjþATk+_š¢%ô“àã'_|j8äÈ7‡ÏfÞÈÝã~8ÛDuk6ö Êž£—­=ûb‡¤«‘† %×ð·ûü›z\ߊ
<…LÏuîüÔÙuQ¬ïí¦[G…Óm¬ºÄt	û“ò|Úi³„®ã”H‚È*/õ[oË‚ÐÄÃíÃE+ZY	ÆÃ6¯‹>´~’–Ÿx¹ð×ïV@1b†êךScß*‘áN#©nèN9Ì?0cÒ3XmJ¶‰*[çÞ3ÅKA**’–ØÚw욈?Q„ìP9o¦ªN°óºw²UEˆl»eצ'*
+©§¬@ŠaV«3v¨Um+Ã/*Õ…äG_‡7­BåÊóö¦ólïåùÆ·žP#Wh
+rž’sùôD·\ûxÆÑLôèf+Ù‡¦:]¥Ç›Æ$•^§©=ª%žø‚qòœóqÑ/"æ¹C¸ï¸<$tÀ¬o÷Cþ;.|,Ž:U»ûRg–ž±О¹ô¼}Îbö5£Do vúŠg[päúL*dºê½åw¾zâN3oõ|Yj²RânÓ@ý§Ý»Ç4ÎÇUM¡n¢t#
ÆÉ•s‚¦›~Â~tÞò*žôÚ	–F½èQœ5º=ñÖ9^ÊÑuY©£Zw§•y‘œâàûÝž†«g扵)»+U[¯{3lÊê+æƛÜ„Ûæ/ˆvëæ×ôܽ´1ðÄ@ì´ðD¥s!éïd7{f ¥°XŠ/Þ*SÈU““åçT›Ø_ãµÂ¹<ÀrlÓûâXí3S†\Ö;½bV²ÔMÑ‘"ƒ#£*ùšK­J`ÑúÙ±è­.ê·Ã×ÐÄ2'ÒÍ lÓÄéÃAçR~ïä©{MÇøÜ]ª?£Î¨>@xé=£8VKIÍzUnLÕü‹ýøqNÇa"oë„MÒ±Ð*ÿû’÷
û¼iýjÅÂ&k‘Ü53Ê7•Òú‹º¤±ÿåƒü?Áÿ™’Xf‰ˆŒdlø‡réßù/Å8@¹endstream
 endobj
 1179 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 97
 /LastChar 110
-/Widths 2265 0 R
-/BaseFont /BGVCGE+NimbusSanL-ReguItal
+/Widths 2271 0 R
+/BaseFont /HOYVJL+NimbusSanL-ReguItal
 /FontDescriptor 1177 0 R
 >> endobj
 1177 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /BGVCGE+NimbusSanL-ReguItal
+/FontName /HOYVJL+NimbusSanL-ReguItal
 /ItalicAngle -12
 /StemV 88
 /XHeight 523
@@ -10468,73 +10502,69 @@ endobj
 /CharSet (/a/c/n)
 /FontFile 1178 0 R
 >> endobj
-2265 0 obj
+2271 0 obj
 [556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
 endobj
 1102 0 obj <<
 /Length1 1608
 /Length2 7939
 /Length3 532
-/Length 8790      
+/Length 8789      
 /Filter /FlateDecode
 >>
 stream
-xÚívgPTݶ-HPPÉIhrM‘œirNlèZº›,Q@¢ 9G%#A2HÎ9ƒäŒd âC¿{ιõ½óëÞóëÕÛU»j¯9çsÌ9æZµY´tyd K¨"ÂÍäåЀÙ[:£tÁj<²8pk&`a‘CBÁhÂAŒ†>B!y¨@@%`È!Ý‘0[4€]_ǃ‹‹û_–ß!K÷xnw¢`6ÖÛ(áhu@ßBü7êB¡´-`
ƒCršZÆ 
%»’†>@	êE‚á-gK8Ì
- ³‚:  kÿk°B8@`¿KCñÞbÉ `Êj»Ýu³‚:þvq¡H{
-uû
€¡6H°ú¶hæ`w†ü&pk·Fü!äˆDÜFØßúnÁ´(4Ê
-	sDn³jÉ+þÅmFÿ΂ݺëÛHÂÊùwI|·0·^4怠¡nèß¹,¡å»ßæ¾sDÂþÐpFÁlþÅ€€„Ú€‘8…º…¹ÅþÝÕ	øoÕƒáîv#þDý“‚­y	€·9­Ð·¹m`|¿ä`ùÿ²Cœÿás"ÿ4ˆý÷ÌpÜ’CpwjMÀ§@ߦ°ÿÏTæýωüø?"ðDÞÿ¸×è¿âÿíyþ;´¢3®¶¿€¿.Àí
ƒ¨~ß1ÿW,Øwÿ7Ñ4„þÅð߀ÐàÛ6È8ØÜJÁÏËÿ—†R„¹A!Z0´•-À¿íÑ»¾Š„à·Zþi#€(,ü7Ÿž-ÌÊÎáwÓŸˆþqA g~+ÏÞ|*Êjš†\¿MÿDiݪŽÖsw¼%ö_u¨# ÿ\üÆ•E¸jDâ~çðerÉö%e>w$ò¶J¨ˆ$k|X‰A\–³³Ëóõû9[GowWgó1Në:
Wz$>‹˜6!k˜¯S:”‰~‘g„e.0¦ãclKP«>»àÂÌ1yÕ’ ÀdÿS¡Õ¬çn9´éçï©|e>·'ëC‹›f§—ЛÙq€úYšµ«„8ë$fÚõSëÁ·RÞoÛ@*¾«ʹAÔguG…*|«eB‰;}ƒv©¢]ùßÖÒï6”‡yÛ}sx/Gj¢T«$Jñ£•H
âQ–®‹B~RlEÛ1w.ì*Çbr|¬½}$nÖ‡·Gs]> Ã?V1òx£+w¿³\õ9’e‡Ð†ŠØ¥ÍäÊv””7œœ¸äN­Ñ÷«/ùŠö.‹ú…&Ð)âá0äPùÝÚ…k¥èé¹éÛR§ö
-^8³÷&sݱ­|&éŸî#6cÕ¯‡‹úœ‚œEë=öÚÊÔïƒ.Œ}(pÚéc8hXÔêëeM±¸ÄÈpefI­|š
-8xÏŽo‚¹
Lœ¸Uˆ–¤¹ŸjñÝq*½ºÏáÃ'äy•JâêA@"]1\j-L¢3wØ°¥`”µÇ,–>aZ¦¶où¿-Ž~æÚn‹åãQQNq—5%
zh±)è#*õò¸”l\ÌÕ/(YfÿY½wç½Jt½o­QêÅTHú{ò=Ó™5Ú
-R!ß1Âr<;Þâ$ûg2³£§Ä¯Cǥs‹©Ï¹å‹E#‡„2‰ó9[ª«eÖb	äBñÇ›;qäë4‹¦y,'XÈ.ó¹^Ûû¾çm}l3S@+'éY“W[ZTç¤ay þR#ÁWeôùì¯w<Ààø!ËêHô‘ªÝ°a2Y'ŸxVc[ЃÖ̺«P‘|m÷L¨3X´•¢|FSp	õ6!wˆ¥qi­ÍÖ)/)y4ž^ÉdÏ—“¦'»À+Oð+Wë³Ã/HŽõ°8³:̨%¾0€°nô™¦RºNSX)šÄ©wo¸Vá"n®¡U®uë.ýe‡°ƒ5­†âÁ„v0äÓ=Ì­²Ðµ”ž²­ÔÂtwï‡tKy…‰	ö€À›Á²Ãí/hÆnfÔÛYÏß35|\Ã)͹b€½^s$QÛ<.'DÑ
-(^‹òp߬h7š” ~Ý¢ñí‚…Ë.^,°‰ðzÈî§D€×û3ÊZú’|JRA.KÞ&[å/0õî¼2³–ÛOy«óCúÒB«e€öžt‹:¹ïäCA2µÅËV‘ÀP½'Ûz”êÅŒ~,ÁÑ’ØAkQèoL¹>3a…\Ôô‘¯&û‡EÂË"g>1doµÖ‰g·s<î÷‚Ž!4ž„…ÊÚ%ôi®ä%-#£`‚h-GwX8n^]>ÃÇWÅîió¦p•ÞUÚåâãÎäIdØxÓ„LµvˆNÀî8‡Ä|x©îóÊØÆ|çBSP߮ଗ–g
Ô¢Jšóú¹mî9}Þ/@êcõH/š®JäÓü‚h_ÿܧ^à¼n‚K¼?71$ÕŽb¡’êRm:î^5c
¨íÇðêZDQ%qÞ©39ˆ;–*XgEvb»Ä#ªi.ƒRÍãÓLëŠ÷j;Už½À9ñû’šeÕôlëbZÊq5Sv‰¿P ÅùC»¬ÄÅYÚd42Ê¥¯XÜÿÑHC{€T óT½{bÕÞjÝ´?¦Ðàk)øeXïÙr™ÐWTbé£ÜlÝGN‹…1ß^¬ßNdVZ½”¤«ÔÀç,ZãˆÍaþgD¼äî-ç
-Çö7=s`[šzþáÞ•MåME÷¿€uG–h‰+÷ÜKI•9º¶Z¶ý3h#`+]¥J¢æ·šõ¬¥¸¦4G‹Æä5ÍɦŸñ
¨/„~
2…°ëIš%ƒR*µÈ¹ï¥‚CSž[çm•&ê,œ^ˆ®ül™ò‰0¼3F£!âù2°gáȺÝYzñ‚Ä^˜X@°æ¨Í›#díQ¿¸ ˜ßÈ?'ty…Š,ÿˆbx_¸Âæ••ÌDC«½¬}F0j|{¯Õ\þ˜ßsžù¬—}8$QŒáinúAµ$o<½öR•eµ#"Uòe¥rÞ‰KÿñÃ=Û`GS"“H®bʘ#6W?³æ—å‰ÖÎ+ëíø ·¯ô–-ÝI{ˆQeY:BøÂb¢÷‘>:_/!€ÐéË@íáÞÑȬýu¢‡3èµ+òLn¯óqŠq`Uúmò'ÄaeG-3¿rk	³o=m[¾Íbõ«	¢Ä"îE;A{°<¹æôþÊ1gŠº`F;¹Ex÷”‹S>EG‡t	62j"hkùýI5IëUÑ:ƒMn"A˜W¸Í(Î
-òÎqE„¹¯øç*+nû…Æ—²;OeŸöY:«*š“ïgœò'\Ý7"µkûl‡ÉqèËÑÌ'ð9‘Tgeix¿qVV^­ÐÅnOiêlÄ&Àh1ÿ¥n†	Šo-R’È!î±~x“ýè‘·ÞøyoÏõÏ4íÙ{¦Å\4X²‰¤÷•Ï´±ÝÈ/åµ½¸N%{’;4u)Ç!‹=íè¡ç"Â3¬¶Ðœš®`¬õ0¼f»åæ6ç-#vƒl|¯göÕšŽùí:qÄÔyN¿3-y„¨Å–UÇâ${Læ6¬ÆÚRøÉ™¼ó¥?"áZ¾þþË\øQ>È”	§{õîû7l]¢ÍK*;”]Rï¼Eú4à[·NhÀƒµŒÆëÍö—¹|j"œl‰\ö#Ã$,¼¡û4”Ÿµc2"S%öÍOZ5éê˜-=_~/•˜ñøˆLreá’ŽÙ7/Ý4w„_3ìƒý-Æ_õg$¨L&{[äã¤.¸4Ë<±I ½U€QrW(aRë*­ª)}¤{öÜùóš×Õ}ÿSM#¶ú¹”è>ž6ʈ~1ô–r¢„tBÖPÒ—µD 7S£á±iþ1N­@¤s‘e¸ö{‹>“õèÆw
-™mÜtW?e‡ÌŠØÇRXÝŸ¶«
qÐNøb%2t)(	æß-Ö§9¢A¸‰Éš2žŠŸ±;Njf:¯ƒ9NÃïÊœT)š…ùïš=l“'v!V‚»ú7?êÑš\“Äk=ò†º¦ù^š-2~ë‰Uïs‘.»o¨ËªüaMfsÍ%W2b+¯ø¾
-(Ì°?ø6|Kú‘œ™µÁ86<6zlDÌ)®VésF¢¹¦GfôZ¸èøJü
P!HlÆ<¼H›8ºîeg©õ/¶D-¾ú‰¤÷ ã›UêYœqáÕ±ÇøË
-*Ïp›Â¤AwÓ'v•ù7Vš4¶¨ž+jÙÚN9dB àmN+ômn˜ÿïA9X#@¿ìgÇø\ È?
âø=3œ·$À„ÜZðk з)ÿ3•ùþs"ÿ$þü‘÷'îß5úo‡ø{žÿ­ä‡k€íoà¯p{àj€ßwÌÿ¶‡ÁÝÿMôß
¡1üw  4ø¶
²6·Rð	üe„¡”`nPˆme°Ão{ôÇ®ï"á0è­–ÚàŠˆüͧg³²søÝôÇb\PÈß™ßÊó‡7¿Š²¾¼÷ßoÓ?QZ·ª£õÜo‰ýWêÈ?¿1äänO^ ¨€WH@ôö°	ĄżþM¾?@À­ÕÁh$Ì
ðü¶hàŸÒÿëý×Êìo0ŠVÈï9ÑEƒ ·£õOÃo·•3y«èŸÓ~[ò?Ö†
+uƒZ|™BX‰¼LLIB—Qdt
( Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
+¸éÛR§ö
+]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚œEëÑymeê÷AÆ€>8m„1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡  ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú+y\J6.æꔋ‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEéïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ8
+ušÅ?Ó<–“G¬dtü®×ö¾ïùZélf
+hEá$=k
+jK‹ê\ô#Œ²Ô_j$ø>Û}~';Äë08~Ⱥ:{¤j7l˜ŒEÖÉ/‘ÕØô 5³î*Tô#ÛýêŒm¥(Ÿ¡\B½MÈb\Zk³u
+ÂKJ^'W²Ù3FÁå¤éÉ.ðÊüÊÕúìðã‹’c=,®¬3jÉ/Ì ¬}橃”.‡Ó6Š&	êÝîU¸¨Ûkh•kgݺKÙ!ì`M«a'x0¡ƒÌ	ùts«,t-¥§†ìC+µýÝû¡ÝÒ^aâBý" ðf°Üpûš±›õvV¥³ƒÃ÷Ì
×pJs®a¯—ÀœÉAgÔ6tå„è/ZÅkQ^î›íF“’Ô¯[t#¾]°rÛÅ‹60^Ùý”ðzFYËP’OI*ÄmÉ×d«òñ¦¾âWfÖòûé!ou¾qÊÜCZhµÐÞ“iQ'÷|(D¦¶xÙ*ª÷d_R½˜Ñ%8Z?Èb+
+à‹)קw&¬š>òÕäø° DxùAt€næ£`öVkøqvëð1']/¸t¡yô8,TÎ.a Os%/i5Bk9ºÃÂqóêò?¾*vO›7…›<ë]¥].>náJAž´AÖ	7MÈTk‡è´±ìŽsḢ—ê>¯ŒmÌw.4…ôí
+ÉzY`yÖP@-ª¤9¯ŸÇæžÓçý¤>Vo€Ì¢éªd>Í/ˆöõÏ}êYÎàá&¸ÄÛøøsc cRí(æ*©.%Ѧó(á^áU3Ö€Ú~Ÿ®EU×:3у¸cé‚u6d'¶K<¢šæ2(Õ<>Í´®x¯¶óÙÓ8'~_R³¬šžn]LKû"îà²f*Ã.ñW
+³¸~h—•¸8˸ƒŒFF¹õ•Šû?ih
+vžj ×`­Ú[­›öÇ|-…>°ë=].žàŽJ,}”›­ûÈi±ð!æÛ‹õÛ‰ÌJ«—–r•øœEk±9,ð”ˆO’ܽ…n®Ðq!páxÓ“1¶¥©~à]ÙDXÞÑTtÿXwd‰–¸rϽ”T…³k«eÛ?ƒ6òg¶òõPªj~«YÏZš{JÃÁp´hü@AÓœlú)ÿ€úBè×@aS‡ž”Y2(õ¡r‹¼û^*84å¹uÞVi¢¾¡HÑÂé…ØÊÏ–)ŸÃ;c4¢ž/{Ž¬Ûe/HìEˆ…jŽÚ¼9CÖ•Š‚ŒüsB—W¨Èòè!&÷E*l.\ÙÈL4´ÚËÚ÷h„¢Æ·GñZÍŽ<çYÎz9†CÅŸäá¦TKñÅ3c/ÕQYV;Ò+Q%_Vªdá¸ô¿ð‘8ܳ
v4e$2iä*õ Œ9csõ3k~YžØaí¼zf¡äö•Á’±¥;Éb1ª"(GO_XLô>ÅGçë%:}¨=Â[#™µ¿Nôp½vCžªÂíu>N1
¬Ê¼íQù„8¬ì¨`æWn-aö­§m+´Y¬~5A”XĽh§"hV לÞ_9æJqB—¡Ìh'·ïžrs)¤<ÃÑ!]‚ŒšÙZ~\ÍHÒzU´NÏh“[€Hái3
+RgT­$vÊ®éï9‡á׺ù§ßWŸa|…psØ´"ÀÅÑÁñgð~¸¿Õxy¿oA‹z¾Â¼âÕëPúí, +ƒ"aª
+GZ÷±Z6ÂlƒÝI§(²‡2˜Zδ!|Ñ?-IO“d×´–ÒÉ5(ÿà6÷YJã[u'·û²«€<±¤­åº	ú$„whïÀˆZ]À3W=K‹g¸2wñÙàZ)’ÅâK«fE™í›˜9½œ·•*(m¯Ö¦ÑúAÔD%Wãj‰r—þôÎ#gg…ø渆"ÂÜWüsU”·ýBãK9œ'Ž²Oû,U•Ì‰É÷3N®î‘Úµ}¶Ãä9õåiæøHª³²4	<ß¿8++¯Vìâ·§4u6b`´˜ÿR	7ÃÅ·)Kæ÷X?¼É~ôÈ[oü¼·çúgšöì=Óbnš¬¹DÒûÊÆgÚØo–òÎÚ^\§’=Κ‰¹”ãÅžvô0páV[hNHOW0Öz<ýPlpИؑ¤õéylv_ióÔ”½Düñœ˜º!aKfÔô–}#Ëd@‡ŸÍˆuÿŠœ}¾<»Qp5Ieëò*']7÷B¼iØDòÛç£èⵓº‹`u#²ëd^‹Ýrs‰ó…–‡‰A6¾×SûjMÇ|:»NquÞÓÃïÌK!j±eÕ±8É“¹
«±¶~ò&ï|ŽH¸—¯¿ÿ2y”2eÆéžE½ûþ
[€hó’ŽÄÆe—Ô;o‘>	$øÖ­ð`-£ñz³ýe.¿š(W {"·ýÈ0	'+_è>
åg혌ÈT`‰}ócÅVMú:DKÏ—_ÀKe<~"SE„|Yø„”cöÍK7Í‘×Ì û`‹ñWý	Ï&“Œ½-òÆqS\šeÛ$ÐÞ*À(¹+œ0)u•QÕ”9Ò={îüyÍëê¾€©¦{ý\JtoeD¿8zK%QR&!k(éËZ"Л¹ÑðØ4ÿ§V0Ò¹È2\û½EŸÉztã;ÅÌ6ú+ŒŽŸrCfEc)lîOÚÕ†8i'|±»UŠ……òï–ëÓÑ ÜDÈdMoÅÏØ'53×Áœ§áLweOª”ÌÂüwͶˆ+»+Ã]ý›õhM.IâµyC]Ó|/ÍŽ™¾õĪ÷¹È”‹ß7ÔeSù°&»¹æ’+±•W|ÿ(̸?ø6|Kú‘œ™µÁ46<6zlDÌ%¡VésF¢¹¦GfôZ¤è)øJâ
P1H|Æ<¼H›8ºîeg©õ/öND-¾ú‰”÷c Ó›UêYœq‘Õ1ºüeÅgÏp™šÂd„@ŒwÓ'vU6Vš4¶¨ž+iÙÚN9dB<ï·NZN,±$íŽÝ\ë|.ʳ4
-Úu&IFlµPÈ‹˜<>ê¼çO}ö•>ݧ·ðgžF±;YuQTˆ §ÿæ‡	¬ßôtD¤ûfP˜{s“cÞ·+J	.>xi¾’²È¦{¹3Åš®Þ~—ÛãŒd@ãa‚äÄ·Ž„kï887Kp¥ôRXŠCãóÑ°áTîEQæü^w~@³ßG±¸½Kë3rÎN¡ÀK’jùÚˆYi†Fý€ðF®ÒQG÷QÜKV1Wñ-ˆÄ]uÓ£¦¦Ç¦—D'Å4Žs^ï¥%͇aT{¦®ŒL7“ù—Šð¾äá®^8¡cññçî6S½¤(¸ZÉ€û`2$éß=ŸÝ›·4Žânâ%ÝÄ5Ì&¨¦ȇrŸšÉPjÔj©VÝJ%ž8#/Ô+¶tt:WšœÁcÓ0¤¾öíjMö“¼úŒº£èZ×aóŽÛÆýCØÛÉ7Û¾!-6‹Ú¯¿˜6œ6ÛÛj~ÁSis?ÛíS`¡°è%«èëÆ6¢™hSSÄrþû¤N¹’QëÔ_’­÷êsucÛUi¦¡G1ÞÔ‡´é<Õ
,¡7%ç”b>×Èê/7ÑÀdú^ÉÀŽ‹½ì±/ߤžâ:»özÝoW7…~Äf¥:7âTWÊxû¤¸1RTùã¢öƒ¿°ò}‘<}wD>‰ß­+=ó¦ºf7µ½îÓã'Z׫@='´EþMÅ)TÀSwú‹-Ñl:m‘Ÿ“¡ä÷ËG¡;r­ÒÐ/Ã*Ž¤fŠÞó-xz
-}~ÏLcÄçt>í	ÔN$c÷¬¤úœ ú=nÆ©ngþõžåÆIE^ÕÖŠdÙh›•™&|Œ݃Ûtmðp6ðQYMã©©SÝ;h†.¯ÚÉ/Švö˜ È6èDz‹~¾:ûK¸Æ&†Æ$€±sfƒr®©X¨Õ‡ìÝåö©6¸ÒY|CÈœ‘ÄHRÊ=›Ð<Ž3 S=ÍêU%6?Q<ÇÛSOújÞò5®+òr+׎™s[VŠ"ƒ¹ˆÛ­R@BLȼô½øóÉ*ùOx<‚Ýr”†a¯@$ñjKSMƒï”Øvª*8¬rŸâ¼Y¼ˆ5æ‡ßr¿™”‹ïÔØ	žÓâ8»­KÔ°§Ý;…§—?\—§Fä»j8‚\šO“§•×†øžŽu8a”öÖömÐú»«MÌø©rÛvÙjÐC;L‰C`„>Vx­iôALí+©Å[ƒ~þº†KIoä&žá2j4+»,~£7RQÅV$èÃL|‰<ÉœÄÐÖzÜÒýÁÏßo„˜0»T 2chÊ›îà
-!dÌFæö/¨˜õpŽI^ø©Ý©²‰µ([|«Fv/f»H/>_!üËê¹ocG¥%ÅÉs5“•ŽnÇ5¾Z‚ÏÝŸ¤±ðJ©ýšžÇÝ\UËúö¡
î[Ÿ2Êíß2û²Qx„úûs‘½¯Ø«PU XäxŠnO
-IÇäœ÷îÍóÍè	v ó4ýð
CihTðÞ²° ÇÒf%’2Žãl}Þç×^#ò†-¼hC¤ó|7ÄïçiжràÕýŠQÉH‚d.à–ŒñÆld„1(_¾wiNŽ3ªÖO^U·s5@p».ú0}¼ƒµ³W
-Oyâ|g܇;Òðh¬Ù#1|éôë6Ög²›œ·UëáÇ	rk_‹öw€º«¹j!:/œ*¼È_Ô¦¶S+³(#>û­pKÕs%ìÛø“hj£ê·ßN
-\O–ˆuõ–.½½h8¤Ëµ[%-n&í—o{Ø,OJ‹ä k ƒ$4Œsz!¼¢‡bÃ7Ú‡vçˆemÝÊ5Hcý™’W¤uÊTãO³‰³7	†³Ê;B¥È†“ŸÌõáõý"¡dËUŒtúÀóñ[í¹0!Ã<Ú—(U½›È>ä9íÁ;˜Ö€7¤ÊÞ­:À¤Õ²y£7À­ÔÁT}I”C¶–‘Qîì¹È\·ÞWõ3›Ã½ZÆ™&ÝhÄlÊÞK\o`~~çt!•†ó(à'¤§tq	Y†¶bëÑ4r3ÛDZëòa[ö_ó>(ÁÔE7	bO;8<0¹8Ô4;Õª>*ËVëu?+«h–H½~šq»x/·}$ãºÊá+¡V8|ýƒ!Ù‘`Ç©³Mò×ÎàåÇøQÝ'ï³eò^JYõžâ7:¯?¾kñs”ÛqWç®fa Š’Œý4>§ ÇZ'úy]Ü;_GdRÁú	È•†bn¥æf§çƒ\Qù²1³7›^voŸØ4Ò-מyþ«wýE’ñ$-¤;k3¡j¹õ½³"í§¬kEŸÄ¼ÕSíÇ»õ7ó´ÎˆÏÖ1ªÉœÛü¤¦Ð#,õ÷9ïÓ¬æ1Om—’÷Ÿ»uÄËnP“ÒZ}7LÎ$·*1e¥PÈ
mêõ¶ÇCgùVGŠñGÈÚ=Êïà9’"ðfÙ°ÙèRÒxªú;ø®^í,‚£åzOirŠ>׳wÈÍcÅ¥˜?!wÏÇFNyÆ/^€Â(Œ’‰‚SÌ—òñy`LÿâÅ”ÎàQwѳˆ.ýÌéììç ²7L‡²m³‚Ô-Ôc—†\ÂýÂ
îãE>`­X|úZ-‡ŒØ3!lüqÆ׃팚ˆfrMºîôaúKãŠÌˆxè¯Rnºí®{ɼD£?ø&´ÌFóŸ´T%ɘZ8­U6
-3ú·<Ȉ›h¥=¯`·C-ãZ*¾•‘Û3ØJ`+>…p˜;w	cÁ¿ù\åµdf؆:îÉVÂÊ£QÏ
-Ló¶Ú±{iC¤üD8þúñ7.4ß=£Nƒ~ØA·™Y¼ŸíQíì
-;dÕÚÞùYÌú.ëÅ3¬m
-Œ·Ò'OܧZM•ÈkÚEä»óÔAøV¿F+áÖØ\7H”ÕÁ¬–ÞÙ‹s±
-A7µ¢¿ï?å151"yUF„I×íòÏfwÊ*Q;1WG¬ä‡üÖWG9
-dòú“¢Ï¡ã6–±hò¶þ|áç RÖ/?‚jïVÈttf=]«­mîXCh-»E²`?|(“躃Øçw¹©”]“RÉÆè·¸¿½ú‚[O÷^Üä'^m[ñ™4]aÄ‘þÖ9ö5QºÄ”ÔbcÅ‘n"¾ÿ]½GF&<ç
¤3dRµ°%‘	”Ê.Óµ­ÉÂÆWòQmw)‡GÒDa™e¹ÔÖlNA|¦Z–ýÒ½‹Lýƒ÷ÛE}b\ÝîL» &épƒ·gr[‹÷šßžz÷ìòdÈÄº‚íüë£-«‡Z‹ÎîpnöŒ´Ð|˨)	2xqô¦S=w¶Æß
jIž6a›6Ä.OSy]ÆñþS§oa¶Ô«ˆÌ±â£Š51r»%ob2üpȈEÐ&â§ÜÈÕöIòÊp¤ì‚è¯ôV²í­NæçiX¯Ô²»Íæá‡A$­Ñe$D{òD¾Ÿû‡‡';,Ög¦•k\Ü Gái3¼q¸Qþ¥L‚¨99ö]/9(C쯆IV-u—ß$#ô?(Ð%¤<×~ü^nsÑÔpPpmªJÛ7'êüyô,YEj–lw‹hÓ>
;Ko·ˆíŲ"ƒÞhÆðÇû­uÔÌm:n=¦ÇŠX—N7ŒÐä£Ïà‘Çžßi®1zUL-íµf½+OGÅŽF÷Ù*v|­FO]ÆvGÓÙŸ¥¥>Š?$¡$ï.ÇpHSî	4ó¢1Ž‹,V‰Æ;…Š¥"mLôWµOËétoÕÛu_Ý„fhJ#ʯ\ü¦CÀ¹÷)O!òiç¸SÔD3ŸJ6IÐëYåÍW«;Õ9#%“UÔ…ò@KÁÝDFjðc¾®=ésË‹¯N|½Ý‘m*ú‰¯—œœR–Ph<ßûÒøºà;wíöÐ5Ÿ÷ãyí]³õ–èÏáÊ͇#
-Xæ"¢Úbò3¸ý]ub7¾‚夨õù-ÅsÅK>ˆ<–!!’=j‰Á
bê÷](åÏi·t9ù
-KÆ.Ha½+-Ε[åòÿÑÒñx Ciif|-is \‹¦ÿ€|6±m¦ÍñŠ =“1ä`K^!y9ÊÌßIjX÷žXHO~ûLýì«œÈF7v—")òï@µW™[zb™®ÕÚ4“*ý÷L´ªŽœ0–¯z$¹Š/‚„à{>UiO³ýE©²5êæ÷”t¦=Ä;î
-€¯À4?œt€sTeù›!4J%h¹‰¸—ŽQÏ:µ¿yÓ´(kY¸³½M>X‹–
sôqÀirÐÀ³8!ÂùÕÏS€¤Sì$óÅ­$R÷Ñ•amPÍ$?çÔg•ËŸ˜Vd[ƒ1ËiÇO°<Ø_¥¶%yÐœáZ.›eˆô¤Xþ*Iò{()õŠ_¼¾êW÷ºÛ£x}kã¾ããVÔ³Ö–I͵'EÜöGi‚õÂV;áåÏ¿Ø×6™+Ý$Éž	{ýTö"1Ðœä5v-V$ÍlÂÞ¯«ª›bݦ´³ã)º§ÊoS6”hLGñ…îÇ,v%¹u©I~®]%¾)Ñ}ú‚¸2¸ âoJ°]^¯ÿRÓ HmØ;Âúž³d¶ù핈`)ÑÑëùÄÚ”°•dv
-8>ÔfN-öÓ¥]¥rÆp4’	w0N¼‚+à.ƒÅf4¢ÎfŒý˜¬ê/7r¦ÀCêOÝpñ%\ï‚©.úÌ•â{šÞ‚§mÝ’ó³éÁm÷µp7ßßçŽÆQ}⥜ñMÃècFn°ãH¶ÈH¿­D^{D
^HÒœð.xØ´Yæ^¥$ÃNèR¾äK'^é’²td?õ’¸I}²ß©fxaúÁ(‹Œ™K‹ŠÖâ€MÓÞ*ôSæ›iô‘ h	šŒ%–ýb¢¨¦—úˆ*äÝ*Wæò(#]V’Ü<ši#ÒY²•Š‚DÁ°¡ÃÕFFV鹕6ÁóÑÕ+3ÙøÛM~o£¼Wö¥Ø…Ú©5QÐ8ÿµ;¼³Óæ?¾z¤á½³0MñÇ€nZ_:¾ª"‰4Oñ÷
™Ë±NGÕÛØW,vÕxF™GM2Îzä}ézÚZç=¯‘ZO+Itš_¿Êk÷ïMjëgàÒk/^R\LsG‰
-²©
-3ã½+ôÞÊ•÷aˆlª Ïn×–OBw:ëÌDöƒ^ቃ€¸Rn¹šd¢¯ÅÓò;SÓtd®ÌA~zM“èRVt}õÚ+'˜	†4~}µ÷°}³íÚš[T:áµ%|Å’Q"èXê³ÚÎÝ9"áòç0Tw³È‹d·¿Pô@åÉ@ÅìÓEâòxOæî¹Ã	åÏIXUb_4²üQ
¨:ù©^\õ47ãÇU¸µ&²ðc
óŒA«`á0Ôýµ˜—™žÌ‘¥ˆß·%¢y†.Sz¾M²hàž·ãý°óg
#$SÿçÅOÁëÏàBø[yã¦5åž Šq(OÜâƒL#‘'Þ/ãØ«*ûü©¯ð5X1œæ)ol×Ós[2L&³d´/øÿ—ÁÿøÀ
-#Ñ{0ÒŽàÿ#)öendstream
+žä¶5Äõv!.[7$›\ÙÌù ö	%Ü-DÇ9øÓ\¯ÔÍŸÄ7& Oâ×ÏžÅÚÅ8“£òÅff\Æ
+-â×6™…ÈXÓØø¬ï¾ÆÇ„)h}YÆð–êA±>–?qhYêJÁoȯü¸"Š˜‰œñµŠýVw$ˆÇÑ5-C¶Ãö&šgŸI}2Ñ»5ãùáö¶DăuéBÿ;¤»¥ªïÕ\rþhüæx€Í?‚^z:“Å„ê!Ïå¨Úqn\*$þ²2RAרêÇ"Yþˆ§ò¾_Zp%ý ¤|r(ÒÚpÀ£5§HêDžæÔà¢èE=$‹a”WXœoäž÷[§	-'å\’Äö	Çn®u>ãÝNí:“‹&#¶Ú(DMèŽ:ïùSŸ}eH÷é-ü™§QìNV]"äéÿ£ùaÛ÷}é¾æÞ<Åä˜÷íŠdƒ‹^š¯¤,²ë^îL±¥«·ßåñ8#Ðx˜ 5ñ­#áÚ;ŽÅÃ\)³–âÐø|4l8•gQÌ%¿×]Ðì÷Q<îEï’Å:猼³Shpã’¤Z¡6bVš¡Q? ²‘«¼EÔÑ}÷’MgŒÄUb"yWVÝô¨iÆ…™®Àô’è¤øÆqÎë]£´¤ù0ŒjÏÔ•‘éf2ÿRQ¾×€<ÜÕ't,>þÜÂÆbª—EW+pLfƒ$ý»ç³{Sã–f"Q)¨Ï¨;Š­u6¡1ï¸mÜ?„½|³íÒb°ø¡ýú‹iÃi³½­æ¼gmîg»}Š!½„cÝcÝØF4ã!mjJXο`ŸÔ)W2júK²õ^}®nl»*Í4ô(Æû‚ú6§º%ü£äœ’SÜçYýå&º˜ÌpÃ'xÂy±—2öå‚ÔSBg×^¯ûíê¦ðجTçFœêJYoŸ7&Š*\Ô~ð6þ/R§ïŽÈ'1ð»uefÞT×즶×}¢{lA õp½
+DЃqB[äßTœB*«ic:5uª ÍÐåS;ùEÑÎÙÀHoÑÏWçx	×ØÄИ0uÎlPÎ5—¢ú½»<>ÕW:‹ƒoY2’˜HJyf€ÇòTcª§Y½ªÄæ'Jçx{êI_Í[¾ÆuE^n¥ñÙ±pmËISDx°ñ¸U
+JŠ+Y–¾^#Y%ÿ	GpXŽÒ0Nãˆ&^-`iªiðŸ;ÐNU‡UîS’7K±Åüð[Žç&“vñ;ÁsZ§â§u‰ö´{§¸àôò‡ëòÔˆBW
×B‹CóáiòT£ÊÚÿ“±'ŒÒÞÚ¾
ZwÕ¢‰?UÛ.[
h‡)qŒÐÇ
+¯5Áƒ ¨“¹Ýa%µxkÐÏ_WÃp)ÉâüdÃSY]K¢þäWOk‹à0É3£¶×ÞGº?úða‚f—ŠTfŒ@Ó\a„¬™âˆÁÜþK ÎÉ?µ;U6±e‹oÕ¨ÓîÅlé¥Âç+D~Y=÷m쨴¤8™a©f¦ÒÑí¸ÆWKð¹û“4^)½_ÓC×Í]µ¬oÚà¾õ)£Ü~ðM ‹/;…G¨¿?7ÙûŠ½ÚaAUE‚EÎ'èö¤t)®yïÞqŸÑŒž`2OÓÏß0”‡F…îý(r.mV")ã€1ÎÖç}~í5¢oèÑ"{€6@æ8ÏÇqCâ~žm+ ^ݯ˜g©SÌÜ’ñ/Þ˜,ƒ0F•Ë÷Ž#ÍÉqFÕúÉ«êv®W‚ÀEßæw°vöJá)ïŒûðD5{$†/~ÝÆúLb“ó¶j=ü8A~íkÑþPw5W-Dgã…SE˜ù‹Ú”ÁvjŽÄg¿™A£zî„}MmTýöÃIÁëÉñ®^ÂÒ¥·
‡ô¹v«¤ÅÁͤý
+m›Hi‘œô
d„†q. „WôâPløFûÐÀî±Ü"“­[¹É`¬?sòŠô£NÙêqüiv	Ž&#‘ÑPb6G¨4Ùpòã¹>¼¾_$”ì¹J‘Nx?~«=!ädœGû¥ªw³ù‡<§=øÓð†T9ºU˜µZ6áa¸•:˜ª/‰rÈÖò12Ê=ùëBB"ûª~fs¸WË!Ó¤˜MÙ{‰ë
,Ïïœ.¤Òp%ü¢ã„õ”/.!ËÐRl=šFb›Hk]~lKÂþk¾ç%˜ºè&!ìi§‘²‡šf§ZÕGeÙj½îgeµÍ’©×O2nbïÅâ¶d\—@9}%Õ
+‡¯0&;ì8u¶IýÚ¼ü?"¦ûø}¶lÞK©#«ÞÓBüFçõ'Ã÷bc-~Žò8îêÜÕ,|¦,kÏ%äq†Ö‰~^÷ŽÓ×™E°~r¥¡˜[©¹Ùéù _T¾lÌâÍÝÛ'6t˵g™ÿêd‘dç}šÕ<æá©íR²óþs·Žx¹
jRZáï†ÉyƒäVåã æ¬
+ù¡M½Þöxhá,ÿ
+áHQ þY»BåÕjªâD^ûÐ."ß·ƽú5Zï°Æ溱@²¬®fµ4ðÎ^‚›M²¸©ým|ÿ	¯©‰É«ê4
+$L¦nW`6»SN™’h܉¥::`í ?ä·¾:*Q “ן”„y·±,ˆÅ’·õç?‘²}ùT{·BV°£3ëÉZmmsÇBkÙ-’Ãøá+@™d׾€ËM¥Üšô³lŒ~‹ûÛ«/xôñTpïÅM~âÓ¶•˜IÓAéoc_3¥KNI/6Và&âûßÕ{´adÂ{Þ@:C&][°A=Ûe¾¶5YØøJ>ªí®(íPãHš(b"»,ŸÚšíÑ)„Ï\˺_ºw‘©¿cð>b»¨Oœ»ÛybôÃ$N`ðöL~kñ^óÛSïž]ÞÙXƒ‚AW°}´e•!]¨µØìà×fÏHÍ·Œš’ ƒGïa:Õsg«1ì8ñÍÑ –äiöÉñhCìò´g¯Ë8ßêô-Ì–~‘9V|T±&Nn·äML†‘§ÚDü”¹Ú>I^Ž”[û•ÞJ¶½ÕÉò<
ë•Zv·yÁ<ü0ˆ¤5ºŒ„hO!ƒÈ÷sÿððd‡åÁúÌ´Jb+"ä(2mfƒ77Ê¿”Í@5'çѾë%eˆýÕ0©ª¥îò{d„þº„”ÇÚtÁïå7M
…Ö¦ª´}s¢ÎŸGÏ’U¤fÉu'¼ˆ6íãÕ°³ôv‹Ø^,!2èöh§Ûo­£Þ`iÓpë1å·¼øê”ÁßÛÙVaðL?ñ5à²Q‹KÚÒ
+‡á{__bçâ.°ßþºæó}<¯½kb¶Þý9\¥™àpDË\TL[\a·¿«NüÆW¨œµ>¿¥t®tÉQÀRD‚!$Dr£G¢1¸AÌý¾¥Y í–.ç#_©ØÉ#¬w¥Å¹ò«|Sþ?Z:è:”—fÆ×’¸ʵhúÏÈ×XaÛfÚœ¯Ú3™B¶“—£Ìü¤‡uቇôä·ÏÔϾʉltãp)’&ÿT+p•°e –íZ­M31I¡ÒÏL«êÈcýªG’«ô"Hx¾çS•ö$Û_Œ*[£n~OYgÚC¢ã® ø
+LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷
<‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’	=Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯³¿0Š×·6î;>nE=m½aÔ\{\ÄcïQq”&T/bµ^þü‹}m“¹ò
A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a*¦Ûåõú/5
JÔ†½ó'lï	0Kf›/Ð^‰ˆÖ½žO¼¡M	[If§€ãC
`æÔbï1}ÚU*÷ig#™HÓÄ+¸"î2X|F#êLq¶ÀØÙªþr#g
+<¤þdÑ
_IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›ìÐv_wóý}¾éH`…Ñ'>Êß4¬>äŽT‹¬ÌÛúGäµGÔà…$Í	ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW5?|¸':U—.ûrJoÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ ûj&Q ¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F	Š– ÉXrÙ/&Šjz©¨rAÁM°re.2Òe%ÉÍ£™6"5[¹(H4:\mdb“™[i:ýP½2“¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±Qó_»Ã7;mþã«÷Aú^ÁÐ;Óèvñ¡Õñ¥ã«*’Hóß¹,QëtT½}…ÁbWý€g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞÔ¡Æ°~.
°öâ%ÅÅ4O”˜»ª¡Þ»Bï­\ÿÆÈæ 
+†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.ïdîžk0œPañœ„5ðYÓëF–?ªU'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å[|)h$úØûeGUeŸ?õ¾†Ó<åízznKB†Éd–¬ö…Àÿò!øÿÿOXÁ¡`$aFÚüV1)éendstream
 endobj
 1103 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 2266 0 R
-/BaseFont /JHLVOW+NimbusSanL-Bold
+/Widths 2272 0 R
+/BaseFont /VHGUCP+NimbusSanL-Bold
 /FontDescriptor 1101 0 R
 >> endobj
 1101 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /JHLVOW+NimbusSanL-Bold
+/FontName /VHGUCP+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
@@ -10543,7 +10573,7 @@ endobj
 /CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
 /FontFile 1102 0 R
 >> endobj
-2266 0 obj
+2272 0 obj
 [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
 endobj
 1099 0 obj <<
@@ -10554,61 +10584,60 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚízUX\[ÖmàÜ¡pww—à.…+ pªp‚— Á58„àN°àîî—‚ËåœþO÷íÓ}ŸîÛýîÞ{­1æsαæþê¥h)ÕµX%-ÌArNŽ®¬œlBU°ƒ¹TËÌQ™UdíxyÍPhiµÁ®ö ÿ _iÈÌìä(cæúÂkÛ¸TÌ .'‡‡€/çËšƒû¯@'ˆ@vpò¨ƒ\A{°ã%ãdáærtÕrsv¶ƒ,5AP'7ˆ*°z©ì?³¤œ½ `kWƒŽ¦#33Ë¿NAAA€¹×_@[;è^î {'ç?2½HȃA—¢-ÿˆU·2“µ»þÑ.€ÁÆÕÕYˆÝÙÊô‚±A­ØA®ìŒ/…Ê:ZJ;9ü!EùÃ30dñÒ”ûß}³stòpôùØ
-ìhùgK–nÎì:Ž`7Ð[™ÿ	~Pþ…Yƒ\¼\‚\äiaÃþGJm/gП$ç°™£¥¯³“3ÀÊÌ
-ò[^(>P3wÀâòõù߉ß¡pr,Á®sõË1üKýYýc¯bæ
-{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@v-}U})æ¿÷þÏ())§IVN~+—ïˤ¼(
-òrÿ]ñŸ^üåߨºøêäø—ä[G+'€à?Úyññ¯–ÜAèËlþcFÀ¿ë«:¹‚-@†Ž/ÇËÔ¼<8ÿëHýÿ_ëï9äÜìíÿt…áv^ü€”8boùp3°½×yáïz LÿÿAç­«™=ØBÒÑÚþŸ6¡r`O¥:ØÕÂæãò—Ë–~‡ u'(ø/ÀÊÉËù7NÛlaç‚B_ÎâO
-ähù·”²ŽN–`Gk€–ëËTšA,ÿ	üA[¸A /öüy@/ïþµ·¿y‚,Pçœ,„ƒmk‚[oª$I(™eÔ]Gþm!2¢ë!D
-[D«	“-Á'u™¯nòŽ<'Xð"Yeð&­øc‘#Ñô,åKXÈm®_l™Y¢o׃GÐoR:©‡;Ѧ¯êJ³Š÷ѧ‰mŠoâºë•Bå‚n‚‘7Cj¹sD¼˜<îcØGÌàwÛlÞ—q+Z/½²Í"^Ø|$Go-ÅlêØTåPÛû2oT cÚÝŠùýüÌ
yÚô~8!4}"–öj6ääkÝ8x>9"¡EVj›Y
-˜ñ)l¾ÍkU¾q¥DÚÌå¼S2³òOyÍR¥vHDShÛ!¤ÍÙaæÙþá¿U
¿ë-¿ku§zIúèçÝ‰ŒPËi‹.7
-‹\÷+í°Zû²Æß5eEmüØyò£
¿×Sewœ•õ‹k†­bטUÊA-”Šß
»,ÎCz7†–#œ$%Ïɶ$¢Å*:ú8¬û¼!Ì·ì«%×ç[âÁÄeÂ[³6æÂîŠî×ÙšÀ³õðù‹Åôm›Ÿi8e>Hg33nlGº®3có€_ê0µihù¡gÊÀäxFnPê¤ëηk,4K§ͯ_MKíkû ß 6ÚÀx.a¾+íÌå”o·gKR™¥
Œ’H!ÚèE=é_–9ºã4?
kûŒê‰Z*¬ wøŸOV#•3Ul# 2µÕ¾Aé£ßÚ¿d›K€–¤–g§$ýæªâ'ÚG÷nAüùuÊnûF¼‚›*ñƒ5_ /NŒšrþj{|í
lÎC¤rè·Ív¢âr‡"¡þßù¦…µš6#qØFn²‹³9ôgåÉŠEg€+Á öÊL–¡ÀN,@‹%8]è:ÔÊñ»¤>$5o5Ò"“a£ø0ªÃ4v~Ý«¿~õðõ@÷܃3/qviùk'´-âzÞ<öë#n×wÍîü‘m•Gï%Εxó¿{àzKÜ(ý„÷’¡¦7IâA³ÑÁ8&ÕÑ¿u<é‘Ø”¹oe²ænrÎA4ZÞ¶OÑ©Q?Ÿ&ºõJ=ÞÃ^…j´\!ÃûÖ—ÝpÁ±äÞ:ê íg|ˆ»}¾‹œœ
-yíó»Ñ€:+ÅIÄA=ÁÅqÇR&…{ÅšýÈÉô\‘Ñ›ll„%Ós@÷j¢¥”¾ì{P¡-ùq¹§~AioMu“Yuæ4m¿ø.ãг޸ùûlÌÞÖ5ŽI£ÅÏ+Üïzê#–jˆÛÞ)2PÛµZü"{7&Iò‹fÉìY§qxø6·-!{.t>ò1Êœ<›ËÅ‘w°ÿ;)¥ÕHfßO-`ÌÛžÅ"}Š¯ò¸t¨T1úä8
-“þ¡•Æí‰÷@@P‡‘»‹©ÝeÓ¸­
-ÜÜŒ”9rƒéÔ˜OÓ[¬™ï!)-oB€û³}‡rñ.ïÞ%¸ÂÙõ@
-º" "†9ûˆÄ«@ŽŠê&z
-§/ÔÂŒV‚¦¢PŠ\Ký`a0Œ¸É0òç?æˆn8Ô&Òm†_Ž'{•ƒ
-ÈxìúYxU‚Äb/Ö[áNŒe­pŠÞŽéPS{Dí÷æØ*÷¤ë½þ[@ìŠô`ŒJ´ÝŒ	I¢ömu:¶>ÿC˹@â!±S „Á‚Å5ä!4ˆ	•ï¯ÞÄü65ûö£¢M#·Dž^ëgœÒ–óÖp|Ø.õw®òž‚ö§E¨=z¥åÆU²ƒ¬]!áß9Ø)'ª’,4в¨XûrYuPÖJÙ35S1CKX{ûºE†å™ªwïÃ(aÁÛè|êÍ tþ MLªe±礨]´ClözÉÞÀÏ·?©ª_±ð3~‡³?®Üv-‰›qT·‘?Exqj›2± Ž	%ÊŽ3m‘Ád™°IÍ»O‘ý—Ž›§Í)?ÉeGJ¨£w¿ýág§“fϯˆÀös¤È»I–û5-<‹o.S#Wb$Ø#ÝÊâ¿gt{öª«$~]šõñM˜Ò~=©ëÄÄ|_ÕLÈSE×»=¶\z°‚éÍÿªpe‡#˸æ•(‹êþ¤I>X,>¹k–!tvÏõŒˆ0€jƒu¼T†ŸbœºüíWfB¦ËÎNXB0êTª3½#“Ò²í¼%ÿÒY]¸r;%lÂóùéÆ^rÝ‚:LɆ¸×„ùõÁô”H4ª©vÆ“»ÍwÅà›MFog雲ã ZÏ„	1˜ù (“­¶2}!¹ëïòúq56sžd
-ÕS”Åzo¢É-Ê–¯‘®xg`ùÕ56b]¿¶Ù0-÷9§ä:Э4•/ú*å^X2Ô`”.ªHa|œ¸BgH,h/¾“û®RÍ<ß81ðf¤ØþkÁ{ŸËÛÞÍȧËÙ/[`¼† bYõ^]²­Ù§,€ŒÝ?]ñ[úûªˆ_Ë2´nnB6+æ`±•L ZA1ùçàÈO–-–r³m)ìxŽ#ª3ã1Na5yK`k1Šoí_¶aÞi­$j(#ªD	Œ~%²m©+3!Äû×:š4¡#÷+.Ň·uíèúš'7þ­ÑL2tlª>­ö?ÓÈepžî¸w¬)ÂëÅrï])RÄ9òDXø¿3)>?éSEÛ™§)»œ_l×wfˆá!MµçIZ§¿#áMݾh‰¯Ù[m2Š…¶Í_EŠÏùøy:ÃÐî+“E±MªhF‘¨Pж\6([‹™Ò«úÓHJº#}M”•è˜ôNÄjø‰®Hæ…	ˆîÄ­™%°`WjÏsäìË…ýÜܱb-Ö9¨\t¨$ر&<Ç‘‡†gXp>Ûe5È7îç€WPèn÷ÑTÞ<Õt,Å.ã@©£ :ýDªÓŒ²™[9%þÁJî}<	:¶¸O`ö$)ÿF9ØR'm=4Ú¸†ÃkÆ…¦3•”âYD
—(C}whø{kx„¤G‹Ú<Ì|r‡Oõ3ÏbAl‚ý«R1¢ ”òz…õS¸ïªüõÏÓžŒûn8™Ãq4 á0
Ÿ¨Q¡°ñÁ­¾»âçxÊGú÷kÍd”™¯ˆ±0X–z#) A
ÂÝ·¢°a+Y::8ÂBõïe©Ž+Ë~‰‘ß\u„è‚M—®Ujèç>'¸…Yaïu:©Ô‡„ô
-‹ÔÈN¨ÆÈ›ÚM„XÉåxÔʈ•xšê®c€‘˜ç$KÁT@üäÛk?ÎT˜þ‹[ìöÀØ”†©´ý²Û7Ç´c¿ÆäâÛê̈GŒŠÈ9ob»ÊŒ¡˜‚üDò÷à-:=N&”b¬Ö,áämŠJ-)¸‡0&Ù{Þ‹zîoHª¿^ûûqN:zá¹HÏâxFbq‡Ô›–wˆ­)ÔµîNØUOíãõ¿ÊwáõAKŒðÉõñL
-ˆ°S‘bð(b¬Ùj›_äá~5BWg<÷7©TÑ_á-75ÓúX{´cE=Gc)|
Y­¤h°—ÇùÐVüå‰g¡õaûÇÐvèiUX…DÿM¡m`Ižl½”›oaü %t§ò@Ìšÿ›3„O¦kų™4-šzIÏÀ·‚~½Ç›™'·&>86Ób)&	›xý\góŠN¶Ï“rˆ¸öñ}ö—›OƒÍ±Êaoï<±Gº¨6DIjܹêDwtO)[\cpöI±v
—Öž‹¿å÷w‘PæT'yñæyÑy[€©ŠÑ·UíDb2{x³eNb$ú'Â+X"„–1Ÿú{ˆ=…¢ó×·ž¦Å?Ç€VÝʶ°OºÁ
QT«•ëòÞ¾_ÍÃG[tc—Ûzú	¯pÜw+vx´c-²
&ôæXØ^os>–%ê~þ:O¹<0P¼¤'‘ù&Zèç–
§/ Ü/_;Ä샎 +{è„Å~~ò`1ïQ¢´¤6¡ç@$&ZÉçÓI›¹*zTHf–§Ì²Êcçvr~Åm}wdË77¸V×ÌÇQêúj›NB íË0É»£NZÎ÷îç+Œö
-ú¡ÖMz*xù³Ù™Mœ%˃­ÚUºîCkÐQLn™“:OÆcüTº8з/²)¡>(÷ÀÍön÷©sz'­`04I¯ÁDWKÜNèOâý†÷tY$áÀÌ)Ø*L§‰ç};Jo[ÞEˆëä
Ng²Ž8¸ll¿zd¶Üì˹¸DÍjÝsP´Ðæt¤c~þEûj$fã‡óOùS&ìóÌÇIÖÖÙ}ÉâÙ´î(a_Ñi'QÒS¼w°º”=_”‡´dMÐZÅ£ˆÔ|+£ÞÆ´ÅTÊ29¨ÅœÙ®"ø·¤#.bíâvÙ†ÆVõ/‘ƒIŸáqÍ>#œ÷j¥ûÛJ¼¨p©†ã¢*¾éN#ža"›ËŠ›½Þ ÕC|§‚¥X´#`²|£^Zë Å•›4E2öE‡u-ý§æÄ*{`€õNÖ”xœ	Ÿ
-!›Ý RŽ_hJK`*twé½Âð!……܇î[ ‹–4
 ÚohëðåŽF(]F<
Æ©—G©_
-Äê~¢)cGB‹/U¸sP8®mØÇúÒ¢¶`¶Tø`M»"²€œéê¿ó(uÚ·´s´1~µc9&$†÷œzC×·yá8õkm
-ó6-UNy"Œ‹4°™L;ù4±IKpVƒœÀÞ¤ºT	±ØâigÆ%^gÞg¢¹ÃXGÌs§v
-å-òý0òe	[¿½UeyZ
ŠÜƒ‚¢½šý~Îƹ©Íëw·ï‡rø;)¶loXë[–ˆ;<ªœ‰¦u†¸,‹#ˆ¯±Ê4#Æ–LkžE{èä" Þ{WMÅoão~ªJ(â¼þíÈ?ÙíÛqLºdØmM¢1ö?kæQáo•d‰eùbÓ
-mUm‡·Ã—ó»@}[ñ½óþw8u"n‰m´ýºß­>?¦ƒé\Wm ázCFàS©þ|í™1ú¦	eFµÉ£®ùÀ’ö±’©û$-dà¬þÍ}Óì‚'©xY¨ùE¿gâ´¸ÊtÁy®y^8'À³ë²O¡¥=ÁŒlèAJ1ês|ügäÊi”KÀƒÇ§%RzP_BÏ„%Švà}ÌÎì'Qö!‹ÛÈδb¦/"ÜLê°Fn6V¦âØœ9ëp”7ù>ëvâïÚ¯‘Ûºa)ÉÐB¸"ŒÚE-D¯„Nêl£/0´é6ÈG™)¶e½'‡[KzÐ0àGX'õÅ0ÎYàƒmÕÜïƒ1±q÷#Ü`ËEoT©Ç"Dí,4Ë_
™Pã]‚‡vDL¬)7¯H£·>ÔZ»ÆJÌGåO&Z•¿VôžÞ“,žS½·tFŸ¹ùeúäºÊ9s>?{TÜXgÓ´
öv¦ÜóîHôñÖÀU·¢ÇŒŠcB¥z©a´vNÒØW:Žx^…Hãh³ìUQG³)½`‘wúðê•R¦Õ窅!…z=ùø¼HvQæüE.é	º‡Äcè³Îí_{t<¹ga›ÜKº­òãwe ÊÔEÊQU‰ð4Aj¾Œ¡‚Ú—á(yeÁæøD{Á*淋ŠVè>´§=ÂÏËòQº™mcW™³}±ù/Š‚U2­8`öÆ ¦RCrÙ:-XEª¤ö÷.çë%eë1‚&5 ÛáÏÕG¦â¬ÂoªÙŽbª9©MåÕaKl2È°}þˆ‰výhÙCjÄ熰lÖ¼Þ¾B¥)ìW²+¿`,.}‚;§7ð&´y‹‡‘¬›”ËŽÆ•¥õ
§IÓ'ËpCy¦¸ûÉúœzä_i½¯—V
àøPŒR”ünòöµIâ
-(ÿC–MsÕXAr^Ó17êLÙÌžlõ­$/xš®X;õi¢¥=bøŸ1_mb|L½dò¦Üw'>z²ò‹O¼#Ìÿ(€5¸ÒC¬Tpy½’kô:Fd‚yÛ¶±Þ4ÙÏi#¦ôâ^ÑpdѵˆÂú#¬áæË”CbëÁÃ%1“}`5^'\[v¬j ‰vý¿ÆÒ›Û'5\ë±IN"(Û
D\ã4˜Øa.O/;ç÷g™¥XêÄêÜŠ¡šWOWÈVå黤{ýg›ß¢‘ÕR÷w¶¦ô$Ÿ2Így0iƒCif0kgÓm0qÎS.Gp·Â‹'è§ûŒ”nÔ,=&‚,bœ”ËUƒ­üøèpß.Z®¨ÈÀ¼®¢O6àøŠÏtó¾I›¿Å˜ÑdGŒW	;VÞ`š#L†ÑšøòtÄ’Ö‰àŹ|Ì’ûÎëžµ¾H°gˆGEŒ²/l“9—w^e ™A]9|LÕX/öU)­;tT#é³/‹ñ«¨ƒ0\Í!ñO¼É|®Îiæ*¿ªV#”±Þ.g)óøá¬]Ú­Å„‹©(üŠý8zËÞ³e”R|6T…HP£l_›UÔbyv˜{²M6öJxEuÕ5½µlŸ!rl‘ĬïD+«<]á¶Z†«×ÇåmT
'j½‘3~jÇxݸç'3Úµ&ÒE…ˆ.š§.ÿ÷| Êu´Jë*‹Ä6·W,
-mCC$³%ɺ¿¾rš³övž]%ØZ™r˜äkЄäªUºN%U+þ÷Š¶[÷þå°GgÍýÉçà¸çaÿ¬Q9®èB€¨¢â&vÚSóK‘\K™ p\n¶	;÷#cÌ›š¨¡5÷5m"5ƒ[7Û¹æ©ùšHŒ’ýàh®-5‘T²V³d¸8âs³Ìµt~GEìõaD-‘Äë	³:EìÍ/-‹Æ§Œ‚Mˆ{ CaŠnÀîä‘þ‰ýs¾E]íw>³˜&Fn_™g­	ÎÇX¨
-­s3uÇ…u’Õõ	®]Ãý=rY˜NÊåGÔdÞi<Ô+ßoÆ‚’ôó"hßÇàÀ¿sUòrE©
Ñ{zØÞkpO‰(b„ær>_e”iqÎÑipemë…¦Ôobæa-Ƹ±.Õ=ò’ó”èÐÅã?0Ábxºœ{ö¥]æÁèo‘êËä¯dŸtPÖ¢]ÞÂ
-½Ä»¹MmÎG“¯ä7ñ“Z4š-W!ׂçØù{Öe–”7ÁRš5\ÀÜQ^jRòR©éLYÐ9)˜ÀUnoꃶ:6Јàn!_¾]‹¨'­B xÒƒÅv{FWÚ„3¡jì¨cn$“@¼y\D,B@nš¬ôÇÈpiÍèïï°FÙ|w‡4D<=Ãa§w&ª½GNsàã%¿nR>7=–¼J¿ï·>?OúØVÓf
-,;.Q39œŸ£K÷Uʃ™/!Œ^¦n›˜x§]Sd¾2LÀŹœêxÊVLÒ
•žÅöÍL² M‚ÌÇõ}õY‡Á¨ù
¦{×Ôÿ„mÆâ	Ul!Q‡"ߺÖÉê‡2ß\™ör­h”ôúÚ>™¯­ZŸÁ†åfÊ}Ôæh¾ú A‹¸"UÂã@‹µÒ ^øZe5O§”=Ž+&qÁÜ—^B—ló¦Cµ%üð`M=0ÜMàvnßI}V×âGèZ2w²}ïïÌs§ð2Š(³Ƹ¿Ñúªv¢R
-j6ïàѲËY[M'㣩ëÓ3ëK)ÎdâˆE~=‰ÓÐâZ1ŠY±SÍçw¿
-à¿(žÃÙÁY>Pºjo¬ÎWï`wÇmDZ%/#KÇXš$8ˆJ¢¹–'R‹5ât~šë–¼oI’öz•Yz b©MªaÜíÒøÊ•Fp‹„÷‡.Ø—îÆ/,|•ÞH7ëäH;O¦Ž9¦üpÜ°Çâ®0äã-ÔtñÓ²6_G®¦'B®§¿×_YÍ*Ëû
±Ü„?Æ€îdãí;ù¬ã¸Ý´&‹"ñB~<I#¡„‹6ØHxÂv›Üd-3&ƒÑÕx0rpëÓ»—Corý~éYš–Å]bæ¬Ù«Þîs‘Ú‘ŠfÈ)1‘j¾Ú‹8Í4ˆgùÙúµÇw9”BžëÕ%+š'4TU“¦ËÎøDµ°G¤çˆR°ßqsD±
uµîçpék3(F•i%	¶lOà¨Ù˜zp~Öu­3|#OO˜gàIÙ:t™V&Ñ‚Õ6àﲺKk΂Âø’P’’¤¡ˆèYƒ¾Výì{-s4]¤5Wghú
c!
-Ã{Q”(õ¦ú`í|ª[]˜’·.YMðÉÆ–™“ƒ]ZÜ•[NgN»Ã‹¨×ê-Tt×n9ÑB{^Ù¤â¡?Á’#]ü–KÝcôƒvÖoÚS)ãPß7cï·Ž
-_™v5Ìh­a6ÃŒmäs\mµ1;×Û,¤æ‚pVƒ?Qñ:7i‚ð,yK%Ô‰‚/²Þ4?à'…ÒpV¥ú®”ÊYøÖåw»:/û0JpaäÒ´øm'v¼ÝŽ[#}é<‚ú$OY°ÒÃ^;W ‹ƒô	<
-3M©VÞM`	€o³z˜™Z`¦›E?É÷c¤«?\ejÆö>îÆø°Ü·M• BöºI@;xl¨Sã0¨
ûŸFTWIƒìg#YNßÙð~+\@O,¨­¦ñåiA7Th¡†QüÅö«a¿8ý ¥Ù¨ó³8Œ±g±ÂC…ì/¿õNìññáß$d×.†”Ó‘µ¡DÅ$!Œ˜%eÜ''¶¢
-ïË»6ä½ã¬#Q2Ï EèÈMmaYEÞêÆ´¼F_wKßûLãqq‡ÿeO-âùgk=þIh®.íéÖ9ûr‹ÕÑÅ)­µ–aJ_Ü’ÁæG&Sb÷~ã‡gŽÝoûé	·ÃAAWQLÆ|C¦Ä,hèÓ×Ê›'jý1ÃʱåwôF5ÿ낡ѼfbhœÕ¨V¤eÒoŸZoxLÓô$eàÿD ‡™3]@IâNHËæô-y©‹ñôÈ="²üL^ïçj‚»j:&ŠèenY?º9«ÿ—ÊÿøBÀÂdqur0ƒØ¡ø@@PW'ÈÿOCù_ÎŒÎ~endstream
+xÚízUX\[ÖmàÜ¡pwwww($X…S…$¸
®Á!w‚ww'Á!@€àr9§ÿÓ}ûtߧûv¿»÷Ã^kŒ¹Çœs¬¹¿z)ZJ
mVI+gœ³“+'‡@
ìháÕ6wRaÕÙ¸^@^sZZ°›è?èB2w;;ɘ»½ð:¶îUs€‹ÀÉ!Ä! ÄËù²æàþ+Ð"Ѐ€} 7ÄìôBÉ8[º;‚œÜ´Ý]\À +-ÔÙb	‚
+¬_*ûϬigoØÆÖ
À «¥ÏÈÌÌò/„SPP`áýAÁ6Nº—…ÈÁÙåL/ò 'ä¥h«?b5¬Íe­Àn´`°ussbgw±6½`lPk6';ãK¡²NVÒÎŽ@QþðLY¾4åÍþwßìœ=|ÿ¶;YýÙ’•»»®ØÕ¤(ó?Á/Ê¿0€—ƒ‹Cƒr€¼,mÙÿH©ãíú“äü6w²òóuqvX›;@A~`kÐËÅjî¸AÜA~¾ÿ;ñï;NN€ØÒ
`²y9†©¿À ëìUÍÝ `/€'€ãûŸ+“—µrvrðþW¸š¹#À®a ¥¤«Èü÷Þÿ%%åü"ÉÊÉÏ`åà}™”EA^î¿+þÓ‹¿|øÕ0ÿOÿ’Tt²vþ£ÿjɾÌ&€áÏ1fü»¾š³Ø`ø×èsðr¼LÍ˃ó¿ŽÔ¿ñÿu°þžCÎÝÁáOWþaàÅ(@ð‡#æÿ7w;xÿ—þ¨úÇôÿtÝÌÀ–’N6ÿ´	•{¬4Àn–¶ÿ—¿\¶úó;i8CÁ|ÉVN^οq:¶`K{'úrR '«¿¥”u²t¶;Ù´Ý^¦ÒbõOàÚÒy±çÏzy÷¯½5ø¥@Èd‰²4ïl)bWÒvS-Iâɺ3ÎÝç{õìNÁƒãóƒ
¶[оŒ„'ï·@r¶ŒÆˆ­X¥œ*LX<‰l¿§½ T;"6N(6¬B$ñ1[ˆšÚÃä/Žâ„„©¹ÒÞý
+§”åW†´bÒcØÚaÎxd7À½}Wuòò‚
+dõýyFAü» uM!„Ù¡» ðTT¥ÎÆ©[z% jãñ5NE;¶ÙÜ|¯:oÀl˜<Š[홉a¿PÇX'×íç¯ÖwÕC.¼JÜ&.+,}€èÆÛ½†KmÌöþXûJclQ!ñ+ØD)?š+E¨q!7‹ý¨’ºZ.˜gÛ*Túõ6ssWä=J¸Ü7ëTu»¢­êcßRL9á·Øhoéð4]붟ëK&üèYÕŠ7´ú­´‹xyÝ+ö4°ò»ÎØõ÷‹¹¦èßÏtƒê(„/p5´ä<䫶¢³=Ä+·[!#Yº¶'F:Ý^¿~ŒÊ[ðì‹ÍpËÒEï°#s6Äq°-£ëkòÄúúkÏF°7~”nÿ¼ï¯pµ Y<¦øòµ„Ì2æ¡+¯X„Œèv‘ÂÑnÆdKôMÛ`æë…›º#Ï
¼HQºÉ@+~BäH2;KýÞŽrŸ[a–èÂÛõäôŸ’NîåNò…鯾Ҫæ}ômf›æ›¼î~¥Pµ(¤—hìÃVoáR/‘ &û	ö3üÝ>—ÿyšƒÖ[¿|«˜¶‰Ä‰ÃG[)‡:.ÍQ%Ìî¾Ü•è”þEo•ba¿ «WSž6cNÍ€ˆ¥”½†
ùùZ/žOŽHh‰•ÚöBÖ“fb›¯UëZoB9‰6k%ÿ”̼âc~‹TY¤=Ñ4šá¶D(iKNä`øƒÅcN@Äo5£oú‹ÄoÛ\Ài€>’~úw#"cÔŠ Úâ‹ÃÍ¢b·ý*{¬¶þ쉷ÍÙÑ›ßwžüi#nÅ
ÄÔØædýã[`«Ù5ç”sQ‹¤vÃ/Kò‘†ßŽ£å
+'KÉs²-‹h³ŠŽ=Žè=o
+ó­øédKÁõû•z2±C™ðÖmL¸°»ctLâÙyúþÆÅbúºÍÏ4’º¬€³Š?¾#]ß•¹uÀ/u˜Ö<<ŠüÐ;mhz<+7$uR‹uç׆5–­Û‰æßÿÙÍ¿¶’¥n”µcˆoHíûfP—0ß•NÖJê×Û³e©¬²AËFFI¤PôâÞŒÏ+=ñšCGt|ÇôE­V‘;ΧjÊ™*·Ð	™ÚëÞ ôÓïï_²ÆϧÂÆHR˳S’Æ}uSõí§û	·¨éÞú2m¿}#^ɉM•ôÞ†/È'V]¥ÿ=µ¾Î&6çaRôëVQI…c±ÐæÀï³"á:-ÛÑxlcwÙ¥¹\Mú³Š¥bÇ3À•`0{UËpP Õ
+œ‚Æ‹.tfíôMÒ‹š¿e™Å°YrÝi·°á=аvøz°gþÁ…À8§¬âµ3ÚâÞ|öë#n·@­ž‚ÑmÕGo¥.UxA¿{áúÊ
+Ý)ý…÷R f7Éšâ™Ás1!8…¦51¿’t=éšØT¸oerçorÏA4Ú>vO1…iÑ?Ÿ&{ôË<ß–À^…i¶\!Ãû5”ßpÁ±äÝ:é"Ãmd¾¿}¾‹šš}íû»Éº+ÅIÄA=É	ÅñÀR!…{ÅšóÈÉô\™Ù—b˜bŒ%3ps@÷j²µŒ¾ü[p‘-ù÷	¹§OAi-
ÓFY
ætÿ„n“°³¾ø…ûÍͬо¶uŽ)ã¥O«Üo{"Wk‰Ûß*2PÛ·Yþ"{;.Iö
+aÉê]Ÿ q|ø:¿-!{.t>ú!Ú‚<‡ËÕ‘whà)¥õhVÿOm`¬â ÏR±¯*Åy\:T*‚XòJ…©Ç€°*“Ž¤{  ¸ÓØÃÕÌþ²šiÜ^
niAʽÁtn* é+Ñ*ð””–7%ÀýÙ±¿C¹t—ïRéâ‚z ]ÃK€}Ä?âU GEu=…ÓO	neF«AÓOQ(E®¥¾³0EJÜdðsÆ4êéµÀ¯$½ÊEd>vÿ,º*Eb1IaËkÀð ƲQ8Å?ïÀt¬­;¢öslwÒýÎ@·*=«c?kJ’¤s[SŽŽmÀ?ÌÐz.tˆGìa°äGs
{
+ÍaBåj…·0¿NÏ)~P²mâ–È×oû„SÖzÞÛ­ñÖMÞKÐá´µ7S¿¬Â¤Z6sˆµ²;4â[;ådu²¥&Z6«S«.Êz{–VfX)k_Ȉ«Pé „M|>?ÝÜK©FЀ)Ý÷ž´¸>˜™‰AõG ÕÅμbò°ý¦r³Åèã"=h[~\‡ç­ÁÿKþK>
˜üF^Tw8ë§~¥RÊýóáiÝñn™ß/äòXzE¶Ÿ™4Òý*ϘSœöí–‹á´Â-ß'©ãÝ¥fä½m9"ÄÁS¿±gkkøŠ<7±1Y
+¯ŠOoDM…ϳ GBæ¾(JÇdkmLŸIîúº‡½¿G^Ïž'›Aõ•dq£ßYƒh
+@KE2Â&EëG¤«>™XþõM„MXD!¯m7Í*|Ï)¹ôªÌäF~ÊyVµeKªR&¯Ð’
+;Jî侩Ö0/4M|)¶¿ÅYòÞçñvô0òéqˆÁ6 ˜¬#¨ZU¿Óloñ-$cÈPzëΖñî€*ò×âŠ­»»íªXl5¨^XBþ)$ê£U«•Ü\{*;žÓ¨ZÐìD¬sxmþòØFŒâkÇçm˜·Úk†Iš*ˆª1!Åc_@Il?4T˜ˆêœL›Ñ‘¤?eìj¡3J¢‚ðç{øœâÉÄ·UØV»Z²¿ö(0î¯mÑŒo‡×åŒgrà¦%
|q÷6*³ì”ä±n	$=çC¤Ø”W3°Žú5x ŒÁüeÞ¨¿—â½b}ºÖÉM€c[“›šo›ÃÏtrDœ§;î`ªðF‰Ü;WFŠTqŽ|ÖFþoŒÆJÏOT1öé*®çÛ
%ß\byHÓx2€6oIxÓ¶/šFã„&*A6D[ŒbaíWQâó¾þ^.0´û*ÅçdÑlSê†ZÑ$ª´­—*6¢Åfôj4’’H_’då;§|’°¢+‘ycbºpk§D	,Ù•;ò8ûó`?5Áw¬YGtª–«vlH ÏÇñäa™–œÏ¶@Y'MòÍûyàºÛs4¿@5G±Ë8XæÍ(H…N?ˆêKúoHj’¾\øsN9yã¹JÏáxEaq‡6˜UtŠ­+Ô·íNÚ×Lïã
¼*påõEKŠðÉõóL	ˆ°S‘bð(a¬ÛéX\äã~1FWg<0­:Z?‹uavìvFÙW×ÏèMj¼)û>¿—,^…ü“ª^D «8÷i¦NœVïù'±ö³æ´Å„Ï–©'0‰1æµÛ/™[&O³”Xë;<ÍüÑìFÚMÛa œýd2{›jàÞv¾G ü…–wHBa>¯ju»ñò“'³4ýp¿êwï§ôï+×0{ó1Ý-Œî|Š(ÊúõNò5ŽÃÞ§|ö.´îZ®a®>8,[3épÇZ9¡ˆTÕ¯ï\wkˆá§Ë¼	yªÈè¶Ü+ò©<¤{Uº,™ãá2·¥Z¾(J†MY`8Lvø?'BLZ·µ8¾;ú`IÄ›ZÚOÜüFe	îrÖ#˜ŠŒŒgy¬GŽ–
+µh¡¢å#OþbPJº”GüÄŠÔøž^å,ç=‚Á$ö®”ªñ…AüðÖ@+Fžƒ*—ñC¥…'‡#›üþH!n­Ãïp\6•x³µ‡¶cB}µzì¤H»N	uy9št¹÷ÕôÅx+Í-´‡¾6žXÑÏ1X
+_"‚Fת(äqÞw¸ ª—|~âYl{Øþ>¼vÄGl^)1pSHhX–'Û(ããæ[œ8H
Û©:óƒüæ哆é^õjA&M¡^Ö7ô«¤_CïµÃfæÉ«M‰Ë²\Ž-XÆ&Þ8×ݺ¢“í÷¢æ®A|—ó9ôæãPKœJ¸âöhÏÕ¦(I­W½èÞ)e«[,Î>)Ö®ÑòúsÉׂnÊÜšdoÞ|o:K0U	úö’šý HlV/oŽÌI¬ÄÀãdD%ËA¤Ð²à1æÓ@/±—PLÁÆçƒñDZ 5÷òØ'=àÆhªµª
y¿/c­zq+í½„‚W‹†8»•;<:qKC–Ž9†“úó,l¯ˆ·9Ë“ô>}Y \,YÖ—Èz#
+ôwÏ3	T¯föEGГ=tÆb??y°…÷,U^VŸÔw$­b÷í¢ÍZ=*"3ÏWaYã±w?9¿â6Š¹;²cŸZ¯oáã(s{5…M§!Ðñc˜âÝÑ ­à{ûóFG,…'ýpÛ=¼|¨ù÷œ¬fÎÒ¦•¡6j=až£
àgõ&ØoxYß9ê¹þÜôHEå
+ža‹î‘fh»+œŠÖ&CÜù¾»ùG‹ê̽d]­ïÉ­ãûQ¥î]0­v²|X¡Ðþx÷›Ef7Ðó’«÷ºÎ•±îª?ÌÂq•Ìv/ïà\M¦È6îÛ£°)â
+MNø€Qr²BBšØ…P…Ú_\üt\ºgÜDŠ¼©6!‰>wç»ÒÃMéZ?*ÇЉ±}
+-¿¹¨+kÚ‚÷‘qô~Šÿ$Ãs”b÷fûÝsËšçl¶žž>a­›k¦Eå6í_^§÷IÅîÀ(¥
+i„DìQ¤ÜJgß¡´”1¦Z®JüQ¥é§B»&M)ÁöMÙ>5ö´8_vh´ðgµü{³÷9Ÿ¥ÇXdyƒ‘Í
+
+ƒáu.猪9@VŒ¯ÌH™„ŸÙ]Yd’Ýsj@û¸
ÿ™î‘ŸzuµôsVâmŠâWêDYÅd±þ†{ªÚ݇¤”½±y£3•TÏ]ëNv«È%±l®OštSÛÁ¤.ÓE	?•/ÊƃmKBiÀA*£ps}Ûýœ>É«ÌÍÒë015·“Sø_¾â=]‹Aø1s%S‡Åó¿e´¯l†!ÄwñŽd0ÙD\6·_=2[ªž¶O,œ*<†Í`§EÉTäolœpƳ¢T¢*xœÀL÷½VÓk!ËTÕšojÍ5~PtnZ©j=_¯´$õMVñ»¢keü!š³@ÙŠ|)AúïËo «Ä÷üCÖÃ;¬±«+IôÜ¡ö=E+mngæ§_´¯Fc7¿»ü”_5cÂ=Ïzœbm›Û—,™Kï‰öq%=Å{©·IÙqôCyHOÑ­W^0ŠH-´1êoÎXžA¥Œ(S‚[-í+C~K:á"Ö-m—ojþ¨ù%#r0å;2¡ÕoŒóN½l[™w.ÍhBTÕ/Ãy´Ó+\ÄrkÅð@i«Ï¤vˆï\¸‡v¤L‘oÒOo²¼r—¦HÁ¾hå°©£ÿØ’TíÔ¤ÞÉÞ„O°3áS!ä°VÀñMkL‡íN!½S9¤P {ßsdÑ–¦DŒì?ßÑ(¥Ë‰gbÀ8
’€ãhË"8½4åìHh	eʃwŽ
+ÇuûXŸ[ÕÍ—‹lhWE6‘S†ëƒì”õ›\:¨D
+ÒYa#B£·ýgŠå*D?"öÀQêˆC”´ƒ8Ñ’? %ŠÝuÓ׫.ýÜCÛ‚E>TîÌøF‹YrÀŽZÖž#²V€døsÕGx)C‡°£V™à‡de°ªó‘ÎIMJ#šcêh<°»mP F¶}`¥_EmK–
+*xÀŽhÜd'¬ð¢1'§•ŽúdVQ\,ðz&,¢™ øÐ^ÖxŽøÐA¿ôTÒˆ3¶ÔÙŸ=k%£Ë•$q“ìÞ`¨K”»ËÈáx‚ÍÅâšË¹>Ãà+VÑ¥y|ç-R	±™g2a{
E}?|Ô¸µ‚`rÿ@³;àªÐܺBg%Ÿò
Ø}”:í_Þ9Úœ¸Ú€±—ÎÃ{N»¡ëߺpšþµ>y›ž&§2ÎEÔB¦“ršÔ¬€%8§ÉÆNNà`ZS¦ŒXbù´3ëš »àÿÎSÉÂq¼3ö¹K'…òù~ù²”­>@‚Þºª¢­Eî€AAÉAÝa?wóÜŸÔ™æõÛÛwEEùü]?ìnXZW‚¾‹;>ª]ˆft‡¹¬J¢‰¯‹°Ê´"Ç—MjŸE{éä"¡>{WÍ%Š	7?Õ$‚p^ÿvâŸêñ‚8%_2ì¶%Ó˜œµð¨ò·I²Ä±…~¶mƒ¶©uÀMØãËùß? *V~ëºÿA„[jã°áÏwkÀ?€Ðh6ß]D¸Ñ˜ôT¦¤?_fŒ¹)DAB™Emö¬o9°¢}¬bê9Ijí“töÕ.“Å#ž×@!ÒÚl5ÔÃQ£JoXä~¼åÔùaH‘~o>/’}´¦e±kF¢Þ!ñ8úœKÇ—^ÝE/î9Ø–¡@Òndë‚„ ¨
+u±J´@uÑ^ˆ*äÁi’5º¯&í)dðÓÊû”&B»¸Õ æ?l~—Kãb‚Õ,˜½)˜i°Ìˆ\¶^V‰*¹ã«ÄùFiùF¬ i-¨ÔnäSÍ‘™8«ð›¶c†‡ØNj3y
زï[2lŸ>`¢]?Zõ’ó¹#¬˜…·lt¬Ri	û—îÊ/šˆKŸàÎë¾	kùÁÃHV‹MJ‹eOž¨?Tmé}ëÆÒö†ÓÞ´ù£U„‘ŒÄ1dô®E§–œ
W#Ôª8ÔewÆ X]†æl“¿^U[sËh+ߧÆEˆ_"1ï?ÑήÈP¸­‘áêçõuUŒî§áDm0vÁO뜨ŸðúhN»ÞLº¤°ÑCóÒãÿVDY¤ŽQm[£c‘ØæöŽcB¡mlŒb¶"Ù0PIwÑÙη¯Û¨PŽ|	ž”\³ÎÐ¥¤jÃÿVùÝîÇ}@ìÑYË@Ê98þyÄ4 {LŽ+¦ ª¬¼É‡ñÒ:ÀR"×G&(š›kÆÎûÀØ
+óf‘&zxÝc]‡HÝð6ÀÝÑn¾ez¡6
+£t?8–gGM$•¢Ýb)‰<ÆÜ*w+[ØQ{}YB$ñþL¬AGwóKÛ²)ô)³pâÄP”ª¸;udpâð\`Y_÷Ï<¶™‘ÛOæY{ÒÒÖ—3Õ)NêˆBëÒBÝya3l}A}ÂÄkßx\®›zù5…wõÊïû›ñàdƒüHZE“Xø·nÊÞn(•a¡úOÛ{©‘ÅŒ0Â\î!çkŒ2­NÀyšacM®ìm½â°Ô†-Ì|¬¥xw#!Ö¥†g~J¾2ºØaÂ{&X/×s¯þôË|ƒ- R½R¹ü•ì’.ÊZ|¡Ç[T©Ÿt7¿¥Ãùhú…üÆ0a
+¢Y‡FóÃMĵè5~þŽu…%õMˆ”V-0oŒ—Ú–”¼Lj&KtN
+&ðG•Û†ú¢­Í„6!8FXÊWlÃ"êK«(ôÆbà_±ÝÇÑ•5ãLª9;éZË$o׋[†§ª02]Û2º':mP¶ÞÁÝ!
ÏÌrØ량êBï‘Óùxɯ›5€ÏÍ¥¯2îlÎÏ“?´×¶›ÁAKÇKÕMæé2”³ñ`J	#—iÛ¦¦>é×Y¯Œqq.§;Ÿr”’õ¤ç°ý²’-IÓƒ!	@?Ö0jA£ÙÞ5Ö†²Jê¤ÌyÃIS'!ËÇDÆñ4@ø.*³K¾ºÄ©¡®//ɪÝi—v²nÁgÀ×WÊúøĪ̡*ÒÕ=5OùfubgQ¡¨Æé;'j@¶ÜëÄšˆf8„똄-҆Ÿ°-X®UÍÒ>?"ÐG‹õ5›3Øð¼,¹:-Wï5iwA¤ÊxÜhI’Î`:Ô»ßSÛ³¼ö锲×ÉÑrÕ4>„ûÒ[è’mÁl¸®”¬¥†»éÜÎë?iÈî^ú]æ@æNqèûuîQNm>
+ßè?–I_ÝATKÊBAÍæ2V~b5g§ålÒh<}½³ó~fvc9Õ…L±øÑ¿7iZR'@1'vªõüV"èW!üg¥s8{8«§ãQ
+@qÝõùÚÝìîÄ¡­€H›äeTÙ8K³Qi×2âdZ‰f¼îO½Òw­ÉÒÞ¯#£³n@T,5cÉ5@"Œ»]Ú?¹²H®c‘ˆ°E‡²Ý„ÅÅ/#›æ]éç)ԱǴSï÷X<†}}„š/~ZÕèÊÕö¦BÈõ
öª Ùåùß ¡V[ð‡ÀXpál‚CŸM<×»öTq^è÷çai$”ÑF[	/ØÓ›ìÆ0º:F.n}RFÏJØMžÿ/}+³òøKÌÜuµÛ}.R{RÑL9e&RMÂ×B{‘§ ÙFñìb»"BÿŽ„n€rèsƒ†deˤ¦€šZòŒ`ù’¨ö¨ÔãÙÚ1ÓBbs±ËJ:±ò*è,hwxUãÛ|„Šï:¬3[éoÏ«z‚U=
&Yr¥K¹4<ÇÞëdÿ¦=•2	ó{9þîÇQÑ+³îÆYÍàuÌf˜ñ­ÂŽ«M²vf—ÛÅ´<ÎZÈG*^—f-žo™„QÈEcö[Ö{üä0Îê4¿Õ29+ßzünw×å@!F).Œ\º6¿Ý䮀{âa[”Ý¢gð@££ä)VF8Ák—J´q’gQ–ÕêÛI,ðmv/“€!"S+ÌL‹èGy“Œ‡«,­¸¾ÇݸB_ûöéRDÈ^	ho“
uzæµqÿã¨Úi°Ã\Ëé[[Þ¯QKáƒèI…uõ!4~<­èF
+­Ô0J¿X¿c5î—d´6 w}ç5Qæ,Qx¨”ýå?¨Ñ…ý!!!âëƒä÷œº¥Ð
+:²v”èØd„1CóäÌû”¤6T¡ó}y·Æü·œõ$Ê™´¨‘]¹éXÖQ·z±­¯Ñ7Ü3ö>Ñx^ÜáÞS|þÙÖ€–§G{úãœ}¥Åúèb””Ö×FÛ(5/î	Ép등ǀÉÃ3Çî×}Žô„Û Áà+‰h&¾aM3b4ô™k•­õØÁ•¸ŠÍ;úÀLãZ@ÀuáðX~14ÞzL+Ê*ù·o<¦YF²
+ð.`2ˆÃÜ….°´Pq'´ukæ–¼ÌÕdfôY~6¿ïÓuÁ]u]S%t„Çr÷ìï=€5ŽÿËåÿü?!`é2‡¸9;šCìQ|! ¨›3äÿ§¡ü/Îyendstream
 endobj
 1100 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2267 0 R
-/BaseFont /SXNXDB+NimbusSanL-Regu
+/Widths 2273 0 R
+/BaseFont /PXBJUI+NimbusSanL-Regu
 /FontDescriptor 1098 0 R
 >> endobj
 1098 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /SXNXDB+NimbusSanL-Regu
+/FontName /PXBJUI+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
@@ -10617,66 +10646,69 @@ endobj
 /CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/H/I/L/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
 /FontFile 1099 0 R
 >> endobj
-2267 0 obj
+2273 0 obj
 [500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 0 722 278 0 0 556 0 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
 endobj
 1069 0 obj <<
 /Length1 1624
 /Length2 9819
 /Length3 532
-/Length 10685     
+/Length 10683     
 /Filter /FlateDecode
 >>
 stream
-xÚíweP\í–.Ü-84îîNÐàîÚ@5Ò¸»
Ü]ƒ X‚»,A‚ûï»gÎÔ¹ókæüºu»jwíw=k=KßUµé¨ÔµØÞXA,@r'(;§0@ìháî¦qRf“‚8X©Y8€/*´+Cœd€P0@dY¸¹\BBB¨tiˆ³·+ØÆ
-`ÔÑÔcbaaý§ä
-ÀÂûÈ‹¥ØÆ	@ÿòâr€8;‚œ /ÿcC-µ¬Á €´šº‚ª<€Q^U r¹êî/©X”Á– '7Àâ
-pøû°„8Yÿ¤æÆþÂõÆ
¸9ƒ,Á/f /Kóˆàru»¹½¼ÀnW ô¥Pìdéànõ'€¹5䯀œ]!/Ž/Ø™:Ä
êfé
-v†^¼ªËÈý'ÔýãÛ
ü Ö/šVK÷?)ý…½Ð¼ P ØÉ
yAÿø²¬ÀnÎ@ïß/dήà¿Âpw;Ùü3V€+Èèjårs{¡yáþSæ	ø/Ù¼ÿ²†ü¥õŸ1€¡n kvT.Ðß6`'TŽ?âàd
pqþ-·rwþærý«@Œf†é% ÄÉÁ`²FåP…@_\ÿg]fÿ÷5ùßÐâKƒÿ-íýß5÷_{ô_.ñÿö>ÿ+µœ»ƒƒ*Ðñeþ^2€—-(þìÀŸEãâú¿l€Ž`ïÿÆê_õ@Gú‡ì_1(ð¥oœl^ZÂÆÅÍÎù·ì&öY©ƒ¡–¶k ÃKµþ’ë8Y\ÀN —®þUÐ#NÎÁ´mÁ–öNÊÏ÷7r²ú×Ø_õWäÚêjº,ÿÝnýKSýe ÚÞÎ Àÿq£§±úÏÃ))ˆÀ—ŸÀÆ- äå
-pùÿ7ÿ¢áúçYu{Œ8Ù99¹/ÿÿxþy2ùY'KˆÕŸ™Ñ‚¬^Æì?`KwW×—îþuó_’þÇù¯¼@–¨‹sK‘0»ŒìLh-á‡/c2F}=\ð_ÂK´?UCº3¢6„*ÌjÂÙ'„ŸÚ¼gw™w‡{^;0t§ŽÈüi˜zqVé;XvC8LK02ôâ|Of”×_òsêînŽihš? ’Otð¸"Ÿ\3ÑxáÓ^9cX¦×'tb7ÂàÖ~<<¢OÙ¿¾bú2Ø}†Ð»CÊ’—€B'âñ
-ƒ>6È%TÂP§Â7šV\vdÍ8åÍõ²/F@´‡,å2¯Fþ%Î÷2
-‡ê´¤˜
<$qlã¯jŒ]ÃoI/`h7°†A³~Ò‘QÓîGÀ§SIúÛ·²„’ñ±«
e'yLi`Sd&Þ΀™^ƒò
¹%Ç"¼‡ÛF
- K ½Ý4\}¿xª4	¿-ÖüÇLô‹Pì0‹íB
-Ê·ó¦<ŒÏIuáúÔ^Xµçlï¦Ißæž½ÍÕ=3„—âyQ--N{œ	|NÕ/ä.‡êÔð<ÏÚíÔ’ȸm¹<ÆÜeÕÁ·×ˆ#òÑPzr˜IXÉki.‡e%}o¦3;¾—-	è•òKP#ƒ•­æ±[$•œˆ ¬ïè&LjÝÓ³ˆÇ÷àö2À1Ço]Þ#²Öˆ0~'£:#^¾>IV«Ð÷ÛTÑ&÷¸Q@ ±½r%´RK»¹3"‹›l¯¹÷šŽ‚l^_7ÔµõÊ:þ±¿‘85)¾l®LNduŒt›î}r§ë§¡™º6êð+Læ÷~©½IŨzfMëò´¹Ïwq˜C33ô9Á‰öŽÏÕ*†Q»³Ü÷¯nOV¸¨e²U|¬‚²äŠ1Ã	.#¥Ý8BÞdà:ÓeÑ[§àÄuìyvXáúHw…—¹"f,¬|$‹2¦þ܈?¬9<:[›P>º™HÜm¢^^¦WÐþe™‡Øe·	»ý+®Å>p¡ ÄeøãÈ[(ð:>Ñ:s4§‚!]¨­Zl¥`Q}ãTÿ{RÿÝ·>fBÊäP_Š¥^G'±'ÏY~Þ^êC£\&ˆ0•÷ÍeówW÷:ñÛ˜ÉF5é5!¯OTþáB65¦½yòÁ\IidÞeƒ…§ãûÕöÁÑÁªgù’çü>ù#[‚Çæ¥ÞbÍ(½~ý^L?ă¹8¯È¸ëéºOî½”«6®ÈÌ8e.jU2ëìI—zô·.õ‡X
-ŒÞß,©«JTTü^g‹ï6MÆä<%½*8˜¦¯âåÌÐò«:éõ\¯º\ïaÅ›ºXôZóüPZµR¥oEe7#Z{‡‡ìâaß:éDaœÒ¢Tú§sÔ†Ò¡q ¥åˆ ¨×‘fV6¹þêp
Œ®ØEhØMáŠ]öGJÂæ`¸ªOÞ-Æï¯Ó4s,AåaZH”5ksuÂLnCü=,,–]sä†5h+q€ùHVr^>b‹ÚçúÖ”ý`ˆŸT¤jsû$Žr:KjâXriÉÿÞgU`Ò‡±r]„§7OªƒÞ<¶løÎ&Õ.¶EøŽ£pÅDÄ—_\êR$*“Ú2äìl¥ò©'Ñ>¯èãooøðL“äWRv˜WˆŒÃT?@5Èc(y5hú­S»4õ†ûК;‰–7˽[êͬz>bÕû=°½ï±;Gv#É­gÒw~ç@Κ„5LÐç]&BˆÔß·°&YŒ‹ß÷œøÏE^|DoŦÄp6¤ÃÒ³ÂËÔ—¡[”᎑ÙéºcãÏCÃæÓS¿5³âCëÉ”¬g€3ùÌü._Mƒé¨ø#}0á­cg»ÒF¿6ºeÏUߥ9”çþìÁ2……÷:^bËS”÷Qñ¯ÔµW:ÆiYn›}bïÃ:ûåû»„ °<Ì¿h‹BÅÀO0`ûc(³ÃyjéÒ
-ɳÿ•Çdö4Š“-‘µæô’ó›s”mã»Ù×ÎmY…v}lÔ[«êÙuuߘã»[|-¿T‹™ú­##ðò}Q©÷¥1&&1ê}!³-ëºÚè~‡Ëƒ¡ˆ!€ï&•”²W‘/÷ʯ%ˆnÖ*´@g¦üÄÉ5Torñö~×,PìÒoM¶/	Þ¢áþ• XEõlE¦}(!¿à×Õæ÷Ÿ½HY…T~3ý|’6t¿O'cŒ•ºe[E6l^ÉàÒ›3R+¢g?€˜¾ckk_‡â^m_
àa±¡×Š+4æzø|³PJ«y~³¸*?°
ã“MÆ
-´¦mêÿY0Ô÷¬_\[~s9ºUgtÈÑŸ¸õŘG•ò·›rˆUFz½hËõHïOÌwÈîýéÔi_°u//ï¢'I0“X‚¥ÓEâ€gŒC3Jåènq³èè™
z£þŠ\àý«y‚xrîˆ*‹¾£ÁŽyÙkØzƒÛ¡t”°O»
-é×£-ÏC”Ãñ„<ŸÞÀ¾”Åô¸W(äû¬nÏBmÎS˜~(—Àá¨Ûn’ö¶Ú’¦ô*ω˜?ß#›N¿iTh¯¨êWSrìì~{©œšwÿ,Ÿ†ë.." †iÊ34f"ìŽäÞ,®á.Uq ùÝ ÑD!šÅY?ÞýŽA»†àÇ•£~t¹ ¶Ññ”½0Vâý$µdç×>+Q›iîqÛÍ/ŸÖdžgß»äÌ
-8=³ý•v¾xëüÚå”	¦8Œw_,0FX^Λ+óÆnÿÔ&mæìH&ƒ—Ó’Uý5žøf‘^uzóŠq>Ôµ„9ºþæY+=Z•a÷×ýD/½JÃ.‡|ì*"‡gþšcwüàà’\¬Ò9‘Ö­Yø“&ñ‘A‘¨Yè£Ü@Š
AŸg–$´åq²øFn©šaîŠi09äÃïKã¬XɸJ´Xi~‚•;÷sÖdøïgpÀ6ÄùâÜöË;m¿u§–[DµðCÐÕÇCöÁFXN´Â3|}Œ
Yê¸	©CzÿhÉ÷‰nÝ;úÙç;Y¯†|Ý9L%pS1”>vø‘†{¼¦BךE!c6¸f`®ÚuüÖÐ ì$ñM•úýh“Ð&úMaÖ!MÄı³:àQ¨Ù^eeûƒ¸2úüQW¬þþ,—<Ÿ®¦³è9jûŽ%‘ÔWãõ9ùD~àãJ¶>}²’ÖE»þuŒÒ/òP_Ð+{Ð^=Õ÷4v¿|rìjåè¸{FÖŸ™-È’Ë7zBÑÊ¿EâàÛgŠE[Wú9–t7±·9›½|ªqXEšbnHéwR*´\a僰C{áš~ñíP«&ð|Ï{¡V2ä:ô/xÝ&Þ(.Œ×—î­ÇàßóŒaYÚK¢#?ró1t,Ë4Ï0(›èwU!˜fJ§b~»ˆÕJœŠ“ü°gFÕчõA»Ï؈Œ§Tªûº¡òž±8›g§ðú€N×ÿˆ»ùóf!|Ü>%f|ÇuÇRõéØÀúsìä:9GϬÅE`ãÂ"¼ÊàÌžº¨†H]
-o,mÁ[ññW­ˆíbÒ"rbÇ2£¥è4*ŽvÎKïw{%"'¾ää!¹_›c§Dy13ÆEsù¯œÿ(ÈÌ–QÆ·È¢­/¿I³ƒ‹C±6ú
6”™¡ùW?ý`;¼#Se˜=¯7æïžü«´/èûx/5,6%ŒJ[‘a³£7*Hš¥JÒ¼WsŽþ˜/`×1»guÒD	9'èLØ¡—~·üûzCè7£’»~â¾ôLˆIf±hê™/†´ØrUñ%nøsžýY°^þð«ÞÒ'œ›@y¦Õäß¡üÏ‚¸©j!Q'Ã?o5ý°VJƒª*Õ¾h²51Aý…}DL¬e
-'Ç»AMØÎã÷QX¤:“òç¯ÍKOØ7¾]ëàÌÇKИºÀFù,-Pç°§m­¢çîŽÑ†7#”ß+µ69¿tKÛ»§±{°q¿KØï{¿œZ¨í^Ìü‰˜.!dÓ.[¾vØÿŠÆ°tˆŽP{ë¹3±÷[‚[-CZQA7ܬ×
·¯J
-ýâøugá}ÍfL¾0c˜ÏSLæWfýã¦ôvÖ;ƒ2ŒtøŽÜÞ1FJâÊœ
«7Â;4X“ãf‘”ð}lŸî	'»»jfGÄÒ¾N!&Õº®¸6µ`eÐJ‚áwV©Î’	: Εh5õe
z£X‰0Yëþ¿Ù]Ic%9UYÔU|ìfŽj†»øjío°nÐ\æCúÛÂÞJ7X›ßs-ò´Ëyææb~4QÚ²\WÀLD`¯äý]NÞ<‡ÙÿLâ€ÃÈ
Ó*–×(9æü拤\º±S2F¬c,ÝõäK–k$‚VýÁ«ŸÓø™ÏÆ8	PšLDÍ8×%XˆfáèW„Ñ÷ɘòF†÷-qŸƒZxÑA.:g*#Y¼JS¨uå
-‚ÝA’Ó&T†e¡~R™‹Ñ!Ý!†7ËŠše¾Ní{É—AM|8j¬¨VªÐwcߥZŒ+ÿ=ì÷k¶ÏwÈÓyÊsW{)*Ö¬Ü)ÒSI×ë€ëê9RlšÀbm±h ¾'̺à~6ALŽ¥<º3JŠH¯½cÌÄ7œÙäJòñPd?¶VòõcÃyh.’ïuÏ’™æcÐ	»ŸêìBЧáÂ7+¼CSý¬+8'•€ÎTüå—>)W˜‚bTëz´¾õM4BÒD}ËÞ=v¥¯ªmxfœùÊlÉÒ3îÞ„³„nwMiÑüÎ+§L¶c…y X0¥E¨¶Ž§óù{øú,Û|õÈ¡`O÷Ñt×/
º„¤Ð®üäô™‡Çw¶{	rŽdøæ(ÐEì±,Wq‘¼= ©¯":åz€¡÷ÌƇ
7e@¡™ôpN4ÌE¡Ò±ì=wÉÃo”$9 ¦!",ª‹„ÑêŠÃߤæ$y7µW
ì4ÒÛž^@G<ÉõµFüe¥4ÞöÉý~<¿1&7¡h°_éMCêŠ÷Ï/Ñ&ÉÔWçmQ¢èvÑ…Áå£ÉGx©Šê-µÔ· 1ôM™‰Oßêuü¢T–-¨dç²Z“~÷¤?Ô6=³ûL7QùxWj:™B©x7²FøÍ}çul0I³µÙñ[¯Ó„2~Ò[›oç"#Ñøî¹·T=}Ô‡Á.·ËÍñsêì9|R‹T€ˆóªH¼ÊƒVë—»Æiúø=f'c-ij­Í§^üTFŽàñž“s,y—ñF„0(g¯àîÆ¢ïÞïÈwâ÷[qoÆL^¾*á4w»òg=éÚ¦ð´,øÃcå€ümšãf¸ÃÖ³cM4—òúÖfö¹”ûLll1Ìù¯Ì_h¬/TO÷-/üç	8û4,Æ`♒ȼ~ÃMÝ…‡#E‡X¦Æq(…6oq~Q
¶—{R^/0ÕŒ@}/ÙÔIFÀ‰5€AžËVX{a›¯½ÄZ#“nbâ,Ÿ¥Gƒá£óJ5|Z{#~r”ÆùÖ•ÚÓÏ2?H€Äjv.¬¼·Pò"b=Q=Ë/àô“··‡ÿ&Ò03îï`*÷©ßáúñÐ2Â(‹öH; 7]ž¼ŽÄÊQ$ª×”t²9Sp–DvLôFöJ‘`Åá¼äÏêïÈäŒÛ”$]´[ U·•µÑþ~ÀÝl½µ”D²c0Ù·ÌÀ#A4^ªÄÏøQg£ì‹’viRTrf:òc¿ú¥Å’t¶}U*ØGj¾åÉÚÄŸb–LFQoGêT4o8\—Æ++¢Ì¼¹l¡¾¢%g’nAµ¢óakÜÉ=fjÁó	°ÖÁŽÍcªÎÎ'þXËú¢ú.w8O|úÈ©É;>al%Íe.KñÊë{Á¸ý~§¨svï”è®VùØGR~$¦áCÛ74¯ ½¥:ËœÂBGÍ	$
öQ™yìä“C#ÅTgåëƒß\9¹‰¢ü¹'Þ{we‘ÂÞGÐ/gJ™D|p/eÒïí¦Ï­JôWŸ&cüèÐ5Ó_ÏIiY=¥4QîãšÐ©>
HÅö”¶û%*g=püI€@3o­R‰IXü£PÉw®2O­VdÞËÓ‚"üeë·ÍUgDŸÖö¢·¾ÌV~P
fûq”e\v=Çz]ÅcÕ!éX=RD¬ndIIÕ_\¬UaÔ’x¯÷¾µéÔƒÌ]Òj\õÕ[qŸ¡ÍñÀµ‚tÙï³¢A€‚bý¸ôOÔ4®Áí~î4Áä‘›'.ÕHÜ7È,Ü&ïtî¿á.׸?¯Bïp4@TÉ|µm9Ê·E¯ƒÍ‚MšAÝžj§O…äP³—úrƒÑˆ¯t ø¡ðˆ`‹ßÊíÕ3M`b°~ž™ü8­·*#ßÚÑcxÕ,ØFX³ItŽ™”/T8HB¨Xÿ%íj•Àêüĵ¡,»ù¿·>:ðî¬2[¹¬õùIÉë}££ŠÌ·‚Pb”Õë^žÔîzF}ÏÍã§/E;ù˜E_4!™ü¬)µ™½ÙÍvaÔ
›½„ãØ”[ìÈùH¹º›«‰žèˈýÖ±²|¢?¿™y¶›ÔØŸ‘èÁ«^Ä‚,¶0~
K
-§2Êâ^Œº@?Ú³ûñq&€Ðáz<˜;ól‘¶"Qï
-¥[i§ª¼³ÇžÞvëiÖ|¯ÅEÙÐLèæ­Ûa—·fjº™9‚_%™Œ7WßteÒwZ¡õwgvŠŒÛÛ´ÖÛ@lY¿¡8ÍL4¯úªI“gZ;j×çU10Γwào³‰®G°?ËùïÙoLÃAˆÏú%íRsáädZâœF­Ì/ØCβtŠ˜f‡Œ(À]Ùžx¡#…oéb3++N•‰¯ÆZZÉ¢¶*Óð…h9÷#h2š4š¶­în&dMoVØòÔÇhҨá·};ÇNo	=±?ÛÌl©^‘uw^–&žñXº2wJÌõ¼åµ4ËvÜž¹o‘¸U§\6j¹R•kVrôœR‰ƒ÷„wöùË7猑Çyµ’Ðm§ÉXÍ´Z’¸5~Ì–*éOG©ìViêàÎÀ~S/~–VWºÞs÷.c˜þÚÌùÞeSdOAxçÓG»=,…XRƒñ³2UõG,(ÔG^2`ìûÊöu¨øDFOXžÆ°žŒ±l®] 8oÄ&LKC)‚<ÕýRyò.êÌ\éëÖ›|"Øœ¢ØxXg¾¢Dk³û³¢ØéçÎe2Õý"ŠQü(Ñck5ëÑP;$‰¥­X}›¿C6rR1¥ÂÓ—“‡ÜŠ¯=¶õž«êmãPcˆÒÖÔ‰ú¼HÇ"ÿ:°DÛlj‘ð,†"Ò6‹úH…DCrI"[ÚIo5S**®ôc+ Â‰.˜°XØ•=xJy°eðdÌcž?ªžwޱȢ:ÄJbBÁNöÙ3ʨ„`rI|¬î®0ÏýÖáóUDáERJï
-³6û¼‘Û]KJÓ¦ËÁñ2ž²¤§ÏÁbBbIxüÐŒUѯvYìºý¿
«Že[ˆ<1tû0œ~Œ*ÙšÔüâÌHÉZüJ°A"ÔjIQ£ºy™î‘`R®¶tÕ`+GAUWÂÏå±ûžjû•è4¡Q§ñùêCªÎ*%Ò|I+)¢S^ƒÇ-´æ!θlÒ'~Ë‘„RP˜žË—˜o?QèaÜãàÄ}ÁNF²Ã@R™°Ž0§­	¬µå<}w‘è¦ÒãŽÖ•Ù<¡ÂiùΓ=äi15ÊÛ›M¥ƒ¹^yš “!{W}æW3îPÏ_©Œ¿bÊP‚qnïF8UÓQrßg¿¼ÖÒ
-Ø7R‡UúImÂt=6“³”‰ž!ix/À6Öˆ!nûž†3<}&nÞ
D{%ã3&ÉtwøkÒ#÷‹ˆñÝý^Y­TõHe†ç#é´Tz•OÎáÃÙçßF.Œ"F¾üÜÈ3Gù­€d® ½”‘³ž.o®FŒÈ±Ÿ¹±8†Ékóˆ%x´&7•ƒÃ^Ù0åªùAà¡Ã£R)`~HªŸ­cq>¡>_kš¨Ó¸(tjRLhxóÑYQyÉá]~ycýäüêŸÔ8d´‚a¨QQ³Å?i§µp[Ç?Hˆ XG|uºßf’œ«xÔ`æîê4Žf†Qyz½šSVÕf9‹çÎ|á<,r|9¸úLÀ¨¿dÞz5Ìk6gMŸÍž0Ë-µ;FðªÎyuɤ“FXóœ™Á‚®k2y(OFÞ{eS¾*§S›Îgeó|YX°{hƒ1JÛÝ!ƒç."&›q7L{ÏV2$6Ÿ¯Û5#àBüC®hpÂlÒùMˆ‡¡¨ñËöÙÆŽµ]·ï÷!÷­á-ËŒ¤â:<ѵ¯”b×ñ 1’]b,¹ãòuûÊ} —7Ûª4ÇÇǤ‚ºI,Zš¾D®DvZ‹*þ»tµ¡:í«(pÅ..¿ãaó#×bnÎt4œ„Q7øqöøÚm_DÒ¨Npx`¥²®ø²·¾ˆžþƒfËv¨Í›L
-æLšïùÜö_×ÄõËVÄ«†e…rTïi±_^I—úf£¶}ÓùY}
-™A5ãRd3ý¹?sµ utlc2@ìôÜßš‘|7ˆw$O÷ë}µ/{óÂwÓî]7MWïäâ7e*q™³]•ˆÞÁ`¾„8aU–J°£+,!‘í¨æe;câü à›îéçÀåtC^ÌÇâgYJÏÄ·*1?ɧÆÉ‘¾óÀC>»:‰r¼\»±¬+Êšœ‰¯Œ‘;Üž2ݾGnš¢j,qsþ$iúŽHÆî>nrùÈšãg9ï¸	Ý-’î9~ù£iî´ÖåRw‰²²øL|~ª™-ñÄüNƳ.ÜC°˜¸
-Gõ)øí+¥*ŒüŽ¹îò<šh-`~¥"ðX½”¾n8[ŸP±Tv˜jëÎ.ìú€me}b©oXï¯à3™¯Íöû3dm1´sÒDg	³]!Z‹‡^úHéÚ±‚†Øæ±Ä_¯¸DÛ'*tÁ×­ÜÿCªø\*É3f¬J"ñ9/Ýþ®vÅßm…Æì2¡|ÛáÑ#ý9Ç.ƒâ;c ajø»BWÔ£™[¥W*Þtg;¹aù—ó3
Ñ·
-ÛQ±7cT¨¥œ¨4»°ÕyË_v¦8d4ÃÖä`9 !xa¯9Nfè×
ì<‚ùab3éDxdf±5Ž•¥F=ø5Ã:T]>1¡­Š7]·
”"
-‚á+\>§hàä`™	K8în±Cišù1k	ï	]ÚôÚkÇXƒZ×µ¨øú)œãÞð´|>äºT©o	V,¾÷îkÌ?ê.¿Þ"
&ðLD·ÍÝ—E•°î
rO¸/>Y»KU}¨ÙÜeË/^Ý[™W¸J½r%ûÑ”Q¤^ŒH—C‰ƒâ³e1κ˜µ‹
-#6ÚEHU¬ƒR´šÖ!aÔ¹ôÙD,í_2J|+9»J~:˜^êâôSsi'¢üœ1ÑðM°îiÃy0àxe§L|ÿ¨šI_ñ“”%p¹!ÔN¾õ輻ÜSô¿»{
‰b‡_3?ÁŸÆV2bKˆJø¦}¶Û¤–ÅO<y/x±¼ÂAÿû§‹qh.ñÍaiEJÚÞDa¿ê
®ã‚-Œðµ»}ׯ&Làh扰pñˆp¿—˜ôŒiƒûؘõì1tD„‰n‰¡A+8<ÍÝUÞM|üy¢Ct2^8(9î)â÷…žS¬:KQzZžRüÖ¦íUÚÛÇÏ€5;~Ôz³†»Æñk2ÃáI‘±¤`WV·-Ãt¼C&£ayõmûHCÂZ§¡]gZ}™ûç‹ðé1zcÅÆ\»S#©Å6æñ«R“§°ª)Ý.@ªuN\hXÇøíí£ªˆ¯‚£‹¤bþÃ7wRX=× ’+:¥kU4Ïæ,½Ú‚GïjÇgˆkµ‘ä
å¼°™îÞž_@y_©ø§
,–C—–Ï#!–ËÌôò0[^O8p—竳9XÜ…Fú˜XÛÂÕü"ÔîÍÏL¥—ˆò=ºyt*B<¢òùü¥úK—Âs»><;ªÐkÈ«•÷8E€ \ÞО…’‘Õ¾w˜!¼×…)ƒF¢–òJë¦÷ÁSu|˜Ç^}J»amº°ídÔ2l±
?BQ³¬	WòŸ5òÑÜ.T,-&MÍ\–ƒn8µt­µ¼Q0e¼5g+ ˆ‹«°Zø5¨E&"¨kfáz~†´À™é•èæ¦"ŽìÖtñè–]JíÉM8¶òà†y’ @ÏàȦÏ$
€“€çØË—hvÄ«rd3¾?e=ˆØ7`3oŠ·€ü˜ò—@™döRÉ¡Š:Œ‚õâUS1„G“0’Çþy[^‰½ý'á<ƒÆÓn@/Í—¾¨,_ÒÚ¯ò|~?$I3á„Ò${·¡^W’[Y(<´²¥-ÖÉ©FÔA±ù‹$NáM\©}5Þ)[4·g‹¼·;Þ–®?pUKªùnfŒ²¶Š½åÀ(˜_ŒDG›Z‡¥£‚wCàáô]Ú÷§°!e#žÉùê$1ÕøŽDqLkLÆk¾tt›Å£(Ëj4Naá*fÍ:3ËçqÍãš,2äÁÝF(\]5‡9¦Â'þÆ—ý´$Wȇ ‡ž#*¤Ö&jݾ$`I¼›äˆ»’ɨnæ'1aû81CÀ#hv‘tY–rwœ§Ø+k,÷»’5ÙR†.â´ú ½è=×ËBê¦.j€9þ­BÌþÛAjóî^‚p¢Ï	UøÝaÄUõÒm†ÆëGYü¼
Mäñ…¶GŒÚºêÇ+0öÊïTvWLjSø{*ôɱN&¾4ËÆG÷XÓ]­rÆ7Óß	¨·ûbòÓÈõ#E˜ÚÊl­J7ÚV¼®tOq~æÝâ !®2t¬Ûìëy#ÐÏÁTÚ´ÉÜî>„–ñ¬uX{-Ifè±e±’ƒ#ͧoÊ#9ÈWôéPþ9éõ!Æ\Žc£JnÐjP·‰ÏÔ‘Ó@hßR­‰c'Eö
-²;9
-Ó›¼JnÞ@3yJ¡CuGã¢âßL„%Uíýœ¯ÎÞ)Yx,t®Jjä„SEºí‚Ÿ??Þà‚ÐB_#™Ç›?rTž1Ó:Õ!å>ö]5R–Ûëp|Ù£‹(=‘+e°ü8µR‰q&^>µÕó€sîuüíåý9Tj›
-“?=btÜe——KxìÁ)óøkØAÍÉØ PMšInfÂûÞ·B `%,#úQ­ý0h§/ºaª’¶‡ÏÚd‘	'ïK±ÔNowHØ“†þ;#èNÖæ;Éæ1pÿÚàœïN½Áh4¢Ñf``ŽÂÅŒˆô·Zþ5›(Õ#¾}Ä°ï•d¥®ýÒ÷¯Þœà§ö˜Yû_ocæœÙoô·Zf5½Ž_V©ï¦OQËufƒªø9FoM:—Špyn<Üt,_ÉÞ†\cJƒ„B=¦0œxR´ ¹K1"¡H`x?¬^Ñ÷9žª³žf/ž2ˆ? g¨b³¸ÇsS»ƒÓ¾ÏMz<çÊ©Á”+Qã¹Ë,ÙãÔL~¤ÃF5P_î>Tç^ÒX…0|5ˆ)NTìX±à"^­=I¯u
Ÿì¤Í´`J	0t±G‹ÉXêù›õ:µs'"¢óˆªÓ‡ª=2Åã­öW+µò¨ßɹo”Õ§WU»mc5­Æ
€Ç¶ca"@ËþÏ“˜çF“Þº3Vþl**"íü¼d|sÔ‘›¶Zíæî
ûba*–FfÙ(ûÓZ•EQZ:´8ìü8vÿÛuñí×_¶×
8RŒ¢*ŠºË¿ñ&\Q‹‚SSÁ]¾§÷bZpØì­°õ[·U!ÛŽr?tó|`òt¸øÛÖ~Âx½3|¼¤±sï1VéáY\!ëDäá&Hµ/5$’§4ýÒô—ƒ l	|3›$ª&ºïU?£:k
qb*ýB^dËg¯¯C<âP[Îl.Yp¡€Š,«£ìɉÚ0ž _àÁèÇGMé'D{Ï_+yÊùÐÖØÚ×]wÞF«á¢¬2²P2q”†b²Þغý6LîÆ‹3eÂ>jï²Ú¯I¤amÝÚŠ:°Ë{ZAÌ!'βY‹3Ô°"N%‰Þ*³A™–O†çÅOÌ%U3~¶EJ—y•üÀM‰Í99Ìx#¢kÙÕUÝ£¶ç¥œ™+––Èÿ†1¦;|µÉùj´|¯8b3׳výAáùE™ï˜6ÿÄ=4TH]u2Iq?ý¹kÁ{Eê.û
ÄNUè1c¥sÒ\4Ç¢²7+ELo	å3 åƒd²	SC<íRv-ئNÌGA‹ ¼üs×Yïܾñ¨>/êDþÓÌHöÅuµä\²ªz+PVL!vfà?©9±¼r½wNö Sð«ÈÝdÿb؃mÁNN¯ï°ÀÂhçüZglgjãbö'€W¹9䯀ì!¯¶¯Ø+™
+ÄÉÙÉÔlïxõª")ýwœÎ–@ç?¾À¯0bþªi1uù“Ò_Ø+Í+êÛ9œAîÎ|™€f`'{ Ç«ïW2{Gð_a¸8í,þÀdt4³99½Ò¼rÿ©Î?óü—ìöö6YCþÒúÏÀÎN sdvŽWŸ¦Î¯¾-ÀvȬ†EÖÎ`gû[næbÿÌäøWèþÌýk@3ˆÀdŽÌªq~u	 ûŸu™åß×äC‹ÿ-
þ·´÷×ÜíѹÄÿÛûü¯ÔÒ.66J@Û×ø{É^· ø³gƒèÿ²Ú‚m<þ«UÔýé²Åd¯åxogñÚfv¶¿Å`'i°;ÈLìlj	0Ú¼Vë/¹†ÈÑlzíê_}5bcûì£%ØÔÚîOù¹ÿ†@vfÿûk£þŠœUGWBBS‡ñ¿Û­iª¼Î€óG{àÿ¸ÑR„˜ýçá¸8ÄàÅÌÃ`æàåðq±øxÙ}þÑ°ÿó¬tv»ôØXØØدÿÿxþy2ø);SˆÙŸ™QwÚ™½ŽÙ
+þÀ¦.ŽŽ¯Ýýëæ¿&ýó_¹ƒL‘f!¦‚ÁV©iÎUx_F%õzºØaBìk?~Ëó¯€tú¥†¯ó—?V†°Ô<7{ÌÚ?mË1ìu½³¡íLäûPÒwça­Ð´ò2î²¢¥iE{N+¬½ÑåaÓÜÙUU3,x„'oåtD<½¡÷§tÍóÇ¡º¶G÷5M©‰ÅmìƒÂ®úzxD“¸sMÛ7<8Ðßy×½MĘ‹D-èú&Êß!›HTW£Ô+‚JDjxE?ñý8Å’šo„+?4Ù—jÎÖÏbR›ŠäøÈõ·"˜úß•é:†>]BQ­cuýg¼%§\Ž€ÏÛÛgb4w¤ðÄb¢Vj‹O³éý’Á†ˆhôh\m¾ÓÝ:%ëÒ>ò¶ùoïêHŒ~ÖVS05½"½I¸„<½–s_ÑQ/ƒ0ƒM¶òHÉ>̶qÒ½ÄW‡hS¸cT]0š"êÿuþ!Kó\VœóIP©¨ ùi"Ðï%I;£ÄY£’Ç÷eÆj»PÒiÓèà)ò>½¶¥2Wš£‹Ô•IGôȈGRE¥w<,.ìy?•Öú³x‘WÛ¿ˆG”ñ´T§Õ‘Øx(YMk'	ZÔž–IŽ+‡»f 1NÓÒ®¸¹j¨þ'I¥iÉ’µ	ââ(ٞ߆rY'u¼¼u-eËAeêKÛBÓY0‰÷j±o¨I‰ç´5ƒ»¯ÍÓ`Ÿzë’âcŠg‹¥5Af''Q)®§÷šÞªjIA«#6ÇÁ’¿÷‹¬
jIG,TÒ*›–¦Œ=Š@ùê¡Îò·´¶W(ê†C¬Î׳>¿{¼;Å]f§äÍPô4óO—.@Á½
+“pb;|ŸŠmONcžˆݺçÖj†í)Ñ6RìŸ:¿ü•8\Ÿ¢½gHmh¤/ª*¶¤?h#Ž Ó@¥¤X1:·åÒ'ÃN=fËwl“}Và|n ÃÐ-Ú‘¿ßMLœyÚHf)m
+s…ðrî‚Êú™ÎÏø\žû=xd	A^¤‹Ý¶v©vn3<\ݼ‡zYô ArÛ«†ŸŽ.Õ"–‘ÛuÊ«üîßÈ}Bø-*
K»³eØ㓉=ŠûóÎHÇö+¬"”ÎsÄ.xò&IÜ	Im„6v
ZÅ@°ÓG;£B*óIa­
+¢F¹àgÍEI΄S©&J+«w`¶É
ïð…‘˜OÃ¥lÿ΄Àר Î9Œóâ«|ndŠ7yè:õ™
ÅÅ»üŠÚ„I†f¯K%Œ¡e„•¬(F5)Æ%¶ÒtFÅ\Ï¥$~?j(`Âq®!–÷5ŸNç0ð8|7 ±#çéóD‡5Ê›éH†ÿ^蔺P:ù”lS’õ«ÃÖ팮ÀTnL-ÊT®
+¯ñ¡1âèd‘9[N:`,ÆSÑ5¤LÓZþ«q©y晥ãüØúw!®_I°Oþ&+Ô[9-î´¯NÔî`Zšýäâ•‚[ï׉Œ)$;Kj=+
+aô©Eû÷H[ú÷3ïìy›Óó¬z˜ç)6UWT2ª«0Ät6z™Tˆàz¯!Âqq(ÖxQMëêu‚ˆ-‹;®·x;?as¢É¡ñâ8‰Ç'î•æH?ñ¨ó¡5ñÏS)<³±øW†ÄX^~xØÃ6ò¾ò^•ê‰‡‡5©ý²oÆ'\Z1SZŒn„ÇÃ÷}¥ás»;¿âoú_Ϻ.)ÄtQâwÌ+ˆº
Ë©ìZ³zÊù4,ÃO,ÑÍ-óà ìë­ë¾·̨U"²u™Cº®ž?L€Ên?L®K,‚¹¥0üÌ©ê{åö¼¨ÂT•Ü^ìcäÃè²öÆm:{¡Í!‹ûXMÚD) ¼Ûð³d"µ!à>dwÿ²k3‹ÉÝ|€•qÐÃŽ+ÄÐè ´y«E9Bnëbr»`ë–z¯ò†„÷ó›9ÜŽÐr“\î£a¾Ö9©è»ÁÄào;²)7#/ƒdC¬1xœ¸ßÞö_I¡»>Èös·«X3Rsæ¥
+EgF°X«·ê%<Ì6%ȼ€
+³<|†öDé÷u²-¥å½Êò¶m®’²^d’±]Dy…Ñ
é"G
\0ã]êDT]ÄKÔ~êÄÈF0ÚkǸÜÓ~¬Äݽ¶ÕŽ(áÃtÅ?™´Àˆ{XD€$ÕnïS:âç2f4QCy6}!v[?ÿÙ!k”קÃæ–á#¿=à¡q¼Ã&@zã²P,À«·´”=[ìÙò­YÂÈÞ–XòmfczÅ÷‚Û¥©kº¹ ŸYäB†Hçµ÷/ê)J´;ÇãÝ4Šµ;¬2Qç´Èð¬n9«¶1ýý‹ÒQêøêwF!ÏjG:ùBF•BOÒ}‰V¸=ünébÎO·Ò‹´³×ô{x	_~_é`D‰E—¡D±Jðà.ß»\0%Àþ<‡6ÃÏdµ\Ýô^³k¼ƒW9]=d鯃fCÉ;ÇaÔF[—¢ˆ?¤ñ‰û÷å–Ï¥µ—e®ézÐË…Õð(NÛ6	MÈJæi勦»x[ŠçX¹ ɯÏÓÌR¤ˆÙ쇞 ¸M'Wy©÷ZD¼ÏK?¤?±W<ñ7X+.o}ÑA¤ÔAÔëˆÒÞŸa—áÖ4%ÈšÑF·º@nÙ6Åÿ®¿v@(-Ç|çFÊðÔÀ¡IW¿lѾ‰”ßæBìñebñß«¡6û™ÌâG‚Y¡ð{OϼÞÏ„8¡d½+¥äGŽuúˆpÄ5y ·mag=K³½‘ÿ맫Y˜!úº¸v™lî5F3¨¦þ˜{›B)–³<çŽ\F›eÓ;ï~w+7?VS´ã¿R‰sÀ9Šaj-ª‹ŠøÔÏÁMÛº$Ù0M«`„«ÝQg˜&‘„~øã2J(z&B¸kM7„¬¡
í‰òºCݯ^ý}]ñ3'|AçvÞ͵öŽÏGCûFlô(z*lëMëbÅÙhßÚKÔÄ	;k×#´É¥_Ýü¬bÿôžŠª`u"W14Uî\‘1_GõЭ¢/‚ÒÂ'’#E¨”Š¶¾hVö‹ŸwºEÃÆ2³\nŒûN0ÃÝè"ñÆØ}–/vsÓ2$pLÒ)…jJn„„­„aB¥‘Ìõ~ƒu%§)E×L=ZmK–›ûeÌiú؇$õøÿ릀Æ$ƒR¬eÎ×m°õ@I0–‹w+“¢ïQžpûîØft­LÈ#fÆíñZµ²¡Bî—~߬óÿ¦“wÑŽÛ—˜4H+J:÷B“^*/¸Âyɶ>÷ÐÊzÓ]ôŒ•há'C¿’ð;ˆç…;	W90üthðAÍc¹È¿¼Ly@¹žÞÙGÀSÐÀ\2ob¬Tùåœ÷0f‰Q¼M.>gîƸè”e£öÇÖ,AŒ(¥Ñ™t¸çÿH?€1dd«upjTò7pN!q¢#XÏÉ„>9T©i,…ÛÇÕËs‘Àâ»k&)/mHŠ› š‹vîˆÿŒéDzov휜^3³Ý÷G~ÂO=ÄQ èÒË„ˆˆ>Õ0mE¡IÇ4E˜fnL˜IRµøÇü!vB¹†i÷…C6Ná%>_~u”zG4ÎNá§É¥è
+`›žÖÖÔ<*üiΈ—9ü±™üXó7—‡±œ2øȬØüþ^ù÷µIË¿"(®/КÅHMP­"òZ!
+GO°â}‰¤›ÊI@¨’ãß~T÷“©DHå–±°›­J|€yÖlž‡Úy¡ƒ(~½/2œÈ!•~™Ãí:g}r?Ñ$[Zl{¯U«9Ó}ÓZka'&Tý鶷X1uïßù9Dz‡ƒõ×äùKÈ„‘ ÐëM¾H¹•ú±‹êYÊñ¾º­úÆs7NkÀX×醌C H\°3[7ßÎú.þOßϼ$Û1ûMØ·£¯_•0j;¾93nÔÍ“o?úšð/DIyšÕÆŒ°‡ÌgFë)¯ %5M±,³‰Ó螘˜Âèsß(Í/k•ÎöMåô/}æpÙzTMF¡bèã‰ÝÃLÞ‡„ Dšá%Eá³Êû5l²
(X€KÜÈnæé+‡½®˜•ñ‡Áq•€~Ϋ&O4hk‹ïÝãêÃNÂ"Œí#°ÙEªžMÝa¼¿XKÚ±~t$uõrä Íõã¾b4ØçVA¿ɸüà1žÉ_dæ}±zIZZB~ã«é÷¶Ò—xÖl³ï>6ÓI¡p‹V‡#À÷%ïeŽyßÉàïÕУ£1¶OO|ÒÚ“lnkÑ~
+oàkÆ«Ü A8GNÈäÉÄÕ®µ‡K8šÅ2Ù?³¯+Hm<Åì߯ô}:/ËP(núFrZøn_ï¨4íß¼³'ÒÊM7gRg
¤6+¯ÛÆÉó@þvzþ€$‡É5±*4­;£Á*˜¢v£Ïw“ŒÖd“Å1G!Ksc%Î
u	¾×ýÌ )¸#ÃímÐpÞꨴ²ÒS:‚ëѦ<ß&âðMÚ²d~*x¶=ºPÊÔ^Õú-³û»¾q)ÃÛeæl•Q*‘A
+Ø-¯¶Ñ³;9<7Ìv‹éM¥kâζ«Â¼¸sNSGZ’6ÑÙ®ÜA¦F¶[Ó¢÷£B*dKz×JÒ
ò¶n“ŠÑ°n°öžÐܳöhÙl×˱ÖÑÊatô+…qKÎúOâE3‚½)HeŠü½¼©˜ïkd.Îã‚«‹ÖºîŸÀÅ´SßؾÀ:lÈ‚¬Iñ£={¨¶†Ä±ü
+¢+Ñ~•%)í&Cc‚â³Ìé9Ý7&Öo8œ,½Õ!GssBãÜå+À#ƒÅ	J]ún•Î¢Ùû[·üD’¯ß
MS®Ínw¬¿_ÞÒ ò˜-51}á;î:!“)i¥ÒÆUŠk¬A‰òâu­¥4)yu5'‹Óêg’åwü³8¸:º—ë/I+ds…MhDðvôÙµî¬wΕ0úÅX1›¶„d|,l°ì^ÌÜûqüc®§.óV’b­:b
+xÕx™Íõ`õM×€©ûË8'Å.”Ž´†qE6ÓOn,Ï›ðIáÌŠ­5
+S¸mܤp£Ø2¨ãPÇ
؃]×ÜE’>r‰ƒ±úÕšÝë!äõG	=í õÅe°W˜“ijò¸
ÑZTz=
müО¯e”môÖ%[
+IÊtôœˆêZÒsTŒþþðxÂ5k@Pÿþa¯¸J<—Ÿb¸,Õí	hJ<¥Ü3óðñ½ÔËo=Ú/—z|±¡Ã¿Ö³‘~Ë"Ë~\LÍ\K…5VƆfZOßšœ@e7»Fá>™“JÂ`.¯²Wîâùz¤jp*–ñigh˜\L‡ªÌUÆ©EÖ-ðŸàéÞ~õfSX´ù”SRW31·Kñ‹‹˜Š/ø2’m†0Ý·Éæ1¢‚Hæ¡ßí¶èÅfKŸT8:Úô# Ÿß­d—7›Î¼uÅ
+a¸´<¹ê_yÁåñÓ^4nzâ2š5§É`ÉñáàßùWd¾¹¢×HÆ«|IKeDÕ4˜8”!#î½±(Y‘Ö¨Já6³x¹ÊËÝ9´@¡êl•|ë"(,•z?DõÀ\8ì/<—£Ù1Íë@°+¿8e0hûÁÏI›_?°u¾¾mnÕéõsPÐeshÓ45¾ ú­Ðêw2\á›Ð(á!„Ävé¦eyœÆO™ÝƒyE‚õëS|nõeOœ"{• I9Ï}Šò`õÇëppé6íaÃ)ûBVæT°s!fÀÓôÉ!*ʾ ˜^5ßPßRYuÁUwM>
͵ƭ ‹÷i¤’i”?‡x³ž8¬¿¯Šhÿ–*Q
+Nñc-?ÙSg¹º–(ÎóÊ@nþ¡=ü«â2lÄ.Çløk
+ëz^ýèÄ À)5á¾ÿí?,yÌýñç
+/–†ùŸ†šNjŽ	ï‹m¢Óf:Êà=Àܱ­0JŒ‘dÁG×ü‚¡Ã–¬ô	rR€šgí~]
+)º\èO/Rdnq¾ŒNåÂÞbÏuÃ=~‡ÜV­Ô®¢%o±­FO1®É*3oE¿‹Ò…ms¸Ivz9©	)3FÏú&kÛ"è»x:Iç ªÑŽg~âÀs1Í`=öAQÛnªÎ¢èbbôÌn®œ)ô	CÿJ̹&Љ»·Cþ-àÃùr´œÖÙŽ’lÊÞM`-N™ðD¥ˆ¶z(CO®Hjˆ|óÞ*øjŸeYM6|‘Wp÷qÀ9Þt¢ûÆ2ËÃ9âGa”¢8{Q£~*“Çnš.HÑꉬªðÆ(?ÄG« ð£$Z<ˆÿ ”»S¡wW¼àBÜÁ-r´\4î%;Åú¾jÙÇe™Òè*¶dËæÉ5å%Ó*•ô'ŸnRȧ' AH§qå5_Ô»¨÷Alf…ä¬?¥ÈÁî—ÚâvhÉ]œî
+_õóº}?^*ÀöÚJàáI4²ì-&…ëp‹÷1áΧµzbOÎçþþ$œqvÕü{†UF‡)*$ê•œßnµA!…w2ü™ïri™•æ÷/O}_ÐlÜûÃL¢ÒÄä½ñ¼R¥[lÛyKR(ëŽãztà,hú™0ù„êû°ÿ‚nýT—þâÑu™@­
+£ä;—²º»(~ÿúëTÿt,¯_lÌMÐf€†M¸"]NbJ
–Lä΢ùMò‡§vÀªr
­Qí}$ÝØ
±îP!ï„à­p|€#“Ó¦nÊÛi]z
½!•-8ׇ0]¼T*»Á{*mÉÀ‡—Ë©Q\}¹º.l«3=ñ…f†À±ë"ƒçàòIÍ@’yftP:XCÿÃÝ“’ —¬­ƒ˜\Îã"4h,-GÿÂkjù%·†t­ªÜ'
+Ûˆc…žØ-Ùœ€‘æÞž·oIO‘È·uÆS]$‡Æöñá@Ó%¨M÷g,˜Ë«4Èõù¬$4ö|Md”eÞJN>rg Z;}ѼL—f6µ"?§LO‘öâ•ÀìŽ''ÀŠ<èòfù3V>À?‹+¨k¾px¥çºo ×M^b?šžÐ#š©ŒüšáCÀ$m57ú‰{üNp³&t1…$sTínòaº9Þ
+o΋jŠÓ¥¢©É„¡Q­Ã’ÿ-ÛÓÇ\
?su?$tIµ™Rgø¯å<ª‚ã¡•30]¿[¾`Mw‹v²‘„uª9¸vJ-&ue%	Ÿ˜¹r@=‹’¢¦²fФùˆBN2­e
+sÕ:b”XÓ
+è>Ÿ±Œ„îë0×ǘ@v'}Dû&Ü3†)üÃáݹ”uaQDõd0Ý•”an
`eRí§Q8¡Zt(C`%¸Sd
+›º`_.ÆüyýÃ(G!lΔ	ø( we„fæòMÌÉÕÒJ¡ÕΘ<ón„	ã¡ñ§ù‡“éÕ‘¡žvßã5°e²ÌèBJ÷ÜÜ”‰ÅzãI¸÷H&{¹Äâ_@çLÂa4GôáMXJ×€´é§ý’‡ÜiQ–—1qÓ_ã&ߎ_+×ß.^0¶f{0>Ù’¨9pTŽ¯üi¤´º‚¹iCÇ—S€@C•T¡¡øö"×+&ÔÁÿ§„×/]²º·+äcÛ¢™‘M‘©ï¸QQ-ŽÂM+ÎѲóב«æiéžO«®7Äaçp.Þ”ü!*J™‘¥ž1·^,g…Yüž¸™4¬áUákÖ…¾‹"„øeôzÕÓ¿€´['qéh¼®þ3DKRd;cœîé£Y?å͉‡RͰ᧬P¯-ùŸÙ§ç“64‘}qîd#÷?ôSpwvã†à·Ç–ãt”×H4ëꯕ¦óˆ¦rÕÖ“ÄäYÑ}|ÒT!=Y†²Vø¤¸³lP•ÈÓUªM‚q:þ=·AÚ/&L¿Ëœúz…-¦^ŸºàžW¥Å‡Rº!ÔÈÏúPrëhE¢ÎÚ¯ô]™K¢ý»`FQÅÁÍ/·[Þ^ÚTú¢ú
†—A”Ôõê1b]×½p“åL,	n¥CN±~îüo‡2/ñL‘ÆÒthëår0ýfýšõ܆¶l:üû¦Êõ¬Û‰RŸß"Z¹ Ó¿Ï.ãàò3’!Ãâ?ôT±ÕÏ/èûM_׊WZXÞÒËöæœö“¼‰ë|ÛŠ( RZ I°Ó*à¥ýð„ôÁ8Æø‰U§ìBÊ®!S÷©çºŽ¬ÄZƒu`k”t4´èTºˆÖ¼ÿëärFè¹@HI¿³¥–+ŒÝP·íowç_ƒE–IP9SÃz'ÖÑÙ±Qx'®l’OÇC6Êvú:yÊÚSôÒÓã^¥¼¾Ë!`I¡ŸðÊÍ,‡þëX=µ“eT]ÜæLXÙâÛÕ^ÁϪڟôœ·Ó7>‰5Œ‚{Wûg½¶ktF"àõ6:}³¤FøDPØ2ȟp¬C‡¼®ÅÊ4­w?¿ë{Š“Ôedîs³…žyn½Þ=dvr˜^ÿ.f>@±¦÷…&Q9ËžÙYÑÛ6bs¾HÝmýñ¶uéZê.ð]ÄØï:‰fÇ™¨ÉZŒúBÅõe嚦ÇöL…é,cáŒVäI?ãK9³ÉÃ['yá{˜w1YñO왕èÒ…Ê< ÉEkìÜʉ¯Ô˜È z\Š«ÇŠß¼+곂>Úï:‘qrm3&_løëÕg‰ÕŽ¡ÓíäÑéFtq^Ú–aIS-£n»¶¡8xT}N!š ÿ'†Á ùü>ÝJ™z6Å'—õâšÄ‚ò²§-Œú•˜Ñ>ðè¦\T(hÉçeýBoÂCsÚ̇ÙDQQ°…‡‹‚cŒ<|Û\õ±¡sݺ@€œ±î-¢^KSyT×—¹¦»܃ärÊïãl:3po€	ÄÃDÔªŠÀæ{„gìβ¯—j¦ªÎTŸ?ü!rI/ãÛj¹I~rªsAðÅI,ôþ›‚»ïÇ–7µXâtBŠršK¿ßŽ;"ç$%;¼ZÇÏ„Õaæ1Yš k6ïÊ·l[¥w5³=¡²5ØyšW¡Ü?é>]QZ¹té+vq.,·Á³ƒ°cÅ[kãHNëÕ¼b>eÂIýÞϤûií»×L+͘Cìè‹Hò-¹­µ5†mª*BŒÅr/e‘¥4ÜØkÇbeªœh½8ðB±¼’½x(ŸyªÄÎ؛뚺£;«/šÁ(¥’ìdåz&ò¶ÎèL·‡N¿uzß…¢paMZ²L%Yû ­ôªá«šD˜75!÷íp•°òÁH¤0nTa
Ö.‹‹¡6É@í@¦d’†`¹pbý²ðF”õ_,R$ß$~6‚uAу‰4²»™ìøE,Á€¾6‚r%½`Q-ì)«ŽRÒÞqÞ=»¯?¢Í…¼
‘ù6=œqyS!6› ¤Ò”‰šÀö¤úœOpe¾âæ<Åö¿ü!ÿ‚ÿ'Lm@@Ggˆ-ÐÑù?æµêendstream
 endobj
 1070 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 35
 /LastChar 122
-/Widths 2268 0 R
-/BaseFont /QYTPOV+NimbusMonL-BoldObli
+/Widths 2274 0 R
+/BaseFont /YZCCVY+NimbusMonL-BoldObli
 /FontDescriptor 1068 0 R
 >> endobj
 1068 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /QYTPOV+NimbusMonL-BoldObli
+/FontName /YZCCVY+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
@@ -10685,7 +10717,7 @@ endobj
 /CharSet (/numbersign/hyphen/period/slash/A/C/D/P/R/U/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
 /FontFile 1069 0 R
 >> endobj
-2268 0 obj
+2274 0 obj
 [600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 0 600 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
 endobj
 1061 0 obj <<
@@ -10701,7 +10733,7 @@ x
 www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^±kìo͵撹öGC©¦É"nî`
 ’q°‡°°³²	TÀv¦®.ÊöJ, KWUS[0à
àF¦¡‘t!`{) $Й¤@f;???2
@ÒÁÑÓliÐkkè2011ÿÓò—ÀÔóß‘·H°¥=€öíÅ
dëàh²‡¼Qü·5A Ä
 °Û‚’ªjåUdô²*ÚY=ÈhPs}kÅ 6Ù»€ÎÛföæà¿Zsa}ãw.Ž 3ð[ÈÃäøÄp9Û]\ÞÞ`€¥3Ðò6ˆlofëjþWov‡¿rtvxó°{ÃÞÈÔ\ .fÎ`Gà-«š”Ì?ê„X!åv¿Á‹7Os3׿Zú{£yC!@°½ò€ü•Ë0»8Ú=ßr¿‘9:ƒÿ.ÃÕloùÏ
-˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒ„¦Š²¶ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
+˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒŽŒ’†Š2ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
 Œ»C]ø¶ti ÓRß÷Ý…X«´m¼L»AŒJÑ2uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ
6:À)—DT_»Â;’iºv—"®;)ˆmq*ó‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79Ð7/Ù/–_!ýmÛÑŸ	·¥Ê“žHÕ]Çy÷A8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿	!æ¢DÚ–¶bO„t8&óïû·ù#¿-L.Ii§¼µ\’îžhRºª®
xïNŒ¼LÒV°Î¼0È'È:”n]ó’¢k+ÏQbÙP2ÿ,ˆè鼕8S“š·³ìâ>mLÃÂÇp]_1Œƒ,Žbš¨ðM›zÁí\#¨m-˜$²¶Ó“S”4cW"Ó?£^—ò–aÇ¢;áû±ÝP<Ö‹„¬²Ý2²&‡øÕÒ<³A–dâôÝÞ¡Ÿ¶*Ô1ó—)‘º°ÄÚnÏýå>ð,üöUaƒîùÂ4ÜU/ÎÏ	ÅíºÏCÔ½!¼L0ûBkÎÝØŸfRkSGD:,þaX§}îK+žÉ¥÷ÆíÊa5òb=L§A!ô.
;õ“¹žEFìÎ`­;[aß9\²@§å~Ê3ùű
óRIáPE‚»PÊ•!¼ö.líblÃ!3¢µÚøœÔªÊì=ý°:5¢Ä§"/pïgúîéãÄÃ7<Ú_Ĥ(LF•žR.Ø31s[’\(œ‚®¤'¾t;ßw&YÒM’Žª?ºcmbU‹Š¶*´XÞ/‹ÿ2ä±I
€¡y—Öë^‚TûþÒAªHAmfŠÉ9ï§Û‘a_Ë®ÀÔa÷r;ôzp=§æ¬@[>`S÷µWøªNt°óäËa7&%êìXÕåÒÎ’Ñ{î›òwß1	$t®L+í÷âQzŸº4ðm_ÈaêBkzK‡H‚Ï©-M_„÷œp:º¤õ4 1°îNŒYIzÍWƒ‰Ûyì	©÷ù3TÃÛu&ÌÀ„†6Ó¦0¥ÇmŒBw‰éÛQ¯èIR´Së‚òj>ËŧÒ—‚øˆQ—Šæ†ßF™bp5S±7ìuŽ½§±ÔlI*ÖÃ(>Úñ¨$®ßi w­i!œQ4±±¨äÀÌÂ…vU|Ð÷üÇ’Y›¾wûuNWdtä[KÙm8~=¶iš5¾Íû]SMÖÑj.¾ ˆÁ±üqÉÒõƒÙøyÑ¿Z6k’ÅŸZåzÊIæ ù»:N=•´qo¯õ¹+¥„B™¡dì¡AÙÝÕÏYgOþ†¥tãµN•¶‚.“Ÿ„ŒE¤¥ïmvž÷ç]4Ú}Ò°'~ªRÉfv5cêÙ‰¯Ó‡)ë8jÒès°;C­L‡’~œ‹Ãò%¸ëP"¸ÞUÉì^ª¤6PçÚ'% ðãÔ'Nurp~Q
Ø÷}ñƒ:|Š©½lLÇŽH|·—ÜÝþ¶w›æAµù½	ân¹‡T¦:¿ËzÊ(ï!ɯÄú_͆vEÂëÁ|Ž¹Eʯ#«îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT	¢Âª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
@@ -10733,23 +10765,23 @@ L
 uÎÂüÕÏÍ{1T¨—t+jªNìpC4ç@ÖîÅfÙä:)0ýôðtòuwô›§`âèÃJ_Âåfò²¤p¡Éý@ ë¤åcùC¡î—rj¿ÁRµP“ÜüQ[öºC›¨˜2Jí¹~?„.ìpÞ»ÂVXz%˜©­^ŒºÎµ†×þ'R¹ÊxE˜•ú½Æ#´ÂETíö`…TÆ*‘Æ4d¹ÆÔÊô;é¯QÍ·ìe¿Éŵ§Ú-Œ™–¾~jͶœÅ`k(vï¯ûa¤æ ‰öឆ…ö*„þlØNÙçfr²ÇŠ1³|/0î4ÑÉÇýžjÈ¿>VùEƒ" OáZ¨zßû,q!¿å]3„*Øœì>ÀŽÅ­ˆ‘{+$v¤fx[VÿÁ§ðaXïòÞòÃݸ´îÖæ#¬OÆfe­Ž¨€Ägs·BÌgtíD·°¦1?éBmbvø¶—9¢¯'2S☟—øø/Ð]Å`œÎækâ$:DKØ$žr°[[/o•‡á‡¦„ô¨ÜëÏ~fwHý¥ÈC¸¯É½ßn	
 ê÷E6K¿­í‹zv
$àg¨¡Ñ8qx!]ü`b6#2•›PÖŠ>)ЦšôʈQІ)C(Õƒ}R~­­‡_¯˜>{š·u9;ƃn¡“íó'\	=…i{,Áe“b««=µÅ¹ÛˆÎÝ6ß®ãÑÜ€AŃšlôϺΛv6Úì	5ÕÍRjå8äò¬Úèpõh.	ÒÛþ1«,Sd¢Ïì^5
ö¢ ÚO舄iᔚ8Ž¨á§ˆCî¤M¾»ÙIrúdöÿÃß#58ƒ8øìꯦ‘c‡9<œÔ?Xé(õ£ƒÙFkcˆÊU#´gƒ–ŸA>fâÃ穬-mDñ{nÊ¢,B‘dKÝ*ÞFΑt0¸ß28°ê!Û™h—Ÿ"à}8Bò˜á"¥f]™M<"$‡[ÕënwYÅ—ÛuÌ6ÎG¹óê=¦™¨ˆG(fjwfÐÜÄÃú£Ù_Y×Òm¨õPø²—'MWußÛKjÓ\·EE}‚Sy识cÔPÞc
U»¿WÎ…{gÎV©)ûðqBÐPègõ‚ »€‘j´µJ¡!ýÌÇO^â®=ÓôÑF~÷H×¥[ñ²ÕÉ»yè¦<€]¯©RE›x†{r.¸õSz÷N®rÍcOdùñ6“ôíFƒZÅ»µp±êLÛll™ÞÔòÓž¾h¾s,ü×Ã"TqÂÝ^–Oãrç,ÙÅŸ¨ÅEò/*f’”Ž€˜›…#ê–úJ8Š\ÐTH6ÄÄëêVäùã§q_(7QÐNàQK¸7VÓ¯¾«v…!YԫΓ²QŠÚ—>÷m‚«“мNØY©ŽJÉèÀê5—I«^ê‘ËT3Ey+fèÏÛ¥ý¯Ô°€H7Û³k
‡9ùÔá?b&=eÖ–›ÆÓG"ÎkM•å­•ø‚ÚXaI\ßmhû]½“T†·8ŸNÀÝKmpæéðí”?Qã·°U[˜Éä”y­¤®|ïöZíµ§&”A¶ùLðÕ(ãðÎ^X&¿*HðÌ·lØgÔõ"‘‡³oÆÿ×aáTž'zûû¹®^u?%Àtc	¶èÁÁVuA†|£¸ÅÍ×”6>1Å'¨¥Ô2¼oòg ’o›Ê
KâúÂTðÝö3r
bBWnêPÑÕƒÕZì)dž¡ÌBT«Í´Añ5¾S5£æ̦¥ÐTU¢¯:Üê‹°¡À†zBnüm`Lô“š!±ÂH¾¤å–+Ž«I¾†ïSªùqS”Ñ&bFœ °–gVÁYòÌÒb‰‰(ôŽÜÄø¦XãÂ]¿ã>€)­—¨°ÇFÓ<äGFÝ«bºD•Š£nw…|œpg¾0ª“•MPü,‚›E˜ž±Y™ü§Û¢bÎl·×Ø‚³èÏl¨¡~æ!È¥ÔS.šÈåwò©‚h€9ƒÔU¨7w¾¤9“Ü‹”‰ór‘¤òá[ÊKâìÜX¯÷ÓÝn\t“Ó~¿ÔlOöü8Å’ëÝBj”Nf{橆uö{!^æ’™Y«‡w댰1Ù$M­,ÑgZÒƒŒÈ&“É‚FS´Ã§·…¥wlü4w ƒ#F.°Ëc’¼uÔi´íòE¿·Y±uÌÑrÂåäÎ3J2ý9}°ÃÒX¬søwéª0ÜwP1®¤Tv=gvM¢Ç6igU›÷* ¸WŽˆ%Ñú¦ó¡VÆÊ`Â/½Ù#»ÏÃâÒß¾!õÈŽb>"Ä*200œ7¬ÏT}èó fT÷¡·MEfº>³¼5qÖ€m®)½—ú~ètL‘×(æ{ŒùCõá¢^m„çÇ'y؈~
 EªÊqÓëTéCòâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<üÈ -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆüªCÞÛjHk_×iêPtkºé7ïze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±²àN|×P’.n¹||£ÜU+¶3F”MhÆœ¡¦9Ÿ?hHû›ç—nrÞ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹ÏîÀ1­ÇN4.ì—{œH¶/ªB¥0¿N­æ%@»&ZëÑ»BhÙœæ¹áí„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
-Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ̲Ð`endstream
+Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ»¬ÐZendstream
 endobj
 1062 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 34
 /LastChar 122
-/Widths 2269 0 R
-/BaseFont /BSNMUV+NimbusMonL-ReguObli
+/Widths 2275 0 R
+/BaseFont /VFLRNM+NimbusMonL-ReguObli
 /FontDescriptor 1060 0 R
 >> endobj
 1060 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /BSNMUV+NimbusMonL-ReguObli
+/FontName /VFLRNM+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
@@ -10758,91 +10790,112 @@ endobj
 /CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
 /FontFile 1061 0 R
 >> endobj
-2269 0 obj
+2275 0 obj
 [600 600 0 0 0 0 600 600 0 600 0 600 600 600 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 984 0 obj <<
 /Length1 1606
 /Length2 17112
 /Length3 532
-/Length 18024     
+/Length 18022     
 /Filter /FlateDecode
 >>
 stream
-xÚ¬·ct¥ÝÖ&ÛvvlÛ¬˜Û¶m۬ضí¤bÛ¶­úê9§»ßçë_Ýï=Æ=±®‰k®¹Æ&#RP¢2¶34³³u¦c¢gäÈYغ8ÉÚÙÊÐ	ÛYþ*Ù`ÈÈDMœ-ìlE
œM¸j&ÆQ#33€‰‹‹† bgïáhafî Tù©FECCû_š\†ÿÓò÷¤“…™-€ü‰µ½‰­ó_ˆÿëƒJ&&gs€©…µ	@D^ACRN@).§7±5q4°(¸Z[d,ŒLlL¨¦vŽë#;[c‹Js¢ÿ‹%ä08Ù›Yü=fândbÿ‰`oâhcáäô÷`á0s4°uþÛg;€…­‘µ‹ñ?	üÕ›Úý+!{G»¿6mÁ윜Œ-ì£*ˆŠý;Ogsçb;Yü5ìLÿzÛ¹üSÒ¿laþZ
,lÎ&îÎÿÄ24[8Ù[xüýÌÞÑâ_i¸8YØšýW´G3Gck'§¿0±ÿéÎÕ	øߪ7°··öø×i»yý¯,œL¬Méa˜˜ÿÆ4rþÛ̆áŸA‘´5µ01þ[oìbÿ?m®&Žÿjå?3Cõ7	c;[k€±‰)ƒœóßÊÿ;–éÿûHþo ø¿…àÿzÿßÈýOŽþ·KüÿzŸÿZÌÅÚZÎÀæïü{Áþn;€àŸóÿó5°±°öø?xÿ§£šÉ¿3ü?H:ümƒ­Ù_*éÿ­´p³p71V°p62˜XÿíÑ¿ô*¶Æ&ŽÖ¶&¹üWtLŒŒÿaS6·0²²ý§élÿ6™ØÿgæéùWÞ2š"*4ÿ¹Mÿå¥ð—ugeû¿‰ý:díŒÿ—ð†°°;À‹Ž•@ÇÌÁ	`çdpr0ùü¢ý†é¿dYgGw€Öß’™þUøÿøý—¤ó0?lìŒÿ™%g[㿃õ¿ÿ˜\ÿòù¯»þ·àÿ)ÿkÄMLÜMŒ`Ö–íŒx‚-Óe8×aæŽLŠj
ô1Ž„Ø—6*ø×Øõú¥‡ïrUêÖ†Ð7Ms·{,ÛJQõaXSô¦š\çãùPõ o‘wrÐ2è–Âg\¨E{Ý,Êì€i²3ªíM*þÔ-ù„ÀŸîdq„ºy¡ò'q-ðG#}¶Gð5JkˆCïBjB©+<¿ O:}y¦ú=:2Ü{ÞˆK“MÆã
-Oåïƒ+ ©RéA½tœ9>i!xÁhÖ;"ÉùˆÁ¾ÎγU9âæsy*¯;j§8BäriåèØŸ4×ç3”عÐdJÞMt_Ýù…&žtã"u®‡·Î‚tÊçž—Žgº\7#é“ÝŸì3xòû[º$,1ÊÔx!÷••¬zf¯Bi&Ëÿ9o¨ˆtWãJŠäÑÓŸÁU•J[†Ê–…^çí¼tKdvŽœ1Wè½uפFŽ»@ïñ]Ò%®â6üô£ë(æIäg€õq#’¾oÏñ«áâèÏšC^ ©ÞyõQW-Tu“kP9uômIò¡R€¾Wm	XÒ5G`íªü¾¸*Û<mNJ-»ïÆ1/Åâí^Ð÷z=Sý5K»7=¶AëHG¡7ÿ	äw($Á¶šj¼Ïm®7ï#RÒ”éåä$ñ£’$ÊD<,ÔqŠs©øfI˜?EäEtŽ
-´e²ÜhE®…›T>ÇN|¹²ïwÿÄ’ùDF†ÇSÍHm™Üú5ºñœ»2Þ£R€;Ôgª°ÚLDýØ.
-¬€å­[Zµ
-ïµöäÒÐmV]ÓYúñ‰¡6ÎË'ˬY‚’¼o†í²÷·iFÉA€s5õc`ýnXÙˆÈÍÉ£5í’D,÷WúUÑGMX8“¶_zœìÊø)“bFlS âzˆpr m¤¦åÃŒø86
]¬2+½ÄgL~Ö—ÆGWØϦhM	Du¬0	XѵŒªPű1.<‡ÌÁ°²QÔÀcCTÎ7Ô•D±ôÊWà“!Þk8{e£û¢Ý¯Tƒ‚µÜhà· šEhSïiqÌVHXn´NxAMÿ19ýn%}ÃW(‰îªžµZL®ý;4AKó”ÕÑøð]Š•-þ¡M=^¤›±âY½æGb;é«Ä°à¼vCSR·e{ب[JNyòbÕªá¨H|ú¶/Ö´þéçùïœÃ¹ÀÑËD`kÝ)¡°2_XfD€x¨§„÷h„ÿ.¢gFZmWÓn\ð³·¦µè[omÊoV_9êŽË̪íØr]ŠÁ]~µ‡àè¯=sߪµ3§±ƒ
-œì!»žó,Ç‹÷ÒŽÎyòR+`üÜ-Ó%I¬-(7óKѲ¤Òë	›”A­6Ÿ‚öÞµÚ?‡Që_ʽ*ß}iÆóèYTÒæÀ	ì¾ó™š~r
ÂC{J4|#XÔØ"C½5Œ"ðqvÚH•œˆ–o^«nîéïpÁé1þpϬÂ;÷SNUC8"ÊÊýÛZ‹Ž„ûã”KA[Äsü»™¿TÜ4þƒì²§Âû-€aí+x
Š¹Éc™¯Â½-Äÿ]bÑšÊ(u°:fŸ_z ¸&ëApП>TüÜ©•ü¼¥_QŠ|”‚b³ø˜yÇÌ7~Ï£a} Æûê¥}«TD*¦¾¥°›úâo*—>Ãtþê&¬—ô»û¤éˆrG	Ù*ŠcEK«¹ž¥`%F¾$ âcþä;/Ç]bm*ëMùÇo”´Tø&¡röã7¸<&ªZÆcam2Z&´C£´bE7ï~#+¹ínæ[”•¢M]C€Ï¹	
-õçY—sþû
¬Ù{øv—²ÎP½„°f°ý•.Öp„wq.›ôüåœMfY?EpÞ=Üðf‹h@?¬vüm¢Ð
-¸3N½{z±@$ý'üåùË‹=nÙ)Ø[Å>OÏ
¸Šžã!@….aïFByT1·Ãnïýê¨75s|ÖªÁ*-µ±hÝôVÃàùž}Éí8W-Vz˜l|›<ðÍD$æe
­µùm¾
â=X* Û6šKdYÝùðEª²ÊM?
-ê»zé;C BbRJ1˜Ýˆ¤]ë?|ÓòÃå5ûÚBëßÅYçñ… ‘í#±pqž…°Ø D)U5¯34ùãîÎÌÝ–!…œ]¤ÞÍ¥ZQU–Î>mÆÆPRbÑ\—÷µã¢‚Tæ§MsЮg€žË'7
-
av£Jñ¢‘Ž•:ÑFH¨pˆKQ:¤ûëâMÖ:§,à”^~äD²ŽCÔG™œ4°3Á¿h©zòGßLÈd[ÔBäÏI’“þ¬öý`ðu'Þ¼yÇJã­1é$¨|z>н·ø¨¼”Ñp«}îü >êŸ~ý¹¡)從mp-n¥RC±¬(Ÿ[1I”‚Ÿ…Ž®eŠDž‘…4¯Ë{´Ie¾YNDì#Å R? ~S¡½Žg›ýßh-_—É0=QˆreùNGBìj'$ߣûI®ŽVf9
-›íï/mí–ñ"%ƒ©tª²À#%)ó/ñ¼Qé÷gÅ6glMýDÜf›ýAÓ2Bº©zU¡å^<dÎã‹…Å¡w‘ÐtÆ
-‚®ë4›_¶˜q!~8hiüÒZà˜l"__Ï$½Í>ì¾mß
-Oæ"ÒŠ’º}¨À›æ]JéN|€S.'n”\åm›lE
-®ìXà9@å÷@¤ý<ø"ÞˆI†_Cz¹MAùâëß—QešM;„Ž§±reÂ÷ÈÊ­©2)ÊëÜ-̳§¹EcÊçêi;”Ë¡Ñ~"WË7¿KÓ…ÿŠð¸Kp¶kj‡g•ç—ß‚¥QO½¤úŸÕÌäš~•Û=pŠ1kñÀ	w&•Ž¥Óó\b¹ŽÔ*®é (lv˜À*>$lØ¥°Gl†VrŽîÁ°äã_V~üc©‹dÉÜÀÖÍ_Œv?¦òfLç2j"d`2ø…ÞÖ…K«©êJ±f¯2§Ë„ÒþDcBµ3ÝŒ«ñ;“AèD—Q÷‡°!Ûr›½:y¾3Mâeºk$[UúHé_:Éd 7±Õµ‚~0›ýñ—ÙIQ$A¦ù!ý/ª¤-f—Ý|ÕùT`DI+èwoÑŹñ«Ÿbãï_+qÉâ×ñ¸¹lCƒRÿxCä&7¯˜Pf<*µTÛÅ9^
Fݨ&/6¶qv:Iן‰Ær…FÊ@}æ/ÙÔcëeèL¥ òÓî¾cÓcD!Òy{³zÖ/Â’ëV9?\€$£ÒY=tÃS¤—&Å:OõÄP%‹öðÂøÃw>û“¤]ëÝÔÎèžpoß+/&®¿º5‚ÝQeX?¾–G»!K@ú¸¤¬u*Е¼É8Z­°lÉ,}.0^ˆYÜ0$kpåJFÁeu5	,ñ?Û¬H"ãØz—´v!Påê î§>2ɤ&9¢‘kÇvDV~¦Ç&ò
)+CÖyUmh•ß§/ÙJúÃiŽQ‚L
—RZ.º%íºÓŸÝ#Šþ"™þ•”åîÐ{µ=%üÎ`eö÷­ $™¢ÛräeŸ¤ØJîŸ-ˆ±šÐ³õÖBˆUêÍêpêªñ>Í×äÛ*ÊS,ÒÖ¤ù§ÀK_QI
4÷ÁÎ#ª:VGc–öÁHjpiµïùèé/•ú>v`?ˆ0…,<–RËÕÃ	µÃܽ±.ªúîkAB—i<À.¼?¶³ÒáÕ‘øR4'Ê~¬h9
mK_µr6¢æ§‰²¾{¼~¿{8Å}Uò7êVåñbž&ÏY‘žh+Édµ[Îò¦ð­{Nc9{î}Ž]}ÿ²œw•‘ýõ’¶d„KSš°%Nè:<7ÁÐkbÁmbá¡Îk¨ˆA24?±›Ø6¨ËŸtÃ(œ×¾í_ZR	Ø,ey1°ÉùA*xÝj*­räΦÀJ:Ô5Šñ{
u4f>Gð=Ôê";èŸàº–Á–Ý…»Æe>
-àî·õD¯³3ø¶p„¯kd¬WNd]¾Š.ӽÚú@Š=üyö²œ¬àrFx/EºÎƒ1™“NR²rß6H½Þî`POx÷Ô~Ì)ºdžùvU3“E$êª×kˆH‚h?ÌSu°¶Û^ˆÑ£j;ŒØÎ|Ðïü¾dp$“ˆUÙ3)`¡²ì‚ð†|3—µ¢ÑÆòén\9Zø2åú~„Í“.ž~ÙE-)‚®’´Y9Ð.Å
CÝ'4“Jп„öÃ^µr©Ëëo®þ„-[v
R¦ë÷Þ¿f„ØU
èÍ뤘oVØ.à½8/é{÷æÄÖ[‰.èÖÈwdû^-kž+ˆH0KCÀg32p*lã'P!åðw!£Úú9}Û‰˜(£KÅ—úÓ|³þÀâ¶á±õÐe- »~4,”¿QGÎœ«ìv?Üyâ!™Èñ—1³ä‹„d¦/G“¿T§‘¤—YÔÜùì:“0ðW«ÎRçu¹Ço6ld“©ëÌ1ï"
ÞyÅú¸œ`Ñf/SMsŠ`m˜c¿4!‚ÈwÁ¹ùµ~oúÖ¸íD‚Ôcçg5¨$úR_äQ®	6åo‹ºKƒ˜¥0£nÆ/ò²{36ÿ®ð?Ò®
÷ísšú<¯{ª;¾oZä°ùã?©-ˆ€ ¾ô¸?ìN?ó7Gkƒ½?Á>‰rø–ì5©Miàå7¤ªÚpkPÚ-¤£ÖúNM¸ýù¾2ÏPR[õ”—Úý·gõçòX£9œÆB½6®æðìƶ¯(—m’M
-ò‘ñloa"UZ&öÓ…Á-à˜ÉKU)1ë<÷Â÷E1õÇŒZf,m{€‘Ç4²”WDäh¹£R;d
Ò1¡fŪ'º8*HcÅó»WzycÇn¾¤ÁÙHweŽ@%…k.ÇiÛã;“?º“iÃT·âK#k;Ž÷_–~€°OÛAç‘® }Î,aËoÅcv¿TÓCÎN®cÔ®ûjåR7ߥ-/û½çÓÙ°€ ªã¢ƒ¦/Ú]9¬òáS
-Lþ9ÐkF 4§¦´J7¬Ip,óOÐ…Í~bšö,Óo·.ÂчQð‚AŒáŸÂ·dtJ\å ”i'ÀåîëžÇCùWpþóðmtáÍnÔ''òÝʶ#nÜLaB¢\»,â-,CR§“¼OzY\`>)4¡8)¬£´ÀwBTêµN¶yæ¡oSr“¥åÑò”ñÛ‚ˆ'hM·aCo–…·s©´íxmŸ‰’f#
)$¶#ô®¸£¨’zóÛ6zÙ¬—øU@çKÐîS•"ûïB£ÉûêÄ­¤úp>/ã}d
n	ÏË­»ø¼ŒËV=L×øtä1hv©¡hê>ŸÊ¶YѱŒh§~3rÁ\ˆ¥@—°¦v–<@6Ý&‡H2Q–ÌïLNTñè•öw)O’`Ì7@J°nØ~v–®‘N—HÎó›HÏ#çɃH­n¾·#…½ƒöÙîšècr=qמ$1céo7/ñÍ¥ÎR%L8*´0Ù·Î>È!˜ûŠ(2^·‡VîŽYZ„lê‘AÏûRQtµ’;3Ÿ´LåsAI!©È
-o+-u¾r¿¤©q(ÜRp辧ù¤×8 º~>ÅûfÐI¾à‡ÃçØýn^=]®u—™nu˜§Dа¸fD¶€Ÿla Ô‚E·DøUHèCbGØ”"Ý…mâŠcS€{Ÿ»›GRX;'•xÐÅnÉS!n³ø[ËÊö—ÑDÀ•\Þµ8U>Mƒõ3,à¡’Ùèå߶’ÏAÚ¹-¯Cš¬™K÷£càUåBû›èî”ù6¥ìgøU¸FƒVˆÉaÌ°6›N4_@“ÃuÐæó
YçÊTσ3"=8\RezôÈ\îõ+4¢”½Dqì,Ìçõ
-2—f¤J\jàÊø5Ëaò‘†ýìÖHêÔNã{Ÿ‡ÊÇ°Nx¹Ìdઅ+ãiÅilyÕ‘,Yùö³®VÐ×Ù¾„ã
ÉôbÔ·’ãáˆå]í¼}ŽòD »bÄoFRÿ R©[RéµhÕI6h7ò‹;; Êvl”Ñ÷h·mÅÒÔ*{?•‚5 ¥}l·à—Íl–D{•žqžÙ³º˜c3vYsß.輦®êUC«”M8;þ™ÅàÔI•h™Üÿ·Äé@jbÎÊp‹7êâ›r;‰´ì-¡ºáÎ>·ˆv"Ýä…'ûÚšq½;þÐß½‡³¤SÓE:s/¨r¨‚‚í³ ´Ö¸ñäNŠ¥`—c*jƒi¸.J»üÕ'´*è}·–úeT¶5sãÙäźPɪ=?¥‘ß±~“ó™ŽÄh'“®)ŒÏ¿Uë8¥[̕Ɖ×]ŒŽ;ÕEˆ]æ˜ÿûCôWT0i˜Òͽ(K@ÚAú︌#…_VÇ
-4¿JÓ7YS#N§¡-YÖÖ¿*ÞÉ3+Vè´[}Ðdv˜·Kê¢_eØq¿¿GÅ­0ºwÉŽÍ¦b~'»xaÀÅÄlUJ›ô™bqÁ¤Œt¼¬odcºW\|gtí,гç<¯ø,Õ{%¬ÐöB’`ßÅ9ÅPÌ©Âc9훳8ñjµŠü\%÷ãâjÁÆß'¶3ðt„çg‡*ËãSÌ<ö!‘|—n>~Db…Ï¿5F"®:nÂ
-_°4Mtj6˜¦Â‡Îf$®Qæ%¹B[Ï?ºmÂ'LÁ­†*Xs=šRKä¨(Ù…ÆRßÄ¢–»ðXŸŠ›I=L.ÁÆ)Æìí¾7ضª\daqCF<Ÿ¤‹bÕgÚÙòDüÑ×;½¢ÛŒÃ&Ž½15%´¯MP³2`?‰ØéTÁÙŠddÁjïà׺Äßꢞo&™Ri¢h&ÅÄ©~ïKDy¡m&Ó9ô­Ü"dj£òEìÝÏáiõçE%“Q6}½RëÙÅêÿԳ㙌ÚÞÔ‹'ýÔ]Î='Ki;¥ÈüBCVÏûŦ¡Ã Ô€A•h`Ö—jx4wðÆ¢jR;t¿Öâ×Ëv6Û¨Ÿ™4‡:ƒ›qrã¹dy§;ð2nb\†ãï„Óéã£ß%ÂGì*9	¦*ÏuÐÙên6´‡ƒY¤ãxŽ|NA«
ÛzXÙÖû
-@/iã>P%.LHNúÛ~°I¼Ü ½¥•>³¼Ó5SØÛó#:ÙÞ§N€w!QññyüÍqocÞüOœG1½êÓ,eg³.öi™Å×P• ó“šÉïPàC#EXIó
- juAÌ_¥Á™‘
&–… Kiå'¤Nj‹Iãhú	!XÁ‡èhÚ#»ï…
¢Ô$±|ê»ÏŒ8Á° ?u÷f•ÞÚ{¡òà3z'$Åê+•à`¬ˆÝ€Câëy2X’*KÍ£\ýôá}
-e/á<šL!¶á1ý¸”£õŸb†@:vÕ>Lôe6)
-ÍôP«-€Žˆ¸âu¬Oh>·Þ×A¯ÝA´3£
-1&|¿eÈ«ÕˆKÒÓVyÄlƒÐ°¶Kþ©Ù£º†!šMsèÈA{͘—Èž±ìEQÀ·K?ýsüŒjáòò@ˆðÊâ!pQg°xQn¥ˆ1‚q¿ˆoýŽGåÁÆÏWê’rÏ	ÄÌ¥ËØä°½°)ØÂéoN쥪Iïêgß¹GÕ‘Â
WÛŽˆ~º©ç2H.gŽsQÕE_VD²ÜUÝNíz'£”^ña™àæcÒ|Ã:Â>·k™+›ò&{½2LïL>ÜöL€9E
-ܻɠ/dö!ô"
¶Sªl€2ô&´¤ÿ77L”L§còŒN ì¯6	±UERáÐá?2ýé,Pd=SêãuãvFoÁëßiùß!4ÉZhêå,
:×Åë@\âZŸ:ôEm+u;ªz¡PÚ¸…Ú”Fy/ûí½àL‹÷DÕètÞE–D9[ˆÁXßææC=¢˜YÉ{a’¸Íεü–9ŸVdÙÜ
FMOè5ÊùýÑŸR|ÃÛºã;{˜¯³U­#m¢n3”M ʼ¦¿ä[¯˜qÜÙ®T¿Ðçè¸ÒÉ.Ãe>k±G^ƒ^Ät­á·(e b3“…$mOcÇnzjÓsêêW
-JY­på£?|oû9|ÿìUS“‰ó¥A!0—ÅF‡_|Ћã°<§ê—sÑl­É†÷÷ƒÎÝKEZæ,!i3¯ZSŠ~Åe|lø_¨Év*lÚUð¥?7ÄÁD,BªtAå?„6BhJép4„hYÔˆªGÈÒ³ÿ¹me“\²& P´µw¼m=ɸ9ˆJkÊd¿@¿gX]c0äÞî´T¿Gœ=¾‚¥“÷Q¡A@rÂÔÓï
‡i˜øð€æb—Hã€û™ÀVšM™>ñ„V'ë„à¹VË2·ypiÉA.ç¦,]Fa/”ШŽóvƳùø
¢Zb‘{BfèætC-·¥HÑœ…lƒéåE”p	œžÖ(Ë]™p¶Û?§8@ÝÊ?•Kõˆ^ëzÀ“ÉFf‘BçòlSg1TJhÔÒ02ÂóÅù|×®³u	)õ’ú}ë÷µ-8P¾ÔuÊ£dÄ‚ˆ†¹NÈ»ŸÅ$Þ/QÐèG˜Ý’ëÊ>9T.¼à¬¶JýR;.ŽÛ¦é,fä¹à•ÚDØqK4–1ÃMz¤ŽB¤lÔRÑsâYŽ õüŒ¼,¿;oTâ|Ièo$Ѩ«Ÿò¯@½j˜M’BR†ë8j‹Øש3F’šH 7ÛYŒ;{Ož¬À¢è¿ÙsÞó›êóûu4‹ÆŽYõ›rlЇvÜ”öÓ¸w§²ÊÇ%ëDÖ2×¥ÑéÓž©I£%µ¹²\øÑoÀæöŽ«N˜ªT%˜n; µ‹ßæp/È(­¡(~b½€±O¼ŸnéÇI¦¤¥i)Cf¯Ä—Å<¥ª™­æê€né€ó…¼dñ…ß”ÐVrÁªûÙß·ŽÞ¹(ÃCCóγkU)P,#lÅôëNk¥Éêãx “Ò¨-·ûhχ¾@†uxraaËËqá	ÆÏ~\™,¦>k_AÅòþMôŠ _[ßñ˜ÜòˆrF”A¾áïa ðÇQ=Å«ã7ErÔ@ùGG¨eŽÝˆhC>v?·Ú嵟#l¹í.ÞÀX¨Š¾QOgNsƤTÉ™/ž!”"G]áWrð¢ wËSˆBs‚Ö7s©œIÅ3#Y¤±°à{Á¡_OKÝGµ–ùªúÏq2š4ÄÄi2¯V("icúéO7I¾Ãƒèv7ÞáSÒxü¸2š
½(åþ2ôI‘¹QÓö©íåkLX§N%¢TÅz»^À=ç¼/¯À(åûºË'§kÀ—UÓ<¿Ä°Õg®VD‘ýC€‘¦,ˆ<û
8˜{$A:—<‹7)u±îžn 2Å#ØœH¿~-4¿/E£àOÂWWíÙ"t£-¦’­µ¾½Š²hØ–,tqcD>„±=6ë0ŽÆ)LHtè~&˜›V…½ÜÈÃú0ß²cˇw‚^oÝ_&»‰™È­ðÏ{ûn	û/B4%mkñ[‚ŒT?Gôõ©€EãŸ}ÒË+~ÜÞ£Ux>«$¥–&[‹‹ÚžŽ¾úê5¿5­Aô†%nIbò¡ ^œ²åø᧠A¿(¨|}„7Ñdåb;†F—³ÆÚróý`òªœúÅÖŒÉ8ý{q³f–'©]w{1™8c‹Nç8´.6öºN§ñu{ÏuK’Wæ¹Od¬ÎÖû^ö$ÅÔB쌫”cŒõÒ:;vïÉ º›öX.4¼mg—	š­¯A‰›Ðц!òÃíÀQÐöÔMÏj¬'ÑnX=…iâpe—°DµïäŠ6Ì1R‚¦¦•í¨×¥x¿È¤ey-­ýV­ˆ¿øÚ:AäÓc¿­jsJÃŽ‰ð´G5HæÓöK£FÉ–ÿWz¡jñðëéÖ
-"£Í­GÁüF:Xú!nFÌ4îÁešƒÐc,щ¼òú®½[kIãH×”zÓžZ"Ü˼úònË…¥Z«œQ¡b쨩/d‡F³yÈÓUæÄZù’=ÀÕá”±üè/Çzù$ÚÕ®kȺeˆ—h¿+
-jº¥ /Íù/p]/n<µÛbŒ^Ðuù@{eó;3#h‡.àMcLÓM2Ùœôcã¡åécq{øjºR×s{~ÛS§K0}DøËLö,Ÿù¸¡JPÛ0j ØñIxTµž¬
-dò݆¬ŽqQìÜÀ8•Ë´3Õûž±ugÔÄ!pOä_;݃…Ã’ñék—ú:ÇŠ—ò¦©§¢ù"#¬¹K§Íùýh ¨q|Ê…†RÕpœìñÒ¤2Ù]ɬ˜Pà^·IÇ›y
åLfÃòÖÁY«_
‰!`nþèöv·Ýj£?+Å…_m
-‚¹±Tr×Í»›îýŽ×Cjú‚ŠZèá ˆ¦É@ûìÎð|.I¦××cÈ5Â8yö%sà™°vPþ±÷Véd’Ç¥±£\
þŒ$k‹}R{’¿7¡‚ƒ‘ì˜\ê“‹3«Âô[kÞzœˆŒ‰q‡|ëP÷o¼åVþ@_§ºª
-ñmF04µ3NBÔ¹ýWüü‘¿¤ÕÈï“"”;æFLîdÚêUÛåñÀÙˆ^ýŒVU³@²]†¯d¸¨ð4}kD"¿y'ò<ÞÛ[õ¤Zu/–ÞJFKÜÃî*êÚÀ®ìgŽÉ¬æšuîƒþ;L©ßÅržyX¦y!e¤ÕÈÙ®¯ ‰H¤Sæ§Ö¬úk»ù0¶É»ýÄr ÒíxäÌ;íBÕcÊÃúÒ€NG•þE3£(æ%c-ºt;FÀ¸²³JA1=ú@g­ØDbS®O²>ÝÑJL,]Nõ½iÂù¦z|ö[½½tñ+•wòZfk=¨öœ¾UiHJ/#d7’'#n¦í‚Zôj«ÉMÔJ¹}"ŒÉtFO¬ôzÈi\ßàçi’­3ÐJQó»Yš{ÝGJ­ò¶r;bëGàÆ ¥À™t]ŠðøG)<Ã,vÇŠbF¦;OPY{Uþ›_Æ6]ƒa'ªÊ§¹°Ö‚Î×MÁN;zI¼¼¸½yú÷C¸· ÙõçútêÔ¹B•žã!Ù³ÖýÃæÁ…t)véGê0¯Óß-ÐgC8/'Sç•×D£¿Výçü[¬~`^}G»ä4¦É²Êù2£
-9«BÚæh•ÃII0»=bTÜ¡¸€òΞ®ÿòëæÚ,äÿ4ñšãÍÇN–Ï=yâ<3Y¨NG«À.GÒÍMåø¾ÛqäQ¥$¥÷²e²w¦€ÞÓVßàuàÇ)La‡ÛXÑ·QeHÌDËͬk(y`ÀiñÚ&ØÅ_¸"º€%ý*'fÔ|5Í Ð`i§mE_Œ
-}
-îýhN¹NyíÙä€ ˆ	ÉË:ÓÈjž$¡{m@¿»Iï1<¾Üæ?s»8«¼q“",·ÖßT	fYsÝ~2Õ7=³?TaÚ0Udêò¢àYï«”uÊÈy
x”Ý0(ðÅuUãÞ?W¨uŒQ%AWÁapyñÓ¥ùjÔߟ‚ÁÍ]©²ÞIåvð&èÒ«ðÕlýÝM~â{lä}ƒ:ƒ17¬§}B“I8÷˜®Ï)ˆ³]B~R—~‡‘ZìS“ãsòlÛr—A#`eínò	qÕLo¤•ª±ª&,êÊe‡ýŸ.˜j)D,Þf[U;6HÆ™Ÿ½e4ПO<œ±©Y ªFMÆ/\Ñ«+-²¼¬åÕËóÿªì-ÛÜÝÓÁ[™ðzˆÞõïýŽ¢'¡_–a½¯øý^“é<\š°—KQeQ@Iž/öʱ©=4V_þ­%a
y]+¶ÚF$;ÓŸkâêæùôèâ@¸Ï*xìT[•&ë­©ó&ÿN8|juÌ¿Zr›m¯ƒ-‹¢A(#15ûE“¹Ûºß—½À²“*4˜ûçV]³Bs%Ñ·X2šc®U]ñˆÞðƒÜ®Æ¹¹€ùÙú4]H€˜Gân®Ú»öóÚa‚‘(Д4ç#á»tI~ü«{wS2Ðc5ìϱ«o!±6Þm8ˆX˜+™ÀDÅÉIb­t†Óp7³´áo3 ŸZ³8§¯õ ªM(Pæ“s[MæŽòµVé~1”3}Ø®ÖNµ“ŸO]DžxvP1/¾ÿaóÖD2–¡bÌüé1—nœLgÆžµ:—dì÷ëjDžF7:†õ¼Ô08AG{ø±š¨Å­RÒ¾fHw¡ù4|ð«äNZµî„B|„ô˜’â,$¢ëÆ—þEˆ±«-5i‰^QÆôŠªà³.ðAY™q
‡Æ¼¹æ8C#ÈyG¬2F̶­Y ‚i§ÝÇþYÔZJ8áeĉ=IæL»Ð‡Ž öÔj?Ìöó¥ÑÜþ3žŸ¯tî<5nv¢›%ÁÑ8Å•2á—Ók£þYÐO´ÕÚÇBùzø.°ÉnõC`'b—Ö_ܹ‰ù¿ƒ„½Œ!“–öK[3Ú@Ër©vÀ@«xÙ9…‹ .ÞrXÆÝ‚ci¹¡±¼h[ú&ùHC’R TD'ftÝŠá¨Vœ8ÚÄR=æc~s;çðgvÓh[êO¼üh¬©…%rÍ:£½â5VÞ¹™ÃÿÆ|G®°×ŠyEn@x2m5\”Ÿ²á`ó—f¯cmo¤]ßb©	#Ìc]l6ï¾?{íåJÃëý'g‹ó
-åIÐ"é´‘E|­qoâ6eâˆgUÕ,Y¢;. éB,y)|U©îËâ:ÄÏZßo8d(ÒH1ò"hœÒ
-
Æ’‚œ7¿©ŒóñÙ—P(ñ§i:Ê©#.+èÞ“q„öÿ™Æ¼~J¤Ã¡Î«Æ+<ÆnÛNÄujTØ}p˜A8ßKÛ¤¢†8ÿ]Ïh
-hñÍqåÄe `]–{<,§(°€¦®›
kø8æû3kÆ‘Bõ°ögE ÖÉM´¥Æ\#FÞ6Ú3|lþòŠ•1YœÉÃ4C<óä6GA»ð
-µrÀ,©R 	è=ÖRc)¹õfq?ehL@ô}
-¬çÄÙ‚mkŽN˜'”Ëm̃G¨ê7êzzœ|‰ÿÓŸ‡µÙñ"{÷µ¸`P?¹	ÐËx˜j—yuZ`™&á”T1†–«óY¤VQÙ1ÝA¼¡–qãÂx0;éyiª¾OÈ]0‹cº[&ئÜv!lµ=“*8€ÞÄPÒò8m?ñS××ΘFÁo»;–©w!4u;,u¹'²"ïßµ$ë<‹®÷wYÿFŠ•Í©„¢8ŠD'0!ŠQv“¨Ûš5ÅtXWƒ©dû;ÁëÏg5”Ê'ºìn1wpü¤¢ï¤Xîêâ䳉ýïFb+ÆÍŒó¾Á¯—qZf[%´êt¡d1˜âXÝ‚¨I˜OÚÅqU|LGóϵ3%iù‘_åQÑù×S}VX@N]FG:5íŠ)Øù¯G´âîûÀ9œ½U©”ìKk§*ð=z1™~EmT„ìì©&Ä-+»B»¾Múáå0y[«Ó´r8‡iLB.%Uys:ŠäZœÜ
«]‘‹àþisTZüÛ×À¡Ì†XFYœé² ?XìBX.ªNCWüB®,¨Æ-$:¢P½‹5X{×A°žâ銽iP‡ºðò°îøyM&JGß0¹³ƒÌŒUS”¡ö¤èúÇ,ÖÜ#PÜ	»‚èˆ3·‹¢'¾Õu‘÷ëêÅí˜Xl»ýwƒâõ;ƧŠÔÇw¿çéölÓ·Šùt+¬gÞz
-Ë”œòL›)˜ö6wÑÅ®èåBÚäŸ2M‡ìy
æh4¢®~R®ãYÈóæìIðd€_œ¿Ò’¸3q)ËDŸóà†WŽAÆ2öÊÉYom²^úw"¢ùæ”ɱ‚ðÚj¨KÚzþ@w"Xe~½¥t8h§ß.þ=m¨ªðòÃeB_‹¤¾üGVq©—–º®×>dt×p>–óJ0 ú~žÉ.®RÌPà©:o&wÇšDöTcƒ› €VóäQ½1‰ûµˆï3·Aó ÎA‡z(} ÄTÖj¨úfXö_¦‹P_@¶S\uö¼wœ¥Oß E½@R΀âP"ÙÐ,Êÿ9]uo¸ØaÆB²î¦eÇЇÈ¬6ݾàωö'F-l‹è‰ø‰ª:«wjÇDìÝœðS¤çk°šiŸ,"e½Já̱oR4®Y~5ßaSØ©²´Ò=ù…¢•÷óÕ™àNãÁ¡ÿ"Ý©õ"ZQ˜R|ÐSÝ>ù‚E3ÍÅQi:kOù¯pý{bÑCýÍdKa™¯œŠÕ)dÏ„©’p5#d©§h‚Jˆzª:ˆªIì”S!êÐØoY‰-jQŠßöZKèÔ#uï¬àuÁ/óз
ð•É1®D£þâz-‹Ô¯þ©—g»îöú<î™Ûj—]åÀüH
7{;§ýéQüÞ‘§éºÍÀ˜ž¯ª]¦ôÒ¶6SîäÖg_Òêa£nŸ.~ÈÎå5#ÙûU¶“’´ª‡B»àVÝ>i&¡Y4ûé…!cÊo™ò0aUz[“ŽRӬיí¥8ËtæfÓ¢ƒpÛTÔcGqƒ>ºgÑØÉ’*RË% 0$ì[}üÏ¡’6‰W¢©†,k6´­-ä”'YRààêË•-rõÍÁ¹Óȳ†º4°:@8«¬$f¾Oà0ÏCHMŸDàVt6£å&†‹æ
ü$ä×7Ô»uUr+YÆ€B†6ÐèVŸÐþ0z¶Ðãcøð•›xD×€ x«#-U
-…ÏÓ¹MШ—iØÇ$ÏÁ¢Mδ¥<¹×åÔüíñ–S”±è“×C('†Q| ™ˆFˆËKÞ¥—áÓðPÌ…Þ·g0.srŽ…Ïú‡·‘Ö§ctw7b¶U!úßÓ6‚äÞ^d¡’\mLë­M¬¢–¹¯üæò3ÿÍYeùõ±öÓ»Ö>ÞüáÅA¿úád‰ˆjðu­fg1m×þRêIH¨e¥¶3O[u5}ŸQøÖ£VkýWÙ­Q¾î¦Sª#
rµ@ÎJtgÂà,Òåi¼™*hÆÊÅ8[Þª0I²«*¨YÙÃäÕüN¯”å×L¡_ò	ŠmÏ0dùEG G%ØßI5˜0ÏP£[t“×—ÀÕ‚‡C®¹Ûeí1— ¼QŠ‹x	X£¾'Sy–ž´6]\3%T’yž•Ô+U]«…*L²2ºJ[	Ûò0êYv!T{E­DpQý‹o6±â»ËÀ–îí&9÷W$8TúÊ÷&™:Ç)[ŒŒ¹ãÞYfîòi‘H$â²I}Úm3zŒ¥¸ÇØâå×ùŠhí×£¥xt—5‘ΨäZín¸Rà}j'¿Ã+y”!^óí'žBÁ8Šâäç›ÓPåzf§"?
-Í|Rêw5(ÖˆYŒ‡ëŒ»hðúÝìŒ%"{ªã—¶ýáN¦'lÄÜ1$»ÆCäI¨xžf_Œë]jU.QfzàÄŠÝš¸ÖŽJ
ºmau—‘¬¡U•ùdæœû3€•~´£N’ŸÒe7ôzLÓùIhª­ûž¬ê¢sõƒJUî&EB/´-«“£FÝô`ëûžb¹øSÄ4H==ŽÈ€ð<³ú¤À/)hp1ÃjŸt²ÞkH¡{ò°åOÿV3ÀiŒ ŒŠl,ÃLŠ>s‘õ›2³@	ËûBÿtºÒoaõ¾Ñ•®ã©§¬íËtÇMZ¦:€?K>£å$/õ+ñ~[(¸‡Ye¸ˆË±qÉY˜vâ·ø›"»÷%3©½I<:8Çãì¦-ò'ª¥î–¶œök§ig*†(|+þfÇ“[ÐPžÒù‚(¤í¾ýì-NC­#ÆFœµ€ÀZû7Ã@å×îå¬dÀr}¢l-ü¯ù‡	͹‡ÒnÑ °/}°½§“ºV 'G.ÉD~b}쉡?‘0ͱß<—õèms±YÖL8ÙSÅ÷2t&Bá›»O×Í}=âŒqûvŠÃO4TxŠÜ²æbsïd9´lŸŒ­ƒË½÷Ñ]E3ÆQ£žwFÕ]Ç¢—u¸ì¬ÉÁnÌTPùߪ 
-6Ä¡àЕ–DßÇUÂ5Í;á]{Q³„‚›¾}Äf€70V6dÍ×ÿ(‰íëRî[ç&¥ËHç¢2›nÅá‘.J`Ôý~N¶òq ^šS¿ÏÅ;D5¶ðbT³‰,Û±dž±Tاõú:’®¹m'Ú©¯ø)Ó¯‘o‹^Zc”>Eì8sëBºôxç¿VŒ·¡ÿvA«sû1¶ÿª§Í*ŸèÚ5‡…auàs–£ŒÅb=cI­»„ÿ}A‰—ÅU¾_X~&ð£Â[&´­'8±ŠEí½D=ýÚ·8Gæumð¬¶ZxÉO…‘2ÅY]q ˜X*=È}HˆvÚãÝA:qÎ.šµÖ'pìAMÁ¦í¿)Cn”+imO#íš„W3‰dŠGº«iGÄÿ¹k¡-Äyi`!ûáœáΡ‚3{"l0äêí”N=*R&×Ô£¬“hbþ²_µITÙd½XÄÿ¼™;&	®8
-ýr;h{÷cMé0pöžÖ†±ÝýiÕZe2‹±[åc6H¤:v•¹¡Z€!AŽ´li<Ÿ1•$Ìéaƒs“ñº?ÑÛèÝi?=e¢ò¦v×`1íÇT§ÔµÿTä:þ2\Á4·&B<¯ÁùТÂå8»D“_¥$nB‚亹„«÷5֘ɟTO¥uYäãfc“¢
-Æ“¤µ`ášÐá?.CÅ|÷šËïi‹?ATN">kO|M¬6f:ÃòüÿÚ™ó&à"÷ò9CÙrÄØ°<2É}Ô­m嘳rÅæcOâ1GŽ¤YŽÂxÎYîçHÉmÆs6zÎ6¼È5•÷G¼ßÞç}ÿ€ïý‹g\¤oìÖ;aÏ´eÚkU5¸nÅ
-FÚ
-¹€ytOèeÖ¤½K;M2˜OûàˆJeÉ£ÚX¾âõOi{
‰ØlE—½§ê1ºŒzfÝã>"Ã8±ÞN¥³ÒƒBN6©¯êt'aàÒœ‘ŸVtJiÔé4³<Ó«ùkûå¹Iô/M)äÜ)®¿º°"ãsjò—xTËê 00­ù)ôîæ=<›ÓÊÈýÆ;¬§†ê?´…©=ÇðMà?èÉ4‰’
-f&‹ÌC\/øîO.Î$—_¯~v[žGÈ­›í¿ý’ý8Êâš6iñeEwkšI²¡
¾«nmýK¼±¬bdŒ³µ­îuqýBÒ*i%eB!Ì8®Ô #ê±ð°žLÏŸv
zÞ5Æn<ЇˆhfNÊsÌí¶4~‘Tò‚µð.o3YîÓÄÝnÉ–´Œý£kéïykíò›ºØ¥œ¦f’´Ô	à|â"õ”×êóƒÈwyKÅâé?'„×z.ëúÆ*‰æÎÚôÁÅÖÎÅBÎÿ¾”ô}±Ù=<^o’xÇ"mý†t÷¹H°Úè_ò*k0é™ûÊ	ŒÔ¿øê0ËçrCcg Zh\6=£}ÙA_#Éø‘nÞ«	sÐSVye÷éD'²áHî<åÚ|3ËÁHÊsG
?6â6_-©R´&&b/HÇK–ÈPS!ªmñ(!-ÕJm–4ctkƒ|“õ‘”“@êþ,Ìp-V¥jo@¶ÀðŒmPœ[êèÀ[$©öÈwgiýµã{KIKïëmÙ%<5ÇÕ,Jìu¤[q¨v³ ÿ’ØÿÁ"ð
öÇEÂBpAbÿ²÷¦endstream
+xÚ¬µct¦ÝÖ%ÛvîضY1+¶mÛ¶Y±mÛIŶm[õÕsNw¿=Î׿ºß×מsíµÉˆ”è„ŒíMÄìlé˜è¹r6†.N²v¶2tÂvÖÆ€¿J622Gg;[Qgn€š‰1@ÔÄÀÌ`âââ‚!ˆØÙ{8Z˜™;(U~ªQÑÐÐþ—怡Çÿ´ü=édaf ÿûãjbmgocbëüâÿú ’‰	ÀÙÜ`jam‘WДPŠË©ÄMlM
¬
+.†ÖF#['*€©#ÀúßÀÈÎÖØâŸÒœèÿb	9Nö&F™¸™Øÿc¢Ø›8ÚX89ýýX8Ì
lÿöÀÙ`akdíbüOõ¦vÿJÈÞÑÍ_Û_0;'g'#G{gÀߨ
+¢bÿÎÓÙÜÀùŸØNÍ;Ó¿žÆvF.ÿ”ô/Û_˜¿Vg['€³‰»ó?±MÆNöÖcÿ³w´øW.N¶fÿ•-ÀÑÄÌÀÑØÚÄÉé/Ì_ìºó_uþ·ê
ìí­=þuÚî_^ÿ+g'kSz&æ¿1œÿÆ6³°…aøgP$mMíLŒÿÖ»ØÿO›«‰ã¿DùÏÌPýMÂÀØÎÖÚ`lb
+à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;ÿ^0€¿Æ øgÇüÿ|
l,¬=þÞÿé¨fòïÿO ’ÎÛ dkö—
+FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ƒ¢¦¸ŠÜOšÿܦÿòRø˺³²‡ýßÄþG²vÆÿKøCXØÎàEÇÊ cæà°s289˜|þÑþÃô_²¬³£…;@ëoÉŒLÿ*ü|ÿ%éüÌ[#;ã¦DÉÙÀÖøï`ý/Å?f#GÇ¿|þë®ÿ-øÊÿqw#˜µe;#ž`Ëô_Îu˜¹#“¢Z}L #!ö¥ÊEþ5v½~éá»\•úŸµ!ôMÓÜßíKçö_‡RÔGc}Ö½©&×ùx>$TýÈ[ä4Gº¥ðjÑ^7‹2;`šìŒªG{“Š?uK>!ð§;Y¡n^¨üI\üÑHŸí|Òâлš€Pê
+Ï/È“N_ž)†~Ž÷Þ÷âÒäÄA“ñ¸‚Á“Gù;äà
+hªTzEP/gŽOZc^0šõŽHr>b°o„3…ólUŽ¸ù\cÞŸÊã+ÁŽÚ)Ž¹\Z9zö'Íõùã%vî4™’wÝWw~¡‰'ݸHëá­³ ò¹ç¥cÀ™.×ÄHºFÄd÷çÅ;Ãž<Çðî–îA#	KL„2uÞDÈ}e%«žÙ«PZ£ÉòÎ*"ÝÕ¸’"yôôgpU¥ÒÖ¡²e¡×y;/…Æ™#gÌã•zoÝõ©‘ã.Ð{|—t‰«¸
?ýè:Šyù F}ÜÈ£¤ïÛsüj¸8ú³æhªw^}ÔUU]ÇÀäTN}Ûc’|¨ ïU[–†tÍØE»*¿/.€Ê6Ãc›¤RËnÆ»qÌK±x»ô½^ÄTÍÒ®ÆMmÐ:ÒQDèÍù
+I°­¦šïÅs[€ëÍûˆ”4ez99Iü¨$‰2uœâ\çGj¾ÙEæOy£Âm™,7Z‘káÇ&•Ï±_®ìûÝ?±d>‘‘áñT3R[&·~n<箌÷h„àŽõÅ™*¬6Q?¶‹+`yëÁ–V­Â{­=¹4t›U×t–~|b(‚órÆÉ2k$€ dï›a»ìýmšQr Á\MAý˜E¿V6"rsòhE»$Ëý•~UôQΤí—'»2~Ê$‡˜Q Ûˆ¸Þ"œH©iù0#>ŽMC«ÌJ/ñ“ßõ¥1ÂÑö³)FSQ+LEt-£*TqlŒÅ!sð¬lÔ5ðØ•ó
u%d,½òø¤AˆwÆÎ^Ùè¾h÷+Õ `-7xÇ-¨fÚÔ{Z³–­^PÓLNÿ@‡[IßðJ¢»j‡g­“kÿ
GÐÒ<å°Fe4>|—be‹(dSéf¬xV¯ù‘ØNúj'1,8o„ÝДÔmÅ6ê–’Sž¼Aµj8*Ÿ¾í†5­úyþ;çp.pô2ØZw@J¨¬Ì– ê)á=Ή虑VÛÕ´üì­i­ÅúÖ[›òã›ÕWŽºã2$³jG;¶œDW†bp—_í!8úkÏÜw…j­ÆÌiì ';EÈ®ç<Ëñâ½´#‚sž¼Ô
+?wËt@FIkÊÍüR´,©ôzÂ&eP«Í§ ½w­6ÃÏáDÔÇú—r¯ÊÇw_šñ­Bä’9é%!ÈiÝD^VËÅ¡þxpb?˜;ÁKB&TÂ…ÅО
ß56‡ÈPoA
£|œöR%'¢åÛת›{ú;\púDŒ?Ü3«ðNãý”SÕŽH§²r?Ƕ֢#áþ8åRÐñÿnæ/7ÿ »„ì©ð~`X»Ç
+Àžû`àdEƒbnòXæ«ðEoñ—X´¦2J¬ŽÙç—.Ézô§Õ@?w*D%?¯CéÇW”"¥ Ø,>fÞ1óßóhX¨ñ¾zißê‘Š©o)즾ø‚Ê¥Ï0¿º	ë%ýî~€$iú¢ÜßQÂE¶ŠâXÆAçÒj®g)X‰‘/	ˆø˜?ùÎËq—XÛ€ÊzSþñ%-¾I¨‚„=äø
.‰ª–ñXXÛ†Œ–	íÐ(­XÑÍ»ßÈJn»›yÇåC¥hS×àsn‚ÂpíyÖå@£ÿ~kö¾Ý¥¬3T/!¬Ùl@`¥‹5á]œË&=ùg“œ)HÃ:v*æ7ÇðcÌ
/½¢Ë»eàGD2œõñ³.Ö&–~:IÇ=iä’踒’¶;ÂÖa
w
+ ¥‰2ñ‡¯zøï9ﳊW0S)äš"!C7¢OÖÅOœw7¼Ù"Ы›(´.ÂŒSïž^,IÿÉ#yþòb[öEÊöÂV±ÏÓs®¢çxPáKØ»‘PUÌí°‡ÛûE¿:êMÍŸµj°JKm,Z7½Õ0x¾çc_r;ÎUF‹•ž&ß&|3	¤yYCkmþDF›o€xÏ…–
+è¶fÆYGVw>|‘êŸ,¤rÓ‚zã®^úΨ˜¬[N|?©×ÚeûŒ‹mà÷öÝkl–CØx€[Ñ«âþv0zèú†³RXqºñgòØÃ9sÞ²ÙçFš¦ü#wÛ]NI²û÷QNÝu£mcû_×}ØÞˆ4—öÀ·Øc¾æR-I¢™<Ä((µøj³#þ3˜N_tžšôú‡)ß—:ßýZà¿ŠéMl>AÖ[[˃ù¯&»Iúƒ0Œ1s¿g^9Ù®ÅåXÖ?Äyâ°Tk1Žo³k†×÷u±Ò–X‚û‘A¨]AÆ!÷@wN1¦„iïeÌ®û®WP²ç?ƒê„SB7L‘>	¼ž°!¬Dvšp%¹m!¤úÉ`eÂ22ê¤_f¾0-ƒÔâ„Žœ¦³c¸Ì79V|óJM`*eÕÚ´ãú·Ù£™4l¢ÄühWr¡ˆ[æ²ñ!kI£UTßJà‘Ÿ¦M•öѳ¶Ò1ú#¦Ì×sS·øÛúþ0¡ÿl˜îÑŸf·då{yסžàtó;(ÞÉo†ˆY'ù»zóÜimß߇}ª'oÃúO®›6z]ãÔÈÝÅÀ¿î,<»hàµeí¥9ð½çY#ÜVt@O™éAqö7Ç¢”¥¶dFÛ°Šïûòn„¯‹™ÊˆHÎY~²Ðöf·…Š	2
ÖÒ~ñ¡5/~A±cä3`u?w,Êæ©6Ýø0SrhjsêÌ¡KñhÇ{¥|Î1f»ÌßšJGYRf7"i`×úßÅ´üðAy
À¾¶Ð:ÇwqÖy|!hdûH,\܃g!¬6ˆQJUÍëMþø;€3óF·eH!g©ws©VT•€¥3‡O›ƒ±±””X4×å}í¸¨ •ùiÓ´ëà†çòÅɇGC˜Ý¨R¼(Edc¥Nt*âR”iÀ~çºx“µŽÄß)8¥¤9Q„¬ãõQ&'
ìLð/Zgªž…üãÑ72ŵùóA’äd„?«}?|݉7oÞ±RÆxkL:	*Ÿžtï->*/e4ÜjŸ;?ˆú§_nhJ¹¯gd‹[©ÔP,+ŠÆçAL¥àg¡£k™"ƒgdáÍëòmR™oÖ„Q#ûH1¨Ôˆß”Ehï„ãÙæ@?ä7Z‹Ä×e2LOÔ¢\Y¾ÓÁ‘»Ú	É·Çè~‚«£•YŽÂfûûK[»e¼HÉ`*ª,ðHIDÊÀ<ÀKüoTúýY±Í[S?÷ƆÙfдŒ†nªFUh¹™óøbaqè]$4±‚ ë:Íæ—-&@D\ˆZ¿´8&›ˆÅ××3I/Cs…»‡o۷“¹ˆ´¢¤îCA*ð&Á…y—RºSà”ˉ†%WyÛ&[‘‚+;xPù=i?¾ˆ7b’á×^nSP¾øú÷eTY„fÓ¡ãi¬\™‡ð=²rkê…dŠò:wóìinFÑX…ò¹zÚårh´ŸÈÕò
ÆïÒtá¿"<îœíšÚáYåùå·`iÔS/©þg53¹¦_åvœbÇZRú—E2Y#èMlu­`€̦CüåpfR”Ii~H@ÿÀ‹*i‹Ùe7_u>QÒ
+úÁ[t1@nü꧘Æøû׊C\`²øu.)k
+t%o2ŽVk,[2KŸ†b7É\¹’QpY]M‚KüÏ6+¤Hã8¶Ä%­]”C¹:¨û©Lò©ÉcŽèCäÚ±‘€•Ÿé±‰|CÊÊ5d^UZå÷é‹C¶Òþpšc” SÃ¥”–ƒ‹nI»îôg÷ˆb„¿HA¦%e¹†{ô^íAO‰¿3Øã_™1ÈHB’)º-G^öIŠ­ä.üÙ‚«	=[o-t€X¥žÑ¬©®ïáÓxM¾­¢<Å"MaHš
+¼Tñ•Ô@sì<¢ªcu4fiŒ¤—Vûžþ˜þRé1 ïc÷öƒ¸qSÈÉc)µ\=œP;ÌÝ뢪ï¾$t™Æ\áÂûc;+^‰/Es¢ì×xÁŠ–ÓжôU+gƒ(j~š(ë»Çë÷°‡SÜ7Q%Op£nU/æiòœÙáù‡¶’LV»å,ð(_°Áð`
+ߺ÷ç4–³çÞçØÕñ/ËyW	Ð_/iK&@¸40¥	[â„ž¡Ãs½&Ü&꼆Š$Có»‰mƒj±üI7<€ÂyíÛþ¥%•€ÍR–›¼‘¤‚×­¦Ò*Gîl
+¬„ óG]£¿×PGcFàsßã~èK­.‚°ƒþ	®+alÙ]¸k\æ£ðî~[Oô:;ƒo`Gøº±FÆzåDÖå«è2Ý;¬©¤Øßg/ËÉ
+.Ça„÷R¤ë<“é1é$%+÷m`ƒÔëíõ„wOíwÁü˜¢Kæ™oW53YD¢®z½†ˆ$ˆöÃ\0UQk¸í…í0ª¶Ã€íÌýÎïKG2‰€X•=c‘*Ë.!oèÀ7sY+m,Ÿ¾àÆ•£…?!Sž¡ïGØ<éâé—]Ô™"è*I›•íRÜ0Ð}BÃ1©ÝøKh?ìU+—º¼þæêOزe× eº~ïýkFˆ]Õ€Þ¼NŠùf…á~Ћó’¾woÎAl½•¸à‚n|G¶ïÕ²æ¹Â€ˆ³4|6#§Â6~R2ª­ŸÓ·ˆ‰2ºT|©?Í7ë,n[]Ö²ëGÃ2@ùuä̹Ên÷ÃM'’‰3K¾HHfúr4ù+1@qIzY‘EýÁÏ®3	µêœ!µq®Q—{üfÃF6™ºÎó.ÒàW\ Ë	mö2Õ4§Öæ€96ñKãÒ!ˆ|ü›_ë÷¦oÛN$Hí0v~VƒJâ o õEõáš`CPÞñ¶©»4ˆY
+3êaü"/»7#`óßè
+ÿ#íÚpß>§©_0Á󺧺ãû¦E›?þ“ÚâøâKûÃîô3s´6èÑûì“!‡oYÀ^“Ú”^~Cªª
·¥ÝÒHJ0j­ïÔ„ÛŸï+ó%µU@ùq©ÝK1pV.5šÃi,ÔkãjÏnlûŠrÙ&Ù¤ Ïö&R¥eba?]ÜŽ™¼T•Ò³Îs/|QS̨eÆÒ¶yL“!KyED.AÛ9*µCÖ jV¬z¢‹£‚4V<¿›q¥—7vìéKœtWæTRx±ærœ¶=¾3ù£K1™6Lu+þ·4²¶óèxÿeéð´té
+Òç\Á¶¬ñfQ
™
¢:.j0hªñ¢Ý•Ã*>©Àä/Á½fJ#|jJ«tú‘Ç2Oð]Øì'¦)`Ï2ývë"<Œ‰‘q8å/Äþ)\pK¶Awá¡ÄUB™v\î¾îy<”_pç?ßFÞìFýpòq"ß­l;âÆÍ&$ʵÀâ!ÞÂ2$u:¹Áû¤—%Áæ“BŠC‘bÁ:ÚA|!D¥^ëd›gú6%W1QZ=!ÿ@¿-ˆx‚Öt6ôfYxë0—ÚAÛŽ×ö™(i6ÒBb;BïŠ;Š*©7¿m£—Íz‰_´p¾í>U)²ÿþ!4š¼¯NÜJªçó2ÞW@Öà–ð\1±Üº‹ÏËظlÕÃtOGNƒf—Š¦îÓù©l‘}ˈvê7#Ì…X
+t	kjgÉÓdÓmr8€$ƒeÉüÎäD^iOq—ò$	Æ|¤ë†íggéét‰ä<¿¹ô”’Š¬ð¶ÒRç+÷;Aš‡Â-‡î{
+¡‘ŸAzý€ªëçS¼oäîp8|ŽÝïÖéÕÓéZw™éV‡yŠ€A
‹kFdøÉB-XtK„_…„Î1$v„M)Ò]ØÆ!®816¸÷¹»y$…µsÂP‰]ì–<â6‹¿µ¬lqM\Éå]‹SàÓ4X?Ã*™^îð
Ia+ù¤Ûò:¤ÉÀš¹t?:^U.´¿‰îN™ï@`SÊŽp†_…k4h…x‘Æk³éDó49¼Pgm>ßu®LAõ‚@k@î¤X
+v9¦¢6X6뢴Ë_}B«‚Þwk©_Fe[37žM^¬•¬Úós€Pùë79Ÿé¸@ŒvÒ9éZ‘Âøü[µŽSºÅ\il‘qÝÅè¸S]ˆØeŽù¿?DE“†)Ý,Ћ²¤¤ÿŽË8Røeu¬@ó«4} q“5õ7ât
+Ú’emý«â<³b…N»ÕMf‡y»¤.úU†÷û{TÜ
+£{—ìÑÌ`*æwB°‹\LÌV¥´	AŸ)×LÊHÇËúø&ñH6¦{ÅÅwF×Î={ÎóŠÏR½WÂ
+m/$	ö]œSµÁœ*<–Ó¾9‹¯V«ÈÏUÒx_0 ®lÌñ}b;O'Ax~vÈ ò¸<>ÕÉÌcÉwéæãG$Vøü[c$âªã&¬ðK“ÑD¡fƒi*|èlæA",áe^’ë!´õÜ	ñ£{Ð&|bÁÜj¨‚5×£)%¡±DŽŠ’]h,õM,jyA±±O€õù¡¸™ÔÃä|aœbÌÞîÛyƒm«ÊE7T`ÄóIº(æP}¦
)OÄ}½£±Ñ+ºÍ8lâØSSBûÚ´5›!ö“ˆNœý ˆ@F¬ö~­Kü­.êùfò‘)•&ŠfRLœÚá÷¾$A”Úf2c@ßÊ-âA¦&1*_ÄþØýžVÿpq^T2eÓ×Û!µž
ÉQ\ þO=;žÉ¨íH}±xÒOÝåÜs²”¶SŠÌ/4aõl°_ì`:B
T‰`}©†Gs1o,ú¡&µC÷k-~½l÷aÓˆ°
+ù™Is¨3¸à±‰'7žK–wJ±/ã&ÖÁe8þ¾A8>>ú]"lqÄ®’“`ªò\‘Í îf#A«q1˜E8ŽçÈç´Ú° ‡•m½ß¡Ðô’6î3áUâ„ä¤o±½à›Ä»Á
Ú[ªQéC1Ë;]3…½=?¢“í}êxŸÇßÜ÷6æÍÿÄyÓ«~1ÍRv6›ábŸ–Y|
U	2?©™ü>4"P„•4¯¢öQÀüUœ©Ñ`bÙI Qº”V~Bꤶ˜4Ž¦Ÿ‚|ˆŽ¦=ò°û.QØ ðAM˧¾û̈òSwoVé­½*>£wBRÜù¡¾R	ÆŠØ
Ø9$¾ž'ƒ%©²Ô^7ngô¼ñý˜–ÿB“¬…Æ ^ÎÒ s]¼þÄ%®õ©C_Ô±R·£ªZ¥[¨Mi”÷²oÑÞδxOTNç]dId³…Œõ=`n>Ô#Š™•Œ°&ù€Ûì\Ëo™óiE–ÍÝ`ÔTqð„^£œßßý)Å7¼ý¡;¾³Wù:0[Õ:Ò&ê6CÙ¢ÌkúK¾õŠÇíJõ}ŽÞ+ì2\æ³{áAà5èEL×~‹Rö*63YHÒö4v즧Ö8
9§®~…  ô—Õ
+W>úÃ÷¶ŸÃ÷ÏþX55™8_sYltøŽ¨±0NËsª~9ÍÖšlx?èÜ1ѽQ¤eÎB’6óªe1¥è§Q\Ædžÿ…šl§Â¦íP_êðsCLÔØÉ"¤JTþCh#„¦”Ç!ACˆ–E¨z„,=ûŸÛV6É%a¢E[{ÇÛÖ“Œûƒ¨´¦|±Aöô{æåÐ5CîíNû@ùøpÄÙã+X:y$'L=ýÞp˜†‰h.v‰4þ¸Ÿ	l¥Ù”éOhu²Nžku°,s+—–¬ärn
+ùÈÒeöB	ê8og<›ß ª%¹'d†nN7Ôòp[šÍYÈ6˜^^D	—Àé™a²Ü•	g»ýsŠ3Ô­üS¹Tèµ®<™lôg)t.Ï6uC¥„F-
##<_œÏwí:[—R/©ß·>|[Û‚åK]§Žg:)ÚÑr»ö|ètaX÷à'¶¼ž`üìÇ•éÁbê³öT,ïßô@¯¡úµõÉ-(g`DäþBÕS¼:~S$G
”ïpt„Zæ؈6äc÷s«]^û9–Ûîâ
l…ªèõ$pæ4gLJ•œùâIB)rÔ~%/
+z·<…(4'h}3—ÊÉ@‘T%Ç+£ÙЋRî/CŸ™u0mŸZÐ^¾Æ„uêT úAQ¬·ëÜsÎûòúŒR¾¯»|rº|Y5ÍóK[q¶àjA´Ù?Øiʂȳ߀‰¹G¤sɳx“R·ëî™á*S<‚͉´ñëØBóûR4
+þ4,xuÕÞ˜-Â@7JÐb*ÙZëÛ (‹†mÉB7FäCÛc³ãhœÂ„DG€îg‚¹iUØË<¬ó-;¶|x'øçõÖýe±›˜‰Ü
+ÿ¼¸ï–°ÿ"D³PÒF±¿%øÉHõsäA_˜
+X4þÙ'½¼â×Áí=Z…ç³JRji²µ¸¨íé諯^ó[ÓDoXâ–$&
+âÅ)[Ž~
+¢ô‹*Á×GxMV.‰ap±Cqaht9k¬-7ÿ×&¯Ê©_l͘ŒÑ¿7Kafy’Úu·“‰3¶è4|ŠCëbó°!`/ ët_·÷\·$‰qežû$AÆêl½ïeO@RL-´ÀÁ¸
+A9ÆX/­³c÷ž¢°‰`åÒAÃÛv6q™ Ùú”¸	m"?Üü}`OÝtñ¡Æzmà†ÑS˜¶ Wv)KTûN~¡(`Ã#%hj
+PÙŽz}PŠ÷‹LZF×ÒÚoÕŠø‹¯­D>=öÛªæ1§4ì˜	O{Tƒd>m¿4j”l©ñ¥ª¿žn­`!2ÚÜÙzÌo¤ƒ¥âfÁLè\¦9=ÆÈ+¯ïÚ»µ–4ŽtM©7]Pà©%2À½Ì«/ï¶\XªµÊ*ÆŽšúBvh4›‡Ü8]eN¬•ß!Ùó\~@Ë_þr¬—O¢]ÍẆ¬[†x‰ö»¢ ¦[
+úòÐœÿ×õâÆS»-Æè]—´W6¿33‚vèÞ4Æ4Ý$“ÍI?6Zž>·‡¯¦+u=·ç·=uºÓG„¿ÌÄaÏ"ñ™ê¡µ
£¡ŠŸ„GUëɪ@&ßmÈšáÅÎ
ŒS¹L;S½ï[wFM÷DþµÓ=X8,Ÿ¾v©¡s¬xi ošz*š/2š»tڜ߂Ç7¡\h(UýgÇÉ/M*“-ÑUÌŠ	îy›t¼™×PÎh6,o쑵úÕæænow;Ñ­6ø³R\øÕÆ  ˜K%wݼ»éÞïx=¤¦/¨¨…Ž‚hš´ÏîÏç’dz}=†\#Ì“g_2‡>‘ykåáá{o•N&	p\;úÈÕàÏH²¶Øg õ±'ù{p*8ÉŽÉ¥>¹h0³*¼@¿µæ­Ç‰8À˜gqÈ÷±pðÆ[nåôuª» ªßfCS;ã$D‘Û_qÅÏùKZü>É B¹cnÄäN¦= ^µ]üèÕÏhU5$Ûe¸ðJ†‹
+OÓ·F$ò›·p"Ï#ཽUOªU÷bé­d´Ä=ì®ò§®
ìÊ~æ˜|Èj®YQç>è¿Ã”ú],癇Uaš7ñâQFZœíú
+šˆDº0e~jͪ¿Ö¸›c›¼ÛO,"ÝŽ·@μӮ!ÔQ=¦<¬/
XáátT™á_43Šòg^ò7Ö¢›A·cŒ+;«Ó£tÖŠ­A$6åú$ëÓ­ÄÄÒåTß‘&œoªÇg¿ÕÛK¿Ry'¯e¶ÖƒêaÏé[•†¤ô2Bv#yò7âfÚ.¨E¯¶š,`ФA­”Û'˜LgôÄJÿ¡‡œÆõ
~ž&Ù:­5¿›¥i°×}¤Ô*o+·Ó‰ ¶î1pn<rP
+œ©A×¥”Â3Ìbw¬X!fdºóE‘µWå¿ùe59Î1'϶-w4&QÖî&ÿWÍôFøW©«j¢®\vØOñé‚©–BÄâm¶Pµcƒd\‘ù	Ñ[FýùÄÛšªjÔdüÂõ½ºÒ"ËËZnQ½<ÿ¯ÊÞ²ýÈ
Ð=¼•	¯‡è]ÿÞï(zúeöØûŠßï59œÊSÀ¥	{¹U”äùb¯›ÚCc¥ðåßZÖ'ѵb«mD²3ý¹&®nžO.„û¬‚ÇNµUi±±Þš:oòï„Ã7¡VÇü«%·Ùö:ز(„2S³_4™»­Ûù}Ù,[1©Bƒ¹ÞaÕ5+4W}‹%£9æZÕè
?Èíjl‘›˜­OÓ…ˆy$î檱k?¯&‰MIs>¾K—äÇ¿ºw7%=VÃÁþ»úkã݆Ãш¸…¹’	LTœœ$Ö
+I÷a8
w3Kþ6ú©u1‹súZ¢úØÔ9ˆUa>9·Õdîø'_k•îC9Ó‡íjíôX;YŒûôÑE$ìÙ‰góâû6oÝA$cy*ÆÌŸ.ãp™áÆÉtfìY«sIÆ~¿®Fäit£cXÏK
ƒôXp´‡ÿ«‰ZÌAÑ*%ík†tšOÿJî¤Uë~A(ÄGH))ÎB"ºn|é_„»ÊÐR“–èeL¯¨
+>딕×phÌ›KaŽ39‚¼‘wÄ*cÄ,`Ûš"(vÚ}ÜèŸE­¥„^FœØãtÁaδ}èÚaO­öÃl@1_Íí?ãùøJçγÀQãf'ºY²3Q\)~9½6êŸýD[­},”O¡‡ï;‘ìV?v"†qiýÅ›˜ÿ;HØË2ii¿´µ1£
±,—jŒ´Ê—S¸êâ-‡eÜí 8––ûA ±Ë‹¶¥o’4$)BEtbF×­ŽzaÅ)£M,•QÐc>æ7·sfg0¶¥þÄËÆšZX"׬C0Ú+^cåë9üoÌwä
+{­˜Wä„'ÙVÃEù)f1iö:ÖöFÚEð-–š0Â<ÖÅfóîûS¡±Ø^®4¼Þßxr¶x0¯PN‘-’NYÄ×Ú÷&nS&ŽxVUÍ’%ºã’.IJ‘—ÂW•Zà¾l!®3LXð¬õý†C†"#/‚Æ)­Ð`,)(Àyó›Ê8o‘}	…š¦£œ:ⱂî=GhïðŸiÌÛxá§D:ê¼j¼Âcì¶íD\g F…݇„ó½´M*jˆóßõŒ1€ ˆßWN\Öe¹ÇÃr
+hêºÙ°†c¾?C±f)TkÆPjÜD[Z`<Á5bä
i£=ÃÇæ/¯Xy“Å™›Øÿn$F°bÜÌ8ïüq§e¶UB«NJ6ƒ)ŽuÐ-ˆš„ù¤]WUÁÇt4ÿ\;S’–ùU=Õg…uäÔet¤SÓ®˜‚ÿzD+³ÁÙ[•j@ÉN°´vªߣ·“éWÔFEÈΞjBܲ²+´ëÛ¤^Á·µ:MA ‡s˜Æ$´àRR•7§£Hn ÅÉÝ°Ú±þXàŸ&1G¥ÅO°}
Êl¸`0Á€e”Å™.‚ñƒÅ.„å¢ê8tÅ/äÊ‚jÜB¢#
+ÕÙ»Qƒu±wë)ž®Øë‘u¨/ë>€Ÿ×d¢tô
“;;ÈÌX5EjIŠž¡ßqÌbÍ=2Å°+¨Ž8sû¸(zâëaQíQy¿®^Ü.€‰Å¶Ûÿq7(^¿3`¼pªH}|÷{ž~`Ï6}«˜O·Âúwæý§§°LÉ)Ï´™‚ios]ìê^.¤Mþ)ÓtÈž×`ŽF#ê
+Pá'å:ž…s4Zát¨‡rÐÇBLe­ö‡ªo†eÿeºeðd;ÅUgÏ{ÇYú”ñ
JPÔ$å(%’
Í¢üŸ‘ÓU÷†‹f,$ënêQv}ˆÜÁ
+aÓíNðœ(`bÔÂ汈žˆŸ¨ª³Êp§vLÄÞÍ	?Ez¾«™VŒË"RÖë¡Îû&õGãšå·Qó6…*K+Ý“_( Z	y?Q	î4ú/ÒZ/¢…)Å=Õí“/(Pô1Ó\•¦³ö”ÿ
+׿'=ÔßLƱ–ùÊ©XBölA˜*	W3ÂÀ@–zŠ&¨„¨§Š ƒ¨šÄN9¢ý–•Ø¢¥øm¯µ„N=R÷Î
+^¼ð2}ÛßQ™càJ4êßñ!®×Ò¹HýúèŸz¹q¶ën¯Ïãž¹­vÙUÌÔp³·súÑŸÅïyš®ÛŒéùªÚµ`J/mk3åNn}ö%­6êöéâ‡ì\^3’½_e;)ÙA«z(´nåÐí“fšEs±ŸnP2¦üÆ‘)V¥·5é(5]Ází‘Ù^Š³Lgn6-:·M5A=v7è£Àx,©"µ\C"À¾ÕÇÿ
+)i“x%šJ`XPÀ²fCÛÚBANyB%®ž±\Ù"Wßœ;†ÿX¹‰Gt
Š·:ÒR¥Pø0]Ûðx	†}Lò,ÚäL[Ê“{]NÍßo9E‹>y=„rbÅ	B‰h„¸¸ä]z>
Å\è}{ã2'çXø¬xiýp:Fww#f[¢ÿ=m#Ø@îíE*ÉÕ¦Á´Þ
+ÑÄ*j™ûÊŸa.?óßœU–_k?½kíãÍ^üô«N–ø¨_×jöxÓví/¥ž„ô€ZVj;ó´UWcÐ÷…o-1jµÖ•Ýå‹àn:Å1 :Ò Wôá¬Dw&Î ]žÆ[á©‚f¬\€³å­
+“$»ª‚š•=L^Íïô÷JY~Íú%Ÿ ¸ÐöC–_trT‚ýT#	ó5ºE7yýp	\-x8äšK±]Ös	Â¥¸ˆ—€5ê{2•géIkÓ5Á5S’A ™çYI½RÕõ°Z¨Â$+Ó©«´Õ˜°-ƒ¡že"AµYÔJ…пøfó+¾»léÞn’sE‚C¥¯|o’©sœ²ÅȘ;îeæ.Ÿ‰D".›Ô§
Ù6£ÇXŠ{Œ-^~¯ˆÖ~ý1ZŠG‡qYéŒJþ¡Õî†+Þ§vò;¼’Gâ5ß~â)Œ£(N~¾9
U®gv*ò£ÐüÁ'¥~Wƒb˜Åx¸Î¸»¯ßØÍÎX"²§:~iÛîT`zÂö@ÌC²kðôa5œÆÊx ÈÆ2,aÀ¤èƒ0Y¿)3	äp°¼/ôO§+ýVï]é:žúapÊÚ¾Lwܤ…`ªø³„á3ZNòR¿è·u‚{X‘U†‹¸—œ…i'~‹ÿ±)²{_2‘ڛģƒq<ÎnÚ"ÿ÷x¢ZêniËi¿všv¦bˆÂ·âov<±
å)/ˆBÚîÛ_Á.ÐÑá4´Ñ:blÔÈY¬%±?q3T~í^^ÁJ,×'ÊÖÂÿš˜Ð,œ{(í
+ûÒÛûq:©k¢qräÒ˜Lä'ÖÇžú	Óû
ÁƒqYÞ6›eÍ„“=0õPp/Cg"¾¹ût½ÐÜ×#ηo§8üD³@ˆ§È-k.&1÷N–CËæðùÇØ:¸Ü{ÏÝU4c5‘1êygTmÑuÜ)zY‡ËΚìÆL•Ï35—­EMNYÛ“4]°cH_ÁRU’MvÔˆôÁÎç¼GR•iæ6<ߊÆÀL¾³“’w.âºG–pÝ7Ë_ûi³ø(Á-(ÛÆñ+?l'”£!Ó}>·Ê—K¿uczÓ1•]òº?V€j 6²ÊÃ’ùfÆÉCßÅð›€RòÂì\ÊÑZÝܯ‹
]éeC¥‹/‘Y…1®ò>M½é%n®¨ŸÖ„X9‡€5[Äîë> 
+Gžã/|
‹€â’IÈw\­ÎÍIF¸Û	Öè×锹láj<å!# t#EI>øö(ªBñÍå—ºœúXå
?9‹®‰`Œž7ZllRA5(…¾qÏÄݬȽ
+A»4›Î¸¨y†Ó}–ŽoÉArn_8F7êùoÞx}3|¡y[“§ìO<)£\Yý)hå…3¤Ëø`5<ÒÀ)q·¿º#
mò×]NpÇÈ{›z˫带|—È)éN‡ÎQmÑjꤊÌ™ªN[¥!?1Ÿèõ@­ŽwXIO§ 3Ÿ°â$–'5\7M3wj¯Š˨AG&t`Øq#8…ð«TY°½ÑŤæeི
u$`øLÊL«Y~‘ŒÖ” Ì«NúC⌳jï¾g‘<ÿ©W9w
+Uw=-gT·8Ó.Ñ=ŸëÆåܘ"w\{ÄUónJ‹|`ÃÛÝÉ{ðëõg5Åçø¦!¿mUÁ–‚ë¿ ZÎO‘¦ 7Q'N‚!´ÍÇó~/¤ÊÕ+Ò¶"_ee”e
+ú£J&21¤µÄ÷]=ÛZÆD™ <Êfß&{¤¹ÓtУO å¼ò£[¿©÷~ôH’MšJTŒá#\Ó¼Þµ5Kh ¸éÛGlxchCvÐ|ýƒÕd‚ùžp‰ök7&ÝîriÁT§E~q%Ç΋åE
oI72˜Ã>‰Û/md‚vï Œ«Q'±/æ^‚NìÒ²]¸»‚koT$iJOžD`í!ïñfhNCÃ).ÎDŸ~?êX!]èx']åê-çú^p!4É)é·uí1GzªÉäê©/¬˜Z¯¬U³3ˆ—ÆÓ3¦\&AQªw4ÆÑD$û¤|*Ùžç^Ùge©ClÙ‚–‹t¾óL&è9Ñv	ŒeR¯‰×eV²]‘¢gƒ?QaƒÜh×™4`óÿ¾·&âp¼t´–‰Ç@ÑÔà[L…¾L-Qãu·;”¨N÷5	jÔrW	|´S$D·w!ݦ>¢Õzf«%°Öåîؾ.å¾u^aRºŒt.(³éÖYYà¢FÝïçd+ê¥9õËñ\¼CTc/vA5›È²KæKE}Z¯¯#éšûÑv¢úŠŸ2ýÙñ¶è¥5¶@éS¤ÁŽ3·.ô¡KwþkÅÈqúo´:·cû¯zÚ¬ò‰®]sXV>g9ÊX,Ö3–Ôú¸@øß”xY\Åàû…åg?*¼eyA[Ñz‚«XÔÞKØÓ¯}ˆsd^×Àj«…—ü÷øT)SœÕ¥‚‰¥ÒƒÜ‡Ô‰h§]1Þ
¤çì¢Yk}ÇÔlÚø›á2äF¹’Ö¶ð4Ò®Ix5“‘H¦x„¡»Z‘vDüŸ»
+ÑBœ—²Îî*8³)ÂC®ÞNéÔ£"ebpM=Êú8‰&æ/ûU›D•MÖ‹EüÏ›¹c’àŠ£Ð/÷°ƒ¶w?Ö”gïi`mÛÝŸV­U&³»U>fƒDªcW™ªäHË–ÆóSI¼687¯û½ÞöÓS&*ojw
Ó~LuH]ûOE®ã/ÃLóxk"ÄÓñœp-*Yˆ³K4yñUJâ&$HŽ »K¸Úáq_c™ŒñIõTZ—E>n66)ª`âzU(ôjØÂtž}~¤ÍgôÜ©™D‡óßõïý|[-¨?Wâ(âÔd	Ý™ßId¼6mšÈÇÖün‘ŸÎÒH<âjøR1^˜}]݃·×gôß]nþ)Y.çÚ‡·øŠ°s@\W‚ £Öø^¶s|£ñ¸¹õ³¡n0UÙ„SyËSÌ+cyúm8›m…1z>ó0
+gâ©’¨™an“À0jxÃéÙ,ÆÞùÂýù»HÇŸQ¼BKku‘«mþ‡¼´ÖC5|/Ù4¥µi×ïÃjc¦3üÿ¯9ÿgB.r/Ï‘3”-GŒ
Ë#ó˜ÜGÍÑÚVî«rÅæcOâ1GŽ¤YŽÂxÎYîçH	s,ÂxÎFCÏÙ†¹¦òþˆ÷Ûû¼ïðÝ‹¹ñ¬‘‹ôÝ'ì™ö,[`ª×­DÁH[!ð5„î	½Ìž´wé J†ðiqBi,yT¢A;ËO¼á)u¯1	›£èá²÷T=V—ÑÀ¬ܧQl/֛ɩ²qVzPÄ	Ä&÷UŸîÂ\š3ò׊I-‹>ˆfVdyµ|í¸<7‰þ¥9•”7Å
PVd|NKù’€j}X¦"?…Ýݼ‡cbÛy‚Ãy‡5â!ã”0]‡öpµçÞ 	ü-…*QZÉÌÂs‘ùˆ«ã…ߧqh4ƒÏ3dKQàÐ<,Ö=3n¦ÉjÙ‰€5j·Í“غ„ÊO’¢K鶹ÕPIC4'Œæ™À`¸‚Á·1}£rëfBæÖ‚H¨…°ç'!“a?À,X)ÄÓõ-Kr¯‚Èïíß÷ÝEy?!w[ï}³uß‚aĆ˜~Úyt´1¾¼!ÒpÊ2¨R‰PÃý:£‘z°Ÿ;nÆÊ 3Ðçlj3…IþÞù&ö‹1#ó‡ÄÍ“ ×ÌÊí­¨…¦Qø4ý_–ÜЋ—°QðŒ‘/Ø#îîL¹fJרC6ó:¢Ùà7£Ê>pÝ>¶Ñ$q^éÆÍåø„ªî*¢&SÏžG¯tÑK3*€ â	K}™´à+n®QÌ ÙÎsXAÄÌän£Ão5¡Ìûà6"ð5U6Û¿óúÃ'Ç÷…^cv‚Øeª³gª§6æc?"ïÞ†ã«ÿ&¬º»Û¿í:y_Ës¹÷^%±Æ,ŽõsN2Tt6¼¥­„S„¦ôS°2ú/¾§­áÚöNõxq/cëbSèÇrÿ«SWd¢ÒnO„µc¯-®Å€ÂÖ”‹~ÿDí’‡…ÂÖ¤Ëu6ã
ýPÕ‘%™Û\Ïh84íü¸8“Rq¼úÙmy!·n¶ÿZôKÎãh‹kÚÄÅ—•=mé&…ÈÆvø®ºµõo,ñ¦òÊ‘i°­íhM¯‹ë¢Vi1eÆs¥îä¹Q…‡€­ˆZÁ´kðóî1vÓÖ8DD3kRžcn°¥ò[ˆ¤‘¬…wy›‰ÈšßfîvkŽìÀ˜ eÜÝK?È_ëßÔÅ.å6·í¼ ½ .ç»ø£P©§¼~PŸçѾ<ögGAN<†d¨jšóŠ¶*xv–+0þ¶/¸ûј:ÓiÚšÚ¬‡S¥_€û(D¢Ï…`J$Ó­Š:ýjÅPÊ$A)Ëg+«äßÓœ&ûÓÖ×¹	÷°F {È.¦·ÊQ{9þŸ‘à?(G­Ô:U7ÖíÞ!(E&”š,Ž´Õˉ™°¼þròÚÒ´: àò1…jVY„ñG
+ç®VT@QSP1žâ;ˆ|—¿T"žñópbDç²®_œ’qî¬M\lí\äüïKÉß÷›=Ãs
&Iw,Ò×oH÷\‘‹«Ý‰Ùñ#­²“ß™ùº¯œÀˆý‹¯³}/76u©…ÅçÐ2;–ô•1’ŒPñæ½Úp=e•WvŸNt¢äΓ¯Í·°Œ¤	 îÏÂ×âTª÷dÝðÏØ%yeŽ¼@²*]¾'[ë§Øè¿[JZz_oË.áà¨9®fqR¯#ÍŠC)´{œ
ý—Äþþ_H€O$><Ô'2Xìäà÷¿endstream
 endobj
 985 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 2270 0 R
-/BaseFont /LHZCHU+NimbusMonL-Bold
+/Widths 2276 0 R
+/BaseFont /QZGUNR+NimbusMonL-Bold
 /FontDescriptor 983 0 R
 >> endobj
 983 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /LHZCHU+NimbusMonL-Bold
+/FontName /QZGUNR+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
@@ -10851,7 +10904,7 @@ endobj
 /CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
 /FontFile 984 0 R
 >> endobj
-2270 0 obj
+2276 0 obj
 [600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 968 0 obj <<
@@ -10863,7 +10916,7 @@ endobj
 >>
 stream
 xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h˜™L\\\pd[;wsS3'¥š²

íYþ	ütÿŸž¿™Žæ¦6ò¿.@+[;k Ó_ˆÿëD àd˜˜["
-ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î !§)¥%OóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶F‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î !%©(,CóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶Fö¥©F{1­(zR€—ùøÞ$T}¨›ä4z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
 üÐIí|ŒRëc1:QA¾Õžž‘'?=RŽõÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà	h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦·ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
 쿵$
œÉ„®'~»¦ìw󬵮¦~íCÊ]™Qê,©wmÚ'c¤	w®Diµs$óÐY–1¾—f‡ÙÄ&>.jüäë賬9“5ÎÕu¨ÍÄV¤?m=Á8ib/4l¼˜’lºÖ’Ÿ$):Srïð¹ŒtéÇ#/sƒydŠü¡
_•vÏÐX¢ÖÙ"» ú”4Ú]Ô†Üf†·”-FêÕˆFG‚„ùs!kt>
@@ -10944,23 +10997,23 @@ i
 ^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô
~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
 Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
 ‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
-oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿÄØßendstream
+oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿRÞýendstream
 endobj
 969 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 2271 0 R
-/BaseFont /GMYIZN+NimbusMonL-Regu
+/Widths 2277 0 R
+/BaseFont /WIHPBK+NimbusMonL-Regu
 /FontDescriptor 967 0 R
 >> endobj
 967 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /GMYIZN+NimbusMonL-Regu
+/FontName /WIHPBK+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
@@ -10969,7 +11022,7 @@ endobj
 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
 /FontFile 968 0 R
 >> endobj
-2271 0 obj
+2277 0 obj
 [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
 926 0 obj <<
@@ -10980,7 +11033,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&iQa5%%ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&EU95
ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
 šþô­¯œtGLz¥ÈéQž7K²;P?8˜Õö¦””õJ>`ˆg:Yánžiü(\
 ü°¾<Ù£ø§6Äbw¡5aÔž_|M<}~¢î½…î?$¤Ë‰…§äuBþéçC(øC­B¼ªùÕi{Ju¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶VBjä+s^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©š}¾ŽÈïqM gÀÁõ@‰Î
@@ -11054,23 +11107,23 @@ K
 p÷†ÓºùáXk)iÇÝKqkùÈüÙ²ú´{Ô°!¢1µçsßÚ3‘à
æý“B òÐ2t¦£ƒ% ]–Aþu²"ÉÜß2åº.Ó
“ñx•s,õ)®k¾óÒ>hœýbyZÃ÷-ý$ËbÇ;¨´²*	#Œ6^ÿ´Œ‹Ä*jj¾}5™üÊ­tÿg ›­ûá=)ìGõ™;RVÛÚ½wV*îM\ˆšhßn`ÇPÙºzÇ'I~©VŽ;&븙i—wâc3:™S‹åa¥40ÏZ:	Moè¥Ø~ƒÐ#YcÑV„³IF^¸Övú¾&ÕÍBoªzôåÒ½¢šºˆ<è@ÕŽ!ÄVo£Cé·³s~íAãŸ)4°jsY™ÖÑÁ¤¤Òøɉ
cxg4Hc=‰‚­|(—æ3§‘»Ñô¯ðÑqr1¥~tÓ™²süçŸVý;Ë}I†õ„=*š½Â!³ ®8¸²ù	¢Ÿ{J½ÅhJ$‘¹Í2ÕtKcÇZ=P¶)»ûøÔÂwË,û«øƒˆcÌm#ãdxÐu!^	Ú9ûi7ŸÙJcÔŒ]+µ
jÆ»Ò_€[hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž×?3Ì›QOl
 s¹xŽ5WË–§zGϺß?ÁyËÇDóÛ8Þ6<,óyÊœ³%ɾŠaîjôër¤ôç ³L.¸!åeÖ&A—¯y!qíµ¸`Û®8&ƒûCá°ˆ×P·KÄMZQƒñˆR“!»V¸x3ËßÀÃ'£l{…x|#”ÄÒ,ò9r&tã|¼a¥ïéæ3sawÄø²Ã××ÿuåÝ™×Ãùv¦&R®É;Ƴo©5$rÇâ¯%ì»iÕav·4ËEìØÔ;E6'µ…¹ïh;ž7\oqkÙñ*¯u¾+ÍNcýàÿOÃõÿû‚ÿ
-¹ƒ%ÔÕÝÙêjý°Ýáòendstream
+¹ƒ%ÔÕÝÙêjýÚdâendstream
 endobj
 927 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 2272 0 R
-/BaseFont /JCAUQQ+URWPalladioL-Ital
+/Widths 2278 0 R
+/BaseFont /PKTMUW+URWPalladioL-Ital
 /FontDescriptor 925 0 R
 >> endobj
 925 0 obj <<
 /Ascent 722
 /CapHeight 693
 /Descent -261
-/FontName /JCAUQQ+URWPalladioL-Ital
+/FontName /PKTMUW+URWPalladioL-Ital
 /ItalicAngle -9.5
 /StemV 78
 /XHeight 482
@@ -11079,7 +11132,7 @@ endobj
 /CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
 /FontFile 926 0 R
 >> endobj
-2272 0 obj
+2278 0 obj
 [528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
 endobj
 826 0 obj <<
@@ -11093,7 +11146,7 @@ stream
 xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸yZ@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
  ùËAKOÏð_–\¦^ÿütYÚ¨þ>¸mí€ö®)þŸÕ€@€«`²Ä””ud¥4RŠ) =ÐÙÄ ìfj2ȃ̀ö.@Z€…ƒ3Àö߀™ƒ½9蟭¹0ýåq˜\f ¿a@O3 ã?Àèlrqùû¹,Mì]ÿöÀÕ²7³u3ÿ§€¿v‡äèìð×Ãî/ö—LÙÁÅÕÅÌäè
 ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.W §ë?¹Ls‹£­‰×ßÜÉAÿ*ÃÍdoù_0œ–&Îæ¶@—¿4¹ÿéÎíð¿íÞÄÑÑÖë_ÑÿòúÏ@®.@[&V¶¿9Í\ÿæ¶Ù#0ÿ3*2öV–ÛÍÝÿs:ÿ«A4ÿÌíß"LÌìm½æ@fE׿)4ÿo*3ýωü? ñÿˆÀÿ#òþÿ÷¿kô¿âÿ¿çù¿SKºÙÚ*šØÿø; øç’±ÿ?¼Mì@¶^ÿ7ÿÿî©üw‘ÿWW“¿­±·ü+ãW&–¯ÿ@.’ O ¹2ÈÕÌ
-`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYQNM]^‘þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
+`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYGZGIDŠþÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
 ™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖµ?ªª…¹{G.ž'Þ½µ$5õü^oDÌÒ’j8Á¬R/ë‰yÝ࣑<Ì`½^
 úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
 ¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
@@ -11155,23 +11208,23 @@ MI
 ¿n$rÝ	XðD˜t
ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
 c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
 cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë …x;³°çlqf—š
“d79˜R€2õ¨)iµ†–Gö»€ê&‚—ÜÞ¨CšùŸeVò]ÏÓ~„ð¡T}îY¸dë`XÕìéÎ<òeJË»1ÒXê¤QáÀ#÷gX¹;«ÜÉà{}¤*½lÈ»€~.ž©kÜõVÅÇ®þÒ€§ú‘7ã$o—#€àkص<Éâ{
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,ÊæL_fªendstream
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,Êæmf¡endstream
 endobj
 827 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 40
 /LastChar 90
-/Widths 2273 0 R
-/BaseFont /NKSTLN+URWPalladioL-Roma-Slant_167
+/Widths 2279 0 R
+/BaseFont /YHYOAG+URWPalladioL-Roma-Slant_167
 /FontDescriptor 825 0 R
 >> endobj
 825 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /NKSTLN+URWPalladioL-Roma-Slant_167
+/FontName /YHYOAG+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
@@ -11180,7 +11233,7 @@ endobj
 /CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
 /FontFile 826 0 R
 >> endobj
-2273 0 obj
+2279 0 obj
 [333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
 764 0 obj <<
@@ -11192,34 +11245,30 @@ endobj
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2M°hZHeH&$d`’`€
-,P ‚A…ÊE ÒJi½”‹ÁŠ‚§F„‚Ü4
-& X¹ê
-ºè±KîþÚ³3æ}žç{¿gž÷;ç³0óô!08H삈$Òg7Ÿ ‰dœ……3
-C>"ÚI`::8€C€T€L£SÈt*
g8#a‘(?˜'¬œ?YцFùlH¸A,Äz°!àƒ°ù°$’0À{a…ð†Å0sˆ88|¶‚ƒù"iÁKÄEÚÌ‘†½¥"`TŒ™¬0“Ÿ˜E"D˜‹#¹#Ø^0æä¿ajys©@à	Ú/¦ôò‘oˆ0L*QÀ
áÀ¨h¹Ô^2çsøRár–%|6C,€hG$ÛR—¾Ø…/ƒ9ž|	›p!^Äag¹,¾E#$wÆ^o/›7s]$=!¾H²72ÈïÔ‹5ø®ÆRBù2ÀŸL$“ALˆ½o¿–mö™ˆpø¢`€Bµ …"qØ	Â**
|–°sL"Š	¶À¢9
-p·0VÐ ±ù([³¦&Y`—*@
-Â2‡ÿ‘)†BlXsÿÛ¾—†þ·Çp}``;T,€Ä¼Eø¯Á1™ˆ,š@qöØ€ =@£Qþ›-EQX$Y<›Xüok.Ë`6®§a;&†äV%•Ç|vîö÷t^´Vhz´›üjbòøœ£>Ô³^fÁ’’‘"Õ•ã
-|¨Òðs¶ãI}ô²Qº{Ú—SÅú®¤–ùeÆQ‰Ý>øÈ„TùªW6–#,EøþSù_«ŒéèÃ3ßlÙÚ3µ%¶Uï,GÍ£+t<4ûŸÊ)Q‹	õcÏtpUÏæm»&>Ô½”ï=|rÛŠµ´åÛ꽜ÀûSUû6¼ÎØÿ¬i˜óQè?ôgü4/ÃsçiŽ©=佊K¸÷ódßÿøÛ`ÉDøÚ¼«7WDBËxKßÍB{ªòȃ	ÕµŠë£ÒúŽ–r’êe_üéLŽI®ï…4‘ìËj«G•
ݵsÉâù0讲òcúÊ}ê2Vî8QQâOÿÔgϯ±T	÷ãù/'I¯ºžkÕ¶ÈLJ}™•É“SÅ:-¯7{f¶
zÈgm¬™”ªUÒ=M ÕagŸñ¶]ÜÙó¿Ëš×Œù*¢ô¼ƒœqÖê=ùéNÓÎW¼¼§Ç´¢“C…L|Âÿ{êjÍ)“0ú=E@ù(±¶ õü¯î;
-TÉIs›ò¯5”ïØŸËjòi~@;¶n¦ñe‚•ú›ŒJOó•¦E½óÅsËP‘&¿ÿ’dki¿[¸!a„Îÿ´0¾¾=ܳ¶Sš]ŸŸí®¸EÎx\‚ùµØé•á‹º£/‰»ÖÁQ&­Õõ·ÿžât¤sÍô»pJ]|ÔU½"Z»×HÿN‡Kéˆ~Ë|
ggó­§AÆUi Uû§yùÁÆpÐ77M{Ún]b–0Ö•¿ÕÐxM–ÉnWàkœÃ?¦>˜Ùì5`?6™Egä5b	•ƒ£Ï™ýðuÔaõ°ÿêð‘Ÿ{›
Õµµ‡Out&ùƸšÏ¶É’O«&×ooë"ß‘åñˆu¢÷s¦ëi­¾Y…ÎÊIJN{H{@Ú}4Ë[«GÎË_Ø“SÎ}Oü>¸ÿ7øŸh€]Ý*A„ŠûYþaendstream
+æ2@	Š(åŽ
+ŠT†dBI&	(—
+A@0¨P¹TZ)­`r1XQðÔˆP›FÁ+W]Aw=véÏÝ_{væϼÏó|ï÷Ìó~ç|&Fž>;#$‚4ÀÑÍçH@"gbâˆÂˆ‹œ L@[[p  ÛÐ(dÕg8"a‘(7˜#Ì?[Ù|å2!à‰80ëÁ„x€Âä¢H"àÀãÞ‹+„€7,„јEÄ Àâ2E@ÌàH‹Ž6Ø,Ã,qØ;*F…˜)À3ù€Yd!^$À‚Ù8’;‚ícNþ¦V6wóxî±ýRJá!>—ùVðÃÄ"ÜŒ
+VJ}áesn0‹+æ¯d"ˆÇe:‚y0@­ˆdKê2Á:s%0Ë“+br6ÄÂK8,`­´‚Å·d„ä²×ÏiŸ£ÅÛ¹.‘žW Úä÷ê¥|_c)¡\	àO&’É &ÄÞw_+6ûBÀDX\A0@¡ZŠB‘8ìaˆ®€KX‚9&ˆ[`ÑÄlÅ-Ž´HL.ÊäÁÌÅ©‰Ùe‚
+‚°Ìá?Ad
+†¡æÁì?Öoáå¡¿Ç­1BßXÀò !g	þkpt:"‰&Pl‚­5ö# h
ØØPcþMÈ£(,-M,þw5›‹†%0×Û0í’Bòª“+b¿8çûH/Û*U½êÍ~µ±ù\VŒõœ—Q°¨t´Xqõ„*×ÝË´;¥^ÑËpOÿrºDûâÕ´¢r¿¬xj±Ç™˜&]óÚÂt”!?xºàk…>­	}tö›mÛ{§·Åµic)é‡Ï7Î
vkn4÷>in¼Ù¦÷‚úÀ‡›ð‘O:·NÖÆåÝØÉœ¸}ß•á‰:§™ÊÙöšAÓÐìc\;B.·ðqh¹§TÓeͯ÷Hoò—<5L5N1yÞêS.™I‹ÕþýV˜:þnêXFñÌW¸&Cúõ;²¤
+RfüžFCWƒ¶G–œW›Û,Ü¥Ÿ“-W]©Õky|àç*0åR}sYì‹r(´ &×ÐéiTøwõ;çà3bˆûªOzVZ/Óì®×µwÝëuÌ|Y¨áÞ¡–Fq_•ÖrNŒ‘ðÃãVÝwö”>Šç ¥÷íW^5¸ÈùµZFËðàñëa
ci—é—_1V—¯–˜m–\ŠK¤õ«nvv”ãGrb“Œ4Üàk	0Žo[eÞ¼QZ§ÓSsV*ëÓ2TïWdEéȤ•¢@.ûŒælfz†g€»—ß>µ¸#ÍyIÏUª¾Ïʳ;ƶ$Œùª’'Z_NXL	Ç}4i—ºJýRôM#áK
öV3êåg×+r$§ý&Ýïâþ.Nar6'j*õÜoÆ/ãÿ˜üncQáÇhó¡	5ä–KöL܈›ÞÉ2Îs…G]u™¡±×vÜ&©'$gJ“ÚkžâoZvvy@1Ë:>f䩦íQ.½b§™ÀWq\·P2»C'BsþY)Ÿ´P?õÌ×ônÝá4ù±æåï‘S;~TQÌÅ­ßÖìg>˜®>°éMæÁçtÝÜOBÿ¡=ë§zž7tXu\é!í“]Æ}˜ß(ùžÿÇ߆J'Ã×ç_»%»&#:Z'ZûoYSåÇN*®WÞ7Ü´3•’·)Îd±üKó|/þ òˆd^Qš=®jjì©›O	.„A÷äUŸÒæQö3çñ
+»ÉÊRÚç>.¿ÆQEì“/~9Ez“ØýB­®UbPæK¯J™š.Ñh}³Õ3«}ÈcPG:gaN§T¯»4€4ÛÝýú;œØs~—ض¬÷•'FÛjy7:âÌ?ÖzúÓÝæݯ9ùÏŽ«E§È†‹èøÄuþ÷•«”ªÓa´û²€Š1b]aÚ…_Ýw*R’ç#¶ä]o¬Øu0ÑìÓòÐæø†Ù¦W‰fÊo2«=í»Îe£Ú­µ¬Ý-·GíC†®iˆƒxmê?-H7€„þyéê3V£œô€ñî‚íºúë²
öØ<|XÓ<þ	õáìV¯Aëñ©lšC~Ó_þ$8ú¼Ñ_GUŽø¯
ý¹¯EWYWwôtgW²o¬«ñ\»$åŒbjãÎön‰]Ù'ûöÒ]ϨõÏÉ4V'•Ç²:Bê­Ð¸C➘loµ^)§`m`onû-òøàþßà¢vuC¨áCh(î_ÒèþQendstream
 endobj
 765 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2274 0 R
+/Encoding 2280 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 2275 0 R
-/BaseFont /FNATRQ+CMSY10
+/Widths 2281 0 R
+/BaseFont /HJXDKC+CMSY10
 /FontDescriptor 763 0 R
 >> endobj
 763 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /FNATRQ+CMSY10
+/FontName /HJXDKC+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
@@ -11228,10 +11277,10 @@ endobj
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
 /FontFile 764 0 R
 >> endobj
-2275 0 obj
+2281 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-2274 0 obj <<
+2280 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
@@ -11243,7 +11292,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNLQXTQ„꟩ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
+xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNNDEIRœêŸ©ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
 üPˆŸìá|ŒRbQ»š€ê
 ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
 Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ™C	½‰h1R^iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†ÅÄ ö¶‘ÛMüc,‚¨×]EI[™Y…	¸îˆ0^ÆMÏm}™×Ë 3ž@óɪ0öGƺ°>KÛyE‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c
³öB8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å+åýdä„P9Œ,U•äD¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W	WâãÆ[.¸N5ÈõëZS†
@@ -11337,23 +11386,23 @@ A
 ­u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn
ÐÅ—6¹s²R¯aÆ‹úr×€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ
(N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_¢£J¾:¤ íéJ$<ÂBÿˆSUÅöìMø›Yr¤˜¾ÃÈ×`Qíå?›Ù±VƒÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F¸¯xÀÁ¦ÿàB*·ÛvªR&¤N<•ê`¢µ+çN¼é¬
 g¤£Ê¾2f~mû„m}…i¶xÄãæužÙÆœ»‚ÙüÂx\Ôt{™CÀåò	›ËøýÈ·'5'	ªzqvipd×kµ»¶j©@ƒæ…:Íw¾?bøàôVs,%ãIP¡ÍSÃ…„A³ô‰ìDª`Ïûñ,{r˜¦fY—AÀ˜EÏ¡+LNä^õ,¸¬Y¼B™¡9ÛœÐç†dbTC4è¿JLWl©0Âkž ^¸ùT›Úò«¾¦ét«§^Þí§/‡3SÄ蚇dQœv(CÜ쇵È%#¾j0Æ7›5pEZ‡ì—,í¼éÀOÇéÃõ¤¯(CæýéZb4üÁP”™Γ{5Þ…k`åùÃJÙãpÔféAvs,µp̈Õ.¨±g¸Ño¡µ°±P9:Ý,'c|Ì1eÁh†M~‘fQÞúûdú9’LÈúôÖN0–"/Ó|8׃ҿ]‰/óûÚûس˜z$©Ôü³[<~q÷é#ƒä2
 'óP4I×¥ŸÐ?`b¬FH.÷R}ÿÀ#]«iÀAñ7FÌÐ5øùq6O‰Ç/êúWbõÑFåq-¢´ð
§]xžök%˜Ã–td˜¯‘ŒÎ¼r¿?qEµÀ¡Glq_åOÎ1ŠL$HülÓ‚|²ëÅ›:vÐ
Ø›¨†À<¬è2ëg8„7ë%j ÅL/ARWˆŠmõƒÑ±)Cðî&œ£Ò(q14ŒED;ÌjdWåqêÒÚ8ß'‡õt˜{r›`üz$¸~ЗV-ðr#QcªžÉ¹=H­EÍëCóIîÁÕŒ–aYÅuz8UG²þºÝ¡HJP+dGR]¤IؘNd'×DóN'é[ºqÆIÒĵF,·;Å—d•”©7•‘W­_ˆF®kô­é¢á£tΘ~­
yTjænUÀNöÂߥ6”éŸì¶\e>:3‚t{ù^÷p*kõ!1ñÖ3«/¥tŒëÖÈ|æeWç¯ÛQ#`IbýÍÃ$ŒPÍXÉSKUŽž¡’`ËAÅžþ›m­%N©ò’÷Y¥Ê¡K_º`ÕsYGõ¾ìŸö¨,4ƒ“³›¯HC'Ÿû89cá[ãÛ2?ÆN¼	ü±ù#°¥ª0ägã¶,Š¢œ¡. éj”¿ê?ÉxG# Ò+“Å.ă-†cå-Yo¢UÄVõñÈö15Ò»æ¾Ýc@@íéíAŸLüUÜêÏÉ…ÜÔ¿©ÿÌZÏ‚ñåÎSUn9“mbµf[‘€Š±ÑT8D1¿4г#hqÙך½E9É{Ь¶uîœb…M'­?/ÖGÐÿéε%¨˜Gš±Ñ3?hßó¤¸þa¶„çŽØyžÓ€’^`´ý×Þz\‹÷¶v«áP{ÑÑ•Ih~×`5»æ0ïfM…ÂÛ
-ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶ûK¬¹-endstream
+ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶ûCm¹Aendstream
 endobj
 762 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 2260 0 R
+/Encoding 2266 0 R
 /FirstChar 2
 /LastChar 216
-/Widths 2276 0 R
-/BaseFont /GRDFRE+URWPalladioL-Roma
+/Widths 2282 0 R
+/BaseFont /OEUSJH+URWPalladioL-Roma
 /FontDescriptor 760 0 R
 >> endobj
 760 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /GRDFRE+URWPalladioL-Roma
+/FontName /OEUSJH+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
@@ -11362,7 +11411,7 @@ endobj
 /CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/endash/emdash/Oslash)
 /FontFile 761 0 R
 >> endobj
-2276 0 obj
+2282 0 obj
 [605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
 endobj
 737 0 obj <<
@@ -11373,7 +11422,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:9IiªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:I%%
AªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
 Šº%`¸3LŽ7)ü‰]üQHžíá|ÒâP»šê
 ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
 KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó#\2®˜Æíß»OÍß
6.â'¢ÿp$iÊíù2ŸÒ;LÛ–Oòá ±Fóyº)‘ùµ©ãà~¥ŸC¡ë­„aø
ÅÑ«¨ÙûGæhg[&óâ<1—Xû²Âø{iª_“¸bf)¦Œ²§T˜
ÜÓ»GAe!ógF玦àUa!*ÚZ0Ÿðç/èa0¼€ž~£œ†äwÝo	âïfŸJ³xÛw®ÞaÇL¿õ0è^š`8¿Ú	Ù4Ùç÷Ï©4†V×"”]BÝ3pþà·½_) èIÞ\H$séåXŒ{Òb^Z,ÃÛ6ö©ÉÁ¬–R2µCÇŠ‰t(£ˆOܲÓ7‚9òó`e€²ä@y%0júAÈëRÿ˜à˜~xƒ4wÖ5çíÂàÖ±åmÝÓ×â}=Ð’tRX[>͔ҞÐRÔ "çH³l/é•_r> endobj
 736 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /QOEJLQ+URWPalladioL-Bold
+/FontName /JSSYBU+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
@@ -11498,195 +11546,201 @@ endobj
 /CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
 /FontFile 737 0 R
 >> endobj
-2277 0 obj
+2283 0 obj
 [611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
 739 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [730 0 R 757 0 R 767 0 R 822 0 R 886 0 R 949 0 R]
 >> endobj
 986 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [974 0 R 988 0 R 1002 0 R 1013 0 R 1020 0 R 1032 0 R]
 >> endobj
 1044 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [1037 0 R 1046 0 R 1055 0 R 1065 0 R 1077 0 R 1083 0 R]
 >> endobj
 1107 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [1091 0 R 1114 0 R 1124 0 R 1129 0 R 1133 0 R 1138 0 R]
 >> endobj
 1155 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [1148 0 R 1157 0 R 1164 0 R 1170 0 R 1174 0 R 1186 0 R]
 >> endobj
 1196 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2278 0 R
+/Parent 2284 0 R
 /Kids [1190 0 R 1198 0 R 1202 0 R 1212 0 R 1217 0 R 1225 0 R]
 >> endobj
 1241 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
+/Parent 2285 0 R
 /Kids [1233 0 R 1243 0 R 1251 0 R 1262 0 R 1268 0 R 1274 0 R]
 >> endobj
 1283 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
+/Parent 2285 0 R
 /Kids [1280 0 R 1285 0 R 1292 0 R 1300 0 R 1307 0 R 1311 0 R]
 >> endobj
 1318 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
-/Kids [1315 0 R 1320 0 R 1324 0 R 1331 0 R 1335 0 R 1342 0 R]
+/Parent 2285 0 R
+/Kids [1315 0 R 1320 0 R 1324 0 R 1331 0 R 1339 0 R 1345 0 R]
 >> endobj
-1355 0 obj <<
+1359 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
-/Kids [1352 0 R 1357 0 R 1361 0 R 1369 0 R 1375 0 R 1383 0 R]
+/Parent 2285 0 R
+/Kids [1356 0 R 1361 0 R 1365 0 R 1373 0 R 1379 0 R 1387 0 R]
 >> endobj
-1391 0 obj <<
+1395 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
-/Kids [1388 0 R 1393 0 R 1397 0 R 1403 0 R 1411 0 R 1416 0 R]
+/Parent 2285 0 R
+/Kids [1392 0 R 1397 0 R 1401 0 R 1407 0 R 1415 0 R 1420 0 R]
 >> endobj
-1430 0 obj <<
+1434 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2279 0 R
-/Kids [1424 0 R 1432 0 R 1437 0 R 1444 0 R 1455 0 R 1459 0 R]
+/Parent 2285 0 R
+/Kids [1428 0 R 1436 0 R 1441 0 R 1448 0 R 1456 0 R 1460 0 R]
 >> endobj
-1469 0 obj <<
+1470 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1464 0 R 1471 0 R 1475 0 R 1483 0 R 1492 0 R 1497 0 R]
+/Parent 2286 0 R
+/Kids [1465 0 R 1472 0 R 1476 0 R 1484 0 R 1493 0 R 1498 0 R]
 >> endobj
-1504 0 obj <<
+1505 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1501 0 R 1506 0 R 1510 0 R 1518 0 R 1525 0 R 1545 0 R]
+/Parent 2286 0 R
+/Kids [1502 0 R 1507 0 R 1511 0 R 1519 0 R 1526 0 R 1546 0 R]
 >> endobj
-1579 0 obj <<
+1580 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1559 0 R 1583 0 R 1591 0 R 1595 0 R 1607 0 R 1611 0 R]
+/Parent 2286 0 R
+/Kids [1560 0 R 1584 0 R 1592 0 R 1596 0 R 1608 0 R 1612 0 R]
 >> endobj
-1631 0 obj <<
+1632 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1620 0 R 1633 0 R 1643 0 R 1650 0 R 1656 0 R 1663 0 R]
+/Parent 2286 0 R
+/Kids [1621 0 R 1634 0 R 1644 0 R 1651 0 R 1657 0 R 1664 0 R]
 >> endobj
-1679 0 obj <<
+1680 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1672 0 R 1682 0 R 1689 0 R 1700 0 R 1704 0 R 1710 0 R]
+/Parent 2286 0 R
+/Kids [1673 0 R 1683 0 R 1690 0 R 1701 0 R 1705 0 R 1711 0 R]
 >> endobj
-1724 0 obj <<
+1725 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2280 0 R
-/Kids [1721 0 R 1726 0 R 1730 0 R 1741 0 R 1745 0 R 1752 0 R]
+/Parent 2286 0 R
+/Kids [1722 0 R 1727 0 R 1731 0 R 1742 0 R 1746 0 R 1753 0 R]
 >> endobj
-1820 0 obj <<
+1821 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [1762 0 R 1822 0 R 1878 0 R 1932 0 R 1966 0 R 1975 0 R]
+/Parent 2287 0 R
+/Kids [1763 0 R 1823 0 R 1879 0 R 1933 0 R 1967 0 R 1976 0 R]
 >> endobj
-1985 0 obj <<
+1986 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [1981 0 R 1987 0 R 1991 0 R 1996 0 R 2007 0 R 2012 0 R]
+/Parent 2287 0 R
+/Kids [1982 0 R 1988 0 R 1992 0 R 1997 0 R 2008 0 R 2013 0 R]
 >> endobj
-2032 0 obj <<
+2033 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [2024 0 R 2034 0 R 2043 0 R 2048 0 R 2058 0 R 2063 0 R]
+/Parent 2287 0 R
+/Kids [2025 0 R 2035 0 R 2044 0 R 2049 0 R 2059 0 R 2064 0 R]
 >> endobj
-2077 0 obj <<
+2078 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [2068 0 R 2079 0 R 2090 0 R 2097 0 R 2109 0 R 2113 0 R]
+/Parent 2287 0 R
+/Kids [2069 0 R 2080 0 R 2091 0 R 2098 0 R 2110 0 R 2114 0 R]
 >> endobj
-2121 0 obj <<
+2122 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [2117 0 R 2123 0 R 2134 0 R 2145 0 R 2150 0 R 2159 0 R]
+/Parent 2287 0 R
+/Kids [2118 0 R 2124 0 R 2135 0 R 2146 0 R 2151 0 R 2160 0 R]
 >> endobj
-2169 0 obj <<
+2170 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2281 0 R
-/Kids [2166 0 R 2171 0 R 2182 0 R 2188 0 R 2193 0 R 2198 0 R]
+/Parent 2287 0 R
+/Kids [2167 0 R 2172 0 R 2183 0 R 2189 0 R 2194 0 R 2199 0 R]
 >> endobj
-2216 0 obj <<
+2215 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 2282 0 R
-/Kids [2209 0 R 2218 0 R 2227 0 R 2233 0 R 2243 0 R 2253 0 R]
+/Parent 2288 0 R
+/Kids [2209 0 R 2217 0 R 2227 0 R 2232 0 R 2244 0 R 2253 0 R]
 >> endobj
-2278 0 obj <<
+2265 0 obj <<
 /Type /Pages
-/Count 36
-/Parent 2283 0 R
-/Kids [739 0 R 986 0 R 1044 0 R 1107 0 R 1155 0 R 1196 0 R]
->> endobj
-2279 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2283 0 R
-/Kids [1241 0 R 1283 0 R 1318 0 R 1355 0 R 1391 0 R 1430 0 R]
->> endobj
-2280 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2283 0 R
-/Kids [1469 0 R 1504 0 R 1579 0 R 1631 0 R 1679 0 R 1724 0 R]
->> endobj
-2281 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 2283 0 R
-/Kids [1820 0 R 1985 0 R 2032 0 R 2077 0 R 2121 0 R 2169 0 R]
->> endobj
-2282 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 2283 0 R
-/Kids [2216 0 R]
->> endobj
-2283 0 obj <<
-/Type /Pages
-/Count 150
-/Kids [2278 0 R 2279 0 R 2280 0 R 2281 0 R 2282 0 R]
+/Count 1
+/Parent 2288 0 R
+/Kids [2261 0 R]
 >> endobj
 2284 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2289 0 R
+/Kids [739 0 R 986 0 R 1044 0 R 1107 0 R 1155 0 R 1196 0 R]
+>> endobj
+2285 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2289 0 R
+/Kids [1241 0 R 1283 0 R 1318 0 R 1359 0 R 1395 0 R 1434 0 R]
+>> endobj
+2286 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2289 0 R
+/Kids [1470 0 R 1505 0 R 1580 0 R 1632 0 R 1680 0 R 1725 0 R]
+>> endobj
+2287 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2289 0 R
+/Kids [1821 0 R 1986 0 R 2033 0 R 2078 0 R 2122 0 R 2170 0 R]
+>> endobj
+2288 0 obj <<
+/Type /Pages
+/Count 7
+/Parent 2289 0 R
+/Kids [2215 0 R 2265 0 R]
+>> endobj
+2289 0 obj <<
+/Type /Pages
+/Count 151
+/Kids [2284 0 R 2285 0 R 2286 0 R 2287 0 R 2288 0 R]
+>> endobj
+2290 0 obj <<
 /Type /Outlines
 /First 7 0 R
 /Last 663 0 R
@@ -11805,7 +11859,7 @@ endobj
 663 0 obj <<
 /Title 664 0 R
 /A 661 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 627 0 R
 /First 667 0 R
 /Last 727 0 R
@@ -11871,7 +11925,7 @@ endobj
 627 0 obj <<
 /Title 628 0 R
 /A 625 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 607 0 R
 /Next 663 0 R
 /First 631 0 R
@@ -11908,7 +11962,7 @@ endobj
 607 0 obj <<
 /Title 608 0 R
 /A 605 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 583 0 R
 /Next 627 0 R
 /First 611 0 R
@@ -11952,7 +12006,7 @@ endobj
 583 0 obj <<
 /Title 584 0 R
 /A 581 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 243 0 R
 /Next 607 0 R
 /First 587 0 R
@@ -12560,7 +12614,7 @@ endobj
 243 0 obj <<
 /Title 244 0 R
 /A 241 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 231 0 R
 /Next 583 0 R
 /First 247 0 R
@@ -12582,7 +12636,7 @@ endobj
 231 0 obj <<
 /Title 232 0 R
 /A 229 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 131 0 R
 /Next 243 0 R
 /First 235 0 R
@@ -12764,7 +12818,7 @@ endobj
 131 0 obj <<
 /Title 132 0 R
 /A 129 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 91 0 R
 /Next 231 0 R
 /First 135 0 R
@@ -12838,7 +12892,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 67 0 R
 /Next 131 0 R
 /First 95 0 R
@@ -12881,7 +12935,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -12990,37 +13044,37 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 2284 0 R
+/Parent 2290 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-2285 0 obj <<
-/Names [(Access_Control_Lists) 1708 0 R (Bv9ARM.ch01) 977 0 R (Bv9ARM.ch02) 1023 0 R (Bv9ARM.ch03) 1040 0 R (Bv9ARM.ch04) 1094 0 R (Bv9ARM.ch05) 1193 0 R (Bv9ARM.ch06) 1205 0 R (Bv9ARM.ch07) 1707 0 R (Bv9ARM.ch08) 1733 0 R (Bv9ARM.ch09) 1748 0 R (Bv9ARM.ch10) 1969 0 R (Configuration_File_Grammar) 1229 0 R (DNSSEC) 1161 0 R (Doc-Start) 735 0 R (Setting_TTLs) 1628 0 R (acache) 1030 0 R (access_control) 1372 0 R (acl) 1237 0 R (address_match_lists) 1210 0 R (admin_tools) 1063 0 R (appendix.A) 626 0 R (appendix.B) 662 0 R (bibliography) 1756 0 R (boolean_options) 1111 0 R (builtin) 1450 0 R (chapter*.1) 770 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 582 0 R (chapter.8) 606 0 R (cite.RFC1033) 1884 0 R (cite.RFC1034) 1768 0 R (cite.RFC1035) 1770 0 R (cite.RFC1101) 1866 0 R (cite.RFC1123) 1868 0 R (cite.RFC1183) 1828 0 R (cite.RFC1464) 1906 0 R (cite.RFC1535) 1813 0 R (cite.RFC1536) 1815 0 R (cite.RFC1537) 1886 0 R (cite.RFC1591) 1870 0 R (cite.RFC1706) 1830 0 R (cite.RFC1712) 1926 0 R (cite.RFC1713) 1908 0 R (cite.RFC1794) 1910 0 R (cite.RFC1876) 1832 0 R (cite.RFC1912) 1888 0 R (cite.RFC1982) 1817 0 R (cite.RFC1995) 1775 0 R (cite.RFC1996) 1777 0 R (cite.RFC2010) 1890 0 R (cite.RFC2052) 1834 0 R (cite.RFC2065) 1938 0 R (cite.RFC2136) 1779 0 R (cite.RFC2137) 1940 0 R (cite.RFC2163) 1836 0 R (cite.RFC2168) 1838 0 R (cite.RFC2181) 1781 0 R (cite.RFC2219) 1892 0 R (cite.RFC2230) 1840 0 R (cite.RFC2240) 1912 0 R (cite.RFC2308) 1783 0 R (cite.RFC2317) 1872 0 R (cite.RFC2345) 1914 0 R (cite.RFC2352) 1916 0 R (cite.RFC2535) 1942 0 R (cite.RFC2536) 1842 0 R (cite.RFC2537) 1844 0 R (cite.RFC2538) 1846 0 R (cite.RFC2539) 1848 0 R (cite.RFC2540) 1850 0 R (cite.RFC2671) 1785 0 R (cite.RFC2672) 1787 0 R (cite.RFC2673) 1928 0 R (cite.RFC2782) 1852 0 R (cite.RFC2825) 1896 0 R (cite.RFC2826) 1874 0 R (cite.RFC2845) 1789 0 R (cite.RFC2874) 1930 0 R (cite.RFC2915) 1854 0 R (cite.RFC2929) 1876 0 R (cite.RFC2930) 1791 0 R (cite.RFC2931) 1793 0 R (cite.RFC3007) 1795 0 R (cite.RFC3008) 1944 0 R (cite.RFC3071) 1918 0 R (cite.RFC3090) 1946 0 R (cite.RFC3110) 1856 0 R (cite.RFC3123) 1858 0 R (cite.RFC3225) 1801 0 R (cite.RFC3258) 1920 0 R (cite.RFC3445) 1948 0 R (cite.RFC3490) 1898 0 R (cite.RFC3491) 1900 0 R (cite.RFC3492) 1902 0 R (cite.RFC3596) 1860 0 R (cite.RFC3597) 1862 0 R (cite.RFC3645) 1797 0 R (cite.RFC3655) 1950 0 R (cite.RFC3658) 1952 0 R (cite.RFC3755) 1954 0 R (cite.RFC3757) 1956 0 R (cite.RFC3833) 1803 0 R (cite.RFC3845) 1958 0 R (cite.RFC3901) 1922 0 R (cite.RFC4033) 1805 0 R (cite.RFC4034) 1807 0 R (cite.RFC4035) 1809 0 R (cite.RFC4074) 1819 0 R (cite.RFC974) 1772 0 R (cite.id2507489) 1963 0 R (clients-per-query) 1680 0 R (configuration_file_elements) 1206 0 R (controls_statement_definition_and_usage) 1081 0 R (diagnostic_tools) 1011 0 R (dynamic_update) 1104 0 R (dynamic_update_policies) 1075 0 R (dynamic_update_security) 1381 0 R (empty) 1452 0 R (historical_dns_information) 1750 0 R (id2466552) 978 0 R (id2466576) 979 0 R (id2467534) 980 0 R (id2467544) 981 0 R (id2467716) 993 0 R (id2467737) 994 0 R (id2467771) 995 0 R (id2467856) 998 0 R (id2467948) 991 0 R (id2470253) 1005 0 R (id2470277) 1008 0 R (id2470375) 1009 0 R (id2470396) 1010 0 R (id2470426) 1016 0 R (id2470530) 1017 0 R (id2470556) 1018 0 R (id2470590) 1024 0 R (id2470617) 1025 0 R (id2470630) 1026 0 R (id2470724) 1029 0 R (id2470734) 1035 0 R (id2470766) 1042 0 R (id2470782) 1043 0 R (id2470805) 1049 0 R (id2470822) 1050 0 R (id2471227) 1058 0 R (id2471233) 1059 0 R (id2473198) 1086 0 R (id2473210) 1087 0 R (id2473636) 1120 0 R (id2473654) 1121 0 R (id2474087) 1141 0 R (id2474104) 1142 0 R (id2474142) 1143 0 R (id2474161) 1144 0 R (id2474171) 1145 0 R (id2474276) 1146 0 R (id2474333) 1151 0 R (id2474382) 1153 0 R (id2474533) 1154 0 R (id2474582) 1160 0 R (id2474718) 1162 0 R (id2474797) 1167 0 R (id2475015) 1168 0 R (id2475197) 1180 0 R (id2475328) 1182 0 R (id2475349) 1183 0 R (id2475382) 1194 0 R (id2475597) 1207 0 R (id2476558) 1215 0 R (id2476586) 1220 0 R (id2476792) 1221 0 R (id2476807) 1222 0 R (id2476837) 1228 0 R (id2477048) 1230 0 R (id2477514) 1236 0 R (id2477557) 1238 0 R (id2477704) 1240 0 R (id2478064) 1248 0 R (id2478149) 1254 0 R (id2478172) 1255 0 R (id2478196) 1256 0 R (id2478286) 1260 0 R (id2478412) 1265 0 R (id2478465) 1266 0 R (id2479158) 1277 0 R (id2479824) 1288 0 R (id2479954) 1289 0 R (id2480343) 1295 0 R (id2480417) 1296 0 R (id2480549) 1303 0 R (id2480593) 1304 0 R (id2480608) 1305 0 R (id2483432) 1338 0 R (id2485354) 1364 0 R (id2485413) 1366 0 R (id2485850) 1380 0 R (id2487122) 1400 0 R (id2487318) 1406 0 R (id2487604) 1414 0 R (id2488174) 1428 0 R (id2489684) 1462 0 R (id2490572) 1481 0 R (id2490727) 1486 0 R (id2490778) 1487 0 R (id2490825) 1489 0 R (id2490876) 1490 0 R (id2491230) 1495 0 R (id2492804) 1513 0 R (id2492811) 1514 0 R (id2492817) 1515 0 R (id2493307) 1522 0 R (id2493340) 1528 0 R (id2495252) 1588 0 R (id2495606) 1598 0 R (id2495761) 1599 0 R (id2495781) 1602 0 R (id2495949) 1604 0 R (id2497120) 1614 0 R (id2497248) 1616 0 R (id2497337) 1617 0 R (id2497632) 1623 0 R (id2497768) 1625 0 R (id2497786) 1626 0 R (id2498190) 1629 0 R (id2498384) 1636 0 R (id2498398) 1637 0 R (id2498510) 1639 0 R (id2498533) 1640 0 R (id2498549) 1641 0 R (id2498678) 1646 0 R (id2498816) 1647 0 R (id2498852) 1648 0 R (id2498928) 1653 0 R (id2499302) 1660 0 R (id2499805) 1668 0 R (id2499811) 1669 0 R (id2501483) 1676 0 R (id2501490) 1677 0 R (id2501866) 1685 0 R (id2501872) 1686 0 R (id2502888) 1692 0 R (id2502920) 1693 0 R (id2503261) 1698 0 R (id2503504) 1717 0 R (id2503585) 1718 0 R (id2503644) 1719 0 R (id2503861) 1734 0 R (id2503866) 1735 0 R (id2503878) 1736 0 R (id2503895) 1737 0 R (id2503957) 1749 0 R (id2504197) 1755 0 R (id2504453) 1760 0 R (id2504455) 1766 0 R (id2504464) 1771 0 R (id2504487) 1767 0 R (id2504579) 1769 0 R (id2504615) 1780 0 R (id2504642) 1782 0 R (id2504667) 1774 0 R (id2504692) 1776 0 R (id2504715) 1778 0 R (id2504771) 1784 0 R (id2504797) 1786 0 R (id2504824) 1788 0 R (id2504886) 1790 0 R (id2504916) 1792 0 R (id2504946) 1794 0 R (id2504972) 1796 0 R (id2505047) 1799 0 R (id2505054) 1800 0 R (id2505081) 1802 0 R (id2505117) 1804 0 R (id2505182) 1806 0 R (id2505248) 1808 0 R (id2505313) 1811 0 R (id2505321) 1812 0 R (id2505347) 1814 0 R (id2505415) 1816 0 R (id2505450) 1818 0 R (id2505491) 1826 0 R (id2505496) 1827 0 R (id2505554) 1829 0 R (id2505591) 1837 0 R (id2505626) 1831 0 R (id2505681) 1833 0 R (id2505719) 1835 0 R (id2505745) 1839 0 R (id2505770) 1841 0 R (id2505797) 1843 0 R (id2505824) 1845 0 R (id2505863) 1847 0 R (id2505893) 1849 0 R (id2505923) 1851 0 R (id2505965) 1853 0 R (id2505998) 1855 0 R (id2506025) 1857 0 R (id2506049) 1859 0 R (id2506106) 1861 0 R (id2506131) 1864 0 R (id2506138) 1865 0 R (id2506164) 1867 0 R (id2506186) 1869 0 R (id2506210) 1871 0 R (id2506256) 1873 0 R (id2506279) 1875 0 R (id2506329) 1882 0 R (id2506337) 1883 0 R (id2506360) 1885 0 R (id2506387) 1887 0 R (id2506413) 1889 0 R (id2506450) 1891 0 R (id2506490) 1894 0 R (id2506496) 1895 0 R (id2506528) 1897 0 R (id2506573) 1899 0 R (id2506609) 1901 0 R (id2506635) 1904 0 R (id2506653) 1905 0 R (id2506676) 1907 0 R (id2506701) 1909 0 R (id2506727) 1911 0 R (id2506750) 1913 0 R (id2506796) 1915 0 R (id2506888) 1917 0 R (id2506915) 1919 0 R (id2506940) 1921 0 R (id2506978) 1924 0 R (id2506984) 1925 0 R (id2507042) 1927 0 R (id2507068) 1929 0 R (id2507105) 1936 0 R (id2507116) 1937 0 R (id2507156) 1939 0 R (id2507182) 1941 0 R (id2507212) 1943 0 R (id2507238) 1945 0 R (id2507265) 1947 0 R (id2507301) 1949 0 R (id2507337) 1951 0 R (id2507364) 1953 0 R (id2507390) 1955 0 R (id2507435) 1957 0 R (id2507477) 1960 0 R (id2507486) 1962 0 R (id2507489) 1964 0 R (incremental_zone_transfers) 1117 0 R (internet_drafts) 1959 0 R (ipv6addresses) 1184 0 R (journal) 1106 0 R (lwresd) 1195 0 R (man.ddns-confgen) 2249 0 R (man.dig) 1970 0 R (man.dnssec-dsfromkey) 2018 0 R (man.dnssec-keyfromlabel) 2037 0 R (man.dnssec-keygen) 1580 0 R (man.dnssec-revoke) 2075 0 R (man.dnssec-settime) 1581 0 R (man.dnssec-signzone) 2103 0 R (man.host) 2003 0 R (man.named) 2156 0 R (man.named-checkconf) 2128 0 R (man.named-checkzone) 2140 0 R (man.nsupdate) 2179 0 R (man.rndc) 2204 0 R (man.rndc-confgen) 2237 0 R (man.rndc.conf) 2221 0 R (notify) 1095 0 R (options) 1074 0 R (page.1) 734 0 R (page.10) 1015 0 R (page.100) 1702 0 R (page.101) 1706 0 R (page.102) 1712 0 R (page.103) 1723 0 R (page.104) 1728 0 R (page.105) 1732 0 R (page.106) 1743 0 R (page.107) 1747 0 R (page.108) 1754 0 R (page.109) 1764 0 R (page.11) 1022 0 R (page.110) 1824 0 R (page.111) 1880 0 R (page.112) 1934 0 R (page.113) 1968 0 R (page.114) 1977 0 R (page.115) 1983 0 R (page.116) 1989 0 R (page.117) 1993 0 R (page.118) 1998 0 R (page.119) 2009 0 R (page.12) 1034 0 R (page.120) 2014 0 R (page.121) 2026 0 R (page.122) 2036 0 R (page.123) 2045 0 R (page.124) 2050 0 R (page.125) 2060 0 R (page.126) 2065 0 R (page.127) 2070 0 R (page.128) 2081 0 R (page.129) 2092 0 R (page.13) 1039 0 R (page.130) 2099 0 R (page.131) 2111 0 R (page.132) 2115 0 R (page.133) 2119 0 R (page.134) 2125 0 R (page.135) 2136 0 R (page.136) 2147 0 R (page.137) 2152 0 R (page.138) 2161 0 R (page.139) 2168 0 R (page.14) 1048 0 R (page.140) 2173 0 R (page.141) 2184 0 R (page.142) 2190 0 R (page.143) 2195 0 R (page.144) 2200 0 R (page.145) 2211 0 R (page.146) 2220 0 R (page.147) 2229 0 R (page.148) 2235 0 R (page.149) 2245 0 R (page.15) 1057 0 R (page.150) 2255 0 R (page.16) 1067 0 R (page.17) 1079 0 R (page.18) 1085 0 R (page.19) 1093 0 R (page.2) 759 0 R (page.20) 1116 0 R (page.21) 1126 0 R (page.22) 1131 0 R (page.23) 1135 0 R (page.24) 1140 0 R (page.25) 1150 0 R (page.26) 1159 0 R (page.27) 1166 0 R (page.28) 1172 0 R (page.29) 1176 0 R (page.3) 769 0 R (page.30) 1188 0 R (page.31) 1192 0 R (page.32) 1200 0 R (page.33) 1204 0 R (page.34) 1214 0 R (page.35) 1219 0 R (page.36) 1227 0 R (page.37) 1235 0 R (page.38) 1245 0 R (page.39) 1253 0 R (page.4) 824 0 R (page.40) 1264 0 R (page.41) 1270 0 R (page.42) 1276 0 R (page.43) 1282 0 R (page.44) 1287 0 R (page.45) 1294 0 R (page.46) 1302 0 R (page.47) 1309 0 R (page.48) 1313 0 R (page.49) 1317 0 R (page.5) 888 0 R (page.50) 1322 0 R (page.51) 1326 0 R (page.52) 1333 0 R (page.53) 1337 0 R (page.54) 1344 0 R (page.55) 1354 0 R (page.56) 1359 0 R (page.57) 1363 0 R (page.58) 1371 0 R (page.59) 1377 0 R (page.6) 951 0 R (page.60) 1385 0 R (page.61) 1390 0 R (page.62) 1395 0 R (page.63) 1399 0 R (page.64) 1405 0 R (page.65) 1413 0 R (page.66) 1418 0 R (page.67) 1426 0 R (page.68) 1434 0 R (page.69) 1439 0 R (page.7) 976 0 R (page.70) 1446 0 R (page.71) 1457 0 R (page.72) 1461 0 R (page.73) 1466 0 R (page.74) 1473 0 R (page.75) 1477 0 R (page.76) 1485 0 R (page.77) 1494 0 R (page.78) 1499 0 R (page.79) 1503 0 R (page.8) 990 0 R (page.80) 1508 0 R (page.81) 1512 0 R (page.82) 1520 0 R (page.83) 1527 0 R (page.84) 1547 0 R (page.85) 1561 0 R (page.86) 1585 0 R (page.87) 1593 0 R (page.88) 1597 0 R (page.89) 1609 0 R (page.9) 1004 0 R (page.90) 1613 0 R (page.91) 1622 0 R (page.92) 1635 0 R (page.93) 1645 0 R (page.94) 1652 0 R (page.95) 1658 0 R (page.96) 1665 0 R (page.97) 1674 0 R (page.98) 1684 0 R (page.99) 1691 0 R (proposed_standards) 1122 0 R (query_address) 1386 0 R (rfcs) 1000 0 R (rndc) 1249 0 R (root_delegation_only) 1523 0 R (rrset_ordering) 1053 0 R (sample_configuration) 1041 0 R (section*.10) 1893 0 R (section*.100) 2177 0 R (section*.101) 2178 0 R (section*.102) 2180 0 R (section*.103) 2185 0 R (section*.104) 2186 0 R (section*.105) 2191 0 R (section*.106) 2196 0 R (section*.107) 2201 0 R (section*.108) 2202 0 R (section*.109) 2203 0 R (section*.11) 1903 0 R (section*.110) 2205 0 R (section*.111) 2206 0 R (section*.112) 2207 0 R (section*.113) 2212 0 R (section*.114) 2213 0 R (section*.115) 2214 0 R (section*.116) 2215 0 R (section*.117) 2222 0 R (section*.118) 2223 0 R (section*.119) 2224 0 R (section*.12) 1923 0 R (section*.120) 2225 0 R (section*.121) 2230 0 R (section*.122) 2231 0 R (section*.123) 2236 0 R (section*.124) 2238 0 R (section*.125) 2239 0 R (section*.126) 2240 0 R (section*.127) 2241 0 R (section*.128) 2246 0 R (section*.129) 2247 0 R (section*.13) 1935 0 R (section*.130) 2248 0 R (section*.131) 2250 0 R (section*.132) 2251 0 R (section*.133) 2256 0 R (section*.134) 2257 0 R (section*.135) 2258 0 R (section*.136) 2259 0 R (section*.14) 1961 0 R (section*.15) 1971 0 R (section*.16) 1972 0 R (section*.17) 1973 0 R (section*.18) 1978 0 R (section*.19) 1979 0 R (section*.2) 1759 0 R (section*.20) 1984 0 R (section*.21) 1994 0 R (section*.22) 1999 0 R (section*.23) 2000 0 R (section*.24) 2001 0 R (section*.25) 2002 0 R (section*.26) 2004 0 R (section*.27) 2005 0 R (section*.28) 2010 0 R (section*.29) 2015 0 R (section*.3) 1765 0 R (section*.30) 2016 0 R (section*.31) 2017 0 R (section*.32) 2019 0 R (section*.33) 2020 0 R (section*.34) 2021 0 R (section*.35) 2022 0 R (section*.36) 2027 0 R (section*.37) 2028 0 R (section*.38) 2029 0 R (section*.39) 2030 0 R (section*.4) 1773 0 R (section*.40) 2031 0 R (section*.41) 2038 0 R (section*.42) 2039 0 R (section*.43) 2040 0 R (section*.44) 2041 0 R (section*.45) 2046 0 R (section*.46) 2051 0 R (section*.47) 2052 0 R (section*.48) 2053 0 R (section*.49) 2054 0 R (section*.5) 1798 0 R (section*.50) 2055 0 R (section*.51) 2056 0 R (section*.52) 2061 0 R (section*.53) 2066 0 R (section*.54) 2071 0 R (section*.55) 2072 0 R (section*.56) 2073 0 R (section*.57) 2074 0 R (section*.58) 2076 0 R (section*.59) 2082 0 R (section*.6) 1810 0 R (section*.60) 2083 0 R (section*.61) 2084 0 R (section*.62) 2085 0 R (section*.63) 2086 0 R (section*.64) 2087 0 R (section*.65) 2088 0 R (section*.66) 2093 0 R (section*.67) 2094 0 R (section*.68) 2095 0 R (section*.69) 2100 0 R (section*.7) 1825 0 R (section*.70) 2101 0 R (section*.71) 2102 0 R (section*.72) 2104 0 R (section*.73) 2105 0 R (section*.74) 2106 0 R (section*.75) 2107 0 R (section*.76) 2120 0 R (section*.77) 2126 0 R (section*.78) 2127 0 R (section*.79) 2129 0 R (section*.8) 1863 0 R (section*.80) 2130 0 R (section*.81) 2131 0 R (section*.82) 2132 0 R (section*.83) 2137 0 R (section*.84) 2138 0 R (section*.85) 2139 0 R (section*.86) 2141 0 R (section*.87) 2142 0 R (section*.88) 2143 0 R (section*.89) 2148 0 R (section*.9) 1881 0 R (section*.90) 2153 0 R (section*.91) 2154 0 R (section*.92) 2155 0 R (section*.93) 2157 0 R (section*.94) 2162 0 R (section*.95) 2163 0 R (section*.96) 2164 0 R (section*.97) 2174 0 R (section*.98) 2175 0 R (section*.99) 2176 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 494 0 R (section.6.4) 550 0 R (section.7.1) 586 0 R (section.7.2) 590 0 R (section.7.3) 602 0 R (section.8.1) 610 0 R (section.8.2) 618 0 R (section.8.3) 622 0 R (section.A.1) 630 0 R (section.A.2) 638 0 R (section.A.3) 646 0 R (section.B.1) 666 0 R (section.B.10) 702 0 R (section.B.11) 706 0 R (section.B.12) 710 0 R (section.B.13) 714 0 R (section.B.14) 718 0 R (section.B.15) 722 0 R (section.B.16) 726 0 R (section.B.2) 670 0 R (section.B.3) 674 0 R (section.B.4) 678 0 R (section.B.5) 682 0 R (section.B.6) 686 0 R (section.B.7) 690 0 R (section.B.8) 694 0 R (section.B.9) 698 0 R (server_resource_limits) 1408 0 R (server_statement_definition_and_usage) 1350 0 R (server_statement_grammar) 1468 0 R (statistics) 1659 0 R (statistics_counters) 1667 0 R (statschannels) 1480 0 R (statsfile) 1329 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.27) 470 0 R (subsection.6.2.28) 474 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 498 0 R (subsection.6.3.2) 510 0 R (subsection.6.3.3) 514 0 R (subsection.6.3.4) 518 0 R (subsection.6.3.5) 522 0 R (subsection.6.3.6) 542 0 R (subsection.6.3.7) 546 0 R (subsection.6.4.1) 558 0 R (subsection.7.2.1) 594 0 R (subsection.7.2.2) 598 0 R (subsection.8.1.1) 614 0 R (subsection.A.1.1) 634 0 R (subsection.A.2.1) 642 0 R (subsection.A.3.1) 650 0 R (subsection.A.3.2) 654 0 R (subsection.A.3.3) 658 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.28.1) 478 0 R (subsubsection.6.2.28.2) 482 0 R (subsubsection.6.2.28.3) 486 0 R (subsubsection.6.2.28.4) 490 0 R (subsubsection.6.3.1.1) 502 0 R (subsubsection.6.3.1.2) 506 0 R (subsubsection.6.3.5.1) 526 0 R (subsubsection.6.3.5.2) 530 0 R (subsubsection.6.3.5.3) 534 0 R (subsubsection.6.3.5.4) 538 0 R (subsubsection.6.4.0.1) 554 0 R (subsubsection.6.4.1.1) 562 0 R (subsubsection.6.4.1.2) 566 0 R (subsubsection.6.4.1.3) 570 0 R (subsubsection.6.4.1.4) 574 0 R (subsubsection.6.4.1.5) 578 0 R (table.1.1) 982 0 R (table.1.2) 992 0 R (table.3.1) 1051 0 R (table.3.2) 1088 0 R (table.6.1) 1208 0 R (table.6.10) 1603 0 R (table.6.11) 1605 0 R (table.6.12) 1615 0 R (table.6.13) 1618 0 R (table.6.14) 1624 0 R (table.6.15) 1627 0 R (table.6.16) 1630 0 R (table.6.17) 1638 0 R (table.6.18) 1654 0 R (table.6.19) 1661 0 R (table.6.2) 1231 0 R (table.6.20) 1670 0 R (table.6.21) 1678 0 R (table.6.22) 1687 0 R (table.6.23) 1694 0 R (table.6.3) 1239 0 R (table.6.4) 1278 0 R (table.6.5) 1290 0 R (table.6.6) 1339 0 R (table.6.7) 1429 0 R (table.6.8) 1516 0 R (table.6.9) 1589 0 R (the_category_phrase) 1272 0 R (the_sortlist_statement) 1420 0 R (topology) 1419 0 R (tsig) 1136 0 R (tuning) 1435 0 R (types_of_resource_records_and_when_to_use_them) 999 0 R (view_statement_grammar) 1453 0 R (zone_statement_grammar) 1367 0 R (zone_transfers) 1112 0 R (zonefile_format) 1442 0 R]
+2291 0 obj <<
+/Names [(Access_Control_Lists) 1709 0 R (Bv9ARM.ch01) 977 0 R (Bv9ARM.ch02) 1023 0 R (Bv9ARM.ch03) 1040 0 R (Bv9ARM.ch04) 1094 0 R (Bv9ARM.ch05) 1193 0 R (Bv9ARM.ch06) 1205 0 R (Bv9ARM.ch07) 1708 0 R (Bv9ARM.ch08) 1734 0 R (Bv9ARM.ch09) 1749 0 R (Bv9ARM.ch10) 1970 0 R (Configuration_File_Grammar) 1229 0 R (DNSSEC) 1161 0 R (Doc-Start) 735 0 R (Setting_TTLs) 1629 0 R (acache) 1030 0 R (access_control) 1376 0 R (acl) 1237 0 R (address_match_lists) 1210 0 R (admin_tools) 1063 0 R (appendix.A) 626 0 R (appendix.B) 662 0 R (bibliography) 1757 0 R (boolean_options) 1111 0 R (builtin) 1451 0 R (chapter*.1) 770 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 582 0 R (chapter.8) 606 0 R (cite.RFC1033) 1885 0 R (cite.RFC1034) 1769 0 R (cite.RFC1035) 1771 0 R (cite.RFC1101) 1867 0 R (cite.RFC1123) 1869 0 R (cite.RFC1183) 1829 0 R (cite.RFC1464) 1907 0 R (cite.RFC1535) 1814 0 R (cite.RFC1536) 1816 0 R (cite.RFC1537) 1887 0 R (cite.RFC1591) 1871 0 R (cite.RFC1706) 1831 0 R (cite.RFC1712) 1927 0 R (cite.RFC1713) 1909 0 R (cite.RFC1794) 1911 0 R (cite.RFC1876) 1833 0 R (cite.RFC1912) 1889 0 R (cite.RFC1982) 1818 0 R (cite.RFC1995) 1776 0 R (cite.RFC1996) 1778 0 R (cite.RFC2010) 1891 0 R (cite.RFC2052) 1835 0 R (cite.RFC2065) 1939 0 R (cite.RFC2136) 1780 0 R (cite.RFC2137) 1941 0 R (cite.RFC2163) 1837 0 R (cite.RFC2168) 1839 0 R (cite.RFC2181) 1782 0 R (cite.RFC2219) 1893 0 R (cite.RFC2230) 1841 0 R (cite.RFC2240) 1913 0 R (cite.RFC2308) 1784 0 R (cite.RFC2317) 1873 0 R (cite.RFC2345) 1915 0 R (cite.RFC2352) 1917 0 R (cite.RFC2535) 1943 0 R (cite.RFC2536) 1843 0 R (cite.RFC2537) 1845 0 R (cite.RFC2538) 1847 0 R (cite.RFC2539) 1849 0 R (cite.RFC2540) 1851 0 R (cite.RFC2671) 1786 0 R (cite.RFC2672) 1788 0 R (cite.RFC2673) 1929 0 R (cite.RFC2782) 1853 0 R (cite.RFC2825) 1897 0 R (cite.RFC2826) 1875 0 R (cite.RFC2845) 1790 0 R (cite.RFC2874) 1931 0 R (cite.RFC2915) 1855 0 R (cite.RFC2929) 1877 0 R (cite.RFC2930) 1792 0 R (cite.RFC2931) 1794 0 R (cite.RFC3007) 1796 0 R (cite.RFC3008) 1945 0 R (cite.RFC3071) 1919 0 R (cite.RFC3090) 1947 0 R (cite.RFC3110) 1857 0 R (cite.RFC3123) 1859 0 R (cite.RFC3225) 1802 0 R (cite.RFC3258) 1921 0 R (cite.RFC3445) 1949 0 R (cite.RFC3490) 1899 0 R (cite.RFC3491) 1901 0 R (cite.RFC3492) 1903 0 R (cite.RFC3596) 1861 0 R (cite.RFC3597) 1863 0 R (cite.RFC3645) 1798 0 R (cite.RFC3655) 1951 0 R (cite.RFC3658) 1953 0 R (cite.RFC3755) 1955 0 R (cite.RFC3757) 1957 0 R (cite.RFC3833) 1804 0 R (cite.RFC3845) 1959 0 R (cite.RFC3901) 1923 0 R (cite.RFC4033) 1806 0 R (cite.RFC4034) 1808 0 R (cite.RFC4035) 1810 0 R (cite.RFC4074) 1820 0 R (cite.RFC974) 1773 0 R (cite.id2507617) 1964 0 R (clients-per-query) 1681 0 R (configuration_file_elements) 1206 0 R (controls_statement_definition_and_usage) 1081 0 R (diagnostic_tools) 1011 0 R (dynamic_update) 1104 0 R (dynamic_update_policies) 1075 0 R (dynamic_update_security) 1385 0 R (empty) 1453 0 R (historical_dns_information) 1751 0 R (id2466552) 978 0 R (id2466576) 979 0 R (id2467534) 980 0 R (id2467544) 981 0 R (id2467716) 993 0 R (id2467737) 994 0 R (id2467771) 995 0 R (id2467856) 998 0 R (id2467948) 991 0 R (id2470253) 1005 0 R (id2470277) 1008 0 R (id2470375) 1009 0 R (id2470396) 1010 0 R (id2470426) 1016 0 R (id2470530) 1017 0 R (id2470556) 1018 0 R (id2470590) 1024 0 R (id2470617) 1025 0 R (id2470630) 1026 0 R (id2470724) 1029 0 R (id2470734) 1035 0 R (id2470766) 1042 0 R (id2470782) 1043 0 R (id2470805) 1049 0 R (id2470822) 1050 0 R (id2471227) 1058 0 R (id2471233) 1059 0 R (id2473198) 1086 0 R (id2473210) 1087 0 R (id2473636) 1120 0 R (id2473654) 1121 0 R (id2474087) 1141 0 R (id2474104) 1142 0 R (id2474142) 1143 0 R (id2474161) 1144 0 R (id2474171) 1145 0 R (id2474276) 1146 0 R (id2474333) 1151 0 R (id2474382) 1153 0 R (id2474533) 1154 0 R (id2474582) 1160 0 R (id2474718) 1162 0 R (id2474797) 1167 0 R (id2475015) 1168 0 R (id2475197) 1180 0 R (id2475328) 1182 0 R (id2475349) 1183 0 R (id2475382) 1194 0 R (id2475597) 1207 0 R (id2476558) 1215 0 R (id2476586) 1220 0 R (id2476792) 1221 0 R (id2476807) 1222 0 R (id2476837) 1228 0 R (id2477048) 1230 0 R (id2477514) 1236 0 R (id2477557) 1238 0 R (id2477704) 1240 0 R (id2478064) 1248 0 R (id2478149) 1254 0 R (id2478172) 1255 0 R (id2478196) 1256 0 R (id2478286) 1260 0 R (id2478412) 1265 0 R (id2478465) 1266 0 R (id2479158) 1277 0 R (id2479824) 1288 0 R (id2479954) 1289 0 R (id2480343) 1295 0 R (id2480417) 1296 0 R (id2480549) 1303 0 R (id2480593) 1304 0 R (id2480608) 1305 0 R (id2483488) 1342 0 R (id2485412) 1368 0 R (id2485470) 1370 0 R (id2485976) 1384 0 R (id2487248) 1404 0 R (id2487376) 1410 0 R (id2487730) 1418 0 R (id2488300) 1432 0 R (id2489741) 1463 0 R (id2490630) 1482 0 R (id2490785) 1487 0 R (id2490836) 1488 0 R (id2490883) 1490 0 R (id2491002) 1491 0 R (id2491290) 1496 0 R (id2492864) 1514 0 R (id2492871) 1515 0 R (id2492876) 1516 0 R (id2493367) 1523 0 R (id2493468) 1529 0 R (id2495380) 1589 0 R (id2495734) 1599 0 R (id2495752) 1600 0 R (id2495772) 1603 0 R (id2496009) 1605 0 R (id2497179) 1615 0 R (id2497307) 1617 0 R (id2497329) 1618 0 R (id2497691) 1624 0 R (id2497828) 1626 0 R (id2497846) 1627 0 R (id2498455) 1630 0 R (id2498580) 1637 0 R (id2498595) 1638 0 R (id2498775) 1640 0 R (id2498797) 1641 0 R (id2498813) 1642 0 R (id2498874) 1647 0 R (id2498944) 1648 0 R (id2498980) 1649 0 R (id2499056) 1654 0 R (id2499498) 1661 0 R (id2500002) 1669 0 R (id2500007) 1670 0 R (id2501611) 1677 0 R (id2501618) 1678 0 R (id2501994) 1686 0 R (id2502000) 1687 0 R (id2503084) 1693 0 R (id2503116) 1694 0 R (id2503458) 1699 0 R (id2503632) 1718 0 R (id2503781) 1719 0 R (id2503841) 1720 0 R (id2503921) 1735 0 R (id2503926) 1736 0 R (id2503938) 1737 0 R (id2504091) 1738 0 R (id2504153) 1750 0 R (id2504325) 1756 0 R (id2504581) 1761 0 R (id2504583) 1767 0 R (id2504592) 1772 0 R (id2504615) 1768 0 R (id2504638) 1770 0 R (id2504675) 1781 0 R (id2504701) 1783 0 R (id2504727) 1775 0 R (id2504752) 1777 0 R (id2504775) 1779 0 R (id2504830) 1785 0 R (id2504857) 1787 0 R (id2504884) 1789 0 R (id2504946) 1791 0 R (id2504976) 1793 0 R (id2505005) 1795 0 R (id2505032) 1797 0 R (id2505107) 1800 0 R (id2505114) 1801 0 R (id2505141) 1803 0 R (id2505177) 1805 0 R (id2505242) 1807 0 R (id2505307) 1809 0 R (id2505372) 1812 0 R (id2505381) 1813 0 R (id2505406) 1815 0 R (id2505475) 1817 0 R (id2505510) 1819 0 R (id2505550) 1827 0 R (id2505556) 1828 0 R (id2505613) 1830 0 R (id2505651) 1838 0 R (id2505686) 1832 0 R (id2505740) 1834 0 R (id2505779) 1836 0 R (id2505804) 1840 0 R (id2505830) 1842 0 R (id2505857) 1844 0 R (id2505883) 1846 0 R (id2505923) 1848 0 R (id2505953) 1850 0 R (id2505982) 1852 0 R (id2506025) 1854 0 R (id2506058) 1856 0 R (id2506085) 1858 0 R (id2506108) 1860 0 R (id2506166) 1862 0 R (id2506190) 1865 0 R (id2506198) 1866 0 R (id2506224) 1868 0 R (id2506246) 1870 0 R (id2506269) 1872 0 R (id2506315) 1874 0 R (id2506339) 1876 0 R (id2506389) 1883 0 R (id2506396) 1884 0 R (id2506420) 1886 0 R (id2506446) 1888 0 R (id2506473) 1890 0 R (id2506509) 1892 0 R (id2506550) 1895 0 R (id2506555) 1896 0 R (id2506587) 1898 0 R (id2506633) 1900 0 R (id2506668) 1902 0 R (id2506695) 1905 0 R (id2506713) 1906 0 R (id2506736) 1908 0 R (id2506898) 1910 0 R (id2506923) 1912 0 R (id2506947) 1914 0 R (id2506993) 1916 0 R (id2507016) 1918 0 R (id2507043) 1920 0 R (id2507068) 1922 0 R (id2507106) 1925 0 R (id2507112) 1926 0 R (id2507170) 1928 0 R (id2507196) 1930 0 R (id2507233) 1937 0 R (id2507244) 1938 0 R (id2507284) 1940 0 R (id2507310) 1942 0 R (id2507340) 1944 0 R (id2507366) 1946 0 R (id2507393) 1948 0 R (id2507429) 1950 0 R (id2507465) 1952 0 R (id2507492) 1954 0 R (id2507518) 1956 0 R (id2507563) 1958 0 R (id2507605) 1961 0 R (id2507614) 1963 0 R (id2507617) 1965 0 R (incremental_zone_transfers) 1117 0 R (internet_drafts) 1960 0 R (ipv6addresses) 1184 0 R (journal) 1106 0 R (lwresd) 1195 0 R (man.ddns-confgen) 2250 0 R (man.dig) 1971 0 R (man.dnssec-dsfromkey) 2019 0 R (man.dnssec-keyfromlabel) 2038 0 R (man.dnssec-keygen) 1581 0 R (man.dnssec-revoke) 2076 0 R (man.dnssec-settime) 1582 0 R (man.dnssec-signzone) 2104 0 R (man.host) 2004 0 R (man.named) 2157 0 R (man.named-checkconf) 2129 0 R (man.named-checkzone) 2141 0 R (man.nsupdate) 2180 0 R (man.rndc) 2205 0 R (man.rndc-confgen) 2238 0 R (man.rndc.conf) 2222 0 R (notify) 1095 0 R (options) 1074 0 R (page.1) 734 0 R (page.10) 1015 0 R (page.100) 1703 0 R (page.101) 1707 0 R (page.102) 1713 0 R (page.103) 1724 0 R (page.104) 1729 0 R (page.105) 1733 0 R (page.106) 1744 0 R (page.107) 1748 0 R (page.108) 1755 0 R (page.109) 1765 0 R (page.11) 1022 0 R (page.110) 1825 0 R (page.111) 1881 0 R (page.112) 1935 0 R (page.113) 1969 0 R (page.114) 1978 0 R (page.115) 1984 0 R (page.116) 1990 0 R (page.117) 1994 0 R (page.118) 1999 0 R (page.119) 2010 0 R (page.12) 1034 0 R (page.120) 2015 0 R (page.121) 2027 0 R (page.122) 2037 0 R (page.123) 2046 0 R (page.124) 2051 0 R (page.125) 2061 0 R (page.126) 2066 0 R (page.127) 2071 0 R (page.128) 2082 0 R (page.129) 2093 0 R (page.13) 1039 0 R (page.130) 2100 0 R (page.131) 2112 0 R (page.132) 2116 0 R (page.133) 2120 0 R (page.134) 2126 0 R (page.135) 2137 0 R (page.136) 2148 0 R (page.137) 2153 0 R (page.138) 2162 0 R (page.139) 2169 0 R (page.14) 1048 0 R (page.140) 2174 0 R (page.141) 2185 0 R (page.142) 2191 0 R (page.143) 2196 0 R (page.144) 2201 0 R (page.145) 2211 0 R (page.146) 2219 0 R (page.147) 2229 0 R (page.148) 2234 0 R (page.149) 2246 0 R (page.15) 1057 0 R (page.150) 2255 0 R (page.151) 2263 0 R (page.16) 1067 0 R (page.17) 1079 0 R (page.18) 1085 0 R (page.19) 1093 0 R (page.2) 759 0 R (page.20) 1116 0 R (page.21) 1126 0 R (page.22) 1131 0 R (page.23) 1135 0 R (page.24) 1140 0 R (page.25) 1150 0 R (page.26) 1159 0 R (page.27) 1166 0 R (page.28) 1172 0 R (page.29) 1176 0 R (page.3) 769 0 R (page.30) 1188 0 R (page.31) 1192 0 R (page.32) 1200 0 R (page.33) 1204 0 R (page.34) 1214 0 R (page.35) 1219 0 R (page.36) 1227 0 R (page.37) 1235 0 R (page.38) 1245 0 R (page.39) 1253 0 R (page.4) 824 0 R (page.40) 1264 0 R (page.41) 1270 0 R (page.42) 1276 0 R (page.43) 1282 0 R (page.44) 1287 0 R (page.45) 1294 0 R (page.46) 1302 0 R (page.47) 1309 0 R (page.48) 1313 0 R (page.49) 1317 0 R (page.5) 888 0 R (page.50) 1322 0 R (page.51) 1326 0 R (page.52) 1333 0 R (page.53) 1341 0 R (page.54) 1347 0 R (page.55) 1358 0 R (page.56) 1363 0 R (page.57) 1367 0 R (page.58) 1375 0 R (page.59) 1381 0 R (page.6) 951 0 R (page.60) 1389 0 R (page.61) 1394 0 R (page.62) 1399 0 R (page.63) 1403 0 R (page.64) 1409 0 R (page.65) 1417 0 R (page.66) 1422 0 R (page.67) 1430 0 R (page.68) 1438 0 R (page.69) 1443 0 R (page.7) 976 0 R (page.70) 1450 0 R (page.71) 1458 0 R (page.72) 1462 0 R (page.73) 1467 0 R (page.74) 1474 0 R (page.75) 1478 0 R (page.76) 1486 0 R (page.77) 1495 0 R (page.78) 1500 0 R (page.79) 1504 0 R (page.8) 990 0 R (page.80) 1509 0 R (page.81) 1513 0 R (page.82) 1521 0 R (page.83) 1528 0 R (page.84) 1548 0 R (page.85) 1562 0 R (page.86) 1586 0 R (page.87) 1594 0 R (page.88) 1598 0 R (page.89) 1610 0 R (page.9) 1004 0 R (page.90) 1614 0 R (page.91) 1623 0 R (page.92) 1636 0 R (page.93) 1646 0 R (page.94) 1653 0 R (page.95) 1659 0 R (page.96) 1666 0 R (page.97) 1675 0 R (page.98) 1685 0 R (page.99) 1692 0 R (proposed_standards) 1122 0 R (query_address) 1390 0 R (rfcs) 1000 0 R (rndc) 1249 0 R (root_delegation_only) 1524 0 R (rrset_ordering) 1053 0 R (sample_configuration) 1041 0 R (section*.10) 1894 0 R (section*.100) 2178 0 R (section*.101) 2179 0 R (section*.102) 2181 0 R (section*.103) 2186 0 R (section*.104) 2187 0 R (section*.105) 2192 0 R (section*.106) 2197 0 R (section*.107) 2202 0 R (section*.108) 2203 0 R (section*.109) 2204 0 R (section*.11) 1904 0 R (section*.110) 2206 0 R (section*.111) 2207 0 R (section*.112) 2212 0 R (section*.113) 2213 0 R (section*.114) 2214 0 R (section*.115) 2220 0 R (section*.116) 2221 0 R (section*.117) 2223 0 R (section*.118) 2224 0 R (section*.119) 2225 0 R (section*.12) 1924 0 R (section*.120) 2230 0 R (section*.121) 2235 0 R (section*.122) 2236 0 R (section*.123) 2237 0 R (section*.124) 2239 0 R (section*.125) 2240 0 R (section*.126) 2241 0 R (section*.127) 2242 0 R (section*.128) 2247 0 R (section*.129) 2248 0 R (section*.13) 1936 0 R (section*.130) 2249 0 R (section*.131) 2251 0 R (section*.132) 2256 0 R (section*.133) 2257 0 R (section*.134) 2258 0 R (section*.135) 2259 0 R (section*.136) 2264 0 R (section*.14) 1962 0 R (section*.15) 1972 0 R (section*.16) 1973 0 R (section*.17) 1974 0 R (section*.18) 1979 0 R (section*.19) 1980 0 R (section*.2) 1760 0 R (section*.20) 1985 0 R (section*.21) 1995 0 R (section*.22) 2000 0 R (section*.23) 2001 0 R (section*.24) 2002 0 R (section*.25) 2003 0 R (section*.26) 2005 0 R (section*.27) 2006 0 R (section*.28) 2011 0 R (section*.29) 2016 0 R (section*.3) 1766 0 R (section*.30) 2017 0 R (section*.31) 2018 0 R (section*.32) 2020 0 R (section*.33) 2021 0 R (section*.34) 2022 0 R (section*.35) 2023 0 R (section*.36) 2028 0 R (section*.37) 2029 0 R (section*.38) 2030 0 R (section*.39) 2031 0 R (section*.4) 1774 0 R (section*.40) 2032 0 R (section*.41) 2039 0 R (section*.42) 2040 0 R (section*.43) 2041 0 R (section*.44) 2042 0 R (section*.45) 2047 0 R (section*.46) 2052 0 R (section*.47) 2053 0 R (section*.48) 2054 0 R (section*.49) 2055 0 R (section*.5) 1799 0 R (section*.50) 2056 0 R (section*.51) 2057 0 R (section*.52) 2062 0 R (section*.53) 2067 0 R (section*.54) 2072 0 R (section*.55) 2073 0 R (section*.56) 2074 0 R (section*.57) 2075 0 R (section*.58) 2077 0 R (section*.59) 2083 0 R (section*.6) 1811 0 R (section*.60) 2084 0 R (section*.61) 2085 0 R (section*.62) 2086 0 R (section*.63) 2087 0 R (section*.64) 2088 0 R (section*.65) 2089 0 R (section*.66) 2094 0 R (section*.67) 2095 0 R (section*.68) 2096 0 R (section*.69) 2101 0 R (section*.7) 1826 0 R (section*.70) 2102 0 R (section*.71) 2103 0 R (section*.72) 2105 0 R (section*.73) 2106 0 R (section*.74) 2107 0 R (section*.75) 2108 0 R (section*.76) 2121 0 R (section*.77) 2127 0 R (section*.78) 2128 0 R (section*.79) 2130 0 R (section*.8) 1864 0 R (section*.80) 2131 0 R (section*.81) 2132 0 R (section*.82) 2133 0 R (section*.83) 2138 0 R (section*.84) 2139 0 R (section*.85) 2140 0 R (section*.86) 2142 0 R (section*.87) 2143 0 R (section*.88) 2144 0 R (section*.89) 2149 0 R (section*.9) 1882 0 R (section*.90) 2154 0 R (section*.91) 2155 0 R (section*.92) 2156 0 R (section*.93) 2158 0 R (section*.94) 2163 0 R (section*.95) 2164 0 R (section*.96) 2165 0 R (section*.97) 2175 0 R (section*.98) 2176 0 R (section*.99) 2177 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 494 0 R (section.6.4) 550 0 R (section.7.1) 586 0 R (section.7.2) 590 0 R (section.7.3) 602 0 R (section.8.1) 610 0 R (section.8.2) 618 0 R (section.8.3) 622 0 R (section.A.1) 630 0 R (section.A.2) 638 0 R (section.A.3) 646 0 R (section.B.1) 666 0 R (section.B.10) 702 0 R (section.B.11) 706 0 R (section.B.12) 710 0 R (section.B.13) 714 0 R (section.B.14) 718 0 R (section.B.15) 722 0 R (section.B.16) 726 0 R (section.B.2) 670 0 R (section.B.3) 674 0 R (section.B.4) 678 0 R (section.B.5) 682 0 R (section.B.6) 686 0 R (section.B.7) 690 0 R (section.B.8) 694 0 R (section.B.9) 698 0 R (server_resource_limits) 1412 0 R (server_statement_definition_and_usage) 1354 0 R (server_statement_grammar) 1469 0 R (statistics) 1660 0 R (statistics_counters) 1668 0 R (statschannels) 1481 0 R (statsfile) 1329 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 430 0 R (subsection.6.2.18) 434 0 R (subsection.6.2.19) 438 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 442 0 R (subsection.6.2.21) 446 0 R (subsection.6.2.22) 450 0 R (subsection.6.2.23) 454 0 R (subsection.6.2.24) 458 0 R (subsection.6.2.25) 462 0 R (subsection.6.2.26) 466 0 R (subsection.6.2.27) 470 0 R (subsection.6.2.28) 474 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 498 0 R (subsection.6.3.2) 510 0 R (subsection.6.3.3) 514 0 R (subsection.6.3.4) 518 0 R (subsection.6.3.5) 522 0 R (subsection.6.3.6) 542 0 R (subsection.6.3.7) 546 0 R (subsection.6.4.1) 558 0 R (subsection.7.2.1) 594 0 R (subsection.7.2.2) 598 0 R (subsection.8.1.1) 614 0 R (subsection.A.1.1) 634 0 R (subsection.A.2.1) 642 0 R (subsection.A.3.1) 650 0 R (subsection.A.3.2) 654 0 R (subsection.A.3.3) 658 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.19) 426 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.28.1) 478 0 R (subsubsection.6.2.28.2) 482 0 R (subsubsection.6.2.28.3) 486 0 R (subsubsection.6.2.28.4) 490 0 R (subsubsection.6.3.1.1) 502 0 R (subsubsection.6.3.1.2) 506 0 R (subsubsection.6.3.5.1) 526 0 R (subsubsection.6.3.5.2) 530 0 R (subsubsection.6.3.5.3) 534 0 R (subsubsection.6.3.5.4) 538 0 R (subsubsection.6.4.0.1) 554 0 R (subsubsection.6.4.1.1) 562 0 R (subsubsection.6.4.1.2) 566 0 R (subsubsection.6.4.1.3) 570 0 R (subsubsection.6.4.1.4) 574 0 R (subsubsection.6.4.1.5) 578 0 R (table.1.1) 982 0 R (table.1.2) 992 0 R (table.3.1) 1051 0 R (table.3.2) 1088 0 R (table.6.1) 1208 0 R (table.6.10) 1604 0 R (table.6.11) 1606 0 R (table.6.12) 1616 0 R (table.6.13) 1619 0 R (table.6.14) 1625 0 R (table.6.15) 1628 0 R (table.6.16) 1631 0 R (table.6.17) 1639 0 R (table.6.18) 1655 0 R (table.6.19) 1662 0 R (table.6.2) 1231 0 R (table.6.20) 1671 0 R (table.6.21) 1679 0 R (table.6.22) 1688 0 R (table.6.23) 1695 0 R (table.6.3) 1239 0 R (table.6.4) 1278 0 R (table.6.5) 1290 0 R (table.6.6) 1343 0 R (table.6.7) 1433 0 R (table.6.8) 1517 0 R (table.6.9) 1590 0 R (the_category_phrase) 1272 0 R (the_sortlist_statement) 1424 0 R (topology) 1423 0 R (tsig) 1136 0 R (tuning) 1439 0 R (types_of_resource_records_and_when_to_use_them) 999 0 R (view_statement_grammar) 1454 0 R (zone_statement_grammar) 1371 0 R (zone_transfers) 1112 0 R (zonefile_format) 1446 0 R]
 /Limits [(Access_Control_Lists) (zonefile_format)]
 >> endobj
-2286 0 obj <<
-/Kids [2285 0 R]
+2292 0 obj <<
+/Kids [2291 0 R]
 >> endobj
-2287 0 obj <<
-/Dests 2286 0 R
+2293 0 obj <<
+/Dests 2292 0 R
 >> endobj
-2288 0 obj <<
+2294 0 obj <<
 /Type /Catalog
-/Pages 2283 0 R
-/Outlines 2284 0 R
-/Names 2287 0 R
+/Pages 2289 0 R
+/Outlines 2290 0 R
+/Names 2293 0 R
 /PageMode /UseOutlines 
 /OpenAction 729 0 R
 >> endobj
-2289 0 obj <<
+2295 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20091012231359Z)
+/CreationDate (D:20091016041913Z)
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 2290
+0 2296
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
@@ -13028,727 +13082,727 @@ xref
 0000000000 00000 f 
 0000000009 00000 n 
 0000073718 00000 n 
-0000803820 00000 n 
+0000805513 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
 0000073842 00000 n 
-0000803748 00000 n 
+0000805441 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
 0000073967 00000 n 
-0000803662 00000 n 
+0000805355 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
 0000074092 00000 n 
-0000803576 00000 n 
+0000805269 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
 0000078417 00000 n 
-0000803466 00000 n 
+0000805159 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
 0000078541 00000 n 
-0000803392 00000 n 
+0000805085 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
 0000078666 00000 n 
-0000803305 00000 n 
+0000804998 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
 0000078790 00000 n 
-0000803218 00000 n 
+0000804911 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
 0000083079 00000 n 
-0000803094 00000 n 
+0000804787 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
 0000083207 00000 n 
-0000803020 00000 n 
+0000804713 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
 0000083335 00000 n 
-0000802933 00000 n 
+0000804626 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
 0000083463 00000 n 
-0000802859 00000 n 
+0000804552 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
 0000086445 00000 n 
-0000802735 00000 n 
+0000804428 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
 0000086573 00000 n 
-0000802674 00000 n 
+0000804367 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
 0000086701 00000 n 
-0000802600 00000 n 
+0000804293 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
 0000089643 00000 n 
-0000802475 00000 n 
+0000804168 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
 0000089771 00000 n 
-0000802401 00000 n 
+0000804094 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
 0000089899 00000 n 
-0000802314 00000 n 
+0000804007 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
 0000090027 00000 n 
-0000802227 00000 n 
+0000803920 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
 0000090154 00000 n 
-0000802140 00000 n 
+0000803833 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
 0000091231 00000 n 
-0000802066 00000 n 
+0000803759 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
 0000092890 00000 n 
-0000801938 00000 n 
+0000803631 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
 0000093017 00000 n 
-0000801825 00000 n 
+0000803518 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
 0000093145 00000 n 
-0000801749 00000 n 
+0000803442 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
 0000093273 00000 n 
-0000801672 00000 n 
+0000803365 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
 0000095719 00000 n 
-0000801581 00000 n 
+0000803274 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
 0000099057 00000 n 
-0000801464 00000 n 
+0000803157 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
 0000099185 00000 n 
-0000801346 00000 n 
+0000803039 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
 0000099313 00000 n 
-0000801267 00000 n 
+0000802960 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
 0000099442 00000 n 
-0000801188 00000 n 
+0000802881 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
 0000111318 00000 n 
-0000801109 00000 n 
+0000802802 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
 0000116628 00000 n 
-0000800977 00000 n 
+0000802670 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
 0000116757 00000 n 
-0000800898 00000 n 
+0000802591 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
 0000116886 00000 n 
-0000800766 00000 n 
+0000802459 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
 0000117015 00000 n 
-0000800701 00000 n 
+0000802394 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
 0000121390 00000 n 
-0000800608 00000 n 
+0000802301 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
 0000121519 00000 n 
-0000800476 00000 n 
+0000802169 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
 0000121648 00000 n 
-0000800411 00000 n 
+0000802104 00000 n 
 0000003632 00000 n 
 0000003681 00000 n 
 0000128465 00000 n 
-0000800279 00000 n 
+0000801972 00000 n 
 0000003730 00000 n 
 0000003758 00000 n 
 0000131234 00000 n 
-0000800161 00000 n 
+0000801854 00000 n 
 0000003812 00000 n 
 0000003881 00000 n 
 0000131363 00000 n 
-0000800082 00000 n 
+0000801775 00000 n 
 0000003940 00000 n 
 0000003988 00000 n 
 0000131492 00000 n 
-0000800003 00000 n 
+0000801696 00000 n 
 0000004047 00000 n 
 0000004092 00000 n 
 0000131621 00000 n 
-0000799910 00000 n 
+0000801603 00000 n 
 0000004146 00000 n 
 0000004214 00000 n 
 0000131750 00000 n 
-0000799817 00000 n 
+0000801510 00000 n 
 0000004268 00000 n 
 0000004338 00000 n 
 0000131879 00000 n 
-0000799724 00000 n 
+0000801417 00000 n 
 0000004392 00000 n 
 0000004455 00000 n 
 0000135612 00000 n 
-0000799631 00000 n 
+0000801324 00000 n 
 0000004509 00000 n 
 0000004564 00000 n 
 0000135741 00000 n 
-0000799552 00000 n 
+0000801245 00000 n 
 0000004618 00000 n 
 0000004650 00000 n 
 0000135870 00000 n 
-0000799459 00000 n 
+0000801152 00000 n 
 0000004699 00000 n 
 0000004727 00000 n 
 0000139474 00000 n 
-0000799366 00000 n 
+0000801059 00000 n 
 0000004776 00000 n 
 0000004808 00000 n 
 0000139603 00000 n 
-0000799234 00000 n 
+0000800927 00000 n 
 0000004857 00000 n 
 0000004887 00000 n 
 0000139732 00000 n 
-0000799155 00000 n 
+0000800848 00000 n 
 0000004941 00000 n 
 0000004982 00000 n 
 0000143462 00000 n 
-0000799062 00000 n 
+0000800755 00000 n 
 0000005036 00000 n 
 0000005078 00000 n 
 0000143591 00000 n 
-0000798983 00000 n 
+0000800676 00000 n 
 0000005132 00000 n 
 0000005177 00000 n 
 0000149546 00000 n 
-0000798865 00000 n 
+0000800558 00000 n 
 0000005226 00000 n 
 0000005272 00000 n 
 0000149675 00000 n 
-0000798786 00000 n 
+0000800479 00000 n 
 0000005326 00000 n 
 0000005386 00000 n 
 0000149804 00000 n 
-0000798707 00000 n 
+0000800400 00000 n 
 0000005440 00000 n 
 0000005509 00000 n 
 0000152988 00000 n 
-0000798574 00000 n 
+0000800267 00000 n 
 0000005556 00000 n 
 0000005609 00000 n 
 0000153117 00000 n 
-0000798495 00000 n 
+0000800188 00000 n 
 0000005658 00000 n 
 0000005714 00000 n 
 0000153246 00000 n 
-0000798416 00000 n 
+0000800109 00000 n 
 0000005763 00000 n 
 0000005812 00000 n 
 0000157515 00000 n 
-0000798283 00000 n 
+0000799976 00000 n 
 0000005859 00000 n 
 0000005911 00000 n 
 0000157644 00000 n 
-0000798165 00000 n 
+0000799858 00000 n 
 0000005960 00000 n 
 0000006011 00000 n 
 0000162334 00000 n 
-0000798047 00000 n 
+0000799740 00000 n 
 0000006065 00000 n 
 0000006110 00000 n 
 0000162462 00000 n 
-0000797968 00000 n 
+0000799661 00000 n 
 0000006169 00000 n 
 0000006203 00000 n 
 0000166052 00000 n 
-0000797889 00000 n 
+0000799582 00000 n 
 0000006262 00000 n 
 0000006310 00000 n 
 0000166181 00000 n 
-0000797771 00000 n 
+0000799464 00000 n 
 0000006364 00000 n 
 0000006404 00000 n 
 0000166310 00000 n 
-0000797692 00000 n 
+0000799385 00000 n 
 0000006463 00000 n 
 0000006497 00000 n 
 0000170086 00000 n 
-0000797613 00000 n 
+0000799306 00000 n 
 0000006556 00000 n 
 0000006604 00000 n 
 0000170215 00000 n 
-0000797480 00000 n 
+0000799173 00000 n 
 0000006653 00000 n 
 0000006703 00000 n 
 0000173283 00000 n 
-0000797401 00000 n 
+0000799094 00000 n 
 0000006757 00000 n 
 0000006804 00000 n 
 0000173411 00000 n 
-0000797308 00000 n 
+0000799001 00000 n 
 0000006858 00000 n 
 0000006918 00000 n 
 0000173670 00000 n 
-0000797215 00000 n 
+0000798908 00000 n 
 0000006972 00000 n 
 0000007024 00000 n 
 0000178850 00000 n 
-0000797122 00000 n 
+0000798815 00000 n 
 0000007078 00000 n 
 0000007143 00000 n 
 0000178979 00000 n 
-0000797029 00000 n 
+0000798722 00000 n 
 0000007197 00000 n 
 0000007248 00000 n 
 0000182453 00000 n 
-0000796936 00000 n 
+0000798629 00000 n 
 0000007302 00000 n 
 0000007366 00000 n 
 0000182582 00000 n 
-0000796843 00000 n 
+0000798536 00000 n 
 0000007420 00000 n 
 0000007467 00000 n 
 0000182711 00000 n 
-0000796750 00000 n 
+0000798443 00000 n 
 0000007521 00000 n 
 0000007581 00000 n 
 0000182840 00000 n 
-0000796657 00000 n 
+0000798350 00000 n 
 0000007635 00000 n 
 0000007686 00000 n 
 0000186856 00000 n 
-0000796525 00000 n 
+0000798218 00000 n 
 0000007741 00000 n 
 0000007806 00000 n 
 0000186985 00000 n 
-0000796446 00000 n 
+0000798139 00000 n 
 0000007866 00000 n 
 0000007913 00000 n 
 0000193801 00000 n 
-0000796353 00000 n 
+0000798046 00000 n 
 0000007973 00000 n 
 0000008021 00000 n 
 0000200933 00000 n 
-0000796274 00000 n 
+0000797967 00000 n 
 0000008081 00000 n 
 0000008135 00000 n 
 0000204634 00000 n 
-0000796181 00000 n 
+0000797874 00000 n 
 0000008190 00000 n 
 0000008240 00000 n 
 0000204763 00000 n 
-0000796088 00000 n 
+0000797781 00000 n 
 0000008295 00000 n 
 0000008358 00000 n 
 0000206494 00000 n 
-0000795995 00000 n 
+0000797688 00000 n 
 0000008413 00000 n 
 0000008465 00000 n 
 0000206623 00000 n 
-0000795902 00000 n 
+0000797595 00000 n 
 0000008520 00000 n 
 0000008585 00000 n 
 0000206751 00000 n 
-0000795809 00000 n 
+0000797502 00000 n 
 0000008640 00000 n 
 0000008692 00000 n 
 0000212695 00000 n 
-0000795676 00000 n 
+0000797369 00000 n 
 0000008747 00000 n 
 0000008812 00000 n 
-0000225348 00000 n 
-0000795597 00000 n 
+0000225755 00000 n 
+0000797290 00000 n 
 0000008872 00000 n 
 0000008916 00000 n 
-0000246636 00000 n 
-0000795504 00000 n 
+0000247041 00000 n 
+0000797197 00000 n 
 0000008976 00000 n 
 0000009015 00000 n 
-0000246765 00000 n 
-0000795411 00000 n 
+0000247170 00000 n 
+0000797104 00000 n 
 0000009075 00000 n 
 0000009122 00000 n 
-0000250067 00000 n 
-0000795318 00000 n 
+0000250690 00000 n 
+0000797011 00000 n 
 0000009182 00000 n 
 0000009225 00000 n 
-0000254254 00000 n 
-0000795225 00000 n 
+0000254909 00000 n 
+0000796918 00000 n 
 0000009285 00000 n 
 0000009324 00000 n 
-0000257954 00000 n 
-0000795132 00000 n 
+0000258591 00000 n 
+0000796825 00000 n 
 0000009384 00000 n 
 0000009426 00000 n 
-0000261009 00000 n 
-0000795039 00000 n 
+0000261570 00000 n 
+0000796732 00000 n 
 0000009486 00000 n 
 0000009529 00000 n 
-0000267994 00000 n 
-0000794946 00000 n 
+0000268763 00000 n 
+0000796639 00000 n 
 0000009589 00000 n 
 0000009632 00000 n 
-0000272447 00000 n 
-0000794853 00000 n 
+0000273216 00000 n 
+0000796546 00000 n 
 0000009692 00000 n 
 0000009753 00000 n 
-0000272576 00000 n 
-0000794760 00000 n 
+0000273345 00000 n 
+0000796453 00000 n 
 0000009814 00000 n 
 0000009866 00000 n 
-0000276414 00000 n 
-0000794667 00000 n 
+0000277183 00000 n 
+0000796360 00000 n 
 0000009927 00000 n 
 0000009980 00000 n 
-0000280762 00000 n 
-0000794574 00000 n 
+0000281531 00000 n 
+0000796267 00000 n 
 0000010041 00000 n 
 0000010079 00000 n 
-0000280891 00000 n 
-0000794481 00000 n 
+0000281660 00000 n 
+0000796174 00000 n 
 0000010140 00000 n 
 0000010192 00000 n 
-0000283752 00000 n 
-0000794388 00000 n 
+0000284521 00000 n 
+0000796081 00000 n 
 0000010253 00000 n 
 0000010297 00000 n 
-0000287002 00000 n 
-0000794295 00000 n 
+0000287771 00000 n 
+0000795988 00000 n 
 0000010358 00000 n 
 0000010394 00000 n 
-0000295912 00000 n 
-0000794202 00000 n 
+0000296681 00000 n 
+0000795895 00000 n 
 0000010455 00000 n 
 0000010518 00000 n 
-0000296041 00000 n 
-0000794109 00000 n 
+0000296810 00000 n 
+0000795802 00000 n 
 0000010579 00000 n 
 0000010629 00000 n 
-0000303223 00000 n 
-0000794016 00000 n 
+0000303992 00000 n 
+0000795709 00000 n 
 0000010690 00000 n 
 0000010746 00000 n 
-0000303352 00000 n 
-0000793937 00000 n 
+0000304121 00000 n 
+0000795630 00000 n 
 0000010807 00000 n 
 0000010854 00000 n 
-0000307051 00000 n 
-0000793844 00000 n 
+0000307820 00000 n 
+0000795537 00000 n 
 0000010909 00000 n 
 0000010960 00000 n 
-0000311038 00000 n 
-0000793751 00000 n 
+0000311807 00000 n 
+0000795444 00000 n 
 0000011015 00000 n 
 0000011079 00000 n 
-0000315486 00000 n 
-0000793658 00000 n 
+0000316255 00000 n 
+0000795351 00000 n 
 0000011134 00000 n 
 0000011198 00000 n 
-0000315613 00000 n 
-0000793565 00000 n 
+0000316382 00000 n 
+0000795258 00000 n 
 0000011253 00000 n 
 0000011330 00000 n 
-0000319170 00000 n 
-0000793472 00000 n 
+0000319939 00000 n 
+0000795165 00000 n 
 0000011385 00000 n 
 0000011442 00000 n 
-0000319299 00000 n 
-0000793379 00000 n 
+0000320068 00000 n 
+0000795072 00000 n 
 0000011497 00000 n 
 0000011567 00000 n 
-0000319428 00000 n 
-0000793286 00000 n 
+0000320197 00000 n 
+0000794979 00000 n 
 0000011622 00000 n 
 0000011679 00000 n 
-0000319557 00000 n 
-0000793193 00000 n 
+0000320326 00000 n 
+0000794886 00000 n 
 0000011734 00000 n 
 0000011804 00000 n 
-0000323711 00000 n 
-0000793100 00000 n 
+0000324485 00000 n 
+0000794793 00000 n 
 0000011859 00000 n 
 0000011908 00000 n 
-0000323840 00000 n 
-0000793007 00000 n 
+0000324614 00000 n 
+0000794700 00000 n 
 0000011963 00000 n 
 0000012025 00000 n 
-0000326101 00000 n 
-0000792914 00000 n 
+0000326888 00000 n 
+0000794607 00000 n 
 0000012080 00000 n 
 0000012129 00000 n 
-0000331630 00000 n 
-0000792796 00000 n 
+0000332417 00000 n 
+0000794489 00000 n 
 0000012184 00000 n 
 0000012246 00000 n 
-0000331758 00000 n 
-0000792717 00000 n 
+0000332545 00000 n 
+0000794410 00000 n 
 0000012306 00000 n 
 0000012345 00000 n 
-0000336085 00000 n 
-0000792624 00000 n 
+0000336872 00000 n 
+0000794317 00000 n 
 0000012405 00000 n 
 0000012439 00000 n 
-0000342002 00000 n 
-0000792531 00000 n 
+0000342789 00000 n 
+0000794224 00000 n 
 0000012499 00000 n 
 0000012540 00000 n 
-0000357856 00000 n 
-0000792452 00000 n 
+0000358643 00000 n 
+0000794145 00000 n 
 0000012600 00000 n 
 0000012652 00000 n 
-0000365167 00000 n 
-0000792320 00000 n 
+0000365954 00000 n 
+0000794013 00000 n 
 0000012701 00000 n 
 0000012734 00000 n 
-0000365296 00000 n 
-0000792202 00000 n 
+0000366083 00000 n 
+0000793895 00000 n 
 0000012788 00000 n 
 0000012860 00000 n 
-0000365424 00000 n 
-0000792123 00000 n 
+0000366211 00000 n 
+0000793816 00000 n 
 0000012919 00000 n 
 0000012963 00000 n 
-0000372841 00000 n 
-0000792044 00000 n 
+0000373628 00000 n 
+0000793737 00000 n 
 0000013022 00000 n 
 0000013075 00000 n 
-0000376614 00000 n 
-0000791951 00000 n 
+0000377401 00000 n 
+0000793644 00000 n 
 0000013129 00000 n 
 0000013179 00000 n 
-0000376872 00000 n 
-0000791858 00000 n 
+0000377659 00000 n 
+0000793551 00000 n 
 0000013233 00000 n 
 0000013271 00000 n 
-0000380322 00000 n 
-0000791765 00000 n 
+0000381109 00000 n 
+0000793458 00000 n 
 0000013325 00000 n 
 0000013374 00000 n 
-0000380580 00000 n 
-0000791633 00000 n 
+0000381367 00000 n 
+0000793326 00000 n 
 0000013428 00000 n 
 0000013480 00000 n 
-0000380708 00000 n 
-0000791554 00000 n 
+0000381495 00000 n 
+0000793247 00000 n 
 0000013539 00000 n 
 0000013584 00000 n 
-0000380837 00000 n 
-0000791461 00000 n 
+0000381624 00000 n 
+0000793154 00000 n 
 0000013643 00000 n 
 0000013695 00000 n 
-0000383460 00000 n 
-0000791368 00000 n 
+0000384247 00000 n 
+0000793061 00000 n 
 0000013754 00000 n 
 0000013807 00000 n 
-0000383589 00000 n 
-0000791289 00000 n 
+0000384376 00000 n 
+0000792982 00000 n 
 0000013866 00000 n 
 0000013915 00000 n 
-0000383718 00000 n 
-0000791196 00000 n 
+0000384505 00000 n 
+0000792889 00000 n 
 0000013969 00000 n 
 0000014049 00000 n 
-0000390819 00000 n 
-0000791117 00000 n 
+0000391606 00000 n 
+0000792810 00000 n 
 0000014103 00000 n 
 0000014152 00000 n 
-0000390948 00000 n 
-0000790999 00000 n 
+0000391735 00000 n 
+0000792692 00000 n 
 0000014201 00000 n 
 0000014241 00000 n 
-0000394388 00000 n 
-0000790920 00000 n 
+0000395175 00000 n 
+0000792613 00000 n 
 0000014300 00000 n 
 0000014347 00000 n 
-0000394517 00000 n 
-0000790802 00000 n 
+0000395304 00000 n 
+0000792495 00000 n 
 0000014401 00000 n 
 0000014446 00000 n 
-0000394646 00000 n 
-0000790723 00000 n 
+0000395433 00000 n 
+0000792416 00000 n 
 0000014505 00000 n 
 0000014564 00000 n 
-0000398402 00000 n 
-0000790630 00000 n 
+0000399189 00000 n 
+0000792323 00000 n 
 0000014623 00000 n 
 0000014687 00000 n 
-0000402119 00000 n 
-0000790537 00000 n 
+0000402906 00000 n 
+0000792230 00000 n 
 0000014746 00000 n 
 0000014802 00000 n 
-0000405136 00000 n 
-0000790444 00000 n 
+0000405923 00000 n 
+0000792137 00000 n 
 0000014861 00000 n 
 0000014919 00000 n 
-0000405394 00000 n 
-0000790365 00000 n 
+0000406181 00000 n 
+0000792058 00000 n 
 0000014978 00000 n 
 0000015040 00000 n 
-0000407556 00000 n 
-0000790232 00000 n 
+0000408343 00000 n 
+0000791925 00000 n 
 0000015087 00000 n 
 0000015139 00000 n 
-0000407685 00000 n 
-0000790153 00000 n 
+0000408472 00000 n 
+0000791846 00000 n 
 0000015188 00000 n 
 0000015232 00000 n 
-0000411719 00000 n 
-0000790021 00000 n 
+0000412506 00000 n 
+0000791714 00000 n 
 0000015281 00000 n 
 0000015322 00000 n 
-0000411848 00000 n 
-0000789942 00000 n 
+0000412635 00000 n 
+0000791635 00000 n 
 0000015376 00000 n 
 0000015424 00000 n 
-0000411976 00000 n 
-0000789863 00000 n 
+0000412763 00000 n 
+0000791556 00000 n 
 0000015478 00000 n 
 0000015529 00000 n 
-0000412105 00000 n 
-0000789784 00000 n 
+0000412892 00000 n 
+0000791477 00000 n 
 0000015578 00000 n 
 0000015625 00000 n 
-0000416699 00000 n 
-0000789651 00000 n 
+0000417486 00000 n 
+0000791344 00000 n 
 0000015672 00000 n 
 0000015709 00000 n 
-0000416828 00000 n 
-0000789533 00000 n 
+0000417615 00000 n 
+0000791226 00000 n 
 0000015758 00000 n 
 0000015797 00000 n 
-0000416957 00000 n 
-0000789468 00000 n 
+0000417744 00000 n 
+0000791161 00000 n 
 0000015851 00000 n 
 0000015929 00000 n 
-0000417086 00000 n 
-0000789375 00000 n 
+0000417873 00000 n 
+0000791068 00000 n 
 0000015978 00000 n 
 0000016045 00000 n 
-0000417215 00000 n 
-0000789296 00000 n 
+0000418002 00000 n 
+0000790989 00000 n 
 0000016094 00000 n 
 0000016139 00000 n 
-0000420655 00000 n 
-0000789163 00000 n 
+0000421442 00000 n 
+0000790856 00000 n 
 0000016187 00000 n 
 0000016219 00000 n 
-0000420784 00000 n 
-0000789045 00000 n 
+0000421571 00000 n 
+0000790738 00000 n 
 0000016268 00000 n 
 0000016307 00000 n 
-0000420913 00000 n 
-0000788980 00000 n 
+0000421700 00000 n 
+0000790673 00000 n 
 0000016361 00000 n 
 0000016422 00000 n 
-0000424594 00000 n 
-0000788848 00000 n 
+0000425381 00000 n 
+0000790541 00000 n 
 0000016471 00000 n 
 0000016528 00000 n 
-0000424723 00000 n 
-0000788783 00000 n 
+0000425510 00000 n 
+0000790476 00000 n 
 0000016582 00000 n 
 0000016631 00000 n 
-0000424852 00000 n 
-0000788665 00000 n 
+0000425639 00000 n 
+0000790358 00000 n 
 0000016680 00000 n 
 0000016742 00000 n 
-0000424981 00000 n 
-0000788586 00000 n 
+0000425768 00000 n 
+0000790279 00000 n 
 0000016796 00000 n 
 0000016851 00000 n 
-0000449004 00000 n 
-0000788493 00000 n 
+0000449791 00000 n 
+0000790186 00000 n 
 0000016905 00000 n 
 0000016946 00000 n 
-0000449133 00000 n 
-0000788414 00000 n 
+0000449920 00000 n 
+0000790107 00000 n 
 0000017000 00000 n 
 0000017052 00000 n 
-0000451864 00000 n 
-0000788294 00000 n 
+0000452651 00000 n 
+0000789987 00000 n 
 0000017100 00000 n 
 0000017134 00000 n 
-0000451993 00000 n 
-0000788215 00000 n 
+0000452780 00000 n 
+0000789908 00000 n 
 0000017183 00000 n 
 0000017210 00000 n 
-0000469815 00000 n 
-0000788122 00000 n 
+0000470602 00000 n 
+0000789815 00000 n 
 0000017259 00000 n 
 0000017287 00000 n 
-0000477349 00000 n 
-0000788029 00000 n 
+0000478136 00000 n 
+0000789722 00000 n 
 0000017336 00000 n 
 0000017376 00000 n 
-0000483671 00000 n 
-0000787936 00000 n 
+0000484458 00000 n 
+0000789629 00000 n 
 0000017425 00000 n 
 0000017468 00000 n 
-0000490034 00000 n 
-0000787843 00000 n 
+0000490821 00000 n 
+0000789536 00000 n 
 0000017517 00000 n 
 0000017554 00000 n 
-0000500299 00000 n 
-0000787750 00000 n 
+0000501086 00000 n 
+0000789443 00000 n 
 0000017603 00000 n 
 0000017640 00000 n 
-0000502871 00000 n 
-0000787657 00000 n 
+0000503658 00000 n 
+0000789350 00000 n 
 0000017689 00000 n 
 0000017727 00000 n 
-0000509460 00000 n 
-0000787564 00000 n 
+0000510247 00000 n 
+0000789257 00000 n 
 0000017776 00000 n 
 0000017815 00000 n 
-0000522882 00000 n 
-0000787471 00000 n 
+0000523669 00000 n 
+0000789164 00000 n 
 0000017864 00000 n 
 0000017903 00000 n 
-0000525842 00000 n 
-0000787378 00000 n 
+0000526629 00000 n 
+0000789071 00000 n 
 0000017953 00000 n 
 0000017993 00000 n 
-0000532019 00000 n 
-0000787285 00000 n 
+0000532806 00000 n 
+0000788978 00000 n 
 0000018043 00000 n 
 0000018073 00000 n 
-0000541344 00000 n 
-0000787192 00000 n 
+0000542131 00000 n 
+0000788885 00000 n 
 0000018123 00000 n 
 0000018156 00000 n 
-0000555519 00000 n 
-0000787099 00000 n 
+0000556229 00000 n 
+0000788792 00000 n 
 0000018206 00000 n 
 0000018235 00000 n 
-0000562929 00000 n 
-0000787006 00000 n 
+0000563535 00000 n 
+0000788699 00000 n 
 0000018285 00000 n 
 0000018319 00000 n 
-0000568586 00000 n 
-0000786913 00000 n 
+0000569223 00000 n 
+0000788606 00000 n 
 0000018369 00000 n 
 0000018406 00000 n 
-0000571665 00000 n 
-0000786834 00000 n 
+0000572490 00000 n 
+0000788527 00000 n 
 0000018456 00000 n 
 0000018493 00000 n 
 0000018862 00000 n 
@@ -13757,10 +13811,10 @@ xref
 0000018546 00000 n 
 0000026687 00000 n 
 0000026750 00000 n 
-0000781934 00000 n 
-0000755991 00000 n 
-0000781760 00000 n 
-0000782959 00000 n 
+0000783538 00000 n 
+0000757595 00000 n 
+0000783364 00000 n 
+0000784563 00000 n 
 0000021847 00000 n 
 0000022064 00000 n 
 0000022133 00000 n 
@@ -13781,12 +13835,12 @@ xref
 0000027992 00000 n 
 0000026913 00000 n 
 0000028114 00000 n 
-0000754770 00000 n 
-0000728249 00000 n 
-0000754596 00000 n 
-0000727564 00000 n 
-0000725420 00000 n 
-0000727400 00000 n 
+0000756374 00000 n 
+0000729853 00000 n 
+0000756200 00000 n 
+0000729168 00000 n 
+0000727024 00000 n 
+0000729004 00000 n 
 0000039881 00000 n 
 0000031232 00000 n 
 0000028262 00000 n 
@@ -13846,9 +13900,9 @@ xref
 0000043217 00000 n 
 0000039966 00000 n 
 0000053208 00000 n 
-0000724869 00000 n 
-0000707788 00000 n 
-0000724685 00000 n 
+0000726473 00000 n 
+0000709392 00000 n 
+0000726289 00000 n 
 0000043807 00000 n 
 0000043970 00000 n 
 0000044133 00000 n 
@@ -13946,9 +14000,9 @@ xref
 0000062911 00000 n 
 0000063078 00000 n 
 0000063244 00000 n 
-0000706899 00000 n 
-0000685568 00000 n 
-0000706725 00000 n 
+0000708503 00000 n 
+0000687172 00000 n 
+0000708329 00000 n 
 0000063410 00000 n 
 0000063576 00000 n 
 0000063731 00000 n 
@@ -13988,9 +14042,9 @@ xref
 0000070157 00000 n 
 0000070314 00000 n 
 0000070472 00000 n 
-0000684602 00000 n 
-0000664635 00000 n 
-0000684429 00000 n 
+0000686206 00000 n 
+0000666239 00000 n 
+0000686033 00000 n 
 0000070630 00000 n 
 0000070788 00000 n 
 0000070946 00000 n 
@@ -14004,10 +14058,10 @@ xref
 0000074154 00000 n 
 0000074217 00000 n 
 0000074280 00000 n 
-0000663841 00000 n 
-0000645522 00000 n 
-0000663668 00000 n 
-0000783077 00000 n 
+0000665445 00000 n 
+0000647128 00000 n 
+0000665272 00000 n 
+0000784681 00000 n 
 0000078914 00000 n 
 0000077734 00000 n 
 0000074467 00000 n 
@@ -14020,8 +14074,8 @@ xref
 0000077884 00000 n 
 0000078077 00000 n 
 0000078851 00000 n 
-0000365360 00000 n 
-0000425045 00000 n 
+0000366147 00000 n 
+0000425832 00000 n 
 0000083591 00000 n 
 0000082534 00000 n 
 0000079038 00000 n 
@@ -14051,7 +14105,7 @@ xref
 0000089272 00000 n 
 0000089425 00000 n 
 0000090217 00000 n 
-0000303287 00000 n 
+0000304056 00000 n 
 0000091359 00000 n 
 0000091041 00000 n 
 0000090368 00000 n 
@@ -14065,7 +14119,7 @@ xref
 0000093080 00000 n 
 0000093208 00000 n 
 0000093337 00000 n 
-0000783199 00000 n 
+0000784803 00000 n 
 0000095978 00000 n 
 0000095348 00000 n 
 0000093501 00000 n 
@@ -14074,29 +14128,29 @@ xref
 0000095848 00000 n 
 0000095913 00000 n 
 0000095495 00000 n 
-0000283816 00000 n 
+0000284585 00000 n 
 0000099571 00000 n 
 0000098866 00000 n 
 0000096090 00000 n 
 0000098992 00000 n 
 0000099121 00000 n 
 0000099248 00000 n 
-0000644839 00000 n 
-0000632777 00000 n 
-0000644660 00000 n 
+0000646445 00000 n 
+0000634383 00000 n 
+0000646266 00000 n 
 0000099506 00000 n 
 0000103690 00000 n 
 0000102964 00000 n 
 0000099697 00000 n 
 0000103625 00000 n 
-0000632204 00000 n 
-0000621218 00000 n 
-0000632025 00000 n 
+0000633810 00000 n 
+0000622826 00000 n 
+0000633631 00000 n 
 0000103129 00000 n 
 0000103283 00000 n 
 0000103454 00000 n 
 0000212759 00000 n 
-0000357920 00000 n 
+0000358707 00000 n 
 0000107860 00000 n 
 0000107461 00000 n 
 0000103856 00000 n 
@@ -14119,21 +14173,21 @@ xref
 0000116821 00000 n 
 0000116068 00000 n 
 0000116230 00000 n 
-0000620320 00000 n 
-0000610524 00000 n 
-0000620146 00000 n 
-0000609960 00000 n 
-0000600873 00000 n 
-0000609785 00000 n 
+0000621928 00000 n 
+0000612132 00000 n 
+0000621754 00000 n 
+0000611568 00000 n 
+0000602482 00000 n 
+0000611393 00000 n 
 0000116950 00000 n 
 0000116392 00000 n 
 0000117079 00000 n 
-0000783324 00000 n 
+0000784928 00000 n 
 0000115897 00000 n 
 0000115955 00000 n 
 0000116045 00000 n 
-0000225412 00000 n 
-0000261073 00000 n 
+0000225819 00000 n 
+0000261634 00000 n 
 0000121775 00000 n 
 0000120841 00000 n 
 0000117312 00000 n 
@@ -14143,7 +14197,7 @@ xref
 0000121163 00000 n 
 0000121583 00000 n 
 0000121711 00000 n 
-0000429073 00000 n 
+0000429860 00000 n 
 0000125434 00000 n 
 0000125054 00000 n 
 0000121927 00000 n 
@@ -14176,7 +14230,7 @@ xref
 0000135376 00000 n 
 0000135805 00000 n 
 0000135934 00000 n 
-0000783449 00000 n 
+0000785053 00000 n 
 0000139861 00000 n 
 0000139283 00000 n 
 0000136136 00000 n 
@@ -14198,14 +14252,14 @@ xref
 0000149173 00000 n 
 0000146256 00000 n 
 0000149481 00000 n 
-0000600598 00000 n 
-0000597238 00000 n 
-0000600419 00000 n 
+0000602207 00000 n 
+0000598848 00000 n 
+0000602028 00000 n 
 0000149610 00000 n 
 0000149320 00000 n 
 0000149739 00000 n 
 0000149868 00000 n 
-0000424787 00000 n 
+0000425574 00000 n 
 0000150704 00000 n 
 0000150513 00000 n 
 0000150115 00000 n 
@@ -14217,7 +14271,7 @@ xref
 0000153052 00000 n 
 0000153181 00000 n 
 0000153310 00000 n 
-0000783574 00000 n 
+0000785178 00000 n 
 0000153815 00000 n 
 0000153624 00000 n 
 0000153474 00000 n 
@@ -14262,7 +14316,7 @@ xref
 0000173540 00000 n 
 0000173605 00000 n 
 0000173731 00000 n 
-0000783699 00000 n 
+0000785303 00000 n 
 0000179107 00000 n 
 0000178319 00000 n 
 0000173908 00000 n 
@@ -14270,7 +14324,7 @@ xref
 0000178475 00000 n 
 0000178626 00000 n 
 0000179043 00000 n 
-0000575864 00000 n 
+0000577475 00000 n 
 0000182969 00000 n 
 0000181698 00000 n 
 0000179245 00000 n 
@@ -14304,7 +14358,7 @@ xref
 0000197424 00000 n 
 0000194172 00000 n 
 0000197550 00000 n 
-0000783824 00000 n 
+0000785428 00000 n 
 0000201192 00000 n 
 0000200742 00000 n 
 0000197727 00000 n 
@@ -14339,985 +14393,991 @@ xref
 0000212504 00000 n 
 0000210031 00000 n 
 0000212630 00000 n 
-0000783949 00000 n 
+0000785553 00000 n 
 0000217041 00000 n 
 0000216850 00000 n 
 0000212949 00000 n 
 0000216976 00000 n 
-0000221563 00000 n 
-0000221015 00000 n 
+0000221575 00000 n 
+0000221027 00000 n 
 0000217179 00000 n 
-0000221498 00000 n 
-0000221171 00000 n 
-0000221328 00000 n 
-0000394452 00000 n 
-0000225477 00000 n 
-0000225157 00000 n 
-0000221688 00000 n 
-0000225283 00000 n 
-0000229594 00000 n 
-0000229100 00000 n 
-0000225602 00000 n 
-0000229399 00000 n 
-0000229464 00000 n 
-0000229529 00000 n 
-0000229247 00000 n 
-0000234621 00000 n 
-0000233490 00000 n 
-0000229719 00000 n 
-0000234556 00000 n 
-0000233673 00000 n 
-0000233830 00000 n 
-0000234014 00000 n 
-0000234187 00000 n 
-0000234372 00000 n 
-0000311101 00000 n 
-0000239006 00000 n 
-0000238815 00000 n 
-0000234802 00000 n 
-0000238941 00000 n 
-0000784074 00000 n 
-0000242806 00000 n 
-0000242615 00000 n 
-0000239131 00000 n 
-0000242741 00000 n 
-0000246894 00000 n 
-0000246255 00000 n 
-0000242931 00000 n 
-0000246571 00000 n 
-0000246700 00000 n 
-0000246402 00000 n 
-0000246829 00000 n 
-0000326165 00000 n 
-0000250196 00000 n 
-0000249688 00000 n 
-0000247006 00000 n 
-0000250002 00000 n 
-0000250131 00000 n 
-0000249835 00000 n 
-0000254383 00000 n 
-0000253692 00000 n 
-0000250352 00000 n 
-0000254189 00000 n 
-0000253848 00000 n 
-0000254018 00000 n 
-0000254318 00000 n 
-0000412169 00000 n 
-0000258083 00000 n 
-0000257763 00000 n 
-0000254508 00000 n 
-0000257889 00000 n 
-0000258018 00000 n 
-0000261138 00000 n 
-0000260818 00000 n 
-0000258195 00000 n 
-0000260944 00000 n 
-0000784199 00000 n 
-0000264940 00000 n 
-0000264749 00000 n 
-0000261294 00000 n 
-0000264875 00000 n 
-0000268123 00000 n 
-0000267623 00000 n 
-0000265052 00000 n 
-0000267929 00000 n 
-0000268058 00000 n 
-0000267770 00000 n 
-0000272705 00000 n 
-0000271898 00000 n 
-0000268292 00000 n 
-0000272382 00000 n 
-0000272511 00000 n 
-0000272054 00000 n 
-0000272640 00000 n 
-0000272227 00000 n 
-0000276543 00000 n 
-0000276223 00000 n 
-0000272817 00000 n 
-0000276349 00000 n 
-0000276478 00000 n 
-0000281019 00000 n 
-0000280224 00000 n 
-0000276711 00000 n 
-0000280697 00000 n 
-0000280826 00000 n 
-0000280954 00000 n 
-0000280380 00000 n 
-0000280542 00000 n 
-0000284010 00000 n 
-0000283371 00000 n 
-0000281188 00000 n 
-0000283687 00000 n 
-0000283518 00000 n 
-0000283881 00000 n 
-0000283946 00000 n 
-0000784324 00000 n 
-0000287130 00000 n 
-0000286811 00000 n 
-0000284136 00000 n 
-0000286937 00000 n 
-0000287065 00000 n 
-0000291751 00000 n 
-0000291207 00000 n 
-0000287312 00000 n 
-0000291686 00000 n 
-0000291363 00000 n 
-0000291525 00000 n 
-0000390883 00000 n 
-0000296169 00000 n 
-0000295533 00000 n 
-0000291863 00000 n 
-0000295847 00000 n 
-0000596883 00000 n 
-0000594885 00000 n 
-0000596718 00000 n 
-0000295976 00000 n 
-0000295680 00000 n 
-0000296105 00000 n 
-0000323775 00000 n 
-0000299064 00000 n 
-0000298873 00000 n 
-0000296295 00000 n 
-0000298999 00000 n 
-0000303481 00000 n 
-0000303032 00000 n 
-0000299232 00000 n 
-0000303158 00000 n 
-0000303416 00000 n 
-0000307180 00000 n 
-0000306689 00000 n 
-0000303593 00000 n 
-0000306986 00000 n 
-0000306836 00000 n 
-0000307115 00000 n 
-0000784449 00000 n 
-0000311166 00000 n 
-0000310847 00000 n 
-0000307306 00000 n 
-0000310973 00000 n 
-0000315742 00000 n 
-0000314951 00000 n 
-0000311278 00000 n 
-0000315421 00000 n 
-0000315107 00000 n 
-0000315259 00000 n 
-0000315549 00000 n 
-0000315677 00000 n 
-0000319685 00000 n 
-0000318804 00000 n 
-0000315854 00000 n 
-0000319105 00000 n 
-0000319234 00000 n 
-0000319363 00000 n 
-0000318951 00000 n 
-0000319492 00000 n 
-0000319621 00000 n 
-0000323969 00000 n 
-0000323520 00000 n 
-0000319797 00000 n 
-0000323646 00000 n 
-0000323904 00000 n 
-0000326230 00000 n 
-0000325910 00000 n 
-0000324094 00000 n 
-0000326036 00000 n 
-0000327729 00000 n 
-0000327538 00000 n 
-0000326342 00000 n 
-0000327664 00000 n 
-0000784574 00000 n 
-0000329200 00000 n 
-0000329009 00000 n 
-0000327828 00000 n 
-0000329135 00000 n 
-0000332016 00000 n 
-0000331439 00000 n 
-0000329299 00000 n 
-0000331565 00000 n 
-0000331694 00000 n 
-0000331821 00000 n 
-0000331886 00000 n 
-0000331951 00000 n 
-0000336214 00000 n 
-0000335706 00000 n 
-0000332128 00000 n 
-0000336020 00000 n 
-0000335853 00000 n 
-0000336149 00000 n 
-0000575831 00000 n 
-0000342131 00000 n 
-0000339224 00000 n 
-0000336326 00000 n 
-0000341937 00000 n 
-0000342066 00000 n 
-0000339497 00000 n 
-0000339659 00000 n 
-0000339821 00000 n 
-0000339983 00000 n 
-0000340145 00000 n 
-0000340307 00000 n 
-0000340478 00000 n 
-0000340640 00000 n 
-0000340803 00000 n 
-0000340963 00000 n 
-0000341124 00000 n 
-0000341287 00000 n 
-0000341450 00000 n 
-0000341613 00000 n 
-0000341776 00000 n 
-0000347227 00000 n 
-0000345310 00000 n 
-0000342243 00000 n 
-0000347162 00000 n 
-0000345538 00000 n 
-0000345699 00000 n 
-0000345867 00000 n 
-0000346037 00000 n 
-0000346198 00000 n 
-0000346360 00000 n 
-0000346522 00000 n 
-0000346684 00000 n 
-0000346847 00000 n 
-0000347001 00000 n 
-0000353619 00000 n 
-0000350567 00000 n 
-0000347352 00000 n 
-0000353554 00000 n 
-0000350858 00000 n 
-0000351012 00000 n 
-0000351166 00000 n 
-0000351320 00000 n 
-0000351474 00000 n 
-0000351636 00000 n 
-0000351798 00000 n 
-0000351958 00000 n 
-0000352117 00000 n 
-0000352278 00000 n 
-0000352437 00000 n 
-0000352595 00000 n 
-0000352748 00000 n 
-0000352911 00000 n 
-0000353062 00000 n 
-0000353227 00000 n 
-0000353393 00000 n 
-0000784699 00000 n 
-0000490098 00000 n 
-0000502935 00000 n 
-0000358113 00000 n 
-0000357318 00000 n 
-0000353731 00000 n 
-0000357791 00000 n 
-0000357474 00000 n 
-0000357628 00000 n 
-0000357985 00000 n 
-0000358049 00000 n 
-0000361335 00000 n 
-0000361144 00000 n 
-0000358252 00000 n 
-0000361270 00000 n 
-0000365813 00000 n 
-0000364615 00000 n 
-0000361504 00000 n 
-0000365102 00000 n 
-0000365231 00000 n 
-0000365488 00000 n 
-0000364771 00000 n 
-0000364941 00000 n 
-0000365553 00000 n 
-0000365618 00000 n 
-0000365683 00000 n 
-0000365748 00000 n 
-0000369014 00000 n 
-0000368823 00000 n 
-0000365925 00000 n 
-0000368949 00000 n 
-0000373099 00000 n 
-0000372520 00000 n 
-0000369100 00000 n 
-0000372646 00000 n 
-0000372711 00000 n 
-0000372776 00000 n 
-0000372905 00000 n 
-0000372969 00000 n 
-0000373034 00000 n 
-0000377131 00000 n 
-0000376293 00000 n 
-0000373224 00000 n 
-0000376419 00000 n 
-0000376484 00000 n 
-0000376549 00000 n 
-0000376678 00000 n 
-0000376743 00000 n 
-0000376808 00000 n 
-0000376936 00000 n 
-0000377001 00000 n 
-0000377066 00000 n 
-0000784824 00000 n 
-0000380966 00000 n 
-0000380131 00000 n 
-0000377256 00000 n 
-0000380257 00000 n 
-0000380386 00000 n 
-0000380450 00000 n 
-0000380515 00000 n 
-0000380643 00000 n 
-0000380772 00000 n 
-0000380901 00000 n 
-0000383847 00000 n 
-0000383269 00000 n 
-0000381176 00000 n 
-0000383395 00000 n 
-0000383524 00000 n 
-0000383653 00000 n 
-0000383782 00000 n 
-0000387245 00000 n 
-0000386924 00000 n 
-0000384030 00000 n 
-0000387050 00000 n 
-0000387115 00000 n 
-0000387180 00000 n 
-0000391207 00000 n 
-0000390628 00000 n 
-0000387370 00000 n 
-0000390754 00000 n 
-0000391012 00000 n 
-0000391077 00000 n 
-0000391142 00000 n 
-0000394905 00000 n 
-0000394016 00000 n 
-0000391332 00000 n 
-0000394323 00000 n 
-0000394163 00000 n 
-0000394581 00000 n 
-0000394710 00000 n 
-0000394775 00000 n 
-0000394840 00000 n 
-0000398657 00000 n 
-0000398025 00000 n 
-0000395017 00000 n 
-0000398337 00000 n 
-0000398172 00000 n 
-0000398466 00000 n 
-0000398529 00000 n 
-0000398592 00000 n 
-0000784949 00000 n 
-0000575798 00000 n 
-0000402377 00000 n 
-0000401928 00000 n 
-0000398769 00000 n 
-0000402054 00000 n 
-0000402182 00000 n 
-0000402247 00000 n 
-0000402312 00000 n 
-0000405523 00000 n 
-0000404945 00000 n 
-0000402489 00000 n 
-0000405071 00000 n 
-0000405200 00000 n 
-0000405265 00000 n 
-0000405329 00000 n 
-0000594604 00000 n 
-0000587320 00000 n 
-0000594424 00000 n 
-0000405458 00000 n 
-0000406004 00000 n 
-0000405813 00000 n 
-0000405663 00000 n 
-0000405939 00000 n 
-0000407814 00000 n 
-0000407365 00000 n 
-0000406046 00000 n 
-0000407491 00000 n 
-0000407620 00000 n 
-0000407749 00000 n 
-0000412234 00000 n 
-0000411291 00000 n 
-0000407926 00000 n 
-0000411654 00000 n 
-0000586999 00000 n 
-0000577786 00000 n 
-0000586813 00000 n 
-0000411438 00000 n 
-0000411783 00000 n 
-0000411911 00000 n 
-0000412040 00000 n 
-0000413590 00000 n 
-0000413399 00000 n 
-0000412471 00000 n 
-0000413525 00000 n 
-0000785074 00000 n 
-0000414030 00000 n 
-0000413839 00000 n 
-0000413689 00000 n 
-0000413965 00000 n 
-0000417343 00000 n 
-0000416117 00000 n 
-0000414072 00000 n 
-0000416634 00000 n 
-0000416763 00000 n 
-0000416892 00000 n 
-0000417021 00000 n 
-0000417150 00000 n 
-0000417279 00000 n 
-0000416273 00000 n 
-0000416445 00000 n 
-0000417797 00000 n 
-0000417606 00000 n 
-0000417456 00000 n 
-0000417732 00000 n 
-0000421042 00000 n 
-0000420464 00000 n 
-0000417839 00000 n 
-0000420590 00000 n 
-0000420719 00000 n 
-0000420848 00000 n 
-0000420977 00000 n 
-0000425238 00000 n 
-0000424019 00000 n 
-0000421128 00000 n 
-0000424529 00000 n 
-0000424658 00000 n 
-0000424916 00000 n 
-0000424175 00000 n 
-0000424354 00000 n 
-0000425110 00000 n 
-0000425174 00000 n 
-0000432125 00000 n 
-0000428297 00000 n 
-0000425391 00000 n 
-0000428423 00000 n 
-0000428488 00000 n 
-0000428553 00000 n 
-0000428618 00000 n 
-0000428683 00000 n 
-0000428748 00000 n 
-0000428813 00000 n 
-0000428878 00000 n 
-0000428943 00000 n 
-0000429008 00000 n 
-0000429138 00000 n 
-0000429203 00000 n 
-0000429268 00000 n 
-0000429333 00000 n 
-0000429398 00000 n 
-0000429463 00000 n 
-0000429528 00000 n 
-0000429593 00000 n 
-0000429658 00000 n 
-0000429723 00000 n 
-0000429788 00000 n 
-0000429853 00000 n 
-0000429918 00000 n 
-0000429983 00000 n 
-0000430048 00000 n 
-0000430113 00000 n 
-0000430178 00000 n 
-0000430243 00000 n 
-0000430308 00000 n 
-0000430373 00000 n 
-0000430438 00000 n 
-0000430503 00000 n 
-0000430568 00000 n 
-0000430633 00000 n 
-0000430697 00000 n 
-0000430762 00000 n 
-0000430827 00000 n 
-0000430892 00000 n 
-0000430957 00000 n 
-0000431022 00000 n 
-0000431087 00000 n 
-0000431152 00000 n 
-0000431217 00000 n 
-0000431282 00000 n 
-0000431347 00000 n 
-0000431412 00000 n 
-0000431477 00000 n 
-0000431542 00000 n 
-0000431607 00000 n 
-0000431672 00000 n 
-0000431737 00000 n 
-0000431802 00000 n 
-0000431867 00000 n 
-0000431932 00000 n 
-0000431997 00000 n 
-0000432061 00000 n 
-0000785199 00000 n 
-0000438771 00000 n 
-0000435207 00000 n 
-0000432237 00000 n 
-0000435333 00000 n 
-0000435398 00000 n 
-0000435463 00000 n 
-0000435528 00000 n 
-0000435593 00000 n 
-0000435658 00000 n 
-0000435723 00000 n 
-0000435788 00000 n 
-0000435853 00000 n 
-0000435918 00000 n 
-0000435983 00000 n 
-0000436048 00000 n 
-0000436112 00000 n 
-0000436177 00000 n 
-0000436242 00000 n 
-0000436307 00000 n 
-0000436372 00000 n 
-0000436437 00000 n 
-0000436502 00000 n 
-0000436567 00000 n 
-0000436632 00000 n 
-0000436697 00000 n 
-0000436762 00000 n 
-0000436827 00000 n 
-0000436891 00000 n 
-0000436956 00000 n 
-0000437021 00000 n 
-0000437086 00000 n 
-0000437151 00000 n 
-0000437216 00000 n 
-0000437281 00000 n 
-0000437346 00000 n 
-0000437411 00000 n 
-0000437476 00000 n 
-0000437541 00000 n 
-0000437606 00000 n 
-0000437671 00000 n 
-0000437736 00000 n 
-0000437801 00000 n 
-0000437866 00000 n 
-0000437930 00000 n 
-0000437994 00000 n 
-0000438058 00000 n 
-0000438123 00000 n 
-0000438188 00000 n 
-0000438253 00000 n 
-0000438318 00000 n 
-0000438383 00000 n 
-0000438448 00000 n 
-0000438513 00000 n 
-0000438578 00000 n 
-0000438643 00000 n 
-0000438707 00000 n 
-0000444944 00000 n 
-0000441506 00000 n 
-0000438883 00000 n 
-0000441632 00000 n 
-0000441697 00000 n 
-0000441762 00000 n 
-0000441827 00000 n 
-0000441892 00000 n 
-0000441957 00000 n 
-0000442022 00000 n 
-0000442087 00000 n 
-0000442152 00000 n 
-0000442217 00000 n 
-0000442282 00000 n 
-0000442347 00000 n 
-0000442412 00000 n 
-0000442477 00000 n 
-0000442542 00000 n 
-0000442607 00000 n 
-0000442672 00000 n 
-0000442737 00000 n 
-0000442802 00000 n 
-0000442867 00000 n 
-0000442932 00000 n 
-0000442997 00000 n 
-0000443062 00000 n 
-0000443127 00000 n 
-0000443192 00000 n 
-0000443257 00000 n 
-0000443322 00000 n 
-0000443387 00000 n 
-0000443452 00000 n 
-0000443517 00000 n 
-0000443582 00000 n 
-0000443647 00000 n 
-0000443712 00000 n 
-0000443777 00000 n 
-0000443841 00000 n 
-0000443906 00000 n 
-0000443971 00000 n 
-0000444036 00000 n 
-0000444101 00000 n 
-0000444166 00000 n 
-0000444231 00000 n 
-0000444296 00000 n 
-0000444361 00000 n 
-0000444426 00000 n 
-0000444491 00000 n 
-0000444556 00000 n 
-0000444621 00000 n 
-0000444686 00000 n 
-0000444751 00000 n 
-0000444816 00000 n 
-0000444880 00000 n 
-0000449522 00000 n 
-0000447258 00000 n 
-0000445056 00000 n 
-0000447384 00000 n 
-0000447449 00000 n 
-0000447514 00000 n 
-0000447579 00000 n 
-0000447644 00000 n 
-0000447709 00000 n 
-0000447774 00000 n 
-0000447839 00000 n 
-0000447904 00000 n 
-0000447969 00000 n 
-0000448034 00000 n 
-0000448099 00000 n 
-0000448164 00000 n 
-0000448229 00000 n 
-0000448291 00000 n 
-0000448355 00000 n 
-0000448420 00000 n 
-0000448484 00000 n 
-0000448549 00000 n 
-0000448614 00000 n 
-0000448679 00000 n 
-0000448744 00000 n 
-0000448809 00000 n 
-0000448874 00000 n 
-0000448939 00000 n 
-0000449068 00000 n 
-0000449197 00000 n 
-0000449262 00000 n 
-0000449327 00000 n 
-0000449392 00000 n 
-0000449457 00000 n 
-0000452317 00000 n 
-0000451673 00000 n 
-0000449647 00000 n 
-0000451799 00000 n 
-0000451928 00000 n 
-0000452057 00000 n 
-0000452122 00000 n 
-0000452187 00000 n 
-0000452252 00000 n 
-0000456655 00000 n 
-0000456335 00000 n 
-0000452430 00000 n 
-0000456461 00000 n 
-0000456526 00000 n 
-0000456591 00000 n 
-0000460255 00000 n 
-0000460000 00000 n 
-0000456808 00000 n 
-0000460126 00000 n 
-0000460191 00000 n 
-0000785324 00000 n 
-0000463503 00000 n 
-0000463312 00000 n 
-0000460394 00000 n 
-0000463438 00000 n 
-0000467231 00000 n 
-0000466975 00000 n 
-0000463629 00000 n 
-0000467101 00000 n 
-0000467166 00000 n 
-0000470072 00000 n 
-0000469364 00000 n 
-0000467370 00000 n 
-0000469490 00000 n 
-0000469555 00000 n 
-0000469620 00000 n 
-0000469685 00000 n 
-0000469750 00000 n 
-0000469879 00000 n 
-0000469944 00000 n 
-0000470008 00000 n 
-0000474740 00000 n 
-0000474484 00000 n 
-0000470211 00000 n 
-0000474610 00000 n 
-0000474675 00000 n 
-0000477736 00000 n 
-0000476963 00000 n 
-0000474866 00000 n 
-0000477089 00000 n 
-0000477154 00000 n 
-0000477219 00000 n 
-0000477284 00000 n 
-0000477413 00000 n 
-0000477478 00000 n 
-0000477541 00000 n 
-0000477606 00000 n 
-0000477671 00000 n 
-0000480645 00000 n 
-0000480130 00000 n 
-0000477889 00000 n 
-0000480256 00000 n 
-0000480321 00000 n 
-0000480386 00000 n 
-0000480451 00000 n 
-0000480516 00000 n 
-0000480581 00000 n 
-0000785449 00000 n 
-0000484060 00000 n 
-0000483480 00000 n 
-0000480797 00000 n 
-0000483606 00000 n 
-0000483735 00000 n 
-0000483800 00000 n 
-0000483865 00000 n 
-0000483930 00000 n 
-0000483995 00000 n 
-0000487363 00000 n 
-0000487107 00000 n 
-0000484200 00000 n 
-0000487233 00000 n 
-0000487298 00000 n 
-0000490358 00000 n 
-0000489648 00000 n 
-0000487489 00000 n 
-0000489774 00000 n 
-0000489839 00000 n 
-0000489904 00000 n 
-0000489969 00000 n 
-0000490163 00000 n 
-0000490228 00000 n 
-0000490293 00000 n 
-0000493880 00000 n 
-0000493624 00000 n 
-0000490510 00000 n 
-0000493750 00000 n 
-0000493815 00000 n 
-0000497471 00000 n 
-0000497215 00000 n 
-0000494006 00000 n 
-0000497341 00000 n 
-0000497406 00000 n 
-0000500492 00000 n 
-0000499849 00000 n 
-0000497597 00000 n 
-0000499975 00000 n 
-0000500040 00000 n 
-0000500105 00000 n 
-0000500170 00000 n 
-0000500235 00000 n 
-0000500363 00000 n 
-0000500428 00000 n 
-0000785574 00000 n 
-0000503129 00000 n 
-0000502355 00000 n 
-0000500657 00000 n 
-0000502481 00000 n 
-0000502546 00000 n 
-0000502611 00000 n 
-0000502676 00000 n 
-0000502741 00000 n 
-0000502806 00000 n 
-0000503000 00000 n 
-0000503064 00000 n 
-0000506608 00000 n 
-0000506222 00000 n 
-0000503282 00000 n 
-0000506348 00000 n 
-0000506413 00000 n 
-0000506478 00000 n 
-0000506543 00000 n 
-0000509849 00000 n 
-0000509074 00000 n 
-0000506734 00000 n 
-0000509200 00000 n 
-0000509265 00000 n 
-0000509330 00000 n 
-0000509395 00000 n 
-0000509524 00000 n 
-0000509589 00000 n 
-0000509654 00000 n 
-0000509719 00000 n 
-0000509784 00000 n 
-0000513742 00000 n 
-0000513551 00000 n 
-0000510002 00000 n 
-0000513677 00000 n 
-0000517176 00000 n 
-0000516985 00000 n 
-0000513868 00000 n 
-0000517111 00000 n 
-0000520803 00000 n 
-0000520547 00000 n 
-0000517302 00000 n 
-0000520673 00000 n 
-0000520738 00000 n 
-0000785699 00000 n 
-0000523271 00000 n 
-0000522563 00000 n 
-0000520956 00000 n 
-0000522689 00000 n 
-0000522754 00000 n 
-0000522819 00000 n 
-0000522946 00000 n 
-0000523011 00000 n 
-0000523076 00000 n 
-0000523141 00000 n 
-0000523206 00000 n 
-0000526165 00000 n 
-0000525456 00000 n 
-0000523424 00000 n 
-0000525582 00000 n 
-0000525647 00000 n 
-0000525712 00000 n 
-0000525777 00000 n 
-0000525906 00000 n 
-0000525971 00000 n 
-0000526035 00000 n 
-0000526100 00000 n 
-0000529337 00000 n 
-0000529081 00000 n 
-0000526304 00000 n 
-0000529207 00000 n 
-0000529272 00000 n 
-0000532212 00000 n 
-0000531633 00000 n 
-0000529463 00000 n 
-0000531759 00000 n 
-0000531824 00000 n 
-0000531889 00000 n 
-0000531954 00000 n 
-0000532083 00000 n 
-0000532148 00000 n 
-0000535632 00000 n 
-0000535246 00000 n 
-0000532351 00000 n 
-0000535372 00000 n 
-0000535437 00000 n 
-0000535502 00000 n 
-0000535567 00000 n 
-0000538728 00000 n 
-0000538537 00000 n 
-0000535772 00000 n 
-0000538663 00000 n 
-0000785824 00000 n 
-0000541536 00000 n 
-0000540829 00000 n 
-0000538939 00000 n 
-0000540955 00000 n 
-0000541020 00000 n 
-0000541084 00000 n 
-0000541149 00000 n 
-0000541214 00000 n 
-0000541279 00000 n 
-0000541408 00000 n 
-0000541472 00000 n 
-0000545932 00000 n 
-0000545611 00000 n 
-0000541717 00000 n 
-0000545737 00000 n 
-0000545802 00000 n 
-0000545867 00000 n 
-0000549673 00000 n 
-0000549417 00000 n 
-0000546058 00000 n 
-0000549543 00000 n 
-0000549608 00000 n 
-0000552852 00000 n 
-0000552596 00000 n 
-0000549799 00000 n 
-0000552722 00000 n 
-0000552787 00000 n 
-0000555843 00000 n 
-0000555133 00000 n 
-0000552978 00000 n 
-0000555259 00000 n 
-0000555324 00000 n 
-0000555389 00000 n 
-0000555454 00000 n 
-0000555583 00000 n 
-0000555648 00000 n 
-0000555713 00000 n 
-0000555778 00000 n 
-0000559574 00000 n 
-0000559124 00000 n 
-0000555995 00000 n 
-0000559250 00000 n 
-0000559315 00000 n 
-0000559380 00000 n 
-0000559445 00000 n 
-0000559510 00000 n 
-0000785949 00000 n 
-0000563317 00000 n 
-0000562738 00000 n 
-0000559727 00000 n 
-0000562864 00000 n 
-0000562993 00000 n 
-0000563058 00000 n 
-0000563123 00000 n 
-0000563188 00000 n 
-0000563253 00000 n 
-0000565586 00000 n 
-0000565266 00000 n 
-0000563456 00000 n 
-0000565392 00000 n 
-0000565457 00000 n 
-0000565522 00000 n 
-0000568972 00000 n 
-0000568330 00000 n 
-0000565738 00000 n 
-0000568456 00000 n 
-0000568521 00000 n 
-0000568650 00000 n 
-0000568715 00000 n 
-0000568779 00000 n 
-0000568843 00000 n 
-0000568908 00000 n 
-0000571923 00000 n 
-0000571279 00000 n 
-0000569112 00000 n 
-0000571405 00000 n 
-0000571470 00000 n 
-0000571535 00000 n 
-0000571600 00000 n 
-0000571729 00000 n 
-0000571794 00000 n 
-0000571859 00000 n 
-0000575645 00000 n 
-0000575194 00000 n 
-0000572089 00000 n 
-0000575320 00000 n 
-0000575385 00000 n 
-0000575450 00000 n 
-0000575515 00000 n 
-0000575580 00000 n 
-0000575897 00000 n 
-0000587241 00000 n 
-0000594830 00000 n 
-0000597130 00000 n 
-0000597099 00000 n 
-0000600818 00000 n 
-0000610259 00000 n 
-0000620766 00000 n 
-0000632510 00000 n 
-0000645227 00000 n 
-0000664296 00000 n 
-0000685183 00000 n 
-0000707326 00000 n 
-0000725221 00000 n 
-0000728051 00000 n 
-0000727821 00000 n 
-0000755358 00000 n 
-0000782469 00000 n 
-0000786074 00000 n 
-0000786198 00000 n 
-0000786324 00000 n 
-0000786450 00000 n 
-0000786576 00000 n 
-0000786656 00000 n 
-0000786757 00000 n 
-0000803930 00000 n 
-0000824312 00000 n 
-0000824353 00000 n 
-0000824393 00000 n 
-0000824527 00000 n 
+0000221510 00000 n 
+0000221183 00000 n 
+0000221340 00000 n 
+0000395239 00000 n 
+0000225884 00000 n 
+0000225390 00000 n 
+0000221700 00000 n 
+0000225690 00000 n 
+0000598493 00000 n 
+0000596496 00000 n 
+0000598328 00000 n 
+0000225537 00000 n 
+0000229789 00000 n 
+0000229469 00000 n 
+0000226023 00000 n 
+0000229595 00000 n 
+0000229660 00000 n 
+0000229725 00000 n 
+0000234924 00000 n 
+0000233629 00000 n 
+0000229914 00000 n 
+0000234859 00000 n 
+0000233821 00000 n 
+0000233975 00000 n 
+0000234132 00000 n 
+0000234317 00000 n 
+0000234491 00000 n 
+0000234676 00000 n 
+0000311870 00000 n 
+0000239346 00000 n 
+0000239155 00000 n 
+0000235092 00000 n 
+0000239281 00000 n 
+0000785678 00000 n 
+0000243260 00000 n 
+0000243069 00000 n 
+0000239484 00000 n 
+0000243195 00000 n 
+0000247298 00000 n 
+0000246660 00000 n 
+0000243372 00000 n 
+0000246976 00000 n 
+0000247105 00000 n 
+0000246807 00000 n 
+0000247234 00000 n 
+0000326952 00000 n 
+0000250819 00000 n 
+0000250311 00000 n 
+0000247410 00000 n 
+0000250625 00000 n 
+0000250754 00000 n 
+0000250458 00000 n 
+0000255037 00000 n 
+0000254347 00000 n 
+0000250975 00000 n 
+0000254844 00000 n 
+0000254503 00000 n 
+0000254673 00000 n 
+0000254973 00000 n 
+0000412956 00000 n 
+0000258720 00000 n 
+0000258400 00000 n 
+0000255162 00000 n 
+0000258526 00000 n 
+0000258655 00000 n 
+0000261699 00000 n 
+0000261379 00000 n 
+0000258832 00000 n 
+0000261505 00000 n 
+0000785803 00000 n 
+0000265700 00000 n 
+0000265509 00000 n 
+0000261868 00000 n 
+0000265635 00000 n 
+0000268892 00000 n 
+0000268392 00000 n 
+0000265812 00000 n 
+0000268698 00000 n 
+0000268827 00000 n 
+0000268539 00000 n 
+0000273474 00000 n 
+0000272667 00000 n 
+0000269061 00000 n 
+0000273151 00000 n 
+0000273280 00000 n 
+0000272823 00000 n 
+0000273409 00000 n 
+0000272996 00000 n 
+0000277312 00000 n 
+0000276992 00000 n 
+0000273586 00000 n 
+0000277118 00000 n 
+0000277247 00000 n 
+0000281788 00000 n 
+0000280993 00000 n 
+0000277480 00000 n 
+0000281466 00000 n 
+0000281595 00000 n 
+0000281723 00000 n 
+0000281149 00000 n 
+0000281311 00000 n 
+0000284779 00000 n 
+0000284140 00000 n 
+0000281957 00000 n 
+0000284456 00000 n 
+0000284287 00000 n 
+0000284650 00000 n 
+0000284715 00000 n 
+0000785928 00000 n 
+0000287899 00000 n 
+0000287580 00000 n 
+0000284905 00000 n 
+0000287706 00000 n 
+0000287834 00000 n 
+0000292520 00000 n 
+0000291976 00000 n 
+0000288081 00000 n 
+0000292455 00000 n 
+0000292132 00000 n 
+0000292294 00000 n 
+0000391670 00000 n 
+0000296938 00000 n 
+0000296302 00000 n 
+0000292632 00000 n 
+0000296616 00000 n 
+0000296745 00000 n 
+0000296449 00000 n 
+0000296874 00000 n 
+0000324549 00000 n 
+0000299833 00000 n 
+0000299642 00000 n 
+0000297064 00000 n 
+0000299768 00000 n 
+0000304250 00000 n 
+0000303801 00000 n 
+0000300001 00000 n 
+0000303927 00000 n 
+0000304185 00000 n 
+0000307949 00000 n 
+0000307458 00000 n 
+0000304362 00000 n 
+0000307755 00000 n 
+0000307605 00000 n 
+0000307884 00000 n 
+0000786053 00000 n 
+0000311935 00000 n 
+0000311616 00000 n 
+0000308075 00000 n 
+0000311742 00000 n 
+0000316511 00000 n 
+0000315720 00000 n 
+0000312047 00000 n 
+0000316190 00000 n 
+0000315876 00000 n 
+0000316028 00000 n 
+0000316318 00000 n 
+0000316446 00000 n 
+0000320454 00000 n 
+0000319573 00000 n 
+0000316623 00000 n 
+0000319874 00000 n 
+0000320003 00000 n 
+0000320132 00000 n 
+0000319720 00000 n 
+0000320261 00000 n 
+0000320390 00000 n 
+0000324743 00000 n 
+0000324294 00000 n 
+0000320566 00000 n 
+0000324420 00000 n 
+0000324678 00000 n 
+0000327017 00000 n 
+0000326697 00000 n 
+0000324881 00000 n 
+0000326823 00000 n 
+0000328516 00000 n 
+0000328325 00000 n 
+0000327129 00000 n 
+0000328451 00000 n 
+0000786178 00000 n 
+0000329987 00000 n 
+0000329796 00000 n 
+0000328615 00000 n 
+0000329922 00000 n 
+0000332803 00000 n 
+0000332226 00000 n 
+0000330086 00000 n 
+0000332352 00000 n 
+0000332481 00000 n 
+0000332608 00000 n 
+0000332673 00000 n 
+0000332738 00000 n 
+0000337001 00000 n 
+0000336493 00000 n 
+0000332915 00000 n 
+0000336807 00000 n 
+0000336640 00000 n 
+0000336936 00000 n 
+0000577442 00000 n 
+0000342918 00000 n 
+0000340011 00000 n 
+0000337113 00000 n 
+0000342724 00000 n 
+0000342853 00000 n 
+0000340284 00000 n 
+0000340446 00000 n 
+0000340608 00000 n 
+0000340770 00000 n 
+0000340932 00000 n 
+0000341094 00000 n 
+0000341265 00000 n 
+0000341427 00000 n 
+0000341590 00000 n 
+0000341750 00000 n 
+0000341911 00000 n 
+0000342074 00000 n 
+0000342237 00000 n 
+0000342400 00000 n 
+0000342563 00000 n 
+0000348014 00000 n 
+0000346097 00000 n 
+0000343030 00000 n 
+0000347949 00000 n 
+0000346325 00000 n 
+0000346486 00000 n 
+0000346654 00000 n 
+0000346824 00000 n 
+0000346985 00000 n 
+0000347147 00000 n 
+0000347309 00000 n 
+0000347471 00000 n 
+0000347634 00000 n 
+0000347788 00000 n 
+0000354406 00000 n 
+0000351354 00000 n 
+0000348139 00000 n 
+0000354341 00000 n 
+0000351645 00000 n 
+0000351799 00000 n 
+0000351953 00000 n 
+0000352107 00000 n 
+0000352261 00000 n 
+0000352423 00000 n 
+0000352585 00000 n 
+0000352745 00000 n 
+0000352904 00000 n 
+0000353065 00000 n 
+0000353224 00000 n 
+0000353382 00000 n 
+0000353535 00000 n 
+0000353698 00000 n 
+0000353849 00000 n 
+0000354014 00000 n 
+0000354180 00000 n 
+0000786303 00000 n 
+0000490885 00000 n 
+0000503722 00000 n 
+0000358900 00000 n 
+0000358105 00000 n 
+0000354518 00000 n 
+0000358578 00000 n 
+0000358261 00000 n 
+0000358415 00000 n 
+0000358772 00000 n 
+0000358836 00000 n 
+0000362122 00000 n 
+0000361931 00000 n 
+0000359039 00000 n 
+0000362057 00000 n 
+0000366600 00000 n 
+0000365402 00000 n 
+0000362291 00000 n 
+0000365889 00000 n 
+0000366018 00000 n 
+0000366275 00000 n 
+0000365558 00000 n 
+0000365728 00000 n 
+0000366340 00000 n 
+0000366405 00000 n 
+0000366470 00000 n 
+0000366535 00000 n 
+0000369801 00000 n 
+0000369610 00000 n 
+0000366712 00000 n 
+0000369736 00000 n 
+0000373886 00000 n 
+0000373307 00000 n 
+0000369887 00000 n 
+0000373433 00000 n 
+0000373498 00000 n 
+0000373563 00000 n 
+0000373692 00000 n 
+0000373756 00000 n 
+0000373821 00000 n 
+0000377918 00000 n 
+0000377080 00000 n 
+0000374011 00000 n 
+0000377206 00000 n 
+0000377271 00000 n 
+0000377336 00000 n 
+0000377465 00000 n 
+0000377530 00000 n 
+0000377595 00000 n 
+0000377723 00000 n 
+0000377788 00000 n 
+0000377853 00000 n 
+0000786428 00000 n 
+0000381753 00000 n 
+0000380918 00000 n 
+0000378043 00000 n 
+0000381044 00000 n 
+0000381173 00000 n 
+0000381237 00000 n 
+0000381302 00000 n 
+0000381430 00000 n 
+0000381559 00000 n 
+0000381688 00000 n 
+0000384634 00000 n 
+0000384056 00000 n 
+0000381963 00000 n 
+0000384182 00000 n 
+0000384311 00000 n 
+0000384440 00000 n 
+0000384569 00000 n 
+0000388032 00000 n 
+0000387711 00000 n 
+0000384817 00000 n 
+0000387837 00000 n 
+0000387902 00000 n 
+0000387967 00000 n 
+0000391994 00000 n 
+0000391415 00000 n 
+0000388157 00000 n 
+0000391541 00000 n 
+0000391799 00000 n 
+0000391864 00000 n 
+0000391929 00000 n 
+0000395692 00000 n 
+0000394803 00000 n 
+0000392119 00000 n 
+0000395110 00000 n 
+0000394950 00000 n 
+0000395368 00000 n 
+0000395497 00000 n 
+0000395562 00000 n 
+0000395627 00000 n 
+0000399444 00000 n 
+0000398812 00000 n 
+0000395804 00000 n 
+0000399124 00000 n 
+0000398959 00000 n 
+0000399253 00000 n 
+0000399316 00000 n 
+0000399379 00000 n 
+0000786553 00000 n 
+0000577409 00000 n 
+0000403164 00000 n 
+0000402715 00000 n 
+0000399556 00000 n 
+0000402841 00000 n 
+0000402969 00000 n 
+0000403034 00000 n 
+0000403099 00000 n 
+0000406310 00000 n 
+0000405732 00000 n 
+0000403276 00000 n 
+0000405858 00000 n 
+0000405987 00000 n 
+0000406052 00000 n 
+0000406116 00000 n 
+0000596215 00000 n 
+0000588931 00000 n 
+0000596035 00000 n 
+0000406245 00000 n 
+0000406791 00000 n 
+0000406600 00000 n 
+0000406450 00000 n 
+0000406726 00000 n 
+0000408601 00000 n 
+0000408152 00000 n 
+0000406833 00000 n 
+0000408278 00000 n 
+0000408407 00000 n 
+0000408536 00000 n 
+0000413021 00000 n 
+0000412078 00000 n 
+0000408713 00000 n 
+0000412441 00000 n 
+0000588610 00000 n 
+0000579397 00000 n 
+0000588424 00000 n 
+0000412225 00000 n 
+0000412570 00000 n 
+0000412698 00000 n 
+0000412827 00000 n 
+0000414377 00000 n 
+0000414186 00000 n 
+0000413258 00000 n 
+0000414312 00000 n 
+0000786678 00000 n 
+0000414817 00000 n 
+0000414626 00000 n 
+0000414476 00000 n 
+0000414752 00000 n 
+0000418130 00000 n 
+0000416904 00000 n 
+0000414859 00000 n 
+0000417421 00000 n 
+0000417550 00000 n 
+0000417679 00000 n 
+0000417808 00000 n 
+0000417937 00000 n 
+0000418066 00000 n 
+0000417060 00000 n 
+0000417232 00000 n 
+0000418584 00000 n 
+0000418393 00000 n 
+0000418243 00000 n 
+0000418519 00000 n 
+0000421829 00000 n 
+0000421251 00000 n 
+0000418626 00000 n 
+0000421377 00000 n 
+0000421506 00000 n 
+0000421635 00000 n 
+0000421764 00000 n 
+0000426025 00000 n 
+0000424806 00000 n 
+0000421915 00000 n 
+0000425316 00000 n 
+0000425445 00000 n 
+0000425703 00000 n 
+0000424962 00000 n 
+0000425141 00000 n 
+0000425897 00000 n 
+0000425961 00000 n 
+0000432912 00000 n 
+0000429084 00000 n 
+0000426178 00000 n 
+0000429210 00000 n 
+0000429275 00000 n 
+0000429340 00000 n 
+0000429405 00000 n 
+0000429470 00000 n 
+0000429535 00000 n 
+0000429600 00000 n 
+0000429665 00000 n 
+0000429730 00000 n 
+0000429795 00000 n 
+0000429925 00000 n 
+0000429990 00000 n 
+0000430055 00000 n 
+0000430120 00000 n 
+0000430185 00000 n 
+0000430250 00000 n 
+0000430315 00000 n 
+0000430380 00000 n 
+0000430445 00000 n 
+0000430510 00000 n 
+0000430575 00000 n 
+0000430640 00000 n 
+0000430705 00000 n 
+0000430770 00000 n 
+0000430835 00000 n 
+0000430900 00000 n 
+0000430965 00000 n 
+0000431030 00000 n 
+0000431095 00000 n 
+0000431160 00000 n 
+0000431225 00000 n 
+0000431290 00000 n 
+0000431355 00000 n 
+0000431420 00000 n 
+0000431484 00000 n 
+0000431549 00000 n 
+0000431614 00000 n 
+0000431679 00000 n 
+0000431744 00000 n 
+0000431809 00000 n 
+0000431874 00000 n 
+0000431939 00000 n 
+0000432004 00000 n 
+0000432069 00000 n 
+0000432134 00000 n 
+0000432199 00000 n 
+0000432264 00000 n 
+0000432329 00000 n 
+0000432394 00000 n 
+0000432459 00000 n 
+0000432524 00000 n 
+0000432589 00000 n 
+0000432654 00000 n 
+0000432719 00000 n 
+0000432784 00000 n 
+0000432848 00000 n 
+0000786803 00000 n 
+0000439558 00000 n 
+0000435994 00000 n 
+0000433024 00000 n 
+0000436120 00000 n 
+0000436185 00000 n 
+0000436250 00000 n 
+0000436315 00000 n 
+0000436380 00000 n 
+0000436445 00000 n 
+0000436510 00000 n 
+0000436575 00000 n 
+0000436640 00000 n 
+0000436705 00000 n 
+0000436770 00000 n 
+0000436835 00000 n 
+0000436899 00000 n 
+0000436964 00000 n 
+0000437029 00000 n 
+0000437094 00000 n 
+0000437159 00000 n 
+0000437224 00000 n 
+0000437289 00000 n 
+0000437354 00000 n 
+0000437419 00000 n 
+0000437484 00000 n 
+0000437549 00000 n 
+0000437614 00000 n 
+0000437678 00000 n 
+0000437743 00000 n 
+0000437808 00000 n 
+0000437873 00000 n 
+0000437938 00000 n 
+0000438003 00000 n 
+0000438068 00000 n 
+0000438133 00000 n 
+0000438198 00000 n 
+0000438263 00000 n 
+0000438328 00000 n 
+0000438393 00000 n 
+0000438458 00000 n 
+0000438523 00000 n 
+0000438588 00000 n 
+0000438653 00000 n 
+0000438717 00000 n 
+0000438781 00000 n 
+0000438845 00000 n 
+0000438910 00000 n 
+0000438975 00000 n 
+0000439040 00000 n 
+0000439105 00000 n 
+0000439170 00000 n 
+0000439235 00000 n 
+0000439300 00000 n 
+0000439365 00000 n 
+0000439430 00000 n 
+0000439494 00000 n 
+0000445731 00000 n 
+0000442293 00000 n 
+0000439670 00000 n 
+0000442419 00000 n 
+0000442484 00000 n 
+0000442549 00000 n 
+0000442614 00000 n 
+0000442679 00000 n 
+0000442744 00000 n 
+0000442809 00000 n 
+0000442874 00000 n 
+0000442939 00000 n 
+0000443004 00000 n 
+0000443069 00000 n 
+0000443134 00000 n 
+0000443199 00000 n 
+0000443264 00000 n 
+0000443329 00000 n 
+0000443394 00000 n 
+0000443459 00000 n 
+0000443524 00000 n 
+0000443589 00000 n 
+0000443654 00000 n 
+0000443719 00000 n 
+0000443784 00000 n 
+0000443849 00000 n 
+0000443914 00000 n 
+0000443979 00000 n 
+0000444044 00000 n 
+0000444109 00000 n 
+0000444174 00000 n 
+0000444239 00000 n 
+0000444304 00000 n 
+0000444369 00000 n 
+0000444434 00000 n 
+0000444499 00000 n 
+0000444564 00000 n 
+0000444628 00000 n 
+0000444693 00000 n 
+0000444758 00000 n 
+0000444823 00000 n 
+0000444888 00000 n 
+0000444953 00000 n 
+0000445018 00000 n 
+0000445083 00000 n 
+0000445148 00000 n 
+0000445213 00000 n 
+0000445278 00000 n 
+0000445343 00000 n 
+0000445408 00000 n 
+0000445473 00000 n 
+0000445538 00000 n 
+0000445603 00000 n 
+0000445667 00000 n 
+0000450309 00000 n 
+0000448045 00000 n 
+0000445843 00000 n 
+0000448171 00000 n 
+0000448236 00000 n 
+0000448301 00000 n 
+0000448366 00000 n 
+0000448431 00000 n 
+0000448496 00000 n 
+0000448561 00000 n 
+0000448626 00000 n 
+0000448691 00000 n 
+0000448756 00000 n 
+0000448821 00000 n 
+0000448886 00000 n 
+0000448951 00000 n 
+0000449016 00000 n 
+0000449078 00000 n 
+0000449142 00000 n 
+0000449207 00000 n 
+0000449271 00000 n 
+0000449336 00000 n 
+0000449401 00000 n 
+0000449466 00000 n 
+0000449531 00000 n 
+0000449596 00000 n 
+0000449661 00000 n 
+0000449726 00000 n 
+0000449855 00000 n 
+0000449984 00000 n 
+0000450049 00000 n 
+0000450114 00000 n 
+0000450179 00000 n 
+0000450244 00000 n 
+0000453104 00000 n 
+0000452460 00000 n 
+0000450434 00000 n 
+0000452586 00000 n 
+0000452715 00000 n 
+0000452844 00000 n 
+0000452909 00000 n 
+0000452974 00000 n 
+0000453039 00000 n 
+0000457442 00000 n 
+0000457122 00000 n 
+0000453217 00000 n 
+0000457248 00000 n 
+0000457313 00000 n 
+0000457378 00000 n 
+0000461042 00000 n 
+0000460787 00000 n 
+0000457595 00000 n 
+0000460913 00000 n 
+0000460978 00000 n 
+0000786928 00000 n 
+0000464290 00000 n 
+0000464099 00000 n 
+0000461181 00000 n 
+0000464225 00000 n 
+0000468018 00000 n 
+0000467762 00000 n 
+0000464416 00000 n 
+0000467888 00000 n 
+0000467953 00000 n 
+0000470859 00000 n 
+0000470151 00000 n 
+0000468157 00000 n 
+0000470277 00000 n 
+0000470342 00000 n 
+0000470407 00000 n 
+0000470472 00000 n 
+0000470537 00000 n 
+0000470666 00000 n 
+0000470731 00000 n 
+0000470795 00000 n 
+0000475527 00000 n 
+0000475271 00000 n 
+0000470998 00000 n 
+0000475397 00000 n 
+0000475462 00000 n 
+0000478523 00000 n 
+0000477750 00000 n 
+0000475653 00000 n 
+0000477876 00000 n 
+0000477941 00000 n 
+0000478006 00000 n 
+0000478071 00000 n 
+0000478200 00000 n 
+0000478265 00000 n 
+0000478328 00000 n 
+0000478393 00000 n 
+0000478458 00000 n 
+0000481432 00000 n 
+0000480917 00000 n 
+0000478676 00000 n 
+0000481043 00000 n 
+0000481108 00000 n 
+0000481173 00000 n 
+0000481238 00000 n 
+0000481303 00000 n 
+0000481368 00000 n 
+0000787053 00000 n 
+0000484847 00000 n 
+0000484267 00000 n 
+0000481584 00000 n 
+0000484393 00000 n 
+0000484522 00000 n 
+0000484587 00000 n 
+0000484652 00000 n 
+0000484717 00000 n 
+0000484782 00000 n 
+0000488150 00000 n 
+0000487894 00000 n 
+0000484987 00000 n 
+0000488020 00000 n 
+0000488085 00000 n 
+0000491145 00000 n 
+0000490435 00000 n 
+0000488276 00000 n 
+0000490561 00000 n 
+0000490626 00000 n 
+0000490691 00000 n 
+0000490756 00000 n 
+0000490950 00000 n 
+0000491015 00000 n 
+0000491080 00000 n 
+0000494667 00000 n 
+0000494411 00000 n 
+0000491297 00000 n 
+0000494537 00000 n 
+0000494602 00000 n 
+0000498258 00000 n 
+0000498002 00000 n 
+0000494793 00000 n 
+0000498128 00000 n 
+0000498193 00000 n 
+0000501279 00000 n 
+0000500636 00000 n 
+0000498384 00000 n 
+0000500762 00000 n 
+0000500827 00000 n 
+0000500892 00000 n 
+0000500957 00000 n 
+0000501022 00000 n 
+0000501150 00000 n 
+0000501215 00000 n 
+0000787178 00000 n 
+0000503916 00000 n 
+0000503142 00000 n 
+0000501444 00000 n 
+0000503268 00000 n 
+0000503333 00000 n 
+0000503398 00000 n 
+0000503463 00000 n 
+0000503528 00000 n 
+0000503593 00000 n 
+0000503787 00000 n 
+0000503851 00000 n 
+0000507395 00000 n 
+0000507009 00000 n 
+0000504069 00000 n 
+0000507135 00000 n 
+0000507200 00000 n 
+0000507265 00000 n 
+0000507330 00000 n 
+0000510636 00000 n 
+0000509861 00000 n 
+0000507521 00000 n 
+0000509987 00000 n 
+0000510052 00000 n 
+0000510117 00000 n 
+0000510182 00000 n 
+0000510311 00000 n 
+0000510376 00000 n 
+0000510441 00000 n 
+0000510506 00000 n 
+0000510571 00000 n 
+0000514529 00000 n 
+0000514338 00000 n 
+0000510789 00000 n 
+0000514464 00000 n 
+0000517963 00000 n 
+0000517772 00000 n 
+0000514655 00000 n 
+0000517898 00000 n 
+0000521590 00000 n 
+0000521334 00000 n 
+0000518089 00000 n 
+0000521460 00000 n 
+0000521525 00000 n 
+0000787303 00000 n 
+0000524058 00000 n 
+0000523350 00000 n 
+0000521743 00000 n 
+0000523476 00000 n 
+0000523541 00000 n 
+0000523606 00000 n 
+0000523733 00000 n 
+0000523798 00000 n 
+0000523863 00000 n 
+0000523928 00000 n 
+0000523993 00000 n 
+0000526952 00000 n 
+0000526243 00000 n 
+0000524211 00000 n 
+0000526369 00000 n 
+0000526434 00000 n 
+0000526499 00000 n 
+0000526564 00000 n 
+0000526693 00000 n 
+0000526758 00000 n 
+0000526822 00000 n 
+0000526887 00000 n 
+0000530124 00000 n 
+0000529868 00000 n 
+0000527091 00000 n 
+0000529994 00000 n 
+0000530059 00000 n 
+0000532999 00000 n 
+0000532420 00000 n 
+0000530250 00000 n 
+0000532546 00000 n 
+0000532611 00000 n 
+0000532676 00000 n 
+0000532741 00000 n 
+0000532870 00000 n 
+0000532935 00000 n 
+0000536419 00000 n 
+0000536033 00000 n 
+0000533138 00000 n 
+0000536159 00000 n 
+0000536224 00000 n 
+0000536289 00000 n 
+0000536354 00000 n 
+0000539515 00000 n 
+0000539324 00000 n 
+0000536559 00000 n 
+0000539450 00000 n 
+0000787428 00000 n 
+0000542323 00000 n 
+0000541616 00000 n 
+0000539726 00000 n 
+0000541742 00000 n 
+0000541807 00000 n 
+0000541871 00000 n 
+0000541936 00000 n 
+0000542001 00000 n 
+0000542066 00000 n 
+0000542195 00000 n 
+0000542259 00000 n 
+0000546869 00000 n 
+0000546548 00000 n 
+0000542504 00000 n 
+0000546674 00000 n 
+0000546739 00000 n 
+0000546804 00000 n 
+0000550610 00000 n 
+0000550354 00000 n 
+0000546995 00000 n 
+0000550480 00000 n 
+0000550545 00000 n 
+0000553789 00000 n 
+0000553533 00000 n 
+0000550736 00000 n 
+0000553659 00000 n 
+0000553724 00000 n 
+0000556486 00000 n 
+0000555845 00000 n 
+0000553915 00000 n 
+0000555971 00000 n 
+0000556036 00000 n 
+0000556101 00000 n 
+0000556164 00000 n 
+0000556293 00000 n 
+0000556358 00000 n 
+0000556422 00000 n 
+0000560268 00000 n 
+0000559883 00000 n 
+0000556651 00000 n 
+0000560009 00000 n 
+0000560074 00000 n 
+0000560138 00000 n 
+0000560203 00000 n 
+0000787553 00000 n 
+0000563859 00000 n 
+0000563214 00000 n 
+0000560408 00000 n 
+0000563340 00000 n 
+0000563405 00000 n 
+0000563470 00000 n 
+0000563599 00000 n 
+0000563664 00000 n 
+0000563729 00000 n 
+0000563794 00000 n 
+0000566130 00000 n 
+0000565874 00000 n 
+0000564011 00000 n 
+0000566000 00000 n 
+0000566065 00000 n 
+0000569611 00000 n 
+0000568837 00000 n 
+0000566269 00000 n 
+0000568963 00000 n 
+0000569028 00000 n 
+0000569093 00000 n 
+0000569158 00000 n 
+0000569286 00000 n 
+0000569351 00000 n 
+0000569416 00000 n 
+0000569481 00000 n 
+0000569546 00000 n 
+0000572683 00000 n 
+0000572104 00000 n 
+0000569764 00000 n 
+0000572230 00000 n 
+0000572295 00000 n 
+0000572360 00000 n 
+0000572425 00000 n 
+0000572554 00000 n 
+0000572619 00000 n 
+0000576505 00000 n 
+0000576057 00000 n 
+0000572835 00000 n 
+0000576183 00000 n 
+0000576248 00000 n 
+0000576313 00000 n 
+0000576378 00000 n 
+0000576442 00000 n 
+0000577310 00000 n 
+0000577054 00000 n 
+0000576658 00000 n 
+0000577180 00000 n 
+0000577245 00000 n 
+0000787678 00000 n 
+0000577508 00000 n 
+0000588852 00000 n 
+0000596441 00000 n 
+0000598740 00000 n 
+0000598709 00000 n 
+0000602427 00000 n 
+0000611867 00000 n 
+0000622374 00000 n 
+0000634116 00000 n 
+0000646833 00000 n 
+0000665900 00000 n 
+0000686787 00000 n 
+0000708930 00000 n 
+0000726825 00000 n 
+0000729655 00000 n 
+0000729425 00000 n 
+0000756962 00000 n 
+0000784073 00000 n 
+0000787758 00000 n 
+0000787882 00000 n 
+0000788008 00000 n 
+0000788134 00000 n 
+0000788260 00000 n 
+0000788349 00000 n 
+0000788450 00000 n 
+0000805623 00000 n 
+0000826025 00000 n 
+0000826066 00000 n 
+0000826106 00000 n 
+0000826240 00000 n 
 trailer
 <<
-/Size 2290
-/Root 2288 0 R
-/Info 2289 0 R
-/ID [ ]
+/Size 2296
+/Root 2294 0 R
+/Info 2295 0 R
+/ID [ ]
 >>
 startxref
-824785
+826498
 %%EOF
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index bb451a664e..c4ae4d9d3e 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 23af9d9f26..4f82e99754 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index ec716bc8f1..173a778dcd 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index d8071ebe93..349fc51aed 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -172,7 +172,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +219,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,7 +258,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 3ca81ed1af..8d6bf885da 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -238,7 +238,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +285,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +331,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,7 +352,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -361,7 +361,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index c8ecfb9e77..c86cd8c7c2 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 71a3db9f24..2a12858f23 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index e469e62e9f..6935cda17d 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -397,7 +397,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -427,14 +427,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index da17b4d222..82f1d0b402 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index fe667b424e..afbeff79c7 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index b1d01693a2..081fa67101 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 8254f59254..339722af23 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 87b6b34cbe..0934734769 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,9 +50,9 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
-      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
       This allows resource records to be added or removed from a zone
       without manually editing the zone file.
@@ -94,8 +94,8 @@
 
    
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
-      in RFC2845 or the SIG(0) record described in RFC3535 and
-      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      in RFC 2845 or the SIG(0) record described in RFC 2535 and
+      RFC 2931 or GSS-TSIG as described in RFC 3645.  TSIG relies on
       a shared secret that should only be known to
       nsupdate and the name server.  Currently,
       the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -112,7 +112,12 @@
       record in a zone served by the name server.
       nsupdate does not read
       /etc/named.conf.
-      GSS-TSIG uses Kerberos credentials.
+    
    
+
    
+      GSS-TSIG uses Kerberos credentials.  Standard GSS-TSIG mode
+      is switched on with the -g flag.  A
+      non-standards-compliant variant of GSS-TSIG used by Windows
+      2000 can be switched on with the -o flag.
     
    
 
    nsupdate
       uses the -y or -k option
@@ -205,7 +210,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -469,7 +474,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -516,14 +521,14 @@
       If there are, the update request fails.
       If this name does not exist, a CNAME for it is added.
       This ensures that when the CNAME is added, it cannot conflict with the
-      long-standing rule in RFC1034 that a name must not exist as any other
+      long-standing rule in RFC 1034 that a name must not exist as any other
       record type if it exists as a CNAME.
-      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
       RRSIG, DNSKEY and NSEC records.)
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -546,21 +551,22 @@
 
    
 
    
 
    
-
    SEE ALSO
    
-
    RFC2136,
-      RFC3007,
-      RFC2104,
-      RFC2845,
-      RFC1034,
-      RFC2535,
-      RFC2931,
+
    SEE ALSO
    
+
    
+      RFC 2136,
+      RFC 3007,
+      RFC 2104,
+      RFC 2845,
+      RFC 1034,
+      RFC 2535,
+      RFC 2931,
       named(8),
       ddns-confgen(8),
       dnssec-keygen(8).
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index cc71f45bae..b087a9a740 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index c401a23df0..2c8df27697 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 2b40f61e49..a09d5bfcc6 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From eec29cfd40361662b25bad50e1b94f7738a8fea0 Mon Sep 17 00:00:00 2001
From: Jeremy Reed 
Date: Fri, 16 Oct 2009 15:37:01 +0000
Subject: [PATCH 324/385] Fix typo as reported by SUN Guonian .
 This was seen in 9.7.0a3. No CHANGES entry as is too minor.

---
 bin/dnssec/dnssec-keyfromlabel.docbook | 4 ++--
 bin/dnssec/dnssec-keygen.docbook       | 4 ++--
 bin/dnssec/dnssec-settime.docbook      | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 1b576acad1..7770d0fdd1 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -297,7 +297,7 @@
         
           
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 1daa979788..2ea7fd4a31 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -400,7 +400,7 @@
         
           
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index 54e49b76b6..175183c1a8 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     July 15, 2009
@@ -171,7 +171,7 @@
         
           
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.
           
         

From 799933b034a800fab181e7776a2a52b30c3ce0da Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 16 Oct 2009 23:18:39 +0000
Subject: [PATCH 325/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index d5b9956df0..2b37b7213f 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -37,6 +37,7 @@ custom_WFB_v9_5_0_P1		private	marka	// 2008-07-15 00:05 +0000
 custom_WFB_v9_5_0_P2		new	each	// 2008-08-05 21:06 +0000
 custom_WFB_v9_5_0_P2_1_servfail	new	jinmei	// 2008-12-08 22:38 +0000
 custom_WFB_v9_6_0_P1		new	marka	// 2009-02-05 07:00 +0000
+custom_YAHOO_v9_7_0b1		new	ebersman	// 2009-10-16 00:16 +0000
 gsstsig4			open	sra	// head + gsstsig as of 12 may 2006
 gsstsig4_win32			open	danny	// sub-branch off gsstsig4 for windows development
 jinmei-mmapzone-test		open		// mmap based zone file. very experimental, just for reference purposes

From 8ab6a775bb8d3494f1db6d4c5abfa3f69afe20b3 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 16 Oct 2009 23:47:54 +0000
Subject: [PATCH 326/385] update copyright notice

---
 lib/dns/dnssec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index d55d3ec378..9c90215bed 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.105 2009/10/16 02:59:41 each Exp $
+ * $Id: dnssec.c,v 1.106 2009/10/16 23:47:54 tbox Exp $
  */
 
 /*! \file */
@@ -1284,9 +1284,9 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 
 		addkey(keylist, &privkey, savekeys, mctx);
  again:
- 		if (pubkey != NULL)
+		if (pubkey != NULL)
 			dst_key_free(&pubkey);
- 		if (privkey != NULL)
+		if (privkey != NULL)
 			dst_key_free(&privkey);
 	}
 	if (result == ISC_R_NOMORE)

From 5a24d24c8fba3480d707c0c902379ddb36501e12 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 17 Oct 2009 01:14:35 +0000
Subject: [PATCH 327/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     | 4 ++--
 bin/dnssec/dnssec-keyfromlabel.html  | 4 ++--
 bin/dnssec/dnssec-keygen.8           | 4 ++--
 bin/dnssec/dnssec-keygen.html        | 4 ++--
 bin/dnssec/dnssec-settime.8          | 4 ++--
 bin/dnssec/dnssec-settime.html       | 4 ++--
 doc/arm/man.dnssec-keyfromlabel.html | 4 ++--
 doc/arm/man.dnssec-keygen.html       | 4 ++--
 doc/arm/man.dnssec-settime.html      | 4 ++--
 9 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 37719b1ace..9ab7885cc3 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.13 2009/10/07 01:14:42 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.14 2009/10/17 01:14:35 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -147,7 +147,7 @@ Sets the date on which a key is to be published to the zone. After that date, th
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-R \fIdate/offset\fR
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 4121f82eab..2369456e21 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -175,7 +175,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 0fec92dd93..016241ed5a 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.49 2009/10/06 01:14:41 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.50 2009/10/17 01:14:35 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -188,7 +188,7 @@ Sets the date on which a key is to be published to the zone. After that date, th
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
 .RE
 .PP
 \-R \fIdate/offset\fR
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 5a16af80b7..8d680d6630 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -242,7 +242,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
    
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index 3d690fcc46..9effbde82f 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-settime.8,v 1.7 2009/10/06 01:14:41 tbox Exp $
+.\" $Id: dnssec-settime.8,v 1.8 2009/10/17 01:14:35 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -92,7 +92,7 @@ Sets the date on which a key is to be published to the zone. After that date, th
 .PP
 \-A \fIdate/offset\fR
 .RS 4
-Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it.
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
 .RE
 .PP
 \-R \fIdate/offset\fR
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index d4d97ab1e2..69134cca88 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
 
 
@@ -109,7 +109,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.
           
    
 
    -R date/offset
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 349fc51aed..67ca1f0027 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -194,7 +194,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 8d6bf885da..54587c0f7b 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -260,7 +260,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.  If not set, and if the -G option has not been used, the
             default is "now".
           
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 2a12858f23..b2d0292220 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -127,7 +127,7 @@
 
    -A date/offset
    
 
    
             Sets the date on which the key is to be activated.  After that
-            date, the key will be included and the zone and used to sign
+            date, the key will be included in the zone and used to sign
             it.
           
    
 
    -R date/offset
    

From 02b69ec7f2cf8b629c05a75803e990eec812f17a Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 17 Oct 2009 01:24:06 +0000
Subject: [PATCH 328/385] regen

---
 doc/arm/Bv9ARM.pdf | 1557 ++++++++++++++++++++++----------------------
 1 file changed, 778 insertions(+), 779 deletions(-)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index ec8380c0e7..9327dbb101 100755
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -9037,24 +9037,23 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 2045 0 obj <<
-/Length 2826      
+/Length 2822      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Z[wã(~ϯð[”³±Ðå1ݹt&ËvÒ»;gzdÛ:-K^KN&óë· #Y–{Îl÷> ¨úª(P‚ÿÁ(á>ai8ŠÓÐç$à£éê„ŒÐwshÌØ€Æ.êãËɇkR?h4z™;s%>I’`ô2ûÍ»xzºz¸¼ýÏÙ˜râ}ôÏÆœïþâáÛÅl{:K©wqsõ|6x’D
-%,"ÞåÃóóÕ§ñÝÕ¯×_ï¿\|¼úröûË/'W/V8waR²ÿžüö;Í`¿œŸ¥	½ÁâiJG«“3Ÿ‡Œ™–âäùäŸvB§W
íSHÈŸÓ0œò˜õ«ø„ƒÆqH`ÊZµÑ Om%Õ6žÊ~¸æÜAħ´OdZduÝUG@¹/µ8r×Ü“Ì¢zDcî‚T’ -Ûm9˧Y#j°_ȼf™5¦&°v“êm΂ÄÓJ•3ìœVe“åe^.:£~ˆw¬ÔËj[hô2{-õ굘æß	¡ÂÌ(5”a$ñnçØVVZ(…K=ÆTZ<”
-Àl·ƒ3#Q©ªzû€e®ok1ó÷è§m¥1(ˆ'ÃDpQ‡‰`QŠó"¤~”0Ãy‘-öh$~ĀărYT`-PæGн%Ù³h¤ÊC4Œ¬´תe œêÌËzש€ô,ðD¡VóBÀ`ø»M,°}3ïÅ «²xoãeþg[ª)ÀÖ¢$jS"Ãah÷»ç;¬|'œÜ)ŽÂç|¡),!â:ü‘•3¬|½ú×ãÝÕaÊp¦a¡Œƒ ŒA)ÊÜt—L#?â<^Ò€z–l‘@š¸½ä(ÅB‚ÖÒŸƒ ð´kM¶
Vf–è¢PYo'E^/µ»éF0­*kP4ÖÞòÆb¤·,n¼³Z7yU¶=6/§Õj5ù¤Ý)ÆOk/[
-øÏ	ÄaK9¨K”²ÔrÏR¡†á‘%
¨gI×Riꇔw–|ÚäeS·ìáv£•^oW«l£).P–x­ŽëŽâÐYÛ•°7­–h˜ú”ÒX‡­YY×b:’Ì7ÕªÈ&¢ÐƒZ{€ƒ*sÐB<¥~‘tØB.ê°…,JYè®ï}òÔì#߈iSÒº1˜SÈ ¢hX8‹ê‘®åv<öYœ´¥ƒ\wlâ`ÈS"i7Ðä_æÓeþÃÄ3Q»&Ö˜è¿Æ‡6yÓˆò°-¢Àƒ8:b5`ƒR¶øqÈ[—´Þ²¿dŸ·´–lÇ5uúÈJûôÑJÜRlŒ~3­tshõ;¬AH»X9\Ô€
JipÝÇæÀORn\l½©šjZ{lC?æ<΢z¤k±bAÌ¢¸-Ò™™\A®·VºÒ"©®×¬Ø
-¬Îå!QÎì‘#ïI¢hïNCÕ!{2,Êíj"ôlѼ	QbÑ0íd…rîL®R{IIÜN!fbžm™!T-–¤ß2‘À«Ì|ì{DöÈþuU×xfɵá{pÇÐØ,sÝä†_ì³Þ+»á`mTâ*ƒ¶¯×Ÿ°rÆõ,¥Á4˜‘övêít*êºÚfmsð r$vQ‡YkQŠµMo
-—s–4ïkÑ—“˜‡ÃrYT`ݘp lK2÷&DMT¥¼*`‹:Bw=Ä!¨ÚR´Ö€£ 	“Φ:’Ðî¹&÷_më'žè¥«²³ôÅ·—ÏŸ®å-û›÷ݨ@3ÌŽ!F–k‘ááÑŒõ%F1=Âx5ÀxƒRŒíÓn9Úò…xûAÈAc¸¨
JfQ=¢µoÿOyÔ­/å“íba/CJ2ß&€–8sXd®Ã?5›^nïonpìãÓËíãÃsíÁ„ vÄ®]j¯‹¹7UGm¢@ƒøÃ=Ä+õBãåSv¡ÌP@ºRÏÐù+ü»¿¿¼ÄuïpZ?¾¿~ö±S½.Äánžvô•-ªè¡úò!GaqúSY‰ôšÐ0>•N¼ÅÚ‡ ’v±ÑÛjpW0îÌôîÀå¡^=xŽ§Þª³w£+r“¯„:…"ïÚˆ2­ÊWQæàB‰'æ{à(X¯›÷n^Eõ¦d"o"½.ˆu¼‚¯ Å„†z«¦•‰éÊÖÐy
-ÑÓS:¢¡wºª°Ê¼Ó7[›ÙÚÒÔÔžäèUnšdøÀeôzq{V=”ò¹E*×ÃÞE¶ÑBÉã|&¤œ% zâ
Ú)ñXıBÃñ²ÚnðÇ,{¯•ŠÁÊ‹²Ú #AG!²5ÖÔb2WиUU6K=i{uÕd×#–s¦‚Lç‡YÞ‘DâM]s®ò´RŸ»©­|jrp›…ÉKú¿Ï8l­)›ö½Ó1ðy÷ªéùÒ;Æpn6p‘¬Ê„Hê§äju8P[”
-ÔOGj8Aćj®¶Ò
×õ£ä˜|Õ#`+\G±EÐÛ’PÇëÔèR¼šÐ¤LÒÝÍP&Ø‚÷B™šÑ–=‰~³Q–pºí"‚cËg9šzóFÝ‹T·
-ºZˆsùgÆèEUÚwݘ2Þö¢·¼($…©ôT¾ïÛ²žêOMœ£J=@1/fÎøøäL¶­ÍDj/Pê—'9µzo‚Ȇñß
V=×NW9æ9Æ7XÚ'*¨/ÑGñºÇ»&êbžÏ÷N\“f9®ñbbY½Éâ°#ÐX|äjî€Ü@ƒ”\}$r‚Ðgì ‰;Ÿ(¢§±fZšlj
ÓÝ>MghB׌
¡¦èrŠt0ÒYbIÍD1ÒÙ]LÑJKgèD:C£IjšÀò$hô•™¸+ÿU:C.é“„y(qQ‡	mQŠÑ_ûMH@†ÒÌÝ)û) ñÚ”Nü8†Ó¤%Ÿæt¢c‚¬hN'Õei8í¢y	ÑO¸%7'òóVñ,­~(bÇ¡
±ÁÍ‚`×0 {Ó†Ø	Ù;ñš²½oo,[,ÌyžÕn6a$̹m̾
-àÎs¤ãNF`C¥v
÷Ází,Î%p÷ÕA:Ë!úÉGäûv òiâÞ·ÿG4’mM÷„릮tšyÖèæiæA“b´æíPTS:s3¾Âr¢§Ñ—ý~­¾é¥ÜROM¥¨§W”!…Æ=ókêASÝØêφ×Cê~ÃÊ÷øh¿fýMRÉ2áGRUt˜T¤HuÙG*ù'ñÏ‘*IÓdP6Ú®K*Hfƒ–t:I¥æ#?Tt’*ooRg”Ú$ÕEaš
-•ÜŒ¯°Äç0
-GK!ð€f$°™(µµ WR·Â¤g^m_*5,‹ª\ˆeS
-ŽÔÎSÿB`ÒÁM^áL€[eïn\efàÞöÓ
"×U«o>Î'×%Ü·_AØ8ô|õúÀÏ0îË¿xé1+±ï7ûkvFÆà„ÉW'F 8±40BI•BêŠÎYâó„Æ=²ÿ¶	ÐJendstream
+xÚ­Z[wÛ8~ϯð[œ³±*‘¢.isi&Íe›twçLçA¶i[§¶äµäd2¿~‚¤)Y–»;Û>&A>€•`àÃÿ`Ïçi8ˆÓÐ~ “Õ‰?˜ÃÜÍI iF†häR}|9ùpÍãAꥋ/3‡WâùI^¦¿
/žž®.oÿu6bÂ~ôÎFÂ÷‡÷ß.¾ÐØÓYʆ7WÏg£@$ID!’EþðòáùùêÓèîê×ë¯÷_.>^}9ûýå—“«+œ{€Àç(Ù¿O~ûÝLá¿œøO1xƒ¾¤)¬NBÁ=rnF–'Ï'·Yµ´K!¡H<ÁÂh0âTļ[m¾çPÃ(}`2«6t©ÍP¡ÚF<è‡k!ÊÀ÷íûŠd²Ìªª­Ž€	µ8p÷Ü“ÌRuˆÆÝ
9¨(ôƒ¦l·Å4Ÿdµ¬À~!Ö‹¬6=I°vØps$C9)U;¥ÉIYÔY^äżµê‡|§Nµ(·KM½È^eƒŽ
«µœäß}ŸIÃ5á~2¼ÑXQj¡õõ41´xˆ
+Àl‚ŽCœÎ	Œ¤TÕ½} 6׿·•œz{ðÓ6ŽÒ$’~ ¸T‡`©f@H½(á³e6߃Ax÷Êe©:kÀ€q/
+î
Éže*É0Øi†ûUËA85™-êݤ"dgÁP.õÂrÖ"†ðP
ýnlÆ|øb¨ËbùÞ¤›ùŸM©*‚DG‹’¨	‰Œ–‘Ýïžï¨óÝþÂ(üxÎçÂH"ßa2 Y1¥Î׫<Þ]†Œ€`ÆáÈ8T=1T
+27í-ÓÈ‹„ˆû·4D[6Ààš¸¹å,äB‚Ö5èÏAµk·5u¦%µä¢ÐYoÇ˼ZhwÓƒ`ZÕV hê½åµ¥Ao|°¸ñÎr]çeÑôؼ˜”«uVçã¥l³=µ¬5º8l)À¿ð!nô[Ê¡ê±”¡R–ZìY*ôÂ0<²¥!êØÒµTšz!­-Ÿ6yQW
;A¸Ýh¥WÛÕ*Ûhˆ£bK×ê¸j)Žœe¾]I˸.)h54ÀÂÔcŒÅ:lM‹ª’“€d¶)WËl,—zQãpQ%0BkZH¤Ì#?í·KuØB–JYè®ë}ŠÔœ#ßÈI]‚ÒÚ1X0È ¢¨_8KÕ!]ÃíDìñ8iJ!¸jÙÄ¡§DÒn Á¿È'‹ùÏ0/eåšTZc’ÿÚäu-‹Ã¶ˆ/âèˆ-ª[*e‹‡¼¥wKë-û[vyKcËf\S·vš·VÐ-äÆè7ÓJ7—VDzÄ´‹Çá‘›Á¥êÑ ¡R\w¡9ð’T[oʺœ”Ë=4‡¡ög©:¤k bAÌ£¸)Á™›\C®·VºÒ"©©×l¹•ÔáTšœÛ+ë‡$Ñ	Œ·Ù0uGàLFM±]¥æ6–õ›”Møš£v˜s•Bp8KêÇÍb*gÙv‰ªÍ’tÈé'&TÚ`ÖàÑÜ#¡ç×eUÑ…êÀÍЉa°^äzÈ
¿4g½§áb­Uâ*ƒ±¯×Ÿh€	.4—ÂÐÔ”ùÍãTÛÉDVU¹9ŒÚ0àAþ‘Ø¥:ŒZK¥P[w¦ÀPĘ»¤~_Ë®ØEØ/—¥ê¬ûÛÌ­„˜‰ª,ÀRFÔº›ñ€ª#…Ac¸
+’0iª%	‹ Î5¹ÿj[ÕÄx¬·.‹ÖÖß^>z|¸Æ*ûœ†÷=¨)f”C0Œ|Ø®†‡G³ÖCòˆü;õøC¥aк›y»!ì	gr£‰Õmƒ­a™óe^¿7g³-̵R¾Þ9«3ž:31µiÌ”ÙÛoÇÛ¹çd1Ù¼¯M®
+l#êÉ0ŠÙÄ;T=ˆ7T
+ñ¯ÝqšC•£-¿”¯r?H8X…Z¯d–ªC´fõxLDMѺR9ÞÎç¶R’y6´À™Á~°q€¹O¼4Öhz¹½¿}¸¡µO/·Ï°‚ØO„Zt©½.ɺjã\äî!^©‚˜ŠOœ"™¡t¥ž-`òWøwyI3ªîpF?¾¿~öhR½.ÄáŽO3úâÈX‚*:c¨.>p5§;ÅN¤÷„Ñ)b8	¨
+ŠµÁ$ír£UÓ©€žÌôéÀåa~VI½xF·Þªuv£+r¯¤º…¢áµeR¯²ÈÁ¤	nÌÍÀU°èß7ï<þ¬\.Ë7%{
ÇèuA¬ã¨x$&T[ÅÓ?”­aò¢çP鈅ÃÓUI]><}³½©í-LO	W¯r3„ჶÑûÅÍSZõÐb
¹%U®—½Ël£…Âë|*QΨ:â
Ù)òHP‡…£E¹ÝÐiö^)ƒ•çE¹!G‚‰¥ÌÖÔS›a® éVeQ/4ÓæîjÈîçØÎa™Î³½#	Ò›¾¾Zæ\åh¥:wS[|ªsp›…a‘þÏ3G«eݬ;Ÿ·KM×NIïél ,‹ž„@ê¥äöj—êp ¶T*P?M¨á‘Ê™:J;\GÌ‹’còYªá:Š½(‚Ù†„:^§F·âMéÒ„!õ`’î*CLi„êBÌÍê’Ú±f¢ßl”%œi»ÉŸàØø,ÇÒáŬVu‘šVAWqŽïqfÞT¥PëÆŒ‹¦½åË%B˜é@Ïð}g¹ꙎñÌÄ9¦DÐòbîð Ç'‡Ù¶2ŒÔY Õ/OÈZ½7Ad£øשׂžk§+Œ³–£jíôä£ôNÝá]cU€˜gçó½פYŽk|‡˜X”oØvŠ”æQh"åGIúœ ô¸’^Ù,ѾpMH=ÎyÐNW•B߀Ø!ÀÚƒ‹Ðx@ƒJùvr³¾¤v¬	2vÀ
+ߟ#¸4Љ	Ýì…@‡K}Ÿ3áQó$èÃ	’¸õ‰btÎ	èØ;Î5ÐqˆÊ8nЬ¨Jj	ÍH®Ð,¡§šq†ÐÌ…eÄšÍÍØ4c_¡¹Á‰ðk$QL©ªïÀúÿŒfH%=?aGÞI\ªÃx¶T
+Ð_»íûûDs/vYv#šˆ:Äk":ñâ.“†|Ò‰	ØÑN(¨ck íRð_¿HPÜFhŽñëué*-(\Ç 
®À͆`×0`{ìƒëÄßá:ñ–ò½Oo<›ÏÍužUn2a$Àâ¶6ï÷*~;¯‘Îà$6Rê;À}¯Þç¡C¿Sî>: ³‚¾	$Çз#êŸ&RØûöÿ¦}²í‚éžpÁÔ•N#ϲ<<Rȃƒ¼ÓЀÉܬ/©k6º¶ÑÏ×ê“^*,ô+=½#†wð×Ѓ¡ª¶ÝŸŒ®!Ôþ„•ïáÑ~Ìú‹ Â6G2U‡è0¨‘Õe¨ð/&âŸU’¦I¯l–h_¸6¨ —
Òé•™oüÐÑ9*o¨3ÆlŽêRQ–
+ܬ/©¥×0WËRÒýÌýÀ&¢ÌþÑ‚ÞI…I_m_†yµË²˜ËES
+ŽÔLSÿ‹À¤ƒVp&À­²w7®2³pýrC”ë²ÊÕ'ç‹ëÊíW6‡žú>}àog¸ðð^:ÌêÛ盿üw5»¿"
+cpÂäÀ£÷!8ñ40B¡J!µE<ñDÂâÙÿóFÏDendstream
 endobj
 2044 0 obj <<
 /Type /Page
@@ -9171,27 +9170,20 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 2065 0 obj <<
-/Length 3128      
+/Length 3127      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKs㸾ûWøf9±0HðQ9yÇž±wcÏdí©dkw”DY¬‘H-IÙëüút£(QRR±f£ÑøúJKøWç&QªÓó8
…‘ÊœOWgòüæ>Ÿ)¦;¢±OõÃóÙ‡OA|žŠ4ÒÑùóÜã•™$êüyöëèaÄ%p£›Ç§§ÛãŸnù|ûx9VibÒÑõׯ·7÷ÿºk#H¥=\?~»þ;}½LõèúóíÓåïÏ?žÝ>wbù¢+ Lœýú»<ŸÁ~<“"€ÎßàA
-•¦ú|uš@˜0ÜÈòìéìCoÖ¾:¤ŠÐ$Âè0:¡H`ýa…)+D±IEè S˜VC
-sT¨°ñnôÃ'cÏ6Ë–l¥ÇV‹=£adÆÒˆ0ÒÉ	øzTGàë¨,|»KF‘i|bIG4°¤ÉX	';K~­‹²ågÔ4‹ªf]4›Õ*«ßé¡šS‹J¤u[T¥{‘c;ö_6«¼cÜVd–=
è0Hé˜írV6M>ÆMLîK›L
ØQ<›( Jp­GÏƧ:|6•=›Ÿ†\8=“ºu>#xß÷,¡FêãÂuTÒõ=K*dq¤'ÞSÞ)ÛÈc
œd"l—Ô¾-Šéb‡½‹í Å.óÆ?ͼ;GÛNøù­.Ú6/FŠ4͉Ã𨎆£²‡ñý¡]²3”ý%‡¥·äM¾fufm>ë«sž½¢ïódüL-Dlë³ëH…"JLxBGÕ9*«£õp,LR0b×uÕVÓj¹X‰P&éqá:ªéú€…œ"ü}ñ°J	ÆX`‰d§l¸¢É¹.>9G`ÜEG\Àæù0WŠOà±Ü¬&yMC“¼}Ëó’&$“g³10HEœÊ¸;´ÁP@âeWÔZyál86ÀËHJæ §Í}Á(E]¿èÉ…k퀃î±ç»Z„ß^^âò„V”¤¤ÖFVì@d5üoq'.Χ4›é4ošªnâ²Ta8ã8ö©㸣²8®p9UDãįV³üußñB®‡ñqá:ªéú86B™¨/ÝS—ã ¨¤bxJ=jª=ŒiNè°%iKP'œ~J
-·oåz›"£w8ÃMÍ*·NYµ4Íø~-füzFú
-}Í€R•jgø@Y¨‡IÒ?yr |b´É&pl
-Àª…!Z°/¦9&}á}ÙQ¶|¥§ÜÀœˆ¶ê¡ñ¢éÌ{R¼gïo¿éŸjèÎ&•™MWaˆÎ“rwh¦‹¬Î¦­u$@G`ÊšZ
-¬L^•mV”|ÈS¸›e-3Å€‹í„Wç|FŠ@‘Íú¢ì¥·ÊOoÑM)ç¦Ð¨q“Ù’ÈÓîëR)ƒ`׬K>…Ù€*
T~J9„å¬ÀHÙ%%YÛ¥Þ9R…sìRÏÍrÖO2pϽNõkª•¤OuØëtTÖë4CÑS
-™m±ië¼|iûÑ3‹Ý®£®çuD…}ñvÜŽt•(•
V2;₨”ÚšaÄØæRðB5]Д~ЄÉd¶„Ž2èTà…ÑD@uœö1:ÝÔ¼b»ä:æÙVNºØ”I(“4í;öm:>ÖiÀ¾0
¼”
lz­c«Ó*&8Žnë´±›ut€9Z¾TP-VWì¹7Ž)·ÓŒùLxéê5¯ëb6süm‘+âÒÎ|î*ƒþ[Ñr-÷tÿóKI©¥{9 ˆ}÷‹nËu¶²gx‰‡œè®4òîáúãø/\Ùðº7wÈžŸŠqÓ¹yw{Bwý²ñd-Äàëdp¢^ô©[gGe­³Ì!!£s™Ìi&èy“ô¸XŽh@,Íà¼c¼hí‰uïIíJqHÇéh5W“ÛyÔ°”Ö"HÂdgG;‚èH€3陕ÖmaéªÜYúúÛóÝÇ/Ÿð&ùŠ†¿ì
*d
-g„*R"’r'»züâÞµõOä*§È¯œ"®œ¢žb;„=îjž×Ll±†­c™MŠeѾ÷g³
Ì—­U>¯9
-(¾É‚1»è@YÔ]™ly{(ÏËiý¾æ„Ù†;&8Qù{DGÀÎDë¯'ïÀ—ùk¾Wô§±Hu¢Jåhö¥ê!-R™šžXCTùdóòÒ¹$+•èn
-;C–FB«µ‰Àhâø|ÿpÿȾëË×çû/Ox‡³)Â$¢{²6·Ø°'Ž)»ÆüO¾âilšS6­ˆ¹†Áx¼•Meaòø{x¸¹¡ë½Ñ»»‡‡§'A“XãádÇg§t‡‘Iªh†ðÆߢæâ¯؉xM_ xEa&f㙢„’„·E7Ȇ'3Þ]e?;Ì›œ_ÞÞÄ÷öî´Ó‰Ü««Š$}r¢@aóš—XAnEÒöjgšÍtq|Ý¢Žxî``4AsS1;*°Ž
-HLh6ÝW”?íYÃäÅûÅ¥"WŽ.V•U—Fo]oÖõ®g÷„o¯
-7ÔR œ‡AIü](V=´Ój…
É’`ô=Ïj
-#ì6§8x:§dD†::/0W³³ì½±*†S~)!t[C‚‰ež­©gÃpÍt+¨:Ì´¿ºêÖ“–óXAÆÿÝ-ïI‚ô®ÏQ`gS«¢­X0\†$¨mæßU#X©þóÒÀÖZ`Ùö?Px|µûMÂ?ïkŽw^µÐ@’[Î_j©ÄˆHºhŸê°î¨¬“þzòrBGþ¡šÛ­ìÖ”‚¡ŠË×Q
Øs×iãÊž€ì®S§Ú$µÑMìÒíg˜Ìh„>"$)çÐSÎ/`|½™,‹fa›îù7Ø5£Õ_Ïím
-M[ŸËB\yE¬[Ô¦&†\âÍŽ÷į†:ÖìçÁ!•ÓåfF ×ìâµssÚŠÀ/XàÅÇÃ^»ùÌ6cd÷mÖȬí86rÿÞÛp¨Wls¥“c¾#Çø3µ]*
}ª‰A"ä4à+'¶w×&W{wà;çoàËê
›Ãv(†&:aÕ;pTÖ®O~U;f‘€ä28.^G5 _ÏB	#¤	=ù3…qטư`O%0¡³ƒ•µìîýŠÚ	dèñðó`$‚¨Äp'&w·Â=Qœù{8ñ$KNbµs‹¿…{3ÞÒÄ™OìðîÏa¢FŽ°¢YÆ5ô,®C£	×@B¸F‹ë@¦ŽWL¸ö׳¸†¶Ã5L®a°ãÄH†##ÂñÎÿ×q, ï8áÞ=¢#ßñ™È‚úçaPK©ôƒjHWÃØ®#Ú—nÓ¡N’žxéÄ]&ÒA:!׎­ƒ´OEÀKø.0!ïÐœ0ó×ê»u>Ú:q>Ü­*½Ç[9P'rêD$:
úGÁ?È^^\@wW…}	2÷­»%Y.ûËž]x)Aç,Ù,üŸ6ìó`ïï•l%ȱ‡~v…§þÀHvuÏÿý“¬íOÏÂÜBrà‚q¼2ŒœP¨]¥£}“ÁËïHÈþvžušendstream
+xÚ¥ZKs㸾ûWøf9±0x|TNÞñ<¼{&kO%[»{ $ÊbDjEÊ^çקÝ A‰’’Š}4Æ×/Pê\¿:·±ˆ3'Y$¬Tö|º:“çO0÷éL1ÍØCªÏÞ}4Éy&²XÇçó€W*dšªóÇÙ¯£„—ÀAŽnî>¼ÿôá—Oî/Ç*Km6ºþúõÃýÍí¿.ÇÚJ R)Gw×÷ß®ÿNc_/3=ºþôááò÷ÇÏ>_EÖãG–ggÿè³îÕ!UD6VGñùØD"…õ‡¦D¢%6±Ñ¦S˜VC
+óT¨°ñnôÝGkJ¥„‰’¸#ÉSQ›¼­7»*QZ‰Ô€èáº{ÒuTâ™pQ‹Ž©/ßíürltä…(«'zΩ¹)ç—*ý&¥.häs±\®òŠ¾¯—J©Ñh“MàþØ–€UC´`_NLúŒå}¹Q¶|¥§ÜÀœˆÞÔCãeÓ™÷¤&xÏx¦Zo[1´YcE*e:í@’q>n¿éŸjäÏÆŒªÜ¥«0DçI¹;4ÓE¾É§­s$@G`Ê
µX™¼®Ú¼¬øW¸››å-3Å€‹í„Wç|FÊ
+@‘Ïú¢ì¥·*LoÑM)ï¦Ð¨q“ù’ÈÓîëR)‹`׬K>…Ù€*-T~Jy„•Õ¬ÄHÙ%%yÛ¥Á9R…sìRÏírÖO2pϽNõ«ÉÔ‰J2¤:ìu:*çuš¡è)…ÆÌ‹¶Ø´›¢zjûÑ3‹Ý®£®çuDG}ñvÜŽô•(•N27⃨””€:šQÌØæRòB95]ДaЄÉd®„Ž²è”	Âh* :Îún7¼b»äÞÞÝÞ³ïúòõñöËýÃÞáì@Š(éžì†Í-±ì‰Ê®q ø“¯x—fã”K+®a°oåRY˜üþîînnhÆùÇ`ôóç»»‡A“XãádÇg§t‡‘Iªh†ðÆߢæâ¯؉yM_ xSEa&a㙲‚’„·E7Ȇ'sÞ]í>;Ì›‚_~»‰ïíÝk§¹-WVi<úèEÂ湨J°‚‰¤ÝÕ<Î4Ûéâøºe3ñüÀÀh‚æ¦vT0à˜0Ðl»¯(º³†É‹×‹KE®*]¬j§.mF/]oÖõ¾çö„o¯J?ÔR ¼‡AIÂ](V=´Óz…
É’`ôµÈ7,FØ·œvààéœÒ‘‰-ut4^`®æfùkãT§üTAèv†Ë"_SÏ-†ášéVPu.˜iu7Ô­',°‚Œÿ»_>é}Ÿ£ÀΦVeZq4`¸)HPÛÌ¿«F°Rý祅­µÀ²í øj÷›DxÁלà0‚j¡$·š¾ÔR©±uÑ!ÕaÝQ9'ýõäå,„Žâ]=w[Ù­”‚‘JŽË×Q
Øs×iãÊž€ì®3¯Ú4sÑKì²·Ï0™Ó}DH3Ρ9*fœ_Àøz;Y–ÍÂD0Ý-òo°k,F!«¿ž»Ûšv>—…¸
+ŠX¿¨K7l¹Ä›ï‰_
u¢ÙσCª¦ËíŒ@¯ÙÅkïæ´_pÀKLÀÃ]»…̶gäömÖȬÝ86rÿÁÛp¨Wls•—c¾#Çøµ]*
}ª‰A"ä4à+'®÷×&W{wà;çoà«ú›Ãv`”ˆ"Ÿ°ƒ€êˆx*g×'¿ª3ƒX@riŽ‹×Q
È×3ƒHBÁiBO@þLaý5¦µlØÃS16òvУr–€Ò¿_S;a‚=~¾ŒÄ•îÄáî×B¸§j€3'žd`Éi¢vnñ;¸CpÇ–ØÃpÇ!º³1ÓŽª¦–0äÓÖ¦qŠ.¢a†0
é™gdø«|·a[iì;L÷8Š½$Ž©9q¹ù¿c:Iä'\{@tä>9@ÿ<h)•þo
©j”Ø£ÂuDûÒíâ9ÒiÚáœú+ÀTz8§äÖ±õp©t)ߦ乖& @þ\w€NÀ?{@§ÞûÕà@#¥÷x+èT¾:©ÎLÿÈ!ð›üéÉsMØ—ˆÛÖß,—ýKå é@ç(9„?kØçÁž?(ýØó#ÇVúÉžžüq‘ìjžÿûçXo?;‹p	éËeHÂñº0öB¡v•Ž÷M/¾c= ûDtendstream
 endobj
 2064 0 obj <<
 /Type /Page
@@ -9308,24 +9300,20 @@ endobj
 /ProcSet [ /PDF /Text ]
 >> endobj
 2092 0 obj <<
-/Length 2859      
+/Length 2856      
 /Filter /FlateDecode
 >>
 stream
-xÚµZQsã6~ϯðÌ=D™YQEé1ݤÛt›Ý½:ÞM¯²-Ûš•%×’7›þú’¦lÙI{½äA‚ ð)óQÿ|”JŠ,©,f2är4[_„£%ô½»à†gl™Æ>×·ß|'Ô(cY%£Ç…'+eašòÑãü×àæÓ§»·÷ÿºG2¾eWc†ÁÃ͇Ÿo~$Ú§«,
+xÚµZQsã6~ϯðÌ=D™YQEé1ݤÛt›Ý½:ÞM¯²-Ûš•%×’“MýIS¶ìM{½äA‚ ð)óQÿ|”JŠ,©,f2är4[_„£%ô½»à†gl™Æ>×·ß|'Ô(cY%£Ç…'+eašòÑãü×àæÓ§»·÷ÿºG2¾eWc†ÁÃ͇Ÿo~$Ú§«,
 nÞÝM®Æéž»àm–×؈Ð-5‘¦†q×j×A¸î©°QOÜl©å²þ£©¡ª×¡ÓnK³40ñ–¦Á±ˆ*:‹”³T%Ym³èžr‚9…Ž®¡ç¼èŠ-€ÒŸôr°•ÓCCeÛ85#6»iU¶«b~í$jzPGÏvÕìªy Ù	[‹Æ°Û•ø
- UŒè¢›1½JØícI¢ôêî`5Z`CMZK"·½4OØ«¦·vˆ0kÖkÚÒ@­J­ƒà‚ü}ìÕH&LH‘xõdüI )¸uj[®7Õ3Í‘¦Ö”0Ú/h
-ru”°(•¼ïê=Nµ+یۮ!Š±}iÜ­§²çœƒ–þ…àe‘Ƭ#W…ßöˆƒ—Ù*¯—!‚)˜P5#ÐqzäÁ,›¼ÜÚd8´ÍUÂTÈ­Þ×ðÇÞäyþ¦Ä?†’v~»E„vÔpáã±ìK&Ä\±D©´ïoV›6f“Yb«âàá̳¾P{YÔÅÄÌ!&)©‚‡}(Ê|“Cæí÷ïèl|® ±OkFPU˜9nˆ¶ÚÁ.ÓjʽÕZ|åÓª°!¥mK½Ýˆ êc¬QYòª5±eSå³C€â†,ôÎ8	[Ý°«°{Ô«+ÌB±(KI󺘘ÕF!%”`2á,‰¤®ëÓØç²¥Ìq]ç¸tZN™E,Â:çì”–i`JX¬C êMùá`†ÆB õ2ì6sí}¤i'úཚ!0¯óŽÞÉÀÀðTꤺ!ŠçÎ,ux AUür%%äHFP·Ò‡q’¯©P1‹E¨^NÇW›¥¢Í§²ªÇ"y©[Òd8¤å]W¬A]Af6¤[« -'RU,óÙ3‘ö<¡×åk#F¯GÙõ…LÌž3ãu·ÕNRéÚK3³¥:½m¡»¬],öGÐWIPOعl
-Ҷ7t)¹ÑlËeYç‘ɳ@6>iÐå÷0èˆTQ!„\À~Ù›Ó”¶:‰(¨V‡´©¡èd‹]B¨Ä–´û…Qñ¾!©-ìv³ÉÁéìÔ63	€‡|v›ú\§·©ãÒÛô=
J5/lÃ1Gf–嶘Aˆ}>ÔËŽAIr^9Ç5 ]¿nŠz2ù‘^HG†©S˜BÉPmÊ
-S¾Q°G1ŸÞ¿üƒs"·»Í¦ÙvôRvÄ1/ù®B§éù¢nfŸ[ί©ä‹”ÇR%?dOCê|]ôb…ƒÝJ6–Ôæi—3P§£Ž¼©\£æñþáþÃ;ì•nV>¸º…|d“•®lTìòQñÕf:‰B—Ž—ûLiS*uþþno©GŸY=ê÷ß?^hþf}°ö~Ƈ¡HtAIVmj€kYÔ³Âå¤ûÝlu~Þ²Jÿ‹¦ªš'­;Oôõ$½@í‘ ëT{¹†„v§Åbûª}
—P¢ÚFQ\®jŠàòɵ段²-½&½.-‰®wp3Ÿê¯‚ÓsÚˆ;²9p•fØs‘oRxr¨'TUCŽ'?¥H$5¢xuó–^æùs«M^^ÖPÂé°
-U‘o¨¥'ã¤á[7u·2Bû³k’›/<1'ê©(>Ûé=M߶Á|‹Z—5X¥½îE‡
)æ*WIœö7@¾ƒ¯2LÏÞYÒs†WÁ!¢©õÉç{ÄÛsvµafÅJöÚÝTQão˜.Of0`a¡/Ô@>×éæ¸üûÜ3Õý¦YhK¦±$bIú’~Žk@Á^KK’Lö54É?³®I3{’>dû*4¥ûÌÖ ð^ÚÑ
=§Fˆ»]ìw»IðvšQÜ,:}í¨»uÌ6J\{W{vRÝ ®V‘CgFÿ¢²¬gÕn~òÂìÆ^žN-p÷2ê¦;uëi"^zÚTyZx÷¢’N9>×hY.ÿšÿÌ)ç²b&$OÏ«ç¸ôë#+cBÞWEˆ9AKi…-}mçoƒ¬³1¤Øñ
=§†!Çd®ÕÈ@$dçB¥|@²9Á“L‚,!UW²}¹³Ã‚\ß_„	OÀÇ*Sçaâs†‰ãò¿äÂ$yôœ¦|‘Ã0!¦õú(I™R÷zú”¤ö?
-JRŠ?ø´(ñ¹È—©ù$’½ÑÛS¨ 
-jRÒúÒ|¦Xˆ%*©5vB€JÌ£#ñÜB%
÷PIY
-¥|*äD¾\:¬´~Ú´`òº?
-5:\9°Ëø«ð‹"ü›¼?ëü,—ÿ°¿ò•¯A_Èb•ˆóê9®ýúø“,–Jõ4ø6J@Ã^"üÅâÏç2·œð‡=

šSË›»t¿”ÂP8šõmã|{Ûȃ¶sM‡EÉ$çª_ˆ¿H׉¯ü¿%@|¦RžG–ÇtX–ÉÿÜkø›õºì—fYzV7Çt¬Üaîƒâ‹÷´3EC¨aŠ*<¬èq‘+ª|.óÙLPY…=
=µ`м¨
-J|øQÑVNZ„®œÌL×ôñíX®ñ/´j#¹jêe±uI0ûï’„¦?žLˆÃ‹
sëüÙ„ëÜ<ý!ˆ87M[êûPlû¶endstream
+Ù’0¸ý0™Ü½Oîïî®~{üáâîÑéåëÎCJý~ñëoáhKøá"d"Kåè^BƳ,­/b)˜Œ…°”êbrñO'ÐëÕC‡l!EÊd©cD|Ä9ˤŒzÖKD$´5nï&oºÿôxÿñ®FÙ0AXFdºyݶÅlÜ]W®Ã/<~«ãÆ!ûöŠ§A‘ÏÛ«±€VN2!¶U°Ù–OyWPÇçâ…ÿ	è2ļžS&miP·:Ú”õ’Úë¢Ëçy—onæn7ŬD¹…7µCWf±¿î±]ÈØÙÖ3þ4°dË@K¾&Y’qeÆ7ƒŒŸþ÷¯1×8°I+ívHšd\JËÒlº²©[ÜGQöj$&¤H¼z2þ$ÐÜ:µ-×›ê…æ‚HSëJmŒ4…¹:JX”JÞwõ§Úˆ•mÆm×Åؾ4îÖSY‡s΃AKÿBðˆ2ƒ‹ÈcHÖ‘«Â@Šo{ÄÁËl•×K‚‰ÁL(ˆšè8=ò`–M^ní2Úæ*a*äÖïkøcoò<SâCI;?‚Ý"B;j8‚ðŒñXö%“b®X¢TÚ÷€7«M3‡ŠÉ,±€UqðpæÙ_¨½,êbbæ“”TÁÃ>e¾É!óö‡ûÎÆwt6>	WÐا5#¨*Ì7D[í`ŒiµNåÞj-¾òiUØÒζ¥ÞnDÐNõ1ÖǨ,y՚ز©òÙ!@qCzgœ„­nØUØ=êÕf¡X”¥¤ùG]LLŽj£…J0™p–DR×u†iìsÙR渮s\:-§Ì"asvJË40¥¬VÈ!õ¦üŽp0Cc!HÐz™
+v›¹ö>Ò´“€F}ð^Íǘ×yGïd``x.õÎRÝÅsg–:< *~¹’ò$#¨[i‡Ã8
+É×áT¨˜Å"T¯
§c«ÍRÑÇæsYU€c‹¼Ô-i2Òò®+Ö ‚.È 3Ò­U–©*–ùì…Hû	žÐ닃ò
+ƒµ£×‡£ìúÆB&fÏ™ñºÛj'©t
+í¥™ÙRÞ¶Ð]Ö.{‹#è«$¨‹glȀ܅6…âCÛº¿”Üh¶å²¬óŠÈäY ‰4èrÈ{tDª¨B.`¿l‰ÍiJ[DÔG«CÚÔPt²E‚.!TbKÚý¨xßÔv»Ùäàtvj›Æ™ÀC>»M}®ÓÛÔqémúž€¥š¶á˜#3Ër[Ì Ä¾êÆeÇ $9¯œãЮ_ž*& ³§Ý¤°¡Ð…@P‡ð£Uê…ÉçU9[˜6‰Æ!åüŒ’R!˜æ¼<®3n°\Ú
«£h	±!Ž¿2¥e˜²-3Gò`Ê»µ­[wm¾t9«Ý¿èÊP—¤_Êî´Mœ®Eü“ì™ÎXÄ0iƒ<
á’3+a€YOEuJ,ϩ嘎õêARp%oO¯!DÓÝré*z­Öik…°·2Xþysy\gìe¹´Áî†
–fÒ¬¨—%¾zKasœWÍq
èÖ·™b*…š¿§ÜÏx>á™É²â²|Â…´›¢žL~¤Ò‘aê¦G2ÔE›²ÂToìQ̧÷o'ÿàœÈín³i¶½”qÌ‹E¾«Ðizþ†¨›Ùç–ók*ù"å±”C‰ÁÙÓÄ:_½XáÀ`·’%µyÚåÔiã(†#/F*ר†y¼¸ÿðŽ{¥Û•.‚n!Ùd¥+»|T|±™†N¢Ð¥ãå>SÚ”Jÿ†¿‡‡Û[êÑgVúý÷“	£N<‘b§“Cau¹[SRS˜óaýíPbß'l“/ß\Ú¼mãKå9YzJ³H8;[³¬ŽV%õÝ’~šÕA©ý—š¿Y¬½Ÿ‡±Gça¨]P’U›àZõ¬0…G¹0é~7[Ÿ·l‡Òÿ¢©ªæYëÎ}ýI/ÐG{$è:Õ^®!¡Ýi±˜Å¾h_Cç%”h¶Q—놚"¸|v­¹k­lK¯	G¯KK¢ëœÆ̧ú«àÆôœ6âŽl\¥öRä[£ž\çê	UÕãÉOi I(Cݼ¥—yþÒjƒ——5”p:¬BGUäjéÉð(iøÖMÝ­ŒÐþìšäæOLç‰z.ŠÏvzOä·m0ßÀ¢Öe
Vi¯{ÑaE
+„¹ÊUÒ‚‡'…ý
ïàëƒÓs†w–ôœá•Apˆhj}2ÁùñöÜD£]íD˜Y±’½v7UԸĦ˓XX¨ÄWj Ÿëts\þ}î™†ê~Ó,´%ÓX±$ýš~Žk@Á^KK’Lö54É?³®I3{’>dû*4¥ûÌÖ ð^ÚÑ
=§Fˆ»]ìw»IðvšQÜ,:}í¨»uÌ6J\{W{vRÝ ®V‘CgFÿ¢²¬gÕn~òÂìÆ^žN-p÷2ê¦;uëi"^zÚTyZx÷¢’¯œr|®3в\þ5ÿ™SÎ9dÅLHžžWÏq
è×GVÆ„¼¯ !Šs‚–Ò [úÚÎßY=.:gcH±ãzN
CŽ1È\«%'€HÈÎ…Jù€ds‚'™)XBª®d_
 w¬ø‹(á	¸Xeê¹25_R²7:{
+DAMÊYOÍgº€…Pb‘’ÚPc'¤Ä<:Ï-RÒp””¥PÉ÷‘9NäË¥u~ÞúYÓj€¹ëþ(ÒüéhåÀv,ã¯Â/Šðoòøy\gàg¹üo€=øe®„|
úB«DœWÏq
è×ÇŸd±Tª¯ ÁŸ°AöÑà(>—¹ä„?ìihÐÔ0˜RÞ\í û¥€ÂÐ̨/‡äÛËF´k:,J&9Wý:ü@º>È{åÿ-ÿá3•ò<²<¦ÓÀ²Lþ×à~XßD¨×%¿4ËÒ³º9¦cåSÔ^¼§©©èB
SSáYE‡‹\Mås™¯f‚ª*ìi詃æEUPÞÃoŠ¶pÒ"tádfº¦ooÇr¡UÉUS/‹­Ë™Ø–$4ý‰ðdBXl˜[ç/~$\çvàéï@ĹiÚR_‡â9ÃÀu§Ë'PÎçLw;ñã;]~‹	ÝmÅÿüÙý/„b¥C
D„PC‰Œ[¥Ð¤<ÊUw?±9Öý¿:bûZendstream
 endobj
 2091 0 obj <<
 /Type /Page
@@ -10303,7 +10291,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
 ¬‡¹rðpr‹t´P(ÐWç…C­fL9g0ЇÉ]Á¢#°5@ðòxDDD0rp'/gˆ­+€ù‘ƒ…ý_–ß.+¯ ‘.[€ññÃ…;9‚a®ÿã@=0àjØ@ `€œ–¶‰Š¦€YIÓ †P€¶›¨C@`˜˜`w@ÿ:@p˜5ä÷Õ\8¹d\@€‹y{‚ÀN¿!v€ØÙââòø
€¸l0×ǸÂêfý[À£ÝþG“3üÑÃñ{$Ó†»¸º€œ!N®€Ç¬ÚòŠétµºþÎíy„p›GOk8Èí÷•þ`4¨+s¸‚=]粬!.NP ×cîG2'gÈn.˜í¿°œÁ¶@gk(ØÅå‘æ‘ûwuþuOÀ¹=ÐÉ	êõ'þÇëŸ ®.`¨
'&ïcNëcn[“ë÷¨¨Àlàî¿ìÖnNÿÀÜÁÎ
-Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.5%M#e}¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
+Äü{fXE­á0¨ÀlƒÉ¥	w}L	`þŸu™ó?×äÿ@‹ÿ#
þ´÷×Ü¿÷è¿,ñÿvŸÿN­è…jÁ‚ÿxcê€ßÌs:B ^ÿÎýïžFà¿4þ;Wàc!d`¶Íàáäæù€¸(B<ÁÖÚWÀ}¬Ô»Ìì…ÀÀýSL7÷ß0};Èö»ôA`˜õßå?6éx.c}Ec=¶ÿöªrèA§Ë‚GPè¯íÇ9pÕ÷rþo:#
¸õ?¿ùdeáž^7Ïãú=*áðû7¹ÿñüë¬tu†x^psr?Fr~ÿsÿÎýOÀìo4
 0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -10326,7 +10314,7 @@ $O
 t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.òY[a-³ZyÏ•px9ÝØÜ>穾„»*|,4°ç	Žð=Ï	añŽ©{ZwLVqžCÅo, H;ç_7Gg[åGxd½DŽ…*~ÂJSÛ/
*ûÎÔF‹µëújQ‹jw	Ý]_-Òq;Œ,1t³õ2ߥÆíËòê{:Ö§Ùo$<×ð¬žôôJ©Àëóüλì„b›F=ÍçåcT”u;ÐuË›÷#³»Z1q“ÒYÖgHŠ^fiyv|‰¢,PkŠA±¢FH£s^…EËRôƇnQWEÛt%Ú·y3™{æÈŒõFbKã<%Æ)â"-L+{墒zS'“#é²ÊòZÃ+•÷U­Á׎#Ç©ÃCcæHŸ,êä;÷=íÏô.óYäg:¯jÔn¹¶Æô×êS:c¤¬UºW¹Þ/Ëf¹ŠšcO¥ÛøŒM¯lD‰Á¦9²ú:­ÈùÈßÛ˜ìÑËr6½õx§ç±2ú]úS¹‘	p7O¼,j1îöÐËÚ{ž$ªS7O–xYŽróæs÷â»ì(è˜Ýš‹ÏD‚@§­Y#žC²L%¯íáž›1A•Ã¸©3¾~M+ÖAîDí>¤¶¯cãµã-Nˆ¥”ûÚÔß	ÄÖtzâ"¹tãØ'>(˜“”hSðÕœM]ˆÎÛ…0ìŽ
ñâSPÓKD³—dOjnÌó®|KHtÞ‘Ñ+㢟S'÷@6„iõ“¨C,÷ág3B½žpÖáΡÄêφÖÑn‰Ü;ɦc“
_7T,Q1çTiHøBÕWL8­¡¾	 ,œ²£.±ßu2†)¶=–Oš ¹ÿêÚ´­Ùê²,
Aq¨¿râ^T!1í¢ëç2)áN\§‹¬‚)æÄËR…Ëbž÷ž6Cb5ü´çêÞ›Ô;ð¶¹mH“üÅL¸^Ȭü¤Ý¸Ê	{>«m@Ë›ðzéN‹›´×»ÔÌÃBÿ]¬—š@)õp[jÊâá…6붡²BSHQøר.öØ«N÷Ž`ðG¿§zŽ^n)?ìû±«892ÉÿxÈÌÄ÷Ù%¼­Ø3ÕÎZJðô]\ÿ^¸Äé„SXA㣅¸r}[(â0Ò@¥elöÉmi¶ö­EWÕ9úQѲ´ˆC¶Û¯µAñ=°g>MF{Q’= †*Ëk¨+™×Øõµk¤i@ïħÕW:x<›ó"Í}<=<²šC½Q¤4Æð÷i©UµSöA-ÒiMÛk×qnñÔÆèO“¦R<)D¾€÷/ÇT#î¡ÍM©	Æ$ÖžåÔ3³Ð¿Á¢\ç{Uª÷Þ<UW=ˆ$®&<ƒªZ€0óØÒgÒR*¹ÉÒO¦1‘'£ùŽŠj*5wË-·‰ûùT j4ÝióÍu``òh߯µ“K…ݻʔÑk‡‡A›”ôÈÔDôìtk¯ö2ÅÛö÷ú—¨§$ÌöZ¥ï@Î^ùÝêõ^E~§”Üúí¨u4߉<*ôŽ±§¸KJßùy/žn•C*}…ÃåLgI£J·8jŽ[“Þ³	”ØT7%JÈOïä,Á!ØžÈ+ÌÁ¯f—ÉȘs‡h`Úq¢O”1£<ƒ3(©dØOfBOŸ º'"p=Q£B¿âäpJ}ÝØü™ŸZ®¤!p{òëÈa}÷qÑ¥³äƒ£DKXôžòxÇ(žÏÑã
©¨“{ÏçÉšj¿dqX·ã·ŸP¦Üv£ä£Ï€³i¬¾AÕ;³@øyŠ*œoLœOœÕøë…ú¾›ºxOÛÝËc	-@YšUʳªø;žBiäMÖð.•\rž;ùU´¾Rø'î…ç)眄š˜	…@ƒi/_	A®ÉéÙêr«0áFx<×Er;¾zÇ´UÏšøSÂö²Ù„.¥mô÷Œhâæ¨É2Ø’ç/{I;õŠjÑm÷¬
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿ¨Éõ«endstream
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}U¹ôZø: hÁ‚)8f÷EµÔëÛDäµsüð¢ qTMŠ:ù‘ɸX!±l®ûÔ”Ëû΄,ñº17ýbŸgûŸ&fܽ×Y'jeAt
]ôÛïwV^þ%ÑåµÛR¼”tμ‡Ël¥¿é˜¦j¹„‚øϸ3èm>YjŸÖCƒÕ¸ÄžÄÈÊjbÆn“ªŒUý©?ô‹ïðu«ÈÃWøìý#ë,M€¾ߥJBQlŽ‰âXè-ebtxÃ]€s<—ÿ¢:XÝQ…¸w¶²-N;N¾?Vl¤‘vG‰…,Å%ë9êçöË'bìη9|1.…±!]¹¶DšÏó=RԌݬ¤Iˆg‰=Åh_ìŸ5rÿ/˜ÿŸàÿ	tv…;0ÿ^îõÎendstream
 endobj
 1716 0 obj <<
 /Type /Font
@@ -10335,14 +10323,14 @@ endobj
 /FirstChar 67
 /LastChar 85
 /Widths 2267 0 R
-/BaseFont /KGNWHT+URWPalladioL-Bold-Slant_167
+/BaseFont /YXTFXS+URWPalladioL-Bold-Slant_167
 /FontDescriptor 1714 0 R
 >> endobj
 1714 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /KGNWHT+URWPalladioL-Bold-Slant_167
+/FontName /YXTFXS+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
@@ -10366,7 +10354,7 @@ x
 Òy¦§aáèha
…«pJí•Ž HÀÈ(ã
 ±@Bá0Y$D¤±ÉB¬@¼¼ #Hîìå
 µµC‚XnxXÙÙ9þ²ürYzý‰ÜD" ¶0Ó̓;Äîì!o(þ×ZiÙ@! u
%5‹‚šHƒ¸Þ¡áf鵩@­ 0„dw9þqYÁaÖÐ_¥!¸n¸¤ Âb½	ƒxZAœA gˆ«¸yA [Wò¦H8
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`i%])ö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
+³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô	ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H(BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸<¼79­7¹m¡0ø׺(Álà î?ìÖnÎbî×ß
bùµ3¬7",¬á0G/5ÄVƒ#oR‚XþwSæúÏ
ù?0âÿÈ€ÿ#ãý÷†û÷ýÓKüï¾Ï§–wstT³p‚üýyÏ€T@¿.Я›jõ?b,œ Ž^ÿ*êïžz?¤þ"û;ö·Ìöf&œ"\"X¡y¨'ÄZŠ´²ÙX8Þtë·]f
qu„ 7SýÝP'7÷ß0m;¨•ìWûþ€ 0ë¿k¿Ôoå`
)9yUEö}»þöÕ¸Ù¤¶—3ô߉ôTáÖÿ8üb’–†{‚¼9y„¸Aœ|7rx¸…ø@"|>ÿ"ëo"ž¿ÎªHW¨'Ȉ›‹››tóûç÷¯“Éßhä`Vpë_{£…´€Y߬Ú?¿`+7W×›	ÿ~ûo
 ÿóü{é!Oˆ`zn%lŸš‘†¬"Ïéé—5úÐÁƒÑâ\\£ý:ß¿Þî—¾(Rf~QÂU;(zÕä5¾í|¹ªÌ¶ÖÛAæÈÜžÙË£ò¡g}ŸO4ÏôNˆ}-lZŒŸöU/Ê{LeÓP[wm©_ó™iÑÅ=àà;>WìýSVz÷|R†g_«”·¯´ÖÞ"®*ØþÊ”°yzÂÜÕ÷±§»ýðîûUJöìW8Œbî˜øL‘þ.Ù”OuJåÊߪݎË;BbubÁï<_^Ë¿Å`i¢KÙÅy¨yc@–‰Ÿ'\;ø$·®Q;S-”âs/,
9D¦Ô#,9ƦïKv²±SÐúê¿»èçö‰%…÷²õ-âÁ]3ëãÝ“±Ñ][™CæºÊlëŠÑLü‹¦ëÀ¢€5‘ؽrô›ìç3üÜ°˜üDÑSjÛðôä)Wï8Ž*öÜŸèž“3@'}~+ÏÝ6‘žˆ•Ø\Žpµ<züuÚ>AbåPóبLbZ÷a3ÒYÍEœVÁ= ¾‹­{·^®2<¿}5aq€©ÿ_5¹Ûðòµ÷>›À¥´ê$C}ÀXŠ¹­œÕ÷ji—û­€G‡/§Œdû-!j¹;Ë6#ÔÜŠ.Oé­×ôÎc´¼$z¾I(ñØÇ/Wj®½"¹ßKÒÿ¾ð{Lš¿ÞH¥hԻí:iÓFRF<g]Û39}—ÞÞF™8|à0­‰å‚Ô"¦¯£G$¼	ºêÆIª˜Ê΃.–Šô‹µŸE·ÛCqüQmæoi\7yªàmûŠJ…0:næÅÊØê®óÆ	XeŒ`Ãé’_ÿî½jâì…”Êr‰ÇO„DŸÓÕ6xÍ·o¯lŠýP¦ÿÎ*5„$8d”#ÙiWtu¿÷¾žG=kŸoHÉ]˜Ÿ:ã3ùN»­g}„™?&ì
 b݇a›yKÜ£%t×TcaÖËF˨?B:äÐ	3ÚZP‚ÌÆŠ}
fñφôˆƒTU‡J鉽žj:»«Ï‹ºôN)/ÂÕ	äE½¬^gº‹ ^/«k¯&6Ö7%³"”-ήQËòÍ“ñÆ‘r¾“'#LwDEëЙ}`?—$-`¤¦ÍC5Õ‡9æ3ÖXïžÊºUFC:ׇ¸T<íàìe¸z&îÄŠù @Õ!˜-“Ú½¡…´cEҼŸýÍó2¦±h’—Y#ªªÇSÀìjzaT
€Õx…^ÉÊ9%î5Fõ¡ƒ…™y	×±ªälš2$g$?˜ß{v€¢è§à,¯ŽÀnD£ÍfGªªSH4‡S"€ÚóôöóãNƒ^œ¤ä½t!¢+ÏøÝ÷n©X#õg«uW
³}ceS÷ö¸ïcZ¦BF%×#
èS=ªbÁõËFñÁp%ˆ&ˆ÷Ñÿø‡@§{›Â§F$
 ñÀèHvo»Vüy½¼Òç³³”ÎjÁÕŸ,_Âh^§–p³/â#Ó„HÊÀç„»ûÄŒ[‡¤Ê»B8Ò¬’%PË ™#¹&}Ô7uo(à–îu•úµÒ95ÀŒ¾?ËêcÕ8—ÄñâθÑ,™ê:f”†.‡Ðà¡ÝõÁ41hÀ›3):«;Ícƒ·ú‘¶Þ,èðY½:Nç5u…QEð‰rŸ–²ÌûŠ!&.ÜYâü×Éú;á$¤`×yme~b©@{•3*¹‡ô÷¤”
¥Åêg`iDÕ˜|)1IŸ\°êjñ˜Î™+ Ä&j‰wé„™–£Á{÷…á«-G3µ«®ô*UÅmÖ­ïè, ï!¦ öOµìl•yóâúŽàäç?MµŽÇ¾Ä팼®sÞÀ±x»åÅ!¼´œ®“X>ÒIÙ»—X,×EAœ;¯è%Š]"N?v6ÁnÁ$W¥0O«W4¸»Æ—NQI…>Äóq†z#ÚQû3]º¹Ñ
@@ -10384,7 +10372,7 @@ d 
 ÕB¾ª\h~8©$‰¼¼·ý˜7!g;É¥ƒ\®cf>}7›ùâžÐÙZسãÁÖ–Ü^-Už&(
 ÖËÓ»ÜIFÙØS­˜õOV_ºhýÐn-®
 X{$¢½‰¼û£@–rlZ™âɞˊ1o(­¶¨mèö¡Ðé»÷ÝõäIŒ]Œ_-ô‹¸Þûò'zŸT¶n76Gت–·&úìIĆ‹7ÎÔ‰‰f¾uä3¾õˆ;)EO4,Źk&l‰#õŽ¾„˜¬Ù¶³	½höâiF]	‹œx'´ÅfÊb\ñê{Ý?¬¹¶=ê3¤XTÕW©*®§‰\Ee¶©x‘@†Dz:ƒ!¡X¾ÂK”G½èß>c{BŒÍCŒ±¹0šUÕ¼ƒ¿ªÝ•5xfœéÉU“Nhèòã»Z–$8û훎·òБÞåú¸;ß¾2~%~QÍ÷*|6οÀ.©ó¶H&l]ážçµÐ[èù%¥κƬ!ÙrOxÆ!.B˜“zuW,Ôêr‹9å™ÊT°CHÖ‘_e‘‰ÿð:û5r€û3.ñ4v—W”ò]ª[)ïó–äÙÀ—݈H¾ÌûùSŽ¸+¹ºfS4çHõ¿ÞzyàÂ*/ç%Šâ׻͠Ï8ôæãmº'7…\ì°Å÷K)8ÐÁ@£bÅî\ç±ÄÝÊ‚×[g“©»5é«ÅÖ¡’'¯ÔíÌ¥ºégˆ<‚â¢Ï8TŠqùœ_Uå=¢¦#fœÞ*ª6í¶²*æ›\oi›–•`ûlj[ÛW*ˆ»ºœ2Ž(ËtŒp{ˆ¥6Í]š†}„¯>{?'CÆà§5zíEëÝÚÓÞ&vø¾öŠ
÷dYcØL‰8àÇÉu°à•GËÝšÎñtûëV²­ˆ’eÓëû­&KÅàჃ‘oS*.m•»8ÕîŒWQì3ÊDÌûj	OpHY²ï®f>×¼ù‰_ôŸö‘Ƥ‰´»ø|EÀ’=PzêîXDƒ%½+C£ˆ1_ù¶‡=AýYœ:&Aaú;æ¬U¾öÝ*“ÍXJ·=à²ùˆ1¦¬ý<ð»©,|#
O'Cƒµë“M]í¼æf°ºÜS4‡AÇ÷Mj€“Ò·ÐökxõÊáž™ËG‡ÞÕéú,óÔ92‚¬
߸gp0o9)ÁM£«&ChVF=Vv¯ñõ­Åž¡üÜÈT·Žïvä(Ê´ãé¿7jzä­ ¾¹Â6]E³ÚŸÉÞeIGOIùç…&˜+ÊZ Sl©
-Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀ„‰y…endstream
+Í`ƒ©c½G¯Lsé:JθÿÍàÿ	þOX9B,\‘p'WÀ‚yŠendstream
 endobj
 1698 0 obj <<
 /Type /Font
@@ -10393,14 +10381,14 @@ endobj
 /FirstChar 66
 /LastChar 78
 /Widths 2268 0 R
-/BaseFont /CBIVGA+URWPalladioL-BoldItal
+/BaseFont /PAEFMH+URWPalladioL-BoldItal
 /FontDescriptor 1696 0 R
 >> endobj
 1696 0 obj <<
 /Ascent 728
 /CapHeight 669
 /Descent -256
-/FontName /CBIVGA+URWPalladioL-BoldItal
+/FontName /PAEFMH+URWPalladioL-BoldItal
 /ItalicAngle -9.9
 /StemV 114
 /XHeight 469
@@ -10416,22 +10404,17 @@ endobj
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1711      
+/Length 1712      
 /Filter /FlateDecode
 >>
 stream
-xÚíRiTSבª¡¬2©¤j=,Œy5„„1
£soÈ-ɽôrIˆ8PIU–EltÉ(*J…UE (µÄ*¼N¤U„GX>‹T­Š€S/XWWéÏö×[ïœ?gû;{ç;›æ)cˆ lŠ¡ƒÃäA°T*á°yf³)4Z0Ë	CCä,À¬Ôªw`ó…¼eBŸBÁXºGRUð
-¦Oø@¤qD!GTN¨`
YC!W¦@`BÏ"µ¬¸‘ÖÂ0ž	CL
-‡ DA€
p*‚RXš$¨ü70¤M›Ê„ñRðš”I¤HCÕzÁJ
-k5FvƒI-ÿ„¬©ÅCµjõj¹f¢ü¤SÉË5ˆZÿ;Ó¤k	R‚qt*5~#N
-CˆV35+!äjD!BSÕ0`p–3ÙËßàHF(¢ƒ¡H„P¨€R®Î€'q…¦*!ý›ÔÁŠ–DF‡H¼ÿÚÉd¤A‰(}:Ø°'cÎ1iŽè@›ÉfsH"¹ßž’¦4£
-BÐTÀåù9ŽËõrˆÈˆ€ ¬°ŽTÌb¢A^¤39@‰á”‰õa–ÎȘ@ß\ÀJ˜=Ò½	ì¯O
-ÂtÆ2.`pyd+ör_Àç±sþDThqF‰Éñ!
z+ÒSÖÁ
-Šå¦ðÛòñÞSÛjrÅUGíéóM‡·´ŸÛzÒäÇêõs¹†7þð«óVç‘cN%Ã_± %¯zJ”m6ÈX[{œÍŽnôŠ}²C‰ÉÓ.•µµ¾§9°ý®e¡5½ÑûÁžOïdž³¯[uï¤N¯¹yãåãÜ´}‡/!ÏÁJRÙéU{à˜ÿÞ)º2~?«Â,Õ—æ&î{êúÊBm½ÝvËÑ$0–Ií®›ü_ÌbÓuÊþ
-gÚBK\©`¥L8s¾Ïµ˜r°yßßÃÐÜ!ýeæ@]0àaz·[’ŸS+‰™w´ÂEQ3OíVMµ…ë[×µhÐÖú5ù.iõ\ÿbNzãÚÚ”±—´_í˜þ$éùóÞg¯Ô–
-ƒ‡ûñi±Þ¾û3½¼‡èílªýÕÏÌñrÕw	Q`x¯Ã
-c›æßýÙÍ£R'¸žçvãÈgž.åžpL³·ü_ÒuÞ_7™w'Šu6‚ø‹è‡ý•¾ØbÜÏM
NèM9uÓûRmÃùª×Ú‚éIæ¦ÐЪEM3±ž ¹®óýf;‰­Q@µÓr¡[Wt_u6Û…7>¶à˜Ðç@÷¿ÁJ¢ÍÇ}äÚnž—¶“y?j©Á÷»sµ)úNßÚæïç,ÙEe3ÖìM;VQ³M£$˜µç¨ þ!Ç®<ûìQÓwÊ2¼ÔyEl|º”ÞF[¹öáTù¼2…‰ÇžiiEqÔz|ÌÉ=óÑzž_bê«î€ÃkVvm|ðèæòÛ×S„ý=jºøÓ’Ü×[Fz´Îâ¦öz÷¨éö÷}ˆ``óÙƒÎZOÿ¸¯´PëÎÿgtÅ×Ye`«ã½mûÇiPs¥¦Ö¹Y/ÉS½,îf©ë·’'9ݸ-” zy¢ª$†•kíYqÒǃX5Z)De‹%§ÔKm¦Ýž>ú¸ÄÝúßtàj8¿¡|'x«"rÝHŸÿ®qmžëåáÂŽŸN/“*¥¯d{Ræ*³ôºÎ9YM]¥óœÊuÁ¯-§?2|Îýâ”±q“Í|µ$úÆVÕ¾íšë•ðG
gs¬@Ç}v$®#ßîݜ•Tê'¨qqݨn_]x©µïÈŽ‹YÑï˜ïxŸ—ŠK^ÙÆÇÔ
¶Û–%â
-]õÆÝ*‹?ŒQã¥QùŠ¶[É›WIëŽïrØÎ9¨Ê.îš]ÐY³ƒÿÂ’Ä¢'1äÄŠnÞˆ'Y‘‡ò«¨µý쿹(ÿ/ð?Q@¡†å8iäxå7ã5Œ endstream
+xÚíRkPSבª¡Ly©¤jÝF‰Ü<5„„1
‡ÄœrJr=œ@Ò">¨¤*cyŠŠRaªÔJ-±
+·€/Ò*ÂÆk‘ªUðÕÖé”þlݹ{ÿÙë[ß^ëÛß^4HCaàP%&G‚¥R	‡
È3›M¡Ñ‚qXA ¢ `!à>`¥N¸Ë›/ä-òøÆÒ8’¢&€W0}‚Ä"-Œ#J
+¤
+B
kÉJ…È0%&i4`íÄt°N‡ñbR8!Jl€S”šÐ$AUà¿!]ÚÛTŒ§“¢€×¤L: EBª1VQX«1²Ljù'dM-ªÓhV+´å'úK^¡E4†ß˜6MGÀ8bŒ£S©1ðqRBtÚ©Y	¡Ð Jš¢ƒ³œÉ^þGÒC=E"„R
T
+M:<‰Ã(4U	éߤ–\&óþýk'“‘
+%¢i0`ÿÁžŒ9ĤI8¢ñl&›Í!‰ä~{JœÒLŒ*1AS—ç8®0PÈ!"#0r‚B°ÀzR1‹‰byÎd†S&þÕ‡
X8=}}p+eböH÷&°¿>-(Ó˸€Áå‘­ØË}ŸÇÎþQ©Ãq%&LJ4èm¬BHOaX+)Ö˜ÒoËÇ{Om«ÎWvµ§§Ï7ÞÒvnëI³s¨ÇÏåÞðCüÁ¯Î[?FŽ9G|Å‚T¼^ê)Q–Å(cmív¶8ºÑË÷Éf×äef`󾿇96 ©1BúËÌþNº ßÃün—$/»8º^ø
þPmi>ì³ Ç~pó¼ÔÌûQK¾¿Ø‹¨I6tøÖœ°|?gÉ^(*‹±foê±êˆêmZÃ#Á¬=Gu9veYgŸˆ¿S•â… Ö+bãÓ¥ôVÚúË5§ÂÈçÉL<.ðLsŠ£ÇÇŒÜ3­çù%¤¼ê
+8¼ö`•q×Æn._°}=EèÐ×Ý/ ¦‰?-Îy½e¤;Lçà,nl‹·¢wšoß‹ú7Ÿ=è¬óôýjq@3µöüFW¬apUQF¶&λÀ¶oœ5UhkÜhÛÀ¥ EŠ—ÕÝ"uýVòĵ4¥™¶…´C/OTËY9Ý+Núx«F+„¨l±ä”f©Í´ÛÓG»<Å7¸ί/Û	Þ*\7R>î§s\—ëzy¸ ý§Óˤ*éëxٞ乪Lƒ¾cNfcgÉ<§2}0ÃkË錟s¿8ejØd3_-‰„¾±U·m»æz%\î¨ålŽè¹ÏŽÄ¶çÙ½›]°’Jý5-®Õï«
/è=²ãbfôûù–;^r÷qñ+Û8yí`›miÂ!®Ð¥AÙPgÚ}¡¢ÈñC¹&/‰ÊS¶ÞJÚ¼rHZ[|—ÃvÎAuVQçìü¦ówlúÑíÑ’Yù—ëÎñó2ägCy½³¾õ\X¨& ¤ìƒ…âª)wÅÝáYÏ¿{zÇ>ddÑã˜3æ‚üçêžÓ¾eE’¡Ë¢›-»i5šÆª’üÝÒÙÕ.ëß	s:ÔvYxÕÉW[Qï“Ö1êâÅ«ø“Kݾ6$rBºLÚWeBèáf,ÄquOƒKk 37WTÔy}ç°:©¾ýZiîOh´¬ž:ÞZ¹o':—Ð:_(°›qïƒ+qŸ~“\Åï=/nN¼ÚýùÈšüÖD=±¡ VtñæX7<ÉŒ<”WI­écÿÍEùÿ‰J
¬À	L«ÀS)¿e¬Œ±endstream
 endobj
 1336 0 obj <<
 /Type /Font
@@ -10440,14 +10423,14 @@ endobj
 /FirstChar 60
 /LastChar 62
 /Widths 2270 0 R
-/BaseFont /UIPUDI+CMMI10
+/BaseFont /VVWDGS+CMMI10
 /FontDescriptor 1334 0 R
 >> endobj
 1334 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /UIPUDI+CMMI10
+/FontName /VVWDGS+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
@@ -10467,17 +10450,24 @@ endobj
 /Length1 1199
 /Length2 2269
 /Length3 544
-/Length 3058      
+/Length 3057      
 /Filter /FlateDecode
 >>
 stream
-xÚíWiž øƒ[v¼þ/;d¿æ°áÒé_•A}“€5aÛ%UèðÅYR"ÿG)¢G,÷«£;øíBüM÷+üÝœA£ƒ€6Nç›bÛ@á …qÈþßfç»Ü”¯$0ÙÐÒ‡Côq¿`.þ9²Ùð¡|…@å—¤Ö2“1h‘(‰EùaX‚É\ÖéëIÁ±ß÷T.ÃA2rh€IÞ¼/ n_óüs¹0íg·u;\g¿põ©t¾14»£Là)9½¢£ì+ÂM“ï•+ù’2ä¬S
Ã-ZЫÅ%Åùí’e_¡Ïnqį}·Õ3…íÍ<(“[øÒ2âšÝ[¥ÊYOUË[âÄ$¦dì†y¯ç/Bœr
-•%Õ‚N/4Œ¥âß8ÙÑcœñˆ»¼V+l@üþ\¡m—ï|Tßæ%ÔøjN¢ºEÜ·àŠ…°~ìÝ$[$§îŸœç)C|ë­K:þMÔ…3¼àýmº;ƒG´ºÏº£RßÆ·Zh]†ûü•L‚ÇÞJåöÒèŠÒ7måŠn5h¨âž©)Ü[lÛß&,>ÔÒ& 	¨Ñ—ª+ïc{ŽHY|#{ÀôŠV~ïãI
kUg/y×O(¸‹9ˆ©{\?òZ•&9Dn]bÙÍñ/Cê.$[šAÖðÙýˆdaŠòͺú£my{¦eZö}’HžôÄVWú¹Î&¸µ'¾¾ç½ùY.ƒÏ}Ó«µ‡²ÓcM¤FÖj#l/^.@׈aü…t«É|¾wæApúˆ¡üv߈Í©‰}>×^ñØÃ݆ÜB.6w)FY­“ÖÙòÙ×CÏã¥é¹œR³§X™+Ý/l¦®çßX%5^oSukƒ@iYü¡$΢ѵ‚ö‘o‘C“¨¼¡}bRÔ§
øºT'KÒîÊÜ^Ùj`=çÕ$T‘niÏ»;\ó;TUO˜¼T°þ´©ÁÃ݃c`nŽ¨©7ßÖäûg3þl©Bn”.o÷®ÁXòÉEtÓTˆƒî±xwjþATk+_š¢%ô“àã'_|j8äÈ7‡ÏfÞÈÝã~8ÛDuk6ö Êž£—­=ûb‡¤«‘† %×ð·ûü›z\ߊ
<…LÏuîüÔÙuQ¬ïí¦[G…Óm¬ºÄt	û“ò|Úi³„®ã”H‚È*/õ[oË‚ÐÄÃíÃE+ZY	ÆÃ6¯‹>´~’–Ÿx¹ð×ïV@1b†êךScß*‘áN#©nèN9Ì?0cÒ3XmJ¶‰*[çÞ3ÅKA**’–ØÚw욈?Q„ìP9o¦ªN°óºw²UEˆl»eצ'*
-©§¬@ŠaV«3v¨Um+Ã/*Õ…äG_‡7­BåÊóö¦ólïåùÆ·žP#Wh
-rž’sùôD·\ûxÆÑLôèf+Ù‡¦:]¥Ç›Æ$•^§©=ª%žø‚qòœóqÑ/"æ¹C¸ï¸<$tÀ¬o÷Cþ;.|,Ž:U»ûRg–ž±О¹ô¼}Îbö5£Do vúŠg[päúL*dºê½åw¾zâN3oõ|Yj²RânÓ@ý§Ý»Ç4ÎÇUM¡n¢t#
ÆÉ•s‚¦›~Â~tÞò*žôÚ	–F½èQœ5º=ñÖ9^ÊÑuY©£Zw§•y‘œâàûÝž†«g扵)»+U[¯{3lÊê+æƛÜ„Ûæ/ˆvëæ×ôܽ´1ðÄ@ì´ðD¥s!éïd7{f ¥°XŠ/Þ*SÈU““åçT›Ø_ãµÂ¹<ÀrlÓûâXí3S†\Ö;½bV²ÔMÑ‘"ƒ#£*ùšK­J`ÑúÙ±è­.ê·Ã×ÐÄ2'ÒÍ lÓÄéÃAçR~ïä©{MÇøÜ]ª?£Î¨>@xé=£8VKIÍzUnLÕü‹ýøqNÇa"oë„MÒ±Ð*ÿû’÷
û¼iýjÅÂ&k‘Ü53Ê7•Òú‹º¤±ÿåƒü?Áÿ™’Xf‰ˆŒdlø‡réßù/Å8@¹endstream
+xÚíWi<”k2e$²ÄC–f±›Ê:H'ŒÆNeÌ<3†1Ã,ö¥ˆâd+K‰dÉ‘­•-ÑbJ‘µ¡]©hC–èÔû¨S½§·oï·÷÷>χ羯ÿuý¯ëúß×ýáQWÁt-ÉL?ЖÉàèbh,àHòã²	DÆÝ •kÏ!Ò0$ÂÕÕ]h:øK´fDÉÀ9‹?p ²=4€AcÑ&X4´Fësd²°žEbFx²è4á˜$nÈà¸ÁÁtHÞ	²™\	dc
+Tá¯3ÖÌàêÏ®;ݵ´µu~X0¦¦¦€_Ä7Àl•h@‹PÎ^ÎQØN^öÅSˆ6dg¹máÏácQ¨`
+„lH6É9(-¨XÙš´LÀ†/뇣±@ÔXêW2˜aŒ¨_Bƒü¥=27åÊ …pA{Üß	þÃF9€!ZmŠ6À'ù£–S»Dƒ_@̲™È ÇD3ƒ
+‘ÎchúÀ£ØÄPà°¸`LÔ¿ÿÜÁ1€L#q?
+ÉvÈR¾îˆ-ðF#Ñh€^~¿¯vA‡Kf2è?܉A €²³ß‰wrÔþUÿß=­¬˜­.ÆØÐÕ310¨OSCýŸY¿ëñM‹/V<‘öw­è”ö
+0ýڤ巶BAšUñe´µ€ò;294 ~Œ‘Ú
MôÁür¼þÿrÈ~ÎaË¥Ó¿(ƒø*	iÂv˪С‹³¬ôQÄ =âq?;ºƒ_/Äßt?Ã_Ù-T:èbô¾il[Z8HÆÓ8$ÿ¯³óMnò—
+â™lÚò‡B1?a.þ4R d³¡CùòOIm$&™Æ 4¢Dù»a&qY,H§/'Å~ÛShP‰ ’àü!&ióþ€ºý-g-ÂtŸÝÖï4rûÌU6€§ÒÆ‚Žr§ŠfM²pø›þf5Þ+V
+$e(ؤ‡šZµ"WKH&JnK–…<·Å»öÝDïºS>ó\náKëˆkÛÞªTÎyª›Yß’ $1¥ã6,x=âSPª,©vz1¤e*³ÿÆi=ÖàµáÐñrE¶_j¼óAs»—Hã«yÉêV	ßÁ¡+V¢†qIvpNÝ;?ÏÓÆض[—ôý+š)‹gyÁ%†ÛõwêôœsG¤¾o³Ò>&u–ûü•\‚ǾJÕŽÒ˜ŠÒ7íå÷‹n5h©cži(Ý]j?Ð.*Áom’†ÔäóõröIV18Ã-–‹V¹H=Bî™S>§äŽ+½Ï-„…(Y¨tÛv¥w©±/¸ÅÚ'—ÞÈ4¿¢“ß÷xÒcƒÃZõYáKž©	UÓ”›Š5³Ç¯Ui“BÖ%–ÝÿÌ×t!Ú9P²F΀%‹’UoÖÕkïÊ‹œ–kÝÿIDr(yÒ]-Zé#â:—àÖ‘øú®÷ø'…÷M¯ÖÎN3“]«³kº\:¬Yòѯ.ðÌAµ’ÚC‰IEW:”ñ"ÆVrÏ¢'‹ÝLøïv®?Ž2½)Djeµ‡¶„
+{û¾Þ?cv¢÷‡‘­F¥kJîÿ³Sö»áËŸd>ß7{?8ýe?¿Ã7"C{jb¿ÏµW<öHÏA¾[hASK·r4î\ízY½-Ÿ|=<^šŸÏ)µxŠ–»ÒóÂvêzþU2ãõ¶U·6•–ÅNâ,™üQ+lõFΟDäñ÷?ŠMÑœ6èVŸ,I»[(w{e›‘ͼW³Hñж'?€r/ÀjÂ-'«t_Ø#ï@sÍÎ2Û;)]FIE(êÍÈKg·èšÉ„é¬ëYê
X]¤*?±tˆ'®uÙ³Ve.ŒWñ×ãÇ,
û8
+÷æêqH*¢Õä7‡+°Ó©Ø¬§š^ïc©p÷σ˜y„Ñ{½vªb­â÷¥ùŒúºõõ’að—ϱ¶M‰÷§R|J%‡þüSÅaÄÎÂ66½naZ\kÜ6£512º×þºß|û“ü@Üjd
 |3-¨H~ó>!*ÞkÝŠuîç׫Âi…&oÆ[tîªì‰ÌÛ=ZŽ‘áñ%s~{ºúŒ~¾¼]8Á>•bK÷CßôJOLÈÞ
¯!øÝku`DøÎÍW-ˆÍñ¾¥Ñ%ƒ~˜§.RŒ°7¼<ʦҭøq¿Œ²óÖÇÉQ÷bħZ¬"ï4Z–…åsö4­ËÈuȲZUwW†ù†¤XˆFý¶9ÌÂM;…9]ÂÙ¦Ö-»ªè¼a	¢ô¢ãÞǦ¨XçÅg–3%Ki"äÙ¥±Ý>âÅVØÞþä(ù„šB†¤ð¶¾O&|mï½+þ›3RƳÐý»$"W_,Éô!T§x¿èh`.QŒ»V.±UîØžòK»qÖÊüxͬ»ëÜ@BŒ§9æbnvµÓ¾OtÇÅŽ€ºýahµ"³¢
ÂÆ€¸¢0éO}­¯©];EóÜjd¶¨J¼Éq]×ïöXé4Ôl~}Íâ\ÇDºµ=o`¤fͯªÇO^*:cnôpÏð˜›#nî-°5ù^์?[«àŸ+n{×`*ý¤	ÙÎ4á {­Þ^¸ÝÖ&¦,Dý(üÇø©@Ç;
+Ìc³™7r#Ýd›©oÍFR‹
èÙ3¦uaoÕñp¹ æh4Nªœ~4Ýüû¦è£ÖW±Ä×^p°4ú@æ¬Ñï·ÉñR©ËJõx 30­Ê‹âßëñ4^=»K4ªMÙS©ÞvÝ›a[V_1?&Ü’æ$âidêþÞ)&ÿTÑoŸÆŽ
–.¥7úd]-àZ€Ò–{yy9u3èYY¦ô>ÙA”›ƒÑÆíþ‰;ÓIèês×ÅÄÃåɮゞWµ0†Í*½ÊÇ´¢û¬±!-%å1}û\ý>¸ˆÅ/ Osë><¼“ÛÏÊH“:¤ŒJ³ËNQ¥ê‡W•þp£ÑÔ•%œŒ[W>Ö¸fÄ©Ë$=¹pÿD¼Ô`iÃ{éϹzoÏ3{˜§¥…ÂOUîèbż<žÖ/êÝGÌ%>
«¸a`4!fª7‘"aî´—,.¸©€Ý%¼.ÞQ¬€%O&9˧üþîu¡µ X»lOB¿]ËÅ„mëÖô\Úxr(nÚVt¢Ò¹øÎw²‡=;”RX,#ËÔ2aE×ädE;ä9Õ&Öx­p.°Û4S§[`aÎPÈzgPÌJ–¹)>ZdtôZ>žêR«X$5W³>f«‹æíð5Ôõ™é´lóÄéƒ#AdçRAïä©»Í'…Ü]ª?!ΪßG
+yó
ž‘«e‹dæ¼*7¦jÿÅ~ü8§ó·uÂ6éxh•’ÿ=é{ÆýÞÔAÆbQ³µð
+îšåÂ
øÃ*iBƒEݲèÿòÿŸà‚€D‰,3ˆÈ
+„G±@6ôC¹üoÿ@¬endstream
 endobj
 1179 0 obj <<
 /Type /Font
@@ -10486,14 +10476,14 @@ endobj
 /FirstChar 97
 /LastChar 110
 /Widths 2271 0 R
-/BaseFont /HOYVJL+NimbusSanL-ReguItal
+/BaseFont /GIRPON+NimbusSanL-ReguItal
 /FontDescriptor 1177 0 R
 >> endobj
 1177 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /HOYVJL+NimbusSanL-ReguItal
+/FontName /GIRPON+NimbusSanL-ReguItal
 /ItalicAngle -12
 /StemV 88
 /XHeight 523
@@ -10516,7 +10506,7 @@ stream
 xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº–††î&K(HÎQÉH’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯ÜEXYå‘P0†pP£¡O†P@jÅÄÄXòGw$ÌÆ
àÐ×1ääææù—åwÀÒýžÛ(˜€íöÃ
 G8ÚCзÿãºP(mXÃàP€¼¦–1HCÀ¡¬¡P†:@‘`8@ËÙ³¨Á¬ (('ÀÀÿZ¬ØïÒP|·X²(€r„ZÁn·Aݬ Ž¿]<G(Ò†BÝ~`(€
쀾í€9XÁ!¿	ÜÚ­9"·ö·¾[0-
 ²BÂÑ€Û¬Z
-JñDÛ‚Ñ¿s£`·nÂú6‚°rþ]Òß-Ì­
†9 h¨úw.K(C9ÂÁî·¹oÁ‘°?4œQ0›1à ¡6`$E¡nan±wç_uþ[õ`GG¸ûŸÝˆ?QÿäC£ pk> àmN+ômn˜ÿïA9X#@¿ìgÇø\ È?
âø=3œ·$À„ÜZðk з)ÿ3•ùþs"ÿ$þü‘÷'îß5úo‡ø{žÿ­ä‡k€íoà¯p{àj€ßwÌÿ¶‡ÁÝÿMôß
¡1üw  4ø¶
²6·Rð	üe„¡”`nPˆme°Ão{ôÇ®ï"á0è­–ÚàŠˆüͧg³²søÝôÇb\PÈß™ßÊó‡7¿Š²¾¼÷ßoÓ?QZ·ª£õÜo‰ýWêÈ?¿1äänO^ ¨€WH@ôö°	ĄżþM¾?@À­ÕÁh$Ì
ðü¶hàŸÒÿëý×Êìo0ŠVÈï9ÑEƒ ·£õOÃo·•3y«èŸÓ~[ò?Ö†
+JñDÛ‚Ñ¿s£`·nÂú6‚°rþ]Òß-Ì­
†9 h¨úw.K(C9ÂÁî·¹oÁ‘°?4œQ0›1à ¡6`$E¡nan±wç_uþ[õ`GG¸ûŸÝˆ?QÿäC£ pk> àmN+ômn˜ÿïA9X#@¿ìgÇø\ È?
âø=3œ·$À„ÜZðk з)ÿ3•ùþs"ÿ$þü‘÷'îß5úo‡ø{žÿ­ä‡k€íoà¯p{àj€ßwÌÿ¶‡ÁÝÿMôß
¡1üw  4ø¶
²6·Rð	üe„¡”`nPˆme°Ão{ôÇ®ï"á0è­–ÚàŠˆüͧg³²søÝôÇb\PÈß™ßÊó‡7¿®¼Ž’‚	÷ßoÓ?QZ·ª£õÜo‰ýWêÈ?¿1äänO^ ¨€WH@ôö°	ĄżþM¾?@À­ÕÁh$Ì
ðü¶hàŸÒÿëý×Êìo0ŠVÈï9ÑEƒ ·£õOÃo·•3y«èŸÓ~[ò?Ö†
 uƒZ|™BX‰¼LLIB—Qdt
( Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
 ¸éÛR§ö
 ]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚œEëÑymeê÷AÆ€>8m„1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡  ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú+y\J6.æꔋ‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEéïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ8
@@ -10548,7 +10538,7 @@ QH;
 ‡á{__bçâ.°ßþºæó}<¯½kb¶Þý9\¥™àpDË\TL[\a·¿«NüÆW¨œµ>¿¥t®tÉQÀRD‚!$Dr£G¢1¸AÌý¾¥Y í–.ç#_©ØÉ#¬w¥Å¹ò«|Sþ?Z:è:”—fÆ×’¸ʵhúÏÈ×XaÛfÚœ¯Ú3™B¶“—£Ìü¤‡uቇôä·ÏÔϾʉltãp)’&ÿT+p•°e –íZ­M31I¡ÒÏL«êÈcýªG’«ô"Hx¾çS•ö$Û_Œ*[£n~OYgÚC¢ã® ø
 LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷
<‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’	=Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯³¿0Š×·6î;>nE=m½aÔ\{\ÄcïQq”&T/bµ^þü‹}m“¹ò
A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a*¦Ûåõú/5
JÔ†½ó'lï	0Kf›/Ð^‰ˆÖ½žO¼¡M	[If§€ãC
`æÔbï1}ÚU*÷ig#™HÓÄ+¸"î2X|F#êLq¶ÀØÙªþr#g
 <¤þdÑ
_IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›ìÐv_wóý}¾éH`…Ñ'>Êß4¬>äŽT‹¬ÌÛúGäµGÔà…$Í	ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW5?|¸':U—.ûrJoÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ ûj&Q ¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F	Š– ÉXrÙ/&Šjz©¨rAÁM°re.2Òe%ÉÍ£™6"5[¹(H4:\mdb“™[i:ýP½2“¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±Qó_»Ã7;mþã«÷Aú^ÁÐ;Óèvñ¡Õñ¥ã«*’Hóß¹,QëtT½}…ÁbWý€g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞÔ¡Æ°~.
°öâ%ÅÅ4O”˜»ª¡Þ»Bï­\ÿÆÈæ 
-†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.ïdîžk0œPañœ„5ðYÓëF–?ªU'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å[|)h$úØûeGUeŸ?õ¾†Ó<åízznKB†Éd–¬ö…Àÿò!øÿÿOXÁ¡`$aFÚüV1)éendstream
+†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.ïdîžk0œPañœ„5ðYÓëF–?ªU'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å[|)h$úØûeGUeŸ?õ¾†Ó<åízznKB†Éd–¬ö…Àÿò!øÿÿOXÁ¡`$aFÚü4)èendstream
 endobj
 1103 0 obj <<
 /Type /Font
@@ -10557,14 +10547,14 @@ endobj
 /FirstChar 36
 /LastChar 121
 /Widths 2272 0 R
-/BaseFont /VHGUCP+NimbusSanL-Bold
+/BaseFont /SCRFDZ+NimbusSanL-Bold
 /FontDescriptor 1101 0 R
 >> endobj
 1101 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /VHGUCP+NimbusSanL-Bold
+/FontName /SCRFDZ+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
@@ -10584,44 +10574,39 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚízUX\[ÖmàÜ¡pwwww($X…S…$¸
®Á!w‚ww'Á!@€àr9§ÿÓ}ûtߧûv¿»÷Ã^kŒ¹Çœs¬¹¿z)ZJ
mVI+gœ³“+'‡@
ìháÕ6wRaÕÙ¸^@^sZZ°›è?èB2w;;ɘ»½ð:¶îUs€‹ÀÉ!Ä! ÄËù²æàþ+Ð"Ѐ€} 7ÄìôBÉ8[º;‚œÜ´Ý]\À +-ÔÙb	‚
-¬_*ûϬigoØÆÖ
À «¥ÏÈÌÌò/„SPP`áýAÁ6Nº—…ÈÁÙåL/ò 'ä¥h«?b5¬Íe­Àn´`°ussbgw±6½`lPk6';ãK¡²NVÒÎŽ@QþðLY¾4åÍþwßìœ=|ÿ¶;YýÙ’•»»®ØÕ¤(ó?Á/Ê¿0€—ƒ‹Cƒr€¼,mÙÿH©ãíú“äü6w²òóuqvX›;@A~`kÐËÅjî¸AÜA~¾ÿ;ñï;NN€ØÒ
`²y9†©¿À ëìUÍÝ `/€'€ãûŸ+“—µrvrðþW¸š¹#À®a ¥¤«Èü÷Þÿ%%åü"ÉÊÉÏ`åà}™”EA^î¿+þÓ‹¿|øÕ0ÿOÿ’Tt²vþ£ÿjɾÌ&€áÏ1fü»¾š³Ø`ø×èsðr¼LÍ˃ó¿ŽÔ¿ñÿu°þžCÎÝÁáOWþaàÅ(@ð‡#æÿ7w;xÿ—þ¨úÇôÿtÝÌÀ–’N6ÿ´	•{¬4Àn–¶ÿ—¿\¶úó;i8CÁ|ÉVN^οq:¶`K{'úrR '«¿¥”u²t¶;Ù´Ý^¦ÒbõOàÚÒy±çÏzy÷¯½5ø¥@Èd‰²4ïl)bWÒvS-Iâɺ3ÎÝç{õìNÁƒãóƒ
¶[оŒ„'ï·@r¶ŒÆˆ­X¥œ*LX<‰l¿§½ T;"6N(6¬B$ñ1[ˆšÚÃä/Žâ„„©¹ÒÞý
-§”åW†´bÒcØÚaÎxd7À½}Wuòò‚
-dõýyFAü» uM!„Ù¡» ðTT¥ÎÆ©[z% jãñ5NE;¶ÙÜ|¯:oÀl˜<Š[홉a¿PÇX'×íç¯ÖwÕC.¼JÜ&.+,}€èÆÛ½†KmÌöþXûJclQ!ñ+ØD)?š+E¨q!7‹ý¨’ºZ.˜gÛ*Túõ6ssWä=J¸Ü7ëTu»¢­êcßRL9á·Øhoéð4]붟ëK&üèYÕŠ7´ú­´‹xyÝ+ö4°ò»ÎØõ÷‹¹¦èßÏtƒê(„/p5´ä<䫶¢³=Ä+·[!#Yº¶'F:Ý^¿~ŒÊ[ðì‹ÍpËÒEï°#s6Äq°-£ëkòÄúúkÏF°7~”nÿ¼ï¯pµ Y<¦øòµ„Ì2æ¡+¯X„Œèv‘ÂÑnÆdKôMÛ`æë…›º#Ï
¼HQºÉ@+~BäH2;KýÞŽrŸ[a–èÂÛõäôŸ’NîåNò…鯾Ҫæ}ômf›æ›¼î~¥Pµ(¤—hìÃVoáR/‘ &û	ö3üÝ>—ÿyšƒÖ[¿|«˜¶‰Ä‰ÃG[)‡:.ÍQ%Ìî¾Ü•è”þEo•ba¿ «WSž6cNÍ€ˆ¥”½†
ùùZ/žOŽHh‰•ÚöBÖ“fb›¯UëZoB9‰6k%ÿ”̼âc~‹TY¤=Ñ4šá¶D(iKNä`øƒÅcN@Äo5£oú‹ÄoÛ\Ài€>’~úw#"cÔŠ Úâ‹ÃÍ¢b·ý*{¬¶þ쉷ÍÙÑ›ßwžüi#nÅ
ÄÔØædýã[`«Ù5ç”sQ‹¤vÃ/Kò‘†ßŽ£å
-'KÉs²-‹h³ŠŽ=Žè=o
-ó­øédKÁõû•z2±C™ðÖmL¸°»ctLâÙyúþÆÅbúºÍÏ4’º¬€³Š?¾#]ß•¹uÀ/u˜Ö<<ŠüÐ;mhz<+7$uR‹uç׆5–­Û‰æßÿÙÍ¿¶’¥n”µcˆoHíûfP—0ß•NÖJê×Û³e©¬²AËFFI¤PôâÞŒÏ+=ñšCGt|ÇôE­V‘;ΧjÊ™*·Ð	™ÚëÞ ôÓïï_²ÆϧÂÆHR˳S’Æ}uSõí§û	·¨éÞú2m¿}#^ɉM•ôÞ†/È'V]¥ÿ=µ¾Î&6çaRôëVQI…c±ÐæÀï³"á:-ÛÑxlcwÙ¥¹\Mú³Š¥bÇ3À•`0{UËpP Õ
-œ‚Æ‹.tfíôMÒ‹š¿e™Å°YrÝi·°á=аvøz°gþÁ…À8§¬âµ3ÚâÞ|öë#n·@­ž‚ÑmÕGo¥.UxA¿{áúÊ
-Ý)ý…÷R f7Éšâ™Ás1!8…¦51¿’t=éšØT¸oerçorÏA4Ú>vO1…iÑ?Ÿ&{ôË<ß–À^…i¶\!Ãû5”ßpÁ±äÝ:é"Ãmd¾¿}¾‹šš}íû»Éº+ÅIÄA=É	ÅñÀR!…{ÅšóÈÉô\™Ù—b˜bŒ%3ps@÷j²µŒ¾ü[p‘-ù÷	¹§OAi-
ÓFY
ætÿ„n“°³¾ø…ûÍͬо¶uŽ)ã¥O«Üo{"Wk‰Ûß*2PÛ·Yþ"{;.Iö
-aÉê]Ÿ q|ø:¿-!{.t>ú!Ú‚<‡ËÕ‘whà)¥õhVÿOm`¬â ÏR±¯*Åy\:T*‚XòJ…©Ç€°*“Ž¤{  ¸ÓØÃÕÌþ²šiÜ^
niAʽÁtn* é+Ñ*ð””–7%ÀýÙ±¿C¹t—ïRéâ‚z ]ÃK€}Ä?âU GEu=…ÓO	neF«AÓOQ(E®¥¾³0EJÜdðsÆ4êéµÀ¯$½ÊEd>vÿ,º*Eb1IaËkÀð ƲQ8Å?ïÀt¬­;¢öslwÒýÎ@·*=«c?kJ’¤s[SŽŽmÀ?ÌÐz.tˆGìa°äGs
{
-ÍaBåj…·0¿NÏ)~P²mâ–È×oû„SÖzÞÛ­ñÖMÞKÐá´µ7S¿¬Â¤Z6sˆµ²;4â[;ådu²¥&Z6«S«.Êz{–VfX)k_Ȉ«Pé „M|>?ÝÜK©FЀ)Ý÷ž´¸>˜™‰AõG ÕÅμbò°ý¦r³Åèã"=h[~\‡ç­ÁÿKþK>
˜üF^Tw8ë§~¥RÊýóáiÝñn™ß/äòXzE¶Ÿ™4Òý*ϘSœöí–‹á´Â-ß'©ãÝ¥fä½m9"ÄÁS¿±gkkøŠ<7±1Y
-¯ŠOoDM…ϳ GBæ¾(JÇdkmLŸIîúº‡½¿G^Ïž'›Aõ•dq£ßYƒh
-@KE2Â&EëG¤«>™XþõM„MXD!¯m7Í*|Ï)¹ôªÌäF~ÊyVµeKªR&¯Ð’
-;Jî侩Ö0/4M|)¶¿ÅYòÞçñvô0òéqˆÁ6 ˜¬#¨ZU¿Óloñ-$cÈPzëΖñî€*ò×âŠ­»»íªXl5¨^XBþ)$ê£U«•Ü\{*;žÓ¨ZÐìD¬sxmþòØFŒâkÇçm˜·Úk†Iš*ˆª1!Åc_@Il?4T˜ˆêœL›Ñ‘¤?eìj¡3J¢‚ðç{øœâÉÄ·UØV»Z²¿ö(0î¯mÑŒo‡×åŒgrà¦%
|q÷6*³ì”ä±n	$=çC¤Ø”W3°Žú5x ŒÁüeÞ¨¿—â½b}ºÖÉM€c[“›šo›ÃÏtrDœ§;î`ªðF‰Ü;WFŠTqŽ|ÖFþoŒÆJÏOT1öé*®çÛ
%ß\byHÓx2€6oIxÓ¶/šFã„&*A6D[ŒbaíWQâó¾þ^.0´û*ÅçdÑlSê†ZÑ$ª´­—*6¢Åfôj4’’H_’då;§|’°¢+‘ycbºpk§D	,Ù•;ò8ûó`?5Áw¬YGtª–«vlH ÏÇñäa™–œÏ¶@Y'MòÍûyàºÛs4¿@5G±Ë8XæÍ(H…N?ˆêKúoHj’¾\øsN9yã¹JÏáxEaq‡6˜UtŠ­+Ô·íNÚ×Lïã
¼*påõEKŠðÉõóL	ˆ°S‘bð(a¬ÛéX\äã~1FWg<0­:Z?‹uavìvFÙW×ÏèMj¼)û>¿—,^…ü“ª^D «8÷i¦NœVïù'±ö³æ´Å„Ï–©'0‰1æµÛ/™[&O³”Xë;<ÍüÑìFÚMÛa œýd2{›jàÞv¾G ü…–wHBa>¯ju»ñò“'³4ýp¿êwï§ôï+×0{ó1Ý-Œî|Š(ÊúõNò5ŽÃÞ§|ö.´îZ®a®>8,[3épÇZ9¡ˆTÕ¯ï\wkˆá§Ë¼	yªÈè¶Ü+ò©<¤{Uº,™ãá2·¥Z¾(J†MY`8Lvø?'BLZ·µ8¾;ú`IÄ›ZÚOÜüFe	îrÖ#˜ŠŒŒgy¬GŽ–
-µh¡¢å#OþbPJº”GüÄŠÔøž^å,ç=‚Á$ö®”ªñ…AüðÖ@+Fžƒ*—ñC¥…'‡#›üþH!n­Ãïp\6•x³µ‡¶cB}µzì¤H»N	uy9št¹÷ÕôÅx+Í-´‡¾6žXÑÏ1X
-_"‚Fת(äqÞw¸ ª—|~âYl{Øþ>¼vÄGl^)1pSHhX–'Û(ããæ[œ8H
Û©:óƒüæ哆é^õjA&M¡^Ö7ô«¤_CïµÃfæÉ«M‰Ë²\Ž-XÆ&Þ8×ݺ¢“í÷¢æ®A|—ó9ôæãPKœJ¸âöhÏÕ¦(I­W½èÞ)e«[,Î>)Ö®ÑòúsÉׂnÊÜšdoÞ|o:K0U	úö’šý HlV/oŽÌI¬ÄÀãdD%ËA¤Ð²à1æÓ@/±—PLÁÆçƒñDZ 5÷òØ'=àÆhªµª
y¿/c­zq+í½„‚W‹†8»•;<:qKC–Ž9†“úó,l¯ˆ·9Ë“ô>}Y \,YÖ—Èz#
-ôwÏ3	T¯föEGГ=tÆb??y°…÷,U^VŸÔw$­b÷í¢ÍZ=*"3ÏWaYã±w?9¿â6Š¹;²cŸZ¯oáã(s{5…M§!Ðñc˜âÝÑ ­à{ûóFG,…'ýpÛ=¼|¨ù÷œ¬fÎÒ¦•¡6j=až£
àgõ&ØoxYß9ê¹þÜôHEå
-ža‹î‘fh»+œŠÖ&CÜù¾»ùG‹ê̽d]­ïÉ­ãûQ¥î]0­v²|X¡Ðþx÷›Ef7Ðó’«÷ºÎ•±îª?ÌÂq•Ìv/ïà\M¦È6îÛ£°)â
-MNø€Qr²BBšØ…P…Ú_\üt\ºgÜDŠ¼©6!‰>wç»ÒÃMéZ?*ÇЉ±}
--¿¹¨+kÚ‚÷‘qô~Šÿ$Ãs”b÷fûÝsËšçl¶žž>a­›k¦Eå6í_^§÷IÅîÀ(¥
-i„DìQ¤ÜJgß¡´”1¦Z®JüQ¥é§B»&M)ÁöMÙ>5ö´8_vh´ðgµü{³÷9Ÿ¥ÇXdyƒ‘Í
-
-ƒáu.猪9@VŒ¯ÌH™„ŸÙ]Yd’Ýsj@û¸
ÿ™î‘ŸzuµôsVâmŠâWêDYÅd±þ†{ªÚ݇¤”½±y£3•TÏ]ëNv«È%±l®OštSÛÁ¤.ÓE	?•/ÊƃmKBiÀA*£ps}Ûýœ>É«ÌÍÒë015·“Sø_¾â=]‹Aø1s%S‡Åó¿e´¯l†!ÄwñŽd0ÙD\6·_=2[ªž¶O,œ*<†Í`§EÉTäolœpƳ¢T¢*xœÀL÷½VÓk!ËTÕšojÍ5~PtnZ©j=_¯´$õMVñ»¢keü!š³@ÙŠ|)AúïËo «Ä÷üCÖÃ;¬±«+IôÜ¡ö=E+mngæ§_´¯Fc7¿»ü”_5cÂ=Ïzœbm›Û—,™Kï‰öq%=Å{©·IÙqôCyHOÑ­W^0ŠH-´1êoÎXžA¥Œ(S‚[-í+C~K:á"Ö-m—ojþ¨ù%#r0å;2¡ÕoŒóN½l[™w.ÍhBTÕ/Ãy´Ó+\ÄrkÅð@i«Ï¤vˆï\¸‡v¤L‘oÒOo²¼r—¦HÁ¾hå°©£ÿØ’TíÔ¤ÞÉÞ„O°3áS!ä°VÀñMkL‡íN!½S9¤P {ßsdÑ–¦DŒì?ßÑ(¥Ë‰gbÀ8
’€ãhË"8½4åìHh	eʃwŽ
-ÇuûXŸ[ÕÍ—‹lhWE6‘S†ëƒì”õ›\:¨D
-ÒYa#B£·ýgŠå*D?"öÀQêˆC”´ƒ8Ñ’? %ŠÝuÓ׫.ýÜCÛ‚E>TîÌøF‹YrÀŽZÖž#²V€døsÕGx)C‡°£V™à‡de°ªó‘ÎIMJ#šcêh<°»mP F¶}`¥_EmK–
-*xÀŽhÜd'¬ð¢1'§•ŽúdVQ\,ðz&,¢™ øÐ^ÖxŽøÐA¿ôTÒˆ3¶ÔÙŸ=k%£Ë•$q“ìÞ`¨K”»ËÈáx‚ÍÅâšË¹>Ãà+VÑ¥y|ç-R	±™g2a{
E}?|Ô¸µ‚`rÿ@³;àªÐܺBg%Ÿò
Ø}”:í_Þ9Úœ¸Ú€±—ÎÃ{N»¡ëߺpšþµ>y›ž&§2ÎEÔB¦“ršÔ¬€%8§ÉÆNNà`ZS¦ŒXbù´3ëš »àÿÎSÉÂq¼3ö¹K'…òù~ù²”­>@‚Þºª¢­Eî€AAÉAÝa?wóÜŸÔ™æõÛÛwEEùü]?ìnXZW‚¾‹;>ª]ˆft‡¹¬J¢‰¯‹°Ê´"Ç—MjŸE{éä"¡>{WÍ%Š	7?Õ$‚p^ÿvâŸêñ‚8%_2ì¶%Ó˜œµð¨ò·I²Ä±…~¶mƒ¶©uÀMØãËùß? *V~ëºÿA„[jã°áÏwkÀ?€Ðh6ß]D¸Ñ˜ôT¦¤?_fŒ¹)DAB™Emö¬o9°¢}¬bê9Ijí“töÕ.“Å#ž×@!ÒÚl5ÔÃQ£JoXä~¼åÔùaH‘~o>/’}´¦e±kF¢Þ!ñ8úœKÇ—^ÝE/î9Ø–¡@Òndë‚„ ¨
-u±J´@uÑ^ˆ*äÁi’5º¯&í)dðÓÊû”&B»¸Õ æ?l~—Kãb‚Õ,˜½)˜i°Ìˆ\¶^V‰*¹ã«ÄùFiùF¬ i-¨ÔnäSÍ‘™8«ð›¶c†‡ØNj3y
زï[2lŸ>`¢]?Zõ’ó¹#¬˜…·lt¬Ri	û—îÊ/šˆKŸàÎë¾	kùÁÃHV‹MJ‹eOž¨?Tmé}ëÆÒö†ÓÞ´ù£U„‘ŒÄ1dô®E§–œ
W#Ôª8ÔewÆ X]†æl“¿^U[sËh+ߧÆEˆ_"1ï?ÑήÈP¸­‘áêçõuUŒî§áDm0vÁO뜨ŸðúhN»ÞLº¤°ÑCóÒãÿVDY¤ŽQm[£c‘ØæöŽcB¡mlŒb¶"Ù0PIwÑÙη¯Û¨PŽ|	ž”\³ÎÐ¥¤jÃÿVùÝîÇ}@ìÑYË@Ê98þyÄ4 {LŽ+¦ ª¬¼É‡ñÒ:ÀR"×G&(š›kÆÎûÀØ
-óf‘&zxÝc]‡HÝð6ÀÝÑn¾ez¡6
-£t?8–gGM$•¢Ýb)‰<ÆÜ*w+[ØQ{}YB$ñþL¬AGwóKÛ²)ô)³pâÄP”ª¸;udpâð\`Y_÷Ï<¶™‘ÛOæY{ÒÒÖ—3Õ)NêˆBëÒBÝya3l}A}ÂÄkßx\®›zù5…wõÊïû›ñàdƒüHZE“Xø·nÊÞn(•a¡úOÛ{©‘ÅŒ0Â\î!çkŒ2­NÀyšacM®ìm½â°Ô†-Ì|¬¥xw#!Ö¥†g~J¾2ºØaÂ{&X/×s¯þôË|ƒ- R½R¹ü•ì’.ÊZ|¡Ç[T©Ÿt7¿¥Ãùhú…üÆ0a
-¢Y‡FóÃMĵè5~þŽu…%õMˆ”V-0oŒ—Ú–”¼Lj&KtN
-&ðG•Û†ú¢­Í„6!8FXÊWlÃ"êK«(ôÆbà_±ÝÇÑ•5ãLª9;éZË$o׋[†§ª02]Û2º':mP¶ÞÁÝ!
ÏÌrØ량êBï‘Óùxɯ›5€ÏÍ¥¯2îlÎÏ“?´×¶›ÁAKÇKÕMæé2”³ñ`J	#—iÛ¦¦>é×Y¯Œqq.§;Ÿr”’õ¤ç°ý²’-IÓƒ!	@?Ö0jA£ÙÞ5Ö†²Jê¤ÌyÃIS'!ËÇDÆñ4@ø.*³K¾ºÄ©¡®//ɪÝi—v²nÁgÀ×WÊúøĪ̡*ÒÕ=5OùfubgQ¡¨Æé;'j@¶ÜëÄšˆf8„똄-҆Ÿ°-X®UÍÒ>?"ÐG‹õ5›3Øð¼,¹:-Wï5iwA¤ÊxÜhI’Î`:Ô»ßSÛ³¼ö锲×ÉÑrÕ4>„ûÒ[è’mÁl¸®”¬¥†»éÜÎë?iÈî^ú]æ@æNqèûuîQNm>
-ßè?–I_ÝATKÊBAÍæ2V~b5g§ålÒh<}½³ó~fvc9Õ…L±øÑ¿7iZR'@1'vªõüV"èW!üg¥s8{8«§ãQ
-@qÝõùÚÝìîÄ¡­€H›äeTÙ8K³Qi×2âdZ‰f¼îO½Òw­ÉÒÞ¯#£³n@T,5cÉ5@"Œ»]Ú?¹²H®c‘ˆ°E‡²Ý„ÅÅ/#›æ]éç)ԱǴSï÷X<†}}„š/~ZÕèÊÕö¦BÈõ
öª Ùåùß ¡V[ð‡ÀXpál‚CŸM<×»öTq^è÷çai$”ÑF[	/ØÓ›ìÆ0º:F.n}RFÏJØMžÿ/}+³òøKÌÜuµÛ}.R{RÑL9e&RMÂ×B{‘§ ÙFñìb»"BÿŽ„n€rèsƒ†deˤ¦€šZòŒ`ù’¨ö¨ÔãÙÚ1ÓBbs±ËJ:±ò*è,hwxUãÛ|„Šï:¬3[éoÏ«z‚U=
&Yr¥K¹4<ÇÞëdÿ¦=•2	ó{9þîÇQÑ+³îÆYÍàuÌf˜ñ­ÂŽ«M²vf—ÛÅ´<ÎZÈG*^—f-žo™„QÈEcö[Ö{üä0Îê4¿Õ29+ßzünw×å@!F).Œ\º6¿Ý䮀{âa[”Ý¢gð@££ä)VF8Ák—J´q’gQ–ÕêÛI,ðmv/“€!"S+ÌL‹èGy“Œ‡«,­¸¾ÇݸB_ûöéRDÈ^	ho“
uzæµqÿã¨Úi°Ã\Ëé[[Þ¯QKáƒèI…uõ!4~<­èF
-­Ô0J¿X¿c5î—d´6 w}ç5Qæ,Qx¨”ýå?¨Ñ…ý!!!âëƒä÷œº¥Ð
-:²v”èØd„1CóäÌû”¤6T¡ó}y·Æü·œõ$Ê™´¨‘]¹éXÖQ·z±­¯Ñ7Ü3ö>Ñx^ÜáÞS|þÙÖ€–§G{úãœ}¥Åúèb””Ö×FÛ(5/î	Ép등ǀÉÃ3Çî×}Žô„Û Áà+‰h&¾aM3b4ô™k•­õØÁ•¸ŠÍ;úÀLãZ@ÀuáðX~14ÞzL+Ê*ù·o<¦YF²
-ð.`2ˆÃÜ….°´Pq'´ukæ–¼ÌÕdfôY~6¿ïÓuÁ]u]S%t„Çr÷ìï=€5ŽÿËåÿü?!`é2‡¸9;šCìQ|! ¨›3äÿ§¡ü/Îyendstream
+xÚízUX\[ÖmàÜ¡pww—à.…+ pªp‚— Á58„àN°àîî—‚ËåœþO÷íÓ}ŸîÛýîÞ{­1æsαæþê¥h)ÕµX%-ÌArNŽ®¬œlBU°ƒ¹TËÌQ™UdíxyÍPhiµÁ®ö ÿ _iÈÌìä(cæúÂkÛ¸TÌ .'‡‡€/çËšƒû¯@'ˆ@vpò¨ƒ\A{°ã%ãdáærtÕrsv¶ƒ,5AP'7ˆ*°z©ì?³¤œ½ `kWƒŽ¦#33Ë¿NAAA€¹×_@[;è^î {'ç?2½HȃA—¢-ÿˆU·2“µ»þÑ.€ÁÆÕÕYˆÝÙÊô‚±A­ØA®ìŒ/…Ê:ZJ;9ü!EùÃ30dñÒ”ûß}³stòpôùØ
+ìhùgK–nÎì:Ž`7Ð[™ÿ	~Pþ…Yƒ\¼\‚\äiaÃþGJm/gП$ç°™£¥¯³“3ÀÊÌ
+ò[^(>P3wÀâòõù߉ß¡pr,Á®sõË1üKýYýc¯bæ
+{9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@v9 ¶®”&óß{ÿg”””Ó‹$+'?€•K€÷eR^y¹ÿ®øO/þòáOTÝü?urüKò­£•@ðí¼øøWKî ôe6Ž1#àßõU\Á ÿFLjƒ—ãej^œÿu¤þÿ¯ƒõ÷rnööºÂð;/~@Ê€?±7ƒüG¸™ØÞ뿼ð÷@=Ð?¦ÿÿ óÖÕÌl!éhmÿO›ÀP9°'ÈRìjaóqùËeË?¿CºüÇ—`åäåü§m¶°sA¡/gñ'r´ü[JYG'K°£5@Ëõe*Í –ÿþ -Ü {þ< —wÿÚ[_
+‰#‡·–b6ulªƒr¨í}™7*	Ð1íŠî
+Åü~~f†K	{5òòµn<Ÿ‘Ð"+µÍ…¬Ìø6_‹æµ*߸R"mærÞ)™Yù§¼f©Ò;$¢)4ƒm‰Òæ숰óÇlÿðߪ†ßõˆßµ:ƒS½$}ôón†DF¨å´E‡…E®û•vX­}Yãïš²¢6~ì<ùцߊ닩²;ÎÊúÅ5ÃV±kÌ*å JÅï†]ç!
½CËN’’çd[Ñb}Ö}Þæ[öÕÎ’‚ëó-ñ`b‡2á­YsawE÷ëlMàÙzøüÆÅbú¶ÍÏ4œ2¤€³‚7¶#]×™±yÀ/u˜Ú44‚üÐ3e`r<#7(uR‹uçÛŠ5š¥Óæ×÷ÅÕ¯¦‚¥v„µ}oPíÇF`<—0ß•værÊ·Û³%©ÌÒ‹FI¤mô¢žô/ËÝqƒŸ†µ}FõD-V;üÏ'«‘ÊŽ™*¶Ð	™Újß ôÑïí_²ÆÍ¥
ÀFKR˳S’Æ~sUñí£û	· áÞü:e·}#^Á‰M•øÁš/Ð'FM¹ÿµ=¾ö6ç¡?R9ôÛf;Qq¹C‘ÐFÿï|ÓBáZM›‘8l#7ÙÅÙ
ú³òdÅ"‡3À•`{e&ËP`' ÅœŒÆ‹.tjåø]Rƒš·i‘É°Q|Õa;¿îÕ_¿zøz {îÁ™À—8»´üµÚq=oûõ·k€»fwþȶʣÀ÷çJ¼ùÀß=p½¥n”~Â{ÉPÓ›$
ñŽŒ Ùè`œ“êè_‰:ˆtHlÊÜ·2Ùs79ç ­oÛ§è‚Ô¨ŸOÝz¥ïŠa¯B5Z®á}ëËn¸àXrouáÖ3>ÄÝ>ßENÎ…¼öùÝhÀ‡•â$â ž`€â¸c)“½â@Íþädz®ÈˆèM6H6Â’é¿9 {5ÑRJ_ö=¨P€–üǸÜS¿‡ ´·¦ºIƒ¬:sš¶_|—qèYoÜü}¶ÆFfHoëǤÑâçîw=õË	5Ämï	¨íZ-~‘½“‚$y†E³dö¬Ó8<|›Û–=:ùeNžÍåbŽÈ;Øÿ”Òj$³ï§0æíÏb‘¾
+ÅWy\:T*‚}ò
+…ÉGÿÐJãöÄ{  ¨ÃÈÝÅÔiÜVnnFʹÁtj̧é-ÖÌ÷”–7!ÀýÙ¾¿C¹x—wï\áìŒz ]Ç}Ä?âU GEu=…Ó‹	jaF«AÓNQ(E®¥~°0FHÜdùósD7jé6Ã/Ç“½ÊAdl—ú;WyOAûÓ"Ôž½Òrã*ÙŒAÖŠ®ðïì”UIhYT¬Ž}¹¬:(k¥ì™š©˜¡%¬½}Ý"ÃòLÕ»÷a”°àmt>u‰fP:&&Õ2€ØŒsRÔ®
ZŽ!6{½‡doàgƒÛŸTÕ¯ØFø™G¿ÀÃÙWHn»–ÄÍ8ªÛÈÈ"¼8µM™XÇ„eÇ™¶HŠ`²LؤŠæ]§ÈþKÇÍÓ攟ä²#¥FÔÑ»ßþð³ÓI
+³çWD`û9ÒäÝ$ËýšžÅ7—©‘+1ì‘n
+eñß3:Æ=ûGÕU¿.Íúø¦	Li¿žÔubb¾¯j&ä©¢ëÝH[.=XÁŽôæU¸²Ã‘e\óJ”EuÒ$,ŸÜ5Ë:»‹¿çzFD@µÁ:^*ÃO1N]þö«
3!Óeg§N,!u*Õ™ÞŽ‘IiÙvÞ’é¬.\¹6áùütc/¹nA¦dCÜkÂüú`zJ$ÕT;ãŠÉÝæ»bðÍ&£·³ô€MÙqP-ž—:ÿ/ù¯y4tbòë¹PAàŒ¯Ú•r	÷χ§5‡»%~ßàkÈcÉÙ~|FÐPç›N\¡3$´ßÉ}W©fžoœx3Rlµà½ÏåmïfäÓå샭G0^CP±¬z¯.ÙÖìS@ÆøÎ-ýýUį…eZ77!›s°ØJ&P­ ˜üspä'ËK¹Ù¶v<ÇÕÀ™ñ§°š¼¥°µÅ·ö/Û0ï´V
5”U¢ƒ‹F¿‚Ù¶Ô•™â‰ýkMšÐ‘û¤?§ïj¢3J¢€ðçºùœŽâÈÄ·•ÙVºš³¾u+0î¯nÒŒm‡Õfe“rà¦&öuó
2̵èä±j =ç
E¤ØWÕ·Šü5p ŒÁüuΰ€?—âÃÛºvt}Í“‡Öh&:6UŸVûŸiäˆ28OwÜ;ÖÀáõb¹÷.Œ)ây"¬
üߟŸô©¢íÌÓ”]Î/¶ë‹¿;3Äð¦Úó¤­Óß‘ð¦n_4ŽÄ
+W€ì­‰6ÅBÛæ¯"Åç|üž[Ü‚'0{’ˆ”£aL©“¶m\Ãa5ãBÓ€™JJñ,"Œ†K”¡¾»G4ü½59‹Ã§zŒ™g± ¶ÁþU©QPJy½Âú)ÜwUþ€ŒúçiO	Æ}7œÌá8šÐp
+˜†OÔ¨‰PØøàVß]ñs<å#ýûµf²ÊÌWÄX,K½ˆ‘Р†Gáî[QØ°•€…,a¡ú÷²TG‹•áE¿ÄHo®ºBtÁ¦K×*5ôsŸܬ°ƒ÷:
+TêCBz…Ejä'Ô	
cäMí&B¬är¿ùÊÔé¤K0
!Ët_‹û"jÖDEËCžøÅد˜x)ø™©á½òYöý	ì])£ý¸¡ÍþŒ\{.£‡
+s¿6ùýáÜûßa¸lÊqö¦«ÉlÇ„zªu؉¶jòr4irªè/Šð–›ši}¬=Ú±¢ž£±¾†Ž¬VR4ØËã|hwFT+þòijÐú°ých;ôˆ4È*¬B¢ÿ¦€Ð6°$O¶^ÊÇÍ·0~ºSy æÍÿÍÂ'
ÓµâÙŒLšM½¤gà[A¿ŠÞc‹ÍÌ“[›i±“¿„M¼~®³yE'ÛçI9Ä\ûŠø>ûKÈͧÁæXå°·wžØ#ÝGT¢$5î\u¢;º§”-®18û¤X»†KkÏÅßòû»H(sª“¼xó¼è¼-ÀTÅèÛ‹ªv"1™=¼Ù2'1ýá,BK‚ǘOý=ÄžBÑùë[ÏÓ⟎c@«ne[Ø'Ýà†(ªÕÊuyo߯æá£-º±Ëm=ý„‚W8î»;<Ú±‹ƒÙzs,l¯ˆ·9Ëu?§\(^Ò‰“ȉ|-
+ôsˆÓ	Pî—¯böAGЕ=tÂb??y°÷(QZR›Ðs ­dóé¤Í\=*$3ËSfYå±s;9¿â6Œ¾;²e›\«kæã(u}5‰M§!Ðöe˜äÝQ'-ç{÷óF{…ýPë&=¼|ˆÙìÌ&Î’ÆåÁVí*]÷!ž£uàµFØwhIÏ)ò¹îÜäHYù
+ža“î‘fh³+œ‚Ö*CÜñ¡«i«Yezœ^²¶Æg‡ä‰ÖáȽ±b×.˜V+É>´@h¬ëÍ3Œ+	èyÑÅë]ûÊÖHgU€fþ¸Rf»‡‚w`¶:Cd÷Ýaè$ñz¹'¼ÿ9™?!!MÌVT¡æ?—Î7Ñ[Þõððëàoõ»ó]é¡Æ4Í­rƒQtb,Aï‹ïÎjJ6à}dÝŸâ?ÉpG¤Ø½Ø~wß²æ:™®¥¥[éä˜jR¹Nù•Õê~V¶=0L®DÚ!$¹*µÐÙµ+.¦O¡©”i¡R}Rn<Ä)תNUŒw‚„~W²K‰9-Ê“)øY%ÿÁôCöéQYÞ·AȦùAðÚ—w•Ðlu +FºgF„L|º÷Ì®,2Éî95 mL††ÿLçÈW­ªJú93a6ùí7êÙ·IÖÞb;}õ'vT5»‰É{£s†gÊ)»Vì–ë‹bY\Ÿ5è(&·ƒÌI§
+ã1~*]èÛ—ŽÙ‡Ðƃ”ûGàf{·ûÔ9½“V0˜š¤×`¢«%n'ô'ñ¿~Ã{º,ƒð`æl&‚S†Äó¾¥·-o„"ÄuòŽ§3YG\6¶_=2[žªœ6ÏŸ*<†Nc§FÊ”çm诟pƱ¢T *¸ŸÀLõ¾VÕm&ËP
+ÑœmhÎ6||ëÔ¸\Ùöz®N!qQê»ìÛo]*â>
+ќȖçiH	ÒÎÐx_~ƒ™Å>ç3nöe\\H¢fµî9(Zhs:Ò1?ÿ¢}5³ñÃù§üŠ)vÈyæã$këì¾dñlZw”°¯è´“(é)Þ;ØÝ
ʈƒ/ÊCZ²&h­â‚QDj¾•QocÚâ*eH™ÔbN€lWü[Ò±vq»lCc«ú—ŒÈÁ¤Ïð¸fŸÎ{µÒým%Þ
T¸TÃqQßt§‘Ï0‹ÍeƒÅÍ^oê!¾SÁR,Ú‘0Y¾Q/­uÐâÊMš"û¢…ú–þSsb•=0@ƒz'kJ<Î΄O…ÍnP©Ç/4¥%0º;‰ô^aøBBîC÷-EKší7´uørG£”.#žŽãÔKŽ£Ô/bu?Ñ”±#¡Å—*
Ü9(×6ìc}iQ[0[*|°¦]Ù@Nª}´UÒktn§ÉOc…ô‰Úö=œ.’+ý„Ø
G©s QÔ
+<àDKrøˆ– vWXØL[+(¨¼ôui
ùXN¸?<íW%fÁ;j`QsŽüÉZ’áÏQæ¥ÚbG3¨4ÆÎÌògUã#•šF0ÃÔV`w]§öGŒhýÈ6B¿‚Úš$˜ÿ€Þ°ÁNXîIcFN+ùÙ´:¼¨HàõthEAС¬Ñ,ñ¡½^ɨ¤kd¡½?sÖBF—#Iâ*ÙµÎP› w—žÍñ›ƒÅ5›}}†ÁW¤¬Có$øÞK¤b2Î`ÂöŒüqø¨~k	Áä6ÚB³=à*ÐؼBg%Ÿô	õßy”:í[Ú9Ú¿Z‡±“NÃ{N½¡ëÛ¼pœúµ6…y›–*§<ÆEØL¦|šØ¤€%8«ÁÆNN`oR]ª„Xlñ´3ã¯3ï÷ÞCÑÜa¬#æ¹S;…òù~ù²„­Î_‚Þª²¼­Eî€AAÑ^Í~?gãÜÔ‰æõ»Û÷……C9ü[¶7¬õ-Ë?ÄžUÎDÓ:C\–Å‘	Ä×…Xe
+šcK&Ž5Ï¢=trPォ¦â·ñ7?U%q^ÿväŸìöí„8&]2ì¶&ÑûŸ5ó¨ð·J²Ä²…|±i…¶ª¶ÃÛáËùÝ? ¾­øÞyÿ;œ:·Ä6Ú~ÝïVŸ¿Ó¿Át®«6p½!#ð©TH¾öÌ}S€‚„2#ŠÚäQ×|`IûXÉÔ}’2pVÿæˆ>ivÁ“T¼,Ôü¢ß3qZ\eºà<×fgö“(ûÅmdgZ1Ón&uX#7›N+Sql΂œu8Ê›Î|Ÿu;ñwí×ÈmÝ°‰”dh!\
+Fí¢–	¢ÇWB'u6ŠÑ—NÚƒtä£ÌÛ‡²ÞƒÃ­%=hð#,‡“úbç,ðÁ¶jî÷ÁˆØ¸ûn°å¢·ƒªÔc¢všŠåǯ†L¨ñ.ÁC;"&V‚”›W¤ÑÛj­Š]c%æ£ò'­Ê_+zOïIÏ©Þ[:£ÏÜü2}rÝåœ9ŸŸ=*n¬Ž³iÚ†{;Sîyw$zÈxkàª[шcFÅ1¡ŒR½Ô0Z;'iì+ÆG<¯B¤ñ´Yöª¨‡#†Ù”^°È;}xõJ)ÓêsÕÂB½ž||^$»(sþ‹"—ôÝCâ1ôYçö¯=:žÜ³°Íƒî%]ÈVùñ;2Peê"å(ªDxš µ	_ÆPAíËp”¼²`s|¢½`Èw‚ÓZE+t
ÚSÈáçåù(ÝL„¶±+ÌÙ¾ØüΗFEÁ*™Ö0{cÓ@©!¹l¬"URû{‰óõ’²õA“P‰íðçê#SqVá7ÕlÇ1՜Ԧòê°¥?6dØ>ÄD»~´ì!5âsCX6
k^o_¡Òö+Ù•_0—>ÁÓxÚ¼ÅÃHVƒMJ‹eGž 
?XeáuãÊÒú†ÓΤé“e¸¡¦^2ySn»½YùÅ'ÞæÀ\é!V*¸¼^É5z#2Á¼mÛXošŒìç´Szq/Šh8²èZDaýÖpóeÊ!±õàá’˜É>°¯®­;V5ÈD»~‹_céÍí“®õ؇$'”í"®qLì0—§—óû³ÌR,ubõn
+ÅPÍ+‹§+d«òtŽ]Ò½þ³ÍoÑÈj)ƒû;[Sz’ÆO™æ³<˜´Á¡43H˜µ³é6˜8ç)—#¸[áÅôÓ}FJ7j–ŒŒžFA1ÎÊåªÁÖ~|t¸o­WTd`^Wѧp|Ågºyß$ŠÍßbÌh²#Æ«„+o0Í&ÃhM|y:bIëDðâÜ>fÉ}çuÏÎZ_$Ø3Ä£"FٶɜË;¯2ÐÌ ®>¦j¬ûª”Ö:ª‘ôÙ—ÅøUÔŒA®æø'Þd>Wç4ó•_U«¿ÊXo—³”yüpÖ.íˆÖbÂÅT~Å~=ˆeHïY2J)>ªB$¨Q¶¯Í*êˆF±¼;Ì=Ù&{%¼¢ºêšÞZ¶O‹9¶HbÖw¢•Už®p[-ÃÕÇëãò6ª†µÞÈ?µc¼nÜó“íZé¢ÂDÍS—ÿ{>e:Z¥u•ŽEb›Û+–	…¶¡!’Ù’dÝ__9ÍY{;Ï®l­L9Lò5hBrÕ*]'†’ªÿ{ÅÛ­{ÿrØ£³æþäspÜó°‰Ö¨Wt!@TQq“;í©y€¥H®%ŽLP8.7Û„û‘±æÍMÔКûš6‘šÁ­¿›ƒí\óÔ|M$FÉ~p4×–šH*Y«Ù2\qŒ¹YæZ:¿£"öú0¢„Hâõ…„YŽ"öæ—–EcÈSFÁ&Ä=¡0E7`wòHÿÄþ9ߢ®ö;ŸYL#·¯Ì³Ö„…gŠc¬
+Ô…Ö¹™ºãº?Éê‚ú„‰×®áþ¹,L'åò#j2ï4ê•ï7cAIúy´ocpàß¹*y¹¢T„†è==lï5¸§D1Âs¹Ÿ¯2Ê´8çh†Œ4¸²¶u‹BSê71ó°ãÜ
„X—êyÉyJtèb‡ñ˜`1<]Î=ûÒ.ó`ô7HuŠeòW²OH:(kÑ….oa…^âÝܦ6ç£ÉWòƒøIˆF-Í–«ˆkÁsìü=ë2KÊ›`)Í.`î(/µ
)y©Ôt¦,èœLà‡*·7õA[hDp·/ß.‚EÔ“V!P<é‰ÁÀ¿b»Š=£+m™Pµ?vÔ17’I Þ<®"! 7MV
+úcd¸´fôwwX£l¾‡»C"žžá°Ó;Õ€Þ#§9ðñ’_7©Ÿ›K^¥ß÷[ŸŸ'}l«i3…ƒ–Œ—¨™ÎÏÑ¥û‡*eáÁÌ—F/S·ML¼Ó®)2_&àâ\Nujs4_}РEÜ‘*áq Å‰ÚiP¯|-²š§SÊG‹“¸`îK/¡K¶yÓ¡Ú~x°¦î¦Gp;·ï¤>«kñ#t-Š™;Ù¾÷wæ¹SxE”Ùc\‚ßh}U;Q
)5›wðhى嬭¦“qƒÑÔõηé™õ¥g2qÄ¢G¿žÄihq­˜?Ŭةæó;‰À_ð_Ïáìà,ŸŽG(ÝFµ7Vç«w°»ã‡6"­’—‘¥c,MD%Ñ\Kˆ©Åq:?ÍuKÞ·$I{½ŽˆÊ¬¿=P±T&U‰0îvi|åJ#¸ŽEÂûCìKwã¾Jo¤›ur¤'SÇÓN~8nØcqWòñjºøiY›¯#WÓ“!×Óß믬‡f•å}‡†XnÂcÀw²ñö|Öq\ƒnZ“E‘x!?ž‡¤‘PÂEl$Õ­.LÉ[—ά&ødcËL‰ÉÁ.-îÀÊ-§3§ÝáET‰kõ*ºk·Èh¡¿=¯ìRñП`É‘.~Ë¥î1úA;ë7í©”q¨ï›ˆ±÷[G…¯L»f4‚Ö0›ŒaÆ6ò9®6ÈÚ˜ëmRsA8«ÁŸ¨x›4Ax–¼¥êDÁ
Yï@šð“Bi8«R}WJå,|kò»]—ý%¸0riZü¶»Þn	G„­‘¾tAý
’§,Xéa¯+ЊÅAHú…™¦T+ï&°À·Y=LˆL-0ÓÍ¢Ÿäû1ÒÕ®25c{wc|XîÛ¦J!{Ý$ ¼
6Ô©q˜Ô†ýO#ª«¤Aö³‘,§ïlx¿•G.†
 'ÔÖÓøò´ *´PÃ(þb	ûÕ°_œ~ÐRlÔùYœ?ÆX‰³Xá¡Bö—߀z'öÇøøðo’?²kCÊéÈÚP¢b’F
Ì’2î“[Q…Î÷å]òÞqÖ‘(™gТFt
+䦶°¬"oucZ^£¯»¥ï}¦ñ¸¸Ãÿ²§ñü³µÿ$4W—ötëœ}¹Åêèb„”ÖÇZË0%/î	É`ó#“)±{¿ñÃ3Çî·}Žô„Ûá  +‰(&c¾!
Sb4ôékå͵þ˜aåØò;ú€£€ÿuÁÐh^314ÎjT+Ò2é·O­7<¦iz’2ðÎ"ÃÌ™. ¤@q'¤esú–¼ÔÅxzäY~&¯÷óG5Á]5Et„Ç2·¬Ý€UŽÿËåÿü?!`a2ƒ¸:9˜AìP|  ¨«äÿ§¡ü/Ú'Î…endstream
 endobj
 1100 0 obj <<
 /Type /Font
@@ -10630,14 +10615,14 @@ endobj
 /FirstChar 2
 /LastChar 151
 /Widths 2273 0 R
-/BaseFont /PXBJUI+NimbusSanL-Regu
+/BaseFont /FZTVBR+NimbusSanL-Regu
 /FontDescriptor 1098 0 R
 >> endobj
 1098 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /PXBJUI+NimbusSanL-Regu
+/FontName /FZTVBR+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
@@ -10653,46 +10638,49 @@ endobj
 /Length1 1624
 /Length2 9819
 /Length3 532
-/Length 10683     
+/Length 10682     
 /Filter /FlateDecode
 >>
 stream
-xÚíweP\í–.Ü	‡ÆÝÝ	Ü‚k
4Ö¸»kÐà ÁÝÝ=X‚»;Á‚ûï»gÎÔ¹ókæüºu»jwíw=k=KßUµ©ÉUԙߛAL@Ò;gfv6€ØÖÄÅIb§À,±1S6±^ndjj	GÐ±“:ƒZ 3€$ÈÀÁ`çççG¦H@ì=Á–Î:
5-zFF¦Jþ¨L<þ¼Z:-ì4¯/® ˆ½-ÈÎù•âl¨œ-As°
 ¡¬¢#«$ “QÒÈ€ì@Ž@€ŠËk*¦°)ÈÎ	D0‡8lþ>L!vfà?©9±¼r½wNö Sð«ÈÝdÿb؃mÁNN¯ï°ÀÂhçüZglgjãbö'€W¹9䯀ì!¯¶¯Ø+™
-ÄÉÙÉÔlïxõª")ýwœÎ–@ç?¾À¯0bþªi1uù“Ò_Ø+Í+êÛ9œAîÎ|™€f`'{ Ç«ïW2{Gð_a¸8í,þÀdt4³99½Ò¼rÿ©Î?óü—ìöö6YCþÒúÏÀÎN sdvŽWŸ¦Î¯¾-ÀvȬ†EÖÎ`gû[næbÿÌäøWèþÌýk@3ˆÀdŽÌªq~u	 ûŸu™åß×äC‹ÿ-
þ·´÷×ÜíѹÄÿÛûü¯ÔÒ.66J@Û×ø{É^· ø³gƒèÿ²Ú‚m<þ«UÔýé²Åd¯åxogñÚfv¶¿Å`'i°;ÈLìlj	0Ú¼Vë/¹†ÈÑlzíê_}5bcûì£%ØÔÚîOù¹ÿ†@vfÿûk£þŠœUGWBBS‡ñ¿Û­iª¼Î€óG{àÿ¸ÑR„˜ýçá¸8ÄàÅÌÃ`æàåðq±øxÙ}þÑ°ÿó¬tv»ôØXØØدÿÿxþy2ø);SˆÙŸ™QwÚ™½ŽÙ
-þÀ¦.ŽŽ¯Ýýëæ¿&ýó_¹ƒL‘f!¦‚ÁV©iÎUx_F%õzºØaBìk?~Ëó¯€tú¥†¯ó—?V†°Ô<7{ÌÚ?mË1ìu½³¡íLäûPÒwça­Ð´ò2î²¢¥iE{N+¬½ÑåaÓÜÙUU3,x„'oåtD<½¡÷§tÍóÇ¡º¶G÷5M©‰ÅmìƒÂ®úzxD“¸sMÛ7<8Ðßy×½MĘ‹D-èú&Êß!›HTW£Ô+‚JDjxE?ñý8Å’šo„+?4Ù—jÎÖÏbR›ŠäøÈõ·"˜úß•é:†>]BQ­cuýg¼%§\Ž€ÏÛÛgb4w¤ðÄb¢Vj‹O³éý’Á†ˆhôh\m¾ÓÝ:%ëÒ>ò¶ùoïêHŒ~ÖVS05½"½I¸„<½–s_ÑQ/ƒ0ƒM¶òHÉ>̶qÒ½ÄW‡hS¸cT]0š"êÿuþ!Kó\VœóIP©¨ ùi"Ðï%I;£ÄY£’Ç÷eÆj»PÒiÓèà)ò>½¶¥2Wš£‹Ô•IGôȈGRE¥w<,.ìy?•Öú³x‘WÛ¿ˆG”ñ´T§Õ‘Øx(YMk'	ZÔž–IŽ+‡»f 1NÓÒ®¸¹j¨þ'I¥iÉ’µ	ââ(ٞ߆rY'u¼¼u-eËAeêKÛBÓY0‰÷j±o¨I‰ç´5ƒ»¯ÍÓ`Ÿzë’âcŠg‹¥5Af''Q)®§÷šÞªjIA«#6ÇÁ’¿÷‹¬
jIG,TÒ*›–¦Œ=Š@ùê¡Îò·´¶W(ê†C¬Î׳>¿{¼;Å]f§äÍPô4óO—.@Á½
-“pb;|ŸŠmONcžˆݺçÖj†í)Ñ6RìŸ:¿ü•8\Ÿ¢½gHmh¤/ª*¶¤?h#Ž Ó@¥¤X1:·åÒ'ÃN=fËwl“}Và|n ÃÐ-Ú‘¿ßMLœyÚHf)m
-s…ðrî‚Êú™ÎÏø\žû=xd	A^¤‹Ý¶v©vn3<\ݼ‡zYô ArÛ«†ŸŽ.Õ"–‘ÛuÊ«üîßÈ}Bø-*
K»³eØ㓉=ŠûóÎHÇö+¬"”ÎsÄ.xò&IÜ	Im„6v
ZÅ@°ÓG;£B*óIa­
-¢F¹àgÍEI΄S©&J+«w`¶É
ïð…‘˜OÃ¥lÿ΄Àר Î9Œóâ«|ndŠ7yè:õ™
ÅÅ»üŠÚ„I†f¯K%Œ¡e„•¬(F5)Æ%¶ÒtFÅ\Ï¥$~?j(`Âq®!–÷5ŸNç0ð8|7 ±#çéóD‡5Ê›éH†ÿ^蔺P:ù”lS’õ«ÃÖ팮ÀTnL-ÊT®
-¯ñ¡1âèd‘9[N:`,ÆSÑ5¤LÓZþ«q©y晥ãüØúw!®_I°Oþ&+Ô[9-î´¯NÔî`Zšýäâ•‚[ï׉Œ)$;Kj=+
-aô©Eû÷H[ú÷3ïìy›Óó¬z˜ç)6UWT2ª«0Ät6z™Tˆàz¯!Âqq(ÖxQMëêu‚ˆ-‹;®·x;?as¢É¡ñâ8‰Ç'î•æH?ñ¨ó¡5ñÏS)<³±øW†ÄX^~xØÃ6ò¾ò^•ê‰‡‡5©ý²oÆ'\Z1SZŒn„ÇÃ÷}¥ás»;¿âoú_Ϻ.)ÄtQâwÌ+ˆº
Ë©ìZ³zÊù4,ÃO,ÑÍ-óà ìë­ë¾·̨U"²u™Cº®ž?L€Ên?L®K,‚¹¥0üÌ©ê{åö¼¨ÂT•Ü^ìcäÃè²öÆm:{¡Í!‹ûXMÚD) ¼Ûð³d"µ!à>dwÿ²k3‹ÉÝ|€•qÐÃŽ+ÄÐè ´y«E9Bnëbr»`ë–z¯ò†„÷ó›9ÜŽÐr“\î£a¾Ö9©è»ÁÄào;²)7#/ƒdC¬1xœ¸ßÞö_I¡»>Èös·«X3Rsæ¥
-EgF°X«·ê%<Ì6%ȼ€
-³<|†öDé÷u²-¥å½Êò¶m®’²^d’±]Dy…Ñ
é"G
\0ã]êDT]ÄKÔ~êÄÈF0ÚkǸÜÓ~¬Äݽ¶ÕŽ(áÃtÅ?™´Àˆ{XD€$ÕnïS:âç2f4QCy6}!v[?ÿÙ!k”קÃæ–á#¿=à¡q¼Ã&@zã²P,À«·´”=[ìÙò­YÂÈÞ–XòmfczÅ÷‚Û¥©kº¹ ŸYäB†Hçµ÷/ê)J´;ÇãÝ4Šµ;¬2Qç´Èð¬n9«¶1ýý‹ÒQêøêwF!ÏjG:ùBF•BOÒ}‰V¸=ünébÎO·Ò‹´³×ô{x	_~_é`D‰E—¡D±Jðà.ß»\0%Àþ<‡6ÃÏdµ\Ýô^³k¼ƒW9]=d鯃fCÉ;ÇaÔF[—¢ˆ?¤ñ‰û÷å–Ï¥µ—e®ézÐË…Õð(NÛ6	MÈJæi勦»x[ŠçX¹ ɯÏÓÌR¤ˆÙ쇞 ¸M'Wy©÷ZD¼ÏK?¤?±W<ñ7X+.o}ÑA¤ÔAÔëˆÒÞŸa—áÖ4%ÈšÑF·º@nÙ6Åÿ®¿v@(-Ç|çFÊðÔÀ¡IW¿lѾ‰”ßæBìñebñß«¡6û™ÌâG‚Y¡ð{OϼÞÏ„8¡d½+¥äGŽuúˆpÄ5y ·mag=K³½‘ÿ맫Y˜!úº¸v™lî5F3¨¦þ˜{›B)–³<çŽ\F›eÓ;ï~w+7?VS´ã¿R‰sÀ9Šaj-ª‹ŠøÔÏÁMÛº$Ù0M«`„«ÝQg˜&‘„~øã2J(z&B¸kM7„¬¡
í‰òºCݯ^ý}]ñ3'|AçvÞ͵öŽÏGCûFlô(z*lëMëbÅÙhßÚKÔÄ	;k×#´É¥_Ýü¬bÿôžŠª`u"W14Uî\‘1_GõЭ¢/‚ÒÂ'’#E¨”Š¶¾hVö‹ŸwºEÃÆ2³\nŒûN0ÃÝè"ñÆØ}–/vsÓ2$pLÒ)…jJn„„­„aB¥‘Ìõ~ƒu%§)E×L=ZmK–›ûeÌiú؇$õøÿ릀Æ$ƒR¬eÎ×m°õ@I0–‹w+“¢ïQžpûîØft­LÈ#fÆíñZµ²¡Bî—~߬óÿ¦“wÑŽÛ—˜4H+J:÷B“^*/¸Âyɶ>÷ÐÊzÓ]ôŒ•há'C¿’ð;ˆç…;	W90üthðAÍc¹È¿¼Ly@¹žÞÙGÀSÐÀ\2ob¬Tùåœ÷0f‰Q¼M.>gîƸè”e£öÇÖ,AŒ(¥Ñ™t¸çÿH?€1dd«upjTò7pN!q¢#XÏÉ„>9T©i,…ÛÇÕËs‘Àâ»k&)/mHŠ› š‹vîˆÿŒéDzov휜^3³Ý÷G~ÂO=ÄQ èÒË„ˆˆ>Õ0mE¡IÇ4E˜fnL˜IRµøÇü!vB¹†i÷…C6Ná%>_~u”zG4ÎNá§É¥è
-`›žÖÖÔ<*üiΈ—9ü±™üXó7—‡±œ2øȬØüþ^ù÷µIË¿"(®/КÅHMP­"òZ!
-GO°â}‰¤›ÊI@¨’ãß~T÷“©DHå–±°›­J|€yÖlž‡Úy¡ƒ(~½/2œÈ!•~™Ãí:g}r?Ñ$[Zl{¯U«9Ó}ÓZka'&Tý鶷X1uïßù9Dz‡ƒõ×äùKÈ„‘ ÐëM¾H¹•ú±‹êYÊñ¾º­úÆs7NkÀX×醌C H\°3[7ßÎú.þOßϼ$Û1ûMØ·£¯_•0j;¾93nÔÍ“o?úšð/DIyšÕÆŒ°‡ÌgFë)¯ %5M±,³‰Ó螘˜Âèsß(Í/k•ÎöMåô/}æpÙzTMF¡bèã‰ÝÃLÞ‡„ Dšá%Eá³Êû5l²
(X€KÜÈnæé+‡½®˜•ñ‡Áq•€~Ϋ&O4hk‹ïÝãêÃNÂ"Œí#°ÙEªžMÝa¼¿XKÚ±~t$uõrä Íõã¾b4ØçVA¿ɸüà1žÉ_dæ}±zIZZB~ã«é÷¶Ò—xÖl³ï>6ÓI¡p‹V‡#À÷%ïeŽyßÉàïÕУ£1¶OO|ÒÚ“lnkÑ~
-oàkÆ«Ü A8GNÈäÉÄÕ®µ‡K8šÅ2Ù?³¯+Hm<Åì߯ô}:/ËP(núFrZøn_ï¨4íß¼³'ÒÊM7gRg
¤6+¯ÛÆÉó@þvzþ€$‡É5±*4­;£Á*˜¢v£Ïw“ŒÖd“Å1G!Ksc%Î
u	¾×ýÌ )¸#ÃímÐpÞꨴ²ÒS:‚ëѦ<ß&âðMÚ²d~*x¶=ºPÊÔ^Õú-³û»¾q)ÃÛeæl•Q*‘A
-Ø-¯¶Ñ³;9<7Ìv‹éM¥kâζ«Â¼¸sNSGZ’6ÑÙ®ÜA¦F¶[Ó¢÷£B*dKz×JÒ
ò¶n“ŠÑ°n°öžÐܳöhÙl×˱ÖÑÊatô+…qKÎúOâE3‚½)HeŠü½¼©˜ïkd.Îã‚«‹ÖºîŸÀÅ´SßؾÀ:lÈ‚¬Iñ£={¨¶†Ä±ü
-¢+Ñ~•%)í&Cc‚â³Ìé9Ý7&Öo8œ,½Õ!GssBãÜå+À#ƒÅ	J]ún•Î¢Ùû[·üD’¯ß
MS®Ínw¬¿_ÞÒ ò˜-51}á;î:!“)i¥ÒÆUŠk¬A‰òâu­¥4)yu5'‹Óêg’åwü³8¸:º—ë/I+ds…MhDðvôÙµî¬wΕ0úÅX1›¶„d|,l°ì^ÌÜûqüc®§.óV’b­:b
-xÕx™Íõ`õM×€©ûË8'Å.”Ž´†qE6ÓOn,Ï›ðIáÌŠ­5
-S¸mܤp£Ø2¨ãPÇ
؃]×ÜE’>r‰ƒ±úÕšÝë!äõG	=í õÅe°W˜“ijò¸
ÑZTz=
müО¯e”môÖ%[
-IÊtôœˆêZÒsTŒþþðxÂ5k@Pÿþa¯¸J<—Ÿb¸,Õí	hJ<¥Ü3óðñ½ÔËo=Ú/—z|±¡Ã¿Ö³‘~Ë"Ë~\LÍ\K…5VƆfZOßšœ@e7»Fá>™“JÂ`.¯²Wîâùz¤jp*–ñigh˜\L‡ªÌUÆ©EÖ-ðŸàéÞ~õfSX´ù”SRW31·Kñ‹‹˜Š/ø2’m†0Ý·Éæ1¢‚Hæ¡ßí¶èÅfKŸT8:Úô# Ÿß­d—7›Î¼uÅ
-a¸´<¹ê_yÁåñÓ^4nzâ2š5§É`ÉñáàßùWd¾¹¢×HÆ«|IKeDÕ4˜8”!#î½±(Y‘Ö¨Já6³x¹ÊËÝ9´@¡êl•|ë"(,•z?DõÀ\8ì/<—£Ù1Íë@°+¿8e0hûÁÏI›_?°u¾¾mnÕéõsPÐeshÓ45¾ ú­Ðêw2\á›Ð(á!„Ävé¦eyœÆO™ÝƒyE‚õëS|nõeOœ"{• I9Ï}Šò`õÇëppé6íaÃ)ûBVæT°s!fÀÓôÉ!*ʾ ˜^5ßPßRYuÁUwM>
͵ƭ ‹÷i¤’i”?‡x³ž8¬¿¯Šhÿ–*Q
-Nñc-?ÙSg¹º–(ÎóÊ@nþ¡=ü«â2lÄ.Çløk
-ëz^ýèÄ À)5á¾ÿí?,yÌýñç
-/–†ùŸ†šNjŽ	ï‹m¢Óf:Êà=Àܱ­0JŒ‘dÁG×ü‚¡Ã–¬ô	rR€šgí~]
-)º\èO/Rdnq¾ŒNåÂÞbÏuÃ=~‡ÜV­Ô®¢%o±­FO1®É*3oE¿‹Ò…ms¸Ivz9©	)3FÏú&kÛ"è»x:Iç ªÑŽg~âÀs1Í`=öAQÛnªÎ¢èbbôÌn®œ)ô	CÿJ̹&Љ»·Cþ-àÃùr´œÖÙŽ’lÊÞM`-N™ðD¥ˆ¶z(CO®Hjˆ|óÞ*øjŸeYM6|‘Wp÷qÀ9Þt¢ûÆ2ËÃ9âGa”¢8{Q£~*“Çnš.HÑꉬªðÆ(?ÄG« ð£$Z<ˆÿ ”»S¡wW¼àBÜÁ-r´\4î%;Åú¾jÙÇe™Òè*¶dËæÉ5å%Ó*•ô'ŸnRȧ' AH§qå5_Ô»¨÷Alf…ä¬?¥ÈÁî—ÚâvhÉ]œî
-_õóº}?^*ÀöÚJàáI4²ì-&…ëp‹÷1áΧµzbOÎçþþ$œqvÕü{†UF‡)*$ê•œßnµA!…w2ü™ïri™•æ÷/O}_ÐlÜûÃL¢ÒÄä½ñ¼R¥[lÛyKR(ëŽãztà,hú™0ù„êû°ÿ‚nýT—þâÑu™@­
-£ä;—²º»(~ÿúëTÿt,¯_lÌMÐf€†M¸"]NbJ
–Lä΢ùMò‡§vÀªr
­Qí}$ÝØ
±îP!ï„à­p|€#“Ó¦nÊÛi]z
½!•-8ׇ0]¼T*»Á{*mÉÀ‡—Ë©Q\}¹º.l«3=ñ…f†À±ë"ƒçàòIÍ@’yftP:XCÿÃÝ“’ —¬­ƒ˜\Îã"4h,-GÿÂkjù%·†t­ªÜ'
-Ûˆc…žØ-Ùœ€‘æÞž·oIO‘È·uÆS]$‡Æöñá@Ó%¨M÷g,˜Ë«4Èõù¬$4ö|Md”eÞJN>rg Z;}ѼL—f6µ"?§LO‘öâ•ÀìŽ''ÀŠ<èòfù3V>À?‹+¨k¾px¥çºo ×M^b?šžÐ#š©ŒüšáCÀ$m57ú‰{üNp³&t1…$sTínòaº9Þ
-o΋jŠÓ¥¢©É„¡Q­Ã’ÿ-ÛÓÇ\
?su?$tIµ™Rgø¯å<ª‚ã¡•30]¿[¾`Mw‹v²‘„uª9¸vJ-&ue%	Ÿ˜¹r@=‹’¢¦²fФùˆBN2­e
-sÕ:b”XÓ
-è>Ÿ±Œ„îë0×ǘ@v'}Dû&Ü3†)üÃáݹ”uaQDõd0Ý•”an
`eRí§Q8¡Zt(C`%¸Sd
-›º`_.ÆüyýÃ(G!lΔ	ø( we„fæòMÌÉÕÒJ¡ÕΘ<ón„	ã¡ñ§ù‡“éÕ‘¡žvßã5°e²ÌèBJ÷ÜÜ”‰ÅzãI¸÷H&{¹Äâ_@çLÂa4GôáMXJ×€´é§ý’‡ÜiQ–—1qÓ_ã&ߎ_+×ß.^0¶f{0>Ù’¨9pTŽ¯üi¤´º‚¹iCÇ—S€@C•T¡¡øö"×+&ÔÁÿ§„×/]²º·+äcÛ¢™‘M‘©ï¸QQ-ŽÂM+ÎѲóב«æiéžO«®7Äaçp.Þ”ü!*J™‘¥ž1·^,g…Yüž¸™4¬áUákÖ…¾‹"„øeôzÕÓ¿€´['qéh¼®þ3DKRd;cœîé£Y?å͉‡RͰ᧬P¯-ùŸÙ§ç“64‘}qîd#÷?ôSpwvã†à·Ç–ãt”×H4ëꯕ¦óˆ¦rÕÖ“ÄäYÑ}|ÒT!=Y†²Vø¤¸³lP•ÈÓUªM‚q:þ=·AÚ/&L¿Ëœúz…-¦^ŸºàžW¥Å‡Rº!ÔÈÏúPrëhE¢ÎÚ¯ô]™K¢ý»`FQÅÁÍ/·[Þ^ÚTú¢ú
†—A”Ôõê1b]×½p“åL,	n¥CN±~îüo‡2/ñL‘ÆÒthëår0ýfýšõ܆¶l:üû¦Êõ¬Û‰RŸß"Z¹ Ó¿Ï.ãàò3’!Ãâ?ôT±ÕÏ/èûM_׊WZXÞÒËöæœö“¼‰ë|ÛŠ( RZ I°Ó*à¥ýð„ôÁ8Æø‰U§ìBÊ®!S÷©çºŽ¬ÄZƒu`k”t4´èTºˆÖ¼ÿëärFè¹@HI¿³¥–+ŒÝP·íowç_ƒE–IP9SÃz'ÖÑÙ±Qx'®l’OÇC6Êvú:yÊÚSôÒÓã^¥¼¾Ë!`I¡ŸðÊÍ,‡þëX=µ“eT]ÜæLXÙâÛÕ^ÁϪڟôœ·Ó7>‰5Œ‚{Wûg½¶ktF"àõ6:}³¤FøDPØ2ȟp¬C‡¼®ÅÊ4­w?¿ë{Š“Ôedîs³…žyn½Þ=dvr˜^ÿ.f>@±¦÷…&Q9ËžÙYÑÛ6bs¾HÝmýñ¶uéZê.ð]ÄØï:‰fÇ™¨ÉZŒúBÅõe嚦ÇöL…é,cáŒVäI?ãK9³ÉÃ['yá{˜w1YñO왕èÒ…Ê< ÉEkìÜʉ¯Ô˜È z\Š«ÇŠß¼+곂>Úï:‘qrm3&_løëÕg‰ÕŽ¡ÓíäÑéFtq^Ú–aIS-£n»¶¡8xT}N!š ÿ'†Á ùü>ÝJ™z6Å'—õâšÄ‚ò²§-Œú•˜Ñ>ðè¦\T(hÉçeýBoÂCsÚ̇ÙDQQ°…‡‹‚cŒ<|Û\õ±¡sݺ@€œ±î-¢^KSyT×—¹¦»܃ärÊïãl:3po€	ÄÃDÔªŠÀæ{„gìβ¯—j¦ªÎTŸ?ü!rI/ãÛj¹I~rªsAðÅI,ôþ›‚»ïÇ–7µXâtBŠršK¿ßŽ;"ç$%;¼ZÇÏ„Õaæ1Yš k6ïÊ·l[¥w5³=¡²5ØyšW¡Ü?é>]QZ¹té+vq.,·Á³ƒ°cÅ[kãHNëÕ¼b>eÂIýÞϤûií»×L+͘Cìè‹Hò-¹­µ5†mª*BŒÅr/e‘¥4ÜØkÇbeªœh½8ðB±¼’½x(ŸyªÄÎ؛뚺£;«/šÁ(¥’ìdåz&ò¶ÎèL·‡N¿uzß…¢paMZ²L%Yû ­ôªá«šD˜75!÷íp•°òÁH¤0nTa
Ö.‹‹¡6É@í@¦d’†`¹pbý²ðF”õ_,R$ß$~6‚uAу‰4²»™ìøE,Á€¾6‚r%½`Q-ì)«ŽRÒÞqÞ=»¯?¢Í…¼
‘ù6=œqyS!6› ¤Ò”‰šÀö¤úœOpe¾âæ<Åö¿ü!ÿ‚ÿ'Lm@@Ggˆ-ÐÑù?æµêendstream
+xÚíweP\í–.Ü-84îîîÜ]h ±ÆÝ]ƒ‡	îîîÁ\ƒKà>äûî™3uîüš9¿nÝ®Ú]û]ÏZÏÒwUm
+5M	Kˆ9HâèÆÂÁÊ.P;˜»»*C•X$!ö–ªæö`À+ÀƒLC#åº!ŽÒ@7 @d	Y89È4)ˆ“·ØÚÆ
@¯­¡ËÀÄÄüOÉ€¹÷?WKW°µ#€öõÅdqr9º½Rü
5A €›
`¶¤TÕôåUäôr*Ú9#ÈhPsMÅ ¶9º‚V€ý߀ÄÑü'5WÖW.	Wà겿š¼,@N f€ÈÅìêúú»¬]€Žn¯5pƒÀŽöî–x•[Aþ
+ÈÉòªáðŠ½’©A\Ý\-\ÀNn€W¯jÒ²ÇéftûãÛü
+ V¯š–÷?)ý…½Ò¼¢n@°£+À
äåöÇ—9`	vu²z¿ú~%srÿ†»+ØÑúŸ0\@Ö@K{«ë+Í+÷Ÿêü3OÀÉèädïý—5ä/­ÿŒìæ
+²·bEæà|õiáöêÛìˆÌögXä­ ö¿å–îNÿÀ<@.ˆþÏÌ0¼´„8Ú{,AVÈl*·W—úÿY—Yÿ}Mþ7´øßÒàK{ÿwÍý×ý—Kü¿½ÏÿJ-ëno¯tx€¿—àuË@J€?{ðgÑ8»ƒþ/ ØÞû¿±úWE]Ðß‘þ!ûWLÞ
øZ	Gë×–°pp²²ÿ-»Ê‚½@–j`7€ÐþµZɵ-A.ö`GÐkWÿ*è«;û¿`Z6`;Ç?åçù9Zþkì¯ú+r65	9i¦ÿn·þ¥©ö:nZÞN Àÿq£«±üÏÃIIˆÀ—…—ÀÂÉÇàçfðóqøÿ7ÿ¢áøçYèæö²³²³s^ÿÿñüódü/42ŽË?3£ét´|³ÿü-Ü]\^»û×ÍMúç¿òY //@,„Âl3²3Ýjñ?OHö÷rÀ‡;•4h}.ª†ôfDm
+T˜=Ö„³6N	>·yÏ9=í*0îö¾µ§ëIøS1ôb­Óvð1í…°™” eëÆùžÎ)m¼1àe×ÙÛšP×0)~„'êàrA<½a¢ò(Â¥¾vB°H¯OÀëÄl„®ýttL›rpsM7862<Ôs×·KÌ”—€D#äñ66È9XÌ@»Â7šZTflÅ(EbŠrÕ- ÚCš|•[=ÿ
+ë[™}uZRÌ&‚(¦ÑUúîÑwÄ—PÔ›˜@ƒ y?©È¨Y÷càóîî™8íÝ;|ñøØõ†²Ó<†À4°	"wgÀ\Ÿ~ù¦lˆ¿¢CHÎã]#)ÐÎv¦~@t U
+ˆwÀcñÓ#:êe(f˜ùN!ù»E“N.ú—¤ºp=J/ŒÚ–÷³ÄCïrÏßåêœÀJr=	©”§=M‡¾¤êr–»i×ð¼ÌÛîÖàI»n;>ÅÜgÕÁ¶×ˆ#òPzsð‰™ðIk©
¯€Ge%ý³™ßÊVøô‚JyÅ(¿BËTsÙ.‹OE×wô¢ÅîëšÇãzpzéc†˜á¶®îãIZ©G½—V™“/ߘ&)‹•ïÿm¢`{ÒÈÇ×Ø^¹Z©©UØ‘ÅŠI²ßÜ€}CCF²¨§êÒ‹|m•	û4ÐH˜š_¶P&«²½×ñS×H
ý>nÿ+Lú÷A©qÙ¸µZfMë꬙Ï7Q¨SSÔþ©öŽ®jeƒ(ˆíùfw§xk”Ò|ÙÊ>–AY²ÅèáxW‘R®ì‡!ØN4Y´V)Xqûž–Ø>R#áe.ðKkŸH¢Œ(»qG5FÇckʇB·	{ŒÕÊË”ã
+Ú"­r:ï5a¶Á6?`.„8Þ¢{ÞÄ'ZeŽçTÐ¥´U‹¬,«mž©à~K*à½ÿÚψOžêK¶Òçà(’áè9ÏËÝÇW}d˜Ë¤ð¾½jþæâ^'b3½Û¨*õ]Àë3…¸€uIE_ž\0GR‰wÙPáÙäAµ]pt°Êy¾ø¯OþØ6ÿɨI©·H3Rߡ߀ÃÑ`¶ÆkÎz:º0¸žÓ/¥ªÍkSv™ãËZåÌ:;╾C]üŸ+a|ã„·+j*b¿7Xâ{LR FÑÙψžN&€ÙëxYS”üªNZ]—ën—hѦn¦ÝÖ‚¥¬¤ŸÐ¼ö¥¾5é â'©ÒÜ>¥”Δš8Q£TZrɻߥL:ô0Rª‹pf÷æJ5…£Ó]Ä”	ßÝ ØÃ4¿|p¬˜Šþ5Èa¯&I¤<­%MÊÊR*—zíó†0ùî–Ç$In-e/€qÀ(L壛:éPa9¾:Õ€Uj·†îòÒh?Js'ÁêVÙ“wË`½©eï'Œz¿G– àf§ÂØ$©Õ\úîïÜy“ º1ê¢ó_Ú‡æ$óIчÞSÿ…<üËO¨­˜ähNÔ"º–@XéÁ2Tó2ì	[@OlüEhØbzÊÑ—ãæbf\·zÅ«9à\>#¯ó“`ZG
+Þ¡HtX«ØÂùî´1ø/M€™•“÷iöå¹?{1L a=Ïè‹-&Á4bÌUêðÚïj£OVXòdƒ'ã}”=Â+uìO°ZVÛæŸYû1ÎyAÿ.Á,ó/ÚfƒÂPÐñâÍèÇþɬDsšY¹²Dðxã1=‹ähCchK)‚>»â$q´cr?ÿÖ‰¯-«Ð¶Ÿe‰r[}]-»®î+c|ÏQ‹¯Åpµ(‰ß"7Ï°r½/õœ!‘ah˜Ä¦¬ûz‡¯ç=6š®«dRÊ~E¾ìs(¯&?ªi«À©Ò3;ÇxPMx¼MÈ廇=8lÓ@‘+¿ï2ýIð°æ
,ùE*ªç+ÊÐíBñyù¿¬7èò"fPþÍðóYÊÀý!„>VòŽeÑ y-ƒCwÁPµˆ–õbòž5®­}	Š}½s=ˆƒÁ‚Z+*ߘ3jàáóÕ\	(¥êùÕüºüÐ&8ŒG&#ЊºiàgÁHÿ‹:lqmùíÕøFŒáÛ@⶛/Ú"²¤¿íŒ}¬ÂÛ­@Ž'RX§xBž#VpßOÇNËø‚íAX9g]q¼¹Äín"{#,ªq
+wóÛeÏl„ÚR¾oñâI9#ªÌxŽÇø;en ëõïFÒµSÂ>ïɧߌ·¼Œ²Åãsá}–€íº’A÷x/âéR³c¢4ã*L?ŽË‰`±Õí4Iy[nK‘û•øŒ]ˆ&³òíUªŠ=ï®”Ró^äÒ°ÝE…øDÐMècF&ŒÝ1“܃EÕÝ%+5¾é'ËG39éÅ»ßÓiÕàý¸vЋ.çÇô 8™±ÄH|XA€¤6íþ: r!(`1É=i;¦úåÓú‘Äsóü[·,žiá >»g¶¿âî°·ö¯=vé`²£x÷å2A>#¸ÕÕ¼…2oÌöÏmR¦N$Ò89-YÕ_â	o—iUf·®éCýKcÜ6$^4Ó£Uèö~=LõÑ*7ì±ÉÅžÓ!óyæwè‰Z‘ÕD¸ м3
Ö <Ö/6­~’L±µÆëðÌwkyš.¾•]©¦[¸fØÇOùøûÊè#V<®%–MŠoíÞý‚9öÛ9°
~ñ”0·ýê^Ëoñå^5ütýéˆu¨š¥ð—ImS†2nJòˆÖ?ZüCâÇ[~÷ŽÖÅNæë_w6“ãD1l‡T4 ¹mn¤Á>§)ߥfYZÀˆ¦˜«:B¿=2=Mx›E¡ö0Þä´Ž–(Ì:¢Š˜:qR<	4Û)¯í|ÕG¤ÒG]1ìŽÕ;˜çãÑ1‡%Ì×Cw¾@nßµ üb´qH$+—È|šâAÊöÑÆ¥MVÔ¼l×»‰QÜåFéš`f
Ú¯§±ü–Æê—GŠY­ô{ßЪ‹!Ðœ$¹|³7¥ük$®]Ö¸Hô×
E ŸCIOk›“iÐ맛e¤	ú¦¤^'¹|+Þ5F>3´¦éÏ.¥JW?xѹ’.×~`Éë.ñVai²¾t/h½8÷.˜kÃÂNÌñiˆ“‡®cUºyŽNÉO¯»
+Î$S*ýèëe¬PìL”è‡ý(²¶´ÊCÆfd<ÍJTÝ—Må\ðÅÙ\»…7‡4z{þÇœÍ][…°q¸äè°7+Õgƒ/±Ó¤l½Ðæ—KË°ÊCsûjÂêBu)ÜeÐÔïðD'\4#vŠ‰?
+ÉŠœH—¢R); Ù:­|Øë‹œÎÉCp¿1<ÁN‰òb¤!ˆåð_»øQ™-­„kžE"\_~›,,b+!‹deøl =Gõ3®~öÑftWºÊ*0{QwÂß)<ùWiзÉ>JhLr(å–"ƒfodS•¸YŸ*ú>
ì	OÀžCvïú´±"bNÐ	¿C7*ü~õ÷ͦÀozEw½Ä©¹ãÌbáÔs_4)‘Õªâ+ìð—<»ó AÝüÑ7}¥ÏX)ÖrëÉ¿Cy_ø±SñTC¢NGÞiøa¬•UUªk°41¸ùú[INOö€š0?žóÅïÃ#1Iv*$å/Þ˜•ž²n5|½ÑÆZ Œ£2=s†ŽòYX¢ÌaM#Ø^GÍ=(œ o†+Plmrzè–²sOcõ`à|ŸpÐÿa5µP˽˜ø>]LÀº]¦üûÑÀ*ƒÒ&|­í—ÎÄBì¯	®µtx(uœ40ó^·xœ¾Ê)\´Ë“×”…5Ûè1ù‚ôa>Ï1™™õO[R;YïõËäÑ>Ñà:p6zÇ*Š*±7¬ß
+îRécLOšF’Ãö³|~ÀŸRèé)Я
˜I·ÿ2ŸTë²àØÒ„–YB)	†Ý…[§8OÆëL€8U¢ÔÔ—5êŽc$Bemøÿfu!ŽgWaRSö±;9®í橵»mÀ¸3DYþq•h{'Õ`eöÀ±ÌÕ.ë™›‹þÉXqÛbCm(Žµ’ûw9ió\äÀ‘=='T«`X^£ø„“Ä°¸lº‘c2Z¬C,Í9åô5S–K$œf/—Ýᛟ³¸™/FX	nT™ðq.+Ð6üñ/pã’Ñå
Z⺂Z¸QAÎÚçÊc—YÜŠ3Èuåòü=Aâ³Æe¡~’™ƒËÑ!=!·l«
+e¾ŽíûÉWAM+„Ö_­ƒÿÕñ‹\-Z¦ ’•Ãò»Ô;˜g½‘¶Ù)¨½šIˆò§ûR“é|RÅûIÜ·Ü÷^'ã4ë]¿:
7úϺßÛ9HˆÔ¿yî¯TÏÞõà ±„Ëîq²ýœ9	Ÿ–à Àc½)­ÒG£Öüå®~–þ#~ŸÑÑHSŠ’Nsë¹7•ž-x²÷ôCÎ9D´.̽oóÁ7ï€|¤»ñ­Ø·Ư_•0{=ùóž4m38Zæ¼a˱²@Þ6ISìQ«ù‰&ª+Hy}k#ëBÊú&¦úâÆa*«Ë•³£KÿE<öþCuó	¨x†$¯ß03÷ááÑ!–ø©±lŠA¡ÍÛìÃ*ÁÖàrOò›%†š17ß+U|¢1pb
`ˆëªÕ
ÚNÐúKß¡æØ´«ˆ(S—Ôx0lt^©ºOk_$ßO¶ò.¬¯Ý©½œùH‹Cx8@Œf§BÀw÷ïrî@xŒgŠ¹¥¬Òööðßê¦Få>õ»?[ÆèePž¨âfËó€7‘9
+õÚüâŽÖü£cçòN∉ވ^	#"cbÌXìW¼Y™ìq[âÄ˶KÄò““62Öz@ƒßØ[­wâ¶tÆ8DðF+•¸?êì°”|‘Ò®Œ‹gM[úÏž³Ûr¡©Ì°0”Ò0KÐuRÁ¬¹8tûb†Ñ<›’Ée¨ÖŠ[þ²	o+iÎ^<ÏS#K™Y5ðEÕ…–?‡vI³t.M_7ßÁãÃ…ßóNM¢ mçÞwâù±IVjx8/¶:Ù´¨×Ö$*ñ “2ÒžøÕ¯|*§´é¯R&óLÚt
+;e÷Íïi&‘nƒ}ÄåÆ >¶}Eñ
+Ú_©³È),tИBPg—^ÄLþ4=2FVüDq^¾ñ4ôՅ퉓 ÊŸsJÿƒwwæñ1ÔÑCíj¦¤qÄG÷RV íþ^úºØ@õY2ÚS½œ”–õ3rc¥~Ž)íê³€TLO)Û_²Vƒ'Ÿùð4ò¾W*2Š~(ùÇQCâ©ÙŠÈaqVR„»jõ®¹êü’àó÷ýèíáù
+â*Àl?¶²Œ«î—ø#ï/ë8ÌÚDëÇ
+ðÕL)©zË˵Êôšbt?´6y¸‹[‘ª¼y'ê3 ¾µ;ø½ ]æ›ý¼p  X/.ý3%Õ Kp»Ÿ;Õ¦G0iäÖ©s5çíGÒ‹wÉ»üœåêU¨úðÊ™ov,ÆYãV¢hµ1™0‰3(ÛSBmõ(¼ªv’÷h¸Š‡ü€€–øGðÁ~=Ã:KñQ×Üô§YÝmPéö®.Ýû¨fþ6üš-Z„spÌ´\¡üa\ÅFW””‹e³Ó3Ǧ’ÌÖSüÁýÆøàûóÊl¥²ÖϤ§%o+2ßñ/¹és"­ßôq¥öÔÓKë±ñyn<íæ£
k@2y™=Rj#2û²›mÃ(¶úð&1ÉéÌ·YÍóÕru¶Ö=QWá¬bex„~34#ðl7®±;'Ò…
+V¹Œ™o£ýL¥—Á¾ÆwvûdÇêÇÞ\B…éõ€cì̳AØŽD¾/”j¥ž©òΞx>|×£«Qó­kJ#¡‡»n—UΊ¡èjê~“d<Ù\}ÛIÛi‰2ГÙ)4igÝZo
±aJüŠä87=ؼî«*Ešiå aTŸWEG¿HÚ»Ã"¼Áú"{ì¿o·9!,<·MÍ…‘•Ih‰s·4+¼d
=>ÏÒ9.b˜1$wg{â„Ž¾£‰Í¬¬8¥W"¼žh-h%‰Ú¦«Là†gߧ ÊhæSoÚ±¼¿œ’1¹]cÉS› ¡„Ýñíœ8»SÀ÷Ä첞ÛV¹&éé¼*)L<ç²p¡#í[è}Çjaší°3÷Ð"v?!¬F¾jØr­"Û¬èà9£ë	ëä3Í³à„–Ç~½–Ðc§I_Í°^’¸êfô”-Y:/4ŽTÙ£Ü"0ÀÇ™)Q/wqžVWºÑ{ÿ.£›ýÒÌþÖyKdG†çÓO½3*‰XRƒö³2UåG4(ÔGN<`âëÚÎM¨èTFoXžÚ¨®´‘L®m 8oÌ:LS]1‚4ÕýRyú>×͉±Ò/Öµ/ù”¿9E¡ñ¨ÎlM‘Ú&fïgE±ãÏÝ«dX¸j~¡âŸCò	3¨ÓE•~6Ȉ‘¬áÞNô-¨Å¹óU<lòvò”6f(ßKNñêkQn±/i,†­àóûÐØrsâ"¾ýÄ=ÇÀÿÉîrœ¡;vÜ)ÌHÖFˆ1Õý2Š^ô8Ñc{=CÂp¤’ÄÔV̇ºÃÛ!9­¿Vá¿åËÎÊŒClEˆ×ÃœØþËQõ®q¤1Dq{æTmQ¨c™wX¢åc‹@CiEy¬L¤.¾‰ Œ)娻ž)Wú©PáHŒ_,èÂ<#?ÜÉÒ6â2ËWË»èXfRa&2!c%éòŒ2,Á›^¨»/Ìs¿³¿DQx™”ҷƨEÀºhèzß’Ò´å|x²Š£O(îéŠÆõƒ¿ŸP74c]ø‹m«ÎÀoƒªiþO4…~4Ç“CCŠ6Æ5¿Ø3R²–¿àm	´ZÕ¨l]¥{$—«®\7ØÈ’QÔÕps¹l¿¥Ú|!8K„kÔn|¹þ˜ª½NŽ°XÒŠFïÈ×àÅvçVócT6mŒ¿í@DÎ/ÈÊËáKÈÂs(ð8éqxê¾d+-Þ¡/®„_‡ŸÓÖÖÜöž½¿LtUîuGéÎlžRf·xïÉò¼
ŸåíÍ¢ÜÁX¯4‹×ÉC—=-‡:õ«{¤÷š§TÚ_!e$Á¨N§o3œ¢é8¹¿ä/§¹²öÔf–zV²'ÞˆÍäF/e ¥KÝ°‰5¤‹Ûy bO'MŸ‹[tQ_KûLˆ3ÜýšöÈ2ºØ/«•à«Ìð|B ž•L¯òÉ9z”yùmH÷ñÒ?!bløçfžÒoy3y­•ŒœtñX3U|`DŽÝÜ­ù	T^›G,Þ“©‰ìæÚ¦	GÍüïm.åJ>³#b½lmó‹¹µÅZ“D˜Æe3ãb|ƒÛO~Œ
+J+öïóËë§Pþ¤Ä"¡æûH‰Œä-BÿY+­…Ó*þQLÉ*â‹ãÃøBÅ“:#gw§Q4#”òóÛõœ²ª6‹y¬pÆK§Q¡“«¡õ<Þ@½³Ö‡¨QnÓ+ÚlÖü€yNþ¨½)0œWuΛ+í4üš—Ì&Tãé#90âþëòuYíÚtK뗫‚½#k´qêžiw!™ŒûQê–’± ‘Å|î9>g²E«€SFãί\tE%ðÃ;ç›»V¶=¾ßF„Ü·G·-2’Šëp„¿!ǹ‰MíbAHVoÚצhU9¼YÖ¥Ø>=%ÔMcPSõ'*s$²BQ™WñÞ§«ŽÔi]G+ö°yŽšŸÈ8–ssfÃ܉èu‚Ÿ&¡OnLPQ„Ä
ëøGÇ‘*늯úê‹hi?j´ì„ZKd’I3fR}åË}â´ûò]Tï·LE¼JXVx [Õɾ&ëÕµTY¡o6rÛW½±ŸÕg9dS“Ÿ³X×KšÇ'Öƃ„Ž/­É÷C8Ç°ñ÷¿>Tû²6/}3éyÔqÕpñN.–(S¶Ëœï®„÷ó$tÀª0Åk‡_cEhE5¯Úæg_uκ{•Ò
¸ÑŸŠ_dÈ=˜\«DüÄŸ§Çú/xl;h<ÄÊq±m'N1®ÉkrnžˆÑGîrzJ÷ø»j«2Å-ø¥é9 ¹û¸Êæ#jÐMžç¼çÄw·(Hz`û墱ÛZ—KÙ-ÌÌäS0;Öõ\3_â‰þ•„kC°5o9q†âsð»7ŠUhù‡œåyTÑ|ÛÀÜJà‰Z)lÝh¶¾B©Ì(Åö½mØGÔA›Êú<øRß°¾_Áçøs)^[k¬çˆZ"(ĉNb¦{Ôæ}´½ÆÒï'òê"[X„Ýâ-SHœd¨ÀaOÒÀÉâÉ lϘ‰*±Ä—¼t»ûÚ5”5*Ó«„òû'ô—Û²oô©áï]Ǥïß,){Óœï>æ†å_-Î5DßÉïdLEÅÞNP —²#SíAW›çu¬ïΰ!Hk„~—…fsÁ	{Ënx:G»¡oëÌ›I#ÄÅg/0¨~¢$9îÁ«Ö¡âü™e]´é¦m4 žÛXá,ÿ	
+è4C•#͈_ÂvÇzBÕÌ^‹ÿ€ïܦ¯Û^;ÁÔº¡IÁ3@æ´'ÁÕò5øˆãJ¹¾%X¡øÁ»¿1ÿ¸§üf›8Ï3Õ&÷@UX̪/È=mlð¡Xðôû}ªÊã`ÍÖKŽhñwáýµEùëÔk’MõÇjÅð49äXH>ÛÆ°—“ÌËY{ÈP"ãÝøøQÅÚð!E»nQ‹‚ÚDôÚW~XÓð¥+†‰ïÄç×IφÒKj¬ìF”_Ð'Ü ð×=o:
ág`®m•žÔ@sék~â2xηøZÉwþõÐÓû
+þ÷÷o!QL“°ßMÀÏ°gø±•ô˜bÂb¾iE]¶[”2¸‰'cø/W×ØhÿôqÖ7
+-$JåW¤¤íOVðªÜbë;,ÙA	Þ¸ÛuÿjB.€æžiK—O¨û‰I/èÖØOY/¾çñidàa˜ðæˆJ‘[›§™»òû©O?Oµ	N'‡Ä'=…|a†iÙEª³¤f5`ÉEï¬ÛÞ¤½{ê|·åE®§3m¸¡Ÿ¼!1-᛺I
+vbvÝ6HÇ™3`Ð6•SÛóxˆ4ÀÏ vÙs¢Ö“yx¹ŸÀ£5RhìŶ=3”\nc™¼.5~«šÑé¤ZåÄ…fµÞÝ=©ùÊ;8‹+ä?~u'FƒÆÒu	*¹¦Q¼QAñlÎÒ­-xò®vx¸TŠß’/
+šêìïû”÷—Š~ÞÄ`:5pFrnéš±Xe¤•ƒÚöz6Ç‚¹¼º@ƒ\Ÿ/HCc/5ÒÆÄÚ®ç!÷„ht1”^ÁËõêäÑ(p	Ëåó–ê­\	.ìùpl)Bo oÖ>`‚r¹C{—JÆÖûߣ„pߦ¡
+?¢YÈ)n˜<ÏÐÕñ Ÿxõ+î…µé@·“PJ³Ä6üE>ʲÂ_çËQÏGq½T¶0Ÿ61mp^
ºeÒ*дÒôDB—öÖ˜¯pƒÿT\…Ñ«N)4AY3Óû3¤ý#Ö\ŸXÛ(ad†³GÌJjonªðÔ‰¥'Ô³j[6m&qŒä$ÇN®¤@£û0^…-³˜þÃëøaÄ>‹YS¼9äÇŒ¿Ø Ò4£—röePÔQ´·ª²,Š˜¡æÏ»òJÌa¬l@†Ó
+T»>U8¬Oú²’\Ik/¬òËÅÃd_P$Õ„Ý*Ù»…ô¶’(ØÒjLþ±•%m¹NV%â°Î
“wÉ“(y*"é´èh&«Ž2&ÂÇñK’¶ ¶\ž©%=Rxž§××Jñ?|)¯PBé4_÷‚¨°üâ8Œ¶èAüiY³zÃ\KsÚ¨-"ÊÚ&^–Ë‹PâÎÔµê£Ý²e3;–È‘“©úCÕ¤šo¦FHß×1·íéùó‹ha¨Së0´•q.bð|ã#œƒ¾Iùþ4 oÄ1¾XŸ&¤˜ÜË!ŒiÉxËÓ‚Šj½|eQ
p‹“_ºŽùn•™åóôÝã†$2äÎÝJ \M%‡1¦Â'þÖ—õ¬$WÀ/‡–-*¤Ö:jî$`E´‡è‘€³’Á°nî'!nç$1Ï#h~™xU†|o’«Ø+k"÷›¢ÉB†%6ü¬-ê5 ½èÇÓRê–r€î|ÌÁ»!J.³ž>¼p‚®„*Üž0ªz©6£ãŠ,^±î†&ÒøB›cz­'5²“5(;¥÷Ê{kƵ)¼½z¤§S_
+šeã#z­h®×Ù㛌hŠïùÔÚ}Ñy©d"L펤wŽ×¥í+ÞVº§8½
ón±U9Ñiöõ¼å Ë`(mÚblwAÉxÑ<ª½'1ðØ2_ËÁ’âQ‰7áâ)ú|$÷’ôÈüc&K¶Y¥3d9¤ÓÄcâÀ®/p`¡ÚĶ›"ó^ÑÖ‰„A"¯’“;ÐTŽKàÈGÍÁ¨¨xð7Cc~EIUûû›sº÷ŠæKëb€YÁT¡Ûà—®€6%ô-‚Y¼Ù›~å…!#µcBŽÁSÿu#y¹6ÛðÎÙDDé©l)ÕЧ™µJŒˆsÁðò!7]ÇÑ>‡ß^în?GJmR¡ògÇOºíâòbñO<Ø¥Ÿ~Ú«:éªêÍ2ÈÎMy?øV𬅃¥…¿Á«¶±mbõG7ÌTR÷òX/3#`å
KîÖùö„„=«ë½7tÛÍÚz/Þ<ø>´à»[¯?o¸Õ
\ s6% >„®–{Ë"Lñ„k1ê{-^©c·òãÃÛA‰SÜÔ^S+ÿ›ôœs»Í¾ÅPË“£¬¦·ñKÁÊõ/´)ª¹N,nÊ~ÑÛÓN¥Bž›·«×2w!7èR !4'8®MHîJŒPèG"(îë×´ýgjÌgÙËgt¢HFÙ«XÌp\Eîa´îâs“ž.8rjÐeKTyAîÒ+vØ5ÓŸh0‘AMx”W{Õù…W4‡–ᄃt_ôcŠ:–ÌØð×ߟ¥¾wžî¦M̵ KòÑu³F‹H[èú›ö9¶³&£q	«Ñ†ª=1ŽÄã­–è×+5ó(ß˹o–Õ§WU»î`4­ÇO‚'¶b¡"@«þ/Óè†ÓÞ:s–þ,æÊÊBí¼Ü$\3ä±Û¶Z­æžM»bA
+¦FDÃöÖbŠX¨Þ‹­wýx‡áiUT_§ÞÙ÷dãÝ~JFŠjÔ–‚­ö‰Î8Üä_/Õ|m£…‘@ÔC̪aöçïUæEiݨnÅa'	Ð_oŠï¾ü²¹iÀ’¤VVÐYý3å‚\œš
+îöí˜:{Ñ„YÂdm…®ß¾«:Ùqèý¡“畧ÍÁÛöý×”×{ƒ§+*[÷^#å^®å5’Nxv‚dûJC"éIJÓ/
ßø÷9p²À–@‰ù¬ a½0á¯ú9•y+ˆ#Cé0i‘
ž6á˜}mu8£™xÁ¥<2¢Œ¶’';rÃd‚\-€m^8Ozåo­øûc[ck_\OÝE¥Bšƒ¼ÊÐ\ÑØAÊ
ùÖúÈõ·AòÀÛn¬»ÖÙT;¤õ
uóh«ÖVäÁ=î³
+B6~©t¦­Z¬‘†5Q
+qÔV9¨=Ò¬\ê(,7nB`.þ¸ªÑ‹
Bºô›äGNrLöéQú[¾‹îîê^M°7íÓÜB±”X¾èW´	ØIà›-ö7ãåsnñ
+cÖSñáq½ßo>Ê¿“•ùNhñNýاBAÖçƒÔU·° Ð^¸|P€£ì¶[S‡ïTq;¡¯tJZˆf[Bôf&‹ék#"¤|O6fhˆ‡ \ÉC¶®ñ‘×Ä/ïê>ï[80×ãFÞ…È}ž˾¼©_HVQkʈÆNcûP("¼²Z÷t›eÿ_þÿ?Áÿö  ‹Äèb‡ü¶endstream
 endobj
 1070 0 obj <<
 /Type /Font
@@ -10701,14 +10689,14 @@ endobj
 /FirstChar 35
 /LastChar 122
 /Widths 2274 0 R
-/BaseFont /YZCCVY+NimbusMonL-BoldObli
+/BaseFont /JNPAGD+NimbusMonL-BoldObli
 /FontDescriptor 1068 0 R
 >> endobj
 1068 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /YZCCVY+NimbusMonL-BoldObli
+/FontName /JNPAGD+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
@@ -10733,7 +10721,7 @@ x
 www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^±kìo͵撹öGC©¦É"nî`
 ’q°‡°°³²	TÀv¦®.ÊöJ, KWUS[0à
àF¦¡‘t!`{) $Й¤@f;???2
@ÒÁÑÓliÐkkè2011ÿÓò—ÀÔóß‘·H°¥=€öíÅ
dëàh²‡¼Qü·5A Ä
 °Û‚’ªjåUdô²*ÚY=ÈhPs}kÅ 6Ù»€ÎÛföæà¿Zsa}ãw.Ž 3ð[ÈÃäøÄp9Û]\ÞÞ`€¥3Ðò6ˆlofëjþWov‡¿rtvxó°{ÃÞÈÔ\ .fÎ`Gà-«š”Ì?ê„X!åv¿Á‹7Os3׿Zú{£yC!@°½ò€ü•Ë0»8Ú=ßr¿‘9:ƒÿ.ÃÕloùÏ
-˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒŽŒ’†Š2ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
+˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm	¶GþðײÈÛ[8ØÙþa7wuüwÌ
äü÷€èÿÚ†·"€æö¶žsòÈ[JýOeÖÿ=‘ÿ$þ_øEÞÿ™¸ÿªÑúˆÿ§ßó¿R˸ÚÚªíÞà—àí–q(þºgl΀¿î'WÐÿ´Ûzþÿê¨úG±ÿÆ÷¯°<ø6q{Ë7aXØ9XÙþa»È€=@æj`ˆ™Àhû6³¿íÚöæ g[°=èMÛ¿ÇúÄÆö/˜–ØÌÆþ/¸ÿìÍÿµü7¹þ.þƒ†‚’¸¬"ÓuÃþí©ö¶	-OGàßÒè*;˜ÿÇá/		€7;€…ƒ“ÀËËàcg÷ý/2þMÃþϳ2âö°±²±±ÞþÿýùçéÓ¿ÐHÛ›9˜ÿµ9š ½ùÛ²ý‡á/ØÌÕÙùMã¿¿ÿ·¦ÿýü÷Úƒ@ 3ä_óf‚!ÖÙ™oy£R=]ì0¡Ž¥õZE…Õþü&Ï5¡¬
㯭žsGŽ/;
 Œ»C]ø¶ti ÓRß÷Ý…X«´m¼L»AŒJÑ2uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ
6:À)—DT_»Â;’iºv—"®;)ˆmq*ó‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79Ð7/Ù/–_!ýmÛÑŸ	·¥Ê“žHÕ]Çy÷A8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿	!æ¢DÚ–¶bO„t8&óïû·ù#¿-L.Ii§¼µ\’îžhRºª®
xïNŒ¼LÒV°Î¼0È'È:”n]ó’¢k+ÏQbÙP2ÿ,ˆè鼕8S“š·³ìâ>mLÃÂÇp]_1Œƒ,Žbš¨ðM›zÁí\#¨m-˜$²¶Ó“S”4cW"Ó?£^—ò–aÇ¢;áû±ÝP<Ö‹„¬²Ý2²&‡øÕÒ<³A–dâôÝÞ¡Ÿ¶*Ô1ó—)‘º°ÄÚnÏýå>ð,üöUaƒîùÂ4ÜU/ÎÏ	ÅíºÏCÔ½!¼L0ûBkÎÝØŸfRkSGD:,þaX§}îK+žÉ¥÷ÆíÊa5òb=L§A!ô.
;õ“¹žEFìÎ`­;[aß9\²@§å~Ê3ùű
óRIáPE‚»PÊ•!¼ö.líblÃ!3¢µÚøœÔªÊì=ý°:5¢Ä§"/pïgúîéãÄÃ7<Ú_Ĥ(LF•žR.Ø31s[’\(œ‚®¤'¾t;ßw&YÒM’Žª?ºcmbU‹Š¶*´XÞ/‹ÿ2ä±I
€¡y—Öë^‚TûþÒAªHAmfŠÉ9ï§Û‘a_Ë®ÀÔa÷r;ôzp=§æ¬@[>`S÷µWøªNt°óäËa7&%êìXÕåÒÎ’Ñ{î›òwß1	$t®L+í÷âQzŸº4ðm_ÈaêBkzK‡H‚Ï©-M_„÷œp:º¤õ4 1°îNŒYIzÍWƒ‰Ûyì	©÷ù3TÃÛu&ÌÀ„†6Ó¦0¥ÇmŒBw‰éÛQ¯èIR´Së‚òj>ËŧÒ—‚øˆQ—Šæ†ßF™bp5S±7ìuŽ½§±ÔlI*ÖÃ(>Úñ¨$®ßi w­i!œQ4±±¨äÀÌÂ…vU|Ð÷üÇ’Y›¾wûuNWdtä[KÙm8~=¶iš5¾Íû]SMÖÑj.¾ ˆÁ±üqÉÒõƒÙøyÑ¿Z6k’ÅŸZåzÊIæ ù»:N=•´qo¯õ¹+¥„B™¡dì¡AÙÝÕÏYgOþ†¥tãµN•¶‚.“Ÿ„ŒE¤¥ïmvž÷ç]4Ú}Ò°'~ªRÉfv5cêÙ‰¯Ó‡)ë8jÒès°;C­L‡’~œ‹Ãò%¸ëP"¸ÞUÉì^ª¤6PçÚ'% ðãÔ'Nurp~Q
Ø÷}ñƒ:|Š©½lLÇŽH|·—ÜÝþ¶w›æAµù½	ân¹‡T¦:¿ËzÊ(ï!ɯÄú_͆vEÂëÁ|Ž¹Eʯ#«îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT	¢Âª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
@@ -10765,7 +10753,7 @@ L
 uÎÂüÕÏÍ{1T¨—t+jªNìpC4ç@ÖîÅfÙä:)0ýôðtòuwô›§`âèÃJ_Âåfò²¤p¡Éý@ ë¤åcùC¡î—rj¿ÁRµP“ÜüQ[öºC›¨˜2Jí¹~?„.ìpÞ»ÂVXz%˜©­^ŒºÎµ†×þ'R¹ÊxE˜•ú½Æ#´ÂETíö`…TÆ*‘Æ4d¹ÆÔÊô;é¯QÍ·ìe¿Éŵ§Ú-Œ™–¾~jͶœÅ`k(vï¯ûa¤æ ‰öឆ…ö*„þlØNÙçfr²ÇŠ1³|/0î4ÑÉÇýžjÈ¿>VùEƒ" OáZ¨zßû,q!¿å]3„*Øœì>ÀŽÅ­ˆ‘{+$v¤fx[VÿÁ§ðaXïòÞòÃݸ´îÖæ#¬OÆfe­Ž¨€Ägs·BÌgtíD·°¦1?éBmbvø¶—9¢¯'2S☟—øø/Ð]Å`œÎækâ$:DKØ$žr°[[/o•‡á‡¦„ô¨ÜëÏ~fwHý¥ÈC¸¯É½ßn	
 ê÷E6K¿­í‹zv
$àg¨¡Ñ8qx!]ü`b6#2•›PÖŠ>)ЦšôʈQІ)C(Õƒ}R~­­‡_¯˜>{š·u9;ƃn¡“íó'\	=…i{,Áe“b««=µÅ¹ÛˆÎÝ6ß®ãÑÜ€AŃšlôϺΛv6Úì	5ÕÍRjå8äò¬Úèpõh.	ÒÛþ1«,Sd¢Ïì^5
ö¢ ÚO舄iᔚ8Ž¨á§ˆCî¤M¾»ÙIrúdöÿÃß#58ƒ8øìꯦ‘c‡9<œÔ?Xé(õ£ƒÙFkcˆÊU#´gƒ–ŸA>fâÃ穬-mDñ{nÊ¢,B‘dKÝ*ÞFΑt0¸ß28°ê!Û™h—Ÿ"à}8Bò˜á"¥f]™M<"$‡[ÕënwYÅ—ÛuÌ6ÎG¹óê=¦™¨ˆG(fjwfÐÜÄÃú£Ù_Y×Òm¨õPø²—'MWußÛKjÓ\·EE}‚Sy识cÔPÞc
U»¿WÎ…{gÎV©)ûðqBÐPègõ‚ »€‘j´µJ¡!ýÌÇO^â®=ÓôÑF~÷H×¥[ñ²ÕÉ»yè¦<€]¯©RE›x†{r.¸õSz÷N®rÍcOdùñ6“ôíFƒZÅ»µp±êLÛll™ÞÔòÓž¾h¾s,ü×Ã"TqÂÝ^–Oãrç,ÙÅŸ¨ÅEò/*f’”Ž€˜›…#ê–úJ8Š\ÐTH6ÄÄëêVäùã§q_(7QÐNàQK¸7VÓ¯¾«v…!YԫΓ²QŠÚ—>÷m‚«“мNØY©ŽJÉèÀê5—I«^ê‘ËT3Ey+fèÏÛ¥ý¯Ô°€H7Û³k
‡9ùÔá?b&=eÖ–›ÆÓG"ÎkM•å­•ø‚ÚXaI\ßmhû]½“T†·8ŸNÀÝKmpæéðí”?Qã·°U[˜Éä”y­¤®|ïöZíµ§&”A¶ùLðÕ(ãðÎ^X&¿*HðÌ·lØgÔõ"‘‡³oÆÿ×aáTž'zûû¹®^u?%Àtc	¶èÁÁVuA†|£¸ÅÍ×”6>1Å'¨¥Ô2¼oòg ’o›Ê
KâúÂTðÝö3r
bBWnêPÑÕƒÕZì)dž¡ÌBT«Í´Añ5¾S5£æ̦¥ÐTU¢¯:Üê‹°¡À†zBnüm`Lô“š!±ÂH¾¤å–+Ž«I¾†ïSªùqS”Ñ&bFœ °–gVÁYòÌÒb‰‰(ôŽÜÄø¦XãÂ]¿ã>€)­—¨°ÇFÓ<äGFÝ«bºD•Š£nw…|œpg¾0ª“•MPü,‚›E˜ž±Y™ü§Û¢bÎl·×Ø‚³èÏl¨¡~æ!È¥ÔS.šÈåwò©‚h€9ƒÔU¨7w¾¤9“Ü‹”‰ór‘¤òá[ÊKâìÜX¯÷ÓÝn\t“Ó~¿ÔlOöü8Å’ëÝBj”Nf{橆uö{!^æ’™Y«‡w댰1Ù$M­,ÑgZÒƒŒÈ&“É‚FS´Ã§·…¥wlü4w ƒ#F.°Ëc’¼uÔi´íòE¿·Y±uÌÑrÂåäÎ3J2ý9}°ÃÒX¬søwéª0ÜwP1®¤Tv=gvM¢Ç6igU›÷* ¸WŽˆ%Ñú¦ó¡VÆÊ`Â/½Ù#»ÏÃâÒß¾!õÈŽb>"Ä*200œ7¬ÏT}èó fT÷¡·MEfº>³¼5qÖ€m®)½—ú~ètL‘×(æ{ŒùCõá¢^m„çÇ'y؈~
 EªÊqÓëTéCòâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<üÈ -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆüªCÞÛjHk_×iêPtkºé7ïze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±²àN|×P’.n¹||£ÜU+¶3F”MhÆœ¡¦9Ÿ?hHû›ç—nrÞ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹ÏîÀ1­ÇN4.ì—{œH¶/ªB¥0¿N­æ%@»&ZëÑ»BhÙœæ¹áí„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
-Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ»¬ÐZendstream
+Ç^;áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü
½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔM,ŠÔšf4énhØ~Ÿûâè1çäí›}“ïÞ®ì”[/0ûË,¹Ø1¤ù…Ž 4E]MIw1Ÿx}ÿØ€®°ý`”dt.¨«]í»¬çŸ÷^²ÎبH¼â(kæOýGɯ¿Q"g‚ÏŸuú·­Añh{fº{iŒv®Ù¦=ò9Û)ÐÔ•#ùîÒé–KTå+§"»dåXïkø’S.ð„›÷]lÿÃòÿ'ø‚ÀÌt†8Ømÿ§Ð@endstream
 endobj
 1062 0 obj <<
 /Type /Font
@@ -10774,14 +10762,14 @@ endobj
 /FirstChar 34
 /LastChar 122
 /Widths 2275 0 R
-/BaseFont /VFLRNM+NimbusMonL-ReguObli
+/BaseFont /RJLAGK+NimbusMonL-ReguObli
 /FontDescriptor 1060 0 R
 >> endobj
 1060 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /VFLRNM+NimbusMonL-ReguObli
+/FontName /RJLAGK+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
@@ -10805,7 +10793,7 @@ xÚ¬
 .†ÖF#['*€©#ÀúßÀÈÎÖØâŸÒœèÿb	9Nö&F™¸™Øÿc¢Ø›8ÚX89ýýX8Ì
lÿöÀÙ`akdíbüOõ¦vÿJÈÞÑÍ_Û_0;'g'#G{gÀߨ
 ¢bÿÎÓÙÜÀùŸØNÍ;Ó¿žÆvF.ÿ”ô/Û_˜¿Vg['€³‰»ó?±MÆNöÖcÿ³w´øW.N¶fÿ•-ÀÑÄÌÀÑØÚÄÉé/Ì_ìºó_uþ·ê
ìí­=þuÚî_^ÿ+g'kSz&æ¿1œÿÆ6³°…aøgP$mMíLŒÿÖ»ØÿO›«‰ã¿DùÏÌPýMÂÀØÎÖÚ`lb
 à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;ÿ^0€¿Æ øgÇüÿ|
l,¬=þÞÿé¨fòïÿO ’ÎÛ dkö—
-FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ƒ¢¦¸ŠÜOšÿܦÿòRø˺³²‡ýßÄþG²vÆÿKøCXØÎàEÇÊ cæà°s289˜|þÑþÃô_²¬³£…;@ëoÉŒLÿ*ü|ÿ%éüÌ[#;ã¦DÉÙÀÖøï`ý/Å?f#GÇ¿|þë®ÿ-øÊÿqw#˜µe;#ž`Ëô_Îu˜¹#“¢Z}L #!ö¥ÊEþ5v½~éá»\•úŸµ!ôMÓÜßíKçö_‡RÔGc}Ö½©&×ùx>$TýÈ[ä4Gº¥ðjÑ^7‹2;`šìŒªG{“Š?uK>!ð§;Y¡n^¨üI\üÑHŸí|Òâлš€Pê
+FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF#ãØ”Í-Œ¬lÿi:Û¿M&¶Æÿ™ù_zþ•7ÃOue1Q)šÿܦÿòRø˺³²‡ýßÄþG²vÆÿKøCXØÎàEÇÊ cæà°s289˜|þÑþÃô_²¬³£…;@ëoÉŒLÿ*ü|ÿ%éüÌ[#;ã¦DÉÙÀÖøï`ý/Å?f#GÇ¿|þë®ÿ-øÊÿqw#˜µe;#ž`Ëô_Îu˜¹#“¢Z}L #!ö¥ÊEþ5v½~éá»\•úŸµ!ôMÓÜßíKçö_‡RÔGc}Ö½©&×ùx>$TýÈ[ä4Gº¥ðjÑ^7‹2;`šìŒªG{“Š?uK>!ð§;Y¡n^¨üI\üÑHŸí|Òâлš€Pê
 Ï/È“N_ž)†~Ž÷Þ÷âÒäÄA“ñ¸‚Á“Gù;äà
 hªTzEP/gŽOZc^0šõŽHr>b°o„3…ólUŽ¸ù\cÞŸÊã+ÁŽÚ)Ž¹\Z9zö'Íõùã%vî4™’wÝWw~¡‰'ݸHëá­³ ò¹ç¥cÀ™.×ÄHºFÄd÷çÅ;Ãž<Çðî–îA#	KL„2uÞDÈ}e%«žÙ«PZ£ÉòÎ*"ÝÕ¸’"yôôgpU¥ÒÖ¡²e¡×y;/…Æ™#gÌã•zoÝõ©‘ã.Ð{|—t‰«¸
?ýè:Šyù F}ÜÈ£¤ïÛsüj¸8ú³æhªw^}ÔUU]ÇÀäTN}Ûc’|¨ ïU[–†tÍØE»*¿/.€Ê6Ãc›¤RËnÆ»qÌK±x»ô½^ÄTÍÒ®ÆMmÐ:ÒQDèÍù
 I°­¦šïÅs[€ëÍûˆ”4ez99Iü¨$‰2uœâ\çGj¾ÙEæOy£Âm™,7Z‘káÇ&•Ï±_®ìûÝ?±d>‘‘áñT3R[&·~n<箌÷h„àŽõÅ™*¬6Q?¶‹+`yëÁ–V­Â{­=¹4t›U×t–~|b(‚órÆÉ2k$€ dï›a»ìýmšQr Á\MAý˜E¿V6"rsòhE»$Ëý•~UôQΤí—'»2~Ê$‡˜Q Ûˆ¸Þ"œH©iù0#>ŽMC«ÌJ/ñ“ßõ¥1ÂÑö³)FSQ+LEt-£*TqlŒÅ!sð¬lÔ5ðØ•ó
u%d,½òø¤AˆwÆÎ^Ùè¾h÷+Õ `-7xÇ-¨fÚÔ{Z³–­^PÓLNÿ@‡[IßðJ¢»j‡g­“kÿ
GÐÒ<å°Fe4>|—be‹(dSéf¬xV¯ù‘ØNúj'1,8o„ÝДÔmÅ6ê–’Sž¼Aµj8*Ÿ¾í†5­úyþ;çp.pô2ØZw@J¨¬Ì– ê)á=Ή虑VÛÕ´üì­i­ÅúÖ[›òã›ÕWŽºã2$³jG;¶œDW†bp—_í!8úkÏÜw…j­ÆÌiì ';EÈ®ç<Ëñâ½´#‚sž¼Ô
@@ -10879,7 +10867,7 @@ Uw=-gT
 ¶§G1l؈)‹
|h˜££aÂz!@
 1±‡Aô&Äpwmö/ñöf“ºS–¼	Ú[·®Ýïo¢³ÞeÕ pÄTÌã·;ïhF­fùeœÍêf¼ ø™ržž®fС>âzU(ôjØÂtž}~¤ÍgôÜ©™D‡óßõïý|[-¨?Wâ(âÔd	Ý™ßId¼6mšÈÇÖün‘ŸÎÒH<âjøR1^˜}]݃·×gôß]nþ)Y.çÚ‡·øŠ°s@\W‚ £Öø^¶s|£ñ¸¹õ³¡n0UÙ„SyËSÌ+cyúm8›m…1z>ó0
 gâ©’¨™an“À0jxÃéÙ,ÆÞùÂýù»HÇŸQ¼BKku‘«mþ‡¼´ÖC5|/Ù4¥µi×ïÃjc¦3üÿ¯9ÿgB.r/Ï‘3”-GŒ
Ë#ó˜ÜGÍÑÚVî«rÅæcOâ1GŽ¤YŽÂxÎYîçH	s,ÂxÎFCÏÙ†¹¦òþˆ÷Ûû¼ïðÝ‹¹ñ¬‘‹ôÝ'ì™ö,[`ª×­DÁH[!ð5„î	½Ìž´wé J†ðiqBi,yT¢A;ËO¼á)u¯1	›£èá²÷T=V—ÑÀ¬ܧQl/֛ɩ²qVzPÄ	Ä&÷UŸîÂ\š3ò׊I-‹>ˆfVdyµ|í¸<7‰þ¥9•”7Å
PVd|NKù’€j}X¦"?…Ýݼ‡cbÛy‚Ãy‡5â!ã”0]‡öpµçÞ 	ü-…*QZÉÌÂs‘ùˆ«ã…ߧqh4ƒÏ3dKQàÐ<,Ö=3n¦ÉjÙ‰€5j·Í“غ„ÊO’¢K鶹ÕPIC4'Œæ™À`¸‚Á·1}£rëfBæÖ‚H¨…°ç'!“a?À,X)ÄÓõ-Kr¯‚Èïíß÷ÝEy?!w[ï}³uß‚aĆ˜~Úyt´1¾¼!ÒpÊ2¨R‰PÃý:£‘z°Ÿ;nÆÊ 3Ðçlj3…IþÞù&ö‹1#ó‡ÄÍ“ ×ÌÊí­¨…¦Qø4ý_–ÜЋ—°QðŒ‘/Ø#îîL¹fJרC6ó:¢Ùà7£Ê>pÝ>¶Ñ$q^éÆÍåø„ªî*¢&SÏžG¯tÑK3*€ â	K}™´à+n®QÌ ÙÎsXAÄÌän£Ão5¡Ìûà6"ð5U6Û¿óúÃ'Ç÷…^cv‚Øeª³gª§6æc?"ïÞ†ã«ÿ&¬º»Û¿í:y_Ës¹÷^%±Æ,ŽõsN2Tt6¼¥­„S„¦ôS°2ú/¾§­áÚöNõxq/cëbSèÇrÿ«SWd¢ÒnO„µc¯-®Å€ÂÖ”‹~ÿDí’‡…ÂÖ¤Ëu6ã
ýPÕ‘%™Û\Ïh84íü¸8“Rq¼úÙmy!·n¶ÿZôKÎãh‹kÚÄÅ—•=mé&…ÈÆvø®ºµõo,ñ¦òÊ‘i°­íhM¯‹ë¢Vi1eÆs¥îä¹Q…‡€­ˆZÁ´kðóî1vÓÖ8DD3kRžcn°¥ò[ˆ¤‘¬…wy›‰ÈšßfîvkŽìÀ˜ eÜÝK?È_ëßÔÅ.å6·í¼ ½ .ç»ø£P©§¼~PŸçѾ<ögGAN<†d¨jšóŠ¶*xv–+0þ¶/¸ûј:ÓiÚšÚ¬‡S¥_€û(D¢Ï…`J$Ó­Š:ýjÅPÊ$A)Ëg+«äßÓœ&ûÓÖ×¹	÷°F {È.¦·ÊQ{9þŸ‘à?(G­Ô:U7ÖíÞ!(E&”š,Ž´Õˉ™°¼þròÚÒ´: àò1…jVY„ñG
-ç®VT@QSP1žâ;ˆ|—¿T"žñópbDç²®_œ’qî¬M\lí\äüïKÉß÷›=Ãs
&Iw,Ò×oH÷\‘‹«Ý‰Ùñ#­²“ß™ùº¯œÀˆý‹¯³}/76u©…ÅçÐ2;–ô•1’ŒPñæ½Úp=e•WvŸNt¢äΓ¯Í·°Œ¤	 îÏÂ×âTª÷dÝðÏØ%yeŽ¼@²*]¾'[ë§Øè¿[JZz_oË.áà¨9®fqR¯#ÍŠC)´{œ
ý—Äþþ_H€O$><Ô'2Xìäà÷¿endstream
+ç®VT@QSP1žâ;ˆ|—¿T"žñópbDç²®_œ’qî¬M\lí\äüïKÉß÷›=Ãs
&Iw,Ò×oH÷\‘‹«Ý‰Ùñ#­²“ß™ùº¯œÀˆý‹¯³}/76u©…ÅçÐ2;–ô•1’ŒPñæ½Úp=e•WvŸNt¢äΓ¯Í·°Œ¤	 îÏÂ×âTª÷dÝðÏØ%yeŽ¼@²*]¾'[ë§Øè¿[JZz_oË.áà¨9®fqR¯#ÍŠC)´{œ
ý—Äþþ_H€O$><Ô'2Xì*W÷ªendstream
 endobj
 985 0 obj <<
 /Type /Font
@@ -10888,14 +10876,14 @@ endobj
 /FirstChar 34
 /LastChar 125
 /Widths 2276 0 R
-/BaseFont /QZGUNR+NimbusMonL-Bold
+/BaseFont /RXTFDJ+NimbusMonL-Bold
 /FontDescriptor 983 0 R
 >> endobj
 983 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /QZGUNR+NimbusMonL-Bold
+/FontName /RXTFDJ+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
@@ -10916,7 +10904,7 @@ endobj
 >>
 stream
 xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h˜™L\\\pd[;wsS3'¥š²

íYþ	ütÿŸž¿™Žæ¦6ò¿.@+[;k Ó_ˆÿëD àd˜˜["
-ŠšRòJ	y5€Ðè`hPtþien57Ú8©&¶«F¶6Ææÿ´æHÿKÈ`p´™ÿMºíþqÑì€Ö掎¿æŽSC§¿3p²˜ÛY9ÿCà¯ÝÄö_„ìlÿFXÿõýS´utr4r0·sü­ª(*þožNf†NÿÔv4ÿëØšü4¶5rþ§¥ùþÂüõ:šÛ8œ€nNÿÔú	›;ÚYºÿ­ýÌÎÁü_4œÍmLÿ‹-Àhjè`lttüóûŸéüWŸ€ÿ­{C;;+÷eÛþ+êq0wrZ™ÐÃ11ÿ­iäô·¶©¹
Ã?‹"ecb`bü·ÝØÙîú\€ÿå?;Cõ—„¡±­•;ÀhÇ oëô·$€òÿNeúÿ>‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î !%©(,CóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶F‘ÿ$þoø¿EÞÿâþ§FÿÛ%þÿ{ŸÿZÜÙÊJÞÐúïüûü}al²€Þ+C‡ÿW¸¡µ¹•ûÿ!á?5€ÿ&ùÿ#ådøwB6¦a¤gü·ÑÜQÜÜ
h¬hîdd01´ú;©ÙÕlŒVæ6À¿Šþk˜:&FÆÿð©š™YÚü3z¶»€6ÆÿIþ¯Hÿ¢Î ª® !©NóŸoê¿¢ÿjï¤ên÷—ØÿhEÎÖøþÁ¶uxÒý½tÌ,ö¿9™˜¼ÿÕþÃô_g9C's7€öß–™þÕøÿøý×I÷?`ÄlŒlÿÙ'Cã¿ëõ¿ÿ¸œþªú¯ÿ·áÿyþ×¢n@#¸Õ߶Fö¥©F{1­(zR€—ùøÞ$T}¨›ä4z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
 üÐIí|ŒRëc1:QA¾Õžž‘'?=RŽõÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà	h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦·ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
 쿵$
œÉ„®'~»¦ìw󬵮¦~íCÊ]™Qê,©wmÚ'c¤	w®Diµs$óÐY–1¾—f‡ÙÄ&>.jüäë賬9“5ÎÕu¨ÍÄV¤?m=Á8ib/4l¼˜’lºÖ’Ÿ$):Srïð¹ŒtéÇ#/sƒydŠü¡
_•vÏÐX¢ÖÙ"» ú”4Ú]Ô†Üf†·”-FêÕˆFG‚„ùs!kt>
@@ -10997,7 +10985,7 @@ i
 ^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô
~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
 Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
 ‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
-oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿRÞýendstream
+oò]ç}£¯9B‘7õ·	öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2
Ún“
RÂɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“	®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦y$3î3i=+iÿWuÈæÔmâ’<£Ⱥ][±÷QgShSÝ»¤SñºïX±wû@`z>ÍÛòÈëB¶"Æ®.(ñôAàN¥Ã|³w®3¬ín1eqÞ¸XäL%­1;¹MÊ®¦*Åÿ^OìU©‘yo•½§ìRùùÑ©	lå™Õº©RéÓåú’ØyšQÝÅêØÌ·XçY2‹†¸Ä¾ŒPñ+«Ö$ßo¼7SæDEÏ–GÙËËGªvË.¼–Õ£ª¾PH^ ÍuòñjzZ+3àÆ´¤Nc<ÃÃe™åGKB.þ/Qü?øŸÜ|Ý]ƒà~.>ÿ]ßendstream
 endobj
 969 0 obj <<
 /Type /Font
@@ -11006,14 +10994,14 @@ endobj
 /FirstChar 33
 /LastChar 125
 /Widths 2277 0 R
-/BaseFont /WIHPBK+NimbusMonL-Regu
+/BaseFont /DVOGHV+NimbusMonL-Regu
 /FontDescriptor 967 0 R
 >> endobj
 967 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /WIHPBK+NimbusMonL-Regu
+/FontName /DVOGHV+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
@@ -11033,66 +11021,76 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA,ŒÌ<5e
ECkkC;Y)¡5௙’RÔh²°³3y@€Ðð퀅›› jgïîhafPÿå ¡££ÿ/Ë?.#÷ÿ@þF:Y˜Ù¾þ}pZÛÙÛmA)þ¯U€@È0µ°Dµ¤ä%Ô’òjI -ÐñoŠÎFÖÆYc ­`jç°þ÷`lgkbñOkNŒ¹„†'{ ±Åß0 ›1Ðþˆ`t´±prúû°p˜9Ú‚þÎd°°5¶v6ù§€¿vS»dïh÷×Ãæ/ö—LÑÎ	ädìhaüͪ(&ñï:A憠r;Yü…v¦=MìŒÿié_Ø_š¿(ÈÐÂÖ	ºþÉe˜X8Ù[ºÿÍý—ÌÞÑâ_e8;YØšýWôG ™¡£‰5ÐÉé/Í_î¦ó_}þ—î
íí­Ýÿm÷/¯ÿ¬Áä´6eD`ùö7§1èon3[¦¶Š”­©€…ùßvgûÿÀ\€Žÿõ?{†æo†&v¶Öî )“¼èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„³µµ¼¡
ð_A€ÿ¸c²€.ãÿÍÝÐÆÂÚýÿðß=5€ÿ®RhælmèøßáÓÛšýU„›‘ýßV'	7 ‰¢ÈØ`jhýwVÿ²«Ùš­-l5ý×8,ÌÌÿ
S5·0¶²ýgøìÿ†€¶&ÿ½ü¿2ý«x&EU95
ºÿý^ý—Ÿâ_ýAªîö@ÀÿŸDCÎÎä?ÿ°ˆˆØ¹<X8™¬ÌìÝ߃ÇÍÆâýÈø/"–ÿZË‚-ÜÚÌŒÌÌ,€¿ßÿñù¯•î£·5¶3ùgǨ€mMþn²ÿ4ü;;:þÕö_çþoÓÿ±þ×vÝ€Æë+vƼA–i™é :ÜÜ‘)1í>È‘`ûÒFÕ¢¿»^ß´°]îJƒÚ`ƦžßíîËçöŸ‡Ò´Gc}8ÖT½)Àë|"o
-šþô­¯œtGLz¥ÈéQž7K²;P?8˜Õö¦””õJ>`ˆg:Yánžiü(\
-ü°¾<Ù£ø§6Äbw¡5aÔž_|M<}~¢î½…î?$¤Ë‰…§äuBþéçC(øC­B¼ªùÕi{Ju¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶VBjä+s^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©š}¾ŽÈïqM gÀÁõ@‰Î
-vÌó_ŸäsýðKÞ`zŒ—6$Aïܪ“³ÖUªÔ¼qTÉŒ!ÝNë”›Å/˜4ú#pöpò>ÙMBˆÁrêM<õlb®‚‡é‹à\jÑhŽ!··qèš–í:—…u>5±“ª——‡³›G¿:×MÎ{òεÁéKœJC·Ò@µ¾/)qpgŸ”­µí‚ ¨•Šgý´»Û]^ÕÞƒÛ1Ü ½û߬Dþµß™á…°ä]xŠ©9ØhNT:™~«„r…7Ôè¯ArÒx‹'£º줔(IÖR×Äf*®•5`™xZi”çe™•Vê]è®tßó ¦@ßë¨ÖŸ :º·WH’gå Îãí;g¡ÎÞqQþ6ÿ*<È8Ô²nir{:^2‘@àcÆÃLˆ&º¢a™³SûI˜ ¡NÕÊÁãɤðÛeã‘[‹}­H}öA÷4OöÖgí
-„7N•{œP¾©3¹¥Œ/Ä[Ö]ªp­Cƒ’½f±eB8|*ÿá´%Q0d’hyŽÏË9€œH7þ5'i}=½ó{LXwÜëaä6Aº„ï5Ëo7F—Aµbñ#¹‰…O[?ˆny=¯7…³¾ÏÆ_žMSÑÓ<Ÿj²¹O-ÄËOrlºÈ|!•¡ÀºüV„,y©+¥,ßê¹2š_Sûà£#üåž·${qÛF2<üm=àmûS}ü{/°¥ÖÌ:i­‚ƒ‹\’³¦ææŒ"×îS©ÄÙM>?gЀñ¤kMí!,£sê-Ð@‘œm.êÎ@ušltÚŽ£{±/¦£¢a?©8AŽ°KjðæêBQù–‹Mør“J­õ¡F7ÇET¤tVÂÌ''¿3ÉØn¦»3=æܽ‰(®!að5÷åñŠ&'×ì
®n612"à8F•–²£
_;Ù¦kžO„ÝÓjwX	í¨FVfzÙâ1ÖãðÆé›­iàRQKzó€ü§$·+,o@rÂð*šAnú³,½,¶¹}ºeÄ)ywÉG~­(JYœ…Gåy T0}O7&·wŠÖŸ D©ÓÙé@ê±=Iµ~½sŽè#"Jk6ÿ´µªt‰`úb˜B½”ÿ}FžÎå”ê¡scÆ_»K3B|=iLõ÷*öY/È×d@OÏ9FÔ•Îk…&÷;®/Þ¯/]ÁH}ÄËg•ëYnq¿C…å#!èkšž®¸B<.›/æǤ¯çXd\ºiÐØñ-z+ŠÉ¥KHõQ´ h¦ÿFÏÀÁÕØ
wˆÇÕµÊÉàŽÌ–$^?Bäu):pãuÖêShÏ©ÏUbŸ¼ƒMÝ(¶&gPð	\`{$¾ɦc¢¹Ýà%_
µæ”¼:ËÔiÏ¿J”­¶¸•#HÆÌ)o=A¨|iÃHo5¦x8ûÕ¬¹Ùî?[8V=—¦­Mº.ïS`Ç¿%¼à%¨âÙÞëju¦JÕs¦þð²=ö–ÒkŒVH‹CÁVÑ"¯•›ˆøKŒÉúÖxÞfªxkžv7`­ÄJmœ,™iì‹—³é éM|ó‚X2<».Íhì¾0úd²n¬ØÕ ŽgÈ-KÇkenI`sã\ãQ
-ï™°H¯Ñq<)XÍe.vUÀŒ‹Ææ6¼j÷(OóÈŠ¨ð"AÏ@ä_ÞžX$#–alxUeh[fdþ.Þ_lÔæ8-®(˜ÙÉë¾—©)ZóÕŸÐ-Ž¡ÀULµîu!lIã$)ùºI@ÂÁA5ØÀ4“î¬Y’ËËŒÞòQ€!I…ó
-Ôû´Þܼõz2‹÷¤#‚JÇ_N‚aºäYCÏ>\z…„–gĈÏs³Ìjd¨¦!X¸ˆÓwÜ2mö8Ùp!os´C?yTÿ@[Qc×Üÿq…ÒŽ¥Á=5(æΡm³×	ÔIìÑ/Ôa1VGKj]Ø w´Ú}oä¿8A#çÁ°\SêœM,ZkyÀºHí(¨ ·³ÔŠSñçöš]MC~ÌTŸÜ¤Pg}÷p€‡€
J¥'Þ fØ‘Vý"‡øíbÇdsªÝë~£vz-t±~ŸU²ôn5\±ìÕµIýS«Uÿ	>¢KóHšÃmµ[»nKYݼ øËÈ|(ÚÍs@w³™ >sϽ°V…–šü	®ÙÞÇ+×Xª‰‘†€9õUW«K8†?é
`(zšŒÜ›×Io_eîÁ‘Í>&p×$ÏoLòŠJß´/õý…›R-“ÃOÃÄ,Á‰ þØFáÒÓýâùu.Í­Ž©X€²£ÝF:ûL@¥å߸‰+¸CVçD§›î$2ܘ±­¤‚Tô¦:‡4Oòü?ŒÙì7ØC*™VBÆò6Vjó­šÛ¾§
÷fÝÆ1÷ídž
¿ô|ÒÞÞ@OBG	À§˜«T ˜Ã1=Úuø1&\ÛTĉº(Ð64Ï›§¼ì¥—¿ž6ÇnÚ4~ÆcÅÛ[zFbÆ’RJ»žƒ.¶¡ÖkŽãÃÞDþÈÉ+GâzƒîÔ¹m_C|øþ0/–­Xµ³-`_1+Rå¬Ë¸ƒðžM*&`*ó|ÜTF-ò\<óãT¢Щ› 7³Âý7GÓ\[C2Öb”Ÿ‘„fÊPš{í›ÔW‹Ìà±(B(¾\íɵ^*L²€N8)”póiÿ *aG„ò7(…ÛŸòŽUvÝ9ÝÛ”NŽri$!誨’«¼Ž×ãý±"ðníyæñàg±ë?ϳ· ÓøÖ8Zj"kô䓆üùàÆUb´r¤|Ù÷̓ÌÛ­ç,¤p†é÷ƒ³ÍÚ…ïßý«½	>õz´ø#㉸Pb¦ÝÝ7K"*t²[ÝqýXÁ2¢?Ù®Î>¿cQµôÄ	
-³ì$"½ƒd"<Ò-דº!ú!áŒI™o‚öé­•“0óV;q„¿kù ÚAƱç!²‡Í¹iÉ—?E«\6ï•qV½w8á’Ž_ö3—‘¡DÏ	RöpÓd‡á~.ÖàËR“Eû?ø¿±ó­šK1Ã
-v¿»1	ëæƒÙ(ˆ¼JCü
-à+N‰Ø5ÚNjÔÐY›€¨áàݵiï+Zf;ˆ?Çåe³ÙvWà·kŸÒÅüµ—¢I¹ë´“F4{½*-5	…)2x¤iÎ#§·5ž.‰©sVñº^ñ¼ëÓýªÀ›`õVÙÅ¢UR¸¼ûpœ“åæ41$ûFÐ8ªŸ8lV{v”ƒîÞw©³î~¯ìýý«&À꾃~èôÓEKå½ây­
Dj”¹÷-vá'†H=~€Œøä“þܦð!UMÌÆ‚qzÝKs"œÏòçžNIZÇ&s™/í}‡•‚ðQE´¶åï¼1àE˜»×AÖö¹›€Ú8!ZŒ%©u4¶7×)-¹¢þxÏÌŠi#Ò},V{ 3ê™Lk0Ûd±À1èÙýåÇN@ˆñ€ÖXzdöi¢ð»†¢”YµÇÙ¹þÕ‚ÅmË.»ÎÅ)6>NSã"jú¦HËèË­LnE™ƒ¦üÂKh°ï_ŽÆˆ\RÙßC*  5¦
T(´eLjÔ9úÞÓ…eñrWtA…¤ÙlõtŽcKª¿ÔL©ÓšïÃÍCm á‚cÆó7ªÓû:³HAÁÏÑ×$k!å8Õ#[;mñW¨$¥„ÊQã]T”PpÎÊ©j0)¤p)8H‹Ûä—4ÞÌd9ãYVä]mze;ûµª.ò+ÜôÖƼ9+C­…ŒµÍ7ÈÀaÀõñú%B{PçÑó²ŒG>¦ï\8ÞÓ>\ùë
-¾07ÙtîRÝçP{myZí2÷<ijœçâzxÒô£'2ºñÉþD–£,9tÞ±¾vR§ðSpCŠ%è²³O»¢‘χæhÇeUfL†öH)”éßѦ"¥2¦TVÞ¤Vx/>’^Ž³Š$pEÚŸºþ<˜÷|š‡+œüäî˜jlJ¢ÂKiMù	éÝÙ—áø~‰Ò!ÖQ‡ü{Ç´ûô"¹HПc!v©+2é5ÍlqJ®‚MÏWàï3hŸsÞ:®ÕýT‡1›ãð1QâÑ?nÑa»A› ²¨ÍÜf§”RéTø§qÉíæÛ·>Åé™*QÕŠú™Égš¾p¸ãù€ß°L£¥ÍùŒ„Ê«˜½HÔvN„4'F­Ÿ_?jw­í€ë`Dz?ú¾É¤‡ªŸ}¯?]{•jåqL®tsµN!CPóÅñ5ˆÃ·Ì|Ïå~º0È žÕ	iê“Ojh¤Jb§
=¯ÉŒÕÿ;Ñõ¥efÚU»oÕŠþ-gì©Ù¯–Ï‚ƒ‡ÐhèCÌÖ¼Á‹Xž
0Kvî5möAœáÅ\AW*£PôŒ~é_rqúõ§EÓ<ÕÔCvCX±
¸q`3'¹¤­„{èF°–$õh\..‡ ¤õc½ÑŒ â†Ù]ÖÛi ¹ýhIèuü–¶ô#”;üÌÎl²k¾HSEb0pßÂéôÈUÖùz¶ˆ~ë>
-º.F5|EKÖ_kßU­†Ä&“ó"÷•€äûdÎ…#æ›5åØK"20¬.Fí¢Jà(2\࢚z~"‚*X¸×”•›¹-=‰Œ!‹2ZK
…‹3…~`ÊòJ&qðmvpˆ;¢¬¬Õ¼}ÜtЈD½N¸Q/pÏÐ@Øy)diDÿD¡L"Y^ßî/;>Ìûjö‚cÊP;É)>¡ˆD‚qL¢‘hF‡\§›:ÄzPªÂK
b÷{Ž:bÌ_ÊúDÓýx©4—wB<ÂhESUÈyè,ºf=°jŦc³Ûb¤€™×Nx”ØBÞ.Ô¿œÃóoRKŽNMðͱŒNpt
ØA¬¡âϹùèÓAØûElÞn_V~MTÈüð
-ÛIX¨_QW:ÿµ
]úÐÀï9Lœ`]fd„ú1ØñœÖʨó™¢r
-EþØÜlgøÕ_:jûìe‚¡¡¬¯	3"=%…m7áûìç‚=~WéFF× 4"K¬³DÜ'ªÑ?¶úï…nÞüú
-M
q‚8IoÜ•ªÅö›ÍL-Ô…`€ToÞ½*Pvz:N“x›ÝžÜ™3*IŸeÀ4µô
-;S9Á%]9Ao¢ÁN©‡’p6/€ôJš6:7õ"élÈ2îqœÞ܃A«ñ)Û«Â!F—?+Íõ­ÙV³d$7ÁÌ&áýWW(Þg0 ÎÜ#Úž8¤;ßJì­¯ý‰Ù¡L¹ŒÙOÝ5oYÖá˜
-AÒà}…a™5‚>ÂÃNFØX4²–€žÞri¸™½‹…:'é‹NÎXªËQ±lC#Ë4’w‰ùŸÈ>ßOºÒLZx¯dTH‘™‡Ø*:ÑP=@[›CQƒi«m®þ²´!
-ÚÕìΨWtŠã?oAZdævò6I›¼)’þ‰èRUÛÌ(Á@Ú”µ²âa»¦Ð£ñ	Ûå²ÛšÖ/ì¬ý&Å%é¾ACF÷êÏa¶šƒ;öùZjûâÛQBÙ„ãljÎYIN«ä…{Ïy|—hX®t²RML‡WK&q¨aEPjÍ–_ê›Í2ÒÙmYL¡£Ý§ÎŒrêgsÓ¯NãÚ‹+A׃²„7g¨ëÞÊN óké…%¦~aÝ–o¥­~F¼».û#3{9D«Áä1;â´æÍôQôÃZÏú8w&_a†¶j¡ã÷q ´r©>Ý}~9ÃQ‡“¹ýñQËöš‚¸¸ÅÒRß
-nº_Ø;úáW„ZÏ(œd ÆÅÕ>¤õ„‹ÁêÍ¢*qöŒ‚#röwQ;£œjÚÆ^kNÿyŠÕzÁ	tjY×rCD[")Q’£#˜Øn]Ìcõ(ð(»CÈ=g}¶F`³k940Œܧk¤ÿe:ä#_tRáYL©£½N‡íAKZ'	KLH§£tvH¶ÐSÑe6óSò<ø]©k>¿2 GÇNê#u0UóQŽÅÕòK»/ó<'\`ÛyæÒ5êLZ íèÄn™çšz‹ˆÆL²˜)ÏvŒX¡[M5þÉž„¤´‚o®HõÌLg‡œQäzä<¸±5î6Ýc²±ï.U¨vÉM{bUWåL¼Ù¾Î,mxÙ*û+‚ikX‚â{uõ<„NZ'8ƒ,T¥~Xè%{2Ñ/f>[µª¦Dîïö|Ý¡±šöœ©.q´Ÿ›l¢”„AMãSæKæí3r,ÁãZ<Ë›¬ïám)œ+h¯zìÏa~¥^Ø‹Yºxà½M67­
-}¾Q@°ë_Â!¡nÒ
q£^c7Nh?–Dbk]z‘Zøù·Íà[ÛX=mÅ›P
:žž‰ÍW½G°tC#<áß×VÂ'¦ŠÒyÞÄ1ò\ðÎòˆ¿ƒˆ§9&åŒÂT«âÞ°;¯oQ
-Äd²’Ø[EÜ­°¿ÈÇ`n—ÅædþǦiBŠFtù£¿
mŽ<{töJD|Ï;±Æ&G‚iþco§Àå²-çaA3©±W(æ‚2MYÕô(mò¤	œFã³{gþz&V__éa6ÎÇp›¯ØalĺÃuwðnæc"8¡n‡:Ñ!1w‡Í‘˜Ý¿g•Ã
ˆ%ù[ÛÃÞI‘nÓåÙ–~gdº/~û¬ugÉp¡`ÁPþôTiHŸì2\)ÜЙÍàÿ®ºþ0æ‡zx)œE½ Úéq;7,¦ýs¸ƒ,ª‡izÕ­éü*ið¾\~]•mî§Æ Æ
K•!ì†ß!ou4›¿›û‹†«ðw<«^UG‰/)cy¯$Ë‹>täCÔž•6rеð‚jåº)×ä;æC'17'IÙŬõ1:Ï–¼pV%¤»Ã
-2°ÅѦyWýö¾¥jÖÎŒUËü«üÂ@¹,íðÊ&©¾JèS"§oóZ²,¢tëpbýèÒúc•û"i}„¦Z~K¹ŠX`i~l…`šúI‹%âù>ÑH—ÓVÒE©ÆÅU
…ú©KÜÖ·w+ÁJS¼=öËŸ.Ç=|µ >üô=ÛŒ
-’úC¡ãa4Ÿ—7C‘ªÜ݃~Z¨‹ˆÃ©µ»*‡‚s·@qp![~_£Œ¿:[8&‹”ŽËNp€0ËtÃ"¤ü4q%¬i¨•F³høð¡HÁ81äј=Þü2¶ã³âL˜lƒK¯:ÏÂiåsB¢/]ûP6•[x²	_#6}°ÅfT¬…%*FųÖËÇ}Ù‘8?´Ï›PÒ¬“ê<7í¹õìÒÂgVq_î½ò±fKú–lFîkÉ(w(:Wâyx­¹CIBÞâ‚Û¨[NõbÖcpq¹Ú4j´¥"#žþs7¾hÐag•Þ^c
QÔ'?ªæå´AÂÞÊ…øh¹(LMa.‰(<ûù
¹â¹®ÄÃä%ÄkëºT)ƽØGbª8Ø—ö×tà,D¿“¿¾µ•*Òš.S:µ›èY|Ùä'Fz„yÎv~lˆ²Ð…ÿþ5£àfâ¤û–¤A-í-³ñsEZEÄ÷QàÝÜ=‹þ‹ÑMTsî›?8á‡t2eVe&…¾1›B¦\q(ɽAˆð"_²ó8ŽvTD=°e™U³ÓÚÖ®e#"EîÍÌ-ûax‘Se¯;ŠF$­àÈY‘×Ç7¢=HÞ¯½~òp±Õ¿þ) ’ýÐ+PXY-x"yQùºì€ìCˆ«=³&o™ù…ŠÒ¿$¿Bb‰ÔÜ“Q80ƒÁ˜jU¥9Ãüró5½C£öñ²·Ëä—A<Õ¦¡1RÁgó[¼X-	?¼§µebÑ×k^6*ÙJ¬(І¦7Ü1)ºPïNଛ/r§tªX¥õø&™ ¥ƒÆôÏážµÓfÇH­öõŒ’°.ÛJó9øP>µe't§l†ƒì1M¾#,Çä1¾#Ü­ÕÄš#[ÀN).·E¶/°6~ª§ˆÄ•T1˜ôY¶#ß:a³áI]ï¡‘g=㟗ì26®HZÄ+ØÃîk
-z|~ÝX!ö×½’F`à[m”Ý»”}«SqÁM÷]»&ÃÍÝùԛꚥ‘ü…@ÏHÈúûÓnê
-c—™XúAÒœü.;
®¯˜›'·Œ©½C›ˆ^zºnõâ塳ýæzI‡•f®.µ[bO\–äïoË2@c„ÓRvÛQ“5¦_nuˆ+ç±Þ0p%í(p“ ,\íqºGÞâ•ÕœJÈzpˆF­zè€ÙB+>„	iÎÞbcýЗޜ:È3\0/¡4ÜcàˆýÚTÑýŒ§mq¢Òß\cÇ úb{OhD~éì#­Hýð&Åû˜éì¿Íäj…¾d›ÐTC	ÿcä¢Be({fŸ9¢z±í¯ãîí+¸ƒ»ˆÚ2HŸÃ{Y³ït”CX¿4±5=vßê„$òVëlY„ÒT PNóD©	“¿÷Âá4¾4k[ç†ÙÎ|y©RøŒ³„‚KÝOsOsN±<
–$õ
ßO8,xìÔÝMSc1#ØÐ¥[±V¤Dæó:1lž ÔzÔ,•é$âλ›¼ôá·µ©¤C}cç
-RÐ%åØWÔ糖Î;ÇOÏØŒI“ëöL%Ç’,úÛ¼F¬>žÜÁ|á™ôaײÍ4˜m?3’V=·_L=Rx;`‚i<’kav`Äóè·¶²ú0
-pºs*Å"øVŸûå¦ä!¥`˜nƒ³ß+ó+ŽµÐ˜-”a¦¿FJá`éˆöF%†m„lï×Ñ|GÅ“ˆ9€lö,Îh¶IŽ¢‡…ÿNEIýõ>ähÜ—ð¥‡Ôâ VG¯ªuIl?¦_a‡EÁX¬¬¡Ó]VbîÒ\ß0—ð&®Bs:¹¨k~`µ8î¶ÈÑgk[÷Þ–C*qÁí%b,ˆÍ¦Y=S„Ü›)kT}3ÐwZúY+Ì¿¸‰Z™ m@}‹å],×jIºJëÇ™Œs³mæ™!É=â1P1@\¨²5ãd £ÊÕ¢+3[9DŒ§Ý´º;A‘þsš-lFQRÒÀöÛa¾Övþ[A(Ïô䕨:>Üa$/)œ¦ÿâMU_q£ªÀX9ð(ÂÙ9Nø†Ó3+öš¸wQžugGвeŽd‹@ÂLkZÍöç@QvÛ˜Š!-+¬d±ëO%è \é¥&û)Ë£zÝ»èëvÁ10䘰²ÿø£T7ÞúûèÌ›ó÷ÏeN£Ow·OªCõ§{gW¸¦u‡3Ž«›°ž¯uÇ*/[ê7,›¸GÜ°”¿¤Z·R	®²¡Ï”ÊÇ‚À“É*ì5tõŠQ,öO^ÇHO‡^!VçnõYç†ã2?K0eXËk¦·zy*’"\ü®æj‰¸gFÓïiêC.Níe†Êë”–"—²a÷4TÔîÛϹÿ)ÂP~CMH” sü•cň$çi~}c5mDÍÚ64òÀG¬þ¢ÏsÒœ¸—Ò¸×õs† ¹žGîì¾íʨ	¶49×ÔüɆÿ»–21“膞„P1Ün`‡\¨_RðbèÖ‡èΑ6ÂdÙ.ÛNã²êü–û:ããœÀË<2¹»ì¼‹¶Q†.j”¤ãôiaŠ(«Ť{+ÚE
-çøx£ƒ®Ñãz#ú€½ãJÿy‘ÃEäºF•“Róª»ÿø†D¯11tü@Ct´Y$Á¼šGj™¯%?¼äX+å•?L¤ÔÛ˜‡Í”_´Ò#(?Êô\˜ã@¨nw"àYl™À<”w„ÙY)ª5avQÿÊ%éömŒ—êÆ5=–AâŒ*$$–-Ò{OcŒËüŒÖ3n¡÷j¦&•3ì£Ç€ÄY+÷U&‡Zg\'ãMnÿ@÷W¢4’:zvlAÚ”‘…‡’>é„Üo¦˜Vü_Ù¹šÇ};*ˆux’ÆC,(¨ƒ|ýÜñ¹Ú÷zw¹)ç`‚‚zÂÐg\ÔMñJÿ¤žÜɆ'Ž§¡j9åÛôWÙM¶¬út5àÅWª˜»ž›Eþvó[rǺ4®€Ü’™`h—=¿©ÆôB•š¹ÍjÂìI~•[ak‰¸‹
-£fÍ6•9í]ØTÉ°bµ÷áú1K/š&‘9€‡e×¢hœj4Šß.Î[)Z
-dCŽREm46¬8Ó¥N¸ «Ô6<É,ÆÐÍÉÎæi:ýx(¥Ët8ÐËn ÿ`’®!©›86·§FåK•5JíB«×½VYg©»,&à1:¥ËãŒ'„D=lï«&è©IãQ
¯€äÌWƺ¥„RÒŠHw²ˆsë&üÙ­kèàûmïyoµ©ltxebmHçfïêïo&Hì*âj¦Î¾kÒrX›0 —
ó=è^›,›.Âå˜/Z—[’áXýõ~™?4ÒxÈÙ'€äñq´¤ª^JÙ[K™†OøHÊW|Ý@yw³IÉ:—ˆ™ôU-MÎLáÖœZàZÌBÊíXÃ6‚|6å˃ÃçÙÚœ—äºëZ£ÇØų%GÁc‡0Cüs‰ö[}‹#µ\ˆae¤Ãú4R{ ä{ÙãaË4#ôbÏ7áÅÂ…z¬«@½‰	FC̳„…žóc’ÒNÜ4.~4\jtÑõœáåxþ;²![EâOB
ÆwkäL•1Ó-M‰Ë㤶@fõ$²&©U"Ë*uA½
-¼ë0å ®ÏØ¿îZïܪc~[Q7µê4è©Hšñq‡Ôø°7ò=­³ž‰’§™òÆú˜“duˆ?ÎÕ+r^9kæÖq槜a^NžbÁ:ÐÞ“ªC=>JÅЕd›dg‡¼]ÕúˆËz@øeaªCšs5z Q/FÐé­Dú÷8È«âX²D›íŽO@Ñ%
U÷Méd>kZ|èdü%ÎÐ?,cYÎMw5ÊÃÃP|øTëZBŒåæxM~`Ô•ä×P
-Ïoé†-Ë»ç² ¹
Y¶ñ­Î±‹èÞÛ°ëÙC¼aŸèß7嶸מ
-뜻%CAÌ‚¬UV´‰Maü€¤Ï¹uñçó„áÜêÀ:œð؃CÛ(|#ºÉ&ÇëéòɼÏÈ8GÙx被Š³p<BÌýÀ«›[¤Êñ+ÇÕ˳ž8b׈×[ÍT|­¥#NùæQߧCW;Gˆ|SmÿFÞÖil±^õãþ™ef C¹‡¸·á¢y	JòëL;˜L]¸îÙÙeÂAÚbˆPAIÛdðIÔPîÅ¡êîµx£x¤ÀvóóZVSshö†ñ<(ïmýyh·-®Í䦊ŽEʼnqØ•!fmÝSÚ‡ðËZŒóÈAöÉlxýJ|Ÿ¶q³åTÒŽ4˜Ìýý—HUUmnˆ øCWÜ]Òï[÷²;ZØtnh3¦œ¨8	ì.(Ðë[Ù_ô~{hRÒ¡tá%kj†)á¦U12Óx±g¥×_nŸò‘±q»ÉWŘÄÕÜh95Ýô릆‚˪¿´¥eI]"è+©$jW
 M vžÈæ ZTb"}¤ªTS‘O{hŠ?"ʲ|kêz*uÖqÎtR‡c7J—‚5ø
Z‚†R
-×·³÷ŒAÿÞ]ÿ¹:#¥µI丙û@òñœPœ p9EñxŒ9"úˆçFëÒ1“ä2cÈÝVâârÌàOÜ>KÖ>uÒ»jì¡ír¡Ž#ú$ÝQoë<µƒº²#×_›Êÿ~†L²¸Q“Îxêœ-ñ9t­@i_Àš9™’»ÂuŸîçrÿ
-ÑÅÛ±åprkBÙûCzÆaÑÓ3ëÌ"!²2ö]3¾v{ÌÆY­»G«Œs»Oå×náR¤C2¾&`ñNƒ§Eƒ“\ÙÍ9È&Bê.üŒ¶Ù· nRV'“BV’äýáú%h:¾.l¶CÑy%4KÉÂTÙfÝ4„T·:ùÔÖ4_'áULšj€žXËÜý¤öiûÃÆûêç”´c§=`²¨øqªe˜ßC´Ü¥îóÚlméòùfôæw Ñå#ÑÇ’tx³%;$àh
én÷ý ‰7pP0OÇI¢£§f2TûvÆafÕ4Qö“ˆ,‘XûÜLܧ–zá_ÐáVM¹‡¦OšdvÉDþeQܪ#éØ©èªmc…PðQh–ȳç%w"?/]]‡iîä-7.ã’ÿ¦VÆ|K‰bÆ”`ˆëF¡·bÈÑ¢-ñ1Œ¨y4T,}ueé'ÊÇõ»•ãNø0mT#?[½ø<ÿ=†C³)õðœC“$²h,™#O±Píe8ÒE(,–#s¼zMÎ)0Ý‚³0µÀ²DU4–;ÒðÕ…1¦ãŠ~Ç0W€/MY$g´™•A-5 Òþ 7ãnîS}Ž@N:°óï3ÆúZ½Fõkwy<Òð‹÷ÜhŠKÏ=s+8T¬ªÈáö@°on»ÕÜDükw¢ïž@8'ïop°ò›KéC©ºyϚʡ½
-H¦Ö¼9Gž¸M‡ôº„þP¼¡ïÒ4Š›µ.¾êJøiˆG•Ä$…hÎX÷lÕ-DÞßÍ›á/c;§Ü?‚Ë¥9‡l®Ñ{Ä­Æ»òni†n½$›B×:õÒ©~’Xvyx’9c…Y
-	w/¼ÞU·O§”~EÁÏAç8Q•|ðŒGÇ=gý9,?YÁ2Ë2L"ôÄEñK‡æPüÚ÷AÍí"I1„'{†§³
úº¿¯c¼NøŒß_lbéøûö—
m„nĜɫí÷Zäo£‚³|t0ó>ú>S‹Â™ÔRú—°zaI¿ î%ÕA˜">©
•N~ú‚×-†®2-QVçh-‰úó
ýÞpܹâÛ/–¹"5vÎf—GWnT66þ8éô^úÞu¾4+k‹O5Q]¬NÙ 
¡-ël_M¸k˜ÚûAú=é&;4³áhgVå°CºìÞÃ5ÉÕMå×\Æ»8Ô\¬è”&fO³úÇ;^‘RÒ.æ,S–¼÷ƒ`÷‰†¹¼3y°f?s&†ñÊ;
WÙ,¼K#«©Ù¯®øbj[¸_VM2ë*BWMŠ¬3@¿1(Ÿ¸éŽ÷ÏÉXúŒ¶UÑäDär÷ñÇtƒ7Õ‘lg
h/‚Ÿw˼¯rÔú'‡cÀUµÁªqFÜŠ%ÿÖi8ÉÜÕYýXò³+~¢‹Ùäûó¥rkHú¶>O­ÐÑѤ²v†1˜#°^:á?Q7Q¥×8Tnn¨tÑ#œ6nœlÕóÚî×îŽq
-Òo)³S™2áØ¢c—¶FäKa·\®ó*‡©‘@èž›XsIÅXðûh‰ðeýÖ8%W6¤¹¤‹»Ü²yÕŠ½¢uoUêJP'mͧésŠêø?¹ÄÆŽÞמ+Ü¿eB*£HH:`rÀL]¿ºH.âØð~}Êη¡>¼üHÇ8š½D ýâ.ºQÞùÎ_]Ì—%×Ïت3©W$@2?d…°Õã¾Â`¾²ß³Þ׆>xÊ:ªÔý°™9•YæÒÊßÞñ˜¥ãë^:?Ü'°‡eIº¼¨-„~ä˦MÕ7W¥_ÓÞàÁ¥MxqÅß)w¾€Ì}®+È Á‘ÄâGu™.­Y6¸D£‰ý}KCîý§WçRPn"8U+Sœ÷ÂøÌûyvÝôL½3ìüî3QÁš\É–ä>¨UHC{ϊѼ•€Q¹!÷Å“÷.¼?;L9§ZšÒE¾é«v¥Ž}03|­˜6þ–ˆ¶9£,whœ-ÇËŸ­×;?zøpÙÍ„y8àŽ9Ë¥H»ÑHîÍÄû-q˜˜\—1άÄ.5HLUcß|{¨8óŒòZßÔç`äô³ÁPß½Q5åŽèz”=ûŒW0zúU÷Þ r	còRˆžÿžDCh-&¦)¬u#Å>"1™k–ôÿ»žÍÌÃá±N”vD#¹¢A窠›`_ÝxXÒÈwgÞ„ÏÙå솋ÛÈK+´CܦA"Ê
-âc§x~XÃJo(¦cé;‚÷ÿ¨š#1âŽøé}SUx °f=”4+ÿ䎧õZ›…HK0
-—€_úØî*Ý– ·£ý7<³Y6ªãvl¤ÎݱæŒú‹Ù¸™‡ÈÈc?m·Ò†h¡ˆÕ©Åç•¥RäÍ×”»L|âÊLwõø
Ρò°¤¼AçYKr¼Ï¹ÙÖJÑkW½b%òyQ·ŠTæ9æ‹Ló"$N¬½ôž‡9ȯòL¡åùö;û¿ZÆMú›¦Ýj{wAÆILTI¨£%èÔ&ëö…ôâÞ %§½(1ã:«/h•¶µôÕ9óUÖô”‘­Í¡i¬rÝxUæ¸ÂÝPÂ#á61”#,*@Š
–üb±·Tx8ÙÄç{ëG79yçÐê°ÀCþ“væ$Põ`Ò匀V–ƒÿþu6®%…Ùqc†¬Ó:†wtÎì•NôwØÒPÄv©*û&<û'ývýЊâ¹!ÔA"OýMBð¼"ðÛQܸ…ÍK)	z²>Ç'áØóô-oâŠÌ#°±ÛÓ­ÀD/&Ësgk7/;ô^D÷‡ÞKÉÁ¤ ŸCH-²oS<ÛõCoõšÂÛw˜´øŒª"ØK–_Š­"H‘¬ûVpÆsáõpa¡£_Ì×SÈÚua¯õ°Ü±l|ÚV±{+	wókÎ:¤6=s÷(HfUôRê¸zP¢[E ïcYÄEùºŽsûr~3§Ÿ°3ŸMÆ?å¦T‚°ÍZ5ÕèR˜±˜rL‰buO[ˆ`×w\ÁU·?‚‹œWà&ó+Дzu(“	Ø!ÌìÅûR% 2ú§8xdßÿó	<ÌЃ|Šˆîç}®rw‚RÕ:Mp’òÛBÿÉ]˜RòöÖ„½®íX((gÿ¶Ä?ɸ‹e»¿è­ÚXÄ`]¹#ƒÝ’X—ÕofQg	è¿ÏU„»7­‰¥äœ“sõö‘ý£Ëw5Y¬•ÓaM(Ã]Fƒn\^¥BW¢É–Œ~3
-ܯ*ù V}ÒD¦ÿôð¥ÎÈ
-}ˆÒçq=G/¦8õ6ÙüÍ/]Z?ó{P>yêU•œµú}éË2&@žÊå:Þä®þ;TÆ
-݂Ư9ÎÖïSftt7,-–‘hV©©<
®ÙÒ]+,àŒA‡Ø  •;…ÔzEå]þ<Ïßý‹ÌɤC™Ñ6ïðÖR®{ÒºsŽyZÍÒ+±êÈÜôÄk´ѤFÈZ‰!FÝmP€×:%•éd
-Ü)„lk2'¨á"€”Öó±âµ|syùͱÕe€\ûÊJ;YýMªI­‘_£ƒ~Æ1bfÓõÝd=–ÙþÅ|SÅ=UkΫ
-S­‚DÍ0»(ë%ªUÎ17%g:F‡°ÞZ?{¡ßs·1SÊ«„]«
-G7ôæøÆnuÒ{«ýef‚‰@ÆÚJt'D©Ñeèb
ÕÓþÿkŸ,ÛšŠ(
¢Ä’n¤Gw3pÔèÝH·„4I‘.é–îÝ%HŒîîÚ{ÿÃûí>÷ü€óá<ÏñÊ@J>N‘÷x°íþ®/Àï^ÈnÙv®Q’U	õ×=[#Cã]6öçÑŠŸ‚h&
’Œ# ëyƒòk»6úq
+xÚ¬ºct¤]·.Ûv*I§cul'ÛFÅNÅFǶm۶͎í¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ú%ìí@,ŒÌ<5e
E##SK{Y)‘
௙’RÔ	h²´·3y@S€Ðð퀅›› jïàádinPÿå ¡££ÿ/Ë?.cÿ@þF:[šÛ¾þ}pÚØ;Øí@)þ¯U€@È0³´Dµ¤ä%Ô’òjI ÐéoŠ.Æ6–&YK 3`fï°ù÷`bogjùOkÎŒ¹„Fg ‰åß0 »	Ðáˆàt²µtvþû°t˜;ÙþÎd°´3±q1ý§€¿v3ûäàdÿ×Ãö/ö—LÑÞälâdéüͪ(&ñï:AF r;[þ…öf=MíM\þié_Ø_š¿(ÈÈÒκƒþÉe˜Z:;ØyüÍý—ÌÁÉò_e¸8[Ú™ÿWô' ¹‘“©
ÐÙù/Í_î¦ó_}þ—îl<þmÿ/¯ÿ¬Áä´1cD`ùö7§	èonsK;¦¶Š”™=€…ùßvS‡ÿÀ\Nÿõ?{†æoF¦öv6S “¼=èoJõÿÊŒÿs"ÿHü?"ðÿˆ¼ÿoâþwþ—Cüÿzžÿ;µ„‹¼‘-ð_A€ÿ¸c²€.K“ÿÍÝÈÖÒÆãÿðß=5€ÿ®RhîbcäôßáÓÛ™ÿU„›‘ýßVKg	Kw ©¢%ÈÄ`fdówVÿ²«Ù™l,í€5ý×8,ÌÌÿ
Sµ°4±¶ûgøìÿ†€v¦ÿ½ü¿2ý«x&9)m	Uºÿý^ý—Ÿâ_ýAª@ÀÿŸDCÎÞô?ÿ°ˆˆØ»¼X8™¬ÌìÝ߃ÇÍÆâóÈø/"–ÿZËœ,Ý:ÌŒÌÌ,€¿ßÿñù¯•Þ£·3±7ýgǨ€ŒìLÿn²ÿ4ü›¸89ýÕö_çþoÓÿ±þ×vÝ&ë+ö&¼ÁVi™é :ÜÜ‘)1>È‘¥ªEþ5ö½~ia»Ü•†µ?›fx~·{,Ÿ;|JÓõáØPõ¦¯ó‰|(húз¾vrÒ2é—"§_hDyÝ,Éî@is0«íM))ë—|ÀÏt²:ÁÝ<ÓøS¸øc}yr@ñ5ImˆÅîBkè+<¿øšxúüD54>:2Ü{ÝHH—OÉë
+…ü5Òß1‡PP[­B¼ªùÕy{Ju¡glŸÏßüC(»ƒ¢ÈrÓÛFÁ÷jð§fÌÁpC`¶VBjä+s^"òœ’£\žpÖk×Ñí HNZl¸Š”»Ào{ö«OŠ—©™}½ŽÈïqM gÀÁõ@‰Î
+vÌó™\Ÿäsi‹ø'o0=ÆK‘ wnÕÉÙë)ÕiÞ8©dÆî¦uË͈âL8{8yŸì'!HÄ`9õ'žz6±VÁ‹ÃDp.µh4ÇÛÛ8ôÌÊv]ÊB‡ºŒŒžš¿ØKÕËËÃÙÏ£€_ë%ç=ùäÚâô%N¥¡[é¡Zß—”Ž8¸³OÊÖÚvAÔÊ
+ųÎ:]Ní®¯jï‚?Ú1Ü¡}ú߬Eþ·ß™ã…°ä]x‰©9ØhÎTº™þ«„r…7Ôè¯ÁrÒx‹'£z줔(I6R×Äæ*n•5`™xZi”çe™•Öê]èntßMò ¦@ßë¨ÖŸ :º·WH’gå Îã:g¡ÎßqQþ5ÿ*<È8Ô²iir:ÿ±d*$ÀÇŒ‡™M ,tEÃ2g¯ö“0ACª•ƒÇ‹IyàbLÅ¢ê|cÔdˆ&ó­Ð“}7ÆÈZVóJfŒ!`/—ö©ÄaiCB2l´–¼â¸¡Å¯Û‰ÜÑäÈÖ)/úh½0XéZ=p|K‡À ôî3Ob¨cË\2Í%׹߰%Æ
+¾@£dJî'¾T¨×½–
’ÆÑë«úþ®@Zl—,P*0ï™7oöÇRÄÈŸÖÛóŸ®Q§ Sý a‘²rÕmûx	“ŽºñZHìnõóø•ãÙøï
+z	õÊøjØNE'·M¼¼²_ÉHËq	zÎ9W±O´à¼¢\Y`Gà^ùa“ñóQýÕùÒ^mš¿RDÓyYÕãľ¤w§fküV¥_d•ôúÁï¡qUåM»n<%ò„é±D}^õ…ï9ÜÚ™/˜zšâ.Øè×)ú/…0×Ο·×rþ¦›§›Ü:;Òé:of\ÛsG§ys÷ÌäxQåç!X[EsèAm®¿NB(^WÄÌoÑÎÉ…qeQoP½'“ÀäŠÛ±vÅTäŠËÔ›Ê`Þ£>G}òxeVÈ#E²Á¯¶b@:4ÖëOØ,Û“œÖ˜	w÷Ý@)Æ	óeîG£J
(På[ývÞ²zž¹<ú JŠÔÂY­CµŸÐÝ^R°¼keMÒ]@KòB ™ŽtFò°…&eð	*VÛÃì`
+îïø`—÷¹K³†>E9‰ú¢%óeKšb¥6$O÷Àw¯sjºN«–'šuYv™ÁuC0=õOS‘GQ‰þ¯Âì{êMüqûÊ¿ûw^³4)pD^W¾i
22øQæBæeëðÄø8Ü+Î(ä€#x2dßë~r%³õç:9ÿ8¯%è5.Ý‹IáÊ9ƒnò)6Ý(€É7ÇÅåÑÚ:T÷	¼$Ó­jæÏI,n›Ýƒ0C5r¦Ð{Ûôù4uJS·1Q¾àIÞ[°šùq™B·ã§ThBŒ¢$¹*3„¯ld¹oH÷¸¾I¤#×A·<ã;¹(m„ý0ïïwôù¨î´ó[bµˆv/“•†&fò5©hž›û:ß•·ÖÜ€–>È´!^$!±k•€‰˜“'æ	?›µ…÷yÌø•3ºš}Q(+pRÌ_jíy
+j)ÔˆÀ9”‰©P͸\‘<«Cz„	w$;48™un¤£Üó
+yÍ:
+Þäâ¨Mœj‚ñí*Ã;øí3ÈñÈmľÎV¤>û¢{Ž'ûh„³vÁ›¤ÊŒ=N(ßÔ™Þ‡RÆÇâ-ë-U¸Õ¡AÉ^³Ø1!>•…k;oI™&Z£Åó²A`þH¤Žš“´¹žÞù=&¬;îõ4vŸ ]Â÷žå·£Ë Z±ÔNnbáÓ1¦[^ÏÂëMᬯij
ç_ÓTô²È§šl`îSñö—›.²XˆGe(p¤.¿¡CžFêJ)ËÂÀ€z®Œæ×Ô9øè¹'ÆÂ-ÉÆÞGܶ•[|ÛþTÿÞl©5·	BZ«àà"—䬩¹9£ÈµÿT*qq„ÏÏ4dG<éZS{Ëèœz2T$g€E‡úÅ3P&¶ãäQ,À‹é$‡(YÐF¥›Ýúg¾ÙþËœ;HGŸ€UÏ0/ˆF®A¶¢ºhÝÂüÏɬSŠ›?…ð.zì$ƒþ¾‰OøBw
F9.é»°{IÛÖ]µYÎÙÛö>….¹©i>Öª®¤Á¹º·t’ÞѱûªÜI
rvWL«Ýa%´§AX™ée‹ÇXço^´¡€KE-éÍBòŸ’Þ®ü1Ò^Þ€8ä„áU„4‡Ü46
+`YzY,lsÿtψSòé’üZQ”²8!Êó@¨`öžnBîàñÃ`N€¥Nw§©Ç!ô$ÕæõÎ%¢ˆ(­ÙâÐκÒC$‚é‹Q
+=öRþ÷y:×S¨‡ÎG~.Ílñõ¤1Õß«Øg½ ?o!==çxQWP8?®~|˜Üÿ¸¾x¿¾tW õ/ŸU®kdY¸Åã–„ ¯iHxºâñ¸l±˜“¾ž?b™qé®yx@cÏ·è£P(&—.!ÕGÑ‚¢™þ=Wc7Ü1WÏ28'ƒ;2[.ˆxý‘×µèÀw,ÔEh@¡3§>WYˆ}ðùaæNy´59ƒ‚Oà
+Û#ñ=X6µÈøÌý/ùj¨5§äÕ‰X¦NëxþU¢lµÅ•¬A2fNyë	BåK@z«1ÅÓÅ¿fÍÈnÿÙÒ©ê¹4mmÒmyŸ;þ-áu/AÏî^O«3Uªž3õ÷@ ¿Ý±”ÁX#`´BZŒ
+¶Šy­ŒØœX6$ XbLÖ¯Æë6SÅGó´»k%¾PjãdÉ\c_¼œMMâ›7IJÑ1è‡ÛÒŒÆîC¡oÖ)ëÆ
+‰}
âx†Ü²t¼Væ–67Î5¥ðž)‹ôÇ“‚õ\æb—qå‘!̸øglnëNò4ü ˆ
+/ôÄ@þåí‰e2bƆwU†ŽUöq`æïâðÅFŽÓ⊂™¼ná{™š¢5¿áPƒ	Ýâx0
+\ÅT»à^7–4N’’Ÿ»$$Tƒ-L3éΚ¹¼Ìè-h’T8 @½Okè#ÁMÁ[¯/³xO:"¨4áxüåäL—„Z¯9rŠ;{ù#'¯‰ëºSçv²{
ñåûÃ<¾@nT´fÕɶ„m|ŬH•³)ãÆ{6­˜€©ÌómpWµÌsõÊS‰8B§n‚ÞÌ/÷ßœÌríŒÈX‹Q~Fš+AiîµoR_-v0ƒÇJH ¡øqµ'×z«0É:á¤PÂ-¦v€ª„Êß\¡nÊ8UÙwtwät?lwP2<8;É¥‘„ «¢J®ò:]÷7ÆŠÀ»·çYăŸÅ®ÿ<ÏÞ"€LàÛàh©‰¬Ñ/OQð烛T‰ÑÊ‘2ðUdß7G2o´ž³ÂQI¤ßÎB6뾨ö!øÔïÑâŒ'âB‰™öðØ,‰¨ÐÍ>nõÀõgËlˆþd»:ûüŽEÕÒ'(̲gˆXô	–‰0ôL·ZO2ì†X臄2&e¾	:¤·VNÂÌKXïÄþ®åƒj™Ävœ‡tÊ6ç¦%_þ­Ö¾lÞ+ã,¬zïpÆ%¿ìg.#C‰ž4¥ì#,jsÓd‡á~.ÖàËR“Eû?ø¿±ó­ZH1Ã
+v¿»3	ëåƒÙ*ˆ¼JCü
+ä+N‰Ø5ÞNj4xÐ]›€¨áàݵmï+Zf;ˆ?Çåe³ÝöPà·oŸÒÃüµ—¢I¹ë¼“F<{½*-5	…)ôcÚ
+#oÓÂíçç‚͘™ØÔäs½ºAï6?\$Ý
“Ûh¿øæ´OÅ@¸º?ÑG´/á1¨÷÷7®š@ëûú¡ÓOW-•÷Šçµ6©qæÞ·lØ…Ÿ"õø2â“OcPp›Â‡T51&éuS,͉p¾ËŸ{º%i›Ìe~´÷Ö
+
+8À#D=ÐÚ–'¼ËÆ€7aî^MXÛsänjã„h1B–¤ÖÑØÞt\§´äŠúã=/t2K(¦­H÷±X
į̀W2­ál“åÇ W÷íÀyŠ|¸`¡ïì¹Æî§È…çÁ™kÙYÔë:½	|â­±ôÈìÓDáw
E)³*j³sý«‹ÛV]öŠSl|œf&EÔô5L‘VÑ
V	ºZ™ÜŠ2Mù…%VÐ`ß¿1¹¦²¿‡T@@jLªPèȘ֨s*ô½§Ëâå®è
+I³ÙêéœÆ–T©-˜Q§5߇[„þÚ@ÂÇŒçoT§÷sa‘‚‚Ÿ£;?®IÖB,$Êq®G¶qÞâ¯PIJ	•£Æ»¨(¡àœ•SÕ`RHáRp”·Í/i¼™É6vÁ³ªÈ»ÚôÎvñoU;]äW¸é­ysQ†$Zk›oÀëãõO„ö¤Î£ýÁË2Uø˜>¼sUàtO?úp '@úÂÜdÛ¹KuŸCí½ìe½oÄÜóÏrž‹ëéEÓ3ŒžÈèÎ#$ûYjŒ²äØyÇúÚIÂOÁu)–8 Çúƒ}Ú
|þ84G'.«2c2´GÂdL¡ÌàŽ6(­1¥²ò&µÂgùð‘ôrœP$A€+ÒádˆÐíçÁ¼_äÓôèä8\áä'wÇT`S^JkÊ_HÿΡÇÐïK”.±®:¤vìÓîÓcˆä"AŽ¥Øm¤.l¬È¤÷4³å)¸
+4=_A€ï CÎyëºnlT÷SIÆlBŽãÇD‰gÿ¸e‡Ýl‚È¢s›y|œRJ¥sáŸÆ%÷›oßú§gªDT+êg&Ÿ‡
+û
+ÀáRLæÃ2–6çW0*¯bö"QÛ8Òœ3,´~~ý¨yܵ±®ƒ!èk÷}“IU?û
+^ºö.ÕÊ;â˜<\éæjB† :æ‹ãk‡o™ùžËýta˜A=«(ÓÔ'ŸÔÐH•ÄN!z^“kðw¢ëKËŽÌ´«öߪ&ZÎØS³_­ž!¡ÑÐ9†˜mx,by5À,Ù{Ô´9s†s_=ªŒBÑ3ú§ÉÅé7˜MgðRSÙ
aÅL4äÆÍœdä’¶î¡ÁZ’Ô§q½ ¸‚’6ˆõA3†Švbwq]o§æö§%¡×+DðXÚ2ˆPvêð7?³Í®=Dø"EL‰ÁÀ}§Û#WYççÕ"ú­Cø(øºÕèa	,Ù`­}Ta¼R›L΋ÜW’ï“9Ž˜oÖ”c/9ŠÈÀ°º·‹*£ÈpOˆjêû‹ª`=à^SVnæ¶ô@&2†4.Ê0h-5zPÖz.Îxúƒ)Ë+™ÆÁ·ÙÃ!îˆF°²VóöqÓA#õ:ãF½À=Ca祥…1‰d1xýº¿ìø2ï«9Œ)Cí$§øV„"	Æ1‰F¢rnêOèó$9žíÞŠòZ
«>’qXøŒúÑú‡¶úIÛ¦Q!yˆ|¨(wàÌh"¾n£K²ñúB©
+/5ˆÝï9éŠ1)ëM÷çY¤Ò\Þ5ö£yLU!?䡳ìšýõÀªi›Ž}Ìn‹‘f^;àQbù¸RÿBr	Ï¿I-9:5Å·À2>ÁÐ3d±†Fˆc,¬ã1‚¤á7ú><
+£2„‡Œ°±hdw,}ýåÒps9KuN4ÒÝœ°T×£bK؆F–i$Ÿ‹‹'p‘}¾Ÿt¥™´ðÞɨ"3±Ut¢¡úx²Ø&x4D	K¬ZógÜVú‘xC¶‹]äÂØý9¦yóï³t¶Úxæ‘…HÞ#ü¡ æh
+ø>_@[›cQƒY«]®Á²´%!
+ÚÕìΨwtŠÓ?oAZdævò6I‡¼)’þ‰èRUÇÜ(Á@Ú”µ²âi·¦Ð£ñ	ÛåºÛšÖ/ì¢ó&Å%é±ACF÷Àa¾šƒ;öùZjûâ×QBÙŒãωÎYIN«ä{Ïy|—hT®t²RML‡WK&q¨aMPjÍ–_ê›Í2ÖÝmYL¡£Ý§ÎŒrîgs7¨NãÚ‹+Aׇ²‚·`¨ëÞÊN óoé…%¦~aÝ–o¥­~F¼».û#3{9D«Áä9;â´æÍôQ¤m£ÆgsHœ;“¯0C[µÐñû8Z¹Ô€î>¿œáƒ¨ÃY„Üá€ø¨e{MA\\ˆbi©O»‚›îöŽÁAø¡Ö3
+'ˆqqµi½á¢C°z³(†Jœ=ã€àˆœý]ÔÞ8§š¶±×†3`žbµ^0Ï »©uDA"e‰57"jÍLLÇXÝ'N-ëZnˆhK$%JrrÛ­‹y¬ewyä¬ÏÖlv-‡åƒÑ‚ûvô¿L‡|ä‹N*<‹c)u4¢×é²=hIë&a‰	ét•ÎÉV¢z*ºìÃfÞaJž¿+uÍçWâèÚK}¤¦
+cþ1α¼ZÞÃbi÷cžç„Š¢c;Ï\ºFý‚I¤Ø-óÒF ¡Ù¡·ŒhÌ$‹™òjLjÚ¹ÕTãŸLàIHJ+øæö‡dPßÜlvÈåAÞñ GΓ[ãŽ`Ñ#&ûîR…j—ܬ'VuUÎÔ‡íëÌÒ†·r€"˜Ž†(¾WwPßSè¤u‚3ØRUê·€¥~²ýbæ³u«jJäþnÏ×íºÁëi¯™ê'‡¹IÀ&JIÔô0>e¾dÞ>#Ç<®å³Ü±éúÞv‘¹‚ΪçñæWêÕ‰½˜¥‹ÞÛd³ªÐçÄsFÞLÖ÷ÍÝ">nfhx¬ºqŠ~K~áåÔZçW
+D9ÐÄ×ý«ÌNc­ü¤¶ƒ("ý÷÷‹¬~”Ù]Ç@Ž€pmMÂËSãÂy|ºµXùJgÑ »bdÌ”qs/}Q,†Ô"ǧLsõÕ÷¯JnJ8œ~ØÙ“«‘Óø?ÏzNèlüšIÅ	m󯔫͗Éd.¼”»N~ÄmY»	kD—hÕ‘¼m™³£Þ/}·±ù Ýö‡ó#–ùI×ý&¿²œ}X§¹ýQ3öÉÚU¨¥ûÁZ*蜷,û@Õ>ºxY62’«’HäÙ€«!<¤ðá¢'œ‹k4»ï™iÓ‰‘³Ïrï­ˆÆ(Àf9ÁlCšã1xxçûVÜjÅŒDÂA=¦p¹ËÇzî­üv«ªÓIÇ¥†kþ@ÑzßÄfOoÓìk”Nâ6emWáî™äQÏäé‘
ñ…]øYu“nȈõ›¸qBû±$[ë:ЋÔÈÏ¿mßÚÆêe+(Þ„jØñôLl±ê3‚¥áÿ¾†´b>1U”Îón,Ž‘çŠw–GüD<Í1)g¦Zµ÷†Ýy}+ˆR &“¥Ä.Ø*âaý€èD>s»,6'ó?Þ0MR4¢ Kíþ6´9òì1@ÒÙ+ñ=ïÄ›	¦…öÞNëe?ZÎÂfRc¯PÌeš²ªÙQÚ"äI8
+4Æg÷ÎüôL¬¾¾Ò?Âlœá¶_±Ã؈õ†ëî$àÝ-:ÇDpBÝu£Cbî›#13º;Ï
+*‡Kò·¶‡;¾-’"+ܦ˳-ý<ÎÈôXüöYëÁ’áJÁ‚¡$üé¥Ò.&>Ùe¸R¸¡3ŸÁÿ]u7üaÂõñ.R8‹zAµÓã~nTLûçpYTÓìª[7ÒøUÒð=|¹üº*ÚÂ_AŒ/–*CØ¿?CÞúh67÷
Wáïx,V[ýªŽ?RÆò^oH–èÈ;Ǩ=käàkáÕÊu3®ÉẇNbnN’²‹Y)êctž-yá¬JHÇd`‹“mó®úí}KÕ4¬½9«–øWù…YÚá•M3
|•Ð§DN¿"æµdYDé@ÖáÄúÑ¥õÇ*1öEÒ.úMµü–r± ÒüØ
+Á4õ5’+Äó}†#‘.ç­¤‹R‹ë
+õS׸­oïÖ‚•fx{ì—?]Ž{øjA}øé{v$õFBÇÃh¾/oF"U¹»ý´P‡SkwUŽçî0€8â…lù9|2öêlá˜,RºÆ,;?…Y¦y$…䯠‰+aÍB•¨ì5šEÇ婳Ž÷õ¾Ióþ†n$ŸJ±šÿHbN±ãHÿ­^Ù’Ÿ¨aêºV§hÞšW>#žµºra·‰áWvdyóEúC
‰ÙãÃ/c7>+΄É6¸ôªû,,V>'$úÒµeP¹…'›ð3f3[l64d±DÅZX¢bT<0o½|ÜÙ—‰óGû¼	µ´$Í:©Îs×™[Ïî -|f÷ãþØ‹ k–±¤oÉögä¾–Œr‡¢s%ž‡×Z8–$ä-.¸ºçT/f=þ(.×E›F¶RdÄ3xîæÀ
¾3ê¬Òßk¬!ŠúäGÕ¼œ6LØ[¹-…©)Ì%…g?¿!W<דx˜¼ä‘xmÝA—*ŸûèOLçûÒþÚ‚š…ˆãw0ð¤¶VEZÓcJ§v=‹o#›üÄHP"ÏÙÎ
QºØ¿fÜLœôØ’4¬¥½e6y®H«ˆø¾3Š¼›»g1x1ÖÞDµà^°ýƒ~H'3Pf
!PfZè׳	!dƇ’ÜŒß!ò%;ãhGEÔ[–Y5;­míJQ6"RäÞbÁª†9Uöº£hDÒŽœy}|#Ú“äýºÑûà'¯![ÝùëŸ"‰Ðý…åÕ‚'’‡•¯ËŽÈ¾„¸:3kòV™_è (JRañ+$–H-œÀ³¶VdoÔ³ H\[»°údÊ,ëÜÍÈ5…ðNÂ#žšÏGÞ¥ÝsÚb{Ðí™igÂê`Åá?¿ó"‹›—qÍŒâFD^õãÌÔ¢^Gw„á]£vž3ø)&).
+J̺6I>ìß
$‘–HåÇ(ÃÈ;LØAB¿ªƒKéíqrm”ü¼Ëµ˜+ู؂۾Ó&§døäNÃ0I¿r!7%tj[®†ð¼¸‡¿¬e°¢zñ÷pöZù¹Üvi3l*.p.&€Ñ·Kóâd¹¨É
+ÃŽ¿NõÆç*匶ölIUQ8(±J	8a•˜· 5«X~+Õøëam:Êœ·jP¤^Jœ§î‘¸ÃsÀÿ‰û‡FmA@ [r«@æ	[¼¼'O24ö‰¨-ç¯Ô‰Qy"ð빟z¿–2¯\ÅC]õõtQŸ;G@(úŠÆ^½|B(8Ú¯–×ÙûsHbM,)ÀÔ û%3ßJɽ@
ÄgJm)l¶	lû$Þ_Wûú?Á‡ä‹Â
(bS¼¤nñ!Y!~QŽžß {{°Q$¤ïöƒK[N(‘æ[bÚ©HQöœý3Èð¹ùf6ø æ¡
+ƒmÕR¯
Ö$õìÔÛ6Áò´K·8}bS5Û €UÞXÈs^ƒ=$Bÿ©†Þ‚€`õ©£X&ýµ§=²w3ØÔ]ö§ã^êÌNóÊ»Aøðc0ÎäÚ5¯uÈòtœ)
¼Ã؆Fê|ZEò‹Vjê¹Cç‚¡þË€y·rûÌÂqëBªUèü	õÉK%©BIhs”¨ƒr¾‰Ÿc\už…L}dþlùÅ#œsþµÝ
+­­Ûä¾xP1S'¢Ä”ÀÏ/m*5blð•šZh—E5Ú°ZÊ‚?7/ ö®Ê¼¢¾Ø‡ç]Ï|Ö;ŠÔBùúéíôý'rUS”ÂŒ,ù³Ç?»FöÌ’±ÛõÚ$Ämk¥kˆ"ƒVa+±<•šºa¶>Sû%­äù‡¸’øVî™ÏáEü4¬:ÀðÊT?ëðÎhx®‘ÕÓéUDÂãÚ%†è(
+Djà&$ >g÷5«d(
+x­áO¶S.eƒ›»NÄÑűn5wÔÖ‹IêÞ(ˆÂ8ãÞ×Àn†hºkͬ½P#éQ'ÕíîaT¿£þ$RyÉà–&S(v±8m`iʽ]rþù¦³íJùQ5x9–Bgaàž}x’2ÍDÑÔ1 IÐÏ4—ÆÇûèr¶¡¥Ø17€!C,o¾ÃGv;§T³…þd°{+W™ ã;…Ã3øS­ª4çq’_n¾¦whÔ!^öv™Cà2x‚§Ú,#FêÇÙü/VKÇOŸi™Xôõš—J6ÃCk
+´¡é
LŠ.Ô»4,›æË…Ü)]Ã*Vi}¾I&È éà1ƒs¸g´YÄ1Rë}}ã$¬Ë¶Ò|>”OÙ‰@½)Ûá`LÓïËñyŒoãwk5±ÈVð…SŠËm‘í¬Í‡Ÿê)"q%Uæ#}VíÈ·ŽGØlxR×{häYÏøç%»Œk#’–ñ
+°û€‚ß_7ÖˆýõƯ¤øÖe÷®eßêT\qÓýÖ®Épswþõ§ºfidG#¿C!Ð3²þþ´›ºÂØe.V ~4'¿ËNƒë'æîÅ-cæàXà."†—ž®W½xyèâ0„¹^Òa-€™ë‰KížØ—%ùûÛFƲÐá´”Ýn4Àté—{âÊy¬\I;
+Ü$(Wgœî‘·xeµ§²Þ¢Q«:p¶ÐšaBš³·ØÄ ô¥7'‡ÎòÌ[H›†{±_‡*ºŸñ´í!NTúû[ìD_lïñ	(bÂ/Ý}¤)mR¼™~pÁþØL®†PèK¶	M5”ð?Æ®*äQF2±g™#ªûغà>~‚;H°‹¨-ƒô9ü·—5ûÎG	9„õKƒ[Óc÷­~@H"…°Î–E(Mõˆ@å4/”š0ù{oNcáKC¹¶un˜íÌ——*ÕˆÏh1+(¸Ôýd04—DËÓ`IRïÐðý„ã‚çNÝÝ45öH3‚-]º5û`EJd>¯3Ãæ	B­gÍR™n"éK`~[›J:4qð7v®`=RŽ}EñŽ:è¼süôŒÍ˜4¹nÏñÈôQr,É¢ï°ÍkÄêãÉÌ^Iö-ûØLƒÙ£1#iÕ³q{ÁðÅÔ#…·¦˜&#¹–æÆÌ0žpk+«£ç;çR,‚oUñ¹_nJR
+†é68û½3¿âØ
€ÙAehD¡–~ØioÔQbØFÈöyÍpR<‰˜ÈfÏâŒ&a›æ(z
+YìT”ÄÐ_ïCŽÆ}	_zA-nuò®Z˜ÄögúvXPô‹•5tºÁúOÌ]šÛæÞÄUhN'u6V‹3án[ }¶ŽMïm9¤‚Ü.QÒ(Æ‚Ølšõ3EȽ¹²FÕ7CÇ¡¥ŸµÂü‹›¸¡•	Ò†Ô·X>År­V¤«´þœùÈ87‹Ðæ^’Ü#ž³Ä…*[Ã00Άºª\-zÂ0³•CÄx:M«»ÄãVNcÇICÃOgUÛ¼¬*¶@ÚU·ae’+b˜ÀèÌ¥¯é¶QñóP/Anžóu–ÇúeÙM"èzpJ™Ïò®­"U‰
ñ+“ãé?§ÙÂf%%íl¿çkíæ¿„òLO^‰ªãÃFÒò’Âiú,ÞTõg1ª
+l•"\\â„o8½²b¯‰{åIPwví ËQæH¶$ÜÉ´¦ÕL`e·©ѲÂJ»ýT‚Ε^jr˜²:ª×»‹¾n³d@Ž	+û?Ju㭿μ¹|ÿ¼Pæà4þôpÿ¤:Tº·uqƒkZw<㸺	ëùZwŒ¡ò²õ¨~3áÉÒ¸‰{ÔÁ
KùKªu+•à*úÜX©|,<™¬ÂÁICO¿%ÁrÿäuŒôtèbuîÖ€Õqn8.ó³£Q†µ¼fz«—§"ù'ÂÅïj®–ˆ{vða4ƒž¦>äâÑ^f¨¼Ni)r)[v/#E¾ýœûŸ"|å7Ô„D	2Ç_9VŒIPqžæ×7VÓFÔlìH#ÜxÄê/,û¼&-ˆ{)­€{]?gšëyäÎî+Ю<ˆš`K“sÍ,žlù¿ky"3‰nèKuÃíuÈ2€ú%/†nýqˆîœh#L—í³íÕ8.«Îo¹¯3>Î	¼-"“»ËÀ»heè¢FI:NŸ¦ˆ"|±ZL{±·Âó†¶Ý›·jËó+à£]¥pŽ7j1è=¯7"¡Ø;®p9\E®kT9)5¡zHñaHôüŠCÇ4BG›EÌ«yD¡–™ñ^òÇKŽ%°V^ùÃDJ½yØLùE'0=2òc¡ÌÀÑ•9„ê~'žÅ–	ÈCyG˜õ”¢Zf
¨\’nß&ÀxI n\Ó—a$ΨBBbÙ"½÷2Á¸ÌÏh=ã:ð¨fjR9cÁ>zLœµöXer¬uÁu6Ù4à"ñx%J#©Ã gǤMYˆq,éó•n‘á@øÀýf†iÍÿ•«yܯ£‚X—'ikZ|èdü%Î0 ,cYÎ]o5ÊÓÓˆP|øTëZBŒåæxM~`Ôä×P
+Ïoé†-«ûç²`¹
Y¶ñ­Î±‹èÞÛ°ëÙC¼aßèß7åv¸×^
+뜻%CÁÌ‚¬UÖ´‰Maü€¤Ï¹uñçó„áÜê :œð؃C»(|cºÉ&§ëéòɼ¯È8'Ùx被Šóp<]BÌý «›[¤„Êñ+§Õ˳ž8Wb·ˆ×[ÍT|­¥#NùæQ¿§CÏWGˆ|SmÿFÞÎyl±^õãþ™ef C¹‡¸·á¢y	JòëL;˜L]¸ÞÙÙeÂAÚbˆPAIÛä#’¨¡Ü‹BÕÝkñ:FñHí`—絬¦æÐì
	âyPÞÛúóÐn#Z\›é72L]ËŠ“°-*#ÌÚº§´á—µg摃ì“Ùðú”ø>“f«©¤7i0˜ûû/‘ªª:ÜÁñ‡n¸»¤ß3¶îew´°éÜÑgÌ8QqÙ]Q ×·²¿èÿöÔ¤¤5FéÂKÖÔ(ÿRÂM«bl®ñâÀJn°Ü>å+cë~“¯Š1‰«¹Ñrj¶éßM
—U;hGË’ºDÐWRIÔ®H$š@ì2‘ÍA´¨ÄDú&„IU©¦"ŸöÐ9~D”eõÖÔ	ôRê¬ãœé(¤Çn.”.kø¼
¥n`ïà3ƒþ½»þsuF(”ëw+ÇœðaÚ¨F~¶zñyþþ{‡>gS(êá9‡&IdÑX2)Fžb¡8ÚËp¤«PX,Gæ(xõš2œsPº%	fajU‰ªh.,w¤Ñ«
+cLÇý2 Ža®_š²HÎh	2/ƒZj@¥Ò¦7çnîS}Ž@N:°›è3ÁúZ½Fõkwy<Òè‹ÏÜhŠKÏ=s+8T¬ªÈáöÀ¿Üvë%¸‰ø×îD¿=pNÞßà`å7—Ò‡Rtóž^5•C{
+L­ysNRú?]œã|DuVò=Â+÷œõç°üdË,󴵋¨t}ïæBÖ 9Q’Ž¹¡¥PÖ•g$±»ÖùW7‡È0‰dÐs`Å/]N˜Cñh¿5÷‹$YlÄžìžvÌ6èëZü¾Žñ:á3~|±‰Q¤ãïÛ_6tºs´“WÛïµÈßFgùè`æ}
|5*¦
+…3©	¤0.aõÃ’ AÜÿJ&ªƒ0C|R*ü(ô¯[\eZ¢¬ ÏÑZ
àú½á´sÅ%¶_,sEjâ’ñƒ]]¹QÙÄäã¤Óoxé{×ùÒT¬¬>ÔDu±:eƒ„Ž¬‹C5áj¬QjCìé÷¤›ìÐ̆£Y•Ãé²{G·$7wA”_sïâPs±¢Sš˜=ÍêïxEJI7z˜³LYò>‚Ý'ò.ä?4û™36L®PæØi¸Êfá]Y­IÍuÅSÛÁý²n’YWºjRdúAùú†ÄMw¼NÆÒ`´­Š&'"—cxŒ?¦¾©Žd[ºhxB{ü¼ãXæ}•£689®ªíV3*àV,´NÃIæ®ÎúÄ’Ÿ]ñ]Ì&ßkÏ—Ê­!ØEø>µBGD“ÊÚ	DÄ`ŽÀzë†ÿD9ÜD•^ãP¹¹¡ÒC`pÞ¸q¶SÏ/@j»_»;Æ),H¿¥ÌNeÊ„cwLˆ^ŒM\Ú‘/Q„Ýr½Î«D¦F¡CzmbÍ$cÁïW %—õÛà”\Ù’æ’.îrËäU+ôŠÖ½U©+A´5ŸJ¤Ï)ªãÿä;z_{®ðø–	©ŒJ !uêˆÉ3e|Yüê*¹ˆcËûõ);ß.†úðò#ãDhö€ö‹G¸èFyç;u=2_–\?c«î¤~‘Éü5ÂV?ø
+ƒÅÊ~Ïz_úà)ë¨R÷Ãfæ4Vf™k+{Çc–®ŸSxéüýpŸÀ–éò¢Žú‘›B6Uß\•AM{ƒo—áŧÜùþ1÷¹ž ƒG‹KÕeºd´fÙà&ö÷-
¹÷ŸÞ
ŸLHÁ¹‰àT­Lq>ã3ïçÙuÐ3õ.°ó»ÏDkr%[’û V!
=?(F‹V>Då†TÜ'LÞ»tðþDì0åœjiJWù¦¯:•º?˜ákÅtð·Dt,e¹Cëàì8´­~¶^Wìh÷ðá²›ó&pÀs–K‘v£yª¤}ÜYhÇû/q˜š\—1άÄ.5HLUcß|{¨8óŠò^ß4à`äô·ÅPß½Q5ãŽèz”=ûý¯`ôô«î½A$äÆô¥=ÿ7<‰†ÐZLLSXëNŠ}Db6¶Ð,èÿv;=›#˜‡Ãc“(í„FrEƒÎUA7Á¾ºñ°¤‘ïÁ¼	Ÿ³ËÔ
0
+·•—Vh/†¸MƒD:•ÄÇNñú°•:#Þþ>PLÇÒwðQ5GbÌñ
Ò禪ð@`	Ìf(iVþÉOëµ6‘–`.¿ô#¨Ý'Uº-AnGG7<³Y6ªãvl¤ÎÝ©æŒú‹;Ù¸¹‡ÈÈc?m·Ò†h¡ˆõ©åç••RäÍ×”‡L|âÊLwõø
Ρò°¤¼açYKr¼ï¹#ÙÖJÑkW½b%òy°q·ŠTæ9æ‹Ló"$N¬½7ôž§È¿òL¡åùö;û]€ZÆMú›¡¦ýj{wAÆILTI¨“èÔ&ëƒö…ôâÞ %§ƒ(1ã:«;/h•¶µôÕ%óUÖ씑­Í±i¬rÝdUæ¸ÂÃHÂ3á61”#,*PŠ
–üb±·Tx8ÙÔ÷{ëG79yçЪ6XÐ!ÿI;s¨z0érF@+Ë1à
ÿ:›?׊Âü¸1CÖyÃ':göJ7ú;li(b»T•}žý“¿^»Ý ´¢xnuFÈË`“<¯üv7naóRŠ@‚ž¬ÏéI8vÁ"}ˇ¸"ólìötg+(Ñ›ÉêÜÃÆÝÛ½Ñã¡÷RòC0)øçR‹ìÛÏvýÆ[½æ…ðö&->£ê£ö’ÕWÄâFëR$›¾„ñ\x}\XhàèÀG‹õ²vD=Ø+A},A,[߶UìÞJÂÝüš³©MO£Ü=A
+’Yý”:®”èAèÂûXqQ¾®ãÜþŸœß,è'ì-¦E“qàO¹)• ìG³VÍ4ºf,§œR¢X=ÒÄ"Æ
œVpÕŽà"ç¸Éü4¥^Ëdw3{ñ¾T	¨Œþ)þ1²ðùfäI>EÄ÷ó…>W¹;A©jæG’òÛB¿¶ä®.L)y{kÂ^×ö
,”K@[âŸdOÜŲÝ_tNÖm,b°®Ü‘ÁnI¬Ëê7ó(Ž³ôßç*ÂÝ›6ÄRr.ɹúûHFÑ&廚‡,6Êé°¦NᮣÁ7®/ŒR¡+ÑdKÆ¿‡nÀWLÆ|Q«>i"ÓúøQgd…>D𸋞£Sœú˜nþæ—.­ŸyŽ=‰(Ÿ<õªJÎÚ	ý¾ôc OåroòP‚*c…nAã7€gë÷-3>º›ø!-–‘h^©©<
®ÙÒ]+,à‚A‡Ø  •;…ÔzEåSþ<Ïßý‹Ì
+É´C™Ñ.ïðÖJ®{Ò¦sŽyZÍÊ;±êÈÂìÄk´3ѤFÈZ‰FÝmp ÷:%•Ùd
+Ü)„lk2'¨á"”Öë±âµ|syùͱÕu€\çÊZ'YýMªI­‘_£ƒ~Æ)bfÓíÝt=–ÙáÅbSÅ#Uk.`«
+S­‚DÍ(»(ë%ªUÎ)7%g:F—°ÞÆ {¡ßk·1SÊ»„]«
+G7üæôÆn}Ò{«óef‚‰@ƃÚZt'ˆD©Ñuèb
ÕËáÿkŸ,ÛšŠ(
¢Ä’n¤Gw3pÔèÝH·„4I‘.é–îÝ%HŒîîÚ{ÿÃûí>÷ü€óá<ÏñÊ@J>N‘÷x°íþ®/Àï^ÈnÙv®Q’U	õ×=[#Cã]6öçÑŠŸ‚h&
’Œ# ëyƒòk»6úq
 ÅGÕkX:gׂ	še£¤xu®ôØ\CùqKå1¦g¡lø	7[Ù²Ì4Òÿ¹[PÞÿøç¥ÏFÔ´²ÿšûI#pŒ"­ªºóöWwxN¥&ÿÊYGúéÆ„¾åoK?\aùt@½=¥¢D#UŠ&ÐmÂ΃:Kó#˜´ÏÙf`ÃN¯Ú¬5}=ÿúfy$V·‹Id”-é%#©¾¯{z²5…رF’oö¾!²’»÷ØIáMØïä†H}ØÝÖR´x`î/Æ]è›Òª^3±Í7é¶ûñâ¬Â^µñŠ
 ·(FLH³~å¶ÞÖ@Õ6Jäó¾xÌ0V?K£ÈÕJÑ}gy,‹¨†/ã©$þ¸Ì~“Æp\!#…þö/»-ñæ
–Ú3Uv+l•EM ´Dýý_O‰uò!÷¶:)
G‚·Ñ	é91¬ÄdÐ~í@§q&±ÑŸ<¹¥ËŠ)üÁžjÄÆpîp 	ãO`6ÿÓaÌ€“Ê ‰bœ›³ƒø*LnhœýbyZÃ÷-ý$ËbÇ;¨´²*	#Œ6^ÿ´Œ‹Ä*jj¾}5™üÊ­tÿg ›­ûá=)ìGõ™;RVÛÚ½wV*îM\ˆšhßn`ÇPÙºzÇ'I~©VŽ;&븙i—wâc3:™S‹åa¥40ÏZ:	Moè¥Ø~ƒÐ#YcÑV„³IF^¸Övú¾&ÕÍBoªzôåÒ½¢šºˆ<è@ÕŽ!ÄVo£Cé·³s~íAãŸ)4°jsY™ÖÑÁ¤¤Òøɉ
cxg4Hc=‰‚­|(—æ3§‘»Ñô¯ðÑqr1¥~tÓ™²süçŸVý;Ë}I†õ„=*š½Â!³ ®8¸²ù	¢Ÿ{J½ÅhJ$‘¹Í2ÕtKcÇZ=P¶)»ûøÔÂwË,û«øƒˆcÌm#ãdxÐu!^	Ú9ûi7ŸÙJcÔŒ]+µ
jÆ»Ò_€[hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)·	Ž×?3Ì›QOl
 s¹xŽ5WË–§zGϺß?ÁyËÇDóÛ8Þ6<,óyÊœ³%ɾŠaîjôër¤ôç ³L.¸!åeÖ&A—¯y!qíµ¸`Û®8&ƒûCá°ˆ×P·KÄMZQƒñˆR“!»V¸x3ËßÀÃ'£l{…x|#”ÄÒ,ò9r&tã|¼a¥ïéæ3sawÄø²Ã××ÿuåÝ™×Ãùv¦&R®É;Ƴo©5$rÇâ¯%ì»iÕav·4ËEìØÔ;E6'µ…¹ïh;ž7\oqkÙñ*¯u¾+ÍNcýàÿOÃõÿû‚ÿ
-¹ƒ%ÔÕÝÙêjýÚdâendstream
+¹ƒ%ÔÕÝÙêjýÜâendstream
 endobj
 927 0 obj <<
 /Type /Font
@@ -11116,14 +11114,14 @@ endobj
 /FirstChar 2
 /LastChar 151
 /Widths 2278 0 R
-/BaseFont /PKTMUW+URWPalladioL-Ital
+/BaseFont /MIZFOT+URWPalladioL-Ital
 /FontDescriptor 925 0 R
 >> endobj
 925 0 obj <<
 /Ascent 722
 /CapHeight 693
 /Descent -261
-/FontName /PKTMUW+URWPalladioL-Ital
+/FontName /MIZFOT+URWPalladioL-Ital
 /ItalicAngle -9.5
 /StemV 78
 /XHeight 482
@@ -11146,7 +11144,7 @@ stream
 xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸yZ@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
  ùËAKOÏð_–\¦^ÿütYÚ¨þ>¸mí€ö®)þŸÕ€@€«`²Ä””ud¥4RŠ) =ÐÙÄ ìfj2ȃ̀ö.@Z€…ƒ3Àö߀™ƒ½9蟭¹0ýåq˜\f ¿a@O3 ã?Àèlrqùû¹,Mì]ÿöÀÕ²7³u3ÿ§€¿v‡äèìð×Ãî/ö—LÙÁÅÕÅÌäè
 ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.W §ë?¹Ls‹£­‰×ßÜÉAÿ*ÃÍdoù_0œ–&Îæ¶@—¿4¹ÿéÎíð¿íÞÄÑÑÖë_ÑÿòúÏ@®.@[&V¶¿9Í\ÿæ¶Ù#0ÿ3*2öV–ÛÍÝÿs:ÿ«A4ÿÌíß"LÌìm½æ@fE׿)4ÿo*3ýωü? ñÿˆÀÿ#òþÿ÷¿kô¿âÿ¿çù¿SKºÙÚ*šØÿø; øç’±ÿ?¼Mì@¶^ÿ7ÿÿî©üw‘ÿWW“¿­±·ü+ãW&–¯ÿ@.’ O ¹2ÈÕÌ
-`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYGZGIDŠþÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
+`abû·Wÿ²kØ›mAöÀ¿šþ«FV–ÿ†©[Ìlìÿi>ç¿! ½ù¯ÿ¯LÿªžYDQSZ[’þÿ¸WÕlÿΗ+÷¿#”ÿN‚«º—#ð¿Òi)8˜ÿçâ>QQO€7#+€‘‡ýïdc|å`÷ý¿äþë­L\Až=&Ö¿¤ÿü²ü“û?
ƒÿF#aoæ`þÏ쨹šØ›ÿ·ÿ4ü›¹9;ÿUù_7ÀßíÿÇú_ƒzÍV9˜ñ[§ge¸Öáæ
OŠë
ô±B‡8–6ªÔ8ôú§‡o­4~«
ajšæýh÷Z:q|ß—¥;íñ¥îM^ù’Óö¢ÿ¦êä¦?d6,EÎ8ÕŠö¾\”ß‚ÒåbÑ<Ø™TQ5,yƒ!žîdw†»|¤
 w/À¢xpDñ3KkˆÃîBkèûqrJ•tüø@=462ü³÷ºŸ>7ž’Ï
 ™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖµ?ªª…¹{G.ž'Þ½µ$5õü^oDÌÒ’j8Á¬R/ë‰yÝ࣑<Ì`½^
 úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
 ¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
@@ -11208,7 +11206,7 @@ MI
 ¿n$rÝ	XðD˜t
ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
 c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
 cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë …x;³°çlqf—š
“d79˜R€2õ¨)iµ†–Gö»€ê&‚—ÜÞ¨CšùŸeVò]ÏÓ~„ð¡T}îY¸dë`XÕìéÎ<òeJË»1ÒXê¤QáÀ#÷gX¹;«ÜÉà{}¤*½lÈ»€~.ž©kÜõVÅÇ®þÒ€§ú‘7ã$o—#€àkص<Éâ{
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,Êæmf¡endstream
+¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þKTØ&§Ð9æ2ös³Ìü±×îªÊ›õäõ§=ìÌÉIx=ãç7åv[¿Céhw›«Ó(îl*ø®Ÿq	‰Ëb“ÛfÜèYàûYÚÿßRŸåÆ	|)¶U-*ª[rᇻ……øw8me-PÍsóQîñúW™N‡vé¸î²”š{e³ã=öEëe>*­xQÿuò_­Rñ„çÒ˜
¢þ«Iïç?d¯Y¹Æa½/Kz†Âc™›gZ6qæåØöì—3 p0,HÎIM,*ÉÏM,Êæ{Gf›endstream
 endobj
 827 0 obj <<
 /Type /Font
@@ -11217,14 +11215,14 @@ endobj
 /FirstChar 40
 /LastChar 90
 /Widths 2279 0 R
-/BaseFont /YHYOAG+URWPalladioL-Roma-Slant_167
+/BaseFont /ANVHXF+URWPalladioL-Roma-Slant_167
 /FontDescriptor 825 0 R
 >> endobj
 825 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /YHYOAG+URWPalladioL-Roma-Slant_167
+/FontName /ANVHXF+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
@@ -11245,14 +11243,15 @@ endobj
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2@	Š(åŽ
-ŠT†dBI&	(—
-A@0¨P¹TZ)­`r1XQðÔˆP›FÁ+W]Aw=véÏÝ_{væϼÏó|ï÷Ìó~ç|&Fž>;#$‚4ÀÑÍçH@"gbâˆÂˆ‹œ L@[[p  ÛÐ(dÕg8"a‘(7˜#Ì?[Ù|å2!à‰80ëÁ„x€Âä¢H"àÀãÞ‹+„€7,„јEÄ Àâ2E@ÌàH‹Ž6Ø,Ã,qØ;*F…˜)À3ù€Yd!^$À‚Ù8’;‚ícNþ¦V6wóxî±ýRJá!>—ùVðÃÄ"ÜŒ
-VJ}áesn0‹+æ¯d"ˆÇe:‚y0@­ˆdKê2Á:s%0Ë“+br6ÄÂK8,`­´‚Å·d„ä²×ÏiŸ£ÅÛ¹.‘žW Úä÷ê¥|_c)¡\	àO&’É &ÄÞw_+6ûBÀDX\A0@¡ZŠB‘8ìaˆ®€KX‚9&ˆ[`ÑÄlÅ-Ž´HL.ÊäÁÌÅ©‰Ùe‚
-‚°Ìá?Ad
-†¡æÁì?Öoáå¡¿Ç­1BßXÀò !g	þkpt:"‰&Pl‚­5ö# h
ØØPcþMÈ£(,-M,þw5›‹†%0×Û0í’Bòª“+b¿8çûH/Û*U½êÍ~µ±ù\VŒõœ—Q°¨t´Xqõ„*×ÝË´;¥^ÑËpOÿrºDûâÕ´¢r¿¬xj±Ç™˜&]óÚÂt”!?xºàk…>­	}tö›mÛ{§·Åµic)é‡Ï7Î
vkn4÷>in¼Ù¦÷‚úÀ‡›ð‘O:·NÖÆåÝØÉœ¸}ß•á‰:§™ÊÙöšAÓÐìc\;B.·ðqh¹§TÓeͯ÷Hoò—<5L5N1yÞêS.™I‹ÕþýV˜:þnêXFñÌW¸&Cúõ;²¤
-RfüžFCWƒ¶G–œW›Û,Ü¥Ÿ“-W]©Õky|àç*0åR}sYì‹r(´ &×ÐéiTøwõ;çà3bˆûªOzVZ/Óì®×µwÝëuÌ|Y¨áÞ¡–Fq_•ÖrNŒ‘ðÃãVÝwö”>Šç ¥÷íW^5¸ÈùµZFËðàñëa
ci—é—_1V—¯–˜m–\ŠK¤õ«nvv”ãGrb“Œ4Üàk	0Žo[eÞ¼QZ§ÓSsV*ëÓ2TïWdEéȤ•¢@.ûŒælfz†g€»—ß>µ¸#ÍyIÏUª¾Ïʳ;ƶ$Œùª’'Z_NXL	Ç}4i—ºJýRôM#áK
öV3êåg×+r$§ý&Ýïâþ.Nar6'j*õÜoÆ/ãÿ˜üncQáÇhó¡	5ä–KöL܈›ÞÉ2Îs…G]u™¡±×vÜ&©'$gJ“ÚkžâoZvvy@1Ë:>f䩦íQ.½b§™ÀWq\·P2»C'BsþY)Ÿ´P?õÌ×ônÝá4ù±æåï‘S;~TQÌÅ­ßÖìg>˜®>°éMæÁçtÝÜOBÿ¡=ë§zž7tXu\é!í“]Æ}˜ß(ùžÿÇ߆J'Ã×ç_»%»&#:Z'ZûoYSåÇN*®WÞ7Ü´3•’·)Îd±üKó|/þ òˆd^Qš=®jjì©›O	.„A÷äUŸÒæQö3çñ
-»ÉÊRÚç>.¿ÆQEì“/~9Ez“ØýB­®UbPæK¯J™š.Ñh}³Õ3«}ÈcPG:gaN§T¯»4€4ÛÝýú;œØs~—ض¬÷•'FÛjy7:âÌ?ÖzúÓÝæݯ9ùÏŽ«E§È†‹èøÄuþ÷•«”ªÓa´û²€Š1b]aÚ…_Ýw*R’ç#¶ä]o¬Øu0ÑìÓòÐæø†Ù¦W‰fÊo2«=í»Îe£Ú­µ¬Ý-·GíC†®iˆƒxmê?-H7€„þyéê3V£œô€ñî‚íºúë²
öØ<|XÓ<þ	õáìV¯Aëñ©lšC~Ó_þ$8ú¼Ñ_GUŽø¯
ý¹¯EWYWwôtgW²o¬«ñ\»$åŒbjãÎön‰]Ù'ûöÒ]ϨõÏÉ4V'•Ç²:Bê­Ð¸C➘loµ^)§`m`onû-òøàþßà¢vuC¨áCh(î_ÒèþQendstream
+æ2@	Š&X4-wDP¤2$H20I0@¹,P ‚A…ÊE ÒJi½”‹ÁŠ‚§F„‚Ü4
+& X¹ê
+ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñð&ÐÙHìŒÅÒ'Wïƒ ‰dœ™™
+Cb"܉aÚÛƒ]€T€lG£iT;œà„„E¢¼`®°púdQdÐ0ÊcABÀsaÖƒño„ŃőD€Îç^‹+D€,‚јMÄ Àæ±Ä@ÌâH‹Ž˜BØ-ÃlIØ[*FE˜)À3ù	€Yd#B~$À†98’‚ícNþ¦V6w–ðùn`±ýRJá!ùFÂ$b\6Œ
+WJ}áes®0›'¬d™bˆÏcÑ…Á| €6D²5u™à‰œyR˜íÁ³¸â‹à%²WZÁâ[2Brq¢ûdX½™ëéñ„âý‘a0@~§^ªÁw5–Ê“þd"™bBì}û°b³Ï„,„ͪ-¡(‰ÃNVQhà	Ù°€¥˜cQˆˆ±%MÀAPÜâXAk€Äâ¡,>ÌZœšx‘]&¨)ËþD¦`
+±`>Ìù3lý^ú;ÜÃ!ô€e€¬Pq—à¿Ç` ÒhÅ ØÛb?‚¶€5æß„,	ŠÂBñÒÙÄâ[sxØÈ`X
+³p½ÝË!)$¯:¹"ö³s·¿ÿ€¤õ¢­RÝ«ÙìW›ÏcÇxSÏzš‹KG‹•WŽËñ¡
+ýÏY'uÑËné_N—è^¸’VTî—Om"öxã#Ódk^Y™2åáN|­4¤5¡Ï|³m{ïô¶¸6³lãйƹÁní–^',M7Ûõž×x>ràqçÖÉÚ¸¼ë;Y·î¹0=ð"ç4sÇQ;hš}„àD(Vž#ô–»*åQ}öüz÷ô&éãTÓ³g­ÞåÒ™´XÃèßo†iâ癩eÏ|å®…k2f\¸-Oº®$eÆïm4v1j{hÍ}¹¹ÍÊMöQ0yÐzÕÅ‘ZƒöG>?W)¯Uš›ËbŸ—C¡5¹Æ{žD…W¿sΟCü¢úÔÁ§¥õríîz=Pw×Ý^§Ì…ZniWÉ•YY-÷ø	?cÍ~eV”žÂDV)äqNkÏf¦gx¸yú}¡w¸9/)À=à™ZÝ÷¼âirfÇØ–„1_u2óxë‹Á	«)Ѹ·6íbW©_Š¡y$|±ÁÑf¦@“^~f½Š©@rÚo0ü.ìïâ&gs£¦RÏþfú"nðÉï6…~Œ¶šÐ@nîËž‰q58QÆ}¦t¯s¨.36!öÚÛ%õ„DàQYR»rÍü
ëÀÎCûîSŒÃ㲎„™xh躗Ë.;h'$Ô\—-”…ÌîЉМV*¦…­FÔ=2À5½[wì™üPûR×ÈÉ?ª)–’Öokö³ïOWûlzyàYC?÷£ÐèÎú©_†çÍVS¹Ëúä—pïç7J¿üñ·¡ÒÉðõùWoʯʉ΄։Öþ›E¶TÅÑ“Êk•×Ç$
7Ìe$å-ŠOÂé,¶ižï…ÔË*‹GUM=uó)ƒ¢…0订êcÚ<Êyê<^á0YYêOûÔ{߯qT1çýù/'I¯»ŸkÔµJÊ|U)SÓ%Z­¯·zdµ¹êÉæ¬,”ê5’}Í Í~w¿áŽ=œ¹ó¿Kí[Öû*£íu¼‚p–ê<ùéNóîWÜü§Ç4¢SäÃE|â:ÿ{ªU*õ)£0Ú=y@ű®0íü¯n»
+•)Éó[ò‡®5Vì:Çlöny`wlÃlÓËDÕ7™U¦«‹ûJ*ƶábuÁÀ$ñö²×p}Â(5ñiQBCG¸ÇÀ\—$§!7!ÇM~9Šœù¸)ökµÑ)Ç÷D_uo€£ŒÚjnÿ=Õñh׺™;wáÔúBÙ˜‹jU´fŸîNç²QÝÖ…Zöî–[£Ž!Cô«Z’ ~›æO²CM áo^ºæŒÍ†DÄ$'=`¼»`»¾áºl£½$ßÖ4L}0»ÕsÐv|*›FÏo:Ì(GŸ3ùáë¨#ªÿµá£?÷µè«êꎜêìJöu1k—¦œVNmÜÙÞM8¾+ÛýóDßç—Óýsr­ÕIå±ìŽz4î ¤'&ÛK£WÆ-XØ›[ÁyO‡ü>¸ÿ7øŸh€]Ý*FŠûôwþUendstream
 endobj
 765 0 obj <<
 /Type /Font
@@ -11261,14 +11260,14 @@ endobj
 /FirstChar 13
 /LastChar 110
 /Widths 2281 0 R
-/BaseFont /HJXDKC+CMSY10
+/BaseFont /LCAUYB+CMSY10
 /FontDescriptor 763 0 R
 >> endobj
 763 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /HJXDKC+CMSY10
+/FontName /LCAUYB+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
@@ -11292,7 +11291,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNNDEIRœêŸ©ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
+xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdUb&¶&ÖygCk#€´…‘‰­£	ÀÔÎ`ý€‘­±Å?¥9ÒþÅpíMŒ,þn3q32±ÿÇE
°7q°±ptüû°p˜9Ø:ýí“ÀÂÖÈÚÙøí¦vÿ²w°ûaó×÷LÞÎÑÉÑÈÁÂÞ	ð7«¼°èðt27pú'·£Å_7ÀÎôo¤±‘ó?%ýëûó×ëd`aëp2qsú'—¡	ÀØÂÑÞÚÀýoî¿`öÿÒpv´°5û/Ô3ckGÇ¿0±ÿéÎÕ	ø_ª7°··vÿw·Ý¿Qÿ“ƒ…“£‰µ)-ãßœFNs›YØBÑýsT$lMíôÿa7v¶ÿOŸ‹‰Ã¿
"ÿçÌPü%a`lgkí061…¢“µsú›@þ§2íÿ;‘ÿHüÿDàÿ'òþÿ÷¿kô¿\âÿ¿÷ù¿C‹:[[Ëؘü»	ðŸ3 
øgÈØþoÑ6Öîÿ§øÿ©fò$ÿ0N[!`köWzZúÿ0Z8ŠZ¸™Ë[8™L
¬ÿöé_»Š­±‰ƒµ…­É_=ÿm%€†žþ¿ù”Í-Œ¬lÿi<˸Llÿ;÷¿ýËœNR@V\X꟩ÿÆÉÿÕÞIÙÝþ/µÿQŠŒñÿ\üƒ"(hçð¤a`eÐ0²3ý½rŒf&ïÿCÆþk-càä`áÐú[6=ÿÅÿÏ­tþŒˆ­‘ñ?§EÉÉÀÖøïûŸ†ÜFÎuý÷Îÿ-ú?×ÿu7#¨µßvF\A–i™éNuè¹#SÂZ} #Áö¥ÊE~5v½¾ia8*õ?jƒi›f8¿ÚÝ—Ïì?$)ÇúЬÉzSL®òq¼‰(ú·H;Ù¨ètKaÓÏÕ¢<¯—¤w@5YéUw§uK>Àqg:™ ¯Ÿ)üˆ\
 üPˆŸìá|ŒRbQ»š€ê
 ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
 Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ™C	½‰h1R^iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†ÅÄ ö¶‘ÛMüc,‚¨×]EI[™Y…	¸îˆ0^ÆMÏm}™×Ë 3ž@óɪ0öGƺ°>KÛyE‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c
³öB8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å+åýdä„P9Œ,U•äD¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W	WâãÆ[.¸N5ÈõëZS†
@@ -11386,7 +11385,7 @@ A
 ­u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn
ÐÅ—6¹s²R¯aÆ‹úr×€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ
(N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_¢£J¾:¤ íéJ$<ÂBÿˆSUÅöìMø›Yr¤˜¾ÃÈ×`Qíå?›Ù±VƒÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F¸¯xÀÁ¦ÿàB*·ÛvªR&¤N<•ê`¢µ+çN¼é¬
 g¤£Ê¾2f~mû„m}…i¶xÄãæužÙÆœ»‚ÙüÂx\Ôt{™CÀåò	›ËøýÈ·'5'	ªzqvipd×kµ»¶j©@ƒæ…:Íw¾?bøàôVs,%ãIP¡ÍSÃ…„A³ô‰ìDª`Ïûñ,{r˜¦fY—AÀ˜EÏ¡+LNä^õ,¸¬Y¼B™¡9ÛœÐç†dbTC4è¿JLWl©0Âkž ^¸ùT›Úò«¾¦ét«§^Þí§/‡3SÄ蚇dQœv(CÜ쇵È%#¾j0Æ7›5pEZ‡ì—,í¼éÀOÇéÃõ¤¯(CæýéZb4üÁP”™Γ{5Þ…k`åùÃJÙãpÔféAvs,µp̈Õ.¨±g¸Ño¡µ°±P9:Ý,'c|Ì1eÁh†M~‘fQÞúûdú9’LÈúôÖN0–"/Ó|8׃ҿ]‰/óûÚûس˜z$©Ôü³[<~q÷é#ƒä2
 'óP4I×¥ŸÐ?`b¬FH.÷R}ÿÀ#]«iÀAñ7FÌÐ5øùq6O‰Ç/êúWbõÑFåq-¢´ð
§]xžök%˜Ã–td˜¯‘ŒÎ¼r¿?qEµÀ¡Glq_åOÎ1ŠL$HülÓ‚|²ëÅ›:vÐ
Ø›¨†À<¬è2ëg8„7ë%j ÅL/ARWˆŠmõƒÑ±)Cðî&œ£Ò(q14ŒED;ÌjdWåqêÒÚ8ß'‡õt˜{r›`üz$¸~ЗV-ðr#QcªžÉ¹=H­EÍëCóIîÁÕŒ–aYÅuz8UG²þºÝ¡HJP+dGR]¤IؘNd'×DóN'é[ºqÆIÒĵF,·;Å—d•”©7•‘W­_ˆF®kô­é¢á£tΘ~­
yTjænUÀNöÂߥ6”éŸì¶\e>:3‚t{ù^÷p*kõ!1ñÖ3«/¥tŒëÖÈ|æeWç¯ÛQ#`IbýÍÃ$ŒPÍXÉSKUŽž¡’`ËAÅžþ›m­%N©ò’÷Y¥Ê¡K_º`ÕsYGõ¾ìŸö¨,4ƒ“³›¯HC'Ÿû89cá[ãÛ2?ÆN¼	ü±ù#°¥ª0ägã¶,Š¢œ¡. éj”¿ê?ÉxG# Ò+“Å.ă-†cå-Yo¢UÄVõñÈö15Ò»æ¾Ýc@@íéíAŸLüUÜêÏÉ…ÜÔ¿©ÿÌZÏ‚ñåÎSUn9“mbµf[‘€Š±ÑT8D1¿4г#hqÙך½E9É{Ь¶uîœb…M'­?/ÖGÐÿéε%¨˜Gš±Ñ3?hßó¤¸þa¶„çŽØyžÓ€’^`´ý×Þz\‹÷¶v«áP{ÑÑ•Ih~×`5»æ0ïfM…ÂÛ
-ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶ûCm¹Aendstream
+ä&oH[œ¯A•9fÜË•ÿ+J†'¡1ê’ëyC\<†æ›îyʇfäiX.²¢¦	ËÅoöøA…°•#ó3ÆÎÑ—ï;¦ûÁ_;râw‚›ìĽÅzi“Ã+Yxh­ÀêÐÃz5xu¾5)sþ³py}Mµ~à
óÿ¸ÿüŸ˜Øš9ÿv°3r¶û³¹)endstream
 endobj
 762 0 obj <<
 /Type /Font
@@ -11395,14 +11394,14 @@ endobj
 /FirstChar 2
 /LastChar 216
 /Widths 2282 0 R
-/BaseFont /OEUSJH+URWPalladioL-Roma
+/BaseFont /JANHDQ+URWPalladioL-Roma
 /FontDescriptor 760 0 R
 >> endobj
 760 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /OEUSJH+URWPalladioL-Roma
+/FontName /JANHDQ+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
@@ -11422,7 +11421,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:I%%
AªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc;iA;kc‚3)©£‰³…­°³	'š‰1°‰##)½‡£…™¹3ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì	~²Ê‹þOgsçr;Yü¸	ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:iUu!IªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
 Šº%`¸3LŽ7)ü‰]üQHžíá|ÒâP»šê
 ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
 KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó#\2®˜Æíß»OÍß
6.â'¢ÿp$iÊíù2ŸÒ;LÛ–Oòá ±Fóyº)‘ùµ©ãà~¥ŸC¡ë­„aø
ÅÑ«¨ÙûGæhg[&óâ<1—Xû²Âø{iª_“¸bf)¦Œ²§T˜
ÜÓ»GAe!ógF玦àUa!*ÚZ0Ÿðç/èa0¼€ž~£œ†äwÝo	âïfŸJ³xÛw®ÞaÇL¿õ0è^š`8¿Ú	Ù4Ùç÷Ï©4†V×"”]BÝ3pþà·½_) èIÞ\H$séåXŒ{Òb^Z,ÃÛ6ö©ÉÁ¬–R2µCÇŠ‰t(£ˆOܲÓ7‚9òó`e€²ä@y%0júAÈëRÿ˜à˜~xƒ4wÖ5çíÂàÖ±åmÝÓ×â}=Ð’tRX[>͔ҞÐRÔ "çH³l/é•_r> endobj
 736 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /JSSYBU+URWPalladioL-Bold
+/FontName /LVXCAJ+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
@@ -13070,7 +13069,7 @@ endobj
 >> endobj
 2295 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20091016041913Z)
+/CreationDate (D:20091017011317Z)
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
@@ -13082,727 +13081,727 @@ xref
 0000000000 00000 f 
 0000000009 00000 n 
 0000073718 00000 n 
-0000805513 00000 n 
+0000805504 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
 0000073842 00000 n 
-0000805441 00000 n 
+0000805432 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
 0000073967 00000 n 
-0000805355 00000 n 
+0000805346 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
 0000074092 00000 n 
-0000805269 00000 n 
+0000805260 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
 0000078417 00000 n 
-0000805159 00000 n 
+0000805150 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
 0000078541 00000 n 
-0000805085 00000 n 
+0000805076 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
 0000078666 00000 n 
-0000804998 00000 n 
+0000804989 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
 0000078790 00000 n 
-0000804911 00000 n 
+0000804902 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
 0000083079 00000 n 
-0000804787 00000 n 
+0000804778 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
 0000083207 00000 n 
-0000804713 00000 n 
+0000804704 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
 0000083335 00000 n 
-0000804626 00000 n 
+0000804617 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
 0000083463 00000 n 
-0000804552 00000 n 
+0000804543 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
 0000086445 00000 n 
-0000804428 00000 n 
+0000804419 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
 0000086573 00000 n 
-0000804367 00000 n 
+0000804358 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
 0000086701 00000 n 
-0000804293 00000 n 
+0000804284 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
 0000089643 00000 n 
-0000804168 00000 n 
+0000804159 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
 0000089771 00000 n 
-0000804094 00000 n 
+0000804085 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
 0000089899 00000 n 
-0000804007 00000 n 
+0000803998 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
 0000090027 00000 n 
-0000803920 00000 n 
+0000803911 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
 0000090154 00000 n 
-0000803833 00000 n 
+0000803824 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
 0000091231 00000 n 
-0000803759 00000 n 
+0000803750 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
 0000092890 00000 n 
-0000803631 00000 n 
+0000803622 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
 0000093017 00000 n 
-0000803518 00000 n 
+0000803509 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
 0000093145 00000 n 
-0000803442 00000 n 
+0000803433 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
 0000093273 00000 n 
-0000803365 00000 n 
+0000803356 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
 0000095719 00000 n 
-0000803274 00000 n 
+0000803265 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
 0000099057 00000 n 
-0000803157 00000 n 
+0000803148 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
 0000099185 00000 n 
-0000803039 00000 n 
+0000803030 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
 0000099313 00000 n 
-0000802960 00000 n 
+0000802951 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
 0000099442 00000 n 
-0000802881 00000 n 
+0000802872 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
 0000111318 00000 n 
-0000802802 00000 n 
+0000802793 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
 0000116628 00000 n 
-0000802670 00000 n 
+0000802661 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
 0000116757 00000 n 
-0000802591 00000 n 
+0000802582 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
 0000116886 00000 n 
-0000802459 00000 n 
+0000802450 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
 0000117015 00000 n 
-0000802394 00000 n 
+0000802385 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
 0000121390 00000 n 
-0000802301 00000 n 
+0000802292 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
 0000121519 00000 n 
-0000802169 00000 n 
+0000802160 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
 0000121648 00000 n 
-0000802104 00000 n 
+0000802095 00000 n 
 0000003632 00000 n 
 0000003681 00000 n 
 0000128465 00000 n 
-0000801972 00000 n 
+0000801963 00000 n 
 0000003730 00000 n 
 0000003758 00000 n 
 0000131234 00000 n 
-0000801854 00000 n 
+0000801845 00000 n 
 0000003812 00000 n 
 0000003881 00000 n 
 0000131363 00000 n 
-0000801775 00000 n 
+0000801766 00000 n 
 0000003940 00000 n 
 0000003988 00000 n 
 0000131492 00000 n 
-0000801696 00000 n 
+0000801687 00000 n 
 0000004047 00000 n 
 0000004092 00000 n 
 0000131621 00000 n 
-0000801603 00000 n 
+0000801594 00000 n 
 0000004146 00000 n 
 0000004214 00000 n 
 0000131750 00000 n 
-0000801510 00000 n 
+0000801501 00000 n 
 0000004268 00000 n 
 0000004338 00000 n 
 0000131879 00000 n 
-0000801417 00000 n 
+0000801408 00000 n 
 0000004392 00000 n 
 0000004455 00000 n 
 0000135612 00000 n 
-0000801324 00000 n 
+0000801315 00000 n 
 0000004509 00000 n 
 0000004564 00000 n 
 0000135741 00000 n 
-0000801245 00000 n 
+0000801236 00000 n 
 0000004618 00000 n 
 0000004650 00000 n 
 0000135870 00000 n 
-0000801152 00000 n 
+0000801143 00000 n 
 0000004699 00000 n 
 0000004727 00000 n 
 0000139474 00000 n 
-0000801059 00000 n 
+0000801050 00000 n 
 0000004776 00000 n 
 0000004808 00000 n 
 0000139603 00000 n 
-0000800927 00000 n 
+0000800918 00000 n 
 0000004857 00000 n 
 0000004887 00000 n 
 0000139732 00000 n 
-0000800848 00000 n 
+0000800839 00000 n 
 0000004941 00000 n 
 0000004982 00000 n 
 0000143462 00000 n 
-0000800755 00000 n 
+0000800746 00000 n 
 0000005036 00000 n 
 0000005078 00000 n 
 0000143591 00000 n 
-0000800676 00000 n 
+0000800667 00000 n 
 0000005132 00000 n 
 0000005177 00000 n 
 0000149546 00000 n 
-0000800558 00000 n 
+0000800549 00000 n 
 0000005226 00000 n 
 0000005272 00000 n 
 0000149675 00000 n 
-0000800479 00000 n 
+0000800470 00000 n 
 0000005326 00000 n 
 0000005386 00000 n 
 0000149804 00000 n 
-0000800400 00000 n 
+0000800391 00000 n 
 0000005440 00000 n 
 0000005509 00000 n 
 0000152988 00000 n 
-0000800267 00000 n 
+0000800258 00000 n 
 0000005556 00000 n 
 0000005609 00000 n 
 0000153117 00000 n 
-0000800188 00000 n 
+0000800179 00000 n 
 0000005658 00000 n 
 0000005714 00000 n 
 0000153246 00000 n 
-0000800109 00000 n 
+0000800100 00000 n 
 0000005763 00000 n 
 0000005812 00000 n 
 0000157515 00000 n 
-0000799976 00000 n 
+0000799967 00000 n 
 0000005859 00000 n 
 0000005911 00000 n 
 0000157644 00000 n 
-0000799858 00000 n 
+0000799849 00000 n 
 0000005960 00000 n 
 0000006011 00000 n 
 0000162334 00000 n 
-0000799740 00000 n 
+0000799731 00000 n 
 0000006065 00000 n 
 0000006110 00000 n 
 0000162462 00000 n 
-0000799661 00000 n 
+0000799652 00000 n 
 0000006169 00000 n 
 0000006203 00000 n 
 0000166052 00000 n 
-0000799582 00000 n 
+0000799573 00000 n 
 0000006262 00000 n 
 0000006310 00000 n 
 0000166181 00000 n 
-0000799464 00000 n 
+0000799455 00000 n 
 0000006364 00000 n 
 0000006404 00000 n 
 0000166310 00000 n 
-0000799385 00000 n 
+0000799376 00000 n 
 0000006463 00000 n 
 0000006497 00000 n 
 0000170086 00000 n 
-0000799306 00000 n 
+0000799297 00000 n 
 0000006556 00000 n 
 0000006604 00000 n 
 0000170215 00000 n 
-0000799173 00000 n 
+0000799164 00000 n 
 0000006653 00000 n 
 0000006703 00000 n 
 0000173283 00000 n 
-0000799094 00000 n 
+0000799085 00000 n 
 0000006757 00000 n 
 0000006804 00000 n 
 0000173411 00000 n 
-0000799001 00000 n 
+0000798992 00000 n 
 0000006858 00000 n 
 0000006918 00000 n 
 0000173670 00000 n 
-0000798908 00000 n 
+0000798899 00000 n 
 0000006972 00000 n 
 0000007024 00000 n 
 0000178850 00000 n 
-0000798815 00000 n 
+0000798806 00000 n 
 0000007078 00000 n 
 0000007143 00000 n 
 0000178979 00000 n 
-0000798722 00000 n 
+0000798713 00000 n 
 0000007197 00000 n 
 0000007248 00000 n 
 0000182453 00000 n 
-0000798629 00000 n 
+0000798620 00000 n 
 0000007302 00000 n 
 0000007366 00000 n 
 0000182582 00000 n 
-0000798536 00000 n 
+0000798527 00000 n 
 0000007420 00000 n 
 0000007467 00000 n 
 0000182711 00000 n 
-0000798443 00000 n 
+0000798434 00000 n 
 0000007521 00000 n 
 0000007581 00000 n 
 0000182840 00000 n 
-0000798350 00000 n 
+0000798341 00000 n 
 0000007635 00000 n 
 0000007686 00000 n 
 0000186856 00000 n 
-0000798218 00000 n 
+0000798209 00000 n 
 0000007741 00000 n 
 0000007806 00000 n 
 0000186985 00000 n 
-0000798139 00000 n 
+0000798130 00000 n 
 0000007866 00000 n 
 0000007913 00000 n 
 0000193801 00000 n 
-0000798046 00000 n 
+0000798037 00000 n 
 0000007973 00000 n 
 0000008021 00000 n 
 0000200933 00000 n 
-0000797967 00000 n 
+0000797958 00000 n 
 0000008081 00000 n 
 0000008135 00000 n 
 0000204634 00000 n 
-0000797874 00000 n 
+0000797865 00000 n 
 0000008190 00000 n 
 0000008240 00000 n 
 0000204763 00000 n 
-0000797781 00000 n 
+0000797772 00000 n 
 0000008295 00000 n 
 0000008358 00000 n 
 0000206494 00000 n 
-0000797688 00000 n 
+0000797679 00000 n 
 0000008413 00000 n 
 0000008465 00000 n 
 0000206623 00000 n 
-0000797595 00000 n 
+0000797586 00000 n 
 0000008520 00000 n 
 0000008585 00000 n 
 0000206751 00000 n 
-0000797502 00000 n 
+0000797493 00000 n 
 0000008640 00000 n 
 0000008692 00000 n 
 0000212695 00000 n 
-0000797369 00000 n 
+0000797360 00000 n 
 0000008747 00000 n 
 0000008812 00000 n 
 0000225755 00000 n 
-0000797290 00000 n 
+0000797281 00000 n 
 0000008872 00000 n 
 0000008916 00000 n 
 0000247041 00000 n 
-0000797197 00000 n 
+0000797188 00000 n 
 0000008976 00000 n 
 0000009015 00000 n 
 0000247170 00000 n 
-0000797104 00000 n 
+0000797095 00000 n 
 0000009075 00000 n 
 0000009122 00000 n 
 0000250690 00000 n 
-0000797011 00000 n 
+0000797002 00000 n 
 0000009182 00000 n 
 0000009225 00000 n 
 0000254909 00000 n 
-0000796918 00000 n 
+0000796909 00000 n 
 0000009285 00000 n 
 0000009324 00000 n 
 0000258591 00000 n 
-0000796825 00000 n 
+0000796816 00000 n 
 0000009384 00000 n 
 0000009426 00000 n 
 0000261570 00000 n 
-0000796732 00000 n 
+0000796723 00000 n 
 0000009486 00000 n 
 0000009529 00000 n 
 0000268763 00000 n 
-0000796639 00000 n 
+0000796630 00000 n 
 0000009589 00000 n 
 0000009632 00000 n 
 0000273216 00000 n 
-0000796546 00000 n 
+0000796537 00000 n 
 0000009692 00000 n 
 0000009753 00000 n 
 0000273345 00000 n 
-0000796453 00000 n 
+0000796444 00000 n 
 0000009814 00000 n 
 0000009866 00000 n 
 0000277183 00000 n 
-0000796360 00000 n 
+0000796351 00000 n 
 0000009927 00000 n 
 0000009980 00000 n 
 0000281531 00000 n 
-0000796267 00000 n 
+0000796258 00000 n 
 0000010041 00000 n 
 0000010079 00000 n 
 0000281660 00000 n 
-0000796174 00000 n 
+0000796165 00000 n 
 0000010140 00000 n 
 0000010192 00000 n 
 0000284521 00000 n 
-0000796081 00000 n 
+0000796072 00000 n 
 0000010253 00000 n 
 0000010297 00000 n 
 0000287771 00000 n 
-0000795988 00000 n 
+0000795979 00000 n 
 0000010358 00000 n 
 0000010394 00000 n 
 0000296681 00000 n 
-0000795895 00000 n 
+0000795886 00000 n 
 0000010455 00000 n 
 0000010518 00000 n 
 0000296810 00000 n 
-0000795802 00000 n 
+0000795793 00000 n 
 0000010579 00000 n 
 0000010629 00000 n 
 0000303992 00000 n 
-0000795709 00000 n 
+0000795700 00000 n 
 0000010690 00000 n 
 0000010746 00000 n 
 0000304121 00000 n 
-0000795630 00000 n 
+0000795621 00000 n 
 0000010807 00000 n 
 0000010854 00000 n 
 0000307820 00000 n 
-0000795537 00000 n 
+0000795528 00000 n 
 0000010909 00000 n 
 0000010960 00000 n 
 0000311807 00000 n 
-0000795444 00000 n 
+0000795435 00000 n 
 0000011015 00000 n 
 0000011079 00000 n 
 0000316255 00000 n 
-0000795351 00000 n 
+0000795342 00000 n 
 0000011134 00000 n 
 0000011198 00000 n 
 0000316382 00000 n 
-0000795258 00000 n 
+0000795249 00000 n 
 0000011253 00000 n 
 0000011330 00000 n 
 0000319939 00000 n 
-0000795165 00000 n 
+0000795156 00000 n 
 0000011385 00000 n 
 0000011442 00000 n 
 0000320068 00000 n 
-0000795072 00000 n 
+0000795063 00000 n 
 0000011497 00000 n 
 0000011567 00000 n 
 0000320197 00000 n 
-0000794979 00000 n 
+0000794970 00000 n 
 0000011622 00000 n 
 0000011679 00000 n 
 0000320326 00000 n 
-0000794886 00000 n 
+0000794877 00000 n 
 0000011734 00000 n 
 0000011804 00000 n 
 0000324485 00000 n 
-0000794793 00000 n 
+0000794784 00000 n 
 0000011859 00000 n 
 0000011908 00000 n 
 0000324614 00000 n 
-0000794700 00000 n 
+0000794691 00000 n 
 0000011963 00000 n 
 0000012025 00000 n 
 0000326888 00000 n 
-0000794607 00000 n 
+0000794598 00000 n 
 0000012080 00000 n 
 0000012129 00000 n 
 0000332417 00000 n 
-0000794489 00000 n 
+0000794480 00000 n 
 0000012184 00000 n 
 0000012246 00000 n 
 0000332545 00000 n 
-0000794410 00000 n 
+0000794401 00000 n 
 0000012306 00000 n 
 0000012345 00000 n 
 0000336872 00000 n 
-0000794317 00000 n 
+0000794308 00000 n 
 0000012405 00000 n 
 0000012439 00000 n 
 0000342789 00000 n 
-0000794224 00000 n 
+0000794215 00000 n 
 0000012499 00000 n 
 0000012540 00000 n 
 0000358643 00000 n 
-0000794145 00000 n 
+0000794136 00000 n 
 0000012600 00000 n 
 0000012652 00000 n 
 0000365954 00000 n 
-0000794013 00000 n 
+0000794004 00000 n 
 0000012701 00000 n 
 0000012734 00000 n 
 0000366083 00000 n 
-0000793895 00000 n 
+0000793886 00000 n 
 0000012788 00000 n 
 0000012860 00000 n 
 0000366211 00000 n 
-0000793816 00000 n 
+0000793807 00000 n 
 0000012919 00000 n 
 0000012963 00000 n 
 0000373628 00000 n 
-0000793737 00000 n 
+0000793728 00000 n 
 0000013022 00000 n 
 0000013075 00000 n 
 0000377401 00000 n 
-0000793644 00000 n 
+0000793635 00000 n 
 0000013129 00000 n 
 0000013179 00000 n 
 0000377659 00000 n 
-0000793551 00000 n 
+0000793542 00000 n 
 0000013233 00000 n 
 0000013271 00000 n 
 0000381109 00000 n 
-0000793458 00000 n 
+0000793449 00000 n 
 0000013325 00000 n 
 0000013374 00000 n 
 0000381367 00000 n 
-0000793326 00000 n 
+0000793317 00000 n 
 0000013428 00000 n 
 0000013480 00000 n 
 0000381495 00000 n 
-0000793247 00000 n 
+0000793238 00000 n 
 0000013539 00000 n 
 0000013584 00000 n 
 0000381624 00000 n 
-0000793154 00000 n 
+0000793145 00000 n 
 0000013643 00000 n 
 0000013695 00000 n 
 0000384247 00000 n 
-0000793061 00000 n 
+0000793052 00000 n 
 0000013754 00000 n 
 0000013807 00000 n 
 0000384376 00000 n 
-0000792982 00000 n 
+0000792973 00000 n 
 0000013866 00000 n 
 0000013915 00000 n 
 0000384505 00000 n 
-0000792889 00000 n 
+0000792880 00000 n 
 0000013969 00000 n 
 0000014049 00000 n 
 0000391606 00000 n 
-0000792810 00000 n 
+0000792801 00000 n 
 0000014103 00000 n 
 0000014152 00000 n 
 0000391735 00000 n 
-0000792692 00000 n 
+0000792683 00000 n 
 0000014201 00000 n 
 0000014241 00000 n 
 0000395175 00000 n 
-0000792613 00000 n 
+0000792604 00000 n 
 0000014300 00000 n 
 0000014347 00000 n 
 0000395304 00000 n 
-0000792495 00000 n 
+0000792486 00000 n 
 0000014401 00000 n 
 0000014446 00000 n 
 0000395433 00000 n 
-0000792416 00000 n 
+0000792407 00000 n 
 0000014505 00000 n 
 0000014564 00000 n 
 0000399189 00000 n 
-0000792323 00000 n 
+0000792314 00000 n 
 0000014623 00000 n 
 0000014687 00000 n 
 0000402906 00000 n 
-0000792230 00000 n 
+0000792221 00000 n 
 0000014746 00000 n 
 0000014802 00000 n 
 0000405923 00000 n 
-0000792137 00000 n 
+0000792128 00000 n 
 0000014861 00000 n 
 0000014919 00000 n 
 0000406181 00000 n 
-0000792058 00000 n 
+0000792049 00000 n 
 0000014978 00000 n 
 0000015040 00000 n 
 0000408343 00000 n 
-0000791925 00000 n 
+0000791916 00000 n 
 0000015087 00000 n 
 0000015139 00000 n 
 0000408472 00000 n 
-0000791846 00000 n 
+0000791837 00000 n 
 0000015188 00000 n 
 0000015232 00000 n 
 0000412506 00000 n 
-0000791714 00000 n 
+0000791705 00000 n 
 0000015281 00000 n 
 0000015322 00000 n 
 0000412635 00000 n 
-0000791635 00000 n 
+0000791626 00000 n 
 0000015376 00000 n 
 0000015424 00000 n 
 0000412763 00000 n 
-0000791556 00000 n 
+0000791547 00000 n 
 0000015478 00000 n 
 0000015529 00000 n 
 0000412892 00000 n 
-0000791477 00000 n 
+0000791468 00000 n 
 0000015578 00000 n 
 0000015625 00000 n 
 0000417486 00000 n 
-0000791344 00000 n 
+0000791335 00000 n 
 0000015672 00000 n 
 0000015709 00000 n 
 0000417615 00000 n 
-0000791226 00000 n 
+0000791217 00000 n 
 0000015758 00000 n 
 0000015797 00000 n 
 0000417744 00000 n 
-0000791161 00000 n 
+0000791152 00000 n 
 0000015851 00000 n 
 0000015929 00000 n 
 0000417873 00000 n 
-0000791068 00000 n 
+0000791059 00000 n 
 0000015978 00000 n 
 0000016045 00000 n 
 0000418002 00000 n 
-0000790989 00000 n 
+0000790980 00000 n 
 0000016094 00000 n 
 0000016139 00000 n 
 0000421442 00000 n 
-0000790856 00000 n 
+0000790847 00000 n 
 0000016187 00000 n 
 0000016219 00000 n 
 0000421571 00000 n 
-0000790738 00000 n 
+0000790729 00000 n 
 0000016268 00000 n 
 0000016307 00000 n 
 0000421700 00000 n 
-0000790673 00000 n 
+0000790664 00000 n 
 0000016361 00000 n 
 0000016422 00000 n 
 0000425381 00000 n 
-0000790541 00000 n 
+0000790532 00000 n 
 0000016471 00000 n 
 0000016528 00000 n 
 0000425510 00000 n 
-0000790476 00000 n 
+0000790467 00000 n 
 0000016582 00000 n 
 0000016631 00000 n 
 0000425639 00000 n 
-0000790358 00000 n 
+0000790349 00000 n 
 0000016680 00000 n 
 0000016742 00000 n 
 0000425768 00000 n 
-0000790279 00000 n 
+0000790270 00000 n 
 0000016796 00000 n 
 0000016851 00000 n 
 0000449791 00000 n 
-0000790186 00000 n 
+0000790177 00000 n 
 0000016905 00000 n 
 0000016946 00000 n 
 0000449920 00000 n 
-0000790107 00000 n 
+0000790098 00000 n 
 0000017000 00000 n 
 0000017052 00000 n 
 0000452651 00000 n 
-0000789987 00000 n 
+0000789978 00000 n 
 0000017100 00000 n 
 0000017134 00000 n 
 0000452780 00000 n 
-0000789908 00000 n 
+0000789899 00000 n 
 0000017183 00000 n 
 0000017210 00000 n 
 0000470602 00000 n 
-0000789815 00000 n 
+0000789806 00000 n 
 0000017259 00000 n 
 0000017287 00000 n 
 0000478136 00000 n 
-0000789722 00000 n 
+0000789713 00000 n 
 0000017336 00000 n 
 0000017376 00000 n 
 0000484458 00000 n 
-0000789629 00000 n 
+0000789620 00000 n 
 0000017425 00000 n 
 0000017468 00000 n 
-0000490821 00000 n 
-0000789536 00000 n 
+0000490817 00000 n 
+0000789527 00000 n 
 0000017517 00000 n 
 0000017554 00000 n 
-0000501086 00000 n 
-0000789443 00000 n 
+0000501081 00000 n 
+0000789434 00000 n 
 0000017603 00000 n 
 0000017640 00000 n 
-0000503658 00000 n 
-0000789350 00000 n 
+0000503653 00000 n 
+0000789341 00000 n 
 0000017689 00000 n 
 0000017727 00000 n 
-0000510247 00000 n 
-0000789257 00000 n 
+0000510239 00000 n 
+0000789248 00000 n 
 0000017776 00000 n 
 0000017815 00000 n 
-0000523669 00000 n 
-0000789164 00000 n 
+0000523661 00000 n 
+0000789155 00000 n 
 0000017864 00000 n 
 0000017903 00000 n 
-0000526629 00000 n 
-0000789071 00000 n 
+0000526621 00000 n 
+0000789062 00000 n 
 0000017953 00000 n 
 0000017993 00000 n 
-0000532806 00000 n 
-0000788978 00000 n 
+0000532798 00000 n 
+0000788969 00000 n 
 0000018043 00000 n 
 0000018073 00000 n 
-0000542131 00000 n 
-0000788885 00000 n 
+0000542123 00000 n 
+0000788876 00000 n 
 0000018123 00000 n 
 0000018156 00000 n 
-0000556229 00000 n 
-0000788792 00000 n 
+0000556221 00000 n 
+0000788783 00000 n 
 0000018206 00000 n 
 0000018235 00000 n 
-0000563535 00000 n 
-0000788699 00000 n 
+0000563527 00000 n 
+0000788690 00000 n 
 0000018285 00000 n 
 0000018319 00000 n 
-0000569223 00000 n 
-0000788606 00000 n 
+0000569215 00000 n 
+0000788597 00000 n 
 0000018369 00000 n 
 0000018406 00000 n 
-0000572490 00000 n 
-0000788527 00000 n 
+0000572482 00000 n 
+0000788518 00000 n 
 0000018456 00000 n 
 0000018493 00000 n 
 0000018862 00000 n 
@@ -13811,10 +13810,10 @@ xref
 0000018546 00000 n 
 0000026687 00000 n 
 0000026750 00000 n 
-0000783538 00000 n 
-0000757595 00000 n 
-0000783364 00000 n 
-0000784563 00000 n 
+0000783529 00000 n 
+0000757586 00000 n 
+0000783355 00000 n 
+0000784554 00000 n 
 0000021847 00000 n 
 0000022064 00000 n 
 0000022133 00000 n 
@@ -13835,12 +13834,12 @@ xref
 0000027992 00000 n 
 0000026913 00000 n 
 0000028114 00000 n 
-0000756374 00000 n 
-0000729853 00000 n 
-0000756200 00000 n 
-0000729168 00000 n 
-0000727024 00000 n 
-0000729004 00000 n 
+0000756365 00000 n 
+0000729844 00000 n 
+0000756191 00000 n 
+0000729159 00000 n 
+0000727015 00000 n 
+0000728995 00000 n 
 0000039881 00000 n 
 0000031232 00000 n 
 0000028262 00000 n 
@@ -13900,9 +13899,9 @@ xref
 0000043217 00000 n 
 0000039966 00000 n 
 0000053208 00000 n 
-0000726473 00000 n 
-0000709392 00000 n 
-0000726289 00000 n 
+0000726464 00000 n 
+0000709383 00000 n 
+0000726280 00000 n 
 0000043807 00000 n 
 0000043970 00000 n 
 0000044133 00000 n 
@@ -14000,9 +13999,9 @@ xref
 0000062911 00000 n 
 0000063078 00000 n 
 0000063244 00000 n 
-0000708503 00000 n 
-0000687172 00000 n 
-0000708329 00000 n 
+0000708494 00000 n 
+0000687163 00000 n 
+0000708320 00000 n 
 0000063410 00000 n 
 0000063576 00000 n 
 0000063731 00000 n 
@@ -14042,9 +14041,9 @@ xref
 0000070157 00000 n 
 0000070314 00000 n 
 0000070472 00000 n 
-0000686206 00000 n 
-0000666239 00000 n 
-0000686033 00000 n 
+0000686197 00000 n 
+0000666230 00000 n 
+0000686024 00000 n 
 0000070630 00000 n 
 0000070788 00000 n 
 0000070946 00000 n 
@@ -14058,10 +14057,10 @@ xref
 0000074154 00000 n 
 0000074217 00000 n 
 0000074280 00000 n 
-0000665445 00000 n 
-0000647128 00000 n 
-0000665272 00000 n 
-0000784681 00000 n 
+0000665436 00000 n 
+0000647119 00000 n 
+0000665263 00000 n 
+0000784672 00000 n 
 0000078914 00000 n 
 0000077734 00000 n 
 0000074467 00000 n 
@@ -14119,7 +14118,7 @@ xref
 0000093080 00000 n 
 0000093208 00000 n 
 0000093337 00000 n 
-0000784803 00000 n 
+0000784794 00000 n 
 0000095978 00000 n 
 0000095348 00000 n 
 0000093501 00000 n 
@@ -14135,17 +14134,17 @@ xref
 0000098992 00000 n 
 0000099121 00000 n 
 0000099248 00000 n 
-0000646445 00000 n 
-0000634383 00000 n 
-0000646266 00000 n 
+0000646436 00000 n 
+0000634374 00000 n 
+0000646257 00000 n 
 0000099506 00000 n 
 0000103690 00000 n 
 0000102964 00000 n 
 0000099697 00000 n 
 0000103625 00000 n 
-0000633810 00000 n 
-0000622826 00000 n 
-0000633631 00000 n 
+0000633801 00000 n 
+0000622818 00000 n 
+0000633622 00000 n 
 0000103129 00000 n 
 0000103283 00000 n 
 0000103454 00000 n 
@@ -14173,16 +14172,16 @@ xref
 0000116821 00000 n 
 0000116068 00000 n 
 0000116230 00000 n 
-0000621928 00000 n 
-0000612132 00000 n 
-0000621754 00000 n 
-0000611568 00000 n 
-0000602482 00000 n 
-0000611393 00000 n 
+0000621920 00000 n 
+0000612124 00000 n 
+0000621746 00000 n 
+0000611560 00000 n 
+0000602474 00000 n 
+0000611385 00000 n 
 0000116950 00000 n 
 0000116392 00000 n 
 0000117079 00000 n 
-0000784928 00000 n 
+0000784919 00000 n 
 0000115897 00000 n 
 0000115955 00000 n 
 0000116045 00000 n 
@@ -14230,7 +14229,7 @@ xref
 0000135376 00000 n 
 0000135805 00000 n 
 0000135934 00000 n 
-0000785053 00000 n 
+0000785044 00000 n 
 0000139861 00000 n 
 0000139283 00000 n 
 0000136136 00000 n 
@@ -14252,9 +14251,9 @@ xref
 0000149173 00000 n 
 0000146256 00000 n 
 0000149481 00000 n 
-0000602207 00000 n 
-0000598848 00000 n 
-0000602028 00000 n 
+0000602199 00000 n 
+0000598841 00000 n 
+0000602020 00000 n 
 0000149610 00000 n 
 0000149320 00000 n 
 0000149739 00000 n 
@@ -14271,7 +14270,7 @@ xref
 0000153052 00000 n 
 0000153181 00000 n 
 0000153310 00000 n 
-0000785178 00000 n 
+0000785169 00000 n 
 0000153815 00000 n 
 0000153624 00000 n 
 0000153474 00000 n 
@@ -14316,7 +14315,7 @@ xref
 0000173540 00000 n 
 0000173605 00000 n 
 0000173731 00000 n 
-0000785303 00000 n 
+0000785294 00000 n 
 0000179107 00000 n 
 0000178319 00000 n 
 0000173908 00000 n 
@@ -14324,7 +14323,7 @@ xref
 0000178475 00000 n 
 0000178626 00000 n 
 0000179043 00000 n 
-0000577475 00000 n 
+0000577467 00000 n 
 0000182969 00000 n 
 0000181698 00000 n 
 0000179245 00000 n 
@@ -14358,7 +14357,7 @@ xref
 0000197424 00000 n 
 0000194172 00000 n 
 0000197550 00000 n 
-0000785428 00000 n 
+0000785419 00000 n 
 0000201192 00000 n 
 0000200742 00000 n 
 0000197727 00000 n 
@@ -14393,7 +14392,7 @@ xref
 0000212504 00000 n 
 0000210031 00000 n 
 0000212630 00000 n 
-0000785553 00000 n 
+0000785544 00000 n 
 0000217041 00000 n 
 0000216850 00000 n 
 0000212949 00000 n 
@@ -14409,9 +14408,9 @@ xref
 0000225390 00000 n 
 0000221700 00000 n 
 0000225690 00000 n 
-0000598493 00000 n 
-0000596496 00000 n 
-0000598328 00000 n 
+0000598486 00000 n 
+0000596488 00000 n 
+0000598321 00000 n 
 0000225537 00000 n 
 0000229789 00000 n 
 0000229469 00000 n 
@@ -14434,7 +14433,7 @@ xref
 0000239155 00000 n 
 0000235092 00000 n 
 0000239281 00000 n 
-0000785678 00000 n 
+0000785669 00000 n 
 0000243260 00000 n 
 0000243069 00000 n 
 0000239484 00000 n 
@@ -14470,7 +14469,7 @@ xref
 0000261379 00000 n 
 0000258832 00000 n 
 0000261505 00000 n 
-0000785803 00000 n 
+0000785794 00000 n 
 0000265700 00000 n 
 0000265509 00000 n 
 0000261868 00000 n 
@@ -14509,7 +14508,7 @@ xref
 0000284287 00000 n 
 0000284650 00000 n 
 0000284715 00000 n 
-0000785928 00000 n 
+0000785919 00000 n 
 0000287899 00000 n 
 0000287580 00000 n 
 0000284905 00000 n 
@@ -14545,7 +14544,7 @@ xref
 0000307755 00000 n 
 0000307605 00000 n 
 0000307884 00000 n 
-0000786053 00000 n 
+0000786044 00000 n 
 0000311935 00000 n 
 0000311616 00000 n 
 0000308075 00000 n 
@@ -14580,7 +14579,7 @@ xref
 0000328325 00000 n 
 0000327129 00000 n 
 0000328451 00000 n 
-0000786178 00000 n 
+0000786169 00000 n 
 0000329987 00000 n 
 0000329796 00000 n 
 0000328615 00000 n 
@@ -14599,7 +14598,7 @@ xref
 0000336807 00000 n 
 0000336640 00000 n 
 0000336936 00000 n 
-0000577442 00000 n 
+0000577434 00000 n 
 0000342918 00000 n 
 0000340011 00000 n 
 0000337113 00000 n 
@@ -14655,9 +14654,9 @@ xref
 0000353849 00000 n 
 0000354014 00000 n 
 0000354180 00000 n 
-0000786303 00000 n 
-0000490885 00000 n 
-0000503722 00000 n 
+0000786294 00000 n 
+0000490881 00000 n 
+0000503717 00000 n 
 0000358900 00000 n 
 0000358105 00000 n 
 0000354518 00000 n 
@@ -14707,7 +14706,7 @@ xref
 0000377723 00000 n 
 0000377788 00000 n 
 0000377853 00000 n 
-0000786428 00000 n 
+0000786419 00000 n 
 0000381753 00000 n 
 0000380918 00000 n 
 0000378043 00000 n 
@@ -14755,8 +14754,8 @@ xref
 0000399253 00000 n 
 0000399316 00000 n 
 0000399379 00000 n 
-0000786553 00000 n 
-0000577409 00000 n 
+0000786544 00000 n 
+0000577401 00000 n 
 0000403164 00000 n 
 0000402715 00000 n 
 0000399556 00000 n 
@@ -14771,9 +14770,9 @@ xref
 0000405987 00000 n 
 0000406052 00000 n 
 0000406116 00000 n 
-0000596215 00000 n 
-0000588931 00000 n 
-0000596035 00000 n 
+0000596207 00000 n 
+0000588923 00000 n 
+0000596027 00000 n 
 0000406245 00000 n 
 0000406791 00000 n 
 0000406600 00000 n 
@@ -14789,9 +14788,9 @@ xref
 0000412078 00000 n 
 0000408713 00000 n 
 0000412441 00000 n 
-0000588610 00000 n 
-0000579397 00000 n 
-0000588424 00000 n 
+0000588602 00000 n 
+0000579389 00000 n 
+0000588416 00000 n 
 0000412225 00000 n 
 0000412570 00000 n 
 0000412698 00000 n 
@@ -14800,7 +14799,7 @@ xref
 0000414186 00000 n 
 0000413258 00000 n 
 0000414312 00000 n 
-0000786678 00000 n 
+0000786669 00000 n 
 0000414817 00000 n 
 0000414626 00000 n 
 0000414476 00000 n 
@@ -14896,7 +14895,7 @@ xref
 0000432719 00000 n 
 0000432784 00000 n 
 0000432848 00000 n 
-0000786803 00000 n 
+0000786794 00000 n 
 0000439558 00000 n 
 0000435994 00000 n 
 0000433024 00000 n 
@@ -15061,7 +15060,7 @@ xref
 0000457595 00000 n 
 0000460913 00000 n 
 0000460978 00000 n 
-0000786928 00000 n 
+0000786919 00000 n 
 0000464290 00000 n 
 0000464099 00000 n 
 0000461181 00000 n 
@@ -15108,7 +15107,7 @@ xref
 0000481238 00000 n 
 0000481303 00000 n 
 0000481368 00000 n 
-0000787053 00000 n 
+0000787044 00000 n 
 0000484847 00000 n 
 0000484267 00000 n 
 0000481584 00000 n 
@@ -15118,266 +15117,266 @@ xref
 0000484652 00000 n 
 0000484717 00000 n 
 0000484782 00000 n 
-0000488150 00000 n 
-0000487894 00000 n 
+0000488146 00000 n 
+0000487890 00000 n 
 0000484987 00000 n 
-0000488020 00000 n 
-0000488085 00000 n 
-0000491145 00000 n 
-0000490435 00000 n 
-0000488276 00000 n 
-0000490561 00000 n 
-0000490626 00000 n 
-0000490691 00000 n 
-0000490756 00000 n 
-0000490950 00000 n 
-0000491015 00000 n 
-0000491080 00000 n 
-0000494667 00000 n 
-0000494411 00000 n 
-0000491297 00000 n 
-0000494537 00000 n 
-0000494602 00000 n 
-0000498258 00000 n 
-0000498002 00000 n 
-0000494793 00000 n 
-0000498128 00000 n 
-0000498193 00000 n 
-0000501279 00000 n 
-0000500636 00000 n 
-0000498384 00000 n 
-0000500762 00000 n 
-0000500827 00000 n 
-0000500892 00000 n 
-0000500957 00000 n 
-0000501022 00000 n 
-0000501150 00000 n 
-0000501215 00000 n 
-0000787178 00000 n 
-0000503916 00000 n 
-0000503142 00000 n 
-0000501444 00000 n 
-0000503268 00000 n 
-0000503333 00000 n 
-0000503398 00000 n 
-0000503463 00000 n 
-0000503528 00000 n 
-0000503593 00000 n 
-0000503787 00000 n 
-0000503851 00000 n 
-0000507395 00000 n 
-0000507009 00000 n 
-0000504069 00000 n 
-0000507135 00000 n 
-0000507200 00000 n 
-0000507265 00000 n 
-0000507330 00000 n 
-0000510636 00000 n 
-0000509861 00000 n 
-0000507521 00000 n 
-0000509987 00000 n 
-0000510052 00000 n 
-0000510117 00000 n 
-0000510182 00000 n 
-0000510311 00000 n 
-0000510376 00000 n 
-0000510441 00000 n 
-0000510506 00000 n 
-0000510571 00000 n 
-0000514529 00000 n 
-0000514338 00000 n 
-0000510789 00000 n 
-0000514464 00000 n 
-0000517963 00000 n 
-0000517772 00000 n 
-0000514655 00000 n 
-0000517898 00000 n 
-0000521590 00000 n 
-0000521334 00000 n 
-0000518089 00000 n 
-0000521460 00000 n 
-0000521525 00000 n 
-0000787303 00000 n 
-0000524058 00000 n 
-0000523350 00000 n 
-0000521743 00000 n 
-0000523476 00000 n 
-0000523541 00000 n 
-0000523606 00000 n 
-0000523733 00000 n 
-0000523798 00000 n 
-0000523863 00000 n 
-0000523928 00000 n 
-0000523993 00000 n 
-0000526952 00000 n 
-0000526243 00000 n 
-0000524211 00000 n 
-0000526369 00000 n 
-0000526434 00000 n 
-0000526499 00000 n 
-0000526564 00000 n 
-0000526693 00000 n 
-0000526758 00000 n 
-0000526822 00000 n 
-0000526887 00000 n 
-0000530124 00000 n 
-0000529868 00000 n 
-0000527091 00000 n 
-0000529994 00000 n 
-0000530059 00000 n 
-0000532999 00000 n 
-0000532420 00000 n 
-0000530250 00000 n 
-0000532546 00000 n 
-0000532611 00000 n 
-0000532676 00000 n 
-0000532741 00000 n 
-0000532870 00000 n 
-0000532935 00000 n 
-0000536419 00000 n 
-0000536033 00000 n 
-0000533138 00000 n 
-0000536159 00000 n 
-0000536224 00000 n 
-0000536289 00000 n 
-0000536354 00000 n 
-0000539515 00000 n 
-0000539324 00000 n 
-0000536559 00000 n 
-0000539450 00000 n 
-0000787428 00000 n 
-0000542323 00000 n 
-0000541616 00000 n 
-0000539726 00000 n 
-0000541742 00000 n 
-0000541807 00000 n 
-0000541871 00000 n 
-0000541936 00000 n 
-0000542001 00000 n 
-0000542066 00000 n 
-0000542195 00000 n 
-0000542259 00000 n 
-0000546869 00000 n 
-0000546548 00000 n 
-0000542504 00000 n 
-0000546674 00000 n 
-0000546739 00000 n 
-0000546804 00000 n 
-0000550610 00000 n 
-0000550354 00000 n 
-0000546995 00000 n 
-0000550480 00000 n 
-0000550545 00000 n 
-0000553789 00000 n 
-0000553533 00000 n 
-0000550736 00000 n 
-0000553659 00000 n 
-0000553724 00000 n 
-0000556486 00000 n 
-0000555845 00000 n 
-0000553915 00000 n 
-0000555971 00000 n 
-0000556036 00000 n 
-0000556101 00000 n 
-0000556164 00000 n 
-0000556293 00000 n 
-0000556358 00000 n 
-0000556422 00000 n 
-0000560268 00000 n 
-0000559883 00000 n 
-0000556651 00000 n 
-0000560009 00000 n 
-0000560074 00000 n 
-0000560138 00000 n 
-0000560203 00000 n 
-0000787553 00000 n 
-0000563859 00000 n 
-0000563214 00000 n 
-0000560408 00000 n 
-0000563340 00000 n 
-0000563405 00000 n 
-0000563470 00000 n 
-0000563599 00000 n 
-0000563664 00000 n 
-0000563729 00000 n 
-0000563794 00000 n 
-0000566130 00000 n 
-0000565874 00000 n 
-0000564011 00000 n 
-0000566000 00000 n 
-0000566065 00000 n 
-0000569611 00000 n 
-0000568837 00000 n 
-0000566269 00000 n 
-0000568963 00000 n 
-0000569028 00000 n 
-0000569093 00000 n 
-0000569158 00000 n 
-0000569286 00000 n 
-0000569351 00000 n 
-0000569416 00000 n 
-0000569481 00000 n 
-0000569546 00000 n 
-0000572683 00000 n 
-0000572104 00000 n 
-0000569764 00000 n 
-0000572230 00000 n 
-0000572295 00000 n 
-0000572360 00000 n 
-0000572425 00000 n 
-0000572554 00000 n 
-0000572619 00000 n 
-0000576505 00000 n 
-0000576057 00000 n 
-0000572835 00000 n 
-0000576183 00000 n 
-0000576248 00000 n 
-0000576313 00000 n 
-0000576378 00000 n 
-0000576442 00000 n 
-0000577310 00000 n 
-0000577054 00000 n 
-0000576658 00000 n 
-0000577180 00000 n 
-0000577245 00000 n 
-0000787678 00000 n 
-0000577508 00000 n 
-0000588852 00000 n 
-0000596441 00000 n 
-0000598740 00000 n 
-0000598709 00000 n 
-0000602427 00000 n 
-0000611867 00000 n 
-0000622374 00000 n 
-0000634116 00000 n 
-0000646833 00000 n 
-0000665900 00000 n 
-0000686787 00000 n 
-0000708930 00000 n 
-0000726825 00000 n 
-0000729655 00000 n 
-0000729425 00000 n 
-0000756962 00000 n 
-0000784073 00000 n 
-0000787758 00000 n 
-0000787882 00000 n 
-0000788008 00000 n 
-0000788134 00000 n 
-0000788260 00000 n 
-0000788349 00000 n 
-0000788450 00000 n 
-0000805623 00000 n 
-0000826025 00000 n 
-0000826066 00000 n 
-0000826106 00000 n 
-0000826240 00000 n 
+0000488016 00000 n 
+0000488081 00000 n 
+0000491141 00000 n 
+0000490431 00000 n 
+0000488272 00000 n 
+0000490557 00000 n 
+0000490622 00000 n 
+0000490687 00000 n 
+0000490752 00000 n 
+0000490946 00000 n 
+0000491011 00000 n 
+0000491076 00000 n 
+0000494663 00000 n 
+0000494407 00000 n 
+0000491293 00000 n 
+0000494533 00000 n 
+0000494598 00000 n 
+0000498253 00000 n 
+0000497997 00000 n 
+0000494789 00000 n 
+0000498123 00000 n 
+0000498188 00000 n 
+0000501274 00000 n 
+0000500631 00000 n 
+0000498379 00000 n 
+0000500757 00000 n 
+0000500822 00000 n 
+0000500887 00000 n 
+0000500952 00000 n 
+0000501017 00000 n 
+0000501145 00000 n 
+0000501210 00000 n 
+0000787169 00000 n 
+0000503911 00000 n 
+0000503137 00000 n 
+0000501439 00000 n 
+0000503263 00000 n 
+0000503328 00000 n 
+0000503393 00000 n 
+0000503458 00000 n 
+0000503523 00000 n 
+0000503588 00000 n 
+0000503782 00000 n 
+0000503846 00000 n 
+0000507387 00000 n 
+0000507001 00000 n 
+0000504064 00000 n 
+0000507127 00000 n 
+0000507192 00000 n 
+0000507257 00000 n 
+0000507322 00000 n 
+0000510628 00000 n 
+0000509853 00000 n 
+0000507513 00000 n 
+0000509979 00000 n 
+0000510044 00000 n 
+0000510109 00000 n 
+0000510174 00000 n 
+0000510303 00000 n 
+0000510368 00000 n 
+0000510433 00000 n 
+0000510498 00000 n 
+0000510563 00000 n 
+0000514521 00000 n 
+0000514330 00000 n 
+0000510781 00000 n 
+0000514456 00000 n 
+0000517955 00000 n 
+0000517764 00000 n 
+0000514647 00000 n 
+0000517890 00000 n 
+0000521582 00000 n 
+0000521326 00000 n 
+0000518081 00000 n 
+0000521452 00000 n 
+0000521517 00000 n 
+0000787294 00000 n 
+0000524050 00000 n 
+0000523342 00000 n 
+0000521735 00000 n 
+0000523468 00000 n 
+0000523533 00000 n 
+0000523598 00000 n 
+0000523725 00000 n 
+0000523790 00000 n 
+0000523855 00000 n 
+0000523920 00000 n 
+0000523985 00000 n 
+0000526944 00000 n 
+0000526235 00000 n 
+0000524203 00000 n 
+0000526361 00000 n 
+0000526426 00000 n 
+0000526491 00000 n 
+0000526556 00000 n 
+0000526685 00000 n 
+0000526750 00000 n 
+0000526814 00000 n 
+0000526879 00000 n 
+0000530116 00000 n 
+0000529860 00000 n 
+0000527083 00000 n 
+0000529986 00000 n 
+0000530051 00000 n 
+0000532991 00000 n 
+0000532412 00000 n 
+0000530242 00000 n 
+0000532538 00000 n 
+0000532603 00000 n 
+0000532668 00000 n 
+0000532733 00000 n 
+0000532862 00000 n 
+0000532927 00000 n 
+0000536411 00000 n 
+0000536025 00000 n 
+0000533130 00000 n 
+0000536151 00000 n 
+0000536216 00000 n 
+0000536281 00000 n 
+0000536346 00000 n 
+0000539507 00000 n 
+0000539316 00000 n 
+0000536551 00000 n 
+0000539442 00000 n 
+0000787419 00000 n 
+0000542315 00000 n 
+0000541608 00000 n 
+0000539718 00000 n 
+0000541734 00000 n 
+0000541799 00000 n 
+0000541863 00000 n 
+0000541928 00000 n 
+0000541993 00000 n 
+0000542058 00000 n 
+0000542187 00000 n 
+0000542251 00000 n 
+0000546861 00000 n 
+0000546540 00000 n 
+0000542496 00000 n 
+0000546666 00000 n 
+0000546731 00000 n 
+0000546796 00000 n 
+0000550602 00000 n 
+0000550346 00000 n 
+0000546987 00000 n 
+0000550472 00000 n 
+0000550537 00000 n 
+0000553781 00000 n 
+0000553525 00000 n 
+0000550728 00000 n 
+0000553651 00000 n 
+0000553716 00000 n 
+0000556478 00000 n 
+0000555837 00000 n 
+0000553907 00000 n 
+0000555963 00000 n 
+0000556028 00000 n 
+0000556093 00000 n 
+0000556156 00000 n 
+0000556285 00000 n 
+0000556350 00000 n 
+0000556414 00000 n 
+0000560260 00000 n 
+0000559875 00000 n 
+0000556643 00000 n 
+0000560001 00000 n 
+0000560066 00000 n 
+0000560130 00000 n 
+0000560195 00000 n 
+0000787544 00000 n 
+0000563851 00000 n 
+0000563206 00000 n 
+0000560400 00000 n 
+0000563332 00000 n 
+0000563397 00000 n 
+0000563462 00000 n 
+0000563591 00000 n 
+0000563656 00000 n 
+0000563721 00000 n 
+0000563786 00000 n 
+0000566122 00000 n 
+0000565866 00000 n 
+0000564003 00000 n 
+0000565992 00000 n 
+0000566057 00000 n 
+0000569603 00000 n 
+0000568829 00000 n 
+0000566261 00000 n 
+0000568955 00000 n 
+0000569020 00000 n 
+0000569085 00000 n 
+0000569150 00000 n 
+0000569278 00000 n 
+0000569343 00000 n 
+0000569408 00000 n 
+0000569473 00000 n 
+0000569538 00000 n 
+0000572675 00000 n 
+0000572096 00000 n 
+0000569756 00000 n 
+0000572222 00000 n 
+0000572287 00000 n 
+0000572352 00000 n 
+0000572417 00000 n 
+0000572546 00000 n 
+0000572611 00000 n 
+0000576497 00000 n 
+0000576049 00000 n 
+0000572827 00000 n 
+0000576175 00000 n 
+0000576240 00000 n 
+0000576305 00000 n 
+0000576370 00000 n 
+0000576434 00000 n 
+0000577302 00000 n 
+0000577046 00000 n 
+0000576650 00000 n 
+0000577172 00000 n 
+0000577237 00000 n 
+0000787669 00000 n 
+0000577500 00000 n 
+0000588844 00000 n 
+0000596433 00000 n 
+0000598733 00000 n 
+0000598702 00000 n 
+0000602419 00000 n 
+0000611859 00000 n 
+0000622366 00000 n 
+0000634107 00000 n 
+0000646824 00000 n 
+0000665891 00000 n 
+0000686778 00000 n 
+0000708921 00000 n 
+0000726816 00000 n 
+0000729646 00000 n 
+0000729416 00000 n 
+0000756953 00000 n 
+0000784064 00000 n 
+0000787749 00000 n 
+0000787873 00000 n 
+0000787999 00000 n 
+0000788125 00000 n 
+0000788251 00000 n 
+0000788340 00000 n 
+0000788441 00000 n 
+0000805614 00000 n 
+0000826016 00000 n 
+0000826057 00000 n 
+0000826097 00000 n 
+0000826231 00000 n 
 trailer
 <<
 /Size 2296
 /Root 2294 0 R
 /Info 2295 0 R
-/ID [ ]
+/ID [<08FCAC3F5083F8D34C4A12BB3B9659DA> <08FCAC3F5083F8D34C4A12BB3B9659DA>]
 >>
 startxref
-826498
+826489
 %%EOF

From 9ac35b4e4d9b3b7354f451cdd5ce77d445f417a0 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 19 Oct 2009 02:37:08 +0000
Subject: [PATCH 329/385] grammar, line length

---
 lib/isc/include/isc/entropy.h | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 13ec0e703e..d28f29a56e 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.34 2009/01/17 23:47:43 tbox Exp $ */
+/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
@@ -182,8 +182,8 @@ isc_result_t
 isc_entropy_createsamplesource(isc_entropy_t *ent,
 			       isc_entropysource_t **sourcep);
 /*!<
- * \brief Create an entropy source that consists of samples.  Each sample is added
- * to the source via isc_entropy_addsamples(), below.
+ * \brief Create an entropy source that consists of samples.  Each sample is
+ * added to the source via isc_entropy_addsamples(), below.
  */
 
 isc_result_t
@@ -254,11 +254,11 @@ void
 isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
 		    isc_uint32_t entropy);
 /*!<
- * \brief Add "length" bytes in "data" to the entropy pool, incrementing the pool's
- * entropy count by "entropy."
+ * \brief Add "length" bytes in "data" to the entropy pool, incrementing the
+ * pool's entropy count by "entropy."
  *
- * These bytes will prime the pseudorandom portion even no entropy is actually
- * added.
+ * These bytes will prime the pseudorandom portion even if no entropy is
+ * actually added.
  */
 
 void

From 84dd224e468343124737032a582c7e966f13e3e3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 19 Oct 2009 04:56:27 +0000
Subject: [PATCH 330/385] new draft

---
 .../draft-ietf-dnsext-dnssec-gost-01.txt      | 435 ++++++++++++++++++
 1 file changed, 435 insertions(+)
 create mode 100644 doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt

diff --git a/doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt
new file mode 100644
index 0000000000..c7ffbce49c
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-gost-01.txt
@@ -0,0 +1,435 @@
+DNS Extensions working group                             V.Dolmatov, Ed.  
+Internet-Draft                                            Cryptocom Ltd.    
+Intended status: Standards Track                        October 18, 2009
+Expires: April 18, 2010                                 
+
+
+ Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
+                               for DNSSEC
+                 draft-ietf-dnsext-dnssec-gost-01
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on April 18 2010.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document describes how to produce GOST signature and hash 
+   algorithms    DNSKEY and RRSIG resource records for use in the Domain
+   Name System Security Extensions (DNSSEC, RFC 4033, RFC 4034, 
+   and RFC 4035).
+
+V.Dolmatov              Expires April 18, 2010               [Page 1]
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
+   2.  DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3
+     2.1.  Using a public key with existing cryptographic libraries. . 3
+     2.2.  GOST DNSKEY RR Example  . . . . . . . . . . . . . . . . . . 3
+   3.  RRSIG Resource Records  . . . . . . . . . . . . . . . . . . . . 4
+     3.1 RRSIG RR Example  . . . . . . . . . . . . . . . . . . . . . . 4
+   4.  DS Resource Records . . . . . . . . . . . . . . . . . . . . . . 4
+     4.1 DS RR Example . . . . . . . . . . . . . . . . . . . . . . . . 5
+   5.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 5
+     5.1.  Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5
+     5.2.  Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 5
+     5.3.  Digest Sizes  . . . . . . . . . . . . . . . . . . . . . . . 5
+   6.  Implementation Considerations . . . . . . . . . . . . . . . . . 5
+     6.1.  Support for GOST signatures . . . . . . . . . . . . . . . . 5
+     6.2.  Support for NSEC3 Denial of Existence . . . . . . . . . . . 5
+     6.3.  Byte order  . . . . . . . . . . . . . . . . . . . . . . . . 5
+   7. Security consideration . . . . . . . . . . . . . . . . . . . . . 5
+   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
+   10.  References   . . . . . . . . . . . . . . . . . . . . . . . . . 6
+     10.1.  Normative References . . . . . . . . . . . . . . . . . . . 6
+     10.2.  Informative References . . . . . . . . . . . . . . . . . . 7
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 8
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical distributed
+   database for Internet Naming.  The DNS has been extended to use
+   cryptographic keys and digital signatures for the verification of the
+   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
+   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
+   Extensions, called DNSSEC.
+
+   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
+   and specifies a list of cryptographic algorithms to use.  This
+   document extends that list with the signature and hash algorithms 
+   GOST [GOST3410, GOST3411],
+   and specifies how to store DNSKEY data and how to produce
+   RRSIG resource records with these hash algorithms.
+
+   Familiarity with DNSSEC  and GOST signature and hash
+   algorithms is assumed in this document.
+
+   The term "GOST" is not officially defined, but is usually used to
+   refer to the collection of the Russian cryptographic algorithms
+   GOST R 34.10-2001, GOST R 34.11-94, GOST 28147-89. 
+   Since GOST 28147-89 is not used in DNSSEC, "GOST" will only refer to
+   the GOST R 34.10-2001 and GOST R 34.11-94 in this document.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+V.Dolmatov              Expires April 18, 2010                [Page 2]
+
+2.  DNSKEY Resource Records
+
+   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].
+
+   GOST R 34.10-2001 public keys are stored with the algorithm number 
+   {TBA1}.
+      
+   The wire format of the public key is compatible with 
+   RFC 4491 [RFC4491]:
+
+   According to [GOSTR341001], a public key is a point on the elliptic
+   curve Q = (x,y).
+
+   The wire representation of a public key MUST contain 66 octets, 
+   where the first octet designates public key parameters, the second
+   octet designates digest parameters next 32 octets contain the 
+   little-endian representation of x and the second 32 octets contain
+   the little-endian representation of y. 
+   This corresponds to the binary representation of (256||256) 
+   from [GOSTR341001], ch.  5.3.
+
+   The only valid value for both parameters octets is 0.
+   Other parameters octets values are reserved for future use.
+   
+   Corresponding public key parameters are those identified by
+   id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357],
+   and the digest parameters are those identified by
+   id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357].
+
+2.1.  Using a public key with existing cryptographic libraries
+
+   Existing GOST-aware cryptographic libraries at the time of this 
+   document writing are capable to read GOST public keys via a generic
+   X509 API if the key is encoded according to RFC 4491 [RFC4491],
+   section 2.3.2.
+
+   To make this encoding from the wire format of a GOST public key 
+   with the parameters used in this document, prepend last 64 octets
+   of key data (in other words, substitute first two parameter octets)
+   with the following 37-byte sequence:
+
+   0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30 
+   0x12 0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a
+   0x85 0x03 0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40
+  
+2.2.  GOST DNSKEY RR Example
+
+   Given a private key with the following value:
+
+   Private-key-format: v1.2
+   Algorithm: {TBA1} (GOST)
+   GostAsn1: MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEE
+             IgQgAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+   (corresponding to private key value 1)
+
+V.Dolmatov              Expires April 18, 2010                [Page 3]
+
+   The following DNSKEY RR stores a DNS zone key for example.net
+ 
+  example.net. 86400 IN DNSKEY 256 3 {TBA1} ( AAABAAAAAAAAAAAAAAAAAAAA
+                                              AAAAAAAAAAAAAAAAAAAAABQe
+                                              n56cyawiseMj3y1PKTV2Kz9F
+                                              WlDfJ9qcmOBx5JGN )
+
+3.  RRSIG Resource Records
+
+   The value of the signature field in the RRSIG RR follows RFC 4490
+   [RFC4490] and is calculated as follows.  The values for the RDATA 
+   fields that precede the signature data are specified 
+   in RFC 4034 [RFC4034].
+
+   hash = GOSTR3411(data)
+
+   where "data" is the wire format data of the resource record set 
+   that is signed, as specified in RFC 4034 [RFC4034].
+   
+   Hash MUST be calculated with GOST R 34.11-94 parameters identified
+   by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+   Signature is calculated from the hash according to the 
+   GOST R 34.10-2001 standard and its wire format is compatible with 
+   RFC 4490 [RFC4490].
+
+   Quoting RFC 4490:
+
+   "The signature algorithm GOST R 34.10-2001 generates a digital
+   signature in the form of two 256-bit numbers, r and s.  Its octet
+   string representation consists of 64 octets, where the first 32
+   octets contain the big-endian representation of s and the second 32
+   octets contain the big-endian representation of r."
+
+3.1. RRSIG RR Example
+
+   With the private key from section 2.2 sign the following RRSet, 
+   consisting of one A record:
+
+   www.example.net. 3600 IN A 192.0.32.10
+
+   Setting the inception date to 2000-01-01 00:00:00 UTC and the 
+   expiration date to 2030-01-01 00:00:00 UTC, the following signature
+   should be created (assuming {TBA1}==249 until proped code is 
+   assigned by IANA)
+
+   www.example.net. 3600 IN RRSIG ( A {TBA1} 3 3600
+                    20300101000000 20000101000000 9033 example.net.
+                    96ObOt5gR6Xln8g42w70OZvi6BZoQvLIhrN9F+VBc29mp+ap
+                    DQov1re0hApGenYDd2zLaHecw4H2vnPj0NhhxA== )
+
+4.  DS Resource Records
+
+   GOST R 34.11-94 digest algorithm is denoted in DS RRs by the digest
+   type {TBA2}.  The wire format of a digest value is compatible with 
+   RFC 4490 [RFC4490]. 
+
+V.Dolmatov              Expires April 18, 2010                [Page 4]
+
+   Quoting RFC 4490: 
+   
+   "A 32-byte digest in little-endian representation."
+
+   The digest MUST always be calculated with GOST R 34.11-94 parameters
+   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+4.1. DS RR Example
+
+   example.net. 3600 IN DS 9033 {TBA1} {TBA2} ( Su0ToNow7Lwex+wqac+cTQ
+                                                djJ733qubhan+KqUrselc= )
+ 
+5.  Deployment Considerations
+
+5.1.  Key Sizes
+
+   According to RFC4357 [RFC4357], the key size of GOST public keys
+   MUST be 512 bits.
+
+5.2.  Signature Sizes
+
+   According to the GOST signature algorithm specification [GOST3410],
+   the size of a GOST signature is 512 bits.
+
+5.3.  Digest Sizes
+
+   According to the GOST R 34.11-94 [GOST3411], the size of a GOST digest
+   is 256 bits.
+
+6.  Implementation Considerations
+
+6.1.  Support for GOST signatures
+
+   DNSSEC aware implementations SHOULD be able to support RRSIG and
+   DNSKEY resource records created with the GOST algorithms as
+   defined in this document.
+
+6.2.  Support for NSEC3 Denial of Existence
+
+    Any DNSSEC-GOST implementation is required to have either NSEC or
+    NSEC3 support.
+
+6.3  Byte order
+
+    Due to the fact that all existing industry implementations of GOST
+    cryptographic libraries are returning GOST blobs in little-endian 
+    format and in order to avoid the necessity for DNSSEC developers 
+    to hanlde different cryptographic algorithms differently, it was
+    chosen to send these blobs on the wire "as is" without 
+    transformation of endianness.
+
+7.  Security considerations
+
+    Currently, the cryptographic resistance of the GOST 34.10-2001 
+    digital signature algorithm is estimated as 2**128 operations
+    of multiple elliptic curve point computations on prime modulus
+    2**256.
+
+V.Dolmatov              Expires April 18, 2010                [Page 5]
+
+    Currently, the cryptographic resistance of GOST 34.11-94 hash
+    algorithm is estimated as 2**128 operations of computations of a
+    step hash function. (There is known method to reduce this 
+    estimate to 2**105 operations, but it demands padding the 
+    colliding message with 1024 random bit blocks each of 256 bit
+    length, thus it cannot be used in any practical implementation).
+
+8.  IANA Considerations
+
+   This document updates the IANA registry "DNS SECURITY ALGORITHM
+   NUMBERS -- per [RFC4035] "
+   (http://www.iana.org/assignments/dns-sec-alg-numbers).  The 
+   following entries are added to the registry:
+                                        Zone     Trans.
+   Value   Algorithm          Mnemonic  Signing  Sec.   References   Status
+   {TBA1}  GOST R 34.10-2001  GOST      Y        *      (this memo)  OPTIONAL
+
+   This document updates the RFC 4034 [RFC4034] Digest Types assignment
+   (RFC 4034, section A.2):
+
+   Value   Algorithm        Status
+   {TBA2}  GOST R 34.11-94  OPTIONAL
+
+9. Acknowledgments
+
+   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
+   tried to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509],
+   and RFC 4357 [RFC4357] for consistency. The authors of and 
+   contributors to these documents are gratefully acknowledged for 
+   their hard work.
+
+   The following people provided additional feedback and text: Dmitry 
+   Burkov, Jaap Akkerhuis, Olafur Gundmundsson,Jelte Jansen 
+   and Wouter Wijngaards.
+
+
+10.  References
+
+10.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, March 1997.
+
+   [RFC3110]  Eastlake D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
+              Name System (DNS)", RFC 3110, May 2001.
+
+   [RFC4033]  Arends R., Austein R., Larson M., Massey D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends R., Austein R., Larson M., Massey D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+V.Dolmatov              Expires April 18, 2010                [Page 6]
+
+   [RFC4035]  Arends R., Austein R., Larson M., Massey D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [GOST3410] "Information technology.  Cryptographic data security.
+              Signature and verification processes of [electronic]
+              digital signature.", GOST R 34.10-2001, Gosudarstvennyi
+              Standard of Russian Federation, Government Committee of
+              the Russia for Standards, 2001.  (In Russian)
+
+   [GOST3411] "Information technology.  Cryptographic Data Security.
+              Hashing function.", GOST R 34.11-94, Gosudarstvennyi
+              Standard of Russian Federation, Government Committee of
+              the Russia for Standards, 1994.  (In Russian)
+
+   [RFC4357] Popov V., Kurepkin I., and S. Leontiev, "Additional
+             Cryptographic Algorithms for Use with GOST 28147-89,
+             GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+             Algorithms", RFC 4357, January 2006.
+
+   [RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89, 
+	     GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 
+             Algorithms with Cryptographic Message Syntax (CMS)",
+             RFC 4490, May 2006.
+
+   [RFC4491] S. Leontiev and D. Shefanovski, "Using the GOST 
+             R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 
+             Algorithms with the Internet X.509 Public Key 
+             Infrastructure Certificate and CRL Profile", RFC 4491,
+             May 2006. 
+
+
+
+10.2.  Informative References
+
+   [NIST800-57]
+              Barker E., Barker W., Burr W., Polk W., and M. Smid,
+              "Recommendations for Key Management", NIST SP 800-57,
+              March 2007.
+
+   [RFC3447]  Jonsson J. and B. Kaliski, "Public-Key Cryptography
+              Standards (PKCS) #1: RSA Cryptography Specifications
+              Version 2.1", RFC 3447, February 2003.
+
+   [RFC4509]  Hardaker W., "Use of SHA-256 in DNSSEC Delegation Signer
+              (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
+   [DRAFT1]   Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
+              "GOST R 34.10-2001 digital signature algorithm"
+              draft-dolmatov-cryptocom-gost3410-2001-05,
+              work in progress
+V.Dolmatov              Expires April 18, 2010               [Page 7]
+
+   [DRAFT2]   Dolmatov V., Kabelev D., Ustinov I., Vyshensky S.,
+              "GOST R 34.11-94 Hash function algorithm"
+              draft-dolmatov-cryptocom-gost341194-03, work in progress
+
+   [DRAFT3]   Dolmatov V., Kabelev D., Ustinov I., Emelyanova I.,
+              "GOST 28147-89 encryption, decryption and MAC algorithms"
+              draft-dolmatov-cryptocom-gost2814789-03, work in progress
+
+Authors' Addresses
+
+
+Vasily Dolmatov, Ed.
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: dol@cryptocom.ru
+
+Artem Chuprina
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: ran@cryptocom.ru
+
+Igor Ustinov
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: igus@cryptocom.ru
+
+V.Dolmatov              Expires April 18, 2010                [Page 8]
+
+

From a17270b2a6af9fbe2021dab146b7b78cd108d167 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 19 Oct 2009 18:36:37 +0000
Subject: [PATCH 331/385] fix typo

---
 NSEC3-NOTES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NSEC3-NOTES b/NSEC3-NOTES
index e35ff4a5d7..73a8cca4e4 100644
--- a/NSEC3-NOTES
+++ b/NSEC3-NOTES
@@ -63,7 +63,7 @@ to perform based on the flag bits.
 	0x20 NONSEC
 
 If you wish to go straight to a secure zone using NSEC3 you should
-also add a NSECPARAM record to the update request with the flags
+also add a NSEC3PARAM record to the update request with the flags
 field set to indicate whether the NSEC3 chain will have the OPTOUT
 bit set or not.
 

From 2623503170eec371ca4fa44e7d9f7381be5c4a27 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 19 Oct 2009 19:21:07 +0000
Subject: [PATCH 332/385] added some clarifications, per rt20407

---
 README.pkcs11 | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/README.pkcs11 b/README.pkcs11
index 4abb34ee0a..b203a45a81 100644
--- a/README.pkcs11
+++ b/README.pkcs11
@@ -9,7 +9,7 @@ and other cryptographic support devices.
 
 BIND 9 is known to work with two HSMs:  The Sun SCA 6000 cryptographic
 acceration board, tested under Solaris x86, and the AEP Keyper
-network-attached key storage device, tested with a Debian Linux system,
+network-attached key storage device, tested with Debian Linux,
 Solaris x86 and Windows Server 2003.
 
 PREREQUISITES
@@ -203,8 +203,9 @@ for use by PKCS #11 provider library.  If the machine file is in
     export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider
 
 These environment variables must be set whenever running any tool
-which uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy,
-dnssec-keyfromlabel, dnssec-signzone, and named.
+that uses the HSM, including pkcs11-keygen, pkcs11-list, pkcs11-destroy,
+dnssec-keyfromlabel, dnssec-signzone, dnssec-keygen (which will use
+the HSM for random number generation), and named.
 
 We can now create and use keys in the HSM.  In this case, we will
 create a 2048 bit key and give it the label "sample-ksk":
@@ -299,6 +300,10 @@ Sample openssl.cnf:
         [ pkcs11_section ]
         PIN = 
 
+This will also allow the dnssec-* tools to access the HSM without
+PIN entry.  (The pkcs11-* tools access the HSM directly, not via
+OpenSSL, so a PIN will still be required to use them.)
+
 PLEASE NOTE:  Placing the HSM's PIN in a text file in this manner
 may reduce the security advantage of using an HSM.  Be sure this
 is what you want to do before configuring BIND 9 in this way.

From 13174b302f0e809bb5279bb4767dc07369dba93c Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Mon, 19 Oct 2009 23:42:52 +0000
Subject: [PATCH 333/385] new draft

---
 doc/draft/draft-ietf-behave-dns64-01.txt | 1624 ++++++++++++++++++++++
 1 file changed, 1624 insertions(+)
 create mode 100644 doc/draft/draft-ietf-behave-dns64-01.txt

diff --git a/doc/draft/draft-ietf-behave-dns64-01.txt b/doc/draft/draft-ietf-behave-dns64-01.txt
new file mode 100644
index 0000000000..25a6dd4d07
--- /dev/null
+++ b/doc/draft/draft-ietf-behave-dns64-01.txt
@@ -0,0 +1,1624 @@
+
+
+
+BEHAVE WG                                                     M. Bagnulo
+Internet-Draft                                                      UC3M
+Intended status: Standards Track                             A. Sullivan
+Expires: April 22, 2010                                         Shinkuro
+                                                             P. Matthews
+                                                          Alcatel-Lucent
+                                                          I. van Beijnum
+                                                          IMDEA Networks
+                                                        October 19, 2009
+
+
+DNS64: DNS extensions for Network Address Translation from IPv6 Clients
+                            to IPv4 Servers
+                       draft-ietf-behave-dns64-01
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on April 22, 2010.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 1]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+Abstract
+
+   DNS64 is a mechanism for synthesizing AAAA records from A records.
+   DNS64 is used with an IPv6/IPv4 translator to enable client-server
+   communication between an IPv6-only client and an IPv4-only server,
+   without requiring any changes to either the IPv6 or the IPv4 node,
+   for the class of applications that work through NATs.  This document
+   specifies DNS64, and provides suggestions on how it should be
+   deployed in conjunction with IPv6/IPv4 translators.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
+   3.  Background to DNS64 - DNSSEC interaction . . . . . . . . . . .  6
+   4.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  8
+   5.  DNS64 Normative Specification  . . . . . . . . . . . . . . . .  9
+     5.1.  Resolving AAAA queries and the answer section  . . . . . .  9
+       5.1.1.  The answer when there is AAAA data available . . . . .  9
+       5.1.2.  The answer when there is an error  . . . . . . . . . .  9
+       5.1.3.  Data for the answer when performing synthesis  . . . .  9
+       5.1.4.  Performing the synthesis . . . . . . . . . . . . . . . 10
+       5.1.5.  Querying in parallel . . . . . . . . . . . . . . . . . 11
+     5.2.  Generation of the IPv6 representations of IPv4
+           addresses  . . . . . . . . . . . . . . . . . . . . . . . . 11
+     5.3.  Handling other RRs . . . . . . . . . . . . . . . . . . . . 12
+       5.3.1.  PTR queries  . . . . . . . . . . . . . . . . . . . . . 12
+       5.3.2.  Handling the additional section  . . . . . . . . . . . 13
+       5.3.3.  Other records  . . . . . . . . . . . . . . . . . . . . 13
+     5.4.  Assembling a synthesized response to a AAAA query  . . . . 14
+     5.5.  DNSSEC processing: DNS64 in recursive server mode  . . . . 14
+     5.6.  DNS64 and multihoming  . . . . . . . . . . . . . . . . . . 15
+   6.  Deployment notes . . . . . . . . . . . . . . . . . . . . . . . 16
+     6.1.  DNS resolvers and DNS64  . . . . . . . . . . . . . . . . . 16
+     6.2.  DNSSEC validators and DNS64  . . . . . . . . . . . . . . . 16
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
+   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
+   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
+     10.1. Normative References . . . . . . . . . . . . . . . . . . . 17
+     10.2. Informative References . . . . . . . . . . . . . . . . . . 18
+   Appendix A.  Deployment scenarios and examples . . . . . . . . . . 20
+     A.1.  Embed and Zero-Pad algorithm description . . . . . . . . . 21
+     A.2.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in
+           DNS server mode  . . . . . . . . . . . . . . . . . . . . . 22
+     A.3.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in
+           stub-resolver mode . . . . . . . . . . . . . . . . . . . . 23
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 2]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+     A.4.  IPv6-Internet-to-an-IPv4-network setup DNS64 in DNS
+           server mode  . . . . . . . . . . . . . . . . . . . . . . . 25
+   Appendix B.  Motivations and Implications of synthesizing AAAA
+                RR when real AAAA RR exists . . . . . . . . . . . . . 27
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 3]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+1.  Introduction
+
+   This document specifies DNS64, a mechanism that is part of the
+   toolbox for IPv6-IPv4 transition and co-existence.  DNS64, used
+   together with an IPv6/IPv4 translator such as NAT64
+   [I-D.bagnulo-behave-nat64], allows an IPv6-only client to initiate
+   communications by name to an IPv4-only server.
+
+   DNS64 is a mechanism for synthesizing AAAA resource records (RRs)
+   from A RRs.  A synthetic AAAA RR created by the DNS64 from an
+   original A RR contains the same FQDN of the original A RR but it
+   contains an IPv6 address instead of an IPv4 address.  The IPv6
+   address is an IPv6 representation of the IPv4 address contained in
+   the original A RR.  The IPv6 representation of the IPv4 address is
+   algorithmically generated from the IPv4 address returned in the A RR
+   and a set of parameters configured in the DNS64 (typically, an IPv6
+   prefix used by IPv6 representations of IPv4 addresses and optionally
+   other parameters).
+
+   Together with a IPv6/IPv4 translator, these two mechanisms allow an
+   IPv6-only client to initiate communications to an IPv4-only server
+   using the FQDN of the server.
+
+   These mechanisms are expected to play a critical role in the IPv4-
+   IPv6 transition and co-existence.  Due to IPv4 address depletion, it
+   is likely that in the future, many IPv6-only clients will want to
+   connect to IPv4-only servers.  In the typical case, the approach only
+   requires the deployment of IPv6/IPv4 translators that connect an
+   IPv6-only network to an IPv4-only network, along with the deployment
+   of one or more DNS64-enabled name servers.  However, some advanced
+   features require performing the DNS64 function directly by the end-
+   hosts themselves.
+
+
+2.  Overview
+
+   This section provides a non-normative introduction to the DNS64
+   mechanism.
+
+   We assume that we have an IPv6/IPv4 translator box connecting an IPv4
+   network and an IPv6 network.  The IPv6/IPv4 translator device
+   provides translation services between the two networks enabling
+   communication between IPv4-only hosts and IPv6-only hosts.  (NOTE: By
+   IPv6-only hosts we mean hosts running IPv6-only applications, hosts
+   that can only use IPv6, as well as the cases where only IPv6
+   connectivity is available to the client.  By IPv4-only servers we
+   mean servers running IPv4-only applications, servers that can only
+   use IPv4, as well as the cases where only IPv4 connectivity is
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 4]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   available to the server).  The IPv6/IPv4 translator used in
+   conjunction with DNS64 must allow communications initiated from the
+   IPv6-only host to the IPv4-only host.
+
+   To allow an IPv6 initiator to do a standard AAAA RR DNS lookup to
+   learn the address of the responder, DNS64 is used to synthesize a
+   AAAA record from an A record containing a real IPv4 address of the
+   responder, whenever the DNS64 service cannot retrieve a AAAA record
+   for the requested host name.  The DNS64 device appears as a regular
+   recursive resolver for the IPv6 initiator.  The DNS64 box receives an
+   AAAA DNS query generated by the IPv6 initiator.  It first attempts a
+   recursive resolution for the requested AAAA records.  If there is no
+   AAAA record available for the target node (which is the normal case
+   when the target node is an IPv4-only node), DNS64 performs a query
+   for A records.  If any A records are discovered, DNS64 creates a
+   synthetic AAAA RR from the information retrieved in each A RR.
+
+   The FQDN of a synthetic AAAA RR is the same as that of the original A
+   RR, but an IPv6 representation of the IPv4 address contained in the
+   original A RR is included in the AAAA RR.  The IPv6 representation of
+   the IPv4 address is algorithmically generated from the IPv4 address
+   and additional parameters configured in the DNS64.  Among those
+   parameters configured in the DNS64, there is at least one IPv6
+   prefix, called Pref64::/n.  The IPv6 address representing IPv4
+   addresses included in the AAAA RR synthesized by the DNS64 function
+   contain Pref64::/n and they also embed the original IPv4 address.
+
+   The same algorithm and the same Pref64::/n prefix or prefixes must be
+   configured both in the DNS64 device and the IPv6/IPv4 translator, so
+   that both can algorithmically generate the same IPv6 representation
+   for a given IPv4 address.  In addition, it is required that IPv6
+   packets addressed to an IPv6 destination that contains the Pref64::/n
+   be delivered to the IPv6/IPv4 translator, so they can be translated
+   into IPv4 packets.
+
+   Once the DNS64 has synthesized the AAAA RR, the synthetic AAAA RR is
+   passed back to the IPv6 initiator, which will initiate an IPv6
+   communication with the IPv6 address associated with the IPv4
+   receiver.  The packet will be routed to the IPv6/IPv4 translator
+   which will forward it to the IPv4 network .
+
+   In general, the only shared state between the DNS64 and the IPv6/IPv4
+   translator is the Pref64::/n and an optional set of static
+   parameters.  The Pref64::/n and the set of static parameters must be
+   configured to be the same on both; there is no communication between
+   the DNS64 device and IPv6/IPv4 translator functions.  The mechanism
+   to be used for configuring the parameters of the DNS64 is beyond the
+   scope of this memo.
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 5]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   The DNS64 function can be performed in two places.
+
+      One option is to locate the DNS64 function in recursive name
+      servers serving end hosts.  In this case, when an IPv6-only host
+      queries the name server for AAAA RRs for an IPv4-only host, the
+      name server can perform the synthesis of AAAA RRs and pass them
+      back to the IPv6 only initiator.  The main advantage of this mode
+      is that current IPv6 nodes can use this mechanism without
+      requiring any modification.  This mode is called "DNS64 in DNS
+      server mode".
+
+      The other option is to place the DNS64 function in the end hosts
+      themselves, coupled to the local stub resolver.  In this case, the
+      stub resolver will try to obtain (real) AAAA RRs and in case they
+      are not available, the DNS64 function will synthesize AAAA RRs for
+      internal usage.  This mode is compatible with some advanced
+      functions like DNSSEC validation in the end host.  The main
+      drawback of this mode is its deployability, since it requires
+      changes in the end hosts.  This mode is called "DNS64 in stub-
+      resolver mode"".
+
+
+3.  Background to DNS64 - DNSSEC interaction
+
+   DNSSEC presents a special challenge for DNS64, because DNSSEC is
+   designed to detect changes to DNS answers, and DNS64 may alter
+   answers coming from an authoritative server.
+
+   A recursive resolver can be security-aware or security-oblivious.
+   Moreover, a security-aware recursive name server can be validating or
+   non-validating, according to operator policy.  In the cases below,
+   the recursive server is also performing DNS64, and has a local policy
+   to validate.  We call this general case vDNS64, but in all the cases
+   below the DNS64 functionality should be assumed needed.
+
+   DNSSEC includes some signaling bits that offer some indicators of
+   what the query originator understands.
+
+   If a query arrives at a vDNS64 device with the DO bit set, the query
+   originator is signaling that it understands DNSSEC.  The DO bit does
+   not indicate that the query originator will validate the response.
+   It only means that the query originator can understand responses
+   containing DNSSEC data.  Conversely, if the DO bit is clear, that is
+   evidence that the querying agent is not aware of DNSSEC.
+
+   If a query arrives at a vDNS64 device with the CD bit set, it is an
+   indication that the querying agent wants all the validation data so
+   it can do checking itself.  By local policy, vDNS64 could still
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 6]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   validate, but it must return all data to the querying agent anyway.
+
+   Here are the possible cases:
+
+   1.  A security-oblivious DNS64 node receives a query with the DO bit
+       clear.  In this case, DNSSEC is not a concern, because the
+       querying agent does not understand DNSSEC responses.
+
+   2.  A security-oblivious DNS64 node receives a query with the DO bit
+       set, and the CD bit clear.  This is just like the case of a non-
+       DNS64 case: the server doesn't support it, so the querying agent
+       is out of luck.
+
+   3.  A security-aware and non-validating DNS64 node receives a query
+       with the DO bit set and the CD bit clear.  Such a resolver is not
+       validating responses, likely due to local policy (see [RFC4035],
+       section 4.2).  For that reason, this case amounts to the same as
+       the previous case, and no validation happens.
+
+   4.  A security-aware and non-validating DNS64 node receives a query
+       with the DO bit set and the CD bit set.  In this case, the
+       resolver is supposed to pass on all the data it gets to the query
+       initiator (see section 3.2.2 of [RFC4035]).  This case will be
+       problematic with DNS64.  If the DNS64 server modifies the record,
+       the client will get the data back and try to validate it, and the
+       data will be invalid as far as the client is concerned.
+
+   5.  A security-aware and validating DNS64 node receives a query with
+       the DO bit clear and CD clear.  In this case, the resolver
+       validates the data.  If it fails, it returns RCODE 2 (SERVFAIL);
+       otherwise, it returns the answer.  This is the ideal case for
+       vDNS64.  The resolver validates the data, and then synthesizes
+       the new record and passes that to the client.  The client, which
+       is presumably not validating (else it would have set DO and CD),
+       cannot tell that DNS64 is involved.
+
+   6.  A security-aware and validating DNS64 node receives a query with
+       the DO bit set and CD clear.  In principle, this ought to work
+       like the previous case, except that the resolver should also set
+       the AD bit on the response.
+
+   7.  A security-aware and validating DNS64 node receives a query with
+       the DO bit set and CD set.  This is effectively the same as the
+       case where a security-aware and non-validating recursive resolver
+       receives a similar query, and the same thing will happen: the
+       downstream validator will mark the data as invalid if DNS64 has
+       performed synthesis.
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 7]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+4.  Terminology
+
+   This section provides definitions for the special terms used in the
+   document.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in RFC 2119 [RFC2119].
+
+   Authoritative server:  A DNS server that can answer authoritatively a
+      given DNS question.
+
+   DNS64:  A logical function that synthesizes DNS resource records (e.g
+      AAAA records containing IPv6 addresses) from DNS resource records
+      actually contained in the global DNS (e.g.  A records containing
+      IPv4 addresses).
+
+   DNS64 recursor:  A recursive resolver that provides the DNS64
+      functionality as part of its operation.
+
+   Recursive resolver:  A DNS server that accepts requests from one
+      resolver, and asks another resolver for the answer on behalf of
+      the first resolver.  In the context of this document, "the
+      recursive resolver" means a recursive resolver immediately next in
+      the DNS resolution chain from an end point.  The end point usually
+      has only a stub resolver available.[[anchor5: I can't actually
+      remember why we needed the sentences following "In the context of
+      this document. . ."  Unless someone has a reason, I'll take it
+      out. --ajs@shinkuro.com]]
+
+   Synthetic RR:  A DNS resource record (RR) that is not contained in
+      any zone data file, but has been synthesized from other RRs.  An
+      example is a synthetic AAAA record created from an A record.
+
+   Stub resolver:  A resolver with minimum functionality, typically for
+      use in end points that depend on a recursive resolver.  Most end
+      points on the Internet as of this writing use stub
+      resolvers.[[anchor6: Do we need this in the document?  I don't
+      think so. 1034 defines this term. --ajs@shinkuro.com]]
+
+   IPv6/IPv4 translator:  A device that translates IPv6 packets to IPv4
+      packets and vice-versa.  It is only required that the
+      communication initiated from the IPv6 side be supported.
+
+   For a detailed understanding of this document, the reader should also
+   be familiar with DNS terminology from [RFC1034],[RFC1035] and current
+   NAT terminology from [RFC4787].  Some parts of this document assume
+   familiarity with the terminology of the DNS security extensions
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 8]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   outlined in [RFC4035].
+
+
+5.  DNS64 Normative Specification
+
+   A DNS64 is a logical function that synthesizes AAAA records from A
+   records.  The DNS64 function may be implemented in a stub resolver,
+   in a recursive resolver, or in an authoritative name server.
+
+   The implementation SHOULD support mapping of IPv4 address ranges to
+   separate IPv6 prefixes for AAAA record synthesis.  This allows
+   handling of special use IPv4 addresses [I-D.iana-rfc3330bis].
+   Multicast address handling is further specified in
+   [I-D.venaas-behave-mcast46].
+
+5.1.  Resolving AAAA queries and the answer section
+
+   When the DNS64 receives a query for RRs of type AAAA and class IN, it
+   first attempts to retrieve non-synthetic RRs of this type and class,
+   either by performing a query or, in the case of an authoritative
+   server, by examining its own results.
+
+5.1.1.  The answer when there is AAAA data available
+
+   If the query results in one or more AAAA records in the answer
+   section, the result is returned to the requesting client as per
+   normal DNS semantics (except in the case where the AAAA falls in the
+   ::ffff/96 network; see below for treatment of that network).  In this
+   case, DNS64 SHOULD NOT include synthetic AAAA RRs in the response
+   (see Appendix B for an analysis of the motivations for and the
+   implications of not complying with this recommendation).  By default
+   DNS64 implementations MUST NOT synthesize AAAA RRs when real AAAA RRs
+   exist.
+
+5.1.2.  The answer when there is an error
+
+   If the query results in a response with an error code other than 0,
+   the result is handled according to normal DNS operation -- that is,
+   either the resolver tries again using a different server from the
+   authoritative NS RRSet, or it returns the error to the client.  This
+   stage is still prior to any synthesis having happened, so a response
+   to be returned to the client does not need any special assembly than
+   would usually happen in DNS operation.
+
+5.1.3.  Data for the answer when performing synthesis
+
+   If the query results in no error but an empty answer section in the
+   response, the DNS64 resolver attempts to retrieve A records for the
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                 [Page 9]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   name in question.  If this new A RR query results in an empty answer
+   or in an error, then the empty result or error is used as the basis
+   for the answer returned to the querying client.  (Transient errors
+   may result in retrying the query, depening on the operation of the
+   resolver; this is just as in Section 5.1.2.)  If instead the query
+   results in one or more A RRs, the DNS64 synthesizes AAAA RRs based on
+   the A RRs according to the procedure outlined in Section 5.1.4.  The
+   DNS64 resolver then returns the synthesized AAAA records in the
+   answer section to the client, removing the A records that form the
+   basis of the synthesis.
+
+   As an exception to the general rule about always returning the AAAA
+   records if they are returned in the answer, AAAA records with
+   addresses in the ::ffff/96 network are treated just like the case
+   where there is neither an error nor an empty answer section.  This is
+   because a real IPv6-only node will not be any more able to reach the
+   addresses in ::ffff/96 than it is able to reach an IPv4 address
+   without assistance.  An implementation MAY use the address in
+   ::ffff/96 as the basis of synthesis without querying for an A record,
+   by using the last 32 bits of the address provided in the AAAA record.
+   [[anchor10: I changed this to say "neither. . .nor" because the
+   previous version suggested that it would return the error-or-empty-
+   answer to the querying client, and that can't be right.  Correct?
+   --ajs@shinkuro.com]]
+
+5.1.4.  Performing the synthesis
+
+   A synthetic AAAA record is created from an A record as follows:
+
+   o  The NAME field is set to the NAME field from the A record
+
+   o  The TYPE field is set to 28 (AAAA)
+
+   o  The CLASS field is set to 1 (IN)
+
+   o  The TTL field is set to the minimum of the TTL of the original A
+      RR and the SOA RR for the queried domain.  (Note that in order to
+      obtain the TTL of the SOA RR the DNS64 does not need to perform a
+      new query, but it can remember the TTL from the SOA RR in the
+      negative response to the AAAA query).
+
+   o  The RDLENGTH field is set to 16
+
+   o  The RDATA field is set to the IPv6 representation of the IPv4
+      address from the RDATA field of the A record.  The DNS64 SHOULD
+      check each A RR against IPv4 address ranges and select the
+      corresponding IPv6 prefix to use in synthesizing the AAAA RR.  See
+      Section 5.2 for discussion of the algorithms to be used in
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 10]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+      effecting the transformation.
+
+5.1.5.  Querying in parallel
+
+   DNS64 MAY perform the query for the AAAA RR and for the A RR in
+   parallel, in order to minimize the delay.  However, this would result
+   in performing unnecessary A RR queries in the case no AAAA RR
+   synthesis is required.  A possible trade-off would be to perform them
+   sequentially but with a very short interval between them, so if we
+   obtain a fast reply, we avoid doing the additional query.  (Note that
+   this discussion is relevant only if the DNS64 function needs to
+   perform external queries to fetch the RR.  If the needed RR
+   information is available locally, as in the case of an authoritative
+   server, the issue is no longer relevant.)
+
+5.2.  Generation of the IPv6 representations of IPv4 addresses
+
+   DNS64 supports multiple algorithms for the generation of the IPv6
+   representation of an IPv4 address.  The constraints imposed on the
+   generation algorithms are the following:
+
+      The same algorithm to create an IPv6 address from an IPv4 address
+      MUST be used by both the DNS64 to create the IPv6 address to be
+      returned in the synthetic AAAA RR from the IPv4 address contained
+      in original A RR, and by the IPv6/IPv4 translator to create the
+      IPv6 address to be included in the destination address field of
+      the outgoing IPv6 packets from the IPv4 address included in the
+      destination address field of the incoming IPv4 packet.
+
+      The algorithm MUST be reversible, i.e. it MUST be possible to
+      extract the original IPv4 address from the IPv6 representation.
+
+      The input for the algorithm MUST be limited to the IPv4 address,
+      the IPv6 prefix (denoted Pref64::/n) used in the IPv6
+      representations and optionally a set of stable parameters that are
+      configured in the DNS64 (such as fixed string to be used as a
+      suffix).
+
+         If we note n the length of the prefix Pref64::/n, then n MUST
+         the less or equal than 96.  If a Pref64::/n is configured
+         through any means in the DNS64 (such as manually configured, or
+         other automatic mean not specified in this document), the
+         default algorithm MUST use this prefix.  If no prefix is
+         available, the algorithm MUST use the Well-Known prefix TBD1
+         defined in [I-D.thaler-behave-translator-addressing]
+
+      [[anchor12: Note in document: TBD1 in the passage above is to be
+      substituted by whatever prefix is assigned by IANA to be the well-
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 11]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+      known prefix.]]
+
+   DNS64 MUST support the following algorithms for generating IPv6
+   representations of IPv4 addresses defined in
+   [I-D.thaler-behave-translator-addressing]:
+
+      Zero-Pad And Embed, defined in section 3.2.3 of
+      [I-D.thaler-behave-translator-addressing]
+
+      Compensation-Pad And Embed, defined in section of 3.2.4 of
+      [I-D.thaler-behave-translator-addressing]
+
+      Embed And Zero-Pad, defined in section of 3.2.5 of
+      [I-D.thaler-behave-translator-addressing]
+
+      Preconfigured Mapping Table, defined in section of 3.2.6 of
+      [I-D.thaler-behave-translator-addressing]
+
+   The default algorithm used by DNS64 must be Embed and Zero-Pad.
+   While the normative description of the algorithms is provided in
+   [I-D.thaler-behave-translator-addressing], an sample description of
+   the algorithm and its application to different scenarios is provided
+   in Appendix A for illustration purposes.
+
+5.3.  Handling other RRs
+
+5.3.1.  PTR queries
+
+   If a DNS64 nameserver receives a PTR query for a record in the
+   IP6.ARPA domain, it MUST strip the IP6.ARPA labels from the QNAME,
+   reverse the address portion of the QNAME according to the encoding
+   scheme outlined in section 2.5 of [RFC3596] , and examine the
+   resulting address to see whether its prefix matches the locally-
+   configured Pref64::/n.  There are two alternatives for a DNS64
+   nameserver to respond to such PTR queries.  A DNS64 node MUST provide
+   one of these, and SHOULD NOT provide both at the same time unless
+   different IP6.ARPA zones require answers of different sorts.
+
+   The first option is for the DNS64 nameserver to respond
+   authoritatively for its prefixes.  If the address prefix matches any
+   Pref64::/n used in the site, either a LIR prefix or a well-known
+   prefix used for NAT64 as defined in
+   [I-D.thaler-behave-translator-addressing], then the DNS64 server MAY
+   answer the query using locally-appropriate RDATA.  The DNS64 server
+   MAY use the same RDATA for all answers.  Note that the requirement is
+   to match any Pref64::/n used at the site, and not merely the locally-
+   configured Pref64::/n.  This is because end clients could ask for a
+   PTR record matching an address received through a different (site-
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 12]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   provided) DNS64, and if this strategy is in effect, those queries
+   should never be sent to the global DNS.  The advantage of this
+   strategy is that it makes plain to the querying client that the
+   prefix is one operated by the DNS64 site, and that the answers the
+   client is getting are generated by the DNS64.  The disadvantage is
+   that any useful reverse-tree information that might be in the global
+   DNS is unavailable to the clients querying the DNS64.
+
+   The second option is for the DNS64 nameserver to synthesize a CNAME
+   mapping the IP6.ARPA namespace to the corresponding IN-ADDR.ARPA
+   name.  The rest of the response would be the normal DNS processing.
+   The CNAME can be signed on the fly if need be.  The advantage of this
+   approach is that any useful information in the reverse tree is
+   available to the querying client.  The disadvantage is that it adds
+   additional load to the DNS64 (because CNAMEs have to be synthesized
+   for each PTR query that matches the Pref64::/n), and that it may
+   require signing on the fly. [[anchor15: what are we supposed to do
+   here when the in-addr.arpa zone is unmaintained, as it may be.  If
+   there is no data at the target name, then we'll get a CNAME with a
+   map to an empty namespace, I think?  Isn't that bad?
+   --ajs@shinkuro.com]]
+
+   If the address prefix does not match any of the Pref64::/n, then the
+   DNS64 server MUST process the query as though it were any other query
+   -- i.e. a recursive nameserver MUST attempt to resolve the query as
+   though it were any other (non-A/AAAA) query, and an authoritative
+   server MUST respond authoritatively or with a referral, as
+   appropriate.
+
+5.3.2.  Handling the additional section
+
+   DNS64 synthesis MUST NOT be performed on any records in the
+   additional section of synthesized answers.  The DNS64 MUST pass the
+   additional section unchanged.
+
+   [[anchor16: We had some discussion, as an alternative to the above,
+   of allowing the DNS64 to truncate the additional section completely,
+   on the grounds that the additional section could break mixed-mode
+   iterative/forwarding resolvers that happen to end up behind DNS64.
+   Nobody else seemed to like that plan, so I haven't included it.
+   --ajs@shinkuro.com]]
+
+5.3.3.  Other records
+
+   If the DNS64 is in recursive resolver mode, then it SHOULD also serve
+   the zones specified in [I-D.ietf-dnsop-default-local-zones], rather
+   than forwarding those queries elsewhere to be handled.
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 13]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   All other RRs MUST be returned unchanged.
+
+5.4.  Assembling a synthesized response to a AAAA query
+
+   The DNS64 uses different pieces of data to build the response
+   returned to the querying client.
+
+   The query that is used as the basis for synthesis results either in
+   an error, an answer that can be used as a basis for synthesis, or an
+   empty (authoritative) answer.  If there is an empty answer, then the
+   DNS64 responds to the original querying client with the answer the
+   DNS64 received to the original AAAA query.  Otherwise, the response
+   is assembled as follows.
+
+   The header fields are set according to the usual rules for recursive
+   or authoritative servers, depending on the role that the DNS64 is
+   serving.  The question section is copied from the original AAAA
+   query.  The answer section is populated according to the rules in
+   Section 5.1.4.  The authority section is copied from the response to
+   the A query that the DNS64 performed.  The additional section is
+   populated according to the rules in Section 5.3.2.
+
+   [[anchor18: The cross-reference to how to do the additional section
+   can be removed, and replaced by "copied from the response to the A
+   query that the DNS64 performed" if we don't want to allow the DNS64
+   to truncate the additional section.  See the note above.  If I hear
+   no more feedback on this topic, then I'll make this change in the
+   next version. --ajs@shinkuro.com]]
+
+5.5.  DNSSEC processing: DNS64 in recursive server mode
+
+   We consider the case where the recursive server that is performing
+   DNS64 also has a local policy to validate the answers according to
+   the procedures outlined in [RFC4035] Section 5.  We call this general
+   case vDNS64.
+
+   The vDNS64 uses the presence of the DO and CD bits to make some
+   decisions about what the query originator needs, and can react
+   accordingly:
+
+   1.  If CD is not set and DO is not set, vDNS64 SHOULD perform
+       validation and do synthesis as needed.
+
+   2.  If CD is not set and DO is set, then vDNS64 SHOULD perform
+       validation.  Whenever vDNS64 performs validation, it MUST
+       validate the negative answer for AAAA queries before proceeding
+       to query for A records for the same name, in order to be sure
+       that there is not a legitimate AAAA record on the Internet.
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 14]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+       Failing to observe this step would allow an attacker to use DNS64
+       as a mechanism to circumvent DNSSEC.  If the negative response
+       validates, and the response to the A query validates, then the
+       vDNS64 MAY perform synthesis and SHOULD set the AD bit in the
+       answer to the client.  This is acceptable, because [RFC4035],
+       section 3.2.3 says that the AD bit is set by the name server side
+       of a security-aware recursive name server if and only if it
+       considers all the RRSets in the Answer and Authority sections to
+       be authentic.  In this case, the name server has reason to
+       believe the RRSets are all authentic, so it SHOULD set the AD
+       bit.  If the data does not validate, the vDNS64 MUST respond with
+       RCODE=2 (server failure).
+       A security-aware end point might take the presence of the AD bit
+       as an indication that the data is valid, and may pass the DNS
+       (and DNSSEC) data to an application.  If the application attempts
+       to validate the synthesized data, of course, the validation will
+       fail.  One could argue therefore that this approach is not
+       desirable.  But security aware stub resolvers MUST NOT place any
+       reliance on data received from resolvers and validated on their
+       behalf without certain criteria established by [RFC4035], section
+       4.9.3.  An application that wants to perform validation on its
+       own should use the CD bit.
+
+   3.  If the CD bit is set and DO is set, then vDNS64 MAY perform
+       validation, but MUST NOT perform synthesis.  It MUST hand the
+       data back to the query initiator, just like a regular recursive
+       resolver, and depend on the client to do the validation and the
+       synthesis itself.
+       The disadvantage to this approach is that an end point that is
+       translation-oblivious but security-aware and validating will not
+       be able to use the DNS64 functionality.  In this case, the end
+       point will not have the desired benefit of NAT64.  In effect,
+       this strategy means that any end point that wishes to do
+       validation in a NAT64 context must be upgraded to be translation-
+       aware as well.
+
+5.6.  DNS64 and multihoming
+
+   Synthetic AAAA records may be constructed on the basis of the network
+   context in which they were constructed.  Therefore, a synthetic AAAA
+   received from one interface MUST NOT be used to resolve hosts via
+   another network interface. [[anchor21: This seems to be the result of
+   the discussion on-list starting with message id 18034D4D7FE9AE48BF19A
+   B1B0EF2729F3EF0E69687@NOK-EUMSG-01.mgdnok.nokia.com, but it's pretty
+   strange when stated baldly.  In particular, how is the multi-homed
+   host supposed to know that a given AAAA is synthetic?
+   --ajs@shinkuro.com]]
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 15]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+6.  Deployment notes
+
+   While DNS64 is intended to be part of a strategy for aiding IPv6
+   deployment in an internetworking environment with some IPv4-only and
+   IPv6-only networks, it is important to realise that it is
+   incompatible with some things that may be deployed in an IPv4-only or
+   dual-stack context.
+
+6.1.  DNS resolvers and DNS64
+
+   Full-service resolvers that are unaware of the DNS64 function can be
+   (mis)configured to act as mixed-mode iterative and forwarding
+   resolvers.  In a native-IPv4 context, this sort of configuration may
+   appear to work.  It is impossible to make it work properly without it
+   being aware of the DNS64 function, because it will likely at some
+   point obtain IPv4-only glue records and attempt to use them for
+   resolution.  The result that is returned will contain only A records,
+   and without the ability to perform the DNS64 function the resolver
+   will simply be unable to answer the necessary AAAA queries.
+
+6.2.  DNSSEC validators and DNS64
+
+   Existing DNSSEC validators (i.e. that are unaware of DNS64) will
+   reject all the data that comes from the DNS64 as having been tampered
+   with.  If it is necessary to have validation behind the DNS64, then
+   the validator must know how to perform the DNS64 function itself.
+   Alternatively, the validating host may establish a trusted connection
+   with the DNS64, and allow the DNS64 to do all validation on its
+   behalf.
+
+
+7.  Security Considerations
+
+   See the discussion on the usage of DNSSEC and DNS64 described in the
+   document.
+
+
+8.  Contributors
+
+      Dave Thaler
+
+      Microsoft
+
+      dthaler@windows.microsoft.com
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 16]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+9.  Acknowledgements
+
+   This draft contains the result of discussions involving many people,
+   including the participants of the IETF BEHAVE Working Group.  The
+   following IETF participants made specific contributions to parts of
+   the text, and their help is gratefully acknowledged: Mark Andrews,
+   Jari Arkko, Rob Austein, Timothy Baldwin, Fred Baker, Marc Blanchet,
+   Cameron Byrne, Brian Carpenter, Hui Deng, Francis Dupont, Ed
+   Jankiewicz, Peter Koch, Suresh Krishnan, Ed Lewis, Xing Li, Matthijs
+   Mekking, Hiroshi Miyata, Simon Perrault, Teemu Savolainen, Jyrki
+   Soini, Dave Thaler, Mark Townsley, Stig Venaas, Magnus Westerlund,
+   Florian Weimer, Dan Wing, Xu Xiaohu.
+
+   Marcelo Bagnulo and Iljitsch van Beijnum are partly funded by
+   Trilogy, a research project supported by the European Commission
+   under its Seventh Framework Program.
+
+
+10.  References
+
+10.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+              RFC 2671, August 1999.
+
+   [RFC2672]  Crawford, M., "Non-Terminal DNS Name Redirection",
+              RFC 2672, August 1999.
+
+   [RFC2765]  Nordmark, E., "Stateless IP/ICMP Translation Algorithm
+              (SIIT)", RFC 2765, February 2000.
+
+   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
+              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
+              RFC 4787, January 2007.
+
+   [I-D.ietf-behave-tcp]
+              Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
+              Srisuresh, "NAT Behavioral Requirements for TCP",
+              draft-ietf-behave-tcp-08 (work in progress),
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 17]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+              September 2008.
+
+   [I-D.ietf-behave-nat-icmp]
+              Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
+              Behavioral Requirements for ICMP protocol",
+              draft-ietf-behave-nat-icmp-12 (work in progress),
+              January 2009.
+
+   [I-D.thaler-behave-translator-addressing]
+              Thaler, D., "IPv6 Addressing of IPv6/IPv4 Translators",
+              draft-thaler-behave-translator-addressing-00 (work in
+              progress), July 2009.
+
+10.2.  Informative References
+
+   [I-D.bagnulo-behave-nat64]
+              Bagnulo, M., Matthews, P., and I. Beijnum, "NAT64: Network
+              Address and Protocol Translation from IPv6 Clients to IPv4
+              Servers", draft-bagnulo-behave-nat64-03 (work in
+              progress), March 2009.
+
+   [RFC2766]  Tsirtsis, G. and P. Srisuresh, "Network Address
+              Translation - Protocol Translation (NAT-PT)", RFC 2766,
+              February 2000.
+
+   [RFC2136]  Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+              "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+              RFC 2136, April 1997.
+
+   [RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security
+              Considerations for IP Fragment Filtering", RFC 1858,
+              October 1995.
+
+   [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny
+              Fragment Attack (RFC 1858)", RFC 3128, June 2001.
+
+   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
+              Address Translator (Traditional NAT)", RFC 3022,
+              January 2001.
+
+   [RFC3484]  Draves, R., "Default Address Selection for Internet
+              Protocol version 6 (IPv6)", RFC 3484, February 2003.
+
+   [RFC3596]  Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
+              "DNS Extensions to Support IP Version 6", RFC 3596,
+              October 2003.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 18]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [RFC4966]  Aoun, C. and E. Davies, "Reasons to Move the Network
+              Address Translator - Protocol Translator (NAT-PT) to
+              Historic Status", RFC 4966, July 2007.
+
+   [I-D.iana-rfc3330bis]
+              Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
+              draft-iana-rfc3330bis-06 (work in progress),
+              February 2009.
+
+   [I-D.ietf-mmusic-ice]
+              Rosenberg, J., "Interactive Connectivity Establishment
+              (ICE): A Protocol for Network Address  Translator (NAT)
+              Traversal for Offer/Answer Protocols",
+              draft-ietf-mmusic-ice-19 (work in progress), October 2007.
+
+   [I-D.ietf-6man-addr-select-sol]
+              Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
+              "Solution approaches for address-selection problems",
+              draft-ietf-6man-addr-select-sol-01 (work in progress),
+              June 2008.
+
+   [RFC3498]  Kuhfeld, J., Johnson, J., and M. Thatcher, "Definitions of
+              Managed Objects for Synchronous Optical Network (SONET)
+              Linear Automatic Protection Switching (APS)
+              Architectures", RFC 3498, March 2003.
+
+   [I-D.wing-behave-learn-prefix]
+              Wing, D., Wang, X., and X. Xu, "Learning the IPv6 Prefix
+              of an IPv6/IPv4 Translator",
+              draft-wing-behave-learn-prefix-02 (work in progress),
+              May 2009.
+
+   [I-D.miyata-behave-prefix64]
+              Miyata, H. and M. Bagnulo, "PREFIX64 Comparison",
+              draft-miyata-behave-prefix64-02 (work in progress),
+              March 2009.
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 19]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   [I-D.venaas-behave-mcast46]
+              Venaas, S., "An IPv4 - IPv6 multicast translator",
+              draft-venaas-behave-mcast46-00 (work in progress),
+              December 2008.
+
+   [I-D.ietf-dnsop-default-local-zones]
+              Andrews, M., "Locally-served DNS Zones",
+              draft-ietf-dnsop-default-local-zones-08 (work in
+              progress), February 2009.
+
+
+Appendix A.  Deployment scenarios and examples
+
+   In this section, we first provide a description of the default
+   address transformation algorithm and then we walk through some sample
+   scenarios that are expected to be common deployment cases.  It should
+   be noted that is provided for illustrative purposes and this section
+   is not normative.  The normative definition of DNS64 is provided in
+   Section 5 and the normative definition of the address transformation
+   algorithm is provided in [I-D.thaler-behave-translator-addressing].
+
+   There are two main different setups where DNS64 is expected to be
+   used (other setups are possible as well, but these two are the main
+   ones identified at the time of this writing).
+
+      One possible setup that is expected to be common is the case of an
+      end site or an ISP that is providing IPv6-only connectivity or
+      connectivity to IPv6-only hosts that wants to allow the
+      communication from these IPv6-only connected hosts to the IPv4
+      Internet.  This case is called An-IPv6-network-to-IPv4-Internet.
+      In this case, the IPv6/IPv4 Translator is used to connect the end
+      site or the ISP to the IPv4 Internet and the DNS64 function is
+      provided by the end site or the ISP.
+
+      The other possible setup that is expected is an IPv4 site that
+      wants that its IPv4 servers to be reachable from the IPv6
+      Internet.  This case is called IPv6-Internet-to-an-IPv4-network.
+      It should be noted that the IPv4 addresses used in the IPv4 site
+      can be either public or private.  In this case, the IPv6/IPv4
+      Translator is used to connect the IPv4 end site to the IPv6
+      Internet and the DNS64 function is provided by the end site
+      itself.
+
+   In this section we illustrate how the DNS64 behaves in the different
+   scenarios that are expected to be common.  We consider then 3
+   possible scenarios, namely:
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 20]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   1.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS server
+       mode
+
+   2.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in stub-
+       resolver mode
+
+   3.  IPv6-Internet-to-an-IPv4-network setup with DNS64 in DNS server
+       mode
+
+   The notation used is the following: upper case letters are IPv4
+   addresses; upper case letters with a prime(') are IPv6 addresses;
+   lower case letters are ports; prefixes are indicated by "P::X", which
+   is an IPv6 address built from an IPv4 address X by adding the prefix
+   P, mappings are indicated as "(X,x) <--> (Y',y)".
+
+A.1.   Embed and Zero-Pad algorithm description
+
+   In this section we describe the default algorithm for the generation
+   of IPv6 address from IPv4 address to be implemented in the DNS64.
+
+   The only parameter required by the default algorithm is an IPv6
+   prefix.  This prefix is used to map IPv4 addresses into IPv6
+   addresses, and is denoted Pref64.  If we note n the length of the
+   prefix Pref64, then n must the less or equal than 96.  If an Pref64
+   is configured through any means in the DNS64 (such as manually
+   configured, or other automatic mean not specified in this document),
+   the default algorithm must use this prefix.  If no prefix is
+   available the algorithm must use the Well-Know prefix (include here
+   the prefix to be assigned by IANA) defined in
+   [I-D.thaler-behave-translator-addressing]
+
+   The input for the algorithm are:
+
+      The IPv4 address: X
+
+      The IPv6 prefix: Pref64::/n
+
+   The IPv6 address is generated by concatenating the prefix Pref64::/n,
+   the IPv4 address X and optionally (in case n is strictly smaller than
+   96) an all-zero suffix.  So, the resulting IPv6 address would be
+   Pref64:X::
+
+   Reverse algorithm
+
+   We next describe the reverse algorithm of the algorithm described in
+   the previous section.  This algorithm allows to generate and IPv4
+   address from an IPv6 address.  This reverse algorithm is NOT
+   implemented by the DNS64 but it is implemented in the IPv6/IPv4
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 21]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   translator that is serving the same domain the DNS64.
+
+   The only parameter required by the default algorithm is an IPv6
+   prefix.  This prefix is the one originally used to map IPv4 addresses
+   into IPv6 addresses, and is denoted Pref64.
+
+   The input for the algorithm are:
+
+      The IPv6 address: X'
+
+      The IPv6 prefix: Pref64::/n
+
+   First, the algorithm checks that the fist n bits of the IPv6 address
+   X' match with the prefix Pref64::/n i.e. verifies that Pref64::/n =
+   X'/n.
+
+      If this is not the case, the algorithm ends and no IPv4 address is
+      generated.
+
+      If the verification is successful, then the bits between the n+1
+      and the n+32 of the IPv6 address X' are extracted to form the IPv4
+      address.
+
+A.2.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in DNS server
+      mode
+
+   In this example, we consider an IPv6 node located in an IPv6-only
+   site that initiates a communication to an IPv4 node located in the
+   IPv4 Internet.
+
+   The scenario for this case is depicted in the following figure:
+
+
+      +---------------------------------------+         +-----------+
+      |IPv6 site       +-------------+        |IP Addr: |           |
+      |  +----+        | Name server |   +-------+ T    |   IPv4    |
+      |  | H1 |        | with DNS64  |   |64Trans|------| Internet  |
+      |  +----+        +-------------+   +-------+      +-----------+
+      |    |IP addr: Y'     |              |  |            |IP addr: X
+      |    ---------------------------------  |          +----+
+      +---------------------------------------+          | H2 |
+                                                         +----+
+
+   The figure shows an IPv6 node H1 which has an IPv6 address Y' and an
+   IPv4 node H2 with IPv4 address X.
+
+   A IPv6/IPv4 Translator connects the IPv6 network to the IPv4
+   Internet.  This IPv6/IPv4 Translator has a prefix (called Pref64::/n)
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 22]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   an IPv4 address T assigned to its IPv4 interface.
+
+   The other element involved is the local name server.  The name server
+   is a dual-stack node, so that H1 can contact it via IPv6, while it
+   can contact IPv4-only name servers via IPv4.
+
+   The local name server needs to know the prefix assigned to the local
+   IPv6/IPv4 Translator (Pref64::/n).  For the purpose of this example,
+   we assume it learns this through manual configuration.
+
+   For this example, assume the typical DNS situation where IPv6 hosts
+   have only stub resolvers, and always query a name server that
+   performs recursive lookups (henceforth called "the recursive
+   nameserver").
+
+   The steps by which H1 establishes communication with H2 are:
+
+   1.  H1 does a DNS lookup for FQDN(H2).  H1 does this by sending a DNS
+       query for an AAAA record for H2 to the recursive name server.
+       The recursive name server implements DNS64 functionality.
+
+   2.  The recursive name server resolves the query, and discovers that
+       there are no AAAA records for H2.
+
+   3.  The recursive name server queries for an A record for H2 and gets
+       back an A record containing the IPv4 address X. The name server
+       then synthesizes an AAAA record.  The IPv6 address in the AAAA
+       record contains the prefix assigned to the IPv6/IPv4 Translator
+       in the upper n bits then the IPv4 address X and then an all-zero
+       padding i.e. the resulting IPv6 address is Pref64:X::
+
+   4.  H1 receives the synthetic AAAA record and sends a packet towards
+       H2.  The packet is sent from a source transport address of (Y',y)
+       to a destination transport address of (Pref64:X::,x), where y and
+       x are ports chosen by H2.
+
+   5.  The packet is routed to the IPv6 interface of the IPv6/IPv4
+       Translator and the subsequent communication flows by means of the
+       IPv6/IPv4 Translator mechanisms.
+
+A.3.  An-IPv6-network-to-IPv4-Internet setup with DNS64 in stub-resolver
+      mode
+
+   The scenario for this case is depicted in the following figure:
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 23]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+      +---------------------------------------+         +-----------+
+      |IPv6 site             +-------+        |IP addr: |           |
+      |  +---------------+   | Name  |   +-------+  T   |   IPv4    |
+      |  | H1 with DNS64 |   | Server|   |64Trans|------| Internet  |
+      |  +---------------+   +-------+   +-------+      +-----------+
+      |        |IP addr: Y'      |         |  |            |IP addr: X
+      |    ---------------------------------  |          +----+
+      +---------------------------------------+          | H2 |
+                                                         +----+
+
+   The figure shows an IPv6 node H1 which has an IPv6 address Y' and an
+   IPv4 node H2 with IPv4 address X. Node H1 is implementing the DNS64
+   function.
+
+   A IPv6/IPv4 Translator connects the IPv6 network to the IPv4
+   Internet.  This IPv6/IPv4 Translator has a prefix (called Pref64::/n)
+   and an IPv4 address T assigned to its IPv4 interface.
+
+   H1 needs to know the prefix assigned to the local IPv6/IPv4
+   Translator (Pref64::/n).  For the purpose of this example, we assume
+   it learns this through manual configuration.
+
+   Also shown is a name server.  For the purpose of this example, we
+   assume that the name server is a dual-stack node, so that H1 can
+   contact it via IPv6, while it can contact IPv4-only name servers via
+   IPv4.
+
+   For this example, assume the typical situation where IPv6 hosts have
+   only stub resolvers and always query a name server that provides
+   recursive lookups (henceforth called "the recursive name server").
+   The recursive name server does not perform the DNS64 function.
+
+   The steps by which H1 establishes communication with H2 are:
+
+   1.  H1 does a DNS lookup for FQDN(H2).  H1 does this by sending a DNS
+       query for a AAAA record for H2 to the recursive name server.
+
+   2.  The recursive DNS server resolves the query, and returns the
+       answer to H1.  Because there are no AAAA records in the global
+       DNS for H2, the answer is empty.
+
+   3.  The stub resolver at H1 then queries for an A record for H2 and
+       gets back an A record containing the IPv4 address X. The DNS64
+       function within H1 then synthesizes a AAAA record.  The IPv6
+       address in the AAAA record contains the prefix assigned to the
+       IPv6/IPv4 Translator in the upper n bits, then the IPv4 address X
+       and then an all-zero padding i.e. the resulting IPv6 address is
+       Pref64:X::.
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 24]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   4.  H1 sends a packet towards H2.  The packet is sent from a source
+       transport address of (Y',y) to a destination transport address of
+       (Pref64:X::,x), where y and x are ports chosen by H2.
+
+   5.  The packet is routed to the IPv6 interface of the IPv6/IPv4
+       Translator and the subsequent communication flows using the IPv6/
+       IPv4 Translator mechanisms.
+
+A.4.  IPv6-Internet-to-an-IPv4-network setup DNS64 in DNS server mode
+
+   In this example, we consider an IPv6 node located in the IPv6
+   Internet site that initiates a communication to a IPv4 node located
+   in the IPv4 site.
+
+   This scenario can be addressed without using any form of DNS64
+   function.  This is so because it is possible to assign a fixed IPv6
+   address to each of the IPv4 servers.  Such an IPv6 address would be
+   constructed as the Pref64::/n concatenated with the IPv4 address of
+   the IPv4 server and an all-zero padding.  Note that the IPv4 address
+   can be a public or a private address; the latter does not present any
+   additional difficulty, since the LIR prefix must be used a Pref64 (in
+   this scenario the usage of the WK prefix is not supported).  Once
+   these IPv6 addresses have been assigned to represent the IPv4 servers
+   in the IPv6 Internet, real AAAA RRs containing these addresses can be
+   published in the DNS under the site's domain.  This is the
+   recommended approach to handle this scenario, because it does not
+   involve synthesizing AAAA records at the time of query.  Such a
+   configuration is easier to troubleshoot in the event of problems,
+   because it always provides the same answer to every query.
+
+   However, there are some more dynamic scenarios, where synthesizing
+   AAAA RRs in this setup may be needed.  In particular, when DNS Update
+   [RFC2136] is used in the IPv4 site to update the A RRs for the IPv4
+   servers, there are two options: One option is to modify the server
+   that receives the dynamic DNS updates.  That would normally be the
+   authoritative server for the zone.  So the authoritative zone would
+   have normal AAAA RRs that are synthesized as dynamic updates occur.
+   The other option is modify the authoritative server to generate
+   synthetic AAAA records for a zone, possibly based on additional
+   constraints, upon the receipt of a DNS query for the AAAA RR.  The
+   first option -- in which the AAAA is synthesized when the DNS update
+   message is received, and the data published in the relevant zone --
+   is recommended over the second option (i.e. the synthesis upon
+   receipt of the AAAA DNS query).  This is because it is usually easier
+   to solve problems of misconfiguration and so on when the DNS
+   responses are not being generated dynamically.  For completeness, the
+   DNS64 behavior that we describe in this section covers the case of
+   synthesizing the AAAA RR when the DNS query arrives.  Nevertheless,
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 25]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   such a configuration is NOT RECOMMENDED.  Troubleshooting
+   configurations that change the data depending on the query they
+   receive is notoriously hard, and the IPv4/IPv6 translation scenario
+   is complicated enough without adding additional opportunities for
+   possible malfunction.
+
+   The scenario for this case is depicted in the following figure:
+
+
+     +-----------+          +----------------------------------------+
+     |           |          |   IPv4 site            +-------------+ |
+     |   IPv6    |      +-------+      +----+        | Name server | |
+     | Internet  |------|64Trans|      | H2 |        | with DNS64  | |
+     +-----------+      +-------+      +----+        +-------------+ |
+       |IP addr: Y'         |  |         |IP addr: X     |           |
+     +----+                 | -----------------------------------    |
+     | H1 |                 +----------------------------------------+
+     +----+
+
+   The figure shows an IPv6 node H1 which has an IPv6 address Y' and an
+   IPv4 node H2 with IPv4 address X.
+
+   A IPv6/IPv4 Translator connects the IPv4 network to the IPv6
+   Internet.  This IPv6/IPv4 Translator has a prefix (called
+   Pref64::/n).
+
+   Also shown is the authoritative name server for the local domain with
+   DNS64 functionality.  For the purpose of this example, we assume that
+   the name server is a dual-stack node, so that H1 or a recursive
+   resolver acting on the request of H1 can contact it via IPv6, while
+   it can be contacted by IPv4-only nodes to receive dynamic DNS updates
+   via IPv4.
+
+   The local name server needs to know the prefix assigned to the local
+   IPv6/IPv4 Translator (Pref64::/n).  For the purpose of this example,
+   we assume it learns this through manual configuration.
+
+   The steps by which H1 establishes communication with H2 are:
+
+   1.  H1 does a DNS lookup for FQDN(H2).  H1 does this by sending a DNS
+       query for an AAAA record for H2.  The query is eventually
+       forwarded to the server in the IPv4 site.
+
+   2.  The local DNS server resolves the query (locally), and discovers
+       that there are no AAAA records for H2.
+
+   3.  The name server verifies that FQDN(H2) and its A RR are among
+       those that the local policy defines as allowed to generate a AAAA
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 26]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+       RR from.  If that is the case, the name server synthesizes an
+       AAAA record from the A RR and the relevant Pref64::/n.  The IPv6
+       address in the AAAA record contains the prefix assigned to the
+       IPv6/IPv4 Translator in the first n bits and the IPv4 address X
+       and then an all-zero padding.
+
+   4.  H1 receives the synthetic AAAA record and sends a packet towards
+       H2.  The packet is sent from a source transport address of (Y',y)
+       to a destination transport address of (Pref64:X::,x), where y and
+       x are ports chosen by H2.
+
+   5.  The packet is routed through the IPv6 Internet to the IPv6
+       interface of the IPv6/IPv4 Translator and the communication flows
+       using the IPv6/IPv4 Translator mechanisms.
+
+
+Appendix B.  Motivations and Implications of synthesizing AAAA RR when
+             real AAAA RR exists
+
+   The motivation for synthesizing AAAA RR when a real AAAA RR exists is
+   to support the following scenario:
+
+      An IPv4-only server application (e.g. web server software) is
+      running on a dual-stack host.  There may also be dual-stack server
+      applications also running on the same host.  That host has fully
+      routable IPv4 and IPv6 addresses and hence the authoritative DNS
+      server has an A and a AAAA record as a result.
+
+      An IPv6-only client (regardless of whether the client application
+      is IPv6-only, the client stack is IPv6-only, or it only has an
+      IPv6 address) wants to access the above server.
+
+      The client issues a DNS query to a DNS64 recursor.
+
+   If the DNS64 only generates a synthetic AAAA if there's no real AAAA,
+   then the communication will fail.  Even though there's a real AAAA,
+   the only way for communication to succeed is with the translated
+   address.  So, in order to support this scenario, the administrator of
+   a DNS64 service may want to enable the synthesis of AAAA RR even when
+   real AAAA RR exist.
+
+   The implication of including synthetic AAAA RR when real AAAA RR
+   exist is that translated connectivity may be preferred over native
+   connectivity in some cases where the DNS64 is operated in DNS server
+   mode.
+
+   RFC3484 [RFC3484] rules use longest prefix match to select which is
+   the preferred destination address to use.  So, if the DNS64 recursor
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 27]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+   returns both the synthetic AAAA RR and the real AAAA RR, then if the
+   DNS64 is operated by the same domain as the initiating host, and a
+   global unicast prefix (called the LIR prefix as defined in
+   [I-D.thaler-behave-translator-addressing]) is used, then the
+   synthetic AAAA RR is likely to be preferred.
+
+   This means that without further configuration:
+
+      In the case of An IPv6 network to the IPv4 internet, the host will
+      prefer translated connectivity if LIR prefix is used.  If the
+      Well-Known (WK) prefix defined in
+      [I-D.thaler-behave-translator-addressing] is used, it will
+      probably prefer native connectivity.
+
+      In the case of the IPv6 Internet to an IPv4 network, it is
+      possible to bias the selection towards the real AAAA RR if the
+      DNS64 recursor returns the real AAAA first in the DNS reply, when
+      the LIR prefix is used (the WK prefix usage is not recommended in
+      this case)
+
+      In the case of the IPv6 to IPv4 in the same network, for local
+      destinations (i.e., target hosts inside the local site), it is
+      likely that the LIR prefix and the destination prefix are the
+      same, so we can use the order of RR in the DNS reply to bias the
+      selection through native connectivity.  If a WK prefix is used,
+      the longest prefix match rule will select native connectivity.
+
+   So this option introduces problems in the following cases:
+
+      An IPv6 network to the IPv4 internet with the LIR prefix
+
+      IPv6 to IPv4 in the same network when reaching external
+      destinations and the LIR prefix is used.
+
+   In any case, the problem can be solved by properly configuring the
+   RFC3484 [RFC3484] policy table, but this requires effort on the part
+   of the site operator.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 28]
+
+Internet-Draft                    DNS64                     October 2009
+
+
+Authors' Addresses
+
+   Marcelo Bagnulo
+   UC3M
+   Av. Universidad 30
+   Leganes, Madrid  28911
+   Spain
+
+   Phone: +34-91-6249500
+   Fax:
+   Email: marcelo@it.uc3m.es
+   URI:   http://www.it.uc3m.es/marcelo
+
+
+   Andrew Sullivan
+   Shinkuro
+   4922 Fairmont Avenue, Suite 250
+   Bethesda, MD  20814
+   USA
+
+   Phone: +1 301 961 3131
+   Email: ajs@shinkuro.com
+
+
+   Philip Matthews
+   Unaffiliated
+   600 March Road
+   Ottawa, Ontario
+   Canada
+
+   Phone: +1 613-592-4343 x224
+   Fax:
+   Email: philip_matthews@magma.ca
+   URI:
+
+
+   Iljitsch van Beijnum
+   IMDEA Networks
+   Av. Universidad 30
+   Leganes, Madrid  28911
+   Spain
+
+   Phone: +34-91-6246245
+   Email: iljitsch@muada.com
+
+
+
+
+
+
+
+Bagnulo, et al.          Expires April 22, 2010                [Page 29]
+

From 4b30598fb908755c4fd04f51cf3ce1f550434bf3 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 01:04:03 +0000
Subject: [PATCH 334/385] 2716.   [bug]           nslookup debug mode didn't
 return the ttl. [RT #20414]

---
 CHANGES            | 2 ++
 bin/dig/nslookup.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index d65f71d97c..34fc3e4703 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
+
 	--- 9.7.0b1 released ---
 
 2715.	[bug]		Require OpenSSL support to be explicitly disabled.
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 22614b415f..004cf77ab2 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.123 2009/09/15 03:13:43 each Exp $ */
+/* $Id: nslookup.c,v 1.124 2009/10/20 01:04:03 marka Exp $ */
 
 #include 
 
@@ -373,6 +373,7 @@ detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
 					printrdata(&rdata);
 				}
 				dns_rdata_reset(&rdata);
+				printf("\tttl = %u\n", rdataset->ttl);
 				loopresult = dns_rdataset_next(rdataset);
 			}
 		}

From 29dd4bdd14d359dbf45bf9c8a9151b73a1a389b8 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 02:45:06 +0000
Subject: [PATCH 335/385] 2717.   [bug]           named failed to update the
 NSEC/NSEC3 record when                         the last private type record
 was removed as a result                         of completing the signing the
 zone with a key.                         [RT #20399]

---
 CHANGES        |   5 ++
 lib/dns/zone.c | 133 +++++++++++++++++++++++--------------------------
 2 files changed, 66 insertions(+), 72 deletions(-)

diff --git a/CHANGES b/CHANGES
index 34fc3e4703..1de6cb1c2c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2717.	[bug]		named failed to update the NSEC/NSEC3 record when
+			the last private type record was removed as a result
+			of completing the signing the zone with a key.
+			[RT #20399]
+
 2716.	[bug]		nslookup debug mode didn't return the ttl. [RT #20414]
 
 	--- 9.7.0b1 released ---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index f42cd99cca..978f528c2c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.517 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: zone.c,v 1.518 2009/10/20 02:45:06 marka Exp $ */
 
 /*! \file */
 
@@ -4986,7 +4986,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 		result = ISC_R_SUCCESS;
 	if (seen_dname)
 		*delegation = ISC_TRUE;
-failure:
+ failure:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	if (iterator != NULL)
@@ -4999,8 +4999,7 @@ failure:
  */
 static isc_result_t
 updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-	     dns_ttl_t minimum, isc_boolean_t update_only,
-	     isc_boolean_t *secureupdated, dns_diff_t *diff)
+	     dns_ttl_t minimum, isc_boolean_t update_only, dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
@@ -5015,19 +5014,15 @@ updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 					     0, &rdataset, NULL);
 		if (dns_rdataset_isassociated(&rdataset))
 			dns_rdataset_disassociate(&rdataset);
-		if (result == ISC_R_NOTFOUND) {
-			result = ISC_R_SUCCESS;
-			goto done;
-		}
+		if (result == ISC_R_NOTFOUND)
+			goto success;
 		if (result != ISC_R_SUCCESS)
 			goto failure;
 	}
 	CHECK(delete_nsec(db, version, node, name, diff));
 	CHECK(add_nsec(db, version, name, node, minimum, ISC_FALSE, diff));
- done:
-	if (secureupdated != NULL)
-		*secureupdated = ISC_TRUE;
-
+ success:
+	result = ISC_R_SUCCESS;
  failure:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
@@ -5036,7 +5031,8 @@ updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 
 static isc_result_t
 updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
-		  dns_dbversion_t *version, dns_diff_t *diff)
+		  dns_dbversion_t *version, isc_boolean_t build_nsec3,
+		  dns_ttl_t minimum, dns_diff_t *diff)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -5044,6 +5040,7 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	unsigned char data[5];
 	isc_boolean_t seen_done = ISC_FALSE;
+	isc_boolean_t have_rr = ISC_FALSE;
 
 	dns_rdataset_init(&rdataset);
 	result = dns_db_getoriginnode(signing->db, &node);
@@ -5066,16 +5063,32 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdataset_current(&rdataset, &rdata);
+		/*
+		 * If we don't match the algorithm or keyid skip the record.
+		 */
 		if (rdata.length != 5 ||
 		    rdata.data[0] != signing->algorithm ||
 		    rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
 		    rdata.data[2] != (signing->keyid & 0xff)) {
+			have_rr = ISC_TRUE;
 			dns_rdata_reset(&rdata);
 			continue;
 		}
-		if (!signing->delete && rdata.data[4] != 0)
+		/*
+		 * We have a match.  If we were signing (!signing->delete)
+		 * and we already have a record indicating that we have
+		 * finished signing (rdata.data[4] != 0) then keep it.
+		 * Otherwise it needs to be deleted as we have removed all
+		 * the signatures (signing->delete), so any record indicating
+		 * completion is now out of date, or we have finished signing
+		 * with the new record so we no longer need to remember that
+		 * we need to sign the zone with the matching key across a
+		 * nameserver re-start.
+		 */
+		if (!signing->delete && rdata.data[4] != 0) {
 			seen_done = ISC_TRUE;
-		else
+			have_rr = ISC_TRUE;
+		} else
 			CHECK(update_one_rr(signing->db, version, diff,
 					    DNS_DIFFOP_DEL, &zone->origin,
 					    rdataset.ttl, &rdata));
@@ -5084,7 +5097,11 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
 	if (!signing->delete && !seen_done) {
-
+		/*
+		 * If we were signing then we need to indicate that we have
+		 * finished signing the zone with this key.  If it is already
+		 * there we don't need to add it a second time.
+		 */
 		data[0] = signing->algorithm;
 		data[1] = (signing->keyid >> 8) & 0xff;
 		data[2] = signing->keyid & 0xff;
@@ -5096,7 +5113,19 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 		rdata.rdclass = dns_db_class(signing->db);
 		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
 				    &zone->origin, rdataset.ttl, &rdata));
+	} else if (!have_rr) {
+		dns_name_t *origin = dns_db_origin(signing->db);
+		/*
+		 * Rebuild the NSEC/NSEC3 record for the origin as we no
+		 * longer have any private records.
+		 */
+		if (build_nsec3) 
+			CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
+						  minimum, ISC_FALSE, diff));
+		CHECK(updatesecure(signing->db, version, origin, minimum,
+				   ISC_TRUE, diff));
 	}
+ 
  failure:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
@@ -5970,7 +5999,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 		dns_db_detachnode(db, &node);
 		if (rebuild_nsec) {
 			result = updatesecure(db, version, &zone->origin,
-					      zone->minimum, ISC_TRUE, NULL,
+					      zone->minimum, ISC_TRUE,
 					      &nsec_diff);
 			if (result != ISC_R_SUCCESS) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -6022,8 +6051,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 	if (updatensec) {
 		result = updatesecure(db, version, &zone->origin,
-				      zone->minimum, ISC_FALSE, NULL,
-				      &nsec_diff);
+				      zone->minimum, ISC_FALSE, &nsec_diff);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
 				     "updatesecure -> %s\n",
@@ -6268,6 +6296,7 @@ zone_sign(dns_zone_t *zone) {
 	dns_dbnode_t *node = NULL;
 	dns_dbversion_t *version = NULL;
 	dns_diff_t sig_diff;
+	dns_diff_t post_diff;
 	dns_fixedname_t fixed;
 	dns_fixedname_t nextfixed;
 	dns_name_t *name, *nextname;
@@ -6279,8 +6308,6 @@ zone_sign(dns_zone_t *zone) {
 	isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
 	isc_boolean_t commit = ISC_FALSE;
 	isc_boolean_t delegation;
-	isc_boolean_t finishedakey = ISC_FALSE;
-	isc_boolean_t secureupdated = ISC_FALSE;
 	isc_boolean_t build_nsec = ISC_FALSE;
 	isc_boolean_t build_nsec3 = ISC_FALSE;
 	isc_boolean_t first;
@@ -6299,6 +6326,7 @@ zone_sign(dns_zone_t *zone) {
 	nextname = dns_fixedname_name(&nextfixed);
 	dns_diff_init(zone->mctx, &sig_diff);
 	sig_diff.resign = zone->sigresigninginterval;
+	dns_diff_init(zone->mctx, &post_diff);
 	ISC_LIST_INIT(cleanup);
 
 	/*
@@ -6530,8 +6558,7 @@ zone_sign(dns_zone_t *zone) {
 				ISC_LIST_UNLINK(zone->signing, signing, link);
 				ISC_LIST_APPEND(cleanup, signing, link);
 				dns_dbiterator_pause(signing->dbiterator);
-				finishedakey = ISC_TRUE;
-				if (!secureupdated && nkeys != 0 && build_nsec) {
+				if (nkeys != 0 && build_nsec) {
 					/*
 					 * We have finished regenerating the
 					 * zone with a zone signing key.
@@ -6544,8 +6571,7 @@ zone_sign(dns_zone_t *zone) {
 							      &zone->origin,
 							      zone->minimum,
 							      ISC_FALSE,
-							      &secureupdated,
-							      &sig_diff);
+							      &post_diff);
 					if (result != ISC_R_SUCCESS) {
 						dns_zone_log(zone,
 							     ISC_LOG_ERROR,
@@ -6555,7 +6581,10 @@ zone_sign(dns_zone_t *zone) {
 					}
 				}
 				result = updatesignwithkey(zone, signing,
-							   version, &sig_diff);
+							   version,
+							   build_nsec3,
+							   zone->minimum,
+							   &post_diff);
 				if (result != ISC_R_SUCCESS) {
 					dns_zone_log(zone, ISC_LOG_ERROR,
 						     "updatesignwithkey "
@@ -6587,53 +6616,13 @@ zone_sign(dns_zone_t *zone) {
 		first = ISC_TRUE;
 	}
 
-	if (secureupdated) {
-		/*
-		 * We have changed the NSEC RRset above so we need to update
-		 * the signatures.
-		 */
-		result = del_sigs(zone, db, version, &zone->origin,
-				  dns_rdatatype_nsec, &sig_diff, zone_keys,
-				  nkeys, now);
+	if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
+		result = update_sigs(&post_diff, db, version, zone_keys,
+				     nkeys, zone, inception, expire, now,
+				     check_ksk, keyset_kskonly, &sig_diff);
 		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_sign:del_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, version, &zone->origin,
-				  dns_rdatatype_nsec, &sig_diff, zone_keys,
-				  nkeys, zone->mctx, inception, soaexpire,
-				  check_ksk, keyset_kskonly);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_sign:add_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-	}
-
-	if (finishedakey) {
-		/*
-		 * We have changed the RRset above so we need to update
-		 * the signatures.
-		 */
-		result = del_sigs(zone, db, version, &zone->origin,
-				  zone->privatetype, &sig_diff,
-				  zone_keys, nkeys, now);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_sign:del_sigs -> %s\n",
-				     dns_result_totext(result));
-			goto failure;
-		}
-		result = add_sigs(db, version, &zone->origin,
-				  zone->privatetype, &sig_diff,
-				  zone_keys, nkeys, zone->mctx, inception,
-				  soaexpire, check_ksk, keyset_kskonly);
-		if (result != ISC_R_SUCCESS) {
-			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "zone_sign:add_sigs -> %s\n",
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
+				     "update_sigs -> %s\n",
 				     dns_result_totext(result));
 			goto failure;
 		}

From 3c5e54941fe8ed891d1588e84e210d8829b9903a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 02:59:19 +0000
Subject: [PATCH 336/385] 2718.   [bug]           The space calculations in
 opensslrsa_todns() were                         incorrect. [RT #20394]

---
 CHANGES                   | 3 +++
 lib/dns/opensslrsa_link.c | 9 +++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 1de6cb1c2c..118a99edc1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2718.	[bug]		The space calculations in opensslrsa_todns() were
+			incorrect. [RT #20394]
+
 2717.	[bug]		named failed to update the NSEC/NSEC3 record when
 			the last private type record was removed as a result
 			of completing the signing the zone with a key.
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index e81b4b9ab4..5e22ea5ce6 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -549,19 +549,20 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 		if (r.length < 1)
 			DST_RET(ISC_R_NOSPACE);
 		isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
+		isc_region_consume(&r, 1);
 	} else {
 		if (r.length < 3)
 			DST_RET(ISC_R_NOSPACE);
 		isc_buffer_putuint8(data, 0);
 		isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
+		isc_region_consume(&r, 3);
 	}
 
 	if (r.length < e_bytes + mod_bytes)
-		return (ISC_R_NOSPACE);
-	isc_buffer_availableregion(data, &r);
+		DST_RET(ISC_R_NOSPACE);
 
 	BN_bn2bin(rsa->e, r.base);
-	r.base += e_bytes;
+	isc_region_consume(&r, e_bytes);
 	BN_bn2bin(rsa->n, r.base);
 
 	isc_buffer_add(data, e_bytes + mod_bytes);

From 06e7340198bbd89b6765998a04abde217e7b0e7b Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 03:15:06 +0000
Subject: [PATCH 337/385] 2719.   [func]          Skip trusted/managed keys for
 unsupported algorithms.                         [RT #20392]

---
 CHANGES            |  3 +++
 bin/named/server.c | 17 ++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 118a99edc1..39608fe428 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
+			[RT #20392]
+
 2718.	[bug]		The space calculations in opensslrsa_todns() were
 			incorrect. [RT #20394]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index 8b7ab9951a..268a60e478 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.551 2009/10/12 20:48:11 each Exp $ */
+/* $Id: server.c,v 1.552 2009/10/20 03:15:06 marka Exp $ */
 
 /*! \file */
 
@@ -552,6 +552,11 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			    "ignoring %s key for '%s': no crypto support",
 			    managed ? "managed" : "trusted",
 			    keynamestr);
+	} else if (result == DST_R_UNSUPPORTEDALG) {
+		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+			    "skipping %s key for '%s': %s",
+			    managed ? "managed" : "trusted",
+			    keynamestr, isc_result_totext(result));
 	} else {
 		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
 			    "configuring %s key for '%s': %s",
@@ -584,8 +589,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 		     elt2 != NULL;
 		     elt2 = cfg_list_next(elt2)) {
 			key = cfg_listelt_value(elt2);
-			CHECK(dstkey_fromconfig(vconfig, key, managed,
-						&dstkey, mctx));
+			result = dstkey_fromconfig(vconfig, key, managed,
+						   &dstkey, mctx);
+			if (result ==  DST_R_UNSUPPORTEDALG) {
+				result = ISC_R_SUCCESS;
+				continue;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
 			CHECK(dns_keytable_add(view->secroots, managed,
 					       &dstkey));
 		}

From 859cfb24bfd7bd7754bb1d9ca68bce861a4b0a40 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 03:30:07 +0000
Subject: [PATCH 338/385] silence compiler warnings. [RT #20412]

---
 bin/named/statschannel.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 1547c41613..062fdb5d9e 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: statschannel.c,v 1.23 2009/10/05 19:39:20 each Exp $ */
+/* $Id: statschannel.c,v 1.24 2009/10/20 03:30:07 marka Exp $ */
 
 /*! \file */
 
@@ -130,11 +130,11 @@ init_desc(void) {
 	int i;
 
 	/* Initialize name server statistics */
-	memset((void *)nsstats_desc, 0,
-	       dns_nsstatscounter_max * sizeof(nsstats_desc[0]));
+	for (i = 0; i < dns_nsstatscounter_max; i++)
+		nsstats_desc[i] = NULL;
 #ifdef HAVE_LIBXML2
-	memset((void *)nsstats_xmldesc, 0,
-	       dns_nsstatscounter_max * sizeof(nsstats_xmldesc[0]));
+	for (i = 0; i < dns_nsstatscounter_max; i++)
+		nsstats_xmldesc[i] = NULL;
 #endif
 
 #define SET_NSSTATDESC(counterid, desc, xmldesc) \
@@ -198,11 +198,11 @@ init_desc(void) {
 	INSIST(i == dns_nsstatscounter_max);
 
 	/* Initialize resolver statistics */
-	memset((void *)resstats_desc, 0,
-	       dns_resstatscounter_max * sizeof(resstats_desc[0]));
+	for (i = 0; i < dns_resstatscounter_max; i++)
+		resstats_desc[i] = NULL;
 #ifdef  HAVE_LIBXML2
-	memset((void *)resstats_xmldesc, 0,
-	       dns_resstatscounter_max * sizeof(resstats_xmldesc[0]));
+	for (i = 0; i < dns_resstatscounter_max; i++)
+		resstats_xmldesc[i] = NULL;
 #endif
 
 #define SET_RESSTATDESC(counterid, desc, xmldesc) \
@@ -268,11 +268,11 @@ init_desc(void) {
 	INSIST(i == dns_resstatscounter_max);
 
 	/* Initialize zone statistics */
-	memset((void *)zonestats_desc, 0,
-	       dns_zonestatscounter_max * sizeof(zonestats_desc[0]));
+	for (i = 0; i < dns_zonestatscounter_max; i++)
+		zonestats_desc[i] = NULL;
 #ifdef  HAVE_LIBXML2
-	memset((void *)zonestats_xmldesc, 0,
-	       dns_zonestatscounter_max * sizeof(zonestats_xmldesc[0]));
+	for (i = 0; i < dns_zonestatscounter_max; i++)
+		zonestats_xmldesc[i] = NULL;
 #endif
 
 #define SET_ZONESTATDESC(counterid, desc, xmldesc) \
@@ -300,11 +300,11 @@ init_desc(void) {
 	INSIST(i == dns_zonestatscounter_max);
 
 	/* Initialize socket statistics */
-	memset((void *)sockstats_desc, 0,
-	       isc_sockstatscounter_max * sizeof(sockstats_desc[0]));
+	for (i = 0; i < isc_sockstatscounter_max; i++)
+		sockstats_desc[i] = NULL;
 #ifdef  HAVE_LIBXML2
-	memset((void *)sockstats_xmldesc, 0,
-	       isc_sockstatscounter_max * sizeof(sockstats_xmldesc[0]));
+	for (i = 0; i < isc_sockstatscounter_max; i++)
+		sockstats_xmldesc[i] = NULL;
 #endif
 
 #define SET_SOCKSTATDESC(counterid, desc, xmldesc) \

From bfbd69c43f2b63ac122e4a47a510d46ffffb613c Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 20 Oct 2009 04:13:38 +0000
Subject: [PATCH 339/385] 2720.	[bug]		RFC 5011 trust anchor updates
 could trigger an 			assert if the DNSKEY record was
 unsigned. [RT #20406]

---
 CHANGES        |  3 +++
 lib/dns/zone.c | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 39608fe428..081788080f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2720.	[bug]		RFC 5011 trust anchor updates could trigger an
+			assert if the DNSKEY record was unsigned. [RT #20406]
+
 2719.	[func]		Skip trusted/managed keys for unsupported algorithms.
 			[RT #20392]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 978f528c2c..001c3ae070 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.518 2009/10/20 02:45:06 marka Exp $ */
+/* $Id: zone.c,v 1.519 2009/10/20 04:13:38 each Exp $ */
 
 /*! \file */
 
@@ -7042,7 +7042,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dns_diff_init(zone->mctx, &diff);
 
 	/* Fetch failed */
-	if (eresult != ISC_R_SUCCESS) {
+	if (eresult != ISC_R_SUCCESS ||
+	    !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
 		dns_zone_log(zone, ISC_LOG_WARNING,
 			     "Unable to fetch DNSKEY set "
 			     "'%s': %s", namebuf, dns_result_totext(eresult));
@@ -7050,6 +7051,15 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		goto failure;
 	}
 
+	/* No RRSIGs found */
+	if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "No DNSKEY RRSIGs found for "
+			     "'%s': %s", namebuf, dns_result_totext(eresult));
+		CHECK(minimal_update(kfetch, ver, &diff));
+		goto failure;
+	}
+
 	/*
 	 * Validate the dnskeyset against the current trusted keys.
 	 * (Note, if a key has been revoked and isn't RSAMD5, then

From a01095a487a2c858c4f86e0f32c93b482d179a78 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 04:39:48 +0000
Subject: [PATCH 340/385] 2721.   [port]          Have dst__entropy_status()
 prime the random number                         generator. [RT #20369]

---
 CHANGES           |  3 +++
 lib/dns/dst_api.c | 22 +++++++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 081788080f..2440343b58 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2721.	[port]		Have dst__entropy_status() prime the random number
+			generator. [RT #20369]
+
 2720.	[bug]		RFC 5011 trust anchor updates could trigger an
 			assert if the DNSKEY record was unsigned. [RT #20406]
 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index b0dabb5be4..08e8ee3c7a 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.41 2009/10/12 20:48:12 each Exp $
+ * $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $
  */
 
 /*! \file */
@@ -1581,6 +1581,9 @@ isc_result_t
 dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 #ifdef BIND9
 	unsigned int flags = dst_entropy_flags;
+
+	if (len == 0)
+		return (ISC_R_SUCCESS);
 	if (pseudo)
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	else
@@ -1598,6 +1601,23 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 unsigned int
 dst__entropy_status(void) {
 #ifdef BIND9
+#ifdef GSSAPI
+	unsigned int flags = dst_entropy_flags;
+	isc_result_t ret;
+	unsigned char buf[32];
+	static isc_boolean_t first = ISC_TRUE;
+
+	if (first) {
+		/* Someone believes RAND_status() initializes the PRNG */
+		flags &= ~ISC_ENTROPY_GOODONLY;
+		ret = isc_entropy_getdata(dst_entropy_pool, buf,
+					  sizeof(buf), NULL, flags);
+		INSIST(ret == ISC_R_SUCCESS);
+		isc_entropy_putdata(dst_entropy_pool, buf,
+				    sizeof(buf), 2 * sizeof(buf));
+		first = ISC_FALSE;
+	}
+#endif
 	return (isc_entropy_status(dst_entropy_pool));
 #else
 	return (0);

From 7704a47aec081144bdb7a0218d5e2dd5296b6b08 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 20 Oct 2009 04:57:57 +0000
Subject: [PATCH 341/385] 2722.   [bug]           Ensure that the memory
 associated with the name of                         a node in a rbt tree is
 not altered during the life                         of the node. [RT #20431]

---
 CHANGES                   |  4 ++++
 lib/dns/include/dns/rbt.h |  6 +++---
 lib/dns/rbt.c             | 35 +++++++++++++++++++++--------------
 3 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2440343b58..8aa8017a1f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2722.	[bug]		Ensure that the memory associated with the name of
+			a node in a rbt tree is not altered during the life
+			of the node. [RT #20431]
+
 2721.	[port]		Have dst__entropy_status() prime the random number
 			generator. [RT #20369]
 
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index a33bda4d34..20d05bf6b0 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.74 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: rbt.h,v 1.75 2009/10/20 04:57:57 marka Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
@@ -105,11 +105,11 @@ struct dns_rbtnode {
 	unsigned int is_root : 1;       /*%< range is 0..1 */
 	unsigned int color : 1;         /*%< range is 0..1 */
 	unsigned int find_callback : 1; /*%< range is 0..1 */
-	unsigned int attributes : 3;    /*%< range is 0..2 */
+	unsigned int attributes : 4;    /*%< range is 0..2 */
 	unsigned int nsec3 : 1;    	/*%< range is 0..1 */
 	unsigned int namelen : 8;       /*%< range is 1..255 */
 	unsigned int offsetlen : 8;     /*%< range is 1..128 */
-	unsigned int padbytes : 9;      /*%< range is 0..380 */
+	unsigned int oldnamelen : 8;    /*%< range is 1..255 */
 	/*@}*/
 
 #ifdef DNS_RBT_USEHASH
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 81911816e0..b3f06349f6 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.144 2009/01/17 23:47:42 tbox Exp $ */
+/* $Id: rbt.c,v 1.145 2009/10/20 04:57:57 marka Exp $ */
 
 /*! \file */
 
@@ -85,9 +85,9 @@ struct dns_rbt {
 #define HASHVAL(node)           ((node)->hashval)
 #define COLOR(node)             ((node)->color)
 #define NAMELEN(node)           ((node)->namelen)
+#define OLDNAMELEN(node)        ((node)->oldnamelen)
 #define OFFSETLEN(node)         ((node)->offsetlen)
 #define ATTRS(node)             ((node)->attributes)
-#define PADBYTES(node)          ((node)->padbytes)
 #define IS_ROOT(node)           ISC_TF((node)->is_root == 1)
 #define FINDCALLBACK(node)      ISC_TF((node)->find_callback == 1)
 
@@ -100,13 +100,23 @@ struct dns_rbt {
 #define LOCKNUM(node)   ((node)->locknum)
 
 /*%
- * The variable length stuff stored after the node.
+ * The variable length stuff stored after the node has the following
+ * structure.
+ *
+ *	{1..255}{1}{1..128}
+ *
+ *  contains the name of the node when it was created.
+ *  contains the length of  when the node was created.
+ *  contains the offets into name for each label when the node was
+ * created.
  */
+
 #define NAME(node)      ((unsigned char *)((node) + 1))
-#define OFFSETS(node)   (NAME(node) + NAMELEN(node))
+#define OFFSETS(node)   (NAME(node) + OLDNAMELEN(node) + 1)
+#define OLDOFFSETLEN(node) (OFFSETS(node)[-1])
 
 #define NODE_SIZE(node) (sizeof(*node) + \
-			 NAMELEN(node) + OFFSETLEN(node) + PADBYTES(node))
+			 OLDNAMELEN(node) + OLDOFFSETLEN(node) + 1)
 
 /*%
  * Color management.
@@ -553,11 +563,6 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 				NAMELEN(current) = prefix->length;
 				OFFSETLEN(current) = prefix->labels;
-				memcpy(OFFSETS(current), prefix->offsets,
-				       prefix->labels);
-				PADBYTES(current) +=
-				       (current_name.length - prefix->length) +
-				       (current_name.labels - prefix->labels);
 
 				/*
 				 * Set up the new root of the next level.
@@ -1423,7 +1428,7 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	 * Allocate space for the node structure, the name, and the offsets.
 	 */
 	node = (dns_rbtnode_t *)isc_mem_get(mctx, sizeof(*node) +
-					    region.length + labels);
+					    region.length + labels + 1);
 
 	if (node == NULL)
 		return (ISC_R_NOMEMORY);
@@ -1460,10 +1465,12 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	 *      The offsets table could be made smaller by eliminating the
 	 *      first offset, which is always 0.  This requires changes to
 	 *      lib/dns/name.c.
+	 *
+	 * Note: OLDOFFSETLEN *must* be assigned *after* OLDNAMELEN is assigned
+	 * 	 as it uses OLDNAMELEN.
 	 */
-	NAMELEN(node) = region.length;
-	PADBYTES(node) = 0;
-	OFFSETLEN(node) = labels;
+	OLDNAMELEN(node) = NAMELEN(node) = region.length;
+	OLDOFFSETLEN(node) = OFFSETLEN(node) = labels;
 	ATTRS(node) = name->attributes;
 
 	memcpy(NAME(node), region.base, region.length);

From eccf8cc404a04ffc465a6947ed4351703dfbadaf Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 20 Oct 2009 14:42:57 +0000
Subject: [PATCH 342/385] fix typo

---
 doc/rfc/index | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/rfc/index b/doc/rfc/index
index 2c9eea9595..671a899b99 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -120,5 +120,5 @@
          Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
 4892:	Requirements for a Mechanism Identifying a Name Server Instance
 5155:	DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
-5295:	Host Identity Protocol (HIP) Domain Name System (DNS) Extension
+5205:	Host Identity Protocol (HIP) Domain Name System (DNS) Extension
 5507:	Design Choices When Expanding the DNS

From e193c6c98e51665c12a60164710b20df3041ce77 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 20 Oct 2009 23:18:22 +0000
Subject: [PATCH 343/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 2b37b7213f..e18d87e21a 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -268,6 +268,8 @@ rt20369a			new	fdupont	// 2009-10-06 14:25 +0000
 rt20372				new	each	// 2009-10-06 22:08 +0000
 rt20399				new	marka	// 2009-10-14 02:27 +0000
 rt20405				new	each	// 2009-10-14 05:15 +0000
+rt20406				new	each	// 2009-10-20 00:14 +0000
+rt20421				new	each	// 2009-10-20 19:04 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From b15df8f9bc01440540f5348a4251a04864b2bb41 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 20 Oct 2009 23:47:32 +0000
Subject: [PATCH 344/385] update copyright notice

---
 lib/dns/zone.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 001c3ae070..da1cf3e6a4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.519 2009/10/20 04:13:38 each Exp $ */
+/* $Id: zone.c,v 1.520 2009/10/20 23:47:32 tbox Exp $ */
 
 /*! \file */
 
@@ -5119,13 +5119,13 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 		 * Rebuild the NSEC/NSEC3 record for the origin as we no
 		 * longer have any private records.
 		 */
-		if (build_nsec3) 
+		if (build_nsec3)
 			CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
 						  minimum, ISC_FALSE, diff));
 		CHECK(updatesecure(signing->db, version, origin, minimum,
 				   ISC_TRUE, diff));
 	}
- 
+
  failure:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);

From 8ec993c774d7c996cb266d0ff5f1282fa3940f09 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Wed, 21 Oct 2009 01:22:29 +0000
Subject: [PATCH 345/385] 2723.	[bug]		isc_base32_totext(),
 isc_base32hex_totext(), and 			isc_base64_totext(), didn't
 always mark regions of 			memory as fully consumed after
 conversion.  [RT #20445]

---
 CHANGES          | 4 ++++
 lib/isc/base32.c | 4 +++-
 lib/isc/base64.c | 4 +++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8aa8017a1f..c43a87829f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
+			isc_base64_totext(), didn't always mark regions of
+			memory as fully consumed after conversion.  [RT #20445]
+
 2722.	[bug]		Ensure that the memory associated with the name of
 			a node in a rbt tree is not altered during the life
 			of the node. [RT #20431]
diff --git a/lib/isc/base32.c b/lib/isc/base32.c
index 67398c6b8c..d25e3c4716 100644
--- a/lib/isc/base32.c
+++ b/lib/isc/base32.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base32.c,v 1.5 2009/01/18 23:48:14 tbox Exp $ */
+/* $Id: base32.c,v 1.6 2009/10/21 01:22:29 each Exp $ */
 
 /*! \file */
 
@@ -112,6 +112,8 @@ base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
 			RETERR(str_totext(wordbreak, target));
 		}
 	}
+	if (source->length > 0)
+		isc_region_consume(source, source->length);
 	return (ISC_R_SUCCESS);
 }
 
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index 13ed6b5c5c..e5f44856e0 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.32 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: base64.c,v 1.33 2009/10/21 01:22:29 each Exp $ */
 
 /*! \file */
 
@@ -85,11 +85,13 @@ isc_base64_totext(isc_region_t *source, int wordlength,
 		buf[2] = base64[((source->base[1]<<2)&0x3c)];
 		buf[3] = '=';
 		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 2);
 	} else if (source->length == 1) {
 		buf[0] = base64[(source->base[0]>>2)&0x3f];
 		buf[1] = base64[((source->base[0]<<4)&0x30)];
 		buf[2] = buf[3] = '=';
 		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 1);
 	}
 	return (ISC_R_SUCCESS);
 }

From ae5da6a185bd799d6a3b96a2235f224b7de7eb5e Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 21 Oct 2009 22:33:23 +0000
Subject: [PATCH 346/385] new draft

---
 ...-ietf-6man-text-addr-representation-01.txt | 785 ++++++++++++++++++
 1 file changed, 785 insertions(+)
 create mode 100644 doc/draft/draft-ietf-6man-text-addr-representation-01.txt

diff --git a/doc/draft/draft-ietf-6man-text-addr-representation-01.txt b/doc/draft/draft-ietf-6man-text-addr-representation-01.txt
new file mode 100644
index 0000000000..f15b069b5b
--- /dev/null
+++ b/doc/draft/draft-ietf-6man-text-addr-representation-01.txt
@@ -0,0 +1,785 @@
+
+
+
+IPv6 Maintenance Working Group                               S. Kawamura
+Internet-Draft                                         NEC BIGLOBE, Ltd.
+Intended status: Informational                              M. Kawashima
+Expires: April 21, 2010                         NEC AccessTechnica, Ltd.
+                                                        October 18, 2009
+
+
+         A Recommendation for IPv6 Address Text Representation
+              draft-ietf-6man-text-addr-representation-01
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on April 21, 2010.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   As IPv6 network grows, there will be more engineers and also non-
+   engineers who will have the need to use an IPv6 address in text.
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 1]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+   While the IPv6 address architecture RFC 4291 section 2.2 depicts a
+   flexible model for text representation of an IPv6 address, this
+   flexibility has been causing problems for operators, system
+   engineers, and users.  This document will describe the problems that
+   a flexible text representation has been causing.  This document also
+   recommends a canonical representation format that best avoids
+   confusion.  It is expected that the canonical format is followed by
+   humans and systems when representing IPv6 addresses as text, but all
+   implementations must accept and be able to handle any legitimate
+   RFC4291 format.
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
+     1.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  4
+   2.  Text Representation Flexibility of RFC4291 . . . . . . . . . .  4
+     2.1.  Leading Zeros in a 16 Bit Field  . . . . . . . . . . . . .  4
+     2.2.  Zero Compression . . . . . . . . . . . . . . . . . . . . .  5
+     2.3.  Uppercase or Lowercase . . . . . . . . . . . . . . . . . .  5
+   3.  Problems Encountered with the Flexible Model . . . . . . . . .  6
+     3.1.  Searching  . . . . . . . . . . . . . . . . . . . . . . . .  6
+       3.1.1.  General Summary  . . . . . . . . . . . . . . . . . . .  6
+       3.1.2.  Searching Spreadsheets and Text Files  . . . . . . . .  6
+       3.1.3.  Searching with Whois . . . . . . . . . . . . . . . . .  6
+       3.1.4.  Searching for an Address in a Network Diagram  . . . .  7
+     3.2.  Parsing and Modifying  . . . . . . . . . . . . . . . . . .  7
+       3.2.1.  General Summary  . . . . . . . . . . . . . . . . . . .  7
+       3.2.2.  Logging  . . . . . . . . . . . . . . . . . . . . . . .  7
+       3.2.3.  Auditing: Case 1 . . . . . . . . . . . . . . . . . . .  8
+       3.2.4.  Auditing: Case 2 . . . . . . . . . . . . . . . . . . .  8
+       3.2.5.  Verification . . . . . . . . . . . . . . . . . . . . .  8
+       3.2.6.  Unexpected Modifying . . . . . . . . . . . . . . . . .  8
+     3.3.  Operating  . . . . . . . . . . . . . . . . . . . . . . . .  8
+       3.3.1.  General Summary  . . . . . . . . . . . . . . . . . . .  8
+       3.3.2.  Customer Calls . . . . . . . . . . . . . . . . . . . .  9
+       3.3.3.  Abuse  . . . . . . . . . . . . . . . . . . . . . . . .  9
+     3.4.  Other Minor Problems . . . . . . . . . . . . . . . . . . .  9
+       3.4.1.  Changing Platforms . . . . . . . . . . . . . . . . . .  9
+       3.4.2.  Preference in Documentation  . . . . . . . . . . . . .  9
+       3.4.3.  Legibility . . . . . . . . . . . . . . . . . . . . . . 10
+   4.  A Recommendation for IPv6 Text Representation  . . . . . . . . 10
+     4.1.  Handling Leading Zeros in a 16 Bit Field . . . . . . . . . 10
+     4.2.  "::" Usage . . . . . . . . . . . . . . . . . . . . . . . . 10
+       4.2.1.  Shorten As Much As Possible  . . . . . . . . . . . . . 10
+       4.2.2.  Handling One 16 Bit 0 Field  . . . . . . . . . . . . . 10
+       4.2.3.  Choice in Placement of "::"  . . . . . . . . . . . . . 10
+     4.3.  Lower Case . . . . . . . . . . . . . . . . . . . . . . . . 11
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 2]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+   5.  Text Representation of Special Addresses . . . . . . . . . . . 11
+   6.  Notes on Combining IPv6 Addresses with Port Numbers  . . . . . 11
+   7.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 12
+   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
+   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
+   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
+   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+     11.1. Normative References . . . . . . . . . . . . . . . . . . . 13
+     11.2. Informative References . . . . . . . . . . . . . . . . . . 13
+   Appendix A.  For Developers  . . . . . . . . . . . . . . . . . . . 13
+   Appendix B.  Prefix Issues . . . . . . . . . . . . . . . . . . . . 13
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 3]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+1.  Introduction
+
+   A single IPv6 address can be text represented in many ways.  Examples
+   are shown below.
+
+      2001:db8:0:0:1:0:0:1
+
+      2001:0db8:0:0:1:0:0:1
+
+      2001:db8::1:0:0:1
+
+      2001:db8::0:1:0:0:1
+
+      2001:0db8::1:0:0:1
+
+      2001:db8:0:0:1::1
+
+      2001:db8:0000:0:1::1
+
+      2001:DB8:0:0:1::1
+
+   All the above point to the same IPv6 address.  This flexibility has
+   caused many problems for operators, systems engineers, and customers.
+   The problems will be noted in Section 3.  Also, a canonical
+   representation format to avoid problems will be introduced in
+   Section 4.
+
+1.1.  Requirements Language
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  Text Representation Flexibility of RFC4291
+
+   Examples of flexibility in Section 2.2 of [RFC4291] are described
+   below.
+
+2.1.  Leading Zeros in a 16 Bit Field
+
+      'It is not necessary to write the leading zeros in an individual
+      field.'
+
+   In other words, it is also not necessary to omit leading zeros.  This
+   means that, it is possible to select from such as the following
+   example.  The final 16 bit field is different, but all these
+   addresses mean the same.
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 4]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:0001
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:001
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:01
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:1
+
+2.2.  Zero Compression
+
+      'A special syntax is available to compress the zeros.  The use of
+      "::" indicates one or more groups of 16 bits of zeros.'
+
+   It is possible to select whether or not to omit just one 16 bits of
+   zeros.
+
+      2001:db8:aaaa:bbbb:cccc:dddd::1
+
+      2001:db8:aaaa:bbbb:cccc:dddd:0:1
+
+   In case where there are more than one zero fields, there is a choice
+   of how many fields can be shortened.  Examples follow.
+
+      2001:db8:0:0:0::1
+
+      2001:db8:0:0::1
+
+      2001:db8:0::1
+
+      2001:db8::1
+
+   In addition, [RFC4291] in section 2.2 notes,
+
+      'The "::" can only appear once in an address.'
+
+   This gives a choice on where, in a single address to compress the
+   zero.  Examples are shown below.
+
+      2001:db8::aaaa:0:0:1
+
+      2001:db8:0:0:aaaa::1
+
+2.3.  Uppercase or Lowercase
+
+   [RFC4291] does not mention about preference of uppercase or
+   lowercase.  Various flavors are shown below.
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 5]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:aaaa
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:AAAA
+
+      2001:db8:aaaa:bbbb:cccc:dddd:eeee:AaAa
+
+
+3.  Problems Encountered with the Flexible Model
+
+3.1.  Searching
+
+3.1.1.  General Summary
+
+   A search of an IPv6 address if conducted through a UNIX system is
+   usually case sensitive and extended options to allow for regular
+   expression use will come in handy.  However, there are many
+   applications in the Internet today that do not provide this
+   capability.  When searching for an IPv6 address in such systems, the
+   system engineer will have to try each and every possibility to search
+   for an address.  This has critical impacts especially when trying to
+   deploy IPv6 over an enterprise network.
+
+3.1.2.  Searching Spreadsheets and Text Files
+
+   Spreadsheet applications and text editors on GUI systems, rarely have
+   the ability to search for a text using regular expression.  Moreover,
+   there are many non-engineers (who are not aware of case sensitivity
+   and regular expression use) that use these application to manage IP
+   addresses.  This has worked quite well with IPv4 since text
+   representation in IPv4 has very little flexibility.  There is no
+   incentive to encourage these non-engineers to change their tool or
+   learn regular expression when they decide to go dual-stack.  If the
+   entry in the spreadsheet reads, 2001:db8::1:0:0:1, but the search was
+   conducted as 2001:db8:0:0:1::1, this will show a result of no match.
+   One example where this will cause problem is, when the search is
+   being conducted to assign a new address from a pool, and a check was
+   being done to see if it was not in use.  This may cause problems to
+   the end-hosts or end-users.  This type of address management is very
+   often seen in enterprise networks and also in ISPs.
+
+3.1.3.  Searching with Whois
+
+   The "whois" utility is used by a wide range of people today.  When a
+   record is set to a database, one will likely check the output to see
+   if the entry is correct.  If an entity was recorded as 2001:db8::/48,
+   but the whois output showed 2001:0db8:0000::/48, most non-engineers
+   would think that their input was wrong, and will likely retry several
+   times or make a frustrated call to the database hostmaster.  If there
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 6]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+   was a need to register the same address on different systems, and
+   each system showed a different text representation, this would
+   confuse people even more.  Although this document focuses on
+   addresses rather than prefixes, this is worth mentioning since
+   problems encountered are mostly equal.
+
+3.1.4.  Searching for an Address in a Network Diagram
+
+   Network diagrams and blue-prints contain IP addresses as allocated to
+   system devices.  In times of trouble shooting, there may be a need to
+   search through a diagram to find the point of failure (for example,
+   if a traceroute stopped at 2001:db8::1, one would search the diagram
+   for that address).  This is a technique quite often in use in
+   enterprise networks and managed services.  Again, the different
+   flavors of text representation will result in a time-consuming
+   search, leading to longer MTTR in times of trouble.
+
+3.2.  Parsing and Modifying
+
+3.2.1.  General Summary
+
+   With all the possible text representation ways, each application must
+   include a module, object, link, etc. to a function that will parse
+   IPv6 addresses in a manner that no matter how it is represented, they
+   will mean the same address.  This is not too much a problem if the
+   output is to be just 'read' or 'managed' by a network engineer.
+   However, many system engineers who integrate complex computer systems
+   to corporate customers will have difficulties finding that their
+   favorite tool will not have this function, or will encounter
+   difficulties such as having to rewrite their macro's or scripts for
+   their customers.  It must be noted that each additional line of a
+   program will result in increased development fees that will be
+   charged to the customers.
+
+3.2.2.  Logging
+
+   If an application were to output a log summary that represented the
+   address in full (such as 2001:0db8:0000:0000:1111:2222:3333:4444),
+   the output would be highly unreadable compared to the IPv4 output.
+   The address would have to be parsed and reformed to make it useful
+   for human reading.  This will result in additional code on the
+   applications which will result in extra fees charged to the
+   customers.  Sometimes, logging for critical systems is done by
+   mirroring the same traffic to two different systems.  Care must be
+   taken that no matter what the log output is, the logs should be
+   parsed so they will mean the same.
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 7]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+3.2.3.  Auditing: Case 1
+
+   When a router or any other network appliance machine configuration is
+   audited, there are many methods to compare the configuration
+   information of a node.  Sometimes, auditing will be done by just
+   comparing the changes made each day.  In this case, if configuration
+   was done such that 2001:db8::1 was changed to 2001:0db8:0000:0000:
+   0000:0000:0000:0001 just because the new engineer on the block felt
+   it was better, a simple diff will tell you that a different address
+   was configured.  If this was done on a wide scale network, people
+   will be focusing on 'why the extra zeros were put in' instead of
+   doing any real auditing.  Lots of tools are just plain 'diff's that
+   do not take into account address representation rules.
+
+3.2.4.  Auditing: Case 2
+
+   Node configurations will be matched against an information system
+   that manages IP addresses.  If output notation is different, there
+   will need to be a script that is implemented to cover for this.  An
+   SNMP GET of an interface address and text representation in a humanly
+   written text file is highly unlikely to match on first try.
+
+3.2.5.  Verification
+
+   Some protocols require certain data fields to be verified.  One
+   example of this is X.509 certificates.  If an IPv6 address was
+   embedded in one of the fields in a certificate, and the verification
+   was done by just a simple textual comparison, the certificate may be
+   maistakenly shown as being invalid due to a difference in text
+   representation methods.
+
+3.2.6.  Unexpected Modifying
+
+   Sometimes, a system will take an address and modify it as a
+   convenience.  For example, a system may take an input of
+   2001:0db8:0::1 and make the output 2001:db8::1 (which is seen in some
+   RIR databases).  If the zeros were input for a reason, the outcome
+   may be somewhat unexpected.
+
+3.3.  Operating
+
+3.3.1.  General Summary
+
+   When an operator sets an IPv6 address of a system as 2001:db8:0:0:1:
+   0:0:1, the system may take the address and show the configuration
+   result as 2001:DB8::1:0:0:1.  A distinguished engineer will know that
+   the right address is set, but an operator, or a customer that is
+   communicating with the operator to solve a problem, is usually not as
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 8]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+   distinguished as we would like.  Again, the extra load in checking
+   that the IP address is the same as was intended, will result in fees
+   that will be charged to the customers.
+
+3.3.2.  Customer Calls
+
+   When a customer calls to inquire about a suspected outage, IPv6
+   address representation should be handled with care.  Not all
+   customers are engineers nor have the same skill in IPv6 technology.
+   The NOC will have to take extra steps to humanly parse the address to
+   avoid having to explain to the customers that 2001:db8:0:1::1 is the
+   same as 2001:db8::1:0:0:0:1.  This is one thing that will never
+   happen in IPv4 because IPv4 address cannot be abbreviated.
+
+3.3.3.  Abuse
+
+   Network abuse is reported along with the abusing IP address.  This
+   'reporting' could take any shape or form of the flexible model.  A
+   team that handles network abuse must be able to tell the difference
+   between a 2001:db8::1:0:1 and 2001:db8:1::0:1.  Mistakes in the
+   placement of the "::" will result in a critical situation.  A system
+   that handles these incidents should be able to handle any type of
+   input and parse it in a correct manner.  Also, incidents are reported
+   over the phone.  It is unnecessary to report if the letter is an
+   uppercase or lowercase.  However, when a letter is spelled uppercase,
+   people tend to clarify that it is uppercase, which is unnecessary
+   information.
+
+3.4.  Other Minor Problems
+
+3.4.1.  Changing Platforms
+
+   When an engineer decides to change the platform of a running service,
+   the same code may not work as expected due to the difference in IPv6
+   address text representation.  Usually, a change in a platform (e.g.
+   Unix to Windows, Cisco to Juniper) will result in a major change of
+   code, but flexibility in address representation will increase the
+   work load which will again, result in fees that will be charged to
+   the customers, and also longer down time of systems.
+
+3.4.2.  Preference in Documentation
+
+   A document that is edited by more than one author, may become harder
+   to read.
+
+
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                 [Page 9]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+3.4.3.  Legibility
+
+   Capital case D and 0 can be quite often misread.  Capital B and 8 can
+   also be misread.
+
+
+4.  A Recommendation for IPv6 Text Representation
+
+   A recommendation for a canonical text representation format of IPv6
+   addresses is presented in this section.  The recommendation in this
+   document is one that, complies fully with [RFC4291], is implemented
+   by various operating systems, and is human friendly.  The
+   recommendation in this document SHOULD be followed by humans and
+   systems when generating an address to represent as text, but all
+   implementations MUST accept any legitimate [RFC4291] format.
+
+4.1.  Handling Leading Zeros in a 16 Bit Field
+
+   Leading zeros should be chopped for human legibility and easier
+   searching.  Also, a single 16 bit 0000 field should be represented as
+   just 0.  Place holder zeros are often cause of misreading.
+
+4.2.  "::" Usage
+
+4.2.1.  Shorten As Much As Possible
+
+   The use of "::" should be used to its maximum capability (i.e. 2001:
+   db8::0:1 is not considered as clean representation).
+
+4.2.2.  Handling One 16 Bit 0 Field
+
+   "::" should not be used to shorten just one 16 bit 0 field for it
+   would tend to mislead that there are more than one 16 bit field that
+   is shortened.
+
+4.2.3.  Choice in Placement of "::"
+
+   When there is an alternative choice in the placement of a "::", the
+   longest run of consecutive 16 bit 0 fields should be shortened (i.e.
+   latter is shortened in 2001:0:0:1:0:0:0:1).  When the length of the
+   consecutive 16 bit 0 fields are equal (i.e. 2001:db8:0:0:1:0:0:1),
+   the former is shortened.  This is consistent with many current
+   implementations.  One idea to avoid any confusion, is for the
+   operator to not use 16 bit field 0 in the first 64 bits.  By nature
+   IPv6 addresses are usually assigned or allocated to end-users as
+   longer than 32 bits (typically 48 bits or longer).
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                [Page 10]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+4.3.  Lower Case
+
+   Recent implementations tend to represent IPv6 address as lower case.
+   It is better to use lower case to avoid problems such as described in
+   section 3.3.3 and 3.4.3.
+
+
+5.  Text Representation of Special Addresses
+
+   Addresses such as IPv4-Mapped IPv6 addresses, ISATAP [RFC5214], and
+   IPv4-translated addresses [RFC2765] have IPv4 addresses embedded in
+   the low-order 32 bits of the address.  These addresses have special
+   representation that may mix hexadecimal and decimal notations.  In
+   cases where there is a choice of whether to express the address as
+   fully hexadecimal or hexadecimal and decimal mixed, and if the
+   address type can be distinguished as having IPv4 addresses embedded
+   in the lower 32 bits solely from the 128bits of the address field
+   itself, mixed notation is the better choice.  However, there may be
+   situations where hexadecimal representation is chosen to meet certain
+   needs.  Addressing those needs is out of the scope of this document.
+   The text representation method noted in Section 4 should be applied
+   for the leading hexadecimal part (i.e. ::ffff:192.0.2.1 instead of
+   0:0:0:0:0:ffff:192.0.2.1).
+
+
+6.  Notes on Combining IPv6 Addresses with Port Numbers
+
+   When IPv6 addresses and port numbers are represented in text combined
+   together, there seems to be many different ways to do so.  Examples
+   are shown below.
+
+   o  [2001:db8::1]:80
+
+   o  2001:db8::1:80
+
+   o  2001:db8::1.80
+
+   o  2001:db8::1 port 80
+
+   o  2001:db8::1p80
+
+   o  2001:db8::1#80
+
+   The situation is not much different in IPv4, but the most ambiguous
+   case with IPv6 is the second bullet.  This is due to the "::"usage in
+   IPv6 addresses.  This style is not recommended for its ambiguity.
+   The [] style as expressed in [RFC3986] is recommended.  Other styles
+   are acceptable when cross-platform portability does not become an
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                [Page 11]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+   issue.
+
+
+7.  Conclusion
+
+   The recommended format of text representing an IPv6 address is
+   summarized as follows.
+
+      (1) omit leading zeros in a 16 bit field
+
+      (2) when using "::", shorten consecutive zero fields to their
+      maximum extent (leave no zero fields behind).
+
+      (3) "::" used where shortens address the most
+
+      (4) "::" used in the former part in case of a tie breaker
+
+      (5) do not shorten one 16 bit 0 field, but always shorten when
+      there are two or more consecutive 16 bit 0 fields
+
+      (6) use lower case
+
+   Hints for developers are written in the Appendix section.
+
+
+8.  Security Considerations
+
+   None.
+
+
+9.  IANA Considerations
+
+   None.
+
+
+10.  Acknowledgements
+
+   The authors would like to thank Jan Zorz, Randy Bush, Yuichi Minami,
+   Toshimitsu Matsuura for their generous and helpful comments in kick
+   starting this document.  We also would like to thank Brian Carpenter,
+   Akira Kato, Juergen Schoenwaelder, Antonio Querubin, Dave Thaler,
+   Brian Haley, Suresh Krishnan, Jerry Huang, Roman Donchenko, Heikki
+   Vatiainen for their input.  Also a very special thanks to Ron Bonica,
+   Fred Baker, Brian Haberman, Robert Hinden, Jari Arkko, and Kurt
+   Lindqvist for their support in bringing this document to the light of
+   IETF working groups.
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                [Page 12]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+11.  References
+
+11.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
+              Architecture", RFC 4291, February 2006.
+
+11.2.  Informative References
+
+   [RFC2765]  Nordmark, E., "Stateless IP/ICMP Translation Algorithm
+              (SIIT)", RFC 2765, February 2000.
+
+   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+              Resource Identifier (URI): Generic Syntax", STD 66,
+              RFC 3986, January 2005.
+
+   [RFC4038]  Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E.
+              Castro, "Application Aspects of IPv6 Transition",
+              RFC 4038, March 2005.
+
+   [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
+              Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
+              March 2008.
+
+
+Appendix A.  For Developers
+
+   We recommend that developers use display routines that conform to
+   these rules.  For example, the usage of getnameinfo() with flags
+   argument NI_NUMERICHOST in FreeBSD 7.0 will give a conforming output,
+   except for the special addresses notes in Section 5.  The function
+   inet_ntop() of FreeBSD7.0 is a good C code reference, but should not
+   be called directly.  See [RFC4038] for details.
+
+
+Appendix B.  Prefix Issues
+
+   Problems with prefixes are just the same as problems encountered with
+   addresses.  Text representation method of IPv6 prefixes should be no
+   different from that of IPv6 addresses.
+
+
+
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                [Page 13]
+
+Internet-Draft          IPv6 Text Representation            October 2009
+
+
+Authors' Addresses
+
+   Seiichi Kawamura
+   NEC BIGLOBE, Ltd.
+   14-22, Shibaura 4-chome
+   Minatoku, Tokyo  108-8558
+   JAPAN
+
+   Phone: +81 3 3798 6085
+   Email: kawamucho@mesh.ad.jp
+
+
+   Masanobu Kawashima
+   NEC AccessTechnica, Ltd.
+   800, Shimomata
+   Kakegawa-shi, Shizuoka  436-8501
+   JAPAN
+
+   Phone: +81 537 23 9655
+   Email: kawashimam@necat.nec.co.jp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kawamura & Kawashima     Expires April 21, 2010                [Page 14]
+
+

From 55aec75784a22e9d06d52b2b8a7d5aa42d31dc00 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 21 Oct 2009 23:30:41 +0000
Subject: [PATCH 347/385] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 1b37ef12f3..34adafbfaa 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2130,7 +2130,7 @@
 ./lib/isc/backtrace-emptytbl.c			C	2009
 ./lib/isc/backtrace.c				C	2009
 ./lib/isc/base32.c				C	2008,2009
-./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004,2005,2007
+./lib/isc/base64.c				C	1998,1999,2000,2001,2003,2004,2005,2007,2009
 ./lib/isc/bitstring.c				C	1999,2000,2001,2004,2005,2007
 ./lib/isc/buffer.c				C	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008
 ./lib/isc/bufferlist.c				C	1999,2000,2001,2004,2005,2007

From 3cae549ddb56c52c1f585dabd54da5b9d7edeeb9 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Wed, 21 Oct 2009 23:48:05 +0000
Subject: [PATCH 348/385] update copyright notice

---
 lib/isc/base64.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index e5f44856e0..bad1565bea 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.33 2009/10/21 01:22:29 each Exp $ */
+/* $Id: base64.c,v 1.34 2009/10/21 23:48:05 tbox Exp $ */
 
 /*! \file */
 
@@ -219,7 +219,7 @@ isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
 			continue;
 		RETERR(base64_decode_char(&ctx, c));
 	}
-	RETERR(base64_decode_finish(&ctx));	
+	RETERR(base64_decode_finish(&ctx));
 	return (ISC_R_SUCCESS);
 }
 

From d2a8d00228973e59eb3efcc377126d856bf7df18 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Thu, 22 Oct 2009 01:55:55 +0000
Subject: [PATCH 349/385] 2724.   [bug]           Updates to a existing node in
 secure zone using NSEC                         were failing. [RT #20448]

---
 CHANGES            |  3 +++
 bin/named/update.c | 19 +++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index c43a87829f..c62f92496c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2724.	[bug]		Updates to a existing node in secure zone using NSEC
+			were failing. [RT #20448]
+
 2723.	[bug]		isc_base32_totext(), isc_base32hex_totext(), and
 			isc_base64_totext(), didn't always mark regions of
 			memory as fully consumed after conversion.  [RT #20445]
diff --git a/bin/named/update.c b/bin/named/update.c
index 132481fb4f..45f698b1a4 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.163 2009/10/10 23:47:58 tbox Exp $ */
+/* $Id: update.c,v 1.164 2009/10/22 01:55:55 marka Exp $ */
 
 #include 
 
@@ -2333,15 +2333,18 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					dns_rdatatype_any, 0, NULL, diff));
 		} else {
 			/*
-			 * This name is not obscured.  It should have a NSEC
-			 * unless it is the at the origin, in which case it
-			 * should already exist.
+			 * This name is not obscured.  It needs to have a
+			 * NSEC unless it is the at the origin, in which
+			 * case it should already exist if there is a complete
+			 * NSEC chain and if there isn't a complete NSEC chain
+			 * we don't want to add one as that would signal that
+			 * there is a complete NSEC chain. 
 			 */
 			if (!dns_name_equal(name, dns_db_origin(db))) {
-				CHECK(dns_private_chains(db, newver,
-							 privatetype, &flag,
-							 NULL));
-				if (flag)
+				CHECK(rrset_exists(db, newver, name,
+						   dns_rdatatype_nsec, 0,
+						   &flag));
+				if (!flag)
 					CHECK(add_placeholder_nsec(db, newver,
 								   name, diff));
 			}

From 8d307467b70800564491f37097f4b877c155ab3e Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 22 Oct 2009 02:04:07 +0000
Subject: [PATCH 350/385] Doc the "managed-keys.bind" and
 "managed-keys.bind.jnl" file. [rt20235]

---
 CHANGES                 |  3 +++
 doc/arm/Bv9ARM-book.xml | 17 ++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index c62f92496c..8ad105054b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2725.	[doc]		Added information about the file "managed-keys.bind"
+			to the ARM. [RT #20235]
+
 2724.	[bug]		Updates to a existing node in secure zone using NSEC
 			were failing. [RT #20448]
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c92446a270..c1764ab2f5 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -9232,6 +9232,21 @@ deny-answer-aliases { "example.net"; };
             managed-keys may only be set at the top
             level of named.conf, not within a view.
 	  
+          
+            In the current implementation, the managed keys database is
+            stored as a master-format zone file called
+            managed-keys.bind.  When the key database
+            is changed, the zone is updated.  As with any other dynamic
+            zone, changes will be written into a journal file,
+            managed-keys.bind.jnl.  They are committed
+            to the master file as soon as possible afterward; in the case
+            of the managed key database, this will usually occur within 30
+            seconds.  So, whenever named is using
+            automatic key maintenace, those two files can be expected to
+            exist in the working directory.  (For this reason among others,
+            the working directory should be always be writable by
+            named.)
+	  
 	  
 	    If the dnssec-lookaside option is
 	    set to auto, named

From cc6cddfd94e8f0c58c290317b0853dac30b1b895 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 22 Oct 2009 02:21:31 +0000
Subject: [PATCH 351/385] 2726.	[func]		Added support for SHA-2 DNSSEC
 algorithms, 			RSASHA256 and RSASHA512. [RT #20023]

---
 CHANGES                                       |   3 +
 bin/dnssec/dnssec-keyfromlabel.c              |   5 +-
 bin/dnssec/dnssec-keyfromlabel.docbook        |  14 +-
 bin/dnssec/dnssec-keygen.c                    |  24 +-
 bin/dnssec/dnssec-keygen.docbook              |  18 +-
 ...draft-ietf-dnsext-dnssec-rsasha256-14.txt} | 146 +++----
 lib/dns/dst_api.c                             |  11 +-
 lib/dns/dst_internal.h                        |   5 +-
 lib/dns/dst_parse.c                           |   8 +-
 lib/dns/include/dns/keyvalues.h               |   4 +-
 lib/dns/include/dst/dst.h                     |   4 +-
 lib/dns/opensslrsa_link.c                     | 398 +++++++++++++++---
 lib/dns/rcode.c                               |   4 +-
 lib/isc/include/isc/sha2.h                    |   6 +-
 lib/isc/sha2.c                                |  42 +-
 15 files changed, 520 insertions(+), 172 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-dnssec-rsasha256-13.txt => draft-ietf-dnsext-dnssec-rsasha256-14.txt} (80%)

diff --git a/CHANGES b/CHANGES
index 8ad105054b..b2cc363be4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
+			RSASHA256 and RSASHA512. [RT #20023]
+
 2725.	[doc]		Added information about the file "managed-keys.bind"
 			to the ARM. [RT #20235]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index c92763cbed..d51efbd449 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.22 2009/10/14 22:07:13 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
 
 /*! \file */
 
@@ -53,7 +53,8 @@ int verbose;
 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
 
 static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
-			  " NSEC3DSA | NSEC3RSASHA1";
+			  " NSEC3DSA | NSEC3RSASHA1 |"
+			  " RSASHA256 | RSASHA512";
 
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 7770d0fdd1..e966362868 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     February 8, 2008
@@ -90,14 +90,16 @@
         
 	  
 	    Selects the cryptographic algorithm.  The value of
-	     must be one of RSAMD5 (RSA),
-	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+             must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
 	    These values are case insensitive.
 	  
           
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the  option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+             is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
           
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -394,9 +396,7 @@
         dnssec-signzone8
       ,
       BIND 9 Administrator Reference Manual,
-      RFC 2539,
-      RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
   
 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index d4dabbc9ef..1d19297467 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.101 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
 
 /*! \file */
 
@@ -83,8 +83,9 @@ usage(void) {
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K : write keys into directory\n");
 	fprintf(stderr, "    -a :\n");
-	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | "
-				"NSEC3RSASHA1 | NSEC3DSA |\n");
+	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+				" | NSEC3DSA |\n");
+	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
 				"HMAC-SHA256 | \n");
 	fprintf(stderr, "        HMAC-SHA384 | HMAC-SHA512\n");
@@ -95,6 +96,8 @@ usage(void) {
 	fprintf(stderr, "	 RSAMD5:\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "	 RSASHA1:\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "	 NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "	 RSASHA256:\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "	 RSASHA512:\t[1024..%d]\n", MAX_RSA);
 	fprintf(stderr, "	 DH:\t\t[128..4096]\n");
 	fprintf(stderr, "	 DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "	 NSEC3DSA:\t[512..1024] and divisible "
@@ -469,7 +472,8 @@ main(int argc, char **argv) {
 	}
 
 	if (use_nsec3 &&
-	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) {
+	    alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+	    alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512) {
 		fatal("%s is incompatible with NSEC3; "
 		      "do not use the -3 option", algname);
 	}
@@ -505,9 +509,14 @@ main(int argc, char **argv) {
 	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
 	case DNS_KEYALG_NSEC3RSASHA1:
+	case DNS_KEYALG_RSASHA256:
 		if (size != 0 && (size < 512 || size > MAX_RSA))
 			fatal("RSA key size %d out of range", size);
 		break;
+	case DNS_KEYALG_RSASHA512:
+		if (size != 0 && (size < 1024 || size > MAX_RSA))
+			fatal("RSA key size %d out of range", size);
+		break;
 	case DNS_KEYALG_DH:
 		if (size != 0 && (size < 128 || size > 4096))
 			fatal("DH key size %d out of range", size);
@@ -574,7 +583,8 @@ main(int argc, char **argv) {
 	}
 
 	if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
-	      alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
+	      alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
+	      alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
 		fatal("specified RSA exponent for a non-RSA key");
 
 	if (alg != DNS_KEYALG_DH && generator != 0)
@@ -643,12 +653,16 @@ main(int argc, char **argv) {
 	switch(alg) {
 	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
+	case DNS_KEYALG_NSEC3RSASHA1:
+	case DNS_KEYALG_RSASHA256:
+	case DNS_KEYALG_RSASHA512:
 		param = rsa_exp;
 		break;
 	case DNS_KEYALG_DH:
 		param = generator;
 		break;
 	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
 	case DST_ALG_HMACMD5:
 	case DST_ALG_HMACSHA1:
 	case DST_ALG_HMACSHA224:
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 2ea7fd4a31..5afc009fd2 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -110,7 +110,8 @@
           
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of  must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, or NSEC3DSA.  For TSIG/TKEY, the value must
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
             case insensitive.
@@ -118,7 +119,9 @@
           
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the  option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+             is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
           
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -137,10 +140,10 @@
         
           
             Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            size depends on the algorithm used.  RSA keys must be
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            bits and an exact multiple of 64.  HMAC keys must be
             between 1 and 512 bits.
           
           
@@ -177,7 +180,8 @@
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
-            default.
+            default. Note that RSASHA256 and RSASHA512 algorithms
+	    are NSEC3-capable.
           
         
       
@@ -526,7 +530,7 @@
       BIND 9 Administrator Reference Manual,
       RFC 2539,
       RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
   
 
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-14.txt
similarity index 80%
rename from doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt
rename to doc/draft/draft-ietf-dnsext-dnssec-rsasha256-14.txt
index bab65653eb..57bc52bc40 100644
--- a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt
+++ b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-14.txt
@@ -3,13 +3,13 @@
 
 DNS Extensions working group                                   J. Jansen
 Internet-Draft                                                NLnet Labs
-Intended status: Standards Track                          April 24, 2009
-Expires: October 26, 2009
+Intended status: Standards Track                           June 04, 2009
+Expires: December 6, 2009
 
 
  Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
                                for DNSSEC
-                 draft-ietf-dnsext-dnssec-rsasha256-13
+                 draft-ietf-dnsext-dnssec-rsasha256-14
 
 Status of this Memo
 
@@ -32,7 +32,7 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on October 26, 2009.
+   This Internet-Draft will expire on December 6, 2009.
 
 Copyright Notice
 
@@ -52,9 +52,9 @@ Abstract
 
 
 
-Jansen                  Expires October 26, 2009                [Page 1]
+Jansen                  Expires December 6, 2009                [Page 1]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
    Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
@@ -77,7 +77,7 @@ Table of Contents
      5.2.  Support for NSEC3 Denial of Existence  . . . . . . . . . .  5
    6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
      6.1.  RSA/SHA-256 Key and Signature  . . . . . . . . . . . . . .  6
-     6.2.  RSA/SHA-512 Key and Signature  . . . . . . . . . . . . . .  6
+     6.2.  RSA/SHA-512 Key and Signature  . . . . . . . . . . . . . .  7
    7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
    8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
      8.1.  SHA-1 versus SHA-2 Considerations for RRSIG Resource
@@ -108,9 +108,9 @@ Table of Contents
 
 
 
-Jansen                  Expires October 26, 2009                [Page 2]
+Jansen                  Expires December 6, 2009                [Page 2]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
 1.  Introduction
@@ -164,9 +164,9 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
 
 
-Jansen                  Expires October 26, 2009                [Page 3]
+Jansen                  Expires December 6, 2009                [Page 3]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
 2.2.  RSA/SHA-512 DNSKEY Resource Records
@@ -220,9 +220,9 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
 
 
-Jansen                  Expires October 26, 2009                [Page 4]
+Jansen                  Expires December 6, 2009                [Page 4]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
 3.2.  RSA/SHA-512 RRSIG Resource Records
@@ -276,14 +276,15 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
 
 
-Jansen                  Expires October 26, 2009                [Page 5]
+Jansen                  Expires December 6, 2009                [Page 5]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
-   both NSEC and NSEC3 [RFC5155] negative answers.  An authoritative
-   server that does not implement NSEC3 MAY still serve zones that use
-   RSA/SHA-2 with NSEC denial of existence.
+   negative answers in the form of both NSEC and NSEC3 with hash
+   algorithm 1, as defined in [RFC5155].  An authoritative server that
+   does not implement NSEC3 MAY still serve zones that use RSA/SHA-2
+   with NSEC denial of existence.
 
 
 6.  Examples
@@ -313,84 +314,83 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
    With this key, sign the following RRSet, consisting of 1 A record:
 
-   www.example.net. 3600  IN  A  123.123.123.123
+   www.example.net. 3600  IN  A  192.0.2.91
 
    If the inception date is set at 00:00 hours on January 1st, 2000, and
    the expiration date at 00:00 hours on January 1st, 2030, the
    following signature should be created:
 
    www.example.net. 3600  IN  RRSIG  (A 8 3 3600 20300101000000
-                    20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU
-                    5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB
-                    ND/TQhjCvrb3T9ffQ== );{id = 9033}
+                    20000101000000 9033 example.net. kRCOH6u7l0QGy9qpC9
+                    l1sLncJcOKFLJ7GhiUOibu4teYp5VE9RncriShZNz85mwlMgNEa
+                    cFYK/lPtPiVYP4bwg== ;{id = 9033}
+
+
+
+
+
+
+
+
+Jansen                  Expires December 6, 2009                [Page 6]
+
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
+
 
 6.2.  RSA/SHA-512 Key and Signature
 
    Given a private key with the following values (in Base64):
 
-
-
-
-
-Jansen                  Expires October 26, 2009                [Page 6]
-
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
-
-
    Private-key-format: v1.2
-   Algorithm:       9 (RSASHA512)
-   Modulus:         8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH
-                    XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf
-                    haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH
-                    IbdeNZnIkWSv4muchs=
+   Algorithm:       10 (RSASHA512)
+   Modulus:         0eg1M5b563zoq4k5ZEOnWmd2/BvpjzedJVdfIsDcMuuhE5SQ3pf
+                    Q7qmdaeMlC6Nf8DKGoUPGPXe06cP27/WRODtxXquSUytkO0kJDk
+                    8KX8PtA0+yBWwy7UnZDyCkynO00Uuk8HPVtZeMO1pHtlAGVnc8V
+                    jXZlNKdyit99waaE4s=
    PublicExponent:  AQAB
-   PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3
-                    zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j
-                    PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb
-                    8q2AajPrTlRzv6uW8E=
-   Prime1:          +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk
-                    Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw==
-   Prime2:          98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7
-                    j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q==
-   Exponent1:       j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29
-                    Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ==
-   Exponent2:       4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA
-                    BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q==
-   Coefficient:     BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx
-                    avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q==
+   PrivateExponent: rFS1IPbJllFFgFc33B5DDlC1egO8e81P4fFadODbp56V7sphKa6
+                    AZQCx8NYAew6VXFFPAKTw41QdHnK5kIYOwxvfFDjDcUGza88qbj
+                    yrDPSJenkeZbISMUSSqy7AMFzEolkk6WSn6k3thUVRgSlqDoOV3
+                    SEIAsrB043XzGrKIVE=
+   Prime1:          8mbtsu9Tl9v7tKSHdCIeprLIQXQLzxlSZun5T1n/OjvXSUtvD7x
+                    nZJ+LHqaBj1dIgMbCq2U8O04QVcK3TS9GiQ==
+   Prime2:          3a6gkfs74d0Jb7yL4j4adAif4fcp7ZrGt7G5NRVDDY/Mv4TERAK
+                    Ma0TKN3okKE0A7X+Rv2K84mhT4QLDlllEcw==
+   Exponent1:       v3D5A9uuCn5rgVR7wgV8ba0/KSpsdSiLgsoA42GxiB1gvvs7gJM
+                    MmVTDu/ZG1p1ZnpLbhh/S/Qd/MSwyNlxC+Q==
+   Exponent2:       m+ezf9dsDvYQK+gzjOLWYeKq5xWYBEYFGa3BLocMiF4oxkzOZ3J
+                    PZSWU/h1Fjp5RV7aPP0Vmx+hNjYMPIQ8Y5w==
+   Coefficient:     Je5YhYpUron/WdOXjxNAxDubAp3i5X7UOUfhJcyIggqwY86IE0Q
+                    /Bk0Dw4SC9zxnsimmdBXW2Izd8Lwuk8FQcQ==
 
    The DNSKEY record for this key would be:
 
-   example.net.    3600  IN  DNSKEY  (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z
-                   cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0
-                   hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK
-                   FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb
-                   );{id = 28237 (zsk), size = 1024b}
+   example.net.    3600  IN  DNSKEY  (256 3 10 AwEAAdHoNTOW+et86KuJOWRD
+                   p1pndvwb6Y83nSVXXyLA3DLroROUkN6X0O6pnWnjJQujX/AyhqFD
+                   xj13tOnD9u/1kTg7cV6rklMrZDtJCQ5PCl/D7QNPsgVsMu1J2Q8g
+                   pMpztNFLpPBz1bWXjDtaR7ZQBlZ3PFY12ZTSncorffcGmhOL
+                   );{id = 3740 (zsk), size = 1024b}
 
    With this key, sign the following RRSet, consisting of 1 A record:
 
-   www.example.net. 3600  IN  A  123.123.123.123
+   www.example.net. 3600  IN  A  192.0.2.91
 
    If the inception date is set at 00:00 hours on January 1st, 2000, and
    the expiration date at 00:00 hours on January 1st, 2030, the
    following signature should be created:
 
-   www.example.net. 3600  IN  RRSIG  (A 9 3 3600 20300101000000
-                    20000101000000 28237 example.net. mCanSdkQztEUOmslG
-                    z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK
-                    dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq
-                    4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu
-                    M= );{id = 28237}
+   www.example.net. 3600  IN  RRSIG  (A 10 3 3600 20300101000000
+                    20000101000000 3740 example.net. tsb4wnjRUDnB1BUi+t
+                    6TMTXThjVnG+eCkWqjvvjhzQL1d0YRoOe0CbxrVDYd0xDtsuJRa
+                    eUw1ep94PzEWzr0iGYgZBWm/zpq+9fOuagYJRfDqfReKBzMweOL
+                    DiNa8iP5g9vMhpuv6OPlvpXwm9Sa9ZXIbNl1MBGk0fthPgxdDLw
+                    =);{id = 3740}
 
 
 
-
-
-
-
-Jansen                  Expires October 26, 2009                [Page 7]
+Jansen                  Expires December 6, 2009                [Page 7]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
 7.  IANA Considerations
@@ -444,9 +444,9 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
 
 
-Jansen                  Expires October 26, 2009                [Page 8]
+Jansen                  Expires December 6, 2009                [Page 8]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
 9.  Acknowledgments
@@ -500,9 +500,9 @@ Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
 
 
 
-Jansen                  Expires October 26, 2009                [Page 9]
+Jansen                  Expires December 6, 2009                [Page 9]
 
-Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+Internet-Draft              DNSSEC RSA/SHA-2                   June 2009
 
 
               Version 2.1", RFC 3447, February 2003.
@@ -556,5 +556,5 @@ Author's Address
 
 
 
-Jansen                  Expires October 26, 2009               [Page 10]
+Jansen                  Expires December 6, 2009               [Page 10]
 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 08e8ee3c7a..72f4fe670d 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.42 2009/10/20 04:39:48 marka Exp $
+ * $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
  */
 
 /*! \file */
@@ -204,6 +204,8 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
 #ifdef HAVE_OPENSSL_DSA
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
@@ -1045,6 +1047,8 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	case DST_ALG_RSAMD5:
 	case DST_ALG_RSASHA1:
 	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
 		*n = (key->key_size + 7) / 8;
 		break;
 	case DST_ALG_DSA:
@@ -1300,6 +1304,8 @@ issymmetric(const dst_key_t *key) {
 	case DST_ALG_RSAMD5:
 	case DST_ALG_RSASHA1:
 	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
 	case DST_ALG_DSA:
 	case DST_ALG_NSEC3DSA:
 	case DST_ALG_DH:
@@ -1545,7 +1551,8 @@ algorithm_status(unsigned int alg) {
 	if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
 	    alg == DST_ALG_DSA || alg == DST_ALG_DH ||
 	    alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
-	    alg == DST_ALG_NSEC3RSASHA1)
+	    alg == DST_ALG_NSEC3RSASHA1 ||
+	    alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
 		return (DST_R_NOCRYPTO);
 #endif
 	return (DST_R_UNSUPPORTEDALG);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index c363d33b27..c0c09a8aa2 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */
+/* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -42,6 +42,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -136,6 +137,8 @@ struct dst_context {
 		dst_gssapi_signverifyctx_t *gssctx;
 		isc_md5_t *md5ctx;
 		isc_sha1_t *sha1ctx;
+		isc_sha256_t *sha256ctx;
+		isc_sha512_t *sha512ctx;
 		isc_hmacmd5_t *hmacmd5ctx;
 		isc_hmacsha1_t *hmacsha1ctx;
 		isc_hmacsha224_t *hmacsha224ctx;
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 66d0f17c43..c5dc612f41 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
+ * $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
  */
 
 #include 
@@ -579,6 +579,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	case DST_ALG_NSEC3DSA:
 		fprintf(fp, "(NSEC3DSA)\n");
 		break;
+	case DST_ALG_RSASHA256:
+		fprintf(fp, "(RSASHA256)\n");
+		break;
+	case DST_ALG_RSASHA512:
+		fprintf(fp, "(RSASHA512)\n");
+		break;
 	case DST_ALG_HMACMD5:
 		fprintf(fp, "(HMAC_MD5)\n");
 		break;
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 38d78fabc9..cc36d286e4 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.26 2009/06/30 02:52:32 each Exp $ */
+/* $Id: keyvalues.h,v 1.27 2009/10/22 02:21:31 each Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
@@ -68,6 +68,8 @@
 #define DNS_KEYALG_ECC		4
 #define DNS_KEYALG_RSASHA1	5
 #define DNS_KEYALG_NSEC3RSASHA1	7
+#define DNS_KEYALG_RSASHA256	8
+#define DNS_KEYALG_RSASHA512	10
 #define DNS_KEYALG_INDIRECT	252
 #define DNS_KEYALG_PRIVATEDNS	253
 #define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index b9697d2b95..fffd4b40d2 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.22 2009/10/12 20:48:12 each Exp $ */
+/* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -56,6 +56,8 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_RSASHA1		5
 #define DST_ALG_NSEC3DSA	6
 #define DST_ALG_NSEC3RSASHA1	7
+#define DST_ALG_RSASHA256	8
+#define DST_ALG_RSASHA512	10
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
 #define DST_ALG_HMACSHA1	161	/* XXXMPA */
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 5e22ea5ce6..eb1e26087c 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.30 2009/10/20 02:59:19 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -29,6 +29,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -105,27 +106,122 @@
 
 static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
+#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
+/*
+ * OpenSSL 0.9.7 doesn't support SHA2.
+ * Provide the method functions we need.
+ */
+
+/*
+ * Use our namespace, not OpenSSL's.
+ */
+#define EVP_sha256 ISC_EVP_sha256
+#define EVP_sha512 ISC_EVP_sha512
+
+/*
+ * OpensSSL 0.9.8 defines these.
+ */
+#if 0
+#define NID_sha256WithRSAEncryption	668
+#define NID_sha256			672
+#define NID_sha512WithRSAEncryption	670
+#define NID_sha512			674
+#else
+#define NID_sha256WithRSAEncryption	0
+#define NID_sha256			0
+#define NID_sha512WithRSAEncryption	0
+#define NID_sha512			0
+#endif
+
+static int init256(EVP_MD_CTX *ctx)
+        { isc_sha256_init(ctx->md_data); return 1; }
+static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
+        { isc_sha256_update(ctx->md_data,data,count); return 1; }
+static int final256(EVP_MD_CTX *ctx,unsigned char *md)
+        { isc_sha256_final(md,ctx->md_data); return 1; }
+
+static const EVP_MD sha256_md=
+        {
+        NID_sha256,
+        NID_sha256WithRSAEncryption,
+        ISC_SHA256_DIGESTLENGTH,
+        0,
+        init256,
+        update256,
+        final256,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        ISC_SHA256_BLOCK_LENGTH,
+        sizeof(EVP_MD *)+sizeof(isc_sha256_t),
+        };
+
+static const EVP_MD *EVP_sha256(void)
+        { return(&sha256_md); }
+
+static int init512(EVP_MD_CTX *ctx)
+        { isc_sha512_init(ctx->md_data); return 1; }
+static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { isc_sha512_update(ctx->md_data,data,count); return 1; }
+static int final512(EVP_MD_CTX *ctx,unsigned char *md)
+        { isc_sha512_final(md,ctx->md_data); return 1; }
+
+static const EVP_MD sha512_md=
+        {
+        NID_sha512,
+        NID_sha512WithRSAEncryption,
+        ISC_SHA512_DIGESTLENGTH,
+        0,
+        init512,
+        update512,
+        final512,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        ISC_SHA512_BLOCK_LENGTH,
+        sizeof(EVP_MD *)+sizeof(isc_sha512_t),
+        };
+
+static const EVP_MD *EVP_sha512(void)
+        { return(&sha512_md); }
+#endif
+
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 #if USE_EVP
 	EVP_MD_CTX *evp_md_ctx;
-	const EVP_MD *type;
+	const EVP_MD *type = NULL;
 #endif
 
 	UNUSED(key);
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
 		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
 
 #if USE_EVP
 	evp_md_ctx = EVP_MD_CTX_create();
 	if (evp_md_ctx == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (dctx->key->key_alg == DST_ALG_RSAMD5)
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
 		type = EVP_md5();	/* MD5 + RSA */
-	else
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
 		type = EVP_sha1();	/* SHA1 + RSA */
+		break;
+	case DST_ALG_RSASHA256:
+		type = EVP_sha256();	/* SHA256 + RSA */
+		break;
+	case DST_ALG_RSASHA512:
+		type = EVP_sha512();
+		break;
+	default:
+		INSIST(0);
+	}
 
 	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
 		EVP_MD_CTX_destroy(evp_md_ctx);
@@ -133,22 +229,56 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	}
 	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
 #else
-	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx;
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx;
 
-		md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
-		if (md5ctx == NULL)
-			return (ISC_R_NOMEMORY);
-		isc_md5_init(md5ctx);
-		dctx->ctxdata.md5ctx = md5ctx;
-	} else {
-		isc_sha1_t *sha1ctx;
+			md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
+			if (md5ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_md5_init(md5ctx);
+			dctx->ctxdata.md5ctx = md5ctx;
+		}
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx;
 
-		sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-		if (sha1ctx == NULL)
-			return (ISC_R_NOMEMORY);
-		isc_sha1_init(sha1ctx);
-		dctx->ctxdata.sha1ctx = sha1ctx;
+			sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+			if (sha1ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha1_init(sha1ctx);
+			dctx->ctxdata.sha1ctx = sha1ctx;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx;
+
+			sha256ctx = isc_mem_get(dctx->mctx, 
+						sizeof(isc_sha256_t));
+			if (sha256ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha256_init(sha256ctx);
+			dctx->ctxdata.sha256ctx = sha256ctx;
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx;
+
+			sha512ctx = isc_mem_get(dctx->mctx, 
+						sizeof(isc_sha512_t));
+			if (sha512ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha512_init(sha512ctx);
+			dctx->ctxdata.sha512ctx = sha512ctx;
+		}
+		break;
+	default:
+		INSIST(0);
 	}
 #endif
 
@@ -163,7 +293,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
 		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
 
 #if USE_EVP
 	if (evp_md_ctx != NULL) {
@@ -171,22 +303,58 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
 		dctx->ctxdata.evp_md_ctx = NULL;
 	}
 #else
-	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
 
-		if (md5ctx != NULL) {
-			isc_md5_invalidate(md5ctx);
-			isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
-			dctx->ctxdata.md5ctx = NULL;
+			if (md5ctx != NULL) {
+				isc_md5_invalidate(md5ctx);
+				isc_mem_put(dctx->mctx, md5ctx,
+					    sizeof(isc_md5_t));
+				dctx->ctxdata.md5ctx = NULL;
+			}
 		}
-	} else {
-		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 
-		if (sha1ctx != NULL) {
-			isc_sha1_invalidate(sha1ctx);
-			isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
-			dctx->ctxdata.sha1ctx = NULL;
+			if (sha1ctx != NULL) {
+				isc_sha1_invalidate(sha1ctx);
+				isc_mem_put(dctx->mctx, sha1ctx,
+					    sizeof(isc_sha1_t));
+				dctx->ctxdata.sha1ctx = NULL;
+			}
 		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			if (sha256ctx != NULL) {
+				isc_sha256_invalidate(sha256ctx);
+				isc_mem_put(dctx->mctx, sha256ctx,
+					    sizeof(isc_sha256_t));
+				dctx->ctxdata.sha256ctx = NULL;
+			}
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			if (sha512ctx != NULL) {
+				isc_sha512_invalidate(sha512ctx);
+				isc_mem_put(dctx->mctx, sha512ctx,
+					    sizeof(isc_sha512_t));
+				dctx->ctxdata.sha512ctx = NULL;
+			}
+		}
+		break;
+	default:
+		INSIST(0);
 	}
 #endif
 }
@@ -199,19 +367,47 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
 		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
 
 #if USE_EVP
 	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
 		return (ISC_R_FAILURE);
 	}
 #else
-	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-		isc_md5_update(md5ctx, data->base, data->length);
-	} else {
-		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-		isc_sha1_update(sha1ctx, data->base, data->length);
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_update(md5ctx, data->base, data->length);
+		}
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_update(sha1ctx, data->base, data->length);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_update(sha256ctx, data->base, data->length);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_update(sha512ctx, data->base, data->length);
+		}
+		break;
+	default:
+		INSIST(0);
 	}
 #endif
 	return (ISC_R_SUCCESS);
@@ -227,11 +423,11 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	EVP_PKEY *pkey = key->keydata.pkey;
 #else
 	RSA *rsa = key->keydata.rsa;
-	/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
 	int status;
-	int type;
-	unsigned int digestlen;
+	int type = 0;
+	unsigned int digestlen = 0;
 	char *message;
 	unsigned long err;
 	const char* file;
@@ -240,7 +436,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
 		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
 
 	isc_buffer_availableregion(sig, &r);
 
@@ -255,16 +453,46 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	if (r.length < (unsigned int) RSA_size(rsa))
 		return (ISC_R_NOSPACE);
 
-	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-		isc_md5_final(md5ctx, digest);
-		type = NID_md5;
-		digestlen = ISC_MD5_DIGESTLENGTH;
-	} else {
-		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-		isc_sha1_final(sha1ctx, digest);
-		type = NID_sha1;
-		digestlen = ISC_SHA1_DIGESTLENGTH;
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_final(md5ctx, digest);
+			type = NID_md5;
+			digestlen = ISC_MD5_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_final(sha1ctx, digest);
+			type = NID_sha1;
+			digestlen = ISC_SHA1_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_final(digest, sha256ctx);
+			type = NID_sha256;
+			digestlen = ISC_SHA256_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_final(digest, sha512ctx);
+			type = NID_sha512;
+			digestlen = ISC_SHA512_DIGESTLENGTH;
+		}
+		break;
+	default:
+		INSIST(0);
 	}
 
 	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
@@ -290,30 +518,62 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 	EVP_PKEY *pkey = key->keydata.pkey;
 #else
-	/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-	int type;
-	unsigned int digestlen;
+	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	int type = 0;
+	unsigned int digestlen = 0;
 	RSA *rsa = key->keydata.rsa;
 #endif
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
 		dctx->key->key_alg == DST_ALG_RSASHA1 ||
-		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
 
 #if USE_EVP
 	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
 #else
-	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-		isc_md5_final(md5ctx, digest);
-		type = NID_md5;
-		digestlen = ISC_MD5_DIGESTLENGTH;
-	} else {
-		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-		isc_sha1_final(sha1ctx, digest);
-		type = NID_sha1;
-		digestlen = ISC_SHA1_DIGESTLENGTH;
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_final(md5ctx, digest);
+			type = NID_md5;
+			digestlen = ISC_MD5_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_final(sha1ctx, digest);
+			type = NID_sha1;
+			digestlen = ISC_SHA1_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_final(digest, sha256ctx);
+			type = NID_sha256;
+			digestlen = ISC_SHA256_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_final(digest, sha512ctx);
+			type = NID_sha512;
+			digestlen = ISC_SHA512_DIGESTLENGTH;
+		}
+		break;
+	default:
+		INSIST(0);
 	}
 
 	if (sig->length < (unsigned int) RSA_size(rsa))
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 177b00be25..2ea6d1c886 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.11 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: rcode.c,v 1.12 2009/10/22 02:21:30 each Exp $ */
 
 #include 
 #include 
@@ -105,6 +105,8 @@
 	{ DNS_KEYALG_ECC, "ECC", 0 }, \
 	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
 	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
 	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
 	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
 	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
index c2c94cb993..439bbb948e 100644
--- a/lib/isc/include/isc/sha2.h
+++ b/lib/isc/include/isc/sha2.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.h,v 1.11 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $	*/
 /*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
@@ -113,24 +113,28 @@ ISC_LANG_BEGINDECLS
 /*** SHA-224/256/384/512 Function Prototypes ******************************/
 
 void isc_sha224_init (isc_sha224_t *);
+void isc_sha224_invalidate (isc_sha224_t *);
 void isc_sha224_update (isc_sha224_t *, const isc_uint8_t *, size_t);
 void isc_sha224_final (isc_uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
 char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
 char *isc_sha224_data (const isc_uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
 
 void isc_sha256_init (isc_sha256_t *);
+void isc_sha256_invalidate (isc_sha256_t *);
 void isc_sha256_update (isc_sha256_t *, const isc_uint8_t *, size_t);
 void isc_sha256_final (isc_uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
 char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
 char *isc_sha256_data (const isc_uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
 
 void isc_sha384_init (isc_sha384_t *);
+void isc_sha384_invalidate (isc_sha384_t *);
 void isc_sha384_update (isc_sha384_t *, const isc_uint8_t *, size_t);
 void isc_sha384_final (isc_uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
 char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
 char *isc_sha384_data (const isc_uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
 
 void isc_sha512_init (isc_sha512_t *);
+void isc_sha512_invalidate (isc_sha512_t *);
 void isc_sha512_update (isc_sha512_t *, const isc_uint8_t *, size_t);
 void isc_sha512_final (isc_uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
 char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index e33a1026ce..d42ad584ba 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.17 2009/02/06 23:47:42 tbox Exp $ */
+/* $Id: sha2.c,v 1.18 2009/10/22 02:21:31 each Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -73,6 +73,11 @@ isc_sha224_init(isc_sha224_t *context) {
 	EVP_DigestInit(context, EVP_sha224());
 }
 
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+	EVP_MD_CTX_cleanup(context);
+}
+
 void
 isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
 	if (len == 0U) {
@@ -107,6 +112,11 @@ isc_sha256_init(isc_sha256_t *context) {
 	EVP_DigestInit(context, EVP_sha256());
 }
 
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+	EVP_MD_CTX_cleanup(context);
+}
+
 void
 isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
 	if (len == 0U) {
@@ -141,6 +151,11 @@ isc_sha512_init(isc_sha512_t *context) {
 	EVP_DigestInit(context, EVP_sha512());
 }
 
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+	EVP_MD_CTX_cleanup(context);
+}
+
 void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
 	if (len == 0U) {
 		/* Calling with no data is valid - we do nothing */
@@ -173,6 +188,11 @@ isc_sha384_init(isc_sha384_t *context) {
 	EVP_DigestInit(context, EVP_sha384());
 }
 
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+	EVP_MD_CTX_cleanup(context);
+}
+
 void
 isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
 	if (len == 0U) {
@@ -546,6 +566,11 @@ isc_sha224_init(isc_sha224_t *context) {
 	context->bitcount = 0;
 }
 
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+	memset(context, 0, sizeof(isc_sha224_t));
+}
+
 void
 isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
 	isc_sha256_update((isc_sha256_t *)context, data, len);
@@ -571,6 +596,11 @@ isc_sha256_init(isc_sha256_t *context) {
 	context->bitcount = 0;
 }
 
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+	memset(context, 0, sizeof(isc_sha256_t));
+}
+
 #ifdef ISC_SHA2_UNROLL_TRANSFORM
 
 /* Unrolled SHA-256 round macros: */
@@ -881,6 +911,11 @@ isc_sha512_init(isc_sha512_t *context) {
 	context->bitcount[0] = context->bitcount[1] =  0;
 }
 
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+	memset(context, 0, sizeof(isc_sha512_t));
+}
+
 #ifdef ISC_SHA2_UNROLL_TRANSFORM
 
 /* Unrolled SHA-512 round macros: */
@@ -1189,6 +1224,11 @@ isc_sha384_init(isc_sha384_t *context) {
 	context->bitcount[0] = context->bitcount[1] = 0;
 }
 
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+	memset(context, 0, sizeof(isc_sha384_t));
+}
+
 void
 isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
 	isc_sha512_update((isc_sha512_t *)context, data, len);

From f10a8fa0343038946384c44f6bb8dc2615f0cc20 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Thu, 22 Oct 2009 03:43:16 +0000
Subject: [PATCH 352/385] 2727.	[func]		The 'key-directory' option can
 now specify a relative 			path. [RT #20154]

---
 CHANGES                 | 3 +++
 bin/named/zoneconf.c    | 8 +-------
 doc/arm/Bv9ARM-book.xml | 7 +++----
 3 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index b2cc363be4..073154d949 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2727.	[func]		The 'key-directory' option can now specify a relative
+			path. [RT #20154]
+
 2726.	[func]		Added support for SHA-2 DNSSEC algorithms,
 			RSASHA256 and RSASHA512. [RT #20023]
 
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index b2a893cbc1..ce615d5cac 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.158 2009/10/12 23:48:01 tbox Exp $ */
+/* $Id: zoneconf.c,v 1.159 2009/10/22 03:43:16 each Exp $ */
 
 /*% */
 
@@ -830,12 +830,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		result = ns_config_get(maps, "key-directory", &obj);
 		if (result == ISC_R_SUCCESS) {
 			filename = cfg_obj_asstring(obj);
-			if (!isc_file_isabsolute(filename)) {
-				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-					    "key-directory '%s' "
-					    "is not absolute", filename);
-				return (ISC_R_FAILURE);
-			}
 			RETERR(dns_zone_setkeydirectory(zone, filename));
 		}
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index c1764ab2f5..b5e16f595f 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -5165,9 +5165,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 When performing dynamic update of secure zones, the
                 directory where the public and private DNSSEC key files
                 should be found, if different than the current working
-                directory.  The directory specified must be an absolute
-                path.  (Note that this option has no effect on the paths
-                for files containing non-DNSSEC keys such as
+                directory.  (Note that this option has no effect on the
+                paths for files containing non-DNSSEC keys such as
                 bind.keys,
                 rndc.key or
                 session.key.)

From 2fe5f8303ed2280b7cfbd2aa032117de689c5150 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 22 Oct 2009 23:19:17 +0000
Subject: [PATCH 353/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index e18d87e21a..90207c1f17 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -17,6 +17,7 @@ custom_ALLIANZ_v9_4_2		private	marka	// 2007-11-23 04:32 +0000
 custom_ALLIANZ_v9_4_2_P1	new	each	// 2008-05-27 23:33 +0000
 custom_ALLIANZ_v9_4_2_P2	new	each	// 2008-08-05 21:28 +0000
 custom_ATT_v9_4			new	each	// 2009-07-28 17:05 +0000
+custom_ATT_v9_6_1_P1		new	cathya	// 2009-10-22 13:24 +0000
 custom_CISCO_v9_3_4_P1		private	marka	// 2007-11-23 04:19 +0000
 custom_DYNDNS_v9_6		new	each	// 2009-06-19 15:34 +0000
 custom_NOM_v9_5_0a7		private	

From 510032fdf484af254b0d362bdc7c371f3eb6fe2f Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Thu, 22 Oct 2009 23:48:07 +0000
Subject: [PATCH 354/385] update copyright notice

---
 bin/named/update.c        |  4 +-
 lib/dns/opensslrsa_link.c | 78 +++++++++++++++++++--------------------
 2 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/bin/named/update.c b/bin/named/update.c
index 45f698b1a4..db7ca03210 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.164 2009/10/22 01:55:55 marka Exp $ */
+/* $Id: update.c,v 1.165 2009/10/22 23:48:07 tbox Exp $ */
 
 #include 
 
@@ -2338,7 +2338,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 * case it should already exist if there is a complete
 			 * NSEC chain and if there isn't a complete NSEC chain
 			 * we don't want to add one as that would signal that
-			 * there is a complete NSEC chain. 
+			 * there is a complete NSEC chain.
 			 */
 			if (!dns_name_equal(name, dns_db_origin(db))) {
 				CHECK(rrset_exists(db, newver, name,
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index eb1e26087c..71c3fa90a5 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.31 2009/10/22 02:21:30 each Exp $
+ * $Id: opensslrsa_link.c,v 1.32 2009/10/22 23:48:07 tbox Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -134,56 +134,56 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 #endif
 
 static int init256(EVP_MD_CTX *ctx)
-        { isc_sha256_init(ctx->md_data); return 1; }
+	{ isc_sha256_init(ctx->md_data); return 1; }
 static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
-        { isc_sha256_update(ctx->md_data,data,count); return 1; }
+	{ isc_sha256_update(ctx->md_data,data,count); return 1; }
 static int final256(EVP_MD_CTX *ctx,unsigned char *md)
-        { isc_sha256_final(md,ctx->md_data); return 1; }
+	{ isc_sha256_final(md,ctx->md_data); return 1; }
 
 static const EVP_MD sha256_md=
-        {
-        NID_sha256,
-        NID_sha256WithRSAEncryption,
-        ISC_SHA256_DIGESTLENGTH,
-        0,
-        init256,
-        update256,
-        final256,
-        NULL,
-        NULL,
-        EVP_PKEY_RSA_method,
-        ISC_SHA256_BLOCK_LENGTH,
-        sizeof(EVP_MD *)+sizeof(isc_sha256_t),
-        };
+	{
+	NID_sha256,
+	NID_sha256WithRSAEncryption,
+	ISC_SHA256_DIGESTLENGTH,
+	0,
+	init256,
+	update256,
+	final256,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	ISC_SHA256_BLOCK_LENGTH,
+	sizeof(EVP_MD *)+sizeof(isc_sha256_t),
+	};
 
 static const EVP_MD *EVP_sha256(void)
-        { return(&sha256_md); }
+	{ return(&sha256_md); }
 
 static int init512(EVP_MD_CTX *ctx)
-        { isc_sha512_init(ctx->md_data); return 1; }
+	{ isc_sha512_init(ctx->md_data); return 1; }
 static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
-        { isc_sha512_update(ctx->md_data,data,count); return 1; }
+	{ isc_sha512_update(ctx->md_data,data,count); return 1; }
 static int final512(EVP_MD_CTX *ctx,unsigned char *md)
-        { isc_sha512_final(md,ctx->md_data); return 1; }
+	{ isc_sha512_final(md,ctx->md_data); return 1; }
 
 static const EVP_MD sha512_md=
-        {
-        NID_sha512,
-        NID_sha512WithRSAEncryption,
-        ISC_SHA512_DIGESTLENGTH,
-        0,
-        init512,
-        update512,
-        final512,
-        NULL,
-        NULL,
-        EVP_PKEY_RSA_method,
-        ISC_SHA512_BLOCK_LENGTH,
-        sizeof(EVP_MD *)+sizeof(isc_sha512_t),
-        };
+	{
+	NID_sha512,
+	NID_sha512WithRSAEncryption,
+	ISC_SHA512_DIGESTLENGTH,
+	0,
+	init512,
+	update512,
+	final512,
+	NULL,
+	NULL,
+	EVP_PKEY_RSA_method,
+	ISC_SHA512_BLOCK_LENGTH,
+	sizeof(EVP_MD *)+sizeof(isc_sha512_t),
+	};
 
 static const EVP_MD *EVP_sha512(void)
-        { return(&sha512_md); }
+	{ return(&sha512_md); }
 #endif
 
 static isc_result_t
@@ -257,7 +257,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		{
 			isc_sha256_t *sha256ctx;
 
-			sha256ctx = isc_mem_get(dctx->mctx, 
+			sha256ctx = isc_mem_get(dctx->mctx,
 						sizeof(isc_sha256_t));
 			if (sha256ctx == NULL)
 				return (ISC_R_NOMEMORY);
@@ -269,7 +269,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		{
 			isc_sha512_t *sha512ctx;
 
-			sha512ctx = isc_mem_get(dctx->mctx, 
+			sha512ctx = isc_mem_get(dctx->mctx,
 						sizeof(isc_sha512_t));
 			if (sha512ctx == NULL)
 				return (ISC_R_NOMEMORY);

From 8e821eea5f57ac47a94305aa7ab0c3570d92a311 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 23 Oct 2009 01:14:48 +0000
Subject: [PATCH 355/385] regen

---
 bin/dnssec/dnssec-keyfromlabel.8     |  12 +-
 bin/dnssec/dnssec-keyfromlabel.html  |  22 ++--
 bin/dnssec/dnssec-keygen.8           |  14 ++-
 bin/dnssec/dnssec-keygen.html        |  28 +++--
 doc/arm/Bv9ARM.ch06.html             | 106 +++++++++-------
 doc/arm/Bv9ARM.ch07.html             |  14 +--
 doc/arm/Bv9ARM.ch08.html             |  18 +--
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  44 +++----
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |  20 +--
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  26 ++--
 doc/arm/man.dnssec-keygen.html       |  32 ++---
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |  14 +--
 doc/arm/man.dnssec-signzone.html     |  12 +-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkconf.html     |  12 +-
 doc/arm/man.named-checkzone.html     |  12 +-
 doc/arm/man.named.html               |  16 +--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 25 files changed, 351 insertions(+), 327 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
index 9ab7885cc3..f8452ed16b 100644
--- a/bin/dnssec/dnssec-keyfromlabel.8
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keyfromlabel.8,v 1.14 2009/10/17 01:14:35 tbox Exp $
+.\" $Id: dnssec-keyfromlabel.8,v 1.15 2009/10/23 01:14:47 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -47,11 +47,13 @@ of the key is specified on the command line. This must match the name of the zon
 .RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
-must be one of RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. These values are case insensitive.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead.
+option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
 .sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
 .sp
@@ -203,9 +205,7 @@ file contains algorithm\-specific fields. For obvious security reasons, this fil
 \fBdnssec\-keygen\fR(8),
 \fBdnssec\-signzone\fR(8),
 BIND 9 Administrator Reference Manual,
-RFC 2539,
-RFC 2845,
-RFC 4033.
+RFC 4034.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
index 2369456e21..7bb428785b 100644
--- a/bin/dnssec/dnssec-keyfromlabel.html
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,16 @@
 
    
 
    
 	    Selects the cryptographic algorithm.  The value of
-	    algorithm must be one of RSAMD5 (RSA),
-	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+            algorithm must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
 	    These values are case insensitive.
 	  
    
 
    
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the -3 option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+            -3 is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -153,7 +155,7 @@
 
    
 
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -200,7 +202,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -239,17 +241,15 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
-      RFC 2539,
-      RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 016241ed5a..ed62ada8f8 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.50 2009/10/17 01:14:35 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.51 2009/10/23 01:14:47 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -48,11 +48,13 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
 .RS 4
 Selects the cryptographic algorithm. For DNSSEC keys, the value of
 \fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
 .sp
 If no algorithm is specified, then RSASHA1 will be used by default, unless the
 \fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead.
+option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
 .sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
@@ -61,7 +63,7 @@ Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the
 .PP
 \-b \fIkeysize\fR
 .RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
+Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
 .sp
 The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
 \fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
@@ -79,7 +81,7 @@ must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a
 .PP
 \-3
 .RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and RSASHA512 algorithms are NSEC3\-capable.
 .RE
 .PP
 \-C
@@ -268,7 +270,7 @@ and
 BIND 9 Administrator Reference Manual,
 RFC 2539,
 RFC 2845,
-RFC 4033.
+RFC 4034.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 8d680d6630..c7365c80c6 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -53,7 +53,8 @@
 
    
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of algorithm must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, or NSEC3DSA.  For TSIG/TKEY, the value must
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
             case insensitive.
@@ -61,7 +62,9 @@
 
    
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the -3 option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+            -3 is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -77,10 +80,10 @@
 
    
 
    
             Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            size depends on the algorithm used.  RSA keys must be
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            bits and an exact multiple of 64.  HMAC keys must be
             between 1 and 512 bits.
           
    
 
    
@@ -108,7 +111,8 @@
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
-            default.
+            default. Note that RSASHA256 and RSASHA512 algorithms
+	    are NSEC3-capable.
           
    
 
    -C
    
 
    
@@ -220,7 +224,7 @@
 
 
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -267,7 +271,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -313,7 +317,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -334,16 +338,16 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
       RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index b5a0dd3c9f..7295cc1ff7 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
+
    managed-keys Statement Grammar
    
 
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2363,9 +2363,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 When performing dynamic update of secure zones, the
                 directory where the public and private DNSSEC key files
                 should be found, if different than the current working
-                directory.  The directory specified must be an absolute
-                path.  (Note that this option has no effect on the paths
-                for files containing non-DNSSEC keys such as
+                directory.  (Note that this option has no effect on the
+                paths for files containing non-DNSSEC keys such as
                 bind.keys,
                 rndc.key or
                 session.key.)
@@ -3430,7 +3429,7 @@ options {
 
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3474,7 +3473,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3671,7 +3670,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4123,7 +4122,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4165,7 +4164,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -5123,7 +5122,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5453,7 +5452,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5504,7 +5503,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5513,7 +5512,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5553,7 +5552,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5648,6 +5647,21 @@ deny-answer-aliases { "example.net"; };
             managed-keys may only be set at the top
             level of named.conf, not within a view.
           
    
+
    
+            In the current implementation, the managed keys database is
+            stored as a master-format zone file called
+            managed-keys.bind.  When the key database
+            is changed, the zone is updated.  As with any other dynamic
+            zone, changes will be written into a journal file,
+            managed-keys.bind.jnl.  They are committed
+            to the master file as soon as possible afterward; in the case
+            of the managed key database, this will usually occur within 30
+            seconds.  So, whenever named is using
+            automatic key maintenace, those two files can be expected to
+            exist in the working directory.  (For this reason among others,
+            the working directory should be always be writable by
+            named.)
+          
    
 
    
             If the dnssec-lookaside option is
             set to auto, named
@@ -5673,7 +5687,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -5953,10 +5967,10 @@ zone zone_name [
 
    
 
    
-zone Statement Definition and Usage
    
+zone Statement Definition and Usage
    
 
    
 
    
-Zone Types
    
+Zone Types
    
 
    
 
 

    @@ -6167,7 +6181,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6189,7 +6203,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6859,7 +6873,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6872,7 +6886,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7609,7 +7623,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7812,7 +7826,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8068,7 +8082,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8129,7 +8143,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8144,7 +8158,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8155,7 +8169,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8184,7 +8198,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8220,7 +8234,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8239,7 +8253,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8663,7 +8677,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9220,7 +9234,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9374,7 +9388,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9757,7 +9771,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9912,7 +9926,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 836f16fb98..50a850e165 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -46,10 +46,10 @@
 
    Table of Contents
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
@@ -122,7 +122,7 @@ zone "example.com" {
 
 
    
 
    
-Chroot and Setuid
+Chroot and Setuid
 
    
 
    
           On UNIX servers, it is possible to run BIND
@@ -148,7 +148,7 @@ zone "example.com" {
         
    
 
    
 
    
-The chroot Environment
    
+The chroot Environment
    
 
    
             In order for a chroot environment
             to
@@ -176,7 +176,7 @@ zone "example.com" {
 
 
    
 
    
-Using the setuid Function
    
+Using the setuid Function
    
 
    
             Prior to running the named daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index d79c282d90..edfb4832f2 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,18 +45,18 @@
 
    
 
    Table of Contents
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    
 
    
 
    
-Common Problems
    
+Common Problems
    
 
    
 
    
-It's not working; how can I figure out what's wrong?
    
+It's not working; how can I figure out what's wrong?
    
 
    
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 
 
    
 
    
-Incrementing and Changing the Serial Number
    
+Incrementing and Changing the Serial Number
    
 
    
           Zone serial numbers are just numbers — they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 2aca0934f4..2fcc2aec1e 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 0727e92cca..d60bda27d1 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
+
    managed-keys Statement Grammar
    
 
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
-
    zone Statement Definition and Usage
    
+
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -187,31 +187,31 @@
 
    7. BIND 9 Security Considerations
    
 
    
 
    Access Control Lists
    
-
    Chroot and Setuid
    
+
    Chroot and Setuid
    
 
    
-
    The chroot Environment
    
-
    Using the setuid Function
    
+
    The chroot Environment
    
+
    Using the setuid Function
    
 
    
 
    Dynamic Update Security
    
 
    
 
    8. Troubleshooting
    
 
    
-
    Common Problems
    
-
    It's not working; how can I figure out what's wrong?
    
-
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Common Problems
    
+
    It's not working; how can I figure out what's wrong?
    
+
    Incrementing and Changing the Serial Number
    
+
    Where Can I Get Help?
    
 
    
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index c4ae4d9d3e..fad2f908cf 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4f82e99754..e7e51c704e 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -52,7 +52,7 @@
 
    dig  [global-queryopt...] [query...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dig
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     
    
 
    
 
    
-
    SIMPLE USAGE
    
+
    SIMPLE USAGE
    
 
    
       A typical invocation of dig looks like:
       
    
@@ -144,7 +144,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
       The -b option sets the source IP address of the query
       to address.  This must be a valid
@@ -248,7 +248,7 @@
     
    
 
    
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If dig has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    ${HOME}/.digrc
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    host(1),
       named(8),
       dnssec-keygen(8),
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       There are probably too many query options.
     
    
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 173a778dcd..aa1de9ac0e 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 67ca1f0027..d1644226d9 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,20 +63,22 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
 
    
 	    Selects the cryptographic algorithm.  The value of
-	    algorithm must be one of RSAMD5 (RSA),
-	    RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+            algorithm must be one of RSAMD5, RSASHA1,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
 	    These values are case insensitive.
 	  
    
 
    
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the -3 option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+            -3 is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -172,7 +174,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -219,7 +221,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -258,17 +260,15 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
-      RFC 2539,
-      RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 54587c0f7b..20ca67be94 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,14 +64,15 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
 
    
             Selects the cryptographic algorithm.  For DNSSEC keys, the value
             of algorithm must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, or NSEC3DSA.  For TSIG/TKEY, the value must
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
+	    For TSIG/TKEY, the value must
             be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
             HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
             case insensitive.
@@ -79,7 +80,9 @@
 
    
             If no algorithm is specified, then RSASHA1 will be used by
             default, unless the -3 option is specified,
-            in which case NSEC3RSASHA1 will be used instead.
+            in which case NSEC3RSASHA1 will be used instead.  (If
+            -3 is used and an algorithm is specified,
+            that algorithm will be checked for compatibility with NSEC3.)
           
    
 
    
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -95,10 +98,10 @@
 
    
 
    
             Specifies the number of bits in the key.  The choice of key
-            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
+            size depends on the algorithm used.  RSA keys must be
             between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
-            bits and an exact multiple of 64.  HMAC-MD5 keys must be
+            bits and an exact multiple of 64.  HMAC keys must be
             between 1 and 512 bits.
           
    
 
    
@@ -126,7 +129,8 @@
 	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
             If this option is used and no algorithm is explicitly
             set on the command line, NSEC3RSASHA1 will be used by
-            default.
+            default. Note that RSASHA256 and RSASHA512 algorithms
+	    are NSEC3-capable.
           
    
 
    -C
    
 
    
@@ -238,7 +242,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -285,7 +289,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -331,7 +335,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -352,16 +356,16 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
       RFC 2845,
-      RFC 4033.
+      RFC 4034.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index c86cd8c7c2..dcc32a1b4c 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index b2d0292220..a4ff91ddb7 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -151,7 +151,7 @@
 
    
 
 
    
-
    PRINTING OPTIONS
    
+
    PRINTING OPTIONS
    
 
    
       dnssec-settime can also be used to print the
       timing metadata associated with a key.
@@ -177,7 +177,7 @@
 
    
 
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -185,7 +185,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 6935cda17d..60b0881e90 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-signzone  [-a] [-c class] [-d directory] [-E engine] [-e end-time] [-f output-file] [-g] [-h] [-K directory] [-k key] [-l domain] [-i interval] [-I input-format] [-j jitter] [-N soa-serial-format] [-o origin] [-O output-format] [-p] [-P] [-r randomdev] [-S] [-s start-time] [-T ttl] [-t] [-u] [-v level] [-x] [-z] [-3 salt] [-H iterations] [-A] {zonefile} [key...]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-signzone
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -397,7 +397,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -427,14 +427,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 82f1d0b402..1435323bb6 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index afbeff79c7..55f08c73b4 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,14 +50,14 @@
 
    named-checkconf  [-h] [-v] [-j] [-t directory] {filename} [-p] [-z]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkconf
       checks the syntax, but not the semantics, of a named
       configuration file.
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -96,21 +96,21 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkconf
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkzone(8),
       BIND 9 Administrator Reference Manual.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 081fa67101..bfc7516b37 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,7 +51,7 @@
 
    named-compilezone  [-d] [-j] [-q] [-v] [-c class] [-C mode] [-f format] [-F format] [-i mode] [-k mode] [-m mode] [-n mode] [-o filename] [-s style] [-t directory] [-w directory] [-D] [-W mode] {zonename} {filename}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named-checkzone
       checks the syntax and integrity of a zone file.  It performs the
       same checks as named does when loading a
@@ -71,7 +71,7 @@
      
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -d
    
 
    
@@ -257,14 +257,14 @@
 
    
 
    
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 339722af23..346d211ef4 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 0934734769..3699de927d 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -210,7 +210,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -474,7 +474,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -528,7 +528,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -551,7 +551,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       RFC 2136,
       RFC 3007,
@@ -566,7 +566,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index b087a9a740..260e0c4884 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 2c8df27697..3f930c1a37 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index a09d5bfcc6..653b30feab 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From 412b30659bcac1d9950664c0c4f9c864c4d002d9 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Fri, 23 Oct 2009 23:18:16 +0000
Subject: [PATCH 356/385] auto update

---
 doc/private/branches | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/private/branches b/doc/private/branches
index 90207c1f17..1093fd87e2 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -271,6 +271,7 @@ rt20399				new	marka	// 2009-10-14 02:27 +0000
 rt20405				new	each	// 2009-10-14 05:15 +0000
 rt20406				new	each	// 2009-10-20 00:14 +0000
 rt20421				new	each	// 2009-10-20 19:04 +0000
+rt20453				new	marka	// 2009-10-23 12:52 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 8f0502e922120f27207fbf6b6dda18f1112e486c Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Sat, 24 Oct 2009 00:00:06 +0000
Subject: [PATCH 357/385] 2728.	[bug]		dnssec-keygen,
 dnssec-keyfromlabel and 			dnssec-signzone now warn
 immediately if asked to 			write into a nonexistent
 directory. [RT #20278]

---
 CHANGES                          |  4 ++++
 bin/dnssec/dnssec-keyfromlabel.c |  6 +++++-
 bin/dnssec/dnssec-keygen.c       | 10 ++++++----
 bin/dnssec/dnssec-signzone.c     |  6 +++++-
 bin/dnssec/dnssectool.c          | 16 +++++++++++++++-
 bin/dnssec/dnssectool.h          |  4 +++-
 6 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/CHANGES b/CHANGES
index 073154d949..2150496a03 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
+			dnssec-signzone now warn immediately if asked to
+			write into a nonexistent directory. [RT #20278]
+
 2727.	[func]		The 'key-directory' option can now specify a relative
 			path. [RT #20154]
 
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index d51efbd449..58eb349aaa 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.23 2009/10/22 02:21:30 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.24 2009/10/24 00:00:06 each Exp $ */
 
 /*! \file */
 
@@ -188,6 +188,10 @@ main(int argc, char **argv) {
 			break;
 		case 'K':
 			directory = isc_commandline_argument;
+			ret = try_dir(directory);
+			if (ret != ISC_R_SUCCESS)
+				fatal("Cannot write to directory %s: %s",
+				      directory, isc_result_totext(ret));
 			break;
 		case 'k':
 			options |= DST_TYPE_KEY;
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 1d19297467..0631af15b7 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.102 2009/10/22 02:21:30 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.103 2009/10/24 00:00:06 each Exp $ */
 
 /*! \file */
 
@@ -281,6 +281,10 @@ main(int argc, char **argv) {
 			break;
 		case 'K':
 			directory = isc_commandline_argument;
+			ret = try_dir(directory);
+			if (ret != ISC_R_SUCCESS)
+				fatal("cannot write to directory %s: %s",
+				      directory, isc_result_totext(ret));
 			break;
 		case 'k':
 			fatal("The -k option has been deprecated.\n"
@@ -773,8 +777,7 @@ main(int argc, char **argv) {
 		if (conflict == ISC_TRUE) {
 			if (verbose > 0) {
 				isc_buffer_clear(&buf);
-				ret = dst_key_buildfilename(key, 0, directory,
-							    &buf);
+				dst_key_buildfilename(key, 0, directory, &buf);
 				fprintf(stderr,
 					"%s: %s already exists, "
 					"generating a new key\n",
@@ -782,7 +785,6 @@ main(int argc, char **argv) {
 			}
 			dst_key_free(&key);
 		}
-
 	} while (conflict == ISC_TRUE);
 
 	if (conflict)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 4739dfc290..2f3da0f990 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.247 2009/10/13 23:48:12 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.248 2009/10/24 00:00:06 each Exp $ */
 
 /*! \file */
 
@@ -3274,6 +3274,10 @@ main(int argc, char *argv[]) {
 			dsdir = isc_commandline_argument;
 			if (strlen(dsdir) == 0U)
 				fatal("DS directory must be non-empty string");
+			result = try_dir(dsdir);
+			if (result != ISC_R_SUCCESS)
+				fatal("Cannot write to directory %s: %s",
+				      dsdir, isc_result_totext(result));
 			break;
 
 		case 'E':
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 38ab8c2006..541dda0b12 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.55 2009/10/12 20:48:11 each Exp $ */
+/* $Id: dnssectool.c,v 1.56 2009/10/24 00:00:06 each Exp $ */
 
 /*! \file */
 
@@ -28,6 +28,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -348,3 +349,16 @@ strtoclass(const char *str) {
 		fatal("unknown class %s", str);
 	return (rdclass);
 }
+
+isc_result_t
+try_dir(const char *dirname) {
+	isc_result_t result;
+	isc_dir_t d;
+
+	isc_dir_init(&d);
+	result = isc_dir_open(&d, dirname);
+	if (result == ISC_R_SUCCESS) {
+		isc_dir_close(&d);
+	}
+	return (result);
+}
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index 82e1d62fef..c1a0ee1767 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.27 2009/10/12 20:48:11 each Exp $ */
+/* $Id: dnssectool.h,v 1.28 2009/10/24 00:00:06 each Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -68,4 +68,6 @@ strtotime(const char *str, isc_int64_t now, isc_int64_t base);
 dns_rdataclass_t
 strtoclass(const char *str);
 
+isc_result_t
+try_dir(const char *dirname);
 #endif /* DNSSEC_DNSSECTOOL_H */

From c07236a635d2bbe10ffd03804a2478835c7f7018 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Sat, 24 Oct 2009 04:38:19 +0000
Subject: [PATCH 358/385] 2729.   [func]          When constructing a CNAME
 from a DNAME use the DNAME                         TTL. [RT #20451]

---
 CHANGES           |  3 +++
 bin/named/query.c | 11 ++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2150496a03..eb9ace7af3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
+			TTL. [RT #20451]
+
 2728.	[bug]		dnssec-keygen, dnssec-keyfromlabel and
 			dnssec-signzone now warn immediately if asked to
 			write into a nonexistent directory. [RT #20278]
diff --git a/bin/named/query.c b/bin/named/query.c
index 12a53e5c49..a0726f8eea 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.327 2009/09/14 23:13:37 marka Exp $ */
+/* $Id: query.c,v 1.328 2009/10/24 04:38:19 marka Exp $ */
 
 /*! \file */
 
@@ -2240,7 +2240,8 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
 
 static inline isc_result_t
 query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
-		   dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
+		   dns_rdataset_t *dname, dns_name_t **anamep,
+		   dns_rdatatype_t type)
 {
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
@@ -2276,7 +2277,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 	rdatalist->type = type;
 	rdatalist->covers = 0;
 	rdatalist->rdclass = client->message->rdclass;
-	rdatalist->ttl = 0;
+	rdatalist->ttl = dname->ttl;
 
 	dns_name_toregion(tname, &r);
 	rdata->data = r.base;
@@ -2288,7 +2289,7 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
 		      == ISC_R_SUCCESS);
-	rdataset->trust = trust;
+	rdataset->trust = dname->trust;
 
 	query_addrrset(client, anamep, &rdataset, NULL, NULL,
 		       DNS_SECTION_ANSWER);
@@ -4606,7 +4607,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		dns_name_init(tname, NULL);
 		(void)query_addcnamelike(client, client->query.qname, fname,
-					 trdataset->trust, &tname,
+					 trdataset, &tname,
 					 dns_rdatatype_cname);
 		if (tname != NULL)
 			dns_message_puttempname(client->message, &tname);

From 775a8d86d93269a621a7ad15c49b31b533da0671 Mon Sep 17 00:00:00 2001
From: Francis Dupont 
Date: Sat, 24 Oct 2009 09:46:19 +0000
Subject: [PATCH 359/385] keygen progress indication [RT #20284]

---
 CHANGES                    |  7 +++++++
 bin/dnssec/dnssec-keygen.c | 34 +++++++++++++++++++++++++++++++---
 lib/dns/dst_api.c          | 16 ++++++++++++++--
 lib/dns/dst_internal.h     |  5 +++--
 lib/dns/gssapi_link.c      |  7 ++++---
 lib/dns/hmac_link.c        | 34 +++++++++++++++++++++++++++-------
 lib/dns/include/dst/dst.h  | 10 +++++++++-
 lib/dns/openssldh_link.c   | 28 ++++++++++++++++++++++++----
 lib/dns/openssldsa_link.c  | 29 ++++++++++++++++++++++++-----
 lib/dns/opensslrsa_link.c  | 27 ++++++++++++++++++++++++---
 lib/dns/win32/libdns.def   |  1 +
 11 files changed, 168 insertions(+), 30 deletions(-)

diff --git a/CHANGES b/CHANGES
index eb9ace7af3..159108b04d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+2730.	[func]		Have dnssec-keygen display a progress indication
+			a la 'openssl genrsa' on standard error. Note
+			when the first '.' is followed by a long stop
+			one has the choice between slow generation vs.
+			poor random quality, i.e., '-r /dev/urandom'.
+			[RT #20284]
+
 2729.	[func]		When constructing a CNAME from a DNAME use the DNAME
 			TTL. [RT #20451]
 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 0631af15b7..fb5782d110 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.103 2009/10/24 00:00:06 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.104 2009/10/24 09:46:18 fdupont Exp $ */
 
 /*! \file */
 
@@ -74,6 +74,8 @@ dsa_size_ok(int size) {
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
 
+static void progress(int p);
+
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
@@ -157,6 +159,31 @@ usage(void) {
 	exit (-1);
 }
 
+static void
+progress(int p)
+{
+	char c = '*';
+
+	switch (p) {
+	case 0:
+		c = '.';
+		break;
+	case 1:
+		c = '+';
+		break;
+	case 2:
+		c = '*';
+		break;
+	case 3:
+		c = '\n';
+		break;
+	default:
+		break;
+	}
+	(void) putc(c, stderr);
+	(void) fflush(stderr);
+}
+
 int
 main(int argc, char **argv) {
 	char	        *algname = NULL, *nametype = NULL, *type = NULL;
@@ -687,8 +714,9 @@ main(int argc, char **argv) {
 		oldkey = NULL;
 
 		/* generate the key */
-		ret = dst_key_generate(name, alg, size, param, flags, protocol,
-				       rdclass, mctx, &key);
+		ret = dst_key_generate2(name, alg, size, param, flags,
+					protocol, rdclass, mctx, &key,
+					&progress);
 		isc_entropy_stopcallbacksources(ectx);
 
 		if (ret != ISC_R_SUCCESS) {
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 72f4fe670d..9a08ed5d79 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.43 2009/10/22 02:21:30 each Exp $
+ * $Id: dst_api.c,v 1.44 2009/10/24 09:46:18 fdupont Exp $
  */
 
 /*! \file */
@@ -752,6 +752,18 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 		 unsigned int flags, unsigned int protocol,
 		 dns_rdataclass_t rdclass,
 		 isc_mem_t *mctx, dst_key_t **keyp)
+{
+	return (dst_key_generate2(name, alg, bits, param, flags, protocol,
+				  rdclass, mctx, keyp, NULL));
+}
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+		  unsigned int bits, unsigned int param,
+		  unsigned int flags, unsigned int protocol,
+		  dns_rdataclass_t rdclass,
+		  isc_mem_t *mctx, dst_key_t **keyp,
+		  void (*callback)(int))
 {
 	dst_key_t *key;
 	isc_result_t ret;
@@ -778,7 +790,7 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 		return (DST_R_UNSUPPORTEDALG);
 	}
 
-	ret = key->func->generate(key, param);
+	ret = key->func->generate(key, param, callback);
 	if (ret != ISC_R_SUCCESS) {
 		dst_key_free(&key);
 		return (ret);
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index c0c09a8aa2..19b0f8bf2c 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.21 2009/10/22 02:21:30 each Exp $ */
+/* $Id: dst_internal.h,v 1.22 2009/10/24 09:46:19 fdupont Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -170,7 +170,8 @@ struct dst_func {
 	isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
 	isc_boolean_t (*paramcompare)(const dst_key_t *key1,
 				      const dst_key_t *key2);
-	isc_result_t (*generate)(dst_key_t *key, int parms);
+	isc_result_t (*generate)(dst_key_t *key, int parms,
+				 void (*callback)(int));
 	isc_boolean_t (*isprivate)(const dst_key_t *key);
 	void (*destroy)(dst_key_t *key);
 
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index 0dd27bbea3..edc2bf26ff 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.12 2008/11/11 03:55:01 marka Exp $
+ * $Id: gssapi_link.c,v 1.13 2009/10/24 09:46:19 fdupont Exp $
  */
 
 #include 
@@ -254,9 +254,10 @@ gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-gssapi_generate(dst_key_t *key, int unused) {
+gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	UNUSED(key);
 	UNUSED(unused);
+	UNUSED(callback);
 
 	/* No idea */
 	return (ISC_R_FAILURE);
@@ -292,7 +293,7 @@ static dst_func_t gssapi_functions = {
 	NULL, /*%< tofile */
 	NULL, /*%< parse */
 	NULL, /*%< cleanup */
-	NULL  /*%< fromlabel */
+	NULL,  /*%< fromlabel */
 };
 
 isc_result_t
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 24d836538c..70eb41bef9 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.14 2009/10/09 06:09:21 each Exp $
+ * $Id: hmac_link.c,v 1.15 2009/10/24 09:46:19 fdupont Exp $
  */
 
 #include 
@@ -149,12 +149,14 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
@@ -420,12 +422,14 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
@@ -691,12 +695,16 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
@@ -962,12 +970,16 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
@@ -1233,12 +1245,16 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
@@ -1504,12 +1520,16 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
 }
 
 static isc_result_t
-hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
 	isc_buffer_t b;
 	isc_result_t ret;
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
+	UNUSED(callback);
+
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > HMAC_LEN) {
 		bytes = HMAC_LEN;
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index fffd4b40d2..2217139e3d 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.23 2009/10/22 02:21:31 each Exp $ */
+/* $Id: dst.h,v 1.24 2009/10/24 09:46:19 fdupont Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -479,6 +479,14 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 		 unsigned int flags, unsigned int protocol,
 		 dns_rdataclass_t rdclass,
 		 isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+		  unsigned int bits, unsigned int param,
+		  unsigned int flags, unsigned int protocol,
+		  dns_rdataclass_t rdclass,
+		  isc_mem_t *mctx, dst_key_t **keyp,
+		  void (*callback)(int));
 /*%<
  * Generate a DST key (or keypair) with the supplied parameters.  The
  * interpretation of the "param" field depends on the algorithm:
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 43506d5555..8773cbf9c3 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.16 2009/09/03 23:48:13 tbox Exp $
+ * $Id: openssldh_link.c,v 1.17 2009/10/24 09:46:19 fdupont Exp $
  */
 
 #ifdef OPENSSL
@@ -149,12 +149,28 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+	void (*callback)(int) = cb->arg;
+
+	UNUSED(n);
+	if (callback != NULL)
+		callback(p);
+	return (1);
+}
+#endif
+
 static isc_result_t
-openssldh_generate(dst_key_t *key, int generator) {
+openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+	DH *dh = NULL;
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
 	BN_GENCB cb;
+#else
+
+	UNUSED(callback);
 #endif
-	DH *dh = NULL;
 
 	if (generator == 0) {
 		if (key->key_size == 768 ||
@@ -181,7 +197,11 @@ openssldh_generate(dst_key_t *key, int generator) {
 		if (dh == NULL)
 			return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 
-		BN_GENCB_set_old(&cb, NULL, NULL);
+		if (callback == NULL) {
+			BN_GENCB_set_old(&cb, NULL, NULL);
+		} else {
+			BN_GENCB_set(&cb, &progress_cb, callback);
+		}
 
 		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
 					       &cb)) {
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 3cad0f907a..e25b27e6ba 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.16 2009/09/03 04:09:58 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.17 2009/10/24 09:46:19 fdupont Exp $ */
 
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -313,15 +313,30 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
-static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused) {
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
-	BN_GENCB cb;
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+	void (*callback)(int) = cb->arg;
+
+	UNUSED(n);
+	if (callback != NULL)
+		callback(p);
+	return (1);
+}
 #endif
+
+static isc_result_t
+openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	DSA *dsa;
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
 	isc_result_t result;
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	BN_GENCB cb;
 
+#else
+	UNUSED(callback);
+#endif
 	UNUSED(unused);
 
 	result = dst__entropy_getdata(rand_array, sizeof(rand_array),
@@ -334,7 +349,11 @@ openssldsa_generate(dst_key_t *key, int unused) {
 	if (dsa == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 
-	BN_GENCB_set_old(&cb, NULL, NULL);
+	if (callback == NULL) {
+		BN_GENCB_set_old(&cb, NULL, NULL);
+	} else {
+		BN_GENCB_set(&cb, &progress_cb, callback);
+	}
 
 	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
 					ISC_SHA1_DIGESTLENGTH,  NULL, NULL,
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 71c3fa90a5..68b0a84d8c 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.32 2009/10/22 23:48:07 tbox Exp $
+ * $Id: opensslrsa_link.c,v 1.33 2009/10/24 09:46:19 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -653,8 +653,21 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	return (ISC_TRUE);
 }
 
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+	void (*callback)(int) = cb->arg;
+
+	UNUSED(n);
+	if (callback != NULL)
+		callback(p);
+	return (1);
+}
+#endif
+
 static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp) {
+opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
 	BN_GENCB cb;
 	RSA *rsa = RSA_new();
@@ -682,7 +695,11 @@ opensslrsa_generate(dst_key_t *key, int exp) {
 		BN_set_bit(e, 32);
 	}
 
-	BN_GENCB_set_old(&cb, NULL, NULL);
+	if (callback == NULL) {
+		BN_GENCB_set_old(&cb, NULL, NULL);
+	} else {
+		BN_GENCB_set(&cb, &progress_cb, callback);
+	}
 
 	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
 		BN_free(e);
@@ -713,8 +730,12 @@ err:
 #if USE_EVP
 	EVP_PKEY *pkey = EVP_PKEY_new();
 
+	UNUSED(callback);
+
 	if (pkey == NULL)
 		return (ISC_R_NOMEMORY);
+#else
+	UNUSED(callback);
 #endif
 
 	if (exp == 0)
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 657c72c662..f0c8522e01 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -881,6 +881,7 @@ dst_key_fromgssapi
 dst_key_fromlabel
 dst_key_fromnamedfile
 dst_key_generate
+dst_key_generate2
 dst_key_getprivateformat
 dst_key_gettime
 dst_key_id

From 7bc8c1465ba7e32381db02b6d53e1fbca6a59356 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 24 Oct 2009 23:30:31 +0000
Subject: [PATCH 360/385] newcopyrights

---
 util/copyrights | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/copyrights b/util/copyrights
index 34adafbfaa..83e5ef3d61 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1759,7 +1759,7 @@
 ./lib/dns/gen-unix.h				C	1999,2000,2001,2004,2005,2007,2009
 ./lib/dns/gen-win32.h				C	1999,2000,2001,2004,2005,2006,2007,2009
 ./lib/dns/gen.c					C	1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008
-./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008
+./lib/dns/gssapi_link.c				C	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/gssapictx.c				C	2000,2001,2004,2005,2006,2007,2008,2009
 ./lib/dns/hmac_link.c				C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./lib/dns/include/.cvsignore			X	1998,1999,2000,2001

From 0da9fafc188f5578f725c97515bb846fdb624d2b Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Sat, 24 Oct 2009 23:47:36 +0000
Subject: [PATCH 361/385] update copyright notice

---
 lib/dns/gssapi_link.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index edc2bf26ff..5645814562 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.13 2009/10/24 09:46:19 fdupont Exp $
+ * $Id: gssapi_link.c,v 1.14 2009/10/24 23:47:36 tbox Exp $
  */
 
 #include 

From c02149960459e4406d9e50fb1867433e7f0e8f0d Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 26 Oct 2009 21:18:24 +0000
Subject: [PATCH 362/385] 2731.	[func]		Additional work on change
 2709.  The key parser 			will now ignore unrecognized fields
 when the 			minor version number of the private key format
 			has been increased.  It will reject any key with 
 		the major version number increased. [RT #20310]

---
 CHANGES                     |  6 ++++++
 bin/dnssec/dnssec-revoke.c  | 15 +++++++------
 bin/dnssec/dnssec-settime.c | 25 +++++++---------------
 bin/dnssec/dnssectool.c     | 42 ++++++++++++++++++++++++++++++++++++-
 bin/dnssec/dnssectool.h     |  8 ++++++-
 lib/dns/dnssec.c            |  4 +++-
 lib/dns/dst_parse.c         | 16 +++++++-------
 lib/dns/dst_parse.h         |  5 +----
 lib/dns/include/dst/dst.h   | 24 ++++++++++++++++++++-
 9 files changed, 106 insertions(+), 39 deletions(-)

diff --git a/CHANGES b/CHANGES
index 159108b04d..2b9eb3e9fc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+2731.	[func]		Additional work on change 2709.  The key parser
+			will now ignore unrecognized fields when the
+			minor version number of the private key format
+			has been increased.  It will reject any key with
+			the major version number increased. [RT #20310]
+
 2730.	[func]		Have dnssec-keygen display a progress indication
 			a la 'openssl genrsa' on standard error. Note
 			when the first '.' is followed by a long stop
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 34798f8b98..a04cabeecb 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.16 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.17 2009/10/26 21:18:24 each Exp $ */
 
 /*! \file */
 
@@ -179,18 +179,21 @@ main(int argc, char **argv) {
 		fatal("Invalid keyfile name %s: %s",
 		      filename, isc_result_totext(result));
 
-	if (verbose > 2) {
-		char keystr[DST_KEY_FORMATSIZE];
+	dst_key_format(key, keystr, sizeof(keystr));
 
-		dst_key_format(key, keystr, sizeof(keystr));
+	if (verbose > 2)
 		fprintf(stderr, "%s: %s\n", program, keystr);
-	}
+
+	if (force)
+		set_keyversion(key);
+	else
+		check_keyversion(key, keystr);
+
 
 	flags = dst_key_flags(key);
 	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
 		isc_stdtime_t now;
 
-
 		if ((flags & DNS_KEYFLAG_KSK) == 0)
 			fprintf(stderr, "%s: warning: Key is not flagged "
 					"as a KSK. Revoking a ZSK is "
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 7371955a25..4a7f04811c 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.17 2009/10/12 20:48:10 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.18 2009/10/26 21:18:24 each Exp $ */
 
 /*! \file */
 
@@ -131,7 +131,6 @@ main(int argc, char **argv) {
 	isc_entropy_t *ectx = NULL;
 	dst_key_t *key = NULL;
 	isc_buffer_t buf;
-	int major, minor;
 	isc_stdtime_t	now;
 	isc_stdtime_t	pub = 0, act = 0, rev = 0, inact = 0, del = 0;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
@@ -143,7 +142,7 @@ main(int argc, char **argv) {
 	isc_boolean_t	printcreate = ISC_FALSE, printpub = ISC_FALSE;
 	isc_boolean_t	printact = ISC_FALSE,  printrev = ISC_FALSE;
 	isc_boolean_t	printinact = ISC_FALSE, printdel = ISC_FALSE;
-	isc_boolean_t	forceupdate = ISC_FALSE;
+	isc_boolean_t	force = ISC_FALSE;
 	isc_boolean_t   epoch = ISC_FALSE;
 	isc_boolean_t   changed = ISC_FALSE;
 
@@ -167,7 +166,7 @@ main(int argc, char **argv) {
 			engine = isc_commandline_argument;
 			break;
 		case 'f':
-			forceupdate = ISC_TRUE;
+			force = ISC_TRUE;
 			break;
 		case 'p':
 			p = isc_commandline_argument;
@@ -346,20 +345,10 @@ main(int argc, char **argv) {
 
 	dst_key_format(key, keystr, sizeof(keystr));
 
-	/* Is this an old-style key? */
-	dst_key_getprivateformat(key, &major, &minor);
-	if (major <= 1 && minor <= 2) {
-		if (forceupdate) {
-			/*
-			 * Updating to new-style key: set
-			 * Private-key-format to 1.3
-			 */
-			dst_key_setprivateformat(key, 1, 3);
-			dst_key_settime(key, DST_TIME_CREATED, now);
-		} else
-			fatal("Incompatible key %s, "
-			      "use -f to force update.", keystr);
-	}
+	if (force)
+		set_keyversion(key);
+	else
+		check_keyversion(key, keystr);
 
 	if (verbose > 2)
 		fprintf(stderr, "%s: %s\n", program, keystr);
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 541dda0b12..d8c4ea4865 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.56 2009/10/24 00:00:06 each Exp $ */
+/* $Id: dnssectool.c,v 1.57 2009/10/26 21:18:24 each Exp $ */
 
 /*! \file */
 
@@ -362,3 +362,43 @@ try_dir(const char *dirname) {
 	}
 	return (result);
 }
+
+/*
+ * Check private key version compatibility.
+ */
+void
+check_keyversion(dst_key_t *key, char *keystr) {
+	int major, minor;
+	dst_key_getprivateformat(key, &major, &minor);
+        INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
+
+	if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) 
+		fatal("Key %s has incompatible format version %d.%d, "
+		      "use -f to force upgrade to new version.",
+		      keystr, major, minor);
+	if (minor > DST_MINOR_VERSION)
+		fatal("Key %s has incompatible format version %d.%d, "
+		      "use -f to force downgrade to current version.",
+		      keystr, major, minor);
+}
+
+void
+set_keyversion(dst_key_t *key) {
+	int major, minor;
+	dst_key_getprivateformat(key, &major, &minor);
+        INSIST(major <= DST_MAJOR_VERSION);
+
+	if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
+		dst_key_setprivateformat(key, DST_MAJOR_VERSION,
+					 DST_MINOR_VERSION);
+
+	/*
+	 * If the key is from a version older than 1.3, set
+	 * set the creation date
+	 */
+	if (major < 1 || (major == 1 && minor <= 2)) {
+		isc_stdtime_t now;
+		isc_stdtime_get(&now);
+		dst_key_settime(key, DST_TIME_CREATED, now);
+	}
+}
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index c1a0ee1767..249d7054e6 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.28 2009/10/24 00:00:06 each Exp $ */
+/* $Id: dnssectool.h,v 1.29 2009/10/26 21:18:24 each Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -70,4 +70,10 @@ strtoclass(const char *str);
 
 isc_result_t
 try_dir(const char *dirname);
+
+void
+check_keyversion(dst_key_t *key, char *keystr);
+
+void
+set_keyversion(dst_key_t *key);
 #endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 9c90215bed..5a40d2e80a 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.106 2009/10/16 23:47:54 tbox Exp $
+ * $Id: dnssec.c,v 1.107 2009/10/26 21:18:24 each Exp $
  */
 
 /*! \file */
@@ -985,6 +985,8 @@ dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
 
 	/* Is this an old-style key? */
 	result = dst_key_getprivateformat(dk->key, &major, &minor);
+
+	/* Smart signing started with key format 1.3 */
 	dk->legacy = ISC_TF(major == 1 && minor <= 2);
 
 	ISC_LINK_INIT(dk, link);
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index c5dc612f41..5fc5638193 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.22 2009/10/22 02:21:30 each Exp $
+ * $Id: dst_parse.c,v 1.23 2009/10/26 21:18:24 each Exp $
  */
 
 #include 
@@ -385,9 +385,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		goto fail;
 	}
 
-	if (major > MAJOR_VERSION ||
-	    (major == MAJOR_VERSION && minor > MINOR_VERSION))
-	{
+	if (major > DST_MAJOR_VERSION) {
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
 	}
@@ -476,10 +474,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 
 		/* Key data */
 		tag = find_value(DST_AS_STR(token), alg);
-		if (tag < 0) {
+		if (tag < 0 && minor > DST_MINOR_VERSION)
+			goto next;
+		else if (tag < 0) {
 			ret = DST_R_INVALIDPRIVATEKEY;
 			goto fail;
 		}
+
 		priv->elements[n].tag = tag;
 
 		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
@@ -490,6 +491,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		ret = isc_base64_tobuffer(lex, &b, -1);
 		if (ret != ISC_R_SUCCESS)
 			goto fail;
+
 		isc_buffer_usedregion(&b, &r);
 		priv->elements[n].length = r.length;
 		priv->elements[n].data = r.base;
@@ -550,8 +552,8 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 
 	dst_key_getprivateformat(key, &major, &minor);
 	if (major == 0 && minor == 0) {
-		major = MAJOR_VERSION;
-		minor = MINOR_VERSION;
+		major = DST_MAJOR_VERSION;
+		minor = DST_MINOR_VERSION;
 	}
 
 	/* XXXDCL return value should be checked for full filesystem */
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index d893c2dc2a..ceb8b188bd 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.14 2009/09/02 06:29:01 each Exp $ */
+/* $Id: dst_parse.h,v 1.15 2009/10/26 21:18:24 each Exp $ */
 
 /*! \file */
 #ifndef DST_DST_PARSE_H
@@ -39,9 +39,6 @@
 
 #include 
 
-#define MAJOR_VERSION		1
-#define MINOR_VERSION		3
-
 #define MAXFIELDSIZE		512
 
 /*
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 2217139e3d..1f6020a3bf 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.24 2009/10/24 09:46:19 fdupont Exp $ */
+/* $Id: dst.h,v 1.25 2009/10/26 21:18:24 each Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -100,6 +100,28 @@ typedef struct dst_context 	dst_context_t;
 #define DST_NUM_ROLLPERIOD	3
 #define DST_MAX_NUMERIC		3
 
+/*
+ * Current format version number of the private key parser.
+ *
+ * When parsing a key file with the same major number but a higher minor
+ * number, the key parser will ignore any fields it does not recognize.
+ * Thus, DST_MINOR_VERSION should be incremented whenever new
+ * fields are added to the private key file (such as new metadata).
+ *
+ * When rewriting these keys, those fields will be dropped, and the
+ * format version set back to the current one..
+ *
+ * When a key is seen with a higher major number, the key parser will
+ * reject it as invalid.  Thus, DST_MAJOR_VERSION should be incremented
+ * and DST_MINOR_VERSION set to zero whenever there is a format change
+ * which is not backward compatible to previous versions of the dst_key
+ * parser, such as change in the syntax of an existing field, the removal
+ * of a currently mandatory field, or a new field added which would
+ * alter the functioning of the key if it were absent.
+ */
+#define DST_MAJOR_VERSION	1
+#define DST_MINOR_VERSION	3
+
 /***
  *** Functions
  ***/

From c8aa7ce70d75d5d8f28f941e3a522c71e948b166 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 26 Oct 2009 23:14:54 +0000
Subject: [PATCH 363/385] 2732.	[func]		Add optional filter-aaaa-on-v4
 option, available 			if built with './configure
 --enable-filter-aaaa'. 			Filters out AAAA answers to
 clients connecting 			via IPv4.  (This is NOT recommended
 for general 			use.) [RT #20339]

---
 CHANGES                          |   6 ++
 bin/named/client.c               |  27 +++++--
 bin/named/config.c               |   6 +-
 bin/named/include/named/client.h |   6 +-
 bin/named/include/named/server.h |   5 +-
 bin/named/query.c                | 128 ++++++++++++++++++++++++++++++-
 bin/named/server.c               |  21 ++++-
 config.h.in                      |   6 +-
 configure.in                     |  21 ++++-
 doc/arm/Bv9ARM-book.xml          |  57 +++++++++++++-
 lib/dns/include/dns/message.h    |   5 +-
 lib/dns/include/dns/types.h      |  11 ++-
 lib/dns/message.c                |  49 +++++++++++-
 lib/isccfg/namedconf.c           |  21 ++++-
 14 files changed, 349 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2b9eb3e9fc..c1b34cb2a7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+2732.	[func]		Add optional filter-aaaa-on-v4 option, available
+			if built with './configure --enable-filter-aaaa'.
+			Filters out AAAA answers to clients connecting
+			via IPv4.  (This is NOT recommended for general
+			use.) [RT #20339]
+
 2731.	[func]		Additional work on change 2709.  The key parser
 			will now ignore unrecognized fields when the
 			minor version number of the private key format
diff --git a/bin/named/client.c b/bin/named/client.c
index 19fa2251b8..c92f0930a2 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.265 2009/05/07 09:41:21 fdupont Exp $ */
+/* $Id: client.c,v 1.266 2009/10/26 23:14:53 each Exp $ */
 
 #include 
 
@@ -918,7 +918,7 @@ ns_client_send(ns_client_t *client) {
 	dns_compress_t cctx;
 	isc_boolean_t cleanup_cctx = ISC_FALSE;
 	unsigned char sendbuf[SEND_BUFFER_SIZE];
-	unsigned int dnssec_opts;
+	unsigned int render_opts;
 	unsigned int preferred_glue;
 	isc_boolean_t opt_included = ISC_FALSE;
 
@@ -930,10 +930,21 @@ ns_client_send(ns_client_t *client) {
 		client->message->flags |= DNS_MESSAGEFLAG_RA;
 
 	if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
-		dnssec_opts = 0;
+		render_opts = 0;
 	else
-		dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
-
+		render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+	/*
+	 * filter-aaaa-on-v4 yes or break-dnssec option to suppress
+	 * AAAA records
+	 * We already know that request came via IPv4,
+	 * that we have both AAAA and A records,
+	 * and that we either have no signatures that the client wants
+	 * or we are supposed to break DNSSEC.
+	 */
+	if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)
+		render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
+#endif
 	preferred_glue = 0;
 	if (client->view != NULL) {
 		if (client->view->preferred_glue == dns_rdatatype_a)
@@ -977,7 +988,7 @@ ns_client_send(ns_client_t *client) {
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_ANSWER,
 					   DNS_MESSAGERENDER_PARTIAL |
-					   dnssec_opts);
+					   render_opts);
 	if (result == ISC_R_NOSPACE) {
 		client->message->flags |= DNS_MESSAGEFLAG_TC;
 		goto renderend;
@@ -987,7 +998,7 @@ ns_client_send(ns_client_t *client) {
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_AUTHORITY,
 					   DNS_MESSAGERENDER_PARTIAL |
-					   dnssec_opts);
+					   render_opts);
 	if (result == ISC_R_NOSPACE) {
 		client->message->flags |= DNS_MESSAGEFLAG_TC;
 		goto renderend;
@@ -996,7 +1007,7 @@ ns_client_send(ns_client_t *client) {
 		goto done;
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_ADDITIONAL,
-					   preferred_glue | dnssec_opts);
+					   preferred_glue | render_opts);
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
 		goto done;
  renderend:
diff --git a/bin/named/config.c b/bin/named/config.c
index 39a8ba7ac6..4623482998 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.103 2009/10/10 01:47:59 each Exp $ */
+/* $Id: config.c,v 1.104 2009/10/26 23:14:53 each Exp $ */
 
 /*! \file */
 
@@ -158,6 +158,10 @@ options {\n\
 	zero-no-soa-ttl-cache no;\n\
 	nsec3-test-zone no;\n\
 "
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+"	filter-aaaa-on-v4 no;\n\
+"
+#endif
 
 "	/* zone */\n\
 	allow-query {any;};\n\
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index f6956454e1..9fff31a822 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.90 2009/05/07 09:41:22 fdupont Exp $ */
+/* $Id: client.h,v 1.91 2009/10/26 23:14:53 each Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -168,6 +168,10 @@ struct ns_client {
 #define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
 #define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
 #define NS_CLIENTATTR_WANTNSID          0x20 /*%< include nameserver ID */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+#define NS_CLIENTATTR_FILTER_AAAA	0x40 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC	0x80 /*%< recursing for A against AAAA */
+#endif
 
 extern unsigned int ns_client_requests;
 
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 83ba09afc2..75416d95a6 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.102 2009/10/12 20:48:11 each Exp $ */
+/* $Id: server.h,v 1.103 2009/10/26 23:14:53 each Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -115,6 +115,9 @@ struct ns_server {
 	dns_name_t		*session_keyname;
 	unsigned int		session_keyalg;
 	isc_uint16_t		session_keybits;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+	dns_v4_aaaa_t		v4_aaaa;
+#endif
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
diff --git a/bin/named/query.c b/bin/named/query.c
index a0726f8eea..d15ac5a8e7 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.328 2009/10/24 04:38:19 marka Exp $ */
+/* $Id: query.c,v 1.329 2009/10/26 23:14:53 each Exp $ */
 
 /*! \file */
 
@@ -4637,6 +4637,20 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	}
 
 	if (type == dns_rdatatype_any) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+		isc_boolean_t have_aaaa, have_a, have_sig;
+		
+		/*
+		 * The filter-aaaa-on-v4 option should
+		 * suppress AAAAs for IPv4 clients if there is an A.
+		 * If we are not authoritative, assume there is a A
+		 * even in if it is not in our cache.  This assumption could
+		 * be wrong but it is a good bet.
+		 */
+		have_aaaa = ISC_FALSE;
+		have_a = !authoritative;
+		have_sig = ISC_FALSE;
+#endif
 		/*
 		 * XXXRTH  Need to handle zonecuts with special case
 		 * code.
@@ -4664,6 +4678,20 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		result = dns_rdatasetiter_first(rdsiter);
 		while (result == ISC_R_SUCCESS) {
 			dns_rdatasetiter_current(rdsiter, rdataset);
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+			/*
+			 * Notice the presence of A and AAAAs so
+			 * that AAAAs can be hidden from IPv4 clients.
+			 */
+			if (ns_g_server->v4_aaaa != dns_v4_aaaa_ok &&
+			    client->peeraddr_valid &&
+			    client->peeraddr.type.sa.sa_family == AF_INET) {
+				if (rdataset->type == dns_rdatatype_aaaa)
+					have_aaaa = ISC_TRUE;
+				else if (rdataset->type == dns_rdatatype_a)
+					have_a = ISC_TRUE;
+			}
+#endif
 			if (is_zone && qtype == dns_rdatatype_any &&
 			    !dns_db_issecure(db) &&
 			    dns_rdatatype_isdnssec(rdataset->type)) {
@@ -4675,6 +4703,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				dns_rdataset_disassociate(rdataset);
 			} else if ((qtype == dns_rdatatype_any ||
 			     rdataset->type == qtype) && rdataset->type != 0) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+				if (dns_rdatatype_isdnssec(rdataset->type))
+					have_sig = ISC_TRUE;
+#endif
 				if (NOQNAME(rdataset) && WANTDNSSEC(client))
 					noqname = rdataset;
 				else
@@ -4705,6 +4737,16 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			result = dns_rdatasetiter_next(rdsiter);
 		}
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+		/*
+		 * Filter AAAAs if there is an A and there is no signature
+		 * or we are supposed to break DNSSEC.
+		 */
+		if (have_aaaa && have_a &&
+		    (!have_sig || !WANTDNSSEC(client) ||
+		     ns_g_server->v4_aaaa == dns_v4_aaaa_break_dnssec))
+			client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
+#endif
 		if (fname != NULL)
 			dns_message_puttempname(client->message, &fname);
 
@@ -4766,6 +4808,90 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * This is the "normal" case -- an ordinary question to which
 		 * we know the answer.
 		 */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+		/*
+		 * Optionally hide AAAAs from IPv4 clients if there is an A.
+		 * We add the AAAAs now, but might refuse to render them later
+		 * after DNSSEC is figured out.
+		 * This could be more efficient, but the whole idea is
+		 * so fundamentally wrong, unavoidably inaccurate, and
+		 * unneeded that it is best to keep it as short as possible.
+		 */
+		if (ns_g_server->v4_aaaa != dns_v4_aaaa_ok &&
+		    client->peeraddr_valid &&
+		    client->peeraddr.type.sa.sa_family == AF_INET &&
+		    (!WANTDNSSEC(client) ||
+		     sigrdataset == NULL ||
+		     !dns_rdataset_isassociated(sigrdataset) ||
+		     ns_g_server->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
+			if (qtype == dns_rdatatype_aaaa) {
+				trdataset = query_newrdataset(client);
+				result = dns_db_findrdataset(db, node, version,
+							dns_rdatatype_a, 0,
+							client->now,
+							trdataset, NULL);
+				if (dns_rdataset_isassociated(trdataset))
+					dns_rdataset_disassociate(trdataset);
+				query_putrdataset(client, &trdataset);
+
+				/*
+				 * We have an AAAA but the A is not in our cache.
+				 * Assume any result other than DNS_R_DELEGATION
+				 * or ISC_R_NOTFOUND means there is no A and
+				 * so AAAAs are ok.
+				 * Assume there is no A if we can't recurse
+				 * for this client, although that could be
+				 * the wrong answer. What else can we do?
+				 * Besides, that we have the AAAA and are using
+				 * this mechanism suggests that we care more
+				 * about As than AAAAs and would have cached
+				 * the A if it existed.
+				 */
+				if (result == ISC_R_SUCCESS) {
+					client->attributes |=
+						    NS_CLIENTATTR_FILTER_AAAA;
+
+				} else if (authoritative ||
+					   !RECURSIONOK(client) ||
+					   (result != DNS_R_DELEGATION &&
+					    result != ISC_R_NOTFOUND)) {
+					client->attributes &=
+						    ~NS_CLIENTATTR_FILTER_AAAA;
+				} else {
+					/*
+					 * This is an ugly kludge to recurse
+					 * for the A and discard the result.
+					 *
+					 * Continue to add the AAAA now.
+					 * We'll make a note to not render it
+					 * if the recursion for the A succeeds.
+					 */
+					result = query_recurse(client,
+							dns_rdatatype_a,
+							NULL, NULL, resuming);
+					if (result == ISC_R_SUCCESS) {
+					    client->attributes |=
+						    NS_CLIENTATTR_FILTER_AAAA_RC;
+					    client->query.attributes |=
+							NS_QUERYATTR_RECURSING;
+					}
+				}
+
+			} else if (qtype == dns_rdatatype_a &&
+				   (client->attributes &
+					    NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
+				client->attributes &=
+					    ~NS_CLIENTATTR_FILTER_AAAA_RC;
+				client->attributes |= 
+					    NS_CLIENTATTR_FILTER_AAAA;
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+					dns_rdataset_disassociate(sigrdataset);
+				goto cleanup;
+			}
+		}
+#endif
 		if (sigrdataset != NULL)
 			sigrdatasetp = &sigrdataset;
 		else
diff --git a/bin/named/server.c b/bin/named/server.c
index 268a60e478..6bedd20887 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.552 2009/10/20 03:15:06 marka Exp $ */
+/* $Id: server.c,v 1.553 2009/10/26 23:14:53 each Exp $ */
 
 /*! \file */
 
@@ -4355,6 +4355,25 @@ load_configuration(const char *filename, ns_server_t *server,
 		server->flushonshutdown = ISC_FALSE;
 	}
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+	obj = NULL;
+	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isboolean(obj)) {
+		if (cfg_obj_asboolean(obj))
+			server->v4_aaaa = dns_v4_aaaa_filter;
+		else
+			server->v4_aaaa = dns_v4_aaaa_ok;
+	} else {
+		const char *v4_aaaastr = cfg_obj_asstring(obj);
+		if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
+			server->v4_aaaa
+					= dns_v4_aaaa_break_dnssec;
+		else
+			INSIST(0);
+	}
+
+#endif
 	result = ISC_R_SUCCESS;
 
  cleanup:
diff --git a/config.h.in b/config.h.in
index cc78c6d318..38f5a16101 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.120 2009/09/01 18:40:25 jinmei Exp $ */
+/* $Id: config.h.in,v 1.121 2009/10/26 23:14:53 each Exp $ */
 
 /*! \file */
 
@@ -365,3 +365,7 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to empty if the keyword `volatile' does not work. Warning: valid
    code using `volatile' can become incorrect without. Disable with care. */
 #undef volatile
+
+/* Define to enable the "filter-aaaa-on-v4" option. */
+#undef ALLOW_FILTER_AAAA_ON_V4
+
diff --git a/configure.in b/configure.in
index b36570d86c..af79aad318 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.485 $)
+AC_REVISION($Revision: 1.486 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -2641,6 +2641,25 @@ case "$enable_fixed" in
 		;;
 esac
 
+#
+# Activate "filter-aaaa-on-v4" or not?
+#
+AC_ARG_ENABLE(filter-aaaa,
+	[  --enable-filter-aaaa    enable filtering of AAAA records over IPv4
+			  [[default=no]]],
+			enable_filter="$enableval",
+			enable_filter="no")
+case "$enable_filter" in
+	yes)
+		AC_DEFINE(ALLOW_FILTER_AAAA_ON_V4, 1,
+			  [Define to enable the "filter-aaaa-on-v4" option.])
+		;;
+	no)
+		;;
+	*)
+		;;
+esac
+
 #
 #  The following sets up how non-blocking i/o is established.
 #  Sunos, cygwin and solaris 2.x (x<5) require special handling.
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index b5e16f595f..9ea53bccd9 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   BIND 9 Administrator Reference Manual
 
@@ -5000,6 +5000,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
      random-device path_name ; 
      max-cache-size size_spec ; 
      match-mapped-addresses yes_or_no; 
+     match-mapped-addresses yes_or_no; 
+     disable-aaaa-on-v4-transport ( yes_or_no | break-dnssec ); 
      preferred-glue ( A | AAAA | NONE ); 
      edns-udp-size number; 
      max-udp-size number; 
@@ -6232,6 +6234,59 @@ options {
               
             
 
+            
+              filter-aaaa-on-v4
+              
+                
+                  This option is only available when
+                  BIND 9 is compiled with the
+                  --with-filter-aaaa option on the
+                  "configure" command line.  It is intended to help the
+                  transition from IPv4 to IPv6 by not giving IPv6 addresses
+                  to DNS clients unless they have connections to the IPv6
+                  Internet.  This is not recommended unless absolutely
+                  necessary.  The default is no.
+                
+                
+                  If yes,
+                  the DNS client is at an IPv4 address,
+                  and if the response does not include DNSSEC signatures, 
+                  then all AAAA records are deleted from the response.
+                  This filtering applies to all responses and not only
+                  authoritative responses.
+                
+                
+                  If break-dnssec,
+                  then AAAA records are deleted even when dnssec is enabled.
+                  As suggested by the name, this makes the response not verify,
+                  because the DNSSEC protocol is designed detect deletions.
+                
+                
+                  This mechanism can erroneously cause other servers to 
+		  not give AAAA records to their clients.  
+		  A recursing server with both IPv6 and IPv4 network connections
+		  that queries an authoritative server using this mechanism
+		  via IPv4 will be denied AAAA records even if its client is
+		  using IPv6.
+                
+                
+                  This mechanism is applied to authoritative as well as
+		  non-authoritative records.
+		  A client using IPv4 that is not allowed recursion can
+		  erroneously be given AAAA records because the server is not
+		  allowed to check for A records.
+                
+                
+		  Some AAAA records are given to IPv4 clients in glue records.
+		  IPv4 clients that are servers can then erroneously
+		  answer requests for AAAA records received via IPv4.
+                
+                
+		  security
+                
+              
+            
+
             
               ixfr-from-differences
               
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 044b0103dd..da59409d54 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.128 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: message.h,v 1.129 2009/10/26 23:14:54 each Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -173,6 +173,9 @@ typedef int dns_messagetextflag_t;
 						      additional section. */
 #define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/*%< prefer AAAA records in
 						  additional section. */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+#define DNS_MESSAGERENDER_FILTER_AAAA	0x0020	/*%< filter AAAA records */
+#endif 
 
 typedef struct dns_msgblock dns_msgblock_t;
 
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 79be222e10..46faaab982 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.136 2009/09/01 00:22:27 jinmei Exp $ */
+/* $Id: types.h,v 1.137 2009/10/26 23:14:54 each Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -187,6 +187,15 @@ typedef enum {
 	dns_masterformat_raw = 2
 } dns_masterformat_t;
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+typedef enum {
+	dns_v4_aaaa_ok = 0,
+	dns_v4_aaaa_filter = 1,
+	dns_v4_aaaa_break_dnssec = 2
+} dns_v4_aaaa_t;
+
+#endif
+
 /*
  * These are generated by gen.c.
  */
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 302a75453d..d74382b5b0 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.247 2009/01/17 23:47:42 tbox Exp $ */
+/* $Id: message.c,v 1.248 2009/10/26 23:14:54 each Exp $ */
 
 /*! \file */
 
@@ -1802,6 +1802,36 @@ wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
 	return (ISC_TRUE);
 }
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+/*
+ * Decide whether to not answer with an AAAA record and its RRSIG
+ */
+static inline isc_boolean_t
+norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options)
+{
+	switch (rdataset->type) {
+	case dns_rdatatype_aaaa:
+		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0)
+			return (ISC_FALSE);
+		break;
+
+	case dns_rdatatype_rrsig:
+		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0 ||
+		    rdataset->covers != dns_rdatatype_aaaa)
+			return (ISC_FALSE);
+		break;
+
+	default:
+		return (ISC_FALSE);
+	}
+
+	if (rdataset->rdclass != dns_rdataclass_in)
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
+}
+
+#endif
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 			  unsigned int options)
@@ -1927,6 +1957,23 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 						      preferred_glue))
 					goto next;
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+				/*
+				 * Suppress AAAAs if asked and we are
+				 * not doing DNSSEC or are breaking DNSSEC.
+				 * Say so in the AD bit if we break DNSSEC.
+				 */
+				if (norender_rdataset(rdataset, options) &&
+				    sectionid != DNS_SECTION_QUESTION) {
+					if (sectionid == DNS_SECTION_ANSWER ||
+					    sectionid == DNS_SECTION_AUTHORITY)
+					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
+					if (OPTOUT(rdataset))
+					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
+					goto next;
+				}
+
+#endif
 				st = *(msg->buffer);
 
 				count = 0;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 96fac89dba..c38de43203 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.109 2009/10/12 23:48:02 tbox Exp $ */
+/* $Id: namedconf.c,v 1.110 2009/10/26 23:14:54 each Exp $ */
 
 /*! \file */
 
@@ -120,6 +120,9 @@ static cfg_type_t cfg_type_zone;
 static cfg_type_t cfg_type_zoneopts;
 static cfg_type_t cfg_type_dynamically_loadable_zones;
 static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+static cfg_type_t cfg_type_v4_aaaa;
+#endif
 
 /*
  * Clauses that can be found in a 'dynamically loadable zones' statement
@@ -874,6 +877,9 @@ options_clauses[] = {
 	{ "use-ixfr", &cfg_type_boolean, 0 },
 	{ "version", &cfg_type_qstringornone, 0 },
 	{ "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+	{ "filter-aaaa-on-v4", &cfg_type_v4_aaaa, 0 },
+#endif
 	{ NULL, NULL, 0 }
 };
 
@@ -1591,6 +1597,19 @@ static cfg_type_t cfg_type_ixfrdifftype = {
 	&cfg_rep_string, ixfrdiff_enums,
 };
 
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+static const char *v4_aaaa_enums[] = { "break-dnssec", NULL };
+static isc_result_t
+parse_v4_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_v4_aaaa = {
+	"v4_aaaa", parse_v4_aaaa, cfg_print_ustring,
+	doc_enum_or_other, &cfg_rep_string, v4_aaaa_enums,
+};
+
+#endif
 static keyword_type_t key_kw = { "key", &cfg_type_astring };
 
 LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {

From 6f9c93a8858a28b131dbd36b75b81e9250c6d11a Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Mon, 26 Oct 2009 23:36:53 +0000
Subject: [PATCH 364/385] 2733.	[cleanup]	Clean up coding style in
 pkcs11-* tools. [RT #20355]

---
 CHANGES                     |   2 +
 bin/pkcs11/pkcs11-destroy.c | 376 ++++++++++++++++-------------
 bin/pkcs11/pkcs11-keygen.c  | 469 ++++++++++++++++++++----------------
 bin/pkcs11/pkcs11-list.c    | 408 +++++++++++++++++--------------
 bin/pkcs11/unix/cryptoki.h  |  22 +-
 bin/pkcs11/unix/unix.c      |  20 ++
 bin/pkcs11/win32/win32.c    |  20 ++
 7 files changed, 768 insertions(+), 549 deletions(-)

diff --git a/CHANGES b/CHANGES
index c1b34cb2a7..777214c527 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
+
 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
 			if built with './configure --enable-filter-aaaa'.
 			Filters out AAAA answers to clients connecting
diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c
index 8b7eb74aac..d7e4a92d2f 100644
--- a/bin/pkcs11/pkcs11-destroy.c
+++ b/bin/pkcs11/pkcs11-destroy.c
@@ -1,5 +1,49 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-destroy.c,v 1.7 2009/10/26 23:36:53 each Exp $ */
+
 /* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
 
+/*! \file */
+
 #include 
 
 #include 
@@ -26,179 +70,189 @@
 int
 main(int argc, char *argv[])
 {
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE attr_id[2];
-    CK_OBJECT_HANDLE akey[50];
-    char *label = NULL;
-    int error = 0;
-    unsigned int id = 0, i = 0;
-    int c, errflg = 0;
-    CK_ULONG ulObjectCount;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_ID, &attr_id, sizeof(attr_id)}
-    };
-    extern char *optarg;
-    extern int optopt;
-    char *pk11_provider;
-
-    pk11_provider = getenv("PKCS11_PROVIDER");
-    if (pk11_provider != NULL)
-        pk11_libname = pk11_provider;
-
-    while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
-	switch (c) {
-	case 'm':
-	    pk11_libname = optarg;
-	    break;
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-	case 'i':
-	    id = atoi(optarg);
-	    id &= 0xffff;
-	    break;
-	case 'l':
-	    label = optarg;
-	    break;
-	case 'p':
-	    pin = (CK_UTF8CHAR *)optarg;
-	    break;
-	case ':':
-	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
-	    errflg++;
-	    break;
-	case '?':
-	default:
-	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-	    errflg++;
-	}
-    }
-    if (errflg || ((!id) && (!label))) {
-	fprintf(stderr,
-		"usage: pkcs11-destroy [-m module] [-s slot] "
-		"[-i id | -l label] [-p pin]\n");
-	exit(1);
-    }
-    if (id) {
-	printf("id %i\n", id);
-	attr_id[0] = (id >> 8) & 0xff;
-	attr_id[1] = id & 0xff;
-    } else if (label) {
-	printf("label %s\n", label);
-	search_template[0].type = CKA_LABEL;
-	search_template[0].pValue = label;
-	search_template[0].ulValueLen = strlen(label);
-    }
-
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if (rv != CKR_OK) {
-	if (rv == 0xfe)
-	    fprintf(stderr,
-		    "Can't load or link module \"%s\"\n",
-		    pk11_libname);
-	else
-	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
-	exit(1);
-    }
-
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_program;
-    }
-
-    /* Login to the Token (Keystore) */
-    if (!pin)
-	pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-
-    rv = C_FindObjectsInit(hSession, search_template,
-			   ((id != 0) || (label != NULL)) ? 1 : 0); 
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-    
-    rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_search;
-    }
-
-    for (i = 0; i < ulObjectCount; i++) {
-	CK_OBJECT_CLASS oclass = 0;
-	CK_BYTE labelbuf[64 + 1];
-	CK_BYTE idbuf[64];
-	CK_ATTRIBUTE attr_template[] = {
-	    {CKA_CLASS, &oclass, sizeof(oclass)},
-	    {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
-	    {CKA_ID, idbuf, sizeof(idbuf)}
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession;
+	CK_UTF8CHAR *pin = NULL;
+	CK_BYTE attr_id[2];
+	CK_OBJECT_HANDLE akey[50];
+	char *label = NULL;
+	int error = 0;
+	unsigned int id = 0, i = 0;
+	int c, errflg = 0;
+	CK_ULONG ulObjectCount;
+	CK_ATTRIBUTE search_template[] = {
+		{CKA_ID, &attr_id, sizeof(attr_id)}
 	};
+	char *pk11_provider;
 	unsigned int j, len;
+	extern char *optarg;
+	extern int optopt;
 
-	memset(labelbuf, 0, sizeof(labelbuf));
-	memset(idbuf, 0, sizeof(idbuf));
+	pk11_provider = getenv("PKCS11_PROVIDER");
+	if (pk11_provider != NULL)
+		pk11_libname = pk11_provider;
 
-	rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, rv);
-	    error = 1;
-	    goto exit_search;
+	while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
+		switch (c) {
+		case 'm':
+			pk11_libname = optarg;
+			break;
+		case 's':
+			slot = atoi(optarg);
+			break;
+		case 'i':
+			id = atoi(optarg);
+			id &= 0xffff;
+			break;
+		case 'l':
+			label = optarg;
+			break;
+		case 'p':
+			pin = (CK_UTF8CHAR *)optarg;
+			break;
+		case ':':
+			fprintf(stderr,
+				"Option -%c requires an operand\n",
+				optopt);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+			errflg++;
+		}
 	}
-	len = attr_template[2].ulValueLen;
-	printf("object[%u]: class %lu label '%s' id[%lu] ",
-	       i, oclass, labelbuf, attr_template[2].ulValueLen);
-	if (len > 4)
-	    len = 4;
-	if (len > 0)
-	    printf("0x");
-	for (j = 0; j < len; j++)
-	    printf("%02x", idbuf[j]);
-	if (attr_template[2].ulValueLen > len)
-	    printf("...\n");
-	else
-	    printf("\n");
-    }
 
-    /* give a chance to kill this */
-    printf("sleeping 5 seconds...\n");
-    sleep(5);
-
-    for (i = 0; i < ulObjectCount; i++) {
-	rv = C_DestroyObject(hSession, akey[i]);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_DestroyObject[%u]: rv = 0x%.8lX\n", i, rv);
-	    error = 1;
+	if (errflg || (!id && (label != NULL))) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
+				"[-i id | -l label] [-p pin]\n");
+		exit(1);
+	}
+
+	if (id) {
+		printf("id %i\n", id);
+		attr_id[0] = (id >> 8) & 0xff;
+		attr_id[1] = id & 0xff;
+	} else if (label) {
+		printf("label %s\n", label);
+		search_template[0].type = CKA_LABEL;
+		search_template[0].pValue = label;
+		search_template[0].ulValueLen = strlen(label);
+	}
+
+	/* Initialize the CRYPTOKI library */
+	rv = C_Initialize(NULL_PTR);
+	if (rv != CKR_OK) {
+		if (rv == 0xfe)
+			fprintf(stderr,
+				"Can't load or link module \"%s\"\n",
+				pk11_libname);
+		else
+			fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+		exit(1);
+	}
+
+	/* Open a session on the slot found */
+	rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+			   NULL_PTR, NULL_PTR, &hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_program;
+	}
+
+	if (pin == NULL)
+		pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+	/* Login to the Token (Keystore) */
+	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+	memset(pin, 0, strlen((char *)pin));
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+
+	rv = C_FindObjectsInit(hSession, search_template,
+		   ((id != 0) || (label != NULL)) ? 1 : 0); 
+
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+	
+	rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_search;
+	}
+
+	for (i = 0; i < ulObjectCount; i++) {
+		CK_OBJECT_CLASS oclass = 0;
+		CK_BYTE labelbuf[64 + 1];
+		CK_BYTE idbuf[64];
+		CK_ATTRIBUTE attr_template[] = {
+			{CKA_CLASS, &oclass, sizeof(oclass)},
+			{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+			{CKA_ID, idbuf, sizeof(idbuf)}
+		};
+
+		memset(labelbuf, 0, sizeof(labelbuf));
+		memset(idbuf, 0, sizeof(idbuf));
+
+		rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_GetAttributeValue[%u]: rv = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+			goto exit_search;
+		}
+		len = attr_template[2].ulValueLen;
+		printf("object[%u]: class %lu label '%s' id[%lu] ",
+		       i, oclass, labelbuf, attr_template[2].ulValueLen);
+		if (len > 4)
+			len = 4;
+		if (len > 0)
+			printf("0x");
+		for (j = 0; j < len; j++)
+			printf("%02x", idbuf[j]);
+		if (attr_template[2].ulValueLen > len)
+			printf("...\n");
+		else
+			printf("\n");
+	}
+
+	/* give a chance to kill this */
+	printf("sleeping 5 seconds...\n");
+	sleep(5);
+
+	for (i = 0; i < ulObjectCount; i++) {
+		rv = C_DestroyObject(hSession, akey[i]);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_DestroyObject[%u]: rv = 0x%.8lX\n",
+				i, rv);
+			error = 1;
+		}
 	}
-    }
 
  exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
-	error = 1;
-    }
+	rv = C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
 
  exit_session:
-    (void) C_CloseSession(hSession);
+	(void)C_CloseSession(hSession);
 
  exit_program:
-    (void) C_Finalize(NULL_PTR);
+	(void)C_Finalize(NULL_PTR);
 
-    exit(error);
+	exit(error);
 }
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index 79e5e7dfd5..1ffb3430ab 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -1,16 +1,60 @@
-/* pkcs11-keygen - pkcs11 rsa key generator
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * create RSASHA1 key in the keystore of an SCA6000
- * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts 
- * it into a zone file.
- *
- * usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
- *               -l label [-i id] [-p pin] 
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-keygen.c,v 1.9 2009/10/26 23:36:53 each Exp $ */
+
+/* pkcs11-keygen - pkcs11 rsa key generator
+*
+* create RSASHA1 key in the keystore of an SCA6000
+* The calculation of key tag is left to the script
+* that converts the key into a DNSKEY RR and inserts 
+* it into a zone file.
+*
+* usage:
+* pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+*               -l label [-i id] [-p pin] 
+*
+*/
+
+/*! \file */
+
 #include 
 
 #include 
@@ -40,222 +84,225 @@ static CK_BBOOL falsevalue = FALSE;
 int
 main(int argc, char *argv[])
 {
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_MECHANISM genmech;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_ULONG modulusbits = 0;
-    CK_CHAR *label = NULL;
-    CK_OBJECT_HANDLE privatekey, publickey;
-    CK_BYTE public_exponent[5];
-    CK_ULONG expsize = 3;
-    int error = 0;
-    int c, errflg = 0;
-    int hide = 1;
-    int idlen = 0;
-    unsigned long id = 0;
-    CK_BYTE idbuf[4];
-    CK_ULONG ulObjectCount;
-    /* Set search template */
-    CK_ATTRIBUTE search_template[] = {
-        {CKA_LABEL, NULL_PTR, 0}
-    };
-    CK_ATTRIBUTE publickey_template[] = {
-        {CKA_LABEL, NULL_PTR, 0},
-        {CKA_VERIFY, &truevalue, sizeof (truevalue)},
-        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
-        {CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
-        {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
-	{CKA_ID, &idbuf, idlen}
-    };
-    CK_ULONG publickey_attrcnt = 6;
-    CK_ATTRIBUTE privatekey_template[] = {
-        {CKA_LABEL, NULL_PTR, 0},
-        {CKA_SIGN, &truevalue, sizeof (truevalue)},
-        {CKA_TOKEN, &truevalue, sizeof (truevalue)},
-        {CKA_PRIVATE, &truevalue, sizeof (truevalue)},
-        {CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
-        {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)},
-	{CKA_ID, &idbuf, idlen}
-    };
-    CK_ULONG privatekey_attrcnt = 7;
-    extern char *optarg;
-    extern int optopt;
-    char *pk11_provider;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_MECHANISM genmech;
+	CK_SESSION_HANDLE hSession;
+	CK_UTF8CHAR *pin = NULL;
+	CK_ULONG modulusbits = 0;
+	CK_CHAR *label = NULL;
+	CK_OBJECT_HANDLE privatekey, publickey;
+	CK_BYTE public_exponent[5];
+	CK_ULONG expsize = 3;
+	int error = 0;
+	int c, errflg = 0;
+	int hide = 1;
+	int idlen = 0;
+	unsigned long id = 0;
+	CK_BYTE idbuf[4];
+	CK_ULONG ulObjectCount;
+	/* Set search template */
+	CK_ATTRIBUTE search_template[] = {
+		{CKA_LABEL, NULL_PTR, 0}
+	};
+	CK_ATTRIBUTE publickey_template[] = {
+		{CKA_LABEL, NULL_PTR, 0},
+		{CKA_VERIFY, &truevalue, sizeof(truevalue)},
+		{CKA_TOKEN, &truevalue, sizeof(truevalue)},
+		{CKA_MODULUS_BITS, &modulusbits, sizeof(modulusbits)},
+		{CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+		{CKA_ID, &idbuf, idlen}
+	};
+	CK_ULONG publickey_attrcnt = 6;
+	CK_ATTRIBUTE privatekey_template[] = {
+		{CKA_LABEL, NULL_PTR, 0},
+		{CKA_SIGN, &truevalue, sizeof(truevalue)},
+		{CKA_TOKEN, &truevalue, sizeof(truevalue)},
+		{CKA_PRIVATE, &truevalue, sizeof(truevalue)},
+		{CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
+		{CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
+		{CKA_ID, &idbuf, idlen}
+	};
+	CK_ULONG privatekey_attrcnt = 7;
+	char *pk11_provider;
+	extern char *optarg;
+	extern int optopt;
 
-    pk11_provider = getenv("PKCS11_PROVIDER");
-    if (pk11_provider != NULL)
-        pk11_libname = pk11_provider;
-    
-    while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
-        switch (c) {
-	case 'P':
-	    hide = 0;
-	    break;
-	case 'm':
-	    pk11_libname = optarg;
-	    break;
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-	case 'e':
-	    expsize = 5;
-	    break;
-        case 'b':
-            modulusbits = atoi(optarg);
-            break;
-        case 'l':
-            label = (CK_CHAR *)optarg;
-            break;
-	case 'i':
-	    id = strtoul(optarg, NULL, 0);
-	    idlen = 4;
-	    break;
-        case 'p':
-            pin = (CK_UTF8CHAR *)optarg;
-            break;
-        case ':':
-            fprintf(stderr, "Option -%c requires an operand\n", optopt);
-            errflg++;
-            break;
-        case '?':
-	default:
-            fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-            errflg++;
-        }
-    }
-    if ((errflg) || (!modulusbits) || (!label)) {
-        fprintf(stderr,
-		"usage: pkcs11-keygen "
-		"[-P] [-m module] [-s slot] [-e] -b keysize\n"
-		"                     "
-		"-l label [-i id] [-p pin]\n");
-        exit(2);
-    }
-    
-    search_template[0].pValue = label;
-    search_template[0].ulValueLen = strlen((char *)label);
-    publickey_template[0].pValue = label;
-    publickey_template[0].ulValueLen = strlen((char *)label);
-    privatekey_template[0].pValue = label;
-    privatekey_template[0].ulValueLen = strlen((char *)label);
+	pk11_provider = getenv("PKCS11_PROVIDER");
+	if (pk11_provider != NULL)
+		pk11_libname = pk11_provider;
 
-    /* Set public exponent to F4 or F5 */
-    public_exponent[0] = 0x01;
-    public_exponent[1] = 0x00;
-    if (expsize == 3)
-	public_exponent[2] = 0x01;
-    else {
-	publickey_template[4].ulValueLen = expsize;
-	public_exponent[2] = 0x00;
-	public_exponent[3] = 0x00;
-	public_exponent[4] = 0x01;
-    }
+	while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
+		switch (c) {
+		case 'P':
+			hide = 0;
+			break;
+		case 'm':
+			pk11_libname = optarg;
+			break;
+		case 's':
+			slot = atoi(optarg);
+			break;
+		case 'e':
+			expsize = 5;
+			break;
+		case 'b':
+			modulusbits = atoi(optarg);
+			break;
+		case 'l':
+			label = (CK_CHAR *)optarg;
+			break;
+		case 'i':
+			id = strtoul(optarg, NULL, 0);
+			idlen = 4;
+			break;
+		case 'p':
+			pin = (CK_UTF8CHAR *)optarg;
+			break;
+		case ':':
+			fprintf(stderr,
+				"Option -%c requires an operand\n",
+				optopt);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+			errflg++;
+		}
+	}
 
-    /* Set up mechanism for generating key pair */
-    genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-    genmech.pParameter = NULL_PTR;
-    genmech.ulParameterLen = 0;
+	if (errflg || !modulusbits || (label == NULL)) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-keygen -b keysize -l label\n");
+		fprintf(stderr, "\t              [-P] [-m module] "
+				"[-s slot] [-e] [-i id] [-p PIN]\n");
+		exit(2);
+	}
+	
+	search_template[0].pValue = label;
+	search_template[0].ulValueLen = strlen((char *)label);
+	publickey_template[0].pValue = label;
+	publickey_template[0].ulValueLen = strlen((char *)label);
+	privatekey_template[0].pValue = label;
+	privatekey_template[0].ulValueLen = strlen((char *)label);
 
-    if (idlen == 0) {
-        publickey_attrcnt--;
-        privatekey_attrcnt--;
-    } else if (id <= 0xffff) {
-	idlen = 2;
-	publickey_template[5].ulValueLen = idlen;
-	privatekey_template[6].ulValueLen = idlen;
-	idbuf[0] = (CK_BYTE) (id >> 8);
-	idbuf[1] = (CK_BYTE) id;
-    } else {
-        idbuf[0] = (CK_BYTE) (id >> 24);
-	idbuf[1] = (CK_BYTE) (id >> 16);
-	idbuf[2] = (CK_BYTE) (id >> 8);
-	idbuf[3] = (CK_BYTE) id;
-    }
+	/* Set public exponent to F4 or F5 */
+	public_exponent[0] = 0x01;
+	public_exponent[1] = 0x00;
+	if (expsize == 3)
+		public_exponent[2] = 0x01;
+	else {
+		publickey_template[4].ulValueLen = expsize;
+		public_exponent[2] = 0x00;
+		public_exponent[3] = 0x00;
+		public_exponent[4] = 0x01;
+	}
 
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
+	/* Set up mechanism for generating key pair */
+	genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+	genmech.pParameter = NULL_PTR;
+	genmech.ulParameterLen = 0;
 
-    if (rv != CKR_OK) {
-	if (rv == 0xfe)
-	    fprintf(stderr,
-		    "Can't load or link module \"%s\"\n",
-		    pk11_libname);
-	else
-	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
-	exit(1);
-    }
+	if (idlen == 0) {
+		publickey_attrcnt--;
+		privatekey_attrcnt--;
+	} else if (id <= 0xffff) {
+		idlen = 2;
+		publickey_template[5].ulValueLen = idlen;
+		privatekey_template[6].ulValueLen = idlen;
+		idbuf[0] = (CK_BYTE)(id >> 8);
+		idbuf[1] = (CK_BYTE)id;
+	} else {
+		idbuf[0] = (CK_BYTE)(id >> 24);
+		idbuf[1] = (CK_BYTE)(id >> 16);
+		idbuf[2] = (CK_BYTE)(id >> 8);
+		idbuf[3] = (CK_BYTE)id;
+	}
 
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
+	/* Initialize the CRYPTOKI library */
+	rv = C_Initialize(NULL_PTR);
 
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_program;
-    }
+	if (rv != CKR_OK) {
+		if (rv == 0xfe)
+			fprintf(stderr,
+				"Can't load or link module \"%s\"\n",
+				pk11_libname);
+		else
+			fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+		exit(1);
+	}
 
-    /* Login to the Token (Keystore) */
-    if (!pin)
-        pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-    rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-    memset(pin, 0, strlen((char *)pin));
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-   
-    /* check if a key with the same id already exists */
-    rv = C_FindObjectsInit(hSession, search_template, 1); 
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
-        error = 1;
-        goto exit_session;
-    }
-    rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
-        error = 1;
-        goto exit_search;
-    }
-    if (ulObjectCount != 0) {
-        fprintf(stderr, "Key already exists.\n");
-        error = 1;
-        goto exit_search;
-    }
-    
-    /* Set attributes if the key is not to be hidden */
-    if (!hide) {
-        privatekey_template[4].pValue = &falsevalue;
-	privatekey_template[5].pValue = &truevalue;
-    }
+	/* Open a session on the slot found */
+	rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+			   NULL_PTR, NULL_PTR, &hSession);
 
-    /* Generate Key pair for signing/verifying */
-    rv = C_GenerateKeyPair(hSession, &genmech,
-			   publickey_template, publickey_attrcnt,
-			   privatekey_template, privatekey_attrcnt,
-			   &publickey, &privatekey);
-        
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
-        error = 1;
-    }
-    
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_program;
+	}
+
+	/* Login to the Token (Keystore) */
+	if (pin == NULL)
+		pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+	memset(pin, 0, strlen((char *)pin));
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+
+	/* check if a key with the same id already exists */
+	rv = C_FindObjectsInit(hSession, search_template, 1); 
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+	rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_search;
+	}
+	if (ulObjectCount != 0) {
+		fprintf(stderr, "Key already exists.\n");
+		error = 1;
+		goto exit_search;
+	}
+
+	/* Set attributes if the key is not to be hidden */
+	if (!hide) {
+		privatekey_template[4].pValue = &falsevalue;
+		privatekey_template[5].pValue = &truevalue;
+	}
+
+	/* Generate Key pair for signing/verifying */
+	rv = C_GenerateKeyPair(hSession, &genmech,
+			       publickey_template, publickey_attrcnt,
+			       privatekey_template, privatekey_attrcnt,
+			       &publickey, &privatekey);
+	
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
+	
  exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-        fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
-        error = 1;
-    }
+	rv = C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
 
  exit_session:
-    (void) C_CloseSession(hSession);
+	(void)C_CloseSession(hSession);
 
  exit_program:
-    (void) C_Finalize(NULL_PTR);
+	(void)C_Finalize(NULL_PTR);
 
-    exit(error);
+	exit(error);
 }
diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c
index 1cfbd5d368..336bf41625 100644
--- a/bin/pkcs11/pkcs11-list.c
+++ b/bin/pkcs11/pkcs11-list.c
@@ -1,5 +1,49 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-list.c,v 1.7 2009/10/26 23:36:53 each Exp $ */
+
 /* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
 
+/*! \file */
+
 #include 
 
 #include 
@@ -19,200 +63,214 @@
 #endif
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x)	getpass(x)
+#define getpassphrase(x)		getpass(x)
 #endif
 
 int
 main(int argc, char *argv[])
 {
-    CK_RV rv;
-    CK_SLOT_ID slot = 0;
-    CK_SESSION_HANDLE hSession;
-    CK_UTF8CHAR *pin = NULL;
-    CK_BYTE attr_id[2];
-    CK_OBJECT_HANDLE akey[50];
-    char *label = NULL;
-    int error = 0, public = 0, all = 0;
-    unsigned int i = 0, id = 0;
-    int c, errflg = 0;
-    CK_ULONG ulObjectCount;
-    CK_ATTRIBUTE search_template[] = {
-	{CKA_ID, &attr_id, sizeof(attr_id)}
-    };
-    extern char *optarg;
-    extern int optopt;
-    char *pk11_provider;
+	CK_RV rv;
+	CK_SLOT_ID slot = 0;
+	CK_SESSION_HANDLE hSession;
+	CK_UTF8CHAR *pin = NULL;
+	CK_BYTE attr_id[2];
+	CK_OBJECT_HANDLE akey[50];
+	char *label = NULL;
+	int error = 0, public = 0, all = 0;
+	unsigned int i = 0, id = 0;
+	int c, errflg = 0;
+	CK_ULONG ulObjectCount;
+	CK_ATTRIBUTE search_template[] = {
+		{CKA_ID, &attr_id, sizeof(attr_id)}
+	};
+	char *pk11_provider;
+	extern char *optarg;
+	extern int optopt;
 
-    pk11_provider = getenv("PKCS11_PROVIDER");
-    if (pk11_provider != NULL)
-        pk11_libname = pk11_provider;
+	pk11_provider = getenv("PKCS11_PROVIDER");
+	if (pk11_provider != NULL)
+		pk11_libname = pk11_provider;
 
-    while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
-	switch (c) {
-	case 'P':
-	    public = 1;
-	    break;
-	case 'm':
-	    pk11_libname = optarg;
-	    break;
-	case 's':
-	    slot = atoi(optarg);
-	    break;
-	case 'i':
-	    id = atoi(optarg);
-	    id &= 0xffff;
-	    break;
-	case 'l':
-	    label = optarg;
-	    break;
-	case 'p':
-	    pin = (CK_UTF8CHAR *)optarg;
-	    break;
-	case ':':
-	    fprintf(stderr, "Option -%c requires an operand\n", optopt);
-	    errflg++;
-	    break;
-	case '?':
-	default:
-	    fprintf(stderr, "Unrecognised option: -%c\n", optopt);
-	    errflg++;
+	while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
+		switch (c) {
+		case 'P':
+			public = 1;
+			break;
+		case 'm':
+			pk11_libname = optarg;
+			break;
+		case 's':
+			slot = atoi(optarg);
+			break;
+		case 'i':
+			id = atoi(optarg);
+			id &= 0xffff;
+			break;
+		case 'l':
+			label = optarg;
+			break;
+		case 'p':
+			pin = (CK_UTF8CHAR *)optarg;
+			break;
+		case ':':
+			fprintf(stderr, "Option -%c requires an operand\n",
+				optopt);
+			errflg++;
+			break;
+		case '?':
+		default:
+			fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+			errflg++;
+		}
 	}
-    }
-    if (errflg) {
-	fprintf(stderr,
-		"usage: pkcs11-list [-P] [-m module] [-s slot] "
-		"[-i id | -l label] [-p pin]\n");
-	exit(1);
-    }
-    if ((!id) && (!label))
-	all = 1;
-    if (slot)
-	printf("slot %lu\n", slot);
-    if (id) {
-	printf("id %i\n", id);
-	attr_id[0] = (id >> 8) & 0xff;
-	attr_id[1] = id & 0xff;
-    } else if (label) {
-	printf("label %s\n", label);
-	search_template[0].type = CKA_LABEL;
-	search_template[0].pValue = label;
-	search_template[0].ulValueLen = strlen(label);
-    }
 
-    /* Initialize the CRYPTOKI library */
-    rv = C_Initialize(NULL_PTR);
-    if (rv != CKR_OK) {
-	if (rv == 0xfe)
-	    fprintf(stderr,
-		    "Can't load or link module \"%s\"\n",
-		    pk11_libname);
-	else
-	    fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
-	exit(1);
-    }
+	if (errflg) {
+		fprintf(stderr, "Usage:\n");
+		fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] "
+				"[-i id | -l label] [-p pin]\n");
+		exit(1);
+	}
 
-    /* Open a session on the slot found */
-    rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
-		       NULL_PTR, NULL_PTR, &hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_program;
-    }
+	if (!id && (label == NULL))
+		all = 1;
 
-    /* Login to the Token (Keystore) */
-    if (!public) {
-	if (!pin)
-	    pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-	rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-	memset(pin, 0, strlen((char *)pin));
+	if (slot)
+		printf("slot %lu\n", slot);
+
+	if (id) {
+		printf("id %i\n", id);
+		attr_id[0] = (id >> 8) & 0xff;
+		attr_id[1] = id & 0xff;
+	} else if (label != NULL) {
+		printf("label %s\n", label);
+		search_template[0].type = CKA_LABEL;
+		search_template[0].pValue = label;
+		search_template[0].ulValueLen = strlen(label);
+	}
+
+	/* Initialize the CRYPTOKI library */
+	rv = C_Initialize(NULL_PTR);
 	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-	    error = 1;
-	    goto exit_session;
-	}
-    }
-
-    rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
-	error = 1;
-	goto exit_session;
-    }
-    
-    ulObjectCount = 1;
-    while (ulObjectCount) {
-	rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
-	if (rv != CKR_OK) {
-	    fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
-	    error = 1;
-	    goto exit_search;
-	}
-
-	for (i = 0; i < ulObjectCount; i++) {
-	    CK_OBJECT_CLASS oclass = 0;
-	    CK_BYTE labelbuf[64 + 1];
-	    CK_BYTE idbuf[64];
-	    CK_ATTRIBUTE attr_template[] = {
-		{CKA_CLASS, &oclass, sizeof(oclass)},
-		{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
-		{CKA_ID, idbuf, sizeof(idbuf)}
-	    };
-	    unsigned int j, len;
-
-	    memset(labelbuf, 0, sizeof(labelbuf));
-	    memset(idbuf, 0, sizeof(idbuf));
-
-	    rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
-	    if (rv != CKR_OK) {
-		fprintf(stderr,
-			"C_GetAttributeValue[%u]: rv = 0x%.8lX\n", i, rv);
-		if (rv == CKR_BUFFER_TOO_SMALL)
-		    fprintf(stderr, "%u too small: %lu %lu %lu\n", i,
-			    attr_template[0].ulValueLen,
-			    attr_template[1].ulValueLen,
-			    attr_template[2].ulValueLen);
-		error = 1;
-		continue;
-	    }
-
-	    len = attr_template[2].ulValueLen;
-	    printf("object[%u]: handle %lu class %lu "
-		   "label[%lu] '%s' id[%lu] ",
-		   i, akey[i], oclass,
-		   attr_template[1].ulValueLen, labelbuf,
-		   attr_template[2].ulValueLen);
-	    if (len == 2) {
-		id = (idbuf[0] << 8) & 0xff00;
-		id |= idbuf[1] & 0xff;
-		printf("%u\n", id);
-	    } else {
-		if (len > 8)
-		    len = 8;
-		if (len > 0)
-		    printf("0x");
-		for (j = 0; j < len; j++)
-		    printf("%02x", idbuf[j]);
-		if (attr_template[2].ulValueLen > len)
-		    printf("...\n");
+		if (rv == 0xfe)
+			fprintf(stderr,
+				"Can't load or link module \"%s\"\n",
+				pk11_libname);
 		else
-		    printf("\n");
-	    }
+			fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+		exit(1);
+	}
+
+	/* Open a session on the slot found */
+	rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
+			   NULL_PTR, NULL_PTR, &hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_program;
+	}
+
+	/* Login to the Token (Keystore) */
+	if (!public) {
+		if (pin == NULL)
+			pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+		rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+		memset(pin, 0, strlen((char *)pin));
+		if (rv != CKR_OK) {
+			fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+			error = 1;
+			goto exit_session;
+		}
+	}
+
+	rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+		error = 1;
+		goto exit_session;
+	}
+	
+	ulObjectCount = 1;
+	while (ulObjectCount) {
+		rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+		if (rv != CKR_OK) {
+			fprintf(stderr,
+				"C_FindObjects: Error = 0x%.8lX\n",
+				rv);
+			error = 1;
+			goto exit_search;
+		}
+
+		for (i = 0; i < ulObjectCount; i++) {
+			unsigned int j, len;
+
+			CK_OBJECT_CLASS oclass = 0;
+			CK_BYTE labelbuf[64 + 1];
+			CK_BYTE idbuf[64];
+			CK_ATTRIBUTE template[] = {
+				{CKA_CLASS, &oclass, sizeof(oclass)},
+				{CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+				{CKA_ID, idbuf, sizeof(idbuf)}
+			};
+
+			memset(labelbuf, 0, sizeof(labelbuf));
+			memset(idbuf, 0, sizeof(idbuf));
+
+			rv = C_GetAttributeValue(hSession, akey[i],
+						 template, 3);
+			if (rv != CKR_OK) {
+				fprintf(stderr,
+					"C_GetAttributeValue[%u]: "
+					"rv = 0x%.8lX\n",
+					i, rv);
+				if (rv == CKR_BUFFER_TOO_SMALL)
+					fprintf(stderr,
+						"%u too small: %lu %lu %lu\n",
+						i,
+						template[0].ulValueLen,
+						template[1].ulValueLen,
+						template[2].ulValueLen);
+				error = 1;
+				continue;
+			}
+
+			len = template[2].ulValueLen;
+			printf("object[%u]: handle %lu class %lu "
+			       "label[%lu] '%s' id[%lu] ",
+			       i, akey[i], oclass,
+			       template[1].ulValueLen,
+			       labelbuf,
+			       template[2].ulValueLen);
+			if (len == 2) {
+				id = (idbuf[0] << 8) & 0xff00;
+				id |= idbuf[1] & 0xff;
+				printf("%u\n", id);
+			} else {
+				if (len > 8)
+					len = 8;
+				if (len > 0)
+					printf("0x");
+				for (j = 0; j < len; j++)
+					printf("%02x", idbuf[j]);
+				if (template[2].ulValueLen > len)
+					printf("...\n");
+				else
+					printf("\n");
+			}
+		}
 	}
-    }
 
  exit_search:
-    rv = C_FindObjectsFinal(hSession);
-    if (rv != CKR_OK) {
-	fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
-	error = 1;
-    }
+	rv = C_FindObjectsFinal(hSession);
+	if (rv != CKR_OK) {
+		fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+		error = 1;
+	}
 
  exit_session:
-    (void) C_CloseSession(hSession);
+	(void)C_CloseSession(hSession);
 
  exit_program:
-    (void) C_Finalize(NULL_PTR);
+	(void)C_Finalize(NULL_PTR);
 
-    exit(error);
+	exit(error);
 }
diff --git a/bin/pkcs11/unix/cryptoki.h b/bin/pkcs11/unix/cryptoki.h
index 7b63280e8f..33d911cc32 100644
--- a/bin/pkcs11/unix/cryptoki.h
+++ b/bin/pkcs11/unix/cryptoki.h
@@ -1,7 +1,25 @@
 /* cryptoki.h include file for PKCS #11. */
-/* $Revision: 1.2 $ */
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/* $Revision: 1.3 $ */
 
-/* License to copy and use this software is granted provided that it is
+/*
+ * Portions Copyright RSA Security Inc.
+ *
+ * License to copy and use this software is granted provided that it is
  * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
  * (Cryptoki)" in all material mentioning or referencing this software.
 
diff --git a/bin/pkcs11/unix/unix.c b/bin/pkcs11/unix/unix.c
index 026f5a748e..95ad860896 100644
--- a/bin/pkcs11/unix/unix.c
+++ b/bin/pkcs11/unix/unix.c
@@ -1,3 +1,23 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id */
+
+/*! \file */
+
 /* dynamic loader (ifndef FORCE_STATIC_PROVIDER) */
 
 #include 
diff --git a/bin/pkcs11/win32/win32.c b/bin/pkcs11/win32/win32.c
index 5c39654128..289d5529f1 100644
--- a/bin/pkcs11/win32/win32.c
+++ b/bin/pkcs11/win32/win32.c
@@ -1,3 +1,23 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id */
+
+/*! \file */
+
 /* missing code for WIN32 */
 
 #include 

From 5f744ebbdc7caa4b0c700b2aedd7e604a0775dd6 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Mon, 26 Oct 2009 23:47:35 +0000
Subject: [PATCH 365/385] update copyright notice

---
 bin/dnssec/dnssectool.c       |  8 ++++----
 bin/named/query.c             |  6 +++---
 bin/pkcs11/unix/unix.c        | 16 +++++++++-------
 bin/pkcs11/win32/win32.c      | 16 +++++++++-------
 lib/dns/include/dns/message.h |  4 ++--
 5 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index d8c4ea4865..a1b3f600bb 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.57 2009/10/26 21:18:24 each Exp $ */
+/* $Id: dnssectool.c,v 1.58 2009/10/26 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -370,9 +370,9 @@ void
 check_keyversion(dst_key_t *key, char *keystr) {
 	int major, minor;
 	dst_key_getprivateformat(key, &major, &minor);
-        INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
+	INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
 
-	if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) 
+	if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
 		fatal("Key %s has incompatible format version %d.%d, "
 		      "use -f to force upgrade to new version.",
 		      keystr, major, minor);
@@ -386,7 +386,7 @@ void
 set_keyversion(dst_key_t *key) {
 	int major, minor;
 	dst_key_getprivateformat(key, &major, &minor);
-        INSIST(major <= DST_MAJOR_VERSION);
+	INSIST(major <= DST_MAJOR_VERSION);
 
 	if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
 		dst_key_setprivateformat(key, DST_MAJOR_VERSION,
diff --git a/bin/named/query.c b/bin/named/query.c
index d15ac5a8e7..d24b2f85ed 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.329 2009/10/26 23:14:53 each Exp $ */
+/* $Id: query.c,v 1.330 2009/10/26 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -4639,7 +4639,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	if (type == dns_rdatatype_any) {
 #ifdef ALLOW_FILTER_AAAA_ON_V4
 		isc_boolean_t have_aaaa, have_a, have_sig;
-		
+
 		/*
 		 * The filter-aaaa-on-v4 option should
 		 * suppress AAAAs for IPv4 clients if there is an A.
@@ -4882,7 +4882,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 					    NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
 				client->attributes &=
 					    ~NS_CLIENTATTR_FILTER_AAAA_RC;
-				client->attributes |= 
+				client->attributes |=
 					    NS_CLIENTATTR_FILTER_AAAA;
 				dns_rdataset_disassociate(rdataset);
 				if (sigrdataset != NULL &&
diff --git a/bin/pkcs11/unix/unix.c b/bin/pkcs11/unix/unix.c
index 95ad860896..38473981f0 100644
--- a/bin/pkcs11/unix/unix.c
+++ b/bin/pkcs11/unix/unix.c
@@ -5,15 +5,17 @@
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* $Id: unix.c,v 1.4 2009/10/26 23:47:35 tbox Exp $ */
+
 /* $Id */
 
 /*! \file */
diff --git a/bin/pkcs11/win32/win32.c b/bin/pkcs11/win32/win32.c
index 289d5529f1..d302060f5b 100644
--- a/bin/pkcs11/win32/win32.c
+++ b/bin/pkcs11/win32/win32.c
@@ -5,15 +5,17 @@
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* $Id: win32.c,v 1.5 2009/10/26 23:47:35 tbox Exp $ */
+
 /* $Id */
 
 /*! \file */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index da59409d54..c51d2e33dc 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.129 2009/10/26 23:14:54 each Exp $ */
+/* $Id: message.h,v 1.130 2009/10/26 23:47:35 tbox Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -175,7 +175,7 @@ typedef int dns_messagetextflag_t;
 						  additional section. */
 #ifdef ALLOW_FILTER_AAAA_ON_V4
 #define DNS_MESSAGERENDER_FILTER_AAAA	0x0020	/*%< filter AAAA records */
-#endif 
+#endif
 
 typedef struct dns_msgblock dns_msgblock_t;
 

From e4adb07cc1f8253b3c39aeeeb3ea03dc5b7011cc Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 27 Oct 2009 01:14:46 +0000
Subject: [PATCH 366/385] regen

---
 doc/arm/Bv9ARM.ch06.html             | 138 +++++++++++++-------
 doc/arm/Bv9ARM.ch08.html             |   6 +-
 doc/arm/Bv9ARM.ch09.html             | 180 +++++++++++++--------------
 doc/arm/Bv9ARM.html                  |  32 ++---
 doc/arm/man.ddns-confgen.html        |  10 +-
 doc/arm/man.dig.html                 |   6 +-
 doc/arm/man.dnssec-dsfromkey.html    |  16 +--
 doc/arm/man.dnssec-keyfromlabel.html |  14 +--
 doc/arm/man.dnssec-keygen.html       |  16 +--
 doc/arm/man.dnssec-revoke.html       |  10 +-
 doc/arm/man.dnssec-settime.html      |   8 +-
 doc/arm/man.dnssec-signzone.html     |   8 +-
 doc/arm/man.host.html                |  10 +-
 doc/arm/man.named-checkzone.html     |   8 +-
 doc/arm/man.named.html               |  16 +--
 doc/arm/man.nsupdate.html            |  14 +--
 doc/arm/man.rndc-confgen.html        |  12 +-
 doc/arm/man.rndc.conf.html           |  12 +-
 doc/arm/man.rndc.html                |  12 +-
 19 files changed, 290 insertions(+), 238 deletions(-)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 7295cc1ff7..eb14f33eaa 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -78,28 +78,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
 
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -2220,6 +2220,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     [ random-device path_name ; ]
     [ max-cache-size size_spec ; ]
     [ match-mapped-addresses yes_or_no; ]
+    [ match-mapped-addresses yes_or_no; ]
+    [ disable-aaaa-on-v4-transport ( yes_or_no | break-dnssec ); ]
     [ preferred-glue ( A | AAAA | NONE ); ]
     [ edns-udp-size number; ]
     [ max-udp-size number; ]
@@ -3207,6 +3209,56 @@ options {
                   internally.  The use of this option is discouraged.
                 
    
 
+
    filter-aaaa-on-v4
    
+
    
+
    
+                  This option is only available when
+                  BIND 9 is compiled with the
+                  --with-filter-aaaa option on the
+                  "configure" command line.  It is intended to help the
+                  transition from IPv4 to IPv6 by not giving IPv6 addresses
+                  to DNS clients unless they have connections to the IPv6
+                  Internet.  This is not recommended unless absolutely
+                  necessary.  The default is no.
+                
    
+
    
+                  If yes,
+                  the DNS client is at an IPv4 address,
+                  and if the response does not include DNSSEC signatures, 
+                  then all AAAA records are deleted from the response.
+                  This filtering applies to all responses and not only
+                  authoritative responses.
+                
    
+
    
+                  If break-dnssec,
+                  then AAAA records are deleted even when dnssec is enabled.
+                  As suggested by the name, this makes the response not verify,
+                  because the DNSSEC protocol is designed detect deletions.
+                
    
+
    
+                  This mechanism can erroneously cause other servers to 
+                  not give AAAA records to their clients.  
+                  A recursing server with both IPv6 and IPv4 network connections
+                  that queries an authoritative server using this mechanism
+                  via IPv4 will be denied AAAA records even if its client is
+                  using IPv6.
+                
    
+
    
+                  This mechanism is applied to authoritative as well as
+                  non-authoritative records.
+                  A client using IPv4 that is not allowed recursion can
+                  erroneously be given AAAA records because the server is not
+                  allowed to check for A records.
+                
    
+
    
+                  Some AAAA records are given to IPv4 clients in glue records.
+                  IPv4 clients that are servers can then erroneously
+                  answer requests for AAAA records received via IPv4.
+                
    
+
    
+                  security
+                
    
+
    
 
    ixfr-from-differences
    
 
    
 
    
@@ -3429,7 +3481,7 @@ options {
 
    
 
    
 
    
-Forwarding
    
+Forwarding
    
 
    
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3473,7 +3525,7 @@ options {
 
 
    
 
    
-Dual-stack Servers
    
+Dual-stack Servers
    
 
    
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3670,7 +3722,7 @@ options {
 
 
    
 
    
-Interfaces
    
+Interfaces
    
 
    
             The interfaces and ports that the server will answer queries
             from may be specified using the listen-on option. listen-on takes
@@ -4122,7 +4174,7 @@ avoid-v6-udp-ports {};
 
 
    
 
    
-UDP Port Lists
    
+UDP Port Lists
    
 
    
             use-v4-udp-ports,
             avoid-v4-udp-ports,
@@ -4164,7 +4216,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Operating System Resource Limits
    
+Operating System Resource Limits
    
 
    
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4326,7 +4378,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
 
    
 
    
-Periodic Task Intervals
    
+Periodic Task Intervals
    
 
    
 
    cleaning-interval
    
 
    
@@ -5122,7 +5174,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
    
 
    
 
    
-Content Filtering
    
+Content Filtering
    
 
    
             BIND 9 provides the ability to filter
             out DNS responses from external DNS servers containing
@@ -5452,7 +5504,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-statistics-channels Statement Definition and
+statistics-channels Statement Definition and
             Usage
    
 
    
           The statistics-channels statement
@@ -5503,7 +5555,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-trusted-keys Statement Grammar
    
+trusted-keys Statement Grammar
    
 
    trusted-keys {
     string number number number string ;
     [ string number number number string ; [...]]
@@ -5512,7 +5564,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-trusted-keys Statement Definition
+trusted-keys Statement Definition
             and Usage
    
 
    
             The trusted-keys statement defines
@@ -5552,7 +5604,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-managed-keys Statement Grammar
    
+managed-keys Statement Grammar
    
 
    managed-keys {
     string initial-key number number number string ;
     [ string initial-key number number number string ; [...]]
@@ -5561,7 +5613,7 @@ deny-answer-aliases { "example.net"; };
 
 
    
 
    
-managed-keys Statement Definition
+managed-keys Statement Definition
             and Usage
    
 
    
             The managed-keys statement, like 
@@ -5687,7 +5739,7 @@ deny-answer-aliases { "example.net"; };
 
    
 
    
 
    
-view Statement Definition and Usage
    
+view Statement Definition and Usage
    
 
    
             The view statement is a powerful
             feature
@@ -6181,7 +6233,7 @@ zone zone_name [
 
    
 
    
-Class
    
+Class
    
 
    
               The zone's name may optionally be followed by a class. If
               a class is not specified, class IN (for Internet),
@@ -6203,7 +6255,7 @@ zone zone_name [
 
    
 
    
-Zone Options
    
+Zone Options
    
 
    
 
    allow-notify
    
 
    
@@ -6873,7 +6925,7 @@ zone zone_name [
 
    
 
    
-Zone File
    
+Zone File
    
 
    
 
    
 Types of Resource Records and When to Use Them
    
@@ -6886,7 +6938,7 @@ zone zone_name [
 
    
 
    
-Resource Records
    
+Resource Records
    
 
    
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -7623,7 +7675,7 @@ zone zone_name [
 
    
 
    
-Textual expression of RRs
    
+Textual expression of RRs
    
 
    
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7826,7 +7878,7 @@ zone zone_name [
 
    
 
    
-Discussion of MX Records
    
+Discussion of MX Records
    
 
    
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -8082,7 +8134,7 @@ zone zone_name [
 
    
 
    
-Inverse Mapping in IPv4
    
+Inverse Mapping in IPv4
    
 
    
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the in-addr.arpa domain
@@ -8143,7 +8195,7 @@ zone zone_name [
 
    
 
    
-Other Zone File Directives
    
+Other Zone File Directives
    
 
    
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -8158,7 +8210,7 @@ zone zone_name [
 
    
 
    
-The @ (at-sign)
    
+The @ (at-sign)
    
 
    
               When used in the label (or name) field, the asperand or
               at-sign (@) symbol represents the current origin.
@@ -8169,7 +8221,7 @@ zone zone_name [
 
    
 
    
-The $ORIGIN Directive
    
+The $ORIGIN Directive
    
 
    
               Syntax: $ORIGIN
               domain-name
@@ -8198,7 +8250,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $INCLUDE Directive
    
+The $INCLUDE Directive
    
 
    
               Syntax: $INCLUDE
               filename
@@ -8234,7 +8286,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-The $TTL Directive
    
+The $TTL Directive
    
 
    
               Syntax: $TTL
               default-ttl
@@ -8253,7 +8305,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 
 
    
 
    
-BIND Master File Extension: the  $GENERATE Directive
    
+BIND Master File Extension: the  $GENERATE Directive
    
 
    
             Syntax: $GENERATE
             range
@@ -8677,7 +8729,7 @@ HOST-127.EXAMPLE. MX 0 .
           
    
 
    
 
    
-Name Server Statistics Counters
    
+Name Server Statistics Counters
    
 
    
 
 

    @@ -9234,7 +9286,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Zone Maintenance Statistics Counters
    
+Zone Maintenance Statistics Counters
    
 
    
 
 

    @@ -9388,7 +9440,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Resolver Statistics Counters
    
+Resolver Statistics Counters
    
 
    
 
 

    @@ -9771,7 +9823,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Socket I/O Statistics Counters
    
+Socket I/O Statistics Counters
    
 
    
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9926,7 +9978,7 @@ HOST-127.EXAMPLE. MX 0 .
 
 
    
 
    
-Compatibility with BIND 8 Counters
    
+Compatibility with BIND 8 Counters
    
 
    
               Most statistics counters that were available
               in BIND 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index edfb4832f2..239c5553cb 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    Common Problems
    
 
    It's not working; how can I figure out what's wrong?
    
 
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Where Can I Get Help?
    
 
 
 
    
@@ -95,7 +95,7 @@
 
    
 
    
 
    
-Where Can I Get Help?
    
+Where Can I Get Help?
    
 
    
           The Internet Systems Consortium
           (ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 2fcc2aec1e..10c714075b 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -45,21 +45,21 @@
 
    
 
    Table of Contents
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    
 
    
 
    
-Acknowledgments
    
+Acknowledgments
    
 
    
 
    
 A Brief History of the DNS and BIND
@@ -162,7 +162,7 @@
 
    
 
    
 
    
-General DNS Reference Information
    
+General DNS Reference Information
    
 
    
 
    
 IPv6 addresses (AAAA)
    
@@ -250,17 +250,17 @@
           
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
 
    Standards
    
 
    
-
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
+
    [RFC974] C. Partridge. Mail Routing and the Domain System. January 1986. 
    
 
    
 
    
-
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
+
    [RFC1034] P.V. Mockapetris. Domain Names — Concepts and Facilities. November 1987. 
    
 
    
 
    
-
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
+
    [RFC1035] P. V. Mockapetris. Domain Names — Implementation and
                   Specification. November 1987. 
    
 
    
 
    
@@ -268,42 +268,42 @@
 
    
 Proposed Standards
    
 
    
-
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
+
    [RFC2181] R., R. Bush Elz. Clarifications to the DNS
                   Specification. July 1997. 
    
 
    
 
    
-
    [RFC2308] M. Andrews. Negative Caching of DNS
+
    [RFC2308] M. Andrews. Negative Caching of DNS
                   Queries. March 1998. 
    
 
    
 
    
-
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
+
    [RFC1995] M. Ohta. Incremental Zone Transfer in DNS. August 1996. 
    
 
    
 
    
-
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
+
    [RFC1996] P. Vixie. A Mechanism for Prompt Notification of Zone Changes. August 1996. 
    
 
    
 
    
-
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
+
    [RFC2136] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates in the Domain Name System. April 1997. 
    
 
    
 
    
-
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
+
    [RFC2671] P. Vixie. Extension Mechanisms for DNS (EDNS0). August 1997. 
    
 
    
 
    
-
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
+
    [RFC2672] M. Crawford. Non-Terminal DNS Name Redirection. August 1999. 
    
 
    
 
    
-
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
+
    [RFC2845] P. Vixie, O. Gudmundsson, D. Eastlake, 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). May 2000. 
    
 
    
 
    
-
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
+
    [RFC2930] D. Eastlake, 3rd. Secret Key Establishment for DNS (TKEY RR). September 2000. 
    
 
    
 
    
-
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
+
    [RFC2931] D. Eastlake, 3rd. DNS Request and Transaction Signatures (SIG(0)s). September 2000. 
    
 
    
 
    
-
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
+
    [RFC3007] B. Wellington. Secure Domain Name System (DNS) Dynamic Update. November 2000. 
    
 
    
 
    
-
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
+
    [RFC3645] S. Kwan, P. Garg, J. Gilroy, L. Esibov, J. Westhead, and R. Hall. Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG). October 2003. 
    
 
    
@@ -312,19 +312,19 @@
 
    
 DNS Security Proposed Standards
    
 
    
-
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
+
    [RFC3225] D. Conrad. Indicating Resolver Support of DNSSEC. December 2001. 
    
 
    
 
    
-
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
+
    [RFC3833] D. Atkins and R. Austein. Threat Analysis of the Domain Name System (DNS). August 2004. 
    
 
    
 
    
-
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
+
    [RFC4033] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. DNS Security Introduction and Requirements. March 2005. 
    
 
    
 
    
-
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
+
    [RFC4034] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Resource Records for the DNS Security Extensions. March 2005. 
    
 
    
 
    
-
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
+
    [RFC4035] R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. Protocol Modifications for the DNS
                        Security Extensions. March 2005. 
    
 
    
 
@@ -332,146 +332,146 @@
 
    Other Important RFCs About DNS
                 Implementation
    
 
    
-
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
+
    [RFC1535] E. Gavron. A Security Problem and Proposed Correction With Widely
                   Deployed DNS Software.. October 1993. 
    
 
    
 
    
-
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
+
    [RFC1536] A. Kumar, J. Postel, C. Neuman, P. Danzig, and S. Miller. Common DNS Implementation
                   Errors and Suggested Fixes. October 1993. 
    
 
    
 
    
-
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
+
    [RFC1982] R. Elz and R. Bush. Serial Number Arithmetic. August 1996. 
    
 
    
 
    
-
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
+
    [RFC4074] Y. Morishita and T. Jinmei. Common Misbehaviour Against DNS
                 Queries for IPv6 Addresses. May 2005. 
    
 
    
 
 
    
 
    Resource Record Types
    
 
    
-
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
+
    [RFC1183] C.F. Everhart, L. A. Mamakos, R. Ullmann, and P. Mockapetris. New DNS RR Definitions. October 1990. 
    
 
    
 
    
-
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
+
    [RFC1706] B. Manning and R. Colella. DNS NSAP Resource Records. October 1994. 
    
 
    
 
    
-
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
+
    [RFC2168] R. Daniel and M. Mealling. Resolution of Uniform Resource Identifiers using
                   the Domain Name System. June 1997. 
    
 
    
 
    
-
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
+
    [RFC1876] C. Davis, P. Vixie, T., and I. Dickinson. A Means for Expressing Location Information in the
                   Domain
                   Name System. January 1996. 
    
 
    
 
    
-
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
+
    [RFC2052] A. Gulbrandsen and P. Vixie. A DNS RR for Specifying the
                   Location of
                   Services.. October 1996. 
    
 
    
 
    
-
    [RFC2163] A. Allocchio. Using the Internet DNS to
+
    [RFC2163] A. Allocchio. Using the Internet DNS to
                   Distribute MIXER
                   Conformant Global Address Mapping. January 1998. 
    
 
    
 
    
-
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
+
    [RFC2230] R. Atkinson. Key Exchange Delegation Record for the DNS. October 1997. 
    
 
    
 
    
-
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2536] D. Eastlake, 3rd. DSA KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2537] D. Eastlake, 3rd. RSA/MD5 KEYs and SIGs in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2538] D. Eastlake, 3rd and O. Gudmundsson. Storing Certificates in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
+
    [RFC2539] D. Eastlake, 3rd. Storage of Diffie-Hellman Keys in the Domain Name System (DNS). March 1999. 
    
 
    
 
    
-
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
+
    [RFC2540] D. Eastlake, 3rd. Detached Domain Name System (DNS) Information. March 1999. 
    
 
    
 
    
-
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
+
    [RFC2782] A. Gulbrandsen. P. Vixie. L. Esibov. A DNS RR for specifying the location of services (DNS SRV). February 2000. 
    
 
    
 
    
-
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
+
    [RFC2915] M. Mealling. R. Daniel. The Naming Authority Pointer (NAPTR) DNS Resource Record. September 2000. 
    
 
    
 
    
-
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
+
    [RFC3110] D. Eastlake, 3rd. RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS). May 2001. 
    
 
    
 
    
-
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
+
    [RFC3123] P. Koch. A DNS RR Type for Lists of Address Prefixes (APL RR). June 2001. 
    
 
    
 
    
-
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
+
    [RFC3596] S. Thomson, C. Huitema, V. Ksinant, and M. Souissi. DNS Extensions to support IP
                   version 6. October 2003. 
    
 
    
 
    
-
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
+
    [RFC3597] A. Gustafsson. Handling of Unknown DNS Resource Record (RR) Types. September 2003. 
    
 
    
 
    
 
    
 
    
 DNS and the Internet
    
 
    
-
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
+
    [RFC1101] P. V. Mockapetris. DNS Encoding of Network Names
                   and Other Types. April 1989. 
    
 
    
 
    
-
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
+
    [RFC1123] Braden. Requirements for Internet Hosts - Application and
                   Support. October 1989. 
    
 
    
 
    
-
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
+
    [RFC1591] J. Postel. Domain Name System Structure and Delegation. March 1994. 
    
 
    
 
    
-
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
+
    [RFC2317] H. Eidnes, G. de Groot, and P. Vixie. Classless IN-ADDR.ARPA Delegation. March 1998. 
    
 
    
 
    
-
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
+
    [RFC2826] Internet Architecture Board. IAB Technical Comment on the Unique DNS Root. May 2000. 
    
 
    
 
    
-
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
+
    [RFC2929] D. Eastlake, 3rd, E. Brunner-Williams, and B. Manning. Domain Name System (DNS) IANA Considerations. September 2000. 
    
 
    
 
    
 
    
 
    
 DNS Operations
    
 
    
-
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
+
    [RFC1033] M. Lottor. Domain administrators operations guide.. November 1987. 
    
 
    
 
    
-
    [RFC1537] P. Beertema. Common DNS Data File
+
    [RFC1537] P. Beertema. Common DNS Data File
                   Configuration Errors. October 1993. 
    
 
    
 
    
-
    [RFC1912] D. Barr. Common DNS Operational and
+
    [RFC1912] D. Barr. Common DNS Operational and
                   Configuration Errors. February 1996. 
    
 
    
 
    
-
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
+
    [RFC2010] B. Manning and P. Vixie. Operational Criteria for Root Name Servers.. October 1996. 
    
 
    
 
    
-
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
+
    [RFC2219] M. Hamilton and R. Wright. Use of DNS Aliases for
                   Network Services.. October 1997. 
    
 
    
 
    
 
    
 
    Internationalized Domain Names
    
 
    
-
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
+
    [RFC2825] IAB and R. Daigle. A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols. May 2000. 
    
 
    
 
    
-
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
+
    [RFC3490] P. Faltstrom, P. Hoffman, and A. Costello. Internationalizing Domain Names in Applications (IDNA). March 2003. 
    
 
    
 
    
-
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
+
    [RFC3491] P. Hoffman and M. Blanchet. Nameprep: A Stringprep Profile for Internationalized Domain Names. March 2003. 
    
 
    
 
    
-
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
+
    [RFC3492] A. Costello. Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA). March 2003. 
    
 
    
@@ -487,47 +487,47 @@
                 
    
 
    
 
    
-
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
+
    [RFC1464] R. Rosenbaum. Using the Domain Name System To Store Arbitrary String
                   Attributes. May 1993. 
    
 
    
 
    
-
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
+
    [RFC1713] A. Romao. Tools for DNS Debugging. November 1994. 
    
 
    
 
    
-
    [RFC1794] T. Brisco. DNS Support for Load
+
    [RFC1794] T. Brisco. DNS Support for Load
                   Balancing. April 1995. 
    
 
    
 
    
-
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
+
    [RFC2240] O. Vaughan. A Legal Basis for Domain Name Allocation. November 1997. 
    
 
    
 
    
-
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
+
    [RFC2345] J. Klensin, T. Wolf, and G. Oglesby. Domain Names and Company Name Retrieval. May 1998. 
    
 
    
 
    
-
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
+
    [RFC2352] O. Vaughan. A Convention For Using Legal Names as Domain Names. May 1998. 
    
 
    
 
    
-
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
+
    [RFC3071] J. Klensin. Reflections on the DNS, RFC 1591, and Categories of Domains. February 2001. 
    
 
    
 
    
-
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
+
    [RFC3258] T. Hardie. Distributing Authoritative Name Servers via
                        Shared Unicast Addresses. April 2002. 
    
 
    
 
    
-
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
+
    [RFC3901] A. Durand and J. Ihren. DNS IPv6 Transport Operational Guidelines. September 2004. 
    
 
    
 
 
    
 
    Obsolete and Unimplemented Experimental RFC
    
 
    
-
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
+
    [RFC1712] C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. DNS Encoding of Geographical
                   Location. November 1994. 
    
 
    
 
    
-
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
+
    [RFC2673] M. Crawford. Binary Labels in the Domain Name System. August 1999. 
    
 
    
 
    
-
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
+
    [RFC2874] M. Crawford and C. Huitema. DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering. July 2000. 
    
 
    
 
    
@@ -541,39 +541,39 @@
                 
    
 
 
    
-
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
+
    [RFC2065] D. Eastlake, 3rd and C. Kaufman. Domain Name System Security Extensions. January 1997. 
    
 
    
 
    
-
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
+
    [RFC2137] D. Eastlake, 3rd. Secure Domain Name System Dynamic Update. April 1997. 
    
 
    
 
    
-
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
+
    [RFC2535] D. Eastlake, 3rd. Domain Name System Security Extensions. March 1999. 
    
 
    
 
    
-
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
+
    [RFC3008] B. Wellington. Domain Name System Security (DNSSEC)
                        Signing Authority. November 2000. 
    
 
    
 
    
-
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
+
    [RFC3090] E. Lewis. DNS Security Extension Clarification on Zone Status. March 2001. 
    
 
    
 
    
-
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
+
    [RFC3445] D. Massey and S. Rose. Limiting the Scope of the KEY Resource Record (RR). December 2002. 
    
 
    
 
    
-
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
+
    [RFC3655] B. Wellington and O. Gudmundsson. Redefinition of DNS Authenticated Data (AD) bit. November 2003. 
    
 
    
 
    
-
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
+
    [RFC3658] O. Gudmundsson. Delegation Signer (DS) Resource Record (RR). December 2003. 
    
 
    
 
    
-
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
+
    [RFC3755] S. Weiler. Legacy Resolver Compatibility for Delegation Signer (DS). May 2004. 
    
 
    
 
    
-
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
+
    [RFC3757] O. Kolkman, J. Schlyter, and E. Lewis. Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag. April 2004. 
    
 
    
 
    
-
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
+
    [RFC3845] J. Schlyter. DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format. August 2004. 
    
 
    
 
 
@@ -594,14 +594,14 @@
 
 
    
 
    
-Other Documents About BIND
+Other Documents About BIND
 
    
 
    
 
    
 
    
-Bibliography
    
+Bibliography
    
 
    
-
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
+
    Paul Albitz and Cricket Liu. DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. 
    
 
    
 
 
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index d60bda27d1..1d45adf2fe 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -157,28 +157,28 @@
 
    server Statement Definition and
             Usage
    
 
    statistics-channels Statement Grammar
    
-
    statistics-channels Statement Definition and
+
    statistics-channels Statement Definition and
             Usage
    
-
    trusted-keys Statement Grammar
    
-
    trusted-keys Statement Definition
+
    trusted-keys Statement Grammar
    
+
    trusted-keys Statement Definition
             and Usage
    
-
    managed-keys Statement Grammar
    
-
    managed-keys Statement Definition
+
    managed-keys Statement Grammar
    
+
    managed-keys Statement Definition
             and Usage
    
 
    view Statement Grammar
    
-
    view Statement Definition and Usage
    
+
    view Statement Definition and Usage
    
 
    zone
             Statement Grammar
    
 
    zone Statement Definition and Usage
    
 
-
    Zone File
    
+
    Zone File
    
 
    
 
    Types of Resource Records and When to Use Them
    
-
    Discussion of MX Records
    
+
    Discussion of MX Records
    
 
    Setting TTLs
    
-
    Inverse Mapping in IPv4
    
-
    Other Zone File Directives
    
-
    BIND Master File Extension: the  $GENERATE Directive
    
+
    Inverse Mapping in IPv4
    
+
    Other Zone File Directives
    
+
    BIND Master File Extension: the  $GENERATE Directive
    
 
    Additional File Formats
    
 
    
 
    BIND9 Statistics
    
@@ -199,19 +199,19 @@
 
    Common Problems
    
 
    It's not working; how can I figure out what's wrong?
    
 
    Incrementing and Changing the Serial Number
    
-
    Where Can I Get Help?
    
+
    Where Can I Get Help?
    
 
 
    A. Appendices
    
 
    
-
    Acknowledgments
    
+
    Acknowledgments
    
 
    A Brief History of the DNS and BIND
    
-
    General DNS Reference Information
    
+
    General DNS Reference Information
    
 
    IPv6 addresses (AAAA)
    
 
    Bibliography (and Suggested Reading)
    
 
    
 
    Request for Comments (RFCs)
    
 
    Internet Drafts
    
-
    Other Documents About BIND
    
+
    Other Documents About BIND
    
 
    
 
    
 
    I. Manual pages
    
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index fad2f908cf..ce810926a5 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -48,7 +48,7 @@
 
    ddns-confgen  [-a algorithm] [-h] [-k keyname] [-r randomfile] [ -s name  |   -z zone ] [-q] [name]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    ddns-confgen
       generates a key for use by nsupdate
       and named.  It simplifies configuration
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -142,7 +142,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    nsupdate(1),
       named.conf(5),
       named(8),
@@ -150,7 +150,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index e7e51c704e..2160379fc1 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -248,7 +248,7 @@
     
    
 
 
    
-
    QUERY OPTIONS
    
+
    QUERY OPTIONS
    
 
    dig
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     
    
 
    
 
    
-
    MULTIPLE QUERIES
    
+
    MULTIPLE QUERIES
    
 
    
       The BIND 9 implementation of dig 
       supports
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index aa1de9ac0e..122e2b1c06 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -51,14 +51,14 @@
 
    dnssec-dsfromkey  {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level] {dnsname}
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-dsfromkey
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -1
    
 
    
@@ -119,7 +119,7 @@
 
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To build the SHA-256 DS RR from the
       Kexample.com.+003+26160
@@ -134,7 +134,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
       The keyfile can be designed by the key identification
       Knnnn.+aaa+iiiii or the full file name
@@ -148,13 +148,13 @@
     
    
 
    
 
    
-
    CAVEAT
    
+
    CAVEAT
    
 
    
       A keyfile error can give a "file not found" even if the file exists.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -164,7 +164,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index d1644226d9..5836a1cfe5 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keyfromlabel  {-l label} [-3] [-a algorithm] [-A date/offset] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-I date/offset] [-k] [-K directory] [-n nametype] [-P date/offset] [-p protocol] [-R date/offset] [-t type] [-v level] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keyfromlabel
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -63,7 +63,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -174,7 +174,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -221,7 +221,7 @@
 
    
 
 
    
-
    GENERATED KEY FILES
    
+
    GENERATED KEY FILES
    
 
    
       When dnssec-keyfromlabel completes
       successfully,
@@ -260,7 +260,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
@@ -268,7 +268,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 20ca67be94..092efba004 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-keygen  [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-e] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-K directory] [-k] [-P date/offset] [-p protocol] [-R date/offset] [-r randomdev] [-s strength] [-t type] [-v level] [-z] {name}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-keygen
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -64,7 +64,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a algorithm
    
 
    
@@ -242,7 +242,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
@@ -289,7 +289,7 @@
 
    
 
 
    
-
    GENERATED KEYS
    
+
    GENERATED KEYS
    
 
    
       When dnssec-keygen completes
       successfully,
@@ -335,7 +335,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       To generate a 768-bit DSA key for the domain
       example.com, the following command would be
@@ -356,7 +356,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-signzone(8),
       BIND 9 Administrator Reference Manual,
       RFC 2539,
@@ -365,7 +365,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index dcc32a1b4c..0e27d614a2 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-revoke  [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-revoke
       reads a DNSSEC key file, sets the REVOKED bit on the key as defined
       in RFC 5011, and creates a new pair of key files containing the
@@ -58,7 +58,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -h
    
 
    
@@ -91,14 +91,14 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 5011.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index a4ff91ddb7..bc3e9e8155 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    dnssec-settime  [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    dnssec-settime
       reads a DNSSEC private key file and sets the key timing metadata
       as specified by the -P, -A,
@@ -75,7 +75,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -f
    
 
    
@@ -106,7 +106,7 @@
 
    
 
    
 
    
-
    TIMING OPTIONS
    
+
    TIMING OPTIONS
    
 
    
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
       If the argument begins with a '+' or '-', it is interpreted as
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 60b0881e90..5511c11db5 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -397,7 +397,7 @@
 
    
 
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
    
       The following command signs the example.com
       zone with the DSA key generated by dnssec-keygen
@@ -427,14 +427,14 @@ db.example.com.signed
 %
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dnssec-keygen(8),
       BIND 9 Administrator Reference Manual,
       RFC 4033.
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 1435323bb6..3a0f1c912c 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    host  [-aCdlnrsTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    host
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     
    
 
    
 
    
-
    IDN SUPPORT
    
+
    IDN SUPPORT
    
 
    
       If host has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    /etc/resolv.conf
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    dig(1),
       named(8).
     
    
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index bfc7516b37..7a39b93346 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -257,14 +257,14 @@
 
    
 
 
    
-
    RETURN VALUES
    
+
    RETURN VALUES
    
 
    named-checkzone
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    named(8),
       named-checkconf(8),
       RFC 1035,
@@ -272,7 +272,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 346d211ef4..677a773ea9 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    named  [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f] [-g] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks] [-t directory] [-u user] [-v] [-V] [-x cache-file]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    named
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -4
    
 
    
@@ -246,7 +246,7 @@
 
    
 
    
 
    
-
    SIGNALS
    
+
    SIGNALS
    
 
    
       In routine operation, signals should not be used to control
       the nameserver; rndc should be used
@@ -267,7 +267,7 @@
     
    
 
    
 
    
-
    CONFIGURATION
    
+
    CONFIGURATION
    
 
    
       The named configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -284,7 +284,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/named.conf
    
 
    
@@ -297,7 +297,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    RFC 1033,
       RFC 1034,
       RFC 1035,
@@ -310,7 +310,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 3699de927d..95900666a5 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    nsupdate  [-d] [-D] [[-g] |  [-o] |  [-l] |  [-y [hmac:]keyname:secret] |  [-k keyfile]] [-t timeout] [-u udptimeout] [-r udpretries] [-R randomdev] [-v] [filename]
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    nsupdate
       is used to submit Dynamic DNS Update requests as defined in RFC 2136
       to a name server.
@@ -210,7 +210,7 @@
     
    
 
    
 
    
-
    INPUT FORMAT
    
+
    INPUT FORMAT
    
 
    nsupdate
       reads input from
       filename
@@ -474,7 +474,7 @@
     
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       The examples below show how
       nsupdate
@@ -528,7 +528,7 @@
     
    
 
    
 
    
-
    FILES
    
+
    FILES
    
 
    
 
    /etc/resolv.conf
    
 
    
@@ -551,7 +551,7 @@
 
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    
       RFC 2136,
       RFC 3007,
@@ -566,7 +566,7 @@
     
    
 
    
 
    
-
    BUGS
    
+
    BUGS
    
 
    
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 260e0c4884..c0013eea22 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc-confgen  [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
    
 
    
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc-confgen
       generates configuration files
       for rndc.  It can be used as a
@@ -66,7 +66,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -a
    
 
    
@@ -173,7 +173,7 @@
 
    
 
    
 
    
-
    EXAMPLES
    
+
    EXAMPLES
    
 
    
       To allow rndc to be used with
       no manual configuration, run
@@ -190,7 +190,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc.conf(5),
       named(8),
@@ -198,7 +198,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 3f930c1a37..8a5bf6cb19 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc.conf 
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc.conf is the configuration file
       for rndc, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     
    
 
    
 
    
-
    EXAMPLE
    
+
    EXAMPLE
    
 
           options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     
    
 
    
 
    
-
    NAME SERVER CONFIGURATION
    
+
    NAME SERVER CONFIGURATION
    
 
    
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the rndc.conf
@@ -219,7 +219,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc(8),
       rndc-confgen(8),
       mmencode(1),
@@ -227,7 +227,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 653b30feab..d6226c4410 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
+
 
 
 
@@ -50,7 +50,7 @@
 
    rndc  [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
    
 
 
    
-
    DESCRIPTION
    
+
    DESCRIPTION
    
 
    rndc
       controls the operation of a name
       server.  It supersedes the ndc utility
@@ -79,7 +79,7 @@
     
    
 
    
 
    
-
    OPTIONS
    
+
    OPTIONS
    
 
    
 
    -b source-address
    
 
    
@@ -151,7 +151,7 @@
     
    
 
    
 
    
-
    LIMITATIONS
    
+
    LIMITATIONS
    
 
    rndc
       does not yet support all the commands of
       the BIND 8 ndc utility.
@@ -165,7 +165,7 @@
     
    
 
    
 
    
-
    SEE ALSO
    
+
    SEE ALSO
    
 
    rndc.conf(5),
       rndc-confgen(8),
       named(8),
@@ -175,7 +175,7 @@
     
    
 
    
 
    
-
    AUTHOR
    
+
    AUTHOR
    
 
    Internet Systems Consortium
     
    
 
    

From af30180834ac4b3b206338be5c42e89bab07ca27 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 03:05:33 +0000
Subject: [PATCH 367/385] 2734.   [port]          cygwin: arpaname did not
 compile. [RT #20473]

---
 CHANGES              | 2 ++
 bin/tools/arpaname.c | 8 +++-----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 777214c527..87ea1b8649 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
+
 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
 
 2732.	[func]		Add optional filter-aaaa-on-v4 option, available
diff --git a/bin/tools/arpaname.c b/bin/tools/arpaname.c
index 12c4fe9445..356a883a45 100644
--- a/bin/tools/arpaname.c
+++ b/bin/tools/arpaname.c
@@ -14,14 +14,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: arpaname.c,v 1.3 2009/06/18 16:02:25 each Exp $ */
+/* $Id: arpaname.c,v 1.4 2009/10/27 03:05:33 marka Exp $ */
 
 #include "config.h"
 
-#include 
-#include 
-#include 
-#include 
+#include 
+
 #include 
 
 #define UNUSED(x) (void)(x)

From e8831e51c162f5961fcf1d89f68acd9336cf8a83 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 03:59:45 +0000
Subject: [PATCH 368/385] 2735.	[bug]		dnssec-signzone could fail to
 read keys 			that were specified on the command line with 
 		full paths, but weren't in the current 		
 directory. [RT #20421]

---
 CHANGES                      |   5 +
 bin/dnssec/dnssec-signzone.c | 194 +++++++++++++++++------------------
 lib/dns/dnssec.c             | 175 +++++++++++++++++--------------
 lib/dns/include/dns/dnssec.h |  11 +-
 lib/dns/zone.c               |  20 ++--
 5 files changed, 219 insertions(+), 186 deletions(-)

diff --git a/CHANGES b/CHANGES
index 87ea1b8649..642d12f2cd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2735.	[bug]		dnssec-signzone could fail to read keys
+			that were specified on the command line with
+			full paths, but weren't in the current
+			directory. [RT #20421]
+
 2734.	[port]		cygwin: arpaname did not compile. [RT #20473]
 
 2733.	[cleanup]	Clean up coding style in pkcs11-* tools. [RT #20355]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 2f3da0f990..d235455768 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.248 2009/10/24 00:00:06 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.249 2009/10/27 03:59:45 each Exp $ */
 
 /*! \file */
 
@@ -2634,12 +2634,9 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 static void
 loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
 	dns_dbnode_t *node;
-	dns_dbversion_t *currentversion;
+	dns_dbversion_t *currentversion = NULL;
 	isc_result_t result;
-	dns_rdataset_t rdataset;
-
-	currentversion = NULL;
-	dns_db_currentversion(gdb, ¤tversion);
+	dns_rdataset_t rdataset, keysigs, soasigs;
 
 	node = NULL;
 	result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
@@ -2647,11 +2644,24 @@ loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
 		fatal("failed to find the zone's origin: %s",
 		      isc_result_totext(result));
 
-	/* Preserve the TTL of the DNSKEY RRset, if any */
+	dns_db_currentversion(gdb, ¤tversion);
+
 	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&soasigs);
+	dns_rdataset_init(&keysigs);
+
+	/* Make note of the keys which signed the SOA, if any */
+	result = dns_db_findrdataset(gdb, node, currentversion,
+				     dns_rdatatype_soa, 0, 0,
+				     &rdataset, &soasigs);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* Preserve the TTL of the DNSKEY RRset, if any */
+	dns_rdataset_disassociate(&rdataset);
 	result = dns_db_findrdataset(gdb, node, currentversion,
 				     dns_rdatatype_dnskey, 0, 0,
-				     &rdataset, NULL);
+				     &rdataset, &keysigs);
 
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
@@ -2668,8 +2678,9 @@ loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
 
 	/* Load keys corresponding to the existing DNSKEY RRset */
 	result = dns_dnssec_keylistfromrdataset(gorigin, directory, mctx,
-						&rdataset, NULL, preserve_keys,
-						load_public, &keylist);
+						&rdataset, &keysigs, &soasigs,
+						preserve_keys, load_public,
+						&keylist);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to load the zone keys: %s",
 		      isc_result_totext(result));
@@ -2677,10 +2688,65 @@ loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
  cleanup:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
+	if (dns_rdataset_isassociated(&keysigs))
+		dns_rdataset_disassociate(&keysigs);
+	if (dns_rdataset_isassociated(&soasigs))
+		dns_rdataset_disassociate(&soasigs);
 	dns_db_detachnode(gdb, &node);
 	dns_db_closeversion(gdb, ¤tversion, ISC_FALSE);
 }
 
+static void
+loadexplicitkeys(char *keyfiles[], int n, isc_boolean_t setksk) {
+	isc_result_t result;
+	int i;
+
+	for (i = 0; i < n; i++) {
+		dns_dnsseckey_t *key = NULL;
+		dst_key_t *newkey = NULL;
+
+		result = dst_key_fromnamedfile(keyfiles[i], directory,
+					       DST_TYPE_PUBLIC |
+					       DST_TYPE_PRIVATE,
+					       mctx, &newkey);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot load dnskey %s: %s", keyfiles[i],
+			      isc_result_totext(result));
+
+		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+			fatal("key %s not at origin\n", keyfiles[i]);
+
+		if (!dst_key_isprivate(newkey))
+			fatal("cannot sign zone with non-private dnskey %s",
+			      keyfiles[i]);
+
+		/* Skip any duplicates */
+		for (key = ISC_LIST_HEAD(keylist);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			if (dst_key_id(key->key) == dst_key_id(newkey) &&
+			    dst_key_alg(key->key) == dst_key_alg(newkey))
+				break;
+		}
+
+		if (key == NULL) {
+			/* We haven't seen this key before */
+			dns_dnsseckey_create(mctx, &newkey, &key);
+			ISC_LIST_APPEND(keylist, key, link);
+			key->source = dns_keysource_user;
+		} else {
+			dst_key_free(&key->key);
+			key->key = newkey;
+		}
+
+		key->force_publish = ISC_TRUE;
+		key->force_sign = ISC_TRUE;
+
+		if (setksk)
+			key->ksk = ISC_TRUE;
+	}
+}
+
 static void
 report(const char *format, ...) {
 	va_list args;
@@ -2690,7 +2756,7 @@ report(const char *format, ...) {
 }
 
 static void
-build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
+build_final_keylist() {
 	isc_result_t result;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t del, add;
@@ -2707,7 +2773,7 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 		result = ISC_R_SUCCESS;
 	check_result(result, "dns_dnssec_findmatchingkeys");
 
-	result = dns_db_newversion(db, &ver);
+	result = dns_db_newversion(gdb, &ver);
 	check_result(result, "dns_db_newversion");
 
 	dns_diff_init(mctx, &del);
@@ -2721,17 +2787,17 @@ build_final_keylist(dns_db_t *db, const char *directory, isc_mem_t *mctx) {
 
 	dns_name_format(gorigin, name, sizeof(name));
 
-	result = dns_diff_applysilently(&del, db, ver);
+	result = dns_diff_applysilently(&del, gdb, ver);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to delete DNSKEYs at node '%s': %s",
 		      name, isc_result_totext(result));
 
-	result = dns_diff_applysilently(&add, db, ver);
+	result = dns_diff_applysilently(&add, gdb, ver);
 	if (result != ISC_R_SUCCESS)
 		fatal("failed to add DNSKEYs at node '%s': %s",
 		      name, isc_result_totext(result));
 
-	dns_db_closeversion(db, &ver, ISC_TRUE);
+	dns_db_closeversion(gdb, &ver, ISC_TRUE);
 
 	dns_diff_clear(&del);
 	dns_diff_clear(&add);
@@ -3580,90 +3646,20 @@ main(int argc, char *argv[]) {
 	ISC_LIST_INIT(keylist);
 	isc_rwlock_init(&keylist_lock, 0, 0);
 
+	/*
+	 * Fill keylist with:
+	 * 1) Keys listed in the DNSKEY set that have
+	 *    private keys associated
+	 * 2) KSKs set on the command line
+	 * 3) ZSKs set on the command line
+	 * 4) Any keys remaining in the DNSKEY set which
+	 *    do not have private keys associated and were
+	 *    not specified on the command line.
+	 */
 	loadzonekeys(!smartsign, ISC_FALSE);
-
-	for (i = 0; i < ndskeys; i++) {
-		dst_key_t *newkey = NULL;
-
-		result = dst_key_fromnamedfile(dskeyfile[i], directory,
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &newkey);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot load dnskey %s: %s", dskeyfile[i],
-			      isc_result_totext(result));
-
-		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
-			fatal("key %s not at origin\n", dskeyfile[i]);
-
-		/* Skip any duplicates */
-		for (key = ISC_LIST_HEAD(keylist);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			if (dst_key_id(key->key) == dst_key_id(newkey) &&
-			    dst_key_alg(key->key) == dst_key_alg(newkey) &&
-			    dns_name_equal(dst_key_name(key->key), gorigin))
-				break;
-		}
-
-		if (key == NULL) {
-			/* We haven't seen this key before */
-			dns_dnsseckey_create(mctx, &newkey, &key);
-			ISC_LIST_APPEND(keylist, key, link);
-			key->source = dns_keysource_user;
-		} else {
-			dst_key_free(&key->key);
-			key->key = newkey;
-		}
-		key->force_publish = ISC_TRUE;
-		key->force_sign = ISC_TRUE;
-		key->ksk = ISC_TRUE;
-	}
-
-	for (i = 0; i < argc; i++) {
-		dst_key_t *newkey = NULL;
-
-		result = dst_key_fromnamedfile(argv[i], directory,
-					       DST_TYPE_PUBLIC |
-					       DST_TYPE_PRIVATE,
-					       mctx, &newkey);
-		if (result != ISC_R_SUCCESS)
-			fatal("cannot load dnskey %s: %s", argv[i],
-			      isc_result_totext(result));
-
-		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
-			fatal("key %s not at origin\n", argv[i]);
-
-		/* Skip any duplicates */
-		for (key = ISC_LIST_HEAD(keylist);
-		     key != NULL;
-		     key = ISC_LIST_NEXT(key, link)) {
-			dst_key_t *dkey = key->key;
-			if (dst_key_id(dkey) == dst_key_id(newkey) &&
-			    dst_key_alg(dkey) == dst_key_alg(newkey) &&
-			    dns_name_equal(dst_key_name(dkey), gorigin)) {
-				if (!dst_key_isprivate(dkey))
-					fatal("cannot sign zone with "
-					      "non-private dnskey %s",
-					      argv[i]);
-				break;
-			}
-		}
-
-		if (key == NULL) {
-			/* We haven't seen this key before */
-			dns_dnsseckey_create(mctx, &newkey, &key);
-			key->force_publish = ISC_TRUE;
-			key->force_sign = ISC_TRUE;
-			key->source = dns_keysource_user;
-			ISC_LIST_APPEND(keylist, key, link);
-		} else {
-			dst_key_free(&newkey);
-		}
-	}
-
-	if (argc != 0)
-		loadzonekeys(!smartsign, ISC_TRUE);
+	loadexplicitkeys(dskeyfile, ndskeys, ISC_TRUE);
+	loadexplicitkeys(argv, argc, ISC_FALSE);
+	loadzonekeys(!smartsign, ISC_TRUE);
 
 	/*
 	 * If we're doing smart signing, look in the key repository for
@@ -3671,7 +3667,7 @@ main(int argc, char *argv[]) {
 	 * we have now.
 	 */
 	if (smartsign)
-		build_final_keylist(gdb, directory, mctx);
+		build_final_keylist();
 
 	/* Now enumerate the key list */
 	for (key = ISC_LIST_HEAD(keylist);
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 5a40d2e80a..9bfef56754 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.107 2009/10/26 21:18:24 each Exp $
+ * $Id: dnssec.c,v 1.108 2009/10/27 03:59:45 each Exp $
  */
 
 /*! \file */
@@ -1202,7 +1202,8 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
 		/*
 		 * Found a match.  If the old key was only public and the
 		 * new key is private, replace the old one; otherwise
-		 * we're done.
+		 * leave it.  But either way, mark the key as having
+		 * been found in the zone.
 		 */
 		if (dst_key_isprivate(key->key)) {
 			dst_key_free(newkey);
@@ -1211,6 +1212,7 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
 			key->key = *newkey;
 		}
 
+		key->source = dns_keysource_zoneapex;
 		return;
 	}
 
@@ -1224,49 +1226,95 @@ addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
 	*newkey = NULL;
 }
 
+
+/*%
+ * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
+ * for future reference.
+ */
+static isc_result_t
+mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t sigs;
+	dns_dnsseckey_t *key;
+
+	REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
+
+	dns_rdataset_init(&sigs);
+	dns_rdataset_clone(rrsigs, &sigs);
+	for (key = ISC_LIST_HEAD(*keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		isc_uint16_t keyid, sigid;
+		dns_secalg_t keyalg, sigalg;
+		keyid = dst_key_id(key->key);
+		keyalg = dst_key_alg(key->key);
+
+		for (result = dns_rdataset_first(&sigs);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&sigs)) {
+			dns_rdata_rrsig_t sig;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&sigs, &rdata);
+			result = dns_rdata_tostruct(&rdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			sigalg = sig.algorithm;
+			sigid = sig.keyid;
+			if (keyid == sigid && keyalg == sigalg) {
+				key->is_active = ISC_TRUE;
+				break;
+			}
+		}
+	}
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	if (dns_rdataset_isassociated(&sigs))
+		dns_rdataset_disassociate(&sigs);
+	return (result);
+}
+
 /*%
  * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
  */
 isc_result_t
 dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 			       const char *directory, isc_mem_t *mctx,
-			       dns_rdataset_t *keyset, dns_rdataset_t *sigset,
-			       isc_boolean_t savekeys, isc_boolean_t public,
+			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+			       dns_rdataset_t *soasigs, isc_boolean_t savekeys,
+			       isc_boolean_t public,
 			       dns_dnsseckeylist_t *keylist)
 {
-	dns_rdataset_t keys, sigs;
+	dns_rdataset_t keys;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dst_key_t *pubkey, *privkey;
-	dns_dnsseckey_t *key;
+	dst_key_t *pubkey = NULL, *privkey = NULL;
 	isc_result_t result;
 
-	dns_rdataset_init(&keys);
-	dns_rdataset_init(&sigs);
-
 	REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
-	dns_rdataset_clone(keyset, &keys);
 
+	dns_rdataset_init(&keys);
+
+	dns_rdataset_clone(keyset, &keys);
 	for (result = dns_rdataset_first(&keys);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&keys)) {
-		pubkey = NULL;
-		privkey = NULL;
-
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&keys, &rdata);
 		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
 
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			goto again;
+			goto skip;
 
 		/* Corrupted .key file? */
 		if (!dns_name_equal(origin, dst_key_name(pubkey)))
-			goto again;
+			goto skip;
 
 		if (public) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			goto again;
+			goto skip;
 		}
 
 		result = dst_key_fromfile(dst_key_name(pubkey),
@@ -1276,65 +1324,36 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 					  directory, mctx, &privkey);
 		if (result == ISC_R_FILENOTFOUND) {
 			addkey(keylist, &pubkey, savekeys, mctx);
-			goto again;
+			goto skip;
 		}
 		RETERR(result);
 
 		/* This should never happen. */
 		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
-			goto again;
+			goto skip;
 
 		addkey(keylist, &privkey, savekeys, mctx);
- again:
+ skip:
 		if (pubkey != NULL)
 			dst_key_free(&pubkey);
 		if (privkey != NULL)
 			dst_key_free(&privkey);
 	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
-	else if (result != ISC_R_SUCCESS)
-		goto failure;
 
-	if (sigset == NULL || !dns_rdataset_isassociated(sigset))
-		goto success;
+	if (result != ISC_R_NOMORE)
+		RETERR(result);
 
-	dns_rdataset_clone(sigset, &sigs);
+	if (keysigs != NULL && dns_rdataset_isassociated(keysigs))
+		RETERR(mark_active_keys(keylist, keysigs));
 
-	/*
-	 * Mark all keys which signed the DNSKEY set, for future reference.
-	 */
-	for (key = ISC_LIST_HEAD(*keylist);
-	     key != NULL;
-	     key = ISC_LIST_NEXT(key, link)) {
-		isc_uint16_t keyid, sigid;
-		isc_uint8_t keyalg, sigalg;
-		keyid = dst_key_id(key->key);
-		keyalg = dst_key_alg(key->key);
+	if (soasigs != NULL && dns_rdataset_isassociated(soasigs))
+		RETERR(mark_active_keys(keylist, soasigs));
 
-		for (result = dns_rdataset_first(&sigs);
-		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&sigs)) {
-			dns_rdata_reset(&rdata);
-			dns_rdataset_current(&sigs, &rdata);
-			sigalg = rdata.data[2];
-			sigid = (rdata.data[16] << 8) | rdata.data[17];
-			if (keyid == sigid && keyalg == sigalg) {
-				key->is_active = ISC_TRUE;
-				break;
-			}
-		}
-	}
-
-	if (result == ISC_R_NOMORE)
- success:
-		result = ISC_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  failure:
 	if (dns_rdataset_isassociated(&keys))
 		dns_rdataset_disassociate(&keys);
-	if (dns_rdataset_isassociated(&sigs))
-		dns_rdataset_disassociate(&sigs);
 	if (pubkey != NULL)
 		dst_key_free(&pubkey);
 	if (privkey != NULL)
@@ -1342,7 +1361,6 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 	return (result);
 }
 
-
 static isc_result_t
 make_dnskey(dst_key_t *key, dns_rdata_t *target) {
 	isc_result_t result;
@@ -1441,11 +1459,32 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 		      void (*report)(const char *, ...))
 {
 	isc_result_t result;
-	dns_dnsseckey_t *key1, *key2;
+	dns_dnsseckey_t *key, *key1, *key2, *next;
 
-	key1 = ISC_LIST_HEAD(*newkeys);
-	while (key1 != NULL) {
+	/*
+	 * First, look through the existing key list to find keys
+	 * supplied from the command line which are not in the zone.
+	 * Update the zone to include them.
+	 */
+	for (key = ISC_LIST_HEAD(*keys);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		if (key->source == dns_keysource_user &&
+		    (key->hint_publish || key->force_publish)) {
+			RETERR(publish_key(add, key, origin, ttl,
+					   mctx, allzsk, report));
+		}
+	}
+
+	/*
+	 * Second, scan the list of newly found keys looking for matches
+	 * with known keys, and update accordingly.
+	 */
+	for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
 		isc_boolean_t key_revoked = ISC_FALSE;
+
+		next = ISC_LIST_NEXT(key1, link);
+
 		for (key2 = ISC_LIST_HEAD(*keys);
 		     key2 != NULL;
 		     key2 = ISC_LIST_NEXT(key2, link)) {
@@ -1477,7 +1516,6 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 					key1->first_sign = ISC_TRUE;
 			}
 
-			key1 = next;
 			continue;
 		}
 
@@ -1492,7 +1530,6 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 				dns_dnsseckey_destroy(mctx, &key2);
 		} else if (key_revoked &&
 			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
-			dns_dnsseckey_t *next;
 
 			/*
 			 * A previously valid key has been revoked.
@@ -1509,7 +1546,6 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 
 			RETERR(publish_key(add, key1, origin, ttl,
 					   mctx, allzsk, report));
-			next = ISC_LIST_NEXT(key1, link);
 			ISC_LIST_UNLINK(*newkeys, key1, link);
 			ISC_LIST_APPEND(*keys, key1, link);
 
@@ -1522,27 +1558,14 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 			 * sign other records with it.
 			 */
 			key1->ksk = ISC_TRUE;
-			key1 = next;
 			continue;
 		} else {
 			if (!key2->is_active &&
 			    (key1->hint_sign || key1->force_sign))
 				key2->first_sign = ISC_TRUE;
 			key2->hint_sign = key1->hint_sign;
-
-			/*
-			 * If a key was specified on the command line,
-			 * not in the zone, it can be imported into the
-			 * zone now.
-			 */
 			key2->hint_publish = key1->hint_publish;
-			if (key2->source == dns_keysource_user &&
-			    (key2->hint_publish || key2->force_publish))
-				RETERR(publish_key(add, key2, origin, ttl,
-						   mctx, allzsk, report));
 		}
-
-		key1 = ISC_LIST_NEXT(key1, link);
 	}
 
 	/* Free any leftover keys in newkeys */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 6e904ece25..2edc8efe71 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.38 2009/10/12 23:48:02 tbox Exp $ */
+/* $Id: dnssec.h,v 1.39 2009/10/27 03:59:45 each Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -271,8 +271,9 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
 isc_result_t
 dns_dnssec_keylistfromrdataset(dns_name_t *origin,
 			       const char *directory, isc_mem_t *mctx,
-			       dns_rdataset_t *keyset, dns_rdataset_t *sigset,
-			       isc_boolean_t savekeys, isc_boolean_t public,
+			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+			       dns_rdataset_t *soasigs, isc_boolean_t savekeys,
+			       isc_boolean_t public,
 			       dns_dnsseckeylist_t *keylist);
 /*%<
  * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
@@ -280,6 +281,10 @@ dns_dnssec_keylistfromrdataset(dns_name_t *origin,
  * matching key files, and load the private keys that go with
  * the public ones.  If 'savekeys' is ISC_TRUE, mark the keys so
  * they will not be deleted or inactivated regardless of metadata.
+ *
+ * 'keysigs' and 'soasigs', if not NULL and associated, contain the
+ * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
+ * whether a key is already active int eh zone.
  */
 
 isc_result_t
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index da1cf3e6a4..3bb7094f11 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.520 2009/10/20 23:47:32 tbox Exp $ */
+/* $Id: zone.c,v 1.521 2009/10/27 03:59:45 each Exp $ */
 
 /*! \file */
 
@@ -13279,7 +13279,7 @@ zone_rekey(dns_zone_t *zone) {
 	dns_db_t *db = NULL;
 	dns_dbnode_t *node = NULL;
 	dns_dbversion_t *ver = NULL;
-	dns_rdataset_t soaset, keyset, sigset;
+	dns_rdataset_t soaset, soasigs, keyset, keysigs;
 	dns_dnsseckeylist_t dnskeys, keys, oldkeys;
 	dns_dnsseckey_t *key;
 	dns_diff_t add, del;
@@ -13295,8 +13295,9 @@ zone_rekey(dns_zone_t *zone) {
 	ISC_LIST_INIT(keys);
 	ISC_LIST_INIT(oldkeys);
 	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&soasigs);
 	dns_rdataset_init(&keyset);
-	dns_rdataset_init(&sigset);
+	dns_rdataset_init(&keysigs);
 	dir = dns_zone_getkeydirectory(zone);
 	mctx = zone->mctx;
 	dns_diff_init(mctx, &add);
@@ -13309,17 +13310,18 @@ zone_rekey(dns_zone_t *zone) {
 
 	/* Get the SOA record's TTL */
 	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
-				  dns_rdatatype_none, 0, &soaset, NULL));
+				  dns_rdatatype_none, 0, &soaset, &soasigs));
 	ttl = soaset.ttl;
 	dns_rdataset_disassociate(&soaset);
 
 	/* Get the DNSKEY rdataset */
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
-				     dns_rdatatype_none, 0, &keyset, &sigset);
+				     dns_rdatatype_none, 0, &keyset, &keysigs);
 	if (result == ISC_R_SUCCESS) {
 		ttl = keyset.ttl;
 		CHECK(dns_dnssec_keylistfromrdataset(&zone->origin, dir,
-						     mctx, &keyset, &sigset,
+						     mctx, &keyset,
+						     &keysigs, &soasigs,
 						     ISC_FALSE, ISC_FALSE,
 						     &dnskeys));
 	} else if (result != ISC_R_NOTFOUND)
@@ -13414,8 +13416,10 @@ zone_rekey(dns_zone_t *zone) {
 		dns_db_closeversion(db, &ver, ISC_FALSE);
 	if (dns_rdataset_isassociated(&keyset))
 		dns_rdataset_disassociate(&keyset);
-	if (dns_rdataset_isassociated(&sigset))
-		dns_rdataset_disassociate(&sigset);
+	if (dns_rdataset_isassociated(&keysigs))
+		dns_rdataset_disassociate(&keysigs);
+	if (dns_rdataset_isassociated(&soasigs))
+		dns_rdataset_disassociate(&soasigs);
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
 	if (db != NULL)

From 63d5a6f680864b58b8eddc58dfa9957e19abf084 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 04:46:58 +0000
Subject: [PATCH 369/385] 2736.   [func]          Improve the performance of
 NSEC signed zones with                         more than a normal amount of
 glue below a delegation.                         [RT #20191]

---
 CHANGES                      |   4 +
 bin/dnssec/dnssec-signzone.c |   3 +-
 lib/dns/include/dns/rbt.h    |  16 +-
 lib/dns/rbt.c                |   9 +-
 lib/dns/rbtdb.c              | 433 +++++++++++++++++++++++++++--------
 5 files changed, 361 insertions(+), 104 deletions(-)

diff --git a/CHANGES b/CHANGES
index 642d12f2cd..33d2f31e4e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2736.	[func]		Improve the performance of NSEC signed zones with
+			more than a normal amount of glue below a delegation.
+			[RT #20191]
+
 2735.	[bug]		dnssec-signzone could fail to read keys
 			that were specified on the command line with
 			full paths, but weren't in the current
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d235455768..e493642e56 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.249 2009/10/27 03:59:45 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.250 2009/10/27 04:46:58 marka Exp $ */
 
 /*! \file */
 
@@ -2115,6 +2115,7 @@ nsecify(void) {
 		} else if (result != ISC_R_SUCCESS)
 			fatal("iterating through the database failed: %s",
 			      isc_result_totext(result));
+		dns_dbiterator_pause(dbiter);
 		result = dns_nsec_build(gdb, gversion, node, nextname,
 					zone_soa_min_ttl);
 		check_result(result, "dns_nsec_build()");
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 20d05bf6b0..a0f5acaa54 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.75 2009/10/20 04:57:57 marka Exp $ */
+/* $Id: rbt.h,v 1.76 2009/10/27 04:46:58 marka Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
@@ -94,10 +94,7 @@ struct dns_rbtnode {
 	 * The following bitfields add up to a total bitwidth of 32.
 	 * The range of values necessary for each item is indicated,
 	 * but in the case of "attributes" the field is wider to accommodate
-	 * possible future expansion.  "offsetlen" could be one bit
-	 * narrower by always adjusting its value by 1 to find the real
-	 * offsetlen, but doing so does not gain anything (except perhaps
-	 * another bit for "attributes", which doesn't yet need any more).
+	 * possible future expansion.
 	 *
 	 * In each case below the "range" indicated is what's _necessary_ for
 	 * the bitfield to hold, not what it actually _can_ hold.
@@ -105,8 +102,13 @@ struct dns_rbtnode {
 	unsigned int is_root : 1;       /*%< range is 0..1 */
 	unsigned int color : 1;         /*%< range is 0..1 */
 	unsigned int find_callback : 1; /*%< range is 0..1 */
-	unsigned int attributes : 4;    /*%< range is 0..2 */
-	unsigned int nsec3 : 1;    	/*%< range is 0..1 */
+	unsigned int attributes : 3;    /*%< range is 0..2 */
+	enum {
+	    DNS_RBT_NSEC_NORMAL=0,      /*      in main tree */
+	    DNS_RBT_NSEC_HAS_NSEC=1,    /*      also has node in nsec tree */
+	    DNS_RBT_NSEC_NSEC=2,        /*      in nsec tree */
+	    DNS_RBT_NSEC_NSEC3=3        /*      in nsec3 tree */
+	} nsec : 2;                     /*%< range is 0..3 */
 	unsigned int namelen : 8;       /*%< range is 1..255 */
 	unsigned int offsetlen : 8;     /*%< range is 1..128 */
 	unsigned int oldnamelen : 8;    /*%< range is 1..255 */
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index b3f06349f6..c0f41b810d 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.145 2009/10/20 04:57:57 marka Exp $ */
+/* $Id: rbt.c,v 1.146 2009/10/27 04:46:58 marka Exp $ */
 
 /*! \file */
 
@@ -537,7 +537,10 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				 * current node.
 				 */
 				new_current->is_root = current->is_root;
-				new_current->nsec3 = current->nsec3;
+				if (current->nsec == DNS_RBT_NSEC_HAS_NSEC)
+					new_current->nsec = DNS_RBT_NSEC_NORMAL;
+				else
+					new_current->nsec = current->nsec;
 				PARENT(new_current)  = PARENT(current);
 				LEFT(new_current)    = LEFT(current);
 				RIGHT(new_current)   = RIGHT(current);
@@ -1451,7 +1454,7 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	DIRTY(node) = 0;
 	dns_rbtnode_refinit(node, 0);
 	node->find_callback = 0;
-	node->nsec3 = 0;
+	node->nsec = DNS_RBT_NSEC_NORMAL;
 
 	MAKE_BLACK(node);
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 0fbbac2f6b..dc01dd9e42 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.283 2009/10/08 23:13:06 marka Exp $ */
+/* $Id: rbtdb.c,v 1.284 2009/10/27 04:46:58 marka Exp $ */
 
 /*! \file */
 
@@ -436,6 +436,7 @@ typedef struct {
 
 	/* Locked by tree_lock. */
 	dns_rbt_t *                     tree;
+	dns_rbt_t *			nsec;
 	dns_rbt_t *			nsec3;
 
 	/* Unlocked */
@@ -820,6 +821,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 	isc_ondestroy_t ondest;
 	isc_result_t result;
 	char buf[DNS_NAME_FORMATSIZE];
+	dns_rbt_t **treep;
 	isc_time_t start;
 
 	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
@@ -856,33 +858,26 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 
 	if (event == NULL)
 		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
- again:
-	if (rbtdb->tree != NULL) {
-		isc_time_now(&start);
-		result = dns_rbt_destroy2(&rbtdb->tree, rbtdb->quantum);
-		if (result == ISC_R_QUOTA) {
-			INSIST(rbtdb->task != NULL);
-			if (rbtdb->quantum != 0)
-				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
-								&start);
-			if (event == NULL)
-				event = isc_event_allocate(rbtdb->common.mctx,
-							   NULL,
-							 DNS_EVENT_FREESTORAGE,
-							   free_rbtdb_callback,
-							   rbtdb,
-							   sizeof(isc_event_t));
-			if (event == NULL)
-				goto again;
-			isc_task_send(rbtdb->task, &event);
-			return;
-		}
-		INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL);
-	}
 
-	if (rbtdb->nsec3 != NULL) {
+	for (;;) {
+		/*
+		 * pick the next tree to (start to) destroy
+		 */
+		treep = &rbtdb->tree;
+		if (*treep == NULL) {
+			treep = &rbtdb->nsec;
+			if (*treep == NULL) {
+				treep = &rbtdb->nsec3;
+				/*
+				 * we're finished after clear cutting
+				 */
+				if (*treep == NULL)
+					break;
+			}
+		}
+
 		isc_time_now(&start);
-		result = dns_rbt_destroy2(&rbtdb->nsec3, rbtdb->quantum);
+		result = dns_rbt_destroy2(treep, rbtdb->quantum);
 		if (result == ISC_R_QUOTA) {
 			INSIST(rbtdb->task != NULL);
 			if (rbtdb->quantum != 0)
@@ -896,11 +891,11 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 							   rbtdb,
 							   sizeof(isc_event_t));
 			if (event == NULL)
-				goto again;
+				continue;
 			isc_task_send(rbtdb->task, &event);
 			return;
 		}
-		INSIST(result == ISC_R_SUCCESS && rbtdb->nsec3 == NULL);
+		INSIST(result == ISC_R_SUCCESS && *treep == NULL);
 	}
 
 	if (event != NULL)
@@ -1478,6 +1473,71 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		node->dirty = 0;
 }
 
+static void
+delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
+{
+	dns_rbtnode_t *nsecnode;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result = ISC_R_UNEXPECTED;
+
+	INSIST(!ISC_LINK_LINKED(node, deadlink));
+
+	switch (node->nsec) {
+	case DNS_RBT_NSEC_NORMAL:
+		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
+		break;
+	case DNS_RBT_NSEC_HAS_NSEC:
+		dns_fixedname_init(&fname);
+		name = dns_fixedname_name(&fname);
+		dns_rbt_fullnamefromnode(node, name);
+		/*
+		 * Delete the corresponding node from the auxiliary NSEC
+		 * tree before deleting from the main tree.
+		 */
+		nsecnode = NULL;
+		result = dns_rbt_findnode(rbtdb->nsec, name, NULL, &nsecnode,
+					  NULL, DNS_RBTFIND_EMPTYDATA,
+					  NULL, NULL);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "delete_node: "
+				      "dns_rbt_findnode(nsec): %s",
+				      isc_result_totext(result));
+		} else {
+			result = dns_rbt_deletenode(rbtdb->nsec, nsecnode,
+						    ISC_FALSE);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_WARNING,
+					      "delete_nsecnode(): "
+					      "dns_rbt_deletenode(nsecnode): %s",
+					      isc_result_totext(result));
+			}
+		}
+		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
+		break;
+	case DNS_RBT_NSEC_NSEC:
+		result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
+		break;
+	case DNS_RBT_NSEC_NSEC3:
+		result = dns_rbt_deletenode(rbtdb->nsec3, node, ISC_FALSE);
+		break;
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_WARNING,
+			      "delete_nsecnode(): "
+			      "dns_rbt_deletenode: %s",
+			      isc_result_totext(result));
+	}
+}
+
 /*%
  * Clean up dead nodes.  These are nodes which have no references, and
  * have no data.  They are dead but we could not or chose not to delete
@@ -1489,7 +1549,6 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 static void
 cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
 	dns_rbtnode_t *node;
-	isc_result_t result;
 	int count = 10;         /* XXXJT: should be adjustable */
 
 	node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
@@ -1503,19 +1562,8 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
 		INSIST(dns_rbtnode_refcurrent(node) == 0 &&
 		       node->data == NULL);
 
-		INSIST(!ISC_LINK_LINKED(node, deadlink));
-		if (node->nsec3)
-			result = dns_rbt_deletenode(rbtdb->nsec3, node,
-						    ISC_FALSE);
-		else
-			result = dns_rbt_deletenode(rbtdb->tree, node,
-						    ISC_FALSE);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-				      "cleanup_dead_nodes: "
-				      "dns_rbt_deletenode: %s",
-				      isc_result_totext(result));
+		delete_node(rbtdb, node);
+
 		node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
 		count--;
 	}
@@ -1764,22 +1812,7 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 							sizeof(printname)));
 			}
 
-			INSIST(!ISC_LINK_LINKED(node, deadlink));
-			if (node->nsec3)
-				result = dns_rbt_deletenode(rbtdb->nsec3, node,
-							    ISC_FALSE);
-			else
-				result = dns_rbt_deletenode(rbtdb->tree, node,
-							    ISC_FALSE);
-			if (result != ISC_R_SUCCESS) {
-				isc_log_write(dns_lctx,
-					      DNS_LOGCATEGORY_DATABASE,
-					      DNS_LOGMODULE_CACHE,
-					      ISC_LOG_WARNING,
-					      "decrement_reference: "
-					      "dns_rbt_deletenode: %s",
-					      isc_result_totext(result));
-			}
+			delete_node(rbtdb, node);
 		}
 	} else if (dns_rbtnode_refcurrent(node) == 0) {
 		INSIST(!ISC_LINK_LINKED(node, deadlink));
@@ -2344,7 +2377,7 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
 	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
-	node->nsec3 = 0;
+	node->nsec = DNS_RBT_NSEC_NORMAL;
 	node->find_callback = 1;
 	node->wild = 1;
 	return (ISC_R_SUCCESS);
@@ -2372,7 +2405,7 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 						 &node);
 			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 				return (result);
-			node->nsec3 = 0;
+			node->nsec = DNS_RBT_NSEC_NORMAL;
 		}
 		i++;
 	}
@@ -2418,7 +2451,6 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
 				rbtdb->node_lock_count;
 #endif
-			node->nsec3 = 0;
 			add_empty_wildcards(rbtdb, name);
 
 			if (dns_name_iswildcard(name)) {
@@ -2480,13 +2512,14 @@ findnsec3node(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
 				rbtdb->node_lock_count;
 #endif
-			node->nsec3 = 1U;
+			node->nsec = DNS_RBT_NSEC_NSEC3;
 		} else if (result != ISC_R_EXISTS) {
 			RWUNLOCK(&rbtdb->tree_lock, locktype);
 			return (result);
 		}
-	} else
-		INSIST(node->nsec3);
+	} else {
+		INSIST(node->nsec == DNS_RBT_NSEC_NSEC3);
+	}
 	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
 	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
@@ -3191,14 +3224,111 @@ matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
 	return (ISC_FALSE);
 }
 
+static inline isc_result_t
+previous_close_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
+		    dns_name_t *name, dns_name_t *origin,
+		    dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
+		    isc_boolean_t *firstp)
+{
+	dns_fixedname_t ftarget;
+	dns_name_t *target;
+	dns_rbtnode_t *nsecnode;
+	isc_result_t result;
+
+	if (type == dns_rdatatype_nsec3)
+		return (dns_rbtnodechain_prev(&search->chain, NULL, NULL));
+
+	dns_fixedname_init(&ftarget);
+	target = dns_fixedname_name(&ftarget);
+
+	for (;;) {
+		if (*firstp) {
+			/*
+			 * Construct the name of the second node to check.
+			 * It is the first node sought in the NSEC tree.
+			 */
+			*firstp = ISC_FALSE;
+			dns_rbtnodechain_init(nsecchain, NULL);
+			result = dns_name_concatenate(name, origin,
+						      target, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			nsecnode = NULL;
+			result = dns_rbt_findnode(search->rbtdb->nsec,
+						  target, NULL,
+						  &nsecnode, nsecchain,
+						  DNS_RBTFIND_NOOPTIONS,
+						  NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * Since this was the first loop, finding the
+				 * name in the NSEC tree implies that the first
+				 * node checked in the main tree had an
+				 * unacceptable NSEC record.
+				 * Try the previous node in the NSEC tree.
+				 */
+				result = dns_rbtnodechain_prev(nsecchain,
+							name, origin);
+			} else if (result == ISC_R_NOTFOUND
+				   || result == DNS_R_PARTIALMATCH) {
+				result = dns_rbtnodechain_current(nsecchain,
+							name, origin, NULL);
+				if (result == ISC_R_NOTFOUND)
+					result = ISC_R_NOMORE;
+			}
+		} else {
+			/*
+			 * This is a second or later trip through the auxiliary
+			 * tree for the name of a third or earlier NSEC node in
+			 * the main tree.  Previous trips through the NSEC tree
+			 * must have found nodes in the main tree with NSEC
+			 * records.  Perhaps they lacked signature records.
+			 */
+			result = dns_rbtnodechain_prev(nsecchain, name, origin);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * Construct the name to seek in the main tree.
+		 */
+		result = dns_name_concatenate(name, origin, target, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		*nodep = NULL;
+		result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
+					  nodep, &search->chain,
+					  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * There should always be a node in the main tree with the
+		 * same name as the node in the auxiliary NSEC tree, except for
+		 * nodes in the auxiliary tree that are awaiting deletion.
+		 */
+		if (result != ISC_R_NOTFOUND) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
+				      "previous_closest_nsec(): %s",
+				      isc_result_totext(result));
+			return (DNS_R_BADDB);
+		}
+	}
+}
+
 static inline isc_result_t
 find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		  dns_name_t *foundname, dns_rdataset_t *rdataset,
 		  dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
 		  dns_db_secure_t secure)
 {
-	dns_rbtnode_t *node;
+	dns_rbtnode_t *node, *prevnode;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	dns_rbtnodechain_t nsecchain;
 	isc_boolean_t empty_node;
 	isc_result_t result;
 	dns_fixedname_t fname, forigin;
@@ -3206,6 +3336,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	dns_rdatatype_t type;
 	rbtdb_rdatatype_t sigtype;
 	isc_boolean_t wraps;
+	isc_boolean_t first = ISC_TRUE;
 	isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure);
 
 	if (tree == search->rbtdb->nsec3) {
@@ -3218,17 +3349,20 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		wraps = ISC_FALSE;
 	}
 
- again:
-	do {
-		node = NULL;
+	/*
+	 * Use the auxiliary tree only starting with the second node in the
+	 * hope that the original node will be right much of the time.
+	 */
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
 		dns_fixedname_init(&forigin);
 		origin = dns_fixedname_name(&forigin);
-		result = dns_rbtnodechain_current(&search->chain, name,
-						  origin, &node);
+ again:
+	node = NULL;
+	result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
 		if (result != ISC_R_SUCCESS)
 			return (result);
+	do {
 		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
 			  isc_rwlocktype_read);
 		found = NULL;
@@ -3281,8 +3415,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				result = dns_rbtnodechain_prev(&search->chain,
 							       NULL, NULL);
 			} else if (found != NULL &&
-				   (foundsig != NULL || !need_sig))
-			{
+				   (foundsig != NULL || !need_sig)) {
 				/*
 				 * We've found the right NSEC/NSEC3 record.
 				 *
@@ -3319,8 +3452,9 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * node as if it were empty and keep looking.
 				 */
 				empty_node = ISC_TRUE;
-				result = dns_rbtnodechain_prev(&search->chain,
-							       NULL, NULL);
+				result = previous_close_nsec(type, search,
+							name, origin, &prevnode,
+							&nsecchain, &first);
 			} else {
 				/*
 				 * We found an active node, but either the
@@ -3334,13 +3468,18 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			 * This node isn't active.  We've got to keep
 			 * looking.
 			 */
-			result = dns_rbtnodechain_prev(&search->chain, NULL,
-						       NULL);
+			result = previous_close_nsec(type, search,
+						     name, origin, &prevnode,
+						     &nsecchain, &first);
 		}
 		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
 			    isc_rwlocktype_read);
+		node = prevnode;
 	} while (empty_node && result == ISC_R_SUCCESS);
 
+	if (!first)
+		dns_rbtnodechain_invalidate(&nsecchain);
+
 	if (result == ISC_R_NOMORE && wraps) {
 		result = dns_rbtnodechain_last(&search->chain, tree,
 					       NULL, NULL);
@@ -5917,15 +6056,16 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	rdatasetheader_t *header;
 	isc_result_t result;
 	isc_boolean_t delegating;
+	isc_boolean_t newnsec;
 	isc_boolean_t tree_locked = ISC_FALSE;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
 	if (rbtdb->common.methods == &zone_methods)
-		REQUIRE(((rbtnode->nsec3 &&
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
 			  (rdataset->type == dns_rdatatype_nsec3 ||
 			   rdataset->covers == dns_rdatatype_nsec3)) ||
-			 (!rbtnode->nsec3 &&
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
 			   rdataset->type != dns_rdatatype_nsec3 &&
 			   rdataset->covers != dns_rdatatype_nsec3)));
 
@@ -6000,12 +6140,21 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		delegating = ISC_FALSE;
 
 	/*
-	 * If we're adding a delegation type or the DB is a cache in an overmem
-	 * state, hold an exclusive lock on the tree.  In the latter case
-	 * the lock does not necessarily have to be acquired but it will help
-	 * purge stale entries more effectively.
+	 * Add to the auxiliary NSEC tree if we're adding an NSEC record.
 	 */
-	if (delegating || (IS_CACHE(rbtdb) && rbtdb->overmem)) {
+	if (rbtnode->nsec != DNS_RBT_NSEC_HAS_NSEC &&
+	    rdataset->type == dns_rdatatype_nsec)
+		newnsec = ISC_TRUE;
+	else
+		newnsec = ISC_FALSE;
+	
+	/*
+	 * If we're adding a delegation type, adding to the auxiliary NSEC tree,
+	 * or the DB is a cache in an overmem state, hold an exclusive lock on
+	 * the tree.  In the latter case the lock does not necessarily have to
+	 * be acquired but it will help purge stale entries more effectively.
+	 */
+	if (delegating || newnsec || (IS_CACHE(rbtdb) && rbtdb->overmem)) {
 		tree_locked = ISC_TRUE;
 		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 	}
@@ -6034,14 +6183,40 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		 * cleaning, we can release it now.  However, we still need the
 		 * node lock.
 		 */
-		if (tree_locked && !delegating) {
+		if (tree_locked && !delegating && !newnsec) {
 			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 			tree_locked = ISC_FALSE;
 		}
 	}
 
-	result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
-		     addedrdataset, now);
+	result = ISC_R_SUCCESS;
+	if (newnsec) {
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		dns_rbtnode_t *nsecnode;
+
+		dns_fixedname_init(&fname);
+		name = dns_fixedname_name(&fname);
+		dns_rbt_fullnamefromnode(rbtnode, name);
+		nsecnode = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+		if (result == ISC_R_SUCCESS) {
+			nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		} else if (result == ISC_R_EXISTS) {
+			isc_log_write(dns_lctx,
+				      DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE,
+				      ISC_LOG_ERROR,
+				      "addrdataset: node lied about NSEC");
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS)
+		result = add(rbtdb, rbtnode, rbtversion, newheader, options,
+			     ISC_FALSE, addedrdataset, now);
 	if (result == ISC_R_SUCCESS && delegating)
 		rbtnode->find_callback = 1;
 
@@ -6078,10 +6253,10 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(VALID_RBTDB(rbtdb));
 
 	if (rbtdb->common.methods == &zone_methods)
-		REQUIRE(((rbtnode->nsec3 &&
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
 			  (rdataset->type == dns_rdatatype_nsec3 ||
 			   rdataset->covers == dns_rdatatype_nsec3)) ||
-			 (!rbtnode->nsec3 &&
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
 			   rdataset->type != dns_rdatatype_nsec3 &&
 			   rdataset->covers != dns_rdatatype_nsec3)));
 
@@ -6300,6 +6475,72 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	return (result);
 }
 
+/*
+ * load a non-NSEC3 node in the main tree and optionally to the auxiliary NSEC
+ */
+static isc_result_t
+loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
+	 isc_boolean_t hasnsec)
+{
+	isc_result_t noderesult, nsecresult;
+	dns_rbtnode_t *nsecnode;
+
+	noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
+	if (!hasnsec)
+		return (noderesult);
+	if (noderesult == ISC_R_EXISTS) {
+		/*
+		 * Add a node to the auxiliary NSEC tree for an old node
+		 * just now getting an NSEC record.
+		 */
+		if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC)
+			return noderesult;
+	} else if (noderesult != ISC_R_SUCCESS) {
+		return (noderesult);
+	}
+
+	/*
+	 * Build the auxiliary tree for NSECs as we go.
+	 * This tree speeds searches for closest NSECs that would otherwise
+	 * need to examine many irrelevant nodes in large TLDs.
+	 *
+	 * Add nodes to the auxiliary tree after corresponding nodes have
+	 * been added to the main tree.
+	 */
+	nsecnode = NULL;
+	nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+	if (nsecresult == ISC_R_SUCCESS) {
+		nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (nsecresult == ISC_R_EXISTS) {
+#if 1 /* 0 */
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_WARNING,
+			      "addnode: NSEC node already exists");
+#endif
+		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		return (noderesult);
+	}
+
+	nsecresult = dns_rbt_deletenode(rbtdb->tree, *nodep, ISC_FALSE);
+	if (nsecresult != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_WARNING,
+			      "loading_addrdataset: "
+			      "dns_rbt_deletenode: %s after "
+			      "dns_rbt_addnode(NSEC): %s",
+			      isc_result_totext(nsecresult),
+			      isc_result_totext(noderesult));
+	return (noderesult);
+}
+
 static isc_result_t
 loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	rbtdb_load_t *loadctx = arg;
@@ -6348,11 +6589,11 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	    rdataset->covers == dns_rdatatype_nsec3) {
 		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
 		if (result == ISC_R_SUCCESS)
-			node->nsec3 = 1;
+			node->nsec = DNS_RBT_NSEC_NSEC3;
+	} else if (rdataset->type == dns_rdatatype_nsec) {
+		result = loadnode(rbtdb, name, &node, ISC_TRUE);
 	} else {
-		result = dns_rbt_addnode(rbtdb->tree, name, &node);
-		if (result == ISC_R_SUCCESS)
-			node->nsec3 = 0;
+		result = loadnode(rbtdb, name, &node, ISC_FALSE);
 	}
 	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
@@ -7019,6 +7260,12 @@ dns_rbtdb_create
 		return (result);
 	}
 
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, ISC_FALSE, NULL);
+		return (result);
+	}
+
 	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
 	if (result != ISC_R_SUCCESS) {
 		free_rbtdb(rbtdb, ISC_FALSE, NULL);
@@ -7047,7 +7294,7 @@ dns_rbtdb_create
 			free_rbtdb(rbtdb, ISC_FALSE, NULL);
 			return (result);
 		}
-		rbtdb->origin_node->nsec3 = 0;
+		rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
 		/*
 		 * We need to give the origin node the right locknum.
 		 */

From 9e9e7112f9d712fe9e1740162f88a82ef1aa4711 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 05:42:25 +0000
Subject: [PATCH 370/385] 2737.   [func]          UPDATE requests can leak
 existance information.                         [RT #17261]

---
 CHANGES            |  3 +++
 bin/named/update.c | 52 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 33d2f31e4e..f89fac388b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2737.	[func]		UPDATE requests can leak existance information.
+			[RT #17261]
+
 2736.	[func]		Improve the performance of NSEC signed zones with
 			more than a normal amount of glue below a delegation.
 			[RT #20191]
diff --git a/bin/named/update.c b/bin/named/update.c
index db7ca03210..140c8493af 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.165 2009/10/22 23:48:07 tbox Exp $ */
+/* $Id: update.c,v 1.166 2009/10/27 05:42:25 marka Exp $ */
 
 #include 
 
@@ -281,6 +281,43 @@ inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
 	}
 }
 
+/*%
+ * Check if we could have queried for the contents of this zone or
+ * if the zone is potentially updateable.
+ * If the zone can potentially be updated and the check failed then
+ * log a error otherwise we log a informational message.
+ */
+static isc_result_t
+checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
+	      dns_acl_t *updateacl, dns_ssutable_t *ssutable)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+	int level;
+	isc_result_t result;
+
+	result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(zonename, namebuf, sizeof(namebuf));
+		dns_rdataclass_format(client->view->rdclass, classbuf,
+				      sizeof(classbuf));
+
+		level = (updateacl == NULL && ssutable == NULL) ?
+				ISC_LOG_INFO : ISC_LOG_ERROR;
+
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, level,
+			      "update '%s/%s' denied due to allow-query",
+			      namebuf, classbuf);
+	} else if (updateacl == NULL && ssutable == NULL) {
+		result = DNS_R_REFUSED;
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+			      "update '%s/%s' denied", namebuf, classbuf);
+	}
+	return (result);
+}
+
 /*%
  * Override the default acl logging when checking whether a client
  * can update the zone or whether we can forward the request to the
@@ -3506,6 +3543,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	zonename = dns_db_origin(db);
 	zoneclass = dns_db_class(db);
 	dns_zone_getssutable(zone, &ssutable);
+
+	/*
+	 * Update message processing can leak record existance information
+	 * so check that we are allowed to query this zone.  Additionally
+	 * if we would refuse all updates for this zone we bail out here.
+	 */
+	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
+			    dns_zone_getupdateacl(zone), ssutable));
+
+	/*
+	 * Get old and new versions now that queryacl has been checked.
+	 */
 	dns_db_currentversion(db, &oldver);
 	CHECK(dns_db_newversion(db, &ver));
 
@@ -3598,7 +3647,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_NOMORE)
 		FAIL(result);
 
-
 	/*
 	 * Perform the final check of the "rrset exists (value dependent)"
 	 * prerequisites.

From 42f7c09369154ee1d7020d7d0f3a4e568c26cc42 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 05:49:31 +0000
Subject: [PATCH 371/385] prep for 9.7.0b2 release

---
 version | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version b/version
index 1f74f775b8..8cbe283a03 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.48 2009/10/05 22:48:07 each Exp $
+# $Id: version,v 1.49 2009/10/27 05:49:31 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=7
 PATCHVER=0
 RELEASETYPE=b
-RELEASEVER=1
+RELEASEVER=2

From 0ce9fba8f0efa1f8107fbcf194009ce1199769e9 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 05:49:50 +0000
Subject: [PATCH 372/385] cleanup DLV test

---
 bin/tests/system/dlv/ns3/sign.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index e3382cf719..3c14604e81 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.4 2007/06/19 23:47:02 tbox Exp $
+# $Id: sign.sh,v 1.5 2009/10/27 05:49:50 each Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -82,7 +82,7 @@ keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
+$SIGNER -g -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null
 echo "I: signed $zone"
 
 
@@ -162,7 +162,7 @@ $SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null
 echo "I: signed $zone"
 
 
-cat $keyname2.key | $PERL -n -e '
+grep -v '^;' $keyname2.key | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
 local $key = join("", @rest);
 print <
Date: Tue, 27 Oct 2009 05:57:06 +0000
Subject: [PATCH 373/385] cleanup ddns.key after nsupdate test

---
 bin/tests/system/nsupdate/clean.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index abde14b879..a24e607935 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -15,14 +15,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.15 2009/07/30 15:11:41 each Exp $
+# $Id: clean.sh,v 1.16 2009/10/27 05:57:06 each Exp $
 
 #
 # Clean up after zone transfer tests.
 #
 
 rm -f dig.out.ns1 dig.out.ns2 dig.out.ns1.after ns1/*.jnl ns2/*.jnl \
-    ns1/example.db ns1/update.db ns1/other.db
+    ns1/example.db ns1/update.db ns1/other.db ns1/ddns.key
 rm -f random.data
 rm -f ns2/example.bk
 rm -f ns2/update.bk

From 312a00fb7523ca878585064f3b3e23e3729bab8a Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 06:06:46 +0000
Subject: [PATCH 374/385] add named-symtbl.c to .cvsignore

---
 bin/named/.cvsignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/named/.cvsignore b/bin/named/.cvsignore
index 6b7b0aa1f9..419ad074bf 100644
--- a/bin/named/.cvsignore
+++ b/bin/named/.cvsignore
@@ -3,4 +3,5 @@ Makefile
 *.la
 *.lo
 named
+named-symtbl.c
 lwresd

From e3b59e4af757d4b26ecb96e65f9953488283c216 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 18:56:49 +0000
Subject: [PATCH 375/385] Minor cleanup in dnssec-* tools

---
 bin/dnssec/dnssec-keyfromlabel.c |  4 ++--
 bin/dnssec/dnssec-keygen.c       |  4 ++--
 bin/dnssec/dnssec-revoke.c       | 10 +++++++---
 bin/dnssec/dnssec-settime.c      | 10 +++++++---
 bin/dnssec/dnssec-signzone.c     |  4 ++--
 5 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 58eb349aaa..ed88a37445 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.24 2009/10/24 00:00:06 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.25 2009/10/27 18:56:48 each Exp $ */
 
 /*! \file */
 
@@ -190,7 +190,7 @@ main(int argc, char **argv) {
 			directory = isc_commandline_argument;
 			ret = try_dir(directory);
 			if (ret != ISC_R_SUCCESS)
-				fatal("Cannot write to directory %s: %s",
+				fatal("cannot open directory %s: %s",
 				      directory, isc_result_totext(ret));
 			break;
 		case 'k':
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index fb5782d110..b7ec3d1de0 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.104 2009/10/24 09:46:18 fdupont Exp $ */
+/* $Id: dnssec-keygen.c,v 1.105 2009/10/27 18:56:48 each Exp $ */
 
 /*! \file */
 
@@ -310,7 +310,7 @@ main(int argc, char **argv) {
 			directory = isc_commandline_argument;
 			ret = try_dir(directory);
 			if (ret != ISC_R_SUCCESS)
-				fatal("cannot write to directory %s: %s",
+				fatal("cannot open directory %s: %s",
 				      directory, isc_result_totext(ret));
 			break;
 		case 'k':
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index a04cabeecb..4df61fd5c0 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.17 2009/10/26 21:18:24 each Exp $ */
+/* $Id: dnssec-revoke.c,v 1.18 2009/10/27 18:56:48 each Exp $ */
 
 /*! \file */
 
@@ -156,8 +156,12 @@ main(int argc, char **argv) {
 	if (dir != NULL) {
 		filename = argv[isc_commandline_index];
 	} else {
-		isc_file_splitpath(mctx, argv[isc_commandline_index],
-				   &dir, &filename);
+		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+					    &dir, &filename);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot process filename %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(result));
 	}
 
 	if (ectx == NULL)
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 4a7f04811c..0fedbbb7f9 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.18 2009/10/26 21:18:24 each Exp $ */
+/* $Id: dnssec-settime.c,v 1.19 2009/10/27 18:56:49 each Exp $ */
 
 /*! \file */
 
@@ -317,8 +317,12 @@ main(int argc, char **argv) {
 	if (directory != NULL) {
 		filename = argv[isc_commandline_index];
 	} else {
-		isc_file_splitpath(mctx, argv[isc_commandline_index],
-				   &directory, &filename);
+		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+					    &directory, &filename);
+		if (result != ISC_R_SUCCESS)
+			fatal("cannot process filename %s: %s",
+			      argv[isc_commandline_index],
+			      isc_result_totext(result));
 	}
 
 	if (ectx == NULL)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index e493642e56..da80bd2205 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.250 2009/10/27 04:46:58 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.251 2009/10/27 18:56:49 each Exp $ */
 
 /*! \file */
 
@@ -3343,7 +3343,7 @@ main(int argc, char *argv[]) {
 				fatal("DS directory must be non-empty string");
 			result = try_dir(dsdir);
 			if (result != ISC_R_SUCCESS)
-				fatal("Cannot write to directory %s: %s",
+				fatal("cannot open directory %s: %s",
 				      dsdir, isc_result_totext(result));
 			break;
 

From e09cdbac087b88524ac40e943d040e2a032c48f2 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 22:25:37 +0000
Subject: [PATCH 376/385] 2738.   [func]          Add RSASHA256 and RSASHA512
 tests to the dnssec system                         test. [RT #20453]

---
 CHANGES                                       |   3 +
 bin/tests/system/dnssec/clean.sh              |   3 +-
 bin/tests/system/dnssec/ns1/sign.sh           |   4 +-
 bin/tests/system/dnssec/ns2/example.db.in     |   8 +-
 bin/tests/system/dnssec/ns2/sign.sh           |   7 +-
 bin/tests/system/dnssec/ns3/named.conf        |  12 +-
 .../system/dnssec/ns3/rsasha256.example.db.in |  33 +++
 .../system/dnssec/ns3/rsasha512.example.db.in |  33 +++
 bin/tests/system/dnssec/ns3/sign.sh           |  30 ++-
 bin/tests/system/dnssec/setup.sh              |   4 +-
 bin/tests/system/dnssec/tests.sh              |  22 +-
 configure.in                                  |  10 +-
 lib/dns/dst_api.c                             |  17 +-
 lib/dns/dst_internal.h                        |   5 +-
 lib/dns/opensslrsa_link.c                     | 251 +++++++++++-------
 15 files changed, 326 insertions(+), 116 deletions(-)
 create mode 100644 bin/tests/system/dnssec/ns3/rsasha256.example.db.in
 create mode 100644 bin/tests/system/dnssec/ns3/rsasha512.example.db.in

diff --git a/CHANGES b/CHANGES
index f89fac388b..d5a78f0488 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
+			test. [RT #20453]
+
 2737.	[func]		UPDATE requests can leak existance information.
 			[RT #17261]
 
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 3f207d5c6a..63b834be5d 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,12 +15,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.23 2008/09/25 04:02:38 tbox Exp $
+# $Id: clean.sh,v 1.24 2009/10/27 22:25:37 marka Exp $
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
 rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
 rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
 rm -f ns2/private.secure.example.db
 rm -f */example.bk
 rm -f dig.out.*
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 410450aeca..55e11bba45 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.28 2009/07/19 04:18:04 each Exp $
+# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index c2b5e987a7..24be4d5b8e 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.19 2008/09/25 04:02:38 tbox Exp $
+; $Id: example.db.in,v 1.20 2009/10/27 22:25:37 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -95,3 +95,9 @@ multiple		NS	ns.multiple
 ns.multiple		A	10.53.0.3
 
 *.wild			A	10.0.0.27
+
+rsasha256		NS	ns.rsasha256
+ns.rsasha256		A	10.53.0.3
+
+rsasha512		NS	ns.rsasha512
+ns.rsasha512		A	10.53.0.3
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index e9ce8f2e9f..17df3d2760 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.33 2009/07/19 04:18:04 each Exp $
+# $Id: sign.sh,v 1.34 2009/10/27 22:25:37 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -30,7 +30,8 @@ zonefile=example.db
 
 ( cd ../ns3 && sh sign.sh )
 
-for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown optout-unknown multiple
+for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
+    optout-unknown multiple rsasha256 rsasha512
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 38f4ad022d..78b6389951 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.33 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: named.conf,v 1.34 2009/10/27 22:25:37 marka Exp $ */
 
 // NS3
 
@@ -156,4 +156,14 @@ zone "rfc2335.example" {
 	file "rfc2335.example.bk";
 };
 
+zone "rsasha256.example" {
+	type master;
+	file "rsasha256.example.db.signed";
+};
+
+zone "rsasha512.example" {
+	type master;
+	file "rsasha512.example.db.signed";
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/rsasha256.example.db.in b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
new file mode 100644
index 0000000000..a25c07339f
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha256.example.db.in
@@ -0,0 +1,33 @@
+; Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha256.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/dnssec/ns3/rsasha512.example.db.in b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
new file mode 100644
index 0000000000..16ce88b6a7
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/rsasha512.example.db.in
@@ -0,0 +1,33 @@
+; Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha512.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2009102722 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
+x			CNAME	a
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index cc91ef6213..936de270d1 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.28 2009/09/25 06:47:50 each Exp $
+# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -222,3 +222,29 @@ mv $zonefile.signed $zonefile
 $SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
 $SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+
+#
+# A RSASHA256 zone.
+#
+zone=rsasha256.example.
+infile=rsasha256.example.db.in
+zonefile=rsasha256.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+
+#
+# A RSASHA512 zone.
+#
+zone=rsasha512.example.
+infile=rsasha512.example.db.in
+zonefile=rsasha512.example.db
+
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 913589b8f5..ca77f30a7d 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 #
 # Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.16 2009/03/02 23:47:43 tbox Exp $
+# $Id: setup.sh,v 1.17 2009/10/27 22:25:37 marka Exp $
 
 ../../../tools/genrandom 400 random.data
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 57faa63787..ff620024e6 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.53 2008/09/25 04:02:38 tbox Exp $
+# $Id: tests.sh,v 1.54 2009/10/27 22:25:37 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -607,6 +607,26 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking cd bit on a query that should fail ($n)"
 ret=0
 $DIG $DIGOPTS a.bogus.example. soa @10.53.0.4 \
diff --git a/configure.in b/configure.in
index af79aad318..e815f03bb0 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.486 $)
+AC_REVISION($Revision: 1.487 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -666,8 +666,10 @@ esac
 		else
 			AC_MSG_RESULT(no)
 		fi
+		AC_CHECK_FUNCS(EVP_sha256 EVP_sha512)
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
+
 		;;
 esac
 
@@ -1941,8 +1943,10 @@ int getnameinfo(const struct sockaddr *, socklen_t, char *,
                 socklen_t, char *, socklen_t, unsigned int);],
 [ return (0);],
 	[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
-	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)],
+	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
+		   [Define to the buffer length type used by getnameinfo(3).])
+	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+		   [Define to the flags type used by getnameinfo(3).])],
 [AC_TRY_COMPILE([
 #include 
 #include 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 9a08ed5d79..420aaf2a06 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.44 2009/10/24 09:46:18 fdupont Exp $
+ * $Id: dst_api.c,v 1.45 2009/10/27 22:25:37 marka Exp $
  */
 
 /*! \file */
@@ -201,11 +201,16 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 #ifdef OPENSSL
 	RETERR(dst__openssl_init(engine));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256]));
-	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
+				    DST_ALG_RSAMD5));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
+				    DST_ALG_RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
+				    DST_ALG_NSEC3RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
+				    DST_ALG_RSASHA256));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
+				    DST_ALG_RSASHA512));
 #ifdef HAVE_OPENSSL_DSA
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 19b0f8bf2c..84e461a70f 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.22 2009/10/24 09:46:19 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.23 2009/10/27 22:25:37 marka Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -201,7 +201,8 @@ isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
-isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
+isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
+				  unsigned char algorithm);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
 isc_result_t dst__gssapi_init(struct dst_func **funcp);
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 68b0a84d8c..dea074b51e 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,14 +17,19 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.33 2009/10/24 09:46:19 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.34 2009/10/27 22:25:37 marka Exp $
  */
 #ifdef OPENSSL
+#include 
+
 #ifndef USE_EVP
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
+#define USE_EVP 0
+#else
 #define USE_EVP 1
 #endif
+#endif
 
-#include 
 
 #include 
 #include 
@@ -106,86 +111,6 @@
 
 static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
-#if defined(USE_EVP) && OPENSSL_VERSION_NUMBER < 0x00908000L
-/*
- * OpenSSL 0.9.7 doesn't support SHA2.
- * Provide the method functions we need.
- */
-
-/*
- * Use our namespace, not OpenSSL's.
- */
-#define EVP_sha256 ISC_EVP_sha256
-#define EVP_sha512 ISC_EVP_sha512
-
-/*
- * OpensSSL 0.9.8 defines these.
- */
-#if 0
-#define NID_sha256WithRSAEncryption	668
-#define NID_sha256			672
-#define NID_sha512WithRSAEncryption	670
-#define NID_sha512			674
-#else
-#define NID_sha256WithRSAEncryption	0
-#define NID_sha256			0
-#define NID_sha512WithRSAEncryption	0
-#define NID_sha512			0
-#endif
-
-static int init256(EVP_MD_CTX *ctx)
-	{ isc_sha256_init(ctx->md_data); return 1; }
-static int update256(EVP_MD_CTX *ctx,const void *data, unsigned long count)
-	{ isc_sha256_update(ctx->md_data,data,count); return 1; }
-static int final256(EVP_MD_CTX *ctx,unsigned char *md)
-	{ isc_sha256_final(md,ctx->md_data); return 1; }
-
-static const EVP_MD sha256_md=
-	{
-	NID_sha256,
-	NID_sha256WithRSAEncryption,
-	ISC_SHA256_DIGESTLENGTH,
-	0,
-	init256,
-	update256,
-	final256,
-	NULL,
-	NULL,
-	EVP_PKEY_RSA_method,
-	ISC_SHA256_BLOCK_LENGTH,
-	sizeof(EVP_MD *)+sizeof(isc_sha256_t),
-	};
-
-static const EVP_MD *EVP_sha256(void)
-	{ return(&sha256_md); }
-
-static int init512(EVP_MD_CTX *ctx)
-	{ isc_sha512_init(ctx->md_data); return 1; }
-static int update512(EVP_MD_CTX *ctx,const void *data,unsigned long count)
-	{ isc_sha512_update(ctx->md_data,data,count); return 1; }
-static int final512(EVP_MD_CTX *ctx,unsigned char *md)
-	{ isc_sha512_final(md,ctx->md_data); return 1; }
-
-static const EVP_MD sha512_md=
-	{
-	NID_sha512,
-	NID_sha512WithRSAEncryption,
-	ISC_SHA512_DIGESTLENGTH,
-	0,
-	init512,
-	update512,
-	final512,
-	NULL,
-	NULL,
-	EVP_PKEY_RSA_method,
-	ISC_SHA512_BLOCK_LENGTH,
-	sizeof(EVP_MD *)+sizeof(isc_sha512_t),
-	};
-
-static const EVP_MD *EVP_sha512(void)
-	{ return(&sha512_md); }
-#endif
-
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 #if USE_EVP
@@ -213,12 +138,16 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	case DST_ALG_NSEC3RSASHA1:
 		type = EVP_sha1();	/* SHA1 + RSA */
 		break;
+#ifdef HAVE_EVP_SHA256
 	case DST_ALG_RSASHA256:
 		type = EVP_sha256();	/* SHA256 + RSA */
 		break;
+#endif
+#ifdef HAVE_EVP_SHA512
 	case DST_ALG_RSASHA512:
 		type = EVP_sha512();
 		break;
+#endif
 	default:
 		INSIST(0);
 	}
@@ -413,6 +342,21 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
 	return (ISC_R_SUCCESS);
 }
 
+#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
+/*
+ * Digest prefixes from RFC XXXX (draft-ietf-dnsext-dnssec-rsasha256-14).
+ */
+static unsigned char sha256_prefix[] =
+	 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+	   0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+static unsigned char sha512_prefix[] =
+	 { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+	   0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+#define PREFIXLEN sizeof(sha512_prefix)
+#else
+#define PREFIXLEN 0
+#endif
+
 static isc_result_t
 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	dst_key_t *key = dctx->key;
@@ -424,7 +368,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 #else
 	RSA *rsa = key->keydata.rsa;
 	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
 	int status;
 	int type = 0;
 	unsigned int digestlen = 0;
@@ -432,6 +376,10 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	unsigned long err;
 	const char* file;
 	int line;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	unsigned int prefixlen = 0;
+	const unsigned char *prefix = NULL;
+#endif
 #endif
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -478,8 +426,13 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
 
 			isc_sha256_final(digest, sha256ctx);
-			type = NID_sha256;
 			digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha256_prefix;
+			prefixlen = sizeof(sha256_prefix);
+#else
+			type = NID_sha256;
+#endif
 		}
 		break;
 	case DST_ALG_RSASHA512:
@@ -487,15 +440,53 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
 
 			isc_sha512_final(digest, sha512ctx);
-			type = NID_sha512;
 			digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha512_prefix;
+			prefixlen = sizeof(sha512_prefix);
+#else
+			type = NID_sha512;
+#endif
 		}
 		break;
 	default:
 		INSIST(0);
 	}
 
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		INSIST(type != 0);
+		status = RSA_sign(type, digest, digestlen, r.base,
+				  &siglen, rsa);
+		break;
+
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		INSIST(prefix != NULL);
+		INSIST(prefixlen != 0);
+		INSIST(prefixlen + digestlen <= sizeof(digest));
+
+		memmove(digest + prefixlen, digest, digestlen);
+		memcpy(digest, prefix, prefixlen);
+		status = RSA_private_encrypt(digestlen + prefixlen,
+					     digest, r.base, rsa,
+					     RSA_PKCS1_PADDING);
+		if (status < 0)
+			status = 0;
+		else
+			siglen = status;
+		break;
+
+	default:
+		INSIST(0);
+	}
+#else
+	INSIST(type != 0);
 	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
+#endif
 	if (status == 0) {
 		err = ERR_peek_error_line(&file, &line);
 		if (err != 0U) {
@@ -523,6 +514,10 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	int type = 0;
 	unsigned int digestlen = 0;
 	RSA *rsa = key->keydata.rsa;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	unsigned int prefixlen = 0;
+	const unsigned char *prefix = NULL;
+#endif
 #endif
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -559,8 +554,13 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
 
 			isc_sha256_final(digest, sha256ctx);
-			type = NID_sha256;
 			digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha256_prefix;
+			prefixlen = sizeof(sha256_prefix);
+#else
+			type = NID_sha256;
+#endif
 		}
 		break;
 	case DST_ALG_RSASHA512:
@@ -568,19 +568,70 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
 
 			isc_sha512_final(digest, sha512ctx);
-			type = NID_sha512;
 			digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha512_prefix;
+			prefixlen = sizeof(sha512_prefix);
+#else
+			type = NID_sha512;
+#endif
 		}
 		break;
 	default:
 		INSIST(0);
 	}
 
-	if (sig->length < (unsigned int) RSA_size(rsa))
+	if (sig->length != (unsigned int) RSA_size(rsa))
 		return (DST_R_VERIFYFAILURE);
 
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		INSIST(type != 0);
+		status = RSA_verify(type, digest, digestlen, sig->base,
+				    RSA_size(rsa), rsa);
+		break;
+
+	case DST_ALG_RSASHA256: 
+	case DST_ALG_RSASHA512:
+		{
+			/*
+			 * 1024 is big enough for all valid RSA bit sizes
+			 * for use with DNSSEC.
+			 */
+			unsigned char original[PREFIXLEN + 1024];
+
+			INSIST(prefix != NULL);
+			INSIST(prefixlen != 0U);
+
+			if (RSA_size(rsa) > (int)sizeof(original))
+				return (DST_R_VERIFYFAILURE);
+
+			status = RSA_public_decrypt(sig->length, sig->base,
+						    original, rsa,
+						    RSA_PKCS1_PADDING);
+			if (status <= 0) 
+				return (DST_R_VERIFYFAILURE);
+			if (status != (int)(prefixlen + digestlen)) 
+				return (DST_R_VERIFYFAILURE);
+			if (memcmp(original, prefix, prefixlen))
+				return (DST_R_VERIFYFAILURE);
+			if (memcmp(original + prefixlen, digest, digestlen))
+				return (DST_R_VERIFYFAILURE);
+			status = 1;
+		}
+		break;
+
+	default:
+		INSIST(0);
+	}
+#else
+	INSIST(type != 0);
 	status = RSA_verify(type, digest, digestlen, sig->base,
-			    RSA_size(rsa), rsa);
+			     RSA_size(rsa), rsa);
+#endif
 #endif
 	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
@@ -1328,10 +1379,26 @@ static dst_func_t opensslrsa_functions = {
 };
 
 isc_result_t
-dst__opensslrsa_init(dst_func_t **funcp) {
+dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
 	REQUIRE(funcp != NULL);
-	if (*funcp == NULL)
-		*funcp = &opensslrsa_functions;
+
+	if (*funcp == NULL) {
+		switch (algorithm) {
+		case DST_ALG_RSASHA256:
+#if defined(HAVE_EVP_SHA256) || !USE_EVP
+			*funcp = &opensslrsa_functions;
+#endif
+			break;
+		case DST_ALG_RSASHA512:
+#if defined(HAVE_EVP_SHA512) || !USE_EVP
+			*funcp = &opensslrsa_functions;
+#endif
+			break;
+		default:
+			*funcp = &opensslrsa_functions;
+			break;
+		}
+	}
 	return (ISC_R_SUCCESS);
 }
 

From 9a97696b543b9957049a663b4f73245589c47921 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 22:26:05 +0000
Subject: [PATCH 377/385] regen

---
 config.h.in |  29 +++++----
 configure   | 178 ++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 168 insertions(+), 39 deletions(-)

diff --git a/config.h.in b/config.h.in
index 38f5a16101..7a203857d1 100644
--- a/config.h.in
+++ b/config.h.in
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.121 2009/10/26 23:14:53 each Exp $ */
+/* $Id: config.h.in,v 1.122 2009/10/27 22:26:05 marka Exp $ */
 
 /*! \file */
 
@@ -144,6 +144,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if threads need PTHREAD_SCOPE_SYSTEM */
 #undef NEED_PTHREAD_SCOPE_SYSTEM
 
+/* Define to enable the "filter-aaaa-on-v4" option. */
+#undef ALLOW_FILTER_AAAA_ON_V4
+
 /* Define if recvmsg() does not meet all of the BSD socket API specifications.
    */
 #undef BROKEN_RECVMSG
@@ -163,6 +166,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the  header file. */
 #undef HAVE_DLFCN_H
 
+/* Define to 1 if you have the `EVP_sha256' function. */
+#undef HAVE_EVP_SHA256
+
+/* Define to 1 if you have the `EVP_sha512' function. */
+#undef HAVE_EVP_SHA512
+
 /* Define to 1 if you have the  header file. */
 #undef HAVE_FCNTL_H
 
@@ -181,6 +190,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `cap' library (-lcap). */
 #undef HAVE_LIBCAP
 
+/* if system have backtrace function */
+#undef HAVE_LIBCTRACE
+
 /* Define to 1 if you have the `c_r' library (-lc_r). */
 #undef HAVE_LIBC_R
 
@@ -289,8 +301,8 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the  header file. */
 #undef HAVE_UNISTD_H
 
-/* Defined if extern char *optarg is not declared. */
-#undef NEED_OPTARG
+/* return type of gai_srerror */
+#undef IRS_GAISTRERROR_RETURN_T
 
 /* Define to the buffer length type used by getnameinfo(3). */
 #undef IRS_GETNAMEINFO_BUFLEN_T
@@ -298,8 +310,8 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to the flags type used by getnameinfo(3). */
 #undef IRS_GETNAMEINFO_FLAGS_T
 
-/* Define to the return type of gai_strerror(3). */
-#undef IRS_GAISTRERROR_RETURN_T
+/* Defined if extern char *optarg is not declared. */
+#undef NEED_OPTARG
 
 /* Define if connect does not honour the permission on the UNIX domain socket.
    */
@@ -334,9 +346,6 @@ int sigwait(const unsigned int *set, int *sig);
    non-blocking. */
 #undef USE_FIONBIO_IOCTL
 
-/** define if the system have backtrace function. */
-#undef HAVE_LIBCTRACE
-
 /* define if idnkit support is to be included. */
 #undef WITH_IDN
 
@@ -365,7 +374,3 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to empty if the keyword `volatile' does not work. Warning: valid
    code using `volatile' can become incorrect without. Disable with care. */
 #undef volatile
-
-/* Define to enable the "filter-aaaa-on-v4" option. */
-#undef ALLOW_FILTER_AAAA_ON_V4
-
diff --git a/configure b/configure
index 0ccc615360..ca4278bf59 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.470 2009/10/16 04:18:04 marka Exp $
+# $Id: configure,v 1.471 2009/10/27 22:26:05 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,7 +29,7 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.485 .
+# From configure.in Revision: 1.487 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61.
 #
@@ -1671,6 +1671,8 @@ Optional Features:
 			  [default=autodetect]
   --enable-fixed-rrset    enable fixed rrset ordering
 			  [default=no]
+  --enable-filter-aaaa    enable filtering of AAAA records over IPv4
+			  [default=no]
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -3960,7 +3962,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3963 "configure"' > conftest.$ac_ext
+  echo '#line 3965 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -6908,11 +6910,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6911: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6913: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6915: \$? = $ac_status" >&5
+   echo "$as_me:6917: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7198,11 +7200,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7201: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7203: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7205: \$? = $ac_status" >&5
+   echo "$as_me:7207: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7302,11 +7304,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7305: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7307: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7309: \$? = $ac_status" >&5
+   echo "$as_me:7311: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9666,7 +9668,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext < conftest.$ac_ext <&5)
+   (eval echo "\"\$as_me:12176: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12178: \$? = $ac_status" >&5
+   echo "$as_me:12180: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12275,11 +12277,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12278: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12280: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12282: \$? = $ac_status" >&5
+   echo "$as_me:12284: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13858,11 +13860,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13861: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13863: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13865: \$? = $ac_status" >&5
+   echo "$as_me:13867: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13962,11 +13964,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13965: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13967: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13969: \$? = $ac_status" >&5
+   echo "$as_me:13971: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16173,11 +16175,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16176: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16178: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16180: \$? = $ac_status" >&5
+   echo "$as_me:16182: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16463,11 +16465,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16466: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16468: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16470: \$? = $ac_status" >&5
+   echo "$as_me:16472: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16567,11 +16569,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16570: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16572: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16574: \$? = $ac_status" >&5
+   echo "$as_me:16576: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -22794,8 +22796,104 @@ echo "${ECHO_T}yes" >&6; }
 			{ echo "$as_me:$LINENO: result: no" >&5
 echo "${ECHO_T}no" >&6; }
 		fi
+
+
+for ac_func in EVP_sha256 EVP_sha512
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case  declares $ac_func.
+   For example, HP-UX 11i  declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer  to  if __STDC__ is defined, since
+     exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include 
+#else
+# include 
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+  cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
+
 		;;
 esac
 
@@ -27615,11 +27713,13 @@ eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
        } && test -s conftest.$ac_objext; then
   { echo "$as_me:$LINENO: result: socklen_t for buflen; u_int for flags" >&5
 echo "${ECHO_T}socklen_t for buflen; u_int for flags" >&6; }
-	 cat >>confdefs.h <<\_ACEOF
+
+cat >>confdefs.h <<\_ACEOF
 #define IRS_GETNAMEINFO_BUFLEN_T socklen_t
 _ACEOF
 
-	 cat >>confdefs.h <<\_ACEOF
+
+cat >>confdefs.h <<\_ACEOF
 #define IRS_GETNAMEINFO_FLAGS_T unsigned int
 _ACEOF
 
@@ -31517,6 +31617,30 @@ _ACEOF
 		;;
 esac
 
+#
+# Activate "filter-aaaa-on-v4" or not?
+#
+# Check whether --enable-filter-aaaa was given.
+if test "${enable_filter_aaaa+set}" = set; then
+  enableval=$enable_filter_aaaa; enable_filter="$enableval"
+else
+  enable_filter="no"
+fi
+
+case "$enable_filter" in
+	yes)
+
+cat >>confdefs.h <<\_ACEOF
+#define ALLOW_FILTER_AAAA_ON_V4 1
+_ACEOF
+
+		;;
+	no)
+		;;
+	*)
+		;;
+esac
+
 #
 #  The following sets up how non-blocking i/o is established.
 #  Sunos, cygwin and solaris 2.x (x<5) require special handling.

From 95f2377b4f180a564d35343c8d150e8f03c98a52 Mon Sep 17 00:00:00 2001
From: Evan Hunt 
Date: Tue, 27 Oct 2009 22:46:13 +0000
Subject: [PATCH 378/385] 2739.	[cleanup]	Clean up API for initializing
 and clearing trust 			anchors for a view. [RT #20211]

---
 CHANGES                    |  3 ++
 bin/named/server.c         | 32 +++++++++++--------
 lib/dns/client.c           | 35 +++++++++++----------
 lib/dns/include/dns/view.h | 59 +++++++++++++++++++++++++++++++++--
 lib/dns/resolver.c         | 15 +++++----
 lib/dns/validator.c        |  9 ++++--
 lib/dns/view.c             | 34 +++++++++++++++++---
 lib/dns/zone.c             | 64 ++++++++++++++++++++++++++++----------
 8 files changed, 190 insertions(+), 61 deletions(-)

diff --git a/CHANGES b/CHANGES
index d5a78f0488..e928a4a2cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2739.	[cleanup]	Clean up API for initializing and clearing trust
+			anchors for a view. [RT #20211]
+
 2738.	[func]		Add RSASHA256 and RSASHA512 tests to the dnssec system
 			test. [RT #20453]
 
diff --git a/bin/named/server.c b/bin/named/server.c
index 6bedd20887..99ef01eff0 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.553 2009/10/26 23:14:53 each Exp $ */
+/* $Id: server.c,v 1.554 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -578,7 +578,10 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 	const cfg_listelt_t *elt, *elt2;
 	const cfg_obj_t *key, *keylist;
 	dst_key_t *dstkey = NULL;
-	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t result;
+	dns_keytable_t *secroots = NULL;
+
+	CHECK(dns_view_getsecroots(view, &secroots));
 
 	for (elt = cfg_list_first(keys);
 	     elt != NULL;
@@ -597,12 +600,14 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
 			}
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
-			CHECK(dns_keytable_add(view->secroots, managed,
-					       &dstkey));
+
+			CHECK(dns_keytable_add(secroots, managed, &dstkey));
 		}
 	}
 
  cleanup:
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 	if (result == DST_R_NOCRYPTO)
 		result = ISC_R_SUCCESS;
 	return (result);
@@ -628,14 +633,18 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
+	isc_boolean_t meta;
 	int i = 0;
 
 	/* We don't need trust anchors for the _bind view */
-	if (strcmp(view->name, "_bind") == 0) {
-		view->secroots = NULL;
+	if (strcmp(view->name, "_bind") == 0 &&
+	    view->rdclass == dns_rdataclass_chaos) {
 		return (ISC_R_SUCCESS);
 	}
 
+	meta = ISC_TF(strcmp(view->name, "_meta") == 0 &&
+		      view->rdclass == dns_rdataclass_in);
+
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
@@ -657,9 +666,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
 
-	if (view->secroots != NULL)
-		dns_keytable_detach(&view->secroots);
-	result = dns_keytable_create(mctx, &view->secroots);
+	result = dns_view_initsecroots(view, mctx);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
@@ -697,7 +704,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 		CHECK(load_view_keys(builtin_keys, vconfig, view,
 				     ISC_FALSE, mctx));
 
-		if (strcmp(view->name, "_meta") == 0)
+		if (meta)
 			CHECK(load_view_keys(builtin_managed_keys, vconfig,
 					     view, ISC_TRUE, mctx));
 	}
@@ -705,7 +712,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
 	CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx));
 
-	if (strcmp(view->name, "_meta") == 0)
+	if (meta)
 		CHECK(load_view_keys(global_managed_keys, vconfig, view,
 			       ISC_TRUE, mctx));
 
@@ -714,8 +721,7 @@ configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 }
 
 static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
-{
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *obj;
 	const char *str;
diff --git a/lib/dns/client.c b/lib/dns/client.c
index 3124cf4642..4e218b716d 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.5 2009/09/03 21:45:46 jinmei Exp $ */
+/* $Id: client.c,v 1.6 2009/10/27 22:46:13 each Exp $ */
 
 #include 
 
@@ -309,16 +309,11 @@ dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/*
-	 * Workaround for a recent change in dns_view_create(): proactively
-	 * create view->secroots if it's not created with view creation.
-	 */
-	if (view->secroots == NULL) {
-		result = dns_keytable_create(mctx, &view->secroots);
-		if (result != ISC_R_SUCCESS) {
-			dns_view_detach(&view);
-			return (result);
-		}
+	/* Initialize view security roots */
+	result = dns_view_initsecroots(view, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
 	}
 
 	result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
@@ -1398,6 +1393,7 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 	isc_result_t result;
 	dns_view_t *view = NULL;
 	dst_key_t *dstkey = NULL;
+	dns_keytable_t *secroots = NULL;
 
 	REQUIRE(DNS_CLIENT_VALID(client));
 
@@ -1406,17 +1402,24 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
 				   rdclass, &view);
 	UNLOCK(&client->lock);
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto cleanup;
+
+	result = dns_view_getsecroots(view, &secroots);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
 	result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
 				 &dstkey);
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto cleanup;
 
-	result = dns_keytable_add(view->secroots, ISC_FALSE, &dstkey);
-
-	dns_view_detach(&view);
+	result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
 
+ cleanup:
+	if (view != NULL)
+		dns_view_detach(&view);
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 	return (result);
 }
 
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 0f511384d1..b29d7ba14f 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.118 2009/06/30 02:52:32 each Exp $ */
+/* $Id: view.h,v 1.119 2009/10/27 22:46:13 each Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -92,7 +92,13 @@ struct dns_view {
 	dns_cache_t *			cache;
 	dns_db_t *			cachedb;
 	dns_db_t *			hints;
-	dns_keytable_t *		secroots;   /* security roots */
+
+	/*
+	 * security roots.
+	 * internal use only; access via * dns_view_getsecroots()
+	 */
+	dns_keytable_t *		secroots_priv;
+
 	isc_mutex_t			lock;
 	isc_boolean_t			frozen;
 	isc_task_t *			task;
@@ -904,4 +910,53 @@ dns_view_iscacheshared(dns_view_t *view);
  *\li	#ISC_FALSE otherwise.
  */
 
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view.  (Note that secroots is
+ * NULL until this function is called, so any function using
+ * secroots must check its validity first.  One way to do this is
+ * use dns_view_getsecroots() and check its return value.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'view->secroots' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			 isc_boolean_t *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key?  Put answer in
+ * '*secure_domain'.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other value indicates failure
+ */
 #endif /* DNS_VIEW_H */
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4cfc737e00..df1f2a4def 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.405 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: resolver.c,v 1.406 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -1691,9 +1691,8 @@ resquery_send(resquery_t *query) {
 	if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
 		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
 	} else if (res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots,
-						     &fctx->name,
-						     &secure_domain);
+		result = dns_view_issecuredomain(res->view, &fctx->name,
+						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			secure_domain = ISC_FALSE;
 		if (res->view->dlv != NULL)
@@ -4217,8 +4216,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	 * Is DNSSEC validation required for this name?
 	 */
 	if (res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots, name,
-						     &secure_domain);
+		result = dns_view_issecuredomain(res->view, name,
+						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 
@@ -4675,8 +4674,8 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	 * Is DNSSEC validation required for this name?
 	 */
 	if (fctx->res->view->enablevalidation) {
-		result = dns_keytable_issecuredomain(res->view->secroots, name,
-						     &secure_domain);
+		result = dns_view_issecuredomain(res->view, name,
+						 &secure_domain);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 8f8f331296..88582cd5a5 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.178 2009/06/30 02:52:32 each Exp $ */
+/* $Id: validator.c,v 1.179 2009/10/27 22:46:13 each Exp $ */
 
 #include 
 
@@ -3651,6 +3651,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		return (ISC_R_NOMEMORY);
 	val->view = NULL;
 	dns_view_weakattach(view, &val->view);
+
 	event = (dns_validatorevent_t *)
 		isc_event_allocate(view->mctx, task,
 				   DNS_EVENT_VALIDATORSTART,
@@ -3679,8 +3680,12 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	val->fetch = NULL;
 	val->subvalidator = NULL;
 	val->parent = NULL;
+
 	val->keytable = NULL;
-	dns_keytable_attach(val->view->secroots, &val->keytable);
+	result = dns_view_getsecroots(val->view, &val->keytable);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	val->keynode = NULL;
 	val->key = NULL;
 	val->siginfo = NULL;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 0c477c3656..2265a4934a 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.156 2009/09/01 00:22:26 jinmei Exp $ */
+/* $Id: view.c,v 1.157 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -97,7 +97,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		goto cleanup_mutex;
 	}
 #endif
-	view->secroots = NULL;
+	view->secroots_priv = NULL;
 	view->fwdtable = NULL;
 	result = dns_fwdtable_create(mctx, &view->fwdtable);
 	if (result != ISC_R_SUCCESS) {
@@ -354,8 +354,8 @@ destroy(dns_view_t *view) {
 		isc_stats_detach(&view->resstats);
 	if (view->resquerystats != NULL)
 		dns_stats_detach(&view->resquerystats);
-	if (view->secroots != NULL)
-		dns_keytable_detach(&view->secroots);
+	if (view->secroots_priv != NULL)
+		dns_keytable_detach(&view->secroots_priv);
 	dns_fwdtable_destroy(&view->fwdtable);
 	dns_aclenv_destroy(&view->aclenv);
 	DESTROYLOCK(&view->lock);
@@ -1531,3 +1531,29 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
 	if (view->resquerystats != NULL)
 		dns_stats_attach(view->resquerystats, statsp);
 }
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->secroots_priv != NULL)
+		dns_keytable_detach(&view->secroots_priv);
+	return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ktp != NULL && *ktp == NULL);
+	if (view->secroots_priv == NULL)
+		return (ISC_R_NOTFOUND);
+	dns_keytable_attach(view->secroots_priv, ktp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			 isc_boolean_t *secure_domain) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (dns_keytable_issecuredomain(view->secroots_priv, name,
+					    secure_domain));
+}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3bb7094f11..72cb8c1002 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.521 2009/10/27 03:59:45 each Exp $ */
+/* $Id: zone.c,v 1.522 2009/10/27 22:46:13 each Exp $ */
 
 /*! \file */
 
@@ -2705,6 +2705,7 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 	unsigned char data[4096];
 	isc_buffer_t buffer;
 	dns_view_t *view;
+	dns_keytable_t *sr = NULL;
 
 	/* Convert dnskey to DST key. */
 	isc_buffer_init(&buffer, data, sizeof(data));
@@ -2713,15 +2714,20 @@ trust_key(dns_viewlist_t *viewlist, dns_name_t *keyname,
 
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL) {
-			dst_key_t *key = NULL;
-			CHECK(dns_dnssec_keyfromrdata(keyname, &rdata,
-						      mctx, &key));
-			CHECK(dns_keytable_add(view->secroots, ISC_TRUE, &key));
-		}
+		dst_key_t *key = NULL;
+
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key));
+		CHECK(dns_keytable_add(sr, ISC_TRUE, &key));
+		dns_keytable_detach(&sr);
 	}
 
   failure:
+	if (sr != NULL)
+		dns_keytable_detach(&sr);
 	return;
 }
 
@@ -2755,9 +2761,13 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
 
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots == NULL)
+		dns_keytable_t *sr = NULL;
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
 			continue;
-		dns_keytable_deletekeynode(view->secroots, key);
+
+		dns_keytable_deletekeynode(sr, key);
+		dns_keytable_detach(&sr);
 	}
 
 	dst_key_free(&key);
@@ -2769,13 +2779,20 @@ untrust_key(dns_viewlist_t *viewlist, dns_name_t *keyname, isc_mem_t *mctx,
  */
 static void
 fail_secure(dns_viewlist_t *viewlist, dns_name_t *keyname) {
+	isc_result_t result;
 	dns_view_t *view;
 
 	for (view = ISC_LIST_HEAD(*viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL)
-			dns_keytable_marksecure(view->secroots, keyname);
+		dns_keytable_t *sr = NULL;
+
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		dns_keytable_marksecure(sr, keyname);
+		dns_keytable_detach(&sr);
 	}
 }
 
@@ -2801,8 +2818,14 @@ load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
 	/* For each view, delete references to this key from secroots. */
 	for (view = ISC_LIST_HEAD(*viewlist); view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		if (view->secroots != NULL)
-			dns_keytable_delete(view->secroots, name);
+		dns_keytable_t *sr = NULL;
+
+		result = dns_view_getsecroots(view, &sr);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		dns_keytable_delete(sr, name);
+		dns_keytable_detach(&sr);
 	}
 
 	/* Now insert all the accepted trust anchors from this keydata set. */
@@ -3029,7 +3052,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	dns_name_t foundname, *origin;
 	dns_keynode_t *keynode = NULL;
 	dns_view_t *view = zone->view;
-	dns_keytable_t *sr = view->secroots;
+	dns_keytable_t *sr = NULL;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
 	dns_rriterator_t rrit;
@@ -3042,6 +3065,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 
 	dns_diff_init(zone->mctx, &diff);
 
+	CHECK(dns_view_getsecroots(view, &sr));
+
 	result = dns_db_newversion(db, &ver);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
@@ -3150,6 +3175,8 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	}
 
  failure:
+ 	if (sr != NULL)
+		dns_keytable_detach(&sr);
 	if (ver != NULL)
 		dns_db_closeversion(db, &ver, changed);
 	dns_diff_clear(&diff);
@@ -6994,7 +7021,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent;
 	dns_keyfetch_t *kfetch;
 	dns_zone_t *zone;
-	dns_keytable_t *secroots;
+	dns_keytable_t *secroots = NULL;
 	dns_dbversion_t *ver = NULL;
 	dns_diff_t diff;
 	isc_boolean_t changed = ISC_FALSE;
@@ -7020,7 +7047,6 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	kfetch = event->ev_arg;
 	zone = kfetch->zone;
-	secroots = zone->view->secroots;
 	keyname = dns_fixedname_name(&kfetch->name);
 
 	devent = (dns_fetchevent_t *) event;
@@ -7037,6 +7063,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	isc_stdtime_get(&now);
 	dns_name_format(keyname, namebuf, sizeof(namebuf));
 
+	result = dns_view_getsecroots(zone->view, &secroots);
+	INSIST(result == ISC_R_SUCCESS);
+
 	LOCK_ZONE(zone);
 	dns_db_newversion(kfetch->db, &ver);
 	dns_diff_init(zone->mctx, &diff);
@@ -7431,6 +7460,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 	dns_name_free(keyname, zone->mctx);
 	isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
 }
 
 /*

From e9d45c0a0456d6267d9ea220751b6e495c55a8cf Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Tue, 27 Oct 2009 23:05:53 +0000
Subject: [PATCH 379/385] 2740.   [func]          Identify bad answers from
 GTLD servers and treat them                         as referrals. [RT #18884]

---
 CHANGES            |   3 +
 lib/dns/resolver.c | 133 ++++++++++++++++++++++++++++++++++-----------
 2 files changed, 105 insertions(+), 31 deletions(-)

diff --git a/CHANGES b/CHANGES
index e928a4a2cc..c1bbb144db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2740.	[func]		Identify bad answers from GTLD servers and treat them
+			as referrals. [RT #18884]
+
 2739.	[cleanup]	Clean up API for initializing and clearing trust
 			anchors for a view. [RT #20211]
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index df1f2a4def..1f5d7796b7 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.406 2009/10/27 22:46:13 each Exp $ */
+/* $Id: resolver.c,v 1.407 2009/10/27 23:05:53 marka Exp $ */
 
 /*! \file */
 
@@ -4819,7 +4819,9 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
 }
 
 static isc_result_t
-check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+	      dns_section_t section)
+{
 	fetchctx_t *fctx = arg;
 	isc_result_t result;
 	dns_name_t *name;
@@ -4830,15 +4832,19 @@ check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
 
 	REQUIRE(VALID_FCTX(fctx));
 
+#if CHECK_FOR_GLUE_IN_ANSWER
+	if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
+		return (ISC_R_SUCCESS);
+#endif
+
 	if (GLUING(fctx))
 		gluing = ISC_TRUE;
 	else
 		gluing = ISC_FALSE;
 	name = NULL;
 	rdataset = NULL;
-	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
-				      addname, dns_rdatatype_any, 0, &name,
-				      NULL);
+	result = dns_message_findname(fctx->rmessage, section, addname,
+				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		if (type == dns_rdatatype_a) {
@@ -4876,6 +4882,21 @@ check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
+}
+
+#ifndef CHECK_FOR_GLUE_IN_ANSWER
+#define CHECK_FOR_GLUE_IN_ANSWER 0
+#endif
+#if CHECK_FOR_GLUE_IN_ANSWER
+static isc_result_t
+check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
+}
+#endif
+
 static void
 chase_additional(fetchctx_t *fctx) {
 	isc_boolean_t rescan;
@@ -5103,14 +5124,13 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
 
 /*
  * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
- * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
- * response to an NS query that should be treated as a referral
- * even though the NS records occur in the answer section
- * rather than the authority section.
+ * If look_in_answer is ISC_TRUE then we look in the answer section
+ * for the NS RRset if the query type is NS or look for glue incorrectly
+ * returned in the answer section for A and AAAA queries.
  */
 static isc_result_t
 noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
-		  isc_boolean_t bind8_ns_resp)
+		  isc_boolean_t look_in_answer)
 {
 	isc_result_t result;
 	dns_message_t *message;
@@ -5118,11 +5138,15 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t aa, negative_response;
 	dns_rdatatype_t type;
-	dns_section_t section =
-		bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
+	dns_section_t section;
 
 	FCTXTRACE("noanswer_response");
 
+	if (fctx->type == dns_rdatatype_ns && look_in_answer)
+		section = DNS_SECTION_ANSWER;
+	else
+		section = DNS_SECTION_AUTHORITY;
+
 	message = fctx->rmessage;
 
 	/*
@@ -5403,6 +5427,20 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		fctx->attributes |= FCTX_ATTR_GLUING;
 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
 						  fctx);
+#if CHECK_FOR_GLUE_IN_ANSWER
+		/*
+		 * Look in the answer section for "glue" that is incorrectly
+		 * returned as a answer.  This is needed if the server also
+		 * minimizes the response size by not adding records to the
+		 * additional section that are in the answer section or if
+		 * the record gets dropped due to message size constraints.
+		 */
+		if (look_in_answer &&
+		    (fctx->type == dns_rdatatype_aaaa ||
+		     fctx->type == dns_rdatatype_a))
+			(void)dns_rdataset_additionaldata(ns_rdataset,
+							  check_answer, fctx);
+#endif
 		fctx->attributes &= ~FCTX_ATTR_GLUING;
 		/*
 		 * NS rdatasets with 0 TTL cause problems.
@@ -6137,6 +6175,16 @@ log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
 		isc_mem_put(mctx, buf, len);
 }
 
+static isc_boolean_t
+iscname(fetchctx_t *fctx) {
+	isc_result_t result;
+
+	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
+				      &fctx->name, dns_rdatatype_cname, 0,
+				      NULL, NULL);
+	return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
+}
+
 static void
 resquery_response(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -6576,27 +6624,51 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	    (message->rcode == dns_rcode_noerror ||
 	     message->rcode == dns_rcode_nxdomain)) {
 		/*
-		 * We've got answers.  However, if we sent
-		 * a BIND 8 server an NS query, it may have
-		 * incorrectly responded with a non-authoritative
-		 * answer instead of a referral.  Since this
-		 * answer lacks the SIGs necessary to do DNSSEC
-		 * validation, we must invoke the following special
-		 * kludge to treat it as a referral.
+		 * [normal case]
+		 * We've got answers.  If it has an authoritative answer or an
+		 * answer from a forwarder, we're done.
 		 */
-		if (fctx->type == dns_rdatatype_ns &&
-		    (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
-		    !ISFORWARDER(query->addrinfo))
-		{
-			result = noanswer_response(fctx, NULL, ISC_TRUE);
+		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
+		    ISFORWARDER(query->addrinfo))
+			result = answer_response(fctx);
+		else if (iscname(fctx) &&
+			 fctx->type != dns_rdatatype_any &&
+			 fctx->type != dns_rdatatype_cname) {
+			/*
+			 * A BIND8 server could return a non-authoritative
+			 * answer when a CNAME is followed.  We should treat
+			 * it as a valid answer.
+			 */
+			result = answer_response(fctx);
+		} else {
+			if (fctx->type == dns_rdatatype_ns) {
+				/*
+				 * A BIND 8 server could incorrectly return a
+				 * non-authoritative answer to an NS query
+				 * instead of a referral. Since this answer
+				 * lacks the SIGs necessary to do DNSSEC
+				 * validation, we must invoke the following
+				 * special kludge to treat it as a referral.
+				 */
+				result = noanswer_response(fctx, NULL,
+							   ISC_TRUE);
+			} else {
+				/*
+				 * Some other servers may still somehow include
+				 * an answer when it should return a referral
+				 * with an empty answer.  Check to see if we can
+				 * treat this as a referral by ignoring the
+				 * answer.
+				 */
+				result = noanswer_response(fctx, NULL,
+							   ISC_TRUE);
+			}
 			if (result != DNS_R_DELEGATION) {
 				/*
-				 * The answer section must have contained
-				 * something other than the NS records
-				 * we asked for.  Since AA is not set
-				 * and the server is not a forwarder,
-				 * it is technically lame and it's easier
-				 * to treat it as such than to figure out
+				 * At this point, AA is not set, the response
+				 * is not a referral, and the server is not a
+				 * forwarder.  It is technically lame and it's
+				 * easier to treat it as such than to figure out
 				 * some more elaborate course of action.
 				 */
 				broken_server = DNS_R_LAME;
@@ -6605,7 +6677,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			}
 			goto force_referral;
 		}
-		result = answer_response(fctx);
 		if (result != ISC_R_SUCCESS) {
 			if (result == DNS_R_FORMERR)
 				keep_trying = ISC_TRUE;

From fb93a46d74ba83c1fd5ce2e168e122fd3b5898ad Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 27 Oct 2009 23:18:42 +0000
Subject: [PATCH 380/385] auto update

---
 doc/private/branches | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/private/branches b/doc/private/branches
index 1093fd87e2..b0cb12eb21 100644
--- a/doc/private/branches
+++ b/doc/private/branches
@@ -246,6 +246,7 @@ rt20062				new	marka	// 2009-08-10 05:00 +0000
 rt20062a			new	marka	// 2009-09-14 04:51 +0000
 rt20112				new	marka	// 2009-08-18 05:22 +0000
 rt20191				new	vjs	// 2009-09-20 01:55 +0000
+rt20211				new	each	// 2009-10-27 21:09 +0000
 rt20225				new	fdupont	// 2009-09-18 11:50 +0000
 rt20229				new	fdupont	// 2009-09-23 22:33 +0000
 rt20230				new	fdupont	// 2009-09-19 22:45 +0000
@@ -272,6 +273,7 @@ rt20405				new	each	// 2009-10-14 05:15 +0000
 rt20406				new	each	// 2009-10-20 00:14 +0000
 rt20421				new	each	// 2009-10-20 19:04 +0000
 rt20453				new	marka	// 2009-10-23 12:52 +0000
+rt20474				new	each	// 2009-10-27 05:30 +0000
 shane_dbbackend			open	
 skan				open	explorer
 skan-metazones1			private	explorer

From 4104e236f71eb5108fcfda6711878a97f6f4a8e7 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 27 Oct 2009 23:30:34 +0000
Subject: [PATCH 381/385] newcopyrights

---
 util/copyrights | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/util/copyrights b/util/copyrights
index 83e5ef3d61..3556e91f0b 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -138,7 +138,7 @@
 ./bin/dnssec/win32/signzone.dsp			X	2001,2004,2005,2006,2009
 ./bin/dnssec/win32/signzone.dsw			X	2001
 ./bin/dnssec/win32/signzone.mak			X	2001,2004,2005,2006,2009
-./bin/named/.cvsignore				X	1999,2000,2001,2007,2008
+./bin/named/.cvsignore				X	1999,2000,2001,2007,2008,2009
 ./bin/named/Makefile.in				MAKE	1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./bin/named/bind.keys.h				X	2009
 ./bin/named/bind9.xsl				SGML	2006,2007,2008,2009
@@ -590,7 +590,7 @@
 ./bin/tests/system/dlv/ns3/dlv.db.in		ZONE	2004,2007
 ./bin/tests/system/dlv/ns3/hints		ZONE	2004,2007
 ./bin/tests/system/dlv/ns3/named.conf		CONF-C	2004,2007
-./bin/tests/system/dlv/ns3/sign.sh		SH	2004,2007
+./bin/tests/system/dlv/ns3/sign.sh		SH	2004,2007,2009
 ./bin/tests/system/dlv/ns4/child.db		ZONE	2004,2007
 ./bin/tests/system/dlv/ns4/hints		ZONE	2004,2007
 ./bin/tests/system/dlv/ns4/named.conf		CONF-C	2004,2007
@@ -600,7 +600,7 @@
 ./bin/tests/system/dlv/setup.sh			SH	2004,2007,2009
 ./bin/tests/system/dlv/tests.sh			SH	2004,2007
 ./bin/tests/system/dnssec/README		TXT.BRIEF	2000,2001,2002,2004
-./bin/tests/system/dnssec/clean.sh		SH	2000,2001,2002,2004,2007,2008
+./bin/tests/system/dnssec/clean.sh		SH	2000,2001,2002,2004,2007,2008,2009
 ./bin/tests/system/dnssec/dnssec_update_test.pl	PERL	2002,2004,2007
 ./bin/tests/system/dnssec/ns1/.cvsignore	X	2000,2001
 ./bin/tests/system/dnssec/ns1/named.conf	CONF-C	2000,2001,2004,2006,2007
@@ -611,7 +611,7 @@
 ./bin/tests/system/dnssec/ns2/child.optout.example.db	ZONE	2006,2008
 ./bin/tests/system/dnssec/ns2/dlv.db.in		ZONE	2004,2007
 ./bin/tests/system/dnssec/ns2/dst.example.db.in	ZONE	2004,2007
-./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004,2007,2008
+./bin/tests/system/dnssec/ns2/example.db.in	ZONE	2000,2001,2002,2004,2007,2008,2009
 ./bin/tests/system/dnssec/ns2/insecure.secure.example.db	ZONE	2000,2001,2004,2007
 ./bin/tests/system/dnssec/ns2/named.conf	CONF-C	2000,2001,2002,2004,2006,2007,2008
 ./bin/tests/system/dnssec/ns2/private.secure.example.db.in	ZONE	2000,2001,2004,2007
@@ -625,7 +625,7 @@
 ./bin/tests/system/dnssec/ns3/insecure.optout.example.db	ZONE	2008
 ./bin/tests/system/dnssec/ns3/keyless.example.db.in	ZONE	2001,2002,2004,2007
 ./bin/tests/system/dnssec/ns3/multiple.example.db.in	ZONE	2006,2008
-./bin/tests/system/dnssec/ns3/named.conf	CONF-C	2000,2001,2002,2004,2006,2007,2008
+./bin/tests/system/dnssec/ns3/named.conf	CONF-C	2000,2001,2002,2004,2006,2007,2008,2009
 ./bin/tests/system/dnssec/ns3/nsec3-unknown.example.db.in	ZONE	2006,2008
 ./bin/tests/system/dnssec/ns3/nsec3.example.db.in	ZONE	2006,2008
 ./bin/tests/system/dnssec/ns3/nsec3.nsec3.example.db.in	ZONE	2008
@@ -634,6 +634,8 @@
 ./bin/tests/system/dnssec/ns3/optout.example.db.in	ZONE	2006,2008
 ./bin/tests/system/dnssec/ns3/optout.nsec3.example.db.in	ZONE	2008
 ./bin/tests/system/dnssec/ns3/optout.optout.example.db.in	ZONE	2008
+./bin/tests/system/dnssec/ns3/rsasha256.example.db.in	ZONE	2009
+./bin/tests/system/dnssec/ns3/rsasha512.example.db.in	ZONE	2009
 ./bin/tests/system/dnssec/ns3/secure.example.db.in	ZONE	2000,2001,2004,2007,2008
 ./bin/tests/system/dnssec/ns3/secure.nsec3.example.db.in	ZONE	2008
 ./bin/tests/system/dnssec/ns3/secure.optout.example.db.in	ZONE	2008
@@ -647,7 +649,7 @@
 ./bin/tests/system/dnssec/ns7/named.conf	CONF-C	2006,2008
 ./bin/tests/system/dnssec/prereq.sh		SH	2000,2001,2002,2004,2006,2007,2009
 ./bin/tests/system/dnssec/setup.sh		SH	2000,2001,2004,2007,2009
-./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006,2007,2008
+./bin/tests/system/dnssec/tests.sh		SH	2000,2001,2002,2004,2005,2006,2007,2008,2009
 ./bin/tests/system/forward/clean.sh		SH	2000,2001,2004,2007
 ./bin/tests/system/forward/ns1/.cvsignore	X	2000,2001
 ./bin/tests/system/forward/ns1/example.db	X	2000,2001

From 990dca4605f47703dfdadacb594fbafe01760661 Mon Sep 17 00:00:00 2001
From: Automatic Updater 
Date: Tue, 27 Oct 2009 23:47:45 +0000
Subject: [PATCH 382/385] update copyright notice

---
 bin/tests/system/dlv/ns3/sign.sh          | 4 ++--
 bin/tests/system/dnssec/clean.sh          | 4 ++--
 bin/tests/system/dnssec/ns2/example.db.in | 4 ++--
 bin/tests/system/dnssec/ns3/named.conf    | 4 ++--
 bin/tests/system/dnssec/tests.sh          | 4 ++--
 lib/dns/opensslrsa_link.c                 | 8 ++++----
 lib/dns/rbtdb.c                           | 4 ++--
 lib/dns/zone.c                            | 4 ++--
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index 3c14604e81..e7a832aa2b 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.5 2009/10/27 05:49:50 each Exp $
+# $Id: sign.sh,v 1.6 2009/10/27 23:47:44 tbox Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index 63b834be5d..0f866b2249 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.24 2009/10/27 22:25:37 marka Exp $
+# $Id: clean.sh,v 1.25 2009/10/27 23:47:44 tbox Exp $
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 24be4d5b8e..9a47023b87 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.20 2009/10/27 22:25:37 marka Exp $
+; $Id: example.db.in,v 1.21 2009/10/27 23:47:44 tbox Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
index 78b6389951..c3f7d10de9 100644
--- a/bin/tests/system/dnssec/ns3/named.conf
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.34 2009/10/27 22:25:37 marka Exp $ */
+/* $Id: named.conf,v 1.35 2009/10/27 23:47:44 tbox Exp $ */
 
 // NS3
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index ff620024e6..30a9ec96b1 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.54 2009/10/27 22:25:37 marka Exp $
+# $Id: tests.sh,v 1.55 2009/10/27 23:47:44 tbox Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index dea074b51e..d782d8814e 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.34 2009/10/27 22:25:37 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.35 2009/10/27 23:47:45 tbox Exp $
  */
 #ifdef OPENSSL
 #include 
@@ -594,7 +594,7 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 				    RSA_size(rsa), rsa);
 		break;
 
-	case DST_ALG_RSASHA256: 
+	case DST_ALG_RSASHA256:
 	case DST_ALG_RSASHA512:
 		{
 			/*
@@ -612,9 +612,9 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 			status = RSA_public_decrypt(sig->length, sig->base,
 						    original, rsa,
 						    RSA_PKCS1_PADDING);
-			if (status <= 0) 
+			if (status <= 0)
 				return (DST_R_VERIFYFAILURE);
-			if (status != (int)(prefixlen + digestlen)) 
+			if (status != (int)(prefixlen + digestlen))
 				return (DST_R_VERIFYFAILURE);
 			if (memcmp(original, prefix, prefixlen))
 				return (DST_R_VERIFYFAILURE);
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index dc01dd9e42..ee7161c77b 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.284 2009/10/27 04:46:58 marka Exp $ */
+/* $Id: rbtdb.c,v 1.285 2009/10/27 23:47:45 tbox Exp $ */
 
 /*! \file */
 
@@ -6147,7 +6147,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		newnsec = ISC_TRUE;
 	else
 		newnsec = ISC_FALSE;
-	
+
 	/*
 	 * If we're adding a delegation type, adding to the auxiliary NSEC tree,
 	 * or the DB is a cache in an overmem state, hold an exclusive lock on
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 72cb8c1002..a0e3509545 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.522 2009/10/27 22:46:13 each Exp $ */
+/* $Id: zone.c,v 1.523 2009/10/27 23:47:45 tbox Exp $ */
 
 /*! \file */
 
@@ -3175,7 +3175,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
 	}
 
  failure:
- 	if (sr != NULL)
+	if (sr != NULL)
 		dns_keytable_detach(&sr);
 	if (ver != NULL)
 		dns_db_closeversion(db, &ver, changed);

From c6d2578fd67bc1a427d13fd0699b25a187feec8a Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 28 Oct 2009 00:27:10 +0000
Subject: [PATCH 383/385] 2741.   [func]          Allow the dnssec-keygen
 progress messages to be                         suppressed (dnssec-keygen
 -q).  Automatically                         suppress the progress messages
 when stdin is not                         a tty. [RT #20474]

---
 CHANGES                             |  5 ++++
 bin/dnssec/dnssec-keygen.c          | 38 +++++++++++++++++++++++------
 bin/dnssec/dnssec-keygen.docbook    | 22 ++++++++++++++++-
 bin/tests/system/dnssec/ns1/sign.sh |  4 +--
 bin/tests/system/dnssec/ns2/sign.sh | 10 ++++----
 bin/tests/system/dnssec/ns3/sign.sh | 38 ++++++++++++++---------------
 bin/tests/system/dnssec/prereq.sh   |  4 +--
 7 files changed, 85 insertions(+), 36 deletions(-)

diff --git a/CHANGES b/CHANGES
index c1bbb144db..88ed07126c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+2741.	[func]		Allow the dnssec-keygen progress messages to be
+			suppressed (dnssec-keygen -q).  Automatically 
+			suppress the progress messages when stdin is not
+			a tty. [RT #20474]
+
 2740.	[func]		Identify bad answers from GTLD servers and treat them
 			as referrals. [RT #18884]
 
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index b7ec3d1de0..b40d477a71 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.105 2009/10/27 18:56:48 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.106 2009/10/28 00:27:10 marka Exp $ */
 
 /*! \file */
 
@@ -37,6 +37,7 @@
 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -175,7 +176,7 @@ progress(int p)
 		c = '*';
 		break;
 	case 3:
-		c = '\n';
+		c = ' ';
 		break;
 	default:
 		break;
@@ -225,6 +226,8 @@ main(int argc, char **argv) {
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
 	isc_boolean_t	genonly = ISC_FALSE;
+	isc_boolean_t	quiet = ISC_FALSE;
+	isc_boolean_t	show_progress = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -236,7 +239,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:qr:s:T:t:v:hGP:A:R:I:D:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -329,6 +332,9 @@ main(int argc, char **argv) {
 				fatal("-p must be followed by a number "
 				      "[0..255]");
 			break;
+		case 'q':
+			quiet = ISC_TRUE;
+			break;
 		case 'r':
 			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
@@ -443,6 +449,9 @@ main(int argc, char **argv) {
 		}
 	}
 
+	if (!isatty(0))
+		quiet = ISC_TRUE;
+
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
 	ret = dst_lib_init2(mctx, ectx, engine,
@@ -688,12 +697,18 @@ main(int argc, char **argv) {
 	case DNS_KEYALG_RSASHA256:
 	case DNS_KEYALG_RSASHA512:
 		param = rsa_exp;
+		show_progress = ISC_TRUE;
 		break;
+
 	case DNS_KEYALG_DH:
 		param = generator;
 		break;
+
 	case DNS_KEYALG_DSA:
 	case DNS_KEYALG_NSEC3DSA:
+		show_progress = ISC_TRUE;
+		/* fall through */
+
 	case DST_ALG_HMACMD5:
 	case DST_ALG_HMACSHA1:
 	case DST_ALG_HMACSHA224:
@@ -713,10 +728,19 @@ main(int argc, char **argv) {
 		conflict = ISC_FALSE;
 		oldkey = NULL;
 
-		/* generate the key */
-		ret = dst_key_generate2(name, alg, size, param, flags,
-					protocol, rdclass, mctx, &key,
-					&progress);
+		if (!quiet && show_progress) {
+			fprintf(stderr, "Generating key pair.");
+			ret = dst_key_generate2(name, alg, size, param, flags,
+						protocol, rdclass, mctx, &key,
+						&progress);
+			putc('\n', stderr);
+			fflush(stderr);
+		} else {
+			ret = dst_key_generate2(name, alg, size, param, flags,
+						protocol, rdclass, mctx, &key,
+						NULL);
+		}
+
 		isc_entropy_stopcallbacksources(ectx);
 
 		if (ret != ISC_R_SUCCESS) {
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 5afc009fd2..713e3ca847 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-
+
 
   
     June 30, 2000
@@ -75,6 +75,7 @@
       
       
       
+      
       
       
       
@@ -304,6 +305,25 @@
         
       
 
+      
+        -q
+        
+          
+            Quiet mode: Suppresses unnecessary output, including
+            progress indication.  Without this option, when
+            dnssec-keygen is run interactively
+            to generate an RSA or DSA key pair, it will print a string
+            of symbols to stderr indicating the
+            progress of the key generation.  A '.' indicates that a
+            random number has been found which passed an initial
+            sieve test; '+' means a number has passed a single
+            round of the Miller-Rabin primality test; a space
+            means that the number has passed all the tests and is
+            a satisfactory key.
+          
+        
+      
+
       
         -r randomdev
         
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 55e11bba45..95c395c91f 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
+# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -31,7 +31,7 @@ zonefile=root.db
 cp ../ns2/dsset-example. .
 cp ../ns2/dsset-dlv. .
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 17df3d2760..0d47b90959 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.34 2009/10/27 22:25:37 marka Exp $
+# $Id: sign.sh,v 1.35 2009/10/28 00:27:10 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -36,8 +36,8 @@ do
 	cp ../ns3/dsset-$subdomain.example. .
 done
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
@@ -49,7 +49,7 @@ privzone=private.secure.example.
 privinfile=private.secure.example.db.in
 privzonefile=private.secure.example.db
 
-privkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
@@ -62,7 +62,7 @@ dlvzone=dlv.
 dlvinfile=dlv.db.in
 dlvzonefile=dlv.db
 
-dlvkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
 
 cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
 
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 936de270d1..faab14a769 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.29 2009/10/27 22:25:37 marka Exp $
+# $Id: sign.sh,v 1.30 2009/10/28 00:27:10 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,7 +26,7 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -36,7 +36,7 @@ zone=bogus.example.
 infile=bogus.example.db.in
 zonefile=bogus.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -46,8 +46,8 @@ zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
-keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
+keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
@@ -57,7 +57,7 @@ zone=keyless.example.
 infile=keyless.example.db.in
 zonefile=keyless.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -77,7 +77,7 @@ zone=secure.nsec3.example.
 infile=secure.nsec3.example.db.in
 zonefile=secure.nsec3.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -90,7 +90,7 @@ zone=nsec3.nsec3.example.
 infile=nsec3.nsec3.example.db.in
 zonefile=nsec3.nsec3.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -103,7 +103,7 @@ zone=optout.nsec3.example.
 infile=optout.nsec3.example.db.in
 zonefile=optout.nsec3.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -116,7 +116,7 @@ zone=nsec3.example.
 infile=nsec3.example.db.in
 zonefile=nsec3.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -129,7 +129,7 @@ zone=secure.optout.example.
 infile=secure.optout.example.db.in
 zonefile=secure.optout.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -142,7 +142,7 @@ zone=nsec3.optout.example.
 infile=nsec3.optout.example.db.in
 zonefile=nsec3.optout.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -155,7 +155,7 @@ zone=optout.optout.example.
 infile=optout.optout.example.db.in
 zonefile=optout.optout.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -168,7 +168,7 @@ zone=optout.example.
 infile=optout.example.db.in
 zonefile=optout.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -181,7 +181,7 @@ zone=nsec3-unknown.example.
 infile=nsec3-unknown.example.db.in
 zonefile=nsec3-unknown.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -194,7 +194,7 @@ zone=optout-unknown.example.
 infile=optout-unknown.example.db.in
 zonefile=optout-unknown.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -207,7 +207,7 @@ zone=multiple.example.
 infile=multiple.example.db.in
 zonefile=multiple.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -230,7 +230,7 @@ zone=rsasha256.example.
 infile=rsasha256.example.db.in
 zonefile=rsasha256.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
@@ -243,7 +243,7 @@ zone=rsasha512.example.
 infile=rsasha512.example.db.in
 zonefile=rsasha512.example.db
 
-keyname=`$KEYGEN -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
index 78fafebe43..e5cd5465d3 100644
--- a/bin/tests/system/dnssec/prereq.sh
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -15,11 +15,11 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $
+# $Id: prereq.sh,v 1.13 2009/10/28 00:27:10 marka Exp $
 
 ../../../tools/genrandom 400 random.data
 
-if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else

From df4408b77a8b5f4a1de659df23307c55f828d553 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 28 Oct 2009 00:46:15 +0000
Subject: [PATCH 384/385] new draft

---
 ...t-ietf-dnsext-dns-tcp-requirements-01.txt} | 164 +++++++++---------
 1 file changed, 82 insertions(+), 82 deletions(-)
 rename doc/draft/{draft-ietf-dnsext-dns-tcp-requirements-00.txt => draft-ietf-dnsext-dns-tcp-requirements-01.txt} (75%)

diff --git a/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt
similarity index 75%
rename from doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt
rename to doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt
index c1dc5fbcd8..41ae72ec2e 100644
--- a/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-00.txt
+++ b/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt
@@ -3,14 +3,14 @@
 
 DNSEXT                                                         R. Bellis
 Internet-Draft                                                Nominet UK
-Updates: 1123, 1035                                      October 6, 2009
+Updates: 1035, 1123                                     October 26, 2009
 (if approved)
 Intended status: Standards Track
-Expires: April 9, 2010
+Expires: April 29, 2010
 
 
                          DNS Transport over TCP
-               draft-ietf-dnsext-dns-tcp-requirements-00
+               draft-ietf-dnsext-dns-tcp-requirements-01
 
 Status of this Memo
 
@@ -33,7 +33,7 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on April 9, 2010.
+   This Internet-Draft will expire on April 29, 2010.
 
 Copyright Notice
 
@@ -52,7 +52,7 @@ Abstract
 
 
 
-Bellis                    Expires April 9, 2010                 [Page 1]
+Bellis                   Expires April 29, 2010                 [Page 1]
 
 Internet-Draft           DNS Transport over TCP             October 2009
 
@@ -108,7 +108,7 @@ Table of Contents
 
 
 
-Bellis                    Expires April 9, 2010                 [Page 2]
+Bellis                   Expires April 29, 2010                 [Page 2]
 
 Internet-Draft           DNS Transport over TCP             October 2009
 
@@ -117,7 +117,7 @@ Internet-Draft           DNS Transport over TCP             October 2009
 
    Most DNS [RFC1035] transactions take place over the UDP [RFC0792]
    protocol.  The TCP [RFC0793] protocol is used for zone transfers and
-   is supported by some implementations for the transfer of other
+   is supported by many implementations for the transfer of other
    packets which exceed the protocol's original 512 byte packet-size
    limit.
 
@@ -126,6 +126,9 @@ Internet-Draft           DNS Transport over TCP             October 2009
       DNS resolvers and recursive servers MUST support UDP, and SHOULD
       support TCP, for sending (non-zone-transfer) queries.
 
+   However, some implementors have taken the text quoted above to mean
+   that TCP support is truly optional for typical DNS operation.
+
    This document normatively updates the core DNS protocol
    specifications such that (except in very limited circumstances)
    support for the TCP protocol is henceforth REQUIRED.
@@ -140,36 +143,15 @@ Internet-Draft           DNS Transport over TCP             October 2009
 
 3.  Discussion
 
-   Some implementors have taken the [RFC1123] text quoted above to mean
-   that TCP support is truly optional for typical DNS operation.
-
-   However, whilst RFC 1123 predates the current RFC 2119 terminology
-   document it uses exactly the same text:
-
-      SHOULD - This word, or the adjective "RECOMMENDED", mean that
-      there may exist valid reasons in particular circumstances to
-      ignore a particular item, but the full implications must be
-      understood and carefully weighed before choosing a different
-      course.
-
    In the absence of EDNS0 (see below) the normal behaviour of any DNS
-   server needing to send a UDP response that exceeds that 512 limit is
-   for the server to truncate the response at the 512 byte limit and set
-   the TC flag in the response header.  When the client receives such a
-   response it takes the TC flag as notice that it should retry over TCP
-   instead.
+   server needing to send a UDP response that exceeds that 512 byte
+   limit is for the server to truncate the response at the 512 byte
+   limit and set the TC flag in the response header.  When the client
+   receives such a response it takes the TC flag as notice that it
+   should retry over TCP instead.
 
    RFC 1123 also says:
 
-
-
-
-Bellis                    Expires April 9, 2010                 [Page 3]
-
-Internet-Draft           DNS Transport over TCP             October 2009
-
-
-
       ... it is also clear that some new DNS record types defined in the
       future will contain information exceeding the 512 byte limit that
       applies to UDP, and hence will require TCP.  Thus, resolvers and
@@ -179,11 +161,19 @@ Internet-Draft           DNS Transport over TCP             October 2009
 
    Existing deployments of DNSSEC [RFC4033] have shown that truncation
    at the 512 byte boundary is now commonplace.  For example an NXDOMAIN
+
+
+
+Bellis                   Expires April 29, 2010                 [Page 3]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
    (RCODE == 3) response from a DNSSEC signed zone using NSEC3 [RFC5155]
    is almost invariably longer than 512 bytes.
 
-   Since the original core specifications for DNS were written the
-   Extension Mechanisms for DNS EDNS0 [RFC2671] have been introduced.
+   Since the original core specifications for DNS were written, the
+   Extension Mechanisms for DNS (EDNS0 [RFC2671]) have been introduced.
    These extensions can be used to indicate that the client is prepared
    to receive UDP responses longer than 512 bytes.  An EDNS0 compatible
    server receiving a request from an EDNS0 compatible client may send
@@ -203,30 +193,22 @@ Internet-Draft           DNS Transport over TCP             October 2009
    1500 bytes, and even that limit is routinely exceeded by DNSSEC
    signed responses.
 
-   The future that was anticipated in RFC 1123 is now here, and the only
+   The future that was anticipated in RFC 1123 has arrived, and the only
    standardised mechanism which may have resolved the packet size issue
    has been found inadequate.
 
 
 4.  Transport Protocol Selection
 
+   All DNS implementations MUST support both UDP and TCP transport
+   protocols, except as set out below.
+
    On a case by case basis, authoritative DNS server operators MAY elect
-   to disable DNS transport over TCP if all of the conditions below are
-   satisfied:
-
-   o  the server is authoritative
-
-
-
-
-
-Bellis                    Expires April 9, 2010                 [Page 4]
-
-Internet-Draft           DNS Transport over TCP             October 2009
-
+   to disable DNS transport over TCP if all of the following conditions
+   are satisfied:
 
+   o  the server is authoritative only
    o  the server does not support AXFR
-   o  the server does not support DNSSEC
    o  all requests and responses are guaranteed to be <= 512 bytes
 
    A general purpose stub resolver implementation (e.g. an operating
@@ -235,25 +217,31 @@ Internet-Draft           DNS Transport over TCP             October 2009
    with upstream servers.
 
    A proprietary stub resolver implementation MAY omit support for TCP
-   if it is operating in an environment where truncation will not occur,
-   or if it is prepared to accept a DNS lookup failure should truncation
-   occur.
+
+
+
+Bellis                   Expires April 29, 2010                 [Page 4]
+
+Internet-Draft           DNS Transport over TCP             October 2009
+
+
+   if it is operating in an environment where truncation can never
+   occur, or if it is prepared to accept a DNS lookup failure should
+   truncation occur.
 
    A recursive resolver or forwarder MUST support TCP so that it does
    not prevent long responses from a TCP-capable server from reaching
    its TCP-capable clients.
 
-   Otherwise, all DNS implementations MUST support TCP transport.
-
    Regarding the choice of when to use UDP or TCP, RFC 1123 says:
 
       ... a DNS resolver or server that is sending a non-zone-transfer
       query MUST send a UDP query first.
 
-   This requirement is no longer mandatory.  A resolver SHOULD send a
-   UDP query first, but MAY elect to send a TCP query instead if it has
-   good reason to expect the response would be truncated if it were sent
-   over UDP, or other operational considerations suggest otherwise.
+   That requirement is hereby relaxed.  A resolver SHOULD send a UDP
+   query first, but MAY elect to send a TCP query instead if it has good
+   reason to expect the response would be truncated if it were sent over
+   UDP (with or without EDNS0) or for other operational reasons.
 
 
 5.  Dormant Connection Handling
@@ -271,31 +259,42 @@ Internet-Draft           DNS Transport over TCP             October 2009
    them dormant can trivially create a "denial of service" attack.
 
    This document therefore RECOMMENDS that the idle period should be of
-   the order of TBD seconds.  With modern high performance networks 2 to
-   4 seconds should be sufficient to allow significant numbers (i.e.
+   the order of TBD seconds.
+
+   Servers MAY allow dormant connections to remain open for longer
+   periods, but for the avoidance of doubt persistent DNS connections
+   should generally be considered to be as much for the server's benefit
+   as for the client's.  Therefore if the server needs to unilaterally
+   close a dormant TCP connection it MUST be free to do so whenever
+   required.
+
+   Further recommendations for the tuning of TCP parameters to allow
+   higher throughput or improved resiliency against denial of service
+   attacks are (currently) outside the scope of this document.
 
 
 
-Bellis                    Expires April 9, 2010                 [Page 5]
+
+
+Bellis                   Expires April 29, 2010                 [Page 5]
 
 Internet-Draft           DNS Transport over TCP             October 2009
 
 
-   thousands) of concurrent dormant connections without impacting
-   service performance.
-
-   Servers MAY allow idle connections to remain open for longer periods,
-   but for the avoidance of doubt persistent DNS connections should
-   generally be considered to be as much for the server's benefit as for
-   the client's.  Therefore if the server needs to unilaterally close a
-   dormant TCP connection it MUST be free to do so whenever required.
-
-
 6.  Response re-ordering
 
-   [Potential text to be added regarding whether TCP responses can come
-   back in a different order to requests.  I'm not aware whether this is
-   specified anywhere]
+   RFC 1035 is ambiguous on the question of whether TCP queries may be
+   re-ordered - the only relevant text is in Section 4.2.1 which relates
+   to UDP:
+
+      Queries or their responses may be reordered by the network, or by
+      processing in name servers, so resolvers should not depend on them
+      being returned in order.
+
+   For the avoidance of future doubt, this requirement is clarified.
+   Client resolvers MUST be able to process responses which arrive in a
+   different order to that in which the requests were sent, regardless
+   of the transport protocol in use.
 
 
 7.  Security Considerations
@@ -329,16 +328,15 @@ Internet-Draft           DNS Transport over TCP             October 2009
               RFC 792, September 1981.
 
    [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
+              RFC 793, September 1981.
 
 
 
-Bellis                    Expires April 9, 2010                 [Page 6]
+Bellis                   Expires April 29, 2010                 [Page 6]
 
 Internet-Draft           DNS Transport over TCP             October 2009
 
 
-              RFC 793, September 1981.
-
    [RFC1035]  Mockapetris, P., "Domain names - implementation and
               specification", STD 13, RFC 1035, November 1987.
 
@@ -377,6 +375,10 @@ Appendix A.  Change Log
 
    NB: to be removed by the RFC Editor before publication.
 
+   draft-ietf-dnsext-dns-tcp-requirements-01
+      Addition of response ordering section
+      Various minor editorial changes from WG reviewers
+
    draft-ietf-dnsext-dns-tcp-requirements-00
       Initial draft
 
@@ -386,9 +388,7 @@ Appendix A.  Change Log
 
 
 
-
-
-Bellis                    Expires April 9, 2010                 [Page 7]
+Bellis                   Expires April 29, 2010                 [Page 7]
 
 Internet-Draft           DNS Transport over TCP             October 2009
 
@@ -444,5 +444,5 @@ Author's Address
 
 
 
-Bellis                    Expires April 9, 2010                 [Page 8]
+Bellis                   Expires April 29, 2010                 [Page 8]
 

From a050fc374c925e0a8ac35e5b32e1a8f2a526e180 Mon Sep 17 00:00:00 2001
From: Mark Andrews 
Date: Wed, 28 Oct 2009 00:56:17 +0000
Subject: [PATCH 385/385] 1912:   Common DNS Operational and Configuration
 Errors

---
 doc/rfc/index       |   1 +
 doc/rfc/rfc1912.txt | 899 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 900 insertions(+)
 create mode 100644 doc/rfc/rfc1912.txt

diff --git a/doc/rfc/index b/doc/rfc/index
index 671a899b99..53b4212851 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -20,6 +20,7 @@
 1750:	Randomness Recommendations for Security
 1876:	A Means for Expressing Location Information in the Domain Name System
 1886:	DNS Extensions to support IP version 6
+1912:	Common DNS Operational and Configuration Errors
 1982:	Serial Number Arithmetic
 1995:	Incremental Zone Transfer in DNS
 1996:	A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
diff --git a/doc/rfc/rfc1912.txt b/doc/rfc/rfc1912.txt
new file mode 100644
index 0000000000..8ace7d2674
--- /dev/null
+++ b/doc/rfc/rfc1912.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group                                            D. Barr
+Request for Comments: 1912             The Pennsylvania State University
+Obsoletes: 1537                                            February 1996
+Category: Informational
+
+
+            Common DNS Operational and Configuration Errors
+
+Status of this Memo
+
+   This memo provides information for the Internet community.  This memo
+   does not specify an Internet standard of any kind.  Distribution of
+   this memo is unlimited.
+
+Abstract
+
+   This memo describes errors often found in both the operation of
+   Domain Name System (DNS) servers, and in the data that these DNS
+   servers contain.  This memo tries to summarize current Internet
+   requirements as well as common practice in the operation and
+   configuration of the DNS.  This memo also tries to summarize or
+   expand upon issues raised in [RFC 1537].
+
+1. Introduction
+
+   Running a nameserver is not a trivial task.  There are many things
+   that can go wrong, and many decisions have to be made about what data
+   to put in the DNS and how to set up servers.  This memo attempts to
+   address many of the common mistakes and pitfalls that are made in DNS
+   data as well as in the operation of nameservers.  Discussions are
+   also made regarding some other relevant issues such as server or
+   resolver bugs, and a few political issues with respect to the
+   operation of DNS on the Internet.
+
+2. DNS Data
+
+   This section discusses problems people typically have with the DNS
+   data in their nameserver, as found in the zone data files that the
+   nameserver loads into memory.
+
+2.1 Inconsistent, Missing, or Bad Data
+
+   Every Internet-reachable host should have a name.  The consequences
+   of this are becoming more and more obvious.  Many services available
+   on the Internet will not talk to you if you aren't correctly
+   registered in the DNS.
+
+
+
+
+
+Barr                         Informational                      [Page 1]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   Make sure your PTR and A records match.  For every IP address, there
+   should be a matching PTR record in the in-addr.arpa domain.  If a
+   host is multi-homed, (more than one IP address) make sure that all IP
+   addresses have a corresponding PTR record (not just the first one).
+   Failure to have matching PTR and A records can cause loss of Internet
+   services similar to not being registered in the DNS at all.  Also,
+   PTR records must point back to a valid A record, not a alias defined
+   by a CNAME.  It is highly recommended that you use some software
+   which automates this checking, or generate your DNS data from a
+   database which automatically creates consistent data.
+
+   DNS domain names consist of "labels" separated by single dots.  The
+   DNS is very liberal in its rules for the allowable characters in a
+   domain name.  However, if a domain name is used to name a host, it
+   should follow rules restricting host names.  Further if a name is
+   used for mail, it must follow the naming rules for names in mail
+   addresses.
+
+   Allowable characters in a label for a host name are only ASCII
+   letters, digits, and the `-' character.  Labels may not be all
+   numbers, but may have a leading digit  (e.g., 3com.com).  Labels must
+   end and begin only with a letter or digit.  See [RFC 1035] and [RFC
+   1123].  (Labels were initially restricted in [RFC 1035] to start with
+   a letter, and some older hosts still reportedly have problems with
+   the relaxation in [RFC 1123].)  Note there are some Internet
+   hostnames which violate this rule (411.org, 1776.com).  The presence
+   of underscores in a label is allowed in [RFC 1033], except [RFC 1033]
+   is informational only and was not defining a standard.  There is at
+   least one popular TCP/IP implementation which currently refuses to
+   talk to hosts named with underscores in them.  It must be noted that
+   the language in [1035] is such that these rules are voluntary -- they
+   are there for those who wish to minimize problems.  Note that the
+   rules for Internet host names also apply to hosts and addresses used
+   in SMTP (See RFC 821).
+
+   If a domain name is to be used for mail (not involving SMTP), it must
+   follow the rules for mail in [RFC 822], which is actually more
+   liberal than the above rules.  Labels for mail can be any ASCII
+   character except "specials", control characters, and whitespace
+   characters.  "Specials" are specific symbols used in the parsing of
+   addresses.  They are the characters "()<>@,;:\".[]".  (The "!"
+   character wasn't in [RFC 822], however it also shouldn't be used due
+   to the conflict with UUCP mail as defined in RFC 976)  However, since
+   today almost all names which are used for mail on the Internet are
+   also names used for hostnames, one rarely sees addresses using these
+   relaxed standard, but mail software should be made liberal and robust
+   enough to accept them.
+
+
+
+
+Barr                         Informational                      [Page 2]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   You should also be careful to not have addresses which are valid
+   alternate syntaxes to the inet_ntoa() library call.  For example 0xe
+   is a valid name, but if you were to type "telnet 0xe", it would try
+   to connect to IP address 0.0.0.14.  It is also rumored that there
+   exists some broken inet_ntoa() routines that treat an address like
+   x400 as an IP address.
+
+   Certain operating systems have limitations on the length of their own
+   hostname.  While not strictly of issue to the DNS, you should be
+   aware of your operating system's length limits before choosing the
+   name of a host.
+
+   Remember that many resource records (abbreviated RR) take on more
+   than one argument.  HINFO requires two arguments, as does RP.  If you
+   don't supply enough arguments, servers sometime return garbage for
+   the missing fields.  If you need to include whitespace within any
+   data, you must put the string in quotes.
+
+2.2 SOA records
+
+   In the SOA record of every zone, remember to fill in the e-mail
+   address that will get to the person who maintains the DNS at your
+   site (commonly referred to as "hostmaster").  The `@' in the e-mail
+   must be replaced by a `.' first.  Do not try to put an `@' sign in
+   this address.  If the local part of the address already contains a
+   `.' (e.g., John.Smith@widget.xx), then you need to quote the `.' by
+   preceding it with `\' character.  (e.g., to become
+   John\.Smith.widget.xx) Alternately (and preferred), you can just use
+   the generic name `hostmaster', and use a mail alias to redirect it to
+   the appropriate persons.  There exists software which uses this field
+   to automatically generate the e-mail address for the zone contact.
+   This software will break if this field is improperly formatted.  It
+   is imperative that this address get to one or more real persons,
+   because it is often used for everything from reporting bad DNS data
+   to reporting security incidents.
+
+   Even though some BIND versions allow you to use a decimal in a serial
+   number, don't.  A decimal serial number is converted to an unsigned
+   32-bit integer internally anyway.  The formula for a n.m serial
+   number is n*10^(3+int(0.9+log10(m))) + m which translates to
+   something rather unexpected.  For example it's routinely possible
+   with a decimal serial number (perhaps automatically generated by
+   SCCS) to be incremented such that it is numerically larger, but after
+   the above conversion yield a serial number which is LOWER than
+   before.  Decimal serial numbers have been officially deprecated in
+   recent BIND versions.  The recommended syntax is YYYYMMDDnn
+   (YYYY=year, MM=month, DD=day, nn=revision number.  This won't
+   overflow until the year 4294.
+
+
+
+Barr                         Informational                      [Page 3]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   Choose logical values for the timer values in the SOA record (note
+   values below must be expressed as seconds in the zone data):
+
+      Refresh: How often a secondary will poll the primary server to see
+          if the serial number for the zone has increased (so it knows
+          to request a new copy of the data for the zone).  Set this to
+          how long your secondaries can comfortably contain out-of-date
+          data.  You can keep it short (20 mins to 2 hours) if you
+          aren't worried about a small increase in bandwidth used, or
+          longer (2-12 hours) if your Internet connection is slow or is
+          started on demand.  Recent BIND versions (4.9.3) have optional
+          code to automatically notify secondaries that data has
+          changed, allowing you to set this TTL to a long value (one
+          day, or more).
+
+      Retry: If a secondary was unable to contact the primary at the
+          last refresh, wait the retry value before trying again.  This
+          value isn't as important as others, unless the secondary is on
+          a distant network from the primary or the primary is more
+          prone to outages.  It's typically some fraction of the refresh
+          interval.
+
+
+      Expire: How long a secondary will still treat its copy of the zone
+          data as valid if it can't contact the primary.  This value
+          should be greater than how long a major outage would typically
+          last, and must be greater than the minimum and retry
+          intervals, to avoid having a secondary expire the data before
+          it gets a chance to get a new copy.  After a zone is expired a
+          secondary will still continue to try to contact the primary,
+          but it will no longer provide nameservice for the zone.  2-4
+          weeks are suggested values.
+
+      Minimum: The default TTL (time-to-live) for resource records --
+          how long data will remain in other nameservers' cache.  ([RFC
+          1035] defines this to be the minimum value, but servers seem
+          to always implement this as the default value)  This is by far
+          the most important timer.  Set this as large as is comfortable
+          given how often you update your nameserver.  If you plan to
+          make major changes, it's a good idea to turn this value down
+          temporarily beforehand.  Then wait the previous minimum value,
+          make your changes, verify their correctness, and turn this
+          value back up.  1-5 days are typical values.  Remember this
+          value can be overridden on individual resource records.
+
+
+
+
+
+
+
+Barr                         Informational                      [Page 4]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   As you can see, the typical values above for the timers vary widely.
+   Popular documentation like [RFC 1033] recommended a day for the
+   minimum TTL, which is now considered too low except for zones with
+   data that vary regularly.  Once a DNS stabilizes, values on the order
+   of 3 or more days are recommended.  It is also recommended that you
+   individually override the TTL on certain RRs which are often
+   referenced and don't often change to have very large values (1-2
+   weeks).  Good examples of this are the MX, A, and PTR records of your
+   mail host(s), the NS records of your zone, and the A records of your
+   nameservers.
+
+2.3 Glue A Records
+
+   Glue records are A records that are associated with NS records to
+   provide "bootstrapping" information to the nameserver.  For example:
+
+           podunk.xx.      in      ns      ns1.podunk.xx.
+                           in      ns      ns2.podunk.xx.
+           ns1.podunk.xx.  in      a       1.2.3.4
+           ns2.podunk.xx.  in      a       1.2.3.5
+
+   Here, the A records are referred to as "Glue records".
+
+   Glue records are required only in forward zone files for nameservers
+   that are located in the subdomain of the current zone that is being
+   delegated.  You shouldn't have any A records in an in-addr.arpa zone
+   file (unless you're using RFC 1101-style encoding of subnet masks).
+
+   If your nameserver is multi-homed (has more than one IP address), you
+   must list all of its addresses in the glue to avoid cache
+   inconsistency due to differing TTL values, causing some lookups to
+   not find all addresses for your nameserver.
+
+   Some people get in the bad habit of putting in a glue record whenever
+   they add an NS record "just to make sure".  Having duplicate glue
+   records in your zone files just makes it harder when a nameserver
+   moves to a new IP address, or is removed. You'll spend hours trying
+   to figure out why random people still see the old IP address for some
+   host, because someone forgot to change or remove a glue record in
+   some other file.  Newer BIND versions will ignore these extra glue
+   records in local zone files.
+
+   Older BIND versions (4.8.3 and previous) have a problem where it
+   inserts these extra glue records in the zone transfer data to
+   secondaries.  If one of these glues is wrong, the error can be
+   propagated to other nameservers.  If two nameservers are secondaries
+   for other zones of each other, it's possible for one to continually
+   pass old glue records back to the other.  The only way to get rid of
+
+
+
+Barr                         Informational                      [Page 5]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   the old data is to kill both of them, remove the saved backup files,
+   and restart them.  Combined with that those same versions also tend
+   to become infected more easily with bogus data found in other non-
+   secondary nameservers (like the root zone data).
+
+2.4 CNAME records
+
+   A CNAME record is not allowed to coexist with any other data.  In
+   other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
+   can't also have an MX record for suzy.podunk.edu, or an A record, or
+   even a TXT record.  Especially do not try to combine CNAMEs and NS
+   records like this!:
+
+
+           podunk.xx.      IN      NS      ns1
+                           IN      NS      ns2
+                           IN      CNAME   mary
+           mary            IN      A       1.2.3.4
+
+
+   This is often attempted by inexperienced administrators as an obvious
+   way to allow your domain name to also be a host.  However, DNS
+   servers like BIND will see the CNAME and refuse to add any other
+   resources for that name.  Since no other records are allowed to
+   coexist with a CNAME, the NS entries are ignored.  Therefore all the
+   hosts in the podunk.xx domain are ignored as well!
+
+   If you want to have your domain also be a host, do the following:
+
+           podunk.xx.      IN      NS      ns1
+                           IN      NS      ns2
+                           IN      A       1.2.3.4
+           mary            IN      A       1.2.3.4
+
+   Don't go overboard with CNAMEs.  Use them when renaming hosts, but
+   plan to get rid of them (and inform your users).  However CNAMEs are
+   useful (and encouraged) for generalized names for servers -- `ftp'
+   for your ftp server, `www' for your Web server, `gopher' for your
+   Gopher server, `news' for your Usenet news server, etc.
+
+   Don't forget to delete the CNAMEs associated with a host if you
+   delete the host it is an alias for.  Such "stale CNAMEs" are a waste
+   of resources.
+
+
+
+
+
+
+
+
+Barr                         Informational                      [Page 6]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   Don't use CNAMEs in combination with RRs which point to other names
+   like MX, CNAME, PTR and NS.  (PTR is an exception if you want to
+   implement classless in-addr delegation.)  For example, this is
+   strongly discouraged:
+
+           podunk.xx.      IN      MX      mailhost
+           mailhost        IN      CNAME   mary
+           mary            IN      A       1.2.3.4
+
+
+   [RFC 1034] in section 3.6.2 says this should not be done, and [RFC
+   974] explicitly states that MX records shall not point to an alias
+   defined by a CNAME.  This results in unnecessary indirection in
+   accessing the data, and DNS resolvers and servers need to work more
+   to get the answer.  If you really want to do this, you can accomplish
+   the same thing by using a preprocessor such as m4 on your host files.
+
+   Also, having chained records such as CNAMEs pointing to CNAMEs may
+   make administration issues easier, but is known to tickle bugs in
+   some resolvers that fail to check loops correctly.  As a result some
+   hosts may not be able to resolve such names.
+
+   Having NS records pointing to a CNAME is bad and may conflict badly
+   with current BIND servers.  In fact, current BIND implementations
+   will ignore such records, possibly leading to a lame delegation.
+   There is a certain amount of security checking done in BIND to
+   prevent spoofing DNS NS records.  Also, older BIND servers reportedly
+   will get caught in an infinite query loop trying to figure out the
+   address for the aliased nameserver, causing a continuous stream of
+   DNS requests to be sent.
+
+2.5 MX records
+
+   It is a good idea to give every host an MX record, even if it points
+   to itself!  Some mailers will cache MX records, but will always need
+   to check for an MX before sending mail.  If a site does not have an
+   MX, then every piece of mail may result in one more resolver query,
+   since the answer to the MX query often also contains the IP addresses
+   of the MX hosts.  Internet SMTP mailers are required by [RFC 1123] to
+   support the MX mechanism.
+
+   Put MX records even on hosts that aren't intended to send or receive
+   e-mail.  If there is a security problem involving one of these hosts,
+   some people will mistakenly send mail to postmaster or root at the
+   site without checking first to see if it is a "real" host or just a
+   terminal or personal computer that's not set up to accept e-mail.  If
+   you give it an MX record, then the e-mail can be redirected to a real
+   person.  Otherwise mail can just sit in a queue for hours or days
+
+
+
+Barr                         Informational                      [Page 7]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   until the mailer gives up trying to send it.
+
+   Don't forget that whenever you add an MX record, you need to inform
+   the target mailer if it is to treat the first host as "local".  (The
+   "Cw" flag in sendmail, for example)
+
+   If you add an MX record which points to an external host (e.g., for
+   the purposes of backup mail routing) be sure to ask permission from
+   that site first.  Otherwise that site could get rather upset and take
+   action (like throw your mail away, or appeal to higher authorities
+   like your parent DNS administrator or network provider.)
+
+2.6 Other Resource Records
+
+2.6.1 WKS
+
+   WKS records are deprecated in [RFC 1123].  They serve no known useful
+   function, except internally among LISP machines.  Don't use them.
+
+2.6.2 HINFO
+
+   On the issue HINFO records, some will argue that these is a security
+   problem (by broadcasting what vendor hardware and operating system
+   you so people can run systematic attacks on known vendor security
+   holes).  If you do use them, you should keep up to date with known
+   vendor security problems.  However, they serve a useful purpose.
+   Don't forget that HINFO requires two arguments, the hardware type,
+   and the operating system.
+
+   HINFO is sometimes abused to provide other information.  The record
+   is meant to provide specific information about the machine itself.
+   If you need to express other information about the host in the DNS,
+   use TXT.
+
+2.6.3 TXT
+
+   TXT records have no specific definition.  You can put most anything
+   in them.  Some use it for a generic description of the host, some put
+   specific information like its location, primary user, or maybe even a
+   phone number.
+
+2.6.4 RP
+
+   RP records are relatively new.  They are used to specify an e-mail
+   address (see first paragraph of section 2.2)  of the "Responsible
+   Person" of the host, and the name of a TXT record where you can get
+   more information.  See [RFC 1183].
+
+
+
+
+Barr                         Informational                      [Page 8]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+2.7 Wildcard records
+
+   Wildcard MXs are useful mostly for non IP-connected sites.  A common
+   mistake is thinking that a wildcard MX for a zone will apply to all
+   hosts in the zone.  A wildcard MX will apply only to names in the
+   zone which aren't listed in the DNS at all.  e.g.,
+
+           podunk.xx.      IN      NS      ns1
+                           IN      NS      ns2
+           mary            IN      A       1.2.3.4
+           *.podunk.xx.    IN      MX      5 sue
+
+   Mail for mary.podunk.xx will be sent to itself for delivery.  Only
+   mail for jane.podunk.xx or any hosts you don't see above will be sent
+   to the MX.  For most Internet sites, wildcard MX records are not
+   useful.  You need to put explicit MX records on every host.
+
+   Wildcard MXs can be bad, because they make some operations succeed
+   when they should fail instead.  Consider the case where someone in
+   the domain "widget.com" tries to send mail to "joe@larry".  If the
+   host "larry" doesn't actually exist, the mail should in fact bounce
+   immediately.  But because of domain searching the address gets
+   resolved to "larry.widget.com", and because of the wildcard MX this
+   is a valid address according to DNS.  Or perhaps someone simply made
+   a typo in the hostname portion of the address.  The mail message then
+   gets routed to the mail host, which then rejects the mail with
+   strange error messages like "I refuse to talk to myself" or "Local
+   configuration error".
+
+   Wildcard MX records are good for when you have a large number of
+   hosts which are not directly Internet-connected (for example, behind
+   a firewall) and for administrative or political reasons it is too
+   difficult to have individual MX records for every host, or to force
+   all e-mail addresses to be "hidden" behind one or more domain names.
+   In that case, you must divide your DNS into two parts, an internal
+   DNS, and an external DNS.  The external DNS will have only a few
+   hosts and explicit MX records, and one or more wildcard MXs for each
+   internal domain.  Internally the DNS will be complete, with all
+   explicit MX records and no wildcards.
+
+   Wildcard As and CNAMEs are possible too, and are really confusing to
+   users, and a potential nightmare if used without thinking first.  It
+   could result (due again to domain searching) in any telnet/ftp
+   attempts from within the domain to unknown hosts to be directed to
+   one address.  One such wildcard CNAME (in *.edu.com) caused
+   Internet-wide loss of services and potential security nightmares due
+   to unexpected interactions with domain searching.  It resulted in
+   swift fixes, and even an RFC ([RFC 1535]) documenting the problem.
+
+
+
+Barr                         Informational                      [Page 9]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+2.8 Authority and Delegation Errors (NS records)
+
+   You are required to have at least two nameservers for every domain,
+   though more is preferred.  Have secondaries outside your network.  If
+   the secondary isn't under your control, periodically check up on them
+   and make sure they're getting current zone data from you.  Queries to
+   their nameserver about your hosts should always result in an
+   "authoritative" response.  If not, this is called a "lame
+   delegation".  A lame delegations exists when a nameserver is
+   delegated responsibility for providing nameservice for a zone (via NS
+   records) but is not performing nameservice for that zone (usually
+   because it is not set up as a primary or secondary for the zone).
+
+   The "classic" lame delegation can be illustrated in this example:
+
+           podunk.xx.      IN      NS      ns1.podunk.xx.
+                           IN      NS      ns0.widget.com.
+
+   "podunk.xx" is a new domain which has recently been created, and
+   "ns1.podunk.xx" has been set up to perform nameservice for the zone.
+   They haven't quite finished everything yet and haven't made sure that
+   the hostmaster at "ns0.widget.com" has set up to be a proper
+   secondary, and thus has no information about the podunk.xx domain,
+   even though the DNS says it is supposed to.  Various things can
+   happen depending on which nameserver is used.  At best, extra DNS
+   traffic will result from a lame delegation.  At worst, you can get
+   unresolved hosts and bounced e-mail.
+
+   Also, sometimes a nameserver is moved to another host or removed from
+   the list of secondaries.  Unfortunately due to caching of NS records,
+   many sites will still think that a host is a secondary after that
+   host has stopped providing nameservice.  In order to prevent lame
+   delegations while the cache is being aged, continue to provide
+   nameservice on the old nameserver for the length of the maximum of
+   the minimum plus refresh times for the zone and the parent zone.
+   (See section 2.2)
+
+   Whenever a primary or secondary is removed or changed, it takes a
+   fair amount of human coordination among the parties involved.  (The
+   site itself, it's parent, and the site hosting the secondary)  When a
+   primary moves, make sure all secondaries have their named.boot files
+   updated and their servers reloaded.  When a secondary moves, make
+   sure the address records at both the primary and parent level are
+   changed.
+
+   It's also been reported that some distant sites like to pick popular
+   nameservers like "ns.uu.net" and just add it to their list of NS
+   records in hopes that they will magically perform additional
+
+
+
+Barr                         Informational                     [Page 10]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   nameservice for them.  This is an even worse form of lame delegation,
+   since this adds traffic to an already busy nameserver.  Please
+   contact the hostmasters of sites which have lame delegations.
+   Various tools can be used to detect or actively find lame
+   delegations.  See the list of contributed software in the BIND
+   distribution.
+
+   Make sure your parent domain has the same NS records for your zone as
+   you do.  (Don't forget your in-addr.arpa zones too!).  Do not list
+   too many (7 is the recommended maximum), as this just makes things
+   harder to manage and is only really necessary for very popular top-
+   level or root zones.  You also run the risk of overflowing the 512-
+   byte limit of a UDP packet in the response to an NS query.  If this
+   happens, resolvers will "fall back" to using TCP requests, resulting
+   in increased load on your nameserver.
+
+   It's important when picking geographic locations for secondary
+   nameservers to minimize latency as well as increase reliability.
+   Keep in mind network topologies.  For example if your site is on the
+   other end of a slow local or international link, consider a secondary
+   on the other side of the link to decrease average latency.  Contact
+   your Internet service provider or parent domain contact for more
+   information about secondaries which may be available to you.
+
+3. BIND operation
+
+   This section discusses common problems people have in the actual
+   operation of the nameserver (specifically, BIND).  Not only must the
+   data be correct as explained above, but the nameserver must be
+   operated correctly for the data to be made available.
+
+3.1 Serial numbers
+
+   Each zone has a serial number associated with it.  Its use is for
+   keeping track of who has the most current data.  If and only if the
+   primary's serial number of the zone is greater will the secondary ask
+   the primary for a copy of the new zone data (see special case below).
+
+   Don't forget to change the serial number when you change data!  If
+   you don't, your secondaries will not transfer the new zone
+   information.  Automating the incrementing of the serial number with
+   software is also a good idea.
+
+   If you make a mistake and increment the serial number too high, and
+   you want to reset the serial number to a lower value, use the
+   following procedure:
+
+
+
+
+
+Barr                         Informational                     [Page 11]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+      Take the `incorrect' serial number and add 2147483647 to it.  If
+      the number exceeds 4294967296, subtract 4294967296.  Load the
+      resulting number.  Then wait 2 refresh periods to allow the zone
+      to propagate to all servers.
+
+      Repeat above until the resulting serial number is less than the
+      target serial number.
+
+      Up the serial number to the target serial number.
+
+   This procedure won't work if one of your secondaries is running an
+   old version of BIND (4.8.3 or earlier).  In this case you'll have to
+   contact the hostmaster for that secondary and have them kill the
+   secondary servers, remove the saved backup file, and restart the
+   server.  Be careful when editing the serial number -- DNS admins
+   don't like to kill and restart nameservers because you lose all that
+   cached data.
+
+3.2 Zone file style guide
+
+   Here are some useful tips in structuring your zone files.  Following
+   these will help you spot mistakes, and avoid making more.
+
+   Be consistent with the style of entries in your DNS files. If your
+   $ORIGIN is podunk.xx., try not to write entries like:
+
+           mary            IN      A       1.2.3.1
+           sue.podunk.xx.  IN      A       1.2.3.2
+
+   or:
+
+           bobbi           IN      A       1.2.3.2
+                           IN      MX      mary.podunk.xx.
+
+
+   Either use all FQDNs (Fully Qualified Domain Names) everywhere or
+   used unqualified names everywhere.  Or have FQDNs all on the right-
+   hand side but unqualified names on the left.  Above all, be
+   consistent.
+
+   Use tabs between fields, and try to keep columns lined up.  It makes
+   it easier to spot missing fields (note some fields such as "IN" are
+   inherited from the previous record and may be left out in certain
+   circumstances.)
+
+
+
+
+
+
+
+Barr                         Informational                     [Page 12]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   Remember you don't need to repeat the name of the host when you are
+   defining multiple records for one host.  Be sure also to keep all
+   records associated with a host together in the file.  It will make
+   things more straightforward when it comes time to remove or rename a
+   host.
+
+   Always remember your $ORIGIN.  If you don't put a `.' at the end of
+   an FQDN, it's not recognized as an FQDN.  If it is not an FQDN, then
+   the nameserver will append $ORIGIN to the name.  Double check, triple
+   check, those trailing dots, especially in in-addr.arpa zone files,
+   where they are needed the most.
+
+   Be careful with the syntax of the SOA and WKS records (the records
+   which use parentheses).  BIND is not very flexible in how it parses
+   these records.  See the documentation for BIND.
+
+3.3 Verifying data
+
+   Verify the data you just entered or changed by querying the resolver
+   with dig (or your favorite DNS tool, many are included in the BIND
+   distribution) after a change.  A few seconds spent double checking
+   can save hours of trouble, lost mail, and general headaches.  Also be
+   sure to check syslog output when you reload the nameserver.  If you
+   have grievous errors in your DNS data or boot file, named will report
+   it via syslog.
+
+   It is also highly recommended that you automate this checking, either
+   with software which runs sanity checks on the data files before they
+   are loaded into the nameserver, or with software which checks the
+   data already loaded in the nameserver.  Some contributed software to
+   do this is included in the BIND distribution.
+
+4. Miscellaneous Topics
+
+4.1 Boot file setup
+
+   Certain zones should always be present in nameserver configurations:
+
+           primary         localhost               localhost
+           primary         0.0.127.in-addr.arpa    127.0
+           primary         255.in-addr.arpa        255
+           primary         0.in-addr.arpa          0
+
+   These are set up to either provide nameservice for "special"
+   addresses, or to help eliminate accidental queries for broadcast or
+   local address to be sent off to the root nameservers.  All of these
+   files will contain NS and SOA records just like the other zone files
+   you maintain, the exception being that you can probably make the SOA
+
+
+
+Barr                         Informational                     [Page 13]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   timers very long, since this data will never change.
+
+   The "localhost" address is a "special" address which always refers to
+   the local host.  It should contain the following line:
+
+           localhost.      IN      A       127.0.0.1
+
+   The "127.0" file should contain the line:
+
+           1    PTR     localhost.
+
+   There has been some extensive discussion about whether or not to
+   append the local domain to it.  The conclusion is that "localhost."
+   would be the best solution.  The reasons given include:
+
+      "localhost" by itself is used and expected to work in some
+      systems.
+
+      Translating 127.0.0.1 into "localhost.dom.ain" can cause some
+      software to connect back to the loopback interface when it didn't
+      want to because "localhost" is not equal to "localhost.dom.ain".
+
+   The "255" and "0" files should not contain any additional data beyond
+   the NS and SOA records.
+
+   Note that future BIND versions may include all or some of this data
+   automatically without additional configuration.
+
+4.2 Other Resolver and Server bugs
+
+   Very old versions of the DNS resolver have a bug that cause queries
+   for names that look like IP addresses to go out, because the user
+   supplied an IP address and the software didn't realize that it didn't
+   need to be resolved.  This has been fixed but occasionally it still
+   pops up.  It's important because this bug means that these queries
+   will be sent directly to the root nameservers, adding to an already
+   heavy DNS load.
+
+   While running a secondary nameserver off another secondary nameserver
+   is possible, it is not recommended unless necessary due to network
+   topologies.  There are known cases where it has led to problems like
+   bogus TTL values.  While this may be caused by older or flawed DNS
+   implementations, you should not chain secondaries off of one another
+   since this builds up additional reliability dependencies as well as
+   adds additional delays in updates of new zone data.
+
+
+
+
+
+
+Barr                         Informational                     [Page 14]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+4.3 Server issues
+
+   DNS operates primarily via UDP (User Datagram Protocol) messages.
+   Some UNIX operating systems, in an effort to save CPU cycles, run
+   with UDP checksums turned off.  The relative merits of this have long
+   been debated.  However, with the increase in CPU speeds, the
+   performance considerations become less and less important.  It is
+   strongly encouraged that you turn on UDP checksumming to avoid
+   corrupted data not only with DNS but with other services that use UDP
+   (like NFS).  Check with your operating system documentation to verify
+   that UDP checksumming is enabled.
+
+References
+
+   [RFC 974] Partridge, C., "Mail routing and the domain system", STD
+              14, RFC 974, CSNET CIC BBN Laboratories Inc, January 1986.
+
+   [RFC 1033] Lottor, M, "Domain Administrators Operations Guide", RFC
+              1033, USC/Information Sciences Institute, November 1987.
+
+   [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+              STD 13, RFC 1034, USC/Information Sciences Institute,
+              November 1987.
+
+   [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+              Specification", STD 13, RFC 1035, USC/Information Sciences
+              Institute, November 1987.
+
+   [RFC 1123] Braden, R., "Requirements for Internet Hosts --
+              Application and Support", STD 3, RFC 1123, IETF, October
+              1989.
+
+   [RFC 1178] Libes, D., "Choosing a Name for Your Computer", FYI 5, RFC
+              1178, Integrated Systems Group/NIST, August 1990.
+
+   [RFC 1183] Ullman, R., Mockapetris, P., Mamakos, L, and C. Everhart,
+              "New DNS RR Definitions", RFC 1183, October 1990.
+
+   [RFC 1535] Gavron, E., "A Security Problem and Proposed Correction
+              With Widely Deployed DNS Software", RFC 1535, ACES
+              Research Inc., October 1993.
+
+   [RFC 1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S.
+              Miller, "Common DNS Implementation Errors and Suggested
+              Fixes", RFC 1536, USC/Information Sciences Institute, USC,
+              October 1993.
+
+
+
+
+
+Barr                         Informational                     [Page 15]
+
+RFC 1912                   Common DNS Errors               February 1996
+
+
+   [RFC 1537] Beertema, P., "Common DNS Data File Configuration Errors",
+              RFC 1537, CWI, October 1993.
+
+   [RFC 1713] A. Romao, "Tools for DNS debugging", RFC 1713, FCCN,
+              November 1994.
+
+   [BOG] Vixie, P, et. al., "Name Server Operations Guide for BIND",
+              Vixie Enterprises, July 1994.
+
+5. Security Considerations
+
+   Security issues are not discussed in this memo.
+
+6. Author's Address
+
+   David Barr
+   The Pennsylvania State University
+   Department of Mathematics
+   334 Whitmore Building
+   University Park, PA 16802
+
+   Voice: +1 814 863 7374
+   Fax: +1 814 863-8311
+   EMail: barr@math.psu.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Barr                         Informational                     [Page 16]
+